Linear Models for Keystream Generators
January 1996 (vol. 45 no. 1)
pp. 41-49

Abstract—It is shown that an arbitrary binary keystream generator with M bits of memory can be linearly modeled as a non-autonomous linear feedback shift register of length at most M with an additive input sequence of nonbalanced identically distributed binary random variables. The sum of the squares of the input correlation coefficients over all linear models of any given length is shown to depend on the keystream generator. The minimum and maximum values of this correlation sum, along with the necessary and sufficient conditions for them to be achieved, are established. An effective method for determining the linear model, based on the linear sequential circuit approximation of autonomous finite-state machines, is developed. Linear models for clock-controlled shift registers and for arbitrary shift-register-based keystream generators are derived. Several examples, including the basic summation generator, the clock-controlled cascade, and the shrinking generator, are presented. Linear models are the basis for a general statistical test that depends on the generator structure but not on its initial state. They may also be used for divide-and-conquer correlation attacks on the initial state. Security against the corresponding statistical attack appears hard to control in practice and generally hard to achieve with simple keystream generator schemes.
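The linear model described in the abstract is concrete enough to run. The following Python example is added here and is not code from the paper: it builds two toy generators, a stop-and-go clock-controlled register pair and a two-input summation generator, writes down a linear model of the kind the abstract describes for each, and runs the structure-dependent parity-check test on the keystream. The feedback polynomials (x^7+x+1, x^11+x^2+1, x^3+x+1, x^4+x^3+1), the register seeds, the keystream lengths and all function names are this example's own choices. For the stop-and-go generator the model is the length-1 register 1+D with P(e_t = 0) near 3/4, far below M. For the summation generator the example checks bit for bit that (1+D)f1(D)f2(D) applied to the keystream equals f1(D)f2(D) applied to the carry-difference sequence, i.e. the keystream is an LFSR of length L1+L2+1 = M driven by an additive input, and it tabulates the correlation coefficients of the carry function with every linear function of its inputs, which is the starting point of a linear sequential circuit approximation.

```python
"""Linear models of keystream generators: added example, not code from the paper."""
from math import sqrt

# Feedback polynomials as exponent lists; the constant term 0 is always present.
# x^7+x+1 and x^11+x^2+1 are primitive (illustrative choices for this example).
F_CTRL, F_DATA = [0, 1, 7], [0, 2, 11]   # stop-and-go: control, data register
F1, F2 = [0, 1, 3], [0, 3, 4]            # summation generator inputs


def lfsr(poly, seed, n):
    """Fibonacci LFSR: s_t = XOR_{i in poly, i>0} s_{t-i}, so the output
    satisfies XOR_{i in poly} s_{t-i} = 0 for every t >= deg(poly)."""
    taps = [i for i in poly if i]
    s = list(seed)
    assert len(s) == max(poly) and any(s), "seed must be deg(poly) nonzero bits"
    while len(s) < n:
        s.append(sum(s[len(s) - i] for i in taps) & 1)
    return s[:n]


def poly_mul(a, b):
    """Product of two GF(2) polynomials given as exponent lists."""
    out = set()
    for i in a:
        for j in b:
            out ^= {i + j}               # coefficients add mod 2
    return sorted(out)


def parity(seq, poly, t):
    """XOR_{i in poly} seq[t-i]: the linear model's parity check at time t."""
    return sum(seq[t - i] for i in poly) & 1


def parity_check_test(z, poly):
    """Fraction of positions where the check holds and its z-score against the
    1/2 of an unbiased source.  For the model poly(D) z = e the fraction
    estimates P(e_t = 0); the initial state never enters."""
    d = max(poly)
    n = len(z) - d
    frac = sum(parity(z, poly, t) == 0 for t in range(d, len(z))) / n
    return frac, (frac - 0.5) * 2 * sqrt(n)


def stop_and_go(ctrl, data):
    """Clock-controlled generator: the data register steps only when the
    control bit is 1, the output is the data register's current bit.  Since
    z_t = z_{t-1} whenever ctrl_t = 0, (1+D) z = e with P(e_t = 0) near 3/4."""
    z, s = [], 0
    for y in ctrl:
        s += y
        z.append(data[s])
    return z


def summation_generator(x, y):
    """z_t = x_t + y_t + c_{t-1} mod 2, carry c_t = maj(x_t, y_t, c_{t-1});
    memory M = L1 + L2 + 1.  Returns keystream and carry sequence."""
    z, carries, c = [], [], 0
    for a, b in zip(x, y):
        s = a + b + c
        z.append(s & 1)
        c = s >> 1
        carries.append(c)
    return z, carries


def majority(x, y, c):
    return (x + y + c) >> 1


def linear_approximations(f, nvars):
    """Correlation coefficient 2P(f(v) = mask.v) - 1 of a Boolean function with
    every linear function of its inputs (mask bit k selects input k)."""
    out = {}
    for mask in range(1 << nvars):
        agree = sum(f(*[(v >> k) & 1 for k in range(nvars)])
                    == bin(v & mask).count("1") & 1 for v in range(1 << nvars))
        out[mask] = 2 * agree / (1 << nvars) - 1
    return out


def summation_model_is_exact(x, y, g):
    """With g = f1*f2 annihilating x and y, (1+D) g(D) z must equal g(D) d,
    d_t = c_{t-1} xor c_{t-2}: the keystream is an LFSR with feedback
    polynomial (1+x) g(x) of length M driven by the additive input g(D) d."""
    z, c = summation_generator(x, y)
    h = poly_mul([0, 1], g)
    return all(parity(z, h, t) == sum(c[t-j-1] ^ c[t-j-2] for j in g) & 1
               for t in range(max(h) + 1, len(z)))


def run_demo(n=4000):
    ctrl = lfsr(F_CTRL, [1, 0, 0, 0, 0, 0, 0], n)
    data = lfsr(F_DATA, [1] * 11, n + 1)         # long enough for every clock
    x, y = lfsr(F1, [1, 0, 0], 500), lfsr(F2, [0, 0, 0, 1], 500)
    g = poly_mul(F1, F2)
    z_sum, _ = summation_generator(x, y)
    return {
        "product": g,
        "msequence_own_poly": parity_check_test(data, F_DATA)[0],  # exact: 1.0
        "msequence_1px": parity_check_test(data, [0, 1])[0],       # no model: ~0.5
        "stop_and_go_1px": parity_check_test(stop_and_go(ctrl, data), [0, 1]),
        "summation_model": parity_check_test(z_sum, poly_mul([0, 1], g)),
        "identity_holds": summation_model_is_exact(x, y, g),
        "carry_approx": linear_approximations(majority, 3),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Run as a script, the stop-and-go check with 1+D holds for about three quarters of the keystream, tens of standard deviations away from 1/2, while the same check on a bare m-sequence sits at 1/2 and the m-sequence's own polynomial holds everywhere. The carry function maj(x, y, c) agrees with x, with c, and with the complement of x+y+c with probability 3/4 (correlation magnitude 1/2) and is uncorrelated with every two-variable sum, which is the information a linear sequential circuit approximation propagates through the generator. For the summation generator the bit-exact identity holds for any seeds, but the model's input noise is g(D) applied to the carry differences, so the measured fraction for the weight-4 check on this tiny instance is expected to sit much closer to 1/2 than the stop-and-go one: the model length is the same M, the correlation is what differs, and that is the quantity the abstract's correlation sum bounds.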

Index Terms:
Clock-controlled shift registers, correlation coefficients, cryptography, keystream generators, linear models.
Citation:
Jovan Dj. Golic, "Linear Models for Keystream Generators," IEEE Transactions on Computers, vol. 45, no. 1, pp. 41-49, Jan. 1996, doi:10.1109/12.481485