The Differential Cryptanalysis and Design of Natural Stream Ciphers

This paper introduces the differential cryptanalysis of additive stream ciphers, and develops its theoretical basis. The relationships between differential and other types of stream cipher analysis are presented. The conservation laws of patterns and of mutual information are derived. The cryptographic significance of pattern distribution of keystream sequences is shown. The cryptographic transformation densities are introduced, and their relations with other cryptographic factors are summarized. This work is illustrated by reference to the design and security of additive natural stream ciphers, which are nonlinear filtered sequences driven by a counter rather than by a shift register. 1 I n t r o d u c t i o n Stream ciphers have a long history and still play an important role in securing communications. Most of the literature on stream ciphers is about the design and analysis of synchronous stream ciphers, and especially additive synchronous stream ciphers, because of their relatively tractable structure. The main design problem of additive synchronous stream ciphers is producing a secure key stream generator. So far many kinds of generator have been proposed: nonlinearly-filtered LFSR generators [18], nonlinearly-combined LFSR generators [13, 25], multiplexer generators [17], threshhold generators [10], inner product generators [20], BBS generators [9], knapsack generators [27], Shamir's generators [28], counter generators [11], clock-controlled LFSR generators (survey in [16]), and the shrinking generator [6], to name only a few. Though there are some common security measures for every sequence generator (such as nonlinearity, linear complexity, sphere complexity [12] and 2-adic complexity [19]), every system has its own particular security problems. Though it may be generally said that cryptographic gains and losses usually go together, there are differences between cipher systems. Some are easy to implement, but may have tradeoffs between known security parameters; some are relatively difficult to implement, but their security may be easy to control; others may have both an easy implementation and ideal security, but be slow. Of course, fewer tradeoffs make for easier design. In designing secure cipher systems the most important problems are: