stream ciphers
play

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of - PowerPoint PPT Presentation

Mar 14, 2023 •150 likes •512 views

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

  1. Stream Ciphers Stream Ciphers 1

  2. Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream cipher is initialized with short key  Key is “stretched” into long keystream  Keystream is used like a one-time pad o XOR to encrypt or decrypt  Stream cipher is a keystream generator  Usually, keystream is bits, sometimes bytes Stream Ciphers 2

  3. Stream Cipher  Generic view of stream cipher Stream Ciphers 3

  4. Stream Cipher  We consider 3 real stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong cipher, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — intermediate strength, unusual mathematical design, generates 1 byte/step  But first, we discuss shift registers Stream Ciphers 4

  5. Shift Registers  Traditionally, stream ciphers were based on shift registers o Today, a wider variety of designs  Shift register includes o A series of stages each holding one bit o A feedback function  A linear feedback shift register ( LFSR ) has a linear feedback function Stream Ciphers 5

  6. Shift Register  Example (nonlinear) feedback function f(x i , x i+1 , x i+2 ) = 1 ⊕ x i ⊕ x i+2 ⊕ x i+1 x i+2  Example (nonlinear) shift register  First 3 bits are initial fill : (x 0 , x 1 , x 2 ) Stream Ciphers 6

  7. LFSR  Example of LFSR  Then x i+5 = x i ⊕ x i+2 for all i  If initial fill is (x 0 ,x 1 ,x 2 ,x 3 ,x 4 ) = 01110 then (x 0 ,x 1 ,…,x 15 ,…) = 0111010100001001… Stream Ciphers 7

  8. LFSR  For LFSR  We have x i+5 = x i ⊕ x i+2 for all i  Linear feedback functions often written in polynomial form: x 5 + x 2 + 1  Connection polynomial of the LFSR Stream Ciphers 8

  9. Berlekamp-Massey Algorithm  Given (part of) a (periodic) sequence, can find shortest LFSR that could generate the sequence  Berlekamp-Massey algorithm o Order N 2 , where N is length of LFSR o Iterative algorithm o Only 2N consecutive bits required Stream Ciphers 9

  10. Berlekamp-Massey Algorithm  Binary sequence: s = (s 0 ,s 1 ,s 2 ,…,s n-1 )  Linear complexity of s is the length of shortest LFSR that can generate s  Let L be linear complexity of s  Then connection polynomial of s is of form C(x) = c 0 + c 1 x + c 2 x 2 + … + c L x L  Berlekamp-Massey finds L and C(x) o Algorithm on next slide (where d is known as the discrepancy ) Stream Ciphers 10

  11. Berlekamp-Massey Algorithm Stream Ciphers 11

  12. Berlekamp-Massey Algorithm  Example: Stream Ciphers 12

  13. Berlekamp-Massey Algorithm  Berlekamp-Massey is efficient way to determine minimal LFSR for sequence  With known plaintext, keystream bits of stream cipher are exposed  With enough keystream bits, can use Berlekamp-Massey to find entire keystream o 2 L bits is enough, where L is linear complexity of the keystream  Keystream must have large linear complexity Stream Ciphers 13

  14. Cryptographically Strong Sequences  A sequence is cryptographically strong if it is a “good” keystream o “Good” relative to some specified criteria  Crypto strong sequence must be unpredictable o Known plaintext exposes part of keystream o Trudy must not be able to determine more of the keystream from a short segment  Small linear complexity implies predictable o Due to Berlekamp-Massey algorithm Stream Ciphers 14

  15. Crypto Strong Sequences  Necessary for a cryptographically strong keystream to have a high linear complexity  But not sufficient!  Why? Consider s = (s 0 ,s 1 ,…,s n-1 ) = 00…01  Then s has linear complexity n o Smallest shift register for s requires n stages o Largest possible for sequence of period n o But s is not cryptographically strong  Linear complexity “concentrated” in last bit Stream Ciphers 15

  16. Linear Complexity Profile  Linear complexity profile is a better measure of cryptographic strength  Plot linear complexity as function of bits processed in Berlekamp-Massey algorithm o Should follow n/2 line “closely but irregularly”  Plot of sequence s = (s 0 ,s 1 ,…,s n-1 ) = 00…01 would be 0 until last bit, then jumps to n o Does not follow n/2 line “closely but irregularly” o Not a strong sequence (by this definition) Stream Ciphers 16

  17. Linear Complexity Profile  A “good” linear complexity profile Stream Ciphers 17

  18. k-error Linear Complexity Profile  Alternative way to measure cryptographically strong sequences  Consider again s = (s 0 ,s 1 ,…,s n-1 ) = 00…01  This s has max linear complexity, but it is only 1 bit away from having min linear complexity  k -error linear complexity is min complexity of any sequence that is “distance” k from s  1-error linear complexity of s = 00…01 is 0 o Linear complexity of this sequence is “unstable” Stream Ciphers 18

  19. k-error Linear Complexity Profile  k -error linear complexity profile o k -error linear complexity as function of k  Example: o Not a strong s o Good profile should follow diagonal “closely” Stream Ciphers 19

  20. Crypto Strong Sequences  Linear complexity must be “large”  Linear complexity profile must n/2 line “closely but irregularly”  k -error linear complexity profile must follow diagonal line “closely”  All of this is necessary but not sufficient for crypto strength! Stream Ciphers 20

  21. Shift Register-Based Stream Ciphers  Two approaches to LFSR-based stream ciphers o One LFSR with nonlinear combining function o Multiple LFSRs combined via nonlinear func  In either case o Key is initial fill of LFSRs o Keystream is output of nonlinear combining function Stream Ciphers 21

  22. Shift Register-Based Stream Ciphers  LFSR-based stream cipher o 1 LFSR with nonlinear function f(x 0 ,x 1 ,…,x n-1 )  Keystream: k 0 ,k 1 ,k 2 ,… Stream Ciphers 22

  23. Shift Register-Based Stream Ciphers  LFSR-based stream cipher o Multiple LFSRs with nonlinear function  Keystream: k 0 ,k 1 ,k 2 ,… Stream Ciphers 23

  24. Shift Register-Based Stream Ciphers  Single LFSR example is special case of multiple LFSR example  To convert single LFSR case to multiple o Let LFSR 0 ,…LFSR n-1 be same as LFSR o Initial fill of LFSR 0 is initial fill of LFSR o Initial fill of LFSR 1 is initial fill of LFSR stepped once o And so on… Stream Ciphers 24

  25. Correlation Attack  Trudy obtains some segment of keystream from LFSR stream cipher o Of the type considered on previous slides  Can assume stream cipher is the multiple shift register case o If not, convert it to this case  By Kerckhoffs Principle, we assume shift registers and combining function known  Only unknown is the key o The key consists of LFSR initial fills Stream Ciphers 25

  26. Correlation Attack  Trudy wants to recover LFSR initial fills o She knows all connection polynomials and nonlinear combining function o She also knows N keystream bits, k 0 ,k 1 ,…,k N-1  Sometimes possible to determine initial fills of the LFSRs independently o By correlating each LFSR output to keystream o A classic divide and conquer attack Stream Ciphers 26

  27. Correlation Attack  For example, suppose keystream generator is of the form:  And f(x,y,z) = xy ⊕ yz ⊕ z  Note that key is 12 bits, initial fills Stream Ciphers 27

  28. Correlation Attack  For stream cipher on previous slide  Suppose initial fills are o X = 011, Y = 0101, Z = 11100 bits i = 0,1,2,…23 x i 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 y i 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 z i 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 k i 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 Stream Ciphers 28

  29. Correlation Attack  Consider truth table for combining function: f(x,y,z) = xy ⊕ yz ⊕ z  Easy to show that f(x,y,z) = x with probability 3/4 f(x,y,z) = z with probability 3/4  Trudy can use this to recover initial fills from known keystream Stream Ciphers 29

  30. Correlation Attack  Trudy sees keystream in table  Trudy wants to find initial fills  She guesses X = 111 , generates first 24 bits of putative X , compares to k i x i 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 k i 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1  Trudy finds 12 out of 24 matches  As expected in random case Stream Ciphers 30

  31. Correlation Attack  Now suppose Trudy guesses correct fill, X = 011  First 24 bits of X (and keystream) x i 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 k i 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1  Trudy finds 21 out of 24 matches  Expect 3/4 matches in causal case  Trudy has found initial fill of X Stream Ciphers 31

  32. Correlation Attack  How much work is this attack? o The X,Y,Z fills are 3,4,5 bits, respectively  We need to try about half of the initial fills before we find X  Then we try about half of the fills for Y  Then about half of Z fills  Work is 2 2 + 2 3 + 2 4 < 2 5  Exhaustive key search work is 2 11 Stream Ciphers 32

  33. Correlation Attack  Work factor in general…  Suppose n LFSRs o Of lengths N 0 ,N 1 ,…,N n-1  Correlation attack work is  Work for exhaustive key search is Stream Ciphers 33

Recommend

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Secret Key: stream ciphers &amp; block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers &amp; block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers &amp; block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden 5/15/2007 1 CONTENTS Efficient encryption and possible solutions Stream ciphers Basic security analysis of stream ciphers LFSR sequences Design

497 views • 45 slides
Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Non-linear feedback shift registers Stream ciphers using

445 views • 13 slides
Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Stream Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Classifications Feedback Based Stream Ciphers Linear Feedback

263 views • 15 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &amp;

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &amp;

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &amp; Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
Stream ciphers and eSTREAM Stream ciphers and eSTREAM Thomas Johansson Lund University Lund

Stream ciphers and eSTREAM Stream ciphers and eSTREAM Thomas Johansson Lund University Lund

Stream ciphers and eSTREAM Stream ciphers and eSTREAM Thomas Johansson Lund University Lund University Motivation Motivation The most used stream cipher constructions (A5, RC4, E0, ...) all have serious weaknesses i k There is a

589 views • 25 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom R&amp;D {firstname.lastname@orange-ftgroup.com} research &amp; development Stream Ciphers IV-less IV-dependent key K IV (initial value)

477 views • 18 slides
Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013

Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013

Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 63 Overview Stream Ciphers: A short Introduction Cryptanalysis principles Time/Memory/Data tradeoffs Berlekamp-Massey algorithm

940 views • 63 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides
A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy Maitra, Santanu Sarkar Indian Statistical Institute Kolkata September 10, 2012 CHES 2012, Leuven Belgium GRAIN family of Stream Ciphers 2 of 32

506 views • 32 slides
Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical

Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical

Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical Institute, Kolkata subho@isical.ac.in 26 August, 2020 Subhamoy Maitra Recent Results on Stream Ciphers Slide 1 of 71 Stream Cipher Subhamoy Maitra

993 views • 71 slides

More recommend