Cryptography Reference
In-Depth Information
so,
CS
i
=
S
i
+1
for
i
=0
,
1
,...,L
−
1
.
For instance, take the case in Example 3.6.
0101
1000
0100
001 0
1
0
1
1
C
=
and
S
2
=
,
so
1
1
0
1
CS
2
=
=
S
3
=
S
L
=
S
0
.
LFSRs are amenable to hardware implementations, the costs of which are
low, and LFSRs are extremely fast. The choice of the bits to be tapped can
ensure a statistically random appearance of output bits. Thus, an LFSR can
be used as a PRNG, but not a CSPRNG, since LFSRs are very susceptible to
known-plaintext attacks. All a cryptanalyst needs is a few bits of consecutive
plaintext and corresponding ciphertext, then by adding modulo 2, eventually the
bits of the key are determined. Bitstrings output by a single LFSR are not secure
since sequential bits are linear, so it only takes 2
output bits of the LFSR to
determine it, even if the feedback scheme is unknown to the cryptanalyst. Thus,
LFSRs become a trade-off between speed and security. If one is not concerned
with security, but rather speed, such as in cable television transmission, then
LFSRs are a good bet. For systems of communications requiring high security,
they are not. However, they can be built into
non
-linear PRNGs. For examples
of this and a deeper insight into LFSRs, see [111], [169, pages 119-126], and
[283], as well as [287] for a cryptanalytic perspective.
In the concluding section of this chapter, we will look at the most popular
and highly secure stream cipher.
Diagram 3.9 A GenericLinear Feedbak Shift Register
←−−−−
⊕ ←−−−−
⊕ ←−−−−
−−−−→
−−−−→ −−−→
Search WWH ::
Custom Search