introduction to design and analysis of stream ciphers
play

Introduction to Design and Analysis of Stream Ciphers Willi Meier - PowerPoint PPT Presentation

Nov 10, 2023 •291 likes •940 views

Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 63 Overview Stream Ciphers: A short Introduction Cryptanalysis principles Time/Memory/Data tradeoffs Berlekamp-Massey algorithm

  1. Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 63

  2. Overview ◮ Stream Ciphers: A short Introduction ◮ Cryptanalysis principles ◮ Time/Memory/Data tradeoffs ◮ Berlekamp-Massey algorithm ◮ LFSR-based stream ciphers ◮ Combiners with Memory ◮ Correlation attacks ◮ Linear (distinguishing) attacks ◮ Algebraic attacks ◮ The European NoE eSTREAM Project ◮ NLFSR-based stream ciphers: Trivium and Grain 2 / 63

  3. Introduction Why stream ciphers? Applied in: Environments with high throughput requirements. Stream ciphers can be up to 5 times faster than, e.g., AES. Devices with restricted resources, e.g., in RFIDs (lightweight crypto). 3 / 63

  4. Introduction Stream Cipher: Encrypts sequence of plaintext symbols, e.g., from a binary alphabet { 0 , 1 } , or from 32-bit words. Synchronous stream cipher: The output of a pseudorandom generator, the keystream, is used together with the plaintext to produce the ciphertext. Additive stream cipher: Ciphertext symbols c i obtained from plaintext symbols m i and keystream symbols b i by xor addition. 4 / 63

  5. Introduction A synchronous stream cipher: Takes as input a κ -bit secret key k and a n -bit public initial vector v (or IV). Initialization mixes input to generate a random looking initial state. Thereafter, keystream is output and state is continuously updated. 5 / 63

  6. Introduction Formally: Initialization function F : { 0 , 1 } κ × { 0 , 1 } n �→ { 0 , 1 } m . State update function G : { 0 , 1 } m �→ { 0 , 1 } m Output function H : { 0 , 1 } m �→ { 0 , 1 } . s t : state at time instant t . s t + 1 = G ( s t , k ) , z t = H ( s t , k ) . 6 / 63

  7. Introduction As in every symmetric crypto system, sender and receiver have to be in possession of the key k (e.g. of 128 bits). Message split into small packets. Each of them encrypted using a fresh IV as input. 7 / 63

  8. Introduction Prototype stream cipher: One-Time-Pad (F . Miller 1882, G. Vernam, 1917) Keystream: A random binary string OTP has perfect security (Shannon, 1945). In a deterministic stream cipher, random string of OTP replaced by pseudo random string. Only secret key k needs to be securely transmitted. Provable security lost. 8 / 63

  9. Introduction Examples of stream ciphers ◮ RC4, used, e.g., in eBanking ◮ E0, used in the Bluetooth protocol ◮ A5/1, used in GSM cellphones A variety of cryptanalytic results known on these ciphers. 9 / 63

  10. Introduction Stream ciphers can have very simple structure, e.g., RC4 only needs a few lines for its description: ℓ -byte key k is expanded into N -byte array K [ 0 ... ( N − 1 )] , N = 256: K [ y ] = k [ y mod ℓ ] for any y , 0 ≤ y ≤ N − 1. Algorithm 1 KSA for i = 0 to N − 1 in steps of 1 do S [ i ] = i end for j = 0 for i = 0 to N − 1 in steps of 1 do j = ( j + S [ i ] + K [ i ]) Swap( S [ i ] , S [ j ] ) end for 10 / 63

  11. Introduction Algorithm 2 PRGA i = j = 0 Key Stream Generation Loop: i = i + 1 j = j + S [ i ] Swap( S [ i ] , S [ j ] ) t = S [ i ] + S [ j ] return z = S [ t ] 11 / 63

  12. Introduction State-of-the-art stream ciphers include: ◮ SNOW 2.0, software oriented, ISO/IEC standard ◮ SNOW 3G, 3GPP in UEA2 and UIA2 ◮ ZUC (core of new Long Term Evolution algorithms) ◮ eSTREAM finalists, e.g., Salsa20, Rabbit for software, and Grain and Trivium for hardware implementation. 12 / 63

  13. Introduction Stream cipher modes of operation of block ciphers (e.g., Triple DES or AES): ◮ Cipher feedback ◮ Output feedback ◮ Counter mode 13 / 63

  14. Introduction A dedicated stream cipher with provable security: QUAD (Berbain-Gilbert-Patarin, 2006) Based on difficulty of solving systems of multivariate quadratic equations mod 2. 14 / 63

  15. Introduction Difference between block ciphers and synchronous stream ciphers? Block cipher needs several rounds until it outputs a block. Resulting output dependent on plaintext. Dedicated stream cipher produces output after each update (round). Resulting output independent on plaintext (but on present state). 15 / 63

  16. Cryptanalysis principles In cryptanalysis of stream ciphers: Assume either that ◮ Some part of plaintext is known (known-plaintext attack), or ◮ Plaintext has redundancy (e.g., has ASCII format). For additive stream ciphers, a known part of plaintext is equivalent to a known part of keystream. 16 / 63

  17. Cryptanalysis principles Distinction between passive and active attacks. In passive attacks: Exploit either output mode or initialization (resynchronization) mode. Key recovery: Attempt to recover secret key k out of observed key stream. Distinguishing attack: Try to distinguish observed key stream from being a purely random sequence. Distinguishing attacks may sometimes be turned into key recovery attacks. Side-channel attack: Measures radiation or power consumption during execution of encryption. 17 / 63

  18. Cryptanalysis principles In active attacks: - Adversary inserts, deletes or replays ciphertext digits. Causes loss of synchronization: Data intgrity check and data origin authentication necessary. - Fault attack: Adversary actively induces faults in state (e.g., by ionizing radiation). 18 / 63

  19. Berlekamp-Massey algorithm Efficient method to deliver shortest LFSR, together with initial state that can generate a given sequence. LFSR of length L : State vector ( x L , ..., x 1 ) . In one step, each bit is shifted one position to the right, except the rightmost bit x 1 which is output. On the left, a new bit is shifted in, by a linear recursion x j = ( c 1 x j − 1 + c 2 x j − 2 + ... + c L x j − L ) mod 2 , for j > L . 19 / 63

  20. Berlekamp-Massey algorithm Linear complexity of a binary sequence: Length of shortest LFSR that can produce the given sequence. Complexity of Berlekamp-Massey algorithm: Quadratic in length of LFSR. Consequence: Linear complexity and period of stream cipher need to be large. 20 / 63

  21. Time/Memory/Data tradeoffs General type of attack. Introduced for block ciphers by Hellman (1980). For stream ciphers introduced by Babbage (1995), Goli´ c (1997). General treatment by Biryukov-Shamir (2000). N : size of search space M : amount of random access memory T : time required by realtime phase of attack D : amount of realtime data available to attacker 21 / 63

  22. Time/Memory/Data tradeoffs Statement of basic version of attack: TM = N . Example: T = M ; Hence T = M = N 1 / 2 . Attack associates to each of N possible states of generator a string of the first log ( N ) bits of output produced from that state. 22 / 63

  23. Time/Memory/Data tradeoffs Mapping f ( x ) = y from states x to output prefixes y : Easy to evaluate but hard to invert. Preprocessing phase: Pick M random states x i , compute y i , and store all ( x i , y i ) in a sorted table. Realtime phase: Given D + log ( N ) − 1 output bits, derive all possible D windows y 1 , ..., y D of log ( N ) consecutive bits (with overlaps). Look up each y i in table. If one y i is found, can determine corresponding x i . 23 / 63

  24. Time/Memory/Data tradeoffs Threshold of success: Birthday paradox. Two random subsets of space with N points each are likely to intersect when product of their sizes exceeds N . Hence DM = N , where preprocessing time P = M , attack time T = D , i.e., TM = N . Consequence: Size N of state space of stream cipher should be at least twice the size of secret key. 24 / 63

  25. LFSR-based stream ciphers LFSRs easy to implement in hardware. Depending on linear recursion, LFSRs have desirable properties: ◮ Output sequence has large period (e.g. maximum period 2 L − 1). ◮ Good statistical properties. ◮ Easy to analyse algebraically. 25 / 63

  26. LFSR-based stream ciphers Drawback for cryptography: LFSRs easy to predict. Solve a system of linear equations for unkonwn state bits and recursion coefficients, or use Berlekamp-Massey algorithm. Destroy linearity by ◮ Nonlinear filter/combining functions on outputs of one or several LFSRs. ◮ Use of output of one/several LFSRs to control the clock of one/more other LFSRs. LFSR-based stream ciphers can have some provable properties, like large period or linear complexity. 26 / 63

  27. LFSR-based stream ciphers Nonlinear filter generator: Generate key stream bits b 0 , b 1 , b 2 , ..., as some nonlinear function f of the stages of a single LFSR. 27 / 63

  28. LFSR-based stream ciphers Many (classical) stream ciphers are LFSR-driven, e.g., ◮ A 5 / 1 ◮ Shrinking and self-shrinking generator 28 / 63

  29. Combiners with Memory A ( k , m ) -combiner with k inputs and m memory bits is a finite state machine (FSM), defined by an output function f : { 0 , 1 } m × { 0 , 1 } k → { 0 , 1 } and a memory update function ϕ : { 0 , 1 } m × { 0 , 1 } k → { 0 , 1 } m . 29 / 63

  30. For given stream of inputs ( X 1 , X 2 , ... ) , X i ∈ { 0 , 1 } k , and initial assignment Q 1 in { 0 , 1 } m to memory bits, the output bit stream is defined as: z t = f ( Q t , X t ) , and Q t + 1 = ϕ ( Q t , X t ) , all t > 0. Often, driving devices for generating input streams are LFSRs. Initial states determined by the secret key. 30 / 63

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden 5/15/2007 1 CONTENTS Efficient encryption and possible solutions Stream ciphers Basic security analysis of stream ciphers LFSR sequences Design

497 views • 45 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers, and other secret-key primitives, D. J. Bernstein should we use University of Illinois at Chicago integer multiplication? AES uses 32 32 32

1.76k views • 149 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Non-linear feedback shift registers Stream ciphers using

445 views • 13 slides
Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Stream Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Classifications Feedback Based Stream Ciphers Linear Feedback

263 views • 15 slides
tr rs tt

tr rs tt

tr rs tt ttrr ttrqrrsrttt

760 views • 35 slides
Organising and Writing Research Papers Storyboard and Abstract P Sunthar Department of Chemical

Organising and Writing Research Papers Storyboard and Abstract P Sunthar Department of Chemical

Organising and Writing Research Papers Storyboard and Abstract P Sunthar Department of Chemical Engineering Indian Institute of Technology, Bombay Mumbai 400076, India P.Sunthar@iitb.ac.in September 17, 2012 Introduction Answers Writing

380 views • 21 slides
Choosing a Geometry for a Given Application Material Selection Selection of Materials and

Choosing a Geometry for a Given Application Material Selection Selection of Materials and

Choosing a Geometry for a Given Application Material Selection Selection of Materials and Structures Bristol F.2b Air Tractor AT-802A Photo by Alan Wilson CC BY-SA 2.0 Piper Super Cub Photo by flightlog CC BY 2.0 Photo by Ad Meskens CC BY-SA

633 views • 15 slides
IMGD 1001: The Game Art Pipeline by Mark Claypool (claypool@cs.wpi.edu) Robert W . Lindem an

IMGD 1001: The Game Art Pipeline by Mark Claypool (claypool@cs.wpi.edu) Robert W . Lindem an

IMGD 1001: The Game Art Pipeline by Mark Claypool (claypool@cs.wpi.edu) Robert W . Lindem an (gogo@wpi.edu) Artistic Courses AR 1 1 0 0 . ESSENTI ALS OF ART. This course provides an introduction to the basic principles of two and three-

779 views • 16 slides
Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF, Lausanne Invited Talk to ASK 2019 14th December 2019 Outline Introduction Sprout (FSE15) Previous Work Attack by Esgin/Kara (SAC 2015)

597 views • 46 slides
Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M AUX cole

Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M AUX cole

Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M AUX cole normale suprieure, CNRS, INRIA, PSL Joint work with: Anthony J OURNAULT , Franois-Xavier S TANDAERT , and Claude C ARLET Eurocrypt 2016 Vienna,

953 views • 71 slides
On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom R&D {firstname.lastname@orange-ftgroup.com} research & development Stream Ciphers IV-less IV-dependent key K IV (initial value)

477 views • 18 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides

More recommend