Lecture8 9 Slides

8/12/2019 Lecture8 9 Slides

1/42

Lecture 8: Stream ciphers - LFSR sequences

Thomas Johansson

T. Johansson (Lund University) 1 / 42


2/42

Introduction

Symmetric encryption algorithms are divided into two main categories,block ciphers and stream ciphers.

Block ciphers tend to encrypt a block of characters of a plaintext

message using a fixed encryption transformationA stream cipher encrypt individual characters of the plaintext using anencryption transformation that varies with time.

A stream cipher built around LFSRs and producing one bit output on eachclock = classic stream cipher design.



3/42

A stream cipher

keystreamgenerator

m1, m2, . . . c1, c2, . . .

z1, z2, . . .

z= z1, z2, . . . keystream

keyK



4/42

A stream cipher

Design goal is to efficiently produce random-looking sequences thatare as indistinguishable as possible from truly random sequences.

Recall the unbreakable Vernam cipher.

For a synchronous stream cipher, a known-plaintext attack (orchosen-plaintext or chosen-ciphertext) is equivalent to having accessto the keystream z=z1, z2, . . . , zN.

We assume that an output sequencez of length N from the

keystream generator is known to Eve.



5/42

Type of attacks

Key recovery attack: Eve tries to recover the secret key K.

Distinguishing attack: Eve tries to determine whether a given

sequence z= z1, z2, . . . , zN is likely to have been generated from theconsidered stream cipher or whether it is just a truly random sequence.

Distinguishing attack is a much weaker attack



6/42

Distinguishing attack

Let D(z) be an algorithm that takes as input a length N sequence zand as output gives either X or RANDOM.

With probability 1/2 the sequence z is produced by generator X and

with probability 1/2 it is a purely random sequence.The probability that D(z) correctly determines the origin ofz iswritten1/2 +.

If is not very close to zero we say that D(z) is a distinguisherfor

generator X.



7/42

Distinguishing attack - example

Assume that Alice sends one ofNpublic images {I1, I2, . . . , I N} to Bob.

Eve observes the ciphertext c.

Guess that the plaintext is the image I1, i.e., m= I1.

Calculate z=m + c and compute D(z).

If the guess m= I1 was correct then D(z) =X. If not,D(z) =RANDOM.



8/42

More on attacks

Building a (synchronous) stream cipher reduces to the problem ofbuilding a generator that is resistant to all distinguishing attacks.

There are essentially always both distinguishing attacks and keyrecovery attacks on a cipher.

Exhaustive keysearch; complexity 2k

An attack is considered successful only if the complexity of performingit is considerably lower than 2k key tests.



9/42


10/42


11/42

Linear feedback shift registers

sj-L

sj-L+1

sj-2

sj-1

s0,s

1,... s

j. . .

. . .-cL

-cL-1

-c2 -c1

A register ofL delay (storage) elements each capable of storing one

element fromFq, and a clock signal.

Clocking, the register of delay elements is shifted one step and the newvalue of the last delay element is calculated as a linear function of thecontent of the register.



12/42

LFSR sequences

The linear function is described through the coefficientsc1, c2, . . . , cL Fq and the recurrence relation is

sj = c1sj1 c2sj2 cLsjL,

forj =L, L+ 1, . . ..With c0= 1 we can write

L

i=0

cisji= 0, forj =L, L+ 1, . . . .

The shift register equation.

The first L symbols s0, s1, . . . , sL1 form the initial state.



13/42

LFSR sequences

The coefficients c0, c1, . . . , cL are summarized in the connectionpolynomialC(D) defined by

C(D) = 1 +c1D+c2D2 + +cLD

L.

Write < C(D), L > to denote the LFSR with connection polynomialC(D) and length L.

D-transformof a sequence s= s0, s1, s2. . . as

S(D) =s0+s1D+s2D2 + ,

assumingsi Fq.

The indeterminateD is the delay and its exponent indicate time.



14/42

LFSR sequences

We assume si = 0 fori


15/42

Theorem

The set of sequences generated by the LFSR with connection polynomialC(D) is the set of sequences that have D-transform

S(D) = P(D)C(D)

,

whereP(D) is an arbitrary polynomial of degree at mostL 1,

P(D) =p0+p1D+. . .+pL1DL

1.

Furthermore, the relation between the initial state of the LFSR and theP(D) polynomial is given by the linear relation

p0p1

...pL1

=

1 0 0c1 1 . . . 0...

... ...

...cL1 cL2 . . . 1

s0s1...

sL1

.



16/42

LFSR sequences and extension fields

Let (x) be an irreducible polynomial over Fq and assume that itscoefficients are

(x) =xL +c1xL1 + +cL.

This means that (x) is the reciprocalpolynomial ofC(D).Construct the extension field FqL through () = 0.

from FqL can be expressed in a polynomial basis as

=0+1+ +L1L1

,

where 0, 1, . . . L1 Fq.


S d fi ld


17/42


Assume that the (unknown) element is multiplied by the fixed element .The result is

=0+12 + +L1

L.

Reducing L using () = 0 gives

= cLL1+ (0 cL1L1)+ + (L2 c1L1)L1.

. . .

-c1

-c2

-cL-1

-cL


LFSR d i fi ld


18/42


. . .

-c1

-c2

-cL-1

-cL

It is quickly checked that

sj = c1sj1 c2sj2 cLsjL,

when j L.p0=s0, p1=s1+c1s0, etc, where p0, p1, . . . , pL1 is the initial state

The sequence fulfills the shift register equation, but usesp0, p1, . . . pL1 as initial state.


LFSR d i fi ld


19/42


The set of LFSR sequences, when C(D) is irreducible, is exactlythe set of sequences possible to produce by the implementation

of multiplication of an element by the fixed element in FqL

.For a specific sequence specified as S(D) =P(D)/C(D) the initialstate is the first L symbols whereas the same sequence is produced inthe figure if the initial state is p0, p1, . . . , pL1.


P ti f LFSR


20/42

Properties of LFSR sequences

A sequence s=. . . , s0, s1, . . . is called periodic if there is a positiveinteger T such that si =si+T, for all i 0.

Theperiod is the least such positive integer T for whichsi =si+T, for

all i 0.The LFSR state runs through different values. The initial state willappear again after visiting a number of states. Ifdeg C(D) =L, theperiod of a sequence is the same as the number of different statesvisited, before returning to the initial state.


P ti f LFSR


21/42


C(D) irreducible: the state corresponds to an element in FqL , say .

The sequence of different states that we are entering is then

,,2 , . . . , T1, T=,

where T is the order or .

If is a primitive element (its order is qL 1), then obviously we willgo trough all qL 1 different states and the sequence will have periodqL 1. Such sequences are calledm-sequencesand they appear if andonly if the polynomial (x) is a primitive polynomial.



22/42

Example


23/42

Example

Length4LFSR with connection polynomialC(D) = 1 + D + D4 in F2.

Starting in (0001), we return after 15 clockings of the LFSR.

Explanation: F24 , we get through (x) =xLC(x1) =x4 +x3 + 1

and () = 0.

15 = 1 and ord() = 15. (x) primitive polynomial.

So starting in any nonzero state F24 , we will jump between allnnzero states before returning.




24/42


The different state cycles that will appear for an arbitrary LFSR.

[s0, s1, . . . , sT1] denote the periodic and causal sequence

s0, s1, . . . , sT

1, s0, s1, . . . , sT

1, s0, . . . ,

where si Fq, i= 0, 1, . . . , T 1.

(s0, s1, . . . , sN1) denote a sequence where the first N symbols ares0, s1, . . . , sN1 (and the upcoming symbols are not defined), where

si Fq, i= 0, 1, . . . , N 1.




25/42


Ifs= [1, 0, 0, . . . , 0] then

S(D) = 1 +DT +D2T + = 1

1 DT.

iI s= [0, 1, 0, . . . , 0] then

S(D) =D +DT+1 +D2T+1 + = D

1 DT

In general, ifs= [s0, s1, . . . , sT1] then

S(D) = s0

1 DT+

s1D

1 DT+. . .=

s0+s1D+s2D2 +. . . sT1DT1

1 DT .

(1)




26/42


Definition

The period of a polynomialC(D) is the least positive number T such thatC(D)|(1 DT).

Calculated by division of 1 by C(D) and continuing until the wereceive the first remainder of the form 1 DN. Then the period isT =N.

(example)




27/42


Theorem

Ifgcd(C(D), P(D)) = 1 then the connection polynomialC(D) and thesequenceswith D-transform

S(D) =P(D)

C(D)

have the same period (the period ofsis the same as the period of thepolynomialC(D)).

Note: This C(D) gives the shortest LFSR generating s. Any otherconnection polynomial generating smust be a multiple ofC(D).

(example)




28/42


TheoremIf two sequences, sA andsB, with periodsTA andTB have D-transforms

SA(D) = PA(D)

CA(D), SB(D) =

PB(D)

CB(D),

then the sum of the sequencess= sA+ sB has D-transformS(D) =SA(D) +SB(D) and periodlcm(TA, TB), assuminggcd(PA(D), CA(D)) = 1, gcd(PB(D), CB(D)) = 1,gcd(CA(D), CB(D)) = 1.

(example)


LFSR cycle sets


29/42

LFSR cycle sets

Introduce the cycle setforC(D) (assuming L= deg C(D)).

Written in the form n1(T1) n2(T2) . . ..

1(1) 3(5), one cycle of length one and three cycles of length 5.

n1(T) n2(T) = (n1+n2)(T).


LFSR cycle sets


30/42

LFSR cycle sets

Already established facts:

IfC(D) is a primitive polynomial of degree L over Fq then the cycleset is

1(1) (1)(qL 1).

IfC(D) is an irreducible polynomial then the cycle set is

1(1) (qL 1)

T (T),

whereT is the period of the polynomial C(D)(or the order ofwhen() = 0).


LFSR cycle sets - remaining cases


31/42

LFSR cycle sets remaining cases

Theorem

IfC(D) =C1(D)n then the cycle set ofC(D) is

1(1) (qL1 1)

T1(T1)

qL1(qL1 1)

T2(T2)

q(n1)L1(qL1 1)

Tn(Tn),

wheredeg C(D) =L andTj is the period of the polynomialC1(D)j.

Theorem

IfC1(D) is irreducible with periodT1, then the period of the polynomial

C1(D)j isTj =pmT1 wherep is the characteristic of the field andm theinteger satisfyingpm1 < j pm.

(example)


LFSR cycle sets - remaining cases


32/42

y g

Theorem

For a connection polynomialC(D) factoring like

C(D) =C1(D)n1C2(D)

n2 Cm(D)nm,

Ci(D) irreducible, has cycle setS1 S2 Sm, whereSi is the cycle setforCnii , and

(n1)T1 (n2)(T2) = (n1n2 gcd(T1, T2)(lcm(T1, T2))

and the distributive law holds forand.

(example)


Decimation


33/42

An m-sequences=s0, s1, s2, . . .

Define the sequence s obtained through decimation byk, defined asthe sequence

s =s0, sk, s2k, s3k, . . . .

s correspond to multiplication ofby the fixed element . It is clearthat s corresponds to multiplication ofby the fixed element k, i.e,the cycle of different states correspond to the sequence

, k, 2k , . . . , (T1)k, Tk=.

the period ofs is ord(k) and ord(k) =qL 1/ gcd(qL 1, k).


Decimation - advanced


34/42

FqL through a degree L polynomial (x) Fq[x] with () = 0.

Let Fq and consider the set of polynomials

F() = {f(x) Fq[x] :f() = 0}.

The set will contain at least one polynomial of degree L.

Let f0(x) be the polynomial in F() of lowest degree. Any otherpolynomial f(x) inF() can be written as f(x) =q(x)f0(x) +r(x),deg r(x)< deg f0(x) and

0 =f() =q()f0() +r() =r().

So r() = 0 and this means that f0(x)|f(x) for all polynomials f(x)in F().


Decimation - minimal polynomial


35/42

p y

The polynomial f0(x) is called the minimal polynomialof the element.

The minimal polynomial to , now denoted (x), can be calculated

as(x) = (x )(x

q)(x q2

) (x qd1

),

where d is the smallest integer such that qd 1 mod ord() (d is thenumber of conjugates of).



36/42

The reciprocal of the minimal polynomial (x) gives the connectionpolynomial for a minimal LFSR producing a sequence corresponding tothe state sequence

, k, 2k , . . . , (T1)k, Tk=.

The decimated sequence s can be generated by an LFSR with aconnection polynomial being the reciprocal ofk(x).

(example)


Statistical properties of LFSR sequences


37/42

The importance of LFSR sequences in general and m-sequences inparticular is due to their pseudo randomness properties.

s=s0, s1, . . . is an m-sequence, recall that an r-gram is asubsequence of length r,

(st, st+ 1, . . . , st+r1),

fort= 0, 1, . . ..

Theorem

Among theqL 1 L-grams that can be constructed fort= 0, 1, . . . , q L 2, every nonzero vector appears exactly once.




38/42

Run-distribution propertiesofm-sequences.

A run of length r in a sequence sis a subsequence ofexactlyr zeros(or ones). This means that the r zeros must have a one before.




39/42

TheoremThe run distribution of anym-sequence of length 2L 1 is given as

length 0-runs 1-runs

1 2L3 2L3

2 2L

4 2L

4...

... ...

L 2 1 1L 1 1 0

L 0 1Total 2L2 2L2




40/42

The autocorrelation function.

Let x,y be two binary sequences of the same length n.

The correlation C(x,y) between the two sequences is defined as thenumber of positions of agreements minus the number ofdisagreements.

The autocorrelation function C() is defined to be the correlationbetween a sequence x and its th cyclic shift, i.e.,

C() =n

i=1

(1)xi+xi+, (2)

where subscripts are taken modulo n and addition in the exponent ismod 2 addition.




41/42

Theorem

Ifs is an m-sequence of length 2L 1, then

C() =

2L 1 if 0 (mod n)1 otherwise




42/42

More comments:

The decimation of an m-sequence or the sum of two differentm-sequences are (under some assumptions) again m-sequences.

One property is completely away from random sequences. Let thebinary m-sequence be generated by the recursion sj =

Li=1cisji.

By forming a set of random variables Xj =L

i=0cisji, j L we seethat P(Xj = 0) = 1. An extreme point of nonrandomness.


Documents

Lecture8 9 Slides