Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator...

Stream ciphers 2

Session 2

Contents

• PN generators with LFSRs• Statistical testing of PN generator sequences• Cryptanalysis of stream ciphers

PN generators with LFSRs

• Computational complexity of the Berlekamp-Massey algorithm is quadratic in the length of the minimum LFSR capable of generating the intercepted sequence.

• Thus, if the linear complexity is very high, then the task of predicting the next bits of the sequence is too complex.

• Linear complexity achievable with a sole LFSR is small.

• Then, in order to prevent the cryptanalysis of a pseudorandom sequence generator, we must design it in such a way that its linear complexity is too high for the practical application of the Berlekamp-Massey algorithm.

• Since LFSRs have nice properties regarding

statistics of their output sequences, a good

idea is to base PN generators on LFSRs.

• But to increase linear complexity, we have to

combine outputs of several LFSRs in non-linear

manner – through non-linear Boolean

functions.5/75

Algebraic normal form

• It is the form of a Boolean function that uses only the operations and

• In the ANF, the product that includes the largest number of variables is denominated non linear order of the function.

• Example: The non linear order of the functionf(x1,x2,x3)=x1x1x3x2x3 is 2.

• The ANF of a Boolean function can be determined from its truth table.

,u,,u,uu

xax,,x,xfn

The Möbius transform

• Example: n=3

x0 x1 x2 f

0 0 0 00 0 1 10 1 0 00 1 1 11 0 0 01 0 1 11 1 0 11 1 1 0

• u=000 u=001 u=010

000001010011100101110111

a000=f(0,0,0)=0 a001=f(0,0,0)++f(0,0,1)=0+1=1

a010=f(0,0,0)++f(0,1,0)=0+0=0

• u=011 u=100 u=101

000001010011100101110111

a011=f(0,0,0)+ f(0,0,1) +f(0,1,0)+f(0,1,1)= 0+1+0+1=0

a100=f(0,0,0)++f(1,0,0)=0+0=0

a101=f(0,0,0)+ f(0,0,1) +f(1,0,0)+f(1,0,1)= 0+1+0+1=0

• u=110 u=111

000001010011100101110111

a110=f(0,0,0)+ f(0,1,0) +f(1,0,0)+f(1,1,0)= 0+0+0+1=1

a111=f(0,0,0)+ f(0,0,1) +f(0,1,0)+f(0,1,1)+ f(1,0,0) +f(1,0,1)+f(1,1,0)+ f(1,1,1) = 0

Then:f(x0,x1,x2)=a001x2+a110x0x1=x2+x0x1

Non-linear combiners

• In these generators, the keystream sequence is obtained by combining the output sequences of various LFSRs in a non linear manner.

• Example – it is possible to use a Boolean function (without memory).

• If F is a Boolean function of N periodic input sequences a1(t), a2(t), ..., aN(t), then the output sequence b(t) = F(a1(t), a2(t), ..., aN(t)) is a linear combination of various products of sequences.

• These products are determined by determining the ANF of the function F.

• Given the ANF of the function F, if we create a function F* from F in such a way that instead of the sum and product modulo 2 in F we use the sum and product of integers, for the linear complexity and the period of the output sequence of F the following holds:

aPer,,aPer,aPerbPer

aLC,,aLC,aLC*FbLC

• Example (1)

– If the characteristic polynomials of the input sequences are:

20100210

xxxxxx,x,x*F

xxxxxx,x,xF

All these polynomials are

primitive!

• Example (2)– Then

465311515lcm

4054444

,,bPer

• The sum of N sequences in GF(q) (1)

– The equality holds if the characteristic polynomials of the input sequences do not have common factors.

iiaLCbLC

• The sum of N sequences in GF(q) (2)

– Obviously, if the periods of the input sequences are mutually prime then

aPer,,aPer,aPerbPer

aLCbLC

thenIf

iiaPerbPer

• The sum of N sequences in GF(q) (3)– Example:

6110651

XXXXXf

89618961

Primitive!

The periods are Mersenne primes

• The product of N sequences in GF(q) (1)– Theorem (Golić, 1989)

• If Per(ai) are mutually prime, then

– Theorem (Lidl, Niedereiter)

Per(ai) are mutually prime

iiaLCbLC

iiaPerbPer

• Example

6110651

XXXXXf

542989618961

Primitive!

The periods are Mersenne primes

• The general case (1)– Let be the Boolean function obtained by

removing all the products from the function F except those of the maximum order. Let be the corresponding integer function.

• The general case (2)– Theorem (Golić, 1989)

• F depends on all the N input variables.• Per(ai) are mutually prime.• Then

aPerbPer

aLC,,aLC*FbLC

• The general case (3)– Example (1)

2010210

20100210

xxxxx,x,x*F

xxxxx,x,xF

xxxxxx,x,x*F

xxxxxx,x,xF

• The general case (4)– Example (2)

• If the characteristic polynomials of the input sequences are:

• Then

107974

896531

6110650

XXXXXf

Primitive, periods Mersenne

primes

121212

116401066088601078961

• The general case (5)– Example – Geffe’s generator (1)

322133221321 1 xxxxxxxxxx,x,xF

• The general case (6)– Example – Geffe’s generator (2) –

• Equivalent scheme

• The general case (7)– Example – Geffe’s generator (3)

• If we set the feedback polynomials primitive, with periods that are Mersenne primes:

• Then

107974

896532

6110651

XXXXXf

121212

146081068888601078961

Statistical testing of PN generators

• The output sequence of a generator of pseudorandom sequences looks random, but it is not.

• Pseudorandom generators expand a truly random sequence (the key) to a much longer sequence, such that an adversary cannot distinguish between the pseudorandom sequence and a truly random sequence.

• In order to obtain a guarantee of the security of this type of generators, various statistical tests are applied, especially designed for this purpose.

• The fact that a generator passes a set of statistical tests should be considered a necessary condition, although not a sufficient one, for the security of the generator.

• If the result X of an experiment can take any real value, then X is a continuous random variable.

• The probability density function f(x) of a continuous random variable X can be integrated and the following holds:

f(x)0, for all xRFor all a, bR the following holds

dxxfbXaP

• A continuous random variable has a normal distribution with the mean and the variance 2 if its probability density function is:

• We say that X is• If X is , then we say that X has a standard

normal distribution.

• If the random variable X is , then the variable is .

• The Euler’s gamma function:

/ XZ 1,0N

1 dxext xt

• A continuous random variable X has a 2 distribution with degrees of freedom if its probability density function is

x,ex/xf

• A statistical hypothesis H is an affirmation about the distribution of one or more random variables.

• A hypothesis test is a procedure based on the observed values of the random variable that leads to the acceptance or rejection of the hypothesis H.

• The test only provides a measure of the strength of evidence given by the data against the hypothesis.

• The conclusion is probabilistic.• The level of significance of the test of the

hypothesis H is the probability of rejecting the hypothesis H when it is true.

• The hypothesis to be tested is denominated the null hypothesis, H0.

• The alternative hypothesis is denoted by H1 or Ha.

• In cryptography:– H0 – the given generator is a random sequence

generator.– is between 0,001 and 0,05.

• A test:– Determines a statistic for the sample of the output

sequence.– This statistic is compared with the expected value

for a random sequence.

• How is the comparison carried out? (1)– The computed statistic – X0 – follows (usually) a 2

distribution with degrees of freedom.– It is assumed that this statistic takes large values

for non random sequences.

• How is the comparison carried out? (2)– In order to achieve , a threshold X is chosen (by

means of the corresponding table), such that P(X0>X)=.

– If the value of the statistic for the sample of the output sequence, Xs, satisfies Xs>X, then the sequence fails on the test.

• Basic tests for cryptographic use:– frequency test, – serial test, – poker test, – runs test, – autocorrelation test, – etc.

• Frequency test (1)– Purpose: determine if the number of zeros and

ones in a sequence s is approximately the same.– n0 – number of zeros, n1 – number of ones.– The statistic:

• Frequency test (2)– The statistic follows a 2 distribution with 1 degree

of freedom.– The approximation is good enough if n10.

• Serial test (1)– Tries to determine if the number of occurrences of

00, 01, 10 and 11, as subsequences of s is approximately the same.

– The statistic:

11100100

• Serial test (2)– The statistic follows a 2 distribution with 2

degrees of freedom.– The approximation is good enough if n21.

• Poker test (1)– A positive integer m is considered such that

– The sequence s is divided into k parts of size m.– ni is the number of occurrences of the type i of the

sequence of length m, 1i2m (that is, i is the value of the integer whose binary representation is the sequence of length m.

• Poker test (2)– The test determines if every sequence of length m

appears approximately the same number of times.– The statistic:

– The statistic follows approximately a 2 distribution with 2m-1 degrees of freedom.

• Runs test (1)– A run of length i – a subsequence of s formed by i

consecutive zeros or i consecutive ones that are neither preceded nor followed by the same symbol.

– A run of zeros – gap– A run of ones – block

• Runs test (2)– Purpose: determine if the number of runs of

different lengths in the sequence s is that expected in a random sequence.

– The number of gaps (or blocks) of length i in a random sequence of length n is

– It is considered that k is equal to the largest integer i for which ei5.

223 ii /ine

• Runs test (3)– We denote by Bi and Hi the number of blocks and

gaps of length i in s, for each i, 1ik.– The statistic

– The statistic follows approximately a 2 distribution with 2k-2 degrees of freedom.

• Autocorrelation test (1)– Checks the correlation between s and shifted

versions of s.– An integer d, 1 d n/2 is considered. – The number of bits in s that are not equal to the

d-shifts is

idii ssdA

• Autocorrelation test (2)– The statistic

– The statistic follows approximately a N (0,1) distribution.

– The approximation is good enough if n-d 10.

Cryptanalysis of stream ciphers

Plaintext

decipher

decrypt

Cryptanalysis

Ciphertextencipher

Plaintext

• The problem of cryptanalysis– Given some information related to the

cryptosystem (at least the ciphertext), determine plaintext and/or the key.

• The goal of the designer is to make this problem as difficult as possible for the cryptanalyst.

• General assumption – all the details of the cryptosystem are known to the cryptanalyst.

• The only unknown is the key.• Types of attack

– Ciphertext-only attack– Known plaintext attack– Chosen plaintext attack– Chosen ciphertext attack

• The ciphertext-only attack is the most difficult one for the cryptanalyst (in general).

• The more information known to the cryptanalyst, the easier the attack.

• The “brute force attack”– Elementary attack – no knowledge about

cryptanalysis is necessary.– Assumptions

• The cryptosystem is known• The ciphertext is known

– The goal• Determine the key/plaintext

– The means• Trying all the possible keys

• Complexity of the brute force attack– Extremely high, if there are many possible keys –

impractical• Key space – the total number of keys possible

in a cryptosystem

• Examples of key space size

Key space – 40 bits 11012

Key space – 56 bits (DES) 71016

Number of 256-bit primes 11072

Age of the Sun in seconds 11016

Number of clock pulses of a 3GHz computer clock through the Sun’s age

5.41026

• A cryptosystem’s security is ultimately determined by the size of its key space

• However, this is the upper limit of that security measure

• There may be a problem in the system design that may cause a significant reduction of the effective key space

• The task of the cryptanalyst – to find this pitfall and to use it to attack the system

• Basic attack methods against stream (and block) ciphers– Algebraic– Statistical

• Algebraic attacks (1)– The key symbols (e.g. bits) are the unknowns in

the system of equations assigned to the PRNG

• Algebraic attacks (2)– Given all the details of the PRNG to be

cryptanalyzed (except the key bits), determine the system of equations that relates the bits of the output sequence with the bits of the key

– The designer’s goal• To make this system as non-linear as possible• The reason

– non-linear systems are difficult to solve – there is no general method other than trying all the possible values of the variables: 2n possibilities for a system with n variables.

• Algebraic attacks (3)– The problem of solving a non-linear system in

GF(2) – the satisfiability problem (SAT)– Cook’s theorem (1971)

• SAT is NP-complete

– However, some instances of the SAT problem may be easier to solve

– The designer should check the system assigned to the PRNG

• Algebraic attacks (4)– Example – LFSR– The output sequence: 1110…– The initial state: a0, a1, a2, a3

– The output bits: y0=1, y1=1, y2=1, y3=0– The equations

41 xxxf

a 3210y0 1100y1 1110y2 1111y3 0111

Linear system – easy to solve!

• Algebraic attacks (5)– Example (1): consider the non-linear PRNG below

• Algebraic attacks (6)– Example (2): The system of equations

• (1) y1=(x1+x4)(x5+x7)=x1x5+x1x7+x4x5+x4x7• (2) y2=(x1+x4+x3)(x5+x7+x6)=

=x1x5+x1x7+x1x6+x4x5+x4x7+x4x6+x3x5+x3x7+x3x6• … (we need 7 independent equations)

• Algebraic attacks (7)– Example (3): Methods of solving the system

• The brute force method: try all the possible 27-1 solutions (all zeros are not permitted)

• The linearization method– Replace all the products by new variables– Solve the obtained linear system (e.g. by Gaussian algorithm)– Try to guess the variables that were included in the products,

given the values of the new variables, in such a way that the overall system is consistent

• Algebraic attacks (8)– Example (4): The linearized system

• y1=z1+z2+z3+z4

• y2=z1+z2+z5+z3+z4+z6+z7+z8+z9

• ...

• Algebraic attacks (9)– Other methods of solving non-linear systems,

applied in cryptanalysis• Linear consistency test (LCT)• Methods of computational commutative algebra

(Gröbner bases etc.)• etc.

– No matter how sophisticated the method of solving the system is applied, cryptanalysis of a seriously designed system always includes search

• Statistical methods (1)– In the previous example, the majority of the

output symbols will be zero, due to the AND combining function

– The non-linearity of the assigned system of equations is the highest possible

– However, it is possible to make use of bad statistical properties of the output sequence to determine the plaintext sequence

• Statistical methods (2)– Example

• With the AND output combiner, the probability of zero in the output sequence will be ¾.

• This means that, upon enciphering with this sequence as the keystream, the probability that the plaintext bit is equal to the ciphertext bit is ¾.

• Consequence – easy reconstruction of the plaintext.

• Statistical methods (3)– Correlation – The output sequence coincides too

much with one or more internal sequences – this enables correlation attacks – a kind of statistical attack.

– Correlation attacks• It is possible to divide the task of the cryptanalyst into

several less difficult tasks – “Divide and conquer”

• Statistical methods (4)– Typical example – the Geffe’s generator

322133221321 1 xxxxxxxxxx,x,xF

F balanced – good statistical properties

• Statistical methods (5)– Problem: Correlation!

ssPrsssPr

• Statistical methods (6)– Since the output sequence is correlated with both

input sequences, we can independently guess the input sequences’ bits with high probability if the output sequence is known.

Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator...

Documents

Stream Ciphers and Block Ciphers A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream

Differential Power Analysis of Stream Ciphers

Cryptanalysis on Clock Controlled Stream Ciphers

Applied cryptanalysis - stream ciphers

Stream ciphers 2

Stream ciphers

Cifrados de Flujo (Stream Ciphers) II

5 stream ciphers

LFSR-based Stream Ciphers - repository.root-me.orgrepository.root-me.org/Cryptographie/EN - LFSR-based Stream Ciphers... · Chapter 3 LFSR-based Stream Ciphers Inordertominimizethesizeoftheinternalstate,streamciphersdedicatedtolow-costhard-ware

LFSR-based Stream Ciphers - Inria · PDF fileChapter 3 LFSR-based Stream Ciphers Inordertominimizethesizeoftheinternalstate,streamciphersdedicatedtolow-costhard-ware implementations

Symmetric Ciphers: Stream Ciphers - L-Università ta' Maltastaff.um.edu.mt/mvel3/files/crypto/2_StreamCiphers.pdf · 2016-09-07 · CPS2323 29/33 Hardware Stream Ciphers (ix) Trivium

An Introduction to Stream Ciphers

InTech-New Classification of Existing Stream Ciphers

Block Ciphers and Stream Ciphers: The State of the Art

Chapter 2 Stream Ciphers

Stream ciphers...Stream ciphers Stream Ciphers are Psuedorandom Generators made practical! They are better than PRG’s! Are Stream Ciphers ciphers? Depends on who you ask. Some people

Stream Ciphers for Constrained Environments

Analysis of Lightweight Stream Ciphers

Cryptanalysis of stream ciphers with linear masking · Cryptanalysis of stream ciphers with linear masking ... This framework can be applied to many ciphers, and for those ciphers

A Faster Attack on Certain Stream Ciphers