Stream Ciphers

Dhananjoy Dey

Indian Institute of Information Technology, Lucknow


[email protected]

September 10, 2024

Dhananjoy Dey (IIITL) Stream Ciphers September 10, 2024 1 / 77


Disclaimers

1. All the pictures used in this presentation are taken from freely available websites.
2. If there is a reference on a slide, all of the information on that slide is attributable to that source whether quotation marks are used or not.



Outline

1. Introduction
2. Statistical Tests
   Golomb's Postulates
   Five Basic Tests
3. LFSR
4. RC4
5. Trivium
6. Salsa20/20



Introduction


Block vs. Stream Cipher

Block Cipher
It processes plaintext in relatively large blocks (e.g., n ≥ 64 bits).
The same function is used to encrypt successive blocks; thus (pure) block ciphers are memoryless [1].

Stream Ciphers
They process plaintext in blocks as small as a single bit.
The encryption function may vary as plaintext is processed; thus a stream cipher is said to have memory.
They are also called state ciphers, since encryption depends not only on the key and plaintext but also on the current state.

[1] Adding a small amount of memory to a block cipher results in a stream cipher with large blocks.
One-Time Pad

Encryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

Encryption: Plaintext ⊕ Key = Ciphertext

Decryption

Decryption: Ciphertext ⊕ Key = Plaintext

Provably secure ...
Ciphertext provides no information about the plaintext
All plaintexts are equally likely
... but only when used correctly
Key must be random, used only once
Key is known only to sender and receiver
Note: Key is the same size as the message

So, why not distribute the message instead of the pad?

Stream Cipher

Based on the one-time pad, except that the key is relatively short.
The key is stretched into a long keystream.
The keystream is then used just like a one-time pad.

Main Characteristics

Speed: faster in hardware
Hardware implementation cost: low
Error propagation: limited or no error propagation
Synchronization requirement: to allow for proper decryption, the sender and receiver must be synchronized


Difference Between Stream Cipher and Pseudorandom Generator

The output length is not fixed, and the keystream is computed recursively using an internal state and the key.
The initial state is derived from a key and an initialization vector.
A stream cipher is an encryption scheme based on a keystream generator.
Encryption is defined by XORing the plaintext with the keystream.


Classification of Stream Ciphers

Synchronous Stream Ciphers: a synchronous stream cipher is one in which the keystream is generated independently of the plaintext message and of the ciphertext.

Here f is the feedback function of the cipher, g is the keystream extractor and h combines the keystream with the message stream. x_0 is called the initial state and may depend on the key.


Classification of Stream Ciphers

Self-Synchronous/Asynchronous Stream Ciphers: a self-synchronizing stream cipher is one in which the keystream is generated as a function of the key and a fixed number of previous ciphertext bits.

The eSTREAM Project


Timeline

14-15 Oct 04: workshop hosted by ECRYPT to discuss SASC (The State of the Art of Stream Ciphers)
Nov 04: call for primitives
29 Apr 05: deadline for submission to ECRYPT; 34 primitives were submitted
13 Jun 05: website launched to promote the public evaluation of the primitives
02-03 Feb 06: workshop SASC 2006 hosted by ECRYPT
Feb 06: end of the first evaluation phase of eSTREAM

https://www.ecrypt.eu.org/stream/

Jul 06: beginning of the second evaluation phase of eSTREAM
31 Jan - 01 Feb 07: workshop SASC 2007 hosted by ECRYPT
Apr 07: beginning of the third evaluation phase of eSTREAM
Feb 08: workshop SASC 2008
May 08: final report of eSTREAM
Jan 12: final report of the eSTREAM Portfolio in 2012


Submission Requirements

Submissions had to be either fast in software or resource-friendly in hardware.

                key   IV          tag (optional)
Profile 1 (SW)  128   64 or 128   32, 64, 96, or 128
Profile 2 (HW)   80   32 or 64    32 or 64

Designers were required to give an IP statement.


eSTREAM Portfolio

in 2008
Profile 1     Profile 2
HC-128        F-FCSR-H v2
Rabbit        Grain v1
Salsa20/12    MICKEY v2
Sosemanuk     Trivium

in 2012
Profile 1     Profile 2
HC-128        Grain v1
Rabbit        MICKEY 2.0
Salsa20/12    Trivium
Sosemanuk


Recommended Stream Ciphers (ENISA - Nov 2014)

Recommendation
Primitive     Legacy   Future
HC-128        ✓        ✓
Salsa20/20    ✓        ✓
ChaCha        ✓        ✓
SNOW 2.0      ✓        ✓
SNOW 3G       ✓        ✓
SOSEMANUK     ✓        ✓
Grain         ✓        ×
Mickey 2.0    ✓        ×
Trivium       ✓        ×
Rabbit        ✓        ×
A5/1          ×        ×
A5/2          ×        ×
E0            ×        ×
RC4           ×        ×

Legacy ×: An attack exists or the security is considered not sufficient. The mechanism should be replaced in fielded products as a matter of urgency.

Legacy ✓: No known weaknesses at present, but better alternatives exist (lack of security proof or limited key size).

Future ✓: The mechanism is well studied (often with a security proof) and expected to remain secure over a 10-50 year lifetime.

https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

Stream Ciphers

Once upon a time, not so very long ago, stream ciphers were the king of crypto.
Today they are not as popular as block ciphers.

RC4
Based on a changing lookup table
Used in many places (WEP, ...)
RFC 7465, "Prohibiting RC4 Cipher Suites", was published in Feb 2015.

ChaCha20 is a modern stream cipher with good performance in software.
It has been adopted as a replacement for RC4 in several internet standards.

RBG & PRBG

Definition
A random bit generator is a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.

Definition
A pseudo-random bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length ℓ much larger than k which "appears" to be random. The input to the PRBG is called the seed, while the output of the PRBG is called a pseudo-random bit sequence.

PRBG & CSPRBG

Definition
We say that a PRBG passes all poly-time statistical tests if no poly-time algorithm can correctly distinguish between an output sequence of the generator and the output of a TRBG (truly random bit generator) of the same length with probability significantly greater than 1/2.

Definition
We say that a PRBG passes the next-bit test if there is no poly-time algorithm which, on input of the first ℓ bits of an output sequence s, can predict the (ℓ + 1)-th bit of s with probability significantly greater than 1/2.

Definition
A PRBG that passes the next-bit test is called a cryptographically secure PRBG (CSPRBG).

Linear Congruential Generator

Designed by D. H. Lehmer in 1949.

x_n ≡ a·x_{n−1} + b (mod m), where n ≥ 1.
The output depends on the initial seed x_0 and on a, b, and m.

Theorem
If b ≠ 0, the LCG generates a sequence of maximal length m (i.e., of period m) iff
(i) gcd(b, m) = 1,
(ii) p | (a − 1) for every prime factor p of m,
(iii) if 4 | m, then 4 | (a − 1).

LCGs are not very useful for cryptographic purposes.
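As an added illustration of the full-period theorem above (this code is not from the slides), the following Python checks the three conditions for chosen parameters and measures the actual period; the parameter values m = 32, b = 3 and a ∈ {5, 3} are constructed for the demo.

```python
from math import gcd


def lcg(a, b, m, x0, count):
    """First `count` outputs x_1, ..., x_count of x_n = a*x_{n-1} + b (mod m)."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out


def prime_factors(m):
    """Distinct prime factors of m by trial division (adequate for demo-sized m)."""
    factors, p = set(), 2
    while p * p <= m:
        while m % p == 0:
            factors.add(p)
            m //= p
        p += 1
    if m > 1:
        factors.add(m)
    return factors


def full_period_conditions(a, b, m):
    """Conditions (i), (ii), (iii) of the theorem for b != 0, each reported separately."""
    if b == 0:
        raise ValueError("the theorem is stated for b != 0")
    cond_i = gcd(b, m) == 1
    cond_ii = all((a - 1) % p == 0 for p in prime_factors(m))
    cond_iii = (m % 4 != 0) or ((a - 1) % 4 == 0)
    return cond_i, cond_ii, cond_iii


def period(a, b, m, x0):
    """Smallest N >= 1 with x_{n+N} = x_n once the sequence has entered its cycle."""
    first_seen, x, n = {}, x0, 0
    while x not in first_seen:
        first_seen[x] = n
        x = (a * x + b) % m
        n += 1
    return n - first_seen[x]


if __name__ == "__main__":
    # Constructed demo with m = 2^5 = 32 (its only prime factor is 2).
    # a = 5, b = 3: gcd(3, 32) = 1, 2 | 4 and 4 | 4, so all three conditions hold.
    # a = 3, b = 3: a - 1 = 2 is not divisible by 4, so condition (iii) fails.
    for a in (5, 3):
        print("a =", a, full_period_conditions(a, 3, 32), "period:", period(a, 3, 32, 7))
```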

RSA CSPRBG

Choose 2 large primes p and q.
Set n = p·q.
Choose a random e with 0 < e < φ(n) such that gcd(e, φ(n)) = 1.
Choose a random seed x_0 with 1 ≤ x_0 ≤ n − 1.

x_i ≡ x_{i−1}^e (mod n).

Let b_i be the least significant bit of x_i.
The ℓ random bits are b_1, b_2, ..., b_ℓ.


BBS (Blum-Blum-Shub) CSPRBG

Generate 2 large primes p and q such that both are ≡ 3 (mod 4).
Set n = p·q.
Select a random integer x such that gcd(x, n) = 1.
Set the initial seed x_0 ≡ x^2 (mod n).

x_i ≡ x_{i−1}^2 (mod n).

Let b_i be the least significant bit of x_i.
The ℓ random bits are b_1, b_2, ..., b_ℓ.
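The RSA generator and the BBS generator from the two slides above, as one added Python example that is not from the slides. The primes 11 and 19 (both ≡ 3 mod 4), e = 7, and the seeds are toy values chosen so the arithmetic can be followed by hand; a real deployment uses large primes.

```python
from math import gcd


def rsa_prbg(p, q, e, x0, ell):
    """RSA generator from the slides: n = p*q, x_i = x_{i-1}^e mod n, b_i = lsb(x_i)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (0 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 0 < e < phi(n) and gcd(e, phi(n)) = 1")
    if not 1 <= x0 <= n - 1:
        raise ValueError("seed must satisfy 1 <= x0 <= n - 1")
    bits, x = [], x0
    for _ in range(ell):
        x = pow(x, e, n)        # x_i = x_{i-1}^e mod n
        bits.append(x & 1)      # b_i = least significant bit of x_i
    return bits


def bbs_prbg(p, q, x, ell):
    """Blum-Blum-Shub: p, q = 3 mod 4, x_0 = x^2 mod n, x_i = x_{i-1}^2 mod n, b_i = lsb(x_i)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(x, n) != 1:
        raise ValueError("x must be coprime to n")
    bits, xi = [], (x * x) % n   # x_0
    for _ in range(ell):
        xi = (xi * xi) % n       # x_i = x_{i-1}^2 mod n
        bits.append(xi & 1)
    return bits


if __name__ == "__main__":
    # Toy primes constructed for the demo: n = 209, phi(n) = 180.
    print("RSA bits:", rsa_prbg(11, 19, 7, 5, 8))
    print("BBS bits:", bbs_prbg(11, 19, 3, 8))
```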

Statistical Tests

Golomb’s Postulates

Let s = s_0, s_1, s_2, ... be an infinite sequence. The subsequence consisting of the first n terms of s is denoted by s^n = s_0, s_1, ..., s_{n−1}.
A run of s is a subsequence of s consisting of consecutive 0's or consecutive 1's which is neither preceded nor succeeded by the same symbol. A run of 0's is called a gap, while a run of 1's is called a block.

Definition
Let s = s_0, s_1, s_2, ... be a periodic sequence of period N. The autocorrelation function of s is the integer-valued function C(t) defined as

$$C(t) = \frac{1}{N}\sum_{i=0}^{N-1} (2s_i - 1)(2s_{i+t} - 1), \quad \text{for } 0 \le t \le N-1.$$

C(t) measures the amount of similarity between the sequence s and a shift of s by t positions. If s is a random periodic sequence of period N, then |N·C(t)| can be expected to be quite small for all values of t, 0 < t < N.

Let s be a periodic sequence of period N. Golomb's randomness postulates are the following:
(i) In the cycle s^N of s, the number of 1's differs from the number of 0's by at most 1.
(ii) In the cycle s^N, at least half the runs have length 1, at least one-fourth have length 2, at least one-eighth have length 3, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are (almost) equally many gaps and blocks.
(iii) The autocorrelation function C(t) is two-valued. That is, for some integer K,

$$N \cdot C(t) = \sum_{i=0}^{N-1} (2s_i - 1)(2s_{i+t} - 1) = \begin{cases} N, & \text{if } t = 0, \\ K, & \text{if } 1 \le t \le N-1. \end{cases}$$

A binary sequence which satisfies Golomb's randomness postulates is called a pseudo-noise sequence or a pn-sequence.


Five Basic Tests

Frequency Test (Monobit Test)

The purpose of this test is to determine whether the number of 0's and 1's in s are approximately the same, as would be expected for a random sequence.
Let s = s_0, s_1, s_2, ..., s_{n−1} be a binary sequence of length n.
Let n_0, n_1 denote the number of 0's and 1's in s, respectively.
The statistic used is

$$X_1 = \frac{(n_0 - n_1)^2}{n}$$

which approximately follows a χ² distribution with 1 degree of freedom if n ≥ 10.


Serial Test (2-bit Test)

The purpose of this test is to determine whether the number of occurrences of 00, 01, 10, and 11 as subsequences of s are approximately the same, as would be expected for a random sequence.
Let n_0, n_1 denote the number of 0's and 1's in s, respectively, and let n_00, n_01, n_10, n_11 denote the number of occurrences of 00, 01, 10, 11 in s, respectively [2].
The statistic used is

$$X_2 = \frac{4}{n-1}\left(n_{00}^2 + n_{01}^2 + n_{10}^2 + n_{11}^2\right) - \frac{2}{n}\left(n_0^2 + n_1^2\right) + 1$$

which approximately follows a χ² distribution with 2 degrees of freedom if n ≥ 21.

[2] n_00 + n_01 + n_10 + n_11 = n − 1 since the subsequences are allowed to overlap.

Poker test

Let m be a positive integer such that ⌊n/m⌋ ≥ 5·2^m, and let k = ⌊n/m⌋.
Divide the sequence s into k non-overlapping parts each of length m.
Let n_i be the number of occurrences of the i-th type of sequence of length m, 1 ≤ i ≤ 2^m.
The poker test [3] determines whether the sequences of length m each appear approximately the same number of times in s, as would be expected for a random sequence.
The statistic used is

$$X_3 = \frac{2^m}{k}\left(\sum_{i=1}^{2^m} n_i^2\right) - k$$

which approximately follows a χ² distribution with 2^m − 1 degrees of freedom.

[3] Note that the poker test is a generalization of the frequency test: setting m = 1 in the poker test yields the frequency test.

Runs test

The purpose of the runs test is to determine whether the number of runs of various lengths in the sequence s is as expected for a random sequence.
The expected number of gaps (or blocks) of length i in a random sequence of length n is e_i = (n − i + 3)/2^{i+2}.
Let k be equal to the largest integer i for which e_i ≥ 5.
Let B_i, G_i be the number of blocks and gaps, respectively, of length i in s for each i, 1 ≤ i ≤ k.
The statistic used is

$$X_4 = \sum_{i=1}^{k} \frac{(B_i - e_i)^2}{e_i} + \sum_{i=1}^{k} \frac{(G_i - e_i)^2}{e_i}$$

which approximately follows a χ² distribution with 2k − 2 degrees of freedom.


Autocorrelation test

The purpose of this test is to check for correlations between the sequence s and (non-cyclic) shifted versions of it.
Let d be a fixed integer, 1 ≤ d ≤ ⌊n/2⌋.
The number of bits in s not equal to their d-shifts is

$$A(d) = \sum_{i=0}^{n-d-1} s_i \oplus s_{i+d}.$$

The statistic used is

$$X_5 = \frac{2\left(A(d) - \frac{n-d}{2}\right)}{\sqrt{n-d}}$$

which approximately follows an N(0, 1) distribution if n − d ≥ 10.
Since small values of A(d) are as unexpected as large values of A(d), a two-sided test should be used.
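The five statistics X_1 to X_5 defined on the preceding slides, as one added Python implementation that is not part of the slides. It is run over a constructed 160-bit input (a 40-bit pattern replicated four times, so deliberately non-random) with m = 3 for the poker test and d = 8 for the autocorrelation test.

```python
from collections import Counter
from math import sqrt


def frequency_test(s):
    """X1 = (n0 - n1)^2 / n, approximately chi^2 with 1 degree of freedom for n >= 10."""
    n, n1 = len(s), sum(s)
    n0 = n - n1
    return (n0 - n1) ** 2 / n


def serial_test(s):
    """X2 over the overlapping 2-bit subsequences, approximately chi^2 with 2 d.o.f. for n >= 21."""
    n, n1 = len(s), sum(s)
    n0 = n - n1
    pairs = Counter(zip(s, s[1:]))            # n00 + n01 + n10 + n11 = n - 1
    sq = sum(c * c for c in pairs.values())
    return 4 / (n - 1) * sq - 2 / n * (n0 * n0 + n1 * n1) + 1


def poker_test(s, m):
    """X3 over k = floor(n/m) non-overlapping m-bit parts, approximately chi^2 with 2^m - 1 d.o.f."""
    k = len(s) // m
    if k < 5 * 2 ** m:
        raise ValueError("poker test needs floor(n/m) >= 5 * 2^m")
    parts = Counter(tuple(s[i * m:(i + 1) * m]) for i in range(k))
    return 2 ** m / k * sum(c * c for c in parts.values()) - k


def run_lengths(s):
    """Counters of block (run of 1s) and gap (run of 0s) lengths in the finite sequence s."""
    blocks, gaps = Counter(), Counter()
    i = 0
    while i < len(s):
        j = i
        while j < len(s) and s[j] == s[i]:
            j += 1
        (blocks if s[i] == 1 else gaps)[j - i] += 1
        i = j
    return blocks, gaps


def runs_test(s):
    """X4 over run lengths 1..k, approximately chi^2 with 2k - 2 d.o.f.  Returns (X4, k)."""
    n = len(s)

    def e(i):                                  # expected gaps (or blocks) of length i
        return (n - i + 3) / 2 ** (i + 2)

    k = 1
    while e(k + 1) >= 5:                       # k = largest i with e_i >= 5
        k += 1
    blocks, gaps = run_lengths(s)
    x4 = sum((blocks[i] - e(i)) ** 2 / e(i) + (gaps[i] - e(i)) ** 2 / e(i)
             for i in range(1, k + 1))
    return x4, k


def autocorrelation_test(s, d):
    """X5 for shift d, approximately N(0,1) if n - d >= 10; compare two-sided."""
    n = len(s)
    if not 1 <= d <= n // 2:
        raise ValueError("need 1 <= d <= floor(n/2)")
    a_d = sum(x ^ y for x, y in zip(s, s[d:]))   # A(d): bits differing from their d-shift
    return 2 * (a_d - (n - d) / 2) / sqrt(n - d)


# Constructed, deliberately non-random input: a 40-bit pattern replicated four times (n = 160).
PATTERN = "11100 01100 01000 10100 11101 11100 10010 01001"
SAMPLE = [int(c) for c in PATTERN.replace(" ", "")] * 4


def all_five(s=SAMPLE, m=3, d=8):
    """All five statistics for s, plus the k used by the runs test."""
    x4, k = runs_test(s)
    return {"X1": frequency_test(s), "X2": serial_test(s), "X3": poker_test(s, m),
            "X4": x4, "k": k, "X5": autocorrelation_test(s, d)}


if __name__ == "__main__":
    for name, value in all_five().items():
        print(name, "=", round(value, 4))
```

Each statistic is then compared with the threshold of its reference distribution (χ² with the stated degrees of freedom, or N(0, 1) two-sided for X_5) at the chosen significance level; the slides give no threshold values, so none are built in here.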

LFSR

Linear Feedback Shift Registers (LFSR)

A standard way of producing a binary stream of data is to use a feedback shift register.
These are small circuits containing a number of memory cells, each of which holds one bit of information.
The set of such cells forms a register.
In each cycle a certain predefined set of cells are 'tapped' and their value is passed through a function, called the feedback function.
The register is then shifted down by one bit, with the output bit of the feedback shift register being the bit that is shifted out of the register.
The combination of the tapped bits is then fed into the empty cell at the top of the register.

Figure: LFSR of length L

This LFSR is denoted by ⟨L, C(D)⟩, where

C(D) = 1 + c_1 D + c_2 D^2 + ··· + c_L D^L ∈ GF(2)[D]

is the connection polynomial.



Definition
An LFSR of degree (length) L is defined by feedback coefficients c_1, ..., c_L ∈ GF(2).

The initial state is an L-bit word S = (s_{L−1}, ..., s_1, s_0) and new bits are generated by the recursion

s_j = c_1 s_{j−1} ⊕ c_2 s_{j−2} ⊕ ··· ⊕ c_L s_{j−L}, for j ≥ L.

At each iteration step, the state S is updated from (s_{j−1}, ..., s_{j−L}) to (s_j, s_{j−1}, ..., s_{j−L+1}) by shifting the register to the right. The rightmost bit s_{j−L} is output.

The output of an LFSR is called a linear recurring sequence.

Let the length of the register be L.
One defines a set of bits (c_1, ..., c_L) where c_i = 1 if that cell is tapped and c_i = 0 otherwise.
The initial internal state of the register is given by the bit sequence (s_{L−1}, ..., s_1, s_0).
The output sequence is then defined to be s_0, s_1, s_2, ..., s_{L−1}, s_L, s_{L+1}, ... where for j ≥ L we have

s_j = c_1 s_{j−1} ⊕ c_2 s_{j−2} ⊕ ··· ⊕ c_L s_{j−L}.

Example (LFSR)

Connection polynomial: c(x) = x^4 + x + 1
Initial state: (1, 1, 0, 1)

State (s_{j−1}, s_{j−2}, s_{j−3}, s_{j−4}) → output bit s_{j−4}, over one full period:

1101 → 1
0110 → 0
0011 → 1
1001 → 1
0100 → 0
0010 → 0
0001 → 1
1000 → 0
1100 → 0
1110 → 0
1111 → 1
0111 → 1
1011 → 1
0101 → 1
1010 → 0
1101

Definition
Let s_0, s_1, s_2, ... be a linear recurring sequence. The period of the sequence is the smallest integer N ≥ 1 such that

s_{j+N} = s_j

for all sufficiently large values of j.

Proposition
The period of a sequence generated by an LFSR of degree n is at most 2^n − 1.

Linear Complexity

Definition
The linear complexity of an infinite binary sequence s, denoted L(s), is defined as follows:
(i) if s is the zero sequence s = 0, 0, 0, ..., then L(s) = 0;
(ii) if no LFSR generates s, then L(s) = ∞;
(iii) otherwise, L(s) is the length of the shortest LFSR that generates s.

Definition
The linear complexity of a finite binary sequence s^n, denoted L(s^n), is the length of the shortest LFSR that generates a sequence having s^n as its first n terms.


Properties of Linear Complexity

(i) For any n ≥ 1, the linear complexity of the subsequence s^n satisfies 0 ≤ L(s^n) ≤ n.
(ii) L(s^n) = 0 iff s^n is the zero sequence of length n.
(iii) L(s^n) = n iff s^n = 0, 0, 0, ..., 0, 1.
(iv) If s is periodic with period N, then L(s) ≤ N.
(v) L(s ⊕ t) ≤ L(s) + L(t), where s ⊕ t denotes the bitwise XOR of s and t.
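Computing L(s^n) is usually done with the Berlekamp-Massey algorithm, which the slides do not cover; the following added Python example (not from the slides) implements it and checks properties (i) to (iii) above, using as input the 15-bit output of the x^4 + x + 1 LFSR from the earlier example (the rightmost bit of each state in that table).

```python
def berlekamp_massey(s):
    """Return (L, C) for the finite bit sequence s: L = L(s^n), and C = [c_0 = 1, c_1, ..., c_L]
    are the connection polynomial coefficients of a shortest LFSR with
    s_j = c_1 s_{j-1} xor ... xor c_L s_{j-L}."""
    n = len(s)
    c = [1] + [0] * n      # current connection polynomial C(D)
    b = [1] + [0] * n      # C(D) as it was before the last length change
    L, m = 0, -1           # m: position of the last length change
    for i in range(n):
        d = s[i]           # discrepancy: does the current LFSR predict s_i?
        for k in range(1, L + 1):
            d ^= c[k] & s[i - k]
        if d == 0:
            continue
        t = c[:]
        shift = i - m      # C(D) <- C(D) + D^(i-m) B(D)
        for k in range(n + 1 - shift):
            c[k + shift] ^= b[k]
        if 2 * L <= i:     # the register had to grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def linear_complexity_profile(s):
    """L(s^1), L(s^2), ..., L(s^n): nondecreasing and bounded by n (property (i))."""
    return [berlekamp_massey(s[:k])[0] for k in range(1, len(s) + 1)]


# One period of the x^4 + x + 1 LFSR output from the earlier example, copied from that table
# (rightmost bit of the states 1101, 0110, 0011, ...).
MSEQ = [1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0]

if __name__ == "__main__":
    L, C = berlekamp_massey(MSEQ)
    print("L =", L, "C(D) coefficients =", C)   # L = 4 and C(D) = 1 + D + D^4
    print("profile:", linear_complexity_profile(MSEQ))
```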

Nonlinear FSR (NLFSR)


Example
Consider a 4-stage NFSR with feedback function

f(x_0, x_1, x_2, x_3) = 1 + x_0 + x_1 + x_1 x_2 x_3

f (x0, x1, x2, x3) = 1 + x0 + x1 + x1 x2 x3 is a de Bruijn FSR. Its state cycle (state → output bit):

0001 → 1
0000 → 0
1000 → 0
1100 → 0
1110 → 0
1111 → 1
0111 → 1
1011 → 1
1101 → 1
0110 → 0
0011 → 1
1001 → 1
0100 → 0
1010 → 0
0101 → 1
0010 → 0
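The table above can be reproduced by clocking the register. In the added Python below (an example written for this page, not code from the slides), the state is written (x3, x2, x1, x0) exactly as in the table: the rightmost bit x0 is the output, and the feedback bit f(x0, x1, x2, x3) enters at x3 while the other bits shift one place to the right. That shift convention is an interpretation of the table, not something the slide states explicitly; it is what makes all 16 transitions match. The code also checks the de Bruijn property, namely that every 4-bit window of the cyclic output sequence appears exactly once.

```python
# Added example, not from the lecture: clock the 4-stage NFSR with feedback
# f(x0, x1, x2, x3) = 1 + x0 + x1 + x1 x2 x3 and verify the de Bruijn property.

def nfsr_step(state):
    """One clock tick. `state` is (x3, x2, x1, x0), written left to right as in
    the table; x0 is the output bit and the feedback bit enters at x3 while the
    remaining bits shift one position to the right (assumed convention)."""
    x3, x2, x1, x0 = state
    f = 1 ^ x0 ^ x1 ^ (x1 & x2 & x3)          # + over GF(2) is XOR, products are AND
    return (f, x3, x2, x1), x0


def run_nfsr(start, steps=16):
    """Visit `steps` successive states from `start`. Returns the states (steps + 1
    entries; the last equals `start` when the cycle closes) and the output bits."""
    states, outputs = [tuple(start)], []
    for _ in range(steps):
        nxt, out = nfsr_step(states[-1])
        states.append(nxt)
        outputs.append(out)
    return states, outputs


def is_de_bruijn(outputs, n=4):
    """True if the cyclic output sequence has length 2**n and every n-bit window
    occurs exactly once, i.e. the register runs through all 2**n states."""
    m = len(outputs)
    windows = {tuple(outputs[(k + i) % m] for i in range(n)) for k in range(m)}
    return m == 2**n and len(windows) == 2**n


def state_table(start=(0, 0, 0, 1)):
    """The slide's table as a list of 'x3x2x1x0 -> output' strings."""
    states, outputs = run_nfsr(start)
    return [f"{''.join(map(str, s))} -> {o}" for s, o in zip(states, outputs)]


if __name__ == "__main__":
    print("\n".join(state_table()))
    _, out = run_nfsr((0, 0, 0, 1))
    print("de Bruijn:", is_de_bruijn(out))
```

Starting from 0001 the register returns to 0001 after exactly 16 steps, having visited every 4-bit state once, which is why the output sequence 1000011110110010 is a de Bruijn sequence of order 4.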
LFSR

Stream Ciphers Based on LFSRs

Nonlinear combination generator

Filter generator

Shrinking generator



LFSR

Nonlinear Combination Generator


One general technique for destroying the linearity inherent in
LFSRs is to use several LFSRs in parallel.
The key stream is generated as a nonlinear function f of the
outputs of the component LFSRs.
These are called nonlinear combination generators, and f is
called the combining function.

LFSR

Nonlinear Combination Generator

Example (Geffe Generator)

Consider 3 maximum-length LFSRs whose lengths L1, L2, L3 are pairwise relatively prime, with nonlinear combining function

f (x1, x2, x3) = x1 x2 ⊕ (1 + x2) x3 = x1 x2 ⊕ x2 x3 ⊕ x3.

The keystream generated has period (2^{L1} − 1)(2^{L2} − 1)(2^{L3} − 1) and linear complexity
L = L1 L2 + L2 L3 + L3.
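As an added example (not part of the slides), the following Python code builds the pieces discussed in this section: a Fibonacci LFSR, the Berlekamp-Massey algorithm for the linear complexity L(s^n), a divisor-based period check, and the Geffe combiner with L1 = 3, L2 = 5, L3 = 7. The characteristic polynomials x^3+x+1, x^5+x^2+1 and x^7+x+1 are my choice of primitive polynomials, so the three LFSRs are maximum-length; nothing here is the lecture's own code. Running it reproduces the two facts just stated, period (2^3−1)(2^5−1)(2^7−1) = 27559 and linear complexity 3·5 + 5·7 + 7 = 57, and the same Berlekamp-Massey routine checks properties (ii), (iii) and (v) of linear complexity from the earlier slide.

```python
# Added example, not from the lecture: Fibonacci LFSR, Berlekamp-Massey linear
# complexity, a divisor-based period check and the Geffe generator.

def lfsr(taps, seed, nbits):
    """First nbits of s_0, s_1, ... for an LFSR of length n = len(seed) with
    recurrence s_{j+n} = XOR_{i in taps} s_{j+i}; the seed is s_0, ..., s_{n-1}."""
    state = list(seed)
    out = []
    for _ in range(nbits):
        out.append(state[0])
        feedback = 0
        for i in taps:
            feedback ^= state[i]
        state = state[1:] + [feedback]
    return out


def linear_complexity(s):
    """Berlekamp-Massey over GF(2): L(s^n), the length of the shortest LFSR that
    produces the finite sequence s as its first n terms."""
    n = len(s)
    c = [0] * (n + 1)        # connection polynomial of the current LFSR
    b = [0] * (n + 1)        # connection polynomial before the last length change
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = s[i]             # discrepancy between s_i and the LFSR's prediction
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(i - m, n + 1):
                c[j] ^= b[j - (i - m)]
            if 2 * L <= i:   # the register has to grow
                L, m, b = i + 1 - L, i, t
    return L


def smallest_period(bits, candidate):
    """Least period of `bits`, given that `candidate` is some period of it
    (the least period divides every period); needs len(bits) >= 2 * candidate."""
    for d in range(1, candidate + 1):
        if candidate % d == 0 and all(bits[j + d] == bits[j] for j in range(len(bits) - d)):
            return d
    return None


# Three maximum-length LFSRs with pairwise coprime lengths 3, 5, 7. The
# characteristic polynomials x^3+x+1, x^5+x^2+1, x^7+x+1 are primitive (my choice).
GEFFE_LFSRS = (((0, 1), [1, 0, 0]),
               ((0, 2), [1, 0, 0, 0, 0]),
               ((0, 1), [1, 0, 0, 0, 0, 0, 0]))


def geffe(nbits):
    """Geffe keystream z = x1 x2 XOR (1 + x2) x3 of the three LFSRs above."""
    x1, x2, x3 = (lfsr(taps, seed, nbits) for taps, seed in GEFFE_LFSRS)
    return [(a & b) ^ ((1 ^ b) & c) for a, b, c in zip(x1, x2, x3)]


def geffe_facts():
    """Measure period and linear complexity next to the slide's formulas."""
    L1, L2, L3 = (len(seed) for _, seed in GEFFE_LFSRS)
    state_period = (2**L1 - 1) * (2**L2 - 1) * (2**L3 - 1)
    z = geffe(2 * state_period)
    return {
        "period": smallest_period(z, state_period),
        "period_formula": state_period,
        "linear_complexity": linear_complexity(z[:400]),   # 400 > 2 * 57 bits suffice
        "lc_formula": L1 * L2 + L2 * L3 + L3,
    }


if __name__ == "__main__":
    print(geffe_facts())
```

Berlekamp-Massey needs only 2L bits to pin down an LFSR of length L, which is the practical meaning of linear complexity: a keystream with L = 57 is fully predictable from 114 known bits, so a combiner's job is to make L (and not just the period) large.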

LFSR

Filter Generator
A filter generator is a running-key generator for stream cipher
applications.
It consists of a single LFSR which is filtered by a nonlinear
function f .

LFSR

Shrinking Generator

A control LFSR R1 is used to select a portion of the output sequence of a second LFSR R2.
Due to its simplicity, it was a promising candidate for high-speed encryption applications.

RC4

RC4

A self-modifying lookup table (or synchronous stream cipher) designed by Ron Rivest in 1987.
Table always contains a permutation of the byte values 0, 1, . . . , 255
Initialize the permutation using key
At each step, RC4 does the following:
  Swaps elements in current lookup table
  Selects a keystream byte from table
Each step of RC4 produces a byte
  Efficient in software
Each step of A5/1 produces only a bit
  Efficient in hardware



RC4

RC4 Key Scheduling Algorithm (KSA)



RC4

RC4 Pseudorandom Generation Algorithm (PRGA)


For each keystream byte, swap elements in table and select byte
Use keystream bytes like a one-time pad
Note: first 256 bytes should be discarded
  Otherwise, related key attack exists
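The KSA and PRGA figures are not reproduced here; the following Python implementation (an added example, not code from the slides) carries out both, takes a `drop` parameter for the recommendation to discard the first keystream bytes, and checks two public RC4 test vectors (key "Key" with plaintext "Plaintext", and "Wiki" with "pedia"). It also makes the one-time-pad analogy concrete: RC4 has no nonce, so two messages encrypted under the same key XOR to the XOR of the plaintexts, which is why a key must never be reused without a fresh per-message key derivation.

```python
# Added example, not from the lecture: RC4 key scheduling (KSA) and
# pseudorandom generation (PRGA) in plain Python.

def rc4_ksa(key):
    """KSA: start from the identity permutation of 0..255 and swap entries
    driven by the key bytes (the key repeats cyclically)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, nbytes, drop=0):
    """PRGA: every step swaps two table entries and emits one byte. `drop`
    discards that many leading bytes (the slide recommends 256)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for n in range(drop + nbytes):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if n >= drop:
            out.append(k)
    return bytes(out)


def rc4_crypt(key, data, drop=0):
    """Encryption and decryption are the same XOR with the keystream."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(m ^ k for m, k in zip(data, ks))


def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def keystream_reuse(key, p1, p2):
    """Two ciphertexts under the same key XOR to p1 XOR p2: the keystream
    cancels exactly as a reused one-time pad would."""
    return xor_bytes(rc4_crypt(key, p1), rc4_crypt(key, p2))


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())        # public test vector
    print(rc4_keystream(b"Key", 8, drop=256).hex())     # RC4-drop[256] output
```

The `drop` variant only skips output; it does not change the KSA, so the two test vectors (which use no drop) still check the table setup and the byte selection.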
Trivium

Trivium
Designed by De Cannière and Preneel in 2006 as part of the eSTREAM competition
Intended to be simple and efficient (especially in hardware)

Trivium

Trivium Hardware



Trivium

Trivium

Parameters:
  Key size: 80 bit, IV size: 80 bit, Internal state: 288 bit
  Three coupled FSRs of degrees 93, 84, and 111.
Initialization:
  80-bit key in the left-most registers of the first FSR
  80-bit IV in the left-most registers of the second FSR
  Remaining registers set to 0, except for the three right-most registers of the third FSR (all 1s)
  Run for 4 × 288 clock ticks to finish initialization

https://www.ecrypt.eu.org/stream/p3ciphers/trivium/trivium_p3.pdf

Trivium

Trivium-Initialization

For i = 1 to 4 × 288 do
  1. t1 ← s66 + s91 s92 + s93 + s171
  2. t2 ← s162 + s175 s176 + s177 + s264
  3. t3 ← s243 + s286 s287 + s288 + s69
  4. (s1, s2, . . . , s93) ← (t3, s1, . . . , s92)
  5. (s94, s95, . . . , s177) ← (t1, s94, . . . , s176)
  6. (s178, s179, . . . , s288) ← (t2, s178, . . . , s287)

Note: no random bits output. This is just initialization.

Trivium

Trivium-Iteration

For i = 1 to N (≤ 2^64) do
  1. t1 ← s66 + s93
  2. t2 ← s162 + s177
  3. t3 ← s243 + s288
  4. z_i ← t1 + t2 + t3        (1 bit of keystream)
  5. t1 ← t1 + s91 s92 + s171
  6. t2 ← t2 + s175 s176 + s264
  7. t3 ← t3 + s286 s287 + s69
  8. (s1, s2, . . . , s93) ← (t3, s1, . . . , s92)
  9. (s94, s95, . . . , s177) ← (t1, s94, . . . , s176)
  10. (s178, s179, . . . , s288) ← (t2, s178, . . . , s287)
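The two pseudo-code listings (initialization and iteration) translate almost line by line into Python. The following added example (mine, not the eSTREAM reference code) keeps a 1-indexed list so that `s[i]` is the slide's s_i. How the 80 key bits and 80 IV bits are ordered into s1..s80 and s94..s173 is an assumption of this example (bit i goes to position 1+i), so its output is not bit-compatible with the reference implementation's test vectors, but the register lengths, the tap positions, the 4 × 288 warm-up and the keystream equation are exactly those of the slides.

```python
# Added example, not from the lecture: Trivium as in the pseudo-code, with a
# 1-indexed state list so that s[i] is the slide's s_i (s[0] is unused).

def _rotate(s, t1, t2, t3):
    """Shift the three registers by one position, feeding t3, t1, t2 into
    positions 1, 94 and 178 (steps 4-6 of initialization, 8-10 of iteration)."""
    s[1:94] = [t3] + s[1:93]          # (s1 ... s93)    <- (t3, s1 ... s92)
    s[94:178] = [t1] + s[94:177]      # (s94 ... s177)  <- (t1, s94 ... s176)
    s[178:289] = [t2] + s[178:288]    # (s178 ... s288) <- (t2, s178 ... s287)


def trivium_load(key_bits, iv_bits):
    """Key into s1..s80, IV into s94..s173, all else 0 except s286..s288 = 1.
    Bit order inside key/IV (bit i -> s_{1+i}) is this example's assumption."""
    if len(key_bits) != 80 or len(iv_bits) != 80:
        raise ValueError("Trivium uses an 80-bit key and an 80-bit IV")
    s = [0] * 289
    s[1:81] = list(key_bits)
    s[94:174] = list(iv_bits)
    s[286] = s[287] = s[288] = 1
    return s


def trivium_init(key_bits, iv_bits):
    """Load the registers, then clock 4 x 288 times without producing output."""
    s = trivium_load(key_bits, iv_bits)
    for _ in range(4 * 288):
        t1 = s[66] ^ (s[91] & s[92]) ^ s[93] ^ s[171]
        t2 = s[162] ^ (s[175] & s[176]) ^ s[177] ^ s[264]
        t3 = s[243] ^ (s[286] & s[287]) ^ s[288] ^ s[69]
        _rotate(s, t1, t2, t3)
    return s


def trivium_keystream(s, nbits):
    """Produce nbits of keystream z_1 .. z_n, updating the state in place."""
    z = []
    for _ in range(nbits):
        t1 = s[66] ^ s[93]
        t2 = s[162] ^ s[177]
        t3 = s[243] ^ s[288]
        z.append(t1 ^ t2 ^ t3)                     # one keystream bit
        t1 ^= (s[91] & s[92]) ^ s[171]
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        _rotate(s, t1, t2, t3)
    return z


def trivium_crypt(key_bits, iv_bits, data_bits):
    """Bitwise XOR of the message with the keystream (encrypt == decrypt)."""
    s = trivium_init(key_bits, iv_bits)
    return [m ^ k for m, k in zip(data_bits, trivium_keystream(s, len(data_bits)))]


if __name__ == "__main__":
    zero = [0] * 80
    print("".join(map(str, trivium_keystream(trivium_init(zero, zero), 64))))
```

The state update is a bijection (s288 is the only bit shifted out and t3 lets you recover it), so a nonzero loaded state can never collapse to all zeros; the three fixed 1 bits guarantee the all-zero key/IV still yields a nonzero state after the warm-up.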

Salsa20/20

Salsa20/20

Designed by Daniel J. Bernstein in 2005


It is based on three simple operations:
  modular addition of 32-bit words a and b mod 2^32, denoted by a ⊞ b,
  XOR-sum of 32-bit words a and b, denoted by a ⊕ b,
  circular left shift of a 32-bit word a by t positions, denoted by a ≪ t.

The Salsa20/20 cipher takes a 256-bit key, a 64-bit nonce and a 64-bit counter.

The state array S of Salsa20 is a 4 × 4 matrix of sixteen 32-bit words⁴.

⁴ Strings are interpreted in little-endian notation.
Salsa20/20

Salsa20/20

The state array S:

    S = [ y0   y1   y2   y3
          y4   y5   y6   y7
          y8   y9   y10  y11
          y12  y13  y14  y15 ]

Salsa20 is based on quarter-rounds, row-rounds and column-rounds.
The quarter-rounds operate on four words, the row-rounds transform the four rows and the column-rounds transform the four columns of the state matrix.



Salsa20/20

Salsa20/20: Quarter-round



Salsa20/20

Salsa20/20: Row-round

 
    row-round(S) = [ z0   z1   z2   z3
                     z4   z5   z6   z7
                     z8   z9   z10  z11
                     z12  z13  z14  z15 ],

where
(z0, z1, z2, z3) = quarter-round(y0, y1, y2, y3),
(z5, z6, z7, z4) = quarter-round(y5, y6, y7, y4),
(z10, z11, z8, z9) = quarter-round(y10, y11, y8, y9),
(z15, z12, z13, z14) = quarter-round(y15, y12, y13, y14).



Salsa20/20

Salsa20/20: Column-round

The column-round function is the transpose of the row-round function: the words in the columns are permuted, the quarter-round map is applied to each of the columns and the permutation is reversed.

Let S be a state matrix as above; then

column-round(S) = (row-round(S^T))^T.

Salsa20/20

Salsa20/20: Double-round

A double-round is the composition of a column-round and a row-round.

Let S be a state matrix as above; then

double-round(S) = row-round(column-round(S)).

Salsa20 runs 10 successive double-rounds, i.e., 20 rounds (column- and row-rounds), in order to generate 64 bytes of output.
The initial state depends on the key, a nonce and a counter.

Salsa20/20

Salsa20/20

The Salsa20/20 stream cipher takes a 256-bit key k = (k1, . . . , k8) and a unique 64-bit message number n = (n1, n2) (nonce) as input.
A 64-bit block counter b = (b1, b2) is initially set to zero.
The initialization algorithm copies k, n, b and the four 32-bit constants (in hexadecimal)

y0 = 61707865, y5 = 3320646E, y10 = 79622D32, and y15 = 6B206574

into the sixteen 32-bit words of the Salsa20 state matrix.

Salsa20/20

Salsa20/20
The state array S:

    S = [ y0   k1   k2   k3
          k4   y5   n1   n2
          b1   b2   y10  k5
          k6   k7   k8   y15 ]

The key stream generator computes the output state by 10 double-round iterations and a final addition mod 2^32 of the initial state matrix:

Salsa20_k(n, b) = S + double-round^10(S).
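The added Python below (an example for this page, not code from the slides or from Bernstein's reference implementation) implements the Salsa20 pieces defined on the preceding slides: row-round, column-round as the transposed row-round, double-round, and Salsa20_k(n, b) = S + double-round^10(S) with the state laid out exactly as in the matrix above and all words little-endian. The quarter-round itself appears on the slides only as a figure; the code uses Bernstein's published definition of it, and the checks use the quarterround, rowround and columnround examples from his specification.

```python
# Added example, not from the lecture: Salsa20/20 built from quarter-round,
# row-round, column-round (transposed row-round) and double-round.
import struct

MASK = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # y0, y5, y10, y15


def rotl(a, t):
    """Circular left shift a <<< t of a 32-bit word."""
    return ((a << t) | (a >> (32 - t))) & MASK


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarter-round (Bernstein's definition; the slide shows it as a figure).
    Each step is: word ^= rotl(sum of the two previous words mod 2^32, shift)."""
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def rowround(y):
    """The four quarter-rounds of the row-round slide, with its word rotations."""
    z = [0] * 16
    z[0], z[1], z[2], z[3] = quarterround(y[0], y[1], y[2], y[3])
    z[5], z[6], z[7], z[4] = quarterround(y[5], y[6], y[7], y[4])
    z[10], z[11], z[8], z[9] = quarterround(y[10], y[11], y[8], y[9])
    z[15], z[12], z[13], z[14] = quarterround(y[15], y[12], y[13], y[14])
    return z


def transpose(y):
    """S^T for a 4x4 matrix stored row-major in a 16-entry list."""
    return [y[4 * c + r] for r in range(4) for c in range(4)]


def columnround(y):
    """column-round(S) = (row-round(S^T))^T."""
    return transpose(rowround(transpose(y)))


def doubleround(y):
    """double-round(S) = row-round(column-round(S))."""
    return rowround(columnround(y))


def salsa20_block(key, nonce, counter):
    """Salsa20_k(n, b) = S + double-round^10(S) as 64 bytes, with the slide's
    layout: constants on the diagonal, key words around them, nonce and
    64-bit counter in the middle. key: 32 bytes, nonce: 8 bytes."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20/20 takes a 256-bit key and a 64-bit nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    b = struct.unpack("<2I", struct.pack("<Q", counter))
    s = [SIGMA[0], k[0], k[1], k[2],
         k[3], SIGMA[1], n[0], n[1],
         b[0], b[1], SIGMA[2], k[4],
         k[5], k[6], k[7], SIGMA[3]]
    w = s
    for _ in range(10):
        w = doubleround(w)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(w, s)))


def salsa20_xor(key, nonce, data):
    """Encrypt/decrypt by XORing successive 64-byte keystream blocks."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64)
        out.extend(m ^ k for m, k in zip(data[off:off + 64], ks))
    return bytes(out)


if __name__ == "__main__":
    print(salsa20_block(bytes(range(32)), bytes(8), 0).hex())
```

The final addition of the initial state is what keeps the core from being invertible: without it, an observer holding a 64-byte block could run the 20 rounds backwards and read the key words straight out of S.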

ChaCha20 is a modification of Salsa20


Salsa20/20

ChaCha20

ChaCha20 is a stream cipher intended to be extremely efficient in software, introduced in 2008.

It is not an eSTREAM candidate! “Post-eSTREAM cryptography”

It is available as a replacement for RC4 in many systems.

It is combined with the Poly1305 message authentication code to construct an authenticated encryption (AE) scheme widely used in the TLS protocol.



Salsa20/20

ChaCha20 Quarter-round

Let y = (a, b, c, d) be a sequence of four 32-bit words.

Then a ChaCha quarter-round updates (a, b, c, d) as follows (additions mod 2^32, ≪ the circular left shift):

(i) a ← a + b; d ← d ⊕ a; d ← d ≪ 16;
(ii) c ← c + d; b ← b ⊕ c; b ← b ≪ 12;
(iii) a ← a + b; d ← d ⊕ a; d ← d ≪ 8;
(iv) c ← c + d; b ← b ⊕ c; b ← b ≪ 7;



Salsa20/20

ChaCha20 Double-round
ChaCha20 also runs 10 double-rounds.
However, a ChaCha double-round consists of a column-round and a diagonal-round.
A ChaCha double-round is defined by the 8 ChaCha quarter-rounds

column-round:   quarter-round(y0, y4, y8, y12)
                quarter-round(y1, y5, y9, y13)
                quarter-round(y2, y6, y10, y14)
                quarter-round(y3, y7, y11, y15)

diagonal-round: quarter-round(y0, y5, y10, y15)
                quarter-round(y1, y6, y11, y12)
                quarter-round(y2, y7, y8, y13)
                quarter-round(y3, y4, y9, y14)



Salsa20/20

ChaCha20
The state array S:

    S = [ y0   y1   y2   y3
          k1   k2   k3   k4
          k5   k6   k7   k8
          b    n1   n2   n3 ]

The ChaCha20 stream cipher takes a 256-bit key k = (k1, . . . , k8) and a unique 96-bit message number n = (n1, n2, n3) (nonce) as input.
A 32-bit block counter b is initially set to zero, and the four 32-bit constants (in hexadecimal)

y0 = 61707865, y1 = 3320646E, y2 = 79622D32, y3 = 6B206574

occupy the first row. As for Salsa20,

ChaCha_k(n, b) = S + double-round^10(S).
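The added Python below (an example for this page, not code from the slides) implements the ChaCha20 quarter-round of steps (i)-(iv), the column/diagonal double-round and the block function ChaCha_k(n, b) = S + double-round^10(S) with the state layout just shown, all words little-endian as the Salsa20 footnote says. It is checked against the quarter-round and block-function examples of RFC 7539, which specifies exactly this 96-bit-nonce, 32-bit-counter variant. The same (key, nonce, counter) always produces the same keystream block, which is the practical reason the slide calls the nonce a unique message number.

```python
# Added example, not from the lecture: ChaCha20 quarter-round, double-round
# (column-round + diagonal-round) and block function, per the slides / RFC 7539.
import struct

MASK = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # y0 .. y3


def rotl(a, t):
    """Circular left shift a <<< t of a 32-bit word."""
    return ((a << t) | (a >> (32 - t))) & MASK


def quarter_round(a, b, c, d):
    """Steps (i)-(iv) of the slide; every addition is mod 2^32."""
    a = (a + b) & MASK; d = rotl(d ^ a, 16)
    c = (c + d) & MASK; b = rotl(b ^ c, 12)
    a = (a + b) & MASK; d = rotl(d ^ a, 8)
    c = (c + d) & MASK; b = rotl(b ^ c, 7)
    return a, b, c, d


COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def double_round(y):
    """Column-round then diagonal-round: the 8 quarter-rounds listed on the slide.
    Updates the 16-word list in place and returns it."""
    for idx in COLUMNS + DIAGONALS:
        y[idx[0]], y[idx[1]], y[idx[2]], y[idx[3]] = quarter_round(*(y[i] for i in idx))
    return y


def chacha20_block(key, counter, nonce):
    """ChaCha_k(n, b) = S + double-round^10(S) as 16 little-endian 32-bit words.
    key: 32 bytes, nonce: 12 bytes, counter: 32-bit block number."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 takes a 256-bit key and a 96-bit nonce")
    s = (list(CONSTANTS) + list(struct.unpack("<8I", key))
         + [counter & MASK] + list(struct.unpack("<3I", nonce)))
    w = s[:]
    for _ in range(10):
        double_round(w)
    return [(x + y) & MASK for x, y in zip(w, s)]


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt by XORing successive 64-byte keystream blocks
    (RFC 7539 starts the counter at 1 for the encryption function)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = struct.pack("<16I", *chacha20_block(key, counter + off // 64, nonce))
        out.extend(m ^ k for m, k in zip(data[off:off + 64], ks))
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(32))
    nonce = bytes([0, 0, 0, 9, 0, 0, 0, 0x4A, 0, 0, 0, 0])
    print(struct.pack("<16I", *chacha20_block(key, 1, nonce)).hex())
```

Compared with the Salsa20 layout, ChaCha20 keeps all four constants in the first row and the key in rows two and three, so each column-round mixes one constant, two key words and one counter/nonce word in a single quarter-round.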

Stream Ciphers

Stream ciphers were popular in the past
  Efficient in hardware
  Speed was needed to keep up with voice, etc.
  Today, processors are fast, so software-based crypto is usually more than fast enough
Future of stream ciphers?
  Shamir declared “the death of stream ciphers”
  May be greatly exaggerated . . .



References

S. W. Golomb,
Shift Register Sequences, Aegean Park Press, 1982.

Andreas Klein,
Stream Ciphers, Springer, 2013.

Alfred J. Menezes, Paul C. van Oorschot & Scott A. Vanstone,
Handbook of Applied Cryptography, CRC Press, 1996.

R. A. Rueppel,
Analysis and Design of Stream Ciphers, Springer, 1986.

Mark Stamp,
Information Security: Principles and Practice, John Wiley & Sons, Inc., 2011.



The End

Thank you very much for your attention!
