Design of new pseudorandom generators based on a filtered FCSR automaton
Abstract
Feedback with Carry Shift Registers (FCSR) were introduced by M. Goresky and A. Klapper in 1993. They are very similar to the classical Linear Feedback Shift Registers (LFSR) used in many pseudorandom generators. The main difference is the fact that the elementary additions are not additions modulo 2 but additions with propagation of carries. In this paper we propose a new generator designed from an FCSR automaton with known prime divisor. The FCSR structure is hidden by a filter on the cells of the FCSR automaton. Since this automaton has good non-linear properties, the filter is simply a linear function, i.e. a XOR on some cells. We present two versions of our generator: the first one uses a static filter, the second one a dynamic filter produced by the key and the S-boxes of Rijndael.

Linear Feedback Shift Registers (LFSR) are the most widely used tool for designing fast pseudorandom generators. Their properties are well known, among them the fact that the structure of a plain LFSR can be easily recovered from its output by the Berlekamp-Massey algorithm. Many methods have been used to thwart the Berlekamp-Massey attack, because the high speed and simplicity of LFSRs are important benefits. Feedback with Carry Shift Registers (FCSR) were introduced by M. Goresky and A. Klapper in [7]. They are very similar to the classical Linear Feedback Shift Registers (LFSR) used in many pseudorandom generators. The main difference is the fact that the elementary additions are not additions modulo 2 but additions with propagation of carries. The mathematical models for LFSRs are, equivalently, linear recurring sequences over $GF(2)$ or rational series in the set $GF(2)[[x]]$. For FCSRs, the "good" model is the one of rational 2-adic numbers (cf. [9, 10]). As in the LFSR case, it is possible to recover the structure of a sequence generated by an FCSR (cf. [8, 4]). To avoid this problem, we propose to use a filter on the cells of the FCSR automaton.
Since this automaton has good non-linear properties, the filter is simply a linear function, i.e. a XOR on some cells. The first section of this paper is devoted to the background about the link between eventually periodic binary sequences and 2-adic numbers. We recall the notion of 2-adic complexity and the generation of such sequences using shift registers and the Galois architecture [10, 3]. The second section contains an extensive study of the FCSR automaton in its Galois version. The design and analysis of the new generator with a fixed filter is presented in the third section. Finally, in the fourth section, we explain that it is easy to replace the static filter by a dynamic filter using for example the S-boxes of Rijndael.

∗ LACO, Université de Limoges, 123 avenue A. Thomas, 87060 Limoges CEDEX, France. Email: [email protected] [email protected]

1 The 2-adic FCSR architectures for eventually periodic binary sequences

1.1 Representation of eventually periodic binary sequences with 2-adic numbers

First, we briefly recall some basic properties of 2-adic numbers. For a more theoretical approach the reader can refer to [11]. A 2-adic integer is formally a power series $s = \sum_{n=0}^{\infty} s_n 2^n$, $s_n \in \{0, 1\}$. Clearly, such a series does not always converge in the classical sense; however, it can be considered as a formal object. Actually, this series always converges if we consider the 2-adic topology. The set of 2-adic integers is denoted by $\mathbb{Z}_2$. Addition and multiplication in $\mathbb{Z}_2$ can be performed by reporting the carries to the higher-order term, i.e. $2^n + 2^n = 2^{n+1}$ for all $n \in \mathbb{N}$. If there exists an integer $N$ such that $s_n = 0$ for all $n \ge N$, then $s$ is a positive integer. An important remark is the fact that $-1 = \sum_{n=0}^{\infty} 2^n$, which is easy to verify by computing $1 + \sum_{n=0}^{\infty} 2^n = 0$. This fact allows us to compute the negative of a 2-adic integer very easily: if $s = 2^n + \sum_{i=n+1}^{\infty} s_i 2^i$, then $-s = 2^n + \sum_{i=n+1}^{\infty} (1 - s_i) 2^i$. In particular, this implies that $s$ is a negative integer if and only if there exists an integer $N$ such that $s_n = 1$ for all $n \ge N$. Moreover, every odd integer $q$ has an inverse in $\mathbb{Z}_2$, which can be computed by the formula $q^{-1} = \sum_{n=0}^{\infty} q'^n$, where $q = 1 - q'$.

The following theorem gives a complete characterization of eventually periodic binary sequences in terms of 2-adic integers (see [10] for the proof).

Theorem 1 Let $S = (s_n)_{n \in \mathbb{N}}$ be a binary sequence and $s = \sum_{n=0}^{\infty} s_n 2^n$ be the associated 2-adic integer. The sequence $S$ is eventually periodic if and only if there exist two numbers $p$ and $q$ in $\mathbb{Z}$, $q$ odd, such that $s = p/q$. Moreover, $S$ is strictly periodic if and only if $pq \le 0$ and $|p| \le |q|$.

An important fact is that the period of the rational number $p/q$ has been known since Gauss (cf. [10]):

Theorem 2 Let $S$ be an eventually periodic binary sequence, and let $s = p/q$, with $q$ odd and $p$ and $q$ coprime, be the corresponding 2-adic number in its rational representation. The period of $S$ is the order of 2 modulo $q$, i.e. the smallest integer $t$ such that $2^t \equiv 1 \pmod{q}$.

1.2 Realization of eventually periodic binary sequences with FCSR circuits

In the sequel, we identify the sequence $S = (s_n)_{n \in \mathbb{N}}$ with the 2-adic integer $s = \sum_{i=0}^{\infty} s_i 2^i$. The 2-adic division $p/q$ can be easily performed by a Galois architecture using Feedback with Carry Shift Registers (FCSR circuits). For simplification, we only consider $p \ge 0$ and odd $q = 1 - q' < 0$. If $pq > 0$, it is easy to compute $-p/q$ and then to obtain $p/q$ by the formula $-s = 2^n + \sum_{i=n+1}^{\infty} (1 - s_i) 2^i$.
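As an added worked example (not code from the paper), the following Python carries out the 2-adic arithmetic of Section 1.1 and the division of Section 1.2 directly on integers: the expansion of $p/q$ by 2-adic long division, the negation rule derived from $-1 = \sum 2^n$, the series inverse $q^{-1} = \sum q'^n$ of an odd $q$ truncated modulo $2^N$, the strict-periodicity condition of Theorem 1, and the period of $p/q$ compared with the order of 2 modulo $|q|$ (Theorem 2). All function names are my own, and the sample values ($1/3$, $-1/3$ and $q = -347$, the divisor of Example 1 in Section 2) are chosen here only for illustration.

```python
"""
2-adic arithmetic behind Theorems 1 and 2 (added example, not the paper's code):
expansion of p/q, the negation rule, the series inverse of an odd q, and the
period of a strictly periodic p/q.
"""
from math import gcd


def two_adic_expansion(p, q, n):
    """First n bits (s_0, ..., s_{n-1}) of the 2-adic expansion of p/q, q odd.

    Write s = s_0 + 2 s'.  Since q is odd, s_0 = p mod 2, and q s' = (p - s_0 q)/2,
    so the numerator stays an integer: this is the 2-adic long division.
    """
    if q % 2 == 0:
        raise ValueError("q must be odd")
    bits = []
    for _ in range(n):
        s0 = p & 1                 # p mod 2; works for negative p in Python
        bits.append(s0)
        p = (p - s0 * q) // 2      # exact division: p - s0*q is even
    return bits


def bits_to_int(bits):
    """sum s_i 2^i for a finite list of bits (least significant first)."""
    return sum(b << i for i, b in enumerate(bits))


def int_to_bits(x, n):
    """The n low-order bits of a non-negative integer, least significant first."""
    return [(x >> i) & 1 for i in range(n)]


def negate_bits(bits):
    """-s from the bits of s: keep everything up to the first 1, flip the rest.

    This is -s = 2^n + sum_{i>n} (1 - s_i) 2^i with n the index of the lowest 1.
    Zero has no lowest 1 and is its own negative.
    """
    out = list(bits)
    if 1 in out:
        n = out.index(1)
        out[n + 1:] = [1 - b for b in out[n + 1:]]
    return out


def inverse_mod_2N(q, N):
    """q^{-1} mod 2^N for odd q, via q^{-1} = sum_{n>=0} q'^n with q' = 1 - q.

    q' is even, so q'^n vanishes mod 2^N once n >= N: the series is finite here.
    """
    qp = 1 - q
    mask = (1 << N) - 1
    total, power = 0, 1
    for _ in range(N):
        total = (total + power) & mask
        power = (power * qp) & mask
    return total


def is_strictly_periodic(p, q):
    """Theorem 1: p/q is strictly (not merely eventually) periodic iff pq <= 0 and |p| <= |q|."""
    return p * q <= 0 and abs(p) <= abs(q)


def order_of_two(modulus):
    """Smallest t >= 1 with 2^t = 1 (mod modulus), for an odd modulus > 1."""
    t, x = 1, 2 % modulus
    while x != 1:
        x = (2 * x) % modulus
        t += 1
    return t


def sequence_period(p, q):
    """Period of the strictly periodic sequence p/q with gcd(p, q) = 1, measured
    directly: iterate the division state until the numerator returns to p.
    Theorem 2 predicts the order of 2 modulo |q|."""
    if p == 0 or not is_strictly_periodic(p, q) or gcd(p, q) != 1:
        raise ValueError("need a strictly periodic p/q with gcd(p, q) = 1")
    state, t = (p - (p & 1) * q) // 2, 1
    while state != p:
        state = (state - (state & 1) * q) // 2
        t += 1
    return t
```

Running `sequence_period(1, -347)` and `order_of_two(347)` both give 346 = |q| − 1, which is the situation Section 1.3 assumes (2 is a primitive root modulo 347, since 347 ≡ 3 mod 8 makes 2 a quadratic non-residue); `two_adic_expansion(1, 3, 6)` shows the non-strictly-periodic case 1, 1, 0, 1, 0, 1 with a one-bit preperiod, exactly as Theorem 1 predicts for pq > 0.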
Under the hypotheses $q < 0 \le p$, $p < -q$, $p = \sum_{i=0}^{k-1} p_i 2^i$, $q = 1 - 2d$ and $d = \sum_{i=0}^{k-1} d_i 2^i$, the 2-adic division $p/q$ is performed by the following circuit:

[Figure: Galois FCSR circuit. The main register cells $p_{k-1}, p_{k-2}, \dots, p_1, p_0$ are chained from left to right; each cell whose feedback coefficient among $d_{k-1}, d_{k-2}, \dots, d_1, d_0$ is 1 is preceded by an adder with carry fed by the output bit.]

Here the adder symbol denotes addition with carry, i.e. it corresponds to the following scheme: with inputs $a$, $b$ and previous carry $c_{n-1}$, the sum bit and the new carry are

$s = a \oplus b \oplus c_{n-1}$, $\quad c_n = ab \oplus a c_{n-1} \oplus b c_{n-1}$.

Definition 1 The 2-adic complexity of a binary eventually periodic sequence $S$ is the length (i.e. the number of cells) of the smallest FCSR generating $S$.

Remark 1 Let $S$ be a binary sequence. If $S = p/q$ with $p$ and $q$ coprime integers, then the 2-adic (or FCSR) complexity $\Lambda_2$ of $S$ is the maximum of the bitlengths of $|p|$ and $|q|$ (cf. [10]).

As for LFSR generators, a binary sequence generated by an FCSR generator cannot be used directly for cryptographic applications, since it is easy to recover this structure with a kind of Berlekamp-Massey algorithm [8], or with the Euclidean algorithm applied to integers [4]:

Theorem 3 (Euclidean Algorithm Synthesis [4]) Let $S$ be an eventually periodic sequence with 2-adic complexity $\Lambda_2$. Then it is possible to compute integers $p, q$ such that the 2-adic expansion of $p/q$ is $S$, using only the first $2\Lambda_2 + 1$ bits of $S$ and in time $O(\Lambda_2)$.

1.3 Statistical quality of 2-adic binary sequences

We consider a binary periodic sequence $S$ generated by an FCSR with negative prime divisor $q$ such that the order of 2 modulo $q$ is exactly $T = |q| - 1$, i.e. the period of $S$ is $T$. The main heuristic is the fact that, except from the 2-adic point of view, this sequence can be considered as random among the family of periodic sequences of period $T$. Note that when LFSR generators are used in cryptographic tools, a similar hypothesis is implicitly assumed for LFSR sequences. Experimentally, the sequences generated by an FCSR generator indeed passed the NIST test suite (cf. [16]).

There exists another argument about the randomness of the FCSR sequences: in our practical application (cf. Part III) we consider a negative prime number $q$ such that $2^{128} < -q < 2^{129}$. Moreover, the period of the generated sequence is $|q| - 1$. Consider any sequence $(s_0, \dots, s_{127})$ of 128 bits. Let $s = \sum_{i=0}^{128} s_i 2^i$ be the corresponding integer. Set $p = sq \bmod 2^{128}$. Then the sequence $(s_0, \dots, s_{127})$ is the first 128 bits of the 2-adic expansion of $p/q$. In other words, since, except for $p = 0$, there is a single cycle, any sequence of 128 bits can be generated in a 2-adic sequence generated by our FCSR generator with a non-zero initialization.

2 The FCSR automaton

This section is devoted to an extensive study of an FCSR circuit considered as an automaton.

2.1 Description of the automaton

Let $q = 1 - 2d$ be a negative prime. The FCSR generator with feedback prime $q$ can be described as a circuit containing two registers:

• The main register $M$ with $k$ binary memories (one for each cell), where $k$ is the bitlength of $d$, that is $2^{k-1} \le d < 2^k$.

• The carry register $C$ with $\ell$ binary memories (one for each cell with an adder at its left), where $\ell + 1$ is the Hamming weight of $d$.

Using the binary expansion $\sum_{i=0}^{k-1} d_i 2^i$ of $d$, we put $I_d = \{\, i \mid 0 \le i \le k-2 \text{ and } d_i = 1 \,\}$. So $\ell = \# I_d$. We also put $d^* = d - 2^{k-1}$. We say that the main register contains the integer $m = \sum_{i=0}^{k-1} m_i 2^i$ when it contains the binary values $(m_0, \dots, m_{k-1})$. The content $m$ of the main register always satisfies $0 \le m \le 2^k - 1$. In order to use similar notation for the carry register, we can think of it as a $k$-bit register where the $k - \ell$ bits of rank not in $I_d$ are always 0. The content $c = \sum_{i \in I_d} c_i 2^i$ of the carry register always satisfies $0 \le c \le d^*$.

Example 1 Let $q = -347$, so $d = 174 = \mathrm{0xAE}$, $k = 8$ and $\ell = 4$. The following diagram shows these two registers:

[Figure: main register $m(t)$ with cells $m_7\ m_6\ m_5\ m_4\ m_3\ m_2\ m_1\ m_0$, and beneath it the carry register $c(t)$ with cells $0\ 0\ c_5\ 0\ c_3\ c_2\ c_1\ 0$, i.e. carry cells only at the positions $I_d = \{1, 2, 3, 5\}$ where $d_i = 1$.]
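The following Python class is added here as a worked example and is not the authors' code. It implements the Galois FCSR automaton of Section 2.1 on Example 1 ($q = -347$, $d = 174$, $k = 8$, $\ell = 4$): the main and carry registers, the cell-by-cell add-with-carry step with the sum/carry rule of Section 1.2, the invariants $0 \le m \le 2^k - 1$ and $0 \le c \le d^*$, and a check that the output bits are the 2-adic expansion of $(m + 2c)/q$ computed by plain long division. It also replays the argument of Section 1.3 at size $k = 8$ instead of 128: initializing the main register with $p = sq \bmod 2^k$ makes the first $k$ output bits equal to any chosen $s$. All names (`GaloisFCSR`, `clock`, `integer_state`, `fcsr_with_prefix`, ...) are assumptions of this example.

```python
"""
Galois FCSR automaton of Section 2 on Example 1 (q = -347, d = 174 = 0xAE, k = 8,
l = 4).  Added worked example, not the paper's code.
"""


class GaloisFCSR:
    """Main register m (k cells) and carry register c (cells at the positions I_d)."""

    def __init__(self, q, m, c=0):
        if q >= 0 or q % 2 == 0:
            raise ValueError("q must be a negative odd integer")
        self.q = q
        self.d = (1 - q) // 2                     # q = 1 - 2d
        self.k = self.d.bit_length()              # 2^(k-1) <= d < 2^k
        self.Id = [i for i in range(self.k - 1) if (self.d >> i) & 1]
        self.ell = len(self.Id)                   # l + 1 = Hamming weight of d
        self.d_star = self.d - (1 << (self.k - 1))
        if not 0 <= m < (1 << self.k):
            raise ValueError("main register holds k bits")
        if c & ~self.d_star:
            raise ValueError("carry bits only at the positions in I_d")
        self.m, self.c = m, c

    def clock(self):
        """One step: emit m_0, shift right, and add d * m_0 cell by cell with carries."""
        m, c, fb = self.m, self.c, self.m & 1
        new_m = new_c = 0
        for i in range(self.k):
            if i == self.k - 1:
                bit = fb                          # d_{k-1} = 1, no cell to its left, no carry
            else:
                left = (m >> (i + 1)) & 1         # m_{i+1}
                if (self.d >> i) & 1:             # cell with an adder: m_{i+1} + c_i + m_0
                    total = left + ((c >> i) & 1) + fb
                    bit = total & 1               # s = a xor b xor c_{n-1}
                    new_c |= (total >> 1) << i    # c_n = majority(a, b, c_{n-1})
                else:
                    bit = left                    # plain shift
            new_m |= bit << i
        self.m, self.c = new_m, new_c
        return fb

    def integer_state(self):
        """The integer p = m + 2c whose 2-adic expansion p/q is the output from now on."""
        return self.m + 2 * self.c

    def run(self, n):
        return [self.clock() for _ in range(n)]


def two_adic_expansion(p, q, n):
    """Reference 2-adic long division of p/q (q odd), for comparison with the automaton."""
    bits = []
    for _ in range(n):
        s0 = p & 1
        bits.append(s0)
        p = (p - s0 * q) // 2
    return bits


def check_invariants(fcsr, steps):
    """Clock the automaton and verify 0 <= m <= 2^k - 1, 0 <= c <= d*, 0 <= m + 2c <= -q."""
    for _ in range(steps):
        fcsr.clock()
        if not (0 <= fcsr.m < (1 << fcsr.k) and 0 <= fcsr.c <= fcsr.d_star
                and 0 <= fcsr.integer_state() <= -fcsr.q):
            return False
    return True


def output_period(fcsr):
    """Steps until the integer state p returns to its start value: the output period (Theorem 2)."""
    start = fcsr.integer_state()
    for t in range(1, -fcsr.q + 1):
        fcsr.clock()
        if fcsr.integer_state() == start:
            return t
    return None


def fcsr_with_prefix(q, s):
    """Section 1.3 argument at size k: p = s*q mod 2^k makes p/q start with the k bits of s."""
    k = ((1 - q) // 2).bit_length()
    return GaloisFCSR(q, (s * q) % (1 << k))
```

The integer view $p = m + 2c$ is what makes the checks independent of which $(m, c)$ pair currently represents $p$: several register contents encode the same $p$, but `output_period` measures the return of $p$ itself and finds 346 = |q| − 1 for $q = -347$, matching the order of 2 modulo 347 that Section 1.3 assumes.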
Related references
On the security of FCSR-based pseudorandom generators
This article describes new theoretical results concerning the general behavior of an FCSR automaton that allow to better understand the initial parameters that must be chosen to use this automaton as a basic block of a filtering stream cipher. The results demonstrated here especially concern the structure of the subjacent graph of an FCSR automaton, its entropy and the number of iterations of t...
F-FCSR: Design of a New Class of Stream Ciphers
In this paper we present a new class of stream ciphers based on a very simple mechanism. The heart of our method is a Feedback with Carry Shift Registers (FCSR) automaton. This automaton is very similar to the classical LFSR generators, except the fact that it performs operations with carries. Its properties are well mastered: proved period, non-degenerated states, good statistical properties, ...
Investigation of FCSR-based Pseudorandom Sequence Generators for Stream Ciphers
In this paper, feedback with carry shift registers (FCSRs) are analyzed with main focus on the general case of FCSRs with arbitrary connection integer and on maximum-period FCSRs. Moreover, a keystream generator that employs the structure of the linear feedback shift register (LFSR)-based Geffe generator is studied in connection with FCSRs as a special nonlinear combining generator. The consider...
Some Remarks on FCSRs and Implications for FCSR-based Stream Ciphers
Feedback with carry shift registers (FCSRs) have been discussed for over ten years in the context of efficient pseudorandom number generation, particularly as an alternative to linear feedback shift registers (LFSRs) [6, 10, 11]. Similarly to LFSRs, FCSRs have an underlying algebraic structure that facilitates their analysis, and their output sequences have many desirable statistical properties...
A generalized birthday approach for efficiently finding linear relations in ℓ-sequences
Feedback with Carry Shift Registers (FCSRs) have previously been available in two configurations, the Fibonacci and Galois architectures. Recently, a generalized and unifying FCSR structure and theory was presented. The new ring FCSRs model repairs some weaknesses of the older architectures. Most notably, the carry cell bias property that was exploited for an attack on the eSTREAM final portfol...