Intrinsic statistical weakness of keystream generators

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 917)


It is shown that an arbitrary binary keystream generator with M bits of memory can be linearly modelled as a non-autonomous linear feedback shift register of length at most M with an additive input sequence of nonbalanced identically distributed binary random variables. An effective method for the linear model determination based on the linear sequential circuit approximation of autonomous finite-state machines is developed. Linear models for clock-controlled shift registers and arbitrary shift register based keystream generators are derived. Several examples including the time-variant memoryless combiner, the basic summation generator, the stop-and-go cascade, and the shrinking generator are presented. Linear models are the basis for a general structure-dependent and initial-state-independent statistical test and they may also be used for correlation attacks on the initial-state. Theoretical security against the introduced statistical attack appears hard to control in practice and hard to achieve with simple schemes.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    R. J. Anderson, ”Solving a class of stream ciphers,” Cryptologia, 14(3):285–288, 1990.Google Scholar
  2. 2.
    W. G. Chambers and D. Gollmann, ”Lock-in effect in cascades of clock-controlled shift registers,” Advances in Cryptology — EUROCRYPT '88, Lecture Notes in Computer Science, vol. 330, C. G. Günther ed., Springer-Verlag, pp. 331–342, 1988.Google Scholar
  3. 3.
    D. Coppersmith, H. Krawczyk, and Y. Mansour, ”The shrinking generator,” Advances in Cryptology — CRYPTO '93, Lecture Notes in Computer Science, vol. 773, D. R. Stinson ed., Springer-Verlag, pp. 22–39, 1994.Google Scholar
  4. 4.
    R. G. Gallager, ”Low-density parity-check codes,” IRE Trans. Inform. Theory, 8:21–28, Jan. 1962.Google Scholar
  5. 5.
    J. Dj. Golić and M. V. Živković, ”On the linear complexity of nonuniformly decimated PN-sequences,” IEEE Trans. Inform. Theory, 34:1077–1079, Sep. 1988.Google Scholar
  6. 6.
    J. Dj. Golić and M. J. Mihaljević, ”Minimal linear equivalent analysis of a variablememory binary sequence generator,” IEEE Trans. Inform. Theory, 36:190–192, Jan. 1990.Google Scholar
  7. 7.
    J. Dj. Golić and M. J. Mihaljević, ”A generalized correlation attack on a class of stream ciphers based on the Levenshtein distance,” Journal of Cryptology, 3(3):201–212, 1991.Google Scholar
  8. 8.
    J. Dj. Golić, ”Correlation via linear sequential circuit approximation of combiners with memory,” Advances in Cryptology — EUROCRYPT '92, Lecture Notes in Computer Science, vol. 658, R. A Rueppel ed., Springer-Verlag, pp. 113–123, 1993.Google Scholar
  9. 9.
    J. Dj. Golić and S. V. Petrović, ”A generalized correlation attack with a probabilistic constrained edit distance,” Advances in Cryptology — EUROCRYPT '92, Lecture Notes in Computer Science, vol. 658, R. A. Rueppel ed., Springer-Verlag, pp. 472–476, 1992.Google Scholar
  10. 10.
    J. Dj. Golić, ”On the security of shift register based keystream generators,” Fast Software Encryption '93, Lecture Notes of Computer Science, vol. 809, R. J. Anderson ed., Springer-Verlag, pp. 90–100, 1994.Google Scholar
  11. 11.
    D. Gollmann and W. G. Chambers, ”Clock controlled shift registers: a review,” IEEE J. Sci. Ar. Commun., 7(4):525–533, 1989.Google Scholar
  12. 12.
    M. D. MacLaren and G. Marsaglia, ”Uniform random number generators,” J. Ass. Comput. Machinery, 12:83–89, 1965.Google Scholar
  13. 13.
    J. L. Massey, ”Shift register sequences and BCH decoding,” IEEE Trans. Inform. Theory, 15:122–127, 1969.Google Scholar
  14. 14.
    J. L. Massey and R. A. Rueppel, ”Method of, and apparatus for, transforming a digital sequence into an encoded form” U. S. Patent, No. 4,797,922, 1989.Google Scholar
  15. 15.
    W. Meier and O. Staffelbach, ”Fast correlation attacks on certain stream ciphers,” Journal of Cryptology, 1(3):159–176, 1989.Google Scholar
  16. 16.
    R. Menicocci, ”Short Gollmann cascade generators may be insecure,” Abstracts of the Fourth IMA Conference on Coding and Cryptography, Cirencester, 1993, to appear in the Proceedings, Oxford University Press.Google Scholar
  17. 17.
    M. J. Mihaljević, ”An approach to the initial state reconstruction of a clockcontrolled shift register based on a novel distance measure,” Advances in Cryptology — AUSCRYPT '92, Lecture Notes in Computer Science, vol. 718, J. Seberry and Y. Zheng eds., Springer-Verlag, pp. 349–356, 1993.Google Scholar
  18. 18.
    R. A. Rueppel, ”Stream ciphers,” in Contemporary Cryptology: The Science of Information Integrity, G. Simmons ed., pp. 65–134. New York: IEEE Press, 1991.Google Scholar
  19. 19.
    T. Siegenthaler, ”Decrypting a class of stream ciphers using ciphertext only,” IEEE Trans. Comput., 34:81–85, Jan. 1985.Google Scholar
  20. 20.
    K. C. Zeng, C. H. Yang, and T. R. N. Rao, ”On the linear consistency test (LCT) in cryptanalysis and its applications,” Advances in Cryptology — CRYPTO '89, Lecture Notes in Computer Science, vol. 218, G. Brassard ed., Springer-Verlag, pp. 164–174, 1990.Google Scholar
  21. 21.
    M. V. Živković, ”An algorithm for the initial state reconstruction of the clockcontrolled shift register,” IEEE Trans. Inform. Theory, 37:1488–1490, Sep. 1991.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  1. 1.Information Security Research CentreQueensland University of TechnologyBrisbaneAustralia
  2. 2.School of Electrical EngineeringUniversity of BelgradeUSA

Personalised recommendations