Stream Ciphers An Overview

Similar documents
Some Aspects of Block Ciphers

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Stream Ciphers. Stream Ciphers 1

Information Security CS526

Chapter 6 Contemporary Symmetric Ciphers

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Chapter 3 Block Ciphers and the Data Encryption Standard

3 Symmetric Cryptography

Block Cipher Operation. CS 6313 Fall ASU

Double-DES, Triple-DES & Modes of Operation

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Network Security Essentials Chapter 2

Cryptography BITS F463 S.K. Sahay

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

1 Achieving IND-CPA security

Content of this part

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Introduction to Cryptography. Lecture 3

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Block Cipher Modes of Operation

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Information Security CS526

CIS 4360 Secure Computer Systems Symmetric Cryptography

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security CS 526

ECE 646 Lecture 8. Modes of operation of block ciphers

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

CSC 474/574 Information Systems Security

Introduction to Cryptography. Lecture 3

Stream Ciphers. Koç ( ucsb ccs 130h explore crypto fall / 13

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Stream Ciphers. Çetin Kaya Koç Winter / 13

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

IDEA, RC5. Modes of operation of block ciphers

Cryptology complementary. Symmetric modes of operation

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Modern Symmetric Block cipher

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

T Cryptography and Data Security

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

T Cryptography and Data Security

Chapter 6: Contemporary Symmetric Ciphers

Cryptography and Network Security Chapter 7

Lecture 1 Applied Cryptography (Part 1)

How to Use Your Block Cipher? Palash Sarkar

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Cryptography III: Symmetric Ciphers

FPGA Implementation of WG Stream Cipher

CPSC 467b: Cryptography and Computer Security

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

7. Symmetric encryption. symmetric cryptography 1

Introduction to cryptology (GBIN8U16)

Cryptography. Summer Term 2010

Cryptography and Network Security

Syrvey on block ciphers

COMP4109 : Applied Cryptography

Data Encryption Standard (DES)

CPSC 467b: Cryptography and Computer Security

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

Crypto: Symmetric-Key Cryptography

Symmetric Cryptography

A Chosen-key Distinguishing Attack on Phelix

Network Security Essentials

Analysis, demands, and properties of pseudorandom number generators

Computer Security 3/23/18

Stream Ciphers and Block Ciphers

Symmetric Key Cryptography

Symmetric Cryptography

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

symmetric cryptography s642 computer security adam everspaugh

CPS2323. Symmetric Ciphers: Stream Ciphers

CPSC 467: Cryptography and Computer Security

Stream Ciphers and Block Ciphers

Practical Aspects of Modern Cryptography

Basic principles of pseudo-random number generators

DESIGNING OF STREAM CIPHER ARCHITECTURE USING THE CELLULAR AUTOMATA

Block ciphers, stream ciphers

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

Cryptography [Symmetric Encryption]

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

Cryptography (cont.)

Using block ciphers 1

CENG 520 Lecture Note III

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

Symmetric Encryption Algorithms

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

The Salsa20 Family of Stream Ciphers

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

Security. Communication security. System Security

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Transcription:

Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51

Classical Encryption Adversary message ciphertext ciphertext Encrypt public channel Decrypt message secret key K secret key K Adversary s goal: To obtain message or secret key stream cipher overview, Palash Sarkar p2/51

One Time Pad Let the message be a sequence of bits: Let Ciphertext is where be a sequence of random bits Perfect Secrecy: Given a ciphertext, the message can be any binary string of length Impractical: (a) Difficult to get random bits (b) Sequence must be pre-distributed to both sender and receiver (c) random sequence as long as the message stream cipher overview, Palash Sarkar p3/51

Additive Stream Ciphers Use a pseudorandom generator PRG to produce the sequence The PRG extends a short seed into a long pseudorandom string, ie, PRG The seed is the secret key Security depends on the design of PRG stream cipher overview, Palash Sarkar p4/51

Security of PRG PRG is a broad concept For cryptographic use, a PRG must be unpredictable: Next bit test: Given an initial segment, it should not be possible to efficiently guess the next bit Statistical Tests: The generated pseudorandom sequence should pass all polynomial time statistical tests The above notions are equivalent stream cipher overview, Palash Sarkar p5/51

Block Ciphers Let For each fixed permutation of is written as is called an, is a -bit block cipher is the secret key Security: Pseudorandom permutation (PRP) stream cipher overview, Palash Sarkar p6/51

Stream and Block Ciphers Block Ciphers: Applies a fixed permutation to all -bit blocks Stream Ciphers: Applies a time-varying map Maintains a state vector, which allows the application of a time-varying map This difference is not very important Some block cipher modes of operations are actually stream ciphers Modern day stream ciphers are becoming more and more block oriented The difference between PRP and PRG is more fundamental stream cipher overview, Palash Sarkar p7/51

Attacks General Attack Models Known (or chosen) plaintext attack: The adversary learns a segment of the pseudorandom sequence Chosen ciphertext attack: Adversary submits ciphertexts and gets back the corresponding plaintexts Attack Goals Distinguishing Attacks: The adversary should be able to distinguish the output of the PRG from a random string Key Recovery Attacks: The adversary has to find the seed of the PRG from the output of the stream cipher overview, Palash Sarkar p8/51 PRG

Based on Hard Problems Blum, Blum and Shub (BBS): Let, where Seed: Iterates Bit extraction: parity Security: If determining quadratic residuacity modulo is difficult, then guessing is also difficult Efficiency: Slow; one squaring per bit Recent criticism: Menezes and Koblitz have argued that security guarantee is not realistic Elliptic curve based construction also known stream cipher overview, Palash Sarkar p9/51

Classical Models Hardware based well studied based on old ideas (almost four decades) Uses Linear Feedback Shift Registers (LFSR) and Boolean Functions LFSR: Fast generation of bit sequences (satisfying a linear recurrence) in hardware Boolean function: Maps an S-box: Maps an -bit string to an -bit string to one bit -bit string stream cipher overview, Palash Sarkar p10/51

LFSR Let Suppose Then Let be a bit sequence is called a linear recurring sequence can be produced in hardware using an LFSR Then of is called the characteristic polynomial If is primitive over maximum possible period of, then has the stream cipher overview, Palash Sarkar p11/51

Two Standard Models Nonlinear Filter Model: Boolean function combines outputs of different cells of a single LFSR Nonlinear Combiner Model: Boolean function combines outputs of several LFSRs Filter-Combiner model (Sarkar, Crypto 2002) combines the best features of the above two models Uses linear cellular automata (CA) instead of LFSRs Suitable Boolean functions are required to realize FC-model stream cipher overview, Palash Sarkar p12/51

Filter-Combiner Model CA 1 mi CA 2 f ri c i CA k stream cipher overview, Palash Sarkar p13/51

Necessary Properties High linear complexity of the output sequence Suitable choice of the Boolean function Balanced Correlation immune High algebraic degree High nonlinearlity Resistance to algebraic attacks stream cipher overview, Palash Sarkar p14/51

Linear Complexity Let be a sequence (possibly used to encrypt a message) The linear complexity of is the length of a minimum length LFSR that can produce Berlekamp-Massey algorithm can be used to find the linear complexity and a minimal length LFSR producing The time complexity of the algorithm is The BM algorithm was originally introduced for decoding BCH codes If is a random sequence, then its expected linear complexity is stream cipher overview, Palash Sarkar p15/51

Linear Complexity (contd) Nonlinear-Filter Model: Partial results are known due to Rueppel Depends on the choice of the Boolean function For certain Boolean functions, the linear complexity can be large Nonlinear-Combiner Model: Let be the combining Boolean function Let which are taken to be distinct Then the linear complexity is where the arithmetic is over the integers (Rueppel-Staffelbach) be the lengths of the LFSRs stream cipher overview, Palash Sarkar p16/51

Correlation Attack Introduced by Siegenthaler Assume the nonlinear-combiner model Let the th LFSR Let function Suppose Then the output to the sequence be the sequence obtained from be the output of the Boolean is biased with respect stream cipher overview, Palash Sarkar p17/51

Correlation Attack (contd) Assume that the sequence known (Also possible to work with the ciphertext) For each of the nonzero initial states of, generate the sequence Compute sequence is for each such If the choice of initial condition is correct, then else, If and are sufficiently separate and is sufficiently large, then we can find the correct initial state for stream cipher overview, Palash Sarkar p18/51

Correlation Attack (contd) If, then this does not work for If for all, then is said to be correlation immune (CI) One can then look for correlation between and XORs of several s If is th order CI, then this method will not succeed if we take the XORs of upto LFSRs A balanced -CI function is called -resilient stream cipher overview, Palash Sarkar p19/51

Correlation Attack (contd) Fast Correlation Attack: Avoid considering all possible initial states (Meier-Staffelbach) Each LFSR sequence satisfies a linear recurrence Let be the characteristic polynomial of the recurrence Then the sequence also satisfies a recurrence given by any multiple of Collection of all such recurrences (with low span ) constitute a set of parity check equations An iterative decoding method can be applied to obtain the original sequence from these parity check equations stream cipher overview, Palash Sarkar p20/51

Multiples of Polynomials Multiples of provide parity check equations It is helpful for the attack if these parity check equations have few terms For example, if has a trinomial multiple, then the obtained parity check has three terms A good polynomial degree sparse multiples will not have low Determining whether a polynomial is good can be difficult Work by Wagner (Crypto 2002) based on the generalized birthday attack stream cipher overview, Palash Sarkar p21/51

Algebraic Attack Courtois-Meier: Consider the nonlinear-filter model, ie, there is a single LFSR Let The Let degree be the initial state of the LFSR th state The key bits of is obtained as be the combining Boolean function of can be written as For any, the map is a linear map Thus, for any, we obtain a nonlinear equation in the bits of of maximum degree stream cipher overview, Palash Sarkar p22/51

Algebraic Attack (contd) Linearization: Replace each monomial of degree greater than one by a new variable Let We obtain a system of linear equations in at most variables If there are independent equations, then we can solve for these variables and use back substitution to obtain the bits of Time required is Becomes infeasible if is large, which can be ensured by having to be large stream cipher overview, Palash Sarkar p23/51

Algebraic Attack (contd) Suppose has large degree, but there are low degree polynomials and such that Then a modification of the above idea can be applied to instead of If is zero, then is called an annihilator A low degree annihilator can be used for the attack Necessary condition: Neither nor should have a low degree annihilator stream cipher overview, Palash Sarkar p24/51

Boolean Function Properties -variable Boolean function be an Let Balancedness: -CI: for any choice of from is affine if Nonlinearity: A function for some bit constants affine Algebraic Degree: Largest degree monomial in the algebraic normal form of stream cipher overview, Palash Sarkar p25/51

Boolean Function Properties (contd) Let = the number of input bits; = degree; = the order of resiliency; = nonlinearity Known Trade-Offs: Recent research has shown that it is possible to construct Boolean functions with optimal trade-offs The question of algebraic resistance offered by such Boolean functions is still under investigation stream cipher overview, Palash Sarkar p26/51

Exchange-Shuffle Paradigm Let be an array of length containing some permutation of to Repeat the following steps times Choose two random locations of Exchange the values in these locations At the end of steps, is expected to have a random permutation of to RC4: Uses the above principle Key set-up phase: Starting from a secret key, ensures a uniform distribution Byte generation phase: generates bytes at each step stream cipher overview, Palash Sarkar p27/51

RC4 Key Setup for i from 0 to 255 S[i] := i j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod keylength]) mod 256 swap(s[i],s[j]) stream cipher overview, Palash Sarkar p28/51

RC4 Byte Generation Initialization: ; ; Generation loop: ; ; Swap(, ); Ouput Note: is a byte-array of length 256 stream cipher overview, Palash Sarkar p29/51

RC4: Byte Generation stream cipher overview, Palash Sarkar p30/51

RC4: Weaknesses and Extensions Very efficient in software But cannot take advantage of 32-bit architecture Weaknesses pointed out by Shamir, Mantin, Golić, Paul-Preneel and others Attempts to extend the design to 32-bit architecture Recent study of weaknesses by Paul-Preneel (Asiacrypt 2006) stream cipher overview, Palash Sarkar p31/51

Initialization Vector In a stream cipher, the same secret key cannot be used more than once Regular key change is a serious problem Modern day stream ciphers use an initialization vector (IV) IV can be known to the adversary Strength of stream cipher does not depend on IV IV need not be random or unpredictable Constraint: The same (key,iv) pair cannot be used twice With this constraint, for the same key, several IVs can be used Eases the problem of supplying fresh keys stream cipher overview, Palash Sarkar p32/51

Security Goals Confidentiality: This is the basic goal Authentication: If the message has been tampered with, then it should be possible to detect it Usually achieved by computing a tag of the message Authenticated Encryption: The combined goal of confidentiality plus authentication Self-Synchronization: In a noisy channel, there may be bit flips, bit slips or bit inserts Suppose a contiguous sequence of bits are received correctly From this point, the decryption algorithm can stream cipher overview, Palash Sarkar p33/51 correctly decrypt

BC Modes of Operations message: initialization vector: ( -bit blocks); -bit IV (used as nonce) Electronic codebook (ECB) mode:, stream cipher overview, Palash Sarkar p34/51

ECB Mode stream cipher overview, Palash Sarkar p35/51

Insecurity of ECB Mode Source: Wikipedia, http://enwikipediaorg/wiki/ stream cipher overview, Palash Sarkar p36/51

CBC Mode Cipher Block Chaining (CBC) Mode: ;, stream cipher overview, Palash Sarkar p37/51

CBC Mode IV P1 P2 Pm 1 Pm E K E K E K E K C 1 C 2 C m 1 C m stream cipher overview, Palash Sarkar p38/51

Modes of Operations (contd) Output feedback (OFB) mode: ;, ;, This is essentially an additive stream cipher Cipher feedback (CFB) mode: ;, Can be used as a self-synchronizing stream cipher in a 1-bit feedback mode stream cipher overview, Palash Sarkar p39/51

OFB Mode stream cipher overview, Palash Sarkar p40/51

CFB Mode IV E K E K E K E K M 1 M 2 M 3 M 4 C 1 C 2 C 3 C 4 stream cipher overview, Palash Sarkar p41/51

Modes of Operations (contd) Counter (CTR) mode: Recent proposal Salsa20 due to Bernstein is based on this idea nonce is an -bit string is an -bit binary representation of Requires an adder Use of parallel generation of LFSR sequences in hardware (Mukhopadhyay-Sarkar, 2006) stream cipher overview, Palash Sarkar p42/51

Counter Mode stream cipher overview, Palash Sarkar p43/51

Bluetooth: E0 LFSR1 x 1 t LFSR2 LFSR3 x 2 t x t 3 XOR Keystream Z t LFSR4 x t 4 Z 1 c t+1 T 1 2 Z 1 T 2 2 XOR 2 + + 3 /2 2 s t+1 3 stream cipher overview, Palash Sarkar p44/51

Bluetooth: E0 The key length may vary; usually 128 bits At each step, E0 generates a bit using four shift registers (lengths 25, 31, 33, 39 bits) and two 2-bit internal states At each step, the registers are shifted and the two states are updated with the current state, the previous state and the values in the shift registers Four bits are then extracted from the shift registers and added together The algorithm XORs that sum with the value in the 2-bit register The first bit of the result is output for the encoding stream cipher overview, Palash Sarkar p45/51

GSM: A5/1 stream cipher overview, Palash Sarkar p46/51

GSM: A5/1 The registers are clocked in a stop/go fashion using a majority rule Each register has an associated clocking bit At each cycle, the clocking bit of all three registers is examined and the majority bit is determined A register is clocked if the clocking bit agrees with the majority bit Hence at each step two or three registers are clocked, and each register steps with probability 3/4 stream cipher overview, Palash Sarkar p47/51

SNOW 20 Stream Cipher stream cipher overview, Palash Sarkar p48/51

Phelix stream cipher overview, Palash Sarkar p49/51

Ecrypt Stream Cipher Proposals Phelix HC-256 Salsa20 Rabbit Many others generating a lot of interest and discussion on various aspects of stream cipher design and analysis http://wwwecrypteuorg/stream/ stream cipher overview, Palash Sarkar p50/51

Thank you for your attention! stream cipher overview, Palash Sarkar p51/51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback