Post on 09-Aug-2020
Introduction Stream Ciphers Feedback Shift Registers Stream Ciphers in Real Life
Pastry Dough Mixing
Practical Construction of Stream Ciphers
Foundations of Cryptography
Computer Science Department
Wellesley College
Fall 2016
Table of contents
Introduction
Stream Ciphers
Feedback Shift Registers
Stream Ciphers in Real Life
Practical construction of symmetric-key primitives
• We know how to construct secure encryption schemes and message authentication codes from cryptographic primitives such as pseudorandom generators.
• But we have no idea how to construct these primitives, or even whether they exist.
• Starting today we focus on efficient heuristic constructions*
*While we can’t prove these primitives secure, they are based on design
principles, some of which can be justified by theory, and have withstood the
test of time.
Production of pastry dough
• Claude Shannon pointed out that the composition of non-commuting encryption methods works like a thorough pastry dough mixing.
• Iterating the product encryption increases the mix.
• However, we need to choose our mixing methods with great care in order to maximize mixing without inadvertently moving toward convergence.
Mixing through reflection and affine distortion
• Consider the composition of a reflection with an affine distortion, followed by a reduction to the basic format by cutting off and pasting back the protruding corners.
• On the unit square this is the map
$$T:\quad x' = y, \qquad y' = \begin{cases} x + y - 1 & \text{if } x + y \ge 1 \\ x + y & \text{if } 0 \le x + y < 1 \end{cases}$$
The mixing of F. L. Bauer
Applying this method to a picture of the cryptographer F. L. Bauer does seem to result in a total mix.
The resurrection of F. L. Bauer
• However, in the discrete spaces of cryptography, any iteration of a fixed transformation is periodic.
• Texture turns up in our mix of FLB after only 48 steps, a fourfold ghost haunts us in step 192 ...
• The moral of the story: Choose your mixing methods with great care.
Stream ciphers revisited
Recall, we view a stream cipher as a pair of deterministic algorithms:
• Init takes a seed s and an optional initialization vector IV, and outputs an initial state $st_0$.
• GetBits takes as input state information $st_i$, and outputs a bit y and updated state $st_{i+1}$.
Today we investigate several methods dedicated to the construction of stream ciphers.
Cautionary tales
• We have already seen how stream ciphers can be constructed from block ciphers.
• The primary motivation for using dedicated stream-cipher constructions is efficiency, especially in resource-constrained environments.
• However, attacks have been shown against recent constructions of stream ciphers, and their security appears more tenuous than that of block ciphers.
Linear-Feedback Shift Registers
• Linear-feedback shift registers (LFSRs) are efficient to implement in hardware, and generate output having good statistical properties.
• By themselves they do not give cryptographically strong pseudorandom generators, but they can be used as a component in building stream ciphers with better security.
Linear-Feedback Shift Registers
• An LFSR consists of an array of n registers $s_{n-1}, \ldots, s_0$ along with a feedback loop specified by a set of n feedback coefficients $c_{n-1}, \ldots, c_0$. The size of the array is called the degree of the LFSR.
• Each register stores a single bit, and the state st of the LFSR is the set of bits in all the registers. The state is updated in each of a series of “clock ticks.”
At the next tick of the clock ...
• Suppose that the state of an LFSR at time t is $s^{(t)}_{n-1}, \ldots, s^{(t)}_0$.
• Then the state after the next clock tick is $s^{(t+1)}_{n-1}, \ldots, s^{(t+1)}_0$, where
$$s^{(t+1)}_i := s^{(t)}_{i+1}, \qquad i = 0, \ldots, n-2$$
$$s^{(t+1)}_{n-1} := \bigoplus_{i=0}^{n-1} c_i \cdot s^{(t)}_i.$$
• The figure shows a degree-4 LFSR with $c_0 = c_2 = 1$ and $c_1 = c_3 = 0$.
After each tick of the clock
• The LFSR outputs the value of the right-most register $s_0$.
• If we denote the output bits by $y_1, y_2, \ldots$, where $y_i = s^{(i-1)}_0$, then
$$y_i = s^{(0)}_{i-1}, \qquad i = 1, \ldots, n$$
$$y_i = \bigoplus_{j=0}^{n-1} c_j \cdot y_{i-n+j}, \qquad i > n.$$
Shades of F. L. Bauer
• The state of the LFSR consists of n bits; thus, the LFSR can cycle through at most $2^n$ possible states before repeating.
• When the states repeat, the output bits repeat.
• A maximum-length LFSR cycles through all $2^n - 1$ states before repeating.*
• It is well understood how to set the feedback coefficients to obtain a maximal-length LFSR, but we won't go there.
*If the all-zero state is ever realized, then the LFSR remains in that state forever, which is the reason it is excluded.
Reconstruction attacks
• The output of a maximal-length LFSR of degree n has good statistical properties, but it isn't a Jedi yet: an attacker can reconstruct the entire state of a degree-n LFSR after observing at most 2n bits.
• The first n output bits reveal the initial state:
$$y_i = s^{(0)}_{i-1}, \qquad i = 1, \ldots, n$$
• Given the next n output bits, the attacker can set up n linear equations in the n unknowns $c_{n-1}, \ldots, c_0$:
$$y_{n+1} = c_{n-1} y_n \oplus \cdots \oplus c_0 y_1$$
$$\vdots$$
$$y_{2n} = c_{n-1} y_{2n-1} \oplus \cdots \oplus c_0 y_n$$
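The LFSR update rule and output sequence from the preceding slides, and the 2n-bit reconstruction on this slide, as one added worked example (this code is not from the slides or the textbook; the function names, and the choice of Gauss-Jordan elimination over GF(2) to solve the n equations, are mine). It simulates the slide's degree-4 example with $c_0 = c_2 = 1$, a maximal-length degree-4 LFSR with $c_0 = c_1 = 1$ (coefficients chosen for the example), measures their periods, and then recovers both the initial state and the coefficients from the first 2n output bits, which is exactly why an LFSR alone is not a pseudorandom generator:

```python
from typing import List, Optional

def lfsr_step(state: List[int], coeffs: List[int]) -> int:
    """One clock tick. state[i] holds register s_i (s_0 is the right-most,
    output register) and coeffs[i] is the feedback coefficient c_i.
    Returns the output bit y = s_0 and updates the state in place."""
    n = len(state)
    out = state[0]
    feedback = 0
    for i in range(n):                  # s_{n-1} <- XOR_i c_i * s_i
        feedback ^= coeffs[i] & state[i]
    for i in range(n - 1):              # s_i <- s_{i+1} for i = 0..n-2
        state[i] = state[i + 1]
    state[n - 1] = feedback
    return out

def lfsr_output(init: List[int], coeffs: List[int], m: int) -> List[int]:
    """First m output bits y_1..y_m from initial state init (init is copied)."""
    st = list(init)
    return [lfsr_step(st, coeffs) for _ in range(m)]

def lfsr_period(init: List[int], coeffs: List[int]) -> int:
    """Number of ticks until the state first returns to init."""
    st = list(init)
    ticks = 0
    while True:
        lfsr_step(st, coeffs)
        ticks += 1
        if st == init:
            return ticks

def solve_gf2(rows: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Gauss-Jordan elimination over GF(2): returns x with rows * x = rhs,
    or None when the system is singular (2n bits then do not pin down c)."""
    n = len(rows)
    a = [rows[r][:] + [rhs[r]] for r in range(n)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if a[r][c]), None)
        if pivot is None:
            return None
        a[c], a[pivot] = a[pivot], a[c]
        for r in range(n):
            if r != c and a[r][c]:
                a[r] = [p ^ q for p, q in zip(a[r], a[c])]
    return [a[r][n] for r in range(n)]

def reconstruct(y: List[int], n: int) -> Optional[dict]:
    """Attacker's view: from the first 2n output bits y[0..2n-1] (= y_1..y_2n)
    of a degree-n LFSR, recover the initial state and the coefficients."""
    if len(y) < 2 * n:
        raise ValueError("need at least 2n output bits")
    init_state = y[:n]                          # y_i = s_{i-1}^{(0)}, i = 1..n
    rows, rhs = [], []
    for i in range(n + 1, 2 * n + 1):           # y_i = XOR_j c_j * y_{i-n+j}
        rows.append([y[i - n + j - 1] for j in range(n)])
        rhs.append(y[i - 1])
    coeffs = solve_gf2(rows, rhs)
    if coeffs is None:
        return None
    return {"state": init_state, "coeffs": coeffs}

if __name__ == "__main__":
    slide = [1, 0, 1, 0]      # c0 = c2 = 1, c1 = c3 = 0: the slide's degree-4 figure
    maximal = [1, 1, 0, 0]    # c0 = c1 = 1: a maximal-length degree-4 LFSR (period 15)
    for name, c in (("slide", slide), ("maximal", maximal)):
        y = lfsr_output([1, 0, 0, 0], c, 8)
        print(name, "period:", lfsr_period([1, 0, 0, 0], c),
              "output:", y, "recovered:", reconstruct(y, 4))
```

The slide's coefficients give a period of only 6 (its feedback polynomial is not primitive), while $c_0 = c_1 = 1$ visits all 15 non-zero states; in both cases eight output bits are enough to recover everything. `solve_gf2` returns `None` when the n windows of output are linearly dependent, the one situation in which 2n bits are not enough.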
Adding nonlinear feedback
• To thwart such an attack, we introduce nonlinearity into the picture. A nonlinear-feedback shift register (FSR) looks like its LFSR cousin.
• However, the new value of the left-most register is a nonlinear function of the current registers:
$$s^{(t+1)}_i := s^{(t)}_{i+1}, \qquad i = 0, \ldots, n-2$$
$$s^{(t+1)}_{n-1} := g(s^{(t)}_0, \ldots, s^{(t)}_{n-1}).$$
Nonlinear combination generators
• It is also possible to add nonlinearity in the output sequence. In the simplest case, we have an LFSR as before, but whose output is a nonlinear function g of all the current registers.
• It is important that g is balanced in the sense that $\Pr[g(s_0, \ldots, s_{n-1}) = 1] \approx 1/2$, else the output will be biased and hence easily distinguishable from uniform.
• Finally, we may choose to generate the output by combining the output streams from several LFSRs. The individual LFSRs need not have the same length.
Putting it all together: Trivium
• Trivium uses three coupled nonlinear FSRs, denoted A, B, and C, having degree 93, 84, and 111.
• The Init algorithm loads an 80-bit key into the 80 left-most registers and an 80-bit IV into the 80 right-most registers. The remaining registers are set to 0, except for the three right-most bits of register C, which are set to 1.
• GetBits is run 4 · 288 times and the resulting state is taken as $st_0$.
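Trivium's Init and GetBits, as an added example written for these notes (not the slides' own code). The slide gives only the register sizes and the loading rule; the feedback taps, the AND terms that make the feedback nonlinear (the FSR idea of the previous slides), and the exact positions at which the key and IV are loaded follow the public eSTREAM specification of Trivium. Packing each byte into bits least-significant bit first is a convention assumed here. `trivium_load` sets up the state without the 4 · 288 warm-up ticks so the raw update rule can be checked; `trivium_init` is the slide's Init:

```python
from typing import List

def _bits_lsb_first(data: bytes, nbits: int) -> List[int]:
    # byte -> bit unpacking, least-significant bit of each byte first (assumed convention)
    return [(data[i >> 3] >> (i & 7)) & 1 for i in range(nbits)]

def trivium_getbit(s: List[int]) -> int:
    """One clock tick on the 288-bit state (s[0] is s_1 of the specification).
    Registers: A = s[0:93] (93 bits), B = s[93:177] (84), C = s[177:288] (111).
    Returns the output bit and shifts all three registers in place."""
    t1 = s[65] ^ s[92]                     # taps of A
    t2 = s[161] ^ s[176]                   # taps of B
    t3 = s[242] ^ s[287]                   # taps of C
    z = t1 ^ t2 ^ t3                       # output bit is linear in the state ...
    t1 ^= (s[90] & s[91]) ^ s[170]         # ... but the feedback is not: AND of two neighbours
    t2 ^= (s[174] & s[175]) ^ s[263]
    t3 ^= (s[285] & s[286]) ^ s[68]
    # shift each register by one position and insert the new bit at its left end
    s[1:93] = s[0:92];      s[0] = t3      # C feeds A
    s[94:177] = s[93:176];  s[93] = t1     # A feeds B
    s[178:288] = s[177:287]; s[177] = t2   # B feeds C
    return z

def trivium_load(key: bytes, iv: bytes) -> List[int]:
    """Load key and IV into an otherwise zero state (no warm-up)."""
    if len(key) != 10 or len(iv) != 10:
        raise ValueError("Trivium takes an 80-bit key and an 80-bit IV")
    s = [0] * 288
    s[0:80] = _bits_lsb_first(key, 80)     # key -> first 80 bits of A
    s[93:173] = _bits_lsb_first(iv, 80)    # IV  -> first 80 bits of B
    s[285:288] = [1, 1, 1]                 # the three right-most bits of C are set to 1
    return s

def trivium_init(key: bytes, iv: bytes) -> List[int]:
    """The slide's Init: load, then clock 4 * 288 times discarding the output."""
    s = trivium_load(key, iv)
    for _ in range(4 * 288):
        trivium_getbit(s)
    return s

def trivium_keystream(key: bytes, iv: bytes, nbits: int) -> List[int]:
    s = trivium_init(key, iv)
    return [trivium_getbit(s) for _ in range(nbits)]

def ones_fraction(bits: List[int]) -> float:
    """Crude balance check: fraction of 1 bits in a keystream sample."""
    return sum(bits) / len(bits)

if __name__ == "__main__":
    key, iv = bytes(10), bytes(10)         # constructed all-zero key and IV for illustration
    ks = trivium_keystream(key, iv, 64)
    print("first 64 keystream bits:", "".join(map(str, ks)))
    print("fraction of ones over 4096 bits:", ones_fraction(trivium_keystream(key, iv, 4096)))
```

With the all-zero key and IV the un-warmed state outputs 1, 1, 1, 0 on the first four ticks (the three set bits of C drain through the $s_{288}$ tap one per tick), which is a hand-checkable test of the update rule; after the warm-up the output is balanced and changes completely when a single IV byte changes.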
Crash and burn: RC4
• LFSRs are efficient in hardware, but have poor software performance.
• The stream cipher RC4, designed by Ron Rivest in 1987, is fast, easy to implement, and has resisted attack for several years.
• Despite the fact that it is still in wide use today, recent attacks have demonstrated serious weaknesses, and it should no longer be used.
RC4 Init algorithm
Algorithm 6.1
Init algorithm for RC4
Input: 16-byte key k (the loop below indexes 16 key bytes, k[0], ..., k[15])
Output: Initial state (S, i, j)
(Note: All addition is done modulo 256)
for i = 0 to 255:
    S[i] := i
    k[i] := k[i mod 16]
j := 0
for i = 0 to 255:
    j := j + S[i] + k[i]
    Swap S[i] and S[j]
i := 0, j := 0
return (S, i, j)
RC4 GetBits algorithm
Algorithm 6.2
GetBits algorithm for RC4
Input: Current state (S, i, j)
Output: Output byte y; updated state (S, i, j)
(Note: All addition is done modulo 256)
i := i + 1
j := j + S[i]
Swap S[i] and S[j]
t := S[i] + S[j]
y := S[t]
return (S, i, j), y
The use of an initial vector in RC4
• RC4 was not designed to take an IV, but an IV is often incorporated by concatenating it with the actual key $k'$.
• When used in unsynchronized mode, the IV would be sent in the clear to the receiver.
• This is the method used in Wired Equivalent Privacy (WEP) encryption for protecting 802.11 wireless networks.*
*Danger Will Robinson!
Attacking RC4
• The text gives a simple attack on RC4 (not relying on the use of an IV) that exploits the fact that the second output byte of RC4 is (slightly) biased toward 0.*
• A more serious attack against RC4 is possible when an IV is incorporated by prepending it to the key, which allows the attacker to recover the key.
• This attack can be used to completely break WEP encryption, and was influential in getting the standard replaced.
*You will explore this further in your homework.
An attack on RC4 exploiting the initial vector
• Note that when the IV is prepended to the actual key $k'$ (so $k = IV \,\|\, k'$), the first few bytes of k are given to the attacker for free.
• WEP IVs are 3 bytes long. The attacker waits for the first two bytes to have a specific form*, say (3, 255, X) where X is arbitrary.
• After four iterations of the second loop of Init,
$$S[0] = 3, \quad S[1] = 0, \quad S[3] = X + 6 + k[3],$$
and in the next 252 iterations i is always greater than 3. So S[0], S[1], S[3] are not changed as long as $j \neq 0, 1, 3$. This happens with probability $(253/256)^{252} \approx 0.05$.
*The attack can be carried out with several possibilities.