几类序列密码乱源部件研究
|
摘要
乱源部件是序列密码算法的重要组成部分,它为序列密码算法提供了具有良好伪随机性质的序列,其性质直接影响着序列密码算法的安全性。自NESSIE和ECRYPT序列密码征集计划开始以来,序列密码算法的设计和分析得到了极大的发展,出现了很多新的密码算法和乱源部件的设计方法。包括面向硬件实现的序列密码通常需要基于反馈移位寄存器的乱源部件,如Grain、Trivium等序列密码算法中采用的非线性反馈移位寄存器(NFSR);面向软件实现的序列密码通常需要基于字的乱源部件,如Snow、LEX等序列密码算法中采用的基于字的线性反馈移位寄存器(LFSR)和分组密码的轮函数。由于这些乱源部件以及密码算法的设计结构比较新颖,理论基础尚不成熟,因此需要对它们进行进一步的分析。本文对几类序列密码乱源部件进行研究,主要结果如下:
1.针对以Fibonacci NFSR为乱源部件的有记忆变换模型,给出了其状态刷新变换构成双射的充要条件,构造出其状态刷新变换构成双射的三种模型。
2.针对以Fibonacci NFSR为乱源部件的Grain型级联模型和Trivium型级联模型,分别给出了其状态刷新变换构成双射的构造方法,并给出了二元域上的Trivium型级联模型的状态刷新变换构成双射的充要条件。
3.针对有限域上的Galois NFSR,给出了其非奇异的充要条件,给出了三种有限域上的非奇异Galois NFSR的构造方法。并针对以Galois NFSR为乱源部件的有记忆变换模型和级联模型,分别给出了其状态刷新变换构成双射的构造方法。
4.针对有限域上的Galois NFSR和Fibonacci NFSR,分别给出了使得它们的状态刷新变换构成正形置换的充要条件,并给出了此类非线性反馈移位寄存器的几种构造方法。
5.针对以AES轮函数为状态刷新变换的泄漏提取模型,研究了内部状态的提取位置对该模型的安全性影响,通过分析提取位置在奇数轮和偶数轮相同情况下模型的抗猜测决定攻击能力,证明了提取位置在奇偶轮不同时模型(LEX算法)的安全强度更高。
6.提出了对LEX算法的相关密钥攻击,在已知两个相关密钥的各239.5字节的密钥流时,仅需21003轮AES加密就可求出LEX算法的全部密钥,成功率为1。
Driven component is an important part in stream cipher, which provides source sequencefor stream cipher with large period and good pseudorandomness properties. It influences thesecurity of stream cipher directly. With the development of NESSIE and ECRYPT projects,several new designs of stream ciphers and driven components have appeared. Hardware orientedstream ciphers are usually based on feedback shift register, such as NFSR used in Grain andTrivium. Software oriented stream ciphers are usually based on driven components over finitefield, such as LFSR over finite field used in Snow and round function of block cipher used inLEX. The research on these new driven components and structures are not mature, and needfurther analysis. In this paper, we focus on several driven components, and our contributionsmainly include the following parts:
1. For the Fibonacci NFSR-based combiner with memory, we give the necessary andsufficient conditions where the update transformation of inner state are bijective, and give threestructures with such property.
2. For Grain-like cascade model and Trivium-like cascade model based on Fibonacci NFSR,we analyze the bijectivity of their state update transformations, show the constructions of suchmodel with bijective state update transformations. Moreover, we give the necessary andsufficient condition where the state update transformation of bit-oriented Trivium-like cascademode is bijective.
3. For Galois NFSR over finite field, the necessary and sufficient condition for thenonsingularity of Galois NFSR is proposed, and three constructions of nonsingular Galois NFSRare proposed. And for combiner with memory and cascade model based on Galois NFSR, wegive the constructions with bijective state update transformation.
4. For Galois NFSR and Fibonacci NFSR over finite field, we show the necessary andsufficient conditions of state update transformations being orthomorphic permutation. Then, theconstructions of such Galois NFSRs and Fibonacci NFSR are proposed.
5. For leak extraction model which uses the round function of block cipher as state updatetransformation, we investigate how the extract locations influence the security of LEX cipher.We analyze the ability of such cipher whose extract locations are the same in both even and oddround against guess and determine attack, and prove that LEX whoes extract locations aredifferent in even and odd round may provide higher security level.
6. A related key attack on LEX cipher is presented, if239.5bytes keysteams under tworelated keys are obtained, we can recover the entire key of LEX with only2100.3AES encryptoperations, and the success rate is1.
1.针对以Fibonacci NFSR为乱源部件的有记忆变换模型,给出了其状态刷新变换构成双射的充要条件,构造出其状态刷新变换构成双射的三种模型。
2.针对以Fibonacci NFSR为乱源部件的Grain型级联模型和Trivium型级联模型,分别给出了其状态刷新变换构成双射的构造方法,并给出了二元域上的Trivium型级联模型的状态刷新变换构成双射的充要条件。
3.针对有限域上的Galois NFSR,给出了其非奇异的充要条件,给出了三种有限域上的非奇异Galois NFSR的构造方法。并针对以Galois NFSR为乱源部件的有记忆变换模型和级联模型,分别给出了其状态刷新变换构成双射的构造方法。
4.针对有限域上的Galois NFSR和Fibonacci NFSR,分别给出了使得它们的状态刷新变换构成正形置换的充要条件,并给出了此类非线性反馈移位寄存器的几种构造方法。
5.针对以AES轮函数为状态刷新变换的泄漏提取模型,研究了内部状态的提取位置对该模型的安全性影响,通过分析提取位置在奇数轮和偶数轮相同情况下模型的抗猜测决定攻击能力,证明了提取位置在奇偶轮不同时模型(LEX算法)的安全强度更高。
6.提出了对LEX算法的相关密钥攻击,在已知两个相关密钥的各239.5字节的密钥流时,仅需21003轮AES加密就可求出LEX算法的全部密钥,成功率为1。
Driven component is an important part in stream cipher, which provides source sequencefor stream cipher with large period and good pseudorandomness properties. It influences thesecurity of stream cipher directly. With the development of NESSIE and ECRYPT projects,several new designs of stream ciphers and driven components have appeared. Hardware orientedstream ciphers are usually based on feedback shift register, such as NFSR used in Grain andTrivium. Software oriented stream ciphers are usually based on driven components over finitefield, such as LFSR over finite field used in Snow and round function of block cipher used inLEX. The research on these new driven components and structures are not mature, and needfurther analysis. In this paper, we focus on several driven components, and our contributionsmainly include the following parts:
1. For the Fibonacci NFSR-based combiner with memory, we give the necessary andsufficient conditions where the update transformation of inner state are bijective, and give threestructures with such property.
2. For Grain-like cascade model and Trivium-like cascade model based on Fibonacci NFSR,we analyze the bijectivity of their state update transformations, show the constructions of suchmodel with bijective state update transformations. Moreover, we give the necessary andsufficient condition where the state update transformation of bit-oriented Trivium-like cascademode is bijective.
3. For Galois NFSR over finite field, the necessary and sufficient condition for thenonsingularity of Galois NFSR is proposed, and three constructions of nonsingular Galois NFSRare proposed. And for combiner with memory and cascade model based on Galois NFSR, wegive the constructions with bijective state update transformation.
4. For Galois NFSR and Fibonacci NFSR over finite field, we show the necessary andsufficient conditions of state update transformations being orthomorphic permutation. Then, theconstructions of such Galois NFSRs and Fibonacci NFSR are proposed.
5. For leak extraction model which uses the round function of block cipher as state updatetransformation, we investigate how the extract locations influence the security of LEX cipher.We analyze the ability of such cipher whose extract locations are the same in both even and oddround against guess and determine attack, and prove that LEX whoes extract locations aredifferent in even and odd round may provide higher security level.
6. A related key attack on LEX cipher is presented, if239.5bytes keysteams under tworelated keys are obtained, we can recover the entire key of LEX with only2100.3AES encryptoperations, and the success rate is1.
引文
[1]R. A. Ruppel. Analysis of design of stream ciphers[M]. Communications and Control Engineering Series, Springer-Verlag,1986.
[2]W. Meier,O. Staffelbach. Fast Correlation Attacks on Stream Ciphers [J]. Journal of Cryptology,1989,1(3):pp.159-176.
[3]R. Rivest. The RC4Encryption Algorithm [P]. RSA Data Security, Inc., Mar.1992.
[4]D. Coppersmith. The Data Encryption Standard (DES) and its Strength against Attacks. Technical report re186131994, IBM Thomas J. Watson Research Center, December1994.
[5]P. Rogaway, D. Coppersmith. A software-optimized encryption algorithm [A]. Fast Software Encryption1993Workshop[C]. In:LNCS, Vol809. Berlin Heiderberg:Springer-Verlag,1994.53-63.
[6]P. Rogaway, D. Coppersmith. A software optimized encryption algorithm [J]. Journal of Cryptology,1998,11(4):273-287.
[7]M. Zhang, C. Carroll, A. Chan. The Software-Oriented Stream Cipher SSC2[A]. Fast Software Encryption2000Workshop[C]. In:LNCS, Vol1978. Berlin Heiderberg:Springer-Verlag, pp.31-48,2001.
[8]J. Daemen, S. Craig, K. Clapp. Fast Hashing and Stream Encryption with PANAMA [A]. Fast Software Encryption1998Workshop[C]. In:LNCS, Vol1372. Berlin Heiderberg:Springer-Verlag, pp.60-74,1999.
[9]NESSIE, New European Schemes for Signatures, Integrity, and Encryption IST-1999-12324[EB/OL]. https://www.cosic.esat.kuleuven.be/nessie/,2000.
[10]N. T. Courtois, W. Meier. Algebraic attacks on stream ciphers with linear feedback [A]. Biham E. Advances in Cryptology-Eurocrypt2003[C]. LNCS2656, pp.345-359,2003.
[11]N. T. Courtois. Fast algebraic attacks on stream ciphers with linear feedback [A]. Boneh D. Advances in Cryptology-Crypto2003[C]. LNCS2729, Springer-Verlag, pp.176-194,2003.
[12]F. Armknecht, M. Krause. Algebraic attacks on combiners with memory [A]. Boneh D. Advances in Cryptology-Crypto2003[C]. LNCS2729, Springer-Verlag, pp.162-175,2003.
[13]ECRYPT. eSTREAM:ECRYPT Stream Cipher Project, IST-2002-507932[EB/OL]. Available at http://www.ecrypt.eu.org/stream,2004.
[14]丁石孙.线性移位寄存器序列[M].上海:上海科学技术出版社,1982.
[15]金晨辉,郑浩然,张少武,胡斌,史建红.密码学[M].北京:高等教育出版社,2009.
[16]L. James, L. Massey. Shift-Register Synthesis and BCH Decoding[J]. IEEE Transactions, on Information Theory.15(1), pp.122-127,1969。
[17]C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin and H. Sibert. SOSEMANUK:a fast software-oriented stream cipher[EB/OL]. eSTREAM, ECRYPT Stream Cipher Project, Report2005/027,2005. http://www.ecrypt.eu.org/stream/sosemanukp3.html.
[18]P. Ekdahl and T. Johansson. SNOW-a new stream cipher[C]. In Proceedings of the First Open NESSIE Workshop,13-14November2000, Heverlee, Belgium
[19]ETSI/SAGE. Specification of the3GPP confidentiality and integrity algorithms UEA2&UIA2.Document5:SNOW3G Specification:1.0[EB/OL]. http://www.gsmworld.com/using/algorithms/index.shtml,2006.
[20]吴文铃,冯登国,张文涛.分组密码的设计与分析[M].清华大学出版社,2009
[21]S. Babbage, M. Dodd. The stream cipher MICKEY2.0[EB/OL]. June30,2006. URL:http://www. ecrypt.eu.org/stream/p3ciphers/Mickey/Mickeyp3.pdf.
[22]C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin, Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, H. Sibert. Decim:A New Stream Cipher for Hardware Applications [EB/OL]. ECRYPT Stream Cipher Project Report2005/004. Available at http://www. ecrypt. eu.org/stream/
[23]A. J. Menezes, P. V. Oorschot, S. A. Vanstone.应用密码学手册[M].电子工业出版社.2005.
[24]万哲先,刘木兰,代宗铎,冯绪宁.非线性移位寄存器.北京:科学出版社,1978.
[25]P. Hawkes, M. Paddon, G Rose et al. Primitive specification for NLSv2[EB/OL]. http://www.ecrypt.eu.org/stream/nls3.html,2007
[26]M. Hell, T. Johansson and W Meier, Grain-A Stream Cipher for Constrained Environments [EB/OL]. eSTREAM-ECRYPT Stream Cipher Project (2007). Available at http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain p3.pdf.
[27]C. D. Canniere and B. Preneel. Trivium. New Stream Cipher Designs [J]. LNCS, vol4817, pp.244-246. Springer-Verlag2008.
[28]H. G Hu. Periods on Two Kinds of Nonlinear Feedback Shift Registers with Time Varying Feedback Functions [J]. International Journal of Foundations of Computer Science,22(6):1317-1329,2011.
[29]A. Biryukov. The Design of a Stream Cipher LEX[C]. In Proceedings of Selected Areas in Cryptography2006, LNCS, vol.4356, pp.67-75, Springer-Verlag,2007.
[30]J. Daemen, V Rijmen. The Design of Rijndael:AES-The Advanced Encryption Standard [M]. Springer-Verlag, Berlin Germany,2002.
[31]O. Dunkelman, N Keller. A New Attack on the LEX Stream Cipher [J]. Lecture Notes in Computer Science,5350:pp.539-556,2008.
[32]H. J. Wu. The Stream Cipher HC-128[EB/OL]. http://www.ecrypt.eu.org/stream/hcp3.html.
[33]E. Biham, J. Seberry. Py:A fast and secure stream cipher using rolling arrays [EB/OL]. http://www.ecrypt.eu.org/stream/p2ciphers/py/py_p2.ps,2007.
[34]A. Klimov and A. Shamir, A New Class of Invertible Mappings[A], Cryptographic Hardware and Embedded Systems[C], LNCS2523,470-483,2002.
[35]D. Moon, D. Kwon, etc. T-function based streamcipher TSC-4[EB/OL]. ECRYPT Project. http://www.ecrypt.eu.org/stre am/p2ciphers/tsc4/tsc4_p2.pdf.
[36]A. Maximov. A New Stream Cipher Mir[EB/OL], http://www.ecrypt.eu.org/stream/ciphers/mir1/mir1.ps.
[37]V. Anashin, A. Bogdanov, I. Kizhvatov, and S. Kumar. ABC:Anew fast flexible stream cipher [EB/OL]. ECRYPT Stream Cipher Project, Report2005/001,2005.
[38]A. Klapper, M. Goresky.2-Adic Shift Registers [A]. Fast Software Encryption1993[C]. LNCS809, pp.174-178,1993.
[39]F. Arnault, T. Berger, C. Laurandoux. Update on F-FCSR stream cipher [EB/OL]. eSTREAM, Ecrypt Stream cipher project, Report2006/025,2006. http://www.ecrypt.eu.org/stream/papersdir/2006/025.pdf.
[40]M. Hell, T. Johansson. Breaking the F-FCSR-H stream cipher in real time[C]. In Advances in Cryptology-Asiacrypt2008, LNCS5350:pp.557-569,2008.
[41]ETSI/SAGE Specification. Specification of the3GPP Confidentiality and Integrity Algorithms128-EEA3&128-EIA3. Document2:ZUC Specification; Version:1.4[EB/OL] Date:30th July,2010.
[42]E. Dubrova. An equivalent preserving transformation from the Fibonacci to the Galois NLFSRs [EB/OL]. arXiv:0801.4079,2008.
[43]温巧燕,钮心忻,杨义先.现代密码学中的布尔函数[M].北京:科学出版社,2000.
[44]X. J. Lai. Condition for the nonsingularity of a feedback shift register over a general finite field [J]. IEEE transactions on information theory,33(5), pp.747-749,1987
[45]L. G Mullen. Permutation Polynomials and Nonsingular Feedback Shift Registers over Finite Fields [J]. IEEE TRANSACTIONS ON INtOKMATION THEORY. VOL.35. NO.4, JULY1989
[46]李超,谢端强.反馈移位寄存器非奇异性判定.电子科学学刊,17(5):500-505,1995.
147]李超.q=3,4,5时n元反馈函数非奇异的充要条件[J].湖南数学年刊,11,1996.
[48]李声涛,谢端强,戴清平.反馈移位寄存器非奇异性研究[J].计算机工程与科学,28(7),131-133,2006.
[49]E. Dubrova. How to speed-up your NLFSR-based stream cipher[C]. Design, Automation&Test in Europe Conference&Exhibition, pp.878-881,2009.
[50]章佳敏,戚文峰.Galois NFSR和Fibonacci NFSR线性等价的判别[J].信息工程大学学报,13(2):pp.134-140,2012.
[51]J. L. Massey, R. W. Liu. Equivalence of Nonlinear Shift-Registers [J]. IEEE Trans on Information Theory10, pp.378-379,1964.
[52]北京大学数学系几何与代数教研室前代数小组.高等代数[M].高等教育出版社,2003.
[53]ETSI/SAGE Specification. Specification of the3GPP Confidentiality and Integrity Algorithms 128-EEA3&128-EIA3. Document2:ZUC Specification; Version:1.5[EB/OL]. Date:4th January,2011.
[54]B. Sun, X. H. Tang and C. Li. Preliminary Cryptanalysis Results of ZUC. The First International Workshop on ZUC Algorithm,2010.
[55]H. J. Wu, T. Huang, P. H. Nguyen, H. X. Wang, and S. Ling. Differential Attacks against Stream Cipher ZUC[C]. ASIACRYPT2012, LNCS, vol.7658, pp.262-277,2012.
[56]C. Berbain, H. Gilbert, A. Maximov. Cryptanalysis of Grain[C]. Advances in Cryptology-FSE2006, LNCS4047, pp.15-29,2006.
[57]宋海欣,范修斌,武传坤,冯登国.流密码算法Grain的立方攻击[J].软件学报,23(1):pp.171-176,2012.
[58]D.H. Green, K.R. Dimond. Nonlinear product-feedback shift registers [J]. PROC. IEEE,1970,117(4), pp.681-686.
[59]Z. Ma, W F. Qi, T. Tian. On the decomposition of an NFSR into the cascade connection of an NFSR into an LFSR [J]. Journal of Complexity,2012, In Press.
[60]J. P. Aumasson, I. Dinur, W Meier, A. Shamir. Cube Testers and Key Recovery Attacks on Reduced-Round MD6and Trivium[C]. Advances in Cryptology-FSE2009,2009, LNCS5665:pp.1-22
[61]Y. P. Hu, J. T. Gao, Q. Liu, Y. W Zhang. Fault analysis of Trivium[J]. Des. Codes Cryptography,2012,62(3):pp.289-311.
[62]贾艳艳,胡予濮,杨文峰,高俊涛.2轮Trivium的多线性密码分析[J].电子与信息学报,33(1):223-227,2011.
[63]T. Eiban, E. Pilz, and S. Steck. Comparing and optimizing two generic attacks on Bibium[C]. Workshop on The State of the Art of Stream Ciphers (SASC2008), Lausanne, pp.57-68,2008.
[64]M. Afzal, A. Masood. Modifications in the Design of Trivium to Increase its Security Level [J]. Proc. Pakistan Acad. Sci.47(1), pp.51-63,2010.
[65]Y Tian. Quavium-A New Stream Cipher Inspired by Trivium [J]. Journal of Computers,7(5),2012.
[66]X. L. Huang, C. K. Wu. Cryptanalysis of a New Stream Cipher Structure [J]. Journal of Software,19(5):1256-1264,2008.
[67]C. Berbain, H. Gilbert, A. Joux. Algebraic and Correlation Attacks against Linearly Filtered Non Linear Feedback Shift Registers [C]//Proc. of SAC2008, New Brunswick, Canada, Springer-Verlag, pp.184-198,2009.
[68]E. Dubrova. A transformation from the Fibonacci to the Galois NLFSRs [J]. IEEE Transactions on Information Theory,55(11), pp.5263-5271,2009.
[69]E. Dubrova. Finding matching initial states for equivalent NLFSRs in the Fibonacci to the Galois configurations [J]. IEEE Transactions on Information Theory,56(6), pp.2961-2967,2010.
[70]M. Chabloz, S. Mansouri, E. Dubrova. An algorithm for constructing a fastest Galois NLFSR generating a given sequence [C]. Sequences and Their Applications-SETA2010, LNCS6338, pp.41-54,2010.
[71]E. Dubrova. A Scalable Method for Constructing Galois NLFSRs with Period2n-1using Cross-Join Pairs. Information Theory [J]. IEEE Transactions on Information Theory,59(1), pp.703-709,2013.
[72]S. S. Mansouri, E. Dubrova. An improved implementation of Grain [EB/OL]. arXiv:0910.5595vl,29Oct2009.
[73]S. W. Golomb. Shift Register Sequences. Holden-Day [M]. Inc., Laguna Hills, CA, USA,1967.
[74]L. Mittenthal. Block substitutions using orthomorphic mapping [J]. Advances in Applied Mathematics,16, pp.59-71,1995.
[75]Keeloq wikipedia article [EB/OL]. See http://en.wikipedia.org/wiki/KeeLoq,25January2007.
[76]J. Choy, G Chew, K. Khoo and H. Yap. Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure [EB/OL]. Australasian Conference on Information Security and Privacy-ACISP2009,2009.
[77]吕述望,范修斌,周玉洁.序列密码的设计与分析[M].北京:北京中软电子出版社,2003.
[78]O. Dunkelman, N. Keller. Cryptanalysis of the Stream Cipher LEX [J]. Designs, Codes and Cryptography. March2012, Published online.
[79]H. J. Wu, B. Preneel. Resynchronization attacks on WG and LEX [J]. Lecture Notes in Computer Science,4047, pp.422-432,2006.
[80]V. Velichkov, V. Rijmen, B. Preneel. Algebraic cryptanalysis of a small-scale version of stream cipher LEX [J]. Information Security,4(2), pp.49-61,2010.
[81]C. Bouillaguet, P. Derbez, O. Dunkelman. Low data complexity attacks on AES [J]. IEEE Transactions on Information Theory,58(11), pp.7002-7017,2012.
[82]J. Y. Huang, W. Susilo, J. Seberry. Differential Fault Analysis of LEX[J]. Lecture Notes in Computer Science,6280, pp.55-72,2010.
[83]M. Mainack, C. Avik, D. Nilanjia. TweLEX:A tweaked version of the LEX stream cipher[EB/OL]. http://eprint.iacr.org/2011/586,2011.
[84]E. Biham. New types of cryptanalytic attacks using related keys [J]. Journal of Cryptology,7(4), pp.229-246,1994.
[2]W. Meier,O. Staffelbach. Fast Correlation Attacks on Stream Ciphers [J]. Journal of Cryptology,1989,1(3):pp.159-176.
[3]R. Rivest. The RC4Encryption Algorithm [P]. RSA Data Security, Inc., Mar.1992.
[4]D. Coppersmith. The Data Encryption Standard (DES) and its Strength against Attacks. Technical report re186131994, IBM Thomas J. Watson Research Center, December1994.
[5]P. Rogaway, D. Coppersmith. A software-optimized encryption algorithm [A]. Fast Software Encryption1993Workshop[C]. In:LNCS, Vol809. Berlin Heiderberg:Springer-Verlag,1994.53-63.
[6]P. Rogaway, D. Coppersmith. A software optimized encryption algorithm [J]. Journal of Cryptology,1998,11(4):273-287.
[7]M. Zhang, C. Carroll, A. Chan. The Software-Oriented Stream Cipher SSC2[A]. Fast Software Encryption2000Workshop[C]. In:LNCS, Vol1978. Berlin Heiderberg:Springer-Verlag, pp.31-48,2001.
[8]J. Daemen, S. Craig, K. Clapp. Fast Hashing and Stream Encryption with PANAMA [A]. Fast Software Encryption1998Workshop[C]. In:LNCS, Vol1372. Berlin Heiderberg:Springer-Verlag, pp.60-74,1999.
[9]NESSIE, New European Schemes for Signatures, Integrity, and Encryption IST-1999-12324[EB/OL]. https://www.cosic.esat.kuleuven.be/nessie/,2000.
[10]N. T. Courtois, W. Meier. Algebraic attacks on stream ciphers with linear feedback [A]. Biham E. Advances in Cryptology-Eurocrypt2003[C]. LNCS2656, pp.345-359,2003.
[11]N. T. Courtois. Fast algebraic attacks on stream ciphers with linear feedback [A]. Boneh D. Advances in Cryptology-Crypto2003[C]. LNCS2729, Springer-Verlag, pp.176-194,2003.
[12]F. Armknecht, M. Krause. Algebraic attacks on combiners with memory [A]. Boneh D. Advances in Cryptology-Crypto2003[C]. LNCS2729, Springer-Verlag, pp.162-175,2003.
[13]ECRYPT. eSTREAM:ECRYPT Stream Cipher Project, IST-2002-507932[EB/OL]. Available at http://www.ecrypt.eu.org/stream,2004.
[14]丁石孙.线性移位寄存器序列[M].上海:上海科学技术出版社,1982.
[15]金晨辉,郑浩然,张少武,胡斌,史建红.密码学[M].北京:高等教育出版社,2009.
[16]L. James, L. Massey. Shift-Register Synthesis and BCH Decoding[J]. IEEE Transactions, on Information Theory.15(1), pp.122-127,1969。
[17]C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin and H. Sibert. SOSEMANUK:a fast software-oriented stream cipher[EB/OL]. eSTREAM, ECRYPT Stream Cipher Project, Report2005/027,2005. http://www.ecrypt.eu.org/stream/sosemanukp3.html.
[18]P. Ekdahl and T. Johansson. SNOW-a new stream cipher[C]. In Proceedings of the First Open NESSIE Workshop,13-14November2000, Heverlee, Belgium
[19]ETSI/SAGE. Specification of the3GPP confidentiality and integrity algorithms UEA2&UIA2.Document5:SNOW3G Specification:1.0[EB/OL]. http://www.gsmworld.com/using/algorithms/index.shtml,2006.
[20]吴文铃,冯登国,张文涛.分组密码的设计与分析[M].清华大学出版社,2009
[21]S. Babbage, M. Dodd. The stream cipher MICKEY2.0[EB/OL]. June30,2006. URL:http://www. ecrypt.eu.org/stream/p3ciphers/Mickey/Mickeyp3.pdf.
[22]C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin, Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, H. Sibert. Decim:A New Stream Cipher for Hardware Applications [EB/OL]. ECRYPT Stream Cipher Project Report2005/004. Available at http://www. ecrypt. eu.org/stream/
[23]A. J. Menezes, P. V. Oorschot, S. A. Vanstone.应用密码学手册[M].电子工业出版社.2005.
[24]万哲先,刘木兰,代宗铎,冯绪宁.非线性移位寄存器.北京:科学出版社,1978.
[25]P. Hawkes, M. Paddon, G Rose et al. Primitive specification for NLSv2[EB/OL]. http://www.ecrypt.eu.org/stream/nls3.html,2007
[26]M. Hell, T. Johansson and W Meier, Grain-A Stream Cipher for Constrained Environments [EB/OL]. eSTREAM-ECRYPT Stream Cipher Project (2007). Available at http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain p3.pdf.
[27]C. D. Canniere and B. Preneel. Trivium. New Stream Cipher Designs [J]. LNCS, vol4817, pp.244-246. Springer-Verlag2008.
[28]H. G Hu. Periods on Two Kinds of Nonlinear Feedback Shift Registers with Time Varying Feedback Functions [J]. International Journal of Foundations of Computer Science,22(6):1317-1329,2011.
[29]A. Biryukov. The Design of a Stream Cipher LEX[C]. In Proceedings of Selected Areas in Cryptography2006, LNCS, vol.4356, pp.67-75, Springer-Verlag,2007.
[30]J. Daemen, V Rijmen. The Design of Rijndael:AES-The Advanced Encryption Standard [M]. Springer-Verlag, Berlin Germany,2002.
[31]O. Dunkelman, N Keller. A New Attack on the LEX Stream Cipher [J]. Lecture Notes in Computer Science,5350:pp.539-556,2008.
[32]H. J. Wu. The Stream Cipher HC-128[EB/OL]. http://www.ecrypt.eu.org/stream/hcp3.html.
[33]E. Biham, J. Seberry. Py:A fast and secure stream cipher using rolling arrays [EB/OL]. http://www.ecrypt.eu.org/stream/p2ciphers/py/py_p2.ps,2007.
[34]A. Klimov and A. Shamir, A New Class of Invertible Mappings[A], Cryptographic Hardware and Embedded Systems[C], LNCS2523,470-483,2002.
[35]D. Moon, D. Kwon, etc. T-function based streamcipher TSC-4[EB/OL]. ECRYPT Project. http://www.ecrypt.eu.org/stre am/p2ciphers/tsc4/tsc4_p2.pdf.
[36]A. Maximov. A New Stream Cipher Mir[EB/OL], http://www.ecrypt.eu.org/stream/ciphers/mir1/mir1.ps.
[37]V. Anashin, A. Bogdanov, I. Kizhvatov, and S. Kumar. ABC:Anew fast flexible stream cipher [EB/OL]. ECRYPT Stream Cipher Project, Report2005/001,2005.
[38]A. Klapper, M. Goresky.2-Adic Shift Registers [A]. Fast Software Encryption1993[C]. LNCS809, pp.174-178,1993.
[39]F. Arnault, T. Berger, C. Laurandoux. Update on F-FCSR stream cipher [EB/OL]. eSTREAM, Ecrypt Stream cipher project, Report2006/025,2006. http://www.ecrypt.eu.org/stream/papersdir/2006/025.pdf.
[40]M. Hell, T. Johansson. Breaking the F-FCSR-H stream cipher in real time[C]. In Advances in Cryptology-Asiacrypt2008, LNCS5350:pp.557-569,2008.
[41]ETSI/SAGE Specification. Specification of the3GPP Confidentiality and Integrity Algorithms128-EEA3&128-EIA3. Document2:ZUC Specification; Version:1.4[EB/OL] Date:30th July,2010.
[42]E. Dubrova. An equivalent preserving transformation from the Fibonacci to the Galois NLFSRs [EB/OL]. arXiv:0801.4079,2008.
[43]温巧燕,钮心忻,杨义先.现代密码学中的布尔函数[M].北京:科学出版社,2000.
[44]X. J. Lai. Condition for the nonsingularity of a feedback shift register over a general finite field [J]. IEEE transactions on information theory,33(5), pp.747-749,1987
[45]L. G Mullen. Permutation Polynomials and Nonsingular Feedback Shift Registers over Finite Fields [J]. IEEE TRANSACTIONS ON INtOKMATION THEORY. VOL.35. NO.4, JULY1989
[46]李超,谢端强.反馈移位寄存器非奇异性判定.电子科学学刊,17(5):500-505,1995.
147]李超.q=3,4,5时n元反馈函数非奇异的充要条件[J].湖南数学年刊,11,1996.
[48]李声涛,谢端强,戴清平.反馈移位寄存器非奇异性研究[J].计算机工程与科学,28(7),131-133,2006.
[49]E. Dubrova. How to speed-up your NLFSR-based stream cipher[C]. Design, Automation&Test in Europe Conference&Exhibition, pp.878-881,2009.
[50]章佳敏,戚文峰.Galois NFSR和Fibonacci NFSR线性等价的判别[J].信息工程大学学报,13(2):pp.134-140,2012.
[51]J. L. Massey, R. W. Liu. Equivalence of Nonlinear Shift-Registers [J]. IEEE Trans on Information Theory10, pp.378-379,1964.
[52]北京大学数学系几何与代数教研室前代数小组.高等代数[M].高等教育出版社,2003.
[53]ETSI/SAGE Specification. Specification of the3GPP Confidentiality and Integrity Algorithms 128-EEA3&128-EIA3. Document2:ZUC Specification; Version:1.5[EB/OL]. Date:4th January,2011.
[54]B. Sun, X. H. Tang and C. Li. Preliminary Cryptanalysis Results of ZUC. The First International Workshop on ZUC Algorithm,2010.
[55]H. J. Wu, T. Huang, P. H. Nguyen, H. X. Wang, and S. Ling. Differential Attacks against Stream Cipher ZUC[C]. ASIACRYPT2012, LNCS, vol.7658, pp.262-277,2012.
[56]C. Berbain, H. Gilbert, A. Maximov. Cryptanalysis of Grain[C]. Advances in Cryptology-FSE2006, LNCS4047, pp.15-29,2006.
[57]宋海欣,范修斌,武传坤,冯登国.流密码算法Grain的立方攻击[J].软件学报,23(1):pp.171-176,2012.
[58]D.H. Green, K.R. Dimond. Nonlinear product-feedback shift registers [J]. PROC. IEEE,1970,117(4), pp.681-686.
[59]Z. Ma, W F. Qi, T. Tian. On the decomposition of an NFSR into the cascade connection of an NFSR into an LFSR [J]. Journal of Complexity,2012, In Press.
[60]J. P. Aumasson, I. Dinur, W Meier, A. Shamir. Cube Testers and Key Recovery Attacks on Reduced-Round MD6and Trivium[C]. Advances in Cryptology-FSE2009,2009, LNCS5665:pp.1-22
[61]Y. P. Hu, J. T. Gao, Q. Liu, Y. W Zhang. Fault analysis of Trivium[J]. Des. Codes Cryptography,2012,62(3):pp.289-311.
[62]贾艳艳,胡予濮,杨文峰,高俊涛.2轮Trivium的多线性密码分析[J].电子与信息学报,33(1):223-227,2011.
[63]T. Eiban, E. Pilz, and S. Steck. Comparing and optimizing two generic attacks on Bibium[C]. Workshop on The State of the Art of Stream Ciphers (SASC2008), Lausanne, pp.57-68,2008.
[64]M. Afzal, A. Masood. Modifications in the Design of Trivium to Increase its Security Level [J]. Proc. Pakistan Acad. Sci.47(1), pp.51-63,2010.
[65]Y Tian. Quavium-A New Stream Cipher Inspired by Trivium [J]. Journal of Computers,7(5),2012.
[66]X. L. Huang, C. K. Wu. Cryptanalysis of a New Stream Cipher Structure [J]. Journal of Software,19(5):1256-1264,2008.
[67]C. Berbain, H. Gilbert, A. Joux. Algebraic and Correlation Attacks against Linearly Filtered Non Linear Feedback Shift Registers [C]//Proc. of SAC2008, New Brunswick, Canada, Springer-Verlag, pp.184-198,2009.
[68]E. Dubrova. A transformation from the Fibonacci to the Galois NLFSRs [J]. IEEE Transactions on Information Theory,55(11), pp.5263-5271,2009.
[69]E. Dubrova. Finding matching initial states for equivalent NLFSRs in the Fibonacci to the Galois configurations [J]. IEEE Transactions on Information Theory,56(6), pp.2961-2967,2010.
[70]M. Chabloz, S. Mansouri, E. Dubrova. An algorithm for constructing a fastest Galois NLFSR generating a given sequence [C]. Sequences and Their Applications-SETA2010, LNCS6338, pp.41-54,2010.
[71]E. Dubrova. A Scalable Method for Constructing Galois NLFSRs with Period2n-1using Cross-Join Pairs. Information Theory [J]. IEEE Transactions on Information Theory,59(1), pp.703-709,2013.
[72]S. S. Mansouri, E. Dubrova. An improved implementation of Grain [EB/OL]. arXiv:0910.5595vl,29Oct2009.
[73]S. W. Golomb. Shift Register Sequences. Holden-Day [M]. Inc., Laguna Hills, CA, USA,1967.
[74]L. Mittenthal. Block substitutions using orthomorphic mapping [J]. Advances in Applied Mathematics,16, pp.59-71,1995.
[75]Keeloq wikipedia article [EB/OL]. See http://en.wikipedia.org/wiki/KeeLoq,25January2007.
[76]J. Choy, G Chew, K. Khoo and H. Yap. Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure [EB/OL]. Australasian Conference on Information Security and Privacy-ACISP2009,2009.
[77]吕述望,范修斌,周玉洁.序列密码的设计与分析[M].北京:北京中软电子出版社,2003.
[78]O. Dunkelman, N. Keller. Cryptanalysis of the Stream Cipher LEX [J]. Designs, Codes and Cryptography. March2012, Published online.
[79]H. J. Wu, B. Preneel. Resynchronization attacks on WG and LEX [J]. Lecture Notes in Computer Science,4047, pp.422-432,2006.
[80]V. Velichkov, V. Rijmen, B. Preneel. Algebraic cryptanalysis of a small-scale version of stream cipher LEX [J]. Information Security,4(2), pp.49-61,2010.
[81]C. Bouillaguet, P. Derbez, O. Dunkelman. Low data complexity attacks on AES [J]. IEEE Transactions on Information Theory,58(11), pp.7002-7017,2012.
[82]J. Y. Huang, W. Susilo, J. Seberry. Differential Fault Analysis of LEX[J]. Lecture Notes in Computer Science,6280, pp.55-72,2010.
[83]M. Mainack, C. Avik, D. Nilanjia. TweLEX:A tweaked version of the LEX stream cipher[EB/OL]. http://eprint.iacr.org/2011/586,2011.
[84]E. Biham. New types of cryptanalytic attacks using related keys [J]. Journal of Cryptology,7(4), pp.229-246,1994.