Stream ciphers
Myrto Arapinis School of Informatics University of Edinburgh
February 29, 2015
1 / 16 n I M = C = K = {0, 1}
I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m
k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1
c = 1 1 1 0 0 0 1 0
I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c
k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0
m = 1 0 0 0 1 0 1 1
I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m
The One-Time Pad (OTP)
2 / 16 I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m
k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1
c = 1 1 1 0 0 0 1 0
I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c
k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0
m = 1 0 0 0 1 0 1 1
I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m
The One-Time Pad (OTP)
n I M = C = K = {0, 1}
2 / 16 k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1
c = 1 1 1 0 0 0 1 0
I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c
k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0
m = 1 0 0 0 1 0 1 1
I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m
The One-Time Pad (OTP)
n I M = C = K = {0, 1}
I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m
2 / 16 I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c
k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0
m = 1 0 0 0 1 0 1 1
I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m
The One-Time Pad (OTP)
n I M = C = K = {0, 1}
I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m
k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1
c = 1 1 1 0 0 0 1 0
2 / 16 k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0
m = 1 0 0 0 1 0 1 1
I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m
The One-Time Pad (OTP)
n I M = C = K = {0, 1}
I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m
k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1
c = 1 1 1 0 0 0 1 0
I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c
2 / 16 I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m
The One-Time Pad (OTP)
n I M = C = K = {0, 1}
I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m
k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1
c = 1 1 1 0 0 0 1 0
I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c
k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0
m = 1 0 0 0 1 0 1 1
2 / 16 The One-Time Pad (OTP)
n I M = C = K = {0, 1}
I Encryption: ∀k ∈ K. ∀m ∈ M. E(k, m) = k ⊕ m
k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1
c = 1 1 1 0 0 0 1 0
I Decryption: ∀k ∈ K. ∀c ∈ C. D(k, c) = k ⊕ c
k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0
m = 1 0 0 0 1 0 1 1
I Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = m
2 / 16 Perfect secrecy
Definition A cipher (E, D) over (M, C, K) satisfies perfect secrecy if for all messages m1, m2 ∈ M of same length (|m1| = |m2|), and for all ciphertexts c ∈ C
|Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤
where k ←−Kr and is some “negligible quantity”.
3 / 16 #{k∈K: k⊕m=c} = #K #{k∈K: k=m⊕c} = #K 1 = #K
where k ←−Kr . Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C
1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K
Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C
Pr(E(k, m) = c)
OTP satisfies perfect secrecy
Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy
4 / 16 #{k∈K: k⊕m=c} = #K #{k∈K: k=m⊕c} = #K 1 = #K
Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C
1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K
OTP satisfies perfect secrecy
Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy
Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C
Pr(E(k, m) = c)
where k ←−Kr .
4 / 16 #{k∈K: k=m⊕c} = #K 1 = #K
Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C
1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K
OTP satisfies perfect secrecy
Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy
Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C
#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K
where k ←−Kr .
4 / 16 1 = #K
Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C
1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K
OTP satisfies perfect secrecy
Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy
Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C
#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K
where k ←−Kr .
4 / 16 Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C
1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K
OTP satisfies perfect secrecy
Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy
Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C
#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K 1 = #K
where k ←−Kr .
4 / 16
1 1 − = 0 #K #K
OTP satisfies perfect secrecy
Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy
Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C
#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K 1 = #K
where k ←−Kr . Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C
|Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤
4 / 16 OTP satisfies perfect secrecy
Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy
Proof: We first note that for all messages m ∈ M and all ciphertexts c ∈ C
#{k∈K: k⊕m=c} Pr(E(k, m) = c) = #K #{k∈K: k=m⊕c} = #K 1 = #K
where k ←−Kr . Thus, for all messages m1, m2 ∈ M, and for all ciphertexts c ∈ C
1 1 |Pr(E(k, m1) = c) − Pr(E(k, m2) = c)| ≤ − = 0 #K #K
4 / 16 I The key should be as long as the plaintext.
I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2
I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”
I Key-length!
I Getting true randomness!
I The key should not be guessable from an attacker.
I Perfect secrecy does not capture all possible attacks
Limitations of OTP
5 / 16 I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2
I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”
I Getting true randomness!
I The key should not be guessable from an attacker.
I Perfect secrecy does not capture all possible attacks
Limitations of OTP
I Key-length!
I The key should be as long as the plaintext.
5 / 16 I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2
I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”
I Perfect secrecy does not capture all possible attacks
Limitations of OTP
I Key-length!
I The key should be as long as the plaintext.
I Getting true randomness!
I The key should not be guessable from an attacker.
5 / 16 I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2
I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”
Limitations of OTP
I Key-length!
I The key should be as long as the plaintext.
I Getting true randomness!
I The key should not be guessable from an attacker.
I Perfect secrecy does not capture all possible attacks
5 / 16 I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”
Limitations of OTP
I Key-length!
I The key should be as long as the plaintext.
I Getting true randomness!
I The key should not be guessable from an attacker.
I Perfect secrecy does not capture all possible attacks
I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2
5 / 16 Limitations of OTP
I Key-length!
I The key should be as long as the plaintext.
I Getting true randomness!
I The key should not be guessable from an attacker.
I Perfect secrecy does not capture all possible attacks
I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 → m1, m2
I OTP is malleable given the ciphertext c = E(k, m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k, m0) with 0 m = to eve : m0 c0 := c ⊕ ”to bob : 00 ... 00” ⊕ ”to eve : 00 ... 00”
5 / 16 I Idea: use a pseudorandom key rather than a really random key
I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
I Stream ciphers are subject to two-time pad attacks
I Stream ciphers are malleable
Stream ciphers
I Goal: make the OTP practical
6 / 16 I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
I Stream ciphers are subject to two-time pad attacks
I Stream ciphers are malleable
Stream ciphers
I Goal: make the OTP practical
I Idea: use a pseudorandom key rather than a really random key
6 / 16 I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
I Stream ciphers are subject to two-time pad attacks
I Stream ciphers are malleable
Stream ciphers
I Goal: make the OTP practical
I Idea: use a pseudorandom key rather than a really random key
I The key will not really be random, but will look random
6 / 16 I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
I Stream ciphers are subject to two-time pad attacks
I Stream ciphers are malleable
Stream ciphers
I Goal: make the OTP practical
I Idea: use a pseudorandom key rather than a really random key
I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
6 / 16 I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
I Stream ciphers are subject to two-time pad attacks
I Stream ciphers are malleable
Stream ciphers
I Goal: make the OTP practical
I Idea: use a pseudorandom key rather than a really random key
I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
6 / 16 I Stream ciphers are subject to two-time pad attacks
I Stream ciphers are malleable
Stream ciphers
I Goal: make the OTP practical
I Idea: use a pseudorandom key rather than a really random key
I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
6 / 16 I Stream ciphers are malleable
Stream ciphers
I Goal: make the OTP practical
I Idea: use a pseudorandom key rather than a really random key
I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
I Stream ciphers are subject to two-time pad attacks
6 / 16 Stream ciphers
I Goal: make the OTP practical
I Idea: use a pseudorandom key rather than a really random key
I The key will not really be random, but will look random I The key will be generated from a key seed using a Pseudo-Random Generator (PRG) G : {0, 1}s → {0, 1}n with s << n
I Encryption using a PRG G: E(k, m) = G(k) ⊕ m
I Decryption using a PRG G: D(k, c) = G(k) ⊕ c
I Stream ciphers are subject to two-time pad attacks
I Stream ciphers are malleable
6 / 16 I Consists of 2 phases:
seed 2048 bits k 1 byte per round
initialisation keystream generation
I Main data structure: array S of 256 bytes.
I Used in HTTPS and WEP
I Weaknesses of RC4:
I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds
RC4
I Stream cipher invented by Ron Rivest in 1987
7 / 16 I Main data structure: array S of 256 bytes.
I Used in HTTPS and WEP
I Weaknesses of RC4:
I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds
RC4
I Stream cipher invented by Ron Rivest in 1987
I Consists of 2 phases:
seed 2048 bits k 1 byte per round
initialisation keystream generation
7 / 16 I Used in HTTPS and WEP
I Weaknesses of RC4:
I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds
RC4
I Stream cipher invented by Ron Rivest in 1987
I Consists of 2 phases:
seed 2048 bits k 1 byte per round
initialisation keystream generation
I Main data structure: array S of 256 bytes.
7 / 16 I Weaknesses of RC4:
I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds
RC4
I Stream cipher invented by Ron Rivest in 1987
I Consists of 2 phases:
seed 2048 bits k 1 byte per round
initialisation keystream generation
I Main data structure: array S of 256 bytes.
I Used in HTTPS and WEP
7 / 16 I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds
RC4
I Stream cipher invented by Ron Rivest in 1987
I Consists of 2 phases:
seed 2048 bits k 1 byte per round
initialisation keystream generation
I Main data structure: array S of 256 bytes.
I Used in HTTPS and WEP
I Weaknesses of RC4:
7 / 16 I subject to related keys attacks −→ choose randomly generated keys as seeds
RC4
I Stream cipher invented by Ron Rivest in 1987
I Consists of 2 phases:
seed 2048 bits k 1 byte per round
initialisation keystream generation
I Main data structure: array S of 256 bytes.
I Used in HTTPS and WEP
I Weaknesses of RC4:
I first bytes are biased −→ drop the first to 256 generated bytes
7 / 16 RC4
I Stream cipher invented by Ron Rivest in 1987
I Consists of 2 phases:
seed 2048 bits k 1 byte per round
initialisation keystream generation
I Main data structure: array S of 256 bytes.
I Used in HTTPS and WEP
I Weaknesses of RC4:
I first bytes are biased −→ drop the first to 256 generated bytes I subject to related keys attacks −→ choose randomly generated keys as seeds
7 / 16 RC4: initialisation
for i := 0 to 255 do S[i] := i end j := 0 for i := 0 to 255 do j := (j + S[i] + K[i(mod |K|)])(mod 256) swap(S[i], S[j]) end i := 0 j := 0
8 / 16 RC4: key stream generation
while generatingOutput i := i + 1(mod 256) j := j + S[i](mod 256) swap(S[i], S[j]) output(S[S[i] + S[j](mod 256)]) end
9 / 16 WEP uses RC4
m + RC4 ( IV II k ) k k IV ciphertext
Initialisation Vector (IV): 24-bits long string
10 / 16 I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs
I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG
Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys
Weaknesses of WEP
11 / 16 I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG
Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys
Weaknesses of WEP
I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs
11 / 16 Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys
Weaknesses of WEP
I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs
I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG
11 / 16 Weaknesses of WEP
I two-time pad attack: IV is 24 bits long, so the key is reused after at most 224 frames −→ use longer IVs
I Fluhrer, Mantin and Shamir (FMS) attack (related keys attack): - the keys only differ in the 24 bits IV - first bytes of key stream known because standard headers are always sent - for certain IVs knowing m bytes of key and keystream means you can deduce byte m + 1 of key −→ instead of using related IVs, generate IVs using a PRG
Remark The FMS attack does not apply to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys
11 / 16 s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]
output bit
i1 i2 il +
feedback bit
I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)
Linear Feedback Shift Registers (LFSRs)
12 / 16 I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]
output bit
i1 i2 il +
feedback bit
I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)
Linear Feedback Shift Registers (LFSRs) s I K = {0, 1}
12 / 16 I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]
output bit
i1 i2 il +
feedback bit
I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)
Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits
12 / 16 I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]
output bit
i1 i2 il +
feedback bit
I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)
Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k
12 / 16 I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs)
Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]
output bit
i1 i2 il +
feedback bit
12 / 16 Linear Feedback Shift Registers (LFSRs) s I K = {0, 1} I Main data structure: register R of s bits I Initialisation: R := k I Keystream generation: 1-bit output per round taps: i1, i2,... i` feedback bit: R[i1] ⊕ R[i2] ⊕ · · · ⊕ R[i`] output bit: R[s]
output bit
i1 i2 il +
feedback bit
I Broken LFSR-based stream ciphers: I DVD encryption: CSS (2 LFSRs) I GSM encryption: A5 (3 LFSRs) I Bluetooth encryption: E0 (4 LFSRs) 12 / 16 40 I K = {0, 1}
I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)
I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]
I Keystream generation: 1-byte output per round
1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out
carry‐out from previous round
Content Scrambling System (CSS) uses LFSRs
13 / 16 I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)
I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]
I Keystream generation: 1-byte output per round
1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out
carry‐out from previous round
Content Scrambling System (CSS) uses LFSRs
40 I K = {0, 1}
13 / 16 I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]
I Keystream generation: 1-byte output per round
1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out
carry‐out from previous round
Content Scrambling System (CSS) uses LFSRs
40 I K = {0, 1}
I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)
13 / 16 I Keystream generation: 1-byte output per round
1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out
carry‐out from previous round
Content Scrambling System (CSS) uses LFSRs
40 I K = {0, 1}
I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)
I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]
13 / 16 Content Scrambling System (CSS) uses LFSRs
40 I K = {0, 1}
I Data structures: 17-bits LFSR (R17) and 25-bits LFSR (R25)
I Initialisation: R17 := 1||K[0 − 15] R25 := 1||K[16 − 39]
I Keystream generation: 1-byte output per round
1 byte 17‐bit LFSR output byte + (mod 256) 1 byte 25‐bit LFSR carry-out
carry‐out from previous round
13 / 16 I Because of structure of MPEG-2, first 20 bytes of plaintext are known
I Hence also first 20 bytes of keystream are known
I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction
17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked
Weaknesses in CSS
Can be broken in time 217. The idea of the attack is as follows:
14 / 16 I Hence also first 20 bytes of keystream are known
I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction
17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked
Weaknesses in CSS
Can be broken in time 217. The idea of the attack is as follows:
I Because of structure of MPEG-2, first 20 bytes of plaintext are known
14 / 16 I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction
17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked
Weaknesses in CSS
Can be broken in time 217. The idea of the attack is as follows:
I Because of structure of MPEG-2, first 20 bytes of plaintext are known
I Hence also first 20 bytes of keystream are known
14 / 16 17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked
Weaknesses in CSS
Can be broken in time 217. The idea of the attack is as follows:
I Because of structure of MPEG-2, first 20 bytes of plaintext are known
I Hence also first 20 bytes of keystream are known
I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction
14 / 16 Weaknesses in CSS
Can be broken in time 217. The idea of the attack is as follows:
I Because of structure of MPEG-2, first 20 bytes of plaintext are known
I Hence also first 20 bytes of keystream are known
I Given output of 17 bit LFSR, can deduce output of 25 bit LFSR by subtraction
17 I Hence try all 2 possibilities for 17 bit LFSR and if generated 25 bit LFSR produces observed keystream, cipher is cracked
14 / 16 Conjecture These eStream stream ciphers are “secure”
Modern stream ciphers
Project eStream: project to “identify new stream ciphers suitable for widespread adoption”, organised by the EU ECRYPT network −→ HC-128, Rabbit, Salsa20/12, SOSEMANUK, Grain v1, MICKEY 2.0, Trivium
15 / 16 Modern stream ciphers
Project eStream: project to “identify new stream ciphers suitable for widespread adoption”, organised by the EU ECRYPT network −→ HC-128, Rabbit, Salsa20/12, SOSEMANUK, Grain v1, MICKEY 2.0, Trivium
Conjecture These eStream stream ciphers are “secure”
15 / 16 I Perfect secrecy does not capture all possible attacks. −→ need for different security definition
I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition
I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives
I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use
Concluding remarks
16 / 16 I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition
I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives
I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use
Concluding remarks
I Perfect secrecy does not capture all possible attacks. −→ need for different security definition
16 / 16 I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives
I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use
Concluding remarks
I Perfect secrecy does not capture all possible attacks. −→ need for different security definition
I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition
16 / 16 I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use
Concluding remarks
I Perfect secrecy does not capture all possible attacks. −→ need for different security definition
I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition
I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives
16 / 16 Concluding remarks
I Perfect secrecy does not capture all possible attacks. −→ need for different security definition
I Theorem (Shannon 1949) Let (E, D) be a cipher over (M, C, K). If (E, D) satisfies perfect secrecy, then the keys should be at least as long as the plaintexts (|M| ≤ |K|). ⇒ Stream ciphers do not satisfy perfect secrecy because the keys in K are smaller than the messages in M −→ need for different security definition
I The design of crypto primitives is a subtle and error prone task: define threat model, propose construction, prove that breaking construction would solve an underlying hard problem. −→ use standardised publicly know primitives
I Crypto primitives are secure under a precisely defined threat model. −→ respect the security assumptions of the crypto primitives you use
16 / 16