
How can I calculate the polynomial and state of an LFSR given 2n (or more) non-consecutive keystream bits? It is known to be n bits. If they were consecutive, I could use the Berlekamp–Massey algorithm.

Simple example: n is 7 and I know the keystream is 0...0...1...0...1...0...1...1...1...0...1...0...1...0 where the . is an unknown bit

Any explanation or reference to paper or text book with algorithm will be greatly appreciated.

PurpleTree
  • I wonder if the question was related to a puzzle I'd created at the time: https://www.geocaching.com/geocache/GC7NE2Q_heroes-of-bp-5 :) :) – MartinC Sep 22 '18 at 16:58

1 Answer


We are given the sequence $b_i$ for $i$ multiple of $m>1$ with $0\le i<2n\,m$.

  • If all the given $b_i$ are identical, we can't compute any missing $b_i$ (beyond a wild guess they are all $b_0$), stop.
  • Build the sequence of $2n$ known bits $c_j=b_{(j\,m)}$ with $0\le j<2n$.
  • Use Berlekamp–Massey to find an LFSR (polynomial $P$ of degree $k$ and $k$-bit initial state) matching $c_j$.
  • Find some period $p$ of the $c_j$. For small degree $k$, we can simulate operation of the LFSR until the state repeats (OK to say $k\le40$ on a PC) or we can use baby-step/giant-step (OK to say $k\le75$ on a PC, see final section of this former revision). But more generally, if $P$ factors into a product of irreducible polynomials of degrees $k_r$ (thus with $k=\sum k_r$), then a period is $p=\prod(2^{k_r}-1)$.
    Note: For a large polynomial, we can still efficiently compute $c_j$ for large arbitrary $j$ (see this), once we have $P$ and the starting state.
  • If $\gcd(m,p)=1$, then $b_i$ also has period $p$, thus $\forall j\in\Bbb N,\ c_j=b_{(j\,m\bmod p)}$ ; it follows that $\forall i\in\Bbb N, b_i=c_{(i\,m^{-1}\bmod p)}$
    Note: $m^{-1}\bmod p$ needs to be computed only once, e.g. with the half extended Euclidean algorithm.
    Note: with $p=\prod(2^{k_r}-1)$ and $m$ a power of two as in the question, $\gcd(m,p)=1$ always holds. If $\gcd(m,p)\ne1$, it might be possible to find a smaller period, by factoring $p$ and iteratively removing those factors that leave what remains a period, until finding the smallest period $p_\text{min}$ (which depends on the irreducible factors of $P$ being primitive or not, and on the starting point). $\gcd(m,p_\text{min})=1$ allows us to conclude without guesswork.

Once $2k$ consecutive $b_j$ are found, an easy option to find the LFSR yielding them is to use Berlekamp–Massey again. The initial state of the LFSR for the $b_j$ (in Fibonacci form) is of course the first $k$ bits $b_i$.

Not covered (yet?): polynomial arithmetic would allow us to derive the LFSR for the $b_j$ directly from the one for the $c_j$; and to conclude when $\gcd(m,p_\text{min})\ne1$ and partial information on the $b_j$ is available.

fgrieu
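The procedure in this answer, as an added Python example (not fgrieu's code): Berlekamp–Massey on the known bits $c_j$, the period by simulation (the small-$k$ case), $m^{-1}\bmod p$, then Berlekamp–Massey again on the reconstructed $b_i$. The 7-bit generator, its taps and its starting state are constructed for the demo, with every second bit known as in the question.

```python
from math import gcd

def berlekamp_massey(s):
    """Minimal GF(2) LFSR of bit list s: (L, C) with C[0]=1, s[j] = XOR_i C[i]&s[j-i]."""
    C, B, L, m = [1], [1], 0, 1
    for j, bit in enumerate(s):
        d = bit ^ (sum(C[i] & s[j - i] for i in range(1, L + 1)) & 1)
        if d:                                    # discrepancy: C(x) += x^m B(x)
            T = C[:]
            C = C + [0] * (len(B) + m - len(C))
            for i, b in enumerate(B):
                C[i + m] ^= b
            if 2 * L <= j:
                L, B, m = j + 1 - L, T, 0
        m += 1
    return L, C[:L + 1]

def lfsr_bits(L, C, state, count):
    """Run the Fibonacci LFSR (L, C) from its first L output bits; return count bits."""
    s = list(state)
    while len(s) < count:
        s.append(sum(C[i] & s[-i] for i in range(1, L + 1)) & 1)
    return s[:count]

def period(L, C, state):
    """Period by brute-force simulation until the L-bit window repeats (small k only)."""
    s = lfsr_bits(L, C, state, 2 ** L + L)
    return next((p for p in range(1, 2 ** L + 1) if s[p:p + L] == s[:L]), None)

def recover(known, m, n):
    """known = [b_0, b_m, b_2m, ...], at least 2n bits from an n-bit LFSR.
    Returns (L, C, 2L consecutive bits of b) or None when the method cannot conclude."""
    c = known[:2 * n]
    if len(set(c)) == 1:
        return None                              # all identical: nothing to learn
    k, P = berlekamp_massey(c)                   # LFSR generating c_j = b_{jm}
    p = period(k, P, c[:k])
    if p is None or gcd(m, p) != 1:
        return None                              # the argument needs gcd(m, p) = 1
    m_inv = pow(m, -1, p)                        # m^{-1} mod p (Python 3.8+)
    c_full = lfsr_bits(k, P, c[:k], p)           # one full period of c_j
    b = [c_full[(i * m_inv) % p] for i in range(2 * k)]   # b_i = c_{i m^{-1} mod p}
    return (*berlekamp_massey(b), b)

# Constructed demo: n = 7, C(x) = 1 + x^6 + x^7 (primitive), m = 2 as in the question.
TRUE_C = [1, 0, 0, 0, 0, 0, 1, 1]
STREAM = lfsr_bits(7, TRUE_C, [1, 0, 0, 0, 0, 0, 0], 28)
RESULT = recover(STREAM[0::2], 2, 7)             # (7, TRUE_C, first 14 bits of STREAM)
```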
  • Thanks very much. I think I understand now. My initial example did not work as it failed in the gcd-step. I have changed it to one that is solvable. – PurpleTree Jun 07 '18 at 18:33
  • how does one "efficiently compute c_j for large arbitrary j"? – Les Jul 09 '18 at 01:19
  • @fgrieu - I'm confused. In #1 for example, let j=9, the binary expression for J is b1001 or 2^3 + 2^0, then "step the generator 2^i for each i"? Isn't that 9 steps? What if j=2305843009213693952 (mod (2^64-1)). To step the generator that many times would take years, wouldn't it? – Les Jul 09 '18 at 11:20
  • @fgrieu - I have opened a new question on efficiently finding $c_j$ for large $j$ - https://crypto.stackexchange.com/questions/60634/lfsr-jump-ahead-algorithm – Les Jul 09 '18 at 11:23
  • @fgrieu - what are the parameters to the baby-step-giant-step if I've computed a non-primitive P, order K in field GF($2^K$)? Am I correct in assuming Alpha = P and Beta is $2^K-1$, with the goal of finding $x$ where $a^x = \beta$? – Les Jul 12 '18 at 14:56
  • @fgrieu - Please correct me if I am wrong. In your above answer describing BSGS, $K$ is the $P$ obtained by BM algorithm (aka, $c_j$), the generator is $S_0$ of the LSFR, and the goal is to find $x$ such that $S_0^x \bmod P == S_0$, $x > 0$. – Les Jul 13 '18 at 11:08
  • @fgrieu - Please ignore my last comment, even I found it confusing upon re-reading it. In your above answer describing BSGS, is $K$ the $P$ returned by BM algorithm? Or is $K = 2^n-1$? – Les Jul 13 '18 at 11:16
  • @fgrieu - Sorry, ignore the last one, too. (K cannot be P obviously). My coffee hasn't taken effect yet. $K$ is the degree of P which is <= n. – Les Jul 13 '18 at 11:27
  • @Les: Per the newly added math, your example generator has period $(2^{14}-1)(2^{21}-1)(2^{29}-1)/127=145241018455818369$. For the factorization, you can ask Wolfram's Alpha. – fgrieu Jul 13 '18 at 22:04
  • @fgrieu - thank you, that works. However, I ran my polynomial through Wolfram's Alpha and got 3 polynomials of degrees 14, 21, and 29 which line up with your k term in your factors, only when I read your answer, I would have come up with $(2^{15}-1)(2^{22}-1)(2^{30}-1)$, where my k values are the degrees of the 3 polynomials. What am I doing wrong? – Les Jul 16 '18 at 00:30
  • @Les: to get the shortest period, we take the period $\prod(2^{k_j}-1)$ where $k_j$ is the degree of irreducible polynomial factors, and pull out its (integer) factors while what remains is a period. Among reasons that is necessary: some of the irreducible polynomial factors might not be primitive; or/and said factors could divide the starting point (in Galois form); and I'm leaving aside what happens when an irreducible factor is squared. I know how to get the right result, but I'm less than fully comfortable with the subject, and asked there. – fgrieu Jul 16 '18 at 03:41
  • @fgrieu - This is very helpful, the period is correct. Additionally, I found by experimentation (for my purposes) that the period need not be the shortest. I tried several multiples of the shortest period and all of them also worked. The missing link for me is that Wolfram's Alpha gave me $(1+x+x^3+x^4+x^9+x^{10}+x^{11}+x^{12}+x^{14})(1+x^2+x^6+x^7+x^{12}+x^{13}+x^{15}+x^{16}+x^{18}+x^{19}+x^{21})(1+x^3+x^4+x^5+x^8+x^9+x^{12}+x^{13}+x^{15}+x^{17}+x^{18}+x^{19}+x^{22}+x^{23}+x^{25}+x^{28}+x^{29})$ and the formula above tell me take $\displaystyle\prod(2^{k_r}-1)$ where $k_r$ is the degree (your comment uses the order). – Les Jul 16 '18 at 12:01
  • In other words, if I were to repeat this experiment on a different cipher and Wolfram's Alpha gave me similar factors with orders like say 12, 23, 29 (these are just made up), I would take their degrees and get $(2^{13}-1)(2^{24}-1)(2^{30}-1)$, and I would be wrong. Or, I could take the order of each instead (but then I would be guessing, I prefer not to guess). Is Wolfram's just adding the degree to each factor (similar to how $x^{64}$ is implicitly added to the characteristic polynomial)? Thanks again. – Les Jul 16 '18 at 12:08
  • Sorry about the Latex errors, I am still learning it. – Les Jul 16 '18 at 12:09
  • Embarrassing, I think I have my understanding of "order" and "degree" reversed. – Les Jul 17 '18 at 00:37