View
7
Download
0
Category
Preview:
Citation preview
Pseudorandom Sequences: Generation Primitivesand Complexity Measures
Ramakanth Kavuluru
Department of Computer ScienceUniversity of Kentucky
Computer Science @ WKU
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 1 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 2 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 3 / 35
Random Sequences
What is a random sequence?
A sequence which is output by a truly random source.
What is a truly random source?non-deterministicequally likely selection for each symbol of the alphabet.
Examples:Rolling an unbiased dieThe points in time at which a radioactive source decaysTime difference between mouse movements
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 4 / 35
Random Sequences
What is a random sequence?
A sequence which is output by a truly random source.
What is a truly random source?non-deterministicequally likely selection for each symbol of the alphabet.
Examples:Rolling an unbiased dieThe points in time at which a radioactive source decaysTime difference between mouse movements
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 4 / 35
Pseudorandom Sequences
Appear random and generated by expanding a seed (PRNGs).
Examples:Roll a die a bunch of times. Store the values generated in a listand reproduce.Use a mathematical formula: sn+1 = a · sn + c mod m,0 < a, s0, c < m.
Advantages:EfficientDeterministic: Can be reproduced with the same seed.
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 5 / 35
Randomness Tests
Kolmogorov’s test: A given sequence S is random if
|S| ≤ Smallest program that outputs S.
Golomb’s randomness postulates for binary strings over {−1, 1}
R-1 A balance of −1s and 1s.
R-2 Two runs of length k for each run of length k + 1.
R-3 A two level auto-correlation function.
1n
n∑i=1
aiai+τ =
{1 if τ = 0;K if 0 < τ < n.
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 6 / 35
Stream Ciphers and Pseudorandom Sequences
Stream cipher:Private key cryptosystem.Encrypts one symbol at a time.Uses pseudorandom sequences.
Let M: message, K: key stream, C: cipherSender: Send the cipher C = M ⊕ K across the channel.Receiver: Extract the message M = C ⊕ K .
Sequences should satisfyRandomness Properties.Large period.Fast generation.Resistance to specific attacks (Berlekamp-Massey).
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 7 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 8 / 35
Finite Fields
A (commutative) ring is a set R with two binary operations ∗ and + onR such that the following properties hold:
1 ∀a, b ∈ R, a + b = b + a and ab = ba.2 ∀a, b, c ∈ R, a + (b + c) = (a + b) + c and a(bc) = (ab)c.3 ∃e+, e∗ ∈ R such that ∀a ∈ R, ae∗ = a and a + e+ = a.4 For each a ∈ R, ∃ − a such that a + (−a) = e+.5 ∀a, b, c ∈ R, a(b + c) = ab + ac.
R is a field if it is a ring and for each a 6= 0 ∈ R, ∃a−1 so thataa−1 = e∗.
TheoremFor each q = pi , where p is a prime and i ≥ 1, there exists a finite fieldFq with q elements. These are all the finite fields.
Fq[x ] is the ring of polynomials with coefficients in Fq.
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 9 / 35
Periodic Sequences and Generating Functions
DefinitionA sequence S = s0, s1, s2, · · · is eventually periodic with period T ifsn+T = sn holds for all n ≥ n0 for some n0 ≥ 0. S is periodic if n0 = 0.
The generating function of an S = s0, s1, · · · is
∞∑i=0
six i .
Closed forms for some well known sequences:
1, 1, 1, · · · : 11 − x
.
1, 2, 3, · · · : 1(1 − x)2 .
0, 1, 1, 2, 3, 5, · · · : 11 − x − x2 .
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 10 / 35
Rational Generating Functions for Periodic Sequences
Consider S below with preperiod n0 + 1 and period T
s0, s1, ..., sn0︸ ︷︷ ︸preperiod
, (sn0+1, · · · , sn0+T︸ ︷︷ ︸period T
)∞.
The generation function of S is
G(S)
= s0 + s1x + · · ·+ sn0xn0 +sn0+1xn0+1 + · · ·+ sn0+T xn0+T
1 − xT
=(1 − xT )(s0 + s1x + · · ·+ sn0xn0) + sn0+1xn0+1 + · · ·+ sn0+T xn0+T
1 − xT
=u(x)
g(x)for some u(x), g(x) ∈ Fq[x ].
FCSR
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 11 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 12 / 35
Definition of LFSRs
gi , aj ∈ Fq, field
ar−1 ar−2 · · · a0
� ��g1 � ��
g2 � ��gr· · ·
- -
ar = g1ar−1 + · · ·+ gr a0
Output A = a0, a1, · · · , ar−1, ar , ar+1, · · ·
Analysis:generating function A(x) =
∑i aix i
connection polynomial g(x) = −1 + g1x + g2x2 + · · ·+ gr x r
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 13 / 35
Properties of LFSRs
LFSR sequences are eventually periodic.
The generating function of LFSR sequences is rational
A(x) =u(x)
g(x), u(x) ∈ Fq[x ]
Periodic iff deg(u) < deg(g)
If gcd(u, g) = 1 period is the smallest T such that g(x)|xT − 1.
m-sequence: If g(x) primitive, period = qr − 1
m-sequences: uniform – each nonzero r -tuple occurs once(R1,R2,R3)
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 14 / 35
rand() and random()
rand() uses multiplicative congruential generator:
sn+1 = a · sn mod m, where m is prime and a 6= 0.
Source: National Energy Research Scientific Computing Center“the low dozen bits generated by the rand subroutine go through acyclic pattern, while all the bits generated by the random subroutineare usable”Source: Comments from the GNU source file random_r.c“The random number generation technique is a linear feedback shiftregister approach, employing trinomials (since there are fewer terms tosum up that way). In this approach, the least significant bit of all thenumbers in the state table will act as a linear feedback shift register,and will have period 2deg −1(where deg is the degree of the polynomialbeing used, assuming that the polynomial is irreducible and primitive).”
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 15 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 16 / 35
Feedback with Carry Shift Registers (FCSRs)Goresky, Klapper, ’93
N ∈ Z, N ≥ 2.
mr−1 ar−1 ar−2 · · · a0
� ��g1 � ��
g2 � ��gr· · ·∑
-
� - -
��
�
mod Ndiv N
g1, g2, · · · , gr ∈ S = {0, 1, · · · , N − 1}.State change: define ar ∈ S and mr ∈ Z by
ar + Nmr = mr−1 + g1ar−1 + · · ·+ gr a0.
Connection number: g = −1 + g1N + g2N2 + · · ·+ gr N r .
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 17 / 35
Ring of N-adic integers
ZN =
{ ∞∑i=0
aiN i = α(A, N) : ai ∈ S
}
Addition: To add∑
aiN i +∑
biN i =∑
ciN i :
c0 + Nd1 = a0 + b0, 0 ≤ c0 < N
c1 + Nd2 = a1 + b1 + d1, 0 ≤ c1 < N
−1 = (N − 1) + (N − 1)N + (N − 1)N2 + · · ·
Multiplication is similar
A =∑
aiN i ∈ ZN is invertible iff gcd(a0, N) = 1
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 18 / 35
Properties of FCSRs
For an r -stage FCSR let w =∑r
i=1 gi .
Denote zr−1 : initial memory, z : memory in any state.
Periodic state ⇒ 0 ≤ z < w .
zr−1 ≥ w or zr−1 < 0 ⇒ within dlogN(|zr−1|)e+ r steps 0 ≤ z < w .
So FCSR sequences are eventually periodic.
N-adic number α(A, N) = u/g, some u ∈ Z, and gcd(g, N) = 1.LFSR
Periodic iff −g ≤ u ≤ 0
If gcd(u, g) = 1, period is the smallest T such that g|(NT − 1).
`-sequence: When g = pt , p a prime, period = (p − 1)pt−1.
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 19 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 20 / 35
Linear Complexity
Definition
The linear complexity λ(A) of a sequence A = (a0, a1, · · · ) over Fq isthe length of smallest LFSR that can generate A.
Let A be a periodic sequence with period T .
Let a(x) = a0 + a1x + · · ·+ aT−1xT−1. Then
∞∑i=0
aix i =a(x)
1 − xT =u(x)
g(x), gcd(u(x), g(x)) = 1.
g(x) is called the minimal connection polynomial.
λ(A) = T − deg(gcd(a(x), 1 − xT )) = deg(g(x)).
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 21 / 35
N-adic Complexity
Definition
The N-adic span ΛN(A) of an N-ary, eventually periodic sequenceA = (a0, a1, · · · ) is the smallest value of Λ among all FCSRs that output A.
Λ = r + max(blogN(r∑
i=0
gi)c+ 1, blogN(|m|)c+ 1) + 1
Definition
Let α(A, N) = −p/q, with gcd(p, q) = 1. The the N-adic complexity of A isthe real number φN(A) = logN(max(|p|, |q|)).
|(ΛN(A)− 2)− φN(A)| ≤ logN(φN(A)) + 1
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 22 / 35
Why Study Complexity Measures?
Answer: Shift Register Synthesis Algorithms
Input: First few symbols, usually, linear in the complexity.Output: Shift Register that outputs the sequence
Algorithm # Symbols t ≥ TimeBerlekamp-Massey
(Massey) 2λ O(t2)
Rational Approximation(N = 2, Klapper and Goresky) 2dφ2e+ 2 O(t2 log t log log t)
Rational Approximation(N > 2, Xu) 6(3 + dφNe) O(t2 + tN2 log3 N)
Euclidean Approximation(N not a square, Arnault et al.) 2dφNe+ 3 O(t2)
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 23 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 24 / 35
nth Linear Complexity
In practice, if an attacker can recover a prefix of the keystream,then the system is vulnerable.
Attacker: Run shift register synthesis algorithms on finite prefixes.
Thus every prefix should have λ as high as possible.
Definition (Rueppel)The nth linear complexity λn(A) is defined as the length of the shortestLFSR whose first n terms are a0, a2, ..., an−1. The sequenceλ1(A), λ2(A), ... of integers is called the linear complexity profile of A.
Example: Let A = (0, · · · , 0, 1)∞ with period T .
Then λ(A) = T but λn(A) = 0, for n = 1 · · ·T − 1.
Similar measures for N-adic complexity.
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 25 / 35
Error Linear Complexity Measures
In practice, if an attacker can recover all but a few symbols of thekeystream then the system is insecure.
Attacker: Try all one symbol changes of the known keystream.Choose the one that leads to a message that makes sense.
Definition (Ding)
The k -error linear complexity λerrk (A) of a periodic sequence A is the
smallest linear complexity that can be obtained by changing k or fewersymbols of a single period and repeating the period.
Example: Let A = (0, · · · , 0, 1)∞. Then λerr1 (A) = λdel
1 (A) = 0.
Similarly we have λdelk (A), λins
k (A), and λoperk (A).
Similar measures for N-adic complexity and finite sequences.
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 26 / 35
Number of Changes Needed to Lower the Complexity
Definition
minsub(A) is the minimum number of substitutions required to modifya single period so that the linear complexity of the modified sequenceis less than the original sequence.
Similarly mindel(A), minins(A) and minoper(A).For i ∈ N with radix p form i =
∑l−1j=0 ijpj define Prod(i) =
∏l−1j=0(ij + 1).
Theorem (Kurosawa et al.)
For a periodic sequence A with period T = pd , d ∈ Z+, we haveminsub(A) = Prod(T − λ(A)).
Similarly minsubN(A), mindelN(A), mininsN(A), and minoperN(A) forφN(A).
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 27 / 35
Outline
1 BackgroundPseudorandom SequencesAlgebra
2 Generation PrimitivesLinear Feedback Shift RegistersFeedback with Carry Shift Registers
3 Complexity MeasuresLinear and N-adic ComplexityExtended Complexity MeasuresResults and Future Work
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 28 / 35
Problems on Complexity Measures
1 Determine counting functions and expected values.
2 Determine good upper and lower bounds.
3 Investigate the asymptotic behavior for nonperiodic sequences.
4 Design efficient algorithms to compute a complexity measure.
5 Design efficient algorithms to find the smallest generator.
6 Construct sequences with high complexity and error complexity.
Special cases can also be considered if the general ones are hard.Results
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 29 / 35
Counting Functions and Average Behavior
Let N(n,k)(c) denote the number of sequences A with λerr(n,k)(A) = c.
Theorem (Gustavson)
N(n,0)(0) = 1. If 1 ≤ c ≤ n then,
N(n,0)(c) = (q − 1)qmin(2c−1,2n−2c).
Theorem (Rueppel)
If T = 2d , then the expected linear complexity E0 of a random periodicT -periodic binary sequence is given by
E0 = T − 1 + 2−T .
Results
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 30 / 35
Asymptotic Behavior
Ultimately nonperiodic sequences: linear complexity increasesunboundedly.
Normalized linear complexity: δn(A) = λn(A)/n
δn(A) does not have a single limit but a set of accumulation points.
Dai et al.: Set of accumulation points for normalized λ is∆ = [B, 1 − B]
Klapper: Set of accumulation points for normalized φN is∆N = [B, 1 − B] when N is a power of 2 or 3
Sequences exist for each B ∈ [0, 1/2] with ∆ = [B, 1 − B] and∆N = [B, 1 − B].
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 31 / 35
Lower Bounds on k -operation Linear Complexity
Theorem (Kavuluru and Klapper)
Let A be a sequence over Fq of period T . Then1 λoper
k (A) ≥ min(λ(A), T/k − λ(A)) if the number of deletions isgreater than or equal to the number of insertions.
2 λoperk (A) ≥ min(λ(A), (T + 1)/k − λ(A)) if the number of deletions
is less than the number of insertions.
Corollary
Let A be a not all zero sequence of period T . Then
minoper(A) >T
2λ(A).
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 32 / 35
Lower Bounds on k -operation N-adic Complexity
Theorem (Kavuluru and Klapper)
Let A be a sequence over {0, · · · , N − 1} of period T . Then1 φoper
N,k (A) > min(φN(A), T/k + logN((N − 1)/N(N + 1))− φN(A)) ifthe number of deletions is greater than the number of insertions.
2 φoperN,k (A) > min(φN(A), logN(NT − 1)− (k − 1)T/k − φN(A)− 1) if
the number of deletions is equal to the number of insertions.3 φoper
N,k (A) > min(φN(A), (T +1)/k + logN((N−1)/N(N+1))−φN(A))if the number of deletions is less than the number of insertions.
Corollary
Let A be an N-ary periodic sequence with period T . We have
minoperN(A) >T
2φN(A) + 3.
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 33 / 35
Problem Space
Settings
LFSRs, FCSRs, AFSRs
Sequences, Multisequences
Periodic, Finite Length
Conventional, k -error, k -insert
k -delete, k -operation, minerror
arithmetic k -error
Special Cases: k = 1, 2, T = pd
Fix Fq, N, or (R, π, S)
Problems
Counting functions
Expected values
Complexity bounds
Complexity computation
Shift register synthesis
Asymptotic behavior
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 34 / 35
Yes!, the Last Slide
Thank You
Ramakanth Kavuluru (Univ. of Kentucky) Sequences: Generation and Complexity Computer Science @ WKU 35 / 35
Recommended