Slide 1: Session 2: Symmetric ciphers 1

Slide 2: Stream cipher definition
Recall the Vernam cipher:
Plaintext      000110111101101
(Running) key  110110010101011
Ciphertext     110000101000110
The key distribution centre supplies the same running key to the transmitter and to the receiver: the transmitter adds the key to the plaintext modulo 2 to obtain the ciphertext, and the receiver adds the same key to the ciphertext to recover the plaintext.

Slide 3: Stream cipher definition
– Advantage of the Vernam cipher: unconditionally secure
– Disadvantage: it requires one key bit for every plaintext bit
Because of that, when the required level of security is not the highest one (the red telephone line, etc.), a stream cipher can be used instead of the Vernam cipher.

Slide 4: Stream cipher definition
Block diagram: at the transmitter, the key initialises a deterministic algorithm that produces the running key z_i, and the ciphertext bit y_i = x_i ⊕ z_i is sent over the communication channel; at the receiver, the same key drives the same deterministic algorithm, and the plaintext bit is recovered as x_i = y_i ⊕ z_i.

Slide 5: Stream cipher definition
– The key is short, much shorter than the length of the plaintext (on average)
– The key determines the initial state of a deterministic algorithm
– Starting from that initial state, the algorithm generates the running key sequence
– The bits of the running key sequence are summed modulo 2 with the corresponding bits of the plaintext

Slide 6: Stream cipher definition
Similarities and differences between the Vernam cipher and a stream cipher (running key):
– Length of the running key: Vernam cipher, equal to the length of the text; stream cipher, the length (period) of the generated sequence
– Used once: yes in both cases
– Vernam cipher: randomness; stream cipher: pseudorandomness

Slide 7: Stream cipher properties
– They do not satisfy the perfect secrecy conditions (the running key is not random but pseudorandom)
– They possess practical secrecy; the level of security depends on the design
– Advantage: the secret key is short, and it is the only piece of information that the transmitter and the receiver must share

Slide 8: The running key
What are the general characteristics of these sequences? What generators produce them?

Slide 9: The running key
Pseudorandom sequences:
– long period
– pseudorandomness properties
– unpredictability
– etc.

Slide 10: The running key
– The running key sequences generated by pseudorandom sequence generators are ultimately periodic (i.e. they may have an aperiodic prefix)
– The period must be at least as long as the length of the plaintext
– In practice, this period is much longer

Slide 11: The running key
Example: T = 2^100 − 1 ≈ 1.26·10^30 bits. If we generate 120 Mbit/s (V_c = 1.2·10^8 bit/s), generating the whole period takes 3.33·10^14 years, i.e. 22200 times the age of the universe (1.5·10^10 years).

Slide 12: The running key
Distribution of zeros and ones:
…… 0100110100111010110010010 ……
– A run of length k is a group of k consecutive equal digits between two different digits
– Runs of zeros: gaps
– Runs of ones: blocks

Slide 13: The running key
Autocorrelation
– Autocorrelation in phase: …
– Autocorrelation out of phase: …
A: number of coincidences; D: number of non-coincidences; T: period; k: shift
Original sequence: 1011001010000111
Shifted sequence:  0010100001111011

Slide 14: The running key
Golomb's pseudorandomness postulates:
– G1: In each period of the considered sequence, the difference between the number of 1s and the number of 0s must not exceed one

Slide 15: The running key
Golomb's postulates:
– G2: In each period of the considered sequence, half of the runs (of the total number of observed runs) have length 1, one fourth have length 2, one eighth have length 3, etc. For each length, there are the same number of blocks and gaps

Slide 16: The running key
Golomb's postulates:
– G3: The autocorrelation AC(k) out of phase must be constant for every k

Slide 17: The running key
Explanation of Golomb's postulates:
– G1: The 1s and 0s must appear along the sequence with the same probability
– G2: The different n-grams (samples of n consecutive digits) must occur with the correct probability

Slide 18: The running key
Explanation of Golomb's postulates:
– G3: Counting the coincidences between a sequence and its shifted versions must not give any information about the period of the sequence

Slide 19: The running key
PN sequence (pseudo-noise sequence):
– A finite sequence that satisfies the three Golomb postulates
– Its properties are equal to the properties of a random sequence with uniform distribution
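The three postulates can be checked mechanically. The following is an added example (not part of the slides) that tests G1, G2 and G3 on one period of the m-sequence from slide 46 and reproduces the coincidence count for the pair of sequences on slide 13. It assumes the usual Golomb definition AC(k) = (A − D)/T, since the slide's own formula did not survive, and it reads the period cyclically so that the run wrapping around the end of the period is counted once (the shifted sequence on slide 13 is the original rotated left by 4 positions).

```python
from fractions import Fraction

# Constructed inputs: one period of the m-sequence from slide 46 and the
# 16-bit sequence from slide 13.
M_SEQUENCE = [int(b) for b in "111010110010001"]
SLIDE13_SEQ = [int(b) for b in "1011001010000111"]


def balance(seq):
    """G1 quantity: |#1s - #0s| over one period."""
    ones = sum(seq)
    return abs(ones - (len(seq) - ones))


def cyclic_runs(seq):
    """Runs of one period read cyclically, so the run that wraps past the end
    is counted once.  Returns a list of (bit, length)."""
    n = len(seq)
    # rotate so the period starts at a run boundary (seq[i] differs from its predecessor)
    start = next((i for i in range(n) if seq[i] != seq[i - 1]), 0)
    rotated = seq[start:] + seq[:start]
    runs = []
    for bit in rotated:
        if runs and runs[-1][0] == bit:
            runs[-1] = (bit, runs[-1][1] + 1)
        else:
            runs.append((bit, 1))
    return runs


def run_histogram(seq):
    """G2 data: {run length: (number of blocks, number of gaps)}."""
    hist = {}
    for bit, length in cyclic_runs(seq):
        blocks, gaps = hist.get(length, (0, 0))
        hist[length] = (blocks + 1, gaps) if bit == 1 else (blocks, gaps + 1)
    return hist


def g2_holds(seq):
    """Half of the runs have length 1, a quarter length 2, ... for every length
    whose expected count is at least 2, with as many blocks as gaps of each length."""
    total = len(cyclic_runs(seq))
    hist = run_histogram(seq)
    length = 1
    while total // (2 ** length) >= 2:
        blocks, gaps = hist.get(length, (0, 0))
        if blocks != gaps or blocks + gaps != total // (2 ** length):
            return False
        length += 1
    return True


def coincidences(seq, k):
    """(A, D): positions where the period agrees / disagrees with itself shifted by k."""
    t = len(seq)
    a = sum(1 for i in range(t) if seq[i] == seq[(i + k) % t])
    return a, t - a


def autocorrelation(seq, k):
    """AC(k) = (A - D) / T (assumed definition, see the lead-in)."""
    a, d = coincidences(seq, k)
    return Fraction(a - d, len(seq))


def golomb_report(seq):
    """Verdict on the three postulates plus the set of out-of-phase AC values."""
    out_of_phase = {autocorrelation(seq, k) for k in range(1, len(seq))}
    return {
        "G1": balance(seq) <= 1,
        "G2": g2_holds(seq),
        "G3": len(out_of_phase) == 1,      # the same value for every shift k != 0
        "AC_out_of_phase": out_of_phase,
    }


if __name__ == "__main__":
    print(golomb_report(M_SEQUENCE))
    print(run_histogram(M_SEQUENCE))
    print(coincidences(SLIDE13_SEQ, 4), autocorrelation(SLIDE13_SEQ, 4))
```

For the m-sequence the report says that all three postulates hold and that AC(k) = −1/15 for every k ≠ 0; the run histogram shows the two blocks and two gaps of length 1, one block and one gap of length 2, one gap of length 3 and one block of length 4 that G2 predicts for a period of 15.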
Slide 20: The running key
Unpredictability:
– Given a part of the sequence of any length, a cryptanalyst cannot predict the next digit with a probability of success greater than 0.5
– A measure of unpredictability: linear complexity

Slide 21: The running key
PN sequence generators:
– Generators based on linear congruences
– Generators based on feedback shift registers: linear feedback shift registers (LFSRs) and non-linear feedback shift registers
– etc.

Slide 22: Linear congruences
– The recurrence of the type: …
– The parameters a, b and m can be used as the secret key
– X_0 is the seed that initialises the process

Slide 23: Linear congruences
If the parameters a, b and m are chosen in an appropriate way, the numbers X_i do not repeat until they have covered the whole segment [0, m − 1].
Example: …

Slide 24: Linear congruences
Security of the generator: bad
– Given a sufficiently long portion of the sequence, it is possible to deduce the parameters m, a and b, i.e. the key
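The condition under which the sequence covers the whole segment [0, m − 1] before repeating is the Hull–Dobell theorem. The following added example (not from the slides) assumes the standard linear congruential recurrence X_{i+1} = (a·X_i + b) mod m, which the slides' own formula does not spell out, and compares the theorem's verdict with the number of distinct values actually produced from a seed; the parameter sets are constructed for illustration.

```python
from math import gcd


def lcg(a, b, m, x0, count):
    """First `count` terms of X_{i+1} = (a*X_i + b) mod m from the seed X_0 (assumed form of the recurrence)."""
    xs, x = [], x0
    for _ in range(count):
        xs.append(x)
        x = (a * x + b) % m
    return xs


def prime_factors(n):
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def has_full_period(a, b, m):
    """Hull-Dobell theorem: every residue in [0, m-1] is visited before the first
    repeat (for every seed) iff gcd(b, m) = 1, every prime factor of m divides a - 1,
    and a - 1 is a multiple of 4 whenever m is."""
    return (gcd(b, m) == 1
            and all((a - 1) % p == 0 for p in prime_factors(m))
            and (m % 4 != 0 or (a - 1) % 4 == 0))


def distinct_before_repeat(a, b, m, x0):
    """How many different values the generator emits from X_0 before a value recurs."""
    seen, x = set(), x0
    while x not in seen:
        seen.add(x)
        x = (a * x + b) % m
    return len(seen)


if __name__ == "__main__":
    # constructed parameter sets: the first satisfies Hull-Dobell, the other two do not
    for a, b, m in ((5, 3, 16), (2, 3, 16), (3, 1, 8)):
        print(a, b, m, has_full_period(a, b, m), distinct_before_repeat(a, b, m, 0), lcg(a, b, m, 0, m))
```

With a = 5, b = 3, m = 16 all sixteen residues appear before the seed returns; with a = 2 the sequence from seed 0 collapses onto the fixed point 13 after five distinct values, and with a = 3, m = 8 only four values are visited because a − 1 = 2 is not a multiple of 4. Full period says nothing about security: the next slide's point stands whichever parameters are chosen, because the recurrence is linear.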
Slide 25: Feedback shift registers
A feedback shift register (FSR) consists of:
– n flip-flops (stages)
– A feedback function, which expresses each new element of the output sequence as a function of the n previous elements
The contents of the flip-flops are shifted one position at every clock pulse.

Slide 26: Feedback shift registers
(figure only)

Slide 27: Feedback shift registers
– The state of the register: the contents of the stages between two clock pulses
– The initial state: the contents of the stages at the moment the process begins

Slide 28: Feedback shift registers
The state diagram of an FSR is cyclic if the feedback function is non-singular, i.e. it has the form: …

Slide 29: Feedback shift registers
– The period of the produced sequence depends on the number of stages n and on the characteristics of the function g
– The maximum possible period is 2^n
– The key: the initial contents of the FSR
– The feedback function can also be kept secret

Slide 30: Feedback shift registers
Example 1: n = 3. Truth table of g (columns x1 x2 x3 | g):
0 0 0 | 0
0 0 1 | 0
0 1 0 | 0
0 1 1 | 0
1 0 0 | 0
1 0 1 | 1
1 1 0 | 1
1 1 1 | 0

Slide 31: Feedback shift registers
Example 1: algebraic normal form of the function g: …

Slide 32: Feedback shift registers
Example 1: the De Bruijn graph is singular

Slide 33: Feedback shift registers
Example 2: n = 3. Truth table of g (columns x1 x2 x3 | g):
0 0 0 | 0
0 0 1 | 1
0 1 0 | 0
0 1 1 | 1
1 0 0 | 0
1 0 1 | 1
1 1 0 | 1
1 1 1 | 0

Slide 34: Feedback shift registers
Example 2: algebraic normal form of the function g: …

Slide 35: Feedback shift registers
Example 2: the De Bruijn graph is non-singular

Slide 36: Feedback shift registers
Problems with non-linear FSRs:
– A systematic method for their analysis and manipulation does not exist; the mathematical theory is not well developed
– The sequences generated by non-linear FSRs with period 2^n (De Bruijn sequences) do not satisfy Golomb's postulate G3
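The two truth tables above can be turned into state diagrams directly. The following added example (not part of the slides) encodes both tables, clocks the register in the direction that reproduces the state sequences on slide 40 (the new bit enters at x1 and the contents shift one place right, so x3 is the stage that leaves), tests whether the feedback function is non-singular, and lists the cycle lengths. The non-singularity test used here is the standard one: the state map is a bijection exactly when flipping the departing stage always flips g, i.e. when g has the form x3 ⊕ h(x1, x2).

```python
from itertools import product

# Truth tables from slides 30 and 33, keyed by (x1, x2, x3).
G_EXAMPLE1 = {(0, 0, 0): 0, (0, 0, 1): 0, (0, 1, 0): 0, (0, 1, 1): 0,
              (1, 0, 0): 0, (1, 0, 1): 1, (1, 1, 0): 1, (1, 1, 1): 0}
G_EXAMPLE2 = {(0, 0, 0): 0, (0, 0, 1): 1, (0, 1, 0): 0, (0, 1, 1): 1,
              (1, 0, 0): 0, (1, 0, 1): 1, (1, 1, 0): 1, (1, 1, 1): 0}


def next_state(state, g):
    """One clock pulse: g(state) enters at stage 1, everything shifts right, the last stage leaves."""
    return (g[state],) + state[:-1]


def is_non_singular(g, n):
    """Bijective state map <=> g(x1..xn) = xn XOR h(x1..x_{n-1}):
    changing only the departing stage must always change g."""
    return all(g[x[:-1] + (0,)] != g[x[:-1] + (1,)]
               for x in product((0, 1), repeat=n))


def preimage_counts(g, n):
    """How many states lead into each state; a singular map has states with 0 and with 2 predecessors."""
    counts = {s: 0 for s in product((0, 1), repeat=n)}
    for s in counts:
        counts[next_state(s, g)] += 1
    return counts


def cycle_lengths(g, n):
    """Sorted lengths of the cycles of the state diagram (tails leading into a
    cycle are not cycles and are not counted)."""
    on_cycle, lengths = set(), []
    for s in product((0, 1), repeat=n):
        seen, cur = [], s
        while cur not in seen and cur not in on_cycle:
            seen.append(cur)
            cur = next_state(cur, g)
        if cur in on_cycle:
            continue                      # ran into a cycle already counted
        cycle = seen[seen.index(cur):]
        on_cycle.update(cycle)
        lengths.append(len(cycle))
    return sorted(lengths)


if __name__ == "__main__":
    for name, g in (("Example 1", G_EXAMPLE1), ("Example 2", G_EXAMPLE2)):
        print(name, "non-singular:", is_non_singular(g, 3),
              "cycles:", cycle_lengths(g, 3),
              "max predecessors:", max(preimage_counts(g, 3).values()))
```

Example 1 (g = x1x2 ⊕ x1x3 in ANF) is singular: every state eventually falls into the all-zero fixed point, so the only cycle has length 1. Example 2 (g = x3 ⊕ x1x2) is non-singular: the eight states split into cycles of lengths 1, 3 and 4, every state has exactly one predecessor, and no cycle reaches the maximum 2^n = 8.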
Slide 37: Linear feedback shift registers
– The most important devices for the generation of pseudorandom sequences
– Their feedback function is a linear recurrence: they produce linear recurring sequences of order n

Slide 38: Linear feedback shift registers
– To avoid the null sequence, the initial state must be different from the all-zero state
– The largest number of different states is 2^n − 1

Slide 39: Linear feedback shift registers
It is possible to associate a characteristic (feedback) polynomial with every linear recurrence.

Slide 40: Linear feedback shift registers
Example: an LFSR of length 4.
Generated sequence: 1 1 1 0 1 0 1 ……
Successive states, starting from the initial state 1000:
1000 → 1100 → 1110 → 1111 → 0111 → 1011 → 0101 → 1010 → …
Feedback polynomial: …
Linear recurrence: …

Slide 41: Linear feedback shift registers
The characteristics of the output sequence of the LFSR depend on the characteristics of the feedback polynomial. The feedback polynomial can be:
– reducible
– irreducible
– primitive

Slide 42: Linear feedback shift registers
Example 1: reducible feedback polynomial. State cycles:
0001 → 1000 → 0100 → 1010 → 0101 → 0010 → (0001)
0000
0110 → 1011 → 1101 → (0110)
0011 → 1001 → 1100 → 1110 → 1111 → 0111 → (0011)

Slide 43: Linear feedback shift registers
LFSRs with a reducible feedback polynomial:
– The length of the output sequence depends on the initial state
– Not adequate for use in cryptography

Slide 44: Linear feedback shift registers
Example 2: irreducible feedback polynomial. State cycles:
0001 → 1000 → 1100 → 0110 → 0011 → (0001)
0000
0010 → 1001 → 0100 → 1010 → 0101 → (0010)
1111 → 0111 → 1011 → 1101 → 1110 → (1111)

Slide 45: Linear feedback shift registers
LFSRs with an irreducible feedback polynomial:
– The length of the output sequence does not depend on the initial state (except the all-zero state)
– The period T is a factor of …, where L is the length of the LFSR
– Not adequate for use in cryptography

Slide 46: Linear feedback shift registers
Example 3: primitive feedback polynomial. State cycles:
0000
1000 → 1100 → 1110 → 1111 → 0111 → 1011 → 0101 → 1010 → 1101 → 0110 → 0011 → 1001 → 0100 → 0010 → 0001 → (1000)
PN-sequence (m-sequence): the maximum possible period for this type of generator.
Output sequence: 111010110010001 …

Slide 47: Linear feedback shift registers
LFSRs with a primitive feedback polynomial:
– The length of the sequence does not depend on the initial state (except the all-zero state)
– The period is …
– Adequate for use in cryptography, because the output sequence satisfies all of Golomb's postulates
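The three state diagrams above can be regenerated and compared. The following added example (not from the slides) implements the length-4 LFSR in the convention of slide 40 (the feedback bit is the XOR of the tapped stages, enters at stage 1, shifts everything right and is also the output bit). The feedback polynomials themselves are missing from the slides, so the tap sets below are assumptions reconstructed from the state tables: 1 + x^2 + x^4 for example 1, 1 + x + x^2 + x^3 + x^4 for example 2 and 1 + x + x^4 for example 3; the code verifies that they reproduce the listed state cycles and the output sequence 111010110010001.

```python
from itertools import product

LENGTH = 4
# Tap sets (stage numbers whose XOR is the feedback bit); assumed, see lead-in.
REDUCIBLE = (2, 4)          # 1 + x^2 + x^4 = (1 + x + x^2)^2
IRREDUCIBLE = (1, 2, 3, 4)  # 1 + x + x^2 + x^3 + x^4: irreducible, not primitive
PRIMITIVE = (1, 4)          # 1 + x + x^4: primitive


def lfsr_step(state, taps):
    """state = (s1, ..., sL).  Returns (next state, output bit)."""
    feedback = 0
    for t in taps:
        feedback ^= state[t - 1]
    return (feedback,) + state[:-1], feedback


def lfsr_sequence(taps, init, n):
    """First n output bits from the initial state `init`."""
    out, state = [], tuple(init)
    for _ in range(n):
        state, bit = lfsr_step(state, taps)
        out.append(bit)
    return out


def state_trajectory(taps, init, n):
    """The first n states visited, starting with the initial state."""
    states, state = [tuple(init)], tuple(init)
    for _ in range(n - 1):
        state, _ = lfsr_step(state, taps)
        states.append(state)
    return states


def period_from(taps, init):
    """Clock pulses until the initial state reappears (always finite: the map is a bijection)."""
    init = tuple(init)
    state, _ = lfsr_step(init, taps)
    t = 1
    while state != init:
        state, _ = lfsr_step(state, taps)
        t += 1
    return t


def cycle_structure(taps, length):
    """Sorted lengths of all state cycles; the all-zero state always forms a cycle of length 1."""
    seen, cycles = set(), []
    for s in product((0, 1), repeat=length):
        if s in seen:
            continue
        cur, size = s, 0
        while cur not in seen:      # a bijection returns to s without touching other cycles
            seen.add(cur)
            size += 1
            cur, _ = lfsr_step(cur, taps)
        cycles.append(size)
    return sorted(cycles)


if __name__ == "__main__":
    for name, taps in (("reducible", REDUCIBLE), ("irreducible", IRREDUCIBLE), ("primitive", PRIMITIVE)):
        print(name, taps, "cycles:", cycle_structure(taps, LENGTH))
    print("".join(map(str, lfsr_sequence(PRIMITIVE, (1, 0, 0, 0), 15))))
```

The reducible polynomial gives cycles of lengths 1, 3, 6 and 6, so the period depends on the initial state; the irreducible one gives 1, 5, 5, 5, the same period 5 for every non-zero state but far below the maximum; the primitive one gives a single cycle through all 2^4 − 1 = 15 non-zero states, which is the m-sequence of slide 46.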
Slide 48: Linear feedback shift registers
Linear complexity:
– The length of the smallest LFSR capable of generating the given sequence
– The Berlekamp-Massey algorithm (1969):
  – Input: the given binary sequence
  – Output: … and the initial state

Slide 49: Linear feedback shift registers
The Berlekamp-Massey algorithm:
– Input to one step: n digits of a sequence
– Determines the characteristics of the minimum LFSR capable of generating them
– If digit n + 1 of the sequence can be generated by the current LFSR, the length of the current LFSR is preserved
– Otherwise, a longer LFSR is needed

Slide 50: Linear feedback shift registers
The Berlekamp-Massey algorithm:
– Its computational complexity is quadratic in the length of the minimum LFSR capable of generating the intercepted sequence
– Thus, if the linear complexity is very high, the task of predicting the next bits of the sequence is too complex

Slide 51: Linear feedback shift registers
The Berlekamp-Massey algorithm:
– Therefore, in order to prevent the cryptanalysis of a pseudorandom sequence generator, we must design it in such a way that its linear complexity is too high for the Berlekamp-Massey algorithm to be applied
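The step-by-step behaviour described on slide 49 is visible in a linear complexity profile. The following added example (not from the slides) implements the Berlekamp-Massey algorithm over GF(2), returns the linear complexity together with the connection polynomial (which is the feedback polynomial of the minimal LFSR), records the complexity after each digit, and uses the recovered LFSR to produce the digit that follows the intercepted prefix. The input is the m-sequence from slide 46, constructed here by repeating its period.

```python
M_SEQ = [int(b) for b in "111010110010001"]     # one period of the slide 46 m-sequence


def berlekamp_massey(seq):
    """Return (L, C): L is the linear complexity of seq and C = [1, c1, ..., cL]
    the connection polynomial, i.e. s_t = c1*s_{t-1} XOR ... XOR cL*s_{t-L} for t >= L."""
    n = len(seq)
    c = [1] + [0] * n      # current connection polynomial
    b = [1] + [0] * n      # polynomial in force before the last length change
    L, m = 0, -1           # current length, index of the last length change
    for i in range(n):
        # discrepancy: does the current LFSR produce digit i?
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d == 0:
            continue       # yes: keep the LFSR as it is
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:     # no LFSR of length L works: a longer one is needed
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def complexity_profile(seq):
    """Linear complexity of every prefix: it stays put while the current LFSR
    predicts the next digit and jumps when it does not."""
    return [berlekamp_massey(seq[:k])[0] for k in range(1, len(seq) + 1)]


def next_digit(seq):
    """Digit generated after seq by the minimal LFSR that Berlekamp-Massey recovers."""
    L, c = berlekamp_massey(seq)
    digit = 0
    for j in range(1, L + 1):
        digit ^= c[j] & seq[len(seq) - j]
    return digit


if __name__ == "__main__":
    intercepted = M_SEQ + M_SEQ[:10]
    print(berlekamp_massey(intercepted))       # (4, [1, 1, 0, 0, 1]) -> 1 + x + x^4
    print(complexity_profile(M_SEQ))
    print(next_digit(intercepted), "expected", M_SEQ[10])
```

For the m-sequence the complexity settles at 4 after seven digits and the connection polynomial [1, 1, 0, 0, 1] is exactly 1 + x + x^4, so 2·4 = 8 intercepted digits suffice to reproduce the whole period; that is the point of slide 51, and of every construction that follows.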
Slide 52: Pseudorandom generators with LFSRs
The goals:
– Preserve the good characteristics of the PN-sequences
– Increase the linear complexity
The key is the initial state. There are different families of generators.

Slide 53: Pseudorandom generators with LFSRs
Combinational generators:
– Non-linear filter: one LFSR; several stages of the LFSR are combined by a non-linear Boolean function
– Non-linear combiner: several LFSRs, whose outputs are combined by a non-linear Boolean function

Slide 54: Pseudorandom generators with LFSRs
Non-linear filter (figure only)

Slide 55: Pseudorandom generators with LFSRs
Non-linear combiner (figure only)

Slide 56: Pseudorandom generators with LFSRs
Algebraic normal form (ANF):
– It is the form of a Boolean function that uses only the operations ⊕ (sum modulo 2) and · (product)
– In the ANF, the number of variables in the product with the largest number of variables is called the non-linear order of the function
– Example: the non-linear order of the function f(x1, x2, x3) = x1 x2 x3 x1 x3 (operators missing) is 2

Slide 57: Pseudorandom generators with LFSRs
Non-linear filter:
– In general, it is difficult to calculate the value of the linear complexity of the resulting sequence
– However, under some special conditions, it is possible to estimate the linear complexity of the resulting sequence

Slide 58: Pseudorandom generators with LFSRs
Non-linear filter:
– Theorem (Rueppel, 1984): with an LFSR of length n and a filter function whose unique term of maximum order k in the ANF is a product of equidistant phases, the lower limit of the linear complexity of the resulting sequence is …

Slide 59: Pseudorandom generators with LFSRs
Non-linear filter: design principles
– The feedback polynomial: primitive
– The filter function must have several terms of each order k ≤ n/2
– Include a linear term in order to obtain good statistical properties of the resulting sequence (balanced filter function)

Slide 60: Pseudorandom generators with LFSRs
Non-linear combiners: two cryptographic principles by Shannon
– Confusion: we must use complicated transformations; as many bits of the key as possible should be involved in obtaining a single bit of the keystream sequence (and of the ciphertext)
– Diffusion: every bit of the key must affect many bits of the keystream sequence (and of the ciphertext)

Slide 61: Pseudorandom generators with LFSRs
Non-linear combiners: possible flaws (considered at design time)
– Bad statistical properties, e.g. too many zeros/ones in the output sequence
– Correlation: the output sequence coincides too much with one or more internal sequences; this enables correlation attacks

Slide 62: Pseudorandom generators with LFSRs
Non-linear combiners: statistical properties
– The combining function must be balanced in order to get a sequence with good statistical properties at its output
– A Boolean function is balanced if it has an equal number of 0s and 1s in its truth table

Slide 63: Pseudorandom generators with LFSRs
Non-linear combiners: correlation
– It is possible to divide the task of the cryptanalyst into several less difficult tasks ("divide and conquer")
– In order to prevent algebraic and correlation attacks, the non-linear function of the combiner must have, at the same time:
  – as high a non-linear order as possible
  – as high a correlation immunity as possible
– These two requirements are opposed; we must find a trade-off between the two values

Slide 64: Pseudorandom generators with LFSRs
Non-linear combiners: correlation immunity
– A Boolean function is correlation immune of order m if its output sequence is not correlated with any linear combination of m or fewer input sequences
– But the higher the correlation immunity, the lower the non-linear order k
– Balanced correlation immune functions of order m are called m-resilient functions

Slide 65: Pseudorandom generators with LFSRs
Non-linear combiners: example
– The sum modulo 2 of N variables has the maximum possible value of correlation immunity, N − 1, but its non-linear order is 1

Slide 66: Pseudorandom generators with LFSRs
Non-linear combiners: example, the Geffe generator
– F is balanced, so the output has good statistical properties

Slide 67: Pseudorandom generators with LFSRs
Non-linear combiners: the Geffe generator
– Problem: correlation!

Slide 68: Pseudorandom generators with LFSRs
Non-linear combiners:
– Is there a way to find a Boolean memoryless combiner that guarantees a high level of correlation immunity?
– This is a difficult problem and there is no final answer
– However, some Boolean combiners are known to have a high level of correlation immunity
Slide 69: Pseudorandom generators with LFSRs
Non-linear combiners:
– One of the classes of such "good" functions: Latin squares
– A Latin square is an n × n array of integers in which each element appears exactly once in each row and in each column

Slide 70: Pseudorandom generators with LFSRs
Non-linear combiners:
– Basic property of Latin squares: if we exchange two rows (or two columns) of a Latin square, the result is also a Latin square
– This gives rise to a construction: we start from the addition table of the additive group with n elements and exchange some rows and columns of the table several times

Slide 71: Pseudorandom generators with LFSRs
Example: a Latin square of order 4
3 2 0 1
1 0 2 3
0 3 1 2
2 1 3 0

Slide 72: Pseudorandom generators with LFSRs
Non-linear combiners:
– A Latin square of dimension n as a family of log2 n Boolean functions (a vectorial Boolean function with log2 n outputs): there are 2 address branches of log2 n bits each, and the output has log2 n bits

Slide 73: Pseudorandom generators with LFSRs
Non-linear combiners: example (see the previous example)
– The address is 0110 (the two most significant bits address the row)
– The output is 10

Slide 74: Pseudorandom generators with LFSRs
Non-linear combiners: basic correlation-related property of Latin squares
– Each bit of the output is correlated only with linear combinations of inputs that are located in both address branches
– Consequence: there is no way of analysing the address branches individually, so no divide and conquer
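The construction of slide 70, the addressing of slides 72 and 73 and the correlation property of slide 74 can be checked on the order-4 square above. The following added example (not from the slides) builds a square from the Z_4 addition table by exchanging rows and columns, verifies the Latin property, evaluates the page's square at address 0110, and then computes the Walsh spectrum of each output bit to confirm that every non-zero coefficient involves inputs from both address branches. The row/column exchanges chosen and the non-Latin counterexample are constructed for illustration; the Walsh transform is the standard one, not the slides' notation.

```python
def addition_table(n):
    """Cayley table of the additive group Z_n: the starting Latin square of slide 70."""
    return [[(r + c) % n for c in range(n)] for r in range(n)]


def is_latin(square):
    n = len(square)
    symbols = set(range(n))
    return (all(set(row) == symbols for row in square)
            and all({square[r][c] for r in range(n)} == symbols for c in range(n)))


def swap_rows(square, i, j):
    out = [row[:] for row in square]
    out[i], out[j] = out[j], out[i]
    return out


def swap_columns(square, i, j):
    out = [row[:] for row in square]
    for row in out:
        row[i], row[j] = row[j], row[i]
    return out


def build_square():
    """Slide 70's construction with two constructed exchanges."""
    return swap_columns(swap_rows(addition_table(4), 0, 3), 1, 2)


# The order-4 Latin square from slide 71 (rows top to bottom).
SLIDE_SQUARE = [[3, 2, 0, 1], [1, 0, 2, 3], [0, 3, 1, 2], [2, 1, 3, 0]]

# Constructed counterexample: every row constant, so it is not Latin.
NOT_LATIN = [[r] * 4 for r in range(4)]


def bits_to_int(bits):
    return int("".join(str(b) for b in bits), 2)


def combine(square, row_bits, col_bits):
    """Vectorial Boolean function of slide 72: the two address branches select a
    row and a column, the entry written in log2(n) bits is the output."""
    k = len(row_bits)
    entry = square[bits_to_int(row_bits)][bits_to_int(col_bits)]
    return tuple((entry >> (k - 1 - i)) & 1 for i in range(k))


def walsh(f, nbits, a):
    """W_f(a) = sum over x of (-1)^(f(x) XOR a.x); non-zero means f is correlated with a.x."""
    return sum((-1) ** (f(x) ^ (bin(a & x).count("1") & 1)) for x in range(1 << nbits))


def correlations_span_both_branches(square):
    """Slide 74's property: for every output bit, every mask a with W != 0 must
    select inputs from both address branches.  The input x is the 2k-bit integer
    row_bits || col_bits."""
    n = len(square)
    k = n.bit_length() - 1
    col_mask = (1 << k) - 1
    row_mask = col_mask << k
    for bit in range(k):
        f = lambda x, bit=bit: (square[x >> k][x & col_mask] >> (k - 1 - bit)) & 1
        for a in range(1 << (2 * k)):
            if walsh(f, 2 * k, a) != 0 and not (a & row_mask and a & col_mask):
                return False
    return True


if __name__ == "__main__":
    print(build_square(), is_latin(build_square()))
    print(combine(SLIDE_SQUARE, (0, 1), (1, 0)))          # address 0110 -> output 10
    print(correlations_span_both_branches(SLIDE_SQUARE), correlations_span_both_branches(NOT_LATIN))
```

Because every row and every column of a Latin square is a permutation of the symbols, each output bit is balanced within any single row or column, so its Walsh coefficient vanishes for every mask confined to one branch; that is why the check succeeds for the page's square and for the plain addition table, and fails for the constant-row array, whose output bits are functions of the row branch alone.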
Slide 75: Pseudorandom generators with LFSRs
(figure only)

Slide 76: Pseudorandom generators with LFSRs
Decimation of sequences:
– The principal characteristic: the output sequence of one subgenerator controls the clock sequence of one or more other subgenerators

Slide 77: Pseudorandom generators with LFSRs
Decimation of sequences: the Binary Rate Multiplier (BRM) (figure only)

Slide 78: Pseudorandom generators with LFSRs
Decimation of sequences: the Binary Rate Multiplier (BRM)
Example 1:
X = 1,1,0,1,0,1,0,1
Y = 0,1,0,0,1
Z = 1,0,1,0,0
Example 2: X and Y are generated by LFSRs and the BRM is applied (figure: Y; X without decimation; Z with decimation)

Slide 79: Pseudorandom generators with LFSRs
Decimation of sequences: the Binary Rate Multiplier (BRM)
Theorem (Chambers, Jennings, 1984):
– R1, R2: primitive polynomials of degrees m and n, respectively
– Periods M = 2^m − 1 and N = 2^n − 1
– All the prime factors of M divide N
– Then: the linear complexity is nM and the period is NM (as in the example on the next slide)

Slide 80: Pseudorandom generators with LFSRs
Decimation of sequences: the Binary Rate Multiplier (BRM)
– The requirements of the theorem are satisfied if the lengths of both LFSRs are equal and the feedback polynomials are primitive
– Example: n = m = 107, primitive polynomials
  LC = nM = 107·(2^107 − 1)
  Per = NM = (2^107 − 1)(2^107 − 1)

Slide 81: Pseudorandom generators with LFSRs
Decimation of sequences: the Shrinking Generator (1993)
– A very simple binary sequence generator
– It consists of two LFSRs: based on the decimation rule P, LFSR1 (the control register) decimates the sequence generated by LFSR2
– Figure: both LFSRs share the clock; the output of LFSR1 feeds the rule P, which decides whether the current output of LFSR2 is kept

Slide 82: Pseudorandom generators with LFSRs
Decimation of sequences: the Shrinking Generator, operation
– If a_i = 0, b_i is discarded; otherwise b_i is sent to the output
– Thus the number of bits discarded from the sequence b depends on the lengths of the runs of 0s in the sequence a

Slide 83: Pseudorandom generators with LFSRs
Decimation of sequences: the Shrinking Generator, example
– LFSR1: L1 = 3, f1(x) = 1 + x^2 + x^3, IS1 = (1,0,0)
– LFSR2: L2 = 4, f2(x) = 1 + x + x^4, IS2 = (1,0,0,0)
– Decimation rule P:
  {a_i} = 0 1 1 1 0 0 1 0 1 1 1 0 0 1 …
  {b_i} = 1 1 1 0 1 0 1 1 0 0 1 0 0 0 …
  {c_j} = 1 1 0 1 0 0 1 0 …

Slide 84: Pseudorandom generators with LFSRs
Decimation of sequences: the Shrinking Generator, characteristics of the output sequence
– Period: …
– Linear complexity: …

Slide 85: Pseudorandom generators with LFSRs
Decimation of sequences: the Shrinking Generator, BRM vs. shrinking
BRM:
X = 000100110101111…
Y = 001110100111010…
Z = 0010100111…
Shrinking:
X = 000100110101111…
Y = 001110100111010…
Z = 01011011
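Both decimation rules can be reproduced from the examples on slides 78, 83 and 85. The following added example (not from the slides) generates the two LFSR sequences of slide 83 from the stated polynomials and initial states, applies the shrinking rule P, and applies the BRM rule; the BRM rule is reconstructed from the slide 78 and slide 85 data as "at every step the decimated generator is clocked once, plus once more when the control bit is 1, and the bit then showing is output", which is an assumption that the tests below confirm against all three slide examples. The polynomial convention (taps are the exponents of the non-constant terms, so 1 + x + x^4 gives z_t = z_{t−1} ⊕ z_{t−4}, with the initial state holding z_{−1}, …, z_{−L}) is the one that reproduces the printed sequences.

```python
def lfsr(taps, init, n):
    """n bits of z_t = XOR of z_{t-i} over i in taps; init = (z_{-1}, ..., z_{-L})."""
    hist = list(init)            # hist[i-1] holds z_{t-i}
    out = []
    for _ in range(n):
        z = 0
        for i in taps:
            z ^= hist[i - 1]
        out.append(z)
        hist = [z] + hist[:-1]
    return out


def shrink(a, b):
    """Shrinking generator (slide 82): b_i is kept iff the control bit a_i is 1."""
    return [bi for ai, bi in zip(a, b) if ai == 1]


def brm(x, y):
    """Binary Rate Multiplier as reconstructed from slides 78 and 85 (assumption):
    at step j the X generator advances 1 + y_j positions and the bit reached is output,
    i.e. z_j = x[j + (y_0 + ... + y_j)].  Stops when X is exhausted."""
    out, idx = [], -1
    for yj in y:
        idx += 1 + yj
        if idx >= len(x):
            break
        out.append(x[idx])
    return out


def minimal_period(seq):
    """Smallest p such that seq[i] == seq[i+p] throughout (len(seq) if none)."""
    n = len(seq)
    for p in range(1, n):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return n


def bits(s):
    return [int(ch) for ch in s]


def slide83_sequences(n=14):
    """a from LFSR1 (1 + x^2 + x^3, IS 100), b from LFSR2 (1 + x + x^4, IS 1000), c = P(a, b)."""
    a = lfsr((2, 3), (1, 0, 0), n)
    b = lfsr((1, 4), (1, 0, 0, 0), n)
    return a, b, shrink(a, b)


def slide83_output_period():
    """Period of the shrunken sequence, measured on a long prefix; the known value
    (2^L2 - 1) * 2^(L1 - 1) = 15 * 4 = 60 for L1 = 3, L2 = 4 with gcd(7, 15) = 1."""
    a = lfsr((2, 3), (1, 0, 0), 1200)
    b = lfsr((1, 4), (1, 0, 0, 0), 1200)
    return minimal_period(shrink(a, b)[:300])


if __name__ == "__main__":
    a, b, c = slide83_sequences()
    print("a =", a, "\nb =", b, "\nc =", c)
    print("BRM slide 78:", brm([1, 1, 0, 1, 0, 1, 0, 1], [0, 1, 0, 0, 1]))
    x85, y85 = bits("000100110101111"), bits("001110100111010")
    print("BRM slide 85:", brm(x85, y85), " shrinking slide 85:", shrink(y85, x85))
    print("shrunken period:", slide83_output_period())
```

On slide 85 the same control sequence Y drives both rules: the BRM keeps the output rate (one bit per step, skipping ahead in X whenever Y is 1), whereas the shrinking generator emits only as many bits as Y has ones, which is where its irregular output rate, and its resistance to the linear analysis of slide 51, comes from.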