So remember that the Vernam cipher gives us perfect secrecy, and we can implement it if we have a way of generating random bits. And so the natural question is, can we use an LFSR to produce the random bits for a Vernam cipher? And the answer is no. Given enough of the key, Eve can use the linearity to find the rest of it.

So remember that in our analysis of any cryptographic system, we want to give Eve every possible advantage in breaking the system. If she still can't break it, it's a good system. And so one advantage we might give Eve is to allow her to use the system. And so Eve can get the key using what's known as a chosen plaintext attack. She creates some message M. She gets Alice to encrypt this as C. Then, since C is just M XOR K, comparing M and C gives Eve the key bits directly: K = M XOR C. (In fact she doesn't even need to pick M herself; any stretch of plaintext she happens to know works the same way, which is the known plaintext version of the attack.)

So for example, suppose we have an LFSR based on a second-order recurrence relation, and Eve has determined that the first three terms of the key are 1, 1, 0. And let's determine the next three terms of the sequence. So again, we're giving Eve every possible advantage. She knows that this is a second-order recurrence relation, and she knows three terms of the output. And so the easy way to crack this system: since we know this is a second-order LFSR, we know it has period at most 2 to the power 2 minus 1, or 3. The only second-order recurrences that produce 1, 1, 0 are the ones with x1 + x2 ≡ 0 (mod 2), so x1 ≡ x2. Either both coefficients are 0, in which case the generator just emits zeros from here on, or both are 1, in which case the period is exactly 3 and the sequence has to repeat itself: 1, 1, 0, 1, 1, 0, and so on. OK, maybe that's too much of an advantage to give to Eve. So let's say we just know that the LFSR has produced output 1, 1, 0, 0, and from this information, let's determine possible recurrence relations and subsequent values. Now first of all, since a second-order linear recurrence relation can have period at most 2 to the power 2 minus 1, or 3, and our fourth term, 0, doesn't match the first term, 1, as it would have to if the period were 3, this has to come from a recurrence relation of order 3 or more (setting aside the degenerate second-order generator that has collapsed to zeros, which nobody would use as a pseudo-random number generator).
And if it's order 3, then we know every term is going to be some linear combination of the three preceding terms, a_n ≡ x1·a_{n-1} + x2·a_{n-2} + x3·a_{n-3} (mod 2), where we don't know the coefficients x1, x2, or x3. But we do know the first four values. We know a3 is 0, a2 is 0, a1 is 1, and a0 is 1. So we can substitute those in and get a congruence: 0 ≡ x1·0 + x2·1 + x3·1 (mod 2). And this congruence reduces to 0 ≡ x2 + x3 (mod 2). Now remember, we're working mod 2, and so in order for x2 plus x3 to be congruent to 0, x2 has to be congruent to x3. So either both are 0 or both are 1. Meanwhile, our only congruence relation here doesn't tell us anything about x1, so x1 could be anything at all. And so that gives us four possible recurrence relations. x2 and x3 could both be 0 and x1 could also be 0. x2 and x3 could both be 1 and x1 could be 0. x2 and x3 could both be 0, but x1 could be 1. And x2 and x3 could both be 1 and x1 could also be 1.

Now, note that this first recurrence relation, with all three coefficients 0, is going to produce zeros after the first few terms, so it's not a reasonable answer if we are assuming this actually is meant to be a pseudo-random number generator. So we'll ignore this first possibility as unreasonable. If we look at our other possibilities, the second recurrence relation, a_n ≡ 0·a_{n-1} + 1·a_{n-2} + 1·a_{n-3} (mod 2), is going to give us the sequence 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, ... The next recurrence relation, a_n ≡ 1·a_{n-1} + 0·a_{n-2} + 0·a_{n-3} (mod 2), just copies the previous term, so it gives us 1, 1, 0, 0, 0, 0, ... But again, since this is just going to produce an endless string of zeros after this point, it's probably not the one being used. And then finally, the last recurrence relation, a_n ≡ 1·a_{n-1} + 1·a_{n-2} + 1·a_{n-3} (mod 2), is going to give us the sequence 1, 1, 0, 0, 1, 1, 0, 0, ... And so Eve now has two candidate sequences, and she can test to see which one actually agrees with the rest of the key; a single further key bit already separates them, since the two candidates disagree at a5. And if neither one works, she can assume the sequence is produced by a higher order recurrence relation and try those. So the question arises, could we use a higher order recurrence relation to make Eve's problem more difficult?
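The attack just described, worked through in code as an added example (this is not code from the lecture): Eve recovers keystream bits as M XOR C from a chosen plaintext, then enumerates every recurrence of a guessed order that regenerates those bits and drops the ones that collapse to zeros. Alice's generator (coefficients 0, 1, 1 seeded with 1, 1, 0) and Eve's plaintext 1, 0, 1, 1 are constructed for the demonstration so that the recovered keystream is the lecture's 1, 1, 0, 0; the function names are my own.

```python
"""Added example: chosen-plaintext recovery of LFSR keystream bits, then brute-force
enumeration of the low-order recurrences consistent with them (the 1,1,0,0 case).
Convention (as in the lecture): a_k = x_1*a_{k-1} + ... + x_n*a_{k-n} (mod 2)."""

from itertools import product
from typing import List, Tuple

Taps = Tuple[int, ...]  # (x_1, ..., x_n); x_i multiplies the term i steps back


def lfsr_extend(taps: Taps, known: List[int], count: int) -> List[int]:
    """Continue the sequence `known` (at least n = len(taps) terms) out to `count` terms."""
    n = len(taps)
    out = list(known)
    while len(out) < count:
        # out[-1] is a_{k-1} and pairs with x_1, out[-2] with x_2, and so on.
        out.append(sum(x * a for x, a in zip(taps, reversed(out[-n:]))) & 1)
    return out[:count]


def recover_keystream(plaintext: List[int], ciphertext: List[int]) -> List[int]:
    """Vernam: C = M xor K, so K = M xor C. Eve only needs a plaintext/ciphertext pair."""
    return [m ^ c for m, c in zip(plaintext, ciphertext)]


def consistent_recurrences(keystream: List[int], order: int) -> List[Taps]:
    """All (x_1, ..., x_order) in {0,1}^order whose recurrence regenerates every known
    keystream bit from the first `order` bits. 2^order candidates: fine for small orders."""
    seed = keystream[:order]
    return [taps for taps in product((0, 1), repeat=order)
            if lfsr_extend(taps, seed, len(keystream)) == keystream]


def collapses_to_zero(taps: Taps, keystream: List[int]) -> bool:
    """True if the generator reaches the all-zero state, after which it emits only zeros.
    If that happens at all it happens within 2^n steps, so a window that long is enough."""
    n = len(taps)
    horizon = len(keystream) + 2 ** n + n
    bits = lfsr_extend(taps, keystream[:n], horizon)
    return any(not any(bits[i:i + n]) for i in range(len(bits) - n + 1))


def eve_candidates(keystream: List[int], order: int, want: int) -> List[Tuple[Taps, List[int]]]:
    """Eve's shortlist: every consistent order-`order` recurrence that does not collapse
    to zeros, each with its prediction of the first `want` keystream bits."""
    return [(taps, lfsr_extend(taps, keystream[:order], want))
            for taps in consistent_recurrences(keystream, order)
            if not collapses_to_zero(taps, keystream)]


if __name__ == "__main__":
    # Constructed scenario (an assumption of this example): Alice's secret generator is
    # a_k = a_{k-2} + a_{k-3} seeded 1, 1, 0. Eve picks a plaintext and has it encrypted.
    secret_taps, secret_seed = (0, 1, 1), [1, 1, 0]
    chosen_m = [1, 0, 1, 1]
    key = lfsr_extend(secret_taps, secret_seed, len(chosen_m))
    c = [m ^ k for m, k in zip(chosen_m, key)]
    ks = recover_keystream(chosen_m, c)  # [1, 1, 0, 0], the lecture's four bits
    print("recovered keystream:", ks)
    for order in (2, 3):
        print(f"order {order}: consistent recurrences {consistent_recurrences(ks, order)}")
        for taps, prediction in eve_candidates(ks, order, 12):
            print(f"  candidate {taps} predicts {prediction}")
```

Run as a script, order 2 leaves only the all-zero recurrence, which is discarded, and order 3 leaves exactly the two candidates from the lecture with their predicted continuations; feeding Eve one more genuine key bit into `consistent_recurrences` is all it takes to pick between them.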
Let's think about that. Since an nth order recurrence relation has n coefficients x1, ..., xn, we need n equations to solve for them all. So let's write down those congruences, one for each output term from a_n up to a_{2n-1}: a_n ≡ x1·a_{n-1} + x2·a_{n-2} + ... + xn·a_0, then a_{n+1} ≡ x1·a_n + x2·a_{n-1} + ... + xn·a_1, and so on up to a_{2n-1} ≡ x1·a_{2n-2} + x2·a_{2n-3} + ... + xn·a_{n-1}, all mod 2. And if we have this system of n linear equations in n unknowns, we can solve for the coefficients exactly by ordinary elimination, just done mod 2. (The one caveat isn't good news for Alice either: if the equations turn out not to be independent, that's because the sequence already satisfies a recurrence of lower order, and any solution of the system reproduces the rest of the key just as well.) And so that means if we know the values a0 through a_{2n-1}, we can completely recover the coefficients. And that's a fairly modest set of values. And this means we can't simply use a higher order recurrence relation. Even if our recurrence relation relies on the preceding 1,000 terms, Eve only needs to know 2,000 consecutive bits of the sequence. So what can we do? Well, let's take a look at that next.
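The 2n-bit attack as an added example, not the lecture's code: it builds the n congruences above from 2n consecutive output bits and solves them by Gauss-Jordan elimination mod 2, packing each row into a Python integer so that even a 1,000-tap generator is recovered from 2,000 bits in a few seconds. The rank it reports is the number of independent equations; when that is below n the known bits already obey a lower-order recurrence, and any solution it returns still regenerates the key. The generators are constructed for the demo (the 3-tap one from the lecture and a pseudo-random 1,000-tap one), and the function names are assumptions of the example. The same recovery in a form that also finds the minimal order is the Berlekamp-Massey algorithm, which is not shown here.

```python
"""Added example: recover the n feedback coefficients of an LFSR from 2n consecutive
output bits by solving n linear congruences mod 2.
Convention (as in the lecture): a_k = x_1*a_{k-1} + x_2*a_{k-2} + ... + x_n*a_{k-n} (mod 2)."""

import random
from typing import List, Optional, Tuple


def lfsr_bits(taps: List[int], seed: List[int], count: int) -> List[int]:
    """Generate `count` terms from coefficients taps = [x_1..x_n] and seed = [a_0..a_{n-1}]."""
    n = len(taps)
    if len(seed) != n:
        raise ValueError("seed must supply exactly n initial terms")
    out = list(seed)
    while len(out) < count:
        # out[-1] is a_{k-1} and pairs with x_1, out[-2] with x_2, and so on.
        out.append(sum(x * a for x, a in zip(taps, reversed(out[-n:]))) & 1)
    return out[:count]


def recover_taps(bits: List[int], n: int) -> Optional[Tuple[List[int], int]]:
    """Solve for (x_1, ..., x_n) from bits a_0 ... a_{2n-1}.

    Equation for k = n .. 2n-1:  a_k = x_1 a_{k-1} + ... + x_n a_{k-n}  (mod 2).
    Each row is packed into one int: bit i holds the coefficient of x_{i+1}
    (that is a_{k-1-i}) and bit n holds the right-hand side a_k.
    Returns (taps, rank), or None if no order-n recurrence fits the bits."""
    if len(bits) < 2 * n:
        raise ValueError("need at least 2n bits")
    rhs_bit = 1 << n
    rows = []
    for k in range(n, 2 * n):
        row = 0
        for i in range(n):
            if bits[k - 1 - i]:
                row |= 1 << i
        if bits[k]:
            row |= rhs_bit
        rows.append(row)

    # Gauss-Jordan elimination over GF(2): XOR serves as both addition and subtraction.
    pivot_cols = []
    r = 0
    for col in range(n):
        piv = next((i for i in range(r, n) if rows[i] >> col & 1), None)
        if piv is None:
            continue  # no pivot: x_{col+1} is a free variable (dependent equations)
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(n):
            if i != r and rows[i] >> col & 1:
                rows[i] ^= rows[r]
        pivot_cols.append(col)
        r += 1

    # A leftover row reading 0 = 1 means the bits cannot come from any order-n LFSR.
    if any(rows[i] & rhs_bit for i in range(r, n)):
        return None

    taps = [0] * n  # free variables stay 0; any choice reproduces the sequence
    for i, col in enumerate(pivot_cols):
        taps[col] = 1 if rows[i] & rhs_bit else 0
    return taps, r


def attack_demo(n: int, rng_seed: int) -> Tuple[int, bool]:
    """Constructed scenario: a pseudo-random n-tap LFSR plays the unknown generator.
    Eve sees only its first 2n bits, solves for the taps, and we check that her
    recovered generator also reproduces the next n bits she never saw.
    Returns (rank, matched)."""
    rng = random.Random(rng_seed)
    secret_taps = [rng.randint(0, 1) for _ in range(n)]
    secret_seed = [rng.randint(0, 1) for _ in range(n)]
    stream = lfsr_bits(secret_taps, secret_seed, 3 * n)
    result = recover_taps(stream[:2 * n], n)
    if result is None:
        return 0, False
    taps, rank = result
    return rank, lfsr_bits(taps, stream[:n], 3 * n) == stream


if __name__ == "__main__":
    # The lecture's order-3 generator a_k = a_{k-2} + a_{k-3} seeded 1,1,0: six bits suffice.
    print(recover_taps([1, 1, 0, 0, 1, 0], 3))  # ([0, 1, 1], 3)
    # A recurrence over the preceding 1,000 terms falls to 2,000 bits of keystream.
    rank, ok = attack_demo(1000, 1)
    print(f"1000-tap LFSR: rank {rank}, recovered generator reproduces the stream: {ok}")
```

The period-4 sequence 1, 1, 0, 0, 1, 1, 0, 0 from the lecture's last candidate is a good check of the caveat: asked for an order-4 recurrence it returns rank 3, because those bits already satisfy the order-3 recurrence a_n ≡ a_{n-1} + a_{n-2} + a_{n-3}, and the taps it hands back are exactly that recurrence with a zero fourth coefficient.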