Show Summary Details
More options …

Open Mathematics

formerly Central European Journal of Mathematics

Editor-in-Chief: Gianazza, Ugo / Vespri, Vincenzo

IMPACT FACTOR 2017: 0.831
5-year IMPACT FACTOR: 0.836

CiteScore 2018: 0.90

SCImago Journal Rank (SJR) 2018: 0.323
Source Normalized Impact per Paper (SNIP) 2018: 0.821

Mathematical Citation Quotient (MCQ) 2017: 0.32

ICV 2017: 161.82

Open Access
Online
ISSN
2391-5455
See all formats and pricing
More options …

Linearity in decimation-based generators: an improved cryptanalysis on the shrinking generator

Sara D. Cardell
• Corresponding author
• Instituto de Matemática, Estatística e Computação Científica, Universidade Estadual de Campinas, Campinas, Brazil
• Email
• Other articles by this author:
/ Amparo Fúster-Sabater
• Instituto de Tecnologías Físicas y de la Información, Consejo Superior de Investigaciones Científicas (CSIC), Madrid, Spain
• Email
• Other articles by this author:
• Instituto de Tecnologías Físicas y de la Información, Consejo Superior de Investigaciones Científicas (CSIC), Madrid, Spain
• Other articles by this author:
Published Online: 2018-06-14 | DOI: https://doi.org/10.1515/math-2018-0058

Abstract

Decimation-based sequence generators are a class of non-linear cryptographic generators designed to be used in hardware implementations. An inherent characteristic of such generators is that their output sequences are interleaved sequences. This profitable characteristic can be used in the cryptanalysis of those generators. In this work, emphasis is on the most representative decimation-based generator, the shrinking generator, which has been cryptanalyzed just by solving linear equation systems. Compared with previous cryptanalysis, computational complexity and intercepted sequence requirements are dramatically reduced. Although irregularly decimated generators have been conceived and designed as non-linear sequence generators, in practice they can be easily analyzed in terms of simple linear structures.

MSC 2010: 94A55; 94A60

1 Introduction

Nowadays stream ciphers are the fastest among the encryption procedures. They are designed to generate, from a short key, a long sequence (keystream sequence) of seemingly random bits. Some well known designs in stream ciphers can be found in [1, 2]. Typically, a stream cipher consists of a keystream generator whose output sequence is bit-wise XORed with the plaintext (in emission) to obtain the ciphertext or with the ciphertext (in reception) to recover the original plaintext. References [3, 4, 5] provide a solid introduction to the study of stream ciphers.

There are many proposals of keystream generators that are based on maximal-length Linear Feedback Shift Registers (LFSRs) [6]. Such registers are linear structures characterized by their length L, their characteristic polynomial p(x) and their initial state is (currently the key of the cryptosystem). Their output sequences, the so-called PN-sequences, are usually combined in a non-linear way in order to break their linearity and to produce new pseudorandom sequences of cryptographic application. LFSRs with dynamic feedback, clock-controlled generators, nonlinear filters or irregularly decimated generators are just some of the most popular keystream generators, see above references.

Irregularly decimated generators produce sequences with good cryptographic properties: long periods, right correlation, excellent run distribution, balancedness, simplicity of implementation, etc. The underlying idea of this kind of generators is the irregular decimation of a PN-sequence according to the bits of another one. The result of this decimation is a binary sequence that will be used as keystream sequence in the cryptographic procedure of stream cipher.

Inside the family of irregularly decimated generators, we can enumerate:

1. The shrinking generator proposed by Coppersmith, Krawczyk and Mansour [7] that involves two LFSRs.

2. The self-shrinking generator designed by Meier and Staffelbach [8] involving only one LFSR.

3. The generalized self-shrinking generator proposed by Hu and Xiao [9] that generates a family of binary sequences.

4. The modified self-shrinking generator, a decimation-based keystream sequence generator, introduced by Kanso in [10] as an improved version of the self-shrinking generator.

In addition, different linear structures based in Cellular Automata that model such generators can also be found in the literature [11, 12, 13].

This work focuses on the most representative element in the class of decimation-based sequence generators: the shrinking generator. Taking advantage of the fact that its output sequence is an interleaved sequence, a simple cryptanalytic attack has been developed. The basic ideas of this attack can be generalized to other elements in the same class of generators.

The paper is organized as follows: in Section 2 fundamentals and basic concepts are provided. In Section 3, we introduce some important properties of the shrinking generator that will be used in Section 4 to perform a recovering algorithm for the generated sequence. Section 5 compares the attack here presented with other ones found in the literature. Finally, conclusions in Section 6 end the paper.

2 Preliminaries

Notation and basic concepts are now introduced. First of all, we introduce the concept of decimation, which will be used repeatedly throughout this paper. Let {ui} (i = 0, 1, 2, …) be a linear recursive sequence over a finite field. The decimation of the sequence {ui} by d is a new sequence obtained by taking every d-th term of {ui} [14].

Next, the definition of interleaved sequence is provided [15].

Definition 2.1

Let g(x) be a polynomial of degree r over GF(q) (the Galois field of q elements) and let n be a positive integer. For any sequence w = {wk} over GF(q), write k = i n+j (i = 0, 1, 2, … j = 0, …, n − 1). If all the subsequences wj = {wi n + j}i ≥ 0 (j = 0, …, n − 1) are generated by g(x), then w is called an interleaved sequence over GF(q) of size n associated with g(x).

We can write w = (w0, w1, …, wn − 1) where each wj (j = 0, …, n − 1) is a subsequence of w. In fact, each wj is an n-decimation of the sequence w obtained from such a sequence by taking one out of n terms. In the sequel, GF(q) will be the binary field GF(2).

The shrinking generator (SG) was first introduced in [7]. It is made up of two maximal-length LFSRs denoted by R1 and R2. Let L1 and L2 (L1 < L2) be the LFSR lengths, the primitive polynomials p1(x), p2(x) their characteristic polynomials, and is1 and is2 their initial states, respectively. Moreover, let {ai} and {bi} be the PN-sequences generated by R1 and R2, respectively. In this case, the sequence {ai} decimates the other sequence {bi}. The decimation rule is very simple: given two bits ai and bi, the output sequence of the generator {sk} is computed as $If ai=1 then sk=biIf ai=0 then bi is discarded.$

We call the sequence {sk} as the shrunken sequence (SS). Assume that gcd(L1, L2) = 1, then the period of SS is T = 2L1 − 1(2L2 − 1).

The linear complexity of a sequence, denoted by LC, is defined as the length of the minimum LFSR that generates such a sequence. As gcd(L1, L2) = 1, then the linear complexity of the shrunken sequence is given by L2 2L1 − 2 < LCL2 2L1 − 1. Moreover, its characteristic polynomial is of the form p(x)m where p(x) is a primitive polynomial of degree L2 and m an integer satisfying 2L1 − 2 < m ≤ 2L1 − 1.

As usual, the key of this generator is the initial state of the both registers R1 and R2.

Next a simple illustrative example is introduced.

Example 2.2

Consider two LFSRs R1 and R2 with lengths L1 = 2 and L2 = 3, characteristic polynomials p1(x) = 1+x+x2 and p2(x) = 1+x2+x3, and initial states is1 = (1, 0) and is2 = (1, 0, 0), respectively.

The shrunken-sequence can be computed as follows: ${ai}:101101101101101101101{bi}:10∖/011∖/101∖/001∖/110∖/100∖/111∖/0{sk}:11100111110010000111111110011111100$

The shrunken sequence {sk} has period 14 and it is easy to check that its characteristic polynomial is p(x)2 = (1+x+x3)2, consequently its linear complexity equals 6.

3 Linear properties of the shrunken sequence

In this section, we highlight some properties of the shrunken sequence, which will be used in the algorithm proposed in Section 4. As before, we consider two LFSRs R1 and R2 with lengths L1 and L2, characteristic polynomials p1(x), p2(x) and initial states is1 and is2. In addition, T1 = 2L1 − 1 and T2 = 2L2 − 1 are the periods of their corresponding PN-sequences {ai} and {bi}, respectively.

According to Definition 2.1, the shrunken sequence s = {sk} can be written as s = {s0, s1, …, sn − 1} where n = 2L1 − 1. In fact, every subsequence sj (j = 0, …, n − 1) is a PN-sequence generated by the L2-degree primitive polynomial p(x) defined as $p(x)=∏i=0L2−1(x+αei),$

where ei = 2iT1 mod T2 and α is a root of the polynomial p2(x). Recall that every subsequence sj is just a decimation of {bi} by d = 2L1 − 1, thus the resulting sequence is a PN-sequence too. In brief, ei (i = 0, …, L2 − 1) are the elements of the cyclotomic coset 2L1 − 1 and p(x) is the polynomial associated with such a coset [6]. The subsequences sj (j = 0, …, n − 1) are called the interleaved PN-sequences of the shrunken sequence.

Example 3.1

Consider two LFSRs R1 and R2 with lengths L1 = 3 and L2 = 4, characteristic polynomials p1(x) = 1+x+x3 and p2(x) = 1+x+x4 and initial states is1 = (1, 0, 0) and is2 = (1, 0, 0, 0), respectively. The shrunken sequence has period T = 60 and its characteristic polynomial is p(x)4 = (1+x3+x4)4. Since the shrunken sequence is an interleaved sequence, it is composed of 4 PN-sequences: $d1=3→s0s1s2s3↓↓↓↓d1=3→1000d1=3→1111d1=3→1010d3=3→0_001d1=3→1001d2=5→0_110d1=3→1100d1=3→1101d1=3→0100d1=9→0_010d1=3→1110d1=3→0011d1=3→0111d1=3→0101d1=3→1011$

All of them have the same characteristic polynomial p(x) = 1+x3+x4, thus there is a unique PN-sequence but shifted. This shift depends on the positions of the 1s in the PN-sequence {ai}.

Let {i0, i1, …, i2L1 − 1−1} denote the position of the 2L1−1 ones in the PN-sequence {ai} and let δ be an integer such that (2L1 − 1)δ = 1 mod (2L2 − 1). Let also dj (j = 1, 2, …, 2L1−1 − 1) be the position over s0 of the first element of each subsequence sj (j = 1, …, n − 1), respectively. If we know such positions dj over s0, then we can compute the indices ij by means of the following expressions: $dj=δ⋅ij mod 2L2−1, for j=1,2,…,2L1−1−1.$(1)

In Example 3.1, we had four interleaved subsequences s0, s1, s2 and s3. It is easy to check that d1 = 9, d2 = 5 and d3 = 3. In this case, T1 = 7 and T2 = 15, then δ = 13. With this information, we can determine the position of the ones in {ai} (i0 = 0, without loss of generality): $13⋅i1=9 mod 15→i1=313⋅i2=5 mod 15→i2=513⋅i3=3 mod 15→i3=6$

Therefore, the set of indices is given by {0, 3, 5, 6} and the PN-sequence {ai} is given by {1, 0, 0, 1, 0, 1, 1}.

In the algorithm proposed in Section 4, the opposite situation occurs. In that case, we know the position of the ones in the PN-sequence {ai} and we compute the position of the first element of each subsequence sj in s0 by means of the expressions given in (1).

The presence of PN-sequences inside the shrunken sequence reveals severe dependencies among its bits. These linear relationships will be advantageously used in the proposed attack. In fact, given N intercepted bits of this sequence, the goal is to determine the pair of initial states (is1, is2) of both registers.

4 Cryptanalytic attack

Prior to the attack’s description, the following notation is introduced:

• is1 = (a0, a1, …, aL1 − 1), is2 = (b0, b1, …, bL2−1)

• S = {s0, s1, …, sN−1} are the N intercepted bits of the shrunken sequence. Currently, the number N can be written as N = N1 + N2 where N1 bits are used to compute the pair (is1, is2) while N2 bits are used to check the correctness of the previous pair.

• δ as before is an integer δ ∈ {1, 2, 3, …, T2 − 1}, such that T1δ = 1 mod T2.

The N1 intercepted bits are elements of any interleaved PN-sequence sj. Nevertheless, in this attack we only focus on the first interleaved PN-sequence s0. For simplicity it will be denoted by {ui} (i = 0, 1, …, 2L2 − 2). According to the properties of the PN-sequences, any term uk of {ui} can be expressed as a function of the first L2 bits (u0, u1, …, uL2 − 1) by means of the modular expression $q(x)=xk mod p(x),$

where q(x) = cL2 − 1 xL2 − 1 + … + c1 x + c0 with ciGF(2). Thus, $uk=cL2−1uL2−1+…+c1u1+c0u0.$

This cryptanalytic attack is based on solving systems of linear equations of the form: $Ax=b,$(2)

where A is an (N1 × L2) binary coefficient matrix, x is the (L2 × 1) vector of unknowns and b is the (L2 × 1) right side vector of intercepted bits. Each initial state is1 parametrises the coefficient matrix A, then the Linear Consistency Test (LCT) [16] checks the consistency of the corresponding equation system (2). If is1 considered is the right initial state, then the equation system certainly will be consistent. On the other hand, if is1 is not the initial state used in the generation of the intercepted bits, then by [16, Theorem 1] the consistency probability of the system will be very small when the intercepted segment is long enough. In order to make the number of false consistency alarms as small as possible, the number of equations in (2) should exceed L1 + L2 significantly, see [16] and [17].

The attack is divided into two phases. In phase 1, we check the 2L1 − 1 initial states is1 starting by 1 (as only the 1s of {ai} generate bits in the shrunken sequence) to determine a set Q of possible candidates to initial state of R1. In phase 2, for every is1 in Q its corresponding is2 will be computed. The pair (is1, is2) able to generate all the intercepted shrunken sequence will be the key of the cryptosystem. In brief, the algorithm can be described as follows:

INPUT : The lengths L1 and L2 of both registers, the characteristic polynomials p1(x), p2(x) and the N intercepted bits S = {s0, s1, …, sN−1} of the shrunken sequence.

1. Computation of PHASE 1

2. Computation of PHASE 2

OUTPUT : The initial states is1 and is2 (key of the cryptosystem) that generate the shrunken sequence.

In the sequel, the whole attack is described in detail.

• PHASE 1

For each is1 considered do:

1. Starting in is1, generate a portion of sequence {ai} until N1 ones are obtained. Such ones will be located at positions ik (k = 0, 1, …, N1 − 1) over {ai}.

2. Determine N1 positions in the sequence {ui} as $dk=δ⋅ik mod T2(k=0,1,…,N1−1).$

3. Assign the N1 intercepted bits to the previous positions $udk=sk(k=0,1,…,N1−1).$

4. Express each udk as a function of the first L2 terms of {ui}, that is udk = fk(u0, u1, …, uL2 − 1), by means of $xdk mod p(x)(k=0,1,…,N1−1).$

It turns out to be a system of linear equations $udk=fk(u0,u1,…,uL2−1)=sk$

(k = 0, 1, …, N1 − 1) with N1 equations in the (u0, u1, …, uL2 − 1) unknowns.

5. Apply the Linear Consistency Test (LCT) [16] to check the consistency of the previous system, if the system is consistent, then include is1 in Q

else is1 is rejected.

end do

The result of this phase is the set Q of possible candidates to initial state of LFSR R1. Once the set Q has been computed, the second step of the attack is performed.

• PHASE 2

For each is1 in Q do:

1. Express each bik as a function of the first L2 terms of {bi}, that is bik = gk(b0, b1, …, bL2 − 1), by means of $xik mod p2(x)(k=0,1,…,N1−1).$

It turns out to be a system of linear equations $bik=gk(b0,b1,…,bL2−1)=sk$

(k = 0, 1, …, N1 − 1) with N1 equations in the (b0, b1, …, bL2 − 1) = is2 unknowns.

2. Apply the Linear Consistency Test (LCT) to check the consistency of the previous system,

if the system is not consistent, then reject (is1, is2)

else if the pair (is1, is2) can generate the shrunken sequence by using the N2 bits for checking,

then cryptosystem broken !!!

else is1 is rejected.

The result of this phase is the pair (is1, is2) generating the shrunken sequence, that is the key of the cryptosystem.

A software implementation of the previous attack has been performed on a laptop device with the following specifications:

• Operative system: Arch Linux

• CPU: Dual core Intel Core i7-4510U, Cache 4096 KB, Freq. 3100 MHz

• RAM: 8 GB, Type: DDR3

• Hard Disk: Type SSD, Size 256.1 GB

Some numerical results are depicted in Table 1 where L1, L2 are the lengths of registers R1 and R2, respectively, T is the period of the corresponding shrunken sequence, N1 is the number of intercepted bits for computation, c(Q) is the cardinality of Q, that is the number of candidates to initial state of R1, and t is the running time expressed in seconds. It must be noticed that the period of the shrunken sequence is much greater than the number of intercepted bits needed to successfully run the algorithm within a reasonable time. For our computations, N1 = 2 ⋅ L2 while N2 is chosen N2 = N1. In brief, the requirements of intercepted sequence are extremely low. In Table 2, the same results are shown but now the number of intercepted bits N1 equals L2. In this case, since N1 has been reduced, the execution time has been reduced too. Nevertheless, the number of candidates has grown considerably. Table 3 shows the numerical results corresponding to the verification of a unique initial state is1 in the phase 1 of the algorithm. Recall that even for large values of L1 and L2 the execution time of such routine is very low.

Table 1

Numerical results for the algorithm

Table 2

Numerical results for the algorithm when N1 = L2

The most remarkable features of the proposed attack are:

Table 3

Numerical results for the verification of one is1

1. The low amount of intercepted bits needed for its execution. Indeed, N1 = nL2, n being a small integer (n = 2, 3, 4), and N2N1. Thus the amount of sequence required is linear in the length of the register R2.

2. The running time of the attack is dominated by phase 1 which has a time complexity of O(2L1 − 1 ⋅ (N1 × L2)3), that is exponential in L1 due to the number of is1 considered and polynomial in L2. In fact, the work factor needed for each test is that of the Gauss elimination algorithm applied to the augmented matrix (A, b), which is cubic in the dimension of the matrix. In any case, the cubic factor is irrelevant compared with the exponential factor.

3. Both phases 1 and 2 are fully parallelizable and some tweaks can be made to optimize the LCT step.

The program makes use of SageMath, an algebraic computation systems based on Python. In order to handle polynomials over GF(2), SageMath uses the libraries NLT. In order to compute with matrices over GF(2), SageMath uses the libraries M4RI. In the LCT application, the system of equations is transformed into a low reduced echelon form. This step is important in the computation efficiency as the system consistency is reduced to test the existence of a row (0, 0, …, 0, 1) in the coefficient matrix of the system.

5 Other attacks over the shrinking generator

Other attacks against the shrinking generator have been designed in the literature. For example, in [18], the authors proposed two fault cryptoanalysis. In that work, the attacker is supposed to have a device implementing the shrinking generator and can use it freely. They also assume that the base and control generators of the shrinking generator output bits according to the uniform distribution over GF(2) and that an attacker can disturb clocking of the device, that is, he can stop the control sequence for a couple of steps, and observe the output of the generator. These attacks require injecting specific faults and restarting the device with partially the same internal state. While injecting such faults is potentially possible, it may require some design faults (so that potentially vulnerable parts of the device were placed on external layers). It shows at least that a careful examination of a chip design might be necessary. Furthermore, on the first cryptanalysis, there exists a probability of false solution and algorithm failure. As a consequence, they have to assume that the number of 0s between two 1s does not exceed a certain parameter maxzeros. They proved that the probability of a false result grows rapidly with the assumed length of the gap between the 1s. That is why they assume that the control sequence does not contain a block of more than maxzeroes 0s. Of course, when this assumption is false, the algorithm fails.

Several correlation attacks against the shrinking generator have been proposed too. A correlation attack was proposed in [19] and was experimentally analyzed in [20], where an exhaustive search through all initial states and all possible feedback polynomials of R2 was performed. Later, in [21] the author presented a reduced complexity correlation attack based on searching for specific subsequences of the keystream sequence, whose complexity and required keystream length are both exponential in the length of R2.

A few years later, in [22] Golić conducted a probabilistic correlation analysis based on a recursive computation of the posterior probabilities of individual bits of R2, which revealed the possibility of implementing certain type of fast correlation attacks on the shrinking generator. A novel distinguishing attack was also proposed in [23]. In a subsequent paper [24], the author proposed an improved linear consistency attack based on an exhaustive search through all initial states of R1.

In [22], the author conjectured that the shrinking generator could be vulnerable against fast correlation attacks that would not require an exhaustive search through all possible initial states. In [25], the authors tried to answer this question with length of R2 equal to 61 (as suggested in [26]). They claimed that given 140000 keystream bits, the initial state of R2 with arbitrary weight characteristic polynomial of degree 61 could be recovered with success probability higher than 99% and complexity 256, which was a good trade-off between these parameters.

In brief, the algorithm here developed presents two main advantages against other proposals. First, compared with other cryptanalytic attacks, the original key of the cryptosystem is always obtained. As pointed in [16], there is a trade-off between the number of equations to consider and the false positive ratio. Nevertheless, in our experiments we consider a minimum number of equations and in most cases only the original key was retrieved. Furthermore, with the knowledge of the LFSRs’ parameters the attacker just needs to intercept a part of the keystream sequence and perform the algorithm; our method does not need further assumptions. Second, the results given in Table 1 show that the required keystream length in our algorithm grows linearly in the length of R2, in contrast with other proposals where the amount of required sequence is exponential in the length of any register.

6 Conclusions

The shrinking generator obtains an implicit non-linearity originated from the decimation process. This process is an attempt to create strong pseudorandom sequences with cryptographically good properties out of weak components. It is proved that the shrunken sequence has a long period, a desirably high linear complexity and good statistical properties. However, the linear properties presented in this work make this generator vulnerable against attacks. This paper presents a cryptanalysis over the shrinking generator based on solving linear systems. Besides, the number of intercepted bits needed to successfully perform the algorithm is substantially lower than the period of the sequence, growing linearly with the length of the register R2.

Acknowledgement

The work of the first author was supported by FAPESP with process number 2015/07246-0. This research has been partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS, reference TIN2017-84844-C2-1-R, and by Comunidad de Madrid (Spain) under project reference S2013/ICE-3095-CIBERDINE-CM, also co-funded by European Union FEDER funds.

References

• [1]

eSTREAM: the ECRYPT Stream Cipher Project, ECRYPT II, eSTREAM portfolio. [Online]. Available: http://www.ecrypt.eu.org/stream/

• [2]

Robshaw M., Billiet O., New Stream Cipher Designs: The eSTREAM Finalists, Springer, 2008 Google Scholar

• [3]

Menezes A. J., van Oorschot P. C., Vanstone S. A., Handbook of Applied Cryptography, Boca Raton, FL: CRC Press, 1996 Google Scholar

• [4]

Paar C., Pelzl J., Understanding Cryptography, Berlin: Springer, 2010 Google Scholar

• [5]

Rueppel R. A., Analysis and Design of Stream Ciphers New York, NY: Springer Verlag, 1986 Google Scholar

• [6]

Golomb S. W., Shift Register-Sequences, Laguna Hill, California: Aegean Park Press, 1982 Google Scholar

• [7]

Coppersmith D., Krawczyk H., Mansour Y., The shrinking generator, Advances in Cryptology – CRYPTO ’93, Lecture Notes in Computer Science, Springer-Verlag, 1993, 773, 23–39 Google Scholar

• [8]

Meier W., Staffelbach O., The self-shrinking generator, Advances in Cryptology – EUROCRYPT ’94, Lecture Notes in Computer Science, Springer-Verlag, 1994, 950, 205–214 Google Scholar

• [9]

Hu Y., Xiao G., Generalized Self-Shrinking Generator, IEEE Trans. Inf. Theory, 2004, 50(4), 714–719

• [10]

Kanso A., Modified self-shrinking generator, Computers and Electrical Engineering, 2010, 36(5), 993–1001

• [11]

Fúster-Sabater A., Caballero-Gil P., Linear solutions for cryptographic nonlinear sequence generators, Physics Letters A, 2007, 369, 432–437

• [12]

Cardell S. D., Fúster-Sabater A., Modelling the shrinking generator in terms of linear CA, Advances in Mathematics of Communication, 2016, 10(4), 797–809

• [13]

Cardell S. D., Fúster-Sabater A., Linear models for the self-shrinking generator based on CA, Journal of Cellular Automata, 2016, 11(2-3), 195–211 Google Scholar

• [14]

Duvall P. F., Mortick J. C., Decimation of periodic sequences, SIAM Journal on Applied Mathematics, 1971, 21(3), 367–372

• [15]

Gong G., Theory and Applications of q-ary Interleaved Sequences, IEEE Trans. Inf. Theory, 1995, 41(2), 400–411

• [16]

Zeng K., Yang C. H., Rao T. R., On the Linear Consistency Test (LCT) in Cryptanalysis with Applications, Advances in Cryptology – CRYPTO ’89, Lecture Notes in Computer Science, Springer-Verlag, 1990, 435, 164–174.

• [17]

Boztas S., Alamer A., Statistical dependencies in the Self-Shrinking Generator, Seventh International Workshop on Signal Design and its Applications in Communications, IWSDA 2015, Bengaluru, India, 2015, 42–46. Google Scholar

• [18]

Gomulkiewicz M., Kutylowski M., Wlaź P., Fault cryptanalysis and the shrinking generator, 5th International Workshop on Experimetal Algorithms (WEA 2006), Lecture Notes in Computer Science, Berlin: Springer-Verlag, 2006, 4007, 61–72. Google Scholar

• [19]

Golić J. D., Embedding and probabilistic correlation attacks on clock-controlled shift registers, Advances in Cryptology-EUROCRYPT’94, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 1994, 950, 230–243. Google Scholar

• [20]

Simpson L., Golić J. D., A probabilistic correlation attack on the shrinking generator, ACISP ’98 – Third Australasian Conference on Information Security and Privacy, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 1998, 1438, 147–158.

• [21]

Johansson T., Reduced complexity correlation attacks on two clock-controlled generators, Advances in Cryptology – ASIACRYPT’98, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 1998, 1514, 342–357 Google Scholar

• [22]

Golić J. D., Correlation analysis of the shrinking generator, Advances in Cryptology-Crypto’2001, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 2001, 2139, 440–457 Google Scholar

• [23]

Ekdahl P., Johansson T., Predicting the shrinking generator with fixed connections, Advances in Cryptology-EUROCRYPT’2003, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 2003, 2656, 330–344 Google Scholar

• [24]

Molland, H., Improved linear consistency attack on irregular clocked keystream generators, Fast Software Encryption-FSE’2004, Lecture Notes in Computer Science, Springer-Verlag, 2004, 3017, 109–126

• [25]

Zhang B., Wu H., Feng D., Bao F., A fast correlation attack on the shrinking generator, Topics in Cryptology – CT-RSA 2005, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 2005, 537, 72–86 Google Scholar

• [26]

Krawczyk H., The shrinking generator: Some practical considerations, Fast Software Encryption-FSE’94, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 1994, 809, 45–46 Google Scholar

Accepted: 2018-01-23

Published Online: 2018-06-14

Citation Information: Open Mathematics, Volume 16, Issue 1, Pages 646–655, ISSN (Online) 2391-5455,

Export Citation