matt�rsa.com

Abstract. We propose a novel distinguishing attack on the shrinking generator with known feedback polynomial for the generating LFSR. The attack can e.g. reliably distinguish a shrinking generator with a weight 4 polynomial of degree as large as 10000, using 2 32 output bits. As the feedback polynomial of an arbitrary LFSR is known to have a polynomial multiple of low weight, our distinguisher applies to arbitrary shrunken LFSR’s of moderate length. The analysis can also be used to predict the distribution of blocks in the generated keystream. 1

The shrinking generator is a well-known keystream generator composed of two linear feedback shift registers, LFSR 1 and LFSR 2 , where LFSR 1 is clock-controlled according to regularly clocked LFSR 2 . The keystream sequence is thus a decimated LFSR 1 sequence.

Abstract. HC-256 is a software-efficient stream cipher. It generates keystream from a 256-bit secret key and a 256-bit initialization vector. The encryption speed of the C implementation of HC-256 is about 1.9 bits per clock cycle (4.2 cycle/byte) on the Intel Pentium 4 processor. A variant of HC-256 is also introduced in this paper. 1

Abstract. Pseudorandom generators based on linear feedback shift registers (LFSR) are a traditional building block for cryptographic stream ciphers. In this report, we review the general idea for such generators, as well as the most important techniques of cryptanalysis. 1 Security Model 1.1 Shannon’s model Basic setting: The most basic task of cryptography is encryption. The setting was captured by Shannon in [47] as a modification of his well-known communication model, proposed in [46]. Consider two entities, named sender and receiver, who want to transmit an arbitrary message at an arbitrary point in time in complete privacy. There are two communication channels available: – The secret channel is completely confidential. No information that is transmitted using this channel can be observed by a third party. However, the secret channel has the disadvantage of being available only at fixed points in time (e.g., when sender and receiver meet in person).

A new construction of a pseudo-random generator based on a simple combination of three feedback shift registers (FSRs) is introduced. The main characteristic of its structure is that the output of one of the three FSRs controls the clocking of the other two FSRs. This construction allows users to generate a large family of sequences using the same initial states and the same feedback functions of the three combined FSRs. The construction is related to the Alternating Step Generator that is a special case of this construction. The period, and the lower and upper bound of the linear complexity of the output sequences of the construction whose control FSR generates a de Bruijn sequence and the other two FSRs generate m-sequences are established. Furthermore, it is established that the distribution of short patterns in these output sequences occur equally likely and that they are secure against correlation attacks. All these properties make it a suitable cryptogenerator for stream cipher applications.

Statement 1. HC-128 supports 128-bit key and 128-bit initialization vector. Statement 2. 2 64 keystream bits can be generated from each key/IV pair. Statement 3. There is no hidden flaw in HC-128. Statement 4. The smallest period is expected to be much larger than 2 128. Statement 5. Recovering the secret key is as difficult as exhaustive key search. Statement 6. Distinguishing attack requires more than 2 64 keystream bits. Statement 7. There is no weak key in HC-128. Statement 8. Encryption speed is 3.05 cycles/byte on Pentium M processor. Statement 9. The key and IV setup takes about 27,300 clock cycles Statement 10. HC-128 is not covered by any patent and it is freely available. Remarks. When more than 2 64 keystream bits are generated from each key/IV pair, the effect on the security of the message/key is negligible. Thus there is no need to implement any mechanism to restrict the keystream length in practice. 1

A new construction ofapseudorandom generator based on a simple combination of three feedback shift registers (FSRs) is introduced. The main characteristic of its structure is that the output of one of the three FSRs controls the clocking of the other two FSRs. This construction allows users to generate a large family of sequences using the same initial states and the same feedback functions of the three combined FSRs. The construction is related to the Alternating Step Generator that is a special case of this construction.