Why are stream ciphers based on linear-feedback shift registers so popular?

Question

I was conducting research on stream ciphers and LFSRs was a subtopic of my research and I was wondering why are LFSRs so popular?

Answer 1

There were popular once upon a time;

1. They were very easy to implement in the hardware. Think about you only need latch and $\oplus$. For combining functions some $\wedge$ operation.

2. Their periodic properties are well studied, the minimal polynomial and characteristic polynomial etc. You can see a glimpse in the classical book of Solomon Golomb.

3. They are insecure, as Fgrieu said in comments. Single LFSR can be breakable by Berlekamp-Massay algorithm. You need only $2L$ keystream if the LFSR's length is $L$. Interestingly, this algorithm was invented for decoding the BCH codes.

4. Many people tried to use LFSRs to produce secure stream ciphers. To see the attacks on them look at the links.

   • Combining LFSRs with non-linear combiner broken by the novel attack of Siegenthaler
   • Irregular clocking as Alternating step generator
   • Shrinking Generator
   • Filtering the LFSR

5. Some recent (date back to 1999) algorithms based on LFSR

   • A5/1 and A5/2 used in GSM phones, E0 used in Bluetooth. If you look carefully on their usage you will see that there were a second design factor for this ciphers. That is; using smaller hardware. And, this reduces the power consumption.

---

Note 0: Definitions:

• Shift Register : cascaded flip-flops that the out od each is connected to the next one's input. At each clock cycle, the data shifts one. As in 'C' code x << 1

• Linear-feedback shift register, LFSR is a shift register where the input is the linear combination of previous states.

• Nonlinear-feedback shift register, NLFSR is a shift register where the input is the non-linear combination of previous states.

Note 1: The following from eSream project are using LFSR or NLFSR or both:

1. Trivium uses 3 NLFSRs.
2. Sosemanuk uses LFSR with a maximal period $2^{230}-1$
3. Grain uses both LFSR and NLFSR
4. MICKEY uses both LFSR and NLFSR

Note 2: They have other applications as @bmmo6 said in the comments.

Note 3: I barely remember a product advertisement in Cryptologia. They were claiming that they combined 5 LFSRs to generate a secure cipher.

Answer 2

A complement to @kelalaka's excellent answer.

Here are a few LFSR (and NLFSR for Trivium) based stream ciphers that have not been broken.

1. Trivium

2. Self shrinking generator.

Also, some stream ciphers with more modern structure are much less understood.