its weaknesses. The ASG consists of three subgenerators K,fl,

Transcription

1 ALTERNATING STEP GENERATORS CONTROLLED BY DE BRUIJN SEQUENCES C.G. Giinther Brown Boveri Research Center 5405 Baden, Switzerland ABSTRACT The alternating step generator (ASG) is a new generator of pseudo- random sequences which is closely related to the stop-and-go generator. It shares all the good properties of this latter generator without POsessing its weanesses. The ASG consists of three subgenerators K,fl, and ;"i - The main characteristic of its structure is that the output of one of the subgenerators, K, controls the cloc of the two others, fl and. In the present contribution, we determine the period, the distribution of short patterns and a lower bound for the linear complexity of the sequences generated by an ASG. The proof of the lower bound is greatly simplified by assuming that K generates a de Bruijn sequence. Under this and other not very restrictive assumptions the period and the linear complexity are found to be proportional to the period of the de Bruijn sequence. Furthermore the frequency of all short patterns as well as the autocorrelations turn out to be ideal. This means that the sequences generated by the ASG are provably secure against the standard attacs. 1. INTRODUCTION In stream cipher cryptography messages are usualy combined with pseudorandom sequences by modular addition. Therefore, schemes for the generation of such sequences are important. They are generally based on finite state machines and most frequently on linear feedbac shift registers (LFSR's). To avoid certain classes of attacs, these se- quences are required to have a large period, a high linear complexity and good statistical properties. D. Chaum and W.L. Price (Eds.): Advances in Cryptology - EUROCRYPT '87, LNCS 304, pp. 5-14, Springer-Verlag Berlin Heidelberg 1988

2 6 In one approach to the generation of these sequences, the cloc of an LFSR is controlled by the output of another LFSR. Examples of generators based on this principle are various inds of stop-and-go generators [1]-[5] and binary rate multipliers [6]. Both types of generators easily produce sequences of large period and high linear complexity (exponential in the length of the register which controls the cloc). The binary rate multipliers furthermore generate sequences with good statistical properties. One disadvantage of these generators is, however, that they need several cloc cycles for the generation of one single pseudorandom bit. Amongst the various inds of stop-and-go generators we consider the following one:, Fig. 1 In this generator the output of fl is repeated each time the K register produces a "0". On the one side, this leads, under suitable conditions, to a large period and a high linear complexity, on the other side, this always implies bad statistics (eg. p(00) 3 2 p(1l) B z, p(o1) = 1 p(10) 8). Furthermore, the fact that the output ut can only change if K~ = 1, determines one half of all the lllllis present in the sequence K. This can strongly reduce the effort needed to reconstruct K. Similar weanesses exist in all nown stop-and-go gecerators.

3 7 11. THE ALTERNATING STEP GENERATOR The alternating step generator (ASG) is closely related to the stop-and-go generator. Noteworthy is that it has all the good proper- ties of the latter generator but does not share its weanesses. The ASG consists of three subgeneratorsk,fl and 3, which are interconnected such that fl and # are cloced when the output of K equals "1" and "0". respectively (Fig. 2). Mathematically, this generator can be described as follows: let K, and they are independently cloced. In addition, let ft: = P t be the sequences generated by the subgenerators K, fl and 3, when = t-ft, then the output ut is described by t-1 1 s=o K~ and p W t = ft In practice the sequences K, 1.1 amd will typically be either maximum length linear recurring sequences (m-sequences) or linear recurring sequences. In the present paper, however, K will be assumed to be a de Bruijn sequence [7]. Such a sequence can easily be obtained from an in-sequence. In the case of a de Bruijn sequence, the proof for a lower bound on the linear complexity becomes particularly simple. A treatment of the case in which K, p and are all linear recurring sequences as well as some clues on the cascading of the structure can be found in [a]. The only attac on the ASG we could find so far is a correlation attac on K [9]. In the present case, however, it does not substan-

4 tially reduce the effort to brea the system. In this correlation attac (Fig. 3) a trial sequence 2 is correlated with K using the relation cloc w delay t > m,~ J A S G - t Vt Fortunately, this attac only reduces the effort to brea the system to essentially the third root of the effort needed for an exhaustive search. For typical parameters K = T(K) * Zlz7 it would need 10 years to search through all phases if 10 phases could be tested per second. In the following section the results on the period, linear complexity and frequencies of short patterns are presented.

5 9 111 THE MAIN RESULTS Theorem 1: (period and linear complexity) Assn: a) K is a de Bruijn sequence of period K = 2, b) the characteristic polynomials p(x) and G(x) of p and c are irreducible and different and have the degrees m and iii and the periods M and w, respectively, c) M, 5 > 1 ; gcd(m,fi) = 1. Under these assumptions the period T and the linear complexity L of w satisfy the following relations: T = 2% (3) Proof: Using that p(x) and G(x) are relatively prime, the proof follows immediatly ( [ [ 111 ) from i) s:=t(~~) = 2% ii) the characteristic polynomial of pf has the form p(x)i with Z-l ( 2 5 2, and corresponding assertions for ci. The proof of i) only requires 2#M, which is implied by the irreducibility of p(x) [lo]. It reads as follows: The defining equation of S, i.e. - pft, Y t E 2, implies ft+s = ft (mod M), V t E Z. With M > 1 %+S the difference of this equation and of the corresponding equation for t+l, i-e. K ~ f + K~ ~ (mod M), becomes K ~ = + K ~ 1.e., S = ~ 2 As ~ a. de Bruijn sequence is "1" with frequency one half, this implies f + y2-1 5 ft (mod M) and as 2+M: y = M, 1.e. S = 2%. ' t The proof of ii) is very similar to that of the lower bound for the linear complexity of a de Bruijn sequence [12]. Let D be the time rn shift operator i D K = ~ K ~ and - ~ let p(x) ni x, then i=o

6 10 m P(D2 )I.I ni p ft i=o ft-i2 m = $ A - 1 i=o i "ft-i2 where = o, - - and 5 were defined by % = ft and Dpz = p"t1. This equation implies that the characteristic polynomial of pft must divide p(xz ) = p ( ~ ) 1.e. ~ ~ it, must have the form p(x)', with Now assume 2 - < 2-1, then p(xf I (xm-l)a I (xm-l) 2-l = M x ' 2 - ' -1 I which contradicts S = 2%. This completes the proof. 0 The results of theorem 1 are easily adapted to the case that no assumptions are made on p(x) and p(x): T = 2% Z+l < L 5 (rn+iii)2. The proof is based on the fact that gcd(m,i) = 1 implies gcd(p(x),p(x)) I x-1 and can easily be figured out. The following theorem on the frequency of patterns holds for almost arbitrary K. However, we will restrict ourselves to the case where K 1s a de Bruijn sequence, since we would otherwise need a more general assertion on the period. For a more general statement we refer to [81. In this theorem we use the notation Z/(T):= {O,l,-..,T-1~-

7 11 Theorem 2: (frequency of short patterns) & s s ~ ~ : a) K is a de Bruijn sequence of period K = 2, b) p and are m-sequences with the periods M = 2m-l and fi = 2m-l, respectively, c) gcd (M,M) = 1. Under these assumptions the frequency of any pattern a of length i 5 min (m,m) is 2-' up to an error of order O(-&) 1 + O(-), 2m-% i.e. a for any a = (a 0 I..., 'se-l) I0,lI. (9) Remar : We note that the deviation of this distribution from an ideal one is very similar to the corresponding deviation for an m-sequence. In addition, this deviation is due to the corresponding deviation for m-sequences. Proof of theorem 2: Let t E Z/(T) be represented in the form t = 1: + (s+em)2, r E 2/(2 ), s B Z/(M), s E Z/(fi) and let us first consider the frequency of patterns for a fixed r E Z/(2 ). Let p = p(r) and p = p(r) be defined by - p o : = O, po:=ao, for i E Z/(.Q-l)- Then a can be decomposed into (i E Z/(i)) - ai = pi.

8 12 For the matching condition at time t W t+i = ui, i E Z/(A), this implies i;- = pi, i E z/(a). ft+i ft+i Using the following relations i E Z/(A-1), the sum of equation (13) and of the corresponding equation for i+l becomes: (i E Z/(g-l)) This has two solutions: (i E - 1-I - Pi ft+i Z/(a)) - - IJ- - Pi ft+i and The number of solutions to this equation is equal to the number Of occurences of the pattern u in the sequence ~ ~+(~+;~)~, s E Z/(M), 5 E Z/(&), 1.e. to the quantity we want to determine.

9 13 Without restricting ourselves we consider the solutions of equation (16a). Maing use of the fact that K has the period K = 2 K-1 2-l and that.i K~ =, this equation becomes: (i E Z/(Q)) s =o 'fr+i + s2-1 = i ' (17) IJ- + (S+ZM)24 = p. 1 * fr+i Let 4r: = fr+e-l - fr, then the assumptions 2jM and 1.1 an m-sequence imply that equation (17) has Zm-@r-l solutions if p # 0. Let Jr = i-l-~$~, #en similarly 2#& - gcd (M,fi) = 1 and an m-sequence imply that equation (,18) has 2m-@r-1 solutions if p' f 0. This remains true 1 for p = 0 and/or p' = 0 if we accept an error of at most 0 ( ~ + ) 1 O ( p ). Clearly the same result also holds for equation (16b). Hence the total number of solutions to equation (12) is 2*2m''r-1 2K-'r'1 = 2m+iii-a, which is independent of r. This finally implies that the frequency of the pattern a is given by 2m+m-Q + O(- 1 6 and thereby yields the assertion. c] IV. CONCLUDING REMARKS Under suitable assumptions the alternating step generator (ASG) is a simple and very efficient pseudorandom number generator. It 1s fast and provably satisfies the usual criteria. The autocorrelations, which were not dealt with in the present paper, are also ideal for a large range of delays ( E Z/(K)). [S] The structure of the ASG is favorable to cascading, i.e. to have one or several of the subgenerators K, 17 and being ASG's themselves. This is further discussed in [8].

10 14 SELECTED REFEFENCES S.A. Tretter, "Properties of PN2 sequences", IEEE Trans. Inform. Theory, vol. IT-20, pp , March K. Kjeldsen and E. Andresen, IISome randomness properties of cascaded sequences", IEEE Trans. Inform. Theory, vol. IT-26, pp , March T. Beth and F. Piper, "The stop-and-go-generator", in Proc. of EUROCRYPT 84, Springer Lect. Notes in Comp. Science, vol. 209, pp R. Vogel, "On the linear complexity of cascaded sequences", in Proc. of EUROCRYPT 84, Springer Lect. Notes in Comp. Science, vol. 209, pp D. Gollman, "Pseudo random properties of cascade connections Of cloc controlled shift registers", in Proc. of EUROCRYPT 84, Springer Lect. Notes in Comp. Science, vol. 209, pp W.G. Chambers and S.M. Jennings, "Linear equivalence of certain BRM shiftregister sequences", Electronics Letters, vol. 20, pp , Nov N.G. de Bruijn, "A combinatorial problem", Proc. K. Ned. Aad. Wet., vol. 49, pp , C.G. Gunther, "Alternating step generators", submitted to IEEE Trans. on Inform. Theory. T. Siegenthaler, "Correlation-immunity of non-linear combining functions for cryptographic applications", IEEE Trans. on Inform. Theory, vol. IT-30, pp , Sept N. Zierler, "Linear recurring sequencess1, J. SOC. Indust. Appl. Math., VOl. 7, pp , March E.S. Selmer, Linear Recurrence Relations Over Finite Fields, Department of Mathematics, University of Bergen, Norway A.H. Chan, R.A. Games and E.L. Key, "On the complexities of de Bruijn sequences", J. of Comb. Theory, Series A, vol. 33, pp , 1982.