Transcript
Page 1: Session 1 Stream ciphers 1. Introduction If the level of security is not the highest one, instead of the Vernam cipher, a stream cipher can be used. Stream

Session 1

Stream ciphers 1

Introduction

• If the level of security is not the highest one, instead of the Vernam cipher, a stream cipher can be used.
• Stream cipher:
  – A deterministic algorithm produces a pseudo-noise sequence (PN-sequence) that satisfies the three Golomb postulates.
  – The key is short (much shorter than the plaintext), which makes the scheme practical.

Introduction

Figure: block diagram of a stream cipher. The transmitter and the receiver each feed the same key into the same deterministic algorithm, which produces the keystream $z_i$. The transmitter computes $y_i = x_i \oplus z_i$ and sends $y_i$ over the communication channel; the receiver recovers $x_i = y_i \oplus z_i$.

Linear feedback shift registers

• LFSR theory is developed enough to enable thorough analysis of the properties of the output sequence of a PN sequence generator containing LFSRs.
• Because of that, the vast majority of PN generators are designed by combining LFSRs and non-linear Boolean functions.

Linear feedback shift registers

• A linear feedback shift register (LFSR) consists of:
  – n single-symbol memory cells (stages)
  – a linear feedback function, which expresses each new symbol of the output sequence as a linear function of the n previous symbols
• The contents of the flip-flops are shifted one position at every clock pulse.

Linear feedback shift registers

Figure: diagram of an LFSR with n stages and feedback function g. The feedback function g is linear.

Linear feedback shift registers

• The state of the register: the contents of the stages between two clock pulses.
• The initial state: the contents of the stages at the moment the process begins.

Linear feedback shift registers

• The state diagram of an LFSR is never singular, because the linear feedback function satisfies the non-singularity condition:

$a(t+n) = a(t) \oplus g(a(t+1), \dots, a(t+n-1))$

i.e. the oldest symbol $a(t)$ enters the feedback with coefficient 1, so every state has exactly one predecessor and the state diagram consists only of cycles, without branches.

Linear feedback shift registers

• The maximum possible period of the output sequence is $2^n - 1$.
• The all-zero initial state is not used, because in that case only the all-zero sequence would be produced.
• The key: the initial contents of the LFSR.

Linear feedback shift registers

• The feedback function g of an LFSR is a linear recurrence; the output sequences are linear recurring sequences of order n:

$a(t) = c_1 a(t-1) \oplus c_2 a(t-2) \oplus \dots \oplus c_n a(t-n), \quad t \ge n, \quad c_1, \dots, c_n \in \{0, 1\}$

Linear feedback shift registers

• It is possible to associate the characteristic (feedback) polynomial with every linear recurrence:

$f(x) = 1 + c_1 x + c_2 x^2 + \dots + c_n x^n$

• Analysis of the properties of the output sequence is made easier in this way.

Linear feedback shift registers

Example: An LFSR of length 4.

• Initial state: 1 0 0 0
• Feedback polynomial: $f(x) = 1 + x + x^4$
• Linear recurrence: $a(t) = a(t-1) \oplus a(t-4)$
• Successive states (one row per clock pulse):

1 0 0 0
1 1 0 0
1 1 1 0
1 1 1 1
0 1 1 1
1 0 1 1
0 1 0 1
1 0 1 0

Generated sequence: 1 1 1 0 1 0 1 ...

Linear feedback shift registers

• The characteristics of the output sequence of the LFSR depend on the characteristics of the feedback polynomial.
• The feedback polynomial can be:
  – reducible
  – irreducible
  – primitive

Linear feedback shift registers

Example 1: Reducible feedback polynomial

$x^4 + x^2 + 1 = (x^2 + x + 1)(x^2 + x + 1)$

Figure: the state diagram of this LFSR splits into four cycles: the all-zero state 0000 (length 1); 0110 → 1011 → 1101 (length 3); 0001 → 1000 → 0100 → 1010 → 0101 → 0010 (length 6); 0011 → 1001 → 1100 → 1110 → 1111 → 0111 (length 6).

Linear feedback shift registers

• LFSRs with reducible feedback polynomial:
  – The length (period) of the output sequence depends on the initial state
  – Not adequate for use in cryptography

Linear feedback shift registers

Example 2: Irreducible feedback polynomial

Figure: the state diagram splits into the all-zero state 0000 and three cycles of length 5: 0001 → 1000 → 1100 → 0110 → 0011; 0010 → 1001 → 0100 → 1010 → 0101; 1111 → 0111 → 1011 → 1101 → 1110.

Linear feedback shift registers

• LFSRs with irreducible feedback polynomial:
  – The length of the output sequence does not depend on the initial state (except the all-zero state)
  – The period T is a factor of $2^L - 1$, where L is the length of the LFSR
  – Not adequate for use in cryptography

Linear feedback shift registers

Example 3: Primitive feedback polynomial

Figure: the state diagram consists of the all-zero state 0000 and a single cycle through all 15 nonzero states: 1000 → 1100 → 1110 → 1111 → 0111 → 1011 → 0101 → 1010 → 1101 → 0110 → 0011 → 1001 → 0100 → 0010 → 0001 → 1000.

Output: 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 ... (a PN-sequence, or m-sequence; its period, 15, is the maximum possible for this type of generator)

Linear feedback shift registers

• LFSRs with primitive feedback polynomial:
  – The length of the sequence does not depend on the initial state (except the all-zero state)
  – The period is $2^L - 1$
  – Adequate for use in cryptography, because the output sequence satisfies all the Golomb postulates
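As an added example (not from the slides), the following Python code simulates an LFSR from its feedback polynomial $f(x) = 1 + c_1 x + \dots + c_n x^n$, enumerates the cycles of its state diagram for the reducible, irreducible and primitive cases above, and applies the keystream as the XOR stream cipher of the introduction. The function names, and the irreducible degree-4 polynomial $1 + x + x^2 + x^3 + x^4$ used to stand in for Example 2 (the slides do not state which polynomial was used), are this example's own choices.

```python
# Added example, not from the slides: a Fibonacci LFSR over GF(2).  The
# feedback polynomial f(x) = 1 + c_1 x + ... + c_n x^n is given as the list
# [c_1, ..., c_n] and the state as [a(0), ..., a(n-1)], so the recurrence is
# a(t) = c_1 a(t-1) + ... + c_n a(t-n) (addition mod 2).  The helper names
# are this example's own.

def lfsr_sequence(poly, state, length):
    """First `length` symbols a(0), a(1), ... produced from the initial state."""
    n = len(poly)
    assert len(state) == n
    a = list(state)
    for t in range(n, length):
        new = 0
        for i in range(1, n + 1):
            new ^= poly[i - 1] & a[t - i]      # c_i * a(t - i) over GF(2)
        a.append(new)
    return a[:length]

def period(poly, state):
    """Clock pulses until the n-symbol state first repeats."""
    n = len(poly)
    a = lfsr_sequence(poly, state, 2 ** n + n)   # long enough to close any cycle
    start = tuple(a[:n])
    for t in range(1, 2 ** n + 1):
        if tuple(a[t:t + n]) == start:
            return t
    raise AssertionError("an LFSR state diagram is a union of cycles")

def cycle_lengths(poly):
    """Lengths of all cycles of the state diagram, including the zero cycle.
    Primitive f: [1, 2^n - 1]; irreducible f: equal lengths dividing 2^n - 1;
    reducible f: lengths that depend on the initial state."""
    n = len(poly)
    seen, lengths = set(), []
    for s in range(2 ** n):
        state = tuple((s >> i) & 1 for i in range(n))
        if state in seen:
            continue
        a = lfsr_sequence(poly, list(state), 2 ** n + n)
        k, cur = 0, state
        while cur not in seen:                 # walk until we return to `state`
            seen.add(cur)
            k += 1
            cur = tuple(a[k:k + n])
        lengths.append(k)
    return sorted(lengths)

def xor_cipher(bits, keystream):
    """y_i = x_i XOR z_i; applying it again with the same keystream decrypts."""
    return [x ^ z for x, z in zip(bits, keystream)]
```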

Linear feedback shift registers

• Thus, to use LFSRs in pseudorandom sequence generators we need primitive polynomials.
• How do we get them?
• We need some basic concepts of abstract algebra: groups, rings, Galois fields.

Groups

• A group is an algebraic structure consisting of a non-empty set G and a binary operation $*: G \times G \to G$ such that the following axioms of the group are satisfied:
  – Closure
  – Associativity
  – Existence of the identity (neutral) element
  – Existence of the inverse element for each element of G.

Groups

• Closure: $\forall x, y \in G: \; x * y \in G$
• Associ​ativity: $\forall x, y, z \in G: \; (x * y) * z = x * (y * z)$
• Existence of the neutral element: $\exists e \in G \; \forall x \in G: \; e * x = x * e = x$
• Existence of the inverse elements: $\forall x \in G \; \exists x^{-1} \in G: \; x * x^{-1} = x^{-1} * x = e$

Groups

• Multiplicative group: the operation * is the multiplication, i.e. "·"
  – The identity element is 1
  – The inverse element is $x^{-1}$
• Additive group: the operation * is the sum, i.e. "+"
  – The identity element is 0
  – The inverse element is $-x$

Groups

• Examples of additive groups:
  – Z, Q, R, C
  – $\forall n \in \mathbb{N}: \; Z_n = \{0, 1, 2, \dots, n-1\}$, where the operation is the sum modulo n.
• Examples of multiplicative groups:
  – $Q \setminus \{0\}$, $R \setminus \{0\}$
  – $\forall n \in \mathbb{N}: \; Z_n^* = \{x \in Z_n : \gcd(x, n) = 1\}$, where the operation is the multiplication modulo n.

Groups

• If in the group G the operation * fulfils the commutative property, i.e. $\forall x, y \in G: \; x * y = y * x$, then G is a commutative or Abelian group.
• If G is a finite group, the number of elements in G is called the order of G and is represented by #G.

Groups

• An element $g \in G$ is a generator of G if every element of G can be written as a power of g. G is then a cyclic group.
• The cyclic group: $G = \{g^0 = e, \; g^1, \; g^2, \; g^3, \; \dots, \; g^{n-1}\}$, where $n = \#G$.

Groups

• Example: show that 5 is a generator of $Z_{12} = \{0, 1, \dots, 11\}$ (additive group, $e = 0$; here the "power" $5^k$ means the k-fold sum $5 + \dots + 5$ reduced modulo 12):

$5^0 = e = 0$
$5^1 = 5$
$5^2 = 5 * 5 = 5 + 5 = 10$
$5^3 = 5 * 5 * 5 = 5 + 5 + 5 = 15 \bmod 12 = 3$
$5^4 = 3 * 5 = 3 + 5 = 8$
$5^5 = 8 * 5 = 8 + 5 = 13 \bmod 12 = 1$
$5^6 = 1 * 5 = 1 + 5 = 6$
$5^7 = 6 * 5 = 6 + 5 = 11$
$5^8 = 11 * 5 = 11 + 5 = 16 \bmod 12 = 4$
$5^9 = 4 * 5 = 4 + 5 = 9$
$5^{10} = 9 * 5 = 9 + 5 = 14 \bmod 12 = 2$
$5^{11} = 2 * 5 = 2 + 5 = 7$

The powers $5^0, \dots, 5^{11}$ produce all 12 elements of $Z_{12}$, so 5 is a generator.

Groups

• A nonempty subset H of G is called a subgroup of G if it is closed under the operation * and under inversion, i.e. $\forall x, y \in H: \; x * y \in H, \; x^{-1} \in H$
• The Lagrange theorem:
  – If G is a finite group and H is its subgroup, then #H divides #G, i.e. $\#H \mid \#G$

Groups

• Examples:
  – A group of order 8 can have subgroups of order 2 and 4, but not of order 3 or 6.
  – A finite group whose order is a prime number cannot have any proper subgroup other than the trivial one, {e}.

Groups

• The order of an element $g \in G$ of a finite group is the least positive integer k such that $g^k = e$.
• If k is the order of $g \in G$, then $\{e, g, g^2, \dots, g^{k-1}\}$ is a subgroup of G.
• Corollary of the Lagrange theorem:
  – In a finite group, the order of each element divides the order of the group.

Groups

• Example: a subgroup of $Z_8 = \{0, 1, 2, 3, 4, 5, 6, 7\}$ (additive group, $e = 0$). Take $g = 2$:

$2^0 = e = 0$
$2^1 = 2$
$2^2 = 2 + 2 = 4$
$2^3 = 2 + 2 + 2 = 6$
$2^4 = 6 + 2 = 8 \bmod 8 = 0 = e$

$H = \langle 2 \rangle = \{0, 2, 4, 6\}$, $\#H = 4$, and $\#G = 8 = k \cdot \#H$ with $k = 2$, so $\#H \mid \#G$.
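As an added example (not part of the slides), the following Python code builds the cyclic subgroup $\langle g \rangle$ in $(Z_n, +)$ and in $(Z_n^*, \cdot)$, computes element orders, finds generators and checks the Lagrange theorem; it reproduces the $Z_{12}$ and $Z_8$ computations above. Function names are this example's own.

```python
# Added example, not from the slides.  A group is passed around as
# (elements, operation, identity); "powers" are computed with the group
# operation, so in an additive group g^k is the k-fold sum g + ... + g.
from math import gcd

def additive_group(n):
    """(Z_n, +): sum modulo n, identity 0."""
    return list(range(n)), (lambda a, b: (a + b) % n), 0

def multiplicative_group(n):
    """(Z_n^*, .): the x with gcd(x, n) = 1, product modulo n, identity 1."""
    elems = [x for x in range(1, n) if gcd(x, n) == 1]
    return elems, (lambda a, b: (a * b) % n), 1

def generated_subgroup(g, op, e):
    """<g> = {g^0 = e, g^1, g^2, ...}, listed in exponent order until g^k = e."""
    powers, cur = [e], op(e, g)
    while cur != e:
        powers.append(cur)
        cur = op(cur, g)
    return powers

def element_order(g, op, e):
    """Least positive k with g^k = e, i.e. the size of <g>."""
    return len(generated_subgroup(g, op, e))

def is_generator(g, elems, op, e):
    return sorted(generated_subgroup(g, op, e)) == sorted(elems)

def generators(elems, op, e):
    """All g whose powers exhaust the group (empty if the group is not cyclic)."""
    return [g for g in elems if is_generator(g, elems, op, e)]

def lagrange_holds(elems, op, e):
    """#H divides #G for every cyclic subgroup H = <g> (corollary of Lagrange)."""
    return all(len(elems) % element_order(g, op, e) == 0 for g in elems)
```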

Page 32: Session 1 Stream ciphers 1. Introduction If the level of security is not the highest one, instead of the Vernam cipher, a stream cipher can be used. Stream

Rings• A ring is an algebraic structure

consisting of a non-empty set G and 2 binary operations called summation, i.e. “+” and multiplication, i.e. “” such that the following holds:– (G,+) is an abelian group– The structure (G,) : closure, associativity

and the existence of the neutral element–Multiplication distributes over addition, i.e.

32/65

bcaccba

acabcba

Fields

• A field is an algebraic structure consisting of a non-empty set G and 2 binary operations called summation, i.e. "+", and multiplication, i.e. "·", such that the following holds:
  – (G, +) is an abelian group: the additive group of the field
  – (G \ {0}, ·) is an abelian group: the multiplicative group of the field
  – Multiplication distributes over addition.

Fields

• Every field is a ring, but the converse is not true.
• The difference:
  – The structure (G \ {0}, ·) of a field is a commutative group; in a general ring this is not required.

Fields

• Examples:
  – Field of rational numbers Q.
  – If p is a prime number, then $Z_p$ is a field:
    • $(Z_p, +)$ is an additive commutative group.
    • $(Z_p^*, \cdot)$ is a multiplicative commutative group.

Finite fields

• A finite field is a field with a finite number of elements, i.e. the set G is finite.
• Theorem (1)
  – (i) The number of elements of a finite field F must be equal to a power of a prime number, i.e. $\#F = p^m$.
    • p is the characteristic of the field.
    • The field is represented by $GF(p^m)$ (Galois Field).

Finite fields

• Theorem (2)
  – (ii) There is only one finite field of $p^m$ elements. If we fix an irreducible polynomial f(x) of degree m with coefficients in $Z_p$, the elements of $GF(p^m)$ are represented as polynomials with coefficients in $Z_p$ of degree < m, and the product of elements of $GF(p^m)$ is realized as the product of polynomials modulo f(x):

$GF(p^m) = \{a_0 + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1} ; \; a_0, a_1, \dots, a_{m-1} \in Z_p\}$

Finite fields

• The finite field $GF(p^m)$ is called the extension field of the field GF(p).
• Theorem:
  – The multiplicative group of $GF(p^m)$ is cyclic, i.e. there is at least one generator of all its elements.
• This generator is called a primitive element of the field $GF(p^m)$.

Finite fields

• Example (1): p = 2, m = 3, $f(x) = x^3 + x + 1$, irreducible
  – The elements of the field (1):
    • 0 = 000
    • $\alpha^0 = 001$, or 1 in the polynomial notation
    • The subsequent elements are obtained by multiplying the immediate predecessor by x and reducing modulo f(x), i.e. $\alpha^1 = 010$, or x; $\alpha^2 = 100$, or $x^2$

Finite fields

• Example (2):
  – The elements of the field (2):
    • $\alpha^3 = x \cdot x^2 = x^3 = x + 1 \pmod{x^3 + x + 1}$, or 011
    • $\alpha^4 = x \cdot \alpha^3 = x^2 + x$, or 110
    • $\alpha^5 = x \cdot \alpha^4 = x^3 + x^2 = x^2 + x + 1 \pmod{x^3 + x + 1}$, or 111
    • $\alpha^6 = x \cdot \alpha^5 = x^3 + x^2 + x = x^2 + 1 \pmod{x^3 + x + 1}$, or 101

Testing irreducibility

• The fundamental theorem of arithmetic:
  – Every positive integer can be represented in a unique way as a product of prime factors.
• Analogue in a GF:
  – Every polynomial over a GF can be represented in a unique way as a product of irreducible factors.
• An irreducible polynomial has no factors except 1 and itself (up to constant factors).

Testing irreducibility

• Theorem
  – If a polynomial f(x) of degree n in GF(q) does not have common factors with $x^{q^k} - x \pmod{f(x)}$, $k = 1, \dots, \lfloor n/2 \rfloor$, then it is irreducible.
• To determine whether a given polynomial has common factors with some other polynomial we can use the Euclidean algorithm.

Testing irreducibility

• Example: polynomials in GF(2)
  – Find $\gcd(x^5 + x^4 + x^2 + x, \; x^4 + x^3 + x^2 + x)$

$x^5 + x^4 + x^2 + x = x \cdot (x^4 + x^3 + x^2 + x) + (x^3 + x)$
$x^4 + x^3 + x^2 + x = (x + 1)(x^3 + x) + 0$

$\gcd(x^5 + x^4 + x^2 + x, \; x^4 + x^3 + x^2 + x) = x^3 + x$

Testing irreducibility

• Example: Determine if the polynomial $f(x) = 1 + x + x^4$ in GF(2) is irreducible.

n = 4, so $\lfloor n/2 \rfloor = 2$ and k = 1, 2 (in GF(2), $x^{q^k} - x = x^{2^k} + x$):

k = 1: $x^2 \bmod (x^4 + x + 1) = x^2$; $\gcd(x^2 + x, \; x^4 + x + 1) = 1$
k = 2: $x^4 \bmod (x^4 + x + 1) = x + 1$; $\gcd(x + 1 + x, \; x^4 + x + 1) = \gcd(1, \; x^4 + x + 1) = 1$

Irreducible

Testing irreducibility

• Example: Determine if the polynomial $f(x) = 1 + x^2 + x^4$ in GF(2) is irreducible.

n = 4, $\lfloor n/2 \rfloor = 2$, k = 1, 2:

k = 1: $x^2 \bmod (x^4 + x^2 + 1) = x^2$; $\gcd(x^2 + x, \; x^4 + x^2 + 1) = 1$
k = 2: $x^4 \bmod (x^4 + x^2 + 1) = x^2 + 1$; $\gcd(x^2 + 1 + x, \; x^4 + x^2 + 1) = x^2 + x + 1 \ne 1$

Not irreducible

Primitive polynomials

• The order of a polynomial P(x), $P(0) \ne 0$, is the smallest integer e for which P(x) divides $x^e - 1$.
• In a finite field GF(q), if the order of an irreducible polynomial P(x) of degree n is $q^n - 1$, this polynomial is called a primitive polynomial.

Primitive polynomials

• Thus, to test whether a polynomial P(x), deg P(x) = n, in GF(q) is primitive:
  – Test whether P(x) is irreducible
  – If P(x) is irreducible, check whether it divides the polynomials $x^k - 1$, $n \le k < q^n - 1$
  – If P(x) does NOT divide any of the polynomials above, then it is primitive.
• Obviously, this procedure is not efficient.

Primitive polynomials

• Example:
  – The polynomial $f(x) = 1 + x + x^4$ of degree 4 in GF(2) is irreducible and does not divide any of the polynomials $x^4 - 1, \; x^5 - 1, \; \dots, \; x^{14} - 1$. Because of that, it is primitive.

Primitive polynomials

• Theorem (Alanen, Knuth, 1964; Herlestam, 1982)
  – A polynomial f(x) in GF(q), $q = p^m$, deg f(x) = n, is primitive if and only if it satisfies the following:
    1. $f(x) \ne 0$ for all $x \in GF(q)$ (f has no roots in GF(q))
    2. $x^{q^n} \equiv x \pmod{f(x)}$
    3. For all prime factors p' of $q^n - 1$: $x^{(q^n - 1)/p'} \not\equiv 1 \pmod{f(x)}$

Primitive polynomials

• For q = 2, the polynomial f(x) must have odd weight (i.e. an odd number of terms).
• Problem
  – The factorization of $q^n - 1$ is needed.
• If $q^n - 1$ is a prime, condition 3 of the theorem is trivially satisfied.
• For q = 2, primes of the form $2^n - 1$ are called Mersenne primes.

Primitive polynomials

• The first 24 Mersenne primes are obtained for the following values of n:
  2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689, 9941, 11213, 19937.
• Thus, a polynomial in GF(2) of odd weight, of degree n such that $2^n - 1$ is a Mersenne prime, is primitive if $x^{2^n} \equiv x \pmod{f(x)}$, which is easy to check in practice.

Primitive polynomials

• How many primitive polynomials with coefficients in GF(2) of degree n are there?

$N_n = \varphi(2^n - 1) / n$

• Example:
  – n = 11: $N_n = 176$
  – n = 24: $N_n = 276480$
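As an added example (not from the slides), the following Python code implements GF(2)[x] arithmetic on integers and uses it for the Euclidean gcd of the slide-43 example, the irreducibility test with $\gcd(f, x^{2^k} + x)$, the primitivity conditions of the Alanen-Knuth/Herlestam theorem for q = 2, the count $N_n = \varphi(2^n - 1)/n$, and the listing of $GF(2^3)$ as the powers of x modulo $x^3 + x + 1$ from the finite-field example. The function names and the bit-vector representation are this example's own choices.

```python
# Added example, not from the slides.  Polynomials over GF(2) are ints:
# bit i is the coefficient of x^i, so x^4 + x + 1 is 0b10011.
X = 0b10  # the polynomial x

def deg(p):
    return p.bit_length() - 1

def pmod(a, m):
    """Remainder of a divided by m in GF(2)[x] (subtraction is XOR)."""
    while a and deg(a) >= deg(m):
        a ^= m << (deg(a) - deg(m))
    return a

def pmulmod(a, b, m):
    """a * b mod m, shift-and-add multiplication with reduction at each step."""
    r, a = 0, pmod(a, m)
    while b:
        if b & 1:
            r ^= a
        a, b = pmod(a << 1, m), b >> 1
    return r

def ppowmod(base, e, m):
    """base^e mod m by square-and-multiply (e may be as large as 2^n)."""
    r, base = 1, pmod(base, m)
    while e:
        if e & 1:
            r = pmulmod(r, base, m)
        base, e = pmulmod(base, base, m), e >> 1
    return r

def pgcd(a, b):
    """Euclidean algorithm in GF(2)[x], as in the slide-43 example."""
    while b:
        a, b = b, pmod(a, b)
    return a

def is_irreducible(f):
    """f is irreducible iff gcd(f, x^(2^k) + x) = 1 for k = 1 .. deg(f)/2."""
    xk = X
    for _ in range(deg(f) // 2):
        xk = pmulmod(xk, xk, f)            # x^(2^k) mod f by repeated squaring
        if pgcd(f, xk ^ X) != 1:
            return False
    return True

def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for 2^n - 1, n <= 64)."""
    out, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            out.add(d)
            m //= d
        d += 1
    if m > 1:
        out.add(m)
    return out

def is_primitive(f):
    """Theorem conditions for q = 2: no root in GF(2) (f(0) = 1 and odd weight),
    x^(2^n) = x (mod f), and x^((2^n-1)/p') != 1 (mod f) for every prime p'
    dividing 2^n - 1."""
    order = 2 ** deg(f) - 1
    if not (f & 1) or bin(f).count("1") % 2 == 0:
        return False
    if ppowmod(X, order + 1, f) != X:
        return False
    return all(ppowmod(X, order // p, f) != 1 for p in prime_factors(order))

def count_primitive(n):
    """N_n = phi(2^n - 1) / n, with phi computed from the prime factors."""
    m = phi = 2 ** n - 1
    for p in prime_factors(m):
        phi = phi // p * (p - 1)
    return phi // n

def field_elements(f):
    """x^0, x^1, ..., x^(2^m - 2) mod f: for a primitive f of degree m these
    are the nonzero elements of GF(2^m) (the slides use f = x^3 + x + 1)."""
    elems, cur = [], 1
    for _ in range(2 ** deg(f) - 1):
        elems.append(cur)
        cur = pmulmod(cur, X, f)           # multiply the predecessor by x
    return elems
```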

Primitive polynomials

• Not all primitive polynomials are suitable for use in LFSRs:
  – Primitive polynomials with too concentrated terms (i.e. with terms containing powers of x that are of very similar magnitude)
  – Primitive polynomials of degree n such that $2^n - 1$ contains many small prime factors
  – There are attacks against schemes with LFSRs using such feedback polynomials.

Primitive polynomials

• Example 1:
  – For n = 61, $2^{61} - 1 = 2305843009213693951$ is a Mersenne prime. Recommended for use in LFSRs.
• Example 2:
  – For n = 63, $2^{63} - 1 = 7^2 \cdot 73 \cdot 127 \cdot 337 \cdot 92737 \cdot 649657$ is not a Mersenne prime. It is not recommended for use in LFSRs.

Primitive polynomials

• Thus, a good strategy is to use an LFSR with a primitive feedback polynomial of degree n such that $2^n - 1$ is a Mersenne prime.
• But if $2^n - 1$ has a small number of large prime factors, it can also be used in LFSRs.
• Example: n = 103, $2^{103} - 1 = 2550183799 \cdot 3976656429941438590393$

Primitive polynomials

• The reciprocal polynomial of the polynomial f(x) of degree n: $f^*(x) = x^n f(1/x)$
• Theorem
  – If f(x) is primitive, $f^*(x)$ is also primitive.

Primitive polynomials

• Example:
  – $f(x) = 1 + x + x^4$: this polynomial is primitive
  – $f^*(x) = x^4 f(1/x) = x^4 (1 + 1/x + 1/x^4) = x^4 + x^3 + 1$: this polynomial is also primitive

Linear complexity

• The linear complexity of a sequence is the length L of the smallest LFSR capable of generating the given sequence.
• The Berlekamp-Massey algorithm (1969):
  – Input: the given binary sequence
  – Output: 1. $\langle C(D), L \rangle$, where C(D) is the feedback polynomial and L is the length of the equivalent LFSR; 2. the initial state of the equivalent LFSR

The Berlekamp-Massey algorithm

• Input to one step: n digits of a sequence
• Determines the minimum LFSR capable of generating them
• If digit n + 1 of the sequence can be generated by the current LFSR, the length of the current LFSR is preserved
• Otherwise, a longer LFSR is needed

The Berlekamp-Massey algorithm

• The Berlekamp-Massey algorithm is based on the following theorems:
• Theorem 1
  – If $\langle C(D), L \rangle$ generates the prefix $s^n$ of the intercepted sequence, but does not generate $s^{n+1}$, then $LC(s^{n+1}) \ge n + 1 - L$

The Berlekamp-Massey algorithm

• Example: n = 6, L = 2, the LFSR generates the sequence 110110. Can it generate 1101100?

Figure: table of the successive states of the length-2 LFSR (seven rows of bits in the original). The LFSR generates 110110, but does not generate 1101100: the seventh symbol it produces is 1, not 0, which is the discrepancy. Hence, by Theorem 1, $LC(1101100) \ge 6 + 1 - 2 = 5$.

The Berlekamp-Massey algorithm

• Theorem 2
  – If $\langle C(D), L \rangle$ generates $s^n$, but does not generate $s^{n+1}$ (discrepancy $d_n \ne 0$), and $\langle C^*(D), L^* \rangle$ generates $s^m$, but does not generate $s^{m+1}$ (discrepancy $d_m \ne 0$), where $0 \le m < n$, then

$\left\langle C(D) - \frac{d_n}{d_m} D^{n-m} C^*(D), \; \max(L, L^* + n - m) \right\rangle$

generates $s^{n+1}$.

The Berlekamp-Massey algorithm

• Theorem 3
  – If $\langle C(D), L \rangle$ with $L = LC(s^n)$ generates $s^n$, but does not generate $s^{n+1}$, then $LC(s^{n+1}) = \max(LC(s^n), \; n + 1 - LC(s^n))$

The Berlekamp-Massey algorithm

Figure: flowchart of the algorithm. Notation used in the flowchart: the current discrepancy $d_n$, the stored discrepancy $d_m$ of the last length change, and $j = n - m$.

The Berlekamp-Massey algorithm

• Example: N = 7, GF(2), $s_0, \dots, s_6 = 1, 1, 0, 1, 0, 0, 1$

Figure: the iteration table of the algorithm for this sequence (seven rows of bits in the original).

Solution: $C(D) = 1 + D + D^3$, L = 3
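As an added example (not from the slides), the following Python implementation of the Berlekamp-Massey algorithm over GF(2) follows Theorems 1 to 3 above and reproduces both worked examples: 110110 versus 1101100, and the sequence 1101001 with $C(D) = 1 + D + D^3$, L = 3. Function names are this example's own; the discrepancy and the update $C(D) + D^{n-m} C^*(D)$ are those of Theorem 2, with $d_n / d_m = 1$ in GF(2).

```python
# Added example, not from the slides: Berlekamp-Massey over GF(2).  The
# feedback polynomial C(D) = 1 + c_1 D + ... + c_L D^L is a coefficient list
# [1, c_1, ..., c_L]; s is a list of bits s_0, s_1, ...

def berlekamp_massey(s):
    """Returns (C, L): the feedback polynomial and the linear complexity L."""
    C, B = [1], [1]          # current polynomial and the stored C*(D)
    L, m = 0, -1             # current length and the step m of Theorem 2
    for n, s_n in enumerate(s):
        # discrepancy d_n = s_n + c_1 s_{n-1} + ... + c_L s_{n-L}  (mod 2)
        d = s_n
        for i in range(1, L + 1):
            d ^= C[i] & s[n - i]
        if d == 0:
            continue                         # <C(D), L> also generates s^{n+1}
        T = list(C)
        shift = n - m
        if len(C) < len(B) + shift:
            C += [0] * (len(B) + shift - len(C))
        for i, b in enumerate(B):
            C[i + shift] ^= b                # C(D) <- C(D) + D^(n-m) C*(D)
        if 2 * L <= n:                       # Theorem 3: L <- n + 1 - L
            L, m, B = n + 1 - L, n, T
        if len(C) < L + 1:
            C += [0] * (L + 1 - len(C))
    return C[:L + 1], L

def linear_complexity(s):
    return berlekamp_massey(s)[1]

def generates(C, L, s):
    """Does <C(D), L> generate the whole sequence s from its first L symbols?"""
    for n in range(L, len(s)):
        pred = 0
        for i in range(1, L + 1):
            pred ^= C[i] & s[n - i]
        if pred != s[n]:
            return False
    return True
```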

