Stream Ciphers – an Overview

Stream Ciphers – an Overview

Stream Ciphers – An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: [email protected] stream cipher overview, Palash Sarkar – p.1/51 Classical Encryption Adversary message ciphertext ciphertext message Encrypt Decrypt public channel secret key K secret key K Adversary’s goal: To obtain message or secret key. stream cipher overview, Palash Sarkar – p.2/51 One Time Pad Let the message be a sequence of bits: ¡£¢¥¤ ¡£¦ ¡©¨ ¤ § § ¤ § ¨ ¢ ¤ Let § § ¤ § be a sequence of random bits. ¨ ¢ ¤ ¦ Ciphertext is ¤ § § ¤ § £ ¡ where . Perfect Secrecy: Given a ciphertext, the message can be any binary string of length . Impractical: (a) Difficult to get random bits. (b) Sequence must be pre-distributed to both sender and receiver. (c) random sequence as long as the message. stream cipher overview, Palash Sarkar – p.3/51 Additive Stream Ciphers Use a pseudorandom generator PRG to produce ¨ ¢¥¤ the sequence § § ¤ § . The PRG extends a short “seed” into a long “pseudorandom” string, i.e., ¡ ¨ ¢¥¤ PRG § § ¤ § . The seed is the secret key . Security depends on the design of PRG. stream cipher overview, Palash Sarkar – p.4/51 Security of PRG PRG is a broad concept. For cryptographic use, a PRG must be unpredictable: Next bit test: Given an initial segment, it should not be possible to efficiently guess the next bit. Statistical Tests: The generated pseudorandom sequence should pass all polynomial time statistical tests. The above notions are equivalent. stream cipher overview, Palash Sarkar – p.5/51 p.6/51 – Sarkar alash P , w ervie v § o (PRP). ¤ ¥ a cipher £ . is stream ¢ ¡ ¤ ¡ © . ¡ cipher § , § © ¤ ¤ permutation £ £ block ¢ . ¢ ¤ ¤ ¡ ¥ ¤ ¡ as £ ¦ -bit ¨ . ¢ y ¤ e ¡ ¤ ¥ k an £ of written ¢ ed ¤ ¡ is Pseudorandom ¡ fix secret called is the ¡ each ¤ Ciphers © is or F Security: permutation Let Block Stream and Block Ciphers Block Ciphers: Applies a fixed permutation to all -bit blocks. Stream Ciphers: Applies a time-varying map. Maintains a state vector, which allows the application of a time-varying map. This difference is not very important. Some block cipher modes of operations are actually stream ciphers. Modern day stream ciphers are becoming more and more block oriented. The difference between PRP and PRG is more fundamental. stream cipher overview, Palash Sarkar – p.7/51 Attacks General Attack Models Known (or chosen) plaintext attack: The adversary learns a segment of the pseudorandom sequence. Chosen ciphertext attack: Adversary submits ciphertexts and gets back the corresponding plaintexts. Attack Goals Distinguishing Attacks: The adversary should be able to distinguish the output of the PRG from a random string. Key Recovery Attacks: The adversary has to find the “seed” of the PRG from the output of the PRG. stream cipher overview, Palash Sarkar – p.8/51 Based on Hard Problems Blum, Blum and Shub (BBS): ¦ § £ ¢ ¥ ¡ ¡ ¤ Let , where ¤ . ¦ ¥ ¨ ¨ ¨ ¤ ¢ ¦ © Seed: . Iterates . ¡ ¨ Bit extraction: parity . Security: If determining quadratic residuacity modulo is difficult, then guessing is also difficult. Efficiency: Slow; one squaring per bit. Recent criticism: Menezes and Koblitz have argued that security guarantee is not realistic. Elliptic curve based construction also known. stream cipher overview, Palash Sarkar – p.9/51 Classical Models Hardware based – well studied – based on old ideas (almost four decades). Uses Linear Feedback Shift Registers (LFSR) and Boolean Functions. LFSR: Fast generation of bit sequences (satisfying a linear recurrence) in hardware. Boolean function: Maps an -bit string to one bit. ¡ S-box: Maps an -bit string to an -bit string. stream cipher overview, Palash Sarkar – p.10/51 p.11/51 – Sarkar the . alash P ¢ , w LFSR. has ervie ¡ ¢ ¦ v o ¨ an polynomial ¢ cipher . ¦ £ sequence. © stream then ¥ ¥ using , ¥ ¡ ¨ ¥ ¥ sequence. § ¥ ¨§ are bit of ¦ ¤ a recurring ¦ ¤ ¨ characteristic ¨ ¨ be © er ¡£¢ hardw § v § ¦ ¤ the period ¦ ¤ o § in linear ¨ e ¨ a ¤ ¡ v called ¤ ¡ ¦ ¨ ¨ ¨ is possible © ¡£¢ called ¡ ¢ ¤ ¡ primiti ¨ produced ¡ is is ¨ ¡ be ¨ . ¦ can maximum of Let Suppose Then Let Then If LFSR Two Standard Models Nonlinear Filter Model: Boolean function combines outputs of different cells of a single LFSR. Nonlinear Combiner Model: Boolean function combines outputs of several LFSRs. Filter-Combiner model (Sarkar, Crypto 2002) combines the best features of the above two models. Uses linear cellular automata (CA) instead of LFSRs. Suitable Boolean functions are required to realize FC-model. stream cipher overview, Palash Sarkar – p.12/51 Filter-Combiner Model CA 1 mi CA 2 ri ci f CA k stream cipher overview, Palash Sarkar – p.13/51 Necessary Properties High linear complexity of the output sequence. Suitable choice of the Boolean function. Balanced. Correlation immune. High algebraic degree. High nonlinearlity. Resistance to algebraic attacks. stream cipher overview, Palash Sarkar – p.14/51 Linear Complexity ¡ ¡ ¢¥¤ ¢ Let § § ¤ § be a sequence (possibly used to encrypt a message). The linear complexity of is the length of a minimum length LFSR that can produce . Berlekamp-Massey algorithm can be used to find the linear complexity and a minimal length LFSR producing . £¢ ¡ The time complexity of the algorithm is . The BM algorithm was originally introduced for decoding BCH codes. If is a random sequence, then its expected ¤¨§ linear complexity is ¡ . stream cipher overview, Palash Sarkar – p.15/51 Linear Complexity (contd.) Nonlinear-Filter Model: Partial results are known – due to Rueppel. Depends on the choice of the Boolean function. For certain Boolean functions, the linear complexity can be large. Nonlinear-Combiner Model: ¡ ¨ ¨ ¦ ¤ ¥ Let § § ¤ § be the combining Boolean function. ¦ ¤ ¥ Let § § ¤ § be the lengths of the LFSRs which are taken to be distinct. ¡ ¦ ¤ ¥ Then the linear complexity is § § ¤ § where the arithmetic is over the integers (Rueppel-Staffelbach). stream cipher overview, Palash Sarkar – p.16/51 Upper bound on linear complexity is . p.17/51 – Sarkar from alash P , respect w ervie v o cipher with Boolean . stream obtained ¦ the biased . model. ¡ of is ¢ ¨ ¡ ¢ sequence ¡ § ¤ § . § ¤ © ¨ § § output § the ¡ ¤ ¡ ¢¥¤ ¦ ¨ the -combiner be . ¡ ¡ © ¨ be ¢ ¨ § genthaler Attack ¡ ¢ ¦ § ¤ £¥¤ Sie § § ¤ output § § nonlinear § ¡ LFSR by ¤ sequence the ¦ ¨ ¡ ¢¥¤ th ¢ the the elation the to Let Let Suppose Then function. Introduced Assume Corr Correlation Attack (contd.) ¡ ¡ ¢¥¤ ¢ Assume that the sequence § § ¤ § is known. (Also possible to work with the ciphertext.) ¢¡ § £ For each of the © nonzero initial states of ¡ ¡ ¨ ¨ ¦ ¢ , generate the sequence ¤ § § ¤ § . ¡ ¨ £ £ § ¡ ¦ ¤ ¨ © Compute © for each such sequence. If the choice of initial condition is correct, then ¤¨§ £ £ £ ¤ ¤ else, . ¤¨§ £ ¢ If and are “sufficiently” separate and is “sufficiently” large, then we can find the correct initial state for . stream cipher overview, Palash Sarkar – p.18/51 Correlation Attack (contd.) ¤¨§ £ If , then this does not work for . ¤¨§ ¡ £ ¢ If for all , then is said to be correlation immune (CI). One can then look for correlation between and XORs of several ’s. ¡ ¡ If is th order CI, then this method will not succeed if we take the XORs of upto ¡ LFSRs. ¡ ¡ A balanced -CI function is called -resilient. stream cipher overview, Palash Sarkar – p.19/51 Correlation Attack (contd.) Fast Correlation Attack: Avoid considering all possible initial states (Meier-Staffelbach). Each LFSR sequence satisfies a linear recurrence. ¡ Let ¨ be the characteristic polynomial of the recurrence. Then the sequence also satisfies a recurrence ¡ given by any multiple of ¨ . Collection of all such recurrences (with “low span”) constitute a set of parity check equations. An iterative decoding method can be applied to obtain the original sequence from these parity check equations. stream cipher overview, Palash Sarkar – p.20/51 Multiples of Polynomials ¡ Multiples of ¨ provide parity check equations. It is helpful for the attack if these parity check equations have few terms. ¡ For example, if ¨ has a trinomial multiple, then the obtained parity check has three terms. ¡ A “good” polynomial ¨ will not have low degree sparse multiples. Determining whether a polynomial is “good” can be difficult. Work by Wagner (Crypto 2002) based on the generalized birthday attack. stream cipher overview, Palash Sarkar – p.21/51 Algebraic Attack Courtois-Meier: Consider the nonlinear-filter model, i.e., there is a single LFSR . Let ¢ be the initial state of the LFSR. ¡ ¢ The th state is obtained as ¢ . ¡ Let be the combining Boolean function of degree ¡ . The key bits of can be written as ¡ ¡ ¡ ¢ § ¡ ¢ For any , the map is a linear map. ¢ Thus, for any , we obtain a nonlinear equation in ¡ the bits of ¢ of maximum degree . stream cipher overview, Palash Sarkar – p.22/51 Algebraic Attack (contd.) Linearization: Replace each monomial of degree greater than one by a new variable. £ ¢ ¥ ¢ Let ¡ . We obtain a system of linear equations in at most variables. If there are “independent” equations, then we can solve for these variables and use back substitution to obtain the bits of ¢ . ¤ ¡ Time required is . Becomes infeasible if is large, which can be ensured by having ¡ to be large. stream cipher overview, Palash Sarkar – p.23/51 Algebraic Attack (contd.) ¡ Suppose has large degree , but there are low ¡ ¡ ¡ degree polynomials ¨ and ¨ such that ¡ ¡ ¡ ¡ ¨ ¨ ¨ . Then a modification of the above idea can be ¡ ¡ applied to ¡ instead of . ¡ ¡ ¡ If ¨ is zero, then ¨ is called an annihilator. A low degree annihilator can be used for the attack. ¡

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    51 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us