220 likes | 243 Views
VL 713 Cryptography: Stream Ciphers. NN April 3 2009 Amritapuri. Overview. Stream Ciphers One-Time Pad LFSRs. Stream Ciphers: Characteristics. These encrypt individual characters or symbols of the message Encryption transformation varies with time (have memory)
E N D
VL 713 Cryptography: Stream Ciphers NN April 3 2009 Amritapuri
Overview • Stream Ciphers • One-Time Pad • LFSRs
Stream Ciphers: Characteristics • These encrypt individual characters or symbols of the message • Encryption transformation varies with time (have memory) • Faster than block ciphers in hardware • Less complex hardware circuitry • Appropriate in situations where buffering is limited (eg. Telecommunications applications) • Limited or no error propogation • These can be symmetric key or asymmetric key. We focus only on symmetric key stream ciphers.
Examples • Caeser cipher, Shift ciphers, Mono-alphabetic substitution cipher, Vigenere cipher etc. • One-Time Pad (OTP) this is a special case of Vigenere cipher where the key is perfectly random and the key is as long as the message. The word ‘pad’ is meant to indicate ‘key’. This is a symmetric key cipher.
One-Time Pad (OTP) • Also known as Vernam Cipher (Gilbert Vernam discovered in 1917) • A very important stream cipher (for historical and mathematical reasons) • Perfectly secure (also known as unconditionally secure or Shannon security) • Shannon proved that OTP is the only perfectly secure cryptosystem in 1949. • Moscow and Washington DC used OTP in ? • The one-time pad (key) was transmitted using a trusted courier. • Asymmetric key cryptosystems (PKCS) can never be perfectly secure.
Condition for Perfect Secrecy • Shannon derived Perfect secrecy condition as: H(K)L(K) H(M)L(M) • For OTP, L(K) = L(M) = N bits, and H(K) = N bits. This is the MAXIMUM possible entropy for a data with N bits long. Thus, the perfect secrecy condition is always satisfied, and therefore OTP is perfectly secure.
Attacks on OTP • Ciphertext only attack does not work since the cipher is perfectly secure • Known plaintext-ciphertext pair attack • Chosen plaintext attack • Why should OTP be “perfectly random”? • Why is OTP “one-time”?
Drawbacks of OTP • Key length = Message length This is a pain!!! • OTP should be perfectly random This is a bigger pain!!!!!!!! • Hence go for Stream Ciphers which have short key length and which rely on “pseudo-randomness”. However, we lose perfect secrecy.
Encryption Decryption Key stream Generator (PRNG) Key stream Generator (PRNG) Practical Stream Ciphers • L(K) << L(M), symmetric key is small in length. • Key stream is generated from a key stream generator using key K • Key stream generator is not perfectly random, but ‘pseudo-random’ • PRNG: Pseudo-random number generator • PRNG satisfies statistical tests of randomness.
Stream Ciphers: Classification • Synchronous Stream Ciphers • Asynchronous Stream Ciphers Ref: Chapter 6, pg. 193, Textbook [2]
Asynchronous Stream Ciphers Example: Block ciphers in CFB mode – cipher feedback mode
Recall: CFB mode of Block Ciphers Key Stream Generator
Binary Additive Stream Cipher • Is this synchronous or asynchronous? • Is the OTP synchronous or asynchronous? • OTP is a Binary Additive Stream Cipher which is a Synchronous Stream Cipher XOR XOR
LFSR • LFSRs are the backbone of key-stream generators for stream ciphers. • The goal of an LFSR is to “mimic” randomness, hence called “pseudo-random” generator (PRG or PRNG or PRBG – pseudo random bit generator) • Pseudo-random: not truly random, but passes many statistical tests of randomness (but definitely fails some tests). • Well suited for hardware implementation, can produce sequences of large periods, can be analyzed by algebraic techniques owing to their simple structure.
Chapter 6, pg. 196, Textbook [2] AND AND AND AND
LFSR: Notations • LFSR: <L, C(D)> • L stages and C(D) is the Connection Polynomial of LFSR • A • Initial state of L registers: • Output of the LFSR is given by:
What is the output of LFSR if the initial state is [0 1 1 0] ?
Singular vs. Non-singular LFSR • If the degree of the Connection Polynomial C(D) is equal to L, then the LFSR is called as non-singular. Else, it is called singular. • Which is better? Singular or Non-singular?
Classwork 1. Non-singular LFSR: Draw the LFSR for < 2, 1 + D + D2 > What is the output sequence? What is the period of the output sequence? 2. Singular LFSR: Draw the LFSR for < 4, 1 + D + D2 > What is the output sequence? What is the period of the output sequence?