1 / 75

Stream ciphers 2

Stream ciphers 2. Session 2. Contents. PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers. PN generators with LFSRs.

kiora
Download Presentation

Stream ciphers 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Stream ciphers 2 Session 2

  2. Contents • PN generators with LFSRs • Statistical testing of PN generator sequences • Cryptanalysis of stream ciphers

  3. PN generators with LFSRs • Computational complexity of the Berlekamp-Massey algorithm is quadratic in the length of the minimum LFSR capable of generating the intercepted sequence. • Thus, if the linear complexity is very high, then the task of predicting the next bits of the sequence is too complex.

  4. PN generators with LFSRs • Linear complexity achievable with a sole LFSR is small. • Then, in order to prevent the cryptanalysis of a pseudorandom sequence generator, we must design it in such a way that its linear complexity is too high for the practical application of the Berlekamp-Massey algorithm.

  5. PN generators with LFSRs • Since LFSRs have nice properties regarding statistics of their output sequences, a good idea is to base PN generators on LFSRs. • But to increase linear complexity, we have to combine outputs of several LFSRs in non-linear manner – through non-linear Boolean functions.

  6. Algebraic normal form • It is the form of a Boolean function that uses only the operations  and  • In the ANF, the product that includes the largest number of variables is denominated non linear orderof the function. • Example: The non linear order of the function f(x1,x2,x3)=x1x1x3x2x3 is 2.

  7. Algebraic normal form • The ANF of a Boolean function can be determined from its truth table. The Möbius transform

  8. Algebraic normal form • Example: n=3

  9. Algebraic normal form • u=000u=001 u=010 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 x x x a000=f(0,0,0)=0 a010=f(0,0,0)+ +f(0,1,0)=0+0=0 a001=f(0,0,0)+ +f(0,0,1)=0+1=1

  10. Algebraic normal form • u=011 u=100u=101 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 x x x a101=f(0,0,0)+ f(0,0,1) +f(1,0,0)+f(1,0,1)= 0+1+0+1=0 a011=f(0,0,0)+ f(0,0,1) +f(0,1,0)+f(0,1,1)= 0+1+0+1=0 a100=f(0,0,0)+ +f(1,0,0)=0+0=0

  11. Algebraic normal form • u=110u=111 000 001 010 011 100 101 110 111 a111=f(0,0,0)+ f(0,0,1) +f(0,1,0)+f(0,1,1)+ f(1,0,0) +f(1,0,1)+f(1,1,0)+ f(1,1,1) = 0 x Then: f(x0,x1,x2)=a001x2+a110x0x1=x2+x0x1 a110=f(0,0,0)+ f(0,1,0) +f(1,0,0)+f(1,1,0)= 0+0+0+1=1

  12. Non-linear combiners • In these generators, the keystream sequence is obtained by combining the output sequences of various LFSRs in a non linear manner. • Example – it is possible to use a Boolean function (without memory).

  13. Non-linear combiners • If F is a Boolean function of N periodic input sequences a1(t), a2(t), ..., aN(t), then the output sequence b(t) = F(a1(t), a2(t), ..., aN(t)) is a linear combination of various products of sequences. • These products are determined by determining the ANF of the function F.

  14. Non-linear combiners • Given the ANF of the function F, if we create a function F* from F in such a way that instead of the sum and product modulo 2 in F we use the sum and product of integers, for the linear complexity and the period of the output sequence of F the following holds:

  15. Non-linear combiners • Example (1) • If the characteristic polynomials of the input sequences are: All these polynomials are primitive!

  16. Non-linear combiners • Example (2) • Then

  17. Non-linear combiners • The sum of N sequences in GF(q) (1) • The equality holds if the characteristic polynomials of the input sequences do not have common factors.

  18. Non-linear combiners • The sum of N sequences in GF(q) (2) • Obviously, if the periods of the input sequences are mutually prime then

  19. Non-linear combiners • The sum of N sequences in GF(q) (3) • Example: Primitive! The periods are Mersenne primes

  20. Non-linear combiners • The product of N sequences in GF(q) (1) • Theorem (Golić, 1989) • If Per(ai) are mutually prime, then • Theorem (Lidl, Niedereiter) Per(ai) are mutually prime

  21. Non-linear combiners • Example Primitive! The periods are Mersenne primes

  22. Non-linear combiners • The general case (1) • Let be the Boolean function obtained by removing all the products from the function F except those of the maximum order. Let be the corresponding integer function.

  23. Non-linear combiners • The general case (2) • Theorem (Golić, 1989) • F depends on all the N input variables. • Per(ai) are mutually prime. • Then

  24. Non-linear combiners • The general case (3) • Example (1)

  25. Non-linear combiners • The general case (4) • Example (2) • If the characteristic polynomials of the input sequences are: • Then Primitive, periods Mersenne primes

  26. Non-linear combiners • The general case (5) • Example – Geffe’s generator (1)

  27. Non-linear combiners • The general case (6) • Example – Geffe’s generator (2) – • Equivalent scheme

  28. Non-linear combiners • The general case (7) • Example – Geffe’s generator (3) • If we set the feedback polynomials primitive, with periods that are Mersenne primes: • Then

  29. Statistical testing of PN generators • The output sequence of a generator of pseudorandom sequences looks random, but it is not. • Pseudorandom generators expand a truly random sequence (the key) to a much longer sequence, such that an adversary cannot distinguish between the pseudorandom sequence and a truly random sequence.

  30. Statistical testing of PN generators • In order to obtain a guarantee of the security of this type of generators, various statistical tests are applied, especially designed for this purpose. • The fact that a generator passes a set of statistical tests should be considered a necessary condition, although not a sufficient one, for the security of the generator.

  31. Statistical testing of PN generators • If the result X of an experiment can take any real value, then X is a continuous random variable. • The probability density function f(x) of a continuous random variable X can be integrated and the following holds: f(x)0, for all xR For all a, bR the following holds

  32. Statistical testing of PN generators • A continuous random variable has a normal distributionwith the mean  and the variance 2 if its probability density function is: • We say that X is • If X is , then we say that X has a standard normal distribution.

  33. Statistical testing of PN generators • If the random variable X is , then the variable is . • The Euler’s gamma function:

  34. Statistical testing of PN generators • A continuous random variable X has a 2 distribution with  degrees of freedom if its probability density function is

  35. Statistical testing of PN generators • A statistical hypothesis H is an affirmation about the distribution of one or more random variables. • A hypothesis test is a procedure based on the observed values of the random variable that leads to the acceptance or rejection of the hypothesis H.

  36. Statistical testing of PN generators • The test only provides a measure of the strength of evidence given by the data against the hypothesis. • The conclusion is probabilistic. • The level of significance of the test of the hypothesis H is the probability of rejecting the hypothesis H when it is true.

  37. Statistical testing of PN generators • The hypothesis to be tested is denominated the null hypothesis, H0. • The alternative hypothesisis denoted by H1 or Ha. • In cryptography: • H0 – the given generator is a random sequence generator. •  is between 0,001 and 0,05.

  38. Statistical testing of PN generators • A test: • Determines a statistic for the sample of the output sequence. • This statistic is compared with the expected value for a random sequence.

  39. Statistical testing of PN generators • How is the comparison carried out? (1) • The computed statistic – X0 – follows (usually) a 2 distribution with  degrees of freedom. • It is assumed that this statistic takes large values for non random sequences.

  40. Statistical testing of PN generators • How is the comparison carried out? (2) • In order to achieve , a threshold X is chosen (by means of the corresponding table), such that P(X0>X)=. • If the value of the statistic for the sample of the output sequence, Xs, satisfies Xs>X, then the sequence fails on the test.

  41. Statistical testing of PN generators • Basic tests for cryptographic use: • frequency test, • serial test, • poker test, • runs test, • autocorrelation test, • etc.

  42. Statistical testing of PN generators • Frequency test (1) • Purpose: determine if the number of zeros and ones in a sequence s is approximately the same. • n0 – number of zeros, n1 – number of ones. • The statistic:

  43. Statistical testing of PN generators • Frequency test (2) • The statistic follows a 2distribution with 1 degree of freedom. • The approximation is good enough if n10.

  44. Statistical testing of PN generators • Serial test (1) • Tries to determine if the number of occurrences of 00, 01, 10 and 11, as subsequences of s is approximately the same. • The statistic:

  45. Statistical testing of PN generators • Serial test (2) • The statistic follows a 2distribution with 2 degrees of freedom. • The approximation is good enough if n21.

  46. Statistical testing of PN generators • Poker test (1) • A positive integer m is considered such that • The sequence s is divided into k parts of size m. • ni is the number of occurrences of the type i of the sequence of length m, 1i2m (that is, i is the value of the integer whose binary representation is the sequence of length m.

  47. Statistical testing of PN generators • Poker test (2) • The test determines if every sequence of length m appears approximately the same number of times. • The statistic: • The statistic follows approximately a 2 distribution with 2m-1 degrees of freedom.

  48. Statistical testing of PN generators • Runs test (1) • A run of length i – a subsequence of s formed by i consecutive zeros or i consecutive ones that are neither preceded nor followed by the same symbol. • A run of zeros – gap • A run of ones – block

  49. Statistical testing of PN generators • Runs test (2) • Purpose: determine if the number of runs of different lengths in the sequence s is that expected in a random sequence. • The number of gaps (or blocks) of length i in a random sequence of length n is • It is considered that k is equal to the largest integer i for which ei5.

  50. Statistical testing of PN generators • Runs test (3) • We denote by Bi and Hi the number of blocks and gaps of length i in s, for each i, 1ik. • The statistic • The statistic follows approximately a 2distribution with 2k-2 degrees of freedom.

More Related