5th December 2007 COSIC course within BCRYPT 1
Lecturer: Souradyuti Paul
Computer Security and Industrial Cryptography (COSIC), Department of Electrical Engineering
Katholieke Universiteit Leuven, Belgium
Email: [email protected]
An Introduction to Stream Ciphers

Foundations of Ciphers (1)
It is all about preventing information from being leaked
4 important secret mathematical objects
One way functions (OWFs)
Pseudorandom bit generators (PRBGs)
Pseudorandom functions (PRFs)
Pseudorandom permutations (PRPs)
… Can you think of anything more? (exercise)
Note the objects are used as a collection. Why?
Why "pseudo"? Thinking exercise

Foundations of Ciphers (2)
One way function: Given f and y = f(x) it is 'difficult' to retrieve x on the average
PRBG: y = f(x) is longer than x (stretching function); if x follows the uniform distribution so does y
PRF: (a set of functions S')
S = {all functions from 2^n → 2^n}, size (2^n)^(2^n)
S' is a subset of S with size 2^n, still it is difficult to distinguish S' from S "easily"
PRP: (a set of permutations S')
S = {all permutations from 2^n → 2^n}, is described in bits exponential in n
S' is a subset of S which can be described in bits polynomial in n
S and S' are 'indistinguishable'

Foundations of Ciphers (3)
Now if the security parameter n is a fixed value, all are insecure. Why? Ans. Brute force.
Asymptotic study (also called complexity theoretic), where n grows asymptotically
Drawback: practical ciphers have fixed keys
Concrete security considers a family of functions (Bellare, Kilian, Rogaway, '01)
Geared for fixed length keys
Uses fixed security goal

Inter-conversion Between OWFs, PRBGs, PRFs, PRPs
Is still an active field of research
OWF → PRBG: Blum and Micali '82, Yao '82, Levin '87, Hastad '90, Impagliazzo '89
OWF → PRF: Goldreich, Goldwasser, Micali '86
PRF → PRP: Luby and Rackoff '88
PRP → PRF: Bellare, Krovetz and Rogaway '98; Hall, Wagner, Kelsey and Schneier '98
What about PRBG → OWF, PRP → OWF? Are there other important theoretical questions?

Introduction to Stream Ciphers

Example: Encryption and Decryption
[Diagram: Sender → Plaintext → Encryption → Ciphertext → Decryption → Plaintext → Receiver, with an Attacker on the channel carrying the Ciphertext]

Simple Example: Shift Cipher
1. Plaintext: COSIC
2. Encryption: "Replace each letter by another 1 position shifted to the right"
3. Ciphertext: DPTJD
4. Decryption: "Replace each letter by another 1 position shifted to the left"
5. Plaintext: COSIC

Shift Cipher
Has some historical significance
Julius Caesar (1st century BC) used this cipher 2100 years ago!!!
Also known as Caesar Cipher
Very weak against modern computing machines

Cryptography: Historically
Egyptians used cryptography in 2500 BC (4500 years ago)
Romans were known to have used cryptography 2000 years ago for military purposes
Indians were also aware of several techniques to hide information 1800 years ago (vide Kamasutra, 2nd century AD)

Modern Cryptography
WWII: breaking of German cipher ENIGMA
Remained in private domain till late 1970s
Popular interest started in early '80s with the widespread growth of the Internet

Why and Where is Cryptology
Communication Systems require Protection of Digital Data from Unauthorized Users
Applications of Cryptography
Electronic Banking
Smart Card
E-Commerce
Defense
Wireless Communications
Satellite TV
Computer Security Systems
Government Identification

Scope of Cryptology: Security Issues
Confidentiality of Data
Primitives: Block Ciphers, Stream Ciphers, Public Key Cryptosystems etc.
Authentication of Data and Entity
Primitives: Hash Functions, Message Authentication Codes, Digital Signatures etc.
[Diagram: Cryptology branches into Confidentiality (data) and Authentication (data & entity)]

The Most Important Element in Cryptography: The Key
[Diagram: Sender → Plaintext → Encryption → Ciphertext → Decryption → Plaintext → Receiver, with an Attacker on the channel]

Cryptology: Based on Secret Key
Symmetric Key Primitives: Applications where sender and receiver share a common key
Examples: Block Ciphers (AES), Stream Ciphers (RC4), Hash Functions (SHA-1), MACs (HELIX) etc.
Asymmetric Key Primitives: Applications where sender and receiver do not share a common key
Examples: Public Key Cryptosystems (RSA), Digital Signatures (DSS) etc.
[Diagram: Cryptology branches into Symmetric key and Asymmetric key]

Perfect Security: Vernam Cipher or One time pad
Key:        011001001101001101010010…
Plaintext:  100101001000101001001110…
Bitwise XOR
Ciphertext: 111100000101100100011100…
The scheme is impractical because of the large size of the key

How to manage with short keys?
(Short key) → Stream Cipher → Keystream bits: 011001001101001101010010…
Plaintext:  100101001000101001001110…
Bitwise XOR
Ciphertext: 111100000101011001101100…

How does a Stream Cipher Work?
Two stages of a practical stream cipher
Key scheduling algorithm
Pseudorandom bit generation algorithm

Stage I : Key/IV Setup (KSA)
[Diagram: Key and IV enter the Key/IV set-up algorithm; after initialization and vigorous mixing the internal state is A B C]

Stage II : Pseudorandom Bit Generation Algo. (PRBG)
[Diagram: Round 1 mixes state A B C and gives Output 1; Round 2 mixes A' B' C' and gives Output 2; Round 3 mixes A'' B'' C'' and gives Output 3; … The keystream Output 1, Output 2, Output 3 is combined with Plaintext 1, 2, 3 to give Ciphertext 1, 2, 3]

Different types of Stream Ciphers
Synchronous Stream Cipher
Keystream independent of plaintext/ciphertext
No error propagation
Synchronization is a problem if ciphertext lost
Asynchronous Stream Cipher
Keystream depends on plaintext/ciphertext
Error propagation
Self-synchronizing Stream Cipher
Keystream depends on finite ciphertext and key
Synchronization 'automatic'

What is a block cipher
[Diagram: a block of Plaintext and the Key enter Encryption to give Ciphertext; the Ciphertext and the Key enter Decryption to give the Plaintext back]

Turning block cipher into a stream cipher: output feedback mode
[Diagram: the block cipher Encryption under the Key encrypts its own previous output (output feedback); each output block serves as keystream to produce Ciphertext]

Examples of Block Ciphers
DES
Rijndael
Serpent
Twofish
MARS
RC6
…

Block vs. Stream Cipher (I)
Original Idea: Block Ciphers operate with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext bits. [R. Rueppel]
However, some schemes retain some properties of both block and stream ciphers
Stream ciphers can be block oriented (Helix)
Block Cipher can be used as Stream Cipher (OFB)

Block vs. Stream Ciphers (II)
"Pure block and stream ciphers are two concrete points on a continuous design space and we increasingly use mixed modes" [Shamir, Asiacrypt 2004]
Therefore, the difference is only relative. Small plaintext size and fewer operations on plaintext in successive rounds separate stream ciphers from block ciphers

Stream Ciphers vs. PRBG
A PRBG does not need a proper decryption function
A stream cipher can be used as a PRBG
A PRBG may not be used as a stream cipher. Example: PRBG based on noise

Hardware based and Software based stream ciphers
Hardware is expensive
Hardware based stream ciphers should run on low memory. Example: LFSR-based
Hardware based stream ciphers are generally faster
Software based ciphers can take advantage of larger memory to improve security. Example: Large array-based

Why should we study stream ciphers?
Because of their high speed.
Most of the stream ciphers are even faster than block ciphers

Linear Feedback Shift Register (LFSR) based Stream Ciphers

An L-Stage Register
[Diagram: a row of L one-bit stages holding 1 0 1 1 0 0 1 1 0 0 1 0 1 1 0 1, numbered L-1, L-2, … 4 3 2 1 0 from left to right]

Why Study LFSR?
LFSR is a component of the internal state of a large number of stream ciphers
LFSR size is small: suitable for hardware implementation, which is expensive
LFSR generates output sequence of large period

An L-stage Linear Feedback Shift Register
[Diagram: stages L-1, L-2, … 4 3 2 1 0 holding bits; a selection of stages is added (mod 2) and fed back into stage L-1 while stage 0 is shifted out as Output]

An L-stage Linear Feedback Shift Register
[Diagram: the same LFSR after one clock: the contents have moved one stage towards stage 0, the feedback bit has entered stage L-1, and the bit 1 has been shifted out as Output]

Representing an LFSR: Using Linear Recurrence
[Diagram: stages z[L-1] … z[k] … z[5] z[3] z[0], with feedback coefficients a, b, c, d, e on the tapped stages]
• State update: z'[L-1] = a·z[L-2] + b·z[k] + c·z[5] + d·z[3] + e·z[0]
z'[k] = z[k+1] for all L-2 ≥ k ≥ 0

Representing an LFSR: Using Connection/Feedback Polynomial
[Diagram: stages z[L-2] … z[k] … z[5] z[3] z[0], with feedback coefficients a, b, c, d, e on the tapped stages]
• Ordered pair: (Initial state, connection polynomial)
• Example: (Z[0..L-1], 1 + a·X^2 + b·X^(L-k) + c·X^(L-5) + d·X^(L-3) + e·X^L)

Representing an LFSR: Example
[Diagram: 25 stages z[24] z[23] … z[10] z[5] z[3] z[0]; the five feedback coefficients are all 1]
LFSR size: 25 stages
Connection Poly: 1 + X^2 + X^15 + X^20 + X^22 + X^25

The Period of LFSR Output Sequence
[Diagram: LFSR stages L-1 … 1 0 and the output bits shifted out of stage 0]
• LFSR output is ultimately periodic. Proof: Mental Exercise
• The max. period of the sequence is 2^L - 1 (exercise)
• How to attain the maximum period?

The Maximum Period of LFSR Output
[Diagram: LFSR stages L-1 … 1 0 and the output bits shifted out of stage 0]
• The maximum period 2^L - 1: when the connection poly. is a primitive poly. of degree L over F_2
• Proof: exercise. Clue: order of a primitive poly. is 2^L - 1. (consult Lidl and Niederreiter, Chapter 6)

Linear Complexity (I)
[Diagram: an LFSR with stages A B … M N O P, of length L, producing the output sequence S_N = 01101011100…]
• S_N is an output sequence of length N
• The length L of the shortest such LFSR is the linear complexity of S_N

Linear Complexity: Examples (II)
If S_N are all zeroes then LC(S_N) = 0
If S_N = 000…001 then LC(S_N) = n (Friday evening exercise)
Exercise: If the connection polynomial is irreducible and has degree L, then the output sequence for any non-zero initial state of size L has LC equal to L

Linear Complexity: Berlekamp-Massey Algorithm (I)
[Diagram: an LFSR with stages A B … M N O P, of length L, producing the output sequence S_N = 01101011100…]
• What is the size of the shortest L and the connection polynomial given any finite output sequence S_N of length N?

What happens if LFSRs alone are used in a stream cipher?
The stream cipher is weak then
Why? Berlekamp-Massey algorithm reconstructs the LFSRs very quickly (polynomial time)
Remedy: Include nonlinear operations

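The following is an added worked example (not code from the lecture) that ties together the two preceding topics: an LFSR written as the slides' ordered pair (initial state, connection polynomial) with its period, and the Berlekamp-Massey algorithm that computes the linear complexity and recovers the connection polynomial from output bits. The state and tap conventions are those of the slides (z[0] is the output stage, the feedback bit enters at z[L-1], a tap on z[L-i] belongs to X^i, all sums mod 2); the polynomials and initial states used in the demonstration are chosen here for illustration.

```python
"""An LFSR as the ordered pair (initial state, connection polynomial), its
period, and the Berlekamp-Massey algorithm that finds the shortest LFSR
(the linear complexity) for a given output sequence."""
from typing import List, Set, Tuple

# The connection polynomial 1 + c_1 X + ... + c_L X^L is stored as the set of
# exponents with coefficient 1 (0 is always a member). The state z[0..L-1]
# follows the slides: z[0] is shifted out as output, the feedback bit enters
# at z[L-1], and the tap on stage z[L-i] belongs to the term X^i. All sums
# are mod 2, i.e. XOR.


def lfsr_step(state: List[int], poly: Set[int]) -> Tuple[List[int], int]:
    """One clock: returns (new state, output bit)."""
    L = len(state)
    fb = 0
    for i in poly:
        if i >= 1:
            fb ^= state[L - i]
    return state[1:] + [fb], state[0]


def lfsr_sequence(state: List[int], poly: Set[int], n: int) -> List[int]:
    """First n output bits of the LFSR (state, poly)."""
    bits = []
    for _ in range(n):
        state, b = lfsr_step(state, poly)
        bits.append(b)
    return bits


def lfsr_period(state: List[int], poly: Set[int]) -> int:
    """Clocks until the state repeats; at most 2^L - 1 for a nonzero state."""
    start = list(state)
    s, _ = lfsr_step(start, poly)
    n = 1
    while s != start:
        s, _ = lfsr_step(s, poly)
        n += 1
    return n


def berlekamp_massey(seq: List[int]) -> Tuple[int, Set[int]]:
    """Linear complexity L of seq and the connection polynomial (exponent set)
    of a shortest LFSR generating it; the usual GF(2) Berlekamp-Massey."""
    n = len(seq)
    c = [1] + [0] * n   # current connection polynomial
    b = [1] + [0] * n   # polynomial in force before the last length change
    L, m = 0, -1
    for i in range(n):
        d = seq[i]                      # discrepancy: does the LFSR predict bit i?
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):  # c(X) += b(X) * X^shift
            c[j + shift] ^= b[j]
        if 2 * L <= i:                  # the LFSR had to grow
            L, m, b = i + 1 - L, i, t
    return L, {j for j in range(L + 1) if c[j]}


if __name__ == "__main__":
    primitive = {0, 1, 4}          # 1 + X + X^4 is primitive: period 2^4 - 1 = 15
    irreducible = {0, 1, 2, 3, 4}  # 1 + X + X^2 + X^3 + X^4 is irreducible, not primitive: period 5
    print("periods:", lfsr_period([1, 0, 0, 0], primitive), lfsr_period([1, 0, 0, 0], irreducible))
    bits = lfsr_sequence([1, 0, 0, 0], primitive, 32)
    print("Berlekamp-Massey recovers (L, polynomial):", berlekamp_massey(bits))
    print("LC of the slide's S_N:", berlekamp_massey([int(ch) for ch in "01101011100"])[0])
```

The demonstration shows the three claims of the slides on small registers: a primitive polynomial of degree 4 reaches the maximum period 15 while an irreducible but non-primitive one does not; all-zero and 000…001 sequences have linear complexity 0 and n; and from 2L output bits Berlekamp-Massey returns both L and the connection polynomial, which is why an LFSR on its own is not a cipher.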
LFSR-based Stream Ciphers: Nonlinear Combination Generators
[Diagram: LFSR1, LFSR2, …, LFSRn feed the Boolean function f, whose output is the keystream]
• f is a nonlinear Boolean function
• Exercise: Compute the period of the input to f if the lengths of the LFSRs are pairwise coprime

A Simple Nonlinear Combination Generator: Geffe Generator
[Diagram: LFSR1, LFSR2, LFSR3 give x1, x2, x3 to f, whose output is the keystream bit z]
• f = x1·x2 + x2·x3 + x3
• High LC, high period, balanced
• Exercise: P[z = x1] > 1/2 → correlation attack!!

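An added example (not from the lecture) that makes the slide's exercise concrete from the designer's side: enumerate the truth table of the combining function and measure how often the output agrees with each input, and with each XOR of inputs, when the LFSR outputs are modelled as independent uniform bits. The Geffe function is the slide's f; the second function, x1·x2 + x3 + x4, is an assumed comparison case chosen here to show a function with no single-input correlation that still leaks through a pair of inputs.

```python
"""Correlation of a combining function's output with (sums of) its inputs,
computed over the whole truth table."""
from itertools import combinations, product
from typing import Callable, Dict, Tuple


def geffe(x1: int, x2: int, x3: int) -> int:
    """The slide's f = x1*x2 + x2*x3 + x3 over GF(2), i.e. z = x1 if x2 else x3."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def ci_example(x1: int, x2: int, x3: int, x4: int) -> int:
    """Assumed comparison function x1*x2 + x3 + x4 (correlation immune of order 1)."""
    return (x1 & x2) ^ x3 ^ x4


def is_balanced(f: Callable[..., int], n: int) -> bool:
    """f takes the value 1 on exactly half of the 2^n inputs."""
    return 2 * sum(f(*x) for x in product((0, 1), repeat=n)) == 2 ** n


def input_correlations(f: Callable[..., int], n: int) -> Dict[Tuple[int, ...], float]:
    """For every nonempty subset T of the inputs (1-based indices), the
    probability P[f(x) = XOR of x_i for i in T] under uniform independent
    inputs. 0.5 means no correlation; any other value is a leak that a
    correlation attack on the corresponding LFSRs could use."""
    table = [(x, f(*x)) for x in product((0, 1), repeat=n)]
    result: Dict[Tuple[int, ...], float] = {}
    for size in range(1, n + 1):
        for subset in combinations(range(1, n + 1), size):
            hits = sum(1 for x, z in table if z == sum(x[i - 1] for i in subset) % 2)
            result[subset] = hits / len(table)
    return result


def worst_bias(f: Callable[..., int], n: int) -> Tuple[Tuple[int, ...], float]:
    """The input subset whose XOR agrees with f furthest from 1/2."""
    corr = input_correlations(f, n)
    subset = max(corr, key=lambda t: abs(corr[t] - 0.5))
    return subset, corr[subset]


if __name__ == "__main__":
    print("Geffe balanced:", is_balanced(geffe, 3))
    for subset, p in input_correlations(geffe, 3).items():
        print("P[z = XOR of x%s] = %.3f" % (subset, p))
    print("worst bias of x1*x2 + x3 + x4:", worst_bias(ci_example, 4))
```

For the Geffe function the table gives P[z = x1] = P[z = x3] = 3/4 while P[z = x2] = 1/2, which is the correlation the slide's exercise points at; the comparison function has every single-input correlation at 1/2 but P[z = x3 + x4] = 3/4, so checking single inputs alone is not enough when evaluating a combiner.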
A Nonlinear Comb. Gen. With Memory: Summation Generator
[Diagram: LFSR1 and LFSR2 give x1 and x2; a memory element holds c; the output is the keystream z]
• Proposed by Rueppel (1985)
• Memory bit c stores carry of integer addition
• Two functions: z = x1 + x2 + c, c = c(x1 + x2) + x1·x2
• Exercise: Show correlation attack on summation gen. (Hint: Meier and Staffelbach JoC'92)

Nonlinear Filter Generator
Only one LFSR, f is a nonlinear filter function
Exercise: What is max. LC of keystream?
[Diagram: a single LFSR whose selected stages feed the filter function f]

Irregularly Clocked/Clock Controlled Generator
One LFSR is used to clock another LFSR
Nonlinearity is brought about through irregular clocking
Extremely simple design
Low hardware complexity

Irregular Clocking: Alternating Step Generator (1)
[Diagram: the Clocking LFSR is always clocked; when its output bit is 1, LFSR1 is clocked; repeat; output z]
• By C. G. Günther in 1987
• Exercise: LC and period?

Irregular Clocking: Alternating Step Generator (2)
[Diagram: the Clocking LFSR is always clocked; when its output bit is 0, LFSR2 is clocked; repeat; output z]
• By C. G. Günther in 1987
• Exercise: LC and period?

Irregular Clocking: Shrinking Generator (1)
[Diagram: LFSR1 and LFSR2 are both regularly clocked; LFSR2 outputs a; when LFSR1 outputs 1, z = a]
• By Coppersmith, Krawczyk and Mansour in 1993
• Exercise: Compute LC and period of Shrinking Gen.

Irregular Clocking: Shrinking Generator (2)
[Diagram: LFSR1 and LFSR2 are both regularly clocked; LFSR2 outputs a; when LFSR1 outputs 0, a is discarded]
• By Coppersmith et al. '93
• Exercise: Compute LC and period of Shrinking Gen.

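An added example (not from the lecture) that runs both clock-controlled generators of the last four slides on tiny registers so the clocking rules can be traced by hand. The LFSR class uses the slides' stage convention (z[0] is the output stage, a tap on z[L-i] belongs to X^i). The alternating step generator's output, z = current bit of LFSR1 XOR current bit of LFSR2, follows Günther's standard definition, which the slide diagram does not spell out; the register lengths 3 and 4 and the initial states are chosen here for the demonstration and are far too short for any real use.

```python
"""Alternating step generator and shrinking generator on small LFSRs."""
from typing import List, Set


class LFSR:
    """Fibonacci LFSR: z[0] is the output stage, feedback enters at z[L-1],
    the tap on z[L-i] belongs to the term X^i of the connection polynomial
    (given as the set of exponents with coefficient 1)."""

    def __init__(self, state: List[int], poly: Set[int]):
        self.z, self.poly = list(state), poly

    def output(self) -> int:
        """Current output bit, without clocking."""
        return self.z[0]

    def clock(self) -> int:
        """Shift once; returns the bit that was shifted out."""
        L = len(self.z)
        fb = 0
        for i in self.poly:
            if i >= 1:
                fb ^= self.z[L - i]
        out = self.z.pop(0)
        self.z.append(fb)
        return out


def alternating_step(control: LFSR, r1: LFSR, r2: LFSR, n: int) -> List[int]:
    """Günther's ASG: the control LFSR is always clocked; its bit decides
    whether LFSR1 (bit 1) or LFSR2 (bit 0) is clocked, and the keystream bit
    is the XOR of the two data registers' current outputs."""
    z = []
    for _ in range(n):
        if control.clock():
            r1.clock()
        else:
            r2.clock()
        z.append(r1.output() ^ r2.output())
    return z


def shrinking(selector: LFSR, data: LFSR, n_clocks: int) -> List[int]:
    """Coppersmith-Krawczyk-Mansour: both LFSRs are clocked regularly; the
    data bit a is kept when the selector bit is 1 and discarded otherwise, so
    the keystream is shorter and irregularly timed relative to the clocks."""
    z = []
    for _ in range(n_clocks):
        s, a = selector.clock(), data.clock()
        if s:
            z.append(a)
    return z


if __name__ == "__main__":
    # 1 + X + X^3 and 1 + X + X^4 are primitive, so the registers run at full period 7 and 15.
    asg = alternating_step(LFSR([1, 0, 0], {0, 1, 3}), LFSR([1, 0, 0, 0], {0, 1, 4}),
                           LFSR([0, 1, 1], {0, 1, 3}), 8)
    print("alternating step keystream:", asg)
    shr = shrinking(LFSR([1, 0, 0], {0, 1, 3}), LFSR([1, 0, 0, 0], {0, 1, 4}), 14)
    print("shrinking generator keystream (8 bits kept of 14 clocks):", shr)
```

The shrinking generator keeps exactly as many bits as the selector produced ones, which is where its irregular output rate (and its need for buffering in hardware) comes from; the alternating step generator always emits one bit per clock but advances only one of its two data registers.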
A Modern LFSR-based stream cipher SNOW 1.0

FSM of SNOW 1.0
[Diagram of the finite state machine of SNOW 1.0; credit: Syed Huq]

Using T-functions for Stream Ciphers

Change the LFSR with a T-function
Klimov, Shamir, 2003
X' = x + (x^2 or C) when C = xyz….101
Invertible mapping
Single cycle with highest period
Advantage: software oriented stream cipher

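An added example (not from the lecture) that checks the two claims of the slide, invertibility and a single cycle of maximal length, by exhaustive enumeration on small word sizes. It uses C = 5 = 0b101, which has the low bits …101 the slide asks for, and a constant without the low bit set as a contrasting case; the word sizes are assumptions for the demonstration, since enumeration is only feasible for small n.

```python
"""The Klimov-Shamir T-function x -> x + (x^2 OR C) mod 2^n: invertibility and
the single-cycle property, checked exhaustively for small n."""
from typing import Set


def t_function(x: int, n: int, c: int = 5) -> int:
    """The slide's update X' = x + (x^2 or C) on n-bit words.
    Only the low n bits of x^2 matter, so reducing at the end is exact."""
    mask = (1 << n) - 1
    return (x + ((x * x) | c)) & mask


def is_invertible(n: int, c: int = 5) -> bool:
    """A map on a finite set is invertible iff it is a bijection."""
    images: Set[int] = {t_function(x, n, c) for x in range(1 << n)}
    return len(images) == 1 << n


def orbit_length(n: int, c: int = 5, start: int = 0) -> int:
    """Number of distinct words visited from `start` before a repeat.
    A single cycle through all n-bit words gives 2^n, the highest period
    any state-update function on n bits can have."""
    seen: Set[int] = set()
    x = start
    while x not in seen:
        seen.add(x)
        x = t_function(x, n, c)
    return len(seen)


if __name__ == "__main__":
    for n in (3, 8, 12):
        print("n=%d C=5: invertible=%s orbit=%d of %d" %
              (n, is_invertible(n), orbit_length(n), 1 << n))
    # With C = 4 the low bit of C is clear, x^2 has the parity of x, and
    # x + (x^2 | 4) is always even: the map is not even a permutation.
    print("n=8 C=4: invertible=%s orbit=%d" % (is_invertible(8, 4), orbit_length(8, 4)))
```

Because the update touches every bit only through lower bits (the T-function property), the single-cycle behaviour checked here for small n is the same structure the construction relies on at 32 or 64 bits, where enumeration is no longer possible and the algebraic proof by Klimov and Shamir takes over.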
Cellular Automata

Array-based Stream Ciphers

Generic Attacks on Stream Ciphers

When is a Cipher Considered Broken?
Very fuzzy issue
Wide gap between practical and theoretical breaks

Key Recovery Attack (1)
Simplest: The exhaustive key search or brute force attack
The key-length should be large enough to thwart brute-force attack

Key-recovery Attack (2)
The strongest form of Attack: Recover the secret key from the keystream bits with practical time complexity (fully broken)
Recover key with time better than brute force attack (theoretical break)

Different Types of Key-recovery Attacks (I)
Known/chosen plaintext attack
Known/chosen IV attack
Related-key attack

Different Types of Key-recovery Attacks (II)
Time-Memory-Tradeoff Attack
Guess and Determine Attack
Divide and Conquer Attack
Algebraic attack
(More on that in a later meeting)

Recovery of Internal State

Distinguishing attacks: Regular
Stream of bits does not follow the uniform distribution
Key → 011001001101001101010010…
Bias in a single and a long stream

Distinguishing attacks: Prefix
Stream of bits does not follow the uniform distribution
Key 1 → 01110011010011000 010…
Key 2 → 01111011010111100 010…
…
Key n → 01011010011110100 010…
Bias in multiple streams

Hybrid Distinguisher

Related-key Distinguisher
Consider a subset of keys (related keys) rather than all keys

Statistical Distance Between Two Distributions
The distance between two distributions

Advantage of a Distinguisher
A measure of efficiency of an algorithm to distinguish one distribution from the other

Optimal Distinguisher
An optimal distinguisher attains max. advantage given a fixed number of samples

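An added example (not from the lecture) for the last three slides: it computes the statistical distance between two distributions and builds the optimal single-sample distinguisher, whose advantage equals that distance. The biased distribution is constructed here to model a keystream byte whose value 0 appears with probability 2/256 instead of 1/256; it is an illustration of the definitions, not a measurement of any particular cipher.

```python
"""Statistical distance, and the optimal one-sample distinguisher."""
from typing import Dict, Hashable, Set, Tuple

Dist = Dict[Hashable, float]   # a probability distribution as value -> probability


def statistical_distance(p: Dist, q: Dist) -> float:
    """SD(p, q) = 1/2 * sum over x of |p(x) - q(x)|."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in support)


def advantage(accept: Set[Hashable], p: Dist, q: Dist) -> float:
    """Advantage of the distinguisher that answers 'p' iff the sample is in
    `accept`: Pr_p[accept] - Pr_q[accept]."""
    return sum(p.get(x, 0.0) for x in accept) - sum(q.get(x, 0.0) for x in accept)


def optimal_distinguisher(p: Dist, q: Dist) -> Tuple[Set[Hashable], float]:
    """With one sample, accepting exactly the set A = {x : p(x) > q(x)}
    maximises the advantage, and that maximum equals SD(p, q)."""
    accept = {x for x in set(p) | set(q) if p.get(x, 0.0) > q.get(x, 0.0)}
    return accept, advantage(accept, p, q)


def uniform_bytes() -> Dist:
    return {b: 1 / 256 for b in range(256)}


def biased_bytes(value: int = 0, prob: float = 2 / 256) -> Dist:
    """Constructed distribution: `value` has probability `prob`, the rest of
    the mass is spread evenly over the other 255 byte values."""
    rest = (1.0 - prob) / 255
    return {b: (prob if b == value else rest) for b in range(256)}


if __name__ == "__main__":
    p, q = biased_bytes(), uniform_bytes()
    print("SD(biased, uniform) = %.6f" % statistical_distance(p, q))
    accept, adv = optimal_distinguisher(p, q)
    print("optimal one-sample distinguisher accepts", sorted(accept), "with advantage %.6f" % adv)
    # Any other accept set does no better, e.g. accepting the whole range:
    print("advantage of accepting everything:", advantage(set(range(256)), p, q))
```

With a bias this small the one-sample advantage is only 1/256, which is why distinguishers in practice take many samples (the slide's "fixed number of samples") and accumulate the bias before deciding.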
Examples of Stream Ciphers
RC4
Helix
Snow
Py
…

The RC4 cipher

RC4 (1987)
i := i + 1
j := (j + S[i]) mod 256
swap S[i] and S[j]
t := (S[i] + S[j]) mod 256
output S[t]
[Diagram: the 256-entry table S, shown as S[0]=205, S[1]=92, S[2]=13, …, S[93]=33, S[94]=162, S[95]=79, …, S[254]=99, S[255]=143, with pointers i, j and t; in the picture i and j point at the entries 162 and 92, so t = (162 + 92) mod 256 = 254 and the output is S[254] = 99]

Distinguishing Attack by Mantin and Shamir
Second byte is highly biased

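An added example (not from the lecture) that implements RC4 as the two-stage stream cipher of the earlier slides (Stage I key scheduling, Stage II the pseudorandom generation loop shown on the slide), encrypts by bitwise XOR of plaintext and keystream, and then measures the second-byte bias that Mantin and Shamir identified by counting, over many keys, how often the second keystream byte is 0. The key scheduling step is RC4's standard KSA from public descriptions (the slide shows only the generation loop); the test keys are constructed here from a SHA-256 counter so the measurement is reproducible.

```python
"""RC4 as KSA + PRGA, XOR encryption, and an empirical check of the
Mantin-Shamir second-byte bias."""
import hashlib
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Stage I (key scheduling): fold the key into the permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: List[int], n: int) -> List[int]:
    """Stage II (PRGA): the loop from the slide, producing n keystream bytes."""
    S = S[:]           # work on a copy so the caller's state is untouched
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same bitwise XOR with the keystream."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def second_byte_zero_fraction(n_keys: int) -> float:
    """Fraction of keys whose second keystream byte is 0. A uniform keystream
    would give 1/256; Mantin and Shamir showed it is close to 2/256."""
    zeros = 0
    for k in range(n_keys):
        key = hashlib.sha256(k.to_bytes(4, "big")).digest()[:16]   # constructed test keys
        if rc4_keystream(rc4_ksa(key), 2)[1] == 0:
            zeros += 1
    return zeros / n_keys


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())                       # public RC4 test vector: bbf316e8d940af0ad3
    print("decrypted:", rc4_crypt(b"Key", ct))
    frac = second_byte_zero_fraction(20000)
    print("P[second byte = 0] ~ %.5f (uniform would be %.5f)" % (frac, 1 / 256))
```

A prefix distinguisher of the kind on the earlier slides needs nothing more than this: many keystreams under different keys, one byte position, and a count compared against the uniform expectation. Dropping the first keystream bytes, as later RC4 deployments did, is the corresponding mitigation for this particular bias.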
We hope to elaborate more in a later meeting