A truly random secret key is run through a cipher
secretKey ⊕ (secretKey ≪ 1)
is randomness lost? As in, is the computational cost to guess the ciphertext from secretKey ⊕ (secretKey << 1)
lower than the cost to guess secretKey
?
While bmm6o's answer is correct, I want to give another angle onto things.
The function / transformation you described is linear! Specifically, it is a linear function over the vector space $\mathbb F_2^n$ if you consider $n$-bit inputs. Now this means that you can apply all the tricks you learned in linear algebra to this transformation, which is characterized by the following matrix for $n=4$ (assuming $\ll$ denotes cyclic shift instead of logical shift):
\begin{equation} \begin{pmatrix} x_1'\\x_2'\\x_3'\\x_4' \end{pmatrix} = \begin{pmatrix} 1&0&0&1\\ 1&1&0&0\\ 0&1&1&0\\ 0&0&1&1 \end{pmatrix} \cdot \begin{pmatrix} x_1\\x_2\\x_3\\x_4 \end{pmatrix} \end{equation}
If $\ll$ denotes logical shift (i.e. fill up on the right with 0 instead of what was pushed out), then simply replace the top-right $1$ with $0$.
As it turns out, if you have the top-right $1$, the determinant of the matrix is $0$, which also means the transformation is not a permutation, as there's no unique inverse function!
However, if we use the version with a logical shift instead, we always get a determinant of $1$ and thus the confirmation that this indeed describes a permutation (and if we want to, we can also invert it).
To see the above assertions, let's call the matrix $A$ and the value of the top-right bit $b$. Note $A-I$ is the companion matrix to the polynomial $x^n-b$, which means the characteristic polynomial of $A-I$ is $x^n-b$. Now the characteristic polynomial of a matrix $B$ is equal to $\det(B-xI)$, which in our case is $\det((A-I)-xI)=\det(A-(x+1)I)$, which for $x=-1$ yields $\det(A)=(-1)^n-b$; however, in $\mathbb F_2$, $-1$ is equal to $1$, meaning $\det(A)=1-b$, which implies that the key transformation is invertible (and thus entropy-preserving) iff a logical instead of a cyclical shift is used, for all sizes of the input and output! Credit goes to Will Jagy for the inspiration (and for a shorter, but more mathy explanation).
The function $f(x) = x \oplus (x << 1)$ defines a permutation:
000 -> 000
001 -> 011
010 -> 110
011 -> 101
100 -> 100
101 -> 111
110 -> 010
111 -> 001
So there is no loss of entropy.
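Added example (editor's code, not part of either answer above): the shift-XOR map $f(x) = x \oplus (x \ll 1)$ written both bitwise and as a matrix over $\mathbb F_2$, so the two preceding answers can be checked mechanically. It rebuilds the $n=4$ matrix from the linear-algebra answer, computes its determinant over GF(2) for the logical and the cyclic variant, reproduces the 3-bit permutation table, counts distinct outputs, and inverts the logical-shift version (the inverse is the prefix-XOR of the output, since the shift operator is nilpotent). All function names are my own; the bit-0 row of the matrix corresponds to $x_1$ in the answer's notation.

```python
"""Added example, not code from any answer on this page: the shift-XOR map
f(x) = x XOR (x << 1) on n-bit words, written as a matrix over GF(2).

It checks the two claims made above:
  * with a logical shift the matrix has determinant 1, f is a permutation
    (no entropy lost) and the inverse is the prefix-XOR of the output;
  * with a cyclic shift (rotation) the matrix is singular and f is 2-to-1.
"""


def shift_xor(x, n, cyclic=False):
    """f(x) = x ^ (x << 1) on an n-bit word. cyclic=True turns << into a rotation."""
    mask = (1 << n) - 1
    shifted = (x << 1) & mask           # logical shift: the top bit is dropped
    if cyclic:
        shifted |= x >> (n - 1)         # rotation: the dropped bit re-enters at bit 0
    return x ^ shifted


def matrix(n, cyclic=False):
    """GF(2) matrix M with f(x) = M.x; row/column i is bit i (bit 0 = x_1 above)."""
    m = [[0] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = 1                      # the x term (identity)
        if i > 0:
            m[i][i - 1] = 1              # the (x << 1) term: bit i-1 feeds bit i
        elif cyclic:
            m[0][n - 1] ^= 1             # wrap-around: bit n-1 feeds bit 0
    return m


def apply_matrix(m, x):
    """Multiply M by the bit vector of x over GF(2); returns the result as an int."""
    y = 0
    for i, row in enumerate(m):
        bit = 0
        for j, a in enumerate(row):
            bit ^= a & (x >> j) & 1
        y |= bit << i
    return y


def det_gf2(m):
    """Determinant over GF(2) by Gaussian elimination; rows held as bitmasks."""
    n = len(m)
    rows = [sum(bit << j for j, bit in enumerate(r)) for r in m]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r] >> col & 1), None)
        if pivot is None:
            return 0                     # no pivot in this column: rank < n
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r] >> col & 1:
                rows[r] ^= rows[col]
    return 1


def invert_logical(y, n):
    """Undo f for the logical shift. With T = shift-by-one, T^n = 0, so
    (I + T)^-1 = I + T + T^2 + ... + T^(n-1): x is the prefix-XOR of y."""
    mask = (1 << n) - 1
    x = y
    for s in range(1, n):
        x ^= (y << s) & mask
    return x


def image_size(n, cyclic=False):
    """Number of distinct outputs over all 2^n inputs (2^n iff f is a permutation)."""
    return len({shift_xor(x, n, cyclic) for x in range(1 << n)})


def truth_table(n, cyclic=False):
    """[(x, f(x))] for every n-bit x, in the order of the permutation table above."""
    return [(x, shift_xor(x, n, cyclic)) for x in range(1 << n)]


if __name__ == "__main__":
    for cyclic in (False, True):
        kind = "cyclic" if cyclic else "logical"
        print(f"{kind:7s} n=4: det={det_gf2(matrix(4, cyclic))} "
              f"distinct outputs={image_size(4, cyclic)}/16")
    for x, y in truth_table(3):
        print(f"{x:03b} -> {y:03b}")
    # f is invertible for the logical shift, so the "derived" key reveals the
    # original key outright: it adds no secrecy, only a change of representation.
    k = 0b10110010                       # constructed sample key, 8 bits
    assert invert_logical(shift_xor(k, 8), 8) == k
```

Run as a script it prints determinant and output count for both shift kinds at $n=4$ and the same 3-bit table as the answer above. For the cyclic variant the all-ones word sits in the kernel (it rotates onto itself and XORs to zero), which is exactly why the determinant vanishes and every output is hit twice.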
Converting my comments into an answer:
If your secret key is cryptographically secure, you don't really gain anything by applying such a shift-XOR — but indeed, there is no entropy loss.
What's a bit unclear to me is why you would do that, or which (cryptographic) problem are you trying to solve by doing so.
In the end, you're merely applying a cryptographically insecure permutation on a secret… with no entropy loss but no real cryptographic gain either.
Depending on the specific scenario you might have in mind, let me drop a heads-up that using several outputs/derivations of a secret permuted this way can and will introduce attack vectors.
If by 'truly random secret key' you mean a sequence of random bits; and if you then XOR (exclusive or) those random bits with an equal amount of ciphertext that was derived somehow from that secret key, I would say the result is also random.
This appears to be an example of a One Time Pad, where the ciphertext is the message and the 'truly random secret key' is the key. Given a random key the same length as the message, the output of a OTP is indistinguishable from a random value.
This appears to be an example of a One Time Pad
— No, because OTP expects both message and key to be the same length. In the case the Q describes, the last bit remains unchanged/unflipped in 100% of the cases, which might or might not be considered as leakage of that last bit, or a 1-bit key repetition problem when projecting this onto an OTP scenario. This would be bad because the non-changing bit can be detected and exploited as an attack vector. (How successful such an attack would be merely depends on the length of the secret and the number of times that shift-XOR is repeated and applied.)
– e-sushi
Mar 01 '18 at 18:05
1469 >> 1 becomes 9146
– lsh Mar 01 '18 at 18:22