DOCSLIB.ORG

A Software-Optimized Encryption Algorithm

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Software-Optimized Encryption Algorithm To app ear in J of CryptologyFull version of Last revised Septemb er A SoftwareOptimized Encryption Algorithm Phillip Rogaway and Don Copp ersmith Department of Computer Science Engineering I I Buildin g University of California Davis CA USA rogawaycsucdavisedu IBM TJ Watson ResearchCenter PO Box Yorktown Heights NY USA copp erwatsonibmcom Abstract We describ e a softwareecient encryption algorithm named SEAL Computational cost on a mo dern bit pro cessor is ab out clo ck cycles p er byte of text The cipher is a pseudorandom function family under control of a key rst prepro cessed into an internal table it stretches a bit p osition index into a long pseudorandom string This string can b e used as the keystream of a Vernam cipher Key words Cryptography Encryption Fast encryption Pseudoran dom function family Software encryption Stream cipher Intro duction Encrypting Fast In Software Encryption must often b e p erformed at high data rates a requirement sometimes met with the help of supp orting crypto graphic hardware Unfortunately cryptographic hardware is often absent and data condentiality is sacriced b ecause the cost of software cryptographyis deemed to b e excessive The computational cost of software cryptography is a function of the under y of its implementation But regardless of imple lying algorithm and the qualit mentation a cryptographic algorithm designed to run well in hardware will not p erform in software as well as an algorithm optimized for software execution The hardwareoriented Data Encryption Algorithm DES is no exception Of ten what is needed is a welldesigned softwareoptimized encryption metho d for to days general purp ose computers To this end wehave designed SEAL Software Encryption Algorithm SEAL is a pseudorandom function family under control of a key rst prepro cesse d into a set of tables SEAL stretches a bit p osition index into a keystream of essentially arbitrary length One then encrypts byXORing this keystream with the plaintext in the manner of a Vernam cipher As with anyVernam cipher it is imp erative that the keystream only b e used once On a mo dern bit pro cessor SEAL can encrypt messages at a rate of ab out clo ck cycles p er byte of text In comparison the DES algorithm is more than times as exp ensive Even a Cyclic Redundancy Co de CRC is more costly Related Work We are not the rst to realize the value of softwareoptimized cryptography In Merkle describ ed the utilityofsoftwareoriented cryptog raphy and he prop osed a suite of three softwareecient algorithms One of them called Khufuisablock cipher which is similar in spirit to SEAL An earlier softwareoriented blo ck cipher than Khufu is FEAL But this algorithm and its variants have not proven to b e particularly secure see for history and attacks Nor is it all that fast RC is a p opular softwareecient stream cipher designed byRivest It is fast though less fast than SEALRC is a softwareecient blo ck cipher It to o was designed by Rivest Some other softwareecient ciphers include BlowshandWAKE History And Naming The full name of the cipher describ ed in this pap er is SEAL An earlier version of this cipher was describ ed in and denoted SEAL Though SEAL is the rst mo dication to SEAL which the authors have describ ed a variantknown as SEAL had already app eared SEAL apart from using NISTs revised in the literature it was identical to Secure Hash Algorithm SHA instead of the original one SHA While SEAL retains that change the more signicant adjustment is resp onsiveto an attackby Handschuh and Gilb ert See Section for further information on their attack and the dierences b etween SEAL and SEAL In this pap er the name SEALby itself always refers to SEAL Characteristics of the Cipher Key characteristics and design choices of SEAL are explained b elow Preprocessing The Key In typical applications requiring fast software cryp tography data encryption is required over the course of a communication session to a remote partner or over the course of a login session to a particular machine In either case the key a which protects the session is determined at session setup Typically this session setup takes at least a few milliseconds and is not a time critical op eration It is therefore acceptable in most applications to sp end some numberofmilliseconds to map the short key a to a less concise representation of the cryptographic transformation sp ecialized to this key Our cipher has this characteristic As such SEAL is an inappropriate choice for applications which require rapid keysetup LengthIncreasing Pseudorandom Function Variable Output And Key Lengths The function SEAL is a typ e of cryptographic ob ject called a pseudorandom function family PRF Such ob jects were rst dened in SEAL is a lengthincreasing PRF under control of a bit key a SEAL maps a bit string n to an Lbit string SEALa n L The number L can b e made as large or as small as is needed for a target application but output lengths ranging from a few bytes to a few thousand bytes are anticipated An arbitrary length key a can b e used as the key for SEAL simply by selecting a SHAa As a pseudorandom function family SEALa L should lo ok like a random function if a is random and unknown The meaning of this is as follows First a key a is taken at random from f g Next the adversary is given at random either a blackb ox for the function SEALa L or else a blackb ox for a truly random function R Either maps bits to L bits The adversarys job is to guess whichtyp e of b ox she has Say that the adversary wins if she correctly guesses Random or Pseudorandom Our goal is that for any reasonable adversary she should not win with probability signicantly greater than Though we will not attempt to dene reasonable or signicant weaimto defeat adversaries with substantial computational resources and cleverness A PRF can b e used to make a go o d stream cipher In a stream cipher the encryption of a message dep ends not only on the key a and the message x but also on the messages p osition n in the data stream This p osition is often a counter sequence numb er which indicates which message is b eing enciphered The encryption of string x at p osition n is given by hn x SEALa n Li where L jxj In other applications n might indicate the address of a piece of data on disk Target Platforms Execution vehicles that should run the algorithm well in TM TM TM clude the Intel Intel Pentium pro cessors and contemp orary bit RISC machines Because of the particular challenges involved in having a cipher run well on the Pentium and b ecause of the p ervasiveness of this pro cessor familywehave optimized our cipher with the characteristics of this pro cessor family particularly in mind By doing well on these diculttooptimizefor vehicles weexpecttodowell on any mo dern bit pro cessor Some of the relevant limitations of the Pentium are a small register set a twoop erand instruction architecture and a small rst level cache Here is some further detail whichwas imp ortant in design choices These pro cessors have general registers including the register normally used as a stackpointer Most instructions work on two op erands A A op B instead of three A B op C The has an KByte onchip cache for data and instructions while entium has an KByte data cache and an KByte instruction cache the P Cache misses can b e exp ensive The and Pentium pro cessors use a stage instruction pip eline and if the base register for an address calculation is the destination register of the preceding instruction an extra cycle will b e consumed The Pentium pro cessor has dual instruction pip es one of whichrunsavery limited instruction set It was not a design goal for the cipher to exhibit an instruction dep endency structure whichwould allowustoalways ll b oth pip es TableDriven Cipher One early decision was whether to make the cipher a straightline program of logical op erations like MD or SHA or to drive it instead by the use of a large table likeKhufu or a software DES instead The tabledriven approachwas selected b ecause wefeltthatitwould lead to a faster and easiertodesign cipher With the tabledriven algorithm we could get very rapid diusion and there would b e less temptation to pro duce a cipher whose most ecient implementation used selfmo difying co de In view of the size of the rstlevel cache and the fact that servers maywant to store in secondlevel cache the representation of the encryption transformation of tens of clients it was decided that we should not b e to o generous with the size of the tables that we used Wewould settle on a total size for all tables of KBytes pro cedure Initializen A B C D n n n n A n R B n iii R C n iii R D n iii R for j to do P A xfc B B T P A A iii P B xfc C C T P B B iii P C xfc D D T P C C iii P D xfc A A T P D D iii n n n n D B A C P A xfc B B T P A A iii P B xfc C C T P B B iii P C xfc D D T P C C iii P D xfc A A T P D D iii Fig Initializati on of A B C D n n n n from n This initiali zatio n de pends on aderived tables T and R Denition of the Cipher Notation We call a bit string a word and an bit string a byte The empty string is denoted We write numb ers in hexadecimal by preceding them with x and then using the symb ols af to represent decimal numb ers resp ectivelyByy iii t we denote a right circular shift of the word y by t bits in other words the ith bit of y iii t is y Similarly y hhh t denotes itmod a left circular shift of y by t bits By andwe
Load more

Recommended publications
  • Breaking Crypto Without Keys: Analyzing Data in Web Applications Chris Eng
    Breaking Crypto Without Keys: Analyzing Data in Web Applications Chris Eng 1 Introduction – Chris Eng _ Director of Security Services, Veracode _ Former occupations . 2000-2006: Senior Consulting Services Technical Lead with Symantec Professional Services (@stake up until October 2004) . 1998-2000: US Department of Defense _ Primary areas of expertise . Web Application Penetration Testing . Network Penetration Testing . Product (COTS) Penetration Testing . Exploit Development (well, a long time ago...) _ Lead developer for @stake’s now-extinct WebProxy tool 2 Assumptions _ This talk is aimed primarily at penetration testers but should also be useful for developers to understand how your application might be vulnerable _ Assumes basic understanding of cryptographic terms but requires no understanding of the underlying math, etc. 3 Agenda 1 Problem Statement 2 Crypto Refresher 3 Analysis Techniques 4 Case Studies 5 Q & A 4 Problem Statement 5 Problem Statement _ What do you do when you encounter unknown data in web applications? . Cookies . Hidden fields . GET/POST parameters _ How can you tell if something is encrypted or trivially encoded? _ How much do I really have to know about cryptography in order to exploit implementation weaknesses? 6 Goals _ Understand some basic techniques for analyzing and breaking down unknown data _ Understand and recognize characteristics of bad crypto implementations _ Apply techniques to real-world penetration tests 7 Crypto Refresher 8 Types of Ciphers _ Block Cipher . Operates on fixed-length groups of bits, called blocks . Block sizes vary depending on the algorithm (most algorithms support several different block sizes) . Several different modes of operation for encrypting messages longer than the basic block size .
    [Show full text]
  • SGX Secure Enclaves in Practice Security and Crypto Review
    SGX Secure Enclaves in Practice Security and Crypto Review JP Aumasson, Luis Merino This talk ● First SGX review from real hardware and SDK ● Revealing undocumented parts of SGX ● Tool and application releases Props Victor Costan (MIT) Shay Gueron (Intel) Simon Johnson (Intel) Samuel Neves (Uni Coimbra) Joanna Rutkowska (Invisible Things Lab) Arrigo Triulzi Dan Zimmerman (Intel) Kudelski Security for supporting this research Agenda .theory What's SGX, how secure is it? .practice Developing for SGX on Windows and Linux .theory Cryptography schemes and implementations .practice Our projects: reencryption, metadata extraction What's SGX, how secure is it? New instruction set in Skylake Intel CPUs since autumn 2015 SGX as a reverse sandbox Protects enclaves of code/data from ● Operating System, or hypervisor ● BIOS, firmware, drivers ● System Management Mode (SMM) ○ aka ring -2 ○ Software “between BIOS and OS” ● Intel Management Engine (ME) ○ aka ring -3 ○ “CPU in the CPU” ● By extension, any remote attack = reverse sandbox Simplified workflow 1. Write enclave program (no secrets) 2. Get it attested (signed, bound to a CPU) 3. Provision secrets, from a remote client 4. Run enclave program in the CPU 5. Get the result, and a proof that it's the result of the intended computation Example: make reverse engineer impossible 1. Enclave generates a key pair a. Seals the private key b. Shares the public key with the authenticated client 2. Client sends code encrypted with the enclave's public key 3. CPU decrypts the code and executes it A trusted
    [Show full text]
  • Bias in the LEVIATHAN Stream Cipher
    Bias in the LEVIATHAN Stream Cipher Paul Crowley1? and Stefan Lucks2?? 1 cryptolabs Amsterdam [email protected] 2 University of Mannheim [email protected] Abstract. We show two methods of distinguishing the LEVIATHAN stream cipher from a random stream using 236 bytes of output and pro- portional effort; both arise from compression within the cipher. The first models the cipher as two random functions in sequence, and shows that the probability of a collision in 64-bit output blocks is doubled as a re- sult; the second shows artifacts where the same inputs are presented to the key-dependent S-boxes in the final stage of the cipher for two suc- cessive outputs. Both distinguishers are demonstrated with experiments on a reduced variant of the cipher. 1 Introduction LEVIATHAN [5] is a stream cipher proposed by David McGrew and Scott Fluhrer for the NESSIE project [6]. Like most stream ciphers, it maps a key onto a pseudorandom keystream that can be XORed with the plaintext to generate the ciphertext. But it is unusual in that the keystream need not be generated in strict order from byte 0 onwards; arbitrary ranges of the keystream may be generated efficiently without the cost of generating and discarding all prior val- ues. In other words, the keystream is “seekable”. This property allows data from any part of a large encrypted file to be retrieved efficiently, without decrypting the whole file prior to the desired point; it is also useful for applications such as IPsec [2]. Other stream ciphers with this property include block ciphers in CTR mode [3].
    [Show full text]
  • RC4-2S: RC4 Stream Cipher with Two State Tables
    RC4-2S: RC4 Stream Cipher with Two State Tables Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipher which can be applied to many security applications in real time security. However, RC4 cipher shows some weaknesses including a correlation problem between the public known outputs of the internal state. We propose RC4 stream cipher with two state tables (RC4-2S) as an enhancement to RC4. RC4-2S stream cipher system solves the correlation problem between the public known outputs of the internal state using permutation between state 1 (S1) and state 2 (S2). Furthermore, key generation time of the RC4-2S is faster than that of the original RC4 due to less number of operations per a key generation required by the former. The experimental results confirm that the output streams generated by the RC4-2S are more random than that generated by RC4 while requiring less time than RC4. Moreover, RC4-2S’s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as distinguishing attack. Keywords Stream cipher Á RC4 Á Pseudo-random number generator This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS-0855248 and EPS-0918970). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the funding agencies or those of the employers. M. M. Hammood Applied Science, University of Arkansas at Little Rock, Little Rock, USA e-mail: [email protected] K.
    [Show full text]
  • Classic Cryptosystems Key Points Modulo Operation Ring Division
    3/1/2014 Ring RRiinngg ZZmm iiss:: ––SetSet of integers: ZZ =={{00,,11,,22,,……,,mm--11}} Classic Cryptosystems mm ––TwoTwo operation: “+” and “ ××”” →→ ≡≡ ∈∈ ““++”” a + b c mod m (c ZZmm)) ×× →→ ×× ≡≡ ∈∈ ““ ” a b d mod m (d ZZmm)) Example: –– m = 77,, ZZ77=={{00,,11,,22,,33,,44,,55,,66}} 66 ++ 55 == 1111 mod 77 == 44 6 ×× 55 == 3300 mod 77 == 22 6622//٤٤ ١١ Key Points Ring Z mm Properties & Operations Field: set of elements with + & * IdentityIdentity:: additive ‘‘00’’ , multiplicative ‘11’’‘ Modular Arithmetic: reduces all aa++00=a=a , ,a ××a11=a=a mod m numbers to fixed set [[00……nn--11]] InverseInverse:: additive ‘--a’,‘ a’, multiplicative ‘a --11’’ GCD: largest positive integer dividing aa++((--aa))==00mod mod m, m, a ××a aa--11 ==11 mod m Finite Field: finite number of elements Multiplicative inverse exist if gcd (a,m) = 11 n Order Finite Field: power of a prime PP Ring Addition and Multiplication is: where n = integer ClosedClosed,, Commutative,Commutative , Associative Finite Field: of order p can be defined using normal arithmetic mod p 6622//٥٥ 6622//٢٢ Modulo Operation Division on Ring ZZmm QQ::WhatWhat is 1122 mod 99?? Ring Division: 44//1155 mod 2266?????? AA::1122 mod 9 ≡≡33 44//1155 mod 2266 == 44 ×× 1155--11 mod 2266 LLeett a,r,m ∈∈ ΖΖ 1155--11 mod 2266existexist if gcd(1155,,2266))==11gcd( 1155--11 mod 2266 == 77 ((Ζ = set of all integers ) and mm >>00.. 44//1155 mod 2266 == 44××7 mod 2266 == 2288 mod 2266==22 We write r ≡ a mod m if m ––rr divides aa.. Note that the modulo operation can be applied mm is called the modulus.
    [Show full text]
  • Read Paper (In PDF)
    The Performance Measurement of Cryptographic Primitives on Palm Devices £ Duncan S. Wong, Hector Ho Fuentes and Agnes H. Chan College of Computer Science Northeastern University Boston, MA 02115, USA g fswong, hhofuent, ahchan @ccs.neu.edu Abstract which take only a few milliseconds or less and are widely used in securing data, performing authentication and in- We developed and evaluated several cryptographic sys- tegrity check on desktop machines, may spend seconds or tem libraries for Palm OS Ö which include stream and even minutes to carry out on a PalmPilot. Furthermore, the block ciphers, hash functions and multiple-precision integer memory space on low-power handheld devices are usually arithmetic operations. We noted that the encryption speed limited which may also introduce new challenges on the im- of SSC2 outperforms both ARC4 (Alleged RC4) and SEAL plementation of cryptosystems. Hence it is critical for users 3.0 if the plaintext is small. On the other hand, SEAL 3.0 to choose appropriate algorithms for the implementation of almost doubles the speed of SSC2 when the plaintext is con- cryptosystems on low-power devices. siderably large. We also observed that the optimized Rijn- We developed several cryptographic system libraries for dael with 8KB of lookup tables is 4 times faster than DES. Palm OS which include the following algorithms: In addition, our results show that implementing the cryp- tographic algorithms as system libraries does not degrade Stream Ciphers We tested the encryption speed of three their performance significantly. Instead, they provide great stream ciphers: SSC2 [11], ARC4 (Alleged RC4)1 and flexibility and code management to the algorithms.
    [Show full text]
  • 1 Stream Ciphers Vs. Block Ciphers
    CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 13: Private-Key Encryption in Practice Reading. • KatzLindell 2nd edition 3.6,6.0,6.2.0-6.2.3,6.2.5 or 1st edition 3.6,5.0,5.2.0-5.2.3,5.2.5 1 Stream Ciphers vs. Block Ciphers • In practice, people use direct constructions of candidate stream ciphers (PRGs with unbounded output length) and block ciphers (like PRFs, discussed below). typically designed for xed nite key length n (not asymptotic) much faster than the full constructions we've seen based on one-way functions, hardness of factoring, etc. designed with aim of having brute-force search being the best attack (so secure against algorithms running in time nearly 2n) but design and security analysis is more of an art than a science • Stream Ciphers Essentially meant to be pseudorandom generators, used for stateful encryption. Examples: linear feedback shift registers (not secure, but used as component in better stream ciphers), RC4, SEAL, ... Extremely simple and fast Practical issues: can generate pseudorandom bits oine and decrypt very quickly without buering, but requires synchronization • Block ciphers For every key n, ` ` is a permutation, and both and −1 k 2 f0; 1g fk : f0; 1g ! f0; 1g fk fk can be computed quickly given k.(n=key length, ` = block length) Examples: DES, AES/Rijndael, IDEA, ... Main tools for private-key encryption in practice. Have both stateless modes and stateful/stream-like modes. • How are they designed? More of an art than science.
    [Show full text]
  • Classic Cryptosystems
    Classic Cryptosystems ١ ١ Key Points Field: set of elements with + & * Modular Arithmetic: reduces all numbers to fixed set [[00…n…n--11]] GCD: largest positive integer dividing Finite Field: finite number of elements Order Finite Field: power of a prime Pn where n = integer Finite Field: of order p can be defined using normal arithmetic mod p 6262//٢٢ Modulo Operation Q: What is 12 mod 9??9 A: 12 mod 9 ≡3≡3 Let a,r,m ∈ Ζ ((Ζ = set of all integers ) and m >0.. We write r ≡ a mod m if m––rr divides a.. m is called the modulus. rr is called the remainder. q · a = m --rr 0 ≤ r< m 6262//٣٣ Ring Ring Zm is: – Set of integers: Zm={00,,11,,22,…,m,…,m--11}} – Two operation: “+” and “ ××”” → ≡≡ ∈ “+” a + b c mod m (c Zmm)) ×× → ×× ≡≡ ∈ ““ ” a b d mod m (d Zmm)) Example: – m = 7,7, Z77={00,,11,,22,,33,,44,,55,,66}} 6 + 5 = 11 mod 7 = 44 6 ×× 5 = 30 mod 7 = 22 6262//٤٤ Ring Zm Properties & Operations Identity: additive ‘‘00’’ , multiplicative ‘1‘ 1’’ a+00=a=a , a××11=a=a mod m Inverse: additive ‘‘--a’,a’, multiplicative ‘a--11’’ a+( --a)=0 mod m, a×× a--11 =1 mod m Multiplicative inverse exist if gcd (a,m) = 1 Ring Addition and Multiplication is: Closed, Commutative, Associative 6262//٥٥ Division on Ring Zm Ring Division: 44//1515 mod 26??? 44//1515 mod 26 = 4 ×× 1515 --11 mod 2626 1515 --11 mod 2626exist if gcd(1515,,2626)=gcd( )=11 1515 --11 mod 26 = 7 4//15 mod 26 = 4××7 mod 26 = 28 mod 26=2 Note that the modulo operation can be applied whenever we want: (a + b) mod m = [(a mod m)+ (b mod m)] mod m (a ×× b) mod m = [(a mod m) ×× (b mod m)] mod m 6262//٦٦ Exponentiation in Zm Ring Exponentiation: 338 mod 7 =??? 338 mod 7 = 6561 mod 77 6561 mod 7 = 2 → 65616561=(=(937937 ××77)+)+22 Or = 3388 = 3344××3344= 3322××3322××3322××3322 338 mod 7 = [( 332 mod 77))××((332 mod 77)) ××((332 mod 77)) ××((332 mod 77)])] mod 77 338 mod 7 = (2( 2 ×× 2 ×× 2 ×× 22)) mod 7 = 16 mod 77==22 Note that ring Ζmm (modulo arithmetic) is of central importance to modern publicpublic--keykey cryptography.
    [Show full text]
  • Symmetric Cryptography
    University of Karlsruhe Advanced Systems Seminar Summer Term 2003 Symmetric Cryptography Daniel Grund 2003/07/01 Abstract Making systems secure is becoming more and more important nowadays. In most cases, isolation of sensitive data is not possible and systems therefore rely on cryptography for secure storage or transmission. This document will focus on classic cryptography, also called symmetric or secret key cryptogra- phy. It will present general concepts and some examples, allowing the reader to get a more detailed view of the internal work of ciphers. It will not discuss cryptanalysis. Key Words: Stream Cipher, Block Cipher, DES, AES, One Time Pad, Electronic Code Book, Cipher Block Chaining, Output Feedback, Cipher Feedback Contents 1 Introduction 3 1.1 Stream Ciphers .......................... 3 1.2 Block Ciphers ........................... 4 2 Operation modes 5 2.1 Synchronous ............................ 5 2.2 Asynchronous ........................... 6 2.3 Electronic Code Book ....................... 6 2.4 Cipher Block Chaining ...................... 6 2.5 Output Feedback ......................... 7 2.6 Cipher Feedback ......................... 7 2.7 Comparsion ............................ 8 3 Examples 10 3.1 DES ................................ 10 3.1.1 History ........................... 10 3.1.2 The Algorithm ...................... 11 3.1.3 Key Expansion ...................... 11 3.1.4 Initial Permutation .................... 11 3.1.5 A DES Round ....................... 11 3.1.6 The Round Function ................... 12 3.1.7 Decryption ........................ 13 3.1.8 Security of DES ...................... 13 3.1.9 Improvements on DES .................. 13 3.2 AES ................................ 14 3.2.1 History ........................... 14 3.2.2 The Algorithm ...................... 14 3.2.3 Key Schedule ....................... 14 3.2.4 The Round Transformation ............... 15 3.2.5 ByteSub .......................... 15 3.2.6 ShiftRow .........................
    [Show full text]
  • SNOW - a New Stream Cipher?
    SNOW - a new stream cipher? Patrik Ekdahl, Thomas Johansson Dept. of Information Technology Lund University, P.O. Box 118, 221 00 Lund, Sweden {patrik,thomas}@it.lth.se November 22, 2001 Abstract. In this paper a new word-oriented stream cipher, called SNOW, is proposed. The design of the cipher is quite simple, consisting of a linear feedback shift register, feeding a nite state machine. The design goals of producing a stream cipher signicantly faster than AES, with signicantly lower implementation costs in hardware, and a security level similar to AES is currently met. Our fastest C implemen- tation requires under 1 clock cycle per running key bit. The best attacks are generic attacks like an exhaustive key search attack. Keywords. SNOW, Stream ciphers, summation combiner, correlation attacks. 1 Introduction Cipher systems are usually subdivided into block ciphers and stream ciphers. Block ciphers tend to simultaneously encrypt groups of characters, whereas stream ciphers operate on individual characters of a plaintext message one at a time. A binary additive stream cipher is a synchronous stream cipher in which the keystream, the plaintext and the ciphertext are sequences of binary digits. The output of the keystream generator, called the running key, z(1); z(2);::: is added symbolwise to the plaintext sequence m(1); m(2);:::, producing the ciphertext c(1); c(2);:::. Each secret key k as input to the keystream generator corresponds to an output sequence. Since the secret key k is shared between the transmitter and the receiver, the receiver can decrypt by subtracting the output of the keystream generator from the ciphertext, obtaining the message sequence.
    [Show full text]
  • Enhancing Security and Speed of RC4
    International Journal of Computing and Network Technology ISSN 2210-1519 Int. J. Com. Net. Teach. 3, No. 2 (May 2015) Enhancing Security and Speed of RC4 Maytham M. Hammood1, 2, Kenji Yoshigoe1and Ali M. Sagheer3 1 Department of Computer Science, University of Arkansas at Little Rock, Little Rock, USA 2Department of Computer Science and Mathematics, University of Tikrit, Iraq 3Computer College, University of Anbar, Iraq Received: 10 Dec. 2014, Revised: 15 March, 2015, Accepted: 1 April 2015, Published: 1 (May) 2015 Abstract: Wireless communication security is a critical factor for secure communication among large scale of wireless networks. A limited resource constraint, such as power and memory size presents a significant challenge to implement existing cryptographic algorithms. One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipherthatis utilized in many real-time security applications. However, the RC4 cipher shows some weaknesses, including a correlation problem between the public known outputs of the internal state. In this paper, we propose RC4 stream cipher with a random initial state (RRC4) to solve the weak keys problem of the RC4 using a random initialization of internal state S. We also propose RC4 stream cipher with two state tables (RC4-2S) to solve the correlation problem between the public known outputs of the internal state using permutation between state1 (S1) and state 2 (S2) while requiring less time than RC4. Finally, we propose RC4 stream cipher with two state tables togenerate four keys (RC4-2S+) in each cycle which further enhances randomness overRC4-2S and RRC4. Keywords: Encryption, Stream Cipher, RC4, Random Number Generator attack can cause immediate loss of synchronization [3].
    [Show full text]
  • Scream: a Software-Efficient Stream Cipher
    Scream: a software-efficient stream cipher Shai Halevi Don Coppersmith Charanjit Jutla IBM T. J. Watson Research Center P.O. Box 704, Yorktown Heights, NY 10598, USA shaih,copper,csjutla @watson.ibm.com f g June 5, 2002 Abstract We report on the design of Scream, a new software-efficient stream cipher, which was designed to be a \more secure SEAL". Following SEAL, the design of Scream resembles in many ways a block-cipher design. The new cipher is roughly as fast as SEAL, but we believe that it offers a significantly higher security level. In the process of designing this cipher, we re-visit the SEAL design paradigm, exhibiting some tradeoffs and limitations. Key words: Stream ciphers, Block ciphers, Round functions, SEAL. 1 Introduction A stream cipher (or pseudorandom generator) is an algorithm that takes a short random string, and expands it into a much longer string, that still \looks random" to adversaries with limited resources. The short input string is called the seed (or key) of the cipher, and the long output string is called the output stream (or key-stream). Stream ciphers can be used for shared-key encryption, by using the output stream as a one-time-pad. In this work we aim to design a secure stream cipher that has very fast implementations in software. 1.1 A more secure SEAL The starting point of our work was the SEAL cipher. SEAL was designed in 1992 by Rogaway and Coppersmith [6], specifically for the purpose of obtaining a software efficient stream cipher. Nearly ten years after it was designed, SEAL is still the fastest steam cipher for software implementations on contemporary PC's, with \C" implementations running at 5 cycle/byte on common PC's (and 3.5 cycle/byte on some RISC workstations).
    [Show full text]