Attacking the combination generator
We present one of the most efficient attacks against the combination generator. This attack is inherent to this system as its only assumption is that the filtering function has a good autocorrelation. This is usually the case if the system is designed to be resistant to other kinds of attacks. We use only classical tools, namely vectorial correlation, weight 4 multiples and Walsh transform.
💡 Research Summary
The paper “Attacking the combination generator” presents an efficient cryptanalytic method against the combination generator, a classical stream‑cipher construction in which several linear feedback shift registers (LFSRs) are clocked in parallel and, at every step, their output bits x_1(t), …, x_n(t) are merged by a Boolean function f into the keystream bit z(t) = f(x_1(t), …, x_n(t)). The abstract calls f the filtering function. The attack's only assumption is that f has good autocorrelation in the usual sense for Boolean functions: the autocorrelation values r_f(a) = Σ_x (-1)^{f(x) ⊕ f(x ⊕ a)} are small in absolute value for every nonzero difference a, so that no shift of the inputs leaves f almost unchanged or almost complemented. Designers normally aim for exactly this property, because it goes together with high nonlinearity and the absence of linear structures, both standard criteria for resisting other classes of attacks. This is why the authors call the attack inherent to the construction: it does not rely on an accidental weakness but on a property that a well‑designed combining function is expected to have.
The attack is built from three classical tools. The first is vectorial correlation: instead of measuring how well z agrees with a single linear combination of register bits, one measures the dependency between z and a vector of several register outputs at once (equivalently, the conditional distribution of f given a subset of its inputs). A function that is correlation immune of order m is statistically independent of any m of its inputs taken jointly, but its output is biased with respect to some set of m + 1 inputs, so vectorial correlation over m + 1 registers is what turns a correlation‑immune combiner back into a target.
The second tool is weight‑4 multiples, meaning multiples Q(x) = P(x)·R(x) of an LFSR feedback polynomial P(x) that have exactly four nonzero coefficients. If Q(x) = 1 + x^a + x^b + x^c, then the register sequence satisfies the parity check s(t) ⊕ s(t−a) ⊕ s(t−b) ⊕ s(t−c) = 0 for every t ≥ c, and the same check evaluated on a keystream that agrees with s with probability 1/2 + ε holds with probability 1/2 + 2^3 ε^4 (piling‑up lemma). This is the standard ingredient of fast correlation attacks: the weight must be small because the bias of a check decays exponentially with its weight, and weight 4 is the smallest weight for which a random polynomial of degree L has multiples of moderate degree (about 2^{L/3}). The term has nothing to do with input vectors of Hamming weight four.
The third tool, the Walsh transform, gives the spectral view of f: W_f(a) = Σ_x (-1)^{f(x) ⊕ a·x} is 2^n times the correlation between f and the linear function a·x, and the fast Walsh‑Hadamard transform computes all 2^n coefficients in n·2^n operations. The spectrum encodes the design criteria at once: f is balanced iff W_f(0) = 0, its nonlinearity is 2^{n−1} − max_a |W_f(a)|/2, it is correlation immune of order m iff W_f(a) = 0 for all a with 1 ≤ wt(a) ≤ m (Xiao‑Massey), and the autocorrelation spectrum is the Walsh transform of the squared coefficients, r_f(d) = 2^{−n} Σ_a W_f(a)^2 (-1)^{a·d} (Wiener‑Khinchin). Large coefficients thus mark the linear combinations of inputs that correlate with the output, and the autocorrelation values, the quantity the attack actually assumes, fall out of the same computation.
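The spectral quantities above, computed on truth tables for three small combining functions. This is an added example, not code from the paper: the Geffe function (x1 when x2 = 1, else x3), the majority of three inputs, and the 1‑resilient function x1·x2 ⊕ x3 ⊕ x4 are constructed here for illustration, and the convention that input x_1 is bit 0 of the truth‑table index is this example's choice.

```python
# Added example, not from the paper: Walsh transform, nonlinearity, correlation
# immunity and autocorrelation of small combining functions from their truth tables.
# Convention here: input x1 is bit 0 of the truth-table index, x2 bit 1, and so on.


def truth_table(f, n):
    """Truth table of f over n inputs, indexed by x = x1 + 2*x2 + 4*x3 + ..."""
    return [f(*[(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]


def fwht(values):
    """Fast Walsh-Hadamard transform of a list of 2^n integers:
    out[a] = sum_x values[x] * (-1)^(a.x), with a.x the bitwise dot product."""
    v = list(values)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                u, w = v[j], v[j + h]
                v[j], v[j + h] = u + w, u - w
        h *= 2
    return v


def walsh_spectrum(tt):
    """W[a] = sum_x (-1)^(f(x) + a.x) = 2^n times the correlation of f with a.x."""
    return fwht([1 - 2 * b for b in tt])


def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - max|W[a]| / 2."""
    return len(tt) // 2 - max(abs(w) for w in walsh_spectrum(tt)) // 2


def correlation_immunity_order(tt):
    """Xiao-Massey: f is m-th order correlation immune iff W[a] = 0 for every a
    with 1 <= weight(a) <= m.  Returns the largest such m."""
    w = walsh_spectrum(tt)
    n = len(tt).bit_length() - 1
    m = 0
    while m < n and all(w[a] == 0 for a in range(1, len(tt))
                        if bin(a).count("1") == m + 1):
        m += 1
    return m


def autocorrelation(tt):
    """r[d] = sum_x (-1)^(f(x) + f(x ^ d)), straight from the definition.
    r[0] = 2^n; |r[d]| = 2^n for d != 0 means d is a linear structure of f."""
    n = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ d]) for x in range(n)) for d in range(n)]


def autocorrelation_via_walsh(tt):
    """Same spectrum from the Walsh coefficients (Wiener-Khinchin):
    r[d] = 2^-n * sum_a W[a]^2 * (-1)^(a.d), i.e. fwht(W^2) / 2^n."""
    return [v // len(tt) for v in fwht([w * w for w in walsh_spectrum(tt)])]


# Constructed sample functions.
def geffe(x1, x2, x3):          # x1 when x2 = 1, else x3
    return x1 if x2 else x3


def majority(x1, x2, x3):
    return int(x1 + x2 + x3 >= 2)


def resilient(x1, x2, x3, x4):  # x1*x2 + x3 + x4: 1-resilient, algebraic degree 2
    return (x1 & x2) ^ x3 ^ x4


def profile(f, n):
    """The criteria a designer checks on a combining function, in one dict."""
    tt = truth_table(f, n)
    r = autocorrelation(tt)
    assert r == autocorrelation_via_walsh(tt)      # both routes must agree
    return {
        "balanced": walsh_spectrum(tt)[0] == 0,
        "nonlinearity": nonlinearity(tt),
        "ci_order": correlation_immunity_order(tt),
        "max_abs_autocorr": max(abs(x) for x in r[1:]),
        "linear_structures": [d for d in range(1, len(tt)) if abs(r[d]) == len(tt)],
    }


if __name__ == "__main__":
    for f, n in ((geffe, 3), (majority, 3), (resilient, 4)):
        print(f.__name__, profile(f, n))
```

The Geffe and majority functions both have nonlinearity 2, correlation immunity order 0 and a complementing linear structure (flipping x1 and x3 complements Geffe; flipping all three inputs complements majority), which is the opposite of good autocorrelation. The 1‑resilient function buys first‑order correlation immunity at the price of three linear structures, an instance of the tension between the criteria that the summary discusses.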
The abstract does not spell out the procedure, and it reports no experimental parameters, register sizes or timings; its only quantitative claim is that the result is “one of the most efficient attacks against the combination generator”. What the three tools fix is the attack model. By Kerckhoffs's principle the attacker knows f and the feedback polynomials, the only secret is the initial state of the registers, and the data is a segment of keystream. The part of the work that depends on the cipher but not on the key (the Walsh and autocorrelation spectra of f, low‑weight multiples of the feedback polynomials) is precomputed once; the keystream‑dependent part evaluates the resulting parity checks on the keystream and uses their biases to recover register states separately or in small groups rather than all at once. That separation, in which the cost is governed by the sizes of the individual registers or of the subsets that must be attacked jointly instead of by the total state size, is what makes this attack class efficient, and it is why a combining function's correlation profile, not the total linear complexity, decides the security of a combination generator.
A practitioner assessing a concrete design should therefore compute the Walsh and autocorrelation spectra of f, determine its order of correlation immunity, and estimate the degree of the smallest weight‑4 multiples of each feedback polynomial, since that degree bounds the amount of keystream a parity‑check based attack needs.
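A toy combination generator with the two keystream‑side tools described above. This is an added example, not code from the paper: it searches for a weight‑4 multiple of one register's feedback polynomial, measures the induced parity check on the register sequence and on the keystream, and runs the classical Siegenthaler divide‑and‑conquer correlation attack that recovers one register from its scalar correlation. The generator is the Geffe combiner over three constructed registers with feedback polynomials x^5 + x^2 + 1, x^7 + x + 1 and x^6 + x + 1 and fixed seeds; these parameters and all function names are assumptions of this example.

```python
# Added example, not from the paper: a toy Geffe combination generator with
# constructed parameters, a birthday-style search for weight-4 multiples of a
# register's feedback polynomial, the parity check they induce, and the
# Siegenthaler divide-and-conquer correlation attack on one register.


def lfsr_sequence(taps, state, length):
    """Output bits s[0], s[1], ... of the LFSR with feedback polynomial
    P(x) = 1 + sum(x^i for i in taps): s[t] = XOR of s[t - i] over the taps.
    `state` holds the first max(taps) bits."""
    s = list(state)
    while len(s) < length:
        s.append(sum(s[-i] for i in taps) & 1)
    return s


def geffe(x1, x2, x3):
    """Geffe combiner: x1 when x2 = 1, else x3.  Pr[z = x1] = Pr[z = x3] = 3/4,
    while z is uncorrelated with x2 alone (it depends on x2 only jointly with x1)."""
    return x1 if x2 else x3


# Constructed toy parameters: feedback polynomials x^5+x^2+1, x^7+x+1, x^6+x+1.
TAPS = [(5, 2), (7, 1), (6, 1)]
SEEDS = [[1, 0, 1, 1, 0], [1, 0, 0, 1, 1, 0, 1], [0, 1, 1, 0, 1, 1]]


def keystream(length, seeds=SEEDS):
    regs = [lfsr_sequence(t, s, length) for t, s in zip(TAPS, seeds)]
    return [geffe(*bits) for bits in zip(*regs)]


def weight4_multiple(taps, max_degree):
    """Smallest-degree multiple 1 + x^a + x^b + x^c (0 < a < b < c <= max_degree)
    of P, returned as the exponent triple (a, b, c).  Tabulates x^a + x^b mod P
    for a < b and looks up 1 + x^c for each c, so the cost is quadratic, not cubic."""
    P = 1 | sum(1 << i for i in taps)
    L = max(taps)
    r = [1]                                    # r[i] = x^i mod P, bit j <-> x^j
    for _ in range(max_degree):
        v = r[-1] << 1
        if v >> L & 1:
            v ^= P
        r.append(v)
    pairs = {}
    for c in range(1, max_degree + 1):
        hit = pairs.get(r[c] ^ 1)              # r[a]^r[b] == r[c]^1  <=>  P | Q
        if hit:
            return hit + (c,)
        for a in range(1, c):
            pairs.setdefault(r[a] ^ r[c], (a, c))
    return None


def check_fraction(seq, exps):
    """Fraction of t for which seq[t] ^ seq[t-a] ^ seq[t-b] ^ seq[t-c] == 0.
    Exactly 1 on the register sequence; about 1/2 + 8*eps^4 on a keystream that
    agrees with the register with probability 1/2 + eps (piling-up lemma)."""
    d = max(exps)
    ok = sum((seq[t] ^ sum(seq[t - e] for e in exps)) & 1 == 0
             for t in range(d, len(seq)))
    return ok / (len(seq) - d)


def correlation_attack(taps, z):
    """Siegenthaler divide-and-conquer: try every nonzero initial state of one
    register alone and keep the one whose output agrees most with the keystream."""
    L = max(taps)
    best = None
    for v in range(1, 1 << L):
        state = [(v >> i) & 1 for i in range(L)]
        x = lfsr_sequence(taps, state, len(z))
        agree = sum(a == b for a, b in zip(x, z)) / len(z)
        if best is None or agree > best[1]:
            best = (state, agree)
    return best


if __name__ == "__main__":
    exps = weight4_multiple(TAPS[0], 31)
    print("weight-4 multiple of x^5+x^2+1: 1 + x^%d + x^%d + x^%d" % exps)
    print("check on register 1:", check_fraction(lfsr_sequence(TAPS[0], SEEDS[0], 2000), exps))
    print("check on keystream :", check_fraction(keystream(20000), exps))
    for i in (0, 1):
        state, agree = correlation_attack(TAPS[i], keystream(400))
        print("register %d: best state %s agrees %.2f (true %s)" % (i + 1, state, agree, SEEDS[i]))
```

Running it reports the multiple 1 + x^4 + x^5 + x^7 = (x^5 + x^2 + 1)(x^2 + 1), a check fraction of exactly 1 on the register sequence and close to 17/32 on the keystream (four noisy terms of bias 1/4), and it recovers register 1's seed from 400 keystream bits. The same search on register 2 returns nothing better than chance, because the Geffe output is uncorrelated with its selector input on its own: that register is only reachable through the joint distribution of z with (x1, x2), which is the situation vectorial correlation addresses.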
The findings carry a practical warning for designers. Good autocorrelation, high nonlinearity, balancedness and correlation immunity are all on the standard checklist for combining functions, but they pull against one another: Siegenthaler's bound m + d ≤ n − 1 ties the order of correlation immunity m to the algebraic degree d, and the paper's point is that the autocorrelation criterion is precisely the assumption this attack needs. Flattening the Walsh spectrum is not an answer either, since the flattest spectra (bent functions) are neither balanced nor correlation immune. What remains is to make the other ingredients expensive: enough registers that any subset the vectorial correlation must attack jointly is large, and feedback polynomials long enough that weight‑4 multiples of usable degree are out of reach (for a random polynomial of degree L the smallest such multiple has degree around 2^{L/3}, which sets the keystream requirement). Where those margins cannot be afforded, the sounder choice is to leave the plain LFSR‑plus‑combiner architecture for constructions with a nonlinear state update (NLFSR‑based designs) or for block‑cipher based keystream generation.
In summary, the authors demonstrate that a combination of elementary yet powerful mathematical tools can expose a fundamental vulnerability in the combination generator when the filtering function exhibits good autocorrelation. The attack is both conceptually simple and computationally efficient, underscoring the necessity for rigorous spectral analysis during the design phase and prompting a reevaluation of the security assumptions underlying many legacy stream‑cipher implementations.