stream cipher - school of computer sciencemdr/teaching/crypto15/crypto5.pdf · lfsr stream cipher...

Stream cipher

Block cipher as stream cipherLFSR stream cipherRC4General remarks

Stream Cipher

Suppose you want to encrypt a stream of data, such as:

the data from a keyboard

the data from a sensor

Block ciphers might be awkward/inefficient (consider eachkeystroke as a block??).

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 90

Stream cipher


Stream cipher

A stream cipher is a bit like a one-time pad: we generate a keythat’s as long as the data, but we generate it from a short seed.

The key stream is thus not random, but pseudorandom.Use seed (short random number) and produce keystream.

Key/Seed generatorPseudo-random Keystream

Plaintext

Ciphertext


Stream cipher


Example 1

A block cipher, using counter mode.


Stream cipher


Example 2: LFSR

Linear Feedback Shift Register: Building block for many modernstream ciphersCan be implemented very efficientlyKey idea: have register of single bit cells shifted by one at everyclock cycle together with feedback function

Source: Wikipedia


Stream cipher


Example:

Source: Wikipedia


Stream cipher


Reasoning about LFSRs

Interesting property: Length of keystream periodReasoning works as follows:

Have state vector s = [s1, . . . , sn] for shift register with n cells

Have a matrix M =

c1 c2 · · · cn−1 cn1 0 · · · 0 00 1 · · · 0 0...

. . .. . .

......

0 · · · 0 1 0

where ci is 1 if the i th cell in s is used for feedback and 0 ifnot.

Next state vector given by M · s.


Stream cipher


Combining LFSRs

LFSRs are insecure in practice (given a lot of output, the values cican computed fairly efficiently)Hence multiple LFSRs are combined in non-linear fashion

Source: Wikipedia


Stream cipher


CSS

CSS used to encrypt DVD for copy protectionFollowing steps are taken:

Check whether region code and code on DVD match

Use player keys to extract disk key from DVD

Use disk key to extract title key for track

Use title key to extract for each sector a sector key, which isused to decrypt the sector.


Stream cipher


Sector encryption is combination of two LFSR’s added modulo 256(observing carry bit from previous addition):

1||K2||K3||K4

seed

17 bit LFSR

25 bit LFSR

add modulo 2568 bit keystream

1||K0||K1


Stream cipher


Security of CSS

Can be broken in time 217:Idea: Because of structure of MP4, first 20 bytes of plaintext areknownHence also first 20 bytes of keystream are knownGiven output of 17 bit LFSR, can deduce output of 25 bit LFSR bysubtractionHence try all 217 possibilities for 17 bit LFSR and if generated 25bit LFSR produces observed keystream, cipher is cracked


Stream cipher


A5/1

Stream cipher used in GSM mobile phone communication

Became public knowledge through leaks and reverseengineering

Built from three LFSRs with irregular clock cycle

54 bit secret key and 22 bit initialisation vector

A register is shifted only if its clock bit is the same as majorityof the three clock bits


Stream cipher


Source: Wikipedia


Stream cipher


Security of A5/1

Better design: Clock shift make cryptanalysis much harderHowever, advanced techniques means mainstream PC withterabytes of flash memory (to store pre-processed tables) can breakA5/1 with probability ≥ 90% in a few seconds


Stream cipher


Example 3: RC4

Stream cipher invented 1987 by Ron RivestMain datastructure is array S of 256 bytes.

Consists of two phases:

Initalisation of S phase (“key schedule”)

Keystream generation phase


Stream cipher


Code for RC4

for i := 0 to 255 doS[i ] := i

endj := 0for i := 0 to 255 do

j := (j + S[i ] + K[i mod keylength]) mod 256swap(S[i ],S[j ])

endi := 0j := 0while GeneratingOutput:

i := (i + 1) mod 256j := (j + S[i ]) mod 256swap(S[i ],S[j ])output S[(S[i ] + S[j ]) mod 256]

end


Stream cipher


Graphical representation

Source: Wikipedia


Stream cipher


Properties of RC4

Extremely compact, and beautiful

Exhaustively studied

Two books, and hundreds of research papers

Pretty good!

But not good enough by modern standards:

Numerous “attacks” (biases in the stream, especially the firstfew bytes)Led to real attacks on WEP, and modes of TLS that use it


Stream cipher


WEP

Old standard for encryption on wireless networksbased on RC4, but seriously broken - don’t use

Source: Wikipedia


Stream cipher


Weaknesses in WEP

Initialisation vector only 24 bits, hence key streams repeatafter at most 224 frames

With certain initialisation vectors knowing m bytes of key andkeystream means you can deduce byte m + 1 of key

First bytes of key stream known because standard headers arealways sent

With this method, can crack the key in minutes on modern PChardware


Stream cipher


Keys for stream ciphers must not be reused.Formally, RC4 and LFSR as presented do not satisfy IND-CPAsecurity.Need carefully used initialisation vectors or nonces to obtainIND-CPA.


stream cipher - school of computer sciencemdr/teaching/crypto15/crypto5.pdf · lfsr stream cipher...

Documents