You are on page 1of 37

Stream Ciphers

Cryptography – CS 507
Erkay Savas
Sabancı University
Taxonomy of Cryptographic
Algorithms
Cryptography

Symmetric Asymmetric Cryptographic


Ciphers Ciphers Protocols

Stream Block
Ciphers Ciphers

12/07/10 Erkay Savas 2


Stream ciphers
• Basic idea comes from One-Time-Pad cipher,
• Encryption:
ci = mi ⊕ ki i = 1, 2, 3, ...
• Decryption:
mi = ci ⊕ ki i = 1, 2, 3, ...
• Drawback:
– Key-stream should be as long as plain-text.
– Key distribution & management difficult.
• Solution: Stream Ciphers
– key-stream is generated using a pseudo-random
generator from a relatively short secret key
12/07/10 Erkay Savas 3
Stream ciphers
• Randomness: Closely related to unpredictability.
• Pseudo-randomness: Pseudo-random sequences appears
random to a computationally bounded adversary.
• Stream ciphers can be modeled as finite-state machines.

Si+1
Si Si : state at time t = i.
G : output function.
F : next-state function.
F
Initial state, output and
G next-state functions are
ki controlled by the secret
mi ci key.

12/07/10 Erkay Savas 4


Linear Feedback Shift Registers
LFSR
Output sequence

c1 c2 cL ci = 0 or 1

C ( x) = 1 + c1 x + c2 x 2 +  + cL x L : Connection Polynomial

• If C(x) is chosen carefully the output of LFSR


can have maximum period of 2L-1
12/07/10 Erkay Savas 5
LFSR – Connection Polynomial

1+ x

1+ x2 + x3

http://fchabaud.free.fr/English/

12/07/10 Erkay Savas 6


LFSR ciphers
• m-sequences have good statistical properties.
• However, they are predictable

Example: 1+ x + x 4

ciphertext

plaintext

Output of LFSR when initial state is (0001):

100011110101100 100011110101100 …
12/07/10 Erkay Savas 7
LFSR Ciphers
1000 0001
0010
1100
0100
1110
1001
1111
0011
0111

1011 0110

0101 1101
1010

12/07/10 Erkay Savas 8


1 0 0 0 1 1 1 1 0 1 0 1 1 0 0
0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 7
0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 7
1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 7
1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 7
0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 7
1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 7
0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 7
1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 7
1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 7
1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 7
1 1 1 1 0 1 0 1 1 0 0 1 0 0 0 7
0 1 1 1 1 0 1 0 1 1 0 0 1 0 0 7
0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 7
0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 7
1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 15
12/07/10 Erkay Savas 9
Linear Complexity of a Sequence

• Definition: The linear complexity of a binary


sequence sn, denoted L(sn), is the length of the
shortest LFSR that generates this sequence.

• Use: It can be used as a tool to asses the


randomness (or unpredictability) of a sequence.

• Problem: Is it easy to construct the LFSR for a


given sequence?
12/07/10 Erkay Savas 10
Berlekamp-Massey Algorithm(BMA)

• BMA is an efficient algorithm for determining


the linear complexity of a finite binary
sequence.
– Let s be an binary sequence of linear complexity L,
and
– let t be any subsequence of s of length at least 2L.
– Then the BMA with input t determines an LFSR of
length L which generates s.
• Expected linear complexity of a random
sequence E(L(sn)) ≈ n/2 + 2/9.
12/07/10 Erkay Savas 11
Berlekamp-Massey Algorithm
Input sn = s0, s1, s2,…, sn-1
Output L(sn) and C(x)
Step 1 C(x) = B(x) = 1, L = 0, m = -1 and i = 0
Step 2 while (i < n)
Step 2.1 ∆ = (si + c1 si-1 + c2 si-2 + ... + cL si-L )
Step 2.2 If ∆ = 1 then
T(x) = C(x) and C(x) = C(x) + B(x)·xi-m
if L ≤ i/2 then
L = i+1-L, m = i and B(x) = T(x)
Step 2.3 i=i+1
Step 3 Return L and C(x)
12/07/10 Erkay Savas 12
Example
s31 = 1000010101110110001111100110100

C(x) L m B(x) i ∆
1 0 -1 1 0 ∆ = s0 = 1
1+x 1 0 1 1 ∆ = s1 + s0 = 1
1 1 0 1 2 ∆ = s2 = 0
1 1 0 1 3 ∆ = s3 = 0
1 1 0 1 4 ∆ = s4 = 0
1 1 0 1 5 ∆ = s5 = 1
1+x5 5 5 1 6 ∆ = s6 + s1 = 0
1+x5 5 5 1 7 ∆ = s7 + s2 = 1
12/07/10 Erkay Savas 13
Example
s31 = 1000010101110110001111100110100

C(x) L m B(x) i d
1+ x2 + x5 5 5 1 8 d = s8 + s6 + s3 = 0
1+ x2 + x5 5 5 1 9 d = s9 + s7 + s4 = 0
1+ x2 + x5 5 5 1 10 d = s10 + s8 + s5 = 0
1+ x2 + x5 5 5 1 11 d = s11 + s9 + s6 = 0
1+ x2 + x5 5 5 1 12 d = s12 + s10 + s7 = 0
1+ x2 + x5 5 5 1 13 d = s13 + s11 + s8 = 0
1+ x2 + x5 5 5 1 14 d = s14 + s12 + s9 = 0
1+ x2 + x5 5 5 1 15 d = s15 + s13 + s10 = 0
12/07/10 Erkay Savas 14
Properties of Linear Complexity

1. For any n ≥ 1, the linear complexity of the


sequence sn satisfies 0 ≤ L(sn) ≤ n.
2. L(sn) = 0 iff sn is an all-zero sequence.
3. L(sn) = n iff sn = 0,0,…0,1.
4. If s is periodic with period N, then L(s) ≤ N
5. L(s ⊕ t) = L(s) + L(t)
6. L(s⋅ t) = L(s)⋅ L(t) if gcd(L(s), L(t)) = 1

12/07/10 Erkay Savas 15


Stream Ciphers Based on LFSRs
• Desirable properties of LFSR-based key-stream
generators:
– Large period
– Large linear complexity
– Good statistical properties
• Caveat: These are only necessary conditions for
a generator to be considered cryptographically
secure.
– Mathematical proofs of security of such generators
are not known.
– They are deemed to be computationally secure after
having withstood sufficient public scrutiny.
12/07/10 Erkay Savas 16
Nonlinear Combination Generator

LFSR1

Nonlinear Output
LFSR2
Combining
sequence
Function
LFSR3
Input
sequences

12/07/10 Erkay Savas 17


Nonlinear Combination Generator
Combiner function must be
1. balanced
2. carefully selected so that there is no statistical
dependence between any small subset of n LFSR
sequences and the output sequence
3. highly nonlinear (Nonlinearity of a function is given as
the maximum of the order of the terms in function’s
algebraic normal form).
Example:
F(x1, x2, x3, x4, x5) = 1 ⊕ x2 ⊕ x3 ⊕ x4 x5 ⊕ x1 x3 x4 x5
has nonlinear order 4.
12/07/10 Erkay Savas 18
The Geffe Generator
x1
LFSR1

x2 z
LFSR2

x3
LFSR3

• Utilizing the algebraic normal form of the combiner


function we can compute the linear complexity of the
output sequence.
• F(x1, x2, x3) = x1 x2 ⊕ x2 x3 ⊕ x3
12/07/10 Erkay Savas 19
Properties of the Geffe generator

• If the lengths of the LFSRs are relatively prime


and all connection polynomials are primitive, then
– L = L1·L2 + L2·L3 + L3
– T = (2L1-1) · (2L2-1) · (2L3-1)
• When we inspect the truth table of the
combiner function we gain more insight about
the security of Geffe generator.

12/07/10 Erkay Savas 20


Correlation in the Geffe Generator
x1 x2 x3 z = F(x1, x2, x3)
0 0 0 0
0 0 1 1
0 1 0 0
0 1 1 0
1 0 0 0
1 0 1 1
1 1 0 1
1 1 1 1

• The combiner function is balanced

• However, the correlation of z to x1 is P(z = x1) = ¾


12/07/10 Erkay Savas 21
Correlation Attacks
• The method
– requires a sufficiently long output sequence.
– We assumed that the connection polynomials of the
LFSRs are known. (Recall Kerckhoffs' principle)
– We do not know the current or initial states of the
LFSRs.
– Input sequences of the same length will be compared
against the output sequence.
– the input sequence yielding a correlation that is
matching to the predefined correlation will be taken.

12/07/10 Erkay Savas 22


Example: Correlation Attacks
• Geffe Generator:
– LFSR1 : 1 + x + x4 and Initial key 1: 0001
– LFSR2: 1 + x + x3 and Initial key 2: 010
– LFSR3: 1 + x2 + x5 and Initial key 3: 10101

x1 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0
x2 0 1 0 0 1 1 1 0 1 0 0 1 1 1 0
x3 1 0 1 0 1 1 1 0 1 1 0 0 0 1 1
z 1 0 1 0 1 1 1 0 0 1 0 1 1 0 1

12/07/10 Erkay Savas 23


Example: Correlated, Indeed

x1 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 12/15

x2 0 1 0 0 1 1 1 0 1 0 0 1 1 1 0 8/15

x3 1 0 1 0 1 1 1 0 1 1 0 0 0 1 1 11/15

z 1 0 1 0 1 1 1 0 0 1 0 1 1 0 1

Let us start with 0111 for LFSR1


(real seed is 0001)

12/07/10 Erkay Savas 24


Example: Computing Correlation
z 1 0 1 0 1 1 1 0 0 1 0 1 1 0 1
0111 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 8/15
1011 1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 8/15
0101 1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 10/15
1010 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 6/15
1101 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 8/15
0110 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 10/15
0011 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 6/15
1001 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 6/15
0100 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 8/15
0010 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 4/15
0001 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 12/15
1000 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 7/15
12/07/10 Erkay Savas 25
Example: Cost of the Attack
• Brute force attack: 15× 7× 31 = 3255 trial

• Correlation attack: 15+7+31 = 53 trial.

• If we have n LFSRs, the key space ideally is


Li
n
∏i =1 (2 − 1)
If there is correlation between the output and
inputs, the effective key space can be reduced
to
Li
n
∑i =1 ( 2 − 1)
12/07/10 Erkay Savas 26
Other Constructions
• An LFSR can be clocked by the output of another
LFSR.
– This introduces an irregularity in clocking of the first
LFSR, hence increase the linear complexity of its output.
• Example: Shrinking Generator
si No attacks better than
LFSR - S
exhaustive search if the
connection polynomials are
secret
ai If si = 1 output ai
LFSR - A
If si = 0 discard ai

if gcd( Ls , L A ) = 1 ⇒ T = (2 L A − 1) ⋅ 2 LS −1
L A ⋅ 2 LS − 2 < L < L A ⋅ 2 LS −1
12/07/10 Erkay Savas 27
GSM Cryptography
GSM Cryptography: A5/1

12/07/10 Erkay Savas 29


A5/1
• A5/2 is a weaker version of A5/1
– Both A5/1 and A5/2 are weak ciphers.
• A5/3 , a.k.a. KASUMI, is a block cipher.
– In 2006, ciphertext-only attack against A5/3
– Instant Ciphertext-Only Cryptanalysis of GSM Encrypted
Communication, by E. Barkan, E. Biham and N. Keller, July
2006
– http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-
get.cgi/2006/CS/CS-2006-07.pdf
– O. Dunkelman, N. Keller, A. Shamir (2010-01-10). A
Practical-Time Attack on the A5/3 Cryptosystem Used in
Third Generation GSM Telephony

12/07/10 Erkay Savas 30


eSTREAM Competition - Trivium
• Trivium is a synchronous stream cipher designed to
provide a flexible trade-off between speed and
gate count in hardware, and reasonably efficient
software implementation.
• Three shift registers: A, B, and C (93, 84, and 111
bits, respectively)
– ai = ci-66 + ci-111 + ci-110 ci-109 + ai-69
– bi = ai-66 + ai-93 + ai-92 ai-91 + bi-78
– ci = bi-69 + bi-84 + bi-83 bi-82 + ci-87

• The output bits r0 ... r264 -1 are then generated by


– ri = ci-66 + ci-111 + ai-66 + ai-93 + bi-69 + bi-84
12/07/10 Erkay Savas 31
Trivium

+ 1 A 66 69 91 92 93 +

ri
+ 1 B 69 78 82 83 84 + +
+

+ 1 C 66 87 109 110 111 + +

12/07/10 Erkay Savas 32


Trivium
• Given an 80-bit key k0 ... k79 and an l-bit IV v0 ...
vl-1 (where 0 ≤ l ≤ 80), Trivium is initialized as
follows:
– (a-1245 ... a-1153 ) = (0, 0 ... 0, k0 ... k79 )
– (b-1236 ... b-1153 ) = (0, 0 ... 0, v0 ... vl-1 )
– (c-1263 ... c-1153 ) = (1, 1, 1, 0, 0 ... 0)

• The large negative indices on the initial values


reflect the 1152 steps that must take place
before output is produced.
12/07/10 Erkay Savas 33
Performance

Design Technology Max. Area Throughput bits/cycle


Frequency
Trivium by 90nm 800 MHz ≈ 5645 51.2 Gpbs 64
Gaj et al.
AES by 0.11μm 145 MHz 12454 1.595 Gpbs 11
Satoh
AES by 0.18μm 606 MHz 473000 77.6 Gpbs 128
Hodjat
AES by 0.25μm 323 MHz 26000 41.3 Gpbs 127.86
Northpole
Eng.

12/07/10 Erkay Savas 34


Synchronous Stream Ciphers
Si+1 Si+1
Si mi mi Si

F F

G ci ci G
ki
Sender ki Receiver

• Sender and receiver must be synchronized.


• Resynchronization is needed.
• Key-stream is independent of plaintext and
ciphertext. (confusion)
• No error propagation.
• Active attacks can easily be detected (i.e.
insertion, deletion, replay)
12/07/10 Erkay Savas 35
Asynchronous Stream Ciphers
• a.k.a. self-synchronizing stream ciphers

ci-t … ci-2 ci-1 ci-1 ci-2 … ci-t

ki
G G
ki ci ci
Sender mi Receiver
mi

12/07/10 Erkay Savas 36


Asynchronous Stream Ciphers
• The key stream is generated as a function of a
fixed number of previous ciphertext bits
• Limited error propagation (up to t bits).
• After at most t bits later than synchronization
is lost, it resynchronizes itself
• It helps to diffuse plain-text statistics.

12/07/10 Erkay Savas 37