Analysis of Geffe Generator LFSR properties

on the application of algebraic attack

Cite as: AIP Conference Proceedings 2168, 020029 (2019); https://doi.org/10.1063/1.5132456
Published Online: 04 November 2019

F. Handayani, and N. P. R. Adiati

ARTICLES YOU MAY BE INTERESTED IN

Further analysis on volatility function selection for simulating European option prices under
Ornstein-Uhlenbeck stochastic volatility assumption
AIP Conference Proceedings 2168, 020027 (2019); https://doi.org/10.1063/1.5132454

Search for rectangle distinguisher 16 round on LBlock

AIP Conference Proceedings 2168, 020032 (2019); https://doi.org/10.1063/1.5132459

Square attack on 4 round Midori64

AIP Conference Proceedings 2168, 020031 (2019); https://doi.org/10.1063/1.5132458

AIP Conference Proceedings 2168, 020029 (2019); https://doi.org/10.1063/1.5132456 2168, 020029

© 2019 Author(s).
 Analysis of Geffe Generator LFSR Properties on the
Application of Algebraic Attack
F. Handayania) and N. P. R. Adiati

National Crypto Institute, Jl. Raya Haji Usa, Putat Nutung, Ciseeng, Bogor 16120, Indonesia
a)
Corresponding author: fitri.handayani@student.stsn-nci.ac.id

Abstract. The purpose of this research was to investigate the effect of LFSR properties in the application of algebraic
attack on Geffe Generator. This research was conducted in four different cases: Case 1 with the relatively prime LFSR
length and the primitive polynomial LFSR properties, Case 2 with the relatively prime LFSR length and the non-
primitive polynomial LFSR properties, Case 3 with the non-relatively prime LFSR length and the primitive polynomial
LFSR properties, and Case 4 with the non-relatively prime LFSR length and the non-primitive polynomial LFSR
properties. The result of this research is that the relatively prime and primitive polynomials influence the length of the
period of equation that is produced in algebraic attack of Geffe Generator. LFSR that have non-relatively prime and non-
primitive polynomials properties cannot produce a maximum period of equation. The length of the period of equation
influence both the memory complexity and the execution time on an algebraic attack.

Keywords: Algebraic attack, non-primitive polinomials, primitive polynomials

INTRODUCTION

Stream cipher is an encryption algorithm in system encoding done on a bit-by-bit basis [1]. Linear Feedback
Shift Register (LFSR) is the simplest kind of feedback shift register that consists of a shift register and feedback
function. The shift register is a sequence of bits and the feedback function is simply the XOR of certain bits in the
register. LFSR based stream cipher can use at least one LFSR in combination with different lengths and different
feedback functions. The key to an LFSR-based stream cipher is its initial state [2]. One bit of output is generated
from one shift. LFSR based stream cipher enough easy implemented on hardware because its function use XOR,
AND, OR, and NOT operations [3].
The Geffe Generator is an LFSR based stream cipher algorithm that combines three LFSRs with different lengths
and is relatively prime [2]. Assume the degrees of the polynomial feedback function are relatively prime [3]. The
Geffe Generator was introduced by P.R. Geffe in 1973. A Geffe Generator consists of three LFSRs: two LFSRs as
input multiplexers and one LFSR as a controller [3]. The Geffe Generator scheme is shown on Fig. 1. The LFSR
(A,B,C) output is notated consecutively as (a,b,c). Here is the function of the Geffe Generator [4]:

keystream = ( ⋀(¬ ) ⊕ ( ⋀ ) (1)

( , , ) = (1 ⊕ ) ⊕ . = ⊕ . ⊕ . (2)

An algebraic attack is an attack on a cipher by establishing a system of polynomial equations that relate the key
bits, the bits of plain text and cipher text bits [1]. This attack is a known plaintext attack where the attacker is
assumed to have some plain text and cipher text that correspond to each other in order to find the initial state of

Proceedings of the 4th International Symposium on Current Progress in Mathematics and Sciences (ISCPMS2018)
AIP Conf. Proc. 2168, 020029-1–020029-9; https://doi.org/10.1063/1.5132456
Published by AIP Publishing. 978-0-7354-1915-5/$30.00

020029-1
some known keystream bits [3]. There are two phases for carrying out algebraic attacks. The first phase involves
changing an algorithm into a polynomial equation system. The second phase involves finding the solution of the
polynomial equations system to obtain the secret key of the cipher [5].
Linearization is a method for solving a polynomial equation system that can be used with the condition that the
number of equations known is equal to or more than the monomial number. The solution to the equation can be
found as follows [5]:
1. Turning nonlinear equations into linear equations by substituting all monomials into new variables.
2. Complete the linear equation system using the Gauss elimination method.
3. Entering the solution that has been obtained into the original equation to check the truth.

METHODS

Based on the Kerckhoff principle, the attacker is assumed to know all the information about the algorithm except
the key. In this case, the attacker knows the information about the feedback function and the algorithm functions
used. Algebraic attacks are known plaintext attacks, so attackers know the pairs of plaintext and ciphertext that
correspond to each other. In the stream cipher, knowing the plaintext and ciphertext helps attackers find out which
keystream is being used. So in this research, the attacker knows information about the feedback function, the
algorithm function, and the keystream used in the Geffe Generator.

The Phase of Finding Polynomial Equations System

Three steps to find a linear equation system in Geffe Generator are:

a. Finding all possible outputs of each LSFR
Suppose that it is known that LFSR A has 5 states with a feedback function x5 + x2 + 1, which is (a5, a4, a3,
a2, a1) as input bit of LFSR A, and (a1 ⊕ a4) is the feedback value. The state is shifted to the right as much
as one, in order to obtain the output of (a1). The feedback value that has been obtained previously will fill in
the blank state on the left and the internal state will change to (a1 ⊕ a4, a5, a4, a3, a2). All possible outputs
are obtained by repeating the steps as much as possible (2 1) = (2 1) = 3 times. An example list of
possible outputs of LFSR A can be seen in Table 1.

LFSR A

LFSR B keystream

LFSR C

FIGURE 1. Scheme of Geffe Generator [4]

TABLE 1. Examples of possible LFSR outputs a Geffe Generator.

Clock Internal state LFSR A output
1 ( ⊕ , , , , )
2 ( ⊕ , ⊕ , , , )
3 ( ⊕ ⊕ , ⊕ , ⊕ , , )
…

31 ( , , , , ) ⊕

020029-2
 The next step is to look for all possible outputs of LFSR B and C. Steps to search all of the outputs LFSR B
and C are the same as the steps in the search all of the outputs of LFSR A. All possible LFSR outputs
(A,B,C) can be calculated as follows:
Number of possible outputs of LFSR A = (2 1).
Number of possible outputs of LFSR B = (2 ! 1).
Number of possible outputs of LFSR C = (2 " 1).
Number of states of LFSR (A,B,C) that can be notated as follows:
Number of unknown variables = nA + nB + nC.
b. Finding all possible combination outputs LFSR (A,B,C)
Period of possible combinations of LFSR outputs (A,B,C) can be calculated by (2 1)(2 ! 1)(2 "
1). Examples of possible combinations of LFSR Geffe Generator outputs could be seen on Table 2.
c. Finding all possible nonlinear equations
Nonlinear equations are obtained by inserting all possible combinations of outputs for an LFSR into the
algorithm function. An example of a Geffe Generator nonlinear equation system can be seen in Table 3. The
nonlinear equation consists of several monomials. In Geffe Generators, one nonlinear equation consists of at
least three monomials. This is influenced by the Geffe Generator algorithm function. The amount of all
possible nonlinear equations could be calculated with formula (2 1)(2 ! 1)(2 " 1).

The Phase of Finding Solutions to Polynomial Equation Systems

After the polynomial equation system is obtained, the next step is to search the solution of the polynomial
equation system using the linearization method. Linearization consists of the following three steps:
a. Turning nonlinear equations into linear equations
Linear equations are obtained by substituting the monomial that has been obtained previously into new
variables. Examples of new variables can be seen in Table 4. The next step is substituting new variables into
nonlinear equations. The result is a linear equation as shown in Table 5.
b. Completing the linear equation system uses Gauss Jordan Elimination
The next step is to do Gauss Jordan elimination. However, this requires changing the linear equation into a
matrix form. After being converted into a matrix, the next step is to find a solution using Gauss Jordan
elimination. The result of Gauss Jordan elimination is a reduced row echelon matrix. The reduced row
echelon matrix shows that the variable value has been found.

TABLE 2. Examples of possible combinations Geffe Generator outputs LFSR.

Clock LFSR A LFSR B LFSR C
1
2
3 ⊕
…

...
651 ⊕ ⊕ ⊕

TABLE 3. Example of the Geffe Generator Nonlinear Equation System.

Clock Nonlinear Equation
1 ⊕ . ⊕ .
2 ⊕ . ⊕ .
3 ⊕ . ⊕ . ⊕ . ⊕ .
…

...
⊕ ⊕ . ⊕ . ⊕ .
651
⊕ . ⊕ . ⊕ . ⊕ . ⊕ .

020029-3
 TABLE 4. Example of a Geffe Generator new variable.
No. Monomial New Variable
1 #
2 #
3 #
...

…
21 . #

TABLE 5. Example of a Geffe Generator linear equation.

No. Linear Equation
1 # ⊕ #$ ⊕ # $ 1
2 # ⊕ #% ⊕ # & 1
3 # ⊕# &⊕# ⊕# '⊕# 1

…
...
# ⊕ # ⊕ # ⊕ # ⊕ # ⊕ #$ ⊕ #( ⊕ #' ⊕ # & ⊕
21 # ⊕# ⊕# ⊕# ⊕# ⊕# $⊕# (⊕
# '⊕# %⊕# &⊕# 1

TABLE 6. Examples of evidence equation.

No. Proof of Equality
⊕ . ⊕ . 1
1
1 ⊕ 1.1 ⊕ 1.1 1
⊕ . ⊕ . 1
2
1 ⊕ 1.1 ⊕ 1.1 1
⊕ . ⊕ . ⊕ . ⊕ . 1
3
1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 1
⋮ ⋮
⊕ ⊕
⊕ ⊕ ⊕ . ⊕ . ⊕ . ⊕
. ⊕
. ⊕ . ⊕ . ⊕ . ⊕ . ⊕
21 . ⊕ . ⊕ . ⊕ . ⊕ . 1
1 ⊕ 1 ⊕ 1 ⊕ 1 ⊕ 1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕
1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 ⊕ 1.1 1

c. Checking the truth of the solution

The truth of the solution is checked by entering the solution that has been obtained into the initial equation,
like the example in Table 6. If the solution found meets the initial equation, then the solution found is
correct. The solution obtained is the algorithm key of the Geffe Generator.

RESULTS AND DISCUSSION

Algebraic Attack on Geffe Generator

This research consists of four applications of algebraic attacks with different LFSR properties. The difference
lies in the properties of the length LFSR used, which is the relatively prime and the use of primitive polynomials.
Case 1 is the LFSR which is relatively prime and primitive polynomial. Case 2 is the LFSR which is relatively prime
and non-primitive polynomial. Case 3 is the LFSR which is not relatively prime and primitive polynomials. Case 4
is LFSR which is not relatively prime and non-primitive polynomials.

020029-4
 Case 1: The length of LFSR's Relatively Prime and Primitive Polynomial

The length of the LFSR that used is relatively prime and primitive polynomial. The attack knows the feedback
function, algorithm function, and keystream with the following conditions.

• Feedback function : LFSR A: * + * + 1

LFSR B: * + * + 1
LFSR C: * + * + 1
• Algorithm function : , ⊕ ,. , ⊕ ,. ,
• Keystream (- … - ) : 11101 00111 00000 11010 1

Based on algebraic attacks that have been carried out, obtained the characteristics of the polynomial equation
system as in Table 7. The length of LFSR (A,B,C) that was used is (5,2,3). The number of unknown variables is 10
which consists of ( , , , , , , , , , ). The length of the periods based on calculations and
experiments are the same, namely (2 − 1)(2 − 1)(2 − 1) 651. Its linear complexity is (5 + 5.2 + 2.3) 21.
Memory complexity in the search phase of the polynomial equation system is 28 KB and the equation of the solution
search phase is 62 KB, so the total amount is 90 KB. The processing time in the search phase of the polynomial
equation system is 5.5 s and the search phase of the equation solution is 1.09 s, so the total amount is 6.59 s.

Case 2: The length of LFSR’s Relatively Prime and Non-Primitive Polynomial

LFSR that were used have relatively prime lengths and use non-primitive polynomials. The attack knows the
feedback function, algorithm function, and keystream with the following conditions.

• Feedback function : LFSR A: * + * + 1

LFSR B: * + 1
LFSR C: * + * + * + 1
• Algorithm function : , ⊕ ,. , ⊕ ,. ,
• Keystream (- , … , - ) : 10101 01000 10001 00000 1

Application of algebraic attack produces the characteristics of the polynomial equation system is shown in Table
8. The length of LFSR (A,B,C) that used is (5,2,3). The amount of unknown variable is 10 which is consist of
( , , , , , , , , , ). The period should be (2 − 1)(2 − 1)(2 − 1) 651, but in the 85th equation
the period has been repeated, so the period is not optimal. The linear complexity is (5 + 5.2 + 2.3) 21. The
complexity memory is equal to 92 KB which is 4 KB from search phase of polynomial equation, and 88 KB from
search phase of solution equation. The processing time is 4.38 s with details 3.17 s from search phase of equation
system and 1.21 s from search phase of solution equation.

TABLE 7. The Characteristics of the polynomial equation system in Case 1.

Properties of LFSR Geffe Generator
Characteristics
Relatively Prime and Primitive Polynomials
LFSR Length (A, B, C) (5,2,3)
Number of unknown variables 10
Maximum period length 651
Period length 651
Monomial amount 21
Linear complexity 21
Memory complexity (28 KB + 62 KB) = 90 KB
Processing time 5.5 s + 1.09 s = 6.59 s

020029-5
 TABLE 8. The Characteristics of the polynomial equation system in Case 2.
Properties of LFSR Geffe Generator
Characteristics
Relatively Prime and Non-Primitive Polynomials
LFSR Length (A, B, C) (5,2,3)
Number of unknown variables 10
Maximum period length 651
Period length 84
Monomial amount 21
Linear complexity 21
Memory complexity (4 KB + 88 KB) = 92 KB
Processing time (3.17 s + 1.21 s) = 4.38 s

TABLE 9. The Characteristics of the polynomial equation system in Case 3.

Properties of LFSR Geffe Generator
Characteristics
Not Relatively Prime and Primitive Polynomials
LFSR length (A, B, C) (6,2,4)
Number of unknown variables 12
Maximum period length 2835
Period length 315
Monomial amount 26
Linear complexity 26
Memory complexity (2 KB + 93 KB) = 95 KB
Processing time (3.97 s + 1.35 s) = 5.32 KB

Case 3: The length of LFSR’s Not Relatively Prime and Primitive Polynomial

The length of the LFSR that was used is not relatively prime and primitive polynomial. The attack knows the
feedback function, the algorithm function, and the keystream with the following conditions.
• Feedback function : LFSR A: * $ + * + 1
LFSR B: * + * + 1
LFSR C: * + * + 1
• Algorithm function : , ⊕ ,. , ⊕ ,. ,
• Keystream (- … - $ ) : 11110 10100 01000 11010 10110 0
From the algebraic attack, obtained characteristics could be seen in Table 9. The length of LFSR (A,B,C) that
was used is (60,2,4). The amount of unknown variables is 12 which consists of (a1, a2, a3, a4, a5, b1, b2, c1, c2, c3, c4).
According to calculations, the period produced is (2$ − 1)(2 − 1)(2 − 1) 63.3.15 2835. But the
experimental results for the period are 315. The linear complexity is 6 + 6.2 + 2.4 26. Memory complexity in the
search phase of the polynomial equation system is 2 KB and the search phase of the equation solution is 93 KB, so
the total amount is 95 KB. The processing time at the search phase of the polynomial equation system is 3.97 s and
at the search phase of the equation solution 1.35 s, so the total amount is 5.32 s.

Case 4: The length of LFSR Not Relatively Prime and Non-Primitive Polynomials

LFSR that was used has a length which is not relatively prime and non-primitive polynomials. The attack knows
the feedback function, algorithm function, and keystream with the following conditions:
• Feedback function : LFSR A: * $ + * + 1
LFSR B: * + 1
LFSR C: * + * + 1
• Algorithm function : , ⊕ ,. , ⊕ ,. ,
• Keystream (- … - $ ) : 11110 10100 01000 11010 10110 0

020029-6
 TABLE 10. The Characteristics of the polynomial equation system in Case 4.
Properties of LFSR Geffe Generator
Characteristics
Not Relatively Prime and Non-Primitive Polynomials
LFSR length (A, B, C) (6,2,4)
Number of unknown variables 12
Maximum period length 2835
Period length 42
Monomial amount 26
Linear complexity 26
Memory complexity (2 KB + 126 KB) = 128 KB
Processing time (2.97 s + 1.26 s) = 4.23 s

After the algebraic attack, the characteristics obtained can be seen in Table 10. The length of LFSR (A,B,C) that
used is (6,2,4). The number of unknown variables is 12 that is (a1, a2, a3, a4, a5, b1, b2, c1, c2, c3, c4). According to
calculations, the period produced is (2$ − 1)(2 − 1)(2 − 1) 2835. But the experimental results are 42. The
amount of monomial and linear complexity is (6 + 6.2 + 2.4) 26. The memory complexity is 128 KB with 2 KB
from the search phase of the system equation and 126 KB from the search phase of the equation solution. Processing
time is 4.23 s with 2.97 s from search phase of the equation system and 1.26 s from the search phase of the equation
solution.

Analysis of Geffe Generator LFSR Properties

Based on the results of the implementation of the Geffe Generator algebraic attack, the next step is to do data
analysis. The analysis is based on the characteristics of the Geffe Generator polynomial equation system that was
obtained in the previous section. This section discusses about analysis results application algebraic attack in four
cases of Geffe Generator. The aim is to know the influence of relatively prime and polynomial primitive to algebraic
attack on Geffe Generator. Comparison results application algebraic attack on Geffe Generator can be seen in Table
11. Based on results of the algebraic attack, there are four cases whose results are as follows:
1. In Case 1, using the length of LFSR which is relatively prime and primitive polynomial. Each LFSR
generates all possible outputs, namely LFSR A as much as 31, LFSR B as much as 3, and LFSR C as much
as 7. In this case, 3 4 (56 , 57 , 58 ) 1.The equation period is maximum that is (2 − 1)(2 − 1)(2 −
1) 31.3.7 651.
2. In Case 2, using the length of LFSR which is relatively prime and non-primitive polynomial. According to
calculations, the length of the period that produced is (2 − 1)(2 − 1)(2 − 1) 31.3.7 651. In this
case, 3 4 (56 , 57 , 58 ) 1 but the experiments show that the period is only 84. LFSR A only produces an
output as much as 21, LFSR B and LFSR C only produces an output as much as 2 and 4, respectively. So
the period is calculated from : ; of the three LFSR outputs are : ; (21,2,4) 3.7.2 84.
3. In Case 3, using the length of LFSR which is not relatively prime and primitive polynomial. According to
calculations, the length of the period that produced is (2$ − 1)(2 − 1)(2 − 1) 63.3.15 2835.
However, the experiments show that the period is 315. Each LFSR generates all possible outputs, namely
LFSR A as much as 63, LFSR B as much as 3, and LFSR C as much as 15. But in this case,
3 4 (56 , 57 , 58 ) 3so that the period is calculated from : ; the three LFSR outputs are : ; (63,3,5)
3 . 7.5 315.
4. In Case 4, using the length of the LFSR which is not relatively prime and non-primitive polynomials.
According to calculations, the length of the period produced is (2$ − 1)(2 − 1)(2 − 1) 63.3.15
2835. But the experiments show that the period produced is 42. LFSR A only produces 14 outputs, LFSR
B only produces 2 outputs, and LFSR C only produces 6 outputs. In this case, 3 4(56 , 57 , 58 ) 2 so that
the period is calculated from : ; the three LFSR outputs are : ; (14,2,6) 7.2.3 42.
5. In Cases 1 and Case 3, all possible LFSR (A, B, C) outputs are generated, whereas in Cases 2 and Case 4,
not all possible LFSR (A, B, C) outputs are generated. LFSR which is a non-primitive polynomial does not
cause all possible outputs in LFSR to be generated and causes the length of the resulting period to be not
optimal.

020029-7
 TABLE 11. Comparison characteristics system equation polynomial.
Properties of LFSR Geffe Generator
Characteristics
Case 1 Case 2 Case 3 Case 4
LFSR Length (A, B, C) (5,2,3) (5,2,3) (6,2,4) (6,2,4)
Number of unknown variables 10 10 12 12
Maximum period length 651 651 2835 2835
Period length 651 84 315 42
Monomial amount 21 21 26 26
Linear complexity 21 21 26 26
Number of independent variables 3 7 4 16
(28 + 78) (4 + 93) (15 + 91) (1 + 135)
Memory complexity
106 KB 97 KB 106 KB 136 KB
(5.5 + 1.09) (3.17 + 1.21) (3.97 + 1.35) (2.97 + 1.82)
Processing time
6.59 s 4.38 s 5.32 s 4.79 s

d. Cases 1 and Case 2 have 3 4(56 , 57 , 58 ) 1. This shows that the length of the LFSR used is relatively
prime. Cases 3 and Case 4 have 3 4(56 , 57 , 58 ) ≠ 1, namely, 3 and 2. This shows that the length of the
LFSR that was used is not relatively prime. The relatively prime properties affect the length of the period
produced.
e. The length of the LFSR that is relatively prime affects the number of possible combinations of LFSR
outputs produced. If the length of the LFSR used is not relatively prime, then not all possibilities for the
combination of LFSR output are generated and the period is not optimal.
f. Primitive polynomials on LFSR affects the number of possible LFSR outputs produced. If the LFSR used is
a non-primitive polynomial, then not all of the possibilities of LFSR output will be generated and the period
will be non-optimal.
g. However, the relatively prime or only primitive polynomials do not guarantee that the period produced is
maximal. The maximum period can only be obtained if the LFSR length is relatively prime and uses
primitive polynomials.

CONCLUSION

Based on example in Case with LFSR (A,B,C) in size (5,2,3) and (6,2,4) it is known that Case 1 where the length
of LFSR is relatively prime and with primitive polynomials produces a maximum period of 651. Case 2 where the
length of LFSR is relatively prime and with non-primitive polynomials produces a non-maximum period of 84. Case
3 where the length LFSR non-relatively prime and with primitive polynomials produces a non-maximum period of
315. Case 4 where the length LFSR non-relatively prime and with non-primitive polynomials produces a non-
maximum period of 42. This research is a case study, so different parameters will produce different results. For
further research, besides being applied to the Geffe Generator algorithm, algebraic attacks need to be applied to
other stream and block ciphers. And further research can also be carried out on methods of finding solutions that can
be used in algebraic attacks such as XL algorithm and Grobner Base.

ACKNOWLEDGMENTS

Accept love God Almighty, the Prophet Muhammad, my parents, and lecturers of National Cryptography
Institute in particular Kelompok Keilmuan Ilmu Persandian.

020029-8
 REFERENCES

1. Sumarkidjo, P. Prasetyaningtyas, N. Pantjawati and A. F. Syukri, Jelajah Kriptologi (Lembaga Sandi Negara
RI, Jakarta, 2007).
2. A. J. Menezes, P. C. Van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography (CRC Press, USA,
1997).
3. B. Schneier, Applied cryptography: Protocols, algorithm, and source code in C (John Wiley & Sons Inc, New
Jersey, United States, 1996)
4. Z. I. Salman, J. Babylon Univ. 22, 1516-1524 (2014).
5. G. V. Bard, Algebraic Cryptanalysis (Springer, New York, United State 2009).

020029-9