Introduction to Stream Ciphers
Lecturer: Souradyuti Paul
Computer Security and Industrial Cryptography (COSIC)
Department of Electrical Engineering
Katholieke Universiteit Leuven, Belgium
Email: Souradyuti.Paul@esat.kuleuven.be
(Figure: relations among one-way functions (OWF), pseudorandom functions (PRF) and pseudorandom permutations (PRP).)

Introduction to Stream Ciphers

(Figure: encryption turns plaintext into ciphertext at the sender; decryption turns the ciphertext back into plaintext at the receiver.)
Cryptography: Historically
Example: the shift cipher

Modern Cryptography
Applications of Cryptography
Electronic Banking
Smart Card
E-Commerce
Defense
Wireless Communications
Satellite TV
Computer Security Systems
Government Identification
Scope of Cryptology: Security Issues
Cryptology addresses confidentiality (of data) and authentication (of data and of entities).

Confidentiality of Data
(Figure: the sender encrypts plaintext into ciphertext; the receiver decrypts the ciphertext back into plaintext.)

Asymmetric Key
Perfect Security: Vernam Cipher or One-Time Pad

The scheme is impractical because the key must be as long as the message: one fresh, uniformly random key bit per plaintext bit, never reused.
Key:        011001001101001101010010..
Plaintext:  100101001000101001001110..
Ciphertext: 111100000101100100011100..   (bitwise XOR of key and plaintext)
Stream Cipher (short key)

A short key is expanded into a long keystream, which is XORed with the plaintext exactly as the key is in the one-time pad:
Keystream:  011001001101001101010010..
Plaintext:  100101001000101001001110..
Ciphertext: 111100000101011001101100..
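As an added example (not from the lecture slides), the Python below carries out the XOR encryption on the key and plaintext bits shown above, checks that decryption is the same operation, and shows what an eavesdropper gains when one key or keystream is used for two messages: the XOR of the two ciphertexts equals the XOR of the two plaintexts. The function names are mine and the second plaintext is constructed for the demonstration.

```python
"""One-time pad encryption and the cost of reusing a key or keystream.
Added example, not from the lecture slides. KEY and PLAINTEXT are the bit
strings shown on the slide; the second message is constructed."""

# Leading 24 bits of the key and plaintext on the slide
KEY = "011001001101001101010010"
PLAINTEXT = "100101001000101001001110"


def xor_bits(a, b):
    """Bitwise XOR of two equal-length strings of '0'/'1' characters."""
    if len(a) != len(b):
        raise ValueError("key/keystream must cover the whole message")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def encrypt(key, plaintext):
    """Vernam encryption: ciphertext = key XOR plaintext."""
    return xor_bits(key, plaintext)


def decrypt(key, ciphertext):
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_bits(key, ciphertext)


def reuse_leak(key, p1, p2):
    """What an eavesdropper learns when one key (or keystream) is used for two
    messages: c1 XOR c2 = p1 XOR p2. The key cancels out, so the perfect
    secrecy of the pad is lost the moment a key is reused."""
    return xor_bits(encrypt(key, p1), encrypt(key, p2))


if __name__ == "__main__":
    c = encrypt(KEY, PLAINTEXT)
    print(c)                                  # 111100000101100100011100
    print(decrypt(KEY, c) == PLAINTEXT)       # True
    p2 = "110011001100110011001100"          # constructed second message
    print(reuse_leak(KEY, PLAINTEXT, p2) == xor_bits(PLAINTEXT, p2))   # True
```

The last function is the practical caveat behind both slides: the pad is perfect only with a fresh key per message, and a stream cipher inherits the same requirement for its keystream, which is why a key may never be used twice with the same IV.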
(Figure: internal structure of a stream cipher. Initialization loads the inputs X and Y into the state words A, B, C; each round (Round 1, Round 2, Round 3, ...) mixes the state and emits one keystream word (Output 1, Output 2, Output 3, ...), which is XORed with Plaintext 1, 2, 3 to give Ciphertext 1, 2, 3.)
5th December 2007
(Figure: symmetric encryption and decryption under a shared key; the same key turns plaintext into ciphertext and ciphertext back into plaintext.)
Block ciphers: DES, and the five AES finalists Rijndael, Serpent, Twofish, MARS and RC6.
Hardware vs. software stream ciphers

Hardware is expensive, so hardware-oriented stream ciphers must run in little memory (example: LFSR-based designs); they are generally faster.
Software-oriented ciphers can exploit the larger memory available to improve security (example: large array-based designs such as RC4).
An L-stage register
(Figure: a 16-stage shift register holding 1 0 1 1 0 1 0 1 0 0 1 0 1 1 0 1; the stages are numbered L-1, L-2, ..., 0 from left to right.)

An L-stage Linear Feedback Shift Register
(Figure: on each clock the rightmost stage (stage 0) is emitted as output, every stage shifts one place to the right, and the XOR of the tapped stages enters stage L-1. Two successive states are shown, 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0 1 and then 1 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0, the step between them producing output bit 1.)
Representing an LFSR: Using Linear Recurrence

(Figure, repeated over several slides: the register 1 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0 with its stages labelled z[L-1], z[L-2], ..., z[k], ..., z[5], z[3], z[0]; the later slides mark the tapped stages z[24], z[23], z[10], z[5], z[3] and z[0].)

The feedback bit is the XOR of the tapped stages, so the output bits satisfy a linear recurrence over GF(2) with fixed connection coefficients c_1, ..., c_L (each c_i is 0 or 1, according to which stages are tapped):
  z[n + L] = c_1 z[n + L - 1] XOR c_2 z[n + L - 2] XOR ... XOR c_L z[n],   n >= 0.
Every later bit is therefore determined by the previous L bits, and the polynomial C(x) = 1 + c_1 x + ... + c_L x^L is the connection polynomial of the register.
(Figure: the same register clocked step by step; stage L-1 receives the feedback bit, and the output produced so far reads 0110101.)

Exercise: show that the maximum period of the output sequence is 2^L - 1. (The all-zero state reproduces itself forever, so a register that is not stuck at zero can visit at most the 2^L - 1 nonzero states before its state, and hence its output, repeats.)

How to attain the maximum period? The output has period 2^L - 1 from every nonzero initial state exactly when the connection polynomial is primitive over GF(2); otherwise the period is shorter.
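The following Python is an added example, not from the lecture slides: a Fibonacci LFSR in the convention used by the slides (output leaves one end, the XOR of the tapped stages enters the other), with a period computation and a check of the maximum-period condition for two degree-4 polynomials, one primitive and one not. The function names, the tap notation (tap indices count from the output stage) and the registers used are my own choices.

```python
"""Fibonacci LFSR: output, period, and the maximum-period condition.
Added example, not from the lecture slides. Tap positions and states below
are constructed for the demonstration."""


def step(state, taps):
    """One clock of an L-stage Fibonacci LFSR.

    state is a tuple of L bits with state[0] the stage about to be output.
    The new bit entering the far end is the XOR of the tapped stages, so
    taps=[0, 1] realises the recurrence z[n+L] = z[n] ^ z[n+1], i.e. the
    feedback polynomial x^L + x + 1."""
    fb = 0
    for t in taps:
        fb ^= state[t]
    return state[1:] + (fb,)


def lfsr(state, taps, n):
    """First n output bits of the register started in `state`."""
    s, out = tuple(state), []
    for _ in range(n):
        out.append(s[0])
        s = step(s, taps)
    return out


def period(state, taps):
    """Clocks until the register returns to `state` (= period of the output)."""
    s0 = tuple(state)
    s, p = step(s0, taps), 1
    while s != s0:
        s, p = step(s, taps), p + 1
    return p


def attains_max_period(L, taps):
    """True iff the LFSR runs through all 2^L - 1 nonzero states in one cycle.

    A single orbit of length 2^L - 1 necessarily contains every nonzero
    state, and this happens exactly when the feedback polynomial is
    primitive over GF(2); the all-zero state is always a fixed point."""
    return period((1,) + (0,) * (L - 1), taps) == 2 ** L - 1


if __name__ == "__main__":
    # x^4 + x + 1 is primitive: period 15, the maximum for L = 4
    print(lfsr((1, 0, 0, 0), [0, 1], 15))       # [1,0,0,0,1,0,0,1,1,0,1,0,1,1,1]
    print(period((1, 0, 0, 0), [0, 1]))          # 15
    # x^4 + x^3 + x^2 + x + 1 is irreducible but not primitive: period 5
    print(period((1, 0, 0, 0), [0, 1, 2, 3]))    # 5
    # x^5 + x^2 + 1 is primitive: period 31
    print(attains_max_period(5, [0, 2]))         # True
```

Trying the 16-stage register from the slides with an arbitrary tap set and calling `period` on it is the quickest way to see why the tap choice matters: most tap sets give periods far below 2^16 - 1.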
(Figure: an LFSR of length L with stages A, B, ..., M, N, O, P producing the output sequence SN = 01101011100..)

SN is an output sequence of length N. The length L of the shortest LFSR that can generate SN is the linear complexity of SN.
What is the shortest L, and the corresponding connection polynomial, given any finite output sequence SN of length N? The Berlekamp-Massey algorithm answers both questions in O(N^2) bit operations.

Why does this matter? If a keystream has linear complexity L, then 2L consecutive keystream bits (obtained from 2L bits of known plaintext) are enough to synthesise an equivalent LFSR and reproduce the whole keystream. A keystream generator therefore needs high linear complexity, not just a long period.
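An added example, not from the lecture slides: the Berlekamp-Massey algorithm over GF(2), returning the linear complexity and the connection polynomial, followed by the attack the slide hints at, namely synthesising the register from 2L observed bits and predicting the rest of the keystream. The sample sequence is constructed from a 4-stage LFSR; the function names are mine.

```python
"""Berlekamp-Massey: shortest LFSR and connection polynomial for a bit sequence.
Added example, not from the lecture slides. The sample sequence is constructed
from a 4-stage LFSR with feedback polynomial x^4 + x + 1."""


def berlekamp_massey(s):
    """Return (L, C) for the bit sequence s (list of 0/1).

    L is the linear complexity of s and C = [c0, c1, ..., cL] with c0 = 1
    is the connection polynomial C(x) = 1 + c1 x + ... + cL x^L over GF(2),
    meaning s[n] = c1 s[n-1] ^ c2 s[n-2] ^ ... ^ cL s[n-L] for n >= L."""
    n = len(s)
    C = [1] + [0] * n        # current connection polynomial
    B = [1] + [0] * n        # polynomial before the last length change
    L, m = 0, -1             # current length; index of last length change
    for i in range(n):
        # discrepancy: does the current LFSR predict s[i] correctly?
        d = s[i]
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d == 0:
            continue
        T = C[:]
        shift = i - m
        for j in range(n - shift + 1):
            C[j + shift] ^= B[j]        # C(x) <- C(x) + x^(i-m) B(x)
        if 2 * L <= i:
            L, m, B = i + 1 - L, i, T
    return L, C[: L + 1]


def run_lfsr(C, seed, n):
    """Extend seed (its first L bits) to n bits using connection polynomial C."""
    L = len(C) - 1
    s = list(seed[:L])
    while len(s) < n:
        bit = 0
        for j in range(1, L + 1):
            bit ^= C[j] & s[-j]
        s.append(bit)
    return s


# Constructed: 15 bits of the m-sequence of x^4 + x + 1 (z[n] = z[n-3] ^ z[n-4])
SAMPLE = [1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1]


def recover_and_predict(observed, total):
    """Synthesise an LFSR from `observed` keystream bits and predict `total` bits.
    With 2L bits observed the synthesis is exact: a keystream of low linear
    complexity is fully predictable from a little known plaintext."""
    L, C = berlekamp_massey(observed)
    return L, C, run_lfsr(C, observed, total)


if __name__ == "__main__":
    L, C, predicted = recover_and_predict(SAMPLE[:8], 15)
    print(L, C)                  # 4 [1, 0, 0, 1, 1]
    print(predicted == SAMPLE)   # True
```

Eight observed bits (2L for L = 4) suffice here; the same call on a real keystream of linear complexity L needs 2L bits of known plaintext and an O(L^2) amount of work, which is why the generators on the following slides all aim to push L up.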
Nonlinear combination generator
(Figure: n LFSRs, LFSR1, ..., LFSRn, whose output bits are combined by a Boolean function f to produce the keystream.)
f is a nonlinear Boolean function.
Exercise: compute the period of the input to f when the lengths of the LFSRs are pairwise coprime. (If each LFSR has maximum period 2^(L_i) - 1, pairwise coprime lengths make these periods pairwise coprime, since gcd(2^a - 1, 2^b - 1) = 2^gcd(a,b) - 1, so the period of the combined input is their product.)
Example: three LFSRs with outputs x1, x2, x3 and the combining function
  f = x1.x2 + x2.x3 + x3   (over GF(2))
High linear complexity, high period, balanced.
Exercise: show that P[z = x1] > 1/2. (In fact P[z = x1] = P[z = x3] = 3/4, because f equals x1 whenever x2 = 1 and equals x3 whenever x2 = 0, while P[z = x2] = 1/2.) Such a correlation is the basis of a correlation attack: each correlated LFSR can be attacked on its own by trying its 2^(L_i) - 1 initial states and keeping the one whose output agrees with the keystream about 3/4 of the time, instead of searching the combined state of all registers.
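The correlation attack on the combiner above, as an added example that is not part of the lecture slides: the exact correlation of f with each input is computed from the truth table, a keystream is produced from three constructed LFSRs of pairwise coprime lengths 5, 7 and 11 (primitive feedback polynomials, states chosen by me), and the first register is recovered alone by maximising agreement with the keystream. The LFSR convention and function names are my own.

```python
"""Correlation attack on the combiner f = x1.x2 + x2.x3 + x3.
Added example, not from the lecture slides. The three LFSRs (lengths 5, 7, 11,
pairwise coprime, primitive feedback polynomials) and their initial states are
constructed for the demonstration."""
from fractions import Fraction
from itertools import product


def f(x1, x2, x3):
    """The combining function from the slide, over GF(2)."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def lfsr(state, taps, n):
    """n output bits of a Fibonacci LFSR; state[0] is output first and the
    XOR of the tapped stages enters at the far end."""
    s, out = list(state), []
    for _ in range(n):
        out.append(s[0])
        s = s[1:] + [sum(s[t] for t in taps) % 2]
    return out


def exact_correlation(i):
    """P[f(x1,x2,x3) = x_i] for uniformly random inputs (i = 0, 1, 2)."""
    hits = sum(f(*x) == x[i] for x in product((0, 1), repeat=3))
    return Fraction(hits, 8)


# Constructed generator: x^5+x^2+1, x^7+x+1, x^11+x^2+1 (all primitive)
LFSR1 = ((1, 0, 1, 1, 0), [0, 2])
LFSR2 = ((1, 1, 0, 1, 0, 0, 1), [0, 1])
LFSR3 = ((1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0), [0, 2])


def keystream(n):
    """n keystream bits z = f(x1, x2, x3) from the three registers."""
    x1, x2, x3 = (lfsr(st, taps, n) for st, taps in (LFSR1, LFSR2, LFSR3))
    return [f(a, b, c) for a, b, c in zip(x1, x2, x3)]


def correlation_attack(z, L, taps):
    """Recover one LFSR on its own: try all 2^L - 1 nonzero initial states and
    keep the one whose output agrees most often with the keystream z. The
    true state agrees on about 3/4 of the bits, every wrong one on about 1/2,
    so the cost is 2^L trials instead of 2^(L1+L2+L3) for a joint search."""
    best, best_agree = None, 0.0
    for bits in product((0, 1), repeat=L):
        if not any(bits):
            continue
        cand = lfsr(bits, taps, len(z))
        agree = sum(a == b for a, b in zip(cand, z)) / len(z)
        if agree > best_agree:
            best, best_agree = bits, agree
    return best, best_agree


if __name__ == "__main__":
    print([str(exact_correlation(i)) for i in range(3)])   # ['3/4', '1/2', '3/4']
    z = keystream(256)
    state, agree = correlation_attack(z, 5, [0, 2])
    print(state == LFSR1[0], agree > 0.6)                   # True True
```

The same call with L = 11 and taps [0, 2] recovers the third register, which is equally correlated; the second register (correlation 1/2) cannot be singled out this way and must be found by exhausting its 2^7 - 1 states once the other two are known. Correlation-immune combiners avoid exactly this divide-and-conquer.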
(Figure: a generator whose inputs x1, x2 and a control bit c are combined into the keystream Z.)
(Figure: the register 1 1 0 1 1 0 0 1 0 0 1 0 0 1 1 0 with several of its stages feeding a combining block.)
Irregularly Clocked / Clock-Controlled Generator

(Figure, two slides: a clocking LFSR whose output bit decides whether a second register is clocked, while LFSR2 is always clocked; the two slides show the two values of the clocking bit, labelled "Repeat" and "Clocked".)
Proposed by C. G. Günther in 1987.
Exercise: linear complexity and period?
Shrinking Generator

(Figure, two slides: two regularly clocked LFSRs, a selector register producing bits a and a source register producing bits z. When a = 1 the bit z is output; when a = 0 it is discarded.)
Proposed by Coppersmith, Krawczyk and Mansour in 1993.
Exercise: compute the linear complexity and period of the shrinking generator.
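The shrinking generator as an added example, not from the lecture slides, with the period measured directly on its output. The two registers are constructed by me: a 3-stage selector A with feedback polynomial x^3 + x + 1 and a 4-stage source S with x^4 + x + 1, both primitive and of coprime lengths; the LFSR convention and the function names are mine.

```python
"""Shrinking generator (Coppersmith, Krawczyk, Mansour 1993): period check.
Added example, not from the lecture slides. The two registers below are
constructed: A is a 3-stage LFSR (x^3 + x + 1) and S a 4-stage LFSR
(x^4 + x + 1), both primitive, with coprime lengths 3 and 4."""


def lfsr(state, taps, n):
    """n output bits of a Fibonacci LFSR; state[0] is output first and the
    XOR of the tapped stages enters at the far end."""
    s, out = list(state), []
    for _ in range(n):
        out.append(s[0])
        s = s[1:] + [sum(s[t] for t in taps) % 2]
    return out


def shrinking_generator(a_state, a_taps, s_state, s_taps, clocks):
    """Run both registers for `clocks` steps, regularly clocked, and keep the
    S bit only at those steps where the selector (A) bit is 1; the S bits
    at steps with selector bit 0 are discarded."""
    a = lfsr(a_state, a_taps, clocks)
    s = lfsr(s_state, s_taps, clocks)
    return [z for sel, z in zip(a, s) if sel == 1]


def sequence_period(z):
    """Smallest p with z[i] == z[i+p] for all i; z must hold at least two
    full periods for the answer to be meaningful."""
    for p in range(1, len(z) // 2 + 1):
        if all(z[i] == z[i + p] for i in range(len(z) - p)):
            return p
    return None


A = ((1, 0, 0), [0, 1])          # x^3 + x + 1: period 7, four 1s per period
S = ((1, 0, 0, 0), [0, 1])       # x^4 + x + 1: period 15


def demo_period():
    """Theory for primitive registers of coprime lengths: the output period is
    (2^|S| - 1) * 2^(|A| - 1) = 15 * 4 = 60. Here it is measured directly."""
    z = shrinking_generator(*A, *S, clocks=7 * 15 * 4)   # four full cycles
    return sequence_period(z)


if __name__ == "__main__":
    print(shrinking_generator(*A, *S, clocks=21)[:8])   # [1, 0, 0, 0, 1, 1, 1, 1]
    print(demo_period())                                # 60
```

Every 7 clocks the selector passes 4 of the source bits, and the source returns to its start only after a multiple of 15 clocks, which gives the 60-bit period. The linear complexity can be measured with Berlekamp-Massey on a few hundred output bits; Coppersmith, Krawczyk and Mansour show it lies between |S|.2^(|A|-2) and |S|.2^(|A|-1), i.e. above 8 and at most 16 for these toy sizes, so the irregular clocking buys a linear complexity exponential in |A| rather than linear in |A| + |S|.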
Syed Huq

Cellular Automata

Array-based Stream Ciphers
Generic Attacks on Stream Ciphers

Known/chosen IV attack
Related-key attack
Time-memory trade-off attack
Algebraic attack
(Figure: keystreams produced under different keys. First key: 011001001101001101010010..; Key 2: 01110011010011000 010..; ...; Key n: 01011010011110100 010..)
Hybrid Distinguisher
Related-key Distinguisher
Advantage of a Distinguisher
Optimal Distinguisher
Examples: RC4, Helix, SNOW, Py
RC4 (1987)

Keystream generation, one byte per step (S is the 256-byte state permutation produced by the key schedule; the index pointers i and j both start at 0):
i := (i + 1) mod 256
j := (j + S[i]) mod 256
swap S[i] and S[j]
t := (S[i] + S[j]) mod 256
output S[t]

(Figure: the array S, indexed 000 ... 255, with the pointers i, j and t; the sample entries visible on the slide are 205, 162, 092, 013, 033, 079, 099 and 143.)