research note
CRYPTOGRAPHIC KEYS FOR IMPROVING THE RELIABILITY OF CIPHERS
Czeslaw Koscielny and Wladyslaw Mochnacki present a new key generation idea using periodic sequences over spurious rings
Received: 11 December 1990. Revised paper received: 1 March 1991
The spurious rings, denoted by SR(q), are an algebraic structure similar to the finite rings of q elements, but they do not satisfy certain axioms of the rings. The sequences generated over SR(q) can be applied as cryptographic keys. Finding such a key is more difficult than finding a key generated over GF(q). In this paper the properties of keys generated over SR(q) are presented, and the advantages of keys built from sequences over SR(q) for use in stream ciphers are discussed.
Keywords: cryptography, cryptographic keys, system security, ciphers
Institute of Engineering Cybernetics, Technical University of Wroclaw, 27 Wybrzeze Wyspianskiego St, 50-370 Wroclaw, Poland

For the protection of stored or transmitted data against unauthorized access, cryptographic systems are used. In a system with a secret key the encryption/decryption algorithms are published, but the key is kept secret. The strength of the cipher depends on the encryption algorithm and on the properties and protection of the key. The key must be resistant to attack, and attempts to break the cipher ought to be computationally difficult. Cryptographic systems generally employ modified pseudo-random sequences generated over finite fields GF(q). A cryptanalyst attacking the cipher searches for the recurrence generating the key, or equivalently for the characteristic polynomial of the key. If the characteristic polynomial has degree m, the cryptanalyst needs only 2m characters of the key to determine this polynomial and hence the whole key sequence. It has been observed that it is possible to generate sequences similar to pseudo-random sequences over a finite set of elements with defined addition and multiplication tables which do not satisfy some axioms of the finite fields. Such algebraic structures are referred to as spurious rings, and are denoted by SR(q). It is therefore useful to define the notion of a spurious ring. Let:
(1)
be an algebraic system consisting of a finite set of elements SR = {S_0, S_1, ..., S_{q-1}} in which two internal binary operations, referred to as addition and multiplication respectively, are defined, and let card SR = q, with q an arbitrary positive integer ≥ 2. System (1) forms a spurious ring if the following conditions are satisfied:
(1) SR under addition is an arbitrary additive system.
(2) ∃ S_0 ∈ SR ∀ S_i ∈ SR: S_0 · S_i = S_i · S_0 = S_0.
(3) SR* under multiplication is an arbitrary multiplicative system, where SR* denotes SR − {S_0}.
0140-3664/91/009557-05 © 1991 Butterworth-Heinemann Ltd. Computer Communications, vol 14 no 9, November 1991

The term 'arbitrary algebraic system' here means a groupoid, a quasi-group or a group, each of which can be abelian or non-abelian. The above definition can be used to construct a practically unlimited number of SR(q)s. The class of all possible SR(q)s contains all the isomorphic GF(q)s as a very small subclass. The term 'all the isomorphic GF(q)s' here denotes the fields whose elements are named 0, 1, ω, ..., ω^(q−2) but which have various addition tables. It is well known that these fields, up to isomorphism, represent the same finite field. For example, if SR* under multiplication is a multiplicative group generated by ω, viz. SR = {0, 1, ω, ω^2, ..., ω^(q−2)}, and if SR under addition is an abelian groupoid for which S_0 = 0, satisfying axioms (2) and (3) and additionally the axiom
(4) ∃ −1 ∈ SR [−1 = 1 if q is even, or −1 = ω^((q−1)/2) if q is odd],
then the number of spurious rings versus q, having various addition tables, is given in Table 1.
GENERATION AND PROPERTIES OF CRYPTOGRAPHIC KEYS

Cryptographic keys are sequences over a certain finite set of elements, with a long period. The properties of such sequences are similar to those of random sequences, but they must be reproducible. The period and the complexity are the basic parameters of the key. The complexity of a sequence is defined as the ratio of the number of independent m-dimensional vectors to the total number of such vectors contained in the sequence.
Table 1. Number of SR(q) if SR* under multiplication is a multiplicative group and SR under addition is an abelian groupoid for which axioms (2) to (4) hold

q     Number of SR(q)       Number of isomorphic GF(q)
4     1                     1
5     3                     2
6     9                     0
7     53                    2
8     265                   2
9     2119                  2
10    14833                 0
11    148329                4
12    1334961               0
13    16019531              4
14    176214841             0
15    2467007773            0
16    32071101049           2
17    513137616783          8
18    7697064251745         0
19    138547156531409       6
In the case of finite fields, the periodic sequence can be generated by means of the recurrence:
S_{m+j} = a_0·S_j + a_1·S_{1+j} + ... + a_{m−1}·S_{m−1+j},   a_i, S_i ∈ GF(q); j = 0, 1, 2, ...   (2)
This equation is a linear homogeneous equation with constant coefficients. S_0, ..., S_{m−1} is the initial sequence. The addition and multiplication are operations in GF(q). The polynomial p(x) corresponding to recurrence (2) is called the characteristic polynomial of the periodic sequence:
p(x) = x^m − a_{m−1}·x^{m−1} − ... − a_1·x − a_0   (3)
Some of these polynomials, referred to as primitive polynomials, generate sequences with the maximum period, equal to q^m − 1. Such sequences are called pseudo-random sequences, and their properties are described elsewhere [2]. Each nonbinary pseudo-random sequence satisfies the structure property, meaning that the sequence has the form
a, α·a, α^2·a, ..., α^{q−2}·a
where a is a sequence of length (q^m − 1)/(q − 1) and α is a primitive element of GF(q). This property makes it possible to reproduce the whole sequence from the fragment a, and it is exploited in cryptanalysis. The number of independent vectors of length m in the periodic sequence equals m, and the number of all such vectors is equal to the period of the sequence. The periodic sequences generated by linear recurrences cannot be applied directly as a cryptographic key because their complexity is too low. To increase the complexity we can use, for example, nonlinear generators. Such a generator can be constructed by connecting linear generators by means of multiplying elements. In this way we can implement generators with higher complexity and a long period. In cryptanalysis the cryptanalyst must determine the key which was used. Having intercepted a fragment of the key, he searches for the coefficients of the characteristic polynomial or of the corresponding recurrence. Generally, for this purpose the cryptanalyst needs a fragment of 2m elements of the key and must solve a set of m linear equations with m unknowns. In order to make cryptanalysis difficult we increase the number of independent vectors in the key sequence. This increases the time and cost of breaking the cipher.
PERIODIC SEQUENCES OVER SR(q)

The SR(q) permits its elements to be added and multiplied and, therefore, it is formally possible to write down a linear recurrence relation (2) with constant coefficients over SR(q). To demonstrate the existence of sequences other than those generated over GF(q), the example of SR(8) has been chosen. In this case the elements of SR(8) are represented by the set of integers {0, 1, ..., 7}. The addition and multiplication tables used in the experiments are shown in Table 2.

Table 2. Some possible addition and multiplication tables that allow construction of one GF(8) and three SR(8)

A1  +  0 1 2 3 4 5 6 7
    0  0 1 2 3 4 5 6 7
    1  1 0 4 7 2 6 5 3
    2  2 4 0 5 1 3 7 6
    3  3 7 5 0 6 2 4 1
    4  4 2 1 6 0 7 3 5
    5  5 6 3 2 7 0 1 4
    6  6 5 7 4 3 1 0 2
    7  7 3 6 1 5 4 2 0

A2  +  0 1 2 3 4 5 6 7
    0  0 1 2 3 4 5 6 7
    1  1 0 3 5 7 2 4 6
    2  2 7 0 4 6 1 3 5
    3  3 6 1 0 5 7 2 4
    4  4 5 7 2 0 6 1 3
    5  5 4 6 1 3 0 7 2
    6  6 3 5 7 2 4 0 1
    7  7 2 4 6 1 3 5 0

M1  ·  0 1 2 3 4 5 6 7
    0  0 0 0 0 0 0 0 0
    1  0 1 2 3 4 5 6 7
    2  0 2 3 4 5 6 7 1
    3  0 3 4 5 6 7 1 2
    4  0 4 5 6 7 1 2 3
    5  0 5 6 7 1 2 3 4
    6  0 6 7 1 2 3 4 5
    7  0 7 1 2 3 4 5 6

M2  ·  0 1 2 3 4 5 6 7
    0  0 0 0 0 0 0 0 0
    1  0 1 2 3 4 5 6 7
    2  0 2 6 5 3 1 7 4
    3  0 3 5 7 6 4 1 2
    4  0 4 3 6 2 7 5 1
    5  0 5 1 4 7 3 2 6
    6  0 6 7 1 5 2 4 3
    7  0 7 4 2 1 6 3 5

If the addition is not commutative, the first component of the sum is taken from the left column of the addition table. It should be noted that Tables A1 and M1 are isomorphic to the tables of operation in GF(8). The addition of Table A2 does not satisfy the commutative and associative axioms. The non-zero part of Table M2 is the table of operation in the group isomorphic to the additive group of GF(7). By combining these tables of operation it is possible to construct one GF(8) and three SR(8) (Tables A1-M2, A2-M1, A2-M2). It is assumed that the sequence will be generated by means of the following recurrence:
S_{2+j} = a_0·S_j + a_1·S_{1+j}
where a_i, S_i ∈ SR(q). In all cases we take the initial conditions S_0 = 1 and S_1 = 0. The period of the sequence generated over GF(q) depends on the type of characteristic polynomial. The number of primitive polynomials N can be calculated from the relation:

where φ(x) is the Euler function. Since there exist 18 primitive polynomials of degree two over GF(8), it is possible to generate 18 types of pseudo-random sequences. Other polynomials generate sequences with periods less than the maximum. Two examples of pseudo-random sequences are listed in Table 3.

Table 3. Two examples of pseudo-random sequences over GF(8)

No.  a0  a1  Sequence
1    3   4   103635664305157116507372331702524553 20474677540626122760141344210...
2    7   5   107455175706344764605233653504122542 40371143130267732720156621610...

Recurrence (2) over two of the SR(8), with the operation Tables A1-M2 and A2-M1, generates sequences of maximum length. The SR(8) with the operation Tables A2-M1 is capable of producing 36 pseudo-random sequences. The coefficient a_0 may change from 2 to 7 and a_1 from 1 to 7, except for those a_0 and a_1 which satisfy the following congruence:
a_1 = 3(8 − a_0) + 1 (mod 7)
Four such sequences are shown in Table 4.

Table 4. Examples of pseudo-random sequences over SR(8) of A2-M1 type

No.  a0  a1  Sequence
1    2   1   102216361203327472304431513405542624 50665373560776414670117525710...
2    3   4   103663424305115646507337161702552313 20477453540622675760144127210...
3    6   2   106757622604535477402313255207161733 70564651150342436630127214410...
4    7   5   107434755706323644605212533504171422 40376731130265627720154516610...

The SR(8) with the operation Tables A1-M2 is capable of producing six sequences of maximum length, listed in Table 5.

Table 5. All sequences of length 63 over SR(8) of A1-M2 type

No.  a0  a1  Sequence
1    2   1   102272153740332347120662607757361350 11417631670446452430556542510...
2    3   3   103764535504652736330723421220543241 44061751674770257156266013110...
3    4   1   104414022526476507737246742033435136 05545315701121756230661632710...
4    5   5   105361373304725742322015275414407677 06243565503451264660216317110...
5    6   1   106636576405535675207717254160447461 27033730115143246022621342310...
6    7   7   107512537330242204136545506357143440 17467277056476266032152316110...

The above sequences do not satisfy the structure property of pseudo-random sequences: in these sequences zeros do not appear in a regular pattern. Sequences with such a structure have not been known so far. The sequences generated over SR(8) with the operation Tables A2-M2 do not attain the maximum period, and the pattern of the sequence depends on the initial values S_0 and S_1.
APPLICATION OF PERIODIC SEQUENCES OVER SR(q) IN CRYPTOGRAPHY

In designing cryptographic systems two separate problems can be distinguished: the generation of cryptographic keys, and the construction of cryptographic algorithms. This paper is devoted to cryptographic keys; therefore we assume a simple stream cipher in which enciphering and deciphering are implemented by adding successive characters of the message and the key. The cryptanalysis process can then be confined to the search for the characteristic polynomial of the cryptographic key. The methods of generating periodic sequences over GF(q) and SR(q) are similar. In nonlinear circuits we can also use linear generators whose function is described by a linear recurrence over SR(q). The application of such generators in nonlinear circuits seems attractive because finding the characteristic polynomial is more difficult than in the case of conventional constructions, for the following reasons:
(1) The number of SR(q) is much greater than the number of GF(q).
(2) If addition is not associative, then the recurrence over SR(q) depends on the permutation of the components a_i·S_i.
(3) Recurrence coefficients cannot be found by the application of the typical numerical methods.
Properties (1) and (2) make it possible to generate a larger set of keys, and property (3) increases the labour required to break the cipher. In cryptanalysis there arises the problem of calculating the coefficients of the recurrence. The cryptanalyst is able to intercept a fragment of the ciphertext and the corresponding plaintext, and from these he can determine a fragment of the key. By using the key fragment S_0, S_1, ..., S_{2m−1} it is possible to write down m linear equations with m unknowns:
S_0·a_0 + S_1·a_1 + ... + S_{m−1}·a_{m−1} = S_m
S_1·a_0 + S_2·a_1 + ... + S_m·a_{m−1} = S_{m+1}
...
S_{m−1}·a_0 + S_m·a_1 + ... + S_{2m−2}·a_{m−1} = S_{2m−1}
The solution of such a set of equations in the field of real numbers requires m² storage and m³ operations. Let us consider, for example, the sequence fragment from Table 4 generated over SR(8) of A2-M1 type: 1 6 3 6 1 2 0 ... We search for the recurrence in the form:
a_0·S_j + a_1·S_{j+1} = S_{j+2}
By substituting the elements of the above sequence into the recurrence equation we obtain the following equations:
a_0·1 + a_1·6 = 3
a_0·6 + a_1·3 = 6
The following factors a_0 and a_1 satisfy the first equation:
a_0: 0 1 2 3 4 5 6 7
a_1: 5 4 1 0 2 6 3 7
From this table we can choose the values of the factors satisfying the second equation:
a_0: 2 4 5 6 7
a_1: 1 2 6 3 7
For a sequence generated over GF(q) we would obtain a unique solution. In this case we must continue the process and write the next equation:
a_0·3 + a_1·6 = 1
This equation is satisfied by the following pairs of factors a_0 and a_1:
a_0: 2 4 5 7
a_1: 1 2 6 7
In this step one pair of factors has been eliminated. After the next two steps we obtain a unique solution: a_0 = 2 and a_1 = 1. We obtain this result after solving a set of five equations instead of the two needed for a conventional key. In practice, the cryptanalyst knows neither the degree of the polynomial nor the operation tables of SR(q). He must assume a polynomial of higher degree and then determine the addition and multiplication tables. Thus the number of necessary computations increases. Generally, to obtain the key generated by a characteristic polynomial of degree m over SR(q), the cryptanalyst must solve a set of m or more equations with m unknowns. At the beginning he must assume the addition and multiplication tables, and next he may try to eliminate unknowns by substituting the SR(q) elements until a unique solution is obtained. This trial-and-error procedure has to be continued until the solution is unique. The sequences presented in Table 5 deserve special notice because they do not satisfy the structure property. The cryptanalyst cannot reproduce such a sequence from a fragment of the key. Naturally, it is possible for him to find the generating polynomial, but this method requires much more time.

CONCLUSION

A new method for generating periodic sequences, presented in this paper, qualitatively changes the problems of designing and cryptanalysing cryptographic keys. No general mathematical theory of the SR(q) has been put forward so far. Therefore, the process of designing the key is an individual one which depends on the knowledge and experience of the designer. It seems, however, that the solution may be found readily and rapidly by computer-aided research.
A study of possible methods of cryptanalysis enables the construction of a cipher which would be resistant to attacks. The application of periodic sequences over SR(q) allows us to design a unique key. Finding such a key requires the use of an unconventional method of cryptanalysis. This increases the amount of computation to such a degree that the cipher becomes, in practice, analytically unbreakable.
REFERENCES

1 Koscielny, C 'Spurious Galois fields', IEEE Pacific RIM Conf. on Commun., Comput. & Signal Process., Victoria, Canada (June 1989) pp 416-418
2 MacWilliams, F J and Sloane, N J A 'Pseudo-random sequences and arrays', Proc. IEEE, Vol 64 No 12 (1976) pp 1715-1729