recent results on stream ciphers
play

Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics - PowerPoint PPT Presentation

Jun 02, 2023 •267 likes •993 views

Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical Institute, Kolkata subho@isical.ac.in 26 August, 2020 Subhamoy Maitra Recent Results on Stream Ciphers Slide 1 of 71 Stream Cipher Subhamoy Maitra

  1. Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical Institute, Kolkata subho@isical.ac.in 26 August, 2020 Subhamoy Maitra Recent Results on Stream Ciphers Slide 1 of 71

  2. Stream Cipher Subhamoy Maitra Recent Results on Stream Ciphers Slide 2 of 71

  3. Basic Idea Parties: Alice (Sender/Receiver) and Bob (Receiver/Sender) Procedure Alice and Bob share a stream of random data (keystream) K i , where i = 0 , 1 , . . . The plaintext stream M i is XOR-ed with K i to generate the cipher stream C i . [ C i = M i ⊕ K i ] The cipher stream C i is XOR-ed with K i to generate the plaintext stream M i . [ M i = C i ⊕ K i ] Subhamoy Maitra Recent Results on Stream Ciphers Slide 3 of 71

  4. One Time Pad Alice and Bob may sit on a table and toss an unbiased coin enough number of times to generate the keystream bits. Once some portion of the keystream is used for encryption, it will never be used again. Not practical! Subhamoy Maitra Recent Results on Stream Ciphers Slide 4 of 71

  5. Pseudorandom Generator Alice and Bob share a small key E.g., toss the coin for 128 times to generate the secret key Initialize some deterministic algorithm on a classical computer with this secret key. After the initialization, the algorithm will keep on generating random-looking bitstream , the keystream bits K i . The small key and K i should have a unique one-to-one correspondence. Key 128 bits, key-stream 2048 bits, not all the key-stream patterns can be generated. A practical solution! Subhamoy Maitra Recent Results on Stream Ciphers Slide 5 of 71

  6. Cryptographic Security Kerckhoff’s Principle: The security of a cipher should rely on the secrecy of the key only! Attacker knows every detail of the cryptographic algorithm except the key. Keeping the design secret in commercial domain has no scientific justification. It may be leaked easily. The design should be such that the designer himself cannot break the system without knowing the key. No trapdoor. Design should be known to everybody for evaluation. For stream cipher the attacker will have access to certain amount of key-stream Obscurity is the opposite of “transparency” or “transparentness”. This never helps to achieve cryptographic security. Subhamoy Maitra Recent Results on Stream Ciphers Slide 6 of 71

  7. Basic Design Ideas Subhamoy Maitra Recent Results on Stream Ciphers Slide 7 of 71

  8. Initial Remarks Involvement of linear and nonlinear elements together. Efficiency on Hardware and Software Platforms. In Hardware domain mostly LFSRs are used as linear elements and combining functions (may be with some amount of memory) are used as nonlinear elements. The designs of SNOW and ZUC are advanced implementation of this strategy. [May also be used efficiently in software] Subhamoy Maitra Recent Results on Stream Ciphers Slide 8 of 71

  9. Hardware Stream Ciphers LFSR, NFSR, Boolean Functions Keys involved only during KSA PRGA does not involve keys The state size must be twice the key size to protect against Generic TMDTO attack. Total space required: The space to store the key (might be non-volatile) The space for LFSR, NFSR, Counter (volatile) Subhamoy Maitra Recent Results on Stream Ciphers Slide 9 of 71

  10. Lightweight Stream Ciphers: New Direction Secret key fixed with the device (Where is the key stored?) Use secret key during PRGA Cost of non-volatile memory less Reduce size of volatile memory Subhamoy Maitra Recent Results on Stream Ciphers Slide 10 of 71

  11. Comparisons Cipher Key size IV size State size Initialization rounds Lizard 120(80) 64 121 (90 NFSR + 31 NFSR) 256 Plantlet 80 90 101 (61 LFSR + 40 NFSR) 320 Sprout 80 70 80 (40 LFSR + 40 NFSR) 320 Grain v1 80 64 160 (80 LFSR + 80 NFSR) 160 Table: Comparison of Plantlet with its predecessors in terms of LFSR and NFSR sizes. Subhamoy Maitra Recent Results on Stream Ciphers Slide 11 of 71

  12. Present Situation Grain v1 had some cryptanalysis very recently Sprout (FSE 2015) immediately attacked Plantlet (based on Sprout) and Lizard were presented in FSE 2017 We have checked Plantlet is weaker than Sprout in terms of Fault Attack (IEEE TC 2017) We have mounted a TMDTO attack on Lizard (IEEE TC 2018) Subhamoy Maitra Recent Results on Stream Ciphers Slide 12 of 71

  13. LFSR Based Stream Ciphers Subhamoy Maitra Recent Results on Stream Ciphers Slide 13 of 71

  14. Bit-oriented LFSR � � b 5 b 4 b 3 b 2 b 1 b 0 ✲ ✲ � � ✲ b 0 b 6 b 5 b 4 b 3 b 2 b 1 ✲ Figure: LFSR: One step evolution Recurrence Relation: s t +6 = s t +4 ⊕ s t +1 ⊕ s t Polynomial over GF (2): x 6 + x 4 + x 1 + 1 Subhamoy Maitra Recent Results on Stream Ciphers Slide 14 of 71

  15. Bit-oriented LFSR (cont’d.) Primitive polynomial provides maximum length cycle, 2 d − 1 for degree d . Well known as m -sequence. By itself, not cryptographically secure, but useful building block for pseudo randomness. In the domain of communications, known as p-n sequence. Easy and efficient implementation in hardware, using registers (Flip Flops) and simple logic gates. Deep mathematical development for a long time. Elegant results in the area of Linear Complexity. Subhamoy Maitra Recent Results on Stream Ciphers Slide 15 of 71

  16. An Example: A5/1 (1987) Used in GSM Mobile in Europe and USA. 64-bit key and 22-bit frame number. Three irregularly clocked LFSR’s. LFSR Length Connection polynomial Clocking bit x 19 + x 5 + x 2 + x + 1 19 8 x 22 + x + 1 22 10 x 23 + x 15 + x 2 + x + 1 23 10 Subhamoy Maitra Recent Results on Stream Ciphers Slide 16 of 71

  17. A5/1 (1987) Subhamoy Maitra Recent Results on Stream Ciphers Slide 17 of 71

  18. Nonlinear Combiner Model Take n LFSRs of different length (may be pairwise prime). Initialize them with seeds. In each clock, take the n -many outputs from the LFSRs, which are fed as n -inputs to an n -variable Boolean function. May be some memory element is added. Subhamoy Maitra Recent Results on Stream Ciphers Slide 18 of 71

  19. Nonlinear Filter-Generator Model Take one LFSR. Initialize that with a seed. In each clock, take the n -many outputs from the LFSR from different locations, which are fed as n -inputs to an n -variable Boolean function. May be considered with additional memory element. The Boolean function and memory together form a Finite State Machine. Subhamoy Maitra Recent Results on Stream Ciphers Slide 19 of 71

  20. Nonlinear Filter Generator Model With Memory Subhamoy Maitra Recent Results on Stream Ciphers Slide 20 of 71

  21. Current Trend: State-of-the-art View Concept: More than one bit processed together (32-bit words) Use LFSRs over larger fields: need the LFSR evolution operations to be efficient. GF (2 32 ) or GF (2 31 − 1) to relate with 32-bit words of modern processors. Are we moving towards 64-bit words? FSM contains S-boxes and Registers. Registers are memory words. S-boxes are multiple output Boolean functions. Here the Hardware is not constrained. Subhamoy Maitra Recent Results on Stream Ciphers Slide 21 of 71

  22. SNOW and ZUC: SAGE’s view SAGE: Security Algorithms Group of Experts One stated objective for the design was that the new algorithms be substantially different from the first and second LTE algorithm sets, in such a way that an attack on any one algorithm set would be unlikely to lead to an attack on either of the others. In SAGEs view this objective is not fully met there are some architectural similarities between ZUC and SNOW 3G, and it is possible that a major advance in cryptanalysis might affect them both. However, there are important differences too, so ZUC and SNOW 3G by no means “stand or fall together”. Subhamoy Maitra Recent Results on Stream Ciphers Slide 22 of 71

  23. SNOW 3G Subhamoy Maitra Recent Results on Stream Ciphers Slide 23 of 71

  24. SNOW 3G Stream Cipher LFSR based stream cipher: 32-bit words with 128-bit key. An LFSR of 32-bit words, length 16 A Finite State Machine (FSM) as a non-linear model Based on the earlier versions SNOW 1.0 and SNOW 2.0 Derived from the stream cipher SNOW 2.0, with improvements against algebraic cryptanalysis and distinguishing attacks. SNOW 1.0, SNOW 2.0, and SNOW 3G are developed by Thomas Johansson and Patrik Ekdahl. Subhamoy Maitra Recent Results on Stream Ciphers Slide 24 of 71

  25. SNOW 3G Structure Subhamoy Maitra Recent Results on Stream Ciphers Slide 25 of 71

  26. SNOW 3G: Simple Analysis Z t = ( s 15 , t ⊞ R 1 t ) ⊕ R 2 t ⊕ s 0 , t Approximation: Z t ≈ ( s 15 , t ⊕ R 1 t ) ⊕ R 2 t ⊕ s 0 , t 1 If R 1 t = R 2 t (happens with probability 2 32 ), then Z t ≈ s 15 , t ⊕ s 0 , t . Better understanding of R 1 , R 2 may provide nontrivial results relating the keystream words and LFSR words. Subhamoy Maitra Recent Results on Stream Ciphers Slide 26 of 71

  27. SNOW 3G: Simple Analysis (cont’d.) Z t = ( s 15 , t ⊞ R 1 t ) ⊕ R 2 t ⊕ s 0 , t Two values directly from the LFSR Two values from the registers Let us have the term “directly use” for the LFSR words that are XOR-ed/Added to generate the keystream words. Here such terms are s 15 , t , and s 0 , t . A word of the LFSR is “directly used” twice to generate two different keywords which are 15 clocks apart. Let us have the term “indirectly use” for the words that are flowed to the FSM. Here such term is s 5 , t . Subhamoy Maitra Recent Results on Stream Ciphers Slide 27 of 71

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 41

Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 41

Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 41 Overview Introduction Conditional differentials High-order differentials Applications to Trivium and Grain Recent results Open

630 views • 41 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden 5/15/2007 1 CONTENTS Efficient encryption and possible solutions Stream ciphers Basic security analysis of stream ciphers LFSR sequences Design

497 views • 45 slides
Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Non-linear feedback shift registers Stream ciphers using

445 views • 13 slides
Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Stream Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Classifications Feedback Based Stream Ciphers Linear Feedback

263 views • 15 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Hardware Acceleration for Programs in SSA Form Manuel Mohr, Artjom Grudnitsky, Tobias

Hardware Acceleration for Programs in SSA Form Manuel Mohr, Artjom Grudnitsky, Tobias

saarland university computer science Hardware Acceleration for Programs in SSA Form Manuel Mohr, Artjom Grudnitsky, Tobias Modschiedler, Lars Bauer, Sebastian Hack, Jrg Henkel Institute for Program Structures and Data Organization, Karlsruhe

879 views • 66 slides
Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic, Language & Computation University of Amsterdam Raquel Fernndez Discourse BSc AI 2011 1 / 35 Summary from Last Week Overview of the main

615 views • 35 slides
Neural Networks Marco Chiarandini Department of Mathematics & Computer Science University of

Neural Networks Marco Chiarandini Department of Mathematics & Computer Science University of

SRP Neural Networks Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Neural Science Artificial Neural Networks Goals Other Applications Goals of the meeting: Give an overview of applications

896 views • 76 slides
Unitary forms of Kac-Moody groups Cornell University Lie Seminar Spring 2009 February 20, 2009

Unitary forms of Kac-Moody groups Cornell University Lie Seminar Spring 2009 February 20, 2009

Unitary forms of Kac-Moody groups Cornell University Lie Seminar Spring 2009 February 20, 2009 Dipl.-Math. Max Horn Cornell University & TU Darmstadt mhorn@mathematik.tu-darmstadt.de February 20, 2009 | TU Darmstadt | Max Horn | 1

501 views • 20 slides
A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006

A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006 RFIDSec06 July 13-14, 2006, Graz, Austria

232 views • 21 slides
Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Departm ent Physics & Astronom y The University of Texas at Brow nsville Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin Carlos Lousto with Manuela Campanelli & Yosef Zlochower

365 views • 20 slides
Lecture 9: More on predicate logic Prof. Julia Hockenmaier juliahmr@illinois.edu

Lecture 9: More on predicate logic Prof. Julia Hockenmaier juliahmr@illinois.edu

CS440/ECE448: Intro to Artificial Intelligence Lecture 9: More on predicate logic Prof. Julia Hockenmaier juliahmr@illinois.edu http://cs.illinois.edu/fa11/cs440 Quick upgrade on quizzes Review:

864 views • 59 slides
Incremental Quantification and the Dynamics of Pair-List Phenomena Dylan Bumford New York

Incremental Quantification and the Dynamics of Pair-List Phenomena Dylan Bumford New York

Intro Universals and pair-lists Incremental quantification Deriving the readings Conclusion Incremental Quantification and the Dynamics of Pair-List Phenomena Dylan Bumford New York

670 views • 30 slides

More recommend