Cryptanalysis of MUX-LFSR Based Scramblers

A recursive attack is presented that is applicable to synchronous stream ciphers consisting of a finite state machine with a linear state-transition function and a multiplexer as output function. A variant of this attack can be used to build a cheap system that bypasses on-line the scrambling of video signals as advised in [1] . 1 The Attacked System The scrambler can be described by a finite state machine model. The internal state at a time t is denoted by s , a binary vector with n components st0 to s t n−1 . The linear state transition can be expressed by the matrix equation s = As (1) with A an invertible binary n × n matrix. The output function is a multiplexer. A multiplexer with q address inputs has 2 data inputs. The output is equal to the data input selected by the address input bits. The output function is completely specified by the indices of the components that are the address and data inputs. This finite state machine is used as a pseudorandom bitstream generator. The cryptographic security is based on the secrecy of the initial state s. It is assumed that the finite state machine is periodically resynchronized. When resynchronization occurs the internal state is assigned a value that is the bitwise XOR (denoted by + ) of the original initial state s and a publicly known vector vi that only depends on the serial number of the resynchronization. 2 The Cryptanalytic Algorithm The presented attack is a known plaintext attack: the cryptanalist knows part of the output stream of the generator. This stream is divided into a number of (partly known) Appeared in Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, W. Wolfowicz (ed.), Fondazione Ugo Bordoni, pp. 55–61, 1993. c ©1993 Fondazione Ugo Bordoni