Espresso is a stream cipher proposed for the 5G wireless communication system. Since the design of this cipher is based on the Galois configuration of NLFSR, the cipher has a short propagation delay, and it is the fastest among the ciphers below 1500 GE, including Grain-128 and Trivium. The time-memory-data tradeoff (TMDTO) attack on this cipher and finding the conditional BSW sampling resistance are difficult due to its Galois configuration. This paper demonstrates the calculation of conditional BSW-sampling resistance of Espresso stream cipher, which is based on Galois configuration, and also mounts the TMDTO attack on the cipher by employing the calculated sampling resistance. It is also shown that the attack complexities of TMDTO attack are lower than those claimed by the designers of the ciphers.

中文翻译：

---

使用条件采样电阻和TMDTO攻击恢复Espresso流密码的内部状态

Espresso是为5G无线通信系统提出的流密码。由于此密码的设计基于NLFSR的Galois配置，因此该密码具有较短的传播延迟，并且在1500 GE以下的密码（包括Grain-128和Trivium）中是最快的。由于它的Galois配置，对此密码进行时间存储数据折衷（TMDTO）攻击和查找条件BSW采样电阻非常困难。本文演示了基于Galois配置的Espresso流密码的条件BSW采样电阻的计算，并且还通过使用计算的采样电阻将TMDTO攻击加到了密码上。还表明，TMDTO攻击的攻击复杂性低于密码设计者所宣称的复杂性。