Espresso cipher is designed targeting 5G wireless communication systems. To achieve high efficiency, a maximum period Galois NLFSR is used as the only building block. The Galois NLFSR is constructed by a scalable method which converts a maximum LFSR to a Galois NLFSR. Based on this method, a new class of stream ciphers, namely maximum period Galois NLFSR-based stream ciphers can be designed. However, we identify a conditional equivalence problem in the design method and adopt the Type-II-to-Fibonacci transformation algorithm. We apply the algorithm to the Espresso cipher and successfully transform the Galois NLFSR to a Fibonacci LFSR with a nonlinear output function. The Espresso cipher is transformed to an LFSR filter generator. We break it by the fast algebraic attack and the Rønjom-Helleseth attack with complexity of 2^68.50 and 2^48.59 logical operations respectively. Moreover, we show that the entire class of maximum period Galois NLFSR-based stream ciphers can be transformed to LFSRs. Therefore, this kind of cipher is always equivalent to an LFSR filter generator. We discuss other related attacks and give suggestions for future design.

Espresso 密码旨在针对 5G 无线通信系统。为了实现高效率，最大周期 Galois NLFSR 被用作唯一的构建块。Galois NLFSR 是通过可扩展的方法构建的，该方法将最大 LFSR 转换为 Galois NLFSR。基于该方法，可以设计出一类新的流密码，即基于最大周期Galois NLFSR的流密码。但是，我们在设计方法中发现了条件等价问题，并采用了 Type-II-to-Fibonacci 转换算法。我们将该算法应用于 Espresso 密码，并成功地将 Galois NLFSR 转换为具有非线性输出函数的 Fibonacci LFSR。Espresso 密码被转换为 LFSR 过滤器生成器。我们通过快速代数攻击和复杂度为 2 的 Rønjom-Helleseth 攻击来打破它分别为^68.50和 2 ^{48.59 次}逻辑运算。此外，我们表明整个基于最大周期 Galois NLFSR 的流密码可以转换为 LFSR。因此，这种密码总是等价于一个 LFSR 过滤器生成器。我们讨论其他相关的攻击并为未来的设计提供建议。