Sequences Linear Shift Registers and Stream Ciphers - PowerPoint PPT Presentation

1
Sequences, Linear Shift Registers and Stream Ciphers
  • Tor Helleseth
  • University of Bergen
  • Norway

2
Outline
  • - Motivation
  • - Linear Feedback Shift Registers (LFSR)
  • - Periodicity
  • - Complexity
  • - Nonlinear Feedback Shift Registers
  • - Applications to stream ciphers
  • - Nonlinear generators
  • - Filter generators
  • - Clock controlled generators

3
One-time-pad
[Figure: plaintext 100.. XOR key K (010...) gives ciphertext 110..; ciphertext 110.. XOR the same K gives back plaintext 100..]
  • Provably secure provided
  • - Key K is random
  • - Key K is as long as the message
  • - Key K is used only one time

4
Key generator
[Figure: keystream generator driven by the key K]
  • Requirements for a good keystream
  • Good randomness distribution
  • Long period
  • High complexity

5
Generation of Keystream
  • For a good system one needs
  • Linearity
  • - To control the period of the keystream
  • - To control the randomness of the keystream
  • Nonlinearity
  • - To control the complexity of the keystream
  • Combination of linearity and nonlinearity
  • - To also get good randomness and preserve the period and complexity

6
Synchronous stream cipher
  • Keystream is generated independent of the plaintext (and the ciphertext)
  • - Initial state $s_0$ (depends on key K)
  • - Next state function $s_i = f(s_{i-1}, K)$
  • - Keystream function $z_i = g(s_i, K)$
  • - Output function $c_i = h(z_i, m_i)$
  • (In an additive stream cipher $c_i = z_i + m_i \pmod 2$)
  • Needs synchronization between sender and receiver
  • No error propagation


7
Synchronous Stream Cipher
8
Self-Synchronous Stream Cipher
  • Keystream is generated from the key and a fixed number of previous ciphertext symbols
  • - Initial state $s_0$ (depends on key K)
  • - Next state function $s_i = f(c_{i-1}, c_{i-2}, \ldots, c_{i-T}, K)$
  • - Keystream function $z_i = g(s_i, K)$
  • - Output function $c_i = h(z_i, m_i)$
  • (In an additive stream cipher $c_i = z_i + m_i \pmod 2$)
  • Self synchronization
  • Limited error propagation


9
Difference Equation
  • $s_{t+3} = s_{t+1} + s_t \pmod 2$, $t = 0, 1, 2, \ldots$
  • $s_3 = s_1 + s_0$, $s_4 = s_2 + s_1$, ...
  • The initial values $s_0, s_1, s_2$ and the difference equation determine $(s_t)$
10
Example 1 - LFSR
  • $s_{t+3} = s_{t+1} + s_t$
  • Successive states $(s_t, s_{t+1}, s_{t+2})$ from the initial fill 001:

    001 → 010 → 101 → 011 → 111 → 110 → 100 → 001 → ...

  • The initial fill determines the sequence of states
  • Generates a periodic sequence 0010111...
  • Maximal period $2^3 - 1 = 7$
11
Example 2 - Cycle Structure
  • $s_{t+3} = s_{t+2} + s_{t+1} + s_t$
  • The eight states split into four cycles:

    001 → 011 → 110 → 100 → 001        Cycle (1100)
    010 → 101 → 010                    Cycle (01)
    111 → 111                          Cycle (1)
    000 → 000                          Cycle (0)
12
General Shiftregister
  • Linear recursion
  • $s_{t+n} + c_{n-1} s_{t+n-1} + \cdots + c_1 s_{t+1} + c_0 s_t = 0$ ($c_0 \ne 0$)
  • Characteristic polynomial
  • $x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0 = 0$

13
Some Characteristic Polynomials
$f(x) = x^3 + x + 1$
$f(x) = x^3 + x^2 + x + 1$
14
O(f) - Sequences Generated by f(x)
[Figure: shift register with cells $s_0, s_1, \ldots, s_{n-1}$ and feedback coefficients $c_0 = 1, \ldots, c_{n-1}$]
  • Characteristic polynomial
  • $f(x) = x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0$
  • The initial vector $(s_0, s_1, \ldots, s_{n-1})$ and $f(x)$ define a sequence
  • O(f) is the set of sequences generated by $f(x)$
  • $|O(f)| = 2^n$
  • O(f) is a vector space over $\{0, 1\}$

15
O(f) - $f(x) = x^3 + x + 1$
Sequences in O(f): 0000000, 0010111, 0101110, 1011100, 0111001, 1110010, 1100101, 1001011
  • Each initial state $(s_0, s_1, s_2)$ gives a sequence
  • Eight different initial states give eight different sequences
  • In this case all nonzero sequences are cyclic shifts of each other

16
G(x) - Generating Function of a Sequence
  • Given a sequence $s_0, s_1, s_2, \ldots$
  • Generating function
  • $G(x) = s_0 + s_1 x + s_2 x^2 + s_3 x^3 + \cdots = \sum_{i=0}^{\infty} s_i x^i$
  • First Fundamental Identity
  • - Let $(s_t)$ be a sequence in O(f)
  • - Then (due to the recursion most terms disappear)
  • $G(x) = \sigma^*(x) / f^*(x)$
  • where
  • $\sigma(x) = s_0 x^{n-1} + (s_1 + c_{n-1} s_0) x^{n-2} + (s_2 + c_{n-1} s_1 + c_{n-2} s_0) x^{n-3} + \cdots + (s_{n-1} + c_{n-1} s_{n-2} + \cdots + c_1 s_0)$
  • and $f^*(x) = x^n f(1/x)$ is the reciprocal polynomial of $f(x)$ (likewise $\sigma^*(x) = x^{n-1} \sigma(1/x)$ is the reciprocal of $\sigma(x)$)
17
Example First Fundamental Identity
  • (0010111) is generated by $f(x) = x^3 + x + 1$
  • Generating function
  • $G(x) = x^2 + x^4 + x^5 + x^6 + x^9 + x^{11} + x^{12} + x^{13} + x^{16} + \cdots$
  • What is $\sigma(x)$?
  • $\sigma(x) = s_0 x^{n-1} + (s_1 + c_{n-1} s_0) x^{n-2} + (s_2 + c_{n-1} s_1 + c_{n-2} s_0) x^{n-3} + \cdots + (s_{n-1} + c_{n-1} s_{n-2} + \cdots + c_1 s_0) = 1$
  • $G(x) = \sigma^*(x)/f^*(x) = x^2 / (x^3 + x^2 + 1)$
  • $= x^2 + x^4 + x^5 + x^6 + x^9 + x^{11} + x^{12} + x^{13} + x^{16} + \cdots$

18
G(x) When $(s_t)$ is Periodic
  • Let $(s_t)$ be periodic of period e
  • Generating function
  • $G(x) = (s_0 + s_1 x + \cdots + s_{e-1} x^{e-1})(1 + x^e + x^{2e} + x^{3e} + \cdots)$
  • $= (s_0 + s_1 x + s_2 x^2 + \cdots + s_{e-1} x^{e-1}) / (1 - x^e)$
  • $= s^*(x) / (1 - x^e)$
  • Combining with the first fundamental identity gives
  • $G(x) = s^*(x) / (1 - x^e) = \sigma^*(x) / f^*(x)$
  • Second Fundamental Identity
  • $(x^e - 1)\,\sigma(x) = s(x)\, f(x)$
  • where
  • - $(s_t)$ periodic of period e
  • - $\sigma(x) = s_0 x^{n-1} + (s_1 + c_{n-1} s_0) x^{n-2} + \cdots + (s_{n-1} + c_{n-1} s_{n-2} + \cdots + c_1 s_0)$
  • - $s(x) = s_0 x^{e-1} + s_1 x^{e-2} + \cdots + s_{e-1}$
  • - $f(x) = x^n + c_{n-1} x^{n-1} + \cdots + c_0$


19
Example Second Fundamental Identity
  • (0010111) is generated by $f(x) = x^3 + x + 1$
  • Generating function
  • - $s(x) = 1 + x + x^2 + x^4$
  • - $\sigma(x) = 1$
  • - $e = 7$
  • Second Fundamental Identity
  • $(x^e - 1)\,\sigma(x) = s(x)\, f(x)$
  • $(x^7 + 1) \cdot 1 = (1 + x + x^2 + x^4)(x^3 + x + 1)$


20
Period of f(x)
  • Definition
  • The period of the polynomial f(x) is the smallest integer e such that f(x) divides $x^e - 1$
  • Theorem
  • Let $(s_t)$ be a sequence in O(f); then
  • (i) $\mathrm{per}(s_t)$ divides $e = \mathrm{per}(f)$
  • (ii) There is at least one $(u_t)$ in O(f) with period $e = \mathrm{per}(f)$

21
Period of f(x) and Sequences in O(f)
  • Proof (i) Note that $f(x) F(x) = x^e - 1$ for some $F(x)$.
  • The first fundamental identity gives
  • $G(x) = \sigma^*(x) / f^*(x)$
  • $= \sigma^*(x) F^*(x) / (f^*(x) F^*(x))$
  • $= \sigma^*(x) F^*(x) / (1 - x^e)$
  • which implies that $(s_t)$ in O(f) repeats with period e (i.e., $e' \mid e$, where $e' = \mathrm{per}(s_t)$)
  • (ii) From the second fundamental identity
  • $(x^{e'} - 1)\,\sigma(x) = s(x)\, f(x)$
  • Select $\sigma(x) = 1$; then
  • $f(x) \mid x^{e'} - 1$
  • Hence $e \le e'$, and a sequence in O(f) with $\sigma(x) = 1$ has period e

22
Cycle structure of O(f) - f(x) irreducible
  • Theorem
  • Let $(s_t)$ be a nonzero sequence in O(f) where f(x) is irreducible. Then $\mathrm{per}(s_t) = \mathrm{per}(f) = e$
  • Proof
  • Note that $(x^{e'} - 1)\,\sigma(x) = s(x)\, f(x)$ (with $e' = \mathrm{per}(s_t)$) and f(x) is irreducible
  • Then, since $\gcd(f(x), \sigma(x)) = 1$,
  • $f(x) \mid x^{e'} - 1$
  • and therefore
  • $e \le e'$
  • Hence, from the previous theorem,
  • $e' = e$

23
Example $f(x) = x^6 + x^3 + 1$
  • Sequences in O(f), one period each:
  • 000001001
  • 000011011
  • 000101101
  • 001010011
  • 000111111
  • 001110111
  • 010101111
  • $f(x) = x^6 + x^3 + 1$
  • $x f(x) = x^7 + x^4 + x$
  • $x^2 f(x) = x^8 + x^5 + x^2$
  • $x^3 f(x) = x^9 + x^6 + x^3$, so $f(x) + x^3 f(x) = x^9 + 1$
  • $\mathrm{per}(f) = 9$

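The identities of slides 16 to 23 can be checked mechanically. The following Python code is an added example and not part of the slides: it stores polynomials over GF(2) as integers (bit i is the coefficient of x^i), computes σ(x) and s(x) exactly as slides 16 and 18 define them, finds per(f) as the smallest e with f(x) | x^e - 1 (slide 20), and tests the second fundamental identity on the examples of slides 19 and 26. All function names are this example's own; it assumes c_0 = 1, as the slides do.

```python
# Added example: GF(2)[x] arithmetic on Python ints, bit i = coefficient of x^i.
# x^3 + x + 1 is 0b1011, x^7 + 1 is (1 << 7) | 1.  All names are this example's own.

def gf2_mul(a, b):
    """Product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_divmod(a, b):
    """(quotient, remainder) of a divided by b over GF(2)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def poly_period(f, limit=1 << 16):
    """Smallest e >= 1 with f(x) | x^e - 1 (definition on slide 20), for f(0) = 1."""
    assert f & 1, "the recursion needs c_0 = 1"
    deg, r = f.bit_length() - 1, 1          # r = x^e mod f(x)
    for e in range(1, limit):
        r <<= 1                             # multiply by x ...
        if (r >> deg) & 1:
            r ^= f                          # ... and reduce modulo f(x)
        if r == 1:
            return e
    return None

def lfsr_sequence(f, init, count):
    """First `count` terms of the sequence in O(f) with initial state init:
    s_{t+n} = c_{n-1} s_{t+n-1} + ... + c_0 s_t over GF(2) (slide 12)."""
    n = f.bit_length() - 1
    s = list(init)
    while len(s) < count:
        s.append(sum(((f >> i) & 1) & s[-n + i] for i in range(n)) & 1)
    return s[:count]

def sequence_period(f, init):
    """per(s_t): the smallest divisor e' of per(f) with s_{t+e'} = s_t (slide 20 (i))."""
    e = poly_period(f)
    s = lfsr_sequence(f, init, 2 * e)
    return min(d for d in range(1, e + 1) if e % d == 0 and s[:e] == s[d:d + e])

def sigma_poly(f, init):
    """sigma(x) = s_0 x^{n-1} + (s_1 + c_{n-1} s_0) x^{n-2} + ... + (s_{n-1} + ... + c_1 s_0)
    from slide 16, for f(x) = x^n + c_{n-1} x^{n-1} + ... + c_0."""
    n = f.bit_length() - 1
    c = [(f >> i) & 1 for i in range(n)]
    v = 0
    for j in range(n):
        coef = init[j]
        for k in range(j):                  # add c_{n-(j-k)} s_k
            coef ^= c[n - (j - k)] & init[k]
        v |= coef << (n - 1 - j)
    return v

def s_poly(bits):
    """s(x) = s_0 x^{e-1} + s_1 x^{e-2} + ... + s_{e-1} for one period (slide 18)."""
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v

def second_identity(f, init):
    """Return (e, sigma, s, holds) for (x^e - 1) sigma(x) = s(x) f(x) (slide 18)."""
    e = sequence_period(f, init)
    sigma = sigma_poly(f, init)
    s = s_poly(lfsr_sequence(f, init, e))
    lhs = gf2_mul((1 << e) ^ 1, sigma)      # x^e - 1 = x^e + 1 over GF(2)
    rhs = gf2_mul(s, f)
    return e, sigma, s, lhs == rhs

if __name__ == "__main__":
    print(second_identity(0b1011, (0, 0, 1)))   # slide 19: e = 7, sigma = 1, s = 1+x+x^2+x^4
    print(poly_period(0b1001001))               # slide 23: x^6 + x^3 + 1 has period 9
```

poly_period walks x^e mod f(x) one multiplication at a time instead of building x^e - 1, so it costs one shift and one XOR per step; for the zero initial state sequence_period correctly returns 1.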
24
Classical Method
  • Linear recursion
  • $s_{t+n} + c_{n-1} s_{t+n-1} + \cdots + c_1 s_{t+1} + c_0 s_t = 0$ ($c_0 \ne 0$)
  • Characteristic polynomial
  • $x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0 = 0$
  • If all zeros of f(x) are simple, then
  • $s_t = \sum_i a_i \alpha_i^t$
  • where $\alpha_i$, $i = 1, 2, \ldots$, are the zeros of f(x)

25
Example
  • Recursion $s_{t+3} = s_{t+1} + s_t$
  • Characteristic polynomial $f(x) = x^3 + x + 1$
  • Let $\alpha^3 = \alpha + 1$; then, in the basis $1, \alpha, \alpha^2$:

    1    = 1 0 0
    α    = 0 1 0
    α^2  = 0 0 1
    α^3  = 1 1 0
    α^4  = 0 1 1
    α^5  = 1 1 1
    α^6  = 1 0 1

  • Zeros of f(x) are $\alpha, \alpha^2, \alpha^4$
  • Then
  • $s_t = \alpha^t + \alpha^{2t} + \alpha^{4t}$
  • $(s_t) = (1001011)$

26
Example - Cycle structure of divisors
  • $f(x) = x^4 + x^3 + x^2 + 1$
  • O(f) = {(0), (0010111), (1101000), (1)}
  • $g(x) = x^3 + x + 1$, O(g) = {(0), (0010111)}
27
Some properties
  1. $O(f) + O(g) = O(\mathrm{lcm}\{f, g\})$
  2. $O(f) \cap O(g) = O(\gcd\{f, g\})$

28
Determining cycle structure of O(f)
  • Let $f(x) = \prod_i f_i(x)^{k_i}$, $f_i(x)$ irreducible
  • To determine the cycle structure of O(f):
  • 1. Determine the cycle structure of $O(f_i(x)^{k_i})$ from the cycle structure (period) of $f_i(x)$
  • 2. Determine the cycle structure of O(gh) given the cycle structures of O(g) and O(h)

29
Cycle structure of $O(f^k)$, f irreducible
  • Theorem
  • Let f(x) be irreducible of degree n and period e
  • Determine $\lambda$ such that $2^\lambda < k \le 2^{\lambda+1}$
  • Then $O(f^k)$ contains the following number of sequences with the following periods
    (the column for k counts the sequences in $O(f^k) \setminus O(f^{2^\lambda})$, i.e. those of the period shown):

    k          0   1          2                4                  k
    Sequences  1   2^n - 1    2^{2n} - 2^n     2^{4n} - 2^{2n}    2^{kn} - 2^{2^λ n}
    Period     1   e          2e               4e                 2^{λ+1} e

30
Examples (I)
  • Example 1
  • $f(x) = x^2 + x + 1$, n = 2, e = 3
  • Sequences: 1, 3
  • Period: 1, 3
  • Cycles: 1, 1
  • O(f) = {(0), (011)}
  • Example 2
  • $f(x) = (x^2 + x + 1)^2$, n = 2, e = 3
  • Sequences: 1, 3, 12
  • Period: 1, 3, 6
  • Cycles: 1, 1, 2
  • O(f) = {(0), (011), (000101), (001111)}

31
Examples (II)
  • Example 3
  • $f(x) = (x + 1)^k$, n = 1, e = 1

    k              2   3   4   5    6    7    8     9
    New sequences  2   4   8   16   32   64   128   256
    Period         2   4   4   8    8    8    8     16
    Cycles         1   1   2   2    4    8    16    16

32
Structure of O(gh), gcd(g,h) = 1
  • Theorem
  • Let gcd(g,h) = 1. Then $O(gh) = O(g) \oplus O(h)$, i.e., any sequence in O(gh) can be uniquely written as a sum of a sequence in O(g) and one in O(h)
  • Proof
  • Since gcd(g,h) = 1, $O(g) \cap O(h) = O(\gcd\{g,h\}) = \{(0)\}$,
  • and the result follows since $O(g) + O(h) = O(\mathrm{lcm}\{g,h\}) = O(gh)$.

33
Period of sequences in O(gh), gcd(g,h) = 1
  • Theorem
  • Let gcd(g,h) = 1. Let $(u_t) \in O(g)$ and $(v_t) \in O(h)$. Then
  • $\mathrm{per}((u_t) + (v_t)) = \mathrm{lcm}\{\mathrm{per}(u_t), \mathrm{per}(v_t)\}$
  • Proof
  • Let $\tau$ be the smallest integer such that
  • $(u_{t+\tau}) + (v_{t+\tau}) = (u_t) + (v_t)$
  • Hence,
  • $(u_{t+\tau}) + (u_t) = (v_{t+\tau}) + (v_t) \in O(g) \cap O(h) = \{(0)\}$
  • Therefore,
  • $\mathrm{per}(u_t) \mid \tau$ and $\mathrm{per}(v_t) \mid \tau$
  • which implies
  • $\tau = \mathrm{lcm}(\mathrm{per}(u_t), \mathrm{per}(v_t))$

34
Cycle structure of O(gh), gcd(g,h) = 1
  • Let gcd(g,h) = 1; then $O(gh) = O(g) \oplus O(h)$
  • Let O(g) contain $d_1$ cycles of length $\lambda_1$, written $d_1(\lambda_1)$
  • Let O(h) contain $d_2$ cycles of length $\lambda_2$, written $d_2(\lambda_2)$
  • Combine by adding the corresponding sequences
  • Sequences: $d_1 \lambda_1 d_2 \lambda_2$
  • Period: $\mathrm{lcm}\{\lambda_1, \lambda_2\}$
  • Cycles: $d_1 d_2 (\lambda_1, \lambda_2)$, where $(\lambda_1, \lambda_2) = \gcd(\lambda_1, \lambda_2)$
  • Formally (the cycle structure is found by combining all cycles with these formulae)
  • $d_1(\lambda_1) \cdot d_2(\lambda_2) = d(\lambda)$
  • where
  • $d = d_1 d_2 (\lambda_1, \lambda_2)$
  • $\lambda = \mathrm{lcm}\{\lambda_1, \lambda_2\}$

35
Exercises
  • Exercise 1
  • Let $f(x) = (x^2 + x + 1)(x + 1)^2$
  • Determine the cycle structure of O(f)
  • Exercise 2
  • Let $f(x) = (x + 1)^2 (x^3 + x + 1)^3 (x^4 + x^3 + x^2 + x + 1)$
  • Determine the cycle structure of O(f)

36
Solution Exercise 1
  • Let $f(x) = (x^2 + x + 1)(x + 1)^2$
  • $g(x) = x^2 + x + 1$, O(g) = 1(1) + 1(3)
  • $h(x) = (x + 1)^2$, O(h) = 2(1) + 1(2)
  • The cycle structure of O(f) is
  • 2(1) + 1(2) + 2(3) + 1(6)
  • In fact, O(f) contains the cycles
  • (000111), (001), (011), (01), (1), (0)

37
Solution Exercise 2
  • Let $f(x) = x^{15} + x^{14} + x^{13} + x^9 + x^3 + 1$
  • $= (x + 1)^2 (x^3 + x + 1)^3 (x^4 + x^3 + x^2 + x + 1) = f_1(x)^2 f_2(x)^3 f_3(x)$
  • where
  • $f_1(x) = x + 1$, $O(f_1) = 2(1)$
  • $f_2(x) = x^3 + x + 1$, $O(f_2) = 1(1) + 1(7)$
  • $f_3(x) = x^4 + x^3 + x^2 + x + 1$, $O(f_3) = 1(1) + 3(5)$
  • The cycle structure is
  • $O(f_1^2) = 2(1) + 1(2)$
  • $O(f_2^3) = 1(1) + 1(7) + 4(14) + 16(28)$
  • $O(f_3) = 1(1) + 3(5)$
  • Combining gives the cycle structure of O(f)
  • 2(1) + 1(2) + 2(7) + 17(14) + 64(28) + 6(5) + 3(10) + 6(35) + 51(70) + 192(140)

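The cycle structures of slides 11, 15, 26, 36 and 37 can be obtained by brute force: enumerate all 2^n states, follow the state map, and count the cycles. The code below is an added example, not from the slides; it also implements the d1(λ1)·d2(λ2) combination rule of slide 34 and checks that combining the factors' structures gives the same answer as enumerating O(f) directly, reproducing the full solution of Exercise 2 (whose last term is 192 cycles of length 140, as 2^15 states require). Names are my own; polynomials are integers with bit i = c_i and the leading coefficient as the top bit.

```python
# Added example (not from the slides): brute-force cycle structure of O(f) and the
# combination rule d1(l1) * d2(l2) = d1 d2 gcd(l1,l2) (lcm(l1,l2)) of slide 34.
# Polynomials are ints with bit i = c_i (c_n = 1 is the top bit); names are my own.
from collections import Counter
from math import gcd

def next_state(f, state):
    """One clock of the register with characteristic polynomial f:
    (s_t, ..., s_{t+n-1}) -> (s_{t+1}, ..., s_{t+n}) with s_{t+n} = sum c_i s_{t+i}."""
    new = 0
    for i, bit in enumerate(state):
        new ^= ((f >> i) & 1) & bit
    return state[1:] + (new,)

def cycle_structure(f):
    """Counter {cycle length: number of cycles} over all 2^n states (slides 11, 15, 26).
    c_0 = 1 makes the state map a bijection, so every state lies on exactly one cycle."""
    assert f & 1, "c_0 must be 1"
    n = f.bit_length() - 1
    seen, cycles = set(), Counter()
    for start in range(1 << n):
        state = tuple((start >> i) & 1 for i in range(n))
        if state in seen:
            continue
        length, s = 0, state
        while s not in seen:               # walk until we are back at `state`
            seen.add(s)
            s, length = next_state(f, s), length + 1
        cycles[length] += 1
    return cycles

def combine(a, b):
    """Cycle structure of O(gh) from those of O(g) and O(h), gcd(g,h) = 1 (slide 34)."""
    out = Counter()
    for l1, d1 in a.items():
        for l2, d2 in b.items():
            g = gcd(l1, l2)
            out[l1 * l2 // g] += d1 * d2 * g
    return out

def as_notation(cycles):
    """Render a Counter in the slides' d(l) notation, e.g. '2(1) 1(2) 2(3) 1(6)'."""
    return " ".join(f"{d}({l})" for l, d in sorted(cycles.items()))

# Polynomials constructed from the slides' factorisations.
F_EX1 = 0b11011                 # x^4 + x^3 + x + 1 = (x^2 + x + 1)(x + 1)^2, slide 36
F_EX2 = 0b1110001000001001      # x^15 + x^14 + x^13 + x^9 + x^3 + 1, slide 37
F1_SQUARED = 0b101              # (x + 1)^2 = x^2 + 1
F2_CUBED = 0b1011100111         # (x^3 + x + 1)^3 = x^9 + x^7 + x^6 + x^5 + x^2 + x + 1
F3 = 0b11111                    # x^4 + x^3 + x^2 + x + 1

def solution_exercise_2():
    """Slide 37 both ways: directly from f, and by combining its three factors."""
    direct = cycle_structure(F_EX2)
    combined = combine(combine(cycle_structure(F1_SQUARED), cycle_structure(F2_CUBED)),
                       cycle_structure(F3))
    return direct, combined

if __name__ == "__main__":
    print(as_notation(cycle_structure(F_EX1)))        # 2(1) 1(2) 2(3) 1(6)
    direct, combined = solution_exercise_2()
    print(as_notation(direct), direct == combined)
```

Each state visited once keeps the enumeration at O(n·2^n), which is instant for the 15-bit register of Exercise 2; combine() is the slide's formula and is what you would use when 2^n is too large to walk.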
38
Maximal Sequences
  • The maximal period of a sequence generated by a polynomial f(x) of degree n is at most $2^n - 1$
  • f(x) is said to be primitive if f(x) is irreducible of degree n and period $2^n - 1$
  • Then f(x) generates a maximal sequence of period $2^n - 1$
  • Some primitive polynomials and m-sequences
  • - $f(x) = x^3 + x + 1$: (0010111)
  • - $f(x) = x^4 + x + 1$: (000100110101111)
  • - $f(x) = x^5 + x^2 + 1$: (0000100101100111110001101110101)

39
Correlation of Sequences
  • Let $(a_t)$ and $(b_t)$ be binary sequences of period $\lambda$
  • The crosscorrelation between $(a_t)$ and $(b_t)$ at shift $\tau$ is
  • $\theta_{a,b}(\tau) = \sum_{t=0}^{\lambda-1} (-1)^{a_{t+\tau} - b_t}$
  • The autocorrelation of $(a_t)$ at shift $\tau$ is
  • $\theta_{a,a}(\tau) = \sum_{t=0}^{\lambda-1} (-1)^{a_{t+\tau} - a_t}$
40
Two-level autocorrelation of m-sequences
  • Let $(s_t)$ be an m-sequence of period $\lambda = 2^n - 1$
  • Then the autocorrelation of the m-sequence is
  • $\theta_{s,s}(\tau) = 2^n - 1$ if $\tau \equiv 0 \pmod{2^n - 1}$
  • $\theta_{s,s}(\tau) = -1$ if $\tau \not\equiv 0 \pmod{2^n - 1}$
  • Proof. Let $\tau \not\equiv 0 \pmod{2^n - 1}$. Then
  • $\theta_{s,s}(\tau) = \sum_t (-1)^{s_{t+\tau} - s_t}$
  • $= \sum_t (-1)^{s_{t+\tau'}}$ (by the shift-and-add property of m-sequences, $s_{t+\tau} + s_t = s_{t+\tau'}$ for some $\tau'$)
  • $= -1$ (since the m-sequence is balanced)
41
Berlekamp-Massey algorithm
  • Can determine the minimum polynomial $f(x) = x^n + c_{n-1} x^{n-1} + \cdots + c_0$ of a sequence $(s_t)$ from 2n successive bits $s_0, s_1, \ldots, s_{2n-1}$
  • The recursion written as a linear system:

    (s_n, s_{n+1}, ..., s_{2n-1}) = (c_0, c_1, ..., c_{n-1}) ·
        [ s_0      s_1    ...  s_{n-1}  ]
        [ s_1      s_2    ...  s_n      ]
        [  ...                          ]
        [ s_{n-1}  s_n    ...  s_{2n-2} ]

  • The matrix has rank n if the minimum polynomial has degree n
  • There exists a very efficient algorithm due to Berlekamp and Massey to calculate $c_0, c_1, \ldots, c_{n-1}$ in $O(n^2)$ operations

42
Nonlinear Shiftregisters
  • Increases linear complexity of keystream
  • Difficult to predict the period
  • No general theory exists
  • Often one combines linear shiftregisters and
    nonlinear shiftregisters to control period and
    complexity

43
Golomb's Randomness Postulates
  • Run: consecutive 0s or 1s
  • Block: a run of 1s
  • Gap: a run of 0s
  • R1. The number of zeros and the number of ones differ by at most one during a period of the sequence.
  • R2. Half of the runs in a full cycle have length 1, 1/4 of all runs have length 2, 1/8 have length 3, etc., as long as the number of runs exceeds one. Moreover, for each of these lengths there are equally many gaps and blocks.
  • R3. The out-of-phase autocorrelation of the sequence always has the same value.
  • Note: m-sequences obey and are the model for these postulates

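As an added example (not from the slides), the code below generates the m-sequences listed on slide 38 and evaluates the three postulates of slide 43 and the autocorrelation function of slides 39 and 40 on them. Function names are my own.

```python
# Added example (not from the slides): Golomb's postulates R1-R3 (slide 43) and the
# autocorrelation of slides 39-40 evaluated on the m-sequences listed on slide 38.
from collections import Counter
from itertools import groupby

def m_sequence(taps, n, init=None):
    """One period (2^n - 1 bits) of s_{t+n} = sum_{i in taps} s_{t+i} over GF(2);
    taps are the exponents i < n with c_i = 1, e.g. x^4 + x + 1 -> taps (0, 1), n = 4."""
    s = list(init) if init else [0] * (n - 1) + [1]
    while len(s) < (1 << n) - 1:
        s.append(sum(s[-n + i] for i in taps) & 1)
    return s

def runs(period):
    """Runs of one period read cyclically: rotate to a run boundary, then group.
    Returns [(bit, length), ...]; runs of 1s are blocks, runs of 0s are gaps."""
    k = next(i for i in range(len(period)) if period[i] != period[i - 1])
    rotated = period[k:] + period[:k]
    return [(bit, len(list(g))) for bit, g in groupby(rotated)]

def autocorrelation(a, tau):
    """theta_{a,a}(tau) = sum_{t=0}^{lambda-1} (-1)^(a_{t+tau} - a_t) (slide 39)."""
    lam = len(a)
    return sum((-1) ** (a[(t + tau) % lam] ^ a[t]) for t in range(lam))

def golomb_check(period):
    """Evaluate R1-R3: (balanced, runs per length, runs per (bit, length), off-phase values)."""
    ones = sum(period)
    balanced = abs(ones - (len(period) - ones)) <= 1                  # R1
    per_length = Counter(length for _, length in runs(period))        # R2, first half
    gaps_vs_blocks = Counter(runs(period))                            # R2, second half
    offphase = {autocorrelation(period, tau) for tau in range(1, len(period))}  # R3
    return balanced, per_length, gaps_vs_blocks, offphase

if __name__ == "__main__":
    s15 = m_sequence((0, 1), 4)        # x^4 + x + 1, period 15
    print("".join(map(str, s15)), golomb_check(s15))
```

For the period-15 sequence the report shows 8 ones against 7 zeros, 8 runs of which 4 have length 1, 2 have length 2 and 1 has length 3 (each split evenly between gaps and blocks), and a single off-phase autocorrelation value of -1, which is the two-level property of slide 40.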
44
Nonlinear Shift Registers
  • A nonlinear recursion can be described using its truth table

    s0 s1 s2 | f(s0,s1,s2)
    0  0  0  | 0
    0  0  1  | 0
    0  1  0  | 0
    0  1  1  | 1
    1  0  0  | 1
    1  0  1  | 1
    1  1  0  | 1
    1  1  1  | 0

  • $f = s_0 + s_1 s_2$

45
Nonlinear Functions

    s0 s1 s2 | f(s0,s1,s2)
    0  0  0  | 1
    0  0  1  | 1
    0  1  0  | 0
    0  1  1  | 1
    1  0  0  | 0
    1  0  1  | 0
    1  1  0  | 1
    1  1  1  | 0

  • How to find $f(s_0, s_1, s_2)$ from a given truth table?
  • $f(s_0, s_1, s_2) = (1 + s_0)(1 + s_1)(1 + s_2)$
  • $+ (1 + s_0)(1 + s_1) s_2$
  • $+ (1 + s_0) s_1 s_2$
  • $+ s_0 s_1 (1 + s_2)$
  • $= 1 + s_0 + s_1 + s_1 s_2$
  • Boolean functions in n variables: $2^{2^n}$
  • Boolean linear functions in n variables: $2^n$

46
Table look up (Multiplexing)
Can construct complex cryptographic transformations by table look-up
(n = 3) F: $y_0 = (x_1 + 1)(x_2 + 1)(x_3 + 1)$, $y_1 = (x_1 + 1)(x_2 + 1) x_3$, ..., $y_7 = x_1 x_2 x_3$
47
Example - deBruijn Sequence
  • Let $f(s_0, s_1, s_2) = 1 + s_0 + s_1 + s_1 s_2$
[Figure: all eight states 110, 111, 101, 011, 010, 100, 001, 000 lie on a single cycle]
  • This gives a maximal sequence of length $2^n$ and is called a deBruijn sequence
  • The number of deBruijn sequences of period $2^n$ is $2^{2^{n-1} - n}$

48
Example Singular f
  • Let $f(s_0, s_1, s_2) = 1 + s_0 + s_1 + s_0 s_1 + s_0 s_2 + s_1 s_2$
[Figure: state graph on the states 001, 101, 000, 010, 111, 100, 110, 011 containing a branch point]
  • Contains a branch point, and such an f is called singular
  • f is nonsingular if and only if $f = s_0 + g(s_1, \ldots, s_{n-1})$

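The truth-table to ANF step of slide 45 and the de Bruijn versus singular distinction of slides 47 and 48 can both be done by small programs. The following is an added example, not from the slides: anf() is the Möbius transform over GF(2), analyse() walks the state graph and reports branch points and cycle lengths, and count_de_bruijn() checks the count 2^(2^(n-1)-n) from slide 47 by exhaustive search over all nonsingular feedbacks. Names and the tuple convention (s_0, ..., s_{n-1}) for states are my own.

```python
# Added example (not from the slides): ANF of a feedback function from its truth table
# (slide 45) and a state-graph walk that separates the de Bruijn feedback of slide 47
# from the singular feedback of slide 48.  States are tuples (s_0, ..., s_{n-1}).
from itertools import product

def anf(truth_table, n):
    """Monomials (tuples of variable indices) whose XOR equals f; () is the constant 1.
    Mobius transform: the coefficient of a monomial is the XOR of f over all inputs
    that are bitwise below it."""
    monomials = set()
    for mono in product((0, 1), repeat=n):
        coef = 0
        for x in product((0, 1), repeat=n):
            if all(xi <= mi for xi, mi in zip(x, mono)):
                coef ^= truth_table[x]
        if coef:
            monomials.add(tuple(i for i, m in enumerate(mono) if m))
    return monomials

def make_function(monomials):
    """Turn an ANF back into a callable f(state)."""
    def f(s):
        v = 0
        for mono in monomials:
            term = 1
            for i in mono:
                term &= s[i]
            v ^= term
        return v
    return f

def state_graph(f, n):
    """Successor of every state for the register s_{t+n} = f(s_t, ..., s_{t+n-1})."""
    return {s: s[1:] + (f(s),) for s in product((0, 1), repeat=n)}

def analyse(nxt):
    """(nonsingular, sorted cycle lengths).  A branch point (two states sharing a
    successor) means f is singular and some states lie on no cycle (slide 48)."""
    nonsingular = len(set(nxt.values())) == len(nxt)
    seen, lengths = set(), []
    for start in nxt:
        s = start
        for _ in range(len(nxt)):        # after 2^n steps we are certainly on a cycle
            s = nxt[s]
        if s in seen:
            continue
        length, cur = 1, nxt[s]
        seen.add(s)
        while cur != s:
            seen.add(cur)
            cur, length = nxt[cur], length + 1
        lengths.append(length)
    return nonsingular, sorted(lengths)

def count_de_bruijn(n):
    """Slide 47 gives 2^(2^(n-1) - n) de Bruijn sequences of period 2^n; count them by
    trying every nonsingular feedback f = s_0 + g(s_1, ..., s_{n-1})."""
    inputs = list(product((0, 1), repeat=n - 1))
    count = 0
    for bits in product((0, 1), repeat=len(inputs)):
        g = dict(zip(inputs, bits))
        _, lengths = analyse(state_graph(lambda s, g=g: s[0] ^ g[s[1:]], n))
        count += lengths == [1 << n]
    return count

# Truth tables constructed from the rows on slides 44 and 45.
SLIDE44 = {(0, 0, 0): 0, (0, 0, 1): 0, (0, 1, 0): 0, (0, 1, 1): 1,
           (1, 0, 0): 1, (1, 0, 1): 1, (1, 1, 0): 1, (1, 1, 1): 0}
SLIDE45 = {(0, 0, 0): 1, (0, 0, 1): 1, (0, 1, 0): 0, (0, 1, 1): 1,
           (1, 0, 0): 0, (1, 0, 1): 0, (1, 1, 0): 1, (1, 1, 1): 0}
SINGULAR = {(), (0,), (1,), (0, 1), (0, 2), (1, 2)}   # slide 48: 1+s0+s1+s0s1+s0s2+s1s2

if __name__ == "__main__":
    print(anf(SLIDE45, 3))                                        # {(), (0,), (1,), (1, 2)}
    print(analyse(state_graph(make_function(anf(SLIDE45, 3)), 3)))  # (True, [8])
    print(analyse(state_graph(make_function(SINGULAR), 3)))         # (False, [6])
```

For the singular feedback the walk finds one cycle of length 6 and two states (010 and 101) that feed into it but never return, which is exactly the branch-point picture of slide 48; the nonsingularity test is equivalent to the slide's criterion f = s_0 + g(s_1, ..., s_{n-1}).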
49
Multiplication of sequences
$(w_t) = (011010011001001010000)$
  • The product sequence has
  • - Period 21 = 3 x 7
  • - Linear complexity 6
  • Increases the linear complexity in an easy way (the product needs to be balanced)

50
Period of $(u_t v_t)$
  • Theorem
  • Let $\gcd(\mathrm{per}(u_t), \mathrm{per}(v_t)) = 1$; then
  • $\mathrm{per}(u_t v_t) = \mathrm{per}(u_t)\,\mathrm{per}(v_t)$
  • Proof
  • If $\mathrm{per}(u_t v_t) \ne \mathrm{per}(u_t)\,\mathrm{per}(v_t)$ then $\mathrm{per}(u_t v_t) = k \cdot \mathrm{per}(u_t)$ where $k < \mathrm{per}(v_t)$.
  • Decimating $(u_t v_t)$ by $e = \mathrm{per}(u_t)$ gives
  • $(u_0 v_0), (u_0 v_e), (u_0 v_{2e}), \ldots$
  • of period $k < \mathrm{per}(v_t)$. Since $\gcd(e, \mathrm{per}(v_t)) = 1$ this is a contradiction.

51
Linear Complexity of $(u_t v_t)$
  • Let $(u_t) \in O(f)$ and $(v_t) \in O(g)$
  • Let $(w_t) = (u_t v_t)$
  • $u_t = \sum_i a_i \alpha_i^t$ where $\alpha_i$ are the zeros of f(x)
  • $v_t = \sum_j b_j \beta_j^t$ where $\beta_j$ are the zeros of g(x)
  • Then
  • $w_t = \sum_{i,j} a_i b_j (\alpha_i \beta_j)^t$
  • If h(x) has all products $\alpha_i \beta_j$ as zeros
  • then $(w_t) \in O(h)$

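An added example, not from the slides: a Berlekamp-Massey implementation in the form used on slide 41 (recover the shortest recursion from the bits of a sequence), applied to the m-sequence 0010111 and to the product sequence of slides 49 to 51. The product sequence is rebuilt here as u_t v_t with (u_t) from x^2 + x + 1 and (v_t) from x^3 + x^2 + 1; that pairing is an assumption about which two registers the slide used, chosen because it reproduces the slide's 21 bits exactly. Function names are my own.

```python
# Added example (not from the slides): Berlekamp-Massey over GF(2) (slide 41) on the
# m-sequence 0010111 and on the product sequence of slides 49-51.

def berlekamp_massey(s):
    """Return (L, C): L is the linear complexity of s and C = [1, c_1, ..., c_L] the
    connection polynomial with s_j = c_1 s_{j-1} + ... + c_L s_{j-L} for j >= L."""
    N = len(s)
    C, B = [1] + [0] * N, [1] + [0] * N   # current polynomial, copy from last length change
    L, m = 0, -1                          # m = index where L last changed
    for n in range(N):
        d = s[n]                          # discrepancy: predicted bit XOR actual bit
        for i in range(1, L + 1):
            d ^= C[i] & s[n - i]
        if d:
            T = C[:]
            shift = n - m
            for i in range(N + 1 - shift):    # C(x) += x^shift * B(x)
                C[i + shift] ^= B[i]
            if 2 * L <= n:
                L, m, B = n + 1 - L, n, T
    return L, C[:L + 1]

def characteristic_exponents(C):
    """f(x) = x^L C(1/x) as a set of exponents: [1, 0, 1, 1] -> {3, 1, 0} = x^3 + x + 1."""
    L = len(C) - 1
    return {L - i for i, c in enumerate(C) if c}

def regenerate(C, seed, count):
    """Run the recursion found by Berlekamp-Massey from its first L bits."""
    L = len(C) - 1
    out = list(seed[:L])
    while len(out) < count:
        out.append(sum(C[i] & out[-i] for i in range(1, L + 1)) & 1)
    return out

def lfsr(taps, n, init, count):
    """count terms of s_{t+n} = sum_{i in taps} s_{t+i} over GF(2)."""
    s = list(init)
    while len(s) < count:
        s.append(sum(s[-n + i] for i in taps) & 1)
    return s

def product_sequence(count=42):
    """(w_t) = (u_t v_t) of slide 49: period lcm(3, 7) = 21, linear complexity 2 * 3 = 6
    (six distinct root products alpha_i beta_j, as slide 51 explains)."""
    u = lfsr((0, 1), 2, (0, 1), count)        # x^2 + x + 1, period 3
    v = lfsr((0, 2), 3, (1, 1, 1), count)     # x^3 + x^2 + 1, period 7
    return [a & b for a, b in zip(u, v)]

if __name__ == "__main__":
    w = product_sequence()
    print("".join(map(str, w[:21])), berlekamp_massey(w))
```

Two periods of the product sequence (42 bits) are more than the 2L = 12 bits the algorithm needs, so it returns L = 6; regenerate() confirms that the recursion it found reproduces all 42 bits, and the m-sequence case returns the characteristic polynomial x^3 + x + 1 of slide 38.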
52
Nonlinear Feed-Forward Register
[Figure: LFSR with feed-forward output $u_t = s_t s_{t+1} + s_{t+2} s_{t+3} + s_{t+4} s_{t+5}$]
  • Period 63
  • Linear complexity 21
  • Increases the linear complexity in an easy way

53
Properties of a Filter Generator
  • Let $(s_t)$ be an m-sequence of period $2^n - 1$
  • Let $u_t = s_{t+t_1} s_{t+t_2} \cdots s_{t+t_k}$
  • Then the linear complexity of $(u_t)$ is at most $\binom{n}{k}$
  • Let $z_t = \sum_{i=0}^{N} c_i\, s_{t+i}\, s_{t+i+d} \cdots s_{t+i+(k-1)d}$
  • Then the linear complexity of $(z_t)$ is bounded by an expression in $\binom{n}{k}$ and $N - 1$ when at least one $c_i$ is nonzero
54
Non-linear Combination Generator
  • $z = f(x_1, x_2, \ldots, x_n)$, a Boolean function

55
Linear Complexity
  • Let LFSR i generate an m-sequence of period $2^{L_i} - 1$
  • Let $\gcd(L_i, L_j) = 1$ for all $i \ne j$
  • Let $L_i \ge 2$ for all i
  • Let $f(x_1, \ldots, x_n) = \sum_I a_I X_I$ ($X_I = x_{i_1} \cdots x_{i_t}$)
  • Then the linear complexity is
  • $f(L_1, \ldots, L_n)$ (evaluated over the integers)

56
Geffe generator
[Figure: LFSR 1, LFSR 2 and LFSR 3 feeding the combining function]
  • Each LFSR generates an m-sequence of period $2^{n_i} - 1$, with $(n_i, n_j) = 1$
  • $z = f(x_1, x_2, x_3) = x_1 x_2 + x_2 x_3 + x_3$
  • $x_2 = 1 \Rightarrow f = x_1$
  • $x_2 = 0 \Rightarrow f = x_3$
  • Period $(2^{n_1} - 1)(2^{n_2} - 1)(2^{n_3} - 1)$
  • Linear complexity $n_1 n_2 + n_2 n_3 + n_3$

57
Correlation attack - Geffe generator
[Figure: LFSR 1, LFSR 2 and LFSR 3 feeding the combining function]
  • Correlation attack on the Geffe generator (NB! $\Pr(z = x_1) = 3/4$)
  • - Guess the initial state of LFSR 1
  • - Compare $x_1$ and z
  • - If agreement ≈ 3/4, the guess is likely to be correct
  • - If agreement ≈ 1/2, the guess is likely to be wrong

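An added example, not from the slides: the Geffe generator of slide 56 assembled from the three primitive polynomials of slide 38 (degrees 3, 4 and 5, pairwise coprime as slide 55 requires). It measures the period and counts, over one full period, how often z agrees with each component sequence; the 3/4 agreement with x_1 is the leak slide 57 refers to, and the design lesson is that a combining function must be correlation immune. Names, initial states and the choice of polynomials are my own.

```python
# Added example (not from the slides): Geffe generator from the primitive polynomials
# of slide 38, with the period of slide 56 and the correlation of slide 57 measured.

def lfsr(taps, n, init, count):
    """count terms of s_{t+n} = sum_{i in taps} s_{t+i} over GF(2)."""
    s = list(init)
    while len(s) < count:
        s.append(sum(s[-n + i] for i in taps) & 1)
    return s

def geffe(count):
    """z = x1 x2 + x2 x3 + x3, i.e. z = x1 when x2 = 1 and z = x3 when x2 = 0.
    Returns (z, x1, x2, x3) so the component sequences can be compared with z."""
    x1 = lfsr((0, 1), 3, (0, 0, 1), count)          # x^3 + x + 1, period 7
    x2 = lfsr((0, 1), 4, (0, 0, 0, 1), count)       # x^4 + x + 1, period 15
    x3 = lfsr((0, 2), 5, (0, 0, 0, 0, 1), count)    # x^5 + x^2 + 1, period 31
    z = [(a & b) ^ (b & c) ^ c for a, b, c in zip(x1, x2, x3)]
    return z, x1, x2, x3

def min_period(seq, window):
    """Smallest p > 0 with seq[t] == seq[t + p] for the first `window` positions."""
    head = seq[:window]
    return next(p for p in range(1, len(seq) - window + 1) if seq[p:p + window] == head)

def agreement(a, b):
    """Number of positions where the two sequences agree."""
    return sum(i == j for i, j in zip(a, b))

GEFFE_PERIOD = 7 * 15 * 31     # (2^3 - 1)(2^4 - 1)(2^5 - 1) = 3255, slide 56

def correlation_table():
    """Agreement fraction of z with each register over one period: close to 3/4 for
    x1 and x3 (x2 selects between them), close to 1/2 for x2."""
    z, x1, x2, x3 = geffe(GEFFE_PERIOD)
    return {name: agreement(z, x) / GEFFE_PERIOD
            for name, x in (("x1", x1), ("x2", x2), ("x3", x3))}

if __name__ == "__main__":
    z, *_ = geffe(2 * GEFFE_PERIOD)
    print(min_period(z, GEFFE_PERIOD), correlation_table())
```

Because 7, 15 and 31 are pairwise coprime, every combination of register phases occurs exactly once per period, so the agreement counts are exact rather than sampled: z agrees with x_1 whenever x_2 = 1 (8/15 of the time) and otherwise whenever x_1 = x_3, giving 2499/3255 ≈ 0.77.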
58
Cascade Coupling
  • Output sequence
  • $(a_t) = 0\,0\,1\,0\,0\,1\,0\,0\,1\,0 \ldots$
  • $c = a \cdot b$: $(c_t) = 0\,0\,b_0\,0\,0\,b_1\,0\,0\,b_2\,0 \ldots$
  • For two m-sequences $(a_t)$ and $(b_t)$ of period $2^m - 1$ the cascaded sequence has
  • - Period $(2^m - 1)^2$
  • - Linear complexity $m(2^m - 1)$
  • Randomness
  • - Probability of 1 is approximately 1/4
  • - Can get a probability 1/2 by adding suitable combinations
59
Shrinking Generator
  • Coppersmith, Krawczyk and Mansour, 1993
[Figure: LFSR R1 produces $a_i$ and LFSR R2 produces $b_i$ on a common clock; if $a_i = 1$ output $b_i$, if $a_i = 0$ discard $b_i$]
60
Properties
  • If $\gcd(L_1, L_2) = 1$, the period will be $(2^{L_2} - 1)\, 2^{L_1 - 1}$
  • The linear complexity L is bounded by
  • $L_2\, 2^{L_1 - 2} < L < L_2\, 2^{L_1 - 1}$
  • The statistical properties of the output sequence are almost uniform
  • The security level of the generator is approximately $2^{2L}$, i.e., selecting the lengths of R1 and R2 close to 64 gives 128 bits of security

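An added example, not from the slides: the shrinking generator of slide 59 with R1 = x^3 + x + 1 (L1 = 3) selecting bits of R2 = x^4 + x + 1 (L2 = 4), used to check the period formula of slide 60 for gcd(L1, L2) = 1 and the balance of the output. Register choices, initial states and names are my own.

```python
# Added example (not from the slides): shrinking generator (slide 59) and a check of
# the period (2^L2 - 1) 2^(L1 - 1) stated on slide 60, here 15 * 4 = 60.
from math import gcd

def lfsr(taps, n, init, count):
    """count terms of s_{t+n} = sum_{i in taps} s_{t+i} over GF(2)."""
    s = list(init)
    while len(s) < count:
        s.append(sum(s[-n + i] for i in taps) & 1)
    return s

def shrinking_generator(clocks):
    """Clock R1 and R2 together; keep b_i when a_i = 1 and discard it when a_i = 0."""
    a = lfsr((0, 1), 3, (0, 0, 1), clocks)            # R1 = x^3 + x + 1, period 7
    b = lfsr((0, 1), 4, (0, 0, 0, 1), clocks)         # R2 = x^4 + x + 1, period 15
    return [bi for ai, bi in zip(a, b) if ai == 1]

def min_period(seq, window):
    """Smallest p > 0 with seq[t] == seq[t + p] for the first `window` positions."""
    head = seq[:window]
    return next(p for p in range(1, len(seq) - window + 1) if seq[p:p + window] == head)

def expected_period(L1, L2):
    """Slide 60: (2^L2 - 1) 2^(L1 - 1), valid when gcd(L1, L2) = 1."""
    assert gcd(L1, L2) == 1
    return ((1 << L2) - 1) << (L1 - 1)

def analyse_output(periods=4):
    """Generate `periods` output periods; return (measured period, ones per period).
    Both registers return to their start every 7 * 15 = 105 clocks, and R1 emits
    4 ones per 7 clocks, so 105 clocks yield exactly 60 output bits."""
    out = shrinking_generator(7 * 15 * periods)
    p = min_period(out, len(out) // 2)
    return p, sum(out[:p])

if __name__ == "__main__":
    print(expected_period(3, 4), analyse_output())
```

The measured period equals the slide's formula, and each period carries 32 ones against 28 zeros: over the 105 clocks each (phase of R1, phase of R2) pair occurs once, so the selected bits are the 4 × 8 ones and 4 × 7 zeros of R2, which is the "almost uniform" statistic of slide 60 rather than the 1/4 bias of the cascade on slide 58.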
61
From LFSR to stream cipher
  • Non-linear combining
  • Output from several LFSRs as input to a non-linear function
  • Non-linear filtering
  • Read the content of several cells in an LFSR with a non-linear function
  • Clock-controlled generator
  • Let an LFSR control the clocking of another LFSR that generates the key stream
  • Multiplexing
[Figure: LFSR1 and LFSR2 feeding a multiplexer that outputs the keystream bit $k_i$]