A Novel Stream Cipher on Feed forward Model

2016 International Conference on Electronic Information Technology and Intellectualization (ICEITI 2016) ISBN: 978-1-60595-364-9

A Novel Stream Cipher on Feed-forward Model

Yuhang Xing, Min Li and Litao Wang

ABSTRACT

Feed-forward model is a basic pseudo random sequence generator (PRSG) using in stream cipher. A novel feed-forward model is constructed. Inversion attack on feed-forward model is analysed and detailed inversion attack algorithms and complexity of these algorithms are given, design advice on being resistant to inversion attack is presented on the basis of complexity analysis.The random attributions of the generated number are test with regards to period, balance, correlation and run property. And the result shows that the random number generator generates numbers with very good randomness.

INTRODUCTION

Nonlinear combination generator is a kind of pseudo random sequence generator that is often used in stream cipher [1-2]. Pseudo random sequence generator is comprised of a linear feedback shift register and a feed-forward logic is most basic one. The model that consists of single register and feed-forward function is called feed-forward model in this paper. When feed-forward model of the synchronous stream cipher generator is designed in cryptography, it is always divided into two parts, the driving part and the nonlinear combination part [3]. The driving part uses the LFSR sequences and the nonlinear combination part do some confusion and diffusion with the sequences generated by linear part.

driving part will be obtained if it is designed well enough. And there are many attack methods with different feed-forward models, such as guess and decision attack, fast correlation attack and algebraic attacks [4-7]. J. Dj. Golic proposed the extended inversion attack specified to the feed-forward model in 2000. The attack is a known plaintext attack without exhaustive search of all possible initial state, and it shows its fast and simple features in some special situations. We propose a novel feed-forward model based on special state transition matrix by designing the state transition matrix. The model is analysed with the inversion attack, and the specific attack algorithm as well as the complexity analysis are also given in this paper. On the basis of complexity analysis, the design strategy of anti-inversion attack feed-forward model based on special state transition matrix is put forward.

In this paper, the symbols agree as follows:

2 {0,1}

F  _{, indicates the addition modulo 2, 2}m {0,1}m

F  _{means m-dimensional}

vector space on F; if 2

m

xF _{, denoted as}x( , , ,x x_{1 2}  x_m)_{; Z indicates the set of} integers and Z _{the set of positive integers. The finite field with q elements is} noted as GF q( )_.

SPECIAL STATE TRANSITION MATRIX AND FEED-FORWARD MODEL

In order to build a new class of feed-forward model, special state transition matrix is defined as follows,

Definition 1 We call such matrix in the form of T ( )cij a special state transition matrix, if

, if ; if 1; if 1; 0 else

i

i ij

i

a i j

b i j

c

d i j

 

 _{ }

  

  



， ，

.

where a b di, ,i iF2.

Theorem 1 Let T be a special state transition matrix on F2and primitive, there

is bi di 1,    1 i m 1.

Just as the feed-forward model of shift register transformation based on multiplication circuits, the following feed-forward model is defined. In this section we will discuss the situation when the state transition matrix is primitive [8].

Definition 2 Let T _{be special state transition matrix, then we call}

1 2 1 1 1 1 1 1 2 2 1 2 2 3

( , , ,x x  x T_m) (0,b x, , b_mx_m) ( a x a x, , , a x_{m m}) ( d x d x, , ,0) _,

the sequence generated by state transition transformation, which is a linear recursive sequence denoted as { }St t 1



 . This transformation is also call state

let : 2 2

n k

f F F _{be a multi-output Boolean function, and the positive}

integers 1, , ,2  nsatisfy112 n m. For t1, let 1 2 ( ) ( ) ( )

( , , , )

n

t t t

t

y  f x_ x_  x_

, then we say the sequence{ }yt t 1



 is the feed-forward sequence of the feed-forward

model designed by multiplication circuits based on special state transition matrix. The main problem of the feed-forward model is how to design the state transition matrix, tap positions, feed-forward function f. Special transition matrix is designed; Feed-forward function f is nonlinear usually, we use a nonlinear Boolean function existing and don’t design feed-forward function in the paper. We design tap positions of feed-forward model according to the following analysis. The basic problem of the feed-forward model is how to find the initial state when the state transition matrix, tap positions  1, , ,2  n , feed-forward function f and feed-forward sequence of { }St t 1



 are all given. All the feed-forward functions

discussed in the paper are Boolean functions, and so it is with the multi-output feed-forward function. Obviously, special state transition matrix discussed is primitive in the paper, so there is bi di 1,    1 i m 1.

INVERSION ATTACK ON THE FEED-FORWARD MODEL BASED ON SPECIAL STATE TRANSITION MATRIX

In this section, we first analyze the feed-forward model based on the multiplication circuits of special state transition matrix. There are two methods on inversion attack according to two conditions.

Condition I: If    1 i n 1_{，there is} d( i1, )i d( , ) n 1 ，d( , ) i j is denoted distance between i -th tap and j-th tap .

In general, we denote the input of f at time t (i.e. a segment obtained from the

t-th state St ) as 1 1 1

( ) ( ) ( ) ( ) ( ) ( )

1 2 1

( , , , , , )

n n

t t t t t t

X  x_ x_ x_  x_ x_

, where 1represents the starting

time.

Since 1 1 1

( 1) ( 1) ( 1) ( 1) ( 1) ( 1)

1 2 1

( , , , , , )

n n

t t t t t t

X   x_ x__ x__  x__ x_

, when  1 1, then

1 1 1 1 1 1 1 1 1

( 1) ( 1) ( 1) ( 1) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )

1 1 1 1 1 2 1

( , , , ) (0, , , ) ( , , , ) ( , , , )

n n n n n

t t t t t t t t t t t t

X   x_ x_  x_  x_  x_  a x_{ } a_ x_  a x_{ }  x_ x_  x_ (1)

When  1 1, then

1 1 1 1 1 1 1 1 1 1

( 1) ( 1) ( 1) ( 1) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )

1 1 1 1 1 1 2 1

( , , , _n ) ( , , , _n ) ( , , , _{n n}) ( , , , _n ) t t t t t t t t t t t t t X   x_ x__  x_  x_ x_  x_  a x_{ } a_x_ a x_{ }  x_ x_  x_

(1)If  1 1, with given X( 1)t , can be uniquely confirmed if ( )n 1

t

x_ has been

already known. (2)If  1 1, with given

( 1)t

X  , can be uniquely confirmed if ( )n 1, ( )n 1

t t

x x has been

already known.

So we can obtain all the possible solutions of ( 1)t

X  . That is all the possible

solutions of { ( )} 1

i i

X _{ can be easily calculated with the given} (1)

X , and then we can

filter the correct solution and find the initial stateS1of the recursive sequence.

Here we find all the possible solutions of ( 1)t

X  by determining whether the equation

1 2 3

( 1) ( 1) ( 1) ( 1)

1 ( , , , , n )

t t t t

t

y  f x x x  x (3)

is true: we exhaust all the possible ( )n 1

t

x _{， calculate all the possible}

1 1 1

( 1) ( 1) ( 1) ( 1)

1 2

( , , , , )

n

t t t t

x x x  x _{and retain a set of} ( 1)t

X  which make equation (3) true.

Condition II: If     1 i n 1_{，there is} d( i1, )i d( , ) n 1 .

In general, we denote the input of f at time t (i.e. a segment obtained from the

t-th state St ) as 1 1

( ) ( ) ( ) ( ) ( ) ( ) ( )

1 2 1

( , , , , , , , )

i i i

t t t t t t t

m

X  x x  x x x  x , where i1 represents the

starting time. So

1 1

1 1 1 1 1 1

( 1) ( ) ( ) ( ) ( ) ( )

1 1 1

( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )

1 1 2 2 1 1 2 3 1 1 2

(0, , , , , , , )

( , , , , , , , ) ( , , , , , , ,0)

i i i

i i i i i i i i i

t t t t t t

m

t t t t t t t t t t t

m m

X x x x x x

a x a x a x a x a x a x x x x x x

                                

    (4)

Then given ( )t

X , ( 1)t

X  can be uniquely confirmed if 1

( ) ( ) 1, 1

i i

t t

x x_ _{has been already}

known.

So we can obtain all the possible solutions of ( 1)t

X  . That is all the possible

solutions of { ( )} 1

i i

X _{ can be easily calculated with the given} (1)

X , and then we can

filter the correct solution and find the initial stateS1of the recursive sequence.

Here we find all the possible solutions of ( 1)t

X  by determining whether the equation

1 2 3

( 1) ( 1) ( 1) ( 1)

1 ( , , , , n )

t t t t

t

y  f x x x  x (5)

is true: we exhaust all the possible ( )n 1

t

x _{， calculate all the possible}

1 1 1

( 1) ( 1) ( 1) ( 1)

1 2

( , , , , )

n

t t t t

x x x  x _{and retain a set of} ( 1)t

X  which make equation (5) true.

Inputs of algorithm1 are listed as follows,

(1) The level of the linear sequence designed by multiplication circuits based on special state transition matrix is m;

(2) The structure parameters of the linear recurrence relation( , , , ,a a a1 2 3  am1);

(3) Feed-forward functionf _{and its tap positions} 1, , ,2  n; (4) Segment with length of T of the feed-forward sequence{ }yt t 1

  .

Output：The initial stateS1 of the linear recursive sequence generated by the

multiplication circuits based on special state transition matrix.

Pre-processing：

(1) For t1_{, compute the m-dimension vector} t on F2that makes

( )

1 1

n t

t

x  S

true. And denote ui a m-dimension vector on F2with the i-th component of it

equals 1 and all the others are 0. (2) For t1_{, let} ct 1if

( ) 1

n t

x _{has the linear constraint relation given by}

definition1, or ct 0. Then we find the numbers of the non-zero coefficient of the linear constraint relation equation when ct 1, and denote the minimum time of ( )n 1

t

x _{with the linear constraint relation as} t_1.

(3) For t m n 1 1, Examine whether the rank of the coefficient matrix of

the equations set with 1 1

( ) ( ) ( ) (1) (2) ( 1) 1

, , , , , , ,

n n n n

t t t t

x x  x x x  x _{(concerned with component}

1

S_{) is m. and denote the minimum time as} Tm when the rank is m.

Main Algorithms As Follows.

Step1 Let T Tm.

Step2 For any possible value of 1 1 1

(1) (1) (1) (1) (1)

1 2

( , , , , )

n

X  x x x  x _{, Select the input of f,}

1 2 3

(1) ₍ (1)_, (1)_, (1)_{, ,} (1)₎

n

x  x x x  x _{. Then calculate} z f x( (1))_{. Go to Step2 if} z y1 and select

the next possible value of 1 1 1

(1) (1) (1) (1) (1)

1 2

( , , , , )

n

X  x x x  x _{. Set t}_{2 and} deep1 _when

1

z y _{and go to Step3.}

Step3 Go to Step6 if tT_{. Exhaust} ( 1)n 1

t

x _if tt_{1, save the set} deep consisting of

all the possible values of ( 1)n 1

t

x _{and go to Step4. Else find the value of} ( 1)n 1

t

x _{a by}

using linear constraint relation, then go to Step5. Step4 Pop the first value of set deep;

Step5 According to (1) and the saved ( 1)t

X  ，calculate

1 1 1 1 1 1 1

( ) ( 1) ( 1) ( 1) ( 1) ( 1) ( 1) ( 1)

1 1 1 1 2

(0, , , ) ( , , , ) ( , , , )

n n n

t t t t t t t t

and save ( )t

X . Then get the input of f , 1 2 3

( ) ₍ ( )_, ( )_, ( )_{, ,} ( )₎

n

t t t t t

x  x x x  x _{, so as to obtain}

( )

( t )

z f x _{. If the set} deep is empty and zyt, minus deep by 1. Go back to Step2

to check the next possible values of (1)

X _if deep0_{, else go to Step4. If set} deep is

not empty, pop the next value of deep and redo Step5. Add t deep, by 1 when z yt and return to Step3.

Step6 The algorithm ends until all the possible solutions of the initial state are found according to ( )T

X _and

(1)_, (2)_{, ,} ( 1)

n n n

T

x x  x  _.

We can determine the time of the initial state by Tm. According to the above analysis of algorithm 1, if Tmm，it is better to select a bigger to make the expectation approximation2m T

of incorrect initial state smaller. It can be respected that the obtained initial state is unique with  10 _when Tm m.

The complexity of algorithm 1 is analysed as follows.

Theorem 2 GivenTm, , t1，then the maximum computational complexity of

algorithm 1 approximates to(t1 1)2n



 _{times execution of} f _{, its storage complexity}

is O(nTm)，and data complexity is Tm random numbers. The probability of

finding correct S1 closes to 2 2 1

m

m T m T m





 

  _ .

With the help of verification method of algorithm 1, its maximum computational complexity is (t1 1)2n



 _times f _{executions. Which means it’s far}

smaller than the half of maximum computational complexity.

Similarly, we can give results and algorithm of 11and condition II, which is

not given because of length of the paper is limited.

DESIGN STRATEGY OF ANTI-INVERSION ATTACK FEED-FORWARD MODEL

So as to resist the inversion attack, there are some issues we should pay attention to with the tap positions choosing in our method. According to theorem 1, assume that Tm,11，t1 are given, the maximum computation complexity of

algorithm 1 is closed to (t1 1)2n



 _{times executions of function} f _{. Obviously,}

assume that n mare given, the maximum computation complexity of algorithm 1

is closed to (1 1)2

m

t  _{the inversion attack is least effective when}

1 1

, 1, 2

n m i i

    _   _{, when i satisfies} 1

(1) (1)

( , )

i i

d x_ x_

    1 i n 1, which is the best

of input taps is n, 2 1 3 2 1 (1) (1) (1) (1) (1) (1)

( , ) ( , ) ( , )

n

d x_ x_ d x_ x_ d x_ x_

is the best design strategy of anti-inversion attack schemes.

EXPERIMENT AND TEST

A random number generator according to the feed-forward model based on special state transition matrix is implemented in C. Then we test the generated random number on a computer with Pentium IV 1.3GHz processor, 1GB memory. The random attributions of the generated number are test with regards to period, balance, correlation and run property. And the result shows that the random number generator based on special state transition matrix generates numbers with very good randomness.

REFERENCES

1. J. Dj. Golic. 1996. “On the security of nonlinear filter generators”. Fast Software Encryption.

1039: 173-188.

2. J. Dj. Golic, A. Clark, E. Dawson. 2000. “Generalized Inversion Attack on Nonlinear Filter

Generators”. IEEE Transactions on Computers, 49(10): 1100-1109.

3. Xinmei Wang, Guozhen Xiao, et al. 1991. Error correcting codes: Principles and Methods.

Press of Xidian University, pp. 23-101.

4. Forre R.A. 1990. “fast correlation attack on nonlinearly feedforward filtered shift-register

sequences”. In: Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology 1989. Houthalen, Belgium. pp. 586-595.

5. Pasalic E. 2009. “On guess and determine cryptanalysis of LFSR-based stream ciphers”. IEEE

Transactions on Information Theory. 55(7): 3398-3406.

6. Courtois N.T, Meier W. 2003. “Algebraic attacks on stream ciphers with linear feedback”.

Advances in Cryptology-Eurocrypt. pp. 345-359.

7. Wenfeng Yang, Yupu Hu, Hua Qiu. 2012. “Algebraic attacks two kinds of special nonlinear

filter generators”. High Technology Letters. 18(2): 151-154.

8. Palash Sarkar. 2000. “Computing shifts in 90/150 cellular automata sequences”. Discrete