STREAM CIPHER. Chapter - 3


Stream Cipher  Page 38

STREAM CIPHERS

A stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes. The design of a stream cipher and its security rely very much on the pseudorandom generator used to produce the keystream. The basic concept of stream cipher security is based on Shannon's theory of secrecy systems and on the One Time Pad (OTP). Because of his immense contribution to the field of communication, Shannon is known as the father of information theory. In 1948 he laid the foundation of information theory, and in his 1949 paper on secrecy systems he defined the notion of perfect secrecy and the necessary conditions for a cryptosystem to be perfectly secure. Information theory is concerned with the study of communication systems and their security. These principles are fundamental to stream cipher design and its security, and the basic concepts related to stream cipher design are explained in this chapter.

3.1 SHANNON'S NOTION OF PERFECT SECRECY

Shannon proposed mathematical methods to assess the security of symmetric cryptographic systems. A secrecy system or cryptographic system should follow Kerckhoffs's principle, which states that the security of a system should not rely on the secrecy of the cryptosystem but on the secret key alone. In his famous work on cryptography "La Cryptographie Militaire" [41], Auguste Kerckhoffs stated that a

cipher must not require secrecy and must be able to fall into the hands of the enemy without inconvenience; in other words, the security of the system should not depend on obscuring or hiding the details of the system. Shannon restated this as the assumption that the enemy knows the system, and defined the strongest possible notion on top of it: a perfectly secret or unbreakable system is one that cannot be broken even if the attacker has all knowledge of the system except the secret key and has unlimited computational resources available. Only one cipher among all the systems developed has been proved mathematically to be secure in this sense. This cipher is generally known as the Vernam cipher or One Time Pad (OTP). In the OTP the key must be truly random, at least as long as the plaintext, and used only once. The basic problem with such a system is that a very large key is required, and in software truly random numbers cannot be generated; such a system is of little practical use because it is very expensive. Most stream ciphers therefore try to imitate the logic of the OTP: they use a Pseudo Random Bit Generator (PRBG) that produces, from a short key, an output resembling a truly random sequence. The output is not truly random, which is why the generator is called pseudo random.

IDEAL SECURITY SYSTEM

An idealized secrecy system is one that provides the perfect security of an OTP with a key of limited size. Such a system could only be built if the plaintext itself were truly random, that is, free of redundancy, which is not possible in practice because every plaintext of practical use has some statistical structure.

PRACTICAL SECURITY OR COMPUTATIONAL SECURITY

For a security system to be of practical use, Shannon introduced the concept of practical or computational security. In the practical world no attacker or adversary has unlimited computational power, so the practical security of a cipher does not depend on the impossibility of breaking it but on the difficulty of breaking it within a limited time.
A cipher is practically secure if the computing resources of the adversary are not sufficient to break it within the time available, that is, if the difficulty of the underlying problem exceeds the computational capability of the attacker. All present-day ciphers are developed

with computational security in mind. But Moore's law [42] states that the computational power of processors doubles roughly every 18 months to two years, so systems that were secure some time ago can now be susceptible to cryptanalytic attack, and designers need to strengthen secrecy systems regularly. A secrecy system is only as secure as its weakest part: if a single security hole exists, a cryptanalyst will find it once the system is exposed. Efforts should therefore be made to secure every part of a secrecy system.

CONFUSION AND DIFFUSION

To provide a good level of secrecy, the concepts of confusion and diffusion are used. For the practical implementation of confusion and diffusion in symmetric key ciphers, two basic operations, substitution and permutation, are applied over multiple rounds. Confusion and diffusion were defined by Shannon in [7] as follows.

Diffusion: the statistical structure of the plaintext that leads to its redundancy is dissipated into long-range statistics. This implies that the plaintext's statistical structure should be hidden by spreading the influence of a single plaintext digit over a long range of ciphertext digits.

Confusion: the relation between the simple statistics of the ciphertext and the simple description of the key is made very complex and involved. This implies that the relation between ciphertext and key should be so complex and obscure that the key cannot be derived from ciphertext and plaintext even when the attacker has access to both.

The phenomena of confusion and diffusion were further explained by Massey in his paper [43] as: "By confusion in a cipher, Shannon meant that the enciphering process should be such that the ciphertext statistics depend on the plaintext statistics in a manner too complicated to be exploited by an attacker.
By diffusion in a cipher, Shannon meant that each bit of the input key should influence many bits of the ciphertext.

EVALUATION OF SECRECY SYSTEMS

Shannon defined five criteria on the basis of which any secrecy system can be evaluated. These are:
I. Amount of secrecy
II. Size of key
III. Complexity of enciphering and deciphering operations
IV. Propagation of errors
V. Expansion of message

3.2 RANDOM NUMBER GENERATOR

A random number generator is a mathematical or physical device that generates a sequence of numbers that looks unpredictable and shows no pattern. On the basis of their generation method, random number generators are divided into true random number generators, pseudo random number generators and cryptographically secure pseudo random number generators.

TRULY RANDOM NUMBER GENERATOR

A random bit sequence is a sequence of bits that are independent of each other and uniformly distributed. Random bit generation is either very expensive or slow, and can be either hardware based or software based. Examples of hardware based sources are the time elapsed between particle emissions during radioactive decay and physical noise such as the thermal noise of a resistor or radio noise. The other method used for practical purposes is software based random bit generation, which draws on the system clock, the time elapsed between keystrokes or mouse movements, or any other source of entropy available to the system. Capturing random bits from these sources is expensive and slow.

PSEUDO-RANDOM BIT GENERATOR

It is very difficult to generate true random numbers on computers because they are designed to be deterministic. Computer based applications therefore use pseudo-random numbers, which are generated from some internal value by an algorithm and appear random, but cannot be called truly random because they are produced by a deterministic mathematical procedure. Such generators are called Pseudo-Random Bit Generators. A PRBG is defined as a deterministic algorithm which, given a truly random binary sequence of length n, outputs a binary sequence of length l(n) > n which appears to be random, where l(.) is a polynomial. The input to the PRBG is called the seed and the output is called a pseudo-random bit sequence. A PRBG thus generates a long sequence of bits that seems random from a short sequence of random bits; being deterministic, it always produces the same output sequence for a given seed. PRBGs are used in most practical applications, and for such applications the output sequence should appear truly random: an adversary must not be able to distinguish it efficiently from a truly random sequence. A one-way function can be used to generate pseudorandom bit sequences by first selecting a random seed and then applying the function to the successive values. Golomb was one of the first to present postulates establishing necessary conditions for testing the randomness of a pseudorandom sequence; these are called Golomb's randomness postulates [44].

CRYPTOGRAPHICALLY SECURE PRBG (CSPRBG)

The requirements on a PRBG for cryptographic purposes are far stronger than for ordinary applications. In the ordinary context the output bit sequence need only have good statistical properties, but for cryptographic applications the output sequence must not be distinguishable from true random numbers even by an adversary with large computational power.
A PRBG is termed a Cryptographically Secure PRBG (CSPRBG) if it passes the next-bit test, which states that, given the first n bits of an output sequence, there must be no polynomial-time algorithm that can predict the next bit, i.e. bit n+1,

with probability significantly better than 1/2 (50%). Yao proved in his 1982 paper "Theory and Applications of Trapdoor Functions" [45] that any PRBG which passes the next-bit test passes all polynomial-time statistical tests for randomness. The security of a provably secure CSPRBG rests on the presumed intractability of an underlying number-theoretic problem [44]; intractability means that the problem is infeasible to solve with the computational models available.

3.3 STREAM CIPHER

Symmetric key ciphers are classified into two categories, block ciphers and stream ciphers. A stream cipher is an important class of symmetric key cipher. Unlike a block cipher, which applies a fixed cryptographic transformation to a block of characters, a stream cipher encrypts single characters of plaintext one by one with a time-varying transformation. Rueppel [46] defines block ciphers and stream ciphers as follows: "Block ciphers operate with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext digits." Because a stream cipher encrypts individual digits, it needs less buffer memory and less complex hardware circuitry, and it is comparatively faster than a block cipher. A block cipher in its basic mode requires no memory between blocks, whereas a stream cipher must store the current state of the keystream generator, which is used for further encryption. This is why the same plaintext digit is encrypted differently each time it occurs in a stream cipher, whereas a block cipher in its basic mode maps identical blocks to identical ciphertext; this is the major weakness of block ciphers, and modes of operation such as CFB and OFB are used to overcome it. AES in Counter mode or Output Feedback mode can itself be used as a stream cipher, so any dedicated stream cipher must be more efficient than these block cipher modes of operation to be used in practical applications.

PROPERTIES AND ADVANTAGES OF STREAM CIPHERS

Shamir, in his well-known invited talk "Stream Ciphers: Dead or Alive?" [47], and Babbage, in his invited talk "Stream ciphers - what does industry want?" [48], both given at the State of the Art of Stream Ciphers workshop in 2004, clearly identified areas where stream ciphers have an edge over block ciphers. These are some of the areas where stream ciphers are useful:
1. Where hardware resources are limited and simple circuits are required, such as RFID tags and smart cards.
2. Where very high throughput is required, such as multi-gigabit communication channels.
3. Where zero error propagation is required, such as radio communication: a synchronous stream cipher propagates no errors, and an asynchronous stream cipher propagates them only over a limited span.
4. Where the length of the message cannot be determined in advance and a small input/output delay is required, as in GSM communication.
These are the areas where stream ciphers have a clear edge over block ciphers because of their efficiency and speed.

CLASSIFICATION OF STREAM CIPHERS

Stream ciphers are classified into two classes on the basis of whether ciphertext is used in keystream generation: synchronous stream ciphers and asynchronous or self-synchronizing stream ciphers.

SELF-SYNCHRONIZING STREAM CIPHER

In a self-synchronizing stream cipher the generated keystream depends on the key as well as on a fixed number of previous ciphertext digits: the ciphertext digits already produced are fed back into the keystream generator to update the state of the cipher. The functions of a self-synchronizing stream cipher are given by the equations below.

State update function: S_{t+1} = U(S_t, K, C_t)
Keystream generation function: Z_t = G(S_t, K)
Output (encryption) function: C_t = H(P_t, Z_t)

The general structure of a self-synchronizing stream cipher is given in figure 3.1.

Figure 3.1: Self-synchronizing stream cipher. The key K and the previous ciphertext digits feed the keystream generator, which produces the keystream Z_t; the output function H combines Z_t with the plaintext P_t to give the ciphertext C_t.

Every new state of the cipher depends on the previous state and on the ciphertext digits produced from it. The initial state is derived from the key and the IV; in the majority of ciphers the IV is public, and the ciphertext is public as well, so the attacker knows part of the input to every state update and can influence it by manipulating ciphertext, which makes this class of ciphers more exposed to cryptanalytic attack. A single erroneous ciphertext digit enters the next n state updates, where n is the number of ciphertext digits the state depends on, so one error propagates to n further digits before the cipher resynchronizes. These weaknesses make self-synchronizing stream ciphers much less attractive, and they are rarely used.

SYNCHRONOUS STREAM CIPHER

In a synchronous stream cipher the keystream depends only on the key (and the state derived from it) and has no relation to the previous ciphertext digits: only the secret key and the state of the keystream generator are used for keystream generation. The design of a synchronous stream cipher is depicted in figure 3.2.

Figure 3.2: Synchronous stream cipher. The key K drives the keystream generator, which produces the keystream Z_t; the output function H combines Z_t with the plaintext P_t to give the ciphertext C_t.

The functions of a synchronous stream cipher are given by the equations below.
State update function: S_{t+1} = U(S_t, K)
Keystream generation function: Z_t = G(S_t, K)
Output (encryption) function: C_t = H(P_t, Z_t)

Because keystream generation is independent of the ciphertext produced so far, an error in one ciphertext digit affects only the corresponding digit at the decryption stage.
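The two constructions above, as an added worked example that is not part of the original chapter: a synchronous cipher, in which Z_t depends only on K, the IV and the position t, and a self-synchronizing cipher, in which Z_t depends on K and the previous CFB_DEPTH ciphertext digits, both with H = XOR on bytes. The keystream generator is a stand-in built from SHA-256, chosen only to make the example self-contained (it is an assumption, not a generator from this chapter), and the key, IV and messages are constructed. The example shows the error-propagation difference described above and the caveat that follows from the XOR structure: encrypting two messages under the same key and IV hands P1 XOR P2 to anyone who sees both ciphertexts.

```python
import hashlib

# Constructed key, IV and messages for the demonstration (not from the chapter).
KEY = b"demo-key-for-chapter-3"
IV = b"iv-00001"
CFB_DEPTH = 4   # number of previous ciphertext digits the self-synchronizing keystream uses


def _prf(*parts: bytes) -> int:
    """One keystream byte from the given inputs. Stand-in generator (assumption):
    SHA-256 over the inputs, first byte of the digest."""
    return hashlib.sha256(b"|".join(parts)).digest()[0]


def sync_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Synchronous keystream: Z_t depends only on K, IV and the position t."""
    return bytes(_prf(key, iv, t.to_bytes(4, "big")) for t in range(n))


def sync_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_t = P_t XOR Z_t; decryption is the same operation."""
    z = sync_keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, z))


sync_decrypt = sync_encrypt


def _self_sync_run(key: bytes, iv: bytes, data: bytes, encrypt: bool, depth: int) -> bytes:
    """Self-synchronizing cipher: Z_t = G(K, C_{t-depth} .. C_{t-1}).
    The sliding window always holds CIPHERTEXT digits, so after `depth` correct
    digits the receiver is back in step with the sender."""
    window = bytearray(iv[:depth].ljust(depth, b"\0"))   # the IV seeds the window
    out = bytearray()
    for d in data:
        z = _prf(key, bytes(window))
        o = d ^ z
        out.append(o)
        c = o if encrypt else d               # the ciphertext digit just processed
        window = window[1:] + bytes([c])
    return bytes(out)


def self_sync_encrypt(key: bytes, iv: bytes, plaintext: bytes, depth: int = CFB_DEPTH) -> bytes:
    return _self_sync_run(key, iv, plaintext, True, depth)


def self_sync_decrypt(key: bytes, iv: bytes, ciphertext: bytes, depth: int = CFB_DEPTH) -> bytes:
    return _self_sync_run(key, iv, ciphertext, False, depth)


def flip_bit(data: bytes, index: int, bit: int = 0) -> bytes:
    """Simulate a single transmission error in ciphertext digit `index`."""
    b = bytearray(data)
    b[index] ^= 1 << bit
    return bytes(b)


def wrong_positions(expected: bytes, actual: bytes) -> list:
    return [i for i, (a, b) in enumerate(zip(expected, actual)) if a != b]


def error_propagation_demo(plaintext: bytes = b"attack at dawn, stream ciphers chapter", index: int = 10):
    """Flip one ciphertext bit and report which plaintext digits decrypt wrongly.
    Synchronous: exactly [index].  Self-synchronizing: index and up to `depth`
    following digits, after which decryption recovers on its own."""
    c_sync = flip_bit(sync_encrypt(KEY, IV, plaintext), index)
    c_self = flip_bit(self_sync_encrypt(KEY, IV, plaintext), index)
    return (wrong_positions(plaintext, sync_decrypt(KEY, IV, c_sync)),
            wrong_positions(plaintext, self_sync_decrypt(KEY, IV, c_self)))


def keystream_reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Two messages under the same (K, IV): C1 XOR C2 = P1 XOR P2.
    The attacker needs no key at all, which is why a keystream (or one period
    of it) must never be used twice."""
    c1 = sync_encrypt(KEY, IV, p1)
    c2 = sync_encrypt(KEY, IV, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print("synchronous / self-synchronizing error positions:", error_propagation_demo())
    p1, p2 = b"transfer 100 to bob", b"transfer 900 to eve"
    print("C1 xor C2 == P1 xor P2:",
          keystream_reuse_leak(p1, p2) == bytes(a ^ b for a, b in zip(p1, p2)))
```

Running the module prints the error positions for both ciphers: the synchronous cipher corrupts only digit 10, the self-synchronizing one corrupts digit 10 and the following CFB_DEPTH digits and then recovers without any action by the receiver, which is the trade-off the text describes. The second line shows the keystream reuse leak; the same XOR structure also means a flipped ciphertext bit flips the plaintext bit undetected, so in practice a synchronous stream cipher is always paired with a message authentication code.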

GENERAL STRUCTURE OF A SYNCHRONOUS STREAM CIPHER

Any synchronous stream cipher works in two phases:
1. Key initialization or key setup phase
2. Keystream generation phase
In the key initialization phase a secret key K and an initialization vector IV are used to generate the initial state of the cipher:
S_0 = f_init(K, IV)
Once the initial state has been generated and the key setup phase is complete, the IV is not used again. In the keystream generation phase the keystream function G produces each keystream digit from the current internal state (and the key), the update function U advances the internal state, and the output function H combines the keystream digit Z_t with the plaintext digit P_t to produce the ciphertext digit C_t. The general structure of a synchronous stream cipher is shown in figure 3.3.

Figure 3.3: General structure of a synchronous stream cipher. The initialization function f_init maps the key K and the IV to the initial internal state; the keystream generator consists of the internal state S_t, the update function U and the keystream function G; the output function H combines the keystream with the plaintext P_t to give the ciphertext C_t.

BINARY ADDITIVE STREAM CIPHER

A binary additive stream cipher is a synchronous stream cipher in which the keystream, plaintext and ciphertext digits are binary digits and the output function H is the XOR (\oplus) function.

The keystream produced by the keystream generator is XORed with the plaintext bits to produce the ciphertext; at the receiving end the ciphertext bits are XORed with the same keystream bits to recover the plaintext. The encryption (output) function is C_t = P_t \oplus Z_t, and the decryption function is P_t = C_t \oplus Z_t. The design of a binary additive stream cipher is shown in figure 3.4.

Figure 3.4: Binary additive stream cipher. The key K drives the keystream generator; the keystream Z_t is XORed with the plaintext P_t to give the ciphertext C_t.

PROPERTIES OF SYNCHRONOUS STREAM CIPHERS

Synchronous stream ciphers exhibit several properties, briefly mentioned here.

No error propagation: there is no error propagation in a synchronous stream cipher. If a bit is modified during transmission, only that bit is decrypted incorrectly; the other bits are not affected.

Better security: because the keystream does not depend on the plaintext or the ciphertext, chosen-plaintext and chosen-ciphertext attacks give the attacker nothing beyond what a known-plaintext attack gives, namely the keystream segment corresponding to the known plaintext. This limits the kinds of attack that apply to this class of ciphers. The same property has a cost that a practitioner must keep in mind: an attacker who flips a ciphertext bit flips the corresponding plaintext bit without detection, so a synchronous stream cipher must be combined with an integrity check (a MAC), and a keystream segment must never be used for more than one message, since the XOR of two ciphertexts produced with the same keystream equals the XOR of the two plaintexts.

Synchronization requirement: the sender and receiver must be properly synchronized for correct decryption. This is an additional overhead: if keystream digits are lost or inserted on the channel, both sides must be brought back into step, and generally when such an error occurs the packet is rejected as a whole and sent again. Synchronous stream ciphers are used because of their absence of error propagation and their security properties; re-sending a data packet is no major issue in comparison with the security concerns, given the very high speed and low error rate of present-day networks.

DESIRABLE PROPERTIES OF KEYSTREAM GENERATORS

Keystream generators are the integral part of synchronous stream ciphers, and the security of a stream cipher depends mostly on the security properties of its generator. Some desirable properties of keystream generators are the following.

PERIOD

A keystream generator is periodic if after a specific number of iterations it returns to the same state and therefore generates the same sequence again:
S_{t+p} = S_t for all t \ge 0, for some p > 0.
The smallest such p is the period of the generator. A synchronous stream cipher built on a finite state is necessarily periodic, which means that beyond one period the same keystream is used again to encrypt different data. This violates the principle of the One Time Pad, and the cipher becomes susceptible to attack. The period of the cipher, that is of its keystream generator, must therefore be substantially larger than the amount of data ever encrypted under one key and IV.

RANDOMNESS

The output sequence should behave like a truly random stream and should not show any deviation from it. The output sequence should be unpredictable and uniform, i.e. 0's and

1's should be equally distributed, and from any given prefix of the sequence the next bits cannot be determined.

COMPLEXITY

Two complexity measures are used to assess the complexity of a sequence: linear complexity, the natural measure where linear feedback polynomials are involved, as in LFSR-based systems, and maximum order complexity (MOC), which is used for systems with nonlinear feedback. Linear complexity is the length of the shortest LFSR that can produce the same sequence as the original keystream generator. MOC is the length of the shortest feedback shift register of any kind, linear or nonlinear, that can produce the same sequence; since an LFSR is a special case of an FSR, the MOC is always less than or equal to the linear complexity. For a good cipher, both the linear complexity and the MOC of the keystream should be high.

3.4 BASIC BUILDING BLOCKS FOR STREAM CIPHERS

The main building blocks for stream cipher design discussed in this part are:
i. Feedback shift register
 a. Linear feedback shift register
 b. Nonlinear feedback shift register
 c. Feedback shift register with carry
ii. Boolean function
iii. S-box

FEEDBACK SHIFT REGISTER (FSR)

A feedback shift register (FSR) of length n consists of n cells, and its state at time t is the contents of those cells:
S_t = (s_{t+n-1}, s_{t+n-2}, ..., s_t)
At every clock the contents are shifted one position (s_t leaves the register as the output), and a new value
s_{t+n} = f(s_{t+n-1}, s_{t+n-2}, ..., s_t),
computed by the connection logic or feedback function f, is fed into the vacated cell. The update function can therefore be written as follows:

S_{t+1} = (s_{t+n}, s_{t+n-1}, ..., s_{t+1})
Feedback shift registers are classified on the basis of their feedback (update) function. If the feedback function is linear the FSR is termed a linear feedback shift register (LFSR), and if it is nonlinear the FSR is termed a nonlinear feedback shift register (NFSR or NLFSR). The basic design of a shift register is presented in figure 3.5.

Figure 3.5: Feedback shift register. The cells of the register feed the feedback function f, whose output enters the register at one end while the cell at the other end is shifted out as the output.

LINEAR FEEDBACK SHIFT REGISTER (LFSR)

LFSRs have been widely used in stream cipher design because of their good statistical properties and long output periods, which suit cryptographic purposes. If \mathbb{F}_q is a finite field with q elements, an LFSR of length n over \mathbb{F}_q is a collection of n memory cells m_0, m_1, m_2, ..., m_{n-1}, each holding an element of \mathbb{F}_q. The general structure of an LFSR is shown in figure 3.6.

Figure 3.6: Linear feedback shift register (LFSR). The cells at the tap positions are added in \mathbb{F}_q (XORed for q = 2) and the sum is fed back into the register.

The state of an LFSR is the content of the register at time t, denoted
S_t = (s_{t+n-1}, s_{t+n-2}, ..., s_t).
An LFSR is described by a feedback polynomial of degree n,
F(x) = 1 + c_1 x + c_2 x^2 + ... + c_n x^n,
whose nonzero coefficients mark the tap positions. The cells at the tap positions are XORed (\oplus) and the resulting bit is fed into the last cell of the register. When the LFSR is clocked, s_t is taken as the output, all cells shift one position, and the last cell is filled with the new value
s_{t+n} = c_1 s_{t+n-1} + c_2 s_{t+n-2} + ... + c_n s_t = \sum_{i=1}^{n} c_i s_{t+n-i}
computed over \mathbb{F}_q, where c_1, c_2, ..., c_n \in \mathbb{F}_q are the feedback coefficients. A polynomial of degree n is irreducible if it cannot be written as a product of polynomials of lower degree over \mathbb{F}_q. An irreducible polynomial f(x) of degree n is primitive if and only if its roots generate the multiplicative group of the extension field \mathbb{F}_{q^n}, i.e. every nonzero element of \mathbb{F}_{q^n} is a power of a root of f(x). All primitive polynomials are irreducible, but not every irreducible polynomial is primitive. An LFSR whose feedback polynomial is primitive is called a maximum-length LFSR: from any nonzero initial state its period is q^n - 1, and its output sequence is called an m-sequence. In computers the field \mathbb{F}_2 is used, since bits take only the values 0 and 1; addition and multiplication in \mathbb{F}_2 are the binary operations XOR and AND. LFSRs are used in cryptography because their period grows exponentially with the register length and their output sequences have good uniform statistical properties. LFSR-based keystream generators thus provide large periods and good statistics, and the algebraic analysis of the keystreams they generate can readily be done.
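Added example, not taken from the original chapter, in Python: a Fibonacci LFSR over \mathbb{F}_2 whose feedback polynomial is given as the list of tap exponents, a period check contrasting the primitive polynomial 1 + x + x^4 (period 2^4 - 1 = 15) with the irreducible but non-primitive 1 + x + x^2 + x^3 + x^4 (period 5), and the Berlekamp-Massey algorithm, which recovers the shortest LFSR from 2L consecutive output bits and is then used to predict the rest of the stream. The polynomials and initial states are constructed for the illustration.

```python
from typing import List, Tuple


def lfsr_sequence(taps: List[int], state: List[int], n: int) -> List[int]:
    """Fibonacci LFSR over F_2.

    taps  : exponents i with c_i = 1 in F(x) = 1 + c_1 x + ... + c_L x^L
            (the degree L itself must be listed).
    state : the L initial bits s_0 .. s_{L-1}  (s_0 is output first).
    Returns s_0 .. s_{n-1} with s_{t+L} = c_1 s_{t+L-1} + ... + c_L s_t  (mod 2).
    """
    L = max(taps)
    s = list(state)
    assert len(s) == L and any(s), "state must have length L and be non-zero"
    while len(s) < n:
        new = 0
        for i in taps:
            new ^= s[-i]            # c_i * s_{t+L-i}
        s.append(new)
    return s[:n]


def period(taps: List[int], state: List[int]) -> int:
    """Smallest p > 0 with S_{t+p} = S_t, found by clocking until the start state recurs."""
    L = max(taps)
    start = tuple(state)
    s = list(state)
    for p in range(1, (1 << L) + 1):
        new = 0
        for i in taps:
            new ^= s[-i]
        s = s[1:] + [new]            # shift; the feedback bit enters at the end
        if tuple(s) == start:
            return p
    raise RuntimeError("state never recurred")   # cannot happen for a non-zero state


def berlekamp_massey(bits: List[int]) -> Tuple[int, List[int]]:
    """Shortest LFSR generating `bits`: returns (L, C) with the linear complexity L and
    the connection polynomial C(x) = 1 + c_1 x + ... + c_L x^L as the list [1, c_1, .., c_L]."""
    n = len(bits)
    C = [1] + [0] * n            # current connection polynomial
    B = [1] + [0] * n            # connection polynomial before the last length change
    L, m = 0, -1
    for N in range(n):
        d = bits[N]              # discrepancy: s_N + c_1 s_{N-1} + ... + c_L s_{N-L}
        for j in range(1, L + 1):
            d ^= C[j] & bits[N - j]
        if d == 0:
            continue
        T = C[:]
        shift = N - m            # C(x) <- C(x) + x^{N-m} B(x)
        for j in range(n + 1 - shift):
            C[j + shift] ^= B[j]
        if 2 * L <= N:
            L, m, B = N + 1 - L, N, T
    return L, C[:L + 1]


def predict(bits: List[int], L: int, C: List[int], k: int) -> List[int]:
    """Extend an observed prefix by k bits using the recovered recurrence."""
    s = list(bits)
    for _ in range(k):
        new = 0
        for j in range(1, L + 1):
            new ^= C[j] & s[-j]
        s.append(new)
    return s[len(bits):]


def lfsr_attack_demo() -> Tuple[int, List[int], bool]:
    """Observe 2L = 8 bits of a 4-stage LFSR (F(x) = 1 + x + x^4, constructed),
    recover its polynomial with Berlekamp-Massey and predict the next 32 bits."""
    taps, state = [4, 1], [1, 0, 0, 0]
    stream = lfsr_sequence(taps, state, 40)
    observed = stream[:8]
    L, C = berlekamp_massey(observed)
    predicted = predict(observed, L, C, 32)
    return L, C, predicted == stream[8:]


if __name__ == "__main__":
    print("period of 1+x+x^4 (primitive):            ", period([4, 1], [1, 0, 0, 0]))
    print("period of 1+x+x^2+x^3+x^4 (not primitive):", period([4, 3, 2, 1], [1, 0, 0, 0]))
    print("Berlekamp-Massey (L, C, prediction ok):   ", lfsr_attack_demo())
```

The attack needs only eight observed bits to return L = 4 and C = [1, 1, 0, 0, 1], i.e. the polynomial 1 + x + x^4 that generated the stream, after which every further bit is predicted correctly. In a known-plaintext setting those eight bits come from XORing eight ciphertext bits with their known plaintext, which is exactly why a bare LFSR cannot serve as a keystream generator and why the nonlinear constructions in the following pages exist.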

LFSRs can be implemented easily in hardware as well as in software. Their one demerit is low linear complexity, because of which many LFSR-based designs have been compromised: the output sequence is easily predictable with the Berlekamp-Massey algorithm, which recovers the feedback polynomial and state of an n-stage LFSR from any 2n consecutive output bits. Many different techniques have been used to overcome the weakness of low linear complexity. Some of these are:
i. Nonlinear combination generator
ii. Nonlinear filter generator
iii. Clock-controlled generators

i. Nonlinear combination generator

In a nonlinear combination generator several LFSRs, of lengths L_i, are combined using a nonlinear Boolean function f to introduce nonlinearity into the output keystream. The function takes one binary input from each LFSR and gives one binary output. If the outputs of the LFSRs are x_1, x_2, ..., x_n, the generated keystream bit z is
z = f(x_1, x_2, ..., x_n)
A general model of a nonlinear combination generator is shown in figure 3.7.

Figure 3.7: Nonlinear combination generator. The outputs of LFSR1, LFSR2, ..., LFSRn are combined by the function f to give the keystream.

Maximum-length LFSRs, whose feedback polynomials are primitive, are used in the design so that each LFSR attains its maximum period 2^{L_i} - 1. The period P of the nonlinear combination generator is the least common multiple (LCM) of the periods of the individual LFSRs:
P = lcm(2^{L_1} - 1, 2^{L_2} - 1, ..., 2^{L_n} - 1)
The role of the function f is very important in producing an unbiased keystream. The algebraic degree and the nonlinearity of f should be high, together with a high order of correlation immunity, since any correlation between the keystream and the output of a single LFSR lets an attacker recover the state of that LFSR independently of the others [49].

ii. Nonlinear filter generator

In a nonlinear filter generator the current state of a single maximum-length LFSR is filtered by a nonlinear function f to generate the keystream: the state of the LFSR is passed to f, which gives a single output bit. The function f is the filtering function used to introduce nonlinearity. The general structure of a nonlinear filter generator is shown in figure 3.8. If the length of the LFSR is r and the algebraic degree of f is m, the maximum linear complexity of the keystream is bounded by the expression given in [50].

Figure 3.8: Nonlinear filter generator. The cells a_{r-1}, a_{r-2}, ..., a_2, a_1, a_0 of the LFSR are the inputs of the filter function f.

iii. Clock-controlled generators

In a clock-controlled generator two shift registers are used. The first, called the clock register, is clocked regularly, whereas the clocking of the second, called the generating register, varies and depends on the current state of the clock register. The general structure of a clock-controlled generator is shown in figure 3.9.

Figure 3.9: Clock-controlled generator. The clock register controls the clocking of the generating register, whose output is the keystream.

The next state of the clock-controlled generator is defined by a function
F: \mathbb{Z}_2^m \to \mathbb{N},
where m is the length of the clock register and \mathbb{N} = \{0, 1, 2, 3, ...\}. The value of F determines how many times the generating register is clocked [51].

NONLINEAR FEEDBACK SHIFT REGISTER (NFSR)

NFSRs are very similar to LFSRs, the difference being that an NFSR uses a nonlinear Boolean function as its feedback function. NFSRs do not have the low linear complexity of LFSRs, which helps to avoid the attacks that exploit linearity. An n-bit NFSR can generate a cyclic sequence in which each n-bit pattern appears exactly once; such a sequence is called a de Bruijn sequence, and a de Bruijn sequence of order n has period 2^n over \mathbb{F}_2. Such a binary sequence provides a very high level of nonlinearity, and for these reasons NFSRs are being used frequently in new cipher designs. In comparison with LFSRs, however, the design principles of NFSRs are still not well understood, and well-structured methods for constructing NLFSRs with guaranteed properties have not yet been fully devised.

A nonlinear feedback shift register (NLFSR) consists of n binary storage elements, called bits. Each bit i \in \{0, 1, ..., n-1\} has an associated state variable x_i, which represents the current value of bit i, and a feedback function f_i: \{0,1\}^n \to \{0,1\}, which determines how the value of bit i is updated. For any i \in \{0, 1, ..., n-1\}, f_i depends on x_{(i+1) \bmod n} and on a subset of the variables \{x_0, x_1, ..., x_i\}. A state of an NLFSR is an ordered set of the values of its state variables (x_0, x_1, ..., x_{n-1}). At every clock cycle the next state is determined from the current state by updating the values of all bits simultaneously to the values of the corresponding f_i. The general structure of an NFSR is shown in figure 3.10.

Figure 3.10: Nonlinear feedback shift register. The cells a_{r-1}, a_{r-2}, ..., a_2, a_1, a_0 are the inputs of the nonlinear generating function g(x), whose output is fed back into the register.

The output of an NLFSR is the value of its 0-th bit. If for all i \in \{0, 1, ..., n-2\} the feedback functions are of the form f_i = x_{i+1}, the NLFSR is called of the Fibonacci type; otherwise it is of the Galois type. Two NLFSRs are equivalent if their sets of output sequences are equal. Feedback functions of NLFSRs are usually represented in algebraic normal form. The algebraic normal form (ANF) of a Boolean function f: \{0,1\}^n \to \{0,1\} is a polynomial over GF(2) of the form
f(x_0, ..., x_{n-1}) = \sum_{i=0}^{2^n - 1} c_i \, x_0^{i_0} x_1^{i_1} \cdots x_{n-1}^{i_{n-1}},
where c_i \in \{0, 1\} and (i_0, i_1, ..., i_{n-1}) is the binary expansion of i with i_0 the least significant bit [52].

FEEDBACK WITH CARRY SHIFT REGISTER (FCSR)

Feedback with carry shift registers (FCSRs), also called feedback shift registers with memory, are similar in design to LFSRs, with the difference that an FCSR uses integer addition (+) with carry instead of the XOR (\oplus) operation; FCSRs are therefore nonlinear shift registers. Klapper and Goresky introduced the concept of the FCSR in [53] and further explained and elaborated it in [54, 55, 56, 57]. The basic FCSR automaton was devised in the Fibonacci architecture; later, in 2002, Klapper and Goresky [58] introduced the Galois architecture of the FCSR. The basics of LFSRs are well understood, but their inherent linearity makes them vulnerable to algebraic attacks [59]. To avoid this weakness, nonlinear feedback shift registers (NFSRs) were introduced as an alternative, but their efficiency is low. FCSRs are a viable alternative to LFSRs because of the strong theoretical understanding of them based on 2-adic numbers, and because they are easy to implement and efficient in both hardware and software, which is not the case for NFSRs [60, 61].

Fibonacci FCSR

A Fibonacci FCSR differs from an LFSR in that the sum used to compute the new state is taken over the integers \mathbb{Z} rather than over \mathbb{F}_2, and additional memory is added to store the carry. The design of the Fibonacci FCSR is given in figure 3.11. Let the main register have length r, with cells a_0, a_1, a_2, ..., a_{r-1}, each storing a binary value, a_i \in \{0, 1\}, and let the feedback positions be given by q_1, q_2, ..., q_r \in \{0, 1\}. The state update function is defined by these equations:
\sigma = m(t) + \sum_{i=1}^{r} q_i \, a_{r-i}(t),

a_i(t+1) = a_{i+1}(t) for 0 \le i \le r-2,
a_{r-1}(t+1) = \sigma \bmod 2,
m(t+1) = \sigma \operatorname{div} 2,
where div denotes integer division and mod the remainder, so that the memory holds the carry of the integer sum.

Figure 3.11: Fibonacci FCSR. The cells a_{r-1}, a_{r-2}, ..., a_2, a_1, a_0 are tapped according to q_1, q_2, ..., q_{r-1}, q_r; the tapped cells are summed as integers together with the memory m, the sum mod 2 is fed back into a_{r-1} and the sum div 2 becomes the new memory.

Galois FCSR

A Galois FCSR performs an integer addition at each feedback tap, in place of the single integer summation of the Fibonacci FCSR: it has a main register, and at every feedback tap position an integer addition with carry is performed. The design of the Galois FCSR is given in figure 3.12. Let the main register have size r with cells a_0, a_1, a_2, ..., a_{r-1} \in \{0, 1\}, and let the feedback positions be q_1, q_2, ..., q_r \in \{0, 1\} with q_r = 1. The carry bits are stored at each feedback tap in the memory cells c_1, c_2, ..., c_{r-1}. The state update function is defined by these equations:
\sigma_i = a_i(t) + c_i(t) + q_i \, a_0(t),

$$a_{i-1}(t+1) = \sigma_i(t) \bmod 2, \qquad c_i(t+1) = \sigma_i(t) \,\mathrm{div}\, 2,$$

for all $1 \le i \le r-1$, and

$$a_{r-1}(t+1) = a_0(t).$$

The advantage of this design of FCSR is that the state update at each feedback tap position can be done in parallel and does not depend on the number of feedback positions, which increases the efficiency.

[Figure 3.12: Galois FCSR. The main register cells $a_{r-1}, \ldots, a_1, a_0$ have a carry cell $c_{r-1}, \ldots, c_2, c_1$ and a tap $q_i$ at each feedback position, and the output bit $a_0$ is fed into every tap.]

FCSRs are based on 2-adic numbers, which form a well-defined number system. FCSRs are easy to implement and nonlinear in nature, and they provide large periods. These properties make FCSRs suitable for use in pseudorandom number generation and stream ciphers.

BOOLEAN FUNCTION

A function over the field $\mathbb{F}_2$ on the domain set $\mathbb{F}_2^n$, i.e. $f: \mathbb{F}_2^n \to \mathbb{F}_2$, is called an $n$-variable Boolean function [62].
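Returning to the two FCSR architectures of the previous subsection, the Python below is an added simulation (not code from the thesis; class and helper names such as FibonacciFCSR, GaloisFCSR and two_adic_bits are this example's own). It implements both update rules exactly as written above, with $a_0$ as the output cell, $q_i$ the tap bit at position $i$, and $m$ or $c_i$ the carry memory. It goes one step beyond the text to make the 2-adic connection concrete: in the Klapper-Goresky view, the output of a register with taps $q_1, \ldots, q_r$ is the 2-adic expansion of a rational number whose denominator is the connection integer $q = q_1 2 + q_2 4 + \cdots + q_r 2^r - 1$, and the script checks this for a small register with $q = 5$.

```python
"""Fibonacci and Galois FCSR simulators (added example, not the thesis's code).

Conventions follow the update equations in the text: a_0 is the output cell,
q_i is the feedback tap at position i (1 <= i <= r), m is the Fibonacci
memory cell and c_i the Galois carry cell at tap i.
"""
from typing import List, Optional, Sequence, Tuple


def connection_integer(taps: Sequence[int]) -> int:
    """q = -1 + sum_{i=1}^{r} q_i 2^i, the odd integer that characterises the
    register in the 2-adic (Klapper-Goresky) view."""
    return sum(q << i for i, q in enumerate(taps, start=1)) - 1


class FibonacciFCSR:
    """One integer sum per clock; the carry is kept in a single memory cell m."""

    def __init__(self, taps: Sequence[int], state: Sequence[int], memory: int = 0):
        if len(taps) != len(state) or not taps:
            raise ValueError("need r taps q_1..q_r and an r-bit state a_0..a_{r-1}")
        self.q, self.a, self.m = list(taps), list(state), memory

    def clock(self) -> int:
        r = len(self.a)
        out = self.a[0]
        # sigma(t) = m(t) + sum_{i=1}^{r} q_i * a_{r-i}(t), computed over the integers
        sigma = self.m + sum(self.q[i - 1] * self.a[r - i] for i in range(1, r + 1))
        self.a = self.a[1:] + [sigma % 2]  # a_i <- a_{i+1};  a_{r-1} <- sigma mod 2
        self.m = sigma // 2                 # m <- sigma div 2 (the carry)
        return out

    def snapshot(self) -> Tuple:
        return (tuple(self.a), self.m)


class GaloisFCSR:
    """One integer sum with carry at every tap position; q_r must be 1."""

    def __init__(self, taps: Sequence[int], state: Sequence[int],
                 carries: Optional[Sequence[int]] = None):
        r = len(taps)
        if len(state) != r or r < 2 or taps[-1] != 1:
            raise ValueError("need r >= 2 taps with q_r = 1 and an r-bit state")
        self.q, self.a = list(taps), list(state)
        # c[i] holds carry cell c_i for 1 <= i <= r-1; c[0] is unused padding
        self.c = [0] * r if carries is None else [0] + list(carries)
        if len(self.c) != r:
            raise ValueError("need r-1 carry bits c_1..c_{r-1}")

    def clock(self) -> int:
        r = len(self.a)
        a0 = self.a[0]
        new_a, new_c = [0] * r, [0] * r
        for i in range(1, r):  # each tap updates independently (parallel in hardware)
            sigma = self.a[i] + self.c[i] + self.q[i - 1] * a0
            new_a[i - 1] = sigma % 2   # a_{i-1} <- sigma_i mod 2
            new_c[i] = sigma // 2      # c_i     <- sigma_i div 2
        new_a[r - 1] = a0              # a_{r-1} <- a_0, since q_r = 1
        self.a, self.c = new_a, new_c
        return a0

    def snapshot(self) -> Tuple:
        return (tuple(self.a), tuple(self.c))


def keystream(reg, n: int) -> List[int]:
    return [reg.clock() for _ in range(n)]


def period(reg, limit: int = 1 << 16) -> int:
    """Clock until the full (register, carry) state repeats; return the cycle length."""
    seen = {}
    for t in range(limit):
        s = reg.snapshot()
        if s in seen:
            return t - seen[s]
        seen[s] = t
        reg.clock()
    raise RuntimeError("no cycle within limit")


def two_adic_bits(num: int, den: int, n: int) -> List[int]:
    """First n digits (least significant first) of the 2-adic expansion of
    num/den with den odd: the sequence an FCSR with connection integer den
    produces for a suitable initial state."""
    if den % 2 == 0:
        raise ValueError("denominator must be odd")
    bits = []
    for _ in range(n):
        b = num % 2                 # den is odd, so (num/den) mod 2 == num mod 2
        bits.append(b)
        num = (num - b * den) // 2  # exact division: num - b*den is even
    return bits


if __name__ == "__main__":
    taps, state = [1, 1], [1, 0]    # connection integer 2 + 4 - 1 = 5
    fib = keystream(FibonacciFCSR(taps, state), 12)
    gal = keystream(GaloisFCSR(taps, state), 12)
    print("q =", connection_integer(taps))
    print("Fibonacci:", fib, "is 2-adic 1/5:", fib == two_adic_bits(1, 5, 12))
    print("Galois:   ", gal, "is 2-adic -1/5:", gal == two_adic_bits(-1, 5, 12))
    print("periods:", period(FibonacciFCSR(taps, state)), period(GaloisFCSR(taps, state)))
    print("r = 5, q = 37, measured period:",
          period(FibonacciFCSR([1, 1, 0, 0, 1], [1, 0, 0, 0, 0])))
```

period() measures the cycle length of the complete (register, carry) state empirically, so it is also the quickest check that a chosen tap vector does not give a degenerate short cycle; in the Klapper-Goresky theory the maximal period $q-1$ is reached when the connection integer $q$ is prime and 2 is a primitive root modulo $q$, which is why the taps for $q = 37$ are tried in the last line.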

In simple words, a Boolean function is a function that maps $n$ binary input variables to one binary output variable:

$$f: I^n \to I, \quad \text{where } I^n = \mathbb{F}_2^n.$$

Boolean functions are represented in two forms: the truth table and the algebraic normal form (ANF), i.e. as a multivariate polynomial. Boolean functions play an important role in the design of symmetric key algorithms; they are used to introduce nonlinearity and improve the complexity of linear systems like LFSRs.

S-BOX (SUBSTITUTION BOX)

An S-Box is a function that maps $m$ input bits to $n$ output bits, where $n$ and $m$ may or may not be equal:

$$S_i: \{0,1\}^m \to \{0,1\}^n.$$

Substitution boxes are basic components of symmetric key systems. The S-Box is a $2^m \times 2^n$ table in which every column represents an output and every row represents an input difference. Generally a fixed table is used, as in the case of DES, but some newer designs use variable tables that are dynamically generated from the key. A carefully designed S-Box can thwart linear and differential cryptanalysis attacks [63]. Let $I = (I_0, I_1, \ldots, I_{m-1})$ be an input vector of the S-Box and let $O = (O_0, O_1, \ldots, O_{n-1})$ be the output vector. Then the S-Box output can be derived by these equations:

$$O_0 = S_0(I_0, I_1, \ldots, I_{m-1}), \quad \ldots, \quad O_{n-1} = S_{n-1}(I_0, I_1, \ldots, I_{m-1}),$$

where $S$ is the mapping $\mathbb{F}_2^m \to \mathbb{F}_2^n$ and $\mathbb{F}_2$ is the binary field.
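As an added example covering both the Boolean function and the S-Box subsections (not code from the thesis; function names are this example's own), the Python below represents an $n$-variable Boolean function by its truth table, converts it to the algebraic normal form by the Möbius transform, and computes the two properties a designer checks, algebraic degree and nonlinearity (via the Walsh spectrum). It then treats an S-Box as the vector $(S_0, \ldots, S_{n-1})$ of coordinate Boolean functions, exactly as in the equations above, and evaluates the two criteria that decide resistance to linear and differential cryptanalysis: the minimum nonlinearity over all nonzero component functions, and the largest entry of the difference distribution table, the $2^m \times 2^n$ table of input and output differences. The sample S-Box is constructed here as $x \mapsto x^3$ over $\mathrm{GF}(2^3)$, and the 3-variable function $f = x_0 x_1 + x_2$ is likewise a constructed sample.

```python
"""Boolean functions and S-Boxes as truth tables (added example, not from the thesis).

A truth table is a list of 2^n bits indexed by the integer whose bit i is x_i.
An S-Box is a list of 2^m output values; its coordinate functions O_j = S_j(I)
are Boolean functions in the sense of the text.
"""
from typing import Callable, List, Tuple


def truth_table(f: Callable[..., int], n: int) -> List[int]:
    """Evaluate f(x_0, ..., x_{n-1}) on all 2^n inputs."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def anf(tt: List[int]) -> List[int]:
    """Algebraic normal form via the Moebius transform: coefficient u is 1 iff
    the monomial prod_{i in u} x_i occurs in the polynomial."""
    n = len(tt).bit_length() - 1
    a = list(tt)
    for i in range(n):
        bit = 1 << i
        for x in range(len(a)):
            if x & bit:
                a[x] ^= a[x ^ bit]
    return a


def anf_monomials(tt: List[int]) -> List[Tuple[int, ...]]:
    n = len(tt).bit_length() - 1
    return sorted(tuple(i for i in range(n) if (u >> i) & 1)
                  for u, coef in enumerate(anf(tt)) if coef)


def algebraic_degree(tt: List[int]) -> int:
    return max((len(m) for m in anf_monomials(tt)), default=0)


def walsh_spectrum(tt: List[int]) -> List[int]:
    """W_f(a) = sum_x (-1)^(f(x) + a.x), via the fast Walsh-Hadamard transform."""
    n = len(tt).bit_length() - 1
    w = [1 - 2 * b for b in tt]
    for i in range(n):
        bit = 1 << i
        for x in range(len(w)):
            if not x & bit:
                u, v = w[x], w[x | bit]
                w[x], w[x | bit] = u + v, u - v
    return w


def nonlinearity(tt: List[int]) -> int:
    """Distance to the nearest affine function: 2^(n-1) - max|W_f|/2."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2


def is_balanced(tt: List[int]) -> bool:
    return 2 * sum(tt) == len(tt)


def coordinate_functions(sbox: List[int], n_out: int) -> List[List[int]]:
    """The n output bits O_j = S_j(I_0, ..., I_{m-1}) as separate truth tables."""
    return [[(y >> j) & 1 for y in sbox] for j in range(n_out)]


def component(sbox: List[int], mask: int) -> List[int]:
    """b.S(x): XOR of the coordinate functions selected by the nonzero mask b."""
    return [bin(y & mask).count("1") & 1 for y in sbox]


def sbox_nonlinearity(sbox: List[int], n_out: int) -> int:
    """Worst case over all nonzero component functions (linear cryptanalysis)."""
    return min(nonlinearity(component(sbox, b)) for b in range(1, 1 << n_out))


def ddt(sbox: List[int], n_out: int) -> List[List[int]]:
    """Difference distribution table: row = input difference, column = output
    difference; this is the 2^m x 2^n table of differences described in the text."""
    rows, cols = len(sbox), 1 << n_out
    table = [[0] * cols for _ in range(rows)]
    for x in range(rows):
        for dx in range(rows):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(sbox: List[int], n_out: int) -> int:
    """Largest DDT entry for a nonzero input difference (differential cryptanalysis)."""
    return max(v for dx, row in enumerate(ddt(sbox, n_out)) if dx for v in row)


def gf8_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^3) modulo x^3 + x + 1, used to construct a sample S-Box."""
    p = 0
    for _ in range(3):
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= 0b1011
    return p


CUBE_SBOX = [gf8_mul(gf8_mul(x, x), x) for x in range(8)]  # constructed 3x3 S-Box x -> x^3


if __name__ == "__main__":
    f = truth_table(lambda x0, x1, x2: (x0 & x1) ^ x2, 3)   # constructed sample function
    print("f =", f, "ANF monomials:", anf_monomials(f), "degree:", algebraic_degree(f),
          "nonlinearity:", nonlinearity(f), "balanced:", is_balanced(f))
    print("S =", CUBE_SBOX, "coordinate functions:", coordinate_functions(CUBE_SBOX, 3))
    print("differential uniformity:", differential_uniformity(CUBE_SBOX, 3),
          "S-Box nonlinearity:", sbox_nonlinearity(CUBE_SBOX, 3))
```

These two numbers are what a pseudorandomly generated candidate table would be screened on: the lower the maximal DDT entry and the higher the minimum component nonlinearity, the better the resistance to differential and linear cryptanalysis. For the cube S-Box the script reports 2 and 2, which are the optimal values for a 3-bit permutation (an almost perfect nonlinear and almost bent map).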

Nyberg [64] has defined some basic criteria for the selection and generation of a good S-Box: a good pseudorandom number generator should be used for generating the S-Box contents, and these contents should be thoroughly tested against different design criteria for acceptance or rejection. Mathematical principles should be used for S-Box generation so that the S-Box provides good diffusion properties and is secure against linear and differential cryptanalysis.

This chapter has specifically dealt with the principles and basic building blocks involved in stream cipher design. The need for stream ciphers has been highlighted and the classifications of stream ciphers have been explained. The chapter has set out the relative advantages of synchronous stream ciphers over asynchronous ones, and has explained the shift registers and other basic building blocks of synchronous stream cipher design in detail.


More information

Information and Communications Security: Encryption and Information Hiding

Information and Communications Security: Encryption and Information Hiding Short Course on Information and Communications Security: Encryption and Information Hiding Tuesday, 10 March Friday, 13 March, 2015 Lecture 9: Encryption using Chaos Contents Chaos and Cryptography Iteration

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Applications of Two Dimensional Cellular Automata rules for Block Cipher in Cryptography

Applications of Two Dimensional Cellular Automata rules for Block Cipher in Cryptography Applications of Two Dimensional Cellular Automata rules for Block Cipher in Cryptography Sambhu Prasad Panda 1, Madhusmita Sahu 2, Manas Kumar Swain 3 C V Raman Computer Academy 1,2, C V Raman College

More information

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6 U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom

More information

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2 Common English Digrams and Trigrams Digrams EN RE ER NT TH ON IN TF AN OR Trigrams ENT ION AND ING IVE TIO FOR OUR THI ONE monoalphabetic cryptanalysis See class example Pfleeger, Security in Computing,

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood

More information

2. Accelerated Computations

2. Accelerated Computations 2. Accelerated Computations 2.1. Bent Function Enumeration by a Circular Pipeline Implemented on an FPGA Stuart W. Schneider Jon T. Butler 2.1.1. Background A naive approach to encoding a plaintext message

More information

Block Ciphers and Feistel cipher

Block Ciphers and Feistel cipher introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure

More information

Improved Cascaded Stream Ciphers Using Feedback

Improved Cascaded Stream Ciphers Using Feedback Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca

More information

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction

More information

ACORN: A Lightweight Authenticated Cipher (v3)

ACORN: A Lightweight Authenticated Cipher (v3) ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification

More information