New Guess-and-Determine Attack on the Self-Shrinking Generator

We propose a new type of guess-and-determine attack on the self-shrinking generator (SSG). The inherent flexibility of the new attack enables us to deal with different attack conditions and requirements smoothly. For the SSG with a length L LFSR of arbitrary form, our attack can reliably restore the initial state with time complexity O(2), memory complexity O(L) from O(2)-bit keystream for L ≥ 100 and time complexity O(2), memory complexity O(L) from O(2)-bit keystream for L < 100. Therefore, our attack is better than all the previously known attacks on the SSG and especially, it compares favorably with the time/memory/data tradeoff attack which typically has time complexity O(2), memory complexity O(2) and data complexity O(2)-bit keystream after a pre-computation phase of complexity O(2). It is well-known that one of the open research problems in stream ciphers specified by the European STORK (Strategic Roadmap for Crypto) project is to find an attack on the self-shrinking generator with complexity lower than that of a generic time/memory/data tradeoff attack. Our result is the best answer to this problem known so far.