Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.


Stream ciphers 2 Session 2

Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75

PN generators with LFSRs The computational complexity of the Berlekamp-Massey algorithm is quadratic in the length of the minimum LFSR capable of generating the intercepted sequence. Thus, if the linear complexity is very high, the task of predicting the next bits of the sequence is too complex. 3/75

PN generators with LFSRs The linear complexity achievable with a single LFSR is small. Therefore, to prevent the cryptanalysis of a pseudorandom sequence generator, we must design it so that its linear complexity is too high for the practical application of the Berlekamp-Massey algorithm. 4/75

PN generators with LFSRs Since LFSRs have nice properties regarding the statistics of their output sequences, a good idea is to base PN generators on LFSRs. But to increase the linear complexity, we have to combine the outputs of several LFSRs in a non-linear manner – through non-linear Boolean functions. 5/75

Algebraic normal form It is the form of a Boolean function that uses only the operations $\oplus$ (XOR) and $\cdot$ (AND). In the ANF, the number of variables in the product that includes the largest number of variables is called the non-linear order of the function. Example: The non-linear order of the function $f(x_1,x_2,x_3)=x_1 \oplus x_1x_3 \oplus x_2x_3$ is 2. 6/75

Algebraic normal form The ANF of a Boolean function can be determined from its truth table using the Möbius transform. 7/75

Algebraic normal form Example: n=3. Truth table with columns $x_0$, $x_1$, $x_2$, $f$. 8/75

Algebraic normal form
u=000: $a_{000} = f(0,0,0) = 0$
u=001: $a_{001} = f(0,0,0)+f(0,0,1) = 0+1 = 1$
u=010: $a_{010} = f(0,0,0)+f(0,1,0) = 0+0 = 0$ 9/75

Algebraic normal form
u=011: $a_{011} = f(0,0,0)+f(0,0,1)+f(0,1,0)+f(0,1,1) = 0$
u=100: $a_{100} = f(0,0,0)+f(1,0,0) = 0+0 = 0$
u=101: $a_{101} = f(0,0,0)+f(0,0,1)+f(1,0,0)+f(1,0,1) = 0$ 10/75

Algebraic normal form
u=110: $a_{110} = f(0,0,0)+f(0,1,0)+f(1,0,0)+f(1,1,0) = 1$
u=111: $a_{111} = f(0,0,0)+f(0,0,1)+f(0,1,0)+f(0,1,1)+f(1,0,0)+f(1,0,1)+f(1,1,0)+f(1,1,1) = 0$
Then: $f(x_0,x_1,x_2) = a_{001}x_2 + a_{110}x_0x_1 = x_2 + x_0x_1$ 11/75
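The computation on slides 8 to 11, as an added example that is not part of the original slides: a fast Möbius transform that turns a truth table into ANF coefficients. The truth table used is the one implied by the slide's result $f = x_2 + x_0x_1$; the function names are hypothetical.

```python
def mobius_transform(truth_table):
    """Return ANF coefficients a_u, where a_u is the XOR of f(x) over all x
    whose set bits are a subset of the set bits of u (butterfly form)."""
    a = list(truth_table)
    n = len(a).bit_length() - 1
    if len(a) != 1 << n:
        raise ValueError("truth table length must be a power of two")
    step = 1
    while step < len(a):
        for i in range(0, len(a), 2 * step):
            for j in range(i, i + step):
                a[j + step] ^= a[j]
        step *= 2
    return a


def anf_string(coeffs):
    """Render the ANF with x0 as the most significant index bit, as on the slides."""
    n = len(coeffs).bit_length() - 1
    terms = []
    for u, a_u in enumerate(coeffs):
        if a_u:
            mono = "".join(f"x{i}" for i in range(n) if (u >> (n - 1 - i)) & 1)
            terms.append(mono or "1")
    return " + ".join(terms) or "0"


def nonlinear_order(coeffs):
    """Largest number of variables in any product of the ANF."""
    return max((bin(u).count("1") for u, a_u in enumerate(coeffs) if a_u), default=0)


# Truth table of the slide example, index u = x0 x1 x2 read as a binary number:
# f(0,0,0)=0, f(0,0,1)=1, f(0,1,0)=0, f(0,1,1)=1, f(1,0,0)=0, f(1,0,1)=1,
# f(1,1,0)=1, f(1,1,1)=0 (derived here from f = x2 + x0x1).
SLIDE_TABLE = [0, 1, 0, 1, 0, 1, 1, 0]

if __name__ == "__main__":
    coeffs = mobius_transform(SLIDE_TABLE)
    print(coeffs, anf_string(coeffs), nonlinear_order(coeffs))
```

The transform is its own inverse over GF(2), so applying it to the coefficient vector returns the truth table.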

Non-linear combiners In these generators, the keystream sequence is obtained by combining the output sequences of various LFSRs in a non-linear manner. Example – it is possible to use a Boolean function (without memory). 12/75

Non-linear combiners If F is a Boolean function of N periodic input sequences $a_1(t), a_2(t), \ldots, a_N(t)$, then the output sequence $b(t) = F(a_1(t), a_2(t), \ldots, a_N(t))$ is a linear combination of various products of sequences. These products are found by determining the ANF of the function F. 13/75

Non-linear combiners Given the ANF of the function F, if we create a function F* from F in such a way that instead of the sum and product modulo 2 in F we use the sum and product of integers, for the linear complexity and the period of the output sequence of F the following holds: 14/75

Non-linear combiners Example (1) – If the characteristic polynomials of the input sequences are: 15/75 All these polynomials are primitive!

Non-linear combiners Example (2) – Then 16/75

Non-linear combiners The sum of N sequences in GF(q) (1) – The equality holds if the characteristic polynomials of the input sequences do not have common factors. 17/75

Non-linear combiners The sum of N sequences in GF(q) (2) – Obviously, if the periods of the input sequences are mutually prime then 18/75

Non-linear combiners The sum of N sequences in GF(q) (3) – Example: 19/75 Primitive! The periods are Mersenne primes

Non-linear combiners The product of N sequences in GF(q) (1) – Theorem (Golić, 1989) If $\mathrm{Per}(a_i)$ are mutually prime, then – Theorem (Lidl, Niederreiter) $\mathrm{Per}(a_i)$ are mutually prime 20/75

Non-linear combiners Example 21/75 Primitive! The periods are Mersenne primes

Non-linear combiners The general case (1) – Let be the Boolean function obtained by removing all the products from the function F except those of the maximum order. Let be the corresponding integer function. 22/75

Non-linear combiners The general case (2) – Theorem (Golić, 1989) F depends on all the N input variables. $\mathrm{Per}(a_i)$ are mutually prime. Then 23/75

Non-linear combiners The general case (3) – Example (1) 24/75

Non-linear combiners The general case (4) – Example (2) If the characteristic polynomials of the input sequences are: Then 25/75 Primitive, periods Mersenne primes

Non-linear combiners The general case (5) – Example – Geffe’s generator (1) 26/75

Non-linear combiners The general case (6) – Example – Geffe’s generator (2) – Equivalent scheme 27/75

Non-linear combiners The general case (7) – Example – Geffe’s generator (3) If we set the feedback polynomials primitive, with periods that are Mersenne primes: Then 28/75
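The linear-complexity claims above, checked numerically in an added example that is not part of the original slides. It assumes the usual Geffe combining function $F = x_1x_2 \oplus x_2x_3 \oplus x_3$ (the slide's diagram did not survive), toy register lengths 5, 3 and 7 with primitive feedback polynomials, and constructed initial states.

```python
# Recurrence taps: s[t+L] = XOR of s[t+i] for i in taps.
TAPS = {3: (0, 1), 5: (0, 2), 7: (0, 1)}   # x^3+x+1, x^5+x^2+1, x^7+x+1 (all primitive)
STATE1 = (1, 0, 1, 1, 0)                   # constructed initial states
STATE2 = (0, 1, 1)
STATE3 = (1, 1, 0, 1, 0, 0, 1)


def lfsr(state, taps, n):
    """First n output bits of the LFSR defined by the recurrence above."""
    s, length = list(state), len(state)
    for _ in range(n):
        s.append(sum(s[-length + i] for i in taps) & 1)
    return s[:n]


def geffe(n):
    """Geffe keystream: LFSR 2 selects between LFSR 1 and LFSR 3."""
    x1, x2, x3 = lfsr(STATE1, TAPS[5], n), lfsr(STATE2, TAPS[3], n), lfsr(STATE3, TAPS[7], n)
    return [(a & b) ^ ((b ^ 1) & c) for a, b, c in zip(x1, x2, x3)]


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    length, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d:                       # discrepancy: correct the connection polynomial
            t = c[:]
            shift = i - m
            for j in range(n - shift + 1):
                c[j + shift] ^= b[j]
            if 2 * length <= i:
                length, m, b = i + 1 - length, i, t
    return length


def geffe_fstar(l1, l2, l3):
    """F* for Geffe: the ANF x1x2 + x2x3 + x3 evaluated with integer + and *."""
    return l1 * l2 + l2 * l3 + l3


if __name__ == "__main__":
    print(linear_complexity(lfsr(STATE3, TAPS[7], 60)))    # single LFSR
    print(linear_complexity(geffe(300)), geffe_fstar(5, 3, 7))
```

A single register never exceeds its own length, while the combiner reaches the value of F* at the register lengths; about twice that many keystream bits are enough for Berlekamp-Massey to settle.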

Statistical testing of PN generators The output sequence of a generator of pseudorandom sequences looks random, but it is not. Pseudorandom generators expand a truly random sequence (the key) to a much longer sequence, such that an adversary cannot distinguish between the pseudorandom sequence and a truly random sequence. 29/75

Statistical testing of PN generators In order to obtain a guarantee of the security of this type of generators, various statistical tests are applied, especially designed for this purpose. The fact that a generator passes a set of statistical tests should be considered a necessary condition, although not a sufficient one, for the security of the generator. 30/75

Statistical testing of PN generators If the result X of an experiment can take any real value, then X is a continuous random variable. The probability density function f(x) of a continuous random variable X can be integrated and the following holds: $f(x) \ge 0$ for all $x \in \mathbb{R}$. For all $a, b \in \mathbb{R}$ the following holds 31/75

Statistical testing of PN generators A continuous random variable has a normal distribution with the mean $\mu$ and the variance $\sigma^2$ if its probability density function is: We say that X is If X is, then we say that X has a standard normal distribution. 32/75

Statistical testing of PN generators If the random variable X is, then the variable is. The Euler’s gamma function: 33/75

Statistical testing of PN generators A continuous random variable X has a $\chi^2$ distribution with degrees of freedom if its probability density function is 34/75

Statistical testing of PN generators A statistical hypothesis H is an affirmation about the distribution of one or more random variables. A hypothesis test is a procedure based on the observed values of the random variable that leads to the acceptance or rejection of the hypothesis H. 35/75

Statistical testing of PN generators The test only provides a measure of the strength of evidence given by the data against the hypothesis. The conclusion is probabilistic. The level of significance $\alpha$ of the test of the hypothesis H is the probability of rejecting the hypothesis H when it is true. 36/75

Statistical testing of PN generators The hypothesis to be tested is called the null hypothesis, $H_0$. The alternative hypothesis is denoted by $H_1$ or $H_a$. In cryptography: – $H_0$ – the given generator is a random sequence generator. – $\alpha$ is between 0.001 and 0.05. 37/75

Statistical testing of PN generators A test: – Determines a statistic for the sample of the output sequence. – This statistic is compared with the expected value for a random sequence. 38/75

Statistical testing of PN generators How is the comparison carried out? (1) – The computed statistic – $X_0$ – follows (usually) a $\chi^2$ distribution with degrees of freedom. – It is assumed that this statistic takes large values for non-random sequences. 39/75

Statistical testing of PN generators How is the comparison carried out? (2) – In order to achieve $\alpha$, a threshold $X_\alpha$ is chosen (by means of the corresponding table), such that $P(X_0 > X_\alpha) = \alpha$. – If the value of the statistic for the sample of the output sequence, $X_s$, satisfies $X_s > X_\alpha$, then the sequence fails the test. 40/75

Statistical testing of PN generators Basic tests for cryptographic use: – frequency test, – serial test, – poker test, – runs test, – autocorrelation test, – etc. 41/75

Statistical testing of PN generators Frequency test (1) – Purpose: determine if the number of zeros and ones in a sequence s is approximately the same. – $n_0$ – number of zeros, $n_1$ – number of ones. – The statistic: 42/75

Statistical testing of PN generators Frequency test (2) – The statistic follows a $\chi^2$ distribution with 1 degree of freedom. – The approximation is good enough if n  /75

Statistical testing of PN generators Serial test (1) – Tries to determine if the number of occurrences of 00, 01, 10 and 11, as subsequences of s is approximately the same. – The statistic: 44/75

Statistical testing of PN generators Serial test (2) – The statistic follows a $\chi^2$ distribution with 2 degrees of freedom. – The approximation is good enough if n  /75

Statistical testing of PN generators Poker test (1) – A positive integer m is considered such that – The sequence s is divided into k parts of size m. – $n_i$ is the number of occurrences of the type i of the sequence of length m, $1 \le i \le 2^m$ (that is, i is the value of the integer whose binary representation is the sequence of length m). 46/75

Statistical testing of PN generators Poker test (2) – The test determines if every sequence of length m appears approximately the same number of times. – The statistic: – The statistic follows approximately a $\chi^2$ distribution with $2^m-1$ degrees of freedom. 47/75

Statistical testing of PN generators Runs test (1) – A run of length i – a subsequence of s formed by i consecutive zeros or i consecutive ones that are neither preceded nor followed by the same symbol. – A run of zeros – gap – A run of ones – block 48/75

Statistical testing of PN generators Runs test (2) – Purpose: determine if the number of runs of different lengths in the sequence s is that expected in a random sequence. – The number of gaps (or blocks) of length i in a random sequence of length n is – It is considered that k is equal to the largest integer i for which $e_i \ge 5$. 49/75

Statistical testing of PN generators Runs test (3) – We denote by $B_i$ and $H_i$ the number of blocks and gaps of length i in s, for each i, $1 \le i \le k$. – The statistic – The statistic follows approximately a $\chi^2$ distribution with $2k-2$ degrees of freedom. 50/75

Statistical testing of PN generators Autocorrelation test (1) – Checks the correlation between s and shifted versions of s. – An integer d, $1 \le d \le \lfloor n/2 \rfloor$, is considered. – The number of bits in s that are not equal to the d-shifts is 51/75

Statistical testing of PN generators Autocorrelation test (2) – The statistic – The statistic follows approximately a $N(0,1)$ distribution. – The approximation is good enough if n-d  /75
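Four of the tests listed above, run at $\alpha = 0.05$ in an added example that is not part of the original slides. The statistic formulas did not survive in the transcript, so the code uses the standard forms given in the Handbook of Applied Cryptography (section 5.4); the 160-bit sample, the choices m=3 and d=8, and the function names are assumptions of this example.

```python
import math
from collections import Counter

# Upper 5% points of the chi-square distribution, keyed by degrees of freedom,
# and the two-sided 5% point of N(0,1), taken from standard tables.
CHI2_05 = {1: 3.8415, 2: 5.9915, 7: 14.0671}
Z_05 = 1.96

# Constructed sample: a 40-bit pattern repeated four times (n = 160).
PATTERN = "11100 01100 01000 10100 11101 11100 10010 01001".replace(" ", "")
SAMPLE = [int(ch) for ch in PATTERN * 4]


def frequency_test(s):
    n1 = sum(s)
    n0 = len(s) - n1
    return (n0 - n1) ** 2 / len(s)


def serial_test(s):
    n, n1 = len(s), sum(s)
    n0 = n - n1
    pairs = Counter(zip(s, s[1:]))          # overlapping 2-bit subsequences
    return 4 / (n - 1) * sum(c * c for c in pairs.values()) - 2 / n * (n0 * n0 + n1 * n1) + 1


def poker_test(s, m):
    k = len(s) // m                         # non-overlapping blocks of size m
    blocks = Counter(tuple(s[i * m:(i + 1) * m]) for i in range(k))
    return (2 ** m / k) * sum(c * c for c in blocks.values()) - k


def autocorrelation_test(s, d):
    n = len(s)
    a = sum(s[i] ^ s[i + d] for i in range(n - d))   # bits differing from the d-shift
    return 2 * (a - (n - d) / 2) / math.sqrt(n - d)


def run_all(s, m=3, d=8):
    """Return {test name: (statistic rounded to 4 places, passed at alpha = 0.05)}.
    The threshold table above only covers m = 3 for the poker test."""
    stats = {
        "frequency": (frequency_test(s), CHI2_05[1]),
        "serial": (serial_test(s), CHI2_05[2]),
        "poker": (poker_test(s, m), CHI2_05[2 ** m - 1]),
        "autocorrelation": (abs(autocorrelation_test(s, d)), Z_05),
    }
    return {name: (round(x, 4), x <= limit) for name, (x, limit) in stats.items()}


if __name__ == "__main__":
    for name, result in run_all(SAMPLE).items():
        print(name, result)
```

The sample passes the three chi-square tests and still fails the autocorrelation test at shift 8, which illustrates why passing a set of tests is only a necessary condition.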

Cryptanalysis of stream ciphers [Figure: A enciphers the Plaintext with the KEY; the Ciphertext goes to B, who deciphers it to the Plaintext with the KEY. Cryptanalysis: decrypt the Ciphertext.] 53/75

Cryptanalysis of stream ciphers The problem of cryptanalysis – Given some information related to the cryptosystem (at least the ciphertext), determine plaintext and/or the key. The goal of the designer is to make this problem as difficult as possible for the cryptanalyst. 54/75

Cryptanalysis of stream ciphers General assumption – all the details of the cryptosystem are known to the cryptanalyst. The only unknown is the key. Types of attack – Ciphertext-only attack – Known plaintext attack – Chosen plaintext attack – Chosen ciphertext attack 55/75

Cryptanalysis of stream ciphers The ciphertext-only attack is the most difficult one for the cryptanalyst (in general). The more information known to the cryptanalyst, the easier the attack. 56/75

Cryptanalysis of stream ciphers The “brute force attack”
– Elementary attack – no knowledge about cryptanalysis is necessary.
– Assumptions: the cryptosystem is known; the ciphertext is known.
– The goal: determine the key/plaintext.
– The means: trying all the possible keys. 57/75

Cryptanalysis of stream ciphers Complexity of the brute force attack – Extremely high if there are many possible keys – impractical. Key space – the total number of keys possible in a cryptosystem. 58/75

Cryptanalysis of stream ciphers Examples of key space size 59/75 Key space – 40 bits 1  Key space – 56 bits (DES) 7  Key space – 128 bits 3  Key space – 256 bits 1  Number of 256-bit primes 1  Age of the Sun in seconds 1  Number of clock pulses of a 3GHz computer clock through the Sun’s age $5.4 \times 10^{26}$

Cryptanalysis of stream ciphers A cryptosystem’s security is ultimately determined by the size of its key space. However, this is the upper limit of that security measure. There may be a problem in the system design that may cause a significant reduction of the effective key space. The task of the cryptanalyst – to find this pitfall and to use it to attack the system. 60/75

Cryptanalysis of stream ciphers Basic attack methods against stream (and block) ciphers – Algebraic – Statistical Algebraic attacks (1) – The key symbols (e.g. bits) are the unknowns in the system of equations assigned to the PRNG 61/75

Cryptanalysis of stream ciphers Algebraic attacks (2)
– Given all the details of the PRNG to be cryptanalyzed (except the key bits), determine the system of equations that relates the bits of the output sequence with the bits of the key.
– The designer’s goal: to make this system as non-linear as possible.
– The reason – non-linear systems are difficult to solve – there is no general method other than trying all the possible values of the variables: $2^n$ possibilities for a system with n variables. 62/75

Cryptanalysis of stream ciphers Algebraic attacks (3)
– The problem of solving a non-linear system in GF(2) – the satisfiability problem (SAT).
– Cook’s theorem (1971): SAT is NP-complete.
– However, some instances of the SAT problem may be easier to solve.
– The designer should check the system assigned to the PRNG. 63/75

Cryptanalysis of stream ciphers Algebraic attacks (4) – Example – LFSR – The output sequence: 1110… – The initial state: $a_0, a_1, a_2, a_3$ – The output bits: $y_0=1, y_1=1, y_2=1, y_3=0$ – The equations [Figure: LFSR with stages $a_3, a_2, a_1, a_0$; output bits $y$] Linear system – easy to solve! 64/75

Cryptanalysis of stream ciphers Algebraic attacks (5) – Example (1): consider the non-linear PRNG below 65/75

Cryptanalysis of stream ciphers Algebraic attacks (6) – Example (2): The system of equations
(1) $y_1=(x_1+x_4)(x_5+x_7)=x_1x_5+x_1x_7+x_4x_5+x_4x_7$
(2) $y_2=(x_1+x_4+x_3)(x_5+x_7+x_6)=x_1x_5+x_1x_7+x_1x_6+x_4x_5+x_4x_7+x_4x_6+x_3x_5+x_3x_7+x_3x_6$
… (we need 7 independent equations) 66/75

Cryptanalysis of stream ciphers Algebraic attacks (7) – Example (3): Methods of solving the system
– The brute force method: try all the possible solutions (all zeros are not permitted).
– The linearization method:
  – Replace all the products by new variables.
  – Solve the obtained linear system (e.g. by Gaussian algorithm).
  – Try to guess the variables that were included in the products, given the values of the new variables, in such a way that the overall system is consistent. 67/75

Cryptanalysis of stream ciphers Algebraic attacks (8) – Example (4): The linearized system
$y_1=z_1+z_2+z_3+z_4$
$y_2=z_1+z_2+z_5+z_3+z_4+z_6+z_7+z_8+z_9$ 68/75

Cryptanalysis of stream ciphers Algebraic attacks (9)
– Other methods of solving non-linear systems, applied in cryptanalysis: linear consistency test (LCT), methods of computational commutative algebra (Gröbner bases etc.), etc.
– No matter how sophisticated the method applied to solve the system, cryptanalysis of a seriously designed system always includes search. 69/75

Cryptanalysis of stream ciphers Statistical methods (1) – In the previous example, the majority of the output symbols will be zero, due to the AND combining function – The non-linearity of the assigned system of equations is the highest possible – However, it is possible to make use of bad statistical properties of the output sequence to determine the plaintext sequence 70/75

Cryptanalysis of stream ciphers Statistical methods (2) – Example With the AND output combiner, the probability of zero in the output sequence will be ¾. This means that, upon enciphering with this sequence as the keystream, the probability that the plaintext bit is equal to the ciphertext bit is ¾. Consequence – easy reconstruction of the plaintext. 71/75

Cryptanalysis of stream ciphers Statistical methods (3) – Correlation – The output sequence coincides too much with one or more internal sequences – this enables correlation attacks – a kind of statistical attack. – Correlation attacks It is possible to divide the task of the cryptanalyst into several less difficult tasks – “Divide and conquer” 72/75

Cryptanalysis of stream ciphers Statistical methods (4) – Typical example – Geffe’s generator. F balanced – good statistical properties. 73/75

Cryptanalysis of stream ciphers Statistical methods (5) – Problem: Correlation! 74/75

Cryptanalysis of stream ciphers Statistical methods (6) – Since the output sequence is correlated with both input sequences, we can independently guess the input sequences’ bits with high probability if the output sequence is known. 75/75
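The correlation weakness of Geffe's generator described on the last slides, worked through on a toy instance in an added example that is not part of the original slides. It assumes the usual combining function (LFSR 2 selects between LFSR 1 and LFSR 3), register lengths 5, 3 and 7 with primitive polynomials, and constructed secret states; it shows why a balanced F is not enough and why a designer has to check the combiner for correlation with its inputs.

```python
from itertools import product

T1, T2, T3 = (0, 2), (0, 1), (0, 1)          # x^5+x^2+1, x^3+x+1, x^7+x+1
K1, K2, K3 = (1, 0, 1, 1, 0), (0, 1, 1), (1, 1, 0, 1, 0, 0, 1)   # constructed key
N = 868                                       # known keystream bits


def lfsr(state, taps, n):
    """First n output bits of an LFSR with s[t+L] = XOR of s[t+i], i in taps."""
    s, length = list(state), len(state)
    for _ in range(n):
        s.append(sum(s[-length + i] for i in taps) & 1)
    return s[:n]


def F(x1, x2, x3):
    return (x1 & x2) ^ ((x2 ^ 1) & x3)


def keystream(s1, s2, s3, n):
    return [F(a, b, c) for a, b, c in zip(lfsr(s1, T1, n), lfsr(s2, T2, n), lfsr(s3, T3, n))]


def truth_table_agreement():
    """Of the 8 input rows, how many satisfy F == x1, F == x2, F == x3."""
    rows = list(product((0, 1), repeat=3))
    return tuple(sum(F(*r) == r[i] for r in rows) for i in range(3))


def nonzero_states(length):
    return [s for s in product((0, 1), repeat=length) if any(s)]


def best_state(z, length, taps):
    """State whose LFSR output agrees with the keystream z most often."""
    def agreement(s):
        return sum(a == b for a, b in zip(lfsr(s, taps, len(z)), z))
    return max(nonzero_states(length), key=agreement)


def recover(z):
    """Divide and conquer: each correlated register is found independently."""
    s1 = best_state(z, 5, T1)
    s3 = best_state(z, 7, T3)
    for s2 in nonzero_states(3):              # the selector is uncorrelated: match exactly
        if keystream(s1, s2, s3, len(z)) == z:
            return s1, s2, s3
    return None


if __name__ == "__main__":
    print(truth_table_agreement())            # 6 of 8 rows agree with x1 and with x3
    print(recover(keystream(K1, K2, K3, N)) == (K1, K2, K3))
```

The search covers 31 + 127 + 7 candidate states instead of the 31 · 7 · 127 = 27559 joint states, which is the "divide and conquer" effect the slides warn about.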