Agenda


Presentation Transcript


  1. CS G513 / SS G513 Network Security
     Agenda
     • Stream Ciphers
       • One-time Pads
       • Synchronous Stream Ciphers
       • Self-Synchronizing Stream Ciphers
     • Feedback Shift Registers
       • Linear Feedback Shift Registers
       • Non-Linear Feedback Shift Registers
     • Non-Linear Combination Generators
     • Non-Linear Filter Generators
     • Software Stream Ciphers

  2. Stream Ciphers
     • Block Ciphers vs. Stream Ciphers:
       • Block ciphers process plaintext in large blocks and repeat the same (encryption) process across blocks. Thus, block ciphers are typically stateless/memoryless.
       • With stream ciphers the encryption function may vary as the plaintext is processed, and stream ciphers process plaintext in small blocks (say one character, or often just one bit).

  3. Stream Ciphers: One-time Pad
     • A Vernam cipher (over the binary alphabet) is defined as:
       • C_i = M_i ⊕ K_i for i = 1, 2, 3, …, where M_i refers to the plaintext (message) stream, K_i the keystream and C_i the cipherstream.
     • (Vernam's) One-time Pad:
       • The keystream is generated independently and randomly.
       • This is unconditionally secure against a ciphertext-only attack.
     • Observation:
       • The key is (at least) as long as the message – the uncertainty of the key is at least as great as that of the message.
     Sundar B.

  4. Synchronous Stream Ciphers
     • The keystream is generated independently of the plaintext message and of the ciphertext.
     • Encryption process:
       • S_{i+1} = f(S_i, k),  Z_i = g(S_i, k),  C_i = h(Z_i, M_i)
       • where S_0 is the initial state (may depend on k), Z_i is the keystream and C_i is the cipher-stream
     • Decryption process:
       • S_{i+1} = f(S_i, k),  Z_i = g(S_i, k),  M_i = h⁻¹(Z_i, C_i)
     • E.g. Binary Additive Stream Cipher:
       • the streams are binary and h is ⊕

  5. Synchronous Stream Ciphers
     • Properties:
       • Synchronization requirements:
         • Sender and receiver must be synchronized – using the same key and operating at the same state within that key.
         • Insertion/deletion may cause loss of synchronization.
         • Re-synchronization may need re-initialization and/or special marks in the stream at regular intervals.
       • No error propagation:
         • A modified digit does not affect the decryption of other digits.
       • Active attacks:
         • Insertion/deletion/replay cause loss of sync, and hence are detected by the decryptor.
         • Chosen-plaintext attacks are possible due to the lack of error propagation.

  6. Self-synchronizing Stream Ciphers
     • The keystream is generated as a function of the key and a fixed number t of previous ciphertext digits.
     • Encryption process:
       • S_i = (C_{i-t}, C_{i-t+1}, …, C_{i-1}),  Z_i = g(S_i, k),  C_i = h(Z_i, M_i)
       • where S_0 = (C_{-t}, C_{-t+1}, …, C_{-1}) is the initial state, Z_i is the keystream and C_i is the cipher-stream
     • Decryption process:
       • S_i = (C_{i-t}, C_{i-t+1}, …, C_{i-1}),  Z_i = g(S_i, k),  M_i = h⁻¹(Z_i, C_i)

  7. Self-synchronizing Stream Ciphers
     • Properties:
       • Self-synchronization:
         • possible after insertions/deletions (at most t digits may be lost)
       • Limited error propagation:
         • a 1-digit modification/insertion/deletion may cause incorrect decryption of up to t digits.
       • Active attacks:
         • Modification can be detected due to incorrect decryption – better than synchronous stream ciphers.
         • It is more difficult than for synchronous stream ciphers to detect insertion/deletion/replay of ciphertext digits.
       • Diffusion of plaintext statistics: better
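Slides 4 to 7 contrast the two cipher types on synchronization and error propagation. The following Python script is an added example, not code from the course slides: it implements a binary additive synchronous cipher (S_{i+1} = S_i + 1) and a self-synchronizing cipher whose state is the last T = 4 ciphertext bits, then shows what one inserted and one flipped ciphertext bit do to the receiver. The keystream function g is an assumed SHA-256 stand-in, and the key and message bits are constructed.

```python
import hashlib

T = 4  # the self-synchronizing cipher's state is the last T ciphertext bits (t on the slides)

def g(key: bytes, state: bytes) -> int:
    """Keystream bit Z_i = g(S_i, k). SHA-256 is an assumed stand-in for a real g."""
    return hashlib.sha256(key + state).digest()[0] & 1

def synchronous(key: bytes, bits: list) -> list:
    """Binary additive (synchronous) cipher: S_{i+1} = S_i + 1, C_i = M_i xor Z_i.
    h is xor, so the same call decrypts."""
    return [b ^ g(key, i.to_bytes(4, "big")) for i, b in enumerate(bits)]

def self_sync(key: bytes, bits: list, decrypt: bool) -> list:
    """Self-synchronizing cipher: S_i = (C_{i-T}, ..., C_{i-1}), S_0 = all zero (assumed).
    The state is rebuilt from ciphertext on both sides, so encrypt and decrypt
    differ only in whether the input or the output bit is the ciphertext."""
    prev, out = [0] * T, []
    for b in bits:
        x = b ^ g(key, bytes(prev))
        out.append(x)
        prev = prev[1:] + [b if decrypt else x]
    return out

def demo(pos: int = 10) -> dict:
    key = b"constructed-demo-key"                                        # constructed
    msg = [int(ch) for ch in "0110100101110011011010010110111001110011"]  # 40 constructed bits
    c_sync, c_ss = synchronous(key, msg), self_sync(key, msg, False)
    # Case 1: a spurious ciphertext bit appears at `pos` (the slides' insertion case)
    ins_sync, ins_ss = c_sync[:pos] + [1] + c_sync[pos:], c_ss[:pos] + [1] + c_ss[pos:]
    # Case 2: the ciphertext bit at `pos` is flipped (the slides' modification case)
    mod_sync, mod_ss = c_sync[:], c_ss[:]
    mod_sync[pos] ^= 1
    mod_ss[pos] ^= 1
    d_ins_sync, d_ins_ss = synchronous(key, ins_sync), self_sync(key, ins_ss, True)
    d_mod_sync, d_mod_ss = synchronous(key, mod_sync), self_sync(key, mod_ss, True)
    return {
        "roundtrip": synchronous(key, c_sync) == msg and self_sync(key, c_ss, True) == msg,
        # after the insertion every later synchronous digit decrypts to garbage (False) ...
        "sync_recovers": d_ins_sync[pos + 1:] == msg[pos:],
        # ... while the self-synchronizing receiver is back in step after at most T+1 digits
        # (its output is then the plaintext shifted by the one inserted digit)
        "self_sync_recovers": d_ins_ss[pos + 1 + T:] == msg[pos + T:],
        # one modified digit: exactly 1 wrong plaintext digit (no error propagation) vs.
        # up to T+1 wrong digits (the modified one and the T whose state includes it)
        "sync_mod_errors": sum(a != b for a, b in zip(d_mod_sync, msg)),
        "self_sync_mod_errors": sum(a != b for a, b in zip(d_mod_ss, msg)),
    }
```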

  8. Linear Feedback Shift Registers
     • An LFSR of length L consists of
       • L stages (or delay elements) capable of storing 1 bit each, and
       • a clock controlling the movement of data.
     • During each unit of time:
       • The content of stage 0 is output.
       • The content of stage j is moved to stage j-1 for each j from 1 to L-1.
       • The new content of stage L-1 is the feedback bit, computed as the sum without carry (XOR) of the previous contents of a fixed subset of stages.

  9. Linear Feedback Shift Registers
     [Figure from Menezes et al.]

  10. Linear Feedback Shift Registers
     • If the initial state of the LFSR in the figure (previous slide) is [s_{L-1}, …, s_1, s_0], then the output sequence is determined by the recursion
       • s_j = (c_1 s_{j-1} + c_2 s_{j-2} + … + c_L s_{j-L}) mod 2, for j ≥ L

  11. Feedback Shift Registers
     • Linear Feedback Shift Registers (LFSRs) are used in keystream generation because:
       • they are well suited to hardware implementation
       • they can produce sequences of large period
       • they can produce sequences with good statistical properties
       • they can be readily analyzed by algebraic techniques
     Reading exercise – refer to Menezes et al., Chapter 6

  12. LFSRs - Limitations
     • Primary weakness: linear complexity – the number of stages needed for generating a sequence
       • At most n for an n-bit sequence
       • At most N for a sequence with period N
     • Claim: If an infinite bit stream s is generated by an LFSR of L stages, then there is an O(n²) algorithm that determines the linear combination used for generating s, given a substream t of s of length > 2L.
     • Proof: Berlekamp-Massey algorithm.
       • Refer to Menezes et al. (Chapter 6)
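The claim above, worked through in Python as an added example (not code from the slides): the LFSR recursion of slide 10 drives a 4-stage register with C(x) = 1 + x + x^4, and the Berlekamp-Massey algorithm (Menezes et al., Algorithm 6.30) recovers the linear complexity and all four connection coefficients from only 2L = 8 output bits, after which the rest of the stream is predictable. The polynomial and initial state are chosen for the example.

```python
def lfsr_sequence(c: list, init: list, n: int) -> list:
    """Output s_0, s_1, ... of the LFSR with connection coefficients c = [c_1, ..., c_L]
    and initial state init = [s_0, ..., s_{L-1}], using the slide's recursion
    s_j = (c_1 s_{j-1} + ... + c_L s_{j-L}) mod 2."""
    s, L = list(init), len(c)
    while len(s) < n:
        j = len(s)
        s.append(sum(c[i - 1] & s[j - i] for i in range(1, L + 1)) & 1)
    return s

def lfsr_period(c: list, init: list) -> int:
    """Number of clocks until the L-bit state returns to its initial value."""
    L = len(c)
    s = lfsr_sequence(c, init, 2 ** L + L)   # at most 2^L - 1 distinct nonzero states
    for p in range(1, 2 ** L):
        if s[p:p + L] == s[:L]:
            return p
    return 0

def berlekamp_massey(s: list) -> tuple:
    """Shortest LFSR generating s over GF(2) (Menezes et al., Algorithm 6.30).
    Returns (L, [1, c_1, ..., c_L]): the linear complexity and connection polynomial C(x)."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m = 0, -1                           # current length and position of the last length change
    for N in range(n):
        d = s[N]                           # discrepancy between s_N and the LFSR's prediction
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]
        if d:
            T, shift = C[:], N - m
            for i in range(n + 1 - shift):   # C(x) <- C(x) + x^(N-m) B(x)
                C[i + shift] ^= B[i]
            if 2 * L <= N:
                L, m, B = N + 1 - L, N, T
    return L, C[:L + 1]

def demo() -> dict:
    c, init = [1, 0, 0, 1], [0, 1, 1, 0]        # C(x) = 1 + x + x^4 (primitive), state [s_0..s_3]
    s = lfsr_sequence(c, init, 30)
    L, poly = berlekamp_massey(s[:2 * len(c)])  # only 2L = 8 output bits are given to the algorithm
    return {
        "period": lfsr_period(c, init),         # 2^4 - 1 = 15 for a primitive polynomial
        "recovered_L": L,
        "recovered_taps": poly[1:],             # c_1..c_L, matches c
        "predicts_rest": lfsr_sequence(poly[1:], s[:L], 30) == s,
    }
```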

  13. (Generalized) Feedback Shift Registers
     • A feedback shift register (FSR) of length L consists of
       • L stages (or delay elements) capable of storing 1 bit each, and
       • a clock controlling the movement of data.
     • During each unit of time:
       • The content of stage 0 is output.
       • The content of stage j is moved to stage j-1 for each j from 1 to L-1.
       • The new content of stage L-1 is the feedback bit s_j = f(s_{j-1}, s_{j-2}, …, s_{j-L}), where f is a Boolean function and s_{j-i} is the previous content of stage L-i, 1 ≤ i ≤ L.

  14. (Generalized) Feedback Shift Registers
     [Figure from Menezes et al.]
     If f is a non-linear function, then this is a non-linear FSR.

  15. Non-linear Combination Generators
     [Figure from Menezes et al.]
     f is a non-linear combining function. Note that f must be suitable for destroying the linearity of the LFSR outputs.

  16. Non-linear Filter Generators
     [Figure from Menezes et al.]
     f is a non-linear filtering function.

  17. Non-linear Filter Generators
     • Example: Knapsack Generator
       • The secret key consists of L knapsack integer weights a_1, a_2, …, a_L, each of bit length L.
       • At time j, the knapsack sum S_j is computed as S_j = (Σ_{k=1}^{L} x_k a_k) mod 2^L, where [x_L, …, x_2, x_1] is the state of the LFSR at time j.
       • Selected bits of S_j are extracted to form part of the keystream.
       • Determining a subset of weights from a given sum is a hard problem (Subset Sum is NP-hard).
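The knapsack generator of this slide in Python, as an added example rather than the slides' own code: an 8-stage LFSR supplies the state [x_L, …, x_1], each clock computes S_j = Σ x_k a_k mod 2^L, and the five high-order bits of S_j are emitted as keystream. The feedback polynomial, deriving the weights from the key with SHA-256, and the choice of extracted bits are assumptions made for this example.

```python
import hashlib

L = 8                              # LFSR length and the bit length of each weight
TAPS = [0, 1, 1, 1, 0, 0, 0, 1]    # c_1..c_8 of C(x) = 1 + x^2 + x^3 + x^4 + x^8 (primitive, period 255)
MASK = (1 << L) - 1                # knapsack sums are reduced mod 2^L

def lfsr_step(state: list, taps: list = TAPS) -> list:
    """One clock of the LFSR. state = [x_L, ..., x_1] as on the slide; the feedback bit
    c_1 x_L + ... + c_L x_1 mod 2 shifts in at the x_L end (assumed convention)."""
    fb = 0
    for c, x in zip(taps, state):
        fb ^= c & x
    return [fb] + state[:-1]

def knapsack_weights(key: bytes) -> list:
    """Secret weights a_1..a_L, each L bits. Derived from the key with SHA-256 here,
    an assumption of this example (the slide only says the weights are the secret key)."""
    return [hashlib.sha256(key + bytes([k])).digest()[0] & MASK for k in range(1, L + 1)]

def knapsack_sum(state: list, weights: list) -> int:
    """S_j = sum_{k=1..L} x_k * a_k mod 2^L; state is reversed so x_k lines up with a_k."""
    return sum(x * a for x, a in zip(reversed(state), weights)) & MASK

def keystream(key: bytes, init_state: list, nbits: int, extract: int = L - 3) -> list:
    """Clock the LFSR (init_state must be nonzero), compute S_j each step and emit its
    `extract` high-order bits; keeping the top 5 of 8 is this example's choice."""
    weights = knapsack_weights(key)
    state, bits = list(init_state), []
    while len(bits) < nbits:
        s = knapsack_sum(state, weights)
        for i in range(L - 1, L - 1 - extract, -1):
            bits.append((s >> i) & 1)
        state = lfsr_step(state)
    return bits[:nbits]

def encrypt(key: bytes, init_state: list, plaintext_bits: list) -> list:
    """Binary additive use of the generator: C_i = M_i xor Z_i; the same call decrypts."""
    return [m ^ z for m, z in zip(plaintext_bits, keystream(key, init_state, len(plaintext_bits)))]
```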

  18. Other Stream Ciphers
     • LFSR-based stream ciphers are well suited to hardware implementation,
     • but they are not necessarily amenable to software implementation.
     • SEAL (Software-Optimized Encryption Algorithm):
       • A binary additive stream cipher designed for efficient software implementation on 32-bit processors (circa 1993).
       • Maps a 32-bit sequence number n into an L-bit keystream under control of a 160-bit secret key a.
       • Refer to Menezes et al. (Chapter 6)
