Parity-Check Relations on Combination Generators

International audienceA divide-and-conquer cryptanalysis can often bemounted against some keystream generators composed of several(possibly nonlinear) independent devices combined by a Booleanfunction. In particular, any parity-check relation derived fromthe periods of some constituent sequences usually leads to adistinguishing attack whose complexity is determined by the biasof the relation. However, estimating this bias is a difficult problemsince the piling-up lemma cannot be used. Here, we give two exactexpressions for this bias. Most notably, these expressions lead to anew algorithm for computing the bias of a parity-check relation,and they also provide some simple formulas for this bias in someparticular cases which are commonly used in cryptography,namely resilient functions and plateaued functions. We also showhow to build parity-check relations with the highest possible biasin some particularly relevant cases