A New Distinguisher for Clock Controlled Stream Ciphers

  • Håkan Englund
  • Thomas Johansson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3557)


In this paper we present a distinguisher targeting towards irregularly clocked filter generators. The attack is applied on the irregularly clocked stream cipher called LILI-II. LILI-II is the successor of the cipher LILI-128 and its design was published in [1]. There have been no known attacks better than exhaustive key search on LILI-II. Our attack is the first of this kind that distinguishes the cipher output from a random source using 2103 bits of keystream using computational complexity of approximately 2103 operations.


Boolean Function Correlation Property Stream Cipher Linear Feedback Shift Register Random Source 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Clark, A., Dawson, E., Fuller, J., Golić, J., Lee, H.-J., Millan, W., Moon, S.-J., Simpson, L.: The LILI-II keystream generator. In: Batten, L.M., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 25–39. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Daemen, J., Rijmen, V.: The Design of Rijndael. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  3. 3.
    Siegenthaler, T.: Correlation-immunity of non-linear combining functions for cryptographic applications. IEEE Transactions on Information Theory 30, 776–780 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Meier, W., Staffelbach, O.: Fast correlation attacks on stream ciphers. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 301–316. Springer, Heidelberg (1988)Google Scholar
  5. 5.
    Canteaut, A., Trabbia, M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 573–588. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Chepyzhov, V., Johansson, T., Smeets, B.: A simple algorithm for fast correlation attacks on stream ciphers. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 181–195. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Johansson, T., Jönsson, F.: A fast correlation attack on LILI-128. Information Processing Letters 81, 127–132 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Johansson, T., Jönsson, F.: Fast correlation attacks through reconstruction of linear polynomials. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 300–315. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Johansson, T., Jönsson, F.: Fast correlation attacks based on turbo code techniques. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 181–197. Springer, Heidelberg (1999)Google Scholar
  10. 10.
    Johansson, T., Jönsson, F.: Improved fast correlation attacks on stream ciphers via convolutional codes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 347–362. Springer, Heidelberg (1999)Google Scholar
  11. 11.
    Courtois, N., Meier, WS.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Courtois, N.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Ekdahl, P., Johansson, T.: Distinguishing attacks on SOBER-t16 and t32. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 210–224. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Golić, J.D., Menicocci, R.: A new statistical distinguisher for the shrinking generator, Available at (Accessed September 29, 2003)
  15. 15.
    Junod, P.: On the optimality of linear, differential and sequential distinguishers. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 17–32. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Watanabe, D., Biryukov, A., De Canniere, C.: A distinguishing attack of SNOW 2.0 with linear masking method. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Englund, H., Johansson, T.: A new simple technique to attack filter generators and related ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 39–53. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. 18.
    NESSIE. New European Schemes for Signatures, Integrity, and Encryption (1999), Available at (Accessed November 10, 2004)
  19. 19.
    Clark, A., Dawson, E., Fuller, J., Golic, J., Lee, H.-J.: The LILI-128 keystream generator. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, p. 248. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. 20.
    Molland, H., Helleseth, T.: An improved correlation attack against irregular clocked and filtered keystream generators. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 373–389. Springer, Heidelberg (2004)Google Scholar
  21. 21.
    Golić, J.D., O’Connor, L.: A unified markow approach to differential and linear cryptanalysis. In: Safavi-Naini, R., Pieprzyk, J.P. (eds.) ASIACRYPT 1994. LNCS, vol. 917, pp. 387–397. Springer, Heidelberg (1995)Google Scholar
  22. 22.
    Golić, J.D.: Towards fast correlation attacks on irregularly clocked shift registers. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 248–262. Springer, Heidelberg (1995)Google Scholar
  23. 23.
    Golić, J.D.: Computation of low-weight parity-check polynomials. Electronic Letters 32(21), 1981–1982 (1996)CrossRefGoogle Scholar
  24. 24.
    Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–303. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. 25.
    Coppersmith, D., Halevi, S., Jutla, C.S.: Cryptanalysis of stream ciphers with linear masking. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 515–532. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  26. 26.
    LILI-II design (2004), Available at (Accessed November 10, 2004)
  27. 27.
    Leveiller, S., Zémor, G., Guillot, P., Boutros, J.: A New Cryptanalytic Attack for PN-generators Filtered by a Boolean Function. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 232–249. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Håkan Englund
    • 1
  • Thomas Johansson
    • 1
  1. 1.Dept. of Information TechnologyLund UniversityLundSweden

Personalised recommendations