Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Slides:



Advertisements
Similar presentations
1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
Advertisements

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Cryptography, Attacks and Countermeasures Lecture 3 - Stream Ciphers
“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.
Modern Symmetric-Key Ciphers
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Session 2: Secret key cryptography – stream ciphers – part 2.
Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
Block Ciphers and the Data Encryption Standard
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Stream Ciphers.
Session 2 Symmetric ciphers 1. Stream cipher definition Recall the Vernam cipher: Plaintext Ciphertext (Running) key
Announcements: Matlab: tutorial available at Matlab: tutorial available at
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
Linearization of Stream Ciphers in Terms of Cellular Automata Amparo Fúster-Sabater Institute of Applied Physics (CSIC) Madrid (Spain)
FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption
CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.
ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.
Session 2: Secret key cryptography – stream ciphers – part 1.
Computer Security CS 426 Lecture 3
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.
EE5552 Network Security and Encryption block 4 Dr. T.J. Owens CEng MIET Dr T. Itagaki MIET, MIEEE, MAES.
symmetric key cryptography
Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
Códigos y Criptografía Francisco Rodríguez Henríquez A Short Introduction to Stream Ciphers.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
Slide 1 Stream Ciphers uBlock ciphers generate ciphertext Ciphertext(Key,Message)=Message  Key Key must be a random bit sequence as long as message uIdea:
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
Chapter 20 Symmetric Encryption and Message Confidentiality.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Stream Ciphers Making the one-time pad practical.
Stream Cipher July 2011.
Session 1 Stream ciphers 1.
Chapter 9: Algorithms Types and Modes Dulal C. Kar Based on Schneier.
CRYPTANALYSIS OF STREAM CIPHER Bimal K Roy Cryptology Research Group Indian Statistical Institute Kolkata.
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc
Introduction to Modern Symmetric-key Ciphers
Le Trong Ngoc Security Fundamentals (2) Encryption mechanisms 4/2011.
Lecture 23 Symmetric Encryption
Bhupendra Singh Bhupendra Singh Scientist ‘B’ Scientist ‘B’ Centre for Artificial.
Block Ciphers and the Advanced Encryption Standard
Stream Cipher Introduction Pseudorandomness LFSR Design
Module :MA3036NI Symmetric Encryption -3 Lecture Week 4.
University of Malawi, Chancellor College
Slide 1 Vitaly Shmatikov CS 378 Stream Ciphers. slide 2 Stream Ciphers uRemember one-time pad? Ciphertext(Key,Message)=Message  Key Key must be a random.
Information and Network Security Lecture 2 Dr. Hadi AL Saadi.
@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Cryptography Lecture 16.
Cryptography Lecture 15.
Introduction to Modern Symmetric-key Ciphers
STREAM CIPHERS by Jennifer Seberry.
RC4 RC
Information and Computer Security CPIS 312 Lab 4 & 5
Cryptography Lecture 15.
Presentation transcript:

Stream Ciphers 1 Stream Ciphers

Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream cipher is initialized with short key  Key is “stretched” into long keystream  Keystream is used like a one-time pad o XOR to encrypt or decrypt  Stream cipher is a keystream generator  Usually, keystream is bits, sometimes bytes

Stream Ciphers 3 Stream Cipher  Generic view of stream cipher

Stream Ciphers 4 Stream Cipher  We consider 3 real stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong cipher, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — intermediate strength, unusual mathematical design, generates 1 byte/step  But first, we discuss shift registers

Stream Ciphers 5 Shift Registers  Traditionally, stream ciphers were based on shift registers o Today, a wider variety of designs  Shift register includes o A series of stages each holding one bit o A feedback function  A linear feedback shift register (LFSR) has a linear feedback function

Stream Ciphers 6  Example (nonlinear) feedback function f(x i, x i+1, x i+2 ) = 1  x i  x i+2  x i+1 x i+2  Example (nonlinear) shift register  First 3 bits are initial fill: (x 0, x 1, x 2 ) Shift Register

Stream Ciphers 7 LFSR  Example of LFSR  Then x i+5 = x i  x i+2 for all i  If initial fill is (x 0,x 1,x 2,x 3,x 4 ) = then (x 0,x 1,…,x 15,…) = …

Stream Ciphers 8 LFSR  For LFSR  We have x i+5 = x i  x i+2 for all i  Linear feedback functions often written in polynomial form: x 5 + x  Connection polynomial of the LFSR

Stream Ciphers 9 Berlekamp-Massey Algorithm  Given (part of) a (periodic) sequence, can find shortest LFSR that could generate the sequence  Berlekamp-Massey algorithm o Order N 2, where N is length of LFSR o Iterative algorithm o Only 2N consecutive bits required

Stream Ciphers 10 Berlekamp-Massey Algorithm  Binary sequence: s = (s 0,s 1,s 2,…,s n-1 )  Linear complexity of s is the length of shortest LFSR that can generate s  Let L be linear complexity of s  Then connection polynomial of s is of form C(x) = c 0 + c 1 x + c 2 x 2 + … + c L x L  Berlekamp-Massey finds L and C(x) o Algorithm on next slide (where d is known as the discrepancy)

Stream Ciphers 11 Berlekamp-Massey Algorithm

Stream Ciphers 12 Berlekamp-Massey Algorithm  Example:

Stream Ciphers 13 Berlekamp-Massey Algorithm  Berlekamp-Massey is efficient way to determine minimal LFSR for sequence  With known plaintext, keystream bits of stream cipher are exposed  With enough keystream bits, can use Berlekamp-Massey to find entire keystream o 2 L bits is enough, where L is linear complexity of the keystream  Keystream must have large linear complexity

Stream Ciphers 14 Cryptographically Strong Sequences  A sequence is cryptographically strong if it is a “good” keystream o “Good” relative to some specified criteria  Crypto strong sequence must be unpredictable o Known plaintext exposes part of keystream o Trudy must not be able to determine more of the keystream from a short segment  Small linear complexity implies predictable o Due to Berlekamp-Massey algorithm

Stream Ciphers 15 Crypto Strong Sequences  Necessary for a cryptographically strong keystream to have a high linear complexity  But not sufficient!  Why? Consider s = (s 0,s 1,…,s n-1 ) = 00…01  Then s has linear complexity n o Smallest shift register for s requires n stages o Largest possible for sequence of period n o But s is not cryptographically strong  Linear complexity “concentrated” in last bit

Stream Ciphers 16 Linear Complexity Profile  Linear complexity profile is a better measure of cryptographic strength  Plot linear complexity as function of bits processed in Berlekamp-Massey algorithm o Should follow n/2 line “closely but irregularly”  Plot of sequence s = (s 0,s 1,…,s n-1 ) = 00…01 would be 0 until last bit, then jumps to n o Does not follow n/2 line “closely but irregularly” o Not a strong sequence (by this definition)

Stream Ciphers 17 Linear Complexity Profile  A “good” linear complexity profile

Stream Ciphers 18 k-error Linear Complexity Profile  Alternative way to measure cryptographically strong sequences  Consider again s = (s 0,s 1,…,s n-1 ) = 00…01  This s has max linear complexity, but it is only 1 bit away from having min linear complexity  k -error linear complexity is min complexity of any sequence that is “distance” k from s  1-error linear complexity of s = 00…01 is 0 o Linear complexity of this sequence is “unstable”

Stream Ciphers 19 k-error Linear Complexity Profile  k -error linear complexity profile o k -error linear complexity as function of k  Example: o Not a strong s o Good profile should follow diagonal “closely”

Stream Ciphers 20 Crypto Strong Sequences  Linear complexity must be “large”  Linear complexity profile must n/2 line “closely but irregularly”  k -error linear complexity profile must follow diagonal line “closely”  All of this is necessary but not sufficient for crypto strength!

Stream Ciphers 21 Shift Register-Based Stream Ciphers  Two approaches to LFSR-based stream ciphers o One LFSR with nonlinear combining function o Multiple LFSRs combined via nonlinear func  In either case o Key is initial fill of LFSRs o Keystream is output of nonlinear combining function

Stream Ciphers 22 Shift Register-Based Stream Ciphers  LFSR-based stream cipher o 1 LFSR with nonlinear function f(x 0,x 1,…,x n-1 )  Keystream: k 0,k 1,k 2,…

Stream Ciphers 23 Shift Register-Based Stream Ciphers  LFSR-based stream cipher o Multiple LFSRs with nonlinear function  Keystream: k 0,k 1,k 2,…

Stream Ciphers 24 Shift Register-Based Stream Ciphers  Single LFSR example is special case of multiple LFSR example  To convert single LFSR case to multiple o Let LFSR 0,…LFSR n-1 be same as LFSR o Initial fill of LFSR 0 is initial fill of LFSR o Initial fill of LFSR 1 is initial fill of LFSR stepped once o And so on…

Stream Ciphers 25 Correlation Attack  Trudy obtains some segment of keystream from LFSR stream cipher o Of the type considered on previous slides  Can assume stream cipher is the multiple shift register case o If not, convert it to this case  By Kerckhoffs Principle, we assume shift registers and combining function known  Only unknown is the key o The key consists of LFSR initial fills

Stream Ciphers 26 Correlation Attack  Trudy wants to recover LFSR initial fills o She knows all connection polynomials and nonlinear combining function o She also knows N keystream bits, k 0,k 1,…,k N-1  Sometimes possible to determine initial fills of the LFSRs independently o By correlating each LFSR output to keystream o A classic divide and conquer attack

Stream Ciphers 27 Correlation Attack  For example, suppose keystream generator is of the form:  And f(x,y,z) = xy  yz  z  Note that key is 12 bits, initial fills

Stream Ciphers 28 Correlation Attack  For stream cipher on previous slide  Suppose initial fills are o X = 011, Y = 0101, Z = xixi yiyi zizi kiki bits i = 0,1,2,…23

Stream Ciphers 29 Correlation Attack  Consider truth table for combining function: f(x,y,z) = xy  yz  z  Easy to show that f(x,y,z) = x with probability 3/4 f(x,y,z) = z with probability 3/4  Trudy can use this to recover initial fills from known keystream

Stream Ciphers 30 Correlation Attack  Trudy sees keystream in table  Trudy wants to find initial fills  She guesses X = 111, generates first 24 bits of putative X, compares to k i kiki xixi  Trudy finds 12 out of 24 matches  As expected in random case

Stream Ciphers 31 Correlation Attack  Now suppose Trudy guesses correct fill, X = 011  First 24 bits of X (and keystream) kiki xixi  Trudy finds 21 out of 24 matches  Expect 3/4 matches in causal case  Trudy has found initial fill of X

Stream Ciphers 32 Correlation Attack  How much work is this attack? o The X,Y,Z fills are 3,4,5 bits, respectively  We need to try about half of the initial fills before we find X  Then we try about half of the fills for Y  Then about half of Z fills  Work is < 2 5  Exhaustive key search work is 2 11

Stream Ciphers 33 Correlation Attack  Work factor in general…  Suppose n LFSRs o Of lengths N 0,N 1,…,N n-1  Correlation attack work is  Work for exhaustive key search is

Stream Ciphers 34 Conclusions  Keystreams must be cryptographically strong o Crucial property: unpredictable  Lots of theory available for LFSRs o Berlekamp-Massey algorithm o Nice mathematical theory exists  LFSRs can be used to make stream ciphers o LFSR-based stream ciphers must be correlation immune o Depends on properties of function f

Stream Ciphers 35 Coming Attractions  Consider attacks on 3 stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — medium strength, unusual design, generates 1 byte/step

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.