Understanding Cryptography - Stream Ciphers PDF

Summary

This document is a chapter from a textbook on cryptography, specifically focusing on stream ciphers. It covers various aspects including stream cipher basics, random number generators, one-time pads, and linear feedback shift registers.

Full Transcript

Cryptography
(Course Code: CCY6322- 3)

Dr. Mohammad Zunnun Khan
Email: [email protected]
2024
 Understanding Cryptography – A Textbook for
Students and Practitioners
by Christof Paar and Jan Pelzl

www.crypto-textbook.com

Chapter 2 – Stream Ciphers
ver. October 29, 2009

These slides were prepared by Thomas Eisenbarth, Christof Paar and Jan Pelzl
 Content of this Chapter

Intro to stream ciphers
Random number generators (RNGs)
One-Time Pad (OTP)
Linear feedback shift registers (LFSRs)

3/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
 Content of this Chapter

Intro to stream ciphers
Random number generators (RNGs)
One-Time Pad (OTP)
Linear feedback shift registers (LFSRs)
Trivium: a modern stream cipher

4/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Stream Ciphers in the Field of Cryptology

Cryptology

Cryptography Cryptanalysis

Symmetric Ciphers Asymmetric Ciphers Protocols

Block Ciphers Stream Ciphers

Stream Ciphers were invented in 1917 by Gilbert Vernam

5/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
 Stream Cipher vs. Block Cipher

Stream Ciphers
Encrypt bits individually
Usually small and fast  common in embedded devices (e.g., A5/1 for
GSM phones)

Block Ciphers:
Always encrypt a full block (several bits)
Are common for Internet applications

6/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Encryption and Decryption with Stream Ciphers
Plaintext xi, ciphertext yi and key stream si consist of individual bits

Encryption and decryption are simple additions modulo 2 (aka XOR)
Encryption and decryption are the same functions

Encryption: yi = esi(xi ) = xi + si mod 2 xi , yi , si ∈ {0,1}
Decryption: xi = esi(yi ) = yi + si mod 2

SID's
7/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
 Synchronous vs. Asynchronous Stream Cipher

Security of stream cipher depends entirely on the key stream si :
Should be random , i.e., Pr(si = 0) = Pr(si = 1) = 0.5
Must be reproducible by sender and receiver

Synchronous Stream Cipher
Key stream depend only on the key (and possibly an initialization vector IV)

Asynchronous Stream Ciphers
Key stream depends also on the ciphertext (dotted feedback enabled)
8/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Why is Modulo 2 Addition a Good Encryption Function?

Modulo 2 addition is equivalent to XOR operation

For perfectly random key stream si , each ciphertext output bit
has a 50% chance to be 0 or 1
 Good statistic property for ciphertext

Inverting XOR is simple, since it is the same XOR operation

xi si yi
0 0 0
0 1 1
1 0 1
1 1 0

9/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Stream Cipher: Throughput

Performance comparison of symmetric ciphers (Pentium4):

Cipher Key length Mbit/s
DES 56 36.95
3DES 112 13.32
AES 128 51.19
RC4 (stream cipher) (choosable) 211.34
Source: Zhao et al., Anatomy and Performance of SSL Processing, ISPASS 2005

10/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
 Content of this Chapter

Intro to stream ciphers
Random number generators (RNGs)
One-Time Pad (OTP)
Linear feedback shift registers (LFSRs)
Trivium: a modern stream cipher

11/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Random number generators (RNGs)

RNG

True RNG Cryptographically
Pseudorandom NG
Secure RNG

12/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  True Random Number Generators (TRNGs)
coin
Based on physical random processes: coin flipping, dice rolling, semiconductor
noise, radioactive decay, mouse movement, clock jitter of digital circuits
Output stream si should have good statistical properties:
Pr(si = 0) = Pr(si = 1) = 50% (often achieved by post-processing)
Output can neither be predicted nor be reproduced

Typically used for generation of keys, nonces (used only-once values) and for
many other purposes

13/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Pseudorandom Number Generator (PRNG)

Generate sequences from initial seed value
psi
Typically, output stream has good statistical properties
Output can be reproduced and can be predicted
Often computed in a recursive way:

s0  seed
si 1  f ( si , si 1 ,..., si t )

Example: rand() function in ANSI C:

s0  12345
si 1  1103515245si  12345mod 231

Most PRNGs have bad cryptographic properties!

14/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Cryptanalyzing a Simple PRNG
Simple PRNG: Linear Congruential Generator

S 0  seed
Si 1  AS i  B mod m

Assume
unknown A, B and S0 as key
Size of A, B and Si to be 100 bit
300 bit of output are known, i.e. S1, S2 and S3
Solving

S 2  AS1  B mod m
S 3  AS 2  B mod m
…directly reveals A and B. All Si can be computed easily!

Bad cryptographic properties due to the linearity of most PRNGs
15/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Cryptographically Secure Pseudorandom Number
Generator (CSPRNG)

Special PRNG with additional property:
Output must be unpredictable

More precisely: Given n consecutive bits of output si , the following output bits sn+1
cannot be predicted (in polynomial time).

Needed in cryptography, in particular for stream ciphers

Remark: There are almost no other applications that need unpredictability,
whereas many, many (technical) systems need PRNGs.

16/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
 Content of this Chapter

Intro to stream ciphers
Random number generators (RNGs)
One-Time Pad (OTP)
Linear feedback shift registers (LFSRs)
Trivium: a modern stream cipher

17/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  One-Time Pad (OTP)

Unconditionally secure cryptosystem:
A cryptosystem is unconditionally secure if it cannot be broken even with
infinite computational resources

One-Time Pad
A cryptosystem developed by Mauborgne that is based on Vernam’s stream
cipher:
Properties:
Let the plaintext, ciphertext and key consist of individual bits
xi, yi, ki  {0,1}.

Encryption: eki(xi) = xi  ki.
Decryption: dki(yi) = yi  ki

OTP is unconditionally secure if and only if the key ki. is used once!

18/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  One-Time Pad (OTP)

Unconditionally secure cryptosystem:
y0 = x 0  k0
y1 = x 1  k1
:
Every equation is a linear equation with two unknowns
 for every yi are xi = 0 and xi = 1 equiprobable!
This is true iff k0, k1,... are independent, i.e., all ki have to be
generated truly random
 It can be shown that this systems can provably not be solved.

Disadvantage: For almost all applications the OTP is impractical
since the key must be as long as the message! (Imagine you
1
have to encrypt a 1GByte email attachment.)

19/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
 Content of this Chapter

Intro to stream ciphers
Random number generators (RNGs)
One-Time Pad (OTP)
Linear feedback shift registers (LFSRs)
Trivium: a modern stream cipher

20/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Linear Feedback Shift Registers (LFSRs)

Concatenated flip-flops (FF), i.e., a shift register together with a feedback path
Feedback computes fresh input by XOR of certain state bits
Degree m given by number of storage elements
If pi = 1, the feedback connection is present (“closed switch), otherwise there is
not feedback from this flip-flop (“open switch”)
Output sequence repeats periodically
Maximum output length: 2m-1
21/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Linear Feedback Shift Registers (LFSRs): Example with m=3

clk FF2 FF1 FF0=si
0 1 0 0
LFSR output described by recursive equation: 1 0 1 0

si 3  si 1  si mod 2 2 1 0 1
3 1 1 0
4 1 1 1
Maximum output length (of 23-1=7) achieved only for certain
5 0 1 1
feedback configurations,.e.g., the one shown here.
6 0 0 1
7 1 0 0
8 0 1 0
22/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Security of LFSRs
LFSRs typically described by polynomials:

P( x)  x m  pl 1 x m1 ...  p1 x  p0

Single LFSRs generate highly predictable output
If 2m output bits of an LFSR of degree m are known, the feedback
coefficients pi of the LFSR can be found by solving a system of linear
equations*

Because of this many stream ciphers use combinations of LFSRs

*See Chapter 2 of Understanding Cryptography for further details.

23/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
 Content of this Chapter

Intro to stream ciphers
Random number generators (RNGs)
One-Time Pad (OTP)
Linear feedback shift registers (LFSRs)
Trivium: a modern stream cipher

24/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  A Modern Stream Cipher - Trivium

1

Three nonlinear LFSRs (NLFSR) of length 93, 84, 111
XOR-Sum of all three NLFSR outputs generates key stream si
Small in Hardware:
Total register count: 288 782
Non-linearity: 3 AND-Gates

25/27
7 XOR-Gates (4 with three inputs)
155
Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
  Lessons Learned
Stream ciphers are less popular than block ciphers in most domains such as Internet
security. There are exceptions, for instance, the popular stream cipher RC4.

Stream ciphers sometimes require fewer resources, e.g., code size or chip area, for
implementation than block ciphers, and they are attractive for use in constrained
environments such as cell phones.

The requirements for a cryptographically secure pseudorandom number generator are far
more demanding than the requirements for pseudorandom number generators used in other
applications such as testing or simulation

The One-Time Pad is a provable secure symmetric cipher. However, it is highly impractical
for most applications because the key length has to equal the message length.

Single LFSRs make poor stream ciphers despite their good statistical properties. However,
careful combinations of several LFSR can yield strong ciphers.

26/27 Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl