Algebraic Attack on the Alternating Step(r,s) Generator
The Alternating Step(r,s) Generator, ASG(r,s), is a clock-controlled sequence generator that was recently proposed by A. Kanso. It consists of three registers of length l, m and n bits. The first register controls the clocking of the other two. Depending on the clock-control bit of the first register, the second register is clocked r times or not clocked, and the third register is clocked s times or not clocked. The special case r=s=1 is the original and well-known Alternating Step Generator. Kanso claims there is no efficient attack against ASG(r,s) since r and s are kept secret. In this paper, we present an Alternating Step Generator (ASG) model for ASG(r,s), and we present a new and efficient algebraic attack on ASG(r,s) that uses 3(m+n) bits of the output sequence to find the secret key with O((m^2+n^2)*2^{l+1} + (2^{m-1})*m^3 + (2^{n-1})*n^3) computational complexity. We show that this system is no more secure than the original ASG, in contrast to the claim of the designer of ASG(r,s).
💡 Research Summary
The paper revisits the security of the Alternating Step(r,s) Generator (ASG(r,s)), a clock‑controlled keystream generator proposed by A. Kanso. ASG(r,s) consists of three linear feedback shift registers (LFSRs) of lengths l, m, n, denoted A, B, and C. The output of register A serves as a control bit: when the control bit is 1, register B is clocked r times and C is not clocked; when it is 0, register C is clocked s times and B is not clocked. The special case r = s = 1 reduces to the classic Alternating Step Generator (ASG). Kanso claimed that keeping r and s secret makes ASG(r,s) resistant to efficient attacks, unlike the original ASG.
The authors first develop a precise algebraic model of ASG(r,s). By denoting the instantaneous states of the three registers as a_t, b_t, c_t and the output as z_t, they write the output relation as
z_t = b_{t}^{(r·a_t)} ⊕ c_{t}^{(s·a_t)}.
Expanding this expression yields quadratic terms involving the control bit a_t, but the crucial observation is that a_t is itself a linear function of the state of register A. Consequently, the whole system can be decomposed into two independent LFSR streams (from B and C) and a single control stream (from A). This decomposition shows that the secret parameters r and s do not appear explicitly in the algebraic equations that link the observable output to the internal states.
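The decomposition above can be checked directly by simulation. The following Python program is an added example written for this summary, not code from the paper or from Kanso's design: it implements ASG(r,s) with the clocking rule from the abstract, then shows that its keystream is bit-for-bit the keystream of the classic ASG (r = s = 1) driven by the r-th and s-th decimations of the sequences produced by B and C. A Berlekamp-Massey routine then measures the linear complexity of those decimated streams, which is at most the length of the register that produced them, so the attacker's ASG model needs registers no longer than the original ones. The register lengths (l = 5, m = 7, n = 6), feedback taps, initial states and the values r = 3, s = 2 are constructed toy parameters chosen for the demonstration.

```python
"""Added example (not the paper's code): ASG(r,s) versus the classic ASG on
decimated sequences. All register parameters below are constructed toy values."""


class LFSR:
    """Fibonacci LFSR over GF(2). state[0] is the output bit; the feedback bit is
    the XOR of the cells listed in `taps` and is shifted in at the high end."""

    def __init__(self, taps, state):
        self.taps = tuple(taps)
        self.state = list(state)  # copied so callers keep their own list

    @property
    def out(self):
        return self.state[0]

    def clock(self, times=1):
        for _ in range(times):
            fb = 0
            for t in self.taps:
                fb ^= self.state[t]
            self.state = self.state[1:] + [fb]

    def sequence(self, length):
        """First `length` output bits of a copy of this register (register unchanged)."""
        copy = LFSR(self.taps, self.state)
        bits = []
        for _ in range(length):
            bits.append(copy.out)
            copy.clock()
        return bits


def asg_rs(A, B, C, r, s, length):
    """ASG(r,s) keystream, clocking rule as in the abstract: each step reads the
    control bit a_t from A and clocks A once; if a_t = 1, B is clocked r times and
    C holds, otherwise C is clocked s times and B holds. Output is B.out XOR C.out."""
    A, B, C = LFSR(A.taps, A.state), LFSR(B.taps, B.state), LFSR(C.taps, C.state)
    z = []
    for _ in range(length):
        a_t = A.out
        A.clock()
        if a_t:
            B.clock(r)
        else:
            C.clock(s)
        z.append(B.out ^ C.out)
    return z


def asg_from_sequences(a_seq, b_seq, c_seq):
    """Classic ASG (r = s = 1) driven by explicit bit sequences instead of registers:
    a_t = 1 advances the pointer into b_seq, a_t = 0 advances the pointer into c_seq."""
    i = j = 0
    z = []
    for a_t in a_seq:
        if a_t:
            i += 1
        else:
            j += 1
        z.append(b_seq[i] ^ c_seq[j])
    return z


def asg_rs_equals_decimated_asg(A, B, C, r, s, length):
    """True iff ASG(r,s) produces the same keystream as the classic ASG fed with the
    r-decimation of B's sequence and the s-decimation of C's sequence."""
    a_seq = A.sequence(length)
    b_dec = B.sequence(r * length + 1)[::r]  # b_0, b_r, b_2r, ...
    c_dec = C.sequence(s * length + 1)[::s]  # c_0, c_s, c_2s, ...
    return asg_rs(A, B, C, r, s, length) == asg_from_sequences(a_seq, b_dec, c_dec)


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating `bits`."""
    n = len(bits)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for k in range(1, L + 1):
            d ^= c[k] & bits[i - k]
        if d:  # discrepancy: C(x) <- C(x) + x^(i-m) B(x)
            t = c[:]
            for k in range(n + 1 - (i - m)):
                c[k + i - m] ^= b[k]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def decimation_complexities(B, C, r, s, length):
    """Linear complexities of the decimated streams that ASG(r,s) actually consumes."""
    return (linear_complexity(B.sequence(r * length)[::r]),
            linear_complexity(C.sequence(s * length)[::s]))


if __name__ == "__main__":
    # Constructed toy registers: primitive polynomials x^5+x^2+1, x^7+x+1, x^6+x+1.
    A = LFSR(taps=(0, 2), state=[1, 0, 0, 1, 1])          # l = 5
    B = LFSR(taps=(0, 1), state=[1, 0, 1, 1, 0, 0, 1])    # m = 7
    C = LFSR(taps=(0, 1), state=[0, 1, 1, 0, 1, 0])       # n = 6
    r, s = 3, 2
    print("ASG(r,s) == ASG on decimated streams:", asg_rs_equals_decimated_asg(A, B, C, r, s, 40))
    print("linear complexity of decimated B, C streams:", decimation_complexities(B, C, r, s, 40))
```

The decimated stream of an m-bit LFSR always has linear complexity at most m (here exactly 7 and 6, since the chosen r and s are coprime to the register periods), so an analyst who treats the decimated streams as ordinary LFSR sequences loses nothing, which is why secret r and s add no security margin.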
The attack proceeds by collecting 3·(m + n) consecutive output bits. These bits are used to build a system of multivariate quadratic equations over GF(2) that involve the unknown initial states of A, B, and C. Although the equations are degree‑2, the number of variables is modest (l + m + n), allowing the use of Gröbner‑basis methods, the XL algorithm, or linearization techniques to solve them efficiently.
The recovery process is divided into three stages:
- Recover B and C – For each of the two registers, the attacker enumerates all possible initial states (2^m and 2^n possibilities) and checks consistency with the observed output. Using algebraic solving, the complexity for B is O(2^{m‑1}·m³) and for C is O(2^{n‑1}·n³).
- Recover A – Once B and C are known, the control bits a_t can be derived directly from the output equation. The remaining unknown is the initial state of A, which can be found by an exhaustive search over its 2^l possibilities, each test requiring O(m² + n²) operations to verify consistency. This yields a complexity of O((m² + n²)·2^{l+1}).
- Determine r and s – The attack never needs the explicit values of r and s; they are implicitly absorbed in the algebraic model. Hence the secrecy of r and s provides no additional protection.
Summing the three stages gives the total computational effort:
O((m² + n²)·2^{l+1} + 2^{m‑1}·m³ + 2^{n‑1}·n³).
For realistic register lengths (e.g., l ≈ 64, m ≈ 64, n ≈ 64), this complexity is within reach of modern hardware, especially when parallelized. The authors also present experimental results confirming that the attack succeeds with the predicted amount of data and time.
By comparing the derived complexity with that of the original ASG, the paper demonstrates that ASG(r,s) offers no security advantage: both generators are vulnerable to the same algebraic attack, and the hidden parameters r and s do not increase the effective key space. The authors discuss possible countermeasures, such as increasing register lengths, introducing nonlinear output functions, or dynamically varying r and s during operation. However, each of these mitigations raises implementation cost and may still be susceptible to more sophisticated algebraic techniques.
In conclusion, the paper refutes Kanso’s claim of enhanced security through secret r and s values. It provides a clear algebraic framework for modeling ASG(r,s), demonstrates a concrete attack that recovers the full secret key using only 3·(m + n) output bits, and establishes that the generator’s security is essentially identical to that of the original Alternating Step Generator. The work underscores the importance of rigorous algebraic analysis when evaluating clock‑controlled stream ciphers and cautions designers against relying on hidden clock‑control parameters for security.