# Attacks Against Filter Generators Exploiting Monomial Mappings

## Abstract

Filter generators are vulnerable to several attacks which have led to well-known design criteria on the Boolean filtering function. However, Rønjom and Cid have observed that a change of the primitive root defining the LFSR leads to several equivalent generators. They usually offer different security levels since they involve filtering functions of the form \(F(x^k)\) where \(k\) is coprime to \((2^n-1)\) and \(n\) denotes the LFSR length. It is proved here that this monomial equivalence does not affect the resistance of the generator against algebraic attacks, while it usually impacts the resistance to correlation attacks. Most importantly, a more efficient attack can often be mounted by considering non-bijective monomial mappings. In this setting, a divide-and-conquer strategy applies based on a search within a multiplicative subgroup of \(\mathbb {F}_{2^n}^*\). Moreover, if the LFSR length \(n\) is not a prime, a fast correlation involving a shorter LFSR can be performed.

## Keywords

Stream ciphers · Correlation attacks · LFSR · Filter generator · Nonlinear equivalence · Monomials

## 1 Introduction

The running-key used in a stream cipher is produced by a pseudo-random generator whose initialization is the secret key shared by the users. Linear feedback shift registers (LFSR) are building-blocks used in many keystream generators since they are appropriate to low-cost implementations, produce sequences with good statistical properties and have a simple mathematical description. While basic LFSR-based generators, like combination generators or filter generators, are not used directly as keystream generators in modern stream ciphers, they are still widely used either as a part of the generator or in modified form [13]. This situation then motivates an in-depth evaluation of the security of LFSR-based generators. Actually, several modern ciphers have been analyzed by enhanced variants of attacks, which were first dedicated to simple LFSR-based generators (e.g. [26, 29, 34]).

To this end, our work investigates the security of the so-called filter generator, which consists of a single LFSR whose content is filtered by a nonlinear Boolean function. These generators have been extensively studied and are known to be vulnerable to several types of attacks, mainly algebraic attacks and their variants [9, 10, 17, 38] and (fast) correlation attacks [32]. These attacks have led to the definition of design criteria, especially related to the choice of the filtering function, and they have initiated a whole line of research on the constructions of appropriate filtering functions. However, it has been observed more recently by Rønjom and Cid [36] that a simple change of the primitive characteristic polynomial of the LFSR (i.e., a change of the primitive root of the underlying finite field) may lead to an equivalent generator whose filtering function corresponds to the composition of a monomial permutation with the original filtering function, \(x \mapsto F(x^k)\) for some \(k\) coprime to \((2^n-1)\) where \(n\) is the LFSR length. This observation opens the door to new weaknesses since the main security criteria, like the nonlinearity, the degree or the algebraic immunity of the filtering function, are not invariant under this *nonlinear equivalence*. Hence, this raises many open questions about the relevance of the usual criteria, as noted by Rønjom and Cid. In this context, the objective of our paper is to answer most of these questions by evaluating the minimal security offered by all generators derived by monomial equivalence, and to further investigate the possibilities to transform the constituent LFSR by applying a monomial mapping, especially a *non-bijective* monomial mapping.

*Our contributions.* Our contributions are then two-fold: first, we show that, even if the degree and the algebraic-immunity of a Boolean function may highly vary within an equivalence class, the monomial equivalence defined by Rønjom and Cid has no impact on the resistance of a filter generator against algebraic attacks and their variants. The reason is that the degree and the algebraic immunity are not the relevant parameters for estimating the security of a filter generator as shown in [17, 20, 28]. Instead, the complexities of these attacks are determined by the linear complexity and the spectral immunity of the filtering function, which are derived from the univariate representation of the function and are therefore invariant under monomial equivalence. On the other hand, the second family of attacks, namely (fast) correlation attacks, are highly affected by monomial equivalence, implying that the associated criterion must be the generalized nonlinearity of the filtering function as defined in [41]. But we show that the non-bijective monomial mappings also play a very important role, usually much more important than monomial permutations, because the LFSR can then be transformed into an LFSR producing a sequence with smaller period \(\tau \). A divide-and-conquer attack can then be mounted exploiting this property, where the number of values to be examined decreases from \((2^n-1)\) to \(\tau \). Moreover, if the LFSR length \(n\) is not a prime, the new LFSR involved in the attack may be shorter than the original one, leading to a much more efficient fast correlation attack.

*Organization of the paper.* We first introduce the monomial equivalence between filter generators as described by Rønjom and Cid [36] and show that the univariate representation of both the LFSR and the filtering function is well-suited for analyzing its impact. Section 3 then focuses on algebraic attacks and proves that all filter generators obtained by monomial equivalence have the same behaviour with respect to this family of attacks. Section 4 then investigates correlation attacks and their variants, and shows that the situation is very different. Also, we describe a new setting for (fast) correlation attacks where non-bijective monomials are used. Two types of attacks are then presented: fast correlation involving a shorter LFSR which can be mounted when the LFSR length is not a prime, and correlation attacks based on FFT which recover \(\log _2 \tau \) bits of the initial state where \(\tau \) is a divisor of \((2^n-1)\).

## 2 Equivalence Between Filtered LFSR

### 2.1 Filtered LFSRs

*characteristic polynomial*, \(P(X)=X^n + \sum _{i=0}^{n-1} c_i X^i \in \mathbb {F}_2[X]\), is the finite-state automaton which produces the binary sequences \(\mathbf{s} =(s_t)_{t \ge 0}\), satisfying the linear recurrence relation

*linear complexity* of any sequence generated by the LFSR from a nonzero initial state is equal to the LFSR length. A well-known property of LFSR sequences is that any sequence produced by an LFSR with an irreducible characteristic polynomial \(P\) (and a nonzero initial state) is periodic and its least period is equal to the order of \(P\), i.e., to the smallest positive integer \(r\) for which \({P(X)}\) divides \({X^r +1}\). Hence, the characteristic polynomials of LFSRs used in practical applications are chosen primitive. More details on the properties of LFSR sequences can be found e.g. in [19, 25].

*filter generator* (aka filtered LFSR), is a keystream generator composed of a single binary LFSR of length \(n\) whose content is filtered by a nonlinear Boolean function of \(n\) variables. More precisely, the output sequence \((s_t)_{t \ge 0}\) of the filter generator is given by

### 2.2 Univariate Representation of Filtered LFSRs

Filter generators have been extensively studied and are known to be vulnerable to several types of attacks which have led to the definition of some security criteria on the tapping sequence \((\gamma _i)_{1 \le i \le m}\) [14] and on the Boolean filtering function (see e.g. [4] for a survey). For instance, it is well-known that \(f\) must have a high algebraic degree in order to generate a keystream sequence with a high linear complexity [39], a high algebraic-immunity in order to resist algebraic attacks [10, 31] and a high nonlinearity in order to resist fast correlation attacks [32]. These design criteria on the filtering function must be considered up to some equivalence in the sense that several filtered LFSR may generate the same set of sequences. This equivalence between filtered LFSR can be simply described by defining the LFSR next-state function over the finite field with \({2^n}\) elements instead of the vector space \(\mathbb {F}_2^n\).

### Proposition 1

**(Theorem 9.2 in [30]).** Let \(P\) be an irreducible polynomial in \(\mathbb {F}_{2}[X]\) with degree \(n\). Let \(\alpha \in \mathbb {F}_{2^n}\) be a root of \(P\) and \(\{\beta _0, \ldots , \beta _{n-1}\}\) denote the dual basis of \(\{1, \alpha , \ldots , \alpha ^{n-1}\}\), i.e.,

*univariate representation*defined by a root \(\alpha \in \mathbb {F}_{2^n}\) of the LFSR characteristic polynomial, and a function \(F\) from \(\mathbb {F}_{2^n}\) into \(\mathbb {F}_2\). This generator produces from any initial state \(X_0 \in \mathbb {F}_{2^n}\) the sequence \(s_t = F(X_0 \alpha ^t)\). For the sake of clarity, univariate functions defined over \(\mathbb {F}_{2^n}\) will be denoted by capital letters, while small letters will be used for multivariate functions over \(\mathbb {F}_2^n\). Clearly, the multivariate representation of a filter generator, \((P,f)\), can be recovered from its univariate representation \((\alpha ,F)\): since \(P\) is irreducible, it corresponds to the minimal polynomial of \(\alpha \) and \(f\) is equal to \(F \circ \varphi \) where \(\varphi \) is the isomorphism associated to the dual basis of \(\{1, \alpha , \alpha ^2, \ldots , \alpha ^{n-1}\}\). Conversely, a given multivariate representation \((P,f)\) corresponds to \(n\) univariate representations \((\alpha ,F)\) since there are several possible values for \(\alpha \) corresponding to the conjugate roots of \(P\), i.e., \(\alpha , \alpha ^2, \alpha ^{2^2}, \ldots , \alpha ^{2^{n-1}}\). The univariate filtering functions \(F\) associated to the different choices for \(\alpha \) are then linearly equivalent because they only differ from the composition with the Frobenius map. However, composing \(F\) with a linear permutation does not change its cryptographic properties (see the next section for details).

As a function from \(\mathbb {F}_{2^n}\) into \(\mathbb {F}_{2^n}\), \(F\) can be written as a univariate polynomial in \(\mathbb {F}_{2^n}[X]\) and the coefficients of this polynomial are computed from the values of \(F\) by the discrete Fourier Transform (DFT) of \(F\) (aka Mattson-Solomon transform) (see e.g. [2, 15, 27]).

### Proposition 2

**(Discrete Fourier Transform of a Function).** Let \(F\) be a function from \(\mathbb {F}_{2^n}\) into \(\mathbb {F}_{2^n}\). Then, there exists a unique univariate polynomial in \(\mathbb {F}_{2^n}[X]/(X^{2^n}+X)\) such that

### 2.3 Monomial Equivalence Between Filtered LFSR

Using the univariate representation, it is easy to observe that, for any nonzero \(\lambda \in \mathbb {F}_{2^n}\), the sequence generated by the filtered LFSR with characteristic polynomial \(P\) and filtering function \(F\) from the initial state \(X_0 \in \mathbb {F}_{2^n}\) is the same as the sequence obtained by filtering the same LFSR with \(G(x)=F(\lambda x)\) from the initial state \(Y_0=\lambda ^{-1} X_0\). It follows that not only \(F\) but also any function \(G(x)=F(\lambda x)\) can be attacked when cryptanalyzing the generator. But, this equivalence does not affect the security of filter generators since all design criteria are known to be invariant under linear equivalence, i.e., under the composition of the filtering function by an \(\mathbb {F}_2\)-linear permutation of \(\mathbb {F}_{2^n}\).

*monomial equivalence*^{1}. It follows that there exist \(\frac{\varPhi (2^n-1)}{n}\) monomial transformations which are not linearly equivalent and nevertheless provide equivalent filtering LFSR, where \(\varPhi \) is the Euler’s totient function. Any attack against one among these \(\frac{\varPhi (2^n-1)}{n}\) generators then provides an attack against the whole class. Most notably, an initial-state recovery attack against the generator defined by \(\beta \) enables the attacker to recover the initial state \(X_0\) of the LFSR defined by \(\alpha \) by using that \(X_0 = Y_0^r\). Therefore, the security level offered by a filter generator is clearly the minimal security among all generators in its equivalence class.

## 3 Monomial Equivalence and Algebraic Attacks

Determining the cryptographic properties of a Boolean function up to any change of the primitive element seems rather complicated, since the major properties of the function, like its degree or its nonlinearity, are not invariant under these nonlinear transformations (see e.g. [36, Appendix A]). However, the recent works by Gong et al. [17, 20, 37, 38] point out that this difficulty mainly comes from the fact that the multivariate representation of the function is usually not relevant for evaluating its security level. Instead, the univariate representation provides a much more powerful tool which allows to directly determine the security offered by a generator against algebraic attacks (and its variants). Indeed, the action of the monomial equivalence can be described in a much simpler way when the univariate expression of the function is considered: the class of all filtering functions in the equivalence class of \(F\) consists of all functions \(G=\sum _{i=0}^{2^n-2}B_i X^i\) whose univariate representation \((B_0, \ldots , B_{2^n-2})\) is obtained by decimating the univariate representation of \(F\) by some integer \(k\) coprime to \((2^n-1)\), i.e., \({B_i=A_{ik \mod (2^n-1)}}\). Using this simple transformation, it becomes possible to determine how the complexity of algebraic-type attacks varies within the equivalence class of a filtering function.

### 3.1 Linear Complexity

*linear complexity* \(\varLambda \). It determines the complexity of solving the smallest linear system expressing each output bit of the generator as a linear function of its initial state. It is widely believed that, exactly as for the combination generator, the linear complexity of a filter generator increases with the degree of the filtering function (see e.g. [24, 39]). For instance, it has been shown by Rueppel that, when the LFSR length \(n\) is a large prime, \(\varLambda \ge {n \atopwithdelims ()d}\) for most functions \(f\) of degree \(d\) [39, Chapter 5]. However, as explained in [28], the well-known Blahut’s theorem [2] implies that \(\varLambda \) is entirely determined by the univariate form of the filtering function, \(F(X)=\sum _{i=0}^{2^n-2} A_i X^i\):

### 3.2 Algebraic Attacks

*general algebraic immunity* of a filtering function \(F\) [36, Definition 6] as the smallest algebraic immunity for a function in the monomial equivalence class of \(F\). But, exactly as algebraic attacks allow to decrease the degree of the equations below the degree of the filtering function by considering an annihilator \(g\) of \(f\) [10], the same idea can be used for improving the previously described attack based on the univariate approach [17]. Then, the complexity of the best attack is determined by the smallest linear complexity for an annihilator of \(F\). This quantity has been named the

*spectral immunity* of \(F\) [17, Definition 1]. As we discussed before, for any function \(G\), including any annihilator of \(F\),

Suppose now that the previously described attack is applied to some equivalent filter generator involving the filtering function \(F'\) defined as \(F'(x)=F(x^k)\), for some \(k\) with \(\gcd (k,2^n-1)=1\). The attack then exploits the linear complexity of an annihilator \(G'\) of \(F'\). But, it can be observed that a function \(G'\) is an annihilator of \(F'\) if and only if \(G(x)=G'(x^r)\) is an annihilator of \(F\) where \(rk \equiv 1 \bmod {(2^n-1)}\). The linear complexity of \(G'\) is then equal to the linear complexity of \(G\), the corresponding annihilator of \(F\). It follows that the attack applied to \(F'\) has the same complexity as the attack against the original filter generator. In other words, the spectral immunity of a filtering function \(F\) is invariant under monomial equivalence.

Therefore, it appears that the monomial equivalence does not affect the complexity of algebraic attacks since the optimal versions of these attacks are based on the univariate representation and involve the number of nonzero coefficients in this representation which is invariant under monomial equivalence.
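The following Python example is added here for illustration and is not code from the paper or its authors. It builds the toy field \(\mathbb {F}_{2^6}\) with the primitive polynomial \(X^6+X+1\) (a choice made for this example), a univariate filter generator \(s_t = F(X_0 \alpha ^t)\) with a constructed filtering function, and checks the statements of Sects. 2.3 and 3 on it: the Rønjom–Cid equivalence (the LFSR defined by \(\beta =\alpha ^k\) filtered by \(F(x^r)\) with \(rk \equiv 1 \bmod (2^n-1)\), started from \(Y_0 = X_0^k\), produces the same keystream and \(X_0 = Y_0^r\)), the decimation \(B_i = A_{ik}\) of the univariate coefficients obtained by the DFT of Proposition 2, and Blahut’s theorem of Sect. 3.1, with the linear complexity measured by Berlekamp–Massey on two periods of the keystream. All function and constant names are this example’s own.

```python
N_BITS = 6
PRIM_POLY = 0b1000011       # X^6 + X + 1, primitive over GF(2); toy size chosen for this example
ORDER = (1 << N_BITS) - 1   # |GF(2^6)^*| = 63
ALPHA = 0b10                # the class of X, a root of the characteristic polynomial, hence primitive

def gf_mul(a, b):
    """Product in GF(2^6) = GF(2)[X]/(PRIM_POLY); ints hold coordinates in the basis {1, alpha, ..., alpha^5}."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= PRIM_POLY
    return r

def gf_pow(a, e):
    """a^e, exponent reduced modulo 2^n-1 (a^(2^n-1) = 1 for every nonzero a)."""
    if a == 0:
        return 0 if e else 1
    r, e = 1, e % ORDER
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

ALPHA_POW = [gf_pow(ALPHA, j) for j in range(ORDER)]   # alpha^j for 0 <= j < 2^n-1

def F(x):
    """Constructed nonlinear filtering function GF(2^6) -> GF(2), written on the coordinates of x."""
    b = [(x >> i) & 1 for i in range(N_BITS)]
    return (b[0] & b[1]) ^ (b[2] & b[3] & b[4]) ^ (b[0] & b[4]) ^ b[5]

def keystream(root, filt, x0, length):
    """Univariate filter generator: s_t = filt(x0 * root^t)."""
    out, state = [], x0
    for _ in range(length):
        out.append(filt(state))
        state = gf_mul(state, root)
    return out

def univariate_coeffs(filt):
    """DFT on GF(2^n)^* (Proposition 2): A_i = sum_j filt(alpha^j) alpha^(-ij), so filt(x) = sum_i A_i x^i, x != 0."""
    vals = [filt(ALPHA_POW[j]) for j in range(ORDER)]
    coeffs = []
    for i in range(ORDER):
        acc = 0
        for j in range(ORDER):
            if vals[j]:
                acc ^= ALPHA_POW[(-i * j) % ORDER]
        coeffs.append(acc)
    return coeffs

def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR producing bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def check_linear_equivalence(x0, lam, length=2 * ORDER):
    """G(x) = F(lam * x) started from Y_0 = lam^(-1) X_0 gives the same keystream (Sect. 2.3)."""
    G = lambda x: F(gf_mul(lam, x))
    y0 = gf_mul(gf_pow(lam, ORDER - 1), x0)
    return keystream(ALPHA, F, x0, length) == keystream(ALPHA, G, y0, length)

def check_monomial_equivalence(x0, k, length=2 * ORDER):
    """Rønjom-Cid equivalence: LFSR defined by beta = alpha^k filtered by G(x) = F(x^r), rk = 1 mod (2^n-1),
    started from Y_0 = X_0^k, gives the original keystream; X_0 = Y_0^r; and B_i = A_(ik) (Sect. 3)."""
    r = pow(k, -1, ORDER)                       # requires gcd(k, 2^n-1) = 1
    beta, G = gf_pow(ALPHA, k), (lambda x: F(gf_pow(x, r)))
    y0 = gf_pow(x0, k)
    same = keystream(ALPHA, F, x0, length) == keystream(beta, G, y0, length)
    recovered = gf_pow(y0, r) == x0
    A, B = univariate_coeffs(F), univariate_coeffs(G)
    decimated = all(B[i] == A[(i * k) % ORDER] for i in range(ORDER))
    return same, recovered, decimated

def check_blahut(x0):
    """Blahut (Sect. 3.1): linear complexity of s_t = F(X_0 alpha^t) = number of nonzero A_i."""
    weight = sum(1 for a in univariate_coeffs(F) if a)
    return weight, linear_complexity(keystream(ALPHA, F, x0, 2 * ORDER))

if __name__ == "__main__":
    print(check_monomial_equivalence(0b101101, 5), check_blahut(0b101101))
```

Because the decimation \(i \mapsto ik\) only permutes the indices of the univariate coefficients, the count of nonzero \(A_i\) returned by `check_blahut` is the same for every generator of the class, which is the invariance the section proves.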

## 4 Univariate Correlation Attacks

### 4.1 Correlation-Like Attacks on Filtered LFSR

Another type of attacks against LFSR-based stream ciphers is the correlation attack and its variants. For generators using many LFSR combined by a Boolean function, a divide-and-conquer technique can be used by exploiting an approximation of the combining function *f* by a function *g* with fewer variables [40]. The attack then consists in performing an exhaustive search for the internal state of the small generator (called the target generator) composed of fewer LFSR combined by *g*, and in deciding which one of the states gives an output sequence having the expected correlation with the keystream. A well-known improved variant, named *fast correlation attack* [32] applies when *g* is linear. It identifies the problem with a decoding problem. Then an exhaustive search for the initial state of the target generator is not required anymore. Instead, a decoding algorithm for a linear code is used, for instance an algorithm exploiting sparse parity-check relations [6, 8, 32]. In the case of filtered LFSR, the situation is different since the only relevant target generator producing sequences correlated to the keystream, consists of an LFSR of the same size as the original generator filtered by a linear approximation of *f*. In this situation, the classical correlation attack cannot be faster than a brute-force attack, implying that only fast correlation attacks are relevant on filtered LFSR. To avoid these attacks, filtering functions must have a high nonlinearity.

*f* is the distance of *f* to all affine functions, the distance to all monomial functions with an exponent coprime to \((2^n-1)\) must also be taken into account. Indeed, the fast correlation attack can be generalized as follows. Let us consider an LFSR of size *n*, of primitive root \(\alpha \) and of initial state \(X_0\), filtered by a Boolean function *F*. We suppose now that there exist \(\lambda \in \mathbb {F}_{2^n}\backslash \{0\}\) and *k* coprime to \((2^n-1)\) such that the function *F* is highly correlated to \(G(x)=\mathsf {Tr}^n(\lambda x^k)\). Because *k* is coprime to \((2^n-1)\), the monomial equivalence can be applied to the LFSR filtered by *G*, as depicted on Fig. 1. Then we can perform a fast correlation attack and recover the initial state of the LFSR defined by \(\alpha ^k\), which corresponds to \(X_0^k\). As *k* is coprime to \((2^n-1)\), we then recover \(X_0\). In other words, a fast correlation attack can be mounted even if the approximation *G* of *F* is nonlinear but has a trace representation with a single term, \(\mathsf {Tr}^n(\lambda x^k)\) with \(\gcd (k,2^n-1)=1\). The corresponding design criterion is that the filtering function \(F\) must have a high generalized nonlinearity. This notion has been first introduced by Youssef and Gong in 2001 [41], but was not motivated by any attack.

### Definition 1

**(Extended Walsh-Transform [41]).** Let *F* be a function from \(\mathbb {F}_{2^n}\) into \(\mathbb {F}_2\), then its extended Walsh transform is

*generalized nonlinearity*:

*F* to the components of all monomial *permutations* of \(\mathbb {F}_{2^n}\).

### 4.2 A More Efficient Correlation Attack

*F* is correlated with a monomial function whose exponent \(k\) is coprime to \((2^n-1)\). However, the exponents \(k\) with \(\gcd (k,2^n-1)>1\) must also be taken into account even if they do not provide an equivalence relation. Let us now consider some *k* which is not coprime to \((2^n-1)\) and some Boolean function \(H\) such that *F* is correlated to \(G:x \mapsto H(x^k)\). We can then also apply some monomial transformation to the target generator which is composed of the LFSR defined by \(\alpha \) filtered by \(G\). Indeed, the LFSR internal state at time \(t\) is \(X_0\alpha ^t\), implying that the sequence produced by the target generator is \(\sigma _t=G(X_0\alpha ^t)=H(X_0^k\alpha ^{kt})\) for all \(t\ge 0\). On the other hand, the LFSR with characteristic polynomial \(P_{\alpha ^k}\) generates the successive internal states \((Y_0 \alpha ^{kt})_{t\ge 0}\), implying that \(\sigma \) can also be generated by the LFSR defined by \(\alpha ^k\) filtered by \(H\). In other words, the two generators produce exactly the same sequence if the initial state of the LFSR defined by \(\alpha ^k\) satisfies \(Y_0=X_0^k\), as depicted on Fig. 2. It is important to notice that the least period of the sequence generated by the LFSR defined by \(\alpha ^k\) is

*k* is no longer coprime to \((2^n-1)\). However, we get some information on \(X_0\).

### Lemma 1

The knowledge of \(X_0^k\) gives \(\log _2(\tau _k)\) bits of information on \(X_0\) where \(\tau _k = (2^n-1)/\gcd (k,2^n-1)\).

### Proof

*r* is the unique integer in \([0,\tau _k-1]\) such that \(X_0^k=\alpha ^{rk}\). Indeed, if there exist \(r_1\) and \(r_2\) in \([0,\tau _k-1]\), \(r_1> r_2\), such that \(\alpha ^{r_1k}=\alpha ^{r_2k}\) then \(\alpha ^{(r_1-r_2)k}=1\). Then, \((r_1-r_2)\) is a multiple of \(\tau _k\) which is the order of \(\alpha ^k\). This is impossible since \(r_1-r_2 \in [1,\tau _k-1]\). Therefore, for \(X_0 = \alpha ^i\), the knowledge of \(X_0^k\) gives the value of the remainder of the Euclidean division of *i* by \(\tau _k\). It then provides \(\log _2(\tau _k)\) bits of information on \(X_0\). \(\square \)

### 4.3 Recovering the Remaining Bits of the Initial State

*i* by \(\mathsf {lcm}(\tau _{k_1},\tau _{k_2})\). The best situation for the attacker is obviously the case where \(\tau _{k_1}\) and \(\tau _{k_2}\) are coprime, otherwise there is some redundancy between the information retrieved by the two distinct attacks.

### 4.4 Fast Correlation Attack When \(H\) is Linear

In the correlation attack, the target generator is composed of the LFSR defined by \(\alpha ^k\) filtered by a Boolean function \(H\), and it generates sequences \(\sigma \) with period \(\tau _k < (2^n-1)\). Then, as noticed in the pioneer work by Meier and Staffelbach [32], any \(N\)-bit portion of \(\sigma \) can be seen as a codeword in a code of length \(N\) and size \(\tau _k\). Therefore, recovering the initial state of the target generator boils down to decoding the corresponding \(N\)-bit keystream with respect to this code since the keystream can be identified with the result of the transmission of \(\sigma \) through a binary symmetric channel with error-probability \(\frac{1}{2}(1-\varepsilon )\) where \(\varepsilon \) is the correlation between the two sequences.

In the specific case where the function *H* defining \(G(x)=H(x^k)\) is linear, i.e., \(H(x)=\mathsf {Tr}(\lambda x)\) for some \(\lambda \in \mathbb {F}_{2^n}\), the involved code is a linear code. Some decoding algorithms dedicated to linear codes can then be used. These algorithms are faster than the exhaustive search (which corresponds to a maximum-likelihood decoding), at the price of a higher data complexity. The corresponding attack is then named *fast correlation attack* [32]. Obviously, a major parameter affecting the complexity of the decoding procedure is the dimension of the involved code. This dimension is the degree of the minimal polynomial of \(\alpha ^k\), which may be smaller than \(n\): it corresponds to the size \(n_k\) of the cyclotomic class of *k*. Equivalently, \(n_k\) is the smallest integer \(m\) such that \(2^m \equiv 1 \bmod {\tau _k}\). In other words, if \(\alpha ^k\) belongs to a subfield \(\mathbb {F}_{2^m}\) of \(\mathbb {F}_{2^n}\), then the fast correlation attack consists in decoding a linear code of dimension \(m\), instead of a code of dimension \(n\). This may enable the attacker to recover \(\log _2(\tau _k)\) bits of the initial state with a lower complexity than the fast correlation attack involving the original LFSR of length \(n\). The optimal situation which maximizes the number of bits recovered by the attacker for a given complexity is then when \(\tau _k=2^m-1\) for some divisor \(m\) of \(n\), i.e., when \(k\) is such that \(\gcd (k, 2^n-1) = (2^n-1)/(2^m-1)\). Several decoding algorithms have been proposed in this context [6, 7, 8, 21, 22, 32, 33] which offer different trade-offs between the dimension of the code and the error probability (see [1] for a recent survey).
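The parameters that decide whether a non-bijective exponent is worth worrying about (Lemma 1 and Sect. 4.4) are pure integer arithmetic on \(n\) and \(k\). The following Python, added here as an illustration and not taken from the paper, computes \(\tau _k\), the code dimension \(n_k\), the number of initial states sharing a given \(X_0^k\), and the subfield exponents \((2^n-1)/(2^m-1)\) for the divisors \(m\) of \(n\); it also checks Lemma 1 by brute force over the exponents \(i\) of \(X_0=\alpha ^i\), and tests whether \(2^n-1\) is composite at all, which is the condition the conclusion’s Mersenne-prime recommendation removes. The values of Examples 1 and 3 (\(n=10, k=33\) and \(n=12, k=45\)) are used as inputs; all function names are this example’s own.

```python
from math import gcd, log2

def tau(n, k):
    """Least period of the LFSR defined by alpha^k: tau_k = (2^n-1)/gcd(k, 2^n-1) (Lemma 1)."""
    N = (1 << n) - 1
    return N // gcd(k, N)

def code_dimension(n, k):
    """n_k: degree of the minimal polynomial of alpha^k, i.e. the least m with 2^m = 1 mod tau_k (Sect. 4.4).
    It is the dimension of the linear code decoded by the fast correlation attack when H is linear."""
    t = tau(n, k)
    m, p = 1, 2 % t
    while p != 1 % t:
        m, p = m + 1, (2 * p) % t
    return m

def candidates_for_x0(n, k):
    """Number of initial states sharing a given X_0^k: gcd(k, 2^n-1) = (2^n-1)/tau_k (Lemma 1)."""
    N = (1 << n) - 1
    return gcd(k, N)

def information_bits(n, k):
    """log2(tau_k) bits of X_0 are determined by X_0^k (Lemma 1)."""
    return log2(tau(n, k))

def lemma1_holds(n, k):
    """Brute-force check of Lemma 1 on exponents: with X_0 = alpha^i, the map i -> ik mod (2^n-1)
    (X_0 -> X_0^k) is constant exactly on the classes of i modulo tau_k, each of size gcd(k, 2^n-1)."""
    N, t = (1 << n) - 1, tau(n, k)
    classes = {}
    for i in range(N):
        classes.setdefault((i * k) % N, []).append(i)
    return len(classes) == t and all(
        len(c) == gcd(k, N) and len({i % t for i in c}) == 1 for c in classes.values())

def subfield_exponents(n):
    """For each proper divisor m > 1 of n, the exponent g = (2^n-1)/(2^m-1): every k with gcd(k, 2^n-1) = g
    gives tau_k = 2^m-1 and alpha^k in the subfield GF(2^m), the optimal case of Sect. 4.4."""
    N = (1 << n) - 1
    return {m: N // ((1 << m) - 1) for m in range(2, n) if n % m == 0}

def has_proper_subgroup(n):
    """True iff 2^n-1 is composite, i.e. some non-bijective x -> x^k gives 1 < tau_k < 2^n-1;
    choosing n with 2^n-1 a Mersenne prime (Sect. 5) makes this False."""
    N = (1 << n) - 1
    return any(N % d == 0 for d in range(2, int(N ** 0.5) + 1))

def summary(n, k):
    """The quantities a designer checks for one exponent k."""
    return {"tau_k": tau(n, k), "n_k": code_dimension(n, k),
            "bits": information_bits(n, k), "candidates": candidates_for_x0(n, k)}

if __name__ == "__main__":
    print(summary(10, 33))   # Example 1 of the paper: tau = 31, n_k = 5, 33 candidates for X_0
    print(summary(12, 45))   # Example 3: tau = 91, n_k = 12 (no subfield shortcut)
    print(subfield_exponents(10), subfield_exponents(12))
    for n in (7, 10, 11, 13):
        print(n, has_proper_subgroup(n))
```

Note that `has_proper_subgroup(11)` is true although 11 is prime: \(2^{11}-1 = 2047 = 23 \times 89\), so the conclusion’s condition is on \(2^n-1\) being prime, not only on \(n\).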

### Example 1

Let us consider an LFSR of size 10 with primitive characteristic polynomial \(P(X)=X^{10}+X^9+X^7+X^6+X^5+X^4+X^3+X^2+1\). We then use as a filtering function a balanced function of \(10\) variables with a high nonlinearity obtained by Dobbertin’s construction [12]. As described by Dobbertin, we start from a bent function which is constant on a subspace of dimension \(\frac{n}{2}\) and replace this constant restriction by a balanced function in order to make the whole function balanced. Here we start from \(\mathsf {Tr}(\alpha x^{33})\) where \(\alpha \) is a root of *P* since this function is bent, and modify it as in [12]. It is worth noticing that this modification makes the function much more complex. In particular, it increases its degree and its linear complexity, at the price of a very small degradation of its nonlinearity. We construct this way a balanced function \(F\) of \(10\) variables with nonlinearity 481 and algebraic immunity 3. By computing its univariate representation, we get that the linear complexity of the keystream is equal to 992. Therefore, this filtering function meets all design criteria related to algebraic-like attacks and to fast correlation attacks. However, by construction, our filtered function *F* is very close to the Boolean function \(G(x)=\mathsf {Tr}(\alpha x^{33})\). This means that the keystream is highly correlated to the output of the LFSR defined by \(\alpha ^{33}\). Indeed, the correlation between the two sequences equals \(\varepsilon = 1 - 2^{-9} \mathsf {d}_H(F,G) = 0.96\). We can mount a fast correlation attack on an LFSR of size 5, and we recover almost 5 bits of the internal state of the generator. This attack is obviously much faster than the usual fast correlation attack: in our new setting, the involved correlation is \(\varepsilon = 0.96\) and the code dimension is \(n_{33}=5\), while the usual fast correlation attack corresponds to a correlation \(\varepsilon ' = 1- 481 \times 2^{-9} = 0.06\) and code dimension \(n=10\). The remaining \(5\) bits of the initial state can be determined by an exhaustive search over 33 possible values.

### Example 2

Let us consider the same LFSR of size 10 as in Example 1, but now filtered by a Boolean function which is not constructed from a monomial function. We choose as a filtering function the following function of \(6\) variables:

\(f(x_0,x_1,x_2,x_3,x_4,x_5)=x_0x_1x_2x_3x_4 + x_0x_1x_2x_3x_5 + x_0x_1x_2x_4x_5 + x_0x_1x_2x_4 + x_0x_1x_2 + x_0x_1x_3x_4 + x_0x_1x_3 + x_0x_1x_4 + x_0x_1x_5 + x_0x_1 + x_0x_2x_3x_4 + x_0x_2x_3x_5 + x_0x_2x_4x_5 + x_0x_2x_4 + x_0x_2 + x_0x_3x_4 + x_0x_4 + x_0 + x_1x_2x_3x_4x_5 + x_1x_2x_3x_4 + x_1x_2x_3x_5 + x_1x_2x_3 + x_1x_2x_4 + x_1x_2 + x_1x_3x_5 + x_1x_3 + x_1x_4 + x_1x_5 + x_1 + x_2x_3x_4x_5 + x_2x_3x_4 + x_2x_3x_5 + x_2x_3 + x_2 + x_3x_4 + x_4x_5 + x_4\)

### 4.5 Correlation Attack Using a Fast Fourier Transform When \(H\) is Nonlinear

*N* is the number of keystream bits we need to be able to detect the bias, i.e., \(N=\frac{2\ln (\tau _k)}{\varepsilon ^2}\) where \(\varepsilon \) is the expected correlation. The time complexity of this algorithm is therefore proportional to

^{2}. A similar technique has been described in [5, 34] but in an attack against combination generators. We now prove that it also applies in our context.

### Example 3

Let us consider the LFSR of size 12 with characteristic polynomial \(P(X)=X^{12}+X^{10}+X^9+X^8+X^7+X^5+X^4+X^3+X^2+X+1\) and filtered by the same \(6\)-variable function as in Example 2, but where the inputs of \(F\) are now defined by the tapping sequence \((\gamma _1,\ldots , \gamma _6) = (11,10,7,5,2,0)\). Then, the correlation between \(F\) and any function of the form \(G= \mathsf {Tr}(\lambda x^{k})\) with \(k = \ell \frac{2^n-1}{2^m-1}\) and \(\gcd (\ell , 2^n-1)=1\) is too low for improving on the classical correlation attack. However, we can use \(k=45\) which satisfies \(\mathsf {ord}(\alpha ^k)=91\). In this case, we are able to get a higher correlation since we allow all possible functions \(H\), not only the linear ones. Here, the best approximation by a function of the form \(G(x)=H(x^k)\) gives us a correlation equal to 0.125. With an FFT, the attack requires roughly \((592+574)=1166\) operations, and 574 keystream bits. The whole initial state can then be recovered by an exhaustive search.

### 4.6 Approximation of the Filtering Function by \(H(x^k)\)

All previous correlation attacks exploit the existence of a function \(G\) of the form \(G(x)=H(x^k)\) for some \(k\) with \(\gcd (k,2^n-1) > 1\), which provides a good approximation of \(F\). In particular, the fast correlation attacks involving a shorter LFSR point out that the notion of generalized nonlinearity as defined in [41] must be extended in order to capture these new attacks: it appears that the distance of the filtering function to all \(\mathsf {Tr}(\lambda x^k)\) with \(k= \ell \times \frac{2^n-1}{2^m-1}\) where \(m\) is a divisor of \(n\) and \(\gcd (\ell , 2^n-1)=1\) is a much more relevant quantity than its distance to the components of monomial permutations.

*F* as follows. For the sake of simplicity, we now suppose that \(k\) is a divisor of \((2^n-1)\), or equivalently that \(\tau = (2^n-1)/k\) (otherwise, we get similar results by replacing \(k\) by \(\gcd (k,2^n-1)\)). Let \(\langle \alpha ^\tau \rangle \) be the cyclic subgroup of \(\mathbb {F}_{2^n}\) of order \(k\). Then, by shifting this cyclic subgroup, we obtain the sets \(E_i=\alpha ^i \langle \alpha ^\tau \rangle \), for \(0 \le i < \tau \) which provide the partition

While in usual (fast) correlation attacks, choosing a filtering function with a high nonlinearity guarantees that the attack will be infeasible, this is not the case here. For instance, some bent functions in the so-called class \(\mathcal {PS}^{-}\) [11] are constant on all sets \(\lambda \langle \alpha ^\tau \rangle \) for \(\tau =2^{n/2}+1\), while they have the best nonlinearity.

The previous results enable us to find the best approximation of \(F\) by a function of the form \(H(x^k)\). However, improving the complexity of this search when \(n\) grows and \(F\) depends on a few inputs only remains an open issue. Indeed, it seems difficult to use this property of \(F\) to simplify the search for the optimal \(H\). Another open problem is to be able to find in an efficient way the best approximation of the form \(G(x)=\mathsf {Tr}(\lambda x^k)\).
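The coset partition of this section gives a direct way to evaluate the extended criterion, i.e. the distance of a filtering function to every \(H(x^k)\). The Python below is an added example (not code from the paper or its authors) over the toy field \(\mathbb {F}_{2^6}\) with primitive polynomial \(X^6+X+1\), a choice made for this example. Since \(x^k\) is constant on each coset \(E_i = \alpha ^i \langle \alpha ^\tau \rangle \), the best \(H\) takes on \(E_i\) the majority value of \(F\) and the distance is the sum of the minority counts; scanning one representative \(k\) per divisor \(\tau \) of \(2^n-1\) is enough because, as noted above, only \(\gcd (k, 2^n-1)\) matters. The filtering function is constructed as \(H_0(x^9)\) (so \(x^9\) ranges over the subfield \(\mathbb {F}_8^*\), the Sect. 4.4 case with \(m=3\)) with three values flipped, which fixes the expected minimal distance at 3 for \(\tau =7\). All names are the example’s own.

```python
from math import gcd

N_BITS = 6
PRIM_POLY = 0b1000011        # X^6 + X + 1, primitive over GF(2); toy size assumed for this example
ORDER = (1 << N_BITS) - 1    # 63 = 3 * 3 * 7, so tau can be 1, 3, 7, 9, 21 or 63

def alpha_powers():
    """alpha^j for 0 <= j < 2^n-1 with alpha = X mod PRIM_POLY; elements are ints holding their coordinates."""
    pw, a = [], 1
    for _ in range(ORDER):
        pw.append(a)
        a <<= 1
        if a >> N_BITS:
            a ^= PRIM_POLY
    return pw

POW = alpha_powers()
LOG = {x: j for j, x in enumerate(POW)}     # discrete logarithm table: LOG[alpha^j] = j

def monomial(x, k):
    """x^k for nonzero x, computed through the log table."""
    return POW[(LOG[x] * k) % ORDER]

def best_approximation(F, k):
    """Closest G(x) = H(x^k) to F on GF(2^n)^* (Sect. 4.6). With tau = (2^n-1)/gcd(k, 2^n-1), x^k takes
    the constant value alpha^(ik) on the coset E_i = alpha^i <alpha^tau>, so the best H is the majority
    value of F on E_i and the distance is the sum of the minority counts. Returns (distance, G)."""
    g = gcd(k, ORDER)
    tau = ORDER // g
    ones = [0] * tau                          # number of x in E_i with F(x) = 1
    for j in range(ORDER):
        ones[j % tau] += F(POW[j])            # alpha^j belongs to E_(j mod tau)
    H, dist = {}, 0
    for i in range(tau):
        H[POW[(i * k) % ORDER]] = 1 if ones[i] > g - ones[i] else 0
        dist += min(ones[i], g - ones[i])
    return dist, (lambda x: H[monomial(x, k)])

def scan_divisors(F):
    """Distance of F to the best H(x^k) for every subgroup order tau | 2^n-1 with tau < 2^n-1.
    One representative k = (2^n-1)/tau per tau suffices since only gcd(k, 2^n-1) matters."""
    return {tau: best_approximation(F, ORDER // tau)[0] for tau in range(1, ORDER) if ORDER % tau == 0}

def correlation(F, G):
    """epsilon = 1 - 2 d_H(F, G)/(2^n-1), the Hamming distance being taken over the nonzero elements."""
    return 1 - 2 * sum(F(x) != G(x) for x in POW) / ORDER

# Constructed filtering function: h0 applied to x^9 (x^9 ranges over GF(8)^* = <alpha^9>, the subfield
# case of Sect. 4.4 with m = 3), with three values flipped afterwards.
def h0(y):
    return (y & 1) ^ (((y >> 3) & 1) & ((y >> 4) & 1))

FLIPS = {POW[1], POW[2], POW[3]}   # alpha, alpha^2, alpha^3 lie in distinct cosets for tau = 7 and tau = 21

def F_base(x):
    return h0(monomial(x, 9)) if x else 0

def F(x):
    return F_base(x) ^ (1 if x in FLIPS else 0)

if __name__ == "__main__":
    dist, G = best_approximation(F, 9)
    print(dist, correlation(F, G), scan_divisors(F))
```

Used as a design check, `scan_divisors` reports, for each subgroup order, how far the candidate function is from the closest \(H(x^k)\); a small entry for some \(\tau \) signals exactly the weakness this section describes, and, as the \(\mathcal {PS}^{-}\) example in the text shows, it is not ruled out by a high classical nonlinearity.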

## 5 Conclusions

While the monomial equivalence introduced by Rønjom and Cid does not affect the security of filter generators regarding algebraic attacks, it usually allows to decrease the complexity of correlation attacks and their variants. Most importantly, considering a non-bijective monomial mapping enables the attacker to mount a divide-and-conquer attack by decomposing the set of all nonzero initial states with respect to some multiplicative subgroup having a smaller order. If the LFSR length is not a prime, the involved subgroup may be a subfield and this divide-and-conquer attack can be further improved as in fast correlation attacks. A counter-measure to avoid these attacks then consists in choosing for the LFSR length a Mersenne prime, i.e. both \(n\) and \((2^n-1)\) are prime.

## References

- 1. Ågren, M., Löndahl, C., Hell, M., Johansson, T.: A survey on fast correlation attacks. Cryptogr. Commun. 4(3–4), 173–202 (2012)
- 2. Blahut, R.E.: Theory and Practice of Error Control Codes. Addison-Wesley, Boston (1983)
- 3. Blahut, R.E.: Fast Algorithms for Digital Signal Processing. Addison-Wesley, Boston (1985)
- 4. Canteaut, A.: Filter generator. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, pp. 726–729. Springer, Heidelberg (2011)
- 5. Canteaut, A., Naya-Plasencia, M.: Correlation attacks on combination generators. Cryptogr. Commun. 4(3–4), 147–171 (2012)
- 6. Canteaut, A., Trabbia, M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 573–588. Springer, Heidelberg (2000)
- 7. Chepyzhov, V.V., Johansson, T., Smeets, B.: A simple algorithm for fast correlation attacks on stream ciphers. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 181–195. Springer, Heidelberg (2001)
- 8. Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: an algorithmic point of view. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 209–221. Springer, Heidelberg (2002)
- 9. Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)
- 10. Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)
- 11. Dillon, J.: Elementary Hadamard difference sets. Ph.D. thesis, University of Maryland (1974)
- 12. Dobbertin, H.: Construction of bent functions and balanced Boolean functions with high nonlinearity. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 61–74. Springer, Heidelberg (1995)
- 13. ECRYPT - European Network of Excellence in Cryptology: The eSTREAM Stream Cipher Project (2005). http://www.ecrypt.eu.org/stream/
- 14. Golic, J.D.: On the security of nonlinear filter generators. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 173–188. Springer, Heidelberg (1996)
- 15. Golomb, S.W., Gong, G.: Signal Design for Good Correlation: For Wireless Communication, Cryptography, and Radar. Cambridge University Press, Cambridge (2004)
- 16. Gong, G.: A closer look at selective DFT attacks. CACR report 2011–35, University of Waterloo (2011)
- 17. Gong, G., Rønjom, S., Helleseth, T., Hu, H.: Fast discrete Fourier spectra attacks on stream ciphers. IEEE Trans. Inf. Theor. 57(8), 5555–5565 (2011)
- 18. Hell, M., Johansson, T., Brynielsson, L.: An overview of distinguishing attacks on stream ciphers. Cryptogr. Commun. 1(1), 71–94 (2009)
- 19. Helleseth, T.: Maximal-length sequences. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, 2nd edn, pp. 763–766. Springer, Heidelberg (2011)
- 20. Helleseth, T., Rønjom, S.: Simplifying algebraic attacks with univariate analysis. In: Information Theory and Applications - ITA 2011, pp. 153–159. IEEE (2011)
- 21. Johansson, T., Jönsson, F.: Improved fast correlation attacks on stream ciphers via convolutional codes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 347–362. Springer, Heidelberg (1999)
- 22. Johansson, T., Jönsson, F.: Fast correlation attacks through reconstruction of linear polynomials. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 300–315. Springer, Heidelberg (2000)
- 23. Joux, A.: Algorithmic Cryptanalysis. Chapman & Hall/CRC, London (2009)
- 24. Key, E.L.: An analysis of the structure and complexity of nonlinear binary sequence generators. IEEE Trans. Inf. Theor. 22, 732–736 (1976)
- 25. Lidl, R., Niederreiter, H.: Finite Fields. Cambridge University Press, Cambridge (1983)
- 26. Lu, Y., Vaudenay, S.: Faster correlation attack on bluetooth keystream generator E0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 407–425. Springer, Heidelberg (2004)
- 27. MacWilliams, F.J., Sloane, N.J.: The Theory of Error-correcting Codes. North-Holland, Amsterdam (1977)
- 28. Massey, J.L., Serconek, S.: A Fourier transform approach to the linear complexity of nonlinearly filtered sequences. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 332–340. Springer, Heidelberg (1994)
- 29. Maximov, A., Johansson, T., Babbage, S.: An improved correlation attack on A5/1. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 1–18. Springer, Heidelberg (2004)
- 30. McEliece, R.J.: Finite Fields for Computer Scientists and Engineers. Kluwer, Dordrecht (1987)
- 31. Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of Boolean functions. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491. Springer, Heidelberg (2004)
- 32. Meier, W., Staffelbach, O.: Fast correlation attack on certain stream ciphers. J. Cryptol. 1, 159–176 (1989)
- 33. Mihaljević, M.J., Fossorier, M.P.C., Imai, H.: A low-complexity and high-performance algorithm for the fast correlation attack. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 196–212. Springer, Heidelberg (2001)
- 34. Naya-Plasencia, M.: Cryptanalysis of Achterbahn-128/80. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 73–86. Springer, Heidelberg (2007)
- 35. Rønjom, S.: Powers of subfield polynomials and algebraic attacks on word-based stream ciphers. IACR Cryptology ePrint Archive 2015/495 (2015)
- 36. Rønjom, S., Cid, C.: Nonlinear equivalence of stream ciphers. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 40–54. Springer, Heidelberg (2010)
- 37. Rønjom, S., Gong, G., Helleseth, T.: On attacks on filtering generators using linear subspace structures. In: Golomb, S.W., Gong, G., Helleseth, T., Song, H.-Y. (eds.) SSC 2007. LNCS, vol. 4893, pp. 204–217. Springer, Heidelberg (2007)
- 38. Rønjom, S., Helleseth, T.: A new attack on the filter generator. IEEE Trans. Inf. Theor. 53(5), 1752–1758 (2007)
- 39. Rueppel, R.A.: Analysis and Design of Stream Ciphers. Springer, Heidelberg (1986)
- 40. Siegenthaler, T.: Decrypting a class of stream ciphers using ciphertext only. IEEE Trans. Comput. C–34(1), 81–84 (1985)
- 41. Youssef, A.M., Gong, G.: Hyper-bent functions. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 406–419. Springer, Heidelberg (2001)
- 42. Zierler, N.: Linear recurring sequences. J. Soc. Indus. Appl. Math. 7, 31–48 (1959)