Stream ciphers

Myrto Arapinis School of Informatics University of Edinburgh

February 29, 2015

1 / 16 n I M = C = K = {0, 1}

I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m

k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1

c = 1 1 1 0 0 0 1 0

I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c

k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0

m = 1 0 0 0 1 0 1 1

I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m

The One-Time Pad (OTP)

2 / 16 I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m

k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1

c = 1 1 1 0 0 0 1 0

I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c

k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0

m = 1 0 0 0 1 0 1 1

I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m

The One-Time Pad (OTP)

n I M = C = K = {0, 1}

2 / 16 k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1

c = 1 1 1 0 0 0 1 0

I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c

k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0

m = 1 0 0 0 1 0 1 1

I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m

The One-Time Pad (OTP)

n I M = C = K = {0, 1}

I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m

2 / 16 I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c

k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0

m = 1 0 0 0 1 0 1 1

I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m

The One-Time Pad (OTP)

n I M = C = K = {0, 1}

I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m

k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1

c = 1 1 1 0 0 0 1 0

2 / 16 k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0

m = 1 0 0 0 1 0 1 1

I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m

The One-Time Pad (OTP)

n I M = C = K = {0, 1}

I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m

k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1

c = 1 1 1 0 0 0 1 0

I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c

2 / 16 I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m

The One-Time Pad (OTP)

n I M = C = K = {0, 1}

I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m

k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1

c = 1 1 1 0 0 0 1 0

I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c

k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0

m = 1 0 0 0 1 0 1 1

2 / 16 The One-Time Pad (OTP)

n I M = C = K = {0, 1}

I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m

k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1

c = 1 1 1 0 0 0 1 0

I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c

k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0

m = 1 0 0 0 1 0 1 1

I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m

2 / 16 Perfect secrecy

Definition A cipher (E, D) over (M, C, K) satisfies perfect secrecy if for all messages m1, m2 ∈ M of same length (|m1| = |m2|), and for all ciphertexts c ∈ C

|Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ 

where k ←−Kr and  is some “negligible quantity”.

3 / 16 #{k∈K: k⊕m=c} = #K #{k∈K: k=m⊕c} = #K 1 = #K

where k ←−Kr . Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C

1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K

Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C

Pr(E(k, m) = c)

OTP satisfies perfect secrecy

Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy

4 / 16 #{k∈K: k⊕m=c} = #K #{k∈K: k=m⊕c} = #K 1 = #K

Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C

1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K

OTP satisfies perfect secrecy

Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy

Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C

Pr(E(k, m) = c)

where k ←−Kr .

4 / 16 #{k∈K: k=m⊕c} = #K 1 = #K

Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C

1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K

OTP satisfies perfect secrecy

Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy

Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C

#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K

where k ←−Kr .

4 / 16 1 = #K

Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C

1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K

OTP satisfies perfect secrecy

Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy

Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C

#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K

where k ←−Kr .

4 / 16 Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C

1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K

OTP satisfies perfect secrecy

Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy

Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C

#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K 1 = #K

where k ←−Kr .

4 / 16

1 1 − = 0 #K #K

OTP satisfies perfect secrecy

Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy

Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C

#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K 1 = #K

where k ←−Kr . Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C

|Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤

4 / 16 OTP satisfies perfect secrecy

Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy

Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C

#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K 1 = #K

where k ←−Kr . Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C

1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K

4 / 16 I The key should be as long as the plaintext.

I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2

I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”

I Key-length!

I Getting true randomness!

I The key should not be guessable from an attacker.

I Perfect secrecy does not capture all possible attacks

Limitations of OTP

5 / 16 I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2

I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”

I Getting true randomness!

I The key should not be guessable from an attacker.

I Perfect secrecy does not capture all possible attacks

Limitations of OTP

I Key-length!

I The key should be as long as the plaintext.

5 / 16 I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2

I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”

I Perfect secrecy does not capture all possible attacks

Limitations of OTP

I Key-length!

I The key should be as long as the plaintext.

I Getting true randomness!

I The key should not be guessable from an attacker.

5 / 16 I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2

I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”

Limitations of OTP

I Key-length!

I The key should be as long as the plaintext.

I Getting true randomness!

I The key should not be guessable from an attacker.

I Perfect secrecy does not capture all possible attacks

5 / 16 I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”

Limitations of OTP

I Key-length!

I The key should be as long as the plaintext.

I Getting true randomness!

I The key should not be guessable from an attacker.

I Perfect secrecy does not capture all possible attacks

I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2

5 / 16 Limitations of OTP

I Key-length!

I The key should be as long as the plaintext.

I Getting true randomness!

I The key should not be guessable from an attacker.

I Perfect secrecy does not capture all possible attacks

I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2

I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”

5 / 16 I Idea: use a pseudorandom key rather than a really random key

I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

I Stream ciphers are subject to two-time pad attacks

I Stream ciphers are malleable

Stream ciphers

I Goal: make the OTP practical

6 / 16 I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

I Stream ciphers are subject to two-time pad attacks

I Stream ciphers are malleable

Stream ciphers

I Goal: make the OTP practical

I Idea: use a pseudorandom key rather than a really random key

6 / 16 I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

I Stream ciphers are subject to two-time pad attacks

I Stream ciphers are malleable

Stream ciphers

I Goal: make the OTP practical

I Idea: use a pseudorandom key rather than a really random key

I The key will not really be random, but will look random

6 / 16 I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

I Stream ciphers are subject to two-time pad attacks

I Stream ciphers are malleable

Stream ciphers

I Goal: make the OTP practical

I Idea: use a pseudorandom key rather than a really random key

I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

6 / 16 I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

I Stream ciphers are subject to two-time pad attacks

I Stream ciphers are malleable

Stream ciphers

I Goal: make the OTP practical

I Idea: use a pseudorandom key rather than a really random key

I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

6 / 16 I Stream ciphers are subject to two-time pad attacks

I Stream ciphers are malleable

Stream ciphers

I Goal: make the OTP practical

I Idea: use a pseudorandom key rather than a really random key

I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

6 / 16 I Stream ciphers are malleable

Stream ciphers

I Goal: make the OTP practical

I Idea: use a pseudorandom key rather than a really random key

I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

I Stream ciphers are subject to two-time pad attacks

6 / 16 Stream ciphers

I Goal: make the OTP practical

I Idea: use a pseudorandom key rather than a really random key

I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n

I Encryption using a PRG G: E(k, m) = G(k) ⊕ m

I Decryption using a PRG G: D(k, c) = G(k) ⊕ c

I Stream ciphers are subject to two-time pad attacks

I Stream ciphers are malleable

6 / 16 I Consists of 2 phases:

seed 2048 bits k 1 byte per round

initialisation keystream generation

I Main data structure: array S of 256 bytes.

I Used in HTTPS and WEP

I Weaknesses of RC4:

I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds

RC4

I Stream cipher invented by Ron Rivest in 1987

7 / 16 I Main data structure: array S of 256 bytes.

I Used in HTTPS and WEP

I Weaknesses of RC4:

I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds

RC4

I Stream cipher invented by Ron Rivest in 1987

I Consists of 2 phases:

seed 2048 bits k 1 byte per round

initialisation keystream generation

7 / 16 I Used in HTTPS and WEP

I Weaknesses of RC4:

I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds

RC4

I Stream cipher invented by Ron Rivest in 1987

I Consists of 2 phases:

seed 2048 bits k 1 byte per round

initialisation keystream generation

I Main data structure: array S of 256 bytes.

7 / 16 I Weaknesses of RC4:

I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds

RC4

I Stream cipher invented by Ron Rivest in 1987

I Consists of 2 phases:

seed 2048 bits k 1 byte per round

initialisation keystream generation

I Main data structure: array S of 256 bytes.

I Used in HTTPS and WEP

7 / 16 I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds

RC4

I Stream cipher invented by Ron Rivest in 1987

I Consists of 2 phases:

seed 2048 bits k 1 byte per round

initialisation keystream generation

I Main data structure: array S of 256 bytes.

I Used in HTTPS and WEP

I Weaknesses of RC4:

7 / 16 I subject to related keys attacks −→ choose randomly generated keys as seeds

RC4

I Stream cipher invented by Ron Rivest in 1987

I Consists of 2 phases:

seed 2048 bits k 1 byte per round

initialisation keystream generation

I Main data structure: array S of 256 bytes.

I Used in HTTPS and WEP

I Weaknesses of RC4:

I first bytes are biased −→ drop the first to 256 generated bytes

7 / 16 RC4

I Stream cipher invented by Ron Rivest in 1987

I Consists of 2 phases:

seed 2048 bits k 1 byte per round

initialisation keystream generation

I Main data structure: array S of 256 bytes.

I Used in HTTPS and WEP

I Weaknesses of RC4:

I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds

7 / 16 RC4: initialisation

for i := 0 to 255 do S[i] := i end j := 0 for i := 0 to 255 do j := (j + S[i] + K[i(mod |K|)])(mod 256) swap(S[i], S[j]) end i := 0 j := 0

8 / 16 RC4: key stream generation

while generatingOutput i := i + 1(mod 256) j := j + S[i](mod 256) swap(S[i], S[j]) output(S[S[i] + S[j](mod 256)]) end

9 / 16 WEP uses RC4

m + RC4 ( IV II k ) k k IV ciphertext

Initialisation Vector (IV): 24-bits long string

10 / 16 I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs

I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG

Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys

Weaknesses of WEP

11 / 16 I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG

Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys

Weaknesses of WEP

I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs

11 / 16 Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys

Weaknesses of WEP

I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs

I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG

11 / 16 Weaknesses of WEP

I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs

I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG

Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys

11 / 16 s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]

output bit

i1 i2 il +

feedback bit

I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)

Linear Feedback Shift Registers (LFSRs)

12 / 16 I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]

output bit

i1 i2 il +

feedback bit

I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)

Linear Feedback Shift Registers (LFSRs) s I K = {0, 1}

12 / 16 I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]

output bit

i1 i2 il +

feedback bit

I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)

Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits

12 / 16 I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]

output bit

i1 i2 il +

feedback bit

I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)

Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k

12 / 16 I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)

Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]

output bit

i1 i2 il +

feedback bit

12 / 16 Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]

output bit

i1 i2 il +

feedback bit

I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs) 12 / 16 40 I K = {0, 1}

I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)

I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]

I Keystream generation: 1-byte output per round

1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out

carry‐out from previous round

Content Scrambling System (CSS) uses LFSRs

13 / 16 I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)

I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]

I Keystream generation: 1-byte output per round

1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out

carry‐out from previous round

Content Scrambling System (CSS) uses LFSRs

40 I K = {0, 1}

13 / 16 I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]

I Keystream generation: 1-byte output per round

1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out

carry‐out from previous round

Content Scrambling System (CSS) uses LFSRs

40 I K = {0, 1}

I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)

13 / 16 I Keystream generation: 1-byte output per round

1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out

carry‐out from previous round

Content Scrambling System (CSS) uses LFSRs

40 I K = {0, 1}

I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)

I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]

13 / 16 Content Scrambling System (CSS) uses LFSRs

40 I K = {0, 1}

I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)

I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]

I Keystream generation: 1-byte output per round

1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out

carry‐out from previous round

13 / 16 I Because of structure of MPEG-2, first 20 bytes of plaintext are known

I Hence also first 20 bytes of keystream are known

I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction

17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked

Weaknesses in CSS

Can be broken in time 217. The idea of the attack is as follows:

14 / 16 I Hence also first 20 bytes of keystream are known

I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction

17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked

Weaknesses in CSS

Can be broken in time 217. The idea of the attack is as follows:

I Because of structure of MPEG-2, first 20 bytes of plaintext are known

14 / 16 I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction

17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked

Weaknesses in CSS

Can be broken in time 217. The idea of the attack is as follows:

I Because of structure of MPEG-2, first 20 bytes of plaintext are known

I Hence also first 20 bytes of keystream are known

14 / 16 17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked

Weaknesses in CSS

Can be broken in time 217. The idea of the attack is as follows:

I Because of structure of MPEG-2, first 20 bytes of plaintext are known

I Hence also first 20 bytes of keystream are known

I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction

14 / 16 Weaknesses in CSS

Can be broken in time 217. The idea of the attack is as follows:

I Because of structure of MPEG-2, first 20 bytes of plaintext are known

I Hence also first 20 bytes of keystream are known

I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction

17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked

14 / 16 Conjecture These eStream stream ciphers are “secure”

Modern stream ciphers

Project eStream: project to “identify new stream ciphers suitable for widespread adoption”, organised by the EU ECRYPT network −→ HC-128, Rabbit, Salsa20/12, SOSEMANUK, Grain v1, MICKEY 2.0, Trivium

15 / 16 Modern stream ciphers

Project eStream: project to “identify new stream ciphers suitable for widespread adoption”, organised by the EU ECRYPT network −→ HC-128, Rabbit, Salsa20/12, SOSEMANUK, Grain v1, MICKEY 2.0, Trivium

Conjecture These eStream stream ciphers are “secure”

15 / 16 I Perfect secrecy does not capture all possible attacks. −→ need for different security definition

I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition

I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives

I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use

Concluding remarks

16 / 16 I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition

I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives

I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use

Concluding remarks

I Perfect secrecy does not capture all possible attacks. −→ need for different security definition

16 / 16 I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives

I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use

Concluding remarks

I Perfect secrecy does not capture all possible attacks. −→ need for different security definition

I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition

16 / 16 I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use

Concluding remarks

I Perfect secrecy does not capture all possible attacks. −→ need for different security definition

I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition

I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives

16 / 16 Concluding remarks

I Perfect secrecy does not capture all possible attacks. −→ need for different security definition

I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition

I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives

I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use

16 / 16