
From my limited reading into LFSR-based stream cipher design, there does not appear to be significant emphasis put upon an LFSR's feedback polynomial. At most,[1] I see requirements that the feedback polynomial be primitive over the relevant Galois field and potentially be kept secret as part of the key. Given this relative lack of constraint on the LFSR design, I believe that selecting a particularly sparse feedback polynomial would be ideal for such stream ciphers due to the low number of gates required to implement it. Is there any reason to pick a maximal feedback polynomial that is more dense/requires more gates to implement?

PS: This question is in regard to parameterizing component LFSRs in LFSR-based stream ciphers (i.e. constructions like SSG and ASG) in general, not using a linear combination (or just one) of LFSRs to generate keystream directly.

[1] Technically speaking, you also need to make sure there are no negative interactions with other components, like the initialization process as engineered in GEA-1; see https://eprint.iacr.org/2021/819

oaky_0ffc

1 Answer


Among the standard suggestions for feedback polynomials for LFSRs, the following are common (see this paper):

  1. The connection polynomial must be primitive over $GF(2).$
  2. The weight of the connection polynomial must be high.
  3. There should not be any sparse multiple of moderate degree for the connection polynomial.

This is because low-weight polynomials result in low-weight parity checks, which can be used in correlation attacks. Since a keystream also satisfies multiples of the generating polynomial, low-weight multiples of high-weight polynomials can also be utilized here.

Also note that if there is a combination generator where the LFSR-based components, with LFSR $j$ having output $x_{j,t}$, are used to output keystream $z_t$ of the form $$ z_t=f(x_{1,t},x_{2,t},\ldots,x_{m,t}),\quad t\geq 0 $$ and an individual LFSR has low weight, low-complexity correlation equations can still be set up between a specific LFSR sequence and the output sequence.

See the references below:

  1. A. Canteaut, M. Trabbia. Improved fast correlation attacks using parity-check equations of weight 4 and 5, Advances in Cryptology—EUROCRYPT 2000.

  2. W. Meier, O. Staffelbach. Fast correlation attacks on certain stream ciphers, J. Cryptology 1 (1989) 159–176.

kodlu
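As an added illustration of criteria 2 and 3 in the answer above (this is example code, not taken from the answer or its references): the LFSR sequence satisfies a parity check for its characteristic polynomial and for every multiple of it, so a design-time check should search for low-weight multiples, not just look at the weight of the polynomial itself. The two polynomials used in `__main__` are constructed sample choices, one weight-3 and one weight-5 primitive polynomial.

```python
"""Design-time checks for an LFSR connection polynomial over GF(2). A
polynomial is an int whose bit i is the coefficient of x^i (x^7+x+1 = 0b10000011)."""


def poly_mod(a: int, f: int) -> int:
    """Remainder of a modulo f over GF(2) (carry-less long division)."""
    df = f.bit_length() - 1
    while a.bit_length() - 1 >= df:
        a ^= f << (a.bit_length() - 1 - df)
    return a


def lfsr_sequence(f: int, state: int, n: int) -> list[int]:
    """First n bits of the LFSR with characteristic polynomial f (degree L):
    sum_{i<=L} f_i * s_{t+i} = 0 mod 2, with f_L = 1."""
    L = f.bit_length() - 1
    s = [(state >> i) & 1 for i in range(L)]           # s_0 .. s_{L-1}
    while len(s) < n:
        s.append(sum(s[-L + i] for i in range(L) if (f >> i) & 1) % 2)
    return s[:n]


def parity_check_holds(seq: list[int], m: int) -> bool:
    """True if sum_i m_i * s_{t+i} = 0 mod 2 at every position t.
    Holds for m = f and for every multiple m of f: that is why sparse
    multiples of a dense f still give sparse parity checks."""
    taps = [i for i in range(m.bit_length()) if (m >> i) & 1]
    return all(sum(seq[t + i] for i in taps) % 2 == 0
               for t in range(len(seq) - taps[-1]))


def trinomial_multiples(f: int, max_degree: int) -> list[tuple[int, int]]:
    """All (a, b) with 0 < b < a <= max_degree such that f | x^a + x^b + 1,
    i.e. every weight-3 parity check of degree <= max_degree. Uses
    x^a + x^b + 1 = 0 mod f  <=>  x^b = x^a + 1 mod f with a residue table."""
    residues = [poly_mod(1 << i, f) for i in range(max_degree + 1)]
    first_exp = {}                                      # residue -> smallest i
    for i, r in enumerate(residues):
        first_exp.setdefault(r, i)
    found = []
    for a in range(2, max_degree + 1):
        b = first_exp.get(residues[a] ^ 1)
        if b is not None and 0 < b < a:
            found.append((a, b))
    return found


if __name__ == "__main__":
    # Constructed examples: a weight-3 and a weight-5 primitive polynomial.
    for name, f in (("x^7+x+1", 0b10000011), ("x^8+x^4+x^3+x^2+1", 0b100011101)):
        L = f.bit_length() - 1
        a, b = min(trinomial_multiples(f, 2 ** L - 2))
        ok = parity_check_holds(lfsr_sequence(f, 1, 2 ** L + L), (1 << a) | (1 << b) | 1)
        print(f"{name}: lowest-degree weight-3 check x^{a}+x^{b}+1, holds: {ok}")
```

For a primitive polynomial of degree L, the search up to degree 2^L - 2 always finds 2^(L-1) - 1 trinomial multiples; what matters for criterion 3 is how low the smallest degree among them is.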