Chapter 4
Linear Feedback Shift Registers
4.1 Keystreams
In Example 2.6.1 (c) in Chapter 2 we introduced stream ciphers for which the plaintext,
ciphertext, and keystream elements are all integers modulo 2 (bits), and the keystream elements
are added to the plaintext elements to produce the ciphertext stream:
e_z(x) = x + z mod 2 and d_z(y) = y + z mod 2.
To produce the keystream z = z_1, z_2, ... we usually start with a short bit string (the key
K = (k_1, k_2, ..., k_m), sometimes called the `seed' in this context) and expand it into a much
longer bit string, the keystream, which we hope is `random-looking'.
For a one-time pad, however, a key or seed as long as the plaintext message is needed and no
expansion takes place; in that case the keystream is truly random, and the one-time pad cipher is
unbreakable. (That it is unbreakable is a result of Shannon, which we see later.) For other stream
ciphers the keystream is at best pseudo-random, and pinning down what this means is quite
difficult; see Section 4.3.
If the keystream is generated independently of the plaintext string, the stream cipher is called
synchronous. Starting with the key K = (k_1, k_2, ..., k_m) of length m, we put z_1 = k_1, z_2 = k_2, ...,
z_m = k_m, and generate the next keystream bit z_{m+1} = f(z_1, z_2, ..., z_m) as a function of the
preceding elements. Such a function f is sometimes called a feedback function. We continue in this
way, generating z_{m+1+i} = f(z_{1+i}, z_{2+i}, ..., z_{m+i}) for each i using the same function. There
are only 2^m bit strings of length m, so sooner or later we find a string z_{i+1}, ..., z_{m+i} equal to an
earlier string z_{j+1}, ..., z_{m+j} (j < i), and then z_{m+i+l} = z_{m+j+l} for all l > 0. Thus the
keystream z = z_1, z_2, ... of a synchronous stream cipher is periodic, and the least positive integer
d such that z_{i+d} = z_i for all integers i > 0 is called its period. From this discussion it is clear
that the period d is at most 2^m.
The feedback functions we consider in this chapter are linear:
f(x_1, x_2, ..., x_m) = c_1 x_1 + c_2 x_2 + ... + c_m x_m = \sum_{j=1}^{m} c_j x_j mod 2,
so that
z_{i+m} = \sum_{j=1}^{m} c_j z_{i+j-1} mod 2.   (4.1)
This is called a linear recurrence relation of degree m. With this type of function an all
zero key K = (0,0,...,0) would produce an all zero keystream, so we avoid this. However, it is
possible to choose the constants c_1, c_2, ..., c_m in such a way that for any other key K = (k_1, k_2, ..., k_m)
with at least one non-zero k_i, the keystream generated by the linear recurrence relation has period
equal to 2^m - 1. Justifying this depends on the theory of linear recurrence relations and the
existence of primitive polynomials over Z_2. We look at this in the next section. Recall that the
key K must be transmitted to the receiver Bob by a secure channel, so having a relatively short
key (of length m) compared with the period of the keystream (of period 2^m - 1) is highly
desirable, provided it is not at the expense of the security of the stream cipher.
Example 1 Suppose m=4 and the rule for generating the keystream is
z_{i+4} = z_i + z_{i+1} mod 2.
For any initial key K apart from (0,0,0,0) this gives a keystream of period 15. For example,
starting with the key K=(1,1,0,0) we get the keystream
1,1,0,0,0,1,0,0,1,1,0,1,0,1,1,1,1,0,0,...
The first time we get a repeat of a 4-bit string is the repeat of 1,1,0,0 starting at the 16th position,
that is, after 15 distinct 4-bit strings. Any other non-zero initial key will produce a cyclic
permutation of this keystream - always the period is 15.
Example 2 Suppose m=3 and the rule for generating the keystream is
Example 3 The linear feedback shift register (LFSR) corresponding to the linear recurrence
relation of Example 4.1.1 is shown below.
Notice that we only show connections corresponding to the non-zero ci. Starting with
K=(1,1,0,0) we see the LFSR operating as below.
                 S4  S3  S2  S1 | output
initial           0   0   1   1
(feedback into S4 = last S1 + S2)
                  0   0   0   1 |   1
                  1   0   0   0 |   1
                  0   1   0   0 |   0
                  0   0   1   0 |   0
                  1   0   0   1 |   0
                  1   1   0   0 |   1
etc.
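The LFSR of Examples 1 and 3, simulated as an added example (not code from the notes): it clocks the register exactly as in the table above, lists the keystream, and finds the period for one key or for every non-zero key. Tap coefficients follow (4.1), so the rule z_{i+4} = z_i + z_{i+1} of Example 1 is c = (1, 1, 0, 0).

```python
# Added example, not code from the notes: the LFSR of Examples 1 and 3.
# c = (c_1, ..., c_m) are the coefficients of recurrence (4.1),
#     z_{i+m} = c_1 z_i + c_2 z_{i+1} + ... + c_m z_{i+m-1}  (mod 2),
# so the rule z_{i+4} = z_i + z_{i+1} of Example 1 is c = (1, 1, 0, 0).

def lfsr_steps(c, key, steps):
    """Clock the register `steps` times.

    key is (k_1, ..., k_m), loaded as S1 = k_1, ..., Sm = k_m.  Each clock
    outputs S1, shifts every register one place toward S1 and feeds
    c_1*S1 + ... + c_m*Sm (mod 2) into Sm.  Returns a list of
    (contents after the clock, written as (Sm, ..., S1), output bit),
    the same layout as the table in the notes.
    """
    s = list(key)                     # s[0] is S1, s[-1] is Sm
    rows = []
    for _ in range(steps):
        out = s[0]
        feedback = sum(ci * si for ci, si in zip(c, s)) % 2
        s = s[1:] + [feedback]
        rows.append((tuple(reversed(s)), out))
    return rows


def keystream(c, key, n):
    """First n keystream bits z_1, ..., z_n (z_1 = k_1, ..., z_m = k_m)."""
    return [out for _, out in lfsr_steps(c, key, n)]


def period(c, key):
    """Clock cycles until the register contents first return to the key,
    or None if they never do (possible only when c_1 = 0, since then the
    state map is not invertible and a key can fall into a cycle it is not on)."""
    start = tuple(key)
    for t, (state, _) in enumerate(lfsr_steps(c, key, 2 ** len(c)), start=1):
        if tuple(reversed(state)) == start:
            return t
    return None


def all_periods(c):
    """Set of periods over all non-zero keys; {2^m - 1} means every key gives
    the maximum period (Section 4.2: the characteristic polynomial is primitive)."""
    m = len(c)
    return {period(c, [(k >> j) & 1 for j in range(m)]) for k in range(1, 2 ** m)}


if __name__ == "__main__":
    # Example 3's table: contents (S4 S3 S2 S1) and output after each clock
    for state, out in lfsr_steps((1, 1, 0, 0), (1, 1, 0, 0), 6):
        print(*state, "|", out)
    print(keystream((1, 1, 0, 0), (1, 1, 0, 0), 19))          # Example 1's keystream
    print(all_periods((1, 1, 0, 0)), all_periods((1, 1, 1)))  # {15} and {1, 2, 4}
```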
(the auxiliary polynomial). In the case of the linear recurrence relation (4.1) the polynomial
which is relevant is
f(x) = x^m + c_m x^{m-1} + ... + c_2 x + c_1
and is called the characteristic polynomial of the linear recurrence relation. Note that all the
c_i ∈ Z_2, and that all the signs are + signs because +1 = -1 in Z_2. It turns out that the
LFSR corresponding to f(x) has keystream with the maximum possible period 2^m - 1 if and only if
f(x) is a primitive polynomial over Z_2.
Recall from Section 3.5 that a degree m polynomial f(x) ∈ Z_2[x] is primitive if and only if f(x) is
irreducible and x is a primitive element of the field F constructed using f(x) (as described in
Section 3.5). Equivalently, f(x) is primitive if and only if f(x) is irreducible and the least positive
integer n such that f(x) divides x^n - 1 is n = 2^m - 1. The main thing to remember is that these
polynomials exist for all values of m, and tables of them are available in the literature (see, for
example, tables in Beker and Piper's book on pages 195 and 404).
Example 1 In Example 4.1.1, the characteristic polynomial is f(x) = x^4 + x + 1. It is irreducible
and indeed it is primitive. The associated LFSR has period 15 for all initial non-zero keys.
In Example 4.1.2, the characteristic polynomial is f(x) = x^3 + x^2 + x + 1 = (x+1)^3 mod 2. As we saw,
different keys gave keystreams of periods 1, 2 or 4.
If the keystream from an LFSR has maximum period 2^m - 1, then every one of the 2^m - 1 possible
bit strings of length m (except the all-zero string) occurs as the contents of the m shift registers at
some stage, so it does not matter what our (not all-zero) initial key string is from the point of
view of getting a maximum period for the keystream. Of course it matters for decrypting the
ciphertext! A proof that we get this maximum period if and only if the characteristic polynomial
is primitive can be found in Section 5.8 of Beker and Piper's book. This proof is not required for
this unit.
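An added check of the primitivity criterion above (not code from the notes): polynomials over Z_2 are held as integer bit masks, irreducibility is decided by trial division, and the order of x is the least n with f(x) | x^n - 1. It goes one step beyond the notes by also covering an irreducible but non-primitive polynomial, x^4 + x^3 + x^2 + x + 1, for which that n is 5 rather than 15.

```python
# Added example, not code from the notes: is f(x) in Z_2[x] primitive?
# A polynomial is an int whose bit i is the coefficient of x^i, so
# x^4 + x + 1 is 0b10011 and x^3 + x^2 + x + 1 is 0b1111.

def deg(p):
    return p.bit_length() - 1        # deg(0) = -1


def mod2(a, b):
    """Remainder of a on division by b in Z_2[x] (long division with XOR)."""
    while a and deg(a) >= deg(b):
        a ^= b << (deg(a) - deg(b))
    return a


def mulmod2(a, b, f):
    """a * b reduced modulo f in Z_2[x]; a must already be reduced."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = mod2(a << 1, f)          # a := a*x mod f
    return r


def is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)//2."""
    m = deg(f)
    return m >= 1 and all(mod2(f, d) != 0 for d in range(2, 1 << (m // 2 + 1)))


def order_of_x(f):
    """Least n > 0 with x^n = 1 (mod f), i.e. f(x) | x^n - 1.
    Returns 0 if no such n < 2^m exists (only when x divides f)."""
    power = 1
    for n in range(1, 1 << deg(f)):
        power = mulmod2(power, 0b10, f)
        if power == 1:
            return n
    return 0


def is_primitive(f):
    """Section 4.2 criterion: irreducible and the order of x equals 2^m - 1."""
    return is_irreducible(f) and order_of_x(f) == (1 << deg(f)) - 1


if __name__ == "__main__":
    for name, f in [("x^4+x+1", 0b10011), ("x^3+x^2+x+1", 0b1111),
                    ("x^3+x+1", 0b1011), ("x^4+x^3+x^2+x+1", 0b11111)]:
        print(name, is_irreducible(f), order_of_x(f), is_primitive(f))
```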
The following is again not required for the unit. I developed it as a `game' to hint at how a
primitive polynomial f(x) might be linked to long periods of keystreams.
Suppose for some perverse reason that we play the following game: We imagine that the initial
key elements are polynomials in an indeterminate x, and in fact that the key is K = (1, x, x^2, ...,
x^{m-1}). We imagine further that these polynomials are elements of a finite field constructed as in
Section 3.5 using a primitive polynomial f(x) = x^m + c_m x^{m-1} + ... + c_2 x + c_1, so that in this field we have
f(x) = 0 and hence x^m = c_m x^{m-1} + ... + c_2 x + c_1. Now in an LFSR with characteristic polynomial f(x), the
initial contents of the m shift registers satisfy: S1 contains 1, S2 contains x, ..., Sm contains x^{m-1}.
After the first clock cycle we output the contents 1 of the shift register S1, we move the contents
of each other shift register into the shift register one step to the right, and we feed into the shift
register Sm the `feedback' which is c_1·1 + c_2 x + ... + c_m x^{m-1} = f(x) + x^m = x^m. Similarly after the second
clock cycle we output the contents x of S1, we move the contents of each other shift register into
the shift register one step to the right, and we feed into Sm the `feedback' which is c_1 x + c_2 x^2 + ...
+ c_m x^m = x(f(x) + x^m) = x^{m+1}. Thus the LFSR generates the following sets of states in the shift
registers:
                                  Sm         ...   S2         S1         output
initial                           x^{m-1}    ...   x          1
feedback                          x^m        ...   x^2        x          1
                                  x^{m+1}    ...   x^3        x^2        x
...                               ...              ...        ...        ...
after i-th clock cycle            x^{m+i}    ...   x^{i+2}    x^{i+1}    x^i
...                               ...              ...        ...        ...
first repeat of initial states    x^{m-1}    ...   x          1          x^j
At some point we will get a repeat of the initial contents of the shift registers. If the first time this
happens is after the j-th clock cycle, then the output element will be x^j and we will have x^{j+1} = 1, and
this will be the first time this happens, that is, j will be the smallest positive integer such that
x^{j+1} = 1. This integer j is the period of the LFSR. By the definition of a primitive element in a field
of order 2^m, the period is 2^m - 1 ⇔ x is a primitive element ⇔ f(x) is a primitive polynomial.
4.3 Randomness
Clearly no periodic sequence, such as the keystream produced by a linear feedback shift register,
is truly random. In fact knowledge of any 2m consecutive output bits of a keystream with
characteristic polynomial f(x) = x^m + c_m x^{m-1} + ... + c_1 of degree m is sufficient to determine the
characteristic polynomial, and hence to determine the whole keystream. This is because we have
m equations
z_{m+i} = c_1 z_i + ... + c_m z_{m-1+i}
(i = 1, ..., m) in the unknowns c_1, ..., c_m that can be solved by Gaussian elimination.
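The Gaussian elimination just described, as an added example (not code from the notes): from 2m keystream bits it recovers c_1, ..., c_m and continues the keystream, which is exactly why a bare LFSR output cannot serve as a secure keystream. It uses the first eight bits of Example 1 in Section 4.1, and returns None when the m equations are not independent, a case the notes do not discuss.

```python
# Added example, not code from the notes: recover c_1, ..., c_m from 2m
# consecutive keystream bits by Gaussian elimination over Z_2, then continue
# the keystream.  A short known segment of an LFSR output determines the
# whole sequence, which is the point made in Section 4.3.

def solve_gf2(rows, rhs):
    """Solve M c = b over Z_2 (rows of M and b are lists of bits).
    Returns c as a list of bits, or None if M is singular, in which case
    these 2m bits do not determine the taps uniquely (not discussed in the notes)."""
    m = len(rows)
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]       # augmented matrix [M | b]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):                                   # clear column col in other rows
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def recover_taps(z, m):
    """z holds z_1, ..., z_{2m} (0-indexed).  Build the m equations
    z_{m+i} = c_1 z_i + ... + c_m z_{m-1+i}, i = 1..m, and solve for c."""
    rows = [z[i:i + m] for i in range(m)]
    rhs = [z[m + i] for i in range(m)]
    return solve_gf2(rows, rhs)


def extend(c, z, n):
    """Continue z to n bits with recurrence (4.1) using taps c."""
    z = list(z)
    while len(z) < n:
        z.append(sum(ci * zi for ci, zi in zip(c, z[-len(c):])) % 2)
    return z


# Input: the first 2m = 8 bits of the Example 1 keystream (m = 4, key (1,1,0,0)).
OBSERVED = [1, 1, 0, 0, 0, 1, 0, 0]

if __name__ == "__main__":
    c = recover_taps(OBSERVED, 4)
    print("recovered taps:", c)                    # [1, 1, 0, 0]: z_{i+4} = z_i + z_{i+1}
    print("continued keystream:", extend(c, OBSERVED, 19))
```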
What we really want of the keystream is unpredictability rather than true randomness. If a
cryptanalyst intercepts part of the keystream then we want this knowledge to give the
cryptanalyst no information about what will come next in the keystream. Of course this is
impossible if the cryptanalyst had a whole cycle of the keystream. However if only a portion of
the keystream, considerably shorter than the period, is intercepted, then we want this to provide
no further information about the rest of the keystream. Any keystream satisfying this general
property is called a pseudo-random sequence.
We saw that differing frequencies of the letters, or short strings of consecutive letters, in English
text enabled substitution ciphers to be broken easily with sufficient ciphertext. Similar ideas led
to the suggestion in 1967 by Solomon Golomb of several properties of the keystream which
might help to ensure that it could be used securely for encryption. To state these we need to
introduce some terminology. In a sequence of binary integers, a run is a string of consecutive
equal bits, for example the sequence 00011011 starts with a run of three 0's, followed by a run of
two 1's, then a run of one 0 and a run of two 1's. A run of 0's is called a gap while a run of 1's is
called a block.
Golomb's Randomness Principles: For a keystream of binary integers having period n, say
z_1, z_2, ..., z_n, ...,
G1 Each consecutive string of length n from the keystream should contain exactly n/2
ones (and n/2 zeros) if n is even, or it should contain (n ± 1)/2 ones if n is odd.
G2 In each consecutive string of length n from the keystream, half the runs should have
length 1, a quarter should have length 2, an eighth should have length 3, and in general,
for each i for which there are at least 2^{i+1} runs, 1/2^i of the runs should have length i. Moreover for
each of these lengths there should be equally many gaps and blocks.
G3 For each i = 1, ..., n-1, let A(i) be the number of j such that 1 ≤ j ≤ n and z_j = z_{i+j}. Then
we should have A(1) = A(2) = ... = A(n-1).
A keystream that satisfies all of Golumb's Randomness Principles is called a pseudo-noise
sequence.
The most familiar truly random sequence is probably the sequence of heads and tails obtained
from independent tosses of a fair coin. In this context G1 says there should be about equally
many heads and tails; G2 says that after a run of heads (or a run of tails) there is a 50/50 chance
that the run will end with the next coin toss; G3 reflects the independence of the coin tosses: knowing the result of a given coin toss gives no information about the result of the next coin
toss.
While finding pseudo-noise sequences, that is, sequences satisfying Golomb's Randomness
Principles exactly, seems difficult, the principles provide the basis for several statistical tests
which can be applied to keystreams to give a measure of some of their randomness properties.
Example 1 Consider the sequence (z_i)_{i ≥ 1} in the text above of period 8, namely
0001101100011011...
Each consecutive string of length 8 contains 4 zeros so it satisfies G.1. Next if we consider the
first 8-bit string we have 4 runs of which 1 has length 1 and 2 have length 2; for the 8-bit string
z2... z9 = 00110110, there are 5 runs of which 2 have length 1 and 3 have length 2; etc. So G.2 is
not satisfied. Finally A(1)=A(7)=4, A(2)=A(6)=2, A(3)=A(5)=4, A(4)=3, so G.3 is not satisfied.
4.4 Exercise Set: LFSRs
1. Find the period of the linear recurrence
z_{i+3} = z_{i+1} + z_i mod 2,
for i ≥ 1, and give the keystream generated from the seed K = (1,1,1). Write down the
characteristic polynomial for this linear recurrence. Is it a primitive polynomial?
2. Construct a linear feedback shift register to generate the keystream in Question 1.
3. Consider the linear recurrence
z_{i+4} = z_{i+3} + z_{i+1} + z_i mod 2,
of degree m=4. Find the keystreams and periods generated from the keys (i) (1,1,1,1), (ii)
(0,0,0,1), (iii) (1,0,1,0), (iv) (0,0,1,0), (v) (1,0,1,1).
What is the characteristic polynomial of this linear recurrence? In what way does it help explain
your answers to parts (i)-(v)?
4. The exercise set in class concerned the following binary sequence constructed by the class:
0110110111111001010011011001101101111110010100110110
Check out the extent to which the three Golomb Randomness Principles hold for this sequence.
4.5 Solutions: LFSRs
1. K = (1,1,1) generates the keystream 1,1,1,0,0,1,0,1,1,1,.... This has period 7 since the first
time the 3-bit string 1,1,1 is repeated is in row 8 below.
             S3  S2  S1 | output
initial       1   1   1
(feedback into S3 = last S1 + S2)
              0   1   1 |   1
              0   0   1 |   1
              1   0   0 |   1
              0   1   0 |   0
              1   0   1 |   0
              1   1   0 |   1
              1   1   1 |   0
The characteristic polynomial is f(x) = x^3 + x + 1. Since the period of the sequence is 7 = 2^3 - 1 (the
maximum possible for the degree), this polynomial is primitive.
2. The LFSR has three shift registers S3, S2, S1, with connections going down from the output
side of S1 and S2.
3. (i) Keystream 1,1,1,1..., period 1; (ii) row 7 is the first repeat of the 4-bit string 1,0,0,0 so the
period is 6 and the keystream is 0,0,0,1,1,1 then repeated; (iii) row 3 is the first repeat of the 4-bit
string 0,1,0,1 so the period is 2 and the keystream is 1,0 then repeated; (iv) row 4 is the first
repeat of the 4-bit string 0,1,0,0 so the period is 3 and the keystream is 0,0,1 then repeated; (v)
row 4 is the first repeat of the 4-bit string 1,1,0,1 so the period is 3 and the keystream is 1,0,1
then repeated.
case (ii)     S4  S3  S2  S1 | output
initial        1   0   0   0
(feedback into S4 = last S1 + S2 + S4)
               1   1   0   0 |   0
               1   1   1   0 |   0
               0   1   1   1 |   0
               0   0   1   1 |   1
               0   0   0   1 |   1
               1   0   0   0 |   1

case (iii)    S4  S3  S2  S1 | output
initial        0   1   0   1
(feedback into S4 = last S1 + S2 + S4)
               1   0   1   0 |   1
               0   1   0   1 |   0

case (iv)     S4  S3  S2  S1 | output
initial        0   1   0   0
(feedback into S4 = last S1 + S2 + S4)
               0   0   1   0 |   0
               1   0   0   1 |   0
               0   1   0   0 |   1

case (v)      S4  S3  S2  S1 | output
initial        1   1   0   1
(feedback into S4 = last S1 + S2 + S4)
               0   1   1   0 |   1
               1   0   1   1 |   0
               1   1   0   1 |   1
4. The given sequence consists of two copies of the 26-bit string
01101101111110010100110110
so it has period 26.
Golomb Randomness Principles:
G1. 10 zeros and 16 ones: not equal so Golomb's first principle fails, but not too badly.
G2. For this we need to look at lots of `windows' of length 26 in the sequence so we write
out the sequence twice.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 1 1 0 1 1 0 1 1 1 1 1 1 0 0 1
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
0 1 0 0 1 1 0 1 1 0 0 1 1 0 1 1
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
0 1 1 1 1 1 1 0 0 1 0 1 0 0 1 1
49 50 51 52
0 1 1 0
String   No. of runs   Half of the runs (G2: length 1)   Quarter of the runs (G2: length 2)
1-26         15              7.5                                3.75
2-27         14              7                                  3.5
3-28         15              7.5                                3.75
4-29         14              7                                  3.5
5-30         14              7                                  3.5
6-31         15              7.5                                3.75
7-32         14              7                                  3.5
8-33         14              7                                  3.5
9-34         15              7.5                                3.75
10-35        15              7.5                                3.75
11-36        15              7.5                                3.75
12-37        15              7.5                                3.75
13-38        15              7.5                                3.75
14-39        14              7                                  3.5
15-40        15              7.5                                3.75
16-41        14              7                                  3.5
17-42        14              7                                  3.5
18-43        14              7                                  3.5
19-44        14              7                                  3.5
20-45        15              7.5                                3.75
21-46        14              7                                  3.5
22-47        15              7.5                                3.75
23-48        14              7                                  3.5
24-49        14              7                                  3.5
25-50        15              7.5                                3.75
26-35        14              7                                  3.5
There are too many runs of length 2 and not enough of length 1.
G3.
i 1 2 3 4 5 6 7 8 9 10 11 12 13
A(i) 12 10 18 14 10 14 16 12 10 16 12 12 18
This is not too bad. Five values reasonably well distributed.
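The counts behind the three principles (G1 bit counts, G2 run lengths, G3 the values A(i)), coded as an added example that is not part of the notes and checked against Solution 4 above and against Example 1 of Section 4.3. Indices are taken cyclically, as the keystream is periodic; runs are counted over one period read left to right, which is the 1-26 window of the table.

```python
# Added example, not code from the notes: the counts behind Golomb's principles
# for one period of a binary sequence.  Indices are cyclic, as the keystream is
# periodic.

def bit_counts(seq):
    """(zeros, ones) in the period: G1 wants them equal, or differing by 1 for odd n."""
    ones = sum(seq)
    return len(seq) - ones, ones


def runs(seq):
    """Runs of the period read left to right, as (bit, length); 0-runs are gaps, 1-runs blocks."""
    out = []
    for b in seq:
        if out and out[-1][0] == b:
            out[-1] = (b, out[-1][1] + 1)
        else:
            out.append((b, 1))
    return out


def run_length_table(seq):
    """length -> number of runs of that length.  G2 wants half the runs of
    length 1, a quarter of length 2, ..., with equally many gaps and blocks."""
    table = {}
    for _, length in runs(seq):
        table[length] = table.get(length, 0) + 1
    return table


def autocorrelation(seq):
    """A(i) = #{ j : 1 <= j <= n, z_j = z_{i+j} } for i = 1, ..., n-1 (G3 wants all equal)."""
    n = len(seq)
    return {i: sum(seq[j] == seq[(j + i) % n] for j in range(n)) for i in range(1, n)}


CLASS_PERIOD = [int(ch) for ch in "01101101111110010100110110"]   # one period, Question 4
EXAMPLE_PERIOD = [0, 0, 0, 1, 1, 0, 1, 1]                          # Example 1, Section 4.3

if __name__ == "__main__":
    for name, seq in [("class sequence", CLASS_PERIOD), ("00011011", EXAMPLE_PERIOD)]:
        print(name, "G1:", bit_counts(seq), "G2:", run_length_table(seq))
        print("   G3:", autocorrelation(seq))
```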