
Page 1: Stream Ciphers - Darmstadt University of Applied … ciphers vs. Block ciphers ... 1940s–project VENONA: US&UK broke Soviet messages ... BSI Criteria–summary

Stream Ciphers

Michal Dobes

19. 5. 2014

Michal Dobes Stream Ciphers 19. 5. 2014 1 / 56


Outline

1 Introduction
  One-time pad (Vernam Cipher)

2 Pseudo-random sequences (PN-sequences)
  Golomb's postulates

3 Feedback Shift Registers (FSRs)


Introduction

Stream ciphers vs. Block ciphers

Block ciphers – output
- Encrypt 1 block of bits at a time
- If the block size is 64 bits and we want to encrypt a 65-bit-long message, we will need 2 blocks and the resulting ciphertext will be 128 bits long

Stream ciphers – output
- Encrypt 1 bit at a time
- Encrypting a 65-bit-long message gives us a 65-bit-long ciphertext


Stream ciphers vs. Block ciphers

Block ciphers
- Encrypt 1 block of bits at a time
- No well-developed mathematical background
- Rather difficult HW implementation

Stream ciphers
- Encrypt 1 bit at a time
- Mathematical background developed to an extent
- Fast and efficient in HW


One-time pad (Vernam Cipher)


One-time pad encryption

Principle
- Uses the binary XOR operation (⊕)
- Ciphertext = Message ⊕ Key
- Every bit of the key has to be random

Message:    0 1 0 0 0 0 0 1   'A'
Key:        0 0 0 1 0 0 1 1   key stream
Ciphertext: 0 1 0 1 0 0 1 0   'R'


One-time pad decryption

Principle
- Ciphertext = Message ⊕ Key
- Key ⊕ Key = 0 ⇒ Message = Ciphertext ⊕ Key

Ciphertext: 0 1 0 1 0 0 1 0   'R'
Key:        0 0 0 1 0 0 1 1   same sequence
Message:    0 1 0 0 0 0 0 1   'A'


One-time pad: Perfect secrecy

Proven to be resistant to brute-force attack:
- The key is as long as the message
- Therefore, by enumerating all keys we get all possible messages of the given length
- We will not know which message is the correct one


One-time pad key reuse problem

- The key can only be used once
- When reused, the cipher can be broken:

C1 = M1 ⊕ K
C2 = M2 ⊕ K
⇒ C1 ⊕ C2 = M1 ⊕ K ⊕ M2 ⊕ K = M1 ⊕ M2

1940s – project VENONA: US & UK broke Soviet messages


Key reuse problem demonstration

[Figure: messages M1 and M2, each encrypted with the same key K, giving ciphertexts C1 and C2]

[Figure: C1 ⊕ C2 = M1 ⊕ M2, the key K cancels and only the two messages remain]
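The encryption, decryption and key-reuse identity of the one-time pad slides above, as an added Python example (my own code, not from the slides). It reproduces the slide's 'A' ⊕ 00010011 = 'R' example, refuses keys that are not exactly as long as the message, and wraps pad material in a small class that hands out every byte only once, which is the defender's side of "the key can only be used once". The names otp_xor, OneTimePad, slide_example and key_reuse_leak are mine; the sample plaintexts are constructed.

```python
import secrets


def otp_xor(data: bytes, key: bytes) -> bytes:
    """Vernam cipher: XOR every bit of the data with the matching key bit.

    Encryption and decryption are the same operation, because
    (M xor K) xor K = M, since K xor K = 0.  The key must be exactly as long
    as the data: a shorter key would have to be recycled, which is the reuse
    flaw of the slides, so it is rejected instead of silently repeated.
    """
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def bit_string(data: bytes) -> str:
    """Render bytes as bits, like the rows of the slide's table."""
    return " ".join(f"{b:08b}" for b in data)


def slide_example():
    """Reproduce the slide: 'A' = 01000001, key 00010011, ciphertext 'R'."""
    message = b"A"
    key = bytes([0b00010011])               # the slide's key stream byte
    ciphertext = otp_xor(message, key)
    recovered = otp_xor(ciphertext, key)    # decryption: same XOR, same key
    assert recovered == message
    return bit_string(message), bit_string(ciphertext), ciphertext.decode("ascii")


class OneTimePad:
    """Pad material that can be consumed exactly once.

    Every byte handed out is overwritten with zeros, so the same key stream
    cannot be applied to a second message even by a careless caller.  Both
    parties hold an identical copy of the pad, shared out-of-band (the key
    distribution problem the slides mention); fresh() draws the material from
    the OS CSPRNG as a stand-in for a true random source.
    """

    def __init__(self, material: bytes):
        self._pad = bytearray(material)
        self._pos = 0

    @classmethod
    def fresh(cls, length: int) -> "OneTimePad":
        return cls(secrets.token_bytes(length))

    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("pad exhausted: a one-time pad is never reused")
        chunk = bytes(self._pad[self._pos:self._pos + n])
        self._pad[self._pos:self._pos + n] = bytes(n)   # wipe what was handed out
        self._pos += n
        return chunk

    def encrypt(self, message: bytes) -> bytes:
        return otp_xor(message, self.take(len(message)))

    decrypt = encrypt   # same XOR, same position in the shared pad


def key_reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """The identity the slides derive: with one key K used for two messages,
    C1 xor C2 = (M1 xor K) xor (M2 xor K) = M1 xor M2.  Returns C1 xor C2 so
    the caller can see that K has cancelled and only the messages remain."""
    c1 = otp_xor(m1, key)
    c2 = otp_xor(m2, key)
    return otp_xor(c1, c2)


if __name__ == "__main__":
    print(slide_example())
    shared = secrets.token_bytes(32)             # constructed shared pad
    sender, receiver = OneTimePad(shared), OneTimePad(shared)
    c = sender.encrypt(b"meet at nine")
    print(receiver.decrypt(c), sender.remaining(), "pad bytes left")
```
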


One-time pad properties

- Offers perfect secrecy (as the only cipher)
- The key has to be a random sequence
- Can be looked at as a stream cipher (1 bit of message ⊕ 1 bit of key = 1 bit of ciphertext)


One-time pad disadvantages

- The key has to be as long as the original message
- The key cannot be reused
- Impractical for common use (key distribution problems)
- More practical: generate a pseudo-random sequence based on a random input


General scheme of a stream cipher

[Figure: initial state → PN-generator → PN-sequence; PN-sequence ⊕ Message = Ciphertext]


Pseudo-random sequences (PN-sequences)


- A sequence that looks random
- PN = pseudo noise
- The same initial state always gives the same sequence
- Initial state = key
- General scheme of a stream cipher:

[Figure: initial state → PN-generator → PN-sequence; PN-sequence ⊕ Message = Ciphertext]


Criteria of BSI (Bundesamt für Sicherheit in der Informationstechnik)

- BSI developed four classes for PN-generators
- Classes K1 (weakest) to K4 (strongest)
- Downward compatibility: in order for a generator to pass a specific class, it must also pass all the previous classes.
- Examples: a K2 generator must pass K1 and K2. A K4 generator must pass K1, K2, K3 and K4.


BSI Class K1

K1: Parts of the PN-sequence are different from each other

- We divide the sequence into c-bit-long groups
- There should be a high probability that the groups are different from each other
- We choose the value of c based on the intended use
- A simple counter will pass the K1 criteria

Example:
1100101 1100101 1100101


BSI Class K2

K2: The PN-sequence has the statistical properties of a random sequence (based on standard tests)

The sequence must, among other things:
- Have approximately the same number of 1s and 0s
- Not have too long groups of 1s or 0s
- Have good autocorrelation properties (see further)

The sequence of the first 20 000 output bits must pass the tests

1100101 1100101 1100101


BSI Class K3

K3: It is practically impossible to work out the internal state of the generator, or the numbers which precede or follow the PN-sequence, knowing the PN-sequence

- PN-generators have an internal state. Based on it, they generate the next bit of the PN-sequence
- If we know the internal state, we can find out what numbers will follow

1100101 1100101 1100101


BSI Class K4

K4: It is practically impossible to guess previous numbers or internal states from knowledge of the current internal state

- If we know the internal state, we can always find out what output will follow
- However, with a K4 PN-generator, we cannot find out what numbers came before our sequence

??? 1100101 1100101


BSI Criteria – summary

BSI classes for PN-generators:
K1: Parts of the PN-sequence are different from each other
K2: The PN-sequence has the statistical properties of a random sequence (based on standard tests)
K3: It is practically impossible to work out the internal state of the generator, or the numbers which precede or follow the PN-sequence, knowing the PN-sequence
K4: It is practically impossible to guess previous numbers or internal states from knowledge of the current internal state


Golomb’s postulates

- Solomon W. Golomb
- Criteria for a perfectly random sequence
- Applied to one whole period of the sequence
- Based on coin throws:
  Probability of tails (T): 50 % (0 in output)
  Probability of heads (H): 50 % (1 in output)

1 1 0 0 1 0 1
H H T T H T H


G1 – Equal number of 1s and 0s

The number of 1s and the number of 0s differ by at most one.

- The probability is 0.5 both for 0 and for 1
- ⇒ the total numbers must be equal for an even period
- ⇒ the total numbers must differ by at most 1 for an odd period

1100101


G2 – Lengths of runs

- Run = group of identical values (e.g. 111, 0000) in the sequence
- Block = group of ones, Gap = group of zeroes

Half the runs have length 1, one-fourth have length 2, one-eighth have length 3, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are equally many gaps and blocks.

- In every run, the probability that the run will end with the next digit is 50 %
- Demonstration: in the 1st coin throw, we got a 1. In the 2nd throw, the 1 will become 11 with 50 % chance. In the 3rd throw, the 11 will become 111 with another 50 % chance.
- So: there will be 2x more 1s than 11s, and 2x more 11s than 111s

1100101


G3 – Cyclic autocorrelation

The out-of-phase autocorrelation of the sequence always has the same value.

- Autocorrelation tells us how similar (predictable) parts of the sequence are (it can reveal the period of a periodic sequence)
- Knowing the previous results, we cannot predict the next


Autocorrelation

Sequence 1100101, written out over four periods: 1100101 1100101 1100101 1100101

One period is compared bit by bit with its cyclic shift by τ (✓ = agreement, ✗ = disagreement); A(τ) = (number of ✓) − (number of ✗):

τ = 0 (in phase):  ✓ ✓ ✓ ✓ ✓ ✓ ✓   A(0) = 7 − 0 = 7
τ = 1:             ✓ ✗ ✓ ✗ ✗ ✗ ✓   A(1) = 3 − 4 = −1
τ = 2:             ✗ ✗ ✗ ✓ ✓ ✗ ✓   A(2) = 3 − 4 = −1
τ = 3:             ✗ ✓ ✓ ✗ ✓ ✗ ✗   A(3) = 3 − 4 = −1
τ = 4:             ✓ ✗ ✗ ✗ ✓ ✓ ✗   A(4) = 3 − 4 = −1
τ = 5:             ✗ ✓ ✗ ✗ ✗ ✓ ✓   A(5) = 3 − 4 = −1
τ = 6:             ✓ ✓ ✗ ✓ ✗ ✗ ✗   A(6) = 3 − 4 = −1


Golomb’s postulates – summary

For 1 whole period of a pseudo-random sequence:

G1: The number of 1s and the number of 0s differ by at most one.

G2: Half the runs have length 1, one-fourth have length 2, one-eighth have length 3, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are equally many gaps and blocks.

G3: The out-of-phase autocorrelation of the sequence always has the same value. The in-phase autocorrelation has a value equal to the length of the period.
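To make the three postulates checkable, here is an added Python example (my own code, not from the slides) that evaluates G1, G2 and G3 over one period given as a string of 0s and 1s. A(τ) is computed exactly as the slides tally it, agreements minus disagreements between the period and its cyclic shift, so the running example 1100101 yields A(0) = 7 and A(τ) = −1 otherwise. The run counting treats the period cyclically, so a run that wraps around the period boundary is counted once. It goes a little beyond the slides by also running a non-random counter-example and the 15-bit output of a 4-stage LFSR; the function names (cyclic_runs, golomb_report, ...) and the sample sequences are mine.

```python
from collections import Counter


def cyclic_runs(period):
    """Maximal runs of identical bits over one period, treated cyclically.

    A run that wraps around the period boundary is counted once: in 1100101
    the trailing 1 joins the leading 11, so the runs are 00, 1, 0 and 111.
    Returns a list of (bit, length) pairs.
    """
    n = len(period)
    if len(set(period)) == 1:            # constant sequence: a single run
        return [(period[0], n)]
    start = next(i for i in range(n) if period[i] != period[i - 1])
    rotated = period[start:] + period[:start]   # now begins at a run boundary
    runs = []
    for bit in rotated:
        if runs and runs[-1][0] == bit:
            runs[-1] = (bit, runs[-1][1] + 1)
        else:
            runs.append((bit, 1))
    return runs


def g1_balanced(period):
    """G1: the numbers of 1s and 0s differ by at most one."""
    return abs(period.count("1") - period.count("0")) <= 1


def g2_run_lengths(period):
    """G2: half the runs have length 1, a quarter length 2, ... as long as the
    number so indicated is at least one run; where more than one run of a
    length is indicated, blocks (1-runs) and gaps (0-runs) of that length
    must be equally many."""
    runs = cyclic_runs(period)
    total = len(runs)
    by_length = Counter(length for _, length in runs)
    blocks = Counter(length for bit, length in runs if bit == "1")
    gaps = Counter(length for bit, length in runs if bit == "0")
    length = 1
    while total / 2 ** length >= 1:
        expected = total / 2 ** length
        if by_length[length] != expected:
            return False
        if expected > 1 and blocks[length] != gaps[length]:
            return False
        length += 1
    return True


def autocorrelation(period):
    """A(tau) = (#agreements) - (#disagreements) between the period and its
    cyclic shift by tau (the tick/cross tally of the slides), tau = 0..n-1."""
    n = len(period)
    values = []
    for tau in range(n):
        agree = sum(period[i] == period[(i + tau) % n] for i in range(n))
        values.append(agree - (n - agree))
    return values


def g3_autocorrelation(period):
    """G3: the in-phase value equals the period length and every out-of-phase
    value is the same (a two-valued autocorrelation)."""
    ac = autocorrelation(period)
    return ac[0] == len(period) and len(set(ac[1:])) == 1


def golomb_report(period):
    """Evaluate all three postulates on one period given as a '01' string."""
    if not period or set(period) - {"0", "1"}:
        raise ValueError("period must be a non-empty string of 0s and 1s")
    return {
        "G1": g1_balanced(period),
        "G2": g2_run_lengths(period),
        "G3": g3_autocorrelation(period),
        "autocorrelation": autocorrelation(period),
    }


if __name__ == "__main__":
    # constructed inputs: the slides' period, a non-random period, and the
    # period of a 4-stage LFSR (my example, not from the slides)
    for seq in ("1100101", "1111000", "000100110101111"):
        print(seq, golomb_report(seq))
```

The counter-example 1111000 is balanced (G1 holds) but has only two runs and a non-constant out-of-phase autocorrelation, so G2 and G3 fail; this is the kind of sequence the BSI K2 statistical tests are meant to reject.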


Feedback Shift Registers (FSRs)


Example Feedback Shift Register

[Figure: three stages x1 x2 x3 holding 0 1 0, feeding the feedback function f(x1, x2, x3); Output]

- Memory cells (stages x1, x2, x3), connected together
- Each stage holds one bit
- Number of stages = length of the register = L
- The feedback function f outputs 1 bit based on the contents of the stages


- On a clock pulse, all stages shift to the right
- The content of the first stage is determined by the feedback function
- The content of the last stage is discarded
- Contents of the stages = internal state of the FSR
- Initial state = contents of the stages at the beginning


Output of FSR

[Figure: stages x1 x2 x3 holding 0 1 0, feedback function f(x1, x2, x3), Output]

- Output can be taken directly from the feedback function or from any of the stages
- Output depends on the feedback function
- Not all feedback functions give good output
- We can learn whether the output is good from the state transitions
- The feedback function determines the next state
- The new state gives new values to the feedback function
- State transitions can be visualised by De Bruijn graphs


De Bruijn graphs

Feedback function f = x1 ⊕ x2x3; the graph has the 8 states 100, 110, 111, 011, 101, 010, 001, 000.

Let's start with the state 100...
- State 100: f = 1 ⊕ 0·0 = 1. Output is 1. After the shift, we get state 110.
- State 110: f = 1 ⊕ 1·0 = 1. Output is 1, next state 111.
- State 111: f = 1 ⊕ 1·1 = 0. Output is 0, next state 011.
- State 011: f = 0 ⊕ 1·1 = 1. Output is 1, next state 101.
- State 101: f = 1 ⊕ 0·1 = 1. Output is 1, next state will be 110...

Which states are missing? Try 010...
- State 010: f = 0 ⊕ 1·0 = 0. Output is 0, next state will be 001...
- State 001: f = 0 ⊕ 0·1 = 0. Output is 0, next state 000.
- State 000: f = 0 ⊕ 0·0 = 0. Output is 0, next state 000.

We have all 8 states, the graph is complete.

Feedback functions

Linear vs. non-linear operations

- A linear operator has the same amount of 1s and 0s in its output (they are balanced)
- A linear operator will preserve the statistical properties of the sequence
- A non-linear operator can spoil the statistical properties

XOR operator (x1 ⊕ x2):
  ⊕ | 0 1
  --+----
  0 | 0 1
  1 | 1 0
2 ones, 2 zeroes: linear

AND operator (x1x2):
  · | 0 1
  --+----
  0 | 0 0
  1 | 0 1
1 one, 3 zeroes: non-linear


Singularity of feedback function

- The state diagram is cyclic if the feedback function f is non-singular
- f is non-singular if it contains the last stage of the FSR as a linear element (no non-linear operators are used on it)
- ⇒ In order for the output to be periodic for all initial states, the feedback function must contain the last stage as a linear element:

$f = f'(x_1, \ldots, x_{n-1}) \oplus x_n$


Singular feedback function

- Singular feedback function (x1 ⊕ x2x3)
- Output is ultimately periodic
- Not suitable for use in cryptography

[State diagram: 100 → 110 → 111 → 011 → 101 → 110 (the cycle 110, 111, 011, 101, entered from 100); 010 → 001 → 000 → 000]


Non-singular feedback function

- Non-singular feedback function (x1 ⊕ x2 ⊕ x3)
- Output is periodic for every state
- Several different cycles
- Still not suitable for use in cryptography

[State diagram with the states 100, 011, 001, 110, 000, 111, 101, 010: cycles 000 → 000; 111 → 111; 101 → 010 → 101; 100 → 110 → 011 → 001 → 100]


Non-linear vs. linear FSRs

x1x2 ⊕ x3   vs.   x1 ⊕ x2 ⊕ x3

Non-linear feedback function (has AND):
- Mathematical theory not as well developed
- Difficult to get a good output sequence (De Bruijn FSRs)

Linear feedback function (no AND, only XOR):
- Well-developed mathematical theory
- Relatively easy to get a good output sequence


Feedback polynomial

x1 x2 x3

x1 x2 x3

f = c1x1 ⊕ c2x2 ⊕ c3x3

Output

For Linear Feedback Shift Registers (LFSRs)Polynomial description of the feedback function:

f (x1, . . .xn) = 1+ c1x+ c2x2 + c3x3

ci ∈ {0,1},cn = 1

Michal Dobes Stream Ciphers 19. 5. 2014 41 / 56

Page 71

Feedback Shift Registers (FSRs) – Feedback functions

Reducible polynomial

Feedback function $x_1 \oplus x_2 \oplus x_3$
Feedback polynomial $1 + x + x^2 + x^3$
$1 + x + x^2 + x^3 = (1 + x)(1 + x^2)$
Different lengths of cycles
Not suitable for use in cryptography

[Figure: state diagram of the 3-stage LFSR over its 8 states 100, 011, 001, 110, 000, 111, 101, 010]

Page 72

Feedback Shift Registers (FSRs) – Feedback functions

Irreducible polynomial

No suitable example for L = 3
Feedback function $x_1 \oplus x_2 \oplus x_3 \oplus x_4$
Feedback polynomial $1 + x + x^2 + x^3 + x^4$
Cycles of the same length (length is a divisor of $2^L - 1$)
Still not suitable for use in cryptography

[Figure: state diagram of the 4-stage LFSR over its 16 states 1111, 0000, 0111, 1011, 1101, 1110, 0001, 1000, 1100, 0110, 0011, 1010, 0101, 0010, 1001, 0100]

Page 73

Feedback Shift Registers (FSRs) – Feedback functions

Primitive polynomial

Special class of irreducible polynomials
Feedback function $x_2 \oplus x_3$
Feedback polynomial $1 + x^2 + x^3$
One long cycle (+ all-zero state)
Output passes all Golomb's postulates
Suitable for use in cryptography

[Figure: state diagram of the 3-stage LFSR over its 8 states 010, 001, 100, 101, 000, 110, 111, 011]
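As an added example that is not part of the original slides, the Python below computes the cycle structure of the state diagram for the three feedback polynomials on the reducible, irreducible and primitive slides. It assumes the slides' convention that the feedback bit (XOR of the tapped stages, 1-based) enters stage x1, the register shifts towards x_n, and the output is taken from x_n.

```python
from typing import List, Tuple

State = Tuple[int, ...]

def lfsr_step(state: State, taps: Tuple[int, ...]) -> State:
    """One clock of an n-stage LFSR in the slides' convention: the feedback
    bit is the XOR of the tapped stages (1-based indices), the register
    shifts right by one position and the feedback bit enters x1."""
    f = 0
    for i in taps:
        f ^= state[i - 1]
    return (f,) + state[:-1]

def cycle_lengths(n: int, taps: Tuple[int, ...]) -> List[int]:
    """Lengths of all cycles in the state diagram of the n-stage LFSR.
    The feedback must be non-singular (tap the last stage x_n), so each
    of the 2^n states lies on exactly one cycle."""
    if n not in taps:
        raise ValueError("singular feedback: x_n must be a linear tap")
    seen = set()
    lengths = []
    for s in range(2 ** n):
        state: State = tuple((s >> (n - 1 - k)) & 1 for k in range(n))
        if state in seen:
            continue
        length = 0
        while state not in seen:          # walk the cycle exactly once
            seen.add(state)
            state = lfsr_step(state, taps)
            length += 1
        lengths.append(length)
    return sorted(lengths)

def output_sequence(n: int, taps: Tuple[int, ...], start: State, length: int) -> List[int]:
    """Output bits (stage x_n) produced from the given start state."""
    out, state = [], start
    for _ in range(length):
        out.append(state[-1])
        state = lfsr_step(state, taps)
    return out

if __name__ == "__main__":
    # feedback x1+x2+x3, reducible 1+x+x^2+x^3 = (1+x)(1+x^2): cycles of different length
    print(cycle_lengths(3, (1, 2, 3)))        # [1, 1, 2, 4]
    # feedback x1+x2+x3+x4, irreducible 1+x+x^2+x^3+x^4: equal cycles, 5 divides 2^4-1
    print(cycle_lengths(4, (1, 2, 3, 4)))     # [1, 5, 5, 5]
    # feedback x2+x3, primitive 1+x^2+x^3: one cycle of 2^3-1 plus the all-zero state
    print(cycle_lengths(3, (2, 3)))           # [1, 7]
    print(output_sequence(3, (2, 3), (1, 0, 0), 14))  # m-sequence of period 7
```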

Page 74

Feedback Shift Registers (FSRs) – Security of LFSRs

Security of LFSRs

Page 75

Feedback Shift Registers (FSRs) – Security of LFSRs

Security of LFSRs

[Figure: 3-stage LFSR with stages x1, x2, x3 holding 0 1 0, feedback function f(x1, x2, x3) and output]

BSI classes of pseudorandom sequences:
K1 Parts of the PN-sequence are different from each other
K2 PN-sequence has statistical properties of a random sequence (based on standard tests)
K3 It is practically impossible to work out the internal state of the generator or the numbers which precede or follow the PN-sequence, knowing the PN-sequence
K4 It is practically impossible to guess previous numbers or internal states from knowledge of the current internal state.

BSI class K2


Page 77

Feedback Shift Registers (FSRs) – Security of LFSRs

Security of LFSRs

Security ≈ Can we guess which number comes next?
Berlekamp-Massey algorithm:
Input: sequence
Output: shortest LFSR that generates the sequence and the initial state of the LFSR
Time complexity: quadratic (≈ L²)
⇒ with a long enough LFSR, the algorithm will take forever
A sequence that can only be generated by an LFSR with at least L stages has linear complexity L

Page 78

Feedback Shift Registers (FSRs) – Security of LFSRs

Increasing linear complexity

To achieve higher linear complexity of the output sequence, we need to introduce some nonlinearity. To introduce nonlinearity, we can use:
Nonlinear FSR (difficult)
Nonlinear filter generator
Nonlinear combination generator
Alternating step generator
Shrinking generator

Page 79

Feedback Shift Registers (FSRs) – Increasing linear complexity

Non-linear filter generator

Feedback function remains the same (linear)
Non-linear filter function takes the internal state and returns 1 bit
Output is taken from the filter function
Filtering function must preserve the statistical properties of the output sequence

[Figure: 3-stage LFSR with stages x1, x2, x3 holding 0 1 0 and feedback function f_feedback(x1, x2, x3); the output is taken from the filter function f_filter(x1, x2, x3)]

Page 80

Feedback Shift Registers (FSRs) – Increasing linear complexity

Non-linear combination generator

Non-linear combining function fc combines the output from multiple LFSRs
Combination function has to preserve the statistical properties of the output sequences
Combination function can have memory of its own

[Figure: LFSR 1, LFSR 2 and LFSR 3 feed the combining function fc, whose output is Out]

Page 81

Feedback Shift Registers (FSRs) – Increasing linear complexity

Alternating steps

[Figure: LFSR 1 outputs the bit x, which selects whether LFSR 2 or LFSR 3 is clocked; the outputs of LFSR 2 and LFSR 3 are combined into the output]

LFSR 1's output x is used to enable or disable the clock
x = 1 will shift LFSR 2, x = 0 will shift LFSR 3
For maximum security, the lengths (L1, L2, L3) of the registers should be similar but relatively prime
gcd(L1, L2) = 1, gcd(L2, L3) = 1, gcd(L1, L3) = 1
L1 ≈ L2 ≈ L3

Page 82

Feedback Shift Registers (FSRs) – Increasing linear complexity

Shrinking

[Figure: LFSR 1 outputs a_i and LFSR 2 outputs b_i; if a_i = 1 (Yes), b_i becomes the output, otherwise (No) b_i is discarded]

We use LFSR 1 to discard some of LFSR 2's output
Lengths of the registers should be similar and relatively prime to achieve maximum security
gcd(L1, L2) = 1
L1 ≈ L2

Page 83

Feedback Shift Registers (FSRs) – Increasing linear complexity

Increasing linear complexity – summary

To achieve higher linear complexity of the output sequence, we need to introduce some nonlinearity. To introduce nonlinearity, we can:
Use a nonlinear FSR (difficult)
Use a different (nonlinear) function for output than we use for feedback (nonlinear filter generator)
Use multiple LFSRs and combine their outputs using a nonlinear function (nonlinear combination generator)
Use an LFSR as the clock for other LFSRs (alternating steps)
Use an LFSR to discard some of another LFSR's output (shrinking)
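As an added example that is not from the slides, the Python below serves both the Berlekamp-Massey slide and this summary: it implements Berlekamp-Massey over GF(2), recovers the 3-stage LFSR with feedback polynomial 1 + x^2 + x^3 from 14 output bits and predicts the next bit, then shows the nonlinear combination generator at work, where the AND of two maximum-length LFSRs with relatively prime lengths 3 and 2 raises the linear complexity to 3 · 2 = 6. The LFSR convention (feedback enters x1, output from x_n), the tap tuples and the start states are assumptions chosen to match the slides' diagrams.

```python
from typing import List, Tuple

def berlekamp_massey(s: List[int]) -> Tuple[int, List[int]]:
    """Shortest LFSR generating the bit sequence s (Massey, 1969).
    Returns (L, C): L is the linear complexity and C = [c0, ..., cL]
    (c0 = 1) satisfies s[i] = c1*s[i-1] ^ ... ^ cL*s[i-L] for i >= L."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n  # current / previous connection polynomial
    L, m = 0, -1                         # LFSR length / index of its last change
    for i in range(n):
        d = s[i]                         # discrepancy: does the LFSR predict s[i]?
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d == 0:
            continue
        t = c[:]
        for j in range(n + 1 - (i - m)): # c(x) <- c(x) + x^(i-m) * b(x)
            c[j + i - m] ^= b[j]
        if 2 * L <= i:                   # LFSR too short: lengthen it
            L, m, b = i + 1 - L, i, t
    return L, c[: L + 1]

def predict_next(s: List[int]) -> int:
    """Next bit of s as predicted by the LFSR recovered from s alone."""
    L, c = berlekamp_massey(s)
    bit = 0
    for j in range(1, L + 1):
        bit ^= c[j] & s[len(s) - j]
    return bit

def lfsr_output(taps: Tuple[int, ...], state: Tuple[int, ...], length: int) -> List[int]:
    """Output bits of an LFSR in the slides' convention: the XOR of the
    tapped stages (1-based) enters x1, the register shifts right and the
    output is taken from the last stage x_n."""
    out = []
    for _ in range(length):
        out.append(state[-1])
        f = 0
        for i in taps:
            f ^= state[i - 1]
        state = (f,) + state[:-1]
    return out

def product_generator(length: int) -> List[int]:
    """Nonlinear combination generator: AND of a 3-stage LFSR (primitive
    1+x^2+x^3) and a 2-stage LFSR (primitive 1+x+x^2); gcd(3, 2) = 1."""
    a = lfsr_output((2, 3), (1, 0, 0), length)
    b = lfsr_output((1, 2), (1, 0), length)
    return [x & y for x, y in zip(a, b)]
```

berlekamp_massey(lfsr_output((2, 3), (1, 0, 0), 14)) returns (3, [1, 0, 1, 1]), i.e. the polynomial 1 + x^2 + x^3 from 2L = 6 bits upwards, while berlekamp_massey(product_generator(42))[0] returns 6 for the combined output, whose period is 21.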

Page 84

Feedback Shift Registers (FSRs) – Increasing linear complexity

A5/1 cipher

[Figure: LFSR 1 with stages x1 … x19 (labelled stages x9, x14, x17, x18, x19), LFSR 2 with stages x1 … x22 (labelled x11, x21, x22), LFSR 3 with stages x1 … x23 (labelled x8, x11, x21, x22, x23), a clock control block and the combined output]

Used in GSM (2G – voice)
Broken by brute-force/precomputation attacks (64-bit key)
Notice the design properties:
gcd(L1, L2) = 1, gcd(L2, L3) = 1, gcd(L1, L3) = 1
L1 ≈ L2 ≈ L3

Page 85

The end

Sources

Slobodan Petrovic's lectures at Gjøvik University College
Alfred J. Menezes: Handbook of Applied Cryptography (link)
Springer Reference: Golomb's Randomness Postulates (link)
Springer Reference: Autocorrelation (link)
Bundesamt für Sicherheit in der Informationstechnik (BSI): Functionality Classes and Evaluation Methodology for Deterministic Random Number Generators (link)
Elad Barkan, Eli Biham: Conditional Estimators: An Effective Attack on A5/1 (link)

Page 86

The end

Questions?