
Algebraic attacks on clock controlled stream ciphers


Document information

Pages: 178
Size: 741.88 KB

Contents

Algebraic Attacks on Clock-Controlled Stream Ciphers

by Sultan Zayid Mohammed Al-Hinai
Bachelor of Science (Physics), Strathclyde University, Glasgow, Scotland, 2000
Master of Science (Information Security), Royal Holloway, University of London, 2002

Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Institute, Faculty of Information Technology, Queensland University of Technology
November 6, 2007

Keywords: Stream Ciphers, Linear Feedback Shift Registers, Non Linear Feedback Shift Registers, Regular Clocking, Irregular Clocking, Clock-Controlled, Algebraic Attacks, Fast Algebraic Attacks

Abstract

Stream ciphers are encryption algorithms used for ensuring the privacy of digital telecommunications. They have been widely used for encrypting military communications, satellite communications, pay TV encryption and for voice encryption of both fixed-line and wireless networks. The current multi-year European project eSTREAM, which aims to select stream ciphers suitable for widespread adoption, reflects the importance of this area of research.

Stream ciphers consist of a keystream generator and an output function. Keystream generators produce a sequence that appears to be random, which is combined with the plaintext message using the output function. Most commonly, the output function is binary addition modulo two. Cryptanalysis of these ciphers focuses largely on analysis of the keystream generators and of relationships between the generator and the keystream it produces. Linear feedback shift registers (LFSRs) are widely used components in building keystream generators, as the sequences they produce are well understood. Many types of attack have been proposed for breaking various LFSR-based stream ciphers. A recent attack type is known as an algebraic attack. Algebraic attacks transform the problem of recovering the key into the problem of solving a system of multivariate equations, whose solution eventually recovers the internal state bits or the key bits. This type of attack has been shown to be effective on a number of regularly clocked LFSR-based stream ciphers.

In this thesis, algebraic attacks are extended to a number of well known stream ciphers where at least one LFSR in the system is irregularly clocked. Applying algebraic attacks to these ciphers has previously been discussed in the open literature only for LILI-128. In this thesis, algebraic attacks are first applied to keystream generators using stop-and-go clocking. Four ciphers belonging to this group are investigated: the Beth-Piper stop-and-go generator, the alternating step generator, the Gollmann cascade generator and the eSTREAM candidate Pomaranch. It is shown that algebraic attacks are very effective on the first three of these ciphers. Although no effective algebraic attack was found for Pomaranch, the algebraic analysis led to some interesting findings, including weaknesses that may be exploited in future attacks.

Algebraic attacks are then applied to keystream generators using (p, q) clocking. Two well known examples of such ciphers, the step1/step2 generator and the self-decimated generator, are investigated. Algebraic attacks are shown to be very powerful in recovering the internal state of these generators.

A more complex clocking mechanism than either stop-and-go or (p, q) clocking is known as mutual clock control. In mutual clock control generators, the LFSRs control the clocking of each other. Four well known stream ciphers belonging to this group are investigated with respect to algebraic attacks: the bilateral stop-and-go generator, the A5/1 stream cipher, the Alpha stream cipher, and the more recent eSTREAM proposal, the MICKEY stream ciphers. Some theoretical results with regard to the complexity of algebraic attacks on these ciphers are presented. The algebraic analysis of these ciphers showed that, generally, it is hard to generate the system of equations required for an algebraic attack on these ciphers. As the algebraic attack could not be applied directly to these ciphers, a different approach was used, namely guessing some bits of the internal state in order to reduce the degree of the equations. Finally, an algebraic attack on Alpha that requires only 128 bits of keystream to recover the 128 internal state bits is presented.

An essential process associated with stream cipher proposals is key initialization. Many recently proposed stream ciphers use an algorithm to initialize the large internal state with a smaller key and possibly publicly known initialization vectors. The effect of key initialization on the performance of algebraic attacks is also investigated in this thesis. The relationship between the two has not been investigated before in the open literature. The investigation is conducted on Trivium and Grain-128, two eSTREAM ciphers. It is shown that the key initialization process has an effect on the success of algebraic attacks, unlike other conventional attacks. In particular, the key initialization process allows an attacker to first generate a small number of equations of low degree and then perform an algebraic attack using multiple keystreams. The effect of the number of iterations performed during key initialization is investigated. It is shown that both the number of iterations and the maximum number of initialization vectors to be used with one key should be carefully chosen. Some experimental results on Trivium and Grain-128 are then presented.

Finally, the security with respect to algebraic attacks of the well known LILI family of stream ciphers, including the unbroken LILI-II, is investigated. These are irregularly clock-controlled nonlinear filtered generators. While the structure is defined for the LILI family, a particular parameter choice defines a specific instance. Two well known such instances are LILI-128 and LILI-II. The security of these and other instances is investigated to identify which instances are vulnerable to algebraic attacks. The feasibility of recovering the key bits using algebraic attacks is then investigated for both LILI-128 and LILI-II. Algebraic attacks which recover the internal state with less effort than exhaustive key search are possible for LILI-128 but not for LILI-II. Given the internal state at some point in time, the feasibility of recovering the key bits is also investigated, showing that the parameters used in the key initialization process, if poorly chosen, can lead to a key recovery using algebraic attacks.

Table of Contents

Front Matter: Keywords; Abstract; Table of Contents; List of Figures; List of Tables; Notation; Declaration; Previously Published Material; Acknowledgements

1 Introduction
  1.1 Overview of Stream Ciphers
    1.1.1 Measuring the Security Provided by Stream Ciphers
    1.1.2 The One Time Pad
    1.1.3 Keystream Generators for Stream Ciphers
    1.1.4 Background on LFSR Based Stream Ciphers
    1.1.5 Clock-Controlled Generators
  1.2 Introduction to Cryptanalysis
  1.3 Algebraic Attacks
  1.4 Key Initialization
  1.5 Aims and Objectives of Thesis
  1.6 Contributions and Achievements
  1.7 Outline of the Thesis

2 Overview of Algebraic Attacks on LFSR based Stream Ciphers
  2.1 Framework for Algebraic Attacks
    2.1.1 Equation Generation
      Linearly Updated Internal States
      Nonlinearly Updated Internal States
    2.1.2 Reducing the Degree of the Equations
    2.1.3 Methods for Solving Nonlinear Equations
      Linearization
      Gröbner Bases
      Other Methods
  2.2 Fast Algebraic Attacks
    2.2.1 Precomputation Phase
    2.2.2 Realtime Phase
  2.3 Summary

3 Keystream Generators using Stop-and-Go Clocking
  3.1 Introduction
  3.2 Equation Generation for Stop-and-Go Generators
  3.3 Beth-Piper Stop-and-Go Generator
    3.3.1 Description of the Basic Beth-Piper Stop-and-Go Generator
    3.3.2 Algebraic Attack of the Basic Beth-Piper Stop-and-Go Generator
    3.3.3 The Strengthened Beth-Piper Stop-and-Go Generator
    3.3.4 Algebraic Attack on the Strengthened Beth-Piper Stop-and-Go Generator
      Reducing the Degree of the Equations
    3.3.5 Experimental Results
    3.3.6 Comparison with Previous Cryptanalysis
    3.3.7 Fast Algebraic Attack on Strengthened Beth-Piper Stop-and-Go Generator
  3.4 Alternating Step Generator
    3.4.1 Description
    3.4.2 Algebraic Attack on the Alternating Step Generator
    3.4.3 Experimental Results
    3.4.4 Comparison with Previous Cryptanalysis
    3.4.5 Modified Alternating Step Generator
    3.4.6 Alternative Algebraic Attacks on the Alternating Step Generator
  3.5 Cascade Generators
  3.6 Gollmann Cascade Generator
    3.6.1 Description
    3.6.2 Algebraic Attack on the Gollmann Cascade Generator
      Recovering the Initial State
    3.6.3 Experimental Results
    3.6.4 Comparison with Previous Cryptanalysis
    3.6.5 An Alternative Algebraic Attack
    3.6.6 Clock-Controlled Cascade Generator with Output Bits Taken from All Registers
  3.7 Pomaranch
    3.7.1 Pomaranch Description
    3.7.2 Algebraic Analysis of Pomaranch
      Overcoming the Problem of the Degree Accumulation
      Algebraic Analysis of the Filter Function
  3.8 Summary

4 Keystream Generators using (p, q) Clocking
  4.1 Introduction
  4.2 Step1/Step2 Generator
    4.2.1 Description
    4.2.2 Algebraic Attack on the Step1/Step2 Generator
    4.2.3 Experimental Results
    4.2.4 Comparison with Previous Cryptanalysis
    4.2.5 Alternative Algebraic Attack on the Step1/Step2 Generator
  4.3 Self-Decimated Generator
    4.3.1 Description
    4.3.2 Algebraic Attack on the Self-Decimated Generator
    4.3.3 Experimental Results
    4.3.4 Strengthening the (p, q) Self-Decimated Generator
  4.4 Summary

5 Keystream Generators using Mutual Clock Control
  5.1 Introduction
  5.2 Equation Generation for Mutually Clock-Controlled Keystream Generators
  5.3 The Bilateral Stop-and-Go Generator
    5.3.1 Description of the Bilateral Stop-and-Go Generator
    5.3.2 Algebraic Analysis of the Bilateral Stop-and-Go Generator
      Reducing the Overall Degree of the Equations
  5.4 A5/1
    5.4.1 Description of A5/1
    5.4.2 Algebraic Analysis of A5/1
      Reducing the Overall Degree of the Equations
  5.5 Alpha
    5.5.1 Description of Alpha
    5.5.2 Algebraic Attacks on Alpha
    5.5.3 Reducing the Overall Degree of the Equations
    5.5.4 Experimental Results
  5.6 MICKEY
    5.6.1 Description
    5.6.2 Algebraic Analysis of MICKEY-80 v1
    5.6.3 Algebraic Analysis of MICKEY-80 v2
    5.6.4 Algebraic Analysis of MICKEY-128 v2
  5.7 An Alternative Algebraic Attack on Mutually Clock-Controlled Stream Ciphers
  5.8 Summary

6 Initialization and Algebraic Attacks
  6.1 Introduction
  6.2 Algebraic Attacks using Multiple Keystreams
    6.2.1 Facilitating the Linearization Approach
    6.2.2 Degree Reduction
  6.3 Overview of Key Initialization Process of eSTREAM Ciphers
  6.4 Trivium
    6.4.1 Facilitating the Linearization Approach on Trivium
    6.4.2 Experimental Results
    6.4.3 Observation on Trivium Initialization
  6.5 Grain-128
    6.5.1 Facilitating the Linearization Approach
    6.5.2 Experimental Results
  6.6 Summary

7 Algebraic Analysis of the LILI Keystream Generators
  7.1 Introduction
  7.2 Description
    7.2.1 LILI-128 Keystream Generator
    7.2.2 LILI-II Keystream Generator
  7.3 Algebraic Analysis of the LILI Family of Stream Ciphers
    7.3.1 Attack: Guessing the Controlling Register
    7.3.2 Attack: Keystream Decimation
  7.4 Algebraic Analysis of the LILI-II Stream Cipher
    7.4.1 Algebraic Representation for the LILI Family of Stream Ciphers
    7.4.2 Algebraic Attacks on LILI-II
      Standard Algebraic Attacks of Section 7.3.1
      Standard Algebraic Attacks of Section 7.3.2
    7.4.3 Fast Algebraic Attacks on LILI-II
  7.5 Initialization and Algebraic Attacks
    7.5.1 Direct Recovery of Key Bits
    7.5.2 Recovering the Key Bits Given the Internal State Bits
  7.6 Investigating the Resistance of Other Instances of the LILI Family Ciphers to Algebraic Attacks
  7.7 Summary

8 Conclusion and Future Research
  8.1 Review of Contributions
    8.1.1 Chapter 3: Keystream Generators using Stop-and-Go Clocking
    8.1.2 Chapter 4: Keystream Generators using (p, q) Clocking
    8.1.3 Chapter 5: Keystream Generators using Mutual Clock Control
    8.1.4 Chapter 6: Initialization and Algebraic Attacks
    8.1.5 Chapter 7: Algebraic Analysis of the LILI Keystream Generators
  8.2 Future Directions

A Algebraic Relations in Pomaranch
B Algebraic Normal Form of LILI-II Boolean function
Bibliography
proposal: Grain-128 To appear at the IEEE International Symposium on Information Theory 2006, Seattle, USA, 2006 [124] M Hell, T Johansson, and W Meier ”Grain - a stream cipher for constrained environments” eSTREAM, ECRYPT Stream Cipher Project, Report 2005/010, 2005 http://www.ecrypt eu.org/stream [125] T Helleseth, C Jansen, S Khazaei, and A Kholosha Security of jump controlled sequence generators for stream ciphers In G Gong, Tor Helleseth, H-Y Song, and Kyeongcheol Yang, editors, SETA 2006, volume 4086 of Lecture Notes in Computer Science, pages 141–152 SpringerVerlag, 2006 [126] T Helleseth, C Jansen, and A Kholosha Pomaranch - design and analysis of a family of stream ciphers eSTREAM, ECRYPT Stream Cipher Project, Report 2006/008, 2006 [127] J Hong and Woo-Hwan Kim ”Tmd-Tradeoff and State Entropy Loss Considerations of Streamcipher MICKEY” eSTREAM, ECRYPT Stream Cipher Project, Report 2005/055, 2005 http://www.ecrypt.eu.org/stream [128] C Jansen, T Helleseth, and A Kholosha Cascade jump controlled sequence generator and pomaranch stream cipher (version 3) eSTREAM, ECRYPT Stream Cipher Project, Report 2006/06, 2006 BIBLIOGRAPHY 151 [129] C Jansen and A Kolosha Cascade jump controlled sequence generator (cjcsg) pomaranch eSTREAM, ECRYPT Stream Cipher Project, Report 2005/022, 2005 [130] T Johansson Reduced complexity correlation attacks on two clock-controlled generators In K Otha and D Pei, editors, Advances in Cryptology—ASIACRYPT 98, volume 1541 of Lecture Notes in Computer Science, pages 342–356 Springer-Verlag, 1998 [131] T Johansson and F J¨onsson Fast correlation attacks based on turbo code techniques In J Stern, editor, Advances in Cryptology— CRYPTO 1999, volume 1666 of Lecture Notes in Computer Science, pages 181–197 Springer-Verlag, 1999 [132] T Johansson and F Jonsson Improved fast correlation attacks on stream ciphers via convolutional codes In J Stern, editor, Advances in Cryptology— EUROCRYPT 1999, volume 1592 of Lecture Notes in Computer 
Science, pages 347–362 Springer-Verlag, 1999 [133] D Kahn, editor The CodeBreakers: The Story of Secret Writing Macmillan Publishing, New York, 1967 [134] A Kanso Clock-Controlled Generators PhD thesis, Royal Holloway University of London, Egham, London, 1999 [135] A Kerckhoffs La cryptographie militaire Journal des Sciences Militaires, pages 161–191, 1883 [136] E Key An analysis of the structure and complexity of nonlinear binary sequence generators IEEE Trans Information Theory, IT-22(6):732–736, 1976 [137] S Khazaei ”Cryptanalysis of Pomaranch (CJCSG)”) eSTREAM, ECRYPT Stream Cipher Project, Report 2005/065, 2005 http://www.ecrypt.eu.org/stream [138] A Kipnis and A Shamir Cryptanalysis of the hfe public key cryptosystem by relinearization In M Wiener, editor, Advances in Cryptology—CRYPTO 1999, volume 1666 of Lecture Notes in Computer Science, pages 19–30 Springer-Verlag, 1999 [139] K Komninos, B Honary, and M Darnell An efficient stream cipher for mobile and wireless devices In B Honary, editor, Cryptography and Coding - 8th IMA International Conference 2001, volume 2260 of Lecture Notes in Computer Science, pages 294–300 Springer-Verlag, 2001 [140] D H Lee, J Kim, J Hong, J W Han, and D Moon Algebraic attacks on summation generators In B Roy and W Meier, editors, Fast Software Encryption - FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 34–48 Springer-Verlag, 2004 [141] N Li and W-F Qi Construction and analysis of boolean functions of 2t + variables with maximum algebraic immunity In X Lai and K Chen, editors, Advances in Cryptology—ASIACRYPT 2006, volume 4284 of Lecture Notes in Computer Science, pages 84–98 Springer-Verlag, 2006 [142] Y Lu, W Meier, and S Vaudenay The conditional correlation attack: A practical attack on bluetooth encryption In V Shoup, editor, Advances in Cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 97–117, Springer-Verlag, 2005 BIBLIOGRAPHY 152 [143] J Massey Shift-register synthesis and 
BCH decoding IEEE Trans Information Theory, IT15:122–127, 1969 [144] A Maximov, T Johansson, and S Babbage An improved correlation attack on A5/1 In M Hasan H Handschuh, editor, Selected Areas in Cryptography: 11th Annual International Workshop - SAC 2004, volume 3357 of Lecture Notes in Computer Science, pages 1–18 Springer-Verlag, 2004 [145] C McDonald, C Charnes, and J Pieprzyk ”attacking bivium with minisat” eSTREAM, ECRYPT Stream Cipher Project, Report 2007/040, 2007 http://www.ecrypt.eu.org/ stream [146] W Meier, E Pasalic, and C Carlet Algebraic attacks and decomposition of boolean functions In C Cachin and J Camenisch, editors, Advances in Cryptology— Eurocrypt 2004, volume 3027 of Lecture Notes in Computer Science, pages 474–491 Springer-Verlag, 2004 [147] W Meier and O Staffelbach Fast correlation attacks on stream ciphers (extended abstract) In C G¨unther, editor, Advances in Cryptology—EUROCRYPT 88, volume 330 of Lecture Notes in Computer Science, pages 301–314 Springer-Verlag, 1988 [148] W Meier and O Staffelbach Fast corelation attacks on certain stream ciphers Journal of Cryptology, 1:159–176, 1989 [149] W Meier and O Staffelbach The self-shrinking generator In A De Santis, editor, Advances in Cryptology—EUROCRYPT 94, volume 950 of Lecture Notes in Computer Science, pages 205–214 Springer-Verlag, 1995, 1999 [150] A Menezes, P Oorschot, and S Vanstone, editors Handbook of Applied cryptography Discrete Mathimatics and its Applications CRC Press, 1996 [151] A J Menezes, P C Van Oorschot, and S A Vanstone Handbook of Applied Cryptography CRC Press, 1997 [152] R Menicocci Cryptanalysis of a two stage gollmann cascade generator In Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, volume 4, page 6269 Springer-Verlag, 1993 [153] R Menicocci and J Goli´c Edit probability correlation attack on bilateral stop/go generator In M Walker, editor, Cryptography and Coding - 6th IMA International Conference 1999, volume 1746 of 
Lecture Notes in Computer Science, pages 202–212 Springer-Verlag, 1999 [154] M Mihaljevic An approach to the initial state reconstruction of a clock-controlled shift register based on a novel distance measure In J Seberry and Y Zheng, editors, Advances in Cryptology—AUSCRYPT 92, volume 718 of Lecture Notes in Computer Science, pages 349– 356 Springer-Verlag, 1992 [155] W Millan Low order approximation of cipher functions In Cryptography: Policy and Algorithms (CPAC’95), volume 1029 of Lecture Notes in Computer Science, pages 144–155 Springer-Verlag, 1995 BIBLIOGRAPHY 153 [156] W Millan A report on word based stream ciphers Internal Report, ISRC, QUT, 2003 [157] W Millan New results on binary bent functions International Symposium on Information Theory and its Applications, pages 1013–1016, November 1994 [158] C Mitchell Remarks on the security of the Alpha stream cipher Egham,Surrey TW20 0EX, U.K, 2001 Technical report, [159] H Molland Improved linear consistency attack on irregular clocked keystream generators In B Roy and W Meier, editors, Fast Software Encryption FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 109–126 Springer-Verlag, 2004 [160] H Molland and Tor Helleseth An improved correlation attack against irregular clocked and filtered keystream generators In M Franklin, editor, Advances in Cryptology—CRYPTO 2004, volume 3152, pages 373–389 Springer-Verlag, 2004 [161] S Rønjom and T Helleseth Breaking of the filter generator accepted by IEEE Transactions on Information Theory [162] S Rønjom and T Helleseth Attacking the filter generator over GF (2 m ) SASC, the State of the Art of Stream Ciphers, 2007 [163] National Bureau of Standards Data encryption standard Federal Information Processing Standard (FIPS, 1977 [164] S-J Park, S-J Lee, , and S-C Goh On the security of the gollmann cascades In D Coppersmith, editor, Advances in Cryptology—CRYPTO 95, volume 963 of Lecture Notes in Computer Science, pages 148–156 Springer-Verlag, 1995 [165] 
S Petrovic and A F.-Sabater Cryptanalysis of the A5/2 algorithm Cryptography ePrint Archive, Report 2000/052, 2000 [166] V.S Pless Encryption schemes for computer confidentiality IEEE Trnas.Comput, C-26:1133– 1136, November 1977 [167] H Raddum ”Cryptanalytic results on Trivium” eSTREAM, ECRYPT Stream Cipher Project, Report 2006/039, 2006 http://www.ecrypt.eu.org/stream [168] G Rose and P Hawkes Turing : a fast stream cipher In T Johansson, editor, Fast Software Encryption FSE 2003, volume 2887 of Lecture Notes in Computer Science, pages 290–306 Springer-Verlag, 2003 [169] R Rueppel New Approaches to Stream Ciphers PhD thesis, Swiss Federal Institute of Technology Zurich, Zurich,Switzerland, 1984 [170] R Rueppel, editor Analysis and Design of Stream Ciphers Springer-Verlag, Berlin, 1986 [171] R Rueppel When shift registers clock themselves In D Chaum and W Price, editors, Advances in Cryptology—EUROCRYPT 87, volume 304 of Lecture Notes in Computer Science, pages 53– 64 Springer-Verlag, 1988, 13–15 1987 BIBLIOGRAPHY 154 [172] R A Rueppel Stream ciphers In Gustavus J Simmons (Ed.), Contemporary Cryptology :The Science of Information Integrity, IEEE Press 1992 [173] M Saarinen A time-memory tradeoff attack against LILI-128 In J Daemen and V Rijmen, editors, Fast Software Encryption - FSE 2002, volume 2365 of Lecture Notes in Computer Science, pages 231–236 Springer-Verlag, 2002 [174] M Salmasizadeh statistical and corelation analysis of certain shift register based stream ciphers PhD thesis, Information security reserach center,Faculty of information technology,School of data comminications, Queensland university of technology, June 1997 [175] M Salmasizadeh, J Goli´c, E Dawson, and L Simpson A systematic procedure for applying fast correlation attacks to combiners with memory In Selected Areas in Cryptography: 4th Annual International Workshop - SAC 1997, Lecture Notes in Computer Science, pages 102– 116 Springer-Verlag, 1997 [176] P Sarkar Hiji-bij-bij: A new stream 
cipher with self-synchronizing and mac modes of operation In Proceedings of the 3th International Conference on Cryptology in India, INDOCRYPT 2003, volume 2904 of Lecture Notes in Computer Science, pages 36–51 Springer-Verlag, 2003 [177] F Sato and K Kurosawa On the randomness of a [d, k] self-decimation stream key generator [178] C Shannon Communication theory of secrecy systems Bell System Technical Journal, 28(1):656–715, Oct 1949 [179] T Siegenthaler Decrypting a class of stream ciphers using ciphertext only IEEE Transactions on Computers, C-34(1):81–85, January -1985 [180] T Siegenthaler Correlation-immunity of nonlinear combining functions for cryptographic applications IEEE Transactions on Information Theory, 30(5):776–780, September-1984 [181] L Simpson, E Dawson, J Fuller, J Goli´c, H J Lee, W Millan, S J Moon, and A Clark The LILI-II keystream generator In L Batten and J Seberry, editors, Proceedings of Information Security and Privacy - 7th Australasian Conference, ACISP 2002, volume 2384 of Lecture Notes in Computer Science, pages 25–39 Springer-Verlag, 2002 [182] L Simpson, E Dawson, J Goli´c, and W Millan LILI keystream generator In D Stinson and S Tavares, editors, Selected Areas in Cryptography: 7th Annual International Workshop - SAC 2000, volume 2012 of Lecture Notes in Computer Science, pages 248–261 Springer-Verlag, 2001 [183] L Simpson, J Goli´c, and E Dawson A probabilisitic attack on the shrinking generator In C Boyd and E Dawson, editors, Proceedings of Information Security and Privacy, ACISP 1998, volume 1438 of Lecture Notes in Computer Science, pages 147–158 Springer-Verlag, 1998 [184] L Simpson, J Goli´c, M Salmasizadeh, and E Dawson Fast correlation attacks on the multiplexer generator In ISIT98, pages 270–270, August 1998 [185] S Singh, editor The Code Book BIBLIOGRAPHY 155 [186] V Strassen Gaussian elimination is not optimal Numerische Mathematik, 13:354–356, 1969 [187] K Sugimoto, T Chikaraishi, and T Morizumi Design criteria and 
security evaluations on certain stream ciphers Technical report, University of Mannheim, Germany, 2000 [188] Emmanuel Thom´e Computation of discrete logarithms in F2607 In C Boyd, editor, Advances in Cryptology—ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 107–124 Springer-Verlag, 2001 [189] G Vernam Cipher printing telegraph system for secret wire and radio telegraphic communications Journal of American Institute of Electrical Engineers, 45:109–115, 1926 [190] D Wagner Analysis of CAVE: A first look David Wagner described inversion and custom attacks on CAVE, 20 April 1998 [191] D Wagner, B Schneier, and J Kelsey Cryptanalysis of the cellular message encryption algorithm In Advances in Cryptology— CRYPTO 1997, volume 1294 of Lecture Notes in Computer Science, pages 526–537 Springer-Verlag, 1997 [192] D Wagner, L Simpson, E Dawson, J Kelsey, W Millan, and B Schneier Cryptanalysis of ORYX In H Meijer S Tavares, editor, Selected Areas in Cryptography: 5th Annual International Workshop - SAC 1998, volume 1556 of Lecture Notes in Computer Science, pages 296–305 Springer-Verlag, 1998 [193] D Watanabe, A Biryukov, , and C De Canni´ere A distinguishing attack of SNOW 2.0 with linear masking method In M Matsui and R Zuccherato, editors, SAC 2003: Annual International Workshop on Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science, pages 222–233 Springer-Verlag, 2003 [194] D Watanable, S Furuya, H Yoshida, and K Takaragi A new stream generator MUGI In J Daemen and V Rijmen, editors, Fast Software Encryption FSE 2002, volume 2365 of Lecture Notes in Computer Science, pages 179–194 Springer-Verlag, 2002 [195] D H Wiedemann Solving sparse linear equations over finite fields IEEE Transactions on Information Theory, 32(1):54–62, 1986 [196] H Wu Cryptanalysis of stream cipher Alpha In L Batten and J Seberry, editors, Proceedings of Information Security and Privacy - 7th Australasian Conference ACISP 2002, volume 2384 of 
Lecture Notes in Computer Science, pages 169–175 Springer-Verlag, 2002 [197] B Yang and J Chen All in the XL family: Theory and practice In S Chee C Park, editor, Information Security and Cryptology ICISC 2004, volume 3506 of Lecture Notes in Computer Science, pages 67–86 Springer-Verlag, 2005 [198] B-Y Yang, J-M Chen, and Nicolas T Courtois On asymptotic security estimates in XL and Gr¨obner bases-related algebraic cryptanalysis In J L´opez, S Qing, and E Okamoto, editors, Information Security and Cryptology ICISC 2004, volume 3269 of Lecture Notes in Computer Science, pages 401–413 Springer-Verlag, 2004 BIBLIOGRAPHY 156 [199] K Zeng, C Yang, and T Rao An improved linear syndrome algorithm in cryptanalysis with applications In A Vanstone and A Menezes, editors, Advances in Cryptology—CRYPTO 90, volume 537, pages 34–48 Springer-Verlag, 1990 [200] K Zeng, C-H Yang, and T R N Rao Large primes in stream cipher cryptography In J Seberry and J Pieprzyk, editors, AUSCRYPT 90: Proceedings of the International Conference on Cryptology, volume 453 of Lecture Notes in Computer Science, pages 194–205 Springer-Verlag, 1990 [201] E Zenner On the efficiency of the clock control guessing attack In C-H Lim P-J Lee, editor, Information Security and Cryptology - ICISC 2002, volume 2587 of Lecture Notes in Computer Science, pages 200–212 Springer-Verlag, 2002 [202] E Zenner Cryptanalysis of LFSR-based pseudorandom generators - a survey Technical report, University of Mannheim, Germany, 2004 [203] H Zhang, L Li, and X Wang Fast correlation attack on stream cipher abc v3 eSTREAM, ECRYPT Stream Cipher Project, Report 2006/049, 2006 http://www.ecrypt.eu.org/ stream [204] X Zhang, J Pieprzyk, and Y Zheng On algebraic immunity and annihilators In M Rhee and B Lee, editors, Information Security and Cryptology ICISC 2006, volume 4296 of Lecture Notes in Computer Science, pages 65–80 Springer-Verlag, 2006 [205] M V Zivkovic An algorithm for the initial state reconstruction of the 
clock-controlled shift register IEEE Transactions on Information Theory, 37(5):1488, 1991 ... attacks Others are more specialized, such as divide and conquer attacks, conditional and unconditional correlation attacks, attacks based on linear consistency, linear cryptanalysis, inversion... presented, and contain material based on the content of this thesis • [1] Sultan Zayid Al-Hinai, Lynn Batten, Bernard Colbert and Kenneth Wong Algebraic attacks on clock- controlled stream ciphers In... Keywords Stream Ciphers, Linear Feedback Shift Registers, Non Linear Feedback Shift Registers, Regular Clocking, Irregular Clocking, Clock- Controlled, Algebraic Attacks, Fast Algebraic Attacks

Posted: 07/08/2017, 12:46
