Correlation properties of combiners with memory in stream ciphers

Abstract

For pseudo-random generators where one or several LFSRs are combined by a memoryless function, it is known that the output sequences are correlated to certain LFSR-sequences whose correlation coefficients ct satisfy the equation ∑ic2i= 1. In this paper it is proved that a corresponding result also holds for generators whose LFSRs are connected to a combiner with memory. If correlation probabilities are conditioned on side information, e.g., on known output digits, it is shown that new or stronger correlations may occur. This is exemplified for the summation cipher with only two LFSRs where such correlations can be exploited in a known plaintext attack. A cryptanalytic algorithm is given which is shown to be successful for LFSRs of considerable length and with arbitrary feedback connection. © 1992 International Association for Cryptologic Research.