The Bit-Search Generator

SASC Workshop

October 14-15, 2004

The Bit-Search Generator

Aline Gouget and Hervé Sibert
France Telecom Research and Development
42 rue des Coutures BP 6243, F-14066 Caen, France
{aline.gouget,herve.sibert}@francetelecom.com

Abstract. We present the construction of a pseudorandom generator, that we call the Bit-Search Generator (BSG), based on a single input sequence. The construction is related to the so-called Self-Shrinking Generator, which is known for its simplicity (conception and implementation-wise) combined with some interesting properties. After presenting how the generator runs, we give a description of the BSG in terms of permutations and we study some of its properties. We also give statistical results.

1 Introduction

The usual way to design a hardware-oriented stream cipher consists in combining the output of one or several LFSRs in order to obtain a pseudorandom sequence of bits having good properties. Among these properties, the most regarded ones are the period and the linear complexity. These properties are obviously not sufficient, as they do not guarantee that the resulting sequences will resist algebraic or correlation attacks. Usual design techniques to obtain cryptographically suitable pseudorandom sequences include applying (sufficiently) complicated Boolean functions to the outputs or the internal states of several LFSRs, and having the clocking of some LFSRs controlled by a combination of (possibly other) LFSRs. One drawback of these techniques is that they can result in a cipher that is too complicated or slow for the fast synchronous encryption that cheap hardware stream ciphers are usually dedicated to.

Another interesting technique is to decimate the output of an LFSR in an irregular way. This is the point of two well-known pseudorandom generators: the Shrinking Generator [1] and the Self-Shrinking Generator [3]. Recall that the Shrinking Generator takes two pseudorandom bit sequences as input, and uses the first sequence in order to shrink the second one as follows: the two sequences are read simultaneously, and the current bit of the second sequence is taken if the current bit of the first sequence equals 1, otherwise it is discarded. The Self-Shrinking Generator takes only one input sequence of bits. The bits of this sequence are read pairwise, and the second bit of each pair is taken only if the first bit equals 1, otherwise the pair is discarded. Both generators use the result of a search for 1's along a bit sequence in order to determine the bit they output. Indeed, in the case of the Shrinking Generator, a cursor moves along a sequence and, when it finds a 1, the corresponding bit of the second sequence is taken. In the case of the Self-Shrinking Generator, a cursor reads every other bit along the sequence and, when it encounters a 1, the following bit in the sequence is taken.


Instead of using a search for 1's along a bit sequence in order to determine the output bit, the construction we propose uses the search for some bit b, where b varies during the process, and the variations depend on the bit sequence; this explains the name of the generator, which is Bit-Search Generator (BSG). During the search process for a bit b, a cursor moves along an input sequence. The search process ends when a bit b is found; the output is 0 if the search process ends after reading only one bit, and 1 otherwise. Then, the value of the bit b for the next search process is the value of the following bit of the sequence.

The outline of our paper is as follows: in the first section, we describe the general construction of the BSG and we introduce the notation and definitions that are needed in the paper. In the second section, we show how it can be modelled using permutations over 3 elements and we prove theoretical results for the general case when the input sequence is periodic. In the third section, we give theoretical results for the case when the input is given by a maximum length LFSR. We prove results on the periodicity of the output sequences thus obtained, including a lower bound on the period length. Furthermore, we show that the average output rate of the BSG in this case equals 1/3 (this is obviously the case for random input sequences), whereas the average output rate of both the Shrinking and the Self-Shrinking Generator is 1/4. Finally, we give statistical results on the linear complexity.

2 The construction

The principle of the BSG consists in searching for some bit along the input sequence, and in outputting 0 if the search ended immediately (that is, if the first bit read during the search was the good one), and 1 otherwise. Consider a window that is located before the first bit of the input sequence. The window moves on to read the first bit of the sequence, and then moves along the sequence until it encounters this bit again. If the window has read only two bits (i.e., the first bit read by the window was followed by the same bit), then the BSG outputs 0, otherwise it outputs 1. The window then reads the next bit following its position, then moves along the input sequence to find it, and so on.

Example 1. The action of the BSG on the input 0101001110100100011101 is described by the following (each group of bits is one search process, with the bit output for it written underneath):

  010  1001  11  010  010  00  11  101
   1     1    0   1    1    0   0   1

2.1 The BSG Algorithm

A more precise definition of the BSG, in the shape of an algorithm, is as follows:

Definition 1. Let (s_0, s_1, s_2, ...) be a sequence of bits. The Bit-Search Generator is defined by the following algorithm:
1. Initialization – place a window "before" the bit s_0
2. Repeated process
   (a) move the window over the next bit of the sequence
   (b) b ← current bit in the window
   (c) move the window over the next bit of the sequence
   (d) if the bit in the window is equal to b, then a ← 0, else a ← 1
   (e) while the bit in the window is not b, move the window over the next bit of the sequence
   (f) output a
3. End condition – end of the sequence or remote call

Return now to Example 1 and consider the action of the BSG on the sequence obtained by deleting the first bit of the previous input sequence:

Example 2. The action of the BSG on the input 101001110100100011101 is described by the following (the trailing group "01" is a search for a 0 that the end of the sequence interrupts, so no bit is output for it):

  101  00  11  101  00  10001  11  01
   1    0   0   1    0    1     0   –



When the end condition of the BSG algorithm is triggered by, for instance, the end of the sequence, the output state of the generator depends on the last instruction executed. In Example 1, the last search process (step 2e) is complete since it succeeds when the cursor reaches the last bit of the sequence, whereas, in Example 2, the search process is interrupted while looking for a 0 and the last search process is incomplete.
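As an added illustration (this is not code from the paper), the following Python follows the six steps of Definition 1 literally, records which bits each search process consumed, and reports whether the last search process was complete. Run on the inputs of Examples 1 and 2 it reproduces the groupings shown above; the function names are this example's own.

```python
# Added example, not from the paper: the BSG of Definition 1, step by step.
from typing import List, Tuple


def bsg_trace(bits: List[int]) -> Tuple[List[Tuple[str, int]], bool]:
    """Run the BSG over a finite bit sequence.

    Returns (searches, complete): `searches` lists, for each search
    process, the bits it consumed and the bit output for it; `complete`
    is False when the sequence ended during the last search (step 2e).
    """
    searches = []
    n = len(bits)
    pos = -1                       # step 1: the window sits "before" s_0
    complete = True
    while True:
        pos += 1                   # step 2a: move over the next bit
        if pos >= n:
            break                  # step 3: end of the sequence
        start = pos
        b = bits[pos]              # step 2b: the bit to search for
        pos += 1                   # step 2c
        if pos >= n:
            complete = False       # interrupted while looking for b
            break
        a = 0 if bits[pos] == b else 1   # step 2d
        while bits[pos] != b:            # step 2e: keep moving until b
            pos += 1
            if pos >= n:
                complete = False
                break
        if not complete:
            break
        chunk = "".join(str(x) for x in bits[start:pos + 1])
        searches.append((chunk, a))      # step 2f: output a
    return searches, complete


def bsg_string(text: str) -> str:
    """Convenience wrapper: '0101...' in, output bits as a string out."""
    searches, _ = bsg_trace([int(c) for c in text])
    return "".join(str(a) for _, a in searches)


if __name__ == "__main__":
    # The inputs of Examples 1 and 2.
    for text in ("0101001110100100011101", "101001110100100011101"):
        searches, complete = bsg_trace([int(c) for c in text])
        print(text)
        print("  searches:", " ".join(chunk for chunk, _ in searches))
        print("  output:  ", "".join(str(a) for _, a in searches),
              "(last search complete)" if complete else "(last search interrupted)")
```

The `complete` flag is the distinction the paragraph above draws: it is True for Example 1 and False for Example 2, whose last search for a 0 is cut off by the end of the input.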

2.2 Notation and definitions

Let s = (s_0, s_1, ...) be an infinite sequence. The sequence s is said to be T-periodic if s_i = s_{i+T} for all i ≥ 0, and the sequence is periodic if it is T-periodic for some positive integer T. The output sequence of the BSG for input sequence s is denoted BSG(s). For a finite input sequence s = (s_0, ..., s_n), BSG(s) denotes the sequence BSG(s_0, ..., s_m), where m is the greatest integer such that the last search process (step 2e) is complete. The length of a given finite sequence s = (s_0, ..., s_n) is denoted ℓ(s). Let b ∈ {0, 1}. The complement of b in {0, 1} is denoted b̄. For practical purposes, we define the shift of a sequence, and next, we introduce a notation for the output of the BSG when the input sequence is shifted:

Definition 2. For two infinite sequences of bits s = (s_0, s_1, ...) and s′ = (s′_0, s′_1, ...), we say that s′ is (k-)shifted from s if there exists k ≥ 0 satisfying s′_i = s_{i+k} for every i ≥ 0. For s = (s_0, s_1, ...) a sequence of bits, we denote by BSG(s, i) the output sequence of the BSG for input sequence (s_i, s_{i+1}, ...). Given an infinite sequence s, we will call output sequence set of the BSG for input s the set of output sequences BSG(s, i), i ≥ 0.

Remark 1. In this paper, we do not consider the case of an infinite sequence of 0's or of an infinite sequence of 1's; the output of the BSG is, in such a case, an infinite sequence of 0's.

3 General case: the BSG and permutations

At first glance, it seems that, when one shifts the input sequence, this yields a new output of the BSG, and it is not clear how the different outputs thus obtained are related to one another. The aim of this part is to show that, for an input sequence s that can be shifted (for example, being entered into the BSG only from some s_i), all the possible output sequences are obtained by shifting one among 3 main sequences deduced from s.

We now present more precisely the notion of state in relation with the output state of the BSG. Consider the window moving along the input sequence. After reading the bit inside the window, the window has three possible states:
– The first state is when the last bit read is the bit that was looked for (then the window gets an "empty" state, denoted by "∅"),
– The second state is when the last bit read is 1 while 0 was looked for, or when it is 0 and nothing was looked for (then the window gets a "0" state, meaning we are looking for 0),
– The last one is when the last bit read is 0 while 1 was looked for, or when it is 1 and nothing was looked for (then the window gets a "1" state).

In the BSG Algorithm, the initial state of the window is ∅. In the repeated process of the algorithm defining the BSG, the end of Step 2e corresponds exactly to the recognition of the next state ∅. Furthermore, each time the state of the window returns to ∅ corresponds exactly to the output of one bit by the BSG (Step 2f). The state of the window is updated after each reading of a bit; Table 1 shows how the state is modified when a 0 or a 1 is read. We see that, for b = 0, 1, reading the bit b permutes the ∅ state and the b state.

Table 1. Action of 0 and 1 on the state S of the window

  state S            ∅   0   1
  after reading 0    0   ∅   1
  after reading 1    1   0   ∅

From now on, we denote by S the set of states S = {∅, 0, 1}, and by Id, t_0 and t_1 the identity and the transpositions (∅ 0) and (∅ 1) respectively. When the window moves along the input sequence (s_0, s_1, ...), each bit s_i read by the window acts on the state of the window by applying t_{s_i} to it. We now define the output state of the BSG for a finite sequence (s_0, s_1, ..., s_k).

Definition 3. Let (s_0, s_1, ..., s_k) be a finite sequence of bits. The output state of the BSG Algorithm for input (s_0, ..., s_k) is defined by:

  OS(s_0, ..., s_k) = t_{s_k} ∘ t_{s_{k−1}} ∘ ... ∘ t_{s_0}(∅).

In other words, the output state of the BSG Algorithm for input (s_0, ..., s_k) is the empty state if the last execution of Step 2e is complete, and otherwise it is the value of the currently searched bit b. Furthermore, the state of the window moving along the sequence s = (s_0, s_1, ...) after reading the bit s_i is OS(s_0, ..., s_i).


Lemma 1. Let k be a positive integer, s = (s_0, s_1, ...) be an infinite sequence of bits and s′ = (s_{k+1}, s_{k+2}, ...) be the (k+1)-shifted sequence of s. Then OS(s_0, ..., s_i) = OS(s_{k+1}, ..., s_i) holds for some i ≥ k + 1 if, and only if, we have OS(s_0, ..., s_k) = ∅.

Proof. We have OS(s_0, ..., s_i) = OS(s_{k+1}, ..., s_i), which means

  t_{s_i} ∘ t_{s_{i−1}} ∘ ··· ∘ t_{s_{k+1}} ∘ t_{s_k} ∘ ··· ∘ t_{s_0}(∅) = t_{s_i} ∘ t_{s_{i−1}} ∘ ··· ∘ t_{s_{k+1}}(∅).

As every t_b is a bijection of S, this in turn is equivalent to t_{s_k} ∘ ··· ∘ t_{s_0}(∅) = ∅. □

The following proposition implies that the output sequence set of the BSG for input sequence s can be described from a small number of sequences BSG(s, i).

Proposition 1. Let s = (s_0, s_1, s_2, ...) be an infinite sequence of bits where both 0 and 1 appear infinitely many times. Let k denote the minimal index for which we have s_k ≠ s_0. Then, for every i ∈ ℕ, the sequence BSG(s, i) is shifted from one sequence among BSG(s, 0), BSG(s, 1) and BSG(s, k + 1).

Proof. We deal here with two cases, namely i ≤ k and i > k. In the first case, by definition of k, we have s_j = s_0 for every j ∈ {0, ..., i−1}. Then, if i is even, OS(s_0, ..., s_{i−1}) = ∅ and the sequence BSG(s, i) is shifted from BSG(s, 0). If i is odd, we have OS(s_1, ..., s_{i−1}) = ∅ and the sequence BSG(s, i) is shifted from BSG(s, 1). Consider now the case i > k. For i = k + 1, the result is obvious. Suppose now i > k + 1. We have to prove that one of the three states OS(s_0, ..., s_{i−1}), OS(s_1, ..., s_{i−1}) and OS(s_{k+1}, ..., s_{i−1}) is equal to the empty state. In order to achieve this, we prove that the three output states are all distinct. As the bit s_k is read for the first time at index k starting from s_0, reading s_k cannot be the end of a search, so we have OS(s_0, ..., s_k) ∈ {0, 1}. For similar reasons, we have OS(s_1, ..., s_k) ∈ {0, 1}. From Lemma 1, we deduce {OS(s_0, ..., s_k), OS(s_1, ..., s_k)} = {0, 1}. Now, let p = t_{s_{i−1}} ∘ ··· ∘ t_{s_{k+1}}. Then, we have:

  OS(s_{k+1}, ..., s_{i−1}) = p(∅),
  OS(s_0, ..., s_{i−1}) = p(OS(s_0, ..., s_k)),
  OS(s_1, ..., s_{i−1}) = p(OS(s_1, ..., s_k)).

Therefore, the three states p(∅), p(OS(s_0, ..., s_k)) and p(OS(s_1, ..., s_k)) are all distinct, so one of them is ∅. We deduce that the sequence BSG(s, i) is shifted from one of the three sequences BSG(s, 0), BSG(s, 1) and BSG(s, k + 1). □

We consider the output of the BSG when the input sequence is periodic, which is the case for what the BSG is intended: generating good pseudorandom sequences from input sequences given by an LFSR. Notice that when the input sequence is periodic, then if a bit (0 or 1) appears at least once in the sequence, it appears infinitely many times. In the sequel, all the input sequences we consider are of period length at least 2.

Proposition 2. Let s = (s_0, s_1, ...) be an infinite T-periodic sequence of bits. Then BSG(s) is periodic and there exists an integer k, with 1 ≤ k ≤ 3, such that BSG(s_0, ..., s_{kT−1}) is a period of BSG(s).

Proof. Consider the permutation p = t_{s_{T−1}} ∘ ··· ∘ t_{s_0}. Let k ∈ {1, 2, 3} be the order of p. Then OS(s_0, ..., s_{kT−1}) = p^k(∅) = ∅ holds, so that, for every n ≥ 0, we have BSG(s_0, ..., s_{kT−1}) = BSG(s_{nkT}, ..., s_{(n+1)kT−1}), which is then a period of BSG(s). □


Remark 2. It is obvious that, on average, the BSG output rate is 1/3. Intuitively, we refer to the model of the BSG as a window moving along the input and taking the states ∅, 0 and 1. Each time the window takes the state ∅ corresponds to the output of a bit. Now, consider three windows running in parallel along the input sequence with their initial states being respectively ∅, 0, 1. Since reading a bit permutes the three states, after each bit read by the three windows there is always exactly one window in each state. Thus, for each bit read by the three windows, one bit is output, which yields the average ratio and the fact that, when a whole period of length T has been read by the three windows, T bits have been output.
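To make the permutation model of this section concrete, here is an added Python example (not code from the paper): it encodes Table 1 as the two transpositions t_0 and t_1, computes the output state OS of Definition 3, reads the output off the returns to ∅, and checks Propositions 1 and 2 and Remark 2 on the 21-bit input of Example 2 treated as one period of an infinite periodic sequence (an assumption made here for the demonstration; all function names are this example's own).

```python
# Added example, not from the paper: the state/permutation model of Section 3.
from typing import Dict, List, Sequence, Tuple

EMPTY = "∅"
STATES = (EMPTY, 0, 1)

# Table 1: TRANS[b][state] is the state after reading bit b, i.e. the
# transposition t_b = (∅ b) applied to the current state.
TRANS: Dict[int, Dict] = {
    0: {EMPTY: 0, 0: EMPTY, 1: 1},
    1: {EMPTY: 1, 0: 0, 1: EMPTY},
}


def output_state(bits: Sequence[int], start=EMPTY):
    """OS(s_0, ..., s_k) = t_{s_k} o ... o t_{s_0}(start) (Definition 3)."""
    st = start
    for b in bits:
        st = TRANS[b][st]
    return st


def bsg_by_states(bits: Sequence[int]) -> List[int]:
    """One output bit each time the window returns to ∅ (Step 2f):
    0 if the search took exactly two reads, 1 otherwise."""
    st, reads, out = EMPTY, 0, []
    for b in bits:
        reads += 1
        st = TRANS[b][st]
        if st == EMPTY:
            out.append(0 if reads == 2 else 1)
            reads = 0
    return out


def permutation_order(period: Sequence[int]) -> int:
    """Order k in {1, 2, 3} of p = t_{s_{T-1}} o ... o t_{s_0} on {∅, 0, 1}."""
    for k in (1, 2, 3):
        if all(output_state(list(period) * k, st) == st for st in STATES):
            return k
    raise AssertionError("a permutation of 3 elements has order at most 3")


def minimal_period(block: List[int]) -> List[int]:
    """Shortest prefix of length d dividing len(block) with block d-periodic."""
    n = len(block)
    for d in range(1, n + 1):
        if n % d == 0 and all(block[i] == block[i % d] for i in range(n)):
            return block[:d]
    return block


def bsg_period(period: Sequence[int], shift: int = 0) -> List[int]:
    """Proposition 2: BSG(s_i, ..., s_{i+kT-1}) is a period of BSG(s, i),
    k being the order of the permutation of one input period; the result
    is reduced to the minimal period."""
    rot = list(period[shift:]) + list(period[:shift])
    k = permutation_order(rot)
    return minimal_period(bsg_by_states(rot * k))


def rotations(block: List[int]):
    return {tuple(block[i:] + block[:i]) for i in range(len(block))}


def shift_classes(period: Sequence[int]) -> List[int]:
    """Proposition 1: BSG(s, i) is a shift of BSG(s, 0), BSG(s, 1) or
    BSG(s, k+1), k the first index with s_k != s_0.  Returns, for each
    shift i, the index (0, 1 or 2) of the reference output whose minimal
    period is a cyclic rotation of that of BSG(s, i)."""
    T = len(period)
    k = next(j for j in range(T) if period[j] != period[0])
    refs = [rotations(bsg_period(period, i)) for i in (0, 1, k + 1)]
    classes = []
    for i in range(T):
        out = tuple(bsg_period(period, i))
        classes.append(next(r for r, rot in enumerate(refs) if out in rot))
    return classes


def three_windows(period: Sequence[int]) -> Tuple[bool, int]:
    """Remark 2: three windows started in ∅, 0 and 1 are always in three
    distinct states, and together output exactly T bits per input period."""
    states = list(STATES)
    outputs = 0
    for b in period:
        states = [TRANS[b][st] for st in states]
        outputs += states.count(EMPTY)
        if len(set(states)) != 3:
            return False, outputs
    return True, outputs


if __name__ == "__main__":
    s = [int(c) for c in "101001110100100011101"]   # Example 2 input, as a period
    print("order of p:", permutation_order(s))
    print("minimal period of BSG(s, 0):", bsg_period(s))
    print("shift classes:", shift_classes(s))
    print("three windows (all distinct, outputs per period):", three_windows(s))
```

For this input the permutation of one period is the transposition (∅ 0), so BSG(s, 0) needs two input periods before the window is back in ∅, and the three parallel windows of Remark 2 emit exactly 21 bits per 21-bit input period.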

4 Case of maximum length LFSRs

All along this section, we review the case when the input sequence s is the output of a maximum length LFSR.

4.1 Period of output sequences

The aim of this subsection is twofold: we first state a theoretical lower bound on the period length of the output of the BSG, and then we give experimental results indicating that the period length of BSG(s) is always very close to (2^L − 1)/3 or 2·(2^L − 1)/3, that is, T/3 or 2T/3 with T = 2^L − 1 the period of the maximum length LFSR. As we have seen in Section 3, the output of the BSG for input an infinite T-periodic sequence s is also periodic, and there exists a unique minimal integer k, with 1 ≤ k ≤ 3, such that a period of the output is BSG(s_0, ..., s_{kT−1}). Now, this does not answer the issue of possible subperiods appearing within the finite sequence BSG(s_0, ..., s_{kT−1}). In other words, there might exist a finite sequence (s′_0, ..., s′_q) such that BSG(s_0, ..., s_{kT−1}) = (s′_0, ..., s′_q, ..., s′_0, ..., s′_q). The proof of the next result is quite involved, and it will appear in full in the extended version of the paper. Nevertheless, we give here an outline of the proof.

Proposition 3. Suppose s is the output of a maximum length LFSR of degree L ≥ 3. The period length of BSG(s) is at least 2^{⌊(L−2)/4⌋ − 1}.

Sketch of Proof. The first step of the proof consists in finding a "good" lower bound on the length of the sequence BSG(s_0, ..., s_{kT−1}). As we look for a lower bound, we suppose we are in the worst case, namely k = 1, and we can also suppose s_{T−1} = 0 without loss of generality. We observe that, for every index i, with 0 ≤ i ≤ T − 3, such that (s_i, s_{i+1}, s_{i+2}) = (1, 1, 0), we have OS(s_0, ..., s_j) = ∅ for at least one integer j among i, i + 1 and i + 2, so that there is an output bit corresponding to s_j. Now, the distribution of patterns in a sequence produced by a maximum length LFSR is well known [2], and in particular the pattern (1, 1, 0) appears at least 2^{L−3} times in (s_0, ..., s_{T−1}), so the length ℓ(BSG(s_0, ..., s_{T−1})) is at least 2^{L−3}. But, as we stated, possible subperiods have to be dealt with, so the goal of the remainder of the proof is to find an upper bound on the number of subperiods in BSG(s_0, ..., s_{T−1}).


The next step consists in comparing the sequence BSG(s) with the sequence s′ defined by s′_i = s_{2i} ⊕ s_{2i+1}. Using a result from [4], we deduce that s′ is shifted from s, so it has the same distribution of 0's and 1's as s. We then establish an injection from the set of cyclic gaps of given length n of BSG(s_0, ..., s_{T−1}) (gaps are sequences of consecutive 0's surrounded by 1's, and cyclic gaps means the sequences are read cyclically, looping to the beginning of the sequence after its end) to the set of cyclic gaps of length n of (s′_0, ..., s′_{T−1}). Now, the number of cyclic gaps of length n in (s′_0, ..., s′_{T−1}) is equal to 2^{L−n−2} so, if the sequence BSG(s_0, ..., s_{T−1}) has a cyclic gap of 0's of length n (i.e., if BSG(s) contains a sequence of 0's of length n), then it has at most 2^{L−n−2} subperiods, as each subperiod should contain such a sequence of 0's. As we have shown ℓ(BSG(s_0, ..., s_{T−1})) ≥ 2^{L−3}, we deduce that the minimal period length of BSG(s) is at least 2^{L−3−(L−n−2)} = 2^{n−1}.

The last step consists in finding a long zero sequence in BSG(s), so as to maximize n in the previous bound. Every sequence of length L (apart from that of L 0's) appears in s so, in particular, the sequence 0, ..., 0, 1, 0, ..., 0 made of ⌈(L−1)/2⌉ 0's, then a 1, then ⌊(L−1)/2⌋ 0's appears as a subsequence of s. It is easy to prove that, whatever the output state of the BSG is before this subsequence, reading it will have the BSG output at least ⌊(L−2)/4⌋ 0's, which yields the final result. □

The bound of Proposition 3 seems experimentally to be far from optimal, because no subperiod appears when the input is produced by a maximal length LFSR with feedback polynomial of degree L at most 16. Thus, in all these cases, the bound 2^{L−3} of the proof of Proposition 3 is valid.

When the input is given by a maximal length LFSR, we can obtain several output sequences, depending on the initialization of the LFSR. Now, all the possible outputs of this LFSR are shifted from one another [2]. Therefore, the set of possible outputs is the output sequence set for input s, where s is some arbitrary output of the LFSR. From Proposition 1, we deduce that for a given sequence s, the output sequence set of the BSG on the input sequence s can be easily described from at most 3 distinct output sequences. In the case of a maximal length LFSR, one can show that we need only 2 distinct output sequences, that one of these sequences is some BSG(s, i) with a period of the form BSG(s_i, ..., s_{i+T−1}), and that the other is some BSG(s, j) with a period of the form BSG(s_j, ..., s_{j+2T−1}), with OS(s_j, ..., s_{j+T−1}) ≠ ∅ (the proof relies on the fact that the period length of the input is odd, so that the corresponding permutation is of order 2). Moreover, when no subperiod appears in, respectively, BSG(s_i, ..., s_{i+T−1}) and BSG(s_j, ..., s_{j+2T−1}), the sum of the periods of the two sequences BSG(s, i) and BSG(s, j) is equal to T = 2^L − 1 (this fact comes from Remark 2). Therefore, the average period length of the output sequence is always equal to T/2. Experimentally, the periods are very close to T/3 and 2T/3, depending on whether the period is read on one or two periods of the input sequence (namely, respectively, for the sequences we denoted above by BSG(s, i) and BSG(s, j)). Thus, we divide the obtained sequences into short ones (read on one period) and long ones (read on two periods). The results are given in Table 2. For each degree L, we give the minimal and the maximal period lengths of short and long output sequences for all possible maximum length LFSRs of degree L as the input.


Table 2. Period statistics for maximum-length LFSRs

        short period length                   long period length
  L     average    minimal   maximal         average    minimal   maximal
  3         3          3         3               4          4         4
  4         4          4         4              11         11        11
  5        10          9        12              21         19        22
  6        22         22        22              41         41        41
  7        41.67      36        45              85.33      82        91
  8        84.63      82        88             170.38     167       173
  9       169        159       183             340        328       342
 10       341.1      328       358             681.9      665       695
 11       682.91     657       714            1364.09    1333      1390
 12      1364.08    1330      1399            2730.92    2696      2765
 13      2731.34    2658      2796            5459.66    5395      5533
 14      5460.08    5344      5587           10922.92   10796     11039
 15     10923.04   10776     11082           21843.96   21685     21991
 16     21846.16   21619     22075           43688.84   43460     43916

4.2 Linear complexity of output sequences

For the linear complexity, we did not find theoretical bounds, but the statistics for maximum-length LFSRs of degree L ≤ 16 indicate a good behavior of the linear complexity. In Table 3, we give the average linear complexity (denoted by LC), and its minimal and maximal values for short and long output sequences. These values are to be compared with those in Table 2: indeed, they show that the linear complexity is always almost equal to the period, and the detailed statistics for each maximum-length LFSR of degree L ≤ 16 show the same.
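The following added Python example (not code from the paper) reproduces the kind of measurement behind Tables 2 and 3 for small degrees: it generates one period of a maximum-length LFSR, runs the BSG from every shift of it, takes the minimal period of each output as Proposition 2 and Section 4.1 describe (short outputs are read on one input period, long ones on two), and computes the linear complexity with Berlekamp–Massey. The feedback polynomials x^4 + x + 1 and x^5 + x^2 + 1 are this example's own choice, since the paper does not list the polynomials it used; the function names are likewise this example's.

```python
# Added example, not from the paper: BSG output periods and linear
# complexity for maximum-length LFSR inputs, to set against Tables 2 and 3.
from typing import Dict, List, Sequence, Set, Tuple

EMPTY = "∅"
# Table 1: TRANS[b][state] is the window state after reading bit b.
TRANS: Dict[int, Dict] = {0: {EMPTY: 0, 0: EMPTY, 1: 1},
                          1: {EMPTY: 1, 0: 0, 1: EMPTY}}


def lfsr_period(poly_degrees: Sequence[int]) -> List[int]:
    """One period of the Fibonacci LFSR whose characteristic polynomial is
    the sum of x^d over poly_degrees (largest degree L), seeded with the
    state 0...01.  For a primitive polynomial the period is 2^L - 1."""
    L = max(poly_degrees)
    taps = [d for d in poly_degrees if d < L]
    state = [0] * (L - 1) + [1]          # state = (s_n, ..., s_{n+L-1})
    out, seen = [], set()
    while tuple(state) not in seen:
        seen.add(tuple(state))
        out.append(state[0])
        fb = 0
        for d in taps:
            fb ^= state[d]               # s_{n+L} = sum of s_{n+d} over taps
        state = state[1:] + [fb]
    return out


def output_state(bits: Sequence[int], st=EMPTY):
    """OS(bits) = t_{s_k} o ... o t_{s_0}(st) (Definition 3)."""
    for b in bits:
        st = TRANS[b][st]
    return st


def bsg(bits: Sequence[int]) -> List[int]:
    """One output bit per return of the window to ∅: 0 iff the search
    took exactly two reads, 1 otherwise."""
    st, reads, out = EMPTY, 0, []
    for b in bits:
        reads += 1
        st = TRANS[b][st]
        if st == EMPTY:
            out.append(0 if reads == 2 else 1)
            reads = 0
    return out


def bsg_min_period(period: List[int], shift: int) -> List[int]:
    """Minimal period of BSG(s, shift) for the T-periodic input s.  The
    window is back in ∅ after k <= 3 input periods (Proposition 2), so the
    output read meanwhile is a period; it is then reduced to its shortest
    sub-period (the paper reports no sub-period for L <= 16)."""
    rot = period[shift:] + period[:shift]
    k = next(k for k in (1, 2, 3) if output_state(rot * k) == EMPTY)
    block = bsg(rot * k)
    n = len(block)
    for d in range(1, n + 1):
        if n % d == 0 and all(block[i] == block[i % d] for i in range(n)):
            return block[:d]
    return block


def linear_complexity(bits: Sequence[int]) -> int:
    """Berlekamp-Massey over GF(2).  Feeding two periods of a periodic
    sequence recovers its linear complexity."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        for j in range(n + 1 - (i - m)):
            c[j + i - m] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L


def analyse(poly_degrees: Sequence[int]) -> Tuple[int, Set[Tuple[int, int]], Set[Tuple[int, int]]]:
    """(T, short, long): the (period, linear complexity) pairs of
    BSG(s, shift) over all shifts of the m-sequence.  A shift is short
    when one input period returns the window to ∅ and long otherwise."""
    s = lfsr_period(poly_degrees)
    T = len(s)
    short, long_ = set(), set()
    for i in range(T):
        per = bsg_min_period(s, i)
        cls = short if output_state(s[i:] + s[:i]) == EMPTY else long_
        cls.add((len(per), linear_complexity(per * 2)))
    return T, short, long_


if __name__ == "__main__":
    for poly in ([4, 1, 0], [5, 2, 0]):
        T, short, long_ = analyse(poly)
        print(f"L={max(poly)} T={T} short (period, LC)={sorted(short)} "
              f"long (period, LC)={sorted(long_)}")
```

For L = 4 every short output has period 4 and every long output period 11, each with linear complexity equal to its period, and 4 + 11 = 15 = T as the text above states; for L = 5 the two periods again sum to 31 and fall inside the ranges of Table 2.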

5 Conclusion

We have presented the construction of a new PRNG, the Bit-Search Generator. This generator has experimentally good properties, and it has an average output rate of 1/3. It looks very simple and complicated at the same time, which makes it very easy to implement and very fast, but also quite hard to study. Nevertheless, theoretical properties that we have shown indicate that it has a strong algebraic basis.

References

1. D. Coppersmith, H. Krawczyk, Y. Mansour, The Shrinking Generator, Advances in Cryptology – CRYPTO'93 Proceedings, LNCS 773, Springer-Verlag, D. R. Stinson, ed., (1993), 22–39.
2. S. Golomb, Shift Register Sequences, Revised Edition, Aegean Park Press, (1982).
3. W. Meier, O. Staffelbach, The Self-Shrinking Generator, Advances in Cryptology – EUROCRYPT'94 Proceedings, LNCS 950, Springer-Verlag, A. De Santis, ed., (1994), 205–214.
4. R. A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, (1986).


Table 3. Linear complexity statistics for maximum-length LFSRs

        short linear complexity               long linear complexity
  L     average    minimal   maximal         average    minimal   maximal
  3         3          3         3               4          4         4
  4         4          4         4              11         11        11
  5         9.67       8        12              20.67      19        22
  6        21         21        21              40         40        40
  7        40.11      36        45              84.89      82        91
  8        84.25      81        88             167.88     158       173
  9       167.04     156       181             341        328       352
 10       340.43     327       358             681.03     664       695
 11       681.17     655       713            1363.43    1327      1390
 12      1363.32    1330      1399            2730.24    2696      2765
 13      2729.65    2653      2796            5458.55    5391      5532
 14      5459.09    5343      5587           10921.96   10796     11035
 15     10921.47   10776     11082           21843.08   21685     21991
 16     21845.29   21619     22075           43687.94   43460     43916