5

I was conducting research on stream ciphers and LFSRs was a subtopic of my research and I was wondering why are LFSRs so popular?

SEJPM
  • 45,967
  • 7
  • 99
  • 205
Learner
  • 61
  • 3
  • 1
    Note: Stream ciphers based on a single LFSR are very insecure, thus not popular. Hint: simplicity. – fgrieu Jan 23 '19 at 15:03
  • 1
    Short answer: LFSRs have been around for a long time, the math behind them is very well understood, and they have many applications outside of crypto. – bmm6o Jan 23 '19 at 16:04
  • 1
    Please don't substantially change your question after it has been posted. I have rolled back the latest edit. If you have a new / different question now, please post a new question instead. – SEJPM Jan 24 '19 at 09:33
  • 1
    @Learner You will find that most specifications are written around a minimally viable VLSI implementation, whether it's MPEG, RFID or BlueTooth. There's a huge disparity between what a cryptographer would use and what an engineer with a space constraint will consider adequate. I've made many choices based on what worked best in silicon that were marginal from the cryptography standpoint. – b degnan Jan 24 '19 at 17:20

2 Answers2

6

There were popular once upon a time;

  1. They were very easy to implement in the hardware. Think about you only need latch and $\oplus$. For combining functions some $\wedge$ operation.

  2. Their periodic properties are well studied, the minimal polynomial and characteristic polynomial etc. You can see a glimpse in the classical book of Solomon Golomb.

  3. They are insecure, as Fgrieu said in comments. Single LFSR can be breakable by Berlekamp-Massay algorithm. You need only $2L$ keystream if the LFSR's length is $L$. Interestingly, this algorithm was invented for decoding the BCH codes.

  4. Many people tried to use LFSRs to produce secure stream ciphers. To see the attacks on them look at the links.

  5. Some recent (date back to 1999) algorithms based on LFSR

    • A5/1 and A5/2 used in GSM phones, E0 used in Bluetooth. If you look carefully on their usage you will see that there were a second design factor for this ciphers. That is; using smaller hardware. And, this reduces the power consumption.

Note 0: Definitions:

Note 1: The following from eSream project are using LFSR or NLFSR or both:

  1. Trivium uses 3 NLFSRs.
  2. Sosemanuk uses LFSR with a maximal period $2^{230}-1$
  3. Grain uses both LFSR and NLFSR
  4. MICKEY uses both LFSR and NLFSR

Note 2: They have other applications as @bmmo6 said in the comments.

Note 3: I barely remember a product advertisement in Cryptologia. They were claiming that they combined 5 LFSRs to generate a secure cipher.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
  • 1
    I'd say "classic book" of Golomb. Archaic has a negative connotation. – kodlu Jan 23 '19 at 20:59
  • 1
    @kodlu let me correct. Actually, I couldn't find a better one. it was like the book of stream ciphers at that time. – kelalaka Jan 23 '19 at 21:01
4

A complement to @kelalaka's excellent answer.

Here are a few LFSR (and NLFSR for Trivium) based stream ciphers that have not been broken.

  1. Trivium

  2. Self shrinking generator.

Also, some stream ciphers with more modern structure are much less understood.

kodlu
  • 22,423
  • 2
  • 27
  • 57
  • Can we say Trivium is LFSR based? It uses non-linear combining taps. Also, the Feedback is in circular of three Shift Registers. – kelalaka Jan 24 '19 at 09:57
  • You're right of course, there is an algebraic relation between LFSR and NLFSR's, it is a small departure that gives strength. – kodlu Jan 24 '19 at 10:02
  • could you provide me a link about the algebraic relation to read? – kelalaka Jan 24 '19 at 16:19
  • 1
    I should have said, there are algebraic relationships, not a "single algebraic relation". See here to begin (this may be known to you of course) https://www.ricam.oeaw.ac.at/specsem/specsem2013/workshop4/slides/helleseth.pdf. There are some other recent papers by Helleseth and others. – kodlu Jan 30 '19 at 00:18