# Lecture 8: Stream ciphers - LFSR sequences

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Lecture 8: Stream ciphers - LFSR sequences Thomas Johansson T. Johansson (Lund University) 1 / 42

2 Introduction Symmetric encryption algorithms are divided into two main categories, block ciphers and stream ciphers. Block ciphers tend to encrypt a block of characters of a plaintext message using a fixed encryption transformation A stream cipher encrypt individual characters of the plaintext using an encryption transformation that varies with time. A stream cipher built around LFSRs and producing one bit output on each clock = classic stream cipher design. T. Johansson (Lund University) 2 / 42

3 A stream cipher keystream generator z 1, z 2,... m 1, m 2,... c 1, c 2,... z = z 1, z 2,... keystream key K T. Johansson (Lund University) 3 / 42

4 A stream cipher Design goal is to efficiently produce random-looking sequences that are as indistinguishable as possible from truly random sequences. Recall the unbreakable Vernam cipher. For a synchronous stream cipher, a known-plaintext attack (or chosen-plaintext or chosen-ciphertext) is equivalent to having access to the keystream z = z 1, z 2,..., z N. We assume that an output sequence z of length N from the keystream generator is known to Eve. T. Johansson (Lund University) 4 / 42

5 Type of attacks Key recovery attack: Eve tries to recover the secret key K. Distinguishing attack: Eve tries to determine whether a given sequence z = z 1, z 2,..., z N is likely to have been generated from the considered stream cipher or whether it is just a truly random sequence. Distinguishing attack is a much weaker attack T. Johansson (Lund University) 5 / 42

6 Distinguishing attack Let D(z) be an algorithm that takes as input a length N sequence z and as output gives either X or RANDOM. With probability 1/2 the sequence z is produced by generator X and with probability 1/2 it is a purely random sequence. The probability that D(z) correctly determines the origin of z is written 1/2 + ɛ. If ɛ is not very close to zero we say that D(z) is a distinguisher for generator X. T. Johansson (Lund University) 6 / 42

7 Distinguishing attack - example Assume that Alice sends one of N public images {I 1, I 2,..., I N } to Bob. Eve observes the ciphertext c. Guess that the plaintext is the image I 1, i.e., m = I 1. Calculate ẑ = m + c and compute D(ẑ). If the guess m = I 1 was correct then D(ẑ) = X. If not, D(ẑ) = RANDOM. T. Johansson (Lund University) 7 / 42

8 More on attacks Building a (synchronous) stream cipher reduces to the problem of building a generator that is resistant to all distinguishing attacks. There are essentially always both distinguishing attacks and key recovery attacks on a cipher. Exhaustive keysearch; complexity 2 k An attack is considered successful only if the complexity of performing it is considerably lower than 2 k key tests. T. Johansson (Lund University) 8 / 42

9 Building blocks for stream ciphers MEMORY linear feedback shift registers, or LFSRs for short. tables (arrays) Combinatorial function Nonlinear Boolean functions, S-boxes XOR, Modular addition, (cyclic) rotations, (multiplications) T. Johansson (Lund University) 9 / 42

10 Example of a stream cipher design LFSR 1 s (1) j LFSR 2. LFSR n s (2) j. s (n) j z i f T. Johansson (Lund University) 10 / 42

11 Linear feedback shift registers... -c L -c L-1 -c 2 -c 1 s 0,s 1,... s j-l s j-l+1... s j-2 s j-1 s j A register of L delay (storage) elements each capable of storing one element from F q, and a clock signal. Clocking, the register of delay elements is shifted one step and the new value of the last delay element is calculated as a linear function of the content of the register. T. Johansson (Lund University) 11 / 42

12 LFSR sequences The linear function is described through the coefficients c 1, c 2,..., c L F q and the recurrence relation is for j = L, L + 1,.... With c 0 = 1 we can write s j = c 1 s j 1 c 2 s j 2 c L s j L, L c i s j i = 0, for j = L, L + 1,.... i=0 The shift register equation. The first L symbols s 0, s 1,..., s L 1 form the initial state. T. Johansson (Lund University) 12 / 42

13 LFSR sequences The coefficients c 0, c 1,..., c L are summarized in the connection polynomial C(D) defined by C(D) = 1 + c 1 D + c 2 D c L D L. Write < C(D), L > to denote the LFSR with connection polynomial C(D) and length L. D-transform of a sequence s = s 0, s 1, s 2... as assuming s i F q. S(D) = s 0 + s 1 D + s 2 D 2 +, The indeterminate D is the delay and its exponent indicate time. T. Johansson (Lund University) 13 / 42

14 LFSR sequences We assume s i = 0 for i < 0. The set of all such sequences having the form f(d) = f i D i, f i F q, is denoted F q [[D]] and called the ring of formal power series. i=0 T. Johansson (Lund University) 14 / 42

15 Theorem The set of sequences generated by the LFSR with connection polynomial C(D) is the set of sequences that have D-transform S(D) = P (D) C(D), where P (D) is an arbitrary polynomial of degree at most L 1, P (D) = p 0 + p 1 D p L 1 D L 1. Furthermore, the relation between the initial state of the LFSR and the P (D) polynomial is given by the linear relation p 0 p 1. p L 1 = c c L 1 c L s 0 s 1. s L 1. T. Johansson (Lund University) 15 / 42

16 LFSR sequences and extension fields Let π(x) be an irreducible polynomial over F q and assume that its coefficients are π(x) = x L + c 1 x L c L. This means that π(x) is the reciprocal polynomial of C(D). Construct the extension field F q L through π(α) = 0. β from F q L can be expressed in a polynomial basis as where β 0, β 1,... β L 1 F q. β = β 0 + β 1 α + + β L 1 α L 1, T. Johansson (Lund University) 16 / 42

17 LFSR sequences and extension fields Assume that the (unknown) element β is multiplied by the fixed element α. The result is αβ = β 0 α + β 1 α β L 1 α L. Reducing α L using π(α) = 0 gives αβ = c L β L 1 + (β 0 c L 1 β L 1 )α + + (β L 2 c 1 β L 1 )α L 1. -c 1 -c 2 -c L-1 -c L... T. Johansson (Lund University) 17 / 42

18 LFSR sequences and extension fields -c 1 -c 2 -c L-1 -c L... It is quickly checked that when j L. s j = c 1 s j 1 c 2 s j 2 c L s j L, p 0 = s 0, p 1 = s 1 + c 1 s 0, etc, where p 0, p 1,..., p L 1 is the initial state The sequence fulfills the shift register equation, but uses p 0, p 1,... p L 1 as initial state. T. Johansson (Lund University) 18 / 42

19 LFSR sequences and extension fields The set of LFSR sequences, when C(D) is irreducible, is exactly the set of sequences possible to produce by the implementation of multiplication of an element β by the fixed element α in F q L. For a specific sequence specified as S(D) = P (D)/C(D) the initial state is the first L symbols whereas the same sequence is produced in the figure if the initial state is p 0, p 1,..., p L 1. T. Johansson (Lund University) 19 / 42

20 Properties of LFSR sequences A sequence s =..., s 0, s 1,... is called periodic if there is a positive integer T such that s i = s i+t, for all i 0. The period is the least such positive integer T for which s i = s i+t, for all i 0. The LFSR state runs through different values. The initial state will appear again after visiting a number of states. If deg C(D) = L, the period of a sequence is the same as the number of different states visited, before returning to the initial state. T. Johansson (Lund University) 20 / 42

21 Properties of LFSR sequences C(D) irreducible: the state corresponds to an element in F q L, say β. The sequence of different states that we are entering is then where T is the order or α. β, αβ, α 2 β,..., α T 1 β, α T β = β, If α is a primitive element (its order is q L 1), then obviously we will go trough all q L 1 different states and the sequence will have period q L 1. Such sequences are called m-sequences and they appear if and only if the polynomial π(x) is a primitive polynomial. T. Johansson (Lund University) 21 / 42

22 Example Length 4 LFSR with connection polynomial C(D) = 1 + D + D 2 + D 3 + D 4 in F 2. Starting in (0001), we return after 5 clockings of the LFSR. There are three cycles of length 5 and one of length one. Explanation: F 2 4, we get through π(x) = x L C(x 1 ) = x 4 + x 3 + x 2 + x + 1 and π(α) = 0. α 5 = 1 and ord(α) = 5. So starting in any nonzero state β F 2 4, we will jump between the states β, αβ, α 2 β, α 3 β, α 4 β, α 5 β = β. T. Johansson (Lund University) 22 / 42

23 Example Length 4 LFSR with connection polynomial C(D) = 1 + D + D 4 in F 2. Starting in (0001), we return after 15 clockings of the LFSR. Explanation: F 2 4, we get through π(x) = x L C(x 1 ) = x 4 + x and π(α) = 0. α 15 = 1 and ord(α) = 15. π(x) primitive polynomial. So starting in any nonzero state β F 2 4, we will jump between all nnzero states before returning. T. Johansson (Lund University) 23 / 42

24 Properties of LFSR sequences The different state cycles that will appear for an arbitrary LFSR. [s 0, s 1,..., s T 1 ] denote the periodic and causal sequence s 0, s 1,..., s T 1, s 0, s 1,..., s T 1, s 0,..., where s i F q, i = 0, 1,..., T 1. (s 0, s 1,..., s N 1 ) denote a sequence where the first N symbols are s 0, s 1,..., s N 1 (and the upcoming symbols are not defined), where s i F q, i = 0, 1,..., N 1. T. Johansson (Lund University) 24 / 42

25 Properties of LFSR sequences If s = [1, 0, 0,..., 0] then ii s = [0, 1, 0,..., 0] then S(D) = 1 + D T + D 2T + = S(D) = D + D T +1 + D 2T +1 + = In general, if s = [s 0, s 1,..., s T 1 ] then 1 1 D T. D 1 D T S(D) = s 0 1 D T + s 1D 1 D T +... = s 0 + s 1 D + s 2 D s T 1 D T 1 1 D T. (1) T. Johansson (Lund University) 25 / 42

26 Properties of LFSR sequences Definition The period of a polynomial C(D) is the least positive number T such that C(D) (1 D T ). Calculated by division of 1 by C(D) and continuing until the we receive the first remainder of the form 1 D N. Then the period is T = N. (example) T. Johansson (Lund University) 26 / 42

27 Properties of LFSR sequences Theorem If gcd(c(d), P (D)) = 1 then the connection polynomial C(D) and the sequence s with D-transform S(D) = P (D) C(D) have the same period (the period of s is the same as the period of the polynomial C(D)). Note: This C(D) gives the shortest LFSR generating s. Any other connection polynomial generating s must be a multiple of C(D). (example) T. Johansson (Lund University) 27 / 42

28 Properties of LFSR sequences Theorem If two sequences, s A and s B, with periods T A and T B have D-transforms S A (D) = P A(D) C A (D), S B(D) = P B(D) C B (D), then the sum of the sequences s = s A + s B has D-transform S(D) = S A (D) + S B (D) and period lcm(t A, T B ), assuming gcd(p A (D), C A (D)) = 1, gcd(p B (D), C B (D)) = 1, gcd(c A (D), C B (D)) = 1. (example) T. Johansson (Lund University) 28 / 42

29 LFSR cycle sets Introduce the cycle set for C(D) (assuming L = deg C(D)). Written in the form n 1 (T 1 ) n 2 (T 2 ).... 1(1) 3(5), one cycle of length one and three cycles of length 5. n 1 (T ) n 2 (T ) = (n 1 + n 2 )(T ). T. Johansson (Lund University) 29 / 42

30 LFSR cycle sets Already established facts: If C(D) is a primitive polynomial of degree L over F q then the cycle set is 1(1) (1)(q L 1). If C(D) is an irreducible polynomial then the cycle set is 1(1) (ql 1) (T ), T where T is the period of the polynomial C(D) (or the order of α when π(α) = 0). T. Johansson (Lund University) 30 / 42

31 LFSR cycle sets - remaining cases Theorem If C(D) = C 1 (D) n then the cycle set of C(D) is 1(1) (ql 1 1) T 1 (T 1 ) ql1 (q L1 1) T 2 (T 2 ) q(n 1)L1 (q L1 1) T n (T n ), where deg C(D) = L and T j is the period of the polynomial C 1 (D) j. Theorem If C 1 (D) is irreducible with period T 1, then the period of the polynomial C 1 (D) j is T j = p m T 1 where p is the characteristic of the field and m the integer satisfying p m 1 < j p m. (example) T. Johansson (Lund University) 31 / 42

32 LFSR cycle sets - remaining cases Theorem For a connection polynomial C(D) factoring like C(D) = C 1 (D) n 1 C 2 (D) n2 C m (D) nm, C i (D) irreducible, has cycle set S 1 S 2 S m, where S i is the cycle set for C n i i, and (n 1 )T 1 (n 2 )(T 2 ) = (n 1 n 2 gcd(t 1, T 2 )(lcm(t 1, T 2 )) and the distributive law holds for and. (example) T. Johansson (Lund University) 32 / 42

33 Decimation An m-sequence s = s 0, s 1, s 2,... Define the sequence s obtained through decimation by k, defined as the sequence s = s 0, s k, s 2k, s 3k,.... s correspond to multiplication of β by the fixed element α. It is clear that s corresponds to multiplication of β by the fixed element α k, i.e, the cycle of different states correspond to the sequence β, α k β, α 2k β,..., α (T 1)k β, α T k β = β. the period of s is ord(α k ) and ord(α k ) = q L 1/ gcd(q L 1, k). T. Johansson (Lund University) 33 / 42

34 Decimation - advanced F q L through a degree L polynomial π(x) F q [x] with π(α) = 0. Let β F q and consider the set of polynomials F(β) = {f(x) F q [x] : f(β) = 0}. The set will contain at least one polynomial of degree L. Let f 0 (x) be the polynomial in F(β) of lowest degree. Any other polynomial f(x) in F(β) can be written as f(x) = q(x)f 0 (x) + r(x), deg r(x) < deg f 0 (x) and 0 = f(β) = q(β)f 0 (β) + r(β) = r(β). So r(β) = 0 and this means that f 0 (x) f(x) for all polynomials f(x) in F(β). T. Johansson (Lund University) 34 / 42

35 Decimation - minimal polynomial The polynomial f 0 (x) is called the minimal polynomial of the element β. The minimal polynomial to β, now denoted π β (x), can be calculated as π β (x) = (x β)(x β q )(x β q2 ) (x β qd 1 ), where d is the smallest integer such that q d 1 mod ord(β) (d is the number of conjugates of β). T. Johansson (Lund University) 35 / 42

36 The reciprocal of the minimal polynomial π β (x) gives the connection polynomial for a minimal LFSR producing a sequence corresponding to the state sequence β, α k β, α 2k β,..., α (T 1)k β, α T k β = β. The decimated sequence s can be generated by an LFSR with a connection polynomial being the reciprocal of π α k(x). (example) T. Johansson (Lund University) 36 / 42

37 Statistical properties of LFSR sequences The importance of LFSR sequences in general and m-sequences in particular is due to their pseudo randomness properties. s = s 0, s 1,... is an m-sequence, recall that an r-gram is a subsequence of length r, Theorem for t = 0, 1,.... (s t, s t + 1,..., s t+r 1 ), Among the q L 1 L-grams that can be constructed for t = 0, 1,..., q L 2, every nonzero vector appears exactly once. T. Johansson (Lund University) 37 / 42

38 Statistical properties of LFSR sequences Run-distribution properties of m-sequences. A run of length r in a sequence s is a subsequence of exactly r zeros (or ones). This means that the r zeros must have a one before. T. Johansson (Lund University) 38 / 42

39 Statistical properties of LFSR sequences Theorem The run distribution of any m-sequence of length 2 L 1 is given as length 0-runs 1-runs 1 2 L 3 2 L L 4 2 L 4... L L L 0 1 Total 2 L 2 2 L 2 T. Johansson (Lund University) 39 / 42

40 Statistical properties of LFSR sequences The autocorrelation function. Let x, y be two binary sequences of the same length n. The correlation C(x, y) between the two sequences is defined as the number of positions of agreements minus the number of disagreements. The autocorrelation function C(τ) is defined to be the correlation between a sequence x and its τth cyclic shift, i.e., C(τ) = n ( 1) x i+x i+τ, (2) i=1 where subscripts are taken modulo n and addition in the exponent is mod 2 addition. T. Johansson (Lund University) 40 / 42

41 Statistical properties of LFSR sequences Theorem If s is an m-sequence of length 2 L 1, then { 2 C(τ) = L 1 if τ 0 (mod n) 1 otherwise T. Johansson (Lund University) 41 / 42

42 Statistical properties of LFSR sequences More comments: The decimation of an m-sequence or the sum of two different m-sequences are (under some assumptions) again m-sequences. One property is completely away from random sequences. Let the binary m-sequence be generated by the recursion s j = L i=1 c is j i. By forming a set of random variables X j = L i=0 c is j i, j L we see that P (X j = 0) = 1. An extreme point of nonrandomness. T. Johansson (Lund University) 42 / 42

### Algebraic Attacks on SOBER-t32 and SOBER-t16 without stuttering

Algebraic Attacks on SOBER-t32 and SOBER-t16 without stuttering Joo Yeon Cho and Josef Pieprzyk Center for Advanced Computing Algorithms and Cryptography, Department of Computing, Macquarie University,

### Network Security: Cryptography CS/SS G513 S.K. Sahay

Network Security: Cryptography CS/SS G513 S.K. Sahay BITS-Pilani, K.K. Birla Goa Campus, Goa S.K. Sahay Network Security: Cryptography 1 Introduction Network security: measure to protect data/information

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards

### (x + a) n = x n + a Z n [x]. Proof. If n is prime then the map

22. A quick primality test Prime numbers are one of the most basic objects in mathematics and one of the most basic questions is to decide which numbers are prime (a clearly related problem is to find

### Quotient Rings and Field Extensions

Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.

### MODULAR ARITHMETIC. a smallest member. It is equivalent to the Principle of Mathematical Induction.

MODULAR ARITHMETIC 1 Working With Integers The usual arithmetic operations of addition, subtraction and multiplication can be performed on integers, and the result is always another integer Division, on

### Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. We begin by defining the ring of polynomials with coefficients in a ring R. After some preliminary results, we specialize

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Introduction to Finite Fields (cont.)

Chapter 6 Introduction to Finite Fields (cont.) 6.1 Recall Theorem. Z m is a field m is a prime number. Theorem (Subfield Isomorphic to Z p ). Every finite field has the order of a power of a prime number

### Example: Systematic Encoding (1) Systematic Cyclic Codes. Systematic Encoding. Example: Systematic Encoding (2)

S-72.3410 Cyclic Codes 1 S-72.3410 Cyclic Codes 3 Example: Systematic Encoding (1) Systematic Cyclic Codes Polynomial multiplication encoding for cyclic linear codes is easy. Unfortunately, the codes obtained

### minimal polyonomial Example

Minimal Polynomials Definition Let α be an element in GF(p e ). We call the monic polynomial of smallest degree which has coefficients in GF(p) and α as a root, the minimal polyonomial of α. Example: We

### 3. Applications of Number Theory

3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

### Finite Fields and Error-Correcting Codes

Lecture Notes in Mathematics Finite Fields and Error-Correcting Codes Karl-Gustav Andersson (Lund University) (version 1.013-16 September 2015) Translated from Swedish by Sigmundur Gudmundsson Contents

### Mathematics of Cryptography Modular Arithmetic, Congruence, and Matrices. A Biswas, IT, BESU SHIBPUR

Mathematics of Cryptography Modular Arithmetic, Congruence, and Matrices A Biswas, IT, BESU SHIBPUR McGraw-Hill The McGraw-Hill Companies, Inc., 2000 Set of Integers The set of integers, denoted by Z,

### The finite field with 2 elements The simplest finite field is

The finite field with 2 elements The simplest finite field is GF (2) = F 2 = {0, 1} = Z/2 It has addition and multiplication + and defined to be 0 + 0 = 0 0 + 1 = 1 1 + 0 = 1 1 + 1 = 0 0 0 = 0 0 1 = 0

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Lecture 13: Factoring Integers

CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

### Galois Fields and Hardware Design

Galois Fields and Hardware Design Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields Priyank Kalla Associate Professor Electrical

### Basic Algorithms In Computer Algebra

Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### COMP 250 Fall 2012 lecture 2 binary representations Sept. 11, 2012

Binary numbers The reason humans represent numbers using decimal (the ten digits from 0,1,... 9) is that we have ten fingers. There is no other reason than that. There is nothing special otherwise about

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

### The mathematics of RAID-6

The mathematics of RAID-6 H. Peter Anvin First version 20 January 2004 Last updated 20 December 2011 RAID-6 supports losing any two drives. syndromes, generally referred P and Q. The way

### Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis by Susana Sin A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master

### Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem) In order to understand the details of the Fingerprinting Theorem on fingerprints of different texts from Chapter 19 of the

### Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Introduction

### 11 Multivariate Polynomials

CS 487: Intro. to Symbolic Computation Winter 2009: M. Giesbrecht Script 11 Page 1 (These lecture notes were prepared and presented by Dan Roche.) 11 Multivariate Polynomials References: MC: Section 16.6

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### The mathematics of RAID-6

The mathematics of RAID-6 H. Peter Anvin 1 December 2004 RAID-6 supports losing any two drives. The way this is done is by computing two syndromes, generally referred P and Q. 1 A quick

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### March 29, 2011. 171S4.4 Theorems about Zeros of Polynomial Functions

MAT 171 Precalculus Algebra Dr. Claude Moore Cape Fear Community College CHAPTER 4: Polynomial and Rational Functions 4.1 Polynomial Functions and Models 4.2 Graphing Polynomial Functions 4.3 Polynomial

### Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

### Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Network Security Chapter 6 Random Number Generation Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science University of Tübingen http://net.informatik.uni-tuebingen.de/

### Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00

18.781 Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00 Throughout this assignment, f(x) always denotes a polynomial with integer coefficients. 1. (a) Show that e 32 (3) = 8, and write down a list

### Computer Algebra for Computer Engineers

p.1/14 Computer Algebra for Computer Engineers Preliminaries Priyank Kalla Department of Electrical and Computer Engineering University of Utah, Salt Lake City p.2/14 Notation R: Real Numbers Q: Fractions

### Factoring Polynomials

Factoring Polynomials Sue Geller June 19, 2006 Factoring polynomials over the rational numbers, real numbers, and complex numbers has long been a standard topic of high school algebra. With the advent

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

### Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any.

Algebra 2 - Chapter Prerequisites Vocabulary Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any. P1 p. 1 1. counting(natural) numbers - {1,2,3,4,...}

### Application of cube attack to block and stream ciphers

Application of cube attack to block and stream ciphers Janusz Szmidt joint work with Piotr Mroczkowski Military University of Technology Military Telecommunication Institute Poland 23 czerwca 2009 1. Papers

### Fractions and Decimals

Fractions and Decimals Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles December 1, 2005 1 Introduction If you divide 1 by 81, you will find that 1/81 =.012345679012345679... The first

### FACTORING SPARSE POLYNOMIALS

FACTORING SPARSE POLYNOMIALS Theorem 1 (Schinzel): Let r be a positive integer, and fix non-zero integers a 0,..., a r. Let F (x 1,..., x r ) = a r x r + + a 1 x 1 + a 0. Then there exist finite sets S

### Let s just do some examples to get the feel of congruence arithmetic.

Basic Congruence Arithmetic Let s just do some examples to get the feel of congruence arithmetic. Arithmetic Mod 7 Just write the multiplication table. 0 1 2 3 4 5 6 0 0 0 0 0 0 0 0 1 0 1 2 3 4 5 6 2 0

### 8 Primes and Modular Arithmetic

8 Primes and Modular Arithmetic 8.1 Primes and Factors Over two millennia ago already, people all over the world were considering the properties of numbers. One of the simplest concepts is prime numbers.

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### PROBLEM SET 6: POLYNOMIALS

PROBLEM SET 6: POLYNOMIALS 1. introduction In this problem set we will consider polynomials with coefficients in K, where K is the real numbers R, the complex numbers C, the rational numbers Q or any other

### Cryptanalysis of Grain using Time / Memory / Data Tradeoffs

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs v1.0 / 2008-02-25 T.E. Bjørstad The Selmer Center, Department of Informatics, University of Bergen, Pb. 7800, N-5020 Bergen, Norway. Email :

### 3.4 Complex Zeros and the Fundamental Theorem of Algebra

86 Polynomial Functions.4 Complex Zeros and the Fundamental Theorem of Algebra In Section., we were focused on finding the real zeros of a polynomial function. In this section, we expand our horizons and

### FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization

### The Stream Cipher HC-128

The Stream Cipher HC-128 Hongjun Wu Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun@esat.kuleuven.be Statement 1. HC-128 supports 128-bit

### Security and Authentication Primer

Security and Authentication Primer Manfred Jantscher and Peter H. Cole Auto-ID Labs White Paper WP-HARDWARE-025 Mr. Manfred Jantscher Visiting Master Student, School of Electrical and Electronics Engineering,

### Algebra 2 Chapter 1 Vocabulary. identity - A statement that equates two equivalent expressions.

Chapter 1 Vocabulary identity - A statement that equates two equivalent expressions. verbal model- A word equation that represents a real-life problem. algebraic expression - An expression with variables.

### Elements of Applied Cryptography Public key encryption

Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

### 7. Some irreducible polynomials

7. Some irreducible polynomials 7.1 Irreducibles over a finite field 7.2 Worked examples Linear factors x α of a polynomial P (x) with coefficients in a field k correspond precisely to roots α k [1] of

### Binary Number System. 16. Binary Numbers. Base 10 digits: 0 1 2 3 4 5 6 7 8 9. Base 2 digits: 0 1

Binary Number System 1 Base 10 digits: 0 1 2 3 4 5 6 7 8 9 Base 2 digits: 0 1 Recall that in base 10, the digits of a number are just coefficients of powers of the base (10): 417 = 4 * 10 2 + 1 * 10 1

### Network Security. Chapter 6 Random Number Generation

Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudo-random generation

### A NEW HASH ALGORITHM: Khichidi-1

A NEW HASH ALGORITHM: Khichidi-1 Abstract This is a technical document describing a new hash algorithm called Khichidi-1 and has been written in response to a Hash competition (SHA-3) called by National

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### ECE 842 Report Implementation of Elliptic Curve Cryptography

ECE 842 Report Implementation of Elliptic Curve Cryptography Wei-Yang Lin December 15, 2004 Abstract The aim of this report is to illustrate the issues in implementing a practical elliptic curve cryptographic

### Notes 11: List Decoding Folded Reed-Solomon Codes

Introduction to Coding Theory CMU: Spring 2010 Notes 11: List Decoding Folded Reed-Solomon Codes April 2010 Lecturer: Venkatesan Guruswami Scribe: Venkatesan Guruswami At the end of the previous notes,

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### it is easy to see that α = a

21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore

### Physical-Layer Security: Combining Error Control Coding and Cryptography

1 Physical-Layer Security: Combining Error Control Coding and Cryptography Willie K Harrison and Steven W McLaughlin arxiv:09010275v2 [csit] 16 Apr 2009 Abstract In this paper we consider tandem error

### 4.3 Analog-to-Digital Conversion

4.3 Analog-to-Digital Conversion overview including timing considerations block diagram of a device using a DAC and comparator example of a digitized spectrum number of data points required to describe

### Winter Camp 2011 Polynomials Alexander Remorov. Polynomials. Alexander Remorov alexanderrem@gmail.com

Polynomials Alexander Remorov alexanderrem@gmail.com Warm-up Problem 1: Let f(x) be a quadratic polynomial. Prove that there exist quadratic polynomials g(x) and h(x) such that f(x)f(x + 1) = g(h(x)).

### Intro to Rings, Fields, Polynomials: Hardware Modeling by Modulo Arithmetic

Intro to Rings, Fields, Polynomials: Hardware Modeling by Modulo Arithmetic Priyank Kalla Associate Professor Electrical and Computer Engineering, University of Utah kalla@ece.utah.edu http://www.ece.utah.edu/~kalla

### Factoring Algorithms

Institutionen för Informationsteknologi Lunds Tekniska Högskola Department of Information Technology Lund University Cryptology - Project 1 Factoring Algorithms The purpose of this project is to understand

### Network Security. Omer Rana

Network Security Omer Rana CM0255 Material from: Cryptography Components Sender Receiver Plaintext Encryption Ciphertext Decryption Plaintext Encryption algorithm: Plaintext Ciphertext Cipher: encryption

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### Cryptography Exercises

Cryptography Exercises 1 Contents 1 source coding 3 2 Caesar Cipher 4 3 Ciphertext-only Attack 5 4 Classification of Cryptosystems-Network Nodes 6 5 Properties of modulo Operation 10 6 Vernam Cipher 11

Hill Cipher Project K80TTQ1EP-??,VO.L,XU0H5BY,_71ZVPKOE678_X,N2Y-8HI4VS,,6Z28DDW5N7ADY013 Directions: Answer all numbered questions completely. Show non-trivial work in the space provided. Non-computational

### Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras

Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture No. # 31 Recursive Sets, Recursively Innumerable Sets, Encoding

### Basics of Polynomial Theory

3 Basics of Polynomial Theory 3.1 Polynomial Equations In geodesy and geoinformatics, most observations are related to unknowns parameters through equations of algebraic (polynomial) type. In cases where

### SOLVING POLYNOMIAL EQUATIONS

C SOLVING POLYNOMIAL EQUATIONS We will assume in this appendix that you know how to divide polynomials using long division and synthetic division. If you need to review those techniques, refer to an algebra

### Lecture 1: Course overview, circuits, and formulas

Lecture 1: Course overview, circuits, and formulas Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: John Kim, Ben Lund 1 Course Information Swastik

### These axioms must hold for all vectors ū, v, and w in V and all scalars c and d.

DEFINITION: A vector space is a nonempty set V of objects, called vectors, on which are defined two operations, called addition and multiplication by scalars (real numbers), subject to the following axioms

### a 11 x 1 + a 12 x 2 + + a 1n x n = b 1 a 21 x 1 + a 22 x 2 + + a 2n x n = b 2.

Chapter 1 LINEAR EQUATIONS 1.1 Introduction to linear equations A linear equation in n unknowns x 1, x,, x n is an equation of the form a 1 x 1 + a x + + a n x n = b, where a 1, a,..., a n, b are given

### Lecture 4 Data Encryption Standard (DES)

Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption

### Zeros of a Polynomial Function

Zeros of a Polynomial Function An important consequence of the Factor Theorem is that finding the zeros of a polynomial is really the same thing as factoring it into linear factors. In this section we

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### Introduction to Hill cipher

Introduction to Hill cipher We have explored three simple substitution ciphers that generated ciphertext C from plaintext p by means of an arithmetic operation modulo 26. Caesar cipher: The Caesar cipher

1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

### The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) Conception - Why A New Cipher? Conception - Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56-bit key was too small Too slow

### Vocabulary Words and Definitions for Algebra

Name: Period: Vocabulary Words and s for Algebra Absolute Value Additive Inverse Algebraic Expression Ascending Order Associative Property Axis of Symmetry Base Binomial Coefficient Combine Like Terms

### The Division Algorithm for Polynomials Handout Monday March 5, 2012

The Division Algorithm for Polynomials Handout Monday March 5, 0 Let F be a field (such as R, Q, C, or F p for some prime p. This will allow us to divide by any nonzero scalar. (For some of the following,

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### Introduction to finite fields

Introduction to finite fields Topics in Finite Fields (Fall 2013) Rutgers University Swastik Kopparty Last modified: Monday 16 th September, 2013 Welcome to the course on finite fields! This is aimed at

### PUTNAM TRAINING POLYNOMIALS. Exercises 1. Find a polynomial with integral coefficients whose zeros include 2 + 5.

PUTNAM TRAINING POLYNOMIALS (Last updated: November 17, 2015) Remark. This is a list of exercises on polynomials. Miguel A. Lerma Exercises 1. Find a polynomial with integral coefficients whose zeros include

### some algebra prelim solutions

some algebra prelim solutions David Morawski August 19, 2012 Problem (Spring 2008, #5). Show that f(x) = x p x + a is irreducible over F p whenever a F p is not zero. Proof. First, note that f(x) has no

### HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Math 7 Fall 205 HOMEWORK 5 SOLUTIONS Problem. 2008 B2 Let F 0 x = ln x. For n 0 and x > 0, let F n+ x = 0 F ntdt. Evaluate n!f n lim n ln n. By directly computing F n x for small n s, we obtain the following

### Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture