binary one-time pad and linear feedback shift...

Post on 04-Mar-2018


Binary One-time Pad and Linear Feedback Shift Registers

1

Bob and Alice want to communicate in binary securely using the same basic idea as a letter-based one-time pad. Eve is listening...

1101011110111... 10111010111...

2

Setup: Alice and Bob agree on a common stream of bits k_0, k_1, k_2, . . .

Encipherment: To prepare binary plaintext x_0, x_1, x_2, . . ., Alice calculates ciphertext y_0, y_1, y_2, . . . by

y_i = (x_i + k_i) MOD 2, i = 0, 1, 2, . . .

Decipherment: To decipher received ciphertext y_0, y_1, y_2, . . ., Bob calculates plaintext x_0, x_1, x_2, . . . by

x_i = (y_i + k_i) MOD 2, i = 0, 1, 2, . . .

This works because a + b ≡ a − b (mod 2) for all a and b (in particular, for a and b equal to 0 or 1).

3

Example

With the key 11011101 11111011 10010011 01110000

encipher: P L A N

4

Solution

ASCII for the plaintext: 80, 76, 65, 78

binary plain: 01010000 01001100 01000001 01001110
key:          11011101 11111011 10010011 01110000
cipher:       10001101 10110111 11010010 00111110

ASCII ciphertext: 141, 183, 210, 62

5

Example Decipher

10010101 10111110 11011111 00100000

which was enciphered with the key

11011101 11111011 10010011 01110000

and interpret result as four ASCII values

6

Solution Add bits modulo 2:

cipher  10010101 10111110 11011111 00100000
key     11011101 11111011 10010011 01110000
plain   01001000 01000101 01001100 01010000
decoded H        E        L        P

11

A true binary one-time pad was proved unbreakable in Claude E. Shannon (1916-2001), Communication Theory of Secrecy Systems, Bell System Technical Journal, 1949.

Source: www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Shannon.html

12

Feedback Shift Registers

Feedback shift registers are circuits or programs that simulate random streams of 0’s and 1’s. Output from these passes some standard tests for randomness.

13

Motivational illustration: Four neighbors have established a pattern by which they leave their porch lights on at night:

Anne does what Barbara did the night before

Barbara does what Cathy did the night before

Cathy does what Denise did the night before

Denise leaves her light on if either Anne or Barbara (but not both) left theirs on the night before; otherwise she leaves it off

14

On a particular night, Denise’s light was on, Cathy’s off, Barbara’s off, and Anne’s off. Determine Anne’s pattern of porch lighting on successive nights.

15

Denise, Cathy, Barbara, and Anne’s porch-lighting scheme

A′ ← B

B′ ← C

C′ ← D

D′ ← (B + A) MOD 2

[Diagram: shift register with cells D, C, B, A and a "+" node]

with initial assignments

D = 1 C = 0 B = 0 A = 0

16

t   D C B A
0   1 0 0 0
1   0 1 0 0
2   0 0 1 0
3   1 0 0 1
4   1 1 0 0
5   0 1 1 0
6   1 0 1 1
7   0 1 0 1
8   1 0 1 0
9   1 1 0 1
10  1 1 1 0
11  1 1 1 1
12  0 1 1 1
13  0 0 1 1
14  0 0 0 1
15  1 0 0 0
16  0 1 0 0
17  0 0 1 0
18  1 0 0 1
19  1 1 0 0
20  0 1 1 0
21  1 0 1 1
22  0 1 0 1
23  1 0 1 0
24  1 1 0 1

17

The “random” pattern in column A begins repeating at t = 15.

18

Generic linear feedback shift register (LFSR)

b′_1 ← b_2

b′_2 ← b_3

. . .

b′_{n−1} ← b_n

b′_n ← (c_n b_n + c_{n−1} b_{n−1} + · · · + c_2 b_2 + c_1 b_1) MOD 2,

where

19

• b_n, b_{n−1}, . . ., b_2, b_1 are variables taking value 0 or 1,

• c_n, c_{n−1}, . . ., c_2, c_1 are coefficients (constants, either 0 or 1) chosen in advance,

• prime (′) indicates the updated value of the variable.

20

Example

b′_1 ← b_2

b′_2 ← b_3

b′_3 ← b_4

b′_4 ← b_5

b′_5 ← (0 · b_5 + 1 · b_4 + 0 · b_3 + 1 · b_2 + 1 · b_1) MOD 2

[Diagram: shift register with cells b_5, b_4, b_3, b_2, b_1 and a "+" node, labeled c_1 = 1, c_2 = 1, c_4 = 1]

Initial values

b_5 = 1 b_4 = 0 b_3 = 1 b_2 = 0 b_1 = 0

21

Internal States of LFSR

b_5 b_4 b_3 b_2 b_1
 1   0   1   0   0
 0   1   0   1   0
 0   0   1   0   1
 1   0   0   1   0
 1   1   0   0   1
 0   1   1   0   0
 1   0   1   1   0
 1   1   0   1   1
 1   1   1   0   1
 0   1   1   1   0
 0   0   1   1   1
 0   0   0   1   1
 0   0   0   0   1
 1   0   0   0   0
 0   1   0   0   0
 1   0   1   0   0
 0   1   0   1   0

22

Output (sequence from b_1):

001010011011100 0010100110111000 . . .

This can be used as a key in a binary one-time pad.
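The generic LFSR above and its use as a binary one-time pad key, as an added Python example that is not part of the original slides. The function names are this example's own, coefficients are passed as [c_1, ..., c_n] and the state as [b_1, ..., b_n], and the message in the demo is a constructed sample.

```python
def step(coeffs, state):
    """One clock tick: b'_j = b_(j+1) for j < n, b'_n = (sum of c_j * b_j) MOD 2."""
    feedback = sum(c & b for c, b in zip(coeffs, state)) % 2
    return state[1:] + [feedback]


def lfsr_stream(coeffs, state, nbits):
    """Return nbits output bits, read from b_1 before each tick.

    coeffs = [c_1, ..., c_n] and state = [b_1, ..., b_n], in that order.
    """
    state, out = list(state), []
    for _ in range(nbits):
        out.append(state[0])
        state = step(coeffs, state)
    return out


def period(coeffs, state):
    """Ticks until the register is back in its starting state (None if never)."""
    start = cur = list(state)
    for ticks in range(1, 2 ** len(start) + 1):
        cur = step(coeffs, cur)
        if cur == start:
            return ticks
    return None


def bits(text):
    """Parse a string such as '1101 0110' into a list of ints, ignoring spaces."""
    return [int(ch) for ch in text if ch in "01"]


def pad(data, keybits):
    """Binary one-time pad on bytes: XOR every data bit with its key bit.

    The same call enciphers and deciphers, because (x + k + k) MOD 2 = x.
    """
    if len(keybits) < 8 * len(data):
        raise ValueError("key stream is shorter than the message")
    key = [int("".join(map(str, keybits[8 * j:8 * j + 8])), 2) for j in range(len(data))]
    return bytes(d ^ k for d, k in zip(data, key))


if __name__ == "__main__":
    taps, start = [1, 1, 0, 1, 0], [0, 0, 1, 0, 1]   # 5-bit example: c_1..c_5, b_1..b_5
    stream = lfsr_stream(taps, start, 32)
    print("".join(map(str, stream)), "period", period(taps, start))
    cipher = pad(b"HELP", stream)                    # constructed sample message
    print(list(cipher), pad(cipher, stream))
```

The 5-bit register returns to its starting state after 15 ticks, so a 32-bit message already reuses key bits, which a true one-time pad never does.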

23

Feedback Shift Registers in Spreadsheet

[Spreadsheet figure with two panels, "Linear feedback shift register" and "Nonlinear feedback shift register", each listing successive register states row by row. Cell formulas shown in the figure: =B3, =C3, =D3, =E3, =MOD(B3+C3+E3,2) and =MOD(R3+T3*V3,2)]

24

Cryptanalysis of LFSR

Example Suppose 1 1 0 1 0 1 1 0 is the output of a 4-bit LFSR.

What is the formula for the LFSR?

25

Solution We can complete part of the “state table” and then

fill backward:

b_4 b_3 b_2 b_1
 1   0   1   1
[0]  1   0   1
[1]  0   1   0
[1]  1   0   1
[0]  1   1   0
     0   1   1
         0   1
             0

(boxed values are shown in brackets)

26

The LFSR has the form

b′_4 ← (c_4 b_4 + c_3 b_3 + c_2 b_2 + c_1 b_1) MOD 2,

where the c’s are unknown. The boxed values are produced when b’s from the line above are substituted. This gives four congruences in the four unknowns c_1, c_2, c_3, and c_4:

27

c_4 · 1 + c_3 · 0 + c_2 · 1 + c_1 · 1 ≡ 0 (1)

c_4 · 0 + c_3 · 1 + c_2 · 0 + c_1 · 1 ≡ 1 (2)

c_4 · 1 + c_3 · 0 + c_2 · 1 + c_1 · 0 ≡ 1 (3)

c_4 · 1 + c_3 · 1 + c_2 · 0 + c_1 · 1 ≡ 0 (4)

These simplify to

c_4 + c_2 + c_1 ≡ 0 (5)

c_3 + c_1 ≡ 1 (6)

c_4 + c_2 ≡ 1 (7)

c_4 + c_3 + c_1 ≡ 0 (8)

28

Add (5) and (7) to get

c_1 ≡ 1

Substitute this into (6) to get

c_3 ≡ 0.

Substitute these into (8) to get

c_4 ≡ 1.

Substitute c_4 into (7) to get

c_2 ≡ 0.

29

Thus the LFSR is

b′_4 ← (1 · b_4 + 0 · b_3 + 0 · b_2 + 1 · b_1) MOD 2

or

b′_4 ← (b_4 + b_1) MOD 2
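The hand solution above, generalized to an n-bit register by Gaussian elimination modulo 2, as an added Python example that is not part of the original slides. Function names are this example's own; it shows why LFSR output fails as a one-time pad key, since 2n known output bits fix every coefficient and therefore every later key bit.

```python
def solve_gf2(rows, rhs):
    """Solve rows * c = rhs modulo 2 by Gauss-Jordan elimination.

    Returns the unique solution as a list of bits, or None if there is none.
    """
    n = len(rows)
    aug = [list(r) + [v] for r, v in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None                      # singular: these bits do not fix the taps
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def recover_coeffs(output, n):
    """Recover [c_1, ..., c_n] from at least 2n consecutive output bits.

    At time t the state is (b_1..b_n) = output[t:t+n] and the new b_n is
    output[t+n], which gives one congruence per t, as in (1)-(4) above.
    """
    if len(output) < 2 * n:
        raise ValueError("need at least 2n output bits")
    rows = [output[t:t + n] for t in range(n)]
    rhs = [output[t + n] for t in range(n)]
    return solve_gf2(rows, rhs)


def predict(output, coeffs, extra):
    """Extend a known output run by `extra` bits using the recovered formula."""
    seq, n = list(output), len(coeffs)
    for _ in range(extra):
        seq.append(sum(c & b for c, b in zip(coeffs, seq[-n:])) % 2)
    return seq[len(output):]


if __name__ == "__main__":
    seen = [1, 1, 0, 1, 0, 1, 1, 0]          # output from the 4-bit example above
    c = recover_coeffs(seen, 4)
    print("c_1..c_4 =", c)
    print("next key bits:", predict(seen, c, 8))
```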

30
