12.07.2015

p-Adic Dynamical Systems and Cryptography - ABC stream cipher


p-Adic Dynamical Systems and Cryptography
Non-Archimedean View on T-functions

Vladimir Anashin
Russian State University for the Humanities
Faculty of Information Security

p-Adic Dynamical Systems and Cryptography – p. 1/65


T-functions: Where do they come from?

In 2002 Klimov and Shamir introduced to the crypto community a class of mappings they called T-functions:

$(\alpha_0^{\downarrow}, \alpha_1^{\downarrow}, \alpha_2^{\downarrow}, \ldots) \mapsto (\Phi_0(\alpha_0^{\downarrow}),\ \Phi_1(\alpha_0^{\downarrow}, \alpha_1^{\downarrow}),\ \Phi_2(\alpha_0^{\downarrow}, \alpha_1^{\downarrow}, \alpha_2^{\downarrow}),\ \ldots).$

Here $\alpha_i^{\downarrow} \in \mathbb{B}^m$ is a Boolean columnar $m$-dimensional vector; $\mathbb{B} = \{0, 1\}$; $\Phi_i\colon (\mathbb{B}^m)^{i+1} \to \mathbb{B}^n$ maps the $i+1$ Boolean columnar $m$-dimensional vectors $\alpha_0^{\downarrow}, \ldots, \alpha_i^{\downarrow}$ to the $n$-dimensional Boolean vector $\Phi_i(\alpha_0^{\downarrow}, \ldots, \alpha_i^{\downarrow})$.

These mappings are of interest for software-oriented ciphers, since both arithmetic and bitwise logical operations, which are basic instructions for most processors, are obviously T-functions.

In mathematics these mappings have been known for more than 30 years, and their mathematical theory is well developed. In different areas of mathematics they were studied under different names, for instance:
- triangle mappings, in the theory of Boolean functions;
- determined functions, in automata theory;
- compatible functions on the residue ring $\mathbb{Z}/2^n$, in algebra, etc.


T-functions: Where do they come from?

In the early 1990s the non-Archimedean theory of T-functions started, which treated T-functions as continuous mappings of the space $\mathbb{Z}_2$ of 2-adic integers.

In this talk we introduce some methods and results from this theory. These methods are of use for
- the design of fast and flexible stream ciphers based on T-functions, and for
- the study of important properties of these ciphers.


Stream encryption is easy!

Take a plain text $\alpha_0 \alpha_1 \alpha_2 \ldots$, add it modulo 2 ($\oplus$) to a key stream $\gamma_0 \gamma_1 \gamma_2 \ldots$, and get the encrypted text $\zeta_0 \zeta_1 \zeta_2 \ldots$


Stream encryption is easy!

To decrypt, take the encrypted text $\zeta_0 \zeta_1 \zeta_2 \ldots$, add it modulo 2 ($\oplus$) to the key stream $\gamma_0 \gamma_1 \gamma_2 \ldots$, and get the plain text $\alpha_0 \alpha_1 \alpha_2 \ldots$


Shannon's Theorem yields that the encryption is secure whenever one chooses the key stream at random.

And Kolmogorov's complexity theory says that it is impossible to produce a random sequence by a deterministic algorithm.

Could we use stream encryption on computers in a way other than storing huge amounts of key stream bits on hard drives?


We could.

Given a family $\mathcal{T}$ of statistical tests, a pseudorandom sequence (with respect to $\mathcal{T}$) is one that passes all the tests of $\mathcal{T}$.

Assuming an adversary can use only the tests of $\mathcal{T}$, he cannot distinguish a pseudorandom sequence from a truly random one. That is, an adversary cannot decrypt the message whenever the key stream is pseudorandom.

It is possible to produce a pseudorandom sequence by an algorithm, under some reasonable choices of $\mathcal{T}$.


Pseudorandom number generator

A PRNG produces a key stream:

state update: $x_{i+1} = f(x_i)$
output: $y_i = G(x_i)$

$f\colon A \to A$ is the state update function, $G\colon A \to B$ is the output function.


The sequence of internal states $\{x_i \in A\}$ of the PRNG is the sequence
$x_0,\ x_1 = f(x_0),\ \ldots,\ x_{i+1} = f(x_i) = f^{i+1}(x_0),\ \ldots$
The output sequence $\{y_i \in B\}$ satisfies the law
$y_i = G(x_i)$, $(i = 0, 1, 2, \ldots)$.

In classical stream ciphers a key is the initial state $x_0$. A key is the only information that is not known to an adversary.


Most often the set of internal states (the internal alphabet) $A$ is the set $\mathbb{B}^n$ of all $n$-bit words; the output alphabet $B$ is the set $\mathbb{B}^k$ of all $k$-bit words.

It is convenient to identify the set $\mathbb{B}^n$ with the residue ring $\mathbb{Z}/2^n$ via the natural one-to-one correspondence: to each $z \in \mathbb{Z}/2^n = \{0, 1, 2, \ldots, 2^n - 1\}$ there corresponds one and only one $n$-bit word of $\mathbb{B}^n$, the base-2 expansion of $z$:

$\mathbb{Z}/2^n \ni z = \zeta_0 + \zeta_1 \cdot 2 + \zeta_2 \cdot 2^2 + \cdots \longleftrightarrow \zeta_0 \zeta_1 \zeta_2 \ldots \in \mathbb{B}^n$


Why dynamical systems?

An autonomous dynamical system is a triple $\langle X, \mu, f \rangle$, where $X$ is a phase space (usually a metric space), $\mu$ is a measure on $X$ (e.g., a probabilistic one), and $f\colon X \to X$ is a measurable mapping (usually continuous).

A trajectory of the point $x_0$ is the sequence
$x_0,\ x_1 = f(x_0),\ \ldots,\ x_{i+1} = f(x_i) = f^{i+1}(x_0),\ \ldots$

Dynamical systems theory prompts a very natural approach: let $\langle X, \mu, f \rangle$ be a dynamical system with discrete time. Take a point $x_0 \in X$ as a key, and use the trajectory as a source of pseudorandomness.


To make this approach to stream cipher design meaningful, the following questions must be answered:
- How could one evaluate the trajectory on a digital computer?
- What will the performance be?
- How pseudorandom is the sequence so produced?
- Is the corresponding generator secure?


Any use of chaos?

Since the early 1990s intensive studies have been undertaken in chaos-based cryptography. The leading idea of the latter is quite natural:

Take a chaotic map $f$ and make it discrete!

The trajectory will hopefully look random since the mapping is chaotic (that is, sensitive to small perturbations of the initial state).


Bad news

Results of such a straightforward approach turned out to be rather disappointing:

Example. A discrete version of the doubling map (Bernoulli shift) $f(x) = (2 \cdot x) \bmod 1$, namely $x_{i+1} \equiv 2 \cdot x_i \pmod{2^n}$, becomes 0 after at most $n$ iterations!!!

One more example. A discrete version of the tent map $f(x) = 1 - 2 \cdot |x - \tfrac12|$ on $[0, 1]$ always falls into very short cycles, of length $n$ at most!!!

Yet another example. A discrete version of the logistic map $f(x) = 4 \cdot x \cdot (1 - x) \bmod 1$ becomes 0 after at most $n^2$ iterations!!!


L. Kocarev. Chaos-Based Cryptography: A Brief Overview (2001):

Despite a huge number of papers published in the field of chaos-based cryptography, the impact that this research has made on conventional cryptography is rather marginal. This is due to two reasons:
- First, almost all chaos-based cryptographic algorithms use dynamical systems defined on the set of real numbers, and therefore are difficult for practical realization and circuit implementation.
- Second, security and performance of almost all proposed chaos-based methods are not analyzed in terms of the techniques developed in cryptography. Moreover, most of the proposed methods generate cryptographically weak and slow algorithms.


Shujun Li. When Chaos Meets Computers (2004):

Digital computers are absolutely incapable of showing true long-time dynamics of some chaotic systems, including the tent map, the Bernoulli shift map and their analogues, even in a high-precision floating-point arithmetic. Although the results cannot be directly generalized to most chaotic systems, the risk of using digital computers to numerically study continuous dynamical systems is shown clearly. As a result, we reach the old saying that "it is impossible to do everything with computers only".


Despite these pessimistic conclusions of two of the key researchers in chaos-based cryptography, there are very promising developments in stream cipher design related to dynamical systems theory.

Surprisingly, these developments are related neither to real nor to complex, but to the non-Archimedean dynamical systems theory!


What is a good PRNG?

A cryptographic PRNG must meet the following conditions:
1. For (almost) all keys the output sequences must be pseudorandom (i.e., indistinguishable from a truly random sequence up to the tests of $\mathcal{T}$).
2. Given a segment $y_j, y_{j+1}, \ldots, y_{j+s-1}$ of the output sequence, finding the corresponding key must be infeasible (in some properly defined sense).
3. The PRNG must be suitable for software (or hardware) implementation; the performance must be sufficiently fast.


In other words:
1. The state update function $f$ must provide pseudorandomness; in particular, it must guarantee uniform distribution and a long period of the state update sequence $\{x_i\}$.
2. The output function $G$ must not spoil the pseudorandomness (in particular, the output sequence $\{y_i\}$ must be uniformly distributed and must have a long period); and moreover, $G$ must make the PRNG secure (in particular, given $y_i$, it must be difficult to find $x_i$ from the equation $y_i = G(x_i)$).
3. To make the PRNG suitable for software/hardware implementations, both $f$ and $G$ must be compositions of basic microprocessor instructions.


Designing a PRNG

To satisfy condition 1 (of 3) that a good secure PRNG must meet, one could take a state update function $f\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ with the single cycle property; that is, $f$ permutes the elements of $\mathbb{Z}/2^n$ cyclically. The state update sequence
$x_0,\ x_1 = f(x_0),\ \ldots,\ x_{i+1} = f(x_i) = f^{i+1}(x_0),\ \ldots$
of $n$-bit words will then have the longest possible period (of length $2^n$), and strictly uniform distribution; that is, each $n$-bit word will occur in the period exactly once.

To satisfy the first part of condition 2 one could take a balanced mapping $G\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^k$. That is, to each $k$-bit word the mapping $G$ maps the same number of $n$-bit words (hence $k \le n$). For $k = n$ balanced mappings are just invertible (that is, bijective, one-to-one) mappings. For $k \ll n$ balanced functions could be of use to satisfy the second part of condition 2, since the equation $y_i = G(x_i)$ then has too many solutions, namely $2^{n-k}$.

To satisfy condition 3, one must know how to construct single cycle (respectively, balanced) mappings out of basic microprocessor instructions, which include:
- integer arithmetic operations (addition, multiplication, ...);
- bitwise logical operations (OR, XOR, AND, NOT);
- machine operations (shifts, masking, sometimes cyclic shifts).

This could be done with the use of 2-adic analysis!
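To make the single cycle and balancedness conditions concrete, here is an added example in Python (not code from the slides): it checks both properties exhaustively on $\mathbb{Z}/2^n$ for small $n$, using as state update the mapping $x \mapsto x + (x^2\ \text{OR}\ 5) \bmod 2^n$, which is built only from addition, multiplication, OR and masking. That this mapping is a single cycle is the 2002 result of Klimov and Shamir and is not stated on this page; the code verifies it for the word sizes it enumerates, and includes the doubling map from the "Bad news" slide as the contrasting failure.

```python
# Added example (not from the slides): exhaustive checks of the single cycle and
# balancedness properties on Z/2^n for small n. The state update below is the
# Klimov-Shamir mapping x + (x*x OR 5) mod 2^n; that it is a single cycle for
# every n is their result, assumed here and verified for the sizes enumerated.

from typing import Callable, List

def klimov_shamir(x: int, n: int) -> int:
    """x + (x*x OR 5) reduced modulo 2^n: addition, multiplication, OR, masking."""
    mask = (1 << n) - 1
    return (x + ((x * x) | 5)) & mask

def doubling(x: int, n: int) -> int:
    """Discrete Bernoulli shift x -> 2x mod 2^n (the 'bad news' example)."""
    return (2 * x) & ((1 << n) - 1)

def cycle_length(f: Callable[[int, int], int], n: int, x0: int = 0) -> int:
    """Iterations until the trajectory of x0 first returns to x0, or 0 if it
    never does (the trajectory was absorbed by a cycle not containing x0)."""
    x, steps = f(x0, n), 1
    seen = {x0}
    while x != x0:
        if x in seen:          # looping without ever coming back to x0
            return 0
        seen.add(x)
        x = f(x, n)
        steps += 1
    return steps

def is_single_cycle(f: Callable[[int, int], int], n: int) -> bool:
    """f permutes Z/2^n cyclically iff the trajectory of 0 has period 2^n,
    i.e. every n-bit word appears exactly once per period."""
    return cycle_length(f, n, 0) == (1 << n)

def is_balanced(g: Callable[[int], int], n: int, k: int) -> bool:
    """G: Z/2^n -> Z/2^k is balanced iff every k-bit word has exactly 2^(n-k) preimages."""
    counts = {}
    for x in range(1 << n):
        y = g(x)
        counts[y] = counts.get(y, 0) + 1
    return len(counts) == (1 << k) and all(c == (1 << (n - k)) for c in counts.values())

def top_bits(n: int, k: int) -> Callable[[int], int]:
    """Output function G taking the k most significant bits of an n-bit state."""
    return lambda x: x >> (n - k)

def keystream(n: int, k: int, key: int, length: int) -> List[int]:
    """The PRNG of the slides: x_{i+1} = f(x_i), y_i = G(x_i), with x_0 = key."""
    g = top_bits(n, k)
    out, x = [], key & ((1 << n) - 1)
    for _ in range(length):
        out.append(g(x))
        x = klimov_shamir(x, n)
    return out

if __name__ == "__main__":
    for n in range(1, 13):
        print(n, is_single_cycle(klimov_shamir, n), cycle_length(doubling, n, 1))
    print(is_balanced(top_bits(8, 3), 8, 3))
    print(keystream(8, 3, 0x5A, 10))
```

Over one full period of the 8-bit state the 3-bit output takes every value exactly 32 times, which is the "does not spoil the pseudorandomness" requirement of condition 2 in its weakest, distributional, form.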


A more attentive look ...

Let $z = \delta_0(z) + \delta_1(z) \cdot 2 + \delta_2(z) \cdot 2^2 + \delta_3(z) \cdot 2^3 + \cdots$ be the base-2 expansion of $z \in \mathbb{N}_0$; then:
- $y\ \text{XOR}\ z = y \oplus z$ is bitwise addition modulo 2: $\delta_j(y\ \text{XOR}\ z) \equiv \delta_j(y) + \delta_j(z) \pmod 2$;
- $y\ \text{AND}\ z$ is bitwise multiplication modulo 2: $\delta_j(y\ \text{AND}\ z) \equiv \delta_j(y) \cdot \delta_j(z) \pmod 2$;
- $\lfloor z/2 \rfloor$ is a shift towards less significant bits;
- $2 \cdot z$ is a shift towards more significant bits;
- $y\ \text{AND}\ z$ is the masking of $z$ with the mask $y$;
- $z \bmod 2^k = z\ \text{AND}\ (2^k - 1)$ is the reduction of $z$ modulo $2^k$.


... and tiny observations

All basic chip operations, with the only exception of cyclic shifts, are well defined on the space $\mathbb{Z}_2$ of all 2-adic integers.

The space $\mathbb{Z}_2$ could be thought of as the set of all countably infinite binary sequences.

The following example proves that $\ldots 11111 = -1$ (the least significant digit is on the right; the sequence continues infinitely to the left):

      ... 1 1 1 1
  +   ... 0 0 0 1
  ---------------
      ... 0 0 0 0


Do you know that $\ldots 1010101 = -\tfrac13$?

        ... 0 1 0 1 0 1
  ×     ... 0 0 0 0 1 1
  ---------------------
        ... 0 1 0 1 0 1
  +     ... 1 0 1 0 1
  ---------------------
        ... 1 1 1 1 1 1

A calculator knows that too!


A short 2-adic tour

Sequences with only a finite number of 1's correspond to non-negative rational integers in their base-2 expansions: $\ldots 00011 = 3$.

Sequences with only a finite number of 0's correspond to negative rational integers: $\ldots 111100 = -4$.

Eventually periodic sequences correspond to rational numbers represented by irreducible fractions with odd denominators: $\ldots 1010101 = -\tfrac13$.

Sequences that are not (eventually) periodic correspond to no rational number: $\ldots 01111011101101$.

Distance: $d_2(u, v) = 2^{-k}$ iff $u \equiv v \pmod{2^k}$ and $u \not\equiv v \pmod{2^{k+1}}$. The longer the common initial segments of the sequences, the closer the points! The space $\mathbb{Z}_2$ is complete with respect to the 2-adic distance (metric) $d_2$, and compact.

As usual, the norm is $\|u\|_2 = d_2(u, 0)$. The higher the power of 2 that divides a 2-adic integer, the smaller the integer is!

Once distance and norm are defined, the notions of limits, convergent series, continuous functions, derivatives, etc., become meaningful:
$d_2(-1, 3) = \|(-1) - 3\|_2 = \|-4\|_2 = \tfrac{1}{2^2} = \tfrac14$;
$\lim_{n \to \infty} 2^n = 0$ (in the metric $d_2$);
$\ln(-3) = -\sum_{i=1}^{\infty} \frac{4^i}{i}$ is a 2-adic integer!
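The arithmetic on the three preceding slides (the additions proving $\ldots 1111 = -1$ and $\ldots 1010101 = -\tfrac13$, the distance $d_2$, the norm, and the series for $\ln(-3)$) can be checked to any finite precision, since a 2-adic integer is known to $k$ bits exactly when its residue modulo $2^k$ is. The following Python is an added example, not from the slides; the helper names (`v2`, `norm2`, `d2`, `two_adic`, `digits`, `ln_minus_3`) are this example's own, and the only values used are the slides' own numbers.

```python
# Added example (not from the slides): 2-adic integers handled at k bits of
# precision, i.e. through their residues modulo 2^k. The numbers are the ones
# on the slides (-1, -4, -1/3, the series for ln(-3)); helper names are ours.

from fractions import Fraction

def v2(x: int) -> int:
    """2-adic valuation of a nonzero integer: exponent of the highest power of 2 dividing x."""
    if x == 0:
        raise ValueError("v2(0) is infinite")
    return (x & -x).bit_length() - 1

def norm2(x: int) -> Fraction:
    """2-adic norm ||x||_2 = 2^(-v2(x)), with ||0||_2 = 0: more factors of 2 means smaller."""
    return Fraction(0) if x == 0 else Fraction(1, 1 << v2(x))

def d2(u: int, v: int) -> Fraction:
    """2-adic distance d_2(u, v) = ||u - v||_2: 2^-k iff u = v (mod 2^k) but not (mod 2^(k+1))."""
    return norm2(u - v)

def two_adic(q, k: int) -> int:
    """Residue modulo 2^k of a rational with odd denominator (such rationals are
    2-adic integers). The denominator is inverted modulo 2^k; even ones are rejected."""
    q = Fraction(q)
    if q.denominator % 2 == 0:
        raise ValueError("even denominator: not a 2-adic integer")
    mod = 1 << k
    return (q.numerator * pow(q.denominator, -1, mod)) % mod

def digits(x: int, k: int) -> str:
    """The k least significant binary digits of x, most significant first; the
    leading '...' marks that the 2-adic expansion continues to the left."""
    return "..." + format(x % (1 << k), "0{}b".format(k))

def ln_minus_3(k: int) -> int:
    """Partial sum of -sum_{i>=1} 4^i / i, reduced modulo 2^k. The i-th term has
    2-adic valuation 2i - v2(i) >= i, so the sums are stable modulo 2^k once
    i >= k: the series converges 2-adically although it diverges over the reals."""
    total = Fraction(0)
    for i in range(1, k + 1):
        total -= Fraction(4 ** i, i)
    return two_adic(total, k)

if __name__ == "__main__":
    k = 12
    print(digits(-1, k), digits(-4, k), digits(two_adic("-1/3", k), k))
    print(d2(-1, 3), norm2(2 ** 20))                     # 1/4 and 1/1048576
    print(digits(3 * two_adic("-1/3", k), k))            # ...111111, i.e. -1
    print(digits(ln_minus_3(k), k))
```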


More observations

Basic chip operations (with the exception of cyclic shifts) are well defined continuous $\mathbb{Z}_2$-valued functions of 2-adic integer arguments.

Moreover, all the mentioned functions (with the exception of those defined by shifts towards less significant bits) satisfy the Lipschitz condition with coefficient 1 with respect to the 2-adic metric.

All compositions $F$ of basic chip instructions (with the exceptions of cyclic shifts and shifts towards less significant bits) satisfy the Lipschitz condition with coefficient 1:
$\|F(a) - F(b)\|_2 \le \|a - b\|_2$


Terminology notes

The condition
$F(a) \equiv F(b) \pmod{2^k}$ whenever $a \equiv b \pmod{2^k}$
is equivalent to the condition
$\|F(a) - F(b)\|_2 \le \|a - b\|_2$.
That is, $F$ satisfies the Lipschitz condition with coefficient 1 iff $F$ is a compatible mapping of the ring $\mathbb{Z}_2$ into itself.

'Compatible' is an algebraic term. In cryptography one speaks of 'T-functions on $n$-bit words' instead of 'compatible mappings of the residue ring $\mathbb{Z}/2^n$ into itself'.

This is a univariate T-function $F$:
$(\chi_0, \chi_1, \chi_2, \ldots) \overset{F}{\mapsto} (\psi_0(\chi_0);\ \psi_1(\chi_0, \chi_1);\ \psi_2(\chi_0, \chi_1, \chi_2);\ \ldots).$
Here $\chi_j \in \{0, 1\}$, and each $\psi_j(\chi_0, \ldots, \chi_j)$ is a Boolean function in the Boolean variables $\chi_0, \ldots, \chi_j$. Thus, $F$ sends a number with the base-2 expansion
$\chi_0 + \chi_1 \cdot 2 + \chi_2 \cdot 2^2 + \cdots$
to the number with the base-2 expansion
$\psi_0(\chi_0) + \psi_1(\chi_0, \chi_1) \cdot 2 + \psi_2(\chi_0, \chi_1, \chi_2) \cdot 2^2 + \cdots$


Yet another observation
We conclude: T-functions on $n$-bit words are just approximations of 2-adic compatible functions (i.e., functions that satisfy the Lipschitz condition with coefficient 1) up to precision $2^{-n}$ with respect to the 2-adic metric. That is, a T-function on $n$-bit words is just the reduction modulo $2^n$ of a 2-adic function that satisfies the Lipschitz condition with coefficient 1.
To study properties of compatible functions (hence properties of T-functions) one may use 2-adic analysis, since compatible functions are continuous.
In addition to the basic chip operations, to construct compatible functions one may also use subtraction, division by an odd integer, and exponentiation of an odd integer.


Wild functions
For instance, a computer evaluates the following wild-looking function correctly, up to the best 2-adic precision it can achieve ($2^{-n}$ on $n$-bit words):
$$g(x) = \frac{\Bigl(1 - 2 \cdot \dfrac{(8x \ \mathrm{AND}\ x^2) + (x^3 \ \mathrm{OR}\ x^4)}{9 + 10x}\Bigr)^{7 - 8x}}{3 - 4 \cdot (5 + 6x^5)^{\,x^6 \ \mathrm{XOR}\ x^7}}$$
Every denominator and every base of an exponent here is odd, which is exactly what keeps the division and the exponentiation well defined and compatible on $\mathbb{Z}_2$.


The virtual world is the non-Archimedean world!
All triangles are isosceles!
Every point inside a circle is a center of the circle!


Important: there is a tight connection between the invertibility property / single-cycle property of T-functions and the metric properties of the corresponding 2-adic functions.


More 2-adic analysis
The space $\mathbb{Z}_2$ is a measurable space endowed with a natural probabilistic measure, the normalized Haar measure $\mu_2$. Namely, the set $a + 2^k \mathbb{Z}_2$, i.e., the set of all 2-adic integers that are congruent to $a$ modulo $2^k$, is a ball of radius $2^{-k}$. By definition, the volume of this ball is $\mu_2(a + 2^k \mathbb{Z}_2) = 2^{-k}$.
A mapping $F\colon \mathbb{S} \to \mathbb{S}$ of a measurable space $\mathbb{S}$ with a probabilistic measure $\mu$ is said to preserve the measure $\mu$ (or to be $\mu$-preserving) iff $\mu(F^{-1}(S)) = \mu(S)$ for every measurable subset $S \subset \mathbb{S}$. A $\mu$-preserving mapping $F$ is said to be ergodic iff $\mu(S) = 1$ or $\mu(S) = 0$ for every measurable $S$ such that $F^{-1}(S) \subset S$. Loosely speaking, an invariant set of an ergodic mapping is either nothing or everything.


Using 2-adic analysis
A compatible mapping $F\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is said to be bijective (resp., transitive) modulo $2^k$ iff the induced mapping $x \mapsto F(x) \bmod 2^k$ is a permutation (resp., a permutation with a single cycle) on $\mathbb{Z}/2^k$.
Theorem 1. (Anashin, 2002) A compatible mapping $F\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is bijective (accordingly, transitive) modulo $2^k$ for all $k = 1, 2, 3, \dots$ iff it is measure-preserving (accordingly, ergodic) with respect to the normalized Haar measure $\mu_2$ on $\mathbb{Z}_2$.
In short: measure preservation = invertibility (mod $2^k$) for all $k \in \mathbb{N}$; ergodicity = single-cycle property (mod $2^k$) for all $k \in \mathbb{N}$.


Important: thus ergodic functions could serve as state update functions, whereas measure-preserving functions could serve as output functions of the PRNG.
We must know how to construct ergodic/measure-preserving functions out of basic chip instructions.


Using 2-adic analysis once again
To construct measure-preserving/ergodic functions, very often one can use the following effect, which is due to the '2-adic smoothness' of compatible functions: a compatible function $F\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is measure-preserving/ergodic iff the corresponding T-function $F \bmod 2^n$ on $n$-bit words (which is merely an approximation of $F$ with precision $1/2^n$) is invertible/has the single-cycle property, for a suitable $n$ that depends on $F$.
For crypto matters this gives: to verify whether a T-function is invertible/has the single-cycle property on $N$-bit words (where $N$ is big), one should check whether it is invertible/has the single-cycle property on $n$-bit words, where $n$ is often rather small!


Using 2-adic derivations
Theorem 2. (Anashin, 1993) Let a compatible function $F\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ be uniformly differentiable on $\mathbb{Z}_2$. Then $F$ is ergodic if and only if it is transitive modulo $2^{N_2(F) + 2}$. Here $N_2(F)$ is such that
$$\Bigl\| \frac{F(x + h) - F(x)}{h} - F'(x) \Bigr\|_2 \le \frac14 \quad\text{whenever}\quad \|h\|_2 \le 2^{-N_2(F)} .$$
Example. (Klimov and Shamir, 2002) The function $x + (x^2 \ \mathrm{OR}\ 5)$ is ergodic.
Note: In their publication Klimov and Shamir write that "...neither the invertibility nor the cycle structure of $x + (x^2 \ \mathrm{OR}\ 5)$ could be determined by his (i.e., Anashin's) techniques." Quite the opposite, this could be easily determined by these techniques:
Proof. The function $F(x) = x + (x^2 \ \mathrm{OR}\ 5)$ is uniformly differentiable on $\mathbb{Z}_2$: $F'(x) = 1 + 2x \cdot (y \ \mathrm{OR}\ 5)'\big|_{y = x^2} = 1 + 2x$, and $N_2(F) = 3$, since obviously $(y + h) \ \mathrm{OR}\ 5 = (y \ \mathrm{OR}\ 5) + h$ whenever $h \equiv 0 \pmod 8$. Now to prove that $F$ is ergodic, in view of the above theorem it suffices to demonstrate that $F$ induces a permutation with a single cycle on $\mathbb{Z}/32$. One verifies this by direct calculation.


How to determine ergodic functions?
The following results, as well as the preceding ones, remain true (with some minor exceptions) for an arbitrary prime $p$.
Any continuous function $F\colon \mathbb{Z}_p \to \mathbb{Z}_p$ can be represented by Mahler's interpolation series $F(x) = \sum_{j=0}^{\infty} c_j \binom{x}{j}$ for suitable $c_j \in \mathbb{Z}_p$. Recall
$$\binom{x}{i} = \begin{cases} \dfrac{x(x-1)\cdots(x-i+1)}{i!}, & i = 1, 2, \dots; \\[4pt] 1, & i = 0. \end{cases}$$
An attempt to find an answer in terms of Mahler's interpolation series looks quite natural!
Theorem 3. (Anashin, 1993) For $p = 2$ the function $F\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is compatible and ergodic iff
$$F(x) = 1 + x + \sum_{i=1}^{\infty} c_i \cdot p^{\lfloor \log_p (i+1) \rfloor + 1} \binom{x}{i}$$
for suitable $c_i \in \mathbb{Z}_p$. (Note: for $p \ne 2$ the condition remains sufficient but is not necessary.)


Examples
For $p = 2$ the following is true:
(Larin, early 1980s; published 2002) A polynomial with integer coefficients is ergodic iff it is transitive modulo 8.
(Anashin, 1993) The function $F(x) = a_0 + b_1 \cdot (x \oplus a_1) + b_2 \cdot (x \oplus a_2) + \cdots$ is ergodic iff it is transitive modulo 4.
(Anashin, 1993) The function $F(x) = a + a_0 \cdot \delta_0(x) + a_1 \cdot \delta_1(x) + \cdots$ is compatible and ergodic iff $\|a\|_2 = 1$, $a_0 \equiv 1 \pmod 4$, and $\|a_j\|_2 = 2^{-j}$ for $j = 1, 2, \dots$. Here, we recall, $\delta_j(x) = \frac{1}{2^j}(x \ \mathrm{AND}\ 2^j)$ is the $j$-th bit in the base-2 expansion of $x$ (enumeration starts with $j = 0$). In other words, a compatible function $b + b_0 \cdot (x \ \mathrm{AND}\ 1) + b_1 \cdot (x \ \mathrm{AND}\ 2) + b_2 \cdot (x \ \mathrm{AND}\ 2^2) + \cdots$ is ergodic iff $b \equiv 1 \pmod 2$, $b_0 \equiv 1 \pmod 4$, and $b_j \equiv 1 \pmod 2$ for all $j = 1, 2, 3, \dots$ (the two conditions agree since $a_j = 2^j b_j$).
(Anashin, 1993) For arbitrary polynomials $u(x), v(x) \in \mathbb{Z}_2[x]$ the entire function $F(x) = \dfrac{v(x)}{2 \cdot u(x) + 1}$ is ergodic iff it is transitive modulo 8.
(Kotomina, 1999) The function $f(x) = (\dots((((x + c_0) \oplus d_0) + c_1) \oplus d_1) + \cdots + c_m) \oplus d_m$ is ergodic iff $f$ is transitive modulo 4.
(Anashin, 2002) The function $F(x) = a \cdot x + a^x$ is ergodic iff $a$ is odd.
(Anashin, 2002) A polynomial $f(x) \in \mathbb{Q}[x]$ of degree $d$ with rational (and not necessarily integral) coefficients is integer-valued (i.e., $f(\mathbb{Z}_2) \subset \mathbb{Z}_2$), compatible, and ergodic iff $f$ takes integral values at the points $0, 1, \dots, 2^{\lfloor \log_2 d \rfloor + 3} - 1$, and the mapping $z \mapsto f(z) \bmod 2^{\lfloor \log_2 d \rfloor + 3}$ is compatible and transitive on $\mathbb{Z}/2^{\lfloor \log_2 d \rfloor + 3}$ (i.e., modulo the biggest power of 2 not exceeding $8d$). That is, to verify whether all three properties hold simultaneously, one has to make approximately $8d$ evaluations of $f(x)$.


Explicit formulae
The following theorem gives a general construction that enables one to build all ergodic mappings out of compatible ones.
Theorem 4. (Anashin, 2002) Denote $\Delta U(x) = U(x + 1) - U(x)$. For $p = 2$ the function $F\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is compatible and ergodic $\Leftrightarrow$ $F(x) = 1 + x + p \cdot \Delta U(x)$, where $U\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is an arbitrary compatible function.
Note. For $p \ne 2$ only $\Leftarrow$ is true.
Note. Recall that any composition of basic microchip operations (without cyclic shifts, and shifts towards less significant bits) is a compatible function on $\mathbb{Z}_2$!
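The 'check it on small n' recipe of the preceding slides, in code. The following Python is an added example, not code from the slides or from Anashin: it implements the compatibility test (is $f$ a T-function?), the bijectivity and single-cycle tests modulo $2^k$, and applies them to Klimov and Shamir's $x + (x^2 \ \mathrm{OR}\ 5)$ (Theorem 2 with $N_2(F) = 3$ reduces ergodicity to one check modulo 32), to a polynomial (Larin: check modulo 8) and to a function built by Theorem 4 from an arbitrary compatible $U$. The constant-3 variant and the particular $U$ are constructed here for contrast and are not from the slides.

```python
"""Checking T-function properties on small word sizes (added example)."""
from typing import Callable, List

IntFn = Callable[[int], int]


def is_compatible(f: IntFn, n: int) -> bool:
    """Compatibility (Lipschitz condition with coefficient 1) checked on n-bit words:
    f(x) mod 2^k may depend only on x mod 2^k.  The residue class of x modulo 2^k is
    generated by adding 2^k, so comparing f(x) with f(x + 2^k) is enough."""
    for k in range(1, n + 1):
        mod = 1 << k
        for x in range(1 << n):
            if (f(x + mod) - f(x)) % mod:
                return False
    return True


def is_bijective_mod(f: IntFn, k: int) -> bool:
    """f induces a permutation of Z/2^k (measure preservation, seen modulo 2^k)."""
    mod = 1 << k
    return len({f(x) % mod for x in range(mod)}) == mod


def is_transitive_mod(f: IntFn, k: int) -> bool:
    """f induces a single 2^k-cycle on Z/2^k: the orbit of 0 visits every residue
    exactly once and then returns to 0 (ergodicity, seen modulo 2^k)."""
    mod = 1 << k
    x, seen = 0, set()
    for _ in range(mod):
        if x in seen:
            return False
        seen.add(x)
        x = f(x) % mod
    return x == 0


def transitive_up_to(f: IntFn, n: int) -> List[bool]:
    """Transitivity modulo 2^1, ..., 2^n; for an ergodic function every entry is True."""
    return [is_transitive_mod(f, k) for k in range(1, n + 1)]


def klimov_shamir(x: int) -> int:
    """x + (x^2 OR 5), the slides' example; by Theorem 2 with N_2(F) = 3 it is
    ergodic iff transitive modulo 2^(3+2) = 32."""
    return x + ((x * x) | 5)


def klimov_shamir_bad(x: int) -> int:
    """Constructed contrast case (not from the slides): x + (x^2 OR 3) is invertible
    and even transitive modulo 4, but not modulo 8, hence not ergodic."""
    return x + ((x * x) | 3)


def from_theorem4(U: IntFn) -> IntFn:
    """Theorem 4: F(x) = 1 + x + 2*(U(x+1) - U(x)) is ergodic for every compatible U."""
    return lambda x: 1 + x + 2 * (U(x + 1) - U(x))


def larin_poly(x: int) -> int:
    """6x^2 + 7x + 3, which is from_theorem4(x -> x^3) multiplied out.  Larin's
    criterion: a polynomial with integer coefficients is ergodic iff transitive mod 8."""
    return 6 * x * x + 7 * x + 3


def example_U(x: int) -> int:
    """A composition of chip instructions (multiplication, OR, XOR), hence compatible;
    chosen arbitrarily for this example."""
    return (x * x) ^ ((3 * x) | 7)


if __name__ == "__main__":
    print("x+(x^2 OR 5): T-function", is_compatible(klimov_shamir, 8),
          "| transitive mod 32", is_transitive_mod(klimov_shamir, 5))
    print("x+(x^2 OR 3): transitive mod 2,4,8 ->", transitive_up_to(klimov_shamir_bad, 3))
    print("6x^2+7x+3: transitive mod 8", is_transitive_mod(larin_poly, 3))
    print("Theorem 4 instance:", transitive_up_to(from_theorem4(example_U), 8))
```

The constant-3 variant is the reason the slides insist on checking modulo $2^{N_2(F)+2}$ rather than modulo a smaller power: it passes the single-cycle test on 2-bit words and fails on 3-bit words.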


Usage
The presented results concern non-Archimedean autonomous dynamical systems on $\mathbb{Z}_2$, which are not chaotic, only ergodic. In fact, these systems are not sensitive to minor perturbations of the initial position; moreover, they are isometries of the space $\mathbb{Z}_2$.
Yet these dynamical systems are good for state update functions of the PRNG, since they satisfy the conditions we mentioned before. Moreover, with state update functions of this kind one could design flexible PRNGs, where not only the initial state but also the state update function depends on the key.
The flip side of compatibility has to be kept in mind when the output function is designed: reduction modulo $2^k$ commutes with iteration, so the $k$ least significant bits of the state evolve on their own, with period exactly $2^k$ for an ergodic update; the low-order bits of the state are therefore far less random than the high-order ones.
A similar theory is developed for measure-preserving mappings, which are good for output functions (we have to omit the details due to time constraints). Altogether, these ideas lead to fast and flexible stream ciphers.


Adding flexibility... and security
A counter-dependent PRNG also produces pseudorandom sequences. See the difference from an ordinary PRNG?
[Figure: the state update $f_i$ and the output function $G_i$ both carry the step index $i$]
state update: $x_{i+1} = f_i(x_i)$
output: $y_i = G_i(x_i)$


Dynamical systems revisited
Recall that an ordinary PRNG corresponds to an autonomous dynamical system.
This is a non-autonomous dynamical system, which is the counterpart of a counter-dependent PRNG in dynamics. A non-autonomous dynamical system is a dynamical system driven by another dynamical system.
A theory similar to the preceding one is developed for counter-dependent PRNGs. The main tool to construct a counter-dependent PRNG that outputs a sequence of maximum period length is a skew shift.


Skew shifts, wreath products, etc.
What is a skew shift?
Given a mapping $U\colon Z \to Z$ and a set of mappings $V = \{V_z\colon X \to X \;:\; z \in Z\}$, a skew shift (or a skew product, or a wreath product) is the mapping
$$U \ltimes V\colon (z, x) \mapsto (U(z), V_z(x))$$
of the Cartesian product $Z \times X$ into itself.
Obviously, the skew shift $U \ltimes V$ is bijective whenever both $U$ and all $V_z$ are bijective.
Skew shifts are familiar to the crypto community; recall the Feistel network: the round mapping it is based on is the skew shift $(z, x) \mapsto (z, x \oplus f(z))$, where $z, x \in \mathbb{B}^n$, $f\colon \mathbb{B}^n \to \mathbb{B}^n$ (here $U$ is the identity and every $V_z$ is the involution $x \mapsto x \oplus f(z)$, which is why the round is invertible for any $f$).
Skew shifts (in dynamical systems theory), also known under the name of wreath products (in group theory, in automata theory), are often used to obtain new objects with desirable properties out of given objects with known properties.


Using the skew shifts
Theorem 5. (Anashin, 2004) Let $F = \{f_0, \dots, f_{m-1}\}$ be a finite sequence of compatible measure-preserving mappings of $\mathbb{Z}_2$ onto itself such that
(i) the sequence $\{f_{i \bmod m}(0) \bmod 2 \;:\; i = 0, 1, 2, \dots\}$ is purely periodic, and its shortest period is of length $m$;
(ii) $\sum_{i=0}^{m-1} f_i(0) \equiv 1 \pmod 2$;
(iii) $\sum_{j=0}^{m-1} \sum_{z=0}^{2^t - 1} \bigl(f_j(z) - z\bigr) \equiv 2^t \pmod{2^{t+1}}$ for all $t = 1, 2, \dots$.
(Sanity check of (iii): for $m = 1$ and $f(x) = x + 1$ the left-hand side is exactly $2^t$, as required; summing $f_j(z)$ alone instead of the increments $f_j(z) - z$ would give $2^{t-1}(2^t + 1)$, which is never $\equiv 2^t \pmod{2^{t+1}}$.)
Then the recurrence sequence $Z$ defined by the relation $x_{i+1} = f_{i \bmod m}(x_i)$ is strictly uniformly distributed modulo $2^n$ for all $n = 1, 2, \dots$: that is, modulo each $2^n$ the sequence $Z$ is purely periodic, its shortest period is of length $2^n m$, and each element of $\mathbb{Z}/2^n$ occurs in the period exactly $m$ times.

Example. Given 2-adic integers $c_0, \dots, c_{m-1} \in \mathbb{Z}_2$, $m > 1$ odd, and compatible ergodic mappings (= T-functions with the single-cycle property) $h_0, \dots, h_{m-1}$, which either could be stored in memory or could be produced on the fly out of basic chip instructions (see e.g. Theorem 4). The sequence $\{x_{i+1} = f_{i \bmod m}(x_i)\}$ of internal states of a counter-dependent PRNG is periodic modulo $2^n$ and strictly uniformly distributed modulo $2^n$ (that is, each $a \in \mathbb{Z}/2^n$ occurs in the period the same number of times), and the length of its shortest period is $m \cdot 2^n$ (that is, the maximum possible), if
the sequence $\{c_{i \bmod m} \bmod 2 \;:\; i = 0, 1, 2, \dots\}$ is periodic, and $m$ is the length of its shortest period;
$\sum_{j=0}^{m-1} c_j \equiv 0 \pmod 2$;
$f_j(x) = c_j \oplus h_j(x)$, or $f_j(x) = c_j + h_j(x)$.
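A counter-dependent generator of exactly this shape, as an added example (Python; not code from the slides or from the ABC designers): $m = 3$ ergodic $h_j$ (the Klimov-Shamir map and two Theorem 4 instances, chosen here), $f_j = c_j + h_j$, the skew shift $(i \bmod m, x) \mapsto (i + 1 \bmod m, f_i(x))$ with the counter driving the state update, a check of the three sufficient conditions just listed, and a brute-force measurement of the period and of the distribution modulo $2^n$ for small $n$. The parameters $c = (0, 1, 1)$ and the failing alternative $c = (0, 0, 0)$ are constructed for illustration.

```python
"""Counter-dependent generator as a skew shift (added example)."""
from collections import Counter
from typing import Callable, Dict, Sequence, Tuple

IntFn = Callable[[int], int]


def from_theorem4(U: IntFn) -> IntFn:
    """Theorem 4: 1 + x + 2*(U(x+1) - U(x)) is ergodic whenever U is compatible."""
    return lambda x: 1 + x + 2 * (U(x + 1) - U(x))


# Ergodic h_j chosen for this example: the Klimov-Shamir map and two Theorem-4 instances.
H = [
    lambda x: x + ((x * x) | 5),
    from_theorem4(lambda x: x * x),        # = 5x + 3
    from_theorem4(lambda x: x * x * x),    # = 6x^2 + 7x + 3
]


def conditions_hold(cs: Sequence[int]) -> bool:
    """Sufficient conditions from the example: m odd, the parity pattern c_j mod 2 has
    shortest period exactly m, and the c_j sum to an even number."""
    m = len(cs)
    parity = [c % 2 for c in cs]
    shortest = min(d for d in range(1, m + 1)
                   if m % d == 0 and parity == parity[:d] * (m // d))
    return m % 2 == 1 and shortest == m and sum(cs) % 2 == 0


def period_and_histogram(cs: Sequence[int], hs: Sequence[IntFn], n: int,
                         x0: int = 0) -> Tuple[int, Dict[int, int]]:
    """Run x_{i+1} = c_{i mod m} + h_{i mod m}(x_i) modulo 2^n, i.e. the skew shift
    (i, x) -> (i + 1 mod m, f_i(x)).  Returns the shortest period of the state
    sequence and how often each residue occurs within one period."""
    m, mask = len(cs), (1 << n) - 1
    xs, i, x = [], 0, x0 & mask
    for _ in range(m * (1 << n)):            # the joint state space has m * 2^n points
        xs.append(x)
        x = (cs[i] + hs[i](x)) & mask        # & mask reduces modulo 2^n (also for negatives)
        i = (i + 1) % m
        if i == 0 and x == xs[0]:            # joint state back at the start
            break
    else:
        raise ValueError("state update is not a permutation of (Z/m) x (Z/2^n)")
    L = len(xs)
    # The shortest period of a purely periodic sequence divides every period: test divisors of L.
    period = next(d for d in range(1, L + 1)
                  if L % d == 0 and all(xs[t] == xs[(t + d) % L] for t in range(L)))
    return period, dict(Counter(xs[:period]))


if __name__ == "__main__":
    good, bad = (0, 1, 1), (0, 0, 0)
    print("conditions:", conditions_hold(good), conditions_hold(bad))
    p, hist = period_and_histogram(good, H, 6)
    print("c=(0,1,1), n=6: period", p, "of max", 3 * 64, "| counts", sorted(set(hist.values())))
    print("c=(0,0,0), n=1: period", period_and_histogram(bad, H, 1)[0], "of max", 3 * 2)
```

With $c = (0, 0, 0)$ condition (i) fails, since all three $f_j(0) = h_j(0)$ are odd and the parity pattern has period 1 rather than 3; already modulo 2 the state then alternates with period 2 instead of $3 \cdot 2 = 6$.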


Example circuit
[Figure: the counter $c_i$ is advanced by $L$; the state update adds $c_i$ to $h_i(x_i)$; the output function $G_i$ reads the state]
$c_{i+1} = L(c_i)$
$x_{i+1} = c_i + h_i(x_i)$
$y_i = G_i(x_i)$
$L(c) = 2 \cdot c \oplus u \cdot \delta_{n-1}(c)$, where the word $u$ is given by the coefficients of the feedback polynomial $u$ (an LFSR on $n$-bit words: shift left by one bit and XOR in $u$ when the top bit was set).


The ABC stream cipher: 6 Gbits/sec
[Figure: the counter $c_i = (c_{i,l};\ c_{i,r})$ is updated by the LFSR $L$; its right half $c_{i,r}$ is added to $h(x_i)$ to form the next state; the output function $S$ (in the second variant $\hat S$) is added to the plaintext stream to produce the encrypted text stream]
$c_{i+1} = L(c_i)$
$x_{i+1} = c_{i,r} + h(x_i)$
$h(x) = ((((x + a_0) \oplus b_0) + a_1) \oplus b_1) + a_2$ in the first variant shown (a function of Kotomina's form, ergodic iff transitive modulo 4); $h(x) = a + b \cdot (x \oplus a_1)$ in the second variant
$S(x) = d + \sum_{j=0}^{n-1} d_j \cdot \delta_{n-j-1}(x)$
$\hat S(x) = (S(x)) \dots$


The ABC stream cipher: Properties.
The following is proved:
The length $P$ of the period of the output sequence is $(2^{2n-1} - 1) \cdot 2^n$.
$n$-tuples of the output are uniformly distributed:
$$\Bigl| \frac{\mu(a)}{P} - \frac{1}{2^n} \Bigr| < \frac{1}{\sqrt{P}},$$
where $\mu(a)$ is the number of occurrences of an $n$-tuple $a \in \mathbb{Z}/2^n$ in the period. Note: for a truly random sequence of $n$-bit words of length $P$ the above inequality holds with probability $> 1 - \frac{1}{2^n}$.
The linear complexity (over $\mathbb{Z}/2$) of the output sequence exceeds $2^{n-1}$.


How random is the output?
Frequency tests are those that consider occurrences of (overlapping) $l$-tuples in a binary output.
That is, given a sequence $X = x_0, x_1, x_2, \dots$ of non-negative rational integers, one represents each $x_i \bmod 2^n$ as an $n$-bit word (the base-2 expansion of $x_i \bmod 2^n$), considers the concatenation
$$X'_n = (x_i \bmod 2^n)\,(x_{i+1} \bmod 2^n)\,(x_{i+2} \bmod 2^n) \dots$$
and counts occurrences of the patterns $0, 1, 00, 01, 10, 11, 000, 001, \dots$. For a good sequence all these distributions must agree with those of a truly random sequence. Obviously, this never holds exactly for a periodic sequence.


Randomness by Knuth

Donald Knuth in his "The Art of Computer Programming" calls a finite binary sequence of length $T$ random whenever it satisfies the following condition:

$$\left| \frac{\nu(\beta_0 \dots \beta_{l-1})}{T} - \frac{1}{2^l} \right| \le \frac{1}{\sqrt{T}}$$

for all $0 < l \le \log_2 T$, where $\nu(\beta_0 \dots \beta_{l-1})$ is the number of occurrences of the pattern $\beta_0 \dots \beta_{l-1}$ in the sequence. So it is quite natural to say that a periodic sequence is random in the sense of Knuth iff its shortest period satisfies the above condition.

Note that uniform distribution of the sequence $X$ does not imply that $X'_n$ is random in the sense of Knuth!

The sequences produced by our generators of the (maximum possible) period length $T$ are random in the sense of Knuth.
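Knuth's criterion in runnable form, applied to the concatenated output $X'_n$ of one period of a single-cycle T-function (an added example, not code from the slides). The generator, $x_{i+1} = x_i + (x_i^2 \mathbin{\mathrm{OR}} 5) \bmod 2^n$, and the two constructed reference sequences are assumptions; the bound is checked in exact integer arithmetic, counting tuples cyclically over one period as the slide proposes.

```python
"""Knuth's randomness criterion applied to the concatenated output X'_n.

Added example, not code from the slides. It counts cyclic overlapping
l-tuples over a period of length T and checks
|nu(beta_0...beta_{l-1})/T - 1/2^l| <= 1/sqrt(T) for all 0 < l <= log2 T.
The generator used for X'_n is an assumption: x_{i+1} = x_i + (x_i^2 OR 5)
mod 2^n, the Klimov-Shamir single-cycle T-function quoted later in the slides.
"""

import math
from collections import Counter


def pattern_counts(bits, l):
    """nu(beta) for every l-bit pattern beta that occurs, counting the
    sequence cyclically so that a purely periodic sequence is judged by
    one shortest period (as the slides propose)."""
    T = len(bits)
    counts = Counter()
    for i in range(T):
        counts[tuple(bits[(i + t) % T] for t in range(l))] += 1
    return counts


def knuth_random(bits):
    """True iff the finite binary sequence is random in the sense of Knuth.

    |nu/T - 2^-l| <= 1/sqrt(T) is rewritten as (nu*2^l - T)^2 <= T*4^l so
    that no floating-point comparison is needed."""
    T = len(bits)
    max_l = int(math.log2(T))
    for l in range(1, max_l + 1):
        counts = pattern_counts(bits, l)
        for beta in range(1 << l):
            pattern = tuple((beta >> (l - 1 - t)) & 1 for t in range(l))
            nu = counts[pattern]  # 0 for patterns that never occur
            if (nu * (1 << l) - T) ** 2 > T * (1 << (2 * l)):
                return False
    return True


def t_function_period(n, x0=0):
    """One full period of x_{i+1} = x_i + (x_i^2 OR 5) mod 2^n (2^n words,
    since this T-function has the single cycle property)."""
    mask = (1 << n) - 1
    words, x = [], x0
    for _ in range(1 << n):
        words.append(x)
        x = (x + ((x * x) | 5)) & mask
    return words


def concatenated_output(n, x0=0):
    """X'_n: the n-bit base-2 expansions of x_i mod 2^n, most significant
    bit first, concatenated over one period (T = n * 2^n bits)."""
    bits = []
    for x in t_function_period(n, x0):
        bits.extend((x >> j) & 1 for j in range(n - 1, -1, -1))
    return bits


# Constructed reference inputs: a de Bruijn sequence B(2, 4) contains every
# 4-bit pattern exactly once per period, so it meets Knuth's bound with
# deviation 0; the alternating sequence fails already at l = 3.
DE_BRUIJN_16 = [int(c) for c in "0000100110101111"]
ALTERNATING_16 = [0, 1] * 8

if __name__ == "__main__":
    print("de Bruijn:", knuth_random(DE_BRUIJN_16))      # True
    print("alternating:", knuth_random(ALTERNATING_16))  # False
    print("X'_5 of x + (x^2 | 5):", knuth_random(concatenated_output(5)))
```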


Linear complexity

Linearity tests are those that consider linear dependencies in the sequence.

Definition. Let $Z = \{z_i\}$ be a sequence over a ring $R$. The linear complexity $\lambda_R(Z)$ of $Z$ over $R$ is the smallest $r \in \mathbb{N}_0$ such that there exist $c, c_0, c_1, \dots, c_{r-1} \in R$ (not all equal to 0) such that for all $i = 0, 1, 2, \dots$ holds

$$c + \sum_{j=0}^{r-1} c_j \cdot z_{i+j} = 0.$$

For instance, if $R = \mathbb{Z}/p^n$, then geometrically this equation means that all the points $\left(\frac{z_i}{p^n}, \frac{z_{i+1}}{p^n}, \dots, \frac{z_{i+r-1}}{p^n}\right)$, $i = 0, 1, 2, \dots$, of the unit $r$-dimensional Euclidean hypercube fall into parallel hyperplanes.

In fact, linearity tests turn out to be among the most effective. For example, linear congruential generators $x_{i+1} = a + b \cdot x_i \pmod{2^n}$ do not pass these tests. The linear complexity over $\mathbb{Z}/2^n$ of linear congruential generators is 2; hence the distribution of pairs in the produced sequences is rather poor: all the points that correspond to pairs of consecutive numbers fall into a small number of parallel straight lines in the unit square.


Linear complexity

All T-functions with the single cycle property produce uniformly distributed sequences. However, some of these T-functions produce bad sequences, which have a number of linear dependencies modulo $p^n$ and a poor distribution of pairs.

Example. The T-function $x + (x^2 \mathbin{\mathrm{OR}} C)$ has the single cycle property whenever $C \equiv 5 \pmod 8$ or $C \equiv 7 \pmod 8$ (Klimov and Shamir, 2002). However, the distribution of pairs of the sequence produced by this T-function varies from satisfactory (when there are few 1's in the more significant bit positions) to poor (when there are more 1's).

It is not easy to find a T-function that guarantees a good distribution of pairs. For instance, this problem is not completely solved even for quadratic generators with the single cycle property, despite a number of works in the area (see e.g. Emmerich, 1997; Eichenauer-Herrmann, 1995-1997, et al.).

However, we can prove that with respect to the linear complexity over a residue ring the sequence $X_n = \{f^i(x_0) \bmod p^n\}$ over $\mathbb{Z}/p^n$, generated by a compatible ergodic polynomial $f(x) \in \mathbb{Q}_p[x]$ of degree $\ge 2$, is 'asymptotically good'.

Theorem. (Anashin, 2002) $\lim_{n \to \infty} \lambda_{\mathbb{Z}/p^n}(X_n) = \infty$. Moreover, $\lambda_{\mathbb{Z}/p^n}(X_n)$ tends to $\infty$ not slower than $\log n$.


Coordinate sequences: Bad news

The drawback of the sequence produced by a T-function $F\colon \mathbb{Z}/2^k \to \mathbb{Z}/2^k$ with the single cycle property is that the less significant the bit, the shorter the period of the sequence it outputs; that is: although the length of the period of the sequence

$$S = \{z_0 = z,\ z_1 = F(z_0),\ z_2 = F(z_1), \dots\}$$

of $k$-bit words is $2^k$, the length of the period of the $j$th bit sequence (which is called the $j$th coordinate sequence)

$$S_j = \{\delta_j(z_0), \delta_j(z_1), \delta_j(z_2), \dots, \delta_j(z_{i+1}), \dots\}$$

is only $2^{j+1}$ ($j = 0, 1, \dots, k-1$).

Proposition (Anashin, 2004). The $j$th coordinate sequence $S_j$ is purely periodic, and $2^{j+1}$ is the length of its shortest period. The second half of the period is a bitwise negation of the first half, i.e., $\zeta_{i+2^j} \equiv \zeta_i + 1 \pmod 2$ for each $i = 0, 1, 2, \dots$. The linear complexity $\lambda_2(S_j)$ of $S_j$ over $GF(2)$ is exactly $2^j + 1$.

Note. In fact, somewhat similar estimates hold for the 2-adic span, another measure of complexity of sequences, introduced by Klapper and Goresky. Similar results are true for coordinate sequences of the sequence of states of a counter-dependent PRNG.

Note that the expectation of the linear complexity $\lambda_2(C)$ of a random sequence $C$ of length $T$ is $T/2$. Thus, the coordinate sequences are rather good with respect to their linear complexities. However, from the proof of the proposition it follows that these good estimates hold only because the second half of the period of a coordinate sequence is a bitwise negation of the first half. In other words, the coordinate sequence is only as 'complex' as the first half of its period.

The important question is: given a T-function with the single cycle property, what bit sequence of length $2^j$ could be output as the first half of the period of the $j$th coordinate sequence?

The answer is: ANY ONE, and independently of the other coordinate sequences.
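The three claims of the Proposition, checked by brute force on an assumed instance (an added example, not code from the slides): the period of each $S_j$, the negated second half, and $\lambda_2(S_j) = 2^j + 1$, the last computed with the Berlekamp-Massey algorithm. The T-function $F(x) = x + (x^2 \mathbin{\mathrm{OR}} 5) \bmod 2^k$ is the Klimov-Shamir single-cycle example quoted on the preceding slides.

```python
"""Coordinate sequences of a single-cycle T-function: period, negation, and
linear complexity. Added example, not code from the slides. It verifies
the Proposition (Anashin, 2004) by brute force for an assumed instance,
F(x) = x + (x^2 OR 5) mod 2^k, which has the single cycle property
(Klimov and Shamir, 2002), computing the linear complexity over GF(2) with
the Berlekamp-Massey algorithm.
"""


def t_function(x, k):
    """F(x) = x + (x^2 OR 5) reduced modulo 2^k."""
    return (x + ((x * x) | 5)) & ((1 << k) - 1)


def state_sequence(k, z=0):
    """S = z_0 = z, z_1 = F(z_0), z_2 = F(z_1), ... over one full period of 2^k words."""
    seq, x = [], z
    for _ in range(1 << k):
        seq.append(x)
        x = t_function(x, k)
    return seq


def coordinate_sequence(seq, j):
    """S_j = delta_j(z_0), delta_j(z_1), ...: the j-th bit of every state."""
    return [(z >> j) & 1 for z in seq]


def shortest_period(bits):
    """Shortest p dividing len(bits) with bits[i] == bits[i - p] for all
    i >= p (bits holds whole periods of a purely periodic sequence)."""
    n = len(bits)
    for p in range(1, n + 1):
        if n % p == 0 and all(bits[i] == bits[i - p] for i in range(p, n)):
            return p
    return n


def second_half_is_negation(bits, p):
    """zeta_{i + p/2} == zeta_i XOR 1 for every i in the first half of the period."""
    half = p // 2
    return all(bits[i + half] == bits[i] ^ 1 for i in range(half))


def berlekamp_massey(bits):
    """Linear complexity over GF(2) of the given bits (standard algorithm)."""
    N = len(bits)
    c, b = [1] + [0] * N, [1] + [0] * N
    L, m = 0, -1
    for n in range(N):
        d = bits[n]
        for i in range(1, L + 1):
            d ^= c[i] & bits[n - i]
        if d:
            t = c[:]
            shift = n - m
            for i in range(N + 1 - shift):
                c[i + shift] ^= b[i]
            if 2 * L <= n:
                L, m, b = n + 1 - L, n, t
    return L


def check_proposition(k, z=0):
    """For each j returns (shortest period of S_j, second half negated?,
    lambda_2(S_j)). Two periods of S_j are fed to Berlekamp-Massey, which
    is enough input (>= 2 * lambda_2) to recover the exact complexity."""
    seq = state_sequence(k, z)
    assert len(set(seq)) == 1 << k, "F is not single-cycle on k-bit words"
    results = []
    for j in range(k):
        s_j = coordinate_sequence(seq, j)
        p = shortest_period(s_j)
        results.append((p, second_half_is_negation(s_j, p),
                        berlekamp_massey(s_j + s_j)))
    return results


if __name__ == "__main__":
    for j, (p, neg, lc) in enumerate(check_proposition(6)):
        print(f"j={j}: period {p} (2^{j+1}={2**(j+1)}), negated half: {neg}, "
              f"lambda_2 = {lc} (2^j+1={2**j+1})")
```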


Coordinate sequences: Good news

Let $\gamma_j(F, z) \in \mathbb{N}_0$ be the number whose base-2 expansion agrees with the first half of the period of the $j$th coordinate sequence produced by the T-function $F$ with the single cycle property starting with the initial state $z$; that is,

$$\gamma_j(F, z) = \delta_j(F^{(0)}(z)) + 2\,\delta_j(F^{(1)}(z)) + \dots + 2^{2^j - 1}\,\delta_j(F^{(2^j - 1)}(z)).$$

Obviously, $0 \le \gamma_j(F, z) \le 2^{2^j} - 1$.

Theorem (Anashin, 2004). Let $\Gamma = \{\gamma_j \in \mathbb{N}_0 : j = 0, 1, 2, \dots\}$ be an arbitrary sequence of non-negative rational integers such that $0 \le \gamma_j \le 2^{2^j} - 1$ for $j = 0, 1, 2, \dots$. There exists a compatible and ergodic mapping $F\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and a 2-adic integer $z \in \mathbb{Z}_2$ such that

$$\gamma_j \equiv \gamma_j(F, z) \pmod{2^{2^j}} \quad (j = 0, 1, 2, \dots).$$

Note: A proof of this theorem also uses p-adic techniques.

Note: A similar theorem holds for coordinate sequences of state sequences of a counter-dependent PRNG of maximum period length.


Coordinate sequences: A remedy

What output function $G$ should one use? $G$ must add security, $G$ must be balanced (so as not to spoil the uniform distribution), and $G$ must cure the very unpleasant 'low order bits effect' of T-functions. One way (that might be good) is to truncate low order bits. Are there other ways?

Since the 'low order bits effect' is an inherent property of T-functions, one should include in $G$ some basic chip operations other than T-functions. Thus, $G$ will not be a T-function any more. Could one construct $G$ this way, yet not 'spoil' the good properties of the sequence of states?

YES! This is how the solution looks schematically (the example circuit):

state update: $x_{i+1} = f_i(x_i)$;
output: $y_i = G_i(\pi(x_i))$,

where $\pi$ permutes bits so that $\delta_0(\pi(x_i)) = \delta_{n-1}(x_i)$; i.e., $\pi$ sends the most significant bit of $x_i$ to the least significant bit position!

And this is how all this sounds mathematically:

Proposition 1. (Anashin, 2004) Let $G_i\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ ($i = 0, 1, 2, \dots, m-1$) be compatible and ergodic mappings (= T-functions with the single cycle property). For $x \in \{0, 1, \dots, 2^n - 1\}$ let $H_i(x) = (G_i(\pi(x))) \bmod 2^n$, where $\pi$ is a permutation of the bits of $x \in \mathbb{Z}/2^n$ such that $\delta_0(\pi(x)) = \delta_{n-1}(x)$. Consider the sequence $H = \{H_i(x_i)\}$, where $\{x_i\}$ is the state update sequence of our counter-dependent PRNG (see e.g. the example circuit). Then the shortest period of the $j$th coordinate sequence $H_j = \delta_j(H)$ ($j = 0, 1, 2, \dots, n-1$) is of length $2^n k_j$ for a suitable $1 \le k_j \le m$. Moreover, the linear complexity of the sequence $H_j$ exceeds $2^{n-1}$: $\lambda_2(H_j) > 2^{n-1}$.


Three tools

Techniques that enable one to construct single cycle (resp., invertible, balanced) mappings out of basic chip operations mainly utilize the following three approaches:

non-Archimedean (p-adic) analysis for $p = 2$;
skew shifts (= wreath products);
Boolean representations.

We have already discussed the first and the second of these approaches.


Boolean representations

The third of the three approaches, which is based on the theory of Boolean functions, is more straightforward, and can be applied directly only to relatively short and simple compositions of the basic chip instructions. However, on the one hand, this approach is tightly connected with the skew shift techniques and, on the other hand, it lies in the background of some results obtained within the non-Archimedean approach.

By definition, a univariate T-function $F$ is the mapping

$$(\chi_0, \chi_1, \chi_2, \dots) \xmapsto{F} (\psi_0(\chi_0);\ \psi_1(\chi_0, \chi_1);\ \psi_2(\chi_0, \chi_1, \chi_2);\ \dots),$$

where $\chi_j \in \{0, 1\}$, and each $\psi_j(\chi_0, \dots, \chi_j)$ is a Boolean function in the Boolean variables $\chi_0, \dots, \chi_j$. It turns out that one can determine whether $F$ is invertible / has the single cycle property by analyzing the algebraic normal forms of the Boolean functions $\psi_j$.


Boolean representations: ANF

Recall that the algebraic normal form, ANF, of the Boolean function $\psi_j(\chi_0, \dots, \chi_j)$ is the representation of this function via $\oplus$ (addition modulo 2 = logical 'exclusive or') and $\cdot$ (multiplication modulo 2 = logical 'and' = conjunction). In other words, the ANF of the Boolean function $\psi$ is its representation in the form

$$\psi(\chi_0, \dots, \chi_j) = \beta \oplus \beta_0 \chi_0 \oplus \beta_1 \chi_1 \oplus \dots \oplus \beta_{0,1} \chi_0 \chi_1 \oplus \dots,$$

where $\beta, \beta_0, \dots \in \{0, 1\}$.

Recall that the weight of the Boolean function $\psi_j$ in $(j+1)$ variables is the number of $(j+1)$-bit words that satisfy $\psi_j$; that is, the weight is the cardinality of the truth set of $\psi_j$.


A folklore

Theorem 6. (folklore, more than 30 years old.) A univariate T-function $F$

$$(\chi_0, \chi_1, \chi_2, \dots) \xmapsto{F} (\psi_0(\chi_0);\ \psi_1(\chi_0, \chi_1);\ \psi_2(\chi_0, \chi_1, \chi_2);\ \dots)$$

is invertible iff for each $j = 0, 1, \dots$ the Boolean function $\psi_j$ in the Boolean variables $\chi_0, \dots, \chi_j$ is linear with respect to the variable $\chi_j$; that is, $F$ is invertible $\Leftrightarrow$ the ANF of each $\psi_j$ is of the form

$$\psi_j(\chi_0, \dots, \chi_j) = \chi_j \oplus \varphi_j(\chi_0, \dots, \chi_{j-1}),$$

where $\varphi_j$ is a Boolean function that does not depend on the variable $\chi_j$.

Theorem 7. (folklore, more than 30 years old.) The mapping $F$ has the single cycle property iff, additionally, the Boolean function $\varphi_j$ is of odd weight. The latter takes place if and only if $\varphi_0 = 1$, and the full degree of the Boolean function $\varphi_j$ for $j \ge 1$ is exactly $j$, that is, the ANF of $\varphi_j$ contains the monomial $\chi_0 \cdots \chi_{j-1}$. Thus, $F$ has the single cycle property $\Leftrightarrow$ $\psi_0(\chi_0) = \chi_0 \oplus 1$, and for $j \ge 1$ the ANF of each $\psi_j$ is of the form

$$\psi_j(\chi_0, \dots, \chi_j) = \chi_j \oplus \chi_0 \cdots \chi_{j-1} \oplus \theta_j(\chi_0, \dots, \chi_{j-1}),$$

where the weight of $\theta_j$ is even; i.e., $\deg \theta_j \le j - 1$.
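Theorems 6 and 7 turned into a checker (an added example, not code from the slides): the ANF of each $\psi_j$ is computed from a truth table by the Mobius transform, the linearity-in-$\chi_j$ and top-monomial conditions are read off the coefficients, and the verdict is cross-checked by enumerating all $n$-bit words. The sample functions are assumptions; $x + (x^2 \mathbin{\mathrm{OR}} 5)$ is the Klimov-Shamir single-cycle example quoted on these slides.

```python
"""Checking invertibility and the single cycle property from the ANFs of
the psi_j (Theorems 6 and 7 of the slides). Added example, not code from
the slides. A T-function is passed as a Python callable on integers; the
sample functions below are assumptions (x + (x^2 OR 5) is the Klimov-Shamir
single-cycle example quoted in the slides). The ANF tests are cross-checked
by enumerating all n-bit words.
"""


def anf(truth_table):
    """Mobius transform: truth table indexed by the word chi_0 + 2 chi_1 + ...
    to ANF coefficients indexed by the monomial's variable mask."""
    coef = list(truth_table)
    step = 1
    while step < len(coef):
        for i in range(len(coef)):
            if i & step:
                coef[i] ^= coef[i ^ step]
        step <<= 1
    return coef


def psi_anf(F, j):
    """ANF of psi_j(chi_0, ..., chi_j), the j-th output bit of F. Because F
    is a T-function, bit j depends only on bits 0..j of x, so tabulating
    x in [0, 2^(j+1)) captures psi_j completely."""
    return anf([(F(x) >> j) & 1 for x in range(1 << (j + 1))])


def is_invertible(F, n):
    """Theorem 6: psi_j = chi_j XOR phi_j(chi_0..chi_{j-1}) for all j < n,
    i.e. the only monomial containing chi_j is chi_j itself."""
    for j in range(n):
        top = 1 << j
        for mask, c in enumerate(psi_anf(F, j)):
            if mask & top and c != (1 if mask == top else 0):
                return False
    return True


def has_single_cycle(F, n):
    """Theorem 7: additionally every phi_j has odd weight, which holds iff
    its ANF contains the monomial chi_0 ... chi_{j-1} (phi_0 = 1 for j = 0).
    That coefficient is read off psi_j at mask 2^j - 1."""
    return is_invertible(F, n) and all(
        psi_anf(F, j)[(1 << j) - 1] == 1 for j in range(n))


def brute_force(F, n):
    """Direct check on n-bit words: (bijective?, one cycle of length 2^n?)."""
    mod = 1 << n
    bijective = len({F(x) % mod for x in range(mod)}) == mod
    x, steps = 0, 0
    while steps < mod:
        x, steps = F(x) % mod, steps + 1
        if x == 0:
            break
    return bijective, bijective and x == 0 and steps == mod


# Constructed sample T-functions (built from +, * and OR, hence T-functions).
SAMPLES = {
    "x^2": lambda x: x * x,                         # not invertible
    "x + 2x^2": lambda x: x + 2 * x * x,            # invertible, several cycles
    "x + (x^2 OR 5)": lambda x: x + ((x * x) | 5),  # single cycle
    "1 + x": lambda x: 1 + x,                       # single cycle
}


def classify(F, n):
    """(invertible, single cycle) by the ANF criteria; asserts agreement
    with brute force so the theorems can be seen holding on the sample."""
    verdict = (is_invertible(F, n), has_single_cycle(F, n))
    assert verdict == brute_force(F, n)
    return verdict


if __name__ == "__main__":
    for name, F in SAMPLES.items():
        print(f"{name:16s} (invertible, single cycle) = {classify(F, 6)}")
```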


T-functions are also skew shifts!

Note: Theorem 5 is a generalization of these folklore theorems; the latter are the special case of Theorem 5 for $m = 1$. The proof of this theorem uses the skew shift technique. Important: a T-function

$$(\chi_0, \chi_1, \chi_2, \dots) \xmapsto{F} (\psi_0(\chi_0);\ \psi_1(\chi_0, \chi_1);\ \psi_2(\chi_0, \chi_1, \chi_2);\ \dots)$$

is just a composition of skew shifts:

$\chi_0 \mapsto \psi_0(\chi_0)$
$(\chi_0, \chi_1) \mapsto (\psi_0(\chi_0), \psi_1(\chi_0, \chi_1))$
$((\chi_0, \chi_1), \chi_2) \mapsto ((\psi_0(\chi_0), \psi_1(\chi_0, \chi_1)), \psi_2(\chi_0, \chi_1, \chi_2))$
$\dots$


Using Boolean representations

As was said, direct use of these folklore results to verify whether a composition of arithmetic operations and bitwise logical operations is invertible (or whether it has the single cycle property) is possible, but mainly for rather simple compositions.

Note: The bit-slice techniques of Klimov and Shamir, which they introduced in 2002, are just re-statements of the above mentioned folklore theorems.

For instance, with the use of these folklore theorems the following results (among others) were obtained:

(Kotomina, 1999) The mapping $f(x) = (\dots((((x + c_0) \oplus d_0) + c_1) \oplus d_1) + \dots)$ has the single cycle property on $n$-bit words ($n \ge 2$) iff it has this property on 2-bit words;

(Anashin, 2004) For any T-function $f$ with the single cycle property and any T-function $v$ the following functions have the single cycle property: $f(x + 4 \cdot v(x))$, $f(x \oplus (4 \cdot v(x)))$, $f(x) + 4 \cdot v(x)$, and $f(x) \oplus (4 \cdot v(x))$.

The other use of these folklore results is the construction of multivariate T-functions with the single cycle property.


Multivariate T-functions

In 2004 Klimov and Shamir introduced a multivariate T-function $H$ with the single cycle property. The $m$-variate mapping

$$H\colon (\vec{x}_0, \vec{x}_1, \dots, \vec{x}_{m-1}) \mapsto (h_0, h_1, \dots, h_{m-1})$$

over $n$-bit words $\vec{x}_0, \vec{x}_1, \dots, \vec{x}_{m-1}$, defined by

$$h_s = \vec{x}_s \oplus \Big(\big(h(\vec{x}_0 \wedge \dots \wedge \vec{x}_{m-1}) \oplus (\vec{x}_0 \wedge \dots \wedge \vec{x}_{m-1})\big) \wedge \vec{x}_0 \wedge \dots \wedge \vec{x}_{s-1}\Big),$$

$s = 0, 1, \dots, m-1$, has the single cycle property whenever $h$ is a univariate T-function with the single cycle property.

In fact, this is just a trick: the $m$-variate mapping $H$ on $n$-bit words is a multivariate representation of a univariate T-function over $mn$-bit words.


Multivariate T-functions: A trick

Given a univariate T-function $F$,

$$x = (\chi_0, \chi_1, \chi_2, \dots) \xmapsto{F} (\psi_0(\chi_0);\ \psi_1(\chi_0, \chi_1);\ \psi_2(\chi_0, \chi_1, \chi_2);\ \dots),$$

arrange this mapping in columns of height $m$, this way:

$(\chi_0, \chi_m, \chi_{2m}, \dots) \xmapsto{f_0} (\psi_0(x), \psi_m(x), \psi_{2m}(x), \dots)$
$(\chi_1, \chi_{m+1}, \chi_{2m+1}, \dots) \xmapsto{f_1} (\psi_1(x), \psi_{m+1}(x), \psi_{2m+1}(x), \dots)$
$\dots$
$(\chi_{m-1}, \chi_{2m-1}, \chi_{3m-1}, \dots) \xmapsto{f_{m-1}} (\psi_{m-1}(x), \psi_{2m-1}(x), \psi_{3m-1}(x), \dots)$

Now just assume the left-hand rows are new variables:

$$\vec{x}_j = (\chi_j, \chi_{m+j}, \chi_{2m+j}, \dots) \quad (j = 0, 1, \dots, m-1).$$

Consider the simplest example: $F(x) = 1 + x$. We have

$$\delta_j(F(x)) \equiv \delta_j(x) + \prod_{s=0}^{j-1} \delta_s(x) \pmod 2$$

(we assume the product over the empty set is 1); then the $m$-variate representation $F = (f_0, f_1, \dots, f_{m-1})$ of this mapping is

$$f_k(\vec{x}_0, \dots, \vec{x}_{m-1}) = \vec{x}_k \oplus \Big(\Big(\bigwedge_{s=0}^{k-1} \vec{x}_s\Big) \wedge \Big(\Big(\Big(\bigwedge_{r=0}^{m-1} \vec{x}_r\Big) + 1\Big) \oplus \Big(\bigwedge_{r=0}^{m-1} \vec{x}_r\Big)\Big)\Big).$$


Using a trick

Proposition 2. (Anashin, 2004) Let $t, j \in \{0, 1, \dots, m-1\}$, and let all $f_j^{(t)}$ (resp., $g_j^{(t)}$) be univariate T-functions that are transitive (resp., bijective) modulo $2^n$. Then the mapping $\mathbf{F}(x) = (f_0(x), \dots, f_{m-1}(x))$,

$$f_0(x) = \vec{x}_0 \boxplus \Big(\bigwedge_{r=0}^{m-1} \big(f_0^{(r)}(\vec{x}_r) \oplus \vec{x}_r\big)\Big);$$

$$f_1(x) = \vec{x}_1 \boxplus \Big(g_1^{(0)}(\vec{x}_0) \wedge \Big(\bigwedge_{r=0}^{m-1} \big(f_1^{(r)}(\vec{x}_r) \oplus \vec{x}_r\big)\Big)\Big);$$

$$\dots$$

$$f_{m-1}(x) = \vec{x}_{m-1} \boxplus \Big(\Big(\bigwedge_{t=0}^{m-2} g_{m-1}^{(t)}(\vec{x}_t)\Big) \wedge \Big(\bigwedge_{r=0}^{m-1} \big(f_{m-1}^{(r)}(\vec{x}_r) \oplus \vec{x}_r\big)\Big)\Big),$$

where $x = (\vec{x}_0, \dots, \vec{x}_{m-1})$ and $\boxplus \in \{+, \oplus\}$, has the single cycle property.


Coming back to p-adic analysis

Unfortunately, no T-functions with the single cycle property which are REALLY multivariate are known today. Among 'natural' functions these do not exist!

Theorem 8. (Anashin, 1993) Let the function $F = (f_1, \dots, f_n)\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^n$ be compatible, ergodic, and uniformly differentiable modulo $p$ on $\mathbb{Z}_p$. Then $n = 1$.

Note: Compared to differentiability, differentiability modulo $p^k$ is a weaker restriction. In fact,

$$\frac{F(u + h) - F(u)}{h} \approx F'_k(u)$$

$\approx$ with arbitrarily high precision $\Rightarrow$ differentiability;
$\approx$ with precision not worse than $p^{-k}$ $\Rightarrow$ differentiability mod $p^k$.

In fact we have already used uniform differentiability modulo $p^k$ when proving that some property holds modulo all $p^n$ whenever it holds modulo some $p^{n_0}$.

Note. (Anashin, 1993) All univariate invertible T-functions on $n$-bit words are just reductions modulo $2^n$ of some compatible functions on $\mathbb{Z}_2$ which are uniformly differentiable modulo 2.

Note. (Anashin, 2004) Any transitive $m$-variate mapping $U\colon (\mathbb{Z}/2^n)^m \to (\mathbb{Z}/2^n)^m$ can be constructively (with the use of skew shifts) raised to a continuous mapping $\tilde U\colon (\mathbb{Z}_2)^m \to (\mathbb{Z}_2)^m$ which is transitive modulo $2^N$ for all $N \ge n$.


A 'provable' security

To prove a cipher is secure one makes a 'polynomial-time' reduction to one of the plausible (but still unproven) conjectures of 'intractability' of a certain problem which is 'hard on average'. Within the class of our PRNGs this reduction (hence, a 'conditional proof' of their security) is also possible.

First, we need a problem which is plausibly hard on average. Consider a polynomial $\psi(\chi_0, \chi_1, \dots, \chi_{n-1})$ over $\mathbb{Z}/2$ in the variables $\chi_0, \chi_1, \dots, \chi_{n-1}$; for $m \in \mathbb{N}$ replace $\chi_j^m$ with $\chi_j$. Thus one obtains a Boolean polynomial, that is, an algebraic normal form, ANF, of a Boolean function. To determine whether $k$ Boolean polynomials in $n$ variables have a common zero is an NP-complete problem.

We conjecture: For $k \le n$ it is intractable to find a solution of a system of $k$ random Boolean equations in $n$ indeterminates (under the assumption that the number of monomials in each equation is polynomially restricted).

Now, given Boolean polynomials $\psi_i$, we construct a T-function $f$ with the single cycle property in the following way: for $x \in \mathbb{Z}_2$ let $\Psi_i(x) = \psi_i(\delta_0(x), \dots, \delta_{n-1}(x)) \in \{0, 1\} \subset \mathbb{Z}_2$; put

$$f(x) = (1 + x) \oplus 2^{n+1} \cdot \Psi_0(x) \oplus 2^{n+2} \cdot \Psi_1(x) \oplus \dots \oplus 2^{n+k} \cdot \Psi_{k-1}(x).$$

In view of the above mentioned folklore result (see Theorems 6 and 7) this function $f$ is a T-function with the single cycle property.

Then we construct a PRNG. Take $f \bmod 2^{n+k+1}$ as the state update function, $G = \lfloor z / 2^{n+1} \rfloor \bmod 2^k$ (a truncation of the $n+1$ low order bits) as the output function, and $x_0 \in \{0, 1, \dots, 2^n - 1\}$ as a key. The produced output sequence attains all the above mentioned properties (period of length $2^{n+k+1}$, uniform distribution, etc.).

However, it is not difficult to show that to find a state $x = \chi_0 + \chi_1 \cdot 2 + \dots + \chi_{n-1} \cdot 2^{n-1}$ given an output, an adversary (with probability $1 - \frac{1}{2}$) has to solve the Boolean system

$$\psi_i(\chi_0, \chi_1, \dots, \chi_{n-1}) = \varepsilon_i \quad (i = 1, 2, \dots, k),$$

where $\varepsilon_i \in \{0, 1\}$ are determined by the output.

Moreover, with the use of the above technique it is clear how to construct in a similar way a counter-dependent PRNG which produces an output sequence that attains all the above mentioned properties. That is, at each new step an adversary will have to solve a new system of Boolean equations, i.e., the left hand side of the system will change from step to step.
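The PRNG of these slides built end to end for a small constructed system of Boolean polynomials (an added example, not the author's code): the state update $f(x) = (1+x) \oplus 2^{n+1}\Psi_0(x) \oplus \dots \oplus 2^{n+k}\Psi_{k-1}(x)$ taken mod $2^{n+k+1}$, the truncating output $G$, and a walk over the whole state cycle confirming the period $2^{n+k+1}$ and the uniform output distribution. The parameters $n = 4$, $k = 3$, the three ANFs and the key are assumptions chosen so that the whole period can be enumerated.

```python
"""The PRNG of the 'provable security' slides, built from Boolean
polynomials psi_i. Added example, not the author's code. Parameters n, k,
the sample ANFs and the key are assumptions, chosen small enough that a
whole period can be enumerated; the state update f and the output
function G follow the formulas on the slides.
"""


def delta(x, j):
    """delta_j(x): the j-th binary digit of x."""
    return (x >> j) & 1


def make_state_update(psis, n, k):
    """f(x) = (1 + x) XOR 2^(n+1) Psi_0(x) XOR ... XOR 2^(n+k) Psi_{k-1}(x),
    with Psi_i(x) = psi_i(delta_0(x), ..., delta_{n-1}(x)), taken mod 2^(n+k+1).
    Each psi_i is a function of the list [chi_0, ..., chi_{n-1}] returning 0/1."""
    assert len(psis) == k
    mod = 1 << (n + k + 1)

    def f(x):
        chi = [delta(x, j) for j in range(n)]
        y = 1 + x
        for i, psi in enumerate(psis):
            y ^= psi(chi) << (n + 1 + i)
        return y % mod

    return f


def output(z, n, k):
    """G(z) = floor(z / 2^(n+1)) mod 2^k: truncate the n+1 low order bits."""
    return (z >> (n + 1)) & ((1 << k) - 1)


def keystream(psis, n, k, key, length):
    """First `length` output words for the key x_0 = key (0 <= key < 2^n)."""
    f, x, out = make_state_update(psis, n, k), key, []
    for _ in range(length):
        out.append(output(x, n, k))
        x = f(x)
    return out


def period_and_histogram(psis, n, k, key=0):
    """Walks the state cycle starting at `key`: returns (cycle length, how
    often each k-bit output value occurs on that cycle). For a single-cycle
    f the length is 2^(n+k+1) and every value occurs 2^(n+1) times."""
    f = make_state_update(psis, n, k)
    mod = 1 << (n + k + 1)
    hist = [0] * (1 << k)
    x, steps = key, 0
    while steps < mod:
        hist[output(x, n, k)] += 1
        x, steps = f(x), steps + 1
        if x == key:
            break
    return steps, hist


# Constructed sample system: k = 3 Boolean polynomials (ANFs) in n = 4 variables.
N, K = 4, 3
PSIS = [
    lambda c: c[0] & c[1] ^ c[2],              # chi_0 chi_1 + chi_2
    lambda c: c[1] & c[3] ^ c[0] ^ 1,          # chi_1 chi_3 + chi_0 + 1
    lambda c: c[0] & c[1] & c[2] ^ c[3],       # chi_0 chi_1 chi_2 + chi_3
]

if __name__ == "__main__":
    steps, hist = period_and_histogram(PSIS, N, K, key=5)
    print("period:", steps, "expected", 2 ** (N + K + 1))
    print("output histogram:", hist, "expected", 2 ** (N + 1), "each")
    print("first outputs:", keystream(PSIS, N, K, key=5, length=12))
```

Theorem 7 is what guarantees the period: each added term $2^{n+1+i}\Psi_i(x)$ contributes to bit $n+1+i$ a function of fewer variables, hence of even weight, so the single cycle of $1 + x$ is preserved.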


Conclusions

On the one hand, it is possible to build fast and secure stream ciphers based on 2-adic ergodic functions: our schemes attain a performance of 6 Gbit per second on a 3 GHz Intel P4 processor. Use of these functions results in new cryptographic properties, which make the cipher more secure: first of all, this is the possibility of making the functions key-dependent, and of changing them dynamically during the encryption.

On the other hand, one must be very careful when choosing T-functions for a stream cipher: too many of these functions are fast, yet bad. One bad function among other good ones in a composition of a (counter-dependent) PRNG is enough to spoil the whole cipher!

Cryptographic properties of T-functions are tightly connected with specific features of the corresponding non-Archimedean dynamics. These dynamics are rich, intriguing, and worth deeper study to develop new fast and secure ciphers.
