, . -
: ", ,
,
,
"...
1997
,
,
" , ,
.
,
, "1, -
, .
"
, ,
.
, ,
.
, -,
.
,
, .
, "" ,
-
.
."2
" , , . ,
, , , ,
. ,
,
,
,
, - ,
,
. , ,
;
."3
" , - - , "1 ...
1
, Internet "
", 1995
2
0.
0.1 ..........................................................
0.2
...................................................................................................................
0.3 ........................................................................
0.3.1 ..................
0.3.2 .......................
7
8
1.
1.1 .............................................................................................. 10
1.2 ................................................................... 11
1.3 ........................................................................................ 13
1.4 .........................................................................................
14
2.
2.1 ......................................................................................
16
2.1.1 .............................................................
2.1.2 .......................................
16
18
2.2 .............................................................
20
2.2.1 () ....................................
2.2.2
....................................................................................................
2.2.3
...................................................................................................
21
2.3 ......................................................................................................
24
2.3.1 ..
2.3.2 ...................
2.3.3 , .....................
25
27
29
22
24
2.4 ..................................................................................................... 33
3.
3.0 .................................................................................................. 35
3.1 .................................................... 36
3.1.1 .........................................................................................
3.1.2 ......................................................................................
3.1.2.1 ..................................................................
3.1.2.2 ....................................................................................
3.1.2.3 .......................................................................
3.1.2.4 ............................................................................................
3.1.2.5 ..................................................................
3.1.2.6 ............................................................................
3.1.2.7 ..................................................................................
3.1.2.8 l- ...................................................................
3.1.2.9 ......................................................................
3.1.3 .......................................................
36
37
37
38
38
39
39
39
41
42
42
43
3.2 ............................
43
3.2.1 ....................................................................
3.2.2 - ..........................................
3.2.3 - .........................
3.2.4 ...............................................
3.2.5 ...............................................................................................
3.2.5.1 ..............
3.2.5.2 .......................................
3.2.5.3 .......................
3.2.6 .......................................................................
43
44
47
50
51
51
53
54
56
3.3 ...................................................................... 57
3.3.1 ......................................................................... 57
3.3.2 ....................... 58
3.4 .............................
59
3.4.1 ................................................ 59
3.4.2 ..................................... 60
3.4.3 ................. 61
3.5 .........................................................................................
64
3.5.1 ........................................................................................... 64
3.5.2 ....................................................................................... 65
3.5.3 .......................................................................................... 66
3.6 : - .............................
68
4.
4.0 ................................................ 69
4.1 ........................................................................................
70
4.1.1 - ....................................................... 70
4.1.2
............................................. 72
4.2 ...................................................................................
77
4.3 .....................
80
4.3.0 ...................................................................................................
4.3.1 ..................................................
4.3.2 ............................
4.3.3
...........................................................................................
4.3.4
- ........................................................................................
4.3.5 : .......................
4.3.6 ............................................
80
84
86
94
97
102
4.4 - ...............................................................................
104
4.4.0 ......................................................................................
4.4.1 :
- ...........................................................................................
4.4.2 : " " .........
4.4.3 ......................................................
4.4.4 ............................................................................
4.4.5 .......
4.4.6 - ...........
104
89
105
107
110
111
114
117
5. .
5.0 ...........................................................................................................
119
129
132
141
5.4.1 ..........................
141
5.4.2 ,
, ............................... 142
5.4.2.1 ..................................
5.4.2.2 ............................
5.4.2.3 ..........................
5.4.2.4 ,
.......................................
142
145
147
149
6.
6.0 ......................
154
6.1 ..................
155
6.1.1 , ........
155
155
156
158
159
160
6.1.2 ..............................................................................
161
161
162
164
166
169
173
173
175
178
179
184
6.3.3.1 ..........................................................................
6.3.3.2 ,
..........................................................
185
185
6.3.3.3 ......................................................................................
187
6.4 .......................................................
190
6.4.1 ............................................................
6.4.2
...............
6.4.3 .......................
6.4.4
.......................................................................
190
192
196
200
7.
7.1 ...........................................................................................................
208
213
7.2.1 .................................................................................
7.2.2 1 .................................
7.2.3 , ..........................................
7.2.4 ....................................................
213
214
216
217
7.3 ................................
219
7.3.1
...........................
7.3.2 .....................
7.3.3 ........................
7.3.4 .....................................................................................
219
222
224
227
229
230
232
235
237
239
240
241
8.
8.1 ..................................................................................................
245
8.1.1 .............................................................................................
8.1.2 ............................................................................................
8.1.3 - .........................................................
8.1.4 .....................................................................................
8.1.5 ...........................................................
8.1.6 .....................................................................................
8.1.7 "1/p" ...............................................................................................
8.1.8 ...............................................................................
8.1.9 ........................................................................................
8.1.10 .................................................................................
8.1.11 ....................................................................................
245
246
247
248
249
250
251
253
254
255
256
257
259
260
263
264
265
268
268
271
273
275
276
277
278
280
283
9.
9.1 " " .................................................................................
290
9.2 ..................................................
291
310
9.7.1 ..................................................................................
9.7.2 ....................................................................................................
9.7.3 .......................................................................
9.7.4 ................................................................................
310
311
313
315
10.
10.0 ..............................................................................
317
10.1 ..................................................................
319
322
324
326
327
333
334
.
I. ............................................
II. .................................................................
III. .................................................................
IV. ..................................................................................................
V. ......................................................................................
337
338
338
339
339
.......................................................................................................... 341
- ......................................................... 369
- ................................................. 378
0.
0.1
( "" "").
( ETH,
), :
[241].
/ .
,
. , ,
,
.
. ( )
( , )
, .
,
.
,
. (1835-1903),
.
: , ,
. ,
, ,
. ,
-
, ,
.
,
,
(
). , -
, ""
( ).
(
,
, ) [241].
,
.
( ) , .
, ,
.
,
, .
,
.
.
: "
;
" [339].
"" ( "") "".
1997 . ,
, , -
.
DES-
[277]
DES.
, .
,
[322].
, , ,
, .
, ,
Eurocrypt
, Crypto . . , ,
DES,
-
(ETH, ).
,
, ,
- :
Crypto AG, Gretag AG, Omnisec AG ..
,
ETH 1980-
(IACR).
,
, , [376]. ( "
" - ,
).
-
( "", ),
, .
.
, , (
); ,
. m
$m = m_0 m_1 \ldots m_{n-1}$,
k $k = k_0 k_1 \ldots k_{n-1}$. $c = c_0 c_1 \ldots c_{n-1}$
$c_i = m_i \oplus k_i$, $0 \le i \le n-1$,
- (XOR).
[360] ,
, , - ""
. , :
,
, ,
.
-, -,
" " (. 1).
, ,
. ,
, ,
.
, ,
, .
,
. , "
" ,
, .
,
.
(),
.
" ", ,
,
(. 3).
,
.
,
,
,
.
() () (. 2).
,
, .
,
.
0.2
,
. 1980- Crypto
AG, 1989
R3 Security Engineering.
[330]
[334] [339],
80-
( , [339]). ,
[338].
,
, .
1. (. 1). -
,
. - (
)
. ,
"" :
, .
,
. ,
,
. ,
, , . ,
,
, .
, ,
, -
,
, (
) .
2. (. 3, 4, 5, 6, 7, 8, 9). - ,
.
- "" ,
- ""
. - ,
( , , "--",
..) . ,
,
.
, , ,
, .
-, ,
. () ,
.
,
.
3. (. 10.1).
, ,
. ,
.
- ()
()
. -
, (
).
() ()
. , - ;
.
""
-- (RSA).
4. (. 10.2).
, ,
,
. ,
,
.
,
. ,
, , ,
.
() ,
,
, .
.
- ,
, .
- ,
,
, -
. ,
.
0.3
, ,
[339]. X , Y -
, Z - , S -
( ) , K - . xi , yi , zi si
, , , ,
i. k K
PK.
,
.
$s_{i+1} = F(k, s_i, x_i)$
$y_i = f(k, s_i, x_i)$,
F - , f - .
$y_i = x_i + F(k_i, s_i)$,
, ,
[233].
$\{z_i = f(k, s_i) : i \ge 1\}$
.
, .
0.3.1 .
.
.
:
$s_{i+1} = F(k, s_i)$
$z_i = f(k, s_i)$.
s0 k, , ,
. -
k $z^l = z_1, z_2, \ldots, z_l$.
$G: K \to Z^l$
$z^l = G(k)$,
k $z^l$ .
$k^n$ n l (n,l) - $\{0,1\}^n \to \{0,1\}^l$, $z^l = G(k^n)$.
$\{G_n : n \ge 1\}$ (n, l(n))-, l -
n,
n.
, :
[101]: ,
( ).
$s_{i+1} = F(s_i)$
$z_i = f(k, s_i)$
F -
.
f.
( ) [64]:
f .
$s_{i+1} = F(k, s_i)$
$z_i = f(s_i)$.
f 1- (,
). ,
k :
$s_0 = k$
$s_{i+1} = F(s_i)$
$z_i = f(s_i)$.
.
. ,
. -,
, ,
, ,
.
,
,
,
.
- ,
, .
.
""; ,
,
, . -
.
0.3.2
,
, ,
, (),
.
, ,
- , .
( CFB- DES [278]):
$s_{i+1} = F(y_{i-1}, y_{i-2}, \ldots, y_{i-N})$
$z_i = f(k, s_i)$.
N
. .
, ( ) () f
.
, ,
.
N
, .
.
N (
). N
.
,
,
[344].
[396].
, -
. (
)
.
[233].
,
(. . 8.6).
.
1.
1.1 [241]
1949 .
, ,
.
- -
$y = x \oplus k$
x - (A = 0, B = 1, ... , Z = 25), k - , y -
, 26 ($23 \oplus 3 = 0$, $23 \oplus 4 = 1$
..).
,
. , 1926 . . ,
American Telephone & Telegraph,
[376].
, , x, y k
$\{0,1\}$, 2 ($0 \oplus 0 = 0$,
$0 \oplus 1 = 1$, $1 \oplus 1 = 0$). , ,
,
.
, ,
- , .
, , ,
,
. , [376]
" ", ,
, ""
. 1949 ,
, ,
"", .
1949 "
" [360]
. , -,
,
, [359].
1949 1948 , -
. ,
,
.
, 1949
, 1948
. 1976
" " [100].
, -
,
,
. , ,
,
. ,
[263]
.
- ,
, .
1.2 [339]
[360]
- .
,
.
, ,
[101],
,
.
()
,
.
( )
.
, "" :
,
. ,
,
.
$X^n = X_1, X_2, \ldots, X_n$ n- ,
$Y^n = Y_1, Y_2, \ldots, Y_n$ n- ,
K - , $P_K$. $H(X^n)$
$H(X^n \mid Y^n)$ -
$Y^n$, $X^n$ $Y^n$
, ,
- ( ) [360][376].
- , .
:
: : $x_i$, $i = 1, 2, \ldots$
:
$k_i$, $i = 1, 2, \ldots$
: $y_i = x_i \oplus k_i$, $i = 1, 2, \ldots$,
XOR ().
- ,
. ,
.
, $I(X^n; Y^n) = 0$.
.
, . ,
,
, , , " "
.
,
,
,
.
, h=0, nG,u H(K).
1.3 [339]
nG,u H(K) ,
, nG,u .
,
, ,
e ( ) .
[246]. , e
H(K). [348] ,
.
G = {Gn}:
: () k - $f: I^m \to I^m$; $m 2^m$.
1. $y_i^0 = i$, $i = 0, 1, \ldots, 2^{2m} - 1$.
2. $j = 0, 1, 2$:
$y_i^{j+1} = (R(y_i^j),\; L(y_i^j) \oplus f(R(y_i^j)))$
(L R )
$G_n(k)$: $y_i^3$, $i = 0, 1, \ldots, 2^{2m} - 1$.
, k $n = m 2^m$ ( ), $G_n(k)$
$2m \cdot 2^{2m}$. , n
$n^2$ . -
, [224].
M- DES- ,
i (-) fi. ,
( )
fi.
,
. G = {Gn}
, ( )
T = {Tn}, e(n) Gn(k). ,
2
e(m) = 2 m/ 3- (log m) . [337]
, . , ,
e(m) = 4m Gn(k).
(
3), ,
f g.
[290] , , [403],
,
[224]. , G
.
- ,
.
, m2m + O(m) [337].
, ,
Gn.
,
. ,
, .
1.4 [241]
. ,
" ,
" [360].
,
, ,
, .
,
: " ,
".
"". ,
[360].
, .
, W(n),
(
, Cray),
n .
,
. W(n) n
, W()
, " ". ,
W(n)
. ,
W(n)
,
, .
( ,
, )
W(n).
"
" Wh(n),
n , "
". ", ",
, Wh(). ,
, Wh()
,
" " .
W() << Wh(),
Wh().
!
2.
2.1
2.1.1 [346]
,
. ,
.
.
-
$X_n = (a X_{n-1} + b) \bmod m$,
$X_n$ - n- , $X_{n-1}$ - .
a, b m - : a - , b - , m - .
( ) X0.
, m. a, b m
,
( " ") m - 1. , ,
b m.
[197] [214].
- [356].
, [307],
. ,
, 2, 3, 4, 5
6 [83][197]. ,
.
,
. -
.
Constants for linear congruential generators (a, b, m) [346]. The table's leading column, "overflow at" ($2^{20}$, $2^{21}$, ..., $2^{35}$, the word size at which the generator's arithmetic overflows), lost its alignment with the rows in extraction; the remaining three columns are:
      a        b        m
    106     1283     6075
    211     1663     7875
    421     1663     7875
    430     2531    11979
    936     1399     6655
   1366     1283     6075
    171    11213    53125
    859     2531    11979
    419     6173    29282
    967     3041    14406
    141    28411   134456
    625     6571    31104
   1541     2957    14000
   1741     2731    12960
   1291     4621    21870
    205    29573   139968
    421    17117    81000
   1255     6173    29282
    281    28411   134456
   1093    18257    86436
    421    54773   259200
   1021    24631   116640
   1021    25673   121500
   1277    24749   117128
    741    66037   312500
   2041    25673   121500
   2311    25367   120050
   1807    45289   214326
   1597    51749   244944
   1861    49297   233280
   2661    36979   175000
   4081    25673   121500
   3661    30809   145800
   3877    29573   139968
   3613    45289   214326
   1366   150889   714025
   8121    28411   134456
   4561    51349   243000
   7141    54773   259200
   9301    49297   233280
   4096   150889   714025
   2416   374441  1771875
  17221   107839   510300
  36261    66037   312500
  84589    45989   217728
2.
,
; m , a b
.
, m [198],
.
[84],
.
"
"
,
. [313][314][315], [198],
[303], [172], ,
[121]
,
. ,
( )
$X_n = (a X_{n-1}^2 + b X_{n-1} + c) \bmod m$
$X_n = (a X_{n-1}^3 + b X_{n-1}^2 + c X_{n-1} + d) \bmod m$
, , , [120]
[41] ,
.
[204], [205], [369].
,
.
[212],
,
,
. [204]
,
.
2.1.2
,
, ,
.
.
[389][213]. ,
.
" " [346] 32-
( $(2^{31}-85)(2^{31}-249)$)
:
static long s1 = 1 ; /* A "long" must be at least 32 bits wide. */
static long s2 = 1 ;
#define MODMULT(a,b,c,m,s) q = s/a; s = b*(s-a*q) - c*q; if (s<0) s+=m ;
/* MODMULT(a,b,c,m,s) computes s*b mod m without overflow, provided that m = a*b+c and 0 <= c < m. */
/* combinedLCG returns a pseudorandom real value in the range (0,1).
 * It combines two linear congruential generators with periods
 * 2^31-85 and 2^31-249; the period of the combination is the product
 * of these two primes. The two MODMULT calls did not survive extraction
 * and are restored here with L'Ecuyer's multipliers 40014 and 40692. */
double combinedLCG ( void )
{
 long q ;
 long z ;
 MODMULT ( 53668, 40014, 12211, 2147483563L, s1 )
 MODMULT ( 52774, 40692, 3791, 2147483399L, s2 )
 z = s1 - s2 ;
 if ( z < 1 )
  z += 2147483562 ;
 return z * 4.656613e-10 ;
}
/* Before the first call to combinedLCG, seed the generator with initLCG:
 * s1 in the range 1 .. 2147483562,
 * s2 in the range 1 .. 2147483398. */
void initLCG ( long InitS1, long InitS2 )
{
 s1 = InitS1 ;
 s2 = InitS2 ;
}
, $-2^{31}+85$
$2^{31}-85$. $10^{18}$.
16-, :
static int s1 = 1 ; /* An "int" must be at least 16 bits wide. */
static int s2 = 1 ;
static int s3 = 1 ;
#define MODMULT(a,b,c,m,s) q = s/a; s = b*(s-a*q) - c*q; if (s<0) s+=m ;
/* MODMULT(a,b,c,m,s) computes s*b mod m without overflow, provided that m = a*b+c and 0 <= c < m. */
/* combinedLCG returns a pseudorandom real value in the range (0,1).
 * It combines three linear congruential generators with periods
 * 2^15-405, 2^15-1041 and 2^15-1111; the period of the combination is
 * the product of these three primes. Only the tails (21, 32363, s1),
 * (45, 31727, s2), (133, 31657, s3) of the MODMULT calls survived
 * extraction; the quotients 206, 217, 222 and multipliers 157, 146, 142
 * (L'Ecuyer's constants, satisfying m = a*b + c) are restored here. */
double combinedLCG ( void )
{
 int q ;
 int z ;
 MODMULT ( 206, 157, 21, 32363, s1 )
 MODMULT ( 217, 146, 45, 31727, s2 )
 MODMULT ( 222, 142, 133, 31657, s3 )
 z = s1 - s2 ;
 if ( z > 706 )
  z -= 32362 ;
 z += s3 ;
 if ( z < 1 )
  z += 32362 ;
 return z * 3.0899e-5 ;
}
/* Before the first call to combinedLCG, seed the generator with initLCG:
 * s1 in the range 1 .. 32362, s2 in the range 1 .. 31726,
 * s3 in the range 1 .. 31656. */
void initLCG ( int InitS1, int InitS2, int InitS3 )
{
 s1 = InitS1 ;
 s2 = InitS2 ;
 s3 = InitS3 ;
}
, -32363
32363. $1.6 \times 10^{13}$.
b 0.
2.2 [45]
- s0, s1, ... , si
$$s_i \equiv \sum_{j=1}^{k} a_j f_j(s_0, \ldots, s_{i-1}) \pmod m.$$
. , ,
fj, aj m .
2.2.1.
- -
$s_i \equiv a s_{i-1} + b \pmod m$.
x0, x1, ... , xi t si - ,
. xi "" t
, si.
, ,
a, b m.
2.2.2.
2.2.1 ()
. ,
fj, aj m.
s1, ... , si - 1, "" si. ,
, . ,
,
, log m k.
[303],
. (
[198],
log m.) ,
. [212]
, ,
, k = 1, f - ,
si - 1. , [204] ,
, fj
,
log m.
()
- ,
. , , -
aj.
$$B_i = \begin{pmatrix} f_1(s_0, \ldots, s_{i-1}) \\ f_2(s_0, \ldots, s_{i-1}) \\ \vdots \\ f_k(s_0, \ldots, s_{i-1}) \end{pmatrix}.$$
, , - , ,
, k i, gj , j = 1,...,i , , gi 0
$g_i B_i = \sum_{j=0}^{i-1} g_j B_j$. $g_i s_i \equiv \sum_{j=0}^{i-1} g_j s_j \pmod m$.
, si
( , $g_i s_i = \sum_{j=0}^{i-1} g_j s_j$ ), m
, si. m
log m k.
m, i.
$\hat m$ m.
1. $s_{i-1}$ $B_i$ $B_i \equiv \sum_{j=0}^{i-1} g_j B_j \pmod{\hat m}$.
$\hat m$ ( $\hat m$ , p - $s_i$).
, p $s_i$, $\hat m$ ( $\hat m$ , p - $s_i$). ,
$\hat m$ (1) k $\log \hat m + 1$ .
,
.
2.2.2
, a, b m.
, ,
, [120] [121] [172].
,
sj .
.
, ,
.
si - ,
$s_i \equiv a s_{i-1} + b \pmod m$.
$n = \log_2 m$. $0 < \beta < 1$, $\beta n$ - ,
$s_i = x_i 2^{\beta n} + y_i$,
$y_i$ - $\beta n$ $s_i$, $x_i$ - $(1 - \beta) n$ $s_i$.
,
x1, ... , xi - 1, xi.
, b = 0, b 0,
$\hat x_i = x_i - x_{i-1}$. -
$\hat s_i = s_i - s_{i-1}$, $\hat s_i \equiv a \hat s_{i-1} \pmod m$.
$\hat x_i$,
xi.
L , (m, 0, ... , 0) k - 1
$$\sum_{i=1}^{k} w_i s_i \equiv 0 \pmod m.$$
.
(1). L wj , j = 1, ... , k.
i =1
i =1
i =1
w
i =1
yi <
m
,
2
: ck = O(k2) (e , k) = e 2 k
d0.
. m, ,
k =3 m.
,
,
. ,
.
2.2.3
, a, b
m. [41], (O(log log m)),
- . [369] ,
. ( 2.2.2),
, .
m. vi
$(x_{i+1} - x_i,\, x_{i+2} - x_{i+1},\, x_{i+3} - x_{i+2})$. 1
$$\sum_{i=1}^{k} l_i v_i = 0$$
, [173].
$w_i = (s_{i+1} - s_i,\, s_{i+2} - s_{i+1},\, s_{i+3} - s_{i+2})$.
$$u = \sum_{i=1}^{k} l_i w_i.$$
, k
$6(1 - \beta) \log m$, ,
a, u . u - , 1 .
1 ,
. , x0, ... , xi - 1 ,
h xi.
xi. , 1 ,
(1 - b)n xi 6(1 - b ) log m2 .
, a m.
, 1 , $P(z) = \sum_{i=0}^{k-1} l_i z^i$
$P(a) \equiv 0 \pmod m$. , ,
1,
m a.
2.3
,
, - [20].
: , ,
,
. ,
, -
.
2.3.1
:
. , -
, : r ,
, r- . ,
, ( ).
,
.
1 , . -
, .
(. ).
,
( , ), .
, ,
2,
. ( qi {0,1}
. mod 2.)
[34],
, .
- 3,
[196].
1. r q1, q2, . . ., qr
$q(X) = q_r X^r + q_{r-1} X^{r-1} + \cdots + q_1 X + 1$
$q_i \in \mathbb{Z}/(2)$.
.
2. , a = (a0, a1, a2, . . . ) - ,
r q(X). q(X) , g
GF(2r) - q(X), i = 0,1,2,...
$a_i = \mathrm{Tr}(A g^i)$
A GF(2r) (
). Tr : GF(2r) GF(2) .
3. a = (a0, a1, a2, . . . )
$$A(X) = \sum_{i=0}^{\infty} a_i X^i,$$
$\mathbb{Z}/(2)[[X]]$
mod 2. ([163]),
a ,
$A(X) = r(X)/q(X) \in \mathbb{Z}/(2)[[X]]$,
q(X) - ,
a. a
deg(r) < deg(q).
4.
a
a ( span(a));
( . 3.2).
( )
-,
r(X)/q(X) Z/(2)[[X]]
. : ()
, a; ()
, .. 2span(a) .
5.
$a = (a_0, a_1, a_2, \ldots)$ $b = (b_0, b_1, b_2, \ldots)$ $C(X) =$
$A(X) + B(X) \in \mathbb{Z}/(2)[[X]]$. a b
, c,
a b (. 3.4).
6.
, m- - -
T = 2r - 1 ( r - ).
: m- -
,
. (
) : m r
( ).
m- ;
-1 (. 3.1).
(, ,
).
1955
("") ,
. ,
,
: , ,
,
. ,
,
[196]. (
,
1990- 2- , . 7.4).
2.3.2
n $2^n - 1$ .
,
$2^n - 1$ , . ( $2^n - 1$,
$2^n$ ,
, .)
$2^n - 1$ -
.
m- ( ml-, maximum length). ,
m- ,
.
, ,
mod 2.
- . n -
, $x^{2^n - 1} + 1$, $x^d + 1$
d, $2^n - 1$. ( [163] [405].)
,
mod 2 . -
, . -
-
. [217][218].
mod 2 [318]. ,
, ,
- ($2^q - 1$, q - ), .
, , ,
.
mod 2
. (,
) [25] [197],
( , 31). , ,
,
31, 16 (
). ,
.
, , ,
.
$x^{2^n} \bmod p$.
" " M.- [24],
" -" .
-
1. gx := a random monic polynomial of degree n over GF(q);
2. ux := x;
3. for k := 1 to (n DIV 2) do
4.    ux := ux^q mod gx;
5.    if gcd(gx, ux - x) <> 1 then go to 1 fi;  (* a common factor with x^(q^k) - x means gx is reducible: pick another gx *)
6. od
( ) ""
( " "
). GF(q)
q; mod 2 q = 2.
mod 2 ; "ux^q" - ,
, "mod gx" - .
,
5.
,
, ;
, .
n n (
). , 12800
1279, 20 .
() ( ) [318].
1996 . [381].
, . f - GF(2)
, $g(x) = f(x^2 + x + 1)$ k,
$h(x) = x^k g(x^{-1})$ .
" " [346]
"" mod 2 .
, , (32, 7, 5, 3, 2, 1, 0) ,
mod 2:
$x^{32} + x^7 + x^5 + x^3 + x^2 + x + 1$
. . - 0
1. 0
, .
, .
2.3.3 ,
,
, , ,
[346],
.
.
. - XOR
(-) .
(32, 7, 5, 3, 2, 1, 0)
, 32- XOR , , , , ,
-
$2^{32} - 1$ , .
. mod 2
(1,0)
(2,1,0)
(3,1,0)
(4,1,0)
(5,2,0)
(6,1,0)
(7,1,0)
(7,3,0)
(8, 4, 3, 2, 0)
(9,4,0)
(10,3,0)
(11,2,0)
(12, 6, 4, 1, 0)
(13, 4, 3, 1, 0)
(14, 5, 3, 1, 0)
(15,1,0)
(16, 5, 3, 2, 0)
(17,3,0)
(17,5,0)
(17,6,0)
(18,7,0)
(18, 5, 2, 1, 0)
(19, 5, 2, 1, 0)
(20,3,0)
(21,2,0)
(22,1,0)
(23,5,0)
(24, 4, 3, 1, 0)
(25,3,0)
(26, 6, 2, 1, 0)
(27, 5, 2, 1, 0)
(28,3,0)
(29,2,0)
(30, 6, 4, 1, 0)
(31,3,0)
(31,6,0)
(31,7,0)
(31,13,0)
(32, 7, 6, 2, 0)
(32, 7, 5, 3, 2, 1, 0)
(33,13,0)
(33, 16, 4, 1, 0)
(34, 8, 4, 3, 0)
(34, 7, 6, 5, 2, 1, 0)
(35,2,0)
(36,11,0)
(36, 6, 5, 4, 2, 1, 0)
(37, 6, 4, 1, 0)
(37, 5, 4, 3, 2, 1, 0)
(38, 6, 5, 1, 0)
(39,4,0)
(40, 5, 4, 3, 0)
(41,3,0)
(42, 7, 4, 3, 0)
(42, 5, 4, 3, 2, 1, 0)
(43, 6, 4, 3, 0)
(44, 6, 5, 2, 0)
(45, 4, 3, 1, 0)
(46, 8, 7, 6, 0)
(46, 8, 5, 3, 2, 1, 0)
(47,5,0)
(48, 9, 7, 4, 0)
(48, 7, 5, 4, 2, 1, 0)
(49,9,0)
(49, 6, 5, 4, 0)
(50, 4, 3, 2, 0)
(51, 6, 3, 1, 0)
(52,3,0)
(53, 6, 2, 1, 0)
(54, 8, 6, 3, 0)
(54, 6, 5, 4, 3, 2, 0)
(55,24,0)
(55, 6, 2, 1, 0)
(56, 7, 4, 2, 0)
(57,7,0)
(57, 5, 3, 2, 0)
(58,19,0)
(58, 6, 5, 1, 0)
(59, 7, 4, 2, 0)
(59, 6, 5, 4, 3, 1, 0)
(60,1,0)
(61, 5, 2, 1, 0)
(62, 6, 5, 3, 0)
(63,1,0)
(64, 4, 3, 1, 0)
(65,18,0)
(65, 4, 3, 1, 0)
(66, 9, 8, 6, 0)
(66, 8, 6, 5, 3, 2, 0)
(67, 5, 2, 1, 0)
(68, 9, 0)
(68, 7, 5, 1, 0)
(69, 6, 5, 2, 0)
(70, 5, 3, 1, 0)
(71,6,0)
(71, 5, 3, 1, 0)
(72,10,9,3,0)
(72, 6, 4, 3, 2, 1, 0)
(73,25,0)
(73, 4, 3, 2, 0)
(74, 7, 4, 3, 0)
(75, 6, 3, 1, 0)
(76, 5, 4, 2, 0)
(77, 6, 5, 2, 0)
(78, 7, 2, 1, 0)
(79,9,0)
(79, 4, 3, 2, 0)
(80, 9, 4, 2, 0)
(80, 7, 5, 3, 2, 1, 0)
(81,4,0)
(82, 9, 6, 4, 0)
(82, 8, 7, 6, 1, 0)
(83, 7, 4, 2, 0)
(84,13,0)
(84, 8, 7, 5, 3, 1, 0)
(85, 8, 2, 1, 0)
(86, 6, 5, 2, 0)
(87,13,0)
(87, 7, 5, 1, 0)
(88,11,9,8,0)
(88, 8, 5, 4, 3, 1, 0)
(89,38,0)
(89,51,0)
(89, 6, 5, 3, 0)
(90, 5, 3, 2, 0)
(91, 8, 5, 1, 0)
(91, 7, 6, 5, 3, 2, 0)
(92, 6, 5, 2, 0)
(93,2,0)
(94,21,0)
(94, 6, 5, 1, 0)
(95,11,0)
(95, 6, 5, 4, 2, 1, 0)
(96,10,9,6,0)
(96, 7, 6, 4, 3, 2, 0)
(97, 6, 0)
(98,11,0)
(98, 7, 4, 3, 1, 0)
(99, 7, 5, 4, 0)
(100,37,0)
(100, 8, 7, 2, 0)
(101, 7, 6, 1, 0)
(102,6,5,3,0)
(103,9,0)
(104,11,10,1,0)
(105,16,0)
(106,15,0)
(107,9,7,4,0)
(108,31,0)
(109,5,4,2,0)
(110,6,4,1,0)
(111,10,0)
(111,49,0)
(113,9,0)
(113,15,0)
(113,30,0)
(114,11,2,1,0)
(115,8,7,5,0)
(116,6,5,2,0)
(117,5,2,1,0)
(118,33,0)
(119,8,0)
(119,45,0)
(120,9,6,2,0)
(121,18,0)
(122,6,2,1,0)
(123,2,0)
(124,37,0)
(125,7,6,5,0)
(126,7,4,2,0)
(127,1,0)
(127,7,0)
(127,63,0)
(128, 7, 2, 1, 0)
(129,5,0)
(130,3,0)
(131,8,3,2,0)
(132,29,0)
(133,9,8,2,0)
(134,57,0)
(135,11,0)
(135,16,0)
(135,22,0)
(136,8,3,2,0)
(137,21,0)
(138,8,7,1,0)
(139,8,5,3,0)
(140,29,0)
(141,13,6,1,0)
(142,21,0)
(143,5,3,2,0)
(144,7,4,2,0)
(145,52,0)
(145,69,0)
(146,5,3,2,0)
(147,11,4,2,0)
(148,27,0)
(149,10,9,7,0)
(150,53,0)
(151,3,0)
(151,9,0)
(151,15,0)
(151,31,0)
(151,39,0)
(151,43,0)
(151,46,0)
(151,51,0)
(151,63,0)
(151,66,0)
(151,67,0)
(151,70,0)
(152,6,3,2,0)
(153,1,0)
(153,8,0)
(154, 9, 5, 1, 0)
(155,7,5,4,0)
(156,9,5,3,0)
(157, 6, 5, 2, 0)
(158, 8, 6, 5, 0)
(159,31,0)
(159,34,0)
(159,40,0)
(160, 5, 3, 2, 0)
(161,18,0)
(161,39,0)
(161,60,0)
(162, 8, 7, 4, 0)
(163,7,6,3,0)
(164, 12, 6, 5, 0)
(165, 9, 8, 3, 0)
(166, 10, 3, 2, 0)
(167,6,0)
(170,23,0)
(172,2,0)
(174,13,0)
(175,6,0)
(175,16,0)
(175,18,0)
(175,57,0)
(177,8,0)
(177,22,0)
(177,88,0)
(178,87,0)
(183,56,0)
(194,87,0)
(198,65,0)
(201,14,0)
(201,17,0)
(201,59,0)
(201,79,0)
(202,55,0)
(207,43,0)
(212,105,0)
(218,11,0)
(218,15,0)
(218,71,0)
(218,83,0)
(225,32,0)
(225,74,0)
(225,88,0)
(225,97,0)
(225,109,0)
(231,26,0)
(231,34,0)
(234,31,0)
(234,103,0)
(236,5,0)
(250,103,0)
(255,52,0)
(255,56,0)
(255,82,0)
(258,83,0)
(266,47,0)
(270,133,0)
(282,35,0)
(282,43,0)
(286,69,0)
(286,73,0)
(294,61,0)
(322,67,0)
(333,2,0)
(350,53,0)
(366,29,0)
(378,43,0)
(378,107,0)
(390,89,0)
(462,73,0)
(521,32,0)
(521,48,0)
(521,158,0)
(521,168,0)
(607,105,0)
(607,147,0)
(607,273,0)
(1279,216,0)
(1279,418,0)
(2281,715,0)
(2281,915,0)
(2281,1029,0)
(3217,67,0)
(3217,576,0)
(4423,271,0)
(9689,84,0)
-
:
#include <stdint.h>

int LFSR ( void )
{
 static uint32_t ShiftRegister = 1 ; /* anything but 0 */
 /* Bit i of the register holds s_{j+i}; for the feedback polynomial
  * x^32 + x^7 + x^5 + x^3 + x^2 + x + 1, i.e. the tap sequence
  * (32, 7, 5, 3, 2, 1, 0), the new bit s_{j+32} is the XOR of bits
  * 7, 5, 3, 2, 1 and 0 and enters the register at bit 31. */
 ShiftRegister = ( ( ( ( ShiftRegister >> 7 )
  ^ ( ShiftRegister >> 5 )
  ^ ( ShiftRegister >> 3 )
  ^ ( ShiftRegister >> 2 )
  ^ ( ShiftRegister >> 1 )
  ^ ( ShiftRegister ) )
  & 0x00000001 )
  << 31 )
  | ( ShiftRegister >> 1 ) ;
 return ShiftRegister & 0x00000001 ;
}
,
, .
, ,
. - 16 ( 32,
) .
, .
, ,
.
- [206].
. ,
" ". ,
,
[307].
, XOR-
;
. , ,
,
,
, [322].
:
#include <stdint.h>

#define mask 0x80000057   /* bits 31, 6, 4, 2, 1, 0: the taps (32, 7, 5, 3, 2, 1, 0) */

int modified_LFSR ( void )
{
 static uint32_t ShiftRegister = 1 ; /* anything but 0 */
 /* Galois form: shift once, then XOR the whole mask in a single step
  * whenever the bit shifted out was 1.  Only the mask and the function
  * header survived extraction; the body follows that description. */
 uint32_t out = ShiftRegister & 0x00000001 ;
 ShiftRegister >>= 1 ;
 if ( out )
  ShiftRegister ^= mask ;
 return out ;
}
, XOR .
,
. ,
, VLSI-.
, ,
, ;
, - .
,
. , ,
2.3.2, ,
. - ,
.
,
.
mod 2
. , ,
k, $2^k - 1$.
[164][310][311].
2.4 [346]
, ,
.
, .
, ,
.
, ,
: [163], [217], [354], [404].
,
.
, - ,
- XOR-. VLSI-
.
. ,
(. 4.3 4.4);
.
, 64 , DES
. , -,
(. 6.3)
, DES.
, ,
- , , -
,
.
.
,
. ,
Cray (Cray 1, Cray X-MP, Cray YMP) ,
" ".
,
. ,
" ",
.
,
. ,
" ", ,
.
3.
3.0
, ,
, ,
, .
, , . [322],
.
: ,
,
?
, .
,
- ?
.
( )
"- "
[364]. , ,
, .
, ,
- ,
.
,
"" ,
( 10).
,
:
,
;
- - ,
[322].
3.1
3.1.1
"" "".
,
.
[163].
.
3.
,
.
,
,
[113], [330].
3.1.2
3.1.2.1
,
, ,
.
,
. ,
N, ,
N ,
.
,
[249]. T
N
N - T : B {"", ""},
BN N sN = s1, . . .,sN
( ) "" ""
ST = { sN : T (sN) = ""} BN
"" "".
, "" . (
).
,
$S_T$
, $r = |S_T| / 2^N$. r
, r 0.001...0.01.
N T
, ST.
() fT, N
N
. , R N
, fT (RN),
. fT t1 t2
,
$P[f_T(R^N) \le t_1] + P[f_T(R^N) \ge t_2] = r$.
""
f TF (s N ) =
"" RN = R1, . . . , RN
,
, N/2 N/4, $E[R_i] = 1/2$
$D[R_i] = 1/4$, $1 \le i \le N$. ,
$f_{TF}(R^N)$ N
,
$t_2 = -t_1$ 2.5 ... 3.
3.1.2.3
TS L sN
N/L L (, L=8),
$n_i(s^N)$ i $0 \le i \le 2^L - 1$.
L2 L
f TS (s ) =
N
N
2 L -1
ni (s N ) - L2 L .
i= 0
, $N / (L 2^L)$ -
$n_i(s^N)$, $(L 2^L)/N$ - (
) , 1.
f TS ( R N ) N
$\chi^2$ $2^L - 1$ .
- [197],
5, $N / (L 2^L) > 5$. ,
L $5 L 2^L$ .
3.1.2.4
TR L sN ni0 (s N )
- 0- i , , ni1 ( s N ) - 1- i
0 i L ( L = 15).
$$f_{TR}(s^N) = \sum_{b \in \{0,1\}} \sum_{i=1}^{L} \frac{(n_i^b(s^N) - N/2^{i+2})^2}{N/2^{i+2}}$$
$f_{TR}(R^N)$ N
$\chi^2$ 2L , -
,
.
3.1.2.4
sN = s1, . . .,sN "
t" s1 s1 + t , s2 s2 + t, . . ., sN
- t sN , 2.
t.
3.1.2.5 .
,
1990- .
,
() l.
l-,
.
l-;
l-.
[249]
"Omnisec AG"
()
.
,
l, ,
(log2) l-
. ,
. Q K,
l-
. Q (l-),
Tab $2^l$.
Tab
l-. - l-
, Tab . [249] ,
Q $\ge 10 \cdot 2^l$. K , ,
, , (K $\ge 1000 \cdot 2^l$).
$$f_{TU} = \frac{1}{K} \sum_{i=Q+1}^{Q+K} \log_2 \big(i - \mathrm{Tab}[s(i)]\big)$$
Tab[s(i)] - Tab
l- s(i) , i.
f
l=8 (, , Tab V = 256) :
program UniversalTest(input,output);
const
  L=8; V=256; Q=2000; K=20000;
var
  i,n: integer;
  sum,fTU: real;
  tab: array [0..V-1] of integer;
  block: array [1..Q+K] of integer; (* block[n] is the n-th L-bit block of the sample; filling it from the input is left to the caller *)
begin
  for i := 0 to V-1 do tab[i] := 0;           (* clear the table *)
  for n := 1 to Q do tab[block[n]] := n;       (* initialisation phase *)
  sum := 0.0;
  for n := Q+1 to Q+K do begin
    sum := sum + ln (n - tab[block[n]]);       (* distance to the previous occurrence *)
    tab[block[n]] := n ;
  end ;
  fTU := (sum / K) / ln (2.0) ; writeln (fTU) ;
end.
E(f) D(f) f,
, , s(i) .
0.8
32
c( L, K ) 0.7 + (4 + ) K - 3/ l / 15 .
l
l
:
f - E( f )
z=
c( L , K ) D( f )
.
. ,
, $l(10 \cdot 2^l + 1000 \cdot 2^l)$ .
 l   E(f)        D(f)
 1   0.7326495   0.690
 2   1.5374383   1.338
 3   2.4016068   1.901
 4   3.3112247   2.358
 5   4.2534266   2.705
 6   5.2177052   2.954
 7   6.1962507   3.125
 8   7.1836656   3.238
 9   8.1764248   3.311
10   9.1723243   3.356
11  10.170032    3.384
12  11.168765    3.401
13  12.168070    3.410
14  13.167693    3.416
15  14.167488    3.419
16  15.167379    3.421
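The Pascal listing above computes only the raw statistic $f_{TU}$; what a practitioner also needs is the standardised value $z$ from the $E(f)$, $D(f)$ table and a decision. The following added example (mine, not code from the original page or from [249]) does both in C for $L = 8$ with the listing's $Q = 2000$, $K = 20000$ and the table's $E(f) = 7.1836656$, $D(f) = 3.238$. It assumes Maurer's 1992 approximation $c(L,K) = 0.7 - 0.8/L + (1.6 + 12.8/L)\,K^{-4/L}$ for the variance correction, since the page's own rendering of $c(L,K)$ did not survive extraction, and it avoids libm by computing $\ln$ and square roots itself. The two inputs are constructed, not generator output: a constant block stream, for which every distance is 1 and $f_{TU} = 0$, and a stream cycling through all 256 byte values in order, for which every distance is 256 and $f_{TU} = 8$; both are rejected, the first as far too compressible, the second because a perfectly regular stream scores above $E(f)$.

```c
#include <stdio.h>

/* Parameters of the Pascal listing: L = 8 (byte blocks), Q initialisation
 * blocks, K test blocks; E(f), D(f) for L = 8 from the table above. */
#define ML 8
#define MV (1 << ML)
#define MQ 2000
#define MK 20000
#define NBLOCKS (MQ + MK + 1)   /* block[0] is unused, as in the listing */

static const double E_F8 = 7.1836656;
static const double D_F8 = 3.238;

/* ln(x) for x >= 1 without libm: x = m * 2^e with m in [1,2), then
 * ln m = 2 * atanh((m-1)/(m+1)) as a series; ln 2 is a constant. */
static double ln_pos(double x)
{
    const double LN2 = 0.69314718055994530942;
    int e = 0;
    while (x >= 2.0) { x *= 0.5; e++; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= y2; }
    return 2.0 * sum + e * LN2;
}

/* Square root by Newton's iteration, for x > 0. */
static double sqrt_pos(double x)
{
    double r = x > 1.0 ? x : 1.0;
    for (int i = 0; i < 100; i++) r = 0.5 * (r + x / r);
    return r;
}

/* f_TU over block[1..Q+K], exactly as the Pascal program computes it. */
double maurer_ftu(const unsigned char *block)
{
    long tab[MV];
    double sum = 0.0;
    for (int i = 0; i < MV; i++) tab[i] = 0;
    for (long n = 1; n <= MQ; n++) tab[block[n]] = n;        /* initialisation phase */
    for (long n = MQ + 1; n <= MQ + MK; n++) {
        sum += ln_pos((double)(n - tab[block[n]]));          /* distance to last occurrence */
        tab[block[n]] = n;
    }
    return (sum / MK) / ln_pos(2.0);
}

/* Standardised statistic for L = 8.  c(L,K) is Maurer's 1992 approximation
 * 0.7 - 0.8/L + (1.6 + 12.8/L) K^{-4/L}, which at L = 8 reduces to
 * 0.6 + 3.2/sqrt(K) (assumed here; the page's own formula did not survive). */
double maurer_z8(double ftu)
{
    double c = 0.6 + 3.2 / sqrt_pos((double)MK);
    return (ftu - E_F8) / (c * sqrt_pos(D_F8 / MK));
}

/* Two-sided decision: accept when |z| does not exceed the threshold. */
int maurer_passes(double z, double threshold)
{
    return z <= threshold && z >= -threshold;
}

/* Constructed sample: every block equal, so every distance is 1 and f_TU = 0. */
double ftu_constant_sample(void)
{
    static unsigned char block[NBLOCKS];
    for (long n = 1; n < NBLOCKS; n++) block[n] = 0xA5;
    return maurer_ftu(block);
}

/* Constructed sample: bytes 0..255 in order, repeated, so every distance is 256 and f_TU = 8. */
double ftu_cyclic_sample(void)
{
    static unsigned char block[NBLOCKS];
    for (long n = 1; n < NBLOCKS; n++) block[n] = (unsigned char)((n - 1) & 0xFF);
    return maurer_ftu(block);
}

int main(void)
{
    double f1 = ftu_constant_sample(), f2 = ftu_cyclic_sample();
    printf("constant: f_TU = %.4f  z = %.1f  passes = %d\n", f1, maurer_z8(f1), maurer_passes(maurer_z8(f1), 3.0));
    printf("cyclic:   f_TU = %.4f  z = %.1f  passes = %d\n", f2, maurer_z8(f2), maurer_passes(maurer_z8(f2), 3.0));
    return 0;
}
```

With these parameters the denominator of $z$ is about $0.0079$, so the cyclic stream scores $z \approx +103$ and the constant stream $z \approx -907$; a genuine random source should land within a few units of zero, which is why a two-sided threshold is used.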
3.1.2.6 [170]
l- 1995
.
,
.
,
R ( l-,
).
,
R N ,
1/N. M0,
, t N
n
R
N - t
N N -t
t +n
P ( M 0 = t ) = (-1)
.
1 n
t n=0
N
m0 s02
1 R
)
N
1
1
2
s 02 = N (1 - ) R (1 - N (1 - ) R ) + N ( N - 1)(1 - ) R .
N
N
N
m 0 = N (1 -
R,N R/N 0
w = M0 - N + R
R2
l = Ne - N + R
.
2N
N - M0 - , w
. , w -
-
R
N
, ,
. , ,
R N, , R N ,
. ,
, ,
.
,
, $R = 2^r$ l-
, $r = l/2 + 3$. [197]
$r 2^r$
$2^r$ l- . r 32 (l 64).
3.1.2.7 l-
5, ,
$5\, l\, 2^l$ .
$l(10 \cdot 2^l + 1000 \cdot 2^l)$ .
$l \cdot 2^{l/2 + 3}$,
l-.
, [170].
l-
6
8
14
14 336
1.1510
2.3210
6
9
16
32 768
5.2410
1.0610
8
10
20
1.0510
2.1210
1.64105
24
2.01109
4.071011
7.86105
10
12
28
3.7610
7.5910
3.67106
32
6.871011
1.391014
1.68107
.
3.1.2.8
.
,
.
, k
pi (i = 1, . . . ,k), ,
-.
$$L = -2 \sum_{i=1}^{k} \log_e p_i - 2k$$
[116].
,
- [370].
. -
. .
3.1.3
, ,
,
[322]. ,
p , p
. (
.) p
, p .
, , p (
) , .
;
,
. ,
, , ,
. ,
,
,
. ,
.
3.2
3.2.1
( ) ,
L ,
.
, L(sl) sl = s0, s1, . . . , sl-1
L , sl,
L sl .
: L(sl)
L ,
c0, c1, . . . , cL ,
$s_j + c_1 s_{j-1} + \cdots + c_L s_{j-L} = 0$,
L j l.
. [238], ,
( )
, . ,
, - [232],
2L
. (
GF(2),
0 1).
- - [316].
,
.
, -
( )
[301] [334].
3.2.2 -
- ,
a0, a1, . . .
[232][ 35].
$f(x) = f_n x^n + f_{n-1} x^{n-1} + \cdots + f_1 x + 1$
L .
, (L, f(x)), deg f(x) L.
. r,
r = 1, , a0,
a1, . . . , ar. , ,
(Lr, f(r)(x)).
;
. r-
(L1, f(1)(x)), (L2, f(2)(x)), . . . , (Lr - 1, f(r - 1)(x)).
- (Lr, f(r)(x)),
a0, . . . , ar.
,
.
r- (r - 1)-
( , GF(2)):
$$\hat a_r = -\sum_{j=1}^{L_{r-1}} f_j^{(r-1)} a_{r-j}.$$
Dr ar
, :
$$\Delta_r = a_r - \hat a_r = a_r + \sum_{j=1}^{L_{r-1}} f_j^{(r-1)} a_{r-j}.$$
,
$$\Delta_r = \sum_{j=0}^{L_{r-1}} f_j^{(r-1)} a_{r-j}.$$
$$\Delta'_r = \sum_{j=0}^{L_r} f_j^{(r)} a_{r-j} = \sum_{j=0}^{L_{r-1}} f_j^{(r-1)} a_{r-j} + A \sum_{j=0}^{L_{m-1}} f_j^{(m-1)} a_{r-j-l}.$$
m, l A. m r , $\Delta_m \ne 0$; $l = r - m$, $A = -\Delta_m^{-1} \Delta_r$.
$$\Delta'_r = \Delta_r - \frac{\Delta_r}{\Delta_m} \Delta_m = 0,$$
a0, . . . , ar - 1, ar.
m, Dm 0. m
, Lm > Lm-1,
.
-
.
. a1, . . . , an ,
f(0)(x) = 1, t(0)(x) = 1 L0 = 0 ,
f(n)(x):
n -1
D r = f j( r -1) a r - j ,
j=0
a r + f j( 2r ) a r - j = 0,
j =1
r- ,
f(r)(x). f(r)(x) r/2,
2n , 2n2 =
2n
r=0
. , ,
- n2, , , O(n2).
3.2.3 -
. . [86],
$\mathbb{F}_2((x)) = \{\, a = \sum_{i=m}^{\infty} a_i x^{-i} \mid m \in \mathbb{Z},\ a_i \in \mathbb{F}_2 \,\}$
F2.
.
(I). $a \in \mathbb{F}_2((x))$:
$$a = \sum_{i=m}^{0} a_i x^{-i} + \sum_{i=1}^{\infty} a_i x^{-i} = [a] + \{a\},$$
$\mathrm{Ord}(a)$ $\mathbb{F}_2((x))$:
$$\mathrm{Ord}(a) = \begin{cases} -\infty, & a = 0 \\ -w, & a \ne 0,\ [x^w a] = 1. \end{cases}$$
,
$\mathrm{Ord}(ab) = \mathrm{Ord}(a) + \mathrm{Ord}(b)$,
$\mathrm{Ord}(a + b) \le \max\{\mathrm{Ord}(a), \mathrm{Ord}(b)\}$, , $\max\{\mathrm{Ord}(a), \mathrm{Ord}(b)\}$.
, Ord(a) F2((x)).
F2((x)) F2((x))
, ,
Ord(a). ()
$\frac{v(x)}{u(x)}$
$\mathbb{F}_2((x))$: $a \in \mathbb{F}_2((x))$ $n \in \mathbb{N}$,
u(x) , a
n,
$\mathrm{Ord}\left(\frac{v(x)}{u(x)} - a\right) < -n$.
u (x )
,
u(x), v(x) = [u(x)a],
u(x):
$a = \sum_{i=0}^{\infty} a_i x^{-i-1}$,
,
.
F2((x))
. u(x)
sn = (a0, a1, . . . , an-1) a ,
n,
a.
(III).
. a
a0 = a,
ak = a'k-1,
, a'k 0, .
$d_0 = 0$; $d_k = \deg u_k(x) = \sum_{i=1}^{k} \deg q_i(x)$, $k \ge 1$
dN + 1 = , a'N + 1 = 0. ,
dk < dk + 1 , deg qk(x) 1 k 1. [86]
1. $d_{k-1} + d_k \le n < d_k + d_{k+1}$, u(x)
, $u(x) = u_k(x) + h(x) u_{k-1}(x)$, $\deg h(x) < 2 d_k - n$.
(IV). uk(x)
,
. ,
, ,
. , -.
wk
q k (x ) = x k
t - jk , r
k 1
r =1
q k ,r ( x ) = x
tk - jk ,i
i =1
1 k wk ,
uk(x), vk(x)
uk,r (x) vk,r (x),
uk,r (x) = qk,r (x)uk - 1(x) + uk - 2(x)
-, ,
fn(x), 2.
3.2.4
-
, ,
.
,
, ,
.
,
,
p, 1, 0.
p,
$s_{i+p} = s_i$, $i \ge 0$,
. ,
p - 1 .
[188] ,
, ,
,
(0 1) .
,
q, q
.
GF(2) , GF(q).
, , ,
[72]
. :
.
, .
, [125][ 324] ,
2n,
. ,
[126][ 124]
[48].
[32] , -
.
3.2.5
, 1980-
"Crypto AG". 1984 .
" " [330], "
" [334], 1986 .
" " 1992
" " [339].
,
,
,
.
3.2.5.1
a N- F,
() "
" aN = (a0, a1, . . . , aN-1) F
" " AN = (A0, A1, . . . , AN-1),
$$A_i = \sum_{j=0}^{N-1} a_j \alpha^{ij}, \quad i = 0, 1, \ldots, N-1.$$
$$a_j = \frac{1}{N^*} \sum_{i=0}^{N-1} A_i \alpha^{-ij}, \quad j = 0, 1, \ldots, N-1,$$
N* = N mod p, F p; N* = N, F
.
, [345]. i- Ai
aN (a0i , a1i,
a2i, . . . , a(N - 1) i ). ,
$A^N = a^N F$,
$$F = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ 1 & \alpha & \cdots & \alpha^{N-1} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha^{N-1} & \cdots & \alpha^{(N-1)(N-1)} \end{pmatrix}$$
,
$$a^N = \frac{1}{N^*} A^N F^{-1},$$
$$F^{-1} = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ 1 & \alpha^{-1} & \cdots & \alpha^{-(N-1)} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha^{-(N-1)} & \cdots & \alpha^{-(N-1)(N-1)} \end{pmatrix}$$
aN, M(aN), ,
N aN:
$$M(a^N) = \begin{pmatrix} a_0 & a_1 & \cdots & a_{N-1} \\ a_{N-1} & a_0 & \cdots & a_{N-2} \\ \vdots & \vdots & & \vdots \\ a_1 & a_2 & \cdots & a_0 \end{pmatrix}.$$
N
= (a ) " "
AN " ", AN -
aN,
L((aN)) = wH(AN).
,
(AN)
aN, aN - AN,
wH(aN) =L((AN)).
""
"" .
3.2.5.2
$f: \mathbb{F}_2^n \to \mathbb{R}$
$$F(w) = \sum_{x} f(x)(-1)^{w \cdot x},$$
$w \cdot x$
$w_1 x_1 \oplus w_2 x_2 \oplus \cdots \oplus w_n x_n$.
f
$$f(x) = 2^{-n} \sum_{w} F(w)(-1)^{w \cdot x}.$$
f :Fn R
2
-
$[f(x)] = [f(0), f(1), \ldots, f(2^n - 1)]$,
$f(x) = f(x_1, x_2, \ldots, x_n)$ $x = x_1 + x_2 2 + \cdots + x_n 2^{n-1}$. ,
$F: \mathbb{F}_2^n \to \mathbb{R}$ f -
$[F(w)] = [F(0), F(1), \ldots, F(2^n - 1)]$.
$[F(w)] = [f(x)] H_n$,
$H_n$ n. $H_n$
$$H_0 = [1], \qquad H_n = \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \otimes H_{n-1},$$
. $H_n^2 = 2^n I_n$,
$[f(x)] = 2^{-n} [F(w)] H_n$.
$f: \mathbb{F}_2^n \to \mathbb{F}_2$
0 1, f.
$\hat f: \mathbb{F}_2^n \to \{-1, +1\}$,
$\hat f(x) = (-1)^{f(x)}$,
$$\hat F(w) = \sum_{x} (-1)^{f(x) \oplus w \cdot x}.$$
$\hat F(w)$ $F(w)$
$$\hat F(w) = 2^n \delta(w) - 2F(w), \qquad F(w) = 2^{n-1} \delta(w) - \tfrac{1}{2} \hat F(w),$$
$\delta(w) = 1$ $w = 0$ 0 .
,
f, $\hat f$
$\hat F$ .
3.2.5.3
.
f : FqN Fq - Fq. f
()
f ( x) =
c x
i qN
$x^i = \prod_{n=1}^{N} x_n^{i_n}$.
i .
n =1 n
. 1.
f -,
.
f : F n F . f
2
2
-
[f(x)] = [f(0), f(1), . . . , f(2n - 1)]
f(x) = f(x1, x2, . . . , xn) x = x1 + x22 + . . . + xn2n-1.
f -
[ai] = [a0 , a1, . . . , a2n-1 ]
ai = a(i1, i2, . . . , in) i = i1 + i22 + . . . + in2n-1.
[177] ( . Philips
Crypto) [334]
[ai] = [f(x)] An,
[f(x)] = [ai] An,
An
A0 = [1]
1 1
An =
An -1 ,
1 - 1
. , An - ,
An2 = I .
[177] [334]. [f1(x)] [f2(x)] - [f(x)].
[ai] = [f(x)] An = [[f1(x)] An-1, ([f1(x)] + [f2(x)]) An-1]
, A0.
GF(q) [177].
3.2.6 .
1980-
. Li -
si = (s0, s1, . . . , si-1). L1, L2, . . . , Ll
sl.
Li
. [331] Li:
i 1 ( -1) i
+ +
+ O(i 2 -i )
2 4
36
86
Var( Li ) =
+ O(i 2 - i )
81
E( Li ) =
[366]
Fq. ,
; q
1/q. , Fq,
i/2.
() [85] [280] [281] [380]. ,
i/2, , ,
i/2,
Li = (i + 1) / 2 i 1. [331] , ~s ,
i = 2j -1 ,
.
[85] .
[236] -. [379]
,
. , ~s
, s0=1 s2i =
s2i-1 si-1 i 1.
[281].
i
,
i. [282] ,
$\lim_{i \to \infty} L_i / i = 1/2$ $\mathbb{F}_q$.
[283], ~s ,
c ( ),
$$\left| L_i - \frac{i}{2} \right| \le c\, \mathrm{Log}\, i, \quad i \ge 1,$$
$\mathrm{Log}\, i = \max\{1, \log i\}$, $\mathbb{F}_q$
.
[301] ,
.
(
[283] , $\lim_{i \to \infty} L_i(\tilde s^m) / i = 1/2$
$\tilde s^m = s_m, s_{m+1}, \ldots$,
m 0, ~s Fq .
, ,
,
c ( , m),
1
L i (~
sm ) - cLog i m 0 i 1 .
2
, -
, [283] ,
.
:
. [366]
.
3.3
3.3.1
- .
.
,
. , - (, )
.
, ,
.
,
, .
,
,
. ,
. ,
,
.
, ,
,
,
. ,
[322].
,
,
. [322] . ,
, 1 /,
232 29 8.5 ,
.
1980 ()
FIPS-81,
DES ( ) [278].
, OFB DES
.
8 64 . ,
64
232, .
64, 263,
. , OFB DES
64 [91].
, ,
.
, ,
.
,
,
"" . ,
, .
, , , p ,
p - . ""
.
3.3.2
Fq
q p.
Fq- ~s = (sT) ,
si + c1si-1 + . . . +cLsi-L = 0 , L i
- ,
~s .
$m_{\tilde s}(x) = \prod_{k=1}^{K} m_k^{e_k}(x)$.
, , dk , ak - k- .
i- ~s
K d k -1
si = a kiq
k =1 j = 0
Akq, l GF (q d k ), Ak , ek 0
ek - 1
A
l=0
qj
k ,l
i + l
,
p Fq.
m~s (x) - ~s ,
T ~s (
) m~s (x). Tk
mk(x) , ak , ([25] [217])
T = pe (T1, . . . , TK),
e - , pe max{e1, . . . , eK}.
3.4
3.4.1
Fq- , -
. $\tilde z = \tilde x + \tilde y$. [167]
$L(\tilde x) + L(\tilde y) - 2(T_x, T_y) \le L(\tilde z) \le L(\tilde x) + L(\tilde y)$.
, , L ( ~
z ) = L ( x~ ) + L ( ~
y ) (Tx,Ty) = 1 (x - 1)
m~x , m~y [136].
-
[334]
(Tx , Ty )
(Tx , Ty )
[167]
Tz (Tx , Ty ) ,
[354].
, Tz = TxTy , [136].
3.4.2
(
[174] ,
)
$\tilde z = \tilde x \tilde y$, $z_i = x_i y_i$, $i = 0, 1, 2, \dots$
,
[174] [407]. , ,
-
, , -
.
, ( ,
),
, -
. [354] ,
,
- .
, 1881 ,
.
[174] [175]
,
-:
$L(\tilde z) \le L(\tilde x)\, L(\tilde y)$,
m~x , m~y , .
, .
Tx Ty,
[335] : m x~
m ~y - , -
,
ord(q) mod ty = Lx
ord(q) mod t q t, ty
Ty / (Tx,Ty). m x~ m ~y ,
ord(q) mod ty = Lx, ord(q) mod
tx = Ly. [136] ,
,
. (
), .
t (qL - 1),
ord(q) mod t = L,
-. ,
() t ,
( ) t.
t > 1, qL-1, qi-1, i < L,
qL-1. FL.
, t FL,
q t L. ,
L
, ty q y - 1. ,
q > 1 L > 2, qL-1 ,
q = 2 L = 6. , FL
L- . ,
N m-
, 2 [335].
, , ,
Tx Ty, [136] [167]: , (Tx,Ty) = 1 (
).
- (. [217] [354]).
3.4.3
1994
[165]
.
.
(I). Fq q
p. F
( ) fF[x]
MF(f)
F f.
F =
Fq,
M(f) MF(f).
- s F ms F[x].
:
f,gFq[x],
mst Fq[x] - st = (sn t n ) n= 0
Fq , s
= ( s n ) n=
0 M(f) t = ( t n ) n= 0 M(g). [407]
Z(f,g)
Fq[x], mst
s M(f) t M(g). ,
A(f,g)Fq[x], mst s
M(f) t M(g). ,
A(f,g) | mst | Z(f,g)
s M(f) t M(g). f,gFq[x]
A(f,g) = Z(f,g),
mst = A(f,g) = Z(f,g)
s M(f) t M(g),
, - st
s t.
(II). A(f,g)
(, N,
N0).
. a,bN ab i+j+1 ,
i + j
p, i,jN0 0 i a - 1
i
0 j b - 1.
, max(a,b) ab a + b - 1.
,
a + b - 2
ab = a + b - 1
0 mod p.
a -1
f g - Fq.
, f(0) 0 g(0)0. E - fg
Fq, a1, . . .,ar E - f
C = {(i,j) N2 : 1 i r 1 j s}.
g1, . . ., gt -
C
aibj c (i,j) C.
Cd = {(i,j) C : aibj = gd } 1 d t.
t
$A(f,g)(x) = \prod_{d=1}^{t} (x - g_d)^{e_d} \in F_q[x]$,
, d,
: Cd (i,j),
a i + b j - 2
1. ( s n ) n=
0 F -
m F[x] ,
s x - n -1 ( s n ) n=
0
n= 0 n
3.5
3.5.1
" .
" . [177],
Philips-Crypto.
.
, ,
, . ,
, ,
.
. ,
. ,
[177].
,
.
([274] [177])
, ,
- ( - ) [408], [409].
, -
, ,
. - ,
.
, ,
,
.
,
- , ,
[113],
[289] (. 3.5.3).
,
-. [177]
, .
,
,
.
-
[73] (. 3.5.2).
,
.
,
.
[71], [185] -
. , ,
,
.
, 2-
[189], [191]. 2- ,
,
[333],
7.4 .
,
,
, [190], [192].
3.5.2
1989 . [73]
.
.
f(X) ,
m
$f(X) = \sum_{i=1}^{m}\sum_{j=1}^{m} a_{i,j}\, x_i x_j$,
s2
s3
s4
s5
s2
s3
s4
s5
s6
s1 s 2
s2 s 3
s3 s4
s 4 s5
s5 s6
s3
s4
s5
s6
s7
s1 s3
s2 s 4
s 3 s5
s 4 s6
s5 s 7
a1
s 2 s3
s4
a2
s 3 s4
s
a 1, 2 5
= s6 .
s4 s5
a3
s5 s6
s7
a 1, 3
s6 s 7
s8
a 2 ,3
,
s 3. ,
-, "-"
, , ,
( )
, .
k s nk, fk(X) -
. sk +1 f (sk - nk + 1 ,..., sk ) , ,
. , , -,
.
k
, n k < ;
2
(k + 1)- nk [334]. -
,
. ,
, ,
.
,
Fk(s) fk(X) 0 k n. , ,
,
.
3.5.3
1992 '
()
, "
" [289].
/
w Y [3].
Y, Y
,
'
. [3] .. .
,
: () Y w, w Y ; () Y,
Y; ()
Y1 Y2, ,
Y1 , Y2. ().
" ",
" ". w = w1, w2, . . . , wn,$ - n + 1
, $ - , n + 1.
s = 010101110010$ .
k,
1
2
s = si, si+1, . . . , si + k - 1 s = sj, sj+1, . . . , sj + k - 1 ,
s1i+h= s2j+h, 0 h < k, si + k sj + k . , s' = si,
si+1, . . . , si + k - 1 s -.
f(x1,x2,...,xk) k s,
|(s)| = n - 2, M(s) = 1 (,
$,
). , s -
s', s
- b1, b2, b1,b2{$}. , [289]
. s
T(s) u , u
, $.
, -
.
3.6 : - .
- [339]
. - ,
-
, , , ... ,
.
, (.
): ,
;
"--"
(
), (
). , ,
,
[20] [301] [334] [360],
:
1. , ;
2. : ,
, ..;
3. , l-;
4.:
;
5. :
;
6. ,
m, , ..
. -
( ,
). ,
.
,
. ,
, .
, ,
.
- ,
.
"" ,
""
4.
4.0
. -
-
( ) .
(. 4.2). -
( - );
- (.
4.1).
, -
,
. ,
(. 4.3 4.4) ,
.
(. 8)
. -, ,
, ,
, (RAM) .., . , - , ,
() .
,
.
, .
,
, ,
- [232].
,
(,
m-)
m-. L C(D)
<C(D), L>.
4.1
( ).
-
:
: m- <C(D), L>
: f : F2L F2
a0
i = 1, 2, . . .
1. ( F): ai = F(ai - 1)
2. zi = f(ai)
: zi,
i = 1, 2, . . .
4.1.1. -
, -, 1971.
" " [166]
,
.
. ,
, .
,
, ,
,
.
. ,
[339], ,
. , -
.
, ( ) T
, T, f,
. -,
,
$x^{2^L - 1} - 1$. $2^L - 1$ ,
2L - 1 .
[334], 2L - 1 ,
2L - 1 f.
, , ,
.
2L - 1 ,
.
, f. f,
, , .
, , ,
.
[184] , f k,
$L(\tilde z) \le L_k = \sum_{j=1}^{k} \binom{L}{j}$.
, ,
. - (.
5.3) [207] ,
L / 2 L / 4
L(~
z)
2 ,
L / 4
L 4. [26],
[334] ,
. ~
z N
k- (k < L) m ~s ,
$\tilde z = \sum_{j=0}^{N-1} c_j\, \tilde s_j\, \tilde s_{j+d} \cdots \tilde s_{j+(k-1)d}$,
(d, 2L - 1) = 1, ~
z
L
L(~
z ) - ( N - 1)
k
, k-
f', , k' k.
,
.
[334] ,
f k m- L.
, Pn - k,
Lk ,
L
Pn e - Lk / L 2 > e -1/ L .
, L.
1994 [242]
m-.
, n- GF(qn)
(.
3.2.5.1). [184], ,
m-
, .
4.1.2.
1995 .- .-
(-) [341].
,
( ,
).
(I) . S -
, ms(x)GF(2)[x] ; L -
; a GF(2L) - ms(x).
f k-
, . f - k
S, f = sn + t0 sn + t1 ... sn+ tk -1 , tj (j=0,1,...,k-1) - ,
0 t0 < t1 < . . . < tk-1 < 2L-1.
f .
[334],
- :
aE GF(2L) -
,
e0
a t0 2
e1
a t0 2
AE =
.
t 0 2 ek -1
a
L
L
K
K
e0
a t k -1 2
e1
a t k -1 2
0.
.
e k -1
a t k -1 2
, E
E.
L k "". , E
:
(i) E E = 2 e0 + 2 e1 + ...+2 ek -1 .
(ii) L- , "1" {ei}i=0,...,k-1.
(iii) AE .
E = 2 e0 + 2 e1 + ...+2 ek -1 F = 2 f 0 + 2 f1 +...+2 f l -1 - L- k < l.
E F , {ei}i=0,...,k-1 {fi}i=0,...,l-1. , "" E
F. L- {En} = {E1, ... , EN } OR[{En}]
L- , OR L-
. , " n {1, ... , N}, En OR[{En}].
. Ed
, Ed
E d = 2 e0 + 2 e1 +...+2 ek -1 , ei d i (mod L) (i=0,...,k-1), d -
L , (d, L) = 1.
AEd Ad.
"j- 1 Ed" L- , Ed ,
, ej. , , ,
[340]:
. f - , . f
k- ,
.
. L
F( L )
L NLL, N L =
( F(L)
2
). NL
, L - .
, , k
f.
(II) .
: .
. -,
N ,
. , m (m < N)
. , (N - m)
.
, .
. E d = 2 e0 + 2 e1 +...+2 ek -1
j{0,...,k-1}, j- -
(, "j- -") ,
Fdj
Fdj = 2 f 0 + 2 f 1 + ...+2 f k -1 , {ei}i=0,...,k-1; i j {fi}i=0,...,k-1.
, j- - Fdj - ,
L- "" L- ,
Ed, , (j-1).
, AF j Adj . j- -
d
. Fdj - j- -,
Adj (k-1)- ( j-
j- ), :
e0
a t0 2
.
e j -1
a t0 2
e j +1
a t0 2
.
t 0 2 e k -1
a
e0
. a t i -1 2
.
.
e j -1
. a t i -1 2
e j +1
. a t i -1 2
.
.
t i - 1 2 e k -1
. a
e0
a t i +1 2
.
e j -1
a t i +1 2
e j +1
a t i +1 2
.
t i + 1 2 e k -1
a
e0
. a t k -1 2
.
.
e j -1
. a t k -1 2
0.
e j +1
. a t k -1 2
.
.
t k -1 2 e k -1
. a
. Ed -
j{0,...,k-1}. j- -
{Fd j,n } Ed'
, Ed' OR[ {Fdj,n } ], {Fdj,n }
.
[341] ,
L- .
(III) . L ( ) k (
) 2 < k < L - 2, D
. - .
FDC(i) (i = 1, ... , NL) L- , i-
.
FC(i,j) (j = 1, ... , k - 1) L- ,
FDC(i) j- "1" "0". , FC(i,0)-
FC(i,k-1).
CD(i,j) L- , j- j
{Fd i , n } . L- CD(i,j), ,
. , ,
AND. ,
XOR FC, ,
1 CD(i,j).
m - , ( mpri) L- CD(i,j) .
mpri
a(n) (n = 1, ... ,
) mpri- m "".
m
VOR , OR
m CD(i,j) , "" a(n).
Vl - ,
AND VOR FDC(i).
" 1" " 2" - .
1
NL d.
FDC(i) (i = 1, ... , NL).
D = L NL.
FC(i,j). m = L - k.
CD(i,j).
AND FDC(l) (l=1,..., NL) CD(i,j).
, FDC(l),
CD(i,j) m = m - 1.
XOR FC(o,p) (o = 1,..., i - 1; p = 1,..., k - 1; o = i; p =
1,..., j - 1) CD(i,j).
, - "1",
CD(i,j) m = m - 1.
[341]
L=11, k=6, d=1,2,3,4,5 N11=5.
D = 242.
.
,
6 m- 11.
,
( 6 m-
11) 22 6 GF(211).
[197].
L. G
, .
L    k    G      D
11   6    22     242
17   9    184    3128
23   12   363    8349
29   15   770    22330
37   19   1296   47952
43   22   1764   75852
47   24   2115   99405
53   27   2702   143206
: ,
- .
-.
4.2
Fq- f : F F .
, N
N
q
f i Z .
N
2
:
:
: N <Cj(D), Lj>
f : FqN Fq
: N a0(j) .
i = 1, 2, . . .
1. j = 1, . . . , N
c j
ai(j)
2. zi = f(ai(1) , . . . , ai(N))
:
zi,
i = 1, 2, . . .
f* : ZN Z , f ,
$f^*(x) = \sum_{i} c_i^* x^i$,
,
[174] [335]
L( ~
z ) f*(L1 , . . . , LN)
Tz (T1 , . . . , TN).
[184] ,
, f m- - .
[334] ,
.
:
1. N Fq-, ,
, Cj(D)
Lj,
L( ~
z ) = f*(L1 , . . . , LN).
2. N F2-"", ,
, - - Lj,
L( ~
z ) = f*(L1 , . . . , LN), Lj j- .
,
,
. [335] ,
150 ,
2146.
[136],
(. 3.4) . N
GF(q)- - ,
L( ~
z ) f*(L1 - 1, . . . , LN - 1),
Lj j- .
f : Fq Fq, q = pm,
k
ek - p- e = e0 + e1 + . . . em-1pm-1. [49] ,
, x~
L( x~ ) = L.
p = 2,
L(~
x ) = LWH ( e ) ,
WH(e) e.
$f(x) = \sum_{i=0}^{q-1} a_i x^i$. [49] , p = 2 $\tilde x$
$L(f(\tilde x)) = \sum_{i : a_i \ne 0} L^{W_H(i)}$
[72]. ~s L Fq, q - ,
f : Fq F2 - ( ).
~
z = f( ~s ). ,
qL -1 ~
~
L (z ) =
L (u ) ,
q-1
u~
,
f Fq,
.
,
. [75]
, , q .
f : Fq2 Fq ,
:
$f(x,y) = \sum_{(i,j) \in Z_q^2} a_{ij}\, x^i y^j$.
[49], p = 2 $\tilde x$, $\tilde y$ - $L_1$ $L_2$, $\tilde z = f(\tilde x, \tilde y)$
$L(f(\tilde x, \tilde y)) = \sum_{(i,j) : a_{ij} \ne 0} L_1^{W_H(i)}\, L_2^{W_H(j)}$.
1996 [243],
1994 m- [242],
.
, . -
,
.
-
,
. "
".
,
- ,
( 6, 7, 8, 9).
4.3
4.3.0
- ,
,
. ,
: ,
f
[37] [254] [363] [397];
,
f [119] [362].
,
. ,
.
,
.
-
"--".
, , ,
,
JPL (Jet Propulsion Laboratory)
1950- [162] [373]. ,
,
. :
- ,
, ,
-
.
,
,
. 70-80- [37] ,
f (
, ).
JPL.
1984
(ETH, )
[361],
(. 4.3.1).
R ki , i = 1,2,...,R
, .
.
, ,
R
i =1
ki
R
i =1
k i .
. , ,
,
, "-",
R
i =1
2 ki .
, , ,
[46], [129] [302].
.
, k,
50.
,
. ,
,
, .
, ,
-, : "
" [339].
1989 ,
.
[R87] , t -
(t < 10),
, ,
. ,
, ,
,
(. 4.3.2).
. an ,
t , p(x) k
$p(x) = c_0 + c_1x + c_2x^2 + \dots + c_kx^k$,
$c_0 = 1$, $c_1, c_2, \dots, c_k \in \{0,1\}$. $(a_j)$
$a_j = c_1 a_{j-1} + c_2 a_{j-2} + \dots + c_k a_{j-k} = \sum_{i=1}^{k} c_i a_{j-i}$,
$j = k, k+1, k+2, \dots$
t
{c1,c2,...,ck} p(x).
GF(2) ci = 1.
,
, t + 1 - (aj):
L = a0 + a1 + a2 + . . . + at = 0 ,
ai ,
ci.
, zn
() - an,
, , .
-
.
: , ;
, .
,
, .
. ,
.
O(k) ,
t . [254][78],
,
L, ( t
k, k ).
, ,
- (ai) (zi),
,
.
[78] [267] [397].
- 1996 . [296]
.
,
.
-,
.
3 4.
O(22k/3),
k, 100 (. 4.3.3).
1990-
,
.
- ,
[266], [267], [268], [270] [81] [147].
[78], [119], , , [398].
, :
(. 4.3.4 4.3.6).
( )
1994
[226].
"
",
(. 4.3.5).
:
.
, -,
f (. 5), , -, .
4.3.1
( 4.2)
, f : F2N F2 ~
z
( j)
~
a , j- . f ,
, , f ,
pj = P(f(A1, . . . ,AN)=Aj). pj
,
a~ ( j ) , j- . ,
j- ,
()
(1 - pj). ,
( j)
~
a .
a0(j) (
), zn ,
a~ ( j ) ( , a~ ( j ) ).
[363] " " (
" "). ,
, .
:
: < Li , Ci(D), f>
zn n
: N a0(j)
j = 1, 2, . . . , N
1. , f,
("") pj = P(z=a(j)).
pj = , j j = j+1.
2. ( ):
L
d = 1 () 2 j - 1
a. -
$C_{\tilde a^{(j)},\tilde z}(d) = \frac{1}{n}\sum_{i=1}^{n} (-1)^{z_i}(-1)^{a^{(j)}_{i+d}}$
b. Ca~ ( j ) , ~z (d ) , T,
c, d = d + 1.
c. d z n
a~d( j )
d. , dj -
j+1 - , d = d + 1.
: {a0(j)} ,
.
, ,
T.
Pf = P( Ca~ ( j ) , ~z (d ) T | ) ,
" ".
Pm = P( Ca~ ( j ) , ~z (d ) <T | ),
. Pm
, , Pm = 0.01 ,
.
Pf = 2-L. T
n [363]. , "" p = 0.75,
Pm = 0.01 L = 41,
n = 355 T = 0.394.
Pm + 2LPf,
[50].
T = 0.408 Pm = 0.022 Pf=0.0172-41.
k .
, ,
[51]. n=300
1000 ,
0.98 .
A
N
j =1
Lj
, f ""),
N
j =1
Lj
. , ,
,
" " ( "divide et impera" " ").
. ,
Lj f
. Lj 50
.
4.3.2
( 4.3.1) , j ,
( ).
, " ".
, . ,
a~ ( j ) ~
z , a~ ( j ) ,
~
z , ,
.
, (HTL BruggWindisch) (GRETAG AG) [254],
. ,
zn ,
, an,
, .
, ,
, a~ ( j ) . t
, a~ ( j ) . ai
t + 1 , :
aj = c1aj-1 c2aj-2 . . . cLaj-L,
, ck 0, c0=1. ,
ai,
C(D). ,
$(C(D))^{2^k} = C(D^{2^k})$
- , t.
,
. , m
. a a~ ( j )
m ,
LRk = a Ak = 0
k = 1, . . . , m ,
Ak - t a~ ( j ) .
a~ ( j ) (1 - p)
:
LRk = z Zk
k = 1, . . . , m ,
Zk - t ~
z
z. z
h LRk , .
, h ,
p = P(z = a) p*. z = a,
h , z a.
, h z = a
h z a ,
. ,
[254],
, ,
.
B: /
: < Lj , Cj(D), f>
n zn
j = 1, 2, . . . , N
1. ("") pj = P(z=aj)
f , N f.
pj = , j j = j+1
2. : zn
a. m t+1 ,
zn
$m = (t_j + 1)\log\!\left(\frac{n}{2L_j}\right)$
b. h m , Lj zn
h .
c. zn
pj* , h m zn .
Lj , pj*
I0 ajn.
2. :
a. a0(j)
-
(a(j))n zn.
b. , a0(j)
,
I0 1, 2, ...
,
a0(j) .
: {a0(j) | j = 1, . . . , N} ,
.
. ,
a0 .
;
,
, .
B O(2cL) 0 c 1; c
"" p, t, n/L. B
,
zn, t (t 10),
"" (p 0.6).
, B : t > 16,
p 0.75, . ,
B
:
1. f , k-
( 5.1).
2. (L 100) ,
(t 10).
B ,
, . ,
, .
:
" " zn ,
" " an, aL
( ); . . . "
" [397] ,
zn,
( ) ,
. m/2, m -
.
.
[123].
4.3.3
( 4.3.2),
, ,
,
10. ,
,
.
1995 () . .
[295].
,
- ,
, , .
, ,
.
1996 . [296],
,
, .
O(22k/3)
.
100 .
(I). .
.
, , [219].
(n,k) GF(2) - 2k
n (n-) , GF(2). n-
.
- V2n n-
n.
G (n,k) C GF(2) - k n,
V2k n- V2n . 2k C
GF(2) G.
w(a) a
. d(a,b) a b
, . C
d a b
d = min{d(a,b) : a,b C, a b}
= min{w(a)}.
k n G k
(n - k) n H c (n - k)
n. n- a ,
G, , aH = 0.
, GH = 0.
a = (a0, a1, . . . , an - 1) b = (b0, b1, . . . , bn - 1) - ,
:
a b = a0 b0 + a1 b1 + . . . + an - 1 bn - 1 .
C - (n,k) , C* -
, C
, C* = { a | a b = 0 , b C}. C G
H, C* H
G. , C* - (n, n - k) , C* -
- C. , C*
2n - k , V2n - k ,
- V2k .
V2n x ,
n - 1. ,
.. $a = (a_0, a_1, \dots, a_{n-1})$ $a(x) = a_0 + a_1x + \dots + a_{n-1}x^{n-1}$.
(n,k) , , a = (a0,
a1, . . . , an - 1) C, a' = (an - 1, a0, a1, . . . , an - 2) C.
$a_{n-1} + a_0x + a_1x^2 + \dots + a_{n-2}x^{n-1}$,
$x\,a(x) \pmod{x^n + 1}$. , C
n (mod xn + 1).
(n,k) C g(x)
(n - k), . C
:
$G = \begin{pmatrix} g(x) \\ x\,g(x) \\ \vdots \\ x^{k-1} g(x) \end{pmatrix}$.
C g(x) q(x), q(x) -
k - 1 . a(x) C :
a(x) = q(x) g(x) 0 (mod g(x)).
g(x) , xn + 1, g(x)h(x) =
xn + 1. h(x) k .
a(x), g(x),
4.
,
2n - k.
, a C
. .
e = (e0, e1, . . . , en - 1),
z = (z0, z1, . . . , zn - 1).
z = a + e.
b C* :
L = h z = h0z0 + h1 z1 + . . . + hn - 1zn - 1 .
z - C , L ;
, , z , L .
,
L e:
L = h z = h (a + e) = h e = h0e0 + h1 e1 + . . . + hn - 1en - 1 .
.
i- , xi , xj
.
S = {h(x) = xi + xj + xn - 1 | 0 i < j n - 1},
h(x) C*, (2k - 1, 2k - k - 1) - C.
S xn - 1.
, ,
. ,
3. , S ,
xn - 1. h(x) S :
$h(x) = x^i + x^j + x^{n-1} \equiv 0 \pmod{p(x)}$.
h(x) xn - 1 + xj 0 j n - 1,
xi , xn - 1 + xj + xi p(x).
. xn - 1 + xj p(x) , " " (
), , xi
. h(x) = xn - 1 + xj + xi - ,
xn - 1. , xn - 1 + xi,
h(x). , (n - 1) / 2 = 2k - 1 - 1 ,
xn - 1.
3.
3, xn - 1, . , ,
x0, xn-1. h(x) , ,
. ,
, x0. ,
, j .
[254],
.
3
, x0.
3
1. []
T < 2k - 1, , nmax T < 2k - 1
3.
2. [ ] j = nmax - 1.
n
3. [] x max + x p(x) ,
xi.
j
x i + x j + xnmax .
4. [] j = j - 1. j > 0 , 3.
.
,
2.
, 3, (n, k)
, 2k - 1 - 1.
3 N = 2k - 1 O(22k).
,
T << N.
O(T 2).
4. ,
,
,
3 .
4.
4.
, .
,
4. ,
.
, 4
3. ,
x0, i, j s, t , 0 < i < j 0 < s < t :
$x^0 + x^i + x^j \equiv 0 \pmod{p(x)}$
$x^0 + x^s + x^t \equiv 0 \pmod{p(x)}$.
, j > s. , x j - s = xd
, 4:
$x^0 + x^i + x^{j-s} + x^{t+j-s} = x^0 + x^i + x^d + x^{t+d}$.
j < s, d' = s - j . ,
max{t + d, t + d'} < T, 4, x0.
, | d | < T/2, .
, m
-. r - m
. p ,
3 T/2 ( 4),
$p = 1 - e^{-rT/2N} \approx rT/2N$, $rT \ll N$. r ,
pr = r2T/2N m. r,
, .
, ,
N = 2k/3,
4.
O(22k/3),
. ,
100 .
4.3.4
-
1991
[267] ,
,
,
.
" ".
$z = \{z_i\}_{i=1}^{N}$
- $a = \{a_i\}_{i=1}^{N}$, $z_i = a_i \oplus e_i$, - 2,
$e = \{e_i\}_{i=1}^{N}$ - $P\{e_i = 1\} = p$, $i = 1, \dots, N$. , f(x) -
r. - - $a = \{a_i\}_{i=1}^{N}$
r. - - a = {ai }iN=1
e , .
, ,
( [267]):
pi = P (ei = 1|{ck (i )} |k=i1| )
q i |k=i 1| q k (i ) ck (i ) (1 -q k (i )) ck (i )
=
q i |k=i1| q k (i ) ck (i ) (1 -q k (i )) ck (i ) + (1 - q i )|k=i1| (1 - q k (i )) ck (i ) q k (i ) ck (i )
i = 1, . . ., N , qi , i-
1; c k (i ) = 1 - ck (i ), q k (i ) = (1 - l =1 (1 - 2q ml )) / 2 .
w
{ml } wl =1
4.
, , -,
,
(
).
, " "
, pe 0,
. ( [254]), pe
e,
1. .
.
.
- ()
.
- : z = {z i } iN=1 , p, ()
i = {p k (i )}|k=i 1| , i = 1, . . ., N.
- : j = 0, k = 0 qi = p, i = 1, . . ., N, j - , k . kmax,
e J -
.
- : ,
( ) pe e ,
J .
- : ,
kmax, , ,
.
- 1: {ck (i )}|k=1i | , i = 1, . . ., N,
.
, 7.
J , 6.
- 2: ,
pi, i = 1, . . ., N.
- 3: pi > 0.5, zi = zi 1 , pi = 1 - pi , i = 1, . . ., N.
- 4:
: qi = pi, i = 1, . . ., N.
1
N
- 5: p e = i =1 pi > e , j 1 1.
N
- 6: qi = p, i = 1, . . ., N k 1. k < kmax,
1.
- 7: ai = zi, i = 1, . . ., N. .
- : - a = {ai }iN=1 = z = {z i } iN=1 .
. 1995
, ,
,
[147]. ,
. 5
.
.
3
, zi = zi 1. ,
- pi 1 - pi (
, [410]).
, . ,
,
.
, .
- , ,
. , ,
, ,
. , ,
C, qi = p, i = 1, . . ., N.
.
1
N
p > e C,
i =1 i
N
j 1 1.
- 5: p e =
C
, [81].
4.3.5 :
1994 [226]
,
(As + n) mod 2 = r, s - N, n r
- M, A - .
s A r.
" ".
, s
, r M
, n, , (
0). A
.
(I) . ,
s :
$P(s \mid r, A) = \dfrac{P(r \mid s, A)\, P(s)}{P(r \mid A)}$. (1)
- s, s,
s. , 2N
.
- , s
,
(., , [176] [4] [110] [297] [128]
[36]). : "
(1) , s
?".
1972
: "" , (1),
Q(s;q),
q.
P(s|A,r) P(s).
,
$F(q) = \sum_{s} Q(s;q)\log\frac{Q(s;q)}{P(s)}$. (2)
F(q) ,
q, Q(s;q) = P(s) s. , Q
, F q . q*,
F(q),
Q(s;q*) P(s). , ,
s, Q(s;q*), s,
P(s). ,
Q(s;q*), ,
P(s).
(II)
,
Q(s; q ) q n (sn ; q n ) ,
n
qn, qn :
$q_n(s_n = 1; q_n) = \frac{1}{1 + e^{-q_n}} = q_n^1$,
$q_n(s_n = 0; q_n) = \frac{1}{1 + e^{+q_n}} = q_n^0$, (3)
n = 1, . . . ,N. ,
log( q n1 / q n0 ) = qn.
, F,
(2), q , wA - A (
).
:
F(q) = EL(q) + EP(q) - S(q),
(4)
S (q ) = - q n0 q n1q n ; " "
q n
E P (q ) - Q(s; q ) log P(s) = - bn q n1 ,
s
q .
g - (1,-1)- (
), .
P(r| s, A ) = emtm ( s ) (1 - em ) (1- t m ( s )) , e - .
m
:
log P (r| s, A ) = t m (s) log
m
em
+ const
1 - em
t m (s)g m + const
m
gm = log[em/(1-em)].
, EL, tm(s)
Q(s;q), , n Amn sn mod 2 = 1.
m ,
1
0
p m,
n p m,n n = 1 ... N. ,
t m1n = n =1 Amn sn mod 2 1 0, .
n
(5)
1
0
p m,0
= 0 pm,0
= 1. ,
m A:
Q(s; q )t
(s) = pm1 , N .
pm1 , N -
tm = Ams mod 2 , qn1
0.5, pm1 , N 0.5. , EL
:
$E_L(q) = -\sum_{m} g_m\, p^1_{m,N}$.
EL
. , ""
rm,1 n rm,0 n n = N ... 1. ,
t mnN = n =n Amn sn mod 2 1 0, .
N
, (5).
, :
$\frac{\partial E_L(q)}{\partial q_n} = -q_n^0 q_n^1 \sum_{m} g_m d_{mn}$,
$d_{mn} = (p^1_{m,n-1} r^1_{m,n+1} + p^0_{m,n-1} r^0_{m,n+1}) - (p^1_{m,n-1} r^0_{m,n+1} + p^0_{m,n-1} r^1_{m,n+1})$.
,
= q n0 q n1 qn - bn - g m d mn .
qn
m
" ",
q.
"" b,
. -
. , q
q n = b + b g m d m ,n ,
m
n = 1,..., N .
(III). . ,
wA. ,
NwA. , .
- : - r, A, p,
b (b0), b (bf),
b (bmax) .
- : = 0, b =b0,
+ 1 rm = 1
, m = 1, ... , M
gm =
- 1 rm = 0
p
b = qn = log
, n = 1, ..., N
1 - p
p 1m, 0 = rm1, 0 = 0
, m = 1,..., M .
p m0 , 0 = rm0, 0 = 1
- :
, b bmax.
- 1: q n1 , q n0 , n = 1, . . ., N (3).
- 2: ( ) p m1 , n p m0 , n m = 1 ... M n = 1 ... N
(5).
- 3: ( ) rm1,n rm0,n , (5)
-
, m = M , ..., 1 n = N , ..., 1.
4: qn, n = 1, ..., N (6).
5: .
6: , (4).
, 1.
7: b bf, b =b bf. b < bmax,
, 1.
8: q: qn > 0,
1; 0, n = 1, ..., N. 2
.
: b0 = 0.25; bf = 1.4; bmax = 4.
4.3.6
[R87],
,
,
(. 4.3.0). "
" [142],
:
. ( ,
[123] [231].)
,
[254],
,
.
, (, [78]),
, ,
.
,
" " (, . 4.3.4) "
" (, . 4.3.5). 1996 [81]
.
50 10000
.
:
t   L    p(x)
2   31   1 + x^3 + x^31
4   50   1 + x^2 + x^3 + x^4 + x^50
6   72   1 + x + x^2 + x^3 + x^4 + x^6 + x^72
C -
. C 10.
C = 100.
: b0 = 0.25,
bf = 1.4, bmax = 4. ()
.
,
, N-1 ( 9999).
log 2 ( N - 1) / r + 1 , r -
f(x). 31, 50 72
9, 8 8, . [254],
. ,
.
.
.
, . ,
.
( -
-,
[80]). ,
" " [266], r ,
(r - ). r
, .
, -
- .
- ,
-
.
. ( )
.
[268],
,
.
1
w -1
w
1- M
,
2
Mw - ( w + 1) ,
. p > pcr,
. ,
, ,
(. 4.3.3). , ,
.
. ,
-, .
[410]
, .
, [268],
. , ,
, ,
N
1 + (1 - 2 p ) w w
p
>1 ,
1 - p w W 1 - (1 - 2 p )w
p cr =
p - ; Nw - w (
, , ); W , . ,
,
.
4.4 -
4.4.0
-
.
61 127
[250] [211] [52].
[251].
- [361] [363] [254].
,
-. ,
[392], [141].
-
.
" ",
, [362] (. 4.4.1).
[363]. ,
,
, f(x) (..
) [254]. ,
[268].
, f(x) ,
, [9], -
f ( ) [78].
,
" " [254]; f(x) n,
n ( n2 )
2
. 1994 ,
2
-
n 128 [375]. ,
-
.
1994
[13],
, -
(. 4.4.2). ,
- ,
. 1996
[148] ,
-
. ,
" ", ,
- (. 4.4.3 - 4.4.6).
4.4.1 :
-
. ,
zn,
: (1)
; (2) ,
. , (2L - 1)
. ,
m- L
.
- .
.
,
m-,
,
g. ; k
f, k , f,
g = f
.
$C_{\tilde a,\tilde z}(d) = \frac{1}{T}\sum_{i=0}^{T-1} (-1)^{z_i}(-1)^{a_{i-d}}$
~s ~
z . [362]
Ca~ , ~z F$
f$(x ) = (-1) f ( x )
Ca~ , ~z = 2 - k (1 +
1 $
f$(0)
)F (v (d )) ,
T
T
v(d) L ,
d- ~
s ( d ) ~s .
, -
, F$(v (d )) . F$(v (d ))
v(d),
, f. ,
2k -1 - .
k di ,
~
s (d i ) . ,
f
F$ ,
- Ca~ , ~z .
,
. n ,
. n, k,
f , Ca~ , ~z . ,
[362]
, -, ~
s (d i ) .
: -
: <C(D), L>
zn n
1. - d 0 d 2L - 2
$C_{\tilde a,\tilde z}(d) = \frac{1}{n}\sum_{i=0}^{n-1} (-1)^{z_i}(-1)^{a_{i-d}}$
2. L Ca~ , ~z (d).
3. a~ (d 1 ), ..., a~ (d m ) m n
a~ (d 1 ), a~ (d 2 ),... , d1, d2 , . . . .
4. g m a~ (d 1 ), ..., a~ (d m )
~
z.
(d j )
: m { a 0
g: F2m F2 .
, ,
, m- L
f', ,
[334]. , ,
L
. , ,
( )
.
,
L < 50 [362].
(I) . , "
" [12],
. . ,
:
, ,
" ". - ,
h(x) Ki.
h: Ki = Si + Si+1, Ki
Si; Ki = Si Si+1 , Ki = 1 ,
Si = 1. , -
,
"" h(l(x)) l(x).
(II) . . ,
h
h(x1, x2, x3, x4, x5) = x1 + x2 + (x1 + x3)(x2 + x4 + x5) + (x1 + x4) (x2 + x3) x5.
[210] , ,
[211]; ,
,
(. 5.1).
,
-,
; "
" , [106]. ,
h, - , - , h.
Ki = f(Si - 2, Si - 1, Si, Si + 1, Si+2), Ki - 2, . . . , Ki+2 Si,
Si, Si = g(Ki-2,Ki-1, Ki, Ki+1,
Ki+2). , Ki - 2, . . . , Ki+2 Si - 4, . . . , Si + 4,
9-
, 5 . , 9 5,
h h .
5- h 512 ,
:
output value:   0   1   2   3   4   5   6   7
input count:   18  16  14  20  16  14  21  17
output value:   8   9  10  11  12  13  14  15
input count:   11  17  12  12  23  13  13  19
output value:  16  17  18  19  20  21  22  23
input count:   16  18  16  18  12  10  15  15
output value:  24  25  26  27  28  29  30  31
input count:   23  17  10  18  17  15  19  17
,
,
. , (21 26),
, , 26, , :
001010101
001110001
001110010
100110001
100110010
101001011
101110001
101110010
110110001
110110010
, , ,
- . , Ki, . . . , Ki+4 = 11010,
Si+2=1, Si+3=0 Si+4=0 0.9 .
0.7, 0.8 .. ,
, [119], .
-
/ h .
, ,
. , 17 ,
9, : 17
. , , Ki, . . . , Ki+4 = 01001,
, Si+1=0.
" ".
, h - , m 1 ,
m , ,
,
. ,
.
0.8-0.9,
[226].
, , Ki Si .
, , 5 6
. , ,
Ki, . . . , Ki+4 = 11010, Si+2 = 1 + Si+3 .
; , Ki Ki+4 , Si+3 =
Si+4 = Si+5. ,
.
? -
[255] (. 5.3). , . -
h(x1, x2, x3, x4, x5, x6) = x1 + x2 + x3 + x1x4 + x2x5 + x3x6
, , - ,
. ,
(12,15,30,31,47,60,61,62,63),
100 .
: , 17 12 , 12
S1 = S2 = 1 S4 = S5 = S11 = 0.
-: -,
.
- 0 1 7,11,23
27, , ,
( 31 00010111011).
, - - - -
.
, [251] [250],
- k ,
n n- 2k- .
: ,
2k . :
k
. , - , [250],
21 32 ******10110.
, .
(III) .
.
- ,
. ,
. , - .
, ,
-,
.
, , ,
:
"" (
).
, ,
.
4.4.3
[13] , ,
(. 4.4.2). ,
-, 1996 [148].
, ,
. x = ( x (t ))t = - r -
-1
2r - 1 ( ( x (t ))t = - r - ).
f(z1, z2, . . . , zn) - n (n r) ,
n
g = (g i )i =1 - (
t 0.
(1)
t
y tm = ( y (i ))i = t - m+1 x tm = ( x (i ))it = t - m+1 m
t. , y tm = Fm (x tm+g n ) , Fm - m-
m+gn ,
f g.
[13] , g -
(gn = n - 1) n
. Fn -.
, y tn = Fn ( x t2 n -1 ) . -
y tn x t2 n-1
Fn. ,
x t2n -1
y tn . ,
,
() - f,
1.
- - f
g .
, , 2 2g +1 ,
, ,
2 2g +1 .
[13]
.
[148], , f,
g, ,
f.
, ,
, , , -
, .
, , M = gn - g1 = gn r - 1.
, 1996
,
[334].
4.4.4
-
, , -
, .
, ,
( ,
), - ( ,
.. , ),
. ,
, - ,
.
[141] [149].
,
x = ( x (t ))t= - r .
, y = ( y(t ))t = 0
, - f .
, y -
, Fm, m
, m 1. ,
, .
. - M
(
) , FM+1
.
-
.
. - - f,
g,
, , (
), f(z1, z2,...,zn) (z2,...,zn),
,
f(z1, z2, . . . , zn) = z1 + g(z2, . . . ,zn),
f(z1, z2,...,zn) (z1, ... ,zn
,
f(z1, z2, . . . , zn) = zn + g(z1, ... ,zn - 1).
(2)
- 1
),
(3)
. ,
(" "),
.
, ,
. -
,
r, - f
g. , - (2).
(1)
t 0.
(4)
, -,
, (),
. , .
(3) ,
.
:
1. ( ) M ( x (t ))t-1= - M
.
2. (4), ( x (t ))tr=-0M -1
r - M -1
( y (t ))t = 0 .
3. , ( x (t ))tN=-1
r- M
r ( x (t ))rt =--MM-1 .
N -1
4. (1), ( y$(t ))t = r - M ( x (t ))tN=-r 1- 2 M
( y (t ))tN=-1
r - M . ,
. 1.
, ,
2M,
M, - r.
M ,
r - 1. ,
. ,
g = (id )tn=-01 , d . ,
, d,
d .
, -
f, ? , p+
(z2, . . . ,zn), f (
) z1; , , p-
(z1, . . . ,zn - 1), f ( )
zn. p+ p-,
. -
r - M .
, , . [148]
.
, -
,
, ( ) ( ) M+1
. , M
, ,
.
4.4.5
- ,
- f g .
(I) . . G = {gi : 1 i
n} - n ,
g = (g i ) in= 1 , g1 = 0 gn = M r - 1.
t 1 I(t)
G , t.
2. G
M
I (t ) =
t =1
n(n - 1)
.
2
(5)
3. Imax
1 Imax n - 1
(6)
, G
.
, G
. , G
n M n(n - 1)/2.
M r - 1, , n ,
2r . G - , n , Imax
M, M
.
, . [223]) , (.,
, [219] [223]).
(6) , r n(n - 1)/2,
2r .
, n ,
G , Imax
r n. 1
G, .
, l G
l, l -
( l = 1
). ,
n(n - 1) / (2l) M r - 1, M
. Imax = l , l = n (n - 1) / (2 (r - 1)) ,
G l , n(n - 1) / (2l)
M r - 1. l
,
.
, r
n G, Imax .
l l.
(II) -.
, , -
- [361] (.
5.1). -
4.4.4. f m , g
(m-1). ,
- ,
[148] .
n
X (t ) = ( x (t - g i ))i =1
( ) x,
y(t), t 0. (1)
y(t) = f(X(t)). , T k = (t i ) ik=1
( ) k
;
. y(Tk) - k- X(Tk). ,
T k1 T k 2 P( X( T k1 ) | y( T k 2 ) )
, , T k1 , X( T k1 ),
, T k 2 , y( T k 2 ) (
,
).
4.
G - l f m .
k , 1 k m / l +1, Tk y(Tk)
X(Tk).
5. G f - 4. k1 k2 ,
k1,k2 1 2 k1 + k2 m / l +1, T k1 T k 2
y( T k 2 ) X( T k 2 )
X( T k1 ).
2. G, f, k1 , k2 , T k1 T k 2 5.
P ( X (T k1 )| y (T k1 T k 2 )) = P ( X (T k1 )| y (T k1 ))
(7)
T k1 T k 2 T k1 T k 2 . ,
1 k m / l +1 T k = (t i ) ik=1
k
P( X (T k )| y (T k )) = P( X ( t1 )| y ( t1 )) P( X ( t i )| y ( t i ), X (( t j ) ij-=11 )).
(8)
i =2
, 2 ,
m / l +1
- - f, - f
( . ). , ,
( ,
,
f), m / l +2
.
.
k = m / l +2 ,
T k = (t i ) ik=1 , y(Tk)
X(Tk) X(Tk),
X(ti), 1 i k.
n f.
G - l,
l 1. ,
-,
:
m / l + 1
K = (m / l + 2) n - l
.
(9)
-
2K, 2K
22K. , ,
m / l +2 . m
l, n, K .
K l ,
r n/m, , n
2rl . , K
l, . , n m
l. ,
f, n
.
4.4.6 -
[148]
-:
- r
k - f
r
, ,
k
.
- - f
4.4.4
- :
() g , M
,
r - 1;
() ,
, g
1 ( g
).
- , ,
K (9) . :
() n f ;
() g l-
, l r n;
() m f
l.
-
f ( ,
)
. n
.
,
,
n (, , [372] [391] [401]).
-
"" "".
,
[144][ 145].
, .
5. .
.
.
5.0
. [37]
,
-,
.
1984 , ,
- [361].
,
[334] [339].
,
- (. 5.1).
[361]
() - .
. 1991
, , ,
-
[55]. 1993 ,
[352].
-
-
-
.
,
,
"" (.
5.2). 1989
[255],
. ,
,
. ,
, "
", , ,
"-".
- (. 5.3), (GF(2))m ,
f(x), (x = (x1 , . . . , xm)),
([105][ 328][ 59]):
- f - 1 (
(GF(2))m) ;
- s (GF(2))m x f(x) + f(x + s)
(.. 2m - 1);
- $f_c(x) = (-1)^{f(x)}$, . .
$\hat f_c(s) = \sum_{x \in (GF(2))^m} (-1)^{f(x) + x \cdot s}$,
$\hat f_c(s) = \pm 2^{m/2}$, $s \in (GF(2))^m$
2m
, 2m/2.
[208] , -
n
q
Zq ,
q - . [285]
-.
q-
$f : Z_q^n \to Z_q$
, $a \in Z_q^n$ $b \in Z_q$
$|\{x : f(x) = f(x + a) + b\}| = q^{n-1}$.
, -. -
, q - .
, - ( ) f : Z np Z p
p n. [285]
, , p- -, p - ,
.
() - .
- . [395]
, 1980- . 5.3
, -,
1990- - .
, -
: -
( ),
, , .
-
, 5.4.1.
, n
,
, 50%
. k
, k
50% .
(), ,
1. 1985
[383], . [118], [2].
(. .)
1990-1991 [304] [305].
5.4.2 (
-) ,
,
. ,
[351][ 353].
- , - 1997
, " " [402].
1985
[79] , , , [23].
F n- m- (n,m,t)-,
m- , t
, n - t 2n - t
. , -
, [361], -
. 5.4.3
.
"
" [339] ( 5.5).
5.1 k
-,
.
.
-
1984 [361]
5.1.1
Vm - m- GF(2).
, -
Vm [0, 2m - 1].
. , ai
, i.
f - Vm GF(2) ( Vm). f
m x1, x2, . . . , xm ,
f f(x), x = (x1, x2, . . . , xm).
, ,
w, x, y z; - wi, xi, yi zi, i - .
f
. f
, f(x) = a1x1 . . . am xm c, aj, c GF(2).
, f , c = 0.
f - (1,-1)-,
f (a
)
f (a 0 )
((-1)
, (-1) f (a 1 ) , ... , (-1) 2m -1 ) ; f - (0, 1)-,
( f (a 0 ), f (a 1 ),..., f (a 2 m -1 )) . , f
, 2m - 1 ().
, ab, a,b. , , a,bVm,
a,b = a1b1 . . . am bm, GF(2);
a b - (1,-1)-, a,b = i =1 a i bi ,
m
.
- -
. f - Vm. X - ,
xVm 2-m, Xi -
, i- xi GF(2), Y -
, f, Y = f(X). , f
k, Y
X i1 , ... , X ik k [361].
[392] , , Y = f(X)
b1X1 b2X2 . . . bm X m
(b1 , . . . , b m ) Vm , , 1 W(b) k, W(b)
( ) b.
[51] .
p(x|y)
X1,...,Xk k
p( x| y)( -1)
b ,x
= E[( -1) b , X | Y = y ] =
x Vm
= E[( -1)
b , X
]=
p( x)( -1)
b ,X
x Vm
, p(x|y) p(x) , .
, f$ f Vm
f$(b ) =
f (x )(-1)
b ,x
x Vm
, , -
,
f .
- k-
"--".
5.1.2 -
(I).
[361]. f1 f2 - Vm
k. , ,
f(u,x) = (u 1) f1(x) u f2(x)
(1)
- k- Vm+1, u -
GF(2), x = (x1, x2, . . . , xm).
(II). . , . , . . INRIA
1991 [55] ,
f1 f2
f$1 (l) + f$2 (l) = 0, l Vm , W(l) = k,
f k + 1. ,
,
:
1. g(x) 1 g(x);
2. g(x) g( x ), x = (1 x1, 1 x2, . . . , 1 xm);
g - - k- Vm. , 1 g(x)
, g( x ) . ,
- (k + 1)- Vm+1.
.
- . m n -
m > n. r pj, j = 1, 2, ..., n - Vm - n.
x = (x1, x2, . . . , xn) y = (y1, y2, . . . , ym - n).
$f(y, x) = \sum_{j=1}^{n} x_j\, p_j(y) \oplus r(y)$. (2)
j =1
f k- Vm, k - , k
min{W(P(y)) | y Vm - n} - 1, P(y) = (p1(y), p2(y), . . . , pn(y)).
(III). 1993 , -
. ()
[352].
. d =
(i1, . . . , is) Vs Dd(y) Vs
Dd(y) = (y1 i1 ) . . . (ys i s ),
y = (y 1, y2, . . . , ys), i = 1 i
() i. , Dd(y) = 1
, y = d, f
Vs + t
f ( y , x ) = Dd ( y ) f (d , x ),
d Vs
d Vm - n
Dd ( y )j d ( x ) r ( y ).
(3)
f k- Vm, k - ,
k min{W(gd) | d Vm - n} - 1, jd(x) = gd , x Fm,n gd Vn.
,
.
. k n, 0 k < n, W k,n
Vn, k + 1 ,
5.1.3
1985 [333] ,
-
. , ()
.
$z_i = \bigoplus_{j=1}^{n} x_{j,i} \oplus g(s_{i-1})$
$s_i = F(s_{i-1}, x_{i-1})$
si i,
n - 1 ( n -
). F g ,
,
,
. , 1 ,
.
, n
,
. i- i-
.
.
1990 [256]
1 .
.
f , g: F2n F2 - X - ,
x F2n 2-n.
Z = f(X) Y = g(X)
f g. - f g
$C_{fg}(t) = \sum_{x} (-1)^{f(x)} (-1)^{g(x \oplus t)}$
, c(f,g), [255],
$c(f,g) = 2^{-n} C_{fg}(0)$.
, g - () g(x) = w1x1 . . . wnxn.
Lw(x).
$c(f, L_w) = 2^{-n}\sum_{x} (-1)^{f(x)} (-1)^{w \cdot x} = 2^{-n}\hat F(w)$.
, Z = f(X) Lw(X) ,
c( f,Lw) = 0, , ,
F$(w ) =0. -
- Lw, ,
WH(w). ,
f [255],
$C^2(f) = \sum_{w} c^2(f, L_w) = 2^{-2n}\sum_{w} \hat F^2(w) = 2^{-n}\sum_{x} \hat f^2(x) = 1$,
. ,
f, .
1
. zi i
xj,0, xj,1, . . . , xj,i 1 j n ,
i
w
k = 0 j =1
j ,k
x j ,k .
2n(i+1) .
1 ,
f 0 , f s : F2n +1 F2
zi = f0(x1,i, . . . , xn,i,si-1)
si = fs(x1,i, . . . , xn,i,si-1)
a = (w0 ,w1 , . . . , wn-1, 0) b = (w0 ,w1 , . . . , wn-1, 1)
, s.
C2(f0) :
C 2 ( f 0 ) = c 2 ( f 0 , La ) c 2 ( f 0 , Lb )
a
= C 02 ( f 0 ) + C12 ( f 0 ) = 1
, C2(fs) C02 ( f s ) + C12 ( f s ) . [256] ,
zi, 1-
N = 2n(m+1) ( 1 m i)
Lw , m =
k = i - m j =1
j ,k
x j ,k
c
n =1
2
n
, 1,
C0(fs) = 0, C02(f0). ,
f0, fs, 1-
.
( ). 1- , Lw,m
n
j =1
s j - s j = k = i - m w j , k x j ,k , sj i
j- . , , 1 ,
[334]. ,
N - [256]. ""
[333] n
(
. 7.2).
5.2 -
1989 [255]
.
,
. ,
.
,
. ,
.
,
.
, , .
:
,
(, ) .
f(x1, x 2,. . . , xn),
x1,
x 2,. . . , xn. - ,
. , , f(x1, x 2,. . . , xn)
(1+x1)(1+x2) . . . (1+xn),
g(x1, x 2,. . . , xn) = x1x 2. . . xn . ,
,
.
,
( ).
.
f g
d(f,g) = |{x {0,1}n : f(x) g(x)}|,
, .
-
,
.
,
(
). ,
,
"-".
5.2.1
f Lw
c(f, Lw)
1 $
F (w ) .
2
2n-1, d(f, w x) =
d d(f, w x 1) = 2n - d. , f
m, d(f, Lw) = 2n-1
Lw(x) = w x WH(w) m. , ,
.
d(f,S) f S
$d(f, S) = \min_{g \in S} d(f, g)$
, f f S. ,
f A
$d(f, A) = 2^{n-1} - \frac{1}{2}\max_{w} |\hat F(w)|$
, d(f, A) ,
F$2 (w ) . ,
$\sum_{w} \hat F^2(w) = 2^{2n}$
, w , $\hat F^2(w) \ge 2^n$. ,
n f
$d(f, A) \le 2^{n-1} - 2^{n/2 - 1}$
, n
f
n
d(f, A) 2 n -1 - 2 2
-1
-2
5.2.2
- L
, 1980-
DES-. , f
[76] [114] a F2n , a F2n , x F2n
f(x) = f(x a) , f(x) f(x a).
a 0.
.
f(x) = x1x2 x2 x2 x3 ,
a=(1,0,1). [255] ,
d(f,L) 2n-2
, d(f,L) , d(f,L)
.
5.2.3
,
[255] . ,
,
$(\forall a \ne 0)$
$|\{x \in \{0,1\}^n : f(x) = f(x \oplus a)\}| = |\{x \in \{0,1\}^n : f(x) \ne f(x \oplus a)\}| = 2^n/2$,
, a f(x) f(x a)
x . , f
, Cf(a)
$C_f(a) = \sum_{x} \hat f(x \oplus a)\, \hat f(x) = 0 \quad (\forall a \ne 0)$.
- ( Cf(a)
F$2 (w ) ),
:
F$2 (w ) =2n .
, a 1 -
, | F$(w ) | = 2n/2 w.
-, [328] . ,
(-)
; n (-)
2n-1 - 2(n/2) - 1
2n-2 .
5.3 -
, - - ,
. , ,
(GF(2))n.
- . 1960- ,
[328]
10 , 1976 [353]. 1990- (,
, )
" -" .. 1972 [103]
" " (
5.4). 1974 [104]
, " " .
-
, [105]:
. f : F2n F2 - ,
S1 = {x: f(x) = 1} F2n
$(2^n,\; 2^{n-1} \pm 2^{n/2 - 1},\; 2^{n-2} \pm 2^{n/2 - 1})$.
( $|S_1| = 2^{n-1} \pm 2^{n/2 - 1}$ , x S1 $2^{n-2} \pm 2^{n/2 - 1}$
$x = y \oplus z$, $y, z \in S_1$.)
- ,
- .
[328], - n,
n/2.
-:
1. n = 2m g - ;
$f(x_1, \dots, x_n) = g(x_1, \dots, x_m) \oplus x_1 x_{m+1} \oplus \dots \oplus x_m x_n$
-.
$f(x, x_{n+1}, x_{n+2}) = a(x)b(x) \oplus a(x)c(x) \oplus b(x)c(x) \oplus [a(x) \oplus b(x)]\,x_{n+1} \oplus [a(x) \oplus c(x)]\,x_{n+2} \oplus x_{n+1}x_{n+2}$
-.
5.3.1 - -
-
( , . [105][ 285]).
[253].
2 F, n p , n = 2p.
. . .
. g :
- p :
Fp -
().
p
p
f : F n = F F F ,
f(x,y) = x p(y) g(y)
-. ( "" .)
(
) [286] "".
. f :
F m (),
Fn f(u+w) + f(u)
v Fm qn - m u Fn.
w
- .
. f :
F m -
,
-, Fm
u a c f ( u) -.
[286] - . f :
Fm -
, f1, f2, . . . , fm - f. ,
fi, i = 1, 2, ...,m, - ,
Fp () p
[287]. A -
. A, Ai, - Fp.
, ,
, I, A,A2, . .
., Ap - 1 - A , , .
- n m
, n 2m, . p
. n x y.
y, , , p(y), p - ()
Fp. m
x .
,
x.
.
.
p
gi, , , [287].
5.3.2
- - :
,
.
, . -
1993 [57]. ,
1975 ,
-. 1993
-
- [287].
(I). - D
, . :
-,
, "".
, . [104],
. f - - Fn. ,
p- E. ,
FE E, f +FE - -.
- D.
. - D :
(x,y) a FE(x,y) + x p(y), (x,y) Fp
Fp.
Fp, s
e1 = (c0, . . . , cs, 0, . . . , 0)
e2 = (0, c0, . . . , cs, 0, . . . , 0)
c0, . . . , cs C1.
G - Fp, s ,
(1, 0, . . . ,0), (0, 1, 0, . . . , 0), . . . .
FG, Fp,
E 2 ( y1 , ... , y p ) = ( e j y + 1).
j =1
FE
E ( x , y ) = E1 E 2 ( x , y ) = E1 ( x )E 2 ( y )
(x,y) Fn.
i = 1, 2, ...,s (x,y) Fp
Fp
Fn
Fs,
(II). -, , C [57].
, E , p. ,
- .
(, ). L -
Fp, p - Fp ,
l
Fp Fp
Fp, p
-1
(l + L ) - .
x p(y) + L^ ( x )
-.
-, .
C [287]. r - 1 s, A , r p - r, r p/2. C r, L - A r,
p ,
C. s Fp ,
l Fp, s -1(l + L ) .
p Bs, B - I, A, A2, . . ., Ar - 1.
i = 1, 2, ...,m, m r (x,y) Fp Fp
fi(x,y) = x Ai - 1(s(y)) + di L^ ( x ) ,
di = 0 1. f = (f1, f2, . . . , fm) :
C.
Fn
Fm
- -
5.3.3
1994 [108]
-,
- [253]
[105] . ,
- ,
.
(I). .
( ). L - GF(2n).
(s, f, y) ,
s : L GF(2) ,
f : L L ,
y : L L .
f = fs, f, y L2, (s, f, y),
:
x + y (y)
s
y 0
f (x , f ( y )) =
y
0 .
f
supp f = U ( yS + y ( y )) {f ( y )},
y L
S = supp s .
(s, f, y) -, fs, f, y
-.
- -,
- -.
-. , g(x,y) = x, p(y) + h(y) , p GF(2)n, h - GF(2)n, , -
.
-. E = GF(22n) E
L=GF(2n). a E E = L[a].
$\bar x = x^{2^n}$ $(x \in E)$,
E : L.
x a x / x
h:
E * E *
-
$H = \{z \in E^* : z \bar z = 1\}$.
h L*. , H -
- E*/L*, xL* (x E*). ,
$H \cong E^*/L^*$,
$\#H = 2^n + 1$.
H1 = H \ {1}. - - -
$D(Z) = \bigcup_{z \in Z} zL^*$,
Z H1 2n - 1.
g,
V GF(2), gW:
$g^W(a) = \sum_{x \in V} (-1)^{g(x) + \langle a, x \rangle}$.
x ,y = Tr(xy),
g L,
(x ,u), (y, v) = Tr(xy + uv),
g L2.
.
. U - V = GF(2)n, y0 V.
""- r : V U , s : V GF(2)
supp sW y0 + U
t U
tr + y d '-1 + Tr + y d '-1 y 0 y 0
f (x , y ) = y
y
0 y = 0
(II) .
f : GF(2)m GF(2)
$R_f = \max\{|f^W(a)| : a \in GF(2)^m\}$.
Rf f. ,
,
Rf.
- .
,
" - "
. ,
, -. .
. W = GF(2)n V = W2. f - - V,
- 2n , n-
. , f(x,0) = 0 xW.
q : W GF(2). x,yW
$Q(x, y) = \begin{cases} f(x, y), & y \ne 0 \\ q(x), & y = 0 \end{cases}$
Q -
$Q^W(a, b) = \begin{cases} f^W(a, b) + q^W(a), & a \ne 0 \\ 0, & a = 0 \end{cases}$
, , ,
RQ = 2n + Rq .
,
,
. ,
, , () ,
" " -,
.
,
2n n
$R_B(2n) \le 2^n + R_B(n)$,
$R_B(m) = \min\{R_f \mid f : GF(2)^m \to GF(2)\}$.
.
5.4
5.4.1
. -
, . (.
5.3), - ,
. , - , -,
, .
;
-
. ,
.
1985 [383]
(), S-
(., , [97]).
. , ,
1
2
. ,
$P(f(X) = f(X \oplus a)) = \frac{1}{2}$ $\quad (\forall a : W_H(a) = 1)$.
, f ,
1:
$(\forall a : W_H(a) = 1)\; C_f(a) = 0$,
-
$(\forall a : W_H(a) = 1)\; \sum_{w} \hat F^2(w)(-1)^{w \cdot a} = 0$.
-
, [118]. ,
m: f m [118] [220]
, , f m
, ( -).
[220] , 2n+1 n ,
n - 2.
(-)
. ,
, a 1.
, - , .
[304] 2n+1 , n - 2.
,
1990 (. , .
, . , . . ) [304]
, . ,
f : F2n F2 k,
$(\forall a : 1 \le W_H(a) \le k)\; P(f(X) = f(X \oplus a)) = \frac{1}{2}$.
PC(k) ,
k. , f PC(k),
(∀ a : 1 ≤ WH(a) ≤ k)
Cf(a) = 0,
, -:
Σ_w F̂^2(w) (-1)^(w·a) = 0, 1 ≤ WH(a) ≤ k.
, PC(1),
PC(n).
5.4.2 ,
,
1993-1995 . , .-. .
,
[351][ 353].
5.4.2.1 .
, Vn GF(2) (
Vn), Vn - n- GF(2). ,
Vn n , ,
.
- - .
-
Vn [0, 2n - 1],
. , ai ,
i.
f - Vn. f - (1,-1))
f (a
,
((-1) f (a 0 ) , (-1) f (a 1 ) , ... , (-1) 2 m -1 ) ;
f - (0, 1)-, ( f (a 0 ), f (a 1 ),..., f (a 2m -1 )) .
(0, 1)- ( (1,-1)-) ,
, (
). , .
, (a 0 ,... , a 2 n -1 ) (b0 ,..., b2 n -1 ) - f g
Vn, (a 0 b0 ,..., a 2 n -1 b2 n -1 ) - f(x) g(x), x = (x1, x2, .
. . , xn). , - (a 0 ,..., a 2 n -1 ) = ( - a 0 ,...,- a 2 n -1 ) - 1 f(x).
f , f(x) = a1x1 . . . am xm c,
aj, c GF(2). , f , c = 0.
, .
W(a) a - a.
a b , d(a,b)
- , .
f g Vn d(f,g) = d(xf, xg), xf xg f g, . f, Nf ,
- f Vn.
a,b. , , a,bVn, a,b = a1b1 . . . an bn,
GF(2); a b - (1,-1)-,
a,b = i =1 a i bi , .
n
A mn B st,
A B, - ms nt,
a11 B a12 B L
M L
AB = M
a m1 B a m2 B L
a1n B
M ,
a mn B
aij - i- j- A. ,
a m b n -
mn, a b = (a1b, a2b, . . . , amb), ai i- a.
(1,-1)- H n , HHt= nIn,
Ht - H, In - n.
, 1, 2 4.
,
- -. 2n, Hn,
1 1
H 0 = 1, H n =
H n-1 , n = 1,2, ... .
1 - 1
, Hn Hn = Hs Ht s t, s + t = n.
, .
li
l0
l
1
,
Hn =
M
l 2 n -1
li - hi = ai,x, ai - Vn,
i, x = (x1, x2, . . . , xn). :
Vn - Hn.
, Hn Vn.
,
, .
d = (i1, . . . , ip) Vp Dd(y) Vp
Dd (y1, y2, . . . , yp) = (y1 i1 1) . . . (ys ip 1).
f 0 , f 1 ,..., f 2 p -1 - Vq. xi - fi , i = 0,1,...,2p-1,
x - x0 , x1 ,..., x2 p -1 , x = (x0 , x1 ,..., x2 p -1 ) .
, x - Vp+q
f ( y, x) =
2 p -1
ai
i= 0
( y ) f i ( x ),
n
2
(-1)
f ( x ) b , x
= 1
x Vn
, - Vn , n - .
- . [103]
-.
. f - Vn , x - f.
:
(i) f - -;
1
n -1
" a Vn.
x , x.
5.4.2.2 .
.
.
f g - Vn, xf xg,
. f g
d(f,g) = 2n - 1 -
1
xf, xg .
2
,
.
. f1 f2 - Vn, g - Vn+1,
g(u, x1, . . . , xn) = (1 u) f1(x1, . . . , xn) u f2(x1, . . . , xn).
(1)
, x1 x2, f1 f2, ,
x1, l P1 x2, l P2
l 2n, P1 P2 - .
g
Ng 2n -
1
( P1 + P2).
2
- V2k+1, ,
V2k+1 . ,
, ,
-. [255].
. (1), f1 f2 - - V2k, Ng 22k - 2k.
,
.
. f0, f1 , f2 f3 - Vn, x0,x1,x2 x3,
. , xi, l Pi 0 i 3
l 2n, Pi -
. g - Vn+2,
3
g ( y , x ) = Da i ( y ) f i ( x ),
i=0
(2)
ai
- V2,
1
i. Ng 2n+1 - ( P0 + P1 + P2 + P3).
2
, n - , f0, f1 , f2 f3 - - Vn,
Ng 2n + 1 - 2
n+1
, 2t, t 1.
(1) (2) .
- -.
m- 1
2 2 2 2 .
- ,
m- 2
H 2 m - 2 . 2 2 .
- .
,
22 = 4. (1,1,1,1)
(1,-1,1,-1). .
,
22
-1
1 2 m -1
m
2
(2
+ 2 2 - 2 + ...+2 2 + 2 2 2 ).
2
n = 2s(2t + 1), s 1 t 1,
.
, 22t + 1.
l 0* = (e2 t , e 2 t +1 , ... , e2 t +1 -1 ) ,
- (e 0 , e1 ,..., e 2 t +1 -1 ) , ei - Ht+1.
.
. n 4 f* Vn,
Nf*
1 2 m -1
2 m -1
2m -2
22
2
2
2
2
(
+
+
...
+
+ 2 2 2 ),
n = 2m ,
2
s
1 2 s -1 ( 2 t +1)
s- 2
2 ( 2 t + 1) -1
2
- (2
+ 2 2 ( 2 t +1) +...+2 2 ( 2 t +1) + 2 2 t +1 + 2 t +1 ), n = 2 s (2 t + 1)
2
V2k + 1.
, [353].
. x1 - f1 Vs, x2 - f2 Vt.
1. f1(x1, . . . , xs) f2(y1, . . . , yt) - Vs+t, f1 f2
;
2. x1 x2 - f1(x1, .
. . , xs) f2(y1, . . . , yt).
. x1 - f1 Vs, x2 - f2 Vt.
1
P1 P2.
2
5.4.2.4 ,
.
,
. .
V2k +1. f - - V2k, g V2k +1,
g(x1, . . . , x2k + 1) =
= (1 x1) f(x2, . . . , x2k + 1) x1(1 f(x2, . . . , x2k + 1)) =
= x1 f(x2, . . . , x2k + 1).
[353] ,
gV2k +1,
g (1,0, ... ,0). g Ng 22k - 2k.
V2k. f - - V2k - 2, g - V2k,
f
g(x1, . . . , x2k ) =
= (1 x1) (1 x2) f(x3, . . . , x2k) (1 x1)x2(1 f(x3, . . . , x2k)) =
= x1(1 x2)(1 f(x3, . . . , x2k)) x1x2 f(x3, . . . , x2k)) =
= x1 x2 f(x3, . . . , x2k).
, g
gV2k,
g = (c1,c2,0, ... ,0), c1,c2 GF(2). g
Ng 22k - 1 - 2k.
,
.
,
, ,
, -
. ,
.
, ,
, .
,
. ,
.
1. f - - V2k g*(x1, . . . , x2k + 1 ) = x1 f(x1 x2,
x1 x3, . . , x1 x2k + 1). g* - V2k + 1
2k. g*
Ng* 22k - 2k.
V2k,
g1* g2*. , ,
4k/3, 2k - 1.
2. , 2k = 3t + c, c = 0,1 2.
V2k,
2t - 1 ( = 0 1), 2t ( = 2).
22k - 1 - 2k.
g1* = (a1, . . . , a3t + c ) g2*= (b1, . . . , b3t + c ),
1 j = 1, ... ,2 t + c1 ,
aj =
0 j = 2 t + c1 + 1, ...,3t + c.
0 j = 1,..., t + c2 ,
bj =
1 j = 2 t + c2 + 1,...,3t + c.
c = 1, c1 = 0, c2 = 1; c1 = c2 = c/2.
5.4.3
5.4.3.1
[79] [23] [29] [402].
. F = (f1, . . . , fm) - Vn Vm, n m 1, x = (x1, . . . ,
xn) Vn.
1. F
T = {j1, . . . , jt} {1, . . . , n}, (a1, . . . , at) Vt
- ,
(. 5.1). , (n,1,t)- -
, t.
, XOR-,
-.
. F = (f1, . . . , fm) - Vn Vm, n m 1, fj -
Vn. F - , ( , Vm 2n - m
, x Vn ) ,
f1, . . . , fm .
.
. F = (f1, . . . , fm) - Vn Vm, n m 1, fj -
Vn. F (n,m,t)- ,
m
f1, . . . , fm , f(x) = j =1 c j f j (x ) (n,1,t) .
, F = (f1, . . . , fm) - (n,m,t)- ,
G = (f1, . . . , fs) - (n,s,t)- 1 s m. ,
, (n,m,t)- 2m - 1
- t Vn. ,
(n,m,t)- , ,
- -.
, [402] , f - (n,1,t)-
, j(x) = c1x1 . . . cnxn
W(c1,...,cn) t f(x) j(x) ( ,
t, [392]).
, F (n,m,t)- ,
(n,m,s)- 1 s t.
5.4.3.2
: "" "" - "" "".
,
[23] [29],
.
[371].
[29].
, () . fi - (ni,1,ti)- , i = 1,2. ,
f1(x) f2(y) - (n1 + n2,1, t 1 + t 2) - .
s ,
s - 1 +
t .
j =1 j
[402] ,
F = (f1, . . . , fm) (n,m,t)- , G(x,y,z) = (F(x)F(y),F(y)F(z)) (3n,2m,2t+1)- , x,y,z Vn. , G(x,y,z,u) = (F(x) F(y),
F(y) F(z), F(z) F(u)) - (4n,3m,2t+1)- , x,y,z,u Vn. ,
(n,m,t)- ,
((h+1)kn, hkm,2k(t+1)-1)- h = 2,3,... k = 1,2,...
.
.
F = (f1, . . . , fm) - (n1,m,t1)- G = (g1, . . . , gm) - (n2,m,t2) . P(z) = F(x) G(y) = (f1(x) g1(y), . . . , fm(x) gm (y)) -
(n1+n2,m,t1+t2)- .
F = (f1, . . . , fk) - (n1,k,t1)- G = (g1, . . . , gl) - (n2,l,t2) . P(z) = (f1(x), . . . , fk(x), g1(y), . . . , gl (y)) - (n1+n2,k+l,r) , r = min{t1,t2}.
5.4.3.3
, . .
, ,
,
[23] [29].
[372], ,
,
.
. [402]
. ,
, ,
,
.
, , F - (n,m,t)- , G -
Vm, P = G o F , P(x) = G(F(x)), - .
, (n,m,t)-
2m! (n,m,t)- .
, F - (n,m,t)- , G -
Vm, NG, P = G o F - (n,m,t)- ,
() P NP =2n-m NG, ()
P , G. ,
(n,m,t)- , (n,m,t) P,
1
n- m
N P 2 n -1 - 2 2 m - 1.
.
5.5
, [339] ,
.
2n c 2 = 1 (
). ,
. ,
, - -, f
.
, n
N ,
2n N . "
" ,
N . , [255]
[333] - f ,
, N .
.
,
[255] - (
) 2(n/2)-1 ()
. "
".
,
, ,
.
6.
6.0
,
, - ,
. ,
,
. ,
-
, ,
.
1980- [158].
[19].
6.1
. [339],
: (I) (II)
. 6.2 6.3
-
,
. 6.4
.
,
, ,
( ) . ,
.
, ,
( )
[323].
, ,
- ;
. ,
, .
, (,
)
. ,
,
[135].
80- ,
, 90-
[322].
-
.
6.1
[339],
: ( 6.1.1)
( 6.1.2).
6.1.1 ,
6.1.1.1 , "-" "- "
- ,
.
:
: : <L1, C1(D)> T1
<L2, C2(D)> T2
L
f : F2 1 Z T
2
: x0, y0 , , f
i = 1, 2, ...
1. 1 f(xi).
2. 2 f(xi) ys(i) , s(i)
, 2
i.
3. zi = ys(i).
: zi , i = 1, 2, ...
zi = ys(i)
s (i ) = f (x k ) .
k =1
f
. f(xi) = xi ,
,
" -" [28] [377]. ,
0 ,
. ,
i i+1,
, 1. ,
, (
)
. "-"
1 , f(xi) = 1 + xi,
" - ". [65]
BRM- (Binary Rate Multiplier), f
n -1
f (x i ) = 1 + x i - j 2 j
j= 0
n L1 .
6.1.1.2
. 1974 [374].
.
, ,
.
T1
S = s (T1 ) = f (x k ) .
k =1
, (S, T2) ,
. ,
T1((S, T2)/S) = T1T2/(S, T2).
(S, T2) = 1, ,
T1 = T1T2.
, (S, T2) = 1 .
,
, .
[288] ( , 1975 ).
.
T1 ,
"--"
m, , l- l (L2+1)/2
, m y$.
[135]
. m-,
TC,
0 d i 2 L2 - 1 . i di ,
. d$
. ,
L2TC ,
2 T2/(S,T2) L2. ,
, ,
, m-
TC L2.
1 TC L2.
6.1.1.3
"-"
,
[168]. "-",
;
.
:
: : <LC, CC(D)> TC
< L1, C1(D), L2, C2(D)>
: x0, y0(1), y0(2)
i = 1, 2, ...
1. C xi
2. xi = 1, 1 ys(1()i )
xi = 0, 2 y i(-2s) (i )
3. zi = ys(1()i ) + y i(-2s) (i )
: zi , i = 1, 2, ...
[168] ,
TC = 2k. C1(D) C2(D)
, (T1,T2) = 1,
T = 2kT1T2,
:
( L1 + L2 )2 k -1 < L (z$) ( L1 + L2 )2 k .
, (S,T1) = (TC - S, T2) =
=(T1, T2) = 1
T1, T2 1
T = TCT1T2. [168],
x$ x$
L + L' - 2(T,T'),
L( z$) ( L1 + L2 - 2) TC .
m-,
l- l min{L1, L2} 2-l
O(1 / 2 L1 - l ) + O(1 / 2 L2 - l ) , .
,
|t| TC -1.
[168] ,
"--" .
4LC,
.
. ,
,
.
6.1.1.4
,
,
, .
[67] [154] [187] [374] [377].
:
: : <L, C(D)> T0
N ,
: s0(n), n = 1, . . . , N
i = 1, 2, ...
1. 1 y i(1)
2. n = 2 ... N
n- y i( n-1)
y i( n ) = y i( n-1) ss( nn )-1 (i )
i
s n-1 (i ) = y i( k -1)
k =1
n- y i( n-1) +1
3. zi = y i( N )
: zi , i = 1, 2, . . .
: m- [158]
[187] [374] [377] p-. m-
T0 = 2L-1.
.
, n-
T0n LT0n-1.
T0N
1 + L(T0 + . . . + T0N-1), LT0N-1.
p-
p. ,
, p-
6.1.2
6.1.2.1 [d,k]-
[336] ,
. , ,
d , , ,
k .
.
[d,k]- .
[d,k]-:
: : <L, C(D)> T0
f : {0,1} Z T
0
: y0
i = 0, 1, 2, ...
1. zi = ys(i)
2. f(ys(i)) s(i)
TL = (2 L - 1)
3
,
,
, , ,
.
:
. d, k 2 ,
zi = ys(i) + 1 s(i + 1) = s(i) + f(ys(i) )
.
[67] ,
,
. , , zi = ys(i)
,
ys(i), . . . , ys(i) - (z - 1) = 0.
. L - z ,
T = 2L - 1 - (2/3)(2L - z - 1).
(L, z), 2- T. T - 2, Cp(D) = 1 + D + . . . + DT-1 ,
T T - 1.
p, p
.
6.1.2.2
1994 [259] ( . 6.3).
, , .
. 1, . 0, .
, ,
,
.
.
,
, . ,
,
, ,
. [82], , ,
, .
, ,
,
, . ,
,
[322].
6.2
- "" ( 6.1.1) ,
, ..
[154] [158].
,
( )
, [154]. ,
[154] [156].
, , [157].
,
, ,
. "" ,
.
,
. ,
.
, ,
(
1, ),
.
[261]. ,
,
. ,
. ,
, 10
.
, .-. , .-. .-. 1995
" " [294].
Tn ,
.
. Sn = Tnk - 1
k- .
.
, 10- 100
. , 9- 100-
, 10-
.
k,m- k 0 m
1. , "-" - "0,1".
2
( , ).
0...0 1...1. 0,1- ,
, [154] [157] . ( probn(w)
w ,
n , , 1.)
1. 0,1- n p, p 3 ,
:
- pn;
- , d
pn - 1
, d -
p-1
p p2 /| 2p - 1 - 1;
1
- lim prob n ( w ) = |w | ;
n
2
- (2p
.
- 1
- 2)
: 0,1-
[157].
()
. , (2p - 2)n,
((2p - 2) / p)n - .
(II) k,m-. 0,1-
k,m-. [159] :
1. a) k,m- n p, p 3 , k m
pn.
) k,m- n p, p 3 , p2 /| 2p - 1 - 1, k m,
,
pn - 1
d
, d 1.
p-1
) k,m- p, p 3 , k m, .
.
) k,m- p, p 3 , k m,
1
lim prob n ( w ) = |w | .
n
2
,
) , , . 1,2 3 ,
. s-
s 1. ,
1/3n:
1 3n
1 3n
prob n ( w ) n |w | .
3n 2 |w |
3 2
(III) k,m-.
,
. ,
. k,m- 1.
- ,
. , - ,
.
, .
:
2. a) q q' k,m- ,
,
.
) k,m- , k p - m.
(IV) k,m- .
2. k,m- p, p 3 , k m, .
. n k,m p, p 3, , k m,
- pn;
pn - 1
- d
, d 1
p-1
p2 /| 2p - 1 - 1;
1
- lim prob n ( w ) = |w | ;
n
2
- (2p - 2)n
, k - m (mod p).
k,m-
. k,-k, ,
((2p - 2)/2p)n. , 1,2 3
,
(. ).
6.2.2
,
( , p) [161].
(I) .
. ,
, , () ,
.
[160].
,
() (., , 5 [202]). ,
, "1,-1"-
, ,
.
,
. n , p,
np2
.
[157]. ,
,
np2 ,
.
. ,
.
(II) . . [260] [261]
"-", - XOR-
.
"-"
. , .
1.
.
1,
11=0. , . ,
. , ,
1/2 .
.
,
00. 0 ,
- 10, 01. 1/2.
0 10 3/4. (
) 10 (11, ).
, ,
. ,
[261]. ,
, "-".
(III) . [159] (. )
, 1,2- 3.
1,2-, q(0)
100.
x1x2 2. q(2) y1y2,
q(0) x1x2, .
q(0) \ x1x2      00        01        10        11
100            001/00    100/01    100/11    010/10
001            010/10    001/11    001/00    100/01
010            100/01    010/00    010/10    001/11
, ,
x: = 2x 2 + x1 , y: = 2 y 2 + y1 , 1000,
0011, 0102.
2
0
3
1
0
1/2
0/0
0/1
2/3
1
2/3
1/1
1/2
0/0
2
0/0
2/2
2/3
1/1
q(2) x q(0) y,
,
0
1
2
3
0
0/0
0/3
1/2
2/1
1
0/1
1/0
1/3
2/2
2
0/2
1/1
2/0
2/3
,
, :
3y + q(0) = 4q(2) + x, i.e. 3y + q(0) ≡ x mod 4.
,
. , x ,
y q(0).
,
, 1,2- 3 [159].
,
m- , ,
( ).
,
.
,
.
, ,
.
,
.
6.2.3
-
m-,
[158][339]. , 1993 .
[261]
,
"-". " "
m-,
[262].
(I) . "-" L L
()
d, .
(1) ,
n- (2 n L) (n - 1) .
sn*(t) n t, en - 1(t) -
AND(n-1), : en - 1(t) = 0 sn*(t + 1) = sn*(t).
mod 2 , : en(t) = en - 1(t) sn*(t), t
eL - 1(t) sL*(t).
, (T)
(LC) . [400],
T = (2d - 1)L LC d(2d - 1)L - 1.
[261].
L
(), .
:
(i) Gh* = { gh*(t)} (1 h L) - , h
Zh - 1 = { zh - 1(t)} (z0(t) = 1, zk(t) = zk - 1(t) gk*(t), 1 k L);
(ii) h1, ... , hN (1 h1 < ... < hN L) - h, zh - 1(t) = 0,
h1, ... , hN ,
gh*(t + 1) = gh*(t), h {h1, ... , hN},
t + 1 (L - N)
.
A = {a(t)}
:
~
A = {a~ ( t )} = { a(t) a(t + 1)},
A(q) = a(0), a(1), . . . , a(q - 1), q 1.
~
[262] , Z L
~
Z h (h = 1, 2, ..., L-1),
Nh={nh(t)}, ().
~
zh ( t ) ~
z L (t ) (, , nh(t)=0)
L+1-h
1/2 + 1/2
.
~
Z L ,k , ( 0 k L - 1), ,
~
z L ,k ( t ) = ~
zL ( t ) ~
zk ( t ) ,
~
. Z L , h-1
~
Gh* (1 h L),
z
(t )
. g~ * (t ) ~
h
L+1-h
1/2+1/2
L ,h -1
(II) . L- ,
Sk* = {sk*(t)} Ek = {ek(t)} (e0(t) = 1, ek(t) = ek - 1(t) sk*(t), 1 k L).
~
E L , k -1 Rk (1 k L) ,
~
e
(t ) = ~
e (t ) ~
e (t ) r (t ) = ~
s * (t ) e~
(t ) , .
L , k -1
k -1
L , k -1
, , L
( ) f1(x), f2(x), ... ,
fL(x) . S1*, S2*, ... , SL*
G1*, G2*, ... , GL*.
, E L( N )
. ,
N)
h , E h( -1
fh(x).
~ ( N - 1)
(N )
(N )
E L E h -1 , E L ,h-1 :
~
E L( N,h--11) = ~
sh* (0) rh (0), ~
sh* (1) rh (1),..., ~
sh* ( N - 1) rh ( N - 1)
= sh* (0) sh* (1) rh (0), sh* (1) sh* (2) rh (1),..., sh* ( N - 1) sh* ( N ) rh ( N - 1),
rh(t)
Prob(rh ( t ) = 0) =
1
1
+ L +1- h .
2 2
N)
E h( -1
en - 1(t) = 0 sn*(t + 1) = sn*(t),
sh*(t) sh*(t + 1) rh(t), sh*(t + 1) sh*(t)
~
E L( N,h--11) . ,
def
D(LM,h)-1 = d L ,h -1 (0),..., d L ,h -1 ( M - 1)
= sh* (t 0 ) sh* (t 0 + 1) rh (t 0 ),,..., sh* (t M -1 ) sh* (t M -1 + 1) rh (t M -1 ),
t0 < t1 < ... < tM - 1 - E h( -N1-1) , M, , -
~
N/2 (, e0(t) = 1, E L( N,h--11) D(LM,h)-1 h=1).
Sh(M+1) = sh(0), sh(1), ... , sh(M) ,
h , .
h t0 < t1 < ... < tM - 1,
d L ,h -1 ( t ) = sh ( t ) sh ( t + 1) rh ( t ) = ~
sh ( t ) rh ( t ), 0 t M - 1, rh ( t ) = rh (t t ),
Prob( rh ( t ) = 0) = 1 / 2 + 1 / 2 L +1- h .
~
, D(LM,h)-1 S h( M ) ,
.
~
, S h( M ) h,
~
S h
, .
- Sh
, fh(x),
.
~
Sh(N), Eh(N) E L( N,h -1) .
,
(h + 1) , fh+1(x).
. E0(N) ( e0(0), e0(1), ... , e0(N-1))
, (h=1) EL(N) f1(x).
, L-
L .
,
. ,
. ,
h=1 L,
, L .
6.3
6.3.1
1993 ( DES), ,
IBM,
[82].
, " ",
, , ,
( ,
) .
.
6.3.1.1 , ,
() ,
.
. -
,
"1" .
, a0,a1,... , s0,s1,... - .
z0,z1,..., ai,
si "1".
. ( , -
"" .) , k = 0,1,2..., zk = a ik , ik k- "" s0,s1,....
().
.
,
.
.
( ) .
( ) ,
. (
, ,
XOR-).
A, - S ( "").
|A| |S| - . , (
) a0,a1,... s0,s1,...
, A- S-.
, z0,z1,...
Z-.
,
() .
,
.
, .
.
. A S Z. TA TS
A- S-.
- A S (.. );
- (TA,TS) = 1,
Z
TA · 2^(|S|-1) = (2^|A| - 1) · 2^(|S|-1)
LC,
|A| · 2^(|S|-2) < LC ≤ |A| · 2^(|S|-1).
,
,
(
). ,
. ,
,
: ,
, m-.
( ) - .
6.3.1.2 e-
. n
, f : {0,1}n {-1,1}.
- 2n-
,
<g, f> = 2^(-n) Σ_{x ∈ {0,1}^n} f(x) g(x) = E(gf).
iS xi = 2l + 1
:
- A, B: cAcB = cADB, ADB - A B.
- {cS} S {1,...,n} , .. AB,
<cA,cB >= 0 A <cA,cA >= 1.
( )
, ..
S cS c S , cS - . f -
f cS. f
S {1,...,n}, S- , f$ (S),
, cS, f = f$( S ) c .
S
cS - ,
f$ (S) = <f, cS >.
f$ (S) = Pr[f(x) = iSxi] - Pr[f(x) iSxi],
e-, ""
.
. m {0,1}n e-,
S {1,...,n}, | m$ (S)| e2- n.
e- 1990 . . [275],
.
[6] e-
.
. D(m,n) n,
A m, A
m GF(2),
A
m. D(m,n) - (n-1)/2m-
.
f - {0,1}n . L1
L1(f) = Σ_S |f̂(S)|. [209] e-
m L1-:
x , L1(sum) = n.
AND(x) = x , L1(AND) = 1.
n
- sum(x) =
-
i =1
i i
.
- , .
, A - ,
m GF(2). X n i1, . . . , in A- (, ij 2m-1).
Y =
n
i =1
X n^2/2^m, X Y
(n^3 + n^2)/2^m, , , |E[X^k] - E[Y^k]| ≤ n^k/2^m.
-
,
. , X n A Y - n .
B {0,1,*}n - .
|E[templateB(X)] - E[templateB(Y)]| ≤ n/2^m.
, ik(A) k-
, EA[ik(A)] = O(k).
.
, -
(, ,
, , ,
). , .
. Z - ,
A S.
X - n Z-
(, n|S| 2|A| ), Y =
n
i =1
yi , yi - {0,1}-
6.3.1.3
.
S. A S,
S. ,
|S| |A|, - O(2^|S| |A|^3).
A ,
, ,
. ,
A,
S ( S ).
- S t- S.
Z ( t/2 ) t pi = ai si. (, A-,
S-, Z,
, si = 0, ).
- ,
|A||S| (. [339]). , t = 2|A||S|
-
pi.
|A||S|.
S-
Zi. ,
S ( 2^(2|S|)/|S|),
pi (i.e. O((|A||S|)^2)) ).
Z |A||S|.
.
|S|
, , 2|S|-2|A| . ,
.
O(2^|S| |A|^2). , 2^|S| |A|
. ,
,
.
6.3.1.4
. ,
"1" S. ,
1 . . -
, .
,
( , ""
). ,
,
( ).
, ,
. .
.
. ,
(16 24 ) ,
, (310-7 24 ). , ,
"0" "1". ( ) -
A-, "" S ,
.
. ,
.
- .
,
.
.
.
,
. 1993
, ,
IBM [206].
. , ,
2.5 / IBM 33 -.
61-64 .
, (, 32 )
, ..
.
,
. ,
.
6.3.2 - (Fish)
6.3.2.1 Fish
1993 . , Siemens AG,
[38],
Fish
[197] (Fish - Fibonacci shrinking).
32-
. 33- Intel 486 15
/ .
. A S. A
a0,a1,... GF(2)^nA. S s0,s1,...
GF(2)^nS. , , ,
s0,s1,... d: GF(2)^nS → GF(2).
, A.
S. -
, .
: d(si) = 1, ai si ,
. , i1,i2,...,ik,..., ik - k-
s0,s1,... d(si) = 1. :
z0,z1,..., a i1 , a i2 ,... ; h0,h1,... , si1 , si2 ,... .
hj d(hj) = 1.
nA = 1 nS = 1. d()
, z0,z1,... .
32- nA = 32 nS = 32.
A S ,
, [197] (. 8.1.10),
. A S:
ai = ai-55 + ai-24 mod 2^32
si = si-52 + si-19 mod 2^32,
+ ,
. a-55,a-54,...a-1 s-52,s-51,...,s-1
.
.
d: GF(2)^32 → GF(2) 32-
d(b31,b30,...,b0) = b0.
z0,z1,... ,
. ,
z0,z1,... h0,h1,... (z2i,z2i+1) (h2i,h2i+1),
32- r2i r2i+1
:
c2i = z2i ⊕ (h2i ∧ h2i+1)
d2i = h2i+1 ∧ (c2i ⊕ z2i+1)
r2i = c2i ⊕ d2i
r2i+1 = z2i+1 ⊕ d2i ,
⊕ - XOR, ∧ - AND.
c2i z2i+1, c 1 h2i+1.
h2i h2i+1 1 d.
z2i z2i+1 r2i r2i+1,
r2i r2i+1 z2i z2i+1. ,
Fish
.
Fish
.
. ,
, .
6.3.2.2 Fish
1994 ,
[14]. - Fish,
"" (. 6.3.2.1).
, ,
,
si = an - 1 si - 1 + an - 2 si - 2 + . . . + a1 si - n + 1 + a0 si - n (mod m),
m - 2. X n + ai X i ,
, ,
(. [43]).
, , ,
2. ,
-
X n + a i X i , a'i ai (mod 2).
" -
(FISH)" .
-, A S,
ai = ai-55 + ai-24 mod 2^32
si = si-52 + si-19 mod 2^32.
si ai zi, si hi. j-
ai ai,j, :
si,0=1, ai zk , si - hk. ,
XOR AND, ci:
c2i = z2i ⊕ (h2i ∧ h2i+1)
c2i+1 = z2i+1.
ri ci () c(2i),j c(2i+1),j
, h(2i+1),j = 1.
,
- , A
: {zi,0} - {ai,0}, {si,0}.
{si,0},
251 .
:
, ,
.
.
( .) [82],
. , A
[334], , 1/8 {ai,0, a(i+31),0,
a(i+55),0} zi,0. - ,
S, ,
z(i-12),0 + zi,0 + z(i+15),0, ,
. ,
z(i - x),0 + zi,0 + z(i + y),0, x () 12 19, y - 9 15.
, zi,0
A. 1/4 ,
zi,j, 12% , ,
. zi,0 = 1 , z(i-19),0 ... z(i-12),0 = 11110111,
z(i+9),0...z(i+15),0 = 111111, (0,1,1) ,
12- ,
A. , ,
, , 25
S.
, "-
" S. , , z(i-12),0 + zi,0 + z(i+15),0,
15 s(i-31),0, ..., si,0 , 12 si,0, ..., s(i+24),0;
3 25 , si=si2+si-19.
(
240 ).
O(|A|3) O(|A|)
, [7]. ,
|A| , ai,0
,
ai,0 , . ,
2|A| ,
S, ,
.
, , , ri
, z(i-x),0 + zi,0 +
z(i+y),0 A.
, ri.
16 () :
r0 = 0110101011010110 = ???????????????0
r1 = 1010001101011010 = ??10?01??101??10
r2 = 1001011010110111 = ???????????????1
r3 = 0011100110011011 = 00?1????10?1??11
, z(2i+1), 1/4
zi 1/8 ai. , 212 , ,
zi-x = ????????????0110
zi = ????????????1011
zi+y = ????????????0001
25
.
.
si,0 ai,0,
ai; ai,j
j. , [254], 0.125
,
550 5500 ( ). ,
2k, GF(2),
, . ,
[226] (. 4.3.5), ai,1,
ai,2 ai,31.
ai, si, ri, r(2i),j
r(2i+1),j. zi
h(2i+1),j, - si,j.
: si,0 si,1, si,2 si,31.
FISH (
""), , ,
, .
PIKE ( ""),
A5,
GSM ( . 8, 8.5.5
8.2).
6.3.3
1994 . (HTL Brugg-Windisch)
(Gretag AG) -
[259].
,
,
, . [82].
- -
.
- a = (a0,a1,a2,...)
((a0,a1), (a2,a3), ... ). (a2i, a2i + 1)
(1,0) (1,1), 0 1,
, .
(0,0) (0,1), , ,
s = (s0,s1,s2,...). ,
3/4 , 4 .
- , , ,
. ,
- .
6.3.3.1
-
? , ,
, (a0,a2,a4,...)
N , (a1,a3,a5,...) -
.
, (a0,a2,... ,a2N - 2) (a1,a3,... ,
a2N - 1), . ,
.
, ,
.
1 2 f(x) g(x),
. b = (b0,b1,b2,...) c = (c0,c1,c2,...) -
.
a = (c0, b0, c1, b1, c2, b2, ... )
. , a
f(x2) g(x2) = f(x)2 g(x)2.
,
.
[82] ( 6.3.1)
, ,
-. , .
[82] ,
.
6.3.3.2 ,
,
( m-).
a = (a0,a1,a2,...) -
m- N, a 2^N - 1. ,
s, a,
, 2^N - 1.
.
. P L -
N
P 2 N /2 ,
L > 2 N / 2-1 .
.
, P
N > 3, P = 2^N - 1.
L : 2N - 2 < L 2N - 1.
,
, , N = 200
1030.
,
2^N - 1: m- 3,
an = an-2 + an-3,
2 4.
m- N < 20,
.
m- N 15.
N    m-sequences   Lminimum   Lmaximum   d = 2^(N-1) - Lmaximum
2         1            2          2            0
3         2            2          3            1
4         2            5          5            3
5         6           10         13            3
6         6           25         28            4
7        18           54         59            5
8        16          118        122            6
9        48          243        249            7
10       60          498        504            8
11      176         1009       1015            9
12      144         2031       2038           10
13      630         4072       4085           11
14      756         8170       8180           12
15     1800        16362      16371           13
, ,
P P - 1,
P
i=0
sn - i = 0 .
m--
2^(N-1) - 1.
: N = 4,
, , 2^(N-1) - d, d = N - 2.
N = 4. , 2
N 15 (x^(2^(N-1)) - 1)/(x - 1) N - 2 -
m--, N.
, m- .
6.3.3.3
.
. ,
.
(s0,s1,s2,...) - . s0
(aj,aj + 1) , j .
-
j. s0, , aj = 1 aj + 1 = s0.
(aj + 2, aj + 3) : aj + 2 = 1 aj + 3 = s1,
s1; aj + 2 = 0, aj + 3 = 0 aj + 2 = 0,
aj + 3 = 1, .
. ,
n , N = 2n
S = 3^(n-1) ≈ 3^(N/2) = 2^(((log2 3)/2) N) ≈ 2^(0.79 N). (1)
, .
(aj + 2, aj + 3). , ,
aj + 2 = 1 1/2. , 1/2,
- 1/4.
H = -(1/2) log2(1/2) - (1/4) log2(1/4) - (1/4) log2(1/4) = 3/2.
, n 3n/2. ,
N
2^(3N/4). , N = 200
150 .
,
.
, , . ,
, .
.
2^(3N/4), N - .
, , ,
, . ,
,
, .
, (
m-).
ak + ak + t + ak + t + s = 0, k N. aj -
, s0 .
- m-
B1 = (aj, aj + 1, . . ., aj + m - 1)
B2 = (aj + t, aj + t + 1, . . ., aj + t + m - 1)
m.
B2 = (aj + t + s, aj + t + s + 1, . . ., aj + t + s + m - 1)
.
.
. m-
, s/4 t/4
.
,
. ,
. (1), 3m/2 B1.
,
B2, 3m/2 B2.
, B2 .
, 3m/23m/2 = 3m (B1, B2).
, 3m/2 B3.
, p = 3m/2/2 m B3
. ,
(B1, B2) p .
T = 3^m · 3^(m/2) / 2^m = 3^(3m/2) / 2^m = 2^([3(log2 3)/2 - 1] m) ≈ 2^(1.38 m). (2)
. 22m .
, 22m,
m-
B1 = (aj - 1, aj - 2, . . ., aj - m)
B2 = (aj + t - 1, aj + t - 2, . . ., aj + t - m)
j j + t, . (B1, B2)
T = 2^(1.38 m) (B1, B2). (B1, B2) (B1, B2) 4m
-. N , m = N/4. ,
2^(N/2) , T^2 = 2^([3(log2 3)/2 - 1] N/2) = 2^(0.69 N)
. .
2^(0.69 N),
. , ,
, , , ,
2^(0.75 N) .
- "--".
(B1, B2) (B1, B2), .
k m-
. k · 2^(2m), (2^(1.38 m))^k .
2^(km) -. N
k = N/(2m). k > 2 ,
- ,
(2^(1.38 m))^(N/(2m)) = 2^(0.69 N), k = 2.
,
f. ,
m- (B1, . . ., Bf). ,
(2), :
T = (3^(m/2))^f · 3^(m/2) / 2^m = 3^(((f+1)/2) m) · 2^(-m) = 2^([(log2 3)(f+1)/2 - 1] m).
"--", k = 2
. k = 2 2^(fm) -.
m = N/(2f). 2^(N/2),
T^2 = 2^([(log2 3)(f+1)/2 - 1] N/f) = 2^([(log2 3)(1/2 + 1/(2f)) - 1/f] N). f = 4
2^(0.74 N), f
2^(0.79 N), (1), .
,
. ,
.
. ,
.
, .
N
2^(0.75 N), .
,
.
φ(2^N - 1)/N , N 2^N.
, 2^(1.75 N).
6.4
6.4.1
,
,
- ,
[142].
[158], [339], , [106], [135].
,
, ,
.
,
.
, -
(
) . ,
.
, .
(,
, ,
.)
, ,
4,
. , 1990-
[137] [138] ,
" - ",
,
.
() ,
(, ),
,
. ,
.
.
[138] ,
. ,
,
-
,
,
. ,
, ,
.
, " ",
. ,
, ,
,
[411].
,
, .
,
.
,
-. ,
,
, . ,
,
, ,
. - ,
.
, .
[269] (. 6.4.2),
.
[139] ,
-
(). - ,
.
.
, , ,
.
[143]
1994 '
(. 6.4.3).
(
), (
d ). ,
.
,
[322].
. 1995 [146],
, (. 6.4.4).
-,
[144] (. 7).
, .
.
,
,
, .
,
,
,
, , .
,
( )
.
6.4.2
1992
[269]
X0 () ,
.
{xn} -
, X0. {yn}
f ( n)
yn = xf(n) , f(n) = n +
s ,
i =1
n = 1, 2, ... ,
{sn} - ,
.
.
.
{sn} .
, sn = 0. , {yn}
,
{xn}. {sn}
(...)
{Sn}, P(Sn = 1) = p n.
:
X0 ,
, p 0.5 {sn} { y n } nN=1 .
(I) . , d
,
- {xn} {yn}.
(), . [343]. [216]
. ,
, , -
, . -
.
{ y n } nN=1
( ) -
.
, ,
, , ,
.
{x$n } nM=1 - -,
X$ , M N. d - {x$ } M { y } N .
0
n =1
:
H0: { y n } nN=1 X$0 ;
H1: { y n } nN=1 X$0 .
n =1
, d - D
(
): {P(D | H0)} {P(D | H1)}.
, ( N). t N ,
" " " "
( I II ), Pm Pf. Pm
(, 10-3), Pf - (, Pf 2-L),
(1).
X$0 :
- {x$n } nM=1 ,
- d {x$n } nM=1 { y n } nN=1 ,
- t , H0 H1.
.
, ,
: ,
, ( H0);
, { y n } nN=1 {x$n } nM=1 .
(II) .
, [292]
[ 293].
( {a i } iM=1 , {bi } iN=1 )
{a i } iM=1 {bi } iN=1 , M N.
d* D
:
d* = max { l | ( {a i }iD=+1l , {bi } il=1 ) = D }.
, d*
, [292]. ,
, [292] -
(M - N) N u(i,j) ,
u(i,0) = i
i = 0, 1, . . . , M - N,
u(0,j) = u(0,j - 1) + (aj bj), j = 0, 1, . . . , N,
u(i,j) = min{[u(i - 1,j) + 1], [u(i,j - 1) + (ai+j bj)]}, i = 1, . . . , M - N; j = 1, . . . , N.
,
N
d * = d u ( M - N , 0 ),u ( M - N , j ),
j =1
1 k = l
d : d k ,l =
.
0 k l
, d*
D*. [269]
D*.
1. , {a i } iM=1 {bi } iN=1 - ...
H0.
P ( D* = d | H 0 ) =
f (d )
,
N -1 - ( M - N + i ) M - N + i M - N - ( N + i ) N + i
+ 2
2
M - N i=0
i
i=0
-( M - N + d ) M - N + d
, d N -1
2
d
.
f (d ) = M - N
2 - ( N +i ) N + i , d = N
i = 0
i
2. {bi } iN=1 {a i } iM=1 M - N ,
H1.
1 d = N
P ( D* = d | H1 ) =
.
0 0 < d N - 1
(III) .
:
H1, d* = N,
H0.
, Pm
M
Pm = P ( S i > M - N ) =
i =1
M i
p (1 - p) M - i .
i = M - N +1 i
M
: { y n } nN=1 , p .
I. : N, p Pm
M.
II. :
:
X$0
, {x$m } mM=1 ;
, d* {x$m } mM=1
{ y n } nN=1 ;
d* = N, X$
0
.
III. : ,
, .
: X0 , .
,
, 2L, L - . ,
, N ,
, M - N. ,
2L(M - N).
6.4.3
1994 ',
, [143]
,
- .
,
, d .
.
~
(I) . , X = {~
x t }t =1 -
, ... (
) . ,
~
~
D = {d t } t=1 - ...
~
, X . P = {P(d)}dD
~
d t t 1, D .
~ ~
X D
~
Y = {~
y t } t =1 :
yt = x
di )
, t 1.
i =1
, yt-1
yt dt-1 X ( dt 1), yt-1
( dt = 0). D , D,
D = {k,m} , {k,m}- [159].
D = [1,k] = {1,2,...,k}, , [1,k]- (
[138], [139]). D
, D-.
~
, Y
, 0 D.
P(X,Y)
X = {x t } mt =1 Y = {y t } tn=1 m n,
.
pd P
pd = 1 -
1
, d = dP ( d ),
d
d D
,
~
~
X Y
.
.
(II) .
D , Y = { y i } ni =1 n
D- X = {x i } mi =1 m,
n D = {d i } in=1 ,
di D yi = x ( j =1 d j ) , 1 i n. , Y D- X,
i
,
[411] D = {1,2}. , X
Y, D .
: X yt-1,
X yt D.
O(mn). -
[138] D = [1,k],
[269] D = Z+.
, () ,
.
O(n(m-n)).
D- ,
Y n D- X m(n)
. m(n) X ,
P ( i =1 d i > m( n)) Pm -
n
, . m(n) =
n/(1 - pd) + n , pd - , - , Pm.
, Pf,
D-
r
PD,Y(n,m(n)) Pf = 1 - (1 - PD,Y(n,m(n)) ) 2 -1 ( r - ).
, PD,Y(n,m(n)) - , Y
n D- X
m. Pf 0
2r PD,Y(n,m(n)) 1,
n .
n r,
n.
D-
D .
, D = Z+, .
PZ + ,Y ( n , m) PY(n,m). [143] .
1. Y n
m- n
n - 1 + k - n- k
PY ( n, m) = P+ ( n , m) =
2
k
k=0
n -1 m
= 1 - 2-m
k =0 k
P+(m,n). ,
{m(n)} n=1
n
= 1- l,
n m ( n )
lim
0 l 1,
:
lim-
log P+ ( n, m( n)) 1 - H (l )
, 0 l 0.5
=
n
1- l
0.5 l = 0.5
lim P+ ( n , m( n)) =
.
n
0.5 < l 1
1
1 - pd
.
1 - H ( pd )
pd 0.5, .
, , Z+-
, pd 0.5.
(III) .
. ,
, .
,
. D = [1,k]
[139].
, Z+-
,
P(d) = pd - 1(1 - p), d Z+. , pd = p. ,
,
~
~
Y X
~
X p. ,
, .
- P(X,Y)
X = {x t } mt =1 Y = {y t } tn=1 , m n. P(e,s)
X e+ s = {x t } te=+1s e + s Y s = {y t } ts=1
s, 1 s n 1 e m - n. d(x,y)
, 0.5 x y .
,
P(e,s) = P(e - 1,s) p + P(e,s - 1)(1 - p)d(xe + s,ys),
1 s n 1 e m - n , P(e,0) = pe P(-1,s) = 0.
P(X,Y) = P(m - n, n).
O(n(m - n)). ,
,
Y n
X m(n)
.
. m(n) ,
limn n/m(n) = 1 - p, , m(n) = n/(1 - p).
,
. ,
0 p < 1 ,
n
n> r
1- p
,
C
C - " ", r - . C
, C ,
C ( p) = (1 -
p
p
) log( 2 - p) + log p.
2
2
6.4.4
1995 [146],
.
,
,
.
,
. ,
- .
, ,
(. [82]). , X = {x t } t= 0
, D = {d t } t= 0 - ,
Y = {y t } t = 0
yt = x(t +
t
d )
i=0 i
, t 0.
(1)
,
(, , ) . ,
,
, [82]. -
. ,
.
, ,
. D -
P = {P(d)}dD, D -
d
p=
, d = d D dP ( d ). ,
1+ d
.
(I) . r
f ( z ) = 1 + i =1 f i z i = 1 + k = 1 z ik , 1 i1 < . . . < iw = r, W = w + 1 -
r
f(z). f(z)
r$
w
$
f$( z ) = 1 + f$ z i = 1 + z i k , 1 i$ <... < i$ = r i$ - i$ i - i , 1 k w,
i =1
k =1
k -1
k -1
y t + y t - i$k = 0
(2)
k =1
(1 + c)/2 t r$,
c
P = {P(d)}dD.
d
P(d) = p (1 - p), d 0,
p > 0. P
, p = p , p -
. [144]
c= p
r - r$
(1 - p)
r$+ 1
Dk
,
k =1
k
w
D$
(3)
Dk = ik - ik - 1 - 1 D$ k = i$k - i$k -1 - 1, 1 k w.
. ,
, , , ,
. ,
, ,
.
. " " {et},
, f$, {yt},
et = y t + k =1 y t -i$k , t r$,
w
c .
. ,
-.
n c n0 n1 , -
( n0 - n1 ) 2
c =
= nc 2 ,
n
2
(4)
D$ k = D$opt
k = (1 - p )( D k + 1) , 1 k w.
(5)
, cf,
c f = (1 - p)
w+ 1
D k - D$k
opt
k =1
$opt D k
(1 - p) D k $opt .
Dk
(6)
cf , p
, , -
,
, r w .
p
2pp
c f @ (1 - p)
1 - p
w
2
D k
k =1
1
2
(7)
cf
:
2pp r
c f @ (1 - p)
1 - p w
w
2
(8)
, , cf
, ,
, (10/(1-p)2)(2pp/(1-p))w((r-w)/w)w.
p, pDk < 2 - p k,
c f (1 - p)
r +1
2w
r +1
(9)
,
10/(1-p)2(r+1) 10/(1- 2w/r) 2(r+1).
(II) .
,
,
, - (, , [82]).
f
. f
, ,
. ( ) ,
. (3)
f$ f
(5), c' (. (4))
f.
: ,
.
, r f
. - f$,
, (6).
r$ (1 - p)r + pw. , p = 1/2, r$@ (r + w)/2,
r$ - 1
. w w - 1
. - ,
c'
w. , - (4),
. ,
w, .
, w . f 10 r$/cf2,
r$ , ,
, 10/cf2. f , cf
(8) p, p w/r,
(9) p, p < w/r.
c' .
-. -
, , .
,
.
- f.
,
(5). , f c'
(3) ,
- .
, .
.
, f
c'
, , .
,
- . ,
f ,
,
,
(5). , , ,
. ,
. g g
zi. ,
-
(. 4) [254] [397] [78].
- -
, ,
. . ,
(3)
D$i , (5) k = i.
,
D$i , i = 1, .
c f ( D$ i ) =
$
$ Di
p D i - D i (1 - p) D i $ .
Di
k i ( D k + 1)
(1 - p ) w +1
D$i ,
, 1/c, c
c (f i ) - cf i-
(6), Di (, c (f i ) /(1 - p)w). c
(8) (9).
D$1
1/c D$1 ,
D$1 , .
D$ , , 1/c
2
, D$1 .
, D$ .
i
w ,
, ,
.
-.
,
.
- D$i
, .
,
[254] [397] [78] [267] [268] ( 4.3.4).
, ,
_
1/ c ,
-
c / c , c - c f(i ) ,
_
c = (1 - p) w +1 p
-
1
2
r-1
w - 1 / 2
- w+
1
2
(III) .
, - f r
.
. -
.
-
-,
(I). - {dt}
, .
,
{yt}, dt - , , yt
t. : ,
r ,
. (,
,
,
.)
P =
{P(d)}dD. , dt
.
dt ,
yt - 1 yt.
dt , dt
. "" ( 4.3.2),
, ,
.
.
h(z) = 1+ k = 1 z jk , 1 j1 < . . . < jw = m,
w
w
$
$ ,
m W = w + 1, h$( z ) = 1 + k =1 z j k , 1 $
j1 < ... < $
jw = m
h(z). tk = jk - jk - 1 - 1 t$k = j$k - j$k -1 - 1, 1 k w,
j0 = $
j0 = 0 .
h(z) , ti = d, dD. h(z)
h$( z ) , t$i = 0. ,
yt - 1 yt, h$( z )
. h(z)
d, i , ti = d. Hd
d.
,
.
dt .
P$t ( d ) , dt = d
, H$ (
d
Hd,
[146]). c( h$) - ,
h$ , dt = d.
,
, ,
dt d. ,
,
P$( d )
P( d )
$
$
=
(1 + c( h$)) 1- s ( h ) (1 - c( h$)) s ( h ) ,
$
1 - P ( d ) 1 - P ( d ) h$H$d
(10)
s(h$) - ,
h$, t . ,
( "") dt = d
.
- ,
(10),
.
, 4.3.4. ,
d ,
, (10), .
, ,
c( h$) , P =
{P(d)}d . c( h$)
D
t$k + 1 t k
$
c( h$) = (1 - p 0 ) p tk k -t k (1 - p k ) ,
t$k
k i
pk
.
, ,
,
. -
,
, . [146]
N
w
d ,w
(1 - p) w > 1 ,
Nd,w w + 1 Hd, p -
.
, h w + 1 m
p (2pp/(1-p)(m-w)/( w - 1))(w - 1)/2.
,
,
.
.
7.
7.1
7.1.1
[361],
- .
[334].
,
(. 5.1.3).
, , -
[333], - [240], " "
[92].
[257]
(. 7.2). ,
,
,
, [255].
, .
,
M ,
[141] [149] (. 7.3). ,
M + 1
M + 1 ,
.
,
. ,
- ,
,
. ,
. ,
, ,
, , ,
. ,
, ,
, - .
,
. ,
,
, (. 4.3). ,
1/2, ,
, M.
, ,
:
-
,
[142].
[342], 1997
" " SAC '97.
,
: (1)
; (2)
; (3)
; (4)
: - ; -.
7.1.2
90- -
, "
" () [189] [190] [192] [196] (. 7.4).
- , .
0 1,
.
s. (s mod 2) s
, ( s / 2 )
.
,
, (-) .
-
:
2- . ,
.
-, ,
(. 2.3.1).
1. r q1, q2, . . ., qr
q = qr2r + qr - 12 r - 1 + ... + q12 - 1.
-
- .
2. a = (a0, a1, a2, . . . )
q, g = 2-1 Z/(q) -
2 q, A Z/(q) , i = 0,1,2,...
i =0
ai 2 i ,
2- Z2. a
, 2- a
, r q,
a = r/q Z2.
q - ,
a. a
a < 0 |r| < |q|.
4.
a 2- a.
( )
2- . -
: () ,
a; () 2M + 2log(M)
( M 2- a).
,
, : ,
(, ),
. ,
.
5. , [240],
a = (a0, a1, a2, . . .) b = (b0, b1, b2, . . .)
.
c = (c0, c1, c2, . . .) g = a + b Z2 2- (
g = i = 0 ci 2 i ). , 2- c
2-
a b.
6. , l- - -
T = q - 1 ( q - ). l q, 2
. l- -
, ()
1/q.
, m-.
. ,
c a b, ,
, (5) , 2- c 2 a b. , (4)
, c
() 2span2(c) .
- ,
- .
" " [346]
,
, ,
, .
7.1.3 [142]
-
, . -
"--".
[299],
, ,
() "--".
.
,
,
,
,
, , ,
. ()
,
,
,
.
W(e1, ... , eK, s)
K ei + s, 1 i K,
s (. [140]). , , W(e1,...,eK,s)
. ,
, .
W(S, e1,..., eK, s), S
, [299].
,
"--". ,
,
f' G', . ,
, x't. ,
x't xt s't st , , ,
"--"
. e
. ,
W(S, e1,..., eK, s)
.
. , .
-
.
,
[142],
,
, . ,
. ,
.
7.2 1
,
-,
ci Σ_i ci^2 = 1 [255].
1990 ,
[256].
, ,
, ,
, .
,
. .
7.2.1
[333]
,
(
)
. ,
GF(2) ,
.
A =
(a0, a1, . . .) B = (b0, b1, . . .). n n
, a = an-1 2^(n-1) + ... + a1 2 + a0 b = bn-1 2^(n-1) + ... + b1 2 +
b0. z = a + b n
s=
k = j-i
a k + b k bk ,
ch
N
c
h =1
2
h
= 1-
1
.
2i
, 1 i . ,
1,
. ,
1 .
7.2.2 1
1
f0 f1
zj = f0(x1j, ... , xnj, sj - 1)
f (x)(-1)
x GF ( 2 )
w x
n+1
, ,
+1 -1 ( f(x) (-1)f(x)).
f Lw
c(f, Lw) = F(w) / 2n+1.
f0 (x,s) f1 (x,s), x GF(2)n,
L(x,s) = wx
L(x,s) = wx + s.
f0
c0(w) = F0(w,0)/2n+1 c1(w) = F0(w,1)/2n+1, F0
f0. ,
C02 =
c ( w)
0
w GF ( 2 )
, C12 =
c ( w)
1
w GF ( 2 )
w GF ( 2 )
( w ) 2 , D12 =
w GF ( 2 )
( w) 2 .
C0^2 + C1^2 = 1 D0^2 + D1^2 = 1.
,
1 .
. 1 i j. zj
s1, s2, ... , sN
j
s=
k = j - i m =1
mk
x mk ,
c
h =1
2
h
ch
N = 2(i + 1)n s. ,
.
, ,
1, D0 = 0, C02.
Xm = (xm0, xm1, xm2, ... ), 1 m n,
, zj
-.
s = m=1 ( k = j -i wmk x mk ). , m
n
sm = k = j - i w mk x mk m- . -
j
sm , "--".
[334][255]
(. 5.1).
,
,
, m, 1 m n,
k wmk 0. ,
[255].
7.2.3 ,
. ,
zj = 0 zj = 1.
,
. zj aj + bj , zj aj+bj
.
, s
1. , zj + 1 = zj + 2 = ... = zj + s = 0.
sj + s 1 1 - 2-s.
, t, 1 t s,
P(sj + s = sj + s - 1 = ... = sj + t = 1) = 1 - 2-t. , s
0.
.
. (1) ,
zj + 1 = zj + 2 = ... = zj + s = 0, zj + s + 1 = 1. t, 1 t
s, s - t + 2
zj + t + 1 = a j + t + 1 + b j + t + 1 + 1 = 0
zj + t + 2 = a j + t + 2 + b j + t + 2 + 1 = 0
zj + s + 1 = a j + s + 1 + b j + s + 1 + 1 = 1
zj + s + 2 = a j + s + 2 + b j + s + 2 + a j + s + 1
1 - 2-t.
(2) ,
zj + 1 = zj + 2 = ... = zj + s = 1, zj + s + 1 = 0. t, 1 t
s, s - t + 2
zj + t + 1 = a j + t + 1 + b j + t + 1 + 1 = 1
zj + t + 2 = a j + t + 2 + b j + t + 2 + 1 = 1
zj + s + 1 = a j + s + 1 + b j + s + 1 + 1 = 0
zj + s + 2 = a j + s + 2 + b j + s + 2 + a j + s + 1
1 - 2-t.
,
, ,
.
,
.
7.2.4
,
, . ,
,
. , zj + 1 , ... , zj + s
0 1. , zj + t + 1, ... , zj + s + 2 ,
(s - t + 2) ,
1 - 2-t. t,
,
. aj bj
, s - t + 2
. -
,
.
N - , k - (
). s
0 1. , n .
t,
"" d = s - t + 2 . ,
nd . , nd > k,
nd = ak, a > 1. m = k / d a -1 n ""
. , m , .
1. m n
k .
2. , 1 ,
. , ,
1.
. ,
, r , , r 2-t.
,
q , m .
, rn ( rn
). q
rn
rn
rn
q = 1 - 1 L 1
n
n - 1
n - (m - 1)
m
rn
ar
> 1
= 1 a - 1
n - m
.
. 200 ,
k = 400. , N = 50000 .
,
n
N
2s
s. s = 7, n = 390
7. t = 4. d = s - t + 2 = 5 - , r = 2-4 = 1/16 -
, . , m = k/d = 80
, . a a = n/m = 390/80 = 4.88.
4.88 1
q > 1
3.88 16
80
, , 700 .
,
. ,
, ( )
"".
[368] ,
,
. ,
, .
7.3
1996 [149],
. ,
, .
. .
7.3.1
M N -
,
St + 1 = F(Xt, St), t 0,
yt = f(Xt, St), t 0,
F: GF(2)N GF(2)M GF(2)M - ,
f: GF(2)N GF(2)M GF(2) - , St = (s1t, . . . , sMt) -
t, S0 - , Xt = (x1t, . . . , xNt) -
t, yt - t. F(X, S) f(X, S)
, .
,
(
) {xit } t = 0 ,
1 i N.
, . ,
. , {y t } t = 0 -
. -
.
. F: GF (2 ) n1 GF (2) n2 GF (2) m
n = n1 + n2 .
Z = F(X, Y), X GF (2) n1 Y GF (2) n2 . , X Y . -
Z X.
NXZ = #{Y: Z = F(X, Y)}
NZ = Σ_{X ∈ GF(2)^n1} NXZ , Σ_{Z ∈ GF(2)^m} NXZ = 2^n2 , X ∈ GF(2)^n1 .
, Z X N XZ = 2 - n1 N Z Z
X, Z X X Z
, N XZ = 2 n2 . ,
Z X ,
.
LW(X) = WX X,
W GF (2) n1 , LV(F) = VF F, V GF (2) m . [255]
LV(F) LW
cVW = 2^(-(n-1)) #{(X, Y): V·F(X, Y) = W·X} - 1 .
,
NXZ, .
1.
def
C0 =
def
C1 =
cV2 0 =
V 0
V 0 W 0
1
2m
2
VW
N
Z 2 N -ZM - 1,
1
2 n1 + m
N
N
X Z 2 n2XZ-m - 2 n -Zm ,
V 0 W
def
2
=
C2 = C 0 + C1 = cVW
2 n1 + m
N
2 n2XZ-m - 1.
X
Z
1. C0 0 F
, 2m - 1 F . C1 0
F(X,Y) X,
2m - 1 - C0 , C0, F(X,Y)
X. C2
0 F(X,Y)
X, 2m - 1
F(X,Y) X.
, C1
() F(X,Y) X,
, F(X,Y)
X. , C0
F(X,Y)
F(X,Y).
-
- C2 m = 1
n2 = 0.
2.
- .
3. F(X,Y) X
X.
1 ,
.
n1, n2 m, ,
n2 m. , F(X,Y)
X, n2 < m. ,
.
C1, C2 - C0 = 0,
. C2 ,
.
2. F(X,Y) - m- n1 X
n2 Y. n2 = m - k, 0 k m.
C2 2k - 1 F(X,Y)
Y X.
7.3.2
M
N . , m t m - 1,
ytm = (yt, ..., yt - m + 1) Xtm = (Xt, ..., Xt - m + 1) m
m t, .
,
ytm = Fm(Xtm, St - m + 1),
t m - 1,
m 1, Fm -
GF(2)mN GF(2)M GF(2)m , f
- F.
Fm(Xm, S).
, - " ",
.
1. M N
. m 1,
Lv m Lw
Nm ,
Lv(ytm) m
Lw(Xtm) m
t m - 1. m 1,
, Lv , Lw
N
.
, m = M + 1
Lv, ,
Lw ,
. ,
f(X,S) S,
, Lv , Lw
N .
2. M N
. m 1,
C(m)
m
ytm m
Xtm t m - 1
C (m) C (m) C (m), m 1,
1 m M ,
0,
C (m) = m- M
- 1, m M + 1,
2
C (m) = 2 - 1,
m 1.
C(m) m 1
t m - 1 M ytM
M XtM,
FM(XM, S) S XM.
C (m) m 1
.
. ,
2
m
m
.
, ,
( 2M)
,
2
m
.
2 - , [255]
.
,
. 2m - M - 1 2m - 1
(2m - 1)2mN
m > M. , M = 1 m = 2
, , ,
[257]. ,
2 -(mN + M) / 2 m > M,
.
m = M+1, 1,
2 -(MN + M + N) / 2.
2-N/2.
,
. ,
N,
-,
, M .
-
, 2.
(
- ). ,
, - f(X,S) X. ,
. M = 1.
f(X,s) = s + g(X).
s,
,
g(X) .
[333] 1
, g(X) .
M = 1, -
. M > 1
F(X,S),
S.
7.3.3
() .
,
( M + 1
M + 1 )
.
(),
.
. - ,
.
.
f
- F.
M+1
. ,
- .
,
(. 3). -
. ,
,
.
.
, ,
$$S_{t+1} = A S_t + B X_t + D(X_t, S_t), \qquad y_t = C S_t + D X_t + e(X_t, S_t), \qquad t \ge 0,$$
where $A, B, C, D$ are binary matrices and $e$ and $D = (d_1, \dots, d_M)$ are Boolean functions.
, {e ( X t , S t )} t = 0 {d i ( X t , S t )} t= 0 ,
1 i M, ,
, .
(D-) (.,
, [131]). , S, X, D, e, y
z {St}, {Xt}, {D(Xt, St)}, {e (Xt, St)}, {yt},
.
S = zAS + zBX + zD
D + S0,
y = CS + DX + e.
C adj( zA - I)B
C adj( zA - I)
y = D ( zD + S 0 ) + e ,
X
det( zA - I)
det( zA - I)
def
1 N
1 M
g
(
z
)
x
+
h (z)(zd j + s j 0 ) + e ,
i
j (z ) i =1 i
j (z ) j = 1 j
(1)
j (z ) = k = 0 j k z k , g i (z ) = k = 0 g ik z k h j (z ) = k = 0 h jk z k ,
:
M
M -1
M
j y
k =0
t -k
= gik xi , t - k + e( X tM +1 , St - M ),
t M,
(2)
i =1 k = 0
M -1
e( X tM +1 , S t - M ) = h jk d j ( X t -1- k , S t -1- k ) + j k e ( X t - k , S t - k ), t M ,
(3)
j =1 k = 0
, St-k - ( X tM-k
- k -1 , S t - M )
0 k M - 1. (2) ,
1. (2) ,
e . ,
. ,
, St
t 0. e (3)
, ,
.
, ,
e
. , ,
. ,
.
4. m n
ci , 1 i m.
, ,
2n
c O(m/2n).
i =1 i
n = MN + N + M ( X tM +1 , S t - M ) . ,
,
,
, , . ,
,
,
.
,
,
,
(3) . ,
.
,
.
,
,
. (M+1)2M+N
. ,
M,
.
7.3.4
M N
, . yi(z)
, , {xit},
0 i N. ,
, , , . -
,
-
. ,
, .
-
, MN , ,
7.3.3. , MN ,
. . ,
(2) (1).
, (2), gi(z)
. ,
-, yi(z) gi(z) .
. , yi(z) - gi(z), i- (2). ,
- ,
, ,
.
. -
, .
.
"-" , N. , ,
[254](. 4.3).
,
- (2), gi(z) , N,
. ,
"--", yi(z) gi(z) i.
, , ,
,
. ,
[333] ( 5.1)
. , N
, .
7.3.2, ,
. ,
, ,
,
- .
.
N , ,
(1) (2). ,
(2). (1)
, (2).
(2),
.
,
.
7.4 2-
1993
( ) (
)
- 2- .
, -
(
), DES-
.
([189] [190] [191] [192] [193] [195] [196]), ,
().
2- ,
.
, , ,
. ,
.
1997
[196].
7.4.1 2-
2 ,
, [112] [199] [197].
A 2-adic number is a formal sum $a = \sum_{i=0}^{\infty} a_i 2^i$ with $a_i \in \{0, 1\}$.
,
.
2- Z2. Z2 Z/(2)[[X]]
X , Z2 ""
, 2i + 2i = 2i + 1.
. Z2
0 1 = 1 20. (
2, 2
Y Y i + Y i = Y i + 1. 2 Y
, 2-
.)
- , -1
$$-1 = 1 + 2 + 2^2 + 2^3 + \dots,$$
1 . ,
. -q
Z2
$$a = 2^r \Bigl(1 + \sum_{i=1}^{\infty} a_i 2^i\Bigr), \qquad -a = 2^r \Bigl(1 + \sum_{i=1}^{\infty} \bar a_i 2^i\Bigr),$$
where $\bar a_i = 1 - a_i$ is the complement of $a_i$. Indeed $a + (-a) = 0$.
-a 0
, .
+1 -1
(). Z2 , ,
7.4.2 , ,
,
7.1.2.
For $q \in \mathbb{Z}$ let $r = \lfloor \log_2(q + 1) \rfloor$ (the number of register cells), so that
$$q + 1 = q_1 2 + q_2 2^2 + \dots + q_r 2^r$$
q + 1 ( qr = 1).
r log 2 r ( , . ).
{ q1, q2, ..., qr}.
7.1.2 S .
r ,
an - 1, an - 2, . . . , an - r + 1, an - r .
:
1. Compute the integer sum $s_n = \sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}$.
2. Shift the register contents one step, discarding $a_{n-r}$.
3. Put $a_n = s_n \bmod 2$ into the freed cell.
4. Replace the memory $m_{n-1}$ by $m_n = (s_n - a_n)/2 = \lfloor s_n / 2 \rfloor$.
q ,
.
.
m
, . m2,
m1, m0, , , . S
, FA. (
).
(1)...(4)
() :
1. s n = k =1 q k a n - k .
r
2. s'n mn-1 = m i 2 i
3. .
4. , an - r.
.
- m. ,
,
.
r
q = -1 + q12 + q222 + ... + qr2r. w qi, i = 1,...,r ,
q + 1. - m
. , ,
.
2. ,
0 m < w ( ,
, log 2 ( w - 1) +1 ).
mn - 1 w,
0 m < w log 2 ( mn-1 - w) + r .
mn - 1 < 0,
0 m < w log 2 (| mn-1 |) + r .
.
7.4.3
2-
Consider an FCSR with $r$ cells, connection integer $q = -1 + q_1 2 + q_2 2^2 + \dots + q_r 2^r$, initial memory $m_{r-1}$ and initial register contents $a_{r-1}, a_{r-2}, \dots, a_1, a_0$, and put
$$p = \sum_{i=0}^{r-1} \sum_{j=0}^{i} q_j\, a_{i-j}\, 2^i \;-\; m_{r-1} 2^r,$$
where $q_0 = -1$, so that $q = \sum_{i=0}^{r} q_i 2^i$.
Lemma 3. If $q > 0$, then the output sequence $a$ of the FCSR with memory $m_{r-1}$ and register $a_{r-1}, a_{r-2}, \dots, a_1, a_0$ is the 2-adic expansion of $a = p/q$, i.e.
$$a = \sum_{i=0}^{\infty} a_i 2^i = \frac{p}{q} \in \mathbb{Z}_2 .$$
Lemmas 1, 2 and 3 together give
$$p = \sum_{i=0}^{r-1} \sum_{j=0}^{i} q_j\, a_{i-j}\, 2^i - m_{r-1} 2^r,$$
where $m_{r-1}$ is the initial memory.
. ,
a = p/q ( q - ).
, , 2 a ?
Let $r = \lfloor \log_2(q + 1) \rfloor$ and write $q = \sum_{i=0}^{r} q_i 2^i$ with $q_0 = -1$ and $q_i \in \{0, 1\}$ for $i > 0$; the FCSR has $r$ cells with taps determined by $q$. Its memory $m_{r-1}$ and register $a_0, a_1, \dots, a_{r-1}$ have to satisfy
$$a = \frac{\sum_{k=0}^{r-1} \sum_{i=0}^{k} q_i\, a_{k-i}\, 2^k \;-\; m_{r-1} 2^r}{q} = \frac{p}{q},$$
which gives the following procedure.
1. Compute $a_0 + a_1 2 + a_2 2^2 + \dots + a_{r-1} 2^{r-1} = p/q \pmod{2^r}$ (the first $r$ bits of the 2-adic expansion of $p/q$). Since $q$ is odd it is invertible modulo $2^r$, so this is a modular division; it costs $O(r^2)$.
2. Compute $y = \sum_{i=0}^{r-1} \sum_{j=0}^{i} q_j\, a_{i-j}\, 2^i$.
3. Compute $m = (y - p)/2^r$, which costs $O(r)$.
The connection integer $q$, the register $a_0, a_1, \dots, a_{r-1}$ and the memory $m$ then define an FCSR that generates the 2-adic expansion of $p/q$.
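The FCSR update of Section 7.4.2 and the correspondence of Lemma 3, as an added Python example that is not part of the original text. It runs the register for a constructed connection integer q = 37 (one of the primes in the page's table for which 2 is a primitive root) and checks that the output is the 2-adic expansion of p/q with p given by Lemma 3; all function names are this example's own.

```python
from typing import List, Tuple


def fcsr_taps(q: int) -> Tuple[List[int], int]:
    """Taps q_1..q_r and length r for q = -1 + q_1*2 + ... + q_r*2^r,
    i.e. bits 1..r of q + 1 (q_r = 1 is the top bit of q + 1)."""
    r = (q + 1).bit_length() - 1
    return [((q + 1) >> k) & 1 for k in range(1, r + 1)], r


def fcsr_generate(q: int, register, memory: int, nbits: int) -> List[int]:
    """Run the FCSR (steps 1-4 of Section 7.4.2) and return a_0 .. a_{nbits-1}.

    register is (a_{n-1}, ..., a_{n-r}) for n = r, memory is m_{r-1}."""
    taps, r = fcsr_taps(q)
    reg = list(register)                 # reg[k-1] holds a_{n-k}
    m = memory
    out = list(reversed(reg))            # a_0, ..., a_{r-1} in output order
    while len(out) < nbits:
        s = sum(qk * ak for qk, ak in zip(taps, reg)) + m   # step 1: integer sum
        a_n = s & 1                                         # step 3: a_n = s_n mod 2
        m = s >> 1                                          # step 4: m_n = floor(s_n / 2)
        reg = [a_n] + reg[:-1]                              # step 2: shift, drop a_{n-r}
        out.append(a_n)
    return out[:nbits]


def fcsr_rational(q: int, register, memory: int) -> Tuple[int, int]:
    """Lemma 3: (p, q) such that the output is the 2-adic expansion of p/q,
    p = sum_{i<r} sum_{j<=i} q_j a_{i-j} 2^i - m_{r-1} 2^r with q_0 = -1."""
    taps, r = fcsr_taps(q)
    qs = [-1] + taps                     # q_0 = -1, q_1, ..., q_r
    a = list(reversed(register))         # a_0, ..., a_{r-1}
    p = sum((qs[j] * a[i - j]) << i for i in range(r) for j in range(i + 1))
    return p - (memory << r), q


def two_adic_expansion(p: int, q: int, nbits: int) -> List[int]:
    """First nbits bits of p/q in Z_2 (q odd): the bits of p * q^{-1} mod 2^nbits."""
    modulus = 1 << nbits
    x = (p * pow(q, -1, modulus)) % modulus
    return [(x >> i) & 1 for i in range(nbits)]


def eventual_period(bits: List[int], tail_start: int):
    """Smallest period of bits[tail_start:], or None if no period is visible."""
    tail = bits[tail_start:]
    for period in range(1, len(tail) // 2 + 1):
        if all(tail[i] == tail[i + period] for i in range(len(tail) - period)):
            return period
    return None


if __name__ == "__main__":
    # constructed sample: q = 37 (2 is a primitive root mod 37), 5-cell register
    state, mem = (1, 0, 1, 1, 0), 0
    bits = fcsr_generate(37, state, mem, 200)
    p, q = fcsr_rational(37, state, mem)
    print(p, q, bits == two_adic_expansion(p, q, 200), eventual_period(bits, 100))
```

Because 2 is a primitive root mod 37, the tail of the sequence has period 36 = q - 1, the maximum possible for this q.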
, , 2-
a = p/q, , (
).
( a > 0) ( a < 0).
, : () m
= 0 ai = 0; () m = WH(q + 1) - 1 ai = 1.
?
4. r
( qr = 1). .
m ,
"1"
log 2 (1 + m) (
"0"). m<0,
"1":
, "0"
log 2 (WH ( q + 1) +| m|-1) ; ,
"0" log 2 (| m|2 r / (2 r - 1)) .
m=0,
, 0.
-.
-
. a = (a0, a1, a2, . . . ) -
, r
q(X). q(X) , g GF(2r) - q(X) 2r ,
i = 0,1,2,...
ai = Tr(Agi)
A GF(2r) (
). Tr : GF(2r) GF(2) .
, .
5. a = (a0, a1, a2, . . . )
q. g = 2-1 Z/(q) -
2 q. A Z/(q)
, i = 0,1,2,...
s n = mn -1 + i =1 q i a n - i
r
s n = bn + mn -1 + i =1 q i a n -i ,
r
a
r
a=
b = i = r bi 2 i Z2
b + x + mr -1 2 r -
i =1
r -i -1
q 2 a
j =0
1 - i =1 q i 2 i
r
2j
,
- 2- , b,
7.4.4 2-
, 2-
,
. ,
, ,
, , , ,
- .
2- .
,
.
( ,
), , ,
.
. 2 "
+ " ,
. ,
.
: span (
, + ) complexity
( ) a. a ,
( ) complexity(a ) . ,
log2(complexity(a)).
, ,
.
Let $a = (a_0, a_1, a_2, \dots)$ be an eventually periodic binary sequence. Then there are a connection integer $q = -1 + q_1 2 + q_2 2^2 + \dots + q_r 2^r$ with $q_r = 1$ (so that $r = \lfloor \log_2(q + 1) \rfloor$) and a memory value $m$ such that
$$a = \sum_{i=0}^{\infty} a_i 2^i = \frac{p}{q} \in \mathbb{Z}_2$$
is the 2-adic number associated with $a$. The 2-adic complexity of $a$ is $f_2(a) = \log_2(F(p, q))$, where $F(p, q) = \max(|p|, |q|)$.
Moreover, the 2-adic span $\lambda_2(a)$ and the 2-adic complexity $f_2(a)$ satisfy
$$|(\lambda_2(a) - 2) - f_2(a)| \le \log_2(f_2(a)), \qquad |(\lambda_2(a) - 2) - f_2(a)| \le \log_2(\lambda_2(a) - 2) + 1.$$
[240] [334],
,
.
7. a b - . c
, a b
. 2- c
7.4.5
, a = (a0, a1, a2, . . . ) -
. ,
a. ,
- (. 3.2.2).
: (1) , a; (2)
, .. 2span(a)
. , . ,
(, ),
. ,
.
the power series $A(X) = \sum_{i=0}^{\infty} a_i X^i \in \mathbb{Z}/(2)[[X]]$ corresponds to the 2-adic integer $\sum_{i=0}^{\infty} a_i 2^i \in \mathbb{Z}_2$;
Q2
2-
, .
,
[384].
-,
: ,
a ( 9);
2M+2log(M) , M - 2- a ( 10).
p-
, [384].
For $f = (f_1, f_2) \in \mathbb{Z} \times \mathbb{Z}$ let $F(f) = \max(|f_1|, |f_2|)$, and for $f = (f_1, f_2)$ and $d \in \mathbb{Z}$ let $df = (df_1, df_2)$. The algorithm reads the bits $a_0, a_1, a_2, \dots$ of the 2-adic expansion of $a$ and outputs a pair $(f_1, f_2)$ with $a = f_1/f_2$ and $F(f)$ minimal.

Rational_Approximation()
begin
    Input a_0, ..., a_{k-1}, where a_{k-1} is the first nonzero bit
    a = a_{k-1} 2^{k-1}
    f = (0, 2)
    g = (2^{k-1}, 1)
    while more input do
        Input a_k
        a = a + a_k 2^k
        if a g_2 - g_1 ≡ 0 (mod 2^{k+1}) then
            f = 2f
        else if F(f) < F(g) then
            let d be an odd integer minimising F(f + dg)
            (g, f) = (f + dg, 2g)
        else
            let d be an odd integer minimising F(g + df)
            (g, f) = (g + df, 2f)
        fi fi
        k = k + 1
    od
    return g
end
. ag2 - g1 0 (mod 2k + 1)
,
ag2 - g1 af2 - f1 . , ,
d , F(f + xg) (, F(g + xf))
x. [384],
. , , : ag2
- g1 0 (mod 2k + 1) F(g) < F(f). g1 g2, d ,
(f1 - f2)/(g1 - g2) -(f1 + f2)/(g1 + g2).
, F(f + dg) d.
g1 = g2 , . F(g) > F(f),
f g .
9. g = (g1,g2) ,
T ai. : g2 - ,
i =0
a i 2 i = p/q,
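The rational approximation algorithm of this section written out in Python, as an added example that is not part of the original text. The pair (g, f) is kept as a basis of the lattice {(x, y): a y ≡ x (mod 2^k)}, and the branch condition is written so that the longer of the two vectors is always reduced by odd multiples of the shorter one (the pairing of F(g) < F(f) with minimising F(f + dg) that the discussion after the listing describes); the inputs in the test are constructed expansions of 14/37 and -1/3, and all names are this example's own.

```python
from math import log2
from typing import List, Tuple

Pair = Tuple[int, int]


def F(f: Pair) -> int:
    """The size measure F(f) = max(|f1|, |f2|) of the text."""
    return max(abs(f[0]), abs(f[1]))


def add(f: Pair, d: int, g: Pair) -> Pair:
    """f + d*g componentwise."""
    return (f[0] + d * g[0], f[1] + d * g[1])


def best_odd_d(f: Pair, g: Pair) -> int:
    """Odd d minimising F(f + d g).  max(|f1 + d g1|, |f2 + d g2|) is convex and
    piecewise linear in d, so its minimum lies at a zero of one of the two linear
    pieces or where they cross; the best odd integer is within 1 of such a point."""
    (f1, f2), (g1, g2) = f, g
    points = ((-f1, g1), (-f2, g2), (f2 - f1, g1 - g2), (-(f1 + f2), g1 + g2))
    centres = [n // m for n, m in points if m != 0]
    candidates = {d for c in centres for d in range(c - 2, c + 3) if d % 2} | {-1, 1}
    return min(sorted(candidates), key=lambda d: (F(add(f, d, g)), abs(d)))


def rational_approximation(bits: List[int]) -> Pair:
    """Return g = (g1, g2), g2 odd, with sum(bits[i] 2^i) = g1/g2 in Z_2 and F(g)
    minimal once enough bits have been read (about 2M + 2 log M for span M)."""
    first = next((i for i, b in enumerate(bits) if b), None)
    if first is None:
        return (0, 1)                                    # the all-zero sequence
    k = first + 1                                        # a_{k-1} is the first 1
    a = 1 << (k - 1)
    f, g = (0, 2), (1 << (k - 1), 1)
    for a_k in bits[k:]:
        a += a_k << k
        if (a * g[1] - g[0]) % (1 << (k + 1)) == 0:      # g still valid mod 2^{k+1}
            f = (2 * f[0], 2 * f[1])
        elif F(f) < F(g):                                # g is the longer vector
            d = best_odd_d(g, f)
            g, f = add(g, d, f), (2 * f[0], 2 * f[1])
        else:                                            # f is the longer vector
            d = best_odd_d(f, g)
            g, f = add(f, d, g), (2 * g[0], 2 * g[1])
        k += 1
    return g


def two_adic_complexity(bits: List[int]) -> float:
    """log2 F(g) for the minimal g: the 2-adic complexity of the sequence."""
    return log2(F(rational_approximation(bits)))


def expansion(p: int, q: int, nbits: int) -> List[int]:
    """Constructed test input: the first nbits bits of p/q in Z_2 (q odd)."""
    modulus = 1 << nbits
    x = (p * pow(q, -1, modulus)) % modulus
    return [(x >> i) & 1 for i in range(nbits)]


if __name__ == "__main__":
    sample = expansion(14, 37, 60)
    print(rational_approximation(sample), two_adic_complexity(sample))
```

The returned pair is determined only up to a common sign, so a check should compare g1 q with g2 p rather than g with (p, q) directly.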
7.4.6 2-
[240] ( 7.2) m a1, a2, ... ,ak " "
.
, ,
-. ai
Ti,
, L = T1T2...Tk.
, 7 , 2-
T1 + T2 + ... + Tk + log2(k), 2
7.4.7
-
.
,
, .
, 1
q T = q - 1. , q - ,
2 - q.
0 1,
. m .
. l- - (
T = q - 1), q,
2 - .
1 1 - (, )
1/q:
log 2 (q ) +1
[228].
q, 2
, Maple Pari. , ,
q = 2128 + 25 + 24 + 22 - 1
2 T = q - 1. ,
-
, N(n) q < n , ordq(2) = q-1,
N (n ) = A
n ln 2 ln 2 (n )
n
,
+ O
2
ln 2 (n)
ln 2 (n)
A = 0.3739558136 ( ) - .
, 37.4% . ,
[196].
l-.
,
, 2 - .
11. q - p, q = pe, 2 q.
a - -,
q.
a .
s - , - s . a - ,
-,
q.
a 2.
7.4.8
" "
[346], ,
. :
, , ;
, .
10 000, 2
( q - 1).
q + 1. , 9949
1, 2, 3, 4, 6, 7, 9, 10, 13, since 9950 = 2^13 + 2^10 + 2^9 + 2^7 + 2^6 + 2^4 + 2^3 + 2^2 + 2^1.

2, 5, 11, 13, 19, 29, 37, 53, 59, 61,
67, 83, 101, 107, 131, 139, 149, 163, 173, 179,
181, 197, 211, 227, 269, 293, 317, 347, 349, 373,
379, 389, 419, 421, 443, 461, 467, 491, 509, 523,
541, 547, 557, 563, 587, 613, 619, 653, 659, 661,
677, 701, 709, 757, 773, 787, 797, 821, 827, 829,
853, 859, 877, 883, 907, 941, 947, 1019, 1061, 1091,
1109, 1117, 1123, 1171, 1187, 1213, 1229, 1237, 1259, 1277,
1283, 1291, 1301, 1307, 1373, 1381, 1427, 1451, 1453, 1483,
1493, 1499, 1523, 1531, 1549, 1571, 1619, 1621, 1637, 1667,
1669, 1693, 1733, 1741, 1747, 1787, 1861, 1867, 1877, 1901,
1907, 1931, 1949, 1973, 1979, 1987, 1997, 2027, 2029, 2053,
2069, 2083, 2099, 2131, 2141, 2213, 2221, 2237, 2243, 2267,
2269, 2293, 2309, 2333, 2339, 2357, 2371, 2389, 2437, 2459,
2467, 2477, 2531, 2539, 2549, 2557, 2579, 2621, 2659, 2677,
2683, 2693, 2699, 2707, 2741, 2789, 2797, 2803, 2819, 2837,
2843, 2851, 2861, 2909, 2939, 2957, 2963, 3011, 3019, 3037,
3067, 3083, 3187, 3203, 3253, 3299, 3307, 3323, 3347, 3371,
3413, 3461, 3467, 3469, 3491, 3499, 3517, 3533, 3539, 3547,
3557, 3571, 3581, 3613, 3637, 3643, 3659, 3677, 3691, 3701,
3709, 3733, 3779, 3797, 3803, 3851, 3853, 3877, 3907, 3917,
3923, 3931, 3947, 3989, 4003, 4013, 4019, 4021, 4091, 4093,
4099, 4133, 4139, 4157, 4219, 4229, 4243, 4253, 4259, 4261,
4283, 4349, 4357, 4363, 4373, 4397, 4451, 4483, 4493, 4507,
4517, 4547, 4603, 4621, 4637, 4691, 4723, 4787, 4789, 4813,
4877, 4933, 4957, 4973, 4987, 5003, 5011, 5051, 5059, 5077,
5099, 5107, 5147, 5171, 5179, 5189, 5227, 5261, 5309, 5333,
5387, 5443, 5477, 5483, 5501, 5507, 5557, 5563, 5573, 5651,
5659, 5683, 5693, 5701, 5717, 5741, 5749, 5779, 5813, 5827,
5843, 5851, 5869, 5923, 5939, 5987, 6011, 6029, 6053, 6067,
6101, 6131, 6173, 6197, 6203, 6211, 6229, 6269, 6277, 6299,
6317, 6323, 6373, 6379, 6389, 6397, 6469, 6491, 6547, 6619,
6637, 6653, 6659, 6691, 6701, 6709, 6733, 6763, 6779, 6781,
6803, 6827, 6829, 6869, 6883, 6899, 6907, 6917, 6947, 6949,
6971, 7013, 7019, 7027, 7043, 7069, 7109, 7187, 7211, 7219,
7229, 7237, 7243, 7253, 7283, 7307, 7331, 7349, 7411, 7451,
7459, 7477, 7499, 7507, 7517, 7523, 7541, 7547, 7549, 7573,
7589, 7603, 7621, 7643, 7669, 7691, 7717, 7757, 7789, 7829,
7853, 7877, 7883, 7901, 7907, 7933, 7949, 8053, 8069, 8093,
8117, 8123, 8147, 8171, 8179, 8219, 8221, 8237, 8243, 8269,
8291, 8293, 8363, 8387, 8429, 8443, 8467, 8539, 8563, 8573,
8597, 8627, 8669, 8677, 8693, 8699, 8731, 8741, 8747, 8803,
8819, 8821, 8837, 8861, 8867, 8923, 8933, 8963, 8971, 9011,
9029, 9059, 9173, 9181, 9203, 9221, 9227, 9283, 9293, 9323,
9341, 9349, 9371, 9397, 9419, 9421, 9437, 9467, 9491, 9533,
9539, 9547, 9587, 9613, 9619, 9629, 9643, 9661, 9677, 9733,
9749, 9803, 9851, 9859, 9883, 9901, 9907, 9923, 9941, 9949
4- ,
32 , 64
, 96 128 . a, b, c d q,
2 - :
q = 2^a + 2^b + 2^c + 2^d,
with period q - 1.

a = 32:
(32,6,3,2) (32,7,5,2) (32,8,3,2) (32,13,8,2) (32,13,12,2) (32,15,6,2) (32,16,2,1) (32,16,3,2) (32,16,5,2) (32,17,5,2)
(32,19,2,1) (32,19,5,2) (32,19,9,2) (32,19,12,2) (32,19,17,2) (32,20,17,2) (32,21,9,2) (32,21,15,2) (32,23,8,2) (32,23,21,2)
(32,25,5,2) (32,25,12,2) (32,27,25,2) (32,29,19,2) (32,29,20,2) (32,30,3,2) (32,30,7,2) (32,31,5,2) (32,31,9,2) (32,31,30,2)

a = 64:
(64,3,2,1) (64,14,3,2) (64,15,8,2) (64,17,2,1) (64,17,9,2) (64,17,16,2) (64,19,2,1) (64,19,18,2) (64,24,19,2) (64,25,3,2)
(64,25,4,2) (64,25,11,2) (64,25,19,2) (64,27,5,2) (64,27,16,2) (64,27,22,2) (64,28,19,2) (64,28,25,2) (64,29,16,2) (64,29,28,2)
(64,31,12,2) (64,32,21,2) (64,35,29,2) (64,36,7,2) (64,37,2,1) (64,37,11,2) (64,39,4,2) (64,39,25,2) (64,41,5,2) (64,41,11,2)
(64,41,27,2) (64,43,21,2) (64,43,28,2) (64,45,28,2) (64,45,41,2) (64,47,5,2) (64,47,21,2) (64,47,30,2) (64,49,19,2) (64,49,20,2)
(64,52,29,2) (64,53,8,2) (64,53,43,2) (64,56,39,2) (64,56,45,2) (64,59,5,2) (64,59,8,2) (64,59,28,2) (64,59,38,2) (64,59,44,2)
(64,60,49,2) (64,61,51,2) (64,63,8,2) (64,63,13,2) (64,63,61,2)

a = 96:
(96,15,5,2) (96,21,17,2) (96,25,19,2) (96,25,20,2) (96,29,15,2) (96,29,17,2) (96,30,3,2) (96,32,21,2) (96,32,27,2) (96,33,5,2)
(96,35,17,2) (96,35,33,2) (96,39,21,2) (96,40,25,2) (96,41,12,2) (96,41,27,2) (96,41,35,2) (96,42,35,2) (96,43,14,2) (96,44,23,2)
(96,45,41,2) (96,47,36,2) (96,49,31,2) (96,51,30,2) (96,53,17,2) (96,53,19,2) (96,53,32,2) (96,53,48,2) (96,54,15,2) (96,55,44,2)
(96,55,53,2) (96,56,9,2) (96,56,51,2) (96,57,3,2) (96,57,17,2) (96,57,47,2) (96,58,35,2) (96,59,46,2) (96,60,29,2) (96,60,41,2)
(96,60,45,2) (96,61,17,2) (96,63,20,2) (96,65,12,2) (96,65,39,2) (96,65,51,2) (96,67,5,2) (96,67,25,2) (96,67,34,2) (96,68,5,2)
(96,68,19,2) (96,69,17,2) (96,69,36,2) (96,70,23,2) (96,71,6,2) (96,71,40,2) (96,72,53,2) (96,73,32,2) (96,77,27,2) (96,77,31,2)
(96,77,32,2) (96,77,33,2) (96,77,71,2) (96,78,39,2) (96,79,4,2) (96,81,80,2) (96,83,14,2) (96,83,26,2) (96,83,54,2) (96,83,60,2)
(96,83,65,2) (96,83,78,2) (96,84,65,2) (96,85,17,2) (96,85,31,2) (96,85,76,2) (96,85,79,2) (96,86,39,2) (96,86,71,2) (96,87,9,2)
(96,87,44,2) (96,87,45,2) (96,88,19,2) (96,88,35,2) (96,88,43,2) (96,88,79,2) (96,89,35,2) (96,89,51,2) (96,89,69,2) (96,89,87,2)
(96,92,51,2) (96,92,71,2) (96,93,32,2) (96,93,39,2) (96,94,35,2) (96,95,4,2) (96,95,16,2) (96,95,32,2) (96,95,44,2) (96,95,45,2)

a = 128:
(128,5,4,2) (128,15,4,2) (128,21,19,2) (128,25,5,2) (128,26,11,2) (128,27,25,2) (128,31,25,2) (128,33,21,2) (128,35,22,2) (128,37,8,2)
(128,41,12,2) (128,42,35,2) (128,43,25,2) (128,43,42,2) (128,45,17,2) (128,45,27,2) (128,49,9,2) (128,51,9,2) (128,54,51,2) (128,55,45,2)
(128,56,15,2) (128,56,19,2) (128,56,55,2) (128,57,21,2) (128,57,37,2) (128,59,29,2) (128,59,49,2) (128,60,57,2) (128,61,9,2) (128,61,23,2)
(128,61,52,2) (128,63,40,2) (128,63,62,2) (128,67,41,2) (128,69,33,2) (128,71,53,2) (128,72,15,2) (128,72,41,2) (128,73,5,2) (128,73,65,2)
(128,73,67,2) (128,75,13,2) (128,80,39,2) (128,80,53,2) (128,81,55,2) (128,82,67,2) (128,83,60,2) (128,83,61,2) (128,83,77,2) (128,84,15,2)
(128,84,43,2) (128,85,63,2) (128,87,57,2) (128,87,81,2) (128,89,81,2) (128,90,43,2) (128,91,9,2) (128,91,13,2) (128,91,44,2) (128,92,35,2)
(128,95,94,2) (128,96,23,2) (128,96,61,2) (128,97,25,2) (128,97,68,2) (128,97,72,2) (128,97,75,2) (128,99,13,2) (128,99,14,2) (128,99,26,2)
(128,99,54,2) (128,99,56,2) (128,99,78,2) (128,100,13,2) (128,100,39,2) (128,101,44,2) (128,101,97,2) (128,103,46,2) (128,104,13,2) (128,104,19,2)
(128,104,35,2) (128,105,7,2) (128,105,11,2) (128,105,31,2) (128,105,48,2) (128,107,40,2) (128,107,62,2) (128,107,102,2) (128,108,35,2) (128,108,73,2)
(128,108,75,2) (128,108,89,2) (128,109,11,2) (128,109,108,2) (128,110,23,2) (128,111,61,2) (128,113,59,2) (128,114,83,2) (128,115,73,2) (128,117,105,2)
(128,119,30,2) (128,119,101,2) (128,120,9,2) (128,120,27,2) (128,120,37,2) (128,120,41,2) (128,120,79,2) (128,120,81,2) (128,121,5,2) (128,121,67,2)
(128,121,95,2) (128,121,96,2) (128,123,40,2) (128,123,78,2) (128,124,41,2) (128,124,69,2) (128,124,81,2) (128,125,33,2) (128,125,43,2) (128,127,121,2)
8.
8.1
,
1970-1980- .
[339].
8.1.1
1973 .. [129]
3 ,
the function $f\colon \mathbb{F}_2^3 \to \mathbb{F}_2$,
$$f(x_1, x_2, x_3) = x_3 \oplus x_1 x_2 \oplus x_2 x_3 .$$
Lj Cj(D)
, ,
.
:
: : 3 <Lj, Cj(D)>
: aj0
i = 1, 2, ...
1. j = 1, 2, 3
j
aji
2. $z_i = a_{3i} \oplus a_{1i} a_{2i} \oplus a_{2i} a_{3i}$
: zi , i = 1, 2, ...
- , T = T1T2T3
. $L(\tilde z) = L_3 + L_1 L_2 + L_2 L_3$.
,
, .
f 1 3, P(f(X) = X1)
= P(f(X) = X3) = 3/4. , f : F23 F2 ,
$f'(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 x_3 \oplus x_2 x_3$ instead of $f$,
,
.
. 8.1.4 .
8.1.2
1977. [302], ,
, J-K
. J-K
$$y_j = x_j^{(1)} \oplus y_{j-1}\bigl(1 \oplus x_j^{(1)} \oplus x_j^{(2)}\bigr),$$
yj j. ,
J-K ,
. ,
.
J-K ,
. 4,
. Lj
Cj(D) .
:
: : 8 <Lj, Cj(D)>
: a0(1), . . . , a0(8)
i = 0, 1, 2, ...
k = 1, 2, 3, 4
a.
b. k-
$$y^{(k)}_{4i} = a^{(2k-1)}_{4i} \oplus y^{(k)}_{4(i-1)}\bigl(1 \oplus a^{(2k-1)}_{4i} \oplus a^{(2k)}_{4i}\bigr)$$
c. $z_{4i+k} = y^{(k)}_{4i}$
: zl , l = 1, 2, ...
, ,
. [329]
, "--"
,
, 15 .
, , J-K
. - f
, , -
, ,
I(Z; X1) = I(Z; X2) = 0.189 .
, ,
4.3.
8.1.3 -
1980- [181] [182]
,
.
f. ,
1, 2.
. h
1 h L1 2h L2. Lj,
Cj(D) h .
-:
: : 2 <Lj, Cj(D)>
h j = (j0, j1, . . . , jh-1) ,
0 j0 < j1 . . . < jh-1 L1
: s0(1), s0(2)
i = 1, 2, ...
1. 1 2
2. Form the address
$$a_i = \sum_{k=0}^{h-1} 2^k\, s^{(1)}_i(j_k)$$
3. Output
$$z_i = s^{(2)}_i\bigl(\theta(a_i)\bigr),$$
where $\theta$ is a map from $\{0, 1, \dots, 2^h - 1\}$ into $\{0, 1, \dots, L_2 - 1\}$.
: zi , i = 1, 2, ...
, ,
, .. (L1,L2) = 1. [181],
$T = (2^{L_1} - 1)(2^{L_2} - 1)$. For the linear complexity,
$$L(\tilde z) \le L_2\Bigl(1 + \sum_{i=1}^{h} \binom{L_1}{i}\Bigr), \qquad 2 \le h < L_1 - 1;$$
for $h = L_1 - 1$, $L(\tilde z) = L_2 (2^{L_1} - 1)$. In [182] it is shown that
$$C(\tau) = -1/(2^{L_2} - 1)$$
for all $\tau$, $1 \le \tau \le T - 1$.
,
[346],
" " [7] [399] [93]
(. 9).
8.1.4
1984 [47]
. M
f.
M, Lj Cj(D)
, ,
.
:
: : M <Lj, Cj(D)>
: a10, . . . , aM0 M
i = 1, 2, ...
1. j = 1, . . . , M
j
aji
2. Output the majority value
$$z_i = \begin{cases} 1, & \text{if } \sum_{j=1}^{M} a_{ji} > M/2, \\ 0, & \text{if } \sum_{j=1}^{M} a_{ji} \le M/2. \end{cases}$$
: zi , i = 1, 2, ...
,
M . M = 3,
f
:
$$z_i = a_{1i} a_{2i} \oplus a_{1i} a_{3i} \oplus a_{2i} a_{3i},$$
mod 2 . -
, T = T1 T2 T3 .
$L(\tilde z) = L_1 L_2 + L_1 L_3 + L_2 L_3$.
,
. - f
I(Z; Xj) - 0.189 j. ,
.
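The correlation figures quoted in Sections 8.1.1 to 8.1.4 (3/4 agreement for Geffe's f, 0.189 bit of mutual information for the majority function) computed by exhausting the truth table, as an added Python example that is not part of the original text. The function and variable names are this example's own; the Boolean functions are the page's.

```python
from itertools import product
from math import log2


def agreement(f, n: int, j: int) -> float:
    """P(f(X) = X_j) for X uniform on GF(2)^n, inputs counted from 0."""
    hits = sum(f(*x) == x[j] for x in product((0, 1), repeat=n))
    return hits / 2 ** n


def mutual_information(f, n: int, j: int) -> float:
    """I(Z; X_j) in bits for Z = f(X), from the exact joint distribution."""
    total = 2 ** n
    joint = {}
    for x in product((0, 1), repeat=n):
        key = (f(*x), x[j])
        joint[key] = joint.get(key, 0) + 1
    pz = {z: sum(c for (zz, _), c in joint.items() if zz == z) / total for z in (0, 1)}
    px = {v: sum(c for (_, xx), c in joint.items() if xx == v) / total for v in (0, 1)}
    return sum((c / total) * log2((c / total) / (pz[z] * px[v]))
               for (z, v), c in joint.items())


def geffe(x1, x2, x3):
    """The page's f(x1, x2, x3) = x3 + x1 x2 + x2 x3 over GF(2): x2 selects x1 or x3."""
    return x3 ^ (x1 & x2) ^ (x2 & x3)


def majority(x1, x2, x3):
    """The page's f' and the M = 3 majority combiner: x1 x2 + x1 x3 + x2 x3."""
    return (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)


def correlation_profile(f, n: int):
    """(P(f = X_j), I(Z; X_j)) for every input j: what a correlation attack
    would exploit, hence what a combiner design has to keep small."""
    return [(agreement(f, n, j), mutual_information(f, n, j)) for j in range(n)]


if __name__ == "__main__":
    print("Geffe   ", correlation_profile(geffe, 3))
    print("majority", correlation_profile(majority, 3))
```

Both functions leak the same 1 - H(1/4) = 0.189 bit about the inputs they agree with 3/4 of the time; Geffe's f additionally has one input (x2) with no leakage at all.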
8.1.5
[234] , "
".
:
$$y_i = F_k(x_i, \dots, x_{i-M}) = x_i + \sum_{j=1}^{M} c_j(i, k)\, x_{i-j},$$
where the coefficients $c_j(i, k)$ depend on $i$ and $k$.
, M
, (
)
. M- M
M ,
.
" " ,
,
. L1, L2 ( ) d1, d2
.
:
: : 2 <Lj, Cj(D)> d1, d2
: a0(1), a0(2)
i = 1, 2, ...
1. 1 d1
2. 2 d2
3. Output the inner product of the two register states,
$$z_i = \sum_{k=1}^{\min\{L_1, L_2\}} a_{1k}\, a_{2k} .$$
: zi , i = 1, 2, ...
- [234],
L(~
z ) = L1 L2 C1(D) C2(D)
, (L1,L2) = 1 , (d1,T1) = (d2,T2) =1, T1,T2
,
. T ~
z Tz T1T2/(q1). , C1(D) C2(D) GF(2) L1 > L2. ,
(2 L2 - 1)(2 L1 -1 - 1) ,
1 / (2 L1 - 1) .
" "
. ,
,
,
() . ,
:
~
z
~
L3; z
, d3 > 1.
, [346],
[399].
, L1 L2 - , d -
,
L1 + L2 + log2d.
8.1.6
Crypto85 [390]
. (
) ai Zn.
()
:
a'k = F(ak - r, ak - r + 1, . . ., ak + r)
r F. ,
.
N.
,
F N. [390]
$$a'_k = a_{k-1} \oplus (a_k \lor a_{k+1})$$
F .
:
: : N
(, , f )
: a(0) = (a0(0), a1(0), . . . , aN - 1(0))
i = 1, 2, ...
1. Update every cell:
$$a^{(i)}_k = a^{(i-1)}_{k-1} \oplus \bigl(a^{(i-1)}_k \lor a^{(i-1)}_{k+1}\bigr), \qquad k = 0, 1, \dots, N - 1,$$
with indices taken mod $N$.
2. - k
zi = ak(i)
: zi , i = 1, 2, ...
,
, . ,
. [258]
,
. . [90] ,
.
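The cellular-automaton generator of this section, as an added Python example that is not part of the original text: the page's rule a'_k = a_{k-1} XOR (a_k OR a_{k+1}) on a ring of N cells, one fixed cell tapped for output, plus a cycle finder that shows the state sequence need not be purely periodic. The 5-cell starting state is a constructed sample and the names are this example's own.

```python
from typing import List, Tuple


def ca_step(cells: List[int]) -> List[int]:
    """One synchronous update of the ring: a'_k = a_{k-1} XOR (a_k OR a_{k+1})."""
    n = len(cells)
    return [cells[(k - 1) % n] ^ (cells[k] | cells[(k + 1) % n]) for k in range(n)]


def ca_keystream(cells: List[int], tap: int, nbits: int) -> List[int]:
    """Value of the fixed cell `tap` after each of nbits updates (step 2 of the page)."""
    out = []
    for _ in range(nbits):
        cells = ca_step(cells)
        out.append(cells[tap])
    return out


def ca_cycle(cells: List[int], limit: int = 100_000) -> Tuple[int, int]:
    """(preperiod, period) of the state sequence.  The update need not be a
    bijection, so some states are visited once before the cycle begins."""
    seen = {}
    t = 0
    while tuple(cells) not in seen:
        if t >= limit:
            raise RuntimeError("no cycle found within limit")
        seen[tuple(cells)] = t
        cells = ca_step(cells)
        t += 1
    first = seen[tuple(cells)]
    return first, t - first


if __name__ == "__main__":
    start = [0, 0, 1, 0, 0]            # constructed sample: N = 5, single live cell
    print(ca_keystream(start, 2, 12), ca_cycle(start))
```

For this tiny ring the state sequence enters a cycle of length 5 after one step; the period one actually gets for a given N and seed has to be measured like this rather than assumed.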
8.1.7 "1/p"
"1/p-" ,
[99] [197]. [40]
,
F(x) = bx mod N.
F(x) = x2 mod N
1/p-.
b > 1 .
1/p- p, b,
x0 Zp*. 1/p-
x0/p b. , b , x0 p b. ,
, , b-
, x0 p b.
1/p :
: : b > 1
: p (p,b) = 1, x0 Zp*
i = 1, 2, ...
1. Update the state: $x_i = F(x_{i-1}) = b\, x_{i-1} \bmod p$
2. Output the digit: $z_i = f(x_{i-1}) = b\, x_{i-1} \;\mathrm{div}\; p$
: zi , i = 1, 2, ...
[40] ,
T = p - 1, p b - mod p.
. ,
p - 1.
, b-
|p| - 1 , b |p|
(|p| b- p).
. , b k= log b (2 p 2 ) zm,
. . . , zm+k ,
.
zm, . . . , zm+k / bk . xm/p 1/bk 1/2p2.
(p,b) = 1,
, xi-1 = b-1xi mod p.
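The 1/p generator of this section together with the page's observations about it (period p - 1 when b is a primitive root, invertibility of the state map, and the fact that k = ⌈log_b(2p²)⌉ consecutive digits pin down x_{m-1}/p, which is why the generator is not cryptographically secure), as an added Python example that is not part of the original text. The parameters p = 37, b = 2, x0 = 5 are constructed, and all names are this example's own.

```python
from fractions import Fraction
from math import gcd
from typing import List


def one_over_p(p: int, b: int, x0: int, n: int) -> List[int]:
    """z_1..z_n of the 1/p generator: z_i = b x_{i-1} div p, x_i = b x_{i-1} mod p."""
    assert gcd(p, b) == 1 and 0 < x0 < p
    x, digits = x0, []
    for _ in range(n):
        t = b * x
        digits.append(t // p)          # output: one base-b digit of x0/p
        x = t % p                      # next state
    return digits


def previous_state(x: int, b: int, p: int) -> int:
    """The page's remark that the state map is invertible: x_{i-1} = b^{-1} x_i mod p."""
    return pow(b, -1, p) * x % p


def period(p: int, b: int) -> int:
    """Multiplicative order of b mod p, the period of the state sequence."""
    t, x = 1, b % p
    while x != 1:
        x, t = x * b % p, t + 1
    return t


def digits_are_expansion(p: int, b: int, x0: int, n: int) -> bool:
    """Checks that z_1 z_2 ... is the base-b expansion of x0/p."""
    value = sum(Fraction(z, b ** i) for i, z in enumerate(one_over_p(p, b, x0, n), 1))
    return 0 <= Fraction(x0, p) - value < Fraction(1, b ** n)


def digits_needed(b: int, p_max: int) -> int:
    """k = ceil(log_b(2 p_max^2)): enough digits that b^-k <= 1/(2 p_max^2)."""
    k = 0
    while b ** k < 2 * p_max ** 2:
        k += 1
    return k


def recover_fraction(digits: List[int], b: int, p_max: int) -> Fraction:
    """Given k >= digits_needed(b, p_max) consecutive digits z_m..z_{m+k-1} of a
    1/p generator with unknown p <= p_max, return x_{m-1}/p.  The truncated value
    is within b^-k <= 1/(2 p_max^2) of x_{m-1}/p and no other fraction with
    denominator <= p_max is that close, so the closest such fraction is it."""
    k = len(digits)
    assert k >= digits_needed(b, p_max)
    approx = sum(Fraction(z, b ** i) for i, z in enumerate(digits, 1))
    return approx.limit_denominator(p_max)


if __name__ == "__main__":
    z = one_over_p(37, 2, 5, 72)
    k = digits_needed(2, 63)           # p is a 6-bit prime, so p_max = 63
    print(period(37, 2), k, recover_fraction(z[10:10 + k], 2, 63))
```

With p a 6-bit prime, 13 output bits taken anywhere in the stream already reveal the state the generator was in; the page's remark that the generator is invertible then gives every earlier state as well.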
8.1.8
1980- [333]
.
( ,
). f :
$\mathbb{Z}^N \to \mathbb{Z}$,
$$z = \sum_{i=1}^{N} x_i,$$
, .
,
, F2 ,
. [333]
:
:
: : N <Lj, Cj(D)>
: N C0
i = 1, 2, ...
1. x1i, x2i, . . . , xNi
2. Compute the integer sum
$$S_i = \sum_{k=1}^{N} x_{ki} + C_{i-1}$$
3. Output $z_i = S_i \bmod 2$ and keep the carry $C_i = \lfloor S_i / 2 \rfloor$.
: zi , i = 1, 2, ...
[333] , N
r-
T = Ti, Ti
. m-
,
, $L(\tilde z)$ is close to $(2^{L_1} - 1)(2^{L_2} - 1)$.
,
.
(N - 1),
.
[256]
1 (. 5.1.3 7.2). ,
1 , ,
x1,i x1,i- 1 x2,i ( ,
,
). [368]
. ,
N N,
0 N.
,
. 7.1.1, 7.2.4 7.4.6.
8.1.9
1985 [332] " "
. ,
, "" . ,
, NP- [127].
L
S. - ,
, S.
, x = x1, x2 ,
. . . , xL S, , x.
[332]. , NP-
( )
.
:
: : <L, C(D)>, Q
: L w1, . . . , wL N
x0 = x10, x20 , . . . , xL0
i = 1, 2, ...
1.
2.
$$S_i = \sum_{k=1}^{L} x_{ki}\, w_k \bmod Q$$
3. Si Zi
: Zi , i = 1, 2, ...
2L - 1,
, j- ~s j
2L-1. [334] , Q = 2N, ~s j , j~
S ,
j
2
L
L (~
sj )
k =1 k
L
L
L (~
sj ) = 2 L - 1
k =1 k
j < log L
j log L
, log L 2L ,
. j
L log L j log L .
,
.
. ,
,
[358] [44],
, .
[322].
8.1.10 [346]
(
),
[197]. ,
.
X1, X2, X3,..., Xm n- ,
8, 16, 32 - .
. i-
$$X_i = (X_{i-a} + X_{i-b} + X_{i-c} + \dots + X_{i-m}) \bmod 2^n .$$
a, b, c, ... , m ,
2n - 1. -
.
, (55,24,0) - mod 2 (. 2.2). ,
:
$$X_i = (X_{i-55} + X_{i-24}) \bmod 2^n .$$
,
. ,
.
[43].
1990- FISH
(. 6.3.2) PIKE (. 8.5.5).
8.1.11
, 1984
1988 Associated Press [130].
-: 8-
f h. 64
.
,
1994 [52] [53].
"-" ( ,
) ,
.
F,
F ,
F. ,
, 24, 5, 6 29, .
24
, 40 .
, 40
227 . , F
,
.
227 218 ,
264 ,
. -, 8 Sparc,
4 [53].
8.2 5
5 - ,
GSM (Group Special Mobile).
, -
.
A5 .
,
. A5
, - INTERNET
[346].
8.2.1
,
Eurocrypt '97 [152].
$f_i(z) = \sum_{l=0}^{r_i} f_{i,l} z^l$, and the register output satisfies the recursion
$$x_i(t) = \sum_{l=1}^{r_i} f_{i,l}\, x_i(t - l), \qquad t \ge r_i .$$
$S_i(t) = (s_{i,l}(t))_{l=1}^{r_i}$ is the state of register $i$ at time $t \ge 0$,
"/", , ti
i, . [346] ,
t1 = 10, t2 = 11, t3 = 12.
$C = (C(t))_{t=1}^{\infty}$ is the clock-control sequence
$$C(t) = g\bigl(s_{1,\tau_1}(t-1),\, s_{2,\tau_2}(t-1),\, s_{3,\tau_3}(t-1)\bigr),$$
where $g$ is the 4-valued majority function: $g(s_1, s_2, s_3) = \{i, j\}$ if $s_i = s_j \ne s_k$ for $i < j$ and $k \ne i, j$; $g(s_1, s_2, s_3) = \{1, 2, 3\}$ if $s_1 = s_2 = s_3$.
, C(t) ,
y(t)
$$y(t) = s_{1,1}(t) + s_{2,1}(t) + s_{3,1}(t), \qquad t \ge 1$$
( ). ci = ( ci (t )) t =1
i (,
ci(t) = 1 , ci(t) = 0),
C. y(t)
y(0) S(0), y= ( y(t )) t = 0
. 100 ( y (t )) 100
t =1
, 114
, 100 ,
114
. ,
.
. - 22- ,
, , .
64 (
1 ),
22-
,
. , p = ( p(t )) 0t = -21 , t,
-21 t 0, "/",
p(t) . 22
.
, GSM A5
,
.
(
"" ). , , 64-
,
"" (master) , ,
128- ,
. ,
.
8.2.2
. A5 Internet
. ,
240 :
,
[11] ( " ", . 9.1).
.
. , 1994 -
IEE
A5. ,
- [11].
: (a)
(
1993. "Mobile Europe");
[7] , [94].
1997 A5,
[152]. -
, " ". , 64
. ,
" "
. ,
240.
"-". [152] ,
"-" "
".
. , T M 263.32, T
M - ( 128- ), .
O(M),
, ,
T / 102. , T 227.67 M 235.65.
" ",
[16] [171].
A5. .. [70]
,
. ,
40% A5 ,
, (223 - 1)4/3 .
8.3 RC4
1980-
.
,
, RC4.
RC4 - ,
1987 RSA Data Security [346] [319].
RC2, RC4 - ,
.
, . RC4
1 / 33 ( RC2)
,
[115] (
).
.
1994 -
Internet. , RSA,
RC4, .
, , ,
, ,
. Internet
, , .
RC4
, Lotus Notes, Apple Computer's AOCE, Oracle Secure SQL,
CDPD.
8.3.1
- " " " ".
[346].
.
(S- 8 8): S0, S1, . . ., S255.
0 255,
. i j, .
:
Let $S_0 = (l)_{l=0}^{2^n - 1}$ be the identity permutation and $j_0 = 0$. For $1 \le t \le 2^n$,
$$j_t = \bigl(j_{t-1} + S_{t-1}(t-1) + K_{t-1}\bigr) \bmod 2^n,$$
and $S_t$ is obtained from $S_{t-1}$ by swapping $S_{t-1}(t-1)$ and $S_{t-1}(j_t)$; the permutation left after the last step is the one the generator starts from.
K , ,
, .
8.3.2
RC4.
RSA Data Security ,
, ,
.
RSA Labs [325]: " ,
RC4,
,
10100. RC4
,
RC4".
[151],
Eurocrypt '97. ,
, RC4, ,
. , ,
[144][150], , M (
),
" ".
- [141] (. 7.3.3).
- ,
, 1/2.
-
RC4.
,
c,
(1+ c)/2.
.
z = ( z t ) t=1
RC4,
,
.
RC4 ,
n.
8.4 SEAL
SEAL - ,
IBM ( Software-optimized Encryption Algorithm) [326]. SEAL
,
. 32-
: 32-
- .
SEAL
,
( , DES 10-30 ).
486-
58 . ,
[346].
8.4.1
SEAL , :
. 160- k
32- ( ) n, SEAL n L- k(n).
L , 64 .
, k ,
k(n) L- n
.
, SEAL
: ,
.
:
i, j -
j-.
: .
.
, .
512- ?
SEAL n
XOR - k(n). ,
,
.
, .
, ,
. k
n- k(n).
[346].
[326].
8.4.2 SEAL
.
a, ,
() .
. SEAL
,
() a ( )
, .
, . SEAL -
, " ".
, [134].
SEAL, ,
: 160- a
32- n L- SEALa(n).
L
,
512 4096 .
, SEALa() " ",
a . ,
{0,1}160, , , .
.
a x, "" .
, n
. x n
(n, x SEALa(n)), L = | x | SEALa(n).
. ,
(
MD5 SHA),
( Khufu DES).
,
.
3 .
8.4.3
. 32- "",
8- - "". l.
x t x0 x1 . . . xt - 1.
"0",
the hexadecimal digits "a"-"f" denote 10-15. y >>> t denotes the rotation of the 32-bit word y to the right by t positions: bit i of y >>> t is bit (i - t) mod 32 of y. &, | and ⊕ denote bitwise AND, OR and XOR; Ā is the complement of A, and A + B is the sum of two 32-bit words (mod 2^32). "||" denotes concatenation, and odd() is the predicate that its argument is odd.
, - .
. , SEAL
. L - . , L
, L 6410248. ,
L' , L' - 128, L.
. - T, R S,
a. a .
G,
SHA,
[276].
Ga(i) 160- a 0 i < 232.
i 32- ,
- i. 5-7
[276] .
. For $0 \le t \le 19$: $K_t = \mathrm{0x5a827999}$ and $f_t(B, C, D) = (B \wedge C) \vee (\bar B \wedge D)$. For $20 \le t \le 39$: $K_t = \mathrm{0x6ed9eba1}$ and $f_t(B, C, D) = B \oplus C \oplus D$. For $40 \le t \le 59$: $K_t = \mathrm{0x8f1bbcdc}$ and $f_t(B, C, D) = (B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$. For $60 \le t \le 79$: $K_t = \mathrm{0xca62c1d6}$ and $f_t(B, C, D) = B \oplus C \oplus D$.
The 160-bit $a$ is split into five 32-bit words, $a = H_0 H_1 H_2 H_3 H_4$, and the 512-bit message block is $M_1 = i \,\|\, 0^{480}$. Then:
a. Split $M_1$ into 16 words $W_0, W_1, \dots, W_{15}$, so that $W_0 = i$ and $W_1 = W_2 = \dots = W_{15} = 0$.
b. For $t = 16$ to $79$: $W_t = W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16}$.
Define the function $G'_a$, which differs from $G_a$ in being 32-bit rather than 160-bit valued, by $G'_a(i) = H^i_{i \bmod 5}$, where $H^i_0 H^i_1 H^i_2 H^i_3 H^i_4 = G_a(\lfloor i/5 \rfloor)$; thus $G'_a$ is $G_a$ cut into 32-bit words. The tables are
$T[i] = G'_a(i)$ for $0 \le i < 512$,
$S[j] = G'_a(\mathrm{0x1000} + j)$ for $0 \le j < 256$,
$R[k] = G'_a(\mathrm{0x2000} + k)$ for $0 \le k < 4\lceil (L - 1)/8192 \rceil$.
, SHA
- 131 512
, 207 64 .
. L, T, R S, a,
32- n, n L-
y.
SEAL ( 32- L )
function SEAL_a(n)
    y ← λ;
    for l ← 0 to ∞ do
        Initialize_a(n, l, A, B, C, D, n1, n2, n3, n4);
        for i ← 1 to 64 do
            P ← A & 0x7fc; B ← B + T[P/4]; A ← A >>> 9; B ← B ⊕ A;
            Q ← B & 0x7fc; C ← C ⊕ T[Q/4]; B ← B >>> 9; C ← C + B;
            P ← (P + C) & 0x7fc; D ← D + T[P/4]; C ← C >>> 9; D ← D ⊕ C;
            Q ← (Q + D) & 0x7fc; A ← A ⊕ T[Q/4]; D ← D >>> 9; A ← A + D;
            P ← (P + A) & 0x7fc; B ← B ⊕ T[P/4]; A ← A >>> 9;
            Q ← (Q + B) & 0x7fc; C ← C + T[Q/4]; B ← B >>> 9;
            P ← (P + C) & 0x7fc; D ← D ⊕ T[P/4]; C ← C >>> 9;
            Q ← (Q + D) & 0x7fc; A ← A + T[Q/4]; D ← D >>> 9;
            y ← y || (B + S[4i-4]) || (C ⊕ S[4i-3]) || (D + S[4i-2]) || (A ⊕ S[4i-1]);
            if |y| ≥ L then return (y_0 y_1 ... y_{L-1});
            if odd(i) then (A, C) ← (A + n1, C + n2)
            else (A, C) ← (A + n3, C + n4)
( : 4 -
, , .
.)
Initialize n l
A, B, C, D, n1, n2, n3, n4. :
SEAL
procedure Initialize_a(n, l, A, B, C, D, n1, n2, n3, n4)
    A ← n ⊕ R[4l];
    B ← (n >>> 8) ⊕ R[4l+1];
    C ← (n >>> 16) ⊕ R[4l+2];
    D ← (n >>> 24) ⊕ R[4l+3];
    for j ← 1 to 2 do
        P ← A & 0x7fc; B ← B + T[P/4]; A ← A >>> 9;
        P ← B & 0x7fc; C ← C + T[P/4]; B ← B >>> 9;
        P ← C & 0x7fc; D ← D + T[P/4]; C ← C >>> 9;
        P ← D & 0x7fc; A ← A + T[P/4]; D ← D >>> 9;
    (n1, n2, n3, n4) ← (A, B, C, D);
    P ← A & 0x7fc; B ← B + T[P/4]; A ← A >>> 9;
    P ← B & 0x7fc; C ← C + T[P/4]; B ← B >>> 9;
    P ← C & 0x7fc; D ← D + T[P/4]; C ← C >>> 9;
    P ← D & 0x7fc; A ← A + T[P/4]; D ← D >>> 9;
[346].
, T 2- S- 9*32. SEAL
32- A,B,C,D,
n R T.
, 8 .
9 (A,B,C D)
T. , T , ,
XOR' (A,B,C D).
.
XOR
( ) . 8 A, B, C D
, (
XOR) - S.
A C , n1, n2, n3, n4; -
.
:
1. , , S- (T).
2.
( XOR).
3. ,
( ni, A C
)
4. ,
.
8.4.4 SEAL
, ,
- SEAL.
.
, ( , DES)
[346].
8.5 1990-
8.5.1 -
-
1990 "Philips Crypto"
[178], -. ,
" ", ,
-. ,
. ,
"" , .
.
-.
[409].
, [408],
,
. ,
" "
().
, ,
, "".
,
, ,
-. .
Lb,
Lb z.
.
z
, z.
, ,
Ls. ,
(""), -.
.
Lb, Lb z
.
- - -
. ,
wi1 wi2 , .
,
.
,
, wi2 = 0 i, .
" ",
.
s0, s1, ... ,sr - 1 p0,
p1, ... , pr - 1 , si = (s0,i , s1,i , ... , s pi -1,i ) sj,i GF(2). Wj
r- (sj,0, sj,1, ... , sj,r - 1), .
r- Wj p = (p0,p1,...,pr - 1).
, Lb = 2r. , ,
Wj = (0, ... ,0), zj - 1; Wj = (0, ... ,1),
zj - 2; Wj = (1, ... ,1), z j - 2 r .
z :
$$z_j = z_{j - I(W_j) - 1} + 1 = F(W_j, z_{j-1}, \dots, z_{j-2^r}) = 1 + \sum_{i=0}^{2^r - 1} F_i(W_j)\, z_{j-i-1},$$
where $I(W_j)$ is the integer whose binary representation is the $r$-bit vector $W_j$, and $F_i$, $i = 0, 1, \dots, 2^r - 1$, are the Boolean functions $GF(2)^r \to GF(2)$
$$F_i(X) = \begin{cases} 1, & I(X) = i, \\ 0, & I(X) \ne i. \end{cases}$$
,
, .
. z
. ,
, , r s0,s1,...,sr-1
r
p, Wi = Wi - 1 = . . . = W i + 2- 2 r = (0, ... ,0), pd
d p. d z
, , dj = zj + zj - 1 j. d
z , pz z pd,
d . , pz = 2pd,
z - .
. d
r L ,
. , d ,
.
, ,
, [330].
, r
.
d (feedback polynomial; period; L(d) for r = 1):
    x^3 + x + 1: 7, 6
    x^4 + x + 1: 15, 12
    x^5 + x^2 + 1: 31, 30
    x^6 + x + 1: 63, 48
    x^7 + x^3 + 1: 127, 126
    x^8 + x^4 + x^3 + x^2 + 1: 255, 250
    x^9 + x^4 + 1: 511, 510
    x^10 + x^3 + 1: 1023, 1007
    x^11 + x^2 + 1: 2047, 2046
L(d) for r = 2: 10, 31, 56, 127, 255, 511, 1013, 2047
L(d) for r = 3: 14, 31, 60, 120, 254, 510, 1022, 2047
8.5.2
1993 ..
[G144]. ,
2e, ,
. ,
, S- (. 8.5.3).
: ()
; ()
( ); () ;
() .
.
n -1
n -1
j =0
h (x ) = x n + j = 0 (c j + d j )x j mod 2 -
n -1
at
2/2n) f (x ) = i = 0 ci x i ai
n -1
2i(2n-1). , n
, n > 40,
.
.
dj. dj ,
, : 2e - 1(2n-1).
, dj :
, mod 4.
[68]. , ak
k 3 4/2n - 4/4n.
n (n 100).
, ci di i l, l - ,
n. , h(x) xn + g(x) deg g(x)
l. h(x)
, , [367]. , n , N = 2n - 1, ,
n
x 2 x mod( h(x ),2) . n ( GF(2))
. ( - 31, 61, 89, 107,
127.) n - , ,
n , 1/n,
.
8.5.3 ()
, 1993 .. [69]
(. 8.5.2).
[66],
.
A k- .
n (n k),
.
( n ,
.) XOR' k
S-, - k-
k- .
. k = n.
K : () ( (2n - 1)K); ()
k- ,
[66].
. n - 32 ,
.
"", .
- ,
a GF(2n),
, , [164],
as, s N = 2n - 1 [25]. s
"" . p1, p2, ... , pl N.
" " l si, 1 si <
pi, s = i ( N / pi )si mod N . n = 32
2+1, 22+1, 24+1, 28+1 216+1, si 31 . ( n = 31
, N = 2n - 1 - ,
GF(231), 0 1, .)
S-. 32- S-
, [388] (. 8.5.4). t - 256 32- , 24
"", 8- "" 0
255.
Sbox(x) = (x >> 8) XOR t[x AND 255].
>> .
- (
), 8- .
. A ,
- 1 2 [66]. , ,
.
, S,
Nr ( r ), N [66]. ( N
= 2n - 1.) , 2 A ,
- a, b, c d. 4
(Nr - (-1)r)/4, (Nr - (-1)r)/4, (Nr - (-1)r)/4 (Nr + 3(-1)r)
[66]. (, Nr (-1)r mod 4,
.) x, y, z, t. - a, b,
c, d. 4S mod N = (-1) r(3t - x - y - z). , (a, b, c, d) = (1,2,3,4),
, 6, 2.
n = 32, N = 232 - 1 3 S.
(a, b, c, d) = (1,2,4,5) ,
4S mod N 8, 4.
,
. , 5-
32 . 5
, XOR' ,
5 .
. n
, 1,...,2n-1.
q (q k), J[a] a (0 a Q)
n- . Q = 2q - 1.
u v, :
v = u + J[a] mod 2n, v < u , v 1.
Nr , 2q a
(Nr - (-1)r) / 2q; a (-1) r + (Nr - (-1)r)/ 2q
. , S, ,
(( N r - (-1) r ) / 2 q )( a = 0 J [a ]) + (-1) r J [a ] . N,
Q
, a, J[a]
N,
Q
a =0
J [a ] 0 mod N .
, . a 0 Q - 1
"" sia, 1 sia < pi, J [ a ] = i( N / pi ) sia mod N .
Q -1
, si, Q - 1, pi; ,
J[Q] siQ = pi - xi.
8.5.4 WAKE
WAKE 1993
[388]. WAKE -
Word Auto Key Encryption ( "
"). 32-
:
.
WAKE - .
32- S-
256 32- . S- :
,
- .
S- Si.
( ) 4 : a0, b0, c0, d0.
Ki 32- D:
Ki = di .
Ti XOR Ki
Pi. :
a_{i+1} = M(a_i, P_i ⊕ d_i)
b_{i+1} = M(b_i, a_{i+1})
c_{i+1} = M(c_i, b_{i+1})
d_{i+1} = M(d_i, c_{i+1})
where M is built from the S-box:
M(x, y) = ((x + y) >> 8) ⊕ S[(x + y) mod 256].
Here >> is a shift (not a rotation) to the right by 8 bits, and the low 8 bits of (x + y) select the S-box entry.
, WAKE - .
. ,
. WAKE,
Dr. Solomon's Anti-Virus [346].
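The WAKE feedback structure of this section written out for 32-bit words, as an added Python example that is not part of the original text or of WAKE's published code. The table S here is a constructed stand-in whose 256 high bytes form a permutation of 0..255 (the property that makes M(·, y) a bijection); the key-dependent table construction of the real cipher is not shown, and the key words and plaintext are constructed samples.

```python
from typing import List, Tuple

MASK = 0xFFFFFFFF


def make_sbox(seed: int = 0x9E3779B9) -> List[int]:
    """Constructed stand-in for the WAKE table (hypothetical, not WAKE's own):
    256 words whose high bytes are a permutation of 0..255."""
    perm = [(97 * i + 31) % 256 for i in range(256)]         # 97 is odd: a permutation
    low24 = [(seed * (i + 1) * 2654435761) & 0xFFFFFF for i in range(256)]
    return [(perm[i] << 24) | low24[i] for i in range(256)]


def M(x: int, y: int, sbox: List[int]) -> int:
    """The page's mixing function: shift x+y right by 8 bits (no rotation) and
    XOR the S-box entry selected by the low byte of x+y."""
    s = (x + y) & MASK
    return (s >> 8) ^ sbox[s & 0xFF]


def _advance(a, b, c, d, cw, sbox):
    """Chain the four state words on the ciphertext word cw = P_i XOR d_i."""
    a = M(a, cw, sbox)
    b = M(b, a, sbox)
    c = M(c, b, sbox)
    d = M(d, c, sbox)
    return a, b, c, d


def wake_encrypt(plain: List[int], key4: Tuple[int, int, int, int],
                 sbox: List[int]) -> List[int]:
    a, b, c, d = key4
    out = []
    for p in plain:
        cw = p ^ d                         # keystream word K_i = d_i
        out.append(cw)
        a, b, c, d = _advance(a, b, c, d, cw, sbox)
    return out


def wake_decrypt(cipher: List[int], key4: Tuple[int, int, int, int],
                 sbox: List[int]) -> List[int]:
    a, b, c, d = key4
    out = []
    for cw in cipher:
        out.append(cw ^ d)
        a, b, c, d = _advance(a, b, c, d, cw, sbox)   # same chain, driven by cw
    return out


def high_bytes_are_permutation(sbox: List[int]) -> bool:
    """The property the table must have: for fixed y, M(x, y) is then injective,
    since the top byte of M comes only from S and the other 24 bits from (x+y)>>8."""
    return sorted(w >> 24 for w in sbox) == list(range(256))


if __name__ == "__main__":
    S = make_sbox()
    key = (0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x0BADF00D)      # constructed
    msg = [0x48656C6C, 0x6F2C2057, 0x414B4521, 0x00000000, 0xFFFFFFFF]
    ct = wake_encrypt(msg, key, S)
    print([hex(w) for w in ct], wake_decrypt(ct, key, S) == msg)
```

Because the state is chained on ciphertext words, the receiver only needs the same four key words and table; a corrupted ciphertext word, however, disturbs a_i and therefore every later keystream word.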
8.5.5 PIKE
1994 [14],
FISH, - (. 6.3.2).
- FISH
- PIKE,
, A5 (. 8.2).
PIKE - (
, . 8.1.10):
$a_i = a_{i-55} + a_{i-24} \pmod{2^{32}}$
$a_i = a_{i-57} + a_{i-7} \pmod{2^{32}}$
$a_i = a_{i-58} + a_{i-19} \pmod{2^{32}}$
, FISH
, ,
.
. , .
, , .
,
.
XOR
. , FISH,
3, 2.75
.
,
, 232
. , ,
SHA (. 8.4.3) , 700
.
8.5.6 GOAL
1994 ,
,
- GOAL (, Goli's
Algorithm) [145]. GOAL
.
.
f n 100 W = w + 1 5.
"" , ,
.
mod 232 , w .
. 32-
, .
16- ,
mod 2 16-
.
16
15 , .
16 ,
1615 , - mod 2
. ,
"" 2-16, .
[149].
1- . 16 15-
.
, .
"1-2 " mod
2 16 ,
.
1, , ,
16- .
,
. 32
3 .
.
- . . .
,
,
, n, .
2n+5
, 216n. , ,
232n, . [135].
(. 9.4).
, mod 2
,
f(x32)
, ,
. ,
mod 232 ,
mod 232 - mod 2,
32- 16-,
.
"--" ,
, .
, ,
. , , 1615
,
.
8.5.7 ORYX
ORYX ,
.
A5, ,
INTERNET [378].
. : 32 , A, B K; S-,
L 0 255 .
, 96 .
,
, .
,
. ,
, 96
.
ORYX ,
XOR .
.
1. K .
2. A ,
, K.
3. B ,
K.
4. A, B K
:
keystream byte = (High8(K) + L[High8(A)] + L[High8(B)]) mod 256,
High8 - 8 , L - S.
. 1997 (
, ),
( " "
Counterpane Systems) ( Counterpane
Systems) INTERNET [378],
ORYX. , ,
24 216 ( ).
.
"--",
. ,
8 A, B K. ,
K A , , B
.
: 24
. 8 ,
() 24 .
, 29/32 .
, ,
K, A B, .
, ,
. 8
, . ,
8 A B 8 K.
24
.
, , ,
ORYX - , ,
. ,
, .
8.5.8 ISAAC
ISAAC ORYX,
. ISAAC -
,
1993-1996 .
RC4 RSA (. 8.3),
, RC4 ORYX,
.
ISAAC,
RC4,
( , 28295 ..)
, .
- "ISAAC" 1996
-
[179]. -
.
IA. , IA (Indirection, Addition - ,
) , :
, .
.
typedef unsigned int u4;      /* unsigned four bytes, 32 bits */
#define ALPHA    (8)
#define SIZE     (1<<ALPHA)
#define ind(x)   ((x)&(SIZE-1))

static void ia(m,r,bb)
u4 *m;     /* Memory: array of SIZE ALPHA-bit terms */
u4 *r;     /* Results: the sequence, same size as m */
u4 *bb;    /* Accumulator: the previous result */
{
  register u4 b,x,y,i;
  b = *bb;
  for (i=0; i<SIZE; ++i)
  {
    x = m[i];
    m[i] = y = m[ind(x)] + b;           /* set m */
    r[i] = b = m[ind(y>>ALPHA)] + x;    /* set r */
  }
  *bb = b;
}
RC4, IA m 256 .
RC4, m 2ALPHA .
RC4, IA . RC4, , IA - ,
. RC4, IA m,
,
.
IBAA. IA IBAA (Indirection, Barrelshift, Add and
Accumulate - , , ).
-
.
, IBAA ( ISAAC) r[]
m[].
IBAA .
/*
   ^ is XOR, & is AND, a<<b shifts a left by b bits.
   barrel(a) rotates a to the left by 19 bits,
   ind(x) is (x AND 255), i.e. (x mod 256)
*/
typedef unsigned int u4;      /* unsigned four bytes, 32 bits */
#define ALPHA      (8)
#define SIZE       (1<<ALPHA)
#define ind(x)     ((x)&(SIZE-1))
#define barrel(a)  (((a)<<19)|((a)>>13))   /* 32-bit rotation by 19 */

static void ibaa(m,r,aa,bb)
u4 *m;     /* Memory: array of SIZE ALPHA-bit terms */
u4 *r;     /* Results: the sequence, same size as m */
u4 *aa;    /* Accumulator: a single value */
u4 *bb;    /* the previous result */
{
  register u4 a,b,x,y,i;
  a = *aa; b = *bb;
  for (i=0; i<SIZE; ++i)
  {
    x = m[i];
    a = barrel(a) + m[ind(i+(SIZE/2))];   /* set a */
    m[i] = y = m[ind(x)] + a + b;         /* set m */
    r[i] = b = m[ind(y>>ALPHA)] + x;      /* set r */
  }
  *bb = b; *aa = a;
}
IBAA a. ,
a - m[ind(i+(SIZE/2))]. barrel(a) - a,
. ,
m[ind(x)] m[ind(y>gtALPHA)].
ISAAC. IBAA ISAAC
(Indirection, Shift, Accumulate, Add and Count - , , ,
): , ;
;
. .
ISAAC .
/* & is AND, ^ is XOR, a<<b shifts a left by b bits
 * ind(mm,x) uses bits 2..9 of x, i.e. (floor(x/4) mod 256)*4
 * in rngstep, barrel(a) is replaced by a^(a<<13) and the like
 */
typedef unsigned int u4;      /* unsigned four bytes, 32 bits */
typedef unsigned char u1;     /* unsigned one byte, 8 bits */
#define ind(mm,x)  (*(u4 *)((u1 *)(mm) + ((x) & (255<<2))))
#define rngstep(mix,a,b,mm,m,m2,r,x) \
{ \
  x = *m;  \
  a = (a^(mix)) + *(m2++); \
  *(m++) = y = ind(mm,x) + a + b; \
  *(r++) = b = ind(mm,y>>8) + x; \
}

static void isaac(mm,rr,aa,bb,cc)
u4 *mm;    /* Memory: array of SIZE ALPHA-bit terms */
u4 *rr;    /* Results: the sequence, same size as m */
u4 *aa;    /* Accumulator: a single value */
u4 *bb;    /* the previous result */
u4 *cc;    /* Counter: one ALPHA-bit value */
{
  register u4 a,b,x,y,*m,*m2,*r,*mend;
  m=mm; r=rr;
  a = *aa; b = *bb + (++*cc);
  for (m = mm, mend = m2 = m+128; m<mend; )
  {
    rngstep( a<<13, a, b, mm, m, m2, r, x);
    rngstep( a>>6 , a, b, mm, m, m2, r, x);
    rngstep( a<<2 , a, b, mm, m, m2, r, x);
    rngstep( a>>16, a, b, mm, m, m2, r, x);
  }
  for (m2 = mm; m2<mend; )
  {
    rngstep( a<<13, a, b, mm, m, m2, r, x);
    rngstep( a>>6 , a, b, mm, m, m2, r, x);
    rngstep( a<<2 , a, b, mm, m, m2, r, x);
    rngstep( a>>16, a, b, mm, m, m2, r, x);
  }
  *bb = b; *aa = a;
}
IBAA ISAAC .
rngstep(). rngstep() - IBAA,
.
*m++. m[i] *m++, r[i] *r++, m[i(SIZE/2)] *m2++
.
a^(mix). IBAA 4 :
a^(a<lt13), a^(a>gt6), a^(a<lt2) a^(a>gt16).
cc. , 240.
.
ind(x). ISAAC - 2..9 x 10..17 y ( IBAA 0..7 8..15).
, , .
, ISAAC 18.75
32- .
8.5.9 Chameleon -
1997
[15],
- ,
.
"" ,
.
?
.
, ,
,
.
, ,
.
" -",
. ""
.
.
.
A. 216 64-
- 512 - B.
, 64- , 64-
B,
XOR . ,
XOR' (
XOR' ).
B 4
512 KB .
, . , ,
16- , , (
) .
8.6
(. 0.3.2),
, - , ,
,
. ,
,
. ,
,
, Eurocrypt '91 [248].
1992 ICCS/ISITA '92
. , . . ,
[87]. - - 1995
[90],
.
.
8.6.1
nm ( ) k.
,
, nm
fc. ,
.
.
.
:
$$(k, IV) = J(K, Q), \qquad c_{-n_m+1} \dots c_0 = IV, \qquad z_t = f_c[k]\bigl(c_{t-n_m} \dots c_{t-1}\bigr).$$
J - , K
Q - k
IV.
,
. K
IV
.
, nm
. ns ,
nm
nmns .
,
, (nmns)-1.
,
. (
, , ns = 1) ,
.
.
8.6.2
[248]
-.
-, .
.
,
[248]. [90] " Y".
: 3-
g[k].
:
.
.
.
192 4 - .
s[k]. ,
g[k]. - k
256 8 , g[k].
,
, .
-
,
.
. , , ,
.
-
, ,
.
(. 9)
[90], .
8.6.3
-
().
- "G",
.
. -
() ,
.
q ( j)
t+1
q(j) q(j - 1)
,
. , R, ,
.
. : c - nm - t
t
q ( nm ) . , "" ,
1 .
, " ". 2-15 R,
,
, , .
96 .
: 2- j = 89,
93, 95 96, 128 .
k , , 96 : k0, ... , k95.
, ,
G[k]i(j)(q,c) = qi(j-1) + kj-1 + (qi(v))( qi(w) + 1) + 1,
0 v, w < j - 1. ,
, .
, 2 EXOR .
15 Gi(96) ,
G[k]i(96)(q,c) = qi(95) ( q0(95 - i) + 1) + (qi(94))( qi(94 - i) + 1).
, Y,
.
G. - ,
G, 7 . <i>
, a<i>. a<0> q 128.
<1> <7> , 0. a<1>
a<5> 53. , ,
>
< 0>
< 0>
< 0>
< 0>
G 4<i1mod
53 = a 128 - i + a i + 18 + a 113- i (a i + 1 + 1) + 1,
0 i < 53. 2 5
-1>
< j - 1>
G4<i jmod
+ a i<+j3-1> + a i<+j1-1> (a i<+j2-1> + 1) + 1,
53 = a i
() 2 EXOR ,
, .
,
d. .
1
G . ,
. 2 EXOR ,
100 /.
9.
,
1990-
.
, 2,
- 1 .
[93] ,
" "
. ,
230 ,
- . ,
(, A5, ..).
.
.
, -
. , x31 + x28 + 1
1 . ,
[8].
,
1,
.
, 1- 18- 1,
b1, ... , b18. b32 = b1 + b4, b33 = b2 + b5,
b46 = b15 + b18. b63 = b32 + b35,
. 18
18 + 15 + 12 + 9 + 6 + 3 64 , 13 + 10
+ 7 + 4 + 1 36 . , 24
109 71 . ,
- 18 24 , .
, 221 .
,
, .
,
2n/2, n - . , ,
.
9.2
,
, -
.
. 1993 . , .
. ,
[89].
9.2.1
,
,
. ,
- .
,
.
,
.
. ,
,
. ()
.
, .
. .
,
.
- ,
.
,
. ,
() ,
.
,
.
.
( ) -
, .
( )
(, ).
,
, . ,
,
.
zi
() .
,
st+1 = Fs(st,p)
zt = f0(st,p),
st - t, p - ,
.
v
p.
st+1 = Fs(st,p,e),
e - , h .
. v h e-, .
e- .
() , p,
. K.
v p K
Fk():
(v, p) = Fk(K).
v p
, r
Fr():
(vi, pi) = Fr(K, r).
p r.
, r
. r
, ,
.
(, m) ""
.
.
m : z = zm zm + 1 zm + 2... .
() Fr() m.
, "
", 3 : ,
Fr() , l.
,
.
"" -.
vi ( p),
, .
( )
.
. ,
i-
(vi , pi ) = Fr ( K , ri ) zi : zim zim +1 zim + 2 ... .
,
, l .
. ,
-
.
9.2.2
, "-" (. 4.1).
Z2
.
. , .
" " i-
:
si0 = AK Ri
sit +1 = Fsit
A F - . , n.
, F - ( ).
Ri - , ri.
s tp t.
s 0p si0 .
, - zi.
s 0p = F - t s tp
si0 = s 0p Ri R p
mod 2 sit s tj
- .
. ,
u, j . u
s.
uit = Gsit .
.
, utp
t. j stp . stp
s 0p F t s 0p = stp , j s 0p .
m u tp , mj (
) s 0p . n
, s 0p . ,
u
n
j
t
p
, .
u tp t. ( t
.) , zp.
up f0(up) = zp.
, zi . f0(ui) = zi ui = up G(Ri
Rp). ,
f0(up GFt(Ri Rp)) = zi
zi, .
j . j,
1. j ,
u.
2j f0().
, ,
j. j jn
.
j 2
n
f0()
- .
. ,
.
,
. ,
,
f0().
9.2.3 -
- [180] (. 8.1.3):
. b
2b . a0a1...ab,
b
d 0d 1 ... d 2 -1 , z,
z = da, a =
a 2
i
a - ab - 1 ... a1a0 . up
ap dp . ui uj i,j , ai aj , di
dj. , zp zi , ap ai = 0. zp = zi ,
a
a
ap ( ai) d, d p p d i p = 0 . zp zi ,
.
ap .
ze , zf , ae ap = 0. ap
b ( ). ap ,
2b - b
dp ,
z gi , a gi = ap i 0 i < 2b.
u b + 2b
. jn , j = b + 2b.
j j
n
. ,
.
a. , ,
2b.
,
[111]. 256
b =5. [88]
,
.
9.3
1980-90-
DES- [30]. 1993
,
[107]. ,
:
,
, N.
9.3.1
N ().
(S)N N, "+" -
(G,+), f(x) - ZN G.
.
s N. ZN
f(i) = si, i ZN .
, , ,
.
.
9.3.2
, f(x), N
ht = h0 h1 ... ht - 1 ,
, h0.
C(f)i = {x : x ZN, f(x) = i } i = 0,1.
.
1. (i, j; w) c (i, j) GG w ZN ,
d f (i, j; w) = |C(f)i (C(f)j - w)|
(1)
, ,
(2)
2. ht
i * *...* j w + 1 .
i k'- ,
k D f (i, j; w) - k'.
d f (i, j; w) , k .
(i', j'; w') D f (i', j'; w') - k''.
k (D f (i, j; w) - k') (D f (i', j'; w') - k'').
, ,
k, .
? 1
d f (i, j; w) , w ZN
C(f)j C(f)i ,
w = xj - xi ,
xj C(f)j , xi C(f)i .
(1) (2) .
:
w w ,
Ci Cj, .
9.3.3
,
. ,
.
f(x).
. n = log2N,
I(k; h0 = 0) = n - log2 |C(f)0| ,
I(k; h0 = 1) = n - log2 |C(f)1| .
, |C(f)0| + |C(f)1| = N,
2 n - I ( k ;h0 = 0) + 2 n- I ( k ;h0 =1) = N .
,
, .
,
, .
hi hj ( ) (hi, hj, |i - j|)
" ". , , , , (i, j; w),
.
, ,
I(k;(i, j; w)) (i, j; w) Z2 Z2 ZN,
:
I = n - log2 df(i, j; w) = n - log2 |C(f)i (C(f)j - w)|
.
,
.
1. :
(i, j; w) =| C ( f ) i |, i Z 2 , w Z N ;
(i, j; w) =| C ( f ) j |, j Z 2 , w Z N ;
f
(i , j )Z 2 Z 2
(i, j; w) = N , w Z N .
2. :
n - I ( k ;( i , j ; w ))
=| C ( f ) i |, i Z 2 , w Z N ;
n - I ( k ;( i , j ; w ))
=| C ( f ) j |, j Z 2 , w Z N ;
n - I ( k ;( i , j ; w ))
= N , w ZN ;
n - I ( k ;( i , j ; w ))
( i , j ) Z2 Z 2
= N 2.
(i , j ; w)
G. ,
.
, .
9.4
1994 ,
[145].
[144]. ,
,
, ,
. [144]
,
() [141] (. 7.3).
,
. ,
.
.
,
.
9.4.1
St+1 = F(St), t 0
yt = f(St), t 0,
F : GF(2)M GF(2)M - ,
f : GF(2)M GF(2) - , St = (s1t, . . . , sMt) -
t, M - , yt - t, S0 =
(s1,0, . . . , sM,0) - .
, ,
.
F f -
, yt = f(F t (S0)), F t t-
F, F 0 - , t 0. S0
,
.
F f, , ,
yt S0. , ,
F f . , M+1
(yt, . . . , yt - M) S0
t M, S0 M. ,
L(yt, ... , yt - M), S0
t M. ,
St t 0,
S0.
L(yt, ... , yt - M), St - M, t M,
, yt.
. ,
,
M
.
,
M
yt = a i yt -i + et , t M .
i =1
,
M+1 ,
2M M .
O(22M), M
.
[141], 7.3.3.
.
9.4.2
: (. 6.4),
(. 7.3). [145]
: - (. 8.1.8),
(. 6.3.1), (.
6.2.1 8.5.3), (.
8.5.2).
9.5 :
-
,
,
.
. 1996
. . [95]
.
- ,
.
- ()
(). ,
.
,
.
(
), .
, ,
"".
, ,
.
9.5.1
- ,
1983 , [186].
. ,
. " "
.
. ,
,
.
,
E1 E2:
- DE
P( E ) = e kT ,
DE = E2 - E1, k - T - .
-
(. [264]).
1, DE 0
P( E ) = -TDE
e , DE < 0.
? ,
( ) . ,
,
( ) ,
.
. "
", .
, DE > 0.
. ,
. - , ,
,
,
.
, ,
. ,
.
.
- , ""
( ).
.
- " " ( . ).
, ,
, .
,
.
- ,
.
.
1.
2.
3.
4.
(, ).
.
T = T(0).
T :
- . ,
.
- .
-
.
- ,
.
- ,
.
5. , ,
4.
. , .
1. .
, .
2. , .
, .
()
T(k+1) = a T(k) = ak T(0) , 0 < a < 1.
a 0.9, 0.99.
() : K .
T(k+1) =
K-k
T(0) , k = 1, 2, ... ,K.
K
3. , ,
. .
K ( , K ).
, ,
( 0).
9.5.2 ,
,
, 3 ,
[363] (. 4.3.1).
.
, .
.
,
.
, ,
,
-. ,
, .
-,
. , ""
.
1. .
.
, .
.
.
.
,
. , -
, ,
0.5,
.
2. .
-
pi 1 - pi , .
. ,
( 10 10 000).
3.
.
,
. , ,
.
.
,
.
9.5.2
, ,
, .
,
. , ,
. ,
,
, " "
.
, ,
. ,
(
, ,
).
, "" .
,
" " ( " " -
). "" .
.
.
, , ,
.
.
-
.
" ", , .
. .
, ,
. ,
.
,
.
" ". ,
, ,
,
.
,
,
.
.
. ,
, -
. , ,
.
-
, . ,
.
, ,
.
9.6
1996 Vodafone (
Racal Comsec Ltd.)
[17] ( ""
).
.
.
.
S0 S1 ... Si ...
k0
k1
... ki
...
, -
, i- i- .
S0.
S - , n =
log2(|S|), 2n.
.
n
,
2n. .
. ,
. 2m + n - 1,
M = 2m
n-
.
, R = 2r
, n -.
2m n-
2r n- ,
.
, ,
,
. ,
m + r n.
,
, 2n .
;
,
,
.
. ,
ks + 1 ... ks + M + n - 1. M = 2m n-
:
k s +1
k
s+ 2
M
k s+ M
L
L
O
L
k s+ n
k s+ n + 1
M
k s + M + n -1
(,
); (n + m)2m
(n + m2)2m.
S ,
n- S,
.
,
m2. , 2n - m
, .
m = n/2, ,
2 n / 2 = | S | , n 2 2 n/ 2 | S | n 2 n / 2 | S | .
.
- ,
.
R = 2r S1 ... SR
n- -:
S1 : k 1,1
k
S2 : 2 ,1
M M
S R : k R,1
L
L
O
L
k 1,n
k 2 ,n
M
k R ,n
(,
); (n + r)2r (n + r2)2r.
, n-
.
r2, , 2n - r ,
.
r = n/2, ,
2 n / 2 = | S | , n 2 2 n/ 2 | S | n 2 n / 2 | S | . r
> n/2, ,
> n2n/2 > n22n/2,
< 2n/2 < n22n/2 ,
.
. ,
,
(, ).
(, XOR 8
).
.
. . [109]
, ,
, n/2
. ,
,
: (
), , ""
( ); ,
(
).
. ,
, , ,
.
, .
, :
i 2i .
9.7
1996
[194], ,
, .
,
, ,
" ".
9.7.1
, -
. ,
, -
, - ,
. - ,
,
. ""
.
,
. ,
,
,
.
, ,
,
. , ,
- (. 3.2.2), n 2n
.
(., , [74] [166] [184] [334] [335]),
( , [189] [193]). "
,
?", .
[394] .-.
[39] (. 10). .
, -
, .
,
. -,
( "
"). , ,
( )
. -, , ,
- . ,
,
.
.
9.7.2
-
(), .
n F: {0,1} n {0,1}n,
. n- x = (x0, ... , xn-1).
x x0, - F(x).
, x
. F
, F.
. ,
,
. ,
( ) , , 1.
.
, .
F - ,
F. Fn F n.
B - , ,
F- B, lF(B), - n , B
Fn.
,
. d(n) - F F.
, F - , d(n) O(log(n)). , (
) F - .
, , .
- , ,
B, F,
B.
T F - ,
b0, ..., bk-1,
1. T , F F;
2. n - F, T n- a , k
F a - b0, ..., bk-1.
B
, . T , :
1. ;
2. p(n) , n = lF(B), b0, ..., bk-1 k p(n), T
F F n , B.
F , F . , ,
, . ,
(. 3.2) (. 7.4).
,
, ()
; ()
.
B = B1, B2, ... -
, pB(n) - Bn. LF,B(n) = lF(Bn). B
F-,
1. F - ;
2. k > 0
LF,B(n) = W(log(pB(n))k).
n
F , Bn. - ,
B ,
1. B F- ;
2. F ,
B,
.
.
f(n) - . , f(n) - ,
d > 0, f(n) O(2n/d). , f(n) - , d > 0,
f(n) W(nk).
, ,
, .
,
, .
, .
9.7.3
, ,
.
1. h(n) - .
F ,
F ' F F
S,
lF ' (S) h(lF(S)).
. T FT ,
T. F1, F2, ... -
, FT .
T 1, T 2, ... .
F , "" .
i - 1 F ki - 1 ,
F1, ... , F i - 1. , i.
p(n) - , B, Ti
, B p(lFi(B)) B.
p(n) = nd . r , ,
, F , ,
k r
2. h(n) - .
B = B1,B2,...
,
) B F,
, Bm ,
log Bm ;
) F ' , m ,
LF ',B(m) h(log(period(Bm))).
, h ,
, 9.7.2.
2 ,
1. .
, i
Fi , Bi ( Bi) . ,
.
2 , h
, .
3. h(n) = 2n/d - , B = B1,B2,... -
.
F
, i
lF(Bi) h(log(period(Bi))).
,
.
,
.
9.7.4
.
, .
F ,
- F-,
.
, , (
"") .
, - 2-
,
. , -. ,
F, lF(B)
F, B. , F
. 1 2 ,
.
, -
.
,
. ,
.
. ,
.
10.
10
10.0
-
, ,
[82]. ,
. ,
. ,
,
...
.
[394]. .
,
: .
, ,
"" ,
"" .
,
,
-
"" [40] [39] [ 357].
10.1.
,
.
, ,
. ,
[249]
. ,
,
(. 3.1.2.6).
Omnisec AG
,
.
, ,
[201],
. - ,
,
.
, -,
,
[322].
:
"
- " [27]
-
. [62] [63] [230].
50 ,
, "c ,
" [360].
, - ,
W(n)
W() (. 1).
80-
" ", 10.2
. - ,
1985 . . [235]. K . ""
, (
) 2K ,
. ,
, -
... . ,
, ,
,
.
, W()
" ", ,
" ". , Eurocrypt '90 [247]
, R,
, ,
[241].
10
,
" ". 10.3
" ",
.
- ,
: , , ..
10.4,
- 1995 POTP (Power One Time Pad).
,
, .
10.1
[339].
-
. ,
, .
(
/ )
.
-
, , .
,
. ,
. - (1)
, (2)
.
, (1) , (2)
.
, ,
.
"" , [39],
[40], - (RSA) [5] [265].
.
,
, " ", ,
"". ( )
, ,
"" ( ) , ""
.
, ,
.
10.1.1
G - {Gn: n 1}
Gn. Gn: {0, 1}n {0, 1}l
xn n zl l(n) , l n. zl = Gn(xn) ,
Gn xn.
mR,l l , mR,l(sl) = 2-l . , mG,l(n)
zl, Gn
( , mR,n).
zl
G ( "G C"),
P(n) , n
Pr(Cn(zi) = zi+1)
1
1
+
2 P ( n)
zl mG,l(n).
, G C, , , n
P(n)
Pr(Cn(zi) = zi+1) <
1
1
+
.
2 P ( n)
, , G , C,
, , n , P(n) i < l(n)
1
1
+
.
2 P ( n)
.
, ,
,
- . ,
, .
.
,
.
[394].
T = {Tn: n 1} -
Tn l(n)
. , T
G, , 1
rl, mR,l, ""
, 1 zl,
mG,l(n). ,
, T G, P(n) ,
n
| pnT ,G - pnT , R |
1
,
P ( n)
pnT ,G , pnT , R , T 1
, mG,l(n) mR,l.
, G T,
P(n) , , n
| p nT ,G - p nT , R | <
1
.
P(n)
[394] .
, .
: G C
, T.
: G ,
T .
, ( ) ,
,
. , ,
, .
, .
, [39]
. f = {fn : Xn Xn} -
, .
B = {Bn : Xn {0,1}} - Xn,
. x Xn
( ), fn x, zi = Bn(fni (x)) 1 i l(n).
B - f, zl
( ) , , ,
T ( , ).
:
1. - [39]
f n : Z p* x a y = a x mod p Z p*
B n : Z *p y a half p (x ) {0,1}.
2. [40]
f n : QRN x a y = x 2 mod N QRN
Bn : QRN y a lsb( x ) {0,1}.
3. RSA [5]
f n : Z N* x a y = x e mod N Z N*
Bn : Z N* y a lsb( x ) {0,1}.
""
, ,
RSA. , ""
,
. .
10.1.2
10.1.2.1
RSA
[357].
, Y
mod N
di = 1/ei mod F(N)
: Y, N
1. S = Y e2 ...el mod N E = ei; i = 2, ..., l
Zi = S
1/ ei
=Y
e1ei
mod N
.
2. Cn N, S, Z2, . . . , Zl Z1.
3. -
E
E
E
E
, . . . , = a1 + . . . + a l
=1
el
e1
el
e1
4. Z i = X E / ei mod N
Z 1a1 Z 2a 2 ... Z la l = ( X E / e1 ) a1 ( X E / e2 ) a 2 ... ( X E / el ) a l = X
: X = Y 1/ e1 mod N
Cn d(n) n, An,
S = Y E / e1 mod N - . ,
RSA. RSA- ,
. , RSA
,
,
. [39] ,
, . ,
.
, N 2n+k, Zi
1 k/N 0 2n/N.
10.1.2.2 -
p a
Z *p - mod p. y Z *p ,
a indexp,a(y), 0 x p - 2
, y = ax mod p. p, a , y
indexp,a(y). ,
. y QRp, y p, indexp,a(y) = 2t t < (p - 1)/2.
y QRp - at mod p,
, at + (p - 1)/2 mod p, .
p a x Z *p
, indexp,a(x) < (p - 1)/2. [39] ,
,
p a,
.
p -1
x
<
2
half p ( x ) =
p -1
0 x
.
2
- [39]:
: : (p, a)
: x1 Z *p
i = 1, 2, ... l
a. zi = halfp(xi)
b. xi+1 a xi mod p
: zi
" "
mod p. [39] .
: ,
p, a y = ax halfp(x) 1/P'(n)
p n 1/2 + 1/P(n), ,
Q(n), , p, a y
indexp,a(y) 1/P'(n) p
n 1 - 1/Q(n).
, z1, . . . , zl z0
1 - 1/e(n), halfp(x) p, a y = ax
. y
z1, . . . , zl;
z0, halfp(x) 1 - 1/e(n).
,
1/2 + 1/P(n) ,
. ,
"" ,
[39] [203]:
: P P',
C, ( ) n 1,
p n, C
1 - 1/P(n), 1/P'(n).
,
(). , [394] ,
, , , "".
-
, [39]. [183] [222],
log log p .
,
log log p .
10.1.2.3 RSA
RSA- [5] - ,
[39], f(x) = xe mod N , B(x) =
lsb(x) ( x) -
f. e 3. N - |n|,
p q , (e,F(N)) = 1. RSA
(N, e, x).
RSA:
: : (N, e).
: x Z N*
1. x0 x
2. i = 1, 2, ... l
a. xi xei-1 mod N
b. zi lsb(xi)
: zi , i = 1, 2, ... , l
RSA. [5]
.
: , , y = xe mod N, e N,
x TB(n)
, + e(n),
, RSA- T(n)
O(e - 8 (n) n3 TB(n)).
TB(n) - n, T(n), RSA-
. z0
z1, . . . , zl lsbN(x)
y = xe mod N. , z1, . . . , zl RSA y x1. z1, . . . , zl
b, z0 + e(n). z0
lsbN(x0), , b lsbN(x) + e(n).
e(n) = 1/P(N)
, RSA.
RSA
,
x 1/P(N). , T
, RSA-.
, RSA "".
, , xe mod N, e N,
x + e(n)
T,
:
1. [1,N];
2. xe mod N , x [1,N],
e(n). ,
, RSA,
, , RSA n, .
,
[134], , xe mod N RSA
zl,
, RSA-
"".
[5] ,
log n x.
, RSA . , ""
log n RSA-.
( log n )
- .
, ,
.
RSA- [265]: e 3 - . N
n ( ,
n/2), (e, F(N)) = 1, M, N2/e,
[1,N]
:
1. [1,N];
2. xe mod N x [1, M].
,
[134], ,
xe mod N RSA zl,
,
RSA- "".
(e - 2)/e , 2/e
.
.
10.1.2.4
N p q.
y Z N* N, y = x2 mod N
x Z N* . N QRN.
y QRN . p = q = 3 mod N,
QRN. ,
QRN ' y a
y mod N QRN.
. , N
,
.
[40]:
: : N n
: x1 QRN.
i = 1, 2, ... l
1. zi = lsb(xi)
2. xi+1 = xi2 mod N
: zi , i = 1, 2, ... , l
p = q = 3 mod 4, Z N* +1 ,
-1.
Z N* (+1) Z N* (-1). Z N* (-1) Z N* (+1)
N.
N x Z N* (+1) , x
N. ,
, - .
. [40] ,
*
x = y mod N N y Z N (+1).
[133] [40].
: ,
N y QRN x = y mod N
1/P'(n) N n 1/2 + 1/P(n),
, Q(n), ,
N x Z N* (+1)
1/P'(n) N n 1 - 1/Q(n).
, z1, . . . , zl
z0 + e(n),
x = y mod N . y
z1, . . . , zl;
z0, lsb(x) + e(n).
, 1/2 + 1/P(n) ,
. , ""
, ,
[40] [203].
: P P',
C, ( ) n 1, N n,
C 1 - 1/P(n),
1/P'(n).
,
(). , [394]
,
, , , "".
10.2
,
, ( )
. 10.1,
- ,
( ). -
, . , ,
. ,
()
. ,
, ,
, .
, ,
.
-
, ,
.
. -
, ,
.
- ,
,
, - .
,
,
.
10.2.1
[102] (. [239]):
:
: x = x1, x2, . . .
k: n-
1. 2n r1 , r2 , ... , r2 n .
2. k- rk
x.
: y = x rk r1 , r2 ,..., r2 n 2n + 1 .
.
,
,
. ,
,
. ,
, O(2n).
[339],
, 2n
n,
.
~
y (1) = xi zi
.
:
~
y ( 2)
ri 1 i k
y i( 2 ) =
k <i
z k - i
4. ~
y (1) ~
y ( 2) .
: ( y i(1) , y i( 2) ) , i = 1, 2, ...
y i(1) , y i( 2)
, r1, r2, . . . , rk
k. , ,
k , .
" " [235]
:
: , k
(
d 2- n)
E (B ) 2 n / 2 1 - 2 - n d -1 (1 + 2 - n (d - 1 - 1)) ,
B .
, ,
, :
2n/2 ,
. ,
: ,
( 2n )
, . :
" ,
, - ,
". .
10.2.3
, " ",
[247] , ,
(
) 1 ,
( ).
-
(
).
:
1.
S
1 i N
s= 1
2.
yN = xN zN
: yN.
, ,
,
. V,
P(XN,V),
.
( )
Ai = (Bi,Ci) . Oi = R[Bi,Ci] -
Ai i- . ,
i- , - YN , Oi-1
Ai-1,
V. ,
N
i-1
i-1
P(Ai |Y V A O ), i 1. [247] :
: E ,
P(XN,V) OM AM
R
I(XN; YN AM OM | V, E) = 0 P(E) 1 - NdS
d = M/ST - .
, E ,
(YN, AM, OM )
XN , , . ,
- , ,
E . P(E) < NdS.
,
,
.
[241],
- ,
" "
("
,
"). () ,
, ,
1.
10.3
"". ,
, - ":
" [132]
[317] [21];
[279];
[312]; - [300].
,
(
). ,
,
, :
xn + 1 = A xn(1 - xn), 0 < xn < 1.
,
. ,
A
, .
,
. , [225]
,
:
g(x) = ((B + 1)(1 +
1 B
) )( x(1 - x) B), 1 B 4, 0 < x < 1.
B
:
.
.
, ,
. ,
,
. -
, .
"" ,
[386] [387].
:
.
,
[273].
.
, ,
. ,
, ,
[318]. ,
, ""
.
10.4 POTP
c Power One Time Pad,
" ",
1995 .
- [393],
- ELEMENTRIX TECHNOLOGIES LTD.,
.
, ,
, .
POTP
,
, , , .
Internet: Web- Elementrix
(http://www.elementrix.co.il)
Sci.crypt [252].
, POTP - "
;
,
, , ,
" [393].
( -
)
[308]. " Elementrix
,
-
," - . "Elementrix
.
," - -,
. "
",
: "POTP
.
, .
, Internet
".
, " "
. ,
. , Elementrix,
[252].
POTP - ,
,
. ,
K0 ( )
1024 , Si ""
Ci 832 . i- :
Ki = f(Ki-1, Ci-1)
Si = H(Ki-1)
Ci = Pi XOR Si ,
Ki - i, Si - i- , Ci Pi -
( 832 ), . f H
, , H - -, 1024
832 , f - -, 1856 1024 .
- .
" " , " ".
, :
. -
. (
), 24 .
,
...
,
. ,
, ,
, .
- Elementrix ,
, " "
POTP -.
, 1997 WWW- Elementrix,
, .
Web- POTP...
Elementrix Technologies Ltd .
.
. ,
World Wide Web -
.
, . ,
, - .
I.
,
, -
.
, ,
, ,
, [306].
" ",
,
. SEAL,
IBM. ,
, ,
,
. ( -
"
" A5 ORYX.)
: ,
, ,
. (
, 1990-
, ).
,
. ,
,
, ,
. , ,
,
.
[306].
: SEAL , RC4
, , GOAL (
).
II.
.
,
. ?
-
, ,
.
, : -
, ,
.. ,
.
,
,
RISC-.
, [10].
III.
. , ,
,
. ,
[306].
, ,
, ,
[10].
, / ,
/ /xor
.
/.
,
, . 90-
8 .
IV.
, , -,
. ,
,
[306].
.
-
.
, . ,
. P/NP-
, , ,
[306].
V.
,
,
. ,
,
[98].
,
, ,
, .
,
[339]
, , ,
, ,
[347]. ,
, , , -
. .
, .
, -
.
,
. ,
, .
. .
, ,
- . .
, .
, . ,
,
. .
, , ,
. : , ,
,
, .
- :
, .
, .
,
.
- ,
, , .
- ,
- .
-
. ,
.
-
. , ,
. , -
, /, - .
, ,
, ,
- [347].
- . ...
1. C. M. Adams and S.E. Tavares, "Generating and Counting Binary Bent Sequences",
in IEEE Trans. Inf. Theory, vol 36, no 5, 1990
2. C. M. Adams and S.E. Tavares, "The use of bent sequences to achieve higher-order
strict avalanche criterion", Technical Report, TR 90-013, Department of Electrical
Engineering, Queen's University, 1990
3. A.V. Aho, J.E. Hopcroft and J.D. Ullman. The Design and Analysis of Computer
Algorithms. Addison-Wesley Publishing Company, 1974
17 Jun
14. R. Anderson. "On Fibonacci Keystream Generators". Fast Software Encryption - Second International Workshop, Leuven, Dec. 1994, Springer-Verlag, Berlin, 1995,
pp 346-352
15. R. Anderson and C. Manifavas, "Chameleon - A New Kind of Stream Cipher", in Fast
Software Encryption - Fourth International Workshop, Haifa, Israel, Jan. 1997,
Springer-Verlag, Berlin, 1997.
16. K.B. Athreya and P.E.Ney, Branching Process. Berlin, Springer-Verlag, 1972
17. S. Babbage. "A Space/Time Trade-Off in Exhaustive Search Attacks on Stream
Ciphers", 9 April 1996, presented at the rump session of Eurocrypt 96
18. A.D. Barnard, J.R. Silvester, W.G. Chambers, "Guaranteeing the period of linear
recurring sequences (mod 2e)", IEE Proceedings-E, 140, 243-245, (Sept 1993).
19. U. Baum and S. Blackburn. Clock-controlled pseudorandom generators on finite
groups. Fast Software Encryption - Second International Workshop, Leuven,
December 1994, Springer-Verlag, Berlin, 1995
20. H. Beker and F. Piper, Cipher Systems: the Protection of Communications, London:
Northwood Books, 1982.
21. K. Beker and M. Dorfler. Dynamic systems and fractals. Cambridge University Press,
New York, 1989.
22. B. Benjauthrit and I. S. Reed, "Galois switching functions and their applications,"
IEEE Trans. Comput., vol. C-25, pp. 78-86, Jan. 1976.
23. C.H. Bennett, G. Brassard and J.M. Robert, "Privacy amplification by public
discussion", SIAM J. Computing, vol. 17, pp. 210-229, 1988
24. M. Ben-Or , Probabilistic algorithms in finite fields, Proceedings of the 22nd IEEE
Foundations of Computer Science Symposium. 1981. Pp. 394-398
25. E. R. Berlekamp, Algebraic Coding Theory, New York: McGraw-Hill, 1968.
26. J. Bernasconi and C. G. Günther, "Analysis of a nonlinear feedforward logic for
binary sequence generators," BBC Tech. Rep., 1985.
27. T. Beth and Zong-duo Dai. "On the complexity of pseudo-random sequences - or: If
you can describe a sequence it can't be random". In J.J. Quisquater and J. Vandewalle,
editors, Advances in Cryptology - Eurocrypt '89, pages 533-543, Springer-Verlag,
Berlin, 1990.
28. T. Beth and F. Piper, "The stop-and-go generator," in Lecture Notes in Computer
Science 209; Advances in Cryptology: Proc. Eurocrypt '84, T. Beth, N. Cot, and
I. Ingemarsson, Eds., Paris, France, April 9-11, 1984, pp. 88-92. Berlin: Springer-Verlag, 1985.
29. J. Bierbrauer, K. Gopalakrishnan and D.R. Stinson. "Bounds on resilient functions
and orthogonal arrays," in Advances in Cryptology: Proc. Crypto '94, 1994 vol 839,
LNCS, pp 247-256, Springer-Verlag, Berlin
30. E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard.
Springer-Verlag, New York, 1993.
31. E. Biham and P. Kocher. A known plaintext attack on the PKZIP encryption. Fast
Software Encryption - Second International Workshop, Leuven, December 1994,
Springer-Verlag, Berlin, 1995
32. S.R. Blackburn. A generalisation of the discrete Fourier transform: an algorithm to
determine the minimum polynomial of a periodic sequence. September 1993. Preprint.
33. R. E. Blahut, "Transform techniques for error-control codes," IBM J. Res. Develop.
vol. 23, pp. 299-315, 1979.
34. R.E. Blahut. Theory and Practice of Error Control Codes. Addison-Wesley, 1983.
35. R.E. Blahut. Fast Algorithms for Digital Signal Processing. Addison-Wesley, 1985.
36. A. Blake and A. Zisserman. Visual Reconstruction, MIT Press, Cambridge Mass.,
1987
37. W. Blaser and P. Heinzmann, "New cryptographic device with high security using
public key distribution," Proc. IEEE Student Paper Contest 1979-80, pp. 145-153, 1982.
38. U. Blöcher and M. Dichtl. Fish: A Fast Software Stream Cipher. In R. Anderson,
editor, Fast Software Encryption - Cambridge Security Workshop, pages 41-44,
Springer-Verlag, Berlin, 1994.
39. M. Blum and S. Micali. How to generate cryptographically strong sequences of
pseudo-random bits. SIAM Journal on Computing, 13(4):850-863, 1984.
40. L. Blum, M. Blum, and M. Shub, "A simple unpredictable pseudo-random number
generator," SIAM J. Comput., vol. 15, pp. 364-383, 1986.
41. J. Boyar (Plumstead). Inferring sequences produced by a linear congruential generator
missing low-order bits. Journal of Cryptology, 1(3):177-184, 1989.
69. W.G. Chambers, "Two Stream Ciphers", In R. Anderson, editor, Fast Software
Encryption - Cambridge Security Workshop, pages 51-55, Springer-Verlag, Berlin,
1994.
70. W.G. Chambers, "On Random Mappings and Random Permutations", Fast Software
Encryption - Second International Workshop, Leuven, December 1994, Springer-Verlag, Berlin, 1995, pp 22-28
71. A.H. Chan. On quadratic m-sequences. In R. Anderson, editor, Fast Software
Encryption - Cambridge Security Workshop, pages 166-173, Springer-Verlag, Berlin,
1994.
72. A. H. Chan and R. A. Games, "On the linear span of binary sequences obtained from
finite geometries," in Lecture Notes in Computer Science 263; Advances in
Cryptology: Proc. Crypto '86, A. M. Odlyzko, Ed., Santa Barbara, CA, Aug. 11-15,
1986, pp. 405-417. Berlin: Springer-Verlag, 1987.
73. A.H. Chan and R.A. Games. On the quadratic spans of periodic sequences. In G.
Brassard, editor, Advances in Cryptology - Crypto '89, pages 82-89, Springer-Verlag,
New York, 1990.
74. A.H. Chan and R.A. Games. "On the linear span of binary sequences from finite
geometries, q odd". IEEE Transactions on Information Theory 36, 548-552 (1990)
75. A. H. Chan, M. Goresky, and A. Klapper, "Correlation functions of geometric
sequences," Proc. Eurocrypt 90, I. Damgard, Ed., Springer Verlag .
76. D. Chaum and J. H. Evertse, "Cryptanalysis of DES with a reduced number of
rounds," in Lecture Notes in Computer Science 218; Advances in Cryptology: Proc.
Crypto '85, H. C. Williams, Ed., Santa Barbara, CA, Aug. 18-22, 1985, pp. 192-211.
Berlin: Springer-Verlag, 1986.
77. U. Cheng. Properties of Sequences. PhD thesis, University of Southern California,
1981.
78. V. Chepyzhov and B. Smeets. On a fast correlation attack on certain stream ciphers.
In D.W. Davies, editor, Advances in Cryptology - Eurocrypt '91, pages 176-185,
Springer-Verlag, Berlin, 1991.
79. B. Chor, O. Goldreich, J. Hastad, J. Friedman, S. Rudich and R. Smolensky. "The bit
extraction problem or t-resilient functions," IEEE Symposium on Foundations of
Computer Science, vol. 26, pp. 396-407, 1985.
80. G.C. Clark and J.B. Cain. Error-Correcting Coding for Digital Communications.
New York: Plenum Press, 1982
81. A. Clark, J. Golić, E. Dawson. "A Comparison of Fast Correlation Attacks". In Fast
Software Encryption - Third International Workshop, Cambridge, February 1996, pp.
145-157, Springer-Verlag, Berlin, 1996
82. D. Coppersmith, H. Krawczyk, and Y. Mansour. The shrinking generator. In D.R.
Stinson, editor, Advances in Cryptology - Crypto '93, pages 22-39, Springer-Verlag,
New York, 1994.
83. C. Coveyou and R.D. MacPherson, "Fourier Analysis of Uniform Random Number
Generators," Journal of the ACM, v. 14, n. 1, 1967, pp. 100-119.
84. Zong-duo Dai. Binary sequences derived from ML-sequences over rings. 1986.
Preprint.
85. Zong-duo Dai, "Proof of Rueppel's linear complexity conjecture," IEEE Trans.
inform. Theory, vol. 32, pp. 440-443, May 1986.
86. Zong-duo Dai and Kencheng Zeng, "Continued Fractions and the Berlekamp-Massey
Algorithm," In J. Seberry and J. Pieprzyk, editors, Advances in Cryptology - Auscrypt '90, pages 24-31, Springer Verlag, Berlin, 1990.
87. J. Daemen, R. Govaerts, and J. Vandewalle. On the Design of High Speed Self-Synchronizing Stream Ciphers. In Singapore ICSS/ISITA '92 Conference
Proceedings, IEEE 1992, pages 279-283.
88. J. Daemen, R. Govaerts, and J. Vandewalle. Cryptanalysis of MUX-LFSR based
scramblers. In State and Progress in the Research of Cryptography, 1993, pages 55-61, 1993.
89. J. Daemen, R. Govaerts, and J. Vandewalle. "Resynchronization weakness in
synchronous stream ciphers". Advances in Cryptology - Eurocrypt '93, LNCS vol
765, pages 159-167, Springer-Verlag, 1994.
90. J. Daemen. Cipher and Hash Function Design. PhD thesis, Katholieke Universiteit
Leuven, 1995.
91. D.W. Davies and W.L. Price. Security for Computer Networks: An Introduction to
Data Security in Teleprocessing and Electronic Funds Transfer. John Wiley & Sons,
New York, 1984.
92. E. Dawson and B.Goldburg, "Universal logic sequences", In J. Seberry and J.
Pieprzyk, editors, Advances in Cryptology - Auscrypt '90, pages 426-432, Springer
Verlag, Berlin, 1990.
93. E. Dawson and A.Clark, "Cryptanalysis of Universal Logic Sequences", Advances in
Cryptology - Eurocrypt '93, Springer Verlag, Berlin.
94. E. Dawson and A.Clark, "Divide and conquer attacks on certain classes of stream
ciphers", Cryptologia XVIII, N 1, 1994 pp 25-40.
95. E. Dawson and A.Clark, "Discrete Optimisation: A Powerful Tool for
Cryptanalysis?", in Proceedings of the 1st Int. Conference on the theory and
Applications of Cryptology, Pragocrypt '96, CTU Publishing House, 1996, pp 425-450
96. D. E. Denning, Cryptography and Data Security, Reading, MA: Addison-Wesley,
1983.
97. Y. Desmedt, J. J. Quisquater, and M. Davio, "Dependence of output on input of
DES: Small avalanche characteristics," in Lecture Notes in Computer Science 196;
Advances in Cryptology: Proc. Crypto '84, G. R. Blakley and D. Chaum, Eds., Santa
Barbara, CA, Aug. 19-22, 1984, pp. 359-376. Berlin: Springer-Verlag, 1985.
98. Y. G. Desmedt, "Cryptanalysis of conventional and public key cryptosystems," Proc.
SPRCI'89, Rome, Nov. 23-24, 1989.
99. L. Dickson. History of the Theory of Numbers. Chelsea Pub. Co., London, 1919.
100. W. Diffie and M. Hellman, "New directions in cryptography," IEEE Trans. Informat.
Theory, vol. IT-22, pp. 644-654, Nov. 1976.
101. W. Diffie and M. Hellman, "Privacy and authentication: An introduction to
cryptography," Proc. IEEE, vol. 67, pp. 397-427, 1979.
102. W. Diffie, Private communication with R.Rueppel, July 1984.; (in "Contemporary
Cryptology", G.Simmons, Ed. , IEEE Press, New York, p. 124, 1992)
103. J. F. Dillon, "A survey of bent functions", The NSA Technical Journal (1972), pp
191-215 (unclassified)
104. J. F. Dillon, "Elementary Hadamard difference sets", Ph.D. Thesis, University of
Maryland, 1974
105. J. F. Dillon, "Elementary Hadamard difference sets," Proc. 6th Southeastern Conf.
Combinatorics, Graph Theory, and Computing, Boca Raton, FL, pp. 237- 249, 1975;
in Congressus Numerantium No. XIV, Utilitas Math., Winnipeg, Manitoba, 1975.
106. C Ding, G Xiao, W Shan, "The Stability Theory of Stream Ciphers" , Springer LNCS
v 561 (1991)
107. C. Ding, "The Differential Cryptanalysis and Design of Natural Stream Ciphers". In
Fast Software Encryption, Cambridge Security Workshop, December 1993, pages
101-115, Springer-Verlag, Berlin, 1994
108. H. Dobbertin, "Construction of Bent Functions and Balanced Boolean Functions with
High Nonlinearity", Fast Software Encryption - Second International Workshop,
Leuven, December 1994, Springer-Verlag, Berlin, 1995, pp 61-74
109. M.W. Dodd, "Simultaneous Correlation to Many Linear Functionals: a New
Cryptanalytic Technique which Can Almost Halve the Effective Key Size of Certain
Stream Ciphers", Proc. 4th IMA Conference on Cryptography and Coding,
Cirencester, 1993, (published by the IMA, ed. P.G.Farrell, 1995).
110. R. Durbin and D.Willshaw, An analogue approach to the travelling salesman problem
using an elastic net method, Nature 326: 689-91 (1987)
111. Specification of the Systems of the MAC/Packet Family. EBU Technical Document
3258-E, October 1986.
112. H.D. Ebbinghaus et al., Numbers, Graduate Texts in Mathematics vol. 123, Springer
Verlag, N.Y., 1990.
113. E.D. Erdmann. Empirical Tests of Binary Keystreams. Master's thesis, University of
London, 1992.
114. J. H. Evertse, "Linear structures in block cyphers," in Lecture Notes in Computer
Science 304; Advances in Cryptology: Proc. Eurocrypt '87, D. Chaum and W. L.
Price, Eds., Amsterdam, The Netherlands, April 13-15, 1987, pp. 249-266. Berlin:
Springer-Verlag, 1988.
115. P. Fahn. Answers to Frequently Asked Questions About Today's Cryptography. RSA
Laboratories, September 1993. Version 2.0.
116. L. J. Folks, Combination of Independent Tests, Handbook of Statistics, 4, Elsevier,
1984, 113-121.
117. R.P.Feynman. Statistical Mechanics, W.A.Benjamin, Inc. (1972)
118. R. Forré, "The strict avalanche criterion: Spectral properties of boolean functions and
an extended definition," in Lecture Notes in Computer Science 403; Advances in
Cryptology: Proc. Crypto '88, pp. 450-468. Berlin: Springer-Verlag, 1990.
119. R. Forré, "A fast correlation attack on nonlinearly feedforward filtered shift-register
sequences," in Lecture Notes in Computer Science 434; Advances in Cryptology;
Proc. Eurocrypt '89, J.-J. Quisquater and J. Vandewalle, Eds., Houthalen, Belgium,
April 10-23, 1989, pp. 586-595. Berlin: Springer-Verlag, 1990.
120. A.M. Frieze, J. Hastad, R. Kannan, J.C. Lagarias, and A. Shamir. Reconstructing
truncated integer variables satisfying linear congruences. SIAM Journal on
Computing, 17(2):262-280, April 1988.
121. A.M. Frieze, R. Kannan, and J.C. Lagarias. Linear congruential generators do not
produce random sequences. IEEE Symposium on Foundations of Computer Science,
480-484, 1984.
122. J. Gait, "A new nonlinear pseudorandom number generator," IEEE Trans. Software
Eng., vols. S E3, no. 5, pp. 359-363, Sept. 1977.
123. R. G. Gallager, "Low-density parity-check codes," Cambridge, MA: MIT Press 1963.
124. R.A. Games. There are no de Bruijn sequences of span n with complexity 2n . Journal
of Combinatorial Theory, Series A, 34:248-251, 1983.
125. R.A. Games and A.H. Chan. A fast algorithm for determining the complexity of a
binary sequence with period 2^n. IEEE Transactions on Information Theory, IT-29:144-146, 1983.
126. R.A. Games, A.H. Chan, and E.L. Key. On the complexities of de Bruijn sequences.
Journal of Combinatorial Theory, Series A, 33:233-246, 1982.
127. M. R. Garey and D. S. Johnson, Computers and Intractability, New York: W. H.
Freeman, 1979.
128. A.H. Gee and R.W. Prager. Polyhedral combinatorics and neural networks, Neural
Computation 6: 161-180, (1994)
129. P. R. Geffe, "How to protect data with ciphers that are really hard to break,"
Electronics, Jan. 4, 1973, pp 99-101
130. D.K. Gifford, J.M. Lucassen and S.T. Berlin, "The Application of Digital Broadcast
Communication to Large Scale Information Systems", IEEE Journal on Selected
Areas in Communications, v 3, n 3, May 1985, pp. 457-467.
131. A. Gill, Linear Sequential Circuits, McGraw-Hill, New York, 1966
132. J. Gleick, Chaos: Making a New Science. Viking Penguin: New York, 1987.
133. S. Goldwasser and S. Micali, "Probabilistic encryption and how to play mental poker
keeping secret all partial information," J. Comput. Sys. Sci., vol. 28, no. 2, Apr. 1984.
134. O. Goldreich, S. Goldwasser, and S. Micali, "How to construct random functions," J.
ACM, vol. 33, no. 4, pp. 792-807, 1986.
135. J. Golić and M. V. Živković, "On the linear complexity of nonuniformly decimated
pn-sequences," IEEE Trans. inform. Theory, vol 34, pp. 1077-1079, Sept. 1988.
136. J. D. Golić, "On the linear complexity of functions of periodic GF(q)-sequences,"
IEEE Trans. Inform. Theory, vol. IT-35, pp. 69-75, Jan. 1989.
137. J. D. Golić and M.J. Mihaljević, "A noisy clock-controlled shift register cryptanalytic
concept based on sequence comparison approach," Advances in Cryptology - Eurocrypt '90, Lecture Notes in Computer Science vol. 473; I. Damgard, Ed., pp. 487-491, Springer-Verlag, 1990.
138. J. D. Golić and M.J. Mihaljević, "A generalized correlation attack on a class of stream
ciphers based on the Levenshtein distance," Journal of Cryptology, 3(3):201-212,
1991
139. J. Golić and S.V. Petrović, "A generalized correlation attack with a probabilistic
constrained edit distance," In R.A. Rueppel, ed, Advances in Cryptology - Eurocrypt
'92, Lecture Notes in Computer Science vol. 658; pages 472-476, Springer-Verlag,
Berlin, 1993.
140. J. Golić and S.V. Petrović, "Constrained edit distance for a memoryless function of
strings," invited introductory paper, Proceedings of the Second Spanish Conf.
Cryptology, Madrid, pp. 1-23, Oct. 1992.
141. J. Golić, Correlation via linear sequential circuit approximation of combiners with
memory. In R.A. Rueppel, editor, Advances in Cryptology - Eurocrypt '92, pages
113-123, Springer-Verlag, Berlin, 1993.
142. J. Golić, "On the security of shift register based keystream generators". In Fast
Software Encryption, Cambridge Security Workshop, December 1993, pages 90-100,
Springer-Verlag, Berlin, 1994
143. J. D. Golić and L. O'Connor. Embedding and probabilistic correlation attacks on
clock-controlled shift registers. In Advances in Cryptology - Eurocrypt '94, pages
230-343, Springer-Verlag, Berlin.
144. J. Golić, Intrinsic statistical weakness of keystream generators. In J. Pieprzyk and R.
Safavi-Naini, editors, Advances in Cryptology - Asiacrypt '94, pages 91-103,
Springer-Verlag, Berlin, 1995.
145. J. Golić, Linear cryptanalysis of stream ciphers. In Fast Software Encryption - Second
International Workshop, Leuven, December 1994, Springer-Verlag, Berlin, 1995
146. J. D. Golić, Towards fast correlation attacks on irregularly clocked shift registers. In
L.C. Guillou and J.J. Quisquater, editors, Advances in Cryptology - Eurocrypt '95,
pages 248-262, Springer-Verlag, Berlin, 1995.
147. J. Golić, M. Salmasizadeh, A. Clark, A. Khodkar and E. Dawson, "Discrete
Optimisation and Fast Correlation Attacks", Cryptographic Policy and Algorithms - Brisbane '95, Lecture Notes in Computer Science 1029; E. Dawson and J. Golić, Eds.,
pp. 188-202, Springer-Verlag, 1996.
148. J. Golić, "On the Security of Nonlinear Filter Generators". In Fast Software
Encryption - Third International Workshop, Cambridge, February 1996, pp. 173-188,
Springer-Verlag, Berlin, 1996
149. J. Golić, "Correlation Properties of a General Binary Combiner with Memory",
J. Cryptology (1996) 9: 111-126
150. J. Golić, "Linear models for keystream generators", IEEE Trans. Computers, vol. C-45, pp. 41-49, Jan. 1996.
151. J. D. Golić, "Linear Statistical Weakness of Alleged RC4 Keystream generator", in
Lecture Notes in Computer Science 1233; Advances in Cryptology: Proc. Eurocrypt
'97, W. Fumy, Ed., May 1997, pp. 226-238, Berlin: Springer-Verlag, 1997
152. J. D. Golić, "Cryptanalysis of Alleged A5 Stream Cipher", in Lecture Notes in
Computer Science 1233; Advances in Cryptology: Proc. Eurocrypt '97, W. Fumy,
Ed., May 1997, pp. 239-255, Berlin: Springer-Verlag, 1997
153. J. Golić, A. Clark and E. Dawson, "Generalized inversion attack on nonlinear filter
generators", submitted
154. D. Gollman, "Pseudo random properties of cascade connections of clock controlled
shift registers," in Lecture Notes in Computer Science 209; Advances in Cryptology:
Proc. Eurocrypt '84, T. Beth, N. Cot, and I. Ingemarsson, Eds., Paris, France, April
9-11, 1984, pp. 93-98. Berlin: Springer-Verlag, 1985.
155. D. Gollmann. Linear Recursions of Cascaded Sequences. Contributions to General
Algebra 3, Hoelder-Pichler-Tempsky, Wien, Teubner, Stuttgart, 1985
156. D. Gollmann. Correlation analysis of cascaded sequences. December 1986. Talk
presented at 1st IMA Conference on Cryptography and Coding.
157. D. Gollman and W. G. Chambers, "Lock-in effect in cascades of clock-controlled
shift-registers," in Lecture Notes in Computer Science 330; Advances in Cryptology:
Proc. Eurocrypt '88, C. G. Gnther, Ed., Davos, Switzerland, May 25-27, 1988, pp.
331-343. Berlin: Springer-Verlag, 1988.
158. D. Gollmann and W. G. Chambers, "Clock-controlled shift registers: A review," IEEE
J. Selected Areas Commun., vol. 7, pp. 525-533, May 1989.
159. D. Gollmann and W. G. Chambers, "A cryptanalysis of stepk,m-cascades.," Advances
in Cryptology: Proc. Eurocrypt '89,LNCS vol 434, J.-J.Quisquater, J.Vandevalle
Eds., Springer-Verlag, pages 680-687, 1990.
160. D. Gollmann, "Automata Theory and Cryptography", Proc. Cryptography and
Coding 1989, C.J.Mitchell (ed.), Oxford University Press, pp. 67-74, 1992
352
J.A. Gordon, "Very Simple Method to Find the Minimal Polynomial of an Arbitrary
Non-Zero Element of a Finite Field," Electronic Letters, v. 12, n. 25, 9 Dec 1976, pp.
663-664.
165. R. Gottfert and H. Niederreiter. A general lower bound for the linear complexity of
the product of shift-register sequences. In Advances in Cryptology - Eurocrypt '94,
Springer-Verlag, Berlin.
166. E. J. Groth, "Generation of binary sequences with controllable complexity," IEEE
Trans. Inform. Theory, vol. IT-17, no. 3, May 1971.
167. C. G. Gnther, "On some properties of the sum of two pseudorandom sequences,"
paper presented at Eurocrypt'86, Linkoping, Sweden, May 20-22, 1986.
168. C. G. Gnther, "Alternating step generators controlled by de Bruijn sequences,"
in Lecture Notes in Computer Science 304; Advances in Cryptology: Proc.
Eurocrypt' 87, D. Chaum and W. L. Price, Eds., Amsterdam, The Netherlands, April
13-15, 1987, pp. 5-14. Berlin: Springer-Verlag, 1988.
169. C. G. Gnther, "A universal algorithm for homophonic coding," in Lecture Notes in
Computer Science 330; Advances in Cryptology: Proc. Eurocrypt'88, C. G. Gnther,
Ed., Davos, Switzerland, May 25-27, 1988, pp. 405-414. Berlin: Springer-Verlag,
1988.
170. H.M.Gustafson, E.P.Dawson and J.Dj.Goli, "Randomness Measures Related to
subset occurence", in Lecture Notes in Computer Science 1029; Advances in
Cryptology: Proc. Cryptography: Policy and Algorithms, Ed Dawson, J.Golic (Eds.),
Brisbane, Queensland, Australia, July 1995, pp. 132-143. Berlin: Springer-Verlag,
1996.
171. T.H.Harris, The Theory of Branching Processes. Berlin, Springer-Verlag, 1963
172. J. Hastad and A. Shamir. The cryptographic security of truncated linearly related
variables. In Proceedings of the 17th ACM Symposium on Theory of Computing,
pages 356-362, 1985.
353
173. J. Hastad, B. Just, J. Lagarias and C.P. Schnorr. "Polynomial time algorithms for
finding integer relations among real numbers", SIAM J. Comput., vol. 18, pp. 859881, 1989.
174. T. Herlestam, "On the complexity of functions of linear shift register sequences," Int.
Symp. Inform. Theory, Les Arc, France, 1982.
175. T. Herlestam, "On functions of linear shift register sequences," in LNCS 219;
Advances in Cryptology: Eurocrypt'85, pp. 119-129. Berlin: Springer-Verlag, 1986.
176. J.J. Hopfield and D.W.Tank. Neural computation of decisions in optimization
problems, Biological Cybernetics 52: 1-25, (1985)
177. C. J. Jansen, "Investigations on nonlinear stream cipher systems: Construction and
evaluation methods", Ph.D. thesis, Eindhoven University of Technology, The
Netherlands, 1989.
178. C. J. Jansen and D.E. Boekke, "A Binary Sequence Generator Based on Ziv-Lempel
Source Coding". In J.Seberry and J.Pieprzyk, eds., Advances in Cryptology Auscrypt '90, pages 156-164, Springer Verlag, Berlin, 1990.
179. R.J. Jenkins, "ISAAC", In Fast Software Encryption - Third International Workshop,
Cambridge, February 1996, pp. 41-49, Springer-Verlag, Berlin, 1996
180. S.M. Jennings. A Special Class of Binary Sequences. PhD thesis, University of
London, 1980.
181. S. M. Jennings, "Multiplexed sequences: Some properties of the minimum polynomial," in Lecture Notes in Computer Science 149; Cryptography: Proc. Workshop
Cryptography, T. Beth, Ed., Burg Feuerstein, Germany, March 29-April 2, 1982, pp.
189-206. Berlin: Springer-Verlag, 1983.
182. S. M. Jennings, "Autocorrelation function of the multiplexed sequence," IEE Proc.,
vol. 131, no. 2, pp. 169-172, Apr. 1984.
183. B. Kaliski, A pseudo random bit generator based on elliptic logarithms, M. Sc. thesis,
Massachusetts Institute of Technology, 1987.
184. E. L. Key, "An analysis of the structure and complexity of nonlinear binary sequence
generators," IEEE Trans. Inform. Theory, vol. IT-22, no. 6, pp. 732-763, Nov. 1976.
185. L.H. Khachaturian. The lower bound of the quadratic spans of de Bruijn sequences.
Designs, Codes and Cryptography, 3:29-32, 1993.
186. S. Kirkpatrick, C.D. Gelatt and M.P. Vecchi, "Optimization by simulated annealing",
Science, 220 (4598):671-680, 1983.
354
355
356
217. R. Lidl and H. Niederreiter, "Finite Fields," in Encyclopedia of Mathematics and Its
Applications, Vol. 20, Reading, MA: Addison-Wesley, 1983.
218. R. Lidl and H. Niederreiter, Introduction to Finite Fields and Their Applications,
London, Cambridge University Press, 1986.
219. S. Lin and D.J.Jr. Costello, Error Control Coding: Fundamentals and Applications.
Englewood Cliffs, NJ: Prentice-Hall, 1983
220. S. Lloyd, "Counting functions satisfying a higher order strict avalanche criterion," in
LNCS 434: Advances in Cryptology; Eurocrypt'89, pp.63-74. Springer-Verlag, 1990.
221. S. Lloyd. Counting binary functions with certain cryptographic properties. Journal of
Cryptology, 5(2):107-131, 1992.
222. D. L. Long and A. Wigderson, "How discrete is the discrete log?" in Proc. 15th ACM
Symposium on Theory of Computation, Apr. 1983.
223. R. Lorentzen and R. Nilsen, "Application of linear programming to the optimal
difference triangle set problem," IEEE Trans. Inform.Theory, vol. IT-37, pp 14861488, Sep 1991
224. M. Luby and C. Rackoff, "How to construct pseudorandom permutations from
pseudorandom functions," SIAM J. Comput. vol. 17, pp. 373-386, 1988.
225. R. Matthews, On the Derivation of a "Chaotic" Encryption Algorithm. Cryptologia.
1989. 13: 29-42.
226. DJC MacKay, "A Free Energy Minimization Framework for Inference Problem in
Modulo 2 Arithmetic". Fast Software Encryption - Second International Workshop,
Leuven, December 1994, Springer-Verlag, Berlin, 1995, pp 179-195
227. F. J. MacWilliams and N. J. A. Sloane, "The theory of error correcting codes,"
Amsterdam: North-Holland, 1977.
228. D. Mandelbaum, Arithmetic codes with large distance. IEEE Trans. Info. Theory, vol.
IT-13, 1967 pp.237-242
229. G. Marsaglia. Random numbers fall mainly in the planes. Proc. N.A.S., 61:25-28,
1968.
230. P. Martin-Lf. The definition of random sequences. Inform. Contr., 9:602-619, 1966.
231. J. L. Massey, Threshold Decoding. Cambridge, MA: MIT Press, 1963
357
232. J. L. Massey, "Shift-register synthesis and BCH decoding," IEEE Trans. Inform.
Theory, vol. IT-15, pp. 122-127, Jan. 1969.
233. J. L. Massey, A. Gubser, A. Fischer, P. Hochstrasser, B. Huber, and R. Sutler, "A
self-synchronizing digital scrambler for cryptographic protection of data," in
Proceedings of International Zurich Seminar, March, 1984.
234. J. L. Massey and R. A. Rueppel, "Linear ciphers and random sequence generators
with multiple clocks," in Lecture Notes in Computer Science 209; Advances in
Cryptology: Proc. Eurocrypt'84, T. Beth, N. Cot, and I. Ingemarsson, Eds., Paris,
France, April 9-11, 1984, pp. 74-87. Berlin: Springer-Verlag, 1985.
235. J. L. Massey and I. Ingemarsson, "The Rip van Winkle cipher - a simple and provably
computationally secure cipher with a finite key," in Abstracts of Papers. IEEE Int.
Symp. Inform. Theory, Brighton, England, June 24-28, 1985.
236. J. L. Massey, "Delayed-decimation/square sequences," Proc. 2nd Joint SwedishSoviet Workshop on Information Theory, Granna, Sweden, Apr. 14-19, 1985.
237. J. L. Massey and M. Z. Wong, "The characterization of all binary sequences with
perfect linear complexity profiles," in Abstracts of Papers, Eurocrypt'86, Linkoping,
Sweden, May 20-22, 1986, pp. 3-4A-3-4B.
238. J. L. Massey, "Cryptography and System Theory," Proc. 24th Allerton
Conf.Commun., Control, Comput., Oct. 1-3, 1986.
239. J. L. Massey, "Probabilistic encipherment," Elektrotechnik und Maschinenbau, vol.
104, no. 12, Dec. 1986.
240. J. L. Massey and R. A. Rueppel, "Method of, and apparatus for, transforming a digital
sequence into an encoded form", U.S. Patent No. 4,797,922, 1989.
241. J. L. Massey, "Contemporary Cryptology: An Introduction", in G.J. Simmons, editor.
Contemporary Cryptology, The Science of Information Integrity; pp 1-40. IEEE
Press, New York, 1992.
242. J.L. Massey and S. Serconek. A Fourier transform approach to the linear complexity
of nonlinearly filtered sequences. In Y. Desmedt, editor, Advances in Cryptology Crypto '94, pages 332-340, Springer-Verlag, New York, 1994.
243. J.L. Massey and S. Serconek. "Linear Complexity of Periodic Sequences: A General
Theory". Advances in Cryptology - Crypto '96, pages 358-371, Springer-Verlag, New
York, 1996.
244. J. L. Massey, "Applied digital information theory," Lecture Notes, Swiss Federal
Institute of Technology, Zurich.
358
245. M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor,
Advances in Cryptology - Eurocrypt '93, pages 386-397, Springer-Verlag, Berlin,
1994.
246. U. Maurer and J. L. Massey, "Perfect local randomness in pseudo-random
sequences," in Lecture Notes in Computer Science 435; Advances in Crypology:
Proc. Crypto'89, G. Brassard, Ed., Santa Barbara, CA, Aug. 20-24. 1981 110-112.
Berlin: Springer-Verlag, 1990.
247. U. Maurer, "A provable-secure strongly-randomized cipher," in Lecture Notes in
Computer Science 473; Advances in Cryptology: Proc. Eurocrypt'90, 1. Damgard,
Ed., Aarhus, Denmark, May 21-24. 1990, pp. 361-373. Berlin: Springer-Verlag.
248. U.M. Maurer. New approaches to the design of self-synchronizing stream ciphers. In
D.W. Davies, editor, Advances in Cryptology - Eurocrypt '91, pages 458-471,
Springer-Verlag, Berlin, 1991.
249. U.M. Maurer. "A universal statistical test for random bit generators, " J. Cryptol.,
vol. 5, no. 2, pp. 89-105, 1992.
250. G Mayhew, R Frazee, M Bianco, "The Kinetic Protection Device", in Proceedings of
the 15th National Computer Security Conference (NIST, 1992) pp 310-318
251. G Mayhew, "A Low Cost, High Speed Encryption System and Method", in Proc
1994 IEEE Computer Society Symposium on Research in Security and Privacy
(IEEE, 1994) pp 147-154
252. L. McCarthy , post to Newsgroups: sci.crypt (from lmccarth@cs.umass.edu), 27 Aug
1996, Subject: Elementrix and POTP encryption
253. R. L. McFarland, "A family of difference sets in non-cyclic groups," J. Combinatorial
Theory, Ser. A, 15, pp. 1-10, 1973.
254. W. Meier and O. Staffelbach, "Fast correlation attacks on certain stream ciphers,"
Journal of Cryptology, vol. I, no. 3, pp. 159-176, 1989.
255. W. Meier and O. Staffelbach, "Nonlinearity criteria for cryptographic functions," in
Lecture Notes in Computer Science 434; Advances in Cryptology; Proc.
Eurocrypt'89, J.-J. Quisquater and J. Vandewalle, Eds., Houthalen, Belgium, April
10-23, 1989, pp. 549-562. Berlin: Springer-Verlag, 1990.
256. W. Meier and O. Staffelbach, "Correlation properties of combiners with memory in
stream ciphers," in Lecture Notes in Computer Science 473; Advances in Cryptology:
Proc. Eurocrypt'90, I. Damgard, Ed., Aarhus, Denmark, May 21-24. 1990, pp. 204213. Berlin: Springer-Verlag.
359
360
270. M.J. Mihaljeviand J. Goli. "A parity-check weight distribution for maximum-length
sequences", Abstracts of the Second International Conference on Finite Fields,
University of Nevada, Las Vegas, p. 35, 1993.
271. M.J. Mihaljevi. A correlation attack on the binary sequence generators with timevarying output function. In J. Pieprzyk and R. Safavi-Naini, editors, Advances in
Cryptology - Asiacrypt '94, pages 67-79, Springer-Verlag, Berlin, 1995.
272. L. M. Milne-Thomson, "The calculus of finite differences," London: Macrnillan and
Co., 1951.
273. D. Mitchell, Nonlinear Key Generators. Cryptologia. 1990. 14: 350-354.
274. S. Mund. Ziv-Lempel complexity for periodic sequences and its cryptographic
application. In D.W. Davies, editor, Advances in Cryptology - Eurocrypt '91, pages
114-126, Springer-Verlag, Berlin, 1992.
275. J. Naor and M. Naor. Small bias probability spaces: efficient construction and
applications. In Proceedings of the 22nd Annual ACM Symposium on Theory of
Computing, Baltimore, Maryland, pp 213-223, May 1990.
276. National Institute of Standards and Technology (NIST). FIPS Publication 180:
Secure Hash Standard (SHS). May 11, 1993.
277. National Institute of Standards and Technology (NIST). FIPS Publication 46-2: Data
Encryption Standard. December 30, 1993.
278. National Institute of Standards and Technology (NIST). FIPS Publication 81: DES
Modes of Operation. December 2, 1980. Originally issued by National Bureau of
Standards.
279. G. Nicolis and I. Prigogine. Exploring Complexity. W. H. Freeman and Company:
New York, 1989.
280. H. Niederreiter, "Continued fractions for formal power series, pseudorandom
numbers, and linear complexity of sequences," contributions to General Algebra 5,
Proc. Conf. Salzburg, Teubner, Stuttgart, 1986.
281. H. Niederreiter, "Sequences with almost perfect linear complexity profile," in Lecture
Notes in Computer Science 304; Advances in Cryptology: Proc. Eurocrypt'87, D.
Chaum and W. L. Price, Eds., Amsterdam, The Netherlands, April 13-15, 1987, pp.
37-51. Berlin: Springer-Verlag, 1988.
282. H. Niederreiter, "Probabilistic theory of linear complexity," in Lecture Notes in
Computer Science 330; Advances in Cryptology: Proc. Eurocrypt'88, C. G. Gnther,
Ed., Davos, Switzerland, May 25-27, 1988, pp. 191-209. Berlin: Springer-Verlag,
1988.
361
283. H. Niederreiter, "Keystream sequences with a good linear complexity profile for every
starting point," in Lecture Notes in Computer Science 434; Advances in Cryptology;
Proc. Eurocrypt'89, J.-J. Quisquater and J. Vandewalle, Eds., Houthalen, Belgium,
April 10-23, 1989, pp. 523-532. Berlin: Springer-Verlag, 1990.
284. H. Niederreiter. The linear complexity profile and the jump complexity of keystream
sequences. In I.B. Damg_ard, editor, Advances in Cryptology - Eurocrypt '90, pages
174-188, Springer-Verlag, Berlin, 1991.
285. K. Nyberg, "Construction of bent functions and difference sets," in Lecture Notes in
Computer Science 473; Advances in Cryptology:Proc. Eurocrypt'90, I. Damgard,
Ed., Aarhus, Denmark, May 21-24. 1990, pp. 151-160. Berlin: Springer-Verlag.
286. K. Nyberg, "Perfect Nonlinear S-boxes" in Lecture Notes in Computer Science 547;
Advances in Cryptology:Proc. Eurocrypt'91, Springer-Verlag, 1992
287. K. Nyberg, "New Bent Mappings Suitable for Fast Implementation", In R. Anderson,
editor, Fast Software Encryption - Cambridge Security Workshop, pages 179-184,
Springer-Verlag, Berlin, 1994.
288. P. Nyffeler, Binare Automaton und ihre linearen Rekursionen, Ph.D. thesis, University
of Berne, 1975.
289. L. O'Connor and T. Snider. Suffix trees and string complexity. In R.A.Rueppel,
editor, Advances in Cryptology - Eurocrypt '92, pages 138-152, Springer-Verlag,
Berlin, 1993.
290. Y. Ohnishi, A study on data security. Master thesis (in Japanese), Tohuku University,
Japan, 1988.
291. J.D. Olsen, R.A. Scholtz and L.R.Welch. "Bent functions sequences", IEEE
Transactions on Information Theory, IT-28 No 6, 858-864
292. B.J. Oommen, Recognition of noisy subsequences using constrained edit distance.
IEEE Trans Pattern Analysis Mach. Intell., Volume PAMI-9, September (1987) 636685
293. B.J. Oommen, Correction to recognition of noisy subsequences using constrained edit
distance. IEEE Trans Pattern Analysis Mach. Intell., Volume PAMI-10, November
(1988) 983-984
294. S.-J. Park, S.-J. Lee and S.-Ch. Goh. On the Security of the Gollmann Cascades.
Advances in Cryptology - Crypto '95 (LNCS vol 963), pages 148-156, SpringerVerlag, Berlin, 1995.
362
295. W. T. Penzhorn and G. J. Khn, " Computation of Low-Weight Parity Checks for
Correlation Attacks on Stream Ciphers". Proc. 5th IMA Conference Cryptography
and Coding, Cirencester, England, Dec. 1995, pages 74-83, Springer-Verlag, 1995.
296. W. T. Penzhorn, "Correlation Attacks on Stream Ciphers: Computing Low-Weight
Parity Checks Based on Error-Correcting Codes". In Fast Software Encryption Third International Workshop, Cambridge, February 1996, pp. 159-172, SpringerVerlag, Berlin, 1996
297. C. Peterson and B. Soderberg. A new method for mapping optimization problems
onto neural networks, Int. Journal Neural Systems, (1989)
298. S.V. Petrovi and J. Goli, "String editing under a combination of constraints,"
Information Sciences,74:151-163, 1993.
299. S.V. Petrovi and J. Goli, "A divide and conquer attack on clock-controlled shift
registers combined by a function with memory", submitted, 1993
300. C. Pickover, Pattern Formation and Chaos in Networks. Communications of the
ACM, 1988, 31: 136-151..
301. F. Piper, "Stream ciphers," Elektrotechnik und Maschinenbau, vol. 104, no. 12, pp.
564-568, 1987.
302. V. S. Pless, "Encryption schemes for computer confidentiality," IEEE Trans.
Comput., vol. C-26, pp. 1133-1136, Nov. 1977.
303. J. Plumstead (Boyar). Inferring a sequence generated by a linear congruence. In
Proceedings of 23rd IEEE Symposium on Foundations of Computer Science, pages
153-159, 1982.
304.
363
308. Pr Newswire, "Elementrix announces revolutionary encryption for Internet and all
digital communication", September 29, 1995
309. N. Proctor. A self-synchronizing cascaded cipher system with dynamic control of
error-propagation. In G.R. Blakley and D. Chaum, editors, Advances in
Cryptology - Crypto '84, pages 174-190, Springer-Verlag, New York, 1985.
310. M. O. Rabin, "Probabilistic Algorithm for Testing Primality," SIAM Journal on
Computing, v. 9, n. 2, May 1980, pp. 273-280
311. M. O. Rabin, "Fingerprinting by Random Polynomials," Technical Report TR-15-81,
Center for Research in Computing Technology, Harvard University, 1981.
312. S. Rasband, Chaotic Dynamics of Nonlinear Systems. John Wiley & Sons: New
York, 1990.
313. J.A. Reeds. "Cracking a random number generator." Cryptologia, 1, January 1977.
314. J.A. Reeds. "Cracking a Multiplicative Congruential Encryption Algorithm", in
Iinformation Linkage Between Applied Mathematics and Industry, P.C.C Wang, ed.,
Academic Press, 1979, pp.467-472.
315. J.A. Reeds, "Solution of Challenge Cipher," Cryptologia, v. 3, n. 2, Apr 1979, pp.
83-95.
316. J.A. Reeds and N.J.A. Sloane. Shift register synthesis (modulo m). SIAM Journal on
Computing, 14(3):505-513, 1985.
317. E. Rietman, Exploring the Geometry of Nature. Windcrest Books, Blue Ridge
Summit, PA., 1989.
318. T. Ritter. The Efficient Generation of cryptographic Confusion Sequences.
Cryptologia, 1991, 15(2): 81-139
319. R.L. Rivest. The RC4 Encryption Algorithm. RSA Data Security, Inc., March 12,
1992.
320. R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures
and public-key cryptosystems. Communications of the ACM, 21(2):120-126,
February 1978.
321. M.J.B. Robshaw. Block Ciphers. Technical Report TR - 601, RSA Laboratories,
revised July 1995.
322. M.J.B. Robshaw. Stream Ciphers. Technical Report TR - 401, RSA Laboratories,
revised July 1995.
364
323. M.J.B. Robshaw. On Binary Sequences with Certain Properties. PhD thesis,
University of London, 1992.
324. M.J.B. Robshaw. On evaluating the linear complexity of a sequence of least period 2n
Designs, Codes and Cryptography, 4:263-269, 1994.
325. M.J.B. Robshaw. Security of RC4. Technical Report TR - 401, RSA Laboratories.
326. P. Rogaway and D. Coppersmith. A software-optimized encryption algorithm. In R.
Anderson, editor, Fast Software Encryption - Cambridge Security Workshop, pages
56-63, Springer-Verlag, Berlin, 1994.
327. C.A. Ronce. Feedback Shift Registers. Volume 169 of Lecture Notes in Computer
Science, Springer-Verlag, Berlin, 1984.
328. O. S. Rothaus, "On bent functions," J. Combinatorial Theory, vol. 20, pp. 300-305,
1976.
329. F. Rubin "Decrypting a stream cipher based on J-K flip-flops," IEEE Trans Comput.,
vol. C-28, no. 7, pp. 483-487, July 1979.
330. R.A. Rueppel. New Approaches to Stream Ciphers. PhD thesis, Swiss Federal
Institute of Technology, Zurich, 1984.
331. R. A. Rueppel, "Linear complexity and random sequences," in Lecture Notes in
Computer Science 219; Advances in Cryptology: Proc. Eurocrypt'85, F. Pilcher, Ed.,
Linz, Austria, April 1985, pp. 167-188. Berlin: Springer-Verlag, 1986.
332. R. A. Rueppel and J. L. Massey, "The knapsack as a nonlinear function," IEEE Int.
Symp. Inform. Theory, Brighton, UK, May 1985.
333. R. A. Rueppel, "Correlation immunity and the summation combiner," in Lecture
Notes in Computer Science 218; Advances in Cryptology: Proc. Crypto'85, H. C.
Williams Ed., Santa Barbara, CA, Aug. 18-22, 1985, pp. 260-272. Berlin: SpringerVerlag, 1986.
334. R. A. Rueppel, Analysis and Design of Stream Ciphers, Berlin: Springer-Verlag,
1986.
335. R. A. Rueppel and O. Staffelbach, "Products of sequences with maximum linear
complexity," IEEE Trans.Inform.Theory, vol. IT-33, no. I,pp. 124-131,Jan. 1987.
336. R. A. Rueppel, "When shift registers clock themselves," in Lecture Notes in Computer
Science 304; Advances in Cryptology: Proc. Eurocrypt'87, D. Chaum and W. L.
Price, Eds., Amsterdam, The Netherlands, April 13-15, 1987, pp. 53-64. Berlin:
Springer-Verlag, 1988.
365
337. R. A. Rueppel, "On the security of Schnorr's pseudo random sequence generator," in
Lecture Notes in Computer Science 434; Advances in Cryptology; Proc.
Eurocrypt'89, J.-J. Quisquater and J. Vandewalle, Eds., Houthalen, Belgium, April
10-23, 1989, pp. 423-428. Berlin: Springer-Verlag, 1990.
338. R. A. Rueppel, "Security models and notions for stream ciphers," Proc. 2nd IMA
Conf. Cryptography and Coding, Cirencester, England, Dec. 1989.
339. R. A. Rueppel, "Stream ciphers," in G.J. Simmons, editor. Contemporary Cryptology,
The Science of Information Integrity; pp 65-134. IEEE Press, New York, 1992.
340. A. Fuster-Sabater and P. Caballero-Gil. On the linear complexity of nonlinearly
filtered PN-sequences. In J. Pieprzyk and R. Safavi-Naini, editors, Advances in
Cryptology - Asiacrypt '94, pages 80-90, Springer-Verlag, Berlin, 1995.
341.
342. M. Salmasizadeh, J. Golic, E. Dawson and L. Simpson. "A Systematic Procedure for
Applying Fast Correlation Attacks to Combiners with Memory", Proc. of Fourth
Annual Workshop on Selected Areas in Cryptography - SAC '97, Ottawa, August
1997, preprint.
343. D. Sankoff and J.B. Kruskal, Time Warps, String Edits and Macro Molecules: The
Theory and Practice of Sequence Comparison. Reading, MA: Addison-Wesley, 1983
344. J. E. Savage, Some simple self-synchronizing digital data scramblers. Bell Sys.Tech.
J., vol. 46, no. 2, pp. 449-487, Feb. 1967.
345. T. Schaub, A linear complexity approach to cyclic codes, Ph.D. thesis, Swiss Federal
Institute of Technology, Zurich, 1988.
346. B. Schneier, Applied Cryptography, 2nd edition, John Wiley & Sons, New York,1996
347. B. Schneier "Cryptography, Security and the Future", Communications of the ACM,
v. 40, n. 1, Jan 1997.
348. C. P. Schnorr, "On the construction of random number generators and random
function generators," in Lecture Notes in Computer Science 330; Advances in'
Cryptology: Proc. Eurocrypt'88, C. G. Gunther, Ed., Davos, Switzerland, May 2527, 1988, pp. 225-232. Berlin: Springer-Verlag, 1988.
349. J. Seberry and M. Yamada. "Hadamar Matrices, Sequences and Block Designs". In
J.H.Dinitz and D.R. Stinson, editors, Contemporary Design Theory: A Collection of
Surveys,chapter 11, pages 431-559, John Wiley and Sons, Inc, 1992.
366
350. J. Seberry and X.M. Zhang. "Highly Nonlinear 0-1 balanced functions satisfying strict
avalanche criterion". Presented at AUSCRYPT '92, 1992.
351. J. Seberry, X.M. Zhang, and Y. Zheng. "Nonlinearly balanced Boolean functions and
their propagation characteristics". In D.R. Stinson, editor, Advances in Cryptology Crypto '93, pages 49-60, Springer-Verlag, New York, 1994.
352. J. Seberry, X.M. Zhang and Y. Zheng, "On Constructions and Nonlinearity of
Correlation Immune Functions" In T. Helleseth, editor, Advances in Cryptology Eurocrypt '93, pages 181-199, Springer-Verlag, Berlin, 1994.
353. J. Seberry, X.-M. Zhang and Y Zheng, "Nonlinearity and Propagation Characteristics
of Balanced Boolean Functions", Information and Computation, Vol. 119, No 1, pp
1-13, 1995
354. E. S. Selmer, Linear recurrence relations over finite fields. Lecture Notes, University
of Bergen, Bergen, Norway, 1966.
355. J. A. Serret, "Cours d'algebre superieure," Tome II, p. 154, Gauthier-Villars, Paris,
1886.
356. E.H. Sibley, "Random Number Generators: Good Ones Are Hard to Find",
Communications of the ACM, v.31, n.10, Oct 1988, pp. 1192-1201
357. A. Shamir, "On the generation of cryptographically strong pseudo-random sequences,
" 8th Int. Colloquimum of Automata, Languages, anp Programming, Lecture Notes in
Computer Science 62, Springer-Verlag, 1981.
358. A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman
cryptosystem. IEEE Transactions on Information Theory, IT-30(5):699-704, Sept.
1984.
359. C. E. Shannon , "A mathematical theory of communication," Bell Syst. Tech. J.,
vol.27, pp. 379-423, 623-656, July and October 1948
360. C. E. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J.,
vol.28, pp. 656-715, Oct. 1949
361. T. Siegenthaler, "Correlation-immunity of nonlinear combining functions for
cryptographic applications," IEEE Trans. Inform. Theory, vol. IT-30, pp. 776-780,
Oct. 1984.
362. T. Siegenthaler, "Cryptanalyst's representation of nonlinearly filtered ml-sequences,"
in Lecture Notes in Computer Science 219; Advances in Cryptology:
Proc.
Eurocrypt'85, F. Pilcher, Ed., Linz, Austria, April 1985, pp. 103-110. Berlin:
Springer-Verlag, 1986.
367
363. T. Siegenthaler, "Decrypting a class of stream ciphers using ciphertext only," IEEE
Trans. Comput., vol. C-34, pp. 81-85, Jan. 1985.
364. G.J. Simmons, editor. Contemporary Cryptology, The Science of Information
Integrity. IEEE, New York, 1992.
365. B. Smeets, "A note on sequences generated by clock-controlled shift registers," in
Lecture Notes in Computer Science 219; Advances in Cryptology: Proc.
Eurocrypt'85, F. Pilcher, Ed., Linz, Austria, April 1985, pp. 40-42. Berlin: SpringerVerlag, 1986.
366. B. Smeets, "The linear complexity profile and experimental results on a randomness
test of sequences over the field Fq," IEEE Int. Symp. Inform. Theory, Kobe, Japan,
June 19-24, 1988.
367. B. Smeets and W.G. Chambers, "Windmill pn-sequences generators", IEE
Proceedings-E, vol 136, pp 401-404 (Sept 1989).
368. O. Staffelbach and W. Meier, "Cryptographic significance of the carry for ciphers
based on integer addition," In A.J. Menezes and S.A. Vanstone, editors, Advances in
Cryptology - Crypto '90, pages 601-615, Springer-Verlag, New York, 1990.
369. J. Stern, "Secret Linear Congruential Generators Are Not Cryptogaphically Secure",
Proceedings of the 28th Symposium on Foundations of Computer Science, 1987,
pp.421-426.
370. M. A. Stephens and R.B.D. D'Agostino, Tests Based on EDF Statistics, Goodness of
Fit Techniques, Statistics, Textbooks and Monographs, 68, Marcell Dekker Inc.,
1986, 97-193.
371. D.R. Stinson, "Resilient functions and large sets of orthogonal arrays," Congressus
numerantium, vol. 92, pp. 105-110, 1993
372. D.R. Stinson and J.L. Massey, "An infinite class of counterexamples to a conjecture
concerning nonlinear resilient functions", Journal of Cryptology, vol.8(3), pp. 167173, 1995
373. R. C. Titsworth, "Optimal ranging codes," IEEE Trans. Space Electron. Telemetry,
pp. 19-30, March 1964.
374. S. A. Tretter, "Properties of PN2 sequences," IEEE Trans. Inform. Theory, vol. IT20, pp. 295-297, March 1974.
375. PC van Oorschot, MJ Wiener, "Parallel Collision Search with Application toHash
Functions and Discrete Logarithms", in Proceedings of the 2nd ACM Conference on
Computer and Communications Security (ACM, Nov 94) pp 210-218
368
376. G. S. Vernam, "Cipher printing telegraph systems for secret wire and radio
telegraphic communications," J. Amer. Inst. Elec. Eng., vol. 45, pp. 109-115, 1926.
377. R. Vogel, "On the linear complexity of cascaded sequences," in Lecture Notes in
Computer Science 209; Advances in Cryptology: Proc. Eurocrypt'84, T. Beth, N.
Cot, and I. Ingemarsson, Eds., Paris, France, April 9-11, 1984, pp. 99-109. Berlin:
Springer-Verlag, 1985.
378. D. Wagner, B. Schneier and J. Kelsey, "Cryptanalysis of ORYX", Preprint, May 4,
1997
379. M. Z. Wang and J. L. Massey, "The characteristics of all binary sequences with
perfect linear complexity profiles," paper presented at Eurocrypt'86, Linkoping,
Sweden, May 20-22, 1986.
380. M. Wang, "Linear complexity profiles and continued fractions," in Lecture Notes in
Computer Science 434; Advances in Cryptology; Proc. Eurocrypt'89, J.-J.
Quisquater and J. Vandewalle, Eds., Houthalen, Belgium, April 10-23, 1989, pp. 571585. Berlin: Springer-Verlag, 1990.
381. M.Z. Wang, "Algorithm for recursively generating irreducible polynomials",
Electronic Letters , v 32 no 20 (26/9/96) p 1875
382. M. Ward. The arithmetical theory of linear recurring series. Transactions of the
American Mathematical Society, 35:600-628, (July 1933).
383. A. F. Webster and S. E. Tavares, "On the design of S-boxes," in Lecture Notes in
Computer Science 218; Advances in Cryptology: Proc. Crypto'85, H. C. Williams,
Ed., Santa Barbara, CA, Aug. 18-22, 1985, pp. 523-534. Springer-Verlag, 1986.
384. B.M.M. de Weger, Approximation lattices of p-adic numbers, J. Num. Th. Vol. 24,
1986, pp. 281-292.
385. L.R. Welch and R.A. Scholtz, Continued fractions and Berlekamp's algorithm. IEEE
Trans. Info. Theory vol. 25, 1979 pp. 19-27.
Subject index

1/p generator, 252
2-adic complexity, 236
2-adic numbers, 210
2-adic span, 65, 211, 236
A5 (algorithm), 257
adaptive algorithm, 211, 237
additive generator, 180, 255
affine function, 122, 143
algorithm resetting, 96
ANF transformation, 55, 123
asymmetric cipher
asynchronous cipher
augmented function, 108
autocorrelation function, 36
autocorrelation test, 39
balanced function, 122, 143
balanced sequence, 27, 143
base polynomial, 272
Ben-Or algorithm, 28
bent mapping, 133
bent function, 109, 120, 129, 132, 144
bent sequence, 144
bent triple, 137
Berlekamp-Massey algorithm, 26, 44
binary derivative, 262
birthday paradox, 259
block cipher, 2, 141
Blum-Micali generator, 324
BRM, 156
carry (operation), 211
cascade generator, 154, 159, 163
CDPD, 260
cellular automaton, 250
Chameleon, 283
chaotic cipher, 319, 334
chosen-ciphertext attack
chosen-plaintext attack
ciphertext
ciphertext-only attack
cleartext
congruential generator, 20
connection polynomial, 25
correlation attack, 80, 84
correlation coefficient, 127
cost function, 302
Counterpane Systems, 279
cross-correlation function, 84, 127
Crypto AG, 2, 4, 50
cryptanalysis
cryptogram
cryptography
cryptology
cyclic code, 90
De Bruijn function, 110
De Bruijn property, 27
De Bruijn sequence, 27, 50, 252
deletion rate, 197, 201
dense polynomial, 33
[d,k]-self-decimation generator, 161
decimation of sequence, 154, 190
DES, 2, 173
difference set, 132
differential cryptanalysis, 297
DSP, 272
discrepancy, 65
divide-and-conquer attack, 80, 85
D-transform, 225
e-bias distribution, 176
Elementrix Technologies, 334
embedding attack, 196
equidistant set, 114
evolution program, 306
exhaustive search, 81, 162, 178
fast resetting, 97
feedback integer, 210, 231
feedback polynomial, 26
feedback shift register, 25
feedback shift register with carry operation (FCSR)
Fibonacci register, 29
Fibonacci sequence, 181
filter generator, 69-77
Fish (algorithm), 180
fitness function, 306
frequency test, 38
Fourier transform, 51, 175
full adder, 231
Galois register, 29, 32
Geffe generator, 81, 245
generating function, 225
generator matrix, 89
generator polynomial, 90
genetic algorithm, 302, 306
geometric sequence, 50, 79
Gifford generator, 256
GOAL (algorithm), 277
Golomb postulates, 36
Gretag AG, 2, 86
GSM, 257
Hadamard matrix, 54, 143
Hadamard product, 60
Hamming code, 91
Hamming distance, 86, 89, 120, 143
Hamming weight, 52, 79, 89, 123, 143
IA (generator), 280
IBAA (generator), 281
IBM, 160, 263
information set, 103
information vector, 91
initialization vector, 293
interlacing, 154, 160
interleaving, 154, 160
interleaved sequence, 185
intersection coefficient, 114
intractability hypothesis, 319
inverse attack, 113
ISAAC (generator), 280
Jennings generator, 247
Kerckhoffs' assumption
keystream
keystream generator
Khufu, 264
knapsack generator, 254
Kronecker product, 143
known-ciphertext attack
known-plaintext attack
Lempel-Ziv complexity, 64
Levenshtein distance, 193
LFSR sequence, 27
linear complexity, 26, 43
linear cryptanalysis, 300
linear function, 122, 143
linear span, 26, 43
local randomization, 13
lock-in effect, 160, 163
look-up table, 339
l-sequence, 211, 240
Maple, 241
MD5 (hash algorithm), 264
meet-in-the-middle attack, 104, 259, 290
Mersenne exponent, 273
Metropolis algorithm, 303
m-sequence, 27, 70
m-sequence cascade, 159
multiplexer generator, 247, 290, 296
nonlinearity, 143
non-uniform decimation, 155
objective function, 302
Omnisec AG, 2, 39, 317
one-time pad, 3, 13
on-line algorithm, 65
orthogonal code, 90
ORYX (algorithm), 278
Pari, 241
parity check, 82
parity-check matrix, 90
parity-check polynomial, 90
Parseval equation, 120
perfect generator, 319, 321
period of register, 25
period of sequence, 25, 57
Philips Crypto, 55, 64, 268
PIKE (algorithm), 276
plaintext
Pless generator, 81, 246
practical security, 15
primitive polynomial, 27
probabilistic constrained edit distance (PCED)
propagation criterion of degree k
pseudo-random sequence, 327
quadratic span, 64
R3 Security Engineering
Racal Comsec, 307
randomized cipher, 318
randomizer, 6, 318, 329
RC2 (algorithm), 260
RC4 (algorithm), 260
regular decimation, 155
repetition test, 41
resilient function, 121, 150
resynchronization, 258, 292
reversion attack, 259
ripple adder, 231
RSA (algorithm), 322
RSA generator, 326
run test, 39
sampled sequence, 190
S-box, 260, 267, 274
Schnorr generator, 13
scrambler
SEAL (algorithm), 263
secret key
SHA, 265, 277
self-shrinking generator, 162, 184
self-synchronizing cipher, 7, 8, 284
semi-infinite sequence, 42
serial test, 38
sequence of function, 122, 143
Shamir's generator, 322
shrinking generator, 154, 160, 173
shrunk polynomial, 201
Siemens AG, 180
simulated annealing, 302
singular device, 161
sliding window, 103
span, 43
sparse polynomial, 33
spectral radius, 139
stage, 32, 159
state, 57, 231
statistical test, 321
"step k,m"-cascade, 164
step-once-twice generator, 156
stop-and-go generator, 156
stream cipher, 109, 121, 141
substitution probability, 199
suffix tree, 64, 66
summation combiner, 65, 128, 213, 253
Sylvester-Hadamard matrix, 143
symmetric cipher
synchronization loss, 292
synchronous cipher
taps, 25, 174
template, 177
theoretical security, 14
threshold generator, 248
total correlation, 126, 127
Turing-Kolmogorov complexity, 318
Turing machine, 318
unicity distance, 12
uniform decimation, 155
uniformity test, 38
universal test, 39
variable connections, 174
Vernam cipher, 3, 10, 13
WAKE (algorithm), 275
Walsh-Hadamard matrix, 143
Walsh transformation, 53, 120, 123, 215
Wolfram generator, 250