Linear Feedback Shift Registers

Similar documents
Sequences, DFT and Resistance against Fast Algebraic Attacks

x n k m(x) ) Codewords can be characterized by (and errors detected by): c(x) mod g(x) = 0 c(x)h(x) = 0 mod (x n 1)

MTH310 EXAM 2 REVIEW

4.3 General attacks on LFSR based stream ciphers

The Adjacency Graphs of Linear Feedback Shift Registers with Primitive-like Characteristic Polynomials

Cyclic codes: overview

Polynomials. Chapter 4

STREAM CIPHER. Chapter - 3

De Bruijn Sequences from Nonlinear Feedback Shift Registers

g(x) = 1 1 x = 1 + x + x2 + x 3 + is not a polynomial, since it doesn t have finite degree. g(x) is an example of a power series.

On The Nonlinearity of Maximum-length NFSR Feedbacks

Appendix A. Pseudo-random Sequence (Number) Generators

Linear Cyclic Codes. Polynomial Word 1 + x + x x 4 + x 5 + x x + x

LECTURE NOTES IN CRYPTOGRAPHY

Block vs. Stream cipher

Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

1 Introduction. 2 Calculation of the output signal

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

EE512: Error Control Coding

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs

Least Period of Linear Recurring Sequences over a Finite Field

Searching for Nonlinear Feedback Shift Registers with Parallel Computing

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Nonlinear feedback shift registers and generating of binary de Bruijn sequences

Cryptography Lecture 3. Pseudorandom generators LFSRs

Linear Cellular Automata as Discrete Models for Generating Cryptographic Sequences

Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations

How does the computer generate observations from various distributions specified after input analysis?

Nonlinear Equivalence of Stream Ciphers

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

Stream Cipher Design based on Jumping Finite State Machines

New Implementations of the WG Stream Cipher

Generator Matrix. Theorem 6: If the generator polynomial g(x) of C has degree n-k then C is an [n,k]-cyclic code. If g(x) = a 0. a 1 a n k 1.

Notes 4: Stream ciphers, continued. Recall from the last part the definition of a stream cipher:

ERROR CORRECTING CODES

Cryptography and Shift Registers

Linear Cyclic Codes. Polynomial Word 1 + x + x x 4 + x 5 + x x + x f(x) = q(x)h(x) + r(x),

CRC Press has granted the following specific permissions for the electronic version of this book:

Introduction to Modern Cryptography Lecture 4

COMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162

Clock-Controlled Shift Registers for Key-Stream Generation

U + V = (U V ) (V U), UV = U V.

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Binary Primitive BCH Codes. Decoding of the BCH Codes. Implementation of Galois Field Arithmetic. Implementation of Error Correction

Public Key Encryption

ECEN 604: Channel Coding for Communications

Design of Pseudo-Random Spreading Sequences for CDMA Systems

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Rings. EE 387, Notes 7, Handout #10

1 Cryptographic hash functions

Mathematical Foundations of Cryptography

Math 547, Exam 2 Information.

Fault Tolerance & Reliability CDA Chapter 2 Cyclic Polynomial Codes

A new simple technique to attack filter generators and related ciphers

ALG 4.0 Number Theory Algorithms:

Stream Ciphers: Cryptanalytic Techniques

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Nonlinear Shi, Registers: A Survey and Open Problems. Tor Helleseth University of Bergen NORWAY

IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography

Algebraic Aspects of Symmetric-key Cryptography

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Division of Trinomials by Pentanomials and Orthogonal Arrays

IEEE P1363 / D9 (Draft Version 9). Standard Specifications for Public Key Cryptography

Low Correlation Sequences for CDMA

Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek

MATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION

On Welch-Gong Transformation Sequence Generators

Thesis Research Notes

Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach

Section VI.33. Finite Fields

EE 229B ERROR CONTROL CODING Spring 2005

Computational and Statistical Learning Theory

Pseudo-Random Number Generators

Maximum Length Linear Feedback Shift Registers

Number Theory. Modular Arithmetic

Modified Alternating Step Generators

Lecture 10-11: General attacks on LFSR based stream ciphers

Finite Fields and Error-Correcting Codes

Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications

Outline. MSRI-UP 2009 Coding Theory Seminar, Week 2. The definition. Link to polynomials

Finite Fields. Mike Reiter

1 The Algebraic Normal Form

Part II. Number Theory. Year

On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator

Discrete Mathematics GCD, LCM, RSA Algorithm

Statistical Properties of the Arithmetic Correlation of Sequences. Mark Goresky School of Mathematics Institute for Advanced Study

Basic elements of number theory

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Basic elements of number theory

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

Affine equivalence in the AES round function

Objective: To become acquainted with the basic concepts of cyclic codes and some aspects of encoder implementations for them.

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

1 Cryptographic hash functions

Section 33 Finite fields

PETERSON'S TABLE OF IRREDUCIBLE POLYNOMIALS OVER GF(2)

Mathematics for Cryptography

7.1 Definitions and Generator Polynomials

CHAPTER 10: POLYNOMIALS (DRAFT)

Transcription:

Linear Feedback Shift Registers

Pseudo-Random Sequences A pseudo-random sequence is a periodic sequence of numbers with a very long period. Golomb's Principles G1: The # of zeros and ones should be as equal as possible per period. G2: Half the runs in a period have length 1, one-quarter have length 2,..., 1/2 i have length i. Moreover, for any length, half the runs are blocks and the other half gaps. (A block is a subsequence of the form... 011110... and a gap is one of the form...10000001..., either type is called a run.) G3: The out-of-phase autocorrelation AC(k) is the same for all k. AC(k) = (Agreements - Disagreements)/p where we are comparing a sequence of period p and its shift by k places. The autocorrelation is out-of-phase if p does not divide k.

Pseudo-Random Sequences Furthermore, to be of practical use for cryptologists we would require: C1: The period should be very long (~ 10 50 at a minimum). C2: The sequence should be easy to generate (for fast encryption). C3: The cryptosystem based on the sequence should be cryptographically secure against chosen plaintext attack. (minimum level of security for modern cryptosystems)

Feedback Shift Registers (FSR's) The c i 's and s i 's are all 0 or 1. All arithmetic is binary. An FSR is linear if the function f is a linear function, i.e., n 1 f s = i=0 c i s i

LFSR's The output is determined by the initial values s 0, s 1,..., s n-1 and the linear recursion: which is equivalent to: n 1 s = k n i=0 c i s k i, k 0 n i=0 c i s k i = 0, k 0 if we define c n := 1.

LFSR's Example: n = 4 c 0 = c 2 = c 3 = 1, c 1 = 0 initial state 0,1,1,0 0 + 1 + 0 = 1 1 0 1 1 0 0 1 1 0 0 1 1 0 1 0 0 0 1 1 0

PN-sequences A sequence produced by a length n LFSR which has period 2 n -1 is called a PN-sequence (or a pseudo-noise sequence). We can characterize the LFSR's that produce PN-sequences. We define the characteristic polynomial of an LFSR as the polynomial, n f x = c c x c x 2 c x n 1 x n = 0 1 2 n 1 i=0 c i x i where c n = 1 by definition and c 0 = 1 by assumption.

Some Algebra Factoids Every polynomial f(x) with coefficients in GF(2) having f(0) = 1 divides x m + 1 for some m. The smallest m for which this is true is called the period of f(x). An irreducible (can not be factored) polynomial of degree n has a period which divides 2 n - 1. An irreducible polynomial of degree n with period 2 n - 1 is called a primitive polynomial. Theorem: A LFSR produces a PN-sequence if and only if its characteristic polynomial is a primitive polynomial.

Examples 1: The characteristic polynomial of our previous example of an LFSR with n = 4 is: f(x) = x 4 + x 3 +x 2 + 1 = (x+1)(x 3 + x + 1) and so is not irreducible and therefore not primitive. 2: f(x) = x 4 + x 3 + x 2 + x + 1 is an irreducible polynomial( no linear factors and remainder x + 1 when divided by x 2 + x + 1). However, x 5 + 1 = (x+1)f(x) and so it has period 5 and is not primitive. 3: f(x) = x 4 + x 3 + 1 is an irreducible polynomial over GF(2). To find its period, we have to determine the smallest m so that f(x) divides x m + 1. Clearly, m > 4 and the period divides 2 4-1 = 15, thus it must be either 5 or 15. By trying the possibilities we get x 5 + 1 = (x+1)(x 4 + x 3 + 1) + (x 3 + x) x 15 + 1 = (x 11 + x 10 + x 9 + x 8 + x 6 + x 4 + x 3 + 1)(x 4 + x 3 + 1) Thus, f(x) has period 15 and so, is a primitive polynomial.

Example The LFSR with characteristic polynomial f(x) =x 4 + x 3 + 1 is 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 Starting state 0 0 0 1

Ω(f) Let Ω(f) denote the set of all sequences that can be produced from an LFSR with characteristic polynomial f(x). Since each starting state produces a different (we are considering shifts as different) sequence, there are 2 n elements in Ω(f) since there are that many starting states. The sum of two sequences in Ω(f) is again in Ω(f) since the sum will satisfy the same recursion relationship (i.e., the sum corresponds to a different starting state). The reciprocal polynomial of f(x) of degree n, denoted f*(x) is: f*(x) = x n f(1/x) = c 0 x n + c 1 x n-1 +... + c n. Note that if f(x) = g(x)h(x) then f*(x) = g*(x) h*(x).

Form of Ω(f) Theorem: Ω(f) = {τ(x)/f*(x), where deg τ(x)< n }. Pf: We show that each element of Ω(f) can be uniquely expressed in the desired form, and the result will follow since there are exactly 2 n binary polynomials of degree < n. Let S(x) Ω(f), where S x = s i x i and f*(x) = c 0 x n +...+ c n. Then, S x f * x = k=0 n s k x k l=0 c n l x l n 1 j = j=0 l=0 = j=0 min j, n l=0 c n l s j l x j j n n = x j n i=0 c n l s j l x j n l=0 c i s j n i x j c n l s j l x j = x

Are PN-sequences psuedo-random? G1: Since every non-zero state appears once per period and the leftmost bit of the state is the next output value of the sequence, there are 2 n-1 1's and 2 n-1-1 0's in any period. G2: For k n - 2, a run of length k will occur in the sequence whenever the leftmost k +2 states are of the form 0111...110 or 100...001. Since all states occur, the number of each of these state sequences is 2 n-k-2. There is one state 011..11, and it is followed by state 11..11 since f is primitive f(1) = 1, and that state is followed by 11..110, thus there is no block of size n-1 and one block of size n. Similarly, there is no gap of size n and only one of size n- 1. We can therefore calculate the number of runs as n 2 2 2 k=1 2 n k 2 =2 2 2 n 2 1 = 2 n 1 and of these 1/2 k of them are of length k.

Are PN-sequences psuedo-random? G3: Let {s i } be a PN-sequence and {s i+k } be the same sequence shifted k places. The sum of these two sequences satisfies the same recursion relation as the both of them do and so is a PN-sequence as well. The number of agreements in the two sequences will be the number of 0's in the sum and the number of disagreements is the number of 1's in the sum. So by G1, AC k = 2n 1 1 2 n 1 for all 1 k < 2 n 1. 2 n 1 = 1 2 n 1 Thus we see that PN-sequences satisfy all of Golomb's conditions for pseudo-randomness.

Crypto Properties of LFSR's C1: One can obtain sufficiently large periods by taking n large enough. In fact, n = 166 will give a period of 2 166-1 > 10 50. C2:Being simple Boolean circuits, LFSR's are extremely easy to implement and are very fast. C3: Zilch. Given 2n consecutive bits of the sequence, s k, s k+1,..., s k+2n-1 (which can be obtained in a known plaintext attack) we can write down a system of n equations in the n unknowns c 0,..., c n-1 which is non-degenerate and so has a unique solution. This gives the characteristic polynomial and so the LFSR to the cryptanalyst.

Linear Equivalence Thus, linear feedback shift registers should not be used in cryptographic work (despite this, LFSR's are still the most commonly used technique). However, this argument does not apply to non-linear FSR's so we need to examine them next. An FSR with a possibly non-linear feedback function will still produce a periodic sequence (with a possible non-periodic beginning). If the period is p, then the LFSR with characteristic function 1 + x p and starting state equal to the period of the sequence, will produce the same sequence; possibly other LFSR's will also. Hence, the following definition makes sense. The linear equivalence of a periodic sequence S(x) is the length n of the smallest LFSR that can generate S(x).

More Theory Lemma 1 : Let h(x) and f(x) be the characteristic polynomials of an m-stage and respectively n-stage LFSR. Then Ω(h) is contained in Ω(f) iff h(x) f(x). Lemma 2: Let S(x) be in Ω(f) with S(x) = τ(x)/f*(x). Then there exists an h(x) with h(x) f(x) and h(x) f(x) with S(x) in Ω(h) iff gcd( τ(x), f*(x)) 1. Theorem: Let S(x) be the generating function of a periodic binary sequence with period p. Let S (p) (x) be the truncated polynomial of degree p-1. Then there exists a unique polynomial m(x) with a) S(x) Ω(m), and b) if S(x) Ω(h) then m(x) h(x).

Minimal Characteristic Polynomials m(x) is called the minimal characteristic polynomial of S(x), and m * 1 x p x = gcd S p x,1 x p Proof. Let S(x) Ω(m), but S(x) Ω(f) for any proper divisor f of m. We shall prove that m is unique. Note that S(x) = S (p) (x)/ (1 + x p ). Since S(x) Ω(m), we know that there exists a τ(x) with degree < degree of m, such that S(x) = τ(x)/m*(x). By Lemma 2, gcd (m*(x),τ(x)) = 1, so gcd m * x, S p x m * x 1 x p =1 gcd m * x 1 x p, S p x m * x =1 x p m * x gcd 1 x p, S p x =1 x p

Example Cor: The linear equivalence of S(x) with period p is the degree of m(x) ( = deg m*(x)) above. Consider the following non-linear feedback function (3-stage): f(s 0,s 1,s 2 ) = s 0 + s 1 + s 1 s 2 + 1. With starting state 1 0 1 we get the following sequence: The period 8 sequence produced has the generating polynomial: S (8) (x) = 1 + x 2 + x 6 + x 7. 1 0 1-0 1 0 1 1 0 0 0 0 0 0 1 0 0 1 0 0 1 1 0 1 1 1 0 1 1 0 1 1 0 1 1 Now gcd (S (8) (x), 1 + x 8 ) = 1 + x, so m*(x) = (1 + x) 7 = 1 + x + x 2 + x 3 + x 4 + x 5 + x 6 + x 7, and m(x) = m*(x). With starting state 1 0 1 0 0 0 1, this 7-stage LFSR produces the same sequence. The linear equivalence of our starting sequence is thus 7.

Non-Linear Functions We see that the use of non-linear functions does not gain any cryptographic security since we can always find a LFSR to give the same sequence. In an attempt to get this security, various means of combining the outputs of LFSR's in a non-linear way have been attempted. Clearly, sums, shifts and products of outputs don't work. Most of the information on these techniques is classified (so, someone does believe that the required security can be obtained this way). One such approach which is in the public domain is the multiplexing algorithm of Jennings.

Jennings' Multiplexing Algorithm Take an m-stage (the a i ) and an n-stage (the b j ) LFSR with primitive characteristic polynomials and non-zero starting states. Choose h min(m, log 2 n) entries from the set of subscripts {0, 1,..., m-1} and order them 0 i 1 < i 2 <...< i h < m. At time t, define h N t = j=1 a i j t 2 j 1 Let τ be any one-one mapping from {0,1,...,2 h -1} into {0,1,..., n-1}. Define the output u(t) of the multiplexed sequence to be: u t =b N t t

Jennings' Multiplexing Algorithm a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9... N(t) τ b 1 b 2 b 3 b 4 b 5 b 6... Thm: If (m,n) = 1 this multiplexed sequence has period (2 m -1)(2 n - 1). Thm: If (m,n) = 1 and h = m - 1, then the sequence has linear equivalence n(2 m - 1).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback