linearization of stream ciphers in terms of cellular automata amparo fúster-sabater institute of...

Linearization of Stream Ciphers in Terms of Cellular Automata

Amparo Fúster-SabaterInstitute of Applied Physics (CSIC)

Madrid (Spain)

[email protected]

A. Fúster-Sabater Gjøvik University College June 2006

Overview Introduction Basic structures

LFSR-Based Keystream Generators Cellular Automata (CA)

Linear model of a class of Keystream Generators

Contributions to Cryptanalysis Conclusions


“Linearity is the curse of the cryptographer”

- James L. Massey - Crypto’89


001…10 010…11 110…01 ….. (plain text)

011…01 000…10 010…11 ….. (keystream seq.)

010…11 010…01 100…10 ….. (ciphered text)

• sender

011…01 000…10 010…11 ….. (keystream seq.)

010…11 010…01 100…10 ….. (ciphered text)

001…10 010…11 010…11 ….. (plain text)

• receiver

Stream Cipher Procedure

Stream cipher: design of keystream sequence generators with pseudorandomness characteristics


Linear Feedback Shift Register (LFSR)

4 1x x

LFSR’s Parameters: Length L

Characteristic polynomial

They work: Shifting of the binary content

Feedback bit entrance

Generated sequence: 1 0 0 0 1 1 1 1 ……

0001

1 0 0 0

0 0 0 1

0 0 1 1

0 1 1 1

1 1 1 1

1 1 1 0

1 1 0 1

1 0 1 0


Linear Feedback Shift Registers LFSRs generate PN-sequences:

Long period Good statistics Low linear complexity

Cryptographic applications: Non-linear combinations of LFSRs Non-linear filters Non-linear combining generators Clock-controlled generators


Cellular Automata (CA) One-dimensional CA:

Register of n cells updated according to a function of k

variables (Rule )

Cell xit+1 depends on k = 2r+1 neighbour cells

xit+1 = ( xt

i-r, …, xti , …, xt

i+r)

Linear CA: is a linear function

xi


Classification of CA

Uniform or Regular CAAll the cells follow the same rule

Hybrid CA

Different cells follow different rules i

Null boundary conditionsCells adjacent to the extreme cells are supposed with

permanent null content Periodic boundary conditions

Extreme cells are supposed adjacentxi


Linear Cellular Automata k =3

Rule 90 xit+1 = xt

i-1 xti+1

111 110 101 100 011 010 001 000 0 1 0 1 1 0 1 0

01011010 (binary) = 90 (decimal)

Rule 150 xit+1 = xt

i-1 xti xt

i+1

111 110 101 100 011 010 001 000

1 0 0 1 0 1 1 010010110 (binary) = 150 (decimal)


Cellular Automata (rules 90 & 150)

L=6 cells

00..

01..

11..

00..

150 90 150 150 90 150

10..

11..

• 2L states grouped in state cycles

• Number of different sequences, T, LC


References1. S. Wolfram, Cellular Automata as Models of Complexity, Nature,

Vol. 311, pp. 419, 1984.

2. S. Wolfram, Random Sequence Generation by Cellular Automata , Avd. Appl. Math., Vol. 7, pp.127 – 169, 1986.

3. S. Zhang et al. Quantitative Analysis for Cellular Automata and LFSR as BIST Generators, J. Electro. Testing, 7 (3), 1995.

4. M. Serra et al. Analysis of One-dimensional CA and their Aliasing Properties, IEEE Trans. Comp. Aided Design, 9 (2), 1990.

5. A.K. Das et al. Efficient Characterization of Cellular Automata , IEE Proc. Part E. 1, pp. 81-87, 1990.

6. S. J. Cho et al. Computing Phase Shifts of 90/150 CA Sequences. Proc. ACRI 2004, LNCS, 3305, pp. 31 – 39, 2004.

7. A. Fúster et al. Concatenated Automata in Stream Ciphers. To appear in Proc. ACRI 2006, LNCS, 2006.


LFSRs v CA

3 2( ) 1P x x x

1 1 0

1 0 1

0 1 0

1 0 0

0 0 1

0 1 1

1 1 1 Simple implementation Pattern Generators: circuit testing Interchangeable structures

1 0 0

1 1 0

0 1 1

1 1 1

0 0 1

0 1 0

1 0 1

150 90 90

Characteristic

polynomial


More References CA Characteristic Polynomial

S. Zhang et al., Quantitative Analysis for Linear Hybrid Cellular Automata and LFSR as Built-In Self-Test Generators for Sequential Faults, J. of Electronic Testing: Theory and Applications, 7 (1995), 209 – 221.

Characteristic Polynomial CA K. Cattel and J.C. Muzio, The Synthesis of One-

Dimensional Linear Hybrid Cellular Automata, IEEE Trans. On Computer-Aided Design. 15 (1996) 325-335.


A Class of LFSR-Based Generators: Clock-Controlled Shrinking Generators

A wide class of binary sequence generators Made up of two LFSRs: R1 and R2

R1 (Selector register) clocked normally

R2 (Generating register) clocked irregularly

According to a rule P, the bits of register R1

control the clock of register R2

This construction allows users to generate a large family of different sequences using the same registers and initial states but changing the rule P


The Shrinking Generator (Crypto’93)

Very simple binary sequence generator Made up of two LFSRs: R1 and R2

According to a rule P, register R1(selector register) decimates the sequence produced by register R2

R1

R2

Pclock

bi

ai

cj


The Shrinking Generator {ai} binary sequence generated by R1

{bi} binary sequence generated by R2

{cj} output sequence of the SG:

“the shrunken sequence”

Decimation rule P:

1. If ai = 1 cj = bi

2. If ai = 0 bi is discarded


The Shrinking Generator: ExampleLFSRs:

1. R1 :

2. R2 :

Decimation rule P:

{ai}= 1 0 0 1 1 1 0 1 0 0 1 1 1 0 1 0 … {bi}= 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 … {cj}= 1 0 1 0 1 1 0 1 1 …

The underlined bits 1 and 0 are discarded

3 21( ) 1,P x x x

4 32 ( ) 1,P x x x

1 3,L 1 (1,0,0)IS

2 (1,0,0,0)IS 2 4,L


Cryptographic characteristics of the shrunken sequence

Period:

Linear Complexity:

Number of 1’s:

quasi-balanced

sequence

)1( 12 2)12( LLT

)1(2

)2(2

11 22 LL LLCL

)1()1( 12 22'1. LLsNo


Clock-Controlled Shrinking Generators

Remark: Double decimation

A. Kanso, Clock-Controlled Shrinking Generators. Proc.

ACISP’03, LNCS 2727, 2003

Binary cell contents P

Xt

R2

R1

ai

bi

bi’

cj

1 2

0 1 111 2 ( ) 2 ( ) 2 ( ) 0

w

wt i i iX A t A t A t w L

clock


CCSG: An ExampleFor the same LFSRs as before and

Decimation rule X: (if Xt =1 => the shrinking generator)

{bi}= 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 0 0 0 1 0 0 1… {X}= 2 1 1 2 2 2 1 2 1 1 2 2 2 1 2 1 1 2 2… {bi

’}= 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 1…

Decimation rule P:

{ai}= 1 0 0 1 1 1 0 1 0 0 1 1 1 0 1 0 … {bi

’}= 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 … {cj}= 1 1 0 1 0 1 0 1 1 …

P

X

00 11 2 ( ) 0tX A t w L

R1

R2


Given

expressing it in terms of

A Clock-Controlled Shrinking Generator characterized by its

LFSRs

Null Hybrid LinearCellular Automata

with rules 90 and 150

CCSG in terms of CA


Fact 1: The characteristic polynomial of the

shrunken sequence is of the form:

P(x) is an L2- degree primitive polynomial

N satisfies

( ( ))NP x

)1()2( 11 22 LL N


Fact 2:P(x) depends exclusively on:

1. The characteristic polynomial P2(x) of the register R2

2. The length L1 of the register R1

Different SG will have the same characteristic polynomial.

R1

R2

P


Algorithm of Linearization

Input: A Shrinking Generator

(given L1 , L2 , P2(x))

Output: Two linear CA corresponding to the given SG


Step 1: Computation of P(x)

P(x) is obtained from L1 and P2(x)

P(x) is the characteristic polynomial of the cyclotomic Coset E

being a primitive root in

110 1222 LE

122 2( ) ( )( ) ( )LE E EP x x x x

)2( 2LGF


Step 2: Computation of the CA corresponding to P(x)

Apply to P(x) the “Cattel and Muzio synthesis

algorithm” to determine the two linear hybrid CA of

length L2 whose characteristic polynomials are P(x)

Codify both CA according to:

rule 90 = 0 and rule 150 = 1


Step 3: Computation of the CA corresponding to the given SG

For each obtained CA:

1. Complement its least significant bit S

2. Compute its mirror image S* and concatenate both strings

Iterate 1. and 2. (L1-1) times


Algorithm (An Example) Shrinking Generator:

R1 (not needed)

R2

Step 1 is the characteristic polynomial of Coset 7

1 13, ( )L P x5 4 2

2 25, ( ) 1L P x x x x x

( )P x

7 14 19 5 2( ) ( )( ) ( ) 1P x x x x x x

0 1 22 2 2 7E


Step 2 Determine two linear CA corresponding to

via Cattel and Muzio algorithm

Both CA are codified:

(0 = ley 90, 1 = ley 150)

0 1 1 1 1

1 1 1 1 0

Algorithm (An Example)

5 2( ) 1P x x x


Algorithm (Step 3) First automata:

0 1 1 1 1 0 1 1 1 0 0 1 1 1 00 1 1 1 0 0 1 1 1 1 1 1 1 1 0 0 1 1 1 0

Second automata:1 1 1 1 0 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1

L1 -1 times

L1 -1 times


Linearization Algorithm for CCSGs CCSG: given

R1 (not needed)

R2

Xt

In Step 1, is the characteristic polynomial of Coset E

The other steps of the algorithm are as before CCSGs can be expressed in terms of linear CA too

1 1, ( )L P x

2 2, ( )L P x

( )P x

1 1(1 2 ) 2 1LwE

1 2

0 1 111 2 ( ) 2 ( ) 2 ( ) 0

w

wi i iA t A t A t w L


{cj} = {0 1 0 1 1 0 1 0 0 ...}

90 150 150 150 90 90 150 150 150 …

0 1 1 0 1 1 1 0 1 …

1 0 0 0 1 0 0 1

0 1 0 1 0 1 1

1 1 0 1 0 1

1 0 0 1 0

0 1 1 1

1 0 1

0 0

0

CA: Applications

From n intercepted bits n-1 bits (2nd column) n-2 bits (3rd column)

1 bit (nth column)


……

…

Reconstruction of the shrunken sequence From n intercepted bits of the shrunken

sequence

IDEA: use these bits to determine portions of the shrunken sequence

2

1 2 3 ( 1)2

n nn n bits


Symmetry for CA:P1 P4 P5 P15 P6 P1 P8 P12 P7 P6

P2 P5 P4 P3 P9 P2 P10 P7 P12 P9

P3 P13 P11 P2 P10 P3 P9 P14 P16 P10

P4 P1 P2 P11 P7 P4 P14 P9 P6 P7

P5 P2 P1 P13 P12 P5 P16 P6 P9 P12

P6 P7 P12 P8 P1 P6 P15 P5 P4 P1

P7 P6 P9 P14 P4 P7 P11 P2 P1 P4

P8 P14 P16 P6 P15 P8 P1 P13 P11 P15

… … … … … … … … … …

P12 P9 P6 P16 P5 P12 P13 P1 P2 P5

P13 P3 P15 P5 P16 P13 P12 P8 P10 P16

P14 P8 P10 P7 P11 P14 P4 P3 P15 P11

P15 P11 P13 P1 P8 P15 P6 P16 P14 P8

P16 P10 P8 P12 P13 P16 P5 P15 P3 P13

CA

1

0001

1000

1


Other sequences generated by CA Different shrinking generators

The same R2

Different R1 with length L1

LFSR-based generators Different rules of decimation Clock-controlled shrinking generators


Other Sequence Generators: The Alternating Generator


clock

Introduced by C. Gunther (Eurocrypt’87)

2 3( ) ( ) ( )r sP x P x P x 1 112 , 2L Lr s

R3

R2

1

0

R1

Addition of two different CA

Introduced by D. Gollmann (IEE Proc. 1988)


Other Sequence Generators: The Gollmann Generator

clock

1

R1 R2 R3

1 2 3( ) ( ) ( ) ( )r sP x P x P x P x 1 112 , 2L Lr s

Addition of two (or more) CA

ConclusionsLFSR-basedstructures

CellularAutomata

Classes of CC Generators are a Subset of Linear Cellular Automata

Linear Modelsdescribe the behavior of the

CC Sequence Generators A. Fúster-Sabater Gjøvik University College June 2006

Conclusions

Very simple algorithm to convert different classes of

CC generators into linear CA-based model A wide class of non-linear binary generators can be

expressed as linear models (by concatenation) A wide class of different binary generators are

included in the same cellular automata

The algorithm can be applied to CC generators in a

range of cryptographic interest


For the Future

Apply the same technique of linearization to

other nonlinear LFSR-based keystream

generators


linearization of stream ciphers in terms of cellular automata amparo fúster-sabater institute of...

Documents

t i x t

x t ir

x t i r linear ca

linear cellular automata

neighbour cells x

cellular automata rules

rule hybrid ca different

n cells