Block vs. Stream cipher

Transcription

1 Block vs. Stream cipher Idea of a block cipher: partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately. The encoding of each block generally depends on at most one of the previous blocks. the same key is used at each block. Idea of a stream cipher: partition the text into small (e.g. 1 bit) blocks and let the encoding of each block depend on many previous blocks. for each block, a different key is generated.

2 Ý ¼ Ü ½ Ý ½ Ü ¾ Ý ¾ Ü Ý Ü Ý Examples of stream ciphers One-time pad. Block cipher in OFB or CTR mode. ÁÎ ½ ÁÎ ¾ ÁÎ ÁÎ ÁÎ

3 Synchronous stream ciphers Definition 1. A stream cipher is synchronous if its key sequence does not depend on the plain- and ciphertexts but only on the previous elements of the key sequence and the initial key. Þ Þ ½ Þ ¾ Þ Ø µ Ý Ü Þ µ Þ ½ Þ¼ Þ½ Þ¾ Þ Ý½ ݾ Ý Ü½ ܾ Ü

4 Properties of the synchronous stream cipher 1. The encoder and decoder must be synchronized, i.e. the decoder must always make sure that it applies the right element of the key sequence to the given element of the ciphertext sequence. 2. If an element of the ciphertext sequence has been changed (but not deleted) then only the corresponding plaintext element is affected. One-time pad is a synchronous stream cipher. Other synchronous stream ciphers could be called pseudo one-time pads. They are as secure as hard it is to distinguish Þ µ from a truly random sequence.

5 ݼ ݽ ݾ Ý Self-synchronizing stream ciphers Definition 2. A stream cipher is self-synchronizing if its keystream depends on the plain- or ciphertext. Þ Ý ½ Ý ¾ Ý Ø µ Ý Ü Þ µ Þ½ Þ¾ Þ Ý ½ ܽ ܾ Ü

6 Properties of a self-synchronizing stream cipher 1. If a ciphertext block is changed somehow (either randomly or adverently) then only the decryptions of the next Ø blocks are affected. Hence the decoding process synchronizes itself. 2. The rather quick reappearance of the correct decoding means that the tampering of some ciphertext blocks may remain unnoticed. 3. As the cryptotext blocks depend on all preceeding plaintext blocks, the statistical analysis of the cryptotext is hopefully more difficult.

7 Linear keystream generator Let ½ Ø ¾ ¼ ½ certain fixed bits and Þ ¼ Þ Ø ½ the initial keystream bits. The subsequent bits Þ of the keystream Þ Ò µ, where Ø, are generated using the rule Þ Þ ½ Þ ¾ Þ Ø µ ½ Þ ½ ¾ Þ ¾ Ø Þ Ø µ ÑÓ ¾ Example: Ø let, ¾ ¼ ½ ja ½ Þ and Þ ½ Þ ¾ Þ µ ¼ ½ ¼ ¼µ. The output of the generator is then ¼ ¼ ½ ¼ ¼ ½ ½ ¼ ½ ¼ ½ ½ ½ ½ ¼ ¼ ¼

8 Linear feedback shift register (Lineaarse tagasisidega nihkeregister)... is an electronic gadget for generating a linear keystream. The LFSR corresponding to the previous example is Ê Ê Ê ¾ Ê ½ output

9 LFSR works like this... Ê step Ê Ê ¾ Ê ½ Ê step Ê Ê ¾ Ê ½ Ê Ê Ê ¾ Ê ½ output

10 Periodic sequences Definition 3. A sequence Þ ¼ Þ ½ Þ ¾ is periodic if there exists a ½, such that Þ Þ for all ¼. The smallest such is called the period of that sequence. If Þ Þ holds only for all sufficiently large -s, then Þ is called eventually periodic. Exercise. Show that the sequence of bits generated by any LFSR is eventually periodic. Show that the period of a sequence generated by a Ø-register LFSR is at most ¾ Ø ½. Show that if this bound is reached then each period contains ¾ Ø ½ bits ½ and ¾ Ø ½ ½ bits ¼. Exercise. Show that any (eventually) periodic sequence can be generated by an LFSR. The linear complexity Ä Þµ of a sequence Þ is the minimal number of registers that a LFSR needs to output this sequence.

11 LFSR as a stream cipher P C ¼ ½. A key ¾ K consists of Ø ¾ Æ ; ½ Ø ¾ ¼ ½; Þ ¼ Þ Ø ½ ¾ ¼ ½. To encode or Ü ¾ ¼ ½ decode : compute Þ Ò ½ Þ ½ Ø Þ Ø ÑÓ Ø Ò ½ for and Ü output Þ. ¾ A synchronous stream cipher...how difficult it is to distinguish Þ µ from a truly random sequence of bits? I.e. if we know a part of the sequence Þ µ, how difficult it is to predict the next element(s)?

12 Þ Ö Ø ½ ½ Þ Ö Ø ¾ ¾ Þ Ö Ø Þ Ö Ø Þ Ö Ø ½ Þ Ö Ø ½ ¾ Þ Ö ½ Ø Þ Ö Ø ½ If we know the linear complexity Ä Þµ Let Ø. We need to find ¾Ø out consequtive keystream Þ bits Þ Ö ¾Ø ½ Ö. Known-plaintext attack can provide them. The following equations hold: Ö ¾Ø ¾ ½ Þ Ö ¾Ø ¾ Þ Ö Ø ½ Ø Þ Ö ¾Ø ½ Þ Solve this system over ¾ for Ø ½ µ. It has a solution the coefficients of the LFSR generating this sequence.

13 If we do not know the linear complexity Then we must (over)estimate it. Let us know Ø Ä Þµ Ø ¼. We need ¾Ø consequtive keystream bits; solve the same system of equations. It has a solution: if ¼ ½ ¼ Ø ¼ µ are the coefficients of a minimal LFSR generating Þ then ¼ if ½ ؼ ; ¼ if Ø ¼ ½ Ø is a solution to the system of equations. There are other solutions as well. We can even determine the linear compexity.

14 Polynomials over a ring Ê Formally, a polynomial Ô is a mapping Æ Ê (here Æ ¼ ½ ¾ ) with only finitely many non-zero entries. Denote Ô µ by Ô. The values of Ô are called its coefficients. is usually written Ô as Ô ½ Ü Ô ¾ Ü ¾ Ô Ñ Ü ¼ where Ô Ñ Ô Ñ ½ Ñ ¾ ¼. Ô Polynomials can be added, multiplied, divided (with remainder), ÔÕ division is possible if the leading coefficient Õ of is invertible. multiplied with a scalar used as arguments to Euclid s algorithm, giving their gcd. The set of all polynomials over Ê, denoted ÊÜ, is a ring.

15 ¼ ½ µ ¼ ½ µ Formal series over a ring Ê A formal series is Æ a mapping Ê. The values of are called its ½ coefficients. is usually written as ¼ Ü. Formal series can be added, multiplied, multiplied with a scalar: È µ µ If ¼ is invertible then ½ exists and is given by ½ µ ¼ ½ ¼ ½ µ ½ ¼ The set of all formal series over Ê, denoted ÊÜ, is a ring. A sequence Þ µ can also be seen as a formal series (over ¾ ).

16 Õ ½ ½ ½ Õ µ Õ Ô ½ ½ Õ ½ Rational formal series A formal series is rational if it can be expressed ÔÕ as, where Ô and ½ are polynomials. Then ¼ Ô ¼ Õ ½ ¼ and Õ ½ Õ µ Õ ½ ¼ Ô Ô ¼ Õ ½ ¼ Ô Õ ½ Õ µ Õ ½ ¼ Ô Ô Ô Õ ½ µ ¼ ½ ¼ Ô Õ I.e. the coefficients of a rational formal series satisfy a linear recurrence. If Ê is finite then the coefficients of are eventually periodic.

17 ½ Ö ½ Ø Ö Ü Ô ¼µ ½ Ü Ø µ ½ Ô Ü Ö Ô ¼µ ½ Ü Ø µ Ô Ü Ö Theorem 1. Let the coefficients of ¾ ÊÜ be eventually periodic. Then is rational. Proof. Let ¼ Ö ½ be the non-periodic part of s coefficients and let Ø for all Ö. Let Ü and Ô Ô ¼µ ¼ ¼ Then Ô ¼µ Ô Ü Ö Ô Ü Ö Ø Ô Ü Ö ¾Ø Ô ¼µ ½ Ü Ø Ü ¾Ø µ Ô Ü Ö ½ Ü Ø Corollary. If s coefficients are periodic (i.e. Ö ¼) then Ô Õ where Ô Õ.

18 Õ and Þ ½ Ø Þ ½ Rational formal series over ¾ vs. LFSRs Let ½ Ø and Þ ½ Þ Ø be given. Compare: Take Ô Õ ¼ ½, Õ Ø and Õ for ½ Ø. Ô Þ Þ for ½ Ø. ½ È Then Þ. Õ is the characteristic polynomial of the LFSR generating Þ. If Ä Þµ Ø then Õ is the characteristic polynomial of Þ.

19 Finding the characteristic polynomial Given: Þ Ö Þ Ö ¾Ø ½, such that Ø Ä Þµ. Assume Ö ½. Compute ½ Ø by solving a system of linear equations. Find Õ and Ô as in the previous slide. Return Õ Ô Õµ. Berlekamp-Massey algorithm is faster...ç Ø ¾ µ. Exercise: if we know Ä Þµ and solve the system of equations containing exactly Ä Þµ unknowns, then is it possible to get more than one solution?

20 Berlekamp-Massey algorithm B-M algorithm reads the coefficients ¼ ½ ¾ one by one. At the -th stage of the algorithm (having read ¼ ½ ) it has computed polynomials Ô µ, Õ µ, such that Õ µ Ô µ ÑÓ Ü µ The size Ô µ Õ µ µ ÑÜ Õ µ Ô µ µ ½ of the LFSR is minimal. Step of the algorithm: read. If Õ µ Ô µ ÑÓ Ü ½ µ then Õ ½µ Õ µ, Ô ½µ Ô µ. Otherwise we have a discrepancy.

21 µ µ Recomputing Ô and Õ We have Õ µ Ô µ µ Ü ÑÓ Ü ½ µ for some µ ¼. Let be some earlier discrepancy: Õ µ Ô µ µ Ü ÑÓ Ü ½ µ. µ Ü Ô µ and Õ ½µ Õ µ Õ µ Ü µ Take Ô ½µ Ô µ Exercise. Show that Õ ½µ Ô ½µ ÑÓ Ü ½ µ In the B-M algorithm, the last such is used where Ô µ Õ µ µ Ô ½µ Õ ½µ µ

22 B-M algorithm: initialization If ¼ ½ ¾ ¼ then return Ô ¼ Õ ½µ. Let be such, that Ñ ½ ¼ ¼, Ñ ¼. Ñ Let ¼, ½, Ô Ñ ½µ Ô Ñµ Ü Õ Ñµ Ñ, Ñ Ü, if Ñ Ñ ¼ and Õ Ñ ½µ ½ if Ñ ¼. Õ Ñ ½µ ½ At step Ñ, the linear complexity changed.

23 LFSR-s with long periods We know that an LFSR with Ø registers can output a sequence with a period at most ¾ Ø ½. How to achieve this upper bound? Definition 4. A polynomial Ô ¾ ÊÜ is reducible if there exists a polynomial Õ ¾ ÊÜ, such that ½ Õ Ô and Õ Ô. Otherwise we call Ô irreducible.

24 Residue classes modulo polynomials Given Ô ¾ ÊÜ with invertible leading coefficient we can consider the set ÊÜ Ô of all residue classes of ÊÜ modulo Ô. We can define addition and multiplication on this set. ÊÜ Ô Õ Õ ¾ ÊÜ Õ Ô; Õ ½ Õ ¾ Õ ½ Õ ¾ ; Õ ½ Õ ¾ Õ ½ Õ ¾ ÑÓ Ô. The structure ÊÜ Ô µ is a ring. If Ê is a field and Ô is irreducible then ÊÜ Ô is a field. Finding inverses in ÊÜ Ô just like in Õ, where Õ ¾ È. Main tool Euclid s algorithm.

25 Finite fields Let Ô be an irreducible polynomial of degree Ñ over a finite field Ã. ÃÜ Ô Then is a field Ô with elements. Ñ Up to isomorphism, there exists only one field with Ô Ñ elements. If is a finite field à then is cyclic, i.e. it can be generated by à a single element of Ã. Definition 5. A polynomial Ô ¾ ÃÜ is primitive if Ü is a generator of ÃÜ Ôµ. Theorem 2. If a LFSR s characteristic polynomial Õ is primitive then the period of the sequence produced by this LFSR is ¾ Õ ½ for any non-zero initialization vector. Proof follows...

26 LFSRs in Galois configuration ½ Ê ¾ Ê Ê Ê Ê Ê Normal; characteristic ½ Ü polynomial: Ü Ü ¼ Ê ½ Ê ¾ Ê Ê Ê Ê Galois configuration; char. ½ Ü Ü polynomial: Ü Char. poly. of Galois conf: contains Ü if there is extra input to Ê. Also contains Ü Ø where Ø is the number of registers.

27 Evolution of state of a LFSR in Galois conf. A state of a Ø-register LFSR can be represented by a polynomial Ë µü where Ë Ê µ is the contents of Ê in Ë. Ë Ê ¼ The next state of LFSR in Galois conf. is then Ü Ô Ëµ µ ÑÓ Õ where Õ is the characteristic polynomial. Ô Ëµ È Ø ½ If Õ is primitive then the state of that LFSR in Galois conf. passes through all ¾ Ø ½ possible values. We can define an isomorphism between the states of a normal LFSR and its corresponding LFSR in Galois conf. Hence the states of a LFSR pass through ¾ all ½ possible values if the corresponding LFSR in Galois conf. has a primitive characteristic Ø polynomial. The period of the output sequence is ¾ then ½ as well. Ø

28 Mirror images of polynomials For Õ a ¼ polynomial Ü with Õ ¼ Õ È r Õµ image ¼ by Ü. Õ È ¼ Õ define its mirror If a (normal) LFSR has the characteristic polynomial Õ then the corresponding LFSR in Galois conf. has the characteristic polynomial r Õµ. r Õµ r Õ ¼ µ r Õ Õ ¼ µ. Just compare the coefficients. Hence Õ is irreducible iff r Õµ is. Õ (of degree ) is primitive iff r Õµ is. Indeed, suppose an irreducible Õ is not primitive, then Ü ½ ÑÓ Õµ for some Ô ½. I.e. there exists a polynomial Õ ¼, such that Ü ½ ÕÕ ¼. Then also r Ü ½µ r Õµr Õ ¼ µ. But r Ü ½µ Ü ½µ. Hence r Õµ r Õ ¼ µµ Ü ½ and r Õµ is not primitive.

29 Testing irreducibility Theorem 3. An irreducible Ñ polynomial of -th degree divides Ô Ü in ÔÜ. Ü Proof. ÔÜ Ñ is a field with Ô elements. Hence «Ô «¼ in ÔÜ Ñ for all «¾ ÔÜ Ñ (Fermat s little theorem). The polynomial Ü is also a member ÔÜ Ñ, hence Ü Ô Ü ¼ ÑÓ Ñµ in ÔÜ. Theorem 4. If an irreducible polynomial Ñ of -th degree divides ¼ then Ô. Ü Ü Proof. Let be ¼ the field with elements; it contains exactly the roots ¼ Ã Ô ¼ of Ü. is a vector space over with dimension. It contains ¼ Ô Ü Ô Ã ½ also «the roots of Ñ, let be Ë a root of Ñ. Let È ¼ «¾ Ô. Then is a field. Ã Ë We have Ô, Ñ hence Ã Ë ¼ Ô Ñ Ë Ãµ Ñ Ë Ãµ ˵ Ô and. ¼ Ñ

30 Testing irreducibility Õ ¾ ÔÜ is irreducible if Õ Ü Ô Üµ ½ for all Õµ¾. Here Ü Ô may be computed modulo Õ.

31 Testing primitiveness For Õ ¾ ÔÜ to be primitive, it must first be irreducible. Let Ñ We Ü ÑÓ must have Ô for all ½. It is sufficient to test ½ Õµ this only Ñ Ô for ½µÔ the values Ô where is a prime factor of ½. ¼ ¼ Ñ Ñ Ô Õ.

32 Polynomials: exercise Which of those polynomials are reducible, which are irreducible and which are primitive over ¾? 1. Ü ½, 2. Ü ¾, 3. Ü ¾ ½, 4. Ü ¾ Ü ½ 5. Ü ½ 6. Ü Ü ½, 7. Ü Ü ½, 8. Ü Ü ¾ ½.

33 Linear complexity: exercises Exercise. Determine the linear complexities of the following sequences. 1. ½ ¼ ½ ¼ ½ ¼ 2. ½ ¼ ¼ ½ ¼ ½ ½ ½ ¼ ¼ ½ ¼ ½ ½ 3. ½ ¼ ¼ ¼ ½ ¼ ½ ¼ ¼ ¼ ½ ¼ Exercise. 1. Construct a sequence with infinite linear complexity (i.e. a sequence that is generated by no LFSR).

34 LFSR-s in real cryptosystems Use one or more LFSR-s and apply some non-linear function to their outputs.

35 Shrinking generator... is constructed from two LFSRs working synchronously. The shrinking generator produces up to one bit for each bit-pair generated by these two LFSRs. It is defined as follows: 1. If the first LFSR outputs ½ then return the output of the second LFSR. 2. If the first LFSR outputs ¼ then return nothing (discard the output of the second LFSR). If the linear complexities of these two LFSR-s are Ä ½ and Ä ¾ and their periods are maximal, then the linear complexity Ä of the shrinking generator satisfies Ä ¾ ¾ Ä ½ ¾ Ä Ä ¾ ¾ Ä ½ ½

36 Other non-linear combiners Self-shrinking generator: Generate two bits, ¾ ½. If ½ ½ then output ¾. If ½ ¼ then output nothing. Majority: use three LFSR-s clocked synchronously, output the majority of their bits. Irregular clocking: use several LFSR-s, do not clock each of them at each clock cycle, decide the clocked LFSR-s in a non-linear way.