Doctoral thesis (Dissertations and theses)
Analysis of resynchronization mechanisms of stream ciphers
PRIEMUTH-SCHMID, Deike
2011
 

Documents


Full text
PriemuthSchmid- Thesis.pdf
Author postprint (1.46 MB)

All documents in ORBilu are protected by a user license.




Details



Keywords:
Stream cipher; Salsa20; Trivium; Snow 3G; Snow 2.0; K2; Cryptanalysis; Resynchronisation
Abstract:
[en] Stream ciphers are cryptographic primitives belonging to symmetric key cryptography to ensure data confidentiality of messages sent through an insecure communication channel. This thesis presents attacks on several stream ciphers, especially against their initialization methods. The first targets are the stream ciphers Salsa20 and Trivium. For both ciphers slid pairs are described. Salsa20 can be distinguished from a random function using only the slid pair relation. When a slid pair is given for Salsa20 both secret keys can be recovered immediately if the nonces and counters are known. Also an efficient search for a hidden slid pair in a large list of ciphertexts is shown. The efficiency of the birthday attack can be increased twice using slid pairs. For the cipher Trivium a large related-key class which produces identical keystreams up to a shift is presented. Then the resynchronization mechanism of the stream ciphers SNOW 3G and SNOW 2.0 is analyzed. Both ciphers are simplified by replacing all additions modulo 32 with XORs. A known IV key-recovery attack is presented for SNOW 3G and SNOW 2.0 where both ciphers have no feedback from the FSM. This attack works for any amount of initialization clocks. Then in both ciphers the feedback from the FSM is restored and the number of 33 initialization clocks is reduced. Chosen IV key-recovery attacks on SNOW 3G with 12 to 16 initialization clocks and SNOW 2.0 with 12 to 18 initialization clocks are shown. In a similar way versions of the stream cipher K2 are attacked. This cipher is simplified by replacing all additions modulo 32 with XORs as well. Chosen IV key-recovery attacks on versions with reduced initialization clocks from five to seven out of 24 are presented. For the version with seven initialization clocks also a chosen IV distinguishing attack is shown. The last part deals with a linear key-IV setup and known feedback polynomials of the shrinking generator. It is shown that this linear initialization results in a very weak cipher as only a few known IVs are required to recover the secret key. The original design of the shrinking generator does not include any initialization method so the initial state was assumed to be the secret key.
Disciplines:
Computer science
Author, co-author:
PRIEMUTH-SCHMID, Deike; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Document language:
English
Title:
Analysis of resynchronization mechanisms of stream ciphers
Defense date:
25 November 2011
Institution:
Unilu - University of Luxembourg, Luxembourg, Luxembourg
Degree:
Docteur en Informatique
Supervisor:
Available on ORBilu:
since 11 February 2014

Statistics


Number of views
190 (of which 2 Unilu)
Number of downloads
504 (of which 3 Unilu)
