Stream Ciphers - Andreas Klein


  • 7/25/2019 Stream Ciphers - Andreas Klein


    Stream Ciphers


    Andreas Klein

    Stream Ciphers


Andreas Klein
Dept. of Pure Mathem. & Computer Algebra
State University of Ghent
Ghent, Belgium

    ISBN 978-1-4471-5078-7 ISBN 978-1-4471-5079-4 (eBook)

DOI 10.1007/978-1-4471-5079-4
Springer London Heidelberg New York Dordrecht

    Library of Congress Control Number: 2013936538

    Mathematics Subject Classification: 94A60, 68P25, 11T71

Springer-Verlag London 2013

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher's location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

    Printed on acid-free paper

    Springer is part of Springer Science+Business Media (www.springer.com)


    Preface

Cryptographic ciphers come in two flavours: symmetric (AES, etc.) and asymmetric (RSA, etc.). The symmetric ciphers are further divided into block ciphers and stream ciphers. Block ciphers work on large blocks simultaneously (typically comprising 128 or 256 bits) and have no internal state (at least not in their basic version). Stream ciphers work on single bits or single words and need to maintain an internal state to change the cipher at each step.

Typically stream ciphers can reach higher speeds than block ciphers, but their theory is less developed. This is why stream ciphers are often skipped in books on cryptography. This does not reflect the real importance of stream ciphers. They are used in several everyday applications (for example RC4 is used in wireless LAN and mobile telephones use A5). This book should fill the gap and provide a detailed introduction to stream ciphers.

I wrote this book in the years 2008-2010 when I had a research position at Ghent University.

I want to thank all my colleagues in Ghent for the pleasant time I had there, but especially Prof. Leo Storme who first gave me the opportunity to come to Ghent. We did some nice research together.

I also thank the team of the Springer Verlag who did a great job in improving this book. In addition I want to thank the anonymous referee, without whom the chapter on the Blum-Blum-Shub generator would be missing and there would be no exercises.

Andreas Klein
Wettenberg, Germany


    Contents

1 Introduction to Stream Ciphers . . . 1
1.1 History I: Antique Ciphers . . . 1
1.2 Lessons from History: The Classification of Ciphers . . . 3
1.3 History II: The Golden Age of Stream Ciphers . . . 8
1.4 Lessons from the Enigma . . . 8
1.5 History III: Towards Modern Cryptography . . . 10
1.6 When to Use Stream Ciphers? . . . 11
1.7 Outline of the Book . . . 11

    Part I Shift Register-Based Stream Ciphers

2 Linear Feedback Shift Registers . . . 17
2.1 Basic Definitions . . . 17
2.2 Algebraic Description of LFSR Sequences . . . 18

2.2.1 Generating Functions . . . 19
2.2.2 Feedback Polynomials Without Multiple Roots . . . 20
2.2.3 Feedback Polynomials with Multiple Roots . . . 21

2.2.4 LFSR Sequences as Cyclic Linear Codes . . . 23
2.3 Properties of m-Sequences . . . 24

2.3.1 Golomb's Axioms . . . 24
2.3.2 Sequences with Two Level Auto-Correlation . . . 27
2.3.3 Cross-Correlation of m-Sequences . . . 29

2.4 Linear Complexity . . . 30
2.4.1 Definition and Basic Properties . . . 30
2.4.2 The Berlekamp-Massey Algorithm . . . 33
2.4.3 Asymptotic Fast Computation of Linear Complexity . . . 37

2.4.4 Linear Complexity of Random Sequences . . . 42
2.5 The Linear Complexity Profile of Pseudo-random Sequences . . . 44

2.5.1 Basic Properties . . . 44
2.5.2 Continued Fractions . . . 46


2.5.3 Classification of Sequences with a Perfect Linear Complexity Profile . . . 48

2.6 Implementation of LFSRs . . . 50
2.6.1 Hardware Realization of LFSRs . . . 51

2.6.2 Software Realization of LFSRs . . . 52

3 Non-linear Combinations of LFSRs . . . 59

3.1 De Bruijn Sequences . . . 59
3.2 A Simple Example of a Non-linear Combination of LFSRs . . . 64
3.3 Different Attack Classes . . . 65

3.3.1 Time-Memory Trade-off Attacks . . . 65
3.3.2 Algebraic Attacks . . . 65
3.3.3 Correlation Attacks . . . 66

3.4 Non-linear Combinations of Several LFSR Sequences . . . 66
3.4.1 The Product of Two LFSRs . . . 67
3.4.2 General Combinations . . . 70

3.5 Non-linear Filters . . . 72
3.6 Correlation Immune Functions . . . 75

3.6.1 Definition and Alternative Characterizations . . . 75
3.6.2 Siegenthaler's Inequality . . . 78
3.6.3 Asymptotic Enumeration of Correlation Immune Functions . . . 80

4 Correlation Attacks . . . 91

4.1 CJS-Attacks . . . 91
4.1.1 The Basic Version . . . 91
4.1.2 Using Relations of Different Size . . . 94
4.1.3 How to Search Relations . . . 96
4.1.4 Extended Relation Classes . . . 98
4.1.5 Twice Step Decoding . . . 101
4.1.6 Evaluation of the Relations . . . 103

4.2 Attacks Based on Convolutional Codes . . . 105
4.2.1 Introduction to Convolutional Codes . . . 105
4.2.2 Decoding Convolutional Codes . . . 107
4.2.3 Application to Cryptography . . . 111

4.3 Attacking LFSRs with Sparse Feedback Polynomials . . . 114

5 BDD-Based Attacks . . . 117
5.1 Binary Decision Diagrams . . . 117

5.1.1 Ordered BDDs . . . 118
5.1.2 Free BDDs . . . 124

5.2 An Example of a BDD-Based Attack . . . 126
5.2.1 The Cipher E0 . . . 126

5.2.2 Attacking E0 . . . 127

6 Algebraic Attacks . . . 131

6.1 Tools for Solving Non-linear Equations . . . 131
6.1.1 Gröbner Bases . . . 131


6.1.2 Linearization . . . 143
6.2 Pre-processing Techniques for Algebraic Attacks . . . 147

6.2.1 Reducing the Degree . . . 147
6.2.2 Dealing with Combiners with Memory . . . 149

6.3 Real World Examples . . . 151
6.3.1 LILI-128 . . . 151
6.3.2 E0 . . . 153

7 Irregular Clocked Shift Registers . . . 155
7.1 The Stop-and-Go Generator and the Step-Once-Twice Generator . . . 155
7.2 The Alternating Step Generator . . . 157
7.3 The Shrinking Generator . . . 158

7.3.1 Description of the Cipher . . . 159
7.3.2 Linear Complexity of the Shrinking Generator . . . 159

7.3.3 Correlation Attacks Against the Shrinking Generator . . . 161
7.4 Side Channel Attacks . . . 163

    Part II Some Special Ciphers

8 The Security of Mobile Phones (GSM) . . . 169
8.1 The GSM Protocol . . . 169
8.2 A5/2 . . . 170

8.2.1 Description of A5/2 . . . 170
8.2.2 An Instance of a Ciphertext-Only Attack . . . 172

8.2.3 Other Attacks Against A5/2 . . . 175
8.3 A5/1 . . . 176

8.3.1 Description of A5/1 . . . 176
8.3.2 Time-Memory Trade-off Attacks . . . 176
8.3.3 Correlation Attacks . . . 179

9 RC4 and Related Ciphers . . . 183
9.1 Description of RC4 . . . 183
9.2 Application of RC4 in WLAN Security . . . 184

9.2.1 The WEP Protocol . . . 184
9.2.2 The WPA Protocol . . . 185
9.2.3 A Weakness Common to Both Protocols . . . 187

9.3 Analysis of the RC4 Key Scheduling . . . 190
9.3.1 The Most Likely and Least Likely RC4 Permutation . . . 191
9.3.2 Discarding the First RC4 Bytes . . . 196

9.4 Chosen IV Attacks . . . 199
9.4.1 Initialization Vector Precedes the Main Key . . . 199
9.4.2 Variants of the Attack . . . 200
9.4.3 Initialization Vector Follows the Main Key . . . 202

9.5 Attacks Based on Golić's Correlation . . . 202
9.5.1 Initialization Vector Follows the Main Key . . . 204
9.5.2 Initialization Vector Precedes the Main Key . . . 205
9.5.3 Attacking RC4 with the First n Bytes Discarded . . . 207


9.5.4 A Ciphertext-Only Attack . . . 209
9.6 State Recovering Attacks . . . 209
9.7 Other Attacks on RC4 . . . 212

9.7.1 Digraph Probabilities . . . 213

9.7.2 Fortuitous States . . . 218
9.8 RC4 Variants . . . 222

9.8.1 An RC4 Variant for 32-Bit Processors . . . 222
9.8.2 RC4A . . . 224
9.8.3 Modifications to Avoid Known Attacks . . . 227

10 The eStream Project . . . 229
10.1 Trivium . . . 229
10.2 Rabbit . . . 232
10.3 Mosquito and Moustique . . . 235

11 The Blum-Blum-Shub Generator and Related Ciphers . . . 241
11.1 Cryptographically Secure Pseudo-random Generators . . . 241
11.2 The Blum-Blum-Shub Generator . . . 244
11.3 Implementation Aspects . . . 247
11.4 Extracting Several Bits per Step . . . 251
11.5 The RSA Generator and the Power Generator . . . 253
11.6 Generators Based on Other Hard Problems . . . 254
11.7 Unconditionally Secure Pseudo-random Sequences . . . 256

    Part III Mathematical Background

12 Computational Aspects . . . 261
12.1 Bit Tricks . . . 261

12.1.1 Infinite 2-adic Expansions . . . 261
12.1.2 Sideway Addition . . . 262
12.1.3 Sideway Addition for Arrays . . . 263

12.2 Binary Decision Diagrams, Implementation Aspects . . . 264
12.2.1 Memory Management . . . 264

12.2.2 Implementation of the Basic Operations . . . 266
12.2.3 Implementation of Reordering Algorithms . . . 267
12.2.4 Emulating a BDD Base . . . 271

12.3 The O-Notation . . . 272
12.4 The Complexity Classes P and NP . . . 273
12.5 Fast Linear Algebra . . . 278

12.5.1 Matrix Multiplication . . . 278
12.5.2 Other Matrix Operations . . . 289
12.5.3 Wiedemann's Algorithm and Black Box Linear Algebra . . . 291

13 Number Theory . . . 293
13.1 Basic Results . . . 293
13.2 The Group (Z/nZ) . . . 294
13.3 The Prime Number Theorem and Its Consequences . . . 295


13.4 Zsigmondy's Theorem . . . 297
13.5 Quadratic Residues . . . 299
13.6 Lattice Reduction . . . 301

14 Finite Fields . . . 305
14.1 Basic Properties . . . 305
14.2 Irreducible Polynomials . . . 305
14.3 Primitive Polynomials . . . 307
14.4 Trinomials . . . 308
14.5 The Algebraic Normal Form . . . 309

15 Statistics . . . 311
15.1 Measure Theory . . . 311
15.2 Simple Tests . . . 312

15.2.1 The Variation Distance . . . 312
15.2.2 The Test Problem . . . 313
15.2.3 Optimal Tests . . . 314
15.2.4 Bayesian Statistics . . . 315

15.3 Sequential Tests . . . 316
15.3.1 Introduction to Sequential Analysis . . . 316
15.3.2 Martingales . . . 316
15.3.3 Wald's Sequential Likelihood Ratio Test . . . 319
15.3.4 Brownian Motion . . . 322

15.3.5 The Functional Central Limit Theorem . . . 326

16 Combinatorics . . . 329

16.1 Asymptotic Calculations . . . 329
16.2 Permutations . . . 332
16.3 Trees . . . 334

    Part IV Exercises with Solutions

17 Exercises . . . 339
17.1 Proposals for Programming Projects . . . 344

18 Solutions . . . 347

    Part V Programs

19 An Overview of the Programs . . . 365

20 Literate Programming . . . 371
20.1 Introduction to Literate Programming . . . 371
20.2 Pweb Design Goals . . . 371
20.3 Pweb Manual . . . 372

20.3.1 Structure of a WEB-Document . . . 372
20.3.2 Text Sections . . . 372
20.3.3 Code Sections and Modules . . . 373
20.3.4 Macros . . . 374


20.3.5 Special Variable Names . . . 375
20.3.6 Include Files . . . 375
20.3.7 Conditional Compilation . . . 375
20.3.8 More pweb Commands . . . 376

20.3.9 Compatibility Features . . . 376
20.3.10 Common Errors . . . 376
20.3.11 Editing pweb Documents . . . 377
20.3.12 Extending pweb . . . 377

Notations . . . 379

References . . . 381

Index . . . 395


    List of Figures

Fig. 1.1 Encrypting a text with a Vigenère cipher . . . 3
Fig. 1.2 Stream-oriented block cipher modes . . . 5
Fig. 1.3 Encrypting a text with an auto key cipher . . . 5
Fig. 1.4 A synchronous stream cipher . . . 6
Fig. 1.5 A self-synchronizing stream cipher . . . 7

Fig. 2.1 A feedback shift register . . . 18
Fig. 2.2 The sum of two LFSRs . . . 32
Fig. 2.3 Construction for the Berlekamp-Massey algorithm . . . 35

Fig. 2.4 Combination of the two LFSRs of Fig. 2.3 . . . 35
Fig. 2.5 The linear complexity profile of 1010111100010011010111100 . . . 45
Fig. 2.6 A typical linear complexity profile . . . 45
Fig. 2.7 The Fibonacci implementation of an LFSR . . . 51
Fig. 2.8 The Galois implementation of an LFSR . . . 51
Fig. 2.9 Right shift over several words . . . 53

Fig. 3.1 The smallest de Bruijn graphs . . . 60
Fig. 3.2 The Geffe generator . . . 64
Fig. 3.3 A simple non-linear filter . . . 72
Fig. 3.4 1 cos(x) 2 2 x2 . . . 86
Fig. 4.1 A simple convolutional code . . . 105
Fig. 4.2 Three different encoders of the same code . . . 106
Fig. 4.3 An example for the Viterbi algorithm . . . 108
Fig. 4.4 A tree diagram for a (2, 1) encoder . . . 109

Fig. 5.1 A non-reduced binary decision diagram . . . 118
Fig. 5.2 A reduced binary decision diagram . . . 118
Fig. 5.3 Reducing a binary decision diagram . . . 118

Fig. 5.4 Algorithm 5.2 applied to the diagram of Fig. 5.1 . . . 122
Fig. 5.5 The melt of two BDDs . . . 123
Fig. 5.6 A free binary decision diagram . . . 125
Fig. 5.7 The control graph of the free BDD in Fig. 5.6 . . . 125


Fig. 5.8 The cipher E0 . . . 127
Fig. 5.9 Basic BDDs for attacking E0 . . . 129

Fig. 6.1 A combiner with memory . . . 149

Fig. 6.2 The LILI-128 keystream generator . . . 152
Fig. 7.1 The stop-and-go generator . . . 156
Fig. 7.2 The alternating step generator . . . 158
Fig. 7.3 The shrinking generator . . . 159

Fig. 8.1 Outline of the GSM protocol . . . 170
Fig. 8.2 Diagram of A5/2 . . . 171
Fig. 8.3 Diagram of A5/1 . . . 177

Fig. 9.1 The S-box of the Temporal Key Hash (Part 1) . . . 188

Fig. 9.2 Temporal Key Hash (Part 1) . . . 188
Fig. 9.3 Temporal Key Hash (Part 2) . . . 188
Fig. 9.4 The graph representation of S = (0 1)(2 3) = (3 1)(2 3)(1 2)(0 1) . . . 193
Fig. 9.5 The FMS-attack key scheduling . . . 200
Fig. 9.6 Digraph repetition . . . 217
Fig. 9.7 Example of a 3-fortuitous state . . . 218

Fig. 10.1 The cipher Trivium . . . 230
Fig. 10.2 The cipher Rabbit . . . 233
Fig. 10.3 The cipher Moustique . . . 236
Fig. 10.4 Mapping between $q_{ij}$ and $a^{(0)}_k$ . . . 237

Fig. 12.1 Memory layout . . . 265
Fig. 12.2 A BDD node in memory . . . 265
Fig. 12.3 Variable swapping . . . 268
Fig. 12.4 The variable 3 jumps up . . . 269
Fig. 12.5 Moving a variable from the top to the bottom . . . 270
Fig. 12.6 Sifting down . . . 270
Fig. 12.7 A Turing machine . . . 274

Fig. 15.1 A Brownian motion path . . . 323

Fig. 16.1 Comparison of $\int_a^b f(x)\,dx$ and $\tfrac{1}{2} f(a) + f(a+1) + \cdots + f(b-1) + \tfrac{1}{2} f(b)$ . . . 330
Fig. 16.2 A labeled tree . . . 335

Fig. 18.1 Binomial coefficients modulo 2 . . . 352
Fig. 18.2 Basic BDD for attacking the self-shrinking generator . . . 355
Fig. 18.3 The densities of N(0, 1) and N(0, 2) . . . 362

Fig. 19.1 An example of the Doxygen documentation . . . 366
Fig. 19.2 An example of the pweb documentation . . . 366

Fig. 20.1 The literate programming environment . . . 372


    List of Tables

Table 1.1 The Vigenère tableau . . . 4

Table 2.1 Tests for the algorithms . . . 42
Table 2.2 Speed of different LFSR implementations (128 bit LFSR) . . . 57
Table 2.3 Speed of an LFSR with feedback polynomial $z^{127} + z + 1$ . . . 57

Table 4.1 A Fano metric for a (2, 1) convolutional code and a BSC with p = 0.25 . . . 110

Table 4.2 Example of the sequential decoding algorithm . . . 111

Table 9.1 A 4-order, 7-generative pattern . . . 213
Table 9.2 Digraph probabilities of RC4 . . . 216
Table 9.3 The number of fortuitous states and their expected occurrence . . . 222

Table 10.1 Number of bits per cell in the CCSR of Moustique . . . 237
Table 10.2 Bit updating in the CCSR of Moustique . . . 238

Table 12.1 Comparing sideway addition algorithms for arrays . . . 264

Table 12.2 Speed of Pan's algorithm . . . 287
Table 14.1 Primitive and irreducible polynomials over $\mathbb{F}_2$ of low weight . . . 310

Table 18.1 Comparison of block cipher modes . . . 347

Table 20.1 Files needed by pweb . . . 378


    List of Algorithms

Algorithm 2.1 The Berlekamp-Massey algorithm . . . 34
Algorithm 2.2 Massey(i,i) . . . 38
Algorithm 2.3 feedback(i) . . . 42
Algorithm 2.4 Right shift over several words . . . 53
Algorithm 2.5 Sideway addition mod 2 (32 bit version) . . . 53
Algorithm 2.6 Sideway addition mod 2 (without multiplication) . . . 54
Algorithm 2.7 LFSR byte-oriented implementation (table look-ups) . . . 55
Algorithm 2.8 Parallel sideway addition mod 2 . . . 56
Algorithm 2.9 LFSR update with parallel sideway addition mod 2 . . . 57
Algorithm 2.10 Generating an LFSR sequence with the feedback polynomial $z^n + z^k + 1$ . . . 58

Algorithm 4.1 Simple fast correlation attack (CJS) . . . 93
Algorithm 4.2 Twice step decoding . . . 102
Algorithm 4.3 Fast Fourier transform over the group Z2 . . . 105
Algorithm 4.4 Viterbi decoding . . . 108
Algorithm 4.5 Sequential decoding . . . 110
Algorithm 4.6 Meier's and Staffelbach's attack against LFSRs with sparse feedback polynomials . . . 115

Algorithm 5.1 Counting solutions of an ordered BDD . . . 119
Algorithm 5.2 Reducing an ordered BDD . . . 120
Algorithm 5.3 Check that a given BDD is free . . . 124

Algorithm 6.1 Multivariate division with remainder . . . 135
Algorithm 6.2 Buchberger's algorithm . . . 140
Algorithm 6.3 The Gröbner walk . . . 142
Algorithm 6.4 XL-algorithm . . . 146
Algorithm 6.5 F4 algorithm (simplified) . . . 147

Algorithm 7.1 The alternating step generator . . . 158
Algorithm 7.2 The alternating step generator (alternative form) . . . 159


Algorithm 8.1 A5/2 initialization . . . 174
Algorithm 8.2 A5/1 initialization . . . 176
Algorithm 8.3 Enumerating special states of A5/1 . . . 178

Algorithm 9.1 RC4 key scheduling . . . 184
Algorithm 9.2 RC4 pseudo-random generator . . . 184
Algorithm 9.3 Temporal Key Hash . . . 186
Algorithm 9.4 Temporal Key Hash S-box . . . 187
Algorithm 9.5 CRC encoding . . . 189
Algorithm 9.6 CRC decoding . . . 189
Algorithm 9.7 Idealized RC4 key scheduling . . . 191
Algorithm 9.8 Computing the key from an early permutation state . . . 203
Algorithm 9.9 A simple internal state recovering attack . . . 211

Algorithm 9.10 Computing the digraph probabilities . . . 213
Algorithm 9.11 Computing the digraph probabilities (1. Transformation) . . . 215
Algorithm 9.12 Computing the digraph probabilities (2. Transformation, inner loops) . . . 215
Algorithm 9.13 Searching fortuitous states . . . 219
Algorithm 9.14 Enumerating fortuitous states (fast) . . . 220
Algorithm 9.15 RC4(n,m) key scheduling . . . 223
Algorithm 9.16 RC4(n,m) pseudo-random generator . . . 223
Algorithm 9.17 RC4(n,m) pseudo-random generator, old version . . . 224
Algorithm 9.18 RC4A pseudo-random generator . . . 225

Algorithm 9.19 RC4 key scheduling . . . 227
Algorithm 9.20 Paul's suggestion for key scheduling . . . 228

Algorithm 10.1 Trivium key stream generation . . . 230
Algorithm 10.2 Trivium key scheduling . . . 231

Algorithm 11.1 The Blum-Micali generator . . . 243
Algorithm 11.2 Discrete logarithm generator . . . 243
Algorithm 11.3 The Blum-Blum-Shub generator . . . 244

Algorithm 11.4 Enhancing the success probability . . . 245
Algorithm 11.5 Montgomery reduction . . . 250
Algorithm 11.6 Variation of the Blum-Blum-Shub generator for use with Montgomery reduction . . . 251
Algorithm 11.7 A variation of the Blum-Micali generator that outputs j bits per step . . . 252
Algorithm 11.8 The RSA generator . . . 253
Algorithm 11.9 The Fisher-Stern generator . . . 255
Algorithm 11.10 The QUAD cipher . . . 256

    Algorithm 12.1 Sideway addition based on table look-up . . . . . . . . . . 262Algorithm 12.2 Sideway addition (64 bit words) . . . . . . . . . . . . . . . 263Algorithm 12.3 Sideway addition Harley-Seal method . . . . . . . . . . . . 264Algorithm 12.4 Winograds algorithm for multiplying small matrices . . . . 279

  • 7/25/2019 Stream Ciphers - Andreas Klein

    17/398


Algorithm 12.5 Strassen's algorithm to multiply 2×2 matrices, p. 280
Algorithm 12.6 Pan's matrix multiplication, p. 286
Algorithm 12.7 Multiplication of 64×64 binary matrices, p. 287
Algorithm 12.8 Multiplication of 8×8 binary matrices (MXOR), p. 288

Algorithm 13.1 Evaluating the Jacobi symbol, p. 301
Algorithm 13.2 LLL basis reduction, p. 302
Algorithm 13.3 Coppersmith's method (univariate case), p. 303

Algorithm 14.1 Choosing a random primitive element of F_q, p. 307

Algorithm 15.1 Wald's sequential test, p. 320

Algorithm 17.1 Sideway addition mod 2, p. 340
Algorithm 17.2 A weak variation of the RC4 pseudo-random generator, p. 342

Algorithm 18.1 Choosing a random de Bruijn sequence, p. 351
Algorithm 18.2 Binary Decision Diagrams: The ternary-and operator, p. 353
Algorithm 18.3 Binary Decision Diagrams: The constrain operator, p. 355
Algorithm 18.4 Sideway addition for sparse words, p. 358


    Chapter 1

    Introduction to Stream Ciphers

    1.1 History I: Antique Ciphers

The art of writing secret messages is very old. In the early days few people could write, so effectively every text was encrypted. It took a millennium for true cryptosystems to appear. An early example was the Scytale, which was used by the Spartans in the Persian wars (3rd century BC). Cryptography has been reinvented many times independently. For an extensive history of the subject, see [141].

Another cipher was used by the Roman emperor Gaius Julius Caesar. Suetonius writes:

    Exstant et [epistolae] ad Ciceronem, item ad familiares de rebus, in quibus, si qua occultius perferenda erant, id est sic structo litterarum ordine, ut nullum verbum effici posset; quae si qui investigare et persequi velit, quartam elementorum litteram, id est D pro A et perinde reliquas commutet.

In English this reads:

    There exist [letters from Caesar] to Cicero and his friends in which he uses a cipher when something has to be transmitted confidentially, i.e. he changed the order of the letters in such a way that no word could be recognized. If one wants to read the content, he must convert the fourth letter, i.e. D, into an A and must proceed with the other letters in the same way.

Ancient cryptology did not distinguish between the algorithm used for encryption (the cipher) and the secret key. It took more than a millennium for the modern distinction between cipher and key to be introduced. In 1883 Kerckhoffs [146] stated his famous principle: The security of an encrypted message must not rely on the security of the encryption algorithm, but only on the security of the secret key.

History has proved Kerckhoffs' principle to be true many times. In modern cryptography we always require that the cipher has to be public and that there is public research about its security. Many people have thought that they could violate the principle and use a secret cipher. The result has always been the same: sooner or later (most times sooner) the cipher was leaked to the public and usually the cipher had some serious flaws.

A. Klein, Stream Ciphers, DOI 10.1007/978-1-4471-5079-4_1, Springer-Verlag London 2013

We transform Caesar's cipher into a modern cipher with a key by declaring that the cipher is the substitution of each letter by another and that the key should be a permutation of the alphabet which the sender and the receiver have to agree on. This class of ciphers is called monoalphabetic. The key space has size 26! ≈ 2^88, which is, even for modern computers, too big for an exhaustive search.

However, with the development of statistics it became clear that simple monoalphabetic ciphers can be broken by analyzing letter frequencies: the substitution renames the letters but does not change how often each one occurs, so the most frequent ciphertext symbol almost certainly stands for E, and so on. At first this was only known to some experts in the military and the secret services, but in time the approach became publicly known. In the 19th century attacks against monoalphabetic ciphers had become a popular theme in adventure literature (see Edgar Allan Poe [213] or Arthur Conan Doyle [81]).

So the simple idea of the monoalphabetic cipher needs an extension. There are three ways to obfuscate the letter frequencies.

• In a homophone cipher we assign several ciphertext symbols to each letter. Common letters like e are assigned many different ciphertext symbols and rare letters like z get only a few. Each time we want to encode a letter we choose one of the associated ciphertext symbols at random.
  The Beale cipher [275], which is probably the most famous cryptogram in history, is of this type. The oldest known usage of a homophone cipher is dated at 1401 (see [141]).

• In a polyalphabetic cipher one uses very simple substitutions for each letter (normally cyclic shifts or involutions), but the substitution is changed for every letter in a previously agreed way. Changing the substitution masks the redundancy in the plaintext.
  The oldest use of a polyalphabetic cipher is dated at 1568 (see [141]). The Enigma machine, which is famous for its role in the second world war (see Sect. 1.3), is a sophisticated example of a polyalphabetic cipher.

• In a polygraphic cipher one groups the letters in blocks and uses a substitution on the block. This masks the letter frequency and, if the block size is large enough, blocks will almost never repeat, which is a good defense against attacks based on the redundancy in the plaintext.
  Polygraphic ciphers are relatively new. The Playfair cipher, which was invented in 1854 by Charles Wheatstone (see [141]), is the oldest known example.

All three approaches provide security against simple attacks based on letter frequency. Homophone ciphers have the disadvantage that the ciphertext is longer than the plaintext, which is unacceptable in many applications. Furthermore they are not well suited for automatic encryption, which is the reason that homophone ciphers do not play a role in modern cryptography.

The other two approaches work well. The modern descendants of polyalphabetic ciphers are known as stream ciphers, while the polygraphic ciphers are the ancestors of the modern block ciphers.


SECRETSECRETSECRETSECRETSECRETSECRETSECRETSECRETSECRET
MANYYEARSAGOICONTRACTEDANINTIMACYWITHAMRWILLIAMLEGRAND
EEPPCWETJEYSKTSFXTRGLIFRRARVZQSGANMLLCDVOMNCMSQNVKJEPU

Fig. 1.1 Encrypting a text with a Vigenère cipher

    1.2 Lessons from History: The Classification of Ciphers

To get a feeling for the modern ciphers, it helps to understand their historic counterparts. The most famous polyalphabetic cipher is the Vigenère cipher. It is named after the French cryptologist Blaise de Vigenère, but it is older (see [141]).

The idea is simply to change the width of the cyclic shift used in the Caesar cipher for every letter. One selects a keyword, for example SECRET. To the first letter of the plaintext we apply the cyclic shift that would move A to the first letter of the keyword. (In the example we would apply the shift A → S, B → T, ..., Z → R.) To the second letter we apply the shift that maps A to the second letter of the keyword, and so on. After we reach the last letter of the keyword we go back and use the first letter again.

Example 1.1 Let us encrypt the first sentence of Edgar Allan Poe's story The Gold-Bug. The keyword is SECRET. In Fig. 1.1 you see in the first row the repeated keyword, in the second row the plaintext, and in the third row the ciphertext.

The first few characters already demonstrate that the Vigenère cipher can map different plaintext characters to the same character in the ciphertext and that different characters in the ciphertext may encode the same plaintext character. Thus it prevents the simple cryptanalysis that works against the monoalphabetic ciphers.

The decryption is similar: one must simply apply the reverse shift. As an aid for carrying out the encryption and decryption one can use the Vigenère tableau (Table 1.1), which shows the results of all possible shifts.

The Vigenère cipher is easily susceptible to cryptographic attacks that first recover the length of the keyword (such as the Kasiski test and Friedman's coincidence index, see for example [259]). Once the key length is known, the attacker must solve several Caesar ciphers, one for each position in the keyword, which can be done by searching for the most frequent letter in each of them (usually corresponding to the letter E).

    Nevertheless the Vigenre cipher has some interesting features:

• If the keyword is completely random and has the same length as the plaintext, one obtains the one-time pad, which is unconditionally secure.[1] One can think

[1] This is an important point that is often missed. Cryptography and proofs have a very special relation. What does it mean to say that a one-time pad is provably unconditionally secure? It is of course pointless to try to guess a pattern in a truly random sequence. This is exactly what the proof says. However, there are some rare examples where people try to use a one-time pad, but use a (weakly)


    Fig. 1.2 Stream-oriented block cipher modes

SECRETMANYYEARSAGOICONTRACTEDANINTIMACYWITHAMRWILLIAML
MANYYEARSAGOICONTRACTEDANINTIMACYWITHAMRWILLIAMLEGRAND
EEPPCXMRFYESITGNZFIEHRWRNKGXLMNKLPQFHCKNEBSLURITPRZAZV

Fig. 1.3 Encrypting a text with an auto key cipher

encryption function for every letter, but one could also say that it is a polygraphic cipher which works on blocks of the length of the keyword.

In modern cryptography block ciphers are normally used in a stream-oriented mode. The naive idea of using a block cipher by applying it successively to the message blocks (c_i = E(m_i, k)) is called the electronic code book (ECB) mode. The disadvantage of this mode is that the same plaintext block is always encrypted into the same ciphertext block, which leaks information. Figure 1.2 shows three popular operation modes for block ciphers. In all these modes the block cipher is used as a source of pseudo-random numbers. For further reference, see [90].

When the important idea is the changing internal state we use the term stream cipher, and when it is the division of the plaintext into blocks we use the term block cipher.

Several variants of the Vigenère cipher have been introduced to deal with the problem of the short period of the cipher. An interesting idea is the auto key cipher. In the Vigenère cipher the keyword is repeated until it has the same length as the message. In an auto key cipher the message itself is used as part of the key: the key stream consists of the keyword followed by the plaintext.

Example 1.2 We encrypt the same text as in Example 1.1 with an auto key cipher. The keyword is again SECRET. In Fig. 1.3 you see the encryption. Note how the message is used as part of the key.

The Vigenère and auto key ciphers exhibit an important difference, which is used to classify stream ciphers. Either the cipher generates its key stream independently of the message, or the message becomes a part of the feedback function. In the first case one speaks of a synchronous stream cipher and in the second case one speaks of a self-synchronizing or asynchronous stream cipher.
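As an added example (my own code, not the book's or the author's program collection), the following Python implements the Vigenère cipher and the auto key cipher of Figs. 1.1 and 1.3 and then carries out the attack sketched above: each key position is solved as a Caesar cipher by comparing letter counts with English frequencies (a chi-squared test over the whole alphabet rather than only looking for the most frequent letter), and the key length is found by trying the candidate lengths and keeping the one whose decryption looks most English-like instead of the Kasiski test or Friedman's index. That choice, the frequency table and the sample paragraph the attack runs on are my assumptions. The code also checks the two figures: the ciphertext row printed in Fig. 1.1 is reproduced only with the five-letter key SECRE (the sixth letter E shifted by T gives X, not the W printed there), and the row in Fig. 1.3 matches the auto key cipher with SECRET in all but its last letter.

```python
"""Vigenere and auto key ciphers with a frequency-based key recovery attack.
Added example; not code from the book or its program collection."""
import string

ALPHABET = string.ascii_uppercase

# Approximate letter frequencies of English text in percent, A..Z (assumed table).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# Plaintext of Examples 1.1 and 1.2 and the ciphertext rows printed in Figs. 1.1 and 1.3.
GOLD_BUG = "Many years ago I contracted an intimacy with a Mr William Legrand"
FIG_1_1 = "EEPPCWETJEYSKTSFXTRGLIFRRARVZQSGANMLLCDVOMNCMSQNVKJEPU"
FIG_1_3 = "EEPPCXMRFYESITGNZFIEHRWRNKGXLMNKLPQFHCKNEBSLURITPRZAZV"

# Constructed English paragraph, long enough for the statistical attack to work.
SAMPLE = ("The security of a cipher must not depend on keeping the algorithm secret "
          "but only on the secrecy of the key. Many designers have believed that a "
          "hidden method would protect them, and in every case the method was "
          "eventually leaked or reverse engineered and its weaknesses were then found "
          "in a matter of weeks. A public design that has survived years of open "
          "analysis is therefore far more trustworthy than any private scheme, "
          "however clever its inventor. The same lesson applies to protocols and to "
          "implementations, because an attacker who can read the code will read it, "
          "and an attacker who cannot will buy a device and take it apart. The "
          "history of the field is a long list of secret systems that failed and "
          "public ones that endured.")


def letters_only(text):
    """The classical ciphers work on A-Z only; drop spaces and punctuation."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def shift(c, k):
    """Cyclic shift of one letter by k positions (negative k shifts back)."""
    return ALPHABET[(ALPHABET.index(c) + k) % 26]


def vigenere(text, key, decrypt=False):
    """Periodic key: plaintext position i is shifted by key[i mod len(key)]."""
    sign = -1 if decrypt else 1
    return "".join(shift(c, sign * ALPHABET.index(key[i % len(key)]))
                   for i, c in enumerate(letters_only(text)))


def autokey_encrypt(text, key):
    """Auto key cipher of Fig. 1.3: the key stream is the keyword followed by the plaintext."""
    pt = letters_only(text)
    stream = key + pt
    return "".join(shift(c, ALPHABET.index(stream[i])) for i, c in enumerate(pt))


def autokey_decrypt(ct, key):
    """Every recovered plaintext letter is appended to the key stream, so the receiver
    rebuilds the stream from the keyword and its own output."""
    stream, out = list(key), []
    for i, c in enumerate(ct):
        p = shift(c, -ALPHABET.index(stream[i]))
        out.append(p)
        stream.append(p)
    return "".join(out)


def chi_squared(text):
    """Distance between the letter counts of text and English; lower is more English-like."""
    n = len(text)
    return sum((text.count(a) - n * f / 100) ** 2 / (n * f / 100)
               for a, f in zip(ALPHABET, ENGLISH_FREQ))


def best_caesar_shift(column):
    """Solve one Caesar cipher: the shift whose removal leaves the most English-like
    counts (the 'find the E' method of the text, using the whole frequency table)."""
    return min(range(26), key=lambda k: chi_squared("".join(shift(c, -k) for c in column)))


def crack_vigenere(ct, max_len=12):
    """Recover key and plaintext from ciphertext alone.  Each candidate key length L
    splits the ciphertext into L Caesar columns which are solved independently; the
    candidate whose full decryption looks most English-like wins.  The strict '<'
    keeps the shortest period, so a true key length of 6 beats the equivalent 12."""
    best = None
    for L in range(1, max_len + 1):
        key = "".join(ALPHABET[best_caesar_shift(ct[i::L])] for i in range(L))
        pt = vigenere(ct, key, decrypt=True)
        score = chi_squared(pt)
        if best is None or score < best[0]:
            best = (score, key, pt)
    return best[1], best[2]


if __name__ == "__main__":
    print(vigenere(GOLD_BUG, "SECRET")[:12], "<- SECRET")
    print(vigenere(GOLD_BUG, "SECRE")[:12], "<- SECRE reproduces the row printed in Fig. 1.1")
    print(autokey_encrypt(GOLD_BUG, "SECRET")[:12], "<- auto key cipher, Fig. 1.3")
    key, pt = crack_vigenere(vigenere(SAMPLE, "SECRET"))
    print("recovered key:", key, "| plaintext begins:", pt[:40])
```

Running the file prints the first letters of each encryption and the key recovered from the sample paragraph. The attack needs a few dozen letters per key position to be reliable, which is why the 54-letter sentence of the figures is not used as its target.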


    Fig. 1.4 A synchronous stream cipher

In general a synchronous stream cipher has the form

    x_{i+1} = f(x_i, k),
    z_i = g(x_i, k),
    c_i = h(z_i, m_i),

where k denotes the key, x_i is the internal state at time i, and m_i and c_i are the i-th bit (letter) of the message and the ciphertext, respectively (see Fig. 1.4). f is the feedback function of the cipher, g is the key stream extractor and h combines the key stream (z_i)_{i ∈ N} with the message stream (m_i)_{i ∈ N}. x_0 is called the initial state and may depend on the key.

In most applications we will take the exclusive or operation as the combiner (c_i = z_i ⊕ m_i) and the feedback and extraction functions do not depend on the key (x_{i+1} = f(x_i), z_i = g(x_i)), i.e. the key is only used to choose the initial internal state x_0. In this special case we speak of a binary additive stream cipher.

An important feature of synchronous stream ciphers is that they assure only the confidentiality of the data, but not its integrity. An active attacker can simply flip bits of the ciphertext, which flips exactly the corresponding plaintext bits and nothing else, so the modification goes unnoticed by the receiver. To prevent active attacks one needs in addition a message authentication code (MAC). It is remarkable how many applications fail to observe this simple fact (see for example the GSM protocol, Chap. 8, or WEP, Sect. 9.2.1).

To prevent active attacks and to transmit data over a noisy channel one should use Algorithm 1.1. The important part is that the error-correcting code must be applied last (see the lesson from the Enigma in Sect. 1.4). Note also that the integrity check has to be a keyed MAC: an unkeyed hash of the message does not help, because an attacker who knows or guesses the plaintext can flip ciphertext bits and recompute the hash for the modified message himself.

Algorithm 1.1 Transmitting data over a noisy channel using a synchronous stream cipher
1. Encrypt the message m using the synchronous stream cipher; call the result c.
2. Compute a message authentication code t over c under a separate authentication key and append t to c.
3. Apply an error-correcting code to c‖t and transmit the result.
The receiver undoes the steps in reverse order: decode the error-correcting code, verify t, and only then decrypt c.
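To make the bit-flipping attack and Algorithm 1.1 concrete, here is an added example in Python (my own code, not from the book). The synchronous generator is a counter hashed together with the key, i.e. f(x) = x + 1 and g(x) = SHA-256(k‖x), so the construction is a binary additive stream cipher in the sense above (the same idea as a block cipher in counter mode); the combiner h is XOR, the integrity check is HMAC-SHA256 under a separate key (an unkeyed hash could be recomputed by an attacker who knows the plaintext), and the error-correcting code applied last is a toy three-fold repetition code with majority voting. Keys, message and the repetition code are assumptions made for the demonstration.

```python
"""A binary additive stream cipher, ciphertext bit flipping, and Algorithm 1.1
with a keyed MAC applied before the error-correcting code.  Added example."""
import hashlib
import hmac

TAG_LEN = 32  # bytes of HMAC-SHA256 output


def keystream(key, nbytes):
    """Synchronous generator: the state x_i is a counter (f(x) = x + 1) and the
    extractor is g(x) = SHA-256(key || x).  Same key and counter, same stream."""
    out = bytearray()
    x = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + x.to_bytes(8, "big")).digest()
        x += 1
    return bytes(out[:nbytes])


def stream_xor(key, data):
    """c_i = z_i XOR m_i.  The same call decrypts, since XOR is an involution."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def flip_bits(data, offset, mask):
    """Active attacker (or channel noise): XOR one byte of the transmitted data."""
    data = bytearray(data)
    data[offset] ^= mask
    return bytes(data)


def repetition_encode(data):
    """Toy error-correcting code: every byte is sent three times."""
    return b"".join(bytes([b, b, b]) for b in data)


def repetition_decode(data):
    """Bitwise majority vote over the three copies repairs any single corrupted copy."""
    out = bytearray()
    for i in range(0, len(data), 3):
        a, b, c = data[i:i + 3]
        out.append((a & b) | (a & c) | (b & c))
    return bytes(out)


def protect(enc_key, mac_key, message):
    """Algorithm 1.1: encrypt, then MAC the ciphertext, then apply the code last."""
    ct = stream_xor(enc_key, message)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return repetition_encode(ct + tag)


def unprotect(enc_key, mac_key, received):
    """Receiver: decode the channel code, verify the MAC, only then decrypt.
    Returns None when the tag does not verify."""
    decoded = repetition_decode(received)
    ct, tag = decoded[:-TAG_LEN], decoded[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(enc_key, ct)


if __name__ == "__main__":
    enc_key, mac_key = b"encryption key", b"separate mac key"  # assumed demo keys
    msg = b"PAY 100 EUR TO BOB"
    ct = stream_xor(enc_key, msg)
    # Without a MAC, XORing 0x08 into byte 4 turns '1' (0x31) into '9' (0x39).
    print(stream_xor(enc_key, flip_bits(ct, 4, 0x08)))
    packet = protect(enc_key, mac_key, msg)
    # One corrupted copy is repaired by the code and the MAC still verifies.
    print(unprotect(enc_key, mac_key, flip_bits(packet, 12, 0x01)))
    # Flipping the same bit in all three copies is an edit, and the MAC rejects it.
    attacked = packet
    for j in (12, 13, 14):
        attacked = flip_bits(attacked, j, 0x08)
    print(unprotect(enc_key, mac_key, attacked))
```

Flipping one bit of one transmitted copy is repaired by the code and accepted; flipping the same bit in all three copies survives decoding and is rejected by the MAC; without the MAC the same edit silently changes the amount in the message.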

A self-synchronizing stream cipher generates the key stream as a function of the key and a fixed number of preceding ciphertext digits (or, what is equivalent, a fixed number of preceding plaintext digits).


    Fig. 1.5 A self-synchronizing stream cipher

The encryption has the form

    x_i = (c_{i-1}, ..., c_{i-t}),
    z_i = g(x_i, k),
    c_i = h(z_i, m_i),

where the initial state x_0 = (c_{-1}, ..., c_{-t}) may depend on the key (see Fig. 1.5). The CFB mode of block ciphers is an example of a self-synchronizing cipher. Self-synchronizing stream ciphers have some advantages over synchronous stream ciphers.

• A deletion or insertion of a bit in the ciphertext will cause only a finite number of plaintext bits to change, i.e. the cipher re-establishes proper decryption automatically after a loss of synchronization (the self-synchronizing property). After t correctly received ciphertext digits the state is correct again.

• If an attacker flips some bits in the ciphertext, the errors propagate and several other bits in the plaintext will flip. Most likely this results in a nonsense text, i.e. we notice the active attack. So, in contrast to synchronous stream ciphers, a modification of the ciphertext is at least visible without an extra integrity check. This is no substitute for a MAC, however: detecting the attack relies on the plaintext having enough redundancy to make the garbled digits conspicuous, and only a bounded number of digits after the modification are affected.

• Since every bit of the plaintext influences all subsequent bits of the ciphertext, the statistical properties of the plaintext are dispersed through the ciphertext. Hence self-synchronizing stream ciphers may be more resistant against attacks based on redundancy in the plaintext. The reader can try an experiment and attempt to break a Vigenère cipher and an auto key cipher (see Exercises 17.3 and 17.4). Most people find the first task easier.

However, self-synchronizing stream ciphers also have disadvantages. The separation of key stream generation and encryption in synchronous stream ciphers makes the implementation easier. It also makes the analysis of the cipher easier and helps in security proofs. So self-synchronizing stream ciphers may be more secure, but there is always a risk of large undetected security holes, since we understand them less. Most modern stream ciphers are synchronous stream ciphers.
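Both properties listed above can be observed directly on a small byte-oriented self-synchronizing cipher. This added example (my own Python, not code from the book) keeps t = 4 ciphertext bytes as the state and takes the first byte of SHA-256(k‖c_{i-1}…c_{i-t}) as the extractor g; the key, the all-zero initial register and the message are assumptions made for the demonstration.

```python
"""A byte-oriented self-synchronizing stream cipher: the key stream depends on the key
and on the last T ciphertext bytes.  Added example, not code from the book."""
import hashlib

T = 4  # width of the ciphertext shift register, i.e. x_i = (c_{i-1}, ..., c_{i-T})


def extract(key, register):
    """g(x_i, k): one key stream byte from the key and the last T ciphertext bytes."""
    return hashlib.sha256(key + bytes(register)).digest()[0]


def ss_encrypt(key, message, iv):
    """c_i = m_i XOR g(x_i, k); the register x_0 = iv must be known to both sides."""
    register = bytearray(iv)
    ct = bytearray()
    for m in message:
        c = m ^ extract(key, register)
        ct.append(c)
        register = register[1:] + bytes([c])  # shift in the ciphertext byte just produced
    return bytes(ct)


def ss_decrypt(key, ciphertext, iv):
    """The receiver rebuilds the register from the ciphertext it has seen, nothing else."""
    register = bytearray(iv)
    pt = bytearray()
    for c in ciphertext:
        pt.append(c ^ extract(key, register))
        register = register[1:] + bytes([c])
    return bytes(pt)


def decrypt_after_deletion(key, ciphertext, iv, lost_index):
    """Drop one ciphertext byte in transit and decrypt what remains."""
    damaged = ciphertext[:lost_index] + ciphertext[lost_index + 1:]
    return ss_decrypt(key, damaged, iv)


if __name__ == "__main__":
    key, iv = b"demo key", bytes(T)  # assumed demo key and all-zero initial register
    msg = b"The quick brown fox jumps over the lazy dog"
    ct = ss_encrypt(key, msg, iv)
    # Deleting ct[10]: output positions 10 .. 10+T-1 are garbled, then the receiver
    # is back in step and reads the plaintext from m[11+T] on.
    print(decrypt_after_deletion(key, ct, iv, 10))
    # Flipping one bit of ct[5] flips that bit of m[5] and garbles the next T bytes;
    # with readable plaintext the tampering is visible, but this is no MAC.
    tampered = bytearray(ct)
    tampered[5] ^= 0x01
    print(ss_decrypt(key, bytes(tampered), iv))
```

After a deleted ciphertext byte the receiver produces t garbled bytes and is then synchronized again; after a flipped bit, the corresponding plaintext bit flips and the following t bytes are garbled, which is what makes the tampering conspicuous when the plaintext is text.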


    1.3 History II: The Golden Age of Stream Ciphers

At the beginning of the 20th century cryptography took the step from simple cryptosystems which can be applied manually to complex systems which need machines to implement them. Since this time, the question of whether a given cipher fits on the available hardware has always been important for the success of the cipher.

The challenge was to implement the new cryptosystems on, for example, mechanical typewriters and telegraphs. People first began to experiment with electric typewriters where the keys were connected to the output in some random fashion (Hebern 1915). However, such ciphers are only monoalphabetic. The next step was to put the wires on a rotor that changes its position after each letter. Hebern advertised such a cipher in 1921 as unbreakable, but it was still very weak. Combining several rotors of different speed finally gave a satisfactory system.

In the 1920s rotor machines were independently invented several times in different countries (Hugo Alexander Koch, Netherlands; Arvid Gerhard Damm, Sweden; Arthur Scherbius, Germany) and quickly became a standard for cryptography. The fact that rotor machines work so well with telegraphy and typewriters, together with the high level of security that can be achieved by these machines, left almost no room for other types of cryptosystem.

The most famous rotor machine of all time is the German Enigma machine invented by the engineer Arthur Scherbius, who founded his Chiffriermaschinen Aktiengesellschaft in 1923. Despite all advertisements, the Enigma was not a commercial success at first. This changed in 1934 when Hitler started to rearm Germany and the Wehrmacht decided that the Enigma should become the new cryptography machine for the German army.

The main difference between the Enigma and other rotor machines of that time is that it reflects the signal at the end and sends it through the rotors a second time. This effectively doubles the number of rotors, but has the consequence that the cipher becomes involutionary, i.e. if X is sent to A then A must be sent to X. Being involutionary need not generally be regarded as a disadvantage for a cipher. The fact that decrypting and encrypting can be done by the same machine can be considered as positive. In fact many modern ciphers (including all binary additive stream ciphers) have this property. However, in the case of the Enigma the reflector also guarantees that no letter is ever encrypted to itself, and this was a serious flaw which, together with other flaws, made it possible for the Allies in the second world war to break the cipher. The cryptographic success of the Allies had a significant impact on the course of the war.

    1.4 Lessons from the Enigma

The Enigma had several flaws that could be used in cryptanalysis, but the operators also made several protocol errors. One interesting aspect is the following (see also [16]).


For each message the operator selects a message key consisting of three letters. Then the message key is repeated and these six letters are encrypted with the current day's key and transmitted to the other station. The repetition should help to detect transmission errors. This protocol violates the advice given in Algorithm 1.1 that the error-detecting code should always be applied last, and in this case the mistake led to the following attack developed by Polish cryptographers under Rejewski.

The technique of sending the signal through the rotors twice ensures that the Enigma applies to the plaintext a permutation of the 26 letters of the alphabet consisting of 13 disjoint cycles of length 2. This is itself already a weakness, since it is impossible to map a letter to itself. Thus the ciphertext leaks information about the plaintext, but we will not discuss this weakness.

Call a permutation of the 26 letters of the alphabet that consists of 13 disjoint cycles of length 2 an Enigma permutation. The attack is based on the following lemma.

Lemma 1.1 Let σ and τ be two Enigma permutations. Then for every l ∈ N the permutation στ contains an even number of cycles of length l. If (a b) is a transposition in σ or τ, then a and b lie in different cycles of στ of the same length.

Proof The Enigma permutations σ and τ partition the set of letters into parts of the form {p_1, ..., p_{2k}} where σ contains the transpositions (p_1 p_2), (p_3 p_4), ..., (p_{2k-1} p_{2k}) while τ contains the transpositions (p_{2k} p_1), (p_2 p_3), ..., (p_{2k-2} p_{2k-1}). (Every letter lies in exactly one transposition of σ and one of τ, so following σ- and τ-transpositions alternately from any letter traces out such a part and returns to the start.) On the set {p_1, ..., p_{2k}} we find that στ is (p_1 p_3 ... p_{2k-1})(p_2 p_4 ... p_{2k}). Thus cycles of length l come in pairs. Furthermore a transposition (p_i p_{i+1}) of σ or τ has one letter in each cycle.

Let's assume that the following 6-letter groups are encrypted session keys from one day.

HKI CED  HTN CYA  HGI CCD  DPN BUA  WDB XAU
SHZ SHV  QGU QCN  UQT DBG  DEF BGH  EJN GOA
ZFN WLA  RDC OAY  GPR IUO  MSO EDR  YWW MWT
KNA LQM  SGK SCE  VFY ULC  BAM NZL  BAJ NZI
NIT PFG  JMH VTB  XPH AUB  TTT JYG  KWS LWW
ERV GXX  JTT VYG  PNJ TQI  ILM KNL  DSP BDJ
AIF ZFH  EAY GZC  ZAM WZL  ZFP WLJ  IOS KPW
UBC DRY  CZK RSE  LWM FWL  BFO NLR  VNV UQX
TWM JWL  JPF VUH  LST FDG  KST LDG  VNV UQX
JPF VUH  PND TQS  YNJ MQI  GYJ IJI  PSB TDU

What can we derive from this observation? Denote by σ_1, ..., σ_6 the six unknown permutations the Enigma performs at the six positions with the day's key. Let us try to reconstruct σ_1σ_4. In the collection of the 50 session keys 24 different letters occur in the first position. We know from the observed message AIF ZFH that σ_1σ_4 maps A to Z, and so on.

Only the images of F and O are missing, but Lemma 1.1 gives us enough extra information to fill the gap. The observations already give the closed cycles (AZWX), (BNPTJVUD), (Q) and (S) and the two open chains H → C → R → O and Y → M → E → G → I → K → L → F. By the lemma the 4-cycle and the 8-cycle need partners of the same length, so O must map to H and F to Y. One obtains

    σ_1σ_4 = (AZWX)(CROH)(BNPTJVUD)(EGIKLFYM)(Q)(S).


This is a lot of information. We certainly know that σ_1 and σ_4 interchange Q and S, so we have already determined some part of the session keys. For the other parts our uncertainty has decreased dramatically. For example, we know that if we see an A in the first position the session key must start with either C, R, O or H, because by the lemma the letter paired with A in σ_1 lies in the other 4-cycle of σ_1σ_4.

In addition the knowledge of σ_1σ_4 can help to determine the wiring of the first rotor of the Enigma. (This was important before the Allies were able to capture an Enigma machine.) Operating mistakes such as choosing weak message keys like AAA help the cryptanalyst further. This short sketch is of course not a full cryptanalysis of the Enigma, but it shows how the Polish cryptanalysts and later the British team at Bletchley Park could attack the Enigma. It also shows that choosing the wrong order of encryption and error-detecting code is a serious mistake that helps the attacker. More about the cryptanalysis of the Enigma can be found in [220, 268].
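The reconstruction of σ_1σ_4 above can be carried out mechanically. The following added example (my own code, not the book's) reads the 50 observed groups, collects the first-to-fourth letter mapping, lists the open chains where an image is missing, and closes them in every possible way, keeping only the completions allowed by Lemma 1.1 (every cycle length occurs an even number of times). The same function applied to positions (2, 5) and (3, 6) gives σ_2σ_5 and σ_3σ_6; there a letter that was never observed at either position is treated as a chain of length one, so that it can be inserted wherever the lemma allows.

```python
"""Rejewski's attack on the doubled Enigma message key: reconstruct sigma_1 sigma_4
from the observed groups and complete it with Lemma 1.1.  Added example, not from the book."""
import string
from itertools import permutations

ALPHABET = string.ascii_uppercase

# The 50 encrypted six-letter groups listed in the text, as "first half second half".
OBSERVED = """
HKI CED HTN CYA HGI CCD DPN BUA WDB XAU
SHZ SHV QGU QCN UQT DBG DEF BGH EJN GOA
ZFN WLA RDC OAY GPR IUO MSO EDR YWW MWT
KNA LQM SGK SCE VFY ULC BAM NZL BAJ NZI
NIT PFG JMH VTB XPH AUB TTT JYG KWS LWW
ERV GXX JTT VYG PNJ TQI ILM KNL DSP BDJ
AIF ZFH EAY GZC ZAM WZL ZFP WLJ IOS KPW
UBC DRY CZK RSE LWM FWL BFO NLR VNV UQX
TWM JWL JPF VUH LST FDG KST LDG VNV UQX
JPF VUH PND TQS YNJ MQI GYJ IJI PSB TDU
""".split()
GROUPS = [a + b for a, b in zip(OBSERVED[0::2], OBSERVED[1::2])]


def partial_map(groups, i, j):
    """Letter at position i -> letter at position j over all groups, i.e. the product
    sigma_i sigma_j as far as the observations determine it.  Groups that disagree, or
    two letters with the same image, cannot all stem from the same day key."""
    m = {}
    for g in groups:
        if m.setdefault(g[i], g[j]) != g[j]:
            raise ValueError("inconsistent observation " + g)
    if len(set(m.values())) != len(m):
        raise ValueError("observed map is not injective")
    return m


def cycles(perm):
    """Cycle decomposition of a complete permutation; each cycle starts at its smallest letter."""
    seen, out = set(), []
    for start in sorted(perm):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = perm[x]
        out.append("".join(cyc))
    return out


def open_chains(m):
    """Maximal paths a -> b -> ... -> z of the partial map whose start has no preimage
    and whose end has no image, plus letters that were never observed at all."""
    targets = set(m.values())
    chains = []
    for start in sorted(m):
        if start in targets:
            continue  # interior of a chain, or part of a closed cycle
        chain, x = [start], m[start]
        while x in m:
            chain.append(x)
            x = m[x]
        chain.append(x)
        chains.append(chain)
    chains.extend([a] for a in ALPHABET if a not in m and a not in targets)
    return chains


def complete_with_lemma(m):
    """Close the open chains into cycles in every possible way and keep the completions
    in which every cycle length occurs an even number of times (Lemma 1.1)."""
    chains = open_chains(m)
    results = []
    for order in permutations(range(len(chains))):
        full = dict(m)
        for i, j in enumerate(order):
            full[chains[i][-1]] = chains[j][0]  # end of chain i feeds the start of chain j
        cyc = cycles(full)
        lengths = [len(c) for c in cyc]
        if all(lengths.count(n) % 2 == 0 for n in set(lengths)):
            results.append(cyc)
    return results


if __name__ == "__main__":
    for i, j in ((0, 3), (1, 4), (2, 5)):
        m = partial_map(GROUPS, i, j)
        print("sigma_%d sigma_%d: %d images observed, open chains %s"
              % (i + 1, j + 1, len(m), ["".join(c) for c in open_chains(m)]))
        for solution in complete_with_lemma(m):
            print("    " + " ".join("(%s)" % c for c in solution))
```

For σ_1σ_4 the two open chains can only be closed on themselves, giving the result stated in the text; joining them into one 12-cycle would leave a single cycle of that length and is excluded by the lemma.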

At the time this attack was of course a military secret, but now the second world war is long over, the enemies have become friends and the military secret has become a textbook exercise. So why do people continue to repeat the errors from the Enigma and implement the same protocol failure in our modern mobile phones (Chap. 8) and computers (Sect. 9.2.1)?

    1.5 History III: Towards Modern Cryptography

In the days of the rotor machines stream ciphers dominated cryptography. There was almost nothing else. Being at the very top is not always a good position: you can only lose. For stream ciphers modern cryptography is the story of a decline. However, it is better to say that modern cryptography is a story of normalization. Block ciphers were underestimated for many centuries.

The change to electronic devices was no problem for stream ciphers. (Linear) feedback shift registers are perfectly suited to the new hardware and give satisfactory results.

The first setback for stream ciphers was the Data Encryption Standard (DES), a block cipher, developed from 1973 onwards and published as a federal standard in 1977. This was the first time that a cryptosystem had become a public standard. Naturally it drew much research interest.

In 1977, with the RSA cryptosystem, the first public-key encryption scheme was published (the concept of asymmetric cryptography itself had been introduced by Diffie and Hellman in 1976). Asymmetric cryptography is today an important part of many protocols.

With the success of modern computers stream ciphers encountered more problems. A processor loads a word (or a block) into its registers, manipulates it and then writes it back. This fits perfectly with the idea of block ciphers, but less well with the idea of a stream cipher. Many modern block ciphers (IDEA, AES, ...) are perfectly adapted to software implementation.

In the 1990s stream ciphers had a renaissance in mobile devices (telephones, wireless LAN, Bluetooth). The first generation of mobile devices had no general purpose processor and energy efficiency had top priority. Stream ciphers were perfect for this job. However, this renaissance was not without troubles.


One point was that often a design criterion for the new ciphers was: do not make it too secure. This was especially true for the ciphers A5/1 and A5/2 used in GSM mobile phones (see Chap. 8), and the first WLAN standard WEP (see Chap. 9) also contains some needless weaknesses. This gave many people the wrong impression that stream ciphers must be insecure.

The second point is that mobile devices rapidly become more powerful. A modern smart phone is just a very small general purpose computer. Together with the more powerful embedded processors, block ciphers become a more and more attractive solution for these devices.

    1.6 When to Use Stream Ciphers?

Block ciphers are better understood than stream ciphers. The main reason is that for block ciphers it is easy to modularize the problem. One can study the operation mode without looking at the underlying cipher, or one can look at a single round of a DES-like cipher and begin to study APN (almost perfect non-linear) functions. For stream ciphers there is almost no such modularity and often the key scheduling and the key stream generation interact in a complicated way. The result is that block ciphers are easier to use.

So if one has no special requirement, my advice is always: use a standard block cipher (AES is perfect), but use it in a stream cipher mode. (The ECB mode is worse, but the CBC mode also loses against most stream cipher modes with respect to information leakage and parallelism. This is especially true if you compare the CBC mode with the modern counter mode CTR, see Exercise 17.1.) Keep in mind that CTR mode is a synchronous stream cipher in the sense of Sect. 1.2: a key/nonce pair must never be used for two messages, since the XOR of the two ciphertexts would then reveal the XOR of the plaintexts, and a MAC is still needed for integrity.

However, there are applications where this is not practicable (otherwise I would not have written this book). In embedded devices the goal is to save gates and energy. A shift register-based stream cipher needs fewer gates by several orders of magnitude than even a simple embedded CPU.

Stream ciphers can reach a higher speed than block ciphers. On a standard computer a factor of 3 is not unusual if one compares a software implementation of AES (without dedicated AES instructions in the processor) with a stream cipher designed for software implementation. If one is willing to use specialized hardware, even more is possible, for example the cipher Trivium (Sect. 10.1) can generate 64 bits per clock cycle. This is far higher than anything which is possible with block ciphers.

At the time of writing, hard disk space is growing faster than CPU speed. This may be an indication that in future we will have a greater need for high speed ciphers. Another area in which stream ciphers may find an important application is RFID devices. Here low energy consumption is important and stream ciphers beat block ciphers in this respect.

    1.7 Outline of the Book

The book is divided into five parts. Part I covers the theory of shift register-based stream ciphers. Shift registers are perfect for specialized hardware and, despite all attempts to design good software stream ciphers, shift register-based stream ciphers are still the most important class of stream cipher.

Chapter 2 is a survey of linear feedback shift registers. It develops the theory of generating functions, describes the famous Berlekamp-Massey algorithm and covers implementation aspects.

Pure linear functions are weak as cryptographic functions. So one must use non-linear combinations of linear feedback shift registers to obtain good stream ciphers. Chapter 3 contains the basic concepts of non-linear combinations of linear feedback shift registers. It gives an overview of different attack classes and introduces basic concepts such as algebraic complexity and correlation immune functions.

With Chap. 4 we begin the cryptanalysis of stream ciphers. The first attack class we study is correlation attacks. These attacks try to use statistical abnormalities to recover a part of the internal state. This attack principle is old, but in recent years many improvements have been made.

Chapter 5 covers a relatively new type of attack. Binary Decision Diagram-based attacks were introduced in 2002 by M. Krause. The idea behind these attacks is remarkably simple. The set of internal states that is consistent with the observed output sequence describes a Boolean function. BDDs are a tool to handle Boolean functions efficiently. The attack successively computes BDDs that describe the internal state with increasing accuracy until it finally yields a unique solution. This is more efficient than exhaustive key search, but requires a lot of memory.

Chapter 6 covers algebraic attacks. The idea of these attacks is to express the stream cipher as a system of non-linear equations. The chapter has a short introduction to the branch of computer algebra which is used to solve such equations (especially Gröbner bases). Examples of algebraic attacks against real world ciphers complete the chapter.

Chapter 7 will introduce stream ciphers with irregular clock control. Irregular clock control is an attractive way to create strong ciphers and some of the simplest examples of stream ciphers with irregular clock control are still unbroken. The drawback is that it is very hard to prove any property of the cipher, which makes undetected weaknesses more likely. Ciphers with irregular clock control are also especially susceptible to side channel attacks. This may be the reason why most real world ciphers have regular clock control.

Part II contains the description and cryptanalysis of some special ciphers.

The ciphers A5/1 and A5/2 which are used in GSM security are presented in Chap. 8. They are shift register-based and we use them as real world examples for the attacks described in the first part.

Chapter 9 is about the cipher RC4. This cipher was optimized for use on 8-bit processors and is not based on shift registers. It is especially famous since it is used in the wireless LAN standard. When used correctly, RC4 was unbroken at the time of writing, but the key scheduling of RC4 is weak and its careless use allows related key attacks. (Since then, biases in the RC4 key stream have been turned into practical plaintext recovery attacks on TLS, and RC4 has been removed from the TLS cipher suites; it should no longer be used in new designs.)

The ECRYPT Stream Cipher Project [85] was run from 2004 to 2008 to identify a portfolio of promising new stream ciphers. Chapter 10 describes some of the ciphers from this project as examples of modern stream cipher design.

Chapter 11 covers some ciphers which are provably as secure as some (hopefully) hard number theoretic problem. These ciphers are very secure, but unfortunately slow in comparison to the other ciphers in this book. They are mostly used as part of a key generation protocol.

I assume that the reader is familiar with basic mathematics (number theory, algebra, combinatorics and statistics), but sometimes I have had to use more exotic concepts. The chapters in Part III collect some background material.

Exercises with solutions can be found in Part IV.

Implementations for most algorithms covered by this book can be found at http://cage.ugent.be/~klein/streamcipher. Chapter 19 gives an overview of the programs. To document the programs I wrote a new literate programming tool. It is freely available and, perhaps after reading this book, the reader may want to use it for their own projects. Chapter 20 contains the user manual for this tool.


    Part I

    Shift Register-Based Stream Ciphers


    Chapter 2

    Linear Feedback Shift Registers

    2.1 Basic Definitions

In a hardware realization of a finite state machine it is attractive to use flip-flops to store the internal state. With $n$ flip-flops we can realize a machine with up to $2^n$ states. The update function is a Boolean function from $\{0,1\}^n$ to $\{0,1\}^n$. We can simplify both the implementation and the description if we restrict ourselves to feedback shift registers.

In a feedback shift register (see Fig. 2.1) we number the flip-flops $F_0, \ldots, F_{n-1}$. In each time step $F_i$ takes the value of $F_{i-1}$ for $i > 0$ and $F_0$ is updated according to the feedback function $f\colon \{0,1\}^n \to \{0,1\}$. We will always assume that the value of $F_{n-1}$ is the output of the shift register.

Feedback shift registers are useful tools in coding theory, in the generation of pseudo-random numbers and in cryptography. In this chapter we will summarize all results on linear feedback shift registers relevant to our study of stream ciphers. For other applications of feedback shift registers I recommend the classical book of Solomon W. Golomb [115].

Mathematically the sequence $(a_i)_{i\in\mathbb{N}}$ generated by a shift register is just a sequence satisfying the $n$-term recursion

$$a_{i+n} = f(a_i, \ldots, a_{i+n-1}). \tag{2.1}$$

This definition is, of course, not restricted to binary sequences and most of our results will hold for shift register sequences defined over any (finite) field or sometimes even for sequences defined over rings.

We will call a shift register linear if the feedback function is linear. Thus:

Definition 2.1 A linear feedback shift register (LFSR) sequence is a sequence $(a_i)_{i\in\mathbb{N}}$ satisfying the recursion

$$a_{i+n} = \sum_{j=0}^{n-1} c_j a_{i+j}. \tag{2.2}$$

A. Klein, Stream Ciphers, DOI 10.1007/978-1-4471-5079-4_2, © Springer-Verlag London 2013


Fig. 2.1 A feedback shift register

Since the next value depends only on the preceding $n$ values, the sequence must become periodic. The state $(a_i, \ldots, a_{i+n-1}) = (0, \ldots, 0)$ leads to the constant sequence $0$, thus the period of an LFSR sequence over $\mathbb{F}_q$ can be at most $q^n - 1$. If in addition $c_0 \neq 0$, we can extend the sequence backwards in time via

$$a_i = c_0^{-1}\Bigl(a_{i+n} - \sum_{j=1}^{n-1} c_j a_{i+j}\Bigr)$$

which proves that it is ultimately periodic.

As we have already seen in the introduction, a necessary condition for the security of a system is that the generated pseudo-random sequence has a large period. Thus the sequences of maximal period are of special interest.

Definition 2.2 An LFSR sequence over $\mathbb{F}_q$ with period $q^n - 1$ is called an m-sequence (maximal sequence).

    2.2 Algebraic Description of LFSR Sequences

In this section we develop an algebraic description of LFSR sequences. We especially want to find a closed formula for an LFSR sequence. One way to reach this goal is to study the companion matrix of the LFSR sequence. We have

$$\begin{pmatrix} a_{k+1} \\ \vdots \\ a_{k+n-1} \\ a_{k+n} \end{pmatrix} = \begin{pmatrix} 0 & 1 & & 0 \\ \vdots & & \ddots & \\ 0 & 0 & & 1 \\ c_0 & c_1 & \cdots & c_{n-1} \end{pmatrix} \begin{pmatrix} a_k \\ \vdots \\ a_{k+n-2} \\ a_{k+n-1} \end{pmatrix} \tag{2.3}$$

and thus

$$\begin{pmatrix} a_k \\ \vdots \\ a_{k+n-2} \\ a_{k+n-1} \end{pmatrix} = \begin{pmatrix} 0 & 1 & & 0 \\ \vdots & & \ddots & \\ 0 & 0 & & 1 \\ c_0 & c_1 & \cdots & c_{n-1} \end{pmatrix}^{k} \begin{pmatrix} a_0 \\ \vdots \\ a_{n-2} \\ a_{n-1} \end{pmatrix}. \tag{2.4}$$

Transforming the companion matrix to Jordan normal form makes it easy to compute the $k$-th power and transforming it back gives a closed formula for the LFSR sequence.

In the next section we will take another approach that is based on generating functions.
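The following is an added example for Definition 2.1 and Eqs. (2.3)/(2.4); it is not part of the book's own program collection. It steps an LFSR over a prime field $\mathbb{F}_p$ directly from the recursion (2.2) and, independently, jumps to the state $(a_k, \ldots, a_{k+n-1})$ with the $k$-th power of the companion matrix computed by square-and-multiply. The instance $z^4 + z + 1$ over $\mathbb{F}_2$ (feedback coefficients $c_0 = c_1 = 1$) and the $\mathbb{F}_3$ instance $z^2 + 1$ are assumed examples chosen for illustration.

```python
"""Stepping an LFSR (Definition 2.1) against the companion-matrix formula (2.4).

Example added for this section; it is not part of the book's program collection.
The LFSR is given by its feedback coefficients c_0, ..., c_{n-1} from Eq. (2.2),
    a_{i+n} = c_0 a_i + c_1 a_{i+1} + ... + c_{n-1} a_{i+n-1}   (mod p),
over the prime field F_p.  The instance used below, z^4 + z + 1 over F_2, is an
assumed example (it is primitive, so its m-sequence has period 2^4 - 1 = 15).
"""


def lfsr_output(coeffs, state, length, p=2):
    """Return a_0, ..., a_{length-1} by stepping the recursion (2.2)."""
    n = len(coeffs)
    seq = list(state)
    while len(seq) < length:
        seq.append(sum(c * a for c, a in zip(coeffs, seq[-n:])) % p)
    return seq[:length]


def companion_matrix(coeffs, p=2):
    """The n x n matrix of Eq. (2.3): ones on the superdiagonal, last row c_0..c_{n-1}."""
    n = len(coeffs)
    M = [[0] * n for _ in range(n)]
    for i in range(n - 1):
        M[i][i + 1] = 1          # a_{k+i+1} moves into position i
    M[n - 1] = [c % p for c in coeffs]
    return M


def mat_mul(A, B, p):
    """Matrix product over F_p."""
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def mat_pow(M, k, p):
    """M^k by square-and-multiply: O(log k) matrix products instead of k steps."""
    n = len(M)
    R = [[int(i == j) for j in range(n)] for i in range(n)]
    while k:
        if k & 1:
            R = mat_mul(R, M, p)
        M = mat_mul(M, M, p)
        k >>= 1
    return R


def state_at(coeffs, state, k, p=2):
    """(a_k, ..., a_{k+n-1}) = M^k (a_0, ..., a_{n-1}) as in Eq. (2.4)."""
    Mk = mat_pow(companion_matrix(coeffs, p), k, p)
    return [sum(m * s for m, s in zip(row, state)) % p for row in Mk]


if __name__ == "__main__":
    coeffs, state = [1, 1, 0, 0], [1, 0, 0, 0]      # z^4 + z + 1, assumed example
    print("m-sequence:", lfsr_output(coeffs, state, 15))
    print("state after 1000 steps via M^1000:", state_at(coeffs, state, 1000))
    print("state after 1000 steps via stepping:", lfsr_output(coeffs, state, 1004)[1000:])
```

Both routes must agree for every $k$; the matrix route is what makes "jump ahead by $k$ positions" cheap, which is convenient when verifying period claims for registers too long to step exhaustively.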


    2.2.1 Generating Functions

This section contains the part of the theory of generating functions that we need, but for those who want to learn more about generating functions, I recommend [119].

Definition 2.3 The generating function $A(z)$ associated to a sequence $(a_i)_{i\in\mathbb{N}}$ is the formal power series $A(z) = \sum_{i=0}^{\infty} a_i z^i$.

    A generating function is useful because it describes an entire sequence with asingle algebraic object.

By the recursion (2.2) we find:

$$A(z) - \sum_{j=0}^{n-1} c_j A(z) z^{n-j} = g(z), \qquad\text{i.e.}\qquad A(z)\Bigl(1 - \sum_{j=0}^{n-1} c_j z^{n-j}\Bigr) = g(z) \tag{2.5}$$

for some polynomial $g(z)$ of degree at most $n - 1$. The polynomial $1 - \sum_{j=0}^{n-1} c_j z^{n-j}$ is important enough to deserve a name.

Definition 2.4 For an LFSR sequence with recursion formula (2.2) we call

$$f(z) = z^n - \sum_{j=0}^{n-1} c_j z^j \tag{2.6}$$

the feedback polynomial of the LFSR. The reciprocal polynomial$^1$ is denoted by

$$f^*(z) = z^n f\Bigl(\frac{1}{z}\Bigr) = 1 - \sum_{j=0}^{n-1} c_j z^{n-j}. \tag{2.7}$$

From Eq. (2.5) we derive a closed formula for the generating function of an LFSR sequence:

$$A(z) = \frac{g(z)}{f^*(z)}. \tag{2.8}$$

For the derivation of the closed form of $a_i$ it is useful to begin with the case where the feedback polynomial $f(z)$ has no multiple roots.

$^1$ $f^*(z)$ is sometimes called the feedback polynomial. As the literature has not adopted a unique notation, it is important to check which notation is being used.
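As an added example for Eqs. (2.5) to (2.8) (not code from the book or its program collection), the block below works over $\mathbb{F}_2$ with binary polynomials stored as integers whose bit $j$ is the coefficient of $z^j$. It builds $f(z)$ and $f^*(z)$ from the feedback coefficients, recovers the numerator $g(z)$ from the initial state by multiplying the series $A(z)$ with $f^*(z)$, and then expands $g(z)/f^*(z)$ back into the sequence by power-series division. The feedback polynomial $z^4 + z + 1$ ($c_0 = c_1 = 1$) is an assumed example.

```python
"""Generating function A(z) = g(z) / f^*(z) of an LFSR sequence, Eqs. (2.5)-(2.8),
over F_2.  Example added for this section, not the book's own code.  Binary
polynomials are ints whose bit j is the coefficient of z^j; the instance
z^4 + z + 1 with coefficients c_0 = c_1 = 1 is an assumed example."""


def lfsr_output(coeffs, state, length):
    """a_0, ..., a_{length-1} from the recursion (2.2) over F_2."""
    n = len(coeffs)
    seq = list(state)
    while len(seq) < length:
        seq.append(sum(c * a for c, a in zip(coeffs, seq[-n:])) % 2)
    return seq[:length]


def feedback_polynomial(coeffs):
    """f(z) = z^n - sum_j c_j z^j of Eq. (2.6); signs do not matter over F_2."""
    n = len(coeffs)
    return (1 << n) | sum(c << j for j, c in enumerate(coeffs))


def reciprocal(f, n):
    """f^*(z) = z^n f(1/z) of Eq. (2.7): reverse the n+1 coefficient bits."""
    return int(format(f, "0%db" % (n + 1))[::-1], 2)


def numerator_g(coeffs, state):
    """g(z) of Eq. (2.5): multiply the series A(z) by f^*(z).  Every coefficient
    from degree n upward cancels because of the recursion, so only a polynomial
    of degree < n is left."""
    n = len(coeffs)
    fstar = reciprocal(feedback_polynomial(coeffs), n)
    a = lfsr_output(coeffs, state, 2 * n)
    prod = 0
    for i, ai in enumerate(a):
        if ai:
            prod ^= fstar << i
    # coefficients of z^n ... z^{2n-1} of A(z) f^*(z) must vanish (this is (2.5))
    assert (prod >> n) & ((1 << n) - 1) == 0
    return prod & ((1 << n) - 1)


def series_from_rational(g, fstar, length):
    """Expand g(z)/f^*(z) as a power series.  Since f^*(0) = 1 the division is
    possible and gives a_i = g_i + sum_{j>=1} fstar_j a_{i-j}  (mod 2)."""
    deg = fstar.bit_length() - 1
    a = []
    for i in range(length):
        ai = (g >> i) & 1
        for j in range(1, deg + 1):
            if (fstar >> j) & 1 and i - j >= 0:
                ai ^= a[i - j]
        a.append(ai)
    return a


if __name__ == "__main__":
    coeffs, state = [1, 1, 0, 0], [1, 0, 0, 0]          # z^4 + z + 1, assumed example
    f = feedback_polynomial(coeffs)
    fstar = reciprocal(f, len(coeffs))
    g = numerator_g(coeffs, state)
    print("f  =", bin(f), " f* =", bin(fstar), " g =", bin(g))
    print("g/f* =", series_from_rational(g, fstar, 15))
```

The assertion inside `numerator_g` is exactly the content of (2.5): multiplying the infinite series by $f^*(z)$ kills every term of degree $\ge n$, so $A(z)$ is determined by the $n$ coefficients of $g(z)$, i.e. by the initial state.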


    2.2.2 Feedback Polynomials Without Multiple Roots

Let $f(z)$ be a feedback polynomial without multiple roots and let $\alpha_1, \ldots, \alpha_n$ be the different zeros of $f(z)$. Then $f^*(z) = \prod_{j=1}^{n} (1 - z\alpha_j)$ and thus we get the partial fraction decomposition

$$A(z) = \frac{g(z)}{f^*(z)} = \sum_{j=1}^{n} \frac{b_j}{1 - z\alpha_j}. \tag{2.9}$$

All we need to obtain a closed formula from the partial fraction decomposition is the geometric sum

$$\sum_{i=0}^{\infty} z^i = \frac{1}{1 - z}$$

and thus

$$A(z) = \sum_{j=1}^{n} \frac{b_j}{1 - z\alpha_j} = \sum_{j=1}^{n} b_j \sum_{i=0}^{\infty} (\alpha_j z)^i = \sum_{i=0}^{\infty} \Bigl(\sum_{j=1}^{n} b_j \alpha_j^i\Bigr) z^i. \tag{2.10}$$

This gives us the closed formula

$$a_i = \sum_{j=1}^{n} b_j \alpha_j^i \tag{2.11}$$

for the LFSR sequence.

Formula (2.11) holds if the feedback polynomial has no multiple roots. For separable irreducible feedback polynomials we can transform (2.11) to the following theorem. Note that over finite fields and fields with characteristic 0 every polynomial is separable. We will not deal with other fields in this book.

Theorem 2.1 Let $(a_i)_{i\in\mathbb{N}}$ be an LFSR sequence over $\mathbb{F}_q$ and let $\alpha$ be a zero of the irreducible feedback polynomial. Then

$$a_i = \mathrm{Tr}_{\mathbb{F}_{q^n}/\mathbb{F}_q}\bigl(\beta\alpha^i\bigr) \tag{2.12}$$

for some $\beta \in \mathbb{F}_{q^n}$.


Proof We have already proved that the sequence $(a_i)_{i\in\mathbb{N}}$ has a unique closed form (2.11). Since the feedback polynomial is irreducible, its zeros have the form $\sigma(\alpha)$ where $\sigma$ is an automorphism of $\mathbb{F}_{q^n}/\mathbb{F}_q$. But $\sigma(a_i) = a_i$ for all $i$. Thus Equation (2.11) is invariant under $\sigma$. Therefore the coefficients $b_j$ are conjugated, i.e.

$$a_i = \sum_{\sigma \in \mathrm{Aut}(\mathbb{F}_{q^n}/\mathbb{F}_q)} \sigma\bigl(\beta\alpha^i\bigr) = \mathrm{Tr}_{\mathbb{F}_{q^n}/\mathbb{F}_q}\bigl(\beta\alpha^i\bigr).$$

Corollary 2.1 Under the conditions of Theorem 2.1 the period of the sequence is the multiplicative order $o(\alpha)$ of $\alpha$.

As already mentioned in the previous section, the period $q^n - 1$ is of special interest. Thus the following feedback polynomials are special.

Definition 2.5 An irreducible polynomial of degree $n$ over $\mathbb{F}_q$ is primitive if the order of its zeros is $q^n - 1$.
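The trace representation of Theorem 2.1, Corollary 2.1 and Definition 2.5 can be checked by hand in a small field. The block below is an added example (not code from the book): it implements $\mathbb{F}_{16} = \mathbb{F}_2[z]/(z^4 + z + 1)$ with field elements stored as 4-bit integers, takes $\alpha = z$ as a zero of the assumed feedback polynomial $z^4 + z + 1$, evaluates $\mathrm{Tr}_{\mathbb{F}_{16}/\mathbb{F}_2}(\beta\alpha^i)$, and finds the $\beta$ of Eq. (2.12) for a given initial state by searching the 16 field elements. It also confirms that $\alpha$ has order $15 = 2^4 - 1$, i.e. that the polynomial is primitive in the sense of Definition 2.5.

```python
"""Trace representation a_i = Tr(beta * alpha^i) of Theorem 2.1 over F_{2^n}.

Example added for this section; it is not from the book's program collection.
Assumed instance: the irreducible (in fact primitive) feedback polynomial
z^4 + z + 1 over F_2, so alpha = z is one of its zeros in F_16 = F_2[z]/(z^4+z+1).
Field elements are ints whose bit j is the coefficient of z^j."""

MOD = 0b10011        # z^4 + z + 1, the assumed feedback polynomial
N = 4                # extension degree n
ALPHA = 0b10         # the class of z, a zero of the feedback polynomial
COEFFS = [1, 1, 0, 0]  # c_0..c_3 of z^4 + z + 1:  a_{i+4} = a_i + a_{i+1}


def gf_mul(a, b, mod=MOD, n=N):
    """Multiply two elements of F_{2^n} (carry-less product reduced modulo mod)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:           # degree n reached: reduce by the modulus
            a ^= mod
    return r


def gf_pow(a, e):
    """a^e in F_{2^n} by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def trace(x):
    """Tr_{F_{2^n}/F_2}(x) = x + x^2 + x^4 + ... + x^{2^{n-1}}; the result is 0 or 1."""
    t, y = 0, x
    for _ in range(N):
        t ^= y
        y = gf_mul(y, y)
    assert t in (0, 1), "the trace must lie in the prime field"
    return t


def trace_sequence(beta, length):
    """The sequence (Tr(beta * alpha^i))_{i < length} of Eq. (2.12)."""
    return [trace(gf_mul(beta, gf_pow(ALPHA, i))) for i in range(length)]


def lfsr_output(coeffs, state, length):
    """Reference: the same sequence by stepping the recursion (2.2)."""
    n = len(coeffs)
    seq = list(state)
    while len(seq) < length:
        seq.append(sum(c * a for c, a in zip(coeffs, seq[-n:])) % 2)
    return seq[:length]


def find_beta(state):
    """The beta of Eq. (2.12) for an initial state.  beta -> (Tr(beta alpha^i))_{i<n}
    is a bijection F_{2^n} -> F_2^n, so the n initial terms pin beta down uniquely."""
    for beta in range(1 << N):
        if trace_sequence(beta, N) == list(state):
            return beta
    return None


def order_of_alpha():
    """Multiplicative order of alpha (Corollary 2.1: the period of the sequence)."""
    return next(k for k in range(1, 1 << N) if gf_pow(ALPHA, k) == 1)


if __name__ == "__main__":
    state = [1, 0, 0, 0]
    beta = find_beta(state)
    print("beta =", bin(beta), " order(alpha) =", order_of_alpha())
    print(trace_sequence(beta, 15))
    print(lfsr_output(COEFFS, state, 15))
```

Because the map $\beta \mapsto (\mathrm{Tr}(\beta\alpha^i))_{i<n}$ is linear and injective, the search in `find_beta` always succeeds, and the trace sequence then agrees with the stepped LFSR for all later terms since both satisfy the same recursion.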

    2.2.3 Feedback Polynomials with Multiple Roots

Now we want to determine all possible periods of LFSR sequences.

First we consider the easy case where the feedback polynomial is reducible, but has no multiple roots. In this case we can factor the feedback polynomial $f$ and write the generating function (see Eq. (2.8)) of $(a_i)_{i\in\mathbb{N}}$ as

$$A(z) = \frac{g(z)}{f^*(z)} = \sum_{j=1}^{k} \frac{g_j(z)}{f_j^*(z)}$$

where the polynomials $f_j$ are the different irreducible factors of the feedback polynomial $f$.

Thus the sequence $(a_i)_{i\in\mathbb{N}}$ can be represented as a sum of $k$ LFSR sequences $(a_i^{(j)})_{i\in\mathbb{N}}$ with irreducible feedback polynomial. By Corollary 2.1 the period of $(a_i^{(j)})_{i\in\mathbb{N}}$ divides $q^{n_j} - 1$ where $n_j = \deg f_j$, and hence the sequence $(a_i)_{i\in\mathbb{N}} = \sum_{j=1}^{k} (a_i^{(j)})_{i\in\mathbb{N}}$ has period

$$p = \mathrm{lcm}(\pi_1, \ldots, \pi_k)$$

where $\pi_j$ is the period of $(a_i^{(j)})_{i\in\mathbb{N}}$.

To analyze the case of multiple roots we need an additional tool. In this case the partial fraction decomposition of the generating function yields:

$$A(z) = \frac{g(z)}{f^*(z)} = \sum_{j=1}^{n_1} \frac{b_{j,1}}{1 - z\alpha_j} + \sum_{j=1}^{n_2} \frac{b_{j,2}}{(1 - z\alpha_j)^2} + \cdots + \sum_{j=1}^{n_r} \frac{b_{j,r}}{(1 - z\alpha_j)^r}$$


with $n_1 \ge n_2 \ge \cdots \ge n_r \ge n_{r+1} = 0$, where $\alpha_{n_{k+1}+1}, \ldots, \alpha_{n_k}$ are roots of $f$ of multiplicity $k$. So to get a closed formula we need in addition the power series of $\frac{1}{(1-z)^k}$. We can find the power series either by computing the $(k-1)$th derivative of

$$\frac{1}{1 - z} = \sum_{i=0}^{\infty} z^i$$

or we use the binomial theorem

$$(1 + x)^r = \sum_{i=0}^{\infty} \binom{r}{i} x^i.$$

For a negative integer we get

$$\frac{1}{(1 - z)^k} = \sum_{i=0}^{\infty} \binom{-k}{i} (-1)^i z^i = \sum_{i=0}^{\infty} \binom{k + i - 1}{i} z^i = \sum_{i=0}^{\infty} \binom{k + i - 1}{k - 1} z^i.$$

This leads to the closed formula

$$\begin{aligned} a_i &= \sum_{j=1}^{n_1} b_{j,1}\,\alpha_j^i + \sum_{j=1}^{n_2} b_{j,2} \binom{i+1}{1} \alpha_j^i + \cdots + \sum_{j=1}^{n_k} b_{j,k} \binom{i+k-1}{k-1} \alpha_j^i \\ &= \sum_{j=1}^{n_1} b_{j,1}\,\alpha_j^i + \sum_{j=1}^{n_2} b_{j,2}\, i\, \alpha_j^i + \cdots + \sum_{j=1}^{n_k} b_{j,k}\, i^{k-1} \alpha_j^i \end{aligned} \tag{2.13}$$

where the last transformation uses the fact that $\binom{k-1+i}{k-1}$, $k = 1, \ldots, n$, is a basis for the polynomials of degree less than $k$. Note that the converse is also true. Given a sequence in the form of Eq. (2.13) we can reverse all previous steps and find the linear recurrence satisfied by that sequence.

From Eq. (2.13) we can immediately see the period of the sequence $(a_i)_{i\in\mathbb{N}}$. The power series $(\alpha_j^i)_{i\in\mathbb{N}}$ has a period $\pi_j$ where $\pi_j \mid q^{n_j} - 1$ and $n_j$ is the degree of the minimal polynomial of $\alpha_j$. And since we are working in $\mathbb{F}_q$, the period of a polynomial series $(i^k)_{i\in\mathbb{N}}$ is the characteristic $p$ of $\mathbb{F}_q$. Thus

$$\pi = p \cdot \mathrm{lcm}(\pi_1, \ldots, \pi_k)$$

where $\pi_1, \ldots, \pi_k$ are the different orders of $\alpha_1, \ldots, \alpha_{n_1}$.

We summarize the results of this section in the following theorem.

Theorem 2.2 Let $(a_i)_{i\in\mathbb{N}}$ be an LFSR sequence over $\mathbb{F}_q$, $q = p^e$. Then the period of $(a_i)_{i\in\mathbb{N}}$ is either

$$\pi = \mathrm{lcm}(\pi_1, \ldots, \pi_k) \tag{2.14}$$


where $\pi_j \mid q^{n_j} - 1$ and $\sum_{j=1}^{k} n_j \le n$, or

$$\pi = p \cdot \mathrm{lcm}(\pi_1, \ldots, \pi_k) \tag{2.15}$$

where $\pi_j \mid q^{n_j} - 1$ and $n_1 + \sum_{j=1}^{k} n_j \le n$.

Proof We have already proved that the period must have either the form (2.14) or (2.15). Now we prove the converse, that for each such $\pi$ there is an LFSR sequence with period $\pi$.

Let $\pi$ be of the form (2.14). Choose $\alpha_j \in \mathbb{F}_{q^{n_j}}$ such that $\alpha_j$ has order $\pi_j$. Without loss of generality we may assume that $\mathbb{F}_q(\alpha_j) = \mathbb{F}_{q^{n_j}}$; if not, just replace $n_j$ by a smaller $n_j$. The sequence

$$x_i = \sum_{j=1}^{k} \mathrm{Tr}_{\mathbb{F}_{q^{n_j}}/\mathbb{F}_q}\bigl(\alpha_j^i\bigr)$$

is a linear shift register sequence with reciprocal feedback polynomial

$$f^*(z) = \prod_{j=1}^{k} \prod_{l=0}^{n_j - 1} \bigl(1 - z\alpha_j^{q^l}\bigr).$$

The sequence $(x_i)$ has period $\pi$ since the subsequences $\alpha_j^i$, and hence $\mathrm{Tr}_{\mathbb{F}_{q^{n_j}}/\mathbb{F}_q}(\alpha_j^i)$, have period $\pi_j$ ($1 \le j \le k$).

If $\pi$ is of the form (2.15), we find that the sequence

$$x_i = i \cdot \mathrm{Tr}_{\mathbb{F}_{q^{n_1}}/\mathbb{F}_q}\bigl(\alpha_1^i\bigr) + \sum_{j=2}^{k} \mathrm{Tr}_{\mathbb{F}_{q^{n_j}}/\mathbb{F}_q}\bigl(\alpha_j^i\bigr)$$

is a linear shift register sequence with reciprocal feedback polynomial

$$f^*(z) = \Bigl(\prod_{l=0}^{n_1 - 1} \bigl(1 - z\alpha_1^{q^l}\bigr)\Bigr)^2 \prod_{j=2}^{k} \prod_{l=0}^{n_j - 1} \bigl(1 - z\alpha_j^{q^l}\bigr)$$

and period $\pi = p \cdot \mathrm{lcm}(\pi_1, \ldots, \pi_k)$. The additional factor $p$ is for the period of the polynomial $i$ in $\mathbb{F}_q$.
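Theorem 2.2 can be exercised numerically. The block below is an added example (not the book's program code): it computes the period of an LFSR over $\mathbb{F}_p$ by following the state cycle, and compares the three cases of this section on assumed example polynomials, a primitive one ($z^4 + z + 1$, period $15$), a product of distinct irreducibles ($(z^2+z+1)(z^3+z+1) = z^5 + z^4 + 1$, period $\mathrm{lcm}(3, 7) = 21$ as in (2.14)), a repeated factor ($(z^3+z+1)^2 = z^6 + z^2 + 1$ over $\mathbb{F}_2$, period $2 \cdot 7 = 14$ as in (2.15)), and an irreducible polynomial over $\mathbb{F}_3$ ($z^2 + 1$, whose zeros have order $4$).

```python
"""Periods of LFSR sequences, illustrating the three cases of Sect. 2.2.3 and
Theorem 2.2: an irreducible (primitive) feedback polynomial, a product of
distinct irreducibles (period = lcm of the factors' periods, Eq. (2.14)), and a
repeated factor (extra factor p = characteristic, Eq. (2.15)).

Example added for this section; it is not the book's program code.  A feedback
polynomial f(z) = f_0 + f_1 z + ... + z^n is given as the list [f_0, ..., f_n],
and Definition 2.1's coefficients are c_j = -f_j mod p because f(z) = z^n - sum c_j z^j.
All polynomials below are assumed examples."""
from itertools import product
from math import lcm                       # Python 3.9+

PRIMITIVE = [1, 1, 0, 0, 1]                # z^4 + z + 1 over F_2, primitive
QUADRATIC = [1, 1, 1]                      # z^2 + z + 1 over F_2, zeros of order 3
CUBIC = [1, 1, 0, 1]                       # z^3 + z + 1 over F_2, zeros of order 7
PRODUCT = [1, 0, 0, 0, 1, 1]               # (z^2+z+1)(z^3+z+1) = z^5 + z^4 + 1
SQUARED = [1, 0, 1, 0, 0, 0, 1]            # (z^3+z+1)^2 = z^6 + z^2 + 1 over F_2
F3_IRRED = [1, 0, 1]                       # z^2 + 1 over F_3, zeros of order 4


def feedback_coeffs(poly, p):
    """c_0, ..., c_{n-1} of Eq. (2.2) from a monic polynomial over F_p."""
    assert poly[-1] % p == 1, "feedback polynomial must be monic"
    return [(-f) % p for f in poly[:-1]]


def step(coeffs, state, p):
    """One clock of the register: shift and append the feedback value."""
    return state[1:] + (sum(c * a for c, a in zip(coeffs, state)) % p,)


def period(coeffs, state, p):
    """Length of the cycle of internal states reached from `state`."""
    seen, s, t = {}, tuple(state), 0
    while s not in seen:
        seen[s] = t
        s, t = step(coeffs, s, p), t + 1
    return t - seen[s]


def max_period(poly, p):
    """Largest period over all non-zero initial states (the order of f)."""
    coeffs = feedback_coeffs(poly, p)
    return max(period(coeffs, s, p)
               for s in product(range(p), repeat=len(coeffs)) if any(s))


if __name__ == "__main__":
    print("z^4+z+1            :", max_period(PRIMITIVE, 2))          # 15 = 2^4 - 1
    print("(z^2+z+1)(z^3+z+1) :", max_period(PRODUCT, 2), "= lcm(3, 7)")
    print("(z^3+z+1)^2        :", max_period(SQUARED, 2), "= 2 * 7")
    print("z^2+1 over F_3     :", max_period(F3_IRRED, 3))
```

Note that the period depends on the initial state when the feedback polynomial is reducible: a state whose component along one factor is zero sees only the other factor's period, which is why the example takes the maximum over all non-zero states.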

    2.2.4 LFSR Sequences as Cyclic Linear Codes

    Another description of LFSR sequences is based on coding theory.


The LFSR defines a linear mapping from its initial state $(a_0, \ldots, a_{n-1})$ to its output sequence $(a_i)_{i\in\mathbb{N}}$. For fixed $N$ we may interpret the mapping

$$C\colon (a_0, \ldots, a_{n-1}) \mapsto (a_0, \ldots, a_{N-1})$$

as a linear code of length $N$ and dimension $n$. A parity check matrix of the code is

$$H = \begin{pmatrix} c_0 & \cdots & c_{n-1} & -1 & 0 & \cdots & 0 \\ 0 & c_0 & \cdots & c_{n-1} & -1 & 0 & \cdots & 0 \\ & \ddots & & \ddots & & & \ddots & \\ 0 & \cdots & 0 & c_0 & \cdots & c_{n-1} & -1 \end{pmatrix}. \tag{2.16}$$

If we look at a full period of the LFSR, i.e. if we choose $N = p$, then the resulting linear code is cyclic and $f(z)$ is its parity check polynomial.

The code $C$ also has a unique systematic generator matrix

$$G = \begin{pmatrix} 1 & & 0 & c_{n,0} & \cdots & c_{N-1,0} \\ & \ddots & & \vdots & & \vdots \\ 0 & & 1 & c_{n,n-1} & \cdots & c_{N-1,n-1} \end{pmatrix}. \tag{2.17}$$

We have $(a_0, \ldots, a_{N-1}) = (a_0, \ldots, a_{n-1})\,G$, i.e.

$$a_k = \sum_{i=0}^{n-1} c_{k,i}\, a_i. \tag{2.18}$$

We will use this linear representation of the element $a_k$ in terms of the initial state in several attacks.
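As an added example for Sect. 2.2.4 (not code from the book), the block below builds $H$ of (2.16) and the systematic $G$ of (2.17) for an LFSR over $\mathbb{F}_p$, checks that every row of $G$ has zero syndrome, and uses the linear representation (2.18) the way the text announces it will be used: any $n$ output values at positions whose coefficient vectors $(c_{k,0}, \ldots, c_{k,n-1})$ are linearly independent determine the initial state by Gaussian elimination. The assumed instance is $z^4 + z + 1$ ($c_0 = c_1 = 1$); the positions $1, 5, 10, 13$ and $0, 5, 10, 14$ used in the usage part are chosen by hand as an independent and a dependent set respectively.

```python
"""LFSR output as a linear code (Sect. 2.2.4): the parity-check matrix H of
Eq. (2.16), the systematic generator matrix G of Eq. (2.17), and the linear
representation a_k = sum_i c_{k,i} a_i of Eq. (2.18), over the prime field F_p.

Example added for this section, not the book's own code.  The feedback
coefficients follow Definition 2.1; the instance z^4 + z + 1 (c_0 = c_1 = 1) is an
assumed example.  The last function shows what (2.18) means for a designer:
n independent known output positions determine the whole initial state, which
is why a plain LFSR output must never be used directly as a keystream."""


def lfsr_output(coeffs, state, length, p=2):
    """a_0, ..., a_{length-1} by stepping the recursion (2.2)."""
    n = len(coeffs)
    seq = list(state)
    while len(seq) < length:
        seq.append(sum(c * a for c, a in zip(coeffs, seq[-n:])) % p)
    return seq[:length]


def parity_check_matrix(coeffs, N, p=2):
    """H of Eq. (2.16): row k encodes  c_0 a_k + ... + c_{n-1} a_{k+n-1} - a_{k+n} = 0."""
    n = len(coeffs)
    H = []
    for k in range(N - n):
        row = [0] * N
        for j, c in enumerate(coeffs):
            row[k + j] = c % p
        row[k + n] = (-1) % p
        H.append(row)
    return H


def generator_matrix(coeffs, N, p=2):
    """Systematic G of Eq. (2.17): row i is the output for the unit initial state
    e_i, so G[i][k] is the coefficient c_{k,i} of Eq. (2.18) (by linearity)."""
    n = len(coeffs)
    return [lfsr_output(coeffs, [int(i == j) for j in range(n)], N, p) for i in range(n)]


def syndromes_vanish(coeffs, N, p=2):
    """H * G^T == 0 over F_p, i.e. every row of G is a codeword."""
    H = parity_check_matrix(coeffs, N, p)
    G = generator_matrix(coeffs, N, p)
    return all(sum(h * g for h, g in zip(hrow, grow)) % p == 0 for hrow in H for grow in G)


def solve_mod_p(rows, rhs, p):
    """Gauss-Jordan elimination over F_p; returns the unique solution or None."""
    n = len(rows[0])
    M = [list(r) + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, len(M)) if M[r][col] % p), None)
        if piv is None:
            return None                      # rank deficient: no unique solution
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [(x * inv) % p for x in M[col]]
        for r in range(len(M)):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def initial_state_from_outputs(coeffs, known, p=2):
    """Recover (a_0, ..., a_{n-1}) from known output values {k: a_k} via Eq. (2.18):
    each known a_k contributes the linear equation sum_i c_{k,i} a_i = a_k."""
    n = len(coeffs)
    G = generator_matrix(coeffs, max(known) + 1, p)
    rows = [[G[i][k] for i in range(n)] for k in known]
    return solve_mod_p(rows, [known[k] for k in known], p)


if __name__ == "__main__":
    coeffs = [1, 1, 0, 0]                                   # z^4 + z + 1
    print("H G^T = 0:", syndromes_vanish(coeffs, 15))
    print("state from a_1, a_5, a_10, a_13:",
          initial_state_from_outputs(coeffs, {1: 0, 5: 0, 10: 1, 13: 1}))
    print("state from a_0, a_5, a_10, a_14:",
          initial_state_from_outputs(coeffs, {0: 1, 5: 0, 10: 1, 14: 1}))
```

The second call in the usage part returns `None`: those four coefficient vectors are dependent, so four observations are not always enough, only four independent ones are.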

    2.3 Properties of m-Sequences

2.3.1 Golomb's Axioms

Linear shift register sequences of maximal length (m-sequences) have many desirable statistical properties.

The best known of these properties is that they satisfy Golomb's axioms for pseudo-random sequences [115].

We study a periodic binary sequence $(a_i)_{i\in\mathbb{N}}$ with period length $p$. Then the three axioms for $(a_i)_{i\in\mathbb{N}}$ to be a pseudo-random sequence are:


(G1) In every period the number of ones is nearly equal to the number of zeros; more precisely the difference between the two numbers is at most 1:

$$\Bigl|\sum_{i=1}^{p} (-1)^{a_i}\Bigr| \le 1.$$

(G2) For any $k$-tuple $b$, let $N(b)$ denote the number of occurrences of the $k$-tuple $b$ in one period. Then for any $k$ with $1 \le k \le \log_2 p$ we have $|N(b) - N(b')| \le 1$ for any $k$-tuples $b$ and $b'$.

(G2') A sequence of consecutive ones is called a block and a sequence of consecutive zeros is called a gap. A run is either a block or a gap. In every period, one half of the runs has length 1, one quarter of the runs has length 2, and so on, as long as the number of runs indicated by these fractions is greater than 1. Moreover, for each of these lengths the number of blocks is equal to the number of gaps.

(G3) The auto-correlation function

$$C(\tau) = \sum_{i=0}^{p-1} (-1)^{a_i} (-1)^{a_{i+\tau}}$$

is two-valued.

Axiom (G1) is called the distribution test, Axiom (G2) is the serial test and Axiom (G3) is the auto-correlation test. In [115] Golomb uses (G2') instead of (G2). Axiom (G2) was introduced in [169] and is in some respects more useful than the original axiom.

The distribution test (G1) is a special case of the serial test (G2). However, (G1) is retained for historical reasons, and sequences which satisfy (G1) and (G3), but not (G2), are also important.

Theorem 2.3 (Golomb [115]) Every m-sequence satisfies (G1)–(G3).

Proof An m-sequence is characterized by the fact that the internal state of the linear feedback shift register runs through all elements of $\mathbb{F}_2^n \setminus \{(0, \ldots, 0)\}$. Since at any time the next $n$ output bits form the current internal state, this means that $(a_t, \ldots, a_{t+n-1})$ runs over all elements of $\mathbb{F}_2^n \setminus \{(0, \ldots, 0)\}$ where $t$ runs from $0$ to $2^n - 1$. This proves

$$N(a_1, \ldots, a_k) = \begin{cases} 2^{n-k} - 1 & \text{for } a_1 = \cdots = a_k = 0, \\ 2^{n-k} & \text{otherwise.} \end{cases}$$

Thus an m-sequence passes the serial test for blocks of length up to $n$ and hence it satisfies (G2) and (G1).

A run of length $k$ is just a subsequence of the form $1, 0, 0, \ldots, 0, 1$ with $k$ zeros and a block of length $k$ is a subsequence of the form $0, 1, 1, \ldots, 1, 0$. We have already proved that an m-sequence contains exactly $2^{n-k-2}$ subsequences of this type for $k \le n - 2$. This is the statement of (G2').

We find $C(0) = 2^n - 1$ as one value of the auto-correlation function. We now prove $C(\tau) = -1$ for $0 < \tau < 2^n - 1$. By Theorem 2.1 we have $a_i = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}(\beta\alpha^i)$ for a primitive element $\alpha$ of $\mathbb{F}_{2^n}$ and $a_{i+\tau} = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}(\beta'\alpha^i)$. Note that we have the same $\alpha$ in both equations, since $(a_i)_{i\in\mathbb{N}}$ and $(a_{i+\tau})_{i\in\mathbb{N}}$ satisfy the same recurrence. Thus $a_i + a_{i+\tau} = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}((\beta + \beta')\alpha^i)$ and hence $(a_i + a_{i+\tau})_{i\in\mathbb{N}}$ is also an m-sequence. By (G1) we have

$$C(\tau) = \sum_{i=0}^{p-1} (-1)^{a_i + a_{i+\tau}} = -1.$$

Thus the auto-correlation function takes just the two values $2^n - 1$ and $-1$.
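The axioms and the proof above translate directly into checks one can run on a candidate sequence. The block below is an added example (not the book's program code) that tests (G1), (G2), (G2') and (G3), plus the shift-and-add property that the proof of (G3) relies on, all counted cyclically over one period. The m-sequence of $z^4 + z + 1$ ($a_{i+4} = a_i + a_{i+1} \bmod 2$) is an assumed example; the short sequence $1, 0, 0, 0, 1$ of period $5$ is a constructed counterexample that passes (G1) but fails (G3) and shift-and-add.

```python
"""Golomb's axioms (G1), (G2), (G2'), (G3) and the shift-and-add property
(Theorem 2.4 (a)), checked on the binary m-sequence of z^4 + z + 1
(a_{i+4} = a_i + a_{i+1} mod 2, an assumed example).

Example added for this section; it is not the book's program code.  All
counts are taken cyclically over one period, as the axioms require."""
from itertools import product
from math import log2


def m_sequence(coeffs, state):
    """One full period 2^n - 1 of the LFSR sequence (assumes a primitive polynomial)."""
    n = len(coeffs)
    seq = list(state)
    while len(seq) < 2 ** n - 1:
        seq.append(sum(c * a for c, a in zip(coeffs, seq[-n:])) % 2)
    return seq


def g1_distribution(seq):
    """(G1): |sum_i (-1)^{a_i}| <= 1, i.e. ones and zeros differ by at most one."""
    return abs(sum((-1) ** a for a in seq)) <= 1


def tuple_counts(seq, k):
    """N(b) for every k-tuple b (cyclic windows over one period)."""
    p = len(seq)
    counts = {b: 0 for b in product((0, 1), repeat=k)}
    for i in range(p):
        counts[tuple(seq[(i + j) % p] for j in range(k))] += 1
    return counts


def g2_serial(seq):
    """(G2): for 1 <= k <= log2 p all N(b) differ by at most one."""
    for k in range(1, int(log2(len(seq))) + 1):
        c = tuple_counts(seq, k).values()
        if max(c) - min(c) > 1:
            return False
    return True


def run_statistics(seq):
    """Cyclic runs as {(value, length): count}; value 1 is a block, 0 a gap."""
    p = len(seq)
    start = next(i for i in range(p) if seq[i] != seq[i - 1])   # a run boundary
    rot = seq[start:] + seq[:start]
    counts, i = {}, 0
    while i < p:
        j = i
        while j < p and rot[j] == rot[i]:
            j += 1
        counts[(rot[i], j - i)] = counts.get((rot[i], j - i), 0) + 1
        i = j
    return counts


def g2prime_runs(seq):
    """(G2'): half of the runs have length 1, a quarter length 2, ... as long as
    that fraction exceeds one run, with equally many blocks and gaps per length."""
    stats = run_statistics(seq)
    total, length = sum(stats.values()), 1
    while total / 2 ** length > 1:
        expected = total // 2 ** length
        if stats.get((1, length), 0) != expected // 2 or stats.get((0, length), 0) != expected // 2:
            return False
        length += 1
    return True


def autocorrelation(seq, tau):
    """C(tau) of axiom (G3), indices taken modulo the period."""
    p = len(seq)
    return sum((-1) ** (seq[i] ^ seq[(i + tau) % p]) for i in range(p))


def g3_two_valued(seq):
    """(G3): C(tau) takes exactly two values over 0 <= tau < p."""
    return len({autocorrelation(seq, t) for t in range(len(seq))}) == 2


def shift_and_add(seq):
    """Theorem 2.4 (a): for every 0 < k < p the termwise sum of the sequence and
    its k-shift is again a shift of the sequence."""
    p = len(seq)
    shifts = {tuple(seq[(i + t) % p] for i in range(p)) for t in range(p)}
    return all(tuple(seq[i] ^ seq[(i + k) % p] for i in range(p)) in shifts
               for k in range(1, p))


if __name__ == "__main__":
    S = m_sequence([1, 1, 0, 0], [1, 0, 0, 0])
    print(S, g1_distribution(S), g2_serial(S), g2prime_runs(S), g3_two_valued(S), shift_and_add(S))
    print([1, 0, 0, 0, 1], g1_distribution([1, 0, 0, 0, 1]), g3_two_valued([1, 0, 0, 0, 1]))
```

Passing these axioms is a necessary, not a sufficient, property of a keystream: the m-sequence passes every one of them and is still completely determined by $n$ output bits (Sect. 2.2.4), so the axioms measure statistical quality only.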

Besides the Golomb axioms, m-sequences also satisfy other interesting equations:

Theorem 2.4 Every m-sequence satisfies:

(a) For every $0 < k < 2^n - 1$ there exists a $\tau$ for which $a_i + a_{i+k} = a_{i+\tau}$ for all $i \in \mathbb{N}$. This is called the shift-and-add property.

(b) There exists a $\tau$ such that $a_{i2^j + \tau} = a_{i+\tau}$ for all $i, j \in \mathbb{N}$. This is called the constancy on cyclotomic cosets.

Proof We have already used and proved the shift-and-add property when we demonstrated that an m-sequence satisfies the auto-correlation test.

By Theorem 2.1 we know that $a_i = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}(\beta\alpha^i)$ for some $\beta \in \mathbb{F}_{2^n}$ and a primitive $\alpha \in \mathbb{F}_{2^n}$. We choose $\tau$ such that $\beta\alpha^\tau = 1$.

Then

$$\begin{aligned} a_{i+\tau} &= \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\bigl(\beta\alpha^{i+\tau}\bigr) = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\bigl(\alpha^i\bigr) \\ &= \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\bigl(\alpha^{i2^j}\bigr) \qquad \text{since } x \mapsto x^{2^j} \text{ is an automorphism of } \mathbb{F}_{2^n}/\mathbb{F}_2 \\ &= \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\bigl(\beta\alpha^{i2^j+\tau}\bigr) = a_{i2^j+\tau}. \end{aligned}$$


The shift-and-add property is of special interest since it characterizes the m-sequences uniquely.

Theorem 2.5 Every sequence which satisfies the shift-and-add property is an m-sequence.

Proof Let $A = (a_i)_{i\in\mathbb{N}}$ be a sequence of period $p$ which has the shift-and-add property. Then the $p$ shifts of the sequence, together with the zero sequence, form an elementary Abelian group. It follows that $p + 1 = 2^n$ for some $n \in \mathbb{N}$. Let $A_k$ denote the sequence $(a_{i+k})_{i\in\mathbb{N}}$. Any $n$ successive shifts of the sequence $A$ form a basis of the elementary Abelian group, thus we can write $A_n$ as a linear combination of $A_0, \ldots, A_{n-1}$, i.e.

$$A_n = \sum_{k=0}^{n-1} c_k A_k.$$

Reading the last equation element-wise gives

$$a_{i+n} = \sum_{k=0}^{n-1} c_k a_{i+k},$$

i.e. the sequence $A$ satisfies a linear recurrence. Since the period of $A$ is $p = 2^n - 1$, it is an m-sequence.

    2.3.2 Sequences with Two Level Auto-Correlation

It is a natural question whether the converse of Theorem 2.3 holds. Golomb conjectured that it does and indicated in a passage of his book (Sect. 4.7 in [115]) that he had a proof, but the actual answer turns out to be negative (see also [114]).

To put this answer in a bigger context we will study sequences which satisfy Axiom (G3), which have a strong connection to design theory. We make the following definition.

Definition 2.6 Let $G$ be an additive group of order $v$ and let $D$ be a $k$-subset of $G$. $D$ is called a $(v, k, \lambda)$-difference set of $G$ if for every element $h \neq 0$ in $G$ the equation

$$h = d - d'$$

has exactly $\lambda$ solutions with $d, d' \in D$. If $G = \mathbb{Z}/v\mathbb{Z}$ is a cyclic group we speak of a cyclic $(v, k, \lambda)$-difference set.

The connection between sequences satisfying (G3) and difference sets is given by the following theorem.
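Definition 2.6 can be tested on the support of an m-sequence. The block below is an added example (not code from the book): it checks whether a subset of $\mathbb{Z}/v\mathbb{Z}$ is a cyclic $(v, k, \lambda)$-difference set by counting representations of every $h \neq 0$, applies this to $D = \{i : a_i = 1\}$ for the m-sequence of $z^4 + z + 1$ (an assumed example, $v = 15$, $k = 8$), and then relates $\lambda$ to the auto-correlation of (G3): for $\tau \neq 0$ the positions with $a_i = a_{i+\tau} = 1$ number exactly $\lambda$, so the disagreements number $2(k - \lambda)$ and $C(\tau) = v - 4(k - \lambda)$. That counting step is supplied here; it is not a formula taken from the visible page.

```python
"""Cyclic difference sets (Definition 2.6) from the support of an m-sequence.

Example added for this section; it is not code from the book.  The m-sequence
of z^4 + z + 1 (a_{i+4} = a_i + a_{i+1} mod 2) is an assumed example; the relation
C(tau) = v - 4(k - lambda) for tau != 0 is a counting argument added here."""


def m_sequence(coeffs, state):
    """One full period 2^n - 1 of the LFSR sequence (assumes a primitive polynomial)."""
    n = len(coeffs)
    seq = list(state)
    while len(seq) < 2 ** n - 1:
        seq.append(sum(c * a for c, a in zip(coeffs, seq[-n:])) % 2)
    return seq


def support(seq):
    """D = {i : a_i = 1} as a subset of Z/vZ, v = len(seq)."""
    return [i for i, a in enumerate(seq) if a == 1]


def difference_set_lambda(D, v):
    """Return lambda if D is a cyclic (v, k, lambda)-difference set of Z/vZ, i.e.
    every h != 0 has exactly lambda representations h = d - d' with d, d' in D;
    otherwise return None."""
    counts = {h: 0 for h in range(1, v)}
    for d in D:
        for e in D:
            if d != e:
                counts[(d - e) % v] += 1
    values = set(counts.values())
    return values.pop() if len(values) == 1 else None


def autocorrelation(seq, tau):
    """C(tau) of axiom (G3), indices modulo the period."""
    p = len(seq)
    return sum((-1) ** (seq[i] ^ seq[(i + tau) % p]) for i in range(p))


def autocorrelation_from_parameters(v, k, lam):
    """For tau != 0: lambda positions have a_i = a_{i+tau} = 1, hence k - lambda
    positions have (1, 0) and k - lambda have (0, 1); C(tau) = v - 4(k - lambda)."""
    return v - 4 * (k - lam)


if __name__ == "__main__":
    S = m_sequence([1, 1, 0, 0], [1, 0, 0, 0])
    D = support(S)
    lam = difference_set_lambda(D, len(S))
    print("D =", D, " (v, k, lambda) =", (len(S), len(D), lam))
    print("C(tau) from parameters:", autocorrelation_from_parameters(len(S), len(D), lam),
          " measured C(3):", autocorrelation(S, 3))
    print("{1, 2, 4} in Z/7Z:", difference_set_lambda([1, 2, 4], 7),
          " {0, 1, 2} in Z/7Z:", difference_set_lambda([0, 1, 2], 7))
```

The parameters also satisfy the standard counting identity $k(k-1) = \lambda(v-1)$ (here $8 \cdot 7 = 4 \cdot 14$), which is a quick sanity check before running the full test on larger periods.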


    Theorem 2.6 The following statements are equivalen