A THESIS
submitted by
S. ANAND
BONAFIDE CERTIFICATE
Certified that this thesis titled ‘SEARCH ALGORITHMS FOR FCSR AR-
TOR’ is the bonafide work of Mr. S. ANAND who carried out the research under
my supervision. Certified further that to the best of my knowledge the work reported
herein does not form part of any other thesis or dissertation on the basis of which a
degree or award was conferred on an earlier occasion on this or any other candidate.
ABSTRACT
design of stream ciphers. In the first part of this thesis, we propose efficient methods
to search for FCSR architectures of guaranteed period and 2-adic complexity. We de-
vise extended versions of these methods that yield architectures of guaranteed period
and 2-adic complexity, given additional design constraints such as a fixed number of
the basic FCSR architecture called the d-FCSR, and discuss the difficulty of finding
In the second part of the thesis, we study the problem of improving the com-
plexity of FCSR sequences by combining the outputs of two or more FCSRs nonlin-
early. We then prove results that establish the period and bounds on the complexity
of sequences obtained by combining the outputs of two 2-adic FCSRs using the XOR
function.
ACKNOWLEDGEMENTS
S. Anand
TABLE OF CONTENTS
ABSTRACT iii
1 INTRODUCTION 1
1.1 PSEUDORANDOM NUMBER GENERATORS 1
1.2 THE DESIGN OF STREAM CIPHERS 4
1.2.1 The requirements for a ‘good’ stream cipher 5
1.3 CONTRIBUTIONS OF THIS THESIS 7
LIST OF TABLES
LIST OF FIGURES
CHAPTER 1
INTRODUCTION
turies. The subject has a long and rich history with some of the landmark theoretical
contributions of the last century coming from von Mises, Wald, Church, Kolmogorov,
Chaitin, Schnorr and Rissanen. Later Blum, Micali and Yao laid the foundations of
the theory of pseudorandom sequences and effective information.
For practical purposes, we need some clear definition of randomness and here
we will follow the exposition of Golomb (1967). In some sense, there is no truly
random finite sequence. At best we can identify certain properties as being associated
with randomness, and accept sequences that have these properties as random. When
an ideal coin is tossed, we notice that:
2. Approximately one-half the runs have length 1, one-fourth have length 2, and
so on.
$$C(\tau) = \lim_{N\to\infty} \frac{1}{N} \sum_{n=1}^{N} a_n a_{n+\tau},$$
provided the limit exists. If $(a_n)$ is a periodic sequence with period $T$, this reduces to
$$C(\tau) = \frac{1}{T} \sum_{n=1}^{T} a_n a_{n+\tau}.$$
Here τ represents a ‘phase shift’ of the sequence and the autocorrelation is then a
measure of the similarity between the sequence and its phase shift.
R1: In every period, the number of +1s is nearly equal to the number of −1s. Thus $\left|\sum_{n=1}^{T} a_n\right| \le 1$.
R2: In every period, half the runs have length one, one-fourth have length
two, one-eighth have length three, etc., as long as the number of runs so
indicated exceeds 1. Moreover, for each of these lengths, there are equally
many runs of +1s and −1s.
These three conditions are independent of each other. Any sequence that satisfies
these conditions is called a pseudonoise sequence or PN sequence.
Stream ciphers are private-key encryption algorithms that operate on the plain-
text one bit at a time. They are extremely fast and easy to implement in both hardware
and software. In addition, they usually have very minimal memory and hardware re-
source requirements and therefore find applications in memory-constrained or area-
constrained devices such as smart cards, etc. Stream ciphers have been especially
popular in military communications since they offer a practical alternative to the one-
time pad, albeit without its absolute security guarantee. In this section we present a
general introduction to stream cipher design using the terminology of Beker and Piper
(1982).
[Figure: general model of a stream cipher system; labels: Key, Binary plaintext, Ciphertext, Interceptor (cryptanalyst).]
Conventional block encryption algorithms such as AES can also be used like a
stream cipher by running them in one of the so-called feedback modes, namely, output
feedback mode (OFB) and cipher feedback mode (CFB). However, an important point
of difference between block ciphers used in feedback mode and the stream ciphers is
that in the latter, there is no error propagation: any error in one of the ciphertext bits
does not affect subsequent ciphertext bits. In many applications, the propagation of
errors is undesirable and in such situations, stream ciphers are preferable to block
ciphers.
C1: The cryptanalyst has a complete knowledge of the cipher system, and
all the security lies in the key.
These assumptions may seem pessimistic but they are, at any rate, realistic and any
cipher system must be secure under these assumptions. Naturally, the terms ‘consid-
erable amount’ and ‘certain amount’ in the assumptions would need to be quantified
and their precise values would depend upon the system and the level of security de-
sired.
If we accept the assumptions C1–C3 above, then the requirements for stream
ciphers may be stated as:
A1: The number of choices for the key must be large enough that the
cryptanalyst cannot try them all.
A2: The infinite keystream must have a guaranteed minimum length for its
period. We then only encipher plaintexts that are shorter than this period.
Loosely, we may say that a ‘random’ sequence is one in which knowledge of a num-
ber of consecutive elements does not help anyone trying to predict the next one. Since
the keystream generator is a finite state machine, its output is periodic, and therefore
the keystream sequence cannot be truly random. Nevertheless, if the period is large
enough, we can obtain sequences that are effectively random in the sense implied by
Golomb’s postulates. In practice, the cryptographer hopes that the length of the se-
quence obtained by the cryptanalyst is small compared to the period of the keystream.
Therefore it is important that the keystream sequence not only appear random over
the entire period, but it should also have ‘good’ local randomness properties. Statisti-
cal tests for investigating local randomness properties of sequences are thus a useful
tool in stream cipher cryptography.
It is important to realise that the requirements such as long period, high non-
linearity and good statistical properties only offer the necessary conditions for a good
sequence. By no means do they guarantee a secure system. Further, the properties
stated are independent in the sense that no two of them guarantee another, and there-
fore, they must all be separately and carefully checked. In practice, it is seen that
many of the pseudorandom generators suffer from a number of statistical defects.
This motivates our development of search algorithms for generating FCSRs with pre-
scribed characteristics such as period and distribution properties.
Practically speaking, the steps involved in the design of a stream cipher may
be outlined roughly as follows:
(a) the designer specifies some performance parameters for the keystream se-
(b) a large number of architectures that meet the requirements in (a) are gener-
ated, and a battery of statistical tests are performed on these architectures
to find any statistical flaws in the generators.
(c) those architectures that pass all or most of the statistical tests are accepted
as potential architectures for the stream cipher.
In the next chapter, we look at a number of shift register architectures that have been
proposed recently, and we develop a common framework to analyse their output se-
quences. In particular, we describe a common generalisation of these generators,
namely, the FCSR, and show how the theory of the FCSR parallels that of the well-
known LFSR.
In the first part of this thesis, we propose efficient algorithms to search for
FCSR architectures given a set of constraints on the period, complexity, and distribu-
In the second part of this thesis we look at combiners using FCSRs as a prac-
tical method of meeting the requirements A3 and A4. We consider a combiner gen-
erator that use two 2-adic FCSRs as primitives and the bit-wise XOR operation as
the combining function. We study the periodicity, symmetric complementarity, and
bounds on the linear complexity and 2-adic complexity of FCSR XOR combiner gen-
erators. This forms our contribution towards step 2 in the stream cipher design pro-
cess.
CHAPTER 2
In Section 1.1 of this chapter we briefly describe some precursors of the FCSR
such as the lagged Fibonacci generator (LFG), the add-with-carry (AWC) genera-
tor and the linear feedback shift register (LFSR) generator using a formalism due to
Marsaglia. Section 1.2 contains the elements of the theory of 2-adic numbers that is
required for the study of FCSRs. We also survey some basic results in the theory of
2-adic FCSR sequences in Section 1.3. In Section 1.4 of this chapter, we present three
alternative but equivalent ways of describing LFSR and FCSR sequences. Finally, in
Section 1.5, we collect all useful results about FCSR sequences.
The pseudorandom number generators described in this thesis can all be de-
scribed by means of a function acting iteratively on a set. Let X be a finite set and a
feedback function f : X → X. For a given initial seed value x ∈ X, the pseudorandom
sequence is generated using the sequence
We will show how this simple mechanism can be used to describe the lagged
Fibonacci generator (LFG), the Marsaglia and Zaman addition with carry generator
(AWC), and the 2-adic FCSR in sections (2.1.1), (2.1.2) and (2.3), respectively.
[Figure: lagged Fibonacci generator with lags r and s.]
where r > s. When S is the set of integers modulo a power of 2 with the binary
operations + or − or ∗, the following result of Marsaglia and Tsay (1985) enables
us to compute the period of the sequence generated using equation (2.2). It is clear
that $x, f^0(x), f(x), f^2(x), f^3(x), \ldots$ is a sequence of vectors generated by the matrix
of integers representing $f$.
Theorem 2.1.1 Let $f$ be the $r \times r$ (companion) matrix of integers with odd determinant representing the feedback function. Let $S$ be the set of integers modulo $2^n$ and the binary operation be either + or −. In order that the sequence of vectors determined by $x, f^0(x), f(x), f^2(x), f^3(x), \ldots \pmod{2^n}$ have period $(2^r - 1)2^{n-1}$ for every $n \ge 1$ and every initial vector of integers $x$ not all even, it is necessary and sufficient that $f$ have order $j = 2^r - 1$ in the group of non-singular matrices mod 2, order $2j$ mod 4 and order $4j$ mod 8. If the $F(r, s, +)$ generator has maximal period $(2^r - 1)2^{n-1}$ for integers mod $2^n$, then the $F(r, s, *)$ generator on the set $S$ of odd integers mod $2^n$ has period $(2^r - 1)2^{n-3}$.
Among the lagged Fibonacci generators the ones using multiplication on odd integers modulo $2^{32}$ are the best. $F(r, s, +)$, $F(r, s, -)$ and $F(r, s, \oplus)$ do well on monkey tests. $F(r, s, \oplus)$ may fail for pairs $(r, s)$ such as (31, 13) or (17, 5) because of their inadequate period, in contrast to other lagged Fibonacci generators, which have periods about $2^{32+r}$ (Marsaglia 1984).
Marsaglia and Zaman (1991) proposed a new class of random number genera-
tors with enormous periods. They were broadly classified into add-with-carry (AWC)
and subtract-with-borrow (SWB) generators. Using the Marsaglia formalism, the
AWC generator can be easily described as follows.
[Figure: add-with-carry generator with lags r and s and the div b / mod b carry.]
Let $b, r, s \in \mathbb{Z}^+$ be positive integers where $b$ is the base, $r > s$, and $r$ and $s$ are the lags. Define $X = \{0, 1, \ldots, b-1\}^r \times \{0, 1\}$. Let $x = (x_1, x_2, \ldots, x_r, c) \in X$ be the seed vector, where $0 \le x_i < b$ and $c \in \{0, 1\}$ is the carry bit. Define the feedback function $f : X \to X$ as
$$f(x_1, x_2, \ldots, x_r, c) = \begin{cases} (x_2, x_3, \ldots, x_r,\; x_{r+1-s} + x_1 + c,\; 0) & \text{if } x_{r+1-s} + x_1 + c < b \\ (x_2, x_3, \ldots, x_r,\; x_{r+1-s} + x_1 + c - b,\; 1) & \text{if } x_{r+1-s} + x_1 + c \ge b \end{cases} \qquad (2.3)$$
Theorem 2.1.2 The sequence of digits formed by the AWC generator is, in reverse order, the same as the sequence of digits in the base-$b$ expansion of a fraction $\dfrac{k}{b^r + b^s - 1}$.
From this it is easy to see that the period of the sequence generated by equation (2.3) is the order of $b$ in the multiplicative group $\left(\mathbb{Z}/(b^r + b^s - 1)\mathbb{Z}\right)^*$ when $b^r + b^s - 1$ is a prime. When $b^r + b^s - 1$ is composite, let $\dfrac{k}{b^r + b^s - 1} = \dfrac{c}{d}$, where $(c, d) = 1$. Then the period of the sequence is the order of $b$ in the multiplicative group $\left(\mathbb{Z}/d\mathbb{Z}\right)^*$.
This means that for $b$ approximately $2^{32}$ and $r$ around 20, periods of $2^{640}$ are attainable using only $r$ memory locations and simple computer arithmetic. The other carry/borrow generators introduced by Marsaglia and Zaman are simply variations of the above function. The N-adic FCSR generalizes the AWC and the MWC generators.
Some of the statistical properties of the AWC and SWB generators were con-
sidered by Couture and L’Ecuyer (1994, 1997). One of their observations was that
the AWC generators failed the spectral test for some values of the lags. They are also
known to fail the birthday spacings test (Marsaglia 1993). The synthesis algorithm
for the AWC generator was given by Bach (1998). The approach is similar to the
synthesis of the 1/p generator given in Blum, Blum and Shub (1986).
Let $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$, be the taps and let $a = (a_0, a_1, \ldots, a_{r-1})$, where $a_i \in \{0, 1\}$, be the seed vector. Define $X = \{0, 1\}^r$. The feedback function $f : X \to X$ is
$$f(a_0, a_1, \ldots, a_{r-1}) = \Big(a_1, a_2, \ldots, a_{r-1}, \sum_{k=1}^{r} q_k a_{r-k}\Big). \qquad (2.4)$$
During each iteration the register cells are tapped, their contents added modulo
2, the first coordinate is output (in Figure 2.3, the rightmost bit of the shift register),
the contents of the register are shifted to the right and the sum computed previously
is taken as the rth coordinate of the vector. In Figure 2.3, this sum is returned to the
leftmost bit of the register as the new entry.
The general theory of LFSRs is based on the algebra of finite fields. Excellent
accounts of this theory may be found in the books of Golomb (1967), Rueppel (1986)
and Beker and Piper (1982).
where $\alpha_i \in \{0, 1\}$, whose representation extends infinitely to the left of the binary point, but has only finitely many places to the right of the point. 2-adic numbers represented by equation (2.5) may also be thought of as formal Laurent series
$$\alpha = \sum_{i=-k}^{\infty} \alpha_i 2^i, \qquad (2.6)$$
where $\alpha_i \in \{0, 1\}$. When there are no non-zero bits to the right of the binary point (i.e. $k = 0$), the 2-adic numbers are called 2-adic integers:
$$\mathbb{Z}_2 = \Big\{ \sum_{i=0}^{\infty} \alpha_i 2^i \;\Big|\; \alpha_i \in \{0, 1\} \Big\}. \qquad (2.7)$$
The set of 2-adic integers is denoted by $\mathbb{Z}_2$. The 2-adic integers form a ring with additive identity 0 and multiplicative identity $1 = 1 \cdot 2^0$. Addition in $\mathbb{Z}_2$ is performed by ‘carrying’ overflow bits to higher order terms, so that $2^i + 2^i = 2^{i+1}$. Using the fact that in $\mathbb{Z}_2$, $1 - 1 = 0$, it is easy to see that
$$-1 = 1 + 2^1 + 2^2 + 2^3 + \cdots. \qquad (2.8)$$
From the binary (base-2) representation of positive integers, it is clear that Z2 contains
all positive integers. The identity
shows that $\mathbb{Z}_2$ contains the negative integers. In general, for an arbitrary 2-adic number $\alpha$, the additive inverse $-\alpha$ can be calculated as follows. Expressing $\alpha$ in the form $\alpha = 2^r\big(1 + \sum_{i=1}^{\infty} \alpha_i 2^i\big)$, where $r$ is an integer, we have
$$-\alpha = 2^r\Big(1 + \sum_{i=1}^{\infty} \bar{\alpha}_i 2^i\Big), \qquad (2.10)$$
where $\bar{\alpha}_i$ denotes the complementary bit and $\alpha_i + \bar{\alpha}_i = 1$. The 2-adic numbers, denoted by $\mathbb{Q}_2$, form a field under addition and multiplication. Below are some examples of 2-adic expansions of integers and rationals:
$$\frac{1}{7} = \ldots 110110110110111.0, \qquad -\frac{1}{7} = \ldots 001001001001001.0,$$
$$\frac{9}{2} = \ldots 0000100.10, \qquad \frac{1}{10} = \ldots 110011001100110.1 \qquad (2.11)$$
Note that $\frac{1}{7}$ and $-\frac{1}{7}$ are 2-adic integers, while $\frac{9}{2}$ and $\frac{1}{10}$ are 2-adic rationals.
The rational number $\frac{1}{7} = \overline{011}1.0$ has an eventually periodic 2-adic expansion and $-\frac{1}{7} = \overline{001}.0$ has a strictly periodic 2-adic expansion. In both these cases, note that the period is just the multiplicative order of 2 in the field $\mathbb{Z}/7\mathbb{Z}$.
In $\mathbb{Z}_2$, the ring of 2-adic integers, every odd integer $\alpha \in \mathbb{Z}$ has a unique multiplicative inverse. Thus, the ring $\mathbb{Z}_2$ contains every rational number $p/q$ provided $q$ is odd. In fact
$$\mathbb{Z}_2 = \Big\{ \frac{p}{q} \;\Big|\; p, q \in \mathbb{Z},\; q \ne 0 \text{ and } q \text{ is odd} \Big\}. \qquad (2.12)$$
This gives an alternative description of Z2 . These ideas may be extended to develop
the theory of p-adic and N-adic numbers.
We have given a very sketchy account of the theory of 2-adic numbers. For a
more comprehensive treatment of the theory, we refer to the books by Koblitz (1984),
Mahler (1973) and Gouvêa (2003).
[Figure: the 2-adic FCSR with taps q_1, q_2, ..., q_{r-1}, q_r and the div 2 / mod 2 feedback into the memory.]
Fix taps $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$ and let $q_0 = -1$. Define $X = \{0, 1\}^r \times \mathbb{Z}$. Let $a = (a_0, a_1, \ldots, a_{r-1}, m_{r-1}) \in X$ be a seed vector, where $m_{r-1} \in \mathbb{Z}$ is the initial memory and $a_i \in \{0, 1\}$. Let $\sigma_r = \sum_{k=1}^{r} q_k a_{r-k} + m_{r-1}$. Define the feedback function $f : X \to X$ to be
$$f(a_0, a_1, \ldots, a_{r-1}, m_{r-1}) = \Big(a_1, a_2, \ldots, a_{r-1},\; \sum_{k=1}^{r} q_k a_{r-k} + m_{r-1} \pmod 2,\; m_r\Big), \qquad (2.13)$$
where $m_r = \lfloor \sigma_r / 2 \rfloor$. Here $\lfloor \cdot \rfloor$ is the floor function. The above equation also makes it
clear how (2.13) generalises (2.4). As in the generators described earlier, the output
sequence $y_i \in \{0, 1\}$ is generated using the sequence of $(r + 1)$-vectors $a = f^0(a), f(a), f^2(a), \ldots$. For all $i \ge 0$, $y_i$ is defined to be the first coordinate of the $(r + 1)$-tuple $f^i(a)$. As before, this means that the first $r$ output bits will be just the first $r$ coordinates of the seed vector and the period of the sequence $(y_i)_{i \ge 0}$ is the same as that of $(f^i(a))_{i \ge 0}$. The function described in (2.13) shows how the FCSRs differ from the AWC generators defined in (2.3). The carry part in (2.3), which is denoted by $c$ in the $(r + 1)$-tuple, is 0 or 1, whereas the analogous memory in (2.13), which is denoted by $m_{r-1}$, is allowed to take integer values. Klapper and Goresky proved that the memory can be bounded in terms of the number of non-zero $q_i$’s. Much of the theory they develop for their 2-adic FCSR parallels that of linear feedback shift registers (LFSR) over $\mathbb{F}_2$.
The 2-adic FCSR may be generalised to the p-adic and the N-adic case, and
the analogues of equation (2.13) are obtained by replacing 2 by p and N respectively
and making the suitable allowances for the tap coefficients and the initial loadings.
$$q + 1 = q_1 2^1 + q_2 2^2 + \cdots + q_r 2^r \qquad (2.14)$$
be the binary expansion of $q + 1$, where $r = \lfloor \log_2(q + 1) \rfloor$ and $q_i \in \{0, 1\}$. Then the 2-adic FCSR with connection integer $q$ has $r$ stages and feedback connections given by the bits $\{q_1, q_2, \ldots, q_r\}$ in Equation 2.14. This is shown in Figure 2.4. By letting $q_0 = -1$, we may write $q = \sum_{i=0}^{r} q_i 2^i$. The contents of the register are denoted by $a_{n-1}, a_{n-2}, \ldots, a_{n-r}$ and the operation of the 2-adic FCSR is as follows:
A1. Form the integer sum $\sigma_n = \sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}$.
A2. Shift contents one step to the right, output the rightmost bit $a_{n-r}$.
A3. Place $a_n = \sigma_n \bmod 2$ into the leftmost cell of the shift register.
A4. Replace the memory integer $m_{n-1}$ with $m_n = (\sigma_n - a_n)/2 = \lfloor \sigma_n / 2 \rfloor$.
Thus we see that an FCSR is a feedback shift register that is similar to the
LFSR except that it has a small amount of auxiliary memory. The difference is that
during each iteration, the memory, which is an integer, is added to the sum of the tapped bits and the parity of this quantity, which is $\sum_{k=1}^{r} q_k a_{r-k} + m_{r-1} \pmod 2$, is taken to be the $r$th coordinate of the new vector (in Figure 2.4, the leftmost bit).
The higher order bits are retained as the new value of the memory (i.e., mr ). Figure
2.3 and Figure 2.4 illustrate the equations (2.4) and (2.13) respectively. Note that in
both cases, the right-most bit corresponds to the first coordinate of the (r + 1)-tuple
and is the output at every loop.
From the discussions in the preceding sections, it should be clear that we can
formulate three different but equivalent descriptions of the LFSR and FCSR. Here we
compare the LFSR and FCSR and show how their theories are analogous.
Let F be a finite field and let q1, q2 , . . . , qr ∈ F. The linearly recurrent sequence
of order r with multipliers q1 , q2 , . . . , qr ∈ F and initial state (a0 , a1 , . . . , ar−1 ) is the
unique solution to the equations
$$q(x) = q_0 + \sum_{i=1}^{r} q_i x^i$$
$$\frac{p(x)}{q(x)} = a_0 + a_1 x + a_2 x^2 + \cdots$$
where the denominator polynomial is, as before, dependent only upon the taps of the corresponding LFSR. The numerator polynomial is given by
$$p(x) = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} x^j.$$
And thirdly, the LFSR sequences also have a trace representation given by
$$a_j = \mathrm{Tr}_{L/F}(a \delta^j)$$
$a_0, a_1, \ldots, a_{r-1} \in \mathbb{Z}/(N)$, and let the initial memory $m_{r-1} \in \mathbb{Z}$. The FCSR sequence is then the unique solution to the with-carry linear recurrence
for $j \ge r$. Here, the right hand side of equation 2.16 is first computed as an integer $\sigma \in \mathbb{Z}$. Then $a_j$ is obtained by reducing $\sigma$ modulo $N$, and the new memory $m_j$ is computed as $\lfloor \sigma / N \rfloor$. Again, we may give three alternative descriptions of such a sequence. First, it is the output of an FCSR with $r$ main register cells, tap coefficients given by the $q_i$ and initial state given by the $a_i$. The connection integer associated with the FCSR is
$$q = q_0 + \sum_{i=1}^{r} q_i N^i \in \mathbb{Z}$$
$$\frac{p}{q} = a_0 + a_1 N + a_2 N^2 + \cdots$$
$$p = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} N^j - m_{r-1} N^r.$$
where $\delta = N^{-1} \pmod q$ and $a \in \mathbb{Z}/(q)$ is an element that depends upon the initial state. In the right hand side of the equation above, the quantity $a\delta^j$ is first reduced modulo $q$ and represented as an integer in the range $\{0, 1, \ldots, q - 1\}$ and then this integer is reduced modulo $N$.
The purpose of this section is to collect in one place, all of the results on FCSRs
that are relevant to the later parts of the thesis. Here and in what follows, let Q2 denote
the field of 2-adic numbers. The following facts are known about the 2-adic FCSR:
1. (Klapper and Goresky 1997) If a sequence a = (ai )i≥0 is the output of a 2-adic
FCSR, and α ∈ Q2 is the 2-adic number associated with this sequence, then a
is eventually periodic and α = p/q, where q is the connection number of the
FCSR. Conversely, every eventually periodic binary sequence whose associated
2-adic number is α = p/q is the output of a 2-adic FCSR with connection integer
q.
3. (Gauss 1801) If α = p/q ∈ Q2 is the 2-adic number associated with the output
sequence of a 2-adic FCSR, then the period of the sequence is the multiplicative
order of 2 modulo q.
5. (Goresky and Klapper 1995) Every binary ℓ-sequence possesses the property of symmetrical complementarity: in any binary ℓ-sequence of period $2t$, where $t$ is a positive integer, the second half of any segment of length $2t$ is the bit-wise complement of the first half. However, the converse of this statement is not true. For example, the sequence generated by a 2-adic FCSR with connection
6. (Goresky and Klapper 1995) Every binary ℓ-sequence possesses the nearly de Bruijn property: if the ℓ-sequence is generated by a 2-adic FCSR with connection integer $q$, then in any given period of the sequence, every binary string of length $\lfloor \log_2(q) \rfloor$ occurs at least once and every binary string of length $\lfloor \log_2(q) \rfloor + 1$ occurs at most once.
For a more detailed account of the properties of FCSR sequences, including proofs of
these assertions, the reader is referred to the papers of Klapper and Goresky (1997),
Goresky and Klapper (1995), Mittelbach and Finger (2004), and the dissertation of
Xu (2000).
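The following Python program is an added illustration, not code from the thesis: it simulates the 2-adic FCSR of Section 2.3 (steps A1 to A4), computes the numerator $p$ of Section 2.4 with $N = 2$, and checks facts 1, 3 and 5 above on constructed parameters ($q = 7$ from (2.11) and $q = 173$); the function names and seed vectors are my own choices.

```python
"""2-adic FCSR simulator, added as an illustration (not code from the thesis).

It follows steps A1-A4 of Section 2.3 and checks three facts from Chapter 2:
the output of the FCSR with connection integer q is the 2-adic expansion of
p/q, with p given by the numerator formula of Section 2.4 (N = 2); when
gcd(p, q) = 1 the period is the multiplicative order of 2 modulo q; and an
l-sequence is symmetrically complementary. Function names are my own.
"""
from math import gcd


def taps_from_connection_integer(q):
    """Return (r, [q_1, ..., q_r]) with q + 1 = sum_{i=1}^{r} q_i 2^i (eq. 2.14)."""
    assert q > 0 and q % 2 == 1, "connection integer must be a positive odd integer"
    r = (q + 1).bit_length() - 1            # r = floor(log2(q + 1))
    return r, [((q + 1) >> i) & 1 for i in range(1, r + 1)]


def fcsr_output(q, state, memory, n_bits):
    """Run the 2-adic FCSR (steps A1-A4); return (first n_bits output bits, final memory).

    state = (a_0, ..., a_{r-1}) with the oldest bit first; memory = m_{r-1}.
    """
    r, taps = taps_from_connection_integer(q)
    assert len(state) == r, "initial state must have r = %d cells" % r
    bits, m = list(state), memory
    while len(bits) < n_bits:
        # A1: sigma_n = sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}; bits[-k] is a_{n-k}
        sigma = sum(taps[k - 1] * bits[-k] for k in range(1, r + 1)) + m
        bits.append(sigma % 2)              # A3: a_n = sigma_n mod 2 enters the register
        m = sigma // 2                      # A4: m_n = floor(sigma_n / 2)
    return bits[:n_bits], m


def numerator(q, state, memory):
    """p such that the output is the 2-adic expansion of p/q (Section 2.4 with N = 2)."""
    r, taps = taps_from_connection_integer(q)
    qs = [-1] + taps                        # q_0 = -1
    p = sum(qs[i] * state[j - i] * (1 << j) for j in range(r) for i in range(j + 1))
    return p - memory * (1 << r)


def two_adic_expansion(p, q, n_bits):
    """First n_bits bits (least significant first) of the 2-adic expansion of p/q, q odd."""
    assert q % 2 == 1
    bits, x = [], p
    for _ in range(n_bits):
        b = x % 2                           # q is odd, so p/q = p (mod 2)
        bits.append(b)
        x = (x - b * q) // 2                # exact division: x/q = b + 2 * (new x)/q
    return bits


def multiplicative_order(base, modulus):
    """Smallest k >= 1 with base^k = 1 (mod modulus); requires gcd(base, modulus) = 1."""
    assert gcd(base, modulus) == 1
    k, x = 1, base % modulus
    while x != 1:
        x, k = x * base % modulus, k + 1
    return k


def eventual_period(bits, start):
    """Smallest t >= 1 with bits[n] == bits[n + t] for every n >= start, or None."""
    for t in range(1, (len(bits) - start) // 2 + 1):
        if all(bits[n] == bits[n + t] for n in range(start, len(bits) - t)):
            return t
    return None


def fcsr_period(q, state, memory):
    """Period of the FCSR output sequence, measured from bit r onward."""
    r, _ = taps_from_connection_integer(q)
    bits, _ = fcsr_output(q, state, memory, r + 3 * (q - 1))   # period is at most q - 1
    return eventual_period(bits, r)


def symmetrically_complementary(bits, start, period):
    """Fact 5 of Section 2.5: the second half of a period is the complement of the first."""
    half = period // 2
    return period % 2 == 0 and all(
        bits[start + i] != bits[start + half + i] for i in range(half))


if __name__ == "__main__":
    # Constructed example: q = 7 has taps (0, 0, 1), so a_n = a_{n-3} + m_{n-1};
    # seed (1, 0, 0) with memory 0 gives 100100100... = -1/7, as in (2.11).
    print(fcsr_output(7, (1, 0, 0), 0, 9)[0], numerator(7, (1, 0, 0), 0))
    # Constructed example: q = 173 (2 is primitive modulo 173, so the period is 172).
    seed = (1, 0, 0, 0, 0, 0, 0)
    print(numerator(173, seed, 0), fcsr_period(173, seed, 0), multiplicative_order(2, 173))
```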
In this chapter we have briefly surveyed the theory of FCSR sequences and
seen how many of the results in this theory closely resemble those in the theory of
LFSR sequences. In the next chapter, we will use these results to devise simple but
effective algorithms to generate a large number of FCSR architectures. The algo-
rithms ensure that the output sequences of these architectures satisfy the necessary
conditions for keystream generators mentioned in Chapter 1.
CHAPTER 3
1. the output sequences must have a period greater than some specified value,
2. the output sequences must have a 2-adic complexity greater than a specified
value,
3. the output sequences must have a specified distribution property, such as, for
example, the nearly de Bruijn property.
Hardware or memory resource limitations may give rise to additional constraints such
as:
1. the number of cells in the main register must not exceed a specified value,
2. the number of non-zero taps must not exceed a specified value, or must be ex-
actly equal to some value.
The search algorithms presented in this chapter solve some of these problems. These
algorithms are by no means the most computationally efficient, and we have not at-
tempted to analyse their computational complexity. Further, use of these algorithms
to generate parameters for FCSRs does not guarantee the security of a stream cipher.
However, they ensure that the necessary conditions for good quality output sequences
hold, and serve as effective and practical tools to aid the cryptographer in stream
cipher design.
The general idea of the search algorithms for FCSRs is as follows. Suppose
we require a number of FCSR architectures which must have a guaranteed minimum
period of T . We need to generate an integer q such that the multiplicative order of 2
modulo q is at least T . Our basic search algorithm does exactly this. Essentially, we
look for those cyclic groups in which the subgroup generated by 2 has a large enough
order. In order to ensure good distribution properties and complexity measures for the
FCSR sequences, we restrict our attention to cyclic groups Z/qZ, where q is either an
odd prime or a power of an odd prime, and test for the primitivity of 2 modulo q.
test whether they satisfy the specified criterion on the period. We therefore devise a
simpler ‘sliding window’-based approach to the problem. More complex algorithms
could be designed based on ideas developed by Knuth for generating n-tuples.
For the case of the d-FCSR, we develop an algorithm that generates connection integers $q$ of the form $q = q_0 + q_1\pi$ such that $q_0^2 - p q_1^2 = N$, where $p$ is a square-free modulus and where the norm $N$ is a prime greater than the desired minimum period. For this search problem, $p$, a square-free integer, $d = 2$, and $T$, the minimum period, are specified and $q_0$ and $q_1$ are to be determined.
In the rest of this section we describe each of these search algorithms in detail.
The first two search algorithms for the LFG and the AWC are almost trivial, but we
present them here for the sake of completeness.
Input:
Output:
R values of the long lag $r_i$ such that the period of the corresponding LFGs is greater than $T$ for every $s_i$ such that $0 < s_i < r_i$.
Algorithm L:
[1. Compute minimum r] Compute the smallest integer $k$ such that $2^k > T/2^{n-1} + 1$. Let this value of $k$ be denoted $k_{\min}$.
[2. Iterate] Every $r > k_{\min}$ is a valid long lag satisfying the given constraints. Output $k_{\min}$ and the next $R - 1$ integers greater than $k_{\min}$ as valid long lags $r_i$.
We assume that the diamond operator used in the LFG is the XOR operation. For a modulus $2^n$, the period of an LFG with $r$ stages is then given by $(2^r - 1)2^{n-1}$. The period does not depend upon the short lag. Since we desire LFGs with period greater than $T$, it suffices if the long lag is such that $2^r > T/2^{n-1} + 1$. Clearly, if any $r$ satisfies this inequality, any other integer greater than $r$ also satisfies it. The algorithm is then a trivial consequence of this observation.
Example 3.1.1 Let $m = 2^2$ and let minimum $T = 134$. Since $2^7 > T/2^{2-1}$, any $r \ge 7$ will be sufficient. Thus the periods for $r = 7, 8, 9, \ldots$ are respectively 258, 510, 1022, …
Input:
Output:
R values of the long lag $r_i$ and short lag $s_i$ such that the order of $b$ modulo each $b^{r_i} + b^{s_i} - 1$ is greater than $T$.
Algorithm W:
[1.] Set $i = 0$.
[2.] Calculate the power of the base $k$ such that $b^k < T < b^{k+1}$.
[3.] Set $j = 1$.
[4.] Compute $m = b^k + b^j - 1$.
Example 3.1.2 Let b = 10 and minimum T = 1123. Then the lags (4,1), (4, 2), (4, 3),
and (5, 2) give rise to sequences of periods 5004, 3366, 5768, and 1614, respectively.
The basic strategy for this algorithm is as follows: generate a prime larger than the specified period and compute the order of 2 modulo this prime. If this is greater than the specified period, we accept the prime as valid. Otherwise, we may proceed by generating a smaller prime and checking whether 2 is a primitive root modulo this smaller prime. If 2 is also primitive modulo the square of this prime, then it follows that 2 is primitive modulo any power of the prime. We can then choose that power of the prime as connection integer for which the period is greater than the value specified.
Algorithm S:
Input:
Output:
[7. ] If $2^{(q-1)} \not\equiv 1 \pmod{q^2}$, then 2 is primitive modulo $q^2$ and also primitive modulo $q^k$ with order $q^k - q^{k-1}$.
Example 3.1.3 Let minimum T = 169. Then the following connection integers spec-
ify valid architectures: q = 173, 179, 181, 197. The respective periods are 172, 178,
180, 196. In this case, it turns out that the connection integers all have 2 as a primitive
root.
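The prime search of Algorithm S, as an added Python illustration (not the thesis's own code): it reproduces Example 3.1.3 and the prime-power extension of step 7; the function names and the extra parameters used for the prime-power case ($q = 5$, $T = 50$) are chosen here.

```python
"""Algorithm S of Section 3.1, as an added illustration (not the thesis's own code).

Generates primes q > T, keeps those for which the multiplicative order of 2
modulo q exceeds T, and reproduces the prime-power extension of step 7: if 2 is
primitive modulo a prime q and 2^(q-1) != 1 (mod q^2), then 2 is primitive
modulo every q^k, with order q^k - q^(k-1). Function names are my own.
"""
from math import gcd, isqrt


def is_prime(n):
    """Trial division; adequate for connection integers of the size used in the examples."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def multiplicative_order(base, modulus):
    """Smallest k >= 1 with base^k = 1 (mod modulus): the FCSR period (fact 3, Section 2.5)."""
    assert gcd(base, modulus) == 1
    k, x = 1, base % modulus
    while x != 1:
        x, k = x * base % modulus, k + 1
    return k


def search_prime_connection_integers(T, count):
    """Basic strategy of Algorithm S: primes q > T whose period ord_2(q) exceeds T.

    Returns `count` pairs (q, period) in increasing order of q.
    """
    found = []
    q = next_prime(T)
    while len(found) < count:
        period = multiplicative_order(2, q)
        if period > T:
            found.append((q, period))
        q = next_prime(q)
    return found


def prime_power_connection_integer(q, T):
    """Step 7 of Algorithm S: a power q^k with guaranteed period q^k - q^(k-1) > T.

    Requires q prime with 2 primitive modulo q. Returns (q^k, period), or None when
    2^(q-1) = 1 (mod q^2), in which case the step does not apply.
    """
    assert is_prime(q) and multiplicative_order(2, q) == q - 1
    if pow(2, q - 1, q * q) == 1:
        return None
    k = 1
    while q ** k - q ** (k - 1) <= T:
        k += 1
    return q ** k, q ** k - q ** (k - 1)


if __name__ == "__main__":
    # Example 3.1.3: minimum period 169 gives q = 173, 179, 181, 197.
    print(search_prime_connection_integers(169, 4))
    # Constructed: 2 is primitive mod 5 and 2^4 != 1 (mod 25), so 5^3 = 125 has period 100.
    print(prime_power_connection_integer(5, 50))
```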
If the register size is $r$ and the number of non-zero taps is $h$, where $r \ge h > 0$, then there are $\binom{r-1}{h-1}$ potential connection integers that satisfy the criteria on the register size and the number of non-zero taps. For large $r$, and $h$ approximately equal to $r/2$, it may not be feasible to check every possible connection integer with $h$ non-zero taps. The strategy we adopt is as follows: we fix the tap at the right extremity of the main register, that is the register cell closest to the output. Thus the minimum value of $q$ is $b^r - 1$. This leaves $h - 1$ taps to be assigned to $r - 1$ register cells. We begin
by assigning a block or window of h − 1 1s to the leftmost taps. At every iteration this
block is moved right, and the corresponding connection integer is checked to see if it
meets the period requirement. When the block reaches the right extreme, we begin
again from the left end, but introduce a zero in the left-most position of the block.
This block is again slid towards the right until it reaches the right extreme. In the next
iteration, another zero is introduced to the left extreme of the block, and the block
is again slid towards the right. We repeat this procedure until we have the requisite
number of connection integers or until all the bits are zero in the window, in which
case, we may continue the search by repeating the procedure for r + 1, r + 2, and so
on.
Input:
Base, b > 1
Output:
n integers Qi such that the order of 2 modulo each Qi is greater than T , and
such that Qi + 1 has h non-zero coefficients in its base-2 expansion.
Algorithm F:
[1.] Set $i = 0$.
[3.] Set $\ell = 0$.
[7.] Set $k = 1$.
[10.] Set $\ell = 0$.
[11.] Compute $q = s + 2^{\ell} s_0$.
This algorithm is certainly not the most efficient way to generate connection
integers with a fixed number of non-zero taps. It should be noted, however, that the
general problem is hard. In fact, we cannot even be sure that there are sufficiently
many connection integers with the given number of non-zero taps in their binary ex-
pansion. This problem is related to much deeper questions in number theory concern-
ing the number of primes that have exactly k 1-bits or 0-bits in their binary expansion.
Wagstaff (2001) considered primes with a fixed number of 1s or 0s in their binary ex-
pansion and asked whether there exists any k for which we can prove that there are
infinitely many primes with exactly k 1-bits in their binary expansions. He also posed
the related question of whether there exists any k for which we can prove that there
are infinitely many primes with ≤ k 1-bits. Wagstaff conjectured that the answers to
both questions are positive, and that any k ≥ 3 is sufficient.
Example 3.1.4 Let minimum period be 1356 and let the number of non-zero taps be
7. Then the connection integers 3041, 2293, 2957 give rise to sequences of period
1520, 2292, 2956, respectively.
The operation of the d-FCSR is similar to the 2-adic FCSR except that each
carried bit is delayed d − 1 steps before being added. In this section, we give a brief
description of the theory of the d-FCSR after the fashion of Goresky and Klapper
(1995). A more detailed account of the theory may be found in Goresky and Klapper
33
$$u_0 + u_1 \pi + u_2 \pi^2 + \cdots + u_{d-1} \pi^{d-1} \qquad (3.1)$$
with ui ∈ Z. The fraction field of Z[π], denoted Q[π], is the set of all real numbers of
the form given by Equation 3.1 with ui ∈ Q. Every element of Q[π] may be expressed
as a fraction u/v with u, v ∈ Z[π]. We can also view Q[π] as a vector space over Q of
dimension d with the basis vectors given by $\{1, \pi, \pi^2, \ldots, \pi^{d-1}\}$, and the elements of
Z[π] in Q[π] are referred to as the lattice points of Q[π].
We define the ring $\mathbb{Z}_\pi$ as the set of all infinite formal expressions of the form
$$\alpha = a_0 + a_1 \pi + a_2 \pi^2 + \cdots$$
$$\frac{u}{q} = \sum_{i=0}^{\infty} a_i \pi^i \in \mathbb{Z}_\pi$$
where p is a square-free modulus and N is a prime greater than the desired minimum
period. The equation
Input:
Degree or delay, d = 2.
Output:
[2. Solve quadratic congruence] We solve the equation $x^2 \equiv p \pmod N$. Let the solution be $x_0$.
$$x_0 = a_0 \times N + r_0$$
$$N = a_1 \times r_0 + r_1$$
$$\cdots$$
$$q_0 = r_{k-1}, \qquad q_1 = \sqrt{\frac{N - r_{k-1}^2}{-p}}$$
[4. Compute m] Compute $m = q_0 / (-p\, q_1) \pmod N$. Compute the order of m modulo N. If the order of m is less than T, go to step 0 and generate the next prime.
Example 3.1.5 Let p = 6 and let the minimum period be 133. Then connection
integers 193, 211, 283, 331 correspond to the elements 17 + 4π, 19 + 5π, 17 + π,
25 + 7π, respectively, and the periods of their output sequences are 192, 210, 141,
165, respectively.
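The following Python is an added example, not the thesis's code, that carries steps 2 to 4 of the d = 2 search through for the values of Example 3.1.5. It relies on two facts about the quadratic case: a connection element $q_0 + q_1\pi$ with $\pi^2 = p$ has norm $q_0^2 - p q_1^2 = N$, and the quotient ring $\mathbb{Z}[\pi]/(q_0 + q_1\pi)$ is $\mathbb{Z}/N$ with $\pi \mapsto -q_0 q_1^{-1}$, so the period is the order of that image (equivalently of $m = q_0/(-p q_1)$, its inverse) modulo N. The stopping rule for the Euclidean algorithm (take the last remainder that is at least $\sqrt{N}$ as $q_0$) is our assumption, since the page does not state it; the brute-force square root and all function names are ours.

```python
# Added example: steps 2-4 of the d-FCSR search for d = 2, checked against
# Example 3.1.5 (p = 6).  Not the thesis's own code.  Assumptions (ours):
#  - pi^2 = p, so norm(q0 + q1*pi) = q0^2 - p*q1^2 = N;
#  - the Euclidean algorithm stops at the first remainder below sqrt(N) and
#    q0 is the remainder before it (the page gives no stopping rule);
#  - m = q0 / (-p q1) mod N is the inverse of the image of pi in Z/N, so its
#    order is the period of the sequence.
from math import gcd, isqrt


def multiplicative_order(a, n):
    """Smallest k > 0 with a^k = 1 (mod n); requires gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def sqrt_mod(p, N):
    """Step 2: the smallest x0 with x0^2 = p (mod N), or None.  Brute force,
    which is fine for the small primes used here."""
    for x in range(N):
        if (x * x - p) % N == 0:
            return x
    return None


def connection_element(p, N):
    """Step 3: Euclidean algorithm on (x0, N); q0 = r_{k-1} and
    q1 = sqrt((N - q0^2) / (-p)).  Returns (q0, q1) or None when q1 is not
    a positive integer."""
    x0 = sqrt_mod(p, N)
    if x0 is None:
        return None
    prev, cur = N, x0                  # r_{-1} = N, r_0 = x0 (a0 = 0 as x0 < N)
    while cur * cur >= N:              # assumed stopping rule (see above)
        prev, cur = cur, prev % cur
    q0 = prev
    num = N - q0 * q0                  # negative when q0^2 > N
    if num % (-p) != 0:
        return None
    sq = num // (-p)
    if sq <= 0:
        return None
    q1 = isqrt(sq)
    if q1 * q1 != sq:
        return None
    return q0, q1


def d_fcsr_period(p, N):
    """Step 4: m = q0 / (-p q1) (mod N) and its multiplicative order, which is
    the period of the d-FCSR sequence.  Returns (q0, q1, period) or None."""
    elem = connection_element(p, N)
    if elem is None:
        return None
    q0, q1 = elem
    den = (-p * q1) % N
    if den == 0:
        return None
    m = (q0 * pow(den, -1, N)) % N
    return q0, q1, multiplicative_order(m, N)


if __name__ == "__main__":
    # Example 3.1.5: p = 6, minimum period 133.
    for N in (193, 211, 283, 331):
        print(N, d_fcsr_period(6, N))
```

For N = 193 the Euclidean remainders of (44, 193) are 17, 10, ...; the last remainder not below $\sqrt{193}$ is 17, and $(193 - 17^2)/(-6) = 16$, giving the element $17 + 4\pi$ of the example. A prime N for which the square root of the quotient is not an integer is simply skipped, which is what the "go to step 0" branch of the algorithm does.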
CHAPTER 4
Linear feedback shift registers (LFSRs) have been the workhorses of stream
cipher design for the past several decades. They are well-understood, easy to imple-
ment both in hardware and software, and are extremely fast. An important measure of
the security of a classical stream cipher is the linear complexity of the pseudorandom
keystream generator used in its design. The linear complexity of a sequence is de-
fined as the size of the smallest LFSR that generates the given sequence. Sequences
of low linear complexity are susceptible to cryptanalysis via the Berlekamp-Massey
algorithm (Massey 1969). Hence the LFSR cannot directly be used as a keystream
generator in stream ciphers. By introducing suitable nonlinearities in the output or
feedback function of the LFSR, it is often possible to increase the linear complexity,
and thus reduce the predictability, of the output sequence.
Key (1976) first studied the effect of combining two LFSR sequences using the
bit-wise AND operation as the combining function. He found that when the two LF-
SRs had distinct irreducible characteristic polynomials of degree r and s respectively,
1. the product sequence (bit-wise AND) has period equal to the LCM of the peri-
ods of the two LFSRs, and
Key also proved bounds on the complexity of filtered LFSR sequences in which
shifted ‘phases’ of a single LFSR sequence are combined nonlinearly. These re-
sults have subsequently been improved by a number of investigators (Herlestam 1985,
Rueppel and Staffelbach 1987, Golić 1989, Göttfert and Niederreiter 1993, Kolokotro-
nis and Kalouptsidis 2003, and Lam and Gong 2004).
FCSRs were used as primitives. Our results, on the other hand, are the first to prove
upper bounds on the 2-adic complexity of combiner generators.
According to Arnault and Berger (2005), the feedback function of the FCSR
is highly nonlinear and hence FCSR sequences are resistant to linear attacks such as
the Berlekamp-Massey algorithm. They claim that a linear filter function adequately
masks the 2-adic structure of the FCSR. Further, they state that linear functions are
optimal from the point of view of resilience and that linear functions provide protec-
tion against certain correlation attacks. Linear functions are also the easiest from the
implementation point of view. For this reason, we chose our combiner function to be
the XOR operation.
With the aim of proving results similar to those of Key and others for the case
of FCSRs, we conducted a large number of numerical experiments using FCSRs as
the primitives in a combiner generator (see Figure 4.1). The experimental procedure
that was used to obtain the observations was as follows:
1. Fix two distinct prime power connection integers q1 and q2 such that 2 is prim-
itive modulo q1 and q2 .
2. Generate all possible strictly periodic sequences with these connection integers.
Let the set of all strictly periodic sequences (excluding the all-zeroes and all-
4. For each sequence output by step 3, synthesise the sequence using de Weger’s
algorithm. Observe the period, complexity, and structure of the connection in-
teger of the output sequence.
Based on the observations made while conducting these experiments, we were able to
conjecture a number of results on the period, complementarity and 2-adic complexity
of combiner sequences. These results are proved in Theorems 4.2.3, 4.2.4 and 4.2.6.
Our aim in this chapter is to prove these results and derive useful design principles
from them.
Consider the truth table for the XOR function which is shown in Table 1. We
denote complementation by an overbar, $\bar{x}$. Let x, y ∈ {0, 1} and let the symbol ⊕
denote the XOR function or addition modulo 2. It is easy to verify the following two
facts from the truth table:
Fact 4.0.1 $\bar{x} \oplus y = x \oplus \bar{y} = \overline{x \oplus y}$
Fact 4.0.2 $\bar{x} \oplus \bar{y} = x \oplus y$
4.1 NOTATION
With reference to the combiner in Figure 4.1, we now fix the notation for the
rest of this chapter. Let r1 and r2 be two odd primes, not necessarily distinct. Let
$q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where e1, e2 > 0 and such that 2 is a
primitive root modulo q1 and q2. Let $a := (a_i)_{i \geq 0}$ and $b := (b_i)_{i \geq 0}$ be two strictly
periodic binary sequences generated by 2-adic FCSRs with connection integers q1
and q2, respectively. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of
the two sequences a and b respectively and let L = lcm(T1, T2). Let $c := (c_i)_{i \geq 0} :=
a \oplus b := (a_i \oplus b_i)_{i \geq 0}$ be the output sequence obtained by computing the element-wise
exclusive-OR of a and b. Let T be the period of the sequence c and let −p/q be the
rational number in lowest terms whose 2-adic expansion coincides with the sequence
c.
Lemma 4.2.1 Let $q = r^e$ be a power of an odd prime r such that 2 is a primitive root
modulo q. Then r is of the form 4k ± 1 where k is odd.
Lemma 4.2.2 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two powers of odd primes r1 and r2 such
that 2 is a primitive root modulo q1 and q2. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$, $T_2 = (r_2 - 1) r_2^{e_2 - 1}$
and let L = lcm(T1, T2).
ii. If r1 ≡ r2 (mod 4), then both L/T1 and L/T2 are odd.
Proof:
(i.) We have
$$L = \operatorname{lcm}(T_1, T_2) = T_1 T_2 / \gcd(T_1, T_2).$$
Therefore,
Case 1: $r_1 \equiv r_2 \equiv +1 \pmod 4$
$$= \frac{k_2 (4k_2 + 1)^{e_2 - 1}}{\gcd\!\left(k_1 (4k_1 + 1)^{e_1 - 1},\; k_2 (4k_2 + 1)^{e_2 - 1}\right)}.$$
This is odd since k1 and k2 are both odd by Lemma 4.2.1. Similarly, L/T2 is also odd.
Case 2: $r_1 \equiv r_2 \equiv -1 \pmod 4$
and
$$T_2 = (r_2 - 1) r_2^{e_2 - 1} = (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}.$$
Therefore,
The first term inside the square brackets is even while the second term is odd. This
implies that T 1 − T 2 = 2m where m is some odd integer. Therefore we must have
Theorem 4.2.3 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where e1, e2 > 0 and
such that 2 is a primitive root modulo q1 and q2. Let $a := (a_i)_{i \geq 0}$ and $b := (b_i)_{i \geq 0}$ be
two strictly periodic binary sequences generated by 2-adic FCSRs with connection
integers q1 and q2, and $c := (c_i)_{i \geq 0} := a \oplus b := (a_i \oplus b_i)_{i \geq 0}$. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$
and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of the two sequences a and b respectively and
let L = lcm(T1, T2).
Proof:
for any fixed integer n ≥ 0. Let the period of the sequence c be denoted by T.
We will prove that T = L/2 by first showing that $T \mid L/2$ and then by proving
that $L/2 \mid T$. By Lemma 4.2.2, when r1 ≡ r2 (mod 4), both L/T1 and L/T2 are odd.
Putting (2n + 1) = L/T1 and (2n + 1) = L/T2 in equations (4.2) and (4.3) respectively,
we have $\bar{a}_i = a_{i+L/2}$ and $\bar{b}_i = b_{i+L/2}$ for every i ≥ 0. That is,
Hence T, which is the smallest period of the sequence c, must divide L/2. On the
other hand, if T is the period, $c_i = c_{i+T}$ for every i ≥ 0. This implies that $a_i = a_{i+T}$
and $b_i = b_{i+T}$, or that $\bar{a}_i = a_{i+T}$ and $\bar{b}_i = b_{i+T}$. In either case, T is a common multiple
of T1/2 and T2/2. Since L/2 is the least common multiple of T1/2 and T2/2, we must
have $L/2 \mid T$. Therefore, T = L/2.
We will prove that T = L by first showing that T | L and then by showing that
L | T . First, note that since L is a multiple of both T 1 as well as T 2 , we must have
ai = ai+L and bi = bi+L for every i ≥ 0. Hence ci := ai ⊕ bi = ai+L ⊕ bi+L := ci+L for
every i ≥ 0, and since T is the (smallest) period of c, T | L.
On the other hand, if T is the period of the sequence c, then $c_i = c_{i+T}$ for every
i ≥ 0, which implies either that $a_i \oplus b_i = a_{i+T} \oplus b_{i+T}$ or that $a_i \oplus b_i = \bar{a}_{i+T} \oplus \bar{b}_{i+T}$ (by
Fact 4.0.2) for every i ≥ 0. This implies either that $a_i = a_{i+T}$ and $b_i = b_{i+T}$, or that
$\bar{a}_i = a_{i+T}$ and $\bar{b}_i = b_{i+T}$, for all i ≥ 0. Suppose the latter holds. Then T must be an odd
multiple of T1/2 as well as of T2/2. That is, $T = (2m_1 + 1) T_1/2$ and $T = (2m_2 + 1) T_2/2$
for some integers m1 and m2. Hence, $(2m_1 + 1) T_1/2 = (2m_2 + 1) T_2/2$, which implies
$2m_1 T_1 + T_1 = 2m_2 T_2 + T_2$. Therefore, we must have $T_2 - T_1 = 2(m_1 T_1 - m_2 T_2) \equiv 0 \pmod 4$.
Since T1 and T2 are even, this contradicts the fact that if $r_1 \not\equiv r_2 \pmod 4$,
we must have $T_2 - T_1 \equiv 2 \pmod 4$ (by equation 4.1). Therefore, T cannot be an odd
multiple of T1/2 and T2/2. We consider the other possibility that T is an even multiple
of T1/2 and T2/2. This implies that $T = 2m_1 T_1/2$ and $T = 2m_2 T_2/2$ for some integers
m1 and m2. Therefore, T is a common multiple of both T1 and T2. Since L is the least
common multiple of T1 and T2, it must divide any common multiple of T1 and T2.
Therefore, $L \mid T$. Since we have already proved that $T \mid L$, this means that T = L.
We may say that combining two ℓ-sequences using the XOR function yields a
sequence whose period is approximately the product of the periods of the individual ℓ-sequences.
To obtain maximum period, r1 and r2 must be chosen so that they do not belong to the
same equivalence class modulo 4, and for proper choices of r1 and r2 the period of the
XOR-combiner can be made as large as T1 · T2/2.
In the next theorem, we prove that if $r_1 \not\equiv r_2 \pmod 4$, the output sequence of
the combiner considered in Figure 4.1 is symmetrically complementary.
Proof:
When $r_1 \not\equiv r_2 \pmod 4$, L/T1 is odd and L/T2 is even by Lemma 4.2.2. There-
fore, from equation (4.2) and equation (4.3), $\bar{a}_i = a_{i+L/2}$ and $b_i = b_{i+L/2}$ for every i ≥ 0,
which implies that
Since we know from Theorem 4.2.3 that the sequence c has period L, equation (4.5)
we see from equation 4.7 that c is symmetrically complementary.
Before we prove upper bounds on the 2-adic complexity of the output se-
quence, we first define the 2-adic complexity of a binary sequence following Xu's
definition of N-adic complexity (Xu 2000). Let $s := s_0 s_1 s_2 \ldots$ be an infinite periodic
binary sequence and let $\sum_{i=0}^{\infty} s_i 2^i = p/q \in \mathbb{Z}_2$ be the fraction in lowest terms whose
2-adic expansion agrees with the sequence s.
Definition 4.2.5 The 2-adic complexity of the sequence s is defined to be the integer
$$\varphi(s) = \max\left(\lfloor \log_2 |p| \rfloor, \lfloor \log_2 |q| \rfloor\right).$$
If the sequence s is strictly periodic, then p/q < 0 and |p| < |q|, so that φ(s) is
simply equal to $\lfloor \log_2 |q| \rfloor$. We determine an upper bound on the 2-adic complexity
of the FCSR XOR-combiner in the following theorem.
Proof:
If $r_1 \not\equiv r_2 \pmod 4$, then by Theorem 4.2.4 and by Fact 7 about FCSR se-
quences in Chapter 2, we must have $q \mid 2^{T/2} + 1$. We also know by Theorem 4.2.3 that
T = L. Therefore, $q \mid 2^{L/2} + 1$. The maximum value of q occurs when $q = 2^{L/2} + 1$,
and in such a case $\varphi(c) = \lfloor \log_2 q \rfloor < L/2 + 1$.
We observe from Theorem 4.2.3 and Theorem 4.2.6 that for both cases $r_1 \not\equiv
r_2 \pmod 4$ and $r_1 \equiv r_2 \pmod 4$ the period of the output sequence grows roughly
quadratically with the periods of the input sequences. However, for the case $r_1 \not\equiv
r_2 \pmod 4$, due to the symmetric complementarity of the output sequence, its 2-
adic complexity bound is half of the period; for the case $r_1 \equiv r_2 \pmod 4$ the 2-adic
complexity bound is the period of the output sequence.
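The following Python is an added example, not the thesis's code, that runs the combiner experiment described at the start of this chapter on small prime connection integers and checks the statements of Theorem 4.2.3 (period L or L/2 according to whether $r_1 \not\equiv r_2$ or $r_1 \equiv r_2 \pmod 4$), Theorem 4.2.4 (symmetric complementarity) and the 2-adic complexity bounds discussed above, using Definition 4.2.5. Instead of de Weger's rational approximation algorithm it obtains the exact rational $-P/(2^T - 1)$ of the periodic output and reduces it to lowest terms, which gives the same q. Only the ℓ-sequence of −1/q is used for each FCSR (the thesis runs over all strictly periodic sequences), the connection integers are primes so that $r_i = q_i$, and all function names are ours.

```python
# Added example: XOR combiner of two l-sequences on small prime connection
# integers, checking Theorems 4.2.3, 4.2.4 and the 2-adic complexity bound.
# Not the thesis's own code; helper names are ours.  Needs Python 3.9+ (math.lcm).
from math import gcd, lcm


def multiplicative_order(a, n):
    """Smallest k > 0 with a^k = 1 (mod n); requires gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def l_sequence(q, p=1):
    """One period of the strictly periodic 2-adic expansion of -p/q
    (q odd, 0 < p < q): a_i = (p * 2^(-i) mod q) mod 2."""
    inv2 = pow(2, -1, q)
    x, seq = p % q, []
    for _ in range(multiplicative_order(2, q)):
        seq.append(x & 1)
        x = (x * inv2) % q
    return seq


def xor_combine(a, b):
    """c_i = a_i XOR b_i, listed over L = lcm(T1, T2) positions."""
    n = lcm(len(a), len(b))
    return [a[i % len(a)] ^ b[i % len(b)] for i in range(n)]


def least_period(seq):
    """Least period of a sequence given as one full cycle."""
    n = len(seq)
    return next(t for t in range(1, n + 1)
                if n % t == 0 and all(seq[i] == seq[(i + t) % n] for i in range(n)))


def symmetrically_complementary(cycle):
    """True when c_{i+T/2} is the complement of c_i for all i (T = len(cycle))."""
    n = len(cycle)
    return n % 2 == 0 and all(cycle[i] ^ cycle[(i + n // 2) % n] == 1 for i in range(n))


def two_adic_complexity(seq):
    """(phi, q) per Definition 4.2.5.  A T-periodic sequence is the 2-adic
    expansion of -P/(2^T - 1) with P = sum c_i 2^i over one period; reducing
    to lowest terms gives q, and phi = floor(log2 q) since |p| < |q|."""
    t = least_period(seq)
    P = sum(bit << i for i, bit in enumerate(seq[:t]))
    den = (1 << t) - 1
    q = den // gcd(P, den)
    return q.bit_length() - 1, q


def combiner_report(q1, q2):
    """Experiment for prime connection integers q1, q2 with 2 primitive."""
    a, b = l_sequence(q1), l_sequence(q2)
    T1, T2 = len(a), len(b)
    L = lcm(T1, T2)
    c = xor_combine(a, b)
    T = least_period(c)
    same_class = (q1 % 4) == (q2 % 4)            # r1 = r2 (mod 4)?
    phi, q = two_adic_complexity(c)
    if same_class:
        bound_ok = phi <= T                        # bound is the period
    else:                                          # q | 2^(L/2) + 1, phi < L/2 + 1
        bound_ok = ((1 << (L // 2)) + 1) % q == 0 and phi < L // 2 + 1
    return {"T1": T1, "T2": T2, "L": L, "T": T,
            "period_ok": T == (L // 2 if same_class else L),
            "sym_compl": symmetrically_complementary(c[:T]),
            "phi": phi, "q": q, "bound_ok": bound_ok}


if __name__ == "__main__":
    for pair in [(11, 13), (5, 13), (3, 11)]:   # 11 != 13, 5 = 13, 3 = 11 (mod 4)
        print(pair, combiner_report(*pair))
```

For (11, 13) the periods are 10 and 12, L = 60, and since 11 ≢ 13 (mod 4) the output has period 60, is symmetrically complementary, and its q divides $2^{30} + 1$. For (5, 13) the two primes are both 1 (mod 4), L = 12 and the output period drops to 6, with no symmetric complementarity; (3, 11) behaves the same way with L = 10 and period 5.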
We now turn to the problem of determining an upper bound on the linear com-
plexity of the FCSR combiner.
Theorem 4.2.7 The linear complexity of the FCSR XOR combiner in Figure 4.1 is
(T 1 + T 2 )/2 + 2.
Proof:
From the result of Xu (2000) specialised to the 2-adic case, we know that the
linear complexities of the individual ℓ-sequences are bounded above by T1/2 + 1 and
T2/2 + 1, where the Ti are the periods of the individual ℓ-sequences. From the work
of Massey (1969) it is well known that the linear complexity of a linear combination
of sequences is at most the sum of their linear complexities. Applying this result, we
see that the linear complexity of the FCSR XOR combiner is at most the sum of the
linear complexities of the individual FCSRs.
CHAPTER 5
It remains to be seen how far the search algorithms can be optimised for each
of the special cases of the FCSR architectures, especially the 2-adic FCSR and the
d-FCSR. The properties of more general classes of FCSR combiners using arbitrary
combining functions and an arbitrary number of FCSRs need to be investigated.
REFERENCES
27. Klapper A. and Goresky M. (1993) ‘2-adic shift registers’, In Fast Software Encryption, Cambridge Security Workshop, Lecture Notes in Computer Science, volume 809.
28. Klapper A. and Goresky M. (1997) ‘Feedback shift registers, 2-adic span and combiners with memory’, Journal of Cryptology, 10:111–147.
29. Knuth D. E. (1998) The Art of Computer Programming, Volume 2: Seminumerical Algorithms. Addison-Wesley, 3rd edition.
30. Koblitz N. (1984) p-adic Numbers, p-adic Analysis, and Zeta Functions. Springer-Verlag, New York, GTM Vol. 58.
31. Kolokotronis N. and Kalouptsidis N. (2003) ‘On the linear complexity of nonlinearly filtered PN-sequences’, IEEE Transactions on Information Theory, 49:3047–3059.
32. Lam C. C.-Y. and Gong G. (2004) ‘A lower bound for the linear span of filtering sequences’, In Proceedings of the SASC Workshop, pages 220–233.
33. Mahler K. (1973) Introduction to p-adic Numbers and their Functions. Cambridge University Press.
34. Mandelbaum D. (1967) ‘Arithmetic codes with large distance’, IEEE Transactions on Information Theory, IT-13:237–242.
35. Marsaglia G. (1968) ‘Random Numbers Fall mainly in Planes’, Proceedings of the National Academy of Sciences, 61(1):25–28.
36. Marsaglia G. (1984) ‘A current view of random number generators’, Keynote address, In Proceedings of the 16th Symposium on the Interface between Computer Science and Statistics, Atlanta.
37. Marsaglia G. (1992) ‘The mathematics of random number generators’, In The Unreasonable Effectiveness of Number Theory, Proceedings of the Symposium on Pure Mathematics, volume 46, pages 73–90.
38. Marsaglia G. (1993) ‘Monkey tests for random number generators’, Computers and Mathematics with Applications, 9:1–10.
39. Marsaglia G. (1994) ‘yet another rng’, posted to the Usenet newsgroup sci.stat.math, August 1, 1994.
40. Marsaglia G. and Tsay L. H. (1985) ‘Matrices and the structure of random number sequences’, Linear Algebra and Its Applications, 67:145–156.
41. Marsaglia G. and Zaman A. (1991) ‘A new class of random number generators’, The Annals of Applied Probability, 1:462–480.
42. Marsaglia G. ‘DIEHARD battery of statistical tests’.
43. Massey J. L. (1969) ‘Shift-register synthesis and BCH decoding’, IEEE Transactions on Information Theory, IT-15:122–127.
44. Massey J. L. and Serconek S. (1996) ‘Linear complexity of periodic sequences: A general theory’, In Neal Koblitz, editor, Advances in Cryptology – CRYPTO’96, Lecture Notes in Computer Science, volume 1109, pages 358–371.
45. Mittelbach M. and Finger A. (2004) ‘Investigation of FCSR-based pseudorandom sequence generators for stream ciphers’, In Proceedings of the 3rd International Conference on Networking.
46. National Institute of Standards and Technology, http://csrc.nist.gov/
47. Rueppel R. A. (1986) Analysis and Design of Stream Ciphers. Springer-Verlag.
48. Rueppel R. A. and Staffelbach O. J. (1987) ‘Products of linear recurring sequences with maximum complexity’, IEEE Transactions on Information Theory, IT-33:124–131.
49. Schneier B. (1996) Applied Cryptography. John Wiley & Sons, 2nd edition.
50. Seo C., Lee S., Sung Y., Han K. and Kim S. (2000) ‘A lower bound on the linear span of an FCSR’, IEEE Transactions on Information Theory, 46:691–693.
51. Tasheva Z., Bedzhev B. and Stoyanov B. (2004) ‘N-adic summation shrinking generator – basic properties and empirical evidences’ (submitted to the IACR e-print archive).
52. Wagstaff S. (2001) ‘Prime Numbers with a Fixed Number of One Bits or Zero Bits in Their Binary Representation’, Experimental Mathematics, 10(2):267–273.
53. Walker J. ‘ENT statistical test suite’, http://www.fourmilab.ch/
54. Xu J. (2000) ‘Stream Cipher Analysis Based on FCSRs’. Ph.D. dissertation, University of Kentucky, Lexington, Kentucky.
55. Zierler N. and Mills W. H. (1973) ‘Products of linear recurring sequences’, Journal of Algebra, 27:147–157.