COMBINING AND FILTERING FUNCTIONS IN THE FRAMEWORK OF NONLINEAR-FEEDBACK SHIFT REGISTER

The cryptographic strength of a stream cipher is determined by the ability of the generated pseudorandom sequence to resist analytical attacks. Among the main components of an algorithm that generates the pseudorandom sequence of a stream cipher are the Boolean functions used for combining and filtering. The paper considers the possibility of applying nonlinear-feedback shift registers that generate a maximum length sequence as a combining or filtering function. The main indicators of the cryptographic strength of such functions are examined: balance, the presence of prohibitions, correlation immunity and nonlinearity. The study analyzes and presents experimental values of correlation immunity and nonlinearity for all nonlinear-feedback shift registers that generate a maximum length sequence, for register sizes up to 6 cells inclusively, and for register sizes up to 9 cells inclusively with algebraic degree of the polynomial under 2. The possibility of optimizing the selection of Boolean functions by the criteria of maximum correlation immunity and nonlinearity, for various algebraic degrees and with minimization of the number of monomials in the polynomial, is also studied.


RESEARCH MODEL
In the general block diagrams of a combination generator (Fig. 1) and a filter generator (Fig. 2) of a pseudorandom sequence (PRS), which use several linear-feedback shift registers (LFSR) or nonlinear-feedback shift registers (NLFSR), - , the function f is usually considered either a combination or a filtering function of L variables.
In general, a Boolean mapping 2 2 : is a Boolean function that corresponds to NLFSR. Boolean functions will be represented in the form of polynomials (a Zhegalkin polynomial, or algebraic normal form, ANF) over the field $F_2$: ( Let us assume, that For all sequences except one (generated by $s_1$), the fraction of matches will be $1/2$. This establishes that the state $s_1$ is part of the key. If the function f is correlated with all of its variables (or with all but one, in which case the state of the register corresponding to that variable is found last, once the states of all other registers are known), then the generator key is found in $2^{l_1} + \dots + 2^{l_L}$ tries, which is much less complicated.
Nonlinearity. In practice [3][4][5], cryptographic transformations whose properties are close to those of linear functions lead in many cases to a significant decrease in cipher stability. That is why functions whose properties exclude the weaknesses typical of near-linear functions play an important role in cryptography. Thus, a desired property of a function is its nonlinearity, understood in a broad sense as the opposite of linearity. In block and stream ciphers, the use of a highly nonlinear function increases the cipher's stability against linear and differential cryptanalysis.

PROBLEM STATEMENT
The literature lacks a description of how the different cryptographic properties are connected. According to [1], the functions chosen as cipher components must be "good from every side", which in reality is a very difficult task, since many properties contradict each other. At the same time, theoretical results show that for a random function many cryptographic parameters are close to optimal. The question is how to choose it.
In addition to optimizing cryptographic performance, a practical implementation must take into account the simplicity of implementation (both software and hardware). The fewer resources the algorithm spends to form the next bit (memory and the number of simple operations in a software implementation; logic elements and the possibility of parallelizing them in hardware), the higher the possibility of obtaining a final product that is faster, cheaper to manufacture, and less energy-consuming.
The work can be viewed as an extension of the materials obtained by the authors and stated in [3][4][5] for the case of using ANF with nonlinearity of a random order. The results presented in [3][4][5] are given here for completeness.
The article analyzes the possibility of using M-NLFSR as either a combination or filtering function. It also studies the problem of M-NLFSR selection optimization by the criteria of maximum correlation immunity and nonlinearity at different algebraic degrees, as well as the possibility of minimizing the number of monomials used.

DEFINITIONS USED
where Hamming weight, or simply the weight, of a binary vector is the number of ones among its components. The Hamming weight of a Boolean function is the weight of the vector of its values. The weight of a vector or function is denoted by between the two functions f and g is the weight of the function $f \oplus g$. In other words, it is the number of those ). In case L is odd, the exact value of the maximum distance is unknown. The term "maximally nonlinear function" can be seen in Ukrainian literature, whereas in English the term "bent function" is more typical. The analogy between the terms is not complete. For an even number of variables L, bent functions and maximally nonlinear functions coincide; however, for an odd L, bent functions (unlike maximally nonlinear functions) do not exist. In addition, no bent function is balanced (unlike the functions of the corresponding M-NLFSR, as will be shown below), which makes them vulnerable to statistical analysis.

BALANCE
An M-NLFSR, like an M-LFSR, generates a modified de Bruijn sequence, and if the state in which all cells are filled with zeros is added to the consideration, then the resulting function is balanced. With an equally probable and independent selection of the arguments of the Boolean function f that forms the M-NLFSR, the probabilities of its values, respectively, are equal A. Kuznetsov, O. However, one should be careful, since a fully balanced filtering function in one form or another transfers the properties of the input sequence to the generated sequence [7]. For example, work [8] established a new criterion, which states: "the filtering function preserves prohibitions (in the corresponding sense) only if it is completely balanced". Thus, if a sequence that is "far" from random enters the function as input, then the statistical properties of the output will be poor.

CORRELATION IMMUNITY
To keep this work short, the statements and theorems in this and the next sections are given without proof; the proofs are publicly available, for example, in [1][2][9][10][11].
A function being correlation-immune of degree m means that the values of the function $Z = f(X)$ are statistically independent of any set of at most m components of a random argument vector . This is equivalent to the condition that the output of the transformation does not include information about the vectors from the input of the transformation and that has a Hamming weight of no more than ( ) Siegenthaler's inequality is one of many contradictions among the cryptographic properties of functions: a high correlation immunity order of a function entails a low algebraic degree, and vice versa.
If the function Thus, there are The value of the maximum stability order for m-optimal functions, depending on the length of the register and the algebraic degree, is given in Table 1. Table 2), as well as the M-LFSR and M-NLFSR 2nd order for $L \le 9$ (see Table 3). As it can be seen in Tables 2-3 ), which has no correlation immunity.

NONLINEARITY
Nonlinearity of function f, as mentioned above, is the distance from f to the class of affine functions $A_L$: (4) The following statements show that the higher the order of the correlation immune function is, the lower the upper limit of its nonlinearity is. Table 4 shows the values calculated by the formulas above, with the maximum possible nonlinearity of a balanced function depending on its stability. However, the value of the nonlinearity given in Table 4 is not necessarily achievable. Let us denote a maximally possible nonlinearity of 252 function and L is even, it is true, that In [12] it is indicated that for odd L and 7  L . Also [12] refers to the proved inequality These results do not contradict the results obtained in this work and given below.
The obtained distribution by nonlinearity of the entire set of M-NLFSR of size $L \le 6$ is summarized in Table 5. Tables 6 and 7 summarize the distribution results for   6  L , depending on the nonlinearity and the maximum order of stability, and Tables 8 and 9 contain similar results for the 2nd order M-NLFSR if $7 \le L \le 9$.
It is shown that M-NLFSR achieve the value of the correlation immunity that corresponds to m-optimal functions for all studied L. However, there are a large number of functions that have no correlation immunity. In addition, functions can be m-optimal and m-saturated at the same time.
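The three indicators discussed above (balance, correlation immunity and nonlinearity) can be computed for a given feedback function as follows. This is an added example, not code from the paper: the two L = 4 feedback polynomials are constructed samples, the function names and the tuple encoding of monomials are assumptions, and the correlation immunity order is obtained from the Walsh spectrum (the Xiao-Massey characterization), a method the paper does not name.

```python
def truth_table(anf, L):
    """Values of f on all 2^L inputs; bit i of the index x is the variable x_i."""
    table = []
    for x in range(1 << L):
        bits = [(x >> i) & 1 for i in range(L)]
        table.append(sum(all(bits[i] for i in mono) for mono in anf) & 1)
    return table

def walsh(table):
    """Walsh spectrum W(u) = sum over x of (-1)^(f(x) xor u.x), by fast transform."""
    w = [1 - 2 * b for b in table]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def properties(anf, L):
    """Return (balanced, correlation immunity order, nonlinearity) of f."""
    w = walsh(truth_table(anf, L))
    nonlinearity = (1 << (L - 1)) - max(abs(v) for v in w) // 2
    ci = 0  # largest m with W(u) = 0 for every u of weight 1..m
    for m in range(1, L + 1):
        if any(w[u] for u in range(1 << L) if bin(u).count("1") == m):
            break
        ci = m
    return w[0] == 0, ci, nonlinearity

def period(anf, L, start=1):
    """Cycle length of the register (x0..x_{L-1}) -> (x1..x_{L-1}, f(x)), or None."""
    table, state = truth_table(anf, L), start
    for n in range(1, (1 << L) + 1):
        state = (state >> 1) | (table[state] << (L - 1))
        if state == start:
            return n
    return None  # start state is not on a cycle (singular feedback)

# Constructed sample feedback functions for L = 4, one tuple of indices per monomial.
QUADRATIC = [(0,), (1,), (2,), (1, 2)]  # x0 + x1 + x2 + x1*x2
LINEAR = [(0,), (1,)]                   # x0 + x1

if __name__ == "__main__":
    for name, anf in (("quadratic", QUADRATIC), ("linear", LINEAR)):
        print(name, period(anf, 4), properties(anf, 4))
```

Both registers reach the maximum period 15 and both functions are balanced, but the quadratic one has nonlinearity 4 with no correlation immunity, while the linear one has correlation immunity of order 1 with nonlinearity 0.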
A number of functions corresponding to M-NLFSR that are m-optimal and simultaneously m-saturated are given; they also possess the minimum number of ANF monomials, which allows the costs (time and hardware) of generating PRS on their basis to be minimized (for the given sizes). A prospective direction of further research is the substantiation of practical recommendations concerning the implementation of the introduced method and the ways of its use in different information security mechanisms of telecommunications networks and systems [30][31][32][33][34][35][36][37].
This research might be useful to us while improving various methods of information security, as well as to other practical applications [38][39][40][41][42][43].