## Cryptanalysis of LFSR-based pseudorandom generators -- a survey (2004)

Citations: 1 (0 self)

### BibTeX

```bibtex
@TECHREPORT{Zenner04cryptanalysisof,
  author = {Erik Zenner},
  title = {Cryptanalysis of LFSR-based pseudorandom generators -- a survey},
  institution = {},
  year = {2004}
}
```

### Abstract

Pseudorandom generators based on linear feedback shift registers (LFSR) are a traditional building block for cryptographic stream ciphers. In this report, we review the general idea for such generators, as well as the most important techniques of cryptanalysis.

### Citations

#### Computer and Intractability: A Guide to the Theory of NP-Completeness
- Garey, Johnson
- 1979
- 10885 citations

Citation context: ...Thus, working with nonlinear equations can only be efficient if the number of monomials in each equation is not too large. – Even worse, solving systems of nonlinear equations is known to be NP-hard [12]. Thus, we cannot expect to find an algorithm that efficiently solves all nonlinear equation systems. On the other hand, finding such a universal algorithm is not the attacker's goal anyway. In our m...

#### The Mathematical Theory of Communication
- Shannon
- 1949
- 6013 citations

Citation context: ...1.1 Shannon's model. Basic setting: The most basic task of cryptography is encryption. The setting was captured by Shannon in [47] as a modification of his well-known communication model, proposed in [46]. Consider two entities, named sender and receiver, who want to transmit an arbitrary message at an arbitrary point in time in complete privacy. There are two communication channels available: – The s...

#### The Art of Computer Programming
- Knuth
- 1973
- 2191 citations

Citation context: ...is $N\left(\frac{s-d}{2}, \frac{s-d}{4}\right)$ normally distributed, implying that $X = \frac{2 D_d - (s-d)}{\sqrt{s-d}}$ follows a standard normal distribution. Other tests have been proposed by Golomb [24], Beker and Piper [1], Knuth [30], Maurer [32], and many others. It is important to remember that all of these tests are necessary, but by no means sufficient criteria for good keystream sequences. 2.3 Period and linear complexity. Re...

#### Communication Theory of Secrecy Systems
- Shannon
- 1949
- 790 citations

Citation context: ...s well as the most important techniques of cryptanalysis. 1 Security Model. 1.1 Shannon's model. Basic setting: The most basic task of cryptography is encryption. The setting was captured by Shannon in [47] as a modification of his well-known communication model, proposed in [46]. Consider two entities, named sender and receiver, who want to transmit an arbitrary message at an arbitrary point in time in...

#### Shift-register synthesis and BCH decoding
- Massey
- 1969
- 270 citations

Citation context: ...gth of the smallest LFSR that generates the sequence z. Note that the period recurrence itself is a linear recurrence, such that LC(z) ≤ ρ. There exists an efficient algorithm by Berlekamp and Massey [31] that constructs the shortest linear recurrence describing z. Since this algorithm needs only $2 \cdot LC$ keystream bits and takes only $O(LC^2)$ computational steps, an attacker can easily simulate a keyst...

#### Introduction to Coding Theory
- van Lint
- 1992
- 254 citations

Citation context: ...own that the corresponding vector (a0, a1, . . . , an−1) was generated by an LFSR of length lA. Thus,⁴ (a0, a1, . . . , an−1) can be considered as a codeword in a linear code, with lA information bits and n − lA checking bits. The problem of reconstructing the contents of register A is equival... (Footnote 4: For an introduction to the theory of linear codes, see any textbook on coding theory, e.g. [41], [50].)

#### On the inherent intractability of certain coding problems
- Berlekamp, McEliece, van Tilborg
- 1978
- 224 citations

Citation context: ...(a0, a1, . . . , an−1) with the least Hamming distance to the known output word (z0, z1, . . . , zn−1). However, the general problem of reconstructing the nearest codeword in an arbitrary linear code is NP-hard [2]. In coding theory, the problem was solved by deliberately choosing the linear code in such a way that decoding is easy. A surprising consequence was that when the duality of coding theory and cryptan...

#### Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations
- Courtois, Klimov, et al.
- 134 citations

Citation context: ..., however, the attacker has a lot more equations at his disposal, reducing the number of output bits required. Still, for the attack to work, the original equation system has to be over-specified. In [8], some evidence (though no formal proof) is given that the attack requires more than l output bits, but that the number of additional bits is small. Sample attack: Remember that for the Geffe gener...

#### Low-density parity check codes
- Gallager
- 1963
- 119 citations

Citation context: ...a brute force search over all possible initial states of register A, yielding an effort of $2^{|A|}$ computational steps. In [33, 34], Meier and Staffelbach proposed to use techniques from coding theory [11] in order to speed up the reconstruction of register A. First observe that each bit of the vector a = (a0, a1, . . . , an−1) produced by A is part of a number of linear relations. For example, if the...

#### Practical Cryptography
- Ferguson, Schneier
- 2003
- 118 citations

Citation context: ...function. Thus, overall security depends both on this initialisation function and on G. Remember, however, that for cryptographic systems, every component should be as strong as possible (cf., e.g., [9]), independently of the other building blocks. Thus, when considering the security of the PRG, we ignore the existence of an initialisation function and assume that the seed is equal to the key, i.e. ...

#### Nonlinearity Criteria for Cryptographic Functions
- Meier, Staffelbach
- 1990
- 117 citations

Citation context: ...k} be the set of linear functions in up to k variables. The correlation coefficient between g and Li is defined as ci = 2 · pi − 1, with pi = Pr(Li(x) = g(x)). It was proven by Meier and Staffelbach [35] that $\sum_{i=1}^{2^k} c_i^2 = 1$. (4) This means that if g has high correlation immunity (i.e. g is not correlated to any linear function in few variables), it is at the same time strongly correlated to line...

#### Correlation-immunity of nonlinear combining functions for cryptographic applications
- Siegenthaler
- 109 citations

Citation context: ...deliberately choosing the linear code in such a way that decoding is easy. A surprising consequence was that when the duality of coding theory and cryptanalysis was discovered by Siegenthaler in 1984 [48, 49], no generic algorithms for the decoding of arbitrary linear codes existed. Ever since, cryptographers have developed algorithms for the decoding problem, enabling increasingly powerful correlation att...

#### Analysis and Design of Stream Ciphers
- Rueppel
- 1986
- 105 citations

Citation context: ...t, G has to be computable by an efficient algorithm. In practice, it is implemented by a finite state machine with output, as displayed in figure 2. The components of such a generator are (see, e.g., [42]): (Fig. 2: Pseudorandom Generator) 1. An inner state $S_i \in \{0, 1\}^l$, 2. an update function $f : \{0, 1\}^l \to \{0, 1\}^l$ that modifies the inner state between two outputs, and 3. an output func...

#### Cryptanalysis of the HFE public key cryptosystem by relinearization
- Kipnis, Shamir
- 1999
- 91 citations

Citation context: ...e nonlinear equation x1x2x3x4 = 1 by the linearised equation M1 = 1. The extension technique: An important improvement over mere linearisation is the extension technique proposed by Kipnis and Shamir [29]. Given a system of nonlinear equations, the attacker constructs additional equations by multiplying the existing ones with monomials of small degree. If the degree of the resulting equation is not gr...

#### Introduction to the Theory of Error-Correcting Codes
- Pless
- 1982
- 91 citations

Citation context: ...is known that the corresponding vector (a0, a1, . . . , an−1) was generated by an LFSR of length lA. Thus,⁴ (a0, a1, . . . , an−1) can be considered as a codeword in a linear code, with lA information bits and n − lA checking bits. The problem of reconstructing the contents of register A is eq... (Footnote 4: For an introduction to the theory of linear codes, see any textbook on coding theory, e.g. [41], [50].)

#### Decrypting a class of stream ciphers using ciphertext only
- Siegenthaler
- 1985
- 90 citations

Citation context: ...deliberately choosing the linear code in such a way that decoding is easy. A surprising consequence was that when the duality of coding theory and cryptanalysis was discovered by Siegenthaler in 1984 [48, 49], no generic algorithms for the decoding of arbitrary linear codes existed. Ever since, cryptographers have developed algorithms for the decoding problem, enabling increasingly powerful correlation att...

#### Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers
- Biryukov, Shamir
- 2000
- 88 citations

Citation context: ...requirements for the pre-computation phase are in the order of $N^2$. In practice, however, computation time is considerably cheaper than memory. This problem is solved by the time-memory-data tradeoff [3], which allows for a more sophisticated choice of the attack parameters. Using this technique, the parameters T (realtime computation time), P (pre-processing computation time), D (number of known key...

#### Fast correlation attacks on certain stream ciphers
- Meier, Staffelbach
- 1989
- 73 citations

Citation context: ...ut zi of the generator. The attack proposed by Siegenthaler basically requires a brute force search over all possible initial states of register A, yielding an effort of $2^{|A|}$ computational steps. In [33, 34], Meier and Staffelbach proposed to use techniques from coding theory [11] in order to speed up the reconstruction of register A. First observe that each bit of the vector a = (a0, a1, . . . , an−1) p...

#### Cipher Printing Telegraph Systems For Secret Wire and Radio Telegraphic Communications
- Vernam
- 1926
- 70 citations

Citation context: ...r all $k' \in K'$. On the other hand, deriving the set of key candidates from the set of message candidates is usually not feasible. 1.3 One-time pad and pseudorandom generators. One-time pad (OTP): In [51], G. Vernam introduced a simple encryption algorithm. Let $m, c, k \in \{0, 1\}^n$, then the encryption function is E(k, m) = k ⊕ m and the corresponding decryption function is D(k, c) = k ⊕ c. Here, ⊕ den...

#### A universal statistical test for random bit generators
- Maurer
- 1991
- 64 citations

Citation context: ...is $N\left(\frac{s-d}{2}, \frac{s-d}{4}\right)$ normally distributed, implying that $X = \frac{2 D_d - (s-d)}{\sqrt{s-d}}$ follows a standard normal distribution. Other tests have been proposed by Golomb [24], Beker and Piper [1], Knuth [30], Maurer [32], and many others. It is important to remember that all of these tests are necessary, but by no means sufficient criteria for good keystream sequences. 2.3 Period and linear complexity. Remember that a...

#### Cryptanalysis of Alleged A5 Stream Cipher
- Golić
- 1997
- 61 citations

Citation context: ...uce the effort for reconstruction of A and B to $\left(\frac{3}{4} \cdot 2\right)^{l_A + l_B} = 2^{0.58 (l_A + l_B)}$ steps. Such backtracking improvements are also applicable for the linear consistency test, with examples being given in [17, 59, 58]. 3.3 Algebraic attacks. Preliminaries: While the linear consistency test uses linear equations to reconstruct the seed of a pseudorandom generator, algebraic attacks use nonlinear equations. A nonline...

#### A Spectral Characterization of Correlation-Immune Combining Functions
- Guo-Zhen, Massey
- 1988
- 61 citations

Citation context: ...k variables exist such that Pr(L(x) = g(x)) ≠ 1/2. The following tradeoffs, however, make it difficult to strengthen the generator in this way: – It was shown by Siegenthaler, Xiao and Massey in [48, 54] that an increase in correlation immunity leads to a decrease in linear complexity, and vice versa. Thus, a highly correlation immune combination generator can be attacked using the Berlekamp-Massey a...

#### Shift Register Sequences
- Golomb
- 1982 (Aegean Park Press)
- 60 citations

Citation context: ...use of such an LFSR as pseudorandom generator, creating the output sequence via $z_i = g(S_i) = s_i^k$ for a fixed k, 0 ≤ k ≤ l − 1. It can be shown that the resulting sequence satisfies Golomb's criteria [24], which are defined as follows: – The output sequence has the same period as the inner states, i.e. $2^l - 1$.¹ – Fix an arbitrary integer r, 1 ≤ r... (Footnote 1: For a proof and further details on LFSR, cf. [24].)

#### Improved fast correlation attacks using parity-check equations of weight 4 and 5
- Canteaut, Trabbia
- 2000
- 58 citations

Citation context: ...red in subsequent years. Johansson and Jönsson use convolutional codes [26, 28], Turbo Codes [25] or algorithms from learning theory [27] in order to reconstruct the inner state. Canteaut and Trabbia [4] gave an algorithm to construct linear relations of low weight for arbitrary feedback vectors. Chepyzhov, Johansson and Smeets [5] approximate the LFSR output by a linear code of smaller dimension, bu...

#### Cipher Systems: The Protection of Communications
- Beker, Piper
- 1992
- 49 citations

Citation context: ...ings, $D_d$ is $N\left(\frac{s-d}{2}, \frac{s-d}{4}\right)$ normally distributed, implying that $X = \frac{2 D_d - (s-d)}{\sqrt{s-d}}$ follows a standard normal distribution. Other tests have been proposed by Golomb [24], Beker and Piper [1], Knuth [30], Maurer [32], and many others. It is important to remember that all of these tests are necessary, but by no means sufficient criteria for good keystream sequences. 2.3 Period and linear c...

#### Improved fast correlation attack on stream ciphers via convolutional codes
- Johansson, Jönsson
- 1999
- 37 citations

Citation context: ...under consideration have low weight. This limitation was done away with by a set of completely different algorithms to be discovered in subsequent years. Johansson and Jönsson use convolutional codes [26, 28], Turbo Codes [25] or algorithms from learning theory [27] in order to reconstruct the inner state. Canteaut and Trabbia [4] gave an algorithm to construct linear relations of low weight for arbitrary...

#### A simple algorithm for fast correlation attacks on stream ciphers
- Chepyzhov, Johansson, et al.
- 2000
- 36 citations

Citation context: ...ry [27] in order to reconstruct the inner state. Canteaut and Trabbia [4] gave an algorithm to construct linear relations of low weight for arbitrary feedback vectors. Chepyzhov, Johansson and Smeets [5] approximate the LFSR output by a linear code of smaller dimension, but with higher error probability. A similar approach is chosen by Filiol [10], who proposes a d-decimating attack, considering only...

#### On a fast correlation attack on certain stream ciphers
- Chepyzhov, Smeets
- 28 citations

Citation context: ...and 3 can be increased if more care is spent on this preprocessing step. Proposals on how to find more or better linear relations were given, e.g., by Mihaljević and Golić [39], Chepyzhov and Smeets [6], and Penzhorn [40]. – In addition, the iterative decoding procedure in steps 2 and 3 was improved by several proposals, such as the algorithms given by Zeng, Huang, Yang and Rao [55, 57], Mihaljević a...

#### Fast correlation attacks on stream ciphers
- Meier, Staffelbach
- 1988
- 27 citations

Citation context: ...ut zi of the generator. The attack proposed by Siegenthaler basically requires a brute force search over all possible initial states of register A, yielding an effort of $2^{|A|}$ computational steps. In [33, 34], Meier and Staffelbach proposed to use techniques from coding theory [11] in order to speed up the reconstruction of register A. First observe that each bit of the vector a = (a0, a1, . . . , an−1) p...

#### Fast correlation attacks: an algorithmic point of view
- Chose, Joux, et al.
- 2002
- 26 citations

Citation context: ...erators, however, the most efficient algorithm to date is a combination of several of the above concepts, as proposed by Mihaljević, Fossorier and Imai [37, 38] and improved by Chose, Joux and Mitton [7]. 4.3 Correlation attacks and memory. Correlation immunity: The efficiency of correlation attacks makes it necessary to harden combination generators against such attacks. The most obvious solution is ...

#### Fast correlation attacks through reconstruction of linear polynomials
- Johansson, Jönsson
- 2000
- 26 citations

Citation context: ...away with by a set of completely different algorithms to be discovered in subsequent years. Johansson and Jönsson use convolutional codes [26, 28], Turbo Codes [25] or algorithms from learning theory [27] in order to reconstruct the inner state. Canteaut and Trabbia [4] gave an algorithm to construct linear relations of low weight for arbitrary feedback vectors. Chepyzhov, Johansson and Smeets [5] app...

#### New Approaches to Stream Ciphers
- Rueppel
- 1984
- 24 citations

Citation context: ...an LFSR-type matrix M. In this case, the only possibility to introduce nonlinearity into the keystream is the use of a nonlinear output function g. Such a generator is denoted as filtering generator [44]. Nonlinear combination: A similar approach is the use of two or more m-LFSR with pairwise differing lengths and feedback vectors. In this design, the output function g uses part of the inner states o...

#### On the linear consistency test (LCT) in cryptanalysis with applications
- Zeng, Yang, et al.
- 1989
- 22 citations

Citation context: ...ffort of $2^{l - 2 l_A / 3}$ guesses. If lA = lC = l/2, this yields a computational effort of $2^{2l/3}$ generator runs. Linear consistency test: The linear consistency test (LCT) was proposed by Zeng, Yang and Rao [56]. It can be considered as a combination of the above guessing attacks, making use of the linearity of the inner bitstreams. To carry out the test, the attacker guesses $l' < l$ bits of the inner state i...

#### A generalized correlation attack on a class of stream ciphers based on the Levenshtein distance
- Golić, Mihaljević
- 1991
- 20 citations

Citation context: ...x1, . . . , xn) and (z1, . . . , zn) becomes meaningless, and correlation attacks in the above sense are no longer applicable. However, other measures of correlation can be used. Golić and Mihaljević [19, 20] proposed to replace the Hamming distance by the so-called Levenshtein distance. This distance measures the minimum number of elementary operations (insertion, deletion, and substitution) required to...

#### Fast correlation attacks based on turbo code techniques
- Johansson, Jönsson
- 1999
- 20 citations

Citation context: ...ve low weight. This limitation was done away with by a set of completely different algorithms to be discovered in subsequent years. Johansson and Jönsson use convolutional codes [26, 28], Turbo Codes [25] or algorithms from learning theory [27] in order to reconstruct the inner state. Canteaut and Trabbia [4] gave an algorithm to construct linear relations of low weight for arbitrary feedback vectors....

#### Clock-Controlled Shift Registers: A Review
- Gollmann, Chambers
- 1989
- 18 citations

Citation context: ...(Fig. 5: Geffe Generator) {1, 2}-clocked generator: This generator is a special case of the basic clock-controlled shift register arrangement proposed by Gollmann and Chambers in [23]. It consists of two m-LFSR A and C, where C is called the control register of the arrangement. If ci = 0, register A is clocked by one step; otherwise, A is clocked by two steps. Thus, the gen...

#### A Low-complexity and high-performance algorithm for fast correlation attack
- Mihaljević, Fossorier, et al.
- 1978
- 18 citations

Citation context: ...e of varying efficiency. For the majority of generators, however, the most efficient algorithm to date is a combination of several of the above concepts, as proposed by Mihaljević, Fossorier and Imai [37, 38] and improved by Chose, Joux and Mitton [7]. 4.3 Correlation attacks and memory. Correlation immunity: The efficiency of correlation attacks makes it necessary to harden combination generators against...

#### How to Protect Data With Ciphers That are Really Hard to Break
- Geffe
- 1973
- 16 citations

Citation context: ...ions, LFSR are denoted by capital letters. The length of LFSR X is denoted as lX, and the output sequence generated by X is x = (x0, x1, . . .). Geffe generator: The Geffe generator was introduced in [13]. It is a nonlinear combination generator, as discussed in subsection 1.5. It consists of three m-LFSR A, B and C, producing m-sequences a, b and c. Keystream bit zi is generated using the Boolean fun...

#### Correlation Properties of Combiners with Memory in Stream Cipher
- Meier, Staffelbach
- 1992
- 16 citations

Citation context: ...t for a good choice of f2, such a function can achieve maximum correlation immunity while at the same time having maximum linear complexity. However, it was proven by Meier, Staffelbach and Golić in [36, 14, 16], that for such a generator, too, a tradeoff similar to (4) can be found. This time, however, several consecutive input bits from each register have to be considered, increasing the number of variable...

#### Improved Cryptanalysis of the Self-Shrinking Generator
- Zenner, Krause, et al.
- 2001
- 14 citations

Citation context: ...uce the effort for reconstruction of A and B to $\left(\frac{3}{4} \cdot 2\right)^{l_A + l_B} = 2^{0.58 (l_A + l_B)}$ steps. Such backtracking improvements are also applicable for the linear consistency test, with examples being given in [17, 59, 58]. 3.3 Algebraic attacks. Preliminaries: While the linear consistency test uses linear equations to reconstruct the seed of a pseudorandom generator, algebraic attacks use nonlinear equations. A nonline...

#### A fast iterative algorithm for a shift register initial state reconstruction given the noisy output sequence
- Mihaljević, Golić
- 1990
- 13 citations

Citation context: ...The efficiency of steps 2 and 3 can be increased if more care is spent on this preprocessing step. Proposals on how to find more or better linear relations were given, e.g., by Mihaljević and Golić [39], Chepyzhov and Smeets [6], and Penzhorn [40]. – In addition, the iterative decoding procedure in steps 2 and 3 was improved by several proposals, such as the algorithms given by Zeng, Huang, Yang and...

#### Towards Fast Correlation Attacks on Irregularly Clocked Shift Registers
- Golić
- 1995
- 12 citations

Citation context: ...CLD in the order of $O(n^2)$ computational steps. A number of modifications of this attack have been proposed against specific generators [52, 22, 21, 18], but the general method remains the same. In [15], Golić proposes an algorithm similar to the fast correlation attack by Meier and Staffelbach. However, step 1 of the algorithm (finding suitable linear relations) proved to be difficult, except for v...

#### Correlation via linear sequential circuit approximation of combiners with memory
- Golić
- 1992
- 11 citations

Citation context: ...t for a good choice of f2, such a function can achieve maximum correlation immunity while at the same time having maximum linear complexity. However, it was proven by Meier, Staffelbach and Golić in [36, 14, 16], that for such a generator, too, a tradeoff similar to (4) can be found. This time, however, several consecutive input bits from each register have to be considered, increasing the number of variable...

#### Correlation properties of a general binary combiner with memory
- Golić
- 1996
- 11 citations

Citation context: ...t for a good choice of f2, such a function can achieve maximum correlation immunity while at the same time having maximum linear complexity. However, it was proven by Meier, Staffelbach and Golić in [36, 14, 16], that for such a generator, too, a tradeoff similar to (4) can be found. This time, however, several consecutive input bits from each register have to be considered, increasing the number of variable...

#### Correlation Immunity and the Summation Generator
- Rueppel
- 1986
- 11 citations

Citation context: ...algorithm, a correlation attack is always possible. Improved correlation immunity from nonlinear memory: In order to destroy the dependency between correlation immunity and linear complexity, Rueppel [43] introduced the generator with (nonlinear) memory. As described in section 1.5, the memory of such a generator consists of two parts: While the majority is made up of LFSRs, some bits are updated by a...

#### On the linear syndrome method in cryptanalysis
- Zeng, Huang
- 1990
- 10 citations

Citation context: ...epyzhov and Smeets [6], and Penzhorn [40]. – In addition, the iterative decoding procedure in steps 2 and 3 was improved by several proposals, such as the algorithms given by Zeng, Huang, Yang and Rao [55, 57], Mihaljević and Golić [39], Chepyzhov and Smeets [6] or Živković [53]. As opposed to the original algorithm, many of these proposals also contain a proof of their convergence. However, all of these...

#### Correlation Attacks on Stream Ciphers: Computing Low Weight Parity Checks based on Error Correcting
- Penzhorn
- 1996
- 8 citations

Citation context: ...eased if more care is spent on this preprocessing step. Proposals on how to find more or better linear relations were given, e.g., by Mihaljević and Golić [39], Chepyzhov and Smeets [6], and Penzhorn [40]. – In addition, the iterative decoding procedure in steps 2 and 3 was improved by several proposals, such as the algorithms given by Zeng, Huang, Yang and Rao [55, 57], Mihaljević and Golić [39], Chep...

#### An improved linear syndrome algorithm in cryptanalysis with applications
- Zeng, Yang, et al.
- 1991
- 8 citations

Citation context: ...epyzhov and Smeets [6], and Penzhorn [40]. – In addition, the iterative decoding procedure in steps 2 and 3 was improved by several proposals, such as the algorithms given by Zeng, Huang, Yang and Rao [55, 57], Mihaljević and Golić [39], Chepyzhov and Smeets [6] or Živković [53]. As opposed to the original algorithm, many of these proposals also contain a proof of their convergence. However, all of these...

#### A Generalised Correlation Attack with a Probabilistic Constrained Edit Distance
- Golić, Petrović
- 1992
- 7 citations

Citation context: ...iven a target sequence of length n, the algorithm computes the CLD in the order of $O(n^2)$ computational steps. A number of modifications of this attack have been proposed against specific generators [52, 22, 21, 18], but the general method remains the same. In [15], Golić proposes an algorithm similar to the fast correlation attack by Meier and Staffelbach. However, step 1 of the algorithm (finding suitable line...

#### Fast correlation attack algorithm with list decoding and an application
- Mihaljević, Fossorier, et al.
- 2002
- 7 citations

Citation context: ...e of varying efficiency. For the majority of generators, however, the most efficient algorithm to date is a combination of several of the above concepts, as proposed by Mihaljević, Fossorier and Imai [37, 38] and improved by Chose, Joux and Mitton [7]. 4.3 Correlation attacks and memory. Correlation immunity: The efficiency of correlation attacks makes it necessary to harden combination generators against...
Citation Context ...e of varying efficiency. For the majority of generators, however, the most efficient algorithm to date is a combination of several of the above concepts, as proposed by Mihaljević, Fossorier and Imai =-=[37, 38]-=- and improved by Chose, Joux and Mitton [7]. 4.3 Correlation attacks and memory Correlation immunity: The efficiency of correlation attacks makes it necessary to harden combination generators against ... |