Periodicity, Complementarity and Complexity of 2-adic FCSR Combiner Generators


S. Anand, AU-KBC Research Centre, MIT Campus of Anna University, Chromepet, Chennai, India
Gurumurthi V. Ramanan (corresponding author), AU-KBC Research Centre, MIT Campus of Anna University, Chromepet, Chennai, India

ABSTRACT

Feedback-with-carry shift registers (FCSRs) are nonlinear analogues of linear feedback shift registers (LFSRs). Like LFSRs, FCSRs are easy to implement and are important primitives in stream cipher design and pseudorandom number generation. In this paper, we investigate the properties of combiner generators that use two 2-adic feedback-with-carry shift registers as primitives. The combining function is simply the XOR function. This choice is motivated by an observation of Arnault and Berger on the high nonlinearity of the FCSR and that of Siegenthaler on the tradeoff between resilience and correlation immunity of boolean functions. When the two FCSRs have odd prime power connection integers with 2 as a primitive root, we determine the exact period of the output sequence. We also prove that if the prime factors of the connection integers of the two FCSRs belong to different equivalence classes modulo 4, then the output sequence is symmetrically complementary. We use this fact to derive upper bounds on the linear complexity and the 2-adic complexity of the output sequence of the FCSR-combiner.

Categories and Subject Descriptors: G.3 [Probability and Statistics]: Random Number Generation; E.3 [Data Encryption]; F.2.2 [Nonnumerical Algorithms and Problems]: Computations on discrete structures

General Terms: Theory, Security, Algorithms, Design

The results in this paper are part of the M.S. thesis done under the direction of the second author.
ASIACCS '06, March 21-24, 2006, Taipei, Taiwan. Copyright 2006 ACM.

Figure 1: Diagrammatic representation of a stream cipher (key, keystream-generating algorithm, infinite binary keystream, binary plaintext, ciphertext, and the interceptor or cryptanalyst).

Keywords: stream ciphers, feedback shift registers, combiners, FCSR, linear complexity, 2-adic complexity, ℓ-sequences, pseudorandom number generators

1. INTRODUCTION

Stream ciphers are private-key encryption algorithms that operate on the plaintext one bit or one machine word at a time. The structure of a stream cipher is shown diagrammatically in Figure 1, which is adapted from Beker and Piper [4]. The algorithm or keystream generator is usually a finite state machine such as one or more shift registers with additional boolean logic. The cryptanalyst is included in the diagram merely to indicate where interception is likely to occur. The initial state of the pseudorandom keystream generator represents the key of the stream cipher. The keystream is usually XOR-ed with the binary plaintext to give the ciphertext. Stream ciphers are extremely fast and easy to implement. In addition, they usually have very minimal memory and hardware resource requirements. Therefore stream ciphers are of great importance in applications where encryption speed is paramount and where area-constrained or memory-constrained devices make it impractical to use block ciphers. Stream ciphers have been especially popular in military communications since they offer a practical alternative to the one-time pad, albeit without its absolute security guarantee.
Conventional block encryption algorithms such as AES can also be used like a stream cipher by running them in one of the so-called feedback modes, namely, output feedback mode (OFB) and cipher feedback mode (CFB). However, an important point of difference between block ciphers used in feedback mode and stream ciphers is that in the latter there is no error propagation: any error in one of the ciphertext bits does not affect subsequent ciphertext bits. In many applications, the propagation of errors is undesirable, and in such situations stream ciphers are preferable to block ciphers. Examples of stream ciphers that have enjoyed widespread use include the A5 family of ciphers in GSM networks, the RC4 cipher in WEP, and the E0 cipher in Bluetooth.

Figure 2: Linear Feedback Shift Register (LFSR) over $\mathbb{F}_2$, with cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$ and tap coefficients $q_1, q_2, \ldots, q_{r-1}, q_r$.

The linear feedback shift register (LFSR, Figure 2) has remained the workhorse of stream cipher design for the past several decades. It is well-understood and easy to implement. The general theory of LFSR sequences is based on the algebra of finite fields. Excellent accounts of this theory may be found in the books of Golomb [8], Rueppel [19] and Beker and Piper [4]. A nonlinear, with-carry analogue of the LFSR was described independently by Marsaglia [16], Couture and L'Ecuyer [5], and Klapper and Goresky [12, 13]. Klapper and Goresky called this architecture the feedback-with-carry shift register (FCSR, Figure 3). The FCSR is a common generalisation of the well-known LFSR and other previously proposed pseudorandom number generators such as the linear congruential generator (LCG), the add-with-carry generator (AWC) and the multiply-with-carry generator (MWC). An FCSR is a feedback shift register that is similar to the LFSR except that it has a small amount of auxiliary memory, and the analysis of FCSRs is based on the arithmetic of 2-adic numbers. Like LFSRs, FCSRs are very fast and easy to implement in both software and hardware, and as such are important primitives in the design of stream ciphers [20].
One of the important measures of the security of a classical stream cipher is the linear complexity of the pseudorandom keystream generator used in its design. The linear complexity of a sequence is defined as the size of the smallest LFSR that generates the given sequence. Sequences of low linear complexity are susceptible to cryptanalysis via the Berlekamp-Massey algorithm. If a sequence $(a_i)_{i \ge 0}$ is the output of an LFSR with $r$ register cells, then the Berlekamp-Massey algorithm completely recovers the parameters, namely, the tap coefficients and the initial state of the LFSR, using just $2r$ consecutive elements of the sequence. Hence the LFSR cannot directly be used as a keystream generator in stream ciphers. By introducing suitable nonlinearities in the output or feedback function of the LFSR, it is often possible to increase the linear complexity and thus reduce the predictability of the generated sequence. A number of methods have been devised to increase the linear complexity of sequences by including nonlinear feedforward functions in an LFSR-based keystream generator. For example, two LFSR sequences $a$ and $b$ of periods $T_1$ and $T_2$ respectively may be combined using the XOR function to yield a new sequence $c$ of period $T$. In general, $n$ LFSRs may be combined using some nonlinear boolean function. Such a construction is called a combination generator or a combiner. There is a huge amount of literature on this subject, and such families of constructions as clock-controlled generators, combination generators and filter generators have been studied extensively [19, 20] over the last three decades. FCSR sequences share many of the important properties of LFSR sequences. In particular, they can be synthesised by a 2-adic analogue of the Berlekamp-Massey algorithm. This algorithm, due to de Weger [6], is based on the theory of approximation lattices of p-adic numbers and it gives rise to the notion of the 2-adic complexity (Definition 1) of a sequence.
The 2-adic complexity of the keystream is also an important measure of the security of a stream cipher. The existence of de Weger's algorithm implies that FCSRs too cannot be directly used as keystream generators in stream ciphers. This raises the interesting question of whether, in a manner that is analogous to the case of the LFSR, it is possible to increase the 2-adic complexity of FCSR sequences by introducing suitable boolean functions in the output of the FCSRs. This question has not received serious attention in the literature so far. Indeed, stream ciphers using FCSRs still remain largely unexplored [20]. To our knowledge, there have been only a handful of papers describing or analysing the properties of stream cipher designs based on FCSRs [1, 2, 3, 18, 22]. There have been no previous attempts to determine the period, linear complexity and 2-adic complexity of combiners using FCSRs. In this paper, we study the periodicity, symmetric complementarity, linear complexity and 2-adic complexity of combiner generators that use two 2-adic FCSRs as primitives and the XOR operation as the combining function. When the two FCSRs have odd prime power connection integers with 2 as a primitive root, we determine the period of the output sequence (Theorem 1). We prove that when the prime factors of the connection integers of the two FCSRs belong to different equivalence classes modulo 4, the output sequence is symmetrically complementary (Theorem 2). We use this property to derive upper bounds on the 2-adic complexity (Theorem 3) and the linear complexity (Theorem 4) of the output sequence of the FCSR-combiner. In the rest of this section we briefly review the basic theory of FCSRs and list some of the properties of FCSR sequences. We fix notation and recall some well-known facts in Section 2. Section 3 contains our main results on the period and complexity bounds of the combiner generator.

1.1 Review of 2-adic Numbers

The analysis of FCSRs is based on the arithmetic of 2-adic numbers. We will briefly review the concept of 2-adic numbers before describing the operation of the 2-adic FCSR. In 1904, Hensel introduced the concept of 2-adic, and in general p-adic, numbers for $p$ prime. A 2-adic number may be described as a binary number

$$\alpha = \cdots \alpha_3 \alpha_2 \alpha_1 \alpha_0 \,.\, \alpha_{-1} \alpha_{-2} \cdots \alpha_{-k} \qquad (1)$$

where $\alpha_i \in \{0, 1\}$, whose representation extends infinitely to the left of the binary point, but has only finitely many places to the right of the point. 2-adic numbers represented by equation (1) may also be thought of as formal power series

$$\alpha = \sum_{i \ge -k} \alpha_i 2^i, \qquad (2)$$

where $\alpha_i \in \{0, 1\}$. When there are no non-zero bits to the right of the binary point (i.e., $k = 0$), the 2-adic numbers are called 2-adic integers,

$$\mathbb{Z}_2 = \Big\{ \sum_{i \ge 0} \alpha_i 2^i \;:\; \alpha_i \in \{0, 1\} \Big\}. \qquad (3)$$

The set of 2-adic integers is denoted by $\mathbb{Z}_2$. It forms a ring with additive identity 0 and multiplicative identity 1. Addition in $\mathbb{Z}_2$ is performed by carrying overflow bits to higher order terms, so that $2^i + 2^i = 2^{i+1}$. It may be useful for some readers to think of the 2-adic numbers as a 2's complement number system in which the numbers extend infinitely to the left of the point.
Using the fact that in $\mathbb{Z}_2$, $1 - 1 = 0$, it is easy to see that (4)

From the binary (base-2) representation of positive integers, it is clear that $\mathbb{Z}_2$ contains all positive integers. The identity

$$-\alpha = (-1)\alpha = (-1)(\alpha_0 + \alpha_1 2 + \cdots + \alpha_r 2^r) \qquad (5)$$

shows that $\mathbb{Z}_2$ contains the negative integers. In general, for an arbitrary 2-adic number $\alpha$, the additive inverse $-\alpha$ can be calculated as follows. Expressing $\alpha$ in the form $\alpha = 2^r \big(1 + \sum_{i \ge 1} \alpha_i 2^i\big)$, where $r$ is an integer, we have

$$-\alpha = 2^r \Big(1 + \sum_{i \ge 1} \bar{\alpha}_i 2^i\Big), \qquad (6)$$

where $\bar{\alpha}_i$ denotes the complementary bit, $\alpha_i + \bar{\alpha}_i = 1$. When $k \ne 0$ is allowed in equation (2), the set of 2-adic numbers is denoted by $\mathbb{Q}_2$ and it forms a field under the operations of addition and multiplication. $\mathbb{Q}_2$ contains $\mathbb{Z}_2$ as a subring. Below are some examples of the 2-adic expansions of integers and rationals.

Example 1. We give the 2-adic representation of the numbers $1/7$, $-1/7$, $9/2$, and ... (7)

Note that $1/7$ and $-1/7$ are 2-adic integers, whereas $9/2$ and ... are 2-adic rationals. The rational number $1/7$ has an eventually periodic 2-adic expansion and $-1/7$ has a strictly periodic 2-adic expansion. In both these cases, note that the period is just the multiplicative order of 2 in the field $\mathbb{Z}/7\mathbb{Z}$.

In $\mathbb{Z}_2$, the ring of 2-adic integers, every odd integer $\alpha \in \mathbb{Z}$ has a unique multiplicative inverse. Thus, the ring $\mathbb{Z}_2$ contains every rational number $p/q$ provided $q$ is odd. In fact

$$\mathbb{Z}_2 = \Big\{ \frac{p}{q} \;:\; p, q \in \mathbb{Z},\ q \ne 0 \text{ and } q \text{ is odd} \Big\}. \qquad (8)$$

This gives an alternative description of $\mathbb{Z}_2$. These ideas may be extended to develop the theory of p-adic and N-adic numbers. We have given a very sketchy account of the theory of 2-adic numbers. For a comprehensive treatment, we refer to the books by Koblitz [14], Mahler [15] and Gouvêa [10].

1.2 The 2-adic FCSR

The operation of the FCSR may be briefly described as follows. For details, the reader is referred to the original paper of Klapper and Goresky [13]. Fix an odd positive integer $q$ and let

$$q + 1 = q_1 2 + q_2 2^2 + \cdots + q_r 2^r \qquad (9)$$

be the binary expansion of $q + 1$, where $r = \lfloor \log_2 (q + 1) \rfloor$ and $q_i \in \{0, 1\}$.
Then the 2-adic FCSR with connection integer $q$ has $r$ stages and feedback connection coefficients (also referred to as tap coefficients or taps) given by the bits $\{q_1, q_2, \ldots, q_r\}$ of equation (9). This is shown in Figure 3. By letting $q_0 = -1$, we may write

$$q = \sum_{i=0}^{r} q_i 2^i. \qquad (10)$$

Let the contents of the main shift register cells be denoted by $a_{n-1}, a_{n-2}, \ldots, a_{n-r} \in \{0, 1\}$ and let the initial memory be denoted by $m_{n-1} \in \mathbb{Z}$. The contents of the main shift register and the contents of the memory register together represent the state of the FCSR. With reference to Figure 3, the operation of the 2-adic FCSR is given by iterating the following steps:

A1. Form the integer sum $\sigma_n = \sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}$.

A2. Shift the contents one step to the right and output the rightmost bit $a_{n-r}$.

A3. Place $a_n = \sigma_n \bmod 2$ into the leftmost cell of the shift register.

A4. Replace the memory integer $m_{n-1}$ with $m_n = (\sigma_n - a_n)/2 = \lfloor \sigma_n / 2 \rfloor$.

Figure 3: 2-adic Feedback-with-Carry Shift Register (FCSR), with memory $m_{n-1}$, cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$, taps $q_1, q_2, \ldots, q_{r-1}, q_r$, the integer adder $\Sigma$, and its "mod 2" and "div 2" outputs.

The FCSR sequence is thus the unique solution to the with-carry linear recurrence

$$a_n + 2 m_n = q_1 a_{n-1} + q_2 a_{n-2} + \cdots + q_r a_{n-r} + m_{n-1} \qquad (11)$$

for $n \ge r$. In solving the recurrence (11), we first compute the right hand side as an integer $\sigma_n \in \mathbb{Z}$, then obtain $a_n$ by reducing $\sigma_n$ modulo 2, and then compute the new memory $m_n$ as $\lfloor \sigma_n / 2 \rfloor$. There are three alternative ways in which such an FCSR sequence may be described. First, it is the output of an FCSR with $r$ main register cells, tap coefficients given by the $q_i$'s and the initial state given by the $a_i$'s and $m_{r-1}$. The output sequence of the FCSR is obtained by iterating steps A1-A4. The connection integer of this FCSR is given by equation (10). Secondly, it is the coefficient sequence of the 2-adic expansion of the rational number

$$\frac{p}{q} = a_0 + a_1 2 + a_2 2^2 + \cdots \qquad (12)$$

where the numerator is given by

$$p = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} 2^j - m_{r-1} 2^r. \qquad (13)$$

Thirdly, FCSR sequences also possess an exponential representation in which the general term may be written as

$$a_n = \big(a \delta^n \ (\mathrm{mod}\ q)\big) \ (\mathrm{mod}\ 2) \qquad (14)$$

where $\delta = 2^{-1} \pmod q$ and $a \in \mathbb{Z}/(q)$ is an element that depends upon the initial state. In the right hand side of equation (14), the quantity $a \delta^n$ is first reduced modulo $q$ and represented as an integer in the range $\{0, 1, \ldots, q-1\}$, and then this integer is reduced modulo 2. It is clear that the connection integer $q$ of an FCSR depends only upon the tap coefficients, and that for a fixed $q$, the numerator in equation (12) depends only upon the register contents and the memory. Thus in equations (12) and (13), $p$ represents the state of the FCSR. Properties of the FCSR such as period and distribution properties of the output are independent of the state of the FCSR and are determined by $q$ alone. The equations (12), (13) and (14) also show how the state changes due to one iteration of steps A1-A4.
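Steps A1-A4 together with the three representations (11)-(14) above, carried out in Python as an added example (not code from the paper). The inputs are constructed: $q = 5$ with cells $(a_1, a_0) = (1, 1)$ and memory 0, and $q = 13$ with cells $(1, 0, 1)$; the relation $a = -p \bmod q$ that links the exponential representation (14) to the rational $p/q$ is assumed from standard 2-adic FCSR theory rather than taken from the page.

```python
"""2-adic FCSR: steps A1-A4 checked against the rational representation
(equations (12), (13)) and the exponential representation (equation (14)).

Added example, not code from the paper.  Conventions follow the text: q is
odd, q + 1 = sum_{i=1}^{r} q_i 2^i gives the taps, q_0 = -1, and the initial
state is (a_{r-1}, ..., a_0; m_{r-1}).  The correspondence a = -p mod q used
in exponential() is assumed from 2-adic FCSR theory, not stated on the page.
"""


def taps(q):
    """Tap bits [q_1, ..., q_r] from the binary expansion of q + 1 (equation (9))."""
    v = q + 1
    r = v.bit_length() - 1              # r = floor(log2(q + 1))
    return [(v >> i) & 1 for i in range(1, r + 1)]


def fcsr(q, register, memory, n_bits):
    """Iterate steps A1-A4; return the output bits a_0, a_1, ..., a_{n_bits-1}.

    register lists the main cells leftmost first, i.e. [a_{r-1}, ..., a_0];
    memory is the initial memory integer m_{r-1}.
    """
    qs = taps(q)
    r = len(qs)
    if len(register) != r:
        raise ValueError("register must have r = %d cells" % r)
    cells = list(register)
    m = memory
    out = []
    for _ in range(n_bits):
        # A1: sigma_n = sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}
        sigma = sum(qs[k] * cells[k] for k in range(r)) + m
        # A2: shift right; the rightmost cell a_{n-r} is the output bit
        out.append(cells.pop())
        # A3: a_n = sigma_n mod 2 enters the leftmost cell
        a_n = sigma % 2
        cells.insert(0, a_n)
        # A4: m_n = (sigma_n - a_n) / 2 = floor(sigma_n / 2)
        m = (sigma - a_n) // 2
    return out


def numerator(q, register, memory):
    """Equation (13): p = sum_{j<r} sum_{i<=j} q_i a_{j-i} 2^j - m_{r-1} 2^r."""
    qs = [-1] + taps(q)                 # qs[i] = q_i with q_0 = -1
    r = len(qs) - 1
    a = list(reversed(register))        # a[0] = a_0, ..., a[r-1] = a_{r-1}
    p = 0
    for j in range(r):
        p += sum(qs[i] * a[j - i] for i in range(j + 1)) << j
    return p - (memory << r)


def two_adic_expansion(p, q, n_bits):
    """First n_bits of the 2-adic expansion of p/q, q odd (equation (12)).
    Since q is odd, the low bit of p/q equals the low bit of p."""
    out = []
    for _ in range(n_bits):
        bit = p & 1
        out.append(bit)
        p = (p - bit * q) // 2          # exact: p - bit*q is even
    return out


def strictly_periodic(p, q):
    """Fact 2 of Section 1.3: strictly periodic iff -q < p <= 0."""
    return -q < p <= 0


def exponential(q, p, n_bits):
    """Equation (14): a_n = (a delta^n mod q) mod 2, delta = 2^{-1} mod q,
    for a strictly periodic state, with a = -p mod q (assumed correspondence)."""
    if not strictly_periodic(p, q):
        raise ValueError("exponential representation needs -q < p <= 0")
    delta = pow(2, -1, q)
    a = (-p) % q
    return [((a * pow(delta, n, q)) % q) % 2 for n in range(n_bits)]


if __name__ == "__main__":
    # Constructed state: q = 5 (taps q_1 = q_2 = 1), cells (a_1, a_0) = (1, 1), memory 0.
    q, reg, mem = 5, [1, 1], 0
    p = numerator(q, reg, mem)          # -1, so the output is the expansion of -1/5
    bits = fcsr(q, reg, mem, 12)
    assert bits == two_adic_expansion(p, q, 12) == exponential(q, p, 12)
    print(p, q, bits)                   # -1 5 [1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0]
```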
In every iteration, $q$ remains fixed, but as the contents of the register change, $p$ cycles through the different states of the FCSR. The change of state due to one iteration of steps A1-A4 is given by the following relation: if $p$ is the current state, the next state is simply $\delta p \pmod q$. This follows from the exponential representation of an FCSR sequence.

1.3 Properties of 2-adic FCSR Sequences

Let $\mathbb{Z}_2$ denote the ring of 2-adic integers. The following facts are known about the 2-adic FCSR:

1. (Klapper and Goresky [13]) If a sequence $a = (a_i)_{i \ge 0}$ is the output of a 2-adic FCSR with odd connection integer $q$, then $a$ is eventually periodic and is the 2-adic expansion of a rational number $\alpha = p/q \in \mathbb{Z}_2$. Conversely, every eventually periodic binary sequence can be associated with a 2-adic integer $\alpha = p/q \in \mathbb{Z}_2$, where $q$ is odd, and the sequence is the output of a 2-adic FCSR with connection integer $q$. Thus there is a one-to-one correspondence between rational numbers $p/q$ with $q$ odd and eventually periodic sequences generated by a 2-adic FCSR. Every 2-adic FCSR is completely characterised by the rational number whose 2-adic expansion coincides with the output of the FCSR.

2. (Klapper and Goresky [13]) If $\alpha = p/q \in \mathbb{Z}_2$ is the 2-adic number associated with the output sequence of a 2-adic FCSR, then the sequence is strictly periodic if and only if $-q < p \le 0$. If this condition is not satisfied, then the sequence is eventually periodic and has a transient prefix.

3. (Gauß [7]) If $\alpha = p/q \in \mathbb{Z}_2$ is the 2-adic number associated with the output sequence of a 2-adic FCSR, then the period of the sequence is the multiplicative order of 2 modulo $q$.

4. (Klapper and Goresky [13]) If $\alpha = p/q \in \mathbb{Z}_2$, and if 2 is a primitive root modulo $q$, then the period of the FCSR sequence with connection integer $q$ is maximal and equal to $|(\mathbb{Z}/q\mathbb{Z})^*| = \varphi(q)$, where $\varphi$ denotes Euler's totient function. Such a sequence is called an ℓ-sequence, in analogy with the m-sequence of LFSR theory.

5. (Goresky and Klapper [9]) Every binary ℓ-sequence of period $2t$, where $t$ is a positive integer, has the property that the second half of any segment of length $2t$ is the bit-wise complement of the first half. This property is known as the symmetrical complementarity property. The converse is not true: not every symmetrically complementary sequence is an ℓ-sequence. For example, when $q = 17$, the FCSR sequence is symmetrically complementary, but it is not an ℓ-sequence because 2 is not primitive modulo 17 and the period of the sequence is only 8. The precise characterisation of symmetrically complementary FCSR sequences is given by the following result.

6. (Mittelbach and Finger [18]) Any strictly periodic sequence generated by a 2-adic FCSR with connection integer $q$ is symmetrically complementary if and only if $q$ divides $2^{T/2} + 1$, where $T$ is the period of the sequence.

7. (Goresky and Klapper [9]) Every binary ℓ-sequence generated by a 2-adic FCSR with connection integer $q$ possesses the nearly de Bruijn property, which states that in any given period of the sequence, every binary string of length $\lfloor \log_2 q \rfloor$ occurs at least once and every binary string of length $\lfloor \log_2 q \rfloor + 1$ occurs at most once.

8. (Xu [23]) The linear complexity of an ℓ-sequence of period $2t$ is at most $t + 1$.

Figure 4: 2-adic FCSR combiner with XOR combiner function (FCSR 1 produces $a$, FCSR 2 produces $b$, and the output $c = a \oplus b$ is labelled with its rational $-p/q$ and period $T$).

2. COMBINERS USING TWO FCSRS AND THE XOR FUNCTION

In this paper, we consider combiner generators that use two 2-adic FCSRs as primitives and the bit-wise XOR operation as the combining function. A schematic diagram depicting the generator is shown in Figure 4. Our aim is to study the properties of the sequences generated by these combiners in terms of their period and complexity. According to Arnault and Berger [2], the feedback function of the FCSR is highly nonlinear and hence FCSR sequences are resistant to linear attacks such as the Berlekamp-Massey algorithm. They state that therefore linear functions are adequate to mask the 2-adic structure of the FCSR and to protect against 2-adic attacks such as de Weger's algorithm. Further, in the light of the tradeoff observed by Siegenthaler [21] between algebraic degree and resilience, it is clear that linear functions are optimal from the point of view of resilience and that linear functions provide some measure of immunity against certain correlation attacks. Linear functions are also easy to implement.
For these reasons, we simply choose our combining function to be the XOR function. Let $x, y \in \{0, 1\}$ and let the symbol $\oplus$ denote the XOR function or addition modulo 2. We denote complementation by a bar, $\bar{x}$. It is easy to verify the following two facts about the XOR function from the extended truth table shown in Table 1:

Fact 1. $\bar{x} \oplus y = x \oplus \bar{y} = \overline{x \oplus y}$.

Fact 2. $\bar{x} \oplus \bar{y} = x \oplus y$.

With reference to the combiner in Figure 4, we now fix the notation for the rest of this paper. Let $r_1$ and $r_2$ be two odd primes, not necessarily distinct. Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where $e_1, e_2 > 0$ and such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $a := (a_i)_{i \ge 0}$ and $b := (b_i)_{i \ge 0}$ be two strictly periodic binary sequences generated by 2-adic FCSRs with connection integers $q_1$ and $q_2$, respectively. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of the two sequences $a$ and $b$ respectively and let $L = \mathrm{lcm}(T_1, T_2)$. Let $c := (c_i)_{i \ge 0} := a \oplus b := (a_i \oplus b_i)_{i \ge 0}$ be the output sequence obtained by computing the elementwise exclusive-or of $a$ and $b$. Let $T$ be the period of the sequence $c$ and let $p/q$ be the rational number in lowest terms whose 2-adic expansion coincides with the sequence $c$.

3. MAIN RESULTS

Before we proceed to discuss the main theorems, we need a couple of useful lemmas. The first of these is a well-known fact that can be easily derived from the results in any introductory textbook on number theory, for example from Theorem 95 of Hardy and Wright [11]. We include the proof of Lemma 1 here for the sake of completeness.

Lemma 1. Let $q = r^e$ be a power of an odd prime $r$ such that 2 is a primitive root modulo $q$. Then $r$ is of the form $4k \pm 1$ where $k$ is odd.

Proof. The proof is by contradiction. Suppose $r = 4k \pm 1$ where $k$ is even. Then $r = 4k \pm 1 = 8k' \pm 1$ for some integer $k'$. Consider the quadratic character of 2 modulo $q$.
We know from Euler's criterion on quadratic residues that

$$\Big(\frac{2}{p}\Big) = 2^{\varphi(p)/2} \equiv \pm 1 \pmod p$$

for any prime $p$, where the sign is taken according as $p \equiv \pm 1 \pmod 8$ or $p \equiv \pm 3 \pmod 8$, and where $\varphi$ denotes Euler's totient function. Since $r = 8k' \pm 1$, this implies that $2^{\varphi(r)/2} \equiv +1 \pmod r$ and that 2 is a quadratic residue modulo $r$. Therefore 2 is also a quadratic residue modulo $q$ and $2^{\varphi(q)/2} \equiv +1 \pmod q$. But this contradicts the fact that if 2 is a primitive root modulo $q$ then $2^i \equiv +1 \pmod q$ for no $i < \varphi(q)$. Hence $k$ cannot be even. □

Table 1: Truth table for the XOR function

| $x$ | $y$ | $x \oplus y$ | $\bar{x} \oplus y$ | $x \oplus \bar{y}$ | $\bar{x} \oplus \bar{y}$ |
| 0 | 0 | 0 | 1 | 1 | 0 |
| 0 | 1 | 1 | 0 | 0 | 1 |
| 1 | 0 | 1 | 0 | 0 | 1 |
| 1 | 1 | 0 | 1 | 1 | 0 |

Lemma 2. Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two powers of odd primes $r_1$ and $r_2$ such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$, $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ and let $L = \mathrm{lcm}(T_1, T_2)$.

i. If $r_1 \not\equiv r_2 \pmod 4$ and if $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$, then $L/T_1$ is odd and $L/T_2$ is even.

ii. If $r_1 \equiv r_2 \pmod 4$, then both $L/T_1$ and $L/T_2$ are odd.

Proof. (i.) We have $L = \mathrm{lcm}(T_1, T_2) = T_1 T_2 / \gcd(T_1, T_2)$. Therefore,

$$\frac{L}{T_2} = \frac{T_1}{\gcd(T_1, T_2)} = \frac{4k_1 (4k_1 + 1)^{e_1 - 1}}{\gcd\big(4k_1 (4k_1 + 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\big)} = \frac{2k_1 (4k_1 + 1)^{e_1 - 1}}{\gcd\big(2k_1 (4k_1 + 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big)}.$$

This is clearly an even number, since the denominator is odd and therefore divides $k_1 (4k_1 + 1)^{e_1 - 1}$ (by Lemma 1). By similar arguments, $L/T_1$ can also be seen to be an odd number.

(ii.) We can prove this for both $r_1 \equiv r_2 \equiv 1 \pmod 4$ and $r_1 \equiv r_2 \equiv -1 \pmod 4$ by using Lemma 1 in an argument similar to the one above.

Case 1. $r_1 \equiv r_2 \equiv +1 \pmod 4$:

$$\frac{L}{T_1} = \frac{T_2}{\gcd(T_1, T_2)} = \frac{4k_2 (4k_2 + 1)^{e_2 - 1}}{\gcd\big(4k_1 (4k_1 + 1)^{e_1 - 1},\ 4k_2 (4k_2 + 1)^{e_2 - 1}\big)} = \frac{k_2 (4k_2 + 1)^{e_2 - 1}}{\gcd\big(k_1 (4k_1 + 1)^{e_1 - 1},\ k_2 (4k_2 + 1)^{e_2 - 1}\big)}.$$

This is odd since $k_1$ and $k_2$ are both odd by Lemma 1. Similarly, $L/T_2$ is also odd.

Case 2. $r_1 \equiv r_2 \equiv -1 \pmod 4$:

$$\frac{L}{T_1} = \frac{T_2}{\gcd(T_1, T_2)} = \frac{(4k_2 - 2)(4k_2 - 1)^{e_2 - 1}}{\gcd\big((4k_1 - 2)(4k_1 - 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\big)} = \frac{(2k_2 - 1)(4k_2 - 1)^{e_2 - 1}}{\gcd\big((2k_1 - 1)(4k_1 - 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big)}.$$

This is clearly again an odd number. Similarly, we can prove that $L/T_2$ is also odd. □

Under the same assumptions as in Lemma 2, consider the expression $(T_1 - T_2) \pmod 4$. Without loss of generality, assume that $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$. Then

$$T_1 = (r_1 - 1) r_1^{e_1 - 1} = 4k_1 (4k_1 + 1)^{e_1 - 1}$$

and

$$T_2 = (r_2 - 1) r_2^{e_2 - 1} = (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}.$$

Therefore,

$$T_1 - T_2 = 2\big[2k_1 (4k_1 + 1)^{e_1 - 1} - (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big].$$

The first term inside the square brackets is even while the second term is odd. This implies that $T_1 - T_2 = 2m$ where $m$ is some odd integer. Therefore we must have

$$T_1 - T_2 \equiv 2 \pmod 4. \qquad (15)$$

We will need equation (15) in the proof of Theorem 1, which establishes the exact period of the XOR-combination of two ℓ-sequences.

3.1 Period of the Output Sequence

Theorem 1. Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where $e_1, e_2 > 0$, such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $a := (a_i)_{i \ge 0}$ and $b := (b_i)_{i \ge 0}$ be two strictly periodic binary sequences generated by 2-adic FCSRs with connection integers $q_1$ and $q_2$, and $c := (c_i)_{i \ge 0} := a \oplus b := (a_i \oplus b_i)_{i \ge 0}$.
Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of the two sequences $a$ and $b$ respectively and let $L = \mathrm{lcm}(T_1, T_2)$. If $r_1 \not\equiv r_2 \pmod 4$, then the sequence $c$ has period $L$; if $r_1 \equiv r_2 \pmod 4$, then the sequence $c$ has period $L/2$.

Proof. The sequence $a$ is an ℓ-sequence and is symmetrically complementary. By Fact 5 of Section 1.3, the sequence $a$ has the following properties:

$$a_i = a_{i + (2n) T_1/2} \quad \text{and} \quad a_i = \bar{a}_{i + (2n+1) T_1/2}, \qquad i = 0, 1, 2, \ldots \qquad (16)$$

for any fixed integer $n \ge 0$. Similarly, for the sequence $b$ we have

$$b_i = b_{i + (2n) T_2/2} \quad \text{and} \quad b_i = \bar{b}_{i + (2n+1) T_2/2}, \qquad i = 0, 1, 2, \ldots \qquad (17)$$

for any fixed integer $n \ge 0$. Let the period of the sequence $c$ be denoted by $T$.

Case 1. $r_1 \equiv r_2 \pmod 4$. We will prove that $T = L/2$ by first showing that $T \mid L/2$ and then by proving that $L/2 \mid T$. By Lemma 2, when $r_1 \equiv r_2 \pmod 4$, both $L/T_1$ and $L/T_2$ are odd. Putting $2n + 1 = L/T_1$ and $2n + 1 = L/T_2$ in equations (16) and (17) respectively, we have $a_i = \bar{a}_{i + L/2}$ and $b_i = \bar{b}_{i + L/2}$ for every $i \ge 0$. That is,

$$c_i = a_i \oplus b_i = \bar{a}_{i + L/2} \oplus \bar{b}_{i + L/2} = a_{i + L/2} \oplus b_{i + L/2} = c_{i + L/2}. \qquad (18)$$

Hence $T$, which is the smallest period of the sequence $c$, must divide $L/2$. On the other hand, if $T$ is the period, $c_i = c_{i+T}$ for every $i \ge 0$. This implies that $a_i = a_{i+T}$ and $b_i = b_{i+T}$, or that $a_i = \bar{a}_{i+T}$ and $b_i = \bar{b}_{i+T}$. In either case, $T$ is a common multiple of $T_1/2$ and $T_2/2$. Since $L/2$ is the least common multiple of $T_1/2$ and $T_2/2$, we must have $L/2 \mid T$. Therefore, $T = L/2$.

Case 2. $r_1 \not\equiv r_2 \pmod 4$. We will prove that $T = L$ by first showing that $T \mid L$ and then by showing that $L \mid T$. First, note that since $L$ is a multiple of both $T_1$ and $T_2$, we must have $a_i = a_{i+L}$ and $b_i = b_{i+L}$ for every $i \ge 0$. Hence $c_i := a_i \oplus b_i = a_{i+L} \oplus b_{i+L} =: c_{i+L}$ for every $i \ge 0$, and since $T$ is the (smallest) period of $c$, $T \mid L$. On the other hand, if $T$ is the period of the sequence $c$, then $c_i = c_{i+T}$ for every $i \ge 0$, which implies either that $a_i \oplus b_i = a_{i+T} \oplus b_{i+T}$ or that $a_i \oplus b_i = \bar{a}_{i+T} \oplus \bar{b}_{i+T}$ (by Fact 2) for every $i \ge 0$. This implies either that $a_i = a_{i+T}$ and $b_i = b_{i+T}$, or that $a_i = \bar{a}_{i+T}$ and $b_i = \bar{b}_{i+T}$, for all $i \ge 0$. Suppose the latter holds. Then $T$ must be an odd multiple of $T_1/2$ as well as of $T_2/2$. That is, $T = (2m_1 + 1) T_1/2$ and $T = (2m_2 + 1) T_2/2$ for some integers $m_1$ and $m_2$. Hence $(2m_1 + 1) T_1/2 = (2m_2 + 1) T_2/2$, which implies $2m_1 T_1 + T_1 = 2m_2 T_2 + T_2$. Therefore, we must have $T_2 - T_1 = 2(m_1 T_1 - m_2 T_2) \equiv 0 \pmod 4$, since $T_1$ and $T_2$ are even. This contradicts the fact that if $r_1 \not\equiv r_2 \pmod 4$, we must have $T_2 - T_1 \equiv 2 \pmod 4$ (by equation (15)). Therefore, $T$ cannot be an odd multiple of $T_1/2$ and $T_2/2$. We consider the other possibility, that $T$ is an even multiple of $T_1/2$ and $T_2/2$. This implies that $T = 2m_1 T_1/2$ and $T = 2m_2 T_2/2$ for some integers $m_1$ and $m_2$. Therefore, $T$ is a common multiple of both $T_1$ and $T_2$. Since $L$ is the least common multiple of $T_1$ and $T_2$, it must divide any common multiple of $T_1$ and $T_2$. Therefore, $L \mid T$. Since we have already proved that $T \mid L$, this means that $T = L$. □

We have established that the period $T$ of the FCSR XOR-combiner is

$$T = \begin{cases} T_1 T_2 / \gcd(T_1, T_2), & \text{if } r_1 \not\equiv r_2 \pmod 4, \\ T_1 T_2 / \big(2 \gcd(T_1, T_2)\big), & \text{if } r_1 \equiv r_2 \pmod 4. \end{cases} \qquad (19)$$

We may say that combining two ℓ-sequences using the XOR function yields a sequence whose period is approximately the product of the periods of the individual ℓ-sequences. To maximise the period of the output sequence, $r_1$ and $r_2$ must be chosen so that they do not belong to the same equivalence class modulo 4. For proper choices of $r_1$ and $r_2$, the period of the XOR-combiner can be made as large as $T_1 T_2 / 2$.

3.2 Complementarity of the Output Sequence

In the next theorem, we prove that if $r_1 \not\equiv r_2 \pmod 4$, the output sequence of the combiner considered in Figure 4 is symmetrically complementary.

Theorem 2. Let all assumptions be the same as in Theorem 1. If $r_1 \not\equiv r_2 \pmod 4$, then the sequence $c$ is symmetrically complementary.

Proof. When $r_1 \not\equiv r_2 \pmod 4$, $L/T_1$ is odd and $L/T_2$ is even by Lemma 2.
Therefore, from equations (16) and (17), $a_i = \bar{a}_{i + L/2}$ and $b_i = b_{i + L/2}$ for every $i \ge 0$, which implies that

$$c_i = a_i \oplus b_i = \bar{a}_{i + L/2} \oplus b_{i + L/2}, \qquad (20)$$

for $i = 0, 1, 2, \ldots$. By Fact 1 about the bit-wise XOR operation we now have

$$c_i = \bar{a}_{i + L/2} \oplus b_{i + L/2} = \overline{a_{i + L/2} \oplus b_{i + L/2}} = \bar{c}_{i + L/2}, \qquad (21)$$

for $i = 0, 1, 2, \ldots$. Since we know from Theorem 1 that the sequence $c$ has period $L$, equation (21) implies that $c$ is symmetrically complementary. □

3.3 2-adic Complexity of the Output Sequence

Before we prove upper bounds on the 2-adic complexity of the output sequence, we first define the 2-adic complexity of a binary sequence following Xu's definition of N-adic complexity [23]. Let $s := s_0 s_1 s_2 \ldots$ be an infinite periodic binary sequence and let $\sum_{i \ge 0} s_i 2^i = p/q \in \mathbb{Z}_2$ be the fraction in lowest terms whose 2-adic expansion agrees with the sequence $s$.

Definition 1. The 2-adic complexity of the sequence $s$ is the integer $\varphi(s) = \max\big(\lfloor \log_2 |p| \rfloor, \lfloor \log_2 |q| \rfloor\big)$.

If the sequence $s$ is strictly periodic, then $p/q < 0$ and $|p| < |q|$, so that $\varphi(s)$ is simply equal to $\lfloor \log_2 |q| \rfloor$. We determine an upper bound on the 2-adic complexity of the FCSR XOR-combiner in the following theorem.

Theorem 3. Let all assumptions be the same as in Theorem 1. If $r_1 \not\equiv r_2 \pmod 4$, the 2-adic complexity of the output sequence $c$ of the FCSR combiner, denoted by $\varphi(c)$, satisfies $\varphi(c) < L/2 + 1 = T/2 + 1$. If $r_1 \equiv r_2 \pmod 4$, the 2-adic complexity of the sequence $c$ satisfies $\varphi(c) < L/2 = T$.

Proof. Let $q$ be the denominator of the fraction, expressed in lowest terms, whose 2-adic expansion agrees with the sequence $c$. Let $T$ be the period of the sequence $c$. If $r_1 \not\equiv r_2 \pmod 4$, then by Theorem 2 and by Fact 6 about FCSR sequences, we must have $q \mid 2^{T/2} + 1$. We also know by Theorem 1 that $T = L$. Therefore, $q \mid 2^{L/2} + 1$. The maximum value of $q$ occurs when $q = 2^{L/2} + 1$, and in such a case $\varphi(c) = \lfloor \log_2 q \rfloor < L/2 + 1$. If $r_1 \equiv r_2 \pmod 4$, then the period of the output sequence $c$ is $T = L/2$. We know that for any sequence of period $T$, $q \mid 2^T - 1$, and the maximum value of $q$ for a given $T$ occurs when $q = 2^T - 1$.
Hence, $\varphi(c) = \lfloor \log_2 q \rfloor < L/2$. □

Even though it seems to be difficult to prove a lower bound on the 2-adic complexity of the XOR combiner, numerical experiments point to a lower bound of $L/2 - \max(\varphi(a), \varphi(b))$ when $r_1 \equiv r_2 \pmod 4$. In this context, we point out that for a fixed pair of connection integers $(q_1, q_2)$ of the type considered in this paper, most of the output sequences attain the upper bound on the 2-adic complexity. Numerical experiments also show that for most such pairs of connection integers, all output sequences attain the upper bound. We observe from Theorem 1 and Theorem 3 that in both cases, $r_1 \equiv r_2 \pmod 4$ and $r_1 \not\equiv r_2 \pmod 4$, the period of the output sequence grows roughly quadratically with the periods of the input sequences. However, for the case $r_1 \not\equiv r_2 \pmod 4$, due to the symmetric complementarity of the output sequence, its 2-adic complexity bound is half of the period; for the case $r_1 \equiv r_2 \pmod 4$ the 2-adic complexity bound is the period of the output sequence. This leads to the following design principle: if what we desire are large period sequences without regard to 2-adic complexity, then it is better to choose $r_1 \not\equiv r_2 \pmod 4$; however, if we desire sequences with 2-adic complexity that is large compared to the period, then it is better to choose $r_1 \equiv r_2 \pmod 4$.

3.4 Linear Complexity of the Output Sequence

We now turn to the problem of determining an upper bound on the linear complexity of the FCSR combiner of Figure 4.

Theorem 4. Let all assumptions be the same as in Theorem 1. The linear complexity of the sequence $c$ is at most $(T_1 + T_2)/2 + 2$.

Proof. From the result of Xu [23, Corollary 2.5.2] specialised to the 2-adic case, we know that the linear complexities of the individual ℓ-sequences are bounded above by $T_1/2 + 1$ and $T_2/2 + 1$, where the $T_i$'s are the periods of the individual ℓ-sequences.
From the work of Massey [17] it is well known that the linear complexity of a linear combination of sequences is at most the sum of their linear complexities. Applying this result, we see that the linear complexity of the FCSR XOR combiner is at most the sum of the linear complexities of the individual FCSRs.
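As an added example (not code from the paper or its authors), the following Python script checks the statements of this section on small prime connection integers. It builds each FCSR output sequence as the 2-adic expansion of $-1/q$ using the closed form $s_i = (2^{-i} \bmod q) \bmod 2$ (an ℓ-sequence when 2 is a primitive root modulo $q$), XORs the two sequences, and then tests the period and symmetric complementarity of $c$ (Equation (21)), the 2-adic complexity of Definition 1 against the bound of Theorem 3, and the linear complexity, computed with the Berlekamp-Massey algorithm over two periods, against the bound of Theorem 4. It assumes $L = \mathrm{lcm}(T_1, T_2)$ and that $q_1, q_2$ are primes, so that $r_i = q_i$; the sample pairs and all function names are our own.

```python
"""Added example: checking the FCSR XOR-combiner results on small primes.

Assumptions (ours, not the paper's): each FCSR sequence is the 2-adic
expansion of -1/q for an odd prime q with 2 as a primitive root, and the
combined sequence has period L = lcm(T1, T2).  All names are our own.
"""
from fractions import Fraction
from math import gcd, log2


def ord2(q):
    """Multiplicative order of 2 modulo the odd integer q > 1 (period of -1/q)."""
    t, x = 1, 2 % q
    while x != 1:
        x, t = 2 * x % q, t + 1
    return t


def ell_sequence(q, n):
    """First n bits of the 2-adic expansion of -1/q: bit i = (2^-i mod q) mod 2."""
    inv2 = pow(2, ord2(q) - 1, q)            # 2^(T-1) = 2^-1 (mod q)
    x, bits = 1, []
    for _ in range(n):
        bits.append(x & 1)
        x = x * inv2 % q
    return bits


def xor_combiner(q1, q2):
    """One L-period of c = a XOR b, with L = lcm(T1, T2) (assumed period)."""
    t1, t2 = ord2(q1), ord2(q2)
    L = t1 * t2 // gcd(t1, t2)
    return L, [x ^ y for x, y in zip(ell_sequence(q1, L), ell_sequence(q2, L))]


def minimal_period(bits):
    """Smallest period of a sequence given as exactly one (maybe non-minimal) period."""
    n = len(bits)
    return next(d for d in range(1, n + 1)
                if n % d == 0 and all(bits[i] == bits[i % d] for i in range(n)))


def is_symmetrically_complementary(bits, T):
    """c_{i+T/2} is the complement of c_i for every i (Equation (21))."""
    if T % 2:
        return False
    n, h = len(bits), T // 2
    return all(bits[(i + h) % n] == 1 - bits[i] for i in range(T))


def two_adic_fraction(bits, T):
    """p/q in lowest terms whose 2-adic expansion is the strictly periodic
    sequence: sum_i s_i 2^i = -S / (2^T - 1), S = integer of the first period."""
    S = sum(bits[i] << i for i in range(T))
    f = Fraction(-S, (1 << T) - 1)
    return f.numerator, f.denominator


def two_adic_complexity(bits, T):
    """Definition 1: phi(s) = max(log2|p|, log2|q|), with log2|p| taken as 0 if p = 0."""
    p, q = two_adic_fraction(bits, T)
    return max(log2(abs(p)) if p else 0.0, log2(q))


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2); exact when len(bits) >= 2 * linear complexity."""
    n = len(bits)
    C, B = [1] + [0] * n, [1] + [0] * n     # current and previous connection polynomials
    L, m = 0, 1                              # current LC and steps since last length change
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d:
            T = C[:]
            for j in range(n + 1 - m):
                C[j + m] ^= B[j]
            if 2 * L <= i:
                L, B, m = i + 1 - L, T, 1
                continue
        m += 1
    return L


def analyse(q1, q2):
    """Period, symmetry, 2-adic and linear complexity of c, and the paper's bounds."""
    L, c = xor_combiner(q1, q2)
    T = minimal_period(c)
    p, q = two_adic_fraction(c, T)
    different_classes = q1 % 4 != q2 % 4     # r1 != r2 (mod 4); r_i = q_i for primes
    return {
        "L": L, "T": T, "q": q,
        "symmetric": is_symmetrically_complementary(c, T),
        "phi": two_adic_complexity(c, T),
        "phi_bound": L / 2 + 1 if different_classes else L / 2,   # Theorem 3
        "lc": linear_complexity(c * 2),                            # two L-periods
        "lc_bound": (ord2(q1) + ord2(q2)) / 2 + 2,                # Theorem 4
    }


if __name__ == "__main__":
    for pair in [(3, 5), (3, 11), (11, 13)]:   # constructed sample connection integers
        print(pair, analyse(*pair))
```

On the constructed pair $(3, 5)$, whose primes lie in different classes modulo 4, the script finds period $L = 4$, symmetric complementarity, and denominator $q = 2^{2} + 1 = 5$; on $(3, 11)$, same class, it finds period $L/2 = 5$ and $q = 2^{5} - 1 = 31$, so both 2-adic complexities sit just below the respective bounds of Theorem 3.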

4. CONCLUSIONS

We have determined the period of a combiner that uses two 2-adic ℓ-sequences and the XOR function. We have shown that a particular sub-family of these sequences possesses the important property of symmetric complementarity. We used this fact to derive upper bounds on the linear complexity and 2-adic complexity of such combiner sequences. We are currently working towards extending our proofs to the case where the number of FCSRs in the combiner is arbitrary and where the combining function is a more general boolean function.

Several questions regarding FCSR combiners remain unanswered. What are the lower bounds on the period and 2-adic complexity of the sums and products of FCSR sequences? Which families of combining functions maximise period and 2-adic complexity? Which families of combining functions increase the resistance of FCSR sequences to known cryptanalytic attacks?

5. ACKNOWLEDGEMENTS

The first author wishes to gratefully acknowledge the generous support of the AU-KBC Research Centre in awarding him a research fellowship during the period July 2002 to June.

6. REFERENCES

[1] F. Arnault and T.-P. Berger. Design of new pseudorandom generators based on a filtered FCSR automaton. In Proceedings of the SASC Workshop, October.
[2] F. Arnault and T.-P. Berger. F-FCSR: Design of a new class of stream ciphers. In H. Gilbert and H. Handschuh, editors, 12th International Workshop, Fast Software Encryption 2005, Paris, France, Lecture Notes in Computer Science 3557. Springer, February.
[3] F. Arnault, T.-P. Berger, and A. Necer. A new class of stream ciphers combining LFSR and FCSR architectures. In A. Menezes and P. Sarkar, editors, Progress in Cryptology, INDOCRYPT 2002, Lecture Notes in Computer Science, volume 2551. Springer, New York.
[4] H. Beker and F. Piper. Cipher Systems. John Wiley.
[5] R. Couture and P. L'Ecuyer. Distribution properties of multiply-with-carry random number generators. Mathematics of Computation, 66.
[6] B. M. M. de Weger. Approximation lattices of p-adic numbers. Journal of Number Theory, 24:70–88.
[7] C. F. Gauß. Disquisitiones Arithmeticæ. (Reprinted English translation, Yale University Press, New Haven, 1966).
[8] S. W. Golomb. Shift Register Sequences. Holden-Day, San Francisco.
[9] M. Goresky and A. Klapper. Large period nearly de Bruijn FCSR sequences. In Advances in Cryptology, EUROCRYPT '95, Lecture Notes in Computer Science, volume 921. Springer, New York.
[10] F. Gouvêa. p-adic Numbers: An Introduction. Springer-Verlag, 2nd edition.
[11] G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford University Press, 5th edition.
[12] A. Klapper and M. Goresky. 2-adic shift registers. In Fast Software Encryption, Cambridge Security Workshop, Lecture Notes in Computer Science, volume 809. Springer-Verlag, December.
[13] A. Klapper and M. Goresky. Feedback shift registers, 2-adic span and combiners with memory. Journal of Cryptology, 10.
[14] N. Koblitz. p-adic Numbers, p-adic Analysis, and Zeta Functions. Springer-Verlag, New York, GTM Vol. 58.
[15] K. Mahler. Introduction to p-adic Numbers and their Functions. Cambridge University Press.
[16] G. Marsaglia. yet another rng. Posted to the Usenet newsgroup sci.stat.math, August 1.
[17] J. L. Massey. Shift-register synthesis and BCH decoding. IEEE Transactions on Information Theory, IT-15, January.
[18] M. Mittelbach and A. Finger. Investigation of FCSR-based pseudorandom sequence generators for stream ciphers. In Proceedings of the 3rd International Conference on Networking, February.
[19] R. A. Rueppel. Analysis and Design of Stream Ciphers. Springer-Verlag.
[20] B. Schneier. Applied Cryptography. John Wiley & Sons, 2nd edition.
[21] T. Siegenthaler. Correlation immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, IT-30.
[22] Z. Tasheva, B. Bedzhev, and B. Stoyanov. N-adic summation shrinking generator: basic properties and empirical evidences. Submitted to the IACR e-print archive.
[23] J. Xu. Stream Cipher Analysis Based on FCSRs. Ph.D. dissertation, University of Kentucky, Lexington, Kentucky.


More information

Cryptography Lecture 3. Pseudorandom generators LFSRs

Cryptography Lecture 3. Pseudorandom generators LFSRs Cryptography Lecture 3 Pseudorandom generators LFSRs Remember One Time Pad is ideal With OTP you need the same transmission capacity via an already secure channel for the key as you can then secure via

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

Linear Cryptanalysis

Linear Cryptanalysis Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations

More information

CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function

CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function that is reasonably random in behavior, then take any

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

RON M. ROTH * GADIEL SEROUSSI **

RON M. ROTH * GADIEL SEROUSSI ** ENCODING AND DECODING OF BCH CODES USING LIGHT AND SHORT CODEWORDS RON M. ROTH * AND GADIEL SEROUSSI ** ABSTRACT It is shown that every q-ary primitive BCH code of designed distance δ and sufficiently

More information

New Minimal Weight Representations for Left-to-Right Window Methods

New Minimal Weight Representations for Left-to-Right Window Methods New Minimal Weight Representations for Left-to-Right Window Methods James A. Muir 1 and Douglas R. Stinson 2 1 Department of Combinatorics and Optimization 2 School of Computer Science University of Waterloo

More information

Sequences, DFT and Resistance against Fast Algebraic Attacks

Sequences, DFT and Resistance against Fast Algebraic Attacks Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca

More information

Fast Correlation Attacks: an Algorithmic Point of View

Fast Correlation Attacks: an Algorithmic Point of View Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,

More information

Non-Separable Cryptographic Functions

Non-Separable Cryptographic Functions International Symposium on Information Theory and Its Applications Honolulu, Hawaii, USA, November 5 8, 2000 Non-Separable Cryptographic Functions Yuliang Zheng and Xian-Mo Zhang School of Network Computing

More information

A Weak Cipher that Generates the Symmetric Group

A Weak Cipher that Generates the Symmetric Group A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,

More information

Binary Additive Counter Stream Ciphers

Binary Additive Counter Stream Ciphers Number Theory and Related Area ALM 27, pp. 1 23 c Higher Education Press and International Press Beijing Boston Binary Additive Counter Stream Ciphers Cunsheng Ding, Wenpei Si Abstract Although a number

More information