Attacking the Filter Generator over

We consider the filter generator over GF (2) consisting of a linear feedback shift register of length k that generates a maximal length linear sequence of period 2 − 1 over GF (2) and a Boolean function of degree d that combines bits from one element in the shift register (considered as an element in GF (2)) and creates a binary output bit zt at any time t. We show how to extend a recent attack by the authors on the binary filter generator to the filter generator over GF (2). The attack recovers the initial state of the filter generator from L keystream bits with complexity O(L), after a pre-computation with complexity O(L(log2L) ), where L is the linear complexity upper bounded by D = P d i=1 ` n i ́ with n = mk, which is also the number of monomials of degree ≤ d in GF (2). In addition we explain why a function of only one element in the shift register reduces the linear complexity of the keystream, compared to using the function freely on bits from several words in the initial state. We also discusses some implications for the WG cipher.