The Self-Shrinking Generator (SSG) proposed by Meier and Staffelbach, which has an efficient hardware implementation with only a single Linear Feedback Shift Register, is suitable for low-cost and fast stream cipher applications. In this paper we generalize the idea of the SSG to an arbitrary Galois Field
Binary Pseudorandom Sequences (PRSs) with maximum period and good statistical and correlation properties have established themselves as the foundation for the generation of many signals used in modern communication and information systems. Among the most important applications [
A great number of methods for the generation of pseudorandom sequences are used in practice [
Self-shrinking generator [
The self-shrinking generator (SSG) was proposed by Meier and Staffelbach at Eurocrypt'94 in [
An attack on SSG requiring very small keystream data
The best tradeoff between time, memory and data complexity today is offered by the recent guess-and-determine cryptanalysis [
In this paper a
The paper is organized as follows. First, the basic principles of the
The basic principles of the widely used LFSR registers [
Real systems use pLFSRs constructed in two different architectures, Fibonacci and Galois. The properties of the finite Galois field [
If
pLFSR register with Fibonacci architecture.
Every element can remember one
During each clock cycle the following operations are performed. The content of stage 0 is output and forms part of the output sequence. The content of element A calculation of the linear recurrent dependency is done
The output sequence is described by (
Every configuration of this architecture is defined by the feedback coefficients
The generated sequence
pLFSR register with Galois architecture.
During each clock cycle the following operations are performed. The content of stage 0 is output and forms part of the output sequence. The content of element The output of the element 0 is implemented in every multiplier of feedbacks and a sum with the previous element by modulo
The Galois architecture of pLFSR is described by the feedback polynomial
The generated output sequence
One of the most important properties of the pLFSR is the maximal period [
The uniform allocation of the The number of appearances of all nonzero elements Every nonzero
Figure
3LFSR register with Galois architecture and length
The shrinking generator [
The self-shrinking generator is a modified version of the shrinking generator and was first presented by Meier and Staffelbach in [
The self-shrinking generator requires only one LFSR
The close relationship between the shrinking and the self-shrinking generator is shown in Figure
Shrinking and self-shrinking generator.
In [
The proposed
The pGSSG selects a portion of the output
The algorithm of the The The output pLFSR sequence is split into If When The shrunken Every
Binary transformation of
Element | p = 3 | p = 5 | p = 7 | p = 11 | p = 13 |
---|---|---|---|---|---|
1 | 0 | 00 | 001 | 0011 | 0010 |
2 | 1 | 01 | 010 | 0100 | 0011 |
3 | — | 10 | 011 | 0101 | 0100 |
4 | — | 11 | 100 | 0110 | 0101 |
5 | — | — | 101 | 0111 | 0110 |
6 | — | — | 110 | 1000 | 0111 |
7 | — | — | — | 1001 | 1000 |
8 | — | — | — | 1010 | 1001 |
9 | — | — | — | 1011 | 1010 |
10 | — | — | — | 1100 | 1011 |
11 | — | — | — | — | 1100 |
12 | — | — | — | — | 1101 |
Let us choose the extended Galois field
3LFSR for
The feedback polynomial is
Let the initial state be
For all possible 3-tuples generated by the 3LFSR, the 3GSSG output over one period is
Output of the 3GSSG.
3-tuple | Output (binary) | 3-tuple | Output (binary) | 3-tuple | Output (binary) |
---|---|---|---|---|---|
1 | 21 | 20 | |||
1 | 020 | 21 | |||
21 | 22 | 001 | |||
012 | 1 | 011 | |||
1 | 20 | 1 | |||
1 | 22 | 010 | |||
1 | 1 | 1 | |||
002 | 021 | 22 | |||
022 | 20 |
The period of the sequence is
The binary output is given in brackets in Table
Let us choose the extended Galois field
5LFSR for
The feedback polynomial is
Let the initial state be
For a part of all possible 5-tuples generated by the 5LFSR, the output of the 5GSSG generator over part of the period is
Output of the 5GSSG.
5-tuple | Output (binary) | 5-tuple | Output (binary) | 5-tuple | Output (binary) |
---|---|---|---|---|---|
1 | 1 | 332 | |||
314 | 00202 | 4230 | |||
1 | 4220 | 4114 | |||
1 | 20 | 4341 | |||
4240 | 334 | 23 | |||
1 | 340 | 03132 | |||
03430 | 1 | 04144 | |||
1 | 21 | 1 | |||
4013 | 02221 | 1 | |||
324 | 1 | 02024 | |||
23 | 20 | 22 | |||
1 | 1 | 00404 | |||
341 | 24 | 344 |
The period is
The research of the
In this section the pGSSG period is first established. Then it is proven that the output pGSSG sequence is balanced, that is, the numbers of 1s and 0s in a period of the pGSSG sequence are equal. In Section
Hence a
When pGSSG output sequence is transformed into balanced binary sequence the period will be
Since the
Results for simulated 3GSSG and 5GSSG. N(k) is the number of occurrences of the element k of GF(p) in one pGSSG period; the last three columns refer to the balanced binary output.
Field | Primitive polynomial | pLFSR period | pGSSG period | N(0) | N(1) | N(2) | N(3) | N(4) | Binary period | Number of 1s | Number of 0s
---|---|---|---|---|---|---|---|---|---|---|---
GF(3^3) | a^3 + 2a^2 + 1 | 26 | 18 | 6 | 6 | 6 | - | - | 18 | 9 | 9
GF(3^4) | a^4 + 2a^3 + 2 | 80 | 54 | 18 | 18 | 18 | - | - | 54 | 27 | 27
GF(3^5) | a^5 + 2a^2 + a + 1 | 242 | 162 | 54 | 54 | 54 | - | - | 162 | 81 | 81
GF(3^5) | a^5 + 2a + 1 | 242 | 162 | 54 | 54 | 54 | - | - | 162 | 81 | 81
GF(3^6) | a^6 + a + 2 | 728 | 486 | 162 | 162 | 162 | - | - | 486 | 243 | 243
GF(3^7) | a^7 + a^2 + 2a + 1 | 2186 | 1458 | 486 | 486 | 486 | - | - | 1458 | 729 | 729
GF(5^3) | a^3 + 3a^2 + 2 | 124 | 100 | 20 | 20 | 20 | 20 | 20 | 200 | 100 | 100
GF(5^4) | a^4 + a^2 + 2a + 3 | 624 | 500 | 100 | 100 | 100 | 100 | 100 | 1000 | 500 | 500
GF(5^5) | a^5 + 4a + 2 | 3124 | 2500 | 500 | 500 | 500 | 500 | 500 | 5000 | 2500 | 2500
GF(5^6) | a^6 + a + 2 | 15624 | 12500 | 2500 | 2500 | 2500 | 2500 | 2500 | 25000 | 12500 | 12500
GF(5^7) | a^7 + 3a + 2 | 78124 | 62500 | 12500 | 12500 | 12500 | 12500 | 12500 | 125000 | 62500 | 62500
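The following Python is an added worked example, not code from the paper. It implements a pLFSR over GF(p) in both the Fibonacci and the Galois architecture discussed above, the p-ary self-shrinking step of the pGSSG, and the balanced binary code set of the transformation table, and then recomputes the first row of each half of the simulation table. Three things are this example's own reading of the page rather than statements taken from it: the selection rule (split the pLFSR output into p-tuples, discard a tuple whose first element is 0, otherwise output the element whose index is that first element; this reproduces the listed pGSSG periods and symbol counts and reduces to the SSG for p = 2), the derivation of the register taps from the monic feedback polynomial (c_i = -f_i mod p), and the construction rule for the binary codes (the central p-1 of the 2^m patterns, m = ceil(log2(p-1)), which matches every column of the table). The feedback polynomials are taken from the simulation table; the initial state (1, 0, 0) and the short symbol strings are constructed inputs.

```python
from collections import Counter
from math import ceil, gcd, log2


def recurrence_taps(p, poly):
    """Taps c_1..c_n of s_{t+n} = c_1 s_{t+n-1} + ... + c_n s_t over GF(p)
    for the monic polynomial f(x) = x^n + f_1 x^(n-1) + ... + f_n, given as
    [1, f_1, ..., f_n]: c_i = -f_i mod p (assumed convention; the reciprocal
    polynomial is primitive whenever f is, so the period is the same)."""
    if poly[0] % p != 1:
        raise ValueError("feedback polynomial must be monic")
    return [(-c) % p for c in poly[1:]]


class FibonacciPLFSR:
    """Fibonacci architecture: an adder chain over all tapped stages
    computes the new symbol; stage 0 is the output."""

    def __init__(self, p, poly, state):
        self.p, self.taps = p, recurrence_taps(p, poly)
        self.n, self.state = len(self.taps), list(state)
        if len(self.state) != self.n or not any(self.state):
            raise ValueError("initial state must be a nonzero n-vector")

    def step(self):
        out = self.state[0]
        # s_{t+n} = sum_i c_{n-i} * s_{t+i}  (mod p)
        new = sum(self.taps[self.n - 1 - i] * self.state[i]
                  for i in range(self.n)) % self.p
        self.state = self.state[1:] + [new]
        return out


class GaloisPLFSR(FibonacciPLFSR):
    """Galois architecture: the output of stage 0 is multiplied by every tap
    and added to the neighbouring stage, so the feedback additions happen in
    parallel instead of through an adder chain."""

    def step(self):
        out, s, c, p, n = self.state[0], self.state, self.taps, self.p, self.n
        self.state = [(s[i + 1] + c[i] * out) % p for i in range(n - 1)]
        self.state.append((c[n - 1] * out) % p)
        return out


def output(reg, length):
    return [reg.step() for _ in range(length)]


def period(reg):
    """Steps until the state first repeats (p^n - 1 for a primitive
    polynomial and any nonzero initial state)."""
    start = tuple(reg.state)
    for t in range(1, reg.p ** reg.n + 1):
        reg.step()
        if tuple(reg.state) == start:
            return t
    raise ValueError("state never repeated")


def satisfies_recurrence(seq, p, poly):
    """True if every window of seq obeys the linear recurrence of poly."""
    taps = recurrence_taps(p, poly)
    n = len(taps)
    return all(seq[t + n] == sum(taps[n - 1 - i] * seq[t + i]
                                 for i in range(n)) % p
               for t in range(len(seq) - n))


def pgssg(symbols, p):
    """p-ary self-shrinking selection (assumed rule, read off the page's
    3GSSG/5GSSG tables): split into p-tuples (a_0, ..., a_{p-1}); discard
    the tuple if a_0 = 0, otherwise output a_{a_0}.  For p = 2 this is the
    original SSG: (1, a_1) -> a_1, (0, a_1) -> nothing."""
    out = []
    for i in range(0, len(symbols) - p + 1, p):
        tup = symbols[i:i + p]
        if tup[0] != 0:
            out.append(tup[tup[0]])
    return out


def pgssg_cycle_stats(p, poly, state):
    """(pLFSR period T, pGSSG symbols per full cycle, per-symbol counts).
    A full cycle consumes lcm(T, p) pLFSR symbols, i.e. lcm(T, p)/p tuples."""
    reg = FibonacciPLFSR(p, poly, state)
    T = period(reg)
    keystream = pgssg(output(reg, T * p // gcd(T, p)), p)
    return T, len(keystream), dict(Counter(keystream))


def balanced_codes(p):
    """Binary codes of the p-1 nonzero elements of GF(p) as in the
    transformation table: m = ceil(log2(p-1)) bits, keeping the central p-1
    of the 2^m patterns.  The set is closed under complement, hence balanced.
    How the zero symbol is encoded is not recoverable from the page."""
    m = max(1, ceil(log2(p - 1)))
    drop = (2 ** m - (p - 1)) // 2
    return [format(v, f"0{m}b") for v in range(drop, 2 ** m - drop)]


if __name__ == "__main__":
    # Polynomials from the simulation table; (1, 0, 0) is a constructed state.
    for p, poly in ((3, [1, 2, 0, 1]), (5, [1, 3, 0, 2])):
        print(p, pgssg_cycle_stats(p, poly, (1, 0, 0)))
    print(balanced_codes(7))
```

The period check confirms that both architectures with the table's polynomial a^3 + 2a^2 + 1 over GF(3) run through all 26 nonzero states, and the Galois register's output obeys the same recurrence as the Fibonacci one, so the two forms differ only in how the feedback is wired, not in the sequence they can produce. The cycle statistics reproduce the GF(3^3) and GF(5^3) rows: 18 = 2 * 9 and 100 = 4 * 25 output symbols per cycle with every element of GF(p) appearing equally often, which is the balance property proven in the next section.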
The encryption key for the
One
Minimum length of the pLFSR to guarantee a given minimum key length.
p | 512 bits | 1024 bits |
---|---|---|
2 | 512 | 1024 |
3 | 256 | 512 |
5, 7 | 171 | 342 |
11, 13 | 128 | 256 |
17, 19, 23, 29, 31 | 103 | 205 |
37, 41, 43, 47, 53, 59, 61 | 86 | 171 |
67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127 | 74 | 147 |
131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251 | 64 | 128 |
To test statistical properties of the keystreams generated by the pGSSG with prime
Results from the NIST test suite for two sets of 100 keystreams of length 10^6, generated by the pGSSG.
NIST Statistical Test | 17GSSG P-value | 17GSSG pass rate | 257GSSG P-value | 257GSSG pass rate |
---|---|---|---|---|
Frequency | .798139 | 0.990000 | .955835 | 1.000000 |
Block-frequency | .334538 | 0.990000 | .834308 | 0.980000 |
Cumulative-sums 1 | .637119 | 0.990000 | .289667 | 1.000000 |
Cumulative-sums 2 | .851383 | 0.990000 | .595549 | 1.000000 |
Runs | .030806 | 1.000000 | .867692 | 1.000000 |
Longest-run | .867692 | 0.970000 | .162606 | 0.980000 |
Rank | .171867 | 1.000000 | .437274 | 1.000000 |
FFT | .574903 | 1.000000 | .191687 | 0.990000 |
Nonperiodic-templates* | .478512 | 0.988784 | .504990 | 0.990676 |
Overlapping-templates | .096578 | 0.990000 | .334538 | 0.990000 |
Universal | .213309 | 1.000000 | .129620 | 1.000000 |
Apen | .000230 | 0.960000 | .911413 | 1.000000 |
Random-excursions** | .246591 | 0.993663 | .564158 | 0.993738 |
Random-excursions-variant*** | .269248 | 0.992489 | .479677 | 0.996289 |
Serial 1 | .096578 | 1.000000 | .437274 | 0.990000 |
Serial 2 | .851383 | 1.000000 | .574903 | 0.990000 |
Lempel-ziv | .012650 | 0.990000 | .025193 | 0.980000 |
Linear-complexity | .739918 | 0.990000 | .971699 | 0.970000 |
*Average over all 148 nonperiodic-template NIST tests.
**Average over all 8 random-excursions NIST tests.
***Average over all 48 random-excursions-variant NIST tests.
The results demonstrate that pGSSG keystreams have good randomness properties, that is, they are well balanced, uniform, scalable and incompressible.
Unfortunately, the hardware implementation of the pGSSG is not as simple as that of the original SSG, because the algebraic operations are performed in the
The pGSSG is more suitable for software implementation. The cases with
The goal of an attack on a stream cipher based on clock-controlled generators is to recover the secret key, which includes the initial state of the LFSRs used. For better security the key may also contain the feedback polynomial of the LFSRs. In this section the security of the pGSSG against the exhaustive search attack and the entropy attack is analysed.
The two general attacks suggested by Meier and Staffelbach, the exhaustive search attack and the entropy attack [
In these attacks we assume that the secret key consists only of the initial state of the
Let
Let then
From the knowledge of the first
Therefore the number of possibilities for the first
For the next known
Therefore, for reconstructing
The known bit portion of the sequence
Then we calculate the possible pLFSR states
The number of possible cases for the 5-tuples are
The entropy of the
Therefore, the entropy of the
For
The complexity of the exhaustive search and entropy attacks on the pGSSG for primes up to 17 is compared with the SSG and the recently proposed MSSG [
A comparison of the complexity of the used attack for SSG, MSSG and pGSSG.
Attack | SSG | MSSG | pGSSG | |||||
Exhaustive search | ||||||||
Entropy |
The results show that the pGSSG is more secure than the SSG and the MSSG against the exhaustive search and entropy attacks. The complexity of these attacks on the pGSSG increases with increasing prime
In this paper the generalization of the self-shrinking generator in Galois Field
The complexities of the exhaustive search and entropy attacks on the pGSSG are established. It is shown that the pGSSG is more secure than the SSG and the MSSG against these attacks. It is proven that the complexity of these attacks on the pGSSG increases with increasing prime
The above-mentioned properties give reason to consider the pGSSG a pseudorandom generator that can be useful as part of modern stream ciphers.
However, there are theoretical and practical issues that still need to be addressed. From a theoretical point of view, improved cryptanalysis of the pGSSG keystream sequences is needed, and the complexity of the other known attacks on self-shrinking generators, such as the attack using a long keystream segment, the BDD-based attack and the guess-and-determine attack, must be investigated.
On the practical side, a hardware FPGA implementation of the pGSSG generator must be designed. It will provide faster execution of the algebraic operations in the
The authors would like to thank the referees for their helpful comments.