Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek


Design of Filter Functions for Key Stream Generators using Boolean Power Functions
Jong-Min Baek
The Graduate School, Yonsei University
Department of Electrical and Electronic Engineering

Design of Filter Functions for Key Stream Generators using Boolean Power Functions
by Jong-Min Baek
A Thesis Submitted to the Graduate School of Yonsei University in Partial Fulfillment of the Requirements for the Degree of Master of Science
Supervised by Professor Hong-Yeop Song, Ph.D.
Department of Electrical and Electronic Engineering, The Graduate School, Yonsei University
December 2006

This certifies that the thesis of Jong-Min Baek is approved.
Thesis Supervisor: Hong-Yeop Song
Hong-Goo Kang
Sanghoon Lee
The Graduate School, Yonsei University, December 2006


Contents

List of Figures iii
List of Tables v
Abstract vi
1 Introduction
  1.1 Motivation
  1.2 Overview
2 Preliminaries
  2.1 Linear Feedback Shift Registers
  2.2 LFSR based Stream Ciphers
  2.3 Linear Complexity
    2.3.1 Berlekamp-Massey Algorithm
    2.3.2 Trace Representation
  2.4 Boolean Functions
    2.4.1 Boolean Functions for Stream Ciphers
    2.4.2 Nonlinear Functions and Linear Complexity
    2.4.3 Correlation Immunity
3 Design of the Key Stream Generators
  3.1 Boolean Power Functions
  3.2 Constructing Key Stream Generators
4 Some Properties of the Key Stream Generators
  4.1 Randomness of the Key Stream Sequence
    4.1.1 Maximal Period Property
    4.1.2 Balance Property
    4.1.3 Run Test
  4.2 Cryptographic Properties of the Key Stream Sequences
    4.2.1 Observations of the Linear Complexity
    4.2.2 Nonlinear Order and Correlation Immunity
    4.2.3 Using Other Exponents
5 Concluding Remarks 38
Bibliography 39
Abstract (in Korean) 43

List of Figures

2.1 Fibonacci and Galois Configuration
2.2 LFSR based Running Key Generator
2.3 Berlekamp-Massey Algorithm
2.4 ANF Truth Table Conversion
2.5 Nonlinear Filter Function and Nonlinear Combining Function
3.1 The Proposed Boolean Power Function

List of Tables

2.1 Relationship Between d and k
4.1 Proportion of the Key stream Passing the Run Test
4.2 The Proportion of maximum L(z_t)
4.3 The ratio min L(z_t) / max L(z_t)
4.4 The Proportion of maximum L(z_t) for reciprocal pairs
4.5 The ratio min L(z_t) / max L(z_t) for reciprocal pairs
4.6 Linear complexity distribution for n =
4.7 Linear complexity distribution for n =
4.8 Linear complexity distribution for n =
4.9 Linear complexity distribution for n = 5, reciprocal pairs
4.10 Linear complexity distribution for n =
4.11 Linear complexity distribution for n = 6, reciprocal pairs
4.12 Linear complexity distribution for n =
4.13 Linear complexity distribution for n = 7, reciprocal pairs
4.14 Linear complexity distribution for n =
4.15 Linear complexity distribution for n = 8, reciprocal pairs
4.16 Linear complexity distribution for n =
4.17 Linear complexity distribution for n = 9, reciprocal pairs
4.18 Linear complexity distribution for n =
4.19 Linear complexity distribution for n = 10, reciprocal pairs
4.20 Linear complexity distribution for n =
4.21 Linear complexity distribution for n = 11, reciprocal pairs
4.22 Linear complexity distribution for n =
4.23 Linear complexity distribution for n = 12, reciprocal pairs
4.24 The largest correlation immunity order

ABSTRACT

Design of Filter Functions for Keystream Generators using Boolean Power Functions
Jong-Min Baek
Department of Electrical and Electronic Eng., The Graduate School, Yonsei University

In this thesis we deal with the problem of designing keystream sequences which have cryptographically secure properties. To solve the problem, we focus on the design of the filter functions used in keystream generators. The method we propose is expected to increase the linear complexity of keystream sequences. We also present some numerical results on the linear complexity of the keystream sequences obtained from the proposed method. It is also a critical issue for a keystream sequence that it should have maximal period and good statistical properties. We derive theoretical results on these two properties. To assess the randomness of the sequence in the sense of its run distribution, we present the results of the run test. Results on correlation immunity will also be derived.

Key words: Stream cipher, Boolean function, Linear complexity, Run test, BM algorithm, Correlation immunity

Chapter 1 Introduction

1.1 Motivation

A Linear Feedback Shift Register, abbreviated to LFSR, is commonly used to produce periodic binary sequences for various purposes. For example, an LFSR can generate maximal length sequences,
 also known as m-sequences, and most stream cipher systems use LFSRs as their internal logic. If we want to use LFSRs to generate key stream sequences for a stream cipher system, the registers must have a primitive connection polynomial to yield maximal length output sequences. The maximal length condition is important for stream ciphers because it gives unpredictability. However, sequences from an $n$-stage LFSR are vulnerable to the Berlekamp-Massey attack (BM attack): no more than $2n$ successive outputs are needed to determine the feedback connection and the initial state. In other words, the linear complexity of a sequence $s_t$, denoted by $L(s_t)$, will be $n$ if the degree of its shortest connection polynomial is $n$. To resist the BM attack, we should make the linear complexity of key stream sequences as large as possible. One of the classical ways to

increase linear complexity is to apply nonlinear logic to an LFSR. There are two ways of applying nonlinear logic: nonlinear filtering and nonlinear combination. These can be regarded as Boolean functions, named the nonlinear filter function and the nonlinear combining function, respectively. To deal with nonlinear logic, it is necessary to understand the theory of products of m-sequences. In the 1970s, three fundamental papers appeared which discuss the problems of products of sequences. Zierler and Mills [12] were basically interested in finding the LFSR which could produce every sequence resulting from multiplying every possible output sequence of not necessarily distinct LFSRs. Groth [11] concentrated on the use of 2nd order products, which he applied to the stages of an LFSR with a primitive connection polynomial. Key [9] investigated both nonlinear filtering and nonlinear combination in his very readable and fundamental paper. Many researchers have studied how to design nonlinear functions which are secure and have good cryptographic properties. In 1994, Nyberg [2] proposed that some differentially uniform mappings can be used for block ciphers. In her paper, the inversion mapping in a finite field satisfies the criteria for substitution functions. Later her method was used for the substitution box (S-box) in the Rijndael block cipher, which was adopted as the Advanced Encryption Standard [19]. In 1999, Gong [14] analyzed the S-boxes of DES using some transform tools, for example, the Hadamard transform and the Avalanche transform. In her paper, she presents the trace representation of the component functions of the DES S-boxes. Recently, the trace representation of the component functions of the Rijndael S-box was revealed by Youssef and Tavares [17], and in [1] the authors proposed a new S-box by modifying the Rijndael S-box. It is remarkable that the component functions of the new S-box

have some appealing properties, such as large linear complexity and the balance property.

1.2 Overview

First, we present some notions that are used throughout this thesis in chapter 2. The new method of designing the nonlinear filter function of key stream generators is presented in chapter 3. In chapter 4, we give a theoretical approach to show the maximal length property and the balance property of the generated key stream sequence, and present some observations about linear complexity and run distribution. Finally, the thesis is summarized with some discussion in chapter 5.

Chapter 2 Preliminaries

In this chapter, we provide some basic concepts about LFSRs, stream ciphers, and Boolean functions.

2.1 Linear Feedback Shift Registers

An LFSR is a combination of several registers and exclusive OR (XOR) gates. Since each register is also called a stage, an LFSR with $n$ registers is called an $n$-stage LFSR. At each clock, each stage is updated by the corresponding connection and logic. The collection of the $n$ stages at some clock is called a state. The connection structure between the registers and the XORs can be represented in polynomial form; this polynomial is called the connection polynomial. When we know the number of stages and the connection polynomial, we know everything about the structure of the LFSR. However, the sequence of states is quite different according to how each stage is updated. There are two update methods: the Fibonacci configuration and the Galois configuration. In figure 2.1, the two state transition orders differ from each other.

Figure 2.1: Fibonacci and Galois Configuration

In the Galois configuration, if $\alpha$ is a root of the connection polynomial and the set $\{1, \alpha, \alpha^2, \dots, \alpha^{n-1}\}$ is a basis of the finite field $\mathbb{F}_{2^n}$ (identified with the vector space $\mathbb{F}_2^n$), each state can be considered as an element of the field. Then each state is updated in the order of the powers of $\alpha$. In the Fibonacci configuration, the states are no longer in the order of the powers of $\alpha$. However, if we set the connection polynomials of the Galois and Fibonacci configurations to be reciprocal, the recurrence relation will be the same. For the convenience of analyzing LFSR sequences, we will use the Galois configuration from now on.

2.2 LFSR based Stream Ciphers

A stream cipher is based on the theoretically unbreakable one-time pad, sometimes known as the Vernam cipher. The one-time pad encrypts each message by using

different keys at each clock, and it is known that breaking this type of cipher is impossible [18]. A stream cipher is similar to the one-time pad: at each clock, the running key generator generates a key stream bit according to the current state, and it is added to the message bit of that clock. However, in practice, all messages cannot be encrypted with different keys at each clock, since it is not possible to generate an infinite and totally unpredictable key stream sequence. Instead, by using an LFSR as a state updater, we can design a running key generator that generates a periodic and sufficiently unpredictable key stream sequence as follows.

Figure 2.2: LFSR based Running Key Generator

In figure 2.2, the corresponding key stream sequence is ( ), which denotes the first period of a periodic sequence. From now on, we will denote the key stream as $z_t$, where the subscript $t$ means clock time $t$. Note that the key stream sequence, which we will denote $s_t$, is generated from the leftmost register of the LFSR, but as we can see

the sequences from the other registers are the same as the key stream sequence in the cyclic shift sense. We will denote by $s^j_t$ the sequence whose phase is shifted by $j$ clocks from $s_t$. If $j = 0$, then we will use $s_t$ instead of $s^0_t$.

2.3 Linear Complexity

When we use only an LFSR to make a key stream generator, the key stream is a maximal length sequence, also known as an m-sequence. An m-sequence has good randomness properties for use in stream ciphers. However, the Berlekamp-Massey algorithm reveals the weakness of LFSR based stream ciphers: to know the whole structure of the $(2^n - 1)$-period LFSR sequence, we only need $2n$ bits of the sequence. Thus we should not use a simple LFSR as a key stream generator, though it has good statistical properties. From now on, we will observe how to find the linear complexity of a key stream sequence.

2.3.1 Berlekamp-Massey Algorithm

First we examine the famous Berlekamp-Massey algorithm (BM algorithm) [7]. $C(D)$ is the connection polynomial of the target LFSR, denoted by $C(D) = c_0 + c_1 D + c_2 D^2 + \cdots + c_{n-1} D^{n-1}$, where $c_i \in \mathbb{F}_2$ for all $i$. Note that $B(D)$ and $T(D)$ are also polynomials over $\mathbb{F}_2$, and the degrees of these three polynomials are not determined until the algorithm procedure has ended. We start the algorithm with a given sequence $s_t = \{s_0, s_1, \dots, s_{n-1}\}$. At the end of the procedure, we get the connection polynomial $C(D)$ and the shortest length $L$ of an LFSR which can generate this sequence. Thus the

Figure 2.3: Berlekamp-Massey Algorithm

Initial condition: $C(D) \leftarrow 1$, $B(D) \leftarrow 1$, $x \leftarrow 1$, $L \leftarrow 0$, $b \leftarrow 1$, $N \leftarrow 0$.
begin: if $N = n$, end; else compute $d = s_N + \sum_{i=1}^{L} c_i s_{N-i}$.
If $d = 0$: $x \leftarrow x + 1$, $N \leftarrow N + 1$, and return to begin.
If $d \neq 0$ and $2L > N$: $C(D) \leftarrow C(D) - d\,b^{-1} D^{x} B(D)$, $x \leftarrow x + 1$, $N \leftarrow N + 1$, and return to begin.
If $d \neq 0$ and $2L \le N$: $T(D) \leftarrow C(D)$, $C(D) \leftarrow C(D) - d\,b^{-1} D^{x} B(D)$, $L \leftarrow N + 1 - L$, $B(D) \leftarrow T(D)$, $b \leftarrow d$, $x \leftarrow 1$, $N \leftarrow N + 1$, and return to begin.

linear complexity is $L$, and from now on we will denote the linear complexity of a sequence $s_t$ by $L(s_t)$. The BM algorithm is very efficient, but it does not tell us about the algebraic structure of the target sequence or LFSR. To analyze stream ciphers theoretically, we need another approach to find the linear complexity.

2.3.2 Trace Representation

First, we introduce the discrete Fourier transform (DFT) and its inverse formula [4].

Definition 2.1 (DFT) $S_k = \sum_{t=0}^{N-1} s_t \alpha^{tk}$, $k = 0, 1, \dots, N-1$, where $\alpha \in \mathbb{F}_{2^n}$ and $\mathrm{ord}(\alpha) = N$. (2.1)

Note that the length $N$ of the sequence $\{s_t\}_{t=0}^{N-1}$ must satisfy $N \mid 2^n - 1$. We also define the inverse formula as follows.

Definition 2.2 (Inverse DFT, IDFT) $s_t = \sum_{k=0}^{N-1} S_k \alpha^{-kt}$, $t = 0, 1, \dots, N-1$. (2.2)

Using definition 2.2, we can derive the following representation [4].

Definition 2.3 (Trace Representation of Sequences) The inverse DFT of the sequence $\{s_t\}$ can be written in the form
$s_t = \sum_{j \in \Gamma(N)} \mathrm{Tr}_1^{n_j}(S_j \alpha^{-jt})$, $t = 0, 1, \dots, N-1$, $S_j \in \mathbb{F}_{2^{n_j}}$, (2.3)
where $\Gamma(N)$ is the set of coset leaders of the cyclotomic cosets modulo $N$ with respect to 2, and $n_j$ is the size of the coset with leader $j$, which is denoted by $C_j$.

Now we introduce Blahut's theorem [8].

Theorem 2.1 Let $s = \{s_t\}$ be a sequence over $\mathbb{F}_2$ of period $N$, where $N \mid 2^n - 1$. Let $S = \{S_t\}$ be the sequence of DFT coefficients of $s$. Then the linear complexity of $s$ is equal to the Hamming weight of $S$.

Using theorem 2.1, we can explain how the trace representation of a sequence is connected to its linear complexity. To do that, we need the following lemma [4]. All notations are the same as above.

Lemma 2.1 For $1 \le k \le N-1$, $S_{k 2^j} = S_k^{2^j}$ for $0 \le j < n_k$, and $S_0 = \sum_{t=0}^{N-1} s_t$. (2.4)

Lemma 2.1 tells us that all the DFT coefficients whose indices lie in the same coset have the same value up to conjugation. Therefore zeros in $S$ make the corresponding trace terms vanish in the trace representation, and nonzeros give the remaining terms. So the linear complexity can be represented by
$L(s_t) = \sum_{j \in \Gamma(N),\ S_j \neq 0} n_j$. (2.5)

2.4 Boolean Functions

Definition 2.4 A Boolean function $f$ on $n$ variables, say $f(x_1, x_2, \dots, x_n)$, is a mapping from $\mathbb{F}_2^n$ to $\mathbb{F}_2$.

A Boolean function can also be regarded as a function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_2$ if we have a basis $\{\beta_1, \beta_2, \dots, \beta_n\}$ of $\mathbb{F}_{2^n}$. Then the input vector $x = (x_1, x_2, \dots, x_n)$ in $\mathbb{F}_2^n$ can be represented as the input element $x = x_1 \beta_1 + x_2 \beta_2 + \cdots + x_n \beta_n$ in $\mathbb{F}_{2^n}$. We will use the same notation $f$ for both functions. Note that a binary periodic sequence $s_t$ is obtained from $f(x)$ by evaluating $f(x)$ as follows:
$s_t = f(\alpha^t)$, $\alpha \in \mathbb{F}_{2^n}$, $\mathrm{ord}(\alpha) = 2^n - 1$. (2.6)

Generally, there are three methods to represent a Boolean function. The simplest way is just presenting the truth table.

Definition 2.5 A truth table is a binary sequence of length $2^n$, which can be represented by
$f = [f(0, 0, \dots, 0), f(1, 0, \dots, 0), f(0, 1, \dots, 0), \dots, f(1, 1, \dots, 1)]$. (2.7)

The second is called the algebraic normal form, which is widely used since it is easy to specify the operation logic of a Boolean function for implementation.

Definition 2.6 A Boolean function on $n$ variables can be represented in algebraic normal form (ANF) as follows:
$f(x_1, x_2, \dots, x_n) = a_0 + a_1 x_1 + a_2 x_2 + \cdots + a_n x_n + a_{12} x_1 x_2 + a_{13} x_1 x_3 + \cdots + a_{123 \cdots n} x_1 x_2 x_3 \cdots x_n$, (2.8)
where all the coefficients are in $\mathbb{F}_2$.

For an arbitrary term $x_{i_1} x_{i_2} \cdots x_{i_k}$, $i_j \in \{1, 2, \dots, n\}$, we refer to the term as a $k$th order nonlinear term, and we say the term has nonlinear order $k$. In the ANF of a Boolean function, we refer to the maximal nonlinear order, say $k$, as the algebraic degree. We can get the ANF by using the transform method introduced by Rueppel [3]. When we know the truth table of a Boolean function, we can convert the table to get the ANF. The conversion process is described in figure 2.4, where we give an example for a Boolean function on 3 variables. In figure 2.4, each input vector is written in decimal integer form. Note that the same process can be used for conversion from ANF to truth table. At the first step, $a_0$ is added

Figure 2.4: ANF Truth Table Conversion

to $a_1$, $a_2$ is added to $a_3$, and so on. At the second step, $(a_0, a_1)$ are added to $(a_2, a_3)$ and $(a_4, a_5)$ are added to $(a_6, a_7)$ pairwise. Each arrow indicates these addition processes at each step.

The last one is the trace representation of functions using the function DFT and IDFT [4]. We do not present the definitions of the function DFT and IDFT since they are very similar to the sequence versions.

Definition 2.7 The trace representation of a Boolean function $f(x)$ from $\mathbb{F}_{2^n}$ to $\mathbb{F}_2$ is
$f(x) = \sum_{k \in \Gamma(N)} \mathrm{Tr}_1^{n_k}(A_k x^k) + A_{2^n-1} x^{2^n-1}$, $A_k \in \mathbb{F}_{2^{n_k}}$, $A_{2^n-1} \in \mathbb{F}_2$, (2.9)
where $N = 2^n - 1$.
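The butterfly of figure 2.4 as an added worked example in Python (not code from the thesis): one pass converts a truth table into ANF coefficients, the same pass converts back, and the algebraic degree is read off the coefficients. The sample function $f = x_1 x_2 + x_3$ is my own choice, not the function in the figure.

```python
"""Truth table <-> ANF conversion by the butterfly of figure 2.4 (binary Moebius transform).

Added example; the sample function f = x1 x2 + x3 is an assumption, not the thesis's figure."""


def truth_table(f, n):
    """Truth table in the order of (2.7): entry i is f(x_1, ..., x_n) where bit j of i is x_{j+1}."""
    return [f(*[(i >> j) & 1 for j in range(n)]) for i in range(1 << n)]


def butterfly(values):
    """Step k (k = 0, ..., n-1) adds the first half of every block of 2^(k+1) entries onto
    its second half over F_2: at step 0 a_0 is added to a_1, a_2 to a_3, ...; at step 1
    (a_0, a_1) is added to (a_2, a_3), and so on.  Applied to a truth table this yields the
    ANF coefficients (entry i is the coefficient of the monomial whose variables are the set
    bits of i); applied to ANF coefficients it yields the truth table back."""
    out = list(values)
    n = len(out).bit_length() - 1
    if len(out) != 1 << n:
        raise ValueError("length must be a power of two")
    for k in range(n):
        half = 1 << k
        for start in range(0, len(out), 2 * half):
            for i in range(start, start + half):
                out[i + half] ^= out[i]
    return out


def algebraic_degree(anf):
    """Maximal nonlinear order among monomials with nonzero coefficient (0 for constants)."""
    return max((bin(i).count("1") for i, a in enumerate(anf) if a), default=0)


def monomials(anf):
    """Human-readable ANF terms, e.g. ['x1*x2', 'x3']."""
    terms = []
    for i, a in enumerate(anf):
        if a:
            terms.append("1" if i == 0 else
                         "*".join(f"x{j + 1}" for j in range(i.bit_length()) if (i >> j) & 1))
    return terms
```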

2.4.1 Boolean Functions for Stream Ciphers

In this subsection, we observe the concepts which are important for the main idea that appears in the next chapter. Recall that m-sequences are vulnerable to the BM attack, since their key stream sequence has the lowest linear complexity. From the early years, researchers have studied how to increase the linear complexity of LFSR based sequences. One of the most researched methods is applying a nonlinear Boolean function to the LFSR. The term nonlinear means the existence of monomial terms in the ANF which contain more than one variable. According to the way we apply the function to the LFSR, there are generally two types of nonlinear Boolean functions [3]: one is the nonlinear filter function and the other is the nonlinear combining function.

Figure 2.5: Nonlinear Filter Function and Nonlinear Combining Function

In figure 2.5, the nonlinear filter function is applied to the registers of an LFSR. The number of variables of the function is determined by the number of registers which are connected to the logic of the function. On the other hand, the number of variables is determined by the number of LFSRs when we consider nonlinear combining functions.

In addition, for nonlinear combining functions, if we make the length of each LFSR the same, then the construction can be represented as a nonlinear filter function. We can also combine the above two functions: first apply filter functions to each LFSR, then apply a combining function to combine those parts. In this thesis, we focus our attention on nonlinear filter functions.

2.4.2 Nonlinear Functions and Linear Complexity

Before we discuss the main part of this thesis, one last thing remains to be explained: how does a nonlinear Boolean function affect the linear complexity of a sequence? First, we examine the case where two binary periodic sequences are multiplied together, as in [9]. From now on, the product of two or more sequences means the termwise product of the sequences, not the product from the multiplication rule in the ring of formal power series. Assume the two sequences $s^l_t$ and $s^m_t$ are multiplied. They are shifted versions of a binary PN-sequence $s_t$ with period $2^n - 1$, so they can be written in trace representation as
$s^l_t = \mathrm{Tr}(S_l \alpha^t)$, (2.10)
$s^m_t = \mathrm{Tr}(S_m \alpha^t)$, (2.11)
where $S_l, S_m$ are the coefficients derived by the DFT of $s^l_t, s^m_t$, and $\alpha \in \mathbb{F}_{2^n}$, $\mathrm{ord}(\alpha) =$

$2^n - 1$. Now we multiply these two sequences:
$s^l_t s^m_t = \mathrm{Tr}(S_l \alpha^t)\,\mathrm{Tr}(S_m \alpha^t) = \Big(\sum_{i=0}^{n-1} S_l^{2^i} \alpha^{t 2^i}\Big)\Big(\sum_{j=0}^{n-1} S_m^{2^j} \alpha^{t 2^j}\Big) = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} S_{l,i} S_{m,j}\, \alpha^{(2^i + 2^j) t}$, (2.12)
where $S_{l,i}$ and $S_{m,j}$ mean $S_l^{2^i}$ and $S_m^{2^j}$, respectively. Note that we describe the exponent of $\alpha$ in binary expansion form. If $i = j$, then the exponent of $\alpha$ has only one nonzero bit, and there are $n$ such exponents. If $i \neq j$, then the exponent of $\alpha$ has two nonzero bits, and there are $\binom{n}{2}$ such exponents. Since none of the coefficients vanish, by Blahut's theorem we can determine the linear complexity of the product of two sequences:
$L(s^l_t s^m_t) = n + \binom{n}{2} = n + \frac{n(n-1)}{2} = \frac{n(n+1)}{2}$. (2.13)
When we multiply more than 2 sequences, there can be exponents which have more than 2 nonzero bits. However, in this case some coefficients in the trace representation can vanish. Instead we can determine an upper bound on the linear complexity of product sequences [9]:
$L(s^{j_1}_t \cdots s^{j_k}_t) \le \sum_{i=1}^{k} \binom{n}{i}$, (2.14)
where $j_1, \dots, j_k$ are arbitrary shift values. In [3], it is said that the above bound applies to $k$th-order Boolean functions in general. That is, the order of a nonlinear function plays a key role in determining the linear complexity of the produced sequences.
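As an added worked example (not code from the thesis), the Berlekamp-Massey algorithm of figure 2.3 over $\mathbb{F}_2$ is applied to an m-sequence and to termwise products of its shifts, checking $L(s_t) = n$, the value $n(n+1)/2$ of (2.13) for two distinct shifts, and the bound (2.14) for three. The primitive polynomial $x^5 + x^2 + 1$ ($n = 5$) and the shifts used are my choices, not the thesis's.

```python
"""Berlekamp-Massey over GF(2) and the linear complexity of products of m-sequences.

Added example; the polynomial x^5 + x^2 + 1 (n = 5) and the shifts are assumptions,
not taken from the thesis."""
from math import comb


def berlekamp_massey(s):
    """Return (L, C) for a binary sequence s: the length L of the shortest LFSR
    generating s and its connection polynomial C(D) = 1 + c_1 D + ... + c_L D^L as a
    coefficient list, so that s_N = c_1 s_{N-1} + ... + c_L s_{N-L} over GF(2).
    Follows figure 2.3; over GF(2) the discrepancy d is 0 or 1 and b = 1, so the
    correction term d b^{-1} D^x B(D) is simply D^x B(D) whenever d = 1."""
    n = len(s)
    C = [1] + [0] * n          # current connection polynomial
    B = [1] + [0] * n          # connection polynomial before the last length change
    L, x = 0, 1                # current LFSR length, shift since the last length change
    for N in range(n):
        d = s[N]
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]
        if d == 0:             # current LFSR already produces s_N
            x += 1
        elif 2 * L > N:        # fix C(D) without changing the length
            for i in range(n + 1 - x):
                C[i + x] ^= B[i]
            x += 1
        else:                  # length change: L <- N + 1 - L
            T = C[:]
            for i in range(n + 1 - x):
                C[i + x] ^= B[i]
            L, B, x = N + 1 - L, T, 1
    return L, C[:L + 1]


def lfsr_sequence(exponents, length):
    """Output of the Fibonacci LFSR whose connection polynomial has the given exponents
    (e.g. [5, 2, 0] for x^5 + x^2 + 1), started from state (1, 0, ..., 0).
    For a primitive polynomial this is an m-sequence of period 2^n - 1."""
    n = max(exponents)
    taps = [e for e in exponents if e < n]
    s = [1] + [0] * (n - 1)
    while len(s) < length:
        s.append(sum(s[len(s) - n + e] for e in taps) & 1)
    return s[:length]


def termwise_product(*seqs):
    """Termwise product of sequences (not the power-series product), as in section 2.4.2."""
    return [int(all(bits)) for bits in zip(*seqs)]


def key_bound(n, k):
    """Upper bound (2.14) on L for a product of k shifts of an n-stage m-sequence."""
    return sum(comb(n, i) for i in range(1, k + 1))


def regenerate(C, seed, length):
    """Run the LFSR C(D) found by Berlekamp-Massey from the first L bits of seed."""
    L = len(C) - 1
    out = list(seed[:L])
    while len(out) < length:
        out.append(sum(C[i] & out[-i] for i in range(1, L + 1)) & 1)
    return out


def demo(n=5, exponents=(5, 2, 0)):
    """Linear complexities of an m-sequence and of products of its shifts."""
    period = 2 ** n - 1
    s = lfsr_sequence(list(exponents), 4 * period)       # several periods
    shifts = [s[j:j + 3 * period] for j in range(3)]     # s_t, s^1_t, s^2_t
    L1, C1 = berlekamp_massey(shifts[0])
    L2, _ = berlekamp_massey(termwise_product(shifts[0], shifts[1]))
    L3, _ = berlekamp_massey(termwise_product(*shifts))
    return {
        "period_ok": s[:period] == s[period:2 * period],
        "L_m_sequence": L1,                               # n
        "regenerates": regenerate(C1, s, 3 * period) == shifts[0],
        "L_product_2": L2,                                # n(n+1)/2 by (2.13)
        "L_product_3": L3,                                # at most key_bound(n, 3)
        "bound_3": key_bound(n, 3),                       # (2.14)
    }
```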

2.4.3 Correlation Immunity

In 1984, Siegenthaler introduced the concept of correlation immunity as follows [16].

Definition 2.8 A Boolean function $f(x)$ in $n$ variables is $k$th-order correlation immune if, for each $k$-subset $K$ of $\{1, \dots, n\}$, $f(x)$ is independent of all $x_i$ for $i \in K$, where the $x_i$'s are considered as random variables over $\mathbb{F}_2$ taking the values 0 or 1 with equal probability.

He also showed the relationship between the nonlinear order, say $d$, and the correlation immunity order, say $k$, as follows.

Table 2.1: Relationship Between d and k
$d + k \le n$ if $f$ is $k$th-order correlation immune
$d + k \le n - 1$ if $f$ is balanced and $k$th-order correlation immune ($k < n - 1$)
$d = 1$ if $k = n - 1$

Chapter 3 Design of the Key Stream Generators

In this chapter, we briefly introduce Boolean power functions, and then show how to construct key stream generators which yield sequences with high linear complexity using Boolean power functions.

3.1 Boolean Power Functions

First we observe polynomial functions on a finite field. A polynomial function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ is defined by
$f(x) = A_0 + A_1 x + A_2 x^2 + \cdots + A_{2^n-1} x^{2^n-1}$, $A_i \in \mathbb{F}_{2^n}$. (3.1)
Among polynomial functions, a monomial function is a polynomial function with only one monomial term. Note that we already used the word monomial for the ANF, but if the context is clear, we will use the term in both cases. We can decompose $f$ into $n$ Boolean functions $f_1, f_2, \dots, f_n$, where $f_i(x)$ takes the $i$th bit of $f(x)$ as its output value for all $x$.

They can be represented as follows [17]:
$f_i(x) = \mathrm{Tr}(\gamma_i f(x))$, $\gamma_i \in \mathbb{F}_{2^n}$. (3.2)
We refer to each $f_i$ as a component function of $f$. When $f(x)$ is a monomial function, we will refer to each component function of $f(x)$ as a Boolean power function [15]. From past studies, several monomial functions with interesting properties are known. Nyberg investigated the properties of the monomial function with exponent $-1$ [2], i.e.,
$\mathrm{INV}(x) = x^{-1}$ if $x \neq 0$, and $\mathrm{INV}(0) = 0$. (3.3)
Note that to know the specific structure of $\mathrm{INV}(x)$, we need the defining polynomial of the finite field. The $i$th component function, i.e., the $i$th Boolean power function of $\mathrm{INV}(x)$, is simply
$\mathrm{INV}_i(x) = \mathrm{Tr}(\gamma_i x^{-1}) = \mathrm{Tr}(\gamma_i x^{2^n - 2})$. (3.4)
Since the exponent of $\mathrm{INV}(x)$ is $-1$, the negative of 1, we easily see that the size of the conjugate class of the exponent $-1$ is the same as that of 1, i.e., $|C_{-1}| = n$. From this, the above notation also shows the trace representation of $\mathrm{INV}(x)$ exactly. Thus the linear complexity of a sequence from any Boolean power function of $\mathrm{INV}(x)$ is $n$, the same as that of an m-sequence.

3.2 Constructing Key Stream Generators

In the previous section we considered a field element $x$ and its inverse $x^{-1}$ in the same field structure (the same defining polynomial). If we consider them in different structures, what will happen?

Consider two finite field structures of the same size $2^n$ with different defining polynomials $g(x)$ and $h(x)$. We denote these structures by $G$ and $H$, respectively, so $G = \mathbb{F}_{2^n} = \mathbb{F}_2[x]/g(x)$ and $H = \mathbb{F}_{2^n} = \mathbb{F}_2[x]/h(x)$. Suppose that $g(\alpha) = h(\beta) = 0$ and $\mathrm{ord}(\alpha) = \mathrm{ord}(\beta) = 2^n - 1$, where $\alpha$ and $\beta$ are elements of $\mathbb{F}_{2^n}$. Consider an $n$-stage LFSR with connection polynomial $C(D) = g(D)$ in Galois configuration. If we set a polynomial basis for $\mathbb{F}_{2^n}$, that is, $\{\alpha^0, \alpha^1, \dots, \alpha^{n-1}\}$, and set the initial state of the LFSR to $(0, 0, \dots, 1)$, then at each clock $t$ the state is equal to $\alpha^t$. Let us define $\mathrm{INV}(x)$ to compute its inverse in $H$. Now we set another polynomial basis $\{\beta^0, \beta^1, \dots, \beta^{n-1}\}$. Then at clock $t$, the state is also equal to $\beta^s$, where $s$ may differ from $t$. Applying $\mathrm{INV}(x)$ to $\beta^s$, we get $\beta^{-s}$, and it can be represented as the resulting binary vector. This process is exactly a polynomial function on $\mathbb{F}_{2^n}$, say $P(x)$. Note that $P(x)$ is in particular a permutation function, since each state of the LFSR in Galois configuration corresponds to an element of $\mathbb{F}_{2^n}$. Therefore it is important to set a primitive connection polynomial for the driving LFSR. We can get component functions of the form $P_i(x) = \mathrm{Tr}(\gamma_i P(x))$. It is known that an invertible affine transformation of $P(x)$ has component functions of a form similar to $P_i(x)$ [17]. Figure 3.1 summarizes all these steps when $n = 3$. Let us look at the boxed sequence in the figure. In this case, we have only two primitive polynomials, so the cyclically distinct m-sequences are ( ) and ( ). However, the boxed sequence is not equal to either of the two m-sequences. The trace representation of the sequence is the following:
$z_t = \mathrm{Tr}(\alpha^6 \alpha^t) + \mathrm{Tr}(\alpha^5 \alpha^{3t})$. (3.5)

Figure 3.1: The Proposed Boolean Power Function

Thus $L(z_t) = 3 + 3 = 6$, which is the maximum possible ($L(z_t) = 7$ is possible if $z_t$ is complemented). Note that if we take the rightmost component function, then the key stream sequence is equal to an m-sequence of the form $\mathrm{Tr}(\gamma x)$. It is called degeneracy when a Boolean function fails to achieve the maximum linear complexity [3]. Thus, we should check all component functions to find functions with no degeneracy.
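The construction of section 3.2 for $n = 3$, as an added worked example that is not code from the thesis: a Galois LFSR with $g(x) = x^3 + x + 1$ runs through the states $\alpha^t$, each state is read as an element of $H = \mathbb{F}_2[x]/(x^3 + x^2 + 1)$ and inverted there, and the three component bits give the key streams $z_t$. It checks maximal period (Theorem 4.1), balance (Theorem 4.2), which components degenerate to a shifted m-sequence, and that the sequence defined by (3.5) appears among the components. The bit ordering (bit $i$ of an integer is the coefficient of $\alpha^i$) is my convention, so which component turns out degenerate need not coincide with the figure's "rightmost" one.

```python
"""Key streams from the Boolean power functions of section 3.2 for n = 3.

Added example, not the thesis's code.  g(x) = x^3 + x + 1 and h(x) = x^3 + x^2 + 1 are the two
primitive cubics; the bit order (bit i of an int = coefficient of alpha^i) is an assumption."""

G_POLY = 0b1011     # g(x) = x^3 + x + 1: connection polynomial of the driving LFSR (field G)
H_POLY = 0b1101     # h(x) = x^3 + x^2 + 1: field H in which INV(x) is evaluated
N_STAGES = 3
ALPHA = 0b10        # the element x, a root of the defining polynomial of either field


def gf_mul(a, b, poly, n):
    """Product of a and b in F_2[x] reduced modulo the degree-n polynomial poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r


def gf_pow(x, e, poly, n):
    """x^e by square-and-multiply in F_2[x]/poly."""
    r, base = 1, x
    while e:
        if e & 1:
            r = gf_mul(r, base, poly, n)
        base = gf_mul(base, base, poly, n)
        e >>= 1
    return r


def gf_inv(x, poly, n):
    """INV(x) = x^(2^n - 2) of (3.3)/(3.4); it maps 0 to 0 as required."""
    return gf_pow(x, (1 << n) - 2, poly, n)


def trace(y, poly, n):
    """Tr(y) = y + y^2 + ... + y^(2^(n-1)), an element of F_2 (so 0 or 1)."""
    t = 0
    for i in range(n):
        t ^= gf_pow(y, 1 << i, poly, n)
    return t


def galois_lfsr_states(poly, n):
    """States alpha^0, alpha^1, ..., alpha^(2^n - 2) of the Galois LFSR with connection
    polynomial poly, from initial state (0, ..., 0, 1) = 1; each clock multiplies by alpha."""
    states, x = [], 1
    for _ in range((1 << n) - 1):
        states.append(x)
        x = gf_mul(x, ALPHA, poly, n)
    if x != 1 or len(set(states)) != len(states):
        raise ValueError("connection polynomial is not primitive")
    return states


def key_streams(g_poly=G_POLY, h_poly=H_POLY, n=N_STAGES):
    """The n key streams z_t = P_i(alpha^t) as bit strings: bit i of P(alpha^t), where P
    reads the LFSR state of G as an element of H and inverts it there."""
    p = [gf_inv(state, h_poly, n) for state in galois_lfsr_states(g_poly, n)]
    return ["".join(str((v >> i) & 1) for v in p) for i in range(n)]


def m_sequence(poly, n):
    """Component 0 of the LFSR states of poly: an m-sequence of the form Tr(gamma alpha^t)."""
    return "".join(str(state & 1) for state in galois_lfsr_states(poly, n))


def equation_3_5():
    """z_t = Tr(alpha^6 alpha^t) + Tr(alpha^5 alpha^(3t)) evaluated in G over one period."""
    return "".join(str(trace(gf_pow(ALPHA, 6 + t, G_POLY, N_STAGES), G_POLY, N_STAGES)
                       ^ trace(gf_pow(ALPHA, 5 + 3 * t, G_POLY, N_STAGES), G_POLY, N_STAGES))
                   for t in range(7))


def least_period(seq):
    """Smallest p dividing len(seq) with seq[i] == seq[i mod p] for all i."""
    return next(p for p in range(1, len(seq) + 1)
                if len(seq) % p == 0 and all(seq[i] == seq[i % p] for i in range(len(seq))))


def is_cyclic_shift(seq, ref):
    """True if seq is a cyclic shift of ref."""
    return len(seq) == len(ref) and any(seq == ref[j:] + ref[:j] for j in range(len(ref)))


def analyse(g_poly=G_POLY, h_poly=H_POLY, n=N_STAGES):
    """Period, weight and degeneracy of every component key stream."""
    m_seqs = [m_sequence(g_poly, n), m_sequence(h_poly, n)]   # for n = 3 these are all m-sequences
    return [{
        "stream": z,
        "period": least_period(z),                            # 2^n - 1 by Theorem 4.1
        "ones": z.count("1"),                                 # 2^(n-1) by Theorem 4.2
        "degenerate": any(is_cyclic_shift(z, m) for m in m_seqs),
    } for z in key_streams(g_poly, h_poly, n)]
```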

Chapter 4 Some Properties of the Key Stream Generators

4.1 Randomness of the Key Stream Sequence

In this section, we show that the key stream sequence has no subperiod but has maximal period. We also give a compact description of the balance property of the sequence. However, even if the sequence is balanced, that may not be sufficient for measuring randomness. For example, when the numbers of 1's and 0's are equal, an attacker will realize the pattern if there are only two runs: a 1-run of length $2^{n-1}$ and a 0-run of length $2^{n-1} - 1$, i.e., ( ). To be more random, the key stream sequences must have a good run property like truly random sequences. We will present a statistical run test, instead of the exact run distribution, to determine how good the randomness of the key stream sequence is.

4.1.1 Maximal Period Property

As we mentioned before, the period of a key stream sequence employed in a stream cipher must be large enough that the key stream has virtually no chance of being repeated. When we use an $n$-stage LFSR, the resulting key stream sequence must have period $2^n - 1$, which is maximal. Rueppel mentioned the maximal period property of the key stream sequence obtained from filter functions [3]. However, since he did not describe this statement rigorously, we derive another proof of it. First, we present the two-tuple balance property of periodic sequences [14].

Definition 4.1 Let $s = \{s_i\}_{i=0}^{2^n-1}$ be a sequence over $\mathbb{F}_2$ of period $2^n - 1$, $T = \{(s_i, s_{i+\tau}) \mid 0 \le i \le 2^n - 2\}$, and $N_{\lambda,\mu}(\tau) = |\{i \mid (s_i, s_{i+\tau}) = (\lambda, \mu),\ 0 \le i \le 2^n - 2\}|$, $\lambda, \mu \in \mathbb{F}_2$. We say that $s$ has the two-tuple balance property if $s$ satisfies the following conditions:
(i) If $\tau \not\equiv 0 \pmod{2^n - 1}$, then $N_{\lambda,\mu}(\tau) = 2^{n-2}$ for $(\lambda, \mu) \neq (0, 0)$, and $N_{0,0}(\tau) = 2^{n-2} - 1$.
(ii) If $\tau \equiv 0 \pmod{2^n - 1}$, then $N_{\lambda,\lambda}(\tau) = 2^{n-1}$ for $\lambda \neq 0$, and $N_{0,0}(\tau) = 2^{n-1} - 1$.

We can derive the following lemma based on the proof of Zierler's theorem [13].

Lemma 4.1 Every m-sequence over $\mathbb{F}_2$ with period $2^n - 1$ satisfies the $k$-tuple balance property, where $k \le n$, for all $k$ distinct phase shifts of the sequence.

Proof: We use the same notation as in the definition of the two-tuple balance property. We can consider the set $T$ as
$T = \{(s_{i+\tau_1}, s_{i+\tau_2}, \dots, s_{i+\tau_k}) \mid 0 \le i \le 2^n - 2\}$,
where $\tau_1, \dots, \tau_k$ are distinct phase shifts of the m-sequence. We can also consider
$N_{\lambda_1, \lambda_2, \dots, \lambda_k} = |\{i \mid (s_{i+\tau_1}, s_{i+\tau_2}, \dots, s_{i+\tau_k}) = (\lambda_1, \lambda_2, \dots, \lambda_k),\ 0 \le i \le 2^n - 2\}|$, $\lambda_i \in \mathbb{F}_2$.
Since $s_{i+\tau_j} = \mathrm{Tr}(\alpha^{\tau_j} \alpha^i)$, $1 \le j \le k$, $T$ can be written as
$T = \{(\mathrm{Tr}(\beta_1 x), \mathrm{Tr}(\beta_2 x), \dots, \mathrm{Tr}(\beta_k x)) \mid x \in \mathbb{F}_{2^n} \setminus \{0\}\}$,
where each $\beta_j = \alpha^{\tau_j}$. For any $k$-tuple $(\lambda_1, \lambda_2, \dots, \lambda_k)$, we consider the following system of equations in the $n$ variables $x, x^2, \dots, x^{2^{n-1}}$:
$\mathrm{Tr}(\beta_1 x) = \lambda_1$, $\mathrm{Tr}(\beta_2 x) = \lambda_2$, $\dots$, $\mathrm{Tr}(\beta_k x) = \lambda_k$. (4.1)
The coefficient matrix of the above system of linear equations, denoted by $A$, is given by
$A = \begin{pmatrix} \beta_1 & \beta_1^2 & \cdots & \beta_1^{2^{n-1}} \\ \beta_2 & \beta_2^2 & \cdots & \beta_2^{2^{n-1}} \\ \vdots & \vdots & & \vdots \\ \beta_k & \beta_k^2 & \cdots & \beta_k^{2^{n-1}} \end{pmatrix}$.

Since all phase shifts are distinct, the rank of $A$ is equal to $k$, and the system of equations has $2^{n-k}$ solutions. In particular, if $(\lambda_1, \lambda_2, \dots, \lambda_k) = (0, 0, \dots, 0)$, then the system has $2^{n-k} - 1$ solutions.

Theorem 4.1 Consider an $n$-stage LFSR with primitive connection polynomial. If an arbitrary nonlinear filter function $f$ is applied to the LFSR, then the resulting output key stream sequence has maximal period $2^n - 1$.

Proof: From definition 2.6, any nonlinear filter function $f$ can be represented in ANF, so the key stream sequence is
$z_t = f(s_{t+\tau_1}, s_{t+\tau_2}, \dots, s_{t+\tau_n}) = a_0 + a_1 s_{t+\tau_1} + \cdots + a_n s_{t+\tau_n} + a_{12} s_{t+\tau_1} s_{t+\tau_2} + \cdots + a_{12 \cdots n} s_{t+\tau_1} s_{t+\tau_2} \cdots s_{t+\tau_n}$,
where each $s_{t+\tau_j}$ is a distinct phase shift of the m-sequence. For convenience, we refer to the first period of each m-sequence as a linear vector, a binary $(2^n - 1)$-tuple in the vector space $\mathbb{F}_2^{2^n - 1}$. Also we refer to the product of $k$ linear vectors as a $k$th-order nonlinear vector. Obviously, all nonlinear vectors are linearly independent, since one nonlinear vector cannot be obtained from other vectors by linear operations. For linear vectors, since the phase shifts are $\tau_2 = \tau_1 + 1, \tau_3 = \tau_2 + 1, \dots, \tau_n = \tau_1 - 1$ due to the Galois configuration (the operations are performed over $\mathbb{Z}_{2^n - 1}$), we can write an arbitrary linear combination of all linear vectors as
$a_1 s_{t+\tau_1} + \cdots + a_n s_{t+\tau_n} = \mathrm{Tr}\big((a_n + a_1 \alpha + \cdots + a_{n-1} \alpha^{n-1})\, \alpha^{t + \tau_1 - 1}\big)$,

where each coefficient $a_i \in \mathbb{F}_2$. Since $\{1, \alpha, \dots, \alpha^{n-1}\}$ is a polynomial basis, the linear vectors are also linearly independent. Thus we have in total $2^n - 1$ linearly independent vectors, and they can be a basis of the subspace. Now consider a $k$th-order nonlinear vector. Among all the components of the vector, a one arises from the all-one $k$-tuple $(1, 1, \dots, 1)$ of the corresponding linear vectors. If the vector has a subperiod $N_{sub} \mid 2^n - 1$, then $N_{sub}$ must divide the number of ones. However, from lemma 4.1, the number of ones is $2^{n-k}$, therefore nonlinear vectors cannot have a subperiod. Note that when $k = n$, the nonlinear vector has a one in only one position, so it cannot have a subperiod either. Consequently, since all vectors in the basis have maximal period $2^n - 1$, any resulting key stream sequence has length $2^n - 1$ and maximal period.

Corollary 4.1 The key stream sequence $z_t$ obtained from the $i$th Boolean power function $P_i(x)$ has maximal period.

4.1.2 Balance Property

Theorem 4.2 The key stream sequence $z_t$ obtained from the $i$th Boolean power function $P_i(x)$ satisfies the balance property.

Proof: We know that our procedure can be represented as a polynomial function $P(x)$ on $\mathbb{F}_{2^n}$, and the function is a permutation polynomial. Therefore the key stream sequence from a Boolean power function $P_i(x)$ is the sequence whose elements are permuted.

We can also prove corollary 4.1 by using theorem 4.2. The key stream sequence $z_t$ is always balanced and has $2^{n-1}$ 1's. If $z_t$ has a subperiod $N_{sub}$, then the number of 1's in $z_t$

must be divisible by $N_{sub}$. However, this is impossible; thus $z_t$ has no subperiod.

4.1.3 Run Test

A run is a block of consecutive zeros (or ones) in a sequence, preceded and followed by a one (or zero) [4] [5]. When we consider binary sequences of length $2^n - 1$, to satisfy Golomb's randomness postulate [4] [5], runs of 0's of length $k$, $1 \le k \le n - 2$, occur $2^{n-2-k}$ times, a run of 0's of length $n - 1$ occurs once, and a run of 1's of length $n$ occurs once. This property is referred to as the run property. However, if a sequence does not satisfy the run property, how can we measure the randomness of the sequence in the sense of its run distribution? One reasonable answer is to apply the run test. The run test is a test in the NIST test suite for random number generation [20]. It counts the number of bit changes ($0 \to 1$ or $1 \to 0$) in the given sequence. Then it computes a P-value by using the complementary error function (erfc) as follows:
$\text{P-value} = \mathrm{erfc}\left(\frac{|V_N(\mathrm{obs}) - 2N\pi(1-\pi)|}{2\sqrt{2N}\,\pi(1-\pi)}\right)$, (4.2)
where $N$ is the length of the sequence, $V_N(\mathrm{obs})$ is the number of bit changes plus 1, and $\pi$ is the proportion of ones in the sequence. The decision rule at the 1% significance level corresponds to whether the P-value is greater than or less than 0.01. If P-value $\le 0.01$, the test fails; otherwise the test succeeds. Success means that the runs of the given sequence are distributed like those of a truly random sequence. Note that it is a statistical test: even if a sequence passes the test, it may indeed be a poor sequence such as ( ). To make the test more reliable, the number of sample sequences to be tested and the length of each sequence are very important. The NIST report

38 says that the number of samples should be larger than at least 1000 and the length of each sequence should be longer than 100 bits. We may think that although the length of the given sequence is less than 100, it can be extended to 100 bits since the proposed sequence is periodic. However periodically repeated sequence is not balanced and imbalance increases as the number of repetition increases. Since the prerequisite test of the run test is the frequency test, which is checking balance of 0 s and 1 s, thus the run test will fail if the given sequence is periodically repeated. So we are going to test sequences of length larger than 100 bits, that is, sequences from n-stage LFSR with 7 n 12. In those cases, the number of samples is equal to the total number of possible key stream sequences. Also, the number is larger than 1000, we can say that the test results are reliable. Table 4.1: Proportion of the Key stream Passing the Run Test n Number of Sample Sequences Proportion Table 4.1 tells us almost every key stream sequence of length 2 n 1, n 12, satisfies the run test presented by NIST. When we use key stream generator with larger n, we can say the key stream sequence is pseudorandom in the sense of the run distribution. 27
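The run test of equation (4.2) together with its frequency prerequisite, as an added Python example (not the thesis's code). The LFSR helper, the feedback polynomials $x^7 + x + 1$ and $x^3 + x + 1$ and the repetition count are my own choices, and the prerequisite threshold $\tau = 2/\sqrt{N}$ is taken from NIST SP 800-22 rather than from this page.

```python
import math


def lfsr_sequence(feedback, state, length):
    """Fibonacci LFSR over F_2 (constructed helper, not the thesis's code).
    `feedback` lists the exponents j < n with s_{t+n} = sum_j s_{t+j} (mod 2),
    i.e. the non-leading terms of the connection polynomial; `state` holds
    s_0 .. s_{n-1}."""
    s = list(state)
    n = len(s)
    while len(s) < length:
        s.append(sum(s[-n + j] for j in feedback) % 2)
    return s[:length]


def frequency_prerequisite(bits):
    """Frequency pre-check that NIST SP 800-22 applies before the runs test
    (assumed from the test suite, not stated on this page): the proportion
    of ones pi must satisfy |pi - 1/2| < tau with tau = 2/sqrt(N)."""
    n = len(bits)
    pi = sum(bits) / n
    return abs(pi - 0.5) < 2 / math.sqrt(n)


def runs_test(bits):
    """Run test of equation (4.2). Returns (V_N(obs), P-value), where V_N(obs)
    is the number of bit changes plus 1; the P-value is None when the
    frequency prerequisite fails and the run test is not applicable."""
    n = len(bits)
    v_obs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    if not frequency_prerequisite(bits):
        return v_obs, None
    pi = sum(bits) / n
    numerator = abs(v_obs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return v_obs, math.erfc(numerator / denominator)


def passes_runs_test(bits, significance=0.01):
    """Decision rule at the 1% significance level: pass iff P-value >= 0.01."""
    _, p_value = runs_test(bits)
    return p_value is not None and p_value >= significance


# Constructed inputs. (a) One period (127 bits) of the m-sequence from the
# primitive polynomial x^7 + x + 1: 64 ones, 63 zeros, 2^(7-1) = 64 cyclic runs.
SEQ_N7 = lfsr_sequence([0, 1], [1, 0, 0, 0, 0, 0, 0], 127)
# (b) The period-7 m-sequence from x^3 + x + 1 repeated 120 times (840 bits).
# Every period adds one more one than zero, so the imbalance grows with the
# number of repetitions until the frequency prerequisite |pi - 1/2| < 2/sqrt(N)
# is violated and the run test fails.
SEQ_N3_REPEATED = lfsr_sequence([0, 1], [1, 0, 0], 7 * 120)

if __name__ == "__main__":
    for name, seq in (("n = 7, one period", SEQ_N7),
                      ("n = 3, 120 periods", SEQ_N3_REPEATED)):
        v_obs, p_value = runs_test(seq)
        verdict = "pass" if passes_runs_test(seq) else "fail"
        print(f"{name}: N={len(seq)} ones={sum(seq)} V_N(obs)={v_obs} "
              f"P-value={p_value} -> {verdict}")
```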

4.2 Cryptographic Properties of the Key Stream Sequences

4.2.1 Observations of the Linear Complexity

In our procedure, the key part in increasing the linear complexity is $P(x)$, which is a permutation polynomial on $\mathbb{F}_{2^n}$. However, we cannot derive the exact form of $P(x)$, since permutation polynomials are difficult to deal with. Instead, we present some numerical results and analysis on the linear complexity of the key stream sequences. The linear complexity values are obtained by using the BM algorithm. Note that making $g(x)$ and $h(x)$ different is also a key part of constructing $P(x)$. Thus, we investigate all possible pairs of $g(x)$ and $h(x)$ among the primitive polynomials dividing $x^{2^n - 1} - 1$ over $\mathbb{F}_2$, $3 \le n \le 11$. We also consider each $P_i(x)$ for a fixed $(g(x), h(x))$ pair.

We know from Definition 2.3 or 2.7 that if $2^n - 1$ is a prime number, then $C_j = n$ or $C_j = 1$ for all $j$ (note that $C_j = 1$ occurs only once, and it corresponds to the complement of the sequence). If $2^n - 1$ is not prime, then $C_j$ will be $n$ or a proper divisor of $n$. From equation 2.5, the maximum linear complexity means that all $n_j$ are added, and degeneracy means that some $n_j$'s are subtracted from the maximum value.

It is well known that the maximum linear complexity of a periodic sequence is its period. The linear complexity of our proposed key stream sequences can be at most $2^n - 2$, since in the trace representation the constant term is always zero. By complementing the sequence, we can make the linear complexity equal to the period. In this sense, we say the linear complexity is maximum even if it is $2^n - 2$. We say the linear complexity is minimum if it is the most degenerate case among all the key stream sequences of the same length.

Now we present our observations. First, the number of cases achieving maximum linear complexity is larger for prime $2^n - 1$ than for non-prime $2^n - 1$. However, when $2^n - 1$ is a product of two distinct primes, such as $15$ and $2047 (= 23 \cdot 89)$, the proportion of maximum cases is also greatly increased.

Table 4.2: The proportion (%) of maximum $L(z_t)$ for $n = 3, \ldots, 12$ (the numerical entries are not recoverable from this transcription; *: $2^n - 1$ is prime, **: $2^n - 1$ is factorized into two distinct primes)

Second, the least possible linear complexity is not less than half of the maximum.

Table 4.3: The ratio $\min L(z_t) / \max L(z_t)$ for $n = 3, \ldots, 12$ (rows: $\min L(z_t)$, $\max L(z_t)$, ratio; the numerical entries are not recoverable from this transcription; *: $2^n - 1$ is prime, **: $2^n - 1$ is factorized into two distinct primes)

Therefore, we can expect that the maximum linear complexity occurs with high probability and that the degeneracy decreases as $n$ increases, especially when $2^n - 1$ is prime or is factorized into two distinct primes.

It is a well-known fact that the reciprocal of any primitive polynomial is also a primitive polynomial [6]. Obviously, a primitive polynomial and its reciprocal can also be a $(g(x), h(x))$ pair. In this case, once we know one polynomial, we can determine a distinct polynomial more easily. Let us call a $(g(x), h(x))$ pair in which $g(x)$ is the reciprocal of $h(x)$ (and vice versa) a reciprocal pair. Now we present some results like Tables 4.2 and 4.3 for reciprocal pairs.

Table 4.4: The proportion (%) of maximum $L(z_t)$ for reciprocal pairs, $n = 3, \ldots, 12$ (the numerical entries are not recoverable from this transcription; same legend as Table 4.2)

In Table 4.4 each proportion is not so different from Table 4.2. Let us observe the ratio of minimum to maximum, as in Table 4.3.

Table 4.5: The ratio $\min L(z_t) / \max L(z_t)$ for reciprocal pairs, $n = 3, \ldots, 12$ (the numerical entries are not recoverable from this transcription; same legend as Table 4.3)

In Table 4.5, we can observe that $\min L(z_t)$ is increased for $6 \le n \le 12$. Therefore, when we design the proposed key stream generator, it is recommended to use reciprocal pairs to guarantee a larger linear complexity than non-reciprocal ones. In the following pages, the distribution of each possible linear complexity value is shown in Tables 4.6 to 4.23.

Table 4.6: Linear complexity distribution for $n = 3$
  L(z_t)      3   6
  frequency   1   5

Table 4.7: Linear complexity distribution for $n = 4$ (the $L(z_t)$ values are not recoverable from this transcription; frequencies: 1, 7)

Table 4.8: Linear complexity distribution for $n = 5$ (entries not recoverable from this transcription)

Table 4.9: Linear complexity distribution for $n = 5$, reciprocal pairs (entries not recoverable from this transcription)

Table 4.10: Linear complexity distribution for $n = 6$ (entries not recoverable from this transcription)

Table 4.11: Linear complexity distribution for $n = 6$, reciprocal pairs (entries not recoverable from this transcription)

Table 4.12: Linear complexity distribution for $n = 7$ (entries not recoverable from this transcription)

Table 4.13: Linear complexity distribution for $n = 7$, reciprocal pairs (entries not recoverable from this transcription)

Table 4.14: Linear complexity distribution for $n = 8$ (entries not recoverable from this transcription)

Table 4.15: Linear complexity distribution for $n = 8$, reciprocal pairs (entries not recoverable from this transcription)

Table 4.16: Linear complexity distribution for $n = 9$ (entries not recoverable from this transcription)

Table 4.17: Linear complexity distribution for $n = 9$, reciprocal pairs (entries not recoverable from this transcription)

Table 4.18: Linear complexity distribution for $n = 10$ (entries not recoverable from this transcription)

Table 4.19: Linear complexity distribution for $n = 10$, reciprocal pairs (entries not recoverable from this transcription)

Table 4.20: Linear complexity distribution for $n = 11$ (entries not recoverable from this transcription)

Table 4.21: Linear complexity distribution for $n = 11$, reciprocal pairs (entries not recoverable from this transcription)

Table 4.22: Linear complexity distribution for $n = 12$ (entries not recoverable from this transcription)

Table 4.23: Linear complexity distribution for $n = 12$, reciprocal pairs (entries not recoverable from this transcription)
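The Berlekamp-Massey computation behind the linear complexity observations of Section 4.2.1, together with the $2^n - 2$ cap, the complement trick and the $2^{n-k}$ weight of a $k$th-order nonlinear vector from Section 4.1, as an added Python example (not the thesis's code). The filter $s_t s_{t+1}$, the polynomial $x^3 + x + 1$ and the BM implementation are my own choices; the Boolean power function $P_i(x)$ itself is not reproduced here.

```python
from math import comb


def berlekamp_massey(bits):
    """Berlekamp-Massey algorithm over F_2 [7]. Returns (L, C) where L is the
    linear complexity of `bits` and C = [1, c_1, ..., c_L] is the connection
    polynomial C(x) = 1 + c_1 x + ... + c_L x^L of the shortest LFSR
    generating the bits (s_i = c_1 s_{i-1} + ... + c_L s_{i-L})."""
    n = len(bits)
    c = [1] + [0] * n   # current connection polynomial
    b = [1] + [0] * n   # connection polynomial before the last length change
    L, m = 0, -1        # current length and index of the last length change
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]     # discrepancy with the current LFSR
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]        # C(x) <- C(x) + x^shift B(x)
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def linear_complexity(period):
    """Linear complexity of the periodic sequence with the given period: BM is
    run over two periods, which suffices since L <= N and BM needs 2L bits."""
    return berlekamp_massey(list(period) * 2)[0]


def complement(bits):
    return [1 - x for x in bits]


def product_of_shifts(period, shifts):
    """kth-order nonlinear vector of Section 4.1: termwise product of k
    distinct cyclic shifts of one period of an m-sequence."""
    N = len(period)
    return [int(all(period[(t + j) % N] for j in shifts)) for t in range(N)]


def key_bound(n, k):
    """Upper bound (4.4) of Key [9]: sum_{i=1}^{k} binom(n, i)."""
    return sum(comb(n, i) for i in range(1, k + 1))


# Constructed input: one period of the m-sequence of the primitive polynomial
# x^3 + x + 1 (n = 3, period 7).
M_SEQ_N3 = [1, 0, 0, 1, 0, 1, 1]

if __name__ == "__main__":
    z = product_of_shifts(M_SEQ_N3, [0, 1])   # 2nd-order filter s_t * s_{t+1}
    print("m-sequence:", M_SEQ_N3, "L =", linear_complexity(M_SEQ_N3))
    print("L(complement of m-sequence) =", linear_complexity(complement(M_SEQ_N3)))
    print("filtered z:", z, "ones =", sum(z), "(= 2^(n-k) = 2)")
    print("L(z) =", linear_complexity(z), "(= 2^n - 2); Key bound:", key_bound(3, 2))
    print("L(complement of z) =", linear_complexity(complement(z)), "(= period)")
```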

4.2.2 Nonlinear Order and Correlation Immunity

Lemma 4.2 No $n$-variable balanced Boolean function has a term of nonlinear order $n$.

Proof: Consider Rueppel's truth-table-to-ANF transform. Let the truth table of a Boolean function be simply $f$, and write the input vector in decimal form. In the first phase of the method, $f(0)$ is added to $f(1)$, $f(2)$ is added to $f(3)$, and so on. In the second phase, $f(0) = f(0)$, $f(1) = f(0) + f(1)$, $f(2) = f(0) + f(2)$, $f(3) = f(0) + f(1) + f(2) + f(3)$, and so on. In the last phase, $f(2^n - 1)$ becomes

$$f(2^n - 1) = f(0) + f(1) + f(2) + \cdots + f(2^n - 1). \qquad (4.3)$$

Since the Boolean function is balanced, it has $2^{n-1}$ ones, an even number, so the above sum is zero. It means that there is no term of nonlinear order $n$.

Theorem 4.3 If the linear complexity of $s_t$ from $P_i(x)$ is $2^n - 2$, then the nonlinear order of $P_i(x)$ is exactly $n - 1$.

Proof: Suppose that the nonlinear order is $k$, which is less than $n - 1$. From [9],

$$L(s_t) \le \sum_{i=1}^{k} \binom{n}{i}. \qquad (4.4)$$

If $k$ is less than $n - 1$, then the linear complexity cannot be $2^n - 2$, since the sum on the right-hand side is less than $2^n - 2$. Therefore $k$ must be $n$ or $n - 1$ to achieve $2^n - 2$. Because $P_i(x)$ is a balanced function, the nonlinear order cannot be $n$ by Lemma 4.2.

By using the proof of Theorem 4.3, we can find a lower bound on the nonlinear order of $P_i(x)$ for each $n$. For example, when $n = 3$, $k \ge 1$ to achieve all possible linear complexity values. When $n = 4$, $k \ge 3$ because the least possible linear complexity is 12. Using Table 2.1, we present the following from the observation of all possible constructions (note that CI is the abbreviation of correlation immunity).

Table 4.24: The largest correlation immunity order (columns: $n$, largest CI order; the numerical entries are not recoverable from this transcription)

Table 4.24 shows that an arbitrary key stream sequence obtained from the generator with an $n$-stage LFSR, $3 \le n \le 12$, has a relatively small CI order compared with $n$. Therefore, one should be aware of the correlation attack when constructing a stream cipher system with our proposed key stream generator.

4.3 Using Other Exponents

The proposed filter function is based on $INV(x)$, which is a monomial function with exponent $-1$. We have explained that $-1 \equiv 2^n - 2 \pmod{2^n - 1}$ is relatively prime to $2^n - 1$. Since there are $\varphi(2^n - 1)$ elements in $\mathbb{Z}_{2^n - 1}$ relatively prime to $2^n - 1$, we can change the exponent of the Boolean power function to any of these elements and apply the proposed method. Note that even if the exponent is changed, the maximal period and balance property remain valid, because all of these functions are permutation functions. However, the changed exponents cannot achieve the maximum linear complexity for $5 \le n \le 12$ (for $n = 3, 4$, the possible exponents are $1$ and $-1$ only). Since we want to make the linear complexity of the key stream sequence as large as possible, this is one reason for using $INV(x)$.
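Lemma 4.2 and the correlation immunity order of Section 4.2.2, as an added Python example that is not the thesis's code: Rueppel's truth-table-to-ANF transform as described in the proof of the lemma, an exhaustive check of the lemma for small $n$, and the CI order computed from the Walsh spectrum (the Xiao-Massey characterization, assumed from the literature rather than from this page). The three sample functions are my own.

```python
from itertools import combinations


def truth_table(n, func):
    """Truth table of an n-variable Boolean function, indexed by the decimal
    form of the input vector; bit j of the index is the variable x_{j+1}."""
    return [func(*[(i >> j) & 1 for j in range(n)]) for i in range(1 << n)]


def truth_table_to_anf(tt):
    """Rueppel's truth table to ANF transform used in the proof of Lemma 4.2:
    phase j adds f(i ^ 2^j) into f(i) for every index i with bit j set. After
    the last phase, entry u is the coefficient of the monomial prod_{j in u}
    x_{j+1}, and entry 2^n - 1 is the sum of the whole truth table (4.3)."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for j in range(n):
        step = 1 << j
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
    return a


def nonlinear_order(tt):
    """Nonlinear (algebraic) order: the largest monomial degree in the ANF."""
    anf = truth_table_to_anf(tt)
    return max((bin(u).count("1") for u, coef in enumerate(anf) if coef), default=0)


def is_balanced(tt):
    return sum(tt) * 2 == len(tt)


def walsh_spectrum(tt):
    """W_f(a) = sum_x (-1)^(f(x) + a.x) for all a, by the fast Walsh-Hadamard
    transform of the +/-1 form of the truth table."""
    w = [1 - 2 * bit for bit in tt]
    h = 1
    while h < len(w):
        for start in range(0, len(w), 2 * h):
            for i in range(start, start + h):
                u, v = w[i], w[i + h]
                w[i], w[i + h] = u + v, u - v
        h *= 2
    return w


def correlation_immunity_order(tt):
    """Largest m such that W_f(a) = 0 for every a of Hamming weight 1..m
    (Xiao-Massey characterization of mth-order correlation immunity)."""
    w = walsh_spectrum(tt)
    n = len(tt).bit_length() - 1
    for m in range(1, n + 1):
        if any(w[a] != 0 for a in range(len(w)) if bin(a).count("1") == m):
            return m - 1
    return n


def lemma_4_2_holds(n):
    """Exhaustive check of Lemma 4.2: no balanced n-variable function has the
    order-n monomial x_1 x_2 ... x_n in its ANF."""
    size = 1 << n
    for ones in combinations(range(size), size // 2):
        tt = [0] * size
        for i in ones:
            tt[i] = 1
        if truth_table_to_anf(tt)[size - 1] != 0:
            return False
    return True


# Constructed 3-variable sample functions (not functions from the thesis).
F_BALANCED = truth_table(3, lambda x1, x2, x3: (x1 & x2) ^ x3)   # order 2, balanced
F_LINEAR = truth_table(3, lambda x1, x2, x3: x1 ^ x2 ^ x3)      # order 1, CI order 2
F_TOP = truth_table(3, lambda x1, x2, x3: x1 & x2 & x3)         # order 3, unbalanced

if __name__ == "__main__":
    for name, tt in (("x1x2 + x3", F_BALANCED), ("x1 + x2 + x3", F_LINEAR),
                     ("x1x2x3", F_TOP)):
        print(f"{name}: balanced={is_balanced(tt)} order={nonlinear_order(tt)} "
              f"CI order={correlation_immunity_order(tt)}")
    print("Lemma 4.2 holds for n = 3, 4:", lemma_4_2_holds(3), lemma_4_2_holds(4))
```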

Chapter 5 Concluding Remarks

In this thesis, a construction method for the proposed key stream generator, which is expected to achieve maximum linear complexity, is presented. The generator also has maximal period and satisfies the balance property. The key point of the proposal is to make the connection polynomial of the running LFSR and the field-defining polynomial used to compute $INV(x)$ different. The experimental results show that the resulting key stream sequence has maximum or nearly maximum linear complexity. We derived the maximal length property and the balance property mathematically and examined the run test.

However, one problem of the key stream generator is that it has low correlation immunity, so the function could be easily attacked by correlation attacks, including the recent fast correlation attacks. Therefore it is recommended to combine several of the proposed generators with another Boolean function which has large correlation immunity. If each generator has a driving LFSR of a different length, then the resultant key stream sequence will have long period and large linear complexity as well as the proposed sequence [10].

We cannot present a theoretical approach to the linear complexity, because it is a very difficult task to find the exact formula by using the theory of permutation polynomials in general. Several papers discuss bounds on the linear complexity, but they cannot explain many things about our proposed scheme. Instead we tried to present numerical results for some $n$. In the results, we observe that the key stream sequence has maximum linear complexity with high probability and does not degenerate much as $n$ increases. It is interesting that if $2^n - 1$ is prime or is factorized into two distinct primes, then the maximum linear complexity occurs with high probability even for small $n$. However, we do not present our observations for larger $n$ because we cannot compute the finite field operations for such $n$ due to their computational complexity. For future work, we will compute the linear complexity for $n$ up to 16 or 32 and examine our expectation. That will be a more practical case, since we can additionally design a combining function model to make the whole key stream generator cover 64-bit or 128-bit keys. We will also study the theory of permutation polynomials to find an enhanced bound or the exact formula for the linear complexity.

Bibliography

[1] S.-Y. Jin, J.-M. Baek, and H.-Y. Song, Improved Rijndael-like S-Box and Its Transform Domain Analysis, Proceedings of SETA '06, Lecture Notes in Computer Science, vol. 4086, Sep.
[2] K. Nyberg, Differentially Uniform Mappings for Cryptography, Proceedings of EUROCRYPT '93, Lecture Notes in Computer Science, vol. 765.
[3] R. A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag.
[4] S. W. Golomb and G. Gong, Signal Design for Good Correlation, Cambridge University Press.
[5] S. W. Golomb, Shift Register Sequences, revised edition, Aegean Park Press.
[6] R. Lidl and H. Niederreiter, Introduction to Finite Fields and Their Applications, Cambridge University Press, 1986.
[7] J. Massey, Shift-Register Synthesis and BCH Decoding, IEEE Trans. Inform. Theory, vol. IT-15, no. 1, Jan.
[8] R. E. Blahut, Algebraic Codes for Data Transmission, Cambridge University Press, 2003.
[9] E. L. Key, An analysis of the structure and complexity of nonlinear binary sequence generators, IEEE Trans. Inform. Theory, vol. IT-22, no. 6, Nov.
[10] R. A. Rueppel and O. J. Staffelbach, Products of Linear Recurring Sequences with Maximum Complexity, IEEE Trans. Inform. Theory, vol. IT-33, no. 1, Jan.
[11] E. J. Groth, Generation of binary sequences with controllable complexity, IEEE Trans. Inform. Theory, vol. IT-13, no. 3, May.
[12] N. Zierler and W. H. Mills, Products of Linear Recurring Sequences, J. Algebra, vol. 27.
[13] N. Zierler, Linear Recurring Sequences, J. Soc. Indust. Appl. Math., vol. 7.
[14] G. Gong and S. W. Golomb, Transform Domain Analysis of DES, IEEE Trans. Inform. Theory, vol. 45, no. 6, Sep.
[15] Y. Nawaz, G. Gong, and K. C. Gupta, Upper Bounds on Algebraic Immunity of Boolean Power Functions, Technical Report of CACR.
[16] T. Siegenthaler, Correlation-Immunity of Nonlinear Combining Functions for Cryptographic Applications, IEEE Trans. Inform. Theory, vol. IT-30, no. 5, Sep.


More information

On Existence and Invariant of Algebraic Attacks

On Existence and Invariant of Algebraic Attacks On Existence and Invariant of Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca

More information

A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity

A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity Ziran Tu and Yingpu deng Abstract In this paper, we propose a combinatoric conjecture

More information

Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences Counting Functions for the k-error inear Complexity of 2 n -Periodic Binary Sequences amakanth Kavuluru and Andrew Klapper Department of Computer Science, University of Kentucky, exington, KY 40506. Abstract

More information

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations

Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations Guang Gong, Mark Aagaard and Xinxin Fan Department of Electrical and Computer Engineering University of Waterloo, Waterloo,

More information

Linear Feedback Shift Registers

Linear Feedback Shift Registers Linear Feedback Shift Registers Pseudo-Random Sequences A pseudo-random sequence is a periodic sequence of numbers with a very long period. Golomb's Principles G1: The # of zeros and ones should be as

More information

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College Improvements to Correlation Attacks Against Stream Ciphers with Nonlinear Combiners Brian Stottler Elizabethtown College Spring 2018 1 Background 1.1 Stream Ciphers Throughout the multi-thousand year history

More information

Cryptography and Shift Registers

Cryptography and Shift Registers 6 The Open Mathematics Journal, 29, 2, 6-2 Cryptography and Shift Registers Open Access A.A. Bruen and R.A. Mollin,* Department of Electrical and Computer Engineering, University of Calgary, Canada Department

More information

Functions on Finite Fields, Boolean Functions, and S-Boxes

Functions on Finite Fields, Boolean Functions, and S-Boxes Functions on Finite Fields, Boolean Functions, and S-Boxes Claude Shannon Institute www.shannoninstitute.ie and School of Mathematical Sciences University College Dublin Ireland 1 July, 2013 Boolean Function

More information

Lecture 12. Block Diagram

Lecture 12. Block Diagram Lecture 12 Goals Be able to encode using a linear block code Be able to decode a linear block code received over a binary symmetric channel or an additive white Gaussian channel XII-1 Block Diagram Data

More information

Improved Cascaded Stream Ciphers Using Feedback

Improved Cascaded Stream Ciphers Using Feedback Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca

More information

On the k-error linear complexity for p n -periodic binary sequences via hypercube theory

On the k-error linear complexity for p n -periodic binary sequences via hypercube theory 1 On the k-error linear complexity for p n -periodic binary sequences via hypercube theory Jianqin Zhou Department of Computing, Curtin University, Perth, WA 6102 Australia Computer Science School, Anhui

More information

On the Linear Complexity of Feedback Registers

On the Linear Complexity of Feedback Registers On the Linear Complexity of Feedback Registers (extended abstract) A. H. Chan M. Goresky A. Klapper ru ortheastern University College of Computer Science 360 Huntington Ave. Boston, MA, 02113 ABSTRACT

More information

The LILI-128 Keystream Generator

The LILI-128 Keystream Generator The LILI-128 Keystream Generator E. Dawson 1 A. Clark 1 J. Golić 2 W. Millan 1 L. Penna 1 L. Simpson 1 1 Information Security Research Centre, Queensland University of Technology GPO Box 2434, Brisbane

More information

Smart Hill Climbing Finds Better Boolean Functions

Smart Hill Climbing Finds Better Boolean Functions Smart Hill Climbing Finds Better Boolean Functions William Millan, Andrew Clark and Ed Dawson Information Security Research Centre Queensland University of Technology GPO Box 2434, Brisbane, Queensland,

More information

Binary Additive Counter Stream Ciphers

Binary Additive Counter Stream Ciphers Number Theory and Related Area ALM 27, pp. 1 23 c Higher Education Press and International Press Beijing Boston Binary Additive Counter Stream Ciphers Cunsheng Ding, Wenpei Si Abstract Although a number

More information

Singer and GMW constructions (or generalized GMW constructions), little else is known about p-ary two-level autocorrelation sequences. Recently, a few

Singer and GMW constructions (or generalized GMW constructions), little else is known about p-ary two-level autocorrelation sequences. Recently, a few New Families of Ideal -level Autocorrelation Ternary Sequences From Second Order DHT Michael Ludkovski 1 and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,

More information

State Recovery Attacks on Pseudorandom Generators

State Recovery Attacks on Pseudorandom Generators Appears in WEWoRC 2005 - Western European Workshop on Research in Cryptology, Lecture Notes in Informatics (LNI) P-74 (2005) 53-63. Gesellschaft für Informatik. State Recovery Attacks on Pseudorandom Generators

More information

Division of Trinomials by Pentanomials and Orthogonal Arrays

Division of Trinomials by Pentanomials and Orthogonal Arrays Division of Trinomials by Pentanomials and Orthogonal Arrays School of Mathematics and Statistics Carleton University daniel@math.carleton.ca Joint work with M. Dewar, L. Moura, B. Stevens and Q. Wang

More information

On the computation of the linear complexity and the k-error linear complexity of binary sequences with period a power of two

On the computation of the linear complexity and the k-error linear complexity of binary sequences with period a power of two Loughborough University Institutional Repository On the computation of the linear complexity and the k-error linear complexity of binary sequences with period a power of two This item was submitted to

More information

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS JAIME GUTIERREZ, ÁLVAR IBEAS, DOMINGO GÓMEZ-PEREZ, AND IGOR E. SHPARLINSKI Abstract. We study the security of the linear generator

More information

1 Basic Combinatorics

1 Basic Combinatorics 1 Basic Combinatorics 1.1 Sets and sequences Sets. A set is an unordered collection of distinct objects. The objects are called elements of the set. We use braces to denote a set, for example, the set

More information

Improved Linear Cryptanalysis of SOSEMANUK

Improved Linear Cryptanalysis of SOSEMANUK Improved Linear Cryptanalysis of SOSEMANUK Joo Yeon Cho and Miia Hermelin Helsinki University of Technology, Department of Information and Computer Science, P.O. Box 5400, FI-02015 TKK, Finland {joo.cho,miia.hermelin}@tkk.fi

More information

New Construction of Single Cycle T-function Families

New Construction of Single Cycle T-function Families New Construction of Single Cycle T-function Families Shiyi ZHANG 1, Yongjuan WANG, Guangpu GAO Luoyang Foreign Language University, Luoyang, Henan Province, China Abstract The single cycle T-function is

More information

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers presented by Goutam Sen Research Scholar IITB Monash Research Academy. 1 Agenda: Introduction to Stream Ciphers

More information

Statistical and Linear Independence of Binary Random Variables

Statistical and Linear Independence of Binary Random Variables Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.

More information

On the Primitivity of some Trinomials over Finite Fields

On the Primitivity of some Trinomials over Finite Fields On the Primitivity of some Trinomials over Finite Fields LI Yujuan & WANG Huaifu & ZHAO Jinhua Science and Technology on Information Assurance Laboratory, Beijing, 100072, P.R. China email: liyj@amss.ac.cn,

More information

Fast Low Order Approximation of Cryptographic Functions

Fast Low Order Approximation of Cryptographic Functions Fast Low Order Approximation of Cryptographic Functions Jovan Dj. Golii: * Information Security Research Centre, Queerisland University of Technology GPO Box 2434, Brisbane Q 4001, Australia School of

More information

Pencils of Quadratic Forms over Finite Fields

Pencils of Quadratic Forms over Finite Fields Southern Illinois University Carbondale OpenSIUC Articles and Preprints Department of Mathematics 2004 Pencils of Quadratic Forms over Finite Fields Robert W. Fitzgerald Southern Illinois University Carbondale,

More information

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne Design of SAC/PC(l) of order k Boolean functions and three other cryptographic criteria Kaoru Kurosawa 1 and Takashi Satoh?2 1 Dept. of Comper Science, Graduate School of Information Science and Engineering,

More information

F-FCSR: Design of a New Class of Stream Ciphers

F-FCSR: Design of a New Class of Stream Ciphers F-FCSR: Design of a New Class of Stream Ciphers François Arnault and Thierry P. Berger LACO, Université de Limoges, 123 avenue A. Thomas, 87060 Limoges CEDEX, France {arnault, thierry.berger}@unilim.fr

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

COUNT AND CRYPTOGRAPHIC PROPERTIES OF GENERALIZED SYMMETRIC BOOLEAN FUNCTIONS

COUNT AND CRYPTOGRAPHIC PROPERTIES OF GENERALIZED SYMMETRIC BOOLEAN FUNCTIONS italian journal of pure and applied mathematics n. 37 2017 (173 182) 173 COUNT AND CRYPTOGRAPHIC PROPERTIES OF GENERALIZED SYMMETRIC BOOLEAN FUNCTIONS Shashi Kant Pandey Department of Mathematics University

More information

The Adjacency Graphs of Linear Feedback Shift Registers with Primitive-like Characteristic Polynomials

The Adjacency Graphs of Linear Feedback Shift Registers with Primitive-like Characteristic Polynomials The Adjacency Graphs of Linear Feedback Shift Registers with Primitive-like Characteristic Polynomials Ming Li and Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering,

More information

Topic 3. Design of Sequences with Low Correlation

Topic 3. Design of Sequences with Low Correlation Topic 3. Design of Sequences with Low Correlation M-sequences and Quadratic Residue Sequences 2 Multiple Trace Term Sequences and WG Sequences 3 Gold-pair, Kasami Sequences, and Interleaved Sequences 4

More information

Extended Criterion for Absence of Fixed Points

Extended Criterion for Absence of Fixed Points Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper

More information

L9: Galois Fields. Reading material

L9: Galois Fields. Reading material L9: Galois Fields Reading material Muzio & Wesselkamper Multiple-valued switching theory, p. 3-5, - 4 Sasao, Switching theory for logic synthesis, pp. 43-44 p. 2 - Advanced Logic Design L9 - Elena Dubrova

More information

Nonlinear feedback shift registers and generating of binary de Bruijn sequences

Nonlinear feedback shift registers and generating of binary de Bruijn sequences Nonlinear feedback shift registers and generating of binary de Bruijn sequences Christian Ebne Vivelid November 21, 2016 Master's thesis Department of Informatics University of Bergen 1 Introduction Cryptology

More information

On the BMS Algorithm

On the BMS Algorithm On the BMS Algorithm Shojiro Sakata The University of Electro-Communications Department of Information and Communication Engineering Chofu-shi, Tokyo 182-8585, JAPAN Abstract I will present a sketch of

More information

Haar Spectrum of Bent Boolean Functions

Haar Spectrum of Bent Boolean Functions Malaysian Journal of Mathematical Sciences 1(S) February: 9 21 (216) Special Issue: The 3 rd International Conference on Mathematical Applications in Engineering 21 (ICMAE 1) MALAYSIAN JOURNAL OF MATHEMATICAL

More information

Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights

Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights Qichun Wang Abstract It is known that correlation-immune (CI) Boolean functions used

More information

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers Palash Sarkar Cryptology Research Centre Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata 700035 India palash@isical.ac.in

More information