Searching for the Optimum Correlation Attack
- FSE’94, LNCS 1008, 1995
Cited by 27 (0 self)
We present some new ideas on attacking stream ciphers based on regularly clocked shift registers. The nonlinear filter functions used in such systems may leak information if they interact with shifted copies of themselves, and this gives us a systematic way to search for correlations between a keystream and the underlying shift register sequence.
Statistical Techniques for Language Recognition: An Introduction and Guide for Cryptanalysts
- Cryptologia, 1993
Cited by 10 (2 self)
We explain how to apply statistical techniques to solve several language-recognition problems that arise in cryptanalysis and other domains. Language recognition is important in cryptanalysis because, among other applications, an exhaustive key search of any cryptosystem from ciphertext alone requires a test that recognizes valid plaintext. Written for cryptanalysts, this guide should also be helpful to others as an introduction to statistical inference on Markov chains. Modeling language as a finite stationary Markov process, we adapt a statistical model of pattern recognition to language recognition. Within this framework we consider four well-defined language-recognition problems: 1) recognizing a known language, 2) distinguishing a known language from uniform noise, 3) distinguishing unknown 0th-order noise from unknown 1st-order language, and 4) detecting non-uniform unknown language. For the second problem we give a most powerful test based on the Neyman-Pearson Lemma. For the oth...
On Fibonacci Keystream Generators
- Fast Software Encryption, 2nd International Workshop Proceedings, 1994
Cited by 7 (0 self)
A number of keystream generators have been proposed which are based on Fibonacci sequences, and at least one has been fielded. They are attractive in that they can use some of the security results from the theory of shift register based keystream generators, while running much more quickly in software. However, new designs bring new risks, and we show how a system proposed at last year's workshop, the Fibonacci Shrinking Generator (FISH), can be broken by an opponent who knows a few thousand words of keystream. We then discuss how such attacks can be avoided, and present a new algorithm, PIKE, which is based on the A5 algorithm used in GSM telephones. 1 Introduction For many years, cryptologists have studied keystream generators based on linear feedback shift registers [1]. When implemented in hardware, such systems can use a relatively small number of gates for a given level of security; they were very popular in the days before very large scale integration, and are still used in app...
How to Break Gifford's Cipher (Extended Abstract)
- 1994
We present and implement a ciphertext-only algorithm to break Gifford's cipher, a stream cipher designed in 1984 by David Gifford of MIT and used to encrypt New York Times and Associated Press wire reports. Applying linear algebra over finite fields, we exploit a time-space tradeoff to separately determine key segments derived from a decomposition of the feedback function. This work, the first proposed attack on Gifford's cipher, illustrates a powerful attack on stream ciphers and shows that Gifford's cipher is ill-suited for encrypting broadcast data in the MIT-based Boston Community Information System (BCIS). Gifford's cipher is a filter generator---a linear feedback shift register with nonlinear output. Our cryptanalytic problem is to determine the secret 64-bit initial fill, which is changed for each news article. Representing the feedback function as a binary matrix F, we decompose the vector space of register states into a direct sum of four F-invariant Support for this res...
Efficient Stream Cipher with Variable Internal State
This paper presents an efficient stream cipher using an internal state with variable structure and evolution. Arbitrarily large internal states can be used in order to defeat brute-force guessing attacks without compromising the performance of the cipher, and possibly improving it. Attacking is made even more complicated by dynamically choosing different topologies and evolutions for the cipher's internal state. The cipher controls the evolution of its internal state by using both an external keyed pseudo-random generator (EKPRG), either cryptographically strong or weak, and plaintext feedback. The plaintext feedback reduces the probability of producing cyclic keystreams without compromising the security of the cipher. The parameters controlling the structure and evolution of the cipher's internal state can be chosen in order to achieve different levels of security, memory consumption and performance. In terms of security, we evaluate the impact of these parameters in the strength of the c...

