International Association for Cryptologic Research

International Association
for Cryptologic Research


Cryptanalysis of Elisabeth-4

Henri Gilbert , ANSSI, UVSQ, France
Rachelle Heim Boissier , Université Paris-Saclay, UVSQ, CNRS, Laboratoire de mathématiques de Versailles, Versailles, France
Jérémy Jean , ANSSI, France
Jean-René Reinhard , ANSSI, France
Search ePrint
Search Google
Presentation: Slides
Conference: ASIACRYPT 2023
Abstract: Elisabeth-4 is a stream cipher tailored for usage in hybrid homomorphic encryption applications that has been introduced by Cosseron et al. at ASIACRYPT 2022. In this paper, we present several variants of a key-recovery attack on the full Elisabeth-4 that break the 128-bit security claim of that cipher. Our most optimized attack is a chosen-IV attack with a time complexity of 2^88 elementary operations, a memory complexity of 2^54 bits and a data complexity of 2^41 bits. Our attack applies the linearization technique to a nonlinear system of equations relating some keystream bits to the key bits and exploits specificities of the cipher to solve the resulting linear system efficiently. First, due to the structure of the cipher, the system to solve happens to be very sparse, which enables to rely on sparse linear algebra and most notably on the Block Wiedemann algorithm. Secondly, the algebraic properties of the two nonlinear ingredients of the filtering function cause rank defects which can be leveraged to solve the linearized system more efficiently with a decreased data and time complexity. We have implemented our attack on a toy version of Elisabeth-4 to verify its correctness. It uses the efficient implementation of the Block Wiedemann algorithm of CADO-NFS for the sparse linear algebra.
  title={Cryptanalysis of Elisabeth-4},
  author={Henri Gilbert and Rachelle Heim Boissier and Jérémy Jean and Jean-René Reinhard},