Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream."— Presentation transcript:

1 Stream Ciphers 1 Stream Ciphers

2 Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream cipher is initialized with short key  Key is “stretched” into long keystream  Keystream is used like a one-time pad o XOR to encrypt or decrypt  Stream cipher is a keystream generator  Usually, keystream is bits, sometimes bytes

3 Stream Ciphers 3 Stream Cipher  Generic view of stream cipher

4 Stream Ciphers 4 Stream Cipher  We consider 3 real stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong cipher, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — intermediate strength, unusual mathematical design, generates 1 byte/step  But first, we discuss shift registers

5 Stream Ciphers 5 Shift Registers  Traditionally, stream ciphers were based on shift registers o Today, a wider variety of designs  Shift register includes o A series of stages each holding one bit o A feedback function  A linear feedback shift register (LFSR) has a linear feedback function

6 Stream Ciphers 6  Example (nonlinear) feedback function f(x i, x i+1, x i+2 ) = 1  x i  x i+2  x i+1 x i+2  Example (nonlinear) shift register  First 3 bits are initial fill: (x 0, x 1, x 2 ) Shift Register

7 Stream Ciphers 7 LFSR  Example of LFSR  Then x i+5 = x i  x i+2 for all i  If initial fill is (x 0,x 1,x 2,x 3,x 4 ) = 01110 then (x 0,x 1,…,x 15,…) = 0111010100001001…

8 Stream Ciphers 8 LFSR  For LFSR  We have x i+5 = x i  x i+2 for all i  Linear feedback functions often written in polynomial form: x 5 + x 2 + 1  Connection polynomial of the LFSR

9 Stream Ciphers 9 Berlekamp-Massey Algorithm  Given (part of) a (periodic) sequence, can find shortest LFSR that could generate the sequence  Berlekamp-Massey algorithm o Order N 2, where N is length of LFSR o Iterative algorithm o Only 2N consecutive bits required

10 Stream Ciphers 10 Berlekamp-Massey Algorithm  Binary sequence: s = (s 0,s 1,s 2,…,s n-1 )  Linear complexity of s is the length of shortest LFSR that can generate s  Let L be linear complexity of s  Then connection polynomial of s is of form C(x) = c 0 + c 1 x + c 2 x 2 + … + c L x L  Berlekamp-Massey finds L and C(x) o Algorithm on next slide (where d is known as the discrepancy)

11 Stream Ciphers 11 Berlekamp-Massey Algorithm

12 Stream Ciphers 12 Berlekamp-Massey Algorithm  Example:

13 Stream Ciphers 13 Berlekamp-Massey Algorithm  Berlekamp-Massey is efficient way to determine minimal LFSR for sequence  With known plaintext, keystream bits of stream cipher are exposed  With enough keystream bits, can use Berlekamp-Massey to find entire keystream o 2 L bits is enough, where L is linear complexity of the keystream  Keystream must have large linear complexity

14 Stream Ciphers 14 Cryptographically Strong Sequences  A sequence is cryptographically strong if it is a “good” keystream o “Good” relative to some specified criteria  Crypto strong sequence must be unpredictable o Known plaintext exposes part of keystream o Trudy must not be able to determine more of the keystream from a short segment  Small linear complexity implies predictable o Due to Berlekamp-Massey algorithm

15 Stream Ciphers 15 Crypto Strong Sequences  Necessary for a cryptographically strong keystream to have a high linear complexity  But not sufficient!  Why? Consider s = (s 0,s 1,…,s n-1 ) = 00…01  Then s has linear complexity n o Smallest shift register for s requires n stages o Largest possible for sequence of period n o But s is not cryptographically strong  Linear complexity “concentrated” in last bit

16 Stream Ciphers 16 Linear Complexity Profile  Linear complexity profile is a better measure of cryptographic strength  Plot linear complexity as function of bits processed in Berlekamp-Massey algorithm o Should follow n/2 line “closely but irregularly”  Plot of sequence s = (s 0,s 1,…,s n-1 ) = 00…01 would be 0 until last bit, then jumps to n o Does not follow n/2 line “closely but irregularly” o Not a strong sequence (by this definition)

17 Stream Ciphers 17 Linear Complexity Profile  A “good” linear complexity profile

18 Stream Ciphers 18 k-error Linear Complexity Profile  Alternative way to measure cryptographically strong sequences  Consider again s = (s 0,s 1,…,s n-1 ) = 00…01  This s has max linear complexity, but it is only 1 bit away from having min linear complexity  k -error linear complexity is min complexity of any sequence that is “distance” k from s  1-error linear complexity of s = 00…01 is 0 o Linear complexity of this sequence is “unstable”

19 Stream Ciphers 19 k-error Linear Complexity Profile  k -error linear complexity profile o k -error linear complexity as function of k  Example: o Not a strong s o Good profile should follow diagonal “closely”

20 Stream Ciphers 20 Crypto Strong Sequences  Linear complexity must be “large”  Linear complexity profile must n/2 line “closely but irregularly”  k -error linear complexity profile must follow diagonal line “closely”  All of this is necessary but not sufficient for crypto strength!

21 Stream Ciphers 21 Shift Register-Based Stream Ciphers  Two approaches to LFSR-based stream ciphers o One LFSR with nonlinear combining function o Multiple LFSRs combined via nonlinear func  In either case o Key is initial fill of LFSRs o Keystream is output of nonlinear combining function

22 Stream Ciphers 22 Shift Register-Based Stream Ciphers  LFSR-based stream cipher o 1 LFSR with nonlinear function f(x 0,x 1,…,x n-1 )  Keystream: k 0,k 1,k 2,…

23 Stream Ciphers 23 Shift Register-Based Stream Ciphers  LFSR-based stream cipher o Multiple LFSRs with nonlinear function  Keystream: k 0,k 1,k 2,…

24 Stream Ciphers 24 Shift Register-Based Stream Ciphers  Single LFSR example is special case of multiple LFSR example  To convert single LFSR case to multiple o Let LFSR 0,…LFSR n-1 be same as LFSR o Initial fill of LFSR 0 is initial fill of LFSR o Initial fill of LFSR 1 is initial fill of LFSR stepped once o And so on…

25 Stream Ciphers 25 Correlation Attack  Trudy obtains some segment of keystream from LFSR stream cipher o Of the type considered on previous slides  Can assume stream cipher is the multiple shift register case o If not, convert it to this case  By Kerckhoffs Principle, we assume shift registers and combining function known  Only unknown is the key o The key consists of LFSR initial fills

26 Stream Ciphers 26 Correlation Attack  Trudy wants to recover LFSR initial fills o She knows all connection polynomials and nonlinear combining function o She also knows N keystream bits, k 0,k 1,…,k N-1  Sometimes possible to determine initial fills of the LFSRs independently o By correlating each LFSR output to keystream o A classic divide and conquer attack

27 Stream Ciphers 27 Correlation Attack  For example, suppose keystream generator is of the form:  And f(x,y,z) = xy  yz  z  Note that key is 12 bits, initial fills

28 Stream Ciphers 28 Correlation Attack  For stream cipher on previous slide  Suppose initial fills are o X = 011, Y = 0101, Z = 11100 xixi 011100101110010111001011 yiyi 010110010001111010110010 zizi 111000110111010100001001 kiki 111100100110010110001011 bits i = 0,1,2,…23

29 Stream Ciphers 29 Correlation Attack  Consider truth table for combining function: f(x,y,z) = xy  yz  z  Easy to show that f(x,y,z) = x with probability 3/4 f(x,y,z) = z with probability 3/4  Trudy can use this to recover initial fills from known keystream

30 Stream Ciphers 30 Correlation Attack  Trudy sees keystream in table  Trudy wants to find initial fills  She guesses X = 111, generates first 24 bits of putative X, compares to k i kiki 111100100110010110001011 xixi 111001011100101110010111  Trudy finds 12 out of 24 matches  As expected in random case

31 Stream Ciphers 31 Correlation Attack  Now suppose Trudy guesses correct fill, X = 011  First 24 bits of X (and keystream) kiki 111100100110010110001011 xixi 011100101110010111001011  Trudy finds 21 out of 24 matches  Expect 3/4 matches in causal case  Trudy has found initial fill of X

32 Stream Ciphers 32 Correlation Attack  How much work is this attack? o The X,Y,Z fills are 3,4,5 bits, respectively  We need to try about half of the initial fills before we find X  Then we try about half of the fills for Y  Then about half of Z fills  Work is 2 2 + 2 3 + 2 4 < 2 5  Exhaustive key search work is 2 11

33 Stream Ciphers 33 Correlation Attack  Work factor in general…  Suppose n LFSRs o Of lengths N 0,N 1,…,N n-1  Correlation attack work is  Work for exhaustive key search is

34 Stream Ciphers 34 Conclusions  Keystreams must be cryptographically strong o Crucial property: unpredictable  Lots of theory available for LFSRs o Berlekamp-Massey algorithm o Nice mathematical theory exists  LFSRs can be used to make stream ciphers o LFSR-based stream ciphers must be correlation immune o Depends on properties of function f

35 Stream Ciphers 35 Coming Attractions  Consider attacks on 3 stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — medium strength, unusual design, generates 1 byte/step

Download ppt "Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream."

Similar presentations

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Cryptography, Attacks and Countermeasures Lecture 3 - Stream Ciphers

Cryptography, Attacks and Countermeasures Lecture 3 - Stream Ciphers
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.

AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.

LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.

Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Session 2: Secret key cryptography – stream ciphers – part 2.

Session 2: Secret key cryptography – stream ciphers – part 2.
Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.

Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Stream Ciphers.

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Stream Ciphers.
Session 2 Symmetric ciphers 1. Stream cipher definition Recall the Vernam cipher: Plaintext 000110111101101 Ciphertext 110000101000110 (Running) key 110110010101011.

Session 2 Symmetric ciphers 1. Stream cipher definition Recall the Vernam cipher: Plaintext Ciphertext (Running) key

Similar presentations

Ads by Google