## Searching for the Optimum Correlation Attack (1995)

Venue: FSE'94, LNCS 1008

Citations: 29 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Anderson95searchingfor,
  author    = {Ross Anderson},
  title     = {Searching for the Optimum Correlation Attack},
  booktitle = {FSE'94, LNCS 1008},
  year      = {1995},
  pages     = {137--143},
  publisher = {Springer-Verlag}
}
```

### Abstract

We present some new ideas on attacking stream ciphers based on regularly clocked shift registers. The nonlinear filter functions used in such systems may leak information if they interact with shifted copies of themselves, and this gives us a systematic way to search for correlations between a keystream and the underlying shift register sequence.
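The abstract's idea, as an added example that is not code from the paper: a filter function leaks through its interaction with shifted copies of itself, so rather than taking the existence of a correlation on trust, one searches for it. The Python below takes the 5-input function h quoted in the citation contexts further down this page, computes its Walsh spectrum (balance and correlation-immunity order), builds the augmented function for each set of keystream offsets up to a small shift, exhausts every linear mask of the register window to find the largest correlation, and then re-measures that correlation on a keystream from a 16-bit LFSR. The LFSR, its feedback polynomial and the tap positions are assumptions made for this example, not parameters from the paper. One caveat: as transcribed on this page h has algebraic degree 3 (the term x5(x1+x4)(x2+x3)), and Siegenthaler's bound m + d <= n - 1 for balanced functions caps a balanced 5-input function of degree 3 at correlation-immunity order 1, so the code reports the order it computes rather than assuming the "degree two" quoted in the context.

```python
"""Searching for correlations between a nonlinearly filtered LFSR and the
register it filters: an added example, not code from Anderson's paper.
h is the 5-input filter quoted on this page; the 16-bit Fibonacci LFSR
(feedback x^16 + x^14 + x^13 + x^11 + 1, assumed primitive) and the tap
positions feeding h are assumptions made for this example."""
from itertools import combinations


def h(x1, x2, x3, x4, x5):
    """h = x1 + x2 + (x1+x3)(x2+x4+x5) + (x1+x4)(x2+x3)x5 over GF(2)."""
    return x1 ^ x2 ^ ((x1 ^ x3) & (x2 ^ x4 ^ x5)) ^ ((x1 ^ x4) & (x2 ^ x3) & x5)


def truth_table(f, n):
    """f at every n-bit input; bit i of the table index is argument i+1."""
    return [f(*((x >> i) & 1 for i in range(n))) for x in range(1 << n)]


def walsh(tt):
    """Fast Walsh-Hadamard transform: W[w] = sum_x (-1)^(f(x) + w.x), so
    W[w] / 2^n is the correlation between f and the linear function w.x."""
    a = [1 - 2 * b for b in tt]
    step = 1
    while step < len(a):
        for i in range(0, len(a), 2 * step):
            for j in range(i, i + step):
                u, v = a[j], a[j + step]
                a[j], a[j + step] = u + v, u - v
        step *= 2
    return a


def is_balanced(f, n):
    return walsh(truth_table(f, n))[0] == 0


def correlation_immunity_order(f, n):
    """Largest m with W[w] = 0 for every w of weight 1..m (Xiao-Massey)."""
    spec = walsh(truth_table(f, n))
    weights = [bin(w).count("1") for w in range(1, 1 << n) if spec[w] != 0]
    return min(weights) - 1 if weights else n


TAPS = (0, 1, 2, 3, 4)  # assumed: h reads five consecutive register stages


def augmented(offsets):
    """Function of a register window equal to the XOR of keystream bits
    K_{i+d}, d in offsets: h interacting with shifted copies of itself."""
    n = max(offsets) + max(TAPS) + 1

    def g(*s):
        out = 0
        for d in offsets:
            out ^= h(*(s[d + t] for t in TAPS))
        return out
    return g, n


def best_correlation(max_shift=2):
    """Exhaust every offset set {0} + subset(1..max_shift) and every linear
    mask of the window; return (offsets, mask, corr) with the largest |corr|."""
    best = ((), 0, 0.0)
    for k in range(max_shift + 1):
        for rest in combinations(range(1, max_shift + 1), k):
            offsets = (0,) + rest
            g, n = augmented(offsets)
            spec = walsh(truth_table(g, n))
            w = max(range(1, 1 << n), key=lambda i: abs(spec[i]))
            corr = spec[w] / (1 << n)
            if abs(corr) > abs(best[2]):
                best = (offsets, w, corr)
    return best


def per_stage_correlations(offsets):
    """Correlation of the combined keystream bits with each single register
    stage: the uneven ('lumpy') leakage the paper discusses."""
    g, n = augmented(offsets)
    spec = walsh(truth_table(g, n))
    return [spec[1 << j] / (1 << n) for j in range(n)]


def lfsr_sequence(length, state=0xACE1):
    """Output bits of the assumed 16-bit LFSR (taps 16, 14, 13, 11)."""
    bits = []
    for _ in range(length):
        bits.append(state & 1)
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)
    return bits


def empirical_correlation(offsets, mask, nbits=65535):
    """Re-measure a predicted correlation on a real keystream over one period:
    filter the register through h, XOR the chosen offsets, compare with the
    masked register stages."""
    _, n = augmented(offsets)
    s = lfsr_sequence(nbits + n)
    key = [h(*(s[i + t] for t in TAPS)) for i in range(nbits + max(offsets))]
    agree = 0
    for i in range(nbits):
        lhs = 0
        for d in offsets:
            lhs ^= key[i + d]
        rhs = 0
        for j in range(n):
            rhs ^= (mask >> j) & 1 & s[i + j]
        agree += 1 if lhs == rhs else -1
    return agree / nbits


if __name__ == "__main__":
    print("balanced:", is_balanced(h, 5),
          "correlation immunity order:", correlation_immunity_order(h, 5))
    offsets, mask, corr = best_correlation()
    print(f"best: XOR of K_(i+d) for d in {offsets} vs register mask {mask:#b}:"
          f" predicted {corr:+.4f}, measured "
          f"{empirical_correlation(offsets, mask):+.4f}")
    print("single-stage correlations:", per_stage_correlations(offsets))
```

Running it prints the predicted and measured correlation; they agree to within about 1/2^16 because over one period of a maximal-length register every non-zero window pattern occurs equally often. The exhaustive mask search is what turns the existence argument into a search for the optimum; its cost grows as n * 2^n in the window size n, which is why the keystream offsets are limited to a few shifts.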

### Citations

335 | Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
Citation Context: ...from looking at a few candidates that most randomly chosen balanced filter functions appear to leak rather badly. This suggests that just as it is a bad idea to replace the DES S-boxes with random ones [BS], it is also a bad idea to use randomly chosen filters; and of course a knowledgeable designer can easily place a trapdoor in the filter. Many further implications remain to be worked out. For example, ev...

276 | Why Cryptosystems Fail
- Anderson
- 1994
Citation Context: ...and the underlying shift register. However, the problem of finding an actual correlation tends to have been dismissed with an existence proof. Our principle that robust security depends on explicitness [A2] made us suspicious of this, and inspired us to look for a construction. We would ideally like to have an algorithm which will find the maximum correlation which an attacker can obtain; we can then use ...

118 | Nonlinearity criteria for cryptographic functions
- Meier, Staffelbach
- 1990
Citation Context: ...uch equation halves the keyspace which we still have to search. How well does our technique work against other nonlinear combiners? In recent years, a lot of attention has been paid to bent functions [MS2]. We looked at a typical bent function, h(x1, ..., x6) = x1 + x2 + x3 + x1x4 + x2x5 + x3x6, and found it to be significantly worse than the correlation-immune function discussed above. In fact, its augmented functi...

90 | Decrypting a class of stream ciphers using ciphertext only
- Siegenthaler
- 1985
Citation Context: ...ns of varying complexity [MFB] [KBS] [CSh]. Some variants use several functions simultaneously to generate a number of keystream bits in parallel [M1]. The conventional attack on the filter generator [S2] [S3] [MS1] proceeds in two stages. Firstly, we find a function of the keystream which is correlated with the underlying shift register sequence; it can be shown that such a function always exists [XM], even...

60 | Parallel collision search with application to hash functions and discrete logarithms
- van Oorschot, Wiener
- 1994
Citation Context: ...gree n, this will take about n^2 2^(n/2) operations. Recent work by van Oorschot and Wiener has shown that it is feasible to construct special-purpose collision search hardware for n up to 128 or so [VW]. Thus the security of the nonlinear filter generators under consideration boils down to finding good correlations between the keystream and the underlying shift register. However, the problem of finding an...

28 | On a Fast Correlation Attack on Certain Stream Ciphers
- Chepyzhov, Smeets
- 1991
Citation Context: ...acks converge [MG]. Where f(x) is not sparse, one can look for a decimation of the sequence whose polynomial is sparse [A1], or more generally a sparse multiple of f (i.e., a low weight parity check) [CS]. Meier and Staffelbach pointed out that low weight checks can be found by meet-in-the-middle techniques [MS1]; and if f(x) has degree n, this will take about n^2 2^(n/2) operations. Recent work by va...

17 | Correlation Immunity of Nonlinear Combining Functions for Cryptographic Applications
- Siegenthaler
- 1984
Citation Context: ...nctions of varying complexity [MFB] [KBS] [CSh]. Some variants use several functions simultaneously to generate a number of keystream bits in parallel [M1]. The conventional attack on the filter generator [S2] [S3] [MS1] proceeds in two stages. Firstly, we find a function of the keystream which is correlated with the underlying shift register sequence; it can be shown that such a function always exists [XM],...

11 | Correlation via linear sequential circuit approximation of combiners with memory
- Golic
- 1992
Citation Context: ...d a function of the keystream which is correlated with the underlying shift register sequence; it can be shown that such a function always exists [XM], even if the combining function possesses memory [G]. The keystream is viewed as a noisy version of the shift register sequence, and is reconstructed by various techniques (figure 2): LFSR -> Add noise -> K_i (Figure 2 - the standard model). This `standard ...

9 | Cryptanalysts' representation of nonlinearly filtered m sequences
- Siegenthaler
- 1986
Citation Context: ...hniques (figure 2): LFSR -> Add noise -> K_i (Figure 2 - the standard model). This `standard model', which has been the focus of most of the published work on the subject, was first proposed by Siegenthaler [S4]. His original attack involved an exhaustive search through all phases of the shift register to find the highest correlation [S3]; Meier and Staffelbach later showed that iterative reconstruction techniq...

9 | How to Break Gifford's Cipher
- Cain, Sherman
- 1994
Citation Context: ...(Figure 1 - the nonlinear filter generator) Typical systems have shift registers of between 61 and 127 bits in length, and nonlinear filter functions of varying complexity [MFB] [KBS] [CSh]. Some variants use several functions simultaneously to generate a number of keystream bits in parallel [M1]. The conventional attack on the filter generator [S2] [S3] [MS1] proceeds in two stages. Fi...

5 | Derived Sequence Attacks on Stream Ciphers (presented at the rump session of CRYPTO '93)
- Anderson
- 1993
Citation Context: ...ile Mihaljevic and Golic proved conditions under which these fast correlation attacks converge [MG]. Where f(x) is not sparse, one can look for a decimation of the sequence whose polynomial is sparse [A1], or more generally a sparse multiple of f (i.e., a low weight parity check) [CS]. Meier and Staffelbach pointed out that low weight checks can be found by meet-in-the-middle techniques [MS1]; and if f...

4 | A fast correlation attack on nonlinearly feedforward filtered shift register sequences
- Forré
- 1990
Citation Context: ...r columns give us correlations of 0.7, 0.8, and so on. Now the fact that the correlation between a nonlinearly filtered sequence and the underlying shift register is uneven was first pointed out by Forré [F], but she did not investigate the matter further. At last we have explained this irregularity: it is simply a matter of counting the input/output stability of the augmented function h. Of course, we ...

4 | A free energy minimisation framework for inference problems in modulo 2 arithmetic (preprint available from http://131.111.48.24/mackay/fe.ps.Z)
- MacKay
Citation Context: ...onstruction. We would ideally like to have an algorithm which will find the maximum correlation which an attacker can obtain; we can then use this together with the convergence bounds found in [MG] and [M2] to establish whether a given design is vulnerable to a fast correlation attack. Our model is therefore Random Noise -> h(x) -> K_i (Figure 3 - Our model). This is essentially the dual of the problem studie...

3 | Fast correlation attacks on certain stream ciphers
- Meier, Staffelbach
- 1989
Citation Context: ...ing complexity [MFB] [KBS] [CSh]. Some variants use several functions simultaneously to generate a number of keystream bits in parallel [M1]. The conventional attack on the filter generator [S2] [S3] [MS1] proceeds in two stages. Firstly, we find a function of the keystream which is correlated with the underlying shift register sequence; it can be shown that such a function always exists [XM], even if ...

2 | Multiple Independent Binary Bit Stream Generator
- Snow
- 1993
Citation Context: ...tes an attack. In fact, in a recent NSA patent on a device for generating simultaneous keystreams, the underlying generator is run at high speed to ensure that the keystreams are linearly independent [S1]. Another implication is that when doing a correlation attack, the `lumpiness' of the correlation will mean that we have little information about some bits in the shift register sequence, but will kno...

2 | 'n Vinnige Veeldoelige Enkripsievlokkie (A Fast Multipurpose Encryption Chip), supplementary paper to
- Kuhn, Bruwer, et al.
- 1990
Citation Context: ...(Figure 1 - the nonlinear filter generator) Typical systems have shift registers of between 61 and 127 bits in length, and nonlinear filter functions of varying complexity [MFB] [KBS] [CSh]. Some variants use several functions simultaneously to generate a number of keystream bits in parallel [M1]. The conventional attack on the filter generator [S2] [S3] [MS1] proceeds in two stag...

2 | A Low cost high speed encryption system and method
- Mayhew
- 1994
Citation Context: ...1 and 127 bits in length, and nonlinear filter functions of varying complexity [MFB] [KBS] [CSh]. Some variants use several functions simultaneously to generate a number of keystream bits in parallel [M1]. The conventional attack on the filter generator [S2] [S3] [MS1] proceeds in two stages. Firstly, we find a function of the keystream which is correlated with the underlying shift register sequence; ...

2 | The Kinetic Protection Device
- Mayhew, Frazee, et al.
- 1992
Citation Context: ...(Figure 1 - the nonlinear filter generator) Typical systems have shift registers of between 61 and 127 bits in length, and nonlinear filter functions of varying complexity [MFB] [KBS] [CSh]. Some variants use several functions simultaneously to generate a number of keystream bits in parallel [M1]. The conventional attack on the filter generator [S2] [S3] [MS1] proceeds in tw...

1 | Tree Functions and Cipher Systems (Cryptologia v XV no 3)
- Anderson
- 1991
Citation Context: ...for exhaustive analysis, it may still have some structure which we can use. It might have a tractable mathematical definition as in [CSh]; if it has a regular tree structure which is key dependent [K] [A3], then these keybits might be deduced by observing which patterns are most common in decimations of the keystream; where an unknown permutation is introduced in the tree structure, the ideas of [MDO] ...

1 | The Stability Theory of Stream Ciphers (Springer LNCS v 561)
- Ding, Xiao, et al.
- 1991
Citation Context: ...her would be to look for linear functions of the keystream and of the underlying shift register sequence which are correlated; a variant is the `best affine approximation' attack of Ding, Xiao and Shan [DXS]. However, both these attacks throw away a lot of information about the nonlinear structure of h, and our goal is to try and identify - and if possible use - all the information which h leaks. If K_i = ...

1 | Algorithms for Self-Synchronising Ciphers
- Kuhn
Citation Context: ...on Let us take a concrete example. Suppose that the nonlinear combining function h is given by h(x1, x2, x3, x4, x5) = x1 + x2 + (x1 + x3)(x2 + x4 + x5) + (x1 + x4)(x2 + x3)x5. This function is used as a primitive in [K] and appears to have been used in other designs too [KBS]; it is distinguished by being as small a function as one can get which is both balanced and correlation immune of degree two. As already noted...

1 | Fast Attacks on Tree-structured Ciphers
- Millan, Dawson, et al.
- 1994
Citation Context: ...] [A3], then these keybits might be deduced by observing which patterns are most common in decimations of the keystream; where an unknown permutation is introduced in the tree structure, the ideas of [MDO] may be useful; and even where none of these tricks can be used, statistical sampling of the augmented function may still give information to the opponent. Some systems use a number of nonlinear filters ...

1 | Convergence of a Bayesian Iterative Error-correction Procedure on a Noisy Shift Register Sequence
- Mihaljevic, Golic
Citation Context: ...much faster, and especially so if the shift register's connection polynomial f(x) is of low weight [MS1], while Mihaljevic and Golic proved conditions under which these fast correlation attacks converge [MG]. Where f(x) is not sparse, one can look for a decimation of the sequence whose polynomial is sparse [A1], or more generally a sparse multiple of f (i.e., a low weight parity check) [CS]. Meier and St...

1 | A spectral characterisation of correlation-immune combining functions
- Xiao, Massey
- 1988
Citation Context: ... [S2] [S3] [MS1] proceeds in two stages. Firstly, we find a function of the keystream which is correlated with the underlying shift register sequence; it can be shown that such a function always exists [XM], even if the combining function possesses memory [G]. The keystream is viewed as a noisy version of the shift register sequence, and is reconstructed by various techniques (figure 2): LFSR -> Add nois...
