8 views

Uploaded by masterofdon

- DfT-w_c_w
- watermarking vlsi report
- Electronic Document Verification using Visual Cryptography
- Bist Tutorial 1
- TB-ASBE- Secure Key Agreement for Data Access Control Using Tree Based Attribute-set-based Encryption
- STR95a
- Memory, Register and Aspects of System by Canara ENG Clg
- Data hiding for optimized security
- j
- A Built in Self Test Scheme for Vlsi
- DFT - Design for Testability - Verified With Hardware Emulation
- Illinois Scan 6 Per Page
- HDL Design for Peta Hertz Clock Based 2e31-1 Peta Bits Per Second (Pbps) PRBS Design for Ultra High Speed Applications Products
- Sequential Circuits Design
- A Faster Attack on Certain Stream Ciphers
- Manual
- IOSR Journals
- 16.Low Power Efficient Built in Self Test
- V2I600172
- e Commerce Lecture

You are on page 1of 37

Cryptography – CS 507

Erkay Savas

Sabancı University

Taxonomy of Cryptographic

Algorithms

Cryptography

Ciphers Ciphers Protocols

Stream Block

Ciphers Ciphers

Stream ciphers

• Basic idea comes from One-Time-Pad cipher,

• Encryption:

ci = mi ⊕ ki i = 1, 2, 3, ...

• Decryption:

mi = ci ⊕ ki i = 1, 2, 3, ...

• Drawback:

– Key-stream should be as long as plain-text.

– Key distribution & management difficult.

• Solution: Stream Ciphers

– key-stream is generated using a pseudo-random

generator from a relatively short secret key

12/07/10 Erkay Savas 3

Stream ciphers

• Randomness: Closely related to unpredictability.

• Pseudo-randomness: Pseudo-random sequences appears

random to a computationally bounded adversary.

• Stream ciphers can be modeled as finite-state machines.

Si+1

Si Si : state at time t = i.

G : output function.

F : next-state function.

F

Initial state, output and

G next-state functions are

ki controlled by the secret

mi ci key.

Linear Feedback Shift Registers

LFSR

Output sequence

c1 c2 cL ci = 0 or 1

C ( x) = 1 + c1 x + c2 x 2 + + cL x L : Connection Polynomial

can have maximum period of 2L-1

12/07/10 Erkay Savas 5

LFSR – Connection Polynomial

1+ x

1+ x2 + x3

http://fchabaud.free.fr/English/

LFSR ciphers

• m-sequences have good statistical properties.

• However, they are predictable

Example: 1+ x + x 4

ciphertext

plaintext

100011110101100 100011110101100 …

12/07/10 Erkay Savas 7

LFSR Ciphers

1000 0001

0010

1100

0100

1110

1001

1111

0011

0111

1011 0110

0101 1101

1010

1 0 0 0 1 1 1 1 0 1 0 1 1 0 0

0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 7

0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 7

1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 7

1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 7

0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 7

1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 7

0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 7

1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 7

1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 7

1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 7

1 1 1 1 0 1 0 1 1 0 0 1 0 0 0 7

0 1 1 1 1 0 1 0 1 1 0 0 1 0 0 7

0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 7

0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 7

1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 15

12/07/10 Erkay Savas 9

Linear Complexity of a Sequence

sequence sn, denoted L(sn), is the length of the

shortest LFSR that generates this sequence.

randomness (or unpredictability) of a sequence.

given sequence?

12/07/10 Erkay Savas 10

Berlekamp-Massey Algorithm(BMA)

the linear complexity of a finite binary

sequence.

– Let s be an binary sequence of linear complexity L,

and

– let t be any subsequence of s of length at least 2L.

– Then the BMA with input t determines an LFSR of

length L which generates s.

• Expected linear complexity of a random

sequence E(L(sn)) ≈ n/2 + 2/9.

12/07/10 Erkay Savas 11

Berlekamp-Massey Algorithm

Input sn = s0, s1, s2,…, sn-1

Output L(sn) and C(x)

Step 1 C(x) = B(x) = 1, L = 0, m = -1 and i = 0

Step 2 while (i < n)

Step 2.1 ∆ = (si + c1 si-1 + c2 si-2 + ... + cL si-L )

Step 2.2 If ∆ = 1 then

T(x) = C(x) and C(x) = C(x) + B(x)·xi-m

if L ≤ i/2 then

L = i+1-L, m = i and B(x) = T(x)

Step 2.3 i=i+1

Step 3 Return L and C(x)

12/07/10 Erkay Savas 12

Example

s31 = 1000010101110110001111100110100

C(x) L m B(x) i ∆

1 0 -1 1 0 ∆ = s0 = 1

1+x 1 0 1 1 ∆ = s1 + s0 = 1

1 1 0 1 2 ∆ = s2 = 0

1 1 0 1 3 ∆ = s3 = 0

1 1 0 1 4 ∆ = s4 = 0

1 1 0 1 5 ∆ = s5 = 1

1+x5 5 5 1 6 ∆ = s6 + s1 = 0

1+x5 5 5 1 7 ∆ = s7 + s2 = 1

12/07/10 Erkay Savas 13

Example

s31 = 1000010101110110001111100110100

C(x) L m B(x) i d

1+ x2 + x5 5 5 1 8 d = s8 + s6 + s3 = 0

1+ x2 + x5 5 5 1 9 d = s9 + s7 + s4 = 0

1+ x2 + x5 5 5 1 10 d = s10 + s8 + s5 = 0

1+ x2 + x5 5 5 1 11 d = s11 + s9 + s6 = 0

1+ x2 + x5 5 5 1 12 d = s12 + s10 + s7 = 0

1+ x2 + x5 5 5 1 13 d = s13 + s11 + s8 = 0

1+ x2 + x5 5 5 1 14 d = s14 + s12 + s9 = 0

1+ x2 + x5 5 5 1 15 d = s15 + s13 + s10 = 0

12/07/10 Erkay Savas 14

Properties of Linear Complexity

sequence sn satisfies 0 ≤ L(sn) ≤ n.

2. L(sn) = 0 iff sn is an all-zero sequence.

3. L(sn) = n iff sn = 0,0,…0,1.

4. If s is periodic with period N, then L(s) ≤ N

5. L(s ⊕ t) = L(s) + L(t)

6. L(s⋅ t) = L(s)⋅ L(t) if gcd(L(s), L(t)) = 1

Stream Ciphers Based on LFSRs

• Desirable properties of LFSR-based key-stream

generators:

– Large period

– Large linear complexity

– Good statistical properties

• Caveat: These are only necessary conditions for

a generator to be considered cryptographically

secure.

– Mathematical proofs of security of such generators

are not known.

– They are deemed to be computationally secure after

having withstood sufficient public scrutiny.

12/07/10 Erkay Savas 16

Nonlinear Combination Generator

LFSR1

Nonlinear Output

LFSR2

Combining

sequence

Function

LFSR3

Input

sequences

Nonlinear Combination Generator

Combiner function must be

1. balanced

2. carefully selected so that there is no statistical

dependence between any small subset of n LFSR

sequences and the output sequence

3. highly nonlinear (Nonlinearity of a function is given as

the maximum of the order of the terms in function’s

algebraic normal form).

Example:

F(x1, x2, x3, x4, x5) = 1 ⊕ x2 ⊕ x3 ⊕ x4 x5 ⊕ x1 x3 x4 x5

has nonlinear order 4.

12/07/10 Erkay Savas 18

The Geffe Generator

x1

LFSR1

x2 z

LFSR2

x3

LFSR3

function we can compute the linear complexity of the

output sequence.

• F(x1, x2, x3) = x1 x2 ⊕ x2 x3 ⊕ x3

12/07/10 Erkay Savas 19

Properties of the Geffe generator

and all connection polynomials are primitive, then

– L = L1·L2 + L2·L3 + L3

– T = (2L1-1) · (2L2-1) · (2L3-1)

• When we inspect the truth table of the

combiner function we gain more insight about

the security of Geffe generator.

Correlation in the Geffe Generator

x1 x2 x3 z = F(x1, x2, x3)

0 0 0 0

0 0 1 1

0 1 0 0

0 1 1 0

1 0 0 0

1 0 1 1

1 1 0 1

1 1 1 1

12/07/10 Erkay Savas 21

Correlation Attacks

• The method

– requires a sufficiently long output sequence.

– We assumed that the connection polynomials of the

LFSRs are known. (Recall Kerckhoffs' principle)

– We do not know the current or initial states of the

LFSRs.

– Input sequences of the same length will be compared

against the output sequence.

– the input sequence yielding a correlation that is

matching to the predefined correlation will be taken.

Example: Correlation Attacks

• Geffe Generator:

– LFSR1 : 1 + x + x4 and Initial key 1: 0001

– LFSR2: 1 + x + x3 and Initial key 2: 010

– LFSR3: 1 + x2 + x5 and Initial key 3: 10101

x1 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0

x2 0 1 0 0 1 1 1 0 1 0 0 1 1 1 0

x3 1 0 1 0 1 1 1 0 1 1 0 0 0 1 1

z 1 0 1 0 1 1 1 0 0 1 0 1 1 0 1

Example: Correlated, Indeed

x1 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 12/15

x2 0 1 0 0 1 1 1 0 1 0 0 1 1 1 0 8/15

x3 1 0 1 0 1 1 1 0 1 1 0 0 0 1 1 11/15

z 1 0 1 0 1 1 1 0 0 1 0 1 1 0 1

(real seed is 0001)

Example: Computing Correlation

z 1 0 1 0 1 1 1 0 0 1 0 1 1 0 1

0111 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 8/15

1011 1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 8/15

0101 1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 10/15

1010 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 6/15

1101 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 8/15

0110 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 10/15

0011 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 6/15

1001 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 6/15

0100 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 8/15

0010 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 4/15

0001 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 12/15

1000 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 7/15

12/07/10 Erkay Savas 25

Example: Cost of the Attack

• Brute force attack: 15× 7× 31 = 3255 trial

Li

n

∏i =1 (2 − 1)

If there is correlation between the output and

inputs, the effective key space can be reduced

to

Li

n

∑i =1 ( 2 − 1)

12/07/10 Erkay Savas 26

Other Constructions

• An LFSR can be clocked by the output of another

LFSR.

– This introduces an irregularity in clocking of the first

LFSR, hence increase the linear complexity of its output.

• Example: Shrinking Generator

si No attacks better than

LFSR - S

exhaustive search if the

connection polynomials are

secret

ai If si = 1 output ai

LFSR - A

If si = 0 discard ai

if gcd( Ls , L A ) = 1 ⇒ T = (2 L A − 1) ⋅ 2 LS −1

L A ⋅ 2 LS − 2 < L < L A ⋅ 2 LS −1

12/07/10 Erkay Savas 27

GSM Cryptography

GSM Cryptography: A5/1

A5/1

• A5/2 is a weaker version of A5/1

– Both A5/1 and A5/2 are weak ciphers.

• A5/3 , a.k.a. KASUMI, is a block cipher.

– In 2006, ciphertext-only attack against A5/3

– Instant Ciphertext-Only Cryptanalysis of GSM Encrypted

Communication, by E. Barkan, E. Biham and N. Keller, July

2006

– http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-

get.cgi/2006/CS/CS-2006-07.pdf

– O. Dunkelman, N. Keller, A. Shamir (2010-01-10). A

Practical-Time Attack on the A5/3 Cryptosystem Used in

Third Generation GSM Telephony

eSTREAM Competition - Trivium

• Trivium is a synchronous stream cipher designed to

provide a flexible trade-off between speed and

gate count in hardware, and reasonably efficient

software implementation.

• Three shift registers: A, B, and C (93, 84, and 111

bits, respectively)

– ai = ci-66 + ci-111 + ci-110 ci-109 + ai-69

– bi = ai-66 + ai-93 + ai-92 ai-91 + bi-78

– ci = bi-69 + bi-84 + bi-83 bi-82 + ci-87

– ri = ci-66 + ci-111 + ai-66 + ai-93 + bi-69 + bi-84

12/07/10 Erkay Savas 31

Trivium

+ 1 A 66 69 91 92 93 +

ri

+ 1 B 69 78 82 83 84 + +

+

Trivium

• Given an 80-bit key k0 ... k79 and an l-bit IV v0 ...

vl-1 (where 0 ≤ l ≤ 80), Trivium is initialized as

follows:

– (a-1245 ... a-1153 ) = (0, 0 ... 0, k0 ... k79 )

– (b-1236 ... b-1153 ) = (0, 0 ... 0, v0 ... vl-1 )

– (c-1263 ... c-1153 ) = (1, 1, 1, 0, 0 ... 0)

reflect the 1152 steps that must take place

before output is produced.

12/07/10 Erkay Savas 33

Performance

Frequency

Trivium by 90nm 800 MHz ≈ 5645 51.2 Gpbs 64

Gaj et al.

AES by 0.11μm 145 MHz 12454 1.595 Gpbs 11

Satoh

AES by 0.18μm 606 MHz 473000 77.6 Gpbs 128

Hodjat

AES by 0.25μm 323 MHz 26000 41.3 Gpbs 127.86

Northpole

Eng.

Synchronous Stream Ciphers

Si+1 Si+1

Si mi mi Si

F F

G ci ci G

ki

Sender ki Receiver

• Resynchronization is needed.

• Key-stream is independent of plaintext and

ciphertext. (confusion)

• No error propagation.

• Active attacks can easily be detected (i.e.

insertion, deletion, replay)

12/07/10 Erkay Savas 35

Asynchronous Stream Ciphers

• a.k.a. self-synchronizing stream ciphers

ki

G G

ki ci ci

Sender mi Receiver

mi

Asynchronous Stream Ciphers

• The key stream is generated as a function of a

fixed number of previous ciphertext bits

• Limited error propagation (up to t bits).

• After at most t bits later than synchronization

is lost, it resynchronizes itself

• It helps to diffuse plain-text statistics.

- DfT-w_c_wUploaded byChethan Jayasimha
- watermarking vlsi reportUploaded byVig Nesh
- Electronic Document Verification using Visual CryptographyUploaded byInternational Journal of Innovative Science and Research Technology
- Bist Tutorial 1Uploaded bykv
- TB-ASBE- Secure Key Agreement for Data Access Control Using Tree Based Attribute-set-based EncryptionUploaded byEditor IJRITCC
- STR95aUploaded bytariq76
- Memory, Register and Aspects of System by Canara ENG ClgUploaded byabhijith
- Data hiding for optimized securityUploaded byInternational Journal for Scientific Research and Development - IJSRD
- A Built in Self Test Scheme for VlsiUploaded byVishwanath Natarajan
- jUploaded byvijaykannamalla
- DFT - Design for Testability - Verified With Hardware EmulationUploaded byRod Sb
- Illinois Scan 6 Per PageUploaded byNagaraj Sainagasubramanian
- HDL Design for Peta Hertz Clock Based 2e31-1 Peta Bits Per Second (Pbps) PRBS Design for Ultra High Speed Applications ProductsUploaded byEditor IJRITCC
- Sequential Circuits DesignUploaded byMihai Roman
- A Faster Attack on Certain Stream CiphersUploaded byΟλυμπίδης Ιωάννης
- ManualUploaded bySuhas Shirol
- IOSR JournalsUploaded byInternational Organization of Scientific Research (IOSR)
- 16.Low Power Efficient Built in Self TestUploaded byUday Kumar
- V2I600172Uploaded byeditor_ijarcsse
- e Commerce LectureUploaded byMihir Gandhi
- PUEAESUploaded bykiranvarma7777
- Network SecurityUploaded byHaritha Devinani
- Illinois Scan ArchitectureUploaded byshri1527
- Li_Lilja_Qian_Bazargan_Riedel_Computation_on_Stochastic_Bit_Streams_Digital_Image_Processing_Case_Studies.pdfUploaded byNarendra
- art%3A10.1007%2Fs11235-011-9460-1Uploaded bylaz_chikhi1574
- CryptographyUploaded bySky Nalin
- IRJET- Power Optimization of Linear Feedback Shift Register (LFSR) using Power GatingUploaded byIRJET Journal
- cns tool.docUploaded bysojitradarshak
- 2408-Article Text-4342-1-10-20180102 (1)Uploaded byDoveann Dealagdon
- Black Hats, White Hats, And Hard HatsUploaded bySteve Asher

- NPCT42xUploaded byC P
- Tutorial for pythonUploaded bySamuel Roldan Moros
- Modbus RS485 Communications - Wilo PumpsUploaded bymachineman
- Oracle-Workflow manual.pdfUploaded byFher Lino
- 01.NumberSystemsUploaded byAnubhav Gupta
- BarcodeUploaded byPradeep Negi
- thinkcspy3Uploaded byAlessandro Nz
- Comparison Between Clustering Algorithms for Microarray Data AnalysisUploaded byInternational Organization of Scientific Research (IOSR)
- Test de Simulador MtcnaUploaded byanon_453900437
- Using Brain Waves as New Biometric Feature for Authenticating a Computer User in Real-TimeUploaded byAI Coordinator - CSC Journals
- Virtual Machine Setup GuideUploaded bysrituraj17
- A Computer is an Electronic Device That Processes Data by Following a Set of InstructionsUploaded bySifilis96
- Hacking Facebook 1.02Uploaded bybarneyr666999
- Oracle Apps R12 ArchitectureUploaded bySudhakar Ganjikunta
- High Speed, Power and Area efficient Algorithms for ALU using Vedic MathematicsUploaded byVamshi Krishna
- IB-NAS4220-B_UK1Uploaded byJohn Johnson
- 52 Using PidxUploaded byChien Nguyen
- Tutorial Bergambar Wpa Cracking Using Xiaopan Os _ Xiaopan ForumsUploaded bysabar5
- Hard and Soft Partitioning With Oracle VM 06-16-14Uploaded byMuneer Shaik
- Kamailio Start to FinishUploaded byLy Quoc Chinh
- Como Hablar PDF[1]Uploaded byOscar Alfonso Hernandez Niklitschek
- finding semantic relation among medical termsUploaded bySneha Bairagi
- Previous QPUploaded byRajendra Sinha
- MIS12Uploaded byGowri Shankar
- Systems Midterm 1 S15 SolUploaded byAliBaranIşık
- Final Capabilities Document- Team 18Uploaded bySarah Swanson
- 08 n31638en30gla00 Ranpar1 Resourcemanager Ru30 v1.2Uploaded byAyyoub Yousef Mukattash
- Applying Domain-Driven Design and Patterns_ With Examples in C# and.netUploaded bybrench2
- CreateandreadXML.docxUploaded bypintothefeak
- User ExitsUploaded byAnvit Sah