Session 2: Secret key cryptography – stream ciphers – part 1
The Vernam cipher
Transmitter: Message 00011 01111 01101; Running key 11011 00101 01011; Cryptogram = Message ⊕ Running key = 11000 01010 00110.
Receiver: Cryptogram 11000 01010 00110; Running key 11011 00101 01011; Message = Cryptogram ⊕ Running key = 00011 01111 01101.
The same running key is delivered to the transmitter and to the receiver by a key distribution centre.
The Vernam cipher
Advantage: unconditionally secure (perfect secrecy), provided the running key is truly random, as long as the message and never reused.
Disadvantage: requires one key bit for every plaintext bit, so the key material to be distributed and protected is as long as all the traffic.
Because of that, when the highest level of security is not required (the "red telephone" line and similar applications are the exception), a stream cipher is used instead of the Vernam cipher.
The stream cipher procedure
Transmitter: a deterministic algorithm, initialised with the key, generates the running key bits $z_i$; the cryptogram is $y_i = x_i \oplus z_i$.
Receiver: the same deterministic algorithm with the same key generates the same $z_i$; the plaintext is recovered as $x_i = y_i \oplus z_i$.
Stream ciphers
The key is short – much shorter than the plaintext it protects.
The key determines the initial state of a deterministic algorithm.
Based on the initial state, the algorithm generates the running key sequence.
The running key sequence is summed modulo 2 with the bits of the plaintext.
Stream ciphers
                  Vernam cipher (running key)    Stream cipher (running key)
Length            as long as the text            as long as the generated sequence (the key itself is short)
Used once         YES                            YES
Nature            randomness                     pseudorandomness
What is shared    the running key                the algorithm + a short key
Stream ciphers
Do not satisfy the perfect secrecy conditions (the running key is not random but pseudorandom).
However, stream ciphers possess practical (computational) secrecy. The level of security depends on the design.
Advantage: the secret key is short; it is the only piece of information that the transmitter and the receiver must share.
The running key:
1. What are general characteristics of these sequences?
2. What generators produce them?
Stream ciphers
Enciphering bit after bit.
Requirements on the generation of pseudorandom sequences:
• Long period
• Pseudorandomness properties
• Unpredictability
• Key space large enough
• Etc.
Running keys
The running key sequences generated by pseudorandom sequence generators are ultimately periodic (i.e. they may have a non-periodic prefix, after which they repeat).
The period must be at least as long as the length of the plaintext.
In practice, this period is much longer.
Running keys
Example: a period $T = 2^{100} - 1 \approx 1.27 \cdot 10^{30}$ bits.
At a rate $V_c = 1.2 \cdot 10^{8}$ bits/s, generating the whole period would take $3.33 \cdot 10^{14}$ years, about 22 200 times the age of the universe ($1.5 \cdot 10^{10}$ years).
Running keys
Distribution of zeros and ones, e.g. ... 0100110100111010110010010 ...
• a run of length k: k consecutive equal digits delimited by two different digits
• runs of zeros: gaps
• runs of ones: blocks
Running keys: autocorrelation
• Autocorrelation in phase (k = 0) and out of phase (k ≠ 0)
• A: number of coincidences; D: number of non-coincidences; T: period; k: shift
$AC(k) = (A - D)/T$, with $AC(0) = 1$ and $AC(k) \in [-1, 1]$.
Example (T = 16, cyclic shift k = 4):
Original seq. 1 0 1 1 0 0 1 0 1 0 0 0 0 1 1 1
Shifted seq.  0 0 1 0 1 0 0 0 0 1 1 1 1 0 1 1
Here A = 6, D = 10, so $AC(4) = (6 - 10)/16 = -1/4$.
Golomb’s pseudorandomness postulates
G1: In each period of the considered sequence, the difference between the number of 1s and the number of 0s must not exceed one.
G2: In each period of the considered sequence, half of the total number of runs have length 1, one fourth have length 2, one eighth have length 3, etc. For each length there are the same number of blocks and gaps.
G3: The out-of-phase autocorrelation AC(k) must be constant for every shift k ≠ 0.
Explanation of Golomb’s postulates
G1: The 1s and 0s must appear along the
sequence with the same probability.
G2: different n-grams (samples of n consecutive
digits) must occur with the correct probability.
G3: Computation of the coincidences between a
sequence and its shifted version must not give
any information about the period of the
sequence.
Golomb’s postulates
A finite sequence that satisfies the three Golomb postulates is called a PN sequence (pseudo-noise sequence).
Its statistical properties are those of a random sequence with uniform distribution.
Unpredictability
Given a part of a sequence of any length, a cryptanalyst cannot predict the next digit with a probability of success greater than 0.5.
A measure of unpredictability: Linear complexity.
Basic structures
• Generators based on linear congruences
• Feedback shift registers:
  – Non-linear feedback shift registers (NLFSR)
  – Linear feedback shift registers (LFSR)
Linear congruences
The recurrence $X_{i+1} = (a X_i + b) \bmod m$.
The parameters a, b and m can be used as the secret key.
$X_0$ is the seed that initializes the process. If the parameters a, b and m are chosen appropriately, the numbers $X_i$ do not repeat until they have covered the whole segment [0, m − 1].
Linear congruences
Example: $X_{i+1} = (5 X_i + 3) \bmod 16$, $X_0 = 1$:
1, 8, 11, 10, 5, 12, 15, 14, 9, 0, 3, 2, 13, 4, 7, 6, 1, 8, ...
(all 16 values appear before the sequence repeats: full period m = 16).
Linear congruences
Security of the generator: bad.
• Given a sufficiently long portion of the sequence, it is possible to deduce the parameters m, a and b, i.e. the key, and from then on to predict every subsequent output.
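Added example (my code, not part of the slides): the following Python carries out the attack just described against the slides' own generator $X_{i+1} = (5X_i + 3) \bmod 16$, recovering m, a and b from a run of consecutive outputs and then predicting the next one. The function names and the second, prime-modulus generator used for checking (m = 17, a = 3, b = 5) are my own choices.

```python
from functools import reduce
from math import gcd


def lcg(a, b, m, x0, count):
    """Produce X_1..X_count of the recurrence X_{i+1} = (a*X_i + b) mod m."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out


def recover_lcg(xs):
    """Recover (m, a, b) from a run of consecutive outputs xs (at least five values).

    The differences t_i = X_{i+1} - X_i satisfy t_{i+1} = a*t_i (mod m), because the
    additive constant b cancels.  Hence t_{i+2}*t_i - t_{i+1}^2 is a multiple of m,
    and the gcd of a few such multiples is m (for very short runs it may still be a
    small multiple of m; more outputs tighten it).  With m known, a = t_{i+1}/t_i mod m
    for any t_i invertible modulo m, and b follows from one pair of outputs.
    """
    if len(xs) < 5:
        raise ValueError("need at least five consecutive outputs")
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    multiples = [abs(t[i + 2] * t[i] - t[i + 1] ** 2) for i in range(len(t) - 2)]
    m = reduce(gcd, multiples)
    if m == 0:
        raise ValueError("degenerate run; need more outputs")
    for i in range(len(t) - 1):
        if gcd(t[i] % m, m) == 1:                     # t_i invertible modulo m
            a = (t[i + 1] * pow(t[i] % m, -1, m)) % m
            break
    else:
        raise ValueError("no invertible difference found; need more outputs")
    b = (xs[1] - a * xs[0]) % m
    return m, a, b


def predict_next(xs):
    """Recover the key from the observed run and predict the output that follows it."""
    m, a, b = recover_lcg(xs)
    return (a * xs[-1] + b) % m
```

Nine outputs (the seed plus eight values) are already enough for the 16-element example, and the attack needs no knowledge of m beforehand; this is why linear congruential generators are usable for simulation but never as a running-key generator.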
Feedback shift registers
A feedback shift register (FSR) consists of:
• n flip-flops (stages)
• a feedback function, which expresses each new element of the output sequence as a function of the n previous elements.
The contents of the flip-flops are shifted one position at every clock pulse.
Shift registers
The state of the register: the contents of the stages between two clock pulses.
The initial state: the contents of the stages at the beginning of the process.
The state diagram of an FSR is cyclic (every state lies on a cycle, no branches) if the feedback function is non-singular, i.e. it has the form
$a(t+n) = g\big(a(t+1), a(t+2), \dots, a(t+n-1)\big) \oplus a(t)$.
Shift registers
The period of the produced sequence depends on the number of stages n of the FSR and on the characteristics of the function g.
The maximum possible period is $2^n$. The key: the initial contents of the FSR.
The feedback function can also be kept secret.
Shift registers. Example 1: n = 3
x1 x2 x3 | g
0  0  0  | 0
0  0  1  | 0
0  1  0  | 0
0  1  1  | 0
1  0  0  | 0
1  0  1  | 1
1  1  0  | 1
1  1  1  | 0
Algebraic normal form of the function g: $g(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 x_3$.
The De Bruijn graph (state diagram) of this register is singular: g has no linear term in the stage being shifted out, so some states have two predecessors and the diagram branches.
Feedback shift registers. Example 2: n = 3
x1 x2 x3 | g
0  0  0  | 0
0  0  1  | 1
0  1  0  | 0
0  1  1  | 1
1  0  0  | 0
1  0  1  | 1
1  1  0  | 1
1  1  1  | 0
Algebraic normal form of the function g: $g(x_1, x_2, x_3) = x_1 x_2 \oplus x_3$.
The De Bruijn graph of this register is non-singular: with $x_3$ the stage being shifted out, g has the form $h(x_1, x_2) \oplus x_3$, so every state has exactly one predecessor and the diagram consists of cycles.
Problems with NLFSRs
A systematic method for their analysis and manipulation does not exist: the mathematical theory is not well developed.
It is possible to obtain sequences whose period is $2^n$ (De Bruijn sequences).
However, De Bruijn sequences do not satisfy Golomb’s G3 postulate.
LFSR
The most important devices for the generation of pseudorandom sequences.
Their feedback function is linear: the output is a linear recurrent sequence of order n,
$a(t+n) = c_1\, a(t+n-1) \oplus c_2\, a(t+n-2) \oplus \dots \oplus c_n\, a(t)$, $c_i \in \{0, 1\}$, $i = 1, \dots, n$.
To avoid the null sequence, the initial state must be different from the all-zero state.
The largest number of different (non-zero) states is $2^n - 1$.
A characteristic polynomial is associated with every linear recurrence:
$f(x) = 1 + c_1 x + c_2 x^2 + \dots + c_n x^n$.
LFSR
Example: an LFSR of length 4.
Feedback polynomial: $f(x) = 1 + x + x^4$.
Linear recurrence: $a(t+4) = a(t+3) \oplus a(t)$ (the new bit is the XOR of the first and the last stage).
Initial state: 1 0 0 0.
Successive states (newest stage on the left):
1 0 0 0
1 1 0 0
1 1 1 0
1 1 1 1
0 1 1 1
1 0 1 1
0 1 0 1
1 0 1 0
Generated sequence (the newly computed bit at each clock): 1 1 1 0 1 0 1 ...
LFSR
The characteristics of the output sequence of the LFSR depend on the characteristics of the feedback polynomial.
The feedback polynomial can be:• reducible
• irreducible
• primitive
LFSR
The fundamental theorem of arithmetic:
• Every positive integer can be represented in a unique way as a product of prime factors.
Analogue over a Galois field:
• Every polynomial over GF(q) can be represented in a unique way (up to the order of the factors) as a product of irreducible factors.
LFSR
An irreducible polynomial has no factors except 1 and itself.
Theorem:
• The polynomial $x^{p^{mk}} - x$ over GF($p^m$) has as factors all the irreducible polynomials whose degree divides k.
LFSR
Thus, if a polynomial f(x) of degree n over GF($p^m$) satisfies
$\gcd\big(f(x),\ (x^{p^{mk}} - x) \bmod f(x)\big) = 1$ for $k = 1, \dots, \lfloor n/2 \rfloor$,
then it is irreducible (a non-trivial factor would have degree at most n/2 and would appear in one of these gcds).
LFSR
Example over GF(2):
$x^{2} - x = x^2 + x = x\,(x + 1)$
$x^{4} - x = x^4 + x = x\,(x + 1)(x^2 + x + 1)$
LFSR: Euclidean algorithm
• For determining the G.C.D. of two integers.
• The same algorithm can be used to determine the G.C.D. of two polynomials.
• The divisor of the previous step is divided by the remainder of the previous step, iteratively, until the remainder is 0.
• The G.C.D. is the last non-zero remainder, i.e. the remainder obtained in the penultimate step of the algorithm.
LFSR
Example, integers: find (18, 12)
18 = 1 · 12 + 6
12 = 2 · 6 + 0
(18, 12) = 6
LFSR
Example, polynomials over GF(2): find $(x^5 + x^4 + x^2 + x,\ x^4 + x^3 + x^2 + x)$
$x^5 + x^4 + x^2 + x = x\,(x^4 + x^3 + x^2 + x) + (x^3 + x)$
$x^4 + x^3 + x^2 + x = (x + 1)(x^3 + x) + 0$
$(x^5 + x^4 + x^2 + x,\ x^4 + x^3 + x^2 + x) = x^3 + x$
LFSR
Example: determine whether $f(x) = 1 + x^2 + x^4$ is irreducible (n = 4, so k = 1, 2).
$\gcd(x^2 + x,\ 1 + x^2 + x^4) = 1$
$(x^4 + x) \bmod (1 + x^2 + x^4) = 1 + x + x^2$
$\gcd(1 + x + x^2,\ 1 + x^2 + x^4) = 1 + x + x^2 \neq 1$
Then the given polynomial is not irreducible; indeed $1 + x^2 + x^4 = (1 + x + x^2)^2$.
LFSR
Example: determine whether $f(x) = 1 + x + x^4$ is irreducible (n = 4, so k = 1, 2).
$\gcd(x^2 + x,\ 1 + x + x^4) = 1$
$(x^4 + x) \bmod (1 + x + x^4) = 1$
$\gcd(1,\ 1 + x + x^4) = 1$
Then the given polynomial is irreducible.
LFSR
A primitive polynomial of degree n over GF($p^m$):
• is irreducible
• does not divide $x^k - 1$ for any $k = 1, \dots, p^{mn} - 2$ (equivalently, the order of x modulo f(x) is exactly $p^{mn} - 1$).
Example:
• The polynomial $f(x) = 1 + x + x^4$ of degree 4 over GF(2) is irreducible and does not divide any of $x + 1,\ x^2 + 1,\ \dots,\ x^{14} + 1$. Because of that, it is primitive.
LFSR
The reciprocal polynomial of a polynomial f(x) of degree n: $f^*(x) = x^n f(1/x)$ (the coefficients of f in reverse order).
If f(x) is primitive, f*(x) is also primitive.
LFSR
Example: $f(x) = 1 + x + x^4$ is primitive.
$f^*(x) = x^4 \left(1 + x^{-1} + x^{-4}\right) = x^4 + x^3 + 1$ is primitive as well.
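Added example (my code, not part of the slides): the polynomial tests of the preceding slides written out for GF(2), with polynomials stored as integer bitmasks (bit i is the coefficient of $x^i$). It implements the Euclidean algorithm, the irreducibility criterion $\gcd(f, x^{2^k} + x \bmod f) = 1$ for $k \le n/2$, the primitivity test (the order of x modulo f must be $2^n - 1$, i.e. f divides no $x^k + 1$ with $k < 2^n - 1$), the reciprocal polynomial, and a count of the primitive polynomials of a given degree (which should agree with $\varphi(2^L - 1)/L$). Function names are mine; the polynomials exercised are the slides' own $1 + x^2 + x^4$, $1 + x + x^4$ and its reciprocal.

```python
def poly(*exponents):
    """Polynomial over GF(2) as an int bitmask; poly(4, 1, 0) is 1 + x + x^4."""
    p = 0
    for e in exponents:
        p ^= 1 << e
    return p


def degree(p):
    return p.bit_length() - 1


def gf2_mul(a, b):
    """Carry-less multiplication: the product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_mod(a, m):
    """Remainder of a divided by m in GF(2)[x]: long division is shift-and-XOR."""
    dm = degree(m)
    while a and degree(a) >= dm:
        a ^= m << (degree(a) - dm)
    return a


def gf2_gcd(a, b):
    """Euclidean algorithm: the gcd is the last non-zero remainder."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def is_irreducible(f):
    """The slides' criterion: f of degree n is irreducible iff
    gcd(f, x^(2^k) - x mod f) = 1 for k = 1..floor(n/2), because x^(2^k) - x is
    the product of all irreducible polynomials whose degree divides k."""
    n = degree(f)
    if n < 1:
        return False
    x = poly(1)
    xpow = x
    for _ in range(n // 2):
        xpow = gf2_mod(gf2_mul(xpow, xpow), f)   # x^(2^k) mod f, by repeated squaring
        if gf2_gcd(f, xpow ^ x) != 1:
            return False
    return True


def order_of_x(f):
    """Smallest k >= 1 with x^k = 1 mod f, i.e. the smallest k such that f divides
    x^k - 1.  Brute force, adequate for the register lengths used in these slides."""
    acc = 1
    for k in range(1, 2 ** degree(f)):
        acc = gf2_mod(acc << 1, f)               # multiply by x, reduce modulo f
        if acc == 1:
            return k
    return None


def is_primitive(f):
    """Irreducible and dividing no x^k - 1 with k < 2^n - 1 (order of x = 2^n - 1)."""
    if not is_irreducible(f) or f & 1 == 0:      # constant term 0 means x | f
        return False
    return order_of_x(f) == 2 ** degree(f) - 1


def reciprocal(f):
    """f*(x) = x^n f(1/x): the coefficient vector of f reversed."""
    return int(format(f, "b")[::-1], 2)


def count_primitive(n):
    """Number of primitive polynomials of degree n over GF(2)."""
    return sum(1 for f in range(1 << n, 1 << (n + 1)) if is_primitive(f))
```

The same gcd routine reproduces the slides' Euclid example, $(x^5 + x^4 + x^2 + x,\ x^4 + x^3 + x^2 + x) = x^3 + x$, and the order function explains the cycle lengths seen on the following slides: order 6 for the reducible $1 + x^2 + x^4$, order 5 for the irreducible but non-primitive $1 + x + x^2 + x^3 + x^4$, and order 15 for the primitive $1 + x + x^4$.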
Period of the LFSR (reducible)
Example: $f(x) = x^4 + x^2 + 1 = (x^2 + x + 1)^2$, recurrence $a(t+4) = a(t+2) \oplus a(t)$.
The 16 states split into cycles of different lengths:
• 0000 (period 1)
• 0110 → 1011 → 1101 → 0110 (period 3)
• 0001 → 1000 → 0100 → 1010 → 0101 → 0010 → 0001 (period 6)
• 0011 → 1001 → 1100 → 1110 → 1111 → 0111 → 0011 (period 6)
Generators with reducible feedback polynomials
The length (period) of the output sequence depends on the initial state.
The period T satisfies $T < 2^L - 1$, with the possibility of secondary periods whose length divides T.
Not adequate for use in cryptography.
Period of the LFSR (irreducible)
Example: $f(x) = 1 + x + x^2 + x^3 + x^4$ (irreducible, not primitive). Apart from 0000, the states form three cycles of period 5:
0001 → 1000 → 1100 → 0110 → 0011 → 0001
0010 → 1001 → 0100 → 1010 → 0101 → 0010
1111 → 0111 → 1011 → 1101 → 1110 → 1111
Generators with irreducible feedback polynomial
The length of the output sequence does not depend on the initial state.
The period T is a factor of $2^L - 1$ (here 5 divides 15).
Not adequate for use in cryptography.
Period of the LFSR (primitive)
Example: $f(x) = 1 + x + x^4$. Apart from 0000, all 15 non-zero states lie on a single cycle:
1000 → 1100 → 1110 → 1111 → 0111 → 1011 → 0101 → 1010 → 1101 → 0110 → 0011 → 1001 → 0100 → 0010 → 0001 → 1000
Output: 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 ..., a PN-sequence (m-sequence) with the maximum possible period for this type of generator.
Generators with primitive feedback polynomial
The length of the sequence does not depend on the initial state.
The period is $T = 2^L - 1$.
Adequate for use in cryptography (as a building block; see linear complexity below), because the output sequence satisfies all of Golomb’s postulates.
How many primitive polynomials of degree L are there?
$\varphi(2^L - 1)/L$, where $\varphi$ is Euler’s function.
L = 11: 176 primitive polynomials; L = 24: 276 480.
But not all of them are good. It is not recommended to use polynomials with very few non-zero coefficients (sparse feedback, e.g. trinomials): there are attacks, among them correlation attacks, against LFSRs with that property.
The period of the sequence must have the smallest possible number of prime factors, and these prime factors must be as large as possible.
Mersenne primes
• Those are prime numbers of the form $2^L - 1$.
• Example: $2^{61} - 1 = 2305843009213693951$ is a Mersenne prime.
• Example: $2^{63} - 1 = 7^2 \cdot 73 \cdot 127 \cdot 337 \cdot 92737 \cdot 649657$ is not a Mersenne prime. It is not recommended for LFSRs.
• Thus, the best strategy is to use LFSRs with a primitive polynomial of degree L such that $2^L - 1$ is a Mersenne prime.
• The numbers $2^{61} - 1$, $2^{89} - 1$, $2^{107} - 1$, $2^{127} - 1$, etc. are Mersenne primes.
PN-sequences and Golomb’s postulates
G1: $T = 2^L - 1$; number of 1s $= 2^{L-1}$, number of 0s $= 2^{L-1} - 1$.
G2: run distribution in one period:
Length   Gaps          Blocks
1        $2^{L-3}$     $2^{L-3}$
2        $2^{L-4}$     $2^{L-4}$
:        :             :
r        $2^{L-r-2}$   $2^{L-r-2}$
:        :             :
L−2      1             1
L−1      1             0
L        0             1
Total    $2^{L-2}$     $2^{L-2}$
PN-sequences and Golomb’s postulates
G3: for the m-sequence 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 (T = 15):
Shift k = 1:
original  1 0 0 0 1 1 1 1 0 1 0 1 1 0 0
shifted   0 0 0 1 1 1 1 0 1 0 1 1 0 0 1
XOR       1 0 0 1 0 0 0 1 1 1 1 0 1 0 1
$AC(1) = (7 - 8)/15 = -1/15$
Shift k = 2:
original  1 0 0 0 1 1 1 1 0 1 0 1 1 0 0
shifted   0 0 1 1 1 1 0 1 0 1 1 0 0 1 0
XOR       1 0 1 1 0 0 1 0 0 0 1 1 1 1 0
$AC(2) = (7 - 8)/15 = -1/15$
Out of phase the autocorrelation is constant, $AC(k) = -1/T$ for every $k \neq 0$.
PN-sequences satisfy Golomb’s postulates.
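Added example (my code, not part of the slides): an LFSR in the convention used here ($f(x) = 1 + c_1 x + \dots + c_n x^n$, newest stage on the left, the freshly computed bit is the output), together with checks of Golomb's three postulates on one period: G1 balance, G2 run distribution counted cyclically, and G3 autocorrelation $AC(k) = (A - D)/T$. Run on the slides' generator $1 + x + x^4$ with initial state 1000 it reproduces 111010110010001 and confirms the $-1/15$ out-of-phase autocorrelation of the example above; run on the reducible and irreducible examples it reproduces their periods 6, 3 and 5. Function names are mine.

```python
from collections import Counter
from fractions import Fraction


def lfsr_step(taps, state):
    """One clock of a Fibonacci LFSR in the slides' convention.

    taps  = [c_1, ..., c_n] from f(x) = 1 + c_1 x + ... + c_n x^n
    state = [a(t+n-1), ..., a(t)]   (newest stage first, oldest last)
    Returns (new_bit, new_state), new_bit = a(t+n) = XOR of c_i * a(t+n-i)."""
    new = 0
    for c, bit in zip(taps, state):
        new ^= c & bit
    return new, [new] + state[:-1]


def lfsr_sequence(taps, state, length):
    """The first `length` newly generated bits a(t+n), a(t+n+1), ..."""
    out = []
    for _ in range(length):
        bit, state = lfsr_step(taps, state)
        out.append(bit)
    return out


def lfsr_period(taps, state):
    """Clock the register until the initial state recurs (at most 2^n steps)."""
    s = list(state)
    for t in range(1, 2 ** len(taps) + 1):
        _, s = lfsr_step(taps, s)
        if s == list(state):
            return t
    return None


def balanced(seq):
    """G1: within one period the numbers of 1s and 0s differ by at most one."""
    ones = sum(seq)
    return abs(ones - (len(seq) - ones)) <= 1


def cyclic_runs(seq):
    """Runs of one period read cyclically, as Counter[(bit, run_length)]."""
    T = len(seq)
    if len(set(seq)) == 1:
        return Counter({(seq[0], T): 1})
    start = next(i for i in range(T) if seq[i] != seq[i - 1])  # begin at a run boundary
    rot = seq[start:] + seq[:start]
    runs, i = Counter(), 0
    while i < T:
        j = i
        while j < T and rot[j] == rot[i]:
            j += 1
        runs[(rot[i], j - i)] += 1
        i = j
    return runs


def run_distribution_ok(seq):
    """G2: half of the runs have length 1, a quarter length 2, an eighth length 3, ...,
    with equally many gaps (0-runs) and blocks (1-runs) of each such length.  The two
    longest runs (one gap of length L-1, one block of length L) are the allowed exception."""
    runs = cyclic_runs(seq)
    total = sum(runs.values())
    for r in range(1, max(length for _, length in runs) + 1):
        gaps, blocks = runs[(0, r)], runs[(1, r)]
        expected = total // 2 ** r
        if expected >= 2 and (gaps != blocks or gaps + blocks != expected):
            return False
    return True


def autocorrelation(seq, k):
    """AC(k) = (A - D) / T: A agreements and D disagreements between the sequence
    and its cyclic shift by k positions, over one period T."""
    T = len(seq)
    A = sum(1 for i in range(T) if seq[i] == seq[(i + k) % T])
    return Fraction(A - (T - A), T)


def autocorrelation_ok(seq):
    """G3: the out-of-phase autocorrelation takes a single value for every k != 0."""
    return len({autocorrelation(seq, k) for k in range(1, len(seq))}) == 1


def is_pn_sequence(seq):
    return balanced(seq) and run_distribution_ok(seq) and autocorrelation_ok(seq)
```

The alternating sequence 0101010101 is a useful negative control: it passes G1 but fails G2 (all its runs have length 1) and G3 (AC(1) = −1 while AC(2) = +1), which is exactly why balance alone says nothing about pseudorandomness.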
Linear complexity (unpredictability)
The concept of sequence complexity: the quantity of sequence symbols necessary to determine the rest of it.
General idea: associate an LFSR with every sequence.
Linear complexity = the length of the shortest LFSR capable of generating the given sequence.
Berlekamp-Massey algorithm (1969)
• Input: the considered binary sequence
• Output: the connection polynomial P(x), the length L and the initial contents of the shortest LFSR
Linear complexity
Sequence 1: generated by an LFSR (primitive polynomial). Length: 31 bits. P(x) and L = 15 are determined from 2L = 30 bits. VERY PREDICTABLE.
Sequence 2: random: 1000111101000011011110100010100. Length: $2^{127} - 1 \approx 10^{38}$ bits. P(x) and L = 127 would require 2L = 254 bits. VERY UNPREDICTABLE.
Linear complexity
Example: $f(x) = 1 + x + x^4$. The output sequence: 1 1 1 0 ... The unknown initial state: $a_0, a_1, a_2, a_3$ ($a_0$ the oldest bit, i.e. a(t)).
The output bits: $y_0 = 1,\ y_1 = 1,\ y_2 = 1,\ y_3 = 0$. The equations, from $a(t+4) = a(t+3) \oplus a(t)$:
$y_0 = a_3 \oplus a_0$
$y_1 = y_0 \oplus a_1$
$y_2 = y_1 \oplus a_2$
$y_3 = y_2 \oplus a_3$
In matrix form over GF(2), columns $a_0\ a_1\ a_2\ a_3$:
$y_0$: 1 0 0 1
$y_1$: 1 1 0 1
$y_2$: 1 1 1 1
$y_3$: 1 1 1 0
Linear system: easy to solve! Here $a_1 = y_1 \oplus y_0 = 0$, $a_2 = y_2 \oplus y_1 = 0$, $a_3 = y_3 \oplus y_2 = 1$, $a_0 = y_0 \oplus a_3 = 0$: the initial state (1000, newest stage first) is recovered from only L = 4 known output bits.
Linear complexity
A random sequence of length 2L has expected linear complexity L.
When a random sequence of length L is repeated periodically, the value of its linear complexity approaches the length of its period.
The Berlekamp-Massey algorithm
Input to one step: the first n digits of a sequence. The step determines the characteristics of the minimal LFSR capable of generating them.
If digit n+1 of the sequence can be generated by the current LFSR, the current LFSR is kept.
Otherwise, a longer LFSR is needed, capable of generating all n+1 digits, and the procedure continues through the whole sequence.
The Berlekamp-Massey algorithm
Theorem 1
• If <C(D), L> generates the prefix $s^n$ of the intercepted sequence but does not generate $s^{n+1}$, then $LC(s^{n+1}) \ge n + 1 - L$.
• Example: the LFSR <C(D) = 1 + D + D², L = 2> cycles through the states (stage 1, stage 2, feedback bit):
0 1 1
1 0 1
1 1 0
0 1 1
1 0 1
1 1 0
0 1 1
It generates 110110 but does not generate 1101100: its seventh bit is 1, a discrepancy.
Hence $LC(1101100) \ge 6 + 1 - 2 = 5$.
The Berlekamp-Massey algorithm
Theorem 2
• If <C(D), L> generates $s^n$ but not $s^{n+1}$ (discrepancy $\delta_n \neq 0$) and <C*(D), L*> generates $s^m$ but not $s^{m+1}$ (discrepancy $\delta_m \neq 0$), where $0 \le m < n$, then
$\left\langle C(D) - \frac{\delta_n}{\delta_m}\, D^{\,n-m}\, C^*(D),\ \max(L,\ L^* + n - m) \right\rangle$
generates $s^{n+1}$. (Over GF(2) the quotient $\delta_n/\delta_m$ equals 1, so the new polynomial is simply $C(D) \oplus D^{\,n-m} C^*(D)$.)
The Berlekamp-Massey algorithm
Theorem 3
• If <C(D), L> with $L = LC(s^n)$ generates $s^n$ but does not generate $s^{n+1}$, then
$LC(s^{n+1}) = \max\big(LC(s^n),\ n + 1 - LC(s^n)\big)$.
Notation used in the algorithm: $\delta = \delta_n$, $\delta^* = \delta_m$, $x = n - m$.
The Berlekamp-Massey algorithm
Example: N = 7, GF(2), $s_0, \dots, s_6 = 1, 1, 0, 1, 0, 0, 1$.
Solution: C(D) = 1 + D + D³, L = 3, i.e. $s_j = s_{j-1} \oplus s_{j-3}$.
Check: states of the recovered register (stages holding $s_{j+2}, s_{j+1}, s_j$) and output $s_j$:
0 1 1 | 1
1 0 1 | 1
0 1 0 | 0
0 0 1 | 1
1 0 0 | 0
1 1 0 | 0
1 1 1 | 1
The output column reproduces the intercepted sequence 1101001.
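Added example (my code, not part of the slides): the Berlekamp-Massey algorithm over GF(2) exactly as Theorems 1 to 3 describe it, returning the connection polynomial C(D) and L, plus a routine that runs the recovered LFSR forward to predict the rest of the running key from 2L known bits (the known-plaintext attack this section warns about), and the linear complexity profile of a sequence. The inputs in the test are the slides' own sequences 1101001 and 1101100 and the m-sequence of $1 + x + x^4$; function names are mine.

```python
def berlekamp_massey(s):
    """Shortest LFSR generating the binary sequence s (Massey 1969), over GF(2).

    Returns (C, L): C = [1, c_1, ..., c_L] is the connection polynomial
    C(D) = 1 + c_1 D + ... + c_L D^L, meaning s_j = c_1 s_{j-1} + ... + c_L s_{j-L}
    for every j >= L.  Over GF(2) the ratio delta_n/delta_m of Theorem 2 is 1,
    so the update is simply C(D) <- C(D) + D^(n-m) C*(D)."""
    n = len(s)
    C = [1] + [0] * n          # current connection polynomial <C(D), L>
    B = [1] + [0] * n          # C*(D): the polynomial in force before the last length change
    L, m = 0, -1               # m: index of the last discrepancy that changed L
    for N in range(n):
        d = s[N]               # discrepancy: s_N minus what the current LFSR predicts
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]
        if d == 0:
            continue           # <C(D), L> also generates s^(N+1); nothing to do
        T = C[:]
        shift = N - m          # Theorem 2: C(D) <- C(D) + D^(N-m) C*(D)
        for i in range(n + 1 - shift):
            C[i + shift] ^= B[i]
        if 2 * L <= N:         # Theorem 3: LC(s^(N+1)) = max(L, N + 1 - L)
            L = N + 1 - L
            B, m = T, N
    return C[:L + 1], L


def lfsr_extend(C, seed, length):
    """Run the LFSR <C(D), L> forward from its first L bits (the known part of the
    running key) up to `length` bits: this is how an attacker predicts the rest."""
    L = len(C) - 1
    if len(seed) < L:
        raise ValueError("need at least L known bits to run the register")
    s = list(seed)
    while len(s) < length:
        j = len(s)
        bit = 0
        for i in range(1, L + 1):
            bit ^= C[i] & s[j - i]
        s.append(bit)
    return s


def linear_complexity_profile(s):
    """LC of every prefix s^1, s^2, ..., s^n.  For an LFSR output it stops growing
    once 2L bits have been seen; for a random sequence it keeps climbing near n/2."""
    return [berlekamp_massey(s[:k + 1])[1] for k in range(len(s))]
```

For the 15-bit m-sequence of $1 + x + x^4$ the profile settles at L = 4 after the first 7 bits (2L − 1), and the recovered register regenerates the whole period from its first four bits; this is the concrete reason a bare LFSR, however long its period, cannot serve as a running-key generator on its own.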