Results 1 - 10 of 22
Good Error-Correcting Codes Based on Very Sparse Matrices
, 1999
Cited by 513 (25 self)
We study two families of error-correcting codes defined in terms of very sparse matrices. "MN" (MacKay-Neal) codes are recently invented, and "Gallager codes" were first investigated in 1962, but appear to have been largely forgotten, in spite of their excellent properties. The decoding of both codes can be tackled with a practical sum-product algorithm. We prove that these codes are "very good," in that sequences of codes exist which, when optimally decoded, achieve information rates up to the Shannon limit. This result holds not only for the binary-symmetric channel but also for any channel with symmetric stationary ergodic noise. We give experimental results for binary-symmetric channels and Gaussian channels demonstrating that practical performance substantially better than that of standard convolutional and concatenated codes can be achieved; indeed, the performance of Gallager codes is almost as close to the Shannon limit as that of turbo codes.
Algebraic Attacks on Stream Ciphers with Linear Feedback
, 2003
Cited by 203 (22 self)
A classical construction of stream ciphers is to combine several LFSRs and a highly nonlinear Boolean function f. Their security is usually studied in terms of correlation attacks, that can be seen as solving a system of multivariate linear equations, true with some probability. At ICISC'02 this approach is extended to systems of higher-degree multivariate equations, and gives an attack in 2 for Toyocrypt, a Cryptrec submission.
Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt
, 2002
Cited by 57 (8 self)
Abstract. A popular technique to construct stream ciphers is to use a linear sequence generator with a very large period and good statistical properties and a nonlinear filter. There is abundant literature on how to use linear approximations of this nonlinear function to attack the cipher, which is known as (fast) correlation attacks. In this paper we explore nonlinear approximations, much less well known. We will reduce the cryptanalysis of a stream cipher to solving an overdefined system of multivariate equations. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving systems of overdefined multivariate quadratic equations over finite fields. The exact complexity of the XL algorithm remains an open problem, and some authors such as T. T. Moh have expressed serious doubts whether it actually works very well. However, there is no doubt that such methods work very well for largely overdefined systems (many more equations than variables), and we confirm this by computer simulations. Luckily, the systems we obtain in cryptanalysis of stream ciphers are precisely very overdefined. In this paper we will show how to break efficiently stream ciphers that are known to be immune to all the previously known attacks. For example, we will be able to break the stream
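The two Courtois/Meier abstracts above both rest on one reduction: each keystream bit of an LFSR-plus-filter generator is a low-degree polynomial in the unknown initial state, so enough keystream bits give an overdefined multivariate system. The block below is an added example, not code from either paper. It uses a toy cipher chosen for the example (a 10-bit LFSR with feedback x^10 + x^3 + 1 and the quadratic filter f(x0, x1, x2, x3) = x0·x1 ⊕ x2 ⊕ x3 applied to state positions 0, 2, 5, 9; all of these choices are assumptions) and attacks it by plain linearization: each of the 55 monomials of degree at most 2 in the 10 state bits is treated as an independent unknown, and 80 keystream bits give a linear system over GF(2) that Gaussian elimination solves. This is the degenerate case of XL in which no equations are multiplied; for this filter the 80 linearized rows have full rank 55, so the state is recovered uniquely.

```python
"""Algebraic attack on a toy LFSR filter generator by linearization (added example).

Toy cipher (assumed for the example): 10-bit LFSR with primitive feedback
x^10 + x^3 + 1, filtered by f(x0,x1,x2,x3) = x0*x1 ^ x2 ^ x3 on state bits 0,2,5,9.
Every keystream bit is a degree-2 polynomial in the 10 unknown initial-state bits;
treating the 55 monomials (10 linear + 45 quadratic) as fresh unknowns makes the
system linear over GF(2)."""
from itertools import combinations

N = 10                      # LFSR length = number of unknown initial-state bits
FILTER_POS = (0, 2, 5, 9)   # state positions fed to the filter f


def lfsr_sequence(init, n):
    """Extend init under s[t+10] = s[t] ^ s[t+3] (feedback x^10 + x^3 + 1).
    Works on bits (the real LFSR) and on bitmasks 1<<i, in which case s[t] is the
    GF(2)-linear form of output bit t in the initial-state variables x_0..x_9."""
    s = list(init)
    while len(s) < n:
        t = len(s) - N
        s.append(s[t] ^ s[t + 3])
    return s


def f(x, mul):
    """The filter. mul is bit-AND for values and poly_mul for symbols; XOR doubles
    as GF(2) addition both for ints and for sets of monomials."""
    return mul(x[0], x[1]) ^ x[2] ^ x[3]


def keystream(state, n):
    """n keystream bits for a given 10-bit initial state (list of 0/1)."""
    s = lfsr_sequence(state, n + max(FILTER_POS))
    return [f([s[t + p] for p in FILTER_POS], lambda a, b: a & b) for t in range(n)]


# Symbolic side: a GF(2) polynomial is a set of monomials, a monomial a frozenset
# of variable indices (x_i * x_i = x_i, so {i} | {i} == {i}).
def lin_poly(mask):
    return {frozenset([i]) for i in range(N) if mask >> i & 1}


def poly_mul(p, q):
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}
    return out


def gf2_solve(rows, ncols):
    """Gaussian elimination over GF(2). Each row is an int: bit j < ncols is the
    coefficient of unknown j, bit ncols the right-hand side. Returns the unique
    solution as a 0/1 list, or None if inconsistent or underdetermined."""
    pivots = {}                                   # pivot column -> reduced row
    for r in rows:
        for c in range(ncols):                    # clear all existing pivot columns
            if r >> c & 1 and c in pivots:
                r ^= pivots[c]
        lead = next((c for c in range(ncols) if r >> c & 1), None)
        if lead is None:
            if r >> ncols & 1:
                return None                       # 0 = 1: inconsistent
            continue                              # redundant equation
        for c in pivots:                          # keep stored rows reduced
            if pivots[c] >> lead & 1:
                pivots[c] ^= r
        pivots[lead] = r
    if len(pivots) < ncols:
        return None                               # underdetermined
    return [pivots[c] >> ncols & 1 for c in range(ncols)]


def algebraic_attack(z):
    """Recover the initial state from keystream z by degree-2 linearization."""
    n = len(z)
    forms = lfsr_sequence([1 << i for i in range(N)], n + max(FILTER_POS))
    monos = [frozenset([i]) for i in range(N)] + \
            [frozenset(c) for c in combinations(range(N), 2)]
    col = {m: j for j, m in enumerate(monos)}
    rows = []
    for t in range(n):
        poly = f([lin_poly(forms[t + p]) for p in FILTER_POS], poly_mul)
        r = z[t] << len(monos)                    # right-hand side bit
        for m in poly:
            r |= 1 << col[m]
        rows.append(r)
    sol = gf2_solve(rows, len(monos))
    if sol is None:
        return None
    return [sol[col[frozenset([i])]] for i in range(N)]   # the linear monomials x_i


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]       # constructed secret state
    z = keystream(secret, 80)                     # 80 known keystream bits
    print("recovered:", algebraic_attack(z) == secret)
```

With a filter of algebraic degree d over an N-bit LFSR the number of monomials grows like the sum of C(N, i) for i up to d, so plain linearization quickly needs more keystream than is available; that gap is what the XL multiplication step and the low-degree-multiplier idea of the ICISC'02 attack address.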
A Free Energy Minimization Algorithm for Decoding and Cryptanalysis
, 1995
Cited by 16 (10 self)
An algorithm is derived for inferring a binary vector s given noisy observations of As modulo 2, where A is a binary matrix. Here, the binary vector is replaced by a vector of probabilities, optimized by free energy minimization. Experiments on the inference of the state of a linear feedback shift register indicate that this algorithm supersedes Meier and Staffelbach's polynomial algorithm. Index: approximate inference, combinatorial optimization, error correction, stream cipher. Consider three binary vectors: s of length N, and z and n of length M N, related by: (As + n) mod 2 = z (1) where A is a binary matrix. Our task is to infer s given z and A, and given assumptions about the statistical properties of s and n. This problem arises in the decoding of a noisy communication z which was transmitted using an error-correcting code based on parity checks of the original signal s, and in the inference of the sequence of a linear feedback shift register (LFSR) from a noisy observation...
A Free Energy Minimization Framework for Inference Problems in Modulo 2 Arithmetic
 Fast Software Encryption (Proceedings of 1994 K.U. Leuven Workshop on Cryptographic Algorithms), number 1008 in Lecture Notes in Computer Science
, 1994
Cited by 10 (5 self)
This paper studies the task of inferring a binary vector s given noisy observations of the binary vector t = As modulo 2, where A is an M × N binary matrix. This task arises in correlation attack on a class of stream ciphers and in the decoding of error correcting codes. The unknown binary vector is replaced by a real vector of probabilities that are optimized by variational free energy minimization. The derived algorithms converge in computational time of order between w_A and N·w_A, where w_A is the number of 1s in the matrix A, but convergence to the correct solution is not guaranteed. Applied to error correcting codes based on sparse matrices A, these algorithms give a system with empirical performance comparable to that of BCH and Reed-Muller codes. Applied to the inference of the state of a linear feedback shift register given the noisy output sequence, the algorithms offer a principled version of Meier and Staffelbach's (1989) algorithm B, thereby resolving the open proble...
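The inference problem of the two MacKay abstracts, (A s + n) mod 2 = z, made concrete as an added example (not MacKay's code, and it does not implement the free-energy algorithm): s is the initial state of a toy 10-bit LFSR with feedback x^10 + x^3 + 1 (assumed for the example), row t of A is the GF(2)-linear form giving LFSR output bit t in terms of s, n is a constructed noise vector with five flipped positions, and s is inferred by exhaustive maximum likelihood, i.e. the state whose clean output A s is nearest to z in Hamming distance. That brute force is exponential in N, which is why the abstracts look for approximate inference with cost tied to the weight of A instead.

```python
"""Noisy LFSR state inference as the modulo-2 decoding problem (A s + n) mod 2 = z.

Added example. The LFSR (feedback x^10 + x^3 + 1), the secret state and the noise
positions are all constructed for the example. Inference here is exhaustive
maximum likelihood over the 2^N states, not the paper's free-energy algorithm."""

N = 10      # unknown state bits (length of s)
M = 120     # noisy observations (length of z and n)

TRUE_STATE = [1, 1, 0, 1, 0, 0, 0, 1, 1, 0]   # constructed secret s
FLIPS = (7, 31, 58, 90, 113)                   # constructed noise n: positions where n_t = 1


def lfsr_sequence(init, n):
    """Extend init under s[t+10] = s[t] ^ s[t+3] (feedback x^10 + x^3 + 1).
    On bits this is the LFSR; on bitmasks 1<<i each s[t] becomes the GF(2)-linear
    form of output bit t in the initial-state variables, i.e. row t of A."""
    s = list(init)
    while len(s) < n:
        t = len(s) - N
        s.append(s[t] ^ s[t + 3])
    return s


def build_A(m):
    """m x N 0/1 matrix with (A s) mod 2 equal to the clean LFSR output for state s.
    Its first N rows are the identity: the first N outputs are the state itself."""
    forms = lfsr_sequence([1 << i for i in range(N)], m)
    return [[mask >> i & 1 for i in range(N)] for mask in forms]


def mat_vec_mod2(A, s):
    return [sum(a * b for a, b in zip(row, s)) % 2 for row in A]


def observe(s, flips, m=M):
    """z = (A s + n) mod 2, with n the 0/1 indicator vector of `flips`."""
    z = mat_vec_mod2(build_A(m), s)
    for i in flips:
        z[i] ^= 1
    return z


def ml_decode(A, z):
    """Maximum-likelihood s for a binary symmetric channel with p < 1/2: the state
    whose clean output A s is closest to z in Hamming distance. Exhaustive over the
    2^N states, so only workable for toy N; real LFSR lengths need the
    probabilistic inference methods the abstracts describe."""
    best, best_dist = None, len(z) + 1
    for v in range(1 << N):
        s = [v >> i & 1 for i in range(N)]
        d = sum(a != b for a, b in zip(mat_vec_mod2(A, s), z))
        if d < best_dist:
            best, best_dist = s, d
    return best, best_dist


def recover():
    """Whole pipeline: build A, observe z, infer s. Returns (s_hat, distance to z)."""
    A = build_A(M)
    z = observe(TRUE_STATE, FLIPS)
    return ml_decode(A, z)


if __name__ == "__main__":
    s_hat, dist = recover()
    print("inferred state:", s_hat, "| noise weight found:", dist,
          "| correct:", s_hat == TRUE_STATE)
```

This particular instance is guaranteed to decode: the recurrence is invertible, so a nonzero state never reaches the all-zero state and any nonzero LFSR output has a 1 in every window of 10 consecutive bits. The clean outputs of two distinct states therefore differ in at least 12 of the 120 positions, more than twice the 5 noise flips, so the true state is the strict Hamming-nearest candidate. With Bernoulli(p) noise rather than a fixed flip pattern that guarantee becomes a probability, which is the regime the paper's algorithms target.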
The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers
 LNCS 2442, Crypto 2002
, 2002
Cited by 7 (1 self)
Abstract. We introduce a new model – the Filter-Combiner model – for memoryless synchronous stream ciphers. The new model combines the best features of the classical models for memoryless synchronous stream ciphers – the Nonlinear-Combiner model and the Nonlinear-Filter model. In particular, we show that the Filter-Combiner model provides key length optimal resistance to correlation attacks and eliminates weaknesses of the NF model such as the Anderson leakage and the Inversion Attacks. Further, practical length sequences extracted from the Filter-Combiner model cannot be distinguished from true random sequences based on the linear complexity test. We show how to realise the Filter-Combiner model using Boolean functions and cellular automata. In the process we point out an important security advantage of sequences obtained from cellular automata over sequences obtained from LFSRs.
The LILI-128 Keystream Generator
Cited by 7 (1 self)
The LILI-128 keystream generator is an LFSR-based synchronous stream cipher with a 128-bit key. The design offers large period and linear complexity, and is resistant to currently known styles of attack. LILI is simple to implement in hardware or software.
Algebraic Immunity of S-boxes and Augmented Functions
Cited by 7 (1 self)
Abstract. In this paper, the algebraic immunity of S-boxes and augmented functions of stream ciphers is investigated. Augmented functions are shown to have some algebraic properties that are not covered by previous measures of immunity. As a result, efficient algebraic attacks with very low data complexity on certain filter generators become possible. In a similar line, the algebraic immunity of the augmented function of the eSTREAM candidate Trivium is experimentally tested. These tests suggest that Trivium has some immunity against algebraic attacks on augmented functions.