Stream Ciphers - Department of Computer Science and Engineering ...

cse.iitkgp.ac.in

Stream Ciphers - Department of Computer Science and Engineering ...

Stream Ciphers (contd.)Debdeep MukhopadhyayAssistant ProfessorDepartment of Computer Science andEngineeringIndian Institute of Technology KharagpurINDIA -721302Objectives• Non-linear feedback shift registers• Stream ciphers using LFSRs:– Non-linear combination generators– Non-linear filter generators– Clock controlled generators– Other Stream CiphersLow Power Ajit Pal IIT Kharagpur 1


Non-linear feedback shift registers• A Feedback Shift Register (FSR) isnon-singular iff for all possible initialstates every output sequence of theFSR is periodic.de Bruijn SequenceAn FSR with feedback function f( sj− 1, sj−2,..., sj−L)is non-singular iff f is of the form:f = sj−L⊕g( sj− 1, sj−2,..., sj− L+1)for some Boolean function g.The period of a non-singular FSR with length LLis at most 2 .If the period of the output sequence for any initialLstate of a non-singular FSR of length L is 2 , then theFSR is called a de Bruijn FSR, and the output sequenceis called a de Bru ijn sequence.Low Power Ajit Pal IIT Kharagpur 2


Examplef ( x , x , x ) = 1⊕x ⊕x ⊕x x1 2 3 2 3 1 2t0123x 10111x 20011x 30001t4563x 10100x 21010x 31101Converting a maximal length LFSRto a de-Bruijn FSRLet R1be a maximum length LFSR of length Lwith linear feedback function:f( s , s ,..., s ).j−1 j−2j−LThen the FSR R with feedback function:2(j 1, j 2,..., j L) j−1, j−2,...,j−L+gs−s−s−= f⊕s s s 1is a de Bruijn FSR.Low Power Ajit Pal IIT Kharagpur 3


Stream Ciphers based on LFSR• LFSRs are popular key stream generators:– well suited for hardware implementations– large period– good statistical properties• However the key stream is predictable– the connection polynomial of an LFSR withlinear complexity L can be efficientlycomputed from a sub-sequence of length 2L ormore– the sub-sequence can be ascertained by aknown plain-text attackThree LFSR based methods• using a non-linear combiningfunction on the outputs of severalLFSRs• using a non-linear filtering functionon the contents of a single LFSR• using the output of one (or more)LFSR to control the clock of one (ormore) LFSRLow Power Ajit Pal IIT Kharagpur 4


Non-linear combination generators• f is a non-linear combining function• Suppose that n maximum length LFSRs, whose lengths L 1 , L 2 ,…,L n are pairwise distinct and greater than 2, are combined bya non-linear function f(x 1 ,x 2 ,…,x n ), which is the ANF form. Thenthe linear complexity of the key stream is f(L 1 , L 2 ,…,L n ), wherethe xors are replaced by integer additions.Example: the Geffe generator• 3 maximum length LFSRs whose lengths L 1 , L 2and L 3 are pairwise relatively prime.• Period=(2 L1 -1)(2 L2 -1)(2 L3 -1)• Linear Complexity=L 1 L 2 +L 2 L 3 +L 3Low Power Ajit Pal IIT Kharagpur 5


Correlation Attacks• The Geffe generator iscryptographically weak, becauseinformation about the states of LFSR1 and LFSR 3 leaks into the outputsequence.Pr(z(t)=x1( t)) = Pr( x2( t) = 1) + Pr( x2( t) = 0) Pr( x3( t) = x1( t))1 1 1 3= + =2 2 2 43Similarly, Pr(z(t)=x3( t))=4Correlation attacks• Consider n maximum length LFSRs R 1 ,R 2 ,…,R nwith lengths L 1 ,L 2 ,…,L n• Number of keys=(2 L1 -1)(2 L2 -1)…(2 Ln -1)• Suppose that there is a correlation between thekeystream and the output of R 1 with probabilityp>1/2– guess the initial state of R 1– Compute the number of coincidences between thekeystream and all possible shifts of the output sequenceof R1, until the probability is more than p.– Number of trials=(2 L1 -1)– Since the initial states of the LFSRs can be knownindependently, total number of trials=Σ(2 Li -1)Low Power Ajit Pal IIT Kharagpur 6


Correlation Immunity• Let X 1 , …,X n be independent binaryvariables, each taking values 0 or 1 withprobability ½• A Boolean function f is m th ordercorrelation immune if for each subset of mrandom variables X i1 , X i2 ,…, X im , therandom variable Z=f(X 1 ,…,X n ) isstatistically independent of the randomvector (X i1 , X i2 ,…, X im )Summation Generator• The lengths L 1 ,L 2 ,…,L n of the n LFSRs arepairwise prime.• Period of the key-stream=Π(2 Li -1), while itslinear complexity is close to this number.Low Power Ajit Pal IIT Kharagpur 7


Non-linear filter generatorsClock controlled generatorsAlternating Step Generator:• A control LFSR R 1 is used to selectivelystep two other LFSRs, R 2 and R 3 .• Output sequence is the XOR of R 2 and R 3 .• Algorithm:– Register R 1 is clocked.– If output of R 1 is 1, then R 2 is clocked, R 3 is notclocked but the previous output is repeated.– If output of R 1 is 0, then R 3 is clocked, R 2 is notclocked but the previous output is repeated.Low Power Ajit Pal IIT Kharagpur 8


Example• If R 1 produces a de Bruijn sequence, thealternating step generator has high period, highlinear complexity, and have good statisticalproperties.Example (contd.)• R 1 =, R 2 =,R 3 =• Suppose initial states of R 1 =[001],R 2 =[1011], R 3 =[01001]• Output sequences:– R 1 : 1001011– R 2 :1101 0111 1000 100– R 3 :1001 0101 1000 0111 0011 0111 1101 000– z: 1011 1010 1010 0001 0111 1011 0001 110…Low Power Ajit Pal IIT Kharagpur 9


Shrinking generator• a control LFSR R 1 is used to controlthe output of a second LFSR R 2• Register R 1 and R 2 are clocked• If the output of R 1 is 1, the output bitof R 2 forms part of the key stream• If the output of R 1 is 0, the output ofR 2 is discarded.Example• R 1 and R 2 are maximum length LFSRs• L 1 and L 2 are mutually co-prime, and if theconnection polynomials are unknown then thesecurity level is ≈2 2l , where L 1 ≈l, L 2 ≈l• thus keeping l=64, the SG should be quite strong.Low Power Ajit Pal IIT Kharagpur 10


Example (contd.)• R 1 =, R 2 =• Suppose initial states of R 1 =[100],R 2 =[00101]• Output sequences:– R 1 : 0011101– R 2 :1010 0001 0010 1100 1111 1000 1101 110– x: 1000 0101 1111 1011 10…Modern Stream Ciphers• Several proposals in the Estream Website• There are hardware and softwarecandidates• Search for standard Stream Ciphers• New attack techniques have beendeveloped, like algebraic attacks, cubeattacks.• Stream cipher design have become all themore challenging.Low Power Ajit Pal IIT Kharagpur 11


Points to Ponder!• A self-shrinking generator (SSG) usesonly one maximum length LFSR R. Theoutput sequence of R is partitioned intopairs of bits.• The SSG outputs:– 0 if the pair is 10– 1 if the pair is 11– 00 and 01 pairs are dropped• A SSG can be implemented as a shrinkinggenerator and vice-versa. Can you workout?Further Reading• A. Menezes, P. Van Oorschot, ScottVanstone, “Handbook of AppliedCryptography” (Available online)Low Power Ajit Pal IIT Kharagpur 12


Next Days Topic• PseudorandomnessLow Power Ajit Pal IIT Kharagpur 13

More magazines by this user
Similar magazines