Correlation Immunity - Probabilistic & Statistical Methods in Cryptology An Introduction by S

Here, the model of the key generator is the following: There are m LFSR yielding the outputs{x(ij)}i_≥0(1≤j≤m). These LFSR streams are gathered

by a non-linear combining functionf :IBm_→_IB _{to yield the output}

zi =f(x(1)i , x

(2)

i , . . . , x

(m)

i ).

On a ”short time” basis, the LFSR outputs may be well modeled byninde- pendent symmetric binary sources. Now take for examplem= 3 and

f(x1, x2, x3) :=x1x2+x1x3+x2x3.

One sees that if the LFSR are modeled as above, then P(zi = 0) =P(zi =

1) = 1/2. But, if the LFSR 1 (i.e., that which generates the sequence

{x(1)_i }i≥0) is known, we can mount the following correlation attack to ﬁnd

the true phase of LFSR 1 and thus ﬁnd its initial state: If we multiply{zi}i_≥0

with the shifted sequence{x(1)i }i≥0 in the ”correct” phase, then we see from

the deﬁnition off that the 1 occurs with probability 3/8 instead of just 1/4 as it would be with true binary symmetric random sequences. This type of attack can be done for every LFSR.

So a natural question is how to choose the combining function f to avoid such attacks.

70 5 Pseudo-random Number Generators

Deﬁnition 5.2.A functionf :IBm_→_IB _{is called}_h_{-th order correlation im-}

mune if, whenever X1, X2, . . . , Xm are independent unbiased IB-valued ran-

dom variables, thenZ :=f(X1, X2, . . . , Xm)is independent of all ﬁnite sub-

sequences(Xi1, X12, . . . , Xih)(1≤i1≤. . .≤ih≤m).

The signiﬁcation ofh-th order correlation immunity lies in the fact that if a non-linear combination functionf is h-th order correlation immune, then it is not possible to mount a correlation attack on any combination ofhinput sequences.

For a function f :IBm_→_IB_{, its Fourier (or Walsh-Hadamard) transform is}

deﬁned as

F(ω) :=

x∈IBm

f(x)(−1)x,ω (ω∈IBm).

One has the following inversion formula:

f(x) := 2−m

ω∈IBm

F(ω)(−1)x,ω.

Now correlation immunity can be characterized in terms of Fourier transforms as follows:

Theorem 5.9.(Xiao-Massey Spectral Test) The function f :IBm_→_IB

ish-th order correlation immune iﬀ its Fourier transformF satisﬁes F(ω1, ω2, . . . , ωm) = 0

for all ω = (ω1, ω2, . . . , ωm) ∈ IBm with 1 ≤ wH(ω) ≤ h (where wH(ω)

denotes the Hamming weight (i.e. the number of entries 1) of the vectorω).

The proof of Theorem 5.9 follows from the following two lemmas:

Lemma 5.7.LetXbe a random vector consisting ofmindependent unbiased IB-valued random variablesX1, X2, . . . , Xm,f :IBm→IB,ω∈IBm\{0}and

putZ :=f(X1, X2, . . . , Xm). Then Z is independent of X, ωiﬀF(ω) = 0.

Proof:Since PZ|X,ω(1|b) = |{x∈IB m_:_f₍_x_{) = 1}_,_{x, ω}₌_b_}| |{x∈IBm_:_{x, ω}₌_b_}| = 2−(m−1) x∈IBm:x,ω=b f(x), we get PZ|X,ω(1|0)−PZ|X,ω(1|1) = 2−(m−1) x_∈IBm f(x)(−1)x,ω = 2−(m−1)F(ω).2

Lemma 5.8.A discrete random variable Z is independent of the random vectorY = (Y1, Y2, . . . , Ym)∈IBmiﬀ for every a∈IBm,Z is independent of

Y, a.

The proof follows directly from considering Fourier transforms (see Bryniels- son (1989)).2

We point out that Theorem 5.9 is really applicable in practice, since to com- pute the Fourier transform needs at mostO(m2m) additions and subtractions (see Massey (1997), p. 3.63). However, high-order correlation immunity can- not happen if the nonlinear order λ of the function f is too high. Let us explain this in detail: Letf :IBm_→_IB_{. Then the so-called algebraic normal}

form of the functionf is

f(x1, x2, . . . , xm) =a0+a1x1+a2x2+. . .+amxm

+a1,2x1x2+a1,3x1x3+. . .

+. . .

+a1,2,...,mx1x2. . . xm,

where the coeﬃcients are given by the inversion formula

a1,2,...,k= x_∈S₁_,₂_,...,k f(x1, x2, . . . , xm) (5.16) and S1,2,...,k := {x:xk+1 =xk+2 =. . .=xm= 0} : 1≤k≤m−1 {x} : k=m, (5.17)

etc. (see Siegenthaler (1984)).

Deﬁnition 5.3.The nonlinear order λ of a function f : IBm _→ _IB _{is the}

maximum number of variablesxj that occur in a term of the algebraic normal

form of f.

Theorem 5.10.(Siegenthaler’s Inequality) If λ denotes the nonlinear

order of the functionf :IBm_→_IB_{and if}_f _is_h_{-th order correlation immune,}

then

h≤m−λ.

Proof:Assumefish-th order correlation immune for someh∈ {1,2, . . . , m−

1}. We show that no product ofm−h+ 1 or more variablesxj can occur in

the algebraic normal form off. Deﬁne the numbers

N1,2,...,k=|{x∈IBm:x∈S1,2,...,k, f(x) = 1}|. (5.18)

Let Z := f(X) where X is a vector of m independent unbiased IB-valued random variables. Then we get

72 5 Pseudo-random Number Generators P(Z = 1 | Xk+1=Xk+2=. . .=Xm= 0) = N1,2,...,k 2k (1≤k≤m−1) (5.19) and P(Z = 1) = N1,2,...,m 2m . (5.20) We obtain P(Z = 1 | Xk+1=Xk+2=. . .=Xm= 0) =P(Z= 1) (m−h≤k≤m−1) and hence from (5.19) and (5.20)

N1,2,...,m 2m = N1,2,...,m₋1 2m−1 =. . .= N1,2,...,m₋h 2m−h , which implies N1,2,...,k = 2k−(m−h)N1,2,...,m₋h (m−h≤k≤m). (5.21)

From (5.21), for m−h+ 1 ≤k ≤ m, these numbers must be even, which implies, from (5.16) and (5.17)

a1,2,...,k = 0 (m−h+ 1≤k≤m).

However, this argument not only applies to the ﬁrstkcomponents of x, but to anykcomponents ofx, which proves the assertion.2

The tradeoﬀ given by Siegenthaler’s Inequality does not exist if the combining functionf is allowed to have memory. We will not persue this track further and only refer to Rueppel (1986), Chapter 9.

Further seminal papers on correlation attacks are e.g. Chepyzhov, Smeets (1991) and Meier, Staﬀelbach (1989), (1991), (1992).

In document Probabilistic & Statistical Methods in Cryptology An Introduction by Selected Topics pdf (Page 75-78)