## New Approaches to the Design of Self-Synchronizing Stream Ciphers (1991)

Venue: EUROCRYPT'91

Citations: 28 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Maurer91newapproaches,
  author    = {Ueli M. Maurer},
  title     = {New Approaches to the Design of Self-Synchronizing Stream Ciphers},
  booktitle = {EUROCRYPT'91},
  year      = {1991},
  pages     = {458--471},
  publisher = {Springer-Verlag}
}
```


### Abstract

Self-synchronizing stream ciphers (SSSC) are a commonly used encryption technique for channels with low bit error rate but for which bit synchronization can present a problem. Most presently used such ciphers are based on a block cipher (e.g. DES) in 1-bit cipher feedback mode. In this paper, several alternative design approaches for SSSCs are proposed that are superior to the design based on a block cipher with respect to encryption speed and potentially also with respect to security. A method for combining several SSSCs is presented that allows one to prove that the combined SSSC is at least as secure as any of the component ciphers. The problem of designing SSSCs is contrasted with the problem of designing conventional synchronous additive stream ciphers and it is shown that different security criteria must be applied. Furthermore, an efficient algorithm is presented for finding a function of low degree that approximates a given Boolean function, if such an approximation exists. Its significance for the cryptographic security of SSSCs and its applications in coding theory are discussed.
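The self-synchronizing property the abstract refers to can be seen in a toy SSSC with finite input memory M: each keystream bit is a key-dependent function of only the last M ciphertext bits, so a receiver that loses a ciphertext bit decrypts at most M bits wrongly and then runs in step again. This is an added example, not a cipher from the paper; the keyed Boolean function (one bit of HMAC-SHA256 over the M-bit window), the all-zero initial window and the sample plaintext are assumptions made for the demonstration.

```python
import hmac
import hashlib

# Toy SSSC with finite input memory M. The keyed Boolean function is one bit
# of HMAC-SHA256 over the last M ciphertext bits: an assumed construction for
# illustration, not the paper's design. Bits are lists of 0/1 ints.
M = 8

def keystream_bit(key: bytes, window: list[int]) -> int:
    """Key-dependent Boolean function of the last M ciphertext bits."""
    return hmac.new(key, bytes(window), hashlib.sha256).digest()[0] & 1

def encrypt(key: bytes, bits: list[int]) -> list[int]:
    history = [0] * M            # assumed initial window, known to both sides
    out = []
    for b in bits:
        c = b ^ keystream_bit(key, history)
        out.append(c)
        history = history[1:] + [c]   # feed the ciphertext bit back, not the plaintext
    return out

def decrypt(key: bytes, cbits: list[int]) -> list[int]:
    history = [0] * M
    out = []
    for c in cbits:
        out.append(c ^ keystream_bit(key, history))
        history = history[1:] + [c]   # window is driven by received ciphertext only
    return out

def sample_bits(n: int = 256) -> list[int]:
    """Constructed deterministic plaintext bits for the demo."""
    digest = hashlib.sha256(b"constructed sample plaintext").digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(n)]

def slip_error_positions(key: bytes, bits: list[int], pos: int) -> list[int]:
    """Delete ciphertext bit `pos` (a bit slip on the channel) and return the
    positions where the receiver's output differs from the best it can still
    recover, i.e. the plaintext with bit `pos` lost. Only positions in
    [pos, pos + M) can appear: once M fresh ciphertext bits have been received,
    the receiver's window equals the sender's again."""
    slipped = encrypt(key, bits)
    del slipped[pos]
    got = decrypt(key, slipped)
    expected = bits[:pos] + bits[pos + 1:]
    return [i for i in range(len(got)) if got[i] != expected[i]]

if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("round trip ok:", decrypt(key, encrypt(key, sample_bits())) == sample_bits())
    print("erroneous positions after a slip at bit 100:", slip_error_positions(key, sample_bits(), 100))
```

Contrast with a synchronous additive stream cipher, where the same bit slip would leave every later bit garbled: there is no single keystream sequence here whose period or linear complexity could be assessed, which is the point the abstract makes about differing security criteria.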

### Citations

1951 | The Theory of Error-correcting Codes - MacWilliams, Sloane - 1977
Citation Context: ...x_M. When only linear rather than affine functions are considered (i.e., a_0 = 0), the described procedure can be interpreted as a decoding algorithm for the dual code of a (2^M - 1, 2^M - M - 1) Hamming code [12]. The minimum distance of this code is 2^{M-1}, so that only 25% errors are guaranteed to be corrected, but when errors occur randomly and independently, close to 50% errors can be corrected with high pr...

629 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986
Citation Context: ...ion (as well as other definitions in this paper) could however be further formalized similar to the definition of a pseudorandom function generator (PRFG) introduced by Goldreich, Goldwasser and Micali [6] and Luby and Rackoff [9]. For instance, one could consider a family F = {F_k^{B^{t(k)}} : k = 1, 2, ...} of KBFs where for every k in {1, 2, ...}, F_k^{B^{t(k)}} is a KBF of size k with key space B^{t(k)}, an...

502 | Cryptography and Data Security - Denning - 1982
Citation Context: ...nd block ciphers behave catastrophically since loss of synchronization results in a completely erroneous decryption of the entire following ciphertext. A well-known cryptographic technique (e.g., see [5]) that is resistant against bit slips on the transmission channel (without introducing additional synchronization bits and without using an interactive higher-level protocol for recovering lost synchr...

418 | Theory and Practice of Error Control Codes - Blahut - 1984
Citation Context: ...olean functions of degree at most r differ for at least a fraction 2^{-r} of the arguments. This is equivalent to saying that the minimum distance of an r-th order Reed-Muller code of length 2^M is 2^{M-r} [3]. Hence it is theoretically possible to uniquely determine the best r-th degree approximation g to a given function f provided that it differs in less than a fraction 2^{-r-1} of the function values. For ...

284 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988
Citation Context: ...nitions in this paper) could however be further formalized similar to the definition of a pseudorandom function generator (PRFG) introduced by Goldreich, Goldwasser and Micali [6] and Luby and Rackoff [9]. For instance, one could consider a family F = {F_k^{B^{t(k)}} : k = 1, 2, ...} of KBFs where for every k in {1, 2, ...}, F_k^{B^{t(k)}} is a KBF of size k with key space B^{t(k)}, and where t(k) is an integ...

272 | Shift-register synthesis and BCH decoding - Massey - 1969

224 | On the inherent intractability of certain coding problems (Corresp.) - Berlekamp, McEliece, van Tilborg - 1978
Citation Context: ... [k-1], Y_i and Z and is independent of σ_{i-1}[k], ..., σ_{i-1}[T]. The dependence structure of such an automaton A is characterized by a loop-free directed graph G_A with vertex set V = {I, [1], [2], ..., [T], O} and edge set E, where I and O denote the input and output, respectively. A directed edge from [j] to [k] indicates that σ_i[k] functionally depends on σ_{i-1}[j]. Similarly, an e...

105 | Analysis and Design of Stream Ciphers - Rueppel - 1986
Citation Context: ... cipher based on the remaining ciphertext. Although no presently-used cipher can rigorously be proved computationally secure, some necessary security criteria are known for synchronous stream ciphers [1, 15]. A synchronous stream cipher is insecure unless the period and the linear complexity of the keystream sequence are sufficiently large. These criteria cannot be applied to SSSCs because there exists no s...

49 | Cipher Systems: The Protection of Communications - Beker, Piper - 1992
Citation Context: ...teed to correspond to an automaton with finite input memory M. Without essential loss of generality we assume in the following that the state can be represented by T ≥ M binary digits, i.e. σ_i = (σ_i[1], ..., σ_i[T]). Hence Σ = B^T. For 1 ≤ k ≤ T, σ_i[k] is a (memoryless) generally key-dependent function of the ciphertext digit Y_i, some of the variables σ_{i-1}[1], ..., σ_{i-1}[T] and th...

7 | Cryptanalysis of McEliece's public-key cryptosystem - Korzhik, Turkin - 1991
Citation Context: ...s NP-complete [2]. However, for certain special types of codes there do exist efficient decoding algorithms. Moreover, a significant step towards decoding general linear codes has recently been announced [8]. Because the codewords in our application have length 2^M and are thus too long to be even only read in feasible time, general decoding algorithms are of no use however. In this section we present a ...

2 | A self-synchronizing cascaded cipher system with dynamic control of error-propagation - Proctor - 1985

1 | Differential analysis of DES-like cryptosystems - Biham, Shamir
Citation Context: ... in terms of encryption speed since one block cipher operation is required for enciphering a single plaintext bit. Moreover, the published design criteria, security analysis and cryptanalytic attacks [4] for most block ciphers are restricted to the electronic codebook mode. While some design and security criteria are known for synchronous stream ciphers and block ciphers, only little is known about th...

1 | Cascade ciphers: the importance of being first - Maurer, Massey - 1990
Citation Context: ...ber generator. The following theorem about the cryptographic security of the parallel composition of SSSCs or, equivalently, the sum of KBFs, can be proved using a similar argument as the one used in [11] for proving that the cascade of several conventional synchronous stream ciphers is at least as secure as the most secure component cipher. The theorem holds for virtually every reasonable definition o...