Stream Ciphers (Symmetric Cryptography) Summary

Summary of Stream Ciphers (Symmetric Cryptography)

These are my complete notes for Stream Ciphers in Symmetric Cryptography.

I color-coded my notes according to their meaning - for a complete reference for each type of note, see here (also available in the sidebar). All of the knowledge present in these notes has been filtered through my personal explanations for them, the result of my attempts to understand and study them from my classes and online courses. In the unlikely event there are any egregious errors, contact me at jdlacabe@gmail.com.

Table Of Contents

III.I Intro to Stream Ciphers.

III.III L.F.S.R.'s.

III.II Random Number Generation.

III.IV Alt. Secure Stream Ciphers.

III. Stream Ciphers.

III.I Introduction to Stream Ciphers.

Fig. 3. - Symmetric Cryptography Hierarchy:

A Classification hierarchy of Symmetric Cryptography. There are two major branches of Symmetric Cryptography, Block Ciphers and Stream Ciphers. See section I.I for the full tree, and Rule 5 for Cryptanalysis.

# C. Rule 21. Stream Ciphers

Mathematical Definition:

(x_i, y_i, s_i) ∈ ℤ₂

Encryption: e_{s_i}(x_i) ≡ (x_i + s_i) mod 2

Decryption: d_{s_i}(y_i) ≡ (y_i + s_i) mod 2

x_i = The Plaintext bit at index i.
y_i = The Ciphertext bit at index i.
s_i = The "Key Stream" at index i, equivalent to 'k' (as in past ciphers). Here, it is the Key (at index i) fed into the encryption and decryption functions.
ℤ₂ = A ring of the first 2 integers: {0, 1}.
e_{s_i}(x_i) = Encryption function, a mathematical formula that converts each x bit into a y bit.
d_{s_i}(y_i) = Decryption function, a mathematical formula that converts each y bit into an x bit.
mod 2 = The modulus/remainder operator with respect to 2. Numbers can only be 0 or 1 in this reality.

Explanation:

A cipher that encrypts bits individually, processing one bit after another in a sequence. This is opposed to a Block Cipher (see Section IV), which takes in large amounts of bits all at once.

The modular 2 operation (see Rule 22) has its own symbol in cryptographic diagrams: a circle with a cross. In electrical engineering, the mod 2 function is known as the XOR gate, a type of binary gate ([[[[[).

Using this symbol, the encryption and decryption functions of the basic stream cipher can be depicted as shown:

A simple diagram displaying how a simple Stream Cipher (abiding by the encryption and decryption functions defined) would work. Note the usage of the XOR gate, or modulus 2 function.

If the key bit is zero, then the plaintext bit will pass through unchanged, but if the key bit is 1, then the plaintext bit will flip (like binary). Thus, if the keystream (by divine intervention) is straight 0's, then the plaintext will go unencrypted.

The central complexity of the Stream Cipher is the generation of the "Key Stream", e.g. the stream of bits with which the plaintext is encrypted. This generation must be performed through Random Numbers - see Rule 23.

# Key Stream: A stream of characters that is combined with the plaintext to produce the ciphertext in a Stream Cipher, or, in the case of asynchronous stream ciphers, combined with a previous ciphertext to produce a new ciphertext.

The key stream is derived from the key and the seed. Generally, the key stream is denoted as "s_i", while the seed itself is s₀, the initial position (which may have been created using an actual TRNG) from which all recursive stream ciphers evolve from in their encryption functions, at least all ciphers that use the PRNG algorithm, like the LCG (see Rule 25).

# Synchronous Stream Cipher: A Stream Cipher in which the key stream depends solely on the key, generated independently of the plaintext or ciphertext. Examples include Salsa20 & ChaCha.

# Asynchronous Stream Cipher: A Stream Cipher in which the key stream depends on the ciphertext in addition to the key - the key generation is reliant on previous ciphertext, making it a risky operation. An example is the Cipher Feedback (CFB) mode.

# C. Rule 22. Mod 2 addition and subtraction are the same operation (an XOR gate). Multiplication complicates things, but in all instances where the mod 2 function is limited to addition or subtraction, the results will be identical no matter which operation is applied.

Note that this does NOT extend to the modulus of any other number - only for two. See the Vigenère Cipher (Rule 17), which works akin to a stream cipher, for proof.

III.II Random Number Generation.

# C. Rule 23. Random Number Generators (RNG):

The means with which a system can generate random numbers, for the purposes of constructing/filling a keystream with random bits, are split into three main mechanisms:

True Random Number Generators (TRNGs): "True" random numbers stem from random physical processes that cannot be reproduced.

Such natural sources of entropy include flipping a coin, rolling a die, thermal noise, mouse movement, and keystroke timing.

Hardware and cryptographic systems have tried a lot of different techniques over the years to create a TRNG by analyzing/recording internal characteristics of the computer. Most modern CPU's have a TRNG within a TPM (trusted platform module) on the motherboard.

Pseudo Random Number Generators (PRNGs): An RNG system that is random, but reproducable. Because PRNG's are computed, they are inherently deterministic processes. Since they are deterministic, Alice and Bob can generate the same key stream independently of one another, only needing to know the initial "seed", which is like the key for the key.

Often, PRNG's are computed with the following function:

s_i+1 = f(s_i)

s₀ = The initial seed value, which may be an actual TRNG.
f(s_i) = The 'randomizer' function, which performs whatever upon the seed in order to computationally randomize it.

This recursive generation is the form taken by the Linear Congruential Generator (see Rule 25).

The rand() function in C is a PRNG and uses a seed of 12345, with the following function as the randomizer:
S_i+1 = ((1103515245 × s_i) + 12345) mod 2³¹.

Cryptographically Secure Pseudorandom Number Generators (CSPRNGs): PRNG's that have an additional property: the numbers must be unpredictable.

Given n output bits (s_i, s_i+1, ..., s_i+(n-1)), it is computationally infeasible to construct s_i+n.

While in most applications, PRNG systems are perfectly fine and suited to create 'random' numbers for whatever purpose, they form very unsecure cryptosystems, and thus in cryptography, the additional property of unpredictability is required.

# Unconditional Security: A cipher is "unconditionally secure" (or "information-theoretically secure") if it cannot be broken even with infinite computing resources.

Even if a key is 2^1000 bits, it would not be considered "unconditionally secure", because 2^1000 computers (a patently not infinite amount of computers) would be able to break the key in one second. This is despite the fact that such levels of computing power will never be realized in human history.

Thus, though there are very many ciphers that are "practically" secure (forming the backbone of our modern cybersecurity systems), they are not unconditionally secure.

# Computational Security: A cryptosystem is computationally secure if the best known algorithm for breaking it requires at least t operations, where 't' is some ridiculous number far beyond the reach of modern brute-force computational abilities.

# C. Rule 24. One Time Pad (OTP)

The One Time Pad (also referred to as the "Vernam cipher"), as it were, is the unconditionally secure, perfect encryption algorithm, unbreakable in any meaningful way. The OTP is a stream cipher with the following properties:

1) The Keystream bits s_i must originate from a TRNG.

2) Each Key stream bit must be used only once.

Knowledge of the Key Stream must be exclusively limited to the involved parties, of course. At the end of the data transfer, the party that received the data must destroy the key so that it cannot be used by another party to decrypt the message after the fact. This is the same reason why reusing keys is extremely risky and nullifies the security benefits of the OTP.

The security of cryptosystem draws from the fact that, without knowledge of the keystream, even a brute-force attack would be futile, because any two text strings are equally as probable to be a particular word in the plaintext: if a four letter word were to be encrypted, it is equally probable for it to be "when", "stop", or "abcd".

There is one fundamental drawback of the OTP, however, that prevents its universal application: since keystream bits cannot be reused, the key has to be as long as the plaintext. A 400MB file, 8 bits to the byte, would entail a 3.2GB key.

Fig. 4. - Practical Stream Ciphers:

A diagram of how all practical stream ciphers should function, with the modular 2 addition highlighted and the key stream generator (which varies from cipher to cipher) displayed.

# Bit-length: The number of bits required to represent an integer as a binary number. The capital letter 'A', for example, has an ASCII value of 65, which is 1000001, meaning a bit-length of 7. It is often calculated using log₂, since binary positions are dictated by powers of two.

# C. Rule 25. Linear Congruential Generator (LCG):

Mathematical Definition:

(A, B, s_i) ∈ ℤ_m
Key K = (A, B)

S_{i + 1} ≡ ((A × S_i) + B) mod m

S_{i + 1} = The following value in the keystream, which is recursively using the value of the previous bit in the keystream (along with the key) to calculate the new value. It is exactly ⌈log₂ m⌉ (bit-length of m) bits long.
S₀ = The initial seed value, which may have been created using a TRNG. It is exactly ⌈log₂ m⌉ (bit-length of m) bits long.
S_i = The Key Stream at index i. It is exactly ⌈log₂ m⌉ (bit-length of m) bits long.
ℤ_m = A ring of m integers.
A = The multiplied value of the key. It is exactly ⌈log₂ m⌉ (bit-length of m) bits long.
B = The "shift parameter" value of the key, only used for the addition operation. It is exactly ⌈log₂ m⌉ (bit-length of m) bits long.
mod m = The modulus/remainder operator, which represents the usage of modular arithmetic, with all numbers represented by their remainder with respect to m.

Explanation:

A means of generating a unique key stream using the PRNG system, based on the attributes of the key and the seed. This makes it more practical a system than the One Time Pad, but much easier to break (see Rule 26).

Of course, separate from the nature of the function/equation itself, note that there are no "Encryption" or "Decryption" functions, because the given equation is merely for composing the keystream (in the Rule 23 PRNG-style), while the equation for the Stream Cipher itself remains the same (Rule 21).

# C. Rule 26. HOW TO CRACK A LINEAR CONGRUENTIAL GENERATOR (LCG):

In order to crack a rudimentary LCG system and discover the full keystream to decrypt the system, the attacker only needs to know three characters of the plaintext that were encrypted (along with all of the ciphertext). Generally, in encrypting a document (such as Microsoft Word or Excel), there will be file or protocol header information at the start (like the version number), which will always be the same initial symbols being encrypted. Therefore, knowledge of the attacker of these plaintext characters, in addition to the ciphertext, can be assumed.

With knowledge of the LCG key-stream equation, the attacker would know S₀, S₁, and S₂ only. There would thus be three unknowns, A, B, and m. However, the set of commonly used m values is relatively small (see list) could possibly be, and so iterating through them using brute-force (once A and B have been discovered) would be very simple: calculate the associated key stream for each probable m value, then check each key stream using the stream cipher decryption function (see Rule 21) and the known ciphertext, until the correct key stream (and thus m value) is found. Thus, m is considered one of the known variables.

The attacker only has to create a system of equations-style problem (using the three known plaintext characters and the ciphertext) in order to isolate A and B, respectively.

S₁ ≡ ((A × S₀) + B) mod m
S₂ ≡ ((A × S₁) + B) mod m

A = ((S₁ - S₂) × (S₀ - S₁)⁻¹) mod m
B = (S₁ - (S₀ × (S₁ - S₂) × (S₀ - S₁)⁻¹)) mod m

After finding A and B, all that would be left to be done is to brute-force m as previously described, and the system would be cracked.

III.III Linear Feedback Shift Registers.

# Clocked Storage Element (CSE): A storage container that captures information at a specific moment in time, storing it until needed. In electrical engineering, CSE's are part of clocking subsystems and respond to Clock signals (E.E. Rule [[[[[).

# C. Rule 27. A "Flip-flop" is a clocked storage element that stores a single bit. There is an input, an output, and a Clock Input that determines whether any inputted bit is to be stored or not.

The general symbology used in diagrams for a flip-flop is as follows:

A diagram of the basic functions of the flip-flop electrical component. D is the input, Q is the output. Ignore the Q with the line for now. Courtesy of buildcircuitelectronics.

And here is a diagram showing how the output relies on clock signals to accept an input change, if any:

A diagram detailing how the clock signal will influence what data from the input is stored and produced in the output. As shown, the flip-flop will only store the first event captured in the input when the clock signal becomes active, regardless of whether the input changes while the clock signal is still active. Courtesy of Wikipedia.

# Shift Register: A "shift register" is akin to a system, a concatentation of several individual flip-flops, each sending a signal to the next until the final flip-flop, which will produce each bit of the output. It is one half of an LFSR.

An example of a shift register, with three flip-flops, with every new value sent receiving a clock signal:

A shift register, complete with three flip-flops, and a starting value of 1-0-0. Data moves over once, and then each change is moved over until there are no more changes to be moved.

# C. Rule 28. Linear Feedback Shift Registers:

Mathematical Definition:

The equation depends on the specific characteristics of the LFSR. Specifically, the number of flip-flops, the number of mod 2 functions, and which flip-flops have mod 2 functions. The following formula applies to all LFSR's and is fully explained/derived in Rule 29:

(S_i, P_j) ∈ ℤ₂
(i, j) ∈ ℤ_m

$$S_{m+1} \equiv \left( \sum_{j=0}^{m-1} S_{i+j} \times P_{j} \right) \mod 2$$
m = The number of flip-flops in the LFSR. This number determines both the length of the state register and the period (see Rule 31) of the output sequence.

i = The offset in the shift register, e.g., the number bit of the key stream that is being found. This is why it is ∈ ℤ_m - it can go no greater than value m.

j = The index variable for each individual flip-flop, which have the potential to contribute to the feedback path, as determined by the feedback coefficient.

S_{m + 1} = The next output bit into the keystream produced by the LFSR after shifting.

S_{i + j} = The bit held by a particular flip-flop j, at a specific offset in the shift register i. This is the value being inputted into the multiplier function from the flip-flop.

P_j = The feedback coefficient of flip-flop j. Either 0 or 1.

mod 2 = The modulus/remainder operator with respect to 2. Numbers can only be 0 or 1 in this reality.

Explanation:

There is an inherent relationship between electrical engineering and Cryptography, specifically in how Cryptography developed: in the early days of the development of the Stream Cipher, the goal was to create a 'small' stream cipher, e.g. a stream cipher that could be implemented in hardware without using too much power.

Today, all stream ciphers fit one of two categories: ciphers optimized for software implementation, and ciphers optimized for hardware implementation. A prime example of the latter are "Shift Register-Based Stream Ciphers", in particular shift registers with feedback, better known as Linear Feedback Shift Registers.

Occasionally referred to as cryptographic "linear recurrences" by various demented individuals, Linear Feedback Shift Registers are algorithms of key stream generation that utilize yet another PRNG, and are thus crackable with some effort (see Rule 35).

Many ciphers, such as the A51 cipher, consist of multiple LFSRs (in the case of A51, 3), which greatly enhance the security of the cipher and validate the usage of LFSR's for legitimate cryptographic purposes ([[[[[[[[[ how?).

LFSR's incorporate a standard Shift Register with a feedback mechanism/path, generating fresh input for the first flip-flop using some output data. This is done by a modular 2 addition function (an XOR gate), which can be performed between the value from the final flip-flop and any other located in the shift register. Multiple mod2 functions can be added in fact, complicating the structure of the LFSR.

The mod 2 calculation is first performed in the initial state of the shift register, before the first clock cycle, pre-computing the value that will be used as input for the first flip-flop on the first clock cycle.

Remember: The feedback mechanism that the outputs take uses a mod2 function, but the actual input into the first flip-flop itself is without any special system - it is directly taking in the given number.

Very important to notice in the progress of an LFSR is that there will be a distinct pattern that holds in each calculated value (placed below the flip-flops on a diagram), known as the Diagonal Rule: each bit value will be translated diagonally to the right, for as many flip-flops as there are to the right, continually. Note this pattern in the diagram below:

A Linear Feedback Shift Register, complete with three flip-flops and a full period of values, which compose one complete key stream.

The specific mathematical formula of the key produced by the LFSR depicted is:
S_i+3 ≡ (s_i+1 + s_i) mod 2.

# Feedback Path/Feedback Mechanism: The path in which all the XOR gates (or other operations) are located, streaming back to the first flip-flop for the new input. This mechanism, when combined with a shift register, helps form an LFSR.

# State (in regard to LFSR's): Also referred as the "initialization vector" of the LFSR in this context. The bits of the flip-flops at a particular shift register offset. Given knowledge of an LFSR state and the XOR-positions/feedback path, the following state, produced through another shift register offset, can be determined.

Even without knowledge of the XOR positions, by pure knowledge of the first state, every flip-flop bit in the following state (except for the first F.F., the recipient of the input of the feedback state) can be determined, as a result of the diagonal rule described in Rule 28.

# C. Rule 29. LFSR Generalization:

To generalize the LFSR so that a general equation can be applied, several new mathematical operations must be introduced.

First, the number of flip-flops in the register can be generalized to an arbitrary 'm' number of times, which is the simplest generalization to be made.

It is possible for any of the flip-flops to have an XOR gate, and for there to be as many XOR gates as flip-flops, minus one. Since all of the flip-flops have a chance at being part of the feedback path, a multiplier function must be added after each flip-flop, between the path after the flip-flop and any possible XOR gate above on the feedback path. Thus, the multiplier controls the way to the XOR gate, and essentially acts as an on-or-off switch.

A generalized LFSR, with every possible link between a flip-flop and the feedback path having a multiplier function, serving as the 'switch' determining whether that flip-flop is included as a part of the XOR operation.

The multiplier function works by multiplying the value of the flip-flop (the Input value I) by the internal P-value, which is determined by whether the flip-flop actually has an XOR gate or not (see below). The p-value can only be a binary value: p_i ∈ ℤ₂.

The multipliers (labeled P₀ to P_m-1) have their own values, known as "feedback coefficients". These values are dictated by the "switch", e.g. if there is or isn't a connection to an XOR gate from that flip-flop. Furthermore, there is an input I and output O that travels from the multiplier onto the XOR gate path.

If the switch is closed (e.g. there IS an XOR gate connected to that flip-flop, and thus a connection to the feedback path), then the p-value will equal 1, since the input is equal to the output: O = p_i × I = I.

If the switch is open (no XOR gate), then the p-value will equal 0. The output O is equal to 0, and since O = p_i × I, and I is not necessarily 0, then p_i must equal 0.

For the following formula, you must assume that s_m is the sum of all of the XOR gates, e.g. the preloaded value that is ready to be inputted into the first flip-flop after the initial state has finished being processed. Thus, the second complete XOR-ing of the values (the second value inputted into the first flip-flop) will be S_m+1, and so on. The value of the input into the first flip-flop is the result of the summation of all of the possible XOR operations that could be present in the LFSR.

(S_i, P_j) ∈ ℤ₂
(i, j) ∈ ℤ_m
$$S_{m+1} \equiv \left( \sum_{j=0}^{m-1} S_{i+j} \times P_{j} \right) \mod 2$$
m = The number of flip-flops in the LFSR. This number determines both the length of the state register and the period (see Rule 31) of the output sequence.

i = The offset in the shift register, e.g., the number bit of the key stream that is being found. This is why it is ∈ ℤ_m - it can go no greater than value m.

j = The index variable for each individual flip-flop, which have the potential to contribute to the feedback path, as determined by the feedback coefficient.

S_{m + 1} = The next output bit into the keystream produced by the LFSR after shifting.

S_{i + j} = The bit held by a particular flip-flop j, at a specific offset in the shift register i. This is the value being inputted into the multiplier function from the flip-flop.

P_j = The feedback coefficient of flip-flop j. Either 0 or 1.

mod 2 = The modulus/remainder operator with respect to 2. Numbers can only be 0 or 1 in this reality.

# Primitive Polynomials: A form of irreducible polynomials, akin to a "prime" polynomial, with the only "factors" being 1 and the polynomial itself. [[[[[[[EXPLAIN IN A MORE COHESIVE AND FULLY ELABORATED MANNER[[[[[[[[.

# C. Rule 30. Types of LFSRs:

In practice, there are three types of LFSRs, the properties of which are the result of the feedback coefficients and degree.

Primitive Polynomial-based: These LFSRs are composed of primitive polynomials (see definition), and produce a maximum-length sequence, the only LFSRs to do so.

Non-Primitive Irreducible Polynomial-based: Using irreducible polynomials that are not "primitive", these LFSRs produce a period that is totally independent of the initial value/"state" of the register. These algorithms do not produce maximum-length sequences.

Reducible Polynomial-based: These LFSRs have a sequence/period dependent on the initial state of the register. Of course, these algorithms can never produce a maximum-length sequence.

# C. Rule 31. The Period is the number of different strings of numbers that can occur in a specific LFSR before repeating. In the LFSR given in Rule 28 (with 3 flip-flops), this number is 7, e.g. all possible states.

A simple principle can thus be derived: The maximum possible period (or sequence length) generated by an LFSR of degree m is 2^m - 1.

As soon as a previous bit pattern/sequence (a 'state') is reached, then the cycle will repeat itself. Only certain feedback configurations (P_m-1, ..., P₀) yield maximum length sequences, regardless of the initial bit pattern/state (!). For any LFSR with a set number of flip-flops, m, and a given positioning/number of XOR gates, no matter what the initial state is, the period will always be the same.

This is why the given value is the maximum possible period of an LFSR - only some reach it.

There are patterns within the LFSR, specifically that of the positioning of the XOR gates with respect to the degree m, that can be used to determine if an LFSR will produce a maximum-length period or not - see Rule 34 for more information. These patterns require knowledge of the Polynomial Representation of LFSR's, described in Rule 32.

# C. Rule 32. The only string of bits that can never appear in an LFSR is straight 0's. Such a thing is only possible if the initial setting is all straight 0's, which is a ridiculous thought not to be entertained.

# C. Rule 33. Polynomial Representation of LFSR's:

All that is needed to represent the nature of an LFSR (devoid of the initial state) is the degree m (the number of flip-flops), and the feedback coefficients. These characteristics can be represented in simple polynomial form:

P(x) = x^m + P_m-1 × x^m-1 + ... + P₁ × x + P₀

m = The number of flip-flops.
x = The simple polynomial variable, nothing to be plugged in.
P_m-1 = The feedback coefficient of the very first multiplier function (and thus, the flip-flop it represents) in the sequence. P_m would be to the left of the first flip-flop, along the very end of the feedback path, and thus is always 1 and is unnotated. The sequence P_m to P₀ represents all multiplier functions, left to right.

For example: The LFSR depicted in Rule 28 would be represented as x³ + x + 1.

Even if there were no XOR gates in the entire LFSR, then the equation would still be x^m + 1, representing the ending and beginning points of feedback path.

What you are really looking at when you see a polynomial expression of an LSFR is the degree of the first term, and all of the terms in between the first term and the last term, because there is always going to be a +1 at the end. Otherwise, the output would not be incorporated into the feedback path, which is utterly preposterous and is never seen in the real world.

There are patterns in LFSR polynomials that can be used to determine whether the LFSR has a maximum-length period or not, described in Rule 34.

# C. Rule 34. Deriving Maximum-Length Periods from LFSR Polynomials:

Only LFSR's with primitive polynomials (see definition) yield maximum-length sequences.

Below is a table showcasing an example primitive polynomial for each m value 2-128. Note that there are multitudes of primitive polynomials for any given m value, too many to produce a complete list. There are 6.92 × 10⁷ primitive polynomials for an LFSR of m 31.

In the table below, take the values as representing the degrees in reverse order: x^0 + x^1 + x^2, for example. This ensures the +1, a necessary component of any LFSR polynomial as explained in Rule 33.

A table showcasing an example primitive polynomial for each m value 2-128.

# C. Rule 35. HOW TO CRACK A LINEAR FEEDBACK SHIFT REGISTER (LFSR):

While Linear Feedback Shift Register's have the properties of relative randomness and are exceedingly efficient (with 100 flip-flops, a miniscule amount of space in hardware, producing a period of 2¹⁰⁰ - 1), it fails on the last hurdle: unpredictability.

By its very nature, an LFSR is a deterministic means of producing a key stream, thus opening it up to vulnerabilities that can be exploited. The main principle that must be acknowledged in attempting to 'break' or 'crack' any stream cipher that utilizes an LFSR is as follows:

If an attacker knows (at least) 2m output values of an LFSR, he can recover the entire LFSR configuration.

Oscar, as always knows the complete ciphertext string. Furthermore, he knows the degree m of the LFSR, and, most damningly, he knows the first few plaintext characters: x₀, ..., x_{2m - 1}. With the header information, it is still realistic for that amount of plaintext to be known to the attacker.

Given this knowledge, Oscar simply has to follow a 3-step process in order to recover the entire key:

Step 1:
Utilizing the definition of the encryption function of a stream cipher, the key stream at position i can be isolated:

i ∈ ℤ_2m

S_i ≡ (x_i + y_i) mod 2.

Thus, Oscar is able to recover the first 2m output bits (the output/keystream bits) of the LFSR, which is not enough: the maximum possible period is 2^m - 1, so there remain a considerable number of output bits that need to be recovered.

Step 2:
In order to discover the remaining bits, the feedback coefficients of the multiplier functions must be discovered. This is done using the generalized summation equation of the LFSR. Expanding out the summation will produce the following equation:

S_m ≡ (S_m-1 × P_m-1 + ... + S₀ × P₀) mod 2

The only unknowns in this equation are every single feedback coefficient. Thus, there are a total of m unknowns that need to be solved for. In order to solve for the total of m unknowns, a system-of-equations type problem, with m equations, must be created:

S_m ≡ (S_m-1 × P_m-1 + ... + S₀ × P₀) mod 2

S_m+1 ≡ (S_m × P_m-1 + ... + S₁ × P₀) mod 2

.
.
.

S_2m-1 ≡ (S_2m-2 × P_m-1 + ... + S_m-1 × P₀) mod 2

As was done for Linear Congruential Generators, each unknown can easily be solve for by Gaussian Elimination ([[[[[) or Matrix Inversion ([[[[[[[[).

Step 3:
Now that Oscar knows all of the Feedback Coefficients, he can build the LFSR himself.

He can determine the initial state using the output bits that are already known (using the Diagonal Rule, see Rule 28), and from there he will be able to compute the full keystream, S_2m+1 and beyond.

With the keystream, Oscar will now, of course, be able to recover the full plaintext:

x_i ≡ (y_i + s_i) mod 2

III.IV Alternate Secure Stream Ciphers.

# The Development of Modern Stream Ciphers:

During the 1990s, stream ciphers were a center of attention for many cryptanalysts, who ruthlessly revealed vulnerabilites and weaknesses that opened particular popular ciphers of the time - this would fuel the predominance of block ciphers in modern cryptographic communications.

As a result, the eSTREAM project was established in 2004 by the "European Network of Excellence in Cryptology" (an E.U. front), which called for the development (and expert selection) of stream ciphers.

By 2008, several new, highly secure stream ciphers were developed, divided into two main categories/profiles:

1. Stream ciphers designed for implementation in software with high-volume data transfer requirements. Examples: Salsa20 (Rule 36) & ChaCha (Rule [[[[).

2. Stream ciphers designed for hardware implementation, with low power consumption, storage capabilities, and gate counts. Example: Trivium (Rule [[[[).

# Add-Rotate-XOR (ARX) Ciphers: An algorithm in a cryptosystem that only uses additions, rotations, and XOR operations to generate its keystream.

# "Nonce": A number used only once.

# C. Rule 36. Salsa20:

Mathematical Definition:

[[[[[To be completed at a later date. I have determined this topic: "Salsa20", to be non-essential to the learning and understanding of the major fundamentals of Cryptography, and so it has been placed in the low-priority learning register.[[[[[

Explanation:

"Salsa20" is a family of profile-1 stream ciphers, developed in 2005. The PRNG utilizes a 32-bit ARX framework, with additional layers of security added through increased 'rounds' of encryption: the base cipher (Salsa20/20) uses 20 ciphers, while reduced-round, faster varients use 12 rounds (Salsa20/12) and 8 rounds (Salsa20/8), respectively.

Salsa20/20 (hereafter referred to as "Salsa20") supports key lengths of either 128 or 256 bits, though 256 is recommended. [[[[[To be completed at a later date. I have determined this topic: "Salsa20", to be non-essential to the learning and understanding of the major fundamentals of Cryptography, and so it has been placed in the low-priority learning register.[[[[[

# C. Rule 37. [[[[[Reserved for Future Usage. If additional rules are needed, then the WoO system will be used.[[[[[ [[[[[To be completed at a later date. I have determined this topic: "Salsa20, ChaCha, and Trivium", to be non-essential to the learning and understanding of the major fundamentals of Cryptography, and so it has been placed in the low-priority learning register.[[[[[

# C. Rule 38. [[[[[Reserved for Future Usage. If additional rules are needed, then the WoO system will be used.[[[[[ [[[[[To be completed at a later date. I have determined this topic: "Salsa20, ChaCha, and Trivium", to be non-essential to the learning and understanding of the major fundamentals of Cryptography, and so it has been placed in the low-priority learning register.[[[[[

# C. Rule 39. [[[[[Reserved for Future Usage. If additional rules are needed, then the WoO system will be used.[[[[[ [[[[[To be completed at a later date. I have determined this topic: "Salsa20, ChaCha, and Trivium", to be non-essential to the learning and understanding of the major fundamentals of Cryptography, and so it has been placed in the low-priority learning register.[[[[[