A New Attack on the Filter Generator.

The filter generator is an important building block in many stream ciphers. The generator consists of a linear feedback shift register of length n that generates an m-sequence of period 2′ - 1 filtered through a Boolean function of degree d that combines bits from the shift register and creates an output bit zt at any time t. The previous best attacks aimed at reconstructing the initial state from an observed keystream, have essentially reduced the problem to solving a nonlinear system of D = (Multiple line equation(s) cannot be represented in ASCII text) (i) equations in n unknowns using techniques based on linear algebra. This attack needs about D bits of keystream and the system can be solved in complexity O (Dω), where ω can be taken to be Strassen's reduction exponent ω = log2 (7) ≈ 2.807. This paper describes a new algorithm that recovers the initial state of most filter generators after observing O(D) keystream bits with complexity O((D - n)/2) ≈ O(D), after a pre-computation with complexity O(D(log2 D)³). [ABSTRACT FROM AUTHOR]