Linear Models for Keystream Generators

It is shown that an arbitrary binary keystream generator with M bits of memory can be linearly modeled as a non-autonomous linear feedback shift register of length at most M with an additive input sequence of nonbalanced identically distributed binary random variables. The sum of the squares of the input correlation coefficients over all the linear models of any given length proves to depend on the keystream generator. The minimum and maximum values of this correlation sum, along with the necessary and sufficient conditions for them to be achieved, are established. An effective method for determining the linear model, based on the linear sequential circuit approximation of autonomous finite-state machines, is developed. Linear models for clock-controlled shift registers and arbitrary shift-register-based keystream generators are derived. Several examples, including the basic summation generator, the clock-controlled cascade, and the shrinking generator, are presented. Linear models are the basis for a general structure-dependent and initial-state-independent statistical test. They may also be used for divide-and-conquer correlation attacks on the initial state. Security against the corresponding statistical attack appears hard to control in practice and generally hard to achieve with simple keystream generator schemes.
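As an added illustration that is not from the paper: a toy keystream generator built directly in the form of the linear model described above (a non-autonomous LFSR driven by a nonbalanced additive input), together with the structure-dependent, initial-state-independent statistical test such a model supports. The register length, feedback taps, input bias and seeds are constructed for this example.

```python
"""Constructed example: a keystream generator that is exactly a
non-autonomous LFSR with a biased additive input, and the parity-check
statistic that estimates the input correlation coefficient from the
keystream alone, whatever the initial state was."""
import random

# Constructed linear model: 16-bit register, feedback x^16+x^14+x^13+x^11+1
# (the tuple lists the delays i for which s_t depends on s_{t-i}), plus a
# second, deliberately wrong tap set of the same length for comparison.
LENGTH = 16
TAPS = (16, 14, 13, 11)
WRONG_TAPS = (16, 15, 13, 4)


def nonautonomous_lfsr(taps, length, n, p_one, seed):
    """Produce n keystream bits s_t = XOR_{i in taps} s_{t-i} XOR e_t, where
    e_t is an i.i.d. input bit with Pr[e_t = 1] = p_one (nonbalanced when
    p_one != 1/2). The initial register content is drawn from the seed."""
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(length)]      # initial state
    for t in range(length, n):
        e_t = 1 if rng.random() < p_one else 0
        s.append((sum(s[t - i] for i in taps) % 2) ^ e_t)
    return s


def residual_correlation(s, taps, length):
    """Apply the model's parity check r_t = s_t XOR XOR_{i in taps} s_{t-i}
    to the keystream and return c = 1 - 2*Pr[r_t = 1]. For the correct taps
    r_t equals e_t, so c estimates the input correlation 1 - 2*p_one; for a
    wrong tap set r_t mixes in balanced keystream bits and c is near 0."""
    residuals = [(s[t] + sum(s[t - i] for i in taps)) % 2
                 for t in range(length, len(s))]
    return 1.0 - 2.0 * sum(residuals) / len(residuals)


def demo(n=20000, p_one=0.25):
    """Return (c for seed 1, c for seed 2, c with wrong taps on seed 1).
    The first two agree with 1 - 2*p_one = 0.5 regardless of the initial
    state; the third is close to 0, so the statistic depends only on the
    structure (the taps), which is what makes the test usable as a check."""
    s1 = nonautonomous_lfsr(TAPS, LENGTH, n, p_one, seed=1)
    s2 = nonautonomous_lfsr(TAPS, LENGTH, n, p_one, seed=2)
    return (residual_correlation(s1, TAPS, LENGTH),
            residual_correlation(s2, TAPS, LENGTH),
            residual_correlation(s1, WRONG_TAPS, LENGTH))


if __name__ == "__main__":
    print("correct model, two initial states, and wrong model:", demo())
```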
