Nov 21, 2013

A Method for Generating Full Cycles by a Composition of NLFSRs

Elena Dubrova

Royal Institute of Technology (KTH), Stockholm, Sweden

p. 2 - WCC’2013 - April 15, 2013


Outline

- Problem addressed
- Motivation
- Contribution of the paper
- Construction method
- Conclusion and future work



Problem addressed

How to efficiently generate n-variate mappings of type {0,1}^n → {0,1}^n whose state transition graphs have a single cycle of the maximum possible length 2^n?

[Figure: the state transition graph of a 2-bit mapping over the states 00, 01, 10, 11, and an n-bit register x1, x2, …, xn updated by the next-state functions f1(x1,x2,…,xn), f2(x1,x2,…,xn), …, fn(x1,x2,…,xn)]




Motivation

- Single-cycle mappings are frequently used primitives in cryptography.
- For stream ciphers, the single-cycle property is important because the sequence of generated states then cannot be trapped in a short cycle: from every initial state (whatever key and IV are loaded) the state sequence has the full period 2^n.
- A full cycle only guarantees the period of the state sequence; it says nothing by itself about the unpredictability of the keystream, which still depends on the nonlinearity of the feedback and output functions (the paper leaves the security analysis of the construction as future work).



Implementation by FSRs

Feedback shift registers can be used to efficiently implement n-variate mappings {0,1}^n → {0,1}^n of type:

(x1, x2, …, xn) ↦ (x2, x3, …, xn, f(x1, x2, …, xn))

[Figure: an n-stage shift register; at each clock the content of stage i+1 moves into stage i and the feedback value f(x1, x2, …, xn) is loaded into stage n]





Feedback Shift Registers

Linear Feedback Shift Register (LFSR)

[Figure: a 5-stage register (stages 5, 4, 3, 2, 1) with a linear feedback function]

- n binary storage elements
- linear feedback function
- has a cycle of length 2^n - 1 iff its characteristic polynomial is primitive (the all-zero state is always a fixed point of an LFSR, so 2^n - 1 is the longest cycle an LFSR can have; a single cycle of length 2^n requires non-linear feedback)

Non-Linear Feedback Shift Register (NLFSR)

[Figure: a 5-stage register (stages 5, 4, 3, 2, 1) with a non-linear feedback function]




NLFSRs

- An NLFSR is invertible iff its feedback function is of type ("⊕" is addition mod 2):

  f(x1, x2, …, xn) = x1 ⊕ g(x2, x3, …, xn)

- Conditions for single-cycle NLFSRs are not known.
- There are 2^(2^(n-1) - n) single-cycle n-bit NLFSRs.
- Existing algorithms for constructing single-cycle NLFSRs are applicable to n < 32.

Fredricksen, H. (1982) "A Survey of Full-Length Nonlinear Shift Register Cycle Algorithms", SIAM Review, 24(2), 195-221.

Dubrova, E. (2012) "List of Maximum-Period NLFSRs", Cryptology ePrint Archive, 2012/166.



Combining smaller NLFSRs

If we place in parallel k NLFSRs with largest cycles of length L1, L2, …, Lk, we get a mapping with the largest cycle of length LCM(L1, L2, …, Lk).

[Figure: NLFSR 1 with feedback f1, NLFSR 2 with feedback f2, …, NLFSR k with feedback fk, clocked in parallel; the combined state has n1 + n2 + … + nk bits]

Example:
n1 = 3, L1 = 7
n2 = 4, L2 = 15
n3 = 5, L3 = 31

LCM(7, 15, 31) = 7 × 15 × 31 = 3255, whereas 2^(3+4+5) = 4096: even with pairwise coprime cycle lengths the parallel composition falls short of a full cycle.


Contribution of the paper

A method for generating single-cycle mappings of type {0,1}^(n×k) → {0,1}^(n×k) using k NLFSRs of equal size n.

[Figure: NLFSR 1 (feedback f1), NLFSR 2 (feedback f2), …, NLFSR k (feedback fk) in parallel, each feedback combined (+) with the output of an extra logic block; the combined state has n × k bits]



Construction method

We used NLFSRs with two types of cycles:

- a cycle of length 2^n - 1 containing all non-0 states
- a cycle of length 1 containing the 0 state

If we place k such NLFSRs in parallel, we get a mapping with the following cycle structure:

- Σ_{i=0}^{k-1} 2^(ni) cycles of length 2^n - 1
- one cycle of length 1 (the 0 state)

(Choosing, for each of the k registers, either its 0 state or its long cycle, with j ≥ 1 registers on the long cycle, gives (2^n - 1)^j states that split into (2^n - 1)^(j-1) cycles of length 2^n - 1; summing C(k, j) (2^n - 1)^(j-1) over j = 1, …, k gives ((2^n)^k - 1)/(2^n - 1) = Σ_{i=0}^{k-1} 2^(ni).)

We will join these cycles into one by applying cycle-joining transformations.



Cycle-joining transformations

In an NLFSR, any state has two possible successors and two possible predecessors.

[Figure: two states A and B that differ only in the bit x1 being shifted out share the same two candidate successors, S followed by 0 and S followed by 1; A+ and B+ denote the actual successors of A and B]

If A and B are contained in different cycles, by exchanging their successors we can join two cycles into one.


Joining cycles by exchanging successors

[Figure: two cycles, one through A and one through B; redirecting A to B+ and B to A+ merges them into a single cycle]



Splitting a cycle

If A and B are contained in the same cycle, by exchanging their successors we split the cycle into two.

[Figure: one cycle through A and B; redirecting A to B+ and B to A+ splits it into two cycles]



Our case

In our case, any state can have 2^k possible successors and 2^k possible predecessors.

We apply cycle-joining to the states of type:

A = (S1 c1, S2 c2, …, Sk ck)
B = (S1 c1', S2 c2', …, Sk ck')

where c' is the Boolean complement of c; ci is the bit of register i that is shifted out (its x1, which fi = x1 ⊕ gi does not pass on), so A and B share the same 2^k candidate successors.

If A and B are in different cycles, by exchanging their successors we join two cycles into one.



How to exchange successors

Successors can be exchanged by adding to the feedback function of every NLFSR the minterms corresponding to the states A and B.

For example, 1010 corresponds to the minterm x4 x3' x2 x1' (bits written as x4 x3 x2 x1).

If the feedback function f evaluates to 0 for the assignment 1010, then the function f ⊕ x4 x3' x2 x1' evaluates to 1 for 1010 (and agrees with f on every other assignment).

The challenge is to join an exponential number of cycles using additional logic of linear size.

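Added example, not code from the paper or the slides: the successor exchange described above carried out on a single 4-bit register. The register is assumed to be the LFSR with primitive polynomial x^4 + x + 1 (f = x1 ⊕ x2), chosen because its state graph is exactly the 15-cycle plus the fixed point 0000 that the construction starts from. The two 4-variable minterms of A = 0000 and B = 1000 XOR to the single term x2' x3' x4' over x2..x4, which is what the code adds to g; it then applies the same transformation to a pair that already shares the full cycle to show the split of the "Splitting a cycle" slide. The function names (fsr_next, exchange_successors, output_windows) are this example's own.

```python
def bit(state, i, n):
    """x_i of an n-bit register state (x1 is the most significant bit)."""
    return (state >> (n - i)) & 1

def fsr_next(state, n, g):
    """(x1,...,xn) -> (x2,...,xn, x1 XOR g(x2,...,xn)): an invertible FSR
    in the slides' convention."""
    rest = state & ((1 << (n - 1)) - 1)
    return (rest << 1) | (bit(state, 1, n) ^ g(state, n))

def lfsr_x4_x_1(state, n):
    """g for the LFSR with primitive polynomial x^4 + x + 1 (f = x1 XOR x2).
    Its state graph is one cycle of length 15 plus the fixed point 0000."""
    return bit(state, 2, n)

def minterm(pattern, n):
    """Product of literals over x2..xn that is 1 exactly when (x2,...,xn)
    equals `pattern` (an (n-1)-bit integer, x2 most significant); for n = 4,
    pattern 0b000 is x2' x3' x4' and pattern 0b101 is x2 x3' x4."""
    def m(state, n):
        return 1 if (state & ((1 << (n - 1)) - 1)) == pattern else 0
    return m

def exchange_successors(g, pattern, n):
    """Cycle-joining/splitting transformation: f = x1 XOR g XOR m(x2..xn) is
    complemented on exactly two assignments, the conjugate pair
    A = (0, pattern) and B = (1, pattern), so A and B swap successors.
    (The two full n-variable minterms of A and B XOR to this one term.)"""
    m = minterm(pattern, n)
    return lambda state, n: g(state, n) ^ m(state, n)

def cycle_through_zero(n, g):
    """Length of the cycle containing the all-zero state."""
    s, steps = fsr_next(0, n, g), 1
    while s != 0:
        s, steps = fsr_next(s, n, g), steps + 1
    return steps

def is_full_cycle(n, g):
    """True iff the state graph is a single cycle of length 2^n."""
    return cycle_through_zero(n, g) == 1 << n

def output_windows(n, g):
    """Distinct n-bit windows of the output bit x1 over a 2^n-step run from 0;
    2^n distinct windows means the output is a de Bruijn sequence."""
    s, out = 0, []
    for _ in range(1 << n):
        out.append(bit(s, 1, n))
        s = fsr_next(s, n, g)
    return {tuple(out[(i + j) % len(out)] for j in range(n)) for i in range(len(out))}

N = 4
# 0000 (fixed point) and 1000 (on the 15-cycle) are in different cycles: join.
JOINED = exchange_successors(lfsr_x4_x_1, 0b000, N)
# 0101 and 1101 both lie on the resulting 16-cycle: the same step splits it.
SPLIT = exchange_successors(JOINED, 0b101, N)

if __name__ == "__main__":
    print("LFSR x^4+x+1: cycle through 0 has length", cycle_through_zero(N, lfsr_x4_x_1))
    print("after adding x2'x3'x4': full cycle =", is_full_cycle(N, JOINED),
          "distinct output windows =", len(output_windows(N, JOINED)))
    print("after also adding x2 x3' x4: full cycle =", is_full_cycle(N, SPLIT))
```

The same two lines of arithmetic work for any n: joining the 0 state of a maximum-period register into its long cycle is the classical way of turning a period-(2^n - 1) LFSR into a period-2^n de Bruijn generator, and the cost is one (n-1)-input AND term.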


Choosing dedicated states

We chose as dedicated states the states with the minimal decimal representation.

We proved that:

- if A is a minimal state of a cycle, then B is contained in another cycle;
- the set of minterms corresponding to the minimal states A of all cycles and the corresponding states B can be described by an expression of size O(nk).

[Figure: a dedicated state A = (S1 c1, S2 c2, …, Sk ck) and its partner B = (S1 c1', S2 c2', …, Sk ck')]

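Added example, not code from the paper: a simulation that reproduces the numbers of the "Combining smaller NLFSRs" slide and then performs one successor exchange for a conjugate pair A = (S1 c1, …, Sk ck), B = (S1 c1', …, Sk ck') in the product graph of the "Our case" slide. The registers are assumed to be two-tap LFSRs with primitive polynomials x^3 + x + 1, x^4 + x + 1 and x^5 + x^2 + 1, the simplest registers with the "one cycle of length 2^n - 1 plus the 0 state" structure the construction requires; ci is taken to be the x1 bit of register i (the bit that fi = x1 ⊕ gi shifts out); the only pair joined is A = 0, which is the minimal state of its one-state cycle, with its partner B. The exchange is done on the state map directly rather than as minterms added to the feedback functions, and all names (parallel, conjugate, exchange_successors, …) are this example's own.

```python
from functools import reduce
from math import gcd

def bit(state, i, n):
    """x_i of an n-bit register state; x1 is the most significant bit."""
    return (state >> (n - i)) & 1

def fsr_next(state, n, g):
    """One clock of an n-bit FSR in the slides' convention:
    (x1,...,xn) -> (x2,...,xn, x1 XOR g(x2,...,xn)).  Because x1 enters the
    feedback linearly the mapping is a permutation; an LFSR is the special
    case of a linear g."""
    rest = state & ((1 << (n - 1)) - 1)
    return (rest << 1) | (bit(state, 1, n) ^ g(state, n))

def tap(i):
    """g(x2..xn) = x_i, i.e. a two-tap Fibonacci LFSR with new bit x1 XOR x_i."""
    return lambda state, n: bit(state, i, n)

# Assumed registers: maximum-period LFSRs (x^3+x+1, x^4+x+1, x^5+x^2+1), each a
# cycle of length 2^n-1 plus the fixed point 0.
LFSR_3_4_5 = [(3, tap(2)), (4, tap(2)), (5, tap(3))]
TWO_OF_3 = [(3, tap(2)), (3, tap(2))]           # k = 2 registers of equal size n = 3

def parallel(registers):
    """Next-state map of k registers clocked in parallel.  The combined state
    is the concatenation of the register states (register 1 most significant).
    Returns (next_state, number_of_states)."""
    total = sum(n for n, _ in registers)
    def next_state(state):
        out, shift = 0, total
        for n, g in registers:
            shift -= n
            part = (state >> shift) & ((1 << n) - 1)
            out |= fsr_next(part, n, g) << shift
        return out
    return next_state, 1 << total

def cycle_lengths(next_state, num_states):
    """Sorted cycle lengths of a permutation of range(num_states)."""
    seen = [False] * num_states
    lengths = []
    for s0 in range(num_states):
        if seen[s0]:
            continue
        s, length = s0, 0
        while not seen[s]:
            seen[s] = True
            s = next_state(s)
            length += 1
        lengths.append(length)
    return sorted(lengths)

def lcm(*values):
    return reduce(lambda a, b: a * b // gcd(a, b), values)

def conjugate(state, registers):
    """The slides' partner B of a state A: complement the bit c_i = x1 of every
    register, so that A and B share the same 2^k candidate successors."""
    total = sum(n for n, _ in registers)
    mask, shift = 0, total
    for n, _ in registers:
        shift -= n
        mask |= 1 << (shift + n - 1)
    return state ^ mask

def exchange_successors(next_state, a, b):
    """Cycle-joining transformation on the product graph: swap the successors
    of a and b.  Two cycles are joined if a and b lie on different cycles,
    one cycle is split if they lie on the same cycle."""
    succ_a, succ_b = next_state(a), next_state(b)
    def joined(state):
        if state == a:
            return succ_b
        if state == b:
            return succ_a
        return next_state(state)
    return joined

def composition_cycles(registers):
    next_state, size = parallel(registers)
    return cycle_lengths(next_state, size)

def joined_cycles(registers, a):
    """Cycle structure after exchanging the successors of a and conjugate(a)."""
    next_state, size = parallel(registers)
    return cycle_lengths(exchange_successors(next_state, a, conjugate(a, registers)), size)

if __name__ == "__main__":
    print("3,4,5-bit LFSRs in parallel:", composition_cycles(LFSR_3_4_5))
    print("largest cycle", lcm(7, 15, 31), "of", 1 << 12, "states")
    print("two 3-bit LFSRs in parallel:", composition_cycles(TWO_OF_3))
    print("after joining A = 0 with B =", conjugate(0, TWO_OF_3), ":", joined_cycles(TWO_OF_3, 0))
```

For the 3-, 4- and 5-bit registers the largest cycle is LCM(7, 15, 31) = 3255 of 4096 states, as on the slide. For two 3-bit registers the product has Σ_{i=0}^{1} 2^(3i) = 9 cycles of length 7 plus the 0 state; joining the 0 state with its partner B = (100, 100) turns the fixed point into a cycle of length 2^n = 8 and leaves eight 7-cycles, which is the start of the "one cycle of length 2^n" the first joining step produces.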



First joining step

By exchanging successors of the minimal states of all cycles, we get one cycle of length 2^n and other cycles of length 2^n (2^n - 1).

#Gates to add: O(nk)
- k(n+4) - n - 8 ANDs
- 2k + 1 ORs
- k XORs

Example: n = 32, k = 4: 104 ANDs + 9 ORs + 4 XORs, total #gates = 117.



Joining the resulting cycles into one

Before computing the next state, the minimal state of each "flower" is transformed to the minimal state of the next "flower", etc., and finally the cycle of length 2^n is appended.

#Gates to add: O(nk^2) + one time step
- < 2nk ANDs
- < nk^2 ORs
- < 2nk XORs



Conclusion

- We presented a method for generating single-cycle mappings of type {0,1}^(n×k) → {0,1}^(n×k) using k NLFSRs of equal size n.
- A logic block of size O(nk^2) and an extra time step are required.
- Future work involves security analysis of the presented method.