Binary One-time Pad and
Linear Feedback Shift Registers
1
Bob and Alice want to communicate in binary securely using the
same basic idea as a letter-based one-time pad. Eve is listening...
1101011110111... 10111010111...
2
Setup: Alice and Bob agree on a common stream of bits k0, k1,
k2, . . .
Encipherment: To prepare binary plaintext x0, x1, x2, . . ., Alice
calculates ciphertext y0, y1, y2, . . . by
yi = (xi + ki) MOD 2, i = 0,1,2, . . .
Decipherment: To decipher received ciphertext y0, y1, y2, . . .,
Bob calculates plaintext x0, x1, x2, . . . by
xi = (yi + ki) MOD 2, i = 0,1,2, . . .
This works because a + b ≡ a − b (mod 2) for all a and b (in
particular, for a and b equaling 0 and 1).
3
Example
With the key 11011101 11111011 10010011 01110000
encipher: P L A N
4
Solution
ASCII for the plaintext: 80, 76, 65, 78
binary plain: 01010000 01001100 01000001 01001110
key:          11011101 11111011 10010011 01110000
cipher:       10001101 10110111 11010010 00111110
ASCII ciphertext: 141, 183, 210, 62
5
Example Decipher
10010101 10111110 11011111 00100000
which was enciphered with the key
11011101 11111011 10010011 01110000
and interpret result as four ASCII values
6
Solution Add bits modulo 2:
cipher  10010101 10111110 11011111 00100000
key     11011101 11111011 10010011 01110000
plain   01001000 01000101 01001100 01010000
decoded H        E        L        P
11
A true binary one-time pad was proved unbreakable in Claude E. Shannon (1916-2001), Communication Theory of Secrecy Systems, Bell System Technical Journal, 1949.
Source: www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Shannon.html
12
Feedback Shift Registers
Feedback shift registers are circuits or programs that simulate
random streams of 0’s and 1’s. Output from these passes some
standard tests for randomness.
13
Motivational illustration: Four neighbors have established a pattern by which they leave their porch lights on at night:
Anne does what Barbara did the night before
Barbara does what Cathy did the night before
Cathy does what Denise did the night before
Denise leaves her light on if either Anne or Barbara (but not both) left theirs on the night before; otherwise she leaves it off
14
On a particular night, Denise’s light was on, Cathy’s off, Barbara’s off, and Anne’s off. Determine Anne’s pattern of porch lighting on successive nights.
15
Denise, Cathy, Barbara, and Anne’s porch-lighting scheme
A′ ← B
B′ ← C
C′ ← D
D′ ← (B + A) MOD 2
[Figure: shift register with cells D, C, B, A and a mod-2 adder (+) feeding D]
with initial assignments
D = 1 C = 0 B = 0 A = 0
16
t   D C B A
0   1 0 0 0
1   0 1 0 0
2   0 0 1 0
3   1 0 0 1
4   1 1 0 0
5   0 1 1 0
6   1 0 1 1
7   0 1 0 1
8   1 0 1 0
9   1 1 0 1
10  1 1 1 0
11  1 1 1 1
12  0 1 1 1
13  0 0 1 1
14  0 0 0 1
15  1 0 0 0
16  0 1 0 0
17  0 0 1 0
18  1 0 0 1
19  1 1 0 0
20  0 1 1 0
21  1 0 1 1
22  0 1 0 1
23  1 0 1 0
24  1 1 0 1
17
The “random” pattern in column A begins repeating at t = 15.
18
Generic linear feedback shift register (LFSR)
b′1 ← b2
b′2 ← b3
...
b′n−1 ← bn
b′n ← (cn · bn + cn−1 · bn−1 + · · · + c2 · b2 + c1 · b1) MOD 2,
where
19
• bn, bn−1, . . ., b2, b1 are variables taking value 0 or 1,
• cn, cn−1, . . ., c2, c1 are coefficients (constants, either 0 or 1)
chosen in advance,
• prime (′) indicates the updated value of the variable.
20
Example
b′1 ← b2
b′2 ← b3
b′3 ← b4
b′4 ← b5
b′5 ← (0 · b5 + 1 · b4 + 0 · b3 + 1 · b2 + 1 · b1) MOD 2
[Figure: shift register with cells b5, b4, b3, b2, b1 and feedback taps c1 = 1, c2 = 1, c4 = 1]
Initial values
b5 = 1 b4 = 0 b3 = 1 b2 = 0 b1 = 0
21
Internal States of LFSR
b5 b4 b3 b2 b1
1  0  1  0  0
0  1  0  1  0
0  0  1  0  1
1  0  0  1  0
1  1  0  0  1
0  1  1  0  0
1  0  1  1  0
1  1  0  1  1
1  1  1  0  1
0  1  1  1  0
0  0  1  1  1
0  0  0  1  1
0  0  0  0  1
1  0  0  0  0
0  1  0  0  0
1  0  1  0  0
0  1  0  1  0
22
Output (sequence from b1):
001010011011100 0010100110111000 . . .
This can be used as a key in a binary one-time pad.
23
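The pad arithmetic and the generic LFSR from the preceding slides, as an added Python example that is not part of the original presentation: it reproduces the PLAN pad example and the 5-bit register's output, then uses that output as a key stream. The function and constant names are chosen here for illustration; the key, coefficients and initial values are the ones on the slides.

```python
def step(c, b):
    """One clock of the generic LFSR: b'i <- b(i+1), b'n <- (cn*bn + ... + c1*b1) MOD 2."""
    return b[1:] + [sum(ci * bi for ci, bi in zip(c, b)) % 2]

def keystream(c, b, count):
    """Return `count` output bits (read from b1); c = [c1..cn], b = [b1..bn]."""
    b, out = list(b), []
    for _ in range(count):
        out.append(b[0])
        b = step(c, b)
    return out

def period(c, b):
    """Clocks until the initial state recurs, or None if it never does."""
    start = list(b)
    state = step(c, start)
    for t in range(1, 2 ** len(start) + 1):
        if state == start:
            return t
        state = step(c, state)
    return None

def to_bits(data):
    """Bytes to a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def xor_bits(data, key_bits):
    """y_i = (x_i + k_i) MOD 2; the same call enciphers and deciphers."""
    bits = to_bits(data)
    if len(key_bits) < len(bits):
        raise ValueError("key stream shorter than message")
    mixed = [x ^ k for x, k in zip(bits, key_bits)]
    return bytes(int("".join(map(str, mixed[i:i + 8])), 2) for i in range(0, len(mixed), 8))

# Values taken from the slides
PAD = to_bits(bytes([0b11011101, 0b11111011, 0b10010011, 0b01110000]))
C = [1, 1, 0, 1, 0]   # c1..c5 of the 5-bit example
B = [0, 0, 1, 0, 1]   # initial b1..b5 of the 5-bit example

if __name__ == "__main__":
    print(list(xor_bits(b"PLAN", PAD)))                    # pad example from the slides
    print("".join(map(str, keystream(C, B, 15))), period(C, B))
    ct = xor_bits(b"PLAN", keystream(C, B, 32))            # LFSR output used as the key
    print(ct.hex(), xor_bits(ct, keystream(C, B, 32)))
```

The register returns to its initial state after 15 clocks, so a 32-bit message enciphered this way reuses key bits, which a true one-time pad never does.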
Feedback Shift Registers in Spreadsheet
[Figure: spreadsheet screenshot with panels titled "Linear feedback shift register" and "Nonlinear feedback shift register"; cell formulas shown below]
=MOD(R3+T3*V3,2)
=B3
=C3
=D3
=E3
=MOD(B3+C3+E3,2)
24
Cryptanalysis of LFSR
Example Suppose 1 1 0 1 0 1 1 0 is the output of a 4-bit LFSR.
What is the formula for the LFSR?
25
Solution We can complete part of the “state table” and then
fill backward:
b4  b3  b2  b1
 1   0   1   1
[0]  1   0   1
[1]  0   1   0
[1]  1   0   1
[0]  1   1   0
     0   1   1
         0   1
             0
26
The LFSR has the form
b′4 ← (c4b4 + c3b3 + c2b2 + c1b1) MOD 2,
where the c’s are unknown. The boxed values are produced
when b’s from the line above are substituted. This gives four
congruences in the four unknowns c1, c2, c3, and c4:
27
c4 · 1 + c3 · 0 + c2 · 1 + c1 · 1 ≡ 0 (1)
c4 · 0 + c3 · 1 + c2 · 0 + c1 · 1 ≡ 1 (2)
c4 · 1 + c3 · 0 + c2 · 1 + c1 · 0 ≡ 1 (3)
c4 · 1 + c3 · 1 + c2 · 0 + c1 · 1 ≡ 0 (4)
These simplify to
c4 + c2 + c1 ≡ 0 (5)
c3 + c1 ≡ 1 (6)
c4 + c2 ≡ 1 (7)
c4 + c3 + c1 ≡ 0 (8)
28
Add (5) and (7) to get
c1 ≡ 1
Substitute this into (6) to get
c3 ≡ 0.
Substitute these into (8) to get
c4 ≡ 1.
Substitute c4 into (7) to get
c2 ≡ 0.
29
Thus the LFSR is
b′4 ← (1 · b4 + 0 · b3 + 0 · b2 + 1 · b1) MOD 2
or
b′4 ← (b4 + b1) MOD 2
30
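The cryptanalysis above, generalized to any register length as an added Python example (not from the original slides): it solves the same congruences by elimination modulo 2, then shows why LFSR output is not a one-time pad key, since a short known stretch of plaintext fixes the whole key stream. Function names are chosen here; SAMPLE_CT is a constructed sample, the word PLAN enciphered with the output of the slides' 5-bit register.

```python
def recover_taps(s, n):
    """Solve the slides' congruences for [c1..cn] from output bits s of an n-bit LFSR.

    Row t says c1*s[t] + c2*s[t+1] + ... + cn*s[t+n-1] = s[t+n] (mod 2).
    Returns None when the bits are inconsistent or do not fix the taps uniquely.
    """
    rows = [list(s[t:t + n]) + [s[t + n]] for t in range(len(s) - n)]
    for col in range(n):                       # Gauss-Jordan elimination modulo 2
        pivot = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[col])]
    if any(row[n] for row in rows[n:]):        # leftover equations must read 0 = 0
        return None
    return [rows[i][n] for i in range(n)]

def extend(s, taps, count):
    """Predict the next `count` output bits from the recovered recurrence."""
    s, n = list(s), len(taps)
    for _ in range(count):
        s.append(sum(c * b for c, b in zip(taps, s[-n:])) % 2)
    return s[-count:] if count else []

def to_bits(data):
    """Bytes to a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def decipher_with_known_prefix(ciphertext, known, n):
    """Known plaintext plus ciphertext gives key bits; the recurrence supplies the rest."""
    ct = to_bits(ciphertext)
    key = [x ^ y for x, y in zip(to_bits(known), ct)]
    taps = recover_taps(key, n)
    if taps is None:
        return None
    key += extend(key, taps, len(ct) - len(key))
    plain = [c ^ k for c, k in zip(ct, key)]
    return bytes(int("".join(map(str, plain[i:i + 8])), 2) for i in range(0, len(plain), 8))

# Constructed sample: "PLAN" enciphered with the slides' 5-bit LFSR key stream.
SAMPLE_CT = bytes.fromhex("79f4123e")

if __name__ == "__main__":
    print(recover_taps([1, 1, 0, 1, 0, 1, 1, 0], 4))        # the slides' 4-bit example
    print(decipher_with_known_prefix(SAMPLE_CT, b"PL", 5))  # first two letters known
```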