Nonlinear Shi, Registers: A Survey and Open Problems Tor Helleseth University of Bergen NORWAY Outline •  Introduc9on •  Nonlinear Shi> Registers (NLFSRs) –  Some basic theory •  De Bruijn Graph –  De Bruijn graph –  Golomb’s conjecture/Mykkeltveit’s proof •  Period of NLFRs •  Connec9ons to Finite Fields –  Cross-­‐join pairs –  Cycle-­‐joining and cyclotomy Linear Recursion •  Linear recurrence st+n + cn-­‐1 st+n-­‐1 + … + c0st = 0, ci , si ∈ GF(p) •  Characteris9c polynomial f(x) = xn + cn-­‐1 xn-­‐1 + … + c0 Ω(f) = The 2n binary sequences generated by recursion •  Proper9es –  “Easy” to find period of the sequences in Ω(f) from f(x) •  Period determined by smallest e such that f(x) | xe -­‐ 1 •  All sequences in Ω(f) have period e •  Smallest period for at least one sequences in Ω(f) –  Bounds on the distribu9on of elements in (st) are evaluated using methods from finite fields m-­‐sequences Linear recurrence st+4 + st+1 + st = 0 Primi9ve polynomial f(x) = x4 + x + 1 (st ) : 000100110101111 . . . General proper9es of m-­‐sequences •  Period ε = 2n -­‐ 1 •  Balanced (except for a missing 0) •  Run property •  st -­‐ st+τ= st+γ , s2t = st+δ •  During a period all nonzero n-­‐tuples occur Nonlinear Shift Registers
s0 s1 ... sn-­‐1 f(s0,s1, …,sn-­‐1) •  The feedback polynomial is nonlinear of the form f(s0,s1,…sn-­‐1) = Σ Iε{0,1}n cI s0i0 s1i1 … sn-­‐1in-­‐1 •  Determined by truth table giving f(s0,s1,…sn-­‐1) for all possible 2n values •  Number of nonlinear polynomials (Boolean func9ons) in n 2
n variables is 2
Nonlinear Shift Registers - Challenges
Mo9va9on •  NLSRs are used as building blocks in many modern stream ciphers (Grain, Trivium, Mickey, Pomaranch, …) •  Increase complexity of the key stream in stream ciphers Challenges for NLFSRs •  How to determine the period of sequences from NLFSRs •  No general theory exists and many ad-­‐hoc techniques have to be invented for these problems •  Construc9ng efficiently large classes long sequences of period 2n (de Bruijn sequences)/Classify de Bruijn sequences •  Find algebraic methods to analyze NLFSRs •  Find the distribu9on of the elements in sequences generated by an NLFSR Nonlinear Shift Register - Example
•  A nonlinear recursion in n-variables can be described
using its truth table (Example n=3)
s0 s1 s2
0
0
0
0
1
1
1
1
0
0
1
1
0
0
1
1
0
1
0
1
0
1
0
1
f(s0 s1 s2)
0
0
0
1
1
1
1
0
S0 S1 • 
SS2 2 .
f(s0,s1,s2) = s0+s1s2
( st+2 = st + st+1st+2 )
•  The number of Boolean functions in n-variables are 22n
•  The number of linear Boolean functions are 2n
Example – de Bruijn Sequence
•  Let f(s0,s1,s2) = 1+s0+s1+s1s2
110
101
010
111
011
100
001
000
•  This gives a maximal sequence of length 2n … 11010001 … and is called a de Bruijn sequence n-­‐1 -­‐n •  Number of de Bruijn sequences of period 2n are 22
Example – Singular f •  Let f(s0,s1,s2) = 1+s0+s1+s2+s0s1+s0s2+s1s2 001
101
010
011
110
000
111
100
•  Contains “branch point” and such an f is called singular •  f is nonsingular if and only if f = s0 + g(s1,…,sn-­‐1) •  Then (s0, s1, …. , sn-­‐1)→(s1, s2, …. , sn-­‐1, f(s1,s2,….,sn-­‐1)) is a permuta9on of Bn De Bruijn Graph •  Directed graph •  2n nodes (states) ↔ (s0,s1,...,sn-­‐1) •  Each state has two successors (α0 α1 ··· αn-1)
(α1 α2 ··· αn-1 0)
(α1 α2 ··· αn-1 1)
•  Each state has two predecessors (0 α1 α2 ··· αn-1)
(α1 α2 ··· αn-1 0)
(1 α1 α2 ··· αn-1)
(α1 α2 ··· αn-1 1)
De Bruijn Graphs (B2 and B3) B2 B3 000
00
01
001
10
100
010
101
11
011
110
111
De Bruijn graph B4 0000 0001 1000 0010 0100 1001 0011 1010 0101 1100 0110 1011 1101 1110 0111 1111 Pure Cycling Register (PCRn) •  Let f(s0,s1,...,sn-­‐1) = s0 i.e., g=0 (since f=s0+g(s1,...,sn)) –  Weight of truth table of g is 0 –  Cycle structure (PCRn) n=3 (0), (1), (001), (011) n=4 (0), (1), (01), (0001), (0011), (0111) •  Number of cycles of Bn 1
Z (n) = ∑ ϕ (d )2n / d ( = even number )
n d |n
Pure Cycling Register (PCR3) : (f = s0) •  Decomposi9on of B3 for Boolean func9on f=s0 (0)
(001)
000
001
100
010
f = s0
101
(101)
(1)
011
110
111
Number of cycles Z(3) = 4 Pure Cycling Register (PCR4) (0) 0000 0001 1000 0010 (0001) 0100 1001 0011 1010 0101 1100 (1001) (01) 0110 1011 1101 1110 0111 1111 (1011) (1) Golomb’s Conjecture Golomb’s conjecture (1967) The maximum number of cycles obtained in any decomposi9on of the de Bruijn graph Bn (for all nonlinear func9ons f) is Z(n). This occurs for the PCRn when g=0 (but also in many other cases). History (approx.) •  S. Golomb n=5 / H. Fredricksen n=6, 7 / A. Lempel n=8, 9, 10 / J. Mykkeltveit and Fredriksen n=11,12 .. •  Proved by J. Mykkeltveit (1972), for all n (one year of work to color Bn) Main idea Select one node from each cycle in PCRn (i.e, Z(n) nodes) such that: any cycle in Bn contains at least one of these nodes. Coloring de Bruijn graph B4 0000 0001 1000 0010 0100 1001 0011 1010 0101 1100 0110 1011 1101 1110 0111 1111 •  Any cycle in B4 contains at least one of the Z(4)=6 green colored nodes •  Coloring due to Mykkeltveit •  How to select green color? CM of a binary n-­‐tuple x Let V0=(v0,v1,v2,v3,v4), (n=5) v 0 Place vt in coordinate posi9on Ÿ !
2π it
2π it $
v 1 v (x, y) = # cos
, sin
&
Ÿ 4 Ÿ "
n
n %
y Ÿ C M Compute CM=Center of mass n−1
Ÿ v3 2π it
v
Ÿ 2 Moment y = mV = ∑ vt sin
0
Color a vector (v0, v1, … , vn-­‐1 ) L = If CM on the le, of the x-­‐axis (y > 0) I = If CM on the x-­‐axis (y = 0) R = If CM on the right of the x-­‐axis (y < 0) t=0
n
Coloring the PCRn Cycles Coloring L I R v1 Ÿ v2 Ÿ Type 1: (CM not in center of PCR cycle) •  Select unique node L with predecessor not L) I/R L L Ÿ v3 Type 2: (CM in the center of PCR cycle) •  Select any node colored I I/L I I R L v4 Ÿ Ÿ CM R R L v0 Ÿ R I I I I I I
I I Remarks-­‐Coloring •  Shi>ing a node cyclically shi>s CM •  The two predecessors for a node in Bn have the same color (since they only differ in 0-­‐th coordinate on the x-­‐axis). •  The two successors of a node can not both have color I (since they only differ in posi9on n-­‐1). •  A cycle in PCRn has either: –  All nodes colored I –  One R block and one L block separated by most one I. •  Any cycle S =(s0,s1,…,se-­‐1) in Bn has (average moment = 0), i.e. has either: –  All nodes colored I –  At least one R and one L separated by most one I. Colors on a cycle Lemma 1 Let (s0,s1,…,se-­‐1) be a cycle of length e on Bn. The nodes (n-­‐tuples) of the cycles are St=(st,st+1,…,st+n-­‐1), t=0,1,…,e-­‐1. Then either –  All nodes on the cycle have the color I –  Cycle contains at least one R and one L Proof. This follows since the sum of the moments of the y-­‐coordinates on the nodes on a cycle is e−1
e−1 n−1
e−1
n−1
2π t '
2π t '
∑ mSt = ∑∑ st+t ' sin n = ∑ st ∑sin n = 0
t=0
t=0 t '=0
t=0
t '=0
Proof of Golomb’s conjecture Theorem (Mykkeltveit) No decomposi9on of the de Bruijn graph Bn for any nonsingular Boolean func9on f can give more cycles than the PCRn. Proof. Select Z(n) nodes one node from each PCRn cycle. (1)  If CM in center select arbitrary node on cycle. (2)  If CM not in center select first L with predecessor not L. Then any cycle in any decomposi9on will contain at least one of these Z(n) nodes. Overview -­‐ Proof Coloring L I R v1 Ÿ PCR -­‐ Cycles v0 Ÿ v4 Ÿ Ÿ CM I/R L R R L v2 Ÿ All nodes I I I I Nodes L and R Ÿ v3 R L L I/L R I I I I I I
I Arbitrary Cycle I/R L Select node on cycle with color L and predecessor L not L is the first L in a I/R block of L’s on PCR R I I I R L I I I A cycle with only I’s I R is a PCR cycle with (CM in center) I I I
I I Cycle Join Algorithm – Joining Cycles Defini9on (α, α*) is a conjugate pair iff α + α* = (1,0,…,0) A conjugate pair have the same two possible successors (0,…) = α (…,0) Exchanging successors of (α, α*) (1,…) = α* (…,1) changes g(…) for only one value Joining two cycles–Change successors of α and α* on different cycles α -­‐-­‐-­‐ α* -­‐-­‐-­‐ Spli\ng a Cycle Spli|ng a cycle •  Exchanging the successors of a conjugate pair (α, α*) on the same cycle •  This change parity of truth table g by one (and also changes parity of number of cycles by one) α* ⁄ ⁄ α Parity of Number of Cycles Theorem The number of cycles which Bn is composed into has the same parity as the weight of the truth table of g Proof: The func9on f=x0+g where g=0 gives Z(n) (even) cycles •  Any other nonlinear func9on f can be obtained by changing truth table bit by bit. •  Each change of truth table of g changes the number of cycles by one and the weight of g by 1 Hence, parity stays invariant between cycles and weight DeBruijn sequences (Necc. condi^ons) Theorem (1) To obtain a deBruijn sequence then f uses all n variables (2) The truth table of g (f=s0+g) must have odd weight (at least Z(n)-­‐1) Proof: Follows since otherwise truth table has even weight and can not generate a de Bruijn sequence De Bruijn sequences from m-­‐sequences •  Change longest run in m-­‐sequence by appending an extra 0. The result is a deBruijn sequence •  Example: 0000100110101111 •  This de Bruijn sequence is ”almost linear” •  However, linear complexity is as large as possible for deBruijn sequences •  This is a prime example that linear complexity is no guarantee for security •  Bounds on the linear complexity of de Bruijn sequences is studied (Chan, Games 1980s) Periods on NLFSRs 1.  General 2.  Kjeldsen’s method 3.  Mykkeltveit and AN-­‐codes Period of Nonlinear Shift Registers
•  Hard problem in general •  Rather few general results on the period •  Some nontrivial results known in the case when g(x1,...,xn-­‐1) is a symmetric polynomial (Kjeldsen, Søreng from the 1970-­‐80s) •  Proofs are in general very technical and hard to read and new simpler methods are needed to progress •  Mykkeltveit (1979) used arithme9c codes to study periods of nonlinear shi> registers •  Classifica9on of de Bruijn sequences (Fredricksen 1982, Hauge and Mykkeltveit 1990’s) Kjeldsen’s Mapping (1) δ: xi → xi+1 for i=0,1,…,n-­‐2 xn-­‐1 → xn = x0 + g(x1,…,xn-­‐1) This algebra homomorphism leads to a sequence of polynomials in the polynomial ring F[x0,x1,…,xn-­‐1]/(x02+1, … ,xn-­‐12+1) (x0,x1,…,xn-­‐1,xn,xn+1, …..,xt+n= xt + g(xt+1,…,xt+n-­‐1), …. ) Defini9on The period of δ is the smallest integer p such that δp = id. (= smallest period of x0) Theorem All sequences in Ω(f) (generated by st+n= st+ g(st+1,…,st+n-­‐1)) have period dividing p and at least one sequence has least period p. Kjeldsen’s Mapping (2) δ: xi → xi+1 for i=0,1,…,n-­‐2 xn-­‐1 → xn = x0 + g(x1,…,xn-­‐1) Let h(x0,…,xn-­‐1) = h1(x0,…,xn-­‐2) + xn-­‐1h2(x0,…,xn-­‐2) Then δ(h) = h1(x1,…,xn-­‐1) + (x0+g)h2(x1,…,xn-­‐1) = h1(x1,…,xn-­‐1) + x0h2(x1,…,xn-­‐1) + gh2(x1,…,xn-­‐1) = h(x1,…,xn-­‐1,x0) + g(x1,…,xn-­‐1) h2(x1,…,xn-­‐1) = h(σ(x0,…,xn-­‐1)) + g(x1,…,xn-­‐1)h2(x1,…,xn-­‐1) where σ is cyclic shi> of n-­‐tuples. Hence, defining g2 = g* δ(g) = σ(g(x0,…,xn-­‐1)) + g*g Symmetric Feedback Polynomials Let Sj be elementary symmetric polynomial of degree j in n-­‐1 variables Theorem (Kjeldsen) (n−2/2
If g ( x 1 ,...,
x n−1
) = ∑
a k S 2k+1
(x
1 ,...,
x n−1
) , ak ε{0,1}, g≠0, S1, k=0
then the minimal period of δ is n(n+1). Proof sketch: It follows that due to symmetry in g we can derive the condi9on (σjg)* g = 0 if j = -­‐1 (mod n) (since independent of xn-­‐1) = g if j ≠ -­‐1 (mod n) (periodic in j and symmetry) Hence, δ(g) = σ(g(x0,…,xn-­‐1)) + gg* = σ(g(x0,…,xn-­‐1)) + g where (n−2/2
g * ( x1,..., xn−1 ) = ∑ ak S2k (x2 ,..., xn−1 )
k=0
Proof Remarks Note δ(g) = σ(g(x0,…,xn-­‐1)) + g*g = σ(g) + g Therefore δ(σ(g)) = σ2(g(x0,…,xn-­‐1)) + (σg)*g = σ2(g(x0,…,xn-­‐1)) + g*g = σ2(g) + g and in general δ(σn-­‐1(g)) = g for j = -­‐1 mod n δ(σj(g)) = σj+1(g) + g for j ≠ -­‐1 mod n Kjeldsen’s Method – II x0 x1 … g σ(g) … xn-­‐1 • 
• 
• 
• 
• 
• 
σn-­‐2(g) σn-­‐1(g) “Linear register” of period n(n+1) Characteris9c polynomial (xn+1)(xn+1+1)/(x+1) Provided some suitable condi9ons on g (like gg* = g etc.) Many symmetric polynomials g sa9sfy condi9ons Lead to controllable periods n(n+1) Even though “small” period the was important idea Period of Nonlinear Register and Coding Theorem Let C be a cyclic code (not necessarily linear) with dmin≥3. Define f = x0 + g where g(x1,…xn-­‐1)=1 iff (0,x1+1,…xn-­‐1+1)εC or (0,x1+1,…xn-­‐1+1)εC. Then all sequences in Ω(f) have periods dividing n(n+1). Proof: Follows since also in this case σi(g)g*= 0 if j = -­‐1 (mod n) = g if j ≠ -­‐1 (mod n) AN-­‐Codes and Period of NLFSRs An AN-­‐Code is an arithme9c code is a code with codewords C = {AN (mod 2n-­‐1) : N=0,1,…,B-­‐1} where AB=2n-­‐1. The codewords AN can be represented binary (a0,a1,…,an-­‐1) ai = (N⋅2i (mod B)) (mod 2) The codewords have period dividing n and can be defined via NLFSRs Mykkeltveit (1977) determined the corresponding NLFSRs for the codewords in the AN-­‐code for several values of A and thus their periods. Algebraic Methods for NLFSRs •  Cross-­‐join pairs on a cycle –  Two conjugate pairs (α,α*) and (β, β*) on a cycle such that interchanging the successors of each of these pairs give the same number of cycles (“split and join”). –  The number of cross-­‐join pairs were conjectured for m-­‐sequences by Kim et. al. in 1990 and solved Helleseth and Kløve using simple connec9ons with finite field •  Cyclotomy and the number of conjugate pairs from irreducible cyclic codes –  An irreducible cyclic code of period e|2n-­‐1 decomposes Bn into E=(2n-­‐1)/e disjoint cycles. –  Using a special mapping between nodes in Bn reduces problem of finding conjugate pairs on the E cycles to –  This gives es9mate of number of de Bruijn sequences that can be constructed by joining the cycles from the irreducible code Cross Join Pairs (α,α*) and (β,β*) conjugate pairs α + α* = β + β* = (1,0,…,0) β β α α α* α* β* β β* α α
* β* Cross Join Pairs on m-­‐sequences Given an m-­‐sequence 1.  Split the cycle into two cycles using a conjugate pair (α,α*) on m-­‐sequence 2.  Join the two cycles into one cycle using a new conjugate pair (β, β*) (on the two new cycles) The pair (α,β) is called a cross-­‐join pair Theorem (Helleseth and Kløve) The number of cross-­‐join pairs on an m-­‐sequence is N = (2n-­‐1-­‐1)(2n-­‐1-­‐2)/6 Mapping Mapping φ between F2n and F2n Example: Ψ4 + Ψ3 + 1 = o 1 Ψ Ψ2 Ψ3 1 1 0 0 0 Ψ 0 1 0 0 Ψ2 0 0 1 0 Ψ3 0 0 0 1 Ψ4 1 0 0 1 Ψ5 1 1 0 1 Ψ6 1 1 1 1 Ψ7 1 1 1 0 Ψ8 0 1 1 1 Ψ9 1 0 1 0 Ψ10 0 1 0 1 Ψ11 1 0 1 1 Ψ12 1 1 0 0 Ψ13 0 1 1 0 Ψ14 0 0 1 1 Let st be the first coordinate sequences. Then Φ(0) = ( 0, 0, … , 0) Φ(Ψt)= (st, st+1,..,st+n-­‐1) Conjugate pairs (x,x*) correspond to elements with x + x*=1 Cross-­‐join pairs corresponds to equivalence classes of intersec9ng chords 1000 0001 0011 ψ 1 ψ14 0100 Ψ13 ψ2 0111 ψ3 Ψ12 1001 Ψ11 1100 1111 ψ4 1110 0010 ψ10 ψ5 1101 0110 ψ9 ψ6 ψ7 1010 ψ8 0101 1011 Number of Cross Join Pairs •  One-­‐to-­‐one correspondence between cross join pairs and equivalence classes of subsets {θ1, θ2, θ3, θ4} with θ1+ θ2 + θ3 + θ4=0 (wlog {θ1, θ3} and {θ2, θ4} are intersec9ng •  Two sets are equivalent iff θ{θ1,θ2, θ3, θ4} ={θ1,θ2,θ3,θ4} •  The number of dis9nct subsets are (2n -­‐ 1)(2n – 2)/24 •  Each equivalence class contains exactly one cross-­‐join pair. Thus dividing by 2n-­‐1 gives the number of cross join pairs •  The cross join pair corresponds to the unique θ with θθ1+θθ3 = θ θ2+θθ4=1 Cyclotomy and Cross Join pairs Let C be irreducible cyclic code of period e = (2n – 1)/E C={ ca | (ca)x= Tr(axE), aεGF(2n)} Code consists of E cycles of period e. The cyclotomic classes Ci = {Ψtj+i : 0 ≤ t< (2n-­‐1)/E)} for i=0,1,…,E-­‐1. The cyclotomic numbers (i,j) of order E is the number of solu9ons zi +1 = zj where zi, zj belong Ci and Cj respec9vely. Mapping of Cycles Similar mapping as for cross-­‐join pairs Nodes in cycle i can be represented by Ψi βt , t=0,1,…,e-­‐1 where β is zero of irreducible (pairty-­‐check) polynomial of the code. The number of conjugate pairs between cycle i and j is the number of solu9ons zi+1=zj which is the cyclotomic number. The number of de Bruijn sequences obtained by joining cycles in the irreducible code can be es9mated from the “BEST” theorem that gives the number of spanning trees in the Cycle Joining Algorithm (CJA) Conclusions •  NLFSRs is an important topic with great poten9al •  Many open problems –  Period –  Distribu9on –  Construc9on of sequence families •  Most results are quite old •  New ideas are needed to solve the challenges in the analysis of nonlinear generated sequences