A Method for Generating Full Cycles by a Composition of NLFSRs

Elena Dubrova

Royal Institute of Technology – KTH

Stockholm, Sweden

p. 2 - WCC’2013 - April 15, 2013

• Problem addressed• Motivation• Contribution of the paper• Construction method• Conclusion and future work

Outline

p. 3 - WCC’2013 - April 15, 2013

• How to efficiently generate n-variate mappings of type {0,1}n {0,1}n whose state transition graphs have single cycles of the maximum possible length 2n?

Problem addressed

00

01

10

11

x1

x2

…

xn

f1(x1,x2,…,xn)f2(x1,x2,…,xn)

…

fn(x1,x2,…,xn)

p. 4 - WCC’2013 - April 15, 2013

• Single-cycle mappings are frequently used primitives in cryptography

• For stream ciphers, single-cycle property is important because then the sequence of generated states cannot be trapped in a short cycle

Motivation

p. 5 - WCC’2013 - April 15, 2013

• Feedback shift registers can be used to efficiently implement n-variate mappings {0,1}n

{0,1}n of type:

Implementation by FSRs

x1

x2

…

xn

x2

x3

…

f(x1,x2,…,xn)

p. 6 - WCC’2013 - April 15, 2013

• Linear Feedback Shift Register (LFSR)

Feedback Shift Registers

5 4 3 2 1

• n binary storage elements• linear feedback function• has cycle of length 2n-1 iff its characteristic

polynomial is primitive 5 4 3 2 1

• Non-Linear Feedback Shift Register (NLFSR)

p. 7 - WCC’2013 - April 15, 2013

• An NLFSR is invertible iff its feedback function is of type (“” is addition mod 2)

f(x1,x2,…,xn) = x1 g(x2,x3,…,xn)

• Conditions for single-cycle NLFSRs are not known

• There are 22n-1-n single-cycle n-bit NLFSRs• Existing algorithms for constructing single-cycle

NLFSRs are applicable to n < 32 Fredricksen, H. (1982) “A Survey of Full-Length Nonlinear Shift Register Cycle Algorithms”, SIAM Review, 24(2), 195-221

Dubrova, E. (2012) “List of Maximum-Period NLFSRs”, Cryptology ePrint Archive, 2012/166

NLFSRs

p. 8 - WCC’2013 - April 15, 2013

• If we place in parallel k NLFSRs with largest cycles of length L1, L2,…, Lk, we get a mapping with the largest cycle of length LCM(L1, L2,…, Lk)

Combining smaller NLFRs

NLFSR2

f2

… NLFSRk

fk

n1 + n2 +…+ nk state

NLFSR1

f1

Example:

n1 = 3, L1 = 7n2 = 4, L2 = 15n3 = 5, L2 = 31

7×15×31 = 3255

23+4+5 = 4096

p. 9 - WCC’2013 - April 15, 2013

• A method for generating single-cycle mappings of type {0,1}n×k {0,1}n×k using k NLFSRs of equal size n

Contribution of the paper

NLFSR2+

f2

NLFSR1+

f1

… NLFSRk+

fk

Extra logic

n × k state

p. 10 - WCC’2013 - April 15, 2013

• We used NLFSRs with two types of cycles– a cycle of length 2n-1 containing all non-0 states– a cycle of length 1 containing 0 state

Construction method

• If we place k such NLFSRs in parallel, we get a mapping with the following cycle structure:

• cycles of length 2n-1

• one cycle of length 1 (0 state)

i=0

k-12ni

• We will join these cycles into one by applying cycle-joining transformations

p. 11 - WCC’2013 - April 15, 2013

• In an NLFSR, any state has two possible successors and two possible predecessors

Cycle-joining transformations

input output

S 0 S 1

S 0 S 1

A B

• If A and B are contained in different cycles, by exchanging their successors we can join two cycles into one

A+ B+

p. 12 - WCC’2013 - April 15, 2013

Joining cycles by exchanging successors

A B

A+ B+

p. 13 - WCC’2013 - April 15, 2013

• If A and B are contained in the same cycle, by exchanging their successors, we split the cycles into two

Splitting a cycle

A

BA+

B+

p. 14 - WCC’2013 - April 15, 2013

• In our case, any state can have 2k possible successors and 2k possible predecessors

• We apply cycle-joining to the states of type:

• If A and B are in different cycles, by exchanging their successors we join two cycles into one

Our case

A

B

S1 c1 S2 c2 Sk ck…

S1 c’1 S2 c’2 Sk c’k…

c is the Boolean complement of c

p. 15 - WCC’2013 - April 15, 2013

• Successors can be exchanged by adding to the feedback function of every NLFSR minterms corresponding to the states A and B– For example, 1010 corresponds to minterm x4x3x2x1

– If feedback function f evaluates to 0 for the assignment 1010, then function f x4x3x2x1 evaluates to 1 for 1010

• The challenge is to join an exponential number of cycles using additional logic of linear size

How to exchange successors

p. 16 - WCC’2013 - April 15, 2013

• We chose as dedicated the states with the minimal decimal representation

• We proved that

– If A is a minimal state of a cycle, then B is contained in another cycle

– The set minterms corresponding to minimal states A of all cycles and the corresponding states B can be described by an expression of size O(nk)

Choosing dedicated states

A

B

S1 c1S2 c2

Sk ck…

S1 c’1S2 c’2 Sk c’k

…

p. 17 - WCC’2013 - April 15, 2013

• By exchanging successors of the minimal states of all cycles, we get one cycle of length 2n and other cycles of length 2n(2n-1)

First joining step

…

#Gates to add: O(nk)

k(n+4)-n-8 ANDs2k+1 ORsk XORs

Example: n=32, k=4Total #gates = 117

p. 18 - WCC’2013 - April 15, 2013

• Before computing the next state, the minimal state of each “flower” is transformed to the minimal state of next “flower”,etc, and finally the cycle of length 2n is appended

Joining the resulting cycles in one

… … …

…

#Gates to add: O(nk2) + one time step< 2nk ANDs, < nk2 ORs, < 2nk XORs

p. 19 - WCC’2013 - April 15, 2013

• We presented a method for generating single-cycle mappings of type {0,1}n×k {0,1}n×k using k NLFSRs of equal size n

• An logic block of size O(nk2) and an extra time step are required

• Future work involves security analysis of the presented method

Conclusion