CHAPTER 6 EC BASED KEY GENERATION FOR SYMMETRIC ENCRYPTION

Transcription

1 100 CHAPTER 6 EC BASED KEY GENERATION FOR SYMMETRIC ENCRYPTION 6.1 INTRODUCTION Stream ciphers are cryptographic primitives used to ensure privacy in digital communication. Security of stream cipher depends on the generation of unpredictable sequence called key stream that must be of sufficient size and randomness (Goldreich et al 1986). Hence, key stream generator is incredibly a vital building block for stream cipher applications. This chapter presents the implementation of stream cipher, where the key stream is generated based on the properties of LFSR and cyclic EC over a finite prime field. The process of encryption / decryption of an image in spatial domain are illustrated and the key file parameters needed for generating the key stream to other parties are also encrypted using ECC. Therefore, the encrypted key file parameters are only transmitted and not the entire full length key. Whereas ECC is replacing RSA for key exchange, EC based stream cipher offers a good choice for encryption in real time application. The strength of the proposed cipher lies in the generation of random sequence using LFSR over GF(p), the difficulty of ECDLP for determining the key file parameters and no need to transmit the entire key stream in the encryption process. This chapter also discusses the security aspects of the proposed cipher which is secure against all kinds of attacks.

2 101 The rest of the chapter is organized as follows. Section 6.2 describes the concepts of pseudo random sequence generation. Section 6.3 discusses security issues related to image encryption techniques. Section 6.4 proposes an efficient EC based stream cipher for confidential communication. The algorithm is also defined. Section 6.5 gives experiment results. Section 6.6 evaluates the security analysis, and finally section 6.7 concludes this chapter. 6.2 PSEUDO RANDOM SEQUENCE GENERATION Random numbers are of crucial importance in almost every aspect of modern digital cryptography, responsible for the strength of cryptographic primitives in securing precious information by rendering it unknown, unguessable, unpredictable and unrepeatable for an adversary. One of the most important roles randomness plays in cryptography is represented by cryptographic keys which determine the transformation of the plaintext into cipher text and vice versa. Considering that both the encryption and the decryption algorithms are publicly known together with all the cipher texts transmitted between the sender and receiver, the security of the whole cryptosystem is dependent on how the key information is managed, generated, agreed on, applied, stored and destroyed. The knowledge of the key entails the access to the secret message, thus the choice of the key space and the key derivation method is critical. Cryptographic keys must be unpredictable for the adversary meaning a high information content and high uncertainty, and the measure of these properties is entropy. Thus sequences chosen for cryptographic keys must also exhibit independency of values, uniform distribution and irreproducibility. As a result, what cryptography needs for its keys is

3 102 randomness. But randomness comes in many flavours and deciding on a certain source of randomness for a given application is a difficult task, considering the quality and quantity of randomness necessary for a key to withstand possible attacks. Furthermore, aspects such as the performance implications of working with a long key sequence and the effort of managing such a key also have to be taken into account. One of the properties that a key sequence provides is to classify the cipher using these keys in different security categories. The most demanding requirements on the quality of the key sequence are stated by unconditional security. The most notable work in this area is Shannon s demonstration that a vernam cipher which uses a perfectly random key and applies it only once, known as OTP, is unbreakable. The need for design of efficient and secure pseudo random sequence generators remains an ongoing challenge and an important field in cryptographic research up to the present day. The cryptosystems that exploit the idea of the pseudo random sequence generators are the stream ciphers. The cryptographically random generators follow this property: from a piece of an arbitrary long sequence, it is computationally impossible to predict the following bit of the sequence. The requirement is that the complete sequence cannot be computed from a piece of it, and at the same time, it can be completely regenerated from the seed. Pseudo random generators allow ciphering messages of arbitrary length combining the message with the sequence using the exclusive OR operation byte to byte. Considerable research has been made in the design and analysis of pseudo random generators over the last decade (Rueppel 1986). Kaliski(1986) discussed how to generate a pseudo random sequence from elliptic curves,

4 103 wherein randomness criteria based on the computational difficulty of the DL over the elliptic curves is used. Guang et al (1999) use the unconditional randomness criteria to measure the EC sequences and the generation of binary sequences by applying trace functions to EC over GF(2 m ). Deepthi et al (2009) presented stream cipher based on elliptic curve point multiplication over GF(2 m ). Pareek et al (2010) discussed the random bit generators based on properties of chaotic maps. Thus there are ongoing research efforts that aim to reveal secure ways of using PRNG in cryptography and this search has brought about several PRNG designs that are considered cryptographically secure PRNG built on cryptographic primitives such as hash functions or block ciphers, mathematical problems considered to be extremely difficult such as EC generators, or integer factorization. In this work, the focus is on stream cipher built using LFSR and cyclic EC over a finite prime field Linear Feedback Shift Register Linear feedback shift register is the basis for generating key sequences of stream ciphers because they generate sequences having long periods and good randomness and statistical properties. The LFSR was first presented by Golomb (1982) as pseudo random number generator. The secret key in these ciphers is the LFSR s initial state. The pseudo random number generators based on LFSRs are very quick, easy and secure in the implementation of hardware and software (Schneier 1996). This work aims to extend the period of a LFSR in order to make them more secure. Any LFSR can be characterized as a polynomial of variable x, referred to as the generator polynomial:

5 104 G(x) = g m x m + g m-1 x m g 2 x 2 + g 1 x + g 0 (6.1) The coefficients g i denotes the tap weights. The order of the polynomial, m, specifies the number of LFSR stages. Finite field is used to attain m-sequence feedback taps. As an example of polynomial representation, the generator polynomial G(x) = g 4 x 4 + g 3 x 3 + g 2 x 2 + g 1 x + g 0 represents an LFSR with feedback taps 2 and 1, denoted in Figure 6.1. These taps are elected based on the primitive polynomial. Random sequence (r i ) g 4 g 3 g 2 g 1 Seed mod p Figure 6.1 Linear feedback shift register To determine maximum length tap sequences, the following points are to be considered. The polynomial is primitive. Maximal length tap sequences constantly have an even number of taps. The tap values in a maximal length tap sequence are all relatively prime. Recent works point out that the key stream generation plays a major role in the performance of a secure stream cipher. The key stream generation presented in this work is a variation of the above methods, where the key streams are generated based on the combination of LFSR and cyclic EC over a finite prime field.

6 SECURITY ISSUES IN IMAGE ENCRYPTION Images are widely used in various areas and hence the protection of image data from unauthorized access has become a major concern. Image encryption plays an important role in real time multimedia applications because of large data sizes. Therefore, communication security of digital images and textual digital media can be accomplished by means of standard symmetric key cryptography. Such media can be treated as binary sequence and the whole data can be encrypted using a cryptosystem such as Advanced Encryption Standard (AES) or Data Encryption Standard (DES) (Stinson 2002). In general, when the multimedia data is static (not a real time streaming) it can be treated as a regular binary data and the conventional encryption techniques can be used. Deciding upon what level of security is needed is harder than it looks. To identify an optimal security level, the cost of the multimedia information to be protected and the cost of the protection itself are to be compared carefully. At present, there are many available image encryption algorithms such as magic cube transformation (Jun et al 2002), baker s transformation (Feng 2003), affine transformation (Guibin et al 2003) and tangram algorithm (Ding et al 2005). In some algorithms, the secret key and algorithm cannot be separated effectively. This does not satisfy the requirements of the modern cryptographic mechanism and are prone to various attacks. In recent years, image encryption has been developed to overcome the above disadvantages as discussed in (Stinson 2002, Gang et al 2002).

7 106 Various image encryption schemes have been proposed by several researchers to overcome image encryption problems. Sinha et al (2003) have proposed a technique to encrypt an image for secure image transmission. Image encoding is done by using an appropriate error control code like a Bose Chaudhuri Hochquenghem (BCH) code. Shin et al (2003) proposed the multilevel image encryption by using binary phase exclusive OR operation and image dividing technique. Salleh et al (2003) discussed a chaos based symmetric key encryption algorithm for securing images. Mitra et al (2006) proposed an image encryption using permutation method where the image can be sighted as an arrangement of bits, pixels and blocks. El-din et al (2007) presented a feedback stream cipher based on chaos for image encryption. Zeghid et al (2007) illustrated a modified version of AES algorithm for image encryption by introducing a key stream generator. Ismail et al (2010) established a chaos based stream cipher, where the key is tailored after encryption of each pixel of the plain image. Based on the study, EC based key stream is generated and is used to enhance the security of the stream cipher system further. 6.4 EC BASED STREAM CIPHER Generally, elliptic curve is used in public key cryptosystems. The security of ECC is based on discrete logarithmic problem and has advantages over RSA scheme (Koblitz 1987). In this section, the use of ECs over finite prime field in stream cipher cryptosystems is discussed.

8 Methodology Stream ciphers are a symmetric key cryptosystem used to encrypt large amounts of data very fast. Figure 6.2 presents the block diagram of the proposed stream cipher. Let the source be A and destination be B. Here, plaintext message is represented as a stream of characters, M i. The key stream K i is chosen from the EC points. The same key stream is exploited for encryption and decryption procedure. The cipher stream is indicated by C i. The length of the message is taken as n bytes. P B n B Key file parameters (a, b, p, x, seed) E D Key file parameters (a, b, p, x, seed) E PB (keyfile) EC based Key Stream Generator over GF (p) EC based Key Stream Generator over GF (p) Message (M i) K i Ciphertext (Ci) E PB (keyfile) K i Message (M i) C i User A User B Figure 6.2 Elliptic curve based stream cipher system Assume that user A wants to encrypt and transmit the message to user B, it does the following step by step procedure. 1. Generate elliptic curve y 2 = x 3 + ax + b by choosing the appropriate parameters a and b over GF(p). The algorithm genpoints described in Section is used to generate EC points P i.

9 Generate random numbers r i using LFSR. For LFSR, choose a primitive or irreducible polynomial of order m over GF(p) so that maximal length sequence can be obtained of period p m Map the generated random numbers r i to the EC points P i using scalar multiplication described in Section Get a symmetric key K i which is either x or y coordinate or Least Significant Bit (LSB) or Most Significant Bit (MSB) of eight consecutive bits of x or y coordinates from the computed stream of EC points. 5. Encrypt the message M i using the symmetric key K i. 6. Communicate parameters needed for generating the key stream to other parties using ECC based public key system along with the cipher message. 7. Decrypt the cipher message C i using the same symmetric key K i generated by the other parties Algorithm The proposed algorithm ecstream is used for enciphering and deciphering the message using key stream generated from EC points. At the encryption end, symmetric key stream is exclusive OR with the plaintext stream to produce the cipher stream. At the decryption end, the cipher stream is exclusive OR with the same key stream to recover the plaintext stream. Hence, stream ciphers can be sighted as computational analogy of an OTP cipher, replacing a long secret key by short secret key file parameters. The key file parameters needed for generating the key stream is ciphered using ECC. This algorithm is pertinent for messages like text, image, video and speech samples.

10 109 Algorithm ecstream( ) // Input : EC parameters (a, b, p, G), Coefficient x, seed, Input message M i // Output : Key stream K i, M i Decrypted Cipher message C i { // Key Distribution // Let U A and U B be legitimate users U A = {P A, n A } // Key pair for U A U B = {P B, n B } // Key pair for U B // Send the Public key of U B to U A Send (P B, U A ); // Send the Public key of U A to U B Send (P A, U B ); // Encryption at U A P i = genpoints (a, b, p) Construct an irreducible polynomial using coefficient as x and a seed. Generate r i from this irreducible polynomial Q i = r i P i // Scalar Multiplication K i = Q i {x, y, LSB(x), LSB(y), MSB(x), MSB(y)} C i = M i K i // Encrypt the message Key file parameters are converted into EC points as P kp k = random ( ) E PB (keyfile) = {kg, P kp + kp B } // Encrypt the key file parameters Send (C i, E PB (keyfile), U B ) // Decryption at U B P kp = P kp + kp B n B kg // Decrypt the encrypted key file Compute key file parameters from EC points (P kp ) using discrete logarithm

11 110 } P i = genpoints (a, b, p) Construct an irreducible polynomial using coefficient as x and a seed. Generate r i from this irreducible polynomial Q i = r i P i // Scalar Multiplication K i = Q i {x, y, LSB(x), LSB(y), MSB(x), MSB(y)} M i = C i K i // Decrypt the cipher message The challenge of this proposal lies in the generation of key stream and the secure distribution of the parameters needed for generating the key stream through unsecured channels. In several of the existing algorithms, the key will be of equal length as the message. In the proposed scheme presented in this chapter, the key stream is never transmitted. Instead the key file needed for generating the key stream is encrypted using ECC technique and transmitted along with the cipher stream. The key file contains the parameters a, b, p, x, and seed values needed for generating the key stream. For the EC based stream cipher, the secret key is tailored after encryption of each pixel of the plain image, and for each cipher image the key file parameters are also changed. These factors are used to enhance the security of the proposed EC based stream cipher. In the proposed work, the security using ECC is realized on byte basis only. Hence the work carried out for the image could be extended for the video applications also. However for any embedded system work environment, fast computing techniques with the help of hardware processing system could be deployed.

12 RESULTS AND DISCUSSION For demonstration purposes typical EC is represented by y 2 mod 841 = x 3-5x + 25 mod 841 where a = -5, b = 25 and p = 841. The generated points on the EC can be represented as (0, 5), (0, 836), (2, 368), (2, 473), (5, 258), (5, 583), (8, 85), (8, 756), (9, 338), (9, 503), (11, 372), (11, 469), and so on. The base point G is selected as (0, 5). P i is affine point, which is picked out of a series of affine points evaluated for the given EC. However, for the purpose of individual identity, P i is chosen differently for every random number. Varying values of P i can be chosen as part of an exercise to work with ECC process on the given EC. In the proposed EC based key stream generation, a sequence of random numbers r i using LFSR is generated, which needs to be kept secret. For LFSR, first construct an irreducible polynomial x x 3-940x x of order 4 over GF(587) using randomly selected coefficient x as 1076 and a seed value as Then generate random sequences from this irreducible polynomial that are represented as 495, 234, 14, 31, 261, 228, 17, 282, 481, 245, 267, 251, 276, 510, and so on. Next the generated random number r i and the EC point P i are scalar multiplied, which is carried out with a series of doubling and additions, depending on the value of r i. Efficient procedure can be adapted for optimal number of doublings and additions. For example, the first EC point (0, 5) is multiplied with the random number 495 to get an affine point (0, 836) which is also an EC point. Similarly, other EC points are multiplied with consecutive random numbers to obtain a point on EC. Some of them are tabulated in the following Table 6.1.

13 112 The computed EC point (Q i ) should fit into the EC. This conversion is done for two reasons. First, the random sequence is mapped into an affine point on an EC. Second, it will be entirely concealed from the hacker. These steps are introduced to add some level of complexity for the key stream generation process. Table 6.1 Computed EC point Generated Random Sequence (r i ) Generated EC Point (P i ) Computed EC Point (Q i ) 495 (0, 5) (0, 836) 234 (0, 836) (603, 358) 14 (2, 368) (817, 525) 31 (2, 473) (171, 155) 261 (5, 258) (58, 24) 228 (5, 583) (544, 329) 17 (8, 85) (574, 338) 282 (8, 756) (116, 295) 481 (9, 338) (727, 600) 245 (9, 503) (669, 716) 267 (11, 372) (564, 633) 251 (11, 469) (292, 212) 276 (18, 411) (150, 32) 510 (18, 430) (646, 727) From the computed EC points Q i, choose a symmetric key K i from any one of the methods specified in Table 6.2. For example, in method 2, y coordinate of computed EC points is taken as a key stream K i means the key stream are 836, 358, 525, 155, 24, 329, 338, 295, 600, 716, 633, 212, 32, 727, and so on. The same key stream K i is exploited for encryption and decryption procedure. The key stream generator plays a major role in a stream cipher for the overall security.

14 113 Using the generated key stream K i, any sort of messages like document, text, or image can be encrypted as well as decrypted byte by byte. In this work, ( ) bmp standard test image of lena that has the size of 148 KB is considered as an example. The selection of key dictates the complexity of encryption algorithm for breaking. A novel key stream generation method based on LFSR and EC over finite prime field is introduced, which is not part of any of the existing work on stream cipher key generation. Table 6.2 Key selection methods Methods Method 1 Method 2 Method 3 Method 4 Method 5 Method 6 K i Q i (x) Q i (y) LSB {Q i (x)} LSB {Q i (y)} MSB {Q i (x)} MSB {Q i (y)} where Q i (x) - x coordinates of random EC point. Q i (y) - y coordinates of random EC point. LSB{Q i (x)} - LSB of x coordinates of eight consecutive random EC point. LSB{Q i (y)} - LSB of y coordinates of eight consecutive random EC point. MSB{Q i (x)} - MSB of x coordinates of eight consecutive random EC point. MSB{Q i (y)} - MSB of y coordinates of eight consecutive random EC point. Here, the secret key stream is tailored after encryption of each pixel of the plain image and for each cipher image, the key file parameters are also changed. The key file parameters are also encrypted using ECC based

15 114 technique and sent along with the cipher image. The discrete logarithm concept is applied to recover the value of key file parameters. This also increases the security of the proposed EC based stream cipher. The software implementation of the EC based key generation for stream cipher is done using Java. The input image and respective cipher images are shown in Figure 6.3. The corresponding histograms are shown in Figure 6.4. Figure 6.3 Input and cipher images of bmp lena image Figure 6.4 Histograms of input and cipher images of lena image

16 115 Table 6.3 lists the values of entropy and correlation between two adjacent pixels. Computations for the plain and cipher images are carried out using the procedure given in equation ( ). The encryption time taken by method 2 of the proposed stream cipher is 2620 ms. The selection of the methods in Table 6.2 is of arbitrary choice and only the key size decides the complexity of the encryption algorithm. From this, it is observed that the proposed stream cipher can be efficiently used in real time multimedia and wireless applications because it has simple structure and generates a key stream faster than other generators. 6.6 SECURITY ANALYSIS Application of computing power to encryption schemes is a potential area of research. A good encryption scheme is the need of the hour against the background of multi-nationalism. Globalization has opened up frontiers, but cryptography has become more essential in the modern times. A good encryption scheme should be insulated against possible attacks. An analysis of encryption schemes such as key space analysis, statistical analysis, correlation analysis and key sensitivity analysis ensures right development of the security system Key Space Analysis The key space that is being used for encryption must be large enough to prevent the brute force attackers to intrude. For, the proposed EC based stream cipher has a flexible, moderately large key space, which comprises number of stages of LFSR over GF(p), initial values of LFSR, feedback coefficients, possible elliptic curves and the base point. Hence for

17 116 this image encryption, this large key space is sufficient which is immune to all kinds of brute force attacks Statistical Analysis Statistical analysis generally depends on the measure of the randomness of the cipher image. Also, it works on the relative frequency of the occurred cipher image. It is eminent that a lot of ciphers have been successfully analyzed with the help of statistical analysis and numerous statistical attacks have been formulated on them. Hence, a perfect cipher should be vigorous against any statistical attack. The following aspects related to statistical attack are considered in this work Histograms To prevent the leakage of information to an adversary, it is important to ensure that cipher image does not have any statistical resemblance to the input image. An image histogram shows how pixels in an image are distributed by plotting the number of pixels at each intensity level. In this work, the histograms are plotted for input and cipher images as shown in Figure 6.4. The histogram of the input image has large spikes. But, the histogram of the cipher image is nearly smooth and uniform, representing almost equivalent probability of occurrence of each intensity level. They are considerably different and tolerate no statistical similarity to the input image. Hence, this does not give any hint to use any statistical attack on the proposed stream cipher.

18 Entropy The recital of the encryption algorithms is measured by computing entropy of the input and the cipher images and then comparing them. Entropy is defined to express the measure of uncertainty. The entropy E m of the image is calculated as: E m P( i) log 2 (6.2) P( i) i 0 where P ( i) Number of occurrence of a pixel Total number of pixel in the image Table 6.3 Entropy and correlation of plain and cipher image Image Entropy Adjacent Pixels Correlation Coefficient Vertical Horizontal Diagonal Plain image Cipher image e Table 6.3 gives the values of entropy calculated for the input and the cipher images as stated by the formula specified in equation (6.2). The entropy of the input image is It can be noticed from the table that the entropy of the cipher image is extremely close to the theoretical value of 8. Therefore, the information leakage in the proposed cipher is negligible and it is secure upon the entropy attack.

19 Randomness tests The proposed key stream generator is based on the arithmetic operation of EC and the properties of LFSR. The random sequences are unpredictable and the period of the sequences is analysed theoretically. In addition, sequences produced by the proposed key stream generator have passed the Federal Information Processing Standards (FIPS) statistical tests of the Cryptographic Standards and Validation Programs (CSVP) at NIST. As a result, statistical attacks are difficult to perform in the proposed key stream generator. Based on these aspects, it is observed that the proposed stream cipher is resistant against statistical attack Correlation Analysis The correlation between two neighbouring pixels in horizontal, vertical and diagonal orientations of input and cipher image is analysed. The process is as follows: First, randomly pick M pairs of neighbouring pixels from an image. Afterwards, calculate their correlation coefficient using the following equation ( ). Here, x and y are intensity values of two neighbouring pixels in the image. 1 E( x) (6.3) M M x i i 1 i 1 2 M 1 D ( x) xi E( x) (6.4) M cov( x, y) 1 M M i 1 xi E( x) yi E( y) (6.5)

20 119 cov( x, y) r xy (6.6) D( x) D( y) To test correlation, 500 pairs of two neighbouring pixels are selected randomly from the image. Table 6.3 presents the correlation between two adjacent pixels for the plain and cipher images. It is observed that the two neighbouring pixels in the input image are highly correlated, while there is a negligibly less correlation between the two neighbouring pixels in the cipher image Key Sensitivity Analysis Even a change in a single bit of key will make a completely different cipher image for the intruders to guess the key. This makes the encryption procedure sensitive enough to the secret key. To prove the heftiness of the proposed cipher, key sensitivity analysis is performed with the following procedure. (a) Input image (b) Cipher image 1 Figure 6.5 Key sensitivity test (c) Cipher image 2 First, the input image in Figure 6.5(a) is encrypted by using the secret key that is the initial values of LFSR as (14, -940, 1082, 1076) and the cipher image 1 as shown in Figure 6.5(b). Then the initial values of LFSR is changed to (14, -940, 1082, 1077) and the cipher image 2 as shown in

21 120 Figure 6.5(c). Finally, the two cipher images are compared. It is not easy to compare the cipher images by simply observing these images. Thus for comparison, correlation between the matching pixels of the two cipher images is calculated. Table 6.4 Entropy and correlation between two cipher images Image Entropy Adjacent Pixels Correlation Coefficient Vertical Horizontal Diagonal Cipher image e Cipher image The results of the correlation coefficients between the matching pixels of the two cipher images using method 2 are given in Table 6.4. It is clear that no correlation exists among cipher images corresponding to small change in the key Algebraic Attack Algebraic attack is a technique of cryptanalysis against a cipher. If the key stream is linearly narrated even if the period is large, by knowing a small section of key stream, it is likely to make a set of linear simultaneous equations and solve for the entire key stream. In the case of random sequence of EC points, the key stream is nonlinearly related. Therefore, it may not be probable to make finite number of proper equations whose solution finally escorts to knowledge of entire sequence. Therefore, the nonlinear key stream

22 121 makes the relation between input and cipher image nonlinear and provides resistance against algebraic type attack. From the above analysis, it is concluded that the proposed EC based stream cipher is secure against brute force, statistical, correlation, key sensitivity and algebraic attacks. 6.7 SUMMARY In this chapter, EC based key generation for stream cipher is proposed. The key streams are generated based on the combination of LFSR and cyclic EC over a finite prime field. In this work, ( ) bmp standard test image of lena that has the size of 148 KB is considered as an example. The input image and the respective cipher image histograms are conversed. It is seen that cipher image does not have residual information and the histogram is nearly smooth and uniform, offering good security for images. The entropy and the correlation between two neighbouring pixels for the input and cipher images are computed and analysed. The proposed scheme key space is sufficient to resist all sorts of brute force attacks. Hence, the proposed EC based image encryption algorithm is protected against brute force, statistical, correlation, key sensitivity and algebraic attacks. For the proposed cipher, the secret key stream is altered after encryption of each pixel of the plain image and for each cipher image, the key file parameters are also changed. The key file parameters are also encrypted using ECC based technique and sent along with the cipher image. It is difficult for an adversary to determine the key file parameters since the ECDLP is considered difficult. These factors are used to enhance the security of the proposed EC based stream cipher. The encryption time required for the

23 122 proposed scheme is estimated. It can be scrutinized that the proposed EC based stream cipher can be a potential candidate for real time multimedia applications.