
SEQUENCES AND THEIR APPLICATION TO CRYPTOGRAPHY Ivan Landjev - PowerPoint PPT Presentation

SEQUENCES AND THEIR APPLICATION TO CRYPTOGRAPHY. Ivan Landjev, New Bulgarian University. Summer School Design and Security of Cryptographic Functions, Algorithms and Devices, Albena, 30.06.-05.07.2013


  1. SEQUENCES AND THEIR APPLICATION TO CRYPTOGRAPHY. Ivan Landjev, New Bulgarian University. Summer School Design and Security of Cryptographic Functions, Algorithms and Devices, Albena, 30.06.-05.07.2013

  2. 0. Preliminaries

     - S. W. Golomb, Shift register sequences, 1982.
     - R. Lidl, H. Niederreiter, Finite fields, Encyclopaedia of Math. Vol. 20, Cambridge Univ. Press, 1983.
     - D. Jungnickel, Finite fields - structure and arithmetics, BI Wissenschaftsverlag, 1993.
     - G. Everest, A. van der Poorten, I. Shparlinski, Th. Ward, Recurrence sequences, Math. Surveys and Monographs Vol. 104, AMS, 2003.
     - A. V. Mikhalev, A. A. Nechaev, Linear recurrence sequences over modules, Acta Applicandae Mathematicae 42 (1996), 161-202.

  3. [Figure: block diagram with labels $k_i$, $m_i$, $c_i$ and two adders (+).]

  4. [Figure: LFSR diagram with feedback coefficients $c_1, \ldots, c_{n-1}, c_n$, adders (+) and cells $a_0, a_1, \ldots, a_{n-1}$.]

  5. 1. Basic Results

     Let $F$ be an arbitrary field (finite or infinite). Consider an LFSR with feedback coefficients $(c_1, c_2, \ldots, c_n)$ and initial conditions $a_0, a_1, \ldots, a_{n-1}$.

     • After $t$ clock cycles the LFSR holds the vector $(a_t, a_{t+1}, \ldots, a_{t+n-1})$, where

     $$a_n = c_1 a_{n-1} + c_2 a_{n-2} + \ldots + c_n a_0,$$
     $$\vdots$$
     $$a_{n+t-1} = c_1 a_{n+t-2} + c_2 a_{n+t-3} + \ldots + c_n a_{t-1}.$$

  6. • The shift register sequence $(a_k)_{k \ge 0}$ satisfies the linear recurrence relation

     $$a_k = \sum_{i=1}^{n} c_i a_{k-i} \quad \text{for } k \ge n,$$

     or, with the convention $c_0 := -1$:

     $$\sum_{i=0}^{n} c_i a_{k-i} = 0, \quad k \ge n.$$

     • The $t$-th state vector of the LFSR: $a^{(t)} = (a_t, a_{t+1}, \ldots, a_{t+n-1})$.

     • Feedback polynomial, or reciprocal characteristic polynomial:

     $$f(x) := -c_0 - c_1 x - \ldots - c_n x^n.$$

  7. • Feedback matrix:

     $$A = \begin{pmatrix} 0 & 0 & 0 & \ldots & 0 & c_n \\ 1 & 0 & 0 & \ldots & 0 & c_{n-1} \\ 0 & 1 & 0 & \ldots & 0 & c_{n-2} \\ \vdots & \vdots & \vdots & & \vdots & \vdots \\ 0 & 0 & 0 & \ldots & 0 & c_2 \\ 0 & 0 & 0 & \ldots & 1 & c_1 \end{pmatrix}.$$

     Then $a^{(t+1)} = a^{(t)} A$. In general, $a^{(t)} = a^{(0)} A^t$, $t \ge 1$.

     • $A$ is the companion matrix of the reciprocal characteristic polynomial

     $$f^* = x^n f(1/x) = x^n - c_1 x^{n-1} - \ldots - c_{n-1} x - c_n,$$

     called also the characteristic polynomial of the LFSR.
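
As an added example (not part of the original slides), the Python code below steps an LFSR over a prime field GF(p) by the recurrence and checks the result against $a^{(t)} = a^{(0)} A^t$, using repeated squaring to jump directly to state $t$. The function names and the sample register over GF(2) are assumptions made for the example.

```python
# Added example (not from the slides): LFSR over GF(p), p prime (assumption).

def lfsr_states(c, init, steps, p):
    """States a^(0)..a^(steps) from a_{t+n} = c_1 a_{t+n-1} + ... + c_n a_t."""
    n, state, out = len(c), tuple(init), []
    for _ in range(steps + 1):
        out.append(state)
        new = sum(c[i] * state[n - 1 - i] for i in range(n)) % p
        state = state[1:] + (new,)
    return out

def feedback_matrix(c, p):
    """Matrix A of the slide: ones below the diagonal, last column (c_n, ..., c_1)."""
    n = len(c)
    A = [[0] * n for _ in range(n)]
    for r in range(1, n):
        A[r][r - 1] = 1
    for r in range(n):
        A[r][n - 1] = c[n - 1 - r] % p
    return A

def mat_mul(X, Y, p):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*Y)]
            for row in X]

def mat_pow(A, t, p):
    """A^t by repeated squaring."""
    R = [[int(i == j) for j in range(len(A))] for i in range(len(A))]
    while t:
        if t & 1:
            R = mat_mul(R, A, p)
        A, t = mat_mul(A, A, p), t >> 1
    return R

def state_at(c, init, t, p):
    """a^(t) = a^(0) A^t (row vector times matrix), O(log t) matrix products."""
    return tuple(mat_mul([list(init)], mat_pow(feedback_matrix(c, p), t, p), p)[0])

# Constructed sample: a_k = a_{k-1} + a_{k-4} over GF(2), f* = x^4 + x^3 + 1.
C, INIT = (1, 0, 0, 1), (1, 0, 0, 0)
STATES = lfsr_states(C, INIT, 30, 2)
```

For this constructed register the state returns to the initial vector after 15 steps and not before, so the matrix form gives the same 15-periodic state sequence as the recurrence.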

  8. • We identify an arbitrary sequence $(a_k)_{k \ge 0}$ over $F$ with the formal power series

     $$a(x) = \sum_{k=0}^{\infty} a_k x^k \in F[[x]].$$

     Theorem. Let $a = (a_k)$ be a sequence over $F$ with associated power series $a(x) \in F[[x]]$. Then $a$ is a shift register sequence resulting from a LFSR of length $n$ with the feedback polynomial $f \in F[x]$ if and only if one has

     $$a(x) = \frac{g(x)}{f(x)},$$

     for a suitable polynomial $g \in F[x]$ with $\deg g < n$. Moreover, the correspondence between the shift register sequences belonging to $f$ and the polynomials $g$ is a bijection.

  9. Corollary. Let $a = (a_k)$ be a sequence over $F$ with associated power series $a(x) \in F[[x]]$. Then $a$ is a shift register sequence if and only if $a(x)$ belongs to the field $F(x)$ of rational functions over $F$.

     Example (the Fibonacci sequence).

     $$a_k = a_{k-1} + a_{k-2}, \quad (a_0, a_1) = (1, 1)$$

     $$a(x) = \frac{1}{1 - x - x^2} = 1 + x + 2x^2 + 3x^3 + 5x^4 + 8x^5 + 13x^6 + \ldots$$

     The Fibonacci sequence can be also obtained from

     $$a_k = a_{k-1} + a_{k-3} + a_{k-4}, \quad (a_0, \ldots, a_3) = (1, 1, 2, 3).$$

     Feedback polynomial: $1 - x - x^3 - x^4 = (x^2 + 1)(1 - x - x^2)$.
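
The correspondence between initial states and numerators $g$ can be carried out mechanically. The following Python code is an added example, not part of the original slides: it computes $g$ from $f$ and the initial conditions, expands $g(x)/f(x)$ as a power series, and applies both to the two LFSRs of the Fibonacci example (all function names are assumptions).

```python
# Added example (not from the slides). Polynomials and series are coefficient
# lists, lowest degree first; integer arithmetic works because f(0) = 1.

def feedback_poly(c):
    """f(x) = 1 - c_1 x - ... - c_n x^n for feedback coefficients (c_1, ..., c_n)."""
    return [1] + [-ci for ci in c]

def numerator(f, init):
    """g(x) = f(x) a(x) mod x^n with n = deg f; only a_0..a_{n-1} are needed."""
    n = len(f) - 1
    return [sum(f[i] * init[k - i] for i in range(k + 1)) for k in range(n)]

def expand(g, f, terms):
    """First `terms` coefficients of the power series g(x)/f(x)."""
    a = []
    for k in range(terms):
        gk = g[k] if k < len(g) else 0
        # coefficient of x^k in f(x) a(x) = g(x), solved for a_k (f_0 = 1)
        top = min(k, len(f) - 1)
        a.append(gk - sum(f[i] * a[k - i] for i in range(1, top + 1)))
    return a

# The two LFSRs of the Fibonacci example on the slide.
F2 = feedback_poly((1, 1))            # 1 - x - x^2
G2 = numerator(F2, (1, 1))            # g = 1
F4 = feedback_poly((1, 0, 1, 1))      # 1 - x - x^3 - x^4
G4 = numerator(F4, (1, 1, 2, 3))      # g = 1 + x^2
```

The order-4 register yields $g = 1 + x^2$, which cancels against the factor $x^2 + 1$ of its feedback polynomial, so both quotients expand to the same series.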

  10. Theorem. Let $a = (a_k)$ be a sequence over $F$ with associated power series $a(x) \in F[[x]]$. Then there exists a uniquely determined monic polynomial $f_0$ such that $a$ can be obtained from some LFSR with feedback polynomial $f$ if and only if $f$ is a multiple of $f_0$.

      Corollary. Let $a = (a_k)$ be a sequence over $F$ with associated power series $a(x) \in F[[x]]$. Then there exists a uniquely determined monic polynomial $m(x)$ such that $a$ can be obtained from some LFSR with characteristic polynomial $f^*$ if and only if $f^*$ is a multiple of $m$.

      The polynomial $m(x)$ is called the minimal polynomial of $a$, or $m(x)$ is the characteristic polynomial of the linear recurrence relation of the least order.

      • Note: The degree of $f_0$ may be smaller than the length of the associated shift register producing $a$, whereas the degree of the minimal polynomial always equals this length.

  11. For example, $a = (0, 1, 1, 1, 1, \ldots)$, $a_k = a_{k-1}$ with initial condition $(0, 1)$. The least length of a LFSR producing $a$ is 2. The feedback polynomial is $f_0(x) = 1 - x$; the minimal polynomial is $m = x^2 - x$.

      Theorem. Let $a = (a_k)$ be a shift register sequence over the field $F$ belonging to the LFSR of length $n$ with characteristic polynomial $f^*$. Then $f^*$ is actually the minimal polynomial of $a$ if and only if the first $n$ state vectors $a^{(0)}, a^{(1)}, \ldots, a^{(n-1)}$ are linearly independent.
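
The linear-independence criterion is easy to test by Gaussian elimination. The Python code below is an added example, not part of the original slides: it computes the rank of the first $n$ state vectors over the rationals and applies the theorem to the sequence $(0, 1, 1, 1, \ldots)$ and to the two Fibonacci registers from the earlier example (function names are assumptions).

```python
# Added example (not from the slides): exact arithmetic over Q via Fraction.
from fractions import Fraction

def sequence(c, init, length):
    """a_k = c_1 a_{k-1} + ... + c_n a_{k-n}, extended to `length` terms."""
    a = [Fraction(x) for x in init]
    while len(a) < length:
        a.append(sum(ci * a[-1 - i] for i, ci in enumerate(c)))
    return a

def rank(rows):
    """Rank of a matrix over Q by Gaussian elimination."""
    m = [list(r) for r in rows]
    rk = 0
    for col in range(len(m[0])):
        piv = next((r for r in range(rk, len(m)) if m[r][col] != 0), None)
        if piv is None:
            continue
        m[rk], m[piv] = m[piv], m[rk]
        for r in range(rk + 1, len(m)):
            factor = m[r][col] / m[rk][col]
            m[r] = [x - factor * y for x, y in zip(m[r], m[rk])]
        rk += 1
    return rk

def state_rank(c, init):
    """Rank of the first n state vectors a^(0), ..., a^(n-1)."""
    n = len(c)
    a = sequence(c, init, 2 * n - 1)
    return rank([a[t:t + n] for t in range(n)])

def is_minimal(c, init):
    """True iff f* = x^n - c_1 x^(n-1) - ... - c_n is the minimal polynomial."""
    return state_rank(c, init) == len(c)

# (0,1,1,1,...) as a length-2 LFSR: a_k = 1*a_{k-1} + 0*a_{k-2}, f* = x^2 - x.
CONST_TAIL = is_minimal((1, 0), (0, 1))
# Fibonacci from the order-2 and the order-4 recurrence.
FIB2 = is_minimal((1, 1), (1, 1))
FIB4 = is_minimal((1, 0, 1, 1), (1, 1, 2, 3))
```

The order-4 Fibonacci register fails the test: its four state vectors have rank 2, so its characteristic polynomial is not the minimal polynomial of the sequence.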

  12. Theorem. Consider the linear recurrence relation of order $n$

      $$a_k = \sum_{i=1}^{n} c_i a_{k-i}, \quad k \ge n \qquad (*)$$

      with characteristic polynomial $f^*(x) = x^n - c_1 x^{n-1} - \ldots - c_{n-1} x - c_n$ over the field $F$. If $\alpha_1, \ldots, \alpha_t$ are distinct roots of $f^*$ (in some extension field $E$ of $F$) then

      $$s_k = \lambda_1 \alpha_1^k + \ldots + \lambda_t \alpha_t^k \qquad (**)$$

      defines a solution $s = (s_k)$ of (*) over $E$. Moreover, the solutions (**) form a vector space of dimension $t$ over $E$.

      Corollary. If the characteristic polynomial $f^*$ of the linear recurrence relation (*) has distinct roots $\alpha_1, \ldots, \alpha_n$ (in its splitting field $E$), then all solutions of (*) over $E$ are of the form (**) with $t = n$.

  13. 2. Ultimately Periodic Sequences

      • A sequence $a = (a_k)$ is called ultimately periodic with period $r$ if it satisfies the condition $a_{k+r} = a_k$ for all sufficiently large $k$. If this actually holds for all $k \ge 0$, one calls $a$ periodic.

      Theorem. Let $a = (a_k)$ be an ultimately periodic sequence over some set $S$, with least period $r_0$. Then the periods of $a$ are precisely the multiples of $r_0$. Moreover, if $a$ should be periodic with some period $r$, it is actually periodic with period $r_0$.

      • If $r_1$ is the least period of an ultimately periodic sequence $a$ and if $N$ is the smallest integer for which $a_{k+r_1} = a_k$ for all $k \ge N$ holds, one calls $N$ the preperiod of $a$. Thus $a$ is periodic if and only if it has preperiod 0.

  14. Theorem. Let $a = (a_k)$ be a sequence over the field $F$ with associated formal power series $a(x) \in F[[x]]$. Then $a$ is ultimately periodic with period $r$ if and only if $(1 - x^r) a(x)$ is a polynomial over $F$.

      Corollary. Any ultimately periodic sequence over a field is a shift register sequence.
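
For an LFSR over a finite field the preperiod and least period can be read off from the first repeated state vector, which is how one checks the period of a keystream register. The Python code below is an added example, not part of the original slides: it finds $(N, r_0)$ and tests the $(1 - x^r) a(x)$ criterion on a prefix of the sequence; the function names and the sample registers over GF(2) are assumptions.

```python
# Added example (not from the slides): LFSR over GF(p), p prime (assumption).

def preperiod_and_period(c, init, p):
    """(N, r0) of the LFSR sequence, found as the first repeated state vector."""
    n, state, seen, t = len(c), tuple(x % p for x in init), {}, 0
    while state not in seen:
        seen[state] = t
        new = sum(ci * state[n - 1 - i] for i, ci in enumerate(c)) % p
        state, t = state[1:] + (new,), t + 1
    return seen[state], t - seen[state]

def prefix(c, init, p, length):
    """a_0 .. a_{length-1}."""
    a = [x % p for x in init]
    while len(a) < length:
        a.append(sum(ci * a[-1 - i] for i, ci in enumerate(c)) % p)
    return a[:length]

def times_one_minus_xr(a, r, p):
    """Coefficients of (1 - x^r) a(x) mod p, valid for the known prefix of a."""
    return [(a[k] - (a[k - r] if k >= r else 0)) % p for k in range(len(a))]

def is_period(c, init, p, r, length=200):
    """Theorem check on a prefix: (1 - x^r) a(x) has no terms from x^(N+r) on.

    Assumes length > N + r + n, so that the prefix covers a full state
    vector beyond index N + r.
    """
    N, _ = preperiod_and_period(c, init, p)
    coeffs = times_one_minus_xr(prefix(c, init, p, length), r, p)
    return not any(coeffs[N + r:])

# Constructed samples over GF(2).
PERIODIC = preperiod_and_period((1, 1), (0, 1), 2)              # 0,1,1,0,1,1,...
PREPERIODIC = preperiod_and_period((1, 0), (0, 1), 2)           # 0,1,1,1,...
MAXIMAL = preperiod_and_period((1, 0, 0, 1), (1, 0, 0, 0), 2)   # f* = x^4 + x^3 + 1
```

The register with $c_n = 0$ is the one with a nonzero preperiod: its sequence $(0, 1, 1, 1, \ldots)$ is ultimately periodic with period 1 but not periodic.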
