Anand Thesis


  • 8/6/2019 Anand Thesis

    1/62

SEARCH ALGORITHMS FOR FCSR ARCHITECTURES AND PROPERTIES OF THE FCSR COMBINER GENERATOR

A THESIS

submitted by

S. ANAND

in fulfillment for the award of the degree

of

MASTER OF SCIENCE (BY RESEARCH)

FACULTY OF ELECTRICAL ENGINEERING

ANNA UNIVERSITY : CHENNAI 600 025

DECEMBER 2005

ANNA UNIVERSITY : CHENNAI 600025

BONAFIDE CERTIFICATE

Certified that this thesis titled SEARCH ALGORITHMS FOR FCSR ARCHITECTURES AND PROPERTIES OF THE FCSR COMBINER GENERATOR is the bonafide work of Mr. S. ANAND who carried out the research under my supervision. Certified further that to the best of my knowledge the work reported herein does not form part of any other thesis or dissertation on the basis of which a degree or award was conferred on an earlier occasion on this or any other candidate.

Dr. Gurumurthi V. Ramanan
Supervisor
Member, Research Staff
AU-KBC Research Centre
MIT Campus of Anna University
Chennai 600 025

ABSTRACT

The feedback-with-carry shift register (FCSR) is an important primitive in the design of stream ciphers. In the first part of this thesis, we propose efficient methods to search for FCSR architectures of guaranteed period and 2-adic complexity. We devise extended versions of these methods that yield architectures of guaranteed period and 2-adic complexity, given additional design constraints such as a fixed number of feedback tap connections. We also propose a search algorithm for a generalisation of the basic FCSR architecture called the d-FCSR, and discuss the difficulty of finding valid architectures for values of the parameter d other than d = 2.

In the second part of the thesis, we study the problem of improving the complexity of FCSR sequences by combining the outputs of two or more FCSRs nonlinearly. We then prove results that establish the period and bounds on the complexity of sequences obtained by combining the outputs of two 2-adic FCSRs using the XOR function.

ACKNOWLEDGEMENTS

It is a pleasure to acknowledge the help and guidance I have received from many people over the past four years. I would like to record my deepest appreciation and thanks to my supervisor, Dr. Gurumurthi V. Ramanan, for all his help, inspiration, and above all, for his faith in me. I was greatly inspired by a course on Discrete and Algebraic Structures that he gave some four years ago, and it led directly to my decision to join the M.S. programme. Whether it was prodding me on when I was lazy, or encouraging me to bravely fight on when the research was going nowhere, or exhorting me to be more ambitious, Guru was always trying to bring out the best in me. For this and much more, many thanks.

I would like to express my profound gratitude to Prof. C. N. Krishnan for allowing me to work at the AU-KBC Research Centre. His gesture came at a particularly crucial time in my life, and if in the long run, my life is counted a success, then it would be in no small measure due to the opportunity Prof. Krishnan provided me.

My thanks are also due to all the faculty members of the AU-KBC Research Centre, especially, Mr. M. Sethuraman, my joint-supervisor, and Prof. S. V. Ramanan. I have learnt a great deal from both of them, and in many ways, I rather hope to emulate their approach to problems and life in general.

I would also like to thank all my friends and colleagues at AU-KBC, especially, Raja, Sujith, Vijayalakshmi, Satish, and Muthuraja, for their comradeship, all-round help and good humour.

Finally, I thank my parents and family for their patience and understanding.

S. Anand

TABLE OF CONTENTS

ABSTRACT
LIST OF TABLES
LIST OF FIGURES
1 INTRODUCTION
1.1 PSEUDORANDOM NUMBER GENERATORS
1.2 THE DESIGN OF STREAM CIPHERS
1.2.1 The requirements for a good stream cipher
1.3 CONTRIBUTIONS OF THIS THESIS
2 FEEDBACK-WITH-CARRY SHIFT REGISTER SEQUENCES
2.1 THE PRECURSORS OF THE FCSR
2.1.1 The lagged Fibonacci generator (LFG)
2.1.2 The addition-with-carry generator (AWC)
2.1.3 The linear feedback shift register (LFSR)
2.2 REVIEW OF 2-ADIC NUMBERS
2.3 THE FEEDBACK-WITH-CARRY SHIFT REGISTER
2.3.1 Operation of the FCSR
2.4 ANALOGIES BETWEEN LFSR AND FCSR THEORY
2.5 PROPERTIES OF FCSR SEQUENCES
3 SEARCH ALGORITHMS FOR FCSR ARCHITECTURES
3.1 THE SEARCH ALGORITHMS
3.1.1 Search algorithm for the LFG
3.1.2 Search algorithm for the AWC
3.1.3 The basic FCSR search algorithm
3.1.4 FCSR search with additional constraints
3.1.5 Search algorithm for d-FCSRs
4 FCSR COMBINER GENERATORS
4.1 NOTATION
4.2 MAIN RESULTS
4.2.1 Period of the FCSR XOR combiner
4.2.2 Symmetric complementarity
4.2.3 2-adic complexity of the FCSR XOR combiner
4.2.4 Linear complexity of the FCSR XOR combiner
5 CONCLUSIONS AND FUTURE DIRECTIONS

LIST OF TABLES

4.1 Truth table for the XOR function

LIST OF FIGURES

1.1 Diagrammatic representation of a stream cipher
2.1 The Lagged Fibonacci Generator
2.2 The Add-with-Carry Generator
2.3 Fibonacci-configured LFSR
2.4 Fibonacci-configured FCSR
4.1 2-adic FCSR Combiner with XOR combiner function

CHAPTER 1

INTRODUCTION

Pseudorandom sequences are required in a wide variety of applications such as Monte-Carlo simulation, spread spectrum communication, radar ranging, randomised algorithms and cryptography. Some of the desirable properties of pseudorandom sequences used in simulation are an extremely long period, uniform distribution of n-tuples for all n, good lattice structure in high dimensions, and ease of computation both in hardware and in software. In cryptographic applications, in addition to all of these properties, the sequences must satisfy much more stringent requirements. For example, the pseudorandom number generators (PRNGs) used in stream cipher cryptography must be unpredictable. Since a PRNG forms the keystream generator of a stream cipher, the unpredictability of its output sequence is crucial to the overall security of the cipher system.

In this thesis, we present algorithms to efficiently generate good architectures for a general class of PRNGs called the feedback-with-carry shift register (FCSR) and also investigate how the period and other important cryptographic properties of these generators may be increased. In Section 1.1 we explore the notion of pseudorandomness from a practical point of view. In Section 1.2 of this chapter we take a practitioner's approach to stream cipher design and enumerate some desirable characteristics of good stream ciphers. In Section 1.3 we present an overview of our contributions to the area of stream cipher design.

1.1 PSEUDORANDOM NUMBER GENERATORS

Everyone seems to have an intuitive conception of randomness. Philosophers and mathematicians have grappled with the problem of defining randomness for centuries. The subject has a long and rich history with some of the landmark theoretical contributions of the last century coming from von Mises, Wald, Church, Kolmogorov, Chaitin, Schnorr and Rissanen. Later Blum, Micali and Yao laid the foundations of the theory of pseudorandom sequences and effective information.

From a practical standpoint, a large number of methods have been developed to generate random sequences using the ordinary arithmetic operations of a computer. These sequences are generated deterministically and are therefore called pseudorandom or quasirandom sequences. When the method of generation has been carefully selected, such sequences have been found to be useful in a wide variety of applications. Some of the historically significant pseudorandom generators in the literature are von Neumann's middle-square generator, the linear congruential generator (LCG), the multiplicative congruential generator (MCG) and the additive number generator. These generators produce uniformly distributed pseudorandom numbers. However, a number of them have been shown to be relatively poor sources of randomness. For example, Marsaglia (1968), in his landmark paper, showed that the numbers produced by the LCG fall mainly on planes in a high dimensional space. For an account of the theory of the LCG and the subsequent development of this subject we refer to Knuth (1998).

For practical purposes, we need some clear definition of randomness and here we will follow the exposition of Golomb (1967). In some sense, there is no truly random finite sequence. At best we can identify certain properties as being associated with randomness, and accept sequences that have these properties as random. When an ideal coin is tossed, we notice that:

1. The number of heads is roughly equal to the number of tails.

2. Approximately one-half the runs have length 1, one-fourth have length 2, and so on.

3. A sequence of coin tosses possesses a special kind of auto-correlation function with a strong peak in the middle that tapers off rapidly at the ends.

The autocorrelation function may be defined as follows. Suppose $(a_n) = \{a_0, a_1, \ldots\}$ is a sequence of real terms; then the autocorrelation $C(\tau)$ is defined as

$$C(\tau) = \lim_{N \to \infty} \frac{1}{N} \sum_{n=1}^{N} a_n a_{n+\tau},$$

provided the limit exists. If $(a_n)$ is a periodic sequence with period $T$, this reduces to

$$C(\tau) = \frac{1}{T} \sum_{n=1}^{T} a_n a_{n+\tau}.$$

Here $\tau$ represents a phase shift of the sequence and the autocorrelation is then a measure of the similarity between the sequence and its phase shift.

From our observations on the coin-flipping phenomenon we are led to a definition of randomness of periodic binary sequences that was first made precise by Golomb (1967). These are called Golomb's randomness postulates. Suppose a periodic binary sequence of period $T$ is represented using the symbols $+1$ and $-1$ rather than the usual 1 and 0. Then, Golomb's randomness postulates are:

R1: In every period, the number of $+1$s is nearly equal to the number of $-1$s. Thus $\left|\sum_{n=1}^{T} a_n\right| \le 1$.

R2: In every period, half the runs have length one, one-fourth have length two, one-eighth have length three, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are equally many runs of $+1$s and $-1$s.

R3: The autocorrelation function $C(\tau)$ is two-valued:

$$T\,C(\tau) = \sum_{n=1}^{T} a_n a_{n+\tau} = \begin{cases} T & \text{if } \tau = 0 \\ K & \text{if } 0 < \tau < T. \end{cases}$$

These three conditions are independent of each other. Any sequence that satisfies these conditions is called a pseudonoise sequence or PN sequence.
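The three postulates can be checked mechanically over one period. The Python below is an added illustration, not part of the thesis: it evaluates R1, R2 and R3 exactly as stated above on a constructed period-15 m-sequence (from the primitive polynomial x^4 + x + 1) and on a balanced sequence with only two runs per period, which R3 rejects.

```python
def to_pm1(bits):
    """Write the sequence with +1 for 1 and -1 for 0, as the postulates assume."""
    return [1 if b else -1 for b in bits]

def postulate_r1(seq):
    """R1: over one period the counts of +1s and -1s differ by at most one."""
    return abs(sum(seq)) <= 1

def cyclic_runs(seq):
    """Runs of one period taken cyclically, as (symbol, length) pairs.
    A constant sequence has no run boundary at all; it yields []."""
    T = len(seq)
    start = next((i for i in range(T) if seq[i] != seq[i - 1]), None)
    if start is None:
        return []
    rot = seq[start:] + seq[:start]        # rot[0] now opens a run
    runs, sym, length = [], rot[0], 1
    for s in rot[1:]:
        if s == sym:
            length += 1
        else:
            runs.append((sym, length))
            sym, length = s, 1
    runs.append((sym, length))
    return runs

def postulate_r2(seq):
    """R2: half the runs have length 1, a quarter length 2, ..., checked for
    each length while the predicted count exceeds 1, and at each such length
    there are as many runs of +1s as of -1s.  The check is vacuous when a
    period has only two runs; R3 is what rejects such sequences."""
    runs = cyclic_runs(seq)
    total, L = len(runs), 1
    while total / 2 ** L > 1:
        of_len = [sym for sym, length in runs if length == L]
        if len(of_len) != total / 2 ** L or of_len.count(1) != of_len.count(-1):
            return False
        L += 1
    return True

def autocorrelation(seq):
    """T*C(tau) = sum over one period of a_n a_{n+tau}, for tau = 0 .. T-1."""
    T = len(seq)
    return [sum(seq[n] * seq[(n + tau) % T] for n in range(T)) for tau in range(T)]

def postulate_r3(seq):
    """R3: T*C(tau) equals T at tau = 0 and one constant K for every other tau."""
    c = autocorrelation(seq)
    return c[0] == len(seq) and len(set(c[1:])) == 1

def golomb_check(bits):
    """(R1, R2, R3) for one period of a {0,1} sequence."""
    seq = to_pm1(bits)
    return postulate_r1(seq), postulate_r2(seq), postulate_r3(seq)

# Constructed inputs: one period of the m-sequence generated by the primitive
# polynomial x^4 + x + 1 (a PN sequence of period 15), and a sequence with the
# same balance of 0s and 1s but only two runs per period.
M_SEQUENCE = [0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1]
TWO_RUNS = [0] * 7 + [1] * 8

if __name__ == "__main__":
    print("m-sequence  R1,R2,R3:", golomb_check(M_SEQUENCE))   # (True, True, True)
    print("two-run seq R1,R2,R3:", golomb_check(TWO_RUNS))     # (True, True, False)
    print("T*C(tau) for the m-sequence:", autocorrelation(to_pm1(M_SEQUENCE)))
```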

1.2 THE DESIGN OF STREAM CIPHERS

Stream ciphers are private-key encryption algorithms that operate on the plaintext one bit at a time. They are extremely fast and easy to implement in both hardware and software. In addition, they usually have very minimal memory and hardware resource requirements and therefore find applications in memory-constrained or area-constrained devices such as smart cards, etc. Stream ciphers have been especially popular in military communications since they offer a practical alternative to the one-time pad, albeit without its absolute security guarantee. In this section we present a general introduction to stream cipher design using the terminology of Beker and Piper (1982).

The structure of a stream cipher is shown diagrammatically in Figure 1.1. The algorithm or keystream generator is usually a finite state machine such as one or more LFSRs with additional boolean logic. The initial state of the pseudorandom keystream generator represents the key of the stream cipher. The keystream when XOR-ed with the binary plaintext gives the ciphertext. The cryptanalyst, although not strictly a part of the system, is included in the diagram merely to indicate where interception is likely to occur.

Figure 1.1: Diagrammatic representation of a stream cipher (labelled elements: Key, Algorithm, Infinite binary sequence (keystream), Binary plaintext, Ciphertext, Interceptor (cryptanalyst))

Conventional block encryption algorithms such as AES can also be used like a stream cipher by running them in one of the so-called feedback modes, namely, output feedback mode (OFB) and cipher feedback mode (CFB). However, an important point of difference between block ciphers used in feedback mode and the stream ciphers is that in the latter, there is no error propagation: any error in one of the ciphertext bits does not affect subsequent ciphertext bits. In many applications, the propagation of errors is undesirable and in such situations, stream ciphers are preferable to block ciphers.

As is usual in cryptography, we must never underestimate the cryptanalyst and this means we must assume:

C1: The cryptanalyst has a complete knowledge of the cipher system, and all the security lies in the key.

C2: The cryptanalyst has obtained a considerable amount of ciphertext.

C3: The cryptanalyst knows the plaintext equivalent of a certain amount of ciphertext.

These assumptions may seem pessimistic but they are, at any rate, realistic and any cipher system must be secure under these assumptions. Naturally, the terms "considerable amount" and "certain amount" in the assumptions would need to be quantified and their precise values would depend upon the system and the level of security desired.

1.2.1 The requirements for a good stream cipher

If we accept the assumptions C1 to C3 above, then the requirements for stream ciphers may be stated as:

A1: The number of choices for the key must be large enough that the cryptanalyst cannot try them all.

A2: The infinite keystream must have a guaranteed minimum length for its period. We then only encipher plaintexts that are shorter than this period.

A3: The ciphertext must appear to be random.

A4: The system must appear to be nonlinear.

Loosely, we may say that a random sequence is one in which knowledge of a number of consecutive elements does not help anyone trying to predict the next one. Since the keystream generator is a finite state machine, its output is periodic, and therefore the keystream sequence cannot be truly random. Nevertheless, if the period is large enough, we can obtain sequences that are effectively random in the sense implied by Golomb's postulates. In practice, the cryptographer hopes that the length of the sequence obtained by the cryptanalyst is small compared to the period of the keystream. Therefore it is important that the keystream sequence not only appear random over the entire period, but it should also have good local randomness properties. Statistical tests for investigating local randomness properties of sequences are thus a useful tool in stream cipher cryptography.

It is important to realise that the requirements such as long period, high nonlinearity and good statistical properties only offer the necessary conditions for a good sequence. By no means do they guarantee a secure system. Further, the properties stated are independent in the sense that no two of them guarantee another, and therefore, they must all be separately and carefully checked. In practice, it is seen that many of the pseudorandom generators suffer from a number of statistical defects. This motivates our development of search algorithms for generating FCSRs with prescribed characteristics such as period and distribution properties.

Practically speaking, the steps involved in the design of a stream cipher may be outlined roughly as follows:

1. Choice of the pseudorandom keystream generator:

(a) the designer specifies some performance parameters for the keystream sequences such as period, complexity, and distribution.

(b) a large number of architectures that meet the requirements in (a) are generated, and a battery of statistical tests are performed on these architectures to find any statistical flaws in the generators.

(c) those architectures that pass all or most of the statistical tests are accepted as potential architectures for the stream cipher.

2. Choice of an appropriate boolean function to mask the structure of the keystream generator. Shift registers cannot be used directly as keystream generators since it is easy to recover their parameters from a small segment of their output sequences. Hence nonlinear boolean functions are used to hide the structure of the shift register.

In the next chapter, we look at a number of shift register architectures that have been proposed recently, and we develop a common framework to analyse their output sequences. In particular, we describe a common generalisation of these generators, namely, the FCSR, and show how the theory of the FCSR parallels that of the well-known LFSR.

1.3 CONTRIBUTIONS OF THIS THESIS

The pseudorandom generators found in most systems are realised as feedback shift registers and in this thesis, we look at a nonlinear variant of the feedback shift register called the feedback-with-carry shift register (FCSR). Our focus is on FCSRs since they are a common generalisation of several previously proposed pseudorandom number generators such as the linear congruential generator (LCG), the linear feedback shift register (LFSR), the add-with-carry generator (AWC), and the multiply-with-carry generator (MWC). All of our algorithms and results can thus be applied to sequences generated by any one of these generators as well.

In the first part of this thesis, we propose efficient algorithms to search for FCSR architectures given a set of constraints on the period, complexity, and distribution properties of the output sequence. An FCSR architecture is completely characterised by a parameter called the connection integer. Once the connection integer is fixed, we can determine properties such as the period of the generated sequence, the susceptibility of the sequence to cryptanalysis measured by linear complexity and 2-adic complexity, and the distribution properties of the sequence. These properties are independent of the initial seed and may be computed from the connection integer. Our search algorithms can be used to generate connection integers of FCSRs with guaranteed properties like period, complexity and distribution. These algorithms ensure that a large number of PRNGs that satisfy at least two of the necessary conditions (viz., A1 and A2) can be generated efficiently. The search algorithms are a contribution towards step 1(b) of the stream cipher design process outlined in the preceding section.

In the second part of this thesis we look at combiners using FCSRs as a practical method of meeting the requirements A3 and A4. We consider a combiner generator that uses two 2-adic FCSRs as primitives and the bit-wise XOR operation as the combining function. We study the periodicity, symmetric complementarity, and bounds on the linear complexity and 2-adic complexity of FCSR XOR combiner generators. This forms our contribution towards step 2 in the stream cipher design process.

The thesis is organised as follows. In Chapter 2, we present some basic results in the theory of FCSRs. In the third chapter we propose algorithms to search for FCSR architectures given a set of requirements such as period and number of tap connections. We also propose a search algorithm for a generalisation of the 2-adic FCSR called the delayed feedback-with-carry shift register (d-FCSR). In Chapter 4 of this thesis, we look at some methods of increasing the 2-adic complexity of FCSRs and prove bounds on the complexity of a family of FCSR combiner generators. In Chapter 5, we summarise our contributions and discuss some directions for future research.

CHAPTER 2

FEEDBACK-WITH-CARRY SHIFT REGISTER SEQUENCES

In Section 1.1 of this chapter we briefly describe some precursors of the FCSR such as the lagged Fibonacci generator (LFG), the add-with-carry (AWC) generator and the linear feedback shift register (LFSR) generator using a formalism due to Marsaglia. Section 1.2 contains the elements of the theory of 2-adic numbers that are required for the study of FCSRs. We also survey some basic results in the theory of 2-adic FCSR sequences in Section 1.3. In Section 1.4 of this chapter, we present three alternative but equivalent ways of describing LFSR and FCSR sequences. Finally, in Section 1.5, we collect all useful results about FCSR sequences.

2.1 THE PRECURSORS OF THE FCSR

The pseudorandom number generators described in this thesis can all be described by means of a function acting iteratively on a set. Let $X$ be a finite set and $f : X \to X$ a feedback function. For a given initial seed value $x \in X$, the pseudorandom sequence is generated using the sequence

$$x := f^0(x), f(x), f^2(x), f^3(x), \ldots, \quad (2.1)$$

where $f^{i+1}(x) = f(f^i(x))$ for all $i \ge 0$ (Marsaglia 1992).

We will show how this simple mechanism can be used to describe the lagged Fibonacci generator (LFG), the Marsaglia and Zaman addition with carry generator (AWC), and the 2-adic FCSR in Sections 2.1.1, 2.1.2 and 2.3, respectively.

Figure 2.1: The Lagged Fibonacci Generator (register cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$, tapped at positions $q_s$ and $q_r$, producing the output $a_i$)

2.1.1 The lagged Fibonacci generator (LFG)

Let $X$ be the set of $1 \times r$ vectors $x = (x_1, x_2, x_3, \ldots, x_r)$, with elements $x_i$ in some finite set $S$ endowed with a binary operation $\circ$. For the lagged Fibonacci generators, denoted by $F(r, s, \circ)$, the feedback function $f$ is defined by

$$f(x_1, x_2, \ldots, x_r) = (x_2, x_3, \ldots, x_r, x_1 \circ x_{r+1-s}) \quad (2.2)$$

where $r > s$. When $S$ is the set of integers modulo a power of 2 with the binary operations $+$ or $-$ or $*$, the following result of Marsaglia and Tsay (1985) enables us to compute the period of the sequence generated using equation (2.2). It is clear that $x, f^0(x), f(x), f^2(x), f^3(x), \ldots$ is a sequence of vectors generated by the matrix of integers representing $f$.

Theorem 2.1.1 Let $f$ be the $r \times r$ (companion) matrix of integers with odd determinant representing the feedback function. Let $S$ be the set of integers modulo $2^n$ and the binary operation be either $+$ or $-$. In order that the sequence of vectors determined by $x, f^0(x), f(x), f^2(x), f^3(x), \ldots \bmod 2^n$ have period $(2^r - 1)2^{n-1}$ for every $n \ge 1$ and every initial vector of integers $x$ not all even, it is necessary and sufficient that $f$ have order $j = 2^r - 1$ in the group of non-singular matrices for mod 2, order $2j$ for mod 4 and order $4j$ for mod 8. If the $F(r, s, +)$ generator has maximal period $(2^r - 1)2^{n-1}$ for integers mod $2^n$, then the $F(r, s, *)$ generator on the set $S$ of odd integers mod $2^n$ has period $(2^r - 1)2^{n-3}$.

Statistical performance of LFGs

When the operation is $\oplus$, the XOR operation, the performance of $F(r, s, \oplus)$ is very poor. Empirical studies have noted that they perform poorly with respect to statistical tests and have very short periods. They fail many of the DIEHARD battery of tests, namely the parking lot tests, m-tuple test, OPSO test, birthday spacings tests, OPERM test, runs test and the rank tests. In this sense they are similar to shift-register sequences. The F(r, s, ) is known to fail the birthday-spacings test. The $F(r, s, *)$ performs well and passes all the above tests as well as the lattice test.

Among the lagged Fibonacci generators the ones using multiplication on odd integers modulo $2^{32}$ are the best. $F(r, s, +)$, F(r, s, ) and F(r, s, ) do well on monkey tests. $F(r, s, \oplus)$ may fail for pairs $(r, s)$ such as $(31, 13)$ or $(17, 5)$ because of their inadequate period, in contrast to other lagged Fibonacci generators, which have periods about $2^{32+r}$ (Marsaglia 1984).
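As an added illustration (not the thesis's own code), the following Python implements $f$ of (2.2) for $F(r, s, +)$ and $F(r, s, \oplus)$ on integers modulo $2^n$, finds the period by iterating until the state vector recurs, and applies the matrix-order test of Theorem 2.1.1. The parameters $r = 4$, $s = 3$ (so $x_1 + x_2$ feeds back and the characteristic polynomial is $x^4 + x + 1$) and the seeds are constructed for the example.

```python
from operator import add, xor

def lfg_step(x, s, op, m):
    """One application of f from (2.2): drop x_1, shift, append x_1 op x_{r+1-s}
    reduced mod m.  With 0-based indexing x_{r+1-s} is x[r-s]."""
    r = len(x)
    return x[1:] + [op(x[0], x[r - s]) % m]

def lfg_period(seed, s, op, m):
    """Number of steps until the state vector returns to seed.  For + and XOR
    mod 2^n the map f is a bijection on X, so every orbit is a pure cycle and
    the loop terminates."""
    seed = [v % m for v in seed]
    x, n = lfg_step(seed, s, op, m), 1
    while x != seed:
        x, n = lfg_step(x, s, op, m), n + 1
    return n

def predicted_period(r, n):
    """Maximal period (2^r - 1) 2^(n-1) of Theorem 2.1.1 for integers mod 2^n."""
    return (2 ** r - 1) * 2 ** (n - 1)

def companion_matrix(r, s):
    """Integer matrix M with f(x) = x M (row-vector convention) for op = +."""
    M = [[0] * r for _ in range(r)]
    for j in range(r - 1):
        M[j + 1][j] = 1          # coordinate j+1 shifts into coordinate j
    M[0][r - 1] = 1              # x_1 contributes to the new last coordinate
    M[r - s][r - 1] = 1          # and so does x_{r+1-s}
    return M

def mat_mul(A, B, m):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % m for j in range(n)]
            for i in range(n)]

def matrix_order(M, m, limit):
    """Smallest k <= limit with M^k = I (mod m), or None if there is none."""
    n = len(M)
    I = [[int(i == j) for j in range(n)] for i in range(n)]
    P = [[v % m for v in row] for row in M]
    for k in range(1, limit + 1):
        if P == I:
            return k
        P = mat_mul(P, M, m)
    return None

def marsaglia_tsay_ok(r, s):
    """The necessary and sufficient condition of Theorem 2.1.1: the companion
    matrix has order j = 2^r - 1 mod 2, 2j mod 4 and 4j mod 8."""
    j = 2 ** r - 1
    M = companion_matrix(r, s)
    return (matrix_order(M, 2, j) == j and
            matrix_order(M, 4, 2 * j) == 2 * j and
            matrix_order(M, 8, 4 * j) == 4 * j)

# Constructed parameters: r = 4, s = 3, characteristic polynomial x^4 + x + 1
# (primitive over GF(2)); the seed is not all even, as Theorem 2.1.1 requires.
R, S = 4, 3
SEED = [1, 2, 3, 4]

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"F({R},{S},+) mod 2^{n}: period {lfg_period(SEED, S, add, 2 ** n)},"
              f" theorem predicts {predicted_period(R, n)}")
    print(f"F({R},{S},xor) mod 8: period {lfg_period(SEED, S, xor, 8)}")
    print("Marsaglia-Tsay condition holds:", marsaglia_tsay_ok(R, S))
```

The XOR variant has period 15 whatever the modulus, which is the "very short period" failure noted above; the additive variant reaches the full $(2^r - 1)2^{n-1}$.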

2.1.2 The addition-with-carry generator (AWC)

Marsaglia and Zaman (1991) proposed a new class of random number generators with enormous periods. They were broadly classified into add-with-carry (AWC) and subtract-with-borrow (SWB) generators. Using the Marsaglia formalism, the AWC generator can be easily described as follows.

Let $b, r, s \in \mathbb{Z}^+$ be positive integers, where $b$ is the base, $r > s$, and $r$ and $s$ are the lags. Define $X = \{0, 1, \ldots, b-1\}^r \times \{0, 1\}$. Let $x = (x_1, x_2, \ldots, x_r, c) \in X$ be the seed vector, where $0 \le x_i < b$ and $c \in \{0, 1\}$ is the carry bit. Define the feedback function $f : X \to X$ as

$$f(x_1, x_2, \ldots, x_r, c) = \begin{cases} (x_2, x_3, \ldots, x_r,\ x_{r+1-s} + x_1 + c,\ 0) & \text{if } x_{r+1-s} + x_1 + c < b \\ (x_2, x_3, \ldots, x_r,\ x_{r+1-s} + x_1 + c - b,\ 1) & \text{if } x_{r+1-s} + x_1 + c \ge b \end{cases} \quad (2.3)$$

Figure 2.2: The Add-with-Carry Generator (register cells $a_{n-1}, \ldots, a_{n-r}$ tapped at $q_s$ and $q_r$; the sum is reduced mod $b$ to give the output $a_i$ and div $b$ to give the carry $m_{n-1}$)

Using the Marsaglia formalism, we first generate the sequence of $(r+1)$-tuples $x := f^0(x), f(x), f^2(x), f^3(x), \ldots$. We generate the pseudorandom sequence $(y_i)$, where $y_i \in \{0, 1, \ldots, b-1\}$, using the sequence of $(r+1)$-tuples in the following fashion. At the $i$th iteration the first coordinate of the $(r+1)$-tuple $f^i(x)$ is defined to be $y_i$. The period of $(y_i)_{i \ge 0}$ is the same as the period of the sequence of $(r+1)$-tuples $(f^i(x))_{i \ge 0}$ (Marsaglia and Zaman 1991). This means that the first $r$ elements of the sequence are precisely the first $r$ coordinates of the seed vector $x$.

Theorem 2.1.2 The sequence of digits formed by the AWC generator is in reverse order the same as the sequence of digits in the base-$b$ expansion of a fraction $\dfrac{k}{b^r + b^s - 1}$.

From this it is easy to see that the period of the sequence generated by equation (2.3) is the order of $b$ in the multiplicative group $\mathbb{Z}/(b^r + b^s - 1)\mathbb{Z}$, when $b^r + b^s - 1$ is a prime. When $b^r + b^s - 1$ is composite, let $\dfrac{k}{b^r + b^s - 1} = \dfrac{c}{d}$, where $(c, d) = 1$. Then the period of the sequence is the order of $b$ in the multiplicative group $\mathbb{Z}/d\mathbb{Z}$.

This means that for $b$ approximately $2^{32}$ and $r$ around 20, periods of $2^{640}$ are attainable using only $r$ memory locations and simple computer arithmetic. The other carry/borrow generators introduced by Marsaglia and Zaman are simply variations of the above function. The $N$-adic FCSR generalizes the AWC and the MWC generators.
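The following Python is an added illustration, not the thesis's own code. It implements $f$ of (2.3), finds the period of $(y_i)$ by iterating to the first repeated state (the orbit may have a tail, since $f$ is not a bijection), and checks Theorem 2.1.2 together with the period statement: one period of the digits, read in reverse, is a period of the base-$b$ expansion of a fraction whose lowest-terms denominator $d$ divides $b^r + b^s - 1$ and satisfies $\mathrm{ord}_d(b) = $ period. The parameters $(b, r, s) = (2, 3, 2)$ (modulus $11$, prime) and $(2, 3, 1)$ (modulus $9$, composite) are constructed for the example.

```python
from fractions import Fraction

def awc_step(state, b, s):
    """f of (2.3).  state = (x_1, ..., x_r, c): the new digit is
    x_{r+1-s} + x_1 + c reduced mod b and the new carry is the overflow."""
    *x, c = state
    r = len(x)
    t = x[r - s] + x[0] + c              # x_{r+1-s} is x[r-s], 0-based
    return tuple(x[1:]) + (t % b, 1 if t >= b else 0)

def awc_digits(seed, b, s, count):
    """y_i = first coordinate of f^i(seed), i = 0 .. count-1."""
    out, st = [], tuple(seed)
    for _ in range(count):
        out.append(st[0])
        st = awc_step(st, b, s)
    return out

def awc_cycle(seed, b, s):
    """(preperiod, list of states on the cycle).  Unlike the LFG map, f is not
    a bijection here, so an orbit may have a tail before it starts repeating."""
    seen, orbit, st = {}, [], tuple(seed)
    while st not in seen:
        seen[st] = len(orbit)
        orbit.append(st)
        st = awc_step(st, b, s)
    return seen[st], orbit[seen[st]:]

def mult_order(b, m):
    """Order of b in the multiplicative group mod m (gcd(b, m) = 1); 1 for m = 1."""
    if m == 1:
        return 1
    k, x = 1, b % m
    while x != 1:
        x, k = (x * b) % m, k + 1
    return k

def fraction_with_period(block, b):
    """The rational whose base-b expansion is 0.(block)(block)...; in lowest
    terms its denominator d is the one for which ord_d(b) is the period."""
    num = 0
    for d in block:
        num = num * b + d
    return Fraction(num, b ** len(block) - 1)

def awc_summary(seed, b, s):
    """(period of (y_i), denominator d recovered from one period read in
    reverse as Theorem 2.1.2 prescribes, ord_d(b)).  The first and last
    entries agree, and d divides b^r + b^s - 1."""
    pre, cyc = awc_cycle(seed, b, s)
    block = [st[0] for st in cyc]
    d = fraction_with_period(block[::-1], b).denominator
    return len(cyc), d, mult_order(b, d)

# Constructed parameters: b = 2 with lags (r, s) = (3, 2) gives the prime
# modulus 2^3 + 2^2 - 1 = 11; lags (3, 1) give the composite 2^3 + 2^1 - 1 = 9.
B = 2
SEED = (1, 0, 0, 0)          # (x_1, x_2, x_3, carry)

if __name__ == "__main__":
    print("first digits, (r,s)=(3,2):", awc_digits(SEED, B, 2, 12))
    print("period, d, ord_d(2) for (3,2):", awc_summary(SEED, B, 2))  # (10, 11, 10)
    print("period, d, ord_d(2) for (3,1):", awc_summary(SEED, B, 1))  # (6, 9, 6)
    # a seed whose fraction k/9 reduces to c/3: period drops to ord_3(2) = 2
    print("seed (1,0,1,0), (3,1):", awc_summary((1, 0, 1, 0), B, 1))  # (2, 3, 2)
```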

Statistical performance of AWCs

Some of the statistical properties of the AWC and SWB generators were considered by Couture and L'Ecuyer (1994, 1997). One of their observations was that the AWC generators failed the spectral test for some values of the lags. They are also known to fail the birthday spacings test (Marsaglia 1993). The synthesis algorithm for the AWC generator was given by Bach (1998). The approach is similar to the synthesis of the 1/p generator given in Blum, Blum and Shub (1986).

2.1.3 The linear feedback shift register (LFSR)

Linear feedback shift registers have an architecture similar to FCSRs. Their properties are well understood. We give below a description of the LFSR over $\mathbb{F}_2$ in the same formalism used to describe the LFG and AWC.

Let $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$, be the taps and let $a = (a_0, a_1, \ldots, a_{r-1})$, where $a_i \in \{0, 1\}$, be the seed vector. Define $X = \{0, 1\}^r$. The feedback function $f : X \to X$ is

$$f(a_0, a_1, \ldots, a_{r-1}) = \left(a_1, a_2, \ldots, a_{r-1}, \sum_{k=1}^{r} q_k a_{r-k}\right). \quad (2.4)$$

Figure 2.3: Fibonacci-configured LFSR

During each iteration the register cells are tapped, their contents added modulo 2, the first coordinate is output (in Figure 2.3, the rightmost bit of the shift register), the contents of the register are shifted to the right and the sum computed previously is taken as the $r$th coordinate of the vector. In Figure 2.3, this sum is returned to the leftmost bit of the register as the new entry.

The general theory of LFSRs is based on the algebra of finite fields. Excellent accounts of this theory may be found in the books of Golomb (1967), Rueppel (1986) and Beker and Piper (1982).

The theory of FCSRs is analogous to that of LFSRs. However, the analysis of the 2-adic FCSR is based on the theory of 2-adic numbers. Before discussing the theory of FCSRs we review the theory of 2-adic numbers in the next section.

    2.2 REVIEW OF 2-ADIC NUMBERS

    The analysis of FCSRs is based on the arithmetic of 2-adic numbers. In 1904,

    Hensel introduced the concept of 2-adic, and in general, p-adic numbers for p prime.

    A 2-adic number may be described as a binary number

    = . . . 3210.12 . . . k (2.5)

    where i {0, 1}, whose representation extends infinitely to the left of the binary

    point, but has only finitely many places to the right of the point. 2-adic numbers

    represented by equation (2.5) may also be thought of as formal Laurent series

    =

    i=k

    i2i, (2.6)

    where i {0, 1}.When there are no non-zero bits to the right of the binary point (i.e.

    k= 0), the 2-adic numbers are called 2-adic integers.

    Z2 = {

    i=0

    i2i|i {0, 1}} (2.7)

    The set of 2-adic integers is denoted by $\mathbb{Z}_2$. The 2-adic integers form a ring with additive identity 0 and multiplicative identity $1 = 1 \cdot 2^0$. Addition in $\mathbb{Z}_2$ is performed by carrying overflow bits to higher order terms, so that $2^i + 2^i = 2^{i+1}$. Using the fact that in $\mathbb{Z}_2$, $1 - 1 = 0$, it is easy to see that

    $$-1 = 1 + 2^1 + 2^2 + 2^3 + \cdots . \qquad (2.8)$$

    From the binary (base-2) representation of positive integers, it is clear that $\mathbb{Z}_2$ contains all positive integers. The identity

    $$-\alpha = (-1)\,\alpha = (1 + 2^1 + 2^2 + 2^3 + \cdots)(\alpha_0 + \alpha_1 2 + \cdots + \alpha_r 2^r) \qquad (2.9)$$

    shows that $\mathbb{Z}_2$ contains the negative integers. In general, for an arbitrary 2-adic number $\alpha$, the additive inverse $-\alpha$ can be calculated as follows. Expressing $\alpha$ in the form $\alpha = 2^r\bigl(1 + \sum_{i=0}^{\infty} \alpha_i 2^i\bigr)$, where $r$ is an integer, we have

    $$-\alpha = 2^r\Bigl(1 + \sum_{i=0}^{\infty} \bar{\alpha}_i 2^i\Bigr) \qquad (2.10)$$

    where $\bar{\alpha}_i$ denotes the complementary bit, $\alpha_i + \bar{\alpha}_i = 1$. The 2-adic numbers, denoted by $\mathbb{Q}_2$, form a field under addition and multiplication. Below are some examples of 2-adic expansions of integers and rationals.

    Example 2.2.1 We give the 2-adic representation of the numbers $\frac{1}{7}$, $-\frac{1}{7}$, $\frac{9}{2}$, $\frac{1}{10}$:

    $$\begin{aligned}
    \tfrac{1}{7} &= \ldots 110110110110111.0, \\
    -\tfrac{1}{7} &= \ldots 001001001001001.0, \\
    \tfrac{9}{2} &= \ldots 0000100.10, \\
    \tfrac{1}{10} &= \ldots 1100111001100110.1 \qquad (2.11)
    \end{aligned}$$

    Note that $\frac{1}{7}$ and $-\frac{1}{7}$ are 2-adic integers, while $\frac{9}{2}$ and $\frac{1}{10}$ are 2-adic rationals.

    The rational number $\frac{1}{7} = \overline{011}1.0$ has an eventually periodic 2-adic expansion and $-\frac{1}{7} = \overline{001}.0$ has a strictly periodic 2-adic expansion. In both these cases, note that the period is just the multiplicative order of 2 in the field $\mathbb{Z}/7\mathbb{Z}$.

    In $\mathbb{Z}_2$, the ring of 2-adic integers, every odd integer in $\mathbb{Z}$ has a unique multiplicative inverse. Thus, the ring $\mathbb{Z}_2$ contains every rational number $p/q$ provided $q$ is odd. In fact

    $$\mathbb{Z}_2 = \Bigl\{ \frac{p}{q} \;\Big|\; p, q \in \mathbb{Z},\ q \neq 0 \text{ and } q \text{ is odd} \Bigr\}. \qquad (2.12)$$

    This gives an alternative description of $\mathbb{Z}_2$. These ideas may be extended to develop the theory of $p$-adic and $N$-adic numbers.

    We have given a very sketchy account of the theory of 2-adic numbers. For a more comprehensive treatment of the theory, we refer to the books by Koblitz (1984), Mahler (1973) and Gouvêa (2003).

    2.3 THE FEEDBACK-WITH-CARRY SHIFT REGISTER

    2.3.1 Operation of the FCSR

    A generalization of the AWC generator and the multiply-with-carry (MWC) generator was described independently by Marsaglia (1994), Couture and L'Ecuyer (1997), and in a series of papers by Klapper and Goresky (1993, 1997). Klapper and Goresky called them feedback-with-carry shift registers (Klapper and Goresky 1997). Using the same framework as before, the 2-adic FCSR can be described as follows.

    Figure 2.4: Fibonacci-configured FCSR

    Fix taps $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$ and let $q_0 = -1$. Define $X = \{0, 1\}^r \times \mathbb{Z}$. Let $a = (a_0, a_1, \ldots, a_{r-1}, m_{r-1}) \in X$ be a seed vector, where $m_{r-1} \in \mathbb{Z}$ is the initial memory and $a_i \in \{0, 1\}$. Let $\sigma_r = \sum_{k=1}^{r} q_k a_{r-k} + m_{r-1}$. Define the feedback function $f : X \to X$ to be

    $$f(a_0, a_1, \ldots, a_{r-1}, m_{r-1}) = \Bigl(a_1, a_2, \ldots, a_{r-1},\ \sum_{k=1}^{r} q_k a_{r-k} + m_{r-1} \pmod 2,\ m_r\Bigr), \qquad (2.13)$$

    where $m_r = \lfloor \sigma_r / 2 \rfloor$. Here $\lfloor \cdot \rfloor$ is the floor function. The above equation also makes it clear how (2.13) generalises (2.4). As in the generators described earlier, the output sequence $y_i \in \{0, 1\}$ is generated using the sequence of $(r + 1)$-vectors $a = f^0(a), f(a), f^2(a), \ldots$. For all $i \geq 0$, $y_i$ is defined to be the first coordinate of the $(r + 1)$-tuple $f^i(a)$. As before, this means that the first $r$ output bits will be just the first $r$ coordinates of the seed vector and the period of the sequence $(y_i)_{i \geq 0}$ is the same as that of $(f^i(a))_{i \geq 0}$. The function described in (2.13) shows how the FCSRs differ from the AWC generators defined in (2.3). The carry part in (2.3), which is denoted by $c$ in the $(r + 1)$-tuple, is 0 or 1, whereas the analogous memory in (2.13), which is denoted by $m_{r-1}$, is allowed to take integer values. Klapper and Goresky proved that the memory can be bounded in terms of the number of non-zero $q_i$'s. Much of the theory they develop for their 2-adic FCSR parallels that of linear feedback shift registers (LFSR) over $\mathbb{F}_2$.

    The 2-adic FCSR may be generalised to the $p$-adic and the $N$-adic case, and the analogues of equation (2.13) are obtained by replacing 2 by $p$ and $N$ respectively and making the suitable allowances for the tap coefficients and the initial loadings.

    An alternative description of the operation of the FCSR may be given as follows. Fix an odd positive integer $q$ and let

    $$q + 1 = q_1 2^1 + q_2 2^2 + \cdots + q_r 2^r \qquad (2.14)$$

    be the binary expansion of $q + 1$, where $r = \lfloor \log_2(q + 1) \rfloor$ and $q_i \in \{0, 1\}$. Then the 2-adic FCSR with connection integer $q$ has $r$ stages and feedback connections given by the bits $\{q_1, q_2, \ldots, q_r\}$ in Equation 2.14. This is shown in Figure 2.4. By letting $q_0 = -1$, we may write $q = \sum_{i=0}^{r} q_i 2^i$. The contents of the register are denoted by $a_{n-1}, a_{n-2}, \ldots, a_{n-r}$ and the operation of the 2-adic FCSR is as follows:

    A1. Form the integer sum $\sigma_n = \sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}$.

    A2. Shift contents one step to the right, output the rightmost bit $a_{n-r}$.

    A3. Place $a_n = \sigma_n \bmod 2$ into the leftmost cell of the shift register.

    A4. Replace the memory integer $m_{n-1}$ with $m_n = (\sigma_n - a_n)/2 = \lfloor \sigma_n / 2 \rfloor$.

    Thus we see that an FCSR is a feedback shift register that is similar to the LFSR except that it has a small amount of auxiliary memory. The difference is that during each iteration, the memory, which is an integer, is added to the sum of the tapped bits, and the parity of this quantity, which is

    $$\sum_{k=1}^{r} q_k a_{r-k} + m_{r-1} \pmod 2,$$

    is taken to be the $r$-th coordinate of the new vector (in Figure 2.4, the leftmost bit). The higher order bits are retained as the new value of the memory (i.e., $m_r$). Figure 2.3 and Figure 2.4 illustrate the equations (2.4) and (2.13) respectively. Note that in both cases, the right-most bit corresponds to the first coordinate of the $(r + 1)$-tuple and is the output at every loop.
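    The 2-adic expansions of Section 2.2 and the register steps A1-A4 above, as an added Python example that is not part of the thesis. The connection integer $q = 13$, the seed register and the initial memory are constructed values; the numerator formula used to predict the output is the one of Section 2.4 with $N = 2$ and $q_0 = -1$.

```python
# Added example (not from the thesis): 2-adic expansions of rationals (Section 2.2)
# and a bit-level simulation of the 2-adic FCSR steps A1-A4 (Section 2.3.1).
# The check that the FCSR output equals the 2-adic expansion of p/q, with p given
# by the numerator formula of Section 2.4 (N = 2, q_0 = -1), is the Klapper-Goresky
# correspondence the text refers to.


def two_adic_digits(p, q, n):
    """First n digits a_0, a_1, ... of the 2-adic expansion of p/q (q odd).

    a_0 is the parity of p (q is a unit in Z_2), and (p/q - a_0)/2 is again
    a fraction with denominator q, so we iterate on the numerator.
    """
    assert q % 2 == 1, "q must be odd for p/q to lie in Z_2"
    digits, num = [], p
    for _ in range(n):
        a = num % 2                 # Python's % gives 0/1 for negative num too
        digits.append(a)
        num = (num - a * q) // 2    # exact: num - a*q is even
    return digits


def digits_to_string(digits):
    """Write the digits in the thesis' binary-point notation: a_0 rightmost."""
    return "".join(str(d) for d in reversed(digits))


def multiplicative_order(b, m):
    """Order of b modulo m by brute force (fine for the small moduli used here)."""
    x, k = b % m, 1
    while x != 1:
        x, k = (x * b) % m, k + 1
    return k


def fcsr_taps(q):
    """Taps q_1..q_r from the binary expansion q + 1 = sum_{i=1}^r q_i 2^i (eq. 2.14)."""
    r = (q + 1).bit_length() - 1
    return [((q + 1) >> i) & 1 for i in range(1, r + 1)]


def fcsr_run(q, register, memory, n):
    """Run the 2-adic FCSR with connection integer q for n steps (A1-A4).

    register = [a_0, ..., a_{r-1}] with a_0 in the cell nearest the output,
    memory = m_{r-1}.  Returns (output bits, final memory, largest memory seen).
    """
    taps = fcsr_taps(q)
    r = len(taps)
    assert len(register) == r and all(b in (0, 1) for b in register)
    cells = list(register)            # cells[0] = a_{n-r} (output end), cells[-1] = a_{n-1}
    out, max_mem = [], memory
    for _ in range(n):
        # A1: sigma_n = sum_{k=1}^r q_k a_{n-k} + m_{n-1}
        sigma = memory + sum(taps[k - 1] * cells[r - k] for k in range(1, r + 1))
        out.append(cells.pop(0))      # A2: shift right, output a_{n-r}
        cells.append(sigma % 2)       # A3: a_n = sigma_n mod 2 enters the leftmost cell
        memory = sigma // 2           # A4: m_n = floor(sigma_n / 2)
        max_mem = max(max_mem, memory)
    return out, memory, max_mem


def fcsr_numerator(q, register, memory):
    """p such that the output is the 2-adic expansion of p/q (Section 2.4, N = 2):
    p = sum_{j=0}^{r-1} sum_{i=0}^{j} q_i a_{j-i} 2^j - m_{r-1} 2^r, with q_0 = -1."""
    taps = [-1] + fcsr_taps(q)
    r = len(taps) - 1
    p = -memory * 2 ** r
    for j in range(r):
        p += sum(taps[i] * register[j - i] for i in range(j + 1)) * 2 ** j
    return p


if __name__ == "__main__":
    # Example 2.2.1: 1/7 is eventually periodic, -1/7 strictly periodic, period ord_7(2) = 3
    print(" 1/7 = ..." + digits_to_string(two_adic_digits(1, 7, 15)) + ".0")
    print("-1/7 = ..." + digits_to_string(two_adic_digits(-1, 7, 15)) + ".0")
    # Constructed FCSR: q = 13 (q + 1 = 14 = 2 + 4 + 8, so r = 3 and all taps are set),
    # seed register (a_0, a_1, a_2) = (1, 1, 0), initial memory m_2 = 1.
    q, reg, mem = 13, [1, 1, 0], 1
    out, _, max_mem = fcsr_run(q, reg, mem, 24)
    p = fcsr_numerator(q, reg, mem)
    print("q = %d, p = %d, output = %s" % (q, p, "".join(map(str, out))))
    print("matches the 2-adic expansion of p/q:", out == two_adic_digits(p, q, 24))
    print("period = %d = ord_13(2)" % multiplicative_order(2, q))
    print("largest memory seen: %d (tap weight %d)" % (max_mem, sum(fcsr_taps(q))))
```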

    2.4 ANALOGIES BETWEEN LFSR AND FCSR THEORY

    From the discussions in the preceding sections, it should be clear that we can formulate three different but equivalent descriptions of the LFSR and FCSR. Here we compare the LFSR and FCSR and show how their theories are analogous.

    Let $F$ be a finite field and let $q_1, q_2, \ldots, q_r \in F$. The linearly recurrent sequence of order $r$ with multipliers $q_1, q_2, \ldots, q_r \in F$ and initial state $(a_0, a_1, \ldots, a_{r-1})$ is the unique solution to the equations

    $$a_j = q_1 a_{j-1} + q_2 a_{j-2} + \cdots + q_r a_{j-r} \qquad (2.15)$$

    for $j \geq r$. Such a sequence can be described in three equivalent ways. First, it is the output of an LFSR with $r$ register cells, tap coefficients $q_i \in F$, and initial register loading given by $a_0, a_1, \ldots, a_{r-1} \in F$. The connection polynomial $q(x) \in F[x]$ associated with the recurrence equation (2.15) and the LFSR is given by

    $$q(x) = q_0 + \sum_{i=1}^{r} q_i x^i$$

    where $q_0 = -1$. Secondly, the sequence $a_0, a_1, a_2, \ldots$ is the coefficient sequence in the power series expansion of a rational function $p(x)/q(x)$:

    $$\frac{p(x)}{q(x)} = a_0 + a_1 x + a_2 x^2 + \cdots$$

    where the denominator polynomial is, as before, dependent only upon the taps of the corresponding LFSR. The numerator polynomial is given by

    $$p(x) = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} x^j.$$

    And thirdly, the LFSR sequences also have a trace representation given by

    $$a_j = \mathrm{Tr}_{L/F}(a \gamma^j)$$

    where $L$ is an extension field of $F$ that contains all the roots of $q(x)$, $a \in L$ is dependent upon the initial state of the LFSR, $\mathrm{Tr}_{L/F}$ is the trace function from $L$ to $F$, and $\gamma$ is an appropriate root of $q(x)$ in $L$.

    Similarly, for the FCSR, let $N$ be a positive integer. Let $q_1, q_2, \ldots, q_r \in \mathbb{Z}/(N)$, $a_0, a_1, \ldots, a_{r-1} \in \mathbb{Z}/(N)$, and let the initial memory $m_{r-1} \in \mathbb{Z}$. The FCSR sequence is then the unique solution to the with-carry linear recurrence

    $$a_j + N m_j = q_1 a_{j-1} + q_2 a_{j-2} + \cdots + q_r a_{j-r} + m_{j-1} \qquad (2.16)$$

    for $j \geq r$. Here, the right hand side of equation 2.16 is first computed as an integer $\sigma \in \mathbb{Z}$. Then $a_j$ is obtained by reducing $\sigma$ modulo $N$, and the new memory $m_j$ is computed as $\lfloor \sigma / N \rfloor$. Again, we may give three alternative descriptions of such a sequence. First, it is the output of an FCSR with $r$ main register cells, tap coefficients given by the $q_i$ and initial state given by the $a_i$. The connection integer associated with the FCSR is

    $$q = q_0 + \sum_{i=1}^{r} q_i N^i \in \mathbb{Z}$$

    where $q_0$ (and hence $q$) is relatively prime to $N$. Secondly, it is the coefficient sequence of the $N$-adic expansion of the rational number

    $$\frac{p}{q} = a_0 + a_1 N + a_2 N^2 + \cdots$$

    where the numerator is given by

    $$p = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} N^j - m_{r-1} N^r.$$

    Thirdly, FCSR sequences also possess an exponential representation in which the general term may be written as

    $$a_j = \bigl(a \gamma^j \ (\mathrm{mod}\ q)\bigr) \ (\mathrm{mod}\ N)$$

    where $\gamma = N^{-1} \ (\mathrm{mod}\ q)$ and $a \in \mathbb{Z}/(q)$ is an element that depends upon the initial state. In the right hand side of the equation above, the quantity $a \gamma^j$ is first reduced modulo $q$ and represented as an integer in the range $\{0, 1, \ldots, q - 1\}$ and then this integer is reduced modulo $N$.

    2.5 PROPERTIES OF FCSR SEQUENCES

    The purpose of this section is to collect in one place all of the results on FCSRs that are relevant to the later parts of the thesis. Here and in what follows, let $\mathbb{Q}_2$ denote the field of 2-adic numbers. The following facts are known about the 2-adic FCSR:

    1. (Klapper and Goresky 1997) If a sequence $a = (a_i)_{i \geq 0}$ is the output of a 2-adic FCSR, and $\alpha \in \mathbb{Q}_2$ is the 2-adic number associated with this sequence, then $a$ is eventually periodic and $\alpha = p/q$, where $q$ is the connection integer of the FCSR. Conversely, every eventually periodic binary sequence whose associated 2-adic number is $\alpha = p/q$ is the output of a 2-adic FCSR with connection integer $q$.

    2. (Klapper and Goresky 1997) If $\alpha = p/q \in \mathbb{Q}_2$ is the 2-adic number associated with the output sequence of a 2-adic FCSR, then the sequence is strictly periodic if and only if $-q < p \leq 0$. If this condition is not satisfied, then the sequence is eventually periodic.

    3. (Gauss 1801) If $\alpha = p/q \in \mathbb{Q}_2$ is the 2-adic number associated with the output sequence of a 2-adic FCSR, then the period of the sequence is the multiplicative order of 2 modulo $q$.

    4. (Klapper and Goresky 1997) If $\alpha = p/q \in \mathbb{Q}_2$, and if 2 is a primitive root modulo $q$, then the period of the FCSR sequence with connection integer $q$ is maximal and equal to $|(\mathbb{Z}/q\mathbb{Z})^{\times}| = \phi(q)$, where $\phi$ denotes Euler's totient function. Such a sequence is called an $\ell$-sequence. This requires that $q = p^m$ for some odd prime $p$ and some positive integer $m$.

    5. (Goresky and Klapper 1995) Every binary $\ell$-sequence possesses the property of symmetrical complementarity: in any binary $\ell$-sequence of period $2t$, where $t$ is a positive integer, the second half of any segment of length $2t$ is the bit-wise complement of the first half. However, the converse of this statement is not true. For example, the sequence generated by a 2-adic FCSR with connection integer $q = 17$ is symmetrically complementary with period 8, but it is not an $\ell$-sequence since 2 is not a primitive root modulo 17.

    6. (Goresky and Klapper 1995) Every binary $\ell$-sequence possesses the nearly de Bruijn property: if the $\ell$-sequence is generated by a 2-adic FCSR with connection integer $q$, then in any given period of the sequence, every binary string of length $\lfloor \log_2(q) \rfloor$ occurs at least once and every binary string of length $\lfloor \log_2(q) \rfloor + 1$ occurs at most once.

    7. (Mittelbach and Finger 2004) Any strictly periodic sequence generated by a 2-adic FCSR with connection integer $q$ is symmetrically complementary if and only if $q$ divides $2^{T/2} + 1$, where $T$ is the period of the sequence.

    8. (Xu 2000) The linear complexity of an $\ell$-sequence of period $2t$ is at most $t + 1$.

    For a more detailed account of the properties of FCSR sequences, including proofs of these assertions, the reader is referred to the papers of Klapper and Goresky (1997), Goresky and Klapper (1995), Mittelbach and Finger (2004), and the dissertation of Xu (2000).
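    Properties 4 to 7 above, checked on $q = 13$ (an $\ell$-sequence) and on the $q = 17$ counterexample of property 5, as an added Python example that is not part of the thesis. Each period is generated from the exponential representation of Section 2.4 with $N = 2$ and the constant $a = 1$, which is the expansion of $-1/q$.

```python
# Added example (not from the thesis): checking properties 4-7 of Section 2.5 on
# small connection integers.  Sequences come from the exponential representation of
# Section 2.4 with N = 2:  a_j = (a * gamma^j mod q) mod 2,  gamma = 2^{-1} mod q.
# With a = 1 this is the strictly periodic expansion of -1/q.

from math import gcd


def multiplicative_order(b, m):
    """Order of b modulo m by brute force (gcd(b, m) must be 1)."""
    x, k = b % m, 1
    while x != 1:
        x, k = (x * b) % m, k + 1
    return k


def euler_phi(q):
    """Euler's totient by counting units; q is small here."""
    return sum(1 for k in range(1, q + 1) if gcd(k, q) == 1)


def fcsr_period(q, a=1):
    """One period of the 2-adic FCSR output with connection integer q (odd),
    for the initial state whose exponential-representation constant is a."""
    T = multiplicative_order(2, q)
    gamma = pow(2, T - 1, q)          # 2^(T-1) = 2^(-1) mod q because 2^T = 1
    return [(a * pow(gamma, j, q)) % 2 for j in range(T)]


def is_ell_sequence(q):
    """Property 4: the period is phi(q), i.e. 2 is a primitive root modulo q."""
    return multiplicative_order(2, q) == euler_phi(q)


def symmetrically_complementary(seq):
    """Property 5: the second half of a period is the bitwise complement of the first."""
    T = len(seq)
    return T % 2 == 0 and all(seq[i] != seq[i + T // 2] for i in range(T // 2))


def cyclic_windows(seq, n):
    """All length-n windows of seq read cyclically (one per starting position)."""
    T = len(seq)
    return [tuple(seq[(i + k) % T] for k in range(n)) for i in range(T)]


def nearly_de_bruijn(seq, q):
    """Property 6: every string of length floor(log2 q) occurs at least once in a
    period and every string of length floor(log2 q) + 1 occurs at most once."""
    L = q.bit_length() - 1            # floor(log2 q)
    short = set(cyclic_windows(seq, L))
    longer = cyclic_windows(seq, L + 1)
    return len(short) == 2 ** L and len(set(longer)) == len(longer)


def divides_half_period_plus_one(q, T):
    """Property 7 (Mittelbach and Finger): q divides 2^(T/2) + 1."""
    return T % 2 == 0 and (2 ** (T // 2) + 1) % q == 0


if __name__ == "__main__":
    for q in (13, 17):
        seq = fcsr_period(q)
        T = len(seq)
        print("q = %d  period = %d  sequence = %s" % (q, T, "".join(map(str, seq))))
        print("  l-sequence:", is_ell_sequence(q),
              " symmetrically complementary:", symmetrically_complementary(seq),
              " nearly de Bruijn:", nearly_de_bruijn(seq, q),
              " q | 2^(T/2)+1:", divides_half_period_plus_one(q, T))
```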

    In this chapter we have briefly surveyed the theory of FCSR sequences and seen how many of the results in this theory closely resemble those in the theory of LFSR sequences. In the next chapter, we will use these results to devise simple but effective algorithms to generate a large number of FCSR architectures. The algorithms ensure that the output sequences of these architectures satisfy the necessary conditions for keystream generators mentioned in Chapter 1.

    CHAPTER 3

    SEARCH ALGORITHMS FOR FCSR ARCHITECTURES

    We have stated the requirements for pseudorandom sequences in Chapter 1 and studied some of their properties in Chapter 2. Now we turn to ways of finding architectures that generate such sequences. In practice, while designing feedback shift registers for use in stream ciphers, the cryptographer would like to start by specifying a set of criteria on the minimum period, complexity, and distribution properties of the output sequence of the shift register. The next step would be to generate a large number of architectures that satisfy these criteria. This is followed by performing extensive statistical tests on sequences generated by each of these architectures and rejecting any that fail the tests. A number of statistical test suites are available for this purpose such as the statistical testing suite developed by the NIST, the DIEHARD battery of tests of George Marsaglia, and ENT of John Walker. If a particular architecture passes all or most of these tests, the cryptographer can then have a measure of confidence in the quality of the sequence generated by the shift register architecture.

    In this chapter, we devise simple, practical algorithms to generate a large number of FCSR architectures with specified properties. The cryptographer may specify these desirable properties in terms of some performance parameters of the output sequences such as:

    1. the output sequences must have a period greater than some specified value,

    2. the output sequences must have a 2-adic complexity greater than a specified value,

    3. the output sequences must have a specified distribution property, such as, for example, the nearly de Bruijn property.

    Hardware or memory resource limitations may give rise to additional constraints such as:

    1. the number of cells in the main register must not exceed a specified value,

    2. the number of non-zero taps must not exceed a specified value, or must be exactly equal to some value.

    The search algorithms presented in this chapter solve some of these problems. These algorithms are by no means the most computationally efficient, and we have not attempted to analyse their computational complexity. Further, use of these algorithms to generate parameters for FCSRs does not guarantee the security of a stream cipher. However, they ensure that the necessary conditions for good quality output sequences hold, and serve as effective and practical tools to aid the cryptographer in stream cipher design.

    3.1 THE SEARCH ALGORITHMS

    The general idea of the search algorithms for FCSRs is as follows. Suppose we require a number of FCSR architectures which must have a guaranteed minimum period of $T$. We need to generate an integer $q$ such that the multiplicative order of 2 modulo $q$ is at least $T$. Our basic search algorithm does exactly this. Essentially, we look for those cyclic groups in which the subgroup generated by 2 has a large enough order. In order to ensure good distribution properties and complexity measures for the FCSR sequences, we restrict our attention to cyclic groups $\mathbb{Z}/q\mathbb{Z}$, where $q$ is either an odd prime or a power of an odd prime, and test for the primitivity of 2 modulo $q$.

    There may be additional constraints on $q$ such as a fixed number of tap connections. A moment's consideration shows that if the register size is $r$ and the number of non-zero taps is $h$, then there are $\binom{r-1}{h-1}$ potential connection integers that satisfy the constraints on the register size and the number of non-zero taps. In this case, it may not be feasible to exhaustively generate all the potential connection integers and test whether they satisfy the specified criterion on the period. We therefore devise a simpler sliding window-based approach to the problem. More complex algorithms could be designed based on ideas developed by Knuth for generating $n$-tuples.

    For the case of the d-FCSR, we develop an algorithm that generates connection integers $q$ of the form $q = q_0 + q_1 \pi$ such that $q_0^2 - p q_1^2 = N$, where $p$ is a square-free modulus, and where the norm $N$ is a prime greater than the desired minimum period. For this search problem, $p$, a square-free integer, $d = 2$, and $T$, the minimum period, are specified and $q_0$ and $q_1$ are to be determined.

    In the rest of this section we describe each of these search algorithms in detail. The first two search algorithms for the LFG and the AWC are almost trivial, but we present them here for the sake of completeness.

    3.1.1 Search algorithm for the LFG

    Input:

    Minimum period, $T > 0$

    Modulus or base, $m = 2^n$, $n > 0$

    Number of architectures to be generated, $R > 0$

    Output:

    $R$ values of the long lag $r_i$ such that the period of the corresponding LFGs is greater than $T$ for every $s_i$ such that $0 < s_i < r_i$.

    Algorithm L:

    [1. Compute minimum $r$] Compute the smallest integer $k$ such that $2^k > T/2^{n-1} + 1$. Let this value of $k$ be denoted $k_{min}$.

    [2.] Calculate the power of the base $k$ such that $b^k < T < b^{k+1}$.

    [3.] Set $j = 1$.

    [4.] Compute $m = b^k + b^j - 1$.

    [5.] If the order of $b \bmod m \geq T$, set $i = i + 1$, $r_i = k$ and $s_i = j$; if $i = n$ go to step 8.

    [6.] Set $j = j + 1$; if $j < k$ go to step 4.

    [7.] Set $k = k + 1$ and go to step 3.

    [8.] Output $r_i$ and $s_i$ for $i = 1, 2, \ldots, n$.

    In this algorithm we generate integers of the form $m = b^k + b^j - 1$ where $k > j$ and ensure that the order of $b$ modulo $m$ is greater than $T$. The initial value for $k$ is chosen such that it is the greatest exponent of 2 for which $2^k < T$. Since $j < k$, if the initial value of $k$ is any smaller, then $m$ cannot be greater than $T$. Therefore, we eliminate the case of smaller starting values for $k$ from our search.

    Example 3.1.2 Let $b = 10$ and minimum $T = 1123$. Then the lags $(4, 1)$, $(4, 2)$, $(4, 3)$, and $(5, 2)$ give rise to sequences of periods 5004, 3366, 5768, and 1614, respectively.

    3.1.3 The basic FCSR search algorithm

    The basic strategy for this algorithm is as follows: generate a prime larger than the specified period and compute the order of 2 modulo this prime. If this is greater than the specified period, we accept the prime as valid. Otherwise, we may proceed by generating a smaller prime and checking that 2 is a primitive root modulo this smaller prime. If 2 is also primitive modulo the square of this prime, then it follows that 2 is primitive modulo any power of the prime. We can then choose that power of the prime as connection integer for which the period is greater than the value specified.

    Algorithm S:

    Input:

    Minimum period, $T > 0$

    Number of architectures to be generated, $R > 0$

    Output:

    $R$ connection integers $q$ such that the order of 2 modulo $q > T$

    [0. Initialise] Set $C \leftarrow 0$; if $T <$ POWERING_THRESHOLD go to step 1; else go to step 4.

    [1. Generate prime] Generate a prime $q$ larger than $T$.

    [2. Compute order] If the order of 2 mod $q$ is less than $T$, set $q \leftarrow q + 2$ and compute the next prime greater than $q$; else store $q$ and the order of 2 mod $q$ and set $C \leftarrow C + 1$.

    [3. Is $C < R$?] If $C < R$, set $q \leftarrow q + 2$ and go to step 1; else if $C = R$, return the $C$ connection integers and the corresponding orders of 2 modulo each of these connection integers.

    [4. Powering] Set $A \leftarrow$ START_PRIME.

    [5. Compute next prime] Generate a prime, $q$, greater than $A$.

    [6. Check primitivity] If the order of 2 mod $q$ is not equal to $q - 1$ (primitivity check), set $A \leftarrow q + 2$ and go to step 5.

    [7.] If $2^{(q-1)} \not\equiv 1 \pmod{q^2}$, then 2 is primitive modulo $q^2$ and also primitive modulo $q^k$ with order $q^k - q^{k-1}$. Increment count $R \leftarrow R + 1$, store $q^k$ and the order of 2 modulo $q^k$; if $2^{(q-1)} \equiv 1 \pmod{q^2}$ set $A \leftarrow q + 2$ and go to step 5.

    [8. Is $C < R$?] If $C < R$, set $q \leftarrow q + 2$ and go to step 1; else if $C = R$, return the $C$ connection integers and the corresponding orders of 2 modulo each of these connection integers.

    This algorithm uses two machine dependent constants, namely, START_PRIME and POWERING_THRESHOLD. These constants are used to determine when to switch from generating prime connection integers to prime power connection integers, and the value of the smallest prime base to choose for the powering subroutine. Considerable tweaking may be required in order to find the right values for a given machine.

    Example 3.1.3 Let minimum $T = 169$. Then the following connection integers specify valid architectures: $q = 173, 179, 181, 197$. The respective periods are 172, 178, 180, 196. In this case, it turns out that the connection integers all have 2 as a primitive root.

    3.1.4 FCSR search with additional constraints

    An important consideration in the implementation of FCSR circuits in hardware is the number of multipliers required. The greater the number of multipliers required, the greater the area, cost and power dissipation of the chip. Hardware designers may therefore impose absolute limits on the number of multipliers that can be used in the FCSR implementation. These limits constrain the number of non-zero feedback connections that a valid FCSR architecture can have.

    If the register size is $r$ and the number of non-zero taps is $h$, where $r \geq h > 0$, then there are $\binom{r-1}{h-1}$ potential connection integers that satisfy the criteria on the register size and the number of non-zero taps. For large $r$, and $h$ approximately equal to $r/2$, it may not be feasible to check every possible connection integer with $h$ non-zero taps. The strategy we adopt is as follows: we fix the tap at the right extremity of the main register, that is, the register cell closest to the output. Thus the minimum value of $q$ is $b^{r-1}$. This leaves $h - 1$ taps to be assigned to $r - 1$ register cells. We begin by assigning a block or window of $h - 1$ 1s to the leftmost taps. At every iteration this block is moved right, and the corresponding connection integer is checked to see if it meets the period requirement. When the block reaches the right extreme, we begin again from the left end, but introduce a zero in the left-most position of the block. This block is again slid towards the right until it reaches the right extreme. In the next iteration, another zero is introduced at the left extreme of the block, and the block is again slid towards the right. We repeat this procedure until we have the requisite number of connection integers or until all the bits are zero in the window, in which case we may continue the search by repeating the procedure for $r + 1$, $r + 2$, and so on.

    We now describe the algorithm that returns FCSR architectures of a specified minimum period and a specified number of non-zero taps.

    Input:

    Minimum period, $T > 0$

    Base, $b > 1$

    Number of non-zero taps, $h > 0$

    Minimum register size, $r \geq h$

    Number of architectures required, $n > 0$

    Output:

    $n$ integers $Q_i$ such that the order of 2 modulo each $Q_i$ is greater than $T$, and such that $Q_i + 1$ has $h$ non-zero coefficients in its base-2 expansion.

    Algorithm F:

    [1.] Set $i = 0$.

    [2.] Let $q_{min} = 2^r - 1$ and $q' = 2 + 2^2 + 2^3 + \cdots + 2^{h-1}$.

    [3.] Set $\ell = 0$.

    [4.] Calculate $q = q_{min} + 2^{\ell} q'$.

    [5.] If the order of 2 modulo $q \geq T$, set $i = i + 1$ and $Q_i = q$. If $i = n$ go to step 16.

    [6.] Set $\ell = \ell + 1$; if $\ell < (r - h - 1)$ go to step 4.

    [7.] Set $k = 1$.

    [8.] Let $s' = 2^{(k+2)} + 2^{(k+3)} + \cdots + 2^{(h+1)}$.

    [9.] Compute $s = q_{min} + 2^1 + 2^2 + \cdots + 2^k$.

    [10.] Set $\ell = 0$.

    [11.] Compute $q = s + 2^{\ell} s'$.

    [12.] If the order of 2 modulo $q \geq T$, set $i = i + 1$ and set $Q_i = q$. If $i = n$ go to step 1.

    [13.] Set $\ell = \ell + 1$; if $\ell < (r - h - 1)$, go to step 11.

    [14.] Set $k = k + 1$; if $k < h$, go to step 8.

    [15.] Set $r = r + 1$ and go to step 2.

    [16.] Output $Q_i$, for $i = 1, 2, \ldots, n$.

    This algorithm is certainly not the most efficient way to generate connection integers with a fixed number of non-zero taps. It should be noted, however, that the general problem is hard. In fact, we cannot even be sure that there are sufficiently many connection integers with the given number of non-zero taps in their binary expansion. This problem is related to much deeper questions in number theory concerning the number of primes that have exactly $k$ 1-bits or 0-bits in their binary expansion. Wagstaff (2001) considered primes with a fixed number of 1s or 0s in their binary expansion and asked whether there exists any $k$ for which we can prove that there are infinitely many primes with exactly $k$ 1-bits in their binary expansions. He also posed the related question of whether there exists any $k$ for which we can prove that there are infinitely many primes with $k$ 1-bits. Wagstaff conjectured that the answers to both questions are positive, and that any $k \geq 3$ is sufficient.

    Example 3.1.4 Let the minimum period be 1356 and let the number of non-zero taps be 7. Then the connection integers 3041, 2293, 2957 give rise to sequences of period 1520, 2292, 2956, respectively.
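    Algorithm S of Section 3.1.3 and the sliding-window search of this section, as an added Python example that is not the thesis' own code. It restricts candidates to primes, as Section 3.1 says the search does, takes the block positions from the prose description rather than from the step list, and reproduces Examples 3.1.3 and 3.1.4; the START_PRIME value 3 used for the powering branch is an assumption.

```python
# Added example (not the thesis' code): the basic search (Algorithm S, Section 3.1.3)
# with its prime and prime-power branches, and the sliding-window search with a fixed
# number of non-zero taps (Algorithm F, Section 3.1.4) as described in the prose.
# Orders are computed by brute force; candidates are restricted to primes (Section 3.1).


def is_prime(n):
    """Trial division; adequate for the sizes in the thesis' examples."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def multiplicative_order(b, m):
    """Order of b modulo m by brute force (gcd(b, m) must be 1)."""
    x, k = b % m, 1
    while x != 1:
        x, k = (x * b) % m, k + 1
    return k


def algorithm_s_primes(T, R):
    """Steps 1-3 of Algorithm S: prime connection integers q > T with ord_q(2) >= T.
    Returns R pairs (q, ord_q(2)) in increasing order of q."""
    found, q = [], next_prime(T)
    while len(found) < R:
        order = multiplicative_order(2, q)
        if order >= T:
            found.append((q, order))
        q = next_prime(q)
    return found


def algorithm_s_powering(T, start_prime):
    """Steps 4-7 of Algorithm S: a prime q >= start_prime with 2 primitive modulo q
    and 2^(q-1) != 1 (mod q^2).  Then 2 is primitive modulo every q^k, with order
    q^k - q^(k-1); we return the smallest such power whose order exceeds T."""
    q = start_prime if is_prime(start_prime) else next_prime(start_prime)
    while True:
        if multiplicative_order(2, q) == q - 1 and pow(2, q - 1, q * q) != 1:
            k = 2
            while q ** k - q ** (k - 1) <= T:
                k += 1
            return q ** k, q ** k - q ** (k - 1)
        q = next_prime(q)


def algorithm_f(T, h, r, n):
    """Sliding-window search for q with exactly h one-bits in q + 1 and ord_q(2) >= T.
    Bit r of q + 1 (the tap nearest the output) is always set.  Phase k = 0 slides a
    block of h-1 ones over bits 1..r-1; phase k >= 1 fixes bits 1..k to one, leaves
    bit k+1 zero and slides a block of h-1-k ones over bits k+2..r-1.  When every
    phase is exhausted the register size r is increased by one."""
    found = []
    while True:
        for k in range(0, h - 1):
            fixed = (1 << r) + ((1 << (k + 1)) - 2)     # 2^r + 2 + 4 + ... + 2^k
            w = h - 1 - k                                # ones in the sliding block
            lo_start = 1 if k == 0 else k + 2
            for lo in range(lo_start, r - w + 1):        # block occupies bits lo..lo+w-1
                q = fixed + (((1 << w) - 1) << lo) - 1
                if is_prime(q) and multiplicative_order(2, q) >= T:
                    found.append(q)
                    if len(found) == n:
                        return found
        r += 1


if __name__ == "__main__":
    print("Algorithm S, T = 169:", algorithm_s_primes(169, 4))            # Example 3.1.3
    print("powering branch, T = 169, START_PRIME = 3:", algorithm_s_powering(169, 3))
    print("Algorithm F, T = 1356, h = 7, r = 11:", algorithm_f(1356, 7, 11, 3))  # Example 3.1.4
```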

    3.1.5 Search algorithm for d-FCSRs

    Operation of the delayed-FCSR (d-FCSR)

    The operation of the d-FCSR is similar to the 2-adic FCSR except that each carried bit is delayed $d - 1$ steps before being added. In this section, we give a brief description of the theory of the d-FCSR after the fashion of Goresky and Klapper (1995). A more detailed account of the theory may be found in Goresky and Klapper (1995). Let $p$ denote an integer and let $d \geq 1$ be such that $x^d - p$ is an irreducible polynomial in $x$ over the rational numbers. Note that this occurs only when $p$ is not a $k$-th power, for any prime $k$ dividing $d$. Let $\pi \in \mathbb{R}$ be the positive real solution to $\pi^d = p$. We define the ring $\mathbb{Z}[\pi]$ as the set of all real numbers of the form

    $$u_0 + u_1 \pi + u_2 \pi^2 + \cdots + u_{d-1} \pi^{d-1} \qquad (3.1)$$

    with $u_i \in \mathbb{Z}$. The fraction field of $\mathbb{Z}[\pi]$, denoted $\mathbb{Q}[\pi]$, is the set of all real numbers of the form given by Equation 3.1 with $u_i \in \mathbb{Q}$. Every element of $\mathbb{Q}[\pi]$ may be expressed as a fraction $u/v$ with $u, v \in \mathbb{Z}[\pi]$. We can also view $\mathbb{Q}[\pi]$ as a vector space over $\mathbb{Q}$ of dimension $d$ with the basis vectors given by $\{1, \pi, \pi^2, \ldots, \pi^{d-1}\}$, and the elements of $\mathbb{Z}[\pi]$ in $\mathbb{Q}[\pi]$ are referred to as the lattice points of $\mathbb{Q}[\pi]$.

    We define the ring $\mathbb{Z}_\pi$ as the set of all infinite formal expressions of the form

    $$\alpha = a_0 + a_1 \pi + a_2 \pi^2 + \cdots$$

    where $a_i \in T = \{0, 1, \ldots, p - 1\}$, with the obvious operations of addition and multiplication using $\pi^d = p$. Note that when $d = 1$, $\mathbb{Z}[\pi] = \mathbb{Z}$, $\mathbb{Q}[\pi] = \mathbb{Q}$, and $\mathbb{Z}_\pi = \mathbb{Z}_p$, the $p$-adic numbers. Now any element $u/q \in \mathbb{Q}[\pi]$ where $u, q \in \mathbb{Z}[\pi]$ is also in $\mathbb{Z}_\pi$ if and only if the denominator $q = \sum_{i=0}^{d-1} q_i \pi^i$ is invertible modulo $\pi$, which is equivalent to $q_0$ being relatively prime to $p$. Then the $\pi$-adic expansion of $u/q$ given by

    $$\frac{u}{q} = \sum_{i=0}^{\infty} a_i \pi^i \in \mathbb{Z}_\pi$$

    where $a_i \in T$ is unique, and we refer to the sequence $a_0, a_1, a_2, \ldots$ as the coefficient sequence of $u/q$. The output of a d-FCSR is defined to be the coefficient sequence of the $\pi$-adic expansion of the fraction $u/q$ where $u, q \in \mathbb{Z}[\pi]$ and where $q$ is invertible modulo $\pi$.

    Search algorithm for $d = 2$

    The algorithm searches for a connection integer $q$ of the form $q = q_0 + q_1 \pi$ such that

    $$q_0^2 - p q_1^2 = N \qquad (3.2)$$

    where $p$ is a square-free modulus and $N$ is a prime greater than the desired minimum period. The equation

    Input:

    Degree or delay, $d = 2$.

    Modulus or base, $p$, a square-free integer.

    Minimum period required, $T$

    Output:

    $q_0$ and $q_1$ satisfying $\mathrm{norm}(q) = N(q) = q_0^2 - p q_1^2 = N$

    [0. Next prime] Generate the next prime $N$ greater than $T$.

    [1. Check Legendre symbol] If the Legendre symbol $\left(\frac{p}{N}\right) = -1$, go back to step 0 to get the next prime. Continue until the prime $N$ generated in step 0 is such that $\left(\frac{p}{N}\right) = 1$. When $\left(\frac{p}{N}\right) = 1$, go to the next step (note: $\left(\frac{p}{N}\right) \neq 0$ since $N$ is prime and $N \nmid p$).

    [2. Solve quadratic congruence] We solve the equation $x^2 \equiv p \pmod N$. Let the solution be $x_0$.

    [3. Subroutine: Modified Cornacchia's algorithm]

    Input: $x_0$, the solution of the quadratic congruence

    Output: If there is a solution, the algorithm returns $q_0$ and $q_1$.

    Given $x_0$ and $N$, define two sequences $(a_n)$ and $(r_n)$ as follows:

    $$x_0 = a_0 N + r_0, \qquad N = a_1 r_0 + r_1, \qquad r_i = a_{i+2} r_{i+1} + r_{i+2}.$$

    The algorithm stops at some $k$, where $r_k^2 < N < r_{k-1}^2$. If the equation $q_0^2 - p q_1^2 = N$ has a solution, it is

    $$q_0 = r_{k-1}, \qquad q_1 = \sqrt{\frac{r_{k-1}^2 - N}{p}}.$$

    If no solution is generated in this step go to step 0; else, proceed.

    [4. Compute $m$] Compute $m = \frac{p q_1}{q_0}$. Compute the order of $m$ modulo $N$. If the order of $m$ is $< T$, go to step 0 and generate the next prime.

    [5. Output $q$] Output $q_0$, $q_1$ and the order of $m$ modulo $N$.

    Example 3.1.5 Let $p = 6$ and let the minimum period be 133. Then the connection integers 193, 211, 283, 331 correspond to the elements $17 + 4\pi$, $19 + 5\pi$, $17 + \pi$, $25 + 7\pi$, respectively, and the periods of their output sequences are 192, 210, 141, 165, respectively.

    The d-FCSR with $d \geq 3$

    The theory of the d-FCSR for $d \geq 3$ is not well-understood. For instance, an optimal estimate on the memory needed for implementing a d-FCSR is not known when $d \geq 3$ (Klapper and Goresky 1997). This makes the search algorithm impractical for the d-FCSR for $d \geq 3$ with the approach taken by us. However, when $d = 2$, an analogue of the analysis for $N$-adic FCSRs holds good. More work is needed on d-FCSRs for $d \geq 3$ in order that the search for architectures can be carried out in the same manner we have outlined in this chapter.

    CHAPTER 4

    FCSR COMBINER GENERATORS

    Linear feedback shift registers (LFSRs) have been the workhorses of stream cipher design for the past several decades. They are well-understood, easy to implement both in hardware and software, and are extremely fast. An important measure of the security of a classical stream cipher is the linear complexity of the pseudorandom keystream generator used in its design. The linear complexity of a sequence is defined as the size of the smallest LFSR that generates the given sequence. Sequences of low linear complexity are susceptible to cryptanalysis via the Berlekamp-Massey algorithm (Massey 1969). Hence the LFSR cannot directly be used as a keystream generator in stream ciphers. By introducing suitable nonlinearities in the output or feedback function of the LFSR, it is often possible to increase the linear complexity, and thus reduce the predictability, of the output sequence.

    A number of methods have been devised to increase the linear complexity of sequences by including nonlinear feed-forward functions in an LFSR-based keystream generator. For example, two LFSR sequences $a$ and $b$ of periods $T_1$ and $T_2$ respectively may be combined using the XOR function to yield a new sequence $c$ of period $T$. In general, $n$ LFSRs may be used and combined using some nonlinear boolean function. Such a construction is called a combination generator or combiner. There is a huge amount of literature on this subject and families of constructions such as clock-controlled generators, combiners and filter generators have been studied extensively over the last three decades. Here, we only mention the papers by Groth (1971), Key (1976), Gollmann and Chambers (1989), and Massey and Serconek (1996). The books by Rueppel (1986) and Schneier (1996) also provide good accounts of the theory.


    Key (1976) first studied the effect of combining two LFSR sequences using the bit-wise AND operation as the combining function. He found that when the two LFSRs had distinct irreducible characteristic polynomials of degree r and s respectively,

    1. the product sequence (bit-wise AND) has period equal to the LCM of the periods of the two LFSRs, and

    2. the linear complexity of the product sequence is rs.

    Key also proved bounds on the complexity of filtered LFSR sequences in which shifted phases of a single LFSR sequence are combined nonlinearly. These results have subsequently been improved by a number of investigators (Herlestam 1985, Rueppel and Staffelbach 1987, Golic 1989, Göttfert and Niederreiter 1993, Kolokotronis and Kalouptsidis 2003, and Lam and Gong 2004).

    FCSR sequences share many of the important properties of LFSR sequences. Like the LFSRs, FCSRs cannot be used directly in stream ciphers: FCSR sequences have high linear complexity and good statistical properties, but they are synthesised by a 2-adic analogue of the Berlekamp-Massey algorithm. This algorithm, due to de Weger (1986), is based on the theory of approximation lattices of p-adic numbers and gives rise to the notion of 2-adic complexity of a sequence. Upper bounds on the linear and 2-adic complexity of ℓ-sequences and lower bounds on some special types of ℓ-sequences were established in the work of Klapper and Goresky (1997), Xu (2000), and Seo et al (2000). Stream ciphers using FCSRs still remain largely unexplored (Schneier 1996). To our knowledge, there have been only a handful of papers describing or analysing the properties of stream cipher designs based on FCSRs (Arnault, Berger and Necer 2002, Arnault and Berger 2004, Arnault and Berger 2005, Mittelbach and Finger 2004, Tasheva, Bedzhev and Stoyanov 2004). There have been no previous attempts to determine the period, linear complexity and 2-adic complexity of combiners using FCSRs. Mittelbach and Finger (2004) carried out a large number of numerical experiments and conjectured upper bounds on the linear complexity of a particular type of generator called the Geffe generator in which 2-adic FCSRs were used as primitives. Our results, on the other hand, are the first to prove upper bounds on the 2-adic complexity of combiner generators.

    According to Arnault and Berger (2005), the feedback function of the FCSR is highly nonlinear and hence FCSR sequences are resistant to linear attacks such as the Berlekamp-Massey algorithm. They claim that a linear filter function adequately masks the 2-adic structure of the FCSR. Further, they state that linear functions are optimal from the point of view of resilience and that linear functions provide protection against certain correlation attacks. Linear functions are also the easiest from the implementation point of view. For this reason, we chose our combiner function to be the XOR operation.

    In this thesis, we study the periodicity, symmetric complementarity, linear complexity and 2-adic complexity of combiner generators that use two 2-adic FCSRs as primitives and the XOR operation as the combining function. When the two FCSRs have odd-prime power connection integers with 2 as a primitive root, we determine the period of the output sequence (Theorem 4.2.3). We prove that when the prime factors of the connection integers of the two FCSRs belong to different equivalence classes modulo 4, the output sequence is symmetrically complementary. We then use this property to derive upper bounds on the linear complexity and the 2-adic complexity of the output sequence of the FCSR-combiner (Anand and Ramanan, to appear in ASIACCS06).

    With the aim of proving results similar to those of Key and others for the case of FCSRs, we conducted a large number of numerical experiments using FCSRs as the primitives in a combiner generator (see Figure 4.1). The experimental procedure that was used to obtain the observations was as follows:

    1. Fix two distinct prime power connection integers $q_1$ and $q_2$ such that 2 is primitive modulo $q_1$ and $q_2$.

    2. Generate all possible strictly periodic sequences with these connection integers. Let the set of all strictly periodic sequences (excluding the all-zeroes and all-ones sequences) with $q_1$ as connection integer be denoted $S_{q_1}$. (These sequences correspond to all fractions $p_1/q_1$ such that $0 > p_1 > -q_1$ and $\gcd(p_1, q_1) = 1$.) Clearly, $|S_{q_1}| = \varphi(q_1)$ where $\varphi$ is Euler's totient function. Similarly, let $S_{q_2}$ denote the set of all strictly periodic sequences (excluding the all-zeroes and all-ones sequences) with $q_2$ as connection integer. Then, $|S_{q_2}| = \varphi(q_2)$.

    3. Compute the bit-wise XOR of every pair of sequences $(a, b) \in S_{q_1} \times S_{q_2}$. There are exactly $\varphi(q_1)\varphi(q_2)$ such pairs, corresponding to every pair of possible values of $p_1$ and $p_2$.

    4. For each sequence output by step 3, synthesise the sequence using de Weger's algorithm. Observe the period, complexity, and structure of the connection integer of the output sequence.

    5. Repeat steps 1-4 for another pair of values of $q_1$ and $q_2$.

    Based on the observations made while conducting these experiments, we were able to conjecture a number of results on the period, complementarity and 2-adic complexity of combiner sequences. These results are proved in Theorems 4.2.3, 4.2.4 and 4.2.6. Our aim in this chapter is to prove these results and derive useful design principles from them.

    Consider the truth table for the XOR function, which is shown in Table 4.1. We denote complementation by an overbar, so that $\bar{x}$ is the complement of $x$. Let $x, y \in \{0, 1\}$ and let the symbol $\oplus$ denote the XOR function, or addition modulo 2. It is easy to verify the following two facts from the truth table:

    Fact 4.0.1 $\bar{x} \oplus y = x \oplus \bar{y} = \overline{x \oplus y}$

    Fact 4.0.2 $\bar{x} \oplus \bar{y} = x \oplus y$


    Table 4.1: Truth table for the XOR function

      x   y   x ⊕ y   x̄ ⊕ y   x ⊕ ȳ   x̄ ⊕ ȳ
      0   0     0       1       1       0
      0   1     1       0       0       1
      1   0     1       0       0       1
      1   1     0       1       1       0

    Figure 4.1: 2-adic FCSR Combiner with XOR combiner function

    4.1 NOTATION

    With reference to the combiner in Figure 4.1, we now fix the notation for the rest of this chapter. Let $r_1$ and $r_2$ be two odd primes, not necessarily distinct. Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where $e_1, e_2 > 0$ and such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $a := (a_i)_{i \ge 0}$ and $b := (b_i)_{i \ge 0}$ be two strictly periodic binary sequences generated by 2-adic FCSRs with connection integers $q_1$ and $q_2$, respectively. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of the two sequences $a$ and $b$ respectively and let $L = \mathrm{lcm}(T_1, T_2)$. Let $c := (c_i)_{i \ge 0} := a \oplus b := (a_i \oplus b_i)_{i \ge 0}$ be the output sequence obtained by computing the element-wise exclusive-OR of $a$ and $b$. Let $T$ be the period of the sequence $c$ and let $p/q$ be the rational number in lowest terms whose 2-adic expansion coincides with the sequence $c$.


    4.2 MAIN RESULTS

    Before we proceed to discuss the main theorems, we need a couple of useful lemmas. The first of these is a well-known fact that can be easily derived from the results in any introductory textbook on number theory such as, for example, from Theorem 95 of Hardy and Wright (1979).

    Lemma 4.2.1 Let $q = r^e$ be a power of an odd prime $r$ such that 2 is a primitive root modulo $q$. Then $r$ is of the form $4k \pm 1$ where $k$ is odd.

    Proof: (from Hardy and Wright (1979))

    The proof is by contradiction. Suppose $r = 4k \pm 1$ where $k$ is even. Then $r = 4k \pm 1 = 8k' \pm 1$ for some integer $k'$. Consider the quadratic character of 2 modulo $q$. We know from Euler's criterion on quadratic residues that $\left(\frac{2}{p}\right) = 2^{\varphi(p)/2} \equiv \pm 1 \pmod p$ for any prime $p$, where the sign is taken according as $p \equiv \pm 1 \pmod 8$ or $p \equiv \pm 3 \pmod 8$, and where $\varphi$ denotes Euler's totient function. Since $r = 8k' \pm 1$, this implies that $2^{\varphi(r)/2} \equiv +1 \pmod r$ and that 2 is a quadratic residue modulo $r$. Therefore 2 is also a quadratic residue modulo $q$ and $2^{\varphi(q)/2} \equiv +1 \pmod q$. But this contradicts the fact that if 2 is a primitive root modulo $q$ then $2^i \equiv +1 \pmod q$ for no $i < \varphi(q)$. Hence $k$ cannot be even.

    Lemma 4.2.2 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two powers of odd primes $r_1$ and $r_2$ such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$, $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ and let $L = \mathrm{lcm}(T_1, T_2)$.

    i. If $r_1 \not\equiv r_2 \pmod 4$ and if $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$, then $L/T_1$ is odd and $L/T_2$ is even.

    ii. If $r_1 \equiv r_2 \pmod 4$, then both $L/T_1$ and $L/T_2$ are odd.

    Proof:


    (i.) We have
    $$L = \mathrm{lcm}(T_1, T_2) = T_1 T_2 / \gcd(T_1, T_2).$$
    Therefore,
    $$L/T_2 = \frac{T_1}{\gcd(T_1, T_2)} = \frac{4k_1(4k_1 + 1)^{e_1 - 1}}{\gcd\big(4k_1(4k_1 + 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\big)} = \frac{2k_1(4k_1 + 1)^{e_1 - 1}}{\gcd\big(2k_1(4k_1 + 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big)}.$$
    This is clearly an even number since the denominator is odd and therefore divides $k_1(4k_1 + 1)^{e_1 - 1}$ (by Lemma 4.2.1). By similar arguments, $L/T_1$ will be seen to be an odd number.

    (ii.) We can prove this for both $r_1 \equiv r_2 \equiv +1 \pmod 4$ and $r_1 \equiv r_2 \equiv -1 \pmod 4$ by using Lemma 4.2.1 in an argument similar to the one above.

    Case 1: $r_1 \equiv r_2 \equiv +1 \pmod 4$
    $$L/T_1 = \frac{T_2}{\gcd(T_1, T_2)} = \frac{4k_2(4k_2 + 1)^{e_2 - 1}}{\gcd\big(4k_1(4k_1 + 1)^{e_1 - 1},\ 4k_2(4k_2 + 1)^{e_2 - 1}\big)} = \frac{k_2(4k_2 + 1)^{e_2 - 1}}{\gcd\big(k_1(4k_1 + 1)^{e_1 - 1},\ k_2(4k_2 + 1)^{e_2 - 1}\big)}.$$
    This is odd since $k_1$ and $k_2$ are both odd by Lemma 4.2.1. Similarly, $L/T_2$ is also odd.

    Case 2: $r_1 \equiv r_2 \equiv -1 \pmod 4$
    $$L/T_1 = \frac{T_2}{\gcd(T_1, T_2)} = \frac{(4k_2 - 2)(4k_2 - 1)^{e_2 - 1}}{\gcd\big((4k_1 - 2)(4k_1 - 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\big)} = \frac{(2k_2 - 1)(4k_2 - 1)^{e_2 - 1}}{\gcd\big((2k_1 - 1)(4k_1 - 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big)}.$$
    This is clearly again an odd number. Similarly, $L/T_2$ is also odd.


    Under the same assumptions as in Lemma 4.2.2, consider the expression $(T_1 - T_2) \pmod 4$. Without loss of generality, assume that $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$. Then,
    $$T_1 = (r_1 - 1) r_1^{e_1 - 1} = 4k_1(4k_1 + 1)^{e_1 - 1}$$
    and
    $$T_2 = (r_2 - 1) r_2^{e_2 - 1} = (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}.$$
    Therefore,
    $$T_1 - T_2 = 2\big[2k_1(4k_1 + 1)^{e_1 - 1} - (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big].$$
    The first term inside the square brackets is even while the second term is odd. This implies that $T_1 - T_2 = 2m$ where $m$ is some odd integer. Therefore we must have
    $$T_1 - T_2 \equiv 2 \pmod 4. \qquad (4.1)$$
    We will use equation (4.1) in the proof of Theorem 4.2.3.

    4.2.1 Period of the FCSR XOR combiner

    Theorem 4.2.3 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where $e_1, e_2 > 0$ and such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $a := (a_i)_{i \ge 0}$ and $b := (b_i)_{i \ge 0}$ be two strictly periodic binary sequences generated by 2-adic FCSRs with connection integers $q_1$ and $q_2$, and $c := (c_i)_{i \ge 0} := a \oplus b := (a_i \oplus b_i)_{i \ge 0}$. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of the two sequences $a$ and $b$ respectively and let $L = \mathrm{lcm}(T_1, T_2)$.

    If $r_1 \not\equiv r_2 \pmod 4$, the sequence $c$ has period $L$; if $r_1 \equiv r_2 \pmod 4$, the sequence $c$ has period $L/2$.

    Proof:


    The sequence $a$ is an ℓ-sequence and has the following properties:
    $$a_i = a_{i + (2n)T_1/2} \quad\text{and}\quad a_i = \overline{a_{i + (2n+1)T_1/2}}, \qquad i = 0, 1, 2, \ldots \qquad (4.2)$$
    for any fixed integer $n \ge 0$. Similarly, for the sequence $b$ we have
    $$b_i = b_{i + (2n)T_2/2} \quad\text{and}\quad b_i = \overline{b_{i + (2n+1)T_2/2}}, \qquad i = 0, 1, 2, \ldots \qquad (4.3)$$
    for any fixed integer $n \ge 0$. Let the period of the sequence $c$ be denoted by $T$.

    Case 1: ($r_1 \equiv r_2 \pmod 4$)

    We will prove that $T = L/2$ by first showing that $T \mid L/2$ and then by proving that $L/2 \mid T$. By Lemma 4.2.2, when $r_1 \equiv r_2 \pmod 4$, both $L/T_1$ and $L/T_2$ are odd. Putting $(2n + 1) = L/T_1$ and $(2n + 1) = L/T_2$ in equations (4.2) and (4.3) respectively, we have $a_i = \overline{a_{i+L/2}}$ and $b_i = \overline{b_{i+L/2}}$ for every $i \ge 0$. That is,
    $$c_i = a_i \oplus b_i = \overline{a_{i+L/2}} \oplus \overline{b_{i+L/2}} = a_{i+L/2} \oplus b_{i+L/2} = c_{i+L/2}. \qquad (4.4)$$
    Hence $T$, which is the smallest period of the sequence $c$, must divide $L/2$. On the other hand, if $T$ is the period, $c_i = c_{i+T}$ for every $i \ge 0$. This implies that $a_i = a_{i+T}$ and $b_i = b_{i+T}$, or that $a_i = \overline{a_{i+T}}$ and $b_i = \overline{b_{i+T}}$. In either case, $T$ is a common multiple of $T_1/2$ and $T_2/2$. Since $L/2$ is the least common multiple of $T_1/2$ and $T_2/2$, we must have $L/2 \mid T$. Therefore, $T = L/2$.

    Case 2: ($r_1 \not\equiv r_2 \pmod 4$)

    We will prove that $T = L$ by first showing that $T \mid L$ and then by showing that $L \mid T$. First, note that since $L$ is a multiple of both $T_1$ as well as $T_2$, we must have $a_i = a_{i+L}$ and $b_i = b_{i+L}$ for every $i \ge 0$. Hence $c_i := a_i \oplus b_i = a_{i+L} \oplus b_{i+L} =: c_{i+L}$ for every $i \ge 0$, and since $T$ is the (smallest) period of $c$, $T \mid L$.

    On the other hand, if $T$ is the period of the sequence $c$, then $c_i = c_{i+T}$ for every $i \ge 0$, which implies either that $a_i \oplus b_i = a_{i+T} \oplus b_{i+T}$ or that $\overline{a_i} \oplus \overline{b_i} = a_{i+T} \oplus b_{i+T}$ (by Fact 4.0.2) for every $i \ge 0$. This implies either that $a_i = a_{i+T}$ and $b_i = b_{i+T}$, or that $\overline{a_i} = a_{i+T}$ and $\overline{b_i} = b_{i+T}$, for all $i \ge 0$. Suppose the latter holds. Then $T$ must be an odd multiple of $T_1/2$ as well as of $T_2/2$. That is, $T = (2m_1 + 1)T_1/2$ and $T = (2m_2 + 1)T_2/2$ for some integers $m_1$ and $m_2$. Hence, $(2m_1 + 1)T_1/2 = (2m_2 + 1)T_2/2$, which implies $2m_1T_1 + T_1 = 2m_2T_2 + T_2$. Therefore, we must have $T_2 - T_1 = 2(m_1T_1 - m_2T_2) \equiv 0 \pmod 4$. Since $T_1$ and $T_2$ are even, this contradicts the fact that if $r_1 \not\equiv r_2 \pmod 4$, we must have $T_2 - T_1 \equiv 2 \pmod 4$ (by equation (4.1)). Therefore, $T$ cannot be an odd multiple of $T_1/2$ and $T_2/2$. We consider the other possibility that $T$ is an even multiple of $T_1/2$ and $T_2/2$. This implies that $T = 2m_1T_1/2$ and $T = 2m_2T_2/2$ for some integers $m_1$ and $m_2$. Therefore, $T$ is a common multiple of both $T_1$ and $T_2$. Since $L$ is the least common multiple of $T_1$ and $T_2$, it must divide any common multiple of $T_1$ and $T_2$. Therefore, $L \mid T$. Since we have already proved that $T \mid L$, this means that $T = L$.

    We have established that the period $T$ of the FCSR XOR-combiner is
    $$T = \begin{cases} T_1 T_2 / \gcd(T_1, T_2), & \text{if } r_1 \not\equiv r_2 \pmod 4 \\ T_1 T_2 / 2\gcd(T_1, T_2), & \text{if } r_1 \equiv r_2 \pmod 4 \end{cases} \qquad (4.5)$$
    We may say that combining two ℓ-sequences using the XOR function yields a sequence whose period is approximately the product of the periods of the individual ℓ-sequences. To obtain maximum period, $r_1$ and $r_2$ must be chosen so that they do not belong to the same equivalence class modulo 4, and for proper choices of $r_1$ and $r_2$ the period of the XOR-combiner can be made as large as $T_1 T_2 / 2$.

    In the next theorem, we prove that if $r_1 \not\equiv r_2 \pmod 4$, the output sequence of the combiner considered in Figure 4.1 is symmetrically complementary.


    4.2.2 Symmetric complementarity

    Theorem 4.2.4 Let all assumptions be the same as in Theorem 4.2.3. If $r_1 \not\equiv r_2 \pmod 4$, then the sequence $c$ is symmetrically complementary.

    Proof:

    When $r_1 \not\equiv r_2 \pmod 4$, $L/T_1$ is odd and $L/T_2$ is even by Lemma 4.2.2. Therefore, from equation (4.2) and equation (4.3), $a_i = \overline{a_{i+L/2}}$ and $b_i = b_{i+L/2}$ for every $i \ge 0$, which implies that
    $$c_i = a_i \oplus b_i = \overline{a_{i+L/2}} \oplus b_{i+L/2}, \qquad i = 0, 1, 2, \ldots. \qquad (4.6)$$
    By Fact 4.0.1 of the bit-wise XOR operation we now have
    $$c_i = \overline{a_{i+L/2}} \oplus b_{i+L/2} = \overline{a_{i+L/2} \oplus b_{i+L/2}} = \overline{c_{i+L/2}}, \qquad i = 0, 1, 2, \ldots. \qquad (4.7)$$
    Since we know from Theorem 4.2.3 (equation (4.5)) that the sequence $c$ has period $L$, we see from equation (4.7) that $c$ is symmetrically complementary.

    4.2.3 2-adic complexity of the FCSR XOR combiner

    Before we prove upper bounds on the 2-adic complexity of the output sequence, we first define the 2-adic complexity of a binary sequence following Xu's definition of N-adic complexity (Xu 2000). Let $s := s_0 s_1 s_2 \ldots$ be an infinite periodic binary sequence and let $\sum_{i=0}^{\infty} s_i 2^i = p/q \in \mathbb{Z}_2$ be the fraction in lowest terms whose 2-adic expansion agrees with the sequence $s$.

    Definition 4.2.5 The 2-adic complexity of the sequence $s$ is defined to be the integer $\max(\log_2 |p|, \log_2 |q|)$.


    If the sequence $s$ is strictly periodic, then $p/q < 0$ and $|p| < |q|$, so that the 2-adic complexity of $s$ is simply equal to $\log_2 |q|$. We determine an upper bound on the 2-adic complexity of the FCSR XOR-combiner in the following theorem.

    Theorem 4.2.6 Let all assumptions be the same as in Theorem 4.2.3. If $r_1 \not\equiv r_2 \pmod 4$, the 2-adic complexity of the output sequence $c$ of the FCSR combiner is less than $L/2 + 1 = T/2 + 1$. If $r_1 \equiv r_2 \pmod 4$, the 2-adic complexity of the sequence $c$ is less than $L/2 = T$.

    Proof:

    Let $q$ be the denominator of the fraction, expressed in lowest terms, whose 2-adic expansion agrees with the sequence $c$. Let $T$ be the period of the sequence $c$.

    If $r_1 \not\equiv r_2 \pmod 4$, then by Theorem 4.2.4 and by Fact 7 about FCSR sequences in Chapter 2, we must have $q \mid 2^{T/2} + 1$. We also know by Theorem 4.2.3 that $T = L$. Therefore, $q \mid 2^{L/2} + 1$. The maximum value of $q$ occurs when $q = 2^{L/2} + 1$, and in such a case the 2-adic complexity of $c$ is $\log_2 q < L/2 + 1$.

    If $r_1 \equiv r_2 \pmod 4$, then the period of the output sequence $c$ is $T = L/2$. We know that for any sequence of period $T$, $q \mid 2^T - 1$, and the maximum value of $q$ for a given $T$ occurs when $q = 2^T - 1$. Hence the 2-adic complexity of $c$ is $\log_2 q < L/2$.

    Even though it seems to be difficult to prove a lower bound on the 2-adic complexity of the XOR combiner, numerical experiments point to a lower bound of $L/2$ minus the larger of the 2-adic complexities of $a$ and $b$ when $r_1 \not\equiv r_2 \pmod 4$. In this context, we point out that for a fixed pair of connection integers $(q_1, q_2)$ of the type considered in this chapter, most of the output sequences attain the upper bound on the 2-adic complexity. Numerical experiments also show that for most such pairs of connection integers, all output sequences attain the upper bound.

    We observe from Theorem 4.2.3 and Theorem 4.2.6 that for both cases $r_1 \equiv r_2 \pmod 4$ and $r_1 \not\equiv r_2 \pmod 4$ the period of the output sequence grows roughly quadratically with the periods of the input sequences. However, for the case $r_1 \not\equiv r_2 \pmod 4$, due to the symmetric complementarity of the output sequence, its 2-adic complexity bound is half of the period; for the case $r_1 \equiv r_2 \pmod 4$ the 2-adic complexity bound is the period of the output sequence.
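    The experimental procedure (steps 1-5 above) and the statements of Theorems 4.2.3, 4.2.4 and 4.2.6 can be checked numerically on small connection integers. The following Python script is an added example, not code from the thesis: it generates the ℓ-sequences of two 2-adic FCSRs, XORs them, and measures the period, the symmetric complementarity and the denominator q of the output. The pairs (q1, q2) = (5, 11), with r1 ≢ r2 (mod 4), and (3, 11), with r1 ≡ r2 (mod 4), are chosen here, and the bit rule a_i = (p · 2^{-i} mod q) mod 2 for the 2-adic expansion of -p/q is assumed rather than taken from the page.

```python
"""Added example (not the thesis's own code): XOR-combine two 2-adic FCSR
l-sequences and check Theorems 4.2.3, 4.2.4 and 4.2.6 on small moduli."""
from math import gcd, lcm, log2


def fcsr_sequence(q: int, p: int, length: int) -> list[int]:
    """Strictly periodic output of a 2-adic FCSR with connection integer q:
    the 2-adic expansion of -p/q (q odd, 0 < p < q, gcd(p, q) = 1).
    Assumed bit rule: a_i = (p * 2^-i mod q) mod 2."""
    inv2 = pow(2, -1, q)
    bits, x = [], p % q
    for _ in range(length):
        bits.append(x & 1)
        x = (x * inv2) % q
    return bits


def period(bits: list[int]) -> int:
    """Smallest T with bits[i] == bits[i + T]; the window must hold at
    least two periods so that a match over half of it is a true period."""
    half = len(bits) // 2
    for t in range(1, half + 1):
        if bits[:half] == bits[t:t + half]:
            return t
    raise ValueError("window too short")


def is_symmetrically_complementary(bits: list[int], T: int) -> bool:
    """c_{i+T/2} is the complement of c_i for every i in one period."""
    return T % 2 == 0 and all(bits[i] ^ bits[i + T // 2] for i in range(T))


def lowest_terms(bits: list[int], T: int) -> tuple[int, int]:
    """p/q in lowest terms whose 2-adic expansion is the strictly periodic
    sequence: sum c_i 2^i = -C / (2^T - 1), C = value of the first period."""
    C = sum(b << i for i, b in enumerate(bits[:T]))
    M = (1 << T) - 1
    g = gcd(C, M)
    return -C // g, M // g


def xor_combiner(q1: int, q2: int, p1: int = 1, p2: int = 1) -> dict:
    """Period, symmetric complementarity and 2-adic complexity of a XOR b."""
    T1 = period(fcsr_sequence(q1, p1, 2 * q1))
    T2 = period(fcsr_sequence(q2, p2, 2 * q2))
    L = lcm(T1, T2)
    n = 3 * L  # enough for period() and for the T + T/2 symmetry check
    c = [x ^ y for x, y in zip(fcsr_sequence(q1, p1, n),
                                 fcsr_sequence(q2, p2, n))]
    T = period(c)
    _, q = lowest_terms(c, T)
    symcomp = is_symmetrically_complementary(c, T)
    # Theorem 4.2.6: q | 2^(T/2) + 1 when complementary, q | 2^T - 1 always
    divisor = (1 << (T // 2)) + 1 if symcomp else (1 << T) - 1
    return {"T1": T1, "T2": T2, "L": L, "T": T, "q": q, "symcomp": symcomp,
            "complexity": log2(q), "q_divides_bound": divisor % q == 0}


def experiment(q1: int, q2: int) -> dict:
    """Steps 2-5 for prime q1, q2: every pair in S_q1 x S_q2, reporting the
    periods seen and how many pairs attain the largest denominator q."""
    runs = [xor_combiner(q1, q2, p1, p2)
            for p1 in range(1, q1) for p2 in range(1, q2)]
    qmax = max(r["q"] for r in runs)
    return {"pairs": len(runs), "periods": {r["T"] for r in runs},
            "all_symcomp": all(r["symcomp"] for r in runs),
            "all_bounds_hold": all(r["q_divides_bound"] for r in runs),
            "qmax": qmax, "attain_qmax": sum(r["q"] == qmax for r in runs)}


if __name__ == "__main__":
    print(xor_combiner(5, 11))   # r1 = 5, r2 = 11: T = L = 20, q = 1025
    print(xor_combiner(3, 11))   # r1 = 3, r2 = 11: T = L/2 = 5, q = 31
    print(experiment(5, 11))
```

    For (5, 11) the script reports T = L = 20, a symmetrically complementary output and q = 1025 = 2^{10} + 1, so the 2-adic complexity log2 q ≈ 10.001 sits just under the bound L/2 + 1 = 11; for (3, 11) it reports T = L/2 = 5 and q = 31 = 2^5 - 1, just under the bound L/2 = 5.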

    4.2.4 Linear complexity of the FCSR XOR combiner

    We now turn to the problem of determining an upper bound on the linear complexity of the FCSR combiner.

    Theorem 4.2.7 The linear complexity of the FCSR XOR combiner in Figure 4.1 is at most $(T_1 + T_2)/2 + 2$.

    Proof:

    From the result of Xu (2000) specialised to the 2-adic case, we know that the linear complexities of the individual ℓ-sequences are bounded above by $T_1/2 + 1$ and $T_2/2 + 1$, where the $T_i$ are the periods of the individual ℓ-sequences. From the work of Massey (1969) it is well known that the linear complexity of a linear combination of sequences is at most the sum of their linear complexities. Applying this result we see that the linear complexity of the FCSR XOR combiner is at most the sum of the linear complexities of the individual FCSRs.


    CHAPTER 5

    CONCLUSIONS AND FUTURE DIRECTIONS

    We have proposed practical algorithms to search for good FCSR architectures given a set of design constraints. We also proposed a search algorithm for d-FCSRs when d = 2. These algorithms offer valuable aid to the stream cipher cryptographer in choosing the keystream generator carefully. More work is needed on d-FCSRs for d ≥ 3 in order that the search for architectures can be carried out in the same manner we have outlined in this thesis.

    We derived the exact period of a certain family of combiners using 2-adic FCSRs as primitives. We also proved upper bounds on the 2-adic complexity and linear complexity of these sequences. It must be emphasised here that our results give the exact period of the combiner using two 2-adic FCSRs and not just a bound. These are the only available results in the literature to date regarding combiners using 2-adic FCSRs.

    The results of Chapter 4 lead to the following design principle. If we desire large period sequences without regard to 2-adic complexity, then it is better to choose $r_1 \not\equiv r_2 \pmod 4$. If we desire sequences with 2-adic complexity that is large compared to the period, then it is better to choose $r_1 \equiv r_2 \pmod 4$.

    It remains to be seen how far the search algorithms can be optimised for each of the special cases of the FCSR architectures, especially the 2-adic FCSR and the d-FCSR. The properties of more general classes of FCSR combiners using arbitrary combining functions and an arbitrary number of FCSRs need to be investigated.


    REFERENCES

    1. Anand S. and Ramanan G. V. (2006) Periodicity, complementarity and complexity of 2-adic FCSR combiner generators (Accepted for publication in Proceedings of the ACM Symposium on Information, Computer and Communications Security, ASIACCS 06, Taipei, Taiwan).

    2. Arnault F. and Berger T.-P. (2004) Design of new pseudorandom generators based on a filtered FCSR automaton, In Proceedings of the SASC Workshop, pages 109-120.

    3. Arnault F. and Berger T.-P. (2005) F-