
2023 Mathematical Methods of Cryptography No. 62

UDC 519.7 DOI 10.17223/20710410/62/3

ON THE NUMBER OF l-SUITABLE BOOLEAN FUNCTIONS IN CONSTRUCTIONS OF FILTER AND COMBINING MODELS OF STREAM CIPHERS¹

T. A. Bonich*, M. A. Panferov**, N. N. Tokareva*

* Novosibirsk State University, Novosibirsk, Russia,

**

E-mail: t.bonich@g.nsu.ru, m.panferov@g.nsu.ru, cryptoll27@mail.ru

It is well known that every stream cipher is based on a good pseudorandom generator. For cryptographic purposes, we are interested in generating pseudorandom sequences with the maximum possible period. A feedback register is one of the most known cryptographic primitives that is used to construct stream ciphers. We consider periodic properties of pseudorandom sequences produced by filter and combiner generators (two known schemes of stream generators based on feedback registers). We analyze functions in these schemes that lead to output sequences of period at least a given number l. We call such functions l-suitable and count the exact number of them for an arbitrary n.

Keywords: stream cipher, filter generator, combiner generator, Boolean function.


¹The work is supported by the Mathematical Center in Akademgorodok under the agreement No. 075-15-2022-282 with the Ministry of Science and Higher Education of the Russian Federation.

1. Introduction

Symmetric ciphers are usually divided into block and stream ciphers. Stream ciphers are considered faster but not as secure as block ciphers. One of the most widely known cryptographic primitives used to construct stream ciphers is the feedback shift register (FSR). There are many attacks on such ciphers and countermeasures against them, see, for instance, [1, 2].

The task of studying feedback registers leads to the problem of studying the pseudorandom sequence (gamma) generated by a feedback register [3]. Cryptographers who develop pseudorandom number generators study the resulting gamma for the presence of the necessary properties. For example, it should have a large period, high linear complexity, and a uniform bit distribution [4]. It is often important that the sequence be reproducible [5]. Only if the gamma has the required properties can it be considered for use in cryptographic applications [6]. An important property of the generated sequence is randomness: the values should be independent, unpredictable and uniformly distributed [7]. Before using a pseudorandom sequence, it is necessary to evaluate its randomness. There are many statistical test suites for this, for example, NIST, Diehard and ENT [8].

The properties of the pseudorandom sequence generated by an FSR are well studied in the case when $f$ is a linear function (LFSR). If $f$ is nonlinear (see [9, 10]), there are many open questions about the resulting pseudorandom sequences, all connected to the analysis of nonlinear recurrent sequences; see [11] for a further review. That is why some nonlinear combinations of LFSRs are usually considered, for instance, the filter and combining models of stream generators [6].

Let us recall a few definitions. Let $\mathbb{F}_2^n$ be the $n$-dimensional vector space over $\mathbb{F}_2$. A Boolean function in $n$ variables is a function $f : \mathbb{F}_2^n \to \mathbb{F}_2$. The vector of values of a Boolean function $f$ is the vector $(f(x^{(1)}), \ldots, f(x^{(2^n)}))$, where $x^{(1)}, \ldots, x^{(2^n)}$ are the binary vectors of $\mathbb{F}_2^n$ in lexicographic order. Any Boolean function $f$ can be represented uniquely in its algebraic normal form (ANF):

$$f(x_1, \ldots, x_n) = \bigoplus_{I \in P(N)} a_I \prod_{i \in I} x_i,$$

where $P(N)$ is the power set of $N = \{1, \ldots, n\}$ and $a_I \in \mathbb{F}_2$. For a Boolean function $f$, the number of variables in the longest item of its ANF is called the algebraic degree of the function $f$. A function $f$ is called affine if its algebraic degree is at most 1, and it is called linear if it is affine and $f(0) = 0$. If the algebraic degree of a function $f$ is more than 1, then $f$ is called nonlinear.

A feedback shift register (FSR) consists of two parts: a binary block $x = (x_1, \ldots, x_n)$ of length $n$ and a feedback function $f$ in $n$ variables. The block $x$ is the state of the register, and the register changes its state using the feedback function. Gamma is the pseudorandom sequence generated by the FSR. For the functioning of the FSR, time is considered to be divided into clock cycles. On each clock cycle, the value $f(x)$ is calculated first, then the register state $x = (x_1, \ldots, x_{n-1}, x_n)$ goes to the state $x' = (x_2, \ldots, x_n, f(x))$, while the bit $x_1$ is written out as the next bit of the generated gamma. The period is the length of the repeating part of the gamma. An FSR whose feedback function $f$ is linear is called a linear feedback shift register (LFSR); a nonlinear feedback shift register (NFSR) uses a nonlinear Boolean function as its feedback function. It is known that an LFSR can be described by a polynomial of degree $n$ over $\mathbb{F}_2$ that records which cells of the register are summed. If $f(x_1, \ldots, x_n) = a_1 x_1 \oplus a_2 x_2 \oplus \ldots \oplus a_n x_n$, then the corresponding feedback polynomial is defined as $p(z) = a_1 z^n + a_2 z^{n-1} + \ldots + a_n z + 1$, where $a_i \in \mathbb{F}_2$, $i = 1, \ldots, n$. If $p(z)$ is a primitive polynomial, i.e., a primitive element of the field $GF(2^n)$ is its root, then the period of the pseudorandom sequence generated by the LFSR is maximal, i.e., equal to $2^n - 1$. As a result, primitive polynomials are mainly used in LFSRs.

There are many stream ciphers based on LFSRs and NFSRs. One of them is Grain, developed in 2004 [12]. It is constructed according to the combining model, based on two shift registers, one with linear feedback and one with nonlinear feedback, and a nonlinear output function. Both the linear and the nonlinear shift register are 80 bits long. Another one is the A5/1 cipher from the GSM standard [13]. It has three LFSRs of lengths 19, 22 and 23 bits with irregular clocking. The registers are clocked in a stop/go fashion using a majority rule. The output is the sum of the last bits of the three registers. We could also mention the Gollmann cascade [14]. This cipher is representative of the combining model. It consists of a series of LFSRs, each clock-controlled by the previous LFSR. If all the LFSRs have the same length $n$, the linear complexity of a system with $k$ LFSRs is equal to $n(2^n - 1)^{k-1}$. Other examples of ciphers based on LFSRs and NFSRs are the Geffe generator, the Jennings generator, and the Beth-Piper stop-and-go generator.

In this paper, we analyze pseudorandom sequences produced by filter and combiner generators. Namely, we study functions in these schemes that lead to pseudorandom sequences with a period not less than a given $l$. We call such functions $l$-suitable and count the exact number of them for an arbitrary $n$.

This paper is a modified continuation of the previous one [15].

2. The analysis of gamma for linear feedback shift register generators

2.1. Filter generators

A filter generator uses a single LFSR of length $n$ with a primitive feedback polynomial to change states. A Boolean function $h(x_1, \ldots, x_n)$ applied to the current state generates a pseudorandom sequence (gamma). Let us note that the number of all possible functions $h(x_1, \ldots, x_n)$ is equal to $2^{2^n}$. The work of the filter generator is described in [16].

Let the gamma be $\gamma = (y_1, y_2, \ldots, y_{2^n - 1})$, where $y_1 = h(x_1, \ldots, x_n)$, $y_2 = h(x_2, \ldots, x_n, f(x_1, \ldots, x_n))$, etc., and $f(x_1, \ldots, x_n)$ is the feedback function. Since the number of all nonzero states is equal to $2^n - 1$, the maximum possible value of the gamma period is also $2^n - 1$. We would like to determine all $l$-suitable Boolean functions $h$ in $n$ variables. Functions that lead to gammas with a period less than a given $l$ we call $l$-unsuitable. Note that the number of such functions does not depend on the linear feedback function, although whether a particular function is $l$-suitable for a given generator does depend on the feedback function. When we count the number of $l$-suitable functions $h$, we do not consider a specific set of states: we only assume that the generator passes through a certain number of distinct states (all state sets generated by primitive polynomials fit this description). Next, we study which pseudorandom sequences have a period not less than a given $l$, and count the $l$-unsuitable and the $l$-suitable functions. Our reasoning does not depend on the specific order of the states, so the computed number of $l$-suitable functions $h$ is exact for any set of states used by the generator.

Let us provide some examples of $l$-suitable and $l$-unsuitable functions. Let $n = 4$ be the length of the shift register, $f(x_1, x_2, x_3, x_4) = x_1 \oplus x_2$ the feedback function, and $p(z) = z^4 + z^3 + 1$ the corresponding primitive polynomial. Let

$$h_1(x_1, x_2, x_3, x_4) = x_2 x_1 \oplus x_3 x_1 \oplus x_3 x_2 \oplus x_4 x_1 \oplus x_1 \oplus x_2 \oplus x_3 \oplus 1$$

and

$$h_2(x_1, x_2, x_3, x_4) = x_4 x_2 x_1 \oplus x_2 x_1 \oplus x_3 x_2 \oplus x_3 \oplus 1$$

be two Boolean functions in $n = 4$ variables. Their values on the successive states of the register are given in the Table.

States                 0001  0010  0100  1001  0011  0110  1101  1010
h1(x1, x2, x3, x4)        1     0     0     1     0     0     1     0
h2(x1, x2, x3, x4)        1     0     1     1     0     1     1     0

States                 0101  1011  0111  1111  1110  1100  1000  0001
h1(x1, x2, x3, x4)        0     1     0     0     1     0     0     1
h2(x1, x2, x3, x4)        1     0     1     1     0     0     1     1

Note that $h_1$ and $h_2$ generate gammas with periods 3 and 15, respectively. If $l = 15$, i.e., we need a gamma with the maximum period, then $h_1$ is an $l$-unsuitable function and $h_2$ is an $l$-suitable function.

To begin with, we show the calculation of the number of $l$-unsuitable sequences. The number of aperiodic Boolean sequences has been studied in [17]; here we present our calculation of the number $U_l$ of sequences with a period less than $l$ ($l$-unsuitable sequences).

Lemma 1. Let $l = q_1^{\omega_1} q_2^{\omega_2} \ldots q_k^{\omega_k}$, where $q_i$ are pairwise distinct prime numbers and $\omega_i \in \mathbb{N}$. Then the number of $l$-unsuitable sequences is equal to

$$U_l = \sum_{\beta \in \mathbb{F}_2^k,\ \beta \neq 0} (-1)^{\beta_1 + \ldots + \beta_k + 1}\, 2^{\,q_1^{\omega_1 - \beta_1} \ldots q_k^{\omega_k - \beta_k}}, \quad \text{where } \beta = (\beta_1, \ldots, \beta_k).$$

Proof. Let us count the number of all binary sequences of length $l = q_1^{\omega_1} q_2^{\omega_2} \ldots q_k^{\omega_k}$ with a period less than $l$. Let $A_i$ be the set of sequences that can be divided into $q_i$ identical subsequences, $i = 1, \ldots, k$. Then $A_i \cap A_j$ is the set of sequences that can be divided into $q_i q_j$ identical subsequences, where $i \neq j$, $i, j = 1, \ldots, k$, and $A_i \cup A_j$ is the set of sequences that can be divided into $q_i$ or $q_j$ identical subsequences, where $i \neq j$, $i, j = 1, \ldots, k$. Hence, all $l$-unsuitable sequences belong to the set $\bigcup_{i=1}^{k} A_i$, and $U_l = \left| \bigcup_{i=1}^{k} A_i \right|$. When a sequence is divided into $q_i$ identical subsequences, the length of the subsequence is equal to $q_1^{\omega_1} \ldots q_i^{\omega_i - 1} \ldots q_k^{\omega_k}$. Since the elements of the subsequences are in $\{0, 1\}$, we have

$$|A_i| = 2^{\,q_1^{\omega_1} q_2^{\omega_2} \ldots q_{i-1}^{\omega_{i-1}} q_i^{\omega_i - 1} q_{i+1}^{\omega_{i+1}} \ldots q_k^{\omega_k}},$$

$$|A_i \cap A_j| = 2^{\,q_1^{\omega_1} \ldots q_{i-1}^{\omega_{i-1}} q_i^{\omega_i - 1} q_{i+1}^{\omega_{i+1}} \ldots q_{j-1}^{\omega_{j-1}} q_j^{\omega_j - 1} q_{j+1}^{\omega_{j+1}} \ldots q_k^{\omega_k}}, \quad \ldots,$$

$$\left| \bigcap_{i=1}^{k} A_i \right| = 2^{\,q_1^{\omega_1 - 1} q_2^{\omega_2 - 1} \ldots q_k^{\omega_k - 1}}.$$

Therefore, we can compute $\left| \bigcup_{i=1}^{k} A_i \right|$ using the inclusion-exclusion principle:

$$\left| \bigcup_{i=1}^{k} A_i \right| = \sum_{i=1}^{k} |A_i| - \sum_{1 \le i < j \le k} |A_i \cap A_j| + \sum_{1 \le i < j < t \le k} |A_i \cap A_j \cap A_t| - \ldots + (-1)^{k-1} |A_1 \cap A_2 \cap \ldots \cap A_k|$$

$$= \sum_{i=1}^{k} 2^{\,q_1^{\omega_1} \ldots q_{i-1}^{\omega_{i-1}} q_i^{\omega_i - 1} q_{i+1}^{\omega_{i+1}} \ldots q_k^{\omega_k}} - \sum_{1 \le i < j \le k} 2^{\,q_1^{\omega_1} \ldots q_i^{\omega_i - 1} \ldots q_j^{\omega_j - 1} \ldots q_k^{\omega_k}} + \ldots + (-1)^{k-1}\, 2^{\,q_1^{\omega_1 - 1} q_2^{\omega_2 - 1} \ldots q_k^{\omega_k - 1}}$$

$$= \sum_{\beta \in \mathbb{F}_2^k,\ \beta \neq 0} (-1)^{\beta_1 + \ldots + \beta_k + 1}\, 2^{\,q_1^{\omega_1 - \beta_1} \ldots q_k^{\omega_k - \beta_k}},$$

where $\beta = (\beta_1, \ldots, \beta_k)$. ■

Let us prove the main result for filter generators.

Theorem 1. Let $n \in \mathbb{N}$ and let $l$ be a divisor of $2^n - 1$, $l = q_1^{\omega_1} q_2^{\omega_2} \ldots q_k^{\omega_k}$, where $q_i$ are pairwise distinct prime numbers and $\omega_i \in \mathbb{N}$. Then the number of $l$-suitable Boolean functions in $n$ variables is equal to $2^{2^n} - 2U_l$, where $U_l$ is the number of $l$-unsuitable sequences given by Lemma 1.

Proof. From Lemma 1 we know the number $U_l$ of $l$-unsuitable sequences of length $2^n - 1$. We can write all states of the register one by one: from one state we get the next, and the value of $h$ on each state is the corresponding bit of the gamma. Thus a sequence of length $2^n - 1$ fixes $h$ on all nonzero states, i.e., it determines the function $h$ that generates our gamma. Since the zero state is not in the set of states (it generates a cycle of length 1), the function $h$ can take any value (0 or 1) on the zero vector. That is why there are exactly two Boolean functions that generate the same sequence.

Hence, the number of $l$-unsuitable functions is equal to $2U_l$. Then the number of $l$-suitable functions is $2^{2^n} - 2U_l$. ■

Let us also count the number of Boolean functions in $n$ variables that lead to gammas with period exactly equal to $l$.

Theorem 2. Let $n \in \mathbb{N}$ and let $l$ be a divisor of $2^n - 1$, $l = q_1^{\omega_1} q_2^{\omega_2} \ldots q_k^{\omega_k}$, where $q_i$ are pairwise distinct prime numbers and $\omega_i \in \mathbb{N}$. Then the number of Boolean functions in $n$ variables that lead to gammas with period exactly equal to $l$ for the filter generator is equal to $2^{l+1} - 2U_l$, where $U_l$ is given by Lemma 1.

Proof. To calculate the number of functions that lead to gammas with a period exactly equal to $l$, we take the number of functions that lead to gammas with a period not greater than $l$ and subtract the number of functions that lead to gammas with a period less than $l$. The number of functions that lead to gammas with a period not greater than $l$ is equal to $2^{l+1}$. The remaining arguments are similar to those given in the proof of Theorem 1. ■

2.2. Combining model

A combiner generator consists of $m$ LFSRs of lengths $n_1, \ldots, n_m$, each of which uses its own primitive polynomial for changing states. A Boolean function $h(X_1, \ldots, X_m)$ generates a pseudorandom sequence (gamma), where $X_i$ is the bit string of register $i$. The work of the combiner generator is described in [16].

Since we do not use the zero state of an LFSR, the total number of states does not exceed $N = (2^{n_1} - 1)(2^{n_2} - 1) \ldots (2^{n_m} - 1)$. The maximum is reached when $(n_i, n_j) = 1$ for all $i, j \in \{1, \ldots, m\}$, $i \neq j$, and all LFSRs have primitive feedback polynomials. Then the period of the gamma does not exceed $N$.

We consider a more general model of a combiner generator. This generalized combining model is used in ciphers such as Grain [12]. Note that the classical combining model does not allow one to describe a number of modern stream ciphers that are based on more complicated operations with bits from different registers.

Theorem 3. Let $n, m, n_1, \ldots, n_m \in \mathbb{N}$, $\sum_{j=1}^{m} n_j = n$, and let $l$ be a divisor of $(2^{n_1} - 1) \ldots (2^{n_m} - 1)$, $l = q_1^{\omega_1} q_2^{\omega_2} \ldots q_k^{\omega_k}$, where $q_j$ are pairwise distinct prime numbers, $\omega_j \in \mathbb{N}$, $k \in \mathbb{N}$. Then the number of $l$-suitable Boolean functions in $n$ variables for the combiner generator with LFSRs of lengths $n_1, \ldots, n_m$ all based on primitive polynomials is equal to

$$2^{2^n} - 2^{\,2^n - (2^{n_1} - 1) \ldots (2^{n_m} - 1)} \sum_{\beta \in \mathbb{F}_2^k,\ \beta \neq 0} (-1)^{\beta_1 + \ldots + \beta_k + 1}\, 2^{\,q_1^{\omega_1 - \beta_1} \ldots q_k^{\omega_k - \beta_k}},$$

where $\beta = (\beta_1, \ldots, \beta_k)$.

Proof. The number of $l$-unsuitable sequences for the combiner generator is equal to $U_l$ in view of Lemma 1. Since we use only $(2^{n_1} - 1)(2^{n_2} - 1) \ldots (2^{n_m} - 1)$ states and the total number of states is equal to $2^{n_1} 2^{n_2} \ldots 2^{n_m} = 2^n$, there are $2^n - (2^{n_1} - 1)(2^{n_2} - 1) \ldots (2^{n_m} - 1)$ states where our function can be equal to 0 or 1. Therefore, for each of these states the value of $h$ can be chosen in two ways, and the number of $l$-unsuitable functions in $n$ variables for the combiner generator equals $2^{\,2^n - (2^{n_1} - 1)(2^{n_2} - 1) \ldots (2^{n_m} - 1)}\, U_l$. Then the number of $l$-suitable functions is equal to $2^{2^n} - 2^{\,2^n - (2^{n_1} - 1) \ldots (2^{n_m} - 1)}\, U_l$. ■

Let us also count the number of Boolean functions in $n$ variables that lead to gammas with period exactly equal to $l$ for the combiner generator with LFSRs of lengths $n_1, \ldots, n_m$.

Theorem 4. Let $n, m, n_1, \ldots, n_m \in \mathbb{N}$, $\sum_{i=1}^{m} n_i = n$, and let $l$ be a divisor of $(2^{n_1} - 1) \ldots (2^{n_m} - 1)$, $l = q_1^{\omega_1} q_2^{\omega_2} \ldots q_k^{\omega_k}$, where $q_i$ are pairwise distinct prime numbers, $\omega_i \in \mathbb{N}$, $k \in \mathbb{N}$. Then the number of Boolean functions in $n$ variables that lead to gammas with period exactly equal to $l$ for the combiner generator with LFSRs of lengths $n_1, \ldots, n_m$ all based on primitive polynomials is equal to

$$2^{\,l + (2^n - (2^{n_1} - 1) \ldots (2^{n_m} - 1))} - 2^{\,2^n - (2^{n_1} - 1) \ldots (2^{n_m} - 1)} \sum_{\beta \in \mathbb{F}_2^k,\ \beta \neq 0} (-1)^{\beta_1 + \ldots + \beta_k + 1}\, 2^{\,q_1^{\omega_1 - \beta_1} \ldots q_k^{\omega_k - \beta_k}},$$

where $\beta = (\beta_1, \ldots, \beta_k)$.

Proof. The proof is similar to that of Theorem 2, with the remark that the number of functions that lead to gammas with a period not greater than $l$ is equal to $2^{\,l + (2^n - (2^{n_1} - 1) \ldots (2^{n_m} - 1))}$. ■

3. Functions for models with nonlinear registers

A nonlinear feedback shift register (NFSR) consists of two parts: a binary vector $x = (x_1, \ldots, x_n)$ of length $n$ and a nonlinear state function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ in $n$ variables.

Similarly to the linear case, let us consider the filter generator. We assume that the NFSR passes through all $2^n$ states, i.e., it has the maximum possible period.

Theorem 5. Let $n \in \mathbb{N}$ and $l = 2^t$, $t \le n$. Then the number of $l$-suitable Boolean functions in $n$ variables for the filter generator with an NFSR of the maximum possible period is equal to $2^{2^n} - 2^{2^{t-1}}$.

Proof. The number of $l$-unsuitable sequences for the filter generator with NFSR is equal to $2^{2^{t-1}}$. Since we use all the states, the number of $l$-unsuitable functions in $n$ variables for the filter generator with NFSR is also equal to $2^{2^{t-1}}$. Therefore, the number of $l$-suitable functions is $2^{2^n} - 2^{2^{t-1}}$. ■

Similarly, we propose to count the number of Boolean functions in $n$ variables that lead to gammas with period exactly equal to $l$ for the filter generator with NFSR.

Theorem 6. Let $n \in \mathbb{N}$ and $l = 2^t$, where $t \le n$. Then the number of $l$-suitable Boolean functions in $n$ variables that lead to gammas with period exactly equal to $l$ for the filter generator with an NFSR of the maximum possible period is equal to $2^l - 2^{2^{t-1}}$.

Proof. To calculate the number of functions that lead to gammas with period exactly equal to $l$, we take the number of functions that lead to gammas with a period not greater than $l$ (i.e., $2^l$) and subtract the number of functions that lead to gammas with a period less than $l$ (i.e., $2^{2^{t-1}}$). ■
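As an added example (not part of the paper), the Python script below simulates the filter generator of Section 2.1 and checks the counting results by brute force: it reproduces the periods 3 and 15 of $h_1$ and $h_2$ from the Table, computes $U_l$ of Lemma 1 by inclusion-exclusion, and compares the closed forms of Theorem 2 (the LFSR of length 4, zero state unused) and Theorem 6 (a length-3 NFSR of full period, whose feedback function is our own choice, not one from the paper) with counts taken over all $2^{2^n}$ functions $h$.

```python
import itertools
from math import prod

def filter_gamma(feedback, h, start):
    """Gamma y_i = h(state_i) over one cycle of register states starting at `start`."""
    state, out = start, []
    while True:
        out.append(h(state))
        state = state[1:] + (feedback(state),)   # (x1..xn) -> (x2..xn, f(x))
        if state == start:
            return out

def period(seq):
    """Smallest p dividing len(seq) such that seq is p-periodic."""
    L = len(seq)
    return next(p for p in range(1, L + 1) if L % p == 0 and seq == seq[p:] + seq[:p])

def factor(l):
    """{q_i: omega_i} for l = q_1^omega_1 ... q_k^omega_k (trial division)."""
    out, q = {}, 2
    while l > 1:
        while l % q == 0:
            out[q], l = out.get(q, 0) + 1, l // q
        q += 1
    return out

def unsuitable_sequences(l):
    """U_l of Lemma 1: inclusion-exclusion over beta in F_2^k, beta != 0."""
    qs, total = list(factor(l).items()), 0
    for beta in range(1, 1 << len(qs)):
        bits = [(beta >> i) & 1 for i in range(len(qs))]
        exponent = prod(q ** (w - b) for (q, w), b in zip(qs, bits))
        total += (-1) ** (sum(bits) + 1) * 2 ** exponent
    return total

def predicted_exact_count(l, unused):
    """2^(l+unused) - 2^unused * U_l: Theorem 2 (unused = 1), Theorem 6 (unused = 0)."""
    return 2 ** (l + unused) - 2 ** unused * unsuitable_sequences(l)

def count_by_period(n, feedback, start):
    """Brute force over all 2^(2^n) functions h in n variables: {period: #h}."""
    idx, counts = {x: i for i, x in enumerate(itertools.product((0, 1), repeat=n))}, {}
    for code in range(1 << (1 << n)):            # code = truth table of h
        p = period(filter_gamma(feedback, lambda x: (code >> idx[x]) & 1, start))
        counts[p] = counts.get(p, 0) + 1
    return counts

# Section 2.1 example: n = 4, f = x1 + x2 (polynomial z^4 + z^3 + 1), h1 and h2.
lfsr_f = lambda x: x[0] ^ x[1]

def h1(x):
    x1, x2, x3, x4 = x
    return x2 & x1 ^ x3 & x1 ^ x3 & x2 ^ x4 & x1 ^ x1 ^ x2 ^ x3 ^ 1

def h2(x):
    x1, x2, x3, x4 = x
    return x4 & x2 & x1 ^ x2 & x1 ^ x3 & x2 ^ x3 ^ 1

# Section 3 setting: a length-3 NFSR visiting all 8 states (de Bruijn cycle
# 00010111). This feedback is our own choice, not a function from the paper.
def nfsr_f(x):
    x1, x2, x3 = x
    return 1 ^ x1 ^ x3 ^ x2 & x3

def check_against_theorems():
    lfsr = count_by_period(4, lfsr_f, (0, 0, 0, 1))   # 15 nonzero states
    nfsr = count_by_period(3, nfsr_f, (0, 0, 0))      # all 8 states
    ok = all(lfsr[l] == predicted_exact_count(l, 1) for l in lfsr)
    ok = ok and all(nfsr[l] == predicted_exact_count(l, 0) for l in nfsr)
    return ok, lfsr, nfsr
```

For $n = 4$ the brute force enumerates all 65536 truth tables of $h$ and takes a few seconds; the LFSR counts come out as 4, 12, 60 and 65460 for periods 1, 3, 5 and 15.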

There is another question related to NFSRs: how to determine for which nonlinear feedback functions in $n$ variables the NFSR has the maximum possible period $2^n$? This question is still open.

REFERENCES

1. Golic J. D. On the security of nonlinear filter generators. LNCS, 1996, vol. 1039, pp. 173-188.

2. Courtois N. T. and Meier W. Algebraic attacks on stream ciphers with linear feedback. LNCS, 2003, vol. 2656, pp. 345-359.

3. Salhab O., Jweihan N., Jodeh M. A., et al. Survey paper: Pseudo random number generators and security tests. J. Theor. Appl. Inform. Technology, 2018, vol. 96, pp. 1951-1970.

4. Hamza R. A novel pseudo random sequence generator for image-cryptographic applications. J. Inform. Security Appl., 2017, vol. 35, pp. 119-127.

5. Goresky M. and Klapper A. Algebraic Shift Register Sequences. Cambridge, Cambridge University Press, 2012. 496 p.

6. Menezes A. J., Van Oorschot P. C., and Vanstone S. A. Handbook of Applied Cryptography. Boca Raton, CRC Press, 1996. 780 p.

7. Marton K., Suciu A., Sacarea C., and Cret O. Generation and testing of random numbers for cryptographic applications. Proc. Romanian Academy, 2012, vol. 13, pp. 368-377.

8. Parvees M. Y. M., Samath J. A., and Bose B. P. Cryptographically secure diffusion sequences — an attempt to prove sequences are random. Advances in Big Data and Cloud Computing. Advances in Intelligent Systems and Computing, 2019, vol. 750, pp. 433-442.

9. Key E. L. An analysis of the structures and complexity of nonlinear binary sequence generators. IEEE Trans. Inform. Theory, 1976, vol. 22, pp. 732-736.

10. Gorodilova A. A. Ot kriptoanaliza shifra k kriptograficheskomu svoystvu bulevoy funktsii [From cryptanalysis to cryptographic property of a Boolean function]. Prikladnaya Diskretnaya Matematika, 2016, no. 3(33), pp. 16-44. (in Russian)

11. Gluhov M. M., Elizarov V. P., and Nechaev A. A. Algebra [Algebra]. Moscow, Gelios ARV Publ., 2003. 336 p. (in Russian)

12. Hell M., Johansson T., and Meier W. Grain: A stream cipher for constrained environments. Intern. J. Wireless Mobile Computing, 2007, vol. 2, no. 1, pp. 86-93.

13. Canteaut A. A5/1. Encyclopedia of Cryptography and Security, Boston, Springer, 2011, pp. 1-2.

14. Gollmann D. Kaskadenschaltungen taktgesteuerter Schieberegister als Pseudozufallszahlengeneratoren. PhD thesis, Johannes Kepler Universität Linz, Wien, 1986. (in German)

15. Bonich T. A., Panferov M. A., and Tokareva N. N. On the number of unsuitable Boolean functions in constructions of filter and combining models of stream ciphers. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2020, vol. 13, pp. 78-80.

16. Carlet C. Boolean functions for cryptography and error-correcting codes. Y. Crama and P. L. Hammer (eds.). Boolean Models and Methods in Mathematics, Computer Science, and Engineering, Cambridge, Cambridge University Press, 2010, pp. 257-397.

17. Golomb S. W. Shift Register Sequences. San Francisco, Holden-Day, 1967.
