We present some new ideas on attacking stream ciphers based on regularly clocked shift registers. The nonlinear lter functions used in such systems may leak information if they interact with shifted copies of themselves, and this gives us a systematic way to search for correlations between a keystream and the underlying shift register sequence.

When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X , Y and Z such that h(X)h(Y ) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...

. A number of keystream generators have been proposed which are based on Fibonacci sequences, and at least one has been fielded. They are attractive in that they can use some of the security results from the theory of shift register based keystream generators, while running much more quickly in software. However, new designs bring new risks, and we show how a system proposed at last year's workshop, the Fibonacci Shrinking Genertor (FISH), can be broken by an opponent who knows a few thousand words of keystream. We then discuss how such attacks can be avoided, and present a new algorithm, PIKE, which is based on the A5 algorithm used in GSM telephones. 1 Introduction For many years, cryptologists have studied keystream generators based on linear feedback shift registers [1]. When implemented in hardware, such systems can use a relatively small number of gates for a given level of security; they were very popular in the days before very large scale integration, and are still used in app...