78 IEEE TRANSACTIONS ON COMPUTERS, VOL. C-34, NO.

1, JANUARY 1985

Correspondence

Boolean Integral Calculus for Digital Syktems F (x) = xi (or xi) (1)
JERRY H. TUCKER, MOIEZ A. TAPIA, AND The partial derivatives can also be defined alternately as follows:
A. WAYNE BENNETT
dF / dF
Abstract -The concept of Boolean integration is introduced and F(x
~F(x) ~-
=

'\ Xi= ) XiO =

(2)
developed. When the changes in a desired function are specified in terms i

of changes in its arguments, then ways of "integrating" (i.e., realizing) the

function, if it exists, are presented. Boolean integral calculus has applica-
tions in design of logic circuits.
Index Terms -Base of Boolean function, Boolean calculus, Boolean
differential, Boolean differential expression, Boolean integration, com-
patible integral, direct and inverse partial derivatives, edge-sensitive
flip-flops, exact integral.
I. INTRODUCTION
In recent years the concepts of Boolean differentiation, deriva-
tives, differential, and other operators have been developed and
applied to digital analysis and testing [1]-[3], [6]. While designing
digital systems, situations are encountered [7], [9] when it is desired
for the output of a system to change as a function of the changes in
its input. With these and possibly other situations in mind, the
concept of Boolean integration is presented.
II. BOOLEAN FUNCTION AND ITS BASE
Throughout the correspondence, unless stated otherwise, a Bool-
ean function F (xl, x2, , xj) of n Boolean variables xl, x2, X,n
will be assumed. Also, it will be assumed that only one variable
xi, 1 c i s n, can change at a time.
Definition 2.1: The set of 2n binary vectors or points
(xI,x2, *.* ,xn) where xi = 0 or 1, 1 c i c n, such that xi and xj
may or may not be equal if i jI, will be called the Boolean set of
variables XI, X2s, Xn, denoted by B (n). The Boolean set of
(n - 1) variablesxl, x2, ,xi- l, xi+ l, x,, written x/xi, will be
denoted by B(n/i).
Definition 2.2: Given a set S, 4 C S C B (n), a function F (x) is
said to be based on the set S provided (F(x) x=bO) 1 if and only
if bo E S.
On the other hand, if a function F(x) is given, then the set
S = {b b E B (n) and F (b) = I} is called the base of the function
F(x) and denoted by BASE F(x).
III. BOOLEAN DIFFERENTIATION
In the area of Boolean differentiation, the concepts of direct and
inverse partial derivates have been reported earlier [6].
Definition 3.1: The direct (or inverse) partial derivative of F (x)
with respect to xi, 1 c- i n, denoted by aF or dF is defined as
-
dF = (F(x) . (F( ) =d
(3)
a3~~i xi=o, Xi=I dxt.,
IV. BOOLEAN DIFFERENTIAL
Boolean differential, introduced by Talantsev [4], [5] and further
developed by Brown and Young [6], is analogous to the differential
of a function in the calculus of real variables and expresses
the change in a Boolean function in terms of a change in one of
its arguments.
Definition 4.1: dF will denote changes in the value of function
F. These changes can be from "O" to " 1 " or " 1 " to "0." dxi or d xi will
denote a change in the variable xi. The expression dF = dxi means
that a "positive" (or "negative") change in xi causes a "positive" (or
"negative") change in F. The expression dF = dxi means that a
"positive" (or "negative") change in xi causes a "negative" (or
"positive") change in F. In order to relate dF, dxi, dxj, and F, we
will need to define dF, dxi, and dxi, for all i, as entities in a Boolean
algebraic system (i.e., as Boolean variables). When dF, dxi, and dx
are treated as Boolean variables, they have Boolean values as
defined below:
0 implies no change occurring in value of V
(4)
1, implies a change in value of V.
Definition 4.2: The Boolean differential of F, denoted by dF, is
defined as
dF = En d1ax- dxi N+
d1.1
dxj . - (5)
The Boolean differential of F is useful in analysis as it shows
how F is affected by changes in xi_ 1 c i < n. In synthesis, it is of
interest to address ourselves to the question: "Is it possible to find
a function that undergoes changes as a consequence of changes in
its argument in accordance with a given specification?" The answer
to this question will be pursued in the next section.
V. BOOLEAN INTEGRATION
Suppose it is desired that the output of a system change the same
way as some of its inputs under certain conditions, and that the out-

put change the opposite way as some inputs under other conditions,
a function of (n - 1) variables xi,x2, * *Xi,Xi+l ,xn that is when the inputs change. In order to specify this desired relationship
based on the set formed by the union of all possible points xlxi in between the changes in the output in terms of the changes in the
the set B (n/i) such that inputs, we introduce differential expression defined next.
Definition 5.1: A differential expression, denoted by dH, is a
Manuscript received June 13, 1983; revised November 21, 1983. Boolean expression of the form
J. H. Tucker is with NASA Langley, Hampton, VA 23665. n
M. A. Tapia is with the Department of Electrical and Computer Engineering, dH = , (ai dxi + pi dx-i) (6)
University of Miami, Coral Gables, FL 33124. i=l
A. W. Bennett is with the Department of Electrical and Computer Engineer-
ing, Clemson University, Clemson, SC 29631. where in general ai and A3i are functions of the (n - 1) variables

0018-9340/85/0100-0078$01.00 tD 1985 IEEE

IEEE TRANSACTIONS ON COMPUTERS, VOL. c-34, NO. 1, JANUARY 1985 79

xl, x2,** , x, 1, xi+ 1,* xn, and ai and P3i are independent of xi for n
all i, 1 .i ' n. dH = , (agi dxi +
i=l
PSi d xi) (16)
It is easy to see that the Boolean differential of a function F(x) as
given in (5) is a differential expression; however, the converse is not is compatibly integrable and F1 is a compatible integral of dH, then
true. For a differential expression to be a differential, there must every "one" of f dH is also a "one" of Fl, and every "one"s of fo dH
exist a function such that its differential is the same as the is a "zero" of Fi.
given differential expression. For the expression dH in (6) to be a Lemma 5.2: If the differential expression
differential, there must exist a function H(x) such that, for all
i, 1 'S i . n,
dH = E (ai dxi + pidx1i) (17)
i=l
OH
ai = (7) satisfies the equation
axi
and
(J dH) . (f dH) =O for all x E B(n), (18)
OH
pi = _
adx
(8) then

Given differential expression dH as described in (6), in order to

determine whether a function F exists that changes due to changes (a) a1f dH = aixi, (b) ai dH = cii,
in its arguments as specified in the differential expression dH, we
need the following definitions. and (c) a1 (fdH) aixi. (19)
Definition 5.2: F is said to be the exact integral of dH, denoted
by fE dH, and dH is said to be exactly integrable if
Theorem 5.1: A differential expression
dH = E (ai dxi + i d xi) (9)
dH =
n
, (ai dxi + 1id xi) (20)
i=1
i=i
and for all i, 1 s i S n
is compatibly integrable if and only if
OF aF
a ci and - -=3i. (10)
Oxi axi (fdH) ( dH) = for all x E B(n) . (21)
Definition 5.3: F is said to be a compatible integral of dH,
denoted by f dH, and dH is said to be compatibly integrable if If (21) is satisfied, then a compatible integral of dH is given by
aF OF
-D ai and D_ r,3 (1 1) F = dH + (o dH) (22)
axi -
Ax
for all i, 1 . i c n. where fr is an arbitrary function of x.
Observe that by the definition given above if dH is exactly Proof: First we will prove the necessity part of the theorem.
integrable, then F = fE dH goes through exactly the changes Suppose dH is compatibly integrable so that there exists F,(x)
which are described in dH. such that
In what follows we will obtain ways of finding all possible com-
patible integrals of dH, if dH is compatibly integrable. To accom-
plish this we need the following integral operators. F1 = dH. (23)
Definition 5.4: The zeroth-order integral of dH, denoted by
fo dH, is defined as Also, suppose that there exists bo such that

0
dH = E (a&ij +
i=l
3ixi) (12)
[(I0 dH ( dH)] |-
(24)
where which implies that
n
dH = >
i=1
(aidxi + idx-i). (13) (fdH) x=bo 1 and (fdH) | 1. (25)

Also, the first-order integral of dH, denoted by f1 dH, is defined as From Lemma 5.1 and (25), bo is a "one" of F, as well as a "zero"
n
of F1, which is not possible. Hence, the right-hand side of (24)
cannot be 1 which proves the necessity part of the theorem.
1, dH = E (aixi + PIA).
i=l To prove sufficiency, AND both the sides of (22) by ai. Then
Definition 5.5: A binary point bo E B (n) is said to be "one" (or
"zero") of a function F(x) if a1F = a1f dH + /aia* (f dH)
F(bo) = 1 (or 0). (15) = aixi + Ia1ixi (from Lemma 5.2)
For the sake of brevity, we will present the following lemmas = aixi( + it)
without proofs.
Lemma 5.1: If the differential expression =- aixi. .(26)
80 IEEE TRANSACTIONS ON COMPUTERS, VOL. C-34, NO. 1, JANUARY 1985

Since ai is independent of xi, then

f dc = X1X2X3 + X1X2X3 (36)
aF a(aiF)
ai- =
axi dxi Obviously,
- a(aixi) [from (26)]
Oxi (dC dC) =0. (37)
= ai. (27) Hence, by Theorem 5.1 a compatible integral does exist.
Hence, Also, the set D referred to in (32) is
OF
a
D = DoUD = {(0, 0, 0), (0, 1, 1)}. (38)
D a1. (28)
Oxi -
Thus, Oi(x), 1 i . 4, can be constructed as follows:
Similarly, 61(X) = 0, 02(X) X1X2X3, 03(X) = XiX2X3, 04(X)
OF
aF = X1iX2X3 + XilX2X3 (39)
axi
DA3. (29)
The four solutions are
Hence, by Definition 5.2, F is a compatible integral of dH. Ci = x1x2x3 + X1X2X3 ±
+ 6, 1 . i . 4. (40)
Q.E.D. .1

A word regarding the arbitrary function +f(x) in (22) is in order. Also, it can be shown that Cl is the exact integral of dC.
If sets Do and' DI, 4 C Di C B(n), i = 0 and 1, are bases
(Definition 2.2) of functions Jo dH and fC dH, then every distinct
if would give rise to a distinct compatible integral, provided if VI. POTENTIAL FOR FURTHER APPLICATIONS
is based on a subset (not necessarily proper) of D = DoUDI. In fact, The traditional methods of the analysis and the synthesis of logic
if 4, is based on a subset of D, then the factor (fo
dH) that is ANDed
with jf in (22) may be dropped since Do DoUD1 = D. This leads
circuits are based on Boolean algebra and utilize the functional
relationships between the output and input values (or levels). Analy-
to generation of all compatible integrals of the differential expres- sis and design by Boolean calculus focuses on the changes in the
sion as shown in the next theorem which can be proved by obtaining output function in terms of changes in input arguments. The new
a set of Boolean equations from the hypothesis of the theorem and concepts of integration, the ways of integrating a Boolean differ-
solving them [8]. ential, and the necessary and sufficient condition for its compatible
Theorem 5.2: Let integrability open an avenue to new areas of applications. Because
n of the nature of these applications, the specification in terms of the
dH = 3 (aidxi + Pi dxi) (30) changes in the output of a system or a subsystem as a consequence
i=l of the changes in the inputs of the system or the subsystem is more
be a differential expression. If significant and desirable than that in terms of the functional re-
lationship between output and input values. It should be noted here
that clock-triggered flip-flops, synchronous counters, and many
(a) dH * dH = 0 for all x e B(n), (31) other MSI and LSI circuits are sensitive to input transitions. It is
premature to predict long-term utility of Boolean calculus, but the
(b) Do and D, are bases of fo dH and ,l dH, respectively, (c) the potential benefits dictate a need for further investigation [7], [9].
number of distinct points in the set
D = (DoUDI) is m, (32) VII. CONCLUSIONS
(d) Oi(x), 1 < i . 2m, is a function based on a subset of Boolean calculus is a powerful tool for analysis as well as syn-
thesis of logic circuits. The use of Boolean integration in synthesis
D, Oj(x) +9 Oj(x) for all i, j, i *j, I'j 2' , of asynchronous circuits using clock-triggered flip-flops has led to
circuits which require fewer flip-flops and logic gates than circuits
and synthesized using conventional methods [7], thus reducing com-
plexity, cost, and size and improving reliability.
(e) Fi = dH + O6, (33) Earlier methods to realize a function from the specified changes
in its value in terms of changes in its arguments do not possess the
simplicity and the ease of the integration method presented here.
then Fi is a compatible integral of dH. Recognizing the fact that we do have don't-care conditions and/or
Example 5.1: A clock function C (xI, x2, x3) is to be realized transitions in real-life situations, the concept of a compatible inte-
which goes through, at least, the transitions specified in the gral was introduced in order to generalize the concept of the exact
differential expression integral. Moreover, if the exact integral does not exist for a specified
differential but a compatible integral does, then the undesired tran-
dC = (x2x3 + x2x3) dxi + (IX3) dx2 sitions (changes) in the integral may be inhibited using a simple
+ (x1X3) dii + (Xii2) dx3 + (XIX2) dT. (34) logic circuit.
Find C, if it exists. We have
ACKNOWLEDGMENT
dc = X1X2X3 + XiX2X3 + XlX2X3 + X1X2X3 (35) The authors are pleased to gratefully acknowledge the helpful
suggestions offered by Dr. W. G. Batte, Prof. F. G. Gray, and R. D.
and Hofler for the research reported here.
IEEE TRANSACTIONS ON COMPUTRRS, VOL. c-34, NO. 1, JANUARY 1985 81

REFERENCES
[1] J. H. Tucker, "A transition calculus for Boolean functions," Ph.D. dis- I LFSR I n

sertation, Dep. Elec. Eng., Virginia Polytech. Inst. and State Univ.,
Blacksburgh, VA, May 1974.
[2] J. H. Tucker, M. A. Tapia, and A. W. Bennett, "Boolean differentiation
and integration using Karnaugh maps," in Proc. IEEE Southeast Conf.,
Williamsburg, VA, Apr. 1977.
[3] A. Thayse and M. Davio, "Boolean differential calculus and its application
to switching theory," IEEE Trans. Comput., vol. C-22, pp. 409-420,
Apr. 1973.
[4] A. D. Talantsev, "On the analysis and synthesis of certain electrical cir-
cuits by means of special logical operators," Avt. i Telem., vol. 20, no. 7,
pp. 898-907, 1959.
[5] V. G. Lazarev and E. I. Piil, "The simplification of pulse-potential forms,"
Avt. i Telem., vol. 24, no. 2, pp. 271-276, Feb. 1963.
[6] A. Brown and H. Young, "Toward an algebraic theory of the analysis and
testing of digital networks," AAS & ORS Annu. Meet., Denver, CO,
June 17-20, 1969, AAS Paper 69-236.
[7] J. R. Smith, Jr. and C. H. Roth, Jr., "Analysis and synthesis of asyn-
chronous sequential networks using edge-sensitiveflip-flops," IEEE
Trans. Comput., vol. C-20, pp. 847-855, Aug. 1971.
[8] M. A. Tapia and J. H. Tucker, "Complete solution of Boolean equations,"
IEEE Trans. Comput., vol. C-29, pp. 662-665, July 1980.
[9] M. A. Tapia, "Application of Boolean calculus to digital system design,"
in Proc. IEEE Southeast Conf., Nashville, TN, Apr. 14-16, 1980.
Decrypting a Class of Stream Ciphers Using Ciphertext Only
T. SIEGENTHALER
Abstract -Pseudonoise sequences generated by linear feedback shift
registers [1] with some nonlinear combining function have been
proposed [2]-[5] for cryptographic applications as running key generators
in stream ciphers. In this correspondence it will be shown that the number
of trials to break these ciphers can be significantly reduced by using
correlation methods. By comparison of computer simulations and the-
oretical results based on a statistical model, the validity of this analysis is
demonstrated. Rubin [6] has shown that it is computationally feasible to
solve a cipher proposed by Pless [2] in a known plaintext attack, using as
few as 15 characters. Here, the number of ciphertext symbols is deter-
mined to perform a ciphertext-only attack on the Pless cipher using the
correlation attack. Our conclusion from the analysis is that the pseudo-
noise generator's output sequence and the sequences generated by the
linear feedback shift registers should be uncorrelated. This leads to con-
straints for the nonlinear combining function to be used.
Index Terms -Correlation, cryptanalysis, exhaustive trials,
noise generator.
I. INTRODUCTION
In conventional cryptography pseudonoise (pn) generators con-
sisting of s linear feedback shift registers (LFSR's) of length ri
(i = 1, 2, * , s) are used. The combining function f is arbitrary
but known. However, to avoid a cryptanalytic attack by the
Berlekamp-Massey shift register synthesis algorithm [7], [8], only
nonlinear functions can be used (see Fig. 1). These pn-generators
have been proposed as running key generators in stream ciphers (see
Fig. 2). The symbol PD denotes bit-by-bit modulo-2 addition
I L F SRj n
I L FS SR/ Z (nx,**,n
Fig. 1. A class of pn-generators with a nonlinear combining function f.
PLAI NTEXT I PHERTEXT
Fig. 2. Running key generator in a stream cipher.
registers. The initial condition and feedback connection of the
LFSRi are referred to as the LFSRi part of the key. Further, it is
assumed that the feedback connections of all LFSR's of length ri
(i = 1, s) , are primitive [1]
or in other words that all LFSR's
generate a maximal length sequence of period2ri - 1. The number
R of differentprimitive feedback connections for an LFSR can be
determined from its length ri [1]. A lengthri (binary) LFSR has 2ri
different initial states, however, the all zero state which generates
the all zero sequence is not allowed. Therefore, a total of Ri (2ri - 1)
choices for the LFSRi part of the key exist and the total number K
of keys for the pn-generator given in Fig. 1 is
K = Il Ri(2r - 1).
In a brute force attack and a worst case situation all of the K keys
have to be applied which is by definition not feasible for a com-
putationally secure pn-generator. However, a weakness ofcorrelation
the gen-
erators which belong to the class of Fig. 1 may be the
between some of the inputs xi and the output z. Based on
this correlation [11]
it is demonstrated in Section II that the LFSRi
part of the key can be found independent of the LFSRj partsof
(j = 1, s; j*
i) with approximatelyRK 2ri tests. Making use
that for finding the key of the pn-generator, the number of trials can
be significantly reduced from K to approximately
-=E1Ri
i=I2ri
II. STATISTICAL MODEL FOR A CIPHERTEXT-ONLY ATTACK
In this section, a statistical model is used to find the LFSRi part
of the key, i.e., the initial state and feedback connection of the
LFSRi i e {1, * * s}. Further, the number of tests to find the
LFSRi-part of the key is determined as a function of the number of
ciphertext digits used in the correlation attack. Let the inputs
xn, xn,,2 xn of the functionf in Fig. 3 be generated by independent
s

throughout the whole correspondence. We assume that the key and identically distributed (i.i.d) random variables (r.v.) Xn with
of the cryptographic system specifies the initial states and the probability distribution Px such that = 0) = P(Xn
P(X' 1)
=
feedback coefficients of the different (binary) linear feedback shift for all i and n. The function f generates i.i.d. r.v. Zn =
Manuscript received July 11, 1983; revised November 18, 1983. P(Zn
X]2n''nXn
n ) with probability distribution Pz where
= 0) = P(Zn = 1) and
The author is with the Institute for Communication Technology, Federal
Institute of Technology, 8092 Zurich, Switzerland. P(Zn = XP)
= qi. (1)

0018-9340/85/0100-0081$01.00 1985 IEEE