Think Before Your LFSRs Jump

Mujahid Mohsin, College of Telecommunication, NUST, Rawalpindi, Pakistan, mujahidmohsin@mcs.edu.pk
Mehreen Afzal, College of Telecommunication, NUST, Rawalpindi, Pakistan, mehreenafzal@mcs.edu.pk
Muhammad Arif Wahla, College of Telecommunication, NUST, Rawalpindi, Pakistan, arif@mcs.edu.pk

Abstract—This paper scrutinizes the structure of jump-controlled LFSRs for resistance against the generalized correlation attack based upon the Constrained Levenshtein Distance (CLD) measure. It proves that, for a given number of cipher text bits, the CLD computation is independent of the jump index. However, based upon the inherent relation between the jump index and the deletion rate, it is argued that structures utilizing primitive polynomials with large jump indices are relatively safer against the generalized correlation attack than their counterparts. The paper also presents a novel recursive algorithm for efficient computation of the CLD for jump-controlled structures, and another algorithm to defeat the complexity induced by high deletion rates.

Keywords-Linear finite state machine, jump controlling, edit distance attack, CLD computation

I. INTRODUCTION

Linear feedback shift registers (LFSRs), along with some non-linear component, are considered ideal for the design of stream ciphers, not only for the good statistical properties of the sequences they produce but also for the simplicity and speed of their hardware implementation. Irregular clocking of shift registers is a time-tested technique for introducing non-linearity, and it has been employed in a number of practical stream cipher designs such as the GSM standard A-5 and LILI [1]. One of the known problems with clock-controlled structures is their susceptibility to side channel attacks because of their irregular bit output rate. Moreover, these designs are not best suited for high speed implementations owing to the inherent delays of multiple clocking. Practical stream cipher designs therefore have to address these shortcomings. One such intelligent design is that of jumping LFSRs [2], in which the LFSRs are taught to make 'jumps' without traversing the intermediate states. This concept has been utilized successfully in certain stream ciphers of the eSTREAM project [3], such as Pomaranch [4] and Mickey [5].

The problem of string comparison has been extensively studied in the literature, especially in the fields of error detection, voice recognition, bio-molecular sciences and gas chromatography. A nice compilation of these applications can be found in [6]. A number of efficient algorithms have been developed in this regard, including the computation of edit distance based upon permissible edit operations (such as substitutions, deletions and insertions). This distance, also known as the Generalized Levenshtein Distance, is measured as the minimum number of edit operations required to equate two strings.

The peculiar design of clock-controlled structures dictates that the conventional correlation attack based upon Hamming distance cannot be applied to these designs. In [7] a new attack, termed the 'generalized correlation attack', was proposed by Golic and Mihaljevic. The algorithm developed in [7] was based upon the Constrained Levenshtein Distance (CLD) measure and can be regarded as a 'binary stream specific attack' derived from the more general constrained string editing approach [8], with deletions (caused by irregular clocking) and substitutions (caused by the plain-text x-or) as the only permissible edit operations.

In this article, we examine the basic structure of the jump-LFSR for resistance against the generalized correlation attack and prove that these structures are also not safe against the mentioned attack. We support our claim by presenting an efficient recursive algorithm for CLD computation of a basic jump-controlled structure.

The rest of the paper is organized as follows. Section II reproduces some of the basics of jump-control structures. Section III is dedicated to the generalized correlation attack and its application to a basic jump-clocked structure. In section IV, we give a novel algorithm for computation of the CLD, specific to such structures. Moreover, we also present an algorithm for dealing with jump-controlled structures having large deletion rates. Finally, we conclude in section V.

II. HOW LFSRS JUMP

This section is devoted to a brief description of the basic structure of jumping LFSRs. For a detailed description one may refer to [9], [10]. Consider an LFSR as shown in Figure 1. The connection polynomial (also known as the feedback polynomial) of an LFSR of length L is represented as:

$$F(x) = \sum_{i=0}^{L} c_i x^i;\qquad c_0 = c_L = 1$$

At each clock, the LFSR produces a bit based upon the linear recurrence:

$$s_{j+L} = \sum_{i=1}^{L} c_i\, s_{j+L-i}$$

Figure 1. Linear Feedback Shift Register

An alternate way of defining the operation of an LFSR is to consider it as a Linear Finite State Machine (LFSM). Thus, the transitions between the states of an LFSR can be completely defined with the help of an $(L \times L)$ transition matrix, where L is the degree of the irreducible feedback polynomial of the LFSR. The transition matrix of the LFSR of Figure 1 is thus given as:

$$T = \begin{pmatrix} c_1 & 1 & 0 & \cdots & 0 \\ c_2 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & 0 \\ c_{L-1} & 0 & 0 & \cdots & 1 \\ c_L & 0 & 0 & \cdots & 0 \end{pmatrix}$$

The state $\delta_t^L$ of the LFSM at any given time t can be obtained as:

$$\delta_t^L = \delta_{t-1}^L\, T$$

where $\delta_{t-1}^L$ is the $(1 \times L)$ state vector representing the state at time $(t-1)$. Following linear algebra, the characteristic polynomial $f(x)$ of this LFSM is equal to $\det(xI - T)$, where I is the $(L \times L)$ identity matrix. Thus, a jump of J steps can be executed by multiplying the LFSM's state vector with $T^J$ and then appropriately rewiring the circuit. Since it is not easy to implement an involution circuit for an arbitrary J value, the jump J is selected such that:

$$x^J = (x + 1) \bmod f(x) \qquad (1)$$

Under this condition a jump of J steps can be achieved as $\delta_{t-1}^L (T + I)$, which is an easily implementable involution operation. If such a J exists for which equation 1 holds, then J is called the jump index of f, and the characteristic polynomial of the modified matrix, $\det((x+1)I + T) = f(x+1)$, is called the dual $f^{\perp}(x)$ of f. It is also easy to prove that the jump index of a primitive polynomial always exists, and that if the dual polynomial is also primitive then $J^{\perp} = J^{-1} \bmod \lambda$, where $\lambda = 2^L - 1$ is the period. Moreover, the jump index of the reciprocal polynomial is $J^{*} = (1 - J) \bmod \lambda$ [9].

A. Basic Jump-Control Structure

Consider a basic clock control structure (as shown in Figure 2) comprising two LFSMs. LFSM-A is clocked regularly and produces an i.i.d. binary sequence. Let $X = \{x_i\}_{i=1}^{\infty}$ be the binary stream produced by LFSM-B. The output of A is used to decimate X in such a way that B is stepped $c_0$ or $c_1$ times if A produces a 0 or a 1 respectively. Thus, the sequence Y can be represented as:

$$y_1 = x_1,\quad\text{and for } n > 1:\quad y_n = x_{f(n)};\qquad f(n) = 1 + \sum_{i=1}^{n-1} d_i$$

where $D^n = d_1 d_2 \ldots d_n$, $d_i \in D = \{c_0, c_1\}$, is the clock controlling sequence, which depends upon the output of LFSM-A: if the i-th bit produced by A is 1 (0) then $d_i = c_1$ ($c_0$). U is taken as a realization of an unbalanced binary noise sequence $U^n$ (i.e. $\Pr(U = 0) \neq \Pr(U = 1)$), which may be constructed using the plain text statistics. Finally, the cipher text Z is produced by the traditional exclusive-or, $z_n = y_n \oplus u_n$.

Figure 2. Basic Jump/Clock Controlled Structure

Without loss of generality we assume both state machines to be LFSRs with $L_1$ and $L_2$ stages and primitive characteristic polynomials, with maximal periods $p_1 = 2^{L_1} - 1$ and $p_2 = 2^{L_2} - 1$ respectively when operated in isolation. Let one period (of length $p_1$) of the output of LFSR-A contain $N_0$ zeros and $N_1$ ones; then the total number of steps made by LFSR-B in one cycle of LFSR-A is $N_s = c_0 N_0 + c_1 N_1$. Let the output key stream have a maximum period of $p_1 p_2$, which rests on the necessary condition that $\gcd(N_s, p_2) = 1$.

The clock-controlled model presented in Figure 2 is not a true implementation of jump-controlling, because, instead of decimating the output stream, jumps are executed by directly controlling the input clock of LFSR-B [9]. However, to make our work easily understandable, we follow the same model for jump-controlling as well. To simulate a jump control structure, let $c_0$ and $c_1$ be equal to 1 and J respectively, where J is the jump index of the characteristic polynomial of LFSR-B. Hence, LFSR-B clocks normally or makes a jump depending on whether the output of LFSR-A is 0 or 1 respectively. The deletion rate of the clock-controlled generator is given as:

$$d_r = 1 - 1/d^{*},\qquad d^{*} = \sum_{d \in D} d \Pr(d)$$
If the jump controller (LFSR-A in our case) is balanced, i.e. $\Pr(D = 1) = \Pr(D = J) = 0.5$, then

$$d_r = \frac{J - 1}{J + 1}$$

This equation states that the deletion rate of jump-controlled structures increases with the jump index and approaches 1 for very large values of J. The initial states of both LFSRs combine to form the secret key. We assume that the characteristic polynomials of both LFSRs are known. Our aim is to recover the key with a computational complexity lower than that of exhaustive search.

III. GENERALIZED CORRELATION ATTACK

In this section, we present a general framework of an attack based upon the CLD, specific to the jump structure described in the previous section. Let $X^M = \{x_i\}_{i=1}^{M}$ be the LFSR-B sequence produced by an initial state $X_j^{L_2}$ ($1 \le j \le 2^{L_2}$) and $Z^N = \{z_i\}_{i=1}^{N}$ ($N \le M$) be the N cipher bits known to the attacker. Then, for the jump-control structure, the CLD (also known as the constrained edit distance) $d$ between $X^M$ and $Z^N$ is defined as the minimum sum of elementary edit operations (deletions and substitutions) required in $X^M$ to make it identical to $Z^N$, with the constraint that the number of consecutive deletions be exactly $\Delta_J = J - 1$. Since the total number of deletions will always be $M - N$, the CLD can alternatively be defined as carrying out $M - N$ deletions in $X^M$ (while abiding by the mentioned constraint) in such a way that the number of substitutions required to match the two strings is minimum. The constraint on consecutive deletions follows from the inherent jump-control structure, which implies that $M - N$ should always be a non-negative multiple of $\Delta_J$. The value of $\Delta_J$ for a primitive polynomial of degree $L_2$ is bounded as follows [9]:

$$L_2 - 1 \le \Delta_J \le 2^{L_2} - L_2 - 1$$

In [7], a generalized correlation attack was proposed on clock-controlled structures, based upon the CLD measure. The paper used the distance d as the decision criterion for choosing between the following two hypotheses:

H0: The observed sequence $Z^N$ is produced by the initial state $X_j^{L_2}$.
H1: The observed sequence $Z^N$ is not produced by the initial state $X_j^{L_2}$.

The output of a jump-controlled LFSR is identical to that of the conventional {1, J} clocked structure; the two differ only in the method of implementation. Hence, a similar attack can also be launched on jump-control structures. The attack is based upon a threshold value t of the edit distance, which is calculated in the pre-computation phase. Let $\acute{D}$ be the probability distribution representing the outcome of the edit distance d. Initially, appropriate values for the probability of a missing event, $P_m = \Pr(\acute{D} > t \mid H_0)$, and the probability of a false alarm, $P_f = \Pr(\acute{D} \le t \mid H_1)$, are selected for the attack. Then the threshold t is set to the maximum edit distance value calculated between $X_i^M$ ($1 \le i \le 1/P_m$) and $Z^N$ for $1/P_m$ randomly selected initial states.

The values of N and M must be carefully selected to obtain reliable results from the edit distance measure. The length M is selected as a function of N depending upon the probability of a missing event. The peculiar design of jump-controlling dictates that the last edit operation is always a substitution. Moreover, since the model produces the key-stream bit before applying the normal or jump clock (depending upon the controller's output bit), $y_1$ is always equal to $x_1$ irrespective of the value of $d_1$. Hence, the value of M is bounded by:

$$N \le M \le N + (N - 1)\Delta_J$$

An optimum value of M for the attack can be $M = M_{exp} + c\sqrt{N}$, where $M_{exp} = (J + 1)N/2$ is the expected value of M and c is a constant used to control the probability of a missing event and to make $M - N$ a multiple of $\Delta_J$.

After agreeing upon the values of M and N and calculating the acceptable threshold t, the edit distance between $X^M$ and $Z^N$ is calculated for all the remaining initial states, and hypothesis $H_0$ or $H_1$ is selected if $d \le t$ or $d > t$ respectively. All those initial states for which d is less than or equal to t form the set of candidate initial states.

IV. CLD COMPUTATION

In [7], an algorithm was developed to compute the constrained Levenshtein distance. This algorithm computes the partial CLD $W(e, s)$, defined as the distance between the prefixes $X^{e+s}$ and $Z^s$ of $X^M$ and $Z^N$ respectively, under the same constraint. Here, e and s represent the number of deletions and substitutions respectively. $W(e, s)$ is computed recursively for all permitted values of e and s, which ultimately gives the desired CLD value $W(M - N, N)$. For the jump-control structure, the set of permitted values of e and s is given as:

$$0 \le s \le N,\qquad e = k\Delta_J \ \text{ for }\ 0 \le k \le \min\{(M - N)/\Delta_J;\ s - 1\}$$

Now we present an efficient recursive algorithm for calculating the CLD, specifically designed for jump-controlled structures. Although the algorithm follows the same concept of partial CLD as introduced in [8], [7], it is developed using an entirely different scheme, as given in the proof of Theorem 1.
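The jump mechanism of section II and the partial CLD $W(e, s)$ just defined, worked through in Python as an added example (not the paper's code): it finds the jump index J of a constructed 5-stage LFSR from its transition map, generates the {1, J} jump-controlled keystream of Figure 2, and computes $W(M - N, N)$ with the recursion stated in Theorem 1 below, checking it against a brute-force minimum over all jump sub-sequences. The polynomial, controller bits, noise and initial states are assumptions constructed for the demonstration.

```python
from itertools import combinations
# Constructed toy LFSR-B: 5 stages, characteristic polynomial x^5 + x^3 + 1 (primitive),
# i.e. s_{j+5} = s_{j+3} + s_j over GF(2); a state int holds s_{j+i} in bit i, output = bit 0.
L = 5

def lfsr_clock(state):
    """One normal clock: the linear map delta -> delta T of section II."""
    return (state >> 1) | ((((state >> 3) ^ state) & 1) << (L - 1))

def lfsr_jump(state):
    """The involution delta -> delta (T + I), which equals J normal clocks."""
    return state ^ lfsr_clock(state)

def jump_index():
    """Smallest J with T^J = T + I, i.e. x^J = x + 1 mod f(x) (equation 1)."""
    power = basis = [1 << i for i in range(L)]
    for j in range(1, 2 ** L):
        power = [lfsr_clock(v) for v in power]
        if power == [lfsr_jump(b) for b in basis]:
            return j
    raise ValueError("no jump index: polynomial is not primitive")

def keystream(state, control):
    """Figure 2 model: emit the bit, then clock (control 0) or jump (control 1)."""
    y = []
    for a in control:
        y.append(state & 1)
        state = lfsr_jump(state) if a else lfsr_clock(state)
    return y

def cld_recursive(x, z, delta_j, kmax, d0=1):
    """Theorem 1 recursion keyed by (k, s), e = k*delta_j; returns W(M-N, N)."""
    inf, w = float("inf"), {(0, 0): 0}
    for s in range(1, len(z) + 1):
        for k in range(min(kmax, s - 1) + 1):
            bit = x[k * delta_j + s - 1] ^ z[s - 1]
            normal = w.get((k, s - 1), inf)                      # last step: one clock
            jumped = w.get((k - 1, s - 1), inf) + d0 * delta_j   # last step: a jump
            w[(k, s)] = bit + min(normal, jumped)
    return w[(kmax, len(z))]

def cld_brute_force(x, z, delta_j, kmax, d0=1):
    """Section III definition: min Hamming distance over G(e, s) plus d0 per deleted bit."""
    n, best = len(z), float("inf")
    for jumps in combinations(range(n - 1), kmax):
        idx = [0]
        for step in range(n - 1):
            idx.append(idx[-1] + (delta_j + 1 if step in jumps else 1))
        best = min(best, sum(x[i] ^ b for i, b in zip(idx, z)))
    return best + d0 * kmax * delta_j

def demo():
    """Constructed instance: N = 8 cipher bits, true LFSR-B initial state 0b10011."""
    delta_j = jump_index() - 1
    control = [1, 0, 0, 1, 0, 1, 0, 0]            # LFSR-A output (constructed)
    noise = [0, 0, 1, 0, 0, 0, 0, 1]              # u_n with Pr(u = 1) < 0.5
    z = [y ^ u for y, u in zip(keystream(0b10011, control), noise)]
    kmax = sum(control[:len(z) - 1])              # jumps taken before y_N
    m = len(z) + kmax * delta_j                   # attacker would pick M ~ (J+1)N/2
    result = {"J": delta_j + 1, "M": m, "noise": sum(noise)}
    for name, state in (("true", 0b10011), ("wrong", 0b00101)):
        x = keystream(state, [0] * m)             # x_1 .. x_M: no jumps
        result[name] = (cld_recursive(x, z, delta_j, kmax),
                        cld_brute_force(x, z, delta_j, kmax))
    return result
```

For the true initial state the CLD cannot exceed the deletion cost $kmax \cdot \Delta_J$ plus the weight of the noise, which is the bound the threshold t exploits; the recursion and the brute-force definition agree for every candidate state.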
Theorem 1: For the jump-controlled structure, the partial CLD satisfies the recursion:

$$W(e, s) = (x_{e+s} \oplus z_s) + \min\{W(e, s - 1);\ W(e - \Delta_J, s - 1) + d_0 \Delta_J\}$$

for $1 \le s \le N$ and $e = k\Delta_J$, $0 \le k \le \min\{(M - N)/\Delta_J;\ (s - 2)\}$; and if $(s - 1)\Delta_J \le M - N$ then

$$W(e = (s - 1)\Delta_J, s) = (x_{e+s} \oplus z_s) + W(e - \Delta_J, s - 1) + d_0 \Delta_J$$

The proof of the theorem is given in the appendix. Here, $d_0$ is the elementary edit distance for deletion of one bit and can be replaced with unity for simplicity. The time and space complexities of the algorithm are both equal to $O(N(M - N)/\Delta_J)$.

Let $M = M_{exp} = [(J + 1)/2]N$. Then

$$M - N = N\Delta_J/2$$

and

$$N(M - N)/\Delta_J = N^2/2 \qquad (2)$$

Equation 2 implies that the computational complexity of the algorithm depends only upon N (the known cipher text bits) and is independent of $\Delta_J$. This is because, if the jump index is increased, the value of M also increases, keeping the term $(M - N)/\Delta_J$ constant. However, raising the jump index of the structure will certainly raise the space and time complexities of the generalized correlation attack, since for large J values M also grows enormously. Hence, the attacker would be required to generate and store extremely large bit streams for all the initial states and then calculate the CLD for each state. To defeat this complexity induced by large deletion rates, the attacker may also play smart: instead of generating all M bits for each initial state, he may jump directly to the desired bits using the same mechanism as explained in section II. The modified algorithm for dealing with large J values is given below.

A. Proposed Algorithm

Input: Initial state $\delta_1^{L_2} = \{\delta_1[L_2 - 1]\,\delta_1[L_2 - 2] \ldots \delta_1[0]\}$; binary sequence $\{z_n\}_{n=1}^{N}$; transition matrix X for the characteristic polynomial; and $\Delta_J$.

Output: CLD $= W(M - N, N)$

Procedure:
1: $W(0, 0) = 0$
2: for $s = 1$ to $N$ do
3:   $W(0, s) = W(0, s - 1) + (x_s \oplus z_s)$
4: end for
5: initial state $= \delta_1^{L_2}$
6: $W(\Delta_J, 2) = W(0, 1) + (x_{\Delta_J + 2} \oplus z_2) + \Delta_J$
7: $\delta_2^{L_2} = \delta_1^{L_2}\, X$
8: for $s = 3$ to $N$ do
9:   for $n = 1$ to $\min\{(M - N)/\Delta_J;\ (s - 2)\}$ do
10:    $e = n\Delta_J$
11:    $\delta_{e+s}^{L_2} = \delta_{e+s-\Delta_J-1}^{L_2}\,[X + I]$
12:    $x_{e+s} = \delta_{e+s}[0]$
13:    $W(e, s) = (x_{e+s} \oplus z_s) + \min\{W(e, s - 1);\ W(e - \Delta_J, s - 1) + \Delta_J\}$
14:    $\delta_{e+s-1}^{L_2} = \delta_{e+s}^{L_2}\,[X^{-1}]$
15:  end for
16:  if $(s - 1)\Delta_J \le M - N$ then
17:    $W(e = (s - 1)\Delta_J, s) = (x_{e+s} \oplus z_s) + W(e - \Delta_J, s - 1) + \Delta_J$
18:  end if
19:  $\delta_s^{L_2} = \delta_{s-1}^{L_2}\, X$
20: end for

This algorithm requires maintaining and updating only two state vectors, $\delta_s^{L_2}$ and $\delta_{e+s}^{L_2}$, which are then used to compute the desired bit $x_{e+s}$. Hence, lengthy streams of M bits need not be generated or stored for each initial state. The jumps can be implemented efficiently in hardware or software using simple x-or gates or operations respectively [9].

B. Recovery of Jump Controller's Initial State

After short-listing the candidate initial states and storing their corresponding $W(e, s)$ matrices, the initial state of the controller LFSR (LFSR-A) can be recovered. The success of the attack relies on the probability of false alarm $p_f$, which defines the cardinality of the set of candidate initial states and hence must be kept very low. A number of efficient algorithms, such as directed depth first [11] and k-best paths algorithms [12], have been developed to recover the initial state of the controller. Any of them can be applied in phase II to complete the attack.

V. CONCLUSION

In this paper we applied the CLD based generalized correlation attack to jump-controlled structures. Jump-clocking is considered an efficient approach for implementing clock-controlling and is considered secure against various forms of side channel attacks such as timing and power attacks. However, like conventional clock controlling, these structures are also found insecure against the generalized correlation attack. However, if the secret key is changed frequently and periodically then the efficacy of this attack
can be reduced. This is true because, by doing so, the attacker will be deprived of lengthy cipher text bit streams encrypted with the same key. Future work may focus on jump-control structures combined with non-linear Boolean functions, such as the one used in Pomaranch [4]. Moreover, the application of probabilistic correlation and embedding attacks to these structures can also be studied.

ACKNOWLEDGMENTS

We are grateful to Mr Slobodan V. Petrović for extending his valuable help and guidance in the initial phase of the research.

APPENDIX

Proof of Theorem 1: We define $G(e, s)$ as the set containing all possible 'jump sub-sequences' of $\{x_i\}_{i=1}^{e+s}$, each sub-sequence having exactly $e/\Delta_J$ jumps. In other words, each member stream of $G(e, s)$ is built from a unique selection of s bits from $\{x_i\}_{i=1}^{e+s}$ (while following the jump constraint), with first bit $x_1$ and last bit $x_{e+s}$. The cardinality of the set is $\binom{s-1}{e/\Delta_J}$.

The proof for $W(e = (s - 1)\Delta_J, s)$ is fairly straightforward, as in this case the set $G(e, s)$ contains only one member, $\{x_{1+iJ}\}_{i=0}^{s-1}$. We now concentrate on the first equation, which is valid for $e < (s - 1)\Delta_J$. As per the definition of the CLD given in section III, the partial CLD $W(e, s)$ can be defined as:

$$W(e, s) = e d_0 + \mathrm{minHD}(\aleph^s, Z^s)\quad \forall\, \aleph \in G(e, s) \qquad (3)$$

where 'minHD' denotes the minimum Hamming distance. Since the last bit of each $\aleph^s \in G(e, s)$ is $x_{e+s}$, equation 3 can be rewritten as

$$W(e, s) = e d_0 + (x_{e+s} \oplus z_s) + \mathrm{minHD}(\aleph^{s-1}, Z^{s-1})$$

where $\aleph^{s-1}$, $\forall\, \aleph \in G(e, s)$, represents the prefixes of the same sub-sequences with the last bit ($x_{e+s}$) clipped off. The set containing all $\aleph^{s-1}$, $\aleph \in G(e, s)$, can be partitioned into two mutually exclusive and exhaustive subsets, $G(e, s - 1)$ and $G(e - \Delta_J, s - 1)$. Hence,

$$W(e, s) = e d_0 + (x_{e+s} \oplus z_s) + \min(\mathrm{minHD}_1;\ \mathrm{minHD}_2)$$

where

$$\mathrm{minHD}_1 = \mathrm{minHD}(\aleph^{s-1}, Z^{s-1})\quad \forall\, \aleph \in G(e, s - 1)$$
$$\mathrm{minHD}_2 = \mathrm{minHD}(\aleph^{s-1}, Z^{s-1})\quad \forall\, \aleph \in G(e - \Delta_J, s - 1)$$

Splitting the deletion cost $e d_0$ as $d_0 \Delta_J + d_0(e - \Delta_J)$ in the second case,

$$W(e, s) = (x_{e+s} \oplus z_s) + \min\{e d_0 + \mathrm{minHD}_1;\ d_0 \Delta_J + d_0(e - \Delta_J) + \mathrm{minHD}_2\}$$

which, in accordance with equation 3, can be written as:

$$W(e, s) = (x_{e+s} \oplus z_s) + \min\{W(e, s - 1);\ d_0 \Delta_J + W(e - \Delta_J, s - 1)\}$$

REFERENCES

[1] L. R. Simpson, E. Dawson, J. D. Golic, and W. Millan, "LILI keystream generator," in Selected Areas in Cryptography, 2000, pp. 248–261.

[2] C. J. A. Jansen, "Stream cipher design: Make your LFSRs jump!" in Workshop Record, ECRYPT State of the Art of Stream Ciphers, Brugge, 2004, pp. 94–108.

[3] M. J. B. Robshaw and O. Billet, Eds., New Stream Cipher Designs - The eSTREAM Finalists, ser. Lecture Notes in Computer Science, vol. 4986. Springer, 2008.

[4] C. J. Jansen, T. Helleseth, and A. Kholosha, "Cascade jump controlled sequence generator and Pomaranch stream cipher," pp. 224–243, 2008.

[5] S. Babbage and M. Dodd, "The MICKEY stream ciphers," in The eSTREAM Finalists, 2008, pp. 191–209.

[6] D. Sankoff and J. B. Kruskal, Eds., Time Warps, String Edits and Macromolecules: The Theory and Practice of Sequence Comparison.

[7] J. D. Golic and M. J. Mihaljevic, "A generalized correlation attack on a class of stream ciphers based on the Levenshtein distance," J. Cryptology, vol. 3, no. 3, pp. 201–212, 1991.

[8] B. J. Oommen, "Constrained string editing," Inf. Sci., vol. 40, no. 3, pp. 267–284, 1986.

[9] C. J. A. Jansen, "Stream cipher design based on jumping finite state machines," 2005.

[10] T. Helleseth, C. J. A. Jansen, and E. Kholosha, "Cascade jump controlled sequence generator," in Symmetric Key Encryption Workshop, Workshop Record, ECRYPT Network of Excellence in Cryptology, 2005.

[11] S. Petrovic and A. Fúster-Sabater, "Clock control sequence reconstruction in the ciphertext only attack scenario," in ICICS, 2004, pp. 427–439.

[12] T. Herland, "The use of k-best paths algorithms in clock control sequence reconstruction," 2006.