Page : 1 bfolieq.drw Technical University of Braunschweig IDA: Institute of Computer and Network Engineering W. Adi 2011
Lecture-7: Secret-Key Ciphers. Stream Ciphers: Design Principles
Network Security Design Fundamentals ET-IDA, v27, Prof. W. Adi
Page : 2
Outline: Stream Ciphers Design Fundamentals
- Historical Overview
- Basic Definitions
- Linear Feedback Shift Register Sequences
- Stream Cipher Design Principles
- Some Contemporary Standards
Page : 3
Additive Stream Cipher: similarity to the perfect Vernam cipher (1926)
In the Vernam cipher the key tape Z is as long as the clear text X: cipher text = X + Z, and the receiver recovers X + Z + Z = X.
In an additive stream cipher the key length is not equal to the clear-text length: a Running Key Generator (RKG) expands a short key into the running key Z (no perfect secrecy!). Example: A5 in GSM.
Page : 4
Two Major Secret Key Cipher Classes
- Block ciphers: no internal memory involved; pure combinational logic mapping an n-bit message and an n-bit key to an n-bit cryptogram.
- Stream ciphers: include internal memory.
  Additive stream cipher: cipher text = clear text + RKG output, clear text = cipher text + RKG output.
  General stream cipher: the RKG is a non-linear finite state machine with memory.
Page : 5
Stream Cipher Hagelin M-209 (2nd World War)
Designed by the Swedish cryptographer Boris Hagelin in the 1930s; the figure shows the electronic equivalent of the mechanical machine.
Wheel lengths l_i are relatively prime, gcd(l_i, l_j) = 1, with l_1 = 26.
Sequence length = 17 x 19 x 21 x 23 x 25 x 26 ≈ 10^8 bits
Key length = 131 bits
Page : 6
Linear Feedback Shift Registers (LFSR)
Basic Linear Sequence Generator (canonical form 1), D-transform format
The register has length L and connection polynomial C(D) = 1 + C_1 D + C_2 D^2 + ... + C_L D^L with coefficients C_j for j ≤ L.
Page : 7
Linear Feedback Shift Registers (LFSR)
Basic Linear Sequence Generator (canonical form 2): division engine in the ring of polynomials modulo P(x), polynomial degree = m.
Division in the ring of polynomials modulo P(x) = 1 + p_1 x + p_2 x^2 + ... + p_m x^m
(Figure: register cells 0, 1, ..., m with feedback taps p_1, p_2, ..., p_m; output sequence.)
Page : 8
Basic Linear Feedback Shift Register Structure (LFSR)
The LFSR output sequence is equivalent to dividing two polynomials.
Example (figure, MSB ... LSB): the register shown has cycle length 3. Analogy: the decimal division 1/7 gives a repeating digit sequence with cycle length 6.
Page : 9
Basic Linear Feedback Shift Register Structure (LFSR): Example
C(D) = D^4 + D^3 + D^2 + D + 1 is irreducible but not primitive, with period e = N = 5; N divides 2^4 - 1 = 15.
The period N of an irreducible polynomial of degree L divides 2^L - 1 = 15.
Its cycle structure is {1(1), 3(5)}: one cycle of length 1 and three cycles of length 5.
Page : 10
Basic Linear Feedback Shift Register Structure (LFSR): Example of a PN Sequence
(Figure: elements of the cyclic group Z*_C(D); output sequence.)
C(D) = D^3 + D + 1 is irreducible and primitive with period e = N = 2^3 - 1 = 7. Cycle structure is {1(1), 1(7)}.
Sequence properties:
1. The sequence length is 2^m - 1 = 7
2. The number of 1's is 2^(m-1) = 4
3. The number of 0's is 2^(m-1) - 1 = 3
4. A shifted window of length m = 3 on the sequence results in all 2^m - 1 = 7 non-zero m-bit binary patterns (window property)
5. The polynomial used and its reciprocal (mirrored pattern) result in the same sequence length: C*(D) = D^3 C(D^-1) = D^3 + D^2 + 1
The number of primitive polynomials of degree m over GF(2) is φ(2^m - 1)/m = 2.
Page : 11
Linear Feedback Shift Registers (LFSR) with maximum sequence length: P-N-Sequence (Pseudo-Noise) characteristics
If the connection or division polynomial of degree m is selected to be a primitive polynomial, that is an irreducible polynomial where the order of x is 2^m - 1 (the highest possible order), then the output sequence is called a Pseudo-Noise (PN) sequence.
In general, PN sequences have the following properties:
1. The sequence length is 2^m - 1
2. The number of 1's is 2^(m-1)
3. The number of 0's is 2^(m-1) - 1
4. A shifted window of length m on the sequence results in all 2^m - 1 non-zero m-bit binary patterns (window property)
5. The polynomial used and its reciprocal (mirrored pattern) result in the same sequence length
6. The number of primitive polynomials of degree m over GF(2) is φ(2^m - 1)/m
Page : 12
Basic Linear Feedback Shift Register Structure (LFSR): Example of a PN Sequence
If C(D) is a primitive polynomial, C(D) = D^4 + D + 1, then its period is N = 2^4 - 1 = 15 and its cycle structure is {1(1), 1(15)}.
Output sequence (see figure)
Sequence properties:
1. The sequence length is 2^m - 1 = 15
2. The number of 1's is 2^(m-1) = 8
3. The number of 0's is 2^(m-1) - 1 = 7
4. A shifted window of length m = 4 bits on the sequence results in all 2^m - 1 = 15 non-zero 4-bit binary patterns (window property)
5. The polynomial used and its reciprocal (mirrored pattern) result in the same sequence length: C*(D) = D^4 + D^3 + 1
The number of primitive polynomials of degree m over GF(2) is φ(2^m - 1)/m = φ(2^4 - 1)/4 = 2.
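As an added example (my own code, not part of the lecture slides), a Python LFSR in canonical form 1 that generates the sequence of a connection polynomial given by its nonzero exponents, measures the period, and checks the PN-sequence properties listed above for the slides' polynomials D^4 + D + 1, D^4 + D^3 + D^2 + D + 1 and D^3 + D + 1; the function names and the polynomial/state encoding are my assumptions.

```python
def lfsr_sequence(poly, state, n):
    """Canonical form 1 LFSR: s_n = c_1 s_{n-1} + ... + c_L s_{n-L} (mod 2).
    poly  = set of exponents j with c_j = 1 in C(D) = 1 + c_1 D + ... + c_L D^L
    state = initial fill [s_0, ..., s_{L-1}] (must not be all zero)."""
    L, s, out = len(state), list(state), []
    for _ in range(n):
        out.append(s[0])                                      # oldest cell is the output
        new = sum(s[L - j] for j in poly if 0 < j <= L) % 2   # s[L-j] holds s_{n-j}
        s = s[1:] + [new]
    return out


def period(poly, state):
    """Smallest p > 0 after which the register returns to its initial state."""
    L = len(state)
    bits = lfsr_sequence(poly, state, 2 ** L - 1 + L)        # longest possible period + one window
    for p in range(1, 2 ** L):
        if bits[p:p + L] == bits[:L]:                         # state after p steps == initial state
            return p
    raise ValueError("no period found: is the initial state zero?")


def reciprocal(poly):
    """C*(D) = D^L C(1/D): the mirrored tap pattern."""
    L = max(poly)
    return {L - j for j in poly}


def pn_properties(poly, state):
    """Check the PN-sequence properties of the slides on one period of the output."""
    L, N = len(state), period(poly, state)
    bits = lfsr_sequence(poly, state, N + L - 1)
    windows = {tuple(bits[i:i + L]) for i in range(N)}       # all cyclic L-bit windows of one period
    return {
        "period": N,
        "maximum_length": N == 2 ** L - 1,
        "ones": bits[:N].count(1),
        "zeros": bits[:N].count(0),
        "window_property": len(windows) == 2 ** L - 1 and (0,) * L not in windows,
        "reciprocal_period": period(reciprocal(poly), state),
    }


if __name__ == "__main__":
    for name, poly in [("D^4+D+1", {4, 1, 0}), ("D^4+D^3+D^2+D+1", {4, 3, 2, 1, 0}),
                       ("D^3+D+1", {3, 1, 0})]:
        L = max(poly)
        print(name, pn_properties(poly, [1] + [0] * (L - 1)))   # initial state 1000...
```

The non-primitive D^4 + D^3 + D^2 + D + 1 reports period 5 and fails the window property, while the two primitive polynomials show all six PN properties.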
Page : 13
Linear Feedback Shift Register as a Key Generator?
Primitive polynomial C(D) = D^4 + D + 1 of degree 4 => period N = 2^4 - 1 = 15
(Figure: output key stream (k_i) with a 4-bit window.)
A bad cipher! Why?
Page : 14
Are PN sequences good for stream ciphers?
Massey-Berlekamp algorithm: it is possible to find the shortest connection polynomial C(D) and the initial value of the register if only 2L bits of the sequence are known (the example on the former page can be cracked if only 2 x 4 = 8 bits of the key stream are known).
Definition: the linear complexity L(S) of a sequence S is the length of the shortest LFSR that generates the sequence S.
- Sequence randomness quality: very good
- Security: very bad (Massey-Berlekamp algorithm)
Page : 15
Non-Linear Feedback Shift Register Structure (NLFSR): singular and non-singular cases
The feedback f is any function; the feedback is non-linear if functions other than XOR are used.
With c the coefficient of the initial-state complement path, the register is non-singular over GF(2) if c ≠ 0 (figure: singular and non-singular case).
Page : 16
Running Key Generators: Hadamard Combiner
LFSR1 <C_1(D), L_1> with output S_1n and LFSR2 <C_2(D), L_2> with output S_2n are combined by an AND gate into S_n.
C_1(D) and C_2(D) irreducible with periods N_1, N_2 and degrees L_1, L_2 such that gcd(L_1, L_2) = 1.
Linear complexity L(S_0, S_1, S_2 ...) = L_1 . L_2
Sequence period is N = lcm(N_1, N_2) = N_1 . N_2
Bad output statistics of the 1 and 0 distribution! Reason: the AND gate outputs 0 for 75% of all input combinations.
Page : 17
Running Key Generators: Geffe's Running Key Generator
Three registers LFSR1, LFSR2, LFSR3; LFSR2 selects between LFSR1 and the complemented path to LFSR3 (figure).
C_1(D), C_2(D) and C_3(D) irreducible with periods N_1, N_2, N_3 and degrees L_1, L_2, L_3 such that gcd(L_i, L_j) = 1.
Linear complexity L(S_n) = L_3 + L_1 . L_2 + L_2 . L_3
Sequence period is N = lcm(N_1, N_2, N_3)
Better distribution of 1's and 0's!
Page : 18
Running Key Generators: Massey-Rueppel
Two registers of lengths L_1 and L_2 with gcd(L_1, L_2) = 1; C_1(D), C_2(D) are irreducible.
LFSR1 is clocked with f_1, LFSR2 with clock f_2 < f_1 / 2.
Linear complexity L(S_n) = L_1 . L_2
Sequence period is N = lcm(N_1, N_2)
Page : 19
Running Key Generators: Non-linear Combination of LFSR Sequences
LFSR1, LFSR2, ..., LFSRn are combined by a non-linear function f_k (figure).
If gcd(L_i, L_j) = 1 and C_1(D) ... C_n(D) are irreducible, then L(S_0, S_1, ..., S_n) = f_k(L_1, L_2, ..., L_n).
Example: for f_k(x_1, x_2, x_3) = x_1 + x_2 x_3 + x_1 x_2 and L_1 = 5, L_2 = 7, L_3 = 9:
L(S_1, S_2, S_3) = L_1 + L_2 L_3 + L_1 L_2 = 5 + 7 . 9 + 5 . 7 = 103
Number of possible functions = 2^(2^n)
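An added example (my own code, not the lecture's) covering the Massey-Berlekamp point of page 14 and the combiner complexity of pages 17 and 19: the algorithm recovers the slide's D^4 + D + 1 register from 8 key-stream bits and predicts the rest, and then measures the linear complexity of a Geffe generator built from a constructed instance with primitive polynomials D^2 + D + 1, D^3 + D + 1, D^5 + D^2 + 1 (degrees 2, 3, 5, pairwise coprime), which the formula L_3 + L_1 L_2 + L_2 L_3 puts at 26. Function names and the polynomial/state encoding are my assumptions.

```python
def lfsr_bits(poly, state, n):
    """Canonical form 1 LFSR; poly = exponents j with c_j = 1 in C(D) = 1 + c_1 D + ... + c_L D^L,
    state = [s_0, ..., s_{L-1}]. Returns the first n output bits."""
    L, s, out = len(state), list(state), []
    for _ in range(n):
        out.append(s[0])
        s = s[1:] + [sum(s[L - j] for j in poly if 0 < j <= L) % 2]
    return out


def berlekamp_massey(bits):
    """Massey-Berlekamp over GF(2): returns (L(S), exponents of the shortest C(D))."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n      # current and previous connection polynomials
    L, m = 0, -1                             # current complexity, step of the last length change
    for i in range(n):
        d = bits[i]                          # discrepancy between LFSR prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t, shift = c[:], i - m
        for j in range(n + 1 - shift):       # C(D) <- C(D) + D^(i-m) B(D)
            c[j + shift] ^= b[j]
        if 2 * L <= i:                       # the register has to grow
            L, m, b = i + 1 - L, i, t
    return L, {j for j in range(L + 1) if c[j]}


def predict_keystream(known_prefix, total):
    """Recover the shortest LFSR from a known prefix (>= 2L bits) and run it on to `total` bits."""
    L, poly = berlekamp_massey(known_prefix)
    return lfsr_bits(poly, known_prefix[:L], total)


def geffe(n):
    """Geffe generator z = x1 x2 + x2 x3 + x3 (LFSR2 selects LFSR1 or LFSR3).
    Constructed instance: primitive D^2+D+1, D^3+D+1, D^5+D^2+1 with coprime degrees 2, 3, 5."""
    x1 = lfsr_bits({2, 1, 0}, [1, 0], n)
    x2 = lfsr_bits({3, 1, 0}, [1, 0, 0], n)
    x3 = lfsr_bits({5, 2, 0}, [1, 0, 0, 0, 0], n)
    return [(a & b) ^ ((b ^ 1) & c) for a, b, c in zip(x1, x2, x3)]


if __name__ == "__main__":
    ks = lfsr_bits({4, 1, 0}, [1, 0, 0, 0], 15)          # the slide's D^4 + D + 1 key stream
    print(berlekamp_massey(ks[:8]), predict_keystream(ks[:8], 15) == ks)   # (4, {0, 1, 4}) True
    print(berlekamp_massey(geffe(651))[0], 5 + 2 * 3 + 3 * 5)              # 26 26
```

The Geffe output has period lcm(3, 7, 31) = 651, so one full period is fed to the algorithm; any prefix of at least 2 x 26 = 52 bits already gives the same complexity.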
Page : 20
Designing a Running Key Generator: Non-linear Combination of LFSR Sequences
One LFSR with a primitive connection polynomial of degree L delivers a PN sequence with period 2^L - 1 = 2^6 - 1 = 63; its cells feed a non-linear function F with non-linear order NLO = m, where m is the non-linear order of the function F.
Example: F = x_1 . x_2 + x_3 + x_4 . x_5 . x_6 (terms of order 2, 1 and 3), so NLO = m = 3 = L/2.
If C(D) is primitive, then for m = L/2 the resulting linear complexity is L(S) ≈ 2^(L - log L).
Design steps:
1. Select a primitive polynomial of degree L
2. Select a function F with a non-linear order m = L/2
3. Select some low-order terms in F (for a good 1/0 distribution)
4. Compute the effective linear complexity L(S)
Page : 21
Self-Synchronizing Stream Cipher
Not self-synchronizing cipher vs. self-synchronizing cipher (figure): the self-synchronizing cipher feeds the last L cipher-text symbols through a block cipher or a highly non-linear function to derive the key stream, so it synchronizes again after L subsequent error-free symbols.
Page : 22
The Most Widespread Stream Cipher
GSM Mobile Phone Cipher: A5/1, A5/2, ...
Unpublished ciphers! More than million devices worldwide!
Page : 23
GSM: Mobile Phone A5/1 Stream Cipher
Three registers LFSR1, LFSR2, LFSR3 (LFSR: Linear Feedback Shift Register) of lengths 19, 22 and 23 bits with stop/go clock control (stop/go-1, stop/go-2, stop/go-3) and a de-linearizer producing Z(t). Effective key length = 40 bits?
Published by Berkeley students; effectively attacked by A. Shamir 1999/2000.
The attack can find the key in less than a second on a single PC with 128 MB RAM and two 73 GB hard disks, by analysing the output of the A5/1 algorithm in the first two minutes of the conversation.
Page : 24
The answer of the GSM Association was: Mobile Phone Cipher A5/2
LFSR: Linear Feedback Shift Register. LFSR1 (C1, length = 19 bits), LFSR2 (C2, length = 21 bits) and LFSR3 (C3, length = 23 bits) each feed a majority function and produce the key stream; LFSR4 (C, length = 16 bits) drives the clock control.
Export version cracked by Barkan, Biham and Keller in August: a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer.
Page : 25
List of all irreducible polynomials up to degree 11 over GF(2), 1/2
Page : 26
List of all irreducible polynomials up to degree 11 over GF(2), 2/2
Page : 27
All primitive polynomials up to degree 11
The number of primitive polynomials of degree m over GF(2) is φ(2^m - 1)/m.
Page : 28
Larger primitive polynomials: factorization of 2^n - 1