A Method for Generating Full Cycles by a Composition of NLFSRs
Elena Dubrova
Royal Institute of Technology – KTH
Stockholm, Sweden
Outline
• Problem addressed
• Motivation
• Contribution of the paper
• Construction method
• Conclusion and future work
p. 2 - WCC’2013 - April 15, 2013
Problem addressed
• How to efficiently generate n-variate mappings of type {0,1}^n → {0,1}^n whose state transition graphs have single cycles of the maximum possible length 2^n?
[Figure: the mapping (x1, x2, …, xn) → (f1(x1,x2,…,xn), f2(x1,x2,…,xn), …, fn(x1,x2,…,xn)), and a 2-bit example whose four states 00, 01, 11, 10 form a single cycle]
Motivation
• Single-cycle mappings are frequently used primitives in cryptography
• For stream ciphers, the single-cycle property is important because then the sequence of generated states cannot be trapped in a short cycle
Implementation by FSRs
• Feedback shift registers can be used to efficiently implement n-variate mappings {0,1}^n → {0,1}^n of type:
(x1, x2, …, xn) → (x2, x3, …, xn, f(x1, x2, …, xn))
Feedback Shift Registers
• Linear Feedback Shift Register (LFSR)
[Figure: 5-stage LFSR, stages 5 4 3 2 1, with linear feedback]
– n binary storage elements
– linear feedback function
– has a cycle of length 2^n - 1 iff its characteristic polynomial is primitive
• Non-Linear Feedback Shift Register (NLFSR)
[Figure: 5-stage NLFSR, stages 5 4 3 2 1, with non-linear feedback]
NLFSRs
• An NLFSR is invertible iff its feedback function is of type (“⊕” is addition mod 2)
f(x1, x2, …, xn) = x1 ⊕ g(x2, x3, …, xn)
• Conditions for single-cycle NLFSRs are not known
• There are 2^(2^(n-1) - n) single-cycle n-bit NLFSRs
• Existing algorithms for constructing single-cycle NLFSRs are applicable to n < 32
Fredricksen, H. (1982) “A Survey of Full-Length Nonlinear Shift Register Cycle Algorithms”, SIAM Review, 24(2), 195-221
Dubrova, E. (2012) “List of Maximum-Period NLFSRs”, Cryptology ePrint Archive, 2012/166
Combining smaller NLFSRs
• If we place in parallel k NLFSRs with largest cycles of length L1, L2, …, Lk, we get a mapping with the largest cycle of length LCM(L1, L2, …, Lk)
[Figure: NLFSR1 with feedback f1, NLFSR2 with feedback f2, …, NLFSRk with feedback fk, placed in parallel; n1 + n2 + … + nk state bits]
Example:
n1 = 3, L1 = 7
n2 = 4, L2 = 15
n3 = 5, L3 = 31
7 × 15 × 31 = 3255
2^(3+4+5) = 4096
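As an added illustration of the three preceding slides (feedback shift registers, invertible NLFSRs and parallel composition), the following Python script is example code written for this page, not code from the slides or the paper. It simulates an FSR as the mapping (x1, …, xn) → (x2, …, xn, f(x1, …, xn)), tests whether that mapping is a permutation, computes the cycle structure of the state transition graph, evaluates the 2^(2^(n-1) - n) count of single-cycle NLFSRs and the LCM period of registers run in parallel. The LFSR polynomial x^5 + x^2 + 1 and the 4-stage feedback x1 ⊕ x2 ⊕ x3 ⊕ x3·x4 are choices made for this example (the latter because its 15 nonzero states form a single cycle), not registers taken from the paper.

```python
from collections import Counter
from functools import reduce
from math import lcm

# Added example, not code from the slides or the paper: a small feedback shift
# register (FSR) simulator.  A state is the tuple (x1, ..., xn); one clock tick
# computes (x1, x2, ..., xn) -> (x2, ..., xn, f(x1, ..., xn)) as on the
# "Implementation by FSRs" slide.

def fsr_next(state, f):
    """One clock tick of an n-stage FSR with feedback function f."""
    return state[1:] + (f(*state),)

def all_states(n):
    """Every n-bit state as a tuple (x1, ..., xn), x1 the most significant bit."""
    return [tuple((v >> (n - 1 - i)) & 1 for i in range(n)) for v in range(1 << n)]

def is_invertible(n, f):
    """True iff the state mapping is a permutation (every state has exactly one
    predecessor); for an FSR this is the case iff f(x) = x1 XOR g(x2, ..., xn)."""
    return len({fsr_next(s, f) for s in all_states(n)}) == 1 << n

def cycle_structure(n, f):
    """Counter {cycle length: number of cycles} of an invertible FSR's state graph."""
    assert is_invertible(n, f), "state transition graph is not a permutation"
    seen, lengths = set(), Counter()
    for start in all_states(n):
        if start in seen:
            continue
        length, s = 0, start
        while s not in seen:          # a permutation: the walk returns to start
            seen.add(s)
            s = fsr_next(s, f)
            length += 1
        lengths[length] += 1
    return lengths

def de_bruijn_count(n):
    """Number of single-cycle (period 2^n) n-bit NLFSRs: 2^(2^(n-1) - n)."""
    return 1 << ((1 << (n - 1)) - n)

def parallel_period(cycle_lengths):
    """Largest cycle of k registers clocked in parallel, given each register's
    largest cycle length: their least common multiple."""
    return reduce(lcm, cycle_lengths, 1)

# LFSR with characteristic polynomial x^5 + x^2 + 1 (primitive): s[t+5] = s[t+2] + s[t],
# i.e. f = x1 XOR x3.  Expected cycle structure: one 31-cycle plus the fixed point 0.
lfsr5 = lambda x1, x2, x3, x4, x5: x1 ^ x3
# A 4-stage NLFSR of the invertible form x1 XOR g(x2, x3, x4), constructed for this
# example: its 15 nonzero states form one cycle and 0 is a fixed point.
nlfsr4 = lambda x1, x2, x3, x4: x1 ^ x2 ^ x3 ^ (x3 & x4)
# Not of the invertible form (independent of x1): pairs of states share a successor.
noninv4 = lambda x1, x2, x3, x4: x2 & x3

if __name__ == "__main__":
    print(cycle_structure(5, lfsr5))     # Counter({31: 1, 1: 1})
    print(cycle_structure(4, nlfsr4))    # Counter({15: 1, 1: 1})
    print(is_invertible(4, noninv4))     # False
    print(de_bruijn_count(4))            # 16 single-cycle 4-bit NLFSRs
    # the "Combining smaller NLFSRs" example: periods 7, 15, 31 in parallel
    print(parallel_period([7, 15, 31]), "of", 1 << (3 + 4 + 5))   # 3255 of 4096
```

Exhaustive enumeration of 2^n states is of course only feasible for small n; the script is meant to make the slides' statements checkable, not to construct large registers.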
Contribution of the paper
• A method for generating single-cycle mappings of type {0,1}^(n×k) → {0,1}^(n×k) using k NLFSRs of equal size n
[Figure: NLFSR1, NLFSR2, …, NLFSRk with feedback functions f1, f2, …, fk, each feedback combined (+) with the output of a shared block of extra logic; n × k state bits]
Construction method
• We used NLFSRs with two types of cycles
– a cycle of length 2^n - 1 containing all non-0 states
– a cycle of length 1 containing the 0 state
• If we place k such NLFSRs in parallel, we get a mapping with the following cycle structure:
– Σ_{i=0}^{k-1} 2^(n·i) cycles of length 2^n - 1
– one cycle of length 1 (0 state)
• We will join these cycles into one by applying cycle-joining transformations
Cycle-joining transformations
• In an NLFSR, any state has two possible successors and two possible predecessors
[Figure: the two states A and B that share the same n-1 bits S and differ in the input bit (0 S and 1 S), and their successors A+ and B+, which are the two states S 0 and S 1 differing in the output bit]
• If A and B are contained in different cycles, by exchanging their successors we can join two cycles into one
Joining cycles by exchanging successors
[Figure: two cycles, one passing through A → A+ and the other through B → B+; after the successors are exchanged (A → B+, B → A+) the two cycles form one cycle]
Splitting a cycle
• If A and B are contained in the same cycle, by exchanging their successors we split the cycle into two
[Figure: one cycle passing through A → A+ and B → B+; after the successors are exchanged (A → B+, B → A+) it splits into two cycles]
Our case
• In our case, any state can have 2^k possible successors and 2^k possible predecessors
• We apply cycle-joining to the states of type:
A = (S1 c1, S2 c2, …, Sk ck)
B = (S1 c'1, S2 c'2, …, Sk c'k)
where c' is the Boolean complement of c
• If A and B are in different cycles, by exchanging their successors we join two cycles into one
How to exchange successors
• Successors can be exchanged by adding to the feedback function of every NLFSR minterms corresponding to the states A and B
– For example, 1010 corresponds to minterm x4 x3' x2 x1'
– If feedback function f evaluates to 0 for the assignment 1010, then function f ⊕ x4 x3' x2 x1' evaluates to 1 for 1010
• The challenge is to join an exponential number of cycles using additional logic of linear size
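The following Python script is an added example covering the "Construction method", "Cycle-joining transformations", "Our case" and "How to exchange successors" slides; it is not the paper's construction and not code from the slides. It runs k = 2 copies of one 4-stage NLFSR in parallel (a feedback constructed for this example, x1 ⊕ x2 ⊕ x3 ⊕ x3·x4, whose nonzero states form a single 15-cycle), shows the cycle structure of Σ 2^(n·i) cycles of length 2^n - 1 plus the 0 state, checks the next slide's claim about minimal states by brute force, and joins all cycles into one by exchanging successors. The joining loop is a generic greedy one: it exchanges the successors of any two conjugate states (same x2..xn in every register, the 2^k possible predecessors of the "Our case" slide) that lie on different cycles, trying the fully complemented pair from the slides first, and recomputes the cycles after every exchange. It therefore reaches a single cycle of length 2^(n·k) for small n and k, but it does not reproduce the O(nk) and O(nk^2) logic bounds the paper obtains with dedicated minimal states and the "flower" step. The bit layout, the decimal representation used for "minimal state", and every function name are assumptions of this example.

```python
from collections import Counter

# Added example, not code from the slides or the paper: k copies of one n-stage NLFSR in
# parallel, the composition's cycle structure, and cycle joining by exchanging successors.
# Assumed layout: an n*k-bit integer, register 0 in the most significant block, and inside
# a block x1 (the bit shifted out next) as the most significant bit.  Feedback values live
# in a table, so "adding minterms to the feedback functions" becomes editing table entries.

N, K = 4, 2   # assumed sizes: two 4-stage registers, 2^(4*2) = 256 composed states

def nlfsr4_feedback(x1, x2, x3, x4):
    # constructed for this example: the nonzero states form one 15-cycle, 0 is fixed
    return x1 ^ x2 ^ x3 ^ (x3 & x4)

def register(state, i, n, k):
    """Contents of register i (n bits) inside the composed state."""
    return (state >> (n * (k - 1 - i))) & ((1 << n) - 1)

def x1_mask(n, k):
    """Mask selecting the x1 bit of every register."""
    return sum(1 << (n * j + n - 1) for j in range(k))

def feedback_table(n, k, f):
    """For every composed state, the k feedback bits f_0..f_(k-1) packed MSB first."""
    table = []
    for state in range(1 << (n * k)):
        out = 0
        for i in range(k):
            reg = register(state, i, n, k)
            out = (out << 1) | f(*[(reg >> (n - 1 - j)) & 1 for j in range(n)])
        table.append(out)
    return table

def successor(state, n, k, table):
    """Shift every register by one stage and feed its feedback bit into the last stage."""
    nxt = 0
    for i in range(k):
        fb = (table[state] >> (k - 1 - i)) & 1
        nxt = (nxt << n) | (((register(state, i, n, k) << 1) & ((1 << n) - 1)) | fb)
    return nxt

def cycle_ids(n, k, table):
    """Label every composed state with the index of the cycle it lies on."""
    ids, c = [-1] * (1 << (n * k)), 0
    for start in range(len(ids)):
        if ids[start] == -1:
            s = start
            while ids[s] == -1:       # the map is a permutation: the walk returns to start
                ids[s] = c
                s = successor(s, n, k, table)
            c += 1
    return ids

def composed_cycle_structure(n, k, table):
    """Counter {cycle length: number of cycles}."""
    return Counter(Counter(cycle_ids(n, k, table)).values())

def conjugate_class(state, n, k):
    """The 2^k states agreeing with `state` in x2..xn of every register; their successors all look like (S1 *, ..., Sk *)."""
    base = state & ~x1_mask(n, k)
    return [base | sum(1 << (n * j + n - 1) for j in range(k) if (c >> j) & 1)
            for c in range(1 << k)]

def exchange_successors(a, b, table):
    """Slide 15 in table form: add the minterms of a and b to every f_i with f_i(a) != f_i(b);
    at a and b exactly those bits flip, so a and b swap successors."""
    d = table[a] ^ table[b]
    table[a] ^= d
    table[b] ^= d

def join_all_cycles(n, k, table):
    """Greedy joining: while several cycles remain, exchange the successors of two conjugate
    states on different cycles (fully complemented pair first); ends with one 2^(n*k)-cycle."""
    swaps = []
    while True:
        ids = cycle_ids(n, k, table)
        if max(ids) == 0:
            return swaps
        pair = next((a, b) for a in range(len(table))
                    for b in [a ^ x1_mask(n, k)] + conjugate_class(a, n, k)
                    if ids[a] != ids[b])
        exchange_successors(*pair, table)
        swaps.append(pair)

def decimal_value(state, n, k):
    """Assumed 'decimal representation': x1 is the least significant bit of each register."""
    return sum(int(format(register(state, i, n, k), f"0{n}b")[::-1], 2) << (n * (k - 1 - i))
               for i in range(k))

def minimal_state_rule_holds(n, k, table):
    """Slide 16 by brute force: on every cycle, the state A of minimal decimal value has its fully complemented partner B on another cycle."""
    ids, best = cycle_ids(n, k, table), {}
    for s, c in enumerate(ids):
        if c not in best or decimal_value(s, n, k) < decimal_value(best[c], n, k):
            best[c] = s
    return all(ids[a ^ x1_mask(n, k)] != ids[a] for a in best.values())

if __name__ == "__main__":
    t = feedback_table(N, K, nlfsr4_feedback)
    print(composed_cycle_structure(N, K, t))   # Counter({15: 17, 1: 1}), 17 = 2^0 + 2^4
    print(minimal_state_rule_holds(N, K, t))   # True
    print(len(join_all_cycles(N, K, t)), composed_cycle_structure(N, K, t))  # 17 Counter({256: 1})
```

With k = 1 the same functions reproduce the two single-register slides: exchanging the successors of the conjugate pair 0000 and 1000 joins the 0 state to the 15-cycle (one 16-cycle), and exchanging them again splits it back. Exchanging a successor pair is always an XOR of two minterms into the affected feedback bits, which is why the table edit in exchange_successors is its own inverse.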
Choosing dedicated states
• We chose as dedicated the states with the minimal decimal representation
• We proved that, for A = (S1 c1, S2 c2, …, Sk ck) and B = (S1 c'1, S2 c'2, …, Sk c'k):
– If A is a minimal state of a cycle, then B is contained in another cycle
– The set of minterms corresponding to minimal states A of all cycles and the corresponding states B can be described by an expression of size O(nk)
First joining step
• By exchanging successors of the minimal states of all cycles, we get one cycle of length 2^n and other cycles of length 2^n(2^n - 1)
#Gates to add: O(nk)
k(n+4) - n - 8 ANDs
2k + 1 ORs
k XORs
Example: n = 32, k = 4
Total #gates = 117
Joining the resulting cycles into one
• Before computing the next state, the minimal state of each “flower” is transformed to the minimal state of the next “flower”, etc., and finally the cycle of length 2^n is appended
#Gates to add: O(nk^2) + one time step
< 2nk ANDs, < nk^2 ORs, < 2nk XORs
Conclusion
• We presented a method for generating single-cycle mappings of type {0,1}^(n×k) → {0,1}^(n×k) using k NLFSRs of equal size n
• A logic block of size O(nk^2) and an extra time step are required
• Future work involves security analysis of the presented method