stream cipher

1 © Information Security Group, ICU

Stream Cipher

Introduction

Pseudorandomness

LFSR

Design

Refer to “Handbook of Applied Cryptography” [Ch 5 & 6]

2 © Information Security Group, ICU

Stream CipherIntroduction

• Originate from one-time pad

• bit-by-bit Exor with pt and key stream (ci = mi zi)

• Encryption = Decryption --> Symmetric• Use LFSR (Linear Feedback Shift Register) • (external) Synchronous or self-synchronous

Properties• Faster and Low Complexity in H/W• Security measure : Period of key stream,

LC(Linear Complexity), Statistical properties• Vast amounts of theoretical knowledge• Proprietary and Confidential for Military

3 © Information Security Group, ICU

Sequence

Def) s=s0,s1,… : infinite seq.,

sn=s0,s1,…,sn-1: n term of s

if si = si+n for all i >=0, s is periodic seq. having period n.run : subsequence of consecutive ‘0’(gap)

or consecutive ‘1’(block)

4 © Information Security Group, ICU

PseudorandomnessPseudorandomness

5 © Information Security Group, ICU

Golomb’s postulates(I)

sN : periodic seq. of period N

(1) For a cycle of sN, 0~1 balanceness, i.e,

| #{si=1} - #{sj=0} | =<1

(2) For a cycle of sN, half the runs have length 1, 1/4 have the length 2, …, etc.

(3) Autocorrelation* function is two-valued

11if,

0if,1)- 2()12()(

1

0 NtK

tNsstCN ti

N

ii

* Measuring similarity between original and t-shifted sequences** A sequence satisfying them is called Pseudo-Noise(PN) sequence.

6 © Information Security Group, ICU

Golomb’s postulates(II)

(Ex) s15 = 0,1,1,0,0,1,0,0,0,1,1,1,1,0,1

(1) #{0} = 7, #{1}=8 (why ?)

(2) 8 runs, 4 runs with length 1 (2 gaps, 2 blocks), 2 runs with length 2 (1 gap, 1 block), 1 run with length 3 (1 gap), 1 run with length 4 (1 block)

(3) Autocorrelation function, C(0)=1, C(t)= -1/15

Thus, PN-seq.

7 © Information Security Group, ICU

Statistical Randomness

Five Basic TestsFrequency Test (monobit)Serial Test (twobit; Overlapping is allowed)Poker Test (Frequency of m-bit subsequences)Runs Test Autocorrelation Test

OthersSpectral TestLinear Complexity ProfileQuadratic ComplexityUniversal Test

8 © Information Security Group, ICU

Statistical Test by FIPS 140-1

For a given 20,000bit sample seq.

(I) monobit test :

The number of ‘1’=n1, 9,654 < n1 < 10,346

(2) poker test :

m=4, 1.03 < X3 < 57.4

(3) runs test : for length 1 i 6

(4) long run test : no run greater than 34

m

nkkn

kX

m

ii

m

,,2 2

1

23 단

9 © Information Security Group, ICU

LFSRLFSR

10 © Information Security Group, ICU

Notation of LFSR

Notation: < L, C[D]> where connection poly.

C[D] = 1 + c1D + c2D2 + …+cLDL Z2[D] If cL=1, {i.e., deg{C[D]}=L}, C[D] is called a nonsingular polynomial. If initial stage is [sL-1, … , s1,s0], output seq. s0,s1, … sj =

(c1s j-1 + c 2 s j-2 + … + c Ls j-L) mod 2 , j L

(Ex) <4, 1 + D + D4> , 0 = [0,1,1,0] s4=s3+s0 Finite State Machine

t D3 D2 D1 D0 t D3 D2 D1 D0

0 0 1 1 0 (6) 8 1 1 1 0 (14)1 0 0 1 1 (3) 9 1 1 1 1 (15)2 1 0 0 1 (9) 10 0 1 1 1 (7)3 0 1 0 0 (4) 11 1 0 1 1 (11)4 0 0 1 0 (2) 12 0 1 0 1 (5)5 0 0 0 1 (1) 13 1 0 1 0 (10) 6 1 0 0 0 (8) 14 1 1 0 1 (13)7 1 1 0 0 (12) 15 0 1 1 0 (6) Output seq. = 0,1,1,0,0,1,0,0,0,1,1,1,1,0,1,0

Stage 1

Stage 0

Output

Stage 3

Stage 2

D3

D2 D1 D0

11 © Information Security Group, ICU

Properties of m-LFSR(I)

The period of the sequence from LFSR divides 2L-1

A polynomial f(x) is called a primitive polynomial if f(x) | xk

-1 for k=2L-1 not for smaller k• # of monic primitive poly =(2m-1)/m in Z2[x] where is Euler-phi f

t.

If the connection polynomial is primitive, the period is 2L-1

Such sequence is called Maximum-length Shift Register Seq., M –seq. and LFSR is called m-LFSR.

12 © Information Security Group, ICU

Primitive Polynomials

Primitive polynomial over Z2: - xm+xk+1(trinomial) - xm + xk1+xk2+xk3+1(pentanomial)

m k(k1,k2,k3) m k(k1,k2,k3) m k(k1,k2,k3) m k(k1,k2,k3)

2

3

4

5

6

7

8

9

10

11

1

1

1

2

1

1

6,5,1

4

3

2

12

13

14

15

16

17

18

19

20

21

7,4,3

4,3,1

12,11,1

1

5,3,2

3

7

6,5,1

3

2

22

23

24

25

26

27

28

29

30

31

1

5

4,3,1

3

8,7,1

8,7,1

3

2

16,15,1

3

32

33

34

35

36

37

38

39

40

41

28,27,1

13

15,14,1

2

11

12,10,2

6,5,1

4

21,19,2

3

13 © Information Security Group, ICU

Properties of LFSR(II)

Well suited for H/W implementationProduce seq. of large periodGood statistical propertiesReadily analyzed by algebraic structure

Breakable by consecutive 2 * L sequence : depends on computing an inverse matrix whose complexity is O(L3), L : length of LFSR. one LFSR is useless.

14 © Information Security Group, ICU

Linear Complexity(I)

(Def) Given an infinite sequence s, the shortest length of LFSR’s that generate s is called Linear Complexity

Using Berlekamp-Massey algorithm, LC is computed

(Properties of LC) s,t : binary seq.For any n 1, 0 L(sn) n L(sn) =0 iff sn is ‘0’ seq. of length n. L(sn) =n iff sn=0,0,…,0,1. If s is periodic with period N, L(sn) N. L(st) L(s) + L(t)

15 © Information Security Group, ICU

Linear Complexity(II)

sn : random seq. from all seq. of length n Expectation value of LC

where B(n)=0 if even n, otherwise 0

For large n E(L(sn)) n/2 + 2/9 and Var(L(sn)) 86/81

(Def) LCP (Linear Complexity Profile) Denote LN is LC of sN=s0,s1,…sN-1, L1, L2, … LN is LCP

9

2

32

1

18

)(4))((

2nnB

sLEn

n n

16 © Information Security Group, ICU

Nonlinear FSR

StageL-1

Stage 1

Stage 0

Sj-1 sj-L+1Sj-L+2 S j-L Sj

Output

f ( s j-1, s j-2, …, s j-L)

f() : nonlinear ft

17 © Information Security Group, ICU

DesignDesign

18 © Information Security Group, ICU

Synchronous Stream Cipher(I)

f : next state ft, i+1 = f(i , k), 0 : initial value

g : keystream generating ft, zi = g (i , k), k : key

h : output ft, ci = h (zi, mi) , mi : pt, zi : key stream, ci:ct

f

ii+1

g

h-1

k

mici

zi

Encryption

f

ii+1

g

h

k

mici

zi

Decryption

19 © Information Security Group, ICU

Synchronous Stream Cipher(II)

Keystream is independent of pt and ct Properties Synchronization requirement No error propagation Active attack Insertion, deletion or replay will lose synchronization Change selected ciphertext digits Need to have inte

grity check mechanisms

20 © Information Security Group, ICU

Self-Synchronous Stream Cipher(I)

i = (ci-t , ci-t+1, …, ci-1), 0 = (c-t, c-t+1, …, c-1) : initial value

g : keystream generating ft, zi = g (i , k), k : key

h : output ft, ci = h (zi, mi) , mi : pt, zi : keystream, ci : ct

g

h

k

mi ci

zi

g

h-1

k

mici

zi

Encryption Decryption

21 © Information Security Group, ICU

Self-Synchronous Stream Cipher(II)

Keystream is independent of pt and ctPropertiesSelf-SynchronizationLimited error propagationActive attackDifficult to detect insertion, deletion, or replayEasy to find passive modification

More diffusion more resistant against attacks based on plaintext redundancy

22 © Information Security Group, ICU

Nonlinear Combiner(I)

LFSR 1

LFSR 2

LFSR n

f Keystream, z

Algebraic Normal Form (ANF) : mod. 2 sum of distinct m-th orderproduct of its variable, 0 <= m <= n Ex) f(x1,x2,x3,x4,x5)=1 + x2+ x3 + x4 + x4x5 + x1x2x3x4, deg(f) =4

23 © Information Security Group, ICU

Nonlinear Combiner(II)

Geffe generator

LFSR 1

LFSR 2

LFSR 3

Keystream, z

x1

x2

x3

• f(x1,x2,x3) = x1x2 (1+x2)x3 = x1x2 x2x3 x3

• p(z) : (2L1-1) (2L2-1)(2L3-1) where L1,L2 and L3 are relatively prime• L(z) = L1L2 + L1L3 + L3

• Prob(z(t)=x1(t)) =3/4 Correlation attack is possible !

24 © Information Security Group, ICU

Nonlinear Combiner(III)

Summation generator

z, keystream

LFSR 1

LFSR 2

LFSR n

Carry

x1

x2

xn

If Li and Lj are pairwise relatively prime, thenp(z) = i=1 n (2Li -1) LC p(z) But vulnerable to the correlation attack of carry and 2-adic span

25 © Information Security Group, ICU

Clock-controlled generator(I)

Alternating step generator

LFSR R1

LFSR R2

LFSR R3

Clock z, keystream

R1 : de Brujin seq. of period 2L1

R2,R3 : m-seq s.t., gcd(L2, L3)=1p(z) = 2L1 (2L2-1)(2L3-1)L(z) : (L2 + L3) 2L1-1 < L(z) <= (L2+L3) 2L1

Best known attack is a divide-and-conquer attack on the control register R1 in 2L

L should be about 128 (de Brujin = maximal period)

26 © Information Security Group, ICU

Clock-controlled generator(II)

Shrinking generator

LFSR R1

LFSR R2

Clock

ai

biai=1

ai=0

output bi

discard bi

• If gcd(L1, L2) =1, p(z) = (2L2-1) 2L1-1

• L2 2 L1-2 < L(z) < L2 2 L1-1 • Best known attack takes O(2L1L2

3). Li is about 64

27 © Information Security Group, ICU

Other generators

Cascade GeneratorCSPRBG(Cryptographically Secure Pseudo

Random Bit Generator)RSA LSB GeneratorBBS Generator (p.336)

Pseudo-noise GeneratorNoise Diode or Noise Transistor

Feedback with Carry Shift Register (FCSR)2-adic span

Stream Ciphers: SEAL, A5, RC4, PKZIP, FISH, PIKE, etc.

28 © Information Security Group, ICU

Correlation AttackCorrelation Attack

29 © Information Security Group, ICU

Correlation Attack (I)

Siegenthaler, 1984The complexity of a Combining Generator depends on the correl

ation of the combining function F.Divide-and-Conquer Attack

- If the output of F has a correlation with the output of KSG1, we can find the initial vector of the KSG1

KSG 1

KSG 2

KSG n

F z

x1

xn

x2

30 © Information Security Group, ICU

Correlation Attack (II)

Assume Prob(z=0|xi=0)=1/2-e, e>0Identify the initial vector of the KSGi by Divide a

nd Conquer

Known ciphertext attackAssume an initial vector of KSGi

Generate xi’ from KSGi

Compute e’=1/2- Prob(z=0|xi’=0)If the initial vector is correct, we must have e’=e. If no

t, we have e0 since x’ has no correlation with zThis attack is very effective. So e must be zero.

KSG 1

KSG 2

KSG n

F z

x1

xn

x2

31 © Information Security Group, ICU

Resilient Functions

A balanced function {0,1}n {0,1}m

- every possible output m-tuple is equally likely to occur A k-resilient function f : {0,1}n {0,1}m

- every possible output m-tuple is equally likely to occur

when the values of k arbitrary inputs are fixed and

the remaining n-k input bits are chosen independently at random.

A 0-resilient function is just a balanced function. A k-resilient function is (k-1)-resilient. E.g.) f(x1,x2)=x1+x2 is 1-resilient.

32 © Information Security Group, ICU

Multi-output Stream Ciphers

To design a multi-output stream cipher based on a combining generator, we need a resilient function which is nonlinear has algebraic degree as large as possible (for large LC) has nonlinearity as large as possible has resiliency as large as possible

KSG 1

KSG 2

KSG n

F

33 © Information Security Group, ICU

Summary of a Stream Cipher

Period : Depends on req’d level of security

Linear Complexityshortest LFSR that generates a given seq.

Measure against Correlation AttackCorrelation Immune function Nonlinear function

* A5 (for GSM) crack survey: http://www.jya.com/crack-a5.htm