Chapter VI Stream Ciphers
Block cipher
• Split the plaintext (PT) into successive blocks
• Equal-sized bit streams
• Encrypt / decrypt
Stream cipher
• PT is a continuous bit stream
• Encrypt / decrypt
• Provided speed & better performance 1 / 2 decades ago
• Cs of today offer adequate power & speed
• Block ciphers (BC) meet requirements & are preferred today
• Stream ciphers (SC) limited to applications with space & cost constraints; limited security
• Cell phones / some military applications
Key stream generator generates a succession of key stream bits
• k_i: i-th key stream bit
• x_i: i-th bit of incoming data stream
• x_i XORed with k_i in successive clock periods (CP)
• XORed output y_i: crypto text bit in the i-th CP
Receiver
• Key stream generator generates the key stream sequence k_i
• XORed with crypto text stream y_i
• XORed bit stream is x_i, the retrieved plain text stream
Decoder should know when to XOR & extract the info. bit
• Clocks to be in sync.
• Else the clock at the receiver has to predict the instant of bit extraction through XOR; Rx clock to be faster than Tx clock
• PHY takes care of all these
• Design / architecture of the key stream generator decides security
One time pad [OTP] ideal for SC
• Make OTP available in advance at either end
• Select key bits in succession to encrypt / decrypt
• Tx & Rx to be in sync.
• Miss one bit and the system goes topsy-turvy
• OTP not practical: who will bell the cat?
Self-synchronizing stream cipher
• z_i: present state of a finite state machine (FSM)
• IV: initial vector input
• y_i: encrypted output
• Two inputs to FSM: z_i & y_i
• z_{i+1}: next state, a function of IV, z_i & y_i
• f(z_i, IV, y_i)
• z_{i+1}: next key bit for encryption
• FSM continuously clocked to provide a succession of key bits for encryption
• x_i: next PT bit to be encrypted
• XOR z_i & x_i to form encrypted output bit y_i
FSM repeated at decryption end
• Input y_i
• XORed output x_i: decrypted output
• Need for synchronized functioning avoided
• Synchronizing the decryption operation to the encryption operation: provision in the transmission protocol
• Security depends on IV and the functional form used for f(z_i, IV, y_i)
[Figure: general structure of a cipher scheme]
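The self-synchronizing behaviour described above, as an added example that is not part of the original slides: the FSM state is taken to be the last 8 ciphertext bits (seeded with the IV) and the key bit is a non-linear function of that state. `REG_BITS`, `key_bit()`, the IV and the sample bits are assumptions made for the illustration; the toy is not a secure cipher.

```python
# Added illustration: REG_BITS, key_bit() and the sample bits are assumptions.
REG_BITS = 8                          # FSM state z_i = last 8 ciphertext bits
MASK = (1 << REG_BITS) - 1

def key_bit(z):
    """Hypothetical non-linear output function of the state (toy, not secure)."""
    b = [(z >> i) & 1 for i in range(REG_BITS)]
    return b[0] ^ b[3] ^ (b[1] & b[6]) ^ (b[2] & b[5] & b[7])

def run(bits, iv, decrypting):
    """Encrypt or decrypt; both ends feed the ciphertext bit y_i into the state."""
    z, out = iv & MASK, []
    for bit in bits:
        o = bit ^ key_bit(z)
        out.append(o)
        y = bit if decrypting else o
        z = ((z << 1) | y) & MASK     # z_{i+1} from z_i and y_i, with z_0 = IV
    return out

def encrypt(plain, iv):
    return run(plain, iv, False)

def decrypt(cipher, iv):
    return run(cipher, iv, True)

IV = 0b10110010                                       # constructed
PLAIN = [(i * i + i // 3) % 2 for i in range(64)]     # constructed sample bits
CIPHER = encrypt(PLAIN, IV)

def after_bit_flip(j=20):
    """Flip ciphertext bit j in transit, then decrypt."""
    damaged = CIPHER[:j] + [CIPHER[j] ^ 1] + CIPHER[j + 1:]
    return decrypt(damaged, IV)

def after_bit_loss(j=20):
    """Drop ciphertext bit j in transit, then decrypt."""
    return decrypt(CIPHER[:j] + CIPHER[j + 1:], IV)

if __name__ == "__main__":
    flipped, lost = after_bit_flip(), after_bit_loss()
    wrong = [i for i in range(64) if flipped[i] != PLAIN[i]]
    print("bit flip at 20 corrupts positions:", wrong)
    print("bit loss at 20, realigned from 28:", lost[28:] == PLAIN[29:])
```

A damaged or lost ciphertext bit disturbs the output only while it sits in the 8-bit state; after that the receiver is back in step without any resynchronization message.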
LFSR based SC
• Use a Linear Feedback Shift Register (LFSR) to generate the next state: simplest realization of SC
• LFSR structure
• A 5-stage shift register
• XOR outputs of selected stages & form input to first stage
• Proper choice of feedback taps generates the longest possible sequence
• Generated sequence with an initial vector 1 0 0 0 0 loaded:
• 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 * 1 0 0 0 0 1 . . .
• '*' signifies the length of the sequence: 31 bits (2^5 - 1), the 'period'
A five stage LFSR with feedback connections to generate the maximum length sequence; the initial vector loaded is 10000
Sequence satisfies a number of criteria that random sequences satisfy
• Shows pseudorandom properties
• In general, select feedback taps so that the LFSR feedback equation corresponds to an irreducible polynomial with coefficients in GF(2)
• Maximum length sequence generated
• An l-stage LFSR can generate a sequence of length (2^l - 1) bits
Taps to generate maximum length sequences for LFSRs of different lengths
• Bit sequences from LFSR → 'nearly random'
• 'Pseudo Random Binary Sequences (PRBS)'
• A PRBS appears well suited to be a key stream
• But a sequence from a linear structure is highly predictable
• For an l-stage LFSR, a sequence of 2l bits length is enough to identify the feedback scheme
• Use the Berlekamp-Massey algorithm & solve the LFSR structure
• → scheme vulnerable to attacks
Non-LFSR based sequence generators
• Basic requirement in SC → generate a random key stream
• Random → scheme of key generation cannot be predicted easily
• Specifically, knowing the scheme, IV should not be predictable in polynomial time
• Adapt LFSR → generate key stream conforming to requirements
• Various criteria to be satisfied by sequences have been identified
• Linear complexity & correlation immunity are the key ones
Linear complexity
• Length of sequence from an LFSR of length l: 2^l - 1 bits
• Period of s[n], the sequence formed from this: 2^l - 1
• l: 'linear complexity' of s[n]
• With a sequence of length 2l, the Berlekamp-Massey algorithm identifies the underlying l-stage LFSR
• A sequence of length 2l is 'close enough' to a corresponding linear sequence of length 2l
• Continuation beyond may also be close enough to a linear one
• → Weakness of sequence
• Linear complexity is limited to the order of l
• Different criteria to identify linear complexity & select FSR to make linear complexity as large as possible have been identified
Correlation Immunity
• Consider s[n] generated from an LFSR of length l
• s[n] & s[n-k] are closely related for k = 2^l - 1 but not for other values of k
• Any sequence generated from a linear sequence exhibits similar correlation properties
• Need to ensure correlation immunity of sequences
• → Schemes to generate sequences should not exhibit any marked changes in correlation with changes in k values
• Else → sequence length value exposed
• Different criteria to ensure correlation immunity have been developed
Feedback Shift Register Schemes
• Different architectures available to generate key streams
• All have LFSRs at the core
• Outputs modified to get sequences with desirable characteristics
• Non-linear combination generator → Figure ↓
• n sequence generators with lengths l_1, l_2, . . . l_{n-1}, & l_n
• All clocked at the same rate
• Choose LFSR lengths l_1, l_2, l_3, . . . & l_n
• Ensures overall output sequence length [z_i] is
• lcm
• With proper choice of f, linear complexity can be made sufficiently large
Non-linear Filter Generator → function of selected taps of LFSR stages
• LFSR outputs filtered through f to generate output
• Non-linear combination generator → take all LFSRs of equal length l_1 & choose IV
[Figure: Non-linear Filter Generator]
Multiplexor Generator → uses two LFSRs
• Combine selected taps of LFSR1 to form a binary address
• Use the address & select one tap of LFSR2 → output z_i
• Each clock pulse → a new address from LFSR1
• → a different bit from LFSR2 selected & output
• LFSR1 → long enough to provide enough address bits to LFSR2
• l_1 & l_2 → lengths of LFSR1 & LFSR2
• → output sequence length up to
• Linear complexity is not so easy to estimate
Generators using irregularly clocked LFSRs
• Clock an LFSR irregularly → a random key sequence
• Simplest scheme → use two LFSRs as in Figure
• Clock LFSR1 regularly → output decides clocking of LFSR2
• LFSR2 output → key stream
• Example:
• Output of LFSR1 is 0 → LFSR2 is clocked once
• Output of LFSR1 is 1 → LFSR2 is clocked twice
• If both LFSRs have l stages
• Sequence length can go up to (2^l - 1)^2
• Linear complexity of output: l(2^l - 1)
• Scheme susceptible to correlation attacks
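An added example (not from the original slides) tying together the linear-complexity slides and the irregular-clocking scheme above: it regenerates the 31-bit sequence of the 5-stage LFSR, measures linear complexity with Berlekamp-Massey from 2l = 10 bits, and repeats the measurement on the clocked-once/clocked-twice generator built from two such registers. The tap positions are an assumption inferred from the sequence printed on the slide (the figure is not reproduced), and `IV2` is a constructed starting state.

```python
# Added example. TAPS is inferred from the 31-bit sequence on the page;
# IV2 is a constructed starting state for the second register.
TAPS = (0, 2)              # s[n+5] = s[n] XOR s[n+2]
IV = (1, 0, 0, 0, 0)       # initial vector from the page
IV2 = (1, 1, 0, 1, 0)      # constructed, any non-zero state works

def lfsr(state, taps, n):
    """Return n output bits of a shift register (output = first stage)."""
    s, out = list(state), []
    for _ in range(n):
        out.append(s[0])
        fb = 0
        for t in taps:
            fb ^= s[t]
        s = s[1:] + [fb]
    return out

def berlekamp_massey(s):
    """Return (L, c): linear complexity and connection polynomial c[0..L]."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]                          # discrepancy of the current guess
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(n - (i - m) + 1):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def step12(n):
    """LFSR1 output 0 clocks LFSR2 once, 1 clocks it twice; LFSR2 is the key stream."""
    ctrl = lfsr(IV, TAPS, n)
    data = lfsr(IV2, TAPS, 2 * n + 1)     # LFSR2 advances at most 2 steps per clock
    out, pos = [], 0
    for c in ctrl:
        pos += 1 + c
        out.append(data[pos])
    return out

if __name__ == "__main__":
    seq = lfsr(IV, TAPS, 31)
    print("".join(map(str, seq)))
    print("plain LFSR, 10 bits known:", berlekamp_massey(seq[:10]))
    print("step-1/step-2 generator  :", berlekamp_massey(step12(400))[0])
```

Measuring linear complexity this way is a quick acceptance check for any candidate key stream generator: a value close to the register length means the whole stream follows from a short known segment.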