Week 6
1. We should not use the same key to encrypt two different messages, so the following is not allowed:
C1 = M1 ⊕ K
C2 = M2 ⊕ K
2. The length of the key should be greater than or equal to the length of the message:
len(K) ≥ len(M)
We have clearly seen the reasons for this in earlier discussions. We should not repeat a secret key: every time, we need to generate a perfectly random key in which the probability of 0 and of 1 for each bit is 1/2. Also, if the length of the key is less than the length of the message, we cannot do this, because a reused key bit means that XORing the two ciphertext bits gives the XOR of two message bits, which reveals information.
To solve this problem, we will try to generate a pseudo-random secret key, i.e. a key which is not perfectly random but looks like it is.
So, here we take a perfectly random secret key K and a public initialization vector iv and pass them through a function F which works as follows:
F(K, iv) = Z, where Zi ∈ {0, 1}
Here we will not be able to distinguish between the perfectly random key bits ki and the random-looking bits Zi. F does not give the same output as a coin-flipping function, but its output looks similar.
Z0, Z1, ..., Zn−1
⊕ M0, M1, ..., Mn−1
= M0 ⊕ Z0, M1 ⊕ Z1, ..., Mn−1 ⊕ Zn−1
= C0, C1, ..., Cn−1
Also, reproducing the same randomly generated key K is nearly impossible, but given the same inputs K and iv we can regenerate the Zi. So, a pseudo-random function is a function which produces a random-looking but reproducible key under some particular function.
So, suppose there are two parties A and B, where A is the sender and B is the receiver, and both hold the same random key K and the same function F. A computes F(K, iv) = Z to generate the pseudo-random key Z and then generates the ciphertext bits Ci = Mi ⊕ Zi. A sends Ci and iv to B, and B recovers M as Ci ⊕ Zi = Mi.
Here we can also say that there is no relation between the ivs and K, so every Z is completely different and there is no pattern in the Zi.
3. In F(K, iv), if K is selected randomly and kept secret, then the outputs Z0, ..., Zn−1 will be indistinguishable from a bit string produced by a random bit generator, and so F is also called a pseudo-random bit generator.
4. In F(K, iv) = Zi with 0 ≤ i ≤ n, the length of the output is very large compared to the length of the key. So even if the secret key K starts repeating after l bits, where l is less than n (which was a problem in the OTP), this still works efficiently because the length of Z is very large. It can work for a very large number of messages, nearly 2^80 − 1, and still produce efficient answers.
5. For F(K, iv), if we modify at least one bit of iv, there will be an unpredictable change in the output Zi:
F(K, iv1) = Z^(1)_i | 0 ≤ i ≤ n − 1
F(K, iv2) = Z^(2)_i | 0 ≤ i ≤ n − 1
Here Z^(1)_i and Z^(2)_i are completely uncorrelated.
So, the ciphertexts generated by them for the same message M will be completely different.
3 Synchronous Stream Cipher
A synchronous stream cipher is the one in which the key stream is generated independently of the
plaintext and ciphertext bits.
So, S0 is the initial state and can be determined from the secret key K and iv. The register holds the bits s_{n−1} ··· s1 s0.
At t = 0:
State S0 = s_{n−1} ··· s1 s0
At t = 1:
State S1 = □ s_{n−1} ··· s2 s1
Here □ represents the empty position, and the output produced by S1 is s0 (the bit shifted out).
To fill the empty position we create a feedback bit sn by applying the linear feedback function L to the previous state:
sn = L(S0)
So now State S1 = sn s_{n−1} ··· s2 s1
Similarly, at t = 2:
State S2 = □ sn s_{n−1} ··· s3 s2
To fill the empty position we create a feedback bit s_{n+1} as follows:
s_{n+1} = L(S1)
So now State S2 = s_{n+1} sn ··· s3 s2
To see that a feedback function with a constant term is not linear, take L(x) = 1 ⊕ x1 ⊕ x2 and compute
L(x) ⊕ L(y) ⊕ L(x ⊕ y)
= (1 ⊕ x1 ⊕ x2) ⊕ (1 ⊕ y1 ⊕ y2) ⊕ (1 ⊕ (x1 ⊕ y1) ⊕ (x2 ⊕ y2))
= 1
So L(x) ⊕ L(y) ≠ L(x ⊕ y), and we can say that L = 1 ⊕ x1 ⊕ x2 is not a linear function.
Now, we will try to create all the possible states of an LFSR of size 3 with linear feedback function L = s0 ⊕ s2. States are written as s2 s1 s0; the feedback bit enters at s2 and the output is the s0 bit shifted out.
At t=0,
S0 = 1 0 1
At t=1,
S1 = 0 1 0
as 1 ⊕ 1 gives 0, and the output given by S1 is 1.
At t=2,
S2 = 0 0 1
as 0 ⊕ 0 gives 0, and the output given by S2 is 0.
At t=3,
S3 = 1 0 0
as 0 ⊕ 1 gives 1, and the output given by S3 is 1.
At t=4,
S4 = 1 1 0
as 1 ⊕ 0 gives 1, and the output given by S4 is 0.
At t=5,
S5 = 1 1 1
as 1 ⊕ 0 gives 1, and the output given by S5 is 0.
At t=6,
S6 = 0 1 1
as 1 ⊕ 1 gives 0, and the output given by S6 is 1.
At t=7,
S7 = 1 0 1
as 0 ⊕ 1 gives 1, and the output given by S7 is 1.
And now we can see that it has returned to its original configuration, so at t=8 its behaviour will be the same as at t=1, at t=9 the same as at t=2, and so on.
So, the maximum number of unique non-repeating states possible for an n-bit register is 2^n − 1, which in this case is 7.
So, if we are given a non-zero initial state, it will repeat after 7 clockings when n=3.
But it can also repeat in fewer clockings, depending on the linear function L.
Now, for example, if we take L = s0 and the same initial state, the result will be as follows:
At t=0,
S0 = 1 0 1
At t=1,
S1 = 1 1 0
as s0 was 1, so sn is also 1, and the output given by S1 is also 1.
At t=2,
S2 = 0 1 1
as s0 was 0, so sn is also 0, and the output given by S2 is also 0.
At t=3,
S3 = 1 0 1
as s0 was 1, so sn is also 1, and the output given by S3 is also 1.
So, as we can see, it has started repeating itself after only three clockings, and so we can say that the earlier function was a good function compared to this one.
An n-bit LFSR is called full periodic if the period of the LFSR is 2^n − 1.
As the name suggests, an LFSR is an n-bit register with a linear feedback function. We have seen how its behaviour varies with a change of the linear function while keeping the initial state the same; now we will see the effect of changing one bit of the initial state while keeping L the same.
For example, if we take L = s0 and the different initial state 111, the result will be as follows:
At t=0,
S0 = 1 1 1
At t=1,
S1 = 1 1 1
as s0 was 1, so sn is also 1, and the output given by S1 is also 1.
Also, we can say that it has started repeating itself from the first clocking, and so its period is 1.
So, we can see that the period of an LFSR depends not only on L but also on the initial state of the register.
To make it depend only on the linear feedback function L, we define the period P as the LCM of the periods of all possible states under the same linear function L.
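The 3-bit LFSR walk-throughs above and the LCM definition of the period, worked as an added example (this code is not from the notes): the register is stored as [s0, ..., s(n−1)], `taps` lists the positions that L XORs, and the two feedback functions compared are the notes' L = s0 ⊕ s2 and L = s0 from the initial states 101 and 111.

```python
from itertools import product
from math import lcm

def lfsr_step(state, taps):
    """One clock. state[i] is s_i (s_0 is the output end); the feedback bit
    L(S) = XOR of s_j for j in taps enters at s_{n-1} after the shift."""
    fb = 0
    for j in taps:
        fb ^= state[j]
    return state[1:] + [fb]

def run(state, taps, clocks):
    """Clock the register `clocks` times; return (states, output bits).
    states[t] is S_t as [s_0, ..., s_{n-1}]; out[t] is the bit shifted out of S_t."""
    states, out = [list(state)], []
    for _ in range(clocks):
        out.append(states[-1][0])
        states.append(lfsr_step(states[-1], taps))
    return states, out

def period_from(state, taps):
    """Cycle length of one initial state: clocks until it reappears."""
    s, t = lfsr_step(list(state), taps), 1
    while s != list(state):
        s, t = lfsr_step(s, taps), t + 1
    return t

def lcm_period(n, taps):
    """Period P of the feedback function itself, as the notes define it:
    the LCM of the cycle lengths over all non-zero initial states."""
    p = 1
    for bits in product([0, 1], repeat=n):
        if any(bits):
            p = lcm(p, period_from(list(bits), taps))
    return p

def display(state):
    """Render a state in the notes' order s_{n-1} ... s_1 s_0."""
    return " ".join(str(b) for b in reversed(state))

if __name__ == "__main__":
    good, poor = [0, 2], [0]                 # L = s0 XOR s2  and  L = s0
    states, out = run([1, 0, 1], good, 7)    # initial state 1 0 1 (s2 s1 s0)
    for t, s in enumerate(states):
        print(f"t={t}: S{t} = {display(s)}")
    print("output bits:", out, "period:", period_from([1, 0, 1], good))
    print("L = s0: period from 101 =", period_from([1, 0, 1], poor),
          "from 111 =", period_from([1, 1, 1], poor),
          "LCM period =", lcm_period(3, poor))
```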
[Figure: LFSR with feedback taps C1, C2, ..., Cn−1, Cn; connector polynomial f(x) ∈ F2[x]]
So, the linear feedback function of an n-bit LFSR can be linked with a polynomial of degree n in F2[x].
Also, as stated above, if S0 repeats itself after 2^n − 1 clockings, then it is called a full periodic LFSR.
Now, depending on this connector polynomial, we have the following properties:
1. If the connector polynomial (feedback polynomial) is a primitive polynomial, then the corresponding n-bit LFSR will have period 2^n − 1.
3. If it is reducible, then different states will have different cycle lengths (different periods).
which, after being put into the LFSR, will have output bits xi, which can also be called the key stream bits Zi.
Using these Zi, we can generate ciphertext bits using the stream cipher as below:
mi ⊕ Zi = Ci
Also, using the LFSR we have matched the claim that the size of the key K can be smaller here, as the output it generates will be 2^n − 1 bits in the case of an n-bit key.
Now, applying a known-plaintext attack: we know the plaintext and the ciphertext, so we can get Zi as
Zi = mi ⊕ Ci | 0 ≤ i ≤ n − 1
Now, if we get the stream bits, we get the output of the LFSR, which was generated by applying the linear function to K, and thus we get the key.
We can say that if we are given the key stream bits, then we can prepare a system of linear equations which, upon solving, gives the original state, which is the original key K.
Now, we define Ci as
Ci = mi ⊕ Zi
Now, we consider the state update function of the LFSR as having two parts, linear feedback and shifting. Call the state update function α:
S_{t+1} = α(S_t)
Z_{t+1} = f(S_{t+1})
Now, if the t-th state is represented as s^t_{n−1}, ..., s^t_0, then the (t+1)-th state is given by
s^{t+1}_0 = s^t_1, s^{t+1}_1 = s^t_2, ..., s^{t+1}_{n−2} = s^t_{n−1} and s^{t+1}_{n−1} = L(s^t_0, ..., s^t_{n−1}).
In matrix form:
\[
S^{t+1} = \begin{pmatrix} s^{t+1}_0 \\ s^{t+1}_1 \\ \vdots \\ s^{t+1}_{n-1} \end{pmatrix}
= \begin{pmatrix}
0 & 1 & 0 & \cdots & 0 \\
0 & 0 & 1 & \cdots & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & \cdots & 1 \\
c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_0
\end{pmatrix}
\begin{pmatrix} s^t_0 \\ s^t_1 \\ \vdots \\ s^t_{n-1} \end{pmatrix}
\]
where L = c_{n−1} s0 ⊕ c_{n−2} s1 ⊕ ... ⊕ c0 s_{n−1}.
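The known-plaintext observation above and the matrix form of α, worked as an added example (not code from the notes): once Zi = mi ⊕ Ci is known, every keystream bit z_t = f(S_t) is a GF(2)-linear combination of the bits of S0, so n keystream bits give n linear equations that Gauss-Jordan elimination solves for S0, the key. The tap lists, the assumed form of the linear output f (an XOR of listed state positions), and the sample keys are constructed for the demonstration.

```python
def lfsr_step(state, taps):
    """One clock: state[i] = s_i; the feedback bit L(S) = XOR of s_j (j in taps)
    enters at s_{n-1} after the shift towards s_0."""
    fb = 0
    for j in taps:
        fb ^= state[j]
    return state[1:] + [fb]

def xor_vec(a, b):
    return [x ^ y for x, y in zip(a, b)]

def keystream(state, taps, out_taps, nbits):
    """Keystream z_t = f(S_t), f being the assumed linear output function
    'XOR of the state bits at positions out_taps' (out_taps=[0] gives z_t = s_0)."""
    zs = []
    for _ in range(nbits):
        z = 0
        for j in out_taps:
            z ^= state[j]
        zs.append(z)
        state = lfsr_step(state, taps)
    return zs

def recover_initial_state(n, taps, out_taps, zs):
    """Known-plaintext setting from the notes: z_i = m_i XOR c_i is known, and
    every z_t is a GF(2)-linear combination of the bits of S_0. Track each state
    bit symbolically as a coefficient vector over (s_0, ..., s_{n-1}) of S_0,
    collect n equations, and solve them by Gauss-Jordan elimination over GF(2)."""
    sym = [[int(k == i) for k in range(n)] for i in range(n)]  # S_0 bit i -> e_i
    rows = []
    for t in range(n):
        row = [0] * n
        for j in out_taps:
            row = xor_vec(row, sym[j])
        rows.append(row + [zs[t]])          # augmented row: coefficients | z_t
        fb = [0] * n
        for j in taps:
            fb = xor_vec(fb, sym[j])
        sym = sym[1:] + [fb]                # apply alpha to the symbolic state
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][col]), None)
        if piv is None:
            return None                     # dependent rows: these n bits do not fix S_0
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = xor_vec(rows[r], rows[col])
    return [rows[i][n] for i in range(n)]

if __name__ == "__main__":
    key = [1, 0, 1]                          # constructed sample key S_0 as [s0, s1, s2]
    zs = keystream(key, [0, 2], [0, 1], 3)   # 3 observed keystream bits, n = 3
    print("recovered S_0:", recover_initial_state(3, [0, 2], [0, 1], zs))
```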
[Figure: three LFSRs (LFSR1, LFSR2, LFSR3) feeding a combiner function f whose output is Z]
x0 x1 | f
0  0  | 0
0  1  | 0
1  0  | 0
1  1  | 1
Here we can observe that Pr[z = 0] = 3/4, and so we can say that this f is not a pseudo-random bit generator function; it is treated as a combiner function.
9 Hash Function
h(x) = y where h: A → B
3. Given X and Y = h(X), it is practically infeasible to find X' ≠ X such that h(X) = h(X').
Consider a conversation between Alice and Bob. Alice computes X = Enc(M, K) and sends it to Bob, who receives X̃ and produces X1 = Dec(X̃, K). Alice also computes S1 = h(M, K) and sends it to Bob, who receives S2.
Now, Bob checks whether h(X1, K) = S2; if so, Bob accepts, else he rejects.
So, here it works as message authentication, where we are able to check whether X was altered during communication or not.
A hash family is a four-tuple (P, S, K, H) where the following conditions are satisfied.
2. S is the set of all possible message digests (authentication tags).
4. For each K1 ∈ K there is a hash function hK1 ∈ H such that hK1: P → S, with |P| ≥ |S|. More interestingly, we can say that |P| ≥ 2·|S|. Here, H is the set of all hash functions and hK1 is one hash function.
If the key is involved in the computation of the hash value, then the hash is known as a keyed hash function, whereas if the key is not involved in the computation, it is known as an unkeyed hash function.
9.1 Problem 1
h: P → S
Given y ∈ S, find x ∈ P such that h(x) = y. This problem is known as the preimage finding problem.
For a hash function h, if you cannot find a preimage in feasible time, then it is known as a preimage resistant hash function, or we can say that finding a preimage is computationally hard for such hash functions.
9.2 Problem 2
h: P → S
Given x ∈ P, find x' ∈ P such that x' ≠ x and h(x') = h(x). This problem is known as the second preimage finding problem. If finding a second preimage is computationally hard, then it is called a second preimage resistant hash function.
9.3 Problem 3
h: P → S
Find x, x' ∈ P such that x ≠ x' and h(x) = h(x'). This problem is known as the collision finding problem. If it is computationally hard to solve, then it is called a collision resistant hash function.
We can also say that if all the above problems are hard for some hash function, then it is the most secure hash function.
9.4 Ideal hash function
Let h: P → S be a hash function. h is called an ideal hash function if, given x ∈ P, to find h(x) you either have to apply h to x or look it up in a table of previously computed values for h (a hash table).
To find a preimage of y, choose Q values x ∈ P and, for each one, compute y_x = h(x):
if y_x = y
return x
Let E_i be the event that the i-th query hits y. For an ideal hash function, with M the number of possible digests,
\[
\Pr[E_i] = 1/M, \qquad \Pr[E_i^c] = 1 - 1/M
\]
\[
\begin{aligned}
\Pr[E_1 \cup E_2 \cup \cdots \cup E_Q]
&= 1 - \Pr[E_1^c \cap E_2^c \cap \cdots \cap E_Q^c] \\
&= 1 - \prod_{i=1}^{Q} \Pr[E_i^c] \\
&= 1 - (1 - 1/M)^Q
\end{aligned}
\]
The above is the probability of producing a correct preimage, which can be further expanded (keeping the first-order term of the binomial expansion, valid when Q ≪ M) as
\[
\approx Q/M
\]
So, we can say that Pr[Preimage finding] ≈ Q/M.
As Q is a constant value, we can say that the complexity of finding a preimage is O(M).