Page 1


Pastry Dough Mixing

Practical Construction of Stream Ciphers

Foundations of Cryptography

Computer Science Department

Wellesley College

Fall 2016


Table of contents

Introduction

Stream Ciphers

Feedback Shift Registers

Stream Ciphers in Real Life

Page 2


Practical construction of symmetric-key primitives

• We know how to construct secure encryption schemes and message authentication codes from cryptographic primitives such as pseudorandom generators.

• But we have no idea how to construct these primitives, or even whether they exist.

• Starting today we focus on efficient heuristic constructions*

*While we can’t prove these primitives secure, they are based on design principles, some of which can be justified by theory, and have withstood the test of time.


Production of pastry dough

• Claude Shannon pointed out that the composition of non-commuting encryption methods works like a thorough pastry dough mixing.

• Iterating the product encryption increases the mix.

• However, we need to choose our mixing methods with great care in order to maximize mixing without inadvertently moving toward convergence.

Page 3


Mixing through reflection and affine distortion

• Consider the composition of a reflection with an affine distortion, followed by a reduction to the basic format by cutting off and pasting back the protruding corners:

$$T:\ \begin{cases} x' = y \\[4pt] y' = \begin{cases} x + y + 1 & \text{if } x + y \ge 1 \\ x + y & \text{if } 0 \le x + y < 1 \end{cases} \end{cases}$$


The mixing of F. L. Bauer

Applying this method to a picture of the cryptographer F. L. Bauer does seem to result in a total mix.

Page 4


The resurrection of F. L. Bauer

• However, in the discrete spaces of cryptography, any iteration of a fixed transformation is periodic.

• Texture turns up in our mix of FLB after only 48 steps, a fourfold ghost haunts us in step 192 ...

• The moral of the story: Choose your mixing methods with great care.


Stream ciphers revisited

Recall that we view a stream cipher as a pair of deterministic algorithms:

• Init takes a seed s and an optional initialization vector IV, and outputs an initial state st0.

• GetBits takes as input state information sti, and outputs a bit y and an updated state sti+1.

Today we investigate several methods dedicated to the construction of stream ciphers.

Page 5


Cautionary tales

• We have already seen how stream ciphers can be constructed from block ciphers.

• The primary motivation for using dedicated stream-cipher constructions is efficiency, especially in resource-constrained environments.

• However, attacks have been shown against recent constructions of stream ciphers, and their security appears more tenuous than for block ciphers.


Linear-Feedback Shift Registers

• Linear-feedback shift registers (LFSRs) are efficient to implement in hardware, and generate output having good statistical properties.

• By themselves they do not give cryptographically strong pseudorandom generators, but they can be used as a component in building stream ciphers with better security.

Page 6


Linear-Feedback Shift Registers

• An LFSR consists of an array of n registers $s_{n-1}, \ldots, s_0$ along with a feedback loop specified by a set of n feedback coefficients $c_{n-1}, \ldots, c_0$. The size of the array is called the degree of the LFSR.

• Each register stores a single bit, and the state st of the LFSR is the set of bits in all the registers. The state is updated in each of a series of “clock ticks.”


At the next tick of the clock ...

• Suppose that the state of an LFSR at time t is $s^{(t)}_{n-1}, \ldots, s^{(t)}_0$.

• Then the state after the next clock tick is $s^{(t+1)}_{n-1}, \ldots, s^{(t+1)}_0$, where

$$s^{(t+1)}_i := s^{(t)}_{i+1}, \quad i = 1, \ldots, n-2$$

$$s^{(t+1)}_{n-1} := \bigoplus_{i=0}^{n-1} c_i \cdot s^{(t)}_i .$$

• The figure shows a degree-4 LFSR with $c_0 = c_2 = 1$ and $c_1 = c_3 = 0$.

Page 7


After each tick of the clock

• The LFSR outputs the value of the right-most register $s_0$.

• If we denote the output bits by $y_1, y_2, \ldots$, where $y_i = s_0^{(i-1)}$, then

$$y_i = s^{(0)}_{i-1}, \quad i = 1, \ldots, n$$

$$y_i = \bigoplus_{j=0}^{n-1} c_j \cdot y_{i-n+j}, \quad i > n .$$


Shades of F. L. Bauer

• The state of the LFSR consists of n bits; thus, the LFSR can cycle through at most $2^n$ possible states before repeating.

• When the states repeat, the output bits repeat.

• A maximum-length LFSR cycles through all $2^n - 1$ states before repeating.*

• It is well understood how to set the feedback coefficients to obtain a maximal-length LFSR, but we won’t go there.

*If the all-zero state is ever realized, then the LFSR remains in that state forever, which is the reason it is excluded.

Page 8


Reconstruction attacks

• The output of a maximal-length LFSR of degree n has good statistical properties, but it isn’t a Jedi yet: an attacker can reconstruct the entire state of a degree-n LFSR after observing at most 2n bits.

• The first n output bits reveal the initial state:

$$y_i = s^{(0)}_{i-1}, \quad i = 1, \ldots, n$$

• Given the next n output bits, the attacker can set up n linear equations in the n unknowns $c_{n-1}, \ldots, c_0$:

$$y_{n+1} = c_{n-1}\, y_n \oplus \cdots \oplus c_0\, y_1$$

$$\vdots$$

$$y_{2n} = c_{n-1}\, y_{2n-1} \oplus \cdots \oplus c_0\, y_n$$
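The clocking rule of the previous slides and the reconstruction from 2n output bits, carried out in Python as an added example (not code from the lecture or the textbook): the shift is applied to every register s_0, ..., s_{n-2}, and the n linear equations above are solved by Gauss-Jordan elimination over GF(2); the names lfsr_stream, solve_gf2 and reconstruct_lfsr are chosen here.

```python
from typing import List, Optional, Tuple


def lfsr_stream(coeffs: List[int], state: List[int], nbits: int) -> List[int]:
    """Clock a degree-n LFSR nbits times and return its output bits y_1..y_nbits.

    state[i] is register s_i (s_0 is the right-most register and the output);
    coeffs[i] is the feedback coefficient c_i.  Every tick shifts s_i <- s_{i+1}
    for i = 0..n-2 and loads s_{n-1} with XOR_i c_i * s_i.
    """
    n = len(coeffs)
    s = list(state)
    out = []
    for _ in range(nbits):
        out.append(s[0])
        feedback = 0
        for i in range(n):
            feedback ^= coeffs[i] & s[i]
        s = s[1:] + [feedback]
    return out


def solve_gf2(rows: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Gauss-Jordan elimination over GF(2): solve rows * x = rhs with XOR arithmetic.
    Returns None when the system is singular (these 2n bits do not determine c)."""
    n = len(rhs)
    aug = [rows[r] + [rhs[r]] for r in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [aug[r][n] for r in range(n)]


def reconstruct_lfsr(y: List[int], n: int) -> Optional[Tuple[List[int], List[int]]]:
    """Recover (initial state, coefficients) of a degree-n LFSR from 2n output bits.
    y[0] is y_1; the first n bits are the initial state (y_i = s_{i-1}^(0)), and
    y_{n+k} = XOR_j c_j * y_{k+j} for k = 1..n gives one equation per unknown."""
    if len(y) < 2 * n:
        raise ValueError("need at least 2n output bits")
    state = y[:n]
    rows = [[y[k + j] for j in range(n)] for k in range(n)]
    rhs = [y[n + k] for k in range(n)]
    coeffs = solve_gf2(rows, rhs)
    return None if coeffs is None else (state, coeffs)
```

For the slide's degree-4 LFSR (c_0 = c_2 = 1) started from s_0 = 1, the first 8 output bits already give back both the state and the coefficients, so every later output bit can be predicted.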


Adding nonlinear feedback

• To thwart such attacks, we introduce nonlinearity into the picture. A nonlinear-feedback shift register (FSR) looks like its LFSR cousin.

• However, the new value of the left-most register is a nonlinear function of the current registers:

$$s^{(t+1)}_i := s^{(t)}_{i+1}, \quad i = 1, \ldots, n-2$$

$$s^{(t+1)}_{n-1} := g(s^{(t)}_0, \ldots, s^{(t)}_{n-1}).$$

Page 9


Nonlinear combination generators

• It is also possible to add nonlinearity in the output sequence. In the simplest case, we have an LFSR as before, but whose output is a nonlinear function g of all the current registers.

• It is important that g is balanced, in the sense that $\Pr[g(s_0, \ldots, s_{n-1}) = 1] \approx 1/2$; otherwise the output will be biased and hence easily distinguishable from uniform.

• Finally, we may choose to generate the output by combining the output streams from several LFSRs. The individual LFSRs need not have the same length.


Putting it all together: Trivium

• Trivium uses three coupled, nonlinear FSRs denoted A, B, C and having degree 93, 84, and 111.

• The Init algorithm loads an 80-bit key into the 80 left-most registers and an 80-bit IV into the 80 right-most registers. The remaining registers are set to 0, except for the three right-most bits of register C, which are set to 1.

• GetBits is run 4 · 288 times and the resulting state is taken as st0.

Page 10


Crash and burn: RC4

• LFSRs are efficient in hardware, but have poor software performance.

• The stream cipher RC4, designed by Ron Rivest in 1987, is fast, easy to implement, and has resisted attack for several years.

• Despite the fact that it is still in wide use today, recent attacks have demonstrated serious weaknesses, and it should no longer be used.


RC4 Init algorithm

Algorithm 6.1

Init algorithm for RC4

Input: 16-byte key k
Output: Initial state (S, i, j)
(Note: All addition is done modulo 256)
for i = 0 to 255:
    S[i] := i
    k[i] := k[i mod 16]
j := 0
for i = 0 to 255:
    j := j + S[i] + k[i]
    Swap S[i] and S[j]
i := 0, j := 0
return (S, i, j)

Page 11


RC4 GetBits algorithm

Algorithm 6.2

GetBits algorithm for RC4

Input: Current state (S, i, j)
Output: Output byte y; updated state (S, i, j)
(Note: All addition is done modulo 256)
i := i + 1
j := j + S[i]
Swap S[i] and S[j]
t := S[i] + S[j]
y := S[t]
return (S, i, j), y


The use of an initial vector in RC4

• RC4 was not designed to take an IV, but an IV is often incorporated by concatenating it with the actual key k′.

• When used in unsynchronized mode, the IV would be sent in the clear to the receiver.

• This is the method used in Wired Equivalent Privacy (WEP) encryption for protecting 802.11 wireless networks.*

*Danger Will Robinson!

Page 12


Attacking RC4

• The text gives a simple attack on RC4 (not relying on the use of an IV) that exploits the fact that the second byte of RC4 output is (slightly) biased toward 0.*

• A more serious attack against RC4 is possible when an IV is incorporated by prepending it to the key, which allows the attacker to recover the key.

• This attack can be used to completely break WEP encryption, and was influential in getting the standard replaced.

*You will explore this further in your homework.


An attack on RC4 exploiting the initial vector

• Note that when the IV is prepended to the actual key k′ (so k = IV ‖ k′), the first few bytes of k are given to the attacker for free.

• WEP IVs are 3 bytes long. The attacker waits for the first two bytes to have a specific form*, say (3, 255, X) where X is arbitrary.

• After four iterations of the second loop of Init,

S[0] = 3, S[1] = 0, S[3] = X + 6 + k[3],

and in the next 252 iterations, i is always greater than 3. So S[0], S[1], S[3] are not changed as long as j ≠ 1, 2, 3. This happens with probability $(253/256)^{252} \approx 0.05$.

*The attack can be carried out with several possibilities.