Vilnius University
INSTITUTE OF MATHEMATICS AND INFORMATICS
INFORMATICS ENGINEERING (07 T)

BLOCK CIPHER AND NON-LINEAR SHIFT REGISTER BASED RANDOM NUMBER GENERATOR QUALITY ANALYSIS

Robertas Smaliukas
October 2015

Technical Report MII-DS-07T-14-3
VU Institute of Mathematics and Informatics, Akademijos str. 4, Vilnius LT-08663, Lithuania
www.mii.lt
Abstract

Random Number Generators (RNGs) are an important building block for algorithms and protocols in cryptography. They are paramount in the construction of encryption keys and other cryptographic algorithm parameters. In practice, statistical testing is employed to gather evidence that a generator indeed produces numbers that appear to be random. In this report, a random number generator based on three parallel linear feedback shift registers is tested using A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, and possible improvements to the quality of its randomness are analysed: using non-linear shift registers, adding switchers, adding controllers, combining parallel linear with non-linear shift registers, and self-shrinking methods.

Key words: random number generator, hypothesis test, P-value, Linear Feedback Shift Register (LFSR), Non-linear Feedback Shift Register (NFSR).
Table of Contents

Introduction ... 4
1 Linear Feedback Shift Register ... 4
2 Random number (binary) sequence tests and results ... 6
3 Linear Feedback Shift Register improvement analysis ... 8
4 References ... 13
Introduction

A random number generator is a computational or physical device (or software) designed to generate a sequence of numbers or symbols that lack any pattern. There are two principal methods used to generate random numbers. One measures some physical phenomenon that is expected to be random and then compensates for possible biases in the measurement process. The other uses computational algorithms that produce long sequences of apparently random results, which are in fact completely determined by a shorter initial value, known as a seed or key. Coin flipping is an example of the first principle, while a pseudo-random number generator is an example of the second. A "random number generator" based solely on deterministic computation cannot be regarded as a "true" random number generator, since its output is inherently predictable.

A true random system would place no restriction on the same item appearing two, three or more times in succession in the sequence of numbers, whereas a unique random number generator generates a sequence in which no number is duplicated.

In the field of cryptography, random number generators are very useful because they make it possible to run the same sequence of random numbers again by starting from the same seed. So long as the seed is secret, sender and receiver can generate the same set of numbers automatically to use as keys. Random number generators have vital applications in gambling, completely randomized design, statistical sampling, computer simulation, and other areas where producing an unpredictable result is desirable. Many such applications of randomness have led to the development of several different methods for generating random data. Many of these have existed since ancient times, including dice, coin flipping, and the shuffling of playing cards.
But those are not sufficient to fulfil all requirements, so nowadays other techniques are also used, such as the linear congruential generator, the middle-square method, the probability density function and inversion methods, the acceptance-rejection method, hash-function-based random number generators, the linear feedback shift register method, etc. In computer security, suitable metrics are needed to investigate the degree of randomness of binary sequences produced by cryptographic random number generators (RNGs). Today, researchers are developing new hardware- and software-based RNGs. However, few standards address the statistical analysis techniques that should be employed in practice. This paper will: list advantages and disadvantages of RNGs based on feedback shift registers, and display experimental RNG testing results for all 10 RNGs using A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications.

1 Linear Feedback Shift Register

A Linear Feedback Shift Register is a shift register whose input bit is a linear function of its previous state. The only linear functions of single bits are XOR and inverse-XOR; thus it is a shift register whose input bit is driven by the exclusive-or (XOR) of some bits of the overall shift register value. The L-bit initial value of the LFSR is called the seed, where L is called its length; the stream of values produced by the register is completely determined by the previous state. It can produce various random sequences by varying the taps. A bit position that affects the next state is called a tap.

An LFSR can also be used as a random number generator. From the range (R) of the random number it can be determined how many bits (B) will be grouped together to represent a random number by the formula:

If the range of the random number is 0 to 63, then 6 bits are needed to represent the random number. Generated sequences of random numbers are repeated to generate the required count of random numbers. Some applications demand non-repeating random numbers. In those situations the existing approach cannot satisfy the demand, which is why LFSR-based unique random number generators came into focus. The pseudo-noise (PN) generator is responsible for generating the random sequence.

The proposed random number generator

The proposed generator consists of three maximal-length linear feedback shift registers (LFSRs) of lengths thirty-one, nineteen and fourteen bits, later referenced simply as the 3REG generator. The feedback functions are chosen primitive to achieve a maximum period for each register [10]. The feedback functions of the LFSRs are:

Fig. 1 represents the algorithm of the RNG based on three linear feedback shift registers, which will be used for testing. The outputs of these LFSRs are connected through an XOR gate. The period of the generated sequence is:
Figure 1: PN sequence generator.

The key length of this pseudo-random number generator is 14 + 19 + 31 = 64, so 64 initial values (0s or 1s) are required. This algorithm can easily be programmed in any modern programming language. Another big advantage is that it runs faster than most other RNGs.

2 Random number (binary) sequence tests and results

There is an infinite number of possible statistical tests, each assessing the presence or absence of a pattern which, if detected, would indicate that the sequence is non-random. Because there are so many tests for judging whether a sequence is random or not, no specific finite set of tests is deemed complete. In addition, the results of statistical testing must be interpreted with some care and caution to avoid incorrect conclusions about a specific generator.

The NIST Test Suite is a statistical package consisting of 15 tests that were developed to test the randomness of (arbitrarily long) binary sequences produced by either hardware- or software-based cryptographic random or pseudo-random number generators. These tests focus on a variety of different types of non-randomness that could exist in a sequence. Some tests are decomposable into a variety of subtests. The 15 tests are:

1. The Frequency (Monobit) Test,
2. Frequency Test within a Block,
3. The Runs Test,
4. Tests for the Longest-Run-of-Ones in a Block,
5. The Binary Matrix Rank Test,
6. The Discrete Fourier Transform (Spectral) Test,
7. The Non-overlapping Template Matching Test,
8. The Overlapping Template Matching Test,
9. Maurer's "Universal Statistical" Test,
10. The Linear Complexity Test,
11. The Serial Test,
12. The Approximate Entropy Test,
13. The Cumulative Sums (Cusums) Test,
14. The Random Excursions Test, and
15. The Random Excursions Variant Test.

A statistical test is formulated to test a specific null hypothesis (H0). The null hypothesis under each test is that the sequence being tested is random. Associated with this null hypothesis is the alternative hypothesis (Ha), which states that the sequence is not random. For each applied test, a decision or conclusion is derived that accepts or rejects the null hypothesis, i.e., whether the generator is (or is not) producing random values, based on the sequence that was produced. Each test is based on a calculated test statistic value, which is a function of the data. If the test statistic value is S and the critical value is t, then the Type I error probability is P(S > t | H0 is true) = P(reject H0 | H0 is true), and the Type II error probability is P(S ≤ t | H0 is false) = P(accept H0 | H0 is false). The test statistic is used to calculate a P-value that summarizes the strength of the evidence against the null hypothesis. For these tests, each P-value is the probability that a perfect random number generator would have produced a sequence less random than the sequence that was tested, given the kind of non-randomness assessed by the test. If the P-value for a test is determined to be equal to 1, then the sequence appears to have perfect randomness. A P-value of zero indicates that the sequence appears to be completely non-random. A significance level (α) can be chosen for the tests. If P-value ≥ α, then the null hypothesis is accepted, i.e., the sequence appears to be random. If P-value < α, then the null hypothesis is rejected, i.e., the sequence appears to be non-random. The parameter α denotes the probability of the Type I error.
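The following Python program is an added example, not code from the report or from any of the cited authors. It ties section 1 to the two tests that matter most for what follows: it builds the 3REG generator from three Fibonacci LFSRs, applies the Frequency (Monobit) test with the P-value decision rule just described, and applies the Linear Complexity test (test 10 above) using the Berlekamp-Massey algorithm. The report does not list its feedback polynomials, its key-to-register layout or a test key, so the tap tuples TAPS_31, TAPS_19 and TAPS_14 (standard primitive polynomials of degrees 31, 19 and 14), the layout (low 14 key bits seed the shortest register) and the sample key in the demo are all assumptions.

```python
"""3REG (three maximal-length LFSRs XORed) under two NIST SP 800-22 tests:
Frequency (Monobit) and Linear Complexity. Added example, not the report's
code. The feedback polynomials, the key layout and the sample key are
ASSUMED; the report does not print them."""
import math

TAPS_31 = (31, 3)          # x^31 + x^3 + 1           (assumed)
TAPS_19 = (19, 5, 2, 1)    # x^19 + x^5 + x^2 + x + 1 (assumed)
TAPS_14 = (14, 5, 3, 1)    # x^14 + x^5 + x^3 + x + 1 (assumed)


class LFSR:
    """Fibonacci LFSR over GF(2): n-bit integer state, output bit = LSB,
    feedback = XOR of the tapped stages, shifted in at the top."""

    def __init__(self, taps, seed):
        self.n, self.shifts = taps[0], [taps[0] - t for t in taps]
        if not 0 < seed < (1 << self.n):
            # The all-zero state is a fixed point: such a register emits 0 forever.
            raise ValueError("seed must be a non-zero %d-bit value" % self.n)
        self.state = seed

    def step(self):
        fb = 0
        for s in self.shifts:
            fb ^= (self.state >> s) & 1
        out = self.state & 1
        self.state = (self.state >> 1) | (fb << (self.n - 1))
        return out


def lfsr_period(taps):
    """Steps until the state repeats; 2**n - 1 confirms a primitive polynomial."""
    reg, count = LFSR(taps, 1), 0
    while True:
        reg.step()
        count += 1
        if reg.state == 1:
            return count


class ThreeReg:
    """3REG: a 64-bit key seeds R14, R19 and R31 (assumed layout: low 14 bits,
    next 19 bits, top 31 bits); each output bit is the XOR of the three outputs."""

    def __init__(self, key):
        if not 0 <= key < (1 << 64):
            raise ValueError("key must fit in 64 bits")
        self.regs = (LFSR(TAPS_14, key & 0x3FFF),
                     LFSR(TAPS_19, (key >> 14) & 0x7FFFF),
                     LFSR(TAPS_31, key >> 33))

    def bits(self, count):
        return [self.regs[0].step() ^ self.regs[1].step() ^ self.regs[2].step()
                for _ in range(count)]


def monobit_pvalue(bits):
    """Frequency (Monobit) test: P = erfc(|S_n| / sqrt(2n)), S_n = sum of the bits mapped to +1/-1."""
    s_n = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2.0 * len(bits)))


def linear_complexity(bits):
    """Berlekamp-Massey: length L of the shortest LFSR that produces `bits`."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n   # connection polynomials C(x), B(x)
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                         # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            for j in range(n - i + m + 1):  # C(x) += x^(i-m) * B(x)
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def linear_complexity_pvalue(bits, M=500):
    """Linear Complexity test (test 10): per M-bit block compare L_i with the expected
    mean mu via T_i, bin the T_i into 7 classes, chi-square with K = 6 degrees of freedom."""
    N = len(bits) // M
    pi = (0.010417, 0.03125, 0.125, 0.5, 0.25, 0.0625, 0.020833)
    mu = M / 2.0 + (9.0 + (-1) ** (M + 1)) / 36.0 - (M / 3.0 + 2.0 / 9.0) / 2.0 ** M
    v = [0] * 7
    for i in range(N):
        T = (-1) ** M * (linear_complexity(bits[i * M:(i + 1) * M]) - mu) + 2.0 / 9.0
        v[min(6, max(0, int(math.ceil(T + 2.5))))] += 1   # bins: T<=-2.5, ..., T>2.5
    chi2 = sum((v[k] - N * pi[k]) ** 2 / (N * pi[k]) for k in range(7))
    x = chi2 / 2.0
    return math.exp(-x) * (1.0 + x + x * x / 2.0)   # igamc(3, x) in closed form


if __name__ == "__main__":
    stream = ThreeReg(0x0123456789ABCDEF).bits(10_000)   # constructed sample key
    print("monobit P-value            : %.4f" % monobit_pvalue(stream))
    print("linear complexity (500 bits): %d, random data gives about 250"
          % linear_complexity(stream[:500]))
    print("linear complexity P-value  : %.3g" % linear_complexity_pvalue(stream))
```

Running it reproduces the pattern the results in this section describe: the monobit P-value is unremarkable, but every 500-bit block has linear complexity exactly 64 = 31 + 19 + 14, because the XOR of LFSRs with pairwise coprime feedback polynomials has linear complexity equal to the sum of their lengths, against an expected value near M/2 = 250 for random data, so the Linear Complexity P-value underflows to 0. `lfsr_period` checks the primitivity assumption for the two short registers (the 31-bit one would need 2^31 steps). The constructor also rejects an all-zero register seed: such a register is stuck at zero and silently contributes nothing, so a key with 14, 19 or 31 zero bits in the corresponding field degrades the generator to fewer registers.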
Typically, α is chosen in the range [0.001, 0.01].

The proposed Three Linear Feedback Shift Register Generator failed the Linear Complexity Test. All ten 5,000,000-byte sequences produced a P-value equal to zero, meaning that the null hypothesis (the sequence being tested is random) under this test is rejected. However, the 3REG generator did pass all the other tests for all 10 experimental sequences. The following table depicts the test-by-test average of 10 P-values for the above reference generators that passed the NIST tests.

Test No.        LCG           G-SHA1        BBSG          MSG           3REG
1               0.5540677     0.6254126     0.5947807     0.5292109     0.3447995
2               0.4504642     0.4710175     0.5856267     0.3732363     0.4806241
3               0.509554      0.574768      0.3801342     0.5755808     0.5823284
4               0.3298319     0.4988647     0.4760395     0.4963509     0.4829949
5               0.4884333     0.4646476     0.4132292     0.3551408     0.5109316
6               0.2392687     0.444735      0.4911075     0.382327      0.5166959
7               0.490443645   0.507031918   0.48344518    0.488216006   0.459775
8               0.5017448     0.2900201     0.514613      0.5124189     0.4257519
9               0.6017852     0.5406192     0.5984025     0.5091791     0.5142033
10              0.4620417     0.464612      0.3611264     0.3659363     0.0000000
11              0.61634955    0.41102745    0.52158945    0.5475205     0.5866082
12              0.4533295     0.5800665     0.5778958     0.4423716     0.31148725
13              0.606336      0.51923455    0.57387685    0.5158128     0.501684003
14              0.457911313   0.447000338   0.331634025   0.400410813   0.368927775
15              0.401442017   0.383205283   0.3595873     0.38536561    0.33791472
Total average   0.477533568   0.481484183   0.484205887   0.458605222   0.428315103

The constant failure of 3REG in the linear complexity test suggests that this generator could be reconstructed from its output bytes by an intruder who does not have the 64-bit starting seed. Even very long sequences generated by 3REG do not pass the linear complexity test, and the P-values for this particular test equal 0, meaning that this type of generator does not qualify as a secure cryptographic generator. The other results put BBSG at the top of the PRNGs with an average P-value of 0.484205887, closely followed by G-SHA1 and LCG, while MSG trails with a significantly lower average over the 15 tests. When it comes to good quality of randomness, the experiment using the very-long-sequence approach shows that BBSG, G-SHA1 and LCG are the best choice.

3 Linear Feedback Shift Register improvement analysis

Non-Linear Feedback Shift Registers (NLFSRs) have been proposed as an alternative to Linear Feedback Shift Registers (LFSRs) for generating pseudo-random sequences for stream ciphers. In an (n,k)-NLFSR, the feedback can be taken from any of the n bits, and the next-state functions can be any Boolean functions of up to k variables.
Our motivation for considering this type of NLFSR is that its Galois configuration makes it possible to compute each next-state function in parallel, thus increasing the speed of output sequence generation. Thus, for stream cipher applications where encryption speed is important, (n,k)-NLFSRs may be a better alternative than the traditional Fibonacci ones. After deriving a number of properties of (n,k)-NLFSRs it is possible to demonstrate that they are capable of generating output sequences with good statistical properties which cannot be generated by the Fibonacci type of NLFSR. Second, it is shown that the period of the output sequence of an (n,k)-NLFSR is not necessarily equal to the length of the largest cycle of its states. We also present an algorithm for estimating the length of cycles of states of (n,k)-NLFSRs which uses Binary Decision Diagrams for representing the set of states and the transition relation on this set.

For example, the proposed LFSR could be improved like this:

In cryptography, the shrinking generator is a form of pseudo-random number generator intended to be used in a stream cipher. It was published at Crypto 1993 by Don Coppersmith, Hugo Krawczyk, and Yishay Mansour. The shrinking generator uses two linear feedback shift registers. One, called the A sequence, generates output bits, while the other, called the S sequence, controls their output. Both A and S are clocked; if the S bit is 1, then the A bit is output; if the S bit is 0, the A bit is discarded, nothing is output, and the registers are clocked again. This has the disadvantage that the generator's output rate varies irregularly, and in a way that hints at the state of S; this problem can be overcome by buffering the output. Despite this simplicity, there are currently no known attacks better than exhaustive search when the feedback polynomials are secret. If the feedback polynomials are known, however, the best known attack requires less than A·S bits of output.
The output of the selection rule does not have to be binary, as shown below.

A self-shrinking generator is a pseudo-random generator based on the shrinking generator concept. Variants of the self-shrinking generator based on a linear feedback shift register (LFSR) are studied for use in cryptography.
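The two selection rules described above, as an added Python example that is not part of the report: `shrink` and `self_shrink` implement the shrinking and self-shrinking rules on plain bit lists, `shrinking_generator` drives them from two LFSRs and also records how many clocks pass between output bits (the irregular rate the text warns about), and `BufferedShrinkingGenerator` shows the buffering remedy by releasing output only in fixed-size blocks. The polynomials, seeds and block size are constructed for illustration and are not the report's parameters.

```python
"""Shrinking and self-shrinking generators over LFSRs: the selection rules,
the irregular output rate, and a fixed-size output buffer. Added example,
not the report's code; polynomials, seeds and inputs are constructed."""


def lfsr_bits(taps, seed, count=None):
    """Fibonacci LFSR output stream; taps = polynomial exponents, x^n term first.
    count=None yields an endless stream."""
    n, state, produced = taps[0], seed, 0
    while count is None or produced < count:
        fb = 0
        for t in taps:
            fb ^= (state >> (n - t)) & 1
        yield state & 1
        state = (state >> 1) | (fb << (n - 1))
        produced += 1


def shrink(a_bits, s_bits):
    """Shrinking rule: emit the A bit when the S bit is 1, discard it otherwise."""
    return [a for a, s in zip(a_bits, s_bits) if s == 1]


def self_shrink(bits):
    """Self-shrinking rule: read the stream in pairs (b0, b1); emit b1 when b0 is 1."""
    it = iter(bits)
    return [b1 for b0, b1 in zip(it, it) if b0 == 1]


def shrinking_generator(a_taps, a_seed, s_taps, s_seed, clocks):
    """Clock both registers `clocks` times. Returns (output bits, clocks spent per
    output bit); the second list is the timing pattern an observer could see."""
    out, gaps, gap = [], [], 0
    for a_bit, s_bit in zip(lfsr_bits(a_taps, a_seed, clocks),
                            lfsr_bits(s_taps, s_seed, clocks)):
        gap += 1
        if s_bit:
            out.append(a_bit)
            gaps.append(gap)
            gap = 0
    return out, gaps


class BufferedShrinkingGenerator:
    """Hides the per-clock accept/discard pattern behind fixed-size output blocks."""

    def __init__(self, a_taps, a_seed, s_taps, s_seed, block=8):
        self.a = lfsr_bits(a_taps, a_seed)   # endless A stream
        self.s = lfsr_bits(s_taps, s_seed)   # endless S stream
        self.block, self.buf = block, []

    def next_block(self):
        # Keep clocking until a whole block is available, then release it at once.
        while len(self.buf) < self.block:
            a_bit, s_bit = next(self.a), next(self.s)
            if s_bit:
                self.buf.append(a_bit)
        out, self.buf = self.buf[:self.block], self.buf[self.block:]
        return out


if __name__ == "__main__":
    # Constructed registers: A = x^7 + x^6 + 1, S = x^5 + x^3 + 1, both seeded with 1.
    out, gaps = shrinking_generator((7, 6), 1, (5, 3), 1, 31)
    print("kept %d of 31 A bits; clocks between outputs: %s" % (len(out), gaps))
    print("self-shrunk:", self_shrink(list(lfsr_bits((5, 3), 1, 62))))
    gen = BufferedShrinkingGenerator((7, 6), 1, (5, 3), 1)
    print("buffered blocks:", gen.next_block(), gen.next_block())
```

Over one full period of the 5-bit control register (31 clocks) exactly 16 A bits survive, since a maximal-length sequence contains 2^(n-1) ones per period; the `gaps` list shows that those 16 bits arrive at uneven intervals that mirror the S sequence, which is exactly why the buffered variant releases output only in whole blocks.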
The ideas of self-shrinking and shrinking generators could also help, especially when it comes to the Linear Complexity test, which has been failed every time so far. During the analysis it was found that there are many other ways to experiment with the LFSR algorithm, for example:

Windmill generator, where the LFSRs are not parallel:

Grain, where an NFSR and an LFSR are used together:
Implementation of a control clock:
4 References

1. Schneier, B. (1996): Applied Cryptography: Protocols, Algorithms, and Source Code in C. New York: Wiley.
2. Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A. (1997): Handbook of Applied Cryptography. Boca Raton, FL: CRC Press.
3. Juremi, J., Mahmod, R., Sulaiman, S., Ramli, J. (2012): Enhancing advanced encryption standard S-box generation based on round key. International Journal of Cyber-Security and Digital Forensics 1(3): 183-188.
4. Korn, G.A., Korn, T.M. (1961): Mathematical Handbook for Scientists and Engineers. McGraw-Hill, New York/Toronto/London.
5. Merkle, R. (1991): Fast software encryption functions. In: Advances in Cryptology: Proceedings of CRYPTO '90. Springer-Verlag, Berlin: 476-501.
6. NIST Special Publication 800-22 revision 1a (April 2010): A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Technology Administration, US Department of Commerce.
7. Sakthivel, G. (2001): Differential cryptanalysis of substitution permutation networks and Rijndael-like ciphers. Master's project report, Rochester Institute of Technology.
8. Katti, R.S., Ruan, X., Khattri, H. (2006): Multiple Output Low Power Linear Feedback Shift Register Design. IEEE Transactions on Circuits and Systems I 53(7), July 2006.
9. Panda, A.K., Rajput, P., Shukla, B. (2012): FPGA Implementation of 8, 16 and 32 Bit LFSR with Maximum Length Feedback Polynomial using VHDL. 2012 International Conference on Communication Systems and Network Technologies.
10. Mishra, S.D., Shrivastav, A. (2013): Design and Analysis of FPGA based cryptographic N-bit parallel LFSR. International Journal of Latest Trends in Engineering & Technology (IJLTET) 3(2), Nov 2013, ISSN 2278-621X.
11. Goresky, M., Klapper, A.M. (2002): Fibonacci and Galois representations of feedback-with-carry shift registers. IEEE Transactions on Information Theory 48, Nov 2002: 2826-2836.
12. Xilinx Inc.: Efficient Shift Registers, LFSR Counters, and Long Pseudo-Random Sequence Generators. Application Note.
13. Assis, F., Pedreira, C. (2000): An Architecture for Computing Zech's Logarithms in GF(2^m). IEEE Transactions on Computers 49(5): 519-524.
14. Beth, T., Piper, F. (1985): The Stop-and-Go Generator. Lecture Notes in Computer Science 209, Springer-Verlag: 88-92.
15. Automata to Attack the Shrinking Generator. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E89-A: 1166-1172.
16. Coppersmith, D., Krawczyk, H., Mansour, Y. (1994): The Shrinking Generator. Lecture Notes in Computer Science 773, Springer-Verlag: 22-39.
17. Fúster-Sabater, A. (2004): Run Distribution in Nonlinear Binary Generators. Applied Mathematics Letters 17: 1427-1432.
18. Golic, J., O'Connor, L. (1995): Cryptanalysis of Clock-Controlled Shift Registers with Multiple Steps. Cryptography: Policy and Algorithms 41: 174-185.
19. Gollmann, D., Chambers, W.C. (1989): Clock-Controlled Shift Registers: A Review. IEEE Transactions on Selected Areas in Communications SAC-7, May: 525-533.
Gong, G. (1995): Theory and Applications of q-ary Interleaved Sequences. IEEE Transactions on Information Theory 41(2): 400-411.
20. Clock-Controlled Shrinking Generator of Feedback Shift Registers. Lecture Notes in Computer Science 2727, Springer-Verlag: 443-451.
21. On Some Properties of the Shrinking Generator. Designs, Codes and Cryptography 23: 147-156.
22. Simpson, L., Golic, J., Dawson, E. (1998): A Probabilistic Correlation Attack on the Shrinking Generator. Lecture Notes in Computer Science 1438, Springer-Verlag: 147-158.
23. Golomb, S. (1982): Shift Register Sequences. Aegean Park Press.
24. Schneier, B. (2000): A self-study course in block-cipher cryptanalysis. Cryptologia XXIV(1): 18-33.
25. Robshaw, M. (1994): Stream ciphers. Technical Report TR-701, July 1994.
26. Meier, W., Staffelbach, O. (1989): Fast correlation attacks on certain stream ciphers. Journal of Cryptology 1(3): 159-176.
27. Tarannikov, Y. (2001): New constructions of resilient Boolean functions with maximum nonlinearity. Lecture Notes in Computer Science 2355: 66-77.
28. Bialota, R., Kawa, G. (2005): Modified alternating k-generators. Designs, Codes and Cryptography 35(2): 159-174.
29. Zeng, K., Yang, C., Wei, D., Rao, T.R.N. (1991): Pseudo-random bit generators in stream-cipher cryptography. Computer, 1991.