Tags: prng crypto
Rating:
## Solution
Here we look at the psuedorandom number generator, and we treat the `LSFR` component as a blackbox since we cannot reliably find any weaknesses there. Where we can look i at is the `next_byte(.)` function.
```python
def next_byte(self):
x = self.iv ^ self.mask
# self.next()
self.iv = self.LFSR()
x ^= x >> 16
x ^= x >> 8
return (x & 255)
```
which simplifies to
```python
def next_byte(self):
ret = self.x
self.x = self.LFSR_prime()
return x ^ self.mask_prime
```
From here, it is easy to show that the relationship between two consecutive outputs of `next_byte(.)` is constant.
Since we know that the first few bytes should be `X-MAS{` and that each plaintext byte should be less than 127, then we can easily generate the sequence of the random bytes.
__For full solution see the url__