Linearization of Stream Ciphers in Terms of Cellular Automata. Amparo Fúster-Sabater Institute of Applied Physics (CSIC) Madrid (Spain) amparo@iec.csic.es. A. Fúster-Sabater Gjøvik University College June 2006.
Linearization of Stream Ciphers in Terms of Cellular Automata
• Amparo Fúster-Sabater
• Institute of Applied Physics (CSIC)
• Madrid (Spain)
• amparo@iec.csic.es

Overview
• Introduction
• Basic structures
• LFSR-Based Keystream Generators
• Cellular Automata (CA)
• Linear model of a class of Keystream Generators
• Contributions to Cryptanalysis
• Conclusions

“Linearity is the curse of the cryptographer” - James L. Massey - Crypto’89

Stream Cipher Procedure
• sender
  001…10 010…11 110…01 ….. (plain text)
  011…01 000…10 010…11 ….. (keystream seq.)
  010…11 010…01 100…10 ….. (ciphered text)
• receiver
  010…11 010…01 100…10 ….. (ciphered text)
  011…01 000…10 010…11 ….. (keystream seq.)
  001…10 010…11 010…11 ….. (plain text)
• Stream cipher: design of keystream sequence generators with pseudorandomness characteristics

Linear Feedback Shift Register (LFSR)
[Figure: LFSR with cell contents 1 0 0 0]
• LFSR parameters:
  • Length L
  • Characteristic polynomial
• How they work:
  • Shifting of the binary content
  • Feedback bit entrance
• Generated sequence: 1 0 0 0 1 1 1 1 ……

Linear Feedback Shift Registers
• LFSRs generate PN-sequences:
  • Long period
  • Good statistics
  • Low linear complexity
• Cryptographic applications: non-linear combinations of LFSRs
  • Non-linear filters
  • Non-linear combining generators
  • Clock-controlled generators

Cellular Automata (CA)
• One-dimensional CA: register of n cells updated according to a function of k variables (rule)
• Cell $x_i^{t+1}$ depends on k = 2r+1 neighbour cells: $x_i^{t+1} = (x_{i-r}^t, \ldots, x_i^t, \ldots, x_{i+r}^t)$
• Linear CA: is a linear function

Classification of CA
• Uniform or regular CA: all the cells follow the same rule
• Hybrid CA: different cells follow different rules
• Null boundary conditions: cells adjacent to the extreme cells are assumed to hold a permanent null content
• Periodic boundary conditions: the extreme cells are assumed to be adjacent

Linear Cellular Automata
• k = 3
• Rule 90: $x_i^{t+1} = x_{i-1}^t \oplus x_{i+1}^t$
  111 110 101 100 011 010 001 000
   0   1   0   1   1   0   1   0
  01011010 (binary) = 90 (decimal)
• Rule 150: $x_i^{t+1} = x_{i-1}^t \oplus x_i^t \oplus x_{i+1}^t$
  111 110 101 100 011 010 001 000
   1   0   0   1   0   1   1   0
  10010110 (binary) = 150 (decimal)

Cellular Automata (rules 90 & 150)
[Figure: cell contents of a CA with rules 150 90 150 150 90 150, L = 6 cells]
• 2^L states grouped in state cycles
• Number of different sequences, T, LC

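The rule tables and the grouping of the 2^L states into cycles can be checked by direct simulation. This is an added example, not code from the slides: it uses the rule string printed on the slide (150 90 150 150 90 150) with null boundary conditions, and the function names are assumptions.

```python
def rule_number(f):
    """Wolfram number: outputs for neighbourhoods 111, 110, ..., 000 read as binary."""
    bits = [f(l, c, r) for l in (1, 0) for c in (1, 0) for r in (1, 0)]
    return int("".join(str(b) for b in bits), 2)

def rule_90(left, centre, right):
    return left ^ right

def rule_150(left, centre, right):
    return left ^ centre ^ right

RULES = {90: rule_90, 150: rule_150}

def step(state, rules):
    """One update of a hybrid CA with null boundary conditions."""
    padded = (0,) + tuple(state) + (0,)      # permanent null neighbours
    return tuple(RULES[r](padded[i], padded[i + 1], padded[i + 2])
                 for i, r in enumerate(rules))

def cycle_lengths(rules):
    """Sorted lengths of the state cycles over all 2^L states.
    Assumes the update is invertible, so every state lies on a cycle."""
    n, seen, lengths = len(rules), set(), []
    for v in range(2 ** n):
        start = tuple((v >> k) & 1 for k in range(n))
        if start in seen:
            continue
        cur, length = start, 0
        while cur not in seen:
            seen.add(cur)
            cur = step(cur, rules)
            length += 1
        lengths.append(length)
    return sorted(lengths)

SLIDE_RULES = (150, 90, 150, 150, 90, 150)   # rule string printed on the slide

if __name__ == "__main__":
    print(rule_number(rule_90), rule_number(rule_150))
    print(cycle_lengths(SLIDE_RULES))
```
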
References
• S. Wolfram, Cellular Automata as Models of Complexity, Nature, Vol. 311, pp. 419, 1984.
• S. Wolfram, Random Sequence Generation by Cellular Automata, Adv. Appl. Math., Vol. 7, pp. 127 – 169, 1986.
• S. Zhang et al., Quantitative Analysis for Cellular Automata and LFSR as BIST Generators, J. Electro. Testing, 7 (3), 1995.
• M. Serra et al., Analysis of One-dimensional CA and their Aliasing Properties, IEEE Trans. Comp. Aided Design, 9 (2), 1990.
• A.K. Das et al., Efficient Characterization of Cellular Automata, IEE Proc. Part E. 1, pp. 81 – 87, 1990.
• S. J. Cho et al., Computing Phase Shifts of 90/150 CA Sequences, Proc. ACRI 2004, LNCS, 3305, pp. 31 – 39, 2004.
• A. Fúster et al., Concatenated Automata in Stream Ciphers, to appear in Proc. ACRI 2006, LNCS, 2006.

LFSRs v CA
[Figure labels: 150 90 90; Characteristic polynomial]
• Simple implementation
• Pattern generators: circuit testing
• Interchangeable structures

More References
• CA Characteristic Polynomial
  • S. Zhang et al., Quantitative Analysis for Linear Hybrid Cellular Automata and LFSR as Built-In Self-Test Generators for Sequential Faults, J. of Electronic Testing: Theory and Applications, 7 (1995), 209 – 221.
• Characteristic Polynomial CA
  • K. Cattell and J.C. Muzio, The Synthesis of One-Dimensional Linear Hybrid Cellular Automata, IEEE Trans. on Computer-Aided Design, 15 (1996), 325 – 335.

A Class of LFSR-Based Generators: Clock-Controlled Shrinking Generators
• A wide class of binary sequence generators
• Made up of two LFSRs: R1 and R2
  • R1 (selector register) is clocked normally
  • R2 (generating register) is clocked irregularly
• According to a rule P, the bits of register R1 control the clock of register R2
• This construction allows users to generate a large family of different sequences using the same registers and initial states but changing the rule P

The Shrinking Generator (Crypto’93)
• Very simple binary sequence generator
• Made up of two LFSRs: R1 and R2
• According to a rule P, register R1 (selector register) decimates the sequence produced by register R2
[Figure labels: ai, R1, cj, clock, P, bi, R2]

The Shrinking Generator
• {ai} binary sequence generated by R1
• {bi} binary sequence generated by R2
• {cj} output sequence of the SG: “the shrunken sequence”
• Decimation rule P:
  • If ai = 1, then cj = bi
  • If ai = 0, then bi is discarded

The Shrinking Generator: Example
LFSRs:
• R1 :
• R2 :
Decimation rule P:
• {ai} = 1 0 0 1 1 1 0 1 0 0 1 1 1 0 1 0 …
• {bi} = 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 …
• {cj} = 1 0 1 0 1 1 0 1 1 …
The underlined bits 1 and 0 are discarded

Cryptographic characteristics of the shrunken sequence
• Period:
• Linear Complexity:
• Number of 1’s: quasi-balanced sequence

Clock-Controlled Shrinking Generators
[Figure labels: P, Xt, ai, R1, cj, binary cell contents, clock, bi’, bi, R2]
• Remark: double decimation
• A. Kanso, Clock-Controlled Shrinking Generators. Proc. ACISP’03, LNCS 2727, 2003

CCSG: An Example
For the same LFSRs as before and
Decimation rule X: (if Xt = 1 => the shrinking generator)
• {bi} = 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 0 0 0 1 0 0 1 …
• {X} = 2 1 1 2 2 2 1 2 1 1 2 2 2 1 2 1 1 2 2 …
• {bi’} = 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 1 …
Decimation rule P:
• {ai} = 1 0 0 1 1 1 0 1 0 0 1 1 1 0 1 0 …
• {bi’} = 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 …
• {cj} = 1 1 0 1 0 1 0 1 1 …

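The two worked examples above (the shrinking generator and the CCSG with its double decimation) can be reproduced bit for bit. This is an added example, not code from the slides: the LFSR recurrences are an assumption fitted to the {ai} and {bi} bits printed on the slides (the slides' own polynomials did not survive), {X} is copied as printed, and all function names are hypothetical.

```python
from itertools import islice

def lfsr(taps, state):
    """Yield s_0, s_1, ... where s_{n+L} is the XOR of s_{n+t} for t in taps."""
    state = list(state)
    while True:
        yield state[0]
        feedback = 0
        for t in taps:
            feedback ^= state[t]
        state = state[1:] + [feedback]

def shrink(a, b):
    """Decimation rule P: c_j = b_i when a_i = 1; b_i is discarded when a_i = 0."""
    return [bi for ai, bi in zip(a, b) if ai == 1]

def clock_control(b_stream, x):
    """First decimation of the CCSG: output b_0, then clock R2 X_t times
    before each following output, so X_t = 2 skips one bit of {b_i}."""
    out = [next(b_stream)]
    for xt in x:
        for _ in range(xt - 1):
            next(b_stream)
        out.append(next(b_stream))
    return out

# Recurrences fitted to the bits printed on the slides (assumption, see lead-in).
def r1():
    return lfsr(taps=(0, 2), state=(1, 0, 0))       # a_{n+3} = a_n + a_{n+2}

def r2():
    return lfsr(taps=(0, 1), state=(1, 0, 0, 0))    # b_{n+4} = b_n + b_{n+1}

X = [2, 1, 1, 2, 2, 2, 1, 2, 1, 1, 2, 2, 2, 1, 2, 1, 1, 2, 2]  # {X} as printed

def sg_example(n=16):
    """Returns ({a_i}, {b_i}, {c_j}) for the shrinking generator example."""
    a, b = list(islice(r1(), n)), list(islice(r2(), n))
    return a, b, shrink(a, b)

def ccsg_example(n=16):
    """Returns ({b_i'}, {c_j}) for the CCSG example (double decimation)."""
    a = list(islice(r1(), n))
    b_prime = clock_control(r2(), X)
    return b_prime, shrink(a, b_prime)

if __name__ == "__main__":
    print(sg_example()[2])
    print(ccsg_example()[1])
```
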
CCSG in terms of CA
• Given: a Clock-Controlled Shrinking Generator characterized by its LFSRs
• expressing it in terms of: Null Hybrid Linear Cellular Automata with rules 90 and 150

Fact 1:
• The characteristic polynomial of the shrunken sequence is of the form:
• P(x) is an L2-degree primitive polynomial
• N satisfies

Fact 2:
[Figure labels: R1, P, R2]
P(x) depends exclusively on:
• The characteristic polynomial P2(x) of the register R2
• The length L1 of the register R1
• Different SG will have the same characteristic polynomial.

Algorithm of Linearization
• Input: a Shrinking Generator (given L1, L2, P2(x))
• Output: two linear CA corresponding to the given SG

Step 1: Computation of P(x)
• P(x) is obtained from L1 and P2(x)
• P(x) is the characteristic polynomial of the cyclotomic Coset E being a primitive root in

Step 2: Computation of the CA corresponding to P(x)
• Apply to P(x) the “Cattell and Muzio synthesis algorithm” to determine the two linear hybrid CA of length L2 whose characteristic polynomials are P(x)
• Codify both CA according to: rule 90 = 0 and rule 150 = 1

Step 3: Computation of the CA corresponding to the given SG
For each obtained CA:
1. Complement its least significant bit S
2. Compute its mirror image S* and concatenate both strings
• Iterate 1. and 2. (L1-1) times

Algorithm (An Example)
• Shrinking Generator:
  • R1 (not needed)
  • R2
Step 1
• is the characteristic polynomial of Coset 7

Algorithm (An Example)
Step 2
• Determine two linear CA corresponding to via Cattell and Muzio algorithm
• Both CA are codified (0 = rule 90, 1 = rule 150):
  0 1 1 1 1
  1 1 1 1 0

Algorithm (Step 3)
• First automaton (L1-1 times):
  0 1 1 1 1
  0 1 1 1 0 0 1 1 1 0
  0 1 1 1 0 0 1 1 1 1 1 1 1 1 0 0 1 1 1 0
• Second automaton (L1-1 times):
  1 1 1 1 0
  1 1 1 1 1 1 1 1 1 1
  1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1

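Step 3 is mechanical enough to run on the two automata of the example, and its effect on the characteristic polynomial can be checked at the same time. This is an added example, not code from the slides: the polynomial is computed with the standard three-term determinant recurrence for the tridiagonal transition matrix of a null-boundary 90/150 CA, which the slides do not state, and polynomials over GF(2) are held as integer bitmasks (bit k = coefficient of x^k). Function names are assumptions.

```python
def char_poly(rules):
    """Characteristic polynomial of a null-boundary 90/150 CA over GF(2).
    rules: string of '0' (rule 90) and '1' (rule 150)."""
    prev, cur = 0, 1                      # Delta_{-1} = 0, Delta_0 = 1
    for d in rules:
        # Delta_k = (x + d_k) * Delta_{k-1} + Delta_{k-2}
        prev, cur = cur, (cur << 1) ^ (cur if d == "1" else 0) ^ prev
    return cur

def extend(rules, l1):
    """Step 3: complement the last rule, append the mirror image; L1-1 times."""
    for _ in range(l1 - 1):
        s = rules[:-1] + ("1" if rules[-1] == "0" else "0")
        rules = s + s[::-1]
    return rules

def gf2_square(p):
    """Square of a GF(2) polynomial: every exponent is doubled."""
    out, k = 0, 0
    while p:
        if p & 1:
            out |= 1 << (2 * k)
        p >>= 1
        k += 1
    return out

def poly_str(p):
    """Readable form of a bitmask polynomial, highest degree first."""
    terms = [("1" if k == 0 else "x" if k == 1 else f"x^{k}")
             for k in range(p.bit_length() - 1, -1, -1) if (p >> k) & 1]
    return " + ".join(terms)

CA_1, CA_2 = "01111", "11110"   # the two automata codified in Step 2
L1 = 3                          # two iterations, as in the slide's example

if __name__ == "__main__":
    for ca in (CA_1, CA_2):
        big = extend(ca, L1)
        print(ca, "->", big)
        print("  P(x)      =", poly_str(char_poly(ca)))
        print("  extended  =", poly_str(char_poly(big)))
```

Each iteration squares the characteristic polynomial, so after L1-1 = 2 iterations the 20-cell automaton has the fourth power of the 5-cell automaton's polynomial.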
Linearization Algorithm for CCSGs
• CCSG: given
  • R1 (not needed)
  • R2
  • Xt
• In Step 1, is the characteristic polynomial of Coset E
• The other steps of the algorithm are as before
• CCSGs can be expressed in terms of linear CA too

CA: Applications
• {cj} = {0 1 0 1 1 0 1 0 0 ...}
• From n intercepted bits:
  • n-1 bits (2nd column)
  • n-2 bits (3rd column)
  • ……
  • 1 bit (nth column)

Reconstruction of the shrunken sequence
• From n intercepted bits of the shrunken sequence
• IDEA: use these bits to determine portions of the shrunken sequence

Symmetry for CA:
CA 1000110001

Other sequences generated by CA
• Different shrinking generators
  • The same R2
  • Different R1 with length L1
• LFSR-based generators
  • Different rules of decimation
  • Clock-controlled shrinking generators

Other Sequence Generators: The Alternating Generator
• Introduced by C. Gunther (Eurocrypt’87)
[Figure labels: clock, R1, R2, R3, 1, 0]
Addition of two different CA

Other Sequence Generators: The Gollmann Generator
• Introduced by D. Gollmann (IEE Proc. 1988)
[Figure labels: 1, R1, R2, R3, clock]
Addition of two (or more) CA

Conclusions
[Figure labels: LFSR-based structures; Cellular Automata]
• Classes of CC Generators are a Subset of Linear Cellular Automata
• Linear Models describe the behavior of the CC Sequence Generators

Conclusions
• Very simple algorithm to convert different classes of CC generators into a linear CA-based model
• A wide class of non-linear binary generators can be expressed as linear models (by concatenation)
• A wide class of different binary generators are included in the same cellular automata
• The algorithm can be applied to CC generators in a range of cryptographic interest

For the Future
• Apply the same technique of linearization to other nonlinear LFSR-based keystream generators