Improving algebraic attacks on stream ciphers based on linear feedback shift register over $$\mathbb {F}_{2^k}$$

In this paper we investigate univariate algebraic attacks on filter generators over extension fields \(\mathbb {F}_q=\mathbb {F}_{2^n}\) with focus on the Welch–Gong (WG) family of stream ciphers. Our main contribution is to reduce the general algebraic attack complexity on such cipher by proving new and lower bounds for the spectral immunity of such ciphers. The spectral immunity is the univariate analog of algebraic immunity and instead of measuring degree of multiples of a multivariate polynomial, it measures the minimum number of nonzero coefficients of a multiple of a univariate polynomial. In particular, there is an algebraic degeneracy in these constructions, which, when combined with attacks based on low-weight multiples over \(\mathbb {F}_q\), provides much more efficient attacks than over \(\mathbb {F}_2\). With negligible computational complexity, our best attack breaks the primitive WG-5 if given access to 4 kilobytes of keystream, break WG-7 if given access to 16 kilobytes of keystream and break WG-8 if given access to half a megabyte of keystream. Our best attack on WG-16 targeted at 4G-LTE is less practical, and requires \(2^{103}\) computational complexity and \(2^{61}\) bits of keystream. In all instances, we significantly lower both keystream and computational complexity in comparison to previous estimates. On a side note, we resolve an open problem regarding the rank of a type of equation systems used in algebraic attacks.     

A discrete logarithm-based approach to compute low-weight multiples of binary polynomials

Being able to compute efficiently a low-weight multiple of a given binary polynomial is often a key ingredient of correlation attacks to LFSR-based stream ciphers. The best known general purpose algorithm is based on the generalized birthday problem. We describe an alternative approach which is based on discrete logarithms and can take advantage of the structure of the polynomial. In some cases it has much lower memory complexity requirements with a comparable time complexity.     

Generic cryptographic weakness of k-normal Boolean functions in certain stream ciphers and cryptanalysis of grain-128

This paper considers security implications of k-normal Boolean functions when they are employed in certain stream ciphers. A generic algorithm is proposed for cryptanalysis of the considered class of stream ciphers based on a security weakness of k-normal Boolean functions. The proposed algorithm yields a framework for mounting cryptanalysis against particular stream ciphers within the considered class. Also, the proposed algorithm for cryptanalysis implies certain design guidelines for avoiding certain weak stream cipher constructions. A particular objective of this paper is security evaluation of stream cipher Grain-128 employing the developed generic algorithm. Contrary to the best known attacks against Grain-128 which provide complexity of a secret key recovery lower than exhaustive search only over a subset of secret keys which is just a fraction (up to 5%) of all possible secret keys, the cryptanalysis proposed in this paper provides significantly lower complexity than exhaustive search for any secret key. The proposed approach for cryptanalysis primarily depends on the order of normality of the employed Boolean function in Grain-128. Accordingly, in addition to the security evaluation insights of Grain-128, the results of this paper are also an evidence of the cryptographic significance of the normality criteria of Boolean functions.     

A systematic method of constructing Boolean functions with optimal algebraic immunity based on the generator matrix of the Reed–Muller code

Because of the recent algebraic attacks, optimal algebraic immunity is now an absolutely necessary (but not sufficient) property for Boolean functions used in stream ciphers. In this paper, we firstly determine the concrete coefficients in the linear expression of the column vectors with respect to a given basis of the generator matrix of Reed–Muller code, which is an important tool for constructing Boolean functions with optimal algebraic immunity. Secondly, as applications of the determined coefficients, we provide simpler and direct proofs for two known constructions. Further, we construct new Boolean functions on odd variables with optimal algebraic immunity based on the generator matrix of Reed–Muller code. Most notably, the new constructed functions possess the highest nonlinearity among all the constructions based on the generator matrix of Reed–Muller code, although which is not as good as the nonlinearity of Carlet–Feng function. Besides, the ability of the new constructed functions to resist fast algebraic attacks is also checked for the variable \(n=11,13\) and 15.     

On the security of the Feng–Liao–Yang Boolean functions with optimal algebraic immunity against fast algebraic attacks

In the past few years, algebraic attacks against stream ciphers with linear feedback function have been significantly improved. As a response to the new attacks, the notion of algebraic immunity of a Boolean function f was introduced, defined as the minimum degree of the annihilators of f and f + 1. An annihilator of f is a nonzero Boolean function g, such that fg = 0. There is an increasing interest in construction of Boolean functions that possess optimal algebraic immunity, combined with other characteristics, like balancedness, high nonlinearity, and high algebraic degree. In this paper, we investigate a recently proposed infinite class of balanced Boolean functions with optimal algebraic immunity, optimum algebraic degree and much better nonlinearity than all the previously introduced classes of Boolean functions with maximal algebraic immunity. More precisely, we study the resistance of the functions against one of the new algebraic attacks, namely the fast algebraic attacks (FAAs). Using the special characteristics of the family members, we introduce an efficient method for the evaluation of their behavior against these attacks. The new algorithm is based on the well studied Berlekamp–Massey algorithm.     

Construction of balanced Boolean functions with high nonlinearity and good autocorrelation properties

Boolean functions with high nonlinearity and good autocorrelation properties play an important role in the design of block ciphers and stream ciphers. In this paper, we give a method to construct balanced Boolean functions of n variables, where n ≥ 10 is an even integer, satisfying strict avalanche criterion (SAC), and with high algebraic degree. Compared with the known balanced Boolean functions with SAC property, the constructed functions possess the highest nonlinearity and the best global avalanche characteristics property.     

Fast construction of binary ring FCSRs for hardware stream ciphers

Stream ciphers based on linear feedback shift registers have been subject to algebraic attacks. To avoid these kinds of attacks, feedback with carry shift registers (FCSRs) have been proposed as an alternative. They are suitable for hardware implementations. FCSRs have been implemented using ring representation, in order to circumvent some weaknesses in the traditional representations. In this paper, we explore the simplest case of FCSRs, called binary FCSRs, which are common in applications. We give a fast algorithm to construct binary ring FCSRs for hardware stream ciphers.     

Concatenating Indicators of Flats for Designing Cryptographic Functions

Boolean functions with good cryptographic characteristics are needed for the design of robust pseudo-random generators for stream ciphers and of S-boxes for block ciphers. Very few general constructions of such cryptographic Boolean functions are known. The main ones correspond to concatenating affine or quadratic functions. We introduce a general construction corresponding to the concatenation of indicators of flats. We show that the functions it permits to design can present very good cryptographic characteristics.     

A family of keystream generators with large linear complexity

In this work, a new class of keystream generators with a large linear complexity has been derived. The design criteria are easily compatible with those given in the literature to prevent correlation attacks.     

Run distribution innonlinear binary generators

In this work, an easy method of computing the exact number of runs of ones and zerosin the sequence obtained from LFSR-based nonlinear generators has been developed. The procedure is based on the decomposition of the generating function in global minterms. If the obtained results are not in the expected range, then the sequence generator must be rejected for cryptographic purposes.     

代数免疫度为1的布尔函数

布尔函数的代数免疫度是在流密码的代数攻击中所产生的重要概念.研究了代数免疫度为1的布尔函数,得到的主要结果有:对代数免疫度为1的布尔函数给出了一个谱刻画,给出了其个数的精确计数公式,最后给出了此类函数的非线性度的紧的上界.     

Binary Representations of Finite Fields and Their Application to Complexity Theory

Binary representations of finite fields are defined as an injective mapping from a finite field tol-tuples with components in {0, 1} where 0 and 1 are elements of the field itself. This permits one to study the algebraic complexity of a particular binary representation, i.e., the minimum number of additions and multiplications in the field needed to compute the binary representation. The two-way complexity of a binary representation is defined as the sum of the algebraic complexities of the binary representation and of its inverse mapping. Two particular binary representations are studied: the standard representation and the logarithmic representation. A method of surrogate computation is developed and used to deduce relationships between the algebraic complexities of certain functions. The standard representation of a finite field is shown to be among the two-way easiest representations of this field. In particular, the standard representation of a finite field with characteristicpis two-way easy wheneverp− 1 has only small prime factors. For any finite field having a two-way easy binary representation, the algebraic complexity in this field is shown to be essentially equivalent to Boolean circuit complexity. For any finite field, the Boolean circuit complexity of Zech's (or Jacobi's) logarithm is shown to be closely related to the Boolean circuit complexity of the discrete logarithm problem that is used in public-key cryptography.     

Self-shrinking chaotic stream ciphers

In the last two decades, a growing number of chaos-based cipher systems have been suggested for use in cryptographic applications. Most of these systems were subject to cryptanalytic attacks, and many of them were shown to suffer from a lack of security. In this paper, we export the self-shrinking technique used in classical cryptography into chaotic systems to develop chaotic keystream generators capable of generating keystreams featuring very good statistical properties, and possessing high level of security. This paper proposes a sample self-shrinking chaos-based keystream generator implemented using a 1-D chaotic tent map. Randomness properties and results of statistical testing of keystream bits generated by applying the self-shrinking technique on chaotic maps with suitable parameters are found encouraging. Furthermore, chaotic cipher systems based on such technique are demonstrated to have a better performance in terms of randomness properties and security level than many existing cipher systems.     

A stream cipher based on a spatiotemporal chaotic system

A stream cipher based on a spatiotemporal chaotic system is proposed. A one-way coupled map lattice consisting of logistic maps is served as the spatiotemporal chaotic system. Multiple keystreams are generated from the coupled map lattice by using simple algebraic computations, and then are used to encrypt plaintext via bitwise XOR. These make the cipher rather simple and efficient. Numerical investigation shows that the cryptographic properties of the generated keystream are satisfactory. The cipher seems to have higher security, higher efficiency and lower computation expense than the stream cipher based on a spatiotemporal chaotic system proposed recently.     

A new result on irreducible NFSRs with respect to cascade connection

Nonlinear feedback shift registers (NFSRs) are widely used in stream cipher design as building blocks. The cascade connection of NFSRs, known as an important architecture, has been adopted in Grain family of stream ciphers. In this paper, a new sufficient condition under which an NFSR cannot be decomposed into the cascade connection of two smaller NFSRs is presented, which is easy to be verified from the algebraic normal form (ANF) of the characteristic function. In fact, our results are also applicable to nonsingular Boolean functions, which actually improve a previous research of Rhodes [6] where the characteristic functions of NFSRs cannot be contained.     

Improved distinguishers for HC-128

HC-128 is an eSTREAM final portfolio stream cipher. Several authors have investigated its security and, in particular, distinguishing attacks have been considered. Still, no one has been able to provide a distinguisher stronger than the one presented by Wu in the original HC-128 paper. In this paper we first argue that the keystream requirement in Wu’s original attack is underestimated by a factor of almost 2⁸. Our revised analysis shows that the keystream complexity of Wu’s original attack is 2^160.471 32-bit keystream blocks. We then go on to investigate two new types of distinguishers on HC-128. One of them, a distinguisher counting the number of zeros in created blocks of bits, gives a biased distribution that requires 2^143.537 such constructed block samples (2^152.537 32-bit keystream blocks). For fairness, the same metric is used to compare our attack to Wu’s, and our improvement is significant compared to Wu’s original result. Furthermore, the vector-based methodology used is general and can be applied to any cryptographic primitive that reveals a suitable probability distribution.     

On the Linear Complexity Profile of Nonlinear Congruential Pseudorandom Number Generators with Dickson Polynomials

Linear complexity and linear complexity profile are important characteristics of a sequence for applications in cryptography and Monte-Carlo methods. The nonlinear congruential method is an attractive alternative to the classical linear congruential method for pseudorandom number generation. Recently, a weak lower bound on the linear complexity profile of a general nonlinear congruential pseudorandom number generator was proven by Gutierrez, Shparlinski and the first author. For most nonlinear generators a much stronger lower bound is expected. Here, we obtain a much stronger lower bound on the linear complexity profile of nonlinear congruential pseudorandom number generators with Dickson polynomials.     

On the structure of digital explicit nonlinear and inversive pseudorandom number generators

We analyze the lattice structure and distribution of the digital explicit inversive pseudorandom number generator introduced by Niederreiter and Winterhof as well as of a general digital explicit nonlinear generator. In particular, we extend a lattice test designed for this class of pseudorandom number generators to parts of the period and arbitrary lags and prove that these generators pass this test up to very high dimensions. We also analyze the behavior of digital explicit inversive and nonlinear generators under another very strong lattice test which in its easiest form can be traced back to Marsaglia and provides a complexity measure essentially equivalent to linear complexity.     

幂函数的一些密码学性质

二元域上n数组空间上的非线性置换在分组码，杂凑函数与流密码等密码学领域中有重要应用.域GF（2n）上的幂函数提供了二元域上n数组空间上的一类非线性置换．本文着重研究幂函数的强完全性、完全性与非线性度等密码学性质．作为结果，本文证明了幂函数具有完全性；证明了具有强完全性的函数必有较高的拓扑非线性度；木文找到一类具有强完全性的幂函数；周时也定出了幂函数的代数非线性度．     

Design of Practical and Provably Good Random Number Generators

We present a construction for a family of pseudo-random generators that are very fast in practice, yet possess provable statistical and cryptographic unpredictability properties. Such generators are useful for simulations, randomized algorithms, and cryptography.Our starting point is a slow but high quality generator whose use can be mostly confined to a preprocessing step. We give a method of stretching its outputs that yields a faster generator. The fast generator offers smooth memory–time–security trade-offs and also has many desired properties that are provable. The slow generator can be based on strong one-way permutations or block ciphers. Our implementation based on the block cipher DES is faster than popular generators.