This chapter presented Warbler-II, a new lightweight pseudorandom number generator based on nonlinear feedback shift registers with desirable randomness properties. We provided a detailed mathematical description of Warbler-II including its modes of operation. We performed a security analysis of Warbler-II in two steps. First, we ran the statistical tests specified by the EPC C1 Gen2 standard and the NIST standard on sequences generated by the PRNG; our PRNG passed all of them. We then characterized our PRNG against algebraic attacks, cube attacks, time-memory-data tradeoff attacks, Mihaljević et al.'s attacks, weak initial states and fault injection attacks. A hardware implementation of Warbler-II in VHDL for the low-cost Spartan-3 XC3S50 FPGA device shows that Warbler-II can be implemented using about 58 slices. Warbler-II can be employed as a random number generator in the automatic tag identification protocol as well as in the authentication protocols for RFID systems.
Chapter 9
Conclusions and Future Research
In this chapter, we summarize the research contributions of this thesis and present future research directions related to the subjects therein. The main contributions of each chapter are presented.
9.1 Conclusions
In this thesis, we concentrated on the design and analysis of cryptographically strong pseudorandom sequence and number generators. Specifically, we focused on the generation of de Bruijn sequences and span n sequences, which have good randomness properties such as maximum period, balance, and high linear complexity, and which are suitable for cryptographic applications. We fully exploited nonlinear feedback shift registers for generating de Bruijn sequences and span n sequences, and for designing random number generators.
We first studied the generation of span n sequences using nonlinear feedback shift registers whose feedback functions are composed of a permutation and a trace function over a finite field, a decimation number, and a t-tap position. Considering these parameters, a class of feedback functions in an NLFSR is formed and a number of span n sequences are produced. Span n sequence generation by this technique is called the structured search. In the structured search, we used WG transformations, three-term functions, five-term functions, monomial functions with Kasami exponent, and MCM functions as nonlinear feedback functions, and presented the number of span n sequences produced by each class of functions for 6 ≤ n ≤ 20. We studied the linear span (linear complexity) of the new span n sequences: the linear complexity of a new span n sequence lies between 2^n − 2 − 3n and 2^n − 2. The success probability of obtaining a span n sequence in the structured search was empirically compared with the success probability of obtaining a span n sequence by random generation. The comparison showed that the structured search yields a span n sequence with optimal or near-optimal linear complexity with a better success probability. The new span n sequences generated by the structured search can be used to design lightweight pseudorandom number generators and stream ciphers. Moreover, they can be used in the composition method to generate long de Bruijn sequences.
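As an added worked example (not code from the thesis), the script below makes the span n notions above concrete for small n: it runs a nonsingular NLFSR of the assumed form x_{k+n} = x_k ⊕ g(x_{k+1}, ..., x_{k+n-1}), tests the span n property (zero state fixed, all 2^n − 1 nonzero states on one cycle), counts every span n feedback function exhaustively for n ≤ 5 to obtain the exact success probability of random generation, joins the zero state to turn a span n sequence into a de Bruijn sequence (the simplest zero-join, not the thesis's composition method), and measures linear complexity with Berlekamp-Massey over GF(2). The linear baseline uses the primitive trinomial x^5 + x^2 + 1, and the de Bruijn bound checked is the classical Chan-Games-Key result 2^(n-1) + n ≤ LC ≤ 2^n − 1; neither comes from this page.

```python
"""Added example, not the thesis's code: generate span n and de Bruijn
sequences with a nonsingular NLFSR, count them exhaustively for small n,
and measure linear complexity with Berlekamp-Massey over GF(2)."""
from itertools import product


def nlfsr_cycle(n, g, start):
    """Run the NLFSR  x_{k+n} = x_k XOR g(x_{k+1}, ..., x_{k+n-1})  from the
    n-bit state `start` until the state repeats; return the output bits of
    that cycle.  The state is an int with x_k in the top bit; g is a truth
    table of length 2^(n-1) indexed by the int (x_{k+1} ... x_{k+n-1}),
    x_{k+1} most significant.  This feedback form is always a permutation of
    the state space, so every state lies on a cycle (assumed model)."""
    mask, low = (1 << n) - 1, (1 << (n - 1)) - 1
    s, out = start, []
    while True:
        x0 = s >> (n - 1)
        out.append(x0)
        s = ((s << 1) & mask) | (x0 ^ g[s & low])
        if s == start:
            return out


def is_span_n(n, g):
    """Span n sequence: the zero state is fixed (g(0,...,0) = 0) and all
    2^n - 1 nonzero states lie on one cycle, so every nonzero n-tuple
    appears exactly once per period."""
    return g[0] == 0 and len(nlfsr_cycle(n, g, 1)) == (1 << n) - 1


def span_to_de_bruijn(g):
    """Join the zero state into the span n cycle by flipping g at (0,...,0):
    the edge (1,0,...,0) -> (0,...,0,1) is rerouted through the all-zero
    state, giving period 2^n with every n-tuple appearing once."""
    return (1,) + tuple(g[1:])


def all_span_n(n):
    """Exhaustively enumerate every span n feedback function of this form.
    There are 2^(2^(n-1) - n) of them, one per de Bruijn sequence of order n."""
    return [g for g in product((0, 1), repeat=1 << (n - 1)) if is_span_n(n, g)]


def random_success_probability(n):
    """Probability that g drawn uniformly (with g(0)=0) gives a span n
    sequence: 2^(2^(n-1)-n) / 2^(2^(n-1)-1) = 2^(1-n)."""
    return len(all_span_n(n)) / (1 << ((1 << (n - 1)) - 1))


def linear_complexity(seq):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating
    `seq`.  Feed at least two periods of a periodic sequence to obtain its
    linear complexity (degree of the minimal polynomial)."""
    n = len(seq)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def sequence_stats(n, g):
    """(period, weight, linear complexity) of the cycle through state 0...01."""
    cyc = nlfsr_cycle(n, g, 1)
    return len(cyc), sum(cyc), linear_complexity(cyc * 2)


def truth_table(n, fn):
    """Truth table of g from a function of the tuple (x_{k+1}, ..., x_{k+n-1})."""
    return tuple(fn(bits) for bits in product((0, 1), repeat=n - 1))


def first_nonlinear_span_n(n):
    """First span n feedback (in truth-table order) whose sequence is not an
    m-sequence, i.e. whose linear complexity exceeds n."""
    for g in product((0, 1), repeat=1 << (n - 1)):
        if is_span_n(n, g) and sequence_stats(n, g)[2] > n:
            return g
    return None


def de_bruijn_lc_in_bounds(n):
    """Check the Chan-Games-Key bound 2^(n-1) + n <= LC <= 2^n - 1 for every
    de Bruijn sequence of order n (n >= 3)."""
    lo, hi = (1 << (n - 1)) + n, (1 << n) - 1
    return all(lo <= sequence_stats(n, span_to_de_bruijn(g))[2] <= hi
               for g in all_span_n(n))


if __name__ == "__main__":
    n = 5
    # Linear baseline (assumed): primitive x^5 + x^2 + 1, f = x_k XOR x_{k+2}
    g_lin = truth_table(n, lambda bits: bits[1])
    print("m-sequence   (period, weight, LC):", sequence_stats(n, g_lin))
    g_nl = first_nonlinear_span_n(n)
    print("span 5 NLFSR (period, weight, LC):", sequence_stats(n, g_nl))
    print("de Bruijn    (period, weight, LC):", sequence_stats(n, span_to_de_bruijn(g_nl)))
    print("span 5 feedbacks:", len(all_span_n(n)),
          "random success probability:", random_success_probability(n))
```

The exhaustive count reproduces the known total of 2^(2^(n-1) − n) span n feedback functions (2048 for n = 5), so a uniformly random feedback of this form succeeds with probability only 2^(1−n); the structured search in the text is an attempt to do better than that baseline. Because a span n sequence has even weight 2^(n-1), the sum over one period vanishes and its linear complexity can never exceed 2^n − 2, the upper end of the range quoted above.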
We then refined the composition method so that we could generate long de Bruijn sequences, and determined the linear complexity of a composited de Bruijn sequence. We conducted an analysis of a composited nonlinear feedback function that generates a de Bruijn sequence. In the analysis, we studied an approximation of the feedback function obtained by setting some product terms to constant functions. The cycle structure of an approximated feedback function and the linear complexity of a sequence generated by an approximated feedback function were determined. Our analysis also indicated that a composited de Bruijn sequence can be cryptographically strong if the starting span n sequence has a long period and optimal linear complexity. Moreover, we presented a few examples of de Bruijn sequences with periods between 2^35 and 2^40, together with their algebraic forms. Furthermore, the implementation issues of the feedback function of a composited NLFSR were taken into consideration.
We proposed a new pseudorandom number generator family, named the Warbler family, for resource-constrained smart devices such as RFID tags. The Warbler family is a purely NLFSR-based PRNG family with desirable randomness properties. It is composed of two building blocks, namely a combination of modified de Bruijn blocks (CMDB) and a nonlinear feedback WG generator (NFWGG). The combination of modified de Bruijn blocks consists of a number of primitive NLFSRs. The nonlinear feedback WG generator contains an NLFSR over an extension field and two WG transformation modules used for feedback and for filtering. Randomness properties of an output sequence produced by the Warbler family are derived, followed by a description of the initialization and running phases of the Warbler family. Some parameter selection criteria for an instance of the Warbler family are proposed to offer the best security level against known attacks.
We presented an instance, Warbler-I, of the Warbler family for EPC Class-1 Generation-2 passive RFID tags. Considering the high power consumption, large area and low throughput of TRNGs, we replaced the TRNG used in previous works by a PRNG with good statistical properties. Warbler-I can generate sequences with good randomness properties, such as period at least 2^37.32 and linear span at least 2^18.58. In our design, the pseudorandom sequences are generated using nonlinear feedback shift registers. The statistical tests specified by the EPC C1 Gen2 and NIST standards, algebraic attacks, cube attacks and time-memory-data tradeoff attacks are employed to characterize the security properties of the proposed PRNG. A comparison with sponge-based PRNGs is also conducted. In addition, an FPGA implementation shows that Warbler-I can be implemented using 46 slices and can generate a 16-bit random number every 80 clock cycles after an initialization process of 36 clock cycles. Warbler-I satisfies the requirements of the EPC C1 Gen2 standard and is hence a suitable candidate for that standard.
We proposed another instance, Warbler-II, of the Warbler family, which is designed to provide a better security level than Warbler-I. We described Warbler-II with its mathematical functions in detail. The CMDB of Warbler-II contains three primitive NLFSRs. The period and linear complexity of an output sequence produced by Warbler-II are at least 2^64.32 and 2^43.38, respectively. We performed a detailed security analysis of Warbler-II in two steps. First, we ran the statistical tests specified by the EPC C1 Gen2 standard and the NIST standard on sequences generated by Warbler-II; our PRNG passed all of them. Then, we characterized Warbler-II against algebraic attacks, cube attacks, time-memory-data tradeoff attacks, Mihaljević et al.'s attacks, weak initial states and fault injection attacks. A hardware implementation of Warbler-II in VHDL for the low-cost Spartan-3 XC3S50 FPGA device shows that Warbler-II can be implemented using about 58 slices. Warbler-II can be used as a random number generator in the automatic tag identification and authentication protocols for RFID systems.