We present some new ideas on attacking stream ciphers based on regularly clocked shift registers. The nonlinear lter functions used in such systems may leak information if they interact with shifted copies of themselves, and this gives us a systematic way to search for correlations between a keystream and the underlying shift register sequence.

A function f(X 1 ; X 2 ; : : : ; Xn ) is said to be t th-order correlation-immune if the random variable Z = f(X 1 ; X 2 ; : : : ; Xn ) is independent of every set of t random variables chosen from the independent equiprobable random variables X 1 ; X 2 ; : : : ; Xn . Additionally, if all possible outputs are equally likely, then f is called a t \Gamma resilient function. In this paper, we provide three different characterizations of t th-order correlation immune functions and resilient functions where the random variable is over GF (q). The first is in terms of the structure of a certain associated matrix. The second characterization involves Fourier transforms. The third characterization establishes the equivalence of resilient functions and large sets of orthogonal arrays. keywords: Correlation-immune functions, resilient functions, stream ciphers, Fourier transforms, orthogonal arrays. 1 Definitions Let GF (q) denote the Galois Field with q elements, where q = p a is a prime po...

This paper presents Dragon, a new stream cipher constructed using a single word based non-linear feedback shift register and a nonlinear filter function with memory. Dragon uses a variable length key and initialisation vector of 128 or 256 bits, and produces 64 bits of keystream per iteration. At the heart of Dragon are two highly optimised 8 s-boxes. Dragon uses simple operations on 32-bit words to provide a high degree of e#ciency in a wide variety of environments, making it highly competitive when compared with other word based stream ciphers. The components of Dragon are designed to resist all known attacks.

to Bob, she encrypts x using the encryption rule e K . That is, she computes y = e K (x), and sends y to Bob over the channel. When Bob receives y, he decrypts it using the decryption function dK , obtaining x. Informally, perfect secrecy means that observation of a ciphertext gives no information about the corresponding plaintext. This idea can be stated more precisely using probability distributions. Suppose there is are probability distributions pP on P, and pK on K. Then a probability distribution p C is induced on C. A cryptosystem is said to provide perfect secrecy provided that pP (xjy) = pP<F24.

This paper presents a new, powerful statistical testing of symmetric ciphers and hash functions which allowed us to detect biases in both of these systems where previously known tests failed. We first give a complete characterization of the Algebraic Normal Form (ANF) of random Boolean functions by means of the M obius transform. Then we built a new testing based on the comparison between the structure of the different Boolean functions Algebraic Normal Forms characterizing symmetric ciphers and hash functions and those of purely random Boolean functions. Detailed testing results on several cryptosystems are presented. As a main result we show that AES, DES Snow and Lili-128 fail all or part of the tests and thus present strong biases.

A systematic procedure for applying fast correlation attacks to combiners with memory is introduced. This procedure consists of the following four stages: identifying correlated linear input and output transforms with maximum possible or relatively large correlation coefficient, calculating low-weight polynomial multiples based on the identified input linear transform, applying an iterative error correction algorithm to the linear transform of the observed keystream and solving several sets of linear equations to determine the initial state of the input LFSRs. This procedure is successfully applied to three keystream generators, namely, the summation generators with three and five inputs, the nonlinear filter generator and the multiplexed sequence generator. 1 Introduction A well-known type of keystream generator for stream cipher applications consists of a number of linear feedback shift registers (LFSRs) combined by a memoryless nonlinear function. The keystream sequences pr...

This paper presents a new attack called Decimation Attack of most stream ciphers. It exploits the property that multiple clocking (or equivalently d-th decimation) of a LFSR can simulate the behavior of many other LFSRs of possible shorter length. It yields then significant improvements of all the previous known correlation and fast correlation attacks. A new criterion on the length of the polynomial is then defined to resist to the decimation attack. Simulation results and complexity comparison are detailed for ciphertext only attacks.

A general mathematical framework behind algebraic cryptanalytic attacks is developed.

Tree-structures have been proposed for both the construction of block ciphers by Kam and Davida [7], and self-synchronous stream ciphers by Kuhn [9]. Attacks on these ciphers have been given by Anderson [2] and Heys and Tavares [6]. In this paper it is demonstrated that a more efficient attack can be conducted when the underlying Boolean functions for the cells are known. It is shown that this attack requires less then 1 3 the chosen ciphertext of Anderson's original attack on Kuhn's cipher. We also comment on an improved version of Kuhn's cipher that was modified in light of Anderson's original attack. The work in this paper has been funded in part by the Cooperative Research Centres program through the Department of the Prime Minister and Cabinet of Australia. 1 Introduction This paper deals with the cryptanalysis of ciphers which can be reduced to a boolean function which has a tree-structure, such as the cipher proposed by Kuhn [9], and Kam and Davida's construction [7] of ...

Abstract: J. Dj. Golić applied linear sequential circuit approximation (LSCA) method to analyze the summation generator with an arbitrary number of inputs. He conjectured that he could obtain all pairs of mutually correlated input and output linear functions with the maximum possible absolute value of the correlation coefficient by this method, but he did not give any proof. By using Walsh Transformation technique, the conjecture is proved for even n in this paper. The “total correlation ” of summation generator is studied which is very similar to that of combiners with one bit memory. Key words: summation generator; correlation coefficient; memory; stream cipher 摘 要: J. Dj. Golić 运用线性序列电路逼进的方法来分析具有任意个输入的求和生成器.他猜想可以通过这种方 法来获得所有具有最大相关系数的输入和输出线性函数对,但是他未给出证明.利 用 Walsh 变换技术证明了 当 n 是