
    Another look at weak feedback polynomials in the nonlinear combiner, pp. 1115-1119.

    Feedback polynomials with low degree multiples of low weight should be avoided in linear feedback shift registers when used in nonlinear combiners. We consider another class of weak feedback polynomials, namely the class where the taps are located in small groups. This class was introduced in 2004, demonstrating that the resulting distinguishing attack can sometimes be better than the one using low weight multiples. In this paper we take another look at these polynomials and give further insight into the theory behind the attack complexity. Using the Walsh transform we show an easy way to determine the attack complexity for a given polynomial. Further, we show that the size of the vectors should sometimes be larger than previously known. We also give a simple relation showing when the new attack will outperform the simple attack based on low weight multiples.

    Some Results on Distinguishing Attacks on Stream Ciphers

    Stream ciphers are cryptographic primitives that are used to ensure the privacy of a message that is sent over a digital communication channel. In this thesis we present new cryptanalytic results for several stream ciphers. The thesis provides a general introduction to cryptology, explains the basic concepts, gives an overview of various cryptographic primitives and discusses a number of different attack models. The first new attack given is a linear correlation attack in the form of a distinguishing attack. In this attack a specific class of weak feedback polynomials for LFSRs is identified. If the feedback polynomial is of a particular form the attack will be efficient. Two new distinguishing attacks are given on classical stream cipher constructions, namely the filter generator and the irregularly clocked filter generator. It is also demonstrated how these attacks can be applied to modern constructions. A key recovery attack is described for LILI-128 and a distinguishing attack for LILI-II is given. The European network of excellence project eSTREAM is an effort to find new efficient and secure stream ciphers. We analyze a number of the eSTREAM candidates. Firstly, distinguishing attacks are described for the candidate Dragon and a family of candidates called Pomaranch. Secondly, we describe resynchronization attacks on eSTREAM candidates. A general square root resynchronization attack which can be used to recover parts of a message is given. The attack is demonstrated on the candidates LEX and Pomaranch. A chosen IV distinguishing attack is then presented which can be used to evaluate the initialization procedure of stream ciphers. The technique is demonstrated on four candidates: Grain, Trivium, Decim and LEX.

    On the Design and Analysis of Stream Ciphers

    This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together, an adversary can take advantage of this by considering the samples in a vector form. Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen. Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80. The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware.

    Cryptanalysis of a New Stream Cipher Structure


    Using Coding Techniques to Analyze Weak Feedback Polynomials

    We consider a class of weak feedback polynomials for LFSRs in the nonlinear combiner. When the feedback taps are located in small groups, a distinguishing attack can sometimes be improved considerably compared to the common attack that uses low weight multiples. This class of weak polynomials was introduced in 2004, and the main property of the attack is that the noise variables are represented as vectors. We analyze the complexity of the attack using coding theory. We show that the groups of polynomials can be seen as generator polynomials of a convolutional code. The problem of finding the attack complexity is then equivalent to finding the minimum row distance of the corresponding generator matrix. A modified version of BEAST is used to search all encoders of memory up to 13. Moreover, we give a tight upper bound on the required size of the vectors in the attack.

    A note on the self-shrinking generator

    We show that certain weak feedback polynomials allow very efficient distinguishing attacks on the self-shrinking generator. This gives a new improved attack if the generator uses a secret feedback polynomial.

    Improved Distinguishers on Stream Ciphers with Certain Weak Feedback Polynomials

    It is well known that fast correlation attacks can be very efficient if the feedback polynomial is of low weight. Such feedback polynomials can be considered weak in the context of stream ciphers. This paper generalizes the class of weak feedback polynomials to polynomials whose taps are located in several groups, possibly far apart. Low weight feedback polynomials are thus a special case of this class. For the general class it is shown that attacks can sometimes be very efficient even though the polynomials are of large weight. The main idea is to consider vectors of noise variables. It is shown how the complexity of a distinguishing attack can be efficiently computed and that the complexity is closely related to the minimum row distance of a generator matrix for a convolutional code. Moreover, theoretical results on the size of the vectors are given.

    Correlation attacks using a new class of weak feedback polynomials

    In 1985 Siegenthaler introduced the concept of correlation attacks on LFSR based stream ciphers. A few years later Meier and Staffelbach demonstrated a special technique, usually referred to as fast correlation attacks, that is very effective if the feedback polynomial has a special form, namely, if its weight is very low. Due to this seminal result, it is a well known fact that one avoids low weight feedback polynomials in the design of LFSR based stream ciphers. This paper identifies a new class of such weak feedback polynomials, polynomials of the form $f(x) = g_1(x) + g_2(x)\,x^{M_1} + \cdots + g_t(x)\,x^{M_{t-1}}$, where $g_1, g_2, \ldots, g_t$ are all polynomials of low degree. For such feedback polynomials, we identify an efficient correlation attack in the form of a distinguishing attack.
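
    The three abstracts above (the convolutional-code view, the vector distinguisher, and the grouped form of f(x)) describe the same quantity from different angles. The following is an added illustration, not code from any of the listed papers: it reads the groups g_1, ..., g_t as generator polynomials of a rate-1/t convolutional code and takes the minimum row distance, for vector length L, to be the smallest sum over j of wt(h(x) g_j(x)) over non-zero h(x) of degree below L (that reading of "row distance", the toy polynomial with two groups of four adjacent taps spaced by x^20, the binary symmetric channel noise model with crossover probability p, and all function names are assumptions of this example). It then checks on a constructed keystream that the parity check built from h(x) f(x) has the bias eps^wt(h f) predicted by the piling-up lemma, which is what the distinguisher exploits.

```python
"""Grouped-tap feedback polynomials: row distance and parity-check bias (added example)."""
import random


def gf2_mul(a, b):
    """Carry-less product of two GF(2)[x] polynomials (bit i = coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def weight(p):
    """Hamming weight: number of non-zero coefficients."""
    return bin(p).count("1")


def assemble(groups, offsets):
    """f(x) = g_1(x) + g_2(x) x^{M_1} + ... ; offsets = (0, M_1, ..., M_{t-1})."""
    f = 0
    for g, m in zip(groups, offsets):
        f ^= g << m
    return f


def min_row_distance(groups, L):
    """(d, h): smallest sum_j wt(h g_j) over non-zero h with deg(h) < L (assumed definition).

    Groups are read as generators of a rate-1/t convolutional code; L is the vector length.
    """
    best = None
    for h in range(1, 1 << L):
        d = sum(weight(gf2_mul(h, g)) for g in groups)
        if best is None or d < best[0]:
            best = (d, h)
    return best


def lfsr_sequence(f, state, n):
    """n output bits of the LFSR with feedback polynomial f, from deg(f) initial bits."""
    deg = f.bit_length() - 1
    taps = [i for i in range(deg) if (f >> i) & 1]
    s = list(state)
    for t in range(n - deg):
        bit = 0
        for i in taps:
            bit ^= s[t + i]
        s.append(bit)
    return s


def parity_samples(z, m):
    """sum_i m_i z_{t+i} for all t; identically zero on an LFSR sequence whose f divides m."""
    taps = [i for i in range(m.bit_length()) if (m >> i) & 1]
    return [sum(z[t + i] for i in taps) & 1 for t in range(len(z) - taps[-1])]


def bias(samples):
    """Empirical bias Pr[sample = 0] - Pr[sample = 1]."""
    return (len(samples) - 2 * sum(samples)) / len(samples)


def simulate(n=100_000, p=0.25, seed=1):
    """Compare the parity check built from f with the one built from h*f on a toy instance.

    Constructed instance: groups 1+x+x^2+x^3 and the same group shifted by x^20,
    so f has weight 8; keystream = LFSR output through a BSC with crossover p.
    """
    groups = [0b1111, 0b1111]
    f = assemble(groups, [0, 20])
    d, h = min_row_distance(groups, L=2)  # h = 1+x gives (1+x^4)(1+x^20), weight 4
    hf = gf2_mul(h, f)
    rng = random.Random(seed)
    state = [rng.randrange(2) for _ in range(f.bit_length() - 1)]
    state[0] = 1  # keep the register out of the all-zero state
    s = lfsr_sequence(f, state, n)
    z = [b ^ (1 if rng.random() < p else 0) for b in s]  # constructed noisy keystream
    eps = 1 - 2 * p
    return {
        "weight_f": weight(f),
        "row_distance": d,
        "weight_hf": weight(hf),
        "clean_f_zero": not any(parity_samples(s, f)),
        "clean_hf_zero": not any(parity_samples(s, hf)),
        "bias_f": bias(parity_samples(z, f)),
        "bias_hf": bias(parity_samples(z, hf)),
        "expected_f": eps ** weight(f),
        "expected_hf": eps ** weight(hf),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:14} {v}")
```

    In this toy instance the best h of degree below L = 2 is 1+x, which turns each group of four adjacent taps into the weight-2 polynomial 1+x^4, so the row distance (4) is half the weight of f (8) and the corresponding parity check has bias eps^4 instead of eps^8. The abstracts go further than this single check: the vector distinguisher uses all h of degree below L at once, which is why its complexity is governed by the row distance rather than by one chosen multiple.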

    On LFSR based Stream Ciphers - analysis and design

    Stream ciphers are cryptographic primitives used to ensure privacy in digital communication. In this thesis we focus on stream ciphers built using Linear Feedback Shift Registers (LFSRs). Several different stream ciphers are analysed and new attacks are presented. In addition, two new stream ciphers are presented, both based on the same design. The first attack is performed on SOBER-t16 and SOBER-t32. A new distinguishing attack is presented for simplified versions of the two ciphers, as well as for the complete version of SOBER-t16. Next, the cipher A5/1, used in the GSM standard for mobile telephones, is analysed. The resulting attack is an initial state recovery attack which recovers the secret key using approximately 5 minutes of known keystream. The attack takes roughly 5 minutes to perform on today's standard PC. Bluetooth is a well-known standard for wireless communication, and the cipher responsible for the secrecy within that standard is called E0. An initial state recovery algorithm on E0 is presented, based on recently discovered correlations within the cipher. These new correlations are stronger than previously known. This attack, however, is only applicable to E0 from a theoretical perspective, since the required length of the observed keystream is longer than allowed in the Bluetooth standard. Following this, two distinguishing attacks are presented targeting clock controlled generators: the shrinking generator and the self-shrinking generator. The attack on the shrinking generator is based on a new observation that the majority bits of a block surrounding the tap positions in the LFSR output also fulfil the linear recurrence equation. The attack on the self-shrinking generator identifies two new classes of weak feedback polynomials. For the first class, both a distinguishing attack and an initial state recovery attack are presented. This distinguishing attack is remarkable in the sense that the required length of the observed keystream only grows linearly in the length of the shift register. For the second class of weak feedback polynomials a distinguishing attack is given. The final part of this thesis concerns the design of stream ciphers. Two new designs are presented, SNOW 1.0 and SNOW 2.0, the latter being an improvement on the former. These ciphers are designed to be very fast, especially in a software implementation.