“…In other words, if $\alpha^k$ belongs to a subfield $\mathbb{F}_{2^m}$ of $\mathbb{F}_{2^n}$, then the fast correlation attack consists in decoding a linear code of dimension $m$, instead of a code of dimension $n$. This may enable the attacker to recover $\log_2(\tau_k)$ bits of the initial state with a lower complexity than the fast correlation attack involving the original LFSR of length $n$. The optimal situation which maximizes the number of bits recovered by the attacker for a given complexity is then when $\tau_k = 2^m - 1$ for some divisor $m$ of $n$, i.e., when $k$ is such that $\gcd(k, 2^n - 1) = (2^n - 1)/(2^m - 1)$. Several decoding algorithms have been proposed in this context [32,21,6,7,22,33,8] which offer different trade-offs between the dimension of the code and the error probability (see [1] for a recent survey). Example 1.…”
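The subfield condition in the excerpt can be checked mechanically, which is useful when auditing an LFSR/filter-generator design for exponents $k$ that collapse the decoding problem to a small subfield. The following Python is an added example, not code from the quoted paper; it assumes, as the notation suggests, that $\alpha$ is a primitive element of $\mathbb{F}_{2^n}$ and that $\tau_k$ is the multiplicative order of $\alpha^k$, so $\tau_k = (2^n-1)/\gcd(k, 2^n-1)$, and that $\alpha^k \in \mathbb{F}_{2^m}$ exactly when $\tau_k$ divides $2^m-1$. Function and variable names are the example's own.

```python
import math
from math import gcd


def order_of_alpha_k(n: int, k: int) -> int:
    """tau_k: multiplicative order of alpha^k, alpha primitive in GF(2^n)
    (assumption: tau_k is the order of alpha^k, as in the excerpt's notation)."""
    q = 2**n - 1
    return q // gcd(k, q)


def smallest_subfield_degree(n: int, k: int) -> int:
    """Smallest divisor m of n with alpha^k in GF(2^m).
    alpha^k lies in GF(2^m) iff tau_k divides |GF(2^m)*| = 2^m - 1."""
    tau = order_of_alpha_k(n, k)
    for m in range(1, n + 1):
        if n % m == 0 and (2**m - 1) % tau == 0:
            return m
    return n  # never reached: m = n always satisfies the test


def recoverable_bits(n: int, k: int) -> float:
    """log2(tau_k): bits of initial state the subfield attack can recover
    while decoding a code of dimension smallest_subfield_degree(n, k)."""
    return math.log2(order_of_alpha_k(n, k))


def is_optimal_exponent(n: int, k: int) -> bool:
    """Excerpt's optimal case: tau_k = 2^m - 1 for the subfield degree m,
    equivalently gcd(k, 2^n - 1) = (2^n - 1)/(2^m - 1)."""
    m = smallest_subfield_degree(n, k)
    q = 2**n - 1
    by_order = order_of_alpha_k(n, k) == 2**m - 1
    by_gcd = gcd(k, q) == q // (2**m - 1)
    assert by_order == by_gcd  # the two formulations must agree
    return by_order


def weak_exponents(n: int) -> dict:
    """Design check: every k in [1, 2^n - 2] whose alpha^k falls into a
    proper subfield GF(2^m), m < n, grouped by m. Such k reduce the
    attacker's decoding problem from dimension n to dimension m."""
    weak = {}
    for k in range(1, 2**n - 1):
        m = smallest_subfield_degree(n, k)
        if m < n:
            weak.setdefault(m, []).append(k)
    return weak


if __name__ == "__main__":
    n = 6  # constructed toy size: GF(2^6), 2^6 - 1 = 63 = 7 * 9
    for k in (1, 3, 9, 21):
        print(f"k={k:2d} tau_k={order_of_alpha_k(n, k):2d} "
              f"m={smallest_subfield_degree(n, k)} "
              f"bits={recoverable_bits(n, k):.2f} "
              f"optimal={is_optimal_exponent(n, k)}")
    print("exponents landing in a proper subfield:", weak_exponents(n))
```

For $n = 6$ the script reports that $k = 9$ gives $\tau_9 = 7 = 2^3 - 1$, so $\alpha^9 \in \mathbb{F}_{2^3}$ and the attacker decodes a dimension-3 code to recover about $\log_2 7 \approx 2.8$ bits, whereas $k = 3$ gives $\tau_3 = 21$, which divides no $2^m - 1$ with $m < 6$, so no subfield shortcut exists for that exponent.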