
EXERCISE 2

STREAM CIPHERS

1. We will now analyze a pseudorandom number sequence generated by a Linear Feedback
Shift Register (LFSR) of degree 3 characterized by (p_2 = 1, p_1 = 0, p_0 = 1).
(1) What is the sequence generated from the initialization vector: (s_2 = 1, s_1 = 0, s_0 = 0)?
(2) What is the sequence generated from the initialization vector: (s_2 = 0, s_1 = 1, s_0 = 1)?
(3) How are the two sequences related?

2. Assume we have a stream cipher whose period is quite short. We happen to know that
the period is 150–200 bits in length. We assume that we do not know anything else about
the internals of the stream cipher. In particular, we should not assume that it is a simple
LFSR. For simplicity, assume that English text in ASCII format is being encrypted.
Describe in detail how such a cipher can be attacked. Specify exactly what Oscar has to
know in terms of plaintext/ciphertext, and how he can decrypt all ciphertext.

3. Compute the first two output bytes of the LFSR of degree 8 and the feedback polynomial
(0, 1, 7) where the initialization vector has the value FF in hexadecimal notation.

4. In this problem, we will study LFSRs in more detail. LFSRs come in three flavors:
• LFSRs which generate a maximum-length sequence. These LFSRs are based on
primitive polynomials.
• LFSRs which do not generate a maximum-length sequence, but whose sequence
length is independent of the initial value of the register. These LFSRs are based on
irreducible polynomials that are not primitive. (Note that all primitive polynomials
are also irreducible.)
• LFSRs which do not generate a maximum-length sequence and whose sequence
length depends on the initial values of the register. These LFSRs are based on
reducible polynomials.
We will study examples in the following. Determine all sequences generated by the
following three polynomials:
(1) x^4 + x + 1
(2) x^4 + x^2 + 1
(3) x^4 + x^3 + x^2 + x + 1
Draw the corresponding LFSR for each of the three polynomials. Which of the polynomials
is primitive, which is only irreducible, and which one is reducible? Note that the lengths of
all sequences generated by each of the LFSRs should always add up to 2^m − 1.
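
An added example (not part of the original exercise sheet): enumerating every state cycle of a degree-m LFSR shows the three flavors above as cycle-length patterns. It assumes the recurrence s_{i+m} = p_{m-1}·s_{i+m-1} + ... + p_0·s_i mod 2 for P(x) = x^m + p_{m-1}x^{m-1} + ... + p_0, with p_0 = 1; the function names are illustrative.

```python
def lfsr_step(state, p):
    """Clock once. Bit j of `state` holds s_{i+j}; p = (p_0, ..., p_{m-1})."""
    m = len(p)
    fb = 0
    for j, pj in enumerate(p):
        fb ^= pj & (state >> j) & 1          # feedback = sum of tapped bits mod 2
    return (state >> 1) | (fb << (m - 1))    # shift out s_i, shift in s_{i+m}


def lfsr_cycles(p):
    """Sorted lengths of all state cycles over the 2^m - 1 nonzero states."""
    if p[0] != 1:
        # Assumption: p_0 = 1 makes the state update invertible, so every
        # state lies on exactly one cycle.
        raise ValueError("p_0 must be 1")
    seen, lengths = set(), []
    for start in range(1, 1 << len(p)):
        if start in seen:
            continue
        state, n = start, 0
        while state not in seen:             # walk until the cycle closes
            seen.add(state)
            state = lfsr_step(state, p)
            n += 1
        lengths.append(n)
    return sorted(lengths)


def flavor(p):
    """Label the observed sequence-length behaviour (not a primitivity proof)."""
    lengths = lfsr_cycles(p)
    if lengths == [2 ** len(p) - 1]:
        return "maximum-length"
    if len(set(lengths)) == 1:
        return "fixed-short"                 # same length for every start state
    return "state-dependent"                 # length depends on the start state


if __name__ == "__main__":
    # Coefficient tuples (p_0, p_1, p_2, p_3) for the three degree-4 polynomials.
    polys = {"x^4+x+1": (1, 1, 0, 0),
             "x^4+x^2+1": (1, 0, 1, 0),
             "x^4+x^3+x^2+x+1": (1, 1, 1, 1)}
    for name, p in polys.items():
        print(name, lfsr_cycles(p), flavor(p))
```
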
Date: November 27, 2024.
Introduction to Information Security Exercise 2
5. Given is a stream cipher based on a single LFSR as the keystream generator. The LFSR
has a degree of 256.
(1) How many plaintext/ciphertext bit pairs are needed to launch a successful attack?
(2) Describe all steps of the attack in detail and develop the formulae that need to be
solved.
(3) What is the key in this system? Why doesn’t it make sense to use the initial contents
of the LFSR as the key or as part of the key?

6. We conduct a known-plaintext attack on an LFSR-based stream cipher. We know that
the plaintext sent was:
1001 0010 0110 1101 1001 0010 0110
By tapping the channel, we observe the following stream:
1011 1100 0011 0001 0010 1011 0001
(1) What is the degree m of the key stream generator?
(2) What is the initialization vector?
(3) Determine the feedback coefficients of the LFSR.
(4) Draw a circuit diagram and verify the output sequence of the LFSR.

7. We want to perform an attack on another LFSR-based stream cipher. In order to process
letters, each of the 26 uppercase letters and the numbers 0, 1, 2, 3, 4, 5 are represented by
a 5-bit vector according to the following mapping:
A ↔ 0 = 00000_2
...
Z ↔ 25 = 11001_2
0 ↔ 26 = 11010_2
...
5 ↔ 31 = 11111_2

We happen to know the following facts about the system:
• The degree of the LFSR is m = 6.
• Every message starts with the header WPI.
We observe the following message on the channel (the fourth symbol is a zero): j5a0edj2b
(1) What is the initialization vector?
(2) What are the feedback coefficients of the LFSR?
(3) Write a program in your favorite programming language which generates the whole
sequence, and find the whole plaintext.
(4) Where does the thing after WPI live?
(5) What type of attack did we perform?

8. In this problem, we will look at pseudorandom number generators based on a linear
congruential generator (LCG). As we have seen in Section 2.2.1, an LCG is given by the
equations:
z_0 ≡ seed
z_{i+1} ≡ a · z_i + b mod m, i = 0, 1, ...
We assume that the modulus m is public and that the key is formed by the parameters seed,
a, and b.
We consider now the problem that arises if we use an LCG as a keystream generator. We
assume the stream cipher is used for encrypting images given in GIF format. The keystream z_i
encrypts a plaintext x_i as follows:
y_i ≡ x_i + z_i mod m
Since GIF files consist of 8-bit values, we need at least 256 possible values for x_i. Thus, the
prime modulus m = 257 is a good choice.
Now, assume that the first six bytes in the header of a GIF image file consist of the letters
GIF89a, where each letter is encoded as an 8-bit ASCII character. An attacker who obtains
an encrypted GIF file finds the following ciphertexts at the beginning of the file: y_1 = 32,
y_2 = 166, and y_3 = 87, which correspond to the plaintext bytes x_1 = G, x_2 = I, and x_3 = F.
(1) Describe how an attacker can compute the parameters a, b, and the seed with these
three plaintext bytes. Compute the parameters a, b, and the seed.
(2) What is this attack called? What are the prerequisites for a successful attack?

9. The linear congruential generator described in Section 2.2.1 can be extended such that
each new element z_{i+1} of the keystream is computed from the two previous elements z_i and
z_{i−1}. In this case, two seed values z_0 and z_1 as well as three parameters a, b, and c along
with the modulus m are needed. The equation of the generator is given as:
z_{i+1} ≡ a · z_i + b · z_{i−1} + c mod m
The keystream z_i is used to encrypt letters given in 8-bit ASCII code on a
character-by-character basis. That means for each keystream value z_i, one plaintext character x_i is
encrypted as:
y_i ≡ x_i + z_i mod m
Oscar, the attacker, eavesdrops on the communication and happens to know that the
ciphertext contains the name ALICE, starting at position i. Oscar observes the following
ciphertext symbols on the channel:
y_i = 69, y_{i+1} = 47, y_{i+2} = 3, y_{i+3} = 88, y_{i+4} = 217
He also knows that the modulus m = 257 is being used.
Show how Oscar can compute the parameters a, b, and c.

10. Assume the initialization vector (IV) and the key of Trivium each consist of 80 all-zero
bits. Compute the first 70 bits s_1, ..., s_70 during the warm-up phase of Trivium. Note that
these are only internal bits, which are not used for encryption since the warm-up phase
lasts for 1152 clock cycles.
