Cryptography - Sage

More documents

Recommendations

Info

Before discussing the mathematical definition of linear feedback shift registers (LFSR’s),we address the question “Why?”. A LFSR is essentially an elementary algorithm forgenerating a keystream, which has the following desirable properties:1. Easy to implement in hardware.2. Produce sequences of long period.3. Produce sequences with good statistical properties.4. Can be readily analyzed using algebraic techniques.A LFSR is defined by n stages, labelled R n−1 , . . . , R 1 , R 0 , each storing one bit, andhaving one input and output, and a timer which mark clock cycles i = 0, 1, 2, . . . . At thei-th clock cycle:1. The contents of stage 0 is output;2. The contents of R i moves to R i−1 , for 1 ≤ i ≤ n − 1; and3. Stage R n−1 is the bit sum of a prescribed subset of stages 0, 1, . . . , n − 2.We may denote the contents of stage R j at time i by s i+j , and the algorithm for updatingthe contents of stage R n−1 gives a recurrence relation∑n−1s n+i = c n−j s i+j ,j=0where c j , 1 ≤ j ≤ n are fixed bit constants specifying the stages which contribute to thebit sum. By setting c 0 = 1 we can express the relation as ∑ nj=0 c n−js i+j = 0.We identify the constants c k with coefficients of a polynomialg(x) =n∑c k x k ,k=0which we call the connection polynomial of the LFSR. Moreover, if can take the LFSRoutput bits s j as the coefficients of a power seriess(x) =∞∑s j x j ,j=0then the recurrence relation expresses the fact that s(x)g(x) is a polynomial f(x) of degreeless than n. In other words, the power series takes the form s(x) = f(x)/g(x).6.3. Linear Feedback Shift Registers 51
Exercise. Verify that the equality f(x) = s(x)g(x), for f(x) a polynomial of degree lessthan n, gives rise to the the stated recurrence for the coefficients of s(x).The LFSR is said to be nonsingular if c n ≠ 0. The condition that c n = · · · = c n−k = 0gives rise to a LFSR in which the feedback reduces to at most n − k − 1 terms, hence, afterthe initial k bits are output, the LFSR sequence reduces to one which can be modelled bya LFSR of length n − k − 1. For this reason we hereafter make the assumption that theLFSR is nonsingular.We note that since the next state of the shift register (i.e. the contents of the collection ofstages) depends only on the current contents, and there are 2 n possible states, the outputsequence is eventually periodic. Since the all zero initial state maps to itself, it is clearthat the maximal period for any LFSR of length n is 2 n − 1. The connection polynomial issaid to be primitive if the period of the LFSR output sequence, beginning at any nonzerostate, is 2 n − 1.We note that the output sequence has period N if and only if (X N +1)s(x) is a polynomialof degree at most N − 1. On the other hand, since s(x) = f(x)/g(x), if f(x) and g(x)have no common factor, then it follows by the unique factorization of polynomials thatg(x) divides X N + 1. In particular, if g(x) is irreducible, since deg(f(x)) < deg(g(x)), itfollows that f(x) and g(x) have no common factors. In summary, an irreducible connectionpolynomial of a LFSR must divide x N + 1 where N is the period of any nonzero outputsequence.The theorem below shows that in fact every polynomial g(x) in F 2 [x] with nonzeroconstant term must divides X N +1 for some N. The special feature of irreducible connectionpolynomials, and especially primitive polynomials, is that we will be able to compute thevalue of N and, for primitive polynomials, that it is takes the the maximal possible value.Lemma 6.1 If g(x) is not divisible by x, then there exists a polynomial u(x) such thatx u(x) mod g(x) = 1.Proof. Since the constant term of g(x) is 1, the polynomial u(x) = (g(x) + 1)/x satisfiesx u(x) = g(x) + 1, from which the lemma follows. □Theorem 6.2 Every polynomial g(x) in F 2 [x] coprime to x divides x N + 1 for some N.Proof. Consider the sequence of remainders mod g(x):1 mod g(x), x mod g(x), x 2 mod g(x), x 3 mod g(x), . . .Since every remainder is a unique polynomial of degree at most n − 1, there are at most 2 ndistinct elements in this sequence. It follows that there is some N such that x i mod g(x)equals x N+i mod g(x) for all sufficiently large i. Since g(x) is not divisible by x, it followsfrom the previous lemma that we can cancel the powers of x i to obtain x N mod g(x) = 1.We conclude that x N + 1 is divisible by g(x). □52 Chapter 6. Stream Ciphers
Page 1 and 2:
Author (David R. Kohel) /Title (Cry
Page 4 and 5:
CONTENTS1 Introduction to Cryptogra
Page 6: PrefaceWhen embarking on a project
Page 10 and 11: information. We introduce here some
Page 12 and 13: ut strings in A ∗ map injectively
Page 14 and 15: CHAPTERTWOClassical Cryptography2.1
Page 16 and 17: LV MJ CW XP QO IG EZ NB YH UA DS RK
Page 18 and 19: As a special case, consider 2-chara
Page 20 and 21: Note that if d k = 1, then we omit
Page 22: ExercisesSubstitution ciphersExerci
Page 25 and 26: Ciphertext-only AttackThe cryptanal
Page 27 and 28: of size n, suppose that p i is the
Page 29 and 30: Note that ZKZ and KZA are substring
Page 31: Checking possible keys, the partial
Page 34 and 35: sage: X = pt.frequency_distribution
Page 36 and 37: CHAPTERFOURInformation TheoryInform
Page 38 and 39: For each of these we can extend our
Page 40 and 41: in terms of the cryptosystem), then
Page 42 and 43: CHAPTERFIVEBlock CiphersData Encryp
Page 44 and 45: Deciphering. Suppose we begin with
Page 46 and 47: The Advanced Encryption Standard al
Page 48 and 49: 1. Malicious substitution of a ciph
Page 50 and 51: locks M j−1 , . . . , M 1 as well
Page 52: where X = K ⊕ M = (X 1 , X 2 , X
Page 55: 6.2 Properties of Stream CiphersSyn
Page 59 and 60: n 2 n − 11 12 33 74 155 316 637 1
Page 61 and 62: Exercise 6.6 In the previous exerci
Page 63 and 64: Exercise 6.9 Compute the first 8 te
Page 65 and 66: which holds since −4 = 17 + (−1
Page 67 and 68: must therefore have a divisor of de
Page 69 and 70: Shrinking Generator cryptosystemLet
Page 72 and 73: CHAPTEREIGHTPublic Key Cryptography
Page 74 and 75: Initial setup:1. Alice and Bob publ
Page 76 and 77: We apply this rule in the RSA algor
Page 78 and 79: the discrete logarithm problem (DLP
Page 80 and 81: Man in the Middle AttackThe man-in-
Page 82: Exercise 8.6 Fermat’s little theo
Page 85 and 86: k < p − 1 with GCD(k, p − 1) =
Page 88 and 89: CHAPTERTENSecret SharingA secret sh
Page 90: using any t shares (x 1 , y 1 ), .
Page 93 and 94: sage-------------------------------
Page 95 and 96: sage: x.is_unit?Type:builtin_functi
Page 97 and 98: Python (hence SAGE) has useful data
Page 99 and 100: sage: n = 12sage: for i in range(n)
Page 101 and 102: sage: I = [55+i for i in range(3)]
Page 103 and 104: sage: I = [7, 4, 11, 11, 14, 22, 14
Page 105 and 106: ExercisesRead over the above SAGE t
Page 107 and 108:
102
Page 109 and 110:
Solution. The block length is the n
Page 111 and 112:
Solution.below.The coincidence inde
Page 113 and 114:
analysis of the each of the decimat
Page 115 and 116:
arbitrary permutation of the alphab
Page 117 and 118:
In order to understand naturally oc
Page 119 and 120:
We do this by first verifying the e
Page 121 and 122:
Solution.None provided.Linear feedb
Page 123 and 124:
Multiplying each through by the con
Page 125 and 126:
Solution. The linear complexity of
Page 127 and 128:
If a, b, and c are as above, then f
Page 129 and 130:
Exercise 8.5 Use SAGE to find a lar
Page 131 and 132:
Solution. Now we can verify that e
Page 133 and 134:
which has no common factors with p
Page 135 and 136:
sage: p = 2^32+61sage: m = (p-1).qu
Page 137 and 138:
sage: a5 := a^n5sage: c5 := c^n5sag
Page 139 and 140:
The application of this function E
Page 141 and 142:
5. (∗) How many elements a of G h
Page 143:
1. The value f(0) of the polynomial
show all

Cryptography - Sage

Create successful ePaper yourself

Delete template?

Save as template?