Feedback shift register based stream ciphers, Thomas Johansson (PowerPoint presentation)


  1. Feedback shift register based stream ciphers. Thomas Johansson, Lund University, Lund, Sweden. 5/15/2007

  2. CONTENTS. Efficient encryption and possible solutions; Stream ciphers; Basic security analysis of stream ciphers; LFSR sequences; Design of LFSR based stream ciphers; NLFSR sequences.

  3. OUR PROBLEM – EFFICIENT ENCRYPTION. Public key solutions are too slow and are used only for key setup. We need symmetric encryption: stream ciphers or block ciphers.

  4. BLOCK CIPHERS. Ideally, random permutations. One problem: we cannot encrypt as follows (because if $p_i = p_j$ then $c_i = c_j$): [Figure: plaintext blocks $p_1, p_2, \dots, p_k$ each encrypted directly by the block cipher BC under the same key $k$, giving $c_1, c_2, \dots, c_k$.]

  5. BLOCK CIPHERS. The block cipher must be used in a mode of operation, for example counter mode. But this is also a stream cipher…

  6. STREAM CIPHERS (additive synchronous). The PRKG stretches the $k$-bit key to some arbitrarily long sequence $Z = z_1, z_2, z_3, \dots$ (keystream, running key).

  7. DEFINITION OF A GENERATOR.
     Version 1: key → keystream
       key 00…00 → 0110100110110100…
       key 00…01 → 1010111001000010…
     Version 2 (with IV): (IV, key) → keystream
       IV 00…00, key 00…00 → 0110100110110100…
       IV 00…00, key 00…01 → 1010111001000010…
       IV 00…01, key 00…00 → 1100101101010101…
       IV 00…01, key 00…01 → 0101001100110100…

  8. OPERATION OF A STREAM CIPHER.
     1. Key initialization: set all the internal variables according to the selected key. IV initialization: set all the internal variables according to the IV.
     2. Run the generator and produce the keystream $Z = z_1, z_2, z_3, \dots$
     3. Add the keystream to the plaintext: $c_i = p_i + z_i$

  9. MOTIVATION FOR STUDYING STREAM CIPHERS. We need to bring forward new modern stream ciphers and study them carefully. A modern stream cipher should be superior to a block cipher in performance (software and hardware). A modern stream cipher should provide security similar to a block cipher; for example, the "best" attack is an exhaustive key search attack.

  10. BLOCK CIPHERS VS STREAM CIPHERS. Idea: since we are already using stream ciphers through block cipher + some mode of operation, we might gain something through a direct construction. Typical gain: higher speed in software, smaller complexity in hardware, lower power consumption, … In some applications this is very important. Security? There are many well known and well studied block ciphers: DES, IDEA, RC5, … and more recently AES + candidates, Camellia, … There are not many equally well known stream ciphers (A5, RC4), and definitely not many of them with good security!

  11. Security of a stream cipher. The standard assumption: KNOWN PLAINTEXT ATTACK. This implies knowledge of the keystream $Z = z_1, z_2, \dots, z_N$. When an IV is used the opponent knows $Z_1 = z_{1,1}, z_{1,2}, \dots, z_{1,N}$ for IV = 1, $Z_2 = z_{2,1}, z_{2,2}, \dots, z_{2,N}$ for IV = 2, … all generated by the same key $k$. Could be a chosen IV attack.

  12. DIFFERENT TYPES OF ATTACKS.
     KEY RECOVERY ATTACK: recover the secret key $k$.
     DISTINGUISHING ATTACKS: build a distinguisher that can distinguish $Z = z_1, z_2, \dots, z_N$ from random (or $Z_1; Z_2; \dots$ in the IV case).
     OTHER ATTACKS. Related: prediction of the next symbol, … Unrelated: side-channel attacks (power analysis, timing attacks, etc.), …

  13. DISTINGUISHING ATTACKS. Assume that $D$ is given a truly random $X$ with probability ½ (and the keystream $Z$ otherwise). If $P(D \text{ guesses correct}) > ½$ we have a distinguisher (with some advantage). Note: we are usually not interested in cases when $P(D \text{ guesses correct}) = ½ + 2^{-n}$ for too small $2^{-n}$.

  14. APPLICATION OF A DISTINGUISHING ATTACK. THE ATTACKER guesses that PLAINTEXT = PICTURE 1 ($P_1$), calculates $Z' = P_1 + C$ and gives $Z'$ to the distinguisher. If $Z'$ is recognized as "CIPHER" the plaintext was PIC. 1; if $Z'$ is recognized as "RANDOM" the plaintext was PIC. 2. (A wrong guess would give $Z' = P_1 + C = P_1 + P_2 + Z$.)

  15. DIFFERENT TYPES OF STREAM CIPHERS. BIT-ORIENTED: "one bit on each clock". Shrinking, self-shrinking, alternating step,

  16. A5/1, Bluetooth E0, nonlinear combination generators and filter generators. Very simple to implement in hardware BUT in general slow in software. In addition, some have security problems.

  17. WORD-ORIENTED STREAM CIPHERS. "Produce a word on each clock/step". Word size: 8, 16, 32, 64. When we are operating on words, things are a bit different… Moving closer to block ciphers, using their machinery, e.g., S-boxes, SP-networks, etc.

  18. ATTACK TECHNIQUES.
     "UNIVERSAL DISTINGUISHERS": NIST statistical test suite, DIEHARD, …
     GUESS AND DETERMINE: guess unknown things on demand.
     "CORRELATION ATTACKS": dependence between output and internal unknown variables.
     LINEAR ATTACKS: apply linear approximations.
     "ALGEBRAIC ATTACKS": view your problem as the solution to a system of nonlinear equations.
     "TIME-MEMORY TRADEOFF ATTACKS".

  19. GUESS AND DETERMINE. Example: $s_1 + t_1 + u_1 = z_1$; $s_{d_1} = x$, $t_{d_2} = x$, $u_{d_3} = x + 1$; $s_2 + t_2 + u_1 = z_2$, …

  20. CORRELATION ATTACKS. All possible LFSR sequences are codewords in a linear code $C$. Reconstructing the initial state is the problem of decoding the code $C$ on a BSC($\tfrac{1}{2} + \varepsilon$).

  21. LINEAR ATTACKS. Replace nonlinear parts by a linear approximation. Find an expression where all unknown variables are eliminated, $\sum_i c_i z_{n+i} = 0$. Binary case: let $B_n = \sum_i c_i z_{n+i}$. Then $P(B_n = 0) = \tfrac{1}{2} + \varepsilon$. Collect as many samples as we need to distinguish the sequence $B_1, B_2, \dots$ from random.

  22. ALGEBRAIC ATTACKS. Find a low degree algebraic expression relating $Z$ and $S$, $F(z_n, z_{n+1}, \dots, s_n, s_{n+1}, \dots) = 0$, valid for all $n$! Generate a system of nonlinear equations. Simplest case: if the number of equations we can generate is very large we may solve the system by relinearization.

  23. RECENTLY PROPOSED STREAM CIPHERS.
     Some proposed stream ciphers 2000-2003:
       SNOW 2.0 (Lund Univ.); SOBER-t16, t32, 128 (Qualcomm); TURING (Qualcomm); SCREAM (IBM); MUGI (Hitachi); RABBIT (Cryptico).
       Word-oriented, fast in software. Use of LFSR or buffers. One linear part/update and one nonlinear.
     eSTREAM project (2004-2008):
       34 stream ciphers submitted (2005).
       Software: CryptMT, Dragon, HC, LEX, NLS, Rabbit, Salsa20, Sosemanuk.
       Hardware: DECIM, Edon80, F-FCSR, Grain, Mickey, Moustique, Pomaranche, Trivium.
       A lot of new ideas and techniques being evaluated…

  24. DISCUSSION ISSUE. Where should the level of required security be? Note: an $n$-bit block cipher in use is usually distinguished from random using $2^{n/2}$ output blocks and the same complexity. Ex.: AES is distinguished from random using ~$2^{64}$ blocks of output; DES is distinguished from random using ~$2^{32}$ blocks of output.

  25. LFSR BASED APPROACH TO STREAM CIPHER DESIGN. LFSR sequences have nice statistical properties. The idea is to combine or modify LFSR sequences so as to completely destroy their linear property. This is the old classic way of constructing stream ciphers.

  26. LFSR sequences. LFSR with $s_j \in GF(q)$. Connection polynomial $C(D) = 1 + c_1 D + c_2 D^2 + \dots + c_L D^L$.

  27. Alternative representations. Linear recurrence relation $s_j = -c_1 s_{j-1} - c_2 s_{j-2} - \dots - c_L s_{j-L}$. Characteristic polynomial of the recurrence, $f(x) = x^L + c_1 x^{L-1} + c_2 x^{L-2} + \dots + c_{L-1} x + c_L$.

  28. If the polynomial is irreducible we can also write $s_j = \mathrm{Tr}(\beta \alpha^j)$, where $\alpha, \beta \in GF(q^L)$, and $\mathrm{Tr}(x) = x + x^q + x^{q^2} + \dots + x^{q^{L-1}}$ is the trace map from $GF(q^L)$ to $GF(q)$.

  29. Multiplication in $GF(q^L)$. The LFSR basically implements multiplication with $\alpha$ in $GF(q^L)$. A state-transition graph gives a number of different cycles (notation: number of cycles [cycle length]):
     $C(D)$ irreducible: $1[1] + \frac{q^L - 1}{T}[T]$
     $C(D)$ primitive: $1[1] + 1[q^L - 1]$
     $C(D)$ reducible: cycles of different lengths

  30. Primitive connection polynomials, $q = 2$: m-sequences (period $2^L - 1$). Statistical properties: $P(s_j = 0) \approx 1/2$, $P((s_j, s_{j+1}) = (a, b)) \approx 1/4$, …, $P(s_{j_1} + s_{j_2} + \dots + s_{j_n} = 0) \approx 1/2$ unless $s_{j_1} + s_{j_2} + \dots + s_{j_n}$ obeys the recurrence relation. Adding two m-sequences results in a new m-sequence.

  31. Summary of statistical properties. m-sequences have almost ideal statistical properties, except for the linear parity checks described by the connection polynomial $C(D) = 1 + c_1 D + c_2 D^2 + \dots + c_L D^L$ and all its multiples $P(D) = Q(D)\,C(D)$. We need to do something about that…
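Slides 26 to 31 in working form, as an added Python example (not code from the presentation): a binary LFSR driven from its connection polynomial in the convention of slide 27, the cycle structure of its state-transition graph (slide 29), the balance and window properties of an m-sequence (slide 30), and the parity checks given by $C(D)$ and its multiples $Q(D)C(D)$ against a polynomial that is not a multiple (slide 31). The example polynomials are my choices: $1 + D^2 + D^5$ is primitive (period 31) and $1 + D + D^2 + D^3 + D^4$ is irreducible but not primitive (its roots have order 5); the initial state is arbitrary but nonzero.

```python
"""Binary LFSR from its connection polynomial C(D) = 1 + c_1 D + ... + c_L D^L (slides 26-31).
Added example; not the author's code. Convention of slide 27 (signs vanish over GF(2)):
s_j = c_1 s_{j-1} + ... + c_L s_{j-L}, so C(D) itself is a parity check satisfied by
every window of the sequence: s_j + c_1 s_{j-1} + ... + c_L s_{j-L} = 0 for j >= L.
"""

# Assumed example polynomials: 1 + D^2 + D^5 is primitive (m-sequence, period 31);
# 1 + D + D^2 + D^3 + D^4 is irreducible but not primitive (its roots have order 5).
PRIMITIVE = (2, 5)              # i with c_i = 1
IRREDUCIBLE = (1, 2, 3, 4)
INIT = (1, 0, 0, 0, 0)          # any nonzero state; state = (s_{j-L}, ..., s_{j-1})


def step(taps, state):
    """One clock: (s_{j-L}, ..., s_{j-1}) -> (s_{j-L+1}, ..., s_j), s_j = sum_{i in taps} s_{j-i}."""
    L = max(taps)
    new = 0
    for i in taps:
        new ^= state[L - i]
    return state[1:] + (new,)


def lfsr(taps, init, n):
    """First n output bits s_0, s_1, ... of the LFSR started in state init = (s_0, ..., s_{L-1})."""
    state = tuple(init)
    out = []
    for _ in range(n):
        out.append(state[0])
        state = step(taps, state)
    return out


def period(taps, init):
    """Smallest p > 0 with state_{j+p} = state_j, i.e. the period of the output sequence."""
    start = tuple(init)
    state = step(taps, start)
    p = 1
    while state != start:
        state = step(taps, state)
        p += 1
    return p


def cycle_structure(taps):
    """Cycle decomposition of the state-transition graph over all 2^L states, returned as
    {cycle_length: number_of_cycles} (the 'count[length]' notation of slide 29)."""
    L = max(taps)
    seen = set()
    cycles = {}
    for k in range(2 ** L):
        state = tuple((k >> b) & 1 for b in range(L))
        if state in seen:
            continue
        length = 0
        s = state
        while s not in seen:        # c_L = 1, so the map is a permutation: we return to state
            seen.add(s)
            s = step(taps, s)
            length += 1
        cycles[length] = cycles.get(length, 0) + 1
    return cycles


def window_counts(seq, L, n_windows):
    """How often each L-tuple (s_j, ..., s_{j+L-1}) occurs among n_windows consecutive windows."""
    counts = {}
    for j in range(n_windows):
        w = tuple(seq[j:j + L])
        counts[w] = counts.get(w, 0) + 1
    return counts


def parity_zero_count(seq, coeffs):
    """(zeros, total) for B_j = sum_i coeffs[i] * s_{j-i} over all j >= deg P, where coeffs[i] is the
    coefficient of D^i in a polynomial P(D). For C(D) and its multiples every B_j is 0; for any
    other polynomial about half of them are (slide 30: 'unless it obeys the recurrence')."""
    d = len(coeffs) - 1
    zeros = total = 0
    for j in range(d, len(seq)):
        b = 0
        for i, c in enumerate(coeffs):
            if c:
                b ^= seq[j - i]
        zeros += b == 0
        total += 1
    return zeros, total


if __name__ == "__main__":
    seq = lfsr(PRIMITIVE, INIT, 36)
    print("period", period(PRIMITIVE, INIT), "ones in one period", sum(seq[:31]))
    print("primitive cycles", cycle_structure(PRIMITIVE), "irreducible cycles", cycle_structure(IRREDUCIBLE))
    print("C(D) = 1+D^2+D^5     ", parity_zero_count(seq, [1, 0, 1, 0, 0, 1]))
    print("(1+D)C(D)            ", parity_zero_count(seq, [1, 1, 1, 1, 0, 1, 1]))
    print("1+D (not a multiple) ", parity_zero_count(seq[:32], [1, 1]))
```

Over one period the m-sequence has 16 ones and 15 zeros and every nonzero 5-tuple appears exactly once, which is what "almost ideal statistical properties" means concretely; the parity checks for $C(D)$ and $(1+D)C(D)$ are zero at every position, while $1 + D$, which is not a multiple, is zero at exactly 15 of 31 positions because $s_j + s_{j-1}$ is itself a shift of the same m-sequence (slide 30's shift-and-add remark).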

  32. The nonlinear combination generator. Combine several m-sequences using a Boolean function.

  33. The filter generator. An m-sequence is filtered by a nonlinear function $F(x)$.
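The design check that goes with slides 32 and 33, as an added Python example that is not from the presentation: before a Boolean function is used to combine several m-sequences, or as the filter $F(x)$ on the taps of one, its Walsh spectrum tells the designer how strongly the output is correlated with each input and with every linear function of the inputs, which is precisely the dependence the correlation attack of slide 20 exploits. From the spectrum the code derives balance, the correlation to each single input, the correlation immunity order (Xiao-Massey: order $m$ iff $W_f(a) = 0$ for all $a$ of weight $1 \le \mathrm{wt}(a) \le m$) and the nonlinearity. The functions analysed are the textbook Geffe (multiplexer) and majority combiners and a constructed first-order correlation-immune function $f = x_1 + x_2 + x_3 x_4$; none of them comes from the slides.

```python
"""Walsh-spectrum check of a combining or filter function f: GF(2)^n -> GF(2) (slides 32-33).
Added example; not the author's code."""
from itertools import product


def walsh_spectrum(f, n):
    """W_f(a) = sum_x (-1)^(f(x) + a.x) for every a in GF(2)^n.

    W_f(a) / 2^n is the correlation between f and the linear function a.x; in particular
    W_f(e_i) / 2^n is the correlation between the output and the single input x_i.
    """
    points = list(product((0, 1), repeat=n))
    table = {x: f(*x) & 1 for x in points}
    spectrum = {}
    for a in points:
        total = 0
        for x in points:
            dot = sum(ai & xi for ai, xi in zip(a, x)) & 1
            total += 1 if table[x] == dot else -1
        spectrum[a] = total
    return spectrum


def is_balanced(f, n):
    """f is balanced (as many zeros as ones) iff W_f(0) = 0."""
    return walsh_spectrum(f, n)[(0,) * n] == 0


def input_correlations(f, n):
    """P(f(x) = x_i) for i = 1..n; any value other than 1/2 is a usable correlation."""
    W = walsh_spectrum(f, n)
    probs = []
    for i in range(n):
        e_i = tuple(1 if j == i else 0 for j in range(n))
        probs.append(0.5 + W[e_i] / 2 ** (n + 1))
    return probs


def correlation_immunity_order(f, n):
    """Largest m with W_f(a) = 0 for all a of weight 1..m (Xiao-Massey characterization)."""
    W = walsh_spectrum(f, n)
    for m in range(1, n + 1):
        if any(w != 0 for a, w in W.items() if sum(a) == m):
            return m - 1
    return n


def nonlinearity(f, n):
    """Hamming distance to the nearest affine function: 2^(n-1) - max_a |W_f(a)| / 2."""
    W = walsh_spectrum(f, n)
    return 2 ** (n - 1) - max(abs(w) for w in W.values()) // 2


# Textbook combiners for three m-sequences, plus a constructed correlation-immune example.
def geffe(x1, x2, x3):
    """Geffe / multiplexer combiner: x1 if x2 else x3, i.e. x1 x2 + x2 x3 + x3."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def majority(x1, x2, x3):
    return (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)


def ci_example(x1, x2, x3, x4):
    """Constructed: x1 + x2 + x3 x4 is balanced, nonlinear and first-order correlation immune."""
    return x1 ^ x2 ^ (x3 & x4)


if __name__ == "__main__":
    for name, f, n in (("geffe", geffe, 3), ("majority", majority, 3), ("ci_example", ci_example, 4)):
        print(name, "balanced:", is_balanced(f, n), "P(f = x_i):", input_correlations(f, n),
              "CI order:", correlation_immunity_order(f, n), "nonlinearity:", nonlinearity(f, n))
```

For the Geffe combiner the output agrees with $x_1$ and with $x_3$ three quarters of the time, so each of those two LFSRs can be treated on its own as a codeword observed through a BSC($3/4$) in the sense of slide 20, while the majority combiner leaks $3/4$ on all three inputs. The constructed $x_1 + x_2 + x_3 x_4$ has no single-input correlation (order 1) but does correlate with $x_1 + x_2$, which is the usual trade-off: high correlation immunity pushes the function toward linearity, so a designer balances immunity order, algebraic degree and nonlinearity rather than maximizing one of them.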

  34. THE SNOW STREAM CIPHERS. Designed at Lund University, Sweden (Johansson, Ekdahl). SNOW 2.0: ISO standard ISO/IEC 18033-4:2005; DPCP (DisplayPort Content Protection); reference stream cipher in eSTREAM. SNOW 3G: UMTS.

  35. SNOW 2.0. [Figure: the SNOW 2.0 LFSR with multipliers $\alpha$ and $\alpha^{-1}$ feeding a Finite State Machine with registers R1, R2 and an S-box S; the output is the keystream.]
