JPH0629969A - Random number generating circuit using nonlinear circuit - Google Patents

Abstract

PURPOSE:To improve the linear complexity of L cryptography of linear calculation type by combining a nonlinear circuit with the combination between a linear feedback shift register and a key register. CONSTITUTION:A nonlinear circuit 5 defines an m-variable nonlinear function Z on a function GF(2) as shown in the equation by using a threshold level (t) (t=2<d>+1, (d>0)) to realize the nonlinear function whose number of variables is expressed as m=2<d+1>+1. Furthermore, a content of a key register 3 is constant. A linear feedback shift register 2 and a key register 3 are combined by ANDs 4 to form a random number generating circuit 1, and ANDs 4 between the linear feedback shift register 2 and the key register 3 are inputted to a nonlinear circuit 5. Since the random numbers obtained therefrom has very large linear complexity, the analysis is difficult, and random number series with high statistical randomness is generated, random numbers with high security are obtained. Furthermore, the nonlinearization of the random numbers is automatically attained at a high speed by the nonlinear circuit.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a simple random number generating circuit using a non-linear function, which is constructed for the purpose of application to cryptographic communication.

[0002]

2. Description of the Related Art A simple mechanism capable of generating high-quality random numbers at high speed is indispensable for realizing a highly secure encryption machine. For that purpose, it is necessary to develop a basic random number generation circuit that is a building block of the random number generation mechanism.

As the cipher, a linear operation type L cipher created by using a linear feedback shift register disclosed in Japanese Patent Publication No. 50-22363 and a desired number of single character substitution tables are selected and used. There is a non-linear operation type P cipher created.

The L-cipher is a 2n-stage linear feedback
A block cipher that uses a shift register to linearly convert an original text (n bits) into a ciphertext (n bits) with a key (n bits). The P-cipher is, for example, a conversion table having integers from 0 to 15 as elements. 16 tables are prepared, the original text (64 bit), the key (64
Each 4 bits) is divided into 16 blocks of 4 bits each, and the 4-bit taple of the original text and the key is divided into 0 to 15
It is a block cipher that is expressed in decimal and non-linearly converts the original text into ciphertext using the selected substitution table matrix.

In the above example, the P-cipher is apparently a block cipher of size 64 bits in which the original text (64 bits) is non-linearly converted into a ciphertext (64 bits) with a key (64 bits). , Original text (4 bits) key (4 bits)
It is a block cipher with a size of 4 bits that is non-linearly converted into a ciphertext (4 bits).

[0006]

As described above, there are two types of ciphers, a linear operation type L cipher and a non-linear operation type P cipher. However, since the L cipher has a linear encryption operation, If the pair with the ciphertext is leaked, there is a problem that the key and the feedback coefficient are algebraically solved.

Further, since the P-cipher is a non-linear operation type, it basically has a higher cipher strength than the L-cipher, but since it has a small block size, it can be easily executed by a selective plaintext attack. When the substitution matrix and the key are restored and a sufficient amount of pairs are leaked to a third party, there is a problem that a similar situation may occur due to a known plaintext attack.

Further, since the P ciphertext is manually encrypted by using the substitution table matrix, there is a problem that the encryption of the original text and the original culture of the ciphertext take time and effort.

Therefore, the present invention was devised to solve the above-mentioned problems in the prior art. The technical problem is to compensate the weakness called linearity of L cryptography with a non-linear circuit. The purpose is to dramatically increase linear complexity.

[0010]

The means for solving the above technical problem is to provide a random number generator having a linear feedback shift register for generating an M sequence having an n-th order feedback polynomial and an n-stage key register. A source circuit and a non-linear circuit that inputs the logical product of a linear feedback shift register and a key register, and an m-variable non-linear function z = f (x on GF (2) which is a function of the non-linear circuit. equation using _1, x _2, ···, a x _m), the threshold value t

## EQU1 ## and the threshold value t is t = 2 ^d +1 (d> 0). Similarly, the number of variables m is set to m = 2 ^{d + 1} +1.

[0011]

The operation of the present invention will be described below with reference to the drawings, tables and mathematical formulas showing the embodiments of the present invention. In the following description, one linear feedback, shift register and one key register are combined,
The target is a random number generation circuit as a building block that nonlinearizes the output of this combination through a nonlinear circuit.

M-variable nonlinear function on GF (2) z = f (x
₁ , x ₂ , ..., x _m ) using the threshold value t

It is defined as shown in [Equation 1]. The non-linear function z is a Boolean function that outputs 1 if the arithmetic sum of the input variables is greater than or equal to a certain threshold value, and outputs 0 otherwise. As an example, the truth table for m = 4 and t = 2

[Table 1] Shown in. this

The Boolean function in the case of [Table 1] is z = x ₁ x ₂ + x ₁ x ₃ + x ₂ x ₃ + x ₂ x ₄ + x ₃ x ₄ . However, + indicates a logical sum.

Formula

If the logical function given by [Equation 1] is expressed by an m-variable polynomial on GF (2), the m-variable function z on GF (2) is z = f (x ₁ , x ₂ , ... x _m ) z, x _i εGF
(2) and all formulas as m-variable polynomials on GF (2)

[Equation 2] Expressed as Here, the coefficient a _{i1 ...}

[Equation 3] According to.

This formula

[Formula 2] and mathematical formula

[Formula 3]

When applied to the m-variable function z shown in [Table 1], z = x ₁ x ₂ + x ₁ x ₃ + x ₁ x ₄ + x ₂ x ₃ + x ₂ x ₄ + x ₃ x ₄ + x ₁ x ₂ x ₃ x ₄ Become. However, + indicates an exclusive OR.

Next, the m-variable nonlinear function on GF (2) is expressed by

## EQU00002 ## The degree of the polynomial f in the case of the polynomial expression as shown in FIG. In the truth table of the m-variable nonlinear function, the output z
If N (m, t) is the number of 1s appearing in the column,
(m, t) is a mathematical formula

[Equation 4] Given in. However, this formula

In Equation 4, t represents a threshold value.

Where { _m C _i mod 2} is _m B _i ,
{N (m, t) mod 2} When the B (m, t), B (m, t) = m B t + m B t + 1 + ·· + m B m ( where + is the exclusive Which is the disjunction)

The degree of the polynomial shown in [Equation 2] is [m-th order when B (m, t) = 1 and (m− when B (m, t) = 0]
1) the following and below]. By the way, the binomial coefficient _m C _i (i = 0,
The generating function of (1, ..., m) is

[Equation 5] The binomial coefficient _m B _i (i = 0,
Similarly, the generating function of (1, ..., m)

[Equation 6] Will be given in.

Assuming that the number of variables is m = 2 ^d (d> 0),

Is a mathematical formula

[Equation 7] Therefore, [when the nonlinear function in the case where the number of variables is a power of 2 is represented by a polynomial, the degree thereof is equal to the number of variables]. Formula

In equation (7), the number of terms less than the order of x ^{t −1} is only 1, so that B (2 ^d , t) = 1 QED.

[Mathematical formula-see original document]

In Equation 6, 0 ≦ s <2 ^d , t <2 ^d, and 2 ^d
= G, the formula

[Equation 8] Which gives [[the number of variables is 2 ^d +
If s and the threshold t is s <t, the degree of the polynomial is 2 ^d ]. Formula

In [Equation 8], the terms below the (t-1) th order are [1 + x]
^{Since s} (however, + is an exclusive OR), B (m,
t) = 0 QED.

From this, the number of variables is 2 ^d + s,
In addition, the order of the polynomial when the threshold value t is 1 <t <s is 2 ^d when [B (s, t-1) = 0 and 2 when B (s, t-1) = 1.
^d + s].

In this way, the order of the polynomial function is obtained according to each threshold value and the number of input variables. In order to apply the nonlinear function to cryptography, the number of 0s and 1s in the output sequence in the truth table is obtained. Must be equal. Therefore,
The number of variables m is 2t-1. Further, in order to increase the complexity of the output sequence and make the analysis difficult, it is desirable that the polynomial has a large degree. By the way, when the number m of variables is in the range of 2 ^d ≦ m <2 ^{d + 1} , the degree of the polynomial is 2
It is constant at ^d . Therefore, in order to obtain the maximum complexity with the minimum variable, it is sufficient to set m = 2 ^d +1. From this, the threshold value t = 2 ^d +1 d> 0 and the number of variables m
= ^{2d + 1 + 1} .

As an example, θ = 2 ¹ + 1 = 3, m = 2 ² +
The truth table for 1 = 5

[Table 2] Shown in. The blue function z in this case is z = x ₁ x ₂ x ₃ + x ₁ x ₂ x ₄ + x ₁ x ₂ x ₅ + x ₁ x ₃ x ₄ + x ₁ x ₃ x ₅ + x ₁ x ₄ x ₅ + x ₂ x ₃ the _{x 4 + x 2 x 3 x} 5 + x 2 x 4 x 5 + x 3 x 4 x 5. In addition, + indicates a logical sum. Also, the polynomial is f
(x1, x2, x3, x4, x5) = x ₁ x ₂ x ₃ + x ₁ x ₂ x ₄ + x ₁ x ₂ x ₅ + x ₁ x ₃ x ₄ + x ₁ x ₃ x ₅ + x ₁ x ₄ x ₅ + x ₂ x ₃ x ₄ + x ₂ x ₃ x ₅ + x ₂ x ₄ x ₅ + x ₃ x ₄ x ₅ + x ₁ x ₂ x ₃ x ₄ + x ₁ x ₂ x ₃ x ₅ + x ₁ x ₂ x ₄ x ₅ + x ₁ x ₃ the _{x 4 x 5 + x 2 x} 3 x 4 x 5 + x 1 x 2 x 3 x 4 x 5. In addition, + is an exclusive OR.

Next, the above-mentioned threshold value t = 2 ^d +1 d>
Non-linearization of the M sequence by a non-linear function with 0 and the number of variables m = 2 ^{d + 1} +1 will be described. The degree of the feedback polynomial (primitive irreducible polynomial) of the linear feedback shift register that generates the M sequence is n. A non-linear binary random number sequence is generated by adding the above-mentioned non-linear function, which is a logic circuit, to this linear feedback shift register. The term "non-linearization" used herein means that the number of stages of an equivalent linear feedback shift register that generates a sequence is significantly larger than the original number n of stages.

A basic configuration of a binary random number generating circuit composed of n stages of linear feedback shift registers, n stages of key registers and a non-linear circuit is shown.

FIG. 1 shows. this

In FIG. 1, a non-linear circuit 5 realizes the non-linear function described above, that is, a non-linear function with a threshold value t = 2 ^d +1 d> 0 and the number of variables m = 2 ^{d + 1} +1. The contents of the key register 3 are constant. The linear feedback shift register 2 and the key register 3 are combined by a logical product 4 to form a random number generation circuit 1, and the logical product 4 of the linear feedback shift register 2 and the key register 3 is input to the nonlinear circuit 5. To be done.

The internal states of the linear feedback shift register 2 and the key register 3 are represented by n-dimensional vectors Y = (y ₁ , y _2, ..., Y _n ) and K = (k ₁ , k ₂ ,.
···, K _n ). For a key vector that is a constant vector, the formula

[Equation 9] Then, m = 2 ^{d + 1} + 1 ≦ n. However, d is an integer satisfying d ≧ 0. Formula

The non-linear function z is given by

[Equation 10] Transforms into. The key vector K is a constant vector, and the number m of 1's contained in it is (2 ^{d + 1} +
1). The element of the corresponding shift register vector Y of the linear feedback shift register 2 is taken out, and the m-dimensional vector X is newly defined as X = (x ₁ , x ₂ ,.
_m )

[Equation 10] is a mathematical formula

[Equation 11] And this formula

[Equation 11] is a mathematical formula

It is nothing but the condition that m = 2 ^{d + 1} +1 and t = 2 ^d +1 are added to m and the threshold value t of the equation (1).

By the way, it is known that the linear feedback that gives an equivalent output sequence, the minimum number of stages of the shift register 2, that is, the linear complexity depends on the degree of the polynomial expressing the nonlinearity. Threshold value t = 2 ^d + 1, m = 2
The degree of the polynomial in the case of ^{d + 1} +1 is 2 as described above.
^{It is d + 1} . Also, the linear complexity #L when n is an odd number
(n, degf) is the formula

[Equation 12] It is known to be given in. However, degf indicates the degree of the polynomial. Therefore,

1 shows the linear complexity of a binary sequence generated by the circuit according to the present invention shown in FIG.

[Equation 13] Given in.

This formula

When the specific numerical value of the linear complexity of the binary sequence given by [Equation 13] is selected such as n = 61 and d = 4,
Since the order is 2 ⁵ = 32, the linear complexity #L (n, degf)
Is the formula

[Numerical equation 14] It becomes as shown in. Therefore, to obtain a linearly equivalent polynomial, an output sequence of about 3.2 * 10 ¹⁸ bits is needed.
Furthermore, since the cycle length of this output sequence is 2 ⁶¹ −1 = 2.3 * 10 ¹⁸ , the required sequence length is about 1.4 times the total period.

The random number generated by the circuit of the present invention has a period p = 2 ⁿ −1 equal to the period of the linear feedback shift register 2 in addition to the above characteristics, and the number of 0 = The number of 1s = 2 for 2 ^n-1 −1
^It has the characteristic of being ^n-1 .

[0028]

Since the present invention has the above-mentioned structure, it has the following effects. Since the non-linear circuit is simply combined with the combination of the linear feedback shift register and the key register, the circuit configuration is extremely simple and, therefore, is extremely effective as a building block of the random number generation mechanism.

Since the obtained random number has a very large linear complexity, it is difficult to analyze it, and a statistically random high-quality random number sequence is generated. Therefore, a highly safe random number can be obtained. it can.

Since the non-linearization of random numbers is automatically and rapidly achieved by a non-linear circuit, encryption and decryption can be performed quickly and accurately, and thus highly secure cryptographic communication can be achieved quickly and accurately. it can.

[0031]

[Brief description of drawings]

FIG. 1 is a circuit diagram showing an embodiment of a basic circuit configuration of the present invention.

[Explanation of symbols]

 1; Random number source circuit 2; Linear feedback shift register 3; Key register 4; Logical product 5; Non-linear circuit

Claims (1)

[Claims] 1. A linear feedback shift register (2) for generating an M sequence having an nth order feedback polynomial.
Random number generation circuit (1) having an n-stage key register (3)
And a non-linear circuit (5) that inputs the logical product (4) of the linear feedback shift register (2) and the key register (3)
GF (2), which is a function of the nonlinear circuit (5)
The above m-variable nonlinear function z = f (x ₁ , x ₂ , ..., x _m ).
Using the threshold t, And a threshold value t is t = 2 ^d +1 (d> 0). Similarly, a random number generation circuit using a non-linear circuit in which the number of variables m is set to m = 2 ^{d + 1} +1.