# A Method for Generating Full Cycles by a Composition of NLFSRs

Elena Dubrova

Royal Institute of Technology (KTH), Stockholm, Sweden

p. 2 - WCC’2013 - April 15, 2013

Outline

Motivation

Contribution of the paper

Construction method

Conclusion and future work

How to efficiently generate $n$-variate mappings of type $\{0,1\}^n \to \{0,1\}^n$ whose state transition graphs have a single cycle of the maximum possible length $2^n$?

[Figure: a state transition graph over the four 2-bit states 00, 01, 10, 11, and a block diagram of an $n$-bit state $x_1, x_2, \ldots, x_n$ in which every bit $x_i$ is updated by its own function $f_i(x_1, x_2, \ldots, x_n)$, $i = 1, \ldots, n$]

Motivation

Single-cycle mappings are frequently used primitives in cryptography.

For stream ciphers, the single-cycle property is important because then the sequence of generated states cannot be trapped in a short cycle.

Implementation by FSRs

Feedback shift registers can be used to efficiently implement $n$-variate mappings $\{0,1\}^n \to \{0,1\}^n$ of type:

$(x_1, x_2, \ldots, x_n) \mapsto (x_2, x_3, \ldots, x_n, f(x_1, x_2, \ldots, x_n))$

[Figure: the register $x_1, x_2, \ldots, x_n$; each stage loads its right neighbour ($x_1 \leftarrow x_2$, $x_2 \leftarrow x_3$, ...) and the last stage loads the feedback value $f(x_1, x_2, \ldots, x_n)$]

Feedback Shift Registers

Linear Feedback Shift Register (LFSR)

[Figure: $n$ binary storage elements (stages 5, 4, 3, 2, 1 shown) with a linear feedback function]

An LFSR has a cycle of length $2^n - 1$ iff its characteristic polynomial is primitive.

Non-Linear Feedback Shift Register (NLFSR)

[Figure: the same $n$ binary storage elements (stages 5, 4, 3, 2, 1 shown) with a non-linear feedback function]

NLFSRs

An NLFSR is invertible iff its feedback function is of type

$f(x_1, x_2, \ldots, x_n) = x_1 \oplus g(x_2, x_3, \ldots, x_n)$

Conditions for single-cycle NLFSRs are not known.

There are $2^{2^{n-1} - n}$ single-cycle $n$-bit NLFSRs.

Existing algorithms for constructing single-cycle NLFSRs are applicable to $n < 32$.

Fredricksen, H. (1982) “A Survey of Full-Length Nonlinear Shift Register Cycle Algorithms”, SIAM Review, 24(2), 195-221.

Dubrova, E. (2012) “List of Maximum-Period NLFSRs”, Cryptology ePrint Archive, 2012/166.

Combining smaller NLFSRs

If we place in parallel $k$ NLFSRs with largest cycles of length $L_1, L_2, \ldots, L_k$, we get a mapping with the largest cycle of length $\mathrm{LCM}(L_1, L_2, \ldots, L_k)$.

[Figure: NLFSR$_1$ with feedback $f_1$, NLFSR$_2$ with feedback $f_2$, ..., NLFSR$_k$ with feedback $f_k$ in parallel, forming an $n_1 + n_2 + \ldots + n_k$-bit state]

Example:

$n_1 = 3$, $L_1 = 7$

$n_2 = 4$, $L_2 = 15$

$n_3 = 5$, $L_3 = 31$

$\mathrm{LCM}(7, 15, 31) = 7 \times 15 \times 31 = 3255$, while $2^{3+4+5} = 4096$, so the composed mapping is not single-cycle.

Contribution of the paper

A method for generating single-cycle mappings of type $\{0,1\}^{n \times k} \to \{0,1\}^{n \times k}$ using $k$ NLFSRs of equal size $n$.

[Figure: NLFSR$_1$, NLFSR$_2$, ..., NLFSR$_k$ with feedback functions $f_1, f_2, \ldots, f_k$, each feedback XORed with the output of a shared block of extra logic, forming an $n \times k$-bit state]

Construction method

We used NLFSRs with two types of cycles:

a cycle of length $2^n - 1$ containing all non-0 states

a cycle of length 1 containing the 0 state

If we place $k$ such NLFSRs in parallel, we get a mapping with the following cycle structure:

$\sum_{i=0}^{k-1} 2^{ni}$ cycles of length $2^n - 1$ (every non-0 component has period $2^n - 1$ and every 0 component stays 0, so the $2^{nk} - 1$ non-0 states split into cycles of equal length)

one cycle of length 1 (the 0 state)

We will join these cycles into one by applying cycle-joining transformations.

Cycle-joining transformations

In an NLFSR, any state has two possible successors and two possible predecessors.

[Figure: a state $S$ with its two possible predecessors and its two possible successors, which differ only in the input bit (0 or 1); states $A$ and $B$ with their successors $A^+$ and $B^+$]

If $A$ and $B$ are contained in different cycles, by exchanging their successors we can join two cycles into one.

Joining cycles by exchanging successors

[Figure: two cycles containing $A$ and $B$ respectively; after $A$ is given the successor $B^+$ and $B$ the successor $A^+$, the two cycles form a single cycle]

Splitting a cycle

If $A$ and $B$ are contained in the same cycle, by exchanging their successors we split the cycle into two.

[Figure: one cycle containing both $A$ and $B$; after $A$ is given the successor $B^+$ and $B$ the successor $A^+$, the cycle splits into two cycles]

Our case

In our case, any state can have $2^k$ possible successors and $2^k$ possible predecessors.

We apply cycle-joining to the states of type:

$A = (S_1 c_1, S_2 c_2, \ldots, S_k c_k)$

$B = (S_1 \bar{c}_1, S_2 \bar{c}_2, \ldots, S_k \bar{c}_k)$

where $S_i c_i$ is the state of the $i$-th NLFSR, $c_i$ being its last bit in the written order (the bit $x_1$ that is shifted out), and $\bar{c}$ is the Boolean complement of $c$.

If $A$ and $B$ are in different cycles, by exchanging their successors we join two cycles into one.

How to exchange successors

Successors can be exchanged by adding to the feedback function of every NLFSR the minterms corresponding to the states $A$ and $B$.

For example, 1010 corresponds to the minterm $x_4 \bar{x}_3 x_2 \bar{x}_1$.

If the feedback function $f$ evaluates to 0 for the assignment 1010, then the function $f \oplus x_4 \bar{x}_3 x_2 \bar{x}_1$ evaluates to 1 for 1010.

The challenge is to join an exponential number of cycles using extra logic of linear size.

Choosing dedicated states

We chose as dedicated states the states with the minimal decimal representation.

We proved that:

If $A$ is a minimal state of a cycle, then $B$ is contained in another cycle.

The set of minterms corresponding to the minimal states $A$ of all cycles and the corresponding states $B$ can be described by an expression of size $O(nk)$.

$A = (S_1 c_1, S_2 c_2, \ldots, S_k c_k)$

$B = (S_1 \bar{c}_1, S_2 \bar{c}_2, \ldots, S_k \bar{c}_k)$

First joining step

By exchanging the successors of the minimal states of all cycles, we get one cycle of length $2^n$ and other cycles of length $2^n (2^n - 1)$.

Size of the extra logic: $O(nk)$, namely $k(n+4) - n - 8$ ANDs, $2k + 1$ ORs and $k$ XORs.

Example: $n = 32$, $k = 4$: total number of gates $= 104 + 9 + 4 = 117$.

Joining the resulting cycles in one

Before computing the next state, the minimal state of each “flower” is transformed to the minimal state of the next “flower”, etc., and finally the cycle of length $2^n$ is appended.

Cost: $O(nk^2)$ extra logic and one extra time step; fewer than $2nk$ ANDs, fewer than $nk^2$ ORs and fewer than $2nk$ XORs.
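The pieces of the construction described on the slides above, as an added Python example that is not code from the paper or the talk: invertible FSRs with feedback $x_1 \oplus g$, a brute-force check of the count $2^{2^{n-1}-n}$ of maximum-period feedbacks from the NLFSRs slide, the parallel composition and its cycle structure from the combining and construction slides (including the 7, 15, 31 example), exchange of successors by adding minterms, and the first joining step on the minimal states. Assumptions of the example: "minimal decimal representation" is taken as lexicographic order on the tuple of register states; the feedback functions are found by exhaustive search rather than taken from the cited list (so they are small, $n \le 5$); and `join_to_full_cycle` is a generic cycle-joining loop that uses any of the $2^k$ conjugates of a state, not the $O(nk^2)$ "flower" circuit of the last step, which the slides do not specify in enough detail to reproduce.

```python
"""Added example (not from the paper): FSRs in parallel, their cycle structure,
and cycle joining by adding minterms to the feedback functions.  Slide
conventions: an n-bit state is an int whose bit i-1 holds x_i (x1 is the least
significant bit, so 1010 is x4 x3' x2 x1'); the register shifts x_i <- x_{i+1}
and loads x_n <- f(x) = x1 XOR g(x2, ..., xn)."""
from itertools import product


def g_from_tt(tt):
    """g(x2..xn) read from a truth table stored as an int: bit y of tt is g(y)."""
    return lambda y: (tt >> y) & 1


def fsr_next(n, g, x):
    """One step of an invertible n-bit FSR with feedback f = x1 XOR g(x2..xn)."""
    return (x >> 1) | (((x & 1) ^ g(x >> 1)) << (n - 1))


def has_two_cycle_structure(n, g):
    """True iff 0 is a fixed point and the 2^n - 1 non-zero states form one cycle
    (the map is a permutation, so walking from state 1 returns to 1)."""
    if fsr_next(n, g, 0) != 0:
        return False
    x, steps = fsr_next(n, g, 1), 1
    while x != 1:
        x, steps = fsr_next(n, g, x), steps + 1
    return steps == (1 << n) - 1


def is_linear(n, g):
    """True iff g is an XOR of some of its inputs, i.e. the FSR is an LFSR."""
    mask = sum(g(1 << j) << j for j in range(n - 1))
    return all(g(y) == bin(y & mask).count("1") & 1 for y in range(1 << (n - 1)))


def max_period_tts(n):
    """Exhaustive search: all truth tables of g with the two-cycle structure
    (even tt means g(0) = 0, which keeps 0 fixed).  There are 2^(2^(n-1)-n)."""
    return [tt for tt in range(0, 1 << (1 << (n - 1)), 2)
            if has_two_cycle_structure(n, g_from_tt(tt))]


def compose_next(ns, gs, extra, xs):
    """Next state of FSRs of sizes ns in parallel (state xs is a tuple).  extra[i]
    is the set of composed states at which f_i is complemented, i.e. the
    minterms added to the i-th feedback function."""
    return tuple((x >> 1) | (((x & 1) ^ g(x >> 1) ^ (xs in ex)) << (n - 1))
                 for n, g, ex, x in zip(ns, gs, extra, xs))


def cycles(ns, gs, extra):
    """All cycles of the composed permutation, as lists of states."""
    seen, out = set(), []
    for start in product(*(range(1 << n) for n in ns)):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = compose_next(ns, gs, extra, x)
        out.append(cyc)
    return out


def exchange_successors(ns, gs, extra, a, b):
    """Swap the successors of the conjugate states a and b (equal x2..xn in every
    register) by toggling their minterms in each f_i whose new bit differs."""
    assert a != b and all(x >> 1 == y >> 1 for x, y in zip(a, b))
    sa, sb = compose_next(ns, gs, extra, a), compose_next(ns, gs, extra, b)
    for i, n in enumerate(ns):
        if (sa[i] ^ sb[i]) >> (n - 1):
            extra[i] ^= {a, b}


def first_joining_step(ns, gs, extra):
    """Minimal state A of every cycle (lexicographic tuple order assumed) and
    B = A with x1 complemented in every register; all pairs exchanged at once."""
    cs = cycles(ns, gs, extra)
    cycle_of = {s: i for i, c in enumerate(cs) for s in c}
    pairs = set()
    for c in cs:
        a = min(c)
        b = tuple(x ^ 1 for x in a)
        assert cycle_of[a] != cycle_of[b]  # the lemma on the dedicated-states slide
        pairs.add(frozenset((a, b)))
    for pair in pairs:
        exchange_successors(ns, gs, extra, *pair)


def join_to_full_cycle(ns, gs, extra):
    """Generic cycle joining: while more than one cycle is left, exchange the
    successors of a conjugate pair straddling two cycles (any of the 2^k
    conjugates of a state may be used).  Returns the single remaining cycle."""
    k = len(ns)
    while True:
        cs = cycles(ns, gs, extra)
        if len(cs) == 1:
            return cs[0]
        cycle_of = {s: i for i, c in enumerate(cs) for s in c}
        a, b = next((a, b) for a in cycle_of for m in range(1, 1 << k)
                    for b in [tuple(x ^ (m >> i & 1) for i, x in enumerate(a))]
                    if cycle_of[a] != cycle_of[b])
        exchange_successors(ns, gs, extra, a, b)


if __name__ == "__main__":
    ns = [3, 4, 5]  # the 7, 15, 31 example: largest cycle 3255 of 4096 states
    cs = cycles(ns, [g_from_tt(max_period_tts(n)[0]) for n in ns], [set()] * 3)
    print("largest cycle:", max(map(len, cs)), "of", 1 << sum(ns))
    ns, gs, extra = [2, 2], [g_from_tt(0b10)] * 2, [set(), set()]  # f = x1 XOR x2
    print("in parallel:", sorted(map(len, cycles(ns, gs, extra))))
    first_joining_step(ns, gs, extra)
    print("after first step:", sorted(map(len, cycles(ns, gs, extra))))
    print("full cycle length:", len(join_to_full_cycle(ns, gs, extra)))
```

For $n = 2$, $k = 2$ the run shows the cycle structure $1 + \sum_{i=0}^{1} 2^{2i}$, i.e. one fixed point and five 3-cycles, becoming one cycle of length $2^n = 4$ plus one of length $2^n(2^n - 1) = 12$ after the first joining step, and a single cycle of length 16 after the generic joining loop. The assertion inside `first_joining_step` checks, on every instance it is run on, the lemma that the minimal state's partner $B$ lies on a different cycle; `max_period_tts` is exhaustive, so it is only practical for the small $n$ used here.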

Conclusion

We presented a method for generating single-cycle mappings of type $\{0,1\}^{n \times k} \to \{0,1\}^{n \times k}$ using $k$ NLFSRs of equal size $n$.

A logic block of size $O(nk^2)$ and an extra time step are required.

Future work involves security analysis of the presented method.