
Cryptography I




  1. Cryptography I Lecture 6 Dimitrios Delivasilis Department of Information and Communication Systems Engineering University of Aegean

  2. Stream Ciphers • Refreshing our memory • Stream ciphers can be either symmetric-key or public-key • Block ciphers are memoryless • Stream ciphers are said to have memory • Unconditionally secure • A symmetric key system is unconditionally secure if H(K)≥H(M). In other words, the uncertainty of the secret key must be at least as great as the uncertainty of the plaintext

  3. Synchronous Stream Ciphers
  • Definition: A synchronous stream cipher is one in which the keystream is generated independently of the plaintext
  • Encryption: σ_{i+1} = f(σ_i, k), z_i = g(σ_i, k), c_i = h(z_i, m_i)
  • Decryption: σ_{i+1} = f(σ_i, k), z_i = g(σ_i, k), m_i = h^{-1}(z_i, c_i)
  • Notation: m_i: plaintext, c_i: ciphertext, k: key, z_i: keystream, σ_i: state
  • Functions: g produces the keystream z_i, h combines the keystream and plaintext to produce ciphertext, and f is the next-state function.

  4. More on synchronous stream ciphers
  • Properties of synchronous stream ciphers:
  • Synchronisation requirements
  • No error propagation
  • Active attacks
  • Definition: A binary additive stream cipher is a synchronous stream cipher in which the keystream, plaintext, and ciphertext digits are binary digits, and the output function h is the XOR function.
  • Encryption: c_i = m_i ⊕ z_i, where the keystream generator driven by the key k produces z_i
  • Decryption: m_i = c_i ⊕ z_i, using the same keystream generator and key k

  5. Self-synchronising stream ciphers
  • Definition: A self-synchronising or asynchronous stream cipher is one in which the keystream is generated as a function of the key and a fixed number of previous ciphertext digits.
  • Encryption: z_i = g(k, c_{i−t}, …, c_{i−1}), c_i = h(z_i, m_i), where t is the fixed number of previous ciphertext digits fed back
  • Decryption: z_i = g(k, c_{i−t}, …, c_{i−1}), m_i = h^{-1}(z_i, c_i)

  6. Properties of self-synchronising stream ciphers • Self-synchronising: capable of re-establishing proper decryption automatically after loss of synchronisation, with only a fixed number of plaintext characters unrecoverable • Limited error propagation: If a single ciphertext digit is modified during transmission, then decryption of up to t subsequent ciphertext digits may be incorrect, after which correct decryption resumes • Active attacks: It is more difficult to detect insertion, deletion, or replay of ciphertext digits by an active adversary • Diffusion of plaintext: Self-synchronising stream ciphers may be more resistant than synchronous stream ciphers against attacks based on plaintext redundancy

  7. Linear feedback shift registers (LFSRs)
  • Characteristics:
  • LFSRs are well-suited to hardware implementation
  • Produce sequences of large period
  • Produce sequences with good statistical properties
  • Due to their structure, they can be readily analysed using algebraic techniques
  • Definition: A linear feedback shift register (LFSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L−1, each capable of storing one bit and having one input and one output; and a clock which controls the movement of data. During each unit of time the following operations are performed: (i) the content of stage 0 is output and forms part of the output sequence; (ii) the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1; (iii) the new content of stage L−1 is the feedback bit s_j, which is calculated by adding together modulo 2 the previous contents of a fixed subset of stages 0, 1, …, L−1

  8. LFSR analysis
  Figure: A linear feedback shift register (LFSR) of length L. Stages L−1, L−2, …, 1, 0 are drawn left to right; stage 0 is the output, and the feedback bit s_j entering stage L−1 is the modulo-2 sum of the stage contents selected by the tap coefficients c_1, c_2, …, c_{L−1}, c_L (c_1 on stage L−1, c_L on stage 0).

  9. Linear Complexity
  • Definition: An LFSR is said to generate a sequence s if there is some initial state for which the output sequence of the LFSR is s. An LFSR is said to generate a finite sequence s^n if there is some initial state for which the output sequence of the LFSR has s^n as its first n terms.
  • Definition: The linear complexity of an infinite binary sequence s, denoted L(s), is defined as follows:
  - if s is the zero sequence s = 0, 0, 0, …, then L(s) = 0
  - if no LFSR generates s, then L(s) = ∞
  - otherwise, L(s) is the length of the shortest LFSR that generates s.

  10. More on Linear Complexity
  • Definition: The linear complexity of a finite binary sequence s^n, denoted L(s^n), is the length of the shortest LFSR that generates a sequence having s^n as its first n terms.
  • Properties of linear complexity:
  (i) For any n ≥ 1, the linear complexity of the subsequence s^n satisfies 0 ≤ L(s^n) ≤ n.
  (ii) L(s^n) = 0 if and only if s^n is the zero sequence of length n.
  (iii) L(s^n) = n if and only if s^n = 0, 0, …, 0, 1.
  (iv) If s is periodic with period N, then L(s) ≤ N.
  (v) L(s ⊕ t) ≤ L(s) + L(t), where s ⊕ t denotes the bitwise XOR of s and t.

  11. Non Linear Feedback Shift Registers
  • Definition: A feedback shift register (FSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L−1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed: (i) the content of stage 0 is output and forms part of the output sequence; (ii) the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1; (iii) the new content of stage L−1 is the feedback bit s_j = f(s_{j−1}, s_{j−2}, …, s_{j−L}), where the feedback function f is a Boolean function and s_{j−i} is the previous content of stage L−i, 1 ≤ i ≤ L.

  12. Analysis of feedback shift register
  Figure: A feedback shift register (FSR) of length L. Stages L−1, L−2, …, 1, 0 hold s_{j−1}, s_{j−2}, …, s_{j−L+1}, s_{j−L}; stage 0 is the output, and the feedback function f(s_{j−1}, s_{j−2}, …, s_{j−L}) produces the new bit s_j entering stage L−1.

  13. Stream Ciphers using LFSRs • Basic design of a keystream generator: • Number of LFSRs ≥ 1 • LFSRs should have different lengths and different feedback polynomials • IF <the lengths are all relatively prime> AND <the feedback polynomials are all primitive> THEN the whole generator is maximal length • Key is the initial state of the LFSRs • Clocking • A keystream generator with the above characteristics is also known as combination generator • In case the output bit is a function of a single LFSR, then it is called a filter generator

  14. Geffe Generator
  • A combination of three LFSRs
  • If a1, a2 and a3 are the outputs of the three LFSRs, the output of the generator can be calculated by the following equation: b = (a1 ∧ a2) ⊕ (¬a1 ∧ a3)
  • If the LFSRs have lengths n1, n2, and n3, respectively, then the linear complexity of the generator is (n1+1)n2 + n1n3
  Figure: LFSR-1 drives the select input of a 2-to-1 multiplexer whose data inputs are LFSR-2 and LFSR-3; the multiplexer output is b(t).

  15. Jennings Generator
  • Uses a multiplexer to combine two LFSRs
  • Multiplexer selects one bit of LFSR-2 for each output bit
  • LFSR-1 controls the multiplexer
  • A function maps the output of LFSR-2 to the input of the multiplexer
  • Key is the initial states of the LFSRs and the mapping function
  Figure: the multiplexer has data inputs 0, 1, …, n−1 fed from LFSR-2 through the mapping function θ, a select input driven by LFSR-1, and output b(t).

  16. Threshold Generator • Employs a variable (odd) number of LFSRs • Motto: The more LFSRs a system uses, the harder it gets to break the cipher. • Maximise the period: - the lengths of all the LFSRs are relatively prime - all the feedback polynomials are primitive • If more than half the output bits are 1, then the output of the generator is 1. • If more than half the output bits are 0, then the output of the generator is 0

  17. More on Threshold Generator
  • Let's assume that we use three LFSRs; then the generator output can be written as: b = (a1 ∧ a2) ⊕ (a1 ∧ a3) ⊕ (a2 ∧ a3) (similar to Geffe)
  • Linear complexity: n1n2 + n1n3 + n2n3 (larger than Geffe)
  Figure: LFSR-1, LFSR-2, LFSR-3, …, LFSR-n feed a majority function whose output is b(t).
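As an added example (not from the slides), the following Python implements the slide-7 LFSR definition, the Berlekamp-Massey algorithm for the linear complexity of slides 9 and 10, and the slide-17 majority combiner, so that the period of a primitive tap set and the formula n1n2 + n1n3 + n2n3 can be checked on small registers. Assumed conventions: state[i] is stage i, coeffs = [c1, …, cL] are the tap coefficients of the slide-8 figure, and the tap sets and initial states used in the checks are constructed (primitive polynomials of pairwise coprime lengths 3, 4, 5).

```python
# Added example, not from the lecture. Convention (assumed): state[i] is stage i of
# the slide-7 definition; coeffs = [c1, ..., cL] are the slide-8 taps, so the
# feedback bit is s_j = c1*s_{j-1} XOR ... XOR cL*s_{j-L}, with s_{j-i} in stage L-i.

def step(coeffs, state):
    """One clock tick of the LFSR: return (output bit, next state)."""
    L, fb = len(state), 0
    for i in range(1, L + 1):                      # (iii) modulo-2 sum of tapped stages
        fb ^= coeffs[i - 1] & state[L - i]
    return state[0], state[1:] + [fb]              # (i) output stage 0; (ii) shift, fb -> stage L-1

def lfsr(coeffs, state, n):
    """Return the first n output bits of the LFSR started in `state`."""
    out, state = [], list(state)
    for _ in range(n):
        bit, state = step(coeffs, state)
        out.append(bit)
    return out

def period(coeffs, state):
    """Clock ticks until the register returns to `state`; None if it never does (cL = 0)."""
    start = cur = list(state)
    for ticks in range(1, 2 ** len(state) + 1):
        _, cur = step(coeffs, cur)
        if cur == start:
            return ticks
    return None

def linear_complexity(s):
    """Berlekamp-Massey over GF(2): length L(s^n) of the shortest LFSR generating s."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n            # current / previous connection polynomial
    L, m = 0, -1
    for N in range(n):
        d = s[N]                                   # discrepancy: does the current LFSR predict s[N]?
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]
        if d:
            T, shift = C[:], N - m
            for i in range(n + 1 - shift):         # C(D) <- C(D) + D^(N-m) * B(D)
                C[i + shift] ^= B[i]
            if 2 * L <= N:                         # register must grow to length N+1-L
                L, m, B = N + 1 - L, N, T
    return L

def threshold(a1, a2, a3):
    """Slide-17 majority combiner b = a1a2 XOR a1a3 XOR a2a3 over three bit streams."""
    return [(x & y) ^ (x & z) ^ (y & z) for x, y, z in zip(a1, a2, a3)]
```

With the constructed taps [1,0,0,1] the 4-stage register has period 15 and its output has linear complexity 4; feeding three such maximal-length registers of lengths 3, 4 and 5 through threshold() gives a stream whose Berlekamp-Massey complexity is 47, the slide-17 value.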

  18. Block Cipher: Introduction
  • maps n-bit plaintext blocks to n-bit ciphertext blocks (n: block length)
  • Use of plaintext and ciphertext of equal size avoids data expansion
  • To allow unique decryption, the encryption function must be 1-1 (invertible)
  • For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors
  • Each key potentially defines a different bijection
  • Def: An n-bit block cipher is E : V_n × K → V_n such that for all keys k ∈ K, E(P, k) is an invertible mapping (the encryption for k) from V_n to V_n, written E_k(P).
  • The inverse mapping is the decryption function, denoted D_k(C)
  • C = E_k(P) denotes that ciphertext C results from encrypting plaintext P under k

  19. Practical security and complexity of attack • Basic assumption • adversary has access to all data transmitted over cipher channel • (Kerckhoffs’ assumption) adversary knows all details of the encryption function except the secret key • Classes of attacks • ciphertext-only – no additional information is available • known-plaintext – plaintext-ciphertext pairs are available • chosen-plaintext – ciphertexts are available corresponding to plaintexts of the adversary’s choice • adaptive chosen-plaintext – choice of plaintexts may depend on previous plaintext-ciphertext pairs

  20. ECB (Electronic CodeBook) Mode
  • Encryption: for 1 ≤ j ≤ t, c_j ← E_K(x_j)
  • Decryption: for 1 ≤ j ≤ t, x_j ← D_K(c_j)
  • Identical plaintext blocks (under the same key) result in identical ciphertext blocks
  • blocks are enciphered independently of other blocks
  • bit errors in a single ciphertext block affect decipherment of that block only
  Figure: encipherment passes each n-bit block x_j through E under the key to give c_j; decipherment passes c_j through E^{-1} under the same key to give x'_j = x_j.

  21. CBC (Cipher-Block Chaining) Mode
  • Encryption: c_0 ← IV, c_j ← E_K(c_{j−1} ⊕ x_j)
  • Decryption: c_0 ← IV, x_j ← c_{j−1} ⊕ E^{-1}_K(c_j)
  • chaining causes ciphertext c_j to depend on all preceding plaintext
  • a single bit error in c_j affects decipherment of blocks c_j and c_{j+1}
  • self-synchronizing: if an error occurs in c_j but not in c_{j+1}, then c_{j+2} is correctly decrypted to x_{j+2}
  • Can be used as a MAC: x_1, x_2, …, x_n, c_n (c_n is the tag)
  Figure: encipherment XORs x_j with c_{j−1} (c_0 = IV) before applying E under the key to give c_j; decipherment applies E^{-1} under the key to c_j and XORs the result with c_{j−1} to give x'_j = x_j.

  22. CFB-r (Cipher FeedBack) Mode
  • INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, …, x_u (1 ≤ r ≤ n)
  • OUTPUT: r-bit ciphertext blocks c_1, …, c_u
  • Encryption: I_1 ← IV (I_j is the input value in a shift register). For 1 ≤ j ≤ u:
  - O_j ← E_K(I_j) (compute the block cipher output)
  - t_j ← the r leftmost bits of O_j (assume the leftmost is identified as bit 1)
  - c_j ← x_j ⊕ t_j (transmit the r-bit ciphertext block c_j)
  - I_{j+1} ← 2^r · I_j + c_j mod 2^n (shift c_j into the right end of the shift register)
  • Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j: x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above

  23. CFB-r Mode (Cont'd)
  Figure: encipherment and decipherment each hold an n-bit shift register I_j (I_1 = IV), apply E under the key to obtain O_j, take the leftmost r bits, and XOR them with x_j (to give c_j) or with c_j (to give x_j); on both sides the ciphertext c_j is shifted into the register by r bits.

  24. Properties of the CFB-r
  • re-ordering ciphertext blocks affects decryption
  • one or more bit errors in any single r-bit ciphertext block c_j affect the decipherment of the next n/r ciphertext blocks
  • self-synchronizing similar to CBC, but requires n/r blocks to recover
  • for r < n, throughput is decreased by a factor of n/r

  25. OFB (Output FeedBack) Mode with full (or r-bit) feedback
  • INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, …, x_u (1 ≤ r ≤ n)
  • OUTPUT: r-bit ciphertext blocks c_1, …, c_u
  • Encryption: I_1 ← IV. For 1 ≤ j ≤ u, given plaintext block x_j:
  - O_j ← E_K(I_j) (compute the block cipher output)
  - t_j ← the r leftmost bits of O_j (assume the leftmost is identified as bit 1)
  - c_j ← x_j ⊕ t_j (transmit the r-bit ciphertext block c_j)
  - full feedback: I_{j+1} ← O_j (update the block cipher input for the next block)
  - r-bit feedback: I_{j+1} ← 2^r · I_j + t_j mod 2^n (shift the output t_j into the right end of the shift register)
  • Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j: x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above

  26. OFB-r Mode
  Figure: as in CFB-r, encipherment and decipherment each hold an n-bit shift register I_j (I_1 = IV), apply E under the key to obtain O_j, and XOR the leftmost r bits of O_j with x_j or with c_j; the difference is that those leftmost r bits, not the ciphertext, are shifted back into the register.

  27. Properties of the OFB-r
  • keystream is plaintext-independent
  • bit errors affect the decipherment of only that character
  • recovers from ciphertext bit errors, but cannot self-synchronize
  • for r < n, throughput is decreased as per the CFB mode
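Added example (not part of the lecture): CBC, CFB-r and OFB-r written out in Python from the algorithms of slides 21, 22 and 25, plus a harness that flips one ciphertext bit in transit and reports which plaintext blocks decipher wrongly, which is the error-propagation behaviour listed on slides 21, 24 and 27. The block cipher E_K is a constructed stand-in (a key-seeded random permutation of 8-bit blocks), and the key, IV and plaintext blocks used below are constructed values.

```python
# Added example, not from the lecture. The n-bit shift register is held as an integer
# so that I_{j+1} = 2^r * I_j + c_j mod 2^n is the literal update of slide 22.
import random

N = 8                                    # toy block length n in bits (constructed)
MASK = (1 << N) - 1

def make_cipher(key):
    """Stand-in for E_K and D_K: a key-seeded random permutation of n-bit values and its inverse."""
    table = list(range(1 << N))
    random.Random(key).shuffle(table)
    inv = [0] * len(table)
    for p, c in enumerate(table):
        inv[c] = p
    return (lambda p: table[p]), (lambda c: inv[c])

def cbc(E, D, iv, blocks, decrypt=False):
    """CBC (slide 21): c_j = E(c_{j-1} XOR x_j) with c_0 = IV; x_j = c_{j-1} XOR D(c_j)."""
    prev, out = iv, []
    for b in blocks:
        if decrypt:
            out.append(prev ^ D(b))
            prev = b
        else:
            prev = E(prev ^ b)
            out.append(prev)
    return out

def cfb(E, iv, blocks, r, decrypt=False):
    """CFB-r (slide 22): t_j = leftmost r bits of E(I_j), c_j = x_j XOR t_j, c_j shifted in."""
    I, out = iv, []
    for b in blocks:
        t = E(I) >> (N - r)
        out.append(b ^ t)
        I = ((I << r) | (b if decrypt else out[-1])) & MASK   # decryption feeds back received c_j
    return out

def ofb(E, iv, blocks, r):
    """OFB-r (slide 25, r-bit feedback): t_j, not c_j, is shifted in; decryption is the same call."""
    I, out = iv, []
    for b in blocks:
        t = E(I) >> (N - r)
        out.append(b ^ t)
        I = ((I << r) | t) & MASK
    return out

def corrupted_blocks(enc, dec, plain, j, bit=0):
    """Encrypt, flip one bit of c_j in transit, decrypt; return the indices of wrong blocks."""
    c = enc(plain)
    c[j] ^= 1 << bit
    return [i for i, (x, y) in enumerate(zip(plain, dec(c))) if x != y]
```

Flipping a bit in c_3 leaves CBC and CFB-n with wrong blocks [3, 4], confines CFB-2 errors to blocks 3 through 3 + n/r = 7, and leaves OFB with only block 3 wrong.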

  28. Other Block Ciphers
  • FEAL
  - Fast N-round block cipher
  - Suffered from a lot of attacks, and hence introduced new attacks on block ciphers
  - Japanese standard
  • IDEA
  - 64-64-128-8
  - James Massey
  - Uses algebraic functions (multiplication mod 2^n + 1, addition mod 2^n)
  • SAFER, RC-5, AES

  29. To teach is to learn twice !!
