stream cipher
play

Stream Cipher One-time pad secure, however key as long as message - PowerPoint PPT Presentation

Apr 20, 2023 •164 likes •367 views

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

  1. Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random generators . Use seed (short random number) and produce keystream Plaintext Ciphertext Pseudo-random Keystream Key/Seed generator Eike Ritter Cryptography 2013/14 75

  2. Sources of randomness Thermal noise in various electric circuits Radioactive decay Atmospheric noise measurement of times between user key-strokes time needed to access different sectors on hard-disk drive (air turbulence caused by spinning disk supposed to be random) Eike Ritter Cryptography 2013/14 76

  3. RC4 Stream cipher invented 1987 by Ron Rivest Consists of tow phases: Initalisation phase (key schedule) Keystream generation phase Main datastructure is array S of 256 bytes Eike Ritter Cryptography 2013/14 77

  4. Initialisation for i := 0 to 255 do S[ i ] := i end j := 0 for i := 0 to 255 do j := ( j + S[ i ] + K[ i mod keylength]) mod 256 swap(S[ i ],S[ j ]) end Eike Ritter Cryptography 2013/14 78

  5. Keystream generation i := 0 j := 0 while GeneratingOutput: i := ( i + 1) mod 256 j := ( j + S[ i ]) mod 256 swap(S[ i ],S[ j ]) output S[(S[ i ] + S[ j ]) mod 256] end Eike Ritter Cryptography 2013/14 79

  6. Graphical representation Source: Wikipedia Eike Ritter Cryptography 2013/14 80

  7. LFSR Linear Feedback Shift Register: Building block for many modern stream ciphers Can be implemented very efficiently Key idea: have register of single bit cells shifted by one at every clock cycle together with feedback function Source: Wikipedia Eike Ritter Cryptography 2013/14 81

  8. Example: Source: Wikipedia Eike Ritter Cryptography 2013/14 82

  9. Reasoning about LFSRs Interesting property: Length of keystream period Reasoning works as follows: Have state vector s = [ s 1 , . . . , s n ] for shift register with n cells Have connection polynomial c ( x ) = c n x n + . . . + c 1 x + 1, where c i is 1 if the i th cell in s is used for feedback and 0 if not.   c 1 c 2 c n − 1 c n · · · 1 0 0 0 · · ·     0 1 0 0 · · · a matrix M =    . . .  ... ... . . .   . . .   0 0 1 0 · · · Next state vector given by M · s . Eike Ritter Cryptography 2013/14 83

  10. Combining LFSRs LFSRs are insecure in practice (Connection polynomial can be computed fairly efficiently) Hence multiple LFSRs are combined in non-linear fashion Source: Wikipedia Eike Ritter Cryptography 2013/14 84

  11. Keys for stream ciphers must not be reused. Formally, RC4 and LFSR as presented do not satisfy IND-CPA security. Need carefully used initialisation vectors or nonces to obtain IND-CPA. Eike Ritter Cryptography 2013/14 85

  12. WEP Old standard for encryption on wireless networks based on RC4, but seriously broken - don’t use Source: Wikipedia Eike Ritter Cryptography 2013/14 86

  13. Weaknesses in WEP Initialisation vector only 24 bits, hence keys repeat after at most 2 24 frames With certain initialisation vectors knowing m bytes of key and keystream means you can deduce byte m + 1 of key First bytes of key stream known because standard headers are always sent With this method, can crack the key in minutes on modern PC hardware Eike Ritter Cryptography 2013/14 87

  14. CSS CSS used to encrypt DVD for copy protection Following steps are taken: Check whether region code and code on DVD match Use player keys to extract disk key from DVD Use disk key to extract title key for track Use title key to extract for each sector a sector key, which is used to decrypt the sector. Eike Ritter Cryptography 2013/14 88

  15. Sector encryption is combination of two LFSR’s added modulo 256 seed 17 bit LFSR 1 || K 0 || K 1 8 bit keystream add modulo 256 1 || K 2 || K 3 || K 4 25 bit LFSR Eike Ritter Cryptography 2013/14 89

  16. Security of CSS Can be broken in time 2 17 : Idea: Because of structure of MP4, first 20 bytes of plaintext are known Hence also first 20 bytes of keystream are known Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction Hence try all 2 17 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked Eike Ritter Cryptography 2013/14 90

  17. A5/1 Stream cipher used in GSM mobile phone communication Became public knowledge through leaks and reverse engineering Built from three LFSRs with irregular clock cycle 54 bit secret key and 22 bit initialisation vector Shift register only shifted if clock bit is the same as majority of three clock bits Eike Ritter Cryptography 2013/14 91

  18. Source: Wikipedia Eike Ritter Cryptography 2013/14 92

  19. Security of A5/1 Better design: Clock shift make cryptanalysis much harder However, advanced techniques means mainstream PC with terabytes of flash memory (to store pre-processed tables) can break A5/1 with probability ≥ 90% in a few seconds Eike Ritter Cryptography 2013/14 93

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

603 views • 37 slides
PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

1.33k views • 102 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

648 views • 12 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB 2019 October 21st 23rd, 2019 Casa Convalescncia, Barcelona, Spain Authors: Hassan Noura, Raphal Couturier, CongDuc Pham and Ali Chehab

149 views • 13 slides
Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with B.Preneel and G. Sekar) Computer Security and Industrial Cryptography (COSIC) Department of Electrical Engineering-ESAT Katholieke Universiteit

655 views • 16 slides
MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng

MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng

MaD2: An Ultra-Performance Stream Cipher for Pervasive Data Encryption Jie Li and Jianliang Zheng The City University of New York Contents Motivation Algorithm Details Key Scheduling State Initialization Keystream Generation

383 views • 17 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

995 views • 61 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology R&D Center Mitsubishi Electric Corporation February 23 2009, FSE 2009 In this presentation we talk about A colliding key pair of RC4

359 views • 15 slides
ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov

ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov

ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov Russian State University for the Humanities Faculty of Information Security *Partially supported by the Institute for Experimental Mathematics, University

453 views • 19 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall:

Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall:

Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall: defini.ons of encryp.on Perfect secrecy CPA security CCA security Today Prac.cal construc.ons 9/9/2009 598MAN Applied Cryptography

490 views • 28 slides
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian

749 views • 30 slides
Wi Wi-Fi Security Fi Security FEUP>MIEIC>Mobile Communications FEUP>MIEIC>Mobile

Wi Wi-Fi Security Fi Security FEUP>MIEIC>Mobile Communications FEUP>MIEIC>Mobile

Wi Wi-Fi Security Fi Security FEUP>MIEIC>Mobile Communications FEUP>MIEIC>Mobile Communications Jaime Dias <jaime.dias@fe.up.pt> Jaime Dias <jaime.dias@fe.up.pt> Symmetric cryptography Symmetric cryptography Ex:

548 views • 30 slides
WEP Weak IVs Revisited Kazukuni Kobara and Hideki Imai IIS, Univ. of Tokyo RCIS, AIST 1

WEP Weak IVs Revisited Kazukuni Kobara and Hideki Imai IIS, Univ. of Tokyo RCIS, AIST 1

WEP Weak IVs Revisited Kazukuni Kobara and Hideki Imai IIS, Univ. of Tokyo RCIS, AIST 1 Outline Available options for securing WLAN access WEP and its key recovery attack Condition to recover the WEP key Good and bad strategies

378 views • 24 slides
How to Recover Any Byte of Plaintext on RC4 Toshihiro Ohigashi (Hiroshima University) Takanori

How to Recover Any Byte of Plaintext on RC4 Toshihiro Ohigashi (Hiroshima University) Takanori

15 August, 2013 SAC 2013 @ Simon Fraser University How to Recover Any Byte of Plaintext on RC4 Toshihiro Ohigashi (Hiroshima University) Takanori Isobe (Kobe University) Yuhei Watanabe (Kobe University) Masakatu Morii (Kobe University) 1

555 views • 21 slides
Introduction to cryptographic protocols models, proofs, and attacks Karthikeyan Bhargavan INRIA

Introduction to cryptographic protocols models, proofs, and attacks Karthikeyan Bhargavan INRIA

Introduction to cryptographic protocols models, proofs, and attacks Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 (Based on slides by Stphanie Delaune, Bruno Blanchet,

1.36k views • 96 slides
On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

Motivation Previous Work Improved Filter Conclusion On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of Algorithmics, Cryptology and Security (LACS) University of Luxembourg Early Symmetric Crypto 2015

533 views • 37 slides

More recommend