1 / 81

Session 2: Secret key cryptography – stream ciphers – part 2

Session 2: Secret key cryptography – stream ciphers – part 2. The Berlekamp-Massey algorithm. Computational complexity of the Berlekamp-Massey algorithm is quadratic in the length of the minimum LFSR capable of generating the intercepted sequence.

orrick
Télécharger la présentation

Session 2: Secret key cryptography – stream ciphers – part 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Session 2: Secret key cryptography – stream ciphers – part 2

  2. The Berlekamp-Massey algorithm • Computational complexity of the Berlekamp-Massey algorithm is quadratic in the length of the minimum LFSR capable of generating the intercepted sequence. • Thus, if the linear complexity is very high, then the task of predicting the next bits of the sequence is too complex.

  3. The Berlekamp-Massey algorithm • Then, in order to prevent the cryptanalysis of a pseudorandom sequence generator, we must design it in such a way that its linear complexity is too high for the application of the Berlekamp-Massey algorithm.

  4. Pseudorandom sequence generators • Based on LFSRs • The goals: • Preserve good characteristics of the PN-sequences • Increase the linear complexity • The key is the initial state • Different families of generators

  5. Combinational generators LFSR LFSR LFSR • Non linear filter • Non linear combiner

  6. Non linear filters • In general, it is difficult to calculate the value of the linear complexity of the resulting sequence. • However, under some special conditions, it is possible to estimate the linear complexity of the resulting sequence.

  7. Algebraic normal form • It is the form of a Boolean function that uses only the operations  and  • In the ANF, the product that includes the largest number of variables is denominated non linear order of the function. • Example: The non linear order of the function f(x1,x2,x3)=x1x2x3x1x3 is 2.

  8. Algebraic normal form • The ANF of a function can be determined from its truth table. The Möbius transform

  9. Algebraic normal form • Example: n=3, u=001 x 000 001 010 011 100 101 110 111

  10. Algebraic normal form • Example: n=3, u=010 x 000 001 010 011 100 101 110 111

  11. Algebraic normal form • Example: n=3

  12. Algebraic normal form • u=000u=001 u=010 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 a000=f(0,0,0)=0 a001=f(0,0,0)+ +f(0,0,1)=0+1=1 a010=f(0,0,0)+ +f(0,1,0)=0+0=0

  13. Algebraic normal form • u=011 u=100u=101 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 a101=f(0,0,0)+ f(0,0,1)+f(1,0,0)+f(1,0,1)=0+1+0+1=0 a011=f(0,0,0)+ f(0,0,1)+f(0,1,0)+f(0,1,1)=0+1+0+1=0 a100=f(0,0,0)+ +f(1,0,0)=0+0=0

  14. Algebraic normal form • u=110u=111 000 001 010 011 100 101 110 111 a111=f(0,0,0)+ f(0,0,1)+f(0,1,0)+f(0,1,1)+ f(1,0,0)+f(1,0,1)+f(1,1,0)+ f(1,1,1)=0 a110=f(0,0,0)+ f(0,1,0)+f(1,0,0)+f(1,1,0)=0+0+0+1=1

  15. Algebraic normal form • f(x0,x1,x2)=a001x2+a110x0x1=x2+x0x1

  16. Non linear filters • Theorem (Rueppel, 1984): • With the LFSR of length n and with the filter function with the property that its unique term in the ANF of maximum order k is a product of equidistant phases, the lower limit of the linear complexity of the resultant sequence is

  17. Non linear filters • Design principles: • The feedback polynomial: primitive • The filter function must have various terms of each order. • kn/2 • Include a linear term in order to obtain good statistical properties of the resulting sequence (balanced filter function).

  18. Non linear combiners • In these generators, the keystream sequence is obtained by combining the output sequences of various LFSRs in a non linear manner. • Example – it is possible to use a Boolean function (without memory).

  19. Non linear combiners • Two cryptographic principles by Shannon: • Confusion – we must use complicated transformations – as many bits of the key as possible should be involved in obtaining a single bit of the keystream sequence (and the ciphertext). • Diffusion – Every bit of the key must affect many bits of the keystream sequence (and the ciphertext).

  20. Non linear combiners • Possible flaws of non linear combiners (to be considered during the design): • Bad statistical properties – e.g. too many zeros/ones in the output sequence. • Correlation – The output sequence coincides too much with one or more internal sequences – this enables correlation attacks.

  21. Non linear combiners • Correlation attacks: • It is possible to divide the task of the cryptanalyst into several less difficult tasks – “Divide and conquer”. • In order to prevent the correlation attacks, the non linear function of the combiner must have, at the same time: • as high non linear order as possible • as high correlation immunity as possible. • These two requirements are opposite – we must find a trade off between these two values.

  22. Non linear combiners • Correlation immunity: • A Boolean function is correlation immune of order m if its output sequence is not correlated with any set of m and less input sequences. • But, the higher the correlation immunity, the lower the non linear order k. • The trade off (N is the number of variables) m+kN; 1kN, 0mN-1

  23. Non linear combiners • A Boolean function is balanced if it has an equal number of 0s and 1s in its truth table. • The balanced correlation immune functions of order m are denominated m-resilient functions.

  24. Non linear combiners • Example: • The sum modulo 2 of N variables has the maximum possible value of correlation immunity, N-1, but its non linear order is 1. • If the combination function contains memory, then the trade off between the correlation immunity and non linearity is not needed – it is possible to maximize both values – a single bit of memory is enough (Rueppel, 1984).

  25. Non linear combiners • If F is a Boolean function of N periodic input sequences a1(t), a2(t), ..., aN(t), then the output sequence b(t) = F(a1(t), a2(t), ..., aN(t)) is a linear combination of various products of sequences. • These products are determined by determining the ANF of the function F.

  26. Non linear combiners • If in the ANF of the function F instead of the sum and product modulo 2 we use the sum and product of integers, the resulting function is denominated F* and for the linear complexity and the period of the output sequence of F the following holds:

  27. Non linear combiners • Example: • If the characteristic polynomials of the input sequences are: All these polynomials are primitive!

  28. Non linear combiners • Example (cont.): • Then

  29. Non linear combiners • The sum of N sequences in GF(q): • The equality holds if the characteristic polynomials of the input sequences are mutually prime.

  30. Non linear combiners • The sum of N sequences in GF(q): • Obviously, if the periods of the input sequences are mutually prime then

  31. Non linear combiners • Example: Primitive! The periods are Mersenne primes

  32. Non linear combiners • Product of N sequences in GF(q): • Theorem (Golić, 1989) If Per(ai) are mutually prime, then • Theorem (Lidl, Niedereiter) Per(ai) are mutually prime

  33. Non linear combiners • Example: Primitive! The periods are Mersenne primes

  34. Non linear combiners • The general case: • Let be the Boolean function obtained by removing all the products from the function F except those of the maximum order. Let be the corresponding integer function.

  35. Non linear combiners • Theorem (Golić, 1989) • F depends on all the N input variables. • Per(ai) are mutually prime. • Then

  36. Non linear combiners • Example: • If the characteristic polynomials of the input sequences are: Primitive, periods Mersenne primes

  37. Non linear combiners • Example (cont.)

  38. Geffe’s generator F balanced – good statistical properties

  39. Geffe’s generator • The equivalent scheme

  40. Geffe’s generator • Example: polynomials – primitive, with periods that are Mersenne primes.

  41. Geffe’s generator • Problem: Correlation!

  42. Correlation immune functions • Is there a way to find a Boolean memoryless combiner that guarantees a high level of correlation immunity? • This is a difficult problem and there is no final answer. • However, some Boolean combiners are known to have a high level of correlation immunity.

  43. Correlation immune functions • One of the classes of such “good” functions – Latin squares. • A Latin square is an n×n scheme of integers in which each element appears exactly once in each row and in each column.

  44. Correlation immune functions • Basic property of Latin squares: • If we exchange two rows/columns of a Latin square, the obtained scheme is also a Latin square. • This gives rise to a construction (one of the possible algorithms): • We start from the table of addition of the additive group with n elements. • We exchange some rows and columns of the table several times.

  45. Correlation immune functions • Example – a Latin square of order 4:

  46. Correlation immune functions • A Latin square of dimension n as a family of log2n Boolean functions (a vectorial Boolean function with log2n outputs): • There are 2 address branches, log2n bits each • The output has log2n bits. • Example (see previous slide): • The address is 0110 (the two most significant bits address the row). • The output is 10.

  47. Correlation immune functions • Basic correlation-related property of Latin squares: • Each bit of output is correlated with a linear combination of inputs that are located in both address branches. • Consequence: there is no way of analyzing the address branches individually – no divide and conquer.

  48. Correlation immune functions

  49. Decimation of sequences • The principal characteristic: • The output sequence of a subgenerator controls the clock sequence of one or more subgenerators.

  50. Decimation of sequences • Example 1: • X=1,1,0,1,0,1,0,1 • Y=0,1,0,0,1 • Z=1,0,1,0,0 • Example 2: • X and Y are generated by LFSRs and the BRM is applied

More Related