Cryptography is the practice of hiding and securing information. It is the study of safe communication techniques that allows only the message’s sender and receiver to view its content. This article will teach you about correlation attacks on a combination generator.

Stream Ciphers

Stream Ciphers are an essential part of symmetric (secret key) Cryptography. In this, the plaintext digits are combined with the keystream (pseudorandom cipher digit stream) and are encrypted bit by bit. Examples of stream ciphers are Scream, Grain, PANAMA, etc.

These ciphers use LFSRs (Linear Feedback Shift Register) to generate keystream.

Get the tech career you deserve, faster!

Connect with our expert counsellors to understand how to hack your way to success

User rating 4.7/5

1:1 doubt support

95% placement record

Akash Pal

Senior Software Engineer

326% Hike After Job Bootcamp

Himanshu Gusain

Programmer Analyst

32 LPA After Job Bootcamp

After Job Bootcamp

LFSR

An LFSR is a well-chosen feedback function that can produce a sequence of random bits with a very long cycle.

A linear feedback shift register (LFSR) with length L consists of L stages numbered 0, 1, . . . , L − 1. Each of these stages can store one bit and has one input and one output. There is a clock that controls the movement of data. With each unit of time, the following operations are performed:

A part of the output sequence is the content of stage 0;

For each i, 1 ≤ i ≤ L − 1; and 10, the content of stage i is moved to stage i − 1

The new content of stage L−1 is the feedback bit s_{j} which is calculated by a feedback function f(s_{0}, s_{1}, . . . , s_{n-1}). It is equal to adding the previous contents of a fixed subset of stages modulo 2.

If the content of stage i is s_{i} ∈ {0, 1} for each 0 ≤ i ≤ L − 1, then S = (s_{0}, s_{1}, . . . , s_{L-1}) is called the state of the LFSR.

Correlation Attacks

Correlation attacks are a type of known plaintext attacks that were first proposed by T. Siegenthaler on Geffe Generator in 1984 for breaking a specific type of stream ciphers known as combination generators.

A combination generator generates the keystream by combining the outputs of several LFSRs using a Boolean function. A correlation attack is an essential cryptanalytic technique discussed against the combination generator.

Combination Generator

LFSRs give a large period and have excellent statistical properties. But they have low linear complexity. Combining several LFSRs with a non-linear Boolean function achieves higher linear complexity. A system where outputs of several individual LFSR units are involved and combined as the inputs to a non-linear Boolean function ‘F’ to ultimately generate the final keystream bit ‘K’ is known as an LFSR-based combination generator.

In a combination generator, we have say, ‘r’ of LFSRs. Suppose that the j^{th} LFSR generates the keystream z_{1}^{j}, z_{2}^{j},. . . . The basic idea is to use a boolean function f : (Z_{2})^{r} → Z_{2} for combining the r keystreams into a new keystream z_{1}z_{2} . . . , via the rule z_{i} = f(z_{1}^{i}, . . . , z_{r}^{i}), i = 1, 2, . . . . where f is the combining function.

Note that it is desirable that the r LFSRs have pairwise relatively prime periods – which provides the longest possible period for the input to the combining function.

Correlation Attack on a Combination Generator

The case where a combination generator uses shift registers with a linear feedback function is very old and is too vulnerable to several attacks like correlation attacks, algebraic attacks, and distinguishing attacks. The combination generators composed of LFSRs are less susceptible to these attacks.

The combination generator with the filter generator is one of stream ciphers’ most straightforward and most analyzed constructions. It uses many linear feedback shift registers (LFSRs) as an internal state. We are taking m as the total size in bits. These LFSRs are filtered using an n-variable balanced Boolean function f(from F^{n}_{2} into F_{2}) to produce the keystream (z_{t}) t ≥ 0.

The inputs of this function are taken from some bits in the LFSR’s internal states. We will write x_{t} for the n-bit vector corresponding to the inputs of f at time t. Our goal here is to find the key (that is, the initial state of all the LFSRs), knowing the keystream sequence (z_{t}) t ≥ 0 and all the components of the combination generator.

We are considering that there are r = 3 LFSRs, and the combining function, which is also called the “majority function,” is f(z_{1}, z_{2}, z_{3}) = (z_{1} ∧ z_{2}) ⊕ (z_{1} ∧ z_{3}) ⊕ (z_{2} ∧ z_{3}), where Λ is logical ‘and’ operator, and the symbol ‘⊕’ is the xor operator.

Step 1: Know the number of LFSRs (r) = 3.

z_{1}, z_{2}, and z_{3} are the input variables. Since r = 3 thus, there will be 8 (2^{3}) possible equations for different values of the input variables.

Step 2: Find their binary equivalent from 0 to 2^{r} - 1. These will be your value of input variables. For example, the binary equivalent of 6 is 110, where z_{1} will be 1, z2 will be 1, and z3 will be 0.

Step 3: Put these 8 different sets of values in the given combining function viz

{The xor operator yields true (1) only if the values are different; else results in 0. Whereas the logical and operator yield 1 only if all the values are high (1)}.

We can solve it for different values of input bits, using the majority function as shown -

Step 4: Find all the possible values using the method shown in the image above.

For example, f(1, 1, 0) = (1 ∧ 1) ⊕ (1 ∧ 0) ⊕ (1 ∧ 0)

So, f(1, 1, 0) = 0⊕1⊕1 = 1 as 0⊕1 = 1 and 1⊕1 = 1.

On solving all the eight possible combinations, the outputs of f are:

Step 5: By considering the three inputs are the same, find the probability of getting the matching keystream obtained by solving the above values.

Assuming that every input triple - (z_{1}, z_{2}, z_{3}) is alike, we can associate a random variable z_{j} for each z_{j} - input variable and z a random variable with the output f(z_{1}, z_{2}, z_{3}). From the above image showing the outputs, it can be seen that - Pr[z = z_{j}] = 3/4, which means the probability of the calculated output matching the keystream is 0.75.

On generating a sequence of bits using this LFSR and comparing it to the series of actual keystream bits, if the guessed initial key is correct, we expect 75% of the bits of LFSR to agree with the keystream. If the guessed initial key is incorrect, we expect 50% of the LFSR bits to concur with the keystream.

Ninjas note that probability theory techniques can be used for predicting how many keystream bits are required for the attack to succeed with high probability. Generally, the number of required keystream bits depends on the correlation and the degree of the recurrence relations (the number of stages in the LFSRs). Larger LFSRs usually require more keystream bits. The number of keystream bits, N, must be at least L_{i} for an attack on an LFSR having L_{i} stages to succeed L_{i}/(p − 1/2)^{2}, where p is the predicted correlation.

It is a string of pseudorandom characters combined with the plaintext to produce an encrypted message.

What are the applications of LFSR?

LFSR generates pseudorandom numbers, fast digital counters, pseudo-noise sequences, and whitening sequences.

What is Kerckhoff's principle?

It states that the cryptographic system must be secure even if all its details (except the key) are public.

Why are combination generators used over LFSR?

An LFSR does not give a secure stream cipher. Therefore, combination generators, the combination of LFSRs, are used to get a secure stream cipher.

What is a cipher?

A cipher is an encrypted mode of communication so that if the message is found, the attacker is unable to determine the meaning of that message.

Conclusion

From this article, you might have learned about stream ciphers, Linear Feedback Shift registers (LFSR), correlation attacks, and correlation attacks on a combination generator. Below are some of the articles related to this article, so you must read them: