550 likes | 738 Views
Introduction to Practical Cryptography. Lectures 3/4 Stream Ciphers. Agenda. Properties Building Blocks Competitions Examples. Uses. Encryption of streaming data Random bit generation. Stream Ciphers. Stream cipher outputs keystream, KS
E N D
Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers
Agenda • Properties • Building Blocks • Competitions • Examples
Uses • Encryption of streaming data • Random bit generation
Stream Ciphers • Stream cipher outputs keystream, KS • KS produced by a function, F, that is initialized with a key, k • C = Ek(P) = P KS • P = C KS • k can be used only once • C1 = Ek1(P1); C2 = Ek2(P2) • C1 C2 = P1 KS1 P2 KS2 = P1 P2 if KS1 = KS2 • Will know when P1 and P2 have identical bits • If know part of P1 (if packet headers, format information), then can obtain part of P2 • Period – how long is KS before it starts repeating? • repeating is equivalent to reusing a key
Stream Ciphers • Speed • Initialization • Keystream generation • Resources – memory, power, cpu • Hardware, software suitability
Stream Ciphers • Synchronous stream cipher • Sender and receiver must be in-synch • Lost bit garbles all subsequent bits unless synch up • Flipped bit garbles only one bit • Can precompute key stream • Example: RC4, block cipher in OFB mode • Self-synchronizing stream ciphers • Use n previous ciphertext bits to compute keystream • Lost bit: synch up after n bits • Flipped bit : next n bits garbled • Can’t precompute keystream • Example: Block cipher in ciphertext feedback (CFB) mode
Stream Ciphers – General Concept • State Updates • FSR based (SOBER, LILI) • Array Permutations (RC4) state (data) key next state function output function ksi pi (ci) ci (pi) synchronous
Stream Ciphers – General Concept state (data) • error propagation • block cipher in CFB mode key next state function output function subset of ci’s ksi pi (ci) ci self synchronizing
Keystream Properties • Period • Period of 232 repeats after ~ 8.5 minutes when encrypting 1MB/sec • Random appearance: • Runs of 1’s or 0’s: ½ with length 1, ¼ with length 2, 1/8 have length 3 … • Test – little or no compression • Dissipates statistics of plaintext • Complexity: • Low ability to define a bit as a linear expression (or algebraic expression) of bits < period bits away • No discernable relation to key (seed/initial state) bits
Agenda • Properties • Building Blocks • Competitions • Examples
Stream Ciphers - Approaches • Feedback Shift Register (FSR) based – useful in hardware • Block cipher – CTR, CFB, OFB modes • Components similar to those found in block ciphers
Feedback Shift Register bits, same concept with bytes, words State: bi values b0 bn-1 bn-2 …… b1 b0 …… new bn-1 Tap Sequence: bits used in F F(bn-1,…..b0) • Feedback with Carry Shift (FCSR) • F: s = (ibi + c) for i {0,1} • i=0,n-1 • bn-1 = s mod 2 • c = s/2 mod log2 (# tap bits) • Linear F: bn-1 =ibi for i {0,1} • i=0,n-1 • Nonlinear F
Feedback Shift Registers • Period • LFSR of n bits: Maximum 2n –1 • FCSR: depends on initial state • Non-linear FSR: depends on function, initial state • Inefficient in Software • Small # of bits in tap sequence, easier to break. • Large # of bits in tap sequence, slow. • Security • Berlekamp-Massey Algorithm: 2n output bits needed to reproduce the LFSR in O(n2) time. • Non-linear FSR: avoid linear approximations
Variations Utilizing LFSR Combination generator • Output bit = nonlinear function on output of multiple LFSRs. • May clock each LFSR differently • Various combinations of AND,OR,Thresholds LSFR1 LSFR2 nonlinear function . . . keystream LSFRn
Variations Utilizing LFSR • Clock controlled generator • Move to next state only on some clock cycles. • Move to next state on every cycle but only output bit on some clock cycles. • 2nd LFSR may control clock. • Clock control that affects output is also called stuttering
Clock Control Examples • Stop and Go: • 2 LFSRs • LFSR1’s output clocks LFSR2 • Alternating Stop and Go: • 3 LFSRs • output of LFSR1 indicates whether to clock LFSR2 or LFSR3 • output is of LFSR’s 2 and 3 • Bilateral Stop and Go: • 2 LFSRs • output = of both outputs • clock LSRFs depending on their output values • Self-Decimated Generators: • control their own clock – some function of their state bits controls clock
Clock Control Examples • Shrinking Generator: • 2 LFSRs • always clock • if LFSR1 outputs 1, use LFSR2’s output, else no output on that cycle • called “shrinking” because fewer output bits than clock ticks • Self Shrinking Generator: • similar to shrinking generator but use 2 different bits from 1 LSFR instead of 2 LFSRs • Cascade: • output of 1st level (may be single or combination of generators) controls clock of next level • usually not secure due to some relationship between 1st level output and final output.
Agenda • Properties • Building Blocks • Competitions • Examples
NESSIE Stream Cipher Submissions • None recommended • BMGL – too slow, small internal state – time/memory tradeoff attack • Leviathan - distinguishing attack • LILI-128 – attack O(271) • SNOW – distinguishing attack • SOBER-t16 – distinguishing attack • SOBER-t32 – distinguishing attack • Both Sober algorithms thought to be subject to side channel analysis
ECRYPT’s eStream Contest • Just ended (3rd round of evaluations finished, winners selected) • 4 for software, 4 for hardware • In third round of evaluations • 16 candidates • 3+ years from time of call for proposals to final report • originally November 2004 to January 2008 • Just ended • ECRYPT: European Network of Excellence for Cryptology
eStream Overview • Categories • key length of 128 bits and an IV length of 64 and/or 128 bits • key length of 80 bits and an IV length of 32 and/or 64 bits • Separate software and hardware categories within each • Evaluation • Security • Free of licensing requirements … • Performance, range of environments • Committee is only collecting submissions. Evaluations are done by the general cryptographic community.
eStream Evaluation • Security Criteria • Any key-recovery attack should be at least as difficult as exhaustive search. • Distinguishing attacks • Interest to the cryptographic community • Relative importance of high complexity distinguishing attacks is an issue for wider discussion • Clarity of design • Implementation Criteria • Software and hardware efficiency • Execution code and memory sizes • Performance • Flexibility of use
eSTREAM Phase 3 Candidates http://www.ecrypt.eu.org/stream/phase3list.html key lengths: 128 bits for SW and 80 bits for HW
eSTREAM Winners http://www.ecrypt.eu.org/stream/ key lengths: 128 bits for SW and 80 bits for HW
Agenda • Properties • Building Blocks • Competitions • Examples
Stream Cipher Examples • Lists • http://en.wikipedia.org/wiki/Stream_cipher • http://www.ecrypt.eu.org/stream/ • RC4 • A5/1 • A5/3 • LILI • Sober • Trivium • Lex
RC4 • Keystream Generator • i = 0; j = 0; • loop { • i = (i+1) mod 256; • j = (j+S[i]) mod 256; • Swap(S[i],S[j]); • t = (S[i] + S[j]) mod 256; • ks_byte = S[t]; • } S-Box Creation input key; if (key < 256 bytes) { repeat key until 256 bytes; } for (i=0; i < 256; ++i) { S[i] = i; // initialize S-Box K[i] = ith key byte; } j = 0; for (i = 0; i <256; ++i) { j = (j + S[i] + K[i]) mod 256; swap(S[i],S[j]); } 2 S-Box entries form index into S-Box Output S-Box entry (byte) S-Box: key dependent permutation of 0 to 255. (lookup table)
RC4 Cryptanalysis • Initial keystream byte highly correlated with first few key bytes • Recommendations to discard first 256 or 512 output bytes • Distinguish from random: O(230.6) bytes needed • Attempts to backtrack to initial state from keystream • Keystream Generator • i = 0; j = 0; • loop { • i = (i+1) mod 256; • j = (j+S[i]) mod 256; • Swap(S[i],S[j]); • t = (S[i] + S[j]) mod 256; • ks_byte = S[t]; • }
A5/1 • Used in Global System for Mobil Communications (GSM) • Example of a cipher manufacturers tried to keep secret, it was leaked and also reversed engineered within 5 years • A5/2 – weaker cipher used in some countries due to export rules • GSM phone conversations are sent as sequences of frames. • One 228 bit frame is sent every 4.6 milliseconds: 114 bits for the communication in each direction. • A5/1 produces 228 bits to XOR with the frame • Initialized using a 64-bit key combined with a publicly-known 22-bit frame number. • In some GSM implementations, 10 key bits are fixed at zero - effective key length is 54 bits. • A5/1 is based around a combination of three LFSRs with irregular clocking.
A5/1 Image from Wikipedia
A5/1 LSRFs • 19 bits • x19 + x5 + x2 + x + 1 • clock bit 8 • tapped bits: 13, 16, 17, 18 • 22 bits • x22 + x + 1 • clock bit 10 • tapped bits 20, 21 • 23 bits • x23 + x15 + x2 + x + 1 • clock bit 10 • tapped bits 7, 20, 21, 22 • Least significant bit numbered 0 • Tapped bits of each LSRF are XORed to create value of next 0 bit. • Output bits of the three LSRFs are XORed to form the keystream bit
A5/1 • Each cycle, look at the three clock bits. The majority value, cm, is determined. • In each LSRF, if the clock bit matches cm, the registers are clocked. • In each cycle, 2 or 3 LSRFs will be clocked.
A5/1 Initialization • Registers set to all 0’s • Incorporate the key and frame number: • For 64 cycles, the key is mixed in by XORing the ith key bit with the least significant bit of each register • For 22 cycles, the 22 bit frame value is mixed in – same as with key value • Normal clocking used • 100 cycles are run using the majority clocking, the output is discarded • End result is the initial state
A5/1 • Three short LSFRs • Not many tap bits to guess
A5/3 Core BLCNT is a 64 bit counter KM = 0x555….555 (128 bit key modifier) CK = key bits • defined on next slide • CBC XORed with counter and key • A counter previous output
A5/3 GSM • Kc = key • http://www.gsmworld.com/using/algorithms/docs/a5_3_and_gea3_specifications.pdf
LILI Family of keystream generators Regularly clocked Irregular: clocked c times LFSRC LFSRD s1 sk s1 sn s2 s2 … … bit for keystream. c FD b Fc clocking function integer output non-linear function
SOBER - Original LFSR S17 = 141 S15 175 S0 LFSR: 17 bytes, 128 bit key Clock Control Si’s • Nonlinear transformation • Vn = (S0 + S2 + S5 + S12) • (S12S13) Stutter Control sc = next 2 bits of byte need byte: clock, take Vn Clock Control (sc) 00: 1 clock 01: clock, output, clock 10: 2 clocks 11: 1 clock Vn Vn Output function (sc) 00: No output 01: Vn 01101001 10: Vn 11: Vn 10010110 sc output byte
Sober t{8,16,32} 8,16,32 = byte size of key
Sober-t LSFR for Sober-tw w = 8,16,32 Max period: 213w-1
Non-linear Function LFSR output input to non-linear function fw, output added to subset of LSFRs bits, XORed with key-dependent value, this result then added to subset of LSRF bits
Trivium • Christophe De Canniere and Bart Preneel • hardware oriented synchronous stream cipher • Trivium generates up to 264 bits of key stream from an 80-bit secret key and an 80-bit initial value (IV). • Internal state is 288 bits
Trivium • IV and key used to initialize the state • Iterate state • extract values of 15 specific state bits and use them to update 3 bits of the state and to compute 1 bit of the key stream zi. • state bits then rotated and process repeats
Trivium Key Stream Generation for i = 1 to N do t1 s66 s93 t2 s162 s177 t3 s243 s288 zi t1 t2 t3 t1 t1 s91 s92 s171 t2 t2 s175 s176 s264 t3 t3 s286 s287 s69 (s1; s2; : : : ; s93) (t3; s1; : : : ; s92) (s94; s95; : : : ; s177) (t1; s94; : : : ; s176) (s178; s279; : : : ; s288) (t2; s178; : : : ; s287) end for
Trivium Initialization • load 80-bit key and 80-bit IV into 288-bit initial state • set all remaining bits to 0, except for s286, s287, and s288, which are set to 1 • state is rotated over 4 full cycles of the for look, but no bits are output (for i = 1 to 4288)
Trivium • state bit is not used for at least 64 iterations after it has been modified • up to 64 iterations can be computed at once, provided that 3 AND gates and 11 XOR gates in the original scheme are duplicated a corresponding number of times
Estimated Gate Counts1-bit to 64-bit hardware implementations
Software • Stream generation: 12 cycles/byte • Key setup: 55 cycles • IV setup: 2050 cycles • on Intel XeonTM CPU 1.5 GHz
Trivium Security • Linear correlations between key stream bits and internal state bits are easy to find because zi is simply defined to be equal to s66s93 s162 s177 s243 s288. • But, as opposed to LFSR based ciphers, Trivium's state evolves in a nonlinear way • not clear how an attacker should combine these equations in order to efficiently recover the state • Estimate: follow linear trails through the cipher and approximate the outputs of all encountered AND gates by 0. However, the positions of the taps in Trivium have been chosen in such a way that any trail of this specific type is forced to approximate at least 72 AND gate outputs • If assume that the correlation of linear combination is completely explained by a specific trail considered, then it would have a correlation coefficient of 2-72 • Detecting such a correlation would require at least 2144 bits of key stream • Other more complicated types of linear trails with larger correlations might exist, estimate that no correlations will exceed 2-40
Lex • Alex Biryukov • Leak EXtraction • Software category • Uses AES – reuse if application has AES implementation