Stream Ciphers
Michal Dobes
19. 5. 2014
Michal Dobes Stream Ciphers 19. 5. 2014 1 / 56
Outline
1 Introduction
  One-time pad (Vernam Cipher)
2 Pseudo-random sequences (PN-sequences)
  Golomb's postulates
3 Feedback Shift Registers (FSRs)
Stream ciphers vs. block ciphers
Block ciphers – output
  Encrypt 1 block of bits at a time
  If the block size is 64 bits and we want to encrypt a 65-bit message, we need 2 blocks and the resulting ciphertext is 128 bits long
Stream ciphers – output
  Encrypt 1 bit at a time
  Encrypting a 65-bit message gives us a 65-bit ciphertext
Stream ciphers vs. block ciphers
Block ciphers
  Encrypt 1 block of bits at a time
  No well-developed mathematical background
  Rather difficult HW implementation
Stream ciphers
  Encrypt 1 bit at a time
  Mathematical background developed to an extent
  Fast and efficient in HW
One-time pad (Vernam Cipher)
One-time pad encryption
Principle
  Uses the binary XOR operation (⊕)
  Ciphertext = Message ⊕ Key
  Every bit of the key has to be random
  Message:    0 1 0 0 0 0 0 1   'A'
  Key:        0 0 0 1 0 0 1 1   key stream
  Ciphertext: 0 1 0 1 0 0 1 0   'R'
One-time pad decryption
Principle
  Ciphertext = Message ⊕ Key
  Key ⊕ Key = 0 ⇒ Message = Ciphertext ⊕ Key
  Ciphertext: 0 1 0 1 0 0 1 0   'R'
  Key:        0 0 0 1 0 0 1 1   same sequence
  Message:    0 1 0 0 0 0 0 1   'A'
One-time pad: perfect secrecy
  Proven to be resistant to brute-force attack:
  The key is as long as the message
  Therefore, by enumerating all keys we get all possible messages of the given length
  We cannot tell which message is the correct one
One-time pad key reuse problem
  The key can only be used once
  When it is reused, the cipher can be broken:
    C1 = M1 ⊕ K
    C2 = M2 ⊕ K
    ⇒ C1 ⊕ C2 = M1 ⊕ K ⊕ M2 ⊕ K = M1 ⊕ M2
  1940s – project VENONA: US & UK broke Soviet messages
Key reuse problem demonstration
  (figure, not reproduced in the transcript: M1 and M2 each encrypted with the same key K, giving C1 and C2)
  C1 ⊕ C2 = M1 ⊕ M2
One-time pad properties
  Offers perfect secrecy (the only cipher that does)
  The key has to be a random sequence
  Can be looked at as a stream cipher (1 bit of message ⊕ 1 bit of key = 1 bit of ciphertext)
One-time pad disadvantages
  The key has to be as long as the original message
  The key cannot be reused
  Impractical for common use (key distribution problems)
  More practical: generate a pseudo-random sequence based on a random input
General scheme of a stream cipher
  (figure) Initial state → PN-generator → PN-sequence; Message ⊕ PN-sequence = Ciphertext
Pseudo-random sequences (PN-sequences)
  A sequence that looks random
  PN = pseudo noise
  The same initial state always gives the same sequence
  Initial state = key
  General scheme of a stream cipher (figure): Initial state → PN-generator → PN-sequence; Message ⊕ PN-sequence = Ciphertext
Criteria of the BSI (Bundesamt für Sicherheit in der Informationstechnik)
  The BSI developed four classes for PN-generators
  Classes K1 (weakest) to K4 (strongest)
  Downward compatibility: in order for a generator to pass a specific class, it must also pass all the previous classes
  Examples: a K2 generator must pass K1 and K2; a K4 generator must pass K1, K2, K3 and K4
BSI Class K1
  K1: Parts of the PN-sequence are different from each other
  We divide the sequence into groups c bits long
  There should be a high probability that the groups are different from each other
  We choose the value of c based on the intended use
  A simple counter will pass the K1 criteria
  Example: 1100101 1100101 1100101
BSI Class K2
  K2: The PN-sequence has the statistical properties of a random sequence (based on standard tests)
  The sequence must, among other things:
    have approximately the same number of 1s and 0s
    not have too long groups of 1s or 0s
    have good autocorrelation properties (see further)
  The sequence of the first 20 000 output bits must pass the tests
  1100101 1100101 1100101
BSI Class K3
  K3: It is practically impossible to work out the internal state of the generator, or the numbers which precede or follow the PN-sequence, knowing the PN-sequence
  PN-generators have an internal state; based on it, they generate the next bit of the PN-sequence
  If we know the internal state, we can find out what numbers will follow
  1100101 1100101 1100101
BSI Class K4
  K4: It is practically impossible to guess previous numbers or internal states from knowledge of the current internal state
  If we know the internal state, we can always find out what output will follow
  However, with a K4 PN-generator, we cannot find out what numbers came before our sequence
  ??? 1100101 1100101
BSI criteria – summary
BSI classes for PN-generators:
  K1: Parts of the PN-sequence are different from each other
  K2: The PN-sequence has the statistical properties of a random sequence (based on standard tests)
  K3: It is practically impossible to work out the internal state of the generator, or the numbers which precede or follow the PN-sequence, knowing the PN-sequence
  K4: It is practically impossible to guess previous numbers or internal states from knowledge of the current internal state
Golomb's postulates
  Solomon W. Golomb
  Criteria for a perfectly random sequence
  Applied to one whole period of the sequence
  Based on coin throws:
    probability of tails (T): 50 % (0 in output)
    probability of heads (H): 50 % (1 in output)
  1 1 0 0 1 0 1
  H H T T H T H
G1 – Equal number of 1s and 0s
  The number of 1s and the number of 0s differ by at most one.
  The probability is 0.5 both for 0 and for 1
  ⇒ the totals must be equal for an even period
  ⇒ the totals must differ by at most 1 for an odd period
  1100101
G2 – Lengths of runs
  Run = group of identical values (e.g. 111, 0000) in the sequence
  Block = group of ones, Gap = group of zeroes
G2 – Lengths of runs
  Half the runs have length 1, one-fourth have length 2, one-eighth have length 3, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are equally many gaps and blocks.
  In every run, the probability that the run will end with the next digit is 50 %
  Demonstration: in the 1st coin throw, we got a 1.
    In the 2nd throw, the 1 will become 11 with 50 % chance.
    In the 3rd throw, the 11 will become 111 with another 50 % chance.
  So: there will be 2x more 1s than 11s, and 2x more 11s than 111s
  1100101
G3 – Cyclic autocorrelation
  The out-of-phase autocorrelation of the sequence always has the same value.
  Autocorrelation tells us how similar (predictable) parts of the sequence are (it can reveal the period of a periodic sequence)
  Knowing previous results, we cannot predict the next
Autocorrelation
  Compare one period of the sequence 1100101 with the same sequence shifted cyclically by τ positions.
  A(τ) = (number of agreeing positions) − (number of disagreeing positions); τ = 0 is the in-phase case.

  τ   shifted sequence   agree (✓) / disagree (✗)   A(τ)
  0   1100101            ✓✓✓✓✓✓✓                     7 − 0 = 7   (in phase)
  1   1001011            ✓✗✓✗✗✗✓                     3 − 4 = −1
  2   0010111            ✗✗✗✓✓✗✓                     3 − 4 = −1
  3   0101110            ✗✓✓✗✓✗✗                     3 − 4 = −1
  4   1011100            ✓✗✗✗✓✓✗                     3 − 4 = −1
  5   0111001            ✗✓✗✗✗✓✓                     3 − 4 = −1
  6   1110010            ✓✓✗✓✗✗✗                     3 − 4 = −1
Golomb's postulates – summary
For one whole period of a pseudo-random sequence:
  G1: The number of 1s and the number of 0s differ by at most one.
  G2: Half the runs have length 1, one-fourth have length 2, one-eighth have length 3, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are equally many gaps and blocks.
  G3: The out-of-phase autocorrelation of the sequence always has the same value. The in-phase autocorrelation has value equal to the length of the period.
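As an added example (not code from the slides), the following Python checks the three postulates on one period given as a bit string, using the slides' sequence 1100101. Runs are counted cyclically over the period, and the function names are my own choices.

```python
from typing import List, Tuple


def bits(s: str) -> List[int]:
    """Parse a string such as "1100101" into a list of 0/1 ints."""
    return [int(ch) for ch in s]


def g1_balanced(period: List[int]) -> bool:
    """G1: the numbers of 1s and 0s over one period differ by at most one."""
    ones = sum(period)
    return abs(ones - (len(period) - ones)) <= 1


def cyclic_runs(period: List[int]) -> List[Tuple[int, int]]:
    """Split one period, treated cyclically, into runs of (value, length).
    The period is rotated to start at a run boundary, so a run that wraps
    around the end of the period (the 1 ... 11 in 1100101) is counted once."""
    n = len(period)
    if len(set(period)) == 1:          # constant sequence: a single run
        return [(period[0], n)]
    start = next(i for i in range(n) if period[i] != period[i - 1])
    rotated = period[start:] + period[:start]
    runs, value, length = [], rotated[0], 0
    for bit in rotated:
        if bit == value:
            length += 1
        else:
            runs.append((value, length))
            value, length = bit, 1
    runs.append((value, length))
    return runs


def g2_run_lengths(period: List[int]) -> bool:
    """G2: 1/2 of the runs have length 1, 1/4 length 2, 1/8 length 3, ...
    as long as the expected count exceeds 1; for each such length the
    number of blocks (runs of 1s) equals the number of gaps (runs of 0s)."""
    runs = cyclic_runs(period)
    total, k = len(runs), 1
    while total / 2 ** k > 1:
        values = [value for value, length in runs if length == k]
        if len(values) != total / 2 ** k:
            return False
        if values.count(1) != values.count(0):
            return False
        k += 1
    return True


def autocorrelation(period: List[int], tau: int) -> int:
    """A(tau) = (#positions where s_i == s_{i+tau}) - (#positions where they
    differ), the shift being taken cyclically over one period."""
    n = len(period)
    agree = sum(1 for i in range(n) if period[i] == period[(i + tau) % n])
    return agree - (n - agree)


def g3_two_valued_autocorrelation(period: List[int]) -> bool:
    """G3: every out-of-phase autocorrelation A(tau), tau != 0, has the same
    value; the in-phase value A(0) equals the period length by construction."""
    values = {autocorrelation(period, tau) for tau in range(1, len(period))}
    return len(values) == 1


def golomb_report(seq: str) -> dict:
    """Evaluate all three postulates on one period given as a bit string."""
    p = bits(seq)
    return {"G1": g1_balanced(p),
            "G2": g2_run_lengths(p),
            "G3": g3_two_valued_autocorrelation(p)}
```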
Feedback Shift Registers (FSRs)
General scheme of a stream cipher
  (figure) Initial state → PN-generator → PN-sequence; Message ⊕ PN-sequence = Ciphertext
Example Feedback Shift Register
  (figure) stages x1 x2 x3 holding 0 1 0, feedback function f(x1, x2, x3), Output
  Memory cells (stages x1, x2, x3), connected together
  Each stage holds one bit
  Number of stages = length of the register = L
  The feedback function f outputs 1 bit based on the contents of the stages
Example Feedback Shift Register
  (figure) stages x1 x2 x3 holding 0 1 0, feedback function f(x1, x2, x3), Output
  On a clock pulse, all stages shift to the right
  The content of the first stage is determined by the feedback function
  The content of the last stage is discarded
  Contents of the stages = internal state of the FSR
  Initial state = contents of the stages at the beginning
Output of an FSR
  (figure) stages x1 x2 x3 holding 0 1 0, feedback function f(x1, x2, x3), Output
  Output can be taken directly from the feedback function or from any of the stages
  Output depends on the feedback function
  Not all feedback functions give good output
  We can learn whether the output is good from the state transitions
  The feedback function determines the next state
  The new state gives new values to the feedback function
  State transitions can be visualised by De Bruijn graphs
De Bruijn graphs
Feedback function f = x1 ⊕ x2x3 on a register of L = 3 stages (x1 x2 x3). The graph has one node per state: 100, 110, 111, 011, 101, 010, 001, 000. On each clock pulse the new x1 is the output of f, the old x1 and x2 shift into x2 and x3, and the old x3 is discarded.
  Let's start with the state 100. . .
  State 100: f = 1 ⊕ 0·0 = 1. Output is 1. After shift, we will get state 110. . .
  State 110: f = 1 ⊕ 1·0 = 1. Next state 111
  State 111: f = 1 ⊕ 1·1 = 0. Next state 011
  State 011: f = 0 ⊕ 1·1 = 1. Next state 101
  State 101: f = 1 ⊕ 0·1 = 1. Next state will be 110. . .
  Which states are missing? Try 010. . .
  State 010: f = 0 ⊕ 1·0 = 0. Next state will be 001. . .
  State 001: f = 0 ⊕ 0·1 = 0. Next state 000
  State 000: f = 0 ⊕ 0·0 = 0. Next state 000
  We have all 8 states, graph is complete.
Linear vs. non-linear operations
  A linear operator has the same number of 1s and 0s in its output (it is balanced)
  A linear operator preserves the statistical properties of the sequence
  A non-linear operator can spoil the statistical properties
  XOR operator (x1 ⊕ x2):
    ⊕ | 0 1
    0 | 0 1
    1 | 1 0
    2 ones, 2 zeroes – linear
  AND operator (x1x2):
    · | 0 1
    0 | 0 0
    1 | 0 1
    1 one, 3 zeroes – non-linear
Singularity of the feedback function
  The state diagram is cyclic if the feedback function f is non-singular
  f is non-singular if it contains the last stage of the FSR as a linear element (no non-linear operators are used on it)
  ⇒ in order for the output to be periodic for all initial states, the feedback function must contain the last stage as a linear element:
    f = f′(x1, …, x_{n−1}) ⊕ x_n
Singular feedback function
  Singular feedback function (x1 ⊕ x2x3)
  Output is ultimately periodic
  Not suitable for use in cryptography
  State graph: 100 → 110 → 111 → 011 → 101 → 110 (a cycle of length 4 that 100 only leads into); 010 → 001 → 000 → 000 (a cycle of length 1 that 010 and 001 only lead into)
Non-singular feedback function
  Non-singular feedback function (x1 ⊕ x2 ⊕ x3)
  Output is periodic for every state
  Several different cycles
  Still not suitable for use in cryptography
  State graph: 100 → 110 → 011 → 001 → 100 (length 4); 101 → 010 → 101 (length 2); 111 → 111 and 000 → 000 (length 1 each)
Non-linear vs. linear FSRs
  x1x2 ⊕ x3 – non-linear feedback function (has AND)
    Mathematical theory not as well developed
    Difficult to get a good output sequence (De Bruijn FSRs)
  vs. x1 ⊕ x2 ⊕ x3 – linear feedback function (no AND, only XOR)
    Well-developed mathematical theory
    Relatively easy to get a good output sequence
Feedback polynomial
  (figure) stages x1 x2 x3 with feedback f = c1x1 ⊕ c2x2 ⊕ c3x3, Output
  For Linear Feedback Shift Registers (LFSRs)
  Polynomial description of the feedback function (shown for L = 3; the polynomial has degree n = L in general):
    f(x) = 1 + c1·x + c2·x² + c3·x³
    ci ∈ {0, 1}, cn = 1
Reducible polynomial
  Feedback function x1 ⊕ x2 ⊕ x3
  Feedback polynomial 1 + x + x² + x³
  1 + x + x² + x³ = (1 + x)(1 + x²)
  Different lengths of cycles: 100 → 110 → 011 → 001 → 100 (length 4); 101 → 010 → 101 (length 2); 111 and 000 (length 1 each)
  Not suitable for use in cryptography
Irreducible polynomial
  No suitable example for L = 3
  Feedback function x1 ⊕ x2 ⊕ x3 ⊕ x4
  Feedback polynomial 1 + x + x² + x³ + x⁴
  Cycles of the same length (the length is a divisor of 2^L − 1)
  Still not suitable for use in cryptography
  State graph: 1111 → 0111 → 1011 → 1101 → 1110 → 1111 (length 5); 0001 → 1000 → 1100 → 0110 → 0011 → 0001 (length 5); 1010 → 0101 → 0010 → 1001 → 0100 → 1010 (length 5); 0000 → 0000
Primitive polynomial
  A special class of irreducible polynomials
  Feedback function x2 ⊕ x3
  Feedback polynomial 1 + x² + x³
  One long cycle (+ the all-zero state)
  Output passes all of Golomb's postulates
  Suitable for use in cryptography
  State graph: 001 → 100 → 010 → 101 → 110 → 111 → 011 → 001 (length 7 = 2³ − 1); 000 → 000
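Added example, not code from the slides: a small FSR simulator in Python that enumerates the state transitions (the edges of the De Bruijn state graph) for the feedback functions used on the slides, reports the cycle structure, and reads the output of the primitive LFSR from its last stage. All function names are my own.

```python
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

State = Tuple[int, ...]          # (x1, ..., xL); x1 is the stage fed by f
Feedback = Callable[..., int]    # f(x1, ..., xL) -> new value of x1


def fsr_step(state: State, f: Feedback) -> State:
    """One clock pulse: new x1 = f(state), every stage shifts right, old xL is discarded."""
    return (f(*state),) + state[:-1]


def output_sequence(state: State, f: Feedback, n: int) -> str:
    """Clock the register n times and read the output from the last stage xL."""
    out = []
    for _ in range(n):
        out.append(str(state[-1]))
        state = fsr_step(state, f)
    return "".join(out)


def cycle_structure(L: int, f: Feedback) -> Tuple[List[List[State]], List[State]]:
    """Follow the transitions of an L-stage FSR from each of the 2^L states.
    Returns the cycles and the 'tail' states that only lead into a cycle
    (ultimately periodic output); a non-singular f has no tails."""
    nxt: Dict[State, State] = {s: fsr_step(s, f) for s in product((0, 1), repeat=L)}
    cycles: List[List[State]] = []
    on_cycle: Set[State] = set()
    for s in nxt:
        t = s
        for _ in range(len(nxt)):      # after 2^L steps we are certainly on a cycle
            t = nxt[t]
        if t in on_cycle:
            continue
        cyc, u = [t], nxt[t]
        while u != t:
            cyc.append(u)
            u = nxt[u]
        cycles.append(cyc)
        on_cycle.update(cyc)
    tails = [s for s in nxt if s not in on_cycle]
    return cycles, tails


def cycle_lengths(L: int, f: Feedback) -> List[int]:
    return sorted(len(c) for c in cycle_structure(L, f)[0])


def is_nonsingular(L: int, f: Feedback) -> bool:
    """Every state lies on a cycle, i.e. the output is periodic for every initial state."""
    return not cycle_structure(L, f)[1]


def fmt(state: State) -> str:
    return "".join(map(str, state))


# The feedback functions from the slides (3 and 4 stages).
singular = lambda x1, x2, x3: x1 ^ (x2 & x3)             # x1 ⊕ x2x3
reducible = lambda x1, x2, x3: x1 ^ x2 ^ x3              # 1 + x + x^2 + x^3 = (1+x)(1+x^2)
irreducible = lambda x1, x2, x3, x4: x1 ^ x2 ^ x3 ^ x4   # 1 + x + x^2 + x^3 + x^4
primitive = lambda x1, x2, x3: x2 ^ x3                   # 1 + x^2 + x^3

if __name__ == "__main__":
    for name, L, f in [("singular", 3, singular), ("reducible", 3, reducible),
                       ("irreducible", 4, irreducible), ("primitive", 3, primitive)]:
        cycles, tails = cycle_structure(L, f)
        print(name, "cycles:", [" -> ".join(map(fmt, c)) for c in cycles],
              "tails:", [fmt(t) for t in tails])
    print("primitive LFSR output from 001:", output_sequence((0, 0, 1), primitive, 7))
```

The primitive register started from 001 emits 1001011, a cyclic shift of the slides' sequence 1100101.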
Security of LFSRs
Security of LFSRs
  (figure) stages x1 x2 x3 holding 0 1 0, feedback function f(x1, x2, x3), Output
  BSI classes of pseudo-random sequences:
    K1: Parts of the PN-sequence are different from each other
    K2: The PN-sequence has the statistical properties of a random sequence (based on standard tests)
    K3: It is practically impossible to work out the internal state of the generator, or the numbers which precede or follow the PN-sequence, knowing the PN-sequence
    K4: It is practically impossible to guess previous numbers or internal states from knowledge of the current internal state
  LFSR output: BSI class K2
Security of LFSRs
  Security ≈ can we guess which number comes next?
  Berlekamp-Massey algorithm:
    Input: a sequence
    Output: the shortest LFSR that generates the sequence, and the initial state of the LFSR
    Time complexity: quadratic (≈ L²)
  ⇒ with a long enough LFSR, the algorithm will take forever
  A sequence that can be generated by an LFSR with at least L stages has linear complexity L
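Added example, not from the slides: a GF(2) Berlekamp-Massey implementation in Python, run on two periods of the slides' sequence 1100101 (it recovers the feedback polynomial 1 + x² + x³ and predicts the next bit) and on the same LFSR read through a non-linear filter. The filter x1·x2 ⊕ x3 and all function names are my own choices.

```python
from typing import List, Tuple


def berlekamp_massey(s: List[int]) -> Tuple[int, List[int]]:
    """Shortest LFSR over GF(2) that generates the bit sequence s.
    Returns (L, C): L is the linear complexity and C = [1, c1, ..., cL] are the
    coefficients of the connection polynomial C(x) = 1 + c1 x + ... + cL x^L,
    i.e. s[t] = c1*s[t-1] ^ ... ^ cL*s[t-L] for every t >= L."""
    C, B = [1], [1]     # current and previous connection polynomial
    L, m = 0, 1         # current linear complexity; clocks since the last length change
    for i, bit in enumerate(s):
        # discrepancy: does the current LFSR predict s[i] correctly?
        d = bit
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        # C(x) <- C(x) + x^m * B(x)   (coefficient addition is XOR in GF(2))
        C += [0] * max(0, len(B) + m - len(C))
        for j, bj in enumerate(B):
            C[j + m] ^= bj
        if 2 * L <= i:              # the register has to grow
            L, B, m = i + 1 - L, T, 1
            C += [0] * max(0, L + 1 - len(C))
        else:
            m += 1
    return L, C[:L + 1]


def connection_polynomial(C: List[int]) -> str:
    """Render [1, c1, ..., cL] as '1 + x^2 + x^3' (the slides' feedback polynomial)."""
    terms = ["1"] + [("x^%d" % i if i > 1 else "x") for i, c in enumerate(C) if i and c]
    return " + ".join(terms)


def predict_next(s: List[int], C: List[int]) -> int:
    """Clock the recovered LFSR once more: the bit that should follow s."""
    return sum(C[j] & s[len(s) - j] for j in range(1, len(C))) % 2


def linear_complexity(s: List[int]) -> int:
    return berlekamp_massey(s)[0]


def filtered_lfsr(state: Tuple[int, int, int], n: int) -> List[int]:
    """The slides' primitive 3-stage LFSR (feedback x2 ⊕ x3) read through the
    non-linear filter g = x1·x2 ⊕ x3 instead of from a stage (filter generator).
    The filter is a constructed example, not one from the slides."""
    out = []
    for _ in range(n):
        x1, x2, x3 = state
        out.append((x1 & x2) ^ x3)
        state = (x2 ^ x3, x1, x2)
    return out


if __name__ == "__main__":
    seq = [int(b) for b in "1100101" * 2]
    L, C = berlekamp_massey(seq)
    print("linear complexity", L, "polynomial", connection_polynomial(C),
          "next bit", predict_next(seq, C))
    print("filtered LFSR linear complexity", linear_complexity(filtered_lfsr((0, 0, 1), 14)))
```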
Increasing linear complexity
  To achieve a higher linear complexity of the output sequence, we need to introduce some nonlinearity. To introduce nonlinearity, we can use:
    Nonlinear FSR (difficult)
    Nonlinear filter generator
    Nonlinear combination generator
    Alternating step generator
    Shrinking generator
Non-linear filter generator
  (figure) register 0 1 0 with f_feedback(x1, x2, x3) and f_filter(x1, x2, x3) → Output
  The feedback function remains the same (linear)
  The non-linear filter function takes the internal state and returns 1 bit
  Output is taken from the filter function
  The filtering function must preserve the statistical properties of the output sequence
Non-linear combination generator
  (figure) LFSR 1, LFSR 2, LFSR 3 → fc → Out
  A non-linear combining function fc combines the output from multiple LFSRs
  The combination function has to preserve the statistical properties of the output sequences
  The combination function can have memory of its own
Alternating steps
  (figure) LFSR 1 produces the control bit x; x and its complement gate the clocks of LFSR 2 and LFSR 3, whose outputs form the Output
  LFSR 1's output x is used to enable or disable the clock
  x = 1 will shift LFSR 2, x = 0 will shift LFSR 3
  For maximum security, the lengths (L1, L2, L3) of the registers should be similar but relatively prime:
    gcd(L1, L2) = 1, gcd(L2, L3) = 1, gcd(L1, L3) = 1
    L1 ≈ L2 ≈ L3
Shrinking
  (figure) LFSR 1 → ai, LFSR 2 → bi; if ai = 1, output bi; if ai = 0, discard bi
  We use LFSR 1 to discard some of LFSR 2's output
  The lengths of the registers should be similar and relatively prime to achieve maximum security:
    gcd(L1, L2) = 1
    L1 ≈ L2
Increasing linear complexity – summary
  To achieve a higher linear complexity of the output sequence, we need to introduce some nonlinearity. To introduce nonlinearity, we can:
    Use a nonlinear FSR (difficult)
    Use a different (nonlinear) function for the output than we use for feedback (nonlinear filter generator)
    Use multiple LFSRs and combine their outputs using a nonlinear function (nonlinear combination generator)
    Use an LFSR as the clock for other LFSRs (alternating steps)
    Use an LFSR to discard some of another LFSR's output (shrinking)
A5/1 cipher
  (figure) LFSR 1 with labelled stages x1, x9, x14, x17, x18, x19 (L1 = 19); LFSR 2 with stages x1, x11, x21, x22 (L2 = 22); LFSR 3 with stages x1, x8, x11, x21, x22, x23 (L3 = 23); a clock control block; Output
  Used in GSM (2G – voice)
  Broken by brute-force/precomputation attacks (64-bit key)
  Notice the design properties:
    gcd(L1, L2) = 1, gcd(L2, L3) = 1, gcd(L1, L3) = 1
    L1 ≈ L2 ≈ L3
Sources
  Slobodan Petrovic's lectures at Gjovik University College
  Alfred J. Menezes: Handbook of Applied Cryptography
  Springer Reference: Golomb's Randomness Postulates
  Springer Reference: Autocorrelation
  Bundesamt für Sicherheit in der Informationstechnik (BSI): Functionality Classes and Evaluation Methodology for Deterministic Random Number Generators
  Elad Barkan, Eli Biham: Conditional Estimators: An Effective Attack on A5/1
Questions?