 In this lesson we'll be looking at an improved version of the LFSR stream cipher which we can obtain by combining more than one LFSR generator together. So LFSR ciphers I've seen are great at producing statistically random key streams, but as we just saw in our previous lesson, are very susceptible to known plaintext attacks. But turns out that by combining multiple LFSR systems together can create a system that's more resilient to known plaintext attacks and also have a longer period in the random digits that are being created. We'll do this by XORing the two LFSR output streams together to generate a new key stream and we'll call this method the LFSR sum stream cipher. We'll do this by first defining two LFSR systems, and this is just an example that we could expand out to other sized systems, but for now we'll look at a 3-bit LFSR and a 5-bit LFSR that have the following definitions. Our 3-bit system will be obtained by taking the previous bit number 1 and bit number 2 denoted by b1 and b2, added together mod 2 in order to determine the new value for bit 3. For our 5-bit LFSR system, we'll do this similarly. Here we'll use the letter C instead of the letter B so we can keep track of the bits 1 and 2 for the different LFSR systems respectively. And the definition for this 5-bit system will be that we'll take the previous bit 1, 2, and 4, add them together in mod by 2 in order to determine the new value for bit number 5. We'll communicate the seed values using a 6-bit digit key, or 6 bits of information. For our example here, we'll use 0, 1, 1, 0, 1, 0. And the first two bits will be used for setting the seed value of our 3-bit system. They'll seed the values for bit 2 and bit 3. And then the second round of bits of the last 4 bits of our key will be used for seeding the 5-bit LFSR. So that 1, 0, 1, 0 will set the bit values for bits 5, 4, 3, and 2 respectively. Both LFSRs will have their first bit always set equal to the value of 1. And this is to help avoid the situation where any one of these LFSRs has a state where all the values of the bits in a particular row are set to 0. So you might have seen in a previous lesson that when that happens, it's kind of set and stuck in that state. We can't get out of it, and our pseudo-random number generator no longer works. And the last piece of information we need is how are we going to combine these two LFSR outputs to generate our key stream for encryption. We'll do that by taking off, just like we've seen before, the first two bits from each of the LFR systems add in mod by 2 to generate the first bit of our key stream. So let's take a look at how this will work in practice. Let's start by looking at the way the LFSR 3-bit system will work. So we'll take our seed value of 0, 1. And as we mentioned, we'll put those into the positions of 0, 1, 1 to bit 3 and bit 2 in our table here, and we can follow those calculations down to complete this system. For the 5-bit, we could do the same thing. We'll take our 1, 0, 1, 0, set those to be the values for bits 5, 4, 3, and 2, have that value of 1 for the set for bit number 1. And we can apply these rules to fill out our table. And now we have two output streams, one for each of these LFSR systems. We'll line up our outputs. Here we are. We'll notice that the LFSR 3, if you were to follow that along, has a period of 7, meaning every 7 bits we come back to the beginning of the cycle and the next 7 bits will be the same as the 7 bits that preceded it. Our LFSR 5, our 5-bit system, has a period of 15. So every 15 bits of information that are generated, the pattern will start over. Now, if we XOR these two output streams together, we'll get the key stream that we'll actually use for encryption. And one note about this key stream is that it has a period of 105. And in fact, that 105 comes from it being the least common multiple of the individual periods of the component systems. So 7 and 15, their least common multiple is 105. Now that adds a nice security feature in that we can take two simple LFSR systems and combine them in this method to create one with a much longer period than it would be able to create just one more complex LFSR system to get the same period. So there's some simplicity here of the individual components. And we can actually XOR them together pretty easily to generate this more complex system. Say we take the first 16 bits from that key stream and we'll use that to encrypt two pieces of plain text here, lowercase n, lowercase c. We can see that we have the ASCII representation of that plain text written out in binary. And we can XOR the key stream with the plain text to determine our ciphertext message in binary, which happens to turn into the ciphertext slash t or the tab button on your keyboard and then a left curly break. So those are the two characters in ASCII that those convert to. And that is kind of, in essence, what the LFSR some cipher will do. It operates in the end very similarly to a similar or a simple one LFSR system. But we'll see it does add some security and it's not just from increasing the length of the period. We'll see how this is a little bit more resilient to a known plain text attack in the next part of this lesson. So let's take a look about how this system is a bit more secure than just using one single LFSR cipher on its own. So here's the ciphertext in the plain text that we just deduced from the last page. And we can XOR those together. Say we were able to guess that first character of the plain text and we XOR that with the ciphertext we intercepted, we could determine the key stream, those first eight bits of our key stream here. Now, with a single LFSR, we were able to kind of work that backwards and determine the seed value. And once we had the seed value, we had enough information to go ahead and generate as much of the key stream as we needed to deduce the rest of our plain text message. Let's see why this doesn't work in this particular system. If we have our key stream, here is a possible combination of LFSR three outputs and LFSR five outputs that would have generated that key stream if we were to XOR those together. So that's one possible way that we could have had the LFSR outputs. And if that was the correct possible pairing, we could work those individually back to get the seed values for the three bit and the five bit systems. But we don't know for sure that that's a actual correct output pairing because here's yet another one. Notice that this is a completely different pairing of outputs from an LFSR three and an LFSR five system, but they would have produced the same key stream. And that's kind of the crux of the added security here. Just knowing the key stream that was used to encrypt the ciphertext doesn't give us any particular information about either one of the LFSR output streams. You could have gotten to that zero in the key stream by having a one and a one in both the three and the five bit system or a zero and a zero in the three and the five bit systems. You could have gotten to that one in the key stream by having a one and a zero or a zero and a one. This multiple opportunities to get to the same key stream value is what adds the security. Without having some additional information about the individual LFSR outputs, there's no way to determine which values each of those LFSR systems use to get to the key stream. Now, we will see, however, in just a moment that there's still a way to crack this cipher if you know some of the key stream. So here's how we can begin to recover the seed values for our individual LFSR systems. Here, we'll take a look at our three bit system that uses the same definition that we saw before. We could obtain the value for bit three by looking at the preceding rows values for bits one and two and X oring them together or just adding mod two. But instead of having the actual values for the seed, we're going to use these placeholders of K one and K two, where K one is the initial value for bit three and K two is the initial value for bit two. And we're going to set up a system where ultimately we'll be able to solve for these two values. And once we do, we'll have the seed for this LFSR and we could generate as much of the key stream or of its output that contributes to the key stream that we might need. So we'll keep applying the rules like we have done in the past to generate subsequent rows of our table. Again, we don't have the actual values for K one and K two, so we'll use them as variables to produce expressions for those values in the table. And here we'll see that this pattern in column three for bit three, we can simplify a little bit using some rules of modular arithmetic. Normally we would take the preceding value for bit one, which is one plus K two, add that to the value for bit two, which is K one plus K two. And when we combine like terms, you would have had the expression one plus K one plus two times K two. But if we were to mod that expression by two, it would simplify down to just one plus K one. Because we know that doubling K two and then taking the mod two of that will always result in that being equivalent to zero. And if you're not quite sure of that logic, you could try a couple of values of K two. If K two were zero, we'd have two times zero, which is equivalent to zero in mod two. But if we had two times one, the result would be two, and two is also equivalent to zero in mod two. So it doesn't matter the value of K two, twice K two will always be equivalent to zero as long as you're working with the modulus of two. And that fact here will be the crux of much of our simplification that we can use for the rest of this process. We can see it again in the next row. If we were to take bit one and bit two from the preceding row and add them together, we'd have one plus two times K one plus two times K two. And using the same logic from the previous row, we know that that's just equivalent to one in mod two. And we have the rest of our table now filled out. We're gonna set this aside, but we will come back and specifically look at the values of bit one in this column, and more specifically the expressions for those bits since we don't have numerical values for most of the rows. But since they are the output of this three bit system, that we'll be using to generate the key stream. Let's look at the same process now for our five bit system. Again, we have the same definition as before, and we'll start to fill in the rows to compute new values or expressions for those values for these bits. Like we've seen in the past, we can simplify some of these rows in order to reduce down their expressions to the simplest form. And we're gonna take a look at that column for C one since those are the bits that will be combined with the column for B one, from the outputs from our three bit system to generate our key stream. Let's collect all that information all in one place. Here's the expressions that represent the first seven bits output from each of the three bit and the five bit LFSR systems. And if we were to add those together, we can simplify those down as well to obtain the following expressions. So we now know with the first seven bits from our LFSR sum, which in theory should be our key stream that we're using to encrypt the message. Assuming that we now know the C values, we could just plug in chug here and determine the following zeros and ones for this LFSR sum. Now, how is this useful to us? Well, as we've seen previously is that if we can guess a piece of plain text and we intercept the corresponding cipher text, we can use that to compute the actual key stream that we believe to be true. And now we can set up a system of equivalencies knowing that the first bit in the key stream that we got from our guess at the plain text and the intercepted cipher text would match up with the first bit from the LFSR system with the given definitions that we have. And then likewise, the second bit corresponds with our expression and the second bit placeholder, third with third and so on. So the key stream that we have from the known plain text should correspond to the values, the theoretical values that these expressions will compute for the LFSR sum with the given definitions for the system. And let's see how that's helpful. We can use all of those correspondences to set up what's called a system of congruences. It's like a system of equations but just in a particular modulus. So for example, I would know that k2 plus k6 is congruent to one in mod two. How did I know that? Let's go back a previous slide. It's because bit one is k2 plus k6 from the computed LFSR sum system and I have a computed key stream value of one. So I know that those should be congruent. We can set up similar congruences for the remaining bits. So we know that k1 plus k5 is congruent to one mod two. One plus k2 plus k4 is congruent to one. k1 plus k2 plus k3 is congruent to one. k is one, two, four and six is congruent to zero. And one plus k1 plus k3 plus k5 plus k6 is congruent to zero. So we've got a lot of different equations here but the good news is we have six unknowns, k is one through six and we have six equations or equivalent statements that govern those relationships. And if you remember from solving equations and in the other math course you've taken that should be enough for us to determine all the values of these unknowns. In fact, solving systems of congruences like this more specifically linear congruences is something that a computer is really good at. So we won't focus too much of this course on trying to figure out how we can do this manually. We'll let the computer take care of this work most of the time as it'll be much more accurate and certainly quicker than what we could do by hand. But let's take a look at this one in particular that we can solve by hand due to a unique setup that these equations form for us. So we're actually gonna add all six of these equations together because I've noticed a pattern here in the coefficients for each of these terms. We'll see that when we add up and there's a reason why we had these grouped the way they are on the screen with their individual like terms lined up above each other is that if we were to add the column that had our constants of one, we'll see that we have an even number of those terms spread out across the six equations. Two of them, and only two of them had a term with a constant in it. And if I were to add those two together they would be equivalent to zero in mod two. Again, apply in the same logic that we saw before. Likewise, if we were to add up another column here, say with the K two values, there's four of those. And four K twos are equivalent to zero mod two regardless of whatever value K two ends up being equivalent to, whether it's a zero or a one that statement is the same. And we can apply that logic all the way down the line. K ones, there's four of those. There's two K threes, two K fours, two K fives. The only terms that had an odd number spread out across all six of these is the K six column. So we have three K sixes, which is equivalent to just one K six when we mod by two. Again, we're kind of reducing that by two. Which allows us to create a much simpler equation once we add all these up. Just that K six is congruent to zero in mod two. We now have one piece of information that we can now use to apply to other equations in that system to start solving for other values of K. So if we know that K two plus K six is congruent to one and we now know that K six is congruent to zero, we really know that K two plus zero is congruent to one, which implies that K two itself is congruent to one. And now we've got a second piece of information. Applying that to another equation in the system, we now know that one plus K two plus K four is congruent to one. And when we substitute one in for K two, we're able to deduce that K four itself is congruent to one. And we're gonna keep applying this over and over again until we have all six values for these six different K's that we were looking for. And at this point, we have all of the seeds that we need for both of the LFSR systems. And if we have the seeds, we can compute the output for those two systems and combine them together to generate the key stream that we need. So even though it wasn't as straightforward as when we intercept a ciphertext and have a guess at the known plain text with just one LFSR, we can't just work it backwards directly to get the seed values. We can always set up the system of congruences in order to combine these equations together and solve for the seed values this way. It's important to note out that note that this system really works well for us because all of these LFSR systems are in fact linear, that's the L and LFSR. If these were to be combined in a different way where we didn't have just sums of these K values, but perhaps multiplicative terms, so like K2 times K6 instead of K2 plus K6, this would be a much more complex mathematical problem and add much more security to the system. We'll see in our next lesson that that's exactly what's been done in the past to attempt to encrypt from pretty sensitive information using the content scrambling system. That's it for this lesson on LFSR sum stream ciphers. At this point, you should know how to still use a known plain text attack in order to set up a system of linear congruences that you can use to solve for the individual seed values and the individual LFSRs.