[PPT] - SEQUENCES AND THEIR APPLICA TION TO CRYPTOGRAPHY Ivan Landjev PowerPoint Presentation

SLIDE 1 SEQUENCES AND THEIR APPLICA TION TO CRYPTOGRAPHY Ivan Landjev New Bulga rian Universit y

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

SLIDE 2 0. Prelimina ries S. W. Golomb, Shift register sequen es, 1982 R. Lidl, H. Nederreiter, Finite elds, En y lopaedia

f

Math. V

l.

20, Camb ridge Univ. Press, 1983. D. Jungni kel, Finite elds

stru ture

and a rithmeti s, BI Wissens haftsver- lag, 1993. G. Everest,A. v an der Poor ten, I. Shp arlinski, Th. W ard, Re urren e sequen es, Math. Surveys and Monographs V

l.

104, AMS, 2003. A. V. Mikhalev, A. A. Ne haev, Linea r re urren e sequen es

ver

mo dules, A ta Appli andae Mathemati ae 42(1996), 161-202.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

1

SLIDE 3

. . . + + ci ci mi ki mi ki

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

2

SLIDE 4

a0 a1 an−1 . . . . . . . . . cn cn−1 c1 + + +

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

3

SLIDE 5 1. Basi Results

Let F

b e an a rbitra ry eld (nite

r

innite).

Consider

an LFSR with feedba k

e ients (c1, c2, . . . , cn)

and initial

ndi-

tions a0, a1, . . . , an−1 where

an = c1an−1 + c2an−2 + . . . + cna0.

After t

lo k y les the LFSR holds the ve to r (at, at+1, . . . , at+n−1) where

an+t−1 = c1an+t−2 + c2an+t−3 + . . . + cnat−1.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

4

SLIDE 6

The

shift register sequen e (ak)k≥0 satises the linea r re urren e relation

ak = n

i=1 ciak−i

fo r k ≥ n ,

r,

with the

nvention c0 := −1:

n

i=0

c0ak−i = 0, k ≥ n.

F

eedba k p

lynomial,
r

re ip ro al ha ra teristi p

lynomial

f(x) := −c0 − c1x − . . . − cnxn.

The t
th

state ve to r

f

the LFSR: a(t) = (at, at+1, . . . , an−t+1).

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

5

SLIDE 7

F

eedba k matrix:

A =         . . . cn 1 . . . cn−1 1 . . . cn−2

. . . . . . . . . . . . . . . . . .

. . . c2 . . . 1 c1         .

Then a(t+1) = a(t)A. In general, a(t) = a(0)At , t ≥ 1.

A

is the

mpanion

matrix

f

the re ip ro al ha ra teristi p

lynomial

f ∗ = xnf(1 x) = xn − c1xn−1 − . . . − cn−1x − cn.

alled also the ha ra teristi p

lynomial
f

the LFSR.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

6

SLIDE 8

W

e identify an a rbitra ry sequen e (ak)k≥0

ver F

with the fo rmal p

w

er series

a(x) =

∞

i=0

akxk ∈ F[[x]].

Theo rem. Let a = (ak) b e a sequen e

ver F

with asso iated p

w

er series

a(x) ∈ F[[x]].

Then a is a shift register sequen e resulting from a LFSR

f

length

n

with the feedba k p

lynomial f ∈ F[x]

if and

nly

if

ne

has

a(x) = g(x) f(x),

fo r a suitable p

lynomial g ∈ F[x]

with deg g < n . Mo reover, the

rresp
nden e

b et w een the shift register sequen es b elonging to f and the p

lynomials g

is a bije tion.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

7

SLIDE 9 Co rolla ry . Let a = (ak) b e a sequen e

ver F

with asso iated p

w

er series

a(x) ∈ F[[x]].

Then a is a shift register sequen e if and

nly

if a(x) b elongs to the eld F(x)

f

rational fun tions

ver F

. Example. (the Fib

na i

sequen e)

Ak = ak−1 + ak−2

, (a0, a1) = (1, 1)

a(x) =

1 1−x−x2 = 1 + x + 2x2 + 3x3 + 5x4 + 8x5 + 13x6 + . . .

The Fib

na i

sequen e an b e also

btained

from ak = ak−1+ak−3+ak−4 ,

(a0, . . . a3) = (1, 1, 2, 3).

F eedba k p

lynomial: 1 − x − x3 − x4 = (x2 + 1)(1 − x − x2).
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

8

SLIDE 10 Theo rem. Let a = (ak) b e a sequen e

ver F

with asso iated p

w

er series

a(x) ∈ F[[x]].

Then there exists a uniquely determined moni p

lynomial f0

su h that a an b e

btained

from some LFSR with feedba k p

lynomial f

if and

nly

if f is a multiple

f f0

. Co rolla ry . Let a = (ak) b e a sequen e

ver F

with asso iated p

w

er series

a(x) ∈ F[[x]].

Then there exists a uniquely determined moni p

lynomial m(x)

su h that a an b e

btained

from some LFSR with ha ra teristi p

lynomial f ∗

if and

nly

if f ∗ is a multiple

f m

.

The

p

lynomial m(x)

is alled the minimal p

lynomial
f a,
r m(x)

is the ha ra teristi p

lynomial
f

the linea r re urren e relation

f

the least

rder.

Note: The degree

f f0

ma y b e smaller than the length

f

the asso iated shift register p ro du ing a, whereas the degree

f

the minimal p

lynomial

alw a ys equals this length.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

9

SLIDE 11 F

r

example, a = (0, 1, 1, 1, 1, . . .), ak = ak−1 with initial

ndition (0, 1).

The least length

f

a LFSR p ro du ing a is 2. The feedba k p

lynomial

is f0(x) = 1 − x ; The minimal p

lynomial

is m = x2 − x . Theo rem. Let a = (ak) b e a shift register sequen e

ver

the eld F b elonging to the LFSR

f

length n with ha ra teristi p

lynomial f ∗

. Then f ∗ is a tually the minimal p

lynomial
f a

if and

nly

if the rst n state ve to rs a(0) ,

a(1), . . . , a(n−1)

a re linea rly indep endent.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

10

SLIDE 12 Theo rem. Consider the linea r re urren e relation

(∗) ak =

n

i=1

ciak−i, k ≥ n

f
rder n

with ha ra teristi p

lynomial f ∗(x) = xn−c1xn−1−. . .−cn−1x−cn
ver

the eld F . If α1, . . . , αt a re distin t ro

ts
f f ∗

(in some extension eld E

f F

) then

(∗∗) sk = λ1αk

1 + . . . + λtαk t

denes a solution s = (sk)

f

(*)

ver E .

Mo reover, the solutions (**) fo rm a ve to r spa e

f

dimensiom t

ver E .

Co rolla ry . If the ha ra teristi p

lynomial f ∗
f

the linea r re urren e relation (*) has distin t ro

ts α1, . . . , αn

(in its splitting eld E ), then all solutions

f

(*)

ver E

a re

f

the fo rm (**) with t = n .

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

11

SLIDE 13 2. Ultimately P erio di Sequen es

A

sequen e a = (ak) is alled ultimately p erio di with p erio d r if it satises the

ndition ak+r = ak

fo r all su iently la rge k . If this a tually holds fo r all

k ≥ 0,

ne

alls a p erio di . Theo rem. Let a = (ak) b e an ultimately p erio di sequen e

ver

some set S , with least p erio d r0 . Then the p erio ds

f a

a re p re isely the multiples

f r0

. Mo reover, if a should b e p erio di with some p erio d r , it is a tually p erio di with p erio d r0 .

If r1

is the least p erio d

f

an ultimately p erio di sequen e a and if N is the smallest integer fo r whi h ak+r1 = ak fo r all k ≥ N holds,

ne

alls N the p rep erio d

f a

Thus a is p erio di if and

nly

if it has p rep erio d 0.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

12

SLIDE 14 Theo rem. Let a = (ak) b e a sequen e

ver

the eld F with asso iated fo rmal p

w

er series a(x) ∈ F[[x]]. Then a is ultimately p erio di with p erio d r if and

nly

if (1 − xr)a(x) is a p

lynomial
ver F

. Co rolla ry . Any ultimately p erio di sequen e

ver

a eld is a shift register sequen e.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

13

SLIDE 15 Theo rem. Let a = (ak) b e a sequen e

ver

the eld F with asso iated fo rmal p

w

er series a(x) ∈ F[[x]]. Assume that a is p erio di with p erio d r . Then

ne

has the p

lynomial

identit y

f(x)s(x) = (1 − xr)g(x),

where f(x) = −c0 − c1x − . . . − cnxn is the feedba k p

lynomial
f

the asso iated LFSR and where the p

lynomials s(x)

and g(x) a re dened as follo ws

s(x) = a0 + a1x + . . . + ar−1xr−1, g(x) =

n−1

k=0
−

k

i=0

ciak−i

xk.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

14

SLIDE 16 3. Shift Register Sequen es

ver

Finite Fields Theo rem. Let a = (ak) b e a shift register sequen e

ver Fq

with minimal p

lynomial m(x)
f

degree n . Then a is ultimately p erio di with least p erio d

r1 ≤ qn − 1.

Co rolla ry . The ultimately p erio di sequen es

ver

a nite eld a re p re isely the shift register sequen es. Theo rem. Let a = (ak) b e a shift register sequen e

ver Fq

b elonging to a LFSR with feedba k p

lynomial

f(x) = −c0 − c1x − . . . − cnxn,

where cn = 0 . Then a is p erio di with least p erio d r1 ≤ qn − 1. Mo reover, the feedba k matrix A is invertible and r1 divides the

rder
f A.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

15

SLIDE 17

One

alls the sequen e d determined b y the feedba k p

lynomial

f(x) = −c0 − c1x − . . . − cnxn

and the initial

ndition (0, 0, . . . , 0, 1)

the impulse resp

nse

sequen e fo r the given LFSR. Theo rem. Let d b e the impulse resp

n e

sequen e

ver Fq

b elonging to the LFSR with feedba k p

lynomial

(∗) f(x) = −c0 − c1x − . . . − cnxn, cn = 0,

and feedba k matrix A. Then d(s) = d(t) if and

nly

if As = At fo r any t w

state

ve to rs d(s) = d(t) . Mo reover, the least p erio d

f

any shift register sequen e

a

whi h an b e

btained

from the given LFSR divides the least p erio d

f d.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

16

SLIDE 18 Theo rem. Let d = (dk) b e the impulse resp

nse

b elonging to the LFSR with feedba k p

lynomial (∗)

and feedba k matrix A

ver Fq

, and assume cn = 0 . Then d is p erio di with least p erio d r1 equal to the p erio d

f A.

Mo reover,

ne

has r1 = qn − 1 if and

nly

if f is a p rimitive p

lynomial.

Co rolla ry . Let q b e a p rime p

w

er and let n b e any p

sitive

integer. Then there exists a p erio di shift register sequen e with least p erio d qn − 1 b elonging to an LFSR

f

length n

ver Fq
Any

p erio di shift register sequen e b elonging to an LFSR

f

length n

ver Fq

and having least p erio d qn −1 is alled a maximal p erio d sequen e (m-sequen e),

r

a pseudo-noise sequen e (PN-sequen e).

One

alls t w

p

erio di sequen es a = (ak) and b = (bk) y li ally equivalent if there exists an integer r su h that bk+r = ak fo r all k ≥ 0.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

17

SLIDE 19 Theo rem. Let a = (ak) b e an m

sequen e
ver Fq

b elonging to the LFSR with feedba k p

lynomial (∗)

and feedba k matrix A. Then f is a p rimitive p

lynomial

and a is y li ally equivalent to the impulse resp

nse

sequen e fo r the given LFSR. Mo reover, with ex eption

f

the zero sequen e, every shift register sequen e whi h an b e

btained

from the LFSR asso iated with f is y li ally equivalent to a

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

18

SLIDE 20

W

e

nsider

the p roblem

f

determining all shift register sequen es b elonging to an LFSR with given feedba k p

lynomial f

. Lemma. Consider an LFSR

f

length n

ver Fq

. Then there a re exa tly qn distin t shift register sequen es whi h an b e

btained

from the given LFSR. Theo rem. Consider an LFSR

f

length n

ver Fq

with feedba k p

lynomial f

as in (∗). Assume that f is irredu ible. Let α b e a ro

t
f f ∗

in the extension eld E = Fqn . Then the shift register sequen es b elonging to given LFSR a re p re isely the sequen es s = (sk)

f

the fo rm

sk = Tr E/Fq(θαk), k ≥ 0,

where θ is an a rbitra ry element

f E .

Mo reover, the element θ is uniquely determined b y the sequen e s . Ex ept fo r the trivial zero sequen e,

btained

fo r

θ = 0

, the sequen es s a re p erio di with least p erio d r1 = ord(f) and split into

qn−1 r1

lasses

f r1

sequen es ea h.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

19

SLIDE 21 Theo rem. Consider an LFSR

f

length n

ver Fq

with feedba k p

lynomial f

as in (∗). Assume that f = f1 . . . fm is the p ro du t

f m

pairwise distin t moni irredu ible p

lynomials
f

degrees n1, . . . , nm , resp e tively . F

r i = 1, . . . , m

ho

se

a ro

t αi
f f ∗

i

in the extension eld Ei = Fqni . Then the shift register sequen e s = (sk) b elonging to the given LFSR an b e uniquely written in the fo rm

sk = Tr E1/Fq(θ1αk

1) + . . . Tr Em/Fq(θmαk m), k ≥ 0,

where θ1, . . . , θm a re a rbitra ry elements

f E1, . . . , Em

, resp e tively . Ex ept fo r the trivial zero sequen e, whi h b elongs to to θ1 = . . . = θm = 0 , the sequen e

s = s(θ1, . . . , θm)

is p erio di with least p erio d r1 whi h equals to the least

mmon

multiple

f

all those

rders ord(fi)

fo r whi h

ne

has θi = 0 . Co rolla ry . Under the assumption

f

the p revious theo rem the impulse resp

nse

sequen e d b elonging to the given LFSR has least p erio d equal to lcm{ord(fi) |

i = 1, . . . , m}.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

20

SLIDE 22 Theo rem. Consider an LFSR

f

length n

ver Fq

with an irredu ible feedba k p

lynomial f

, and let α b e a ro

t
f f ∗

in the extension eld E = Fqn . Then the least p erio d

f

every shift register sequen e b elonging to the given LFSR divides the

rder
f α

in E , ord(α), and the value ord(α) a tually

urs.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

21

SLIDE 23 4. Bina ry Pseudo random Sequen es

Let a = (ak)

b e a p erio di sequen e

f F2

with least p erio d r . F

r

a given

m

tuple b = (b1, . . . , bm) ∈ Fm

2

w e w

uld

exp e t that the numb er

Za(b) = |{t | 0 ≤ t ≤ r − 1, (at, at+1, . . . , at+m−1) = b}|

is indep endent

f b

as long as this mak es sense.

If

w e

mpa

re a truly random bina ry sequen e a = (ak) with a shifted version

f

itself, w e w

uld

exp e t as many agreements as disagreements, sin e ea h

f

the pairs 00, 01, 10, 11 with a p robabilit y

f

ab

ut 1/4.

The auto

rrelation

fun tion

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

22

SLIDE 24

Ca(h)

f a

is dened b y

Ca(h) :=

r−1

k=0

(−1)ak−ak+h.

A

bina ry sequen e a is alled pseudo random if it satises the follo wing axioms: (1) (distribution test) |Za(0) − Za(1)| ≤ 1; (2) (serial test) |Za(b) − Za(b′)| ≤ 1 fo r any t w

distin t

bina ry m

tuples b

and b′ , p rovided that 2 ≤ m ≤ log2 r ; (3)(auto

rrelation

test) Ca(h) = c if h ≡ 0 (mod r), c

a
nstant.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

23

SLIDE 25 Theo rem. Any m

sequen e
ver F2

is a pseudo random sequen e. Co rolla ry . Let a = (ak) b e an m

sequen e

p ro du ed b y an LFSR

f

length n (and hen e with least p erio d 2n − 1)

ver F2

. Then there a re altogether 2n−2 runs

nsisting
f

zeros and b eginning with an entry at where 0 ≤ t ≤ r . These runs split into 2n−l−2 runs

f

length l fo r 1 ≤ l ≤ n − 2, and

ne

run

f

length

l = n

.

Let a = (ak)

b e any sequen e

ver

some set S , let h ≥ 0 and d ≥ 2 b e t w

integers

and dene a new sequen e u = u(d, h) = (uk) b y the rule uk := ah+kd ,

k ≥ 0.

One sa ys then that u is

btained

from a b y de imation. If a is a random sequen e, w e w

uld

exp e t u to b e a random sequen e again. Theo rem. Let a = (ak) b e an m

sequen e

p ro du ed b y an LFSR

f

length n

ver Fq

, and let u = u(d, h) b e a de imation

f a.

Then u an m

sequen e

if and

nly

if gcd(d, qn − 1) = 1 and u is a tually y li ally equivalent to a if

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

24

SLIDE 26 and

nly

if d = qj (mod qn − 1) fo r some j with 0 ≤ j ≤ n − 1. Mo reover, every shift register sequen e

ver Fq

whi h b elongs to an irredu ible minimal p

lynomial g

with g(0) = 0 and with degree n an b e

btained

from a b y a suitable de imation. Co rolla ry . Any t w

m
sequen es

b elonging to LFSR's

f

degree n

ver Fq

an b e

btained

from ea h

ther

b y de imation.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

25

SLIDE 27 5. The Linea r Complexit y

f

a Shift Register Sequen e Theo rem. Let a = (ak) b e a shift register sequen e

ver

the eld F and let

m(x)

b e the minimal p

lynomial
f a

with n := deg m(x).Then m an b e

mputed

from the rst 2n elements

f a.

If a is a tually p erio di , m an b e

mputed

from any 2n

nse utive

elements.

The

degree n

f

the minimal p

lynomial m(x)
f

a shift register sequen e a is alled linea r

mplexit

y

f a

and is denoted b y L(a). Theo rem. Let a = (ak) b e a shift register sequen e

ver

the eld F b elonging to some LFSR

f

length N . Then the linea r

mplexit

y L(a) equals the maximum numb er

f

linea rly indep endent ve to rs among the state ve to rs

b(t) = (at, at+1, . . . , aN+t−1), t ≥ 0.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

26

SLIDE 28 Mo reover, L(a) an also b e

btained

as the la rgest value

f n

fo r whi h the rst

n

state ve to rs b(0), b(1), . . . , b(n−1) a re linea rly indep endent. Co rolla ry . Let a = (ak) b e a shift register sequen e

ver

the eld F . Then

ne

has D(r)(a) = 0 fo r all but nitely many values

f r

. Here D(r)(a) is the Hank el determinant given b y

D(r)(a) :=

a0

a1 . . . ar−1 a1 a2 . . . ar

. . . . . . . . . . . .

ar−1 ar . . . a2r−2

.

Mo reover, the linea r

mplexit

y

f a

is the smallest p

sitive

integer n su h that

D(r)(a) = 0

fo r all r ≥ n + 1 .

Given

a p erio di sequen e a with least p erio d v

ver

the eld F , w e denote the

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

27

SLIDE 29

v

b

y-v matrix who e determinant is the v

th

Hank el determinant b y M , i.e.

M :=     a0 a1 . . . av−1 a1 a2 . . . av

. . . . . . . . . . . .

ar−1 av . . . a2v−2     .

W e all M the in iden e matrix

f a.

Co rolla ry . Let a = (ak) b e a p erio di sequen e

ver

the eld F . Then the linea r

mplexit

y L(a)

f a

equals the rank

ver F
f

the in iden e matrix M

f

a.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

28

SLIDE 30 5. The Linea r Complexit y Prole

f

a Sequen e

a = (ak)N−1

k=0

(fo r an innite sequen e w e put N = ∞ )

ver F = Fq
Denote

b y Λk(a), k ≤ N , an LFSR

f

least degree

ver F

apable

f

p ro du ing a shift register sequen e s(k) whi h agrees with a

n

the rst k entries

a0, . . . , ak−1

.

mk(a)
the

ha ra teristi p

lynomial
f Λk(a);
Lk(a) := deg mk(a)
The

sequen e (Lk(a))N−1

k=0

is alled the linea r

mplexit

y p role

f a.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

29

SLIDE 31

Example.

Let a = (0, . . . , 0, λ)

f

nite length N

ver F

, λ = 0 . Then

Lk(a) =

1

fo r k = 1, . . . , N − 1

N

fo r k = N.

The

linea r

mplexit

y L(a)

f

a sequen e a is the maximum value

f

all Lk(a) if these values a re b

unded

and ∞

therwise.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

30

SLIDE 32 Lemma. Let a b e a sequen e

f

length N

ver F = Fq

. Then

Lk−1(a) ≤ Lk(a) ≤ k

, fo r all k ≤ N ;

L(a) = Lr+s(a)

if a is p erio di with p erio d r and p rep erio d s . Lemma. Let a and b b e t w

sequen es
f

length at least N

ver F

. Then

Lk(a + b) ≤ Lk(a) + Lk(b),

fo r all k ≤ N .

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

31

SLIDE 33 Theo rem. Let a b e a sequen e

f

length N

ver F = Fq

and let k b e p

sitive

integer with k + 1 ≤ N . Denote b y s = s(k) a shifte register sequen e whi h agrees with a in its rst k entries a0, . . . , ak−1 and b elongs to some LFSR Λk(a)

f

length Lk(a). Then

Lk+1(a) = Lk(a),

if sk = ak, and

Lk+1(a) = max(Lk(a), k + 1 − Lk(a)),

if sk = ak.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

32

SLIDE 34 The Berlek amp-Massey Algo rithm Let a b e a sequen e

f

nite length N

ver F = Fq

. The follo wing algo rithm

mputes

integers Lk and p

lynomials

fk(x) = 1 − c(k)

1 x − c(k) 2 x2 − . . . − c(k) Lk(a)xLk(a)

fo r all k ≤ N .

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

33

SLIDE 35 (1)

L0 := 1

, L1 := 1 , f0 := 1 , f1 := 1 + x ; (2) for k = 1 to N − 1 (3)

δk := −ak + Lk

i=1 c(k) i

ak−i

; (4) if δk = 0 then fk+1 := fk , Lk+1 := Lk ; (5) else m := max{i | Li < Li+1}, (6)

Lk = max(Lk, k + 1 − Lk),

(7)

fk+1 : +fk − δkδ−1

m xk−mfm(x)

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

34

SLIDE 36 Example. Consider the bina ry sequen e

(1 1 0 1 0 1 1 1 0 1)

f

length N = 10 . The p

lynomial

in line (7) is

fk+1(x) := fk(x) + xk−mfm(x).

L0 = 0

, f0(x) = 1 , L1 = 1 , f1(x) = 1 + x

1 1, 1, 1, 1, . . .

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

35

SLIDE 37

k = 1

: δ1 = 0 , f2 = f1 , L2 = L1

k = 2

: δ2 = 1 , m = 0

f3 = f2 + x2f0 = 1 + x + x2

, L3 = max(1, 3 − 1) = 2

1 1 + (1, 1, 0), (1, 1, 0), . . . (1 1 0 1 0 1 1 1 0 1)

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

36

SLIDE 38

k = 3

: δ3 = 0 , f4 = f3 , L4 = L3

k = 4

: δ4 = 1 , m = 2

f5 = f4 + x2f2 = 1 + x + x3

, L5 = max(2, 5 − 2) = 3

1 1 + [1, 1, 0], (1, 0, 0, 1, 1, 1, 0), . . . (1 1 0 1 0 1 1 1 0 1)

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

37

SLIDE 39

k = 5

: δ5 = 1 , m = 4

f6 = f5 + xf4 = 1 + x2

, L3 = max(2, 6 − 2) = 3

1 1 [1, 1], (0, 1), (0, 1), (0, 1), . . . (1 1 0 1 0 1 1 1 0 1)

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

38

SLIDE 40

k = 6

: δ6 = 1 , m = 4

f7 = f6 + x4f4 = 1 + x3 + x4

, L7 = max(3, 7 − 3) = 4

1 1 1 + (1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0), . . . (1 1 0 1 0 1 1 1 0 1)

k = 7

: δ7 = 0 , f8 = f7 , L8 = L7

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

39

SLIDE 41

k = 8

: δ8 = 1 , m = 6

f9 = f8 + x2f6 = 1 + x2 + x3

, L8 = max(4, 9 − 4) = 5

1 1 1 1 + [1, 1], (0, 1, 0, 1, 1, 1, 0), (0, 1, 0, 1, 1, 1, 0), . . . (1 1 0 1 0 1 1 1 0 1)

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

40

SLIDE 42

k = 9

: δ9 = 1 , m = 8

f10 = f9 + xf8 = 1 + x + x2 + x3 + x4 + x5

, L7 = max(5, 10 − 5) = 5

1 1 1 + (1, 1, 0, 1, 0, 1), (1, 1, 0, 1, 0, 1), . . . (1 1 0 1 0 1 1 1 0 1)

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

41

SLIDE 43 5. Linea r Re urren e Sequen es

ver

Mo dules

R
mmutative

ring with identit y e ; M = RM is a (left) R

mo

dule

Any

fun tion

µ : N0 → M

is alled a sequen e

ver

the mo dule M .

The

set

f

all sequen es

ver M

is denoted b y M 1 .

Dene

a multipli ation

f

a p

lynomial G(x) =

s≥0 gsxs ∈ R[x]

b y a sequen e µ ∈ M 1 b y the follo wing rule

G(x)µ = ν, ν ∈ M 1, ν(i) =

s≥0

gsµ(i + s), i ∈ N0.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

42

SLIDE 44

M 1

is a mo dule

ver

the ring P = R[x].

The

sequeen e µ ∈ M 1 is alled a linea r re urring sequen e (LRS)

f
rder

m

ver RM

if there exists a moni p

lynomial F(x) ∈ R[x], deg F = m

su h that F(x)µ = 0 .

F(x)

is alled a ha ra teristi p

lynomial
f µ
The

ve to r (µ(0), . . . , µ(m − 1)) is alled the initial ve to r

f µ
The

ha ra teristi p

lynomial
f µ
f

minimal degree is alled a minimal p

lynomial.

Its degree is alled rank

r

linea r

mplexit

y

f µ .
F
r

any subset M ⊂ M , the annihilato r

f M

in P is the ideal annP(M)

f

P

dened b y

annP(M) = {F(x) ∈ P | F(x)M = 0}.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

43

SLIDE 45 A sequen e µ ∈ M 1 is LRS i annP(M) is a moni ideal, i.e.

ntains

a moni p

lynomial.
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

44

SLIDE 46 Examples. 1. Geometri p rogression: fo r any α ∈ M , q ∈ R ;

µ = (α, αq, . . . , αqi, . . .) ∈ M 1.

Cha ra teristi p

lynomial: F(x) = x − q

; initial ve to r: µ(0) = α Minimal p

lynomial: x − q

. If annR(α) = 0 , then annP = P(x − q). 2. Arithmei p rogression: fo r any α, δ ∈ M ,

ν(i) = α + δi

is LRS with ha ra tersiti p

lynomial F(x) = (x − e)2

.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

45

SLIDE 47 Initial ve to r: (ν(0), ν(1)) = (α, α + δ) If annR(δ) = 0 , then F(x) is the unique minimal p

lynomial.

If b ∈ annR δ \ 0, then F(x) + b(x − e) is a dierent minimla p

lynomial.

3. Congruen e sequen es: fo r any α, δ ∈ M , q ∈ R

ξ(0) = α, ξ(i + 1) = qξ(i) + δ

is LRS with ha ra tersiti p

lynomial F(x) = (x − e)(x − q).

Initial ve to r: (ξ(0), ξ(1)) = (α, αq + δ). Geometri and a rithmeti p rogression a re sp e ial ases

f
ngruen e

sequen es.

F(x)

is a minimal p

lynomial
f ξ

if either δ ∈ Rα

r δ = cα

and F(c+q)α = 0 .

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

46

SLIDE 48 4. The linea r sequen e: Let RM = R(α1, . . . , αm) b e f.g. R-mo dule F

r

given α ∈ M , ϕ ∈ End M dene

αϕ = (α, ϕ(α), . . . , ϕi(α). . . .) ∈ M 1. aϕ

is an LRS

f
rder m

with ha ra teristi p

lynomial F(x) = |xE − A|

where

A

is a matrix

ver R

dened b y

(ϕ(α1), . . . , ϕ(αm)) = (α1, . . . , αm)A.

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

47

SLIDE 49

Any

fun tion

µ : Nk

0 → M

is alled a k-sequen e

ver

the mo dule M .

µ = µ(z) = µ(z1, . . . , zk),

where zi a re free va riables

n N0

.

M k
the

set

f

all k

sequen es
One

an dene the stru ture

f

a Pk

mo

dule

n M k

. If µ ∈ M (k and

F(x) =

s1,...,sk∈N0

fs1,...,skxs1

1 . . . xsk k ∈ Pk = R[x1, . . . , xk]

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

48

SLIDE 50 then Fµ = nu , where ν ∈ M (k and

ν(z) =

s1,...,sk∈N0

fs1,...,skµ(z1 + s1, . . . , zk + sk).

F
r M ∈ M k

w e dene the annihilato r

f M

in Pk b y

annPk(M = {f(x) ∈ Pk | F(x)M = 0}.

The annihilato r is an ideal in Pk . W e all an ideal I

f R[x]

moni if there exist moni p

lynomials F1(x), . . . , Fk(x)

in R[x] su h that

F1(x1), . . . , Fk(xk) ∈ I.

The k
sequen e µ ∈ M k

is alled a k

re urren e

sequen e

ver M

if ann(µ)

Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

49

SLIDE 51 is a moni ideal

f Pk

. In this ase the moni p

lynomials F1(x1), . . . , Fk(xk)

a re alled elementa ry ha ra teristi p

lynomials
f µ

and the ideal (F1(x1), . . . , Fk(xk)) is an elementa ry ideal

f annPk(µ).
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

50

SLIDE 52 Examples.

1. k
geometri

p rogression

2. k
a

rithmeti p rogression

3. k
ongruent

sequen e

4. k
linea

r sequen e 5. Sum

f

indep endent 1-LRS 6. Dire t sum

f

1-LRS 7. T enso r p ro du t

f

1-LRS

ver R

8. T enso r p ro du t

f

1-LRS

ver M
Summer

S ho

l

Design and Se urit y

f

Cryptographi , F un tions, Algo rithms and Devi es, Alb ena, 30.06.05.07.2013

51