This preview shows page 1. Sign up to view the full content.
Unformatted text preview: nd factoring n. This algorithm is slow, but there are speedups. As it turns out, you can use more than the least significant bit of each xi as a pseudorandom bit. According to [1569,1570,1571,35,36], if n is the length of xi, the least significant log2n bits of xi can be used. The BBS generator is comparatively slow and isn’t useful for stream ciphers. However, for highsecurity applications, such as key generation, this generator is the best of the lot. 17.10 Other Approaches to StreamCipher Design
In an informationtheoretic approach to stream ciphers, the cryptanalyst is assumed to have unlimited time and computing power. The only practical stream cipher that is secure against an adversary like this is a onetime pad (see Section 1.5). Since bits would be impractical on a pad, this is sometimes called a onetime tape. Two magnetic tapes, one at the encryption end and the other at the decryption end, would have the same random keystream on them. To encrypt, simply XOR the plaintext with the bits on the tape. To decrypt, XOR the ciphertext with the bits on the other, identical, tape. You never use the same keystream bits twice. Since the keystream bits are truly random, no one can predict the keystream. If you burn the tapes when you are through with them, you’ve got perfect secrecy (assuming no one else has copies of the tape). Another informationtheoretic stream cipher, developed by Claus Schnorr, assumes that the cryptanalyst only has access to a limited number of ciphertext bits [1395]. The results are highly theoretical and have no practical value, at least not yet. For more details, consult [1361,1643,1193]. In a randomized stream cipher, the cryptographer tries to ensure that the cryptanalyst has an infeasibly large problem to solve. The objective is to increase the number of bits the cryptanalyst has to work with, while keeping the secret key small. This can be done by making use of a large public random string for encryption and decryption. The key would specify which parts of the large random string are to be used for encryption and decryption. The cryptanalyst, not knowing t...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details