
An Introduction to Stream

Ciphers
Lecturer: Souradyuti Paul
Computer Security and Industrial Cryptography (COSIC)
Department of Electrical Engineering
Katholieke Universiteit Leuven, Belgium
Email: Souradyuti.Paul@esat.kuleuven.be

5th December 2007

COSIC course within BCRYPT

Foundations of Ciphers (1)

It is all about preventing information from being leaked
4 important mathematical objects:
  One-way functions (OWFs)
  Pseudorandom bit generators (PRBGs)
  Pseudorandom functions (PRFs)
  Pseudorandom permutations (PRPs)
Can you think of anything more? (exercise)
Note that the objects are used as a collection. Why?
Why "pseudo"? Thinking exercise

Foundations of Ciphers (2)

One-way function: given f and y = f(x), it is difficult (on average over x) to retrieve x
PRBG:
  y = f(x) is longer than x (stretching function)
  If x is uniformly distributed, y is computationally indistinguishable from uniform
PRF (a set of functions S'):
  S = {all functions from {0,1}^n to {0,1}^n}, |S| = (2^n)^(2^n)
  S' is a subset of S of size 2^n (one function per n-bit key), yet it is difficult to distinguish S' from S
PRP (a set of permutations S'):
  S = {all permutations of {0,1}^n}; describing a member of S takes a number of bits exponential in n
  S' is a subset of S whose members can be described in a number of bits polynomial in n
  S and S' are "indistinguishable"

Foundations of Ciphers (3)

If the security parameter n is a fixed value, all of these are insecure. Why? Answer: brute force.
Asymptotic study (also called complexity-theoretic): n grows asymptotically
  Drawback: practical ciphers have fixed-length keys
Concrete security considers a family of functions (Bellare, Kilian and Rogaway, CRYPTO '94 / JCSS 2000)
  Geared for fixed-length keys
  Uses a fixed security goal: the adversary's resources (time, queries) and its advantage are quantified explicitly

Inter-conversion Between OWFs, PRBGs, PRFs, PRPs

Is still an active field of research
OWF -> PRBG: Blum and Micali 82, Yao 82, Levin 87, Impagliazzo 89, Hastad 90
OWF -> PRF: Goldreich, Goldwasser and Micali 86 (from a PRBG)
PRF -> PRP: Luby and Rackoff 88
PRP -> PRF: Bellare, Krovetz and Rogaway 98; Hall, Wagner, Kelsey and Schneier 98
What about PRBG -> OWF, PRP -> OWF?
Are there other important theoretical questions?

Introduction to Stream Ciphers

Example: Encryption and Decryption

Figure: the sender encrypts the plaintext into ciphertext, the receiver decrypts the ciphertext back into the plaintext, and the attacker observes the ciphertext on the channel.

Simple Example: Shift Cipher

1. Plaintext: COSIC
2. Encryption: replace each letter by the letter 1 position to its right in the alphabet
3. Ciphertext: DPTJD
4. Decryption: replace each letter by the letter 1 position to its left
5. Plaintext: COSIC

Shift Cipher

Has some historical significance
  Julius Caesar (1st century BC) used this cipher about 2100 years ago!!!
  Also known as the Caesar cipher
Very weak against modern computing machines (only 25 non-trivial shifts to try)

Cryptography: Historically

Egyptians used cryptography in 2500 BC (4500 years ago)
Romans are known to have used cryptography 2000 years ago for military purposes
Indians were also aware of several techniques to hide information 1800 years ago (see the Kamasutra, 2nd century AD)

Modern Cryptography

WWII: breaking of the German cipher ENIGMA
Remained outside the public domain until the late 1970s
Popular interest started in the early 80s and grew with the widespread growth of the Internet

Why and Where is Cryptology Used?

Communication systems require protection of digital data from unauthorized users
Applications of cryptography:
  Electronic banking
  Smart cards
  E-commerce
  Defense
  Wireless communications
  Satellite TV
  Computer security systems
  Government identification

Scope of Cryptology: Security Issues

Cryptology addresses two goals: confidentiality (of data) and authentication (of data and of entities)
Confidentiality of data
  Primitives: block ciphers, stream ciphers, public-key cryptosystems, etc.
Authentication of data and entities
  Primitives: hash functions, message authentication codes, digital signatures, etc.

The Most Important Element in Cryptography: The Key

Figure: as before, the sender encrypts and the receiver decrypts while the attacker watches the channel; now both encryption and decryption are parameterized by the key, which is the only thing kept from the attacker.

Cryptology: Based on Secret Key

Cryptology splits into symmetric-key and asymmetric-key cryptography
Symmetric-key primitives: applications where sender and receiver share a common key
  Examples: block ciphers (AES), stream ciphers (RC4), hash functions (SHA-1), MACs (Helix), etc.
Asymmetric-key primitives: applications where sender and receiver do not share a common key
  Examples: public-key cryptosystems (RSA), digital signatures (DSS), etc.

Perfect Security: Vernam Cipher or One-Time Pad

Key:        011001001101001101010010 ...
Plaintext:  100101001000101001001110 ...
Ciphertext: 111100000101100100011100 ...   (bitwise XOR of key and plaintext)
The scheme is impractical because of the large size of the key: it is as long as the plaintext and must never be reused

How to Manage with Short Keys?

A stream cipher expands a short key into a long keystream, which is XORed with the plaintext bit by bit exactly as the one-time pad key was:
Keystream:  011001001101001101010010 ...   (generated from the short key)
Plaintext:  100101001000101001001110 ...
Ciphertext: 111100000101100100011100 ...   (bitwise XOR of keystream and plaintext)

How does a Stream Cipher Work?

Two stages of a practical stream cipher:
  Key scheduling algorithm (key/IV setup)
  Pseudorandom bit generation algorithm

Stage I: Key/IV Setup (KSA)

Figure: the key and the IV are fed to the key/IV set-up algorithm, which mixes them vigorously into the initial internal state (registers A, B, C in the figure). This is the initialization stage.

Stage II: Pseudorandom Bit Generation Algorithm (PRBG)

Figure: in Round 1, Round 2, Round 3, ... the internal state (A, B, C) is mixed and one keystream word is produced (Output 1, Output 2, Output 3, ...); each output is XORed with the corresponding plaintext (Plaintext 1, Plaintext 2, Plaintext 3, ...) to give the ciphertext (Ciphertext 1, Ciphertext 2, Ciphertext 3, ...).

Different Types of Stream Ciphers

Synchronous stream cipher
  Keystream independent of plaintext/ciphertext
  No error propagation (a flipped ciphertext bit flips only the corresponding plaintext bit, so integrity must come from a separate MAC)
  Synchronization is a problem if ciphertext bits are lost or inserted
Asynchronous stream cipher
  Keystream depends on plaintext/ciphertext
  Error propagation
Self-synchronizing stream cipher
  Keystream depends on the key and a finite number of previous ciphertext bits
  Synchronization is "automatic": after that many correct ciphertext bits the receiver is back in step

What is a Block Cipher?

Figure: a block cipher maps a fixed-size plaintext block to a ciphertext block under a key; decryption under the same key maps the ciphertext block back to the plaintext block.

Turning a Block Cipher into a Stream Cipher: Output Feedback Mode

Figure: the block cipher encrypts an initial value under the key; each output block is fed back as the next input and is also used as keystream, which is XORed with the plaintext to give the ciphertext.

Examples of Block Ciphers

DES
Rijndael
Serpent
Twofish
MARS
RC6


Block vs. Stream Cipher (I)

Original idea: block ciphers operate with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext bits. [R. Rueppel]
However, some schemes retain properties of both block and stream ciphers:
  Stream ciphers can be block oriented (Helix)
  A block cipher can be used as a stream cipher (OFB)

Block vs. Stream Ciphers (II)

"Pure block and stream ciphers are two concrete points on a continuous design space, and we increasingly use mixed modes." [Shamir, Asiacrypt 2004]
Therefore the difference is only relative: a small plaintext unit and fewer operations on each plaintext unit in successive rounds are what separate stream ciphers from block ciphers

Stream Ciphers vs. PRBG

A PRBG does not need a proper decryption function
A stream cipher can be used as a PRBG
A PRBG may not be usable as a stream cipher. Example: a PRBG based on physical noise (the receiver cannot regenerate the same bits)

Hardware-based and Software-based Stream Ciphers

Hardware is expensive
Hardware-based stream ciphers should run with low memory. Example: LFSR-based
Hardware-based stream ciphers are generally faster
Software-based ciphers can take advantage of larger memory to improve security. Example: large array-based (RC4)

Why Should We Study Stream Ciphers?

Because of their high speed: most stream ciphers are even faster than block ciphers

Linear Feedback Shift Register (LFSR) based Stream Ciphers

An L-Stage Register

Figure: a register of L binary stages numbered L-1, L-2, ..., 0 (left to right), holding for example 1 0 1 1 0 1 0 1 0 0 1 0 1 1 0 1.

Why Study LFSRs?

An LFSR is a component of the internal state of a large number of stream ciphers
LFSR size is small: suitable for hardware implementation, which is expensive
An LFSR generates an output sequence of large period
32

An L-stage Linear Feedback Shift Register

Figure (two consecutive clock cycles): on each clock the contents shift one stage towards stage 0, the bit leaving stage 0 is the output, and a new bit computed from the tapped stages enters at stage L-1. The contents 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0 1 become 1 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0 after one clock (new bit 1 entering on the left, output bit 1 leaving on the right); on the next clock the new bit is 0.

Representing an LFSR: Using a Linear Recurrence

Figure: stages z[L-1], ..., z[k], ..., z[5], z[3], z[0]; the tapped stages z[L-2], z[k], z[5], z[3], z[0] are multiplied by the coefficients a, b, c, d, e (each 0 or 1) and XORed to form the new bit.
State update (over F2): z[L-1] := a·z[L-2] + b·z[k] + c·z[5] + d·z[3] + e·z[0]
z[k] := z[k+1] for all L-2 >= k >= 0 (the old z[0] is the output bit)

Representing an LFSR: Using the Connection/Feedback Polynomial

Figure: the same register (contents 1 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0) with taps at z[L-2], z[k], z[5], z[3], z[0]
Ordered pair: (initial state, connection polynomial)
Example: (z[0..L-1], 1 + aX^2 + bX^(L-k) + cX^(L-5) + dX^(L-3) + eX^L)
A tap at stage z[L-i] corresponds to the term X^i of the connection polynomial

Representing an LFSR: Example

Figure: a 25-stage register with taps at z[23], z[10], z[5], z[3], z[0]
LFSR size: 25 stages
Connection polynomial: 1 + X^2 + X^15 + X^20 + X^22 + X^25


The Period of the LFSR Output Sequence

Figure: register contents 1 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0, output so far 0110101
LFSR output is ultimately periodic. Proof: mental exercise (there are only 2^L states and the update is deterministic)
The maximum period of the sequence is 2^L - 1 (exercise; the all-zero state maps to itself, so it cannot lie on the cycle of a maximal-period sequence)
How to attain the maximum period?

The Maximum Period of the LFSR Output

The maximum period 2^L - 1 is attained (for every nonzero initial state) exactly when the connection polynomial is a primitive polynomial of degree L over F2
Proof: exercise. Clue: the order of a primitive polynomial of degree L is 2^L - 1 (consult Lidl and Niederreiter, Chapter 6)

Linear Complexity (I)

Figure: an LFSR of length L producing the output sequence s^N = 01101011100...
s^N is an output sequence of length N
The length L of the shortest LFSR that generates s^N is the linear complexity of s^N, LC(s^N)

Linear Complexity: Examples (II)

If s^N is all zeroes then LC(s^N) = 0
If s^N = 000...01 (N-1 zeroes followed by a 1) then LC(s^N) = N (Friday evening exercise)
Exercise: if the connection polynomial is irreducible and has degree L, then the output sequence for any nonzero initial state of size L has LC equal to L

Linear Complexity: Berlekamp-Massey Algorithm (I)

Figure: an LFSR of length L producing the output sequence s^N = 01101011100...
What is the length L of the shortest LFSR, and its connection polynomial, that generates a given finite output sequence s^N of length N?
The Berlekamp-Massey algorithm answers this in O(N^2) bit operations, and any 2·LC(s) consecutive bits determine the shortest LFSR uniquely

What Happens if LFSRs Alone are Used in a Stream Cipher?

The stream cipher is weak then
Why? The Berlekamp-Massey algorithm reconstructs the LFSR very quickly (polynomial time) from 2L keystream bits, i.e. from 2L bits of known plaintext
Remedy: include nonlinear operations

LFSR-based Stream Ciphers: Nonlinear Combination Generators

Figure: the outputs of LFSR1, LFSR2, ..., LFSRn are fed to a function f whose output is the keystream
f is a nonlinear Boolean function
Exercise: compute the period of the input to f if the lengths of the LFSRs are pairwise coprime

A Simple Nonlinear Combination Generator: Geffe Generator

Figure: LFSR1, LFSR2, LFSR3 output x1, x2, x3, which f combines into the keystream bit z
f = x1·x2 + x2·x3 + x3 (x2 selects x1 when x2 = 1 and x3 when x2 = 0)
High LC, high period, balanced
Exercise: P[z = x1] > 1/2 (it is 3/4, and likewise P[z = x3] = 3/4) => correlation attack!!
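The Python program below is an added worked example (it is not code from the lecture or from COSIC) covering the last few slides together: it implements the LFSR in the (initial state, connection polynomial) form of the earlier slides, checks the period claim on a primitive and on a non-primitive irreducible polynomial, runs Berlekamp-Massey on an LFSR-only keystream to show how little output is needed to recover the register, and then builds the Geffe generator with the slide's f, measures P[z = x1] and carries out the correlation attack the exercise points at. The polynomials 1+X+X^4, 1+X+X^2+X^3+X^4, 1+X+X^3, 1+X^2+X^5, the initial states and the 400-bit keystream length are choices made here, not values from the slides.

```python
"""LFSRs, Berlekamp-Massey and the Geffe generator, written to the slides'
conventions (added example, not the lecturer's code).

An LFSR is the ordered pair (initial state, connection polynomial). The
polynomial 1 + sum X^i is passed as the list of exponents i; the term X^i taps
stage z[L-i], stage z[0] is the output and the new bit enters at z[L-1].
"""


class LFSR:
    def __init__(self, taps, state):
        self.taps = sorted(taps)
        self.L = self.taps[-1]                  # L = degree of the connection polynomial
        if len(state) != self.L or not any(state):
            raise ValueError("state must be L bits and not all zero")
        self.z = list(state)                    # z[0] ... z[L-1]

    def clock(self):
        out = self.z[0]
        new = 0
        for i in self.taps:                     # z[L-1] := sum of the tapped stages over F2
            new ^= self.z[self.L - i]
        self.z = self.z[1:] + [new]             # z[k] := z[k+1] for L-2 >= k >= 0
        return out

    def bits(self, n):
        return [self.clock() for _ in range(n)]


def period(taps, state):
    """Clocks until the register is back in its initial state (2^L - 1 iff primitive)."""
    r, n = LFSR(taps, state), 0
    while True:
        r.clock()
        n += 1
        if r.z == list(state):
            return n


def berlekamp_massey(s):
    """Shortest LFSR for the bit list s: returns (L, [1, c1, ..., cL]) with
    s[n] = c1*s[n-1] + ... + cL*s[n-L] over F2, in O(len(s)^2) bit operations."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n         # current and previous connection polynomials
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):               # discrepancy: does the current LFSR predict s[i]?
            d ^= c[j] & s[i - j]
        if d == 0:
            continue
        t = c[:]
        for j in range(n + 1 - (i - m)):        # C(X) := C(X) + X^(i-m) * B(X)
            c[j + i - m] ^= b[j]
        if 2 * L <= i:                          # the LFSR had to grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def geffe(r1, r2, r3, n):
    """Slide's combiner f = x1*x2 + x2*x3 + x3: x2 selects x1 (x2=1) or x3 (x2=0)."""
    return [(x1 & x2) ^ (x2 & x3) ^ x3
            for x1, x2, x3 in zip(r1.bits(n), r2.bits(n), r3.bits(n))]


def correlation_attack(z, taps):
    """Divide and conquer: because P[z = x1] = 3/4, LFSR1's 2^L1 - 1 states can be
    searched alone, keeping the one whose output agrees most with the keystream.
    Returns (recovered initial state, agreement rate)."""
    L = max(taps)
    best_state, best_agree = None, -1
    for s in range(1, 1 << L):
        state = [(s >> k) & 1 for k in range(L)]
        agree = sum(a == b for a, b in zip(LFSR(taps, state).bits(len(z)), z))
        if agree > best_agree:
            best_state, best_agree = state, agree
    return best_state, best_agree / len(z)


if __name__ == "__main__":
    print("period, 1+X+X^4 (primitive):", period([1, 4], [1, 0, 0, 0]))             # 15
    print("period, 1+X+X^2+X^3+X^4 (irreducible, not primitive):",
          period([1, 2, 3, 4], [1, 0, 0, 0]))                                         # 5
    print("slide's 25-stage LFSR, first bits:",
          LFSR([2, 15, 20, 22, 25], [1] + [0] * 24).bits(16))
    # LFSR alone: 2L = 8 keystream bits give back L and the connection polynomial
    print("Berlekamp-Massey on 8 bits:", berlekamp_massey(LFSR([1, 4], [1, 0, 0, 0]).bits(8)))
    # Geffe with primitive polynomials of coprime degrees 3, 4, 5: LC = 3*4 + 4*5 + 5 = 37 ...
    z = geffe(LFSR([1, 3], [1, 0, 1]), LFSR([1, 4], [1, 0, 0, 0]),
              LFSR([2, 5], [1, 1, 0, 0, 1]), 400)
    print("Geffe keystream LC:", berlekamp_massey(z)[0])
    # ... but LFSR1 and LFSR3 leak through the correlation: 7 + 31 trials instead of 7*15*31
    print("LFSR1 state recovered:", correlation_attack(z, [1, 3]))
    print("LFSR3 state recovered:", correlation_attack(z, [2, 5]))
```

The attack only recovers the two registers that z is correlated with; LFSR2 (the selector) is then found by exhausting its 15 states against the known x1 and x3, so the total work is 7 + 31 + 15 trials instead of the 7·15·31 of a joint search. The high linear complexity reported by Berlekamp-Massey is therefore no protection by itself.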

A Nonlinear Combination Generator with a Memory Element: Summation Generator

Figure: LFSR1 and LFSR2 output x1 and x2; a carry bit c is kept from one clock to the next; the keystream bit is z
Proposed by Rueppel (1985)
Memory bit c stores the carry of the integer addition
Two functions (over F2): z = x1 + x2 + c, and c := c·(x1 + x2) + x1·x2 (the majority of x1, x2, c)
Exercise: show a correlation attack on the summation generator (hint: Meier and Staffelbach, JoC 1992)

Nonlinear Filter Generator

Figure: a single LFSR (contents 1 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0); several of its stages feed a function f whose output is the keystream
Only one LFSR; f is a nonlinear filter function
Exercise: what is the maximum LC of the keystream?

Irregularly Clocked/Clock
Controlled Generator

One LFSR is used to clock another LFSR


Nonlinearity is brought about through
irregular clocking
Extremely simple design
Low hardware complexity

5th December 2007

COSIC course within BCRYPT

49

Irregular Clocking: Alternating Step Generator

Figure (two cases): the clocking LFSR is always clocked; when its output bit is 1, LFSR1 is clocked and LFSR2 keeps its output, when it is 0, LFSR2 is clocked and LFSR1 keeps its output; the keystream bit is the XOR of the current outputs of LFSR1 and LFSR2. Repeat.
By C. G. Günther in 1987
Exercise: LC and period?


Irregular Clocking: Shrinking Generator

Figure (two cases): LFSR1 (the selector) and LFSR2 are both regularly clocked; when LFSR1 outputs 1, the current output bit a of LFSR2 is emitted as the keystream bit z = a; when LFSR1 outputs 0, that bit of LFSR2 is discarded
By Coppersmith, Krawczyk and Mansour in 1993
Exercise: compute the LC and period of the shrinking generator

A Modern LFSR-based Stream Cipher: SNOW 1.0

FSM of SNOW 1.0

Figure (credit: Syed Huq): the finite state machine of SNOW 1.0; the figure itself is not reproduced here.

Using T-functions for Stream Ciphers

Change the LFSR with a T-function

Klimov and Shamir, 2003
x := x + (x^2 OR C) on n-bit words, where C = xyz...101 in binary (any constant whose three lowest bits are 101, i.e. C = 5 mod 8)
Invertible mapping
Single cycle with the highest possible period, 2^n
Advantage: software-oriented stream cipher (word-sized additions, multiplications and ORs instead of bit-level feedback)
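Added example in Python (not from the lecture and not the Klimov-Shamir reference code): it checks the three claims on this slide for small word sizes by brute force, iterating x := x + (x^2 OR C) mod 2^n. The constants C = 5, 7 and 0xBEED (whose lowest bits are 101 or 111; Klimov and Shamir's condition is that bits 0 and 2 of C are set) and C = 3 (lowest bits 011), the word sizes 8 and 16 bits, and the low-bit period check are choices made here. The last check illustrates why a T-function-based cipher outputs only its high-order bits: the k lowest bits of the state depend only on the k lowest bits of the previous state, so their sequence has period just 2^k.

```python
"""Klimov-Shamir T-function x -> x + (x^2 OR C) mod 2^n, checked by brute force
for small n (added example, not the lecturer's or the authors' code)."""


def tfunc(x, c, n):
    """One step of the T-function on n-bit words."""
    return (x + ((x * x) | c)) & ((1 << n) - 1)


def is_permutation(c, n):
    """Invertible mapping: every n-bit word has exactly one image (use n <= 16)."""
    return len({tfunc(x, c, n) for x in range(1 << n)}) == 1 << n


def cycle_length(c, n, start=0):
    """Length of the cycle through `start`; equal to 2^n iff the map is a single cycle."""
    x, k = tfunc(start, c, n), 1
    while x != start:
        x, k = tfunc(x, c, n), k + 1
    return k


def low_bits_period(c, n, k, x0=0):
    """Period of the k lowest state bits while the full n-bit state is iterated.
    Low bits never depend on higher bits (the T-function property), so this is
    2^k regardless of n: the low bits are a poor keystream."""
    mask, x = (1 << k) - 1, x0
    seq = [x0 & mask]
    for _ in range(1 << n):
        x = tfunc(x, c, n)
        seq.append(x & mask)
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return len(seq)


if __name__ == "__main__":
    for c in (5, 7, 0xBEED, 3):       # 5, 7, 0xBEED end in ...101 or ...111; 3 ends in ...011
        print(f"C={c:#x}: permutation on 8-bit words={is_permutation(c, 8)}, "
              f"cycle through 0 on 16-bit words={cycle_length(c, 16)} of {1 << 16}")
    print("period of the lowest bit   :", low_bits_period(5, 16, 1))    # 2
    print("period of the lowest 4 bits:", low_bits_period(5, 16, 4))    # 16
```

For C = 3 the map is still a permutation (C is odd) but splits into several cycles, so the "single cycle" property really depends on bit 2 of C, exactly as the slide's ...101 pattern indicates.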

Cellular Automata


Array-based Stream Ciphers

Generic Attacks on Stream Ciphers

When is a Cipher Considered Broken?

Very fuzzy issue
Wide gap between practical and theoretical breaks

Key Recovery Attack (1)

Simplest: exhaustive key search, or brute-force attack
The key length should be large enough to thwart a brute-force attack

Key-recovery Attack (2)

The strongest form of attack: recover the secret key from the keystream bits with practical time complexity (fully broken)
Recover the key in time better than a brute-force attack (theoretical break)

Different Types of Key-recovery Attacks (I)

Known/chosen plaintext attack
Known/chosen IV attack
Related-key attack

Different Types of Key-recovery Attacks (II)

Time-memory trade-off attack
Guess-and-determine attack
Divide-and-conquer attack
Algebraic attack
(More on that in a later meeting)

Recovery of Internal State

Recovering the internal state at some point of the keystream is as good as key recovery for decrypting the rest of that stream: the keystream is a function of the state alone

Distinguishing Attacks: Regular

The stream of bits does not follow the uniform distribution
Key -> 011001001101001101010010 ...
Bias in a single, long stream

Distinguishing Attacks: Prefix

The stream of bits does not follow the uniform distribution
Key 1 -> 01110011010011000 010 ...
Key 2 -> 01111011010111100 010 ...
Key n -> 01011010011110100 010 ...
Bias in multiple streams: the same positions of the keystream prefix, observed under many different keys

Hybrid Distinguisher


Related-key Distinguisher

Consider a subset of keys (related keys) rather than all keys

Statistical Distance Between Two Distributions

The distance between two distributions (the keystream distribution and the uniform one)

Advantage of a Distinguisher

A measure of the efficiency of an algorithm at distinguishing one distribution from the other

Optimal Distinguisher

An optimal distinguisher attains the maximum advantage for a given, fixed number of samples
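Added worked example in Python (not from the slides) for the three slides above. It assumes the standard definitions, which the slides do not spell out: the statistical distance SD(P, Q) = 1/2 · Σ_x |P(x) − Q(x)|, and the advantage of a one-sample distinguisher that outputs 1 exactly on a set A of values, Adv = |P(A) − Q(A)|. On a small constructed alphabet it tries every accept set and confirms that the maximum-likelihood rule "accept iff P(x) > Q(x)" is the optimal one-sample distinguisher, with advantage exactly SD(P, Q); it then evaluates the same quantities for an idealized model of the RC4 second-byte bias found by Mantin and Shamir (value 0 with probability 2/256 instead of 1/256, the other 255 values sharing the rest), which is a construction for this example rather than a distribution stated on the slides.

```python
"""Statistical distance, distinguisher advantage and the optimal one-sample
distinguisher (added example; definitions as in the lead-in)."""
from fractions import Fraction
from itertools import combinations


def statistical_distance(p, q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)| over the union of both supports."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2


def advantage(p, q, accept):
    """Advantage of the distinguisher that outputs 1 iff its sample lies in `accept`."""
    return abs(sum(p.get(x, 0) for x in accept) - sum(q.get(x, 0) for x in accept))


def maximum_likelihood_set(p, q):
    """Optimal one-sample distinguisher: accept exactly where P is more likely than Q."""
    return {x for x in set(p) | set(q) if p.get(x, 0) > q.get(x, 0)}


def best_advantage_bruteforce(p, q):
    """Maximum advantage over every possible accept set; feasible only for tiny alphabets."""
    xs = sorted(set(p) | set(q))
    return max(advantage(p, q, set(a))
               for r in range(len(xs) + 1) for a in combinations(xs, r))


def uniform(n):
    return {x: Fraction(1, n) for x in range(n)}


def rc4_second_byte_model():
    """Idealized model of the Mantin-Shamir bias (constructed for this example):
    the second keystream byte is 0 with probability 2/256 and the other 255
    values share the remaining mass equally."""
    zero = Fraction(2, 256)
    rest = (1 - zero) / 255
    return {x: (zero if x == 0 else rest) for x in range(256)}


if __name__ == "__main__":
    # constructed toy distribution on {0, 1, 2, 3} against the uniform one
    p = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
    u4 = uniform(4)
    print("SD(p, U4)              =", statistical_distance(p, u4))                      # 1/4
    print("ML accept set          =", maximum_likelihood_set(p, u4))                    # {0}
    print("advantage of ML set    =", advantage(p, u4, maximum_likelihood_set(p, u4)))  # 1/4
    print("best over all 16 sets  =", best_advantage_bruteforce(p, u4))                 # 1/4
    q, u256 = rc4_second_byte_model(), uniform(256)
    print("RC4 2nd byte: SD from uniform =", statistical_distance(q, u256))             # 1/256
    print("RC4 2nd byte: optimal test    = accept iff byte in",
          maximum_likelihood_set(q, u256))                                              # {0}
```

With several samples the same rule applies to the product distribution: the optimal distinguisher compares the likelihood of the whole sample under P and under Q (the Neyman-Pearson test), and a per-sample advantage of 1/256 means on the order of 256^2 second bytes, i.e. that many different keys, are needed before the bias shows reliably.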

Examples of Stream Ciphers

RC4
Helix
Snow
Py


The RC4 cipher


RC4 (1987)

Keystream generation, once the KSA has turned the key into a permutation S of 0..255 and set i = j = 0; one byte per step:
  i := (i + 1) mod 256
  j := (j + S[i]) mod 256
  swap S[i] and S[j]
  t := (S[i] + S[j]) mod 256
  output S[t]
Figure: the array S (indices 000 ... 255) with the two pointers i and j and the output index t

Distinguishing Attack by Mantin and Shamir

The second keystream byte is highly biased: over random keys it is 0 with probability about 2/256 instead of 1/256 (a prefix distinguisher in the sense above)
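The complete cipher, added here as a Python example (not the lecture's code and not an official RC4 implementation): the key scheduling algorithm, which is Stage I of the two-stage structure described earlier, followed by the five-line PRGA of the slide as Stage II, an XOR encrypt/decrypt routine, and an empirical check of the Mantin-Shamir prefix bias by counting how often the second keystream byte is zero over many random keys. The key length, the number of keys and the fixed seed are choices made here; the plaintext/key pair in the usage lines is one of the well-known public RC4 test vectors.

```python
"""RC4 (KSA + PRGA) and the Mantin-Shamir second-byte check.
Added example, not the lecture's code."""
import random


def rc4_ksa(key):
    """Stage I, key setup: permute S = [0..255] under the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s, n):
    """Stage II, keystream generation: the five lines on the slide, n times."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j]) & 0xFF
        out.append(s[t])
    return bytes(out)


def rc4_keystream(key, n):
    return rc4_prga(rc4_ksa(key), n)


def rc4_crypt(key, data):
    """Encryption and decryption are the same XOR (synchronous stream cipher)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def second_byte_zero_fraction(num_keys, seed=1):
    """Mantin-Shamir prefix bias: fraction of random 16-byte keys whose second
    keystream byte Z_2 is 0. A uniform byte would give 1/256; RC4 gives about 2/256.
    The seed only makes the constructed key sample reproducible."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.randrange(256) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / num_keys


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())                       # bbf316e8d940af0ad3 (public test vector)
    print("decrypted :", rc4_crypt(b"Key", ct))          # b'Plaintext'
    print("Pr[Z_2 = 0] over 20000 random keys:", second_byte_zero_fraction(20000),
          "vs uniform", 1 / 256)
```

Because the distinguisher needs the second byte under many keys, the usual practical mitigation of discarding the first keystream bytes only helps if every key (or key/IV combination) does it; with a fresh key per message the prefix bias is exactly what the attacker gets to see.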

We hope to elaborate more in a later meeting