Linear models for keystream generators

It is shown that an arbitrary binary keystream generator with M bits of memory can be linearly modeled as a nonautonomous linear feedback shift register of length at most M with an additive input sequence of nonbalanced identically distributed binary random variables. The sum of the squares of input correlation coefficients over all the linear models of any given length proves to be dependent on a keystream generator. The minimum and maximum values of the correlation sum along with-the necessary and sufficient conditions for them to be achieved are established. An effective method for the linear model determination based on the linear sequential circuit approximation of autonomous finite-state machines is developed. Linear models for clock-controlled shift registers and arbitrary shift register based keystream generators are derived. Several examples including the basic summation generator, the clock-controlled cascade, and the shrinking generator are presented. Linear models are the basis for a general structure-dependent and initial-state-independent statistical test. They may also be used for divide and conquer correlation attacks on the initial state. Security against the corresponding statistical attack appears hard to control in practice and generally hard to achieve with simple keystream generator schemes.