Table Of ContentSTREAM CIPHERS AND
NUMBER THEORY
North-Holland Mathematical Library
Board of Honorary Editors:
M. Artin, H. Bass, J. Eells, W. Feit, P.J. Freyd, F.W. Gehring,
H. Halberstam, L.V. Hormander, J.H.B. Kernperman, W.A.J. Luxemburg,
F.P. Peterson, I.M. Singer and A.C. Zaanen
Board of Advisory Editors:
A. Bjomer, R.H. Dijkgraaf, A. Dimca, A.S. Dow, J.J. Duistermaat,
E. Looijenga, J.P. May, I. Moerdijk, S.M. Mori, J.P. Palis, A. Schrijver,
J. Sjostrand, J.H.M. Steenbrink, F. Takens and J. van Mill
VOLUME 55
ELSEVIER
Amsterdam - Lausanne - New York - Oxford - Shannon - Singapore - Tokyo
Stream Ciphers and
Number Theory
Thomas W. CUSICK
Srure Utii~~>t-soift yN ew Yor-k at Bujjulo
Cunsheng DING
The Nationul University of Singapor.e
Ari RENVALL
Univer.sity oj'Tur-ku
1998
ELSEVIER
Amsterdam - Lausanne - New York - Oxford - Shannon - Singapore - Tokyo
ELSEVIER SCIENCE B.V.
Sara Burgerhartstraat 25
P.O. Box 21 1, 1000 AE Amsterdam, The Netherlands
Cuslck. Tho.as Id.. 1943-
Sfre.. clohers and number theory 1 Thomar W. Ulrtrk. Cunrhmg
Dlng. pL. rl fEu.. nr-l-ll .< North*ll.na .athe..tlcll Ilbrary ; r. 65)
Inclu4.s Dlbliog~.phlc.l ref*r.nser and Index.
ISBH 0-444-82873-7 (alk. paper)
I. I*l.ber fh.07~. 2. CIO.h evS. I. Dlnp. C. (0~nSh.n.). 1662-
11. funrall. Arl. 1963- 111. Tltle. IV. Series
66-10345
CIP
ISBN: 0 444 82873 7
O 1998 ELSEVIER SCIENCE B.V. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording or otherwise,
without the prior written permission of the publisher, Elsevier Science B.V., Copyright &
Permissions Department, P.O. Box 52 1, 1000 AM Amsterdam, The Netherlands.
Special regulations for readers in the U.S.A. -This publication has been registered with the
Copyright Clearance Center Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923.
Information can be obtained from the CCC about conditions under which photocopies of
parts of this publication may be made in the U.S.A. All other copyright questions, including
photocopying outside of the U.S.A., should be referred to the publisher.
No responsibility is assumed by the publisher for any injury and/or damage to persons or
property as a matter of products liability, negligence or otherwise, or from any use or opera-
tion of any methods, products, instructions or ideas contained in the material herein.
@The paper used in this publication meets the requirements of ANSI/NISO 239.48- 1992
(Permanence of Paper).
Printed in The Netherlands
To Kathy, Alan and Laura
To Weijuan and Xiang
To Pirjo and Marko
This Page Intentionally Left Blank
Preface
The goal of cryptography is the concealment of messages in such a way that
only authorized people can read them. A cipher or cryptosystem is an algo-
rithm for carrying out this concealment. If a message M is represented as a
string of characters m l, m2, ... from some fixed character set or alphabet, then
a cipher consists of two processes: encryption, a method for converting the
message or plaintext into a ciphertext meant to be unreadable by unautho-
rized people; and decryption, a method for recovering the message from the
ciphertext.
Broadly speaking, cryptosystems can be classified as either block ciphers
or stream ciphers. A block cipher breaks up a message M into successive
blocks M1, M2, ... of elements from the alphabet. There is a key set K such
that each key k in the set corresponds to an encryption algorithm Ek which
acts on the blocks of plaintext. Thus a plaintext M1, M2, ... is encrypted as
Ek(M1),Ek(M2), .... There is a decryption algorithm Dk for each key k such
that Dk(Ek(Mi)) = Mi; thus ciphertext can be converted back into plaintext
if the key k and Dk are known. A stream cipher breaks up a message M
into its component characters m l, m2, .... Each character mi is enciphered
with the element ki of a keystream K = kl,k2, .... If we let Ek~(mi) de-
note the encipherment of message character mi by keystream character ki (in
many cases this encipherment will simply be the sum of ki and mi in some
suitable Abelian group), then the ciphertext stream is Eki (ml), Ek2 (m2), ....
There is a decryption procedure Dk~ for each keystream character such that
Dk~(Ek,(mi)) = mi; thus ciphertext can be converted back into plaintext
if the needed characters ki of the keystream and the corresponding Dk~ are
known.
Both block ciphers and stream ciphers are in common use today. Stream
ciphers are especially prevalent in business, military and diplomatic settings.
One advantage that stream ciphers have is that typically they can be imple-
mented very efficiently in computing hardware. Since the security of a stream
cipher depends on the randomness properties of the keystream, it is often
easier to carry out a mathematical analysis of a stream cipher instead of a
block cipher.
VIII
This book is almost entirely concerned with stream ciphers. We con-
centrate on a particular mathematical model for such ciphers which we call
additive natural stream ciphers. These ciphers use a natural sequence gener-
ator to produce a periodic keystream. Full definitions of these concepts are
given in Chapter 2.
In this book we focus on keystream sequences which we can analyze using
number theory. It turns out that we can deduce a great deal of information
about the cryptographic properties of many classes of sequences by applying
the terminology and theorems of number theory. We make these connections
explicit by describing three kinds of bridges between stream ciphering prob-
lems and number theory problems. A detailed summary of these ideas is given
in the introductory Chapter 1.
This is the first book devoted to the study of the extensive crossfertilization
between stream ciphers and number theory. Many results in the book are new,
and over seventy percent of the results described in this book are based on our
recent research results. On the one hand, there are numerous instances where
results from number theory are used to answer questions from cryptography.
On the other hand, there are many cryptographic problems which suggest
new avenues of research in number theory. A few dozen questions of this
type, with greatly varying levels of difficulty, are scattered through the book
and labelled as Research Problems. For the convenience of the reader, a list
of brief summaries of these Research Problems is given in Appendix D.
Launched in 1992, this project has taken us several years to complete. Dur-
ing the whole process, we have benefited from discussions with and comments
from several colleagues. We thank Mark Goresky, Tor Helleseth, Andrew
Klapper, and Arto Salomaa for reading some parts of this book manuscript
and providing us with valuable comments and suggestions. We are grateful to
Harald Niederreiter for helpful suggestions and comments. We appreciate the
excellent working conditions provided by the State University of New York
at Buffalo, University of Turku, Turku Centre for Computer Science, and the
National University of Singapore. We acknowledge good cooperation with
Elsevier, especially with Drs. Arjen Sevenster, Ms. Claudette van Daalen,
and Ms. Titia Kraaij. Finally, we thank all members of our families for their
support.
December 1997 Thomas W. Cusick Cunsheng Ding Ari Renvall
Contents
Preface VII
1 Introduction 1
1.1 Applications of Number Theory . . . . . . . . . . . . . . . . . . 1
1.2 An Outline of this Book . . . . . . . . . . . . . . . . . . . . . . 5
2 Stream Ciphers 11
2.1 Stream Cipher Systems . . . . . . . . . . . . . . . . . . . . . . 11
2.1.1 Additive Synchronous Stream Ciphers . . . . . . . . . . 13
2.1.2 Additive Self-Synchronous Stream Ciphers . . . . . . . . 14
2.1.3 Nonadditive Synchronous Stream Ciphers . . . . . . . . 14
2.1.4 Stream Ciphering with Block Ciphers . . . . . . . . . . 16
2.1.5 Cooperatively Distributed Ciphering . . . . . . . . . . . 18
2.2 Some Keystream Generators . . . . . . . . . . . . . . . . . . . . 21
2.2.1 Generators Based on Counters . . . . . . . . . . . . . . 22
2.2.2 Some Number-Theoretic Generators . . . . . . . . . . . 23
2.3 Cryptographic Aspects of Sequences . . . . . . . . . . . . . . . 25
2.3.1 Minimal Polynomial and Linear Complexity . . . . . . . 25
2.3.2 Pattern Distribution of Key Streams . . . . . . . . . . . 29
2.3.3 Correlation Functions . . . . . . . . . . . . . . . . . . . 31
2.3.4 Sphere Complexity and Linear Cryptanalysis . . . . . . 32
2.3.5 Higher Order Complexities . . . . . . . . . . . . . . . . 35
2.4 Harmony of Binary NSGs . . . . . . . . . . . . . . . . . . . . . 36
2.5 Security and Attacks . . . . . . . . . . . . . . . . . . . . . . . . 40
3 Primes. Primitive Roots and Sequences 43
3.1 Cyclotomic Polynomials . . . . . . . . . . . . . . . . . . . . . . 43
3.2 Two Basic Problems from Stream Ciphers . . . . . . . . . . . . 44
3.3 A Basic Theorem and Main Bridge . . . . . . . . . . . . . . . . 47
3.4 Primes. Primitive Roots and Binary Sequences . . . . . . . . . 50
3.5 Primes. Primitive Roots and Ternary Sequences . . . . . . . . . 55
IX
