Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

Similar documents
Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

Characterization of 2 n -Periodic Binary Sequences with Fixed 2-error or 3-error Linear Complexity

2 n -Periodic Binary Sequences with Fixed k-error Linear Complexity for k = 2 or 3

On the k-error linear complexity for p n -periodic binary sequences via hypercube theory

Periodicity and Distribution Properties of Combined FCSR Sequences

4.3 General attacks on LFSR based stream ciphers

Berlekamp-Massey decoding of RS code

On the computation of the linear complexity and the k-error linear complexity of binary sequences with period a power of two

Lecture 10-11: General attacks on LFSR based stream ciphers

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

Design of Pseudo-Random Spreading Sequences for CDMA Systems

An algorithm for computing minimal bidirectional linear recurrence relations

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

ANALYSIS OF SECURITY MEASURES FOR SEQUENCES

Statistical Properties of the Arithmetic Correlation of Sequences. Mark Goresky School of Mathematics Institute for Advanced Study

Feedback with Carry Shift Registers over Finite Fields (Extended Abstract)

Algebraic Feedback Shift Registers Based on Function Fields

Modified Berlekamp-Massey algorithm for approximating the k-error linear complexity of binary sequences

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

On The Nonlinearity of Maximum-length NFSR Feedbacks

UNPREDICTABLE BINARY STRINGS

Some Results on the Arithmetic Correlation of Sequences

New Minimal Weight Representations for Left-to-Right Window Methods

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Fall 2017 November 10, Written Homework 5

Complexity measures for classes of sequences and cryptographic apllications

Homework #2 Solutions Due: September 5, for all n N n 3 = n2 (n + 1) 2 4

Computer Science A Cryptography and Data Security. Claude Crépeau

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS

Algebra for error control codes

Stream Ciphers: Cryptanalytic Techniques

Cryptography and Security Midterm Exam

Correcting Codes in Cryptography

Sums of Squares. Bianca Homberg and Minna Liu

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

High-Order Conversion From Boolean to Arithmetic Masking

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

Pseudorandom Sequences I: Linear Complexity and Related Measures

1-Resilient Boolean Function with Optimal Algebraic Immunity

Unpredictable Binary Strings

FIBONACCI NUMBERS AND DECIMATION OF BINARY SEQUENCES

Computer Science & Engineering 423/823 Design and Analysis of Algorithms

9 Knapsack Cryptography

download instant at

Reverse Berlekamp-Massey Decoding

A Characteristic Set Method for Equation Solving in F 2 and Applications in Cryptanalysis of Stream Ciphers 1

On the Number of Trace-One Elements in Polynomial Bases for F 2

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

Cryptanalysis of Achterbahn

Cryptography Lecture 3. Pseudorandom generators LFSRs

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Computer Science & Engineering 423/823 Design and Analysis of Algorithms

Analytic Number Theory Solutions

Chapter 6 Reed-Solomon Codes. 6.1 Finite Field Algebra 6.2 Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding

Combinatorics of p-ary Bent Functions

New Construction of Single Cycle T-function Families

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Thesis Research Notes

Constructing a Ternary FCSR with a Given Connection Integer

Visual Cryptography Schemes with Optimal Pixel Expansion

PUTNAM PROBLEMS SEQUENCES, SERIES AND RECURRENCES. Notes

Randomness and Complexity of Sequences over Finite Fields. Harald Niederreiter, FAMS. RICAM Linz and University of Salzburg (Austria)

ADVANCED CALCULUS - MTH433 LECTURE 4 - FINITE AND INFINITE SETS

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

Cellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi

Decoding Interleaved Gabidulin Codes using Alekhnovich s Algorithm 1

Division of Trinomials by Pentanomials and Orthogonal Arrays

On Welch-Gong Transformation Sequence Generators

How to write proofs - II

Consistent Fixed Points and Negative Gain

On the Linear Complexity of Legendre-Sidelnikov Sequences

CRC Press has granted the following specific permissions for the electronic version of this book:

Optimal XOR based (2,n)-Visual Cryptography Schemes

Public Key Encryption

Analysis of Modern Stream Ciphers

Mathematical Structures Combinations and Permutations

Antipodal Gray Codes

x n k m(x) ) Codewords can be characterized by (and errors detected by): c(x) mod g(x) = 0 c(x)h(x) = 0 mod (x n 1)

Computing the rank of configurations on Complete Graphs

Notes on Systems of Linear Congruences

Vector Space Basics. 1 Abstract Vector Spaces. 1. (commutativity of vector addition) u + v = v + u. 2. (associativity of vector addition)

15.1 Proof of the Cook-Levin Theorem: SAT is NP-complete

Remainders. We learned how to multiply and divide in elementary

arxiv: v2 [cs.ds] 17 Sep 2017

Generalized hyper-bent functions over GF(p)

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Introduction to Decision Sciences Lecture 10

Sequences, DFT and Resistance against Fast Algebraic Attacks

Lecture 10 - MAC s continued, hash & MAC

Standard forms for writing numbers

Pencils of Quadratic Forms over Finite Fields

Perfect Two-Fault Tolerant Search with Minimum Adaptiveness 1

Complex Numbers: Definition: A complex number is a number of the form: z = a + bi where a, b are real numbers and i is a symbol with the property: i

Solutions to Assignment 1

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Visual cryptography schemes with optimal pixel expansion

Breaking the F-FCSR-H Stream Cipher in Real Time

Transcription:

Counting Functions for the k-error inear Complexity of 2 n -Periodic Binary Sequences amakanth Kavuluru and Andrew Klapper Department of Computer Science, University of Kentucky, exington, KY 40506. Abstract inear complexity is an important measure of the cryptographic strength of key streams used in stream ciphers. The linear complexity of a sequence can decrease drastically when a few symbols are changed. Hence there has been considerable interest in the k-error linear complexity of sequences which measures this instability in linear complexity. For 2 n -periodic sequences it is known that minimum number of changes needed per period to lower the linear complexity is the same for sequences with fixed linear complexity. In this paper we derive an expression to enumerate all possible values for the k-error linear complexity of 2 n -periodic binary sequences with fixed linear complexity, when k equals the minimum number of changes needed to lower the linear complexity below. For a certain set of these values we derive the expression for the corresponding number of 2 n -periodic binary sequences with fixed linear complexity and k-error linear complexity when k equals the minimum number of changes needed to lower the linear complexity. 1 Introduction The linear complexity of a sequence is the length of the shortest linear feedback shift register (FS) that can generate the sequence. The FS that generates a given sequence can be determined using the Berlekamp-Massey algorithm using only the first 2 elements of the sequence, where is the linear complexity of the sequence. The typical assumption in the analysis of the security of stream ciphers is that the attacker has access to a part of the key stream and wants to use this to predict the remainder of the key stream. Thus the problem of designing a good stream cipher is reduced to the problem of designing a fast key stream generator whose output is hard to predict from a prefix of the the output. Hence for cryptographic purposes sequences with high linear complexity are essential as an adversary This paper is accepted to appear in the proceedings of the 15th annual workshop on Selected Areas in Cryptography (SAC 2008). This material is based upon work supported by the National Science Foundation under Grant No. CCF-0514660. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. 1

would then need large initial segments of the sequences to recover the FSs that generate them using the Berlekamp-Massey algorithm. A system is insecure if all but a few symbols of the key stream can be extracted. So for a cryptographically strong sequence, the linear complexity should not decrease drastically if a few symbols are changed. If it did, an attacker could modify the known prefix of the key stream and try to decrypt the result using the Berlekamp-Massey algorithm. If the resulting sequence differed from the actual key stream by only a few symbols, the attacker could extract most of the message. This observation gives rise to k-error linear complexity of sequences introduced in [10]. The k-error linear complexity of a periodic sequence is the smallest linear complexity achieved by making k or fewer changes per period. In addition to having large linear complexity, cryptographically strong sequences should, thus, also have large k-error linear complexity at least for small k. et S = (s 0,s 1,,s T 1 ) be a periodic binary sequence with period T. We associate the polynomial S(x) = s 0 + s 1 x + + s T 1 x T 1 and the corresponding T-tuple S (T) = (s 0,s 1,,s T 1 ) to S. The relationship between the linear complexity, denoted (S), of S and the associated polynomial S(x) is given by (S) = T deg(gcd(x T 1,S(x))). (1) et w H (S) denote the Hamming weight of the T-tuple S (T). For 0 k T, the k-error linear complexity of S, denoted k (S), is given by k (S) = min E (S + E), (2) where the minimum is over all T-periodic binary sequences E such that w H (E) k. Since we consider only 2 n -periodic sequences, we use T = 2 n and the observation x T 1 = x 2n 1 = (x 1) 2n (3) for the rest of the paper. et merr(s) denote the minimum value k such that the k-error linear complexity of a 2 n -periodic sequence S is strictly less than its linear complexity. That is merr(s) = min{k : k (S) < (S)}. (4) Kurosawa et al. [3] derived the formula for the exact value of merr(s). emma 1. For any nonzero 2 n -periodic sequence S, we have merr(s) = 2 w H(2 n (S)), where w H (j), 0 j 2 n 1, denotes the Hamming weight of the binary representation of j. The counting function of a sequence complexity measure gives the number of sequences with a given complexity measure value. ueppel [9] determined the counting function of linear complexity for 2 n -periodic binary sequences. Using equations (1) and (3) it is straightforward to obtain the number of 2 n -periodic binary sequences with fixed linear complexity. For the rest of the paper let N() and A() denote, respectively, the number of and the 2

set of 2 n -periodic binary sequences with given linear complexity, 0 2 n. ueppel [9] showed that N(0) = 1 and N() = 2 1 for 1 2 n. (5) Counting functions and expected values for linear complexity and k-error linear complexity were extensively explored by Meidl and Niederreiter [5, 6, 7]. ecently, using efficient algorithms to compute the linear complexity of p n periodic sequences over F p, Meidl [4] obtained the counting function and the expected value for the 1-error linear complexity of 2 n -periodic binary sequences. Meidl and Venkateswarlu [8] extended these results to p n - periodic sequences over F p. Fengxiang and Wenfeng [1] used Meidl s [4] approach of analyzing Games-Chan algorithm to obtain the counting functions and gave the exact expression for the expected value of the 2-error linear complexity of a random 2 n -periodic binary sequence with linear complexity 2 n 1. In this paper we perform a more rigorous analysis of Games-Chan algorithm to enumerate all the possible values of k-error linear complexity of sequences in A() for k = 2 w H(2 n ), that is when k is the minimum number of changes needed to lower the linear complexity below. For certain sets of these values, we also derive the corresponding number of sequences in A() whose k-error linear complexity equals the values in those sets. For the rest of the paper by k min () denote the minimum number of changes needed to lower the linear complexity of sequences in A(), that is k min () = 2 w H(2 n ). 2 Games-Chan Algorithm In this section we describe the Games-Chan algorithm and list some results using its analysis. By emma 1 for any 2 n -periodic sequence S with merr(s) = 2 m, m {0,,n}, the linear complexity (S) can be uniquely expressed as (S) = 2 n or (S) = 2 n m 2 n r i, where 0 < r 1 < < r m n. The Games-Chan algorithm [2] is a fast algorithm for computing the linear complexity of a 2 n -periodic binary sequence. For any S A() with period S (2n) = (s 0,,s 2 n 1), denote the left and right halves of S (2n) by S (2n 1 ) = (s 0,,s 2 n 1 1) and S (2n 1 ) = (s 2 n 1,,s 2 n 1). et S and S denote the 2 n 1 periodic sequences S = (s 0,,s 2 n 1 1) and S = (s 2 n 1,,s 2 n 1). (6) The Games-Chan algorithm can be described as in Figure 1. We make some observations and establish notation we use for the rest of the paper. We note that the for loop in the Games-Chan algorithm shown in Figure 1 is executed a total of n times to compute the linear complexity of any S A(). In the ith step, i = 0,,n 1, the algorithm computes the linear complexity of a 2 n i -periodic binary sequence. et ψ i (S), 3

Games Chan (S,n) begin := 0 for i := 0 to n 1 do if S = S then S := S else S := S + S := + 2 n i 1 fi od := + S 0 return end Figure 1: The Games-Chan Algorithm i = 0,,n 1, denote the first period of the 2 n i -periodic binary sequence considered in the ith step of the algorithm when run with input sequence S. et ψ i (S) and ψi (S) denote, respectively, the left and right halves of ψ i (S). et m i (S) denote the total value contributed to (S) in the algorithm during the execution from the 0-th step to the i-th step of the algorithm. For any two finite binary sequences, S and S, of same length let d H (S,S ) denote the Hamming distance between S and S. We slightly abuse the notation because we also use d H (S,S ) to denote the Hamming distance between the first periods of S,S A(). It is straightforward to derive the following lemma from the Games-Chan algorithm. emma 2. et S be a 2 n -periodic binary sequence. For any t integers r 1,,r t such that 0 < r 1 < r 2 < < r t n, we have if and only if ψ u 1 (S) = 2 n (2 n r 1 + 2 n r 2 + + 2 n rt ) (7) (S) = ψu 1 (S) exactly when u {r 1,,r t }. For any S A() where is as in equation (7), the following properties of vectors ψ l (S), 0 l n, are straightforward to obtain. P1: If l = r i 1, for some i {1,,t}, then w H (ψ l (S)) = 2 w H (ψ l+1 (S)). P2: For any l r i 1, for all i {1,,t}, we have w H (ψ l (S)) w H (ψ l+1 (S)). By P l, 0 l n, denote the number of distinct possibilities, over all sequences in A(), for the 2 n l -vector during the l-th step such that the 2 n l 1 -vector during the (l + 1)-th step is fixed. It is straightforward to get the following properties. 4

P3: If l = r i 1, for some i {1,,t}, then P l = 1. P4: For any l r i 1, for all i {1,,t}, we have P l = 2 2n l 1. We also use the following result in the next section. emma 3. et S A() with 0 represented as (S) = 2 n (2 n r 1 + 2 n r 2 + + 2 n rt ), (8) where 0 < r 1 < r 2 < < r t n. et S S be any other 2 n -periodic binary sequence such that m l 1 (S) = m l 1 (S ) for some l {1,,n}. If d H (ψ l (S),ψ l (S )) 0, then d H (S,S ) 2 b d H (ψ l (S),ψ l (S )), (9) where b, 1 b t, is the unique integer determined by the inequality r b l < r b+1 assuming r 0 = 0 and r t+1 = n + 1. Proof. Since m l 1 (S) = m l 1 (S ) and r b l < r b+1, from emma 2 during the first l 1 steps of the Games-Chan algorithm ψ u 1 (S) = ψu 1 (S) and ψu 1 (S ) = ψ u 1 (S ) if and only if u {r 1,,r b }. (10) The algorithm has a 2 n l -periodic sequence as input in the l-th step. So, let d H (ψ l (S),ψ l (S )) = g, for some 1 g 2 n l. (11) et p j, 0 p j 2 n l 1 1, j = 1,,g, be the positions where ψ l (S) and ψl (S) differ. If l r b > 0, for each p j, j = 1,,g, from equation (10) we have either or ψ l 1 (S) pj = ψ l 1 (S ) pj and ψ l 1 (S) pj +2 n l ψl 1 (S ) pj +2n l, (12) ψ l 1 (S) pj ψ l 1 (S ) pj and ψ l 1 (S) pj +2 = n l ψl 1 (S ) pj +2n l. (13) That is, for the g positions where ψ l (S) and ψ l (S ) differ, there are at least g positions where ψ l 1 (S) and ψ l 1 (S ) differ. Using a similar argument we see that d H (ψ l c (S),ψ l c (S )) g, 0 c l r b. (14) Equation (14) holds trivially if l = r b. We note that for each of S and S, the (r b 1)-th step has a 2 n r b+1 -periodic binary sequence whose left and right halves are equal and either half gets input to the r b -th step. Thus, from equation (14), we have d H (ψ r b 1 (S),ψ r b 1 (S )) 2g = 2 d H (ψ l (S),ψ l (S )). (15) Using equation (15), the lemma follows by induction on b. 5

3 Expression for k min ()-error inear Complexity In this section we analyze the structure of the Games-Chan algorithm to derive an expression to enumerate all possible values of k min ()-error linear complexity of sequences in A() in terms the coefficients in the binary expansion of 2 n. We handle the case when 1 < < 2 n as the results are simple when = 0 or 1 and as we already know the results when = 2 n [4]. We need the following generalization of [1, emma 2] whose proof is similar to that of emma 2 in [1]. emma 4. For any sequence S = (s 0,,s 2 n 1) A(), we have 2 n 2 n r, r = 1,,n, if and only if 2 r 1 i=0 s j+i 2 n r = 0 for j = 0,, 2 n r 1. We prove an auxiliary result that is used in the main result of this section. emma 5. et S A() with 1 < < 2 n. Consider the representation of as = 2 n (2 n r 1 + 2 n r 2 + + 2 n rt ), (16) where r 0 = 0 < r 1 < r 2 < < r t < n + 1 = r t+1 and 1 t n 1. et S be any 2 n -periodic binary sequence such that d H (S,S ) = k min () = 2 t and (S ) = 2 t(s). Define the two integers and l 1 = min{i : 0 i n 1 and m i (S ) m i (S)} (17) l 2 = min{i : 0 i n 1 and d H (ψ i (S),ψ i (S)) = 2 t j with r j i < r j+1 }. (18) Then we have l 1 = l 2. Proof. From emma 1 we know k min () = 2 t which implies (S ) < (S). We note that there exists at least one integer i, 0 i n 1, such that m i (S ) m i (S) since otherwise (S) = (S ). Hence the set on the right hand side of equation (17) is not empty. From the procedure of the Games-Chan algorithm and using the fact (S ) < (S) equation (17) implies ψ l 1 (S) ψ l 1 (S) and ψ l 1 (S ) = ψ l 1 (S ). (19) From equation (19) we get d H (ψ l 1 (S )) d H (ψ l 1 (S)). (20) et b be the unique integer determined by the inequality r b l 1 < r b+1. Since ψ rt 1 (S) = (S) and because the vectors considered during all the steps, except the last one, of the ψ rt 1 6

Games-Chan algorithm have nonzero Hamming weight, we have w H (ψ rt 1 (S)) 2. So using properties P1 and P2 we get w H (ψ l 1+1 (S)) 2 t b and thus d H (ψ l 1 (S)) 2 t b. (21) Now we show that d H (ψ l 1 (S)) = 2 t b. If not, we have d H (ψ l 1 (S)) > 2 t b by equation (21). By equation (20) this implies d H (ψ l 1 (S )) > 2 t b. (22) But from emma 3 we know d H (S,S ) 2 b d H (ψ l 1 (S )). Since d H (S,S ) = 2 t, this implies d H (ψ l 1 (S )) 2 t b. This contradicts the inequality in (22). Thus we have d H (ψ l 1 (S)) = 2 t b. (23) From equation (23) we know that the set on the right hand side of equation (18) is not empty and l 2 l 1. By a denote the unique integer determined by the inequality r a l 2 < r a+1. Because there are a steps before the l 2 -th step where the left and right halves are equal it is evident from equation (27) that altering ψ l 2 (S) such that ψ l 2 (S) = ψ l 2 (S) and propagating these changes to the 0-th step of the Games-Chan algorithm will require exactly 2 a 2 t a = 2 t changes in S (2n). But if l 2 < l 1, forcing ψ l 2 (S) = ψ l 2 (S) will result in a 2 n -periodic binary sequence S such that d H (S,S ) = 2 t and (S ) < (S ). This contradicts the fact that (S ) = 2 t(s). Thus we have l 2 = l 1. Theorem 6. et S A() with 1 < < 2 n. Consider the representation of as = 2 n (2 n r 1 + 2 n r 2 + + 2 n rt ), (24) where r 0 = 0 < r 1 < r 2 < < r t < n + 1 = r t+1 and 1 t n 1. Define the integer w = min{i : r i = n + i t, 1 i t + 1}. Then kmin ()(S) is 0 or is in one of the two forms or j 1 j,l,c := 2 n 2 n r i 2 n l + C, 1 j w 1, r j 1 l r j 2, and 1 C 2 n l 1 1, w 1 w,l,c := 2 n 2 n r i 2 n l + C, r w 1 l r w 3 and 1 C 2 n l 1 2 t w+1. (25) (26) Proof. From emma 1 and equation (24) merr(s) = k min () = 2 t. The sequences in A() whose 2 t -error linear complexity is 0 are those with exactly 2 t 1s per period. For any other sequence S in A() we show that the 2 t -error linear complexity is in one of the forms as stated in the theorem. 7

Define the integer l as in equation (18). That is l = min{i : 0 i n 1 and d H (ψ i (S),ψ i (S)) = 2 t j with r j i < r j+1 }. (27) We already know that the set on the right hand side of equation (27) is not empty due to the intermediate findings of emma 5. By b denote the unique integer determined by the inequality r b l < r b+1. From the proof of emma 5 we know that altering ψ l (S) such that ψ l (S) = ψl (S) and propagating these changes to the 0-th step of the Games-Chan algorithm will require exactly 2 t changes in S (2n). We also see that it is necessary to alter ψ l (S) so that ψ l (S) = ψl (S) to achieve the smallest linear complexity that can be obtained by making exactly 2 t errors in S (2n) since the remaining n l steps can only add a maximum of 2 n l 1 to the linear complexity of the modified sequence. Note that l r j 1, j = 1,,t, since ψ r j 1 (S) = ψ r j 1 (S), j = 1,,t. Next we show that l + 1 i n 1, w H (ψ i (S)) = 2 t j with r j i < r j+1. (28) If equation (28) does not hold, then let m be any integer such that l + 1 m n 1 and w H (ψ m (S)) 2 t a where a is uniquely determined by the inequality r a m < r a+1. Since ψ rt 1 (S) = ψ rt 1 (S), we have w H(ψ rt 1 (S)) 2. So using properties P1 and P2 we get w H (ψ m (S)) 2 t a. This implies w H (ψ m (S)) > 2 t a since we assumed w H (ψ m (S)) 2 t a. Again, using P1 and P2 we have w H (ψ l+1 (S)) > 2 a b 2 t a = 2 t b which contradicts the fact d H (ψ l (S),ψl (S)) = 2t b. Thus w H (ψ m (S)) = 2 t a and so equation (28) holds. To obtain the form of 2 t(s) we consider two cases based on the value of w. Case 1: w t First we show that n r i = t i for i = w,,t. From the definition of w in the theorem statement we have n r w = t w. et z, w < z t, be the smallest integer such that n r z t z. Since r i+1 < r i, i = 1,,t 1, using the definition of z we have n r z < t z. Using this we have n r t < n r t 1 < < n r t (t z) t z 1, which implies n r t (t z 1) (t z) = 1. This contradicts that fact that n r t 0 since 0 < r 1 < < r t n from the hypothesis. Thus we have n r i = t i for i = w,,t, which implies = 2 n (2 n r 1 + + 2 n r w 1 + 2 t w + 2 t w 1 + + 2 0 ). (29) From equations (24), (29) and emma 2 this means that the left and right halves are equal from the (r w 1)-th step to (n 1)-th step of the execution of the Games-Chan algorithm. Using the fact that n r w = t w, this implies that the 2 t w+1 -vector considered during the (r w 1)-th step ψ rw 1 (S) = (ψ rw 1 (S) 0,,ψ rw 1 (S) 2 t w+1 1) = (1,, 1) (30) is an all 1 vector. From the definition of w, equation (30) also implies that w H (ψ rw 2 (S)) = 2 t w+1. That is d H (ψ rw 3 (S),ψ rw 3 (S)) = 2 t w+1. (31) 8

By equation (31) and using the definition of l in equation (27) we have l r w 3. We consider two cases based on the value of l. Case 1a: r w 1 l r w 3 We first note that this case occurs only when the binary expansion of as in equation (24) satisfies r w 1 r w 3. Throughout this case we use the fact that n r w = t w. From the definition of l in equation (27) we have d H (ψ l (S),ψl (S)) = 2t w+1. We already know that making 2 t w+1 changes in ψ l (S) so that ψ l (S) = ψl (S) is necessary to achieve the the smallest linear complexity possible by making k min () = 2 t changes in S (2n). But we have to decide for each of the 2 t w+1 positions where ψ l (S) and ψl (S) differ, whether the change should be made in ψ l (S) or at the corresponding position in ψl (S). In this case there is a unique of making these 2 t w+1 changes so that the linear complexity of the 2 n l 1 -periodic binary sequence with period equal to either of the equal halves obtained by forcing ψ l (S) = ψl (S) is as small as possible. Next we describe a unique way of making these changes. et ψ l+1 (S ) = ψ l (S) = ψl (S) be the 2n l 1 -vector obtained after forcing ψ l (S) = ψl (S) such that the linear complexity of the 2 n l 1 -periodic binary sequence with period ψ l+1 (S ) is as small as possible. The left and right halves of the vectors considered are not equal from the r w 1 -th step to the (r w 2)-th step of the Games-Chan algorithm when executed with input sequence S. From equation (30) ψ rw 1 (S) is a 2 t w+1 -vector with all 1s. Hence for all v = r w 1,r w 1 + 1,,r w 2 due to the procedure of the Games-Chan algorithm we have 2 rw v 1 1 j=0 ψ v (S) i+j2 t w+1 = 1 for i = 0,, 2 t w+1 1. (32) et p i, 0 p i 2 n l 1 1, i = 0,, 2 t w+1 1, be the positions where ψ l (S) and ψl (S) differ. This means w H (ψ l+1 ) = 2 t w+1 with 1s at positions p i, i = 0,, 2 t w+1 1. As equation (32) is valid for v = l+1, this implies that the mapping p i p i mod 2 t w+1 is oneone and onto since otherwise w H (ψ rw 1 (S)) < 2 t w+1. Hence for each p i, i = 0,, 2 t w+1 1, only one of the choices, that is, changing ψ l (S) p i or ψ l (S) p i results in the 2 n l 1 -vector ψ l+1 (S ) that satisfies 2 rw l 2 1 j=0 ψ l+1 (S ) i+j2 t w+1 = 0 for i = 0,, 2 t w+1 1. (33) The contribution to (S) during the first l 1 steps of the algorithm is w 1 w 1 (2 n 1 + 2 n 2 + + 2 n l ) 2 n r i = 2 n 2 n l 2 n r i. Thus the 2 t -error linear complexity of S is of the form w 1 2 t(s) = 2 n 2 n l 2 n r i + C, (34) 9

where C is the linear complexity of the 2 n l 1 -periodic binary sequence with period ψ l+1 (S ). By equation (33) and emma 4 the value C in equation (34) satisfies C = ((ψ l+1 (S )) ) 2 n l 1 2 t w+1. (35) Also, ψ l+1 (S ) is not the all zero vector from the definition of l in equation (27), which implies C 1. Thus from equations (34) and (35) 2 t(s) is in the form w,l,c given in equation (26). Case 1b: r j 1 l r j 2, 1 j w 1 From the definition of l in equation (27) we have d H (ψ l (S),ψl (S)) = 2t j+1 Also, by equation (28) we have w H (ψ r j 1 (S)) = 2 t j+1. Since j w we have n r j > t j and so ψ r j 1 (S) is not an all 1 vector. More specifically if then G = {g : ψ r j 1 (S) g = 0,g = 0,, 2 n r j+1 1} Using a similar argument as that in Case 1a we have G = 2 n r j+1 2 t j+1. (36) j 1 2 t(s) = 2 n 2 n l 2 n r i + C, (37) where C is the linear complexity of the 2 n l 1 -periodic binary sequence with period ψ l+1 (S ), which is equal to either of the equal halves obtained by forcing ψ l (S) = ψl (S) such that the lowest possible linear complexity is achieved. The left and right halves of the vectors considered from the l-th step to the (r j 2)-th step are not equal. So by equation (36) due to the procedure of the Games-Chan algorithm we have and 2 r j l 1 1 f=0 2 r j l 1 1 f=0 ψ l (S) i+f2 n r j +1 = 0 for i G (38) ψ l (S) i+f2 n r j +1 = 1 for i {0,, 2 n r j+1 1} G. (39) et p i, 0 p i 2 n l 1 1, i = 0,, 2 t j+1 1, be the positions where ψ l (S) and ψl (S) differ. This means w H (ψ l+1 (S)) = 2 t j+1. By equations (38) and (39), this implies that the mapping p i p i mod 2 n rj+1 is one-one since otherwise w H (ψ rj 1 (S)) < 2 t j+1. We can see the mapping is not onto from equation (36). Also, each element in G does not occur as the inverse image of any element of the set {p i : i = 0,, 2 t j+1 }. We split the summation in equation (38) into two separate summations involving terms exclusively from ψ l (S) or 10

ψ l (S). For each i G we have Σ (l,i) = and Σ (l,i) = 2 r j l 2 1 f=0 2 r j l 2 1 f=0 ψ l (S) i+f2 n r j +1 ψ l (S) i+f2 n r j +1. (40) For each i G, from equations (38) and (40) we know that Σ (l,i) + Σ (l,i) = 0 which implies Σ (l,i) = Σ (l,i) = 0 or Σ (l,i) = Σ (l,i) = 1. Note that none of the terms involved in the summations of equation (38) can be altered when forcing ψ l (S) = ψl (S). Using these remarks we can see that by making appropriate changes at one of the positions p i or p i + 2 n l 1, for each i = 0,, 2 t j+1 in ψ l (S), we can only guarantee that w H (ψ l+1 (S )) is even by forcing ψ l (S) = ψl (S). Thus the value C in equation (37) satisfies 1 C 2 n l 1 1. Hence 2 t(s) is in the form j,l,c, 1 j w 1, as in equation (25). Case 2: w = t + 1 The proof in this case is similar to that for Case 1 and both forms in equations (25) and (26) are identical. This completes the proof of the theorem. 4 Counting Functions In this section we derive expressions for the number of sequences in A() with fixed k min ()- error linear complexity. We need some preliminary results to obtain the counting functions. Next we give a generalization of [1, emma 3] using a more straightforward approach. emma 7. et S A() such that 1 2 n 2 r, r = 1,,n 1. et S be a 2 n -periodic binary sequence corresponding to the polynomial S (x) = S(x) + g x it, t=0 where 0 g 2 r 1 and i t {0,, 2 n 1}, t = 0,,g. If the mapping i t i t mod 2 r is one-one, then we have (S ) > (S). Proof. Consider the two polynomials a(x) = g x it and a (x) = t=0 g x it mod 2r, (41) t=0 where the integers i t, t = 0,,g, are as given in the hypothesis. We have S (x) = S(x) + a(x). (42) 11

First we show that a(x) is not divisible by (1 + x) 2r. Since the mapping i t i t mod 2 r is one-one, the polynomial a (x) = g t=0 mod xit 2r is not equal to 0 and has degree less than r. Hence we have (1 + x) 2r a (x). (43) Any positive integer i can be uniquely represented as i = q 2 r + (i mod 2 r ) for some integer q. We have x i + x i mod 2r = x i mod 2r (1 + x q2r ) = x i mod 2r (1 + x q ) 2r. Thus x i + x i mod 2r is divisible by (1 + x) 2r. From equation (41), this implies (1 + x) 2r (a(x) + a (x)). (44) From equations (43) and (44) we know that a(x) is not divisible by (1 + x) 2r. Thus we have deg(gcd((1 + x) 2n,a(x))) 2 r 1. (45) Since S A(), we have S(x) = (1 +x) 2n b(x) for some polynomial b(x) F 2 [x] such that b(1) = 1. Since it is given that 2 n 2 r, we have From equations (42), (45), and (46) we have deg(gcd((1 + x) 2n,S(x))) = 2 n 2 r. (46) (S ) = 2 n deg(gcd(1 + x 2n,S (x))) = 2 n deg(gcd((1 + x) 2n,S(x) + a(x))) 2 n 2 r + 1 > (S). This completes the proof of the lemma. Theorem 8. et N kmin ()(C) be the number of sequences in A(), 1 < < 2 n, with fixed k min ()-error linear complexity C. et be represented as = 2 n (2 n r 1 + 2 n r 2 + + 2 n rt ), where r 0 = 0 < r 1 < r 2 < < r t < n + 1 = r t+1 and 1 t n 1. et j,l,c be defined as in equations (25) and (26) and let w = min{i : r i = n + i t, 1 i t + 1}. Then for 1 j w, if 1 C 2 n l 1 2 n r j+1 then N kmin ()=2 t( j,l,c) = 2 ρ(j,l,c), where j 1 ρ(j,l,c) = 2 n 2 n l 2 n r i + w j 1 i=0 (r w i r w i 1 1)2 t w+i+1 + (r j l 1)2 t j+1 + C 1. (47) Also, N kmin ()=2 t(0) = 2ρ(0), where ρ(0) = w 2 i=0 (r w i r w i 1 1)2 t w+i+1 + (r 1 1)2 t and N kmin ()=2 t(c) = 0 for all C not in the form j,l,c as in equations (25) and (26). 12

Proof. From equations (25) and (26) the k min ()-error linear complexity of S A() is of the form j 1 j,l,c = 2 n 2 n r i 2 n l + C for 1 j w (48) where r j 1 l r j 2 (For l = r w 2, there exist no positive values for C in equation (26) and hence no valid values for w,l,c ). We determine the counting function for the number of sequences in A() with k min ()-error linear complexity equal to each of the values j,l,c in equation (48) when 1 C 2 n l 1 2 n r j+1. From the definition of l in equation (27) and by equation (28), for any S A() if r j 1 l r j 2 we know We consider two cases based on the value of w. w H (ψ l+1 (S)) = w H (ψ r j 1 (S)) = 2 t j+1. (49) Case 1: w t From equation (30) for any S A() the 2 t w+1 -vector ψ rw 1 (S) is an all 1 vector. et D 1 (j,l,c) be the number of distinct 2 n l 1 -vectors ψ l+1 (S) over all S A() such that the 2 n rw+1 -vector ψ rw 1 (S) is an all 1 vector. To determine D 1 (j,l,c) we make the following observations. (i) By equation (28) it is evident that during the execution of Games-Chan algorithm form the l + 1-th step to the (n 1)-th step the Hamming weight of the vectors considered does not change between two consecutive steps except when going from the (r i 1)-th step to the r i -th step for i = j,,t. (ii) Using (i) the procedure of the Games-Chan algorithm also implies that over all sequences in A() for any integer a such that l + 1 a < r j or r i a < r i 1 for some i {j,,t}, the number of distinct vectors in the a-th step that result in a fixed vector v in the (a + 1)-th step is 2 w H(v). (iii) The definition of w implies n r w = t w. From these observations and by using property P1 recursively we obtain D 1 (j,l,c) = w j 1 i=0 (2 r w i r w i 1 1 ) 2t w+i+1 (2 r j l 2 ) 2t j+1. (50) ecall that ψ l+1 (S ) is the 2 n l 1 -vector obtained by forcing ψ l (S) = ψl (S) so that the least linear complexity is achieved by making k min () errors in S (2n). et D 2 (j,l,c), 1 C 2 n l 1 2 n rj+1, be the number of choices for ψ l+1 (S ) such that the linear complexity of the 2 n l 1 -periodic sequence with period ψ l+1 (S ) is C. By equation (5), we have D 2 (j,l,c) = 2 C 1 for 1 C 2 n l 1 2 n rj+1. (51) Over all S A(), for a fixed ψ l+1 (S) = v with w H (v) = 2 n rw+1 and for a fixed choice of ψ l+1 (S ) with ((ψ l+1 (S )) ) = C, the number of possibilities, denoted by D 3 (w,l,c), for ψ l (S) such that ψ l (S) + ψl (S) = v and d H(ψ l (S),ψ l+1 (S ) ψ l+1 (S )) = 2 n rw+1 is D 3 (w,l,c) = 2 2t j+1, (52) 13

where ψ l+1 (S ) ψ l+1 (S ) is the 2 n l -vector formed by concatenating two copies of ψ l+1 (S ). et p i, 0 p i 2 n l 1 1, i = 0,, 2 t j+1 1, be the positions where ψ l (S) and ψl (S) differ. From Cases 1a and 1b of the proof of Theorem 6 the mapping p i p i mod 2 n r j+1 is one-one. Using this mapping and the condition 1 C 2 n l 1 2 n r j+1, by emma 7 for fixed ψ l+1 (S) and ψ l+1 (S ) each of the 2 2t j+1 possibilities for ψ l (S) satisfies (ψ l (S)) > C and (ψ l (S)) > C. (53) By equations (50)-(53), using properties P3 and P4 recursively we obtain We have N 2 t( j,l,c ) = P 0 P 1 P l 1 D 1 (j,l,c)d 2 (j,l,c)d 3 (j,l,c). (54) j 1 P 0 P 1 P l 1 = (P ri 1 P ri 2)(P rj 1 P l 1 ) = ( j 1 ) 2 Pr i r i 1 1 z=1 2 n r i +z 2 Pl r j 1 1 z=0 2 n l+z. By equations (50)-(53) and (55) a straightforward algebraic simplification of the right hand side of equation (54) gives N 2 t( j,l,c ) = 2 ρ(j,l,c) with ρ(j,l,c) as in equation (47). We note that the condition in equation (53) is necessary to avoid double counting in determining the number of distinct possibilities for ψ l (S) over all S A() such that ψ l+1 (S) and ψ l+1 (S ) are fixed. Case 2: w = t + 1 In this case we note that the two possibilities for vectors in the (n 1)-th step of the Games- Chan algorithm are 01 and 10. Using this it can be shown that the expression for D 1 (j,l,c) in equation (50) holds for w = t + 1. The remaining details are similar to those in Case 1. To obtain N 2 t(0) we only have to count the number of S A() with w H (S) = 2 t. By equation (28) and property P1 the expression for N 2 t(0) follows using an argument similar to that for finding D 1 (j,l,c) as in equation (50). This completes the proof of the theorem. 5 Conclusion In this paper we studied the k-error linear complexity of 2 n -periodic binary sequences by performing a rigorous analysis of the Games-Chan algorithm. We derived an expression for all the possible values of k-error linear complexities of 2 n -periodic binary sequences with fixed linear complexity when k is the minimum number of changes needed to the lower the linear complexity. For certain sets of these values, we obtained the corresponding number of sequences with fixed linear complexity and k-error linear complexity. Our results further research in analyzing the stability of linear complexity of 2 n -periodic binary sequences. These results, however, have limited importance for practical cryptography in part due to the restriction to 2 n -periodic sequences. (55) 14

Acknowledgements The first author thanks Dr. Zongming Fei for providing office space and resources while researching for this paper. eferences [1] Z. Fengxiang and Q. Wenfeng. The 2-error linear complexity of 2 n -periodic binary sequences with linear complexity 2 n 1. Journal of Electronics (China), 24(3):390 395, 2007. [2]. A. Games and A. H. Chan. A fast algorithm for determining the complexity of a pseudo-random sequence with period 2 n. IEEE Trans. Inform. Theory, 29(1):144 146, 1983. [3] K. Kurosawa, F. Sato, T. Sakata, and W. Kishimoto. A relationship between linear complexity and k-error linear complexity. IEEE Trans. Inform. Theory, 46(2):694 698, 2000. [4] W. Meidl. On the stability of 2 n -periodic binary sequences. IEEE Trans. Inform. Theory, 51(3):1151 1155, 2005. [5] W. Meidl and H. Niederreiter. Counting functions and expected values for the k-error linear complexity. Finite Fields and Applications, 8:142 154, 2002. [6] W. Meidl and H. Niederreiter. inear complexity, k -error linear complexity, and the discrete fourier transform. J. Complexity, 18(1):87 103, 2002. [7] W. Meidl and H. Niederreiter. On the expected value of linear complexity and the k-error linear complexity of periodic sequences. IEEE Trans. Inform. Theory, 48(11):2817 2825, 2002. [8] W. Meidl and A. Venkateswarlu. emarks on the k-error linear complexity of p n -periodic sequences. Design, Codes and Cryptography, 42(2):181 193, 2007. [9]. A. ueppel. Analysis and Design of Stream Ciphers. Springer, 1986. [10] M. Stamp and C. F. Martin. An algorithm for the k-error linear complexity of binary sequences with period 2 n. IEEE Trans. Inform. Theory, 39(4):1398 1401, 1993. 15

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback