Towards non-linear feedbacks

Transcription

1 Towards non-linear feedbacks Who? Cédric Lauradoux When? December 2, 2008

2 Applications of sequences BPSK Data Carrier m t IV Init s n K k t f Φ Φ c t s 1 s n s 1 PRNG Spread spectrum Boolean functions PRNG Stream ciphers PRNG Φ Φ s n s 1 s n PRNG s 1 c t Data scrambler m t Path n Path n 1 Path 1 CUT Build In Self Test

3 Outline Shift register theory fundamentals Universal windmill generators: parallel random number generators; parallel generation of m-sequences; windmill generators (extension); Symmetric feedback functions: Symmetric functions; Ideas. Conclusions

4 Shift register theory fundamentals Linear Feedback Shift Registers m 3 m 2 m 1 m 0 Period: T = 2 n 1 Quadratic Feedback Shift Registers m 3 m 2 m 1 m 0 m 3 m 2 m 1 m 0 m 0 m 1 m 2 m 3 Feedback with Carry Shift Registers Period: T = 2 n m 3 m 2 m 1 m 0 Period: 2 n T < 2 n+1 c 0

5 Shift register theory fundamentals non-linear Theorem Theorem [De Bruijn1946] There is exactly 22n 1 2 NLFSRs of period 2 n. n (The number of LFSRs of period 2 n 1 is φ(2n 1) 2 n 2n n.) [Golomb1967] The feedback function f of an NLFSR of period 2 n is defined: f (x 0,x 1,,x n 1 ) = x 0 g(x 1,x 2,,x n 1 ). Such NLFSRs is called a non-singular shift register.

6 Shift register theory fundamentals Modern cryptography Block ciphers: Feistel scheme (DES,RC6...) 32 bits L i R i f K i Hash functions: (MD4, MD5, MD6...) 32 bits Q i Q i 1 Q i 2 Q i 3 f w σ (i)

7 Shift register theory fundamentals Modern cryptography estream Portfolio: Software profile HC-128 Rabbit Salsa20/12 Sosemanuk Hardware profile Grain Mickey Trivium other designs: Keeloq (block/stream) Squash (MAC)

8 Shift register theory fundamentals So if everybody use NLFSRs, it must be well-mastered?? Ask the question to Ron Rivest... How to explore non-linear feedback functions? constraints on the variables reduced the choice for the feedback function

9 Universal windmill generators Definition A v-vane universal windmill generator is a network of v shift registers non-linearly interconnected, v 1. The size of the vane R k is l(k). The interconnection network defined the feedback of a register R k by: m k l(k) (t+1) = g(mσ 1(k) α i1 (t),m σ 1(k) α i2 (t),,m σ 2(k) β j1 (t),m σ 2(k) β j2 (t), with σ 1 and σ 2 are 2 permutations of 1,2,,v 1.

10 Universal windmill generators Example Nothing yet! waiting for simulation results! Don t worry some entertainement is following...

11 Parallel random number generator Simple example The basic linear congruential generator (LCG): X t+1 = ax t + c mod n. X 0 X 2 X 4 X 2i X 1 X 3 X 5 X 2i+1 S = X 0,X 1,X 2, X 2i+1,

12 Parallel random number generator LCG: parallel implementation More generally, we have: X t+i = a i X 0 + Then, we obtain for t = u k : X k(u+1) = a k X ku + ( a i ) 1 c mod n. a 1 ( a k ) 1 c mod n a 1 k = 2,u = 0 and u = 1 S2 0 = X 0,X 2,X 4 X 2i 2 S2 1 = X 1,X 3,X 5 X 2i+1

13 Parallel random number generator Applications X 0 X 2 X 4 X 2i X 1 X 3 X 5 X 2i+1 SIMD/MIMD computers Vector processor

14 Parallel random number generator The problem Let S be an infinite sequence over an alphabet A: S = s 0,s 1,s 2 For an integer v, a v decimation of S is the set of sub-sequences defined by: Sv 0 = (s 0,s v, ) Sv 1 = (s 1,s 1+v, )... v = (s v 2,s 2v 2, ) v = (s v 1,s 2v 1, ). S v 2 S v 1 Knowing S, how to generate the sub-sequences S i v? (Jeopardy: knowing the S i v how to find the shortest S?)

15 Parallel random number generator Other generators Linear congruential generator: X k(u+1) = a k X ku + ( a k 1 a 1 ) c mod n. Blum Blum Shub (p,q are 2 large prime numbers): X k(u+1) = X 2k mod (p 1)(q 1) ku mod pq. FCSRs [Lauradoux et Roeck 2008] (x 0 ) τ m+i m 2 i k=0 a i+k [(x 0 ) τ k 1 (c i+k ) τ k 1 ] if m v i < m (x i ) τ = (x i+v ) t d 1 k=0 a i+k [(x 0 ) τ k 1 (c i+k ) τ k 1 ] if i < m v (c i ) τ = [(x 0 ) τ 1 (x i+1 ) τ 1 ] [(x 0 ) τ 1 (c i ) τ 1 ] (x 0 ) τ 1

16 Parallel generation of m-sequences q n 2 q n 3 q 1 q 0 m n 1 m n 2 m 2 m 1 m 0 S S 0 v SUB-SEQUENCES GENERATOR S 1 v S v 1 v

17 Parallel generation of m-sequences 4 solutions exist to obtain parallel LFSRs: decimation: properties of m-sequences; parallel feedforward transformation (PFF); parallel feedback transformation (PFB); windmill generators. [Zierler1959] [Hsia1969] [Hurd1974] [Smeets1988]

18 Parallel generation of m-sequences Solution I: decimation Theorem [Zierler1959]. Let S be an m-sequence of characteristic polynomial q with root α. The sub-sequences Sv i of S are also some m-sequences such that: the minimum polynomial of α v in F 2 n is the connection polynomial q (x) of the resulting LFSR; the period T of S i v is: T = T gcd(v,t) ; the degree n of q (x) is equal to the multiplicative order of q(x) in Z T. A given Sv i can be generated by an LFSR.

19 Parallel generation of m-sequences Solution II: parallel feedforward Idea Based on the exponential representation of m-sequences: u t = Tr(α i x) q n 2 q n 3 q 1 q 0 m n 1 m n 2 m 2 m 1 m 0 f S v 1 v S 1 v S 0 v

20 Parallel generation of m-sequences Solution III: parallel feedback Idea Clock v times the LFSR in one clock cycle!? Example A PFB transformation on a simple cycling register: m 3 m 2 m 1 m 0 S m m S m S2 1 3 m 1

21 Parallel generation of m-sequences Solution III: a more elaborate example Example Let consider the LFSR defined by the following relations: m 7 (t + 1) = m 3 (t) m 4 (t) m 5 (t) m 0 (t) m i (t + 1) = m i+1 (t) if i 7. m 7 m 6 m 5 m 4 m 3 m 2 m 1 m 0 S

22 Parallel generation of m-sequences Solution III: a more elaborate example To apply the PFB transformation, we need to implements the previous equations for the successive states m 7 (t + j) for 1 j v (v = 3): m 7 (t + 1) = m 3 (t) m 4 (t) m 5 (t) m 0 (t) m 7 (t + 2) = m 4 (t) m 5 (t) m 6 (t) m 1 (t) m 7 (t + 3) = m 5 (t) m 6 (t) m 7 (t) m 2 (t) m i (t + 3) = m i+3 (t) if i < 5. Now, we start the unpleasant part...

23 Parallel generation of m-sequences Solution III: the bloody mess m 6 m 3 m 0 S m 7 m 4 m 1 m 5 m 2

24 Parallel generation of m-sequences Solution IV: windmills Definition [Smeets1988] A v-vane windmill generator is a network of v shift registers linearly interconnected, v 1. The size of the vane k is l(k). The interconnection network is defined by: l(σ(k)) ml(k) k (t + 1) = i=0 α i m σ(k) i with σ a permutation of 1,2,,v 1. l(k) (t) β j mj k (t) j=0 Such a generator is an (n,v,σ,l)-windmill generator.

25 Parallel generation of m-sequences Solution IV: first figure R0 Sv 0 S R1 v 1 S v 1 Rv 1 v βn 1 β0 βn 1 β0 βn 1 β0 α0 αl 1 α0 αl 1 α0 αl 1 σ

26 Parallel generation of m-sequences Solution IV: property Theorem [Smeets1988] Let n and v be integers such that 1 v < n, a permutation σ and a length function l. Let α(x) = α i x i and β(x 1 ) = β i x i be two polynomials over F 2 such that α(0) = 1 and β(0) 1. The polynomial defined by: q(x) = α(x v ) + β(x v x n ) is the connection polynomial of the sequences S associated to an (n, v, σ, l)-windmill generator. q is called a windmill polynomial.

27 Parallel generation of m-sequences Solution IV: exemple The windmill generator has been used in the E0 stream cipher (Bluetooth): Four LFSRs Four 4-vane windmills R 0 m6 0 m5 0 m4 0 m3 0 m2 0 m 0 1 s 0 4 m 0 0 R 2 m4 2 m3 2 m 2 5 m 2 2 m 2 1 m2 0 s 2 4 R 1 m5 1 m4 1 m3 1 s4 1 R 3 m5 3 m4 3 m3 3 m2 3 m1 3 m0 3 m2 1 m1 1 m0 1 s 3 4 q(x) = x 25 + x 20 + x 12 + x 8 + 1

28 Parallel generation of m-sequences Solution IV: why is called windmill? s 0 4 x 0 x 4 x 8 x 12 x 16 x 20 x 24 s4 3 x 3 x 7 x 11 x 15 x 19 x 23 x 21 x 17 x 13 x 9 x 5 x 1 s4 3 x 22 x 18 x 14 x 10 x 6 x 2 s 2 4

29 Windmill generators Even Don Quichotte has some weapons!

30 Windmill generators Testing irreducibility Definition A polynomial q F k [X] is irreducible, if deg(q) > 0 and if all the divisor of q is a constant or a multiple of q by a constant. Many algorithms: Berlekamp: Knuth-Alanen; Shoup; Ben-Or; Rabin; Argnt...

31 Windmill generators Irreducibility test Theorem Theorem [Rabin] Let p 1,p 2,p k be all the prime divisor of n, and denote n i = n p i for 1 i k. A polynomial finf q [x] of degree n is irreducible in F q [x] iff gcd(f,x qn i 1) = 1, for 1 i k, and f divides x qn x. [Ben-Or] For i 1, the polynomial x qi x F q [x] is the product of all monic irreducible polynomials whose degree divides i. Algorithm Ben-Or Rabin Worst case nm(n) log kn nm(n)log k log n M(n) = n log n log log n (assuming FFT-based multiplication)

32 Windmill generators How many they are v n # pri # irr # pri # irr # pri # irr

33 Windmill generators How many they are Theorem [Cohen1989] There is no (n, v, σ, l)-windmill polynomials, v = 2 i,i > 0 such that n = 3 mod 8 or n even. First observed by Smeets and later proved by Cohen while studying the Galois group the windmill polynomials. There is something to do with the PFB transformation and the windmill generators.

34 Windmill generators PFB transformation and windmill generator The feedback function F i in the PFB transformation can be decomposed as the sum modulo two of v sub-functions which depends each of a given register R j : sv 0 sv 1 R 0 R 1 R v 1 s n 1 v The windmill generator is the optimal case for a PFB transformation!

35 Windmill generators PFB transformation and windmill generator Remark An (n, v, σ, l)-windmill generator corresponds to a shift-registers network issued from a PFB transformation. The feedback F i of R i depends at most on the contribution of 2 registers Comment Let consider a windmill polynomial q(x) = α(x v ) + β(x v )x n. We have: β(x) 1, F i depends exactly on 2 registers: β(x) = 1, F i depends exactly on 1 registers.

36 Windmill generators Extension R i S i v β n 1 α 0 α l 1

37 Windmill generators Extension Instead of the original windmill polznomial: q(x) = α(x v ) + β(x v )x n, let consider the linear universal windmill polynomial: q(x) = α(x v ) + x n φ β(x v ) + x n, with φ < v. l(σ 1 (k)) ml(k) k (t + 1) = i=0 l(σ 2 (k)) α i m σ 1(k) i (t) j=0 β j m σ 2(k) j (t)

38 Windmill generators Extension Let see what we can achieve with φ: φ = 0 the original definition; n φ = 0 mod v, q(x) = α(x) + x n ; otherwise we have something new: parameters (n, v, τ, l, φ). Example An (19, 4, σ, l, 2)-universal windmill generator: α(x) = 1 + x β(x) = x + x 2 Interesting: 19 = 3 mod 8. q(x) = 1 + x 4 + x 9 + x 13 + x 19

39 Windmill generators Extension R 0 m4 0 m3 0 m2 0 m1 0 m0 0 s 0 4 R 1 m4 1 m3 1 m2 1 m1 1 m0 1 s 1 4 R 2 m4 2 m3 2 m2 2 m1 2 m0 2 s 2 4 R 3 m3 3 m2 3 m1 3 m0 3 s 3 4 q(x) = x 19 + x 13 + x 9 + x 4 + 1

40 The extended windmill generator New result v n # pri # irr # pri # irr # pri # irr

41 Windmill generators n = 41, v = Extended windmill Original definition [11] Number of polynomials (degree 41, v=4) w(q)

42 Windmill generators Security A windmill polynomial q is likely to have a multiple of low Hamming weight of the form Q(x) = (1 + x iv )q(x): q(x) = x 41 + x 37 + x 33 + x 32 + x 29 + x 28 + x 25 + x 24 + x 21 + x 20 + x 17 + x 16 + x 13 + x 12 + x 9 + x 8 + x 5 + x has for multiple Q(x) = (1 + x 4 ) q(x) = x 45 + x 36 + x

43 Conclusions Theorem Universal? Let q be a prime number of maximal order such that: q = α + 2 n φ β + 2 n with α = α i 2 iv, α 0 = 1 and β = β i 2 iv is the connection integer of an (n, v, σ, l, φ)-watermill generator. NLFSRs? coming soon in A first paper submitted at IEEE TC.

44 s 0 4 x 0 x 4 x 8 x 12 x 16 x 20 x 24 s 3 4 x 3 x 7 x 11 x 15 x 19 x 23 x 21 x 17 x 13 x 9 x 5 x 1 s 3 4 x 22 x 18 x 14 x 10 x 6 x 2 s 2 4 B. f (x) = x 25 + x 17 + x 13 + x 5 + 1