**Stream** **Ciphers** (contd.)Debdeep MukhopadhyayAssistant Pr**of**essor**Department** **of** **Computer** **Science** **and****Engineering**Indian Institute **of** Technology KharagpurINDIA -721302Objectives• Non-linear feedback shift registers• **Stream** ciphers using LFSRs:– Non-linear combination generators– Non-linear filter generators– Clock controlled generators– Other **Stream** **Ciphers**Low Power Ajit Pal IIT Kharagpur 1

Non-linear feedback shift registers• A Feedback Shift Register (FSR) isnon-singular iff for all possible initialstates every output sequence **of** theFSR is periodic.de Bruijn SequenceAn FSR with feedback function f( sj− 1, sj−2,..., sj−L)is non-singular iff f is **of** the form:f = sj−L⊕g( sj− 1, sj−2,..., sj− L+1)for some Boolean function g.The period **of** a non-singular FSR with length LLis at most 2 .If the period **of** the output sequence for any initialLstate **of** a non-singular FSR **of** length L is 2 , then theFSR is called a de Bruijn FSR, **and** the output sequenceis called a de Bru ijn sequence.Low Power Ajit Pal IIT Kharagpur 2

Examplef ( x , x , x ) = 1⊕x ⊕x ⊕x x1 2 3 2 3 1 2t0123x 10111x 20011x 30001t4563x 10100x 21010x 31101Converting a maximal length LFSRto a de-Bruijn FSRLet R1be a maximum length LFSR **of** length Lwith linear feedback function:f( s , s ,..., s ).j−1 j−2j−LThen the FSR R with feedback function:2(j 1, j 2,..., j L) j−1, j−2,...,j−L+gs−s−s−= f⊕s s s 1is a de Bruijn FSR.Low Power Ajit Pal IIT Kharagpur 3

**Stream** **Ciphers** based on LFSR• LFSRs are popular key stream generators:– well suited for hardware implementations– large period– good statistical properties• However the key stream is predictable– the connection polynomial **of** an LFSR withlinear complexity L can be efficientlycomputed from a sub-sequence **of** length 2L ormore– the sub-sequence can be ascertained by aknown plain-text attackThree LFSR based methods• using a non-linear combiningfunction on the outputs **of** severalLFSRs• using a non-linear filtering functionon the contents **of** a single LFSR• using the output **of** one (or more)LFSR to control the clock **of** one (ormore) LFSRLow Power Ajit Pal IIT Kharagpur 4

Non-linear combination generators• f is a non-linear combining function• Suppose that n maximum length LFSRs, whose lengths L 1 , L 2 ,…,L n are pairwise distinct **and** greater than 2, are combined bya non-linear function f(x 1 ,x 2 ,…,x n ), which is the ANF form. Thenthe linear complexity **of** the key stream is f(L 1 , L 2 ,…,L n ), wherethe xors are replaced by integer additions.Example: the Geffe generator• 3 maximum length LFSRs whose lengths L 1 , L 2**and** L 3 are pairwise relatively prime.• Period=(2 L1 -1)(2 L2 -1)(2 L3 -1)• Linear Complexity=L 1 L 2 +L 2 L 3 +L 3Low Power Ajit Pal IIT Kharagpur 5

Correlation Attacks• The Geffe generator iscryptographically weak, becauseinformation about the states **of** LFSR1 **and** LFSR 3 leaks into the outputsequence.Pr(z(t)=x1( t)) = Pr( x2( t) = 1) + Pr( x2( t) = 0) Pr( x3( t) = x1( t))1 1 1 3= + =2 2 2 43Similarly, Pr(z(t)=x3( t))=4Correlation attacks• Consider n maximum length LFSRs R 1 ,R 2 ,…,R nwith lengths L 1 ,L 2 ,…,L n• Number **of** keys=(2 L1 -1)(2 L2 -1)…(2 Ln -1)• Suppose that there is a correlation between thekeystream **and** the output **of** R 1 with probabilityp>1/2– guess the initial state **of** R 1– Compute the number **of** coincidences between thekeystream **and** all possible shifts **of** the output sequence**of** R1, until the probability is more than p.– Number **of** trials=(2 L1 -1)– Since the initial states **of** the LFSRs can be knownindependently, total number **of** trials=Σ(2 Li -1)Low Power Ajit Pal IIT Kharagpur 6

Correlation Immunity• Let X 1 , …,X n be independent binaryvariables, each taking values 0 or 1 withprobability ½• A Boolean function f is m th ordercorrelation immune if for each subset **of** mr**and**om variables X i1 , X i2 ,…, X im , ther**and**om variable Z=f(X 1 ,…,X n ) isstatistically independent **of** the r**and**omvector (X i1 , X i2 ,…, X im )Summation Generator• The lengths L 1 ,L 2 ,…,L n **of** the n LFSRs arepairwise prime.• Period **of** the key-stream=Π(2 Li -1), while itslinear complexity is close to this number.Low Power Ajit Pal IIT Kharagpur 7

Non-linear filter generatorsClock controlled generatorsAlternating Step Generator:• A control LFSR R 1 is used to selectivelystep two other LFSRs, R 2 **and** R 3 .• Output sequence is the XOR **of** R 2 **and** R 3 .• Algorithm:– Register R 1 is clocked.– If output **of** R 1 is 1, then R 2 is clocked, R 3 is notclocked but the previous output is repeated.– If output **of** R 1 is 0, then R 3 is clocked, R 2 is notclocked but the previous output is repeated.Low Power Ajit Pal IIT Kharagpur 8

Example• If R 1 produces a de Bruijn sequence, thealternating step generator has high period, highlinear complexity, **and** have good statisticalproperties.Example (contd.)• R 1 =, R 2 =,R 3 =• Suppose initial states **of** R 1 =[001],R 2 =[1011], R 3 =[01001]• Output sequences:– R 1 : 1001011– R 2 :1101 0111 1000 100– R 3 :1001 0101 1000 0111 0011 0111 1101 000– z: 1011 1010 1010 0001 0111 1011 0001 110…Low Power Ajit Pal IIT Kharagpur 9

Shrinking generator• a control LFSR R 1 is used to controlthe output **of** a second LFSR R 2• Register R 1 **and** R 2 are clocked• If the output **of** R 1 is 1, the output bit**of** R 2 forms part **of** the key stream• If the output **of** R 1 is 0, the output **of**R 2 is discarded.Example• R 1 **and** R 2 are maximum length LFSRs• L 1 **and** L 2 are mutually co-prime, **and** if theconnection polynomials are unknown then thesecurity level is ≈2 2l , where L 1 ≈l, L 2 ≈l• thus keeping l=64, the SG should be quite strong.Low Power Ajit Pal IIT Kharagpur 10

Example (contd.)• R 1 =, R 2 =• Suppose initial states **of** R 1 =[100],R 2 =[00101]• Output sequences:– R 1 : 0011101– R 2 :1010 0001 0010 1100 1111 1000 1101 110– x: 1000 0101 1111 1011 10…Modern **Stream** **Ciphers**• Several proposals in the Estream Website• There are hardware **and** s**of**twarec**and**idates• Search for st**and**ard **Stream** **Ciphers**• New attack techniques have beendeveloped, like algebraic attacks, cubeattacks.• **Stream** cipher design have become all themore challenging.Low Power Ajit Pal IIT Kharagpur 11

Points to Ponder!• A self-shrinking generator (SSG) usesonly one maximum length LFSR R. Theoutput sequence **of** R is partitioned intopairs **of** bits.• The SSG outputs:– 0 if the pair is 10– 1 if the pair is 11– 00 **and** 01 pairs are dropped• A SSG can be implemented as a shrinkinggenerator **and** vice-versa. Can you workout?Further Reading• A. Menezes, P. Van Oorschot, ScottVanstone, “H**and**book **of** AppliedCryptography” (Available online)Low Power Ajit Pal IIT Kharagpur 12

Next Days Topic• Pseudor**and**omnessLow Power Ajit Pal IIT Kharagpur 13