TRANSCRIPT
A Method for Generating Full Cycles by a Composition of NLFSRs
Elena Dubrova
Royal Institute of Technology – KTH
Stockholm, Sweden
p. 2 - WCC’2013 - April 15, 2013
Outline
• Problem addressed
• Motivation
• Contribution of the paper
• Construction method
• Conclusion and future work
Problem addressed
• How to efficiently generate n-variate mappings of type {0,1}^n → {0,1}^n whose state transition graphs have a single cycle of the maximum possible length 2^n?
[Figure: a state transition graph on the four states 00, 01, 10, 11, and the mapping (x1, x2, …, xn) ↦ (f1(x1,x2,…,xn), f2(x1,x2,…,xn), …, fn(x1,x2,…,xn))]
Motivation
• Single-cycle mappings are frequently used primitives in cryptography
• For stream ciphers, the single-cycle property is important because then the sequence of generated states cannot be trapped in a short cycle
Implementation by FSRs
• Feedback shift registers can be used to efficiently implement n-variate mappings {0,1}^n → {0,1}^n of type:
[Figure: (x1, x2, …, xn) ↦ (x2, x3, …, f(x1,x2,…,xn))]
Feedback Shift Registers
• Linear Feedback Shift Register (LFSR)
[Figure: a 5-stage register, stages 5 4 3 2 1, with linear feedback]
– n binary storage elements
– linear feedback function
– has a cycle of length 2^n - 1 iff its characteristic polynomial is primitive
• Non-Linear Feedback Shift Register (NLFSR)
[Figure: a 5-stage register, stages 5 4 3 2 1, with non-linear feedback]
NLFSRs
• An NLFSR is invertible iff its feedback function is of type (“⊕” is addition mod 2):
f(x1,x2,…,xn) = x1 ⊕ g(x2,x3,…,xn)
• Conditions for single-cycle NLFSRs are not known
• There are 2^(2^(n-1) - n) single-cycle n-bit NLFSRs
• Existing algorithms for constructing single-cycle NLFSRs are applicable to n < 32
Fredricksen, H. (1982) “A Survey of Full-Length Nonlinear Shift Register Cycle Algorithms”, SIAM Review, 24(2), 195–221
Dubrova, E. (2012) “List of Maximum-Period NLFSRs”, Cryptology ePrint Archive, 2012/166
Combining smaller NLFSRs
• If we place in parallel k NLFSRs with largest cycles of length L1, L2, …, Lk, we get a mapping with the largest cycle of length LCM(L1, L2, …, Lk)
[Figure: NLFSR1 (feedback f1), NLFSR2 (feedback f2), …, NLFSRk (feedback fk) in parallel; n1 + n2 + … + nk state bits]
Example:
n1 = 3, L1 = 7
n2 = 4, L2 = 15
n3 = 5, L3 = 31
7 × 15 × 31 = 3255
2^(3+4+5) = 4096
(the largest cycle covers only 3255 of the 4096 states)
Contribution of the paper
• A method for generating single-cycle mappings of type {0,1}^(n×k) → {0,1}^(n×k) using k NLFSRs of equal size n
[Figure: NLFSR1+ (feedback f1), NLFSR2+ (feedback f2), …, NLFSRk+ (feedback fk) in parallel with extra logic; n × k state bits]
Construction method
• We used NLFSRs with two types of cycles
– a cycle of length 2^n - 1 containing all non-0 states
– a cycle of length 1 containing the 0 state
• If we place k such NLFSRs in parallel, we get a mapping with the following cycle structure:
– Σ_{i=0}^{k-1} 2^{ni} cycles of length 2^n - 1
– one cycle of length 1 (the 0 state)
• We will join these cycles into one by applying cycle-joining transformations
Cycle-joining transformations
• In an NLFSR, any state has two possible successors and two possible predecessors
[Figure: the two candidate predecessors (input bit 0 or 1) and the two candidate successors (output bit 0 or 1) of a state S; two states A and B with successors A+ and B+]
• If A and B are contained in different cycles, by exchanging their successors we can join two cycles into one
Joining cycles by exchanging successors
[Figure: two cycles containing A and B; after exchanging the successors A+ and B+, a single cycle results]
Splitting a cycle
• If A and B are contained in the same cycle, by exchanging their successors we split the cycle into two
[Figure: one cycle containing A and B with successors A+ and B+; after the exchange, two cycles]
Our case
• In our case, any state can have 2^k possible successors and 2^k possible predecessors
• We apply cycle-joining to the states of type:
A = (S1 c1, S2 c2, …, Sk ck)
B = (S1 c’1, S2 c’2, …, Sk c’k)
where c’ is the Boolean complement of c
• If A and B are in different cycles, by exchanging their successors we join two cycles into one
How to exchange successors
• Successors can be exchanged by adding to the feedback function of every NLFSR the minterms corresponding to the states A and B
– For example, 1010 corresponds to the minterm x4 x3’ x2 x1’
– If the feedback function f evaluates to 0 for the assignment 1010, then the function f ⊕ x4 x3’ x2 x1’ evaluates to 1 for 1010
• The challenge is to join an exponential number of cycles using additional logic of linear size
Choosing dedicated states
• We chose as dedicated the states with the minimal decimal representation
• We proved that
– If A is a minimal state of a cycle, then B is contained in another cycle
– The set of minterms corresponding to the minimal states A of all cycles and the corresponding states B can be described by an expression of size O(nk)
[Figure: A = (S1 c1, S2 c2, …, Sk ck) and B = (S1 c’1, S2 c’2, …, Sk c’k)]
First joining step
• By exchanging successors of the minimal states of all cycles, we get one cycle of length 2^n and other cycles of length 2^n (2^n - 1)
[Figure: the resulting cycle structure]
#Gates to add: O(nk)
k(n+4) - n - 8 ANDs, 2k + 1 ORs, k XORs
Example: n = 32, k = 4: total #gates = 117
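The parallel composition (slide 8), its cycle structure (slide 10), the exchange of successors of conjugate states A and B through added minterms (slides 11 to 15) and the first joining step at the minimal states (slides 16 and 17), simulated exhaustively in Python as an added example that is not part of the talk or the paper. It assumes a constructed 3-bit register with f = x1 ⊕ x2 (cycles of length 7 and 1), states written as (x1, …, xn) per register with x1 the bit shifted out, and register 1 as the most significant register when comparing decimal representations.

```python
from itertools import product

def compose(fs, n):
    """k n-bit NLFSRs in parallel: state = nk-bit concatenation, register i holding (x1..xn)
    at positions i*n..i*n+n-1; feedback functions read the whole state (room for extra logic)."""
    def step(state):
        nxt = []
        for i, f in enumerate(fs):
            nxt += list(state[i * n + 1:(i + 1) * n]) + [f(state)]  # shift x1 out, f into xn
        return tuple(nxt)
    return step
def local(i, n, g):  # lift a feedback function g(x1..xn) of register i alone to the whole state
    return lambda s: g(s[i * n:(i + 1) * n])
def add_minterms(f, states):  # slide 15: f ⊕ minterm(s) for every state s in the set
    return lambda s: f(s) ^ (s in states)
def conjugate(state, n):  # slide 14: the state B paired with A, x1 of every register complemented
    return tuple(b ^ (j % n == 0) for j, b in enumerate(state))
def exchange(fs, A, B):  # slides 11-13: swap succ(A) and succ(B) of conjugate A, B (join or split)
    return [add_minterms(f, {A, B}) for f in fs]

def cycles(step, nbits):
    """All cycles of the state transition graph (the maps here are invertible: no tails)."""
    seen, out = set(), []
    for start in product((0, 1), repeat=nbits):
        path, s = [], start
        while s not in seen:
            seen.add(s); path.append(s); s = step(s)
        if s in path:
            out.append(path[path.index(s):])
    return out

def value(state, n):
    """Decimal representation: x1 is the least significant bit of each register (the talk
    writes states as x4x3x2x1); register 1 is taken as the most significant register."""
    regs = [state[i:i + n] for i in range(0, len(state), n)]
    return int("".join("".join(map(str, r[::-1])) for r in regs), 2)

def join_minimal_states(fs, n):
    """Slides 16-17 (first joining step): add the minterms of the minimal state A of every
    cycle and of its conjugate B, as one set, to every feedback function."""
    pairs = set()
    for cyc in cycles(compose(fs, n), n * len(fs)):
        a = min(cyc, key=lambda s: value(s, n))
        pairs |= {a, conjugate(a, n)}
    return [add_minterms(f, pairs) for f in fs]
def lengths(fs, n):  # cycle lengths of the composed mapping, longest first
    return sorted((len(c) for c in cycles(compose(fs, n), n * len(fs))), reverse=True)

N, BASE = 3, (lambda r: r[0] ^ r[1])  # toy register (constructed): f = x1 ⊕ x2, cycles {7, 1}
def demo(k):  # cycle lengths of k parallel toy NLFSRs before and after the first joining step
    fs = [local(i, N, BASE) for i in range(k)]
    return lengths(fs, N), lengths(join_minimal_states(fs, N), N)
```

For k = 2 the composition has 1 + 2^3 = 9 cycles of length 7 plus the zero state, and the first joining step leaves one cycle of length 2^3 = 8 and one of length 2^3 (2^3 - 1) = 56, as the slide states.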
Joining the resulting cycles in one
• Before computing the next state, the minimal state of each “flower” is transformed to the minimal state of the next “flower”, etc., and finally the cycle of length 2^n is appended
[Figure: the chain of “flowers” joined into one cycle]
#Gates to add: O(nk^2) + one time step
< 2nk ANDs, < nk^2 ORs, < 2nk XORs
Conclusion
• We presented a method for generating single-cycle mappings of type {0,1}^(n×k) → {0,1}^(n×k) using k NLFSRs of equal size n
• A logic block of size O(nk^2) and an extra time step are required
• Future work involves security analysis of the presented method