Results 1 - 5 of 5
Fast computation of large distributions and its cryptographic applications
In Asiacrypt 2005, LNCS 3788, Springer-Verlag, 2005
Cited by 9 (2 self)
Abstract. Let X1, X2, ..., Xk be independent n-bit random variables. If they have arbitrary distributions, we show how to compute distributions like Pr{X1 ⊕ X2 ⊕ ··· ⊕ Xk} and Pr{X1 ⊞ X2 ⊞ ··· ⊞ Xk} in complexity O(kn2^n). Furthermore, if X1, X2, ..., Xk are uniformly distributed we demonstrate a large class of functions F(X1, X2, ..., Xk) for which we can compute their distributions efficiently. These results have applications in linear cryptanalysis of stream ciphers as well as block ciphers. A typical example is the approximation obtained when additions modulo 2^n are replaced by bitwise addition. The efficiency of such an approach is given by the bias of a distribution of the above kind. As an example, we give a new improved distinguishing attack on the stream cipher SNOW 2.0.
Predicting the Shrinking Generator with Fixed Connections
In Advances in Cryptology - EUROCRYPT 2003, 2003
Cited by 8 (1 self)
Abstract. We propose a novel distinguishing attack on the shrinking generator with known feedback polynomial for the generating LFSR. The attack can e.g. reliably distinguish a shrinking generator with a weight 4 polynomial of degree as large as 10000, using 2^32 output bits. As the feedback polynomial of an arbitrary LFSR is known to have a polynomial multiple of low weight, our distinguisher applies to arbitrary shrunken LFSRs of moderate length. The analysis can also be used to predict the distribution of blocks in the generated keystream.
A New Stream Cipher HC-256
In Fast Software Encryption (FSE'04), LNCS 3017, 2004
Cited by 5 (1 self)
Abstract. HC-256 is a software-efficient stream cipher. It generates keystream from a 256-bit secret key and a 256-bit initialization vector. The encryption speed of the C implementation of HC-256 is about 1.9 bits per clock cycle (4.2 cycles/byte) on the Intel Pentium 4 processor. A variant of HC-256 is also introduced in this paper.
A New Statistical Distinguisher for the Shrinking Generator
2003
Cited by 3 (0 self)
The shrinking generator is a well-known keystream generator composed of two linear feedback shift registers, LFSR_1 and LFSR_2, where LFSR_1 is clock-controlled according to the regularly clocked LFSR_2. The keystream sequence is thus a decimated LFSR_1 sequence.
Linear Sequential Circuit Approximation of Grain and Trivium Stream Ciphers
Cited by 2 (1 self)
Abstract. Grain and Trivium are two hardware-oriented synchronous stream ciphers proposed as the simplest candidates to the ECRYPT Stream Cipher Project, both dealing with 80-bit secret keys. In this paper we apply the linear sequential circuit approximation method to evaluate the strength of these stream ciphers against distinguishing attacks. In this approximation method, which was initially introduced by Golic in 1994, linear models are effectively determined for autonomous finite-state machines. We derive linear functions of consecutive keystream bits which hold with correlation coefficients of about 2^-63.7 and 2^-126 for the Grain and Trivium ciphers, respectively. Then, using the concept of the so-called generating function, we turn them into linear functions with correlation coefficient 2^-29 for Grain and 2^-72 for Trivium. It shows that the Grain output sequence can be distinguished from a purely random sequence using about 2^58 bits of the output sequence, with the same time complexity. However, our attempt fails to find a successful distinguisher for Trivium.