Overview Introduction Generating keystream sequences


Overview
- Introduction
  - What is a synchronous stream cipher?
  - What are stream ciphers used for?
  - Why use a stream cipher?
- Generating keystream sequences
  - Methods
  - Properties
- Stream cipher designs
  - Traditional stream ciphers
  - Modern stream ciphers
- Stream ciphers and integrity assurance
- Summary

Semester 1, 2018 INN642

What is a stream cipher?
- A symmetric cipher where the plaintext and ciphertext are viewed as streams of characters
  - Character size may be one bit or an n-bit word, e.g. 8-bit (byte), 32-bit word, etc.
- Encryption: plaintext is transformed to ciphertext one character at a time, under control of a secret key
- Decryption: the transformation is inverted; ciphertext is transformed to plaintext one character at a time, under control of the secret key

What is a synchronous stream cipher?
- Keystream generated independently of plaintext or ciphertext
- Sender and receiver must be synchronised: the keystream character combined with a plaintext character at encryption must be combined with the corresponding ciphertext character at decryption
- Self-synchronous: ciphertext used as input to the keystream generator
  - Allows recovery from some deletion errors during transmission
  - Some ciphertext is decrypted incorrectly until ciphertext feedback re-synchronises the keystream generator

What is a binary additive synchronous stream cipher?
- Binary additive synchronous stream cipher:
  - Plaintext, keystream and ciphertext are all streams of bits
  - Combining operation is bitwise addition mod 2 (XOR)
- Encryption: c(t) = p(t) ⊕ z(t)
- Decryption: p(t) = c(t) ⊕ z(t)

What is a binary additive synchronous stream cipher? Example: encryption
- Plaintext: this message is highly secret
- Use ASCII representation to convert alpha characters to a bitstream (https://www.ascii-code.com/)

    t   0 1 1 1 0 1 0 0   plaintext
    ⊕   0 1 0 1 0 0 0 1   key
    %   0 0 1 0 0 1 0 1   ciphertext

- The plaintext is encrypted character by character. t is converted to an ASCII 8-bit binary string (this step is encoding). The encryption key for the first character is an 8-bit secret string. Here the encryption algorithm is exclusive-OR. The 8-bit ciphertext string can also be represented by an ASCII symbol.

What is a binary additive synchronous stream cipher? Example: encryption
- Plaintext: this message is highly secret

    h   0 1 1 0 1 0 0 0   plaintext
    ⊕   1 1 0 0 1 0 1 1   key
    £   ?                 ciphertext

What is a binary additive synchronous stream cipher? Example: decryption
- Plaintext: this message is highly secret

    t   0 1 1 1 0 1 0 0   plaintext
    ⊕   0 1 0 1 0 0 0 1   key
    %   0 0 1 0 0 1 0 1   ciphertext
    ⊕   0 1 0 1 0 0 0 1   key
    t   0 1 1 1 0 1 0 0   plaintext

- The binary representation of the first ciphertext character is an 8-bit string. The decryption key is the same 8-bit string used for encryption. The decryption algorithm is exclusive-OR. For the next character, another 8-bit binary string will be used from the key. For the whole message, the key length must be equal to the length of the plaintext.

What is a binary additive synchronous stream cipher? Example: decryption
- Plaintext: this message is highly secret

    h   0 1 1 0 1 0 0 0   plaintext
    ⊕   1 1 0 0 1 0 1 1   key
    £   1 0 1 0 0 0 1 1   ciphertext
    ⊕   1 1 0 0 1 0 1 1   key
    ?   ?                 plaintext

What is a binary additive synchronous stream cipher?
- Major advantages:
  - Encryption and decryption are performed quickly: the combining operation is XOR
  - Reciprocal cipher: the same device is used to encrypt and to decrypt, giving a lower implementation cost
- Major disadvantage: requires keystream synchronization (w.r.t. position of streams)

Binary additive synchronous stream cipher. Example: loss of synchronisation (shifted keystream at receiver)
- Plaintext: this message is highly secret

    t       0 1 1 1 0 1 0 0   plaintext
    ⊕       0 1 0 1 0 0 0 1   key
    %       0 0 1 0 0 1 0 1   ciphertext
    ⊕   0 1 0 1 0 0 0 1 1 1   key (shifted at receiver)
    b       0 1 1 0 0 0 1 0   plaintext

What are stream ciphers used for?
- Providing confidentiality for real-time communications:
  - Mobile telephony: A5/1 in the GSM standard; GMR-1 and GMR-2 used in satellite phones
  - Internet transmissions: RC4, Salsa20
  - Pay TV: DVB uses the Common Scrambling Algorithm
- Used for resource-constrained environments
  - Can be much more efficient than block ciphers (another type of symmetric cipher; more on those next week)

Why use a stream cipher?
- Can offer a high level of security
  - Depends on keystream properties: OTP provides perfect secrecy
- Generally faster than other symmetric (block) ciphers
  - Useful for encryption/decryption in real time: mobile phone, satellite pay TV, internet transmissions, etc.
- Useful for resource-constrained situations:
  - Binary additive stream cipher: same implementation for encryption and decryption
  - Small implementation footprint
  - Useful for devices with limited processing power or memory
- Limited error propagation:
  - If a ciphertext bit is "flipped" (0 → 1 or 1 → 0), only that bit will decrypt incorrectly
  - Note: if the error is a bit insertion or deletion, the result is loss of synchronization, with massive errors in the recovered plaintext!
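
The two error cases above, and the shifted-keystream slide, can be reproduced with the key bytes from the worked example. This is an added illustration, not code from the lecture; the function names are hypothetical and only the 16 keystream bits shown on the slides are used.

```python
# Added example: error propagation in a binary additive synchronous stream cipher.
# KEYSTREAM holds the two key bytes shown on the worked slides (01010001 for 't',
# 11001011 for 'h'); limiting the demo to these 16 bits is a choice made here.
KEYSTREAM = [int(b) for b in "0101000111001011"]


def to_bits(data):
    """Encode bytes as a most-significant-bit-first list of 0/1 values."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    """Pack complete groups of 8 bits into bytes; an incomplete tail is dropped."""
    whole = len(bits) - len(bits) % 8
    return bytes(
        int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, whole, 8)
    )


def xor_stream(bits, keystream):
    """c(t) = p(t) XOR z(t). The same call decrypts. Stops at the shorter input."""
    return [b ^ z for b, z in zip(bits, keystream)]


def flip_bit(bits, t):
    """Transmission error: bit t arrives inverted."""
    return bits[:t] + [bits[t] ^ 1] + bits[t + 1:]


def delete_bit(bits, t):
    """Transmission error: bit t is lost, so later bits arrive one place early."""
    return bits[:t] + bits[t + 1:]


def error_positions(recovered, original):
    """Bit positions where the receiver's plaintext differs from what was sent."""
    return [t for t, (r, p) in enumerate(zip(recovered, original)) if r != p]


def decrypt_with_shifted_keystream(cipher_bits, keystream, shift):
    """Receiver whose keystream generator is `shift` bits ahead of the sender's."""
    return xor_stream(cipher_bits, keystream[shift:])


if __name__ == "__main__":
    plain = to_bits(b"th")
    cipher = xor_stream(plain, KEYSTREAM)
    print("ciphertext bytes:", from_bits(cipher).hex())

    # A flipped ciphertext bit damages exactly one plaintext bit.
    flipped = xor_stream(flip_bit(cipher, 5), KEYSTREAM)
    print("errors after bit flip at 5:", error_positions(flipped, plain))

    # A deleted ciphertext bit misaligns everything after it.
    deleted = xor_stream(delete_bit(cipher, 3), KEYSTREAM)
    print("errors after deletion at 3:", error_positions(deleted, plain))

    # Keystream shifted at the receiver: '%' no longer decrypts to 't'.
    shifted = decrypt_with_shifted_keystream(cipher[:8], KEYSTREAM, 2)
    print("first character with shifted keystream:", from_bits(shifted))
```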


Generating keystream sequences
- Assume an attacker has access to ciphertext
- If they also know some plaintext, and can match it to the corresponding ciphertext, then known plaintext-ciphertext pairs reveal the underlying keystream segment:
  c(t) = p(t) ⊕ z(t) → c(t) ⊕ p(t) = z(t)
- Keystream is critical to stream cipher security: given a segment of keystream, an attacker should be unable to produce the rest of the keystream, or recover the secret key for the generator, any faster than by guessing (brute force attack)

Generating keystream sequences
Two options for generating binary keystream sequences:
- Random sequence
  - Used for One Time Pad (OTP)
- Deterministic sequence
  - Also known as pseudorandom binary sequence
  - Not actually random, faking randomness
  - Most commonly used stream ciphers

Generating keystream sequences: Truly random
- One time pad: the key is
  - a truly random sequence of characters,
  - at least as long as the plaintext, and
  - used only once (hence the name)
- OTP variations based on character type:
  - English alphabet OTP: plaintext, keystream and ciphertext are alpha characters; combining function is addition modulo 26
  - Vernam OTP (1917): plaintext, keystream and ciphertext characters are bits; combining function is binary addition (XOR)

Generating keystream sequences: Truly random
- Vernam OTP is provably secure (for confidentiality):
  - Since the keystream is truly random, all keystreams are equally likely.
  - Given the ciphertext, all possible plaintexts are equally likely.
- However, OTP has key management problems:
  - key generation
  - key distribution
- Not practical for general use.

Generating keystream sequences: Deterministic (pseudorandom)
Traditionally, stream cipher designers made pseudorandom keystream generators where:
- the generator input is a small secret key, and
- the generator output is a longer keystream that appears random to an attacker (but is actually not random at all)

Generating keystream sequences: Deterministic (pseudorandom)
Security requirements:
- Keystream sequence produced by the generator must be unpredictable and look like a random sequence
  - Large period, white noise characteristics
  - Pass statistical tests, no distinguishers from a random sequence
- Given the structure of the generator and a segment of keystream, an attacker should be unable to produce the rest of the keystream or recover the secret key any faster than guessing
- Generator resists known styles of attack (algebraic, statistical, …)
http://dilbert.com/strip/2001-10-25

Generating keystream sequences: Deterministic (pseudorandom)
Example: nonlinear filter generator
- Key is the initial state of the LFSR
- Keystream is produced by applying a nonlinear function to the contents of several stages of the LFSR

Generating keystream sequences: Deterministic (pseudorandom)
Maintaining synchronization:
- Critical for synchronous stream ciphers
  - loss of synchronization = loss of data recovery from that point on
- Need a process to deal efficiently with loss of synchronisation
- Traditional designs: 1-1 mapping of key → keystream, and the keystream can't be reused to encrypt another message

Generating keystream sequences: Deterministic (pseudorandom)
More recent stream cipher designs (after 2000) have pseudorandom keystream generators with two inputs:
- a secret key, and
- a known value, called an initialisation vector (IV)

Generating keystream sequences: Deterministic (pseudorandom)
Using keystream generators with 2 inputs: (K, IV)
- Treat each communication as a series of frames/packets
- Encrypt each frame in the communication with keystream formed using the same key, but a different frame number
- Loss of synchronization only results in loss of the remaining data in that frame
- Rekey (reinitialise) for the next frame = regain synchronization
Example: A5/1 algorithm (used for GSM phone conversations)
- Each conversation is encrypted using a different 64 bit key
- Conversation is broken into frames of length 228 bits
- Key is used with a 22 bit frame number to produce 228 bits of keystream (encrypts about 4.6 milliseconds of conversation)


Generating keystream sequences: Desired properties
Three basic properties for keystream sequences {z(t)}; t = 1, 2, 3, … :
- Large period
- Large linear complexity
- Noise-like characteristics (or good statistical properties)

Generating keystream sequences: Desired properties: large period
- The sequence produced by a deterministic pseudorandom binary number generator is ultimately periodic.
- The period of a binary sequence z(t) is said to be k if z(t + k) = z(t) for all t, and k is the smallest such number.
- Example: binary sequence 0111011101110111…
  z(t + 4) = z(t) for all t, so the period of z is k = 4.

Generating keystream sequences: Desired properties: large period
Attack on small period: if the period of the keystream sequence is smaller than the length of the plaintext, an attack is possible:
- Assume the period of the keystream is less than the length of the ciphertext.
- This implies that two sections of the message are encrypted using the same portion of keystream.
- It may be possible to identify where this overlap occurs using the redundancy of the plaintext.
- Adding these two sections of ciphertext together modulo 2 cancels the keystream and gives the modulo 2 sum of the two plaintext strings.
- It may be possible to attack this sum using the redundancy of the plaintext.

Generating keystream sequences: Desired properties: large period
Attack on small period:
- Let p(t), c(t) and z(t) denote the plaintext, ciphertext and keystream bits at time t, respectively.
- Let k denote the period of the keystream. Then
  z(t + k) = z(t)
  c(t) = p(t) + z(t) for t = 1, …, k
  c(t + k) = p(t + k) + z(t + k)
- Therefore
  c(t) + c(t + k) = p(t) + p(t + k)

Generating keystream sequences: Desired properties: large linear complexity
- Let z(t) be a finite length or periodic infinite binary sequence.
- There is a unique Linear Feedback Shift Register (LFSR) of shortest length which will produce z(t).
- The linear complexity of z(t) is defined to be the length of this LFSR.
- The minimal polynomial of z(t) is the connection polynomial of this LFSR.

Generating keystream sequences: Desired properties: large linear complexity
0101011101100011111001101001000
- This binary sequence has linear complexity 5.
- The sequence satisfies the recursion: u_t = u_{t-2} + u_{t-5} for all t > 4
- Characteristic polynomial is f(x) = x^5 + x^3 + 1.
- Connection polynomial is C(D) = 1 + D^2 + D^5.
- The LFSR which produces this sequence is:

Generating keystream sequences: Desired properties: large linear complexity
Attack on low linear complexity: Berlekamp-Massey Algorithm
James L. Massey, Shift-Register Synthesis and BCH decoding. IEEE Transactions on Information Theory, IT-15:122-127, January 1969.
- Given a sequence S = s_0, s_1, …, s_{n-1}, the algorithm finds the connection polynomial C(D) = 1 + c_1 D + c_2 D^2 + … + c_L D^L of degree at most L for the minimum length LFSR which generates S
- Iterative algorithm: processes substrings of increasing length
- If the linear complexity of sequence S is L, then the connection polynomial can be found provided 2L consecutive terms of S are known.
- Given the minimal polynomial and L consecutive terms, the entire sequence can be reproduced.
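
The synthesis described above, run on the 31-bit sequence from the previous slide, shows why an LFSR output must not be used directly as keystream: 2L = 10 known bits determine all the rest. This is an added example, not code from the lecture; it is a standard GF(2) Berlekamp-Massey implementation and the helper names are hypothetical.

```python
# Added example: Berlekamp-Massey over GF(2) applied to the slide's sequence.
PAGE_SEQUENCE = "0101011101100011111001101001000"  # sequence from the slides


def berlekamp_massey(bits):
    """Return (L, C) for the shortest LFSR generating `bits`.

    C is the connection polynomial as a coefficient list [1, c_1, ..., c_L],
    meaning s_t = c_1*s_{t-1} + ... + c_L*s_{t-L} (mod 2).
    """
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial C(D)
    b = [1] + [0] * n          # copy of C(D) from before the last length change
    length, m = 0, -1          # current LFSR length, index of last length change
    for i in range(n):
        # Discrepancy: does the current LFSR predict bit i correctly?
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        previous = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]          # C(D) <- C(D) + D^shift * B(D)
        if 2 * length <= i:               # the LFSR has to grow
            length, m, b = i + 1 - length, i, previous
    return length, c[:length + 1]


def lfsr_extend(conn, seed, n):
    """Regenerate n terms from a connection polynomial and the first L terms."""
    length = len(conn) - 1
    s = list(seed[:length])
    while len(s) < n:
        t = len(s)
        s.append(sum(conn[j] & s[t - j] for j in range(1, length + 1)) & 1)
    return s[:n]


def poly_str(conn):
    """Render [1, 0, 1, 0, 0, 1] as '1 + D^2 + D^5'."""
    terms = ["1"] + ["D" if j == 1 else "D^%d" % j
                     for j in range(1, len(conn)) if conn[j]]
    return " + ".join(terms)


def recover_from_prefix(seq_str):
    """Use only 2L consecutive terms, then rebuild the whole sequence."""
    bits = [int(ch) for ch in seq_str]
    full_length, _ = berlekamp_massey(bits)
    length, conn = berlekamp_massey(bits[:2 * full_length])
    rebuilt = lfsr_extend(conn, bits[:length], len(bits))
    return length, conn, rebuilt == bits


if __name__ == "__main__":
    length, conn, ok = recover_from_prefix(PAGE_SEQUENCE)
    print("linear complexity:", length)
    print("connection polynomial:", poly_str(conn))
    print("all 31 bits rebuilt from 10 known bits:", ok)
```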

Generating keystream sequences: Desired properties: noiselike characteristics
For a periodic binary sequence to appear random it should have these characteristics:
- Approximately ½ of the terms in one period of the sequence should be one (and ½ should be zero).
- In one period of the sequence, ½ of the runs should have length one, ¼ of the runs should have length two, 1/8 of the runs should have length three, etc.
- The out-of-phase autocorrelation function is constant: C = (A - D) / p, where A and D are the numbers of agreements and disagreements between shifted copies of the periodic sequence and the original, and p is the period length.

Generating keystream sequences: Desired properties: noiselike characteristics
A periodic sequence which satisfies these three characteristics exactly:
- is said to be G-random, or
- is described as a pseudo-noise (PN) sequence, and
- can be produced using an LFSR.
Example: 1000110111010100001001011001111
Proportion of ones/zeroes:
- Number of ones = 16, proportion (ones) = 16/31
- Number of zeros = 15, proportion (zeroes) = 15/31

Generating keystream sequences: Desired properties: noiselike characteristics
Example (cont'd): 1000110111010100001001011001111
Analysis of run lengths:
- Runs of length 1 = 8 (= ½ the total runs)
- Runs of length 2 = 4 (= ¼ the total runs)
- Runs of length 3 = 2 (= 1/8 the total runs)
- Runs of length 4 = 1 (= 1/16 the total runs)
- Runs of length 5 = 1 (= 1/16 the total runs)
Cyclic shifts of the periodic output:

    original  10001101 11010100 00100101 1001111
    shift 1   11000110 11101010 00010010 1100111
    shift 2   11100011 01110101 00001001 0110011
    shift 3   11110001 10111010 10000100 1011001
    ...

The out-of-phase autocorrelation function is constant: C = (A - D) / p
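
The three checks above can be computed mechanically for one period of any sequence. This is an added example, not code from the lecture; the function names are hypothetical, runs are counted cyclically (the run of ones at the end of the period joins the one at the start), and a shift means comparing z(t) with z(t + shift) around the period.

```python
# Added example: measuring balance, run lengths and out-of-phase autocorrelation
# for one period of a binary sequence.
from collections import Counter
from fractions import Fraction
from itertools import groupby

PN_SEQUENCE = "1000110111010100001001011001111"  # example period from the slides


def parse(period_str):
    return [int(ch) for ch in period_str]


def balance(period):
    """(number of ones, number of zeros) in one period."""
    ones = sum(period)
    return ones, len(period) - ones


def cyclic_run_lengths(period):
    """Map run length -> number of runs, treating the period as a circle."""
    n = len(period)
    # Find a position where a new run begins (period[-1] is the cyclic predecessor
    # of period[0]); a constant sequence has no such position.
    start = next((i for i in range(n) if period[i] != period[i - 1]), None)
    if start is None:
        return {n: 1}
    rotated = period[start:] + period[:start]
    counts = Counter(len(list(group)) for _, group in groupby(rotated))
    return dict(sorted(counts.items()))


def autocorrelation(period, shift):
    """C = (A - D) / p for the period compared with itself shifted by `shift`."""
    n = len(period)
    agree = sum(period[t] == period[(t + shift) % n] for t in range(n))
    return Fraction(agree - (n - agree), n)


def out_of_phase_values(period):
    """Set of autocorrelation values over all shifts 1 .. p-1."""
    return {autocorrelation(period, s) for s in range(1, len(period))}


def golomb_report(period_str):
    period = parse(period_str)
    values = out_of_phase_values(period)
    return {
        "balance": balance(period),
        "runs": cyclic_run_lengths(period),
        "autocorrelation": sorted(values),
        "autocorrelation_constant": len(values) == 1,
    }


if __name__ == "__main__":
    for name, seq in [("slide PN sequence", PN_SEQUENCE),
                      ("period-4 sequence 0011 (constructed contrast)", "0011")]:
        report = golomb_report(seq)
        print(name)
        for key, value in report.items():
            print("  %s: %s" % (key, value))
```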

Overview
- Introduction
  - What is a synchronous stream cipher?
  - What are stream ciphers used for?
- Generating keystream sequences
  - Methods
  - Properties
- Keystream generator designs
  - Traditional stream ciphers (single input: K)
  - Modern stream ciphers (two inputs: K and IV)
- Stream ciphers and integrity assurance
- Summary

Keystream generator designs
These are finite state machines (FSM).
- State: storage for internal values
- Initialisation process: to fill the internal state with an initial value
- State update function: changes stored internal state values at each time step (clock)
- Output function: keystream output is a function of the current internal state values
Keystream output:
- Can be a bit or an n-bit word
- Is completely determined by the initial internal state value, and the state update and output functions
- So it is entirely deterministic, but should look random!

Keystream generator designs: Traditional stream ciphers
- Designed with a single input: secret key
- Often used the key directly as the initial state
- Examples:
  - Linear Feedback Shift Registers (LFSRs)
  - LFSR based designs: nonlinear filter generator, nonlinear combiner generator, shrinking generator
  - Dynamic table based designs: RC4
  - Block ciphers in certain modes: OFB mode, counter mode

Keystream generator designs: Traditional: Linear Feedback Shift Register (LFSR)
Consider the following two characteristic polynomials:
- f(x) = x^3 + x^2 + 1
- f(x) = x^3 + x^2 + x + 1
Set up two LFSRs, each of length 3, with tap settings defined by these functions. Set the initial states for both LFSRs to (0, 0, 1). Then the sequences produced are:
- (0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, …)
- (0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, …)
Which is preferable for cryptographic use? Why?

Keystream generator designs: Traditional: LFSRs and m-sequences
Let {z(t)} be the sequence produced by an LFSR of length L. Then {z(t)} is a maximal length sequence (m-sequence) if:
- the feedback function is a primitive polynomial of degree L, and
- the initial state is not all-zero.
Properties of {z(t)}:
- Period of {z(t)} is 2^L - 1
- Linear complexity of {z(t)} is L
- {z(t)} is G-random
NOTE: Low linear complexity is a major weakness.

Keystream generator designs: Traditional
Use LFSRs as building blocks in keystream generators, making use of their good properties (long period, good stats), BUT increase the linear complexity of z(t) by introducing nonlinearity through:
- Using a nonlinear "filter" function
- Using a nonlinear combining function
  - can be memoryless or include memory
- Using one LFSR to control the "clock" of another

Keystream generator designs: Example: nonlinear filter generator
- State: number of shift register stages
- State update function: linear feedback function
- Output function: nonlinear function of the contents of LFSR stages
- Secret key: used as the initial internal state
- Keystream: produced immediately

Keystream generator designs: Example: nonlinear filter generator
Properties of nonlinear filter generator (nlfg) sequences:
- If the feedback function is primitive, the initial state is non-zero, and the filter function is balanced, then the period of z is 2^L - 1
- Linear complexity is high
  - depends on the degree of the nonlinear function
- Statistical properties:
  - Good for bits (number of 0's and 1's across the period)
  - Can be less desirable for keystream n-tuples (pairs, triples, …)

Keystream generator designs: Example: nonlinear combiner generator
- State: total number of shift register stages (L_1 + L_2 + … + L_n)
- State update function: linear feedback functions of the registers
- Output function: nonlinear function f of the contents of the final stage of each LFSR
- Secret key: used as the initial internal state
- Keystream: produced immediately

Keystream generator designs: Traditional
Properties of a nonlinear combiner sequence:
- If the LFSRs have primitive polynomials, non-zero initial states, and lengths which are pairwise relatively prime, then:
  - Period of z is P = (2^{L_1} - 1)(2^{L_2} - 1)…(2^{L_n} - 1)
  - Linear complexity LC = f(L_1, L_2, …, L_n), where f is the Boolean filter function, evaluated over the integers
  - Statistical properties are good for balanced f

Keystream generator designs: Traditional
- For regularly clocked generators, each time the underlying registers are clocked, a keystream bit is produced. Nonlinearity is introduced directly through nonlinear Boolean functions.
- An alternative method to introduce nonlinearity is through irregular clocking: keystream bits are not produced every time the underlying registers are clocked, but at irregular intervals.
- Example:
  - One LFSR is regularly clocked and its output is used to control the clocking of a second LFSR
  - The second LFSR is called a clock controlled LFSR (CCLFSR)
  - The output of the CCLFSR forms the keystream sequence

Keystream generator designs: Example: clock controlled generator
Stop and Go generator (Beth and Piper, 1985)
- State: total number of shift register stages (L_C + L_D)
- Secret key: used as the initial internal state
- State update function:
  - If the output of LFSR_C is 0 then LFSR_D is not clocked
  - If the output of LFSR_C is 1 then LFSR_D is clocked
- Output function: the output of LFSR_D is the generator output

Keystream generator designs: Example: clock controlled generator
Shrinking generator (1993)
- Uses one LFSR sequence to select bits from another sequence
- State update function: clock LFSR_A and LFSR_S
- Output function: if the output of LFSR_S is 1 then the output of LFSR_A is used as keystream; otherwise it is discarded

Keystream generator designs: Traditional: Dynamic table
- State: total size of the table
- Secret key: used in the initialisation phase to form the initial entries in the table
- State update function: at each time interval,
  - the values stored in the table are updated (permuted), and
  - the table index values are updated
- Output function: choose a cell in the table, and output the value stored there
- Example: RC4

Keystream generator designs: Example (Dynamic table): RC4
- Proprietary design by Rivest in 1987
- Revealed on the internet in 1994
- Variable key length: L bytes, 0 < L < 256
- Internal state consists of:
  - a table containing 256 entries: all distinct 8-bit words (a permutation of the integers 0-255), and
  - two 8-bit pointers, i and j
- RC4 initialisation:

    for i = 0 to 255
        S[i] = i
    j = 0
    for i = 0 to 255
        j = (j + S[i] + key[i mod L]) mod 256
        swap(S[i], S[j])

Keystream generator designs: Example (Dynamic table): RC4
- RC4 state update and output functions:

    i = j = 0
    while not done
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        swap(S[i], S[j])
        t = (S[i] + S[j]) mod 256
        output S[t]

- Keystream is produced a byte at a time
- Keystream is combined with plaintext using XOR

Keystream generator designs: Modern
- There are both security and efficiency reasons to use a keystream generator that takes two inputs: key (secret, randomly chosen) + IV (known value)
- Timing of this design shift: post 2000
  - NESSIE (New European Schemes for Signatures, Integrity and Encryption) project, 2000-2003
    - March 2000 call for submissions
    - Did not require use of an IV or an initialization (rekeying) algorithm
    - Request made later (Phase 2) to add an initialization process to the submission
  - eSTREAM (ECRYPT Stream Cipher Project), 2004-2008
    - November 2004 call for submissions
    - Required stream ciphers to use two inputs, key and IV, and the initialization/rekeying process to be specified in the submission

Keystream generator designs: Modern
Two-input model means new …
- Efficiency issues:
  - Need to use both key and IV to form the initial state of the generator before keystream can be produced
  - Initialization process should not be inefficient
- Security issues:
  - Threat model is different: an attacker may now access multiple keystreams
    - produced with the same key, different IV
    - produced with related keys, same IV, etc.
  - Possibility of new types of attacks. Example: differential attacks
- Level of significance of attacks: state recovery (recover the internal state of the generator at some time) vs. key recovery (recover the secret key, which can produce other keystreams)

Keystream generator designs: Modern
Initialization efficiency considerations:
- Speed of the initialization process
  - For real-time applications where the frame size is small, this process will be performed frequently
  - Must not delay data transmission or recovery
- Implementation requirements: does the initialization process require additional resources?
  - Footprint (hardware/software)
  - Memory
  - Power
  - Can you use the same components and algorithms as keystream generation, or not?

Keystream generator designs: Modern
Examples:
- A5/1
- Trivium, in eSTREAM (Profile 2 final portfolio)
- Grain

Keystream generator designs: Example: A5/1 stream cipher
- State: design uses 3 LFSRs
  - Lengths 19, 22, 23 bits: state size is 19 + 22 + 23 = 64 bits
- Secret key: 64 bits
- Initialisation vector: 22 bits
- Initialization process for A5/1, performed in 3 stages:
  - Key loaded into state (linear operation)
  - Frame number loaded into state (linear operation)
  - State update function (majority clocking = implicit nonlinearity) applied 100 times without producing keystream
  - Now the keystream generator is in its initial state
- Keystream generation:
  - State update function (majority clocking as before)
  - Output function: XOR the contents of the last stage in each of the 3 registers

Keystream generator designs: Example: A5/1 stream cipher keystream generation

Keystream generator designs: Example: Trivium
- Included in the eSTREAM final portfolio, Profile 2: hardware suitable cipher using an 80-bit key
- Key: 80 bits
- Initialisation vector: 80 bits
- State: 288 bit nonlinear feedback shift register
- State update function:
  - Nonlinear function (quadratic)
  - Updates three bits in the internal state each iteration
  - Same state update function for initialisation and keystream generation

Keystream generator designs: Example: Trivium
- Initialization process for Trivium:
  - Load the key directly into part of the state, the IV directly into another part of the state, and fixed constant values into the other stages (mostly 0's, 3 x 1's)
  - Apply the state update function 4 x 288 = 1152 times
- Keystream generation process, in each iteration:
  - Apply the state update function (as in the initialisation process)
  - Apply the output function. This is a linear function: XOR of the contents of six stages
- That is, at each iteration we update 3 bits of state and output 1 bit of keystream

Keystream generator designs
Example: Grain v1
- eSTREAM submission (modified version of original submission)
- Key: 80 bits
- Initialisation Vector: 80 bits
- State: 160 bits (an 80 bit LFSR and 80 bit NLFSR)
- State update function (during keystream generation):
  - LFSR is autonomous, feedback is linear
  - NFSR has nonlinear feedback (degree 6) and is combined with output of LFSR to update NFSR
- Output function: nonlinear combination of contents from four stages of LFSR and one stage of NFSR, added to linear combination of contents of seven stages of NFSR

Keystream generator designs
Example: Grain v1

Keystream generator designs
Example: Grain v1
- Grain v1 initialization is a three step process:
  1. 80 bit key is loaded into NFSR
  2. 64 bit IV loaded into LFSR, remaining stages filled with ones
  3. Keystream generator clocked 160 times
- State update function during initialisation:
  - Modified version of state update function used during keystream generation
  - No keystream bit produced, instead output is fed back into both LFSR and NFSR

Making it practical
- Efficiency aspects:
  - Speed of keystream output
    - Real-time applications: don’t delay data transmission or recovery
  - Implementation requirements:
    - Footprint (hardware/software)
    - Memory
    - Power
- Maintaining synchronization: use 2 inputs, key and IV
  - Treat each communication as a series of frames/packets
  - Encrypt each frame with a keystream formed from same key, but different frame number
  - Loss of synchronization only results in loss of remaining data in that packet; next frame regains synchronization

Making it practical
Using 2 inputs (secret key, known IV) has implications:
- Efficiency:
  - Need to use both key and IV to form initial state of generator before keystream can be produced
  - Initialization process should not be inefficient
- Security:
  - Attacker may access multiple keystreams:
    - produced with same key, different IV
    - produced with related keys, same IV, etc.
  - Expands range of attacks to consider
    - Differential attacks
    - Security of initialization process as well as keystream generation
    - Don’t want different key, IV pairs to produce same keystreams
  - Level of significance of attacks: state recovery vs. key recovery

Overview
- Introduction
  - What is a synchronous stream cipher?
  - What are stream ciphers used for?
  - Why use a stream cipher?
- Generating keystream sequences
  - Methods
  - Properties
- Stream cipher designs
  - Traditional stream ciphers
  - Modern stream ciphers
- Stream ciphers and integrity assurance
- Summary

Stream ciphers and integrity assurance
- Encryption for confidentiality provides no assurance that message was not modified during transmission
  - For binary additive stream ciphers: bitflip in ciphertext results in bitflip of corresponding recovered plaintext bit
- Detecting unauthorised modification:
  - If only worried about accidental changes, can use hash
  - If threats include active attacker, use Message Authentication Code (MAC) (uses secret key)
- MACs usually based on hash functions or block ciphers
- Newer area of research is use of stream ciphers for MACs
  - Accumulate MAC value based on both message and secret key
  - Methods to perform this: direct and indirect message injection

Stream ciphers for integrity assurance
- Encryption for confidentiality doesn’t give integrity assurance
  - Not even for our only provably secure cipher: OTP
- MAC doesn’t provide confidentiality
  - Need to send both message and MAC to receiver
- What if you need both confidentiality and integrity assurance?
  - Could do this in two passes over the message
  - Encryption first, followed by MAC of ciphertext, is most secure
  - Use different keys for encryption and MAC
  - Efficiency advantage in forming MAC of ciphertext: if MAC(C) ≠ MAC(C’) then no need to waste time on decryption!

Stream ciphers for integrity assurance
- What if you need both confidentiality and integrity assurance?
  - Can this be done more efficiently than a two-pass process?
- Authenticated encryption combines mechanisms for both confidentiality and integrity assurance into same cipher
  - Advantage: potential to be much more efficient
  - Single key, IV pair and one pass over message
- Interest in AE evidenced by CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness
  - http://competitions.cr.yp.to/caesar.html
  - First round: submissions made March 2014 (57 submissions)
  - Three rounds of assessment (15 candidates in third round)
  - Some stream cipher designs incl: ACORN, MORUS and TIAOXIN

Stream ciphers for integrity assurance
Authenticated Encryption (AE):
- Encryption:
  - 3 inputs: plaintext M, key K, initialisation vector IV
  - 2 outputs: MAC/tag T and ciphertext C
- Decryption:
  - 4 inputs: T, C, K and IV
  - 1 output: if T’ ≠ T output ⊥, or if T’ = T output plaintext
[Figure: the sender runs Auth Encrypt on M with K and IV and sends C and T; the receiver runs Decrypt with K and IV and checks T′ = T?]

Stream ciphers for integrity assurance
Authenticated Encryption with Associated Data (AEAD):
- Intended for use when you need:
  - integrity assurance for the whole message, but
  - confidentiality for only part of the message
- Example: message transmission
  - Need to see header information for routing (this is the AD)
    - This part does not need confidentiality
    - Don’t want alteration without detection, so do want integrity assurance
  - Then rest of message needs confidentiality + integrity assurance
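An added example (not from the slides) tying together the integrity points above: a ciphertext bit flip passing straight through a binary additive cipher, encrypt-then-MAC with different keys, the tag check before decryption, and a header that is authenticated but not encrypted. The SHAKE-256 keystream is a stand-in for a keystream generator, HMAC-SHA256 is the MAC chosen here, and the keys, IV, header and message are constructed sample values.

```python
import hashlib
import hmac

def keystream(enc_key, iv, n):
    # Stand-in keystream generator (assumption): SHAKE-256 over key || IV.
    return hashlib.shake_256(enc_key + iv).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream_decrypt(enc_key, iv, ct):
    """Confidentiality only: binary additive decryption, no integrity check."""
    return xor(ct, keystream(enc_key, iv, len(ct)))

def tag(mac_key, iv, header, ct):
    # The MAC covers IV, header (associated data) and ciphertext; the length
    # prefix keeps the header/ciphertext boundary unambiguous.
    data = iv + len(header).to_bytes(8, "big") + header + ct
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def seal(enc_key, mac_key, iv, header, plaintext):
    """Encrypt, then MAC the ciphertext. Header is authenticated, not encrypted."""
    ct = xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    return ct, tag(mac_key, iv, header, ct)

def open_sealed(enc_key, mac_key, iv, header, ct, t):
    """Check T' == T before decrypting; None plays the role of the ⊥ output."""
    if not hmac.compare_digest(tag(mac_key, iv, header, ct), t):
        return None
    return stream_decrypt(enc_key, iv, ct)

def flip_bit(data, i):
    out = bytearray(data)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)

# Constructed sample values: two different keys, a frame number used as IV.
ENC_KEY, MAC_KEY = bytes(range(32)), bytes(range(32, 64))
IV, HEADER, MESSAGE = (7).to_bytes(12, "big"), b"route=node-12", b"frame 7 payload"

def demo():
    ct, t = seal(ENC_KEY, MAC_KEY, IV, HEADER, MESSAGE)
    bad_ct = flip_bit(ct, 5)
    return {
        "ok": open_sealed(ENC_KEY, MAC_KEY, IV, HEADER, ct, t),
        "unauthenticated": stream_decrypt(ENC_KEY, IV, bad_ct),
        "tampered_ct": open_sealed(ENC_KEY, MAC_KEY, IV, HEADER, bad_ct, t),
        "tampered_header": open_sealed(ENC_KEY, MAC_KEY, IV, b"route=node-13", ct, t),
    }
```

Without the tag check the modified ciphertext decrypts to the message with exactly the same bit flipped; with it, both the modified ciphertext and the modified header are rejected before any decryption happens.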

Summary
- Binary additive synch. stream cipher design goal: produce keystream sequences that appear random
- Keystream sequences are pseudorandom: produced by devices (FSM) implemented in hardware or software
  - Structural features determine properties of keystream
  - Properties of sequences known only for simple structures
- Stream cipher design has changed over time
- Modern keystream generator designs:
  - Use two inputs: secret key and known IV
  - Bigger state, more complex functions than traditional, but
  - Less is known about properties of sequences these designs produce
- Most recent development: stream cipher designs providing authenticated encryption