Using Sage to crack an LFSR
I will begin with a motivating example in which . I will then describe how to generalize this approach to the situation when .
We know that to solve a degree 3 LFSR from known keystream , we must solve this system of equations:
In the language of linear algebra, this problem can be translated into matrix form:
where is a matrix, are the unknown taps, and is the last bits of the known key stream.
More explicitly, we need to solve this linear system:
If you do not find this notation familiar, you may need to spend a few minutes reviewing matrix multiplication.
Sage has built-in libraries for solving these kinds of problems.
The syntax is the following:
We now give an example in the next cell.
You can think of the code in the above box as cracking an LFSR with initial state
and taps given by
The equation solved is exactly the one given in the book for , and bits of known plaintext.
The known 6 bits of the keystream are:
The code then tells us the taps.
Here we write the state transitions resulting from the taps and the initial state:
ParseError: KaTeX parse error: Unknown column alignment: 0 at position 15: \begin{array} 0̲010 \rightarrow…Observe that the output,
is exactly as expected.
This gives good reason to believe that the LFSR will generate the desired keystream.
Note that sage returns the solution () to the equation below with the indexes on the 's in increasing order.
However the usual notation for LFSRs would write these in reverse order,
and taps given by
For this reason we will need to reverse the Sage output to make it correspond with the tap input given in the file lfsr.c
.
The simple example just given generalizes to solving the problem from Project 2. The only difference is that the degree is now , which is a little bit larger than 3.
In order to solve Project 2 you will need to use a known plaintext attack to recover bits of keystream,
Once you know these bits, you will need to use Sage to solve the linear system
Sage will then solve for the vector . You can then reverse the order of these bits and use them to load into the LFSR. Together with the known initial state you can then generate the keystream and decrypt the ciphertext.
The Sage code you need to do this is provided below. Everything is ready except for the values in the matrix
and the vector
If you can provide these, then the Sage code will proceed to solve
and return . As stated above, this bit string will need to be reversed (and converet to hex) in order to feed into lfsr.c
.
The Sage code below automatically does that part, so that the hex output can be directly pasted into lfsr.c
.
The thing that you must do is to supply the files S.mat.sage
and V.mat.sage
from which the data is loaded.
Right now these files contain toy data. For example, here is S.mat.sage
:
This plays the role of the matrix of state bits
Here is V.mat.sage
:
This plays the role of the known state bits
The problem is that right now they are too small, and contain irrelevant data.
You must fill them up with real data pertinent to the problem posed in Project 2.
Because this would require a major amount of typing (mostly to produce the matrix, which has 4096 entries), you will want to use computer code to make the files S.mat.sage
and V.mat.sage
.
The outline of the code for doing this is provided for you in this function in lfsr.c
:
You can then run the Sage coded provided below, and you will then have the taps for the target LFSR.
When S.mat.sage
and V.mat.sage
contain the right data for the problem, the hex output from the previous cell can be pasted into the taps
variable in lfsr.c
to produce the keystream.
This keystream can then be used to decrypt the target.