TECHNISCHE UNIVERSITÄT DRESDEN. Diploma Thesis


TECHNISCHE UNIVERSITÄT DRESDEN
Faculty of Electrical Engineering and Information Technology
Institute of Communications Engineering
Chair of Theoretical Communications Engineering

Diploma Thesis

Topic: Analysis and Synthesis of Pseudorandom Generators for Stream Ciphers

submitted by: Martin Mittelbach
born on: 14 January 1978 in: Leinefelde
for the attainment of the academic degree Diplomingenieur (Dipl.-Ing.)

Supervisor: Dr.-Ing. H. Wehl
Responsible professor: Prof. Dr.-Ing. habil. A. Finger
Date of submission: 4 April 2003

To my parents

Declaration of Authorship

I hereby declare that the present diploma thesis on the topic "Analysis and Synthesis of Pseudorandom Generators for Stream Ciphers" was written by me independently. No aids subject to declaration other than the cited sources have been used. Quotations used in this thesis are marked as such.

Dresden, 3 April 2003
Martin Mittelbach

Task Description (Aufgabenstellung)

Contents

1 Introduction
  1.1 Motivation
  1.2 Background and Classification
  1.3 Objective of Thesis and Outline
2 Stream Ciphers and Feedback Shift Registers
  2.1 Introduction
    2.1.1 Block and Stream Ciphers
    2.1.2 The One-Time-Pad
    2.1.3 Synchronous Stream Ciphers
    2.1.4 Self-synchronous Stream Ciphers
  2.2 Pseudorandom Sequences for Stream Ciphering
  2.3 Feedback Shift Registers
    2.3.1 Linear Feedback Shift Registers
      2.3.1.1 Register Architecture
      2.3.1.2 Analysis of LFSRs
    2.3.2 Feedback Carry Shift Registers
      2.3.2.1 Mathematical Foundations
      2.3.2.2 Register Architecture
      2.3.2.3 Analysis and Synthesis of FCSRs
      2.3.2.4 Properties of l-sequences
  2.4 Complexity Measures
    2.4.1 Linear Complexity
    2.4.2 2-adic Complexity
  2.5 Keystream Generators Based on LFSRs
    2.5.1 Classification
    2.5.2 The Geffe-Generator
3 Keystream Generators Based on FCSRs
  3.1 Simulation
  3.2 Some more Properties of l-sequences
    3.2.1 Linear Complexity
    3.2.2 Autocorrelation Function
  3.3 The l_p-Geffe-Generator
    3.3.1 Period
    3.3.2 Bit Pattern Distribution
    3.3.3 Linear Complexity
    3.3.4 Autocorrelation Function
  3.4 The 2-adic-Geffe-Generator and FCSRs with Composed Connection Integer
    3.4.1 Period
    3.4.2 Bit Pattern Distribution
    3.4.3 Linear Complexity
    3.4.4 Autocorrelation Function
4 Summary
Glossary
Literature References
List of Figures
List of Tables
Appendixes
  A 1. List of 2-Primes
  A 2. The Berlekamp-Massey Algorithm
  A 3. The Rational Approximation Algorithm
  A 4. Linear Complexity of FCSR Sequences with 2-Prime Connection Integer (q < 10000)
  A 5. List of 2-Prime Connection Integers for l_p-Geffe-Generators Producing Sequences with Complementary Period Halves (q ≤ 509)

1 Introduction

1.1 Motivation

Historically, cryptography has been a privilege reserved for governments and the military, which are concerned with protecting their own secrets and information relevant to national security and public safety. As the world moved into an information society, securely protecting data has become important in the private sector as well. Today, more and more data is stored and transmitted electronically, and the privacy of individual people as well as of organizations relies heavily on the possibility of secure communication. Therefore, securing and authenticating data has become an important aspect of modern computer and communication systems. A number of developments have created the need for cryptographic technologies and systems for private and commercial use:

- Some industries, in particular financial services, operate funds transfers to a large and increasing extent in electronic form.
- The development of the world economy has led to an increasing number of internationally operating companies, which electronically exchange and transfer sensitive information such as confidential documents containing, e.g., intellectual property.
- The fast development of the internet and the broadening use of computers and computer networks initiate an increased computerization of economic life and a widespread use of electronic services such as electronic banking, e-commerce, or music and video on demand services.
- Wireless communication systems, such as cellular telephones, which are highly vulnerable to unauthorized intercepts, have become increasingly important in recent times.

All these examples show that cryptography has become a part of nearly everyone's life and indicate the need for advanced and fast cryptographic systems enabling secure high-speed communications.

1.2 Background and Classification

Cryptographic systems allow information to be sent in a secure form so that only the intended recipient is able to recover this information (footnote 1). All modern cryptosystems make use of a key pair in such a way that the security lies completely in the keys, meaning that all details of the employed algorithm or hardware may be publicly available. At the sending site the plaintext message is transformed (encrypted) into a ciphertext message under control of the encryption key and is then transmitted over a public, unsecured channel. At the receiver, the encryption process is reversed, i.e. the ciphertext is turned back (decrypted) into the original plaintext. This decryption process is controlled by the secret decryption key. There are two general types of key-based algorithms: public-key and symmetric-key algorithms.

Footnote 1: Most of the facts presented in this section are of a very general and introductory nature and can be found in every book about cryptography, so that the respective literature references are omitted.

Public-key algorithms are asymmetric, meaning that the key used for encryption is different from the key used for decryption. Furthermore, the decryption key cannot be determined from the encryption key, so that the recipient can make his encryption key public to all who intend to securely send him a message (giving the algorithms their name). The most commonly used system of this type is the RSA cryptosystem (footnote 2) [RIV78]. Since public-key algorithms are computationally intensive, encryption and decryption are slow. This is not significant for short messages, but certainly is for large amounts of data such as video or audio.

Symmetric-key algorithms are algorithms where the same key is used for both encryption and decryption, hence their name. Sender and receiver need to agree on an identical key that must remain secret as long as their communication needs to remain secret. The key itself must be transmitted to the recipient in a secure way, which is mostly accomplished with a public-key algorithm. This type of cryptosystem is very important in modern cryptography because, in general, symmetric-key cryptosystems are much faster than public-key systems. They are commonly classified into block and stream ciphers. Block ciphers group the plaintext into fixed-size blocks and encrypt each block independently. Widely used block ciphers are the DES (footnote 3) [DES99] and the AES (footnote 4) [AES01]. In contrast, stream ciphers subdivide the plaintext into smaller entities, called characters (usually bits), and operate on each character under a time-varying function. Stream ciphers are generally faster to execute in hardware than block ciphers. They are more suitable or even obligatory in situations where buffering is limited or when characters must be processed immediately as they are received (e.g. telecommunications applications or pay television). Moreover, when transmission errors are highly probable, stream ciphers may also be advantageous because they have limited or no error propagation. There is much theoretical knowledge on stream ciphers allowing systematic design procedures, whereas there is only very little theory on block ciphers. Furthermore, well-designed stream ciphers can destroy statistical properties of the plaintext while block ciphers may not. Because of these significant advantages stream ciphers are very important and widely used today, particularly in high-speed and real-time applications.

The central design problem for stream ciphers is the development of devices which can efficiently generate pseudorandom sequences. Most pseudorandom generators are based on feedback shift registers (FSRs) because they are well suited to hardware implementations. Especially linear feedback shift registers (LFSRs) have widely been used as building blocks for fast pseudorandom generators. Many modern stream ciphers are designed by combining several LFSRs in various nonlinear ways to obtain highly complex sequences. As an alternative to this feedforward structure, a great amount of effort has been spent on studying nonlinear feedback architectures, but with only very little success. A new analyzable feedback architecture, called feedback with carry shift registers (FCSRs), was introduced by Klapper and Goresky [KLA97]. An FCSR is a feedback shift register together with a small amount of extra memory. The algebraic structure of the 2-adic numbers [KOB77] is the mathematical tool with which sequences generated by FCSRs can be analyzed, in the same way as the algebra over finite fields can be used to analyze LFSR sequences. The investigation of FCSRs and FCSR-based sequence generators is the main objective of this thesis.

Footnote 2: named after its inventors Rivest, Shamir, and Adleman
Footnote 3: Data Encryption Standard
Footnote 4: Advanced Encryption Standard

1.3 Objective of Thesis and Outline

The objective of this thesis is the analysis of pseudorandom sequence generators that are based on feedback shift registers. Starting from the linear feedback architecture, the thesis mainly focuses on feedback with carry shift register-based pseudorandom generators and particularly on nonlinear combinations of these basic registers. The cryptographic strength of the considered generators and the randomness quality of the generated sequences are empirically, numerically, and analytically evaluated in terms of pattern distribution and autocorrelation properties as well as of certain complexity measures such as the linear complexity. In agreement with the supervisor, the investigation of parallel structures for bus-system applications, as postulated in the thesis task, is left out to allow a deeper study of the previously mentioned aspects. In the remainder of the thesis only the case of binary sequences will be considered.

The thesis is organized as follows: In chapter 2 the theory and basic concepts relevant to the thesis are introduced. The first section (2.1) describes stream ciphers as symmetric-key systems in comparison to block ciphers (2.1.1), introduces the notion of pseudorandom generators (2.1.2), and explains synchronous (2.1.3) and self-synchronous (2.1.4) stream ciphers as common subclasses. The next section (2.2) presents randomness criteria of cryptographically useful pseudorandom sequences such as Golomb's randomness postulates. LFSRs and FCSRs are studied in section 2.3. In subsection 2.3.1 a brief review of the main properties of LFSRs is provided. The LFSR architecture is described in 2.3.1.1 and the underlying theory is summarized in 2.3.1.2. Subsequently, FCSRs are introduced similarly to LFSRs but in much more detail: mathematical foundations (2.3.2.1), register architecture (2.3.2.2) and analysis (2.3.2.3), and maximal-period FCSR sequences (2.3.2.4) are discussed. Section 2.4 introduces complexity measures based on the linear feedback and the feedback carry register type, namely the linear complexity (2.4.1) and the 2-adic complexity (2.4.2). In the last section (2.5), it is described how LFSRs are used as building blocks in nonlinear pseudorandom sequence generators (2.5.1), with the purpose of providing a basis for the construction and analysis of FCSR-based generators. The Geffe-generator is examined in more detail as a special type of nonlinear generator (2.5.2).

In chapter 3 FCSR-based pseudorandom sequence generators are analyzed. At first (3.1), technical aspects concerning the generation and analysis of simulation data are discussed. Second (3.2), some more characteristics of maximal-period FCSR sequences regarding linear complexity and autocorrelation properties are presented. The nonlinear combination of FCSRs using the Geffe-function is examined in section 3.3 with respect to period (3.3.1), bit pattern distribution (3.3.2), linear complexity (3.3.3), and autocorrelation properties (3.3.4) of the generated sequences. A further modification of this structure that employs 2-adic arithmetic instead of Boolean operations to combine the outputs of FCSRs is investigated in section 3.4. The resulting generator is equivalent to a more general FCSR and is studied likewise regarding period (3.4.1), bit pattern distribution (3.4.2), linear complexity (3.4.3), and autocorrelation properties (3.4.4) of the output sequences. The last chapter (4) summarizes the main results of the thesis and discusses questions that still remain open.

I would like to thank Prof. Finger for his confidence, his great support and help whenever I asked for it, and all of his valuable comments and suggestions. I am grateful to DI Schönfeld and Dr. Wehl for their technical support. Especially and emphatically, I would like to thank my girlfriend Anja, my family, and my friends for their important personal support.

2 Stream Ciphers and Feedback Shift Registers

As already stated, stream ciphers are an important class of symmetric-key encryption algorithms. They are employed when large amounts of data need to be encrypted very quickly. Since many applications require secure ultra-high-speed data communications, stream ciphers are widely used today. Most modern stream ciphers are based on linear feedback shift registers (LFSRs) because they provide an economical, fast, and efficient method for generating pseudorandom sequences. During the last few years, feedback carry shift registers (FCSRs) have been investigated as an alternative method for the efficient generation of long pseudorandom binary sequences. The analysis of FCSR-based sequence generators is the main objective of this thesis.

This chapter introduces the theory and basic concepts relevant to the thesis. It is organized as follows: The first section (2.1) explains what stream ciphers are, describes common subclasses of stream ciphers, and introduces the notion of pseudorandom generators. The next section (2.2) discusses randomness criteria of cryptographically useful pseudorandom sequences. LFSRs and FCSRs are studied in section 2.3 as a certain kind of pseudorandom generator. Complexity measures based on these two register types, namely the linear complexity and the 2-adic complexity, are discussed in section 2.4. In the last section (2.5), keystream generators employing nonlinear extensions of LFSRs are introduced to serve as a starting point for the construction of FCSR-based keystream generators. The Geffe-generator is examined in more detail as a special type of nonlinear generator (2.5.2).

2.1 Introduction

2.1.1 Block and Stream Ciphers

The two major categories of symmetric-key systems are block and stream ciphers [RUE86]. The essential distinction between block and stream ciphers is the memory. A block cipher breaks the plaintext into fixed-size blocks, and under control of a key each block is encrypted independently. The same transformation is used to process consecutive blocks; thus block ciphers are memoryless. Since block ciphers encrypt identical plaintext blocks into identical ciphertext blocks, they are simple substitution ciphers. Therefore they must have large alphabets, i.e. large block sizes, to provide security. Stream ciphers operate on small blocks or characters (usually bits), and the encryption function depends not only on the secret key but also on the current state of the system. Therefore, stream ciphers are devices with internal memory. The state is changed after the encryption of each character according to some state-change function. Consequently, two identical plaintext characters are usually transformed into different ciphertext characters. The sequence which controls the encryption is called the keystream or running key. The deterministic automaton which produces the keystream from the current key and the internal state is called the keystream generator. The given classification into block and stream ciphers is not absolute, since adding memory to a block cipher results in a stream cipher with large characters.

2.1.2 The One-Time-Pad

Theoretically, a truly random keystream having the same length as the message and that is used only once for encryption provides perfect security [RUE86]. This keystream, consisting of independently and randomly generated characters, is called a one-time-pad. Perfect security means that ciphertext and plaintext are statistically decoupled, i.e. the ciphertext does not transfer any information about the plaintext regardless of the statistical distribution of the plaintext. The obvious drawbacks of the one-time-pad are that it has to be generated by a truly random process and that it has to be as long as the plaintext. Because of the difficulties of key generation, key distribution, and key management, the one-time-pad is impractical. This motivates the design of stream ciphers where the purely random keystream generator is replaced by a finite state machine which generates a deterministic pseudorandom sequence. Such stream ciphers are not perfectly secure but, if well designed, they are computationally secure. The security of such a stream cipher depends on the randomness quality of the generated keystream. Hence, a central design problem is the development of devices which can efficiently generate large-period sequences that satisfy various statistical criteria. Stream ciphers are usually classified into synchronous and self-synchronous systems [RUE86].

2.1.3 Synchronous Stream Ciphers

In a synchronous stream cipher, the next state depends only on the previous state. The keystream is therefore independent of the plaintext message and of the ciphertext message. The encryption transformation of a synchronous stream cipher can be described by the following set of equations (Eq. 2.1):

$$\sigma_{i+1} = f(\sigma_i, k) \qquad \text{(a)}$$
$$z_i = g(\sigma_i, k) \qquad \text{(b)}$$
$$c_i = h(z_i, m_i) \qquad \text{(c)}$$

where f denotes the next-state function, g is the function that produces the keystream z_i, and h is the output function which generates the ciphertext c_i by combining the keystream and the message stream m_i. The initial state is σ_0 and can possibly be derived from the key k. Figure 1 illustrates the encryption and decryption processes (footnote 5). A synchronous stream cipher is synchronized when the key and the internal state of the keystream generators at the sending and receiving site are identical. If a ciphertext character is lost, inserted, or deleted during transmission, decryption becomes impossible and the sender and receiver must resynchronize their generators before they can proceed further. Consequently, special resynchronization techniques have to be employed. Moreover, there is no error propagation, because the modification of one ciphertext character due to transmission errors does not affect the decryption of another ciphertext character.

Footnote 5: The figures and the notations in this section are adopted from [MEN01].

Figure 1: Model of a synchronous stream cipher. Encryption side: a keystream generator with state σ_i, next-state function f and keystream function g (input: key k; output: keystream z_i), and the output function h combining plaintext m_i with z_i into ciphertext c_i. Decryption side: the same keystream generator and the inverse output function h^{-1}, recovering m_i from c_i.

One of the most important stream ciphers is the additive synchronous stream cipher. Its output function h implements a simple addition of the keystream character and the plaintext character. Most commonly, the plaintext, ciphertext and keystream characters are binary digits, and the output function h is therefore the XOR-function. In this case encryption and decryption are the same. Because the method of combining plaintext and keystream characters is very simple, the employed keystream generators must be sufficiently strong.

2.1.4 Self-synchronous Stream Ciphers

In a self-synchronous stream cipher, each keystream character is produced as a function of the key and a fixed number n of preceding ciphertext characters. The following equations describe the encryption process (Eq. 2.2):

$$\sigma_{i+1} = f(c_{i-n}, c_{i-n+1}, \dots, c_i, k) \qquad \text{(a)}$$
$$z_i = g(\sigma_i, k) \qquad \text{(b)}$$
$$c_i = h(z_i, m_i) \qquad \text{(c)}$$

where f denotes the next-state function, g is the function that produces the keystream z_i, and h is the output function which generates the ciphertext c_i by combining the keystream and the message stream m_i. The initial state is σ_0 and k is the key. The encryption and decryption processes are depicted in Figure 2. If a ciphertext character is lost, deleted, inserted, or altered during transmission, the error propagates forward for n characters, because the decryption function depends only on a fixed number of preceding ciphertext characters. The cipher resynchronizes itself automatically and performs proper decryption after n correct ciphertext characters have been received. In contrast to synchronous stream ciphers, self-synchronous stream ciphers are non-periodic, because each keystream character is functionally dependent on the preceding message stream.

Figure 2: Model of a self-synchronous stream cipher. Encryption and decryption each use a keystream generator whose state σ_i is formed by f from the preceding ciphertext characters; g produces the keystream z_i from σ_i and the key k; h combines m_i with z_i into c_i, and h^{-1} recovers m_i from c_i.

2.2 Pseudorandom Sequences for Stream Ciphering

As motivated in the previous section, stream ciphers employ deterministically generated random sequences, i.e. pseudorandom sequences, to encrypt the message stream. Such a pseudorandom sequence is generally defined as a sequence that appears to be random. The objective in stream ciphering is to use a short, truly random sequence (the key) and expand it to a sequence of much larger length, which should be as statistically indistinguishable as possible from a truly random sequence [MEN01]. Since a keystream generator is a finite state machine, the generated sequence is necessarily periodic. If something is periodic, it is, by definition, predictable and therefore cannot be random in the strict sense of randomness [SCH96]. Thus, the randomness of periodic sequences (or of finite sequences, if only one period is considered) has to be defined. This seems to be a difficult problem, because every finite sequence is equally likely to occur, or equally random, if the probability of generating a single zero or one is assumed to be equal and each bit is independent of the previous bits. But there exist sequences that are more typical than others. For example, a sequence that has about the same number of ones and zeros is considered to be more typical than the all-zeros sequence, even though both sequences are equally likely. This concept of typicality forms the basis of how the randomness of a finite sequence is defined. Various statistical tests designed to detect specific randomness characteristics are described in [MEN01]. The important criterion of distribution properties follows intuitively from what is regarded as typical. It states that a finite sequence of length T may be called random if every binary k-tuple, for all k smaller than some upper bound (e.g. log_2(T)), appears about equally often [RUE86]. The widely accepted randomness postulates of S. Golomb [GOL67] are based on this definition. To measure the randomness of periodic binary sequences the following requirements have been proposed:

(G1) The number of ones and zeros within one period of the sequence differs at most by one.
(G2) In every period, 1/2^i of the total number of runs (subsequences of the same bit) has length i, as long as there are at least 2 runs of length i.
(G3) The periodic autocorrelation function (ACF) is two-valued.

The periodic ACF of a binary sequence is defined as follows [FUM94, p. 115]:

$$C(\tau) = \frac{A(\tau) - D(\tau)}{T} \qquad \text{(Eq. 2.3)}$$

where τ indicates a cyclic shift of the sequence and T is the length of the period. A(τ) and D(τ) denote the number of agreements and disagreements between the shifted and the original version of the sequence within one period. Sequences satisfying (G1)–(G3) are called pseudo-noise sequences. In most practical cases, rough agreement with these criteria is sufficient. The first requirement (G1) is cryptographically relevant because, if there are many more ones than zeros in a binary sequence, then the sequence becomes more predictable, because each bit could be guessed with a probability greater than 1/2. Furthermore, bad pattern distributions may be used to accumulate statistics for an efficient attack. It is also known that uniform pattern distributions and good autocorrelation properties are closely related and that the periodic autocorrelation function reflects global randomness properties [CUS98]. These facts are captured with (G2) and (G3). For many communications applications, such as radar systems, spread spectrum communication systems, multiple-terminal identification or code-division multiple access communication systems, sequences that possess specific correlation properties and certain statistical characteristics are sufficient. But meeting the above described statistical criteria is only necessary and not sufficient for cryptographic applications. Cryptographic randomness does not mean just statistical randomness. For a sequence to be cryptographically secure pseudorandom, it must be unpredictable. It must be computationally infeasible to predict the next bit given complete knowledge of the algorithm or hardware generating the sequence and of all the previous bits of the sequence [SCH96]. The security of a stream cipher depends primarily on the unpredictability of the keystream. The starting point in stream cipher design and analysis is therefore the assessment of the security of keystream generators in terms of predictability. Particularly important is the linear unpredictability or linear complexity of a sequence, which is measured by the length of the shortest LFSR that is able to generate the given sequence. The linear complexity and the associated linear complexity profile are criteria that allow one to efficiently judge the unpredictability of pseudorandom sequences thanks to the Berlekamp-Massey algorithm (BM-algorithm) [MAS69]. Equivalent complexity measures based on FCSRs, namely the 2-adic complexity and the 2-adic complexity profile, may also be used. More details on these measures are provided in section 2.4 below. In this thesis, the previously discussed pattern distribution and autocorrelation properties as well as the complexity measures will be used to empirically and analytically evaluate the cryptographic strength of the investigated keystream sequences.

2.3 Feedback Shift Registers

Linear feedback shift registers (LFSRs) are basic components in many keystream generators. Because of their structure, they can be fully analyzed using algebraic tools, and they are well suited to hardware implementations. Moreover, the produced sequences may have large period and good statistical properties. Although LFSRs are not directly analyzed in this thesis, they are of theoretical interest and provide the basis for further investigations. The analysis of feedback carry shift register (FCSR) sequences is quite different from that of LFSR sequences. Instead of algebra over finite fields, algebra over the 2-adic numbers is employed. However, there are many parallel properties between LFSRs and FCSRs. In subsection 2.3.1 a brief review of the main properties of LFSRs is given. The theory behind LFSRs is assumed to be basically known. Only selected results about LFSRs are summarized which are important for the remainder of the thesis. FCSRs are described in more detail in subsection 2.3.2. They are presented in the same way as LFSRs to emphasize the parallels between these two types of feedback shift registers. Unless otherwise stated, the theoretical results are taken from [KLA97]. The theory of 2-adic numbers is introduced at the beginning of subsection 2.3.2.

2.3.1 Linear Feedback Shift Registers

2.3.1.1 Register Architecture

An LFSR consists of a series of cells with feedback connections on a subset of these cells. The architecture of an LFSR is depicted in Figure 3, where {a_{n-1}, a_{n-2}, ..., a_{n-r}} ∈ {0,1} are the cell contents and the symbol ⊕ denotes addition modulo 2. The coefficients {q_1, q_2, ..., q_r} ∈ {0,1} represent the existence or nonexistence of a feedback tap. Since the register has length r, it is called an r-stage LFSR.

Figure 3: A linear feedback shift register

The shift register works as follows:

1. The register cells {a_{n-1}, a_{n-2}, ..., a_{n-r}} are initialized.
2. The contents of the tapped register cells are added modulo 2:

$$a_n = \sum_{i=1}^{r} q_i a_{n-i} \pmod 2, \qquad n \ge r \qquad \text{(Eq. 2.4)}$$

3. The cell contents are shifted right by one position, outputting the rightmost bit a_{n-r}.
4. The sum a_n is returned into the leftmost cell a_{n-1} of the shift register.

Because the LFSR implements a linear recursion (see (Eq. 2.4)), the output sequence is also referred to as a linear recurrence sequence.

2.3.1.2 Analysis of LFSRs

LFSRs are analyzed using arithmetic in finite fields. The basic algebraic structure is the ring GF(2)[[X]] of formal power series in X with coefficients in GF(2) (footnote 6). Details about this mathematical notion can be found in [FUM94] and [RUE86]. The feedback taps {q_1, q_2, ..., q_r} of an r-stage LFSR correspond to a connection polynomial

$$q(X) = q_r X^r + q_{r-1} X^{r-1} + \dots + q_1 X + 1 \qquad \text{(Eq. 2.5)}$$

with q_i ∈ GF(2). The LFSR is said to be non-singular if the degree of q(X) is r, otherwise it is singular. Many properties of LFSR sequences may be described with this polynomial. An infinite binary sequence (a) = (a_0, a_1, a_2, ...) may be represented by its generating function

$$A(X) = \sum_{i=0}^{\infty} a_i X^i \in GF(2)[[X]].$$

The sequence (a) is eventually periodic if and only if A(X) is equal to the quotient of two polynomials:

$$A(X) = r(X) / q(X). \qquad \text{(Eq. 2.6)}$$

The denominator q(X) is the connection polynomial of an LFSR and the numerator r(X) corresponds to a specific initial loading that has to be nonzero. The sequence (a) is strictly periodic if and only if the degree of r(X) is less than the degree of q(X) (deg(r(X)) < deg(q(X))), in which case the LFSR is non-singular. For a primitive (footnote 7) connection polynomial the output sequence has the maximum possible period T_max = 2^r − 1 and is called an m-sequence. m-sequences have nice statistical properties. They are balanced and have the de Bruijn property, that is, every nonzero subsequence of length r occurs exactly once within a period. Furthermore, the ACF of an m-sequence is two-valued. Therewith Golomb's randomness postulates (G1)–(G3) (see 2.2) are satisfied, so that every m-sequence is also a pseudo-noise sequence.
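As an added example that is not part of the thesis, the following Python code steps an r-stage LFSR by the recurrence (Eq. 2.4), extracts one period of its output and checks it against Golomb's postulates (G1)–(G3) with the periodic ACF of (Eq. 2.3); the function names and the two sample connection polynomials are my choice, not the author's.

```python
"""Added example (not the thesis' own code): an LFSR driven by
a_n = sum_{i=1..r} q_i a_{n-i} (mod 2), one period of its output, and a
check of Golomb's postulates (G1)-(G3).  X^4 + X + 1 is primitive and yields
an m-sequence of period 2^4 - 1 = 15; X^4 + X^3 + X^2 + X + 1 is irreducible
but not primitive, so its sequence has period 5 and fails (G3)."""
from fractions import Fraction


def lfsr_period(taps, state):
    """taps = [q_1, ..., q_r] of q(X) = q_r X^r + ... + q_1 X + 1 (Eq. 2.5),
    state = [a_0, ..., a_{r-1}] (initial loading, must be nonzero).
    Returns one full period of the output sequence: the r most recent bits are
    the register contents, so the output repeats exactly when they equal the
    initial loading again (non-singular LFSR, q_r = 1)."""
    r = len(taps)
    start = tuple(state)
    a = list(state)
    while True:
        n = len(a)
        a.append(sum(taps[i - 1] & a[n - i] for i in range(1, r + 1)) % 2)
        if tuple(a[-r:]) == start:
            return a[:-r]


def cyclic_runs(seq):
    """Lengths of all runs in one period, the period being read cyclically."""
    T = len(seq)
    if len(set(seq)) == 1:          # constant sequence: a single run
        return [T]
    k = next(i for i in range(T) if seq[i] != seq[i - 1])   # a run boundary
    s = seq[k:] + seq[:k]           # rotate so that no run wraps around
    lengths, cur = [], 1
    for x, y in zip(s, s[1:]):
        if x == y:
            cur += 1
        else:
            lengths.append(cur)
            cur = 1
    lengths.append(cur)
    return lengths


def acf(seq, tau):
    """Periodic ACF C(tau) = (A(tau) - D(tau)) / T of (Eq. 2.3)."""
    T = len(seq)
    agreements = sum(seq[n] == seq[(n + tau) % T] for n in range(T))
    return Fraction(2 * agreements - T, T)       # D(tau) = T - A(tau)


def golomb(seq):
    """(G1, G2, G3) as booleans for one period of a binary sequence."""
    T = len(seq)
    ones = sum(seq)
    g1 = abs(ones - (T - ones)) <= 1
    runs = cyclic_runs(seq)
    total = len(runs)
    g2, i = True, 1
    while total >= 2 ** (i + 1):    # (G2) applies while 1/2^i of the runs is >= 2 runs
        g2 = g2 and runs.count(i) * 2 ** i == total
        i += 1
    # two-valued: C(0) = 1, and every other shift gives one common value
    g3 = len({acf(seq, tau) for tau in range(1, T)}) == 1
    return g1, g2, g3


if __name__ == "__main__":
    m_seq = lfsr_period([1, 0, 0, 1], [1, 0, 0, 0])   # X^4 + X + 1
    other = lfsr_period([1, 1, 1, 1], [1, 0, 0, 0])   # X^4 + X^3 + X^2 + X + 1
    for name, s in (("X^4+X+1", m_seq), ("X^4+X^3+X^2+X+1", other)):
        print(name, "period", len(s), "".join(map(str, s)), "G1-G3:", golomb(s))
```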
Footnote 6: GF(p) is the Galois field of order p, or simply the finite field with p elements; p is a prime or a prime power.
Footnote 7: A primitive polynomial of degree n with coefficients over GF(q) is one that is irreducible and divides x^N − 1 for N = q^n − 1 but for no smaller N.
Footnote 8: A polynomial with coefficients in GF(p) is irreducible over GF(p) if it allows only trivial factorisation.

If the connection polynomial q(X) is irreducible (footnote 8) over GF(2), then there is a convenient description of the i-th term of the output sequence (a) = (a_0, a_1, a_2, ...) of the LFSR. Let

$$\mathrm{Tr}(\beta) = \beta + \beta^{2} + \beta^{2^2} + \dots + \beta^{2^{r-1}} \qquad \text{(Eq. 2.7)}$$

denote the trace function, which maps any element β of the extension field GF(2^r) into the ground field GF(2). Furthermore, let γ ∈ GF(2^r) be a root of q(X); then the sequence (a) is defined as follows:

$$a_i = \mathrm{Tr}(A \gamma^i), \qquad i = 0, 1, 2, \dots \qquad \text{(Eq. 2.8)}$$

where A ∈ GF(2^r) corresponds to a certain initial loading of the shift register. This trace description is particularly suited for the analysis of nonlinear combinations of LFSRs.

2.3.2 Feedback Carry Shift Registers

2.3.2.1 Mathematical Foundations

The analysis of FCSR sequences is based on the arithmetic in the 2-adic numbers. The following subsection briefly introduces this mathematical tool. For a more comprehensive treatment of the theory see, for example, [CUS98], [GOU97], or [KOB77].

Let p be a fixed prime number; then any x ∈ Z (Z denotes the integers) can be written as an expansion in base p in the form

$$x = \pm \sum_{i=0}^{n} a_i p^i \qquad \text{(Eq. 2.9)}$$

with coefficients a_i ∈ {0, 1, ..., p−1}. This representation is also referred to as the p-adic expansion. For example, the 2-adic expansion of x = 35 is 1·2^0 + 1·2^1 + 0·2^2 + 0·2^3 + 0·2^4 + 1·2^5, in short 110001 (coefficients a_0, a_1, ... written from left to right). Generalizing (Eq. 2.9) to x ∈ Q (Q denotes the rationals) results in the following finite sum, which may also contain negative powers of p:

$$x = \pm \sum_{i=k}^{n} a_i p^i, \qquad k \le 0 \le n \qquad \text{(Eq. 2.10)}$$

In this formulation, the integers are those numbers where a_i = 0 for all i < 0. As an alternative, if one extends the p-adic expansions by allowing infinite sums of the form

$$x = \sum_{i=k}^{\infty} a_i p^i \qquad \text{(Eq. 2.11)}$$

where k is some (possibly negative) integer, we obtain the field Q_p of p-adic numbers. Those p-adic numbers with a_i = 0 for all i < 0 are also called p-adic integers (Z_p) [WIK03]. Based on that, a 2-adic integer is defined as follows:

Definition 2.1 A 2-adic integer is a formal power series

$$\alpha = \sum_{i=0}^{\infty} a_i 2^i \qquad \text{(Eq. 2.12)}$$

with a_i ∈ {0,1}. The ring of all such power series is the ring Z_2 of 2-adic integers.

There is a one-to-one correspondence between rational numbers α = p/q (q odd) and 2-adic integers, given by the 2-adic expansion of α [KLA97]. That means every such rational number has a unique 2-adic expansion. This 2-adic expansion is an eventually periodic sequence (a) of binary coefficients (a_0, a_1, a_2, ...). Conversely, for every eventually periodic binary sequence (a) the associated 2-adic integer α = Σ a_i 2^i is the 2-adic expansion of a rational number [CUS98].

To expand a rational number α = p/q 2-adically, one has to expand both numerator p and denominator q in powers of 2 and then divide formally (similar to polynomial division), where 2 is treated as an indeterminate. But one may have to carry: for example, the sum of two coefficients may exceed 1. Then the overflow bits are carried to higher-order terms [GOU97]. The following example illustrates this concept.

Example 2.1 Let α = p/q = 3/19; then

p = 1·2^0 + 1·2^1 and q = 1·2^0 + 1·2^1 + 0·2^2 + 0·2^3 + 1·2^4

are the expansions of p and q in powers of 2. Dividing these two expressions as described above results in

p/q = 1·2^0 + 0·2^1 + 0·2^2 + 0·2^3 + 1·2^4 + 0·2^5 + 1·2^6 + 0·2^7 + 0·2^8 + 1·2^9 + ...

The coefficient sequence of the 2-adic expansion is the eventually periodic binary sequence $(a) = (1000\,\overline{101001111010110000})$ (the bar marks the periodic part) with a prefix of 4 bits and a period length of 18.

If −q < p ≤ 0 (q odd), then the bit sequence for the 2-adic expansion of α = p/q is strictly periodic. If also p and q are relatively prime (gcd (footnote 9) (p, q) = 1), then α is a reduced rational number and the period is

$$T = \mathrm{ord}_q(2) \qquad \text{(Eq. 2.13)}$$

where ord_q(2) is the order (footnote 10) of 2 modulo q. An FCSR performs exactly this 2-adic expansion of some rational number α = p/q (q odd), outputting the binary coefficient sequence. There exists a fast software-oriented algorithm as an alternative to this hardware implementation. It can be summarized as follows [CUS98, p. 313]:

  begin:  Input p and q. Conditions: q odd; q ≥ 1; gcd(p, q) = 1.
  repeat: If p is even, then output 0 and set p ← p/2;
          otherwise output 1 and set p ← (p − q)/2.
  end

An example demonstrating the algorithm is given below (Example 2.2).

Example 2.2 Suppose α = p/q = 3/19.
p = 3 is odd: output 1, p ← (p − q)/2 = (3 − 19)/2 = −8.
p = −8 is even: output 0, p ← p/2 = (−8)/2 = −4.

Footnote 9: greatest common divisor
Footnote 10: The order of 2 modulo q, denoted ord_q(2), is the smallest positive integer x such that 2^x ≡ 1 (mod q).

p = −4 is even: output 0, p ← p/2 = (−4)/2 = −2.
⋮
Continuing the procedure yields the sequence already determined in Example 2.1. In this thesis, the simulation-based investigation of FCSR-sequences has been carried out using the above presented algorithm.

The arithmetic in the ring of 2-adic integers ($\mathbb{Z}_2$) is defined by the following operations [CUS98, p. 316]. Suppose that α and β are two 2-adic integers with

$\alpha = \sum_{i=0}^{\infty} a_i 2^i, \qquad \beta = \sum_{i=0}^{\infty} b_i 2^i$ (Eq. 2.14)

where $a_i, b_i \in \{0, 1\}$, then the addition α + β is defined by the series

$\alpha + \beta = \sum_{i=0}^{\infty} r_i 2^i$ (Eq. 2.15)

where each $r_i$ is computed by

$r_i = (a_i + b_i + c_{i-1}) \bmod 2, \qquad c_i = \lfloor (a_i + b_i + c_{i-1}) / 2 \rfloor$ (Eq. 2.16)

($\lfloor\cdot\rfloor$ denotes the integer part), where the $c_i$'s are carry bits and $c_{-1}$ is defined to be 0. The next example demonstrates these calculations.

Example 2.3 Let $\alpha = p_\alpha/q_\alpha = 1/5 = \sum_{i=0}^{\infty} a_i 2^i$ with (a) = (10110…) and $\beta = p_\beta/q_\beta = 4/9 = \sum_{i=0}^{\infty} b_i 2^i$ with (b) = ( ), then α + β is the result of the following calculation, carried out bitwise on $a_i$, $b_i$, the carries $c_i$ and the result bits $r_i$: $\alpha + \beta = \sum_{i=0}^{\infty} r_i 2^i$ with (r) = ( ). This 2-adic sum of α and β is (of course) identical to the 2-adic expansion of the rational number

$\alpha + \beta = \frac{p}{q} = \frac{p_\alpha}{q_\alpha} + \frac{p_\beta}{q_\beta} = \frac{p_\alpha q_\beta + p_\beta q_\alpha}{q_\alpha q_\beta}$.

The subtraction α − β is defined to be α + (−β), where (−β) is the additive inverse of β. If $\bar{\beta}$ is the complementary 2-adic integer of β, formed by taking the complement of each bit (replace 0 by 1 and 1 by 0), then −β is given by [GOR97]:

$-\beta = \bar{\beta} + 1$. (Eq. 2.17)

The multiplication of two 2-adic integers α and β (same notation as in (Eq. 2.14)) is defined by the equation [CUS98, p. 317]

$\alpha\beta = \sum_{i=0}^{\infty} u_i 2^i$ (Eq. 2.18)

where

$u_i = \sum_{k + j = i} a_k b_j$. (Eq. 2.19)

Because the $u_i$'s could be 2 or larger, the same reduction procedure as before has to be applied to obtain

$\alpha\beta = \sum_{i=0}^{\infty} r_i 2^i$ (Eq. 2.20)

where each $r_i \in \{0, 1\}$ is calculated by

$r_i = (u_i + c_{i-1}) \bmod 2, \qquad c_i = \lfloor (u_i + c_{i-1}) / 2 \rfloor$ (Eq. 2.21)

where the $c_i$'s are carry bits and $c_{-1}$ is defined to be 0. With the subsequent example, these operations are made explicit.

Example 2.4 Let α and β be the same as in Example 2.3, then αβ is determined as follows, bitwise on $a_i$, $b_i$, $u_i$, the carries $c_i$ and the result bits $r_i$: $\alpha\beta = \sum_{i=0}^{\infty} r_i 2^i$ with (r) = ( ). This 2-adic product of α and β is (of course) equal to the 2-adic expansion of the rational number

$\alpha\beta = \frac{p}{q} = \frac{p_\alpha p_\beta}{q_\alpha q_\beta}$.

Clearly, division of two 2-adic numbers is defined to be $\alpha/\beta = \alpha\beta^{-1}$, where $\beta^{-1}$ denotes the multiplicative inverse of β. The above described operations, 2-adic sum and 2-adic product of two binary sequences, are a natural consequence of the one-to-one correspondence between the set of binary, eventually periodic sequences and the set of 2-adic integers (or rational numbers α = p/q with q odd). These operations may be quite useful in constructing sequences for a variety of applications, especially for keystream generators, as will be discussed later in this thesis.
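The following Python code is an added example and not code from the thesis: it implements the software algorithm quoted above from [CUS98] for the 2-adic expansion of p/q, splits the expansion into prefix and period by watching the numerator p (which is the complete state of the procedure), and implements the 2-adic sum, additive inverse and product on coefficient sequences exactly as in (Eq. 2.16), (Eq. 2.17) and (Eq. 2.19) to (Eq. 2.21). It verifies the bit-level results against the expansions of the rational sum and product, using α = 1/5 from Example 2.3 and, as an assumption where the digits of the original are hard to read, β = 4/9. The function names are this example's own.

```python
"""Added example: 2-adic expansion of p/q (q odd) and 2-adic arithmetic on
coefficient sequences.  Not code from the thesis; names are this example's."""


def two_adic_bits(p, q, n):
    """First n coefficients a_0..a_{n-1} of the 2-adic expansion of p/q (q odd),
    by the software algorithm of [CUS98] quoted in the text."""
    if q % 2 == 0:
        raise ValueError("q must be odd")
    bits = []
    for _ in range(n):
        if p % 2 == 0:
            bits.append(0)
            p //= 2                  # exact: p is even
        else:
            bits.append(1)
            p = (p - q) // 2         # exact: p and q are both odd
    return bits


def expansion_prefix_period(p, q):
    """Split the eventually periodic expansion of p/q into (prefix, period).
    The numerator p is the whole state of the algorithm, so the period starts
    at the first numerator that reappears; the prefix returned is the shortest."""
    seen, bits = {}, []
    while p not in seen:
        seen[p] = len(bits)
        if p % 2 == 0:
            bits.append(0)
            p //= 2
        else:
            bits.append(1)
            p = (p - q) // 2
    start = seen[p]
    return bits[:start], bits[start:]


def ord_q_of_two(q):
    """ord_q(2): smallest x > 0 with 2^x = 1 (mod q), for odd q > 1 (Eq. 2.13)."""
    x, v = 1, 2 % q
    while v != 1:
        v, x = (2 * v) % q, x + 1
    return x


def two_adic_add(a, b):
    """2-adic sum of two coefficient sequences (Eq. 2.16); the carry c_i is
    floor((a_i + b_i + c_{i-1}) / 2) and moves to the next higher position."""
    r, c = [], 0
    for ai, bi in zip(a, b):
        s = ai + bi + c
        r.append(s % 2)
        c = s // 2
    return r


def two_adic_neg(b):
    """Additive inverse (Eq. 2.17): -beta = complement(beta) + 1."""
    one = [1] + [0] * (len(b) - 1)
    return two_adic_add([1 - x for x in b], one)


def two_adic_mul(a, b):
    """2-adic product (Eq. 2.18 to 2.21): u_i = sum_{k+j=i} a_k b_j, followed by
    the same carry reduction as for the sum."""
    r, c = [], 0
    for i in range(min(len(a), len(b))):
        u = sum(a[k] * b[i - k] for k in range(i + 1))
        s = u + c
        r.append(s % 2)
        c = s // 2
    return r


if __name__ == "__main__":
    prefix, period = expansion_prefix_period(3, 19)          # Examples 2.1 / 2.2
    print("3/19: prefix", prefix, "period", period, "length", len(period),
          "ord_19(2) =", ord_q_of_two(19))
    n = 40
    a, b = two_adic_bits(1, 5, n), two_adic_bits(4, 9, n)    # alpha = 1/5, beta = 4/9 (assumed)
    print("sum matches 29/45:", two_adic_add(a, b) == two_adic_bits(29, 45, n))
    print("product matches 4/45:", two_adic_mul(a, b) == two_adic_bits(4, 45, n))
```

Because carries only move upward, the first n result bits of a sum or product depend only on the first n bits of the operands, so comparing truncated sequences is exact. For 3/19 the function reports the shortest prefix, a single bit: the four-bit prefix quoted in Example 2.1 simply starts the period at the numerator −1 instead of −8, which describes the same sequence. Note that in $\mathbb{Z}_2$ the multiplicative inverse $\beta^{-1}$ exists only for odd β, i.e. $b_0 = 1$.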

2.3.2.2 Register Architecture

FCSRs can be thought of as LFSRs with ordinary addition in place of addition modulo 2 and auxiliary memory for storing the carry. The architecture of an FCSR is depicted in Figure 4, where $\{a_{n-1}, a_{n-2}, \ldots, a_{n-r}\} \in \{0, 1\}$ are the cell contents, $m_{n-1}$ is the current contents of the memory, and the adder symbol denotes integer addition. Notice that the memory contains a nonnegative integer. The coefficients $\{q_1, q_2, \ldots, q_r\} \in \{0, 1\}$ represent the existence or nonexistence of a feedback tap. Since the register has length r, it is called an r-stage FCSR.

Figure 4 A feedback carry shift register

The shift register works as follows:
1. The register cells $\{a_{n-1}, a_{n-2}, \ldots, a_{n-r}\}$ and the memory $m_{n-1}$ are initialized.
2. The contents of the tapped register cells are added as integers to the current contents of the memory:
$\sigma_n = \sum_{i=1}^{r} q_i a_{n-i} + m_{n-1}$ (Eq. 2.22)
3. The cell contents are shifted right by one position, outputting the rightmost bit $a_{n-r}$.
4. The parity bit $a_n$ of $\sigma_n$ is returned into the leftmost cell $a_{n-1}$ of the shift register:
$a_n = \sigma_n \pmod 2$. (Eq. 2.23)
5. The higher order bits of $\sigma_n$ are retained as the new value of the memory:
$m_n = (\sigma_n - a_n)/2 = \lfloor \sigma_n / 2 \rfloor$ (Eq. 2.24)
where $\lfloor\cdot\rfloor$ denotes the integer or floor part.

Alternative architectures and hardware implementations of FCSRs are proposed in [KLA97] and [GOR02].

2.3.2.3 Analysis and Synthesis of FCSRs

As already mentioned in 2.3.2.1, the ring of 2-adic integers ($\mathbb{Z}_2$) and the arithmetic over this ring are required to analyze FCSRs and their output sequences. In this subsection, the basic properties of FCSRs are presented in terms of the theory derived in 2.3.2.1.

The feedback taps $\{q_1, q_2, \ldots, q_r\}$ of an r-stage FCSR correspond to the binary expansion of an integer q:

$q = q_r 2^r + q_{r-1} 2^{r-1} + \cdots + q_1 2 - 1$ (Eq. 2.25)

with $q_i \in \{0, 1\}$ and $q_r = 1$. (Notice that $q_0 = -1$ does not correspond to a feedback tap.) The integer q is referred to as the connection integer because the above binary expansion gives the analog to the connection polynomial in the usual theory of LFSRs. Many properties of FCSR-sequences may be described with this integer. The length r of an FCSR is related to the connection integer by the following equation:

$r = \lfloor \log_2 (q + 1) \rfloor$. (Eq. 2.26)

As described in 2.3.2.1, an infinite binary sequence (a) = $(a_0, a_1, a_2, \ldots)$ may be represented by the formal power series $\alpha = \sum_{i=0}^{\infty} a_i 2^i \in \mathbb{Z}_2$. The sequence (a) is eventually periodic if and only if α is equal to the quotient of two integers p and q (q odd). In this case, the sequence is identical to the output of an FCSR that computes the coefficient sequence of the 2-adic expansion

$\alpha = \frac{p}{q} = \sum_{i=0}^{\infty} a_i 2^i \in \mathbb{Z}_2$ (Eq. 2.27)

of that rational number p/q. The denominator q (q > 0 is assumed without loss of generality) is the connection integer of the FCSR and generates the periodic part of (a). The numerator p corresponds to a specific register initialization with

$p = \sum_{i=0}^{r-1} \sum_{j=0}^{i} q_j a_{i-j} 2^i - m_{r-1} 2^r$ (Eq. 2.28)

where the $q_j$'s are the feedback taps (with $q_0 = -1$ as in (Eq. 2.25)), $\{a_{r-1}, a_{r-2}, \ldots, a_1, a_0\} \in \{0, 1\}$ are the initial loadings of the register cells and $m_{r-1} \in \mathbb{Z}$ is the initial memory value. The sequence (a) is strictly periodic if and only if $|p| < q$ and $\alpha \le 0$, i.e. if $-q < p \le 0$. If also p and q are relatively prime (gcd(p,q) = 1), then the period is $T = \mathrm{ord}_q(2)$ (see (Eq. 2.13)). In case p and q have a common factor, the period T is a divisor of $\mathrm{ord}_q(2)$. If p > 0 or $p \le -q$, then the sequence has a transient prefix before it drops into a periodic state.

If p is a multiple of q, then α corresponds to a usual integer. In this case, after a transient prefix the output consists of all 0's or all 1's depending on whether p is positive or negative. This is due to (Eq. 2.17) and due to the fact that the 2-adic expansion of a positive integer is actually its expansion in base 2, which is a finite series. The maximum possible period for an FCSR with connection integer q is achieved if and only if q is prime and 2 is a primitive root modulo q. (An integer N is a primitive root modulo q, q prime, if it has maximum possible order modulo q, i.e. if $N^T \equiv 1 \pmod q$ for T = q − 1 but for no smaller T.) With (Eq. 2.13) the maximum period is

$T_{\max} = q - 1$. (Eq. 2.29)

Sequences generated by this type of FCSR are called l-sequences to stress the analogy to m-sequences. They have nice properties that are discussed in 2.3.2.4 below.

The requirements for the additional memory of an r-stage FCSR depend on its feedback connections. At most

$\lceil \log_2 (r) \rceil = \lceil \log_2 (\lfloor \log_2 (q + 1) \rfloor) \rceil$ (Eq. 2.30)

bits of memory are necessary. If an FCSR is in a periodic state, then the memory value lies in the range $0 \le m < \omega$, where $\omega = \mathrm{wt}(q+1)$ is the Hamming weight of q + 1, i.e. the number of nonzero feedback taps. In this case, no more than

$\lfloor \log_2 (\omega - 1) \rfloor + 1$ (Eq. 2.31)

bits of memory are required. In general, memory values outside the range $0 \le m < \omega$ are also possible. If the initial memory value is $m_{r-1} \ge \omega$, then it will monotonically decrease and will drop into the range $0 \le m < \omega$ within

$\lceil \log_2 (m_{r-1} - \omega) \rceil + r$ (Eq. 2.32)

steps. If the initial memory is $m_{r-1} < 0$, then it will monotonically increase and will arrive in the range $0 \le m < \omega$ within

$\lceil \log_2 (|m_{r-1}|) \rceil + 2$ (Eq. 2.33)

steps, where $\lceil\cdot\rceil$ denotes the next greater integer.

It has already been discussed that an FCSR outputs all 1's or all 0's if the rational number α = p/q corresponding to the output sequence is a usual integer, i.e. if p is a multiple of q. In this case, the associated initial loading, which is specified by (Eq. 2.28), is said to be degenerated. From a cryptographic point of view, degenerated initial loadings are critical because they constitute a set of weak keys. Almost always, strictly periodic sequences are desired. In order to guarantee a strictly periodic output, the following initial loadings may be used:

m = 1 and all the $a_j = 0$: $p = -2^r$
m = 1, $a_0 = 1$, and all the other $a_j = 0$: $p = q - 2^{r+1}$
m = 0, $a_{r-1} = 1$, and all the other $a_j = 0$: $p = -2^{r-1}$.

If the initial loading and the initial memory of an FCSR for a given rational number α = p/q (q an odd positive integer) are to be determined, one has to solve (Eq. 2.28), which may be accomplished by the subsequent procedure (the same notation as in (Eq. 2.25) and (Eq. 2.26) is assumed):
1. Compute $\{a_0, a_1, \ldots, a_{r-1}\}$ by the software algorithm for the 2-adic expansion described in 2.3.2.1.
2. Compute $y = \sum_{i=0}^{r-1} \sum_{j=0}^{i} q_j a_{i-j} 2^i$.
3. Compute $m = (y - p) / 2^r$.

An FCSR with these parameters and q as connection integer will output the 2-adic expansion of p/q. If the given rational number α = p/q is not in lowest terms, a shorter FCSR that produces the same sequence can be found by reduction.

Similar to the trace representation of periodic LFSR sequences, there exists an exponential representation for periodic sequences of bits obtained from FCSRs. Let (a) = $(a_0, a_1, a_2, \ldots)$ be a periodic sequence generated by an FCSR and $\gamma = 2^{-1} \in \mathbb{Z}/(q)$ be the multiplicative inverse of 2 in the ring $\mathbb{Z}/(q)$ of integers modulo q. Then (a) is defined by

$a_i = (A\gamma^i \pmod q) \pmod 2, \qquad i = 0, 1, 2, \ldots$ (Eq. 2.34)

where $A \in \mathbb{Z}/(q)$ corresponds to a specific initial loading. The notation (mod q)(mod 2) means that $A\gamma^i$ is reduced modulo q and the result of this reduction is reduced modulo 2 to obtain an element of GF(2). The introduced exponential representation plays an important role in the analysis of FCSR-sequences. With a final numerical example the previously presented theory of FCSRs is illustrated:

Example 2.5 Suppose an FCSR with connection integer q = 19. With (Eq. 2.26) it follows that the register has r = 4 stages. Since $q = 2^4 + 2^2 - 1$, there are feedback connections on the second and fourth cell (compare to (Eq. 2.25) and Figure 4). At most 2 bits of extra memory are required (see (Eq. 2.30)). If the FCSR is in a periodic state, then only 1 memory bit is necessary (see (Eq. 2.31)). Because 2 is a primitive root modulo 19, the FCSR outputs a strictly periodic l-sequence with period T = 18 (see (Eq. 2.29)). This is true for any initial loading that corresponds to an integer p with $-19 < p \le 0$. For all the other non-degenerated initial loadings the periodic part of the sequence will have a finite prefix. The sequence in Example 2.1 is an instance for p = 3. For an initial memory of m = 0 and an initial cell loading of $\{a_0 = 1, a_1 = 0, a_2 = 1, a_3 = 0\}$ the associated integer is p = −1 (see (Eq. 2.28)). This initial loading is obtained by the procedure given on the previous page.

Using the initial loading for p = −1, the output sequence is given by (Eq. 2.34) with $\gamma = 2^{-1} = 10$ (note: $2 \cdot 10 \equiv 1 \pmod{19}$, hence $2^{-1} = 10 \in \mathbb{Z}/(19)$) and A = 1 for i = 0, 1, 2, …. Equivalently, the equations (Eq. 2.22) through (Eq. 2.24) may be used to determine the output of the FCSR. In Table 1 the resulting sequence is shown. The contents of the four register cells, the output bit, and the value of the memory (m) are listed for every index i. Each state of the shift register corresponds to a rational number $\alpha_i = p_i/19$. The numerator $p_i$ is related to the second column of the table by $p_i = -(A\gamma^i \bmod 19)$.
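To make the register of Figure 4 and Example 2.5 concrete, the following Python simulation is added here; it is not the thesis's own code. It clocks an FCSR by (Eq. 2.22) to (Eq. 2.24), derives the taps from the connection integer as in (Eq. 2.25) and (Eq. 2.26), evaluates the numerator formula (Eq. 2.28) with $q_0 = -1$, carries out the three-step loading procedure, and generates the same sequence through the exponential representation (Eq. 2.34). With q = 19 and the loading of Example 2.5 it regenerates the columns of Table 1. The newest-first ordering of the cell list and all function names are this example's own choices.

```python
"""Added example: simulating a binary FCSR and relating it to p/q.  Not the
thesis's code; the cell ordering and the function names are this example's."""


def taps_from_q(q):
    """(r, [q_1, ..., q_r]) from the connection integer q (Eq. 2.25 / 2.26):
    q + 1 = q_r 2^r + ... + q_1 2, so the taps are the binary digits of q + 1."""
    if q % 2 == 0 or q < 3:
        raise ValueError("q must be odd and greater than 1")
    r = (q + 1).bit_length() - 1                  # r = floor(log2(q + 1))
    return r, [((q + 1) >> i) & 1 for i in range(1, r + 1)]


def fcsr_step(cells, m, taps):
    """One clock of the register.  cells[i-1] holds a_{n-i}: cells[0] is the
    newest bit a_{n-1}, cells[-1] the oldest bit a_{n-r}, which is output."""
    sigma = sum(qi * a for qi, a in zip(taps, cells)) + m      # Eq. 2.22
    a_n = sigma % 2                                            # Eq. 2.23
    m_new = sigma // 2                                         # Eq. 2.24
    return [a_n] + cells[:-1], m_new, cells[-1]


def fcsr_run(q, a, m, n):
    """Clock an FCSR n times from the loading a = [a_0, ..., a_{r-1}] (a_0 is
    output first) and memory m.  Returns (output bits, list of (i, cells, m))
    with the state before each clock, i.e. the columns of Table 1."""
    r, taps = taps_from_q(q)
    if len(a) != r:
        raise ValueError("loading must have r = %d cells" % r)
    cells = list(reversed(a))           # newest-first layout used by fcsr_step
    out, states = [], []
    for i in range(n):
        states.append((i, list(cells), m))
        cells, m, bit = fcsr_step(cells, m, taps)
        out.append(bit)
    return out, states


def numerator_from_loading(q, a, m):
    """p for the loading a = [a_0, ..., a_{r-1}] and memory m (Eq. 2.28), q_0 = -1."""
    r, taps = taps_from_q(q)
    qs = [-1] + taps
    y = sum(sum(qs[j] * a[i - j] for j in range(i + 1)) << i for i in range(r))
    return y - (m << r)


def loading_from_rational(p, q):
    """Steps 1 to 3 of the procedure in the text: cells from the 2-adic expansion
    of p/q, then y as in step 2 and m = (y - p) / 2^r."""
    r, taps = taps_from_q(q)
    a, x = [], p
    for _ in range(r):                  # software algorithm of 2.3.2.1
        a.append(x % 2)
        x = x // 2 if x % 2 == 0 else (x - q) // 2
    y = numerator_from_loading(q, a, 0)  # Eq. 2.28 with m = 0 is exactly y
    m, rem = divmod(y - p, 1 << r)
    if rem:
        raise ArithmeticError("y - p is not divisible by 2^r")
    return a, m


def exponential_sequence(q, A, n):
    """a_i = (A gamma^i mod q) mod 2 with gamma = 2^{-1} in Z/(q) (Eq. 2.34)."""
    gamma = pow(2, -1, q)               # modular inverse; needs Python 3.8+
    x, seq = A % q, []
    for _ in range(n):
        seq.append(x % 2)
        x = (x * gamma) % q
    return seq


if __name__ == "__main__":
    q, a, m = 19, [1, 0, 1, 0], 0                    # Example 2.5
    print("taps:", taps_from_q(q), "p =", numerator_from_loading(q, a, m))
    out, states = fcsr_run(q, a, m, 18)
    for i, cells, mem in states:                      # Table 1, regenerated
        print(i, pow(pow(2, -1, q), i, q), cells, out[i], mem)
    print("matches Eq. 2.34:", out == exponential_sequence(q, 1, 18))
    print("loading for 3/19:", loading_from_rational(3, q))
```

Running it shows the memory never exceeding 1 in the periodic state, as (Eq. 2.31) predicts for ω = 2, and the three loadings listed in the text for strictly periodic output (p = −2^r, p = q − 2^{r+1}, p = −2^{r−1}) fall out of `loading_from_rational` for q = 19 as m = 1 with all cells 0, m = 1 with only $a_0$ = 1, and m = 0 with only $a_3$ = 1.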

Table 1 The states of an FCSR with q = 19 (columns: i, $A\gamma^i$, register contents, output $a_i$, memory m)

2.3.2.4 Properties of l-sequences

In the previous subsection l-sequences have been introduced as FCSR-sequences with maximum possible period $T_{\max} = q - 1$, where q is the connection integer of the FCSR. This period is achieved for any non-degenerated initial loading if and only if q is prime and 2 is a primitive root modulo q. However, depending on the initialization there may be a transient prefix before the register drops into the big periodic state (see 2.3.2.3). Primes having 2 as primitive root are called 2-primes. About 37.4% of all primes are 2-primes, which means that infinitely many of them exist. There are efficient techniques for finding large 2-primes [COH93], which is a necessary condition for practical applications. A list of 2-primes with an associated register length of up to r = 8 is given in appendix A.1. For these primes 2 is also a primitive root of any of their powers. Another list with all 2-primes q < … is provided in [SCH96].

An l-sequence is a shift of the bitwise complement of a 1/q-sequence. A 1/q-sequence is the binary expansion of the fraction 1/q,

$1/q = b_0 2^{-1} + b_1 2^{-2} + b_2 2^{-3} + \cdots$ (Eq. 2.35)

and has the following properties:
1. The number of 0's and the number of 1's in one period are equal.
2. The second half of the period is the bitwise complement of the first half of the period.
3. In any given period of the sequence, every binary string of length $\lfloor \log_2 q \rfloor$ occurs at least once and every binary string of length $\lfloor \log_2 q \rfloor + 1$ occurs at most once. This is called the generalized de Bruijn property.
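The following Python check is an added example, not code from the thesis: it generates one period of an l-sequence through the exponential representation (Eq. 2.34), tests properties 1 to 3 above on it for q = 19, the 2-prime of Example 2.5, and also evaluates the arithmetic autocorrelation function (AACF) of this subsection, i.e. the number of 1's minus the number of 0's in one period of the 2-adic sum α + α[τ], for every shift τ. The choice A = 1, the use of three periods to let the carries of the 2-adic sum settle, and the helper names are this example's own.

```python
"""Added example: checking the l-sequence properties of 2.3.2.4.  Not the
thesis's code; A = 1 and all helper names are this example's choices."""
from math import floor, log2


def l_sequence(q, A=1):
    """One period of a_i = (A gamma^i mod q) mod 2, gamma = 2^{-1} in Z/(q)
    (Eq. 2.34), generated until the state A gamma^i returns to A."""
    gamma = pow(2, -1, q)               # modular inverse; needs Python 3.8+
    x, seq = A % q, []
    while True:
        seq.append(x % 2)
        x = (x * gamma) % q
        if x == A % q:
            return seq


def is_balanced(s):
    """Property 1: as many 0's as 1's in one period."""
    return s.count(1) == s.count(0)


def has_complementary_halves(s):
    """Property 2: the second half of the period is the complement of the first."""
    h = len(s) // 2
    return len(s) % 2 == 0 and all(s[i] ^ s[i + h] == 1 for i in range(h))


def cyclic_window_counts(s, n):
    """Occurrence count of every length-n string in one period, read cyclically."""
    counts = {}
    for i in range(len(s)):
        w = tuple(s[(i + k) % len(s)] for k in range(n))
        counts[w] = counts.get(w, 0) + 1
    return counts


def has_generalized_de_bruijn(s, q):
    """Property 3: every string of length floor(log2 q) occurs at least once,
    every string of length floor(log2 q) + 1 at most once."""
    n = floor(log2(q))
    at_least_once = len(cyclic_window_counts(s, n)) == 2 ** n
    at_most_once = max(cyclic_window_counts(s, n + 1).values()) == 1
    return at_least_once and at_most_once


def aacf(s, tau):
    """Arithmetic autocorrelation: ones minus zeros in one period of the 2-adic
    sum alpha + alpha[tau].  Three periods are added bitwise with carries
    (Eq. 2.16) and the last block is counted, after any carry prefix."""
    T = len(s)
    a = s * 3
    b = [s[(i + tau) % T] for i in range(3 * T)]
    r, c = [], 0
    for ai, bi in zip(a, b):
        tot = ai + bi + c
        r.append(tot % 2)
        c = tot // 2
    last = r[2 * T:]
    return last.count(1) - last.count(0)


if __name__ == "__main__":
    s = l_sequence(19)
    print(s, "period", len(s))
    print(is_balanced(s), has_complementary_halves(s), has_generalized_de_bruijn(s, 19))
    print([aacf(s, t) for t in range(len(s))])
```

For q = 19 the AACF as defined here is 0 for every shift except τ = T/2 = 9, where the complementary halves make α + α[9] the all-ones sequence, i.e. −1; the function is therefore two-valued. The same generator also covers connection integers that are prime powers: `l_sequence(27)` has length 18 = 3·(3 − 1), with balanced and complementary halves, while the generalized de Bruijn property in its strict form is only checked for prime q.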

The second property has been found in this thesis through simulation and was proven in [GOR97]. For cryptographic applications this property is undesirable because only half of the period is sufficient to specify the whole sequence. The ACF of an l-sequence is in general difficult to determine. However, some evaluations have been carried out that are discussed in the next chapter (3.2.2). Based on the arithmetic in the 2-adic integers there is an analog to the usual ACF called arithmetic autocorrelation function (AACF). It is defined as follows. If $\alpha = \sum_n a_n 2^n$ and $\alpha[\tau] = \sum_n a_{n+\tau} 2^n$ represent the 2-adic integers corresponding to a sequence (a) and its shift by τ positions, then the AACF $R((a), \tau)$ is the number of 1's minus the number of 0's in any period of the eventually periodic bit sequence of the 2-adic sum α + α[τ]. An l-sequence has the ideal autocorrelation property with respect to this function, i.e. $R((a), \tau)$ is two-valued. The arithmetic crosscorrelation function (ACCF) is the equivalent analog to the usual crosscorrelation (CCF). It is possible to construct large families of sequences with ideal ACCF using d-fold decimations of l-sequences. This fact possibly makes l-sequences suitable for several practical applications, such as spread-spectrum communication systems, radar systems, signal synchronization, signal identification, or cryptanalysis. Details about the concept of arithmetic correlations of FCSR-sequences are provided in [KLA95] and [GOR97].

Long pseudorandom sequences can also be obtained by FCSRs with nonprime connection integer. If the connection integer q is a power of a prime such that $q = p^e$ with p prime, p > 2, $e \ge 2$, and 2 a primitive root modulo q, then the period of the output sequence is

$T = p^{e-1}(p - 1)$. (Eq. 2.36)

FCSR-sequences of this type are also referred to as l-sequences. Their properties are almost identical to those of l-sequences with prime connection integer. The difference is that they only come close to having the generalized de Bruijn property, that is, the numbers of occurrences of any two substrings of length $\lfloor \log_2 (T) \rfloor$ (T the period) within a period differ by at most 2. Although l-sequences do not satisfy all of the randomness postulates introduced by S. Golomb (see 2.2), they have good statistical properties, which parallel those of m-sequences. In addition, they may also have large periods, which is a necessary requirement for keystream sequences. Finally, it should be noted that the presented results of this section (2.3.2) apply to binary FCSR-sequences. For non-binary FCSR-sequences the theory of p-adic instead of 2-adic numbers has to be employed. This register type and variations with multiple carry registers are introduced in [KLA95a], [KLA97], and [GOR02].

2.4 Complexity Measures

It has already been stated in 2.2 that for a keystream generator to be secure it must be unpredictable. Complexity measures are mathematical tools for evaluating the unpredictability and therewith the security level offered by a keystream with respect to some computational model or machine. They are cryptographically important only if there are efficient algorithms for determining the parameters of the underlying model. Some


Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system Transfer Functons Convenent representaton of a lnear, dynamc model. A transfer functon (TF) relates one nput and one output: x t X s y t system Y s The followng termnology s used: x y nput output forcng

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

COMPLEX NUMBERS AND QUADRATIC EQUATIONS

COMPLEX NUMBERS AND QUADRATIC EQUATIONS COMPLEX NUMBERS AND QUADRATIC EQUATIONS INTRODUCTION We know that x 0 for all x R e the square of a real number (whether postve, negatve or ero) s non-negatve Hence the equatons x, x, x + 7 0 etc are not

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

DISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization

DISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization DISCRIMINANTS AND RAMIFIED PRIMES KEITH CONRAD 1. Introducton A prme number p s sad to be ramfed n a number feld K f the prme deal factorzaton (1.1) (p) = po K = p e 1 1 peg g has some e greater than 1.

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have

More information

Remarks on the Properties of a Quasi-Fibonacci-like Polynomial Sequence

Remarks on the Properties of a Quasi-Fibonacci-like Polynomial Sequence Remarks on the Propertes of a Quas-Fbonacc-lke Polynomal Sequence Brce Merwne LIU Brooklyn Ilan Wenschelbaum Wesleyan Unversty Abstract Consder the Quas-Fbonacc-lke Polynomal Sequence gven by F 0 = 1,

More information

NUMERICAL DIFFERENTIATION

NUMERICAL DIFFERENTIATION NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the

More information

A Hybrid Variational Iteration Method for Blasius Equation

A Hybrid Variational Iteration Method for Blasius Equation Avalable at http://pvamu.edu/aam Appl. Appl. Math. ISSN: 1932-9466 Vol. 10, Issue 1 (June 2015), pp. 223-229 Applcatons and Appled Mathematcs: An Internatonal Journal (AAM) A Hybrd Varatonal Iteraton Method

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM

ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM An elastc wave s a deformaton of the body that travels throughout the body n all drectons. We can examne the deformaton over a perod of tme by fxng our look

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

Linear Regression Analysis: Terminology and Notation

Linear Regression Analysis: Terminology and Notation ECON 35* -- Secton : Basc Concepts of Regresson Analyss (Page ) Lnear Regresson Analyss: Termnology and Notaton Consder the generc verson of the smple (two-varable) lnear regresson model. It s represented

More information

x = , so that calculated

x = , so that calculated Stat 4, secton Sngle Factor ANOVA notes by Tm Plachowsk n chapter 8 we conducted hypothess tests n whch we compared a sngle sample s mean or proporton to some hypotheszed value Chapter 9 expanded ths to

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Algebraic properties of polynomial iterates

Algebraic properties of polynomial iterates Algebrac propertes of polynomal terates Alna Ostafe Department of Computng Macquare Unversty 1 Motvaton 1. Better and cryptographcally stronger pseudorandom number generators (PRNG) as lnear constructons

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

Uncertainty in measurements of power and energy on power networks

Uncertainty in measurements of power and energy on power networks Uncertanty n measurements of power and energy on power networks E. Manov, N. Kolev Department of Measurement and Instrumentaton, Techncal Unversty Sofa, bul. Klment Ohrdsk No8, bl., 000 Sofa, Bulgara Tel./fax:

More information

Time-Varying Systems and Computations Lecture 6

Time-Varying Systems and Computations Lecture 6 Tme-Varyng Systems and Computatons Lecture 6 Klaus Depold 14. Januar 2014 The Kalman Flter The Kalman estmaton flter attempts to estmate the actual state of an unknown dscrete dynamcal system, gven nosy

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

Chowla s Problem on the Non-Vanishing of Certain Infinite Series and Related Questions

Chowla s Problem on the Non-Vanishing of Certain Infinite Series and Related Questions Proc. Int. Conf. Number Theory and Dscrete Geometry No. 4, 2007, pp. 7 79. Chowla s Problem on the Non-Vanshng of Certan Infnte Seres and Related Questons N. Saradha School of Mathematcs, Tata Insttute

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract

More information

Polynomials. 1 What is a polynomial? John Stalker

Polynomials. 1 What is a polynomial? John Stalker Polynomals John Stalker What s a polynomal? If you thnk you already know what a polynomal s then skp ths secton. Just be aware that I consstently wrte thngs lke p = c z j =0 nstead of p(z) = c z. =0 You

More information

Polynomials. 1 More properties of polynomials

Polynomials. 1 More properties of polynomials Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Supplementary Notes for Chapter 9 Mixture Thermodynamics

Supplementary Notes for Chapter 9 Mixture Thermodynamics Supplementary Notes for Chapter 9 Mxture Thermodynamcs Key ponts Nne major topcs of Chapter 9 are revewed below: 1. Notaton and operatonal equatons for mxtures 2. PVTN EOSs for mxtures 3. General effects

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

Hashing. Alexandra Stefan

Hashing. Alexandra Stefan Hashng Alexandra Stefan 1 Hash tables Tables Drect access table (or key-ndex table): key => ndex Hash table: key => hash value => ndex Man components Hash functon Collson resoluton Dfferent keys mapped

More information

Beyond Zudilin s Conjectured q-analog of Schmidt s problem

Beyond Zudilin s Conjectured q-analog of Schmidt s problem Beyond Zudln s Conectured q-analog of Schmdt s problem Thotsaporn Ae Thanatpanonda thotsaporn@gmalcom Mathematcs Subect Classfcaton: 11B65 33B99 Abstract Usng the methodology of (rgorous expermental mathematcs

More information

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity LINEAR REGRESSION ANALYSIS MODULE IX Lecture - 30 Multcollnearty Dr. Shalabh Department of Mathematcs and Statstcs Indan Insttute of Technology Kanpur 2 Remedes for multcollnearty Varous technques have

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

2016 Wiley. Study Session 2: Ethical and Professional Standards Application

2016 Wiley. Study Session 2: Ethical and Professional Standards Application 6 Wley Study Sesson : Ethcal and Professonal Standards Applcaton LESSON : CORRECTION ANALYSIS Readng 9: Correlaton and Regresson LOS 9a: Calculate and nterpret a sample covarance and a sample correlaton

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

Application of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations

Application of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations Applcaton of Nonbnary LDPC Codes for Communcaton over Fadng Channels Usng Hgher Order Modulatons Rong-Hu Peng and Rong-Rong Chen Department of Electrcal and Computer Engneerng Unversty of Utah Ths work

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Random Walks on Digraphs

Random Walks on Digraphs Random Walks on Dgraphs J. J. P. Veerman October 23, 27 Introducton Let V = {, n} be a vertex set and S a non-negatve row-stochastc matrx (.e. rows sum to ). V and S defne a dgraph G = G(V, S) and a drected

More information