04 Stream Ciphers
Information Security
Taxonomy of Cryptographic Algorithms
Cryptography
01/03/25 2
Stream ciphers
• The basic idea comes from the One-Time-Pad cipher.
• Encryption: $c_i = m_i \oplus k_i$, $i = 1, 2, 3, \ldots$
• Decryption: $m_i = c_i \oplus k_i$, $i = 1, 2, 3, \ldots$
• Drawbacks of the one-time pad:
  – The key-stream must be as long as the plaintext (and must never be reused).
  – Key distribution and management are difficult.
• Solution: stream ciphers
  – The key-stream is generated by a pseudo-random generator from a relatively short secret key.
Stream ciphers
• Randomness: closely related to unpredictability.
• Pseudo-randomness: a pseudo-random sequence appears random to a computationally bounded adversary.
• Stream ciphers can be modeled as finite-state machines.
[Figure: stream cipher as a finite-state machine. $S_i$: state at time $t = i$; $F$: next-state function, $S_{i+1} = F(S_i)$; $G$: output function, $k_i = G(S_i)$; $c_i = m_i \oplus k_i$. The initial state, the output function and the next-state function are controlled by the secret key.]
Linear Feedback Shift Registers (LFSR)
[Figure: an LFSR of length $L$ with feedback coefficients $c_1, c_2, \ldots, c_L$ ($c_i = 0$ or $1$) producing the output sequence.]
Connection polynomial: $C(x) = 1 + c_1 x + c_2 x^2 + \cdots + c_L x^L$
With this convention the output sequence satisfies $s_j = c_1 s_{j-1} + c_2 s_{j-2} + \cdots + c_L s_{j-L} \pmod 2$ for $j \ge L$.
Examples: $1 + x$, $1 + x^2 + x^3$
http://fchabaud.free.fr/English/
LFSR ciphers
• m-sequences (maximal-length LFSR sequences) have good statistical properties.
• However, they are predictable: the key-stream is a linear function of the initial state, so a short stretch of known plaintext reveals the key-stream (ciphertext $\oplus$ plaintext) and with it every later key-stream bit.
Example: $C(x) = 1 + x + x^4$ with initial state 1000 produces the period-15 key-stream
100011110101100 100011110101100 …
[Figure: plaintext $\oplus$ key-stream = ciphertext, bit by bit.]
LFSR Ciphers
[Figure: state-transition cycle of the LFSR with $C(x) = 1 + x + x^4$. Reading the register as successive 4-bit windows $(s_j, s_{j+1}, s_{j+2}, s_{j+3})$ of the output sequence, starting from 1000 it visits all 15 nonzero states before returning:
1000 → 0001 → 0011 → 0111 → 1111 → 1110 → 1101 → 1010 → 0101 → 1011 → 0110 → 1100 → 1001 → 0010 → 0100 → 1000]
Autocorrelation of the m-sequence $s$ = 100011110101100 (period 15). Each row is $s$ rotated right by $\tau$ positions; the last column counts the positions in which the rotation agrees with $s$.
 τ   rotated sequence                 agreements
 0   1 0 0 0 1 1 1 1 0 1 0 1 1 0 0   15
 1   0 1 0 0 0 1 1 1 1 0 1 0 1 1 0    7
 2   0 0 1 0 0 0 1 1 1 1 0 1 0 1 1    7
 3   1 0 0 1 0 0 0 1 1 1 1 0 1 0 1    7
 4   1 1 0 0 1 0 0 0 1 1 1 1 0 1 0    7
 5   0 1 1 0 0 1 0 0 0 1 1 1 1 0 1    7
 6   1 0 1 1 0 0 1 0 0 0 1 1 1 1 0    7
 7   0 1 0 1 1 0 0 1 0 0 0 1 1 1 1    7
 8   1 0 1 0 1 1 0 0 1 0 0 0 1 1 1    7
 9   1 1 0 1 0 1 1 0 0 1 0 0 0 1 1    7
10   1 1 1 0 1 0 1 1 0 0 1 0 0 0 1    7
11   1 1 1 1 0 1 0 1 1 0 0 1 0 0 0    7
12   0 1 1 1 1 0 1 0 1 1 0 0 1 0 0    7
13   0 0 1 1 1 1 0 1 0 1 1 0 0 1 0    7
14   0 0 0 1 1 1 1 0 1 0 1 1 0 0 1    7
Every nonzero shift agrees with $s$ in exactly 7 of the 15 positions (and disagrees in 8): the two-valued autocorrelation that makes m-sequences statistically attractive.
Linear Complexity of a Sequence
• Definition: The linear complexity of a binary sequence $s^n$, denoted $L(s^n)$, is the length of the shortest LFSR that generates this sequence.
Berlekamp-Massey Algorithm (BMA)
• BMA is an efficient algorithm for determining the linear complexity of a finite binary sequence.
  – Let $s$ be a binary sequence of linear complexity $L$, and
  – let $t$ be any subsequence of $s$ of length at least $2L$.
  – Then the BMA with input $t$ determines an LFSR of length $L$ which generates $s$.
• Expected linear complexity of a random sequence: $E(L(s^n)) \approx n/2 + 2/9$.
Berlekamp-Massey Algorithm
Input: $s^n = s_0, s_1, s_2, \ldots, s_{n-1}$
Output: $L(s^n)$ and $C(x)$
Step 1: $C(x) = B(x) = 1$, $L = 0$, $m = -1$ and $i = 0$
Step 2: while ($i < n$)
  Step 2.1: $d = (s_i + c_1 s_{i-1} + c_2 s_{i-2} + \cdots + c_L s_{i-L}) \bmod 2$ (the discrepancy)
  Step 2.2: if $d = 1$ then
            $T(x) = C(x)$ and $C(x) = C(x) + B(x) \cdot x^{i-m}$
            if $L \le i/2$ then $L = i + 1 - L$, $m = i$ and $B(x) = T(x)$
  Step 2.3: $i = i + 1$
Step 3: return $L$ and $C(x)$
Example
$s^{31}$ = 1000010101110110001111100110100
Trace of the BMA. Each row gives $C(x)$, $L$, $m$ and $B(x)$ at the start of step $i$ and the discrepancy $d$ computed in that step.
  i   C(x)            L   m   B(x)   d
  0   1               0  -1   1      d = s0 = 1
  1   1 + x           1   0   1      d = s1 + s0 = 1
  2   1               1   0   1      d = s2 = 0
  3   1               1   0   1      d = s3 = 0
  4   1               1   0   1      d = s4 = 0
  5   1               1   0   1      d = s5 = 1
  6   1 + x^5         5   5   1      d = s6 + s1 = 0
  7   1 + x^5         5   5   1      d = s7 + s2 = 1
  8   1 + x^2 + x^5   5   5   1      d = s8 + s6 + s3 = 0
  9   1 + x^2 + x^5   5   5   1      d = s9 + s7 + s4 = 0
 10   1 + x^2 + x^5   5   5   1      d = s10 + s8 + s5 = 0
 11   1 + x^2 + x^5   5   5   1      d = s11 + s9 + s6 = 0
 12   1 + x^2 + x^5   5   5   1      d = s12 + s10 + s7 = 0
 13   1 + x^2 + x^5   5   5   1      d = s13 + s11 + s8 = 0
 14   1 + x^2 + x^5   5   5   1      d = s14 + s12 + s9 = 0
 15   1 + x^2 + x^5   5   5   1      d = s15 + s13 + s10 = 0
The discrepancy stays 0 for every remaining step up to $i = 30$, so the algorithm returns $L(s^{31}) = 5$ and $C(x) = 1 + x^2 + x^5$: the whole 31-bit sequence is produced by a 5-stage LFSR, and the first $2L = 10$ bits already determine it.
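The LFSR and BMA material above, as an added example that is not part of the slides: an LFSR generator in the slides' convention ($C(x) = 1 + c_1 x + \cdots + c_L x^L$ means $s_j = c_1 s_{j-1} + \cdots + c_L s_{j-L}$), the autocorrelation check for the $1 + x + x^4$ m-sequence, Berlekamp-Massey run on the 31-bit sequence of the trace, and the known-plaintext consequence of "predictable": `predict_keystream` rebuilds a whole LFSR key-stream from $2L$ known bits. Function names, the `taps` representation of $C(x)$ and the 8-bit known prefix are choices made here, not notation from the slides.

```python
# Added example, not from the slides: LFSR generation, the m-sequence
# autocorrelation check from the 1 + x + x^4 slides, and Berlekamp-Massey
# (BMA) run on the slides' 31-bit sequence. Convention as in the slides' BMA:
# C(x) = 1 + c_1 x + ... + c_L x^L  <=>  s_j = c_1 s_{j-1} + ... + c_L s_{j-L} (mod 2),
# so taps [1, 4] mean C(x) = 1 + x + x^4 and s_j = s_{j-1} + s_{j-4}.


def lfsr_sequence(taps, initial, n):
    """First n bits of the LFSR whose tap exponents are `taps` (c_k = 1),
    seeded with the output bits s_0 .. s_{L-1} given in `initial`."""
    s = list(initial)
    for j in range(len(s), n):
        s.append(sum(s[j - k] for k in taps) % 2)
    return s[:n]


def period(taps, initial):
    """Period of the sequence: first return of the L-bit state to its start."""
    L = max(taps)
    s = lfsr_sequence(taps, initial, 2 ** L + L)  # long enough for any L-stage cycle
    start = s[:L]
    return next(p for p in range(1, 2 ** L) if s[p:p + L] == start)


def autocorrelation(s):
    """agreements[tau] = positions where s agrees with s rotated by tau."""
    N = len(s)
    return [sum(s[i] == s[(i + tau) % N] for i in range(N)) for tau in range(N)]


def berlekamp_massey(s):
    """Return (L, C) for the shortest LFSR generating s, with C the coefficient
    list [c_0 = 1, c_1, ..., c_L] of C(x). Follows the slides' pseudocode:
    d is the discrepancy at step i, B(x) the polynomial before the last L change."""
    n = len(s)
    C = [1] + [0] * n
    B = [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = (s[i] + sum(C[k] & s[i - k] for k in range(1, L + 1))) % 2
        if d == 1:
            T = C[:]
            shift = i - m
            for k in range(n + 1 - shift):        # C(x) <- C(x) + B(x) * x^(i - m)
                C[k + shift] ^= B[k]
            if 2 * L <= i:                         # L <= i/2
                L, m, B = i + 1 - L, i, T
    return L, C[:L + 1]


def poly_str(C):
    """Render a coefficient list the way the slides write connection polynomials."""
    terms = ["1"] + [("x" if k == 1 else f"x^{k}") for k in range(1, len(C)) if C[k]]
    return " + ".join(terms)


def predict_keystream(known, total):
    """Known-plaintext attack on an LFSR key-stream: `known` = ciphertext XOR
    plaintext for the first bits. If the stream comes from an L-stage LFSR and
    len(known) >= 2L, BMA recovers C(x) exactly and the remaining bits follow by
    clocking the recovered register. (Fewer than 2L bits give a shorter LFSR
    that only fits the prefix.)"""
    L, C = berlekamp_massey(known)
    taps = [k for k in range(1, L + 1) if C[k]]
    return lfsr_sequence(taps, known[:L], total)


if __name__ == "__main__":
    s15 = lfsr_sequence([1, 4], [1, 0, 0, 0], 15)           # slides: 100011110101100
    print("".join(map(str, s15)), "period", period([1, 4], [1, 0, 0, 0]))
    print("agreements per shift:", autocorrelation(s15))   # 15, then fourteen 7s
    s31 = [int(b) for b in "1000010101110110001111100110100"]
    L, C = berlekamp_massey(s31)
    print("L =", L, " C(x) =", poly_str(C))                 # L = 5, 1 + x^2 + x^5
    print(predict_keystream(s15[:8], 30) == s15 * 2)        # 8 known bits -> all 30
```

The `2 * L <= i` test is the slides' $L \le i/2$ without the division; `period` relies on the register being nonsingular ($c_L = 1$), which the `taps` representation guarantees because $L$ is the largest tap.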
Properties of Linear Complexity
Stream Ciphers Based on LFSRs
• Desirable properties of LFSR-based key-stream
generators:
– Large period
– Large linear complexity
– Good statistical properties
• Caveat: These are only necessary conditions for a
generator to be considered cryptographically secure.
– Mathematical proofs of security of such generators are not
known.
– They are deemed to be computationally secure after having
withstood sufficient public scrutiny.
Nonlinear Combination Generator
[Figure: nonlinear combination generator. The input sequences of LFSR1, LFSR2 and LFSR3 are fed into a nonlinear combining function, whose output is the key-stream.]
Nonlinear Combination Generator
The combiner function must be
1. balanced,
2. carefully selected so that there is no statistical dependence between any small subset of the n LFSR sequences and the output sequence (correlation immunity),
3. highly nonlinear (the nonlinear order, or algebraic degree, of a function is the maximum order of the terms in its algebraic normal form).
Example: $F(x_1, x_2, x_3, x_4, x_5) = 1 \oplus x_2 \oplus x_3 \oplus x_4 x_5 \oplus x_1 x_3 x_4 x_5$ has nonlinear order 4.
The Geffe Generator
[Figure: Geffe generator. LFSR1, LFSR2 and LFSR3 produce $x_1$, $x_2$, $x_3$; $x_2$ selects between the other two: $z = x_1 x_2 \oplus (1 \oplus x_2) x_3 = x_1 x_2 \oplus x_2 x_3 \oplus x_3$.]
Properties of the Geffe generator
• If the lengths $L_1, L_2, L_3$ of the LFSRs are pairwise relatively prime and all connection polynomials are primitive, then
  – linear complexity $L = L_1 L_2 + L_2 L_3 + L_3$
  – period $T = (2^{L_1} - 1)(2^{L_2} - 1)(2^{L_3} - 1)$
• Inspecting the truth table of the combiner function gives more insight into the security of the Geffe generator.
Correlation in the Geffe Generator
x1 x2 x3 | z = F(x1, x2, x3)
 0  0  0 | 0
 0  0  1 | 1
 0  1  0 | 0
 0  1  1 | 0
 1  0  0 | 0
 1  0  1 | 1
 1  1  0 | 1
 1  1  1 | 1
z equals x1 in 6 of the 8 rows and x3 in 6 of the 8 rows, so $P(z = x_1) = P(z = x_3) = 3/4$, while $P(z = x_2) = 1/2$. The output leaks information about LFSR1 and LFSR3 individually, which is what the correlation attack exploits.
Example: Correlation Attacks
• Geffe Generator:
  – LFSR1: $1 + x + x^4$, initial key 1: 0001
  – LFSR2: $1 + x + x^3$, initial key 2: 010
  – LFSR3: $1 + x^2 + x^5$, initial key 3: 10101
  (register contents are written with $s_0$ rightmost, so LFSR1 starts emitting 1 0 0 0 …)
x1  1 0 0 0 1 1 1 1 0 1 0 1 1 0 0
x2  0 1 0 0 1 1 1 0 1 0 0 1 1 1 0
x3  1 0 1 0 1 1 1 0 1 1 0 0 0 1 1
z   1 0 1 0 1 1 1 0 0 1 0 1 1 0 1
Example: Correlated, Indeed
Agreement of each LFSR output with the key-stream z over the 15 bits:
x1  1 0 0 0 1 1 1 1 0 1 0 1 1 0 0   12/15
x2  0 1 0 0 1 1 1 0 1 0 0 1 1 1 0    8/15
x3  1 0 1 0 1 1 1 0 1 1 0 0 0 1 1   11/15
z   1 0 1 0 1 1 1 0 0 1 0 1 1 0 1
x1 and x3 agree with z in roughly 3/4 of the positions, as the truth table predicts; x2 stays close to 1/2.
Example: Computing Correlation
For each candidate initial state of LFSR1 (12 of the 15 nonzero states shown), generate its output and count the agreements with z:
z       1 0 1 0 1 1 1 0 0 1 0 1 1 0 1
state   LFSR1 output                      agreements
0111    1 1 1 0 1 0 1 1 0 0 1 0 0 0 1     8/15
1011    1 1 0 1 0 1 1 0 0 1 0 0 0 1 1     8/15
0101    1 0 1 0 1 1 0 0 1 0 0 0 1 1 1    10/15
1010    0 1 0 1 1 0 0 1 0 0 0 1 1 1 1     6/15
1101    1 0 1 1 0 0 1 0 0 0 1 1 1 1 0     8/15
0110    0 1 1 0 0 1 0 0 0 1 1 1 1 0 1    10/15
0011    1 1 0 0 1 0 0 0 1 1 1 1 0 1 0     6/15
1001    1 0 0 1 0 0 0 1 1 1 1 0 1 0 1     6/15
0100    0 0 1 0 0 0 1 1 1 1 0 1 0 1 1     8/15
0010    0 1 0 0 0 1 1 1 1 0 1 0 1 1 0     4/15
0001    1 0 0 0 1 1 1 1 0 1 0 1 1 0 0    12/15
1000    0 0 0 1 1 1 1 0 1 0 1 1 0 0 1     8/15
Only the true state 0001 reaches the roughly 3/4 agreement expected from $P(z = x_1) = 3/4$; every wrong state stays at or below 10/15, so LFSR1 is recovered without touching LFSR2 or LFSR3.
Example: Cost of the Attack
• Brute force attack on the whole key: $15 \cdot 7 \cdot 31 = 3255$ trials.
• Correlation attack: recover LFSR1 (15 trials) and LFSR3 (31 trials) independently from their correlation with z, then brute-force LFSR2 (7 trials) against the full output: $15 + 31 + 7 = 53$ trials.
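The correlation attack on the slides' Geffe example, as an added example that is not part of the slides: the three LFSRs and the combiner are built from the parameters above, every candidate state of LFSR1 and LFSR3 is scored by its agreement with z, and LFSR2 is brute-forced last. One caveat the 15-bit example exposes: the true LFSR3 state ties with a wrong one at 11/15, so the code ranks candidates and verifies them against the full output rather than trusting a single argmax. State tuples are written $(s_0, \ldots, s_{L-1})$ here, the reverse of the slides' register notation; function names and the trial counter are choices made here.

```python
# Added example, not from the slides: the divide-and-conquer correlation
# attack on the slides' Geffe generator. LFSR convention as in the slides'
# BMA: C(x) = 1 + c_1 x + ... + c_L x^L  <=>  s_j = c_1 s_{j-1} + ... + c_L s_{j-L}.
# The slides write register contents with s_0 rightmost ("0001" for LFSR1);
# here every state is written as (s_0, ..., s_{L-1}), so LFSR1's is (1, 0, 0, 0).
from itertools import product

# Geffe generator parameters from the slides' example (constructed test data).
TAPS1, STATE1 = [1, 4], (1, 0, 0, 0)        # 1 + x + x^4,   slides' "0001"
TAPS2, STATE2 = [1, 3], (0, 1, 0)           # 1 + x + x^3,   slides' "010"
TAPS3, STATE3 = [2, 5], (1, 0, 1, 0, 1)     # 1 + x^2 + x^5, slides' "10101"


def lfsr_sequence(taps, initial, n):
    s = list(initial)
    for j in range(len(s), n):
        s.append(sum(s[j - k] for k in taps) % 2)
    return s[:n]


def geffe(x1, x2, x3):
    """z = x1 if x2 = 1 else x3, i.e. z = x1 x2 + x2 x3 + x3 (mod 2)."""
    return [(a & b) ^ (b & c) ^ c for a, b, c in zip(x1, x2, x3)]


def nonzero_states(L):
    return [st for st in product((0, 1), repeat=L) if any(st)]


def agreements(a, b):
    return sum(x == y for x, y in zip(a, b))


def rank_by_correlation(taps, z):
    """Score each nonzero initial state of one LFSR by how often its output
    agrees with the observed key-stream z, best first. For the Geffe combiner
    P(z = x1) = P(z = x3) = 3/4, so the true state should score near 3/4 of
    len(z); with few key-stream bits ties happen, hence a ranking, not an argmax."""
    n = len(z)
    scored = [(agreements(lfsr_sequence(taps, st, n), z), st)
              for st in nonzero_states(max(taps))]
    scored.sort(key=lambda t: -t[0])        # stable: ties keep enumeration order
    return scored


def correlation_attack(taps1, taps2, taps3, z):
    """Recover (state1, state2, state3) from z. LFSR1 and LFSR3 are ranked
    independently (2^L1 - 1 plus 2^L3 - 1 LFSR runs); LFSR2 is uncorrelated
    with z (P(z = x2) = 1/2) and is brute-forced last against the full output.
    Returns the states and the number of full Geffe evaluations needed."""
    n = len(z)
    cand1 = rank_by_correlation(taps1, z)   # 15 LFSR runs
    cand3 = rank_by_correlation(taps3, z)   # 31 LFSR runs
    trials = 0
    for _, st1 in cand1:
        x1 = lfsr_sequence(taps1, st1, n)
        for _, st3 in cand3:
            x3 = lfsr_sequence(taps3, st3, n)
            for st2 in nonzero_states(max(taps2)):
                trials += 1
                if geffe(x1, lfsr_sequence(taps2, st2, n), x3) == z:
                    return (st1, st2, st3), trials
    return None, trials


def slides_keystream(n=15):
    x1 = lfsr_sequence(TAPS1, STATE1, n)
    x2 = lfsr_sequence(TAPS2, STATE2, n)
    x3 = lfsr_sequence(TAPS3, STATE3, n)
    return x1, x2, x3, geffe(x1, x2, x3)


if __name__ == "__main__":
    x1, x2, x3, z = slides_keystream()
    print("z =", "".join(map(str, z)))                            # 101011100101101
    for name, x in (("x1", x1), ("x2", x2), ("x3", x3)):
        print(name, "agrees with z in", agreements(x, z), "/ 15")  # 12, 8, 11
    print("LFSR1 ranking (top 3):", rank_by_correlation(TAPS1, z)[:3])
    print("LFSR3 ranking (top 3):", rank_by_correlation(TAPS3, z)[:3])
    key, trials = correlation_attack(TAPS1, TAPS2, TAPS3, z)
    print("recovered", key, "after", trials, "Geffe evaluations;",
          "brute force needs 15*7*31 =", 15 * 7 * 31)
```

The search walks LFSR1 and LFSR3 candidates in decreasing correlation order and stops at the first triple that reproduces z, so the wrong 11/15 LFSR3 candidate only costs seven extra LFSR2 trials; in a real attack one would also collect more key-stream, since 15 bits is far too few to separate the 31 states of a 5-stage register reliably.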
GSM Cryptography: A5/1
A5/1
• A5/2 is a deliberately weakened (export) version of A5/1.
  – Both A5/1 and A5/2 are weak ciphers.
• A5/3 is built on KASUMI, a block cipher.
  – E. Barkan, E. Biham and N. Keller, Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, technical report CS-2006-07, July 2006: a ciphertext-only attack on A5/2, extended to A5/1, plus active protocol attacks on networks using A5/1 or A5/3 that exploit the phones' support for the weak A5/2.
    http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf
  – O. Dunkelman, N. Keller, A. Shamir (2010-01-10). A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony (a related-key attack on KASUMI).
eSTREAM Competition - Trivium
• Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate count in hardware, and a reasonably efficient software implementation.
• Three shift registers A, B and C (93, 84 and 111 bits, respectively), updated in parallel at step $i$:
  – $a_i = c_{i-66} \oplus c_{i-111} \oplus c_{i-110} c_{i-109} \oplus a_{i-69}$
  – $b_i = a_{i-66} \oplus a_{i-93} \oplus a_{i-92} a_{i-91} \oplus b_{i-78}$
  – $c_i = b_{i-69} \oplus b_{i-84} \oplus b_{i-83} b_{i-82} \oplus c_{i-87}$
• Output bit: $r_i = a_{i-66} \oplus a_{i-93} \oplus b_{i-69} \oplus b_{i-84} \oplus c_{i-66} \oplus c_{i-111}$, the linear taps of the three feedback equations.
[Figure: register A with taps at positions 66, 69, 91, 92, 93 and register B with taps at 69, 78, 82, 83, 84, combined into the output bit $r_i$.]
Trivium
• Given an 80-bit key $k_0 \ldots k_{79}$ and an $l$-bit IV $v_0 \ldots v_{l-1}$ (where $0 \le l \le 80$), Trivium is initialized as follows:
  – $(a_{-1245}, \ldots, a_{-1153}) = (0, 0, \ldots, 0, k_0, \ldots, k_{79})$
  – $(b_{-1236}, \ldots, b_{-1153}) = (0, 0, \ldots, 0, v_0, \ldots, v_{l-1})$
  – $(c_{-1263}, \ldots, c_{-1153}) = (1, 1, 1, 0, 0, \ldots, 0)$
• The large negative indices on the initial values reflect the $1152 = 4 \cdot 288$ steps that must take place before output is produced; $r_0$ is the first key-stream bit.
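The two Trivium slides above (register recurrences and initialization), as an added example that is neither the slides' code nor the designers' reference implementation: a bit-level Trivium in which each register is a deque of its most recent bits, so that the negative-index description maps directly onto `deque` indexing, including the 1152 warm-up clockings. The byte-to-bit and bit-to-byte orders (LSB first) and the test key, IV and message are conventions and data chosen here; published test vectors use their own bit order, so outputs are only comparable after matching it.

```python
# Added example, not from the slides or the designers' reference code: a
# bit-level Trivium written directly from the recurrences and the
# initialization given on the slides. Each register is a deque of its last
# 93 / 84 / 111 bits, so deque index -k is x_{i-k}. The output bit is
# r_i = a_{i-66} + a_{i-93} + b_{i-69} + b_{i-84} + c_{i-66} + c_{i-111}.
# Conventions that are mine, not the slides': key/IV bytes are unpacked
# LSB-first into k_0..k_79 / v_0..v_{l-1} and key-stream bits are packed
# LSB-first into bytes. Test inputs below are constructed.
from collections import deque

WARMUP = 4 * 288   # 1152 clockings before r_0 is emitted


def bits_from_bytes(data):
    """LSB-first bit list of a byte string (convention chosen here)."""
    return [(byte >> k) & 1 for byte in data for k in range(8)]


class Trivium:
    def __init__(self, key, iv):
        k, v = bits_from_bytes(key), bits_from_bytes(iv)
        if len(k) != 80 or not 0 <= len(v) <= 80:
            raise ValueError("Trivium needs an 80-bit key and an IV of at most 80 bits")
        # Newest bit on the right, exactly as the slides list the indices:
        # (a_-1245 .. a_-1153) = (0 .. 0, k_0 .. k_79), and so on for b and c.
        self.a = deque([0] * (93 - 80) + k, maxlen=93)
        self.b = deque([0] * (84 - len(v)) + v, maxlen=84)
        self.c = deque([1, 1, 1] + [0] * 108, maxlen=111)
        for _ in range(WARMUP):
            self.clock()   # output of the first 1152 steps is discarded

    def clock(self):
        """One step: compute r_i and the three new bits from the old state,
        then shift each register (the deque maxlen drops the oldest bit)."""
        a, b, c = self.a, self.b, self.c
        r = a[-66] ^ a[-93] ^ b[-69] ^ b[-84] ^ c[-66] ^ c[-111]
        a_i = c[-66] ^ c[-111] ^ (c[-110] & c[-109]) ^ a[-69]
        b_i = a[-66] ^ a[-93] ^ (a[-92] & a[-91]) ^ b[-78]
        c_i = b[-69] ^ b[-84] ^ (b[-83] & b[-82]) ^ c[-87]
        a.append(a_i)
        b.append(b_i)
        c.append(c_i)
        return r

    def keystream(self, nbytes):
        out = bytearray()
        for _ in range(nbytes):
            out.append(sum(self.clock() << k for k in range(8)))  # LSB-first packing
        return bytes(out)


def trivium_xor(key, iv, data):
    """Encrypt or decrypt (the same operation) by XOR with the key-stream."""
    ks = Trivium(key, iv).keystream(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


if __name__ == "__main__":
    KEY = bytes(range(10))           # constructed 80-bit key
    IV = b"\x10\x32\x54\x76\x98"     # constructed 40-bit IV (l = 40)
    msg = b"Trivium: 288-bit state, 1152 warm-up steps"
    ct = trivium_xor(KEY, IV, msg)
    print(ct.hex())
    print(trivium_xor(KEY, IV, ct) == msg)   # True: synchronous, XOR-based
```

All three new bits and $r_i$ are computed from the old state before any register is shifted, which is what the simultaneous recurrences on the slide require; reusing a (key, IV) pair reproduces the same key-stream, the usual stream-cipher hazard, so the IV must be fresh per message.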
Performance
Synchronous Stream Ciphers
[Figure: sender and receiver each run the same state machine $S_{i+1} = F(S_i)$, $k_i = G(S_i)$; the sender computes $c_i = m_i \oplus k_i$ and the receiver $m_i = c_i \oplus k_i$.]
• Sender and receiver must be synchronized.
• Resynchronization is needed when synchronization is lost (e.g. after an inserted or deleted ciphertext bit).
• The key-stream is independent of plaintext and ciphertext. (confusion)
• No error propagation: a flipped ciphertext bit corrupts only the corresponding plaintext bit.
• Active attacks that break synchronization (insertion, deletion, replay) are easily detected. Bit flipping is not: flipping $c_i$ flips $m_i$ and nothing else, so integrity needs a separate MAC.
Asynchronous Stream Ciphers
• a.k.a. self-synchronizing stream ciphers
[Figure: the key-stream generator $G$ on each side is fed with the previous ciphertext bits; sender: $c_i = m_i \oplus k_i$, receiver: $m_i = c_i \oplus k_i$, with $k_i$ derived from the ciphertext bits that precede $c_i$.]
Asynchronous Stream Ciphers
• The key-stream is generated as a function of a fixed number $t$ of previous ciphertext bits.
• Limited error propagation: a single corrupted ciphertext bit affects the decryption of up to $t$ subsequent bits.
• Self-resynchronization: at most $t$ bits after synchronization is lost (a bit inserted or deleted), decryption is correct again.
• Feeding the ciphertext back helps to diffuse plaintext statistics.
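The synchronous and self-synchronizing models of the last two slides, as an added example that is not part of the slides: two toy byte-oriented ciphers whose only difference is where the key-stream comes from (the position $i$ versus the previous $t$ ciphertext bytes), and a report that damages a ciphertext and lists which plaintext bytes decrypt wrongly. Deriving key-stream bytes from HMAC-SHA256, $t = 4$, the zero initial window, the key and the message are all constructed here for illustration; neither construction is proposed as a real cipher.

```python
# Added example, not from the slides: two toy byte-oriented stream ciphers
# that make the synchronous vs. self-synchronizing claims testable.
#   synchronous:         k_i = F(key, i)                      (position only)
#   self-synchronizing:  k_i = F(key, c_{i-t}, ..., c_{i-1})  (last t ciphertext bytes)
# F is HMAC-SHA256 truncated to one byte and t = 4; both are my choices, not
# the slides'. The feedback window starts as t zero bytes (a fixed, public IV).
import hashlib
import hmac

T = 4  # feedback window of the self-synchronizing cipher, in bytes


def ks_byte(key, material):
    return hmac.new(key, material, hashlib.sha256).digest()[0]


def sync_encrypt(key, msg):
    return bytes(m ^ ks_byte(key, i.to_bytes(4, "big")) for i, m in enumerate(msg))


sync_decrypt = sync_encrypt   # XOR with a data-independent key-stream


def selfsync_encrypt(key, msg):
    window, out = bytes(T), bytearray()
    for m in msg:
        c = m ^ ks_byte(key, window)
        out.append(c)
        window = window[1:] + bytes([c])        # feed back the ciphertext byte
    return bytes(out)


def selfsync_decrypt(key, ct):
    window, out = bytes(T), bytearray()
    for c in ct:
        out.append(c ^ ks_byte(key, window))
        window = window[1:] + bytes([c])        # the *received* byte, damaged or not
    return bytes(out)


def flip_bit(data, pos, bit=0):
    d = bytearray(data)
    d[pos] ^= 1 << bit
    return bytes(d)


def drop_byte(data, pos):
    return data[:pos] + data[pos + 1:]


def diff_positions(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def propagation_report(key, msg, pos):
    """Decrypt a ciphertext damaged at byte `pos` and list the plaintext
    positions that come out wrong. After a deletion, the plaintext a
    resynchronized receiver should produce from `pos` on is msg with that
    byte removed, i.e. drop_byte(msg, pos)."""
    ct_sync, ct_self = sync_encrypt(key, msg), selfsync_encrypt(key, msg)
    shifted = drop_byte(msg, pos)
    return {
        # one flipped ciphertext bit
        "sync_flip": diff_positions(msg, sync_decrypt(key, flip_bit(ct_sync, pos))),
        "selfsync_flip": diff_positions(msg, selfsync_decrypt(key, flip_bit(ct_self, pos))),
        # one deleted ciphertext byte (loss of synchronization)
        "sync_drop": diff_positions(shifted, sync_decrypt(key, drop_byte(ct_sync, pos))),
        "selfsync_drop": diff_positions(shifted, selfsync_decrypt(key, drop_byte(ct_self, pos))),
    }


if __name__ == "__main__":
    KEY = b"constructed demo key"   # constructed
    MSG = b"Attack at dawn. Meet at the old mill bridge at 0600 and bring the map."
    for name, bad in propagation_report(KEY, MSG, 10).items():
        print(f"{name:14s} wrong plaintext bytes at: {bad}")
```

The report shows the four claims side by side: the synchronous flip corrupts exactly byte `pos` (no error propagation, but also no detection, which is why a MAC is needed); the self-synchronizing flip corrupts `pos` and at most the next $t$ bytes; a deleted byte leaves the synchronous receiver producing garbage until it is resynchronized externally, while the self-synchronizing receiver is back in step $t$ bytes later.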