Towards non-linear feedbacks
Slide 1: Towards non-linear feedbacks. Who? Cédric Lauradoux. When? December 2, 2008.

Slide 2: Applications of sequences. [Figures: spread spectrum (data m(t) on a BPSK carrier, spread with the PRNG output c(t)); stream ciphers (PRNG with state $s_1, \ldots, s_n$ initialised from IV and key K, filtered by a Boolean function Φ to give the keystream bits $k_t$); data scrambler (PRNG output combined with the data m(t)); built-in self test (PRNG driving paths 1 to n of the circuit under test, CUT).]

Slide 3: Outline. Shift register theory fundamentals. Universal windmill generators: parallel random number generators; parallel generation of m-sequences; windmill generators (extension). Symmetric feedback functions: symmetric functions; ideas. Conclusions.

Slide 4: Shift register theory fundamentals. Linear feedback shift registers [figure: cells $m_3, m_2, m_1, m_0$], period $T = 2^n - 1$. Quadratic feedback shift registers [figure: cells $m_3, \ldots, m_0$ with products of cells fed back], period $T = 2^n$. Feedback with carry shift registers [figure: cells $m_3, \ldots, m_0$ and a carry cell $c_0$], period T between $2^n$ and $2^{n+1}$ ($T < 2^{n+1}$).

Slide 5: Shift register theory fundamentals: the non-linear theorem. Theorem [De Bruijn 1946]: there are exactly $2^{2^{n-1} - n}$ NLFSRs of period $2^n$. (The number of LFSRs of period $2^n - 1$ is $\varphi(2^n - 1)/n$.) [Golomb 1967]: the feedback function f of an NLFSR of period $2^n$ has the form $f(x_0, x_1, \ldots, x_{n-1}) = x_0 \oplus g(x_1, x_2, \ldots, x_{n-1})$. Such an NLFSR is called a non-singular shift register.

Slide 6: Shift register theory fundamentals: modern cryptography. Block ciphers: Feistel scheme (DES, RC6, ...) [figure: 32-bit halves $L_i$ and $R_i$, round function f with subkey $K_i$]. Hash functions (MD4, MD5, MD6, ...) [figure: 32-bit chaining words $Q_i, Q_{i-1}, Q_{i-2}, Q_{i-3}$, step function f, message word $w_{\sigma(i)}$].

Slide 7: Shift register theory fundamentals: modern cryptography. eSTREAM portfolio. Software profile: HC-128, Rabbit, Salsa20/12, Sosemanuk. Hardware profile: Grain, Mickey, Trivium. Other designs: KeeLoq (block/stream), SQUASH (MAC).

Slide 8: Shift register theory fundamentals. So if everybody uses NLFSRs, they must be well mastered?? Ask Ron Rivest... How to explore non-linear feedback functions? Constraints on the variables reduce the choice of feedback function.

Slide 9: Universal windmill generators: definition. A v-vane universal windmill generator is a network of v shift registers non-linearly interconnected, $v \ge 1$. The size of the vane $R_k$ is $l(k)$. The interconnection network defines the feedback of a register $R_k$ by
$m^k_{l(k)}(t+1) = g\big(m^{\sigma_1(k)}_{\alpha_{i_1}}(t), m^{\sigma_1(k)}_{\alpha_{i_2}}(t), \ldots, m^{\sigma_2(k)}_{\beta_{j_1}}(t), m^{\sigma_2(k)}_{\beta_{j_2}}(t), \ldots\big)$,
where $\sigma_1$ and $\sigma_2$ are two permutations of $\{1, 2, \ldots, v-1\}$.

Slide 10: Universal windmill generators: example. Nothing yet! Waiting for simulation results! Don't worry, some entertainment follows...

Slide 11: Parallel random number generator: simple example. The basic linear congruential generator (LCG): $X_{t+1} = aX_t + c \bmod n$. [Figure: the sequence $S = X_0, X_1, X_2, \ldots, X_{2i+1}, \ldots$ split into the even terms $X_0, X_2, X_4, \ldots, X_{2i}$ and the odd terms $X_1, X_3, X_5, \ldots, X_{2i+1}$.]

Slide 12: Parallel random number generator: LCG, parallel implementation. More generally, $X_{t+i} = a^i X_t + \frac{a^i - 1}{a - 1}\, c \bmod n$. Then, for $t = uk$, we obtain $X_{k(u+1)} = a^k X_{ku} + \frac{a^k - 1}{a - 1}\, c \bmod n$. With $k = 2$, $u = 0$ and $u = 1$: $S_2^0 = X_0, X_2, X_4, \ldots, X_{2i}, \ldots$ and $S_2^1 = X_1, X_3, X_5, \ldots, X_{2i+1}, \ldots$
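The parallel LCG of slides 11 and 12 in code, as an added example that is not part of the original slides: each sub-sequence $S_v^i$ is produced directly from the jump parameters $a^v$ and $c(1 + a + \cdots + a^{v-1})$ and checked against the sequential generator. The constants a, c, n and the seed are constructed for the demonstration; the geometric sum is accumulated rather than divided, because $a - 1$ is usually not invertible modulo n.

```python
# Added example (not from the slides): producing the v-decimated sub-sequences
# S_v^i of an LCG directly, as on slide 12, and checking them against the
# sequential generator X_{t+1} = a X_t + c mod n.

def lcg_sequence(a, c, n, x0, count):
    """Sequential LCG: returns X_0, X_1, ..., X_{count-1}."""
    out, x = [], x0 % n
    for _ in range(count):
        out.append(x)
        x = (a * x + c) % n
    return out


def jump_parameters(a, c, n, k):
    """Return (a^k mod n, c_k) with c_k = c (1 + a + ... + a^{k-1}) mod n, so that
    X_{t+k} = a^k X_t + c_k mod n. The geometric sum is accumulated term by term:
    the closed form c (a^k - 1)/(a - 1) needs a modular inverse of a - 1, which
    does not exist for the usual choices (n a power of two and a odd)."""
    ak, ck = 1, 0
    for _ in range(k):
        ck = (ck + c * ak) % n
        ak = (ak * a) % n
    return ak, ck


def decimated_sequence(a, c, n, x0, v, i, count):
    """S_v^i = X_i, X_{i+v}, X_{i+2v}, ... without computing the terms in between."""
    ai, ci = jump_parameters(a, c, n, i)      # jump from X_0 to X_i
    av, cv = jump_parameters(a, c, n, v)      # then advance v steps at a time
    x, out = (ai * x0 + ci) % n, []
    for _ in range(count):
        out.append(x)
        x = (av * x + cv) % n
    return out


def parallel_lcg(a, c, n, x0, v, cycles):
    """All v lanes; each lane is one independent LCG with multiplier a^v, as a
    SIMD or vector machine would run them (slide 13)."""
    return [decimated_sequence(a, c, n, x0, v, i, cycles) for i in range(v)]


if __name__ == "__main__":
    # Constructed parameters for the demonstration (31-bit modulus, seed 42).
    a, c, n, seed = 1103515245, 12345, 2 ** 31, 42
    seq = lcg_sequence(a, c, n, seed, 40)
    lanes = parallel_lcg(a, c, n, seed, 4, 10)
    print(all(lanes[i] == seq[i::4] for i in range(4)))   # → True
```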
Slide 13: Parallel random number generator: applications. SIMD/MIMD computers, vector processors. [Figure: the even-indexed terms $X_0, X_2, X_4, \ldots, X_{2i}$ and the odd-indexed terms $X_1, X_3, X_5, \ldots, X_{2i+1}$ as two lanes.]

Slide 14: Parallel random number generator: the problem. Let S be an infinite sequence over an alphabet A: $S = s_0, s_1, s_2, \ldots$ For an integer v, a v-decimation of S is the set of sub-sequences $S_v^0 = (s_0, s_v, \ldots)$, $S_v^1 = (s_1, s_{1+v}, \ldots)$, ..., $S_v^{v-2} = (s_{v-2}, s_{2v-2}, \ldots)$, $S_v^{v-1} = (s_{v-1}, s_{2v-1}, \ldots)$. Knowing S, how to generate the sub-sequences $S_v^i$? (Jeopardy: knowing the $S_v^i$, how to find the shortest S?)

Slide 15: Parallel random number generator: other generators. Linear congruential generator: $X_{k(u+1)} = a^k X_{ku} + \frac{a^k - 1}{a - 1}\, c \bmod n$. Blum Blum Shub (p, q two large prime numbers): $X_{k(u+1)} = X_{ku}^{\,2^k \bmod (p-1)(q-1)} \bmod pq$. FCSRs [Lauradoux and Röck 2008]: an analogous decimation formula for the cells $x_i$ and the carries $c_i$ of an FCSR (the equation is not legible in this transcription).

Slide 16: Parallel generation of m-sequences. [Figure: an LFSR with coefficients $q_{n-2}, q_{n-3}, \ldots, q_1, q_0$ and cells $m_{n-1}, m_{n-2}, \ldots, m_0$ producing S, followed by a sub-sequences generator producing $S_v^0, S_v^1, \ldots, S_v^{v-1}$.]

Slide 17: Parallel generation of m-sequences. Four solutions exist to obtain parallel LFSRs: decimation (properties of m-sequences); parallel feedforward transformation (PFF); parallel feedback transformation (PFB); windmill generators. ([Zierler1959], [Hsia1969], [Hurd1974], [Smeets1988])

Slide 18: Solution I: decimation. Theorem [Zierler1959]. Let S be an m-sequence with characteristic polynomial q having root α. The sub-sequences $S_v^i$ of S are also m-sequences such that: the minimal polynomial of $\alpha^v$ in $\mathbb{F}_{2^n}$ is the connection polynomial $q'(x)$ of the resulting LFSR; the period $T'$ of $S_v^i$ is $T' = T / \gcd(v, T)$; the degree $n'$ of $q'(x)$ is equal to the multiplicative order of $q(x)$ in $\mathbb{Z}_{T'}$. A given $S_v^i$ can be generated by an LFSR.

Slide 19: Solution II: parallel feedforward. Idea: based on the exponential (trace) representation of m-sequences, $u_t = \mathrm{Tr}(\alpha^t x)$. [Figure: the LFSR of slide 16 followed by a feedforward function f producing $S_v^{v-1}, \ldots, S_v^1, S_v^0$.]

Slide 20: Solution III: parallel feedback. Idea: clock the LFSR v times in one clock cycle!? Example: a PFB transformation on a simple cycling register. [Figure: a 4-cell cycling register $m_3, m_2, m_1, m_0$ with output S, and the transformed register producing $S_2^0$ and $S_2^1$.]

Slide 21: Solution III: a more elaborate example. Consider the LFSR defined by $m_7(t+1) = m_3(t) \oplus m_4(t) \oplus m_5(t) \oplus m_0(t)$ and $m_i(t+1) = m_{i+1}(t)$ if $i \ne 7$. [Figure: cells $m_7, m_6, \ldots, m_0$ with output S.]

Slide 22: Solution III: a more elaborate example. To apply the PFB transformation, we need to implement the previous equations for the successive states $m_7(t+j)$, $1 \le j \le v$ (here $v = 3$):
$m_7(t+1) = m_3(t) \oplus m_4(t) \oplus m_5(t) \oplus m_0(t)$,
$m_7(t+2) = m_4(t) \oplus m_5(t) \oplus m_6(t) \oplus m_1(t)$,
$m_7(t+3) = m_5(t) \oplus m_6(t) \oplus m_7(t) \oplus m_2(t)$,
$m_i(t+3) = m_{i+3}(t)$ if $i < 5$.
Now, we start the unpleasant part...

Slide 23: Solution III: the bloody mess. [Figure: the register after the PFB transformation, cells regrouped as $(m_6, m_3, m_0)$, $(m_7, m_4, m_1)$ and $(m_5, m_2)$, output S.]
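The PFB transformation of slides 21 and 22 as an added example (not code from the original slides): the v-clock update is obtained as the v-th power of the LFSR's transition matrix over GF(2), which reproduces the three feedback equations of slide 22 for v = 3, and the v output bits per cycle are checked against the sequential register. Cell and tap names follow slide 21; the initial state is constructed.

```python
# Added example (not from the slides): derive the PFB register of slides 21-22 from the
# GF(2) transition matrix of the LFSR and check it against the sequential register.

N = 8
TAPS = (0, 3, 4, 5)   # m_7(t+1) = m_3(t) ^ m_4(t) ^ m_5(t) ^ m_0(t); m_i(t+1) = m_{i+1}(t)


def transition(n, taps):
    """One clock as a linear map over GF(2): row i is the set of old cells XORed into new m_i."""
    rows = [{i + 1} for i in range(n - 1)]
    rows.append(set(taps))
    return rows


def compose(a, b):
    """Product of two maps (apply b, then a). A row is an index set; adding two rows
    over GF(2) is their symmetric difference."""
    out = []
    for row in a:
        acc = set()
        for j in row:
            acc ^= b[j]
        out.append(acc)
    return out


def power(rows, v):
    """The map for v consecutive clocks, A^v."""
    result = [{i} for i in range(len(rows))]   # identity
    for _ in range(v):
        result = compose(rows, result)
    return result


def pfb_equations(n, taps, v):
    """Feedback of the PFB register: for each of the v cells that is not a plain shift
    by v, the taps at time t that give it at time t+v (for v=3: the equations of slide 22)."""
    av = power(transition(n, taps), v)
    return {i: sorted(av[i]) for i in range(n - v, n)}


def step(state, rows):
    """Apply a linear map to a state vector of bits."""
    return [sum(state[j] for j in row) & 1 for row in rows]


def sequential_output(state, count):
    """The original LFSR, one bit (m_0) per clock."""
    a = transition(N, TAPS)
    s, out = list(state), []
    for _ in range(count):
        out.append(s[0])
        s = step(s, a)
    return out


def pfb_lanes(state, v, cycles):
    """The PFB register: v bits per clock. Since m_i(t) = m_0(t+i), the cells
    m_0..m_{v-1} hold s_t..s_{t+v-1}; lane i collects S_v^i."""
    av = power(transition(N, TAPS), v)
    s = list(state)
    lanes = [[] for _ in range(v)]
    for _ in range(cycles):
        for i in range(v):
            lanes[i].append(s[i])
        s = step(s, av)
    return lanes


if __name__ == "__main__":
    for cell, taps in pfb_equations(N, TAPS, 3).items():
        print("m_%d(t+3) = %s" % (cell, " ^ ".join("m_%d(t)" % j for j in taps)))
    start = [1, 0, 0, 0, 0, 0, 0, 0]                  # constructed non-zero initial state
    seq = sequential_output(start, 30)
    lanes = pfb_lanes(start, 3, 10)
    print(all(lanes[i] == seq[i::3] for i in range(3)))  # → True
```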
Slide 24: Solution IV: windmills. Definition [Smeets1988]. A v-vane windmill generator is a network of v shift registers linearly interconnected, $v \ge 1$. The size of vane k is $l(k)$. The interconnection network is defined by
$m^k_{l(k)}(t+1) = \sum_{i=0}^{l(\sigma(k))} \alpha_i\, m^{\sigma(k)}_i(t) + \sum_{j=0}^{l(k)} \beta_j\, m^k_j(t)$ (sums modulo 2),
with σ a permutation of $\{1, 2, \ldots, v-1\}$. Such a generator is an (n, v, σ, l)-windmill generator.

Slide 25: Solution IV: first figure. [Figure: vanes $R_0, R_1, \ldots, R_{v-1}$ producing $S_v^0, S_v^1, \ldots, S_v^{v-1}$, each with feedback coefficients $\beta_{n-1}, \ldots, \beta_0$ and $\alpha_0, \ldots, \alpha_{l-1}$, interconnected through σ.]

Slide 26: Solution IV: property. Theorem [Smeets1988]. Let n and v be integers such that $1 \le v < n$, σ a permutation and l a length function. Let $\alpha(x) = \sum \alpha_i x^i$ and $\beta(x^{-1}) = \sum \beta_i x^{-i}$ be two polynomials over $\mathbb{F}_2$ such that $\alpha(0) = 1$ and $\beta(0) = 1$. The polynomial $q(x) = \alpha(x^v) + \beta(x^{-v})\, x^n$ is the connection polynomial of the sequence S associated with an (n, v, σ, l)-windmill generator. q is called a windmill polynomial.

Slide 27: Solution IV: example. The windmill generator has been used in the E0 stream cipher (Bluetooth): four LFSRs, four 4-vane windmills. [Figure: registers $R_0, \ldots, R_3$ with cells $m^j_i$ and outputs $s_4^0, \ldots, s_4^3$.] $q(x) = x^{25} + x^{20} + x^{12} + x^8 + 1$.

Slide 28: Solution IV: why is it called a windmill? [Figure: the 25 cells $x_0, \ldots, x_{24}$ of the E0 register drawn as four vanes, one per residue class of the index modulo 4: $(x_0, x_4, \ldots, x_{24})$ giving $s_4^0$, $(x_1, x_5, \ldots, x_{21})$ giving $s_4^1$, $(x_2, x_6, \ldots, x_{22})$ giving $s_4^2$, $(x_3, x_7, \ldots, x_{23})$ giving $s_4^3$.]

Slide 29: Windmill generators. Even Don Quichotte has some weapons!

Slide 30: Windmill generators: testing irreducibility. Definition: a polynomial $q \in \mathbb{F}_k[X]$ is irreducible if $\deg(q) > 0$ and every divisor of q is a constant or a multiple of q by a constant. Many algorithms: Berlekamp; Knuth-Alanen; Shoup; Ben-Or; Rabin; Argnt...

Slide 31: Windmill generators: irreducibility test. Theorem [Rabin]. Let $p_1, p_2, \ldots, p_k$ be all the prime divisors of n, and denote $n_i = n / p_i$ for $1 \le i \le k$. A polynomial $f \in \mathbb{F}_q[x]$ of degree n is irreducible in $\mathbb{F}_q[x]$ iff $\gcd(f, x^{q^{n_i}} - x) = 1$ for $1 \le i \le k$, and f divides $x^{q^n} - x$. [Ben-Or]: for $i \ge 1$, the polynomial $x^{q^i} - x \in \mathbb{F}_q[x]$ is the product of all monic irreducible polynomials whose degree divides i. Worst-case cost: Ben-Or $n\,M(n)\log kn$; Rabin $n\,M(n)\log k \log n$; with $M(n) = n \log n \log\log n$ (assuming FFT-based multiplication).

Slide 32: Windmill generators: how many there are. [Table: number of primitive (# pri) and irreducible (# irr) windmill polynomials for several values of v and n; the values are not recoverable from this transcription.]

Slide 33: Windmill generators: how many there are. Theorem [Cohen1989]. There is no (n, v, σ, l)-windmill polynomial with $v = 2^i$, $i > 0$, such that $n \equiv 3 \bmod 8$ or n even. First observed by Smeets and later proved by Cohen while studying the Galois group of the windmill polynomials. There is something to do with the PFB transformation and the windmill generators.

Slide 34: PFB transformation and windmill generator. The feedback function $F_i$ in the PFB transformation can be decomposed as the sum modulo two of v sub-functions, each depending on a given register $R_j$. [Figure: registers $R_0, R_1, \ldots, R_{v-1}$ producing $s_v^0, s_v^1, \ldots, s_v^{v-1}$.] The windmill generator is the optimal case for a PFB transformation!

Slide 35: PFB transformation and windmill generator. Remark: an (n, v, σ, l)-windmill generator corresponds to a shift-register network issued from a PFB transformation; the feedback $F_i$ of $R_i$ depends at most on the contribution of 2 registers. Comment: let $q(x) = \alpha(x^v) + \beta(x^{-v})\, x^n$ be a windmill polynomial. If $\beta(x) \ne 1$, $F_i$ depends on exactly 2 registers; if $\beta(x) = 1$, $F_i$ depends on exactly 1 register.

Slide 36: Windmill generators: extension. [Figure: a single vane $R_i$ with output $S_v^i$ and coefficients $\beta_{n-1}$ and $\alpha_0, \ldots, \alpha_{l-1}$.]

Slide 37: Windmill generators: extension. Instead of the original windmill polynomial $q(x) = \alpha(x^v) + \beta(x^{-v})\, x^n$, consider the linear universal windmill polynomial $q(x) = \alpha(x^v) + x^{n-\varphi}\, \beta(x^{-v}) + x^n$, with $\varphi < v$. The feedback becomes
$m^k_{l(k)}(t+1) = \sum_{i=0}^{l(\sigma_1(k))} \alpha_i\, m^{\sigma_1(k)}_i(t) + \sum_{j=0}^{l(\sigma_2(k))} \beta_j\, m^{\sigma_2(k)}_j(t)$.

Slide 38: Windmill generators: extension. Let us see what we can achieve with φ: φ = 0 gives the original definition; $n - \varphi \equiv 0 \bmod v$ gives $q(x) = \alpha(x^v) + x^n$; otherwise we have something new, with parameters (n, v, σ, l, φ). Example: a (19, 4, σ, l, 2)-universal windmill generator with $\alpha(x) = 1 + x$ and $\beta(x) = x + x^2$: $q(x) = 1 + x^4 + x^9 + x^{13} + x^{19}$. Interesting: $19 \equiv 3 \bmod 8$.

Slide 39: Windmill generators: extension. [Figure: registers $R_0, R_1, R_2$ (cells $m^j_4, \ldots, m^j_0$) and $R_3$ (cells $m^3_3, \ldots, m^3_0$) with outputs $s_4^0, \ldots, s_4^3$.] $q(x) = x^{19} + x^{13} + x^9 + x^4 + 1$.

Slide 40: The extended windmill generator: new result. [Table: # pri and # irr counts for several values of v and n; the values are not recoverable from this transcription.]

Slide 41: Windmill generators, n = 41, v = 4. [Figure: histogram of the number of polynomials of degree 41 with v = 4 by weight w(q), extended windmill versus the original definition [11].]

Slide 42: Windmill generators: security. A windmill polynomial q is likely to have a multiple of low Hamming weight of the form $Q(x) = (1 + x^{iv})\, q(x)$: $q(x) = x^{41} + x^{37} + x^{33} + x^{32} + x^{29} + x^{28} + x^{25} + x^{24} + x^{21} + x^{20} + x^{17} + x^{16} + x^{13} + x^{12} + x^9 + x^8 + x^5 + x$ has the multiple $Q(x) = (1 + x^4)\, q(x) = x^{45} + x^{36} + x \ldots$ (the remaining terms are cut off in the transcription).
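An added example, not from the original slides, covering slides 27, 31, 37, 38 and 42 at once: GF(2) polynomial arithmetic on integers, Rabin's irreducibility test, the decomposition $q(x) = \alpha(x^v) + x^{n-\varphi}\beta(x^{-v}) + x^n$, and the weights of the multiples $(1 + x^{iv})\,q(x)$. `E0_Q` and `Q19` are the polynomials of slides 27 and 38; `Q13` is a constructed degree-13 polynomial with the same alternating shape as the degree-41 polynomial of slide 42.

```python
# Added example (not from the slides): GF(2) polynomials as Python ints (bit e is the
# coefficient of x^e), Rabin's irreducibility test (slide 31), the decomposition
# q(x) = alpha(x^v) + x^(n-phi) beta(x^-v) + x^n (slides 26 and 37) and the weight of
# the multiples (1 + x^(iv)) q(x) (slide 42).

E0_Q = (1 << 25) | (1 << 20) | (1 << 12) | (1 << 8) | 1         # slide 27 (E0)
Q19 = (1 << 19) | (1 << 13) | (1 << 9) | (1 << 4) | 1           # slide 38
# Constructed: degree 13, v = 4, same alternating shape as the degree-41 q of slide 42
Q13 = (1 << 13) | (1 << 9) | (1 << 8) | (1 << 5) | (1 << 4) | (1 << 1) | 1
X = 2                                                           # the polynomial x


def deg(p):
    return p.bit_length() - 1


def pmod(a, m):
    """Remainder of a modulo m over GF(2)."""
    dm = deg(m)
    while a and deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a


def pmulmod(a, b, m):
    """a * b mod m by shift-and-XOR, reducing after every shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = pmod(a << 1, m)
        b >>= 1
    return r


def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a


def x_pow_2k(k, f):
    """x^(2^k) mod f by k successive squarings."""
    r = pmod(X, f)
    for _ in range(k):
        r = pmulmod(r, r, f)
    return r


def prime_factors(n):
    out, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            out.add(p)
            n //= p
        p += 1
    if n > 1:
        out.add(n)
    return out


def rabin_irreducible(f):
    """Rabin's test with q = 2: gcd(f, x^(2^(n/p)) - x) = 1 for every prime p | n,
    and f divides x^(2^n) - x (i.e. x^(2^n) = x mod f)."""
    n = deg(f)
    if n < 1:
        return False
    for p in prime_factors(n):
        if pgcd(f, x_pow_2k(n // p, f) ^ X) != 1:
            return False
    return x_pow_2k(n, f) == pmod(X, f)


def windmill_split(q, v):
    """Exponent lists (alpha, phi, beta) with q(x) = alpha(x^v) + x^(n-phi) beta(x^-v) + x^n.
    phi = 0 is the original windmill form, where beta(0) = 1 supplies the x^n term.
    Returns None when the exponents of q do not fit that shape."""
    n = deg(q)
    exps = [e for e in range(n + 1) if q >> e & 1]
    alpha = [e // v for e in exps if e % v == 0 and e < n]
    rest = [e for e in exps if e % v != 0 and e != n]
    if not rest:
        return alpha, 0, [0]
    phis = {(n - e) % v for e in rest}
    if len(phis) != 1:
        return None
    phi = phis.pop()
    beta = sorted((n - phi - e) // v for e in rest)
    return alpha, phi, ([0] + beta if phi == 0 else beta)


def lowest_weight_multiple(q, v, imax):
    """(i, weight) of the lightest multiple (1 + x^(iv)) q(x) for 1 <= i <= imax."""
    weight, i = min((bin(q ^ (q << (i * v))).count("1"), i) for i in range(1, imax + 1))
    return i, weight


if __name__ == "__main__":
    for name, q in (("E0", E0_Q), ("Q19", Q19), ("Q13", Q13)):
        print(name, rabin_irreducible(q), windmill_split(q, 4), lowest_weight_multiple(q, 4, 8))
```

For `Q13` the multiple with i = 1 telescopes to weight 4, the same effect as on slide 42, while for the E0 polynomial the lightest of the first eight such multiples has weight 6.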
Slide 43: Conclusions. Universal? Theorem: let q be a prime number of maximal order such that $q = \alpha + 2^{n-\varphi}\beta + 2^n$, with $\alpha = \sum \alpha_i 2^{iv}$, $\alpha_0 = 1$ and $\beta = \sum \beta_i 2^{iv}$; then q is the connection integer of an (n, v, σ, l, φ)-watermill generator. NLFSRs? Coming soon in [reference not legible]. A first paper submitted to IEEE TC.

Slide 44 (backup): [Figure: the four vanes of slide 28 again, with outputs $s_4^0, s_4^1, s_4^2, s_4^3$.] B. $f(x) = x^{25} + x^{17} + x^{13} + x^5 + 1$.
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationIntroduction to Modern Cryptography Lecture 4
Introduction to Modern Cryptography Lecture 4 November 22, 2016 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationMath 201C Homework. Edward Burkard. g 1 (u) v + f 2(u) g 2 (u) v2 + + f n(u) a 2,k u k v a 1,k u k v + k=0. k=0 d
Math 201C Homework Edward Burkard 5.1. Field Extensions. 5. Fields and Galois Theory Exercise 5.1.7. If v is algebraic over K(u) for some u F and v is transcendental over K, then u is algebraic over K(v).
More informationTopics on Register Synthesis Problems
University of Kentucky UKnowledge Theses and Dissertations--Computer Science Computer Science 2016 Topics on Register Synthesis Problems Weihua Liu University of Kentucky, liuweihua817@gmail.com Digital
More informationA new approach for FCSRs
A new approach for FCSRs François Arnault 1, Thierry Berger 1, Cédric Lauradoux 2, Marine Minier 3 and Benjamin Pousse 1 1 XLIM (UMR CNRS 6172), Université de Limoges 23 avenue Albert Thomas, F-87060 Limoges
More informationChapter 6 Reed-Solomon Codes. 6.1 Finite Field Algebra 6.2 Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding
Chapter 6 Reed-Solomon Codes 6. Finite Field Algebra 6. Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding 6. Finite Field Algebra Nonbinary codes: message and codeword symbols
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationFeedback with Carry Shift Registers over Finite Fields (Extended Abstract)
Feedback with Carry Shift Registers over Finite Fields (Extended Abstract) Andrew Klapper* Dept. of Computer Science 763H Anderson Hall University of Kentucky, Lexington KY 40506-0046 USA klapper@cs.uky.edu.
More informationNonlinear Equivalence of Stream Ciphers
Sondre Rønjom 1 and Carlos Cid 2 1 Crypto Technology Group, Norwegian National Security Authority, Bærum, Norway 2 Information Security Group, Royal Holloway, University of London Egham, United Kingdom
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationEECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs)
EECS150 - igital esign Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Nov 21, 2002 John Wawrzynek Fall 2002 EECS150 Lec26-ECC Page 1 Outline Error detection using parity Hamming
More informationChosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers Simon Fischer 1, Shahram Khazaei 2, and Willi Meier 1 1 FHNW and 2 EPFL (Switzerland) AfricaCrypt 2008, Casablanca - June 11-14
More informationAttacks against Filter Generators Exploiting Monomial Mappings
Attacks against Filter Generators Exploiting Monomial Mappings Anne Canteaut and Yann Rotella Inria, Paris, France Anne.Canteaut@inria.fr, Yann.Rotella@inria.fr Abstract. Filter generators are vulnerable
More information4.3 General attacks on LFSR based stream ciphers
67 4.3 General attacks on LFSR based stream ciphers Recalling our initial discussion on possible attack scenarios, we now assume that z = z 1,z 2,...,z N is a known keystream sequence from a generator
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationFast correlation attacks on certain stream ciphers
FSE 2011, February 14-16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast
More informationFinite Fields. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
1 / 25 Finite Fields Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay September 25, 2014 2 / 25 Fields Definition A set F together
More informationImproved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5
Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5 Anne Canteaut 1 and Michaël Trabbia 1,2 1 INRIA projet CODES B.P. 105 78153 Le Chesnay Cedex - France Anne.Canteaut@inria.fr
More informationPREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS
PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS JAIME GUTIERREZ, ÁLVAR IBEAS, DOMINGO GÓMEZ-PEREZ, AND IGOR E. SHPARLINSKI Abstract. We study the security of the linear generator
More information