Modelling Nonlinear Sequence Generators in terms of Linear Cellular Automata
In this work, a wide family of LFSR-based sequence generators, the so-called Clock-Controlled Shrinking Generators (CCSGs), has been analyzed and identified with a subset of linear Cellular Automata (CA). In fact, a pair of linear models describing the behavior of the CCSGs can be derived. The algorithm that converts a given CCSG into a CA-based linear model is very simple and can be applied to CCSGs in a range of practical interest. The linearity of these cellular models can be advantageously used in two different ways: (a) for the analysis and/or cryptanalysis of the CCSGs and (b) for the reconstruction of the output sequence obtained from this kind of generator.
Research Summary
The paper investigates a broad class of stream‑cipher generators built from linear feedback shift registers (LFSRs) that are controlled by a clock‑shrinking mechanism, known as Clock‑Controlled Shrinking Generators (CCSGs). Although CCSGs are attractive for cryptographic applications because the clock‑controlled “shrinking” operation introduces non‑linearity, this very non‑linearity makes formal analysis and cryptanalysis difficult. The authors’ main contribution is to show that every CCSG can be represented exactly by a pair of one‑dimensional linear cellular automata (CA) built from the elementary rules 90 and 150.
The paper proceeds in four logical stages. First, it reviews the architecture of a CCSG: two LFSRs, a “clock” register that decides whether the output bit of a “data” register is kept or discarded, and the resulting output stream that is a non‑linear subsequence of the data register’s linear sequence. The authors formalize the clock‑control function as a Boolean selector and derive the period of the combined system in terms of the individual LFSR periods.
Second, the authors recall the theory of linear CA. Rule 90 corresponds to the polynomial x + 1, while rule 150 corresponds to x² + x + 1; both generate maximal‑length sequences when appropriate boundary conditions are used. Because a linear CA can be interpreted as a network of mutually coupled LFSRs, its behavior is completely described by linear algebra over GF(2).
Third, the core of the work presents a constructive algorithm that maps a given CCSG to two linear CA. The algorithm works as follows: (i) express each LFSR's feedback polynomial and compute its characteristic matrix; (ii) expand the clock-control selector into two exclusive cases, "clock bit = 1" and "clock bit = 0"; for each case the authors show that the resulting output is a linear combination of the data-register state, which can be reproduced by a CA using rule 150 (when the bit is kept) or rule 90 (when the bit is discarded); (iii) align the two CA in time so that the concatenation of their outputs reproduces the original CCSG stream. The required initial states are obtained by solving a small linear system; the overall computational cost is O(L), where L is the total length of the involved LFSRs.
Because the resulting models are linear, all classical linear‑sequence analysis tools become applicable. The authors demonstrate two concrete applications. In cryptanalysis, an attacker who observes a modest number of output bits can run the Berlekamp‑Massey algorithm on the derived CA to recover the underlying LFSR states, and then reconstruct the full CCSG output with far fewer samples than required for a direct attack on the non‑linear generator. In sequence reconstruction, the linear CA model enables exact recovery of missing portions of a captured stream by solving the corresponding linear equations, which is valuable for error‑correction or forensic analysis.
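As an added example (not code from the paper), the Python sketch below builds the two-register architecture described above in its simplest form, a plain shrinking generator, and runs a textbook Berlekamp-Massey over the output to show that the "non-linear" stream obeys a short linear recurrence from which the whole stream can be regenerated. It does not implement the paper's CA construction; the toy polynomials, seeds and function names are assumptions of the example.

```python
# Added example: toy shrinking generator + Berlekamp-Massey over GF(2).
# Polynomials, seeds and names are constructed for illustration only.

def lfsr(taps, seed, n):
    """n bits of s[k+L] = XOR of s[k+t] for t in taps, with L = len(seed)."""
    s = list(seed)
    while len(s) < n:
        k = len(s) - len(seed)
        s.append(sum(s[k + t] for t in taps) & 1)
    return s[:n]

def shrink(select, data):
    """Keep data[k] when select[k] == 1, discard it otherwise."""
    return [d for a, d in zip(select, data) if a]

def berlekamp_massey(s):
    """Shortest recurrence s[i] = XOR of c[j] & s[i-j], j = 1..L. Returns (L, c)."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:                       # discrepancy: correct c with shifted b
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def extend(prefix, c, n):
    """Regenerate n bits from the first L bits using recurrence c."""
    s, L = list(prefix), len(c) - 1
    while len(s) < n:
        s.append(sum(c[j] & s[-j] for j in range(1, L + 1)) & 1)
    return s

def demo():
    clocks = 2 * 7 * 15                       # two joint periods of both registers
    sel = lfsr((0, 1), (1, 0, 0), clocks)     # x^3 + x + 1, period 7
    dat = lfsr((0, 1), (1, 0, 0, 0), clocks)  # x^4 + x + 1, period 15
    z = shrink(sel, dat)                      # 120 kept bits = 2 periods of 60
    lc, c = berlekamp_massey(z)
    return z, lc, c

if __name__ == "__main__":
    z, lc, c = demo()
    print("linear complexity:", lc, "regenerated:", extend(z[:lc], c, len(z)) == z)
```

For a design review, the point is that the linear complexity stays small relative to the period, so the shrinking step alone does not remove linear structure from the keystream.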
Finally, the paper discusses the broader implications. The CA representation is compatible with existing CA‑based stream‑cipher designs, suggesting the possibility of hybrid constructions that combine the security benefits of clock‑controlled shrinking with the implementation simplicity of linear CA. The authors also outline future work, including extensions to multi‑clock CCSGs, non‑binary cellular automata, and hardware implementations that exploit the regular structure of CA for high‑speed encryption.
In summary, the authors provide a rigorous, low‑complexity method to linearize a whole family of non‑linear LFSR‑based generators. By translating CCSGs into pairs of linear cellular automata, they open the door to efficient analysis, cryptanalysis, and sequence reconstruction, while preserving the practical advantages of the original generators.