New guess-and-determine attack on the self-shrinking generator

Abstract

We propose a new type of guess-and-determine attack on the self-shrinking generator (SSG). The inherent flexibility of the new attack enables us to deal with different attack conditions and requirements smoothly. For the SSG with a length L LFSR of arbitrary form, our attack can reliably restore the initial state with time complexity O(20.556L), memory complexity O(L 2) from O(20.161L)-bit keystream for L ≥ 100 and time complexity O(20.571L), memory complexity O(L2) from O(20.194L)-bit keystream for L< 100. Therefore, our attack is better than all the previously known attacks on the SSG and especially, it compares favorably with the time/memory/data tradeoff attack which typically has time complexity O(20.5L), memory complexity O(20.5L) and data complexity O(20.25L)-bit keystream after a pre-computation phase of complexity O(20.75L). It is well-known that one of the open research problems in stream ciphers specified by the European STORK (Strategic Roadmap for Crypto) project is to find an attack on the self-shrinking generator with complexity lower than that of a generic time/memory/data tradeoff attack. Our result is the best answer to this problem known so far. © 2006 Springer-Verlag.