A Method for Generating Full Cycles by a Composition of NLFSRs
Elena Dubrova
Royal Institute of Technology – KTH, Stockholm, Sweden
WCC’2013, April 15, 2013
Outline
• Problem addressed
• Motivation
• Contribution of the paper
• Construction method
• Conclusion and future work
Problem addressed
• How to efficiently generate $n$-variate mappings of type $\{0,1\}^n \to \{0,1\}^n$ whose state transition graphs have a single cycle of the maximum possible length $2^n$?

  $(x_1, x_2, \ldots, x_n) \mapsto (f_1(x_1, x_2, \ldots, x_n),\ f_2(x_1, x_2, \ldots, x_n),\ \ldots,\ f_n(x_1, x_2, \ldots, x_n))$

  [Figure: example state transition graph on the four 2-bit states 00, 01, 10, 11]
Motivation
• Single-cycle mappings are frequently used primitives in cryptography
• For stream ciphers, the single-cycle property is important because the sequence of generated states then cannot be trapped in a short cycle
Implementation by FSRs
• Feedback shift registers can be used to efficiently implement $n$-variate mappings $\{0,1\}^n \to \{0,1\}^n$ of type:

  $(x_1, x_2, \ldots, x_n) \mapsto (x_2, x_3, \ldots, x_n, f(x_1, x_2, \ldots, x_n))$
Feedback Shift Registers
• Linear Feedback Shift Register (LFSR)
  – $n$ binary storage elements
  – linear feedback function
  – has a cycle of length $2^n - 1$ (containing all non-zero states) iff its characteristic polynomial is primitive
• Non-Linear Feedback Shift Register (NLFSR)

  [Figure: 5-stage LFSR and 5-stage NLFSR, stages numbered 5, 4, 3, 2, 1]
NLFSRs
• An NLFSR is invertible iff its feedback function is of type (“$\oplus$” is addition mod 2):

  $f(x_1, x_2, \ldots, x_n) = x_1 \oplus g(x_2, x_3, \ldots, x_n)$

• Conditions for single-cycle NLFSRs are not known
• There are $2^{2^{n-1} - n}$ single-cycle $n$-bit NLFSRs
• Existing algorithms for constructing single-cycle NLFSRs are applicable to $n < 32$

Fredricksen, H. (1982) “A Survey of Full-Length Nonlinear Shift Register Cycle Algorithms”, SIAM Review, 24(2), 195–221
Dubrova, E. (2012) “List of Maximum-Period NLFSRs”, Cryptology ePrint Archive, 2012/166
Combining smaller NLFSRs
• If we place in parallel $k$ NLFSRs with largest cycles of length $L_1, L_2, \ldots, L_k$, we get a mapping with the largest cycle of length $\mathrm{LCM}(L_1, L_2, \ldots, L_k)$

  [Figure: NLFSR$_1$ ($f_1$), NLFSR$_2$ ($f_2$), ..., NLFSR$_k$ ($f_k$) in parallel, together forming an $(n_1 + n_2 + \cdots + n_k)$-bit state]

• Example: $n_1 = 3$, $L_1 = 7$; $n_2 = 4$, $L_2 = 15$; $n_3 = 5$, $L_3 = 31$
  $7 \times 15 \times 31 = 3255 < 2^{3+4+5} = 4096$, so the composition does not reach a full cycle
Contribution of the paper
• A method for generating single-cycle mappings of type $\{0,1\}^{n \times k} \to \{0,1\}^{n \times k}$ using $k$ NLFSRs of equal size $n$

  [Figure: NLFSR$_1$ ($f_1$), NLFSR$_2$ ($f_2$), ..., NLFSR$_k$ ($f_k$) with an $n \times k$-bit state; an “extra logic” block is added ($+$) to each feedback function]
Construction method
• We used NLFSRs with two types of cycles
  – a cycle of length $2^n - 1$ containing all non-0 states
  – a cycle of length 1 containing the 0 state
• If we place $k$ such NLFSRs in parallel, we get a mapping with the following cycle structure:
  – $\sum_{i=0}^{k-1} 2^{ni}$ cycles of length $2^n - 1$ (every non-zero component has period $2^n - 1$, so all $2^{nk} - 1$ non-zero states lie on cycles of that length, and there are $(2^{nk} - 1)/(2^n - 1) = \sum_{i=0}^{k-1} 2^{ni}$ of them)
  – one cycle of length 1 (the 0 state)
• We will join these cycles into one by applying cycle-joining transformations
Cycle-joining transformations
• In an NLFSR, any state has two possible successors and two possible predecessors

  [Figure: states A and B with their input/output bits $S_0$, $S_1$, and their successors $A^+$, $B^+$]

• If A and B are contained in different cycles, by exchanging their successors we can join two cycles into one
Joining cycles by exchanging successors

  [Figure: two cycles, one containing A and one containing B, joined into a single cycle by swapping the successors $A^+$ and $B^+$]
Splitting a cycle
• If A and B are contained in the same cycle, by exchanging their successors we split that cycle into two

  [Figure: one cycle containing both A and B, split into two cycles by swapping the successors $A^+$ and $B^+$]
Our case
• In our case, any state can have $2^k$ possible successors and $2^k$ possible predecessors
• We apply cycle-joining to the states of type:

  $A = (S_1 c_1,\ S_2 c_2,\ \ldots,\ S_k c_k)$
  $B = (S_1 c'_1,\ S_2 c'_2,\ \ldots,\ S_k c'_k)$

  where $c'$ is the Boolean complement of $c$
• If A and B are in different cycles, by exchanging their successors we join two cycles into one
How to exchange successors
• Successors can be exchanged by adding to the feedback function of every NLFSR the minterms corresponding to the states A and B
  – For example, the state 1010 (bits read as $x_4 x_3 x_2 x_1$) corresponds to the minterm $x_4 \bar{x}_3 x_2 \bar{x}_1$
  – If the feedback function $f$ evaluates to 0 for the assignment 1010, then the function $f \oplus x_4 \bar{x}_3 x_2 \bar{x}_1$ evaluates to 1 for 1010
• The challenge is to join an exponential number of cycles using additional logic of linear size
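The following Python toolkit is an added example, not code from the paper or from Dubrova's construction. It covers the register model of slides 5–7 (an invertible NLFSR with $f = x_1 \oplus g(x_2, \ldots, x_n)$), the parallel composition of slides 8 and 10 (including the $\mathrm{LCM}(7, 15, 31) = 3255$ example and the count of $(2^n - 1)$-cycles), and the successor-exchange transformation of slides 11–15: adding the minterms of a conjugate pair A, B to every feedback function, which joins two cycles or splits one. The paper's own choice of minimal dedicated states and its $O(nk)$ expression are not reproduced; here the pair to exchange is given explicitly and the cycle structure is found by brute force on small registers. Assumptions of the example: states are tuples $(x_1, \ldots, x_n)$ with $x_1$ shifted out and the feedback bit entering as $x_n$; the component feedback functions are the linear ones of the primitive polynomials $x^3 + x + 1$, $x^4 + x + 1$ and $x^5 + x^2 + 1$; all function names are the example's own.

```python
"""
Added example (not from the paper): simulate n-bit Fibonacci NLFSRs, clock
k of them in parallel, enumerate the cycles of the resulting mapping on
{0,1}^(n1+...+nk), and exchange the successors of a conjugate pair A, B by
adding their minterms to every feedback function (slides 11-15).

Assumed conventions (the slides do not fix them):
  * a register state is the tuple (x1, ..., xn);
  * one clock computes (x1, ..., xn) -> (x2, ..., xn, f(x1, ..., xn));
  * the register is invertible, so f = x1 XOR g(x2, ..., xn) and only g is supplied.
"""
from itertools import product


def nlfsr_step(g, state):
    """One clock of an invertible NLFSR with feedback f = x1 XOR g(x2..xn)."""
    return state[1:] + ((state[0] ^ g(state[1:])) & 1,)


def parallel(regs):
    """k NLFSRs (g_i, n_i) clocked in parallel; the state is the concatenation
    of the component states, as in the 'Combining smaller NLFSRs' figure."""
    def step(state):
        nxt, pos = (), 0
        for g, n in regs:
            nxt += nlfsr_step(g, state[pos:pos + n])
            pos += n
        return nxt
    return step


def cycles(step, n_bits):
    """All cycles of the state transition graph of `step` on {0,1}^n_bits.
    Raises if `step` is not a permutation: a walk would then re-enter a state
    other than the one it started from."""
    seen, out = set(), []
    for start in product((0, 1), repeat=n_bits):
        if start in seen:
            continue
        cyc, s = [], start
        while s not in seen:
            seen.add(s)
            cyc.append(s)
            s = step(s)
        if s != start:
            raise ValueError("not a permutation: %r has two predecessors" % (s,))
        out.append(cyc)
    return out


def cycle_lengths(step, n_bits):
    return sorted(len(c) for c in cycles(step, n_bits))


def conjugate(state, n):
    """The state B paired with A on slide 14: identical to A except that x1 of
    every size-n component is complemented, so succ(A) and succ(B) differ in
    exactly the k feedback bits."""
    return tuple(b ^ 1 if i % n == 0 else b for i, b in enumerate(state))


def exchange_successors(step, n, a):
    """Add minterm(A) XOR minterm(B) to the feedback function of every
    component (slide 15): on input A or B every feedback bit is flipped, which
    swaps succ(A) and succ(B). Joins two cycles if A and B lie on different
    cycles (slide 12), splits one cycle if they lie on the same one (slide 13)."""
    b = conjugate(a, n)
    feedback = {i for i in range(len(a)) if i % n == n - 1}

    def new_step(state):
        nxt = step(state)
        if state == a or state == b:  # the added minterms evaluate to 1 here
            nxt = tuple(bit ^ 1 if i in feedback else bit
                        for i, bit in enumerate(nxt))
        return nxt
    return new_step


# Linear feedback with primitive characteristic polynomials (assumption of the
# example): one cycle of length 2^n - 1 over the non-zero states plus the fixed
# point 0, exactly the two cycle types used on slide 10.
G3 = lambda s: s[0]   # x^3 + x + 1   : f = x1 ^ x2
G4 = lambda s: s[0]   # x^4 + x + 1   : f = x1 ^ x2
G5 = lambda s: s[1]   # x^5 + x^2 + 1 : f = x1 ^ x3


def demo():
    single = lambda s: nlfsr_step(G3, s)
    assert cycle_lengths(single, 3) == [1, 7]
    # Slide 8: sizes 3, 4, 5 in parallel reach only lcm(7, 15, 31) = 3255 < 4096.
    lengths = cycle_lengths(parallel([(G3, 3), (G4, 4), (G5, 5)]), 12)
    assert max(lengths) == 3255 and sum(lengths) == 4096
    # Slide 10: k = 2 registers of size n = 3 give 1 + 2^3 = 9 cycles of length 7.
    two = parallel([(G3, 3), (G3, 3)])
    assert cycle_lengths(two, 6) == [1] + [7] * 9
    # Slide 12 with k = 1: joining the fixed point to the 7-cycle yields a full
    # cycle (a de Bruijn sequence); slide 13: a second exchange inside it splits it.
    full = exchange_successors(single, 3, (0, 0, 0))
    assert cycle_lengths(full, 3) == [8]
    assert len(cycles(exchange_successors(full, 3, (0, 1, 0)), 3)) == 2
    # Slides 14-15 with k = 2: A = 000000 and B = 100100 lie on different cycles.
    assert cycle_lengths(exchange_successors(two, 3, (0,) * 6), 6) == [7] * 8 + [8]
    return lengths


if __name__ == "__main__":
    print(demo())
```

`cycles` doubles as the invertibility check: if a feedback function is not of the form $x_1 \oplus g(x_2, \ldots, x_n)$ the walk re-enters a state with two predecessors and the function raises, which is the practical way to confirm that an added minterm term has not destroyed the permutation property.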
Choosing dedicated states
• We chose as dedicated the states with the minimal decimal representation
• We proved that
  – If A is a minimal state of a cycle, then B is contained in another cycle
  – The set of minterms corresponding to the minimal states A of all cycles and the corresponding states B can be described by an expression of size $O(nk)$

  [Figure: the pair $A = (S_1 c_1, S_2 c_2, \ldots, S_k c_k)$, $B = (S_1 c'_1, S_2 c'_2, \ldots, S_k c'_k)$]
First joining step
• By exchanging the successors of the minimal states of all cycles, we get one cycle of length $2^n$ and other cycles of length $2^n (2^n - 1)$
• #Gates to add: $O(nk)$
  – $k(n + 4) - n - 8$ ANDs
  – $2k + 1$ ORs
  – $k$ XORs
• Example: $n = 32$, $k = 4$: total #gates $= 104 + 9 + 4 = 117$
Joining the resulting cycles into one
• Before computing the next state, the minimal state of each “flower” is transformed to the minimal state of the next “flower”, etc., and finally the cycle of length $2^n$ is appended
• #Gates to add: $O(nk^2)$ + one time step
  – $< 2nk$ ANDs, $< nk^2$ ORs, $< 2nk$ XORs
Conclusion
• We presented a method for generating single-cycle mappings of type $\{0,1\}^{n \times k} \to \{0,1\}^{n \times k}$ using $k$ NLFSRs of equal size $n$
• A logic block of size $O(nk^2)$ and an extra time step are required
• Future work involves security analysis of the presented method