Conference Paper · February 2012

Comparative Study of Techniques and Attacks on NLFSR Based Stream Ciphers – A Review

Iqrar Ahmad (1), Shadab Alam (2) and M.U. Bokhari (3)
(1, 2, 3) Department of Computer Science, Aligarh Muslim University, Aligarh (UP), India
(1) iqrar_azad@yahoo.co.in, (2) s4shadab@gmail.com and (3) mubokhari@gmail.com
ABSTRACT
Among the recent developments on stream ciphers, several indices for the security of stream ciphers have been proposed in order to guarantee their strength. The proposed indices are, however, not sufficient to guarantee that security. It is possible for a sequence with a high linear complexity to have a very bad "linear complexity stability": after a few bits of the original sequence are changed, its linear complexity decreases or increases very quickly, and the sequence may be well approximated by another one of much lower linear unpredictability. This problem is especially important when linear feedback shift registers are used; non-linear next-state functions are a possible solution to it. In this paper a comparative study of NLFSR based stream ciphers is made with respect to their design structures and some of the techniques used to analyse them. The paper also highlights the security of the ciphers concerned.

KEYWORDS
Linear complexity, linear feedback shift registers, NLFSR, stream ciphers

1. INTRODUCTION
Non-Linear Feedback Shift Registers (NLFSRs) have been proposed as an alternative to Linear Feedback Shift Registers (LFSRs) for generating pseudo-random sequences for stream ciphers. Pseudo-random bit sequences are often generated using LFSRs. Advantages of LFSRs include ease of implementation, simplicity, speed, and the ability to generate a maximal-cycle sequence with the same uniform statistical distribution of 0's and 1's as a truly random sequence [1]-[2]. The main disadvantage of LFSRs is their linearity, which leads to a relatively easy cryptanalysis [3]. A common solution to this problem in LFSR-based stream ciphers is to feed the outputs of several parallel LFSRs into a nonlinear Boolean function to form a combination generator [4]. The combining function has to be carefully selected to ensure the security of the resulting scheme, for example in order to prevent correlation attacks [5]. Other approaches are to combine several bits from the LFSR state using a non-linear function, or to clock the LFSR irregularly [6]. Important LFSR-based stream ciphers include the A5/1 stream cipher, used to provide over-the-air communication privacy in the GSM cellular telephone standard [7], the E0 stream cipher used in the Bluetooth protocol [8], and the shrinking generator [9]. As another alternative, a Non-Linear Feedback Shift Register (NLFSR), whose current state is a non-linear function of its previous state, can be used. A number of NLFSR based stream ciphers for RFID and smartcard applications have been proposed, including Achterbahn [10], Grain [11] and VEST [12]. NLFSRs have been shown to be more resistant to cryptanalytic attacks than LFSRs. However, the construction of large NLFSRs with guaranteed long periods remains an open problem: no systematic algorithm for NLFSR synthesis has been discovered so far, and only solutions to some special cases have been presented [2]-[13]-[14].

2. BACKGROUND
2.1. DEFINITION OF NLFSRs
A Non-Linear Feedback Shift Register (NLFSR) consists of n binary storage elements, called bits. Each bit i ∈ {0, 1, …, n−1} has an associated state variable x_i, which represents the current value of bit i, and a feedback function f_i : {0,1}^n → {0,1}, which determines how the value of bit i is updated. For any i ∈ {0, 1, …, n−1}, f_i depends on x_{(i+1) mod n} and on a subset of the variables {x_0, x_1, …, x_i}. A state of an NLFSR is an ordered set of values of its state variables (x_0, x_1, …, x_{n−1}). At every clock cycle, the next state is determined from the current state by updating the values of all bits simultaneously to the values of the corresponding f_i's. The output of an NLFSR is the value of its 0th bit. If for all i ∈ {0, 1, …, n−2} the feedback functions are of the type f_i = x_{i+1}, we call the NLFSR of Fibonacci type; otherwise we call it of Galois type. Two NLFSRs are equivalent if their sets of output sequences are equal. Feedback functions of NLFSRs are usually represented in algebraic normal form. The algebraic normal form (ANF) of a Boolean function f : {0,1}^n → {0,1} is a polynomial over GF(2) of the type

$$f(x_0, \dots, x_{n-1}) = \bigoplus_{i=0}^{2^n-1} c_i \, x_0^{i_0} x_1^{i_1} \cdots x_{n-1}^{i_{n-1}},$$

where c_i ∈ {0,1} and (i_0 i_1 … i_{n−1}) is the binary expansion of i, with i_0 the least significant bit [15].

A pseudorandom sequence can be generated using a linear feedback shift register (LFSR). LFSRs are simple, fast, and easy to implement in both software and hardware. They are capable of generating pseudorandom sequences with the same uniform statistical distribution of 0's and 1's as a random sequence. However, they are not cryptographically secure, because the structure of an n-bit LFSR can be deduced by observing 2n consecutive bits of its sequence [16].

Copy Right © INDIACom-2012; ISSN 0973-7529; ISBN 978-93-80544-03-8


One solution to this problem is to feed the outputs of several parallel LFSRs into a nonlinear Boolean function to form a combination generator [17]. The combining function has to be carefully selected to ensure the security of the resulting scheme, for example in order to prevent correlation attacks [2]. Other solutions are to combine several bits from the LFSR state using a nonlinear function [18], to clock the LFSR irregularly [19], or to make the LFSR structure more complex by complementing the feedback with a carry [20]. Examples of LFSR-based stream ciphers include the A5/1 stream cipher, which is used to provide over-the-air communication privacy in the GSM cellular telephone standard [21], and the E0 stream cipher, which is used in the Bluetooth protocol [22].

In general, there are two ways to implement an NLFSR: in the Fibonacci configuration or in the Galois configuration. The Fibonacci configuration, shown in Fig. 1, is conceptually simpler. A Fibonacci NLFSR consists of a number of bits numbered from left to right as n−1, n−2, …, 0, with feedback from each bit into the (n−1)th bit. At each clocking instance, the value of bit i is moved to bit i−1. The value of bit 0 becomes the output of the register. The new value of bit n−1 is computed as some function of the previous values of the other bits.

Fig. 1. The Fibonacci configuration of NLFSR

In the Galois type of NLFSR, shown in Fig. 2, each bit is updated according to its own feedback function. Thus, in contrast to Fibonacci NLFSRs, in which feedback is applied to the (n−1)th bit only, in Galois NLFSRs feedback can be applied to every bit. Since the depth of the circuits implementing the feedback functions of the individual bits is usually smaller than the depth of the circuit implementing the feedback function of the Fibonacci NLFSR, the propagation time can potentially be reduced. This makes Galois NLFSRs particularly attractive for stream cipher applications in which a high keystream generation speed is important [18].

Fig. 2. The Galois configuration of NLFSR

2.2 A CONDITION FOR EXISTENCE OF A NONLINEAR RECURRENCE
In this section, we formulate a condition for the existence of a nonlinear recurrence of order n describing the output sequence of an n-bit NLFSR. First, we introduce some definitions which are necessary for the presentation of the main result [17].
Definition 1: Two NLFSRs are equivalent if their sets of output sequences are equal.
Definition 2: The feedback graph of an n-bit NLFSR is a directed graph with n vertices v_0, …, v_{n−1}, which represent the bits 0, …, n−1 of the NLFSR, respectively. There is an edge from v_i to v_j if i ∈ dep(f_j), the set of variables on which f_j depends.
Definition 3: Given a feedback graph G, the reduced feedback graph of G is the graph obtained by repeatedly applying the substitution to each vertex of G with the input degree, until no more substitutions can be applied.

3. COMPARISON BASED ON TECHNIQUES
There are many different pseudorandom sequence generators applied to stream ciphering, most of them based on the structure of the LFSR. Within the combination schemes, the first nonlinear combination of LFSRs is the generator proposed by Geffe [23]. His idea is to use two LFSRs as the inputs of a multiplexer controlled by a third LFSR, which selects which of the two input bits is reflected in the output. This combination has no memory and presents a high correlation between the output bits of the whole generator and the bits of each of the internal LFSRs; therefore it is easily cryptanalysed. Clock-controlled schemes are especially interesting for their capacity to obtain high complexities, although their periods are reduced and it is necessary to use key lengths somewhat greater than would otherwise be strictly necessary. There are two general modalities: schemes in which the clock of a subgenerator is controlled by another subgenerator (e.g. the bilateral generator), and those where the clock of a generator is ruled by its own output or by a function of its internal state (e.g. the A5 generator). According to Schneier [24], the A5 generator is composed of three LFSRs of lengths 19, 22 and 23. The central bit of each register takes part in a majority vote, and only those LFSRs whose central bit agrees with the majority are clocked. The output is the XOR of the last bits of the three registers.

The prototype of a cascade generator is the Gollmann generator [25]. Cascade schemes generally use a clock-controlled mechanism, but they have the advantage that their design is modular and repetitive, allowing the concatenation of an arbitrary number of generators and thus obtaining huge periods and high linear complexities. They are vulnerable to the lock-in attack, and it is recommended to use more than 15 generators in cascade. Finally, in recent years some new methods of stream ciphering that operate on blocks of bits have appeared, for example RC4. RC4 uses a variable-length key. For some years it was kept as a trade secret by RSA Data Security, and it has been used in applications such as Lotus Notes, Apple Computer's AOCE and Oracle Secure SQL. In 1994 its source code was posted anonymously to a mailing list and quickly spread over the Internet. Its state is a 256-entry permutation table S of 8-bit values (together with two 8-bit indices) that changes every time a byte is enciphered. Therefore the scheme is highly non-linear and has very long periods (the number of possible states is approximately 2^1700).
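The Geffe generator and the correlation that makes it "easily cryptanalysed" are small enough to build and measure. The following Python program is an added example, not code from the paper or from Geffe's article [23]. It assembles a Geffe generator from three short Fibonacci LFSRs (lengths 5, 7 and 11 with tap positions assumed to give maximal periods, and a constructed secret key of initial states), measures how often the keystream agrees with each internal register, and then runs the correlation attack that the agreement permits: each multiplexer input is recovered on its own by trying its 2^L initial states, after which the selector register follows from the positions where the two inputs differ.

```python
# Added example (not from the paper): the Geffe generator of Section 3 and a
# correlation attack on it.  Register lengths, tap positions and the secret
# initial states are illustrative choices, not taken from any real cipher.

# Fibonacci LFSRs as (length, k): new bit = x_0 xor x_k, i.e. x^length + x^k + 1.
LFSR_A = (5, 2)      # first multiplexer input
LFSR_SEL = (7, 1)    # drives the multiplexer
LFSR_B = (11, 2)     # second multiplexer input

def lfsr_bits(spec, state, n):
    """n output bits of a Fibonacci LFSR.  state is an int whose bit i is x_i;
    x_0 is the output and the new bit enters at the top."""
    length, k = spec
    s, out = state, []
    for _ in range(n):
        out.append(s & 1)
        fb = (s ^ (s >> k)) & 1
        s = (s >> 1) | (fb << (length - 1))
    return out

def mux(c, a, b):
    """Multiplexer: selector bit 1 passes a, selector bit 0 passes b."""
    return (c & a) ^ ((1 ^ c) & b)

def geffe(state_a, state_sel, state_b, n):
    a = lfsr_bits(LFSR_A, state_a, n)
    c = lfsr_bits(LFSR_SEL, state_sel, n)
    b = lfsr_bits(LFSR_B, state_b, n)
    return [mux(ci, ai, bi) for ci, ai, bi in zip(c, a, b)]

def agreement(x, y):
    """Fraction of positions where two bit sequences agree."""
    return sum(i == j for i, j in zip(x, y)) / len(x)

def recover_by_correlation(spec, keystream):
    """Attack one input register on its own: try every nonzero initial state
    and keep the one whose output agrees most with the keystream.  The right
    state agrees about 3/4 of the time, any other about 1/2, so the cost is
    2^length instead of the 2^(5+7+11) of guessing the whole key."""
    length, _ = spec
    best_state, best_score = None, -1.0
    for cand in range(1, 1 << length):
        score = agreement(lfsr_bits(spec, cand, len(keystream)), keystream)
        if score > best_score:
            best_state, best_score = cand, score
    return best_state, best_score

def recover_selector(spec, keystream, a_bits, b_bits):
    """With both inputs known, every position where they differ fixes the
    selector bit; return the selector state consistent with the whole keystream."""
    length, _ = spec
    for cand in range(1, 1 << length):
        c = lfsr_bits(spec, cand, len(keystream))
        if all(z == mux(ci, ai, bi) for z, ci, ai, bi in zip(keystream, c, a_bits, b_bits)):
            return cand
    return None

def attack(keystream):
    """Recover all three initial states from keystream alone."""
    state_a, _ = recover_by_correlation(LFSR_A, keystream)
    state_b, _ = recover_by_correlation(LFSR_B, keystream)
    a = lfsr_bits(LFSR_A, state_a, len(keystream))
    b = lfsr_bits(LFSR_B, state_b, len(keystream))
    return state_a, recover_selector(LFSR_SEL, keystream, a, b), state_b

if __name__ == "__main__":
    secret = (0b10110, 0b1001101, 0b01101001110)     # constructed key
    ks = geffe(*secret, 1200)
    print("P[z = a] =", agreement(lfsr_bits(LFSR_A, secret[0], 1200), ks))
    print("P[z = c] =", agreement(lfsr_bits(LFSR_SEL, secret[1], 1200), ks))
    print("recovered", attack(ks), "secret", secret)
```

The agreement with either multiplexer input comes out near 0.75 and with the selector near 0.5, exactly the "high correlation between the output bits of the whole generator and the bits of the internal LFSRs" described above; 1200 keystream bits are enough to pick the right state of the 11-bit register out of 2047 candidates.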


Sometimes it is necessary to compare different ciphers, to evaluate their properties and, after that, to have sufficient data to decide which generator is better. Customarily, some parameters are calculated by applying algorithms called tests to the generated sequences. Before looking at the performance of a cipher, it is very important to know the length of the key used. To avoid a brute-force attack it is recommended to have not less than 100 bits. However, the statistics of the ciphers hardly vary with the key length. Because of this, we use lower key lengths so as to be able to calculate the period and other features; the key lengths and periods are kept as close as possible in order to compare the ciphers equitably.

There are several types of tests for evaluating the strength of a stream ciphering device: statistical, empirical, theoretical, complexity-based, and so on. We use at least one of each type to compare the generating schemes explained above. For a deeper knowledge of the analysis techniques for pseudorandom sequences, see [27]-[28]-[29]-[30]-[31]-[32]. Concretely, the following tests have been used.

3.1 THIRD POSTULATE OF GOLOMB
This test computes the autocorrelation of the sequence and compares the value of the highest secondary peak with the value at the origin, the principal-to-secondary lobe ratio. The worst result is a large secondary peak, because then many of the shifted bits reflect the same behaviour as the originals. The outcome of the test is the principal-to-secondary lobe ratio in dB.

3.2 UNIVERSAL ENTROPY TEST
This test estimates the bit entropy of the sequence according to the algorithm proposed by Maurer [28]. It depends on some parameters such as the estimated memory of the sequence source and the length of the transition period. Since the calculated entropy is an estimate, it can produce values greater than one.

3.3 SPECTRAL TEST
Grouping the bits into (overlapping) symbols, the frequency distribution of such symbols is calculated. On this distribution a discrete Fourier transform is computed, obtaining a spectrum, which gives the test its name. If the sequence is truly random, the spectrum should have the value 1 at the origin and 0 at the other frequency components. The result can be represented through what we call the quadratic distortion, which measures the energy of the non-zero frequency components relative to the energy of the constant component.

Quadratic distortion =

All the peaks matter, because the main aspect is the difference between the result and the ideal values, the lost energy, and it does not matter whether this lost energy is spread uniformly or concentrated in one particular frequency component.

3.4 LINEAR COMPLEXITY
This test calculates the minimal length of an LFSR able to synthesize the same sequence, by means of the Berlekamp-Massey algorithm [32]. The resulting complexity is compared with the period of the sequence.

3.5 ZIV-LEMPEL'S COMPLEXITY
This test counts the number of patterns with different structures in the sequence. From this complexity the bit entropy of the sequence, H(ZL), can be estimated from C and n, where C is the Ziv-Lempel complexity of the sequence and n its length.

Fig. 3 Comparison of different tests which have small values (bit entropy, spectral test and H(ZL) for the Grain, Gollmann, bilateral, RC4, Geffe and A5 generators)

Fig. 4 Comparison of different tests which have large values

4. ATTACKS ON CIPHERS
Cryptanalytic attacks against ciphers play a very important role in the analysis of their strength. In recent years algebraic attacks have become a threat to stream ciphers based on LFSRs, which is why designs that are vulnerable to these attacks are avoided.
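Three of the tests listed in Sections 3.1, 3.4 and 3.5 are simple enough to implement directly, and doing so also shows the "2n consecutive bits" remark of Section 2.1 in action. The following Python program is an added example, not the authors' test software. It computes the periodic autocorrelation and the main-to-side-lobe ratio behind Golomb's third postulate, the linear complexity and the LC/P ratio with the Berlekamp-Massey algorithm, and the Lempel-Ziv phrase count, and runs them on two constructed 4-stage sequences: one period of the m-sequence of x^4 + x + 1 and one period of a 4-stage de Bruijn NLFSR sequence. The dB convention (20·log10 of the amplitude ratio) and the Lempel-Ziv phrase rule are the usual ones, but they are assumptions, since the paper does not give its formulas.

```python
# Added example (not from the paper): three of the sequence tests of Section 3
# (Golomb's third postulate, linear complexity, Ziv-Lempel complexity) run on
# two constructed 4-stage sequences, one linear and one nonlinear.

import math

LFSR_SEQ = [1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1]        # x^4 + x + 1, period 15
NLFSR_SEQ = [1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1]    # de Bruijn, period 16

def autocorrelation(seq, shift):
    """Periodic autocorrelation C(k) = (agreements - disagreements) / N, so C(0) = 1."""
    n = len(seq)
    return sum(1 if seq[i] == seq[(i + shift) % n] else -1 for i in range(n)) / n

def golomb_third_postulate(seq):
    """Largest out-of-phase |C(k)| and the main-to-side-lobe ratio in dB
    (20 log10, treating C as an amplitude; an assumed convention).  An ideal
    sequence has every C(k), k != 0, equal to -1/N, so larger is better."""
    n = len(seq)
    side = max(abs(autocorrelation(seq, k)) for k in range(1, n))
    return side, (20 * math.log10(1 / side) if side else math.inf)

def berlekamp_massey(seq):
    """Linear complexity L of seq and the connection polynomial c (c[0] = 1)
    of the shortest LFSR generating it: s_t = XOR_{i=1..L} c[i] * s_{t-i}."""
    n = len(seq)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for t in range(n):
        d = seq[t]
        for i in range(1, L + 1):
            d ^= c[i] & seq[t - i]
        if d == 0:
            continue                      # current LFSR still explains s_t
        prev, shift = c[:], t - m
        for i in range(n + 1 - shift):
            c[i + shift] ^= b[i]          # c(x) += x^(t-m) b(x)
        if 2 * L <= t:
            L, m, b = t + 1 - L, t, prev
    return L, c[:L + 1]

def linear_complexity_ratio(period_seq):
    """LC/P of a periodic sequence.  Berlekamp-Massey needs 2L bits and L can
    be as large as the period, so two periods are fed in."""
    L, _ = berlekamp_massey(period_seq * 2)
    return L / len(period_seq)

def lempel_ziv_complexity(seq):
    """Number of phrases in the Lempel-Ziv (1976) parsing: a phrase keeps
    growing while it still occurs somewhere in the text before its last symbol."""
    s = "".join(map(str, seq))
    i, count = 0, 0
    while i < len(s):
        j = i + 1
        while j <= len(s) and s[i:j] in s[:j - 1]:
            j += 1
        count += 1
        i = j
    return count

if __name__ == "__main__":
    for name, seq in (("LFSR", LFSR_SEQ), ("NLFSR", NLFSR_SEQ)):
        print(name, "side lobe %.3f (%.1f dB)" % golomb_third_postulate(seq),
              "LC/P %.3f" % linear_complexity_ratio(seq),
              "LZ phrases", lempel_ziv_complexity(seq))
    # The LFSR is fully recovered from 2L = 8 bits; the NLFSR of the same
    # size has linear complexity 15, the maximum for period 16.
    print("from 8 bits:", berlekamp_massey(LFSR_SEQ[:8]))
```

Both sequences have the ideal two-level autocorrelation of Golomb's third postulate, and both parse into the same number of Lempel-Ziv phrases; what separates them is the linear complexity, 4/15 for the LFSR against 15/16 for the de Bruijn NLFSR, which is the LC/P figure the conclusion refers to.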


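The RC4 key scheduling and output generation described in Section 3, and the second-byte bias that the next paragraph attributes to Mantin and Shamir, can be checked in a few lines. The following Python program is an added example, not code from the paper or from RSA Data Security. It implements RC4, measures how often the second keystream byte is 0 over keys drawn from a seeded generator (a constructed sample), and isolates the mechanism: whenever the key scheduling leaves S[2] = 0 and S[1] ≠ 2, the second output byte is 0 whatever the rest of the key, which is what lifts the probability from 1/256 towards 2/256.

```python
# Added example (not from the paper): RC4 and a measurement of the
# Mantin-Shamir bias in its second output byte.  Keys are drawn from a seeded
# PRNG, so the sample is constructed and the figures are reproducible.

import random

def rc4_ksa(key):
    """Key scheduling: derive the initial permutation S from the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_prga(S, n):
    """Generate n keystream bytes; S is copied so the caller's table is kept."""
    S, i, j, out = S[:], 0, 0, []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out

def second_byte_forced_zero(S):
    """The mechanism behind the bias.  Let X = S[1].  Step 1 of the PRGA swaps
    S[1] and S[X], so afterwards S[X] = X.  If S[2] == 0 (and X != 2, so step 1
    left index 2 alone), step 2 computes j = X + S[2] = X, swaps S[2] and S[X],
    and outputs S[S[2] + S[X]] = S[X + 0] = 0.  Nothing else about the key matters."""
    return S[2] == 0 and S[1] != 2

def second_byte_statistics(trials, key_len=16, seed=1):
    """Over `trials` random keys return (fraction with z2 == 0, fraction where
    the forced-zero condition held, number of keys where the condition held
    but z2 != 0, which must be 0).  Uniform output would give z2 == 0 with
    probability 1/256; RC4 gives about 2/256 = 2^-7."""
    rng = random.Random(seed)
    zeros = forced = misfires = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(key_len))
        S = rc4_ksa(key)
        z2 = rc4_prga(S, 2)[1]
        is_forced = second_byte_forced_zero(S)
        zeros += (z2 == 0)
        forced += is_forced
        misfires += (is_forced and z2 != 0)
    return zeros / trials, forced / trials, misfires

if __name__ == "__main__":
    zero_rate, forced_rate, misfires = second_byte_statistics(20000)
    print(f"P[z2 = 0] = {zero_rate:.5f}  (uniform 1/256 = {1/256:.5f}, 2/256 = {2/256:.5f})")
    print(f"forced by S[2] = 0 after the KSA: {forced_rate:.5f}, misfires {misfires}")
```

Over 20000 keys the measured frequency of a zero second byte sits close to 2/256, roughly half of it accounted for by keys for which the key scheduling happens to leave S[2] = 0; a distinguisher therefore only has to watch the second byte of many keystreams, which is the "trivial distinguishing attack" of the next paragraph.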
Somewhat surprisingly for such a widely known and analysed cipher as RC4, Mantin and Shamir found a trivial distinguishing attack as late as 2001 [33]-[34]. The first few hundred output bytes are not uniformly random and leak information about the key; the first few bytes are especially biased, and the second output byte of RC4 takes the value 0 with probability about 2^-7 instead of 2^-8. The reason for these weaknesses is that the table S does not have a uniform distribution after the initial permutation produced by the key scheduling. The attack found on A5 is an active known-plaintext attack (KPA) or a KPA time-memory trade-off with a computational complexity of 2^39.91 [35].

Because of the NLFSR, the degrees of the algebraic equations describing Grain increase with each clock. With the high degrees of the equations, which also vary in time, it is not possible to obtain all internal state bits with reasonable resources. The best known attack on Grain is key derivation [36]-[35]. In [35] an attempt is made to find the maximum number of bits that can be recovered while the remaining bits are guessed, and the importance of guessing bits at different positions is shown by comparing the degrees of the equations in the different cases.

Trivium seems to be a particularly attractive target for algebraic attacks [36]-[35]. The complete scheme can easily be described with extremely sparse equations of low degree. However, its state does not evolve in a linear way, and hence the efficient linearization techniques used to solve the systems of equations generated by LFSR-based schemes will be hard to apply. Other techniques might be applicable, and their efficiency in solving this particular system of equations needs to be investigated.

CONCLUSION
Undoubtedly, the importance of NLFSR based stream ciphers in computer applications cannot be ignored; a standardized model for stream cipher design is therefore certainly today's requisite. Figure 3 shows the comparison of the tests which have small values and Figure 4 the comparison of the tests which have large values. On the basis of this analysis it can be concluded that the Geffe cipher is not good at all; Gollmann is also lacking in the serial test and its LC/P (ratio of linear complexity to period) is very low; the bilateral generator has good properties but fails the third postulate of Golomb compared with the values of the other sequences; and the other ciphering schemes (A5, Grain and RC4) are robust and have passed these tests.

FUTURE SCOPE
This review studies the standard structures and a few important stream ciphers with the hope of coming up with an advanced stream cipher that meets the standards of efficiency in terms of both security and implementation. We aim to design a cipher which will be more secure and robust than the existing ciphers.

REFERENCES
[1] M.U. Bokhari, Shadab Alam and Faheem Syed Masoodi, "Comparative analysis of Py (Roo) family of stream ciphers," ICRITO-2010, Faridabad (India), November 2010, pp. 667-671.
[2] S. Golomb, Shift Register Sequences, Aegean Park Press, 1982.
[3] B. Schneier, "A self-study course in block-cipher cryptanalysis," Cryptologia, vol. XXIV, no. 1, pp. 18-33, 2000.
[4] M. Robshaw, "Stream ciphers," Tech. Rep. TR-701, July 1994.
[5] W. Meier and O. Staffelbach, "Fast correlation attacks on certain stream ciphers," J. Cryptol., vol. 1, no. 3, pp. 159-176, 1989.
[6] K. Zeng, C. Yang, D. Wei and T. R. N. Rao, "Pseudo-random bit generators in stream-cipher cryptography," Computer, 1991.
[7] E. Biham and O. Dunkelman, "Cryptanalysis of the A5/1 GSM stream cipher," in INDOCRYPT '00: Proceedings of the First International Conference on Progress in Cryptology, London, UK, pp. 43-51, Springer-Verlag, 2000.
[8] O. Y. Shaked, "Cryptanalysis of the Bluetooth E0 cipher," citeseer.ist.psu.edu/744254.html.
[9] D. Coppersmith, H. Krawczyk and Y. Mansour, "The shrinking generator," in CRYPTO '93: Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, New York, NY, USA, pp. 22-39, Springer-Verlag New York, Inc., 1994.
[10] B. Gammel, R. Göttfert and O. Kniffler, "Achterbahn-128/80: Design and analysis," in SASC 2007: Workshop Record of The State of the Art of Stream Ciphers, pp. 152-165, 2007.
[11] A. Maximov, "Cryptanalysis of the "Grain" family of stream ciphers," in ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, New York, NY, USA, pp. 283-288, ACM Press, 2006.
[12] B. Gittins, H. A. Landman, S. O'Neil and R. Kelson, "A presentation on VEST hardware performance, chip area measurements, power consumption estimates and benchmarking in relation to the AES, SHA-256 and SHA-512," Cryptology ePrint Archive, Report 2005/415, 2005, http://eprint.iacr.org/
[13] Mykkeltveit, "Nonlinear recurrences and arithmetic codes," Information and Control, vol. 33, no. 3, pp. 193-209, 1977.
[14] J. S. I. Janicka-Lipska, "Boolean feedback functions for full-length nonlinear shift registers," Telecommunications and Information Technology, vol. 5, pp. 28-29, 2004.
[15] Shohreh Sharif Mansouri and Elena Dubrova, "An improved hardware implementation of the Grain stream cipher," 13th Euromicro Conference on Digital System Design: Architectures, Methods and Tools, 2010.
[16] C. De Cannière and B. Preneel, "Trivium," New Stream Cipher Designs: The eSTREAM Finalists, LNCS 4986, pp. 244-266, 2008.
[17] E. Dubrova, "A transformation from the Fibonacci to the Galois NLFSRs," IEEE Transactions on Information Theory, November 2009, to appear.
[18] Cadence, "Using Encounter RTL Compiler, product version 9.1," 2009.


[19] "Cadence NC-Verilog simulator help, product version 8.2," 2008.
[20] P. Alfke, "Xilinx - unusual clock dividers," Xilinx Xcell Issue 33 Quarterly Journal, 1999.
[21] A. D. Selbst, Clock division as a power saving strategy in a system constrained by high transmission frequency and low data rate, Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2005.
[22] M. Balch, Complete Digital Design: A Comprehensive Guide to Digital Electronics and Computer System Architecture, McGraw-Hill Professional Publishing, June 2003.
[23] Geffe, "How to protect data with ciphers that are really hard to break," Electronics, January 1973, pp. 99-101.
[24] B. Schneier, Applied Cryptography, John Wiley & Sons, 1996.
[25] Gollmann and Chambers, "Clock-controlled shift registers: A review," IEEE JSAC, vol. 7, 1989.
[26] D. Knuth, The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, 1981.
[27] Solomon Golomb, Shift Register Sequences, Plenum Press, 1967.
[28] U. Maurer, "A universal statistical test for random bit generators," Advances in Cryptology - CRYPTO '90, Lecture Notes in Computer Science, no. 537, Springer-Verlag, Berlin, 1991.
[29] Jansen and Boekee, "The shortest feedback shift register that can generate a given sequence," Proceedings of CRYPTO '89, Springer-Verlag Lecture Notes in Computer Science, no. 435.
[30] S. Mund, "Ziv-Lempel complexity for periodic sequences and its cryptographic application," EUROCRYPT '91, Springer-Verlag, pp. 92-98.
[31] R. A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, 1986.
[32] Mohammad Ubaidullah Bokhari and Faheem Masoodi, "Comparative analysis of structures and attacks on various stream ciphers," in 4th National Conference INDIACom-2010.
[33] Itsik Mantin and Adi Shamir, "A practical attack on broadcast RC4."
[34] http://en.wikipedia.org/wiki/Stream_cipher
[35] Mehreen Afzal and Ashraf Masood, "Algebraic cryptanalysis of a NLFSR based stream cipher," IEEE Xplore.
[36] http://www.ecrypt.eu.org/stream/p3ciphers/trivium/trivium_p3.pdf
