Cryptography I Lecture 6 Dimitrios Delivasilis Department of Information and Communication Systems Engineering University of Aegean
Stream Ciphers
• Refreshing our memory
• Stream ciphers can be either symmetric-key or public-key (all the generators in this lecture are symmetric-key)
• Block ciphers are memoryless
• Stream ciphers are said to have memory: each ciphertext digit depends on the current state of the cipher, not only on the current plaintext digit and the key
• Unconditionally secure: a symmetric-key system is unconditionally secure if H(K) ≥ H(M). In other words, the uncertainty of the secret key must be at least as great as the uncertainty of the plaintext
Synchronous Stream Ciphers
• Definition: A synchronous stream cipher is one in which the keystream is generated independently of the plaintext and ciphertext
• Encryption: σ_{i+1} = f(σ_i, k), z_i = g(σ_i, k), c_i = h(z_i, m_i)
• Decryption: σ_{i+1} = f(σ_i, k), z_i = g(σ_i, k), m_i = h^{-1}(z_i, c_i)
• Notation: m_i plaintext, c_i ciphertext, k key, z_i keystream, σ_i state (σ_0 is the initial state, derived from the key)
• Functions: f is the next-state function, g produces the keystream z_i, and h (the output function) combines the keystream and plaintext to produce ciphertext; h must be invertible in its plaintext argument so that h^{-1} exists for decryption
More on synchronous stream ciphers
Figure: encryption and decryption with the same keystream generator driven by k, producing z_i; c_i = m_i ⊕ z_i on the sender's side and m_i = c_i ⊕ z_i on the receiver's side
• Properties of synchronous stream ciphers
 - Synchronisation requirements: sender and receiver must be synchronised, i.e. use the same key and operate at the same position in the keystream; if ciphertext digits are inserted or deleted in transit, decryption fails until synchronisation is re-established
 - No error propagation: a ciphertext digit that is modified (but not deleted) in transit affects only the corresponding plaintext digit
 - Active attacks: insertion, deletion or replay of ciphertext digits breaks synchronisation and is therefore likely to be detected; however, an adversary can flip chosen ciphertext digits and thereby flip exactly the corresponding plaintext digits, so a separate integrity mechanism is required
• Definition: A binary additive stream cipher is a synchronous stream cipher in which the keystream, plaintext, and ciphertext digits are binary digits, and the output function h is the XOR function
• Encryption: c_i = m_i ⊕ z_i
• Decryption: m_i = c_i ⊕ z_i
Self-synchronising stream ciphers
• Definition: A self-synchronising or asynchronous stream cipher is one in which the keystream is generated as a function of the key and a fixed number t of previous ciphertext digits
• Encryption: σ_i = (c_{i-t}, c_{i-t+1}, ..., c_{i-1}), z_i = g(σ_i, k), c_i = h(z_i, m_i)
• Decryption: the receiver rebuilds σ_i and z_i from the received ciphertext in the same way, then m_i = h^{-1}(z_i, c_i)
• Notation as before: g produces the keystream z_i from the key and the last t ciphertext digits, h combines the keystream with the plaintext; the initial state σ_0 = (c_{-t}, ..., c_{-1}) is a non-secret initialisation value
Properties of self-synchronising stream ciphers
• Self-synchronising: capable of re-establishing proper decryption automatically after loss of synchronisation (ciphertext digits inserted or deleted), with only a fixed number of plaintext characters unrecoverable
• Limited error propagation: if a single ciphertext digit is modified during transmission, then decryption of up to t subsequent ciphertext digits may be incorrect, after which correct decryption resumes
• Active attacks: because a modified digit disturbs up to t following digits, modification of ciphertext is more likely to be noticed by the decryptor than in a synchronous cipher; on the other hand, insertion, deletion or replay of ciphertext digits is more difficult to detect, since the cipher resynchronises on its own
• Diffusion of plaintext: since each plaintext digit influences all following ciphertext, self-synchronising stream ciphers may be more resistant than synchronous stream ciphers against attacks based on plaintext redundancy
Linear feedback shift registers (LFSRs)
• Characteristics:
 - LFSRs are well-suited to hardware implementation
 - Produce sequences of large period
 - Produce sequences with good statistical properties
 - Due to their structure, they can be readily analysed using algebraic techniques (which is also why an LFSR on its own is not a secure keystream generator: its output is a linear function of the initial state)
• Definition: A linear feedback shift register (LFSR) of length L consists of L stages (or delay elements) numbered 0, 1, ..., L-1, each capable of storing one bit and having one input and one output; and a clock which controls the movement of data. During each unit of time the following operations are performed:
 (i) the content of stage 0 is output and forms part of the output sequence
 (ii) the content of stage i is moved to stage i-1 for each i, 1 ≤ i ≤ L-1
 (iii) the new content of stage L-1 is the feedback bit s_j, which is calculated by adding together modulo 2 the previous contents of a fixed subset of stages 0, 1, ..., L-1
LFSR analysis
Figure: A linear feedback shift register (LFSR) of length L. Stages L-1, L-2, ..., 1, 0 are drawn left to right; stage 0 is the output, and the feedback bit s_j entering stage L-1 is formed from the stage contents through the tap coefficients c_1, c_2, ..., c_{L-1}, c_L ∈ {0, 1}:
s_j = c_1 s_{j-1} ⊕ c_2 s_{j-2} ⊕ ... ⊕ c_L s_{j-L}
• The LFSR is written ⟨L, C(D)⟩ with connection (feedback) polynomial C(D) = 1 + c_1 D + c_2 D^2 + ... + c_L D^L
• If c_L = 1 (C(D) has degree L) the LFSR is non-singular and every output sequence is periodic; if C(D) is a primitive polynomial, every nonzero initial state yields the maximal period 2^L - 1 (an m-sequence)
Linear Complexity
• Definition: An LFSR is said to generate a sequence s if there is some initial state for which the output sequence of the LFSR is s. An LFSR is said to generate a finite sequence s^n if there is some initial state for which the output sequence of the LFSR has s^n as its first n terms.
• Definition: The linear complexity of an infinite binary sequence s, denoted L(s), is defined as follows:
 - if s is the zero sequence s = 0, 0, 0, ..., then L(s) = 0
 - if no LFSR generates s, then L(s) = ∞
 - otherwise, L(s) is the length of the shortest LFSR that generates s
More on Linear Complexity
• Definition: The linear complexity of a finite binary sequence s^n, denoted L(s^n), is the length of the shortest LFSR that generates a sequence having s^n as its first n terms.
• Properties of linear complexity:
 (i) For any n ≥ 1, the linear complexity of the subsequence s^n satisfies 0 ≤ L(s^n) ≤ n
 (ii) L(s^n) = 0 if and only if s^n is the zero sequence of length n
 (iii) L(s^n) = n if and only if s^n = 0, 0, ..., 0, 1
 (iv) If s is periodic with period N, then L(s) ≤ N
 (v) L(s ⊕ t) ≤ L(s) + L(t), where s ⊕ t denotes the bitwise XOR of s and t
• L(s^n) is computed efficiently by the Berlekamp-Massey algorithm; given at least 2L(s) terms of s it returns L(s) itself, which is why a keystream with low linear complexity is trivially predictable from a short known-plaintext segment
Non-Linear Feedback Shift Registers
• Definition: A feedback shift register (FSR) of length L consists of L stages (or delay elements) numbered 0, 1, ..., L-1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed:
 (i) the content of stage 0 is output and forms part of the output sequence
 (ii) the content of stage i is moved to stage i-1 for each i, 1 ≤ i ≤ L-1
 (iii) the new content of stage L-1 is the feedback bit s_j = f(s_{j-1}, s_{j-2}, ..., s_{j-L}), where the feedback function f is a Boolean function and s_{j-i} is the previous content of stage L-i, 1 ≤ i ≤ L
• If f is linear (an XOR of a fixed subset of its inputs) the FSR is an LFSR; otherwise it is a non-linear FSR, whose output is no longer a linear function of the initial state
Analysis of feedback shift register
Figure: A feedback shift register (FSR) of length L. The feedback bit s_j = f(s_{j-1}, s_{j-2}, ..., s_{j-L}) enters stage L-1; stages L-1, L-2, ..., 1, 0 hold s_{j-1}, s_{j-2}, ..., s_{j-L+1}, s_{j-L}, and stage 0 is the output
Stream Ciphers using LFSRs
• Basic design of a keystream generator:
 - Number of LFSRs ≥ 1
 - LFSRs should have different lengths and different feedback polynomials
 - If the lengths are pairwise relatively prime and the feedback polynomials are all primitive, then the whole generator is maximal length: its period is the product of the individual periods 2^{L_i} - 1
 - Key is the initial state of the LFSRs
 - Clocking: in the generators below all LFSRs are clocked regularly, once per output bit (irregular, clock-controlled designs are another option)
• A keystream generator with the above characteristics, whose output bit is a non-linear function of the output bits of several LFSRs, is known as a combination generator
• If the output bit is a non-linear function of the stages of a single LFSR, it is called a filter generator
Geffe Generator
• A combination of three LFSRs
• If a1, a2 and a3 are the output bits of the three LFSRs, the output of the generator is b = (a1 ∧ a2) ⊕ (¬a1 ∧ a3): LFSR-1 decides whether LFSR-2 or LFSR-3 supplies the output bit (a 2-to-1 multiplexer)
• Expanding ¬a1 = 1 ⊕ a1 gives the algebraic normal form b = a1a2 ⊕ a1a3 ⊕ a3; if the LFSRs have lengths n1, n2 and n3 (pairwise distinct, primitive feedback polynomials), the linear complexity of the generator is n1n2 + n1n3 + n3
• Caveat: the output agrees with a2 with probability 3/4 and with a3 with probability 3/4, so the states of LFSR-2 and LFSR-3 leak into the keystream and can be recovered one register at a time (a correlation attack); a large linear complexity by itself does not make a generator secure
Figure: 2-to-1 multiplexer with LFSR-1 on the select input choosing between LFSR-2 and LFSR-3 to form b(t)
Jennings Generator
• Uses a multiplexer to combine two LFSRs
• The multiplexer selects one bit (one of the stages 0, 1, ..., n-1) of LFSR-2 for each output bit b(t)
• LFSR-1 controls the multiplexer
• A function θ maps the output of LFSR-2 to the input of the multiplexer
• Key is the initial states of the LFSRs and the mapping function θ
Figure: LFSR-1 driving the select input of a multiplexer over the stages 0, 1, ..., n-1 of LFSR-2, with θ in the path, producing b(t)
Threshold Generator
• Employs a variable (odd) number of LFSRs
• Motto: the more LFSRs a system uses, the harder it gets to break the cipher
• Maximise the period:
 - the lengths of all the LFSRs are pairwise relatively prime
 - all the feedback polynomials are primitive
• If more than half of the LFSR output bits are 1, then the output of the generator is 1
• If more than half of the LFSR output bits are 0, then the output of the generator is 0 (an odd number of LFSRs guarantees there is always a majority)
More on Threshold Generator
• For three LFSRs the output of the generator can be written as b = (a1 ∧ a2) ⊕ (a1 ∧ a3) ⊕ (a2 ∧ a3), the majority function in algebraic normal form (similar in form to Geffe)
• Linear complexity: n1n2 + n1n3 + n2n3 (larger than Geffe)
• Caveat: the majority output agrees with each of its three inputs with probability 3/4, so the larger period and linear complexity do not remove the correlation weakness seen in the Geffe generator
Figure: LFSR-1, LFSR-2, LFSR-3, ..., LFSR-n feeding a majority function whose output is b(t)
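The slides from "Linear feedback shift registers" through "More on Threshold Generator" can be checked end to end. The following is an added example, not code from the lecture: it implements the LFSR exactly as defined above (stage 0 is output, the feedback bit enters stage L-1), the Berlekamp-Massey algorithm for the linear complexity L(s^n), and the Geffe and threshold combiners on LFSRs of lengths 3, 4 and 5. The feedback polynomials (1 + D + D^3, 1 + D + D^4, 1 + D^2 + D^5, all primitive), the initial states and the sample lengths are assumptions chosen for the demonstration. Berlekamp-Massey needs at least 2L(s) terms to report the true linear complexity, so the measurements use 400 bits, well over twice the 47 expected for the threshold generator. The last function measures how often the Geffe output agrees with one of its input registers, the correlation that the linear-complexity figure hides.

```python
"""LFSRs, Berlekamp-Massey, and the Geffe / threshold combination generators.
Added example; the feedback polynomials and initial states are assumptions."""
from itertools import islice

# Primitive connection polynomials C(D) = 1 + sum c_i D^i, given as the set
# of i with c_i = 1 (assumed choices; any primitive polynomial of that degree works).
PRIMITIVE_TAPS = {3: (1, 3), 4: (1, 4), 5: (2, 5)}


def lfsr_step(taps, stages):
    """One clock: each stage i moves to i-1 and the new stage L-1 holds
    s_j = XOR of c_i * s_{j-i}, where s_{j-i} is stored in stage L-i."""
    L = len(stages)
    feedback = 0
    for i in taps:
        feedback ^= stages[L - i]
    return stages[1:] + [feedback]


def lfsr_bits(taps, state):
    """Infinite output sequence of the LFSR started in `state` (stage 0 first)."""
    stages = list(state)
    while True:
        yield stages[0]
        stages = lfsr_step(taps, stages)


def lfsr_period(taps, state):
    """Clocks until the register returns to `state`; 2^L - 1 for a primitive C(D)."""
    state = list(state)
    stages, n = lfsr_step(taps, state), 1
    while stages != state:
        stages, n = lfsr_step(taps, stages), n + 1
    return n


def first_bits(bits, n):
    """First n terms s^n of a (possibly infinite) sequence."""
    return list(islice(bits, n))


def berlekamp_massey(bits):
    """Linear complexity L(s^n): length of the shortest LFSR generating `bits`."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                          # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                                # current LFSR fails at bit i: correct it
            t = c[:]
            for j in range(n - i + m):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:                   # the corrected LFSR must grow
                L, m, b = i + 1 - L, i, t
    return L


def max_length_lfsr(L):
    """Maximal-length LFSR of length L with (assumed) initial state 1, 0, ..., 0."""
    return lfsr_bits(PRIMITIVE_TAPS[L], [1] + [0] * (L - 1))


def geffe(a1, a2, a3):
    """Geffe combiner: a1 selects a2 (a1 = 1) or a3 (a1 = 0)."""
    for x1, x2, x3 in zip(a1, a2, a3):
        yield (x1 & x2) ^ ((1 ^ x1) & x3)


def threshold(a1, a2, a3):
    """Majority of three bits in algebraic normal form a1a2 + a1a3 + a2a3."""
    for x1, x2, x3 in zip(a1, a2, a3):
        yield (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)


def generator_linear_complexity(combiner, lengths=(3, 4, 5), nbits=400):
    """Measure L(s) of the combined keystream with Berlekamp-Massey.
    Expected: Geffe n1n2 + n1n3 + n3 = 32, threshold n1n2 + n1n3 + n2n3 = 47."""
    regs = [max_length_lfsr(L) for L in lengths]
    return berlekamp_massey(first_bits(combiner(*regs), nbits))


def agreement(combiner, which, lengths=(3, 4, 5), nbits=2000):
    """Fraction of keystream bits equal to the output of LFSR number `which`
    (1-based). Well above 1/2 means that register leaks through the combiner."""
    regs = [max_length_lfsr(L) for L in lengths]
    reference = max_length_lfsr(lengths[which - 1])   # same taps, same initial state
    same = sum(z == a for z, a in zip(first_bits(combiner(*regs), nbits), reference))
    return same / nbits


if __name__ == "__main__":
    for L, taps in PRIMITIVE_TAPS.items():
        print(f"length {L}: period {lfsr_period(taps, [1] + [0] * (L - 1))}")
    print("Geffe L(s) =", generator_linear_complexity(geffe))
    print("threshold L(s) =", generator_linear_complexity(threshold))
    print("P[Geffe output == a2] ~", agreement(geffe, 2))
```

The period check confirms that each register is maximal length (7, 15 and 31), Berlekamp-Massey reproduces the linear complexities 32 and 47 from the formulas on the slides, and `agreement(geffe, 2)` comes out around 0.75 (slightly higher here because a length-3 register outputs more ones than zeros), which is the statistical handle a correlation attack uses to recover LFSR-2 on its own.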
Block Cipher: Introduction
• Maps n-bit plaintext blocks to n-bit ciphertext blocks (n: block length)
• Use of plaintext and ciphertext of equal size avoids data expansion
• To allow unique decryption, the encryption function must be 1-1 (invertible)
• For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors
• Each key potentially defines a different bijection (of the (2^n)! permutations of V_n, a k-bit key can select at most 2^k)
• Definition: an n-bit block cipher is a function E : V_n × K → V_n such that for every key k ∈ K, E(P, k) is an invertible mapping (the encryption function for k) from V_n to V_n, written E_k(P)
• The inverse mapping is the decryption function, denoted D_k(C)
• C = E_k(P) denotes that ciphertext C results from encrypting plaintext P under k
Practical security and complexity of attack
• Basic assumptions
 - the adversary has access to all data transmitted over the cipher channel
 - (Kerckhoffs' assumption) the adversary knows all details of the encryption function except the secret key
• Classes of attacks
 - ciphertext-only – no additional information is available
 - known-plaintext – plaintext-ciphertext pairs are available
 - chosen-plaintext – ciphertexts are available corresponding to plaintexts of the adversary's choice
 - adaptive chosen-plaintext – the choice of plaintexts may depend on previous plaintext-ciphertext pairs
ECB (Electronic CodeBook) Mode
Figure: ECB encipherment c_j = E_K(x_j) and decipherment x'_j = D_K(c_j) = x_j on n-bit blocks
• Encryption: for 1 ≤ j ≤ t, c_j ← E_K(x_j)
• Decryption: for 1 ≤ j ≤ t, x_j ← D_K(c_j)
• Identical plaintext blocks (under the same key) result in identical ciphertext blocks, so repetitions in the plaintext are visible in the ciphertext
• Blocks are enciphered independently of other blocks, so ciphertext blocks can be reordered or substituted without the decryptor noticing
• Bit errors in a single ciphertext block affect decipherment of that block only
CBC (Cipher-Block Chaining) Mode
Figure: CBC encipherment c_j = E_K(c_{j-1} ⊕ x_j) and decipherment x'_j = c_{j-1} ⊕ D_K(c_j) = x_j, with c_0 = IV
• Encryption: c_0 ← IV, c_j ← E_K(c_{j-1} ⊕ x_j)
• Decryption: c_0 ← IV, x_j ← c_{j-1} ⊕ D_K(c_j)
• Chaining causes ciphertext c_j to depend on x_j and on all preceding plaintext blocks, so identical plaintext blocks no longer give identical ciphertext
• A single bit error in c_j affects decipherment of blocks c_j (garbled) and c_{j+1} (the same bit position flipped); later blocks are unaffected
• Self-synchronizing: if an error occurs in c_j but not in c_{j+1}, then c_{j+2} is correctly decrypted to x_{j+2}
• Can be used as a MAC: process x_1, x_2, ..., x_n in CBC mode with a fixed IV and output c_n (CBC-MAC)
CFB-r (Cipher FeedBack) Mode
• INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n)
• OUTPUT: r-bit ciphertext blocks c_1, ..., c_u
• Encryption: I_1 ← IV (I_j is the input value held in an n-bit shift register). For 1 ≤ j ≤ u:
 - O_j ← E_K(I_j) (compute the block cipher output)
 - t_j ← the r leftmost bits of O_j (the leftmost bit is identified as bit 1)
 - c_j ← x_j ⊕ t_j (transmit the r-bit ciphertext block c_j)
 - I_{j+1} ← 2^r · I_j + c_j mod 2^n (shift c_j into the right end of the shift register)
• Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j: x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above (only E_K is used; D_K is never needed)
CFB-r Mode (Cont'd)
Figure: CFB-r encipherment and decipherment. An n-bit shift register holding I_j (I_1 = IV) feeds E_K; the leftmost r bits of O_j are XORed with x_j to give c_j (or with c_j to recover x_j), and on both sides c_j is shifted into the right end of the register
Properties of the CFB-r
• Re-ordering ciphertext blocks affects decryption (each keystream unit t_j depends on the preceding ciphertext)
• One or more bit errors in any single r-bit ciphertext block c_j affect the decipherment of that block (the same bits flipped) and of the next ⌈n/r⌉ ciphertext blocks (garbled), until c_j has been shifted out of the register
• Self-synchronizing similar to CBC, but requires ⌈n/r⌉ blocks to recover
• For r < n, throughput is decreased by a factor of n/r (one block cipher call per r bits)
OFB (Output FeedBack) Mode with full (or r-bit) feedback
• INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n)
• OUTPUT: r-bit ciphertext blocks c_1, ..., c_u
• Encryption: I_1 ← IV. For 1 ≤ j ≤ u, given plaintext block x_j:
 - O_j ← E_K(I_j) (compute the block cipher output)
 - t_j ← the r leftmost bits of O_j (the leftmost bit is identified as bit 1)
 - c_j ← x_j ⊕ t_j (transmit the r-bit ciphertext block c_j)
 - Full feedback (ISO 10116): I_{j+1} ← O_j (the whole block cipher output becomes the next input)
 - r-bit feedback (the older FIPS 81 variant): I_{j+1} ← 2^r · I_j + t_j mod 2^n (shift the output bits t_j into the right end of the shift register)
• Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j: x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above
• Full feedback is the variant to use: with r-bit feedback the inputs I_j do not follow a cycle of the permutation E_K and can enter a short cycle, giving a much shorter keystream period
OFB-r Mode
Figure: OFB-r encipherment and decipherment. I_1 = IV feeds E_K; the leftmost r bits of O_j are XORed with x_j (encipherment) or with c_j (decipherment); the register is fed back from O_j (full feedback) or t_j (r-bit feedback) and never from the data
Properties of the OFB-r
• The keystream is plaintext-independent, so it can be precomputed; the same key and IV must never be used twice, since reusing keystream exposes the XOR of the two plaintexts
• A bit error in c_j affects the decipherment of only that r-bit block, and only in the same bit positions
• Recovers from ciphertext bit errors, but cannot self-synchronise: a lost or inserted ciphertext digit requires explicit resynchronisation
• For r < n, throughput is decreased by a factor of n/r, as in CFB mode
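To make the four modes and their error behaviour concrete, here is an added example, not from the lecture, over a toy 8-bit block cipher: the key seeds a pseudo-random permutation of V_8, which matches the definition of a block cipher given above but has no cryptographic strength (it is a lookup table; do not reuse it for anything real). ECB, CBC, CFB-r and OFB-r (full feedback) follow the slides' equations with r = 4, so n/r = 2. The key, IV and plaintext blocks are constructed for the demonstration. `error_propagation` flips one bit of ciphertext block 2 in transit and reports which plaintext blocks then decrypt wrongly: ECB and OFB lose only block 2, CBC loses block 2 (garbled) and block 3 (one bit flipped), and CFB-4 loses block 2 plus the following n/r = 2 blocks, each of the latter with probability 15/16 (a wrong 4-bit keystream chunk can still match by chance). OFB here behaves as the synchronous, binary additive stream cipher of the earlier slides and CFB as the self-synchronising one.

```python
"""ECB, CBC, CFB-r and OFB-r over a toy n-bit block cipher, plus a check of
how a single ciphertext bit error propagates in each mode. Added example;
the cipher, key, IV and plaintext are assumptions made for the demonstration."""
import random

N = 8                      # toy block length n in bits (real ciphers: 64 or 128)
MASK = (1 << N) - 1


def make_block_cipher(key):
    """The definition above made concrete: each key selects one bijection on V_n.
    Here the key seeds a pseudo-random permutation of the 2^n blocks (insecure toy)."""
    perm = list(range(1 << N))
    random.Random(key).shuffle(perm)
    inverse = [0] * (1 << N)
    for x, y in enumerate(perm):
        inverse[y] = x
    return perm.__getitem__, inverse.__getitem__      # E_K, D_K


def ecb_encrypt(E, xs):
    return [E(x) for x in xs]                          # c_j = E_K(x_j)


def ecb_decrypt(D, cs):
    return [D(c) for c in cs]                          # x_j = D_K(c_j)


def cbc_encrypt(E, iv, xs):
    cs, prev = [], iv                                  # c_0 = IV
    for x in xs:
        prev = E(prev ^ x)                             # c_j = E_K(c_{j-1} xor x_j)
        cs.append(prev)
    return cs


def cbc_decrypt(D, iv, cs):
    xs, prev = [], iv
    for c in cs:
        xs.append(prev ^ D(c))                         # x_j = c_{j-1} xor D_K(c_j)
        prev = c
    return xs


def cfb_encrypt(E, iv, r, xs):
    """CFB-r: r-bit plaintext units; n-bit shift register I_j fed with ciphertext."""
    cs, I = [], iv                                     # I_1 = IV
    for x in xs:
        t = E(I) >> (N - r)                            # t_j = leftmost r bits of O_j
        c = x ^ t
        cs.append(c)
        I = ((I << r) | c) & MASK                      # I_{j+1} = 2^r I_j + c_j mod 2^n
    return cs


def cfb_decrypt(E, iv, r, cs):
    xs, I = [], iv
    for c in cs:
        t = E(I) >> (N - r)                            # same keystream, from received c_j
        xs.append(c ^ t)
        I = ((I << r) | c) & MASK
    return xs


def ofb_crypt(E, iv, r, blocks):
    """OFB-r with full feedback (I_{j+1} = O_j). The keystream never depends on the
    data, so one function both encrypts and decrypts (a binary additive stream cipher)."""
    out, I = [], iv
    for b in blocks:
        O = E(I)
        out.append(b ^ (O >> (N - r)))                 # c_j = x_j xor t_j
        I = O
    return out


def corrupted_blocks(encrypt, decrypt, pt, j):
    """Flip one bit of ciphertext block j in transit; return the indices of the
    plaintext blocks that no longer decrypt correctly."""
    ct = encrypt(pt)
    ct[j] ^= 1
    return [i for i, (a, b) in enumerate(zip(pt, decrypt(ct))) if a != b]


def error_propagation(j=2):
    E, D = make_block_cipher(key=0x2A)                 # assumed toy key
    iv, r = 0x5C, 4                                    # assumed IV; r = 4 so n/r = 2
    pt_n = [0x00, 0xFF, 0x3C, 0x3C, 0xA5, 0x00, 0x12, 0x34]   # constructed n-bit blocks
    pt_r = [x & 0xF for x in pt_n]                               # constructed r-bit blocks
    return {
        "ECB": corrupted_blocks(lambda p: ecb_encrypt(E, p), lambda c: ecb_decrypt(D, c), pt_n, j),
        "CBC": corrupted_blocks(lambda p: cbc_encrypt(E, iv, p), lambda c: cbc_decrypt(D, iv, c), pt_n, j),
        "CFB-4": corrupted_blocks(lambda p: cfb_encrypt(E, iv, r, p), lambda c: cfb_decrypt(E, iv, r, c), pt_r, j),
        "OFB-4": corrupted_blocks(lambda p: ofb_crypt(E, iv, r, p), lambda c: ofb_crypt(E, iv, r, c), pt_r, j),
    }


if __name__ == "__main__":
    for mode, bad in error_propagation().items():
        print(f"{mode}: plaintext blocks corrupted by one flipped bit in c_2 -> {bad}")
```

The plaintext deliberately repeats the block 0x3C, so `ecb_encrypt` also shows the codebook leak: the two ciphertext blocks at positions 2 and 3 are identical, while CBC's chaining breaks the repetition.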
Other Block Ciphers
• FEAL
 - Fast N-round block cipher (FEAL-N), designed in Japan (NTT) as a faster alternative to DES
 - Has been broken by many attacks, and its cryptanalysis introduced new attack techniques against block ciphers
• IDEA
 - 64-bit plaintext and ciphertext blocks, 128-bit key, 8 rounds (the "64-64-128-8" of the slide)
 - Designed by Xuejia Lai and James Massey
 - Mixes three incompatible algebraic operations on 16-bit words: XOR, addition mod 2^16 and multiplication mod 2^16 + 1
• Further examples: SAFER, RC5, AES