8/6/2019 Anand Thesis
SEARCH ALGORITHMS FOR FCSR
ARCHITECTURES AND PROPERTIES OF THE FCSR
COMBINER GENERATOR
A THESIS
submitted by
S. ANAND
in fulfillment for the award of the degree
of
MASTER OF SCIENCE (BY RESEARCH)
FACULTY OF ELECTRICAL ENGINEERING
ANNA UNIVERSITY : CHENNAI 600 025
DECEMBER 2005
ANNA UNIVERSITY : CHENNAI 600025
BONAFIDE CERTIFICATE
Certified that this thesis titled SEARCH ALGORITHMS FOR FCSR ARCHITECTURES AND PROPERTIES OF THE FCSR COMBINER GENERATOR is the bonafide work of Mr. S. ANAND who carried out the research under my supervision. Certified further that to the best of my knowledge the work reported herein does not form part of any other thesis or dissertation on the basis of which a degree or award was conferred on an earlier occasion on this or any other candidate.
Dr. Gurumurthi V. Ramanan
Supervisor
Member, Research Staff
AU-KBC Research Centre
MIT Campus of Anna University
Chennai 600 025
ABSTRACT
The feedback-with-carry shift register (FCSR) is an important primitive in the design of stream ciphers. In the first part of this thesis, we propose efficient methods to search for FCSR architectures of guaranteed period and 2-adic complexity. We devise extended versions of these methods that yield architectures of guaranteed period and 2-adic complexity, given additional design constraints such as a fixed number of feedback tap connections. We also propose a search algorithm for a generalisation of the basic FCSR architecture called the d-FCSR, and discuss the difficulty of finding valid architectures for values of the parameter d other than d = 2.
In the second part of the thesis, we study the problem of improving the complexity of FCSR sequences by combining the outputs of two or more FCSRs nonlinearly. We then prove results that establish the period and bounds on the complexity of sequences obtained by combining the outputs of two 2-adic FCSRs using the XOR function.
ACKNOWLEDGEMENTS
It is a pleasure to acknowledge the help and guidance I have received from many people over the past four years. I would like to record my deepest appreciation and thanks to my supervisor, Dr. Gurumurthi V. Ramanan, for all his help, inspiration, and above all, for his faith in me. I was greatly inspired by a course on Discrete and Algebraic Structures that he gave some four years ago, and it led directly to my decision to join the M.S. programme. Whether it was prodding me on when I was lazy, or encouraging me to bravely fight on when the research was going nowhere, or exhorting me to be more ambitious, Guru was always trying to bring out the best in me. For this and much more, many thanks.
I would like to express my profound gratitude to Prof. C. N. Krishnan for allowing me to work at the AU-KBC Research Centre. His gesture came at a particularly crucial time in my life, and if in the long run, my life is counted a success, then it would be in no small measure due to the opportunity Prof. Krishnan provided me.
My thanks are also due to all the faculty members of the AU-KBC Research Centre, especially, Mr. M. Sethuraman, my joint-supervisor, and Prof. S. V. Ramanan. I have learnt a great deal from both of them, and in many ways, I rather hope to emulate their approach to problems and life in general.
I would also like to thank all my friends and colleagues at AU-KBC, especially, Raja, Sujith, Vijayalakshmi, Satish, and Muthuraja, for their comradeship, all-round help and good humour.
Finally, I thank my parents and family for their patience and understanding.
S. Anand
TABLE OF CONTENTS
CHAPTER NO. TITLE PAGE NO.
ABSTRACT iii
LIST OF TABLES vii
LIST OF FIGURES viii
1 INTRODUCTION 1
1.1 PSEUDORANDOM NUMBER GENERATORS 1
1.2 THE DESIGN OF STREAM CIPHERS 4
1.2.1 The requirements for a good stream cipher 5
1.3 CONTRIBUTIONS OF THIS THESIS 7
2 FEEDBACK-WITH-CARRY SHIFT REGISTER SEQUENCES 9
2.1 THE PRECURSORS OF THE FCSR 9
2.1.1 The lagged Fibonacci generator (LFG) 10
2.1.2 The addition-with-carry generator (AWC) 11
2.1.3 The linear feedback shift register (LFSR) 13
2.2 REVIEW OF 2-ADIC NUMBERS 14
2.3 THE FEEDBACK-WITH-CARRY SHIFT REGISTER 16
2.3.1 Operation of the FCSR 16
2.4 ANALOGIES BETWEEN LFSR AND FCSR THEORY 18
2.5 PROPERTIES OF FCSR SEQUENCES 21
3 SEARCH ALGORITHMS FOR FCSR ARCHITECTURES 23
3.1 THE SEARCH ALGORITHMS 24
3.1.1 Search algorithm for the LFG 25
3.1.2 Search algorithm for the AWC 26
3.1.3 The basic FCSR search algorithm 27
3.1.4 FCSR search with additional constraints 29
3.1.5 Search algorithm for d-FCSRs 32
4 FCSR COMBINER GENERATORS 37
4.1 NOTATION 41
4.2 MAIN RESULTS 42
4.2.1 Period of the FCSR XOR combiner 44
4.2.2 Symmetric complementarity 47
4.2.3 2-adic complexity of the FCSR XOR combiner 47
4.2.4 Linear complexity of the FCSR XOR combiner 49
5 CONCLUSIONS AND FUTURE DIRECTIONS 50
LIST OF TABLES
TABLE NO. TABLE NAME PAGE NO.
4.1 Truth table for the XOR function 41
LIST OF FIGURES
FIGURE NO. FIGURE NAME PAGE NO.
1.1 Diagrammatic representation of a stream cipher 4
2.1 The Lagged Fibonacci Generator 10
2.2 The Add-with-Carry Generator 12
2.3 Fibonacci-configured LFSR 13
2.4 Fibonacci-configured FCSR 17
4.1 2-adic FCSR Combiner with XOR combiner function 41
CHAPTER 1
INTRODUCTION
Pseudorandom sequences are required in a wide variety of applications such as Monte-Carlo simulation, spread spectrum communication, radar ranging, randomised algorithms and cryptography. Some of the desirable properties of pseudorandom sequences used in simulation are an extremely long period, uniform distribution of n-tuples for all n, good lattice structure in high dimensions, and ease of computation both in hardware and in software. In cryptographic applications, in addition to all of these properties, the sequences must satisfy much more stringent requirements. For example, the pseudorandom number generators (PRNGs) used in stream cipher cryptography must be unpredictable. Since a PRNG forms the keystream generator of a stream cipher, the unpredictability of its output sequence is crucial to the overall security of the cipher system.
In this thesis, we present algorithms to efficiently generate good architectures for a general class of PRNGs called the feedback-with-carry shift register (FCSR) and also investigate how the period and other important cryptographic properties of these generators may be increased. In Section 1.1 we explore the notion of pseudorandomness from a practical point of view. In Section 1.2 of this chapter we take a practitioner's approach to stream cipher design and enumerate some desirable characteristics of good stream ciphers. In Section 1.3 we present an overview of our contributions to the area of stream cipher design.
1.1 PSEUDORANDOM NUMBER GENERATORS
Everyone seems to have an intuitive conception of randomness. Philosophers and mathematicians have grappled with the problem of defining randomness for centuries. The subject has a long and rich history with some of the landmark theoretical contributions of the last century coming from von Mises, Wald, Church, Kolmogorov, Chaitin, Schnorr and Rissanen. Later Blum, Micali and Yao laid the foundations of the theory of pseudorandom sequences and effective information.
From a practical standpoint, a large number of methods have been developed to generate random sequences using the ordinary arithmetic operations of a computer. These sequences are generated deterministically and are therefore called pseudorandom or quasirandom sequences. When the method of generation has been carefully selected, such sequences have been found to be useful in a wide variety of applications. Some of the historically significant pseudorandom generators in the literature are von Neumann's middle-square generator, the linear congruential generator (LCG), the multiplicative congruential generator (MCG) and the additive number generator. These generators produce uniformly distributed pseudorandom numbers. However, a number of them have been shown to be relatively poor sources of randomness. For example, Marsaglia (1968), in his landmark paper, showed that the numbers produced by the LCG fall mainly on planes in a high dimensional space. For an account of the theory of the LCG and the subsequent development of this subject we refer to Knuth (1998).
For practical purposes, we need some clear definition of randomness and here we will follow the exposition of Golomb (1967). In some sense, there is no truly random finite sequence. At best we can identify certain properties as being associated with randomness, and accept sequences that have these properties as random. When an ideal coin is tossed, we notice that:
1. The number of heads is roughly equal to the number of tails.
2. Approximately one-half the runs have length 1, one-fourth have length 2, and so on.
3. A sequence of coin tosses possesses a special kind of auto-correlation function with a strong peak in the middle that tapers off rapidly at the ends.
The autocorrelation function may be defined as follows. Suppose $(a_n) = \{a_0, a_1, \ldots\}$ is a sequence of real terms; then the autocorrelation $C(\tau)$ is defined as
$$C(\tau) = \lim_{N \to \infty} \frac{1}{N} \sum_{n=1}^{N} a_n a_{n+\tau},$$
provided the limit exists. If $(a_n)$ is a periodic sequence with period $T$, this reduces to
$$C(\tau) = \frac{1}{T} \sum_{n=1}^{T} a_n a_{n+\tau}.$$
Here $\tau$ represents a phase shift of the sequence and the autocorrelation is then a measure of the similarity between the sequence and its phase shift.
From our observations on the coin-flipping phenomenon we are led to a definition of randomness of periodic binary sequences that was first made precise by Golomb (1967). These are called Golomb's randomness postulates. Suppose a periodic binary sequence of period $T$ is represented using the symbols $+1$ and $-1$ rather than the usual 1 and 0. Then, Golomb's randomness postulates are:
R1: In every period, the number of $+1$s is nearly equal to the number of $-1$s. Thus $\left|\sum_{n=1}^{T} a_n\right| \le 1$.
R2: In every period, half the runs have length one, one-fourth have length two, one-eighth have length three, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are equally many runs of $+1$s and $-1$s.
R3: The autocorrelation function $C(\tau)$ is two-valued:
$$T\,C(\tau) = \sum_{n=1}^{T} a_n a_{n+\tau} = \begin{cases} T & \text{if } \tau = 0 \\ K & \text{if } 0 < \tau < T. \end{cases}$$
These three conditions are independent of each other. Any sequence that satisfies these conditions is called a pseudonoise sequence or PN sequence.
1.2 THE DESIGN OF STREAM CIPHERS
Stream ciphers are private-key encryption algorithms that operate on the plaintext one bit at a time. They are extremely fast and easy to implement in both hardware and software. In addition, they usually have very minimal memory and hardware resource requirements and therefore find applications in memory-constrained or area-constrained devices such as smart cards, etc. Stream ciphers have been especially popular in military communications since they offer a practical alternative to the one-time pad, albeit without its absolute security guarantee. In this section we present a general introduction to stream cipher design using the terminology of Beker and Piper (1982).
The structure of a stream cipher is shown diagrammatically in Figure 1.1. The algorithm or keystream generator is usually a finite state machine such as one or more LFSRs with additional boolean logic. The initial state of the pseudorandom keystream generator represents the key of the stream cipher. The keystream when XOR-ed with the binary plaintext gives the ciphertext. The cryptanalyst, although not strictly a part of the system, is included in the diagram merely to indicate where interception is likely to occur.
Figure 1.1: Diagrammatic representation of a stream cipher (blocks: key, algorithm, infinite binary sequence (keystream), binary plaintext, ciphertext, interceptor (cryptanalyst))
Conventional block encryption algorithms such as AES can also be used like a stream cipher by running them in one of the so-called feedback modes, namely, output feedback mode (OFB) and cipher feedback mode (CFB). However, an important point of difference between block ciphers used in feedback mode and the stream ciphers is that in the latter, there is no error propagation: any error in one of the ciphertext bits does not affect subsequent ciphertext bits. In many applications, the propagation of errors is undesirable and in such situations, stream ciphers are preferable to block ciphers.
As is usual in cryptography, we must never underestimate the cryptanalyst and this means we must assume:
C1: The cryptanalyst has a complete knowledge of the cipher system, and all the security lies in the key.
C2: The cryptanalyst has obtained a considerable amount of ciphertext.
C3: The cryptanalyst knows the plaintext equivalent of a certain amount of ciphertext.
These assumptions may seem pessimistic but they are, at any rate, realistic and any cipher system must be secure under these assumptions. Naturally, the terms "considerable amount" and "certain amount" in the assumptions would need to be quantified and their precise values would depend upon the system and the level of security desired.
1.2.1 The requirements for a good stream cipher
If we accept the assumptions C1–C3 above, then the requirements for stream ciphers may be stated as:
A1: The number of choices for the key must be large enough that the cryptanalyst cannot try them all.
A2: The infinite keystream must have a guaranteed minimum length for its period. We then only encipher plaintexts that are shorter than this period.
A3: The ciphertext must appear to be random.
A4: The system must appear to be nonlinear.
Loosely, we may say that a random sequence is one in which knowledge of a number of consecutive elements does not help anyone trying to predict the next one. Since the keystream generator is a finite state machine, its output is periodic, and therefore the keystream sequence cannot be truly random. Nevertheless, if the period is large enough, we can obtain sequences that are effectively random in the sense implied by Golomb's postulates. In practice, the cryptographer hopes that the length of the sequence obtained by the cryptanalyst is small compared to the period of the keystream. Therefore it is important that the keystream sequence not only appear random over the entire period, but it should also have good local randomness properties. Statistical tests for investigating local randomness properties of sequences are thus a useful tool in stream cipher cryptography.
It is important to realise that the requirements such as long period, high nonlinearity and good statistical properties only offer the necessary conditions for a good sequence. By no means do they guarantee a secure system. Further, the properties stated are independent in the sense that no two of them guarantee another, and therefore, they must all be separately and carefully checked. In practice, it is seen that many of the pseudorandom generators suffer from a number of statistical defects. This motivates our development of search algorithms for generating FCSRs with prescribed characteristics such as period and distribution properties.
Practically speaking, the steps involved in the design of a stream cipher may be outlined roughly as follows:
1. Choice of the pseudorandom keystream generator:
(a) the designer specifies some performance parameters for the keystream sequences such as period, complexity, and distribution.
(b) a large number of architectures that meet the requirements in (a) are generated, and a battery of statistical tests are performed on these architectures to find any statistical flaws in the generators.
(c) those architectures that pass all or most of the statistical tests are accepted as potential architectures for the stream cipher.
2. Choice of an appropriate boolean function to mask the structure of the keystream generator. Shift registers cannot be used directly as keystream generators since it is easy to recover their parameters from a small segment of their output sequences. Hence nonlinear boolean functions are used to hide the structure of the shift register.
In the next chapter, we look at a number of shift register architectures that have been proposed recently, and we develop a common framework to analyse their output sequences. In particular, we describe a common generalisation of these generators, namely, the FCSR, and show how the theory of the FCSR parallels that of the well-known LFSR.
1.3 CONTRIBUTIONS OF THIS THESIS
The pseudorandom generators found in most systems are realised as feedback shift registers and in this thesis, we look at a nonlinear variant of the feedback shift register called the feedback-with-carry shift register (FCSR). Our focus is on FCSRs since they are a common generalisation of several previously proposed pseudorandom number generators such as the linear congruential generator (LCG), the linear feedback shift register (LFSR), the add-with-carry generator (AWC), and the multiply-with-carry generator (MWC). All of our algorithms and results can thus be applied to sequences generated by any one of these generators as well.
In the first part of this thesis, we propose efficient algorithms to search for FCSR architectures given a set of constraints on the period, complexity, and distribution properties of the output sequence. An FCSR architecture is completely characterised by a parameter called the connection integer. Once the connection integer is fixed, we can determine properties such as the period of the generated sequence, the susceptibility of the sequence to cryptanalysis measured by linear complexity and 2-adic complexity, and the distribution properties of the sequence. These properties are independent of the initial seed and may be computed from the connection integer. Our search algorithms can be used to generate connection integers of FCSRs with guaranteed properties like period, complexity and distribution. These algorithms ensure that a large number of PRNGs that satisfy at least two of the necessary conditions (viz., A1 and A2) can be generated efficiently. The search algorithms are a contribution towards step 1(b) of the stream cipher design process outlined in the preceding section.
In the second part of this thesis we look at combiners using FCSRs as a practical method of meeting the requirements A3 and A4. We consider a combiner generator that uses two 2-adic FCSRs as primitives and the bit-wise XOR operation as the combining function. We study the periodicity, symmetric complementarity, and bounds on the linear complexity and 2-adic complexity of FCSR XOR combiner generators. This forms our contribution towards step 2 in the stream cipher design process.
The thesis is organised as follows. In Chapter 2, we present some basic results in the theory of FCSRs. In the third chapter we propose algorithms to search for FCSR architectures given a set of requirements such as period and number of tap connections. We also propose a search algorithm for a generalisation of the 2-adic FCSR called the delayed feedback-with-carry shift register (d-FCSR). In Chapter 4 of this thesis, we look at some methods of increasing the 2-adic complexity of FCSRs and prove bounds on the complexity of a family of FCSR combiner generators. In Chapter 5, we summarise our contributions and discuss some directions for future research.
CHAPTER 2
FEEDBACK-WITH-CARRY SHIFT REGISTER SEQUENCES
In Section 2.1 of this chapter we briefly describe some precursors of the FCSR such as the lagged Fibonacci generator (LFG), the add-with-carry (AWC) generator and the linear feedback shift register (LFSR) generator using a formalism due to Marsaglia. Section 2.2 contains the elements of the theory of 2-adic numbers that is required for the study of FCSRs. We also survey some basic results in the theory of 2-adic FCSR sequences in Section 2.3. In Section 2.4 of this chapter, we present three alternative but equivalent ways of describing LFSR and FCSR sequences. Finally, in Section 2.5, we collect all useful results about FCSR sequences.
2.1 THE PRECURSORS OF THE FCSR
The pseudorandom number generators described in this thesis can all be described by means of a function acting iteratively on a set. Let $X$ be a finite set and $f : X \to X$ a feedback function. For a given initial seed value $x \in X$, the pseudorandom sequence is generated using the sequence
$$x := f^0(x), f(x), f^2(x), f^3(x), \ldots, \tag{2.1}$$
where $f^{i+1}(x) = f(f^i(x))$ for all $i \ge 0$ (Marsaglia 1992).
We will show how this simple mechanism can be used to describe the lagged Fibonacci generator (LFG), the Marsaglia and Zaman addition with carry generator (AWC), and the 2-adic FCSR in sections (2.1.1), (2.1.2) and (2.3), respectively.
Figure 2.1: The Lagged Fibonacci Generator (register cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$ with taps $q_s$ and $q_r$ at lags $s$ and $r$)
2.1.1 The lagged Fibonacci generator (LFG)
Let $X$ be the set of $1 \times r$ vectors $x = (x_1, x_2, x_3, \ldots, x_r)$, with elements $x_i$ in some finite set $S$ endowed with a binary operation $\circ$. For the lagged Fibonacci generators, denoted by $F(r, s, \circ)$, the feedback function $f$ is defined by
$$f(x_1, x_2, \ldots, x_r) = (x_2, x_3, \ldots, x_r, x_1 \circ x_{r+1-s}) \tag{2.2}$$
where $r > s$. When $S$ is the set of integers modulo a power of 2 with the binary operations $+$, $-$ or $\times$, the following result of Marsaglia and Tsay (1985) enables us to compute the period of the sequence generated using equation (2.2). It is clear that $x, f^0(x), f(x), f^2(x), f^3(x), \ldots$ is a sequence of vectors generated by the matrix of integers representing $f$.
Theorem 2.1.1 Let $f$ be the $r \times r$ (companion) matrix of integers with odd determinant representing the feedback function. Let $S$ be the set of integers modulo $2^n$ and the binary operation be either $+$ or $-$. In order that the sequence of vectors determined by $x, f^0(x), f(x), f^2(x), f^3(x), \ldots \pmod{2^n}$ have period $(2^r - 1)2^{n-1}$ for every $n \ge 1$ and every initial vector of integers $x$ not all even, it is necessary and sufficient that $f$ have order $j = 2^r - 1$ in the group of non-singular matrices mod 2, order $2j$ mod 4 and order $4j$ mod 8. If the $F(r, s, +)$ generator has maximal period $(2^r - 1)2^{n-1}$ for integers mod $2^n$, then the $F(r, s, \times)$ generator on the set $S$ of odd integers mod $2^n$ has period $(2^r - 1)2^{n-3}$.
Statistical performance of LFGs
When the operation is $\oplus$, the XOR operation, the performance of $F(r, s, \oplus)$ is very poor. Empirical studies have noted that they perform poorly with respect to statistical tests and have very short periods. They fail many of the DIEHARD battery of tests, namely the parking lot tests, m-tuple test, OPSO test, birthday spacings tests, OPERM test, runs test and the rank tests. In this sense they are similar to shift-register sequences. The F(r, s, ) is known to fail the birthday-spacings test. The F(r, s, ) performs well and passes all the above tests as well as the lattice test.
Among the lagged Fibonacci generators the ones using multiplication on odd integers modulo $2^{32}$ are the best. $F(r, s, +)$, F(r, s, ) and F(r, s, ) do well on monkey tests. F(r, s, ) may fail for pairs $(r, s)$ such as $(31, 13)$ or $(17, 5)$ because of their inadequate period, in contrast to other lagged Fibonacci generators, which have periods about $2^{32+r}$ (Marsaglia 1984).
2.1.2 The addition-with-carry generator (AWC)
Marsaglia and Zaman (1991) proposed a new class of random number generators with enormous periods. They were broadly classified into add-with-carry (AWC) and subtract-with-borrow (SWB) generators. Using the Marsaglia formalism, the AWC generator can be easily described as follows.
Let $b, r, s \in \mathbb{Z}^+$ be positive integers, where $b$ is the base, $r > s$, and $r$ and $s$ are the lags. Define $X = \{0, 1, \ldots, b-1\}^r \times \{0, 1\}$. Let $x = (x_1, x_2, \ldots, x_r, c) \in X$ be the seed vector, where $0 \le x_i < b$ and $c \in \{0, 1\}$ is the carry bit. Define the feedback function $f : X \to X$ as
$$f(x_1, x_2, \ldots, x_r, c) = \begin{cases} (x_2, x_3, \ldots, x_r,\; x_{r+1-s} + x_1 + c,\; 0) & \text{if } x_{r+1-s} + x_1 + c < b \\ (x_2, x_3, \ldots, x_r,\; x_{r+1-s} + x_1 + c - b,\; 1) & \text{if } x_{r+1-s} + x_1 + c \ge b. \end{cases} \tag{2.3}$$
Figure 2.2: The Add-with-Carry Generator (register cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$ with taps $q_s$ and $q_r$ at lags $s$ and $r$; the sum is reduced mod $b$ for the new cell and div $b$ for the carry $m_{n-1}$)
Using the Marsaglia formalism, we first generate the sequence of $(r+1)$-tuples $x := f^0(x), f(x), f^2(x), f^3(x), \ldots$. We generate the pseudorandom sequence $(y_i)$, where $y_i \in \{0, 1, \ldots, b-1\}$, using the sequence of $(r+1)$-tuples in the following fashion. At the $i$th iteration the first coordinate of the $(r+1)$-tuple $f^i(x)$ is defined to be $y_i$. The period of $(y_i)_{i \ge 0}$ is the same as the period of the sequence of $(r+1)$-tuples $(f^i(x))_{i \ge 0}$ (Marsaglia and Zaman 1991). This means that the first $r$ elements of the sequence are precisely the first $r$ coordinates of the seed vector $x$.
Theorem 2.1.2 The sequence of digits formed by the AWC generator is in reverse order the same as the sequence of digits in the base-$b$ expansion of a fraction $\dfrac{k}{b^r + b^s - 1}$.
From this it is easy to see that the period of the sequence generated by equation (2.3) is the order of $b$ in the multiplicative group $\left(\mathbb{Z}/(b^r + b^s - 1)\mathbb{Z}\right)^{*}$, when $b^r + b^s - 1$ is a prime. When $b^r + b^s - 1$ is composite, let $\dfrac{k}{b^r + b^s - 1} = \dfrac{c}{d}$, where $(c, d) = 1$. Then the period of the sequence is the order of $b$ in the multiplicative group $\left(\mathbb{Z}/d\mathbb{Z}\right)^{*}$.
This means that for $b$ approximately $2^{32}$ and $r$ around 20, periods of $2^{640}$ are attainable using only $r$ memory locations and simple computer arithmetic. The other carry/borrow generators introduced by Marsaglia and Zaman are simply variations of the above function. The $N$-adic FCSR generalizes the AWC and the MWC generators.
Statistical performance of AWCs
Some of the statistical properties of the AWC and SWB generators were considered by Couture and L'Ecuyer (1994, 1997). One of their observations was that the AWC generators failed the spectral test for some values of the lags. They are also known to fail the birthday spacings test (Marsaglia 1993). The synthesis algorithm for the AWC generator was given by Bach (1998). The approach is similar to the synthesis of the 1/p generator given in Blum, Blum and Shub (1986).
2.1.3 The linear feedback shift register (LFSR)
Linear feedback shift registers have an architecture similar to FCSRs. Their properties are well understood. We give below a description of the LFSR over $\mathbb{F}_2$ in the same formalism used to describe the LFG and AWC.
Let $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$, be the taps and let $a = (a_0, a_1, \ldots, a_{r-1})$, where $a_i \in \{0, 1\}$, be the seed vector. Define $X = \{0, 1\}^r$. The feedback function $f : X \to X$ is
$$f(a_0, a_1, \ldots, a_{r-1}) = \Big(a_1, a_2, \ldots, a_{r-1}, \sum_{k=1}^{r} q_k a_{r-k}\Big). \tag{2.4}$$
Figure 2.3: Fibonacci-configured LFSR
During each iteration the register cells are tapped, their contents added modulo 2, the first coordinate is output (in Figure 2.3, the rightmost bit of the shift register), the contents of the register are shifted to the right and the sum computed previously is taken as the $r$th coordinate of the vector. In Figure 2.3, this sum is returned to the leftmost bit of the register as the new entry.
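As an added example (not code from the thesis), the LFSR feedback function (2.4) is iterated in the Marsaglia formalism (2.1) and the resulting period-7 output is checked against Golomb's postulates R1 to R3 from Section 1.1. The 3-stage register with taps $(q_1, q_2, q_3) = (0, 1, 1)$ and seed $(1, 1, 1)$ is a constructed input, and all function names are this example's own:

```python
# Added example: LFSR feedback function (2.4) iterated as in (2.1), and a checker
# for Golomb's randomness postulates R1-R3.  Not code from the thesis.
from collections import Counter


def lfsr_step(state, taps):
    """One application of f from (2.4): state = (a_0, ..., a_{r-1}), taps = (q_1, ..., q_r).
    The new last coordinate is sum_{k=1}^{r} q_k a_{r-k} reduced mod 2."""
    r = len(state)
    new_bit = sum(taps[k - 1] * state[r - k] for k in range(1, r + 1)) % 2
    return state[1:] + (new_bit,)


def lfsr_sequence(seed, taps, length):
    """First coordinate of f^0(x), f(x), f^2(x), ... as in (2.1), with x = seed."""
    state, out = tuple(seed), []
    for _ in range(length):
        out.append(state[0])
        state = lfsr_step(state, taps)
    return out


def to_pm1(bits):
    """Map 1 -> +1 and 0 -> -1, the symbols used in Golomb's postulates."""
    return [1 if b else -1 for b in bits]


def cyclic_runs(seq):
    """(length, sign) of each run in one period, the period being taken cyclically."""
    T = len(seq)
    if all(x == seq[0] for x in seq):
        return [(T, seq[0])]
    start = next(i for i in range(T) if seq[i] != seq[i - 1])  # a run boundary
    s = seq[start:] + seq[:start]
    runs, i = [], 0
    while i < T:
        j = i
        while j < T and s[j] == s[i]:
            j += 1
        runs.append((j - i, s[i]))
        i = j
    return runs


def r1_balance(seq):
    """R1: |sum_n a_n| <= 1 over one period."""
    return abs(sum(seq)) <= 1


def r2_runs(seq):
    """R2: a fraction 1/2^L of the runs have length L, with equally many runs of
    +1s and -1s, for every L whose indicated number of runs exceeds 1."""
    runs = cyclic_runs(seq)
    total = len(runs)
    by_len = Counter(length for length, _ in runs)
    by_len_sign = Counter(runs)
    L = 1
    while total / 2 ** L > 1:
        if by_len[L] * 2 ** L != total:
            return False
        if by_len_sign[(L, 1)] != by_len_sign[(L, -1)]:
            return False
        L += 1
    return True


def r3_autocorrelation(seq):
    """R3: T*C(tau) = sum_n a_n a_{n+tau} takes a single value K for 0 < tau < T.
    Returns (two_valued, K); K is None when the postulate fails."""
    T = len(seq)
    off_peak = {sum(seq[n] * seq[(n + tau) % T] for n in range(T))
                for tau in range(1, T)}
    if len(off_peak) == 1:
        return True, off_peak.pop()
    return False, None


def golomb_report(seq):
    """Check one period of a +/-1 sequence against R1, R2 and R3."""
    two_valued, K = r3_autocorrelation(seq)
    return {"R1": r1_balance(seq), "R2": r2_runs(seq), "R3": two_valued, "K": K}


# Constructed input: 3-stage LFSR with taps (q_1, q_2, q_3) = (0, 1, 1), i.e.
# a_n = a_{n-2} + a_{n-3} mod 2, seeded with (1, 1, 1); its period is 7.
M_SEQUENCE = to_pm1(lfsr_sequence((1, 1, 1), (0, 1, 1), 7))

if __name__ == "__main__":
    print(lfsr_sequence((1, 1, 1), (0, 1, 1), 14))
    print(golomb_report(M_SEQUENCE))
    # a balanced but obviously structured period (constructed): R3 fails
    print(golomb_report(to_pm1([1, 1, 1, 1, 0, 0, 0, 0])))
```

For the period-7 output the off-peak autocorrelation value is $K = -1$, and the cyclic runs are one of length 3, one of length 2 and two of length 1, which is exactly what R2 demands when only the length-1 count exceeds 1.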
The general theory of LFSRs is based on the algebra of finite fields. Excellent accounts of this theory may be found in the books of Golomb (1967), Rueppel (1986) and Beker and Piper (1982).
The theory of FCSRs is analogous to that of LFSRs. However, the analysis of the 2-adic FCSR is based on the theory of 2-adic numbers. Before discussing the theory of FCSRs we review the theory of 2-adic numbers in the next section.
2.2 REVIEW OF 2-ADIC NUMBERS
The analysis of FCSRs is based on the arithmetic of 2-adic numbers. In 1904, Hensel introduced the concept of 2-adic, and in general, $p$-adic numbers for $p$ prime. A 2-adic number may be described as a binary number
$$\alpha = \ldots \alpha_3 \alpha_2 \alpha_1 \alpha_0 \,.\, \alpha_{-1} \alpha_{-2} \ldots \alpha_{-k} \tag{2.5}$$
where $\alpha_i \in \{0, 1\}$, whose representation extends infinitely to the left of the binary point, but has only finitely many places to the right of the point. 2-adic numbers represented by equation (2.5) may also be thought of as formal Laurent series
$$\alpha = \sum_{i=-k}^{\infty} \alpha_i 2^i, \tag{2.6}$$
where $\alpha_i \in \{0, 1\}$. When there are no non-zero bits to the right of the binary point (i.e. $k = 0$), the 2-adic numbers are called 2-adic integers:
$$\mathbb{Z}_2 = \Big\{ \sum_{i=0}^{\infty} \alpha_i 2^i \;\Big|\; \alpha_i \in \{0, 1\} \Big\}. \tag{2.7}$$
The set of 2-adic integers is denoted by $\mathbb{Z}_2$. The 2-adic integers form a ring with additive identity 0 and multiplicative identity $1 = 1 \cdot 2^0$. Addition in $\mathbb{Z}_2$ is performed by carrying overflow bits to higher order terms, so that $2^i + 2^i = 2^{i+1}$. Using the fact that in $\mathbb{Z}_2$, $1 - 1 = 0$, it is easy to see that
$$-1 = 1 + 2^1 + 2^2 + 2^3 + \cdots. \tag{2.8}$$
From the binary (base-2) representation of positive integers, it is clear that $\mathbb{Z}_2$ contains all positive integers. The identity
$$-\gamma = (-1)\gamma = (1 + 2^1 + 2^2 + 2^3 + \cdots)(\gamma_0 + \gamma_1 2 + \cdots + \gamma_r 2^r) \tag{2.9}$$
shows that $\mathbb{Z}_2$ contains the negative integers. In general, for an arbitrary 2-adic number $\alpha$, calculating the additive inverse $-\alpha$ can be done as follows. Expressing $\alpha$ in the form $\alpha = 2^r\big(1 + \sum_{i=1}^{\infty} \alpha_i 2^i\big)$, where $r$ is an integer, we have
$$-\alpha = 2^r\Big(1 + \sum_{i=1}^{\infty} \bar{\alpha}_i 2^i\Big), \tag{2.10}$$
where $\bar{\alpha}_i$ denotes the complementary bit and $\alpha_i + \bar{\alpha}_i = 1$. The 2-adic numbers, denoted by $\mathbb{Q}_2$, form a field under addition and multiplication. Below are some examples of 2-adic expansions of integers and rationals.
Example 2.2.1 We give the 2-adic representation of the numbers $1/7$, $-1/7$, $9/2$ and $1/10$:
$$\begin{aligned} \tfrac{1}{7} &= \ldots 110110110110111.0, \\ -\tfrac{1}{7} &= \ldots 001001001001001.0, \\ \tfrac{9}{2} &= \ldots 0000100.1, \\ \tfrac{1}{10} &= \ldots 0110011001100110.1 \end{aligned} \tag{2.11}$$
Note that $1/7$ and $-1/7$ are 2-adic integers, while $9/2$ and $1/10$ are 2-adic rationals.
The rational number $1/7 = \overline{011}1.0$ has an eventually periodic 2-adic expansion and $-1/7 = \overline{001}.0$ has a strictly periodic 2-adic expansion. In both these cases, note that the period is just the multiplicative order of 2 in the field $\mathbb{Z}/7\mathbb{Z}$.
In $\mathbb{Z}_2$, the ring of 2-adic integers, every odd integer in $\mathbb{Z}$ has a unique multiplicative inverse. Thus, the ring $\mathbb{Z}_2$ contains every rational number $p/q$ provided $q$ is odd. In fact
$$\mathbb{Z}_2 = \Big\{ \frac{p}{q} \;\Big|\; p, q \in \mathbb{Z},\; q \ne 0 \text{ and } q \text{ is odd} \Big\}. \tag{2.12}$$
This gives an alternative description of $\mathbb{Z}_2$. These ideas may be extended to develop the theory of $p$-adic and $N$-adic numbers.
We have given a very sketchy account of the theory of 2-adic numbers. For a more comprehensive treatment of the theory, we refer to the books by Koblitz (1984), Mahler (1973) and Gouvêa (2003).
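As an added example (not from the thesis), the following computes the 2-adic expansion of a rational $p/q$ bit by bit, splits it into pre-period and period, renders it in the notation of equation (2.11), sums it back to a rational, and compares the period length with the multiplicative order of 2 modulo the odd part of $q$, the observation made above for $1/7$ and $-1/7$. All function names are this example's own:

```python
# Added example: 2-adic expansion of a rational p/q with pre-period/period detection,
# rendering in the notation of Example 2.2.1, and the period versus ord(2) mod q.
# Not code from the thesis.
from fractions import Fraction
from math import gcd


def two_adic(p, q):
    """Return (pre, per, k) with p/q = 2^(-k) * sum_i b_i 2^i, where the bit list
    b = pre + per + per + ... is given least significant bit first and q = 2^k * q'
    with q' odd.  The pre-period/period split is minimal."""
    if q == 0:
        raise ZeroDivisionError("denominator must be non-zero")
    if q < 0:
        p, q = -p, -q
    g = gcd(p, q)
    p, q = p // g, q // g
    k = 0
    while q % 2 == 0:          # pull the 2-power out: it only moves the binary point
        q //= 2
        k += 1
    # For odd q the running numerator num satisfies num = b*q + 2*num', so the next
    # bit is b = num mod 2 and the remainder is num' = (num - b*q)/2.  The numerator
    # alone determines all later bits, so the first repeated numerator starts the period.
    seen, bits, num = {}, [], p
    while num not in seen:
        seen[num] = len(bits)
        b = num & 1
        bits.append(b)
        num = (num - b * q) // 2    # exact division: num - b*q is even
    start = seen[num]
    return bits[:start], bits[start:], k


def evaluate(pre, per, k):
    """Inverse of two_adic: sum the eventually periodic series as a rational."""
    head = sum(b << i for i, b in enumerate(pre))
    block = sum(b << i for i, b in enumerate(per))
    # 2^len(pre) * block * (1 + 2^T + 2^{2T} + ...) = 2^len(pre) * block / (1 - 2^T)
    tail = Fraction(block << len(pre), 1 - (1 << len(per)))
    return (head + tail) / (1 << k)


def format_two_adic(pre, per, k, width=16):
    """'...' + `width` bits left of the binary point, '.', then the k fractional bits
    ('0' when k = 0), most significant bit on the left, as in equation (2.11)."""
    need = width + k
    asc = list(pre)
    while len(asc) < need:
        asc.extend(per)
    asc = asc[:need]
    left = "".join(str(b) for b in reversed(asc[k:]))
    right = "".join(str(b) for b in reversed(asc[:k])) or "0"
    return "..." + left + "." + right


def multiplicative_order(a, m):
    """Smallest t > 0 with a^t = 1 (mod m); requires gcd(a, m) = 1."""
    if m == 1:
        return 1
    if gcd(a, m) != 1:
        raise ValueError("a must be invertible mod m")
    t, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        t += 1
    return t


def period_equals_order(p, q):
    """The period of the expansion of p/q (lowest terms) equals the order of 2
    modulo the odd part of q, as noted in the text for 1/7 and -1/7."""
    _, per, k = two_adic(p, q)
    odd_part = abs(q // gcd(p, q)) >> k
    return len(per) == multiplicative_order(2, odd_part)


if __name__ == "__main__":
    for p, q in [(1, 7), (-1, 7), (9, 2), (1, 10)]:
        pre, per, k = two_adic(p, q)
        print(f"{p}/{q} = {format_two_adic(pre, per, k)}  pre={pre} per={per} k={k}")
```

Running it reproduces the four expansions of equation (2.11), with the repeating blocks $011$ and $001$ for $1/7$ and $-1/7$ (period 3, the order of 2 modulo 7) and the block $0110$ for $1/10$ (period 4, the order of 2 modulo 5).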
2.3 THE FEEDBACK-WITH-CARRY SHIFT REGISTER
2.3.1 Operation of the FCSR
A generalization of the AWC generator and the multiply-with-carry (MWC) generator was described independently by Marsaglia (1994), Couture and L'Ecuyer (1997), and in a series of papers by Klapper and Goresky (1993, 1997). Klapper and Goresky called them feedback-with-carry shift registers (Klapper and Goresky 1997). Using the same framework as before, the 2-adic FCSR can be described as follows.
Fix taps $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$, and let $q_0 = -1$. Define $X = \{0, 1\}^r \times \mathbb{Z}$. Let $a = (a_0, a_1, \ldots, a_{r-1}, m_{r-1}) \in X$ be a seed vector, where $m_{r-1} \in \mathbb{Z}$ is the initial memory and $a_i \in \{0, 1\}$. Let $\sigma_r = \sum_{k=1}^{r} q_k a_{r-k} + m_{r-1}$. Define the feedback function $f : X \to X$ to be
$$f(a_0, a_1, \ldots, a_{r-1}, m_{r-1}) = \Big(a_1, a_2, \ldots, a_{r-1},\; \sum_{k=1}^{r} q_k a_{r-k} + m_{r-1} \pmod 2,\; m_r\Big), \tag{2.13}$$
where $m_r = \lfloor \sigma_r / 2 \rfloor$. Here $\lfloor \cdot \rfloor$ is the floor function.
Figure 2.4: Fibonacci-configured FCSR (register cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$, taps $q_1, q_2, \ldots, q_{r-1}, q_r$ and memory $m_{n-1}$; the feedback sum is reduced mod 2 for the new cell and div 2 for the memory)
The above equation also makes it clear how (2.13) generalises (2.4). As in the generators described earlier, the output sequence $y_i \in \{0, 1\}$ is generated using the sequence of $(r+1)$-vectors $a = f^0(a), f(a), f^2(a), \ldots$. For all $i \ge 0$, $y_i$ is defined to be the first coordinate of the $(r+1)$-tuple $f^i(a)$. As before, this means that the first $r$ output bits will be just the first $r$ coordinates of the seed vector and the period of the sequence $(y_i)_{i \ge 0}$ is the same as that of $(f^i(a))_{i \ge 0}$. The function described in (2.13) shows how the FCSRs differ from the AWC generators defined in (2.3). The carry part in (2.3), which is denoted by $c$ in the $(r+1)$-tuple, is 0 or 1, whereas the analogous memory in (2.13), which is denoted by $m_{r-1}$, is allowed to take integer values. Klapper and Goresky proved that the memory can be bounded in terms of the number of non-zero $q_i$s. Much of the theory they develop for their 2-adic FCSR parallels that of linear feedback shift registers (LFSR) over $\mathbb{F}_2$.
The 2-adic FCSR may be generalised to the $p$-adic and the $N$-adic case, and the analogues of equation (2.13) are obtained by replacing 2 by $p$ and $N$ respectively and making the suitable allowances for the tap coefficients and the initial loadings.
An alternative description of the operation of the FCSR may be given as follows. Fix an odd positive integer $q$ and let
$$q + 1 = q_1 2^1 + q_2 2^2 + \cdots + q_r 2^r \qquad (2.14)$$
be the binary expansion of $q + 1$, where $r = \lfloor \log_2(q + 1) \rfloor$ and $q_i \in \{0, 1\}$. Then the 2-adic FCSR with connection integer $q$ has $r$ stages and feedback connections given by the bits $\{q_1, q_2, \ldots, q_r\}$ in Equation (2.14). This is shown in Figure 2.4. By letting $q_0 = -1$, we may write $q = \sum_{i=0}^{r} q_i 2^i$. The contents of the register are denoted by $a_{n-1}, a_{n-2}, \ldots, a_{n-r}$ and the operation of the 2-adic FCSR is as follows:
A1. Form the integer sum $\sigma_n = \sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}$.
A2. Shift the contents one step to the right, and output the rightmost bit $a_{n-r}$.
A3. Place $a_n = \sigma_n \bmod 2$ into the leftmost cell of the shift register.
A4. Replace the memory integer $m_{n-1}$ with $m_n = (\sigma_n - a_n)/2 = \lfloor \sigma_n / 2 \rfloor$.
Thus we see that an FCSR is a feedback shift register that is similar to the LFSR except that it has a small amount of auxiliary memory. The difference is that during each iteration, the memory, which is an integer, is added to the sum of the tapped bits, and the parity of this quantity, which is
$$\sum_{k=1}^{r} q_k a_{r-k} + m_{r-1} \pmod 2,$$
is taken to be the $r$th coordinate of the new vector (in Figure 2.4, the leftmost bit). The higher order bits are retained as the new value of the memory (i.e., $m_r$). Figure 2.3 and Figure 2.4 illustrate equations (2.4) and (2.13) respectively. Note that in both cases, the right-most bit corresponds to the first coordinate of the $(r+1)$-tuple and is the output at every loop.
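As an added example, not code from the thesis, the following Python implements steps A1 to A4 above for a Fibonacci-configured 2-adic FCSR and checks its output against the 2-adic expansion of $p/q$, using the numerator formula of Section 2.4 with $q_0 = -1$. The connection integer $q = 13$ ($q + 1 = 14 = 2 + 2^2 + 2^3$, so $r = 3$ and all three taps are 1) and the seed states are chosen here for illustration; one seed gives $p = -3$ (strictly periodic, $-q < p \le 0$) and the other $p = 5$ (only eventually periodic).

```python
# Added example: simulate the Fibonacci-configured 2-adic FCSR (steps A1-A4)
# and compare its output with the 2-adic expansion of p/q.
# q = 13 and the seed states are illustrative choices, not from the thesis.

def taps_from_connection_integer(q):
    """Return [q_1, ..., q_r] from the binary expansion q + 1 = sum q_i 2^i (q odd)."""
    if q <= 0 or q % 2 == 0:
        raise ValueError("connection integer must be a positive odd integer")
    bits = bin(q + 1)[2:][::-1]          # bits[i] is the coefficient of 2^i
    r = len(bits) - 1                    # r = floor(log2(q + 1))
    return [int(bits[i]) for i in range(1, r + 1)]

def fcsr_step(taps, cells, memory):
    """One clock: A1 integer sum, A2 shift, A3 parity into the new cell, A4 carry."""
    r = len(taps)
    sigma = sum(taps[k - 1] * cells[r - k] for k in range(1, r + 1)) + memory  # A1
    new_cells = cells[1:] + [sigma % 2]                                         # A2, A3
    return new_cells, sigma // 2                                                # A4: floor(sigma / 2)

def fcsr_run(q, cells, memory, n):
    """First n output bits; the output at each clock is the rightmost cell cells[0]."""
    taps = taps_from_connection_integer(q)
    cells, out = list(cells), []
    for _ in range(n):
        out.append(cells[0])
        cells, memory = fcsr_step(taps, cells, memory)
    return out

def numerator_from_state(q, cells, memory):
    """p such that the output is the 2-adic expansion of p/q (q_0 = -1 convention):
    p = sum_{j<r} sum_{i<=j} q_i a_{j-i} 2^j - m_{r-1} 2^r."""
    taps = [-1] + taps_from_connection_integer(q)      # taps[i] = q_i, with q_0 = -1
    r = len(taps) - 1
    p = sum(taps[i] * cells[j - i] * (1 << j) for j in range(r) for i in range(j + 1))
    return p - memory * (1 << r)

def two_adic_digits(p, q, n):
    """First n digits of the 2-adic expansion of p/q for odd q (long division by q)."""
    digits = []
    for _ in range(n):
        d = p % 2                       # q^{-1} is odd, so digit 0 has the parity of p
        digits.append(d)
        p = (p - d * q) // 2            # exact: p - d*q is even
    return digits

def period_from_state(q, cells, memory):
    """Length of the state cycle reached from (cells, memory); equals the output period."""
    taps = taps_from_connection_integer(q)
    state, seen, t = (tuple(cells), memory), {}, 0
    while state not in seen:
        seen[state] = t
        new_cells, new_mem = fcsr_step(taps, list(state[0]), state[1])
        state, t = (tuple(new_cells), new_mem), t + 1
    return t - seen[state]

if __name__ == "__main__":
    for mem in (1, 0):
        p = numerator_from_state(13, [1, 0, 0], mem)
        print(f"seed (1,0,0), m={mem}: p/q = {p}/13, strictly periodic: {-13 < p <= 0}")
        print("  FCSR  :", fcsr_run(13, [1, 0, 0], mem, 16))
        print("  2-adic:", two_adic_digits(p, 13, 16))
    print("period of the m=1 seed:", period_from_state(13, [1, 0, 0], 1))
```

For the strictly periodic seed the period comes out as 12, the multiplicative order of 2 modulo 13, and the second half of each period is the complement of the first half, as Section 2.5 states for $\ell$-sequences.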
2.4 ANALOGIES BETWEEN LFSR AND FCSR THEORY
From the discussions in the preceding sections, it should be clear that we can
formulate three different but equivalent descriptions of the LFSR and FCSR. Here we
compare the LFSR and FCSR and show how their theories are analogous.
Let $F$ be a finite field and let $q_1, q_2, \ldots, q_r \in F$. The linearly recurrent sequence of order $r$ with multipliers $q_1, q_2, \ldots, q_r \in F$ and initial state $(a_0, a_1, \ldots, a_{r-1})$ is the unique solution to the equations
$$a_j = q_1 a_{j-1} + q_2 a_{j-2} + \cdots + q_r a_{j-r} \qquad (2.15)$$
for $j \ge r$. Such a sequence can be described in three equivalent ways. First, it is the output of an LFSR with $r$ register cells, tap coefficients $q_i \in F$, and initial register loading given by $a_0, a_1, \ldots, a_{r-1} \in F$. The connection polynomial $q(x) \in F[x]$ associated with the recurrence equation (2.15) and the LFSR is given by
$$q(x) = q_0 + \sum_{i=1}^{r} q_i x^i,$$
where $q_0 = -1$. Secondly, the sequence $a_0, a_1, a_2, \ldots$ is the coefficient sequence in the power series expansion of a rational function $p(x)/q(x)$:
$$\frac{p(x)}{q(x)} = a_0 + a_1 x + a_2 x^2 + \cdots,$$
where the denominator polynomial is, as before, dependent only upon the taps of the corresponding LFSR. The numerator polynomial is given by
$$p(x) = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} x^j.$$
And thirdly, the LFSR sequences also have a trace representation given by
$$a_j = \mathrm{Tr}_{L/F}(a \alpha^{-j}),$$
where $L$ is an extension field of $F$ that contains all the roots of $q(x)$, $a \in L$ is dependent upon the initial state of the LFSR, $\mathrm{Tr}_{L/F}$ is the trace function from $L$ to $F$, and $\alpha$ is an appropriate root of $q(x)$ in $L$.
Similarly, for the FCSR, let $N$ be a positive integer. Let $q_1, q_2, \ldots, q_r \in \mathbb{Z}/(N)$, $a_0, a_1, \ldots, a_{r-1} \in \mathbb{Z}/(N)$, and let the initial memory be $m_{r-1} \in \mathbb{Z}$. The FCSR sequence is then the unique solution to the with-carry linear recurrence
$$a_j + N m_j = q_1 a_{j-1} + q_2 a_{j-2} + \cdots + q_r a_{j-r} + m_{j-1} \qquad (2.16)$$
for $j \ge r$. Here, the right hand side of equation (2.16) is first computed as an integer $\sigma \in \mathbb{Z}$. Then $a_j$ is obtained by reducing $\sigma$ modulo $N$, and the new memory $m_j$ is computed as $\lfloor \sigma / N \rfloor$. Again, we may give three alternative descriptions of such a sequence. First, it is the output of an FCSR with $r$ main register cells, tap coefficients given by the $q_i$ and initial state given by the $a_i$. The connection integer associated with the FCSR is
$$q = q_0 + \sum_{i=1}^{r} q_i N^i \in \mathbb{Z},$$
where $q_0 = -1$, so that $q_0$ (and hence $q$) is relatively prime to $N$. Secondly, it is the coefficient sequence of the $N$-adic expansion of the rational number
$$\frac{p}{q} = a_0 + a_1 N + a_2 N^2 + \cdots,$$
where the numerator is given by
$$p = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} N^j - m_{r-1} N^r.$$
Thirdly, FCSR sequences also possess an exponential representation in which the general term may be written as
$$a_j = \bigl(a \gamma^j \bmod q\bigr) \bmod N,$$
where $\gamma = N^{-1} \pmod q$ and $a \in \mathbb{Z}/(q)$ is an element that depends upon the initial state. In the right hand side of the equation above, the quantity $a \gamma^j$ is first reduced modulo $q$ and represented as an integer in the range $\{0, 1, \ldots, q-1\}$, and then this integer is reduced modulo $N$.
2.5 PROPERTIES OF FCSR SEQUENCES
The purpose of this section is to collect in one place all of the results on FCSRs that are relevant to the later parts of the thesis. Here and in what follows, let $\mathbb{Q}_2$ denote the field of 2-adic numbers. The following facts are known about the 2-adic FCSR:
1. (Klapper and Goresky 1997) If a sequence $a = (a_i)_{i \ge 0}$ is the output of a 2-adic FCSR, and $\alpha \in \mathbb{Q}_2$ is the 2-adic number associated with this sequence, then $a$ is eventually periodic and $\alpha = p/q$, where $q$ is the connection integer of the FCSR. Conversely, every eventually periodic binary sequence whose associated 2-adic number is $\alpha = p/q$ is the output of a 2-adic FCSR with connection integer $q$.
2. (Klapper and Goresky 1997) If $\alpha = p/q \in \mathbb{Q}_2$ is the 2-adic number associated with the output sequence of a 2-adic FCSR, then the sequence is strictly periodic if and only if $-q < p \le 0$. If this condition is not satisfied, then the sequence is eventually periodic.
3. (Gauss 1801) If $\alpha = p/q \in \mathbb{Q}_2$ is the 2-adic number associated with the output sequence of a 2-adic FCSR, then the period of the sequence is the multiplicative order of 2 modulo $q$.
4. (Klapper and Goresky 1997) If $\alpha = p/q \in \mathbb{Q}_2$, and if 2 is a primitive root modulo $q$, then the period of the FCSR sequence with connection integer $q$ is maximal and equal to $|(\mathbb{Z}/q\mathbb{Z})^*| = \phi(q)$, where $\phi$ denotes Euler's totient function. Such a sequence is called an $\ell$-sequence. This requires that $q = p^m$ for some odd prime $p$ and some positive integer $m$.
5. (Goresky and Klapper 1995) Every binary $\ell$-sequence possesses the property of symmetrical complementarity: in any binary $\ell$-sequence of period $2t$, where $t$ is a positive integer, the second half of any segment of length $2t$ is the bit-wise complement of the first half. However, the converse of this statement is not true. For example, the sequence generated by a 2-adic FCSR with connection integer $q = 17$ is symmetrically complementary with period 8, but it is not an $\ell$-sequence since 2 is not a primitive root modulo 17.
6. (Goresky and Klapper 1995) Every binary $\ell$-sequence possesses the nearly de Bruijn property: if the $\ell$-sequence is generated by a 2-adic FCSR with connection integer $q$, then in any given period of the sequence, every binary string of length $\lfloor \log_2 q \rfloor$ occurs at least once and every binary string of length $\lfloor \log_2 q \rfloor + 1$ occurs at most once.
7. (Mittelbach and Finger 2004) Any strictly periodic sequence generated by a 2-adic FCSR with connection integer $q$ is symmetrically complementary if and only if $q$ divides $2^{T/2} + 1$, where $T$ is the period of the sequence.
8. (Xu 2000) The linear complexity of an $\ell$-sequence of period $2t$ is at most $t + 1$.
For a more detailed account of the properties of FCSR sequences, including proofs of these assertions, the reader is referred to the papers of Klapper and Goresky (1997), Goresky and Klapper (1995), Mittelbach and Finger (2004), and the dissertation of Xu (2000).
In this chapter we have briefly surveyed the theory of FCSR sequences and
seen how many of the results in this theory closely resemble those in the theory of
LFSR sequences. In the next chapter, we will use these results to devise simple but
effective algorithms to generate a large number of FCSR architectures. The algo-
rithms ensure that the output sequences of these architectures satisfy the necessary
conditions for keystream generators mentioned in Chapter 1.
CHAPTER 3
SEARCH ALGORITHMS FOR FCSR ARCHITECTURES
We have stated the requirements for pseudorandom sequences in Chapter 1
and studied some of their properties in Chapter 2. Now we turn to ways of finding ar-
chitectures that generate such sequences. In practice, while designing feedback shift
registers for use in stream ciphers, the cryptographer would like to start by specifying
a set of criteria on the minimum period, complexity, and distribution properties of
the output sequence of the shift register. The next step would be to generate a large
number of architectures that satisfy these criteria. This is followed by performing
extensive statistical tests on sequences generated by each of these architectures and
rejecting any that fail the tests. A number of statistical test suites are available for this
purpose such as the statistical testing suite developed by the NIST, the DIEHARD
battery of tests of George Marsaglia, and ENT of John Walker. If a particular archi-
tecture passes all or most of these tests, the cryptographer can then have a measure of
confidence in the quality of the sequence generated by the shift register architecture.
In this chapter, we devise simple, practical algorithms to generate a large num-
ber of FCSR architectures with specified properties. The cryptographer may specify
these desirable properties in terms of some performance parameters of the output
sequences such as:
1. the output sequences must have a period greater than some specified value,
2. the output sequences must have a 2-adic complexity greater than a specified
value,
3. the output sequences must have a specified distribution property, such as, for
example, the nearly de Bruijn property.
Hardware or memory resource limitations may give rise to additional constraints such
as:
1. the number of cells in the main register must not exceed a specified value,
2. the number of non-zero taps must not exceed a specified value, or must be ex-
actly equal to some value.
The search algorithms presented in this chapter solve some of these problems. These
algorithms are by no means the most computationally efficient, and we have not at-
tempted to analyse their computational complexity. Further, use of these algorithms
to generate parameters for FCSRs does not guarantee the security of a stream cipher.
However, they ensure that the necessary conditions for good quality output sequences
hold, and serve as effective and practical tools to aid the cryptographer in stream
cipher design.
3.1 THE SEARCH ALGORITHMS
The general idea of the search algorithms for FCSRs is as follows. Suppose
we require a number of FCSR architectures which must have a guaranteed minimum
period ofT. We need to generate an integer q such that the multiplicative order of 2
modulo $q$ is at least $T$. Our basic search algorithm does exactly this. Essentially, we look for those cyclic groups $(\mathbb{Z}/q\mathbb{Z})^*$ in which the subgroup generated by 2 has a large enough order. In order to ensure good distribution properties and complexity measures for the FCSR sequences, we restrict our attention to moduli $q$ that are either an odd prime or a power of an odd prime, for which $(\mathbb{Z}/q\mathbb{Z})^*$ is cyclic, and test for the primitivity of 2 modulo $q$.
There may be additional constraints on $q$ such as a fixed number of tap connections. A moment's consideration shows that if the register size is $r$ and the number of non-zero taps is $h$, then there are $\binom{r-1}{h-1}$ potential connection integers that satisfy the constraints on the register size and the number of non-zero taps. In this case, it may not be feasible to exhaustively generate all the potential connection integers and test whether they satisfy the specified criterion on the period. We therefore devise a simpler sliding-window approach to the problem. More complex algorithms could be designed based on ideas developed by Knuth for generating $n$-tuples.
For the case of the $d$-FCSR, we develop an algorithm that generates connection elements $q$ of the form $q = q_0 + q_1 \pi$ such that $q_0^2 - p q_1^2 = N$, where $p$ is a square-free modulus and the norm $N$ is a prime greater than the desired minimum period. For this search problem, $p$ (a square-free integer), $d = 2$, and $T$ (the minimum period) are specified, and $q_0$ and $q_1$ are to be determined.
In the rest of this section we describe each of these search algorithms in detail.The first two search algorithms for the LFG and the AWC are almost trivial, but we
present them here for the sake of completeness.
3.1.1 Search algorithm for the LFG
Input:
Minimum period, T > 0
Modulus or base, m = 2n, n > 0
Number of architectures to be generated, R > 0
Output:
R values of the long lag ri such that the period of the corresponding LFGs is
greater than T for every si, such that 0 < si < ri.
Algorithm L:
[1. Compute minimum $r$] Compute the smallest integer $k$ such that $2^k > T/2^{n-1} + 1$. Let this value of $k$ be denoted $k_{\min}$.
[2.] Calculate the power $k$ of the base such that $b^k < T < b^{k+1}$.
[3.] Set $j = 1$.
[4.] Compute $m = b^k + b^j - 1$.
[5.] If the order of $b$ modulo $m$ is at least $T$, set $i = i + 1$, $r_i = k$ and $s_i = j$; if $i = n$ go to step 8.
[6.] Set $j = j + 1$; if $j < k$ go to step 4.
[7.] Set $k = k + 1$ and go to step 3.
[8.] Output $r_i$ and $s_i$ for $i = 1, 2, \ldots, n$.
In this algorithm we generate integers of the form $m = b^k + b^j - 1$ where $k > j$ and ensure that the order of $b$ modulo $m$ is at least $T$. The initial value for $k$ is chosen such that it is the greatest exponent for which $b^k < T$. Since $j < k$, if the initial value of $k$ is any smaller, then $m$ cannot be greater than $T$. Therefore, we eliminate the case of smaller starting values for $k$ from our search.
Example 3.1.2 Let b = 10 and minimum T = 1123. Then the lags (4,1), (4, 2), (4, 3),
and (5, 2) give rise to sequences of periods 5004, 3366, 5768, and 1614, respectively.
3.1.3 The basic FCSR search algorithm
The basic strategy for this algorithm is as follows: generate a prime larger than the specified period and compute the order of 2 modulo it. If this is at least the specified period, we accept the prime as valid. Otherwise, we may proceed by generating a smaller prime and checking whether 2 is a primitive root modulo this smaller prime. If 2 is also primitive modulo the square of this prime, then it follows that 2 is primitive modulo every power of the prime. We can then choose as connection integer the power of the prime for which the period reaches the value specified.
Algorithm S:
Input:
Minimum period, $T > 0$
Number of architectures to be generated, $R > 0$
Output:
$R$ connection integers $q$ such that the order of 2 modulo $q$ is at least $T$
[0. Initialise] Set $C \leftarrow 0$; if $T <$ POWERING_THRESHOLD go to step 1; else go to step 4.
[1. Generate prime] Generate a prime $q$ larger than $T$.
[2. Compute order] If the order of 2 modulo $q$ is less than $T$, go to step 3; else store $q$ and the order of 2 modulo $q$, and set $C \leftarrow C + 1$.
[3. Is $C < R$?] If $C < R$, replace $q$ by the next prime greater than $q$ and go to step 2; else if $C = R$, return the $C$ connection integers and the corresponding orders of 2 modulo each of these connection integers.
[4. Powering] Set $A \leftarrow$ START_PRIME.
[5. Compute next prime] Generate a prime $q$ greater than $A$.
[6. Check primitivity] If the order of 2 modulo $q$ is not equal to $q - 1$ (primitivity check), set $A \leftarrow q$ and go to step 5.
[7. Check the square] If $2^{q-1} \not\equiv 1 \pmod{q^2}$, then 2 is primitive modulo $q^2$ and hence primitive modulo $q^k$ for every $k \ge 1$, with order $q^k - q^{k-1}$; choose the smallest $k$ for which $q^k - q^{k-1} \ge T$, store $q^k$ and the order of 2 modulo $q^k$, and set $C \leftarrow C + 1$. If instead $2^{q-1} \equiv 1 \pmod{q^2}$, set $A \leftarrow q$ and go to step 5.
[8. Is $C < R$?] If $C < R$, set $A \leftarrow q$ and go to step 5; else if $C = R$, return the $C$ connection integers and the corresponding orders of 2 modulo each of these connection integers.
This algorithm uses two machine dependent constants, namely, START_PRIME
and POWERING_THRESHOLD. These constants are used to determine when to
switch from generating prime connection integers to prime power connection inte-
gers, and the value of the smallest prime base to choose for the powering subroutine.
Considerable tweaking may be required in order to find the right values for a given
machine.
Example 3.1.3 Let minimum T = 169. Then the following connection integers spec-
ify valid architectures: q = 173, 179, 181, 197. The respective periods are 172, 178,
180, 196. In this case, it turns out that the connection integers all have 2 as a primitive
root.
3.1.4 FCSR search with additional constraints
An important consideration in the implementation of FCSR circuits in hard-
ware is the number of multipliers required. The greater the number of multipliers
required, the greater the area, cost and power dissipation of the chip. Hardware de-
signers may therefore impose absolute limits on the number of multipliers that can
be used in the FCSR implementation. These limits constrain the number of non-zero
feedback connections that a valid FCSR architecture can have.
If the register size is $r$ and the number of non-zero taps is $h$, where $r \ge h > 0$, then there are $\binom{r-1}{h-1}$ potential connection integers that satisfy the criteria on the register size and the number of non-zero taps. For large $r$, and $h$ approximately equal to $r/2$, it may not be feasible to check every possible connection integer with $h$ non-zero taps. The strategy we adopt is as follows: we fix the tap at the right extremity of the main register, that is, the register cell closest to the output. Thus the minimum value of $q$ is $b^r - 1$. This leaves $h - 1$ taps to be assigned to $r - 1$ register cells. We begin by assigning a block or window of $h - 1$ ones to the leftmost taps. At every iteration this block is moved right, and the corresponding connection integer is checked to see if it meets the period requirement. When the block reaches the right extreme, we begin again from the left end, but introduce a zero in the left-most position of the block. This block is again slid towards the right until it reaches the right extreme. In the next iteration, another zero is introduced at the left extreme of the block, and the block is again slid towards the right. We repeat this procedure until we have the requisite number of connection integers or until all the bits in the window are zero, in which case we may continue the search by repeating the procedure for $r + 1$, $r + 2$, and so on.
We now describe the algorithm that returns FCSR architectures of a specified
minimum period and a specified number of non-zero taps.
Input:
Minimum period, $T > 0$
Base, $b > 1$
Number of non-zero taps, $h > 0$
Minimum register size, $r \ge h$
Number of architectures required, $n > 0$
Output:
$n$ integers $Q_i$ such that the order of 2 modulo each $Q_i$ is at least $T$, and such that $Q_i + 1$ has $h$ non-zero coefficients in its base-2 expansion.
Algorithm F:
[1.] Set $i = 0$.
[2.] Let $q_{\min} = 2^r - 1$ and $q' = 2 + 2^2 + 2^3 + \cdots + 2^{h-1}$ (a block of $h - 1$ ones).
[3.] Set $\ell = 0$.
[4.] Calculate $q = q_{\min} + 2^{\ell} q'$.
[5.] If the order of 2 modulo $q$ is at least $T$, set $i = i + 1$ and $Q_i = q$. If $i = n$ go to step 16.
[6.] Set $\ell = \ell + 1$; if $\ell < r - h - 1$ go to step 4.
[7.] Set $k = 1$.
[8.] Let $s' = 2^{k+2} + 2^{k+3} + \cdots + 2^{h}$ (a block of $h - 1 - k$ ones).
[9.] Compute $s = q_{\min} + 2^1 + 2^2 + \cdots + 2^k$.
[10.] Set $\ell = 0$.
[11.] Compute $q = s + 2^{\ell} s'$.
[12.] If the order of 2 modulo $q$ is at least $T$, set $i = i + 1$ and $Q_i = q$. If $i = n$ go to step 16.
[13.] Set $\ell = \ell + 1$; if $\ell < r - h - 1$, go to step 11.
[14.] Set $k = k + 1$; if $k < h$, go to step 8.
[15.] Set $r = r + 1$ and go to step 2.
[16.] Output $Q_i$ for $i = 1, 2, \ldots, n$.
This algorithm is certainly not the most efficient way to generate connection
integers with a fixed number of non-zero taps. It should be noted, however, that the
general problem is hard. In fact, we cannot even be sure that there are sufficiently
many connection integers with the given number of non-zero taps in their binary expansion. This problem is related to much deeper questions in number theory concerning the number of primes that have exactly $k$ 1-bits or 0-bits in their binary expansion. Wagstaff (2001) considered primes with a fixed number of 1s or 0s in their binary expansion and asked whether there exists any $k$ for which we can prove that there are infinitely many primes with exactly $k$ 1-bits in their binary expansions. He also posed the related question of whether there exists any $k$ for which we can prove that there are infinitely many primes with exactly $k$ 0-bits. Wagstaff conjectured that the answers to both questions are positive, and that any $k \ge 3$ is sufficient.
Example 3.1.4 Let minimum period be 1356 and let the number of non-zero taps be
7. Then the connection integers 3041, 2293, 2957 give rise to sequences of period
1520, 2292, 2956, respectively.
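The following Python is added here as an illustration and is not part of the thesis. It implements Algorithm S (both the prime branch and the prime-power branch) and the sliding-window candidate enumeration of Algorithm F, with multiplicative orders computed by factoring $\phi(q)$ by trial division (adequate for the sizes in the examples). It goes beyond the page in one respect: the window is allowed to run up to position $r - 1$ rather than stopping at the bound $\ell < r - h - 1$, so that every tap position is covered. The prime search reproduces Example 3.1.3, and the three connection integers of Example 3.1.4 appear among the $r = 11$, $h = 7$ candidates.

```python
# Added example: Algorithm S (primes and prime powers) and the sliding-window
# enumeration of Algorithm F for 2-adic FCSR connection integers.

def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n

def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + [n] if n > 1 else out

def multiplicative_order(a, n):
    """Order of a in (Z/nZ)^*: start from phi(n) and strip primes while a^(order/p) == 1."""
    phi = n
    for p in prime_factors(n):
        phi = phi // p * (p - 1)
    order = phi
    for p in prime_factors(phi):
        while order % p == 0 and pow(a, order // p, n) == 1:
            order //= p
    return order

def search_primes(T, R):
    """Algorithm S, steps 1-3: R primes q > T with ord_q(2) >= T, as (q, period) pairs."""
    found, q = [], next_prime(T)
    while len(found) < R:
        order = multiplicative_order(2, q)
        if order >= T:
            found.append((q, order))
        q = next_prime(q)
    return found

def search_prime_powers(T, R, start_prime):
    """Algorithm S, steps 4-8: primes q with 2 primitive mod q and 2^(q-1) != 1 (mod q^2);
    2 is then primitive mod every q^k with order q^(k-1)(q-1); take the smallest k reaching T."""
    found, q = [], start_prime if is_prime(start_prime) else next_prime(start_prime)
    while len(found) < R:
        if multiplicative_order(2, q) == q - 1 and pow(2, q - 1, q * q) != 1:
            k = 1
            while q ** (k - 1) * (q - 1) < T:
                k += 1
            found.append((q ** k, q ** (k - 1) * (q - 1)))
        q = next_prime(q)
    return found

def window_candidates(r, h):
    """Algorithm F candidates: bit r of q+1 fixed; for k = 0..h-1 the low bits 1..k are
    fixed, and a window of h-1-k ones slides over the remaining positions (up to r-1,
    one position further than the page's bound)."""
    for k in range(h):
        fixed = (1 << r) | sum(1 << i for i in range(1, k + 1))
        width = h - 1 - k
        low = k + 2 if k else 1                       # one zero after the fixed low block
        for start in range(low, r - width + 1):
            window = sum(1 << i for i in range(start, start + width))
            yield (fixed | window) - 1                # q = (q + 1) - 1

def search_fixed_taps(T, h, r, n):
    """n connection integers q with ord_q(2) >= T and h ones in q+1, register size >= r."""
    found, seen = [], set()
    while len(found) < n:
        for q in window_candidates(r, h):
            if q in seen:
                continue
            seen.add(q)
            if multiplicative_order(2, q) >= T:
                found.append(q)
                if len(found) == n:
                    break
        r += 1
    return found

if __name__ == "__main__":
    print("primes, T=169:", search_primes(169, 4))              # Example 3.1.3
    print("prime powers, T=169:", search_prime_powers(169, 3, 3))
    print("7 taps, r=11, T=1356:", search_fixed_taps(1356, 7, 11, 3))
```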
3.1.5 Search algorithm for d-FCSRs
Operation of the delayed-FCSR (d-FCSR)
The operation of the $d$-FCSR is similar to the 2-adic FCSR except that each carried bit is delayed $d - 1$ steps before being added. In this section, we give a brief description of the theory of the $d$-FCSR after the fashion of Goresky and Klapper (1995). A more detailed account of the theory may be found in Goresky and Klapper (1995). Let $p$ denote an integer and let $d \ge 1$ be such that $x^d - p$ is an irreducible polynomial over the rational numbers. Note that this occurs only when $p$ is not a $k$th power for any prime $k$ dividing $d$. Let $\pi \in \mathbb{R}$ be the positive real solution to $x^d = p$. We define the ring $\mathbb{Z}[\pi]$ as the set of all real numbers of the form
$$u_0 + u_1 \pi + u_2 \pi^2 + \cdots + u_{d-1} \pi^{d-1} \qquad (3.1)$$
with $u_i \in \mathbb{Z}$. The fraction field of $\mathbb{Z}[\pi]$, denoted $\mathbb{Q}[\pi]$, is the set of all real numbers of the form given by Equation (3.1) with $u_i \in \mathbb{Q}$. Every element of $\mathbb{Q}[\pi]$ may be expressed as a fraction $u/v$ with $u, v \in \mathbb{Z}[\pi]$. We can also view $\mathbb{Q}[\pi]$ as a vector space over $\mathbb{Q}$ of dimension $d$ with basis $\{1, \pi, \pi^2, \ldots, \pi^{d-1}\}$, and the elements of $\mathbb{Z}[\pi]$ in $\mathbb{Q}[\pi]$ are referred to as the lattice points of $\mathbb{Q}[\pi]$.
We define the ring $\mathbb{Z}_\pi$ as the set of all infinite formal expressions of the form
$$\alpha = a_0 + a_1 \pi + a_2 \pi^2 + \cdots$$
where $a_i \in T = \{0, 1, \ldots, p - 1\}$, with the obvious operations of addition and multiplication using $\pi^d = p$. Note that when $d = 1$, $\mathbb{Z}[\pi] = \mathbb{Z}$, $\mathbb{Q}[\pi] = \mathbb{Q}$, and $\mathbb{Z}_\pi = \mathbb{Z}_p$, the $p$-adic integers. Now any element $u/q \in \mathbb{Q}[\pi]$ with $u, q \in \mathbb{Z}[\pi]$ is also in $\mathbb{Z}_\pi$ if and only if the denominator $q = \sum_{i=0}^{d-1} q_i \pi^i$ is invertible modulo $\pi$, which is equivalent to $q_0$ being relatively prime to $p$. Then the $\pi$-adic expansion of $u/q$ given by
$$\frac{u}{q} = \sum_{i=0}^{\infty} a_i \pi^i \in \mathbb{Z}_\pi,$$
where $a_i \in T$, is unique, and we refer to the sequence $a_0, a_1, a_2, \ldots$ as the coefficient sequence of $u/q$. The output of a $d$-FCSR is defined to be the coefficient sequence of the $\pi$-adic expansion of the fraction $u/q$ where $u, q \in \mathbb{Z}[\pi]$ and where $q$ is invertible modulo $\pi$.
Search algorithm for $d = 2$
The algorithm searches for a connection element $q$ of the form $q = q_0 + q_1 \pi$ such that
$$q_0^2 - p q_1^2 = N \qquad (3.2)$$
where $p$ is a square-free modulus and $N$ is a prime greater than the desired minimum period. Equation (3.2) says that $N$ is the norm of $q$ in $\mathbb{Z}[\pi]$.
Input:
Degree or delay, $d = 2$.
Modulus or base, $p$, a square-free integer.
Minimum period required, $T$
Output:
$q_0$ and $q_1$ satisfying $\mathrm{norm}(q) = N(q) = q_0^2 - p q_1^2 = N$
[0. Next prime] Generate the next prime $N$ greater than $T$.
[1. Check Legendre symbol] If the Legendre symbol $\left(\frac{p}{N}\right) = -1$, go back to step 0 to get the next prime. Continue until the prime $N$ generated in step 0 is such that $\left(\frac{p}{N}\right) = 1$. When $\left(\frac{p}{N}\right) = 1$, go to the next step (note: $\left(\frac{p}{N}\right) \neq 0$ since $N$ is prime and $N \nmid p$).
[2. Solve quadratic congruence] We solve the equation $x^2 \equiv p \pmod N$. Let the solution be $x_0$.
[3. Subroutine: Modified Cornacchia's algorithm]
Input: $x_0$, the solution of the quadratic congruence
Output: If there is a solution, the algorithm returns $q_0$ and $q_1$.
Given $x_0$ and $N$, define two sequences $(a_n)$ and $(r_n)$ by the Euclidean divisions
$$x_0 = a_0 N + r_0,$$
$$N = a_1 r_0 + r_1,$$
$$r_i = a_{i+2} r_{i+1} + r_{i+2}.$$
The algorithm stops at the first $k$ for which $r_k^2 < N < r_{k-1}^2$. If the equation $q_0^2 - p q_1^2 = N$ has a solution, it is
$$q_0 = r_{k-1}, \qquad q_1 = \sqrt{\frac{r_{k-1}^2 - N}{p}},$$
and the candidate is rejected if $(r_{k-1}^2 - N)/p$ is not a perfect square. If no solution is generated in this step, go to step 0; else proceed.
[4. Compute $m$] Compute $m = -p q_1 / q_0 \pmod N$. (Since $q \equiv 0$ gives $\pi \equiv -q_0/q_1$ and $\pi^2 = p$, this $m$ is the image of $\pi$ in $\mathbb{Z}[\pi]/(q) \cong \mathbb{Z}/N\mathbb{Z}$.) Compute the order of $m$ modulo $N$. If the order of $m$ is less than $T$, go to step 0 and generate the next prime.
[5. Output $q$] Output $q_0$, $q_1$ and the order of $m$ modulo $N$.
Example 3.1.5 Let $p = 6$ and let the minimum period be 133. Then the norms 193, 211, 283, 331 correspond to the connection elements $17 + 4\pi$, $19 + 5\pi$, $17 + \pi$, $25 + 7\pi$, respectively, and the periods of their output sequences are 192, 210, 141, 165, respectively.
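An added Python implementation of the $d = 2$ search, not code from the thesis: square roots modulo $N$ are found with Tonelli-Shanks, the Euclidean step is the modified Cornacchia step above, and the period is the order of $m = -p q_1 / q_0 \bmod N$. With $p = 6$ it recovers the elements and periods of Example 3.1.5 for the norms 193, 211, 283 and 331; the search itself (starting at $T = 133$) simply walks the primes above $T$ as in steps 0 to 5.

```python
# Added example: the d = 2 search of Section 3.1.5 (p = 6, T = 133 as in Example 3.1.5).
from math import isqrt

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def sqrt_mod(a, N):
    """A square root of a modulo an odd prime N, or None if (a/N) = -1 (Tonelli-Shanks)."""
    a %= N
    if a == 0:
        return 0
    if pow(a, (N - 1) // 2, N) != 1:          # Euler's criterion: Legendre symbol -1
        return None
    if N % 4 == 3:
        return pow(a, (N + 1) // 4, N)
    q, s = N - 1, 0                             # N - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (N - 1) // 2, N) != N - 1:     # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, N), pow(a, q, N), pow(a, (q + 1) // 2, N)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % N, i + 1
        b = pow(c, 1 << (m - i - 1), N)
        m, c, t, r = i, b * b % N, t * b * b % N, r * b % N
    return r

def norm_solution(p, N):
    """(q0, q1) with q0^2 - p*q1^2 = N, or None: run Euclid on (N, x0), x0^2 = p (mod N),
    until the remainder drops below sqrt(N); the previous remainder is q0 (step 3)."""
    x0 = sqrt_mod(p, N)
    if x0 is None:
        return None
    a, b = N, x0
    while b * b >= N:
        a, b = b, a % b
    q0 = a
    rest = q0 * q0 - N
    if q0 >= N or rest <= 0 or rest % p:
        return None
    q1 = isqrt(rest // p)
    return (q0, q1) if q1 * q1 * p == rest else None

def dfcsr_period(p, N, q0, q1):
    """Order of m = -p*q1/q0 (mod N), the image of pi in Z[pi]/(q) (step 4)."""
    m = (-p * q1 * pow(q0, -1, N)) % N
    k, x = 1, m
    while x != 1:
        x, k = x * m % N, k + 1
    return k

def search_dfcsr(p, T, count):
    """Connection elements q = q0 + q1*pi with prime norm N > T and period >= T."""
    found, N = [], T + 1
    while len(found) < count:
        while not is_prime(N):
            N += 1
        sol = norm_solution(p, N)
        if sol is not None:
            period = dfcsr_period(p, N, *sol)
            if period >= T:
                found.append((N, sol[0], sol[1], period))
        N += 1
    return found

if __name__ == "__main__":
    for N, q0, q1, period in search_dfcsr(6, 133, 4):
        print(f"N = {N}: q = {q0} + {q1}*pi, period {period}")
```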
The $d$-FCSR with $d \ge 3$
The theory of the $d$-FCSR for $d \ge 3$ is not well understood. For instance, an optimal estimate on the memory needed for implementing a $d$-FCSR is not known when $d \ge 3$ (Klapper and Goresky 1997). This makes the search algorithm impractical for the $d$-FCSR with $d \ge 3$ using the approach taken by us. However, when $d = 2$, an analogue of the analysis for $N$-adic FCSRs holds. More work is needed on $d$-FCSRs for $d \ge 3$ in order that the search for architectures can be carried out in the same manner we have outlined in this chapter.
CHAPTER 4
FCSR COMBINER GENERATORS
Linear feedback shift registers (LFSRs) have been the workhorses of stream
cipher design for the past several decades. They are well-understood, easy to imple-
ment both in hardware and software, and are extremely fast. An important measure of
the security of a classical stream cipher is the linear complexity of the pseudorandom
keystream generator used in its design. The linear complexity of a sequence is de-
fined as the size of the smallest LFSR that generates the given sequence. Sequences
of low linear complexity are susceptible to cryptanalysis via the Berlekamp-Massey
algorithm (Massey 1969). Hence the LFSR cannot directly be used as a keystream
generator in stream ciphers. By introducing suitable nonlinearities in the output or
feedback function of the LFSR, it is often possible to increase the linear complexity, and thus reduce the predictability, of the output sequence.
A number of methods have been devised to increase the linear complexity of
sequences by including nonlinear feed-forward functions in an LFSR-based keystream
generator. For example, two LFSR sequences a and b of periods T1 and T2 respec-
tively may be combined using the XOR function to yield a new sequence c of period
T. In general, n LFSRs may be used and combined using some nonlinear boolean
function. Such a construction is called a combination generator or combiner. There
is a huge amount of literature on this subject and families of constructions such as
clock-controlled generators, combiners and filter generators have been studied exten-
sively over the last three decades. Here, we only mention the papers by Groth (1971),
Key (1976), Gollmann and Chambers (1989), and Massey and Serconek (1996). The
books by Rueppel (1986) and Schneier (1996) also provide good accounts of the the-
ory.
Key (1976) first studied the effect of combining two LFSR sequences using the
bit-wise AND operation as the combining function. He found that when the two LF-
SRs had distinct irreducible characteristic polynomials of degree $r$ and $s$ respectively,
1. the product sequence (bit-wise AND) has period equal to the LCM of the peri-
ods of the two LFSRs, and
2. the linear complexity of the product sequence is rs.
Key also proved bounds on the complexity of filtered LFSR sequences in which
shifted phases of a single LFSR sequence are combined nonlinearly. These re-
sults have subsequently been improved by a number of investigators (Herlestam 1985,
Rueppel and Staffelbach 1987, Golić 1989, Göttfert and Niederreiter 1993, Kolokotronis and Kalouptsidis 2003, and Lam and Gong 2004).
FCSR sequences share many of the important properties of LFSR sequences.
Like the LFSRs, FCSRs cannot be used directly in stream ciphers: FCSR sequences
have high linear complexity and good statistical properties but they are synthesised
by a 2-adic analogue of the Berlekamp-Massey algorithm. This algorithm, due to
de Weger (1986) is based on the theory of approximation lattices of p-adic numbers
and gives rise to the notion of 2-adic complexity of a sequence. Upper bounds on the linear and 2-adic complexity of $\ell$-sequences and lower bounds on some special types of $\ell$-sequences were established in the work of Klapper and Goresky (1997), Xu (2000), and Seo et al. (2000). Stream ciphers using FCSRs still remain largely
unexplored (Schneier 1996). To our knowledge, there have been only a handful of
papers describing or analysing the properties of stream cipher designs based on FC-
SRs (Arnault, Berger and Necer 2002, Arnault and Berger 2004, Arnault and Berger
2005, Mittelbach and Finger 2004, Tasheva, Bedzhev and Stoyanov 2004). There
have been no previous attempts to determine the period, linear complexity and 2-adic
complexity of combiners using FCSRs. Mittelbach and Finger (2004) carried out a
large number of numerical experiments and conjectured upper bounds on the linear
complexity of particular type of generator called the Geffe generator in which 2-adic
FCSRs were used as primitives. Our results, on the other hand, are the first to prove
upper bounds on the 2-adic complexity of combiner generators.
According to Arnault and Berger (2005), the feedback function of the FCSR
is highly nonlinear and hence FCSR sequences are resistant to linear attacks such as
the Berlekamp-Massey algorithm. They claim that a linear filter function adequately
masks the 2-adic structure of the FCSR. Further, they state that linear functions are
optimal from the point of view of resilience and that linear functions provide protec-
tion against certain correlation attacks. Linear functions are also the easiest from the
implementation point of view. For this reason, we chose our combiner function to be
the XOR operation.
In this thesis, we study the periodicity, symmetric complementarity, linear
complexity and 2-adic complexity of combiner generators that use two 2-adic FC-
SRs as primitives and the XOR operation as the combining function. When the two
FCSRs have odd-prime power connection integers with 2 as a primitive root, we de-
termine the period of the output sequence (Theorem 4.2.3). We prove that when the
prime factors of the connection integers of the two FCSRs belong to different equiv-
alence classes modulo 4, the output sequence is symmetrically complementary. We
then use this property to derive upper bounds on the linear complexity and the 2-adic
complexity of the output sequence of the FCSR-combiner (Anand and Ramanan, to
appear in ASIACCS06).
With the aim of proving results similar to those of Key and others for the case
of FCSRs, we conducted a large number of numerical experiments using FCSRs as the primitives in a combiner generator (see Figure 4.1). The experimental procedure
that was used to obtain the observations was as follows:
1. Fix two distinct prime power connection integers q1 and q2 such that 2 is prim-
itive modulo q1 and q2.
2. Generate all possible strictly periodic sequences with these connection integers.
Let the set of all strictly periodic sequences (excluding the all-zeroes and all-ones sequences) with $q_1$ as connection integer be denoted $S_{q_1}$. (These sequences correspond to all fractions $p_1/q_1$ such that $0 > p_1 > -q_1$ and $\gcd(p_1, q_1) = 1$.) Clearly, $|S_{q_1}| = \phi(q_1)$ where $\phi$ is Euler's totient function. Similarly, let $S_{q_2}$ denote the set of all strictly periodic sequences (excluding the all-zeroes and all-ones sequences) with $q_2$ as connection integer. Then, $|S_{q_2}| = \phi(q_2)$.
3. Compute the bit-wise XOR of every pair of sequences $(a, b) \in S_{q_1} \times S_{q_2}$. There are exactly $\phi(q_1)\phi(q_2)$ such pairs, corresponding to every pair of possible values of $p_1$ and $p_2$.
4. For each sequence output by step 3, synthesise the sequence using de Wegers
algorithm. Observe the period, complexity, and structure of the connection in-
teger of the output sequence.
5. Repeat steps 1-4 for another pair of values ofq1 and q2.
Based on the observations made while conducting these experiments, we were able to
conjecture a number of results on the period, complementarity and 2-adic complexity
of combiner sequences. These results are proved in Theorems 4.2.3, 4.2.4 and 4.2.6.
Our aim in this chapter is to prove these results and derive useful design principles
from them.
Consider the truth table for the XOR function, which is shown in Table 4.1. We denote complementation by an overbar, so that $\bar{x} = 1 \oplus x$. Let $x, y \in \{0, 1\}$ and let the symbol $\oplus$ denote the XOR function, i.e. addition modulo 2. It is easy to verify the following two facts from the truth table:

Fact 4.0.1 $\overline{x \oplus y} = \bar{x} \oplus y = x \oplus \bar{y}$

Fact 4.0.2 $x \oplus y = \bar{x} \oplus \bar{y}$

Table 4.1: Truth table for the XOR function

  x   y   x⊕y   x̄⊕y   x⊕ȳ   x̄⊕ȳ
  0   0    0     1     1     0
  0   1    1     0     0     1
  1   0    1     0     0     1
  1   1    0     1     1     0
Figure 4.1: 2-adic FCSR Combiner with XOR combiner function
4.1 NOTATION
With reference to the combiner in Figure 4.1, we now fix the notation for the rest of this chapter. Let $r_1$ and $r_2$ be two odd primes, not necessarily distinct. Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers, where $e_1, e_2 > 0$, such that 2 is a primitive root modulo $q_1$ and modulo $q_2$. Let $a := (a_i)_{i \ge 0}$ and $b := (b_i)_{i \ge 0}$ be two strictly periodic binary sequences generated by 2-adic FCSRs with connection integers $q_1$ and $q_2$, respectively. Let $T_1 = (r_1 - 1)\,r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1)\,r_2^{e_2 - 1}$ be the periods of the two sequences $a$ and $b$ respectively, and let $L = \operatorname{lcm}(T_1, T_2)$. Let $c := (c_i)_{i \ge 0} := a \oplus b := (a_i \oplus b_i)_{i \ge 0}$ be the output sequence obtained by computing the element-wise exclusive-OR of $a$ and $b$. Let $T$ be the period of the sequence $c$ and let $p/q$ be the rational number in lowest terms whose 2-adic expansion coincides with the sequence $c$.
4.2 MAIN RESULTS
Before we proceed to discuss the main theorems, we need a couple of useful lemmas. The first of these is a well-known fact that can be easily derived from the results in any introductory textbook on number theory, for example from Theorem 95 of Hardy and Wright (1979).

Lemma 4.2.1 Let $q = r^e$ be a power of an odd prime $r$ such that 2 is a primitive root modulo $q$. Then $r$ is of the form $4k \pm 1$ where $k$ is odd.

Proof: (from Hardy and Wright (1979))

The proof is by contradiction. Suppose $r = 4k \pm 1$ where $k$ is even. Then $r = 4k \pm 1 = 8k' \pm 1$ for some integer $k'$. Consider the quadratic character of 2 modulo $q$. We know from Euler's criterion on quadratic residues that $\left(\frac{2}{p}\right) = 2^{\varphi(p)/2} \equiv \pm 1 \pmod p$ for any odd prime $p$, where the sign is $+$ or $-$ according as $p \equiv \pm 1 \pmod 8$ or $p \equiv \pm 3 \pmod 8$, and where $\varphi$ denotes Euler's totient function. Since $r = 8k' \pm 1$, this implies that $2^{\varphi(r)/2} \equiv +1 \pmod r$ and that 2 is a quadratic residue modulo $r$. Therefore 2 is also a quadratic residue modulo $q$ and $2^{\varphi(q)/2} \equiv +1 \pmod q$. But this contradicts the fact that if 2 is a primitive root modulo $q$ then $2^i \equiv 1 \pmod q$ for no $i < \varphi(q)$. Hence $k$ cannot be even.
Lemma 4.2.2 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two powers of odd primes $r_1$ and $r_2$ such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $T_1 = (r_1 - 1)\,r_1^{e_1 - 1}$, $T_2 = (r_2 - 1)\,r_2^{e_2 - 1}$ and let $L = \operatorname{lcm}(T_1, T_2)$.

i. If $r_1 \not\equiv r_2 \pmod 4$, say $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$, then $L/T_1$ is odd and $L/T_2$ is even.

ii. If $r_1 \equiv r_2 \pmod 4$, then both $L/T_1$ and $L/T_2$ are odd.
Proof:

(i.) We have
$$L = \operatorname{lcm}(T_1, T_2) = \frac{T_1 T_2}{\gcd(T_1, T_2)}.$$
Therefore,
$$\frac{L}{T_2} = \frac{T_1}{\gcd(T_1, T_2)} = \frac{4k_1(4k_1 + 1)^{e_1 - 1}}{\gcd\!\left(4k_1(4k_1 + 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\right)} = \frac{2k_1(4k_1 + 1)^{e_1 - 1}}{\gcd\!\left(2k_1(4k_1 + 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\right)}.$$
This is clearly an even number: the denominator is odd (it divides the odd number $(2k_2 - 1)(4k_2 - 1)^{e_2 - 1}$), so it divides $k_1(4k_1 + 1)^{e_1 - 1}$, and the quotient retains the factor 2 (here $k_1$ is odd by Lemma 4.2.1). By similar arguments, $L/T_1 = T_2/\gcd(T_1, T_2)$ is seen to be an odd number.

(ii.) We can prove this for both $r_1 \equiv r_2 \equiv 1 \pmod 4$ and $r_1 \equiv r_2 \equiv -1 \pmod 4$ by using Lemma 4.2.1 in an argument similar to the one above.

Case 1: $r_1 \equiv r_2 \equiv +1 \pmod 4$, so $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 + 1$.
$$\frac{L}{T_1} = \frac{T_2}{\gcd(T_1, T_2)} = \frac{4k_2(4k_2 + 1)^{e_2 - 1}}{\gcd\!\left(4k_1(4k_1 + 1)^{e_1 - 1},\ 4k_2(4k_2 + 1)^{e_2 - 1}\right)} = \frac{k_2(4k_2 + 1)^{e_2 - 1}}{\gcd\!\left(k_1(4k_1 + 1)^{e_1 - 1},\ k_2(4k_2 + 1)^{e_2 - 1}\right)}.$$
This is odd since $k_1$ and $k_2$ are both odd by Lemma 4.2.1. Similarly, $L/T_2$ is also odd.

Case 2: $r_1 \equiv r_2 \equiv -1 \pmod 4$, so $r_1 = 4k_1 - 1$ and $r_2 = 4k_2 - 1$.
$$\frac{L}{T_1} = \frac{T_2}{\gcd(T_1, T_2)} = \frac{(4k_2 - 2)(4k_2 - 1)^{e_2 - 1}}{\gcd\!\left((4k_1 - 2)(4k_1 - 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\right)} = \frac{(2k_2 - 1)(4k_2 - 1)^{e_2 - 1}}{\gcd\!\left((2k_1 - 1)(4k_1 - 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\right)}.$$
This is clearly again an odd number. Similarly, $L/T_2$ is also odd.
Under the same assumptions as in Lemma 4.2.2, consider the expression $(T_1 - T_2) \bmod 4$ when $r_1 \not\equiv r_2 \pmod 4$. Without loss of generality, assume that $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$. Then
$$T_1 = (r_1 - 1)\,r_1^{e_1 - 1} = 4k_1(4k_1 + 1)^{e_1 - 1}$$
and
$$T_2 = (r_2 - 1)\,r_2^{e_2 - 1} = (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}.$$
Therefore,
$$T_1 - T_2 = 2\left[\,2k_1(4k_1 + 1)^{e_1 - 1} - (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\right].$$
The first term inside the square brackets is even while the second term is odd. This implies that $T_1 - T_2 = 2m$ where $m$ is some odd integer. Therefore we must have
$$T_1 - T_2 \equiv 2 \pmod 4. \tag{4.1}$$
We will use equation (4.1) in the proof of Theorem 4.2.3.
4.2.1 Period of the FCSR XOR combiner

Theorem 4.2.3 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where $e_1, e_2 > 0$ and such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $a := (a_i)_{i \ge 0}$ and $b := (b_i)_{i \ge 0}$ be two strictly periodic binary sequences generated by 2-adic FCSRs with connection integers $q_1$ and $q_2$, and let $c := (c_i)_{i \ge 0} := a \oplus b := (a_i \oplus b_i)_{i \ge 0}$. Let $T_1 = (r_1 - 1)\,r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1)\,r_2^{e_2 - 1}$ be the periods of the two sequences $a$ and $b$ respectively and let $L = \operatorname{lcm}(T_1, T_2)$.

If $r_1 \not\equiv r_2 \pmod 4$, the sequence $c$ has period $L$; if $r_1 \equiv r_2 \pmod 4$, the sequence $c$ has period $L/2$.
Proof:
The sequence $a$ is an $\ell$-sequence and has the following properties:
$$a_i = a_{i + (2n)T_1/2} \quad\text{and}\quad \bar{a}_i = a_{i + (2n+1)T_1/2}, \qquad i = 0, 1, 2, \ldots \tag{4.2}$$
for any fixed integer $n \ge 0$. Similarly, for the sequence $b$ we have
$$b_i = b_{i + (2n)T_2/2} \quad\text{and}\quad \bar{b}_i = b_{i + (2n+1)T_2/2}, \qquad i = 0, 1, 2, \ldots \tag{4.3}$$
for any fixed integer $n \ge 0$. Let the period of the sequence $c$ be denoted by $T$.

Case 1: ($r_1 \equiv r_2 \pmod 4$)

We will prove that $T = L/2$ by first showing that $T \mid L/2$ and then by proving that $L/2 \mid T$. By Lemma 4.2.2, when $r_1 \equiv r_2 \pmod 4$ both $L/T_1$ and $L/T_2$ are odd. Putting $2n + 1 = L/T_1$ and $2n + 1 = L/T_2$ in equations (4.2) and (4.3) respectively, we have $\bar{a}_i = a_{i + L/2}$ and $\bar{b}_i = b_{i + L/2}$ for every $i \ge 0$. That is,
$$c_i = a_i \oplus b_i = \bar{a}_{i + L/2} \oplus \bar{b}_{i + L/2} = a_{i + L/2} \oplus b_{i + L/2} = c_{i + L/2}. \tag{4.4}$$
Hence $T$, which is the smallest period of the sequence $c$, must divide $L/2$. On the other hand, if $T$ is the period, $c_i = c_{i + T}$ for every $i \ge 0$. This implies that $a_i = a_{i + T}$ and $b_i = b_{i + T}$, or that $a_i = \bar{a}_{i + T}$ and $b_i = \bar{b}_{i + T}$. In either case, $T$ is a common multiple of $T_1/2$ and $T_2/2$. Since $L/2$ is the least common multiple of $T_1/2$ and $T_2/2$, we must have $L/2 \mid T$. Therefore, $T = L/2$.
Case 2: ($r_1 \not\equiv r_2 \pmod 4$)

We will prove that $T = L$ by first showing that $T \mid L$ and then by showing that $L \mid T$. First, note that since $L$ is a multiple of both $T_1$ and $T_2$, we must have $a_i = a_{i + L}$ and $b_i = b_{i + L}$ for every $i \ge 0$. Hence $c_i := a_i \oplus b_i = a_{i + L} \oplus b_{i + L} =: c_{i + L}$ for every $i \ge 0$, and since $T$ is the (smallest) period of $c$, $T \mid L$.

On the other hand, if $T$ is the period of the sequence $c$, then $c_i = c_{i + T}$ for every $i \ge 0$, which implies either that $a_i \oplus b_i = a_{i + T} \oplus b_{i + T}$ or that $a_i \oplus b_i = \bar{a}_{i + T} \oplus \bar{b}_{i + T}$ (by Fact 4.0.2) for every $i \ge 0$. This implies either that $a_i = a_{i + T}$ and $b_i = b_{i + T}$, or that $a_i = \bar{a}_{i + T}$ and $b_i = \bar{b}_{i + T}$, for all $i \ge 0$. Suppose the latter holds. Then $T$ must be an odd multiple of $T_1/2$ as well as of $T_2/2$. That is, $T = (2m_1 + 1)T_1/2$ and $T = (2m_2 + 1)T_2/2$ for some integers $m_1$ and $m_2$. Hence $(2m_1 + 1)T_1/2 = (2m_2 + 1)T_2/2$, which implies $2m_1T_1 + T_1 = 2m_2T_2 + T_2$. Therefore we must have $T_2 - T_1 = 2(m_1T_1 - m_2T_2) \equiv 0 \pmod 4$, since $T_1$ and $T_2$ are even. This contradicts the fact that if $r_1 \not\equiv r_2 \pmod 4$, we must have $T_2 - T_1 \equiv 2 \pmod 4$ (by equation (4.1)). Therefore, $T$ cannot be an odd multiple of $T_1/2$ and $T_2/2$. We consider the other possibility, that $T$ is an even multiple of $T_1/2$ and $T_2/2$. This implies that $T = 2m_1T_1/2$ and $T = 2m_2T_2/2$ for some integers $m_1$ and $m_2$. Therefore $T$ is a common multiple of both $T_1$ and $T_2$. Since $L$ is the least common multiple of $T_1$ and $T_2$, it must divide any common multiple of $T_1$ and $T_2$. Therefore $L \mid T$. Since we have already proved that $T \mid L$, this means that $T = L$.
We have established that the period $T$ of the FCSR XOR-combiner is
$$T = \begin{cases} T_1T_2/\gcd(T_1, T_2), & \text{if } r_1 \not\equiv r_2 \pmod 4, \\ T_1T_2/\bigl(2\gcd(T_1, T_2)\bigr), & \text{if } r_1 \equiv r_2 \pmod 4. \end{cases} \tag{4.5}$$
That is, combining two $\ell$-sequences using the XOR function yields a sequence whose period is the product of the individual periods divided by their gcd (and by a further factor of 2 in the congruent case). Since $T_1$ and $T_2$ are both even, $\gcd(T_1, T_2) \ge 2$, so the period is at most $T_1T_2/2$. To obtain the maximum period, $r_1$ and $r_2$ must be chosen so that they do not belong to the same equivalence class modulo 4, and for proper choices of $r_1$ and $r_2$ (those with $\gcd(T_1, T_2) = 2$) the period of the XOR-combiner is exactly $T_1T_2/2$.

In the next theorem, we prove that if $r_1 \not\equiv r_2 \pmod 4$, the output sequence of the combiner considered in Figure 4.1 is symmetrically complementary.
4.2.2 Symmetric complementarity

Theorem 4.2.4 Let all assumptions be the same as in Theorem 4.2.3. If $r_1 \not\equiv r_2 \pmod 4$, then the sequence $c$ is symmetrically complementary, i.e. $c_{i + T/2} = \bar{c}_i$ for every $i \ge 0$, where $T$ is the period of $c$.

Proof:

When $r_1 \not\equiv r_2 \pmod 4$, $L/T_1$ is odd and $L/T_2$ is even by Lemma 4.2.2. Therefore, from equations (4.2) and (4.3), $a_i = \bar{a}_{i + L/2}$ and $b_i = b_{i + L/2}$ for every $i \ge 0$, which implies that
$$c_i = a_i \oplus b_i = \bar{a}_{i + L/2} \oplus b_{i + L/2}, \qquad i = 0, 1, 2, \ldots \tag{4.6}$$
By Fact 4.0.1 about the bit-wise XOR operation we now have
$$c_i = \bar{a}_{i + L/2} \oplus b_{i + L/2} = \overline{a_{i + L/2} \oplus b_{i + L/2}} = \bar{c}_{i + L/2}, \qquad i = 0, 1, 2, \ldots \tag{4.7}$$
Since we know from Theorem 4.2.3 that in this case the sequence $c$ has period $T = L$, equation (4.7) says precisely that $c$ is symmetrically complementary.
4.2.3 2-adic complexity of the FCSR XOR combiner
Before we prove upper bounds on the 2-adic complexity of the output sequence, we first define the 2-adic complexity of a binary sequence following Xu's definition of $N$-adic complexity (Xu 2000). Let $s := s_0 s_1 s_2 \ldots$ be an infinite periodic binary sequence and let $\sum_{i \ge 0} s_i 2^i = p/q \in \mathbb{Z}_2$ be the fraction in lowest terms whose 2-adic expansion agrees with the sequence $s$.

Definition 4.2.5 The 2-adic complexity of the sequence $s$, denoted here by $\lambda(s)$, is defined to be
$$\lambda(s) = \max\bigl(\log_2 |p|,\ \log_2 |q|\bigr).$$
If the sequence $s$ is strictly periodic, then $p/q < 0$ and $|p| < |q|$, so that $\lambda(s)$ is simply equal to $\log_2 |q|$. We determine an upper bound on the 2-adic complexity of the FCSR XOR-combiner in the following theorem.

Theorem 4.2.6 Let all assumptions be the same as in Theorem 4.2.3. If $r_1 \not\equiv r_2 \pmod 4$, the 2-adic complexity of the output sequence $c$ of the FCSR combiner, denoted by $\lambda(c)$, satisfies $\lambda(c) < L/2 + 1 = T/2 + 1$. If $r_1 \equiv r_2 \pmod 4$, the 2-adic complexity of the sequence $c$ satisfies $\lambda(c) < L/2 = T$.
Proof:
Let $q$ be the denominator of the fraction in lowest terms whose 2-adic expansion agrees with the sequence $c$, and let $T$ be the period of the sequence $c$.

If $r_1 \not\equiv r_2 \pmod 4$, then by Theorem 4.2.4 and by Fact 7 about FCSR sequences in Chapter 2, we must have $q \mid 2^{T/2} + 1$. We also know by Theorem 4.2.3 that $T = L$. Therefore $q \mid 2^{L/2} + 1$. The maximum value of $q$ occurs when $q = 2^{L/2} + 1$, and in that case $\lambda(c) = \log_2 q < L/2 + 1$.

If $r_1 \equiv r_2 \pmod 4$, then the period of the output sequence $c$ is $T = L/2$. We know that for any sequence of period $T$, $q \mid 2^T - 1$, and the maximum value of $q$ for a given $T$ occurs when $q = 2^T - 1$. Hence $\lambda(c) = \log_2 q < T = L/2$.
Even though it seems to be difficult to prove a lower bound on the 2-adic complexity of the XOR combiner, numerical experiments point to a lower bound of $L/2 - \max(\lambda(a), \lambda(b))$ when $r_1 \equiv r_2 \pmod 4$. In this context, we point out that for a fixed pair of connection integers $(q_1, q_2)$ of the type considered in this chapter, most of the output sequences attain the upper bound on the 2-adic complexity. Numerical experiments also show that for most such pairs of connection integers, all output sequences attain the upper bound.
We observe from Theorem 4.2.3 and Theorem 4.2.6 that in both cases, $r_1 \not\equiv r_2 \pmod 4$ and $r_1 \equiv r_2 \pmod 4$, the period of the output sequence grows roughly quadratically with the periods of the input sequences. However, for the case $r_1 \not\equiv r_2 \pmod 4$, due to the symmetric complementarity of the output sequence, its 2-adic complexity bound is half of the period; for the case $r_1 \equiv r_2 \pmod 4$ the 2-adic complexity bound is the period of the output sequence.
4.2.4 Linear complexity of the FCSR XOR combiner

We now turn to the problem of determining an upper bound on the linear complexity of the FCSR combiner.

Theorem 4.2.7 The linear complexity of the FCSR XOR combiner in Figure 4.1 is at most $(T_1 + T_2)/2 + 2$.

Proof:

From the result of Xu (2000) specialised to the 2-adic case, we know that the linear complexities of the individual $\ell$-sequences are upper bounded by $T_1/2 + 1$ and $T_2/2 + 1$, where $T_1$ and $T_2$ are the periods of the individual $\ell$-sequences. From the work of Massey (1969) it is well known that the linear complexity of a linear combination of sequences (here the bit-wise XOR) is at most the sum of their linear complexities. Applying this result, we see that the linear complexity of the FCSR XOR combiner is at most the sum of the linear complexities of the individual FCSR sequences, that is, at most $(T_1 + T_2)/2 + 2$.
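The following script is an added worked example and is not code from the thesis or from the ASIACCS 06 paper. It carries out steps 1-4 of the experimental procedure described at the start of this chapter for one pair $(q_1, q_2)$ and checks the outputs against Theorems 4.2.3, 4.2.4, 4.2.6 and 4.2.7: the period of every XOR output is compared with equation (4.5), symmetric complementarity is tested directly, the connection integer $q$ of each output is recovered so that $\log_2 q$ can be compared with the bounds of Theorem 4.2.6, and the linear complexity is computed with the Berlekamp-Massey algorithm. Two simplifications relative to the thesis are assumptions of the example: each FCSR sequence is produced by iterating the 2-adic division $x \mapsto (x - (x \bmod 2)\,q)/2$ rather than by a register-level simulation, and the connection integer of an output is obtained by reducing the fraction $-N/(2^T - 1)$ built from one observed period rather than by running de Weger's rational approximation algorithm (which, for a strictly periodic input, converges to the same denominator). The function names and the test pairs $(3, 5)$, $(3, 11)$ and $(5, 13)$ are the example's own choices.

```python
from math import gcd, lcm

def two_adic_expansion(p, q, n):
    """First n bits of the 2-adic expansion of p/q (q odd, -q < p < 0): the
    FCSR state update itself.  Emit x mod 2, replace x by (x - bit*q)/2; the
    state stays in (-q, 0), so the output is strictly periodic."""
    assert q % 2 == 1 and -q < p < 0
    bits, x = [], p
    for _ in range(n):
        bit = x & 1
        bits.append(bit)
        x = (x - bit * q) // 2
    return bits

def euler_phi(q):
    return sum(1 for k in range(1, q + 1) if gcd(k, q) == 1)

def is_primitive_root_2(q):
    """True iff the multiplicative order of 2 modulo q equals phi(q)."""
    order, x = 1, 2 % q
    while x != 1:
        x, order = 2 * x % q, order + 1
    return order == euler_phi(q)

def odd_prime_base(q):
    """The odd prime r with q = r^e (q is assumed to be an odd prime power)."""
    r = 3
    while q % r:
        r += 2
    return r

def theorem_period(q1, q2):
    """Period of the combiner predicted by equation (4.5) of Theorem 4.2.3."""
    L = lcm(euler_phi(q1), euler_phi(q2))
    return L if odd_prime_base(q1) % 4 != odd_prime_base(q2) % 4 else L // 2

def strictly_periodic_sequences(q, n):
    """S_q: the phi(q) strictly periodic sequences with connection integer q."""
    return [two_adic_expansion(p, q, n) for p in range(1 - q, 0) if gcd(p, q) == 1]

def minimal_period(seq, bound):
    """Least divisor d of `bound` (here L) with seq[i] == seq[i + d], i < bound."""
    for d in range(1, bound + 1):
        if bound % d == 0 and all(seq[i] == seq[i + d] for i in range(bound)):
            return d

def connection_integer(seq, period):
    """Denominator q of -N/(2^T - 1) in lowest terms, N one period of seq read
    little-endian; log2(q) is the 2-adic complexity.  For a strictly periodic
    input this is the q that de Weger's rational approximation converges to."""
    N = sum(bit << i for i, bit in enumerate(seq[:period]))
    M = (1 << period) - 1
    return M // gcd(N, M)

def berlekamp_massey(seq):
    """Linear complexity of a binary sequence (Massey 1969); exact once seq
    holds at least twice as many bits as the true linear complexity."""
    N = len(seq)
    c, b = [0] * (N + 1), [0] * (N + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for n in range(N):
        d = seq[n]
        for i in range(1, L + 1):
            d ^= c[i] & seq[n - i]
        if d:
            t, shift = c[:], n - m
            for i in range(N + 1 - shift):
                c[i + shift] ^= b[i]
            if 2 * L <= n:
                L, m, b = n + 1 - L, n, t
    return L

def analyse(q1, q2):
    """Steps 1-4 for one pair (q1, q2): the set of observed periods, whether all
    outputs are symmetrically complementary, and the largest connection integer
    and linear complexity seen over the phi(q1)*phi(q2) outputs."""
    assert is_primitive_root_2(q1) and is_primitive_root_2(q2)
    L = lcm(euler_phi(q1), euler_phi(q2))
    n = 2 * L + 8  # enough bits for the period search (2L) and Berlekamp-Massey
    periods, symmetric, q_max, lc_max = set(), True, 0, 0
    for a in strictly_periodic_sequences(q1, n):
        for b in strictly_periodic_sequences(q2, n):
            c = [x ^ y for x, y in zip(a, b)]
            T = minimal_period(c, L)
            periods.add(T)
            symmetric &= T % 2 == 0 and all(c[i + T // 2] != c[i] for i in range(T))
            q_max = max(q_max, connection_integer(c, T))
            lc_max = max(lc_max, berlekamp_massey(c))
    return periods, symmetric, q_max, lc_max

if __name__ == "__main__":
    for q1, q2 in [(3, 5), (3, 11), (5, 13)]:  # r1 != r2 (mod 4), then r1 == r2
        print((q1, q2), "predicted T", theorem_period(q1, q2), "observed", *analyse(q1, q2))
```

For $(3, 5)$, where $3 \not\equiv 5 \pmod 4$, the script reports period $4 = L$, every output symmetrically complementary and connection integer $5 = 2^{T/2} + 1$; for $(3, 11)$, where $3 \equiv 11 \pmod 4$, it reports period $5 = L/2$, no symmetric complementarity and connection integer $31 = 2^T - 1$, so the bounds of Theorem 4.2.6 are attained in both cases, and in every case the largest linear complexity found stays below $(T_1 + T_2)/2 + 2$. Larger $q_i$ simply take longer, since all $\varphi(q_1)\varphi(q_2)$ pairs are enumerated.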
CHAPTER 5
CONCLUSIONS AND FUTURE DIRECTIONS
We have proposed practical algorithms to search for good FCSR architectures given a set of design constraints. We also proposed a search algorithm for d-FCSRs when $d = 2$. These algorithms offer valuable aid to the stream cipher cryptographer in choosing the keystream generator carefully. More work is needed on d-FCSRs for $d \ge 3$ so that the search for architectures can be carried out in the same manner we have outlined in this thesis.
We derived the exact period of a certain family of combiners using 2-adic FCSRs as primitives. We also proved upper bounds on the 2-adic complexity and linear complexity of these sequences. It must be emphasised here that our results give the exact period of the combiner using two 2-adic FCSRs and not just a bound. These are the only results available in the literature to date regarding combiners using 2-adic FCSRs.
The results of Chapter 4 lead to the following design principle. If we desire sequences of large period without regard to 2-adic complexity, then it is better to choose $r_1 \not\equiv r_2 \pmod 4$. If we desire sequences with 2-adic complexity that is large compared to the period, then it is better to choose $r_1 \equiv r_2 \pmod 4$.
It remains to be seen how far the search algorithms can be optimised for each
of the special cases of the FCSR architectures, especially the 2-adic FCSR and the
d-FCSR. The properties of more general classes of FCSR combiners using arbitrary
combining functions and an arbitrary number of FCSRs need to be investigated.
REFERENCES

1. Anand S. and Ramanan G. V. (2006) Periodicity, complementarity and complexity of 2-adic FCSR combiner generators (accepted for publication in Proceedings of the ACM Symposium on Information, Computer and Communications Security, ASIACCS 06, Taipei, Taiwan).

2. Arnault F. and Berger T.-P. (2004) Design of new pseudorandom generators based on a filtered FCSR automaton, In Proceedings of the SASC Workshop, pages 109-120.

3. Arnault F. and Berger T.-P. (2005) F-