Key-Dependent Feedback Configuration matrix of primitive σ-LFSR and resistance to some Known Plaintext Attacks

In this paper, we propose and evaluate a method for generating key-dependent feedback configurations (KDFC) for σ-LFSRs. σ-LFSRs with such configurations can be applied to any stream cipher that uses a word-based LFSR. Here, a configuration generation algorithm uses the secret key(K) and the Initialization Vector (IV) to generate a new feedback configuration after the initialization round. It replaces the older known feedback configuration. The keystream is generated from this new feedback configuration and the FSM part. We have mathematically analysed the feedback configurations generated by this method. As a test case, we have applied this method on SNOW 2.0 and have studied its impact on resistance to algebraic attack. Besides, as a consequence of resisting algebraic attack, SNOW 2.0 can also withstand some other attacks like Distinguishing Attack, Fast Correlation Attack, Guess and Determining Attack and Cache Timing Attack. Further, we have also tested the generated keystream for randomness and have briefly described its implementation and the challenges involved in the same.


I. INTRODUCTION
S TREAM ciphers are used in a variety of applications [1,2]. LFSRs (Linear Feedback Shift Register) are widely used as building blocks in stream ciphers( [3,4]) because of their simple construction, good pseudorandomness( [5]) and easy implementation.
Word based LFSRs were introduced to efficiently use the structure of modern word based processors ( [6,7,8,9,10,11,12,13]). Such LFSRs are used in a variety of stream ciphers, most notably in the SNOW series of stream ciphers. A σ-LFSR is a word based LFSR configuration that was introduced in [14]. An important property of this configuration is that there are multiple feedback functions corresponding to a given characteristic polynomial of the state transition matrix( [15]). The number of such configurations was conjectured in ( [14]). This conjecture was constructively proved in [16].
The knowledge of the feedback function plays a critical role in most attacks on LSFR based stream ciphers. These include algebraic attacks, correlation attacks, distinguishing attacks, guess and determining attack and Cache timing attack ( [17,18,19,20,21]). Therefore, hiding the feedback function of the LFSR could potentially increase the security of such schemes. One way of doing this is by using dynamic feedback control. This approach is used in stream ciphers such as K2 ( [22]) and A5. This converts the deterministic linear recurrence of some registers into a probabilistic recurrence. However, key recovery attacks on K2 and A5 have been reported in literature ( [23])( [24]).
In this paper we try to increase the security of LFSR based word oriented stream ciphers by making the feedback function dependent on the secret key. The resulting configuration IEEE Access, Second mark is called the σ-KDFC (Key Dependent Feedback Configuration). The proposed method for obtaining the feedback function from the secret key utilizes the algorithm given in [15,16].The feedback gains thus obtained are highly nonlinear functions of the secret key. Further, the number of iterations in this algorithm can be adjusted depending on the available computing power. As an example, we study the interconnection of the σ-KDFC with the finite state machine (FSM) of SNOW-2. We use empirical tests to verify the randomness of the keystream generated by this scheme. Further, we analyse the scheme for security against various kinds of attacks.

Symbol
Meaning Finite field of cardinality 2 n F n  The rest of this paper is organized as follows. Section II-A introduces LFSRs, σ-LFSRs and some related concepts. Section III examines σ-KDFC and its time complexity. Section IV presents the mathematical analysis on the algebraic degree of the parameters of the feedback function generated by σ-KDFC. Section V discusses the the interconnection of σ-KDFC with the FSM of SNOW and its security against various cryptographic attacks . Section VI concludes the paper.

B. CONTRIBUTION
The contribution of this article is as follows: • We have proposed a method of making of making the feedback configuration of a word based shift register dependent on the key of a stream cipher. Most Known plaintext attacks (KPAs) on LFSR based stream ciphers, particularly algebraic ones, make use of the feedback equation. Therefore, making the feedback equation dependent on the secret key protects the cipher against such attacks. • We have also calculated the algebraic degree of the entries of the resulting feedback matrices. • As a test case, we have analysed the security of SNOW 2.0 after replacing the LFSR in that cipher with the proposed configuration. • Finally, we have tested the pseudorandomness of KDFC-SNOW with 16 NIST randomness tests.

A. LFSRS AND σ-LFSRS
An LFSR is an electronic circuit that implements a Linear Recurring Relation (LRR) of the form x n+b = a b−1 x n+b−1 + · · · + a 0 x n . It consists of a shift register with b flip-flops and a linear feedback function which is typically implemented using XOR gates. The integer b is called the length of the LFSR. The characteristic polynomial of an LFSR is a monic polynomial with the same coefficients as the LRR implemented by it. For example, the characteristic polynomial of an LFSR which implements the LRR given above is x b + a b−1 x b−1 + · · · + a 0 . The period of the sequence generated by an LFSR of length b is at most 2 b − 1.
Further, an LFSR generates a maximum-period sequence if its characteristic polynomial is primitive [25]. The state vector of an LFSR at any time instant is a vector whose entries are the outputs of the delay blocks at tha time instant i.e x n = [x n , x n+1 , . . . , x n+b−1 ]. Two consecutive state vectors are related by the equation x n+1 = x n P f where P f is the companion matrix of the characteristic polynomial.
In order to efficiently work with word based processors various word based LFSR designs have been proposed [6,8,11,13,26,27,28]. These designs use multi input multi output delay blocks. One such design is the σ-LFSR shown in Figure 1. Here, the feedback gains are matrices and the implemented linear recurring relation is of the form Here, each delay block has m-inputs and m-outputs and the σ-LFSR generates a sequence of vectors in F m

2
The matrices B 0 , B 1 , · · · , B b−1 are referred to as the gain matrices of the σ-LFSR and the following matrix is defined as its configuration matrix.
where 0, I ∈ F m×m 2 are the all-zero and identity matrices respectively. We shall refer to the structure of this matrix as the M -companion structure. The characteristic polynomial of this configuration matrix is known as the characteristic polynomial of the σ-LFSR.
If x n is the output of the σ-LFSR at the n-th time instant, then its state vector at that time instant is defined asx n = [x n , x n+1 , . . . , x n+b−1 ]. This vector is got by stacking the outputs of all the delay blocks at the n-th time instant. Two consecutive state vectors are related by the following equation:x In the case of σ-LFSRs, there are many possible feedback configurations having the same characteristic polynomial. For a given primitive polynomial, the number of such configurations was conjectured in [14] to be the following, where 5, GL(m, F 2 ) is the general linear group of nonsingular matrices ∈ F m×m 2 , and φ represents Euler's totient. This conjecture has been proved in [29]. Moreover, this inductive proof is constructive and gives an algorithm for calculating such feedback functions.
In the following section, we shall use the algorithm given in [29] to develop a key dependent feedback configuration for the σ-LFSR.

III. σ-KDFC
Stream ciphers, like the SNOW series of ciphers, use word based LFSRs along with an FSM module. The feedback configuration of the LFSR in such schemes is publicly known. This feedback relation is used in most attacks on such schemes [17,19,21,30]. Therefore, the security of such schemes could potentially increase if the feedback function is made key dependent.
Before proceeding to our construction of a key dependent feedback configuration, we briefly describe the algorithm given in [29] which generates feedback configurations for σ-LFSRs with a given characteristic polynomial. Given a primitive polynomial p mb (x) having degree mb, the algorithm for calculating a feedback configuration for a σ-LFSR with b minput m-output delay blocks is as follows: Let be the unique integer less or equal to m which is equivalent to i mod m. if t == then 8: end if 10: end for(At the end of each iteration, an extra column is added to Y till Y ∈ F m×mb 2 ). 11: Construct the following matrix Q.
The matrix C generated in the above algorithm is the configuration matrix of a σ-LFSR with characteristic polynomial p mb (x). As can be seen from Equation 3, the last m rows of this matrix contain the feedback gain matrices. Each set of choices for the d t s and the initial full rank matrix result in a different feedback configuration. In Step 3a, the coefficients of the polynomial f (x) can be calculated by solving the linear equation y × K t = (0, 0, . . . , 1) ∈ F m+i−1 2 for y, where K i is given by VOLUME -, 2016 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
Note that in every iteration of Step 3 in Algorithm 1, m − 1 random numbers are appended to the rows of the matrix Y .
In the proposed scheme, some of these numbers are derived from the secret key. As a consequence, the derived feedback configuration is dependent on the secret key. We now proceed to look at this configuration in detail. Example III.1. For a better understanding, we demonstrate the generation of an invertable matrix Q for a σ−LFSR with 2 4-input 4-output delay blocks, i.e. m=4, b=2. The characteristic polynomial of the LFSR is assumed to be x 8 + x 4 + x 3 + x 2 + 1 which is a primitive polynomial of degree 8.
Ist Iteration: In this iteration the matrix M is the companion matrix of the primitive polynomial x 4 + x + 1.  The corresponding matrix Q is as follows.
The following matrix P is the companion matrix of the primitive polynomial This results in the following matrix C 4 VOLUME -, 2020 In the above example, B 0 and B 1 are the two gain matrices that we have computed using Algorithm 1.
In order to create a keystream generator from the proposed σ-LFSR configuration, it can be connected to a Finite state machine which introduces non-linearity. Figure 2 shows the schematic of the proposed scheme along with its interconnection with an FSM. The scheme has an initialization phase wherein the feedback configuration of the σ-LFSR is calculated by running Algorithm 1. In order to reduce the time taken for initialization, Algorithm 1 is run offline (at some server) till k iterations of step 3 and the resulting matrix Y is made public. The number k can be chosen depending on the computational capacity of the machine that hosts the σ-LFSR. The feedback configuration is calculated by running the remaining part of the algorithm in the initialization phase. In this phase there is no keystream generated at the output. The following subsection explains the initialization phase in detail.

A. THE INITIALIZATION PHASE
During the initialization phase the σ-LFSR has a publicly known feedback configuration. Further, the pre-calculated matrix Y ∈ F m×(m+k) 2 , and the primitive polynomials p m+k+1 (x), p m+k+2 (x), . . . , p mb (x) are also publicly known. The initial state of the σ-LFSR is derived from the secret key and the IV. (as is normally done in word based stream ciphers like SNOW). The σ-LFSR is run along with the FSM for mb − m − k clock cycles. This generates mb−m−k vectors in F m 2 . This corresponds to the mb−m−k remaining iterations of Step 3 in Algorithm 1.
The remaining part of Algorithm 1 is now run. In each iteration of Step 3, the boolean numbers appended to the rows of the matrix Y in Step 3(b) are the entries of the the corresponding vector. More precisely, in the i-th iteration of Step 3 that is run on the keystream generator, for t = i + k mod m, the t-th row of Y is appended with the t-th entry of the i-th vector that was generated.
The feedback gains of the σ-LFSR are now set according to the configuration matrix that is generated by Algorithm 1.
Once the feedback gains are set the σ-LFSR is run along with the FSM. The first b vectors are discarded and the keystream starts from the b + 1-th vector. The reason for doing this is that the initial state of the σ-LFSR with the new configuration is generated by the publicly known feedback configuration which is used in the initialization process.
The algorithm for generating the configuration matrix can be applied for all values of m and b. Therefore, the above described KDFC scheme can be used along with any existing word based stream cipher irrespective of the size and number of delay blocks.

1) Time Complexity of the Initialization Phase
Step 3(a) in Algorithm 1 involves solving a system of linear equations in less than mb variables. This can be done with a time complexity of O((mb) 3 ) using Gaussian elimination. The time complexity of Step 5, the matrix C can be calculated by solving the linear system of equations CQ = QP mb for C. This can be done in O((mb) 4 ) using Gaussian elimination.
Step 4 has a time complexity of O((mb) 3 ). Thus, the time complexity of the initialization phase is O((mb) 4 ).

IV. ALGEBRAIC ANALYSIS OF σ-KDFC
The entries of the feedback matrices, B 0 , B 1 , . . . , B b−1 , calculated by the procedure given in the previous section are functions of the matrix Y generated in Step 3 of Algorithm 1. The entries of Y are in turn non-linear functions of the initial state of the σ-LFSR.
Note that the last row of Y is always e n 1 . Let the first m − 1 rows of Y be v 1 , v 2 , . . . , v m−1 . Let U be the set of variables that denote the entries in these rows. Therefore, The algebraic degree of the configuration matrix, denoted by Θ, is defined as follows Θ can be considered as a measure of the algebraic resistance of σ-KDFC. We now proceed to find a lower bound for Θ.
The matrix Q generated in Step 4 of Algorithm 1 is given VOLUME -, 2016 IEEE Access, Second mark as follows where P mb is the companion matrix of the publicly known primitive characteristic polynomial of the σ-LFSR. The configuration matrix C is generated by the formula is the adjugate of Q. Moreover, since the elements of Q belong to F 2 , the co-factors are equal to the minors of Q. The rows of Q can be permuted to get the following matrix Q P The matrix Q P can be decomposed as follows into four sub-matrices Q 1 , Q 2 , Q 3 and Q 4 : where is the all zero matrix and the matrices are as follows where * s are linear combinations of the entries of the previous row. Note that Q −1 can be got by permuting the rows of Q −1 P . Since Q P is invertible, det(Q P ) = det(Q 3 ) = 1. Let Γ k be the set of of polynomial functions of U variables with degree k. We now proceed to analyse some of the minors of Q P .
Proof. For two matrices A and B with the same number of rows, let [AB] p,q be the matrix which is got by removing the p th column from A and appending the q th column of B to A.
6 VOLUME -, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Recall that, for a binary matrix M ∈ F mb×mb 2 , its determinant is given by the following formula, where S mb is the set of permutations on (1, 2, . . . , mb). Observe that the diagonal elements of ([Q 3 Q 4 ]) j,1 are distinct v i,k s. Their product corresponds to the identity permutation in the determinant expansion formula for [Q 3 Q 4 ]) j,1 . The resultant monomial has degree mb−b. Further, this monomial will not occur as a result of any other permutation. Hence Clearly, the minors of these elements are all equal to the determinant of Q 3 . As we have already seen, the invertibility of Q P implies that this determinant is always 1. Therefore, s are the elements of Q 2 that are below the antidiagonal. Observe that, if the row and column corresponding to such an element are removed from Q P , then the first b − 1 rows of the resulting matrix are always rank deficient. Therefore, the determinant of this matrix is always 0. Therefore, Proof. Observe that the elements of Q P considered in this lemma are elements of the sub-matrix Q 3 . Therefore, µ(Q P [i, j]), for the range of i and j considered, is nothing but the determinant of the sub-matrix of Q 3 got by deleting the i th row and j th column of Q 3 . The diagonal elements of such a sub-matrix are distinct v i,j s. Their product will result in a monomial of degree mb − b − 1. This corresponds to the identity permutation in the determinant expansion formula given by Equation 14. Observe that no other permutation generates this monomial. Hence, the minor will always have a monomial of degree Proof. The elements of Q P considered in this lemma are elements of the submatrix Q 4 . Whenever the row and column corresponding to such an element is removed from Q P , the rows of the submatrix Q 2 become linearly dependent. Therefore, the first b rows of the resultant matrix are always rank deficient. Consequently, µ(Q P [i, j]) = 0.
For a given matrix A with polynomial entries, let Θ(A) be the maximum degree among all the entries of A. As there are mb − b rows in Q P with variable entries, Θ(Q −1 P ) ≤ mb − b. Therefore, we get the following as a consequence of Lemma IV.1.
Recall that the configuration matrix C is given by QP mb Q −1 . We now use the above developed machinery to calculate Θ(C).
Proof. Observe that the gain matrices B 0 , B 1 · · · , B b−1 appear in the last m rows of C S . These rows are generated by multiplying the last m rows QP mb with Q −1 . The last m rows of QP mb are as follows is got by multiplying the (mb − m + 1)-th row of QP mb with the (mb−m+1)-th column of Q −1 . Note that the (mb−m+1)th column of Q −1 is equal to the b-th column of Q −1 P . As a consequence of Lemmas IV.1 and IV.2, this column has the following form.
x 5 x 6 x 7 x 8 x 6 x 7 x 8 Therefore, Here, C S [7,7], is equal to P 4 which is a polynomial of degree 4.

V. CASE STUDY: INTEGRATION WITH SNOW 2.0
In this subsection, we first introduce SNOW 2.0, and then use it as a case study to show how σ-KDFC can be applied to an LFSR-based cipher stream. We refer to the resulting cipher as KDFC-SNOW.

A. SNOW 2.0:
The SNOW series of word based stream ciphers was first introduced in [28]. This version of SNOW is known as SNOW 1.0. This was shown to be vulnerable to a linear distinguishing attack as well as a guess and determine attack [31]. SNOW 2.0 (Adopted by ISO/IEC standard IS 18033-4) was introduced later in [8] as a modified version of SNOW 1.0. This version was shown to be vulnerable to algebraic and other attacks [17,19,30,31,32,33]. We consider SNOW 2.0 as a test case and demonstrate how replacing the LFSR in this scheme with a σ-LFSR increases its resistance to various attacks.
The block diagram of SNOW 2.0 is shown in figure 3.  (2)) and integer addition modulo 2 32 respectively. As shown in figure 3, the keystream generator in SNOW 2.0 consists of an LFSR and an FSM (Feedback State Machine). The LFSR implements the following linear recurring relation: where, α is the root of the following primitive polynomial where β is the root of the following primitive polynomial.
The FSM contains two 32-bit registers R1 and R2. These registers are connected by means of an S-Box which is made using four AES S-boxes. This S-box serves as the source of nonlinearity.

B. KDFC-SNOW:
In the proposed modification, we replace the LFSR part of SNOW 2.0 by a σ-LFSR having 16, 32-input 32-output delay blocks. The configuration matrix of the σ-LFSR is generated using Algorithm 1. We shall refer to the modified scheme, shown in Figure 4, as KDFC-SNOW. During initialization the feedback function of the σ-LFSR is identical to that of SNOW-2. As in SNOW 2.0, the σ-LFSR is initialized using a 128-bit IV and a 128/256-bit secret key K. KDFC-SNOW is run with this configuration for 32 clock cycles without producing any symbols at the output. The vectors generated in the last 12 of these clock cycles are used in Algorithms 1 to generate a new feedback configuration. As we have already mentioned, some of the iterations of Algorithm 1 are pre-calculated and the remaining ones are done as a part of the initialization process. In this case, it is assumed that 468 of these iterations are pre-calculated and the last 12 iterations are carried out in the initialization process. This calculated configuration replaces the original one and the resulting set-up is used to generate the keystream.

C. INITIALIZATION OF KDFC-SNOW
• The delay blocks D 0 , · · · , D 15 are initialized using the 128/256 bit secret key K and a 128 bit IV in exactly the same manner as SNOW 2.0. The registers R 1 and R 2 are set to zero. • The initial feedback configuration of the σ-LFSR is identical to SNOW 2.0. This is done by setting B 11 and B 0 as matrices that represent multiplication by α −1 and α respectively. Further, B 2 is set to identity. The other gain matrices are set to zero. • KDFC-SNOW is run in this configuration for 32 clock cycles without making the output externally available. The last 12 values of F t are used as the random numbers in Algorithm 1. • A new configuration matrix is calculated using Algorithms 1 and the corresponding feedback configuration replaces the original one. The scheme is now run with this configuration. The first 32 vectors are discarded and the key stream starts from the 33 rd vector.

D. GOVERNING EQUATIONS OF KDFC-SNOW
Let D t i ∈ F 2 32 denote the value stored in the i th delay block at the t-th time instant after the key stream generation has started. The outputs of the delay blocks of the σ-LFSR are related as per the following equation: Therefore, The value of the keystream at the t-th time instant is given by the following equation Let F t be the output of the FSM at time t, The registers are updated as follows: where R t 1 and R t 2 represent the values of registers R 1 and R 2 at time instant t. The operation " " is defined as follows: x y = (x + y) mod 2 32 (30) The challenge for an adversary in this scheme is to find the gain matrices {B 0 , B 1 , · · · , B 15 } in addition to the initial state {D 0 0 , · · · , D 0 15 }. Note that Equations 26 to 29 are got from the FSM. Since the FSM part of the keystream generator is identical for SNOW 2.0 and KDFC-SNOW these equations are identical for both schemes.

E. SECURITY ENHANCEMENT DUE TO KDFC-SNOW
The primary objective of the proposed scheme is to resist Algebraic Attack. In these section, we describe how this happens. Further, for completeness, we briefly describe the performance of KDFC-SNOW against other attacks such as Distinguishing Attack, Fast Correlation Attack and Guess and Determining Attack.

1) Algebraic Attack:
We first briefly the Algebraic attack on SNOW 2 described in [17] and demonstrate why this attack becomes difficult with KDFC-SNOW. This attack first attempts to break a modified version of the scheme where the operator is approximated by ⊕. The state of LFSR and the value of the registers at the end of the 32 initialization cycles are considered unknown variables. This accounts for a total of 512 + 32 = 544 unknown variables. The algebraic degree of each of the S-box(S) equations (156 linearly independent quadratic equations in each clock cycle ) is 2. Rearranging the terms in Equation 29, we get the following Note that R 0 1 = R 0 2 + z 0 + D 0 0 + D 0 15 .Therefore, by approximating as ⊕, Equation 31 expands to the following: Further, Equation 28 can be expanded as follows: In Equation 33, the outputs of the delay blocks can be related to the initial state of the LFSR using the following equation.
Observe that, while D 1 15 is a polynomial of degree two in the unknown variables, D 2 15 is a polynomial of degree 3. Similarly, with each successive iteration the degree of the expression for D t 15 keeps increasing, till all the m 2 b entries of the feedback matrices are multiplied with each other. A similar thing happens with the expressions for D t 0 . This results in a set of polynomial equations having maximum degree equal to m 2 b + 1 = 16385 . Therefore, although the equations generated by Equation 33 are quadratic in terms of the initial state of the σ-LFSR, they are no longer quadratic in the set of all unknowns. We instead have a system of equations in 16982 variables with a maximum degree of degree of over 16000. Linearizing such a system will give us a system of linear equations in N =

M i=0
16928 i unknowns where M is higher than 16000. Such an attack is therefore not feasible.
One could instead consider the rows of the matrix Y generated by Algorithm 1 as unknowns. Assuming that the first row is e n 1 , the total number of unknowns will now be 31 * 512 = 15872. As we have already seen, the entries of the feedback matrices (B i s) are polynomials in these variables. From Theorem IV.5, the maximum degree of these polynomials is atleast mb − b. Therefore, the maximum degree of the equations generated by Equation 33 will be atleast mb − b + 1 = 497. Therefore, linearizing this system of equations gives rise to a system of linear equations in N = 497 i=0 16416 i ≈ O(2 3207 ) unknowns. Therefore, an algebraic attack on this scheme that uses linearization seems unfeasible.
Another approach to the algebraic cryptoanalysis of SNOW 2 is found in [34]. Therein, linear equations are generated by assuming a set of values for the entries of the registers of the FSM. Two methods of cryptoanalysis are presented in this paper. In the first method, the attacker guesses the values of ten consecutive entries of the the register R 1 . The guessed value of R t 1 uniquely determines the value of = R t+1 2 ( by Equation 28). Given values of R t 1 and R t 2 , Equation 26 gives rise to two linear equations and thirty quadratic equations. These equations can be generated for nine time instances. Further, given values of R t+1 1 and R t 2 , the value of D t 5 can be uniquely determined. One can thus determine 8 consecutive values of D t 5 . These along with the linear and quadratic equations results in an over-determined system of equations. These, when solved, gives us an estimate of the current state. Since the relation between the current state and the initial state is linear, one can get an estimate of the initial state from the estimate of the current state. The correctness of the guesses can be verified by using the estimated initial state and the system equations of SNOW 2.0 to regenerate the key stream and check if it matches with the actual one.
In the second method, the attacker assumes the following nine consecutive entries of the register R 1 Now, there are 7 consecutive time instances,k, where the values of R k+1 1 and R k 2 are simultaneously known. Hence, at each of these time instances, Equation 27 gives rise to 32 linear equations over GF (2). This accounts for a total of 224 equations. Further, there are 7 consecutive values of k wherein the value of R k 1 is 0 and the value of R k 2 is known. Therefore, Equation 26 gives us 32 linear equations over GF (2) at each of these time instances. This accounts for another 224 linear equations. If the assumption made in this attack holds true, at the t + 1-th time instance the value in the register R 1 is zero while the value in the regiester R 2 is given as follows.
R t+1 When these values are substituted in Equation 26, we get another 32 linear equations. Recall that, at the t + 2-th time instance, the value in the register R 1 is 1111 · · · 1. As a consequence of Theorem 2 in [34], this results in Equation 26 generating 32 linear equations which are satisfied with probability half. This probability becomes 1 when D 2 0 +z 2 +S(0) is zero. We thus have a total of 512 linear equations. When these equations are linearly independent, solving them gives us the state of the LFSR. The correctness of the assumptions is verified by checking if the sequence generated from this state matches with the actual keystream.
In both these attacks, in order to verify the correctness of the assumptions, one has to generate the sequence with the calculated state of the LFSR and check if it matches the actual keystream. To do this, the feedback equation of the LFSR is needed. Since this is not available in KDFC-SNOW, this verification cannot be done. As a result, KDFC-SNOW is immune to these attacks. For a similar attack to work on KDFC-SNOW, the assumptions should enable the attacker to calculate 512 output words of the LFSR (as against the 32 output words that are calculated in these attacks ). This would mean more assumptions. Consequently, the probability of these assumptions being true will be significanlty lower. This will result in a much higher time complexity for the attack.

2) Distinguishing Attack:
In the distinguishing attack, the attacker aims to distinguish the generated keystream from a random sequence. Distinguishing attacks on SNOW 2.0 have been launched using the linear masking method [18,19,20]. This method essentially adapts the linear cryptanalysis method given in [35] to stream ciphers. In this method, the algorithm of the key stream generator is assumed to consist of two parts, a linear one and a non-linear one. In the case of SNOW 2.0, the linear part is the LFSR and the non-linear part is the FSM. The linear part satisfies a linear recurring relation of the form f (x n , x n+1 , x n+2 , . . . , x n+k ) = 0 for all n. We then try to find a linear relation, called the masking relation, that the non-linear part approximately satisfies. This relation is of the following form: where z 0 , z 1 , . . . is the output sequence of the key stream generator. The Γ i s and Λs are linear masks that map the corresponding x n+i s and z n+i s to F 2 respectively. The error in the masking relation can be seen as a random variable. If p is the probability that the non linear part satisfies Equation 37, then p − 1 2 is called the bias of the masking relation. The Masking relation along with the linear recurring relation is used to generate a relation in terms of the elements of the output sequence. The error in this relation can also be seen as a random variable. If the probability of the sequence satisfying this relation is p f , then p f − 1 2 is the bias of this relation. This bias can be related to the bias of the masking relation using the piling up lemma in [35]. The main task in this type of attack is to find masks Γ i s and Γ i s which maximise the bias of the masking relation. The following linear masking equation is used in [18] and [19] for the FSM of SNOW 2.
In [18] it is assumed that all the Γ i s and Λ i s are equal to each other. In [19] it is assumed that Γ 0 , Γ 15 and Λ 0 are equal to each other. Γ 1 , Γ 5 .Γ 16 and Λ 1 are also assumed to be equal. Since f (x n , x n+1 , . . . , x n+k ) is a linear relation, the following relation can be written purely in terms of the z i s The linear relation between the elements of the output sequence in both [18] and [19] is obtained using this method. Further, if there are non-zero coefficients in f , then the random variable corresponding to the error in this relation is a sum of random variables each corresponding to the error in the linear masking equation.
In the proposed σ-LFSR configuration, the feedback equation is not known. Therefore the only known linear recurring relation that the output of the σ-LFSR satisfies is the one defined by its characteristic polynomial. If the characteristic polynomial is assumed to be the same as that of the LFSR in SNOW 2, then the corresponding linear recurring relation has 250 non-zero coefficients. Further, since these coefficients are elements of F 2 , the non-zero coefficients are all equal to 1. Therefore, as a consequence of the piling up lemma, if the bias of the masking equation is , then the bias of the relation between the elements of the key stream is given as follows The number of elements of the key stream needed to distinguish it from a random sequence is 1 2 f inal . Therefore, for an identical linear masking equation, the length of the key stream for the distinguishing attack is much higher for the proposed configuration as compared to SNOW 2. This is demonstrated in the following  The Fast Correlation Attack is a commonly used technique for the cryptanalysis of LFSR based stream ciphers. This method was first introduced for bitwise keystreams in ( [36]).
Here, the attacker views windows of the key stream as noisy linear encodings of the initial state of the LFSR. She then tries to recover the initial state by decoding this window. Further, linear combinations of elements in this window can be seen as encodings of subsets of the initial state. This results in smaller codes which are more efficient to decode [37]. The linear recurring relation satisfied by the output of the LFSR is used to generate the parity check matrix for this code. A Fast correlation attack for word based stream ciphers was first described in [38]. An improvement on this attack is given in [20]. Both these schemes consider a linear recurring relation with coefficients in F 2 . For SNOW 2.0, this relation has order 512. This is equivalent to considering each component sequence to be generated by a conventional bitwise LFSR having the same characteristic polynomial as the LFSR in SNOW 2.0. The time complexity of the attack given in [20] is 2 212.38 . The scheme in [21] considers the LFSR in SNOW 2.0 to be over F 2 8 . This results in a linear recurring relation of order 64. Further, it utilizes the k− tree Algorithm given in [39] to generate parity check equations. This results in a significant improvement in the time complexity of the attack. The time complexity of this attack is 2 164.5 which is around 2 49 times better than that of the attack given in [20]. However, in order to derive the linear recurring relation over F 2 8 , the knowledge of the feedback function is critical. In KDFC SNOW, the characteristic polynomial of the σ-LFSR is publicly known. The attacker can therefore generate a linear recurring relation over F 2 that the output of the σ-LFSR satisfies. Therefore, the attack given in [20] will also be effective against KDFC-SNOW. However, without the knowledge of the feedback function, the attacker will not be able to derive a linear recurring relation over F 2 8 . Hence, KDFC-SNOW is resistant against the attack given in [21].
[40] uses MILP(Mixed Integer Linear Programming) to find a linear mask that gives better correlation. This results in an attack with a time complexity of 2 162.91 which is 2 1.59 times better than [21]. [41] further modifies this attack using a small trick in k− tree algorithm. The time complexity with this modification turns out to be 2 162.86 . These attacks consider a feedback polynomial of degree 512 over F 2 . Therefore, KDFC-SNOW does not provide any extra security against these attacks.

4) Guess and Determine Attack
In a Guess and Determine Attack, the attacker aims to estimate the values of a minimum number of variables using which the complete sequence can be constructed. For SNOW 2.0, this includes the values of the outputs of the delay blocks of the LFSR and the outputs of the registers of the FSM at some time instant. This is done by guessing some of the values and determining the rest of them using system equations. If the sequence generated using these estimates matches the output of the key-stream generator, then the guesses are deemed to be correct. Otherwise, a fresh set of guesses are considered. The set of variables whose values are guessed is known as the basis for the attack. For both SNOW 2.0 and KDFC-SNOW, these variables take their values from F 32 2 . Hence, if the size of the basis is k, then the probability of a correct guess is 2 −32k . Thus, on average, one needs O(2 −32k ) attempts to make a correct guess. Therefore, the problem here is to find a basis of the minimum possible size. A systematic Vitterbi-like algorithm for doing this is given in [30].The complexity of this attack was found to be 2 265 ([30]) for SNOW2.0. The complexity of this attack reduced to 2 192 in ( [33]) by incorporating a couple of auxiliary equations. We now briefly describe the algorithm given in [30] These equations are used to generate the following tables The entries in the above tables correspond to the variables that are to be estimated. The entries in the first We now consider a multi stage graph with 56 nodes in each stage corresponding to the 56 entries in the above tables. Each node is connected to all the nodes in the next stage giving rise to a trellis diagram. An entry is said to be eliminated by a path if, knowing the values of the entries corresponding to the nodes in the path, the value of that entry can be calculated.
We now recursively calculate an optimal path that eliminates all the entries. The desired basis corresponds to the nodes in this path. In the i-th iteration of this algorithm we calculate the optimal path of length i to each node in the i-th stage. In order to find the optimal path to the k-th node, we consider all the incoming edges of node k. By appending the node k to the optimal paths of length i−1 ending at the source nodes of these edges, we get 55 paths of length i. We choose the edge corresponding to the path that eliminates the most number of variables. In case of a tie, we consider the path that results in the most number of rows with 2 unknowns and so on. This process is continued till we get a path that eliminates all the entries. This algorithm results in a basis of cardinality 8 for SNOW 2.0.

5) Cache Timing Attack
It is a kind of side-channel analysis attack where the cache memory is accessed by the adversary before or after the generation of each keystream bit. In schemes like SNOW 2.0 (and other schemes in the SNOW series), multiplication in the finite field is performed using look up tables corresponing to the non-zero constants in the feedback equation. Further, another look up table is used for the implementation of the S-BOX . These implementations are cache friendly. However, the adversary can extract secret information about the LFSR by monitering the cache access. According to the attack model of [42,43], the adversary uses two synchronous oracles: 1 KEYSTREAM(J) It returns the J−th keystream block. 2 SCA-KEYSTREAM(J) It returns the unordered list of cache accesses which is done during the creation of the J−th keystream. In SNOW 2.0 and SNOW 3G there are multiplications over F 2 3 2 that are done in every clock cycle viz. multiplication by α and α −1 . These multiplications are implemented as follows where x = (x 3 x 2 x 1 x 0 ) ∈ F 2 32 and T 1 , T 2 are two 8 × 32 tables. Thus, from the list of cache accesses the adversary can extract 8-bits of information viz. the first four bits of S t and the last four bits of S t+11 . The adversary then gathers all linear equations formed from these bits for (512/8=64) clock cycles. The state of the LFSR can then be found by solving these linear equations.
In the proposed KDFC scheme, the feedback gains do not correspond to known elements of the finite field. Instead, the feedback gains are matrices which are dependent on the key. Therefore, the feedback equation cannot be calculated by using look up tables. As a result, the attacker cannot obtain any information from the list of cache accesses.

F. RANDOMNESS TEST
In this subsection, we evaluate the randomness of the keystream generated by KDFC-SNOW.

1) Test Methodology
We have used the NIST randomness test suite to evaluate the randomness of a keystream generated by KDFC-SNOW.There are are 16 randomness tests in the suite. Each test returns a level of significance i.e. P − V alue. If this value is above 0.01 for a given test, then the keystream is considered to be random for that test.

VOLUME -, 2016
then do a bit-wise right shift on each of these integers and introduce the result of the XOR operation bitwise as the most significant bits. In this way, the σ-LFSR can be implemented using bitwise XORs and shifts. The FSM is implemented as in SNOW 2.0 [8]. This implementation takes 25 cycles to generate a single word on an Intel Probook 4440s machine with a 2.8 Ghz i5 processor. Each iteration of Algorithm 1 involves solving a system of linear equations. This process is time consuming and contributes to increasing the initialization time. The initialization process was implemented using a C code with open mp (with 3 threads). In this implementation linear equations were solved using a parallel implementation of the LU decomposition algorithm.

VI. CONCLUSIONS
In this paper, we have described a method of using σ-LFSRs with key dependent feedback configurations in stream ciphers that use word based LFSRs. In this method, an iterative configuration generation algorithm(CGA) uses keydependant random numbers to generate a random feedback configuration for the σ-LFSR. We have theoretically analysed the algebraic degree of the resulting feedback configuration As a test case, we have demonstrated how this scheme can be used along with the Finite State Machine of SNOW 2.0. We have analysed the security of the resulting key-stream generator against various attacks and have demonstrated the improvement in security as compared to SNOW 2.0. Further, the keytreams generated by the proposed method are comparable to SNOW 2.0 from a randomness point of view.