Stream Cipher q Introduction q Pseudorandomness q LFSR

Stream Cipher q Introduction q Pseudorandomness q LFSR q Design ü Refer to “Handbook of Applied Cryptography” [Ch 5 & 6] 1 © Information Security Group, ICU

Stream Cipher q. Introduction • Originate from one-time pad • bit-by-bit Exor with pt and key stream (ci = mi zi) • Encryption = Decryption --> Symmetric • Use LFSR (Linear Feedback Shift Register) • (external) Synchronous or self-synchronous q. Properties • Faster and Low Complexity in H/W • Security measure : Period of key stream, LC(Linear Complexity), Statistical properties • Vast amounts of theoretical knowledge • Proprietary and Confidential for Military 2 © Information Security Group, ICU

Sequence q. Def) ms=s 0, s 1, … : infinite seq. , msn=s 0, s 1, …, sn-1: n term of s mif si = si+n for all i >=0, s is periodic seq. having period n. mrun : subsequence of consecutive ‘ 0’(gap) or consecutive ‘ 1’(block) 3 © Information Security Group, ICU

Pseudorandomness 4 © Information Security Group, ICU

Golomb’s postulates(I) s. N : periodic seq. of period N (1) For a cycle of s. N, 0~1 balanceness, i. e, | #{si=1} - #{sj=0} | =<1 (2) For a cycle of s. N, half the runs have length 1, 1/4 have the length 2, …, etc. (3) Autocorrelation* function is two-valued * Measuring similarity between original and t-shifted sequences ** A sequence satisfying them is called Pseudo-Noise(PN) sequence. 5 © Information Security Group, ICU

Golomb’s postulates(II) (Ex) s 15 = 0, 1, 1, 0, 0, 0, 1, 1, 0, 1 (1) #{0} = 7, #{1}=8 (why ? ) (2) 8 runs, 4 runs with length 1 (2 gaps, 2 blocks), 2 runs with length 2 (1 gap, 1 block), 1 run with length 3 (1 gap), 1 run with length 4 (1 block) (3) Autocorrelation function, C(0)=1, C(t)= -1/15 Thus, PN-seq. 6 © Information Security Group, ICU

Statistical Randomness q Five Basic Tests m. Frequency Test (monobit) m. Serial Test (twobit; Overlapping is allowed) m. Poker Test (Frequency of m-bit subsequences) m. Runs Test m. Autocorrelation Test q Others m. Spectral Test m. Linear Complexity Profile m. Quadratic Complexity m. Universal Test 7 © Information Security Group, ICU

Statistical Test by FIPS 140 -1 For a given 20, 000 bit sample seq. (I) monobit test : The number of ‘ 1’=n 1, 9, 654 < n 1 < 10, 346 (2) poker test : m=4, 1. 03 < X 3 < 57. 4 (3) runs test : for length 1 i 6 (4) long run test : no run greater than 34 8 © Information Security Group, ICU

LFSR 9 © Information Security Group, ICU

Notation of LFSR § Notation: < L, C[D]> where connection poly. C[D] = 1 + c 1 D + c 2 D 2 + …+c. LDL Z 2[D] § If c. L=1, {i. e. , deg{C[D]}=L}, C[D] is called a nonsingular polynomial. § If initial stage is [s. L-1, … , s 1, s 0], output seq. s 0, s 1, … sj = (c 1 s j-1 + c 2 s j-2 + … + c Ls j-L) mod 2 , j L (Ex) <4, 1 + D 4> , 0 = [0, 1, 1, 0] s 4=s 3+s 0 § Finite State Machine t D 3 D 2 0 1 2 3 4 5 6 7 0 0 1 0 0 0 1 1 1 0 0 0 1 D 0 1 1 0 0 0 0 (6) 1 (3) 1 (9) 0 (4) 0 (2) 1 (1) 0 (8) 0 (12) t D 3 D 2 D 1 D 0 8 1 1 1 0 (14) 9 1 1 (15) 10 0 1 1 1 (7) 11 1 0 1 1 (11) 12 0 1 (5) 13 1 0 (10) 14 1 1 0 1 (13) 15 0 1 1 0 (6) Output Stage 3 D 3 Stage 2 D 2 Stage 1 D 1 Stage 0 D 0 Output seq. = 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0 10 © Information Security Group, ICU

Properties of m-LFSR(I) q The period of the sequence from LFSR divides 2 L-1 q A polynomial f(x) is called a primitive polynomial if f(x) | xk -1 for k=2 L-1 not for smaller k • # of monic primitive poly = (2 m-1)/m in Z 2[x] where is Euler-phi ft. q If the connection polynomial is primitive, the period is 2 L-1 q Such sequence is called Maximum-length Shift Register Seq. , M –seq. and LFSR is called m-LFSR. 11 © Information Security Group, ICU

Primitive Polynomials m k(k 1, k 2, k 3) 2 3 4 5 6 7 8 9 10 11 1 2 1 1 6, 5, 1 4 3 2 12 13 14 15 16 17 18 19 20 21 7, 4, 3, 1 12, 11, 1 1 5, 3, 2 3 7 6, 5, 1 3 2 22 23 24 25 26 27 28 29 30 31 1 5 4, 3, 1 3 8, 7, 1 3 2 16, 15, 1 3 m k(k 1, k 2, k 3) 32 33 34 35 36 37 38 39 40 41 28, 27, 1 13 15, 14, 1 2 11 12, 10, 2 6, 5, 1 4 21, 19, 2 3 Primitive polynomial over Z 2: - xm+xk+1(trinomial) - xm + xk 1+xk 2+xk 3+1(pentanomial) 12 © Information Security Group, ICU

Properties of LFSR(II) q Well suited for H/W implementation q Produce seq. of large period q Good statistical properties q Readily analyzed by algebraic structure q Breakable by consecutive 2 * L sequence : depends on computing an inverse matrix whose complexity is O(L 3), L : length of LFSR. one LFSR is useless. 13 © Information Security Group, ICU

Linear Complexity(I) q (Def) Given an infinite sequence s, the shortest length of LFSR’s that generate s is called Linear Complexity q Using Berlekamp-Massey algorithm, LC is computed q (Properties of LC) s, t : binary seq. m For any n 1, 0 L(sn) n m L(sn) =0 iff sn is ‘ 0’ seq. of length n. m L(sn) =n iff sn=0, 0, …, 0, 1. m If s is periodic with period N, L(sn) N. m L(s t) L(s) + L(t) 14 © Information Security Group, ICU

Linear Complexity(II) q sn : random seq. from all seq. of length n q Expectation value of LC where B(n)=0 if even n, otherwise 0 For large n E(L(sn)) n/2 + 2/9 and Var(L(sn)) 86/81 q (Def) LCP (Linear Complexity Profile) Denote LN is LC of s. N=s 0, s 1, …s. N-1, L 2, … LN is LCP 15 © Information Security Group, ICU

Nonlinear FSR f ( s j-1, s j-2, …, s j-L) Sj Sj-1 Sj-L+2 Stage L-1 sj-L+1 Stage 1 S j-L Stage 0 Output f() : nonlinear ft 16 © Information Security Group, ICU

Design 17 © Information Security Group, ICU

Synchronous Stream Cipher(I) f : next state ft, i+1 = f( i , k), 0 : initial value g : keystream generating ft, zi = g ( i , k), k : key § § h : output ft, ci = h (zi, mi) , mi : pt, zi : key stream, ci: ct § i i+1 i f k f g h k g zi mi i+1 zi ci ci Encryption 18 h-1 Decryption mi © Information Security Group, ICU

Synchronous Stream Cipher(II) q Keystream is independent of pt and ct q Properties m Synchronization requirement m No error propagation m Active attack Ø Insertion, deletion or replay will lose synchronization Ø Change selected ciphertext digits Need to have integrity check mechanisms 19 © Information Security Group, ICU

Self-Synchronous Stream Cipher(I) § § § i = (ci-t , ci-t+1, …, ci-1), 0 = (c-t, c-t+1, …, c-1) : initial value g : keystream generating ft, zi = g ( i , k), k : key h : output ft, ci = h (zi, mi) , mi : pt, zi : keystream, ci : ct k g g zi mi h k zi ci ci Encryption h-1 mi Decryption 20 © Information Security Group, ICU

Self-Synchronous Stream Cipher(II) q Keystream is independent of pt and ct q Properties m. Self-Synchronization m. Limited error propagation m. Active attack Ø Difficult to detect insertion, deletion, or replay Ø Easy to find passive modification m. More diffusion more resistant against attacks based on plaintext redundancy 21 © Information Security Group, ICU

Nonlinear Combiner(I) LFSR 1 LFSR 2 f Keystream, z LFSR n Algebraic Normal Form (ANF) : mod. 2 sum of distinct m-th order product of its variable, 0 <= m <= n Ex) f(x 1, x 2, x 3, x 4, x 5)=1 + x 2+ x 3 + x 4 x 5 + x 1 x 2 x 3 x 4, deg(f) =4 22 © Information Security Group, ICU

Nonlinear Combiner(II) q Geffe generator LFSR 1 LFSR 2 x 1 x 2 Keystream, z LFSR 3 x 3 • f(x 1, x 2, x 3) = x 1 x 2 (1+x 2)x 3 = x 1 x 2 x 2 x 3 • p(z) : (2 L 1 -1) (2 L 2 -1)(2 L 3 -1) where L 1, L 2 and L 3 are relatively prime • L(z) = L 1 L 2 + L 1 L 3 + L 3 • Prob(z(t)=x 1(t)) =3/4 Correlation attack is possible ! 23 © Information Security Group, ICU

Nonlinear Combiner(III) q Summation generator Carry LFSR 1 LFSR 2 LFSR n If Li and Lj are pairwise relatively prime, then p(z) = i=1 n (2 Li -1) LC p(z) But vulnerable to the correlation attack of carry and 2 -adic span x 1 x 2 xn z, keystream 24 © Information Security Group, ICU

Clock-controlled generator(I) q Alternating step generator LFSR R 2 Clock z, keystream LFSR R 1 LFSR R 3 R 1 : de Brujin seq. of period 2 L 1 R 2, R 3 : m-seq s. t. , gcd(L 2, L 3)=1 p(z) = 2 L 1 (2 L 2 -1)(2 L 3 -1) L(z) : (L 2 + L 3) 2 L 1 -1 < L(z) <= (L 2+L 3) 2 L 1 m Best known attack is a divide-and-conquer attack on the control register R 1 in 2 L m L should be about 128 (de Brujin = maximal period) 25 © Information Security Group, ICU

Clock-controlled generator(II) q Shrinking generator LFSR R 1 ai Clock LFSR R 2 bi ai=1 ai=0 output bi discard bi • If gcd(L 1, L 2) =1, p(z) = (2 L 2 -1) 2 L 1 -1 • L 2 2 L 1 -2 < L(z) < L 2 2 L 1 -1 • Best known attack takes O(2 L 1 L 23). Li is about 64 26 © Information Security Group, ICU

Other generators q Cascade Generator q CSPRBG(Cryptographically Secure Pseudo Random Bit Generator) m. RSA LSB Generator m. BBS Generator (p. 336) q Pseudo-noise Generator m. Noise Diode or Noise Transistor q Feedback with Carry Shift Register (FCSR) m 2 -adic span q Stream Ciphers: SEAL, A 5, RC 4, PKZIP, FISH, PIKE, etc. 27 © Information Security Group, ICU

Correlation Attack 28 © Information Security Group, ICU

Correlation Attack (I) q Siegenthaler, 1984 m The complexity of a Combining Generator depends on the correlation of the combining function F. m Divide-and-Conquer Attack - If the output of F has a correlation with the output of KSG 1, we can find the initial vector of the KSG 1 KSG 2 KSG n x 1 x 2 F z xn 29 © Information Security Group, ICU

Correlation Attack (II) q Assume Prob(z=0|xi=0)=1/2 -e, e>0 q Identify the initial vector of the KSGi by Divide and Conquer KSG 1 q Known ciphertext attack KSG 2 x 1 x 2 m. Assume an initial vector of KSGi xn m. Generate xi’ from KSGi KSG n m. Compute e’=1/2 - Prob(z=0|xi’=0) m. If the initial vector is correct, we must have e’=e. If not, we have e 0 since x’ has no correlation with z m. This attack is very effective. So e must be zero. 30 F © Information Security Group, ICU z

Resilient Functions q A balanced function {0, 1}m - every possible output m-tuple is equally likely to occur q A k-resilient function f : {0, 1}n {0, 1}m - every possible output m-tuple is equally likely to occur when the values of k arbitrary inputs are fixed and the remaining n-k input bits are chosen independently at random. q A 0 -resilient function is just a balanced function. q A k-resilient function is (k-1)-resilient. q E. g. ) f(x 1, x 2)=x 1+x 2 is 1 -resilient. 31 © Information Security Group, ICU

Multi-output Stream Ciphers q To design a multi-output stream cipher based on a combining generator, we need a resilient function which m is nonlinear m has algebraic degree as large as possible (for large LC) m has nonlinearity as large as possible m has resiliency as large as possible KSG 1 KSG 2 F KSG n 32 © Information Security Group, ICU

Summary of a Stream Cipher q Period : Depends on req’d level of security q Linear Complexity mshortest LFSR that generates a given seq. q Measure against Correlation Attack m. Correlation Immune function m. Nonlinear function * A 5 (for GSM) crack survey: http: //www. jya. com/crack-a 5. htm 33 © Information Security Group, ICU