Leonie Simpson

The LILI-II Keystream Generator

The LILI-II keystream generator is a LFSR based synchronous stream cipher with a 128 bit key. LILI-II is a specific cipher from the LILI family of keystream generators, and was designed with larger internal components than previous ciphers in this class, in order to provide increased security. The design offers large period and linear complexity, is immune to currently known styles of attack, and is simple to implement in hardware or software. The cipher achieves a security level of 128 bits.

Dragon: a fast word based stream cipher

This paper presents Dragon, a new stream cipher constructed using a single word based non-linear feedback shift register and a non-linear filter function with memory. Dragon uses a variable length key and initialisation vector of 128 or 256 bits, and produces 64 bits of keystream per iteration. At the heart of Dragon are two highly optimised 8 × 32 s-boxes. Dragon uses simple operations on 32-bit words to provide a high degree of efficiency in a wide variety of environments, making it highly competitive when compared with other word based stream ciphers. The components of Dragon are designed to resist all known attacks.

LILI Keystream Generator

A family of keystream generators, called the LILI keystream generators, is proposed for use in stream cipher applications and the security of these generators is investigated with respect to currently known attacks. The design is simple and scalable, based on two binary linear feedback shift registers combined in a simple way, using both irregular clocking and nonlinear functions. The design provides the basic security requirements such as a long period and high linear complexity, and is resistant to known cryptanalytic attacks.

A Probabilistic Correlation Attack on the Shrinking Generator

A probabilistic correlation attack on irregularly clocked shift registers is applied in a divide and conquer attack on the shrinking generator. Systematic computer simulations show that the joint probability is a suitable basis for the correlation attack and that, given a keystream segment of length linear in the length of the clock-controlled shift register, the shift register initial states can be identified with high probability. The attack is conducted under the assumption that the secret key controls only the shift register initial states.

Cryptanalysis of ORYX

We present an attack on the ORYX stream cipher that requires only 25-27 bytes of known plaintext and has time complexity of 216. This attack directly recovers the full 96 bit internal state of ORYX, regardless of the key schedule. We also extend these techniques to show how to break ORYX even under a ciphertext-only model. As the ORYX cipher is used to encrypt the data transmissions in the North American Cellular system, these results are further evidence that many of the encryption algorithms used in second generation mobile communications offer a low level of security.

Investigating Cube Attacks on the Authenticated Encryption Stream Cipher MORUS

The cube attack is an algebraic attack that allows an adversary to extract low degree polynomial equations from the targeted cryptographic primitive. This work applies the cube attack to a reduced round version of ACORN , a candidate cipher design in the CAESAR cryptographic competition. The cube attack on 477 initialization rounds of ACORN can recover the 128 bit key with a total attack complexity of about 2 35 . We have also shown that linear equations relating the initial state of the full version of ACORN can be easily generated which can lead to state recovery attack with an attack complexity of about 2 72.8 .

Fast Correlation Attacks and Multiple Linear Approximations

The fast correlation attack based on iterative probabilistic decoding is applied to nonlinear filter generators in order to investigate the effect of multiple linear transforms of the same linear recurring sequence being correlated to the keystream sequence. Systematic computer simulations on random balanced filter functions reveal that the attack is successful if the number of parity-checks used is sufficiently large given the correlation coefficient of the best affine approximation to the filter function. Nevertheless, the attack is more successful when applied to the independent correlation noise which appears in memoryless combiners where a multiple linear transform effect is not present. The experiments conducted show that the attack is successful on many publicly proposed filter functions and indicate that some bent filter functions may be easier to attack than the others.

Fast correlation attacks on nonlinear filter generators

The fast correlation attack based on iterative probabilistic decoding is applied to nonlinear filter generators in order to investigate the effect of multiple linear transforms of the same linear recurring sequence being correlated to the keystream sequence. Systematic experimental results on random balanced as well as on some special filter functions show that the attack is successful if the number of parity-checks used is sufficiently large given the correlation coefficient of the best affine approximation to the filter function. In addition, the attack is shown to be more successful when applied to independent correlation noise present in memoryless combiners with distinct input shift registers.

Improved Cryptanalysis of the Common Scrambling Algorithm Stream Cipher

This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm stream cipher (CSA-SC). Firstly, a new representation of CSA-SC with a state size of only 89 bits is given, a significant reduction from the 103 bit state of a previous CSA-SC representation. Analysis of this 89-bit representation demonstrates that the basis of a previous guess-and-determine attack is flawed. Correcting this flaw increases the complexity of that attack so that it is worse than exhaustive key search. Although that attack is not feasible, the reduced state size of our representation makes it obvious that CSA-SC is vulnerable to several generic attacks, for which feasible parameters are given.

A fast correlation attack on multiplexer generators

Abstract The security of multiplexer generators is investigated with respect to a fast correlation attack based on iterative probabilistic decoding. The number of inputs to the multiplexer determines the coefficient of correlation between the keystream sequence and phase-shifts of one of the underlying shift register sequences. This known plaintext attack is successful if the number of low-weight parity-checks used is sufficiently large given the number of inputs, 2 k , to the multiplexer. Successful experimental attacks are conducted for k=2,3 and 4 . For multiplexer generators with large component shift registers, this attack is an improvement on previously described attacks based on similar assumptions.