Private-key Systems. Block ciphers. Stream ciphers

Similar documents
Topics. Probability Theory. Perfect Secrecy. Information Theory

Lecture Notes. Advanced Discrete Structures COT S

Cryptography Lecture 3. Pseudorandom generators LFSRs

Public-key Cryptography: Theory and Practice

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Block vs. Stream cipher

Classical Cryptography

STREAM CIPHER. Chapter - 3

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

A block cipher enciphers each block with the same key.

CRC Press has granted the following specific permissions for the electronic version of this book:

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Cryptography 2017 Lecture 2

Lecture 12: Block ciphers

MATH3302 Cryptography Problem Set 2

Lecture 1: Introduction to Public key cryptography

Public Key Cryptography

Computer Science A Cryptography and Data Security. Claude Crépeau

Lecture Note 3 Date:

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

L9: Galois Fields. Reading material

Modern symmetric encryption

... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc.

Cryptography. P. Danziger. Transmit...Bob...

A survey of algebraic attacks against stream ciphers

Asymmetric Encryption

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptographic Engineering

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Exam Security January 19, :30 11:30

A Weak Cipher that Generates the Symmetric Group

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

MATH 158 FINAL EXAM 20 DECEMBER 2016

Security of Networks (12) Exercises

Design of a New Stream Cipher: PALS

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Unpredictable Binary Strings

Lattice Reduction Attack on the Knapsack

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Dan Boneh. Stream ciphers. The One Time Pad

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions to the Midterm Test (March 5, 2011)

Implementation Tutorial on RSA

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Public Key Cryptography

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

Mathematics of Cryptography

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Public-Key Cryptosystems CHAPTER 4

Detection and Exploitation of Small Correlations in Stream Ciphers

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Solution of Exercise Sheet 6

Chapter 2. A Look Back. 2.1 Substitution ciphers

Historical cryptography. cryptography encryption main applications: military and diplomacy

Akelarre. Akelarre 1

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

RSA RSA public key cryptosystem

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

10 Modular Arithmetic and Cryptography

Introduction to Modern Cryptography. Benny Chor

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

The LILI-128 Keystream Generator

Binary Additive Counter Stream Ciphers

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 7: ElGamal and Discrete Logarithms

CSc 466/566. Computer Security. 5 : Cryptography Basics

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Number theory (Chapter 4)

Algebraic attack on stream ciphers Master s Thesis

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Notes 4: Stream ciphers, continued. Recall from the last part the definition of a stream cipher:

Introduction to Cybersecurity Cryptography (Part 4)

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

3.8 MEASURE OF RUNDOMNESS:

Lecture 28: Public-key Cryptography. Public-key Cryptography

All-Or-Nothing Transforms Using Quasigroups

Solution to Midterm Examination

Chapter 8 Public-key Cryptography and Digital Signatures

Alternative Approaches: Bounded Storage Model

Secret Sharing Schemes

CPSC 467: Cryptography and Computer Security

Introduction to Cybersecurity Cryptography (Part 4)

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions

New Implementations of the WG Stream Cipher

Cryptography and Security Midterm Exam

Perfectly-Secret Encryption

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

Secret Key: stream ciphers & block ciphers

Pseudo-random Number Generation. Qiuliang Tang

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Transcription:

Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher: Y = y1 ;y 2 ;:::;y n = e k (x 1 );e k (x 2 );:::;e k (x n ), eg the key does not change with every block Stream Cipher: Y = y1 ;y 2 ;:::;y n = e z1 (x 1 );e z2 (x 2 );:::;e z n(x n ) with the \keystream" = z 1 ;z 2 ;:::;z n 13

X i Z i Y i Z i X i Figure 22: Most Popular Encryption/Decryption Function Most popular en/decryption function: modulo 2 addition Assume: x i ;y i ;z i 2f0; 1g y i = e zi (x i )=x i + z i mod 2! encryption x i = e zi (y i )=y i + z i mod 2! decryption Remarks: 1 Developed by Vernam in 1917 for Baudot Code on teletypewriters 2 The modulo 2 operation is equivalent to a 2-input XOR operation Why are encryption and decryption identical operations? Truth table of modulo 2 addition: a b c = a + b mod 2 0 0 0+0=0mod 2 0 1 0+1=1mod 2 1 0 1+0=1mod 2 1 1 1+1=0mod 2 ) modulo 2 addition yields the same truth table as the XOR operation 3 Encryption and decryption are the same operation, namely modulo 2 addition (or XOR) Why? We show that decryption of ciphertext bit y i yields the corresponding plaintext 14

bit Decryption: y i + z i = (x i + z i ) + z i = x i +(z i + z i ) x i mod 2 {z } encryption Note that z i + z i 0mod 2 for z i = 0 and for z i =1 Example: Encryption of the letter `A' by Alice `A' is given in ASCII code as 65 10 = 1000001 2 Let's assume that the rst key stream bits are! z 1 ;:::;z 7 = 0101101 Encryption by Alice: plaintext x i : 1000001 = `A' (ASCII symbol) key stream z i : 0101101 ciphertext y i : 1101100 = `l' (ASCII symbol) Decryption by Bob: ciphertext y i : 1101100 = `l' (ASCII symbol) key stream z i : 0101101 plaintext x i : 1000001 = `A' (ASCII symbol) 22 One-Time Pad and Pseudo-Random Generators Denition 221 Unconditional Security A cryptosystem is unconditionally secure if it cannot be broken even with innite computational resources Denition 222 One-time Pad (OTP) A cryptosystem developed by Mauborgne based on Vernam's stream cipher consisting of: jpj = jcj = jkj, with x i ;y i ;k i 2f0; 1g encrypt! e ki (x i )=x i + k i mod 2 decrypt! d ki (y i )=y i + k i mod 2 15

Theorem 221 The OTP is unconditionally secure if keys are only used once Remarks: 1 OTP is the only provable secure system: y 0 = x 0 + K 0 mod 2 y 1 = x 1 + K 1 mod 2 each equality is a linear equation with 2 unknowns ) for every y i, x i = 0 and x i =1are equally likely ) holds only if K 0 ;K 1 ;::: are not related to each other, ie, K i must be generated trully randomly 2 OTP are impractical for most applications Question: Can we \emulate" a OTP by using a short key? initial key (short) k k Alice key-stream generator Oscar key-stream generator Bob z i z i x n x 1 x 0 y n y 1 y 0 x n x 1 x 0 Figure 23: Stream cipher model 16

Classication by key-stream generator: a) \synchronous stream cipher" z i = f(k)! pseudo-random generator (PRG) b) \asynchronous stream cipher" z i = f(k; y i,1;y i,2;:::;y i,n)! feedback of cipher c) The key issue is that Bob has to `match' the exact z i to get the correct message In order to do this, both key-stream generators have to be synchronized x i Encr x i zi = y i y i z i f( ) feedback path only in asynchronous stream ciphers k Figure 24: Asynchronous stream cipher It is important to note that key stream generators must not only possess good statistical properties, which is true for other pseudo-random generatores as well, but they must also be cryptographically secure: Denition 223 Cryptographically secure pseudo-random generators A pseudo random generator (key stream generator) is cryptographically secure if it is unpredictable That is, given the rst n output bits of the generator, it is computatinally infeasible to compute the bits n +1;n+ 2;::: 17

23 Synchronous Stream Ciphers The keystream z 1 ;z 2 ;::: is a pseudo-random sequence which depends only on the key 231 Linear Feedback Shift Registers (LFSR) An LFSR consists of m storage elements (ip-ops) and a feedback network The feedback network computes the input for the \last" ip-op as XOR-sum of certain ip-ops in the shift register Example: We consider an LFSR of degree m = 3 with ip-ops K 2, K 1, K 0, and a feedback path as shown below mod 2 addition / XOR K 2 K 1 K 0 Z 2 Z 1 Z 0 Z 0 Z 1 Z 6 CLK Figure 25: Linear feedback shift register K 2 K 1 K 0 1 0 0 0 1 0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 18

Mathematical description for keystream bits zi with z 0 ;z 1 ;z 2 as initial settings: z 3 = z 1 + z 0 mod 2 z 4 = z 2 + z 1 mod 2 z 5 = z 3 + z 2 mod 2 general case: zi+3 = zi+1 + zi mod 2; i =0; 1; 2;::: Expression for the LFSR: K m-1 C m-1 K 1 C 1 K 0 C 0 OUTPUT CLK Figure 26: LFSR with feedback coecients C 0 ;C 1 ;:::;Cm,1 are the feedback coecients Ci = 0 denotes an open switch (no connection), Ci = 1 denotes a closed switch (connection) zi+m = m,1 X j=0 The entire key consists of: Cj zi+j mod 2; Cj 2f0; 1g; i =0; 1; 2;::: k = f(c 0 ;C 1 ;:::;Cm,1); (z 0 ;z 1 ;:::;zm,1);mg Example: k = f(c 0 =1;C 1 =1;C 2 =0); (z 0 =0;z 1 =0;z 2 =1); 3g 19

Theorem 231 The maximum sequence length generated by the LFSR is 2 m, 1 Proof: There are only 2 m dierent states (k 0 ;:::;km) possible Since only the current state is known to the LFSR, after 2 m clock cycles a repetition must occur The all-zero state must be excluded since it repeats itself immediately Remarks: 1) Only certain congurations (C 0 ;:::;Cm,1) yield maximum length LFSRs For example: if m = 4 then (C 0 =1;C 1 =1;C 2 =0;C 3 =0)has length of 2 m, 1=15 but (C 0 =1;C 1 =1;C 2 =1;C 3 = 1) has length of 5 2) LFSRs are sometimes specied by polynomials such that the P (x) =x m + Cm,1x m,1 + :::+ C 1 x + C 0 Maximum length LFSRs have \primitive polynomials" These polynomials can be easily obtained from literature (Table 162 in [Sch93]) For example: (C 0 =1;C 1 =1;C 2 =0;C 3 =0)() P (x) =1+x + x 4 232 Clock Controlled Shift Registers Example: Alternating stop-and-go generator 20

LFSR1 Out1 LFSR2 Out2 Out4 = Zi (key stream) CLK LFSR3 Out3 Figure 27: Stop-and-go generator example 21

Basic operation: When Out 1 =1then LFSR2 is clocked otherwise LFSR3 is clocked Out 4 serves as the keystream and is a bitwise XOR of the results from LFSR2 and LFSR3 Security of the generator: All three LFSRs should have maximum length conguration If the sequence lengths of all LFSRs are relatively prime to each other, then the sequence length of the generator is the product of all three sequence lengths, ie, L = L 1 L 2 L 3 A secure generator should have LFSRs of roughly equal lengths and the length should be at least 128: m 1 m 2 m 3 128 22

24 Attacks 241 Known Plaintext Attack Against LFSRs Assumption: For a known plaintext attack, we have to assume that m is known Idea: This attack is based on the knowledge of some plaintext and its corresponding ciphertext i) Known plaintext! x 0 ;x 1 ;:::;x 2m,1 ii) Observed ciphertext! y 0 ;y 1 ;:::;y 2m,1 iii) Construct keystream bits! zi = xi + yi mod 2; i =0; 1;:::;2m, 1 Goal: To nd the feedback coecients Ci Using the LFSR equation to nd the Ci coecients: zi+m = m,1 X j=0 Cj zi+j mod 2; Cj 2f0; 1g We can rewrite this in a matrix form as follows: i =0 zm = C 0 z 0 + C 1 z 1 + :::+ Cm,1zm,1 mod 2: i =1 zm+1 = C 0 z 1 + C 1 z 2 + :::+ Cm,1zm mod 2: (21) i = m, 1 z 2m,1 = C 0 zm,1 + C 1 zm + :::+ Cm,1z 2m,2 mod 2: Note: We now have m linear equations in m unknowns C 0 ;C 1 ;:::;Cm,1 The Ci coecients are constant making it possible to solve for them when we have 2m plaintext-ciphertext pairs 23

Rewriting Equation (21) in matrix form, we get: 2 64 z 0 ::: zm,1 zm,1 ::: z 2m,2 3 c0 75 26 4 cm,1 3 zṃ 75 26 = 4 z 2m,1 3 75 mod 2 (22) Solving the matrix in (22) for the Ci coecients we get: Summary: 2 64 c 0 cm,1 3 z0 ::: zm,1 75 26 = 4 zm,1 ::: z 2m,2 3 75,1 2 64 zṃ z 2m,1 3 75 mod 2 (23) By observing 2m output bits of an LFSR of degree m and matching them to the known plaintext bits, the Ci coecients can exactly be constructed by solving a system of linear equations of degree m ) LFSRs by themselves are extremely un-secure! However, combinations of them such as the Alternating stop-and-go generator can be secure 24

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback