
Lecture 10

Stream Ciphers

Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl


Content of this Chapter

• Intro to stream ciphers


• Random number generators (RNGs)
• One-Time Pad (OTP)
• Linear feedback shift registers (LFSRs)
• Trivium: a modern stream cipher





 Stream Ciphers in the Field of Cryptology

Cryptology
  ├ Cryptography
  │   ├ Symmetric Ciphers
  │   │   ├ Block Ciphers
  │   │   └ Stream Ciphers
  │   ├ Asymmetric Ciphers
  │   └ Protocols
  └ Cryptanalysis

Stream ciphers were invented in 1917 by Gilbert Vernam.


 Stream Cipher vs. Block Cipher

• Stream ciphers
  • Encrypt bits individually
  • Usually small and fast → common in embedded devices (e.g., A5/1 for GSM phones; note that A5/1 itself has since been practically broken, so "small and fast" says nothing about security)

• Block ciphers
  • Always encrypt a full block (several bits, e.g., 128 bits for AES)
  • Are common for Internet applications


 Encryption and Decryption with Stream Ciphers
Plaintext xi, ciphertext yi and key stream si consist of individual bits, xi, yi, si ∈ {0,1}

• Encryption and decryption are simple additions modulo 2 (aka XOR)
• Encryption and decryption are the same function, since (xi + si) + si = xi mod 2
• Encryption: yi = e_si(xi) = xi + si mod 2
• Decryption: xi = d_si(yi) = yi + si mod 2


 Synchronous vs. Asynchronous Stream Cipher

• Security of a stream cipher depends entirely on the key stream si:
  • It should look random, i.e., Pr(si = 0) = Pr(si = 1) = 0.5, and be unpredictable
  • It must be reproducible by sender and receiver

• Synchronous stream cipher
  • Key stream depends only on the key (and possibly an initialization vector IV)

• Asynchronous (self-synchronizing) stream cipher
  • Key stream depends also on the ciphertext (a feedback path from the ciphertext into the key-stream generator)
 Why is Modulo 2 Addition a Good Encryption Function?

• Modulo 2 addition is equivalent to the XOR operation
• For a perfectly random key stream si, each ciphertext output bit has a 50% chance to be 0 or 1, regardless of the plaintext bit
  → Good statistical property for the ciphertext
• Inverting XOR is simple, since it is the same XOR operation

 xi   si   yi = xi ⊕ si
  0    0    0
  0    1    1
  1    0    1
  1    1    0


 Stream Cipher: Throughput

Performance comparison of symmetric ciphers (Pentium 4):

Cipher                 Key length (bit)   Throughput (Mbit/s)
DES                    56                 36.95
3DES                   112                13.32
AES                    128                51.19
RC4 (stream cipher)    variable           211.34

Source: Zhao et al., Anatomy and Performance of SSL Processing, ISPASS 2005

Caveat: RC4's speed advantage no longer justifies its use. Its key stream has statistical biases, and RFC 7465 prohibits RC4 cipher suites in TLS.




 Random number generators (RNGs)

RNG
  ├ True RNG (TRNG)
  ├ Pseudorandom NG (PRNG)
  └ Cryptographically Secure PRNG (CSPRNG)


 True Random Number Generators (TRNGs)

• Based on physical random processes: coin flipping, dice rolling, semiconductor


noise, radioactive decay, mouse movement, clock jitter of digital circuits
• Output stream si should have good statistical properties:
Pr(si = 0) = Pr(si = 1) = 50% (often achieved by post-processing)
• Output can neither be predicted nor be reproduced

Typically used for the generation of keys, nonces (values used only once) and for many other purposes


 Pseudorandom Number Generator (PRNG)

• Generate sequences from initial seed value


• Typically, output stream has good statistical properties
• Output can be reproduced and can be predicted
Often computed in a recursive way:

s0 = seed
s_{i+1} = f(si, s_{i−1}, ..., s_{i−t})

Example: rand() function in ANSI C (a linear congruential generator):

s0 = 12345
s_{i+1} = 1103515245 · si + 12345 mod 2^31
i = 0, 1, 2, ...

Most PRNGs have bad cryptographic properties!
 Cryptanalyzing a Simple PRNG
Simple PRNG: Linear Congruential Generator (LCG)

S0 = seed
S_{i+1} = A · Si + B mod m

Assume
• unknown A, B and S0 as the key (the modulus m is known)
• size of A, B and Si to be 100 bit
• 300 bit of output are known, i.e., S1, S2 and S3

Solving the two linear equations

S2 = A · S1 + B mod m
S3 = A · S2 + B mod m

directly reveals A and B: A = (S3 − S2) · (S2 − S1)^−1 mod m and B = S2 − A · S1 mod m (provided S2 − S1 is invertible modulo m; otherwise a few more outputs suffice). All Si can then be computed easily!

Bad cryptographic properties due to the linearity of most PRNGs
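The rand() recurrence and the LCG attack from the two slides above, as one added example that is not part of the lecture slides: an LCG with the ANSI C constants, and the recovery of (A, B) from three consecutive outputs when the modulus m is known, followed by prediction of the following outputs. The seeds, the prime modulus used in the second demo, and the function names are constructed for this illustration.

```python
# Added example, not from the slides: the linear congruential generator (LCG)
# S_{i+1} = A*S_i + B mod m from the rand() slide, and the attack from the
# cryptanalysis slide that recovers (A, B) from three consecutive outputs when
# the modulus m is known. Parameter values are constructed for illustration.

ANSI_A = 1103515245   # multiplier of the ANSI C reference rand()
ANSI_B = 12345        # increment of the ANSI C reference rand()
ANSI_M = 1 << 31


def lcg_outputs(seed, a, b, m, n):
    """Return the first n outputs S_1..S_n of S_{i+1} = a*S_i + b mod m, S_0 = seed."""
    out, s = [], seed
    for _ in range(n):
        s = (a * s + b) % m
        out.append(s)
    return out


def recover_lcg_params(s1, s2, s3, m):
    """Recover (A, B) from consecutive outputs S1, S2, S3 of an LCG with known m.

    S2 = A*S1 + B and S3 = A*S2 + B (mod m) give S3 - S2 = A*(S2 - S1) (mod m), so
    A = (S3 - S2) * (S2 - S1)^-1 mod m and B = S2 - A*S1 mod m.
    Returns None when S2 - S1 is not invertible mod m (for m = 2^31 that is an
    even difference); the attacker then simply waits for a usable triple.
    """
    d = (s2 - s1) % m
    try:
        d_inv = pow(d, -1, m)            # modular inverse (Python >= 3.8)
    except ValueError:
        return None
    a = ((s3 - s2) * d_inv) % m
    b = (s2 - a * s1) % m
    return a, b


def predict_following(s_last, a, b, m, n):
    """Predict the next n outputs after s_last once (a, b) are known."""
    return lcg_outputs(s_last, a, b, m, n)


def demo(seed=12345, a=ANSI_A, b=ANSI_B, m=ANSI_M):
    """Attacker sees S1..S3, recovers the key (a, b) and predicts S4..S6.

    Returns (key recovered correctly?, prediction correct?) or None if the
    observed triple was unusable.
    """
    observed = lcg_outputs(seed, a, b, m, 6)
    params = recover_lcg_params(*observed[:3], m)
    if params is None:
        return None
    predicted = predict_following(observed[2], *params, m, 3)
    return params == (a, b), predicted == observed[3:]
```

With the slide's own rand() parameters and seed the difference S2 − S1 happens to be odd, so the three-output attack succeeds even though 2^31 is not prime; the None branch shows the one case a practitioner must handle.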
 Cryptographically Secure Pseudorandom Number Generator (CSPRNG)

• Special PRNG with an additional property:
  • Output must be unpredictable

More precisely: given n consecutive output bits s1, ..., sn, the next output bit s_{n+1} cannot be predicted (with probability noticeably better than 1/2) in polynomial time.

• Needed in cryptography, in particular for stream ciphers

• Remark: almost no other applications need unpredictability, whereas many, many (technical) systems need PRNGs. A PRNG that is fine for simulation or testing, such as rand(), is not a CSPRNG.




 One-Time Pad (OTP)

Unconditionally secure cryptosystem:
• A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources

One-Time Pad
• A cryptosystem developed by Mauborgne that is based on Vernam's stream cipher
• Properties:
  Let the plaintext, ciphertext and key consist of individual bits xi, yi, ki ∈ {0,1}.

  Encryption: e_ki(xi) = xi ⊕ ki
  Decryption: d_ki(yi) = yi ⊕ ki

The OTP is unconditionally secure if and only if the key bits ki are truly random, kept secret, and each key bit is used only once!


 One-Time Pad (OTP), continued

Why it is unconditionally secure:

y0 = x0 ⊕ k0
y1 = x1 ⊕ k1
:
Every equation is a linear equation with two unknowns
⇒ for every observed yi, xi = 0 and xi = 1 are equiprobable!
This is true iff k0, k1, ... are independent and uniform, i.e., all ki have to be generated in a truly random manner
⇒ It can be shown that this system provably cannot be solved.

Disadvantage: for almost all applications the OTP is impractical, since the key must be as long as the message! (Imagine you have to encrypt a 1 GByte email attachment.)

Reusing key bits destroys the security: if ki is used for two plaintext bits xi and xj, then yi ⊕ yj = xi ⊕ xj, and the key has cancelled out.
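The OTP as described on the two slides above, as an added example that is not part of the lecture slides: a byte-wise one-time pad keyed from the operating system's random source, and a demonstration of what goes wrong when the "one time" rule is broken (a reused pad leaks x1 ⊕ x2, and one known plaintext then reveals the other). The messages and function names are constructed for this illustration.

```python
import secrets

# Added example, not from the slides: a byte-wise one-time pad and the
# "two-time pad" failure that results from reusing a key. Messages below are
# constructed for illustration.


def xor_bytes(a, b):
    """XOR two equal-length byte strings (bit-wise modulo-2 addition)."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length):
    """Fresh truly random key, as long as the message, from the OS CSPRNG."""
    return secrets.token_bytes(length)


def otp_encrypt(key, plaintext):
    """y = x XOR k; the key must be at least as long as the message."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the message")
    return xor_bytes(plaintext, key[:len(plaintext)])


otp_decrypt = otp_encrypt   # decryption is the same XOR


def two_time_pad_leak(c1, c2):
    """If one key encrypted both messages, c1 XOR c2 = x1 XOR x2: the key cancels."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_other_plaintext(c1, c2, known_x1):
    """Known-plaintext attack on a reused pad: x2 = c1 XOR c2 XOR x1."""
    n = min(len(c1), len(c2), len(known_x1))
    return xor_bytes(two_time_pad_leak(c1[:n], c2[:n]), known_x1[:n])
```

Note that otp_keygen must use a true or cryptographically secure source; seeding a plain PRNG such as rand() with a short seed turns the OTP into a weak stream cipher whose effective key is just the seed.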




 Linear Feedback Shift Registers (LFSRs)

• Concatenated flip-flops (FF), i.e., a shift register together with a feedback path
• Feedback computes the fresh input bit as the XOR of certain state bits
• Degree m is given by the number of storage elements
• If pi = 1, the feedback connection is present ("closed switch"), otherwise there is no feedback from this flip-flop ("open switch")
• Output sequence repeats periodically
• Maximum output period: 2^m − 1 (the all-zero state is excluded, since it reproduces itself forever)
 Linear Feedback Shift Registers (LFSRs): Example with m = 3

• Feedback from FF0 and FF1 (p0 = p1 = 1, p2 = 0); the LFSR output is described by the linear recurrence

  s_{i+3} = s_{i+1} + si mod 2

• Characteristic polynomial: x^3 + x + 1
• Maximum output length (2^3 − 1 = 7) is achieved only for certain feedback configurations, e.g., the one shown here

clk   FF2   FF1   FF0 = si
 0     1     0     0
 1     0     1     0
 2     1     0     1
 3     1     1     0
 4     1     1     1
 5     0     1     1
 6     0     0     1
 7     1     0     0
 8     0     1     0
 LFSR Continued: general form

An LFSR of degree m with feedback coefficients C0, ..., C_{m−1} ∈ {0,1} produces the output sequence z0, z1, ..., zi, ..., where each new bit is a linear combination of the previous m bits:

z_{i+m} = C_{m−1} z_{i+m−1} + ... + C1 z_{i+1} + C0 zi mod 2

For m = 3 this gives
Z3 = C0 Z0 + C1 Z1 + C2 Z2
Z4 = C0 Z1 + C1 Z2 + C2 Z3
Z5 = C0 Z2 + C1 Z3 + C2 Z4

 Polynomial

The feedback configuration is written as the characteristic polynomial P(x) = x^m + C_{m−1} x^{m−1} + ... + C1 x + C0. Examples for m = 4:

(C3 = 0, C2 = 0, C1 = 1, C0 = 1) ⇒ P(x) = x^4 + x + 1 (no x^3, x^2 terms because C3 = C2 = 0)
(C3 = 1, C2 = 1, C1 = 1, C0 = 1) ⇒ P(x) = x^4 + x^3 + x^2 + x + 1


 Security of LFSRs
LFSRs are typically described by polynomials:

P(x) = x^m + p_{m−1} x^{m−1} + ... + p1 x + p0

• Single LFSRs generate highly predictable output
• If 2m consecutive output bits of an LFSR of degree m are known, the feedback coefficients pi can be found by solving a system of m linear equations over GF(2): each known bit s_{i+m} = p0 si + p1 s_{i+1} + ... + p_{m−1} s_{i+m−1} mod 2 gives one equation in the m unknowns pj
• Because of this, many stream ciphers use combinations of LFSRs
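The m = 3 example and the attack on the "Security of LFSRs" slide, as one added example that is not part of the lecture slides: an LFSR simulator in the slides' notation (taps p0..p_{m−1}, state s0..s_{m−1}), a period measurement, and the recovery of the taps from 2m consecutive output bits by Gaussian elimination over GF(2). It goes slightly beyond the slide by also handling the case where the 2m bits do not determine the taps uniquely. The tap vectors and initial states are constructed for this illustration.

```python
# Added example, not from the slides: simulate an LFSR of degree m, measure its
# period, and recover the feedback coefficients p_0..p_{m-1} from 2m consecutive
# output bits by solving a linear system over GF(2), as the slide describes.
# Tap vectors and initial states used below are constructed for illustration.


def lfsr_sequence(taps, state, n):
    """First n output bits of an LFSR.

    taps:  [p_0, ..., p_{m-1}], p_j = 1 if flip-flop j feeds back ("closed switch")
    state: initial bits [s_0, ..., s_{m-1}]
    New bit: s_{i+m} = sum_j p_j * s_{i+j} mod 2.
    """
    m = len(taps)
    s = list(state)
    while len(s) < n:
        window = s[-m:]                                   # s_i .. s_{i+m-1}
        s.append(sum(p & b for p, b in zip(taps, window)) & 1)
    return s[:n]


def lfsr_period(taps, state):
    """Length of the repeating output pattern (at most 2^m - 1 for a non-zero state)."""
    m = len(taps)
    seq = lfsr_sequence(taps, state, 2 ** (m + 1))
    for p in range(1, 2 ** m + 1):
        if all(seq[i] == seq[i + p] for i in range(2 ** m)):
            return p
    return None


def solve_gf2(rows, rhs):
    """Solve M * p = r over GF(2) by Gaussian elimination.

    Returns the unique solution as a list of bits, or None if the system has no
    unique solution (the attacker then needs a different window of output).
    """
    n = len(rows[0])
    a = [row[:] + [r] for row, r in zip(rows, rhs)]      # augmented matrix
    for col in range(n):
        pivot = next((i for i in range(col, len(a)) if a[i][col]), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        for i in range(len(a)):
            if i != col and a[i][col]:
                a[i] = [x ^ y for x, y in zip(a[i], a[col])]
    return [a[i][n] for i in range(n)]


def recover_taps(bits, m):
    """Recover [p_0, ..., p_{m-1}] from at least 2m consecutive output bits.

    Each known bit s_{i+m} (i = 0..m-1) gives one linear equation
    s_{i+m} = p_0 s_i + p_1 s_{i+1} + ... + p_{m-1} s_{i+m-1} mod 2.
    """
    if len(bits) < 2 * m:
        raise ValueError("need at least 2m output bits")
    rows = [bits[i:i + m] for i in range(m)]
    rhs = [bits[i + m] for i in range(m)]
    return solve_gf2(rows, rhs)


def predict(bits, m, n):
    """Recover the taps from the first 2m bits, then extend the sequence to n bits."""
    taps = recover_taps(bits, m)
    if taps is None:
        return None
    return lfsr_sequence(taps, bits[:m], n)
```

For the slide's x^3 + x + 1 register (taps [1, 1, 0], initial state [0, 0, 1]) the FF0 column of the table is reproduced, the period is 7, and six output bits already give back the taps; x^3 + x^2 + x + 1 (taps [1, 1, 1]) shows a non-maximal period from the same start state.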


• Linear feedback shift registers are widely used in key-stream generators
• Unfortunately, the output sequences of LFSRs are also easily predictable
• Nevertheless, LFSRs are desirable because of their very low implementation cost
• Three general methodologies for destroying the linearity properties of LFSRs are the following:
  • a nonlinear combining function on the outputs of several LFSRs
  • a nonlinear filtering function on the contents of a single LFSR
  • one (or more) LFSRs used to control the clock of one (or more) other LFSRs (as in A5/1)


 A Modern Stream Cipher: Trivium

• Three shift registers of length 93, 84 and 111 bits, coupled through nonlinear (AND) feedback, i.e., nonlinear feedback shift registers (NLFSRs)
• XOR sum of all three register outputs generates the key stream si
• Small in hardware:
  • Total register count: 288
  • Non-linearity: 3 AND gates
  • 10 + 1 (encryption) XOR gates
 Trivium

Initialization:
• Load the 80-bit IV into A
• Load the 80-bit key into B
• Set c109, c110, c111 = 1, all other bits 0
Warm-up:
• Clock the cipher 4 × 288 = 1152 times without generating output
Encryption:
• XOR sum of all three register outputs generates the key stream si, which is XORed with the plaintext

The design can be parallelized to produce up to 64 bits of output per clock cycle

Register   Length   Feedback bit   Feedforward bit   AND inputs
A          93       69             66                91, 92
B          84       78             69                82, 83
C          111      87             66                109, 110

Reading the table: the feedforward bit is XORed with the register's last bit to form the register's output; the AND inputs are the two bits whose product is added to that output before it is fed into the next register; the feedback bit is the register's own bit that is XORed into its input together with the output of the preceding register.

Caveat: the description above loads the IV into A and the key into B; the eSTREAM reference specification of Trivium does the opposite (key into A, IV into B). The structure is the same either way, but an implementation must follow the specification's loading order and bit conventions to interoperate with other Trivium implementations.
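The initialization, warm-up and key-stream generation described above, as an added example that is not part of the lecture slides: a bit-level Trivium with the register parameters from the table, using the eSTREAM reference loading order (key into A, IV into B), plus a byte-oriented encrypt/decrypt wrapper. The byte-to-bit mapping of the wrapper and the function names are assumptions of this example, so bit-exact agreement with published test vectors is not claimed; the test messages are constructed.

```python
# Added example, not from the slides: a bit-level Trivium implementation with
# the register parameters from the table (A: 93, B: 84, C: 111; feedback bits
# 69/78/87; feedforward bits 66/69/66; AND inputs 91,92 / 82,83 / 109,110).
# Loading order follows the eSTREAM reference (key into A, IV into B). The
# byte-to-bit mapping in the wrapper is an assumption of this example.


def trivium_keystream(key_bits, iv_bits, n):
    """Return n key-stream bits for an 80-bit key and IV given as lists of 0/1.

    State s[1..288]: A = s[1..93], B = s[94..177], C = s[178..288]; s[0] unused.
    """
    if len(key_bits) != 80 or len(iv_bits) != 80:
        raise ValueError("key and IV must be 80 bits each")
    s = ([0] + list(key_bits) + [0] * 13        # A: key, zero padded to 93
         + list(iv_bits) + [0] * 4              # B: IV, zero padded to 84
         + [0] * 108 + [1, 1, 1])               # C: zero except c109..c111 = 1
    assert len(s) == 289

    def clock():
        # feedforward: a66^a93, b69^b84, c66^c111; their XOR sum is the key-stream bit
        t1 = s[66] ^ s[93]
        t2 = s[162] ^ s[177]
        t3 = s[243] ^ s[288]
        z = t1 ^ t2 ^ t3
        # AND inputs (a91 a92, b82 b83, c109 c110) and feedback bits (b78, c87, a69)
        t1 ^= (s[91] & s[92]) ^ s[171]
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        # shift each register by one position, feeding in the new bit
        s[1:94] = [t3] + s[1:93]
        s[94:178] = [t1] + s[94:177]
        s[178:289] = [t2] + s[178:288]
        return z

    for _ in range(4 * 288):                    # warm-up: 1152 clocks, no output
        clock()
    return [clock() for _ in range(n)]


def bytes_to_bits(data):
    """MSB-first bit list (convention chosen for this example)."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def trivium_crypt(key, iv, data):
    """Encrypt or decrypt (same operation): data XOR key stream."""
    if len(key) != 10 or len(iv) != 10:
        raise ValueError("key and IV must be 10 bytes (80 bits) each")
    ks = trivium_keystream(bytes_to_bits(key), bytes_to_bits(iv), 8 * len(data))
    return bits_to_bytes([d ^ k for d, k in zip(bytes_to_bits(data), ks)])
```

As with every synchronous stream cipher, the (key, IV) pair must never be reused for two messages: the same key stream would be produced and the two-time-pad leak from the OTP discussion applies unchanged.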


 Some Comments

• Note that the AND operation is equal to multiplication in modulo 2 arithmetic. If


we multiply two unknowns, and the register contents are the unknowns that an
attacker wants to recover, the resulting equations are no longer linear as they
contain products of two unknowns.
• Almost all modern stream ciphers have two input parameters: a key k and an
initialization vector IV . The former is the regular key that is used in every
symmetric crypto system. The IV serves as a randomizer and should take a
new value for every encryption session. It is important to note that the IV does
not have to be kept secret, it merely must change for every session. Such values
are often referred to as nonces, which stands for “number used once”. Its
main purpose is that two key streams produced by the cipher should be
different, even though the key has not changed.



 Lessons Learned
• Stream ciphers are less popular than block ciphers in most domains such as Internet security. There are exceptions, for instance the once-popular stream cipher RC4 (now deprecated: RFC 7465 prohibits it in TLS because of biases in its key stream).

• Stream ciphers sometimes require fewer resources, e.g., code size or chip area, for implementation than block ciphers, and they are attractive for use in constrained environments such as cell phones.

• The requirements for a cryptographically secure pseudorandom number generator are far more demanding than the requirements for pseudorandom number generators used in other applications such as testing or simulation.

• The One-Time Pad is a provably secure symmetric cipher. However, it is highly impractical for most applications because the key length has to equal the message length.

• Single LFSRs make poor stream ciphers despite their good statistical properties. However, careful combinations of several LFSRs can yield strong ciphers.