
[CS304] Introduction to Cryptography and Network Security

Course Instructor: Dr. Dibyendu Roy Winter 2023-2024


Scribed by: Shah Vedant Rupeshkumar (202151143) Lecture (Week 6)

1 One Time Pad (OTP)


OTP: $C = M \oplus K$
We need to satisfy the following two conditions for the successful execution of OTP:

1. We should not use the same key for encrypting two different messages. So, the following is not allowed:

$C_1 = M_1 \oplus K$
$C_2 = M_2 \oplus K$

2. The length of the key should be greater than or equal to the length of the message:

$\mathrm{len}(K) \ge \mathrm{len}(M)$

We have clearly seen the reasons for this in earlier discussions. Since we must not repeat a secret key, every time we need to generate a perfectly random key in which each bit is 0 or 1 with probability 1/2 each. Also, if the length of the key is less than the length of the message, the scheme does not work: some key bits would have to be reused, and XORing the affected ciphertext bits gives the XOR of two message bits, which reveals information.

To solve this problem, we will try to generate a pseudo random secret key i.e. a key which is
not perfectly random but looks like it is perfectly random.

So, here we will take a perfectly random secret key K and public initialization vector iv and we
will pass them through a function F which will work as follows:

$F(K, iv) = Z = (Z_0, Z_1, \ldots, Z_{n-1})$ where $Z_i \in \{0, 1\}$

Here, we will not be able to distinguish between the perfectly random key bits $k_i$ and the random-looking bits $Z_i$. We can say that F does not give the same output as a coin-flipping function, but its output looks similar.

So, now we perform a bitwise XOR of the message M and Z as follows:

$Z_0, Z_1, \ldots, Z_{n-1}$
$\oplus\; M_0, M_1, \ldots, M_{n-1}$
$= M_0 \oplus Z_0,\; M_1 \oplus Z_1,\; \ldots,\; M_{n-1} \oplus Z_{n-1}$
$= C_0, C_1, \ldots, C_{n-1}$
Also, reproducing the same randomly generated key K is nearly impossible, but if we are given the same inputs K and iv we can regenerate the $Z_i$s. So, a pseudo-random function is a function which produces a random-looking but reproducible key under some particular function.

So, we can conclude the following observations:

1. $Z_0, \ldots, Z_{n-1}$ will be a random-looking key.

2. If we give the same input (K, iv), then it will generate the same $Z_i$s.

So, suppose there are two parties A and B, where A is the sender and B is the receiver. Both A and B have the same random key K and the same function F. Now, A computes $F(K, iv) = Z$ to generate the pseudo-random key Z and then generates the ciphertext bits $C_i = M_i \oplus Z_i$. A sends $C_i$ and iv to B, and B recovers M as $C_i \oplus Z_i = M_i$.

Here, also we can say that there is no relation between the ivs and the Ks, so every Z is completely different and there is no pattern in the $Z_i$s.

3. In F(K, iv), if K is selected randomly and kept secret, then the outputs $Z_0, \ldots, Z_{n-1}$ will be indistinguishable from the bit string generated by a random bit generator, and so the function F is also called a pseudo-random bit generator.

4. In $F(K, iv) = Z_i$, where $0 \le i \le n$, the length of the output bits is very large compared to the length of the key. So, even if the secret key K repeats after l bits with l less than n, which was a problem in OTP, this still works efficiently because the length of Z is very large. It can work for a very large number of messages, nearly about $2^{80} - 1$, and still produce efficient results.

5. For F(K, iv), if we modify at least one bit of the iv, then there will be an unpredictable change in the output $Z_i$:

$F(K, iv_1) = Z_i^{(1)}, \quad 0 \le i \le n-1$
$F(K, iv_2) = Z_i^{(2)}, \quad 0 \le i \le n-1$

Here, $Z_i^{(1)}$ and $Z_i^{(2)}$ are completely uncorrelated. So, the ciphertexts generated by them for the same message M will be completely different.
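As an added example (not from the notes), the construction of this section in Python: the pseudo-random key Z = F(K, iv) is instantiated, as an assumption, with HMAC-SHA256 in counter mode, and the functions check conditions 1 and 2 and observations 2 and 5 above. KEY, IV1 and IV2 are constructed sample values.

```python
import hashlib
import hmac

def keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Z = F(K, iv): a reproducible, random-looking bit string.  Assumed
    instantiation (not from the notes): HMAC-SHA256 of iv || counter,
    block after block, truncated to nbytes."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        block = iv + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of equal-length byte strings (condition 2: len(K) >= len(M))."""
    if len(a) != len(b):
        raise ValueError("pad must cover the whole message")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """C_i = M_i XOR Z_i; the sender transmits (iv, C), iv being public."""
    return xor_bytes(msg, keystream(key, iv, len(msg)))

def decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Observation 2: the same (K, iv) regenerates Z, so C_i XOR Z_i = M_i."""
    return xor_bytes(ct, keystream(key, iv, len(ct)))

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Condition 1 violated: two messages under the same (K, iv) give
    C1 XOR C2 = M1 XOR M2.  The key cancels, so the relation between the
    two plaintexts is visible to anyone holding both ciphertexts."""
    return xor_bytes(c1, c2)

def hamming_distance(a: bytes, b: bytes) -> int:
    """Differing bits between two byte strings; a one-bit iv change
    (observation 5) flips about half of the keystream bits."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample values (not from the notes): a 16-byte key and two
# public ivs that differ in exactly one bit.
KEY = bytes(range(16))
IV1 = b"\x00" * 8
IV2 = b"\x00" * 7 + b"\x01"
```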

2 Types of stream cipher


The stream cipher can be divided into two types which are synchronous stream cipher and self
synchronous or asynchronous stream cipher.

3 Synchronous Stream Cipher
A synchronous stream cipher is the one in which the key stream is generated independently of the
plaintext and ciphertext bits.

The following functions are taken into consideration:

1. State update function: $S_{i+1} = f(S_i, K)$

2. Key generator function: $Z_i = g(S_i, K)$

3. Ciphertext generator function: $C_i = h(Z_i, M_i)$

So, we can say that $S_0$ is the initial state and can be determined from the secret key K and iv.

4 Self Synchronizing stream cipher


A self synchronizing stream cipher or asynchronous stream cipher is one in which the key stream
bits are generated as a function of the key and a fixed number of previous ciphertext bits.

1. State: $\sigma_i = (C_{i-t}, C_{i-(t-1)}, \ldots, C_{i-1})$

2. State update function: $\sigma_{i+1} = E(\sigma_i, K)$

3. Key generator function: $Z_i = g(\sigma_i, K)$

4. Ciphertext generator function: $C_i = h(Z_i, M_i)$

Here, $\sigma_0 = (C_{-t}, C_{-t+1}, \ldots, C_{-1})$ is the non-secret initial state.

5 Linear Feedback Shift Register (LFSR)


It works in clock steps and its state is different at different times. Initially we consider a register of length n which can store n bits, each bit denoted $s_i$ with $s_i \in \{0, 1\}$:

$s_{n-1} \cdots s_1 s_0$

So, at t=0,
State $S_0 = s_{n-1} \cdots s_1 s_0$

At t=1, after the shift, the register reads $*\; s_{n-1} \cdots s_2 s_1$.

Here, * represents the empty position, and the output provided by $S_1$ is $s_0$.

Now, to fill the empty position we create a feedback bit $s_n$ as follows:

$s_n = L(s_0, s_1, \ldots, s_{n-1}) = L(S_0)$

where L represents a linear function which takes n bits as input and produces 1 bit as output.

So, now State $S_1 = s_n s_{n-1} \cdots s_2 s_1$

Similarly, at t=2, after the shift, the register reads $*\; s_n s_{n-1} \cdots s_3 s_2$.

Here, * again represents the empty position, and the output provided by $S_2$ is $s_1$.

Now, to fill the empty position we create a feedback bit $s_{n+1}$ as follows:

$s_{n+1} = L(S_1) = L(s_1, s_2, \ldots, s_n)$

So, now State $S_2 = s_{n+1} s_n \cdots s_3 s_2$

So, the LFSR works as shown in the figure:

[Figure: an LFSR with cells $s_{n-1}\; s_{n-2}\; s_{n-3}\; \ldots\; s_0$; the register shifts towards $s_0$, whose bit is the OUTPUT, and the feedback bit $\oplus$ of the tapped cells enters at $s_{n-1}$.]

5.1 Linear Function L

$L(s_0, s_1, \ldots, s_{n-1}) = s_n \in \{0, 1\}$
$L : \{0, 1\}^n \to \{0, 1\}$
$L_a = a_0 \cdot s_0 \oplus a_1 \cdot s_1 \oplus \cdots \oplus a_{n-1} \cdot s_{n-1}$

where $\cdot$ represents AND, which is multiplication mod 2, $\oplus$ represents XOR, which is addition mod 2, and each $a_i \in \{0, 1\}$.

$L = a_0 \cdot s_0 \oplus a_1 \cdot s_1 \oplus \cdots \oplus a_{n-1} \cdot s_{n-1} \oplus a_n$

So, if $a_n = 0$ then $L = L_a$ and the function is called a linear function, whereas if $a_n = 1$ then $L \ne L_a$ and it represents an affine function. So, for non-zero $a_n$, L is known as an affine function.

Also, if $L(x) \oplus L(y) \oplus L(x \oplus y) = 0$ for all $x, y \in \{0, 1\}^n$, then L is linear.

For example, take $L(x, y) = x \oplus y$, applied coordinate-wise to $x = (x_1, x_2)$ and $y = (y_1, y_2)$. Then

$L(x) \oplus L(y) \oplus L(x \oplus y)$
$= (x_1 \oplus x_2) \oplus (y_1 \oplus y_2) \oplus ((x_1 \oplus y_1) \oplus (x_2 \oplus y_2))$
$= 0$

So, we can say that $L(x, y) = x \oplus y$ is a linear function.

For example, take $L(x, y) = 1 \oplus x \oplus y$. Then

$L(x) \oplus L(y) \oplus L(x \oplus y)$
$= (1 \oplus x_1 \oplus x_2) \oplus (1 \oplus y_1 \oplus y_2) \oplus (1 \oplus (x_1 \oplus y_1) \oplus (x_2 \oplus y_2))$
$= 1$

So, we can say that $L(x, y) = 1 \oplus x \oplus y$ is not a linear function.

Now, we will try to create all the possible states of an LFSR of size 3 with linear function $L = s_0 \oplus s_2$ (at each clocking the feedback bit is $s_0 \oplus s_2$ of the previous state and the output is its $s_0$).

Here S will be represented as:

$s_2\; s_1\; s_0$

At t=0,
$S_0 = 1\,0\,1$

At t=1,
$S_1 = 0\,1\,0$
as $1 \oplus 1$ gives 0, and the output given by $S_1$ is 1.

At t=2,
$S_2 = 0\,0\,1$
as $0 \oplus 0$ gives 0, and the output given by $S_2$ is 0.

At t=3,
$S_3 = 1\,0\,0$
as $0 \oplus 1$ gives 1, and the output given by $S_3$ is 1.

At t=4,
$S_4 = 1\,1\,0$
as $1 \oplus 0$ gives 1, and the output given by $S_4$ is 0.

At t=5,
$S_5 = 1\,1\,1$
as $1 \oplus 0$ gives 1, and the output given by $S_5$ is 0.

At t=6,
$S_6 = 0\,1\,1$
as $1 \oplus 1$ gives 0, and the output given by $S_6$ is 1.

At t=7,
$S_7 = 1\,0\,1$
as $0 \oplus 1$ gives 1, and the output given by $S_7$ is 1.

And now, we can see that it starts repeating from its original configuration and so, at t=8 its
behaviour would be same as that at t=1 and similarly at t=9 it will be same as at t=2 and so on.

So, the maximum number of unique non-repeating states possible for an n-bit register is $2^n - 1$, which in this case is 7.

So, if we are provided with non zero initial state then it will repeat after 7 clockings if n=3.
But it can also repeat in less number of clockings depending upon the linear function L.

Now, for example, if we take $L = s_0$ and the same initial state, then the result will be as follows:

At t=0,
$S_0 = 1\,0\,1$

At t=1,
$S_1 = 1\,1\,0$
as $s_0$ was 1, so $s_n$ will also be 1, and the output given by $S_1$ is also 1.

At t=2,
$S_2 = 0\,1\,1$
as $s_0$ was 0, so $s_n$ will also be 0, and the output given by $S_2$ is also 0.

At t=3,
$S_3 = 1\,0\,1$
as $s_0$ was 1, so $s_n$ will also be 1, and the output given by $S_3$ is also 1.

So, as we can see, it has started repeating itself after only three clockings, and so we can say that the earlier function was a good function compared to this one.

5.2 Period of LFSR


If we start with a non-zero initial state $S_0$ which starts repeating itself after m clockings of the LFSR, then m is the period of the LFSR.

So, as we have seen earlier, if we take a 3-bit LFSR with $L = s_0 \oplus s_2$, then the period would be 7, whereas for the same initial input with $L = s_0$ the period would be 3.

An n-bit LFSR is called full periodic if the period of the LFSR is $2^n - 1$.

As the name suggests, an LFSR is an n-bit register with a linear feedback function. We have seen how its behaviour varies with a changing linear function while keeping the initial state of the register the same; now we will see the effect of changing one bit of the initial state while keeping L the same.

Now, for example, if we take $L = s_0$ and a different initial state 111, then the result will be as follows:

At t=0,
$S_0 = 1\,1\,1$

At t=1,
$S_1 = 1\,1\,1$
as $s_0$ was 1, so $s_n$ will also be 1, and the output given by $S_1$ is also 1.

Also, we can say that it has started repeating itself from the very first clocking, and so its period is 1.

So, we can see that the period of LFSR not only depends on L but also depends on the initial
state of the register.

To make it depend only on the Linear feedback function L, we will define period,P as LCM of
the periods of all possible states with same linear function L.

Period, $P = \mathrm{LCM}\{P_1, P_2, \ldots, P_{2^n - 1}\}$
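The 3-bit traces above and the period definition of this section, worked in Python as an added example (not from the notes). States are tuples $(s_0, s_1, \ldots, s_{n-1})$ and a feedback function is given by the indices it taps, so $L = s_0 \oplus s_2$ is `(0, 2)` and $L = s_0$ is `(0,)`; `lfsr_period` computes P as the LCM over all non-zero initial states, for any register size.

```python
from functools import reduce
from math import gcd

def lfsr_step(state, taps):
    """One clocking of an n-bit LFSR.  state[i] is bit s_i, with s_0 at the
    output end (the notes display s_{n-1} ... s_1 s_0, i.e. reversed(state)).
    taps lists the indices i with a_i = 1 in L = a_0 s_0 XOR ... XOR a_{n-1} s_{n-1}.
    Returns (output bit s_0, new state with the feedback bit s_n shifted in)."""
    feedback = 0
    for i in taps:
        feedback ^= state[i]
    return state[0], state[1:] + (feedback,)

def trace(state, taps, clocks):
    """States visited and bits output over `clocks` steps, as the notes tabulate them."""
    states, out = [state], []
    for _ in range(clocks):
        bit, state = lfsr_step(state, taps)
        out.append(bit)
        states.append(state)
    return states, out

def show(state):
    """Render a state in the notes' order s_{n-1} ... s_1 s_0."""
    return "".join(str(b) for b in reversed(state))

def period_from(state, taps):
    """Clockings until the register first returns to `state` (Section 5.2).
    If L does not use s_0 (a_0 = 0) the state map is not a bijection and some
    states never recur; that case is reported instead of looping forever."""
    cur, count = state, 0
    while True:
        _, cur = lfsr_step(cur, taps)
        count += 1
        if cur == state:
            return count
        if count > 2 ** len(state):
            raise ValueError("state is transient: L must include s_0 (a_0 = 1)")

def lfsr_period(n, taps):
    """Period P = LCM{P_1, ..., P_{2^n - 1}} over all non-zero initial states,
    so that P depends only on L.  A full-periodic LFSR has P = 2^n - 1."""
    periods = []
    for v in range(1, 2 ** n):
        state = tuple((v >> i) & 1 for i in range(n))
        periods.append(period_from(state, taps))
    return reduce(lambda a, b: a * b // gcd(a, b), periods)
```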


Now, as we have seen,

$s_{n+1} = L(s_1, \ldots, s_n)$

So, we can draw an equivalent view of the LFSR as follows:

[Figure: an LFSR with cells $s_{n-1}\; s_{n-2}\; \ldots\; s_1\; s_0$ and feedback taps with coefficients $C_1, C_2, \ldots, C_{n-1}, C_n$ on the cells $s_{n-1}, s_{n-2}, \ldots, s_1, s_0$ respectively.]

where

$L = C_1 \cdot s_{n-1} \oplus C_2 \cdot s_{n-2} \oplus \cdots \oplus C_n \cdot s_0$

We can also connect this function L with a polynomial f(x), as follows:

$f(x) = 1 + C_1 x + C_2 x^2 + \cdots + C_n x^n$

Here, f(x) is known as the connector polynomial of the LFSR.

$f(x) \in \mathbb{F}_2[x]$

So, a linear feedback function of an n-bit LFSR can be linked with a polynomial of degree n in $\mathbb{F}_2[x]$.

Also, as stated above, if $S_0$ repeats itself after $2^n - 1$ clockings, then it is called a full-periodic LFSR.

Now, depending on this connector polynomial, we have the following properties:

1. If the connector polynomial (feedback polynomial) is a primitive polynomial, then the corresponding n-bit LFSR will have period $2^n - 1$.

2. If the polynomial is irreducible, then the period of the LFSR will divide $2^n - 1$.

3. If it is reducible, then different states will have different cycle lengths (different periods).

If we are given an n-bit LFSR, then we can state the key K as

$K = (k_0, \ldots, k_{n-1})$

which, after loading into the LFSR as its initial state, yields output bits $x_i$, also called the key stream bits $Z_i$.

Using these $Z_i$, we generate the ciphertext bits with the stream cipher as follows:

$m_i \oplus Z_i = C_i$

Also, we can say that using an LFSR we have met the claim that the key K can be short here, as the output generated from an n-bit key can run for $2^n - 1$ bits.

Now, applying a known-plaintext attack, we know the plaintext and the ciphertext, so we can get $Z_i$ as:

$Z_i = m_i \oplus C_i, \quad 0 \le i \le n-1$

Now, if we get the key stream bits, we get the output of the LFSR, which was generated by applying the linear function to K, and thus we get the key.

We can say that if we are given the key stream bits, then we can set up a system of linear equations which, upon solving, gives the original state, which is the original key K.

The linear equations would be:

$L = a_0 \cdot s_0 + \cdots + a_{n-1} \cdot s_{n-1} = s_n$

$s_{n+1} = a_0 \cdot s_1 + \cdots + a_{n-1} \cdot s_n = L(s_1, \ldots, s_n)$
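The linear system just described, carried out in Python as an added example (not from the notes): from 2n key stream bits of an n-bit LFSR the equations $z_{n+j} = a_0 z_j + \cdots + a_{n-1} z_{j+n-1}$ are solved over GF(2) for the feedback coefficients, and the first n bits are the initial state K itself. This is why a bare LFSR must not be used as a key stream generator, which motivates the non-linear constructions of the next sections; the 3-bit register with $L = s_0 \oplus s_2$ and $S_0 = 101$ from Section 5.1 is the sample input.

```python
def lfsr_keystream(state, taps, nbits):
    """Run an n-bit LFSR (state[i] = s_i, s_0 is shifted out first) and
    return the first nbits output bits Z_0, Z_1, ...; taps are the
    indices i with a_i = 1 in L = a_0 s_0 + ... + a_{n-1} s_{n-1}."""
    state, out = list(state), []
    for _ in range(nbits):
        out.append(state[0])
        fb = 0
        for i in taps:
            fb ^= state[i]
        state = state[1:] + [fb]
    return out

def solve_gf2(matrix, rhs):
    """Solve matrix * a = rhs over GF(2) by Gaussian elimination on the
    augmented matrix.  Returns the solution bits, or None if the system is
    singular (e.g. a degenerate key stream such as all ones)."""
    n = len(rhs)
    rows = [matrix[i][:] + [rhs[i]] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]

def recover_taps(z, n):
    """Given 2n consecutive key stream bits z_0 .. z_{2n-1} of an n-bit LFSR
    (obtained as Z_i = m_i XOR C_i from known plaintext), write the notes'
    equations  z_{n+j} = a_0 z_j + a_1 z_{j+1} + ... + a_{n-1} z_{j+n-1}
    for j = 0..n-1 and solve for the feedback coefficients.  The first n
    bits z_0..z_{n-1} are the initial state, i.e. the key K, directly.
    Returns the tap indices, or None if 2n bits do not determine them."""
    if len(z) < 2 * n:
        raise ValueError("need at least 2n key stream bits")
    matrix = [z[j:j + n] for j in range(n)]
    rhs = [z[n + j] for j in range(n)]
    a = solve_gf2(matrix, rhs)
    return None if a is None else [i for i, ai in enumerate(a) if ai]
```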

6 LFSR with non linear filter function


We can define a function f as:
$f : \{0, 1\}^l \to \{0, 1\}$
Now, we will take a n-bit LFSR with n ≥ l and the working of LFSR would be as follows:

[Figure: an n-bit LFSR with cells $s_{n-1}\; s_{n-2}\; \ldots\; s_0$ and linear feedback L; the non-linear filter f reads l of the state bits and outputs the key stream bit $Z_i$.]
Now, we define $C_i$ as

$C_i = m_i \oplus Z_i$

Now, we consider the state update function of the LFSR as having two parts: linear feedback and shifting. We denote the state update function of the LFSR by α:

$S_{t+1} = \alpha(S_t)$
$Z_{t+1} = f(S_{t+1})$

Now, if the t-th state is represented as $s^t_{n-1}, \ldots, s^t_0$, then the (t+1)-th state will be

$s^{t+1}_{n-1}, s^{t+1}_{n-2}, \ldots, s^{t+1}_0$

where $s^{t+1}_0 = s^t_1,\; s^{t+1}_1 = s^t_2,\; \ldots,\; s^{t+1}_{n-2} = s^t_{n-1}$ and $s^{t+1}_{n-1} = L(s^t_0, \ldots, s^t_{n-1})$.

We can represent the state update matrix as follows:

$$
S^{t+1} =
\begin{pmatrix} s^{t+1}_0 \\ s^{t+1}_1 \\ \vdots \\ s^{t+1}_{n-2} \\ s^{t+1}_{n-1} \end{pmatrix}
=
\begin{pmatrix}
0 & 1 & 0 & \cdots & 0 \\
0 & 0 & 1 & \cdots & 0 \\
\vdots & & & \ddots & \vdots \\
0 & 0 & 0 & \cdots & 1 \\
c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_0
\end{pmatrix}
\begin{pmatrix} s^t_0 \\ s^t_1 \\ \vdots \\ s^t_{n-2} \\ s^t_{n-1} \end{pmatrix}
$$

$L = c_{n-1} s_0 \oplus c_{n-2} s_1 \oplus \cdots \oplus c_0 s_{n-1}$

7 LFSR with Combiner Function


$f : \{0, 1\}^l \to \{0, 1\}$

[Figure: three registers LFSR1, LFSR2 and LFSR3 each feed one output bit into the combiner function f, which outputs the key stream bit Z.]

We define f as $f(x_0, x_1) = x_0 \cdot x_1$, where $\cdot$ represents the AND operation.

x0  x1  f
0   0   0
0   1   0
1   0   0
1   1   1

Here, we can observe that $\Pr[z = 0] = 3/4$, so this f is biased: it is not a pseudo-random bit generator function on its own and can only be treated as a combiner function.

8 Non-Linear Feedback Shift Register (NFSR)

Here, the feedback function of the register is non-linear, and modern ciphers are based on this register as it is more secure.

$f : \{0, 1\}^l \to \{0, 1\}$

For a non-linear f, the linearity test of Section 5.1 fails, i.e. $f(x) + f(y) + f(x + y)$ is not identically 0. So, for example,

$f(x_0, x_1, x_2) = x_0 + x_1 \cdot x_2$

9 Hash Function

$h(x) = y$ where $h : A \to B$

1. If X is altered to X’, then h(X’) will be completely different from h(X).

2. Given Y it is practically infeasible to find X such that h(X) = Y.

3. Given X and Y=h(X), it is practically infeasible to find X’ such that h(X) = h(X’).

Consider a conversation between Alice and Bob. Let Alice have $X = \mathrm{Enc}(M, K)$, which she sends to Bob; Bob receives $\tilde{X}$ and produces $X_1 = \mathrm{Dec}(\tilde{X}, K)$. Also, Alice produces $S_1 = h(M, K)$ and sends it to Bob, who receives $S_2$.

Now, Bob checks whether $h(X_1, K) = S_2$; if so, Bob accepts, else he rejects.

So, here it works as message authentication, where we are able to check whether X was altered during communication or not.

A hash family is a four-tuple (P, S, K, H) where the following conditions are satisfied.

1. P is the set of all possible messages.

2. S is the set of all possible message digests (authentication tags).

3. K is the key space.

4. For each $K_1 \in K$, there is a hash function $h_{K_1} \in H$ such that $h_{K_1} : P \to S$, with $|P| \ge |S|$. More interestingly, we can say that $|P| \ge 2|S|$. Here, H is the set of all hash functions and $h_{K_1}$ is one hash function.

If the key is involved in the computation of the hashed value, then the hash is known as a keyed hash function, whereas if the key is not involved in the computation of the hash, then it is known as an unkeyed hash function.

Now, we will see some problems involving hash functions:

9.1 Problem 1
$h : P \to S$

Given $y \in S$, find $x \in P$ such that $h(x) = y$. This problem is known as the preimage finding problem.

For a hash function h, if you cannot find a preimage in feasible time, then it is known as a preimage resistant hash function, or we can say that finding a preimage is computationally hard for such hash functions.

9.2 Problem 2
$h : P \to S$

Given $x \in P$ and h(x), find $x' \in P$ such that $x' \ne x$ and $h(x') = h(x)$.

This problem is known as the second preimage finding problem. If finding a second preimage is computationally hard, then it is called a second preimage resistant hash function.

9.3 Problem 3
$h : P \to S$

Find $x, x' \in P$ such that $x \ne x'$ and $h(x) = h(x')$. This problem is known as the collision finding problem. If it is computationally hard to solve, then it is called a collision resistant hash function.

We can also say that if all the above problems are hard for some hash function, then it is the
most secure hash function.

9.4 Ideal hash function
Let $h : P \to S$ be a hash function. Then h is called an ideal hash function if, given $x \in P$, to find h(x) you either have to apply h to x or have to look it up in a table of previously computed values of h (a hash table).

10 Preimage Finding Problem

$h : X \to Y$ where $|Y| = M$

Given $y \in Y$, find $x \in X$ such that $h(x) = y$.

Choose any $X_0 \subseteq X$ such that $|X_0| = Q$.

Now, we perform an exhaustive search over $X_0$:

For each $x \in X_0$:
    compute $y_x = h(x)$
    if $y_x = y$, return x

It halts when we get the output. We consider the probability

Pr[the above algorithm returns a correct preimage]

and it also gives us an idea of the time complexity, which is of the order of 1/Pr.

Now, take

$X_0 = \{x_1, x_2, \ldots, x_Q\}$
$E_i$ = the event that $h(x_i) = y$, for $1 \le i \le Q$

$\Pr[E_i] = 1/M$
$\Pr[E_i^c] = 1 - 1/M$

$\Pr[E_1 \cup E_2 \cup \cdots \cup E_Q]$
$= 1 - \Pr[E_1^c \cap E_2^c \cap \cdots \cap E_Q^c]$
$= 1 - \prod_{i=1}^{Q} \Pr[E_i^c]$
$= 1 - (1 - 1/M)^Q$

Above is the probability of producing a correct preimage, which can be further expanded as

$= 1 - \left[1 - \binom{Q}{1}\frac{1}{M} + \binom{Q}{2}\frac{1}{M^2} - \cdots\right]$
$\approx 1 - \left[1 - \binom{Q}{1}\frac{1}{M}\right]$
$= Q/M$

So, we can say that Pr[preimage finding] ≈ Q/M.

As Q is a constant value, we can say that the complexity of finding a preimage is O(M).
