Download the full version of the ebook at ebookfinal.

com

Fast Software Encryption Orr Dunkelman

https://ebookfinal.com/download/fast-software-encryption-
orr-dunkelman/

OR CLICK BUTTON

DOWNLOAD EBOOK

Download more ebook instantly today at https://ebookfinal.com

Instant digital products (PDF, ePub, MOBI) available
Download now and explore formats that suit you...

Frommer s Niagara Region 4th Edition Barbara Ramsay Orr

https://ebookfinal.com/download/frommer-s-niagara-region-4th-edition-
barbara-ramsay-orr/

ebookfinal.com

Multimedia Content Encryption Techniques and Applications

1st Edition Shiguo Lian

https://ebookfinal.com/download/multimedia-content-encryption-
techniques-and-applications-1st-edition-shiguo-lian/

ebookfinal.com

A First Course in Functional Analysis 1st Edition Orr

Moshe Shalit

https://ebookfinal.com/download/a-first-course-in-functional-
analysis-1st-edition-orr-moshe-shalit/

ebookfinal.com

Software Metrics and Software Metrology 1st Edition Alain

Abran

https://ebookfinal.com/download/software-metrics-and-software-
metrology-1st-edition-alain-abran/

ebookfinal.com
Simple Steps to Data Encryption A Practical Guide to
Secure Computing 1st Edition Peter Loshin

https://ebookfinal.com/download/simple-steps-to-data-encryption-a-
practical-guide-to-secure-computing-1st-edition-peter-loshin/

ebookfinal.com

Fast Feedback Second Edition Bruce Tulgan

https://ebookfinal.com/download/fast-feedback-second-edition-bruce-
tulgan/

ebookfinal.com

Fast SOA 1st Edition Frank Cohen

https://ebookfinal.com/download/fast-soa-1st-edition-frank-cohen/

ebookfinal.com

Fast Feng Shui for Prosperity Stephanie Roberts

https://ebookfinal.com/download/fast-feng-shui-for-prosperity-
stephanie-roberts/

ebookfinal.com

Growing Software Proven Strategies for Managing Software

Engineers 1° Edition Louis Testa

https://ebookfinal.com/download/growing-software-proven-strategies-
for-managing-software-engineers-1-edition-louis-testa/

ebookfinal.com
Lecture Notes in Computer Science 5665
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
University of Dortmund, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max-Planck Institute of Computer Science, Saarbruecken, Germany
Orr Dunkelman (Ed.)

Fast
Software Encryption

16th International Workshop, FSE 2009

Leuven, Belgium, February 22-25, 2009
Revised Selected Papers

13
Volume Editor

Orr Dunkelman
École Normale Supérieure
Département d’Informatique
45 rue d’Ulm, 75230 Paris CEDEX 05, France
E-mail: [email protected]

Library of Congress Control Number: 2009931058

CR Subject Classification (1998): E.3, I.1, E.2, D.4.6, K.6.5

LNCS Sublibrary: SL 4 – Security and Cryptology

ISSN 0302-9743
ISBN-10 3-642-03316-4 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-03316-2 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
springer.com
© International Association for Cryptologic Research 2009
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper SPIN: 12731466 06/3180 543210
 Preface

Fast Software Encryption 2009 was the 16th in a series of workshops on symmet-
ric key cryptography. Starting from 2002, it is sponsored by the International
Association for Cryptologic Research (IACR). FSE 2009 was held in Leuven,
Belgium, after previous venues held in Cambridge, UK (1993, 1996), Leuven,
Belgium (1994, 2002), Haifa, Israel (1997), Paris, France (1998, 2005), Rome,
Italy (1999), New York, USA (2000), Yokohama, Japan (2001), Lund, Sweden
(2003), New Delhi, India (2004), Graz, Austria (2006), Luxembourg, Luxem-
bourg (2007), and Lausanne, Switzerland (2008).
The workshop’s main topic is symmetric key cryptography, including the
design of fast and secure symmetric key primitives, such as block ciphers, stream
ciphers, hash functions, message authentication codes, modes of operation and
iteration, as well as the theoretical foundations of these primitives.
This year, 76 papers were submitted to FSE including a large portion of
papers on hash functions, following the NIST SHA-3 competition, whose work-
shop was held just after FSE in the same location. From the 76 papers, 24 were
accepted for presentation. It is my pleasure to thank all the authors of all sub-
missions for the high-quality research, which is the base for the scientific value
of the workshop. The review process was thorough (each submission received
the attention of at least three reviewers), and at the end, besides the accepted
papers, the Committee decided that the merits of the paper “Blockcipher-Based
Hashing Revisited” entitled the authors to receive the best paper award. I wish
to thank all Committee members and the referees for their hard and dedicated
work.
The workshop also featured two invited talks. The first was given by Shay
Gueron about “Intel’s New AES Instructions for Enhanced Performance and Se-
curity” and the second was given by Matt Robshaw about “Looking Back at the
eSTREAM Project.” Along the presentation of the papers and the invited talks,
the traditional rump session was organized and chaired by Dan J. Bernstein.
I would like to thank Thomas Baignères for the iChair review management
software, which facilitated a smooth and easy review process, and Shai Halevi
for the Web Submission and Review Software for dealing with the proceedings.
A special thanks is due to the organizing team. The COSIC team from
Katholieke Universiteit Leuven, headed by Program Chair Bart Preneel, did
a wonderful job in hosting the workshop. The warm welcome that awaited more
than 200 delegates from all over the world was unblemished. The support given to
the FSE 2009 workshop by the sponsors Katholieke Universiteit Leuven, Price-
WaterhouseCoppers, and Oberthur technologies is also gratefully acknowledged.

May 2009 Orr Dunkelman

 Fast Software Encryption 2009

Leuven, Belgium, February 22–25, 2009

Sponsored by the
International Association for Cryptologic Research (IACR)

Program and General Chairs

Program Chair Orr Dunkelman
École Normale Supérieure, France
General Chair Bart Preneel
Katholieke Universiteit Leuven, Belgium

Program Committee
Steve Babbage Vodafone Group R&D, UK
Alex Biryukov University of Luxembourg, Luxembourg
Dan J. Bernstein University of Illinois at Chicago, USA
Joan Daemen STMicroelectronics, Belgium
Christophe De Cannière École Normale Supérieure, France
and Katholieke Universiteit Leuven, Belgium
Orr Dunkelman (Chair) École Normale Supérieure, France
Henri Gilbert Orange Labs, France
Louis Granboulan EADS Innovation Works, France
Helena Handschuh Spansion, France
Tetsu Iwata Nagoya University, Japan
Nathan Keller Hebrew University, Israel
Stefan Lucks Bauhaus-University Weimar, Germany
Mitsuru Matsui Mitsubishi Electric, Japan
Willi Meier FHNW, Switzerland
Kaisa Nyberg Helsinki University of Technology
and NOKIA, Finland
Raphael Phan Loughborough University, UK
Bart Preneel Katholieke Universiteit Leuven, Belgium
Håvard Raddum University of Bergen, Norway
Christian Rechberger Graz University of Technology, Austria
Thomas Ristenpart UC San Diego, USA
Greg Rose Qualcomm, Australia
Serge Vaudenay EPFL, Switzerland
Yiqun Lisa Yin Independent Consultant, USA
VIII Organization

Referees
Elena Andreeva Mario Lamberger
Kazumaro Aoki Changhoon Lee
Frederik Armknecht David McGrew
Jean-Philippe Aumasson Florian Mendel
Guido Bertoni Nicky Mouha
Olivier Billet Jorge Nakahara Jr.
Billy Brumley Maria Naya-Plasencia
Rafik Chaabouni Ivica Nikolić
Donghoon Chang Khaled Ouafi
Joo Yeon Cho Matthew Parker
Shanshan Duan Sylvain Pasini
Baha Dundar Chris Peikert
Ewan Fleischmann Thomas Peyrin
Chistian Forler Thomas Roche
Pasqualina Fragneto Martin Schläffer
Benedikt Gierlichs Yannick Seurin
Michael Gorski Zhijie Shi
Jian Guo Thomas Shrimpton
Risto Hakala Hervé Sibert
Miia Hermelin Dirk Stegemann
Shoichi Hirose Daisuke Suzuki
Michael Hutter Stefano Tessaro
Sebastiaan Indesteege Stefan Tillich
Kimmo Järvinen Elena Trichina
Pascal Junod Gilles Van Assche
Charanjit Jutla Martin Vuagnoux
Liam Keliher Ralf-Philipp Weinmann
Shahram Khazaei Bo-Yin Yang
Dmitry Khovratovich Scott Yilek
Jongsung Kim Erik Zenner
Matthias Krause Fan Zhang

Sponsors
Katholieke Universiteit Leuven, Belgium
PriceWaterhouseCoppers, Belgium
Oberthur technologies, Belgium
 Table of Contents

Stream Ciphers
Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and
Trivium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Jean-Philippe Aumasson, Itai Dinur, Willi Meier, and Adi Shamir

An Efficient State Recovery Attack on X-FCSR-256 . . . . . . . . . . . . . . . . . . 23

Paul Stankovski, Martin Hell, and Thomas Johansson

Key Collisions of the RC4 Stream Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Mitsuru Matsui

Invited Talk
Intel’s New AES Instructions for Enhanced Performance and
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Shay Gueron

Theory of Hash Functions

Blockcipher-Based Hashing Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Martijn Stam

On the Security of Tandem-DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Ewan Fleischmann, Michael Gorski, and Stefan Lucks

Indifferentiability of Permutation-Based Compression Functions and

Tree-Based Modes of Operation, with Applications to MD6 . . . . . . . . . . . 104
Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, and Emily Shen

Hash Functions Analysis I

Cryptanalysis of RadioGatún . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Thomas Fuhr and Thomas Peyrin

Preimage Attacks on Reduced Tiger and SHA-2 . . . . . . . . . . . . . . . . . . . . . 139

Takanori Isobe and Kyoji Shibutani

Cryptanalysis of the LAKE Hash Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Alex Biryukov, Praveen Gauravaram, Jian Guo,
Dmitry Khovratovich, San Ling, Krystian Matusiewicz,
Ivica Nikolić, Josef Pieprzyk, and Huaxiong Wang
X Table of Contents

Block Ciphers Analysis

New Cryptanalysis of Block Ciphers with Low Algebraic Degree . . . . . . . 180
Bing Sun, Longjiang Qu, and Chao Li

Algebraic Techniques in Differential Cryptanalysis . . . . . . . . . . . . . . . . . . . 193

Martin Albrecht and Carlos Cid

Multidimensional Extension of Matsui’s Algorithm 2 . . . . . . . . . . . . . . . . . 209

Miia Hermelin, Joo Yeon Cho, and Kaisa Nyberg

Hash Functions Analysis II

Meet-in-the-Middle Attacks on SHA-3 Candidates . . . . . . . . . . . . . . . . . . . . 228
Dmitry Khovratovich, Ivica Nikolić, and Ralf-Philipp Weinmann

Practical Collisions for EnRUPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Sebastiaan Indesteege and Bart Preneel

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and

Grøstl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Florian Mendel, Christian Rechberger, Martin Schläffer, and
Søren S. Thomsen

Block Ciphers
Revisiting the IDEA Philosophy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Pascal Junod and Marco Macchetti

Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2) . . . . . . . . . . 296

Jean-Philippe Aumasson, Jorge Nakahara Jr., and Pouyan Sepehrdad

Beyond-Birthday-Bound Security Based on Tweakable Block Cipher . . . 308

Kazuhiko Minematsu

Theory of Symmetric Key

Enhanced Target Collision Resistant Hash Functions Revisited . . . . . . . . 327
Mohammad Reza Reyhanitabar, Willy Susilo, and Yi Mu

Message Authentication Codes

MAC Reforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
John Black and Martin Cochran

New Distinguishing Attack on MAC Using Secret-Prefix Method . . . . . . . 363

Xiaoyun Wang, Wei Wang, Keting Jia, and Meiqin Wang
 Table of Contents XI

Fast and Secure CBC-Type MAC Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 375

Mridul Nandi

HBS: A Single-Key Mode of Operation for Deterministic Authenticated

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Tetsu Iwata and Kan Yasuda

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

 Cube Testers and Key Recovery Attacks
on Reduced-Round MD6 and Trivium

Jean-Philippe Aumasson1, , Itai Dinur2 , Willi Meier1, , and Adi Shamir2

1
FHNW, Windisch, Switzerland
2
Computer Science Department, The Weizmann Institute, Rehovot, Israel

Abstract. CRYPTO 2008 saw the introduction of the hash function

MD6 and of cube attacks, a type of algebraic attack applicable to crypto-
graphic functions having a low-degree algebraic normal form over GF(2).
This paper applies cube attacks to reduced round MD6, finding the full
128-bit key of a 14-round MD6 with complexity 222 (which takes less
than a minute on a single PC). This is the best key recovery attack an-
nounced so far for MD6. We then introduce a new class of attacks called
cube testers, based on efficient property-testing algorithms, and apply
them to MD6 and to the stream cipher Trivium. Unlike the standard
cube attacks, cube testers detect nonrandom behavior rather than per-
forming key extraction, but they can also attack cryptographic schemes
described by nonrandom polynomials of relatively high degree. Applied
to MD6, cube testers detect nonrandomness over 18 rounds in 217 com-
plexity; applied to a slightly modified version of the MD6 compression
function, they can distinguish 66 rounds from random in 224 complexity.
Cube testers give distinguishers on Trivium reduced to 790 rounds from
random with 230 complexity and detect nonrandomness over 885 rounds
in 227 , improving on the original 767-round cube attack.

1 Introduction
1.1 Cube Attacks
Cube attacks [29, 9] are a new type of algebraic cryptanalysis that exploit im-
plicit low-degree equations in cryptographic algorithms. Cube attacks only re-
quire black box access to the target primitive, and were successfully applied
to reduced versions of the stream cipher Trivium [6] in [9]. Roughly speaking,
a cryptographic function is vulnerable to cube attacks if its implicit algebraic
normal form over GF(2) has degree at most d, provided that 2d computations
of the function is feasible. Cube attacks recover a secret key through queries
to a black box polynomial with tweakable public variables (e.g. chosen plaintext
or IV bits), followed by solving a linear system of equations in the secret key
variables. A one time preprocessing phase is required to determine which queries
should be made to the black box during the on-line phase of the attack. Low-
degree implicit equations were previously exploited in [11,27,21,10] to construct

Supported by the Swiss National Science Foundation, project no. 113329.

Supported by GEBERT RÜF STIFTUNG, project no. GRS-069/07.

O. Dunkelman (Ed.): FSE 2009, LNCS 5665, pp. 1–22, 2009.


c International Association for Cryptologic Research 2009
2 J.-P. Aumasson et al.

distinguishers, and in [32, 12, 15] for key recovery. Cube attacks are related to
saturation attacks [17] and to high order differential cryptanalysis [16].

Basics. Let Fn be the set of all functions mapping {0, 1}n to {0, 1}, n > 0,
and let f ∈ Fn . The algebraic normal form (ANF) of f is the polynomial p over
GF(2) in variables x1 , . . . , xn such that evaluating p on x ∈ {0, 1}n is equivalent
to computing f (x), and such that it is of the form1
n
2 −1
i
ai · xi11 xi22 · · · xn−1
n−1 in
xn
i=0
n
for some (a0 , . . . , a2n −1 ) ∈ {0, 1}2 , and where ij denotes the j-th digit of the
binary encoding of i (and so the sum spans all monomials in x1 , . . . , xn ). A key
observation regarding cube attacks is that for any function f : {0, 1}n → {0, 1},
the sum (XOR) of all entries in the truth table

f (x)
x∈{0,1}n

equals the coefficient of the highest degree monomial x1 · · · xn in the algebraic

normal form (ANF) of f . For example, let n = 4 and f be defined as

f (x1 , x2 , x3 , x4 ) = x1 + x1 x2 x3 + x1 x2 x4 + x3 .

Then summing f (x1 , x2 , x3 , x4 ) over all 16 distinct inputs makes all monomials
vanish and yields zero, i.e. the coefficient of the monomial x1 x2 x3 x4 . Instead,
cube attacks sum over a subset of the inputs; for example summing over the four
possible values of (x1 , x2 ) gives

f (0, 0, x3 , x4 ) + f (0, 1, x3 , x4 ) + f (1, 0, x3 , x4 ) + f (1, 1, x3 , x4 ) = x3 + x4 ,

where (x3 + x4 ) is the polynomial that multiplies x1 x2 in f :

f (x1 , x2 , x3 , x4 ) = x1 + x1 x2 (x3 + x4 ) + x3 .

Generalizing, given an index set I  {1, . . . , n}, any function in Fn can be

represented algebraically under the form

f (x1 , . . . , xn ) = tI · p(· · · ) + q(x1 , . . . , xn )

where tI is the monomial containing all the xi ’s with i ∈ I, p is a polynomial

that has no variable in common with tI , and such that no monomial in the
polynomial q contains tI (that is, we factored f by the monomial tI ). Summing
f over the cube tI for other variables fixed, one gets
 
tI · p(· · · ) + q(x1 , . . . , xn ) = tI · p(· · · ) = p(· · · ),
I I
1
The ANF of any f ∈ Fn has degree at most n, since xdi = xi , for xi ∈ GF(2), d > 0.
 Cube Testers and Key Recovery Attacks 3

that is, the evaluation of p for the chosen fixed variables. Following the termi-
nology of [9], p is called the superpoly of I in f . A cube tI is called a maxterm if
and only if its superpoly p has degree 1 (i.e., is linear but not a constant). The
polynomial f is called the master polynomial.
Given access to a cryptographic function with public and secret variables, the
attacker has to recover the secret key variables. Key recovery is achieved in two
steps, a preprocessing and an online phase, which are described below.

Preprocessing. One first finds sufficiently many maxterms tI of the master

polynomial. For each maxterm, one computes the coefficients of the secret vari-
ables in the symbolic representation of the linear superpoly p. That is, one
reconstructs the ANF of the superpoly of each tI . Reconstruction is achieved
via probabilistic linearity tests [5], to check that a superpoly is linear, and to
identify which variables it contains. The maxterms and superpolys are not key-
dependent, thus they need to be computed only once per master polynomial.
The main challenge of the cube attack is to find maxterms. We propose the
following simple preprocessing heuristic: one randomly chooses a subset I of k
public variables. Thereafter one uses a linearity test to check whether p is linear.
If the subset I is too small, the corresponding superpoly p is likely to be a
nonlinear function in the secret variables, and in this case the attacker adds a
public variable to I and repeats the process. If I is too large, the sum will be a
constant function, and in this case he drops one of the public variables from I
and repeats the process. The correct choice of I is the borderline between these
cases, and if it does not exist the attacker retries with a different initial I.

Online Phase. Once sufficiently many maxterms and the ANF of their super-
polys are found, preprocessing is finished and one performs the online phase.
Now the secret variables are fixed: one evaluates the superpoly’s p by summing
f (x) over all the values of the corresponding maxterm, and gets as a result a lin-
ear combination of the key bits (because the superpolys are linear). The public
variables that are not in the maxterm should be set to a fixed value, and to the
same value as set in the preprocessing phase.
Assuming that the degree of the master polynomial is d, each sum requires
at most 2d−1 evaluations of the derived polynomials (which the attacker obtains
via a chosen plaintext attack). Once enough linear superpolys are found, the key
can be recovered by simple linear algebra techniques.

1.2 MD6
Rivest presented the hash function MD6 [24, 25] as a candidate for NIST’s hash
competition2 . MD6 shows originality in both its operation mode—a parametrized
quadtree [7]—and its compression function, which repeats hundreds of times a
simple combination of XOR’s, AND’s and shift operations: the r-round compres-
sion function of MD6 takes as input an array A0 , . . . , A88 of 64-bit words, recur-
sively computes A89 , . . . , A16r+88 , and outputs the 16 words A16r+73 , . . . , A16r+88 :
2
See http://www.nist.gov/hash-competition
4 J.-P. Aumasson et al.

for i = 89, . . . , 16r + 88

x ← Si ⊕ Ai−17 ⊕ Ai−89 ⊕ (Ai−18 ∧ Ai−21 ) ⊕ (Ai−31 ∧ Ai−67 )
x ← x ⊕ (x  ri )
Ai ← x ⊕ (x i )
return A16r+73,...,16r+88

A step is one iteration of the above loop, a round is a sequence of 16 steps.

The values Si , ri , and i are step-dependent constants (see Appendix A). MD6
generates the input words A0 , . . . , A88 as follows:
√
1. A0 , . . . , A14 contain constants (fractional part of 6; 960 bits)
2. A15 , . . . , A22 contain a key (512 bits)
3. A23 , A24 contain parameters (key length, root bit, digest size, etc.; 128 bits)
4. A25 , . . . , A88 contain the data to be compressed (message block or chain
value; 4096 bits)

The proposed instances of MD6 perform at least 80 rounds (1280 steps) and at
most 168 (2688 steps). Resistance to “standard” differential attacks for collision
finding is proven for up to 12 rounds. The designers of MD6 could break at most
12 rounds with high complexity using SAT-solvers.
The compression function of MD6 can be seen as a device composed of 64 non-
linear feedback shift registers (NFSR’s) and a linear combiner: during a step the
64 NFSR’s are clocked in parallel, then linearly combined. The AND operators
(∧) progressively increase nonlinearity, and the shift operators provide wordwise
diffusion. This representation will make our attacks easier to understand.

1.3 Trivium

The stream cipher Trivium was designed by De Cannière and Preneel [6] and sub-
mitted as a candidate to the eSTREAM project in 2005. Trivium was eventually
chosen as one of the four hardware ciphers in the eSTREAM portofolio3 . Re-
duced variants of Trivium underwent several attacks [23, 19, 20, 31, 32, 10, 12, 22],
including cube attacks [9].
Trivium takes as input a 80-bit key and a 80-bit IV, and produces a keystream
after 1152 rounds of initialization. Each round corresponds to clocking three feed-
back shift registers, each one having a quadratic feedback polynomial. The best
result on Trivium is a cube attack [9] on a reduced version with 767 initialization
rounds instead of 1152.

1.4 The Contributions of This Paper

First we apply cube attacks to keyed versions of the compression function of

MD6. The MD6 team managed to break up to 12 rounds using a high complex-
ity attack based on SAT solvers. In this paper we show how to break the same
12 round version and recover the full 128-bit key with trivial complexity using
3
See http://www.ecrypt.eu.org/stream/
 Cube Testers and Key Recovery Attacks 5

√
Table 1. Summary of the best known attacks on MD6 and Trivium (“ ” designates
the present paper)

#Rounds Time Attack Authors

MD6
12 hours inversion [25]
√
14 222 key recovery
√
18 217 nonrandomness
√
66 224 nonrandomness
Trivium
33
736 2 distinguisher [10]
736 230 key-recovery [9]
767 236 key-recovery [9]
√
772 224 distinguisher
27 √
785 2 distinguisher
30 √
790 2 distinguisher
√
842 224 nonrandomness
√
885 227 nonrandomness

: for a modified version where Si = 0.

: cost excluding precomputation.

a cube attack, even under the assumption that the attacker does not know any-
thing about its design (i.e., assuming that the algorithm had not been published
and treating the function as a black box polynomial). By exploiting the known
internal structure of the function, we can improve the attack and recover the
128-bit key of a 14-round MD6 function in about 222 operations, which take less
than a minute on a single PC. This is the best key recovery attack announced
so far on MD6.
Then we introduce the new notion of cube tester, which combines the cube
attack with efficient property-testers, and can be used to mount distinguishers or
to detect nonrandomness in cryptographic primitives. Cube testers are flexible
attacks that are adaptable to the primitive attacked. Some cube testers don’t
require the function attacked to have a low degree, but just to satisfy some
testable property with significantly higher (or lower) probability than a random
function. To the best of our knowledge, this is one of the first explicit applications
of property-testing to cryptanalysis.
Applying cube testers to MD6, we can detect nonrandomness in reduced ver-
sions with up to 18 rounds in just 217 time. In a variant of MD6 in which all
the step constants Si are zero, we could detect nonrandomness up to 66 rounds
using 224 time. Applied to Trivium, cube testers give distinguishers on up to
790 in time 230 , and detect nonrandomness on up to 885 rounds in 227 . Table 1
summarizes our results on MD6 and Trivium, comparing them with the previous
attacks .
As Table 1 shows, all our announced complexities are quite low, and presum-
ably much better results can be obtained if we allow a complexity bound of 250
6 J.-P. Aumasson et al.

(which is currently practical on a large network of PC’s) or even 280 (which

may become practical in the future). However, it is very difficult to estimate the
performance of cube attacks on larger versions without actually finding the best
choice of cube variables, and thus our limited experimental resources allowed us
to discover only low complexity attacks. On the other hand, all our announced
attacks are fully tested and verified, whereas other types of algebraic attacks are
often based on the conjectured independence of huge systems of linear equations,
which is impossible to verify in a realistic amount of time.

2 Key Recovery on MD6

2.1 Method

We describe the attack on reduced-round variants of a basic keyed version of the

MD6 compression function. The compression function of the basic MD6 keyed
version we tested uses a key of 128 bits, and outputs 5 words. Initially, we used
the basic cube attack techniques that treat the compression function as a black
box, and were able to efficiently recover the key for up to 12 rounds. We then
used the knowledge of the internal structure of the MD6 compression function
to improve on these results. The main idea of the improved attack is to choose
the public variables in the cube that we sum over so that they do not mix
with the key in the initial mixing rounds. In addition, the public variables that
do not belong to the cube are assigned predefined constant values that limit
the diffusion of the private variables and the cube public variables in the MD6
array for as many rounds as possible. This reduces the degree of the polynomials
describing the output bits as functions in the private variables and the cube
public variables, improving the performance of the cube attack.
The improved attack is based on the observation that in the feedback function,
Ai depends on Ai−17 , Ai−89 , Ai−18 , Ai−31 and Ai−67 . However, since Ai−18 is
ANDed with Ai−21 , the dependency of Ai on Ai−18 can be eliminated regardless
of its value, by zeroing Ai−21 (assuming the value of Ai−21 can be controlled by
the attacker). Similarly, dependencies on Ai−21 , Ai−31 or Ai−67 can be eliminated
by setting the corresponding ANDed word to zero. On the other hand, removing
the linear dependencies of Ai on Ai−17 or Ai−89 is not possible if their value
is unknown (e.g. for private variables), and even if their values are known (e.g.
for public variables), the elimination introduces another dependency, which may
contribute to the diffusion of the cube public variables (for example it is possible
to remove the dependency of Ai on Ai−89 by setting Ai−17 to the same value,
introducing the dependency of Ai−17 on Ai−89 ).
These observations lead to the conclusion that the attacker can limit the
diffusion of the private variables by removing as many quadratic dependencies
of the array variables on the private variables as possible. The basic MD6 keyed
version that we tested uses a 2-word (128-bit) key, which is initially placed in
A15 and A16 . Note that the MD6 mode of operation dedicates a specific part of
the input to the key in words A15 , . . . , A22 (512 bits in total).
 Cube Testers and Key Recovery Attacks 7

Table 2 describes the diffusion of the key into the MD6 compression function
array up to step 189 (the index of the first outputted word is 89).
In contrast to the predefined private variable indexes, the attacker can choose
the indexes of the cube public variables, and improve the complexity of the attack
by choosing such cube public variables that diffuse linearly to the MD6 array
only at the later stages of the mixing process. Quadratic dependencies of an array
word on cube public variables can be eliminated if the attacker can control the
value of the array word that is ANDed with the array word containing the cube
public variables. It is easy to verify that the public variable word that is XORed
back to the MD6 array at the latest stage of the mixing process is A71 , which
is XORed in step 160 to A160 . Thus, the array word with index 71 and words
with index just under 71, seem to be a good choice for the cube public variables.
Exceptions are A68 and A69 which are mixed with the key in steps 135 and 136
and should be zeroed. We tested several cubes, and the best preprocessing results
were obtained by choosing cube indexes from A65 . One of the reason that A65
gives better results than several other words (e.g. A71 ) is that it is ANDed with
just 2 words before it is XORed again into the array in step 154, whereas A71
is ANDed with 4 words before step 170. This gives the attacker more freedom
to choose the values of the fixed public variables, and limit the diffusion of the
private and cube public variables for more rounds.Table 3 describes the diffusion
of A65 into the MD6 compression function array up to step 185 (the index of the
first outputted word is 89).

2.2 Results

We were able to prevent non-linear mixing of the cube public variables and
the private variables for more than 6 MD6 compression function rounds. This
was made possible by zeroing all the MD6 array words whose indexes are listed
in the third column of Table 2 and Table 3 (ignoring the special ”L” values).
As described in the previous section, we set the values of several of the 63
attacker controlled words, excluding A65 (from which the cube public variables
were chosen), to predefined constants that zero the words specified in the third
column. Public variables whose value does not affect the values of the listed
MD6 array words were set to zero. We were not able to limit the diffusion of the
cube public variables and the private variables as much when all the cube public
variable indexes were chosen from words other than A65 .
We describe the cube attack results on the keyed MD6 version. The results
were obtained by running the preprocessing phase of the cube attack with the
special parameters describes above. We found many dense maxterms for 13-
round MD6, with associated cubes of size 5. Each of the maxterms passed at
least 100 linearity tests, thus the maxterm equations are likely to be correct for
most keys. During the online phase, the attacker evaluates the superpolys by
summing over the cubes of size 5. This requires a total of about 212 chosen IVs.
The total complexity of the attack is thus no more than 212 .
We were able to find many constant superpolys for 14 rounds of MD6, with
associated cubes of size 7. However, summing on cubes of size 6 gives superpolys
8 J.-P. Aumasson et al.

Table 2. Diffusion of the private variables into the MD6 compression function array in
the initial mixing steps. The third column specifies the MD6 array index of the word
that is ANDed with the key-dependent array word index in the step number specified
by the first column. The output of step i is inserted into Ai . If the key-dependent
array word is diffused linearly, then L is written instead. Note that once a dependency
of an MD6 array word on the private variables can be eliminated, it does not appear
any more as key-dependent (i.e. we assume that this dependency is eliminated by the
attacker).

Step Key-dependent array index ANDed index

104 15 L
105 16 L
121 104 L
122 105 L
122 104 101
123 105 102
125 104 107
126 105 108
135 104 68
136 105 69
138 121 L
139 122 L
139 121 118
140 122 119
142 121 124
143 122 125
152 121 85
153 122 86
155 138 L
156 139 L
156 138 135
157 139 136
159 138 141
160 139 142
169 138 102
170 139 103
171 104 140
172 105 141
172 155 L
173 156 L
173 155 152
174 156 153
176 155 158
177 156 159
186 155 119
187 156 120
187 121 157
188 122 158
 Cube Testers and Key Recovery Attacks 9

Table 3. Diffusion of A65 into the MD6 compression function array in the initial mixing
rounds (if the key-dependent array word is diffused linearly, then L is written instead)

Step A65 -dependent array index Multiplicand index

96 65 29
132 65 101
154 65 L
171 154 L
172 154 151
175 154 157
185 154 118

of high degree in the key bits. In order to further eliminate most (but not all)
high degree terms from the superpolys obtained by summing on cubes of size
6, we added more public variable indexes from words other than A65 . The best
results were obtained by choosing the remaining indexes from A32 , A33 , A49
and A50 (which are directly XORed with key bits in steps 121, 122, 138 and
139). Using this approach, we found many dense maxterms for 14-round MD6,
with associated cubes of size 15. Some of these results are listed in Table 5
(Appendix A), many more linearly independent maxterms can be easily obtained
by choosing other cube indexes from the same words listed in Table 5. During the
online phase, the attacker evaluates the superpolys by summing over the cubes
of size 15. This requires a total of about 222 chosen IVs. The total complexity
of the attack is thus no more than 222 . In fact every IV gives many maxterms,
so the required total of chosen IVs is lower than 222 , and the total complexity
of the attack is less than 222 .
We were able to find many constant superpolys for 15 rounds of MD6, with
associated cubes of size 14. We were not able to find low degree superpolys for 15-
round MD6. However, it seems likely that low degree equation for 15-round MD6
can be obtained using approaches similar to the one we used to recover the key
for 14-round MD6. Hence we believe that cube attacks can efficiently recover the
key for 15-round MD6. Furthermore, we believe that cube key recovery attacks
will remain faster than exhaustive search for 18-19 MD6 rounds.

3 Cube Testers
3.1 Definitions
Recall that Fn denotes the set of all functions mapping {0, 1}n to {0, 1}, n > 0.
For a given n, a random function is a random element of Fn (we have |Fn | =
n
22 ). In the ANF of a random function, each monomial (and in particular, the
highest degree monomial x1 · · · xn ) appears with probability 1/2, hence a random
function has maximal degree of n with probability 1/2. Similarly, it has degree
(n − 2) or less with probability 1/2n+1 . Note that the explicit description of a
random function can be directly expressed as a circuit with, in average, 2n−1
10 J.-P. Aumasson et al.

gates (AND and XOR), or as a string of 2n bits where each bit is the coefficient
of a monomial (encoding the truth table also requires 2n bits, but hides the
algebraic structure).
Informally, a distinguisher for a family F  Fn is a procedure that, given a
function f randomly sampled from F  ∈ {F, Fn }, efficiently determines which
one of these two families was chosen as F  . A family F is pseudorandom if and
only if there exists no efficient distinguisher for it. In practice, e.g. for hash
functions or ciphers, a family of functions is defined by a k-bit parameter of
the function, randomly chosen and unknown to the adversary, and the function
is considered broken (or, at least, “nonrandom”) if there exists a distinguisher
making significantly less than 2k queries to the function. Note that a distin-
guisher that runs in exponential time in the key may be considered as “efficient”
in practice, e.g. 2k−10 .
We would like to stress the terminology difference between a distinguisher and
the more general detection of pseudorandomness, when speaking about crypto-
graphic algorithms; the former denotes a distinguisher (as defined above) where
the parameter of the family of functions is the cipher’s key, and thus can’t be
modified by the adversary through its queries; the latter considers part of the
key as a public input, and assumes as secret an arbitrary subset of the input
(including the input bits that are normally public, like IV bits). The detection
of nonrandomness thus does not necessarily correspond to a realistic scenario.
Note that related-key attacks are captured by neither one of those scenarios.
To distinguish F  Fn from Fn , cube testers partition the set of public
variables {x1 , . . . , xn } into two complementary subsets:

– cube variables (CV)

– superpoly variables (SV)

We illustrate these notions with the example from §1.1: recall that, given

f (x1 , x2 , x3 , x4 ) = x1 + x1 x2 x3 + x1 x2 x4 + x3 ,

we considered the cube x1 x2 and called (x3 + x4 ) its superpoly, because

f (x1 , x2 , x3 , x4 ) = x1 + x1 x2 (x3 + x4 ) + x3 .

Here the cube variables (CV) are x1 and x2 , and the superpoly variables (SV)
are x3 and x4 . Therefore, by setting a value to x3 and x4 , e.g. x3 = 0, x4 = 1,
one can compute (x3 + x4 ) = 1 by summing f (x1 , x2 , x3 , x4 ) for all possibles
choices of (x1 , x2 ). Note that it is not required for a SV to actually appear in
the superpoly of the maxterm. For example, if f (x1 , x2 , x3 , x4 ) = x1 + x1 x2 x3 ,
then the superpoly of x1 x2 is x3 , but the SV’s are both x3 and x4 .

Remark. When f is, for example, a hash function, not all inputs should be
considered as variables, and not all Boolean components should be considered
as outputs, for the sake of efficiency. For example if f maps 1024 bits to 256 bits,
one may choose 20 CV and 10 SV and set a fixed value to the other inputs. These
 Cube Testers and Key Recovery Attacks 11

fixed inputs determine the coefficient of each monomial in the ANF with CV and
SV as variables. This is similar to the preprocessing phase of key-recovery cube
attacks, where one has access to all the input variables. Finally, for the sake
of efficiency, one may only evaluate the superpolys for 32 of the 256 Boolean
components of the output.

3.2 Examples
Cube testers distinguish a family of functions from random functions by testing
a property of the superpoly for a specific choice of CV and SV. This section
introduces this idea with simple examples. Consider

f (x1 , x2 , x3 , x4 ) = x1 + x1 x2 x3 + x1 x2 x4 + x3

and suppose we choose CV x3 and x4 and SV x1 and x2 , and evaluate the

superpoly of x3 x4 :

f (x1 , x2 , 0, 0) + f (x1 , x2 , 0, 1) + f (x1 , x2 , 1, 0) + f (x1 , x2 , 1, 1) = 0 ,

This yields zero for any (x1 , x2 ) ∈ {0, 1}2 , i.e. the superpoly of x3 x4 is zero,
i.e. none of the monomials x3 x4 , x1 x3 x4 , x2 x3 x4 , or x1 x2 x3 x4 appears in f . In
comparison, in a random function the superpoly of x3 x4 is null with probability
only 1/16, which suggests that f was not chosen at random (indeed, we chose it
particularly sparse, for clarity). Generalizing the idea, one can deterministically
test whether the superpoly of a given maxterm is constant, and return “random
function” if and only if the superpoly is not constant. This is similar to the test
used in [10].
Let f ∈ Fn , n > 4. We present a probabilistic test that detects the presence
of monomials of the form x1 x2 x3 xi . . . xj (e.g. x1 x2 x3 , x1 x2 x3 xn , etc.):
1. choose a random value of (x4 , . . . , xn ) ∈ {0, 1}n−4
2. sum f (x1 , . . . , xn ) over all values of (x1 , x2 , x3 ), to get

f (x1 , . . . , xn ) = p(x4 , . . . , xn )
(x1 ,x2 ,x3 )∈{0,1}3

where p is a polynomial such that

f (x1 , . . . , xn ) = x1 x2 x3 · p(x4 , . . . , xn ) + q(x1 , . . . , xn )

where the polynomial q contains no monomial with x1 x2 x3 as a factor in its

ANF
3. repeat the two previous steps N times, recording the values of p(x4 , . . . , xn )
If f were a random function, it would contain at least one monomial of the
form x1 x2 x3 xi . . . xj with high probability; hence, for a large enough number of
repetitions N , one would record at least one nonzero p(x4 , . . . , xn ) with high
probability. However, if no monomial of the form x1 x2 x3 xi . . . xj appears in the
ANF, p(x4 , . . . , xn ) always evaluates to zero.
12 J.-P. Aumasson et al.

3.3 Building on Property Testers

Cube testers combine an efficient property tester on the superpoly, which is

viewed either as a polynomial or as a mapping, with a statistical decision rule.
This section gives a general informal definition of cube testers, starting with
basic definitions. A family tester for a family of functions F takes as input a
function f of same domain D and tests if f is close to F , with respect to a
bound  on the distance
|{x ∈ D, f (x) = g(x)}|
δ(f, F ) = min .
g∈F |D|

The tester accepts if δ(f, F ) = 0, rejects with high probability if f and F are
not -close, and behaves arbitrarily otherwise. Such a test captures the notion of
property-testing, when a property is defined by belonging to a family of functions
P; a property tester is thus a family tester for a property P.
Suppose one wishes to distinguish a family F  Fn from Fn , i.e., given a
random f ∈ F  , to determine whether F  is F or Fn (for example, in Trivium,
F may be a superpoly with respect to CV and SV in the IV bits, such that
each f ∈ F is computed with a distinct key). Then if F is efficiently testable
(see [26, 14]), then one can use directly a family tester for F on f to distinguish
it from a random function.
Cube testers detect nonrandomness by applying property testers to super-
polys: informally, as soon as a superpoly has some “unexpected” property (that
is, is anormally structured) it is identified as nonrandom. Given a testable prop-
erty P  Fn , cube testers run a tester for P on the superpoly function f , and
use a statistical decision rule to return either “random” or “nonrandom”. The
decision rule depends on the probabilities |P|/|Fn | and |P ∩ F |/|F | and on a
margin of error chosen by the attacker. Roughly speaking, a family F will be
distinguishable from Fn using the property P if
 
 |P| |P ∩ F | 
 −
 |Fn | |F | 

is non-negligible. That is, the tester will determine whether f is significantly

closer to P than a random function. Note that the dichotomy between structure
(e.g. testable properties) and randomness has been studied in [30].

3.4 Examples of Testable Properties

Below, we give examples of efficiently testable properties of the superpoly, which

can be used to build cube testers (see [14] for a general characterization of
efficiently testable properties). We let C be the size of CV, and S be the size of
SV; the complexity is given as the number of evaluations of the tested function
f . Note that each query of the tester to the superpoly requires 2C queries to the
target cryptographic function. The complexity of any property tester is thus,
even in the best case, exponential in the number of CV.
 Cube Testers and Key Recovery Attacks 13

Balance. A random function is expected to contain as many zeroes as ones in

its truth table. Superpolys that have a strongly unbalanced truth table can thus
be distinguished from random polynomials, by testing whether it evaluates as
often to one as to zero, either deterministically (by evaluating the superpoly for
each possible input), or probabilistically (over some random subset of the SV).
For example, if CV are x1 , . . . , xC and SV are xC+1 , . . . , xn , the deterministic
balance test is
1. c ← 0
2. for all values of (xC+1 , . . . , xn )
3. compute

p(xC+1 , . . . , xn ) = f (x1 , . . . , xn ) ∈ {0, 1}
(x1 ,...,xC )

4. c ← c + p(xC+1 , . . . , xn )
5. return D(c) ∈ {0, 1}
where D is some decision rule. A probabilistic version of the test makes N < 2S
iterations, for random distinct values of (xC+1 , . . . , xn ). Complexity is respec-
tively 2n and N · 2C .

Constantness. A particular case of balance test considers the “constantness”

property, i.e. whether the superpoly defines a constant function; that is, it detects
either that f has maximal degree strictly less than C (null superpoly), or that f
has maximal degree exactly C (superpoly equals the constant 1), or that f has
degree strictly greater than C (non-constant superpoly). This is equivalent to
the maximal degree monomial test used in [10], used to detect nonrandomness
in 736-round Trivium.

Low Degree. A random superpoly has degree at least (S − 1) with high proba-
bility. Cryptographic functions that rely on a low-degree function, however, are
likely to have superpolys of low degree. Because it closely relates to probabilisti-
cally checkable proofs and to error-correcting codes, low-degree testing has been
well studied; the most relevant results to our concerns are the tests for Boolean
functions in [1, 28]. The test by Alon et al. [1], for a given degree d, queries the
function at about d · 4d points and always accepts if the ANF of the function
has degree at most k, otherwise it rejects with some bounded error probability.
Note that, contrary to the method of ANF reconstruction (exponential in S), the
complexity of this algorithm is independent of the number of variables. Hence,
cube testers based on this low-degree test have complexity which is independent
of the number of SV’s.

Presence of Linear Variables. This is a particular case of the low-degree test,

for degree d = 1 and a single variable. Indeed, the ANF of a random function
contains a given variable in at least one monomial of degree at least two with
probability close to 1. One can thus test whether a given superpoly variable
appears only linearly in the superpoly, e.g. for x1 using the following test similar
to that introduced in [5]:
14 J.-P. Aumasson et al.

1. pick random (x2 , . . . , xS )

2. if p(0, x2 , . . . , xS ) = p(1, x2 , . . . , xS )
3. return nonlinear
4. repeat steps 1 to 3 N times
5. return linear
This test answers correctly with probability about 1 − 2−N , and computes N ·
2C+1 times the function f . If, say, a stream cipher is shown to have an IV bit
linear with respect to a set of CV in the IV, independently of the choice of the
key, then it directly gives a distinguisher.

Presence of Neutral Variables. Dually to the above linearity test, one can
test whether a SV is neutral in the superpoly, that is, whether it appears in at
least one monomial. For example, the following algorithm tests the neutrality of
x1 , for N ≤ 2S−1 :
1. pick random (x2 , . . . , xS )
2. if p(0, x2 , . . . , xS ) = p(1, x2 , . . . , xS )
3. return not neutral
4. repeat steps 1 to 3 N times
5. return neutral
This test answers correctly with probability about 1 − 2−N and runs in time
N ·2C . For example, if x1 , x2 , x3 are the CV and x4 , x5 , x6 the SV, then x6 is neu-
tral with respect to x1 x2 x3 if the superpoly p(x4 , x5 , x6 ) satisfies p(x4 , x5 , 0) =
p(x4 , x5 , 1) for all values of (x4 , x5 ). A similar test was implicitly used in [12],
via the computation of a neutrality measure.

Remarks. Except low degree and constantness, the above properties do not
require the superpoly to have a low degree to be tested. For example if the
maxterm x1 x2 has the degree-5 superpoly
x3 x5 x6 + x3 x5 x6 x7 x8 + x5 x8 + x9 ,
then one can distinguish this superpoly from a random one either by detecting
the linearity of x9 or the neutrality of x4 , with a cost independent on the degree.
In comparison, the cube tester suggested in [9] required the degree to be bounded
by d such that 2d is feasible.
Note that the cost of detecting the property during the preprocessing is larger
than the cost of the on-line phase of the attack, given the knowledge of the
property. For example, testing that x1 is a neutral variable requires about N · 2C
queries to the function, but once this property is known, 2C queries are sufficient
to distinguish the function from a random one with high probability.
Finally, note that tests based on the nonrandom distribution of the monomi-
als [11, 27, 21] are not captured by our definition of cube testers, which focus
on high-degree terms. Although, in principle, there exist cases where the former
tests would succeed while cube testers would fail, in practice a weak distribution
of lower-degree monomials rarely comes with a good distribution of high-degree
ones, as results in [10] and of ourselves suggest.
 Cube Testers and Key Recovery Attacks 15

4 Cube Testers on MD6

We use cube testers to detect nonrandom properties in reduced-round versions
of the MD6 compression function, which maps the 64-bit words A0 , . . . , A88
to A16r+73 , . . . , A16r+88 , with r the number of rounds. From the compression
function f : {0, 1}64×89 → {0, 1}64×16 , our testers consider families of functions
{fm } where a random fi : {0, 1}64×89−k → {0, 1}64×16 has k input bits set to a
random k-bit string. The attacker can thus query fi , for a randomly chosen key
i, on (64 × 89 − k)-bit inputs.
The key observations leading to our improved attacks on MD6 are that:
1. input words appear either linearly (as Ai−89 or Ai−17 ) or nonlinearly (as
A18 , A21 , A31 , or A67 ) within a step
2. words A0 , . . . , A21 are input once, A22 , . . . , A57 are input twice, A58 , . . . , A67
are input three times, A68 , A69 , A70 four times, A71 five times, and A72 , . . . ,
A88 six times
3. all input words appear linearly at least once (A0 , . . . , A71 ), and at most twice
(A72 , . . . , A88 )
4. A57 is the last word input (at step 124, i.e. after 2 rounds plus 3 steps)
5. A71 is the last word input linearly (at step 160, i.e. after 4 rounds plus 7
steps)
6. differences in a word input nonlinearly are “absorbed” if the second operand
is zero (e.g. Ai−18 ∧ Ai−21 = 0 if Ai−18 is zero, for any value of Ai−21 )
Based on the above observations, the first attack (A) makes only black-box
queries to the function. The second attack (B) can be seen as a kind of related-
key attack, and is more complex and more powerful. Our best attacks, in terms
of efficiency and number of rounds broken, were obtained by testing the balance
of superpolys.

4.1 Attack A
This attack considers CV, SV, and secret bits in A71 : the MSB’s of A71 contain
the CV, the LSB’s contain the 30 secret bits, and the 4 bits “in the middle” are
the SV. The other bits in A71 are set to zero. To minimize the density and the
degree of the ANF, we set Ai = Si for i = 0, . . . , 57 in order to eliminate the
constants Si from the expressions, and set Ai = 0 for i = 58, . . . , 88 in order to
eliminate the quadratic terms by “absorbing” the nonzero A22 , . . . , A57 through
AND’s with zero values.
The attack exploits the fact that A71 is the last word input linearly. We set
initial conditions on the message such that modifications in A71 are only effective
at step 160, and so CV and SV are only introduced (linearly) at step 160: in
order to absorb A71 before step 160, one needs A68 = A74 = A35 = A107 = 0,
respectively for steps 89, 92, 102, and 138.
Given the setup above, the attack evaluates the balance of the superpoly for
each of the 1024 output components, in order to identify superpolys that are
constant for a large majority of inputs (SV). These superpolys may be either
constants, or unbalanced nonlinear functions. Results for reduced and modified
MD6 are given in subsequent sections.
16 J.-P. Aumasson et al.

4.2 Attack B

This attack considers CV, SV, and secret bits in A54 , at the same positions as
in Attack A. Other input words are set by default to Si for A0 , . . . , A47 , and to
zero otherwise.
The attack exploits the fact that A54 and A71 are input linearly only once, and
that both directly interact with A143 . We set initial conditions on the message
such that CV and SV are only effective at step 232. Here are the details of this
attack:

– step 143: input variables are transfered linearly to A143

– step 160: A143 is input linearly; to cancel it, and thus to avoid the introduc-
tion of the CV and SV in the ANF, one needs A71 = S160 ⊕ A143
– step 92: A71 is input nonlinearly; to cancel it, in order to make A138 inde-
pendent of A143 , we need A74 = 0
– step 138: A71 is input nonlinearly; to cancel it, one needs A107 = 0
– step 161: A143 is input nonlinearly; to cancel it, one needs A140 = 0
– step 164: A143 is input nonlinearly; to cancel it, one needs A146 = 0
– step 174: A143 is input nonlinearly; to cancel it, one needs A107 = 0 (as for
step 138)
– step 210: A143 is input nonlinearly; to cancel it, one needs A179 = 0
– step 232: A143 is input linearly, and introduces the CV and SV linearly into
the ANF

To satisfy the above conditions, one has to choose suitable values of A1 , A18 ,
A51 , A57 , A74 . These values are constants that do not depend on the input in
A54 .
Given the setup above, the attack evaluates the balance of the superpoly for
each of the 1024 output components, in order to identify superpolys that are
constant for large majority of inputs (SV). Results for reduced and modified
MD6 are given in §4.3.

4.3 Results

In this subsection we report the results we obtained by applying attacks A and

B to reduced versions of MD6, and to a modified version of MD6 that sets all
the constants Si to zero. Recall that by using C CV’s, the complexity of the
attack is about 2C computations of the function. We report results for attacks
using at most 20 CV (i.e. doable in less than a minute on a single PC):

– with attack A, we observed strong imbalance after 15 rounds, using 19 CV.

More precisely, the Boolean components corresponding to the output bits
in A317 and A325 all have (almost) constant superpoly. When all the Si
constants are set to 0, we observed that all the outputs in A1039 and A1047
have (almost) constant superpoly, i.e. we can break 60 rounds of this modified
MD6 version using only 14 CV’s.
 Cube Testers and Key Recovery Attacks 17

– with attack B, we observed strong imbalance after 18 rounds, using 17 CV’s.

The Boolean components corresponding to the output bits in A368 and A376
all have (almost) constant superpoly. When Si = 0, using 10 CV’s, one finds
that all outputs in A1114 and A1122 have (almost) constant superpoly, i.e. one
breaks 65 rounds. Pushing the attack further, one can detect nonrandomness
after 66 rounds, using 24 CV’s.
The difference of results between the original MD6 and the modified case in which
Si = 0 comes from the fact that a zero Si makes it possible to keep a sparse state
during many rounds, whereas a nonzero Si forces the introduction of nonzero
bits in the early steps, thereby quickly increasing the density of the implicit
polynomials, which indirectly facilitates the creation of high degree monomials.

5 Cube Testers on Trivium

Observations in [9, Tables 1,2,3] suggest nonrandomness properties detectable
in time about 212 after 684 rounds, in time 224 after 747 rounds, and in time 230
after 774 rounds. However, a distinguisher cannot be directly derived because
the SV used are in the key, and thus cannot be chosen by the attacker in an
attack where the key is fixed.

5.1 Setup
We consider families of functions defined by the secret key of the cipher, and
where the IV corresponds to public variables. We first used the 23-variable index
sets identified in [8, Table 2]; even though we have not tested all entries, we
obtained the best results using the IV bits (starting from zero)
{3, 4, 6, 9, 13, 17, 18, 21, 26, 28, 32, 34, 37, 41, 47, 49, 52, 58, 59, 65, 70, 76, 78} .

For this choice of CV, we choose 5 SV, either

– in the IV, at positions 0, 1, 2, 35, 44 (to have a distinguisher), or
– in the key, at positions 0, 1, 2, 3, 4 (to detect nonrandomness)
For experiments with 30 CV, we use another index set discovered in [8]:
{1, 3, 6, 12, 14, 18, 22, 23, 24, 26, 30, 32, 33, 35, 36, 39, 40, 44, 47, 49, 50, 53, 59, 60, 61, 66, 68, 69, 72, 75} .

IV bits that are neither CV nor SV are set to zero, in order to minimize the degree
and the density of the polynomials generated during the first few initialization
steps. Contrary to MD6, we obtain the best results on Trivium by testing the
presence of neutral variables. We look for neutral variables either for a random
key, or for the special case of the zero key, which is significantly weaker with
respect to cube testers.
In addition to the cubes identified in [8, Table 2], we were able to further
improve the results by applying cube testers on carefully chosen cubes, where the
indexes are uniformly spread (the distance between neighbors is at least 2). These
cubes exploit the internal structure of Trivium, where non linear operations are
18 J.-P. Aumasson et al.

only performed on consecutive cells. The best results were obtained using the
cubes below:

{0, 3, 6, 9, 12, 15, 18, 21, 24, 27, 33, 36, 39, 42, 45, 48, 51, 60, 63, 66, 69, 72, 75, 79}
{0, 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 36, 39, 42, 45, 48, 51, 54, 57, 60, 63, 66, 69, 72, 75, 79}
{0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 21, 24, 27, 30, 33, 36, 39, 42, 45, 48, 51, 54, 57, 60, 63, 66, 69, 72, 75, 79}

5.2 Results
We obtained the following results, by testing the neutrality of the SV in the
superpoly:
– with 23 CV, and SV in the IV, we found a distinguisher on up to 749 rounds
(runtime 223 ); SV 0, 1, 2, and 3 are neutral after 749 initialization rounds.
Using the zero key, neutral variables are observed after 755 rounds (SV 0, 1
are neutral).
– with 23 CV, and SV in the key, we observed nonrandomness after 758 initial-
ization rounds (SV 1, 2, 3 are neutral). Using the zero key, nonrandomness
was observed after 761 rounds (SV 0 is neutral).
– with 30 CV, and SV in the key, we observed nonrandomness after 772 initial-
ization rounds (SV 0, 2, 4 are neutral). Using the zero key, nonrandomness
was observed after 782 rounds (SV 2, 3, 4 are neutral).
With the the new chosen cubes we obtain the following results:

– with 24 CV, we observe that the resultant superpoly after 772 initialization
rounds is constant, hence we found a distinguisher on up to 772 rounds.
Using the neutrality test, for the zero key, we detected nonrandomness over
up to 842 rounds (the 4 first key bits are neutral).
– with 27 CV, we observe that the resultant superpoly after 785 initialization
rounds is constant, hence we found a distinguisher on up to 785 rounds.
Using the neutrality test, for the zero key, we detected nonrandomness over
up to 885 rounds (bits 0, 3, and 4 of the key are neutral).
– with 30 CV, we observe that the resultant superpoly after 790 initialization
rounds is constant, hence we found a distinguisher for Trivium with up to
790 rounds.
Better results are obtained when the SV’s are in the key, not the IV; this is
because the initialization algorithm of Trivium puts the key and the IV into
two different registers, which make dependency between bits in a same register
stronger than between bits in different registers.
In comparison, [10], testing the constantness of the superpoly, reached 736
rounds with 33 CV. The observations in [8], obtained by testing the linearity of
SV in the key, lead to detectable nonrandomness on 748 rounds with 23 CV, and
on 771 rounds with 30 CV.
 Cube Testers and Key Recovery Attacks 19

6 Conclusions

We applied cube attacks to the reduced-round MD6 compression function, and

could recover a full 128-bit key on 14-round MD6 with a very practical complex-
ity of 222 evaluations. This outperforms all the attacks obtained by the designers
of MD6.
Then we introduced the notion of cube tester, based on cube attacks and
on property-testers for Boolean functions. Cube testers can be used to mount
distinguishers or to simply detect nonrandomness in cryptographic algorithms.
Cube testers do not require large precomputations, and can even work for high
degree polynomials (provided they have some “unexpected” testable property).
Using cube testers, we detected nonrandomness properties after 18 rounds of
the MD6 compression function (the proposed instances have at least 80 rounds).
Based on observations in [9], we extended the attacks on Trivium a few more
rounds, giving experimentally verified attacks on reduced variants with up to
790 rounds, and detection of nonrandomness on 885 rounds (against 1152 in the
full version, and 771 for the best previous attack).
Our results leave several issues open:

1. So far cube attacks have resulted from empirical observations, so that one
could only assess the existence of feasible attacks. However, if one could
upper-bound the degree of some Boolean component (e.g. of MD6 or Triv-
ium) after a higher number of rounds, then one could predict the existence
of observable nonrandomness (and one may build distinguishers based on
low-degree tests [1]). The problem is closely related to that of bounding the
degree of a nonlinear recursive Boolean sequence which, to the best of our
knowledge, has remained unsolved.
2. Low-degree tests may be used for purposes other than detecting nonrandom-
ness. For example, key-recovery cube attacks may be optimized by exploit-
ing low-degree tests, to discover low-degree superpolys, and then reconstruct
them. Also, low-degree tests for general fields [13] may be applicable to hash
functions based on multivariate systems [4], which remain unbroken over
fields larger than GF(2) [2].
3. Our attacks on MD6 detect nonrandomness of reduced versions of the com-
pression function, and even recover a 128-bit key. It would be interesting to
extend these attacks to a more realistic scenario, e.g. that would be applica-
ble to the MD6 operation mode, and/or to recover larger keys.
4. One may investigate the existence of cube testers on other primitives that are
based on low-degree functions, like RadioGatún, Panama, the stream cipher
MICKEY, and on the SHA-3 submissions ESSENCE [18], and Keccak [3]. We
propose to use cube attacks and cube testers as a benchmark for evaluating
the algebraic strength of primitives based on a low-degree component, and
as a reference for choosing the number of rounds. Our preliminary results on
Grain-128 outperform all previous attacks, but will be reported later since
they are still work in progress.
20 J.-P. Aumasson et al.

References
1. Alon, N., Kaufman, T., Krivelevich, M., Litsyn, S., Ron, D.: Testing low-degree
polynomials over GF(2). In: Arora, S., Jansen, K., Rolim, J.D.P., Sahai, A. (eds.)
RANDOM 2003 and APPROX 2003. LNCS, vol. 2764, pp. 188–199. Springer,
Heidelberg (2003)
2. Aumasson, J.-P., Meier, W.: Analysis of multivariate hash functions. In: Nam,
K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 309–323. Springer, Hei-
delberg (2007)
3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak specifications. Sub-
mission to NIST 2008 (2008), http://keccak.noekeon.org/
4. Billet, O., Robshaw, M.J.B., Peyrin, T.: On building hash functions from mul-
tivariate quadratic equations. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.)
ACISP 2007. LNCS, vol. 4586, pp. 82–95. Springer, Heidelberg (2007)
5. Blum, M., Luby, M., Rubinfeld, R.: Self-testing/correcting with applications to
numerical problems. In: STOC, pp. 73–83. ACM, New York (1990)
6. De Cannière, C., Preneel, B.: Trivium. In: Robshaw, M.J.B., Billet, O. (eds.) New
Stream Cipher Designs. LNCS, vol. 4986, pp. 244–266. Springer, Heidelberg (2008)
7. Crutchfield, C.Y.: Security proofs for the MD6 hash function mode of operation.
Master’s thesis, Massachusetts Institute of Technology (2008)
8. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. IACR
ePrint Archive, Report 2008/385, version 20080914:160327 (2008),
http://eprint.iacr.org/2008/385
9. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux,
A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg
(2009); see also [8]
10. Englund, H., Johansson, T., Turan, M.S.: A framework for chosen IV statisti-
cal analysis of stream ciphers. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.)
INDOCRYPT 2007. LNCS, vol. 4859, pp. 268–281. Springer, Heidelberg (2007)
11. Filiol, E.: A new statistical testing for symmetric ciphers and hash functions. In:
Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp.
342–353. Springer, Heidelberg (2002)
12. Fischer, S., Khazaei, S., Meier, W.: Chosen IV statistical analysis for key recovery
attacks on stream ciphers. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS,
vol. 5023, pp. 236–245. Springer, Heidelberg (2008)
13. Kaufman, T., Ron, D.: Testing polynomials over general fields. In: FOCS, pp.
413–422. IEEE Computer Society, Los Alamitos (2004)
14. Kaufman, T., Sudan, M.: Algebraic property testing: the role of invariance. In:
Ladner, R.E., Dwork, C. (eds.) STOC, pp. 403–412. ACM, New York (2008)
15. Khazaei, S., Meier, W.: New directions in cryptanalysis of self-synchronizing
stream ciphers. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT
2008. LNCS, vol. 5365, pp. 15–26. Springer, Heidelberg (2008)
16. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE
1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
17. Lucks, S.: The saturation attack - a bait for Twofish. In: Matsui, M. (ed.) FSE
2001. LNCS, vol. 2355, pp. 1–15. Springer, Heidelberg (2001)
18. Martin, J.W.: ESSENCE: A candidate hashing algorithm for the NIST competi-
tion. Submission to NIST (2008)
19. Maximov, A., Biryukov, A.: Two trivial attacks on Trivium. In: Adams, C.M.,
Miri, A., Wiener, M.J. (eds.) SAC 2007. LNCS, vol. 4876, pp. 36–55. Springer,
Heidelberg (2007)
 Cube Testers and Key Recovery Attacks 21

20. McDonald, C., Charnes, C., Pieprzyk, J.: Attacking Bivium with MiniSat. eS-
TREAM, ECRYPT Stream Cipher Project, Report 2007/040 (2007)
21. O’Neil, S.: Algebraic structure defectoscopy. IACR ePrint Archive, Report
2007/378 (2007), http://eprint.iacr.org/2007/378
22. Pasalic, E.: Transforming chosen iv attack into a key differential attack: how to
break TRIVIUM and similar designs. IACR ePrint Archive, Report 2008/443
(2008), http://eprint.iacr.org/2008/443
23. Raddum, H.: Cryptanalytic results on Trivium. eSTREAM, ECRYPT Stream
Cipher Project, Report 2005/001 (2006)
24. Rivest, R.L.: The MD6 hash function. Invited talk at CRYPTO 2008 (2008),
http://people.csail.mit.edu/rivest/
25. Rivest, R.L., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E.,
Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland,
D., Tromer, E., Yin, Y.L.: The MD6 hash function – a proposal to NIST for SHA-
3, http://groups.csail.mit.edu/cis/md6/
26. Rubinfeld, R., Sudan, M.: Robust characterizations of polynomials with applica-
tions to program testing. SIAM J. Comput. 25(2), 252–271 (1996)
27. Saarinen, M.-J.O.: Chosen-IV statistical attacks on eStream ciphers. In: Malek,
M., Fernández-Medina, E., Hernando, J. (eds.) SECRYPT, pp. 260–266. INSTICC
Press (2006)
28. Samorodnitsky, A.: Low-degree tests at large distances. In: Johnson, D.S., Feige,
U. (eds.) STOC, pp. 506–515. ACM, New York (2007)
29. Shamir, A.: How to solve it: New techniques in algebraic cryptanalysis. Invited
talk at CRYPTO 2008 (2008)
30. Tao, T.: The dichotomy between structure and randomness, arithmetic progres-
sions, and the primes. In: International Congress of Mathematicians, pp. 581–608.
European Mathematical Society (2006)
31. Turan, M.S., Kara, O.: Linear approximations for 2-round Trivium. eSTREAM,
ECRYPT Stream Cipher Project, Report 2007/008 (2007)
32. Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an algebraic IV differential at-
tack. IACR ePrint Archive, Report 2007/413 (2007),
http://eprint.iacr.org/2007/413

A Details on MD6
The word Si is a round-dependent constant: during the first round (i.e., the first
16 steps) Si = 0123456789abcdef, then at each new round it is updated as

Si ← (S0 1) ⊕ (S0  63) ⊕ (Si−1 ∧ 7311c2812425cfa).

The shift distances ri and i are step-dependent constants, see Table 4.

Table 4. Distances of the shift operators used in MD6, as function of the step index
within a round

Step 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
ri 10 5 13 10 11 12 2 7 14 15 7 13 11 7 6 12
i 11 24 9 16 15 9 27 15 6 2 29 8 15 5 31 9
22 J.-P. Aumasson et al.

The number of rounds r depends on the digest size: for a d-bit digest, MD6
makes 40 + d/4 rounds.

Table 5. Examples of maxterm equations for 14-round MD6, with respect specified
cube are listed

Maxterm equation Output index

A015 + A115 + A315 + A415 + A615 + A815 + A915 + A14
15 + A20
15 + A21
15 O00
+A22
15 + A26
15 + A28
15 + A32
15 + A37
15 + A38
15 + A40
15 + A41
15 + A43
15 + A44
15
+A47
15 + A48
15 + A49
15 + A50
15 + A56
15 + A58
15 + A60
15 + A61
15 + A62
15 + A63
15
+A116 + A216 + A316 + A416 + A516 + A10
16 + A11
16 + A12
15 + A13
16 + A15
16
+A16
16 + A17
16 + A19
16 + A21
16 + A22
16 + A24
16 + A25
16 + A27
16 + A28
16 + A29
16
+A31
16 + A32
16 + A36
16 + A37
16 + A38
16 + A39
16 + A43
16 + A44
16 + A48
16 + A49
16
+A50
16 + A52
16 + A53
16 + A55
16 + A57
16 + A60
16 + A61
16 + A63
16 + A816 +1
A015 + A115 + A315 + A615 + A815 + A10
15 + A11
15 + A14
15 + A16
15 + A21
15 O01
+A22
15 + A27
15 + A28
15 + A32
15 + A34
15 + A35
15 + A36
15 + A37
15 + A44
15 + A45
15
+A48
15 + A50
15 + A54
15 + A55
15 + A57
15 + A58
15 + A59
15 + A60
15 + A63
15 + A016
+A216 + A516 + A616 + A716 + A916 + A10
16 + A11
16 + A13
16 + A16
16 + A17
16
+A18
16 + A19
16 + A20
16 + A21
16 + A23
16 + A30
16 + A35
16 + A36
16 + A39
16 + A42
16
+A43
16 + A44
16 + A47
16 + A48
16 + A49
16 + A50
16 + A51
16 + A53
16 + A59
16 + A61
16
+A50
16 + A51
16 + A53
16 + A59
16 + A61
16 +1
 An Efficient State Recovery Attack on
X-FCSR-256

Paul Stankovski, Martin Hell, and Thomas Johansson

Dept. of Electrical and Information Technology, Lund University,

P.O. Box 118, 221 00 Lund, Sweden

Abstract. We describe a state recovery attack on the X-FCSR-256

stream cipher of total complexity at most 257.6 . This complexity is achiev-
able by requiring 249.3 output blocks with an amortized calculation effort
of at most 28.3 table lookups per output block using no more than 233
table entries of precomputational storage.

Keywords: stream cipher, FCSR, X-FCSR, cryptanalysis, state recovery.

1 Introduction

A common building block in stream ciphers is the Linear Feedback Shift Register
(LFSR). The bit sequence produced by an LFSR has several cryptographically
interesting properties, such as long period, low autocorrelation and balanced-
ness. LFSRs are inherently linear, so additional building blocks are needed in
order to introduce nonlinearity. A Feedback with Carry Shift Register (FCSR)
is an alternative construction, similar to an LFSR, but with a distinguishing
feature, namely that the update of the register is in itself nonlinear. The idea of
using FCSRs to generate sequences for cryptographic applications was initially
proposed by Klapper and Goresky in [8].
Recently, we have seen several new constructions based on the concept of FC-
SRs. The class of F-FCSRs, Filtered FCSRs, was proposed by Arnault and Berger
in [1]. These constructions were cryptanalyzed in [7], using a weakness in the ini-
tialization function. Also a time/memory tradeoff attack was demonstrated in the
same paper.
Another similar construction targeting hardware environments is F-FCSR-H,
which was submitted to the eSTREAM project [4]. F-FCSR-H was later up-
dated to F-FCSR-H v2 because of a weakness demonstrated in [6]. F-FCSR-H
v2 was one of the four ciphers targeting hardware that were selected for the
final portfolio at the end of the eSTREAM project. Inspired by the success,
Arnault, Berger, Lauradoux and Minier presented a new construction at In-
docrypt 2007, now targeting software implementations. It is named X-FCSR [3].
The main idea was to use two FCSRs instead of one, and to also include an
additional nonlinear extraction function inspired by the Rijndael round func-
tion. Adding this would allow more output bits per register update and thus
increase throughput significantly. Two versions, X-FCSR-256 and X-FCSR-128,

O. Dunkelman (Ed.): FSE 2009, LNCS 5665, pp. 23–37, 2009.


c International Association for Cryptologic Research 2009
24 P. Stankovski, M. Hell, and T. Johansson

were defined producing 256 and 128 bits per register update, respectively. Ac-
cording to the specification X-FCSR-256 runs at 6.5 cycles/byte and X-FCSR-
128 runs at 8.2 cycles/byte. As this is comparable to the fastest known stream
ciphers, it makes them very interesting in software environments. For the secu-
rity of X-FCSR-256 and X-FCSR-128 we note that there have been no published
attacks faster than exhaustive key search.
In [5] a new property inside the FCSR was discovered, namely that the update
was sometimes temporarily linear for a number of clocks. This resulted in a very
efficient attack on F-FCSR-H v2 and led to its removal from the eSTREAM
portfolio.
In this paper we present a state recovery attack on X-FCSR-256. We use
the observation in [5]. The fact that two registers are used, together with the
extraction function, makes it impossible to immediately use this observation to
break the cipher. However, several additional non-trivial observations will allow
a successful cryptanalysis. The keystream is produced using state variables 16
time instances apart. By considering consecutive output blocks, and assuming
that the update is linear, we are able to partly remove the dependency of several
state variables. A careful analysis of the extraction function then allows us to
treat parts of the state independently and brute force these parts separately,
leading to an efficient state recovery attack. It is shown that the state can be
recovered using 249.3 keystream output blocks and a computational complexity
of 28.3 table lookups per output block. Note that table lookup operations are
much cheaper than testing a single key.
The paper is organized as follows. In Section 2 we give an overview of the
FCSR construction in general and the X-FCSR-256 stream cipher in particular.
In Section 3 we describe the different parts of the attack. Each part of the attack
is described in a separate subsection and in order to simplify the description
we will deliberately base the attack on assumptions and methods that are not
optimal for the cryptanalyst. Then, additional observations and more efficient
algorithms are discussed in Section 4, leading to a more efficient attack. Finally,
some concluding remarks are given in Section 5.

2 Background
This section will review the necessary prerequisites for understanding the de-
tails of the attack. FCSRs are presented separately as they are used as core
components of the X-FCSR-256 stream cipher. The X-FCSR-256 stream cipher
itself is outlined in sufficient detail for understanding the presented attack. For
remaining details, the reader is referred to the specification [3].

2.1 Recalling the FCSR Automaton

An FCSR is a device that computes the binary expansion of a 2-adic number
p/q, where p and q are some integers, with q odd. For simplicity one may assume
that q < 0 < p < |q|. Following the notation from [2], the size n of the FCSR is
the bitlength of |q| less one. In stream ciphers, p usually depends on the secret
 An Efficient State Recovery Attack on X-FCSR-256 25

key and the IV, and q is a public parameter. The choice of q induces a number of
FCSR properties, the most important one being that it completely determines
the length of the period T of the keystream.
The FCSR automaton as described in [2] efficiently implements generation
of a 2-adic expansion sequence. It contains two registers, a main register M
and a carries register C. The main register M contains n cells. n−1Let M =
(mn−1 , mn−2 , . . . , m1 , m0 ) and associate M to the integer M = i=0 mi · 2i .
Let the binary representation of the positive integer d = (1 + |q|)/2 be given
n−1
by d = i=0 di · 2i . The carries register contains l active cells, l + 1 being the
number of nonzero binary digits di in d. The active carry cells are the ones in
the interval 0 ≤ i ≤ n − 2 for which di = 1, and dn−1 must always be set.
Write the carries register as C = (cn−2 , cn−3 , . . . , c1 , c0 ) and associate it to

the integer C = n−2 i=0 ci · 2 . Note that l of the bits in C are active and the
i

remaining ones are set to zero. 

Representing the integer p as n−1 i=0 pi · 2 where pi ∈ {0, 1}, the 2-adic ex-
i

pansion of the number p/q is computed by the automaton given in Figure 1.

- pn−1 - pn−2 - - p1 - p0 -
6 6 6 6
dn−1 dn−2 dn−3 d1 d0
- - - - -
6 6 6 6 6

Fig. 1. Automaton computing the 2-adic expansion of p/q

The automaton is referred to as the Galois representation and it is very sim-

ilar to the Galois representation of an LFSR. For all defined variables we also
introduce a time index t, letting M (t) and C(t) denote the content of M and C
at time t, respectively.
The addition with carry operation, denoted  in Figure 1, has a one bit
memory, the carry. It operates on three inputs in total, two external inputs and
the carry bit. It outputs the XOR of the external inputs and sets the new carry
value to one if and only if the integer sum of all three inputs is two or three.
In Figure 2 we specifically illustrate (following [2]) the case q = −347, which
gives us d = 174 = (10101110)binary . The X-FCSR family of stream ciphers uses
two FCSR automatons at the core of their construction. For the purposes of this
paper it is sufficient to recall the FCSR automaton as implemented in Figure 1
and Figure 2.
The FCSR automaton has n bits of memory in the main register and l bits
in the carries register for a total of n + l bits. If (M, C) is our state, then many
states are equivalent in the sense that starting in equivalent states will produce
the same output. As the period is |q| − 1 ≈ 2n , the number of states equivalent
to a given state is in the order of 2l .
26 P. Stankovski, M. Hell, and T. Johansson

C(t) 0 0 c5 0 c3 c2 c1 0

6 6 6 6
M (t) - m7 - m6 ?
- m5 - m4 ?
- m3 ?
- m2 ?
- m1 - m0 -
6 6 6 6

d 1 0 1 0 1 1 1 0

Fig. 2. Example of an FCSR

2.2 Brief Summary of X-FCSR-256 Prerequisites

X-FCSR-256 admits a secret key of 128-bit length and a public initialization
vector (IV) of bitlength ranging from 64 to 128 as input. The core of the X-
FCSR stream cipher consists of two 256-bit FCSRs with main registers Y and
Z which are clocked in opposite directions.

Y (t) = (yt+255 , . . . , yt+2 , yt+1 , yt ), clocked →

Z(t) = (zt−255 , . . . , zt−2 , zt−1 , zt ), clocked ←

X-FCSR combines Y and Z to form a 256-bit block X(t) at each discrete time
instance t according to
X(t) = Y (t) ⊕ Z(t),
where ⊕ denotes bitwise XOR, so that

X(0) = (y255 ⊕ z−255 , . . . , y2 ⊕ z−2 , y1 ⊕ z−1 , y0 ⊕ z0 )

X(1) = (y256 ⊕ z−254 , . . . , y3 ⊕ z−1 , y2 ⊕ z0 , y1 ⊕ z1 )
X(2) = (y257 ⊕ z−253 , . . . , y4 ⊕ z0 , y3 ⊕ z1 , y2 ⊕ z2 )
...

Further define

W (t) = round256 (X(t)) = mix(sr(sl(X(t))), (1)

where sl, sr and mix mimic the general structure of the AES round function;

sl is an s-box function applied at byte level,

sr is a row-shifting function operating on bytes,
mix is a column mixing function operating on bytes.

The round functions operate on a 256-bit input, as defined in (1). The general
idea behind the round function operations becomes apparent if one considers
how the functions operate on the 256-bit input when it is viewed as a 4 × 8
matrix A at byte level. Let the byte entries of A be denoted ai,j with 0 ≤ i ≤ 3
and 0 ≤ j ≤ 7.
 An Efficient State Recovery Attack on X-FCSR-256 27

The first transformation layer consists of an S-box function sl applied at byte

level. The chosen S-box has a number of attractive properties that are described
in [3].
The second operation shifts the rows of A, and sr is identical to the row
shifting operation of Rijndael. sr shifts (i.e., rotates) each row of A to the left
at byte level, shifting the first, second, third and fourth rows 0, 1, 3 and 4 bytes
respectively.
The purpose of the third operation, mix, is to mix the columns of A. This is
also done at byte level according to
⎛ ⎞ ⎛ ⎞
a0,j a3,j ⊕ a0,j ⊕ a1,j
⎜ a1,j ⎟ ⎜ a0,j ⊕ a1,j ⊕ a2,j ⎟
mix256 ⎜ ⎟ ⎜
⎝ a2,j ⎠ = ⎝ a1,j ⊕ a2,j ⊕ a3,j ⎠
⎟

a3,j a2,j ⊕ a3,j ⊕ a0,j

for every column j of A.

Note that sl, sr and mix are all both invertible and byte oriented. Finally,
the 256 bits of keystream that are output at time t are given by

out(t) = X(t) ⊕ W (t − 16). (2)

This last equation introduces a time delay of 16 time units. The first block of
keystream is produced at t = 0 and the key schedule takes care of defining W (t)
for t < 0.

3 Describing the Attack

3.1 Idea of Attack

A conceptual basis for understanding the attack is obtained by dividing it into

the four parts listed below. Each part has been attributed its own section.

• LFSRization of FCSRs
• Combining Output Blocks
• Analytical Unwinding
• Brute-forcing the State
In Section 3.2 we describe a trick we call “LFSRization of FCSRs”. We explain
how an observation in [5] can be used to allow treating FCSRs as LFSRs. There
is a price to pay for introducing this simplification, of course, but the penalty is
not as severe as one may expect.
We observe that we can combine a number of consecutive output blocks to
effectively remove most of the dependency on X(t) introduced in (2). The LF-
SRization process works in our favor here as it provides a linear relationship
between FCSR variables. Output block combination is explored in Section 3.3.
Once a suitable combination Q of output blocks is defined, state recovery is
the next step. This is done in two parts. In Section 3.4 we explain how to work
28 P. Stankovski, M. Hell, and T. Johansson

with Q analytically to transform its constituent parts into something that will
get us closer to the state representation. As it turns out, we can do quite a bit
here. Finally, having exhausted the analytical options available to us, we bring
in the computational artillery and do the remaining job by brute-force. We find
that the state can be divided into several almost independent parts and perform
exhaustive search on each part separately. This is described in Section 3.5.

3.2 LFSRization of FCSRs

As mentioned above, an observation in [5] provides a way of justifying the validity
in treating FCSRs as LFSRs, and does so at a very reasonable cost. We call
this process LFSRization of FCSRs, or simply LFSRization when there is no
confusion as to what is being treated as an LFSR. There are two parts to the
process, a flush phase and a linearity phase.
The observation is simply that a zero feedback bit causes the contents of the
carry registers to change in a very predictable way. Adopting a statistical view
and assuming independent events is helpful here. Assuming a zero feedback bit,
carry registers containing zeros will not change, they will remain zero. The carry
registers containing ones are a different matter, though. A ’one’ bit will change to
a zero bit with probability 12 . In essence this means that one single zero feedback
bit will cut the number of ones in the carry registers roughly in half.
The natural continuation of this observation is that a sufficient amount of
consecutive zero feedback bits will eventually flush the carry registers so that
they contain only zeros. On average, roughly half of the carry registers contain
ones to start with, so an FCSR with N active carry registers requires roughly
lg N2 + 1 zero feedback bits to flush the ’ones’ away with probability 12 . By
expected value we therefore require roughly lg N2 + 2 zero feedback bits to flush
a register completely. For X-FCSR-256 we have N = 210, indicating that we
need no more than nine zero feedback bits to flush a register.
After the flush phase, a register is ready to act as an LFSR. In order to
take advantage of this state we need to maintain a linearity phase in which we
keep having zero feedback bits fed for a sufficiently long duration of time. As
we will see from upcoming arguments, we will in principle require the linearity
property for two separate sets of six consecutive zero feedback bits, with the two
sets being sixteen time units apart. We will need the FCSRs to act as LFSRs
during this time, so our base requirement consists of two smaller LFSRizations,
each requiring roughly 9 + 6 bits for flush and linearity phase respectively. The
probability of the two smaller LFSRizations occurring in both registers Y and Z
simultaneously is 2−4(9+6) = 2−60 . In other words, our particular LFSRization
condition appears once in about 260 output blocks.
A real life deviation from the theoretical flush reasoning was noted in [5]. We
cannot flush the carry register entirely as the last active carry bit will tend to
one instead of zero. As further noted in [5], flushing all but the last carry bit
does not cause a problem in practice. Consider the linearized FCSR in Figure 3,
it produces a maximal number of zero feedback bits for an FCSR of its size.
 An Efficient State Recovery Attack on X-FCSR-256 29

C(t) 0 0 0 0 0 0 1 0

6 6 6 6
M (t) - 1 - 1 ?
- 1 - 1 ?
- 1 ?
- 1 ?
- 0 - 0 -
6 6 6 6

d 1 0 1 0 1 1 1 0

Fig. 3. Maximally linearized FCSR

In simulations and analytical work we must compensate for this effect, of

course, but the theoretical reasoning to follow remains valid as we allow ourselves
to treat FCSRs as simple LFSRs. The interested reader is referred to [5] for
details on this part.
Furthermore, assumptions of independence are not entirely realistic. Although
the theoretical reasoning above is included mainly for reasons of completeness,
simulations show that we are not far from the truth, effectively providing some
degree of validation for the theory. Our simulations show that we have 228.7 for
the Y register and 227.5 for Z for a total of at most 256.2 expected output blocks
for LFSRization in X-FCSR as we require it.
Our requirements for the basic attack are as follows. At some specific time
instance t we require the carry registers of X and Y to be completely flushed
except for the last bit. Here we also require the tails of the main registers to
contain the bit sequence 111100 as in Figure 3 to guarantee at least six consec-
utive zero feedback bits. At t + 16 we require this precise set-up to appear once
again. In each set, the first five zero feedback bits are needed to ensure that the
main registers are linear. The last remaining zero feedback bit is used only to
facilitate equation solving in the state recovery part, as it guarantees that the
last carry bit remains set.
To be fair and accurate we will use the simulation values, which puts us at

COSTLF SRization ≤ 256.2

for the basic attack. Later, in Section 4.2, we will see how we can reduce the
requirements to only four consecutive zero feedback bits per set for a complexity
of
COSTLF SRization ≤ 249.3 .

3.3 Combining Output Blocks

The principal reason for combining consecutive output blocks is to obtain a set
of data that is easier to analyze and work with, ultimately leading to a less
complicated way to reconstruct the cipher state. Remember that we now treat
the two FCSRs as LFSRs with the properties given in Section 3.2.
30 P. Stankovski, M. Hell, and T. Johansson

The main observation is that the modest and regular clocking of the two main
registers provides us with the following equality:
X(t) ⊕ [X(t + 1)  1] ⊕ [X(t + 1) 1] ⊕ X(t + 2) = (, 0, 0, . . . , 0, ) (3)
The shifting operations  and on the left hand side denote shifting of the
corresponding 256-bit block left and right, respectively. From this point onward
we discard bits that fall over the edge of the 256 bit blocks, and we do so without
loss of generality or other such severe penalties. The right hand side is then the
zero vector1 , with the possible exception of the first and last bits which are
undetermined (and denoted ). Define
OU T (t) = out(t) ⊕ [out(t + 1)  1] ⊕ [out(t + 1) 1] ⊕ out(t + 2) (4)
in the corresponding way. We have
OU T (t) =
X(t) ⊕ [X(t + 1)  1] ⊕ [X(t + 1) 1] ⊕ X(t + 2) ⊕
W (t − 16) ⊕ [W (t − 15)  1] ⊕ [W (t − 15) 1] ⊕ W (t − 14)
=
(, 0, 0, . . . , 0, ) ⊕
W (t − 16) ⊕ [W (t − 15)  1] ⊕ [W (t − 15) 1] ⊕ W (t − 14)
≈
W (t − 16) ⊕ [W (t − 15)  1] ⊕ [W (t − 15) 1] ⊕ W (t − 14), (5)
where ≈ denotes bitwise equality except for the first and last bit. This expression
allows us to relate keystream bits to bits inside the generator that are just a few
time instances apart. This will turn out to be very useful when recovering the
state of the FCSRs. In order to further unwind equation (5) we need to take a
closer look at the constituent parts of W , namely the round function operations
sl, sr and mix.

3.4 Analytical Unwinding

Reviewing the round function operations from Section 2.2, recall that all of the
operations are invertible and byte oriented. We can also see that the operations
mix, sr and their inverses are linear over ⊕, such that
mix(A ⊕ B) = mix(A) ⊕ mix(B),
sr(A ⊕ B) = sr(A) ⊕ sr(B).
Obviously, sl does not harbor the linear property. So, in order to unwind (5) as
much as possible, we would now ideally like to apply mix−1 and sr−1 in that
order. Let us begin with focusing on the mix operation.
1
Recall that we ignore the effects of the last carry bit being one instead of zero, as
explained in Section 3.2. The arguments below are valid as long as adjustments are
made accordingly.
 An Efficient State Recovery Attack on X-FCSR-256 31

The linearity of mix over ⊕ is the first ingredient we need as it allows us to

apply mix−1 to each of the W terms separately. The shifting does cause us some
problems, however, since
mix−1 (W (t)  1) = mix−1 (W (t))  1.
Therefore mix−1 cannot be applied directly in this way, but realizing that mix−1
is a byte-oriented operation, it is clear that the equality holds if one restricts
comparison to every bit position except the first and last bit of every byte.
This is easy to realize if one considers the origin and destination byte of the
six middlemost bits as mix−1 is applied. One single bit shift does not affect the
destination byte of these bits. Furthermore, the peripheral bits that are shifted
out of their byte position are mapped to another peripheral bit position. We
therefore have
mix−1 (OU T (t)) ∼
= sr (sl (X(t − 16))) ⊕
[ sr (sl (X(t − 15)))  1 ] ⊕
[ sr (sl (X(t − 15))) 1]⊕
sr (sl (X(t − 14))) ,
where ∼
= denotes equality with respect to the six middlemost bits of each byte.
The same arguments apply to sr−1 , so we define Q(t) = sr−1 mix−1 (OU T (t))
to obtain
Q(t) ∼
= sl (X(t − 16)) ⊕ (6)
[ sl (X(t − 15))  1 ] ⊕
[ sl (X(t − 15)) 1]⊕
sl (X(t − 14)) .
Loosely put, we can essentially bypass the effects of the mix and sr operations
by ignoring the peripheral bits of each byte.
We have combined consecutive keystream blocks out(t) into Q in hope of Q
being easier to analyze than out(t). Since the ultimate goal is to map out(t) to
Y and Z, we don’t have very far to go now. As our expression for Q involves
only X and sl, let’s see how and at what cost we can brute-force Q and solve
for Y and Z.

3.5 Brute-Forcing the State

The brute-forcing part can most easily be understood by focusing on one specific
byte position in Q(t). Given the, say, seventh byte in Q(t), how can we uniquely
reconstruct the relevant parts of Y and Z? Let us first figure out which bits one
needs from Y (t − 16) and Z(t − 16) in order to be able to calculate the given
byte in Q(t). Note that this step is possible only because of the LFSRization
described in Section 3.2.
Have another look at the first part of expression (6): sl (X(t − 16)). Since sl is
an S-box function that operates on bytes, we need to know the full corresponding
32 P. Stankovski, M. Hell, and T. Johansson

byte from X(t − 16). Those eight bits are derived from eight bits in each of Y
and Z, totaling 16 bits, as shown in the left column of Figure 4 below.

Y (t − 16) Y (t − 16) Y (t − 16)

Z(t − 16) Z(t − 16) Z(t − 16)

Y (t − 15) Y (t − 15)

Z(t − 15) Z(t − 15)

Y (t − 14)

Z(t − 14)

X(t − 16) X(t − 15) X(t − 14)

Q(t)

Fig. 4. Bit usage for one byte in Q(t)

The next parts of (6) involves sl(X(t − 15)). The same reasoning applies here,
we need to know the full corresponding byte of X(t − 15) in order to be able to
calculate this S-box value. But, since the main registers act like LFSRs, most of
the bits we need from Y and Z for X(t − 15) have already been employed for
X(t − 16) previously. Since the two main registers are clocked only one step at
each time instance, only two more bits are needed, one from Y and one from Z.
This is illustrated by the middle column of Figure 4 below. We count 18 bits in
Y and Z so far.
In the same vein, two more bits are needed from Y and Z to calculate
sl(X(t − 14)), illustrated in the remaining part of Figure 4. This brings the
total up to 20 bits. All in all, for one byte position in Q(t) we have total bit
usage as shown in Figure 5.
So, 10 bits in Y (t − 16) and 10 bits in Z(t − 16) is what we require to be
able to calculate one specific byte position in Q(t). By restricting our attention
to the six middlemost bits of each byte in Q we accomplish two objectives; we
effectively reduce the number of unknown bits we are dealing with in Y and Z,
 An Efficient State Recovery Attack on X-FCSR-256 33

Y (t − 16)

Z(t − 16)

Q(t)

Fig. 5. Bit usage in Q(t)

and we simplify the expression for calculating the byte in Q by safely reducing
the effects of the shifting operation. Specifically, shifting one bit left or right does
not bring neighboring bytes into play.
Focusing on one single byte position gives us six equations, one for each of the
six middlemost bits, and 20 unsolved variables, one for each bit position in Y
and Z. This amounts to an underdetermined system, of course, but we can easily
add more equations by having a look at the same byte position in Q(t + 1). The
six middle bits of that byte give us six new equations at the cost of introducing
a few new variables. To see how many, we must perform the analysis for Q(t + 1)
corresponding to Figure 4. The total bit usage for one byte position in Q(t + 1)
in terms of bits in Y (t − 16) and Z(t − 16) is given in Figure 6.

Y (t − 16)

Z(t − 16)

Q(t + 1)

Fig. 6. Bit usage in Q(t + 1)

From this we see that the six new equations have the downside of introducing
two new variables. In total we therefore have 12 equations and 22 variables after
including Q(t+1). The system is still underdetermined, so we can add Q(t+2) as
well. This brings us to 18 equations and 24 variables, and so on. Adding Q(t + 3)
provides 24 equations for 26 variables, but at this level we will obtain a resulting
system that provides hope of being fully determined as we may also reduce the
number of variables by reusing already determined values as we scan Q byte by
byte from one end to the other to solve for bits in Y and Z. The corresponding
34 P. Stankovski, M. Hell, and T. Johansson

bit usage for our four consecutive Q’s in terms of bits in Y (t − 16) and Z(t − 16)
is illustrated in Figure 7 below.

Y (t − 16)

Z(t − 16)

Q(i)

Fig. 7. Total bit usage for Q(i), t ≤ i ≤ t + 3

When brute-forcing one byte position in Q we essentially solve for 26 bits. If

we scan Q from left to right, solving the corresponding system for each byte, we
can reuse quite many of these bits. Instead of solving for 26, we need only solve
for 16 as the remaining 10 have already been determined. This is illustrated in
Figure 8. Reusing bits in this way works fine for all byte positions except the
first one. For the first byte position we don’t have any prior solution to lean back
on, but we can use the LFSRization assumption. We have already assumed that
we have ’zero’ feedback bits coming in and these are valid to use when solving
the system. The system for the first byte contains 21 unsolved variables, so the
24 equations do indeed provide a fully determined system.

Y (t − 16)

Z(t − 16)

Q(t)

Fig. 8. Reusing bits when solving for Q(t)

Employing bit reuse, the total cost for the brute-forcing part becomes

COSTbrute−f orce ≤ 221 + 31 × 216 < 222 .

This calculation is a little bit idealized, however, since we in practice do obtain
multiple solutions in some cases. These occur sometimes because the peripheral
bits in the system appear in only one or two of the equations, causing false
 An Efficient State Recovery Attack on X-FCSR-256 35

solutions. These are easy to spot, though, as the succeeding equation system
will generally be unsolvable as we attempt to reuse 10 of the bits from the false
solution. And since the false solutions do not appear in abundance, we do not
compensate for this complexity wise.
This concludes the basic attack, in which we have assumed availability of four
separate sets of six consecutive zero feedback bits as described in Section 3.2.

4 Improving the Attack

4.1 Precomputation
We can reduce the workload of the brute-force part almost entirely using pre-
computation. A precomputation table for solving the first byte system would
require 224 entries2 as we have the 24 bits from the four Q’s as input to resolve
21 bits. For succeeding byte positions we may limit the number of Q’s to three,
which provides 18 equations for the 16 unsolved variables. Adding the already
determined 8 bits to the formula, we can see that a table with 218+8 = 226 entries
will suffice. In this context we consider these tables to be of reasonable size.
The total amortized cost for attempting to solve for the entire state is then
given by considering the relative frequencies of table lookups per byte position.
Using table lookups as unit, we have

1 1 1 7
COSTbrute−f orce < 1 + 1+ + + ... =
8 4 42 6

using no more than 227 table entries worth of storage.

4.2 Lowering the Required Keystream

In the basic attack we assumed existence of four separate sets of six consecutive
zero feedback bits, as explained in Section 3.2. Our next improvement is to
reduce the required keystream by loosening the above requirement to only four
consecutive zero feedback bits in each set and increasing the calculation effort
correspondingly.
To shine some light upon some of the details involved in this process, consider
equation (5) once more. The purpose of the second of the two sets of zero feedback
bits is to make way for the X’s to cancel out properly according to equation (3). A
’one’ feedback bit in the second set prohibits the X’s from canceling out entirely.
We can cope with this anomaly by compensating for such a non-null aggregate
of the X’s in equation (5). The important issue is that we are in control of the
resulting changes.
The first set of zero feedback bits govern the composition of the W ’s. With
zero feedback bits all the way we obtain a well defined system when solving
for the first byte position in Q. If the fifth feedback bit is a ’one’ the system
changes somewhat, but it is still as well defined as before. Here, too, we are in
2
The storage is trivially realized using on average at most two 4-byte words per entry.
36 P. Stankovski, M. Hell, and T. Johansson

control of the resulting changes. Our increase in computational effort consists

of constructing and using the corresponding tables for the resulting systems, so
that we can solve the resulting system regardless of these last bit values.
Without the sixth and last zero feedback bit in each set we would not know if
the last remaining carry bit has ultimately been nullified or not. Our basic attack
assumptions allow us to easily figure out the value of the last carry bit. We may
remove the requirement of the sixth zero feedback bit in each set if we instead
solve all the 16 similar but essentially different resulting variants of the system.
In principle, we can allow creation of 16 new tables, one for each system, for a
total workload increase factor of 16. Therefore, storage requirements increase to
228 table entries for the first byte position systems but remain at at most 226 for
the succeeding byte position systems for a total of 229 table entries. Note that
no specialized tables for the last byte position system are needed because of the
symmetry in the systems for the first and last byte positions.
The corresponding arguments are valid when removing the requirement of
the fifth zero feedback bit. The fifth feedback bit from two of the sets affect the
system of the first byte position for an increase in storage and computation of
a factor of at most 16, again. Storage requirements increase to 232 table entries
for the first byte position systems and remain at at most 226 for succeeding byte
position systems. All in all, we can solve the entire system for all cases using
only
7
COSTbrute−f orce < 24+4 × < 28.3
6
table lookups into at most 233 table entries of storage. The interested reader is
referred to [5], in which a similar situation is discussed.
In practice, the COSTLF SRization part tells us how many keystream blocks we
need to analyze before we can find a favorable situation that allows the brute-
force method to go all the way to recovering the state. The COSTbrute−f orce
part is payed by performing that many calculations for each analyzed keystream
block. To summarize, we have

COST = COSTLF SRization × COSTbrute−f orce < 249.3+8.3 = 257.6

using no more than 233 table entries worth of precomputational storage.

5 Concluding Remarks

It is clear that the design of the X-FCSR stream cipher family is not sufficiently
secure. Depending on one’s inclination, it is possible to attribute this insufficiency
to the modest clocking of the two FCSRs, the size or number of FCSRs, how
they are combined, the complexity of the round function or some other issue.
All of these factors are parts of the whole, but the key insight, however, is that
it is important not to rely on the non-linear property of FCSRs too heavily. The
LFSRization process shows that it is relatively cheap to linearize FCSRs, the
cost being roughly logarithmic in the size of active carry registers.
 An Efficient State Recovery Attack on X-FCSR-256 37

More details on the last improvements and a more in-depth exposé of the
effects of the last carry bit on system solving are available in the full version
of this paper. There we also exploit the symmetry situation of requiring several
consecutive ’one’ feedback bits for an additional reduction in required keystream.
Let us end with a note on applicability to X-FCSR-128. The basic attack
presented here works for X-FCSR-128 as well, but the resulting complexity is
much less impressive. The LFSRization process is identical for both variants of
X-FCSR, as is the analytical unwinding. Enter round functions. The two registers
are 256 bits in size in both cases, but X-FCSR-128 “folds” the contents of the
registers to produce a 128-bit result, implying that more bits are condensed into
one byte position of Q as analyzed in Section 3.5. This affects cost in a negative
way, actually making the attack more expensive for X-FCSR-128. We estimate
that at least twelve consecutive Q’s are needed for a fully determined first byte
system. This leads to a guesstimated expected value of about 274 output blocks
for the attack to come through in the basic setting, each output block requiring
roughly one table lookup into a storage of at most 272 table cells.

References
1. Arnault, F., Berger, T.: F-FCSR: Design of a new class of stream ciphers. In: Gilbert,
H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 83–97. Springer, Heidelberg
(2005)
2. Arnault, F., Berger, T., Lauradoux, C.: Update on F-FCSR stream cipher. eS-
TREAM, ECRYPT Stream Cipher Project, Report 2006/025 (2006),
http://www.ecrypt.eu.org/stream
3. Arnault, F., Berger, T.P., Lauradoux, C., Minier, M.: X-FCSR - a new software ori-
ented stream cipher based upon FCSRs. In: Srinathan, K., Pandu Rangan, C., Yung,
M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 341–350. Springer, Heidelberg
(2007)
4. ECRYPT. eSTREAM: ECRYPT Stream Cipher Project, IST-2002-507932,
http://www.ecrypt.eu.org/stream/
5. Hell, M., Johansson, T.: Breaking the F-FCSR-H stream cipher in real time. In:
Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 557–569. Springer, Hei-
delberg (2008)
6. Jaulmes, E., Muller, F.: Cryptanalysis of ECRYPT candidates F-FCSR-8 and F-
FCSR-H. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/046 (2005),
http://www.ecrypt.eu.org/stream
7. Jaulmes, E., Muller, F.: Cryptanalysis of the F-FCSR stream cipher family. In:
Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 20–35. Springer,
Heidelberg (2006)
8. Klapper, A., Goresky, M.: 2-adic shift registers. In: Anderson, R.J. (ed.) FSE 1993.
LNCS, vol. 809, pp. 174–178. Springer, Heidelberg (1994)
 Key Collisions of the RC4 Stream Cipher

Mitsuru Matsui

Information Technology R&D Center

Mitsubishi Electric Corporation
5-1-1 Ofuna Kamakura Kanagawa 247-8501, Japan
[email protected]

Abstract. This paper studies “colliding keys” of RC4 that create the
same initial state and hence generate the same pseudo-random byte
stream. It is easy to see that RC4 has colliding keys when its key size
is very large, but it was unknown whether such key collisions exist for
shorter key sizes. We present a new state transition sequence of the key
scheduling algorithm for a related key pair of an arbitrary fixed length
that can lead to key collisions and show as an example a 24-byte collid-
ing key pair. We also demonstrate that it is very likely that RC4 has a
colliding key pair even if its key size is less than 20 bytes. This result is
remarkable in that the number of possible initial states of RC4 reaches
256! ≈ 21684 . In addition we present a 20-byte near-colliding key pair
whose 256-byte initial state arrays differ at only two byte positions.

1 Introduction

The RC4 stream cipher is one of the most widely-used real-world cryptosystems.
Since its development in 1980’s, RC4 has been used in various software appli-
cations and standard protocols such as Microsoft Office, Secure Socket Layer
(SSL), Wired Equivalent Privacy (WEP). The architecture of RC4 is extremely
simple and its encryption speed is remarkably fast. It has been suitable for not
only PC applications but also embedding environments.
RC4 accepts a secret key whose length is 1 to 256 bytes, where a typical
key size is 5 bytes (due to an old export regulation), 13 bytes (in the WEP
encryption) or 16 bytes. It consists of two parts; the key scheduling algorithm
(KSA) and the pseudo-random generating algorithm (PRGA). The KSA cre-
ates the 256-byte initial state from the secret key, and the PRGA generates
pseudo-random byte stream from the initial state. Either of the algorithms can
be described unambiguously in only a few lines. Due to this simplicity and wide
applicability, a vast amount of efforts have been made for cryptanalysing RC4
since its specification was made public on Internet in 1994 [1].
As early as one year after the specification of RC4 was publicly available,
it was pointed out by Roos [10] that the initial few bytes of its output stream
are strongly correlated with the key. This observation was later extended in
various ways. Mantin and Shamir [8] mounted a distinguishing attack of RC4
under the “strong distinguisher scenario” that an attacker can obtain many

O. Dunkelman (Ed.): FSE 2009, LNCS 5665, pp. 38–50, 2009.


c International Association for Cryptologic Research 2009
 Key Collisions of the RC4 Stream Cipher 39

short output streams using random and unrelated keys. Paul and Preneel [9]
successfully demonstrated a distinguisher that requires a total of 225 output
bytes (2 bytes/key × 224 keys).
For cryptanalysis of a real-world application using RC4, Fluhrer, Mantin and
Shamir [3] showed an attack of WEP for the first time in 2001. They found
that partial information of the key of RC4 gives non-negligible information of
its output bytes. This fact was efficiently used for mounting a passive attack,
since the initial vector of WEP is packet-variable and embedded in the key of
RC4. It was recently improved by Klein [6], and finally in 2007 Tews, Weinmann
and Pyskin [11] and Vaudenay and Vuagnoux [12] independently demonstrated
a very practical key recovery attack of the 104-bit WEP.
For another attacks, Fluhrer and McGrew [4] presented a distinguishing at-
tack of RC4 using 230.6 output bytes generated by a single key, and Mantin [7]
successfully reduced the output stream size required for the successful attack
down to 226.5 bytes and also showed how to predict output bits. More recently
Biham and Carmeli [2] concentrated on the key scheduling algorithm of RC4
and discussed how to recover a secret key from a given internal state.
This paper studies another type of weakness of the key scheduling algorithm of
RC4; that is, existence of secret keys that create the same initial state and hence
generate the same pseudo-random byte stream, which we call “colliding keys”.
It had been already pointed out by Grosul and Wallach [5] in 2000 that RC4 has
related-key key pairs that generate substantially similar hundred output bytes
when the key size is close to the full 256 bytes. In this paper we explore much
stronger key collisions in a shorter key size.
Since the total number of possible initial states of RC4 reaches 256! ≈ 21684 ,
RC4 must have colliding keys if its key size exceeds 1684/8 = 210 bytes.
Moreover, due to the birthday paradox, it is not surprising that RC4 has colliding
keys when its key size is (1684/2)/8 = 105 (or more) bytes. However, it was
unknown whether colliding keys exist in a shorter key size. The contribution of
this paper is to give a positive answer to this problem.
In this paper, we begin by demonstrating a specific example of a colliding
64-byte key pair, whose internal 256-byte state arrays differ at most two byte
positions in any step i (0≤i≤255) of the key scheduling algorithm. Then by
generalizing this example, we show a state transition pattern that is applicable
to a key pair of an arbitrary fixed length and estimate the probability that such
pattern actually takes place for randomly given key pairs with a fixed difference.
We have confirmed that our probability estimation mostly agrees with com-
puter experimental results when the key size is around 32 bytes or more. We
also demonstrate that it is very likely that RC4 has a colliding key pair even
when its key size is much shorter, say 20 bytes, while the minimal key size that
has colliding keys is still an open problem.
We further extend our observation to a near-colliding key pair; that is, a
key pair whose initial states differ at exactly two positions. In the same way as
the key collision case, we show a state transition pattern of a key pair of an
arbitrary length that can lead to a near-collision and analyze the probability
40 M. Matsui

that the pattern actually takes place. Finally we illustrate our (near-)colliding
key pair search algorithm, which has successfully found a 24-byte colliding key
pair and a 20-byte near-colliding key pair.

2 The RC4 Stream Cipher

RC4 is a stream cipher with a secret key whose length is 1 to 256 bytes. We define
k and K as the target key size in byte and the k-byte secret key, respectively, and
K[0]...K[k-1] denote k key bytes. For arbitrary i, K[i] means K[i mod k].
RC4 consists of the key scheduling algorithm (KSA), which creates the 256-byte
initial state array S[0]...S[255] from the secret key, and the pseudo-random
generating algorithm (PRGA), which generates byte sequence Z[0]...Z[L-1]
of arbitrary length L from the initial state.
This paper discusses colliding key pairs of RC4 that create the same initial
state. Hence only the key scheduling algorithm, described below in the syntax of
C language, is relevant. When necessary, we use notations S1/S2 and j1/j2 for
the state array and the state index for the first and second key K1/K2, respec-
tively. The goal of this paper is to find, or show a strong evidence of existence
of, key pair K1 and K2 such that the corresponding state arrays S1 and S2 are
completely same at the end of the key scheduling algorithm.
We define “the distance of a key pair at step i” as the number of distinct
bytes between S1 and S2 at the bottom (i.e. after the swap) of the i-th iteration
in the state randomization loop. If the distance of key pair K1 and K2 is 0 at
step 255, then they are a colliding key pair. This paper will deal with key pairs
whose distance is at most 2 at any step i (0≤i≤255).
[The Key Scheduling Algorithm of RC4]
/* State Initialization */
for(i=0; i<256; i++){
S[i] = i;
}
/* State Randomization */
j=0; /* Index j */
for(i=0; i<256; i++){
/* Step i */
j = (j + S[i] + K[i % k]) & 0xff;
SWAP(S[i], S[j]);
}

[The Pseudo-Random Generator Algorithm of RC4]

i = 0;
j = 0;
for(n=0; n<L; n++){
i = (i + 1) & 0xff;
j = (j + S[i]) & 0xff;
SWAP(S[i], S[j]);
Z[n] = S[(S[i] + S[j]) & 0xff];
}
 Key Collisions of the RC4 Stream Cipher 41

3 An Example: How It Works

In this section we demonstrate a specific example of a colliding key pair and
explain how its collision is created in a step-by-step fashion. In fact, this simple
example contains all tricks that we need for finding colliding key pairs of an
arbitrary length in later sections. The following is a 64-byte key pair, written in
hexadecimal form, which differs at only one byte position, K1[2]=K2[2]. These
two keys create the same initial state, and hence they are cryptographically
indistinguishable.

K1 = 45 3d 7d 3d c9 45 57 12 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

K2 = 45 3d 7e 3d c9 45 57 12 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Table 1 shows internal values in the state randomization loop for each key,
where “@XX” denotes an address of the state array. For example, at the end of
step i=02 (i.e. after the swap), j1=02, j2=03 and the state arrays differ at exactly
two positions 02 and 03. At these positions, S1[02]=02, S2[02]=03, S1[03]=03
and S2[03]=02.

Table 1. The State Transition Pattern of the 64-byte Key Pair

i K1 K2 j1 j2 differences between S1 and S2

00 45 45 45 45 S1=S2
01 3d 3d 83 83 S1=S2
02 7d 7e 02 03 @02(S1=02 S2=03) @03(S1=03 S2=02)
03 3d 3d 42 42 @02(S1=02 S2=03) @42(S1=03 S2=02)
04-40 @02(S1=02 S2=03) @42(S1=03 S2=02)
41 3d 3d 02 02 @41(S1=02 S2=03) @42(S1=03 S2=02)
42 7d 7e 82 82 @41(S1=02 S2=03) @82(S1=03 S2=02)
43-80 @41(S1=02 S2=03) @82(S1=03 S2=02)
81 3d 3d 41 41 @81(S1=02 S2=03) @82(S1=03 S2=02)
82 7d 7e c1 c1 @81(S1=02 S2=03) @c1(S1=03 S2=02)
83-bf @81(S1=02 S2=03) @c1(S1=03 S2=02)
c0 45 45 81 81 @c0(S1=02 S2=03) @c1(S1=03 S2=02)
c1 3d 3d c1 c0 S1=S2
c2 7d 7e 54 54 S1=S2
c3-ff S1=S2

Now let us take a look at this transition sequence more closely to see why/how
the distance of this key pair remains 0 or 2 at any step.
Exploring the Variety of Random
Documents with Different Content
 témoin de toutes mes angoisses, j’en appelle à votre cœur loyal,
et devant l’insuffisance des mots qui traduisent si mal le fond
des sentiments, je me désespère, je me tords, je deviens
folle !…
S’il est vrai que vous allez partir bientôt, comme déjà on
l’annonce, s’il est vrai que cet épouvantable dénouement
m’attend dans quelques semaines, pourquoi me laisser
agoniser ainsi lentement ?
Pardonnez à ma raison éprouvée le ton et l’accent de ces
lignes. Je ne veux pas savoir ce qui a pu me rabaisser à vos
yeux ; je sais seulement que j’étouffe, que je sanglote et que
peut-être vous ne me croirez pas…

Javotte.

Paul était avec moi quand Olive m’a remis cette lettre. Plus
remué par cette lecture que je ne l’aurais voulu, je lui ai dit :
— C’est de Javotte. Je voudrais te la montrer, car à présent nous
ne devons plus rien nous cacher ; mais il y a là-dedans une douleur
simulée ou réelle que je ne peux pas me résigner à trahir… C’est
une femme… Sache seulement que je ne lui répondrai pas.
— Tu as raison. Je ne veux pas savoir ce qu’elle t’écrit. Que
m’importe tout ce qu’elle peut inventer à présent !… Mais tu peux
t’attendre à un bel étalage de ces phrases auxquelles malgré soi on
se laisse toujours prendre… Ce qui me rassure, c’est que notre
amitié est désormais à l’abri des entreprises de cette gredine.
Il en parle sans indulgence. Mais il faut se mettre à la place de
Paul qui constate avec un peu d’humeur involontaire que c’est à moi
et non à lui qu’elle a écrit.
Que ferai-je ? J’ai dit à Paul que je ne répondrais pas. Je relis la
lettre lentement quand je suis seul. Je suis ému ; mais ma conviction
n’est pas ébranlée. Que ferai-je ? Si je la revois, le moindre de ses
gestes m’attachera à elle mieux que la preuve la plus éclatante de
sa sincérité ? Et même si je suis convaincu qu’elle ment, en sera-t-
elle moins désirable ? Alors que m’importent ses explications ? Quoi
qu’elle dise, que ses paroles soient persuasives ou qu’elles n’aient
aucun sens, je n’entendrai pas ses paroles ; j’entendrai le son de sa
voix et je n’aurai plus de force dans les jambes. Même s’imposât-elle
le silence, qu’il lui suffirait de me regarder ; son regard m’engourdirait
le cœur. Et tint-elle les yeux baissés que la seule vue de sa bouche
dissoudrait mon courage…
Non, il ne faut pas, il ne faut pas que je la revoie.

Maintenant, c’est la détente ; l’organisme cède. Je ne quitte plus

la chambre. C’est à peine si je me lève pour aller m’étendre près de
la fenêtre. Debout, mes jambes chancellent. Je suis essoufflé au
moindre mouvement. J’éprouve une vive douleur entre les épaules.
Évidemment, il se fait en moi une diminution sensible des forces. Je
n’ose plus prendre ma température ; mais le feu de mes pommettes,
mon pouls précipité, mes mains brûlantes indiquent suffisamment
que ma fièvre est permanente.
Je me suis décidé à me remettre entre les mains du docteur. Il
est venu. Il m’a ausculté longuement.
— Respirez… respirez donc… vous ne respirez pas.
— Mais si, docteur, je respire autant que je peux.
— Je n’entends rien du tout.
L’oreille contre mon dos, il soufflait, s’obstinait, me faisait
compter :
— Quarante et un, quarante-deux, quarante-trois, quarante-
quatre…
— Allons ! ce n’est pas brillant : mais il ne faut pas s’en étonner…
Vous ne voulez donc pas guérir ?
Il sait ce qui se passe et il me le fait comprendre d’une façon
bourrue et paternelle qu’autorisent son âge et sa fonction. Puis, se
tournant vers ma mère :
 — Madame, il faut emmener votre fils. Si vous prolongez votre
séjour ici, je ne réponds plus de rien. Je parle devant lui pour qu’il ne
l’ignore pas.
J’ai dit :
— Mais je ne peux pas me mettre en route dans l’état où je suis.
Je me sens trop faible.
— Rassurez-vous, ce n’est pas le voyage qui m’inquiète ; vous le
supporterez très bien. Choisissez aux environs de Paris un endroit
aéré, éloigné de la Seine, vous y serez au mieux pendant les mois
de soleil.
Ma mère, alors, a proposé :
— Nous avons à Sannois, dans la vallée de Montmorency, une
petite propriété où nous passions chaque année, avant sa maladie,
une partie de l’été. Comme il nous faut désormais renoncer à Paris,
c’est là que nous comptons nous fixer définitivement.
— C’est cela. Allez-y ; c’est ce qu’il vous faut. Mais partez le plus
tôt possible. Vous m’entendez bien, partez sans plus attendre.
Il en est ainsi décidé. Nous partons dans une semaine. Mais
aurai-je la force de ne pas la revoir ?
 XXI
LE DEVOIR

Je ne l’ai pas revue.

Le jour de notre départ, elle était dans la villa Suzanne, chez Mme
Toledo. Elle chantait une mélodie de Massenet et je comprenais que
c’était pour moi, pour m’attendrir, pour me retenir, qu’elle chantait
d’une voix si chaude et si implorante. J’entendrai longtemps cette
voix qui m’appelait.
Voilà, c’est fini, notre court roman, et je vais encore parler d’elle.
Je voudrais qu’il s’échappât de cette page quelque chose de lent et
de triste comme la fumée qui monterait d’une petite maison muette
où l’on saurait que, derrière les volets clos, quelqu’un est occupé à
brûler des lettres d’amour.
Après une trop belle saison, un voyage enivrant, ou le lendemain
d’une fête, on vit d’une façon un peu silencieuse, un peu
mélancolique et pleine de souvenirs. Mais quand on a quitté pour
toujours un être auprès duquel on avait rêvé mourir, on vit d’une
façon humble, si courbée, tellement soumise au destin !…
C’est ainsi que je vis, depuis que nous avons regagné notre logis
d’été à Sannois, au pied de la colline. J’y suis entré un matin gris
d’avril, aussi brisé de corps que d’âme, Quelle angoisse dès que
j’eus refermé la porte ! Les malles, les cartons, qui encombraient le
vestibule, l’aspect inhabité des chambres entretenaient en moi la
sensation déchirante de la séparation. Encore, à Val-Roland, je
savais qu’elle était là, à deux pas de moi, qu’elle pouvait passer
sous ma fenêtre. Mais ici !… Je regardais, pendant qu’on préparait
mon lit, ces murs longtemps plongés dans la nuit, cette demeure
sonore et froide comme un tombeau. La lumière n’avait pas encore
réveillé l’atmosphère, le charme endormi de mes heures d’autrefois.
Je me disais : « Il faut quelques jours pour que l’air s’attiédisse, pour
que je m’adapte. » Je me mouvais avec une sorte de lenteur
accablée. J’évoquais notre chalet de là-bas, le silence, l’odeur de thé
de cette petite salle à manger, le tic tac de la vieille horloge qui est
dans l’escalier. En tournant un peu la tête, il me semblait revoir,
accrochées au mur, deux natures mortes naïvement peintes que
Paul trouvait « touchantes » ; en prêtant l’oreille, il me semblait
entendre le feu qui respire, la petite voix de la lampe et le pas
d’Olive qui fait tinter les verres sur la table. Que tout cela était
lointain !
Lointains, l’éclairage rêveur que j’aime tant, le faible
rayonnement de la route qui semble de la lueur de veilleuse, l’allée
pensive qui est bien le prolongement d’une chambre de malade !
Lointains, le chant du pâtre qu’amplifie l’écho de la montagne, les
fumées paresseuses sur les toits, le petit cimetière où je voulais
dormir, et, devant l’église, cette terrasse solitaire et chaude, où le
soleil s’ennuie !…
Les premiers temps de mon séjour à Val-Roland, qu’ils furent
doux ! Mais elle est venue et je n’ai plus goûté le silence et les bruits
du village, la tiédeur du matin dans la chambre, l’intimité des lampes,
l’odeur de la pluie et les après-midi bleues et vermeilles. Elle est
venue… Ah ! pourquoi es-tu venue ?
Je te connaissais bien. Je savais l’heure où tu venais à moi et où
ta marche légère, dans l’allée, tendait sur ton beau corps ta robe
comme celle de ces Victoires que drape le vent. Je savais la place
près de la fenêtre où le soleil dorait ta peau comme la pelure d’un
fruit, tandis que la volonté de m’asservir était dans ton beau front,
dans tes yeux un peu étrangement éclairés, dans chaque souffle qui
soulevait comme deux ailes ta poitrine cachée. Je savais le moment
où tu commençais de m’oublier, où tu secouais, en descendant
l’escalier tous ces petits riens que tu emportais de notre intimité,
tous ces petits riens qui faisaient déborder de moi et se répandre en
toi le contenu de ma faible vie. Je savais que, de ta bouche qui
mentait, me venait cet obstacle, là, sur la gorge, qui m’empêchait de
respirer. Je te parlais en badinant ; je te considérais avec une
moquerie légère, et j’avais le cœur serré à chacune des minutes qui
se détachaient de l’heure et déjà n’étaient plus… Combien de fois ai-
je pleuré, angoissé par l’attente et la peur de te perdre ! Je
t’attendais si frénétique, si malheureux, si déchiré… et puis tu
venais ; tu me donnais tes mains et j’étais consolé.
J’étais consolé, mais sans sécurité pourtant. Tes mains, un
instant consolatrices, je les sentais trop capricieuses, trop mobiles,
toujours prêtes à se reprendre ; elles n’étaient pas de celles, douces
et pures, qui se posent sur un front et sur une pensée, de celles qui
apaisent, qui rassurent, qui rendent la confiance.
Je savais que tant que je te connaîtrais, je ne serais ni patient, ni
heureux, ni tranquille ; que tout ce que tu m’offrais ne saurait jamais
contenter mon âme. Même après que tu m’eus fait de toi, de ton être
jeune, de ta beauté ardente, ce don magnifique, mon tourment ne fit
que s’exaspérer, et ce qui est arrivé était inévitable.
Mon amie, tu comptais trop sur ma faiblesse. Tu me laissais, tu
me retrouvais, sûre de ton pouvoir et de mon désir, et pourtant, tu
vois, je suis parti.
Et maintenant, il faut que je reprenne mes pensées, une à une, et
tous les sentiments de mon cœur, que je remette de l’ordre dans ce
désordre, que j’installe la paix là où tu as mis tant de tumulte, que je
détruise ton ouvrage, que je retourne à l’austérité morne de mes
jours d’autrefois. Hélas ! une âme ardente supporte la douleur, mais
comment supporter l’ennui ?…
La sonnette de la maison peut tinter, j’ai fini de tressaillir. Un pas
peut gravir l’escalier, je sais bien que ce n’est pas toi. Toi, tu es là-
bas, dans ce pays que j’aimais et où je ne reviendrai plus. Tu
continues à promener ingénument dans toutes les chambres de
malades ton beau cœur passionné qui les éclaire comme un
flambeau.
Tu aimes tant les malades !
Je t’évoque dans n’importe quel chalet, partout où il y a un
homme affaibli et désœuvré. Son visage délicat se tourne vers toi
avec une force d’attention contenue. Tu ris, tu verses le thé, et, de
même qu’on voit monter le liquide vermeil à travers la tasse de fine
porcelaine, je vois, à chacun de tes gestes, transparaître et
progresser une joie chaude à travers le visage délicat. Et je
t’entends lui dire :
— Je suis sûre qu’on vous a dit du mal de moi et que vous l’avez
cru… Dites-moi ce qu’on vous a raconté… Ça m’amuse tant de
savoir !…
Ou bien je t’entrevois près de ta fenêtre, penchée sur un billet
que tu achèves et qui ne m’est pas destiné. Et je te retrouve encore
dans quelque jardin, quand vient le soir, cachée par un bosquet et
prononçant de ta voix grave et veloutée des paroles d’amour qui ne
sont pas pour moi…

Les lettres de Paul ont repris leur voyage amical. Il s’ennuie à

Bordeaux où il s’est fixé. Il vient d’aller passer huit jours à Saint-
Jean-de-Luz. Sa dernière lettre me disait :

Je n’ai pas voulu repartir sans avoir revu Val-Roland, un peu

poussé par la curiosité que tu devines. Dans l’allée, comme je
faisais les cent pas, je me trouve soudain face à face avec « la
Dame qui souffla la tempête entre nous ». — Bonjour,
Mademoiselle. — Bonjour, Monsieur. Ce fut tout. Elle passa très
digne, enfermée dans une sorte de réserve hostile. Je ne
pouvais insister. Étrange fille !

Alors, j’entends de nouveau avec plus de force la voix qui

m’appelait le jour de mon départ. La lettre, qu’elle m’a écrite, se
reconstruit dans mon esprit : « Une raison plus forte que ma volonté
et devant laquelle j’ai dû m’incliner justifiait mon attitude vis-à-vis de
vous ; mais au prix de quel sacrifice !… Vous, mon ami, qui avez
souffert, comprendrez la sincérité de mon cri… Vous sentir là, en
face, à deux pas de moi, dans l’ignorance de certaines choses et ne
pouvoir rien dire ! » Ah ! l’effet pernicieux de ces phrases sur qui ne
demande encore qu’à les croire ! Le poison recommence à s’infiltrer
en moi. Qui sait si je n’ai pas eu tort ? Qui sait si elle ne m’a pas
aimé ?
Pourquoi m’aurait-elle aimé ? Mais est-ce que l’amour
s’explique ? Est-il un sentiment plus arbitraire, plus inconcevable,
plus incompréhensible ? Explique-t-on seulement l’amitié qui est, en
somme, un des degrés inférieurs de l’amour ? Choisissons-nous nos
amis pour leur valeur ou leurs vertus ? L’admiration, l’estime font-
elles pencher notre cœur et contre-balancent-elles des raisons plus
mystérieuses qui nous portent vers ceux dont nous subissons
malgré nous l’attrait, dont nous excusons d’avance tous les travers,
tous les défauts ? Nos préférences sont instinctives, irrésistibles,
injustes. Les meilleurs offices, le dévouement, la fidélité de ceux que
nous n’avons pas élus, même s’ils nous touchent, ne leur
conquièrent point notre réelle, notre intime, notre profonde affection
et ne peuvent faire que nous éprouvions en leur présence cette
sensation de plaisir ou de joie que nous apportent de vrais amis.
Alors, quand nous ne pouvons même pas expliquer l’amitié,
comment expliquerions-nous l’amour ?

Il faut le dire : Ici, j’ai plus de courage. On aime partout ; partout

on peut être faible, déraisonnable, insensé ; mais on a plus de
courage sous certains climats. A Val-Roland, l’atmosphère
voluptueuse et molle vous livre sans défense à tous vos désirs. La
trame de l’air semble une étoffe qui se détend. Rien ne vous
soutient ; la volonté n’a pas de support. On se sent irrésolu,
désemparé, vulnérable. Ici, au contraire, le temps vif, l’air serré vous
raffermissent. Il y a sans cesse autour de soi comme un effort qui
nous aide. Un invisible secours vient à nous qui nous révèle à nous-
mêmes nos secrètes énergies.
Allons ! je l’oublierai. Je sais que si je vis assez pour pouvoir
mettre entre nous l’épaisseur de l’été, je verrai s’affaisser mon
regret. L’énigme ne sera jamais résolue ; mais le doute cessera de
me tourmenter. J’en serai distrait quelques jours, puis il reviendra. Je
l’oublierai encore, puis je le retrouverai un soir, comme un hôte qu’on
n’attend plus et qui vient, de loin en loin, s’asseoir à votre table.
Enfin la paix se fera. C’est ainsi que se fatiguent et s’usent, à la
longue, parmi nos maux, ceux qui ne sont point mortels.
Les jours se succèdent. Je les vois s’envoler comme les derniers
pétales qui tombent de ma vie. Nous sommes au milieu de mai. Les
après-midi favorables, je demeure étendue dans un petit kiosque
qu’ombrageront, en été, deux acacias qui n’ont pas encore de
feuilles. J’entends, dans le parc voisin, un jardinier tailler une haie
d’aubépines ou bien passer le râteau sur le gravier des allées. Ce
parc est planté de hauts sapins qui limitent ma vue. Un petit sentier
public le sépare de mon jardin étroit et long où je fais quelques pas,
sous des arbres fruitiers, entre une double bordure d’œillets blancs,
quand décline le jour et qu’on perçoit partout les bruits de l’arrosoir.
Autour de moi, ce ne sont que verdures, que vergers. Il n’y a rien
d’autre. Et en moi, il n’y a rien non plus, que le souvenir de Javotte
qui plane tristement sur mon cœur vide, comme un soleil sur un
désert…
Ainsi, mon amie, quand je veux me détacher de toi, je n’ai pour
me distraire que la couleur de l’air, le jardin, tour à tour dilaté par la
lumière et rétréci par l’ombre, les heures qui tournent, sans bruit,
autour de la maison. Mais il le faut ! Je m’intéresse à tout ce qui
m’entoure. J’appelle à moi des pensées hautes ; je songe à des
choses très vagues que tu ne pourrais saisir, que je dirai plus loin ; et
je donne congé à ton image, ayant, comme chaque jour, rendez-
vous avec le devoir.
 XXII
RÊVERIE DANS UN JARDIN

J’ai passé l’été étendu dans mon petit kiosque, à rêver, à jouir
une dernière fois du mystérieux enchantement qui enveloppe les
hommes. Septembre est venu. Sur le rideau de sapins où mon
regard se pose, je vois s’affaiblir la lumière dont le rayonnement se
fait plus émouvant de jour en jour. C’est l’instant de la morne féerie,
des journées douces et dorées qui amollissent le cœur. Le paysage
le plus indigent se magnifie. Quelle paix rêveuse dans une allée en
septembre et en octobre ! Quelle ardente mélancolie ! De leur
décomposition prochaine, les choses semblent avoir le grand
pressentiment et l’âme cesse de se croire seule quand elle sent
autour d’elle toutes ces forces en déclin, quand elle sent dans
l’espace tant de lyrisme et de regret.
Chaque matin, la lumière en se séparant de l’ombre me trouve
déjà éveillé. Dans l’air, si limpide qu’il semble avoir été filtré par la
nuit, il y a encore des chants d’oiseaux. Ce sont les derniers de la
saison. Ils se dispersent, se fragmentent et, pendant que mon oreille
les recueille et les rassemble un à un, je crois réunir les morceaux
épars d’une page déchirée. Bientôt cette douce naissance d’une
journée nouvelle m’appelle au jardin. Je me lève. C’est le moment
où je refais connaissance avec moi-même. La glace me renvoie un
étrange visage auquel je ne parviens pas à m’accoutumer. Les
cheveux et la barbe qui ont blanchi par places d’une façon inégale,
ont l’air fané, déteint, d’une étoffe de mauvaise qualité. Il s’en
dégage une impression de disgrâce, de pauvreté, comme si une
partie de mon vêtement était usée.
Il y a, devant ma fenêtre, un sorbier dont la cime jaunit et se
dessèche parce que, sous la terre, un mal que je ne puis percevoir,
ronge ses racines. Je ressemble à ce sorbier. Le sourd travail que la
maladie poursuit en moi, c’est à mon sommet qu’il se révèle et,
parce que l’organisme a été touché dans ses parties obscures, la vie
s’éteint à la cime de l’arbre.
Il me semble que l’automne dernier, à Davos, j’ai vaguement
pensé quelque chose d’analogue. Mais là-bas, encore, je paraissais
si jeune ! J’avais l’air d’un adolescent affaibli par une rapide
croissance ; et voici que, sans transition, j’ai passé d’un extrême à
l’autre, comme au théâtre, selon la volonté de l’auteur, un
personnage vieillit de vingt ans dans l’intervalle d’un entr’acte. Il en
résulte cette surprise quotidienne que j’ai à consulter ma glace. Je
crois toujours que je me trompe, que ce n’est pas moi, que je suis
victime d’une supercherie. Alors, je descends et, dehors, si j’adresse
la parole, comme cela m’est arrivé hier, à un enfant arrêté devant ma
grille, l’enfant à demi effrayé se met à courir puis, vingt pas plus loin,
rassuré par la distance, il se retourne et dit en me désignant du
doigt :
— Ah ! ah ! le bonhomme !
Le bonhomme !…
Chaque matin, donc, je descends au jardin de mon pas de
bonhomme. Dans l’allée, le soleil est avec moi. D’une façon
affectueuse, sans peser, il touche ma faible épaule. Il m’encourage,
il m’accompagne comme un ami.
Je donne un regard aux acacias qui sont les blonds parmi les
arbres. Leur ombre légère remue sur le petit kiosque où je vais
m’étendre. A cause du rideau de sapins qui limite ma vue, je suis
comme enfermé dans un cloître de verdure. Tout se resserre autour
de moi. Tout devient plus intime. D’une forge voisine m’arrivent plus
atténuées les sonorités mélancoliques du fer que frappe le marteau.
Un rouge-gorge, sur le cerisier, veut que je l’écoute, et, quand il se
tait, j’entends la voix lointaine du coucou qui sonne les dernières
heures de l’été. Ainsi passe le temps. Parfois une reine-Claude trop
mûre roule sur le petit toit qui me protège et va se meurtrir à terre où
elle suscite aussitôt un bourdonnement de guêpes. Parfois, c’est une
poire de curé qui tombe de très haut, et, pendant qu’elle tombe, je
vois son ombre attentive courir sur le sol pour la rejoindre et la
recevoir. Ici, un insecte, dont j’ignore le nom, creuse, au prix d’efforts
inouïs, un petit trou où il se tiendra embusqué, guettant plus faible
que soi ; là, deux papillons qui se poursuivent décorent le mur de
leurs guirlandes ; et, sur les montants du kiosque que parcourent en
longues files les fourmis laborieuses, autour de ma tête, dans l’air
que les mouches emplissent de leur ballet aérien, sur chaque rosier,
où un insecte, dont j’ignore aussi le nom, pratique, à l’aide d’une
petite scie, une entaille pour y déposer ses œufs, au centre de cette
toile qu’achève l’araignée, partout, quelle hâte de vivre chez ces
êtres innombrables qui, menacés par l’hiver, remplissent avec plus
d’ardeur leur fonction belliqueuse ou débonnaire et qu’on ne
distingue pas toujours de leur milieu, telle la vrillette qu’on prendrait
pour une parcelle de bois, tel l’opâtre qui ressemble à un grain de
sable !…
Comment garder l’impression d’être une cellule isolée, ne pas
s’intéresser à tout cela, aux mille petites amies que veulent être les
fleurs pour celui qui les cultive, aux feuilles qui humblement
grandissent, se colorent, donnent un peu d’ombre, sèchent et se
détachent de l’arbre, aux racines qui sont de lentes énergies
cachées, aux liserons qu’on arrache et qu’on retrouve sous ses pas
comme autant de petites volontés patientes, au sourd travail des
forces de la vie ? Comment se refuser à jouir du plaisir secret et
inexplicable qui vous vient d’un vieux figuier penché d’une certaine
façon ou du grincement, dans la rue voisine, d’un vieux portail
évocateur de broussailles et de solitude ? Parce que mes amis me
négligent ou m’abandonnent, parce que ceux que la curiosité
ramenait à moi m’ont comblé en partant de souhaits affectueux, de
paroles d’espérance et qu’ils ne sont pas revenus, vais-je me
lamenter ?
Ne sais-je pas, ne savons-nous pas qu’il y a dans tout ce qui
réussit une vertu attirante et dans tout ce qui échoue je ne sais quoi
qui éloigne ? Nous nous sentons plus légers si, devant nous, une
hirondelle trace les courbes de son vol, tandis que la fatigue d’un
cheval qui gravit une côte nous alourdit les jambes. L’homme
recherche instinctivement les images de la joie. Nous savons donc
qu’une période d’épreuve ou d’infortune fera le vide autour de nous.
Pourquoi, lorsque les circonstances nous forcent à subir cette loi,
semblons-nous la découvrir et en éprouvons-nous une sorte de
stupéfaction triste ? On mesure sa déchéance aux réponses si
lentes qu’on reçoit à ses lettres, et qui autrefois étaient si promptes à
venir, à tant de sympathies qui se sont refroidies. Pour ma part, je
sens vivement la faute que j’ai commise aux yeux de mes meilleurs
camarades par mon obstination à demeurer malade. En ne
reprenant pas ma place dans l’activité, je me raye du nombre de
ceux qui comptent, je cesse d’être une valeur sociale. J’ai tort : je
suis coupable vis-à-vis de ceux qui croyaient à ma fortune d’avoir
déçu leurs espérances.
Il faut le reconnaître. Il y a une certaine beauté dans la réussite,
comme il y a quelque laideur dans l’insuccès. Que toutes les
conséquences de la laideur s’attachent à la défaite, qu’on éprouve
pour l’une et pour l’autre la même compassion distraite, le même
éloignement, peut-être cela n’est-il pas bon, ni juste ; mais cela est
logique dans une certaine mesure. Ce qu’on admire, c’est une
œuvre heureuse de la nature, un organisme exceptionnel, un
cerveau de génie, la beauté d’un visage, tout ce que nous tenons de
la naissance et non pas de l’effort, tout ce qui dans l’homme semble
d’essence divine. Tentez de vous surpasser avec une santé débile,
une petite taille, des dons moyens, on dira : « Ce n’est pas mal ».
L’effort n’a droit qu’à une estime secondaire. Ames vaillantes, logées
dans un corps trop faible, qui défaillez en chemin, n’attendez que
l’oubli. Si vous tombez, c’est que vous ne formiez pas un être
complet, c’est que la nature n’avait pas mis en vous les forces
nécessaires à votre aboutissement.
Certes, j’ai subi, comme chacun de nous, l’attrait du triomphe ;
mais, devant le triomphateur, j’ai toujours pensé : « Celui-là n’a plus
besoin de moi. » Lorsqu’une cause au succès de laquelle j’ai
contribué de toute mon adhésion est gagnée, ma sympathie se
renverse et je me tourne avec intérêt vers l’adversaire, vers la cause
perdue, où l’on n’avait peut-être pas tout à fait tort, cédant, malgré
moi, à cet instinct irrésistible qui m’a toujours porté à prendre le parti
du plus faible.
Je n’ignore pas combien une telle disposition risque d’affaiblir
l’énergie et je ne la conseille pas à ceux qui ne sauraient me
comprendre. La plupart des hommes vont au triomphateur. Qu’ils y
aillent !
Je ne dois pas me dire : « Pierre qui me suivait, qui m’enviait, a
vu par ma disparition s’offrir à lui les fruits qui m’attendaient. Le petit
Pascal vient d’épouser une créature adorable. Étienne approche de
la gloire. J’étais le plus décidé, le plus volontaire d’entre eux, le plus
entraîné à goûter la joie sainte du travail, l’ami de bon conseil,
jamais découragé, dont ils disaient : « Celui-là, son affaire est
bonne », et me voilà sur une chaise longue, jusqu’à ma dernière
heure. » Non, je ne dois pas me dire ces choses. Quand on accepte
courageusement un sort comme le mien, on s’avise de cette vérité
que tout a une limite : le bonheur comme la souffrance. On n’est
jamais aussi heureux qu’on le souhaite, ni aussi déshérité qu’on le
croit.

La journée du solitaire est une plaine nue. La plus légère

impression y résonne profondément. Chaque menu fait s’y détache
comme des pas sur la neige. L’esprit y est plus attentif, plus vigilant,
plus apte à découvrir la petite source de joie qui se cache dans les
plus humbles choses. On m’eût bien étonné autrefois, en me disant
qu’il y avait en moi la possibilité de vivre seul sans connaître l’ennui.
Je ne connais pas l’ennui. Mais les raisons que j’en pourrais donner
ne me semblent excellentes que si je me les donne à moi-même. Si
je les expose à autrui, je les trouve piteuses. Il en est d’elles comme
de ces meubles qui nous séduisent dans l’intimité d’un appartement
et nous désenchantent quand l’occasion d’un départ les livre, un
instant, au jour cru de la rue.
Peut-on rendre cette sensation de plénitude inattendue qui vient
du vide même, comme l’extrême froid produit l’effet d’une brûlure,
cette sensation d’être comblé qu’on éprouve à de certaines minutes,
cette douce sérénité sans relations avec les circonstances, cette
félicité surprenante et si courte qui jaillissent de nous tout à coup,
d’une façon animale, et auxquelles nous ne comprenons rien ?…
Si l’odeur royale des dernières roses retarde un instant ma
marche dans l’allée, si le cri du rouge-gorge me fait lever la tête vers
la cime du cerisier, si je goûte, dans l’été qui s’en va, la plus
déchirante des fins de fête, si ce temps rêveur, cette lumière oblique,
ce jardin dénoué qui découvre ses suprêmes beautés,
m’étourdissent un peu, si j’entre en confidence avec tout ce qui
m’entoure, si j’ai mieux senti aujourd’hui à mon côté l’affection qui
me soutient, dois-je croire que tout bonheur a déserté ma vie ?
Quand on s’éloigne résolument de ce qu’on a perdu et qu’on se
tourne vers ce qui vous reste, on cesse d’appeler le bonheur, on
cesse d’ouvrir une après l’autre toutes les portes de sa maison en
criant : « Où es-tu ? » et, cessant de le chercher, on le trouve, on le
reconnaît sous ses plus humbles aspects. Le parfum de la rose,
l’éclairage qui m’enchante, la main qui est demeurée longtemps sur
mon épaule, tout cela, n’est-ce pas encore quelque chose de lui ?

Maintenant il m’arrive encore de penser à Javotte ; j’y pense

même souvent. Je voudrais affirmer le contraire et que je me suis
reconquis ; mais si je ne dis pas la vérité ces lignes n’ont aucune
raison d’être. Non, la paix ne m’est pas encore venue de ce côté-là.
Il y a toujours ce doute qui subsiste, que le temps et la réflexion
n’ont pu détruire et qui s’exprime par cette petite phrase mille fois
répétée : « Et si, par impossible, elle a été sincère ? »
 Qui le sait ? Qui me le dira ?
Ainsi, du côté de l’amour, la paix ne m’est pas encore venue ; par
contre, elle me vient chaque jour davantage du côté de la mort.
L’espèce de quiétude étrange, le calme fataliste des premiers jours
du mal, sont de nouveau en moi. Ce n’est pas que mon cœur ne
connaisse plus de défaillances et que, parfois, je n’éprouve avec une
poignante évidence que mourir à trente ans c’est mourir davantage ;
mais, en somme, ma propre expérience confirme la justesse de
cette parole d’un de mes amis : « Dans tous nos maux, il est trois
phases : d’abord on s’illusionne, ensuite on se révolte, enfin on se
soumet. »
Cet état d’esprit, je le tiens de mon père, dont je sens avec
émotion grandir en moi, sous la ressemblance physique, la
personnalité morale. Cette patience nouvelle qui me porte à souffrir
mon destin me vient de lui. De lui, cette soumission à la grande loi
de périr et de disparaître qui frappe chacun à une heure différente et
qu’on doit s’efforcer de subir avec sérénité parce que, sans que
nous le comprenions, cela est nécessaire ; il faut que cela soit.
Le malade qui, séduit par la magie d’un jour doré d’automne, a
reçu dans son cœur l’apaisement venu de la terre où tout se
transforme, comprend confusément que les forces qui sont en elle et
qui vont le reprendre sont bienfaisantes et généreuses, et même si
tout en lui n’accepte pas la mort, c’est avec moins d’effroi qu’il voit
venir l’heure de s’endormir, à la fin d’un beau soir, dans cette terre
qui l’a porté, bercé par ces forces généreuses et maternelles.
Autour de moi, sans cesse, je sens présentes, invisibles et
rassurantes, une prévoyance souveraine et une immense sagesse.
J’y veux voir aussi un peu de bonté. En dépit des meurtres sur
lesquels se fonde l’universelle vie, puisque la nature a mis dans
l’homme la bonté et l’amour, la bonté et l’amour sont en elle.
Quelle douceur ont ces herbes accueillantes où nous étendons
nos membres las ! Quelle vertu secourable dans ce soleil déclinant
qui caresse, à cette heure, sur la place mélancolique de chaque petit
village, le dos des vieillards assis sur les bancs ! Comme il assoupit
nos regrets, fait fondre nos ressentiments, efface les pas qui nous
ont foulé l’âme, affaiblit nos chagrins et, avec les pierres et nos
volontés, fait de la poussière ! De quelle façon insensible et sûre, lui
qui a éclairé toutes les désillusions humaines, il décolore, détruit en
nous le désir de biens que nous ne pouvons atteindre ! Avec quelle
force tranquille de persuasion il dit : « Résignez-vous », à ceux qui
savent entendre sa leçon !…
Ici, sur ce petit point du monde où j’achève de vivre, à un certain
moment de sa course, il rencontre une goutte de gomme qui, sur le
tronc de ce prunier, s’est solidifiée et la transforme en une topaze
incandescente. C’est chaque fois comme un geste mystérieux qui
me dit :
— Il est trois heures.
Nous sommes à l’époque où dans la maison il pénètre
davantage. En juillet, par la fenêtre qui éclaire l’escalier, il effleurait à
peine la première marche. Déjà, il atteint la cinquième. Et à mesure
que le froid viendra, se sentant plus attendu, il montera encore. C’est
ainsi que durant la saison du sommeil végétal, quand il n’a plus
d’autre utilité que de réchauffer les êtres, il s’attache à eux, les suit
dans leurs demeures, en gravit les degrés, s’élargit dans les
chambres, s’avance jusqu’au chevet des lits pour retrouver ses amis
les malades. Puis, discrètement, sur la pointe du pied, il se retire,
rétrograde, mois par mois, redescend, marche à marche, comme il
est venu, rappelé dans l’univers par les vergers, les prairies et les
bois.
Pendant que je trace ces lignes au crayon sur quelque marge de
journal, son dernier rayon chemine, lentement, ce soir, parmi le
gravier de l’allée. Les arbres, les plantes, les fleurs, qui perdent avec
lui leur bien le plus précieux, ont poussé davantage du côté où il les
quitte, à cause de l’effort qu’ils ont fait chaque soir pour le voir partir ;
et quand il a disparu, c’est un peu impressionnant de se retrouver,
dans un vaste silence, avec ces témoins arrêtés, cette multitude
immobile comme assemblée sur des gradins, dont toutes les têtes
tournées vers le même point dénoncent la route qu’il a prise…
 Le rayon chemine lentement sur le gravier, semblable à la traîne
d’une robe qui s’en va. Et moi, dont les meilleurs moments furent
donnés à mon cœur par un retour mélancolique vers la dernière
aventure de ma vie, je me rappelle combien de fois j’ai suivi du
regard Javotte qui s’en allait ainsi. Ainsi, elle s’en allait, sans bruit,
dans l’allée de Val-Roland, et, à chaque pas qui l’éloignait, je voyais
pareillement l’ombre grandir autour de moi…

J’écris pour ceux que la vie, le mal ou l’amour ont blessés, pour
ceux qui portent au côté gauche une langueur secrète et qui, comme
moi, étendus dans un jardin, interrompent leur lecture ou leur rêverie
pour mieux sentir dans l’enveloppement affectueux d’une journée de
septembre ces douces influences qui veulent consoler…
 XXIII
RÊVERIE PHILOSOPHIQUE

La Nature, pour nous contraindre à l’action, a paré d’attraits tout

ce que nous n’avons pas. Pour nous incliner au souvenir, elle nous a
donné le regret. Nos impulsions les plus confuses tendent aux fins
qu’elle se propose. Or, quelles promesses a-t-elle encloses dans ce
don qu’elle nous fit de l’espoir et du rêve ? Cette ardeur qui nous
porte vers le mieux, cette tentation de s’évader de soi-même, ce
besoin de s’élever qui nous exalte et nous passionne, est-ce sans
but que nous les subissons ? Est-ce sans dessein qu’il fut permis à
notre pensée d’aller toujours au delà de ce que nos mains peuvent
faire et que nous sentons en nous le germe d’actions impossibles à
accomplir dans l’état où nous sommes ? A quoi servent cette
impulsion qui se retrouve, jamais lassée, toujours intacte, à tous les
âges de la terre, cette tendance ascensionnelle, cette constante
aspiration vers un état supérieur ?
Chaque fois qu’un homme que n’illumine point la foi s’est tourné
vers la mort, il s’est demandé :
« Quoi ! la vie est cette attente inquiète, ce moment instable où
nous cherchons à nous découvrir, à nous réaliser ! Chaque effort que
nous faisons dans ce but prépare notre propre ruine ; les ailes que
nous avons acquises nous approchent de notre fin comme la
chrysalide ne se mue en papillon que pour s’anéantir quelques
instants après. A peine épelons-nous quelques vérités que notre
lampe s’éteint. Nous mourons inachevés. Et c’est pour ce
bégaiement que nous venons au monde, pour quelques fêtes de
l’esprit et de la chair, quelques ivresses, quelques sanglots ? Mais
quelle absurdité est-ce donc alors que la vie ? »
Le problème de la mort, qui a tiré des poètes leurs plus beaux
cris, n’a tiré des penseurs que de vains efforts désespérés vers la
suprême raison des choses. Il n’est pas de domaine où notre
conception soit plus pauvre en hypothèses, et les différents
systèmes qu’on nous propose sont comparables à ces épreuves
photographiques non fixées qu’il suffit d’exposer à la lumière pour
qu’elles s’obscurcissent. Si quelqu’un me déclare que la vie n’a pas
de sens, je me dis : « Qu’en sait-il ? » Tout infime que soit l’homme,
je ne puis voir en lui un jouet aux mains des forces qui le conduisent.
Dès qu’il cesse d’être ébloui par les merveilles qui l’entourent et qu’il
commence à les considérer, l’esprit pressent qu’elles ne sont point
une terminaison. La création présente la trace de tâtonnements,
toute une série d’essais que les fouilles du sol ramènent au jour et
où se peut suivre à travers les époques, dans les types ébauchés,
puis abandonnés, comme la sourde, patiente, éternelle volonté
d’une réalisation meilleure. Même dans ce qui a survécu et qui, par
conséquent, dut la satisfaire, le pouvoir d’invention de la Nature
n’apparaît pas sans limites. Elle se répète dans la construction des
végétaux, dans la forme des animaux et jusque dans les ruses des
insectes. Non, son œuvre n’est point close ; et il est permis de se
demander si ce n’est pas à l’homme, qui a déjà remplacé par l’hélice
les nageoires et les ailes, si ce n’est pas à l’homme qu’elle a songé,
si ce n’est pas lui, le bon ouvrier, le collaborateur dont elle entend
utiliser le génie pour perfectionner ses procédés.
Sans doute, ce génie n’a pas encore donné sa mesure. Mais
nous quittons à peine l’état de barbarie où les guerres firent tort aux
laboratoires ; et puis, le monde est-il si vieux ? Je calcule qu’il n’y a
pas plus d’un milliard de minutes que le Christ est mort, et que
trente-deux individus de soixante ans représentent la durée actuelle
de l’ère chrétienne.