## Are you sure?

This action might not be possible to undo. Are you sure you want to continue?

by Thomas W. Cusick, Cunsheng Ding, and Ari R. Renvall

Ratings:

Length: 492 pages4 hours

This is the unique book on cross-fertilisations between stream ciphers and number theory. It systematically and comprehensively covers known connections between the two areas that are available only in research papers. Some parts of this book consist of new research results that are not available elsewhere. In addition to exercises, over thirty research problems are presented in this book. In this revised edition almost every chapter was updated, and some chapters were completely rewritten. It is useful as a textbook for a graduate course on the subject, as well as a reference book for researchers in related fields.

· Unique book on interactions of stream ciphers and number theory.

· Research monograph with many results not available elsewhere.

· A revised edition with the most recent advances in this subject.

· Over thirty research problems for stimulating interactions between the two areas.

· Written by leading researchers in stream ciphers and number theory.

Publisher: Elsevier ScienceReleased: Feb 17, 2004ISBN: 9780080541839Format: book

You've reached the end of this preview. Sign up to read more!

Page 1 of 1

**—A.R. **

**Thomas W. Cusick, Cunsheng Ding and Ari Renvall **

Since the publication of this monograph in 1998, a considerable amount of advances on interactions between stream ciphers and number theory has been made. The objective of this revised edition is to report the recent advances and correct typos and errors in the original version. Most chapters are revised. In particular, **Chapter 6 is completely rewritten. **

We thank Y.-H. Park, D. Hong and E. Chun for pointing out an error in computing the linear complexity of the prime-square generator in **Chapter 8 of the original edition. We are grateful to S.S. Bedi and R. Pillai for pointing an error in Section 14.6, and for providing us with the source code of their C-implementation of the 2-RA algorithm. **

August 2003

**Thomas W. Cusick, Cunsheng Ding and Ari Renvall **

The goal of cryptography is the concealment of messages in such a way that only authorized people can read them. A *cipher *or *cryptosystem *is an algorithm for carrying out this concealment. If a message *M *is represented as a string of characters *m*1, *m*2, … from some fixed character set or *alphabet*, then a cipher consists of two processes: *encryption*, a method for converting the message or plaintext into a ciphertext meant to be unreadable by unauthorized people; and *decryption*, a method for recovering the message from the ciphertext.

Broadly speaking, cryptosystems can be classified as either *block ciphers *or *stream ciphers*. A block cipher breaks up a message *M *into successive blocks *M*1, *M*2, … of elements from the alphabet. There is a *key set K *such that each key *k *in the set corresponds to an encryption algorithm *Ek *which acts on the blocks of plaintext. Thus a plaintext *M*1, *M*There is a decryption algorithm *Dk *for each key *k *; thus ciphertext can be converted back into plaintext if the key *k *and *Dk *are known. A stream cipher breaks up a message *M *into its component characters *m*1, *m*2, …. Each character *m*1 is enciphered with the element *ki *of a *keystream *denote the encipherment of message character *mi *by keystream character *ki *(in many cases this encipherment will simply be the sum of *ki *and *mi *. There is a decryption procedure *Dki *; thus ciphertext can be converted back into plaintext if the needed characters *ki *of the keystream and the corresponding *Dki *are known.

Both block ciphers and stream ciphers are in common use today. Stream ciphers are especially prevalent in business, military and diplomatic settings. One advantage that stream ciphers have is that typically they can be implemented very efficiently in computing hardware. Since the security of a stream cipher depends on the randomness properties of the keystream, it is often easier to carry out a mathematical analysis of a stream cipher instead of a block cipher.

This book is almost entirely concerned with stream ciphers. We concentrate on a particular mathematical model for such ciphers which we call *additive natural stream ciphers*. These ciphers use a *natural sequence generator *to produce a periodic keystream. Full definitions of these concepts are given in **Chapter 2. **

In this book we focus on keystream sequences which we can analyze using number theory. It turns out that we can deduce a great deal of information about the cryptographic properties of many classes of sequences by applying the terminology and theorems of number theory. We make these connections explicit by describing three kinds of *bridges *between stream ciphering problems and number theory problems. A detailed summary of these ideas is given in the introductory **Chapter 1. **

This is the first book devoted to the study of the extensive crossfertilization between stream ciphers and number theory. Many results in the book are new, and over seventy percent of the results described in this book are based on our recent research results. On the one hand, there are numerous instances where results from number theory are used to answer questions from cryptography. On the other hand, there are many cryptographic problems which suggest new avenues of research in number theory. A few dozen questions of this type, with greatly varying levels of difficulty, are scattered through the book and labelled as Research Problems. For the convenience of the reader, a list of brief summaries of these Research Problems is given in **Appendix D. **

Launched in 1992, this project has taken us several years to complete. During the whole process, we have benefited from discussions with and comments from several colleagues. We thank Mark Goresky, Tor Helleseth, Andrew Klapper, and Arto Salomaa for reading some parts of this book manuscript and providing us with valuable comments and suggestions. We are grateful to Harald Niederreiter for helpful suggestions and comments. We appreciate the excellent working conditions provided by the State University of New York at Buffalo, University of Turku, Turku Centre for Computer Science, and the National University of Singapore. We acknowledge good cooperation with Elsevier, especially with Drs. Arjen Sevenster, Ms. Claudette van Daalen, and Ms. Titia Kraaij. Finally, we thank all members of our families for their support.

December 1997

Number theory, which Gauss called the queen of mathematics, has fascinated the human mind since the beginning of recorded history. Arithmetic was already quite sophisticated in Mesopotamia at the end of the third millennium B.C. [**178]. Number theory has a great influence not only on other branches of mathematics, but also on many other sciences, such as physics, biology, digital signal processing, coding, computing, and public-key cryptology as well as stream ciphers. **

Ciphers, which are usually divided into block and stream ciphers, have been used for millennia to safeguard military and diplomatic communications. Today stream ciphers are still the most used ones in practice for these purposes. The main reason may be that the theory of stream ciphers is much more analytical, while only relatively few aspects of typical block ciphers can be mathematically measured and analyzed. Another important reason may be that well-designed stream ciphers can destroy statistical properties of the plaintext, while block ciphers may not.

It is not strange that number theory and stream ciphers are closely related, since many ciphers actually manipulate numbers. One aim of this book is to set up bridges between number theory and stream ciphers, and to stimulate the interaction between the two fields. Another one is to design some promising keystream generators based on number theory.

This introductory chapter is organized as follows: **Section 1.1 presents a number of other sciences upon which number theory has an important impact. Section 1.2 gives a brief introduction to the book. **

Number theory is an ancient field of study and its content is vast. It has several branches, such as elementary number theory, algebraic number theory, analytic number theory, the geometry of numbers, etc. Sometimes it may be difficult to say whether some mathematical topics should belong to number theory or not. For example, it is difficult to draw a strict line between number theory and algebra. One might regard class field theory as a part of abstract algebra

rather than number theory

.

Many number-theoretic problems had a great impact upon the development of entire branches of mathematics. For example, the study of the distribution of primes sparked the development of the theory of functions of a complex variable and, in particular, that of the theory of entire functions. Fermat’s Last Theorem led to the creation of the theory of algebraic numbers, one of the most important and flourishing branches of modern number theory. It also happens that some of the most fundamental concepts of modern algebra (actually, of all modern mathematics) such as groups, rings, fields, modules, to name only a few, are obtained by the processes of abstraction and generalization from situations we meet in elementary number theory [**178]. **

when *q *is a Fermat prime, any factor of *q *− 1 is a power of 2. The Fourier transform

exists whenever *n *is a divisor of 2*m *and ωis an element of order *n*. By using the Cooley-Tukey algorithm (see [**additions. **

is quite convenient if the integers are represented as *m*a Fourier transform of block length *n *exists for every *n *. These are sometimes called *Mersenne number transforms*. There are also other number transforms [**24, 298, 387]. **

Coding is an important field of communications theory and engineering.There are quite a number of number-theoretic concepts which are related to codes. Among the most notable ones are group characters and character sums, and Diophantine equations. Character sums are powerful tools for the control of the correlation property of codes for code-division multiple-access systems [**200, 207], and for the computation of the weight distribution of some linear codes [198]. Cyclotomy also has applications in coding theory [301]. **

The Chinese Remainder Theorem developed in the first century B.C. has wide applications in algorithms, modular computation, computer systems, coding theory, digital signal processing, and cryptology [**134]. The discrete Fourier transform has an important impact on many fields, but it is only a special case of the Chinese remainder transform which includes quite a number of popular transform techniques [134]. **

The applications of number theory in public-key cryptography and authentication are well-known. The RSA system, based on number theory, remains one of the most promising public-key cryptosystems [**111, 113, 318, 337, 312]. On the other hand, RSA is one of the main motivations for the investigation of factorization, as the security of RSA depends on the assumption that factoring large integers is difficult. Modular hashing is also an important topic of cryptography [357]. **

Number theory also has applications in physics and biology as well as in other sciences. It is even possible for the theory of quadratic partitions to have applications in chemistry [**387] **

The application of number theory to stream ciphers looks quite natural, because many ciphers manipulate numbers. The design of pseudorandom number generators is one of the main issues in stream ciphering, where pseudorandom number sequences are often employed as keystreams.

The study of linear recurring sequences has a very long history which was traced from the year 1202 to 1918 by Dickson [**110]. One of the most famous linear recurring sequences is the Fibonacci sequence defined by **

. These *Fibonacci numbers *occur in counting the number of leaves, petals and seed grains of many plants [**387]. During the 19th century, recurring series of rational integers were frequently studied. Lucas sequences, which were used for primality testing by Lucas, are one such example. **

The first systematic investigation of a linear recurrence modulo *m *was done in 1920 by Carmichael. Nine years later Carmichael gave an account of earlier results, and showed that the recurrence problem is intimately related with many other parts of elementary number theory. Important developments in the study of linear recurrence sequences can be found in Engstrom [**147], Ward [434–444], Hall [185]–[188], Zieler [472], Selmer [390],and Golomb [169]. A lot of references about linear recurrence sequences can be found in [276, 390]. **

Though the investigation of sequences dates back at least to 1202, those early investigations were not done from the cryptographic point of view. In spite of the recent intensive investigations of cryptographic sequences, the cryptographic theory of sequences is far from mature. Some sequences were known centuries ago, but their cryptographic properties still remain unknown. One important problem for modern cryptologists is to analyze the cryptographic properties of those sequences. It is interesting to note there are indeed some cryptographically attractive sequences developed centuries ago. Among them are some Legendre sequences which may have more ideal cryptographic attributes than many keystream sequences designed today [**123]. It seems that recently much more attention has been given to sequences based on the theory of finite fields and algebra than to sequences based on number theory. **

The distribution problem of quadratic and other power residues and nonresidues has been attacked by many mathematicians for centuries with only limited success. The irregular

distributions of power residues, primes and primitive roots are not only useful in constructing some cryptographic building blocks, but also in other fields. For example, quadratic residues are used in a proposal for designing a concert hall ceiling in [**387]. **

Primes can also be defined in fields other than the rational numbers, for instance, in some algebraic number fields. In the complex number field we have the Gaussian primes defined in the Gaussian ring *Z*[*i*]. Those primes form an interesting pattern [**387], which has been used in weaving tablecloths and tiling floors. We also have the Eisenstein primes defined in the ring Z. Some primes defined in the integer ring Z remain prime in these two rings, others not. The Eisenstein primes form also an interesting pattern with hexagonal symmetry [387]. These primes can also be used to construct keystream generators. **

Some purely number-theoretic problems could also have a deep cryptographic significance. Our first example is the distribution of primitive roots. Concerning this problem Artin conjectured that every integer *a*, not equal to −1 or to a square, is a primitive root of infinitely many primes. Recently an important progress about Artin’s conjecture has been made: Let *p*1, *p*2 and *p*3 be three distinct primes, then at least one of them is a primitive root for infinitely many primes [**195]. If Artin’s conjecture is proven to be true, this means that building good cryptographic sequences over any field is possible. Our second example is Fermat’s Last Theorem, which led to algebraic number theory. A proof of Fermat’s Last Theorem means that building good cryptographic sequences with periods equal to powers of primes over many fields is theoretically possible. Our third example is the theory of class fields. Some results from class field theory can be used to prove some cryptographically meaningful results. In this book we will need the quadratic partition of primes. Thus, we need to know whether the set **

contains infinitely many primes. If it does, what is their density? These questions are cryptographically important for some applications. Class field theory can give us some answers.

The word cyclotomy means circle-division.

This problem and cyclotomic polynomials together with cyclotomic numbers were investigated by many mathematicians for a long time. Now these problems have been found to be very useful in designing keystream sequences. Cyclotomies and generalized cyclotomies constitute in fact one of the theoretical bases for many of the generators presented in this book. The stability of (generalized) cyclotomic numbers leads to cryptographically useful properties for many cyclotomic generators. It is useful in cyclotomy to have the Riemann Hypothesis for curves over finite fields, which was proved by Weil in 1948 [**449]. This implies the cryptographic significance of the Riemann Hypothesis. Thus, the cryptographic importance of the genus of algebraic curves and of algebraic function fields follows. **

In summary, a considerable number of number-theoretic problems are related to the design and analysis of stream ciphers. It seems that no other field has as many applications to stream ciphers as does number theory. This may explain why the secret agencies of some countries require a prereview of papers of certain types about number theory. Indeed, some cryptographic problems can be settled only if progress in some number-theoretic problems can be made.

We do not claim to cover all of the cryptographic applications of number theory. In this book we intend only to give examples to illustrate that number theory is not only a pure mathematical science, but also a very applicable science.

In this book some bridges between the design of stream ciphers and some number-theoretic problems are built for the first time. With those bridges the applications of number theory to the design and analysis of stream ciphers are then investigated. In our approach, old number-theoretic problems are stressed and new ones are proposed from the cryptographic point of view. Those cryptography-related number-theoretic problems call forfurther developments in number theory. The main purpose in writing this book is to invoke an interaction between number theory and stream ciphers. This book is organized as follows.

**Chapter 2 is an introduction to synchronous and self-synchronous stream ciphers, as well as some keystream generators and some cryptographic factors of sequences. It is intended to introduce only some basic notions. A number of keystream generators are briefly described. **

**Chapter 3 is about primes and primitive roots as well as sequences, and aims at finding pairs of primes and primitive roots for the purpose of designing keystream sequences. The main cryptographic idea of this chapter is the search for a good partnership, as defined in the chapter, in order to get sequences with both large linear complexity and good linear complexity stability. A main bridge between number theory and stream ciphers is also set up. **

**Chapter 4 is devoted to cyclotomy and its applications to the design of cryptographic functions. The cryptographic significance of cyclotomic numbers is illustrated. A number of cryptographic functions whose nonlinearity depends on (generalized) cyclotomic numbers are introduced. **

Based on the results of **Chapter 4, Chapter 5 is devoted to the search for special primes for stream ciphering purposes. The cryptographic values of various kinds of special primes with respect to specific finite fields are analyzed. The sexes of twin primes are introduced and their distributions are investigated. A comparison between primes for stream ciphering and those for RSA is made. It is shown that the distribution problem for special primes is of cryptographic importance. **

**Chapter 6 is devoted to functions with optimum nonlinearity, and gives a well-rounded treatment of non-Boolean functions with perfect and almost perfect nonlinearity. **

**Chapter 7 is about the differential analysis of sequences. A natural sequence generator realization of sequences is given and the differential analysis of sequences is introduced. The linear complexity of difference-set characterized and almost difference-set characterized sequences is calculated. The cryptographic importance of Barker sequences is shown. **

Based on the results of foregoing chapters, **Chapter 8 builds some binary cyclotomic generators. Many security aspects of the generators are analyzed.Chapter 9 gives a detailed analysis of a particular type of cyclotomic generator. **

In **Chapter 10 a nonbinary generator based on cyclotomy is designed and its security problems are discussed. Some cryptographic ideas behind the cyclotomic generators are also analyzed. **

**Chapter 11 is dedicated to generators based on permutations. One importantcryptographic technique employed in this chapter is that for ensuring good + bad = good. Cryptographic permutations and some design problems of cyclic-key generators are discussed. Two generators based on permutations are given. **

**Chapter 12 investigates the application of the theory of quadratic partitions to stream ciphers. There are two motivations for our interest in quadratic partitions: One is the design and analysis of some cryptographic functions, and the other is that we need them to give us some primes in integer domains other than Z for the purpose of designing key stream generators based on the arithmetic of the integer domains. Some cryptographic quadratic forms are discussed, and some elementary results about quadratic forms are introduced. **

**Chapter 13 introduces the theory of group characters and shows the importance of group characters in designing keystream generators. One of the most important cryptographic ideas in this chapter is that sometimes linear functions are cryptographically more attractive than nonlinear functions. This shows that linear mappings with respect to some operations could give the best nonlinear cryptographic mappings in another context. **

**Chapter 14 is mainly about the 2-adic approach to the design and analysis of binary sequences. The relation between the Blum-Blum-Shub sequences [26] and the class numbers of imaginary quadratic fields is another main topic of this chapter. **

**Chapter 15 describes some fast stream ciphering algorithms based on primes and gives some theoretical results obtained using material from some previous chapters. Compared with other software-oriented algorithms, the ciphering algorithms presented in this chapter are more amenable to analysis. **

**Chapter 16 discusses some cryptographic problems and philosophies. Among the topics are nonlinearity and linearity of cryptographic mappings, stability and instability, stability and diffusion, the stability of local nonlinearities and differences, correlation stability, pattern stability and mutual information stability, localness and globalness, and goodness versus badness. **

The design and analysis of the natural sequence generators, which have been systematically investigated only recently, are among the main topics of this book. One aim of this book is to bridge stream ciphers and number theory. Another aim is to design and analyze a number of cryptographic generators by making use of the bridges. The third aim is to stress old number-theoretic problems and to propose new ones from cryptographic viewpoints. In this book, over thirty cryptography-related research problems are presented. A list of them is given in **Appendix D. **

There are gaps between some number-theoretic problems and streamcipher problems because bridges between them have not been set up yet. In this book we try to bridge some of these gaps. Naturally, there are more gaps which remain to be bridged. Thus, the cryptographic meaning and importance of some number-theoretic problems mentioned in this book may be only partially elucidated.

The first set of bridges between some stream ciphering problems and number-theoretic problems is depicted in **Figure 1.1.a, where the main cryptographic problems are the linear and sphere complexity of sequences, and the number-theoretic problems include cyclotomic polynomials, special primes, primitive roots and their distribution, and some topics related to these topics. **

**Figure 1.1 **The first two sets of bridges.

The second set of bridges considered in this book is depicted in **Figure 1.1.b, where the bridge between p-ary sequences and p, and the balance of some sequences is closely related to the class numbers of some quadratic fields. The theory of permutations is the main issue for permutation generators. The third set of bridges is depicted in Figure 1.2, where quite a number of cryptographic and number-theoretic problems are involved. **

**Figure 1.2 **The third set of bridges.

This book by no means covers all number-theoretic generators. There are also other very interesting ones. Among them are, for example, the quadratic residue generator and the index generator which have been proven to possess some interesting cryptographic properties. For details about these generators we refer to [**26, 25, 249], where a nice treatment has been given. However, we will come to some properties of the Blum-Blum-Shub generator in Section 14.8. **

This chapter introduces some basic notions about stream ciphers and describes some keystream generators. **Section 2.1 is devoted to the description of synchronous and self-synchronous stream ciphers, and some approaches to the construction of stream ciphers based on block ciphers. Section 2.2 introduces some keystream generators. Section 2.3 considers some cryptographic aspects of sequences, such as linear complexity, weight complexity, sphere complexity, autocorrelation and crosscorrelation functions, pattern distribution, quadratic span and maximum order complexity. Section 2.4 shows the consistency and harmony of the binary natural sequence generator which is the main topic of this book. Section 2.5 considers the security of and attacks on stream ciphers generally. **

Ciphering systems are generally classified into block and stream ciphers, in analogy to error-correcting codes which are subdivided into block and convolutional codes. The essential distinction between block and stream ciphers is the memory, as is shown in **Figures 2.1(a) and 2.1(b). **

**Figure 2.1 **The difference between block and stream ciphers.

A block cipher breaks each plaintext message into successive blocks and enciphers each block *M *under the control of a key *k *into a ciphertext block *C *= (*c*1, …, *cn*), where the plaintext and ciphertext alphabet are usually identical. Each block is typically several characters long. Simple substitution and homophonic substitution ciphers [**103] are examples of block ciphers, even though the unit of encipherment is a single character. This is because the same key is used for each character. A stream cipher specifies a device with internal memory that enciphers the jth digit mj of the message stream into the jth digit cj of the ciphertext stream by means ofa function which depends on both the secret key k and the internal state of the stream cipher at time j. The sequence z∞ = z0z1 · · · which controls the enciphering is called the key stream or running key. The deterministic automaton which produces the key stream from the actual key k and the internal state is called the running-key generator or keystream generator. **

A stream cipher is *periodic *if the keystream repeats after *d *characters for some fixed *d*; otherwise it is nonperiodic. Ciphers generated by Rotor and Hagelin machines [**103] are periodic stream ciphers. The Vernam cipher is an example of a nonperiodic stream cipher. **

There are two different approaches to stream encryption: synchronous methods and self-synchronous methods. In a *synchronous stream cipher*, the next state depends only on the previous state and not on the input so that the succession of states is independent of the message stream. The key stream is therefore generated independently of the message stream. Consequently, the enciphering transformation is memoryless, but time-varying. Thus, if a ciphertext character is lost during transmission, the sender and receiver must resynchronize their generators before they proceed further. Furthermore, this must be done in a way which ensures that no part of the key stream is repeated (thus the keystream generator should not be reset to an earlier state). It is therefore natural, in a synchronous stream cipher,to separate the enciphering transformation from the generation process of time-varying parameters which control the deciphering transformation.

In a *self-synchronous stream cipher*, each keystream character is derived from a fixed number *n *of preceding cipher characters. Thus, if a ciphertext character is lost or altered during transmission, the error propagates forward for *n *characters, but the cipher resynchronizes itself after *n *correct ciphertext characters have been received. Self-synchronous stream ciphers are nonperiodic because each key character is functionally dependent on the entire preceding message stream.

**Figures 2.1.a and 2.1.b depict block and stream ciphers respectively. In Figure 2.1.a M and C stand for plaintext and ciphertext block respectively, and Ek is the encryption transformation specified by a key k. In Figure 2.1.b mj and cj are the plaintext and ciphertext character respectively, zj the keystream character at time j, f a function for producing the keystream, and Ezj a function for combining the keystream character zj and the plaintext character mj. A practical difference between a block and a stream cipher is that the redundancy of a natural language may remain in the ciphertext under a block cipher, while it has been usually made very small with a well-designed stream cipher. This may explain why stream ciphers are still popular in practice. **

As mentioned above, in a synchronous stream cipher, the key stream, *z*∞ = *z*0*z*1 · · ·, is independent of the message stream. The algorithm that generates the stream must be deterministic so that the stream can be reproduced for decipherment. One important kind of synchronous stream ciphers is the *additive synchronous stream ciphers *depicted by **Figure 2.2, where thecharacters of the key stream are from an Abelian group ( G, +) and the ciphertext character ci is the addition of the key stream character zi and message stream character mi, and **

−denotes the inverse operation of

+.

**Figure 2.2 **Additive synchronous stream ciphers.

The main design problem for this kind of stream cipher is the design of the keystream generator. Because the way to combine plaintext and ciphertext characters is very simple, keystream generators for additive synchronous stream ciphering should be strong enough.

In a self-synchronous stream cipher each keystream character is derived from a fixed number *n *of preceding ciphertext characters. The idea of this kind of cipher traces back to the time of Vigenère in the 16th Century. Autokey ciphers and cipher feedback systems are examples of additive self-synchronous stream ciphers [**103]. **

An *autokey cipher *is one in which the key is derived from the message it enciphers. Another important class of self-synchronous stream ciphers consists of those where the cipher is fed back to the keystream generator as depicted in **Figure 2.3. The main problems concerning this kind of stream ciphers are the design of the keystream generator and the way in which the feedback ciphertext character is used in the keystream generator. This kind of stream cipher is rather difficult to design and analyze because of the feedback **

Close Dialog## Are you sure?

This action might not be possible to undo. Are you sure you want to continue?

Loading