
Highly Secure Systems

Stream ciphers and block cipher modes

1/21
Symmetric Key Crypto
• Alice and Bob share a secret key $K_s$. Alice encrypts the plaintext message $P$ to obtain the ciphertext $C$ and sends $C$ to Bob over an insecure channel.
• Eve may intercept $C$, but without $K_s$ she cannot recover $P$; Bob, who holds $K_s$, recovers $P$.

• Components:
• Shared secret key $K_s$
• Encryption algorithm $E(P, K_s)$
• Decryption algorithm $D(C, K_s)$
such that $D(C, K_s) = D(E(P, K_s), K_s) = P$
• Two families of symmetric cipher:
• Stream ciphers
• Block ciphers
Stream cipher

• Encrypts one bit at a time by XORing it with a keystream $s$ that is as long as the plaintext $x$.
• The keystream is generated from the shared secret key $k$ using a suitable algorithm.
• The plaintext, ciphertext and keystream consist of individual bits, i.e. $x_i, y_i, s_i \in \{0, 1\}$
Encryption: $E(x_i, s_i) = x_i \oplus s_i = y_i$
Decryption: $D(y_i, s_i) = y_i \oplus s_i = x_i$
• Two modes:
1. Synchronous: $s$ depends only on the shared key $k$ (and an IV, if one is used)
2. Asynchronous (self-synchronising): $s$ depends on both the shared key $k$ and the ciphertext.
Stream cipher encryption/decryption functions

• Stream cipher bit encryption and decryption are additions modulo 2
• Let the plaintext, ciphertext and keystream bits be $x_i, y_i, s_i \in \{0, 1\}$
• Encryption: $y_i = e_{s_i}(x_i) \equiv x_i + s_i \bmod 2$
• Decryption: $x_i = d_{s_i}(y_i) \equiv y_i + s_i \bmod 2$
• On a single bit, addition modulo 2 is the XOR operation; since $s_i + s_i \equiv 0 \bmod 2$, applying the same keystream bit twice undoes itself, which is why encryption and decryption are the same operation.
Stream cipher – example

Stream cipher – One time pad (OTP)

• In the OTP cipher, the keystream is used only once.
• If the same keystream is reused for two messages, XORing the two ciphertexts cancels the keystream and yields $x_i \oplus x_i'$, the XOR of the two plaintexts; frequency analysis and guessed fragments (cribs) then recover parts of both messages.
• The OTP is unconditionally secure if the keystream bits are truly random, kept secret and never reused.
• Requires the keystream to be as long as the message
Stream Cipher applications

• Simple, fast, small – useful for small devices, e.g. A5/1 in GSM cell phones, the RC4 algorithm in SSL on the Internet (both are now broken and should not be used)
• Security depends completely on the keystream $s$:
• it must be unpredictable (indistinguishable from random)
• it must not be repeated, i.e. as long as the plaintext and never reused, otherwise the cipher can be broken using frequency analysis on the XOR of the ciphertexts
• A true OTP is not practical; instead Alice and Bob share a short encryption key $K_s$
• The keystream is generated from $K_s$ using a known method.
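The keystream-reuse failure described on the OTP slide and repeated above ("must not be repeated"), worked through in code. This is an added example, not material from the lecture slides: the two messages and the crib are constructed here, and the keystream is drawn fresh from `os.urandom` on every run to show that the attack does not need a weak key, only a key used twice.

```python
"""Why a keystream must never be reused: the "two-time pad".

Added example, not from the lecture slides. P1, P2 and the crib are
constructed; the keystream is perfectly random but used for both messages.
"""
import os
import string
from typing import List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """y_i = x_i XOR s_i applied byte-wise; the same function decrypts."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Stream-cipher / OTP encryption; the keystream must cover the plaintext."""
    if len(keystream) < len(plaintext):
        raise ValueError("keystream must be at least as long as the plaintext")
    return xor_bytes(plaintext, keystream)


def looks_like_text(b: bytes) -> bool:
    return all(chr(c) in string.printable for c in b)


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Slide a guessed fragment (crib) along c1 XOR c2.

    Because both ciphertexts used the same keystream, c1 XOR c2 equals
    p1 XOR p2: the keystream cancels. Wherever the crib really occurs in
    one message, XORing it into that combination exposes the other
    message's bytes at the same offset. Offsets that decode to printable
    text are Eve's candidates; she extends each by guessing more words.
    """
    combined = xor_bytes(c1, c2)
    hits = []
    for off in range(len(combined) - len(crib) + 1):
        revealed = xor_bytes(combined[off:off + len(crib)], crib)
        if looks_like_text(revealed):
            hits.append((off, revealed))
    return hits


# Constructed sample messages of equal length, both encrypted under ONE keystream.
P1 = b"transfer 1000 EUR to account 42"
P2 = b"meeting moved to Tuesday, 10am!"
KEYSTREAM = os.urandom(len(P1))   # truly random, as an OTP requires ...
C1 = encrypt(P1, KEYSTREAM)
C2 = encrypt(P2, KEYSTREAM)       # ... but reused: this is the mistake
```

With the crib `b"account"` (a word Eve expects in a banking message), `crib_drag(C1, C2, b"account")` contains the hit `(21, b"day, 10")`, the bytes of P2 at the offset where "account" sits in P1. Encrypting P2 under a fresh `os.urandom(len(P2))` keystream instead makes `C1 XOR C2` uniformly random and the crib reveals nothing.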
Keystream

• Keystream generation methods:
• CSPRNG – cryptographically secure pseudorandom number generator, seeded from $K_s$. Given any prefix of the keystream it must be computationally infeasible to predict the next bit.
• LFSR – linear feedback shift registers, e.g. in the A5/1 cipher for GSM
• Trivium cipher – 80-bit key and 80-bit IV, three shift registers combined non-linearly
• Block ciphers in OFB or CTR mode
LFSR

• Consider an LFSR with 3 flip-flops $FF_2, FF_1, FF_0$ and initial states $S_2^0 = 1, S_1^0 = 0, S_0^0 = 0$, where $S_j^t$ denotes the state of $FF_j$ at clock $t$; the output bit $s_i$ is the content of $FF_0$ at clock $i$, and $FF_2$ is fed back with $S_1^t \oplus S_0^t$. The outputs $s$ are:
$s_0 = S_0^0 = 0$
$s_1 = S_0^1 = S_1^0 = 0$
$s_2 = S_0^2 = S_1^1 = S_2^0 = 1$
$s_3 = S_0^3 = S_1^2 = S_2^1 \equiv S_1^0 \oplus S_0^0 \equiv s_1 \oplus s_0 \bmod 2$
$s_4 = S_0^4 = S_1^3 = S_2^2 \equiv S_1^1 \oplus S_0^1 \equiv s_2 \oplus s_1 \bmod 2$
• Output: $s_{i+3} \equiv s_{i+1} + s_i \bmod 2$, where $i \geq 0$
• From the initial state $(1, 0, 0)$ this produces $0, 0, 1, 0, 1, 1, 1$ and then repeats: period $7 = 2^3 - 1$, the maximum for 3 flip-flops.
Generalised degree m LFSR

• The secret key is the vector of feedback coefficients $p_{m-1}, \cdots, p_1, p_0$
• Initial states are $S_{m-1}, S_{m-2}, \cdots, S_1, S_0$
• First $m$ output bits: $s_0 = S_0, s_1 = S_1, \cdots, s_{m-1} = S_{m-1}$
• After $m$ bits, the generated keystream is
$$ s_{i+m} \equiv \sum_{j=0}^{m-1} p_j \cdot s_{i+j} \bmod 2; \qquad s_i, p_j \in \{0, 1\}; \qquad i = 0, 1, 2, \cdots $$
Stream cipher using LFSR
• If at any time the FF states are all zero, the LFSR is stuck: all subsequent outputs are zero.
• If the FF states return to the initial state, the output sequence starts to repeat.
• With $m$ FFs there are $2^m$ possible FF states, of which the all-zero state must be excluded.
• Theorem: the maximum sequence length (period) generated by an LFSR of degree $m$ is $2^m - 1$
• Only certain configurations of $(p_{m-1}, \cdots, p_0)$ yield a maximum-length LFSR sequence (those whose feedback polynomial is primitive).
• For the stream cipher, the secret key is $(p_{m-1}, \cdots, p_0)$
• An LFSR is a good PRNG with good statistical properties, but a keystream from a single LFSR is easily broken: the recurrence is linear, so $2m$ known keystream bits (obtained from $2m$ bits of known plaintext via $s_i = x_i \oplus y_i$) give $m$ linear equations over GF(2) that determine the $m$ feedback coefficients, after which the whole keystream can be regenerated.
• Solution: use several LFSRs combined through non-linear components, e.g. in the Trivium cipher
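The degree-$m$ recurrence from the previous slides and the known-plaintext attack that the single-LFSR warning above refers to, as an added example that is not part of the lecture slides. The 3-bit register is the one worked on the LFSR slide; the 8-bit taps, initial states and the sample message are constructed here (the taps correspond to the primitive polynomial $x^8 + x^4 + x^3 + x^2 + 1$, which is an assumption of the example, not something the slides state).

```python
"""LFSR keystream generation and the known-plaintext attack on a single LFSR.

Added example, not from the lecture slides. Implements
s_{i+m} = sum_{j<m} p_j * s_{i+j} mod 2 and recovers the secret taps
(p_{m-1}, ..., p_0) from 2m consecutive keystream bits by solving m linear
equations over GF(2).
"""
from typing import List


def lfsr_keystream(taps: List[int], init: List[int], n: int) -> List[int]:
    """Output n keystream bits.

    taps = [p_0, ..., p_{m-1}] is the secret key; init = [s_0, ..., s_{m-1}]
    holds the flip-flop contents, which are also the first m output bits.
    """
    m = len(taps)
    s = list(init)
    while len(s) < n:
        s.append(sum(p * b for p, b in zip(taps, s[-m:])) % 2)
    return s[:n]


def period(taps: List[int], init: List[int]) -> int:
    """Clocks until the register returns to its initial state (<= 2^m - 1).

    Returns 1 for the stuck all-zero state and 0 if the initial state is
    never revisited (possible when p_0 = 0, so the state map is not a bijection).
    """
    m = len(taps)
    bits = lfsr_keystream(taps, init, 2 ** m + m)
    return next((t for t in range(1, 2 ** m + 1) if bits[t:t + m] == bits[:m]), 0)


def solve_gf2(rows: List[List[int]]) -> List[int]:
    """Gaussian elimination over GF(2) on an augmented m x (m+1) matrix."""
    m = len(rows)
    rows = [r[:] for r in rows]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            raise ValueError("singular system: use a different keystream window")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [r[m] for r in rows]


def recover_taps(keystream: List[int], m: int) -> List[int]:
    """For i = 0..m-1, s_{i+m} = sum_j p_j s_{i+j} is linear in the unknown p_j:
    2m consecutive keystream bits give m equations in m unknowns."""
    rows = [[keystream[i + j] for j in range(m)] + [keystream[i + m]] for i in range(m)]
    return solve_gf2(rows)


def bytes_to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def stream_xor(bits: List[int], keystream: List[int]) -> List[int]:
    """y_i = x_i XOR s_i (and x_i = y_i XOR s_i)."""
    return [x ^ s for x, s in zip(bits, keystream)]


def break_lfsr_cipher(known_plaintext: bytes, ciphertext: bytes, m: int) -> bytes:
    """Eve knows the first bytes of the message (at least 2m bits, e.g. a fixed
    header). She recovers that keystream prefix, solves for the taps,
    regenerates the full keystream and decrypts everything else."""
    c_bits = bytes_to_bits(ciphertext)
    s_known = stream_xor(bytes_to_bits(known_plaintext), c_bits)
    taps = recover_taps(s_known, m)
    keystream = lfsr_keystream(taps, s_known[:m], len(c_bits))
    return bits_to_bytes(stream_xor(c_bits, keystream))
```

`period([1, 1, 0], [0, 0, 1])` is 7 for the slide's 3-bit register, while `[1, 0, 0]` (polynomial $x^3 + 1$, reducible) gives 3 and the irreducible but non-primitive $x^4 + x^3 + x^2 + x + 1$ (taps `[1, 1, 1, 1]`) gives 5 rather than 15. For the 8-bit cipher, two known plaintext bytes (16 bits = $2m$) are enough for `break_lfsr_cipher` to recover the taps and the whole message.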
Summary – stream ciphers

• Stream ciphers are simple and require few resources
• Require a long, unpredictable keystream derived from the shared key
• Careful use of LFSRs and CSPRNGs to obtain keystreams with good statistical properties.
• Examples:
• Trivium uses 3 LFSRs combined with non-linear components. Key length is 80 bits.
• RC4 (now broken and no longer used in TLS)
• GSM mobiles: A5/1, A5/2 (both broken)
Block cipher modes

• The plaintext message is divided into blocks of 64 bits or 128 bits (the cipher's block size)
• Each block is processed by the block cipher; the mode of operation defines how the blocks are chained together.
• Several modes:
• Modes that encrypt the plaintext block directly:
• ECB – Electronic Codebook
• CBC – Cipher Block Chaining
• Modes that XOR the plaintext with a keystream produced by the block cipher:
• CFB – Cipher Feedback
• OFB – Output Feedback
• CTR – Counter
• GCM – Galois/Counter Mode (CTR plus an authentication tag)
ECB mode

• Encryption: $y_i = e_k(x_i)$, $i \geq 1$
Decryption: $x_i = e_k^{-1}(y_i)$, $i \geq 1$
• Identical plaintext blocks are encrypted into identical ciphertext blocks
• Encryption is deterministic
• Attacks:
• traffic analysis
• frequency analysis
• Substitution attack: ciphertext blocks can be swapped, replayed or replaced without detection (homework: pg 126)
CBC – Cipher Block Chaining mode

• Encryption
The first block: $y_1 = e_k(x_1 \oplus IV)$,
then subsequent blocks: $y_i = e_k(x_i \oplus y_{i-1})$, $i \geq 2$
• Decryption is the reverse process
$x_1 = e_k^{-1}(y_1) \oplus IV$, then $x_i = e_k^{-1}(y_i) \oplus y_{i-1}$, $i \geq 2$
• The encryption is probabilistic: the same plaintext encrypts differently under different IVs.
• Usually the IV is a nonce and not secret – it can be sent in cleartext; it may be a counter value, derived from an ID, etc. For CBC the IV should additionally be unpredictable to an attacker who can choose plaintexts, so a random IV is the safe choice.
CFB – Cipher Feedback mode

• First block: the IV is encrypted with the key and the result XORed with the plaintext block: $y_1 = e_k(IV) \oplus x_1$
• Subsequent blocks: the previous ciphertext block is encrypted with the key and XORed with the plaintext:
$y_i = e_k(y_{i-1}) \oplus x_i$, $i \geq 2$
• Decryption: $x_1 = e_k(IV) \oplus y_1$, then
$x_i = e_k(y_{i-1}) \oplus y_i$, $i \geq 2$ (only the forward function $e_k$ is needed, never $e_k^{-1}$)
• Probabilistic encryption
• The IV should be a nonce and can be sent in cleartext.
OFB – Output Feedback mode

• First block: the IV is encrypted with the key, then XORed with the plaintext block: $s_1 = e_k(IV)$, $y_1 = s_1 \oplus x_1$
• Subsequent blocks: the previous cipher output is encrypted again with the key and XORed with the plaintext:
$s_i = e_k(s_{i-1})$, $y_i = s_i \oplus x_i$, $i \geq 2$
• Decryption: $s_1 = e_k(IV)$, $x_1 = s_1 \oplus y_1$
$s_i = e_k(s_{i-1})$, $x_i = s_i \oplus y_i$, $i \geq 2$
• Probabilistic encryption
• The keystream blocks $s_i$ do not depend on the plaintext, so they can be precomputed; only the forward function $e_k$ is used. The IV must never be reused under the same key, otherwise the keystream repeats (the same failure as keystream reuse in a stream cipher).
CTR – Counter mode

• The counter block, made up of an IV (nonce) and a counter value, is encrypted with the key
• Each encryption generates one keystream block, which is XORed with the plaintext block
• Keystream blocks can be generated independently of the plaintext and of each other – precomputation and parallel operation are possible
• Non-deterministic, as long as an IV is never reused under the same key
• Encryption: $y_i = e_k(IV \,\|\, CTR_i) \oplus x_i$, $i \geq 1$
• Decryption: $x_i = e_k(IV \,\|\, CTR_i) \oplus y_i$, $i \geq 1$
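The five modes from the preceding slides written out from their equations, as an added example that is not part of the lecture slides. Because this has to run offline without a crypto library, $e_k$ and $e_k^{-1}$ are a deliberately toy 4-round Feistel network over 128-bit blocks with an HMAC-SHA256 round function: it is invertible, which is all the modes need, but it is not a secure cipher and must not be used for real data. The key, IVs and plaintexts in the usage notes are constructed.

```python
"""Block cipher modes of operation built from the slide equations.

Added example, not from the lecture slides. The block cipher is a TOY
Feistel construction included only so the modes can be run offline.
"""
import hashlib
import hmac
from typing import Callable, List

BLOCK = 16  # 128-bit blocks


def xor(a: bytes, b: bytes) -> bytes:
    """XOR truncated to the shorter input (handles a short final block)."""
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Toy round function: 64 bits of HMAC-SHA256(key, round || half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def ek(key: bytes, x: bytes) -> bytes:
    """Toy block cipher e_k: 4 Feistel rounds on a 16-byte block. NOT secure."""
    assert len(x) == BLOCK
    left, right = x[:8], x[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left          # undo the final swap


def ek_inv(key: bytes, y: bytes) -> bytes:
    """Toy e_k^{-1}: the same rounds in reverse order."""
    assert len(y) == BLOCK
    left, right = y[:8], y[8:]
    for rnd in reversed(range(4)):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left


# Modes that feed the plaintext block through the cipher (full blocks only;
# padding is not shown).
def ecb_encrypt(key: bytes, x: bytes) -> bytes:            # y_i = e_k(x_i)
    return b"".join(ek(key, xi) for xi in blocks(x))


def ecb_decrypt(key: bytes, y: bytes) -> bytes:            # x_i = e_k^{-1}(y_i)
    return b"".join(ek_inv(key, yi) for yi in blocks(y))


def cbc_encrypt(key: bytes, iv: bytes, x: bytes) -> bytes:
    out, prev = [], iv                                      # y_1 = e_k(x_1 ^ IV)
    for xi in blocks(x):                                    # y_i = e_k(x_i ^ y_{i-1})
        prev = ek(key, xor(xi, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, y: bytes) -> bytes:
    out, prev = [], iv                                      # x_i = e_k^{-1}(y_i) ^ y_{i-1}
    for yi in blocks(y):
        out.append(xor(ek_inv(key, yi), prev))
        prev = yi
    return b"".join(out)


# Modes that XOR the plaintext with cipher output: only e_k is ever called.
def cfb_encrypt(key: bytes, iv: bytes, x: bytes) -> bytes:
    out, prev = [], iv                                      # y_1 = e_k(IV) ^ x_1
    for xi in blocks(x):                                    # y_i = e_k(y_{i-1}) ^ x_i
        prev = xor(ek(key, prev), xi)
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, y: bytes) -> bytes:
    out, prev = [], iv                                      # x_i = e_k(y_{i-1}) ^ y_i
    for yi in blocks(y):
        out.append(xor(ek(key, prev), yi))
        prev = yi
    return b"".join(out)


def ofb_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    s, out = iv, []                                         # s_1 = e_k(IV), s_i = e_k(s_{i-1})
    for _ in range(n):
        s = ek(key, s)
        out.append(s)
    return b"".join(out)


def ctr_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """s_i = e_k(IV || CTR_i): 96-bit IV, 32-bit big-endian counter from 1."""
    assert len(iv) == 12
    return b"".join(ek(key, iv + i.to_bytes(4, "big")) for i in range(1, n + 1))


def stream_mode(ks: Callable[[bytes, bytes, int], bytes], key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB/CTR: the keystream is independent of the data, so it can be precomputed."""
    return xor(data, ks(key, iv, -(-len(data) // BLOCK)))


def ofb_encrypt(key, iv, x): return stream_mode(ofb_keystream, key, iv, x)
def ctr_encrypt(key, iv, x): return stream_mode(ctr_keystream, key, iv, x)
ofb_decrypt, ctr_decrypt = ofb_encrypt, ctr_encrypt   # XOR is its own inverse
```

With `X = b"A" * 48 + b"B" * 16`, `ecb_encrypt` returns three identical ciphertext blocks followed by a different one, exposing the plaintext structure, while `cbc_encrypt` with the same key and an all-zero IV yields four distinct blocks. CFB, OFB and CTR round-trip a 37-byte message without padding and never call `ek_inv`.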
Galois Counter Mode

• Provides encryption and authentication (authenticated encryption with associated data, AAD)
• Encryption uses CTR mode: derive $CTR_0$ from the $IV$ (for a 96-bit IV the standard uses $CTR_0 = IV \,\|\, 0^{31} \,\|\, 1$), counter values $CTR_i = CTR_{i-1} + 1$, $i \geq 1$
Encrypts: $y_i = e_k(CTR_i) \oplus x_i$, $i \geq 1$
• Authentication (GHASH, with multiplication in $GF(2^{128})$):
Generates the hash subkey $H = e_k(0^{128})$, computes $g_0 = AAD \times H$,
computes $g_i = (g_{i-1} \oplus y_i) \times H$, $1 \leq i \leq n$
Final authentication tag $T = (g_n \times H) \oplus e_k(CTR_0)$
• This is a simplified description: the standard's last multiplication is $(g_n \oplus (\mathrm{len}(AAD) \,\|\, \mathrm{len}(C))) \times H$, i.e. a final block with the bit lengths of AAD and ciphertext is absorbed before masking with $e_k(CTR_0)$. Reusing an IV under the same key breaks both confidentiality (CTR keystream reuse) and authenticity (it leaks $H$).
GCM

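The GHASH tag computation from the GCM slide, as an added example that is not part of the lecture slides. It implements multiplication in $GF(2^{128})$ with GCM's bit ordering and the chain $g_i = (g_{i-1} \oplus y_i) \times H$, including the final length block that the standard requires and the slide's summary omits. No AES is implemented here: the three block cipher outputs ($H = e_k(0^{128})$, $e_k(CTR_0)$ and the single ciphertext block) are the published values from NIST GCM test case 2 (all-zero 128-bit key, all-zero 96-bit IV, one all-zero plaintext block, no AAD), so the tag produced here can be checked against the published one.

```python
"""GCM authentication tag (GHASH) from the slide's formula, standard variant.

Added example, not from the lecture slides. Block cipher outputs are
constants from NIST GCM test case 2 because no AES is implemented here.
"""
import hmac

R = 0xE1 << 120   # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements; GCM numbers bits so that bit 0 is the MSB."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _padded_blocks(data: bytes) -> list:
    """16-byte blocks, the last zero-padded on the right as GHASH requires."""
    return [data[i:i + 16].ljust(16, b"\x00") for i in range(0, len(data), 16)]


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """g = 0; g = (g XOR block) * H over AAD blocks, then ciphertext blocks,
    then the length block len(AAD) || len(C) (bit lengths, 64 bits each).
    The slide's g_0 = AAD * H is this same chain started from zero."""
    H = int.from_bytes(h, "big")
    g = 0
    for blk in _padded_blocks(aad) + _padded_blocks(ciphertext):
        g = gf128_mul(g ^ int.from_bytes(blk, "big"), H)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf128_mul(g ^ lengths, H).to_bytes(16, "big")


def gcm_tag(h: bytes, ek_ctr0: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """T = GHASH(H, AAD, C) XOR e_k(CTR_0)."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_ctr0))


def gcm_verify(h: bytes, ek_ctr0: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Receiver: recompute the tag and compare in constant time before decrypting."""
    return hmac.compare_digest(gcm_tag(h, ek_ctr0, aad, ciphertext), tag)


# Block cipher outputs from NIST GCM test case 2 (zero key, zero 96-bit IV).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")        # e_k(0^128)
EK_CTR0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # e_k(IV || 0^31 || 1)
C1 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")       # e_k(CTR_1) XOR 0^128
```

`gcm_tag(H, EK_CTR0, b"", C1)` reproduces the published tag `ab6e47d42cec13bdf53a67b21257bddf`, and with no AAD and no ciphertext the tag collapses to `EK_CTR0` itself (test case 1). Flipping a single ciphertext bit, or changing the AAD, makes `gcm_verify` reject the tag.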
Summary – Block cipher modes

• ECB mode is deterministic – vulnerable to attacks
• CBC, OFB, CFB, CTR modes are probabilistic, given a fresh IV for every message
• OFB, CFB, CTR modes use only the block cipher's encryption direction $e_k$, turning it into a keystream generator; no decryption function $e_k^{-1}$ is needed
• All except ECB require the IV to be shared (it may be sent in the clear)
• OFB, CTR modes can be used to generate a keystream or random numbers
• None of these modes detects modification of the ciphertext by itself; GCM adds the authentication tag for that
• Problem: how to share the secret key?
