Stream Ciphers and Number Theory PDF

446 pages · 1998 · 16.044 MB

Preview Stream Ciphers and Number Theory

STREAM CIPHERS AND NUMBER THEORY

North-Holland Mathematical Library

Board of Honorary Editors: M. Artin, H. Bass, J. Eells, W. Feit, P.J. Freyd, F.W. Gehring, H. Halberstam, L.V. Hörmander, J.H.B. Kemperman, W.A.J. Luxemburg, F.P. Peterson, I.M. Singer and A.C. Zaanen

Board of Advisory Editors: A. Björner, R.H. Dijkgraaf, A. Dimca, A.S. Dow, J.J. Duistermaat, E. Looijenga, J.P. May, I. Moerdijk, S.M. Mori, J.P. Palis, A. Schrijver, J. Sjöstrand, J.H.M. Steenbrink, F. Takens and J. van Mill

VOLUME 55

ELSEVIER
Amsterdam - Lausanne - New York - Oxford - Shannon - Singapore - Tokyo

Stream Ciphers and Number Theory

Thomas W. CUSICK
State University of New York at Buffalo

Cunsheng DING
The National University of Singapore

Ari RENVALL
University of Turku

1998

ELSEVIER SCIENCE B.V.
Sara Burgerhartstraat 25
P.O. Box 211, 1000 AE Amsterdam, The Netherlands

Cusick, Thomas W., 1943-
Stream ciphers and number theory / Thomas W. Cusick, Cunsheng Ding, Ari Renvall.
p. cm. -- (North-Holland mathematical library ; v. 55)
Includes bibliographical references and index.
ISBN 0-444-82873-7 (alk. paper)
1. Number theory. 2. Ciphers. I. Ding, C. (Cunsheng), 1962- II. Renvall, Ari, 1963- III. Title. IV. Series.
66-10345 CIP

ISBN: 0 444 82873 7

© 1998 ELSEVIER SCIENCE B.V. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher, Elsevier Science B.V., Copyright & Permissions Department, P.O. Box 521, 1000 AM Amsterdam, The Netherlands.

Special regulations for readers in the U.S.A. - This publication has been registered with the Copyright Clearance Center Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923.
Information can be obtained from the CCC about conditions under which photocopies of parts of this publication may be made in the U.S.A. All other copyright questions, including photocopying outside of the U.S.A., should be referred to the publisher.

No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

The paper used in this publication meets the requirements of ANSI/NISO Z39.48-1992 (Permanence of Paper).

Printed in The Netherlands

To Kathy, Alan and Laura
To Weijuan and Xiang
To Pirjo and Marko

Preface

The goal of cryptography is the concealment of messages in such a way that only authorized people can read them. A cipher or cryptosystem is an algorithm for carrying out this concealment. If a message M is represented as a string of characters m_1, m_2, ... from some fixed character set or alphabet, then a cipher consists of two processes: encryption, a method for converting the message or plaintext into a ciphertext meant to be unreadable by unauthorized people; and decryption, a method for recovering the message from the ciphertext.

Broadly speaking, cryptosystems can be classified as either block ciphers or stream ciphers. A block cipher breaks up a message M into successive blocks M_1, M_2, ... of elements from the alphabet. There is a key set K such that each key k in the set corresponds to an encryption algorithm E_k which acts on the blocks of plaintext. Thus a plaintext M_1, M_2, ... is encrypted as E_k(M_1), E_k(M_2), .... There is a decryption algorithm D_k for each key k such that D_k(E_k(M_i)) = M_i; thus ciphertext can be converted back into plaintext if the key k and D_k are known.

A stream cipher breaks up a message M into its component characters m_1, m_2, ....
Each character m_i is enciphered with the element k_i of a keystream K = k_1, k_2, .... If we let E_{k_i}(m_i) denote the encipherment of message character m_i by keystream character k_i (in many cases this encipherment will simply be the sum of k_i and m_i in some suitable Abelian group), then the ciphertext stream is E_{k_1}(m_1), E_{k_2}(m_2), .... There is a decryption procedure D_{k_i} for each keystream character such that D_{k_i}(E_{k_i}(m_i)) = m_i; thus ciphertext can be converted back into plaintext if the needed characters k_i of the keystream and the corresponding D_{k_i} are known.

Both block ciphers and stream ciphers are in common use today. Stream ciphers are especially prevalent in business, military and diplomatic settings. One advantage that stream ciphers have is that typically they can be implemented very efficiently in computing hardware. Since the security of a stream cipher depends on the randomness properties of the keystream, it is often easier to carry out a mathematical analysis of a stream cipher instead of a block cipher.

This book is almost entirely concerned with stream ciphers. We concentrate on a particular mathematical model for such ciphers which we call additive natural stream ciphers. These ciphers use a natural sequence generator to produce a periodic keystream. Full definitions of these concepts are given in Chapter 2.

In this book we focus on keystream sequences which we can analyze using number theory. It turns out that we can deduce a great deal of information about the cryptographic properties of many classes of sequences by applying the terminology and theorems of number theory. We make these connections explicit by describing three kinds of bridges between stream ciphering problems and number theory problems. A detailed summary of these ideas is given in the introductory Chapter 1.

This is the first book devoted to the study of the extensive cross-fertilization between stream ciphers and number theory.
Many results in the book are new, and over seventy percent of the results described in this book are based on our recent research results. On the one hand, there are numerous instances where results from number theory are used to answer questions from cryptography. On the other hand, there are many cryptographic problems which suggest new avenues of research in number theory. A few dozen questions of this type, with greatly varying levels of difficulty, are scattered through the book and labelled as Research Problems. For the convenience of the reader, a list of brief summaries of these Research Problems is given in Appendix D.

Launched in 1992, this project has taken us several years to complete. During the whole process, we have benefited from discussions with and comments from several colleagues. We thank Mark Goresky, Tor Helleseth, Andrew Klapper, and Arto Salomaa for reading some parts of this book manuscript and providing us with valuable comments and suggestions. We are grateful to Harald Niederreiter for helpful suggestions and comments. We appreciate the excellent working conditions provided by the State University of New York at Buffalo, University of Turku, Turku Centre for Computer Science, and the National University of Singapore. We acknowledge good cooperation with Elsevier, especially with Drs. Arjen Sevenster, Ms. Claudette van Daalen, and Ms. Titia Kraaij. Finally, we thank all members of our families for their support.

December 1997
Thomas W. Cusick
Cunsheng Ding
Ari Renvall

Contents

Preface

1 Introduction
  1.1 Applications of Number Theory
  1.2 An Outline of this Book

2 Stream Ciphers
  2.1 Stream Cipher Systems
    2.1.1 Additive Synchronous Stream Ciphers
    2.1.2 Additive Self-Synchronous Stream Ciphers
    2.1.3 Nonadditive Synchronous Stream Ciphers
    2.1.4 Stream Ciphering with Block Ciphers
    2.1.5 Cooperatively Distributed Ciphering
  2.2 Some Keystream Generators
    2.2.1 Generators Based on Counters
    2.2.2 Some Number-Theoretic Generators
  2.3 Cryptographic Aspects of Sequences
    2.3.1 Minimal Polynomial and Linear Complexity
    2.3.2 Pattern Distribution of Key Streams
    2.3.3 Correlation Functions
    2.3.4 Sphere Complexity and Linear Cryptanalysis
    2.3.5 Higher Order Complexities
  2.4 Harmony of Binary NSGs
  2.5 Security and Attacks

3 Primes, Primitive Roots and Sequences
  3.1 Cyclotomic Polynomials
  3.2 Two Basic Problems from Stream Ciphers
  3.3 A Basic Theorem and Main Bridge
  3.4 Primes, Primitive Roots and Binary Sequences
  3.5 Primes, Primitive Roots and Ternary Sequences
