Chapter 5: Stream Ciphers
Cryptography: Principles and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li, http://cst.hit.edu.cn/~lizhijun, lizhijun_os@hit.edu.cn
Outline
– Stream Cipher Overview
– Pseudorandom Number Generator
– PRNGs: LFSR, BBS
– Stream Ciphers
Block Cipher Review
Two ways to encrypt a message:
– Block ciphers: $c = c_1 c_2 \ldots = e_K(m_1)\, e_K(m_2) \ldots$
– Stream ciphers: $c = c_1 c_2 \ldots = e_{k_1}(m_1)\, e_{k_2}(m_2) \ldots$ with a key stream $(k_1, k_2, \ldots)$
– A block cipher used block by block (ECB mode) is the special case of a stream cipher whose key stream is $K, K, \ldots$
Stream Cipher
OTP review: $C = P \oplus K$, where $K$ is a truly random bit string as long as $P$.
Stream ciphers:
– Idea: replace "random" by "pseudorandom"
– Use a Pseudorandom Number Generator (PRNG) $G: \{0,1\}^s \to \{0,1\}^n$ with $n > s$
– The seed is the secret key
– $E_{seed}[M] = M \oplus \mathrm{PRNG}(seed)$
Stream Cipher Architecture
(Figure: on the sender side a short key $K$ seeds a pseudorandom byte generator (key stream generator) whose output $k$ is XORed with the plaintext $M$ to give the ciphertext $C$; the receiver runs the same generator from the same $K$ and XORs $k$ with $C$ to recover $M$.)
Stream Cipher: Properties
More maths:
– The OTP has perfect secrecy
– A stream cipher needs more maths about pseudorandomness
Very fast:
– Encryption is a single XOR per bit or byte
The same key stream can be used only once:
– A known plaintext reveals the key stream, $k = M \oplus C$, which then decrypts everything else encrypted with that stream; two ciphertexts under the same stream leak $C_1 \oplus C_2 = M_1 \oplus M_2$
– The period of the PRNG should be long
Used in many places: network protocols, DVD, mobile phones
Section: Pseudorandom Number Generator
PRNG
Definition: A PRNG (Pseudorandom Number Generator) $G$ is a deterministic polynomial-time algorithm such that
– Expansion: $l(n) > n$ and for all $x$, $|G(x)| = l(|x|)$
– Pseudorandomness: $\{G(U_n)\}_{n \ge 1}$ is polynomially indistinguishable from $\{U_{l(n)}\}_{n \ge 1}$, where $U_n$ denotes the uniform distribution on $\{0,1\}^n$
Pseudorandomness
Definition: Two sequences of random variables $\{X_n\}_{n \ge 1}$ and $\{Y_n\}_{n \ge 1}$ are polynomially indistinguishable if for every polynomial-time Boolean function $f: \{0,1\}^* \to \{0,1\}$ and every positive polynomial $p$ there is an $N$ such that for all $n \ge N$
$$|\Pr(f(X_n) = 1) - \Pr(f(Y_n) = 1)| < 1/p(n).$$
Definition: They are statistically indistinguishable if for every positive polynomial $p$ and all sufficiently large $n$
$$\Delta(n) = \tfrac12 \sum_{x \in \{0,1\}^n} |\Pr(X_n = x) - \Pr(Y_n = x)| < 1/p(n).$$
Indistinguishable
Statistically indistinguishable $\Rightarrow$ polynomially indistinguishable, but polynomially indistinguishable $\not\Rightarrow$ statistically indistinguishable. The output of a PRNG is the standard example:
Theorem: If $G$ is a PRNG, then
$$\Delta(l(n)) = \tfrac12 \sum_{x \in \{0,1\}^{l(n)}} |\Pr(G(U_n) = x) - \Pr(U_{l(n)} = x)| \ge \tfrac12.$$
Proof: Split the $x \in \{0,1\}^{l(n)}$ into those with $\Pr(G(U_n) = x) > 0$, of which there are at most $2^n$ because $G$ is deterministic, and those with $\Pr(G(U_n) = x) = 0$, of which there are at least $2^{l(n)} - 2^n$. The first group contributes at least $\sum_x (\Pr(G(U_n) = x) - 2^{-l(n)}) \ge 1 - 2^n 2^{-l(n)}$ and the second at least $(2^{l(n)} - 2^n) 2^{-l(n)}$, so
$$\Delta(l(n)) \ge \tfrac12\left(2^n(2^{-n} - 2^{-l(n)}) + (2^{l(n)} - 2^n)\, 2^{-l(n)}\right) = 1 - 2^{n - l(n)} \ge 1 - 2^{n - (n+1)} = \tfrac12.$$
So a PRNG's output is far from uniform statistically; it is only indistinguishable to polynomial-time tests.
Randomness Tests for a PRNG
Statistical tests on a sample of 20,000 output bits (these are the FIPS 140-1 tests):
– Monobit test: the numbers of 1s and 0s are almost equal
– Poker test: divide the 20,000 bits into 5,000 4-bit segments, let $n_i$ be the number of segments whose value is $i$ ($0 \le i \le 15$), compute $X = \frac{16}{5000}\sum_{i=0}^{15} n_i^2 - 5000$ and require $1.03 < X < 57.4$
– Runs test: count the maximal runs of consecutive 0s and of consecutive 1s; for each run length the count must lie in the required interval:
Run length | Required interval
1 | 2267 to 2733
2 | 1079 to 1421
3 | 502 to 748
4 | 223 to 402
5 | 90 to 223
6 or more | 90 to 223
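As an added worked example (not part of the original slides), the three tests above in Python, run on two constructed inputs: a seeded Mersenne Twister stream, which should pass, and the alternating pattern 0101..., which has a perfect monobit count yet fails the poker and runs tests. The monobit acceptance interval and the long-run limit are not on the slide; they are assumed here from the FIPS 140-1 text.

```python
import random

N_BITS = 20_000

# Acceptance intervals from FIPS 140-1. The poker and run intervals are the
# slide's; the monobit interval and long-run limit are taken from the standard.
MONOBIT_RANGE = (9654, 10346)      # number of 1s must lie strictly inside
POKER_RANGE = (1.03, 57.4)         # statistic X must lie strictly inside
RUN_RANGES = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}   # inclusive, 6 = "6 or more"
LONG_RUN_LIMIT = 34                # any run of 34 or more bits fails


def monobit(bits):
    """Count the 1s; returns (count, passed)."""
    ones = sum(bits)
    return ones, MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1]


def poker(bits):
    """Split into 5000 4-bit segments, count each value i in 0..15 as n_i and
    compute X = (16/5000) * sum(n_i^2) - 5000; returns (X, passed)."""
    counts = [0] * 16
    for k in range(0, N_BITS, 4):
        value = (bits[k] << 3) | (bits[k + 1] << 2) | (bits[k + 2] << 1) | bits[k + 3]
        counts[value] += 1
    x = 16 * sum(c * c for c in counts) / 5000 - 5000
    return x, POKER_RANGE[0] < x < POKER_RANGE[1]


def runs(bits):
    """Count maximal runs of 0s and of 1s by length (6 = six or more);
    returns ({0: {length: count}, 1: {length: count}}, passed)."""
    table = {0: dict.fromkeys(range(1, 7), 0), 1: dict.fromkeys(range(1, 7), 0)}
    longest = 0
    i = 0
    while i < N_BITS:
        j = i
        while j < N_BITS and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        table[bits[i]][min(length, 6)] += 1
        i = j
    passed = longest < LONG_RUN_LIMIT and all(
        RUN_RANGES[n][0] <= table[b][n] <= RUN_RANGES[n][1]
        for b in (0, 1) for n in range(1, 7))
    return table, passed


def fips_140_1(bits):
    """Run all three tests on exactly 20,000 bits; returns {test: passed}."""
    if len(bits) != N_BITS:
        raise ValueError("FIPS 140-1 tests need exactly 20,000 bits")
    return {"monobit": monobit(bits)[1], "poker": poker(bits)[1], "runs": runs(bits)[1]}


# Constructed sample inputs (not from the slides).
def mt_bits(seed):
    """20,000 bits from Python's seeded Mersenne Twister."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(N_BITS)]


ALTERNATING = [k & 1 for k in range(N_BITS)]   # 0101...: balanced but not random

if __name__ == "__main__":
    print("MT19937 seed 2008:", fips_140_1(mt_bits(2008)))
    print("0101... pattern:  ", fips_140_1(ALTERNATING))
```

The alternating stream shows why the monobit test alone is useless: it is exactly balanced, but every 4-bit segment is 0101 (so $n_5 = 5000$ and $X = 75000$) and every run has length 1.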
Expansion of a PRNG
Given a PRNG $G_1$ that expands by one bit, $l_1(n) = n + 1$, we can build a generator $G$ with $l(n) = p(n)$ for any polynomial $p$:
– Initialization: the input of $G$ is $s_0$ with $|s_0| = n$
– Iteration: $G_1(s_{i-1}) = x_i \,\|\, s_i$ with $|x_i| = 1$ and $|s_i| = n$, for $i = 1, 2, \ldots, p(n)$
– Output: $G(s_0) = x_1 x_2 \ldots x_{p(n)}$
Fact: The $G$ built this way is a PRNG.
PRNG and One-way Function
Fact: PRNGs exist if and only if one-way functions exist.
– PRNG $\Rightarrow$ one-way function: Suppose $G$ is a PRNG with $l(n) = 2n$. For $x, y \in \{0,1\}^*$ with $|x| = |y|$ define $f(x, y) = G(x)$; then $f$ is a one-way function. (An inverter for $f$ would distinguish $G(U_n)$ from $U_{2n}$: a uniform $2n$-bit string has a preimage under $G$ with probability at most $2^{-n}$.)
– The converse direction (one-way function $\Rightarrow$ PRNG) is much harder and is the Håstad–Impagliazzo–Levin–Luby theorem.
Section: PRNGs – LFSR
An LFSR Example
A 3-stage register $K_2 K_1 K_0$: at each clock the feedback bit $K_0 \oplus K_1$ is shifted in at $K_2$ and the output is taken from $K_0$. Starting from $100$ the states are
$$100 \to 010 \to 101 \to 110 \to 111 \to 011 \to 001 \to 100 \to \cdots$$
and the output sequence is $z_0 = 0,\ z_1 = 0,\ z_2 = 1,\ z_3 = 0, \ldots$
Linear Feedback Shift Register
$C_0, C_1, \ldots, C_{m-1}$ are the feedback coefficients:
– $C_i = 0$ denotes an open switch (no connection)
– $C_i = 1$ denotes a closed switch (connection)
LFSR Inside
$$z_{i+m} = \sum_{j=0}^{m-1} C_j z_{i+j} \bmod 2, \qquad C_j \in \{0,1\},\ i = 0, 1, 2, \ldots$$
i.e. the new bit is the inner product of $(C_0, C_1, \ldots, C_{m-1})$ with the register contents $(z_i, z_{i+1}, \ldots, z_{i+m-1})$.
For the 3-stage example ($C_0 = C_1 = 1$, $C_2 = 0$): $z_3 = z_1 \oplus z_0,\ z_4 = z_2 \oplus z_1,\ \ldots,\ z_{i+3} = z_{i+1} \oplus z_i$.
Characteristic Polynomial
Definition: for a sequence $\{z_i\}$, if
$$z_j \oplus c_1 z_{j-1} \oplus c_2 z_{j-2} \oplus \cdots \oplus c_L z_{j-L} = 0 \quad \text{for all } j \ge L,$$
then the characteristic polynomial of $\{z_i\}$ is $p(x) = 1 + c_1 x + c_2 x^2 + \cdots + c_L x^L$.
Example: the 3-stage example satisfies $z_j \oplus z_{j-2} \oplus z_{j-3} = 0$, so $p(x) = 1 + x^2 + x^3$.
Characteristic Polynomial Remark
– The characteristic polynomial is defined for any periodic sequence, not only for LFSR output
– If the period of $\{a_i\}$ is $N$, then $z_j - z_{j-N} = 0$, so $p(x) = 1 - x^N$ is a characteristic polynomial: every periodic $\{a_i\}$ has one
– There may be many characteristic polynomials for $\{a_i\}$
– If $f(x)$ and $g(x)$ are two characteristic polynomials, then $r(x) = \gcd(f(x), g(x))$ is also one
– The characteristic polynomial of smallest degree (the minimal polynomial) is the important one
The Period of an LFSR
For the 3-stage example the states cycle $100 \to 010 \to 101 \to 110 \to 111 \to 011 \to 001 \to 100$, so $z_j = z_{j+7}$ for all $j \ge 0$.
Every LFSR output is periodic:
– Because there are only finitely many states
– An LFSR has a limited number of registers
Maximum sequence length: the maximum period an LFSR can reach.
Maximum Length of an LFSR
Theorem: The maximum sequence length (period) of an LFSR is $2^n - 1$, where $n$ is the number of registers.
Proof:
– A state $K = (k_0, k_1, \ldots, k_{n-1})$ takes one of $2^n$ values
– In the sequence of states $K_1, K_2, \ldots, K_{2^n}, K_{2^n+1}, \ldots$ the state $K_{2^n+1}$ already occurs among $K_1, \ldots, K_{2^n}$; once a state repeats, the state sequence (and hence the output) is periodic with period at most $2^n$
– The all-zero state maps to itself, so it cannot lie on a cycle with any other state and must be excluded
– Hence the period is at most $2^n - 1$
m-sequence
Definition: A sequence generated by an LFSR with the maximum sequence length $2^n - 1$ is an m-sequence.
Remarks on an m-sequence $\{z_i\}$:
– Its period is $2^n - 1$
– It satisfies Golomb's randomness postulates: in one period the number of 0s is $2^{n-1} - 1$ and the number of 1s is $2^{n-1}$; the run lengths are distributed as for a random sequence; the autocorrelation is two-valued
Inside an m-sequence
Theorem: $\{a_i\}$ is an m-sequence if and only if its characteristic polynomial $p(x)$ is primitive.
Definition: the rank (order) of $p(x)$ is the smallest $p$ such that $p(x) \mid x^p - 1$.
Definition: if $p(x)$ is irreducible of degree $n$ and its rank is $2^n - 1$, then $p(x)$ is a primitive polynomial.
Inside an m-sequence
Definition: the generating function of a sequence $\{a_i\}$ is $A(x) = \sum_{i=0}^{\infty} a_i x^i$.
Theorem: if $p(x) = 1 + c_1 x + \cdots + c_L x^L$ is a characteristic polynomial of $\{a_i\}$ (write $c_0 = 1$), then $A(x) = g(x)/p(x)$, where
$$g(x) = \sum_{j=0}^{L-1}\Big(\sum_{i=0}^{j} c_i a_{j-i}\Big) x^j.$$
Proof:
– $p(x)A(x) = \sum_{j=0}^{L-1}\big(\sum_{i=0}^{j} c_i a_{j-i}\big) x^j + \sum_{j=L}^{\infty}\big(\sum_{i=0}^{L} c_i a_{j-i}\big) x^j$
– For $j \ge L$ the inner sum $\sum_{i=0}^{L} c_i a_{j-i} = 0$ by the recurrence
– So $p(x)A(x) = g(x)$
Inside an m-sequence
Theorem: if $p(x)$ of degree $n$ is a characteristic polynomial of $\{a_i\}$, the rank of $p(x)$ is $p$ and the period of $\{a_i\}$ is $r$, then $r \mid p$.
Proof:
– $\{a_i\}$ is periodic with some period $N$: $A(x) = \big(\sum_{i=0}^{N-1} a_i x^i\big)\big(\sum_{k=0}^{\infty} x^{kN}\big) = \big(\sum_{i=0}^{N-1} a_i x^i\big)/(1 - x^N)$
– $p(x) \mid x^p - 1$, so $p(x)q(x) = x^p - 1$ for some $q(x)$
– From $p(x)A(x) = g(x)$ we get $(x^p - 1)A(x) = q(x)g(x)$
– $\deg q = p - n$ and $\deg g \le n - 1$, so $(x^p - 1)A(x)$ is a polynomial $h(x)$ of degree at most $p - 1$; thus $A(x) = h(x)/(1 - x^p)$, which means $p$ is a period of $\{a_i\}$: $a_{i+p} = a_i$
– Write $p = kr + t$ with $0 \le t < r$; then $a_i = a_{i+p} = a_{i+kr+t} = a_{i+t}$, so $t$ would be a period smaller than $r$, hence $t = 0$
– So $r \mid p$
Inside an m-sequence
Theorem: if $m(x)$ is the characteristic polynomial of smallest degree of $\{a_i\}$, then the period of $\{a_i\}$ equals the rank of $m(x)$ ($r = p$).
Proof:
– $r \mid p$ by the previous theorem
– $\{a_i\}$ can be generated by an LFSR with $r$ registers (a pure cyclic shift), so $1 - x^r$ is also a characteristic polynomial of $\{a_i\}$
– The minimal polynomial divides every characteristic polynomial, so $m(x) \mid 1 - x^r$; the exponents $e$ with $m(x) \mid x^e - 1$ are exactly the multiples of the rank, so $x^p - 1 \mid 1 - x^r$ and $p \mid r$
– So $r = p$
Inside an m-sequence
Fact: $\{a_i\}$ is an m-sequence ($r = 2^n - 1$) if and only if its characteristic polynomial $p(x)$ of degree $n$ has rank $2^n - 1$.
Note: how to find a primitive polynomial
– A necessary condition: $p(x)$ is irreducible
– A fact: for every $n$ there exists a primitive polynomial of degree $n$ (there are $\varphi(2^n - 1)/n$ of them)
– In practice: look it up in a table of primitive polynomials
– Example: $p(x) = x^4 + x + 1$
Example: Two LFSRs
Example 1: $m = 4$, $C_0 = C_1 = C_2 = C_3 = 1$, $p(x) = 1 + x + x^2 + x^3 + x^4$. States $K_3 K_2 K_1 K_0$ from $1100$:
$$1100 \to 0110 \to 0011 \to 0001 \to 1000 \to 1100$$
period $r = 5$ (the polynomial is irreducible but not primitive: it divides $x^5 - 1$, so its rank is 5).
Example 2: $m = 4$, $C_0 = 1, C_1 = 1, C_2 = 0, C_3 = 0$, $p(x) = 1 + x + x^4$. States from $1100$:
$$1100 \to 0110 \to 1011 \to 0101 \to 1010 \to 1101 \to 1110 \to 1111 \to 0111 \to 0011 \to 0001 \to 1000 \to 0100 \to 0010 \to 1001 \to 1100$$
period $r = 15 = 2^4 - 1$: an m-sequence.
(Note: with the recurrence $z_{i+4} = z_i \oplus z_{i+1}$ and the definition $z_j \oplus c_1 z_{j-1} \oplus \cdots \oplus c_L z_{j-L} = 0$ from the characteristic-polynomial slide, this register's characteristic polynomial is $1 + x^3 + x^4$; $1 + x + x^4$ is its reciprocal, which is also primitive and gives the same period.)
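As an added worked example (not from the slides), a small LFSR simulator in the slide's notation that reproduces both registers above and the earlier 3-stage example, prints the state cycle in the slide's $K_{m-1} \ldots K_0$ order, and checks the m-sequence properties (period $2^m - 1$, one more 1 than 0 per period). The tap tuples `EXAMPLE1`, `EXAMPLE2` and `THREE_STAGE` are the slide's coefficients $(C_0, \ldots, C_{m-1})$; the function names are this example's own.

```python
def lfsr_step(taps, state):
    """One clock of the register. state = (z_i, ..., z_{i+m-1}), oldest bit first;
    taps = (C_0, ..., C_{m-1}); the new bit is z_{i+m} = sum_j C_j z_{i+j} mod 2."""
    new = 0
    for c, z in zip(taps, state):
        new ^= c & z
    return state[1:] + (new,)


def lfsr_sequence(taps, state, length):
    """Output bits z_0, z_1, ...: the slide's K_0 is the oldest bit of the state."""
    out = []
    for _ in range(length):
        out.append(state[0])
        state = lfsr_step(taps, state)
    return out


def lfsr_cycle(taps, state):
    """Follow the states until one repeats; returns (states on the path, period)."""
    seen = []
    while state not in seen:
        seen.append(state)
        state = lfsr_step(taps, state)
    return seen, len(seen) - seen.index(state)


def show(state):
    """Render a state the way the slide does: K_{m-1} ... K_0, newest bit first."""
    return "".join(str(b) for b in reversed(state))


def from_shown(text):
    """Inverse of show(): '1100' -> (0, 0, 1, 1)."""
    return tuple(int(ch) for ch in reversed(text))


def is_maximal_length(taps):
    """True if the taps give an m-sequence: all 2^m - 1 nonzero states on one cycle."""
    m = len(taps)
    return lfsr_cycle(taps, (1,) + (0,) * (m - 1))[1] == 2 ** m - 1


# The slide's registers in this notation
EXAMPLE1 = (1, 1, 1, 1)     # z_{i+4} = z_i + z_{i+1} + z_{i+2} + z_{i+3}, period 5
EXAMPLE2 = (1, 1, 0, 0)     # z_{i+4} = z_i + z_{i+1}, period 15 = 2^4 - 1
THREE_STAGE = (1, 1, 0)     # z_{i+3} = z_i + z_{i+1}, the 3-stage example, period 7

if __name__ == "__main__":
    for name, taps in (("Example 1", EXAMPLE1), ("Example 2", EXAMPLE2)):
        states, period = lfsr_cycle(taps, from_shown("1100"))
        print(name, " -> ".join(show(s) for s in states), "period", period)
    bits = lfsr_sequence(EXAMPLE2, from_shown("1100"), 15)
    print("one period of the m-sequence:", bits, "ones:", sum(bits), "zeros:", 15 - sum(bits))
```

`is_maximal_length` is the brute-force primitivity test: it is fine for finding taps of small registers, but for cryptographic sizes one consults a table of primitive polynomials, as the previous slide says.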
Another Focus for LFSRs
An LFSR with a primitive characteristic polynomial produces an m-sequence. The converse problem:
– Given a sequence $\{a_i\}$, how to build the simplest LFSR that produces $\{a_i\}$
– Definition: for a sequence $a = a_0, a_1, \ldots, a_{N-1}$, the linear complexity of $a$, written $C(a)$, is the smallest number of registers of an LFSR that can produce $a$
Linear Complexity Remark
Let the linear complexity of $\{a_i\}$ be $L$. A known-plaintext attack: $2L$ consecutive keystream bits $a_{n-L}, \ldots, a_{n+L-1}$ determine the feedback coefficients $c_1, \ldots, c_L$ through the linear system over $\mathrm{GF}(2)$
$$\begin{pmatrix} a_{n+L-1} \\ a_{n+L-2} \\ \vdots \\ a_n \end{pmatrix} = \begin{pmatrix} a_{n+L-2} & a_{n+L-3} & \cdots & a_{n-1} \\ a_{n+L-3} & a_{n+L-4} & \cdots & a_{n-2} \\ \vdots & \vdots & & \vdots \\ a_{n-1} & a_{n-2} & \cdots & a_{n-L} \end{pmatrix} \begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_L \end{pmatrix},$$
after which the whole keystream can be regenerated. So a keystream with small linear complexity is broken by a short known plaintext, whatever the generator that produced it.
Complexity:
– $L$ known: solve the $L \times L$ linear system (Gaussian elimination, $O(L^3)$)
– $L$ unknown: use the Berlekamp–Massey algorithm, $O(L^2)$
Nonlinear Sequence
A feedback shift register whose feedback function $f(z_0, z_1, \ldots, z_{n-1})$ is nonlinear (NLFSR).
Features:
– The period of the output sequence is at most $2^n$ (the all-zero state no longer has to be excluded)
– A sequence of maximum length $2^n$ is an M-sequence (a de Bruijn sequence)
– M-sequences have good randomness properties
– The number of M-sequences is $2^{2^{n-1} - n}$
– The number of nonlinear feedback functions is $2^{2^n} - 2^n$, versus $2^n$ linear functions
Practical Nonlinear Sequences
The theory of general nonlinear sequences is still immature, so practical designs start from m-sequences as driving sequences and add the nonlinearity in one of three ways:
– Feedforward (nonlinear filter) sequence
– Nonlinear combination sequence
– Clock-controlled sequence
Feedforward Sequence
(Figure: an $n$-stage LFSR producing an m-sequence; a nonlinear function $f$ of the register contents $z_0, z_1, z_2, \ldots$ gives the output.)
Facts:
– Its period is $2^n - 1$ (at most; it divides the period of the driving m-sequence)
– Its linear complexity can be made much larger than $n$: it grows combinatorially with the degree of $f$
Nonlinear Combination Sequence
(Figure: $n$ registers LFSR$_1$, …, LFSR$_n$ feed a combining function $f$ whose value is the output.)
Theorem: let $r_i$ be the length (linear complexity) of LFSR$_i$, each producing an m-sequence; if the $r_i$ are pairwise coprime, then for the output sequence
– Its period is $\prod_{i=1}^{n} (2^{r_i} - 1)$
– Its linear complexity is $f(r_1, \ldots, r_n)$, with $f$ written in algebraic normal form and evaluated as a polynomial over the integers
Geffe Generator
(Figure: LFSR$_1$ supplies the address $a_1$ of a multiplexer whose data inputs are $a_2$ from LFSR$_2$ and $a_3$ from LFSR$_3$.)
$$f(a_1, a_2, a_3) = (a_1 \wedge a_2) \oplus (\neg a_1 \wedge a_3) = a_1 a_2 \oplus a_1 a_3 \oplus a_3,$$
i.e. $a_1$ selects $a_2$ when $a_1 = 1$ and $a_3$ when $a_1 = 0$.
If the lengths of LFSR$_1$, LFSR$_2$, LFSR$_3$ are $n_1, n_2, n_3$ (pairwise coprime, primitive feedback):
– Its linear complexity is $n_1 n_2 + (n_1 + 1) n_3$, read off term by term from the algebraic normal form above (the slide writes $(n_1 + 1) n_2 + n_1 n_3$, which is the same expression with the two data inputs swapped)
– Its period is $\operatorname{lcm}(2^{n_1} - 1, 2^{n_2} - 1, 2^{n_3} - 1) = (2^{n_1} - 1)(2^{n_2} - 1)(2^{n_3} - 1)$
The output agrees with each data input $a_2$ and $a_3$ about three quarters of the time (always when it is selected, half the time otherwise), which is exactly what the correlation attack exploits.
Clock-Controlled Sequence
Idea: use one m-sequence to control the clocking (stepping forward or stopping) of other m-sequence generators.
Advantages:
– Its linear complexity is exponential in the number of registers of the LFSRs
– Its linear complexity can be controlled easily
Disadvantages:
– Not good randomness
– Many long runs
Stop-and-go Generator
(Figure: three LFSRs; the output of LFSR$_1$ drives the clock of LFSR$_2$, whose output is combined with that of LFSR$_3$ to form the output bit.)
Remarks:
– Long period and large linear complexity
– LFSR$_1$ is exposed to a correlation attack, but this does not weaken the security essentially
Attack on Nonlinear Sequences: Correlation Attack
(Figure: LFSR$_1$, …, LFSR$_n$ feed $f$; the attacker measures the correlation between the output $z_k$ and one register's output $x_i$.)
Idea: divide and conquer.
Reason: the key space
– Brute force over all registers together: $\prod_{i=1}^{n} (2^{r_i} - 1)$ candidates
– Divide-and-conquer, one register at a time: $\sum_{i=1}^{n} 2^{r_i}$ candidates
Method:
– If $\Pr(z_k = x_i) = 1/2 + \epsilon$ with $\epsilon \ne 0$, then the output $z_k$ is correlated with the output $x_i$ of LFSR$_i$
– Search the state space of LFSR$_i$ alone and use the correlation as the test: the right state agrees with the keystream about $1/2 + \epsilon$ of the time, wrong states about half the time
– A combining function is correlation-immune only if no such $\epsilon$ exists for any single input (or small group of inputs)
A Correlation Attack Example
(Figure: LFSR1, LFSR2, LFSR3 produce $X_1, X_2, X_3$; $f$ outputs the keystream $Y$, which is XORed with the plaintext $P$ to give the ciphertext $C$.)
The combining function is a multiplexer with $X_3$ as selector:
$$Y = X_1 \text{ if } X_3 = 0, \qquad Y = X_2 \text{ if } X_3 = 1.$$
Suppose the plaintext is biased: $\Pr[P = 0] = 0.58$.
– $\Pr[Y = X_1] = \Pr[X_3 = 0] + \Pr[X_3 = 1]\Pr[X_2 = X_1] = 1/2 + 1/4 = 3/4$ (the slide gives $\Pr[Y = X_2] = 1/4$, but by the same argument $\Pr[Y = X_2] = 3/4$ too; it is the selector $X_3$ that is not leaked)
– $\Pr[C = X_1] = \Pr[Y = X_1]\Pr[P = 0] + \Pr[Y \ne X_1]\Pr[P = 1] = 0.75 \cdot 0.58 + 0.25 \cdot 0.42 = 0.54$, versus $0.5$ for a sequence unrelated to $C$
So even from ciphertext alone the attacker can test candidate states of LFSR1 by their correlation with $C$; the bias of $0.04$ just means more ciphertext is needed than with known plaintext.
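As an added worked example (not from the slides) covering the linear-complexity remark, the Geffe generator and the correlation attack: three toy LFSRs of pairwise coprime lengths 3, 4, 5 with primitive feedback (the 3- and 4-stage ones are the slide's examples; the 5-stage taps are assumed), the Geffe combiner with $a_1$ as selector, Berlekamp–Massey to measure the output's linear complexity, and the divide-and-conquer attack that recovers each register's state from its correlation with the keystream. The initial states in `KEY` are a constructed secret.

```python
import itertools


def lfsr(taps, state, length):
    """Fibonacci LFSR in the slide's notation: taps = (C_0..C_{m-1}),
    state = (z_0..z_{m-1}) oldest first, z_{i+m} = sum_j C_j z_{i+j} mod 2."""
    z = list(state)
    out = []
    for _ in range(length):
        out.append(z[0])
        new = 0
        for c, b in zip(taps, z):
            new ^= c & b
        z = z[1:] + [new]
    return out


def period(taps, state):
    """Clock the register until the initial state returns."""
    start = tuple(state)
    z, k = start, 0
    while True:
        new = 0
        for c, b in zip(taps, z):
            new ^= c & b
        z, k = z[1:] + (new,), k + 1
        if z == start:
            return k


# Three toy registers (assumed parameters) with pairwise coprime lengths 3, 4, 5
# and primitive feedback, so each produces an m-sequence.
LFSR1 = (1, 1, 0)          # z_{i+3} = z_i + z_{i+1}, period 7  (the slide's 3-stage example)
LFSR2 = (1, 1, 0, 0)       # z_{i+4} = z_i + z_{i+1}, period 15 (the slide's example 2)
LFSR3 = (1, 0, 1, 0, 0)    # z_{i+5} = z_i + z_{i+2}, period 31


def geffe(s1, s2, s3, length):
    """f(a1, a2, a3) = a1*a2 xor (not a1)*a3: a1 selects a2 (a1 = 1) or a3 (a1 = 0)."""
    a1 = lfsr(LFSR1, s1, length)
    a2 = lfsr(LFSR2, s2, length)
    a3 = lfsr(LFSR3, s3, length)
    return [(x & y) ^ ((1 ^ x) & z) for x, y, z in zip(a1, a2, a3)]


def berlekamp_massey(s):
    """Linear complexity of a bit sequence over GF(2) (Massey's algorithm)."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, 1
    for i in range(n):
        d = s[i]                              # discrepancy with the current LFSR
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d == 0:
            m += 1
            continue
        t = c[:]
        for j in range(n + 1 - m):            # c(x) += x^m * b(x)
            c[j + m] ^= b[j]
        if 2 * L <= i:
            L, b, m = i + 1 - L, t, 1
        else:
            m += 1
    return L


def nonzero_states(m):
    return [s for s in itertools.product((0, 1), repeat=m) if any(s)]


def correlation_guess(taps, keystream):
    """Divide and conquer: try every nonzero state of ONE register and keep the
    one whose output agrees with the keystream most often. For Geffe the data
    inputs a2 and a3 agree with the output about 3/4 of the time; a wrong state
    agrees about half the time."""
    best_state, best_agree = None, -1
    for s in nonzero_states(len(taps)):
        agree = sum(a == y for a, y in zip(lfsr(taps, s, len(keystream)), keystream))
        if agree > best_agree:
            best_state, best_agree = s, agree
    return best_state, best_agree / len(keystream)


def correlation_attack(keystream):
    """Recover (s1, s2, s3): LFSR2 and LFSR3 by correlation, then the selector
    LFSR1 (which is not correlated with the output) by trying its 7 states.
    Work: 15 + 31 + 7 candidates instead of 7 * 15 * 31 = 3255."""
    s2, _ = correlation_guess(LFSR2, keystream)
    s3, _ = correlation_guess(LFSR3, keystream)
    for s1 in nonzero_states(3):
        if geffe(s1, s2, s3, len(keystream)) == keystream:
            return s1, s2, s3
    return None


KEY = ((1, 0, 1), (0, 1, 1, 0), (1, 0, 0, 1, 1))   # constructed secret initial states

if __name__ == "__main__":
    ks = geffe(*KEY, 600)
    print("linear complexity of the Geffe output:", berlekamp_massey(ks))   # 3*4 + (3+1)*5 = 32
    print("best LFSR2 guess and agreement:", correlation_guess(LFSR2, ks))
    print("recovered key:", correlation_attack(ks))
```

Two things to notice when running it: the linear complexity comes out as $n_1 n_2 + (n_1 + 1) n_3 = 32$, far above the 12 bits of total register state, yet 600 keystream bits and 53 trial states recover everything, because linear complexity says nothing about correlation immunity. The same attack scales to real register sizes since each register is searched independently.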
Section: PRNGs – BBS
Blum Blum Shub
Another way to generate a pseudorandom sequence is to base it on a hard problem:
– Shamir's generator: the factoring problem
– The BBS generator: the quadratic residuosity problem
Quadratic Residue
Definition: $b$ is a quadratic residue modulo $p$ if there exists $x \in \mathbb{Z}_p^*$ such that $x^2 \equiv b \pmod p$.
$Q_p$ is the set of all quadratic residues modulo $p$.
– Let $g$ be a generator of $\mathbb{Z}_p^*$; then $b = g^a$ is a quadratic residue iff $a$ is even
– $|Q_p| = (p-1)/2$
Square Roots of Elements of $Q_p$
An element $b \in Q_p$ has exactly two square roots ($p$ an odd prime):
– $b$ has at least two square roots: if $x^2 \equiv b \pmod p$, then $(p - x)^2 \equiv b \pmod p$, and $x \ne p - x$ because $p$ is odd
– $b$ has at most two square roots in $\mathbb{Z}_p^*$: if $x^2 \equiv b$ and $y^2 \equiv b \pmod p$, then $x^2 - y^2 \equiv 0 \pmod p$, so $p \mid (x + y)(x - y)$; since $p$ is prime, either $x = y$ or $x + y = p$
Legendre Symbol
If $p$ is an odd prime and $a$ is an integer, the Legendre symbol is defined as
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a \\ 1 & \text{if } a \in Q_p \\ -1 & \text{if } a \notin Q_p \text{ and } p \nmid a \end{cases}$$
Euler's Criterion
Theorem: $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$.
Proof:
– If $a = x^2$, then $a^{(p-1)/2} = x^{p-1} \equiv 1 \pmod p$ by Fermat's little theorem
– If $a^{(p-1)/2} \equiv 1$, let $a = g^j$ where $g$ is a generator; then $g^{j(p-1)/2} \equiv 1 \pmod p$, so $(p - 1) \mid j(p-1)/2$, thus $j$ must be even, and therefore $a = g^j$ is a quadratic residue
– Otherwise $a^{(p-1)/2}$ is a square root of $1$ other than $1$, i.e. $-1$, and $a$ is a non-residue
Jacobi Symbol
Let $n > 2$ be odd with prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$.
Definition: the Jacobi symbol of $a$ modulo $n$ is
$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{e_1} \left(\frac{a}{p_2}\right)^{e_2} \cdots \left(\frac{a}{p_k}\right)^{e_k}$$
Note: the Jacobi symbol can be computed without factoring $n$ (by quadratic reciprocity), but $\left(\frac{a}{n}\right) = 1$ does not imply that $a$ is a quadratic residue modulo $n$: both Legendre symbols may be $-1$.
Square Roots Modulo a Composite
Let $n > 2$ be odd with prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, and $\gcd(a, n) = 1$.
– Fact 1: $x^2 \equiv a \pmod p$ is solvable iff $x^2 \equiv a \pmod{p^e}$ is solvable
– Fact 2: $x^2 \equiv a \pmod n$ iff $x^2 \equiv a \pmod{p_i^{e_i}}$ for all $i \in \{1, \ldots, k\}$
Theorem: $x^2 \equiv a \pmod n$ has solutions iff $\left(\frac{a}{p_i}\right) = 1$ for all $i \in \{1, \ldots, k\}$, and then it has $2^k$ solutions.
Proof: by the CRT. Modulo each $p_i^{e_i}$ there are two roots $b_{i,1}, b_{i,2}$; each choice of $x \equiv b_{i,1}$ or $b_{i,2} \pmod{p_i^{e_i}}$ for $i = 1, \ldots, k$ can be made independently and combines by the CRT into one $x$ with $x^2 \equiv a \pmod n$, giving $2^k$ solutions.
Square Roots of $x^2 \equiv 1 \pmod{pq}$
Fact: if $n = pq$ with distinct odd primes, then $x^2 \equiv 1 \pmod n$ has four solutions, because $x^2 \equiv 1 \pmod n$ iff both $x^2 \equiv 1 \pmod p$ and $x^2 \equiv 1 \pmod q$:
– Two trivial solutions: $1$ and $n - 1$
$1$ solves $x \equiv 1 \pmod p$ and $x \equiv 1 \pmod q$
$n - 1$ solves $x \equiv -1 \pmod p$ and $x \equiv -1 \pmod q$
– Two other solutions
the solution of $x \equiv 1 \pmod p$ and $x \equiv -1 \pmod q$
the solution of $x \equiv -1 \pmod p$ and $x \equiv 1 \pmod q$
Example: $n = 3 \cdot 5 = 15$: $x^2 \equiv 1 \pmod{15}$ has the solutions $1, 14$ and $4, 11$ (by the CRT).
(A non-trivial square root $x$ of $1$ reveals the factorization: $\gcd(x - 1, n)$ is $p$ or $q$; in the example $\gcd(4 - 1, 15) = 3$.)
Blum Blum Shub Generator
Initialization:
– For a security parameter $n$, select two primes $p, q \in_R [2^{n/2-1}, 2^{n/2}]$ with $p \equiv q \equiv 3 \pmod 4$ and let $N = pq$
– Choose a seed $x_0 \in_R [1, N]$ with $\left(\frac{x_0}{p}\right) = \left(\frac{x_0}{q}\right) = 1$
Expansion:
– $x_{i+1} \equiv x_i^2 \pmod N$
Output:
– $y_i = x_i \bmod 2$ (the least significant bit of $x_i$)
BBS Generator Example
$N = 192649 = 383 \cdot 503$ (both primes are $3 \bmod 4$), seed $x_0 = 20749$:
$i$ | $x_i$ | $y_i$
0 | 20749 | 1
1 | 143135 | 1
2 | 177671 | 1
3 | 97048 | 0
4 | 89992 | 0
5 | 174051 | 1
6 | 80649 | 1
7 | 45663 | 1
8 | 69442 | 0
9 | 186894 | 0
10 | 177046 | 0
11 | 137922 | 0
12 | 123175 | 1
13 | 8630 | 0
14 | 114386 | 0
15 | 14863 | 1
16 | 133015 | 1
17 | 106065 | 1
18 | 45870 | 0
19 | 137171 | 1
20 | 48060 | 0
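As an added worked example (not from the slides), the BBS generator of the previous two slides in Python with the slide's modulus $N = 383 \cdot 503$ and seed $x_0 = 20749$: it checks the seed condition with Euler's criterion, reproduces the table, and shows the generator used as a key stream (8 bits per byte). The function names are this example's own; the plaintext in the `main` block is constructed.

```python
P, Q = 383, 503          # the slide's primes, both 3 mod 4
N = P * Q                # 192649


def legendre(a, p):
    """Euler's criterion: 1 for a quadratic residue, -1 for a non-residue, 0 if p | a."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def valid_seed(x0):
    """The slide's seed condition: (x0/p) = (x0/q) = 1, i.e. x0 in Z_N^{Q+}."""
    return 0 < x0 < N and legendre(x0, P) == 1 and legendre(x0, Q) == 1


def bbs_table(x0, count):
    """Rows (i, x_i, y_i) with x_{i+1} = x_i^2 mod N and y_i = x_i mod 2, exactly as
    in the slide's table (note that y_0 is the parity of the seed itself)."""
    if not valid_seed(x0):
        raise ValueError("seed must be a quadratic residue mod p and mod q")
    rows, x = [], x0
    for i in range(count):
        rows.append((i, x, x & 1))
        x = x * x % N
    return rows


def bbs_bits(x0, count):
    return [y for _, _, y in bbs_table(x0, count)]


def bbs_crypt(x0, data):
    """Use BBS as a key stream generator: 8 bits per byte, first bit most significant.
    Encryption and decryption are the same XOR. One modular squaring per output
    bit is why BBS is a proof-of-concept, not a bulk-traffic cipher."""
    bits = bbs_bits(x0, 8 * len(data))
    out = bytearray()
    for k, byte in enumerate(data):
        ks = 0
        for b in bits[8 * k:8 * k + 8]:
            ks = (ks << 1) | b
        out.append(byte ^ ks)
    return bytes(out)


if __name__ == "__main__":
    for i, x, y in bbs_table(20749, 21):
        print(f"{i:2d} {x:6d} {y}")
    print("".join(map(str, bbs_bits(20749, 21))))
    secret = bbs_crypt(20749, b"stream")          # constructed plaintext
    print(secret.hex(), bbs_crypt(20749, secret))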
BBS Generator Analysis
Fact: If there is a distinguisher $D$ that tells BBS output from a random sequence, then $D$ can be converted into a probabilistic polynomial-time algorithm $A$ which, given $x_0 \in \mathbb{Z}_N^{Q+}$, guesses $x_{-1} \bmod 2$, the parity of the square root of $x_0$ that is itself a quadratic residue ($D \Rightarrow A$).
Notation, with $N = pq$ for primes $p, q$:
– $\mathbb{Z}_N^{Q+} = \{x \in \mathbb{Z}_N : \left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1\}$
– $\mathbb{Z}_N^{Q-} = \{x \in \mathbb{Z}_N : \left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = -1\}$
– $\mathbb{Z}_N^{Q} = \mathbb{Z}_N^{Q+} \cup \mathbb{Z}_N^{Q-}$, the elements with Jacobi symbol $+1$
Quadratic Residuosity Problem
Definition: Given $N = pq$ and an integer $x \in \mathbb{Z}_N^{Q}$ (Jacobi symbol $+1$), the QRP is to decide whether $x \in \mathbb{Z}_N^{Q+}$.
Fact: From algorithm $A$ we can build an algorithm $B$ that solves the QRP ($A \Rightarrow B$):
Algorithm $B(N, x)$ where $x \in \mathbb{Z}_N^{Q}$
(1) Let $x_0 \equiv x^2 \pmod N$
(2) Call $A(N, x_0) = b \in \{0, 1\}$
(3) If $b = x \bmod 2$ then output $x \in \mathbb{Z}_N^{Q+}$, else output $x \in \mathbb{Z}_N^{Q-}$
Why B Works
Theorem: If $N = pq$ with $p \equiv q \equiv 3 \pmod 4$, then each quadratic residue modulo $N$ has exactly one square root which is itself a quadratic residue.
Proof:
– $x^2 \equiv a \pmod N$ has four solutions, written in CRT form as $r_1 = (b \bmod p,\ c \bmod q)$, $-r_1 = (-b, -c)$, $r_2 = (-b, c)$, $-r_2 = (b, -c)$
– Since $p \equiv 3 \pmod 4$, $(p - 1)/2 = 2m + 1$ is odd, so $\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2} = -1$; likewise $\left(\frac{-1}{q}\right) = -1$
– Hence $\left(\frac{-r_1}{p}\right) = -\left(\frac{r_1}{p}\right)$, $\left(\frac{r_2}{p}\right) = -\left(\frac{r_1}{p}\right)$, $\left(\frac{r_2}{q}\right) = \left(\frac{r_1}{q}\right)$, and so on: writing $s = \left(\frac{r_1}{p}\right)$, $t = \left(\frac{r_1}{q}\right)$, the four roots have Legendre-symbol pairs $(s, t), (-s, -t), (-s, t), (s, -t)$
– Exactly one of these four pairs is $(1, 1)$, so exactly one root lies in $\mathbb{Z}_N^{Q+}$
Why B Works
For algorithm $A$:
– $x_{-1}$ is the quadratic-residue square root of $x_0$
– $A(N, x_0)$ is (a good guess of) the parity bit of $x_{-1}$
For algorithm $B(N, x)$:
– (1) Let $x_0 \equiv x^2 \pmod N$
– (2) Call $A(N, x_0) = b \in \{0, 1\}$
– (3) If $b = x \bmod 2$ then $x \in \mathbb{Z}_N^{Q+}$, else $x \in \mathbb{Z}_N^{Q-}$
– Why step (3) is right: $x$ and $N - x$ are both square roots of $x_0$ with Jacobi symbol $+1$, they have opposite parity because $N$ is odd, and by the theorem exactly one of them is the quadratic residue $x_{-1}$ (the other two roots have Jacobi symbol $-1$); so $b$ equals the parity of $x$ exactly when $x$ is the quadratic residue
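As an added worked example (not from the slides) for the Jacobi-symbol, square-roots-modulo-$pq$ and "exactly one residue root" slides: a Jacobi symbol computed by reciprocity without factoring, square roots modulo $p \equiv 3 \pmod 4$ by the shortcut $a^{(p+1)/4}$, the four roots modulo $N = pq$ by the CRT, and the unique root that is a residue modulo both primes. It reproduces the roots of $1$ modulo $15$ and, on the BBS example modulus, recovers the seed $x_0 = 20749$ as the residue root of $x_1 = 143135$. Function names are this example's own; the direct search in `sqrt_mod_prime` for primes not $3 \bmod 4$ is only meant for the tiny prime $5$.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 by the rule for 2 and quadratic
    reciprocity; n is never factored."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0     # gcd(a, n) > 1 gives 0


def sqrt_mod_prime(a, p):
    """A square root of the residue a modulo the prime p. For p = 3 mod 4 it is
    a^((p+1)/4); for other (tiny) primes search directly."""
    a %= p
    if legendre(a, p) != 1:
        raise ValueError("not a quadratic residue")
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    return next(x for x in range(p) if x * x % p == a)


def crt(rp, p, rq, q):
    """The x mod pq with x = rp (mod p) and x = rq (mod q), for coprime p and q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def square_roots_mod_pq(a, p, q):
    """All four square roots of a modulo N = pq: combine (+-b mod p, +-c mod q)."""
    b, c = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    return sorted(crt(x, p, y, q) for x in (b, p - b) for y in (c, q - c))


def qr_square_root(a, p, q):
    """For a Blum integer (p = q = 3 mod 4) exactly one of the four roots is a
    quadratic residue modulo both primes; return it."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be 3 mod 4")
    roots = [r for r in square_roots_mod_pq(a, p, q)
             if legendre(r, p) == 1 and legendre(r, q) == 1]
    assert len(roots) == 1
    return roots[0]


if __name__ == "__main__":
    print("square roots of 1 mod 15:", square_roots_mod_pq(1, 3, 5))
    P, Q = 383, 503                          # the BBS example modulus N = 192649
    x1 = 143135                              # x_1 from the BBS table
    roots = square_roots_mod_pq(x1, P, Q)
    print("roots of x_1:", roots, "Jacobi symbols:", [jacobi(r, P * Q) for r in roots])
    print("the residue root, i.e. x_0:", qr_square_root(x1, P, Q))
```

Running it on $x_1$ shows the structure the proof uses: two of the four roots have Jacobi symbol $+1$ ($x_0$ and $N - x_0$, of opposite parity) and two have $-1$, and only $x_0$ has both Legendre symbols $+1$. Of course the program can only do this because it knows $p$ and $q$; without them, finding $x_0$ from $x_1$ is exactly what the BBS security proof assumes to be hard.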
Section: Stream Ciphers
A5
(Figure of the A5/1 keystream generator, three LFSRs with majority-controlled clocking; not reproduced here.)
A5 Remarks
Clock-controlled sequence:
– Driven by three m-sequences
– Produced by three LFSRs
– The majority function that decides which registers are clocked is nonlinear
Application:
– A5 protects the voice communication in GSM
Caveat: A5/1 is broken in practice. Time-memory trade-off attacks with precomputed tables recover the session key from a few seconds of known keystream, which is why newer GSM networks use A5/3 instead.
RC4 Overview
Designed by Ron Rivest in 1987; the algorithm was kept as a trade secret until it was leaked in 1994.
Simple and effective design:
– Very fast and very easy to remember
Byte-oriented stream cipher:
– The internal state is a byte array $S[0..255]$ plus two indices $i$, $j$
– $S[0..255]$ is a permutation of $0$ to $255$
Applications:
– In SSL/TLS to protect Internet traffic
– In WEP to protect wireless links
RC4: Initialisation (Key Scheduling)
Produce an initial permutation from the key $K$, which is treated as $L$ bytes $K[0..L-1]$ and reused cyclically to cover all 256 positions (in effect, padded by repetition):
for i = 0 to 255 do S[i] = i;
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + K[i mod L]) mod 256;
    swap(S[i], S[j]);
RC4: Encryption (Keystream Generation)
Two indices $i$, $j$, initially $i = j = 0$. Each round produces one byte of keystream $Ks$:
i = (i + 1) mod 256;        (loop for the next Ks)
j = (j + S[i]) mod 256;
swap(S[i], S[j]);
t = (S[i] + S[j]) mod 256;
Ks = S[t];
Encryption: $C_i = M_i \oplus Ks$ (decryption is the same XOR).
RC4: Example (scaled down to an 8-element state, all arithmetic mod 8)
Key $K = 5\,6\,7$ repeated: $K[i \bmod 3]$ for $i = 0..7$ gives $5\,6\,7\,5\,6\,7\,5\,6$
Initial $S = 0\,1\,2\,3\,4\,5\,6\,7$
Key scheduling, step $i = 0$: $j = (0 + S[0] + K[0]) \bmod 8 = 5$; swap $S[0], S[5]$: $S = 5\,1\,2\,3\,4\,0\,6\,7$
After all eight steps: $S = 5\,4\,0\,7\,1\,6\,3\,2$
Keystream generation, first round:
$i = (0 + 1) \bmod 8 = 1$
$j = (0 + S[1]) \bmod 8 = 4$
swap $S[1], S[4]$: $S = 5\,1\,0\,7\,4\,6\,3\,2$
$t = (S[1] + S[4]) \bmod 8 = (1 + 4) \bmod 8 = 5$
$k = S[5] = 6$
Notes on the Steps of RC4 Encryption
– $i = (i + 1) \bmod 256$: every array element is used once every 256 iterations
– $j = (j + S[i]) \bmod 256$: makes the output depend non-linearly on the array
– swap$(S[i], S[j])$: makes sure the array keeps evolving as the iteration proceeds
– $t = (S[i] + S[j]) \bmod 256$: makes sure the output byte reveals little about the internal state of the array
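As an added worked example (not from the slides), the key scheduling and keystream generation above in Python, parameterised by the state size so that the same code reproduces the slide's 8-element walkthrough (`n=8`, key `5 6 7`) and real RC4 (`n=256`, checked against the published test vector for key `Key` and plaintext `Plaintext`). The last function illustrates the "use a key stream only once" rule from the properties slide with two constructed plaintexts.

```python
def rc4_ksa(key, n=256):
    """Key scheduling: build the permutation S of 0..n-1 from the key bytes.
    n = 256 is real RC4; the slide's worked example uses n = 8."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n   # key bytes are reused cyclically
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key, length, n=256):
    """Keystream generation: one output byte per round, i and j start at 0."""
    s = rc4_ksa(key, n)
    i = j = 0
    out = []
    for _ in range(length):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])      # Ks = S[t], t = S[i] + S[j]
    return out


def rc4_crypt(key, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def two_time_pad(key, m1, m2):
    """What reusing one key stream leaks: the XOR of the two ciphertexts equals the
    XOR of the two plaintexts, the key stream having cancelled out."""
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print("toy KSA state:", rc4_ksa([5, 6, 7], n=8))                    # slide: 5 4 0 7 1 6 3 2
    print("toy first keystream byte:", rc4_keystream([5, 6, 7], 1, n=8))  # slide: 6
    print("RC4('Key', 'Plaintext') =", rc4_crypt(b"Key", b"Plaintext").hex())
    m1, m2 = b"attack at dawn", b"attack at dusk"                         # constructed
    print("c1 xor c2 =", two_time_pad(b"Key", m1, m2))
```

The two-time-pad output is zero wherever the plaintexts agree and nonzero only in the last four bytes, which is exactly how WEP traffic with repeated IVs (hence repeated key streams) was attacked.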
RC4 Security
– The state space is huge: $256! \cdot 256^2 \approx 2^{1700}$ states (the slide writes the period as $256! \approx 2^{1700}$; the actual period depends on the key and is only known to be very long), so short periods are not the concern
– As of these lectures (2008): claimed secure against known attacks; some analyses existed, none practical
– Caveat: this no longer holds. The key-scheduling weakness published by Fluhrer, Mantin and Shamir in 2001 broke WEP, statistical biases in the first output bytes led to practical plaintext-recovery attacks on RC4 in TLS in 2013, and RC4 is now prohibited in TLS (RFC 7465). Discarding the initial keystream bytes and never reusing a key were the minimum mitigations; today the cipher should simply not be used.
Summary
– Stream cipher architecture
– Pseudorandomness and pseudorandom number generators
– PRNGs: LFSR, BBS
– Stream ciphers: A5, RC4