Session 2: Secret key cryptography – stream ciphers – part 1.
Posted 22-Dec-2015. Category: Documents.
Transcript of Session 2: Secret key cryptography – stream ciphers – part 1.
Page 1
Session 2: Secret key cryptography – stream ciphers – part 1
Page 2
The Vernam cipher
Transmitter: Message 00011 01111 01101 ⊕ Running key 11011 00101 01011 = Cryptogram 11000 01010 00110
Receiver: Cryptogram 11000 01010 00110 ⊕ Running key 11011 00101 01011 = Message 00011 01111 01101
The key distribution centre delivers the running key to both the transmitter and the receiver.
Page 3
The Vernam cipher
Advantage: Unconditionally secure.
Disadvantage: Requires one key bit for every plaintext bit.
Because of that, if the required level of security is not the highest one (the red phone line, etc.), a stream cipher can be used instead of the Vernam cipher.
Page 4
The stream cipher procedure
TRANSMITTER: Key → Deterministic algorithm → z_i; y_i = x_i ⊕ z_i
RECEIVER: Key → Deterministic algorithm → z_i; x_i = y_i ⊕ z_i
(x_i: plaintext bit, z_i: running key bit, y_i: cryptogram bit)
Page 5
Stream ciphers
The key is short – much shorter than the length of the plaintext (on average).
The key determines the initial state of a deterministic algorithm.
Based on the initial state, the algorithm generates the running key sequence.
The running key sequence is summed modulo 2 with the bits of the plaintext.
Page 6
Stream ciphers
Vernam cipher (running key) vs. stream cipher (running key):
Length: text | seq.
Used once: YES | YES
Randomness | Pseudorandomness
Running key | Algorithm + key
Page 7
Stream ciphers
Do not satisfy the perfect secrecy conditions (the running key is not random but pseudorandom).
However, stream ciphers possess practical secrecy. The level of security depends on the design.
Advantage: the secret key is short – it is the only piece of information that the transmitter and the receiver must share.
Page 8
The running key:
1. What are general characteristics of these sequences?
2. What generators produce them?
Page 9
Stream ciphers
Enciphering bit after bit
Generation of pseudorandom sequences:
• Long period
• Pseudorandomness properties
• Unpredictability
Key space large enough
Etc.
Page 10
Running keys
The running key sequences generated by pseudorandom sequence generators are ultimately periodic (i.e. they may have an aperiodic prefix).
The period must be at least as long as the length of the plaintext.
In practice, this period is much longer.
Page 11
Running keys
Example:
T = 2^100 − 1 ≈ 1.26·10^30 bits
V_c = 1.2·10^8 bits/sec → 3.33·10^14 years, i.e. 22200 times the age of the universe (1.5·10^10 years), to generate the whole period.
Page 12
Running keys
Distribution of zeros and ones
…… 0100110100111010110010010 ……
• A run of length k – k consecutive equal digits between two different digits.
• Runs of zeros (gaps); runs of ones (blocks).
Page 13
Running keys: Autocorrelation
• A – number of coincidences
• D – number of non-coincidences
• T – period
• k – shift
AC(k) = (A − D) / T
• Autocorrelation in phase: AC(0) = 1
• Autocorrelation out of phase: AC(k) ∈ [−1, 1]
Original seq. 1 0 1 1 0 0 1 0 1 0 0 0 0 1 1 1
Shifted seq.  0 0 1 0 1 0 0 0 0 1 1 1 1 0 1 1 (shift k = 4)
Page 14
Golomb's pseudorandomness postulates
G1: In each period of the considered sequence, the difference between the number of 1s and the number of 0s must not exceed one.
G2: In each period of the considered sequence, half of the total number of observed runs have length 1, one fourth have length 2, one eighth have length 3, etc. For each length, there are the same number of blocks and gaps.
G3: The autocorrelation AC(k) out of phase must be constant for each k.
Page 15
Explanation of Golomb's postulates
G1: The 1s and 0s must appear along the sequence with the same probability.
G2: Different n-grams (samples of n consecutive digits) must occur with the correct probability.
G3: Computing the coincidences between a sequence and its shifted version must not give any information about the period of the sequence.
Page 16
Golomb's postulates
A finite sequence that satisfies the three Golomb postulates is called a PN sequence (pseudo-noise).
Its properties are equal to those of a random sequence with uniform distribution.
Page 17
Unpredictability
Given a part of a sequence of any length, a cryptanalyst cannot predict the next digit with a probability of success greater than 0.5.
A measure of unpredictability: Linear complexity.
Page 18
Basic structures
• Generators based on linear congruences
• Feedback shift registers:
  • Non-linear feedback shift registers (NLFSR)
  • Linear feedback shift registers (LFSR)
Page 19
Linear congruences
The recurrence of the type X_{i+1} = (a·X_i + b) mod m.
The parameters a, b and m can be used as the secret key.
X_0 is the seed that initializes the process. If the parameters a, b and m are chosen in an appropriate way, the numbers X_i are not repeated until they cover the whole segment [0, m−1].
Page 20
Linear congruences
Example: X_{i+1} = (5·X_i + 3) mod 16, X_0 = 1
1, 8, 11, 10, 5, 12, 15, 14, 9, 0, 3, 2, 13, 4, 7, 6, 1, 8, ...
Page 21
Linear congruences
Security of the generator: bad
• Given a sufficiently long portion of the sequence, it is possible to deduce the parameters m, a and b, i.e. the key.
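An added Python illustration (not from the slides) of the generator of page 20: it reproduces the sequence, measures the period, and shows the weakness stated on this slide by recovering a and b from three consecutive outputs once m is known.

```python
def lcg_sequence(a, b, m, x0, count):
    """X_{i+1} = (a*X_i + b) mod m, starting from the seed X_0 = x0."""
    seq, x = [x0], x0
    for _ in range(count - 1):
        x = (a * x + b) % m
        seq.append(x)
    return seq


def lcg_period(a, b, m, x0):
    """Number of steps until the seed reappears; a full-period generator returns m."""
    x, steps = (a * x0 + b) % m, 1
    while x != x0:
        x, steps = (a * x + b) % m, steps + 1
    return steps


def recover_lcg_params(x0, x1, x2, m):
    """Deduce a and b from three consecutive outputs when m is known:
    x2 - x1 = a*(x1 - x0) (mod m), so a = (x2 - x1)*(x1 - x0)^-1 mod m.
    Raises ValueError when x1 - x0 is not invertible modulo m (another
    pair of consecutive differences must then be used)."""
    a = ((x2 - x1) * pow(x1 - x0, -1, m)) % m
    b = (x1 - a * x0) % m
    return a, b


if __name__ == "__main__":
    # Parameters of the slide's example (a = 5, b = 3, m = 16, seed 1).
    seq = lcg_sequence(5, 3, 16, 1, 18)
    print("sequence:", seq)
    print("period:", lcg_period(5, 3, 16, 1))
    print("recovered (a, b) from", seq[:3], "->", recover_lcg_params(*seq[:3], 16))
```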
Page 22
Feedback shift registers
A feedback shift register (FSR) consists of:
• n flip-flops (stages)
• A feedback function, which expresses each new element of the output sequence as a function of the n previous elements.
The contents of the flip-flops are shifted one position at every clock pulse.
Page 23
Feedback shift registers (diagram)
Page 24
Shift registers
The state of the register – the contents of the stages between two clock pulses.
The initial state – the contents of the stages at the moment the process begins.
The state diagram of a FSR is cyclic if the feedback function is non-singular, i.e. it has the form a(t+n) = g(a(t+1), a(t+2), ..., a(t+n−1)) + a(t).
Page 25
Shift registers
The period of the produced sequence depends on the number of stages n of the FSR and the characteristics of the function g.
The maximum possible period is 2^n.
The key – the initial contents of the FSR.
The feedback function can also be kept secret.
Page 26
Shift registers
Example 1: n=3
x1 x2 x3 g
0 0 0 0
0 0 1 0
0 1 0 0
0 1 1 0
1 0 0 0
1 0 1 1
1 1 0 1
1 1 1 0
Page 27
Shift registers
Example 1 (cont.)
• Algebraic normal form of the function g: g(x1, x2, x3) = x1·x2 + x1·x3
Page 28
Feedback shift registers
Example 1 (cont.)
The De Bruijn graph – singular
Page 29
Feedback shift registers
Example 2: n=3
x1 x2 x3 g
0 0 0 0
0 0 1 1
0 1 0 0
0 1 1 1
1 0 0 0
1 0 1 1
1 1 0 1
1 1 1 0
Page 30
Feedback shift registers
Example 2 (cont.)
• Algebraic normal form of the function g: g(x1, x2, x3) = x1·x2 + x3
Page 31
Feedback shift registers
Example 2 (cont.)
The De Bruijn graph – non-singular
Page 32
Problems with NLFSR
A systematic method for their analysis and manipulation does not exist – the mathematical theory is not well developed.
It is possible to obtain sequences whose period is 2^n – De Bruijn sequences.
However, the De Bruijn sequences do not satisfy Golomb's G3 postulate.
Page 33
LFSR
The most important devices for the generation of pseudorandom sequences.
Their feedback function is a linear recurrence – they produce linear recurrent sequences of order n:
a(t+n) = c1·a(t+n−1) + c2·a(t+n−2) + ... + cn·a(t), with ci ∈ {0, 1}, i = 1, ..., n.
Page 34
LFSR
To avoid the null sequence, the initial state must be different from the all-zero state.
The largest number of different states is 2^n − 1.
It is possible to associate a characteristic polynomial to every linear recurrence:
f(x) = 1 + c1·x + c2·x^2 + ... + cn·x^n
Page 35
LFSR
Example: A LFSR of length 4.
Feedback polynomial: f(x) = 1 + x + x^4
Linear recurrence: a(t+4) = a(t+3) + a(t)
Initial state: 1 0 0 0
States (one per clock pulse):
1 0 0 0
1 1 0 0
1 1 1 0
1 1 1 1
0 1 1 1
1 0 1 1
0 1 0 1
1 0 1 0
Generated sequence: 1 1 1 0 1 0 1 ……
Page 36
LFSR
The characteristics of the output sequence of the LFSR depend on the characteristics of the feedback polynomial.
The feedback polynomial can be:
• reducible
• irreducible
• primitive
Page 37
LFSR
The fundamental theorem of arithmetic:
• Every positive integer can be represented in a unique way as a product of prime factors.
Analogue in a Galois field (GF):
• Every polynomial over a GF can be represented in a unique way as a product of irreducible factors.
Page 38
LFSR
An irreducible polynomial has no factors except 1 and itself.
Theorem:
• The polynomial x^(p^(mk)) − x over the field GF(p^m) has as factors all the irreducible polynomials whose degree divides k.
Page 39
LFSR
Thus, if a polynomial f(x) of degree n over GF(p^m) has no common factors with (x^(p^(mk)) − x) mod f(x) for k = 1, ..., ⌊n/2⌋, then it is irreducible.
Page 40
LFSR
Example in GF(2):
x^(2^2) − x = x^4 + x = x·(x + 1)·(x^2 + x + 1)
Page 41
LFSR
Euclidean algorithm
• For determining the G.C.D. of two integers.
• The same algorithm can be used to determine the G.C.D. of two polynomials.
• The divisor from the previous step of the algorithm is iteratively divided by the remainder from the previous step until the remainder is 0.
• The G.C.D. is the remainder obtained in the penultimate step of the algorithm.
Page 42
LFSR
Example – integers
• Find (18, 12)
18 = 1·12 + 6
12 = 2·6 + 0
(18, 12) = 6
Page 43
LFSR
Example – polynomials in GF(2)
• Find (x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x)
x^5 + x^4 + x^2 + x = x·(x^4 + x^3 + x^2 + x) + (x^3 + x)
x^4 + x^3 + x^2 + x = (x + 1)·(x^3 + x) + 0
(x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x) = x^3 + x
Page 44
LFSR
Example – Determine if the polynomial f(x) = x^4 + x^2 + 1 is irreducible.
k = 1: (x^2 + x) mod f(x) = x^2 + x; (f(x), x^2 + x) = 1
k = 2: (x^4 + x) mod f(x) = x^2 + x + 1; (f(x), x^2 + x + 1) = x^2 + x + 1 ≠ 1
Then, the given polynomial is not irreducible.
Page 45
LFSR
Example – Determine if the polynomial f(x) = x^4 + x + 1 is irreducible (n = 4, so k = 1, 2).
k = 1: (x^2 + x) mod f(x) = x^2 + x; (f(x), x^2 + x) = 1
k = 2: (x^4 + x) mod f(x) = 1; (f(x), 1) = 1
Then, the given polynomial is irreducible.
Page 46
LFSR
A primitive polynomial of degree n over GF(p^m):
• is irreducible
• does not divide x^k − 1 for k = 1, ..., p^(mn) − 2
Example:
• The polynomial f(x) = x^4 + x + 1 of degree 4 over GF(2) is irreducible and does not divide any of the polynomials x − 1, x^2 − 1, ..., x^14 − 1. Because of that, it is primitive.
Page 47
LFSR
The reciprocal polynomial of the polynomial f(x) of degree n: f*(x) = x^n · f(1/x).
If f(x) is primitive, f*(x) is also primitive.
Page 48
LFSR
Example: f(x) = x^4 + x + 1 is primitive.
f*(x) = x^4 · (1 + 1/x + 1/x^4) = x^4 + x^3 + 1 is also primitive.
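An added Python example (not part of the slides) implementing the tools of pages 38–48 over GF(2), with polynomials stored as bit masks (bit i = coefficient of x^i): the Euclidean G.C.D., the irreducibility test through gcd(f, x^(2^k) − x), the primitivity test, and the reciprocal polynomial. The polynomials used are the slides' own.

```python
def deg(p):
    """Degree of a GF(2)[x] polynomial stored as an int; deg(0) = -1."""
    return p.bit_length() - 1


def poly_mod(a, b):
    """Remainder of a divided by b in GF(2)[x]; addition and subtraction are XOR."""
    while b and deg(a) >= deg(b):
        a ^= b << (deg(a) - deg(b))
    return a


def poly_gcd(a, b):
    """Euclidean algorithm: divide the previous divisor by the previous remainder
    until the remainder is 0; the G.C.D. is the last non-zero remainder."""
    while b:
        a, b = b, poly_mod(a, b)
    return a


def poly_mulmod(a, b, f):
    """a * b mod f in GF(2)[x] by shift-and-add, reducing at every shift."""
    a, result = poly_mod(a, f), 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if deg(a) == deg(f):
            a ^= f
    return result


X = 0b10  # the polynomial x


def is_irreducible(f):
    """f of degree n is irreducible iff gcd(f, (x^(2^k) - x) mod f) = 1 for
    k = 1..n/2, since x^(2^k) - x is the product of all irreducibles of degree dividing k."""
    n = deg(f)
    if n < 1:
        return False
    t = poly_mod(X, f)                 # t = x^(2^0) mod f
    for _ in range(n // 2):
        t = poly_mulmod(t, t, f)       # t = x^(2^k) mod f
        if poly_gcd(f, t ^ X) != 1:    # common factor with x^(2^k) - x
            return False
    return True


def is_primitive(f):
    """Irreducible and not dividing x^k - 1 for k = 1..2^n - 2, i.e. the order
    of x modulo f is exactly 2^n - 1 (the period of the corresponding LFSR)."""
    if not is_irreducible(f):
        return False
    n, t = deg(f), poly_mod(X, f)
    for _ in range(2 ** n - 2):        # t runs through x^1, ..., x^(2^n - 2)
        if t == 1:
            return False               # f divides x^k - 1 for this k
        t = poly_mulmod(t, X, f)
    return True


def reciprocal(f):
    """f*(x) = x^n f(1/x): reverse the coefficient vector of f."""
    return int(bin(f)[2:][::-1], 2)


if __name__ == "__main__":
    print("gcd example (x^3 + x):", bin(poly_gcd(0b110110, 0b11110)))
    print("x^4 + x^2 + 1 irreducible:", is_irreducible(0b10101))
    print("x^4 + x + 1 irreducible, primitive:", is_irreducible(0b10011), is_primitive(0b10011))
    print("x^4 + x^3 + x^2 + x + 1 irreducible, primitive:", is_irreducible(0b11111), is_primitive(0b11111))
    print("reciprocal of x^4 + x + 1 (x^4 + x^3 + 1):", bin(reciprocal(0b10011)))
```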
Page 49
Period of the LFSR (reducible)
x^4 + x^2 + 1 = (x^2 + x + 1)·(x^2 + x + 1)
State cycles:
0000 (period 1)
0110 1011 1101 (period 3)
0001 1000 0100 1010 0101 0010 (period 6)
0011 1001 1100 1110 1111 0111 (period 6)
Page 50
Generators with reducible feedback polynomials
The length of the output sequence depends on the initial state.
The period T satisfies T ≤ 2^L − 1, with the possibility of secondary periods whose length divides the period T.
Not adequate for use in cryptography.
Page 51
Period of the LFSR (irreducible)
State cycles:
0000 (period 1)
0001 1000 1100 0110 0011 (period 5)
0010 1001 0100 1010 0101 (period 5)
1111 0111 1011 1101 1110 (period 5)
Page 52
Generators with irreducible feedback polynomial
The length of the output sequence does not depend on the initial state.
The period T is a factor of 2^L − 1.
Not adequate for use in cryptography.
Page 53
Period of the LFSR (primitive)
State cycles:
0000 (period 1)
1000 1100 1110 1111 0111 1011 0101 1010 1101 0110 0011 1001 0100 0010 0001 (period 15)
PN-sequence (m-sequence): 111010110010001 …..
The maximum possible period for this type of generator.
Page 54
Generators with primitive feedback polynomial
The length of the sequence does not depend on the initial state.
The period is T = 2^L − 1.
Adequate for use in cryptography, because the output sequence satisfies all of Golomb's postulates.
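An added Python example (not from the slides) that simulates feedback shift registers generically: the two 3-stage NLFSRs of pages 26–31 (checking which feedback is singular) and the length-4 LFSRs of pages 35 and 49–54, reproducing the state table, the output 1110101 and the cycle structures 1+3+6+6, 1+5+5+5 and 1+15. States are written newest bit first, as in the slides' tables.

```python
from itertools import product


def lfsr_feedback(coeffs):
    """Feedback function of the LFSR with feedback polynomial 1 + c1 x + ... + cn x^n,
    i.e. a(t+n) = c1 a(t+n-1) + ... + cn a(t) (mod 2); coeffs = [c1, ..., cn].
    A state is the tuple (a(t+n-1), ..., a(t)), newest bit first."""
    def g(state):
        return sum(c & s for c, s in zip(coeffs, state)) & 1
    return g


def step(state, g):
    """One clock pulse: the new bit g(state) enters on the left, the oldest bit leaves."""
    return (g(state),) + state[:-1]


def output_sequence(state, g, length):
    """The bits produced by the feedback function, clock pulse after clock pulse."""
    out = []
    for _ in range(length):
        state = step(state, g)
        out.append(state[0])
    return out


def is_singular(n, g):
    """The state diagram of an n-stage FSR is cyclic iff the next-state map is a
    bijection (every state has exactly one predecessor); otherwise g is singular."""
    successors = {s: step(s, g) for s in product((0, 1), repeat=n)}
    return len(set(successors.values())) != 2 ** n


def state_cycles(n, g):
    """Lengths of all cycles of the state diagram, i.e. the periods the register
    can produce, found by walking from every state (tails are skipped)."""
    seen, cycles = set(), []
    for start in product((0, 1), repeat=n):
        path, s = [], start
        while s not in seen and s not in path:
            path.append(s)
            s = step(s, g)
        if s in path:                          # closed a cycle nobody had counted yet
            cycles.append(len(path) - path.index(s))
        seen.update(path)
    return sorted(cycles)


# Pages 26-31: the two 3-stage NLFSRs, from their algebraic normal forms.
# The state is (x1, x2, x3); x1 is the newest stage and x3 the one shifted out.
def g_example1(x):
    return (x[0] & x[1]) ^ (x[0] & x[2])       # g = x1 x2 + x1 x3 (singular)


def g_example2(x):
    return (x[0] & x[1]) ^ x[2]                # g = x1 x2 + x3 (non-singular)


# Pages 35 and 49-54: length-4 LFSRs with reducible, irreducible and primitive polynomials.
REDUCIBLE = [0, 1, 0, 1]     # 1 + x^2 + x^4 = (x^2 + x + 1)^2
IRREDUCIBLE = [1, 1, 1, 1]   # 1 + x + x^2 + x^3 + x^4, irreducible but not primitive
PRIMITIVE = [1, 0, 0, 1]     # 1 + x + x^4, primitive

if __name__ == "__main__":
    print("example 1 singular:", is_singular(3, g_example1))
    print("example 2 singular:", is_singular(3, g_example2), "cycles:", state_cycles(3, g_example2))
    for name, c in (("reducible", REDUCIBLE), ("irreducible", IRREDUCIBLE), ("primitive", PRIMITIVE)):
        print(name, "state cycles:", state_cycles(4, lfsr_feedback(c)))
    print("1 + x + x^4 from 1000:", output_sequence((1, 0, 0, 0), lfsr_feedback(PRIMITIVE), 7))
```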
Page 55
How many primitive polynomials of degree L are there? No. = φ(2^L − 1) / L
L = 11: No. = 176
L = 24: No. = 276480
But not all of them are good. It is not recommended to use polynomials with very concentrated coefficients; there are attacks against LFSRs with that property.
The period of the sequence must have the smallest possible number of prime factors, and these prime factors must be as large as possible.
Page 56
Mersenne primes
• Those are prime numbers of the form 2^L − 1.
• Example: 2^61 − 1 = 2305843009213693951 is a Mersenne prime.
• Example: 2^63 − 1 = 7^2 · 73 · 127 · 337 · 92737 · 649657 is not a Mersenne prime. It is not recommended for LFSRs.
• Thus, the best strategy is to use LFSRs with a primitive polynomial of degree L such that 2^L − 1 is a Mersenne prime.
• The numbers 2^61 − 1, 2^89 − 1, 2^107 − 1, 2^127 − 1, etc. are Mersenne primes.
Page 57
PN-sequences and Golomb's postulates
G1: T = 2^L − 1; No. of 0's = 2^(L−1) − 1; No. of 1's = 2^(L−1).
G2: Runs in one period:
Length | Gaps | Blocks
1 | 2^(L−3) | 2^(L−3)
2 | 2^(L−4) | 2^(L−4)
: | : | :
r | 2^(L−2−r) | 2^(L−2−r)
: | : | :
L−2 | 1 | 1
L−1 | 1 | 0
L | 0 | 1
Total | 2^(L−2) | 2^(L−2)
Page 58
PN-sequences and Golomb's postulates
G3:
Original seq. 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0
Shift k = 1:  0 0 0 1 1 1 1 0 1 0 1 1 0 0 1
Sum mod 2:    1 0 0 1 0 0 0 1 1 1 1 0 1 0 1
AC(1) = (7 − 8) / 15 = −1/15
Original seq. 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0
Shift k = 2:  0 0 1 1 1 1 0 1 0 1 1 0 0 1 0
Sum mod 2:    1 0 1 1 0 0 1 0 0 0 1 1 1 1 0
AC(2) = (7 − 8) / 15 = −1/15
PN-sequences satisfy Golomb's postulates.
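An added Python example (not from the slides) that evaluates the three postulates of pages 12–14 and 57–58 on one period: cyclic run counting, the autocorrelation AC(k) = (A − D)/T, and the G2 run table of page 57. It is run on the PN-sequence of this slide, on the shift example of page 13, and on the 31-bit "random" sequence of page 60, which fails G2.

```python
from collections import Counter
from fractions import Fraction


def bits(s):
    """Parse a period written as a string of 0s and 1s into a list of ints."""
    return [int(ch) for ch in s if ch in "01"]


def autocorrelation(period, k):
    """AC(k) = (A - D) / T for a cyclic shift by k: A coincidences, D non-coincidences."""
    T = len(period)
    A = sum(period[i] == period[(i + k) % T] for i in range(T))
    return Fraction(A - (T - A), T)


def runs(period):
    """Count gaps (runs of 0s) and blocks (runs of 1s) of each length in one period,
    treating the period cyclically so that no run is split at the wrap-around."""
    T = len(period)
    start = next((i for i in range(T) if period[i] != period[i - 1]), 0)
    seq = period[start:] + period[:start]
    counts, i = Counter(), 0
    while i < T:
        j = i
        while j < T and seq[j] == seq[i]:
            j += 1
        counts[("block" if seq[i] else "gap", j - i)] += 1
        i = j
    return counts


def golomb_postulates(period):
    """Return (G1, G2, G3) for a period of length T = 2^L - 1: balance of 0s and 1s,
    the run table of page 57, and a constant out-of-phase autocorrelation."""
    T = len(period)
    L = (T + 1).bit_length() - 1
    ones = sum(period)
    g1 = abs(ones - (T - ones)) <= 1
    expected = Counter()
    for length in range(1, L - 1):           # 2^(L-2-r) gaps and blocks of length r <= L-2
        expected[("gap", length)] = expected[("block", length)] = 2 ** (L - 2 - length)
    expected[("gap", L - 1)] = 1             # exactly one gap of length L-1
    expected[("block", L)] = 1               # exactly one block of length L
    g2 = T == 2 ** L - 1 and runs(period) == expected
    g3 = len({autocorrelation(period, k) for k in range(1, T)}) == 1
    return g1, g2, g3


# Constructed inputs copied from the slides: the PN-sequence of page 58 (L = 4),
# the 16-bit shift example of page 13 and the 31-bit "random" sequence of page 60.
PN15 = bits("100011110101100")
SHIFT16 = bits("1011001010000111")
RANDOM31 = bits("1000111101000011011110100010100")

if __name__ == "__main__":
    print("page 58: AC(1), AC(2) =", autocorrelation(PN15, 1), autocorrelation(PN15, 2))
    print("page 13: AC(4) =", autocorrelation(SHIFT16, 4))
    print("runs of PN15:", dict(runs(PN15)))
    print("PN15 (G1, G2, G3):", golomb_postulates(PN15))
    print("RANDOM31 (G1, G2, G3):", golomb_postulates(RANDOM31))
```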
Page 59
Linear complexity (unpredictability)
The concept of sequence complexity: the quantity of sequence symbols necessary to determine the rest of it.
General idea: Associate a LFSR to every sequence.
Linear complexity = the length of the smallest LFSR capable of generating the given sequence.
Berlekamp-Massey algorithm (1969)
• Input: the considered binary sequence
• Output: P(x), L and the initial contents
Page 60
Linear complexity
Sequence 1: seq. generated by a LFSR (primitive pol.)
Length = 2^127 − 1 ≈ 10^38 bits
P(x), L = 127, 2L = 254 bits
VERY PREDICTABLE
Sequence 2: random
1000111101000011011110100010100
Length = 31 bits
P(x), L = 15, 2L = 30 bits
VERY UNPREDICTABLE
Page 61
Linear complexity
Example: f(x) = x^4 + x + 1. The output sequence: 1110…. The initial state: a0, a1, a2, a3.
The output bits: y0 = 1, y1 = 1, y2 = 1, y3 = 0. The equations:
y0 = a3 + a0
y1 = y0 + a1
y2 = y1 + a2
y3 = y2 + a3
Linear system – easy to solve!
    a3 a2 a1 a0
y0:  1  0  0  1
y1:  1  0  1  1
y2:  1  1  1  1
y3:  0  1  1  1
Page 62
Linear complexity
A random sequence of length 2L has expected linear complexity L.
When a random sequence of length L is repeated periodically, the value of its linear complexity approaches the length of its period.
Page 63
The Berlekamp-Massey algorithm
Input to one step: n digits of a sequence. Determines the characteristics of the minimum LFSR capable of generating them.
If the digit n+1 of the sequence can be generated by the current LFSR, the length of the current LFSR is preserved.
Otherwise, a longer LFSR is needed, capable of generating the n+1 digits.
Etc.
Page 64
The Berlekamp-Massey algorithm
Theorem 1
• If <C(D), L> generates the prefix s^n of the intercepted sequence, but does not generate s^(n+1), then LC(s^(n+1)) ≥ n + 1 − L.
• Example (L = 2):
0 1 1
1 0 1
1 1 0
0 1 1
1 0 1
1 1 0
0 1 1
Generates 110110, but does not generate 1101100 (the last digit is the discrepancy).
LC(1101100) ≥ 6 + 1 − 2 = 5
Page 65
The Berlekamp-Massey algorithm
Theorem 2
• If <C(D), L> generates s^n but does not generate s^(n+1) (discrepancy δ_n ≠ 0), and <C*(D), L*> generates s^m but does not generate s^(m+1) (discrepancy δ_m ≠ 0), where 0 ≤ m < n, then
<C(D) − (δ_n / δ_m) · D^(n−m) · C*(D), max(L, L* + n − m)> generates s^(n+1).
Page 66
The Berlekamp-Massey algorithm
Theorem 3
• If <C(D), L> with L = LC(s^n) generates s^n but does not generate s^(n+1), then
LC(s^(n+1)) = max(LC(s^n), n + 1 − LC(s^n)).
Page 67
(Diagram of the length update: δ = δ_n, δ* = δ_m, X = n − m.)
Page 68
The Berlekamp-Massey algorithm
Example
N = 7, GF(2), s0, …, s6 = 1, 1, 0, 1, 0, 0, 1
Solution
C(D) = 1 + D + D^3, L = 3
Register contents | output bit
0 1 1 | 1
1 0 1 | 1
0 1 0 | 0
0 0 1 | 1
1 0 0 | 0
1 1 0 | 0
1 1 1 | 1
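An added Python implementation (not the slides' code) of the Berlekamp-Massey algorithm over GF(2) following Theorems 1–3 of pages 64–66: it returns C(D) and L for the example above, for the sequence 1101100 of page 64, and for the PN-sequence of page 58, and then continues a sequence with the recovered recurrence.

```python
def berlekamp_massey(s):
    """Linear complexity of a binary sequence s (list of 0/1).
    Returns the connection polynomial C(D) = 1 + c1 D + ... + cL D^L as the
    coefficient list [1, c1, ..., cL] and the length L of the shortest LFSR."""
    C, B = [1], [1]          # current C(D) and the C*(D) saved at the last length change
    L, m = 0, -1             # current length and the step n at which it last grew
    for n, sn in enumerate(s):
        # discrepancy: does the current LFSR predict s[n] from the previous L bits?
        d = sn
        for i in range(1, L + 1):
            d ^= C[i] & s[n - i]
        if d == 0:
            continue                          # <C(D), L> still generates s^(n+1)
        T = C[:]
        shift = n - m                         # Theorem 2: C(D) <- C(D) + D^(n-m) C*(D)
        C = C + [0] * max(0, len(B) + shift - len(C))
        for i, b in enumerate(B):
            C[i + shift] ^= b
        if 2 * L <= n:                        # Theorems 1 and 3: length grows to n + 1 - L
            L, B, m = n + 1 - L, T, n
            C += [0] * (L + 1 - len(C))
    return C[:L + 1], L


def lfsr_extend(C, L, s, count):
    """Continue s with the recurrence s_j = c1 s_{j-1} + ... + cL s_{j-L} (mod 2)."""
    s = list(s)
    for _ in range(count):
        s.append(sum(C[i] & s[-i] for i in range(1, L + 1)) & 1)
    return s[len(s) - count:]


def poly_str(C):
    """Render [1, c1, ..., cL] as '1 + D + D^3'."""
    terms = ["1"] + [("D" if i == 1 else f"D^{i}") for i, c in enumerate(C) if i and c]
    return " + ".join(terms)


# Constructed inputs copied from the slides: the example of page 68, the sequence
# of page 64 (Theorem 1 gives LC >= 6 + 1 - 2 = 5) and the PN-sequence of page 58.
if __name__ == "__main__":
    for text in ("1101001", "1101100", "100011110101100"):
        s = [int(ch) for ch in text]
        C, L = berlekamp_massey(s)
        print(f"{text}: C(D) = {poly_str(C)}, L = {L}, next bits = {lfsr_extend(C, L, s, 3)}")
```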