A New LFSR-Based Stream Cipher Generator

Transcription

1 A New LFSR-Based Stream Cipher Generator م.م. وعود ماجد عبد كلية طب الاسنان جامعة بغداد 27

2 28

3 A New LFSR-Based Stream Cipher Generator م.م.وعود ماجد ABSTRACT In this project we will introduce a new design for a random key generator as a new stream cipher algorithm. The proposed algorithm is an LFSR-based stream cipher. The proposed random key generator is simply designed to produce a very quick algorithm to be used for securing GSM communication as mobiles or in satellite communications channels. The simplicity of the design derived from using of four small LFSR and three Xored gates and a single 3 to 1 multiplexer on the content of an 8-stages LFSR. الخلاصة في هذا البحث نستعرض تصميم جديد لمولد مفاتيح عشواي ي كخوارزمية تشفير جديدة. الخوارزمية المقترحة هي من نوع التشفير الانسيابي الذي يعتمد الزاحف الخطي ذي التغذية المرتدة كا ساس. لقد روعيت البساطة في التصميم للحصول على سرعة عالية في التنفيذ لاستخدامها في تشفير ا جهزة الاتصال المحمولة وخطوط الاتصالات عبر قنوات الا قمار الصناعية. ا ما بساطة التصنيع فهي لكونها تتا لف من ا ربعة زواحف خطية قصيرة الا طوال وثلاثة بوابات الجمع المنفرد (xor) و 1-3 ملتبلكسر معرف على زاحف خطي مكون من ثمانية خانات.

4 2010 مجلة كلية بغداد للعلوم الاقتصادية الجامعة العدد الثالث والعشرون 1. Introduction Cryptosystems are divided between those that are secret-key or symmetric, and those that are public-key or asymmetric. With the latter, the sender uses publicly known information to send a message to the receiver. The receiver then uses secret information to recover the message. In secretkey cryptography, the sender and receiver have previously agreed on some private information that they use for both encryption and decryption. This information must be kept secret from potential eavesdroppers. There is a further division of symmetric cryptosystems into block ciphers and stream ciphers. The distinction between block and stream ciphers is perhaps best summarized by the following quotation due to [1]: Block ciphers operate with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext digits. In this technical report we provide a review of current stream cipher techniques. Anyone looking through the cryptographic literature will be struck by a great difference in the treatment of block ciphers and stream ciphers. Practically all work in the cryptanalysis of block ciphers is focused on DES [2] and nearly all the proposed block ciphers are based in some way on the perceived design goals of DES. There is no algorithm occupying an equivalent position in the field of stream ciphers. There are a huge variety of alternative stream cipher designs and cryptanalysis tends to be couched in very general terms. While much of this distinction might be attributed to the publication of DES as a Federal Standard and the subsequent high profile of this algorithm within both the business and cryptographic communities, there may well be an additional and more subtle factor to consider. We will see in this report that many stream ciphers have been proposed which use very basic building blocks. The mathematical analysis of these components has been very advanced for some considerable time and intensive design and cryptanalysis over the years has resulted in the formulation of a set of ground rules for the design of stream ciphers. It is well known that highly developed analytic techniques facilitate both design and cryptanalysis. No such well-developed list could be given, until very recently, for block ciphers. The design criteria for DES were not published and cryptanalysis was, for a long time, frustratingly unsuccessful. There seemed to be little general theory available. With the advent of differential cryptanalysis [3] and, more recently, linear cryptanalysis [4], both designers and

5 A New LFSR-Based Stream Cipher Generator م.م.وعود ماجد cryptanalysts had new and clear cut issues to consider and there has been considerable recent activity in both the design and analysis of block ciphers. 2.Stream cipher In cryptography, a stream cipher is a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (key stream), typically by an exclusive-or (xor) operation. In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption. An alternative name is a state cipher, as the encryption of each digit is dependent on the current state. In practice, the digits are typically single bits or bytes[7]. Figure 1, shows A5/1 random generator an example of stream cipher algorithm. Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation, a block cipher primitive is used in such a way that it acts effectively as a stream cipher. Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to serious security problems if used incorrectly. Figure 1. The operation of the keystream generator in A5/1, a LFSR-based stream cipher used to encrypt mobile phone conversations.

6 2010 مجلة كلية بغداد للعلوم الاقتصادية الجامعة العدد الثالث والعشرون 2.1 Types of stream ciphers A stream cipher generates successive elements of the key stream based on an internal state. This state is updated in essentially two ways: if the state changes independently of the plaintext or ciphertext messages, the cipher is classified as a synchronous stream cipher. By contrast, self-synchronising stream ciphers update their state based on previous ciphertext digits Synchronous stream ciphers In a synchronous stream cipher a stream of pseudo-random digits is generated independently of the plaintext and ciphertext messages, and then combined with the plaintext (to encrypt) or the ciphertext (to decrypt). In the most common form, binary digits are used (bits), and the key stream is combined with the plaintext using the exclusive or operation (XOR). This is termed a binary additive stream cipher [5]. In a synchronous stream cipher, the sender and receiver must be exactly in step for decryption to be successful. If digits are added or removed from the message during transmission, synchronisation is lost. To restore synchronisation, various offsets can be tried systematically to obtain the correct decryption. Another approach is to tag the ciphertext with markers at regular points in the output. If, however, a digit is corrupted in transmission, rather than added or lost, only a single digit in the plaintext is affected and the error does not propagate to other parts of the message. This property is useful when the transmission error rate is high; however, it makes it less likely the error would be detected without further mechanisms. Moreover, because of this property, synchronous stream ciphers are very susceptible to active attacks if an attacker can change a digit in the ciphertext, he might be able to make predictable changes to the corresponding plaintext bit; for example, flipping a bit in the ciphertext causes the same bit to be flipped in the plaintext Self-synchronizing stream ciphers Another approach uses several of the previous N ciphertext digits to compute the key stream. Such schemes are known as self-synchronizing stream ciphers, asynchronous stream ciphers or ciphertext autokey (CTAK). The idea of self-synchronization was patented in 1946, and has the advantage that the receiver will automatically synchronize with the key stream generator after receiving N ciphertext digits, making it easier to recover if digits are dropped or added to the message stream. Single-digit

7 A New LFSR-Based Stream Cipher Generator م.م.وعود ماجد errors are limited in their effect, affecting only up to N plaintext digits. It is somewhat more difficult to perform active attacks on self-synchronising stream ciphers by comparison with their synchronous counterparts. An example of a self-synchronising stream cipher is a block cipher in cipher-feedback mode (CFB). 3.Linear feedback shift register-based stream ciphers Linear feedback shift registers (LFSRs) are popular components in stream ciphers (see figure 2) as they can be implemented cheaply in hardware, and their properties are well-understood [5]. Figure 2 linear feedback shift register Binary stream ciphers are often constructed using linear feedback shift registers (LFSRs) because they can be easily implemented in hardware and can be readily analyzed mathematically. The use of LFSRs on their own, however, is insufficient to provide good security. Various schemes have been proposed to increase the security of LFSRs. 3.1 Non-linear combining functions One approach is to use n LFSRs in parallel, their outputs combined using an n-input binary Boolean function (F) (see figure 3).

8 2010 مجلة كلية بغداد للعلوم الاقتصادية الجامعة العدد الثالث والعشرون Figure 3. sample of a combining function Because LFSRs are inherently linear, one technique for removing the linearity is to feed the outputs of several parallel LFSRs into a non-linear Boolean function to form a combination generator [7]. Various properties of such a combining function are critical for ensuring the security of the resultant scheme, for example, in order to avoid correlation attacks. 4 Clock-controlled generators Normally LFSRs are stepped regularly. One approach to introducing nonlinearity is to have the LFSR clocked irregularly, controlled by the output of a second LFSR. Such generators include the stop-and-go generator, the alternating step generator and the shrinking generator. The stop-and-go generator (Beth and Piper, 1984) consists of two LFSRs. One LFSR is clocked if the output of a second is a "1", otherwise it repeats its previous output. This output is then (in some versions) combined with the output of a third LFSR clocked at a regular rate. The shrinking generator takes a different approach. Two LFSRs are used, both clocked regularly. If the output of the first LFSR is "1", the output of the second LFSR becomes the output of the generator. If the first LFSR outputs "0", however, the output of the second is discarded, and no bit is output by the generator. This mechanism suffers from timing attacks on the second generator, since the speed of the output is variable in a manner that depends on the second generator's state. This can be alleviated by buffering the output.

9 A New LFSR-Based Stream Cipher Generator م.م.وعود ماجد 5. Other designs Instead of a linear driving device, one may use a nonlinear update function. RC4 is one of the most widely used stream cipher designs[5] (See figure 4). Figure 4. RC4 random generator 6. Strength of Cryptographic Algorithms Good cryptographic systems should always be designed so that they are as difficult to break as possible. It is possible to build systems that cannot be broken in practice (though this cannot usually be proved). This does not significantly increase system implementation effort; however, some care and expertise is required. There is no excuse for a system designer to leave the system breakable. Any mechanisms that can be used to circumvent security must be made explicit, documented, and brought into the attention of the end users[5]. In theory, any cryptographic method with a key can be broken by trying all possible keys in sequence. If using brute force to try all keys is the only option, the required computing power increases exponentially with the length of the key. A 32-bit key takes 2 32 (about 10 9 ) steps. This is something anyone can do on his/her home computer. A system with 56-bit keys, such as DES, requires a substantial effort, but using massive distributed systems requires only hours of computing. In 1999, a bruteforce search using a specially designed supercomputer and a worldwide network of nearly 100,000 PCs on the Internet, found a DES key in 22 hours and 15 minutes. It is currently believed that keys with at least 128 bits (as in AES, for example) will be sufficient against brute-force attacks into the foreseeable future[6].

10 2010 مجلة كلية بغداد للعلوم الاقتصادية الجامعة العدد الثالث والعشرون However, key length is not the only relevant issue. Many ciphers can be broken without trying all possible keys. In general, it is very difficult to design ciphers that could not be broken more effectively using other methods. Unpublished or secret algorithms should generally be regarded with suspicion. Quite often the designer is not sure of the security of the algorithm, or its security depends on the secrecy of the algorithm. Generally, no algorithm that depends on the secrecy of the algorithm is secure. For professionals, it is easy to disassemble and reverse-engineer the algorithm. Experience has shown that the vast majority of secret algorithms that have become public knowledge later have been pitifully weak in reality. The keys used in public-key algorithms are usually much longer than those used in symmetric algorithms. This is caused by the extra structure that is available to the cryptanalyst. There the problem is not that of guessing the right key, but deriving the matching private key from the public key. In the case of RSA, this could be done by factoring a large integer that has two large prime factors. In the case of some other cryptosystems, it is equivalent to computing the discrete logarithm modulo a large integer (which is believed to be roughly comparable to factoring when the moduli is a large prime number). There are public-key cryptosystems based on yet other problems. To give some idea of the complexity for the RSA cryptosystem, a 256-bit modulus is easily factored at home, and 512-bit keys can be broken by university research groups within a few months. Keys with 768 bits are probably not secure in the long term. Keys with 1024 bits and more should be safe for now unless major cryptographical advances are made against RSA. RSA Security claims that 1024-bit keys are equivalent in strength to 80-bit symmetric keys and recommends their usage until bit RSA keys are claimed to be equivalent to 112-bit symmetric keys and can be used at least up to 2030 [7]. It should be emphasized that the strength of a cryptographic system is usually equal to its weakest link. No aspect of the system design should be overlooked, from the choice of algorithms to the key distribution and usage policies.

11 A New LFSR-Based Stream Cipher Generator م.م.وعود ماجد 7. Proposed Random Key Generator We introduce here a new LFSR-based stream cipher as a new random key generator used to provide a key to be used for encryption. Figure 5 shows the main components of this generator. LFSR-1 LFSR-2 LFSR-3 2-to-1 Multiplexer LFSR Out put Driving part Combining Figure 5. the main component of the proposed The random key generator consists of two parts: the driving part and the combining part. The tapping stages are (31, 3), (30, 23), (29, 27), each of these feedback functions produce a maximal period. These registers are initialized using a special procedure will be explained later. The combining part consists of a single LFSR of length 8 stages with a feedback function defined by the tapping (8,5,3). 7.1 Initialization Procedure The proposed generator is consists of four LFSR's of lengths 31, 30, 29 (the driving part), 8 (the combining part), which means that there are 98 stages need to be initialized before the generator start working. The initialization procedure starts by reading fourteen character as seed key (or secret key) of the random generator. Each character is converted to its ASCII value (7 bits), the result is 98 bits fed the LFSR's 31, 30, 29, 8 respectively. 7.2 The Generator Work After the initialization procedure work the generator will be ready to produce the semi-random output keys. The driving part produce three bits (b 0,b 1,b 2 ), one from each LFSR (as shown in figure 6). The output of the

12 2010 مجلة كلية بغداد للعلوم الاقتصادية الجامعة العدد الثالث والعشرون driving part are fed to the combining part as an address calculated by the following formula: adr=b 0 +b 1 *2+b 2 *4 The value adr is used as an address to the LFSR of the combining part after shifting to produce the value of the stage number adr of LFSR as an output key. In the same time the bits of adr (b 0,b 1,b 2 ) are Xored and fed to a onestage delay shift register. The output of the one-stage shift register were Xored with the output of the Feedback function of the combining part (see figure 6), This means that the sum of the address bits will be Xored with the feedback of the 8-stage register of the next step to avoid the correlation attack. b 0 b 1 b 2 Output key Driving part Delay Combining part Figure 6. the proposed random generator The period of the proposed system can be computed by *(2 8 *( )) = =2 128, which considered fair according to the recommendation of cryptographic community. The statistical properties of this generator derived from the statistical properties of the Linear Feed Back Shift Register the figures 7, 8, 9 show the statistical tests of some the output of the proposed generator from different length.

13 A New LFSR-Based Stream Cipher Generator م.م.وعود ماجد Figure 7. the statistical test of the proposed generator output Figure 8. the statistical test of the proposed generator output

14 2010 مجلة كلية بغداد للعلوم الاقتصادية الجامعة العدد الثالث والعشرون Figure 9. the statistical test of the proposed generator output

15 A New LFSR-Based Stream Cipher Generator م.م.وعود ماجد References 1. G.J. Simmons, editor. Contemporary Cryptology, The Science of Information Integrity. IEEE, New York, National Institute of Standards and Technology (NIST). FIPS Publication 46-2: Data Encryption Standard. December 30, E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, New York, M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology Eurocrypt '93, pages , Springer-Verlag, Berlin, Wikipedia, the free encyclopedia, Stream Cipher, last updated July William Stallings, "Cryptography and Network Security Principles and Practices, Fourth Edition", Prentice Hall, Schneier, B.,"Applied Cryptography", New York: Wiley, 1996.