Pseudorandom Sequences: Generation Primitives and

Pseudorandom Sequences: Generation Primitivesand Complexity Measures

Ramakanth Kavuluru

Department of Computer ScienceUniversity of Kentucky

Computer Science @ WKU

Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 1 / 35

Outline

1 BackgroundPseudorandom SequencesAlgebra

2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers

3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work


Outline





Random Sequences

What is a random sequence?

A sequence which is output by a truly random source.

What is a truly random source?non-deterministicequally likely selection for each symbol of the alphabet.

Examples:Rolling an unbiased dieThe points in time at which a radioactive source decaysTime difference between mouse movements


Random Sequences

What is a random sequence?

A sequence which is output by a truly random source.

What is a truly random source?non-deterministicequally likely selection for each symbol of the alphabet.

Examples:Rolling an unbiased dieThe points in time at which a radioactive source decaysTime difference between mouse movements


Pseudorandom Sequences

Appear random and generated by expanding a seed (PRNGs).

Examples:Roll a die a bunch of times. Store the values generated in a listand reproduce.Use a mathematical formula: sn+1 = a · sn + c mod m,0 < a, s0, c < m.

Advantages:EfficientDeterministic: Can be reproduced with the same seed.


Randomness Tests

Kolmogorov’s test: A given sequence S is random if

|S| ≤ Smallest program that outputs S.

Golomb’s randomness postulates for binary strings over {−1, 1}

R-1 A balance of −1s and 1s.

R-2 Two runs of length k for each run of length k + 1.

R-3 A two level auto-correlation function.

1n

n∑i=1

aiai+τ =

{1 if τ = 0;K if 0 < τ < n.


Stream Ciphers and Pseudorandom Sequences

Stream cipher:Private key cryptosystem.Encrypts one symbol at a time.Uses pseudorandom sequences.

Let M: message, K: key stream, C: cipherSender: Send the cipher C = M ⊕ K across the channel.Receiver: Extract the message M = C ⊕ K .

Sequences should satisfyRandomness Properties.Large period.Fast generation.Resistance to specific attacks (Berlekamp-Massey).


Outline





Finite Fields

A (commutative) ring is a set R with two binary operations ∗ and + onR such that the following properties hold:

1 ∀a, b ∈ R, a + b = b + a and ab = ba.2 ∀a, b, c ∈ R, a + (b + c) = (a + b) + c and a(bc) = (ab)c.3 ∃e+, e∗ ∈ R such that ∀a ∈ R, ae∗ = a and a + e+ = a.4 For each a ∈ R, ∃ − a such that a + (−a) = e+.5 ∀a, b, c ∈ R, a(b + c) = ab + ac.

R is a field if it is a ring and for each a 6= 0 ∈ R, ∃a−1 so thataa−1 = e∗.

TheoremFor each q = pi , where p is a prime and i ≥ 1, there exists a finite fieldFq with q elements. These are all the finite fields.

Fq[x ] is the ring of polynomials with coefficients in Fq.


Periodic Sequences and Generating Functions

DefinitionA sequence S = s0, s1, s2, · · · is eventually periodic with period T ifsn+T = sn holds for all n ≥ n0 for some n0 ≥ 0. S is periodic if n0 = 0.

The generating function of an S = s0, s1, · · · is

∞∑i=0

six i .

Closed forms for some well known sequences:

1, 1, 1, · · · : 11 − x

.

1, 2, 3, · · · : 1(1 − x)2 .

0, 1, 1, 2, 3, 5, · · · : 11 − x − x2 .


Rational Generating Functions for Periodic Sequences

Consider S below with preperiod n0 + 1 and period T

s0, s1, ..., sn0︸︷︷︸preperiod

, (sn0+1, · · · , sn0+T︸︷︷︸period T

)∞.

The generation function of S is

G(S)

= s0 + s1x + · · ·+ sn0xn0 +sn0+1xn0+1 + · · ·+ sn0+T xn0+T

1 − xT

=(1 − xT )(s0 + s1x + · · ·+ sn0xn0) + sn0+1xn0+1 + · · ·+ sn0+T xn0+T

1 − xT

=u(x)

g(x)for some u(x), g(x) ∈ Fq[x ].

FCSR


Outline





Definition of LFSRs

gi , aj ∈ Fq, field

ar−1 ar−2 · · · a0

� ��g1 � ��

g2 � ��gr· · ·

- -

ar = g1ar−1 + · · ·+ gr a0

Output A = a0, a1, · · · , ar−1, ar , ar+1, · · ·

Analysis:generating function A(x) =

∑i aix i

connection polynomial g(x) = −1 + g1x + g2x2 + · · ·+ gr x r


Properties of LFSRs

LFSR sequences are eventually periodic.

The generating function of LFSR sequences is rational

A(x) =u(x)

g(x), u(x) ∈ Fq[x ]

Periodic iff deg(u) < deg(g)

If gcd(u, g) = 1 period is the smallest T such that g(x)|xT − 1.

m-sequence: If g(x) primitive, period = qr − 1

m-sequences: uniform – each nonzero r -tuple occurs once(R1,R2,R3)


rand() and random()

rand() uses multiplicative congruential generator:

sn+1 = a · sn mod m, where m is prime and a 6= 0.

Source: National Energy Research Scientific Computing Center“the low dozen bits generated by the rand subroutine go through acyclic pattern, while all the bits generated by the random subroutineare usable”Source: Comments from the GNU source file random_r.c“The random number generation technique is a linear feedback shiftregister approach, employing trinomials (since there are fewer terms tosum up that way). In this approach, the least significant bit of all thenumbers in the state table will act as a linear feedback shift register,and will have period 2deg −1(where deg is the degree of the polynomialbeing used, assuming that the polynomial is irreducible and primitive).”


Outline





Feedback with Carry Shift Registers (FCSRs)Goresky, Klapper, ’93

N ∈ Z, N ≥ 2.

mr−1 ar−1 ar−2 · · · a0

� ��g1 � ��

g2 � ��gr· · ·∑

-

� - -

��

�

mod Ndiv N

g1, g2, · · · , gr ∈ S = {0, 1, · · · , N − 1}.State change: define ar ∈ S and mr ∈ Z by

ar + Nmr = mr−1 + g1ar−1 + · · ·+ gr a0.

Connection number: g = −1 + g1N + g2N2 + · · ·+ gr N r .


Ring of N-adic integers

ZN =

{ ∞∑i=0

aiN i = α(A, N) : ai ∈ S

}

Addition: To add∑

aiN i +∑

biN i =∑

ciN i :

c0 + Nd1 = a0 + b0, 0 ≤ c0 < N

c1 + Nd2 = a1 + b1 + d1, 0 ≤ c1 < N

−1 = (N − 1) + (N − 1)N + (N − 1)N2 + · · ·

Multiplication is similar

A =∑

aiN i ∈ ZN is invertible iff gcd(a0, N) = 1


Properties of FCSRs

For an r -stage FCSR let w =∑r

i=1 gi .

Denote zr−1 : initial memory, z : memory in any state.

Periodic state ⇒ 0 ≤ z < w .

zr−1 ≥ w or zr−1 < 0 ⇒ within dlogN(|zr−1|)e+ r steps 0 ≤ z < w .

So FCSR sequences are eventually periodic.

N-adic number α(A, N) = u/g, some u ∈ Z, and gcd(g, N) = 1.LFSR

Periodic iff −g ≤ u ≤ 0

If gcd(u, g) = 1, period is the smallest T such that g|(NT − 1).

`-sequence: When g = pt , p a prime, period = (p − 1)pt−1.


Outline





Linear Complexity

Definition

The linear complexity λ(A) of a sequence A = (a0, a1, · · · ) over Fq isthe length of smallest LFSR that can generate A.

Let A be a periodic sequence with period T .

Let a(x) = a0 + a1x + · · ·+ aT−1xT−1. Then

∞∑i=0

aix i =a(x)

1 − xT =u(x)

g(x), gcd(u(x), g(x)) = 1.

g(x) is called the minimal connection polynomial.

λ(A) = T − deg(gcd(a(x), 1 − xT )) = deg(g(x)).


N-adic Complexity

Definition

The N-adic span ΛN(A) of an N-ary, eventually periodic sequenceA = (a0, a1, · · · ) is the smallest value of Λ among all FCSRs that output A.

Λ = r + max(blogN(r∑

i=0

gi)c+ 1, blogN(|m|)c+ 1) + 1

Definition

Let α(A, N) = −p/q, with gcd(p, q) = 1. The the N-adic complexity of A isthe real number φN(A) = logN(max(|p|, |q|)).

|(ΛN(A)− 2)− φN(A)| ≤ logN(φN(A)) + 1


Why Study Complexity Measures?

Answer: Shift Register Synthesis Algorithms

Input: First few symbols, usually, linear in the complexity.Output: Shift Register that outputs the sequence

Algorithm # Symbols t ≥ TimeBerlekamp-Massey

(Massey) 2λ O(t2)

Rational Approximation(N = 2, Klapper and Goresky) 2dφ2e+ 2 O(t2 log t log log t)

Rational Approximation(N > 2, Xu) 6(3 + dφNe) O(t2 + tN2 log3 N)

Euclidean Approximation(N not a square, Arnault et al.) 2dφNe+ 3 O(t2)


Outline





nth Linear Complexity

In practice, if an attacker can recover a prefix of the keystream,then the system is vulnerable.

Attacker: Run shift register synthesis algorithms on finite prefixes.

Thus every prefix should have λ as high as possible.

Definition (Rueppel)The nth linear complexity λn(A) is defined as the length of the shortestLFSR whose first n terms are a0, a2, ..., an−1. The sequenceλ1(A), λ2(A), ... of integers is called the linear complexity profile of A.

Example: Let A = (0, · · · , 0, 1)∞ with period T .

Then λ(A) = T but λn(A) = 0, for n = 1 · · ·T − 1.

Similar measures for N-adic complexity.


Error Linear Complexity Measures

In practice, if an attacker can recover all but a few symbols of thekeystream then the system is insecure.

Attacker: Try all one symbol changes of the known keystream.Choose the one that leads to a message that makes sense.

Definition (Ding)

The k -error linear complexity λerrk (A) of a periodic sequence A is the

smallest linear complexity that can be obtained by changing k or fewersymbols of a single period and repeating the period.

Example: Let A = (0, · · · , 0, 1)∞. Then λerr1 (A) = λdel

1 (A) = 0.

Similarly we have λdelk (A), λins

k (A), and λoperk (A).

Similar measures for N-adic complexity and finite sequences.


Number of Changes Needed to Lower the Complexity

Definition

minsub(A) is the minimum number of substitutions required to modifya single period so that the linear complexity of the modified sequenceis less than the original sequence.

Similarly mindel(A), minins(A) and minoper(A).For i ∈ N with radix p form i =

∑l−1j=0 ijpj define Prod(i) =

∏l−1j=0(ij + 1).

Theorem (Kurosawa et al.)

For a periodic sequence A with period T = pd , d ∈ Z+, we haveminsub(A) = Prod(T − λ(A)).

Similarly minsubN(A), mindelN(A), mininsN(A), and minoperN(A) forφN(A).


Outline





Problems on Complexity Measures

1 Determine counting functions and expected values.

2 Determine good upper and lower bounds.

3 Investigate the asymptotic behavior for nonperiodic sequences.

4 Design efficient algorithms to compute a complexity measure.

5 Design efficient algorithms to find the smallest generator.

6 Construct sequences with high complexity and error complexity.

Special cases can also be considered if the general ones are hard.Results


Counting Functions and Average Behavior

Let N(n,k)(c) denote the number of sequences A with λerr(n,k)(A) = c.

Theorem (Gustavson)

N(n,0)(0) = 1. If 1 ≤ c ≤ n then,

N(n,0)(c) = (q − 1)qmin(2c−1,2n−2c).

Theorem (Rueppel)

If T = 2d , then the expected linear complexity E0 of a random periodicT -periodic binary sequence is given by

E0 = T − 1 + 2−T .

Results


Asymptotic Behavior

Ultimately nonperiodic sequences: linear complexity increasesunboundedly.

Normalized linear complexity: δn(A) = λn(A)/n

δn(A) does not have a single limit but a set of accumulation points.

Dai et al.: Set of accumulation points for normalized λ is∆ = [B, 1 − B]

Klapper: Set of accumulation points for normalized φN is∆N = [B, 1 − B] when N is a power of 2 or 3

Sequences exist for each B ∈ [0, 1/2] with ∆ = [B, 1 − B] and∆N = [B, 1 − B].


Lower Bounds on k -operation Linear Complexity

Theorem (Kavuluru and Klapper)

Let A be a sequence over Fq of period T . Then1 λoper

k (A) ≥ min(λ(A), T/k − λ(A)) if the number of deletions isgreater than or equal to the number of insertions.

2 λoperk (A) ≥ min(λ(A), (T + 1)/k − λ(A)) if the number of deletions

is less than the number of insertions.

Corollary

Let A be a not all zero sequence of period T . Then

minoper(A) >T

2λ(A).


Lower Bounds on k -operation N-adic Complexity

Theorem (Kavuluru and Klapper)

Let A be a sequence over {0, · · · , N − 1} of period T . Then1 φoper

N,k (A) > min(φN(A), T/k + logN((N − 1)/N(N + 1))− φN(A)) ifthe number of deletions is greater than the number of insertions.

2 φoperN,k (A) > min(φN(A), logN(NT − 1)− (k − 1)T/k − φN(A)− 1) if

the number of deletions is equal to the number of insertions.3 φoper

N,k (A) > min(φN(A), (T +1)/k + logN((N−1)/N(N+1))−φN(A))if the number of deletions is less than the number of insertions.

Corollary

Let A be an N-ary periodic sequence with period T . We have

minoperN(A) >T

2φN(A) + 3.


Problem Space

Settings

LFSRs, FCSRs, AFSRs

Sequences, Multisequences

Periodic, Finite Length

Conventional, k -error, k -insert

k -delete, k -operation, minerror

arithmetic k -error

Special Cases: k = 1, 2, T = pd

Fix Fq, N, or (R, π, S)

Problems

Counting functions

Expected values

Complexity bounds

Complexity computation

Shift register synthesis

Asymptotic behavior


Yes!, the Last Slide

Thank You


Documents

Pseudorandom Sequences: Generation Primitives and