
Shift Register Sequences
(and Applications to Cryptography)
Tor Helleseth
University of Bergen
Norway
Outline
• Motivation
  - Classical cryptography
  - One-time-pad
  - Introduction to stream ciphers
• Linear Feedback Shift Registers (LFSR)
  - Periodicity
  - Complexity
• Nonlinear Feedback Shift Registers
• Applications to stream ciphers
  - Nonlinear generators
  - Filter generators
  - Clock controlled generators
Communication Security
(Figure: Alice sends a message to Bob while Eve listens in; Eve may be active or passive.)
• Secrecy
  - Only the receiver can read the message
• Authentication
  - The message has not been changed
  - The message comes from the actual sender
Secret-key Cryptosystems
• Sender & receiver have a common secret key
(Figure: the plaintext "Happy birthday" is encrypted under the shared key to "csrgyrh spsfvh vwnkt" and decrypted back to "Happy birthday".)
How to Construct a Secret Code!
Translation of Steen and Stoffer
"So, our secret code is ready"
"Let me see"
"I have assigned to each letter a completely random number so that the code becomes hard to break. The letter A is 3.004.577.688, B is 28.731.5691/2"
"This must certainly be a really good code"
"Now, we only need to learn it by heart"
Secret-key Cryptosystems
• Cæsar / Monoalphabetic substitution
• Vigenère (1586-1863)
• One-Time-Pad (1926)
• DES (1975)
• AES (2000)
Cæsar Cipher
(Figure: two concentric alphabet wheels, A=0, B=1, C=2, ..., X=23, Y=24, Z=25; the inner wheel is rotated k positions against the outer one.)
• Encryption
  - Rotate k (=3) times clockwise
• Decryption
  - Rotate k (=3) times counter clockwise
P : A B C D E F ... W X Y Z
C : D E F G H I ... Z A B C
Example:
TOR LECTURES → WRU OHFWXUHV
• Cryptanalysis
  - Need only test 26 keys to find the correct key
Monoalphabetic Substitution
P : A B C D E F ... X Y Z
C : X N L H T I ... O K U
• The alphabet is permuted, i.e., each letter is replaced by another letter (A→X, B→N, ...)
• Number of (possible) keys
  26×25×24×...×2×1 = 26! ≈ 4×10^26 ≈ 2^88.2
• Cryptanalysis
  - Can be analyzed by using the letter statistics of the language (need 25-40 characters)
Frequency Distribution (English)
(Figure: bar chart of letter frequencies in %, letters A-Z on the horizontal axis, 0-14% on the vertical axis.)
Polyalphabetic Substitution
• Vigenère (1586)
  Tableau (the key letter K selects the row, the plaintext letter P the column):
  K \ P : A B C D ... Z
  A     : A B C D ... Z
  B     : B C D E ... A
  C     : C D E F ... B
  ...
  Z     : Z A B C ... Y
• Example
  P : THEMATHEMATICAL ...
  K : COVERCOVERCOVER ...
  C : VVZQRVVZQRVWXEC ...
• Cryptanalysis (Kasiski 1863)
  - Find the period of the key, and solve several monoalphabetic substitutions
  - Even if the key is infinitely long (English text) this can be broken
A Provably Secure Cryptosystem
Vernam one-time pad (1926)
(Figure: a binary random source supplies the key bits k_i; the sender computes c_i = p_i ⊕ k_i and the receiver recovers p_i = c_i ⊕ k_i.)
c_i = p_i ⊕ k_i
p_i = c_i ⊕ k_i = p_i ⊕ k_i ⊕ k_i = p_i
Provably secure cryptosystem provided
- the key is random,
- the key is as long as the message,
- the key is only used once.
Proved by Claude E. Shannon (picture) in 1949.
Mathematical Proof - Perfect Secrecy (I)
• p_i = i-th plaintext bit
• c_i = i-th ciphertext bit
• k_i = i-th key bit
• Mixing algorithm c_i = p_i ⊕ k_i
• P(p_i) = probability that p_i was sent
• P(p_i|c_i) = probability that p_i was sent given that c_i was observed
• Want to show perfect secrecy
  P(p_i) = P(p_i|c_i)
  (the ciphertext gives no information about the plaintext)
Mathematical Proof - Perfect Secrecy (II)
• P(k_i) = the probability of the i-th key bit
• P(k_i=0) = P(k_i=1) = 1/2 for all i
• Two of {p_i, c_i, k_i} determine the third since c_i = p_i ⊕ k_i
• Given one of {p_i, c_i, k_i}, a second of these will determine the third, so
  P(c_i=1|k_i=0) = P(p_i=1)
  P(c_i=1|k_i=1) = P(p_i=0)
  etc.
Probability Distribution - P(c_i) Uniform
P(c_i=1) = P(p_i=0)P(k_i=1) + P(p_i=1)P(k_i=0)
         = [P(p_i=0) + P(p_i=1)]·1/2
         = 1/2
P(c_i=0) = P(p_i=1)P(k_i=1) + P(p_i=0)P(k_i=0)
         = [P(p_i=1) + P(p_i=0)]·1/2
         = 1/2
Probability Distribution - P(c_i|p_i) Uniform
If p_i=0 then
  P(c_i=0|p_i=0) = P(k_i=0) = 1/2
  P(c_i=1|p_i=0) = P(k_i=1) = 1/2
If p_i=1 then
  P(c_i=0|p_i=1) = P(k_i=1) = 1/2
  P(c_i=1|p_i=1) = P(k_i=0) = 1/2
Hence
  P(c_i|p_i) = 1/2 for all c_i and p_i
One Time Pad – Perfect Secrecy
Finally,
  P(p_i,c_i) = P(c_i|p_i) P(p_i) = P(p_i|c_i) P(c_i)
and since P(c_i|p_i) = P(c_i) = 1/2 we have
  P(p_i) = P(p_i|c_i)
which implies perfect secrecy since no information about the plaintext is obtained by looking at the ciphertext.
Two Types of Stream Ciphers
• Synchronous stream ciphers
  The keystream is generated from the key independent of the plaintext (and the ciphertext)
  - Needs synchronization between sender and receiver
  - No error propagation
• Self-synchronous stream ciphers
  The keystream is generated from the key and a fixed number of previous ciphertext symbols
  - Self synchronization
  - Limited error propagation
Synchronous Stream Cipher
(Figure: sender and receiver each hold the key k and the IV; the state σ_t is updated by f, the keystream z_t is produced by g, the sender combines the plaintext m_t with z_t using h, and the receiver inverts this with h^-1 to recover the plaintext.)
σ_0 = M(IV,k), σ_t = f(σ_{t-1},k), z_t = g(σ_t,k), c_t = h(m_t,z_t), m_t = h^-1(c_t,z_t)
Additive Stream Cipher
(Figure: a message indicator MI and the key K feed the cryptoalgorithm, which outputs the keystream k_i; c_i = p_i ⊕ k_i.)
• The cryptoalgorithm generates a pseudorandom keystream that is added to each plaintext bit
• The receiver decrypts by adding the same keystream
• A stream cipher has "memory"
• Block ciphers can operate in "stream-cipher mode"
• Examples: RC4, GSM (A5)
Additive Stream Cipher
(Figure: on both sides the key and the MI seed a pseudorandom generator; the sender XORs the keystream with the plaintext to obtain the ciphertext, and the receiver XORs the same keystream with the ciphertext to recover the plaintext.)
Requirements for a good keystream
- Good randomness distribution
- Long period
- High complexity
Generation of Keystream
For a good system one needs:
• Linearity
- To control the period of keystream
- To control randomness of keystream
• Nonlinearity
- To control complexity of keystream
• Combination of linearity and nonlinearity
- To also get good randomness and preserve
the period and complexity
Linear Feedback Shift Registers (LFSR)
• Difference equation
• Characteristic polynomial
• Periodicity
• Cycle structure
Difference Equation
(Figure: a 3-stage register with cells S0, S1, S2; the feedback taps S0 and S1.)
s_{t+3} = s_{t+1} + s_t (mod 2), t = 0, 1, 2, ...
s_3 = s_1 + s_0
s_4 = s_2 + s_1
...
The initial values s_0, s_1, s_2 and the difference equation determine (s_t)
Example 1 - LFSR
(Figure: 3-stage register S0 S1 S2 with s_{t+3} = s_{t+1} + s_t.)
• The initial fill determines the sequence of states
• Generates a periodic sequence
  ...0010111...
• Maximal period 2^3 - 1 = 7
State sequence (S0 S1 S2) starting from 001:
  001 → 010 → 101 → 011 → 111 → 110 → 100 → 001 (repeats)
Example 2 - Cycle Structure
(Figure: 3-stage register with s_{t+3} = s_{t+2} + s_{t+1} + s_t.)
The 8 states split into four cycles:
  001 → 011 → 110 → 100 → 001    Cycle (1100)
  010 → 101 → 010                Cycle (01)
  111 → 111                      Cycle (1)
  000 → 000                      Cycle (0)
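The two examples above, worked in code. This is an added example and not part of the lecture: it clocks a Fibonacci register given its characteristic polynomial as a coefficient list [c_0, ..., c_{n-1}, 1] (my own representation) and decomposes all 2^n states into cycles.

```python
# Added example (not from the lecture): decompose the 2^n states of a Fibonacci LFSR
# into cycles, given the characteristic polynomial f(x) = x^n + c_{n-1}x^{n-1} + ... + c_0.
# Polynomials are given as coefficient lists [c_0, c_1, ..., c_{n-1}, 1] over GF(2)
# (a representation chosen for this example).

def lfsr_step(state, coeffs):
    """One clock of the Fibonacci register: state = (s_t, ..., s_{t+n-1}).
    The new bit is s_{t+n} = c_{n-1} s_{t+n-1} + ... + c_0 s_t (mod 2)."""
    n = len(state)
    new_bit = sum(coeffs[i] * state[i] for i in range(n)) % 2
    return state[1:] + (new_bit,)

def cycle_structure(coeffs):
    """Return the list of cycles (each a list of states) of the register with
    characteristic polynomial coeffs = [c_0, ..., c_{n-1}, 1]. Because c_0 = 1 the
    state map is a permutation, so following successors from an unseen state
    always returns to that state."""
    n = len(coeffs) - 1
    seen = set()
    cycles = []
    for k in range(2 ** n):
        start = tuple((k >> i) & 1 for i in range(n))
        if start in seen:
            continue
        cycle, state = [], start
        while state not in seen:
            seen.add(state)
            cycle.append(state)
            state = lfsr_step(state, coeffs)
        cycles.append(cycle)
    return cycles

def cycle_summary(coeffs):
    """Sorted cycle lengths, e.g. [1, 7] for x^3 + x + 1 (zero cycle and m-sequence)."""
    return sorted(len(c) for c in cycle_structure(coeffs))

def output_sequence(cycle):
    """One period of the output: the first coordinate of each state on the cycle."""
    return "".join(str(state[0]) for state in cycle)

if __name__ == "__main__":
    for name, coeffs in [("x^3+x+1", [1, 1, 0, 1]), ("x^3+x^2+x+1", [1, 1, 1, 1])]:
        print(name)
        for cycle in cycle_structure(coeffs):
            print("  cycle of length %d: (%s)" % (len(cycle), output_sequence(cycle)))
```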
General Fibonacci Shift Register
(Figure: cells S0, S1, ..., S_{n-1}; the feedback is the sum of the cells weighted by c_0 (=1), c_1, ..., c_{n-1}, with c_n = 1.)
• Linear recursion
  s_{t+n} + c_{n-1}s_{t+n-1} + ... + c_1 s_{t+1} + c_0 s_t = 0 (c_0 ≠ 0)
• Characteristic polynomial
  x^n + c_{n-1}x^{n-1} + ... + c_1 x + c_0 = 0, c_n = 1
Some Characteristic Polynomials
(Figure: the 3-stage register with taps S0 and S1 has f(x) = x^3+x+1; the register with taps S0, S1 and S2 has f(x) = x^3+x^2+x+1.)
Matrix Description - Example
f(x) = x^3+x+1
• Let S = (s0, s1, s2) be the contents before the shift
• Let S' = (s0', s1', s2') be the contents after the shift
• Then s0' = s1, s1' = s2, s2' = s0 + s1
• Then S' = S T where
  T = | 0 0 1 |
      | 1 0 1 |
      | 0 1 0 |
Fibonacci Register
• Let S = (s0, s1, ..., s_{n-1}) be the initial state
• Let S' = (s0', s1', ..., s_{n-1}') be the next state
• Let f(x) = x^n + c_{n-1}x^{n-1} + ... + c_0 be the characteristic polynomial
• Then S' = S T where
  T = | 0 0 ... 0 -c_0     |
      | 1 0 ... 0 -c_1     |
      | 0 1 ... 0 -c_2     |
      | ................   |
      | 0 0 ... 1 -c_{n-1} |
  T nonsingular when c_{n-1} ≠ 0
Galois Shift Register
(Figure: cells S0, S1, ..., S_{n-1}; the output of S_{n-1} is fed back into every cell, weighted by d_0, d_1, ..., d_{n-1}.)
  T = | d_0 d_1 d_2 ... d_{n-1} |
      | 1   0   0   ... 0       |
      | 0   1   0   ... 0       |
      | ......................  |
      | 0   0   0   ... 1   0   |
Nonsingular when d_{n-1} ≠ 0
Ω(f) – Sequences Generated by f(x)
(Figure: Fibonacci register S0 S1 ... S_{n-1} with feedback polynomial f(x), c_0 = 1, c_n = 1.)
• Characteristic polynomial
  f(x) = x^n + c_{n-1}x^{n-1} + ... + c_1 x + c_0
• The initial vector (s0, s1, ..., s_{n-1}) and f(x) define a sequence
• Ω(f) is the set of sequences generated by f(x)
• |Ω(f)| = 2^n
• Ω(f) is a vector space over {0,1}
Ω(f) - f(x) = x^3 + x + 1
Sequences in Ω(f):
  0000000...
  0010111...
  0101110...
  1011100...
  0111001...
  1110010...
  1100101...
  1001011...
• Each initial state (s0,s1,s2) gives a sequence
• Eight different initial states give eight different sequences
• In this case all nonzero sequences are cyclic shifts of each other
G(x) - Generating Function of a Sequence
• Given a sequence s0, s1, s2, ...
• Generating function
  G(x) = s0 + s1 x + s2 x^2 + s3 x^3 + ... = Σ_{i=0}^∞ s_i x^i
• First Fundamental Identity
  - Let (s_t) be a sequence in Ω(f)
  - Then (due to the recursion most terms disappear)
    G(x) f*(x) = φ*(x)
    where
    φ(x) = s0 x^{n-1} + (s1 + c_{n-1}s0) x^{n-2} + (s2 + c_{n-1}s1 + c_{n-2}s0) x^{n-3} + ... + (s_{n-1} + c_{n-1}s_{n-2} + ... + c_1 s0)
    and f*(x) = x^n f(1/x) is the reciprocal polynomial of f(x) (φ*(x) = x^{n-1} φ(1/x) likewise)
G(x)f*(x) = φ*(x) - Calculations (n=4)
Calculations give
G(x) f*(x)
= (s0 + s1 x + s2 x^2 + s3 x^3 + ...)(1 + c3 x + c2 x^2 + c1 x^3 + c0 x^4)
= s0 + s1 x + s2 x^2 + s3 x^3 + s4 x^4 + s5 x^5 + ...
  + c3 s0 x + c3 s1 x^2 + c3 s2 x^3 + c3 s3 x^4 + c3 s4 x^5 + ...
  + c2 s0 x^2 + c2 s1 x^3 + c2 s2 x^4 + c2 s3 x^5 + ...
  + c1 s0 x^3 + c1 s1 x^4 + c1 s2 x^5 + ...
  + c0 s0 x^4 + c0 s1 x^5 + ...
= s0 + (s1 + c3 s0) x + (s2 + c3 s1 + c2 s0) x^2 + (s3 + c3 s2 + c2 s1 + c1 s0) x^3
  (the coefficient of x^{t+4}, s_{t+4} + c3 s_{t+3} + c2 s_{t+2} + c1 s_{t+1} + c0 s_t, vanishes by the recursion)
= φ*(x)
Representation of Ω(f)
• Let (s_t) be a sequence in Ω(f)
• Let G(x) = s0 + s1 x + s2 x^2 + s3 x^3 + ...
• Then
  Ω(f) = { φ*(x)/f*(x) | deg φ* < deg f* }
  where
  - φ(x) = s0 x^{n-1} + (s1 + c_{n-1}s0) x^{n-2} + (s2 + c_{n-1}s1 + c_{n-2}s0) x^{n-3} + ... + (s_{n-1} + c_{n-1}s_{n-2} + ... + c_1 s0)
  - One-to-one correspondence between all 2^n sequences in Ω(f) and polynomials of degree < n
Example – First Fundamental Identity
• (0010111) is generated by f(x) = x^3 + x + 1
• Generating function
  G(x) = x^2 + x^4 + x^5 + x^6 + x^9 + x^11 + x^12 + x^13 + x^16 + ...
• What is φ(x)?
  φ(x) = s0 x^{n-1} + (s1 + c_{n-1}s0) x^{n-2} + (s2 + c_{n-1}s1 + c_{n-2}s0) x^{n-3} + ... + (s_{n-1} + c_{n-1}s_{n-2} + ... + c_1 s0)
       = 1    (here n = 3, (s0,s1,s2) = (0,0,1), c2 = 0, c1 = 1)
• Hence, with f*(x) = x^3 + x^2 + 1 and φ*(x) = x^2,
  G(x) = x^2/(x^3+x^2+1)
       = x^2 + x^4 + x^5 + x^6 + x^9 + x^11 + x^12 + x^13 + x^16 + ...
G(x) – When (s_t) is Periodic
• Let (s_t) be periodic of period ε
• Generating function
  G(x) = (s0 + s1 x + ... + s_{ε-1} x^{ε-1})(1 + x^ε + x^{2ε} + x^{3ε} + ...)
       = (s0 + s1 x + s2 x^2 + ... + s_{ε-1} x^{ε-1}) / (1 - x^ε)
       = σ*(x) / (1 - x^ε)
• Combining with the first fundamental identity gives for G(x):
  σ*(x)/(1 - x^ε) = φ*(x)/f*(x)
Second Fundamental Identity
(x^ε - 1) φ(x) = σ(x) f(x)
where
- (s_t) is periodic of period ε
- φ(x) = s0 x^{n-1} + (s1 + c_{n-1}s0) x^{n-2} + ... + (s_{n-1} + c_{n-1}s_{n-2} + ... + c_1 s0)
- σ(x) = s0 x^{ε-1} + s1 x^{ε-2} + ... + s_{ε-1}
- f(x) = x^n + c_{n-1}x^{n-1} + ... + c_0
Example – Second Fundamental Identity
• (0010111) is generated by f(x) = x^3 + x + 1
• Generating function
  - σ(x) = 1 + x + x^2 + x^4
  - φ(x) = 1
  - ε = 7
• Second Fundamental Identity
  (x^ε - 1) φ(x) = σ(x) f(x)
  (x^7 + 1)·1 = (1 + x + x^2 + x^4)(x^3 + x + 1)
Period of f(x)
Definition
The period of the polynomial f(x) is the smallest integer e such that f(x) divides x^e - 1
Theorem
Let (s_t) be a sequence in Ω(f). Then
(i) ε = per(s_t) divides e = per(f)
(ii) There is at least one (u_t) in Ω(f) with period e = per(f)
Period of f(x) and Sequences in Ω(f)
Proof: (i) Note that f(x) F(x) = x^e - 1 for some F(x). The first fundamental identity gives
  G(x) = φ*(x)/f*(x) = φ*(x)F*(x)/(f*(x)F*(x)) = φ*(x)F*(x)/(1 - x^e)
which implies that (s_t) in Ω(f) repeats with period e (ε ≤ e, and in fact ε | e)
(ii) From the second fundamental identity
  (x^ε - 1) φ(x) = σ(x) f(x)
Select φ(x) = 1, then
  f(x) | x^ε - 1
Hence, ε ≥ e and a sequence in Ω(f) with φ(x) = 1 has period e
Cycle Structure of Ω(f) - f(x) irreducible
Theorem
Let (s_t) be a nonzero sequence in Ω(f) where f(x) is irreducible. Then per(s_t) = per(f) = e
Proof:
Note that (x^ε - 1) φ(x) = σ(x) f(x) and f(x) is irreducible.
Since gcd(φ(x), f(x)) = 1, then
  f(x) | x^ε - 1
and therefore
  ε ≥ e
Hence, from the previous theorem
  ε = e
Example – f(x) = x^6+x^3+1
x^6 = x^3 + 1
x^7 = x^4 + x
x^8 = x^5 + x^2
x^9 = x^6 + x^3 = 1 (mod f(x))
per(f) = 9
The 63 nonzero sequences in Ω(f) all have period 9 and form 7 cycles, one representative of each:
000001001, 000011011, 000101101, 001010011, 000111111, 001110111, 010101111
Some Descriptions of Ω(f)
• Several useful descriptions to prove properties of Ω(f)
• Zierler's method
• Classical method
• Peterson's method
  - The coding method
Zierler's Method – Example
Ω(f) = { φ*(x)/f*(x) | deg φ* < deg f* }
(u_t) = 1/(x^3+x^2+1) ↔ (0010111) ∈ Ω(x^3+x+1)
(v_t) = 1/(x^2+x+1) ↔ (011) ∈ Ω(x^2+x+1)
(u_t + v_t) = 1/(x^3+x^2+1) + 1/(x^2+x+1)
            = (x^3+x) / ((x^3+x^2+1)(x^2+x+1)) ∈ Ω((x^3+x+1)(x^2+x+1))
            ↔ 111110101001100010000
Classical Method (I)
• Linear recursion
  s_{t+n} + c_{n-1}s_{t+n-1} + ... + c_1 s_{t+1} + c_0 s_t = 0 (c_0 ≠ 0)
• Characteristic polynomial
  f(x) = x^n + c_{n-1}x^{n-1} + ... + c_1 x + c_0 = 0
• Let f(α_i) = 0. Then the "sequence" (s_t) = (α_i^t) obeys the recursion:
  s_{t+n} + c_{n-1}s_{t+n-1} + ... + c_1 s_{t+1} + c_0 s_t
  = α_i^{t+n} + c_{n-1}α_i^{t+n-1} + ... + c_1 α_i^{t+1} + c_0 α_i^t
  = α_i^t (α_i^n + c_{n-1}α_i^{n-1} + ... + c_1 α_i + c_0)
  = α_i^t f(α_i)
  = 0
Classical Method (II)
• Linear recursion
  s_{t+n} + c_{n-1}s_{t+n-1} + ... + c_1 s_{t+1} + c_0 s_t = 0 (c_0 ≠ 0)
• If all zeros of f(x) are simple, then uniquely
  s_t = Σ a_i α_i^t
  where α_i, i = 1, 2, ..., are the zeros of f(x)
• Needs conditions on the constants a_i to ensure that the sequence (s_t) is in GF(2)
  - Note that if α_i is a zero of f(x) then α_i^2 is also a zero.
  - Then the coefficient a_i of α_i and the coefficient a_{2i} of α_i^2 are related by
    a_{2i} = a_i^2
  - This ensures that (s_t) is a sequence in GF(2)
Example – Classical Method
Recursion:
  s_{t+3} = s_{t+1} + s_t
Characteristic polynomial: f(x) = x^3 + x + 1
Let α^3 = α + 1; then α generates GF(2^3). Coordinates with respect to the basis (1, α, α^2):
  1   : 1 0 0
  α   : 0 1 0
  α^2 : 0 0 1
  α^3 : 1 1 0
  α^4 : 0 1 1
  α^5 : 1 1 1
  α^6 : 1 0 1
• The zeros of f(x) are α, α^2, α^4
• Then
  s_t = α^t + α^{2t} + α^{4t}
  (s_t) = (1001011)
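The power-sum representation above, checked in code. This is an added example and not part of the lecture: it builds GF(2^3) from α^3 = α + 1 (elements as 3-bit integers, a representation chosen here), tabulates the powers of α and evaluates s_t = α^t + α^{2t} + α^{4t}.

```python
# Added example (not from the lecture): build GF(2^3) from α^3 = α + 1 and check that the
# power-sum (trace) sequence s_t = α^t + α^{2t} + α^{4t} is the m-sequence (1001011).
# Field elements are 3-bit integers, bit i = coefficient of α^i (representation chosen here).

MOD_POLY = 0b1011  # x^3 + x + 1, the characteristic polynomial of the recursion

def gf_mul(a, b, mod=MOD_POLY, n=3):
    """Multiply two elements of GF(2^n) defined by the polynomial `mod`."""
    r = 0
    for i in range(n):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * n - 2, n - 1, -1):   # reduce the degree-(2n-2) product modulo mod
        if (r >> i) & 1:
            r ^= mod << (i - n)
    return r

def gf_pow(a, e, mod=MOD_POLY, n=3):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a, mod, n)
    return r

def power_table(mod=MOD_POLY, n=3):
    """Coordinates of 1, α, α^2, ... w.r.t. the basis (1, α, α^2), as in the slide's table
    (α^3 = α + 1 gives '110')."""
    alpha = 0b010
    return [format(gf_pow(alpha, k, mod, n), "0%db" % n)[::-1] for k in range(2 ** n - 1)]

def trace_sequence(mod=MOD_POLY, n=3):
    """s_t = sum over the conjugates α, α^2, α^4 (the zeros of f) of their t-th powers.
    The sum is invariant under squaring, so it lies in GF(2)."""
    alpha = 0b010
    seq = []
    for t in range(2 ** n - 1):
        s = 0
        for j in range(n):
            conj = gf_pow(alpha, 2 ** j, mod, n)
            s ^= gf_pow(conj, t, mod, n)
        assert s in (0, 1)
        seq.append(s)
    return "".join(map(str, seq))

def satisfies_recursion(bits):
    """Check s_{t+3} = s_{t+1} + s_t cyclically, i.e. the sequence lies in Ω(x^3 + x + 1)."""
    e = len(bits)
    return all(bits[(t + 3) % e] == bits[(t + 1) % e] ^ bits[t] for t in range(e))
```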
Peterson's Method (Coding description of Ω(f))
• e = per(f) is a common period for Ω(f)
• From the second fundamental identity
  (x^e - 1) φ(x) = s(x) f(x)
  where
  s(x) = s0 x^{e-1} + s1 x^{e-2} + ... + s_{e-1}
• Then
  s(x) = ((x^e - 1)/f(x)) φ(x)
  i.e.,
  Ω(f) = ( { (x^e - 1)/f(x) } ) (mod x^e - 1)
  (the ideal generated by (x^e - 1)/f(x) in the ring of polynomials modulo x^e - 1)
Example – f(x) = x^4+x^3+x+1
• f(x) = x^4+x^3+x+1 = (x^2+x+1)(x+1)^2
• e = per(f) = 6
• Ω(f) = ( {x^2+x+1} ) (mod x^6 - 1)
• Basis
  {x^2+x+1}     ↔ 0 0 0 1 1 1
  {x^3+x^2+x}   ↔ 0 0 1 1 1 0
  {x^4+x^3+x^2} ↔ 0 1 1 1 0 0
  {x^5+x^4+x^3} ↔ 1 1 1 0 0 0
Example - Cycle Structure of Divisors
f(x) = x^4+x^3+x^2+1 = (x+1)(x^3+x+1)
Ω(f) = {(0), (0010111), (1101000), (1)}
g(x) = x^3+x+1
Ω(g) = {(0), (0010111)}
Conditions for Ω(g) ⊂ Ω(f) - Zierler
Theorem Ω(g) ⊂ Ω(f) if and only if g(x) | f(x)
Proof: (Zierler's method)
- If Ω(g) ⊂ Ω(f) then 1/g* = h*/f* for some h*(x) and therefore f(x) = g(x)h(x)
- If g(x) | f(x), i.e., f(x) = g(x)h(x) for some h(x), then any (s_t) in Ω(g) can be written
  s_t ↔ a*/g* = a*h*/(g*h*) = a*h*/f*
  i.e., (s_t) is in Ω(f)
Conditions Ω(g) ⊂ Ω(f) – Peterson's
Ω(g) ⊂ Ω(f) ⇔ ( { (x^e - 1)/g(x) } ) ⊂ ( { (x^e - 1)/f(x) } )
           ⇔ (x^e - 1)/f(x) | (x^e - 1)/g(x)
           ⇔ g(x) | f(x)
Some properties
1. Ω(f) + Ω(g) = Ω(lcm{f,g})
2. Ω(f) ∩ Ω(g) = Ω(gcd{f,g})
Proof
Follows by straightforward applications of the fundamental identities using the property
  Ω(f) = ( { (x^e - 1)/f(x) } ) (mod x^e - 1)
Determining the cycle structure of Ω(f)
• Let f(x) = Π_i f_i(x)^{k_i}, f_i(x) irreducible
• To determine the cycle structure of Ω(f):
  1. Determine the cycle structure of Ω(f_i(x)^{k_i}) from the cycle structure (period) of f_i(x)
  2. Determine the cycle structure of Ω(gh) given the cycle structures of Ω(g) and Ω(h) when gcd(g(x),h(x)) = 1
Cycle structure of Ω(f^k) – f irreducible
Theorem
Let f(x) be irreducible of degree n and period e.
Determine κ such that 2^κ < k ≤ 2^{κ+1}.
Then Ω(f^k) contains the following numbers of sequences with the following periods:
  Period                     : 1   e        2e            4e             ...  2^{κ+1}e
  # Sequences of this period : 1   2^n-1    2^{2n}-2^n    2^{4n}-2^{2n}  ...  2^{kn}-2^{2^κ n}
  (the sequences of period 2^{j}e, j ≥ 1, are those in Ω(f^{2^j}) \ Ω(f^{2^{j-1}}); the last column collects the sequences in Ω(f^k) \ Ω(f^{2^κ}))
Examples (I)
Example 1
• f(x) = x^2+x+1, n=2, e=3
  #Sequences : 1  3
  Period     : 1  3
  #Cycles    : 1  1
• Ω(f) = {(0),(011)}
Example 2
• f(x) = (x^2+x+1)^2, n=2, e=3
  #Sequences : 1  3  12
  Period     : 1  3  6
  #Cycles    : 1  1  2
• Ω(f) = {(0),(011),(000101),(001111)}
Examples (II)
Example 3
• f(x) = (x+1)^k, n=1, e=1
  k         : 1  2  3  4  5   6   7   8    9
  #New Seq. : 2  2  4  8  16  32  64  128  256
  Period    : 1  2  4  4  8   8   8   8    16
  #Cycles   : 2  1  1  2  2   4   8   16   16
Structure of Ω(gh) – gcd(g,h)=1
Theorem
Let gcd(g,h) = 1, i.e., Ω(gh) = Ω(g) ⊕ Ω(h).
Then any sequence in Ω(gh) can be uniquely written as a sum of a sequence in Ω(g) and one in Ω(h)
Proof:
Since gcd(g,h) = 1 then Ω(g) + Ω(h) = Ω(gh), and the result follows since |Ω(g)| |Ω(h)| = |Ω(gh)|.
Structure of Ω(gh) – gcd(g,h)=1
Alternative proof: Every element in Ω(gh) can be written uniquely as a sum of a sequence from Ω(g) and a sequence from Ω(h).
Let (u_t), (u'_t) in Ω(g) and (v_t), (v'_t) in Ω(h).
If
  (u_t) + (v_t) = (u'_t) + (v'_t)
then
  (u_t) + (u'_t) = (v_t) + (v'_t) ∈ Ω(g) ∩ Ω(h) = {(0)}
and therefore
  (u_t) = (u'_t) and (v_t) = (v'_t)
i.e., uniqueness
Period of sequences in Ω(gh) – gcd(g,h)=1
Theorem
Let gcd(g,h) = 1. Let (u_t) ∈ Ω(g) and (v_t) ∈ Ω(h). Then
  per((u_t)+(v_t)) = lcm{per(u_t), per(v_t)}
Proof:
Let τ be the smallest integer such that
  (u_{t+τ}) + (v_{t+τ}) = (u_t) + (v_t)
Hence,
  (u_{t+τ}) + (u_t) = (v_{t+τ}) + (v_t) ∈ Ω(g) ∩ Ω(h) = {(0)}
Therefore,
  per(u_t) | τ and per(v_t) | τ
which implies
  τ = lcm(per(u_t), per(v_t))
Cycle structure of Ω(gh) – gcd(g,h)=1
• Let gcd(g,h) = 1; then Ω(gh) = Ω(g) ⊕ Ω(h)
• Let Ω(g) contain d_1 cycles of length λ_1, written [d_1(λ_1)]
• Let Ω(h) contain d_2 cycles of length λ_2, written [d_2(λ_2)]
• Combine by adding the corresponding sequences:
  # Sequences : d_1 λ_1 d_2 λ_2
  Period      : lcm{λ_1, λ_2}
  # Cycles    : d_1 d_2 (λ_1, λ_2)      (with (λ_1, λ_2) = gcd{λ_1, λ_2})
• Formally (the cycle structure is found by combining all pairs of cycles with these formulae)
  [d_1(λ_1)] [d_2(λ_2)] = [d(λ)]
  where
  d = d_1 d_2 (λ_1, λ_2)
  λ = lcm{λ_1, λ_2}
Exercises
Exercise 1
• Let f(x) = (x^2+x+1)(x+1)^2
• Determine the cycle structure of Ω(f)
Exercise 2
• Let f(x) = (x+1)^2(x^3+x+1)(x^4+x^3+x^2+x+1)
• Determine the cycle structure of Ω(f)
Solution: Exercise 1
Let f(x) = (x^2+x+1)(x+1)^2
• g(x) = x^2+x+1, Ω(g) : [1(1)+1(3)]
• h(x) = (x+1)^2, Ω(h) : [2(1)+1(2)]
The cycle structure of Ω(f) is
  [2(1)+1(2)+2(3)+1(6)]
In fact, Ω(f) contains the cycles
  (000111), (001), (011), (01), (1), (0)
Solution: Exercise 2
Let f(x) = x^15+x^14+x^13+x^9+x^3+1
         = (x+1)^2 (x^3+x+1)^3 (x^4+x^3+x^2+x+1) = f_1(x)^2 f_2(x)^3 f_3(x)
where
• f_1(x) = x+1,            Ω(f_1) : [2(1)]
• f_2(x) = x^3+x+1,        Ω(f_2) : [1(1)+1(7)]
• f_3(x) = x^4+x^3+x^2+x+1, Ω(f_3) : [1(1)+3(5)]
The cycle structure is
• Ω(f_1^2) : [2(1)+1(2)]
• Ω(f_2^3) : [1(1)+1(7)+4(14)+16(28)]
• Ω(f_3)   : [1(1)+3(5)]
Combining gives the cycle structure of Ω(f)
  [2(1)+1(2)+2(7)+17(14)+64(28)+6(5)+3(10)+6(35)+51(70)+192(140)]
Multigrams
• In Ω(f), n = deg(f), all n-dimensional state vectors occur exactly once
• In particular, select the first two coordinates of each state vector in all sequences
• All bigrams [s0, s1] are evenly distributed (each occurs 2^{n-2} times)
• Similarly all multigrams
  [s_{τ1} s_{τ2} ... s_{τm}]
  are evenly distributed when 0 ≤ τ1 < ... < τm < τ1 + n
Example
• f(x) = x^4+x+1
• Ω(f) = {(0),(000100110101111)}
• [s_t s_{t+1}] – evenly distributed (over all sequences in Ω(f))
• [s_t s_{t+1} s_{t+3}] – evenly distributed
• [s_t s_{t+1} s_{t+4}] and [s_t s_{t+2} s_{t+8}] have a skew distribution
  - 000 011 101 110 occur 4 times each
  - 111 100 010 001 do not occur at all
• Reason for the skewness
  s_{t+4} = s_{t+1} + s_t
  Note x^4+x+1 | x^8+x^4+1 = (x^4+x+1)^2
Skew Multigrams
Theorem
A multigram [s_{t+τ1} s_{t+τ2} ... s_{t+τm}] is skew if and only if there exist elements d_1, ..., d_m, not all zero, such that
  f(x) | d_m x^{τm} + ... + d_1 x^{τ1} (≠ 0)
"Proof (if part):" If f(x) | d(x) = d_1 x^{τ1} + ... + d_m x^{τm} ≠ 0 then Ω(f) is contained in Ω(d) and (in the case d_m ≠ 0)
  d_m s_{t+τm} = d_{m-1} s_{t+τ(m-1)} + ... + d_1 s_{t+τ1}
implies that s_{t+τm} is uniquely determined by s_{t+τi} for i = 1, ..., m-1.
Therefore the multigram is skew (at most 2^{m-1} possibilities).
Unit Sequences in Ω(f)
Characteristic polynomial
  f(x) = x^n + c_{n-1}x^{n-1} + ... + c_1 x + c_0
Unit sequences in Ω(f)
  (U_t) = 1 0 ... 0 0 U_n U_{n+1} ...
  (V_t) = 0 1 ... 0 0 V_n V_{n+1} ...
  (W_t) = 0 0 ... 1 0 W_n W_{n+1} ...
  ..................
  (Z_t) = 0 0 ... 0 1 Z_n Z_{n+1} ...
Theorem
  x^t = Z_t x^{n-1} + ... + V_t x + U_t (mod f(x))
Proof: Holds for t = 0, 1, ..., n-1 and follows from the recursion.
Unit Sequences in Ω(f)
Theorem
  x^t = Z_t x^{n-1} + ... + V_t x + U_t (mod f(x))
Proof:
By induction. Holds for t = 0, 1, ..., n-1. Then (mod f(x))
  Z_{t+n} x^{n-1} + ... + V_{t+n} x + U_{t+n}
  = (c_{n-1}Z_{t+n-1} + ... + c_0 Z_t) x^{n-1} + ... + (c_{n-1}U_{t+n-1} + ... + c_0 U_t)
  = c_{n-1}(Z_{t+n-1} x^{n-1} + ... + U_{t+n-1}) + ... + c_0 (Z_t x^{n-1} + ... + U_t)
  = c_{n-1} x^{t+n-1} + c_{n-2} x^{t+n-2} + ... + c_0 x^t
  = x^t (c_{n-1} x^{n-1} + c_{n-2} x^{n-2} + ... + c_0)
  = x^{t+n}
Relations Between Unit Sequences
Unit sequences
  (U_t) = 1 0 ... 0 0 U_n U_{n+1} ...
  (V_t) = 0 1 ... 0 0 V_n V_{n+1} ...
  ................
  (W_t) = 0 0 ... 1 0 W_n W_{n+1} ...
  (Z_t) = 0 0 ... 0 1 Z_n Z_{n+1} ...
Theorem
  Z_t = Z_t, W_t = Z_{t+1} + c_{n-1}Z_t, ..., U_t = V_{t+1} + c_1 Z_t
"Proof":
(Note Z_n = c_{n-1})
  Z_{t+1}     = 0...0 1 c_{n-1} ...
  c_{n-1} Z_t = 0...0 0 c_{n-1} ...
Hence, W_t and Z_{t+1} + c_{n-1}Z_t are equal in the first n bits and obey the same recurrence, etc.
Relations Between Unit Sequences
Unit sequences (as above)
Theorem (n=4)
  Z_t = Z_t
  W_t = Z_{t+1} + c_3 Z_t
  V_t = W_{t+1} + c_2 Z_t = Z_{t+2} + c_3 Z_{t+1} + c_2 Z_t
  U_t = V_{t+1} + c_1 Z_t = Z_{t+3} + c_3 Z_{t+2} + c_2 Z_{t+1} + c_1 Z_t
Relation - s_t = φ(E)Z_t
  φ(x) = s0 x^{n-1} + (s1 + c_{n-1}s0) x^{n-2} + ... + (s_{n-2} + c_{n-1}s_{n-3} + ... + c_2 s0) x + (s_{n-1} + c_{n-1}s_{n-2} + ... + c_1 s0)
Theorem
For any sequence (s_t) in Ω(f)
  s_t = φ(E) Z_t
where E is the shift operator, E s_t = s_{t+1}
Proof:
• Z_t = Z_t, W_t = Z_{t+1} + c_{n-1}Z_t, ..., U_t = Z_{t+n-1} + c_{n-1}Z_{t+n-2} + ... + c_1 Z_t
• The result is true for all unit sequences
• Therefore, by linearity, it is true for any (s_t) in Ω(f)
Power Sum Sequence
• s_t = Σ α_i^t, f(α_i) = 0
• When the roots of f(x) = 0 are distinct (simple) then, by symmetry, (s_t) is a regular sequence in GF(2)
Theorem
(1) s_t = U_t + V_{t+1} + ... + Z_{t+n-1}
(2) s_t = f'(E) Z_t
where E s_t = s_{t+1}
"Proof:" Follows from Newton's identities:
  φ(x) = s0 x^{n-1} + (s1 + c_{n-1}s0) x^{n-2} + ... + (s_{n-1} + c_{n-1}s_{n-2} + ... + c_1 s0)
       = n x^{n-1} + (n-1) c_{n-1} x^{n-2} + ... + c_1
       = f'(x)
Minimum Polynomial of (s_t)
• The minimum polynomial of a sequence (s_t) is the polynomial of smallest degree generating (s_t)
• If the complete sequence is known one easily finds the minimum polynomial.
• From the second fundamental identity
  (x^e - 1) φ(x) = s(x) f(x)
  The minimum polynomial f(x) of (s_t) has gcd(φ(x), f(x)) = 1.
  Dividing both sides by gcd(x^e - 1, s(x)) gives
  f(x) = (x^e - 1) / gcd(x^e - 1, s(x))
Example - Minimum Polynomial
• Determine the minimum polynomial of the sequence
  (s_t) = 0010111
• Then s(x) = 1 + x + x^2 + x^4 and therefore
  m(x) = (x^7 + 1) / gcd(x^7 + 1, 1 + x + x^2 + x^4)
       = (x^7 + 1) / (1 + x + x^2 + x^4)
       = x^3 + x + 1
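The polynomial computations behind the two fundamental identities and the minimum-polynomial formula, as an added example that is not part of the lecture. Polynomials over GF(2) are integers with bit i the coefficient of x^i (a representation chosen here); the block checks the second fundamental identity for (0010111), computes per(f) and m(x), and also recovers the minimum polynomial (x^3+x+1)(x^2+x+1) of the sum sequence from the Zierler example.

```python
# Added example (not from the lecture): polynomial arithmetic over GF(2) with integers
# (bit i = coefficient of x^i) to verify (x^e - 1) φ(x) = σ(x) f(x) for (0010111),
# compute the period of f(x) and the minimum polynomial m(x) = (x^e - 1) / gcd(x^e - 1, s(x)).

def deg(p):
    return p.bit_length() - 1

def pmul(a, b):
    """Carry-less multiplication = polynomial product over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, b):
    """Polynomial long division over GF(2): returns (quotient, remainder)."""
    q = 0
    while a and deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def pgcd(a, b):
    while b:
        a, b = b, pdivmod(a, b)[1]
    return a

def period_of_poly(f, limit=1 << 12):
    """per(f): smallest e with f(x) | x^e - 1 (over GF(2), x^e - 1 == x^e + 1)."""
    for e in range(1, limit):
        if pdivmod((1 << e) | 1, f)[1] == 0:
            return e
    raise ValueError("period not found below limit")

def seq_poly(bits):
    """σ(x) = s_0 x^{ε-1} + s_1 x^{ε-2} + ... + s_{ε-1} for one period of the sequence."""
    eps = len(bits)
    return sum(b << (eps - 1 - i) for i, b in enumerate(bits))

def min_poly(bits):
    """Minimum polynomial of the periodic sequence whose period is `bits`."""
    eps = len(bits)
    x_e_minus_1 = (1 << eps) | 1
    q, r = pdivmod(x_e_minus_1, pgcd(x_e_minus_1, seq_poly(bits)))
    assert r == 0          # the gcd divides x^e - 1 by construction
    return q

def poly_str(p):
    """Readable form such as 'x^3 + x + 1'."""
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(deg(p), -1, -1) if (p >> i) & 1]
    return " + ".join(terms) if terms else "0"

if __name__ == "__main__":
    F = 0b1011                       # x^3 + x + 1
    seq = [0, 0, 1, 0, 1, 1, 1]
    print("per(f) =", period_of_poly(F))
    print("σ(x) f(x) =", poly_str(pmul(seq_poly(seq), F)))   # x^7 + 1, φ(x) = 1
    print("m(x) =", poly_str(min_poly(seq)))
```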
Regular sequences
Definition: (s_t) is regular in Ω(f) if f(x) is the minimum polynomial of (s_t)
Example: (0010111) is a regular sequence in Ω(x^3+x+1)
Consider n=3 consecutive state vectors in the sequence:
  001, 010, 101
Observe that they are linearly independent
Theorem: (s_t) is regular in Ω(f) if and only if n consecutive state vectors are linearly independent
Berlekamp - Massey algorithm
• Can determine the minimum polynomial f(x) = x^n + c_{n-1}x^{n-1} + ... + c_0 of a sequence (s_t) from 2n successive bits s0, s1, ..., s_{2n-1} by solving
  | s0       s1   ... s_{n-1} |   | c_0     |   | s_n      |
  | s1       s2   ... s_n     |   | c_1     |   | s_{n+1}  |
  | ...                       | · | ...     | = | ...      |
  | s_{n-1}  s_n  ... s_{2n-2}|   | c_{n-1} |   | s_{2n-1} |
• The matrix has rank n if the minimum polynomial has degree n
• There exists a very efficient algorithm due to Berlekamp and Massey to calculate c_0, c_1, ..., c_{n-1} in O(n^2) operations
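The Berlekamp-Massey algorithm over GF(2) as an added example (not code from the lecture). It returns the linear complexity L and the connection polynomial, which is then turned back into the characteristic polynomial f(x) of the slides; the block is exercised on the m-sequences and the product sequence (linear complexity 6) that appear later in these notes.

```python
# Added example (not from the lecture): the Berlekamp-Massey algorithm over GF(2).
# It returns the linear complexity L and the connection polynomial
# C(x) = 1 + c_1 x + ... + c_L x^L with s_t = c_1 s_{t-1} + ... + c_L s_{t-L} for t >= L.
# At least 2L bits are needed for the answer to be the unique minimal register.

def berlekamp_massey(bits):
    """bits: list of 0/1. Returns (L, C) with C = [1, c_1, ..., c_L]."""
    n = len(bits)
    C = [1] + [0] * n   # current connection polynomial
    B = [1] + [0] * n   # connection polynomial before the last length change
    L, m = 0, 1         # m = number of steps since the last length change
    for t in range(n):
        # discrepancy d = s_t + c_1 s_{t-1} + ... + c_L s_{t-L} (mod 2)
        d = bits[t]
        for i in range(1, L + 1):
            d ^= C[i] & bits[t - i]
        if d == 0:
            m += 1
        elif 2 * L <= t:
            # the register is too short: lengthen it, remembering the old C
            T = C[:]
            for i in range(n + 1 - m):
                C[i + m] ^= B[i]       # C(x) += x^m B(x)
            L = t + 1 - L
            B = T
            m = 1
        else:
            for i in range(n + 1 - m):
                C[i + m] ^= B[i]
            m += 1
    return L, C[:L + 1]

def minimal_polynomial(bits):
    """Characteristic polynomial f(x) = x^L C(1/x) = x^L + c_1 x^{L-1} + ... + c_L
    as a readable string, together with L."""
    L, C = berlekamp_massey(bits)
    terms = []
    for i in range(L + 1):
        if C[i]:
            e = L - i
            terms.append("x^%d" % e if e > 1 else ("x" if e == 1 else "1"))
    return L, " + ".join(terms)

if __name__ == "__main__":
    for s in ("0010111" * 2, "000100110101111" * 2, "011010011001001010000" * 2):
        L, f = minimal_polynomial([int(c) for c in s])
        print("L = %d, f(x) = %s" % (L, f))
```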
Maximal Sequences
• The maximal period of a sequence generated by a polynomial f(x) of degree n is at most 2^n - 1
• f(x) is said to be primitive if f(x) is irreducible of degree n and has period 2^n - 1.
  Then f(x) generates a maximal sequence (m-sequence) of period 2^n - 1
• Some primitive polynomials and m-sequences
  - f(x) = x^3+x+1 (0010111)
  - f(x) = x^4+x+1 (000100110101111)
  - f(x) = x^5+x^2+1 (0000100101100111110001101110101)
Correlation of Sequences
• Let (a_t) and (b_t) be binary sequences of period ε
• The crosscorrelation between (a_t) and (b_t) at shift τ is
  θ_{a,b}(τ) = Σ_{t=0}^{ε-1} (-1)^{a_{t+τ} - b_t}
• The autocorrelation of (a_t) at shift τ is
  θ_{a,a}(τ) = Σ_{t=0}^{ε-1} (-1)^{a_{t+τ} - a_t}
Golomb's Randomness Postulates
• Run = consecutive 0's or 1's
• Block = a run of 1's
• Gap = a run of 0's
• R1. The number of zeros and the number of ones differ by at most one during a period of the sequence.
• R2. Half of the runs in a full cycle have length 1, 1/4 of all runs have length 2, 1/8 have length 3 etc., as long as the number of runs exceeds one. Moreover, for each of these lengths there are equally many gaps and blocks.
• R3. The out-of-phase autocorrelation of the sequence always has the same value.
• Note: m-sequences obey, and are the model for, these postulates
Two-level autocorrelation of m-sequences
• Let (s_t) be an m-sequence of period ε = 2^n - 1
• Then the autocorrelation of the m-sequence is
  θ_{s,s}(τ) = 2^n - 1  if τ = 0 (mod 2^n - 1)
             = -1       if τ ≠ 0 (mod 2^n - 1)
Proof: Let τ ≠ 0 (mod 2^n - 1). Then
  θ_{s,s}(τ) = Σ_t (-1)^{s_{t+τ} - s_t}
             = Σ_t (-1)^{s_{t+γ}}      (shift-and-add: (s_{t+τ}) + (s_t) is itself a shift (s_{t+γ}) of the m-sequence)
             = -1 (since the m-sequence is balanced)
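Golomb's postulates, the two-level autocorrelation and the multigram counts of the earlier example, all checked on the m-sequence of x^4 + x + 1. This is an added example and not part of the lecture; the register and all statistics are computed here from scratch.

```python
# Added example (not from the lecture): check Golomb's postulates R1-R3, the two-level
# autocorrelation and the (skew) multigram distribution on the m-sequence of x^4 + x + 1.

def lfsr_period(taps, n, state=None):
    """One period of the output of s_{t+n} = sum(taps[i] * s_{t+i}) (mod 2).
    taps = [c_0, ..., c_{n-1}]; the initial state is 0...01 unless given."""
    s = list(state or ([0] * (n - 1) + [1]))
    while len(s) < 2 ** n - 1 + n:
        s.append(sum(t * b for t, b in zip(taps, s[-n:])) % 2)
    return s[:2 ** n - 1]

def balance(seq):
    """R1: (#ones) - (#zeros) over one period."""
    return 2 * sum(seq) - len(seq)

def runs(seq):
    """R2: dictionary (bit, length) -> number of runs, treating the period cyclically."""
    eps = len(seq)
    start = next(i for i in range(eps) if seq[i] != seq[i - 1])  # a run boundary
    rotated = seq[start:] + seq[:start]
    counts, i = {}, 0
    while i < eps:
        j = i
        while j < eps and rotated[j] == rotated[i]:
            j += 1
        key = (rotated[i], j - i)
        counts[key] = counts.get(key, 0) + 1
        i = j
    return counts

def autocorrelation(seq, tau):
    """θ(τ) = Σ_t (-1)^(s_{t+τ} - s_t) over one period."""
    eps = len(seq)
    return sum((-1) ** (seq[(t + tau) % eps] ^ seq[t]) for t in range(eps))

def autocorrelation_values(seq):
    """Set of out-of-phase autocorrelation values (R3 demands a single value)."""
    return set(autocorrelation(seq, tau) for tau in range(1, len(seq)))

def multigram_counts(seq, offsets):
    """How often each pattern [s_{t+τ1}, ..., s_{t+τm}] occurs in one period."""
    eps = len(seq)
    counts = {}
    for t in range(eps):
        key = tuple(seq[(t + o) % eps] for o in offsets)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    m = lfsr_period([1, 1, 0, 0], 4)          # x^4 + x + 1
    print("".join(map(str, m)), "balance:", balance(m))
    print("runs:", runs(m))
    print("out-of-phase autocorrelation:", autocorrelation_values(m))
    print("[s_t s_t+1 s_t+4]:", multigram_counts(m, (0, 1, 4)))   # only even-parity triples
```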
Nonlinear Shift Registers
• Increase the linear complexity of the keystream
• Difficult to predict the period
• No general theory exists
• Often one combines linear shift registers and nonlinear shift registers to control period and complexity
Nonlinear Shift Registers
• A nonlinear recursion can be described using its truth table
  s0 s1 s2 | f(s0 s1 s2)
  0  0  0  | 0
  0  0  1  | 0
  0  1  0  | 0
  0  1  1  | 1
  1  0  0  | 1
  1  0  1  | 1
  1  1  0  | 1
  1  1  1  | 0
(Figure: 3-stage register S0 S1 S2 with feedback f = s0 + s1 s2.)
Nonlinear Functions
  s0 s1 s2 | f(s0 s1 s2)
  0  0  0  | 1
  0  0  1  | 1
  0  1  0  | 0
  0  1  1  | 1
  1  0  0  | 0
  1  0  1  | 0
  1  1  0  | 1
  1  1  1  | 0
• How to find f(s0,s1,s2) from a given truth table?
  f(s0,s1,s2) = (1+s0)(1+s1)(1+s2)
              + (1+s0)(1+s1)s2
              + (1+s0)s1s2
              + s0s1(1+s2)
              = 1 + s0 + s1 + s1s2
• # Boolean functions in n variables: 2^{2^n}
• # Boolean linear functions in n variables: 2^n
Table Look Up (Multiplexing)
• Can construct complex cryptographic transformations by table look-up
  x1 ... x_{n-1} x_n | output
  0  ... 0       0   | y0
  0  ... 0       1   | y1
  ...                | ...
  1  ... 1       1   | y_{2^n-1}
• (n=3)
  F = y0 (x1+1)(x2+1)(x3+1) + y1 (x1+1)(x2+1)x3 + ... + y7 x1x2x3
Example - deBruijn Sequence
• Let f(s0,s1,s2) = 1 + s0 + s1 + s1s2
  State sequence: 110 → 101 → 010 → 100 → 000 → 001 → 011 → 111 → 110
• This gives a maximal sequence of length 2^n
  ...11010001...
  and is called a deBruijn sequence
• # deBruijn sequences of period 2^n is 2^{2^{n-1} - n}
Example – Singular f
• Let f(s0,s1,s2) = 1 + s0 + s1 + s2 + s0s1 + s0s2 + s1s2
  State transitions: 001 → 010 and 101 → 010, 010 → 100, 100 → 000, 000 → 001, 011 → 110, 110 → 100, 111 → 111
• Contains "branch points" (two states with the same successor, e.g. 001 and 101) and such an f is called singular
• f is nonsingular if and only if f = s0 + g(s1,...,s_{n-1})
How to avoid branch points
• Assume a branch point exists, i.e., two different states
  α0 α1 ··· α_{n-1}
  β0 β1 ··· β_{n-1}
  have the same successor
• Then
  α1 ··· α_{n-1} f(α0 ··· α_{n-1}) = β1 ··· β_{n-1} f(β0 ··· β_{n-1})
  so α0 = β0 + 1, α_i = β_i for i = 1, ..., n-1, and
  f(α0, α1, ..., α_{n-1}) = f(β0, β1, ..., β_{n-1}) = f(α0+1, α1, ..., α_{n-1})
• Branch points are avoided iff
  - the second half of the truth table is the complement of the first
  - f(x0,x1,...,x_{n-1}) = x0 + g(x1,x2,...,x_{n-1})
• # Feedback functions without branch points (nonsingular) = 2^{2^{n-1}}
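The singular/nonsingular distinction above, worked in code. This is an added example and not part of the lecture: it runs a 3-stage register from an arbitrary Boolean feedback function, lists branch points, tests the criterion f = s_0 + g(s_1, ..., s_{n-1}), checks the deBruijn property, and counts the nonsingular functions for n = 3 (the slides' 2^{2^{n-1}} = 16).

```python
# Added example (not from the lecture): run an n-stage nonlinear feedback shift register
# from a Boolean feedback function f(s_0, ..., s_{n-1}), detect branch points (singular f)
# and check whether a nonsingular f generates a deBruijn sequence.

from itertools import product

def successor(state, f):
    """Next state: shift left and append the feedback bit f(state)."""
    return state[1:] + (f(*state) % 2,)

def branch_points(f, n):
    """Successor -> list of predecessors, for successors with more than one predecessor
    (empty iff f is nonsingular)."""
    succ = {}
    for state in product((0, 1), repeat=n):
        succ.setdefault(successor(state, f), []).append(state)
    return {nxt: preds for nxt, preds in succ.items() if len(preds) > 1}

def is_nonsingular(f, n):
    """f = s_0 + g(s_1, ..., s_{n-1}), i.e. flipping s_0 always flips f (the second half
    of the truth table is the complement of the first)."""
    return all(f(0, *rest) % 2 != f(1, *rest) % 2 for rest in product((0, 1), repeat=n - 1))

def cycle_from(state, f):
    """States visited from `state` until the first repetition (a cycle if f is nonsingular)."""
    seen, cycle = set(), []
    while state not in seen:
        seen.add(state)
        cycle.append(state)
        state = successor(state, f)
    return cycle

def is_de_bruijn(f, n):
    """True iff the register runs through all 2^n states in one cycle."""
    return is_nonsingular(f, n) and len(cycle_from((0,) * n, f)) == 2 ** n

def output_bits(cycle):
    return "".join(str(s[0]) for s in cycle)

def count_nonsingular(n):
    """Brute force over all 2^(2^n) truth tables; the slides state the answer 2^(2^(n-1))."""
    states = list(product((0, 1), repeat=n))
    count = 0
    for table in product((0, 1), repeat=2 ** n):
        tt = dict(zip(states, table))
        if is_nonsingular(lambda *s: tt[s], n):
            count += 1
    return count

# The feedback functions used on the slides (n = 3):
f_linear = lambda s0, s1, s2: s0 + s1                     # x^3 + x + 1
f_quadratic = lambda s0, s1, s2: s0 + s1 * s2             # first truth-table example
f_debruijn = lambda s0, s1, s2: 1 + s0 + s1 + s1 * s2
f_singular = lambda s0, s1, s2: 1 + s0 + s1 + s2 + s0 * s1 + s0 * s2 + s1 * s2

if __name__ == "__main__":
    print("branch points of the singular f:", branch_points(f_singular, 3))
    print("deBruijn cycle:", output_bits(cycle_from((1, 1, 0), f_debruijn)))
    print("nonsingular functions for n=3:", count_nonsingular(3))
```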
The deBruijn Graph
• Directed graph
• 2^n nodes (states) ↔ (s0,s1,...,s_{n-1})
• Each state α0 α1 ··· α_{n-1} has two possible successors
  α1 α2 ··· α_{n-1} 0
  α1 α2 ··· α_{n-1} 1
• Each state α1 α2 ··· α_{n-1} * has two possible predecessors
  0 α1 α2 ··· α_{n-1}
  1 α1 α2 ··· α_{n-1}
DeBruijn Graph (Examples)
(Figure: B2 with the nodes 00, 01, 10, 11 and B3 with the nodes 000, 001, 100, 010, 101, 011, 110, 111.)
Cycles in the DeBruijn Graph – (f = s0)
(Figure: in B3 the feedback f = s0 selects the cycles (0), (001), (101) and (1).)
Pure Cycling Register
• Let f(s0,s1,...,s_{n-1}) = s0, i.e., g = 0 (f = s0 + g(s1,...,s_{n-1}))
• The weight of the truth table of g is 0
• Cycle structure (PCR)
  n=3: (0), (1), (001), (011)
  n=4: (0), (1), (01), (0001), (0011), (0111)
• Number of cycles of B_n under the pure cycling register
  Z(n) = (1/n) Σ_{d|n} φ(d) 2^{n/d}   (an even number)
Weight of linear registers
Theorem
If f(s0,s1,...,s_{n-1}) = s0 + g(s1,...,s_{n-1}) where g ≠ 0 is linear, then the truth table of g has 2^{n-2} 0's and 2^{n-2} 1's (i.e., it is balanced)
Proof
If g ≠ 0 then for some i
  g = s_i + h(s1,...,s_{i-1},s_{i+1},...,s_{n-1})
i.e.,
  g(s1,...,s_{i-1},s_i,s_{i+1},...,s_{n-1}) = g(s1,...,s_{i-1},s_i+1,s_{i+1},...,s_{n-1}) + 1
so the entries of the truth table come in complementary pairs
Parity of the Number of Cycles
Theorem
The number of cycles into which B_n is decomposed has the same parity as the weight of the truth table of g
• Proof: A maximal sequence decomposes B_n into 2 (even) cycles. Also g = 0 gives Z(n) (even) cycles
• Any other nonlinear function f can be obtained by changing the truth table bit by bit.
• Each change of the truth table of g changes the number of cycles by one and the weight of g by 1
DeBruijn sequences (Necessary conditions)
Theorem
(1) To obtain a deBruijn sequence, f must use all n variables
(2) The truth table of g (f = s0 + g) must have odd weight (at least Z(n) - 1)
Proof: Follows since otherwise the truth table has even weight and cannot generate a deBruijn sequence
Changing the Truth Table
• Given a nonsingular f
• Changing a bit in the truth table changes the number of cycles by one
• Ex: increasing the number of cycles (figure: flipping one truth-table entry splits a cycle into two)
• Changing the parity of the truth table changes the parity of the number of cycles
DeBruijn sequences from m-sequences
• Change the longest run in an m-sequence by appending an extra 0. The result is a deBruijn sequence
• Example: 0000100110101111
• This deBruijn sequence is "almost linear"
• However, its linear complexity is as large as possible for deBruijn sequences
• This is a prime example that linear complexity is no guarantee for security
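The construction above (m-sequence plus one extra 0 in the longest zero run) and the cycle count Z(n) of the pure cycling register, as an added example that is not part of the lecture. The m-sequence of x^4 + x + 1 is generated here and the result is checked against the slide's 0000100110101111 by verifying that every 4-bit window occurs exactly once.

```python
# Added example (not from the lecture): turn the m-sequence of x^4 + x + 1 into a deBruijn
# sequence by inserting one extra 0 into its longest run of zeros, verify that every 4-bit
# window then occurs exactly once, and check Z(n) against a direct count of the cycles
# of the pure cycling register f = s_0.

from itertools import product
from math import gcd

def m_sequence(taps, n):
    """One period of s_{t+n} = sum(taps[i] s_{t+i}) mod 2 from the state 0...01."""
    s = [0] * (n - 1) + [1]
    while len(s) < 2 ** n - 1 + n:
        s.append(sum(t * b for t, b in zip(taps, s[-n:])) % 2)
    return s[:2 ** n - 1]

def to_de_bruijn(mseq, n):
    """An m-sequence has exactly one run of n-1 zeros (the state 0...01 is visited once);
    inserting a 0 there adds the missing all-zero state."""
    eps = len(mseq)
    zeros = [0] * (n - 1)
    for i in range(eps):
        window = [mseq[(i + k) % eps] for k in range(n - 1)]
        if window == zeros and mseq[(i - 1) % eps] == 1:
            return mseq[:i] + [0] + mseq[i:]
    raise ValueError("no run of n-1 zeros: not an m-sequence")

def windows(seq, n):
    """All cyclic n-bit windows of seq."""
    eps = len(seq)
    return [tuple(seq[(t + k) % eps] for k in range(n)) for t in range(eps)]

def is_de_bruijn(seq, n):
    return len(seq) == 2 ** n and len(set(windows(seq, n))) == 2 ** n

def euler_phi(d):
    return sum(1 for k in range(1, d + 1) if gcd(k, d) == 1)

def Z(n):
    """Z(n) = (1/n) sum_{d|n} phi(d) 2^(n/d): number of cycles of the pure cycling register."""
    return sum(euler_phi(d) * 2 ** (n // d) for d in range(1, n + 1) if n % d == 0) // n

def pcr_cycle_count(n):
    """Count the cycles of f = s_0 directly: each cycle is the set of rotations of a state."""
    seen, count = set(), 0
    for state in product((0, 1), repeat=n):
        if state not in seen:
            seen.update(state[k:] + state[:k] for k in range(n))
            count += 1
    return count

if __name__ == "__main__":
    m = m_sequence([1, 1, 0, 0], 4)
    db = to_de_bruijn(m, 4)
    print("".join(map(str, m)), "->", "".join(map(str, db)), is_de_bruijn(db, 4))
    print("Z(3) =", Z(3), "Z(4) =", Z(4), "direct count:", pcr_cycle_count(4))
```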
!
Period of Nonlinear Shift Registers
• Hard problem in general
• Very few general results on the period
• Some results are known when g(s1,...,s_{n-1}) is symmetric
• The maximum number of cycles among all nonlinear functions is Z(n), which occurs when g = 0 (but also in many other cases)
Multiplication of Sequences
(Figure: a 3-stage LFSR producing (u_t) = (1110100) and a 2-stage LFSR producing (v_t) = (011) are multiplied bit by bit.)
(w_t) = (u_t v_t) = (011010011001001010000)
• The product sequence has
  - Period 21 = 3×7
  - Linear complexity 6
• Increases the linear complexity in an easy way (but the output needs balancing)
Period of (u_t v_t)
Theorem
Let gcd(per(u_t), per(v_t)) = 1. Then
  per(u_t v_t) = per(u_t)·per(v_t)
Proof:
If per(u_t v_t) ≠ per(u_t)·per(v_t) then per(u_t v_t) = k·per(u_t) where k | per(v_t). Decimating (u_t v_t) by e = per(u_t) gives
  (u_0 v_0), (u_0 v_e), (u_0 v_{2e}), ...
of period k < per(v_t). Since gcd(e, per(v_t)) = 1 this is a contradiction.
Linear Complexity of (u_t v_t)
• Let (u_t) ∈ Ω(f) and (v_t) ∈ Ω(g)
• Let (w_t) = (u_t v_t)
  u_t = Σ a_i α_i^t where the α_i are the zeros of f(x)
  v_t = Σ b_j β_j^t where the β_j are the zeros of g(x)
• Then
  (w_t) = Σ a_i b_j α_i^t β_j^t
• If h(x) has all products α_i β_j as zeros then (w_t) ∈ Ω(h)
Nonlinear Feed-Forward Register
Output
  u_t = s_t s_{t+1} + s_{t+2} s_{t+3} + s_{t+4} s_{t+5}
• Period = 63
• Linear complexity = 21
• Increases the linear complexity in an easy way
Nonlinear Functions on LFSRs
• Using one LFSR (nonlinear filter)
(Figure: n cells of a single LFSR are tapped and fed into a Boolean function f, which outputs the keystream z.)
  f(x1,x2,...,xn) = Σ a_{i1 i2 ... in} x_{i1} x_{i2} ... x_{in}
Properties of a Filter Generator
• Let (s_t) be an m-sequence of period 2^n - 1
• Let u_t = s_{t+τ} s_{t+2τ} ··· s_{t+kτ}
• Then the linear complexity of (u_t) is C(n,k) (the binomial coefficient n over k)
• Let z_t = Σ_{i=0}^{N} c_i s_{t+i+δ} s_{t+i+2δ} ··· s_{t+i+(k-1)δ}
• Then the linear complexity of (z_t) is C(n,k) - (N-1) when at least one c_i is nonzero
Non-linear Combination Generator
(Figure: LFSR 1, LFSR 2, ..., LFSR n produce x1, x2, ..., xn, which are combined by f into z.)
  z = f(x1,x2,...,xn), a Boolean function
Linear Complexity
(Figure: as above.)
• Let LFSR i generate an m-sequence of period 2^{n_i} - 1
• Let gcd(n_i,n_j) = 1 for all i ≠ j
• Let n_i ≥ 2 for all i
• Let f(x1,...,xn) = Σ a_{i1...it} x_{i1} ··· x_{it}
• Then the linear complexity is
  f(n1,...,nn)
  (f evaluated over the integers with the register lengths substituted for the variables)
Geffe generator
(Figure: LFSR 1, LFSR 2, LFSR 3 produce x1, x2, x3, which are combined by f into z.)
• The LFSRs generate m-sequences of period 2^{n_i} - 1, gcd(n_i,n_j) = 1
• z = f(x1,x2,x3) = x1x2 + x2x3 + x3
• x2 = 1 → f = x1
• x2 = 0 → f = x3
• Period = (2^{n1}-1)(2^{n2}-1)(2^{n3}-1)
• Linear complexity = n1n2 + n2n3 + n3
Correlation attack - Geffe generator
(Figure: as above.)
Correlation attack on the Geffe generator
(NB! Prob(z = x1) = 3/4)
- Guess the initial state of LFSR 1
- Compare x1 and z
- If the agreement is about 3/4, the guess is likely to be correct
- If the agreement is about 1/2, the guess is likely to be wrong
Correlation immunity
To avoid the correlation attack, choose f(x1,x2,...,xn) to be correlation immune of high order
Definition: f(x1,x2,...,xn) is m-th order correlation immune if f(x1,x2,...,xn) is statistically independent of any m of its input variables
Example
- f(x1,x2,...,xn) = x1+x2+...+xn is (n-1)-th order correlation immune
- The Geffe generator z = f(x1,x2,x3) = x1x2+x2x3+x3 is only 0-th order correlation immune:
  P(z=1) = 1/2 ≠ P(z=1 | x3=0) = 1/4
Remark
If f(x1,x2,...,xn) is m-th order correlation immune then deg f ≤ n - m
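The leak the slides describe, measured. This is an added example and not part of the lecture: with toy registers x^3+x+1, x^4+x+1 and x^5+x^2+1 (lengths chosen here, pairwise coprime) it computes, for every candidate state of LFSR 1, how often that register's output agrees with the keystream z over a full period, for the Geffe combiner and for the correlation-immune combiner x1+x2+x3. For Geffe the true state stands out at about 3/4 agreement; for the XOR combiner every candidate sits at about 1/2, which is what correlation immunity buys the designer.

```python
# Added example (not from the lecture): measure the correlation between the Geffe output z
# and the input x1 (the slides' P(z = x1) = 3/4) for every candidate state of LFSR 1, and
# compare with the XOR combiner x1 + x2 + x3, which is 2nd-order correlation immune.
# Toy register lengths 3, 4, 5 (coprime) with the primitive polynomials from the slides.

from itertools import product

def lfsr_stream(taps, state, length):
    """Output bits of s_{t+n} = sum(taps[i] s_{t+i}) mod 2 from the given state."""
    s = list(state)
    out = []
    for _ in range(length):
        out.append(s[0])
        s.append(sum(t * b for t, b in zip(taps, s)) % 2)
        s.pop(0)
    return out

TAPS = {1: [1, 1, 0], 2: [1, 1, 0, 0], 3: [1, 0, 1, 0, 0]}   # x^3+x+1, x^4+x+1, x^5+x^2+1
geffe = lambda x1, x2, x3: (x1 * x2 + x2 * x3 + x3) % 2
xor3 = lambda x1, x2, x3: (x1 + x2 + x3) % 2

def keystream(f, states, length):
    """states: {1: state of LFSR 1, 2: ..., 3: ...}."""
    xs = [lfsr_stream(TAPS[i], states[i], length) for i in (1, 2, 3)]
    return [f(a, b, c) for a, b, c in zip(*xs)]

def agreement(z, candidate_state, length):
    """Fraction of positions where the candidate LFSR 1 output equals the keystream."""
    x1 = lfsr_stream(TAPS[1], candidate_state, length)
    return sum(a == b for a, b in zip(x1, z)) / length

def agreement_by_state(f, true_states, length):
    """Agreement for every nonzero candidate state of LFSR 1: how strongly z leaks x1."""
    z = keystream(f, true_states, length)
    return {st: agreement(z, st, length)
            for st in product((0, 1), repeat=3) if any(st)}

if __name__ == "__main__":
    states = {1: (1, 0, 0), 2: (1, 0, 0, 0), 3: (1, 0, 0, 0, 0)}
    full_period = 7 * 15 * 31
    for name, f in (("Geffe", geffe), ("x1+x2+x3", xor3)):
        print(name)
        for st, a in sorted(agreement_by_state(f, states, full_period).items()):
            print("  candidate %s: agreement %.3f%s" % (st, a, "  <- true state" if st == states[1] else ""))
```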
Cascade Coupling
(Figure: LFSR A produces (a_t), which clocks LFSR B; the output is (c_t).)
Output sequence
  a = 0...0 1 0...0 1 0...0 1 0 ...
  c = a·b = 0...0 b0 0...0 b1 0...0 b2 0... = (c_t)
For two m-sequences (a_t) and (b_t) of period 2^m - 1 the cascaded sequence c has
- Period: (2^m - 1)^2
- Linear complexity: m(2^m - 1)
- Randomness
  - The probability of a 1 is approximately 1/4
  - Can get a probability of 1/2 by adding suitable combinations
Shrinking Generator
• Coppersmith, Krawczyk and Mansour, 1993
(Figure: LFSR 1 produces a_i and LFSR 2 produces b_i, both clocked together; if a_i = 1 the bit b_i is output, otherwise b_i is discarded.)
• If gcd(n1, n2) = 1, the period will be (2^{n2} - 1)·2^{n1-1}
• The linear complexity L is bounded by
  n2·2^{n1-2} < L < n2·2^{n1-1}
• The statistical properties of the output sequence are "almost" uniform
• The security level of the generator is "approximately" 2^L, i.e., selecting the lengths of R1 and R2 close to 64 gives 128 bits of "security"
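A toy shrinking generator to check the stated period formula. This is an added example and not part of the lecture: LFSR 1 = x^3+x+1 (the selector, n1 = 3) and LFSR 2 = x^4+x+1 (n2 = 4) are choices made here; the formula predicts a period of (2^4 - 1)·2^2 = 60.

```python
# Added example (not from the lecture): a toy shrinking generator with selector LFSR 1 =
# x^3 + x + 1 (n1 = 3) and data LFSR 2 = x^4 + x + 1 (n2 = 4), checking the slides' period
# (2^{n2} - 1) * 2^{n1 - 1} = 15 * 4 = 60.

def lfsr_stream(taps, state, length):
    """Output bits of s_{t+n} = sum(taps[i] s_{t+i}) mod 2 from the given state."""
    s = list(state)
    out = []
    for _ in range(length):
        out.append(s[0])
        s.append(sum(t * b for t, b in zip(taps, s)) % 2)
        s.pop(0)
    return out

def shrinking_generator(taps_a, state_a, taps_s, state_s, clocks):
    """Clock both registers `clocks` times; output b_i only when the selector bit a_i = 1."""
    a = lfsr_stream(taps_a, state_a, clocks)
    b = lfsr_stream(taps_s, state_s, clocks)
    return [bi for ai, bi in zip(a, b) if ai == 1]

def period(seq):
    """Smallest p with seq[t] == seq[t+p] for all t; seq must hold at least two periods."""
    L = len(seq)
    for p in range(1, L // 2 + 1):
        if all(seq[t] == seq[t + p] for t in range(L - p)):
            return p
    return None

def toy_output():
    # Both registers return to their initial states after lcm(7, 15) = 105 clocks, and
    # the selector outputs a 1 exactly 4 * 15 = 60 times in that span; 210 clocks therefore
    # give two full periods of the output (constructed toy parameters).
    return shrinking_generator([1, 1, 0], (1, 0, 0), [1, 1, 0, 0], (1, 0, 0, 0), 210)

if __name__ == "__main__":
    out = toy_output()
    print("%d output bits, period %d (formula: %d)" % (len(out), period(out), 15 * 4))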
Alternating Step Generator
(Figure: LFSR 1 clocks either LFSR 2 or LFSR 3; the outputs of LFSR 2 and LFSR 3 are added to give z_t.)
• If the output of LFSR 1 is 1 then clock LFSR 2, otherwise clock LFSR 3
• Let LFSR 1 generate a deBruijn sequence of period 2^{n1}
• Let LFSR 2 and LFSR 3 generate m-sequences of period 2^{n2} - 1 and 2^{n3} - 1 respectively, where gcd(n2,n3) = 1
• Then z_t has the properties
  - Period = 2^{n1}(2^{n2}-1)(2^{n3}-1)
  - Linear complexity
    (n2+n3)2^{n1-1} ≤ L ≤ (n2+n3)2^{n1}
Summary
• We have given an overview of basic properties of LFSRs and nonlinear shift registers
• Shown some methods for combining LFSRs in a nonlinear way
• Studied some basic designs and analyses of stream ciphers
Galois Registers
• The previous parts have considered the situation of Fibonacci registers
• In the Fibonacci case each bit in the register shifts to the next stage without "interruption"
• The sequences in each cell of the register are just delayed shifts of each other
• For Galois registers there is feedback to intermediate cells
• Therefore we have a sequence of state vectors that give individual coordinate sequences
The Matrix Method (I)
• Start vector S = (S0,S1,...,S_{n-1})
• T linear transformation
• Next state S' = S T
• Register contents S, ST, ST^2, ST^3, ···
• Nonsingular transformation, det(T) ≠ 0
• For nonsingular T there exists an e such that T^e = I
• The sequence of state vectors has period e
• No single cycle for Galois registers but a sequence of state vectors that give coordinate sequences
The Matrix Method (II)
• Register contents S, ST, ST^2, ST^3, ···
• Nonsingular transformation, det(T) ≠ 0
• Characteristic polynomial c(x) = det(xI - T)
• Minimal polynomial m(x) is the polynomial of lowest degree such that m(T) = 0
• Note that
  - m(x) | c(x) (since c(T) = 0)
  - m(x) = c(x) when c(x) has no repeated roots
Example
• T = | 0 0 1 |
      | 1 0 1 |
      | 1 1 0 |
• The vector sequence is periodic with period e: S T^e = S
• c(x) = x^3+1 = (x+1)(x^2+x+1)
• Cycle structure
  C0 : 000
  C1 : 011
  C2 : 010 → 101 → 111 → 010
  C3 : 001 → 110 → 100 → 001
Matrix Description - Example
• Let S = (s0, s1, s2) and
  T = | 1 0 1 |
      | 1 0 1 |
      | 1 1 0 |
• Then s0' = s0 + s1 + s2, s1' = s2, s2' = s0 + s1
• Then S' = S T
• T is singular (two equal rows): e.g. both 010 and 100 are mapped to 101, while 011 is mapped to itself
Vector recurrences
• Recurrence relation
  V_{t+r} + g_{r-1}V_{t+r-1} + ... + g_0 V_t = 0
• Characteristic polynomial
  g(x) = x^r + g_{r-1}x^{r-1} + ... + g_0
• Let T(S, S', S'', ..., S^{(t)}, ···), S^{(t)} = S T^t, denote a vector sequence (denote the set of these by Ω(T))
• If the recurrence relation holds at time t it holds at any later time:
  S^{(t+r)} + g_{r-1}S^{(t+r-1)} + ... + g_0 S^{(t)} = 0
  S^{(t)} (T^r + g_{r-1}T^{r-1} + ... + g_0 I) = 0
  S^{(t)} g(T) = 0
Minimum polynomial of T(S,S',...)
• The minimum polynomial of T(S,S',...) is the polynomial g(x) of lowest degree such that S^{(t)} g(T) = 0
• Since m(T) = 0, g(x) | m(x)
• Conversely, if all sequences in Ω(T) satisfy S^{(t)} M(T) = 0 then m(x) | M(x)
• The recurrence relation of lowest order satisfied by all sequences in Ω(T) is
  S^{(t)} m(T) = 0
Rank of Vector Sequences
• The rank of a vector sequence is the rank of the ε × n matrix formed by the corresponding cycle
Theorem
The rank of T(S,S',...) is r = deg(g(x))
Proof:
The rank is at most r since all vectors are linear combinations of at most r consecutive vectors.
The rank is at least r since r consecutive vectors are linearly independent.
Example
• Cycle structure (for the register with c(x) = x^3+1 above)
  C0 : 000
  C1 : 011
  C2 : 010, 101, 111
  C3 : 001, 110, 100
• m(x) = x^3+1 = (x+1)(x^2+x+1)
  Cycle : C1    C2        C3
  Rank  : 1     2         3
  g(x)  : x+1   x^2+x+1   x^3+1
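The matrix method for the example register, as an added example that is not part of the lecture: with the matrix T of the slides (c(x) = x^3 + 1) it computes the period e with T^e = I, the cycles of state vectors under S' = S T, and the GF(2) rank of each cycle, which should match deg g(x) = 1, 2, 3 for C1, C2, C3.

```python
# Added example (not from the lecture): the matrix method over GF(2) for the slides' example
# matrix T (c(x) = x^3 + 1): period of T, cycles of state vectors S, ST, ST^2, ..., and the
# rank of each cycle, which equals the degree of its minimum polynomial g(x).

T = [[0, 0, 1],
     [1, 0, 1],
     [1, 1, 0]]

def vec_mat(v, M):
    """Row vector times matrix over GF(2): S' = S T."""
    n = len(M)
    return tuple(sum(v[i] * M[i][j] for i in range(n)) % 2 for j in range(n))

def mat_mul(A, B):
    return [list(vec_mat(tuple(row), B)) for row in A]

def matrix_order(M, limit=1000):
    """Smallest e with M^e = I (exists when M is nonsingular)."""
    n = len(M)
    I = [[int(i == j) for j in range(n)] for i in range(n)]
    P = M
    for e in range(1, limit):
        if P == I:
            return e
        P = mat_mul(P, M)
    raise ValueError("no period found (singular matrix?)")

def state_cycles(M):
    """Decompose all 2^n state vectors into cycles of the map S -> S M."""
    n = len(M)
    seen, cycles = set(), []
    for k in range(2 ** n):
        s = tuple((k >> (n - 1 - i)) & 1 for i in range(n))
        if s in seen:
            continue
        cycle = []
        while s not in seen:
            seen.add(s)
            cycle.append(s)
            s = vec_mat(s, M)
        cycles.append(cycle)
    return cycles

def gf2_rank(vectors):
    """Rank of a set of 0/1 vectors by elimination over GF(2) (vectors packed as integers)."""
    rows = [sum(b << i for i, b in enumerate(v)) for v in vectors]
    rank = 0
    while rows:
        pivot = max(rows)
        rows.remove(pivot)
        if pivot == 0:
            continue
        hi = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> hi) & 1 else r for r in rows]
        rank += 1
    return rank

if __name__ == "__main__":
    print("T^e = I for e =", matrix_order(T))
    for cycle in state_cycles(T):
        print("cycle", ["".join(map(str, s)) for s in cycle], "rank", gf2_rank(cycle))
```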
Summary
• We have given an introduction to
  - Linear shift registers
  - Nonlinear shift registers
  - Applications to stream ciphers
• Sequences have applications in
  - Coding
  - Cryptography
  - Communications