
Lecture12 LFSR (Part-II)


CSD451: Applied Cryptography

Module 3 - Lecture 5
Today’s Lecture
• Stream cipher
• LFSR
• Trivium
• Pseudorandom Functions
WEP (FMS Attack)
• The root key remains fixed for a long period of time.
• The IV has only 24 bits.
• The IV is sent in plaintext.
• WPA uses a 48-bit IV (2003)
• WPA2-PSK (Pre-Shared Key) (2004)
• WPA2-PSK [AES] is the recommended secure method.
• WPA3 (2018)
Linear Feedback Shift Register (LFSR)
Example: LFSR of Degree 3
LFSR of Degree m
LFSR

Theorem: The maximum sequence length generated by an LFSR of degree m is $2^m - 1$.

• Primitive polynomials are a special type of irreducible polynomial.
• Maximum-length LFSRs have primitive polynomials.
• There are many primitive polynomials for every given degree m; e.g., 69,273,666 different primitive polynomials of degree m = 31.
LFSR

• The above list shows one primitive polynomial for every value of m in the range m = 2, 3, ..., 128, where the notation (0,2,5) refers to the polynomial $1 + x^2 + x^5$.
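Added example (not part of the original slides): a small LFSR simulator that checks the theorem for the primitive polynomial (0,2,5) and shows the shorter cycles of a polynomial that is irreducible but not primitive. The Fibonacci-style recurrence, the function names and the second polynomial (0,1,2,3,4) are assumptions made for this illustration.

```python
# Added example (not from the lecture). Tap tuples use the slide's notation:
# (0, 2, 5) means 1 + x^2 + x^5. Assumed convention: a Fibonacci LFSR with
# recurrence s[i+m] = XOR of s[i+j] over every listed exponent j < m.

def step(state, taps):
    """Clock once: return (output bit, next state) for a tuple of m bits."""
    m = len(state)
    new_bit = 0
    for j in taps:
        if j < m:                      # exponent m is the new bit itself
            new_bit ^= state[j]
    return state[0], state[1:] + (new_bit,)

def keystream(taps, state, nbits):
    """First nbits output bits starting from the given initial state."""
    out, s = [], tuple(state)
    for _ in range(nbits):
        bit, s = step(s, taps)
        out.append(bit)
    return out

def period(taps, state):
    """Clocks until the register returns to its initial state (None if never)."""
    start = s = tuple(state)
    for n in range(1, 2 ** len(start) + 1):
        _, s = step(s, taps)
        if s == start:
            return n
    return None

def all_periods(taps, m):
    """Cycle lengths seen over every non-zero initial state of an m-bit LFSR."""
    states = (tuple((v >> i) & 1 for i in range(m)) for v in range(1, 2 ** m))
    return {period(taps, s) for s in states}

if __name__ == "__main__":
    print(all_periods((0, 2, 5), 5))         # primitive polynomial, degree 5
    print(all_periods((0, 1, 2, 3, 4), 4))   # irreducible but not primitive
    print(period((0, 2, 5), (0,) * 5))       # the all-zero state is stuck at zero
```

The all-zero state is the one state excluded from the maximum-length cycle, which is where the "minus 1" in the theorem comes from.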
LFSR: Known-Plaintext Attack
Trivium: LFSR based Stream Cipher
• In the first phase, the cipher is clocked 4×288 = 1152 times. No cipher
output is generated during this phase, which randomizes the cipher sufficiently
and makes the key stream dependent on both the key k and the IV.
• Starting with the output bit of cycle 1153, the output bits form the key stream.
• Trivium was submitted to the Profile II (hardware) of
the eSTREAM competition (2004 - 2008) by its authors, Christophe De
Cannière and Bart Preneel, and has been selected as part of the
portfolio for low area hardware ciphers.
• eSTREAM was organized by the European Network of Excellence in
Cryptography (ECRYPT).
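Added example (not part of the original slides): a bit-level Trivium model with a configurable warm-up, showing that with the 1152 warm-up clocks skipped the first output bits are just XORs of single key and IV bits. The register layout and tap positions are taken from the published Trivium specification rather than from this page; the function names and the warmup parameter are assumptions made for this illustration.

```python
# Added example (not from the lecture). Register layout and tap positions are
# taken from the published Trivium specification, not from this page.
import random

def trivium(key_bits, iv_bits, nbits, warmup=4 * 288):
    """Keystream bits for 80-bit key (K1..K80) and IV (IV1..IV80) bit lists.

    warmup = number of initial clocks whose output is discarded (1152 in the
    real cipher; 0 only to show what the warm-up phase protects against).
    """
    assert len(key_bits) == 80 and len(iv_bits) == 80
    # s[1..288] as in the specification; s[0] is an unused placeholder.
    s = ([0] + list(key_bits) + [0] * 13        # register A: s1..s93
         + list(iv_bits) + [0] * 4              # register B: s94..s177
         + [0] * 108 + [1, 1, 1])               # register C: s178..s288
    out = []
    for clock in range(warmup + nbits):
        t1 = s[66] ^ s[93]
        t2 = s[162] ^ s[177]
        t3 = s[243] ^ s[288]
        if clock >= warmup:                     # output starts at cycle warmup + 1
            out.append(t1 ^ t2 ^ t3)
        t1 ^= (s[91] & s[92]) ^ s[171]
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        s = [0, t3] + s[1:93] + [t1] + s[94:177] + [t2] + s[178:288]
    return out

def unwarmed_output_is_linear(key_bits, iv_bits):
    """True if, with no warm-up, output bits 1..3 equal K(67-i) ^ IV(70-i) ^ 1."""
    z = trivium(key_bits, iv_bits, 3, warmup=0)
    return all(z[i] == key_bits[65 - i] ^ iv_bits[68 - i] ^ 1 for i in range(3))

def random_bits(rng, n=80):
    """Constructed sample input: n pseudo-random bits from a seeded generator."""
    return [rng.randrange(2) for _ in range(n)]

if __name__ == "__main__":
    rng = random.Random(2024)                   # constructed key and IV
    key, iv = random_bits(rng), random_bits(rng)
    print(unwarmed_output_is_linear(key, iv))
    print(trivium(key, iv, 16))
```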
Stream Cipher
Reading
Stream Cipher vs Block Cipher
Standards
Pseudorandom Function
Random Function
• Consider functions f: S → S
• Let S = {0, 1}
• Then the possible functions are:

[Figure: the four possible functions from {0, 1} to {0, 1}, labelled (i), (ii), (iii), (iv)]


Random Function
• Let $S = \{0,1\}^n$ and $f: D \to R$ where $D = R$
• Then the possible inputs are the $2^n$ different n-bit strings:
  000…000, 000…001, 000…010, 000…011, ……, 111…111
• Then the possible functions are:

  $f(0)$   $f(1)$   $f(2)$   …   $f(2^n-2)$   $f(2^n-1)$
  n-bit    n-bit    n-bit    …   n-bit        n-bit

• Each function is an $n \cdot 2^n$-bit string.
• Total possible strings are: $2^{n \cdot 2^n}$
• Each string is one function: F1, F2, F3, ……
Random Function
• Let the set $\mathrm{Func}_n$ = {all possible functions from n-bit strings to n-bit strings}
• $|\mathrm{Func}_n| = 2^{n \cdot 2^n}$
• A random function from this set of functions means choosing a function f uniformly from the set $\mathrm{Func}_n$
Keyed Functions
• We are interested in 2-input keyed functions, as defined below:
  $F: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$
• F is polynomial-time computable with 2 input parameters
• Represented as $F_k(x) = F(k, x)$, where k is the key
• For simplicity, assume |k| = |x| and |F(k, x)| = |k| = |x|.
• Choosing a uniform $k \in \{0,1\}^n$ is equivalent to choosing the function $F_k: \{0,1\}^n \to \{0,1\}^n$
Pseudorandom Function
• ‘Looks like’ a random function.
• A 2-input keyed function F is a pseudorandom function if $F_k$, for a uniform
key $k \in \{0,1\}^n$, is indistinguishable from a uniform function $f \in \mathrm{Func}_n$.
• For all polynomial-time distinguishers D,

  $\left| \Pr_{k \leftarrow \{0,1\}^n}\left[ D^{F_k(\cdot)} = 1 \right] - \Pr_{f \leftarrow \mathrm{Func}_n}\left[ D^{f(\cdot)} = 1 \right] \right| \le \epsilon(n)$

• $k \leftarrow \{0,1\}^n$, |Fk| = 2k
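Added example (not part of the original slides): the distinguishing experiment run empirically, with a distinguisher D that gets oracle access either to $F_k$ or to a uniform function and whose advantage is estimated over many trials. The keyed function xor_f, the stand-in hmac_f (truncated HMAC-SHA256, assumed here to behave as a PRF), the block size n = 16 bits and the two fixed queries are assumptions made for this illustration.

```python
# Added example (not from the lecture): estimating a distinguisher's advantage.
import hashlib
import hmac
import random

N_BYTES = 2  # n = 16 bits, an assumed toy size

def xor_f(k, x):
    """F_k(x) = k XOR x: keyed and length-preserving, but not pseudorandom."""
    return bytes(a ^ b for a, b in zip(k, x))

def hmac_f(k, x):
    """Stand-in assumed to behave as a PRF: HMAC-SHA256 truncated to n bits."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]

def random_function(rng):
    """Lazily sampled uniform f in Func_n: a fresh output for each new input."""
    table = {}
    def f(x):
        if x not in table:
            table[x] = bytes(rng.randrange(256) for _ in range(N_BYTES))
        return table[x]
    return f

def distinguisher(oracle):
    """D outputs 1 iff O(x1) XOR O(x2) == x1 XOR x2 (always true for xor_f)."""
    x1, x2 = b"\x00\x01", b"\x12\x34"
    y1, y2 = oracle(x1), oracle(x2)
    return int(xor_f(y1, y2) == xor_f(x1, x2))

def advantage(F, trials=2000, seed=1):
    """Estimate |Pr[D^{F_k} = 1] - Pr[D^{f} = 1]| over fresh keys and functions."""
    rng = random.Random(seed)
    real = ideal = 0
    for _ in range(trials):
        k = bytes(rng.randrange(256) for _ in range(N_BYTES))
        real += distinguisher(lambda x: F(k, x))
        ideal += distinguisher(random_function(rng))
    return abs(real - ideal) / trials

if __name__ == "__main__":
    print("xor_f advantage: ", advantage(xor_f))
    print("hmac_f advantage:", advantage(hmac_f))
```

Against a uniform function, D's relation holds only with probability $2^{-n}$, so two queries are enough to tell xor_f apart from it.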


PRF vs PRG

• A PRF is a stronger notion than a PRG.
• If we have a PRF (say) F, we can construct a PRG (say) G.
• Example: $G(k) = F_k(…) \,\|\, F_k(…)$
- based on the expansion factor of G
Pseudorandom Permutation
• Let F be a length-preserving, keyed function as already discussed
• F is a keyed permutation if
  • $\forall k$, $F_k$ is one-to-one and onto (a bijection)
  • $F_k^{-1}$ is efficiently computable and $F_k^{-1}(F_k(x)) = x$.
• F is a pseudorandom permutation if $F_k$, for a uniform key $k \in \{0,1\}^n$, is
indistinguishable from a uniform permutation $f \in \mathrm{Perm}_n$ (the set of all
permutations of n-bit strings).
Block Ciphers
For n = 2

• A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. There are
$2^n$ possible different plaintext blocks and, for the encryption to be reversible, each must produce a
unique ciphertext block. So if we limit ourselves to reversible mappings, the number of different
transformations is $(2^n)!$.
Block Ciphers
• Block ciphers are practical constructions of pseudorandom
permutations

  $F: \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^m$

  where n = key length and m = block length
