Implementation and Security Analysis of Construction Algorithm for Primitive Σ-LFSR

Masaryk University Faculty}w¡¢£¤¥¦§¨ of Informatics !"#$%&'()+,-./012345

Implementation and security analysis of construction algorithm for primitive σ-LFSR

MASTER THESIS

Susil Kumar Bishoi

Bangalore, December 2016 Declaration

Hereby I declare that this thesis is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Susil Kumar Bishoi

Advisor: Prof. RNDr. Vaclav Matyas, M.Sc., Ph.D.

ii Acknowledgement

I am thankful to Shri Sanjay Burman, Director, CAIR for giving me the opportunity to study at Masaryk University. Many many thanks to Himanshu Kumar Haran, Ravi Yadav, Neelesh Tamrakar and Deepak Viswakarma for their support and useful discussions during my stay at Brno, Czech Republic. I am also thankful to Shri T. S. Raghavan for his valuable ideas on this work. I am grateful to my supervisor Prof. Vaclav Matyas for his kind guidance and useful comments on the text of this thesis. Last but not least, I thank my friends, my parents and in-laws, my wife Sangeeta, son Sudeetta and brother Bhagyadhar for their pa- tience and support during my studies.

iii Abstract

The software implementation LFSR is inefficient for modern processors as it produces only one new bit per step. This limits the speed of operation and resource utilization. So, word based LFSRs (σ-LFSRs) are so popular in case of software implementation. Both search algorithm and construction algorithm for σ-LFSRs provide a good col- lection of primitive σ-LFSRs and they are efficient in both hardware and software. However, the construction algorithm for σ-LFSRs using Horner’s form of polynomial generates efficient σ-LFSRs with lesser complexity of arithmetic operations. The aim of this thesis is the implementation of the construction algorithm on a 32/64-bit PC platform and then security analysis with respect to the cryptographic point of view. This thesis also contains the complexity analysis of the search algorithm for σ-LFSRs and the comparative performance of the construction algorithm with the search algorithm for primitive σ-LFSRs.

iv Keywords

Cryptography, Primitive LFSR, Pseudo Random Number Generator and σ-LFSR

v Contents

1 Introduction ...... 1 2 Primitive LFSR and Primitive σ-LFSR ...... 4 3 Horner’s Matrix ...... 8 4 Algorithm for Efficient Primitive σ-LFSR ...... 12 4.1 Search Algorithm ...... 12 4.1.1 Exhaustive Search Space of the Search Algorithm ...... 15 4.2 Construction Algorithm ...... 17 5 Implementation and Analysis of Construction Algorithm 19 5.1 Comparative Analysis with Search Algorithm ...... 19 5.2 Statistical Properties and Number of Tap Positions ..... 21 5.3 Weakness in Initialization of σ-LFSR States ...... 24 5.4 Different σ-LFSRs Constructed from Single Binary Primi- tive Polynomial ...... 25 5.5 Primitive σ-LFSR with Desired Number of Tap Points ... 27 6 Conclusion ...... 28

vi List of Figures

2.1 LFSR of order n 4 2.2 σ-LFSR of order n 6 4.1 σ-LFSR of order n 18 5.1 Comparison results for m = 8 21 5.2 Comparison results for n = 8 and n = 16 22 5.3 Experimental results for different word size m. 26

vii List of Tables

5.1 Summary of results for No. of taps = 3 23 5.2 Summary of results for No. of taps = 4 23 5.3 Summary of results for No. of taps = 5 24

viii List of Algorithms

1 Search Algorithm for Primitive σ-LFSR...... 14 2 Construction of efficient primitive σ-LFSR...... 17 3 Finding an efficient primitive σ-LFSR...... 20 4 Construction of Primitive σ-LFSR with k tap positions 27

ix 1 Introduction

Random bits are required in a wide variety of situations in cryptography. A True Random Number Generator (TRNG) can be used to generates these random bits. However, the TRNG design uses some uncontrollable physical processes as a source of true randomness and in most practical environments this is an inefficient procedure. So, a Pseudo Random Number Generator (PRNG) can be used in place of a TRNG. PRNG takes a small bit length seed (random) as input and produces a very large binary sequence which appears to be random. The concept of PRNG motivates the design of stream ciphers and in stream cipher design, Linear Feedback Shift Register (LFSR, see Golomb [3], Lidl and Niederreiter [6]) is used as one of the important basic building blocks. For example, it has been used in most of the modern stream ciphers like Grain, Mickey 2.0, Snow, Sosemanuk, etc.

In each cycle, LFSR produces only one new bit, so such ciphers are often referred as bit-oriented ciphers. It is well known that if the feedback polynomial of the LFSR is primitive, then for any non-zero initial state, the LFSR produces a maximum length periodic bit sequence, i.e., if the degree of the primitive feedback polynomial is n over F2, then the period of the non-zero bit sequence generated by LFSR is (2n − 1). Again, LFSR-based ciphers have not only a large period, but also have good statistical properties and low cost of implementation in hardware. So, LFSRs are quite useful in generation of pseudorandom bit sequences. However, in many situations such as high speed link encryption, an efficient software encryption is required and bit-oriented ciphers do not provide adequate efficiency. In case of LFSR of order n, total n shifting along with feedback computation is needed to produce one bit. So, LFSR takes O(n) bit ma- nipulations in order to produce only a single bit and could not take the advantage of available word based modern processors. So, the question arises, whether it is possible to design feedback shift register (FSR) that outputs a word instead of a bit in each cycle. A very natural and obvious way is to consider the LFSR over the binary extension field F2m . However, in software, the field multiplication is an expensive operation and so affects the software efficiency. Other

1 1. Introduction

technique is to exploit word operations of modern processors by using logic operations (such as XOR, AND, OR, complementary operation, left shift, right shift, cycle shift, etc.) and arithmetic operations (such as addition, subtraction, multiplication and division). These operations can be used in designing FSRs so as to enhance the efficiency in software implementation. In fact, Preneel in Fast Software Encryp- tion (FSE), 1994 [9] poses a question whether one can design fast and secure FSRs with the help of the word operations of modern processors and the techniques of parallelism. Tsaban and Vishne [11] ad- dressed this problem of Preneel in 2002 by introducing the notion of Transformation Shift Registers (TSRs). In 2007, Zeng et al. [12] generalized the idea of TSR and introduced the notion of word-oriented LFSR called σ-LFSR. In their paper, they proposed a search algorithm for generating efficient primitive σ-LFSRs. Their algorithm begins by randomly choosing some special matrices (for which matrix-vector multiplications can be computable using word operations) and then test the primitivity of the corresponding σ-LFSR. The software and hardware implementation of σ-LFSRs obtained through the search algorithm are quite efficient, but it is observed that for larger values of m and n, the search algorithm becomes little sluggish, that is, it finds primitive σ-LFSR after a very large number of attempts. There are construction algorithms available in the literature for producing primitive σ-LFSRs see for instance, [2, Theorem 6.1] and Krishnaswamy et al. [5]. These algorithms do not seem to produce efficient primitive σ-LFSRs. The construction algorithm based on the Horner matrix [1] is quite efficient as it uses only XOR and right shift operations for the feedback value computation. Again, this algorithm produces different σ-LFSRs of order n over F2m for different primitive polynomials of degree mn. One of the main objectives of this thesis is the implementation and security analysis of the construction algorithm given in [1]. This report also contains the comparative performance of the construction algorithm and the search algorithm [12] for primitive σ-LFSRs. In this thesis, we also propose an algorithm that generates a σ-LFSR of order n with k tap positions for 1 < k < n and studied the statistical properties of the bitstream produced by the σ-LFSRs generated from both the algorithms (i.e., construction and search algorithm). In the following section, some mathematical tools and techniques

2 1. Introduction are developed, those are required for constructing efficient primitive σ-LFSRs. The different steps of the construction algorithm and issues pertaining to its implementation are discussed in the subsequent sec- tions. The thesis is organized as follows. In section2, some definitions and results concerning σ-LFSRs are recalled. The Horner’s matrix given in [1] is revisited in the section3. Both search algorithm and construction algorithm for finding efficient primitive σ-LFSRs are discussed in section4, where the exhaustive search space of the search algorithm for σ-LFSRs is derived. In section5, the discussions about the implementation of the construction algorithm for primitive σ-LFSRs and then some related security analysis are discussed. Finally, conclusion is provided in section6.

3 2 Primitive LFSR and Primitive σ-LFSR

Let Fq denote the finite field with q elements, where q is a prime power and Fq[X] be the ring of polynomials in one variable X with coefficients in Fq. Denote Mm(Fq) the set of all m × m matrices with entries in Fq and GLm(Fq) be the set of all m × m invertible matrices. th For C ∈ Mm(Fq), Cij denotes the entry of the matrix C at i row and jth column. For any square matrix C, det(C) = |C| denotes its determinant whereas for a given set S, we denote its cardinality by |S|. dne denotes least positive integer greater than or equal to n. CT denotes the transpose of the matrix C. Let Im ∈ GLm(Fq) be the identity matrix. Let R ∈ Mm(Fq) be the right shift operator whose matrix form is given below   0 0 ··· 0 0  1 0 ··· 0 0     0 1 ··· 0 0  R =    ......   . . . . .  0 0 ··· 1 0

Figure 2.1: LFSR of order n

A sequence s0, s1, s2,... with elements from a finite field Fq is called periodic if there exists a nonnegative integer p such that si+p = si for all i ≥ 0 . The smallest such integer p is called the period of the sequence. For a periodic sequence, it is always possible to have a relation called linear recurring relation (LRR) among the elements as

4 2. Primitive LFSR and Primitive σ-LFSR

si+n = −(c0si + c1si+1 + ··· + cn−1si+n−1) (2.1)

where ci ∈ Fq and the integer n is called the degree of the LRR. It is well known that for a given periodic sequence in Fq there is a mini- mum degree LRR which satisfy the periodic sequence. The associated n n−1 polynomial f (x) = x − cn−1x − ... − c1x − c0 is called the characteristic polynomial of the LRR. Again, it is proved that the sequence generated by the LRR have period (qn − 1) if and only if the polynomial associated with the LRR is a primitive polynomial of degree n over the field Fq. LRRs are used in LFSRs (shown in the Figure 2.1) implementation. The above can be generalized as follows. For fixed positive integers m, let {α0,..., αm−1} be the vector space basis of Fqm over Fq. Then for any given s ∈ Fqm , there are unique s0,..., sm−1 ∈ Fq such that s = s0α0 + ··· + sm−1αm−1, and we shall denote the corresponding co-ordinate vector (s0,..., sm−1) of s by s. Evidently, the associ- m ation s 7−→ s gives a vector space isomorphism of Fqm onto Fq . El- m ements of Fq may be thought of as column vectors and so, for any m s ∈ Fq and C ∈ Mm(Fq) the matrix-vector multiplication Cs is a m well-defined element of Fq .

Definition 2.0.1. Let C0, C1,..., Cn−1 ∈ Mm(Fq) and then for any ∞ given n-tuple (s0,..., sn−1) of elements of Fqm , let (si)i=0 denote the infinite sequence of elements of Fqm determined by the following LRR:

si+n = C0si + C1si+1 + ··· + Cn−1si+n−1 i = 0, 1, . . . . (2.2)

The system (2.2) is called a sigma LFSR (σ-LFSR) of order n over Fqm , ∞ while the sequence (si)i=0 is referred to as the sequence generated by the σ-LFSR. The n-tuple (s0, s1,..., sn−1) is called initial states of the n n−1 σ-LFSR and the polynomial ImX − Cn−1X − · · · − C1X − C0 with matrix coefficients is called the matrix polynomial of the σ-LFSR. The ∞ sequence (si)i=0 is ultimately periodic if there are integers r, n0 with r ≥ 1 and n0 ≥ 0 such that sj+r = sj for all j ≥ n0. If n0 = 0, then the sequence is said to be periodic and in such case, the least positive ∞ integer r is called the period of the sequence (si)i=0. The following proposition [2, Proposition 4.2] gives some basic facts about the σ-LFSRs.

5 2. Primitive LFSR and Primitive σ-LFSR

Figure 2.2: σ-LFSR of order n

∞ Proposition 2.0.2. For the sequence (si)i=0 generated by the σ-LFSR of order n over Fqm , we have ∞ mn (i) (si)i=0 is ultimately periodic and its period is no more than q − 1; ∞ ∞ (ii) if C0 is nonsingular, then (si)i=0 is periodic. Conversely, if (si)i=0 is periodic whenever the initial state is of the form (b, 0, . . . , 0), where b ∈ Fqm with b 6= 0, then C0 is nonsingular.

An σ-LFSR of order n over Fqm is primitive if for any choice of nonzero initial state, the sequence generated by that σ-LFSR is periodic of period qmn − 1. n n−1 In view of the Proposition 2.0.2 if ImX − C − X − · · · − C X − n 1 1 C0 ∈ Mm Fq [X] is the matrix polynomial of primitive σ-LFSR then the matrix C0 is necessarily nonsingular. Again, corresponding to a n n−1 matrix polynomial ImX − Cn−1X − · · · − C1X − C0 ∈ Mm(Fq)[X], we can associate a (m, n)-block companion matrix T ∈ Mmn(Fq) of the following form   0 0 0 .. 0 0 C0 Im 0 0 .. 0 0 C   1   ......  T =   , (2.3)  ......     0 0 0 .. Im 0 Cn−2 0 0 0 .. 0 Im Cn−1 where Im denotes the m × m identity matrix over Fq, while 0 indi- cates the zero matrix in Mm(Fq). The set of all such (m, n)-block companion matrices T over Fq shall be denoted by σ-LFSR(m,n,q). Using

6 2. Primitive LFSR and Primitive σ-LFSR

a Laplace expansion or a suitable sequence of elementary column operations, we conclude that if T ∈ σ-LFSR(m,n,q), then det(T) = ± det(C0). Consequently,

T ∈ GLmn(Fq) ⇐⇒ C0 ∈ GLm(Fq). (2.4) where GLm(Fq) is the general linear group of all m × m nonsingular matrices over Fq. It may be noted that the block companion matrix (2.3) is the state n transition matrix for the σ-LFSR . If S0 := (s0, s1,..., sn−1) ∈ Fqm is n th the initial state and Sk := (sk, sk+1,..., sk+n−1) ∈ Fqm is the k state k of the σ-LFSR . Then Sk = S0T , for any k ≥ 0. We can identify the σ-LFSR with the block companion matrix (2.3). The following lemma [2, Lemma 5.1] reduces the calculation of an mn × mn determinant to an m × m determinant.

Lemma 2.0.3. Let T ∈ σ-LFSR(m,n,q) be given as in (2.3) and also let n n−1 M(X) ∈ Mm Fq[X] be defined by M(X) := ImX − Cn−1X − · · · − C1X − C0. Then the characteristic polynomial of T is equal to det (M(X)). The following characterization of primitive σ-LFSR can be easily extracted from the results given in [2] (see also [7, Theorem 4]).

Proposition 2.0.4. Let C0 ∈ GLm(Fq). Then the following are equivalent.

(i) An σ-LFSR (2.2) of order n over Fqm is primitive; (ii) o(T) = qmn − 1, where o(T) denotes the multiplicative order of T in GLmn(Fq) ;

(iii) det (M(X)) is a primitive polynomial over Fq of degree mn, where M(X) is same as defined in Lemma 2.0.3.

7 3 Horner’s Matrix

Definition 3.0.5. Let m and n be positive integers and let f (X) = mn i ∑ aiX be the polynomial of degree mn over Fq . We can express f (X) i=0 in the following form

n n n n f (X) = f0 + X ( f1 + X ( f2 + ··· + X ( fm−1 + X fm) ··· )) (3.1)

(i+1)n−1 k−in where fi(X) = ∑ akX for i = 0, 1, . . . , (m − 1) and fm(X) = k=in amn 6= 0. Note that the degree of each fi(X) is at most (n − 1). The representation of f (X) in (3.1) is referred as (m, n)-Horner’s form 1 of f (X).

Example 3.0.6. Let m = 4, n = 3, and let f (X) = 1 + X2 + X5 + X7 + 10 11 12 X + X + X ∈ F2[X]. Then (4, 3)-Horner’s form of f (X) is given by 3 3 3 3 f (X) = f0 + X ( f1 + X ( f2 + X ( f3 + X f4))),

2 2 2 where f0(X) = (1 + X ), f1(X) = X , f2(X) = X, f3(X) = (X + X ) and f4(X) = 1.

Corresponding to the (m, n)-Horner’s form of a given polynomial of degree mn over Fq , we can associate an m × m matrix as defined in the equation (3.2). This matrix would play a crucial role in the construction of efficient σ-LFSRs of order n over Fqm for generating pseudorandom vectors.

mn i Definition 3.0.7. Let f (X) = ∑ aiX be the polynomial of degree mn i=0

1. This name is motivated by Horner’s form of a polynomial used for computing the polynomial value with less number of multiplications.

8 3. Horner’s Matrix over Fq . The m × m matrix

 n  X 0 0 ··· 0 f0 −1 Xn 0 ··· 0 f   1   0 −1 Xn ··· 0 f   2  Hm(n, f ) =  ......  (3.2)  ......   n   0 0 0 ··· X fm−2  n 0 0 0 · · · −1 fm−1 + fmX corresponding to the (m, n)-Horner’s form (3.1) of f (X) is referred as (m, n)-Horner’s matrix of f (X).

For each j = 0, 1, . . . , n − 1, let Cj denotes the m × m matrix whose j entries are coefficients of X in the matrix Hm(n, f ). It is easy to see that the matrix Hm(n, f ) can be written as

n n−1 Hm(n, f ) = ImX + Cn−1X + ··· + C1X + C0. (3.3) It is clear from (3.3) that we can associate a σ-LFSR of order n over Fqm to these m × m matrices C0, C1,..., Cn−1. It is interesting to note that the matrices Ci(1 ≤ i ≤ n − 1) have the following special form   0 0 . . . 0 ai 0 0 . . . 0 a   n+i  0 0 . . . 0 a  Ci =  2n+i  (3.4)  ......   . . . . .  0 0 . . . 0 a (m−1)n+i m×m i.e., all columns are zero columns except the mth column. However, the matrix C0 is of the following form   0 0 . . . 0 a0 −1 0 . . . 0 a   n   0 −1 . . . 0 a  C0 =  2n  (3.5)  ......   . . . . .  0 0 . . . −1 a (m−1)n m×m The construction algorithm for efficient σ-LFSRs takes the advantage of these special structures. In Section5, we shall see in a greater

9 3. Horner’s Matrix

detail that why such a construction is fast and efficient. The following lemma gives the determinant of the matrix Hm(n, f ) and will be used in the sequel.

Lemma 3.0.8. Let Hm(n, f ) be the (m, n)-Horner’s matrix corresponding to the polynomial f (X) of degree mn over Fq as defined in (3.2). Then the determinant |Hm(n, f )| is equal to f (X).

Proof. Add Xn times the nth row to the (n − 1)th row of the matrix n th Hm(n, f ). This will remove the X in the (n − 1) row and it will not alter the determinant. Next, add Xn times the new (n − 1)th row to the (n − 2)th row. Continue successively until all the Xn terms on the main diagonal have been removed and the resultant matrix will be in the following form

  0 0 0 ··· 0 g0 −1 0 0 ··· 0 g   1   0 −1 0 ··· 0 g   2   ......   ......     0 0 0 ··· 0 gm−2 · · · − g 0 0 0 1 m−1 m×m

where

n n n n g0 = f0 + X ( f1 + X ( f2 + ··· + X ( fm−1 + X fm) ··· )) n n n g1 = f1 + X ( f2 + ··· + X ( fm−1 + X fm) ··· ) n n g2 = f2 + ··· + X ( fm−1 + X fm) . . n n gm−2 = fm−2 + X ( fm−1 + X fm) n gm−1 = fm−1 + X fm

which has the same determinant as Hm(n, f ). We can clean up the last column by adding to it appropriate multiples of the other columns so

10 3. Horner’s Matrix as to obtain   0 0 0 ··· 0 f (X) −1 0 0 ··· 0 0     0 −1 0 ··· 0 0    det (Hm(n, f )) = det  ......  .  ......     0 0 0 ··· 0 0  0 0 0 · · · −1 0

Finally, we can slide the last column to the first by successive column interchanges. We need (m − 1) interchanges, and so the determinant changes by (−1)(m−1). Further, if we pull out the negative sign in each of the rows in all except the first row, then the determinant gets multiplied by (−1)(m−1). It follows that the determinant of 2(m−1) Hm(n, f ) is (−1) times the determinant of the diagonal matrix diag ( f (X), 1, . . . , 1) and this proves the lemma.

11 4 Algorithm for Efficient Primitive σ-LFSR

4.1 Search Algorithm

The primitive σ-LFSRs generated by the search algorithm [12, Algo- rithm 1] proposed by Zeng et al. have very efficient and fast software implementation. These σ-LFSRs use some special linear transformation, namely the word operations provided by modern processors. Those operations are left (right) shift operation, combination of left right shift operations, circular rotation, AND, OR and XOR.

1. Left Shift Operation L and Right Shift Operation R. For x = (x0, x1, ..., xm−1), the left shift operator L is defined as L(x) = (x1, x2, ..., xm−1, 0) and the right shift operator R is defined as R(x) = (0, x0, x1, ..., xm−2). The matrix representation of the operator L is as follows

  0 1 ··· 0 0  . . . . .   ......    L =  0 0 ··· 1 0     0 0 ··· 0 1  ··· 0 0 0 0 m×m

where as the matrix representation of R is the transpose of the matrix L i.e.,   0 0 ··· 0 0  1 0 ··· 0 0    T  0 1 ··· 0 0  R = L =    ......   . . . . .  ··· 0 0 1 0 m×m

F 2. Left Right Shift Combination Operation s,t. F For given positive integers 0 < s, t < m, the operator s,t = th Ls + Rt i.e., it is an m × m matrix having all entries are 1 in s

12 4. Algorithm for Efficient Primitive σ-LFSR

upper sub-diagonal and tth lower sub-diagonal. For example   0 0 ··· 1 0  1 0 ··· 0 1    G =  0 1 ··· 0 0  m−2,1    ......   . . . . .  ··· 0 0 1 0 m×m F It is shown [12, Lemma 1] that s,t is invertible if and only if (s + t) | m. 3. Circular Rotation Operation σ and β. The right circular rotation σ is defined as σ(x) = σ(x0, x1, ..., xm−1) = (xm−1, x0, x1, ..., xm−2). The matrix representation of σ is as follows

  0 0 ··· 0 1  1 0 ··· 0 0     0 1 ··· 0 0  σ =    ......   . . . . .  ··· 0 0 1 0 m×m Similarly, the left circular rotation β is defined as the transpose of σ i.e., β(x) = β(x0, x1, ..., xm−1) = (x1, ..., xm−1, x0) and the matrix form of β is   0 1 0 ··· 0  0 0 1 ··· 0    T  . . . . .  β = σ =  ......     0 0 0 ··· 1  ··· 1 0 0 0 m×m

Note that σβ = Im.

4. AND operation Λγ. m−1 Let {αi}i=0 be the basis for F2m , then each γ ∈F2m can be ex- m−1 pressed as γ = ∑ ciαi, where ci ∈ F2. Then, for each x = i=0

13 4. Algorithm for Efficient Primitive σ-LFSR

m−1 (x0, x1, ..., xm−1) ∈ F2m , Λγ is defined as Λγ(x) = ∑ ciαixi. i=0 The matrix representation of Λγ is given below.   c0 0 ··· 0 0  0 c ··· 0 0   1   0 0 ··· 0 0  Λγ =    ......   . . . . .  ··· c 0 0 0 m−1 m×m

Using above four operators, two sets W and V are defined as follows. j k m W = {Λγ, L , R , ts,t | γ ∈ F2m , γ 6= 0 or 2 − 1; 0 < j, k, s, t < m} k V = {σ , ts,t | −m < k < m; 0 < s, t < m, (s + t)|m} Note that the elements of the set V are invertible. It is clear that the primitive σ-LFSRs with coefficients from V and W are suitable for fast software implementation. The steps of the search algorithm [12] is given in Algorithm1.

Algorithm 1 Search Algorithm for Primitive σ-LFSR Input: Order of σ-LFSR n and word size m Output: An efficient primitive σ-LFSR of order n over Fqm . 1: Randomly choose the coefficients of matrix polynomial M(x) = n n−1 ImX + Cn−1X + ··· + C1X + C0 having C0 ∈ V and S C1, C2,..., Cn−1 ∈ V W. 2: Compute the determinant g(x) = |M(x)|, which will be a polynomial of degree mn over F2. 3: If g(x) is primitive, M(x) will generate a primitive σ-LFSR otherwise go to step-1

Both the software and hardware implementation of σ-LFSRs obtained through the search algorithm are quite efficient. But for larger values of m and n, the search algorithm becomes sluggish to produce primitive σ-LFSR as it takes large number of attempts due to expo- nential increase in search space size. The explicit search space for the search algorithm for primitive σ-LFSR is derived in the follwing subsection.

14 4. Algorithm for Efficient Primitive σ-LFSR

4.1.1 Exhaustive Search Space of the Search Algorithm In order to compute the complexity of search space of Algorithm- 1, the number of elements in both the sets V and W are need to be calculated. The size of W is first derived in the following proposition.

Proposition 4.1.1. The size of the set W is 2m + m2 − 3.

j k Proof. Since the operators Λγ, L , R , ts,t are different for all values of m γ ∈ F2m , γ 6= 0, 2 − 1 and 0 < j, k, s, t < m. So, the size of W is

j k |W| = |Λγ| + |L | + |R | + | ts,t | = (2m − 2) + (m − 1) + (m − 1) + (m − 1)2 = (2m + m2 − 3). (4.1)

To compute the size of V, it is necessary to find the number of k F m k invertible σ for 0 < k < m and s,t for 0 < s, t < m. Since σ = Im, σ is invertible for all 0 < k < m. The following lemma tells the relation F between the linear transformation s,t and σ.

k F Lemma 4.1.2. For 0 < k < m, σ = k,m−k. Proof. Proof is obvious as

 k 0 0 ··· 0 1  1 0 ··· 0 0    G σk =  0 1 ··· 0 0  = Lk + Rm−k =   k,m−k  ......   . . . . .  ··· 0 0 1 0 m×m

Because of the above results, it is easy to see that V ⊆ W. Again, to compute |V| i.e., the size of V, it is sufficient to compute the number F F invertible s,t for 0 < s, t < m. It is proved in [12, Lemma 1] that s,t is invertible if and only if (s + t) | m. Therefore to find |V|, it is required to compute the number of distinct pairs (s, t) for which (s + t) | m. The following lemma computes this number.

15 4. Algorithm for Efficient Primitive σ-LFSR

Lemma 4.1.3. If the set of all distinct factors (> 1) of m is {d1, d2,..., dk}, then the number of distinct pairs (s, t) such that 0 < s, t < m and (s + t)|m k is ∑l=1(dl − 1). Proof. For each factor, the following table tells the number of distinct pairs (s, t) such that (s + t)|m.

Factor of m All possible pairs (s, t) Number of pairs d1 (1, d1 − 1), (2, d1 − 2),..., (d1 − 1, 1) (d1 − 1) d2 (1, d2 − 1), (2, d2 − 2),..., (d2 − 1, 1) (d2 − 1) ...... dk (1, dk − 1), (2, dk − 2),..., (dk − 1, 1) (dk − 1)

So, the total number of such pairs (s, t) is ((d1 − 1) + (d2 − 1) + ... + k (dk − 1)) = ∑l=1(dl − 1). This proves the lemma. Corollary 4.1.4. If m is prime, then the number of distinct pairs (s, t) such that 0 < s, t < m and (s + t)|m is (m − 1). Proof. The only divisor greater than 1 is m itself. So, the required number of distinct pairs is (m − 1). Corollary 4.1.5. If m = 2k, then the number of distinct pairs (s, t) such that 0 < s, t < m and (s + t)|m is (2k+1 − k − 2). Proof. Since m = 2k, the set of possible factors (greater than 1) of m are {2, 22, 23, . . . , 2k}. So, the total number of such pairs (s, t) is (1 + k k l k+1 3 + 7 + ... + 2 − 1) = ∑l=1(2 − 1) = (2 − k − 2). k Proposition 4.1.6. If m = 2 , then |V| is (2m − log2m − 2). Proof. Using corollary-4.1.5, it is clear that |V| = (2k+1 − k − 2) = 2m − log2m − 2. Since in most of the operating system, the word size is of the form 2k, now onwards we have considered m = 2k for some positive in- n n−1 teger k. Let ImX + Cn−1X + ··· + C1X + C0 be the primitive σ- polynomial generated by the search algorithm1. Then, C0 ∈ V and S C1, C2,..., Cn−1 ∈ V W = W. So, the size of the search space is |V||W|n−1. Thus, by the proposition 4.1.1 and 4.1.6, the exhaustive m 2 n−1 search space size is (2m − log2m − 2)(2 + m − 3) .

16 4. Algorithm for Efficient Primitive σ-LFSR 4.2 Construction Algorithm

There are construction algorithms available in the literature for producing primitive σ-LFSRs, see for instance, [2, Theorem 6.1] and Kr- ishnaswamy et al. [5]. These algorithms do not appear to produce an efficient σ-LFSR. On the other hand the construction algorithm proposed in [1] is very efficient in both hardware and software. Again, it constructs distinct primitive σ-LFSR of order n over Fqm from different binary primitive polynomial of degree mn. The sequential steps of the construction algorithm are described as follows.

Algorithm 2 Construction of efficient primitive σ-LFSR Input: A primitive polynomial f (X) of degree mn over Fq. Output: An efficient primitive σ-LFSR of order n over Fqm . 1: Express f (X) in its (m, n)-Horner’s form. 2: Construct (m, n)-Horner’s matrix Hm(n, f ) of f (X). 3: Express Hm(n, f ) in the form of matrix polynomial as described in (3.3), i.e.,

n n−1 Hm(n, f ) = ImX + Cn−1X + ··· + C1X + C0,

i where Ci is the m × m matrix whose entries are coefficients of X in the Horner’s matrix Hm(n, f ). 4: Return C0, C1,..., Cn−1.

The complexity of the construction algorithm is O(1) as it generates a primitive σ-LFSR from a given primitive polynomial just by rearranging the coefficients. Note that all the matrix coefficients Ci are of the form given in equation (3.4) and (3.5). Again, it is easy to see that C0 = R + Cc0, where R is the right shift operator and Cc0 has all its columns zero th except the m column, which is essentially the last column of C0. The structure of Cc0 is exactly same as Cj, j ≥ 1. Because of the following lemma which makes the implementation of σ-LFSRs generated from the construction algorithm very fast and efficient.

17 4. Algorithm for Efficient Primitive σ-LFSR

Lemma 4.2.1. For any matrix A ∈ Mm(F2) having all the columns zero th T m except the m column and for any vector s = [s0, s1,..., sm−1] ∈ F2 , we have As = sm−1vm th where vm represents the m column of the matrix A. Proof. Proof is obvious. By invoking Lemma 4.2.1, the recurrence relation (2.2) can be written as follows:

si+n = Rsi + Cc0si + C1si+1 + ··· + Cn−1si+n−1 = Rsi + α0v0 + α1v1 + ··· + αn−1vn−1, (4.2)

th where αi is the least significant bit (LSB) of si and vi is the m column T of the matrix Ci (0 ≤ i ≤ n − 1), that is vi = [ai, an+i,..., a(m−1)n+i] .

Figure 4.1: σ-LFSR of order n

It is clear that (4.2) can be computed by using only XOR and right shift operations which are both fundamental machine instructions and thus, provide an efficient software and hardware realization. Again, for feedback computation, it requires one right shift operation and at most n bitwise XOR operations. This happens only when each αi = 1 (i.e., each state stores odd integer value).

18 5 Implementation and Analysis of Construc- tion Algorithm

The construction algorithm for primitive σ-LFSR is implemented in C as well as in Maple-16. The used Test machine is Intel Xeon(R) CPU E5645 @ 2.40GHz x 12 with 8 GiB memory and 64-bit Linux operating system. For comparative analysis the search algorithm also implemented in Maple-16.

5.1 Comparative Analysis with Search Algorithm

The search algorithm is a randomize algorithm which first constructs a random σ-LFSR and then checks the primitiveness whereas the construction algorithm is a deterministic algorithm that directly constructs a primitive σ-LFSR from a given primitive polynomial over F2. In order to have a fair comparison, first a random polynomial f (x) of degree mn is generated over F2 and then tested for its primitivity. If f (x) is primitive, then using Algorithm1 the primitive σ-LFSR of order n over F2m is constructed. It may be remarked that for checking primitivity of a polynomial of degree mn over Fq, one needs to know the distinct prime factors of qmn − 1 beforehand. The computational complexity of finding distinct prime factors of qmn − 1 is very large. In fact, the factors of qmn − 1 can not be computed in polynomial time in general. However, for smaller values of q (note that in most of applications q is 2), many thanks to the Cunningham project [17], where the factorization of qmn − 1 is known for reasonable values of mn. Our algorithm is based on the assump- tion that the distinct prime factors of qmn − 1 are already known. The sequential steps of the randomize algorithm are described in Algo- rithm3. In Step2 of Algorithm3, one may use Ben-Or’s algorithm [13, 14] for irreducibility test, which is quite efficient in practice. It is pointed out in [14] that by using fast multiplication [15], the worst case complexity of Ben-Or’s algorithm is O(m2n2 log mn log log mn log mnq). As noted in [16, Section 1], in polynomial basis representation of Fqmn 2 2 over Fq, O(m n log mn log log mn log q) operations in Fq are needed

19 5. Implementation and Analysis of Construction Algorithm

Algorithm 3 Finding an efficient primitive σ-LFSR Input: Positive integers m and n, the prime power q, the distinct mn prime factors p1, p2, ··· , pk of q − 1. Output: An efficient primitive σ-LFSR of order n over Fqm . 1: Choose at random a monic polynomial f ∈ Fq[X] of degree mn. This is done by randomly selecting mn elements a0, a1, ··· , amn−1 mn mn−1 in Fq with a0 6= 0 and taking f (X) = X + amn−1X + ··· + a1X + a0. 2: Verify if f is irreducible. If f is not irreducible then go to Step1, otherwise go to Step3. 3: Verify if f is primitive. If f is not primitive then go to Step1, otherwise go to Step4. The primitivity test is done as follows: Compute mn h(X) = X(q −1)/pi mod f (X) for each i. If If h(X) 6= 1 for all k distinct prime factors pi then f is primitive. 4: Using Algorithm-2 return the required primitive σ-LFSR. for the exponentiation, with fast multiplication and repeated squar- ing. Thus the cost of Step3 is O(km2n2 log mn log log mn log q). Let α denote the probability that a given random monic polynomial of degree mn be primitive. Since the number of primitive polynomials mn of degree mn over Fq is φ(q − 1)/mn, where φ is Euler’s totient function. The value of α is given by φ(qmn − 1)/(mnqmn). Again, it is clear that the expected number of times the Algorithm3 to be iterated to find a primitive σ-LFSR is 1/α. So, the expected number of times Step2 to be executed is 1/α. It is well-known that the probability of a random monic polynomial of degree mn in Fq[X] being irreducible over Fq is close to 1/mn. So, the expected number of times Step3 to be executed is 1/(mnα). Thus the expected run time of Algorithm3 is (A + B), where A = α−1O(m2n2 log mn log log mn log mnq) and − B = (mnα) 1O(km2n2 log mn log log mn log q). Since the number of distinct prime factors of a given number N is bounded by log2 N, the value of k in our case is at most mn log2 q. Therefore for all practical purposes when the value of q is small, we can simply omit the second term B. As a consequence, the expected run time of Algorithm3 is given by O(α−1m2n2 log mn log log mn log mnq).

Remark 5.1.1. The Algorithm3 will produce φ(2mn − 1)/mn distinct

20 5. Implementation and Analysis of Construction Algorithm

Time vs (m=8,n)

search construction

3000

2500

2000

1500

Time (sec) 1000

500

0 48 40 9 32 8.5 24 16 8 8 7.5 0 7 Order n Word size m

Figure 5.1: Comparison results for m = 8

efficient primitive σ-LFSRs of order n over F2m , where φ is Euler’s totient function.

I have implemented both construction algorithm and search algorithm [12, Algorithm 1] in Maple-16 to generate primitive σ-LFSRs of varied length over different extension fields. Based on our experimental results, we have observed that the construction algorithm is much faster than the search algorithm. The figure 5.1 shows the comparison between the time taken by the search algorithm and construction algorithm for different values of n with m = 8. The figure 5.2 tells average time required with fixed value of n as 8 and 16.

5.2 Statistical Properties and Number of Tap Positions

The effect of number of tap points in LFSR is important forcryp- tographic usage while choosing a primitive polynomial. Because an LFSR with less number of tap positions is susceptible to fast correlation attack [18, 19]. The distribution of polynomials over F2 with respect to their weights are well studied in [20]. In this subsection, some

21 5. Implementation and Analysis of Construction Algorithm

Time vs (m,n=8) Time vs (m,n=16)

400 2000

300 1500

200 1000

Time (sec) 100 Time (sec) 500

0 0

32 9 32 17 24 24 16 8 16 16 8 Order n Word size m 8 0 0 Word size m 7 15 Order n

Figure 5.2: Comparison results for n = 8 and n = 16 experiments with respect to number of nonzero tap positions of the sigma polynomial are performed and studied the statistical properties on the output bitstream produced by the σ-LFSR. It is observed from the following experimental results that the more the number of taps in the sigma polynomial, the faster the diffusion process. The experiments are performed as follows

1. Initialize all n σ-LFSR states si with random m−bit wide numbers.

2. Run σ-LFSR for k iterations without collecting any bitstream. Then, for each iteration store the word si till 100n words are collected.

3. Then, perform walking one test on the states of σ-LFSR.

(a) For each walking 1’s test (i.e., only one bit of the initial states of σ-LFSR will be flipped and then execute step 2), generate 100n m-bit wide words and XOR with the initial 100n words and write the output word to a file in binary form. (b) As the total bit size of the σ-LFSR states is mn, the above process will produce mn number of files and each file will contain bitstream of length 100mn.

22 5. Implementation and Analysis of Construction Algorithm

For that we have experimented σ-LFSR of order n = 5 and word size m = 32. The summary of the results obtained from the statistical tests for different number of tap positions (i.e., 3, 4 and 5)inthe 5th order σ-LFSRs are given in the tables 5.1, 5.2 and 5.3 respectively. The above test is performed for several σ-LFSRs of order 5 over F2m having number of tap positions 3, 4 and 5. The statistical results are consistent in every cases. In the tables containing the summary of statistical results, first column tells the number of iterations k after which the keystream are collected and remaining other columns are the passing percentage of the respective test. In each case, we observed that the less number of iterations are required for better diffusion, when the number of tap points are more.

Number of Statistical Tests iterations k Monobit Serial Poker Runs Autocorrelation 20 0.03 0.03 0.03 0.05 0.05 50 0.19 0.22 0.62 0.63 0.78 70 0.79 0.83 0.89 0.89 0.92 90 0.98 0.96 0.94 0.91 0.94

Table 5.1: Summary of results for No. of taps = 3

Number of Statistical Tests iterations k Monobit Serial Poker Runs Autocorrelation 20 0.03 0.03 0.04 0.05 0.04 40 0.1 0.15 0.35 0.3 0.57 60 0.72 0.75 0.91 0.96 0.92 70 0.99 0.98 0.95 0.98 0.95

Table 5.2: Summary of results for No. of taps = 4

23 5. Implementation and Analysis of Construction Algorithm

Number of Statistical Tests iterations k Monobit Serial Poker Runs Autocorrelation 0 0.24 0.18 0.47 0.71 0.57 5 0.61 0.62 0.83 0.89 0.83 10 0.87 0.88 0.94 0.91 0.93 15 0.94 0.96 0.95 0.93 0.96

Table 5.3: Summary of results for No. of taps = 5

5.3 Weakness in Initialization of σ-LFSR States

From equation (4.2), it is clear that if all the states of the σ-LFSR are even, then each αi = 0 and only one active component will be present in the feedback function i.e., si+n = Rsi. Therefore, if all states are even and first k initial states s0, s1, ..., sk−1 are zero vectors, then σ- LFSR produces zero vector for first k cycles. In particular, if all states l si for 0 ≤ i < (n − 1) are zero vectors and sn−1 = 2 , for some integer l > 0, then following table gives the states of σ-LFSR after subsequent iteration numbers.

Iteration No. States of σ-LFSR (n-1) times z }| { 0 (d, 0, 0, ··· , 0) (n-2) times z }| { 1 (0, d, 0, 0, ··· , 0) (n-3) times z }| { 2 (0, 0, d, 0, 0, ··· , 0) . . . . (n-1) times z }| { n − 1 (0, 0, ··· , 0, d) (n-1) times d z }| { n ( 2 , 0, 0, ··· , 0) (n-2)times d z }| { n + 1 (0, 2 , 0, 0, ··· , 0) . . . .

24 5. Implementation and Analysis of Construction Algorithm

If in the content of stage 0 is the output word in each clock, then the first n(l + 1) words of the output sequence produces by the σ- LFSR are as follows

(n-1) times (n-1) times (n-1) times z }| { z }| { d z }| { d 0, 0, ··· , 0, d, 0, 0, ··· , 0, , ··· , 0, 0, ··· , 0, , ··· 2 2l Here each word is m−bit wide including 0. Note that there are (n − 1) zero vectors in each n consecutive output words till the n(l + 1)th cycle. So, the choice of initial values is significant for the quality of the resulting sequence. To avoid this problem, at least one of the initial state must be initialized with an odd number.

5.4 Different σ-LFSRs Constructed from Single Binary Primitive Polynomial

For a given binary LFSR of degree mn, we constructed different σ- LFSRs of order n1 over the field F2m1 such that m1n1 = mn and then analyze the total computation complexity for each σ-LFSR case . Since in most of the operating system, the word size is of the form 2k, we have considered mn = 2k for some positive integer k. Again, for a primitive polynomial of degree 2k, there will be k distinct primitive σ- LFSRs constructed from the same binary polynomial as the possible 0 1 k−1 values for m1 are 2 , 2 , . . . , 2 . For each m1 value, the construction algorithm returns n1 vectors {v0, v1,..., vn1−1}, where each vi is of m1-bit length. For better understanding, see the following example. Example 5.4.1. Let us consider the binary primitive polynomial f (x) = x32 + x31 + x27 + x26 + x25 + x20 + x19 + x15 + x14 + x11 + x9 + x7 + x6 + x5 + x4 + x2 + 1. Here degree of f (x) is 32 and so mn = 32 = 25. Then by taking m = 23 and 24 different σ-LFSRs are constructed using the construction algorithm of σ-LFSR as given below.

1. m = 23 and n = 22: v0 = 0x f 7, v1 = 0x54, v2 = 0x73, v3 = 0xb f .

2. For m = 24 and n = 2: v0 = 0xb f 2 f , v1 = 0x6775.

25 5. Implementation and Analysis of Construction Algorithm

From equation (4.2), it is clear that for a σ-LFSR of order n over F2m , it requires following operations in each cycle • For the feedback computation, it requires one right shift operation and at most (n − 1) XOR operations. • n shifting operations. So, in each cycle, at most 2n word operations are needed to produce an m−bit word. Again, in case of σ-LFSR of order n over F2m , a word of size m is generated in each iteration. So, to produce a bit- l stream of length l, a σ-LFSR will take d m e many iterations and re- l quired number of word operations is bounded by 2nd m e. This im- plies that for larger value of m, a σ-LFSR will take lesser number of word operations to produce bitstream of desired length l. For our experiment, we have taken mn = 512 and l = 220. Then for m = 1, 2, 22, . . . , 26, calculate the number of word operations needed to generate bitstream of length l. The following figure 5.3 summarize the results.

Figure 5.3: Experimental results for different word size m.

26 5. Implementation and Analysis of Construction Algorithm 5.5 Primitive σ-LFSR with Desired Number of Tap Points

In the section 5.2, we saw the importance of the number of tap positions in the σ-LFSR. However, it is preferable to have less number of nonzero tap positions in case of light weight cryptography. So, it is required to have an algorithm which can generate primitive σ-LFSRs of order n over F2m with desired number of tap points k < n. Algorithm 4 produces such σ-LFSRs.

Algorithm 4 Construction of Primitive σ-LFSR with k tap positions Input: Three positive integers m, n and k. Output: A primitive σ-LFSR of order n over F2m having k tap positions. mn j 1: Generate a random polynomial f (x) = ∑ ajx as follows j=0 Let the set S = ϕ, the empty set. for i from 1 to k { if (i = 1) then l = 0 else do { l = rand( ) mod n } while(l ∈ S) S = S ∪ {l} for j from 1 to m al+(j−1)n = rand( ) mod 2 } a0 = 1 and amn = 1 2: If f (x) is not primitive, go to step-1. 3: Else, take f (x) as input to Algorithm-1 which will return required σ-LFSR.

For given number of nonzero taps k, Algorithm4 chooses k different random indices l and constructs the matrix coefficients Cl. Then, constructs the polynomial f (x) using equation (3.4) and (3.5). If f (x) is primitive, then the construction algorithm for σ-LFSRs returns the desired primitive σ-LFSR with k number of taps.

27 6 Conclusion

The first objective of this thesis is the implementation and thense- curity analysis of the construction algorithm for primitive σ-LFSRs given in [1] on a 32/64-bit PC platform. The comparative performance of the construction algorithm and the search algorithm [12] for primitive σ-LFSRs is the secondary goals of this thesis. In this thesis both search algorithm and construction algorithm for generating efficient primitive σ-LFSRs are explained. In the search algorithm, the special matrix coefficients are selected from the subsets W and V to form the matrix polynomial. We studied those subsets in detail and proved that V ⊆ W. Again, in case of binary field F2, the actual size of the subset W is derived, where |W| = (2m + m2 − 3). In particular, if k m = 2 , then it is shown that |V| = (2m − log2m − 2). In this sce- nario, the exhaustive search space of the search algorithm for σ-LFSRs m 2 n−1 is (2m − log2m − 2)(2 + m − 3) . Both search algorithm and construction algorithm for σ-LFSRs produce primitive σ-LFSRs having very efficient implementation in both hardware and software. I implemented the search algorithm in Maple and the construction algorithm in both Maple and C for security analysis. My experiments show that the construction algorithm is much faster compared to the search algorithm in generating the primitive σ-LFSRs. The performance of the search algorithm de- creases drastically as the value of mn increases, where m is the word size and n is the order of the σ-LFSR. This thesis also contains several results related to the security of th bitstream generated by n order primitive σ-LFSRs over F2m . It is observed that the number of tap positions takes an important role in σ-LFSRs to achieve a faster diffusion, like in LFSRs. Several primitive σ-LFSRs with different m and n are considered, where mn = 2k for a positive integer k < 10. In each case, it is shown that the diffusion is faster when the number of tap positions is more. So, for a faster diffusion, it is always good to choose a primitive σ-LFSR having more number of nonzero tap positions. However, it is preferable to have less nonzero tap positions in case of light weight cryptography. So, depending upon the design criteria, the number of tap positions needs to be decided. In this report we have given an algorithm

28 6. Conclusion

that produces efficient primitive σ-LFSRs with the desired number of nonzero tap positions. Again, we have shown that if all the states of σ-LFSR generated by the construction algorithm are even, then the corresponding feedback value will be even. In particular, if the first n − 1 states s0, s1, ..., sn−2 of k σ-LFSR are initialized with zero vectors and the last state sn−1 = 2 , for some positive integer k, then next (n − 1) feedback vectors will be zero vectors only. Again, there will be (n − 1) zero vectors in each n consecutive output words generated by a σ-LFSR till the n(k + 1)th cycle. A similar kind of weakness occurs in case of the Lagged Fibonacci Generator (LFG). To counter this weakness, at least one of the initial states must be initialized with an odd number like in the LFG. It is shown in this thesis that several primitive σ-LFSRs of different order n can be constructed from a given primitive polynomial over the field F2. We also proved mathematically that for a larger value of word size m, the σ-LFSR takes less word operations to produce a bitstream of the desired length l and our experimental results also match with the formula. After analyzing the construction algorithm for primitive σ-LFSRs, I would suggest to select the σ-LFSRs with a larger word size m (i.e., 32 or 64) to take the advantage of modern word based operations in software implementations. Also, σ-LFSRs with more nonzero tap positions need to be selected for a faster diffusion and at least one state of the σ-LFSR must be initialized with an odd number.

29 Bibliography

[1] Bishoi, S.K., Haran, H.K. and Hasan, S.U.: Efficient Multiple-Recursive Matrix Method for generating Pseu- dorandom Vectors, Preprint, [Online], available: https:// arxiv.org/abs/1604.06753.

[2] Ghorpade, S.R., Hasan, S.U. and Kumari, M.: Primitive polynomials, Singer cycles, and word oriented linear feedback shift registers, Design Codes and Cryptography, Vol. 58, No. 2 (2011), 123-134.

[3] Golomb, S.W.: Shift Register Sequences. Cambridge, U.K.: Cambridge University Press, 1967.

[4] Krishnaswamy, S. and Pillai, H.K.: On the number of linear feedback shift registers with a special structure, IEEE Transactions on Information Theory, Vol. 58, No. 3, 2012, 288-296.

[5] Krishnaswamy, S. and Pillai, H.K.: On Multisequences and their Extensions, Preprint, 2012, [Online], available: http: //arxiv.org/pdf/1208.4501.pdf.

[6] Lidl, R. and Niederreiter, H.: Finite Fields, Cambridge Uni- versity Press, Cambridge, 1983.

[7] Niederreiter, H.: Factorization of Polynomials and Some Linear-Algebra Problems over Finite Fields, Linear Algebra and its Applications, 192 (1993), 301-328.

[8] Rifa, J. and Borrell, J.: A Fast Algorithm To Compute Irre- ducible and Primitive Polynomials in Finite Fields, Mathe- matical Systems Theory 28, 13-20 (1995).

[9] Preneel, B.: Introduction to the Proceedings of the Second Workshop on Fast Software Encryption, Vol. 1008 of Lec- ture Notes in Comput. Sci., 1-5, Springer, Berlin, 1995.

30 BIBLIOGRAPHY

[10] Alfred J. Menezes, Paul C. van Oorschot and Scott A. Van- stone: Handbook of Applied Cryptography. CRC Press, 1997.

[11] Tsaban, B. and Vishne, U.: Efficient feedback shift registers with maximal period, Linear Algebra and its Applications, 8 (2002), 256-267.

[12] Zeng, G., Han, W. and He, K.: High Efficiency Feedback Shift Register: σ-LFSR, Preprint, [Online], available: http: //eprint.iacr.org/2007/114.

[13] Ben-Or, M.: Probabilistic algorithms in finite fields. In Pro- ceedings of 22nd IEEE Symposium on Foundations of Computer Science (1981), pp. 394-398.

[14] Gao, S. and Panario, D.: Tests and construction of Ir- reducible Polynomials over Finite Fields, Foundations of Computational Mathematics, F. Cucker and M. Shub (EDs.), Springer 1997, 346-361.

[15] Cantor, D. and Kaltofen, E.: On fast multiplication of polynomials over arbitrary algebras, Acta Informatica 28 (1991), 693-701.

[16] Gao, S., Gathen, J.V., Panario, D. and Shoup, V.: Algorithms for Exponentiation in Finite Fields, Journal of Symbolic Computation, 29 (2000), 879-889.

[17] Brillhart, J., Lehmer, D.H., Selfridge, J.L., Tuckerman, B. and Wagstaf, S. S.: Factorization of bn ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 up to high powers, 2nd ed., Contemp. Math., Vol. 22, American Mathematical Society, Provi- dence, RI, 1988.

[18] Chepyzhov, V. and Smeets, B.: On a fast correlation attacks on certain stream ciphers. In: Eurocrypt’ 91, LNCS, vol. 547, pp 176-185, Springer, Berlin, 1992.

[19] Chepyzhov, V., Johansson, T. and Smeets, B.: A simple algorithm for fast correlation attacks on stream ciphers. In Fast

31 BIBLIOGRAPHY

Software Encryption, 2000, New York. LNCS, vol. 1978, pp 181-195, Springer, Berlin, 2001.

[20] Mishra, P. R., Gupta, I. and Gaba, N.: Distribution of primitive polynomials over GF(2) with respect to their weights, Mathematics and Computing, Vol. 139, Springer proceed- ing in Mathematics and Statistics, pp 441-449.