Sequences Linear Shift Registers and Stream Ciphers

Sequences Linear Shift Registers and Stream Ciphers Tor Helleseth University of Bergen Norway

- Motivation - Linear Feedback Shift Registers (LFSR) - Periodicity - Complexity - Nonlinear Feeedback Shift Registers - Applications to stream ciphers - Nonlinear generators - Filter generators - Clock controlled generators Outline

One-time-pad Plaintext Plaintext Cipher 100.. 110.. 110.. 010... 010... K K • Provable secure provided - Key K is random - Key K is as long as the message - Key K is used only one time

Keystream ...10100101 Key generator Cipher message ...11001110 Plain message … 01101011 Key generator Key Requirements for a good keystream • Good randomness distribution • Longperiod • High complexity

Generation of Keystream For a good system one needs: • Linearity - To control the period of keystream - To control randomness of keystream • Nonlinearity - To control complexity of keystream • Combination of linearity and nonlinearity - To also get good randomness and preserve the period and complexity

Synchronous stream cipher • Keystream is generated independent of the plaintext (and the ciphertext) - Initial state: σ0 (depends on key K) - Next state function: σi = f(σi-1,K) - Keystream function: zi = g(σi,K) - Output function: ci = h(zi,mi) (In additive stream cipher: ci = zi + mi (mod 2)) • Needs synchronization between sender and receiver • No error propagation …

State State K f K f g K K g ci mi h ci h mi Synchronous Stream Cipher

Self-Synchronous Stream Cipher • Keystream is generated from the key and a fixed number of previous ciphertext symbols - Initial state: σ0 (depends on key K) - Next state function: σi=f(ci-1, ci-2,…, ci-T,K) - Keystream function: zi=g(σi,K) - Output function: ci=h(zi,mi) (In additive stream cipher: ci = zi + mi (mod 2)) • Self synchronization • Limited error propagation …

S0 S1 S2 Difference Equation st+3 = st+1+st (mod 2) (t=0,1,2…) s3 = s1+s0 s4 = s2+s1 …………… Initial value of s0, s1, s2 and the difference equation determines (st)

S0 S1 S2 Example 1 - LFSR st+3 = st+1+ st S0 S1 S2 0 0 1 0 1 0 1 0 1 0 1 1 1 1 1 1 1 0 1 0 0 ----------------- 0 0 1 Initial fill determines the sequence of states Generates a periodic sequence …0010111... Maximal period 23-1=7

S0 S1 S2 Example 2 - Cycle Structure st+3= st+2+st+1+st 0 0 1 0 1 1 1 1 0 1 0 0 --------------- 0 0 1 0 1 0 1 0 1 ----------------- 0 1 0 1 1 1 --------------- 1 1 1 0 0 0 --------------- 0 0 0 Cycle (1100) Cycle (01) Cycle (1) Cycle (0)

S0 S1 Sn-1 c0=1 c1 c2 cn-1 cn=1 General Shiftregister • Linear recursion st+n + cn-1st+n-1 + …+c1st+1 + c0st = 0 (c0≠ 0) • Characteristic polynomial xn +cn-1xn-1+…+ c1x + c0 = 0

S0 S1 S2 S0 S1 S2 Some Characteristic Polynomials f(x)=x3+x+1 f(x)=x3+x2+x+1

…. cn=1 f(x) Ω(f) – Sequences Generated by f(x) S0 S1 Sn-1 c0=1 • Characteristic polynomial f(x) = xn + cn-1 xn-1 + … + c1 x + c0 • The initial vector (s0, s1,…,sn-1)andf(x) define a sequence • Ω(f) is the set of sequences generated by f(x) • | Ω(f) |=2n • Ω(f) is a vector space over {0,1}

S0 S1 S2 Ω(f) - f(x) = x3 + x + 1 Sequences in Ω(f) 0000000… 0010111… 0101110… 1011100… 0111001… 1110010… 1100101… 1001011… • Each initial state (s0,s1,s2) gives a sequence • Eight different initial states gives eight different sequences • In this case all nonzero sequences are cyclic shifts of each other

G(x) - Generating Function of a Sequence • Given a sequence s0, s1, s2, … • Generating function G(x) = s0+s1x+s2x2+ s3x3+ …= Σ si xi • First Fundamental Identity - Let (st) be a sequence in Ω(f) - Then (due to recursion most terms disappear) G(x) f*(x) = φ*(x) where φ(x)=s0xn-1+(s1+cn-1s0)xn-2+(s2+cn-1s1+cn-2s0)xn-3+… + (sn-1+cn-1sn-2+…+c1s0) and f*(x) is the reciprocal polynomial of f(x) ∞ i=0

Example – First Fundamental Identity • (0010111) is generated by f(x) = x3 + x + 1 • Generating function G(x) = x2+x4+x5+x6 + x9+x11+x12+x13 + x16+… • What isφ(x) ? φ(x) = s0xn-1+(s1+cn-1s0)xn-2 + (s2+cn-1s1+cn-2s0)xn-3+… + (sn-1+cn-1sn-2+…+c1s0) = 1 • G(x) = x2/(x3+x2+1) = x2+x4+x5+x6 + x9+x11+x12+x13 + x16+…

G(x) – When (st) is Periodic • Let (st) be periodic of period ε • Generating function G(x) = (s0+s1x+…+sε-1xε-1) (1 + xε + x2ε + x 3ε+…) = (s0+s1x+s2x2+… +sε-1xε-1) /(1-xε) = σ*(x)/(1-xε) • Combining with first fundamental identity gives G(x) = σ*(x)/(1-xε) = φ*(x)/f*(x) • Second Fundamental Identity (xε-1) φ(x) =σ(x) f(x) where - (st) periodic of period ε - φ(x) =s0xn-1+(s1+cn-1s0)xn-2+…+ (sn-1+cn-1sn-2+…+c1s0) - σ(x) =s0xε-1+s1xε-2+…+ sε-1 - f(x) =xn+cn-1xn-1+…+c0

Example – Second Fundamental Identity • (0010111) is generated by f(x) = x3 + x + 1 • Generating function - σ(x) = 1+x+x2+x4 - φ(x) = 1 - ε=7 • Second Fundamental Identity (xε-1) φ(x) =σ(x) f(x) (x7+1)·1 = (1+x+x2+x4)(x3+x+1)

Period of f(x) Definition The period of the polynomial f(x) is the smallest integer e such that f(x) divides xe-1 Theorem Let (st) be a sequence in Ω(f) then (i) per(st) divides e=per(f) (ii) There is at least one (ut) in Ω(f) with period e=per(f)

Period of f(x) and Sequences in Ω(f) Proof:(i)Note that f(x) F(x) = xe-1 for some F(x). The first fundamental identity gives G(x) = φ*(x)/f*(x) = φ*(x)F*(x)/f*(x)F*(x) = φ*(x)F*(x)/(1-xe) which implies (st) inΩ(f) repeats with period e (i.e., ε≤ e) (ii) From the second fundamental identity (xε-1) φ(x) =σ(x) f(x) Select φ(x) =1 then f(x) | xε-1 Hence, ε ≥ e and a sequence in Ω(f) with φ(x) =1 has period e

Cycle structure of Ω(f) - f(x) irreducible Theorem Let (st) be a nonzero sequence in Ω(f) where f(x) is irreducible. Then per(st) = per(f) = e Proof: Note that (xε-1) φ(x) =σ(x) f(x) and f(x) is irreducible Then, since gcd(φ(x),f(x))=1, then f(x) | xε-1 and therefore ε ≥e Hence,from the previous theorem ε =e

000001001 000011011 000101101 001010011 000111111 001110111 010101111 x6=x3+1 x7=x4+x x8=x5+x2 x9=x6+x3 = 1 per(f)=9 Example – f(x)=x6+x3+1

Classical Method • Linear recursion st+n + cn-1st+n-1 + …+c1st+1 + c0st = 0 (c0 ≠ 0) • Characteristic polynomial xn +cn-1xn-1+…+ c1x + c0 = 0 • If all zeros of f(x) are simple, then st = Σ ai αit where αi, i=1,2, … are the zeros of f(x)

Example Recursion: st+3 = st+1+ st Characteristic polynomial: f(x) = x3 + x +1 Let α3 = α+1, then 1 αα2 1 1 0 0 α0 1 0 α20 0 1 α31 1 0 α40 1 1 α51 1 1 α61 0 1 • Zeros of f(x) are α, α2, α4 • Then st = αt + α2t + α4t (st) = (1001011)

f(x) = x4+x3+x2+1 Ω(f) = {(0), (0010111), (1101000), (1)} Example - Cycle structure of divisors g(x) = x3+x+1 Ω(g) = { (0), (0010111)}

Some properties • Ω(f) + Ω(g) = Ω(lcm{f,g}) • Ω(f) ∩ Ω(g) = Ω(gcd{f,g})

Determining cycle structure of Ω(f) • Let f(x) = Πi fi(x)ki , fi(x) irreducible • To determine cycle structure of Ω(f) then 1. Determine the cycle structure of Ω(fi(x)ki) from the cycle structure (period) of fi(x) 2. Determine the cycle structure of Ω(gh) given the cycle structure of Ω(f) and Ω(f)

Cycle structure of Ω(fk) – f irreducible Theorem Let f(x) be irreducible of degree n and period e Determine κ such that 2κ < k ≤ 2κ+1 Then Ω(f) contains the following number of sequences with the following periods k : 1 2 4 … k #Seq(Ω(fk)\Ω(fk-1)) : 1 2n-1 22n-2n 24n-22n … 2kn-22κn Period : 1 e 2e 4e … 2κ+1e

Examples (I) Example 1 • f(x)=x2+x+1, n=2, e=3 #Sequences 1 3 Period 1 3 #Cycles 1 1 • Ω(f)={(0),(011)} Example 2 • f(x) = (x2+x+1)2, n=2, e=3 #Sequences 1 3 12 Period 1 3 6 #Cycles 1 1 2 • Ω(f)={(0),(011),(000101),(001111)}

Examples (II) Example 3 • f(x) = (x+1)k, n=1, e=1 k 2 3 4 5 6 7 8 9 #New Sequences 2 4 8 16 32 64 128 256 Period 2 4 4 8 8 8 8 16 #Cycles 1 1 2 2 4 8 16 16

Structure of Ω(gh) – gcd(g,h)=1 Theorem Let gcd(g,h)=1 i.e., Ω(gh) = Ω(g) Ω(h). Then any sequence in Ω(gh) can be uniquely written as a sum of a sequence in Ω(g) and one in Ω(h) Proof: Since gcd(g,h) = 1 then Ω(g) + Ω(h) = Ω(gh). and the result follows since |Ω(g)| |Ω(h)| = |Ω(gh)|.

Period of sequences Ω(gh)– gcd(g,h)=1 Theorem Let gcd(g,h)=1. Let (ut)  Ω(f) and (vt)  Ω(g). Then per((ut)+(vt)) = lcm{per(ut), per(vt)} Proof: Let τ be smallest integer such that (ut+ τ) + (vt+ τ) = (ut) + (vt) Hence, (ut+ τ) + (ut) = (vt+ τ) + (vt)  Ω(f) ∩ Ω(g) = {(0)} Therefore, per(ut) | τ and per(vt) | τ which implies τ = lcm(per(ut), per(vt))

Cycle structure of Ω(gh) – gcd(g,h)=1 • Let gcd(g,h)=1 then Ω(gh) = Ω(g) Ω(h) • Let Ω(g) contain d1 cycles of length λ1, [d1(λ1)] • LetΩ(h) contain d2 cycles of length λ2 , [d2(λ2)] • Combine by adding the corresponding sequences #Sequences : d1λ1d2λ2 Period : lcm{λ1 , λ2} #Cycles : d1d2(λ1, λ2) Formally (cycle structure found combining all cycles and formulae) [d1(λ1)] [d2(λ2)] = [d(λ)] where d = d1d2(λ1, λ2) λ = lcm{λ1 , λ2}

Exercises Exercise 1 • Let f(x)=(x2+x+1)(x+1)2 • Determine the cycle structure of Ω(f) Exercise 2 • Let f(x)=(x+1)2(x3+x+1)(x4+x3+x2+x+1) • Determine the cycle structure of Ω(f)

Solution: Exercise 1 Let f(x) = (x2+x+1)(x+1)2 • g(x) = x2+x+1, Ω(g) : [1(1)+1(3)] • h(x) = (x+1)2 , Ω(h) : [2(1)+1(2)] The cycle structure of Ω(f) is [2(1)+1(2)+2(3)+1(6)] In fact, Ω(f) contains the cycles (000111), (001), (011), (01), (1), (0)

Solution: Exercise 2 Let f(x) =x15+x14+x13+x9+x3+1 = (x+1)2(x3+x+1)3(x4+x3+x2+x+1)=f1(x)2 f2(x)2 f3(x) where • f1(x) = x+1 Ω(f1) : [2(1)] • f2(x) = x3+x+1 Ω(f2) : [1(1)+1(7)] • f3(x) = x4+x3+x2+x+1 Ω(f3) : [1(1)+3(5)] The cycle structure is • Ω(f12) : [2(1)+1(2)] • Ω(f23) : [1(1)+1(7)+4(14)+16(28)] • Ω(f3) : [1(1)+3(5)] Combining gives cycle structure of Ω(f) [2(1)+1(2)+2(7)+17(14)+64(28)+6(5)+3(10)+6(35)+51(70)+192(40)]

Maximal Sequences • The maximal period of a sequence generated by a polynomial f(x) of degree n is at most 2n-1 • f(x) is said to be primitive if f(x) is irreducible of degree n and period 2n-1 Then f(x) generates a maximal sequence of period 2n-1 • Some primitive polynomials and m-sequences - f(x) = x3+x+1 (0010111) - f(x) = x4+x+1 (000100110101111) - f(x) = x5+x2+1 (0000100101100111110001101110101)

Correlation of Sequences • Let (at) and (bt) be binary sequences of period  • The crosscorrelation between (at) and (bt) at shift  is a,b() =  (-1) • The autocorrelation of (at) at shift  is a,a() =  (-1) -1 at+ - bt t=0 at+ - at -1 t=0

Two-level autocorrelation of m-sequences • Let (st) be an m-sequence of period =2n-1 • Then the autocorrelation of the m-sequence is s,s() =2n-1 if =0 (mod2n-1) =-1 if 0 (mod2n-1) Proof: Let 0 (mod pn-1). Then s,s() = t (-1) = t (-1) = -1 (since m-sequence is balanced) st+-st st+

= Berlekamp-Massey algorithm • Can determine the minimum polynomial f(x)=xn+cn-1xn-1+... +c0 of a sequence (st) from 2n successive bits s0, s1, …,s2n-1 s0, s1, …,sn-1 s1, s2, …,sn …………….. sn-1, sn, …,s2n-2 sn sn+1 … s2n-1 c0 c1 … cn-1 • Matrix has rank n if minimum polynomial has rank n • There exists a very efficient algorithm due to Berlekamp and Massey to calculate c0,c1, …, cn-1 in O(n2) operations

Nonlinear Shiftregisters • Increases linear complexity of keystream • Difficult to predict the period • No general theory exists • Often one combines linear shiftregisters and nonlinear shiftregisters to control period and complexity

Golomb’s Randomness Postulates • Run = Consecutive 0’s or 1’s • Block =Runs of 1’s • Gap = Runs of 0’s • R1. The number of zeros and number of ones differ by at most one during a period of the sequence. • R2. Half of the runs in a full cycle have length 1, one 1/4 of all runs have length 2, 1/8 have length 3 etc, as long as the number of runs exceed one. Moreover, for each of these length there are equally many gaps and blocks. • R3. The out of phase autocorrelation of the sequence always has the same value • Note: m-sequences obey and are the model for these postulates

S0 S1 S2 . Nonlinear Shift Registers • A nonlinear recursion can be described using its truth table s0 s1 s2f(s0 s1 s2) 0 0 0 0 0 0 1 0 0 1 0 0 0 1 1 1 1 0 0 1 1 0 1 1 1 1 0 1 1 1 1 0 f = s0+s1s2

s0 s1 s2f(s0 s1 s2) 0 0 0 1 0 0 1 1 0 1 0 0 0 1 1 1 1 0 0 0 1 0 1 0 1 1 0 1 1 1 1 0 How to find f(s0,s1,s2) from a given truth table? f(s0 ,s1,s2)=(1+s0)(1+s1)(1+s2) + (1+s0)(1+s1)s2 + (1+s0)s1s2 + s0s1(1+s2) = 1+ s0+s1+s1s2 Nonlinear Functions # Boolean functions in n-variable 22n # Boolean linear functions in n-variable 2n

x1 … xn-1xn ... 0 … 0 0 0 … 0 1 ……….. 1 … 1 1 y0 y1 … y2n-1 Table look up (Multiplexing) Can construct complex cryptographic transformations by table look-up (n=3) F = y0 (x1+1)(x2+1)(x3+1)+ y1(x1+1)(x2+1)x3+…+ y7x1x2x3

Example - deBruijn Sequence • Let f(s0,s1,s2)=1+s0+s1+s1s2 110 111 101 010 011 100 001 000 This gives a maximal sequence of length 2n and is called a deBruijn sequences #deBruijn sequences of period 2n are 22n-1-n

Example – Singular f • Let f(s0,s1,s2)=1+s0+s1+s0s1+s0s2+s1s2 001 101 010 000 111 100 110 011 Contains “branch point” and such an f is called singular f is nonsingular if and only if f = s0+g(s1,…,sn-1)

(ut)=(1110100)  S2 S1 S0 (vt)=( 011) S1 S0 Multiplication of sequences (wt)=(011010011001001010000) • Product sequence has - Period 21=3x7 - Linear complexity 6 • Increases the linear complexity in an easy way (need to be balanced)

Period of (utvt) Theorem Let gcd(per(ut), per(vt))=1 then per(utvt) = per(ut)·per(vt) Proof: If per(utvt) ≠ per(ut)·per(vt) then per(utvt) = k·per(ut) where k | per(vt). Decimate (utvt) by e=per(ut) gives (u0v0), (u0ve), (u0v2e), … of period k< per(vt). Since, gcd(e, per(vt))=1 this is a contradiction.

Sequences Linear Shift Registers and Stream Ciphers

Sequences Linear Shift Registers and Stream Ciphers

Presentation Transcript

Behavioral Design Style: Registers, Counters, Shift Registers

Block vs Stream Ciphers

Stream Ciphers

Stream Ciphers

Stream Ciphers

Linear Sequences

Stream ciphers 2

Shift Registers and Shift Register Counters

Stream Ciphers

Stream Ciphers: WG and LEX.

Linear Feedback Shift Registers (LFSR)

Stream Ciphers

Stream Ciphers

Stream and Block Ciphers

8.5 Shift Registers

Linear feedback shift registers, Galois fields, and stream ciphers

Stream Ciphers and Block Ciphers

Stream Ciphers

Stream Ciphers

Shift Registers

Shift Registers

Linear sequences