SlideShare a Scribd company logo

5 stream ciphers

Download as PPT, PDF
H
Harish Sahu
1 of 35
Stream Ciphers Stream Ciphers
Stream Ciphers Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream cipher is initialized with short key  Key is “stretched” into long keystream  Keystream is used like a one-time pad o XOR to encrypt or decrypt  Stream cipher is a keystream generator  Usually, keystream is bits, sometimes bytes
Stream Ciphers Stream Cipher  Generic view of stream cipher QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers Stream Cipher  We consider 3 real stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong cipher, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — intermediate strength, unusual mathematical design, generates 1 byte/step  But first, we discuss shift registers
Stream Ciphers Shift Registers  Traditionally, stream ciphers were based on shift registers o Today, a wider variety of designs  Shift register includes o A series of stages each holding one bit o A feedback function  A linear feedback shift register (LFSR) has a linear feedback function
Stream Ciphers  Example (nonlinear) feedback function f(xi, xi+1, xi+2) = 1⊕ xi⊕xi+2⊕xi+1xi+2  Example (nonlinear) shift register  First 3 bits are initial fill: (x0, x1, x2) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Shift Register
Stream Ciphers LFSR  Example of LFSR  Then xi+5= xi⊕xi+2 for all i  If initial fill is (x0,x1,x2,x3,x4) = 01110 then (x0,x1,…,x15,…) = 0111010100001001… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers LFSR  For LFSR  We have xi+5= xi ⊕xi+2 for all i  Linear feedback functions often written in polynomial form: x5 + x2 + 1  Connection polynomial of the LFSR QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers Berlekamp-Massey Algorithm  Given (part of) a (periodic) sequence, can find shortest LFSR that could generate the sequence  Berlekamp-Massey algorithm o Order N2 , where N is length of LFSR o Iterative algorithm o Only 2N consecutive bits required
Stream Ciphers Berlekamp-Massey Algorithm  Binary sequence: s = (s0,s1,s2,…,sn-1)  Linear complexity of s is the length of shortest LFSR that can generate s  Let L be linear complexity of s  Then connection polynomial of s is of form C(x) = c0+ c1x + c2x2 + … + cLxL  Berlekamp-Massey finds L and C(x) o Algorithm on next slide (where d is known as the discrepancy)
Stream Ciphers Berlekamp-Massey Algorithm
Stream Ciphers Berlekamp-Massey Algorithm  Example:
Stream Ciphers Berlekamp-Massey Algorithm  Berlekamp-Massey is efficient way to determine minimal LFSR for sequence  With known plaintext, keystream bits of stream cipher are exposed  With enough keystream bits, can use Berlekamp-Massey to find entire keystream o 2L bits is enough, where L is linear complexity of the keystream  Keystream must have large linear complexity
Stream Ciphers Cryptographically Strong Sequences  A sequence is cryptographically strong if it is a “good” keystream o “Good” relative to some specified criteria  Crypto strong sequence must be unpredictable o Known plaintext exposes part of keystream o Trudy must not be able to determine more of the keystream from a short segment  Small linear complexity implies predictable o Due to Berlekamp-Massey algorithm
Stream Ciphers Crypto Strong Sequences  Necessary for a cryptographically strong keystream to have a high linear complexity  But not sufficient!  Why? Consider s = (s0,s1,…,sn-1) = 00…01  Then s has linear complexity n o Smallest shift register for s requires n stages o Largest possible for sequence of period n o But s is not cryptographically strong  Linear complexity “concentrated” in last bit
Stream Ciphers Linear Complexity Profile  Linear complexity profile is a better measure of cryptographic strength  Plot linear complexity as function of bits processed in Berlekamp-Massey algorithm o Should follow n/2 line “closely but irregularly”  Plot of sequence s = (s0,s1,…,sn-1) = 00…01 would be 0 until last bit, then jumps to n o Does not follow n/2 line “closely but irregularly” o Not a strong sequence (by this definition)
Stream Ciphers Linear Complexity Profile  A “good” linear complexity profile QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers k-error Linear Complexity Profile  Alternative way to measure cryptographically strong sequences  Consider again s = (s0,s1,…,sn-1) = 00…01  This s has max linear complexity, but it is only 1 bit away from having min linear complexity  k-error linear complexity is min complexity of any sequence that is “distance” k from s  1-error linear complexity of s = 00…01 is 0 o Linear complexity of this sequence is “unstable”
Stream Ciphers QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. k-error Linear Complexity Profile  k-error linear complexity profile o k-error linear complexity as function of k  Example: o Not a strong s o Good profile should follow diagonal “closely”
Stream Ciphers Crypto Strong Sequences  Linear complexity must be “large”  Linear complexity profile must n/2 line “closely but irregularly”  k-error linear complexity profile must follow diagonal line “closely”  All of this is necessary but not sufficient for crypto strength!
Stream Ciphers Shift Register-Based Stream Ciphers  Two approaches to LFSR-based stream ciphers o One LFSR with nonlinear combining function o Multiple LFSRs combined via nonlinear func  In either case o Key is initial fill of LFSRs o Keystream is output of nonlinear combining function
Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o 1 LFSR with nonlinear function f(x0,x1,…,xn-1) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  Keystream: k0,k1,k2,…
Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o Multiple LFSRs with nonlinear function  Keystream: k0,k1,k2,… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers Shift Register-Based Stream Ciphers  Single LFSR example is special case of multiple LFSR example  To convert single LFSR case to multiple o Let LFSR0,…LFSRn-1 be same as LFSR o Initial fill of LFSR0 is initial fill of LFSR o Initial fill of LFSR1 is initial fill of LFSR stepped once o And so on…
Stream Ciphers Correlation Attack  Trudy obtains some segment of keystream from LFSR stream cipher o Of the type considered on previous slides  Can assume stream cipher is the multiple shift register case o If not, convert it to this case  By Kerckhoffs Principle, we assume shift registers and combining function known  Only unknown is the key o The key consists of LFSR initial fills
Stream Ciphers Correlation Attack  Trudy wants to recover LFSR initial fills o She knows all connection polynomials and nonlinear combining function o She also knows N keystream bits, k0,k1,…,kN-1  Sometimes possible to determine initial fills of the LFSRs independently o By correlating each LFSR output to keystream o A classic divide and conquer attack
Stream Ciphers Correlation Attack  For example, suppose keystream generator is of the form: QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  And f(x,y,z) = xy ⊕ yz ⊕ z  Note that key is 12 bits, initial fills
Stream Ciphers Correlation Attack  For stream cipher on previous slide  Suppose initial fills are o X = 011, Y = 0101, Z = 11100 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 yi 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 zi 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 bits i = 0,1,2,…23
Stream Ciphers Correlation Attack  Consider truth table for combining function: f(x,y,z) = xy ⊕ yz ⊕ z  Easy to show that f(x,y,z) = x with probability 3/4 f(x,y,z) = z with probability 3/4  Trudy can use this to recover initial fills from known keystream
Stream Ciphers Correlation Attack  Trudy sees keystream in table  Trudy wants to find initial fills  She guesses X = 111, generates first 24 bits of putative X, compares to ki ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1  Trudy finds 12 out of 24 matches  As expected in random case
Stream Ciphers Correlation Attack  Now suppose Trudy guesses correct fill, X = 011  First 24 bits of X (and keystream) ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1  Trudy finds 21 out of 24 matches  Expect 3/4 matches in causal case  Trudy has found initial fill of X
Stream Ciphers Correlation Attack  How much work is this attack? o The X,Y,Z fills are 3,4,5 bits, respectively  We need to try about half of the initial fills before we find X  Then we try about half of the fills for Y  Then about half of Z fills  Work is 22 + 23 + 24 < 25  Exhaustive key search work is 211
Stream Ciphers Correlation Attack  Work factor in general…  Suppose n LFSRs o Of lengths N0,N1,…,Nn-1  Correlation attack work is  Work for exhaustive key search is
Stream Ciphers Conclusions  Keystreams must be cryptographically strong o Crucial property: unpredictable  Lots of theory available for LFSRs o Berlekamp-Massey algorithm o Nice mathematical theory exists  LFSRs can be used to make stream ciphers o LFSR-based stream ciphers must be correlation immune o Depends on properties of function f
Stream Ciphers Coming Attractions  Consider attacks on 3 stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — medium strength, unusual design, generates 1 byte/step

Recommended

CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsSam Bowne
 
Implementation of reed solomon codes basics
Implementation of reed solomon codes basicsImplementation of reed solomon codes basics
Implementation of reed solomon codes basicsRam Singh Yadav
 
Understanding Reed-Solomon code
Understanding Reed-Solomon codeUnderstanding Reed-Solomon code
Understanding Reed-Solomon code继顺(Jeffrey) 王
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingSam Bowne
 
The GSM Technology
The GSM TechnologyThe GSM Technology
The GSM TechnologyWajahatHussain68
 
MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...
MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...
MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...MIPI Alliance
 
Reed Soloman and convolution codes
Reed Soloman and convolution codesReed Soloman and convolution codes
Reed Soloman and convolution codesShailesh Tanwar
 
Reed solomon code
Reed solomon codeReed solomon code
Reed solomon codeMelaku Bayih Demessie
 

Recommended

CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsSam Bowne
 
Implementation of reed solomon codes basics
Implementation of reed solomon codes basicsImplementation of reed solomon codes basics
Implementation of reed solomon codes basicsRam Singh Yadav
 
Understanding Reed-Solomon code
Understanding Reed-Solomon codeUnderstanding Reed-Solomon code
Understanding Reed-Solomon code继顺(Jeffrey) 王
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingSam Bowne
 
The GSM Technology
The GSM TechnologyThe GSM Technology
The GSM TechnologyWajahatHussain68
 
MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...
MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...
MIPI DevCon 2021: MIPI I3C Application and Validation Models for IoT Sensor N...MIPI Alliance
 
Reed Soloman and convolution codes
Reed Soloman and convolution codesReed Soloman and convolution codes
Reed Soloman and convolution codesShailesh Tanwar
 
Reed solomon code
Reed solomon codeReed solomon code
Reed solomon codeMelaku Bayih Demessie
 
Gprs architecture ppt
Gprs architecture pptGprs architecture ppt
Gprs architecture pptArpita Sanghani
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
I2C BUS
I2C BUSI2C BUS
I2C BUSp_ayal
 
WCDMA
WCDMAWCDMA
WCDMAHarshal Tiwari
 
IS95 CDMA Technology
IS95 CDMA TechnologyIS95 CDMA Technology
IS95 CDMA TechnologyAditya Sharat
 
Rsa
RsaRsa
RsaNavneet Sharma
 
Rs 232 interface
Rs 232 interfaceRs 232 interface
Rs 232 interfacePREMAL GAJJAR
 
Error control coding bch, reed-solomon etc..
Error control coding bch, reed-solomon etc..Error control coding bch, reed-solomon etc..
Error control coding bch, reed-solomon etc..Madhumita Tamhane
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing FunctionsYusuf Uzun
 
Mobility Management
Mobility ManagementMobility Management
Mobility ManagementHira Shaukat
 
Reed Solomon encoder and decoder \ ريد سلمون
Reed Solomon encoder and decoder \ ريد سلمونReed Solomon encoder and decoder \ ريد سلمون
Reed Solomon encoder and decoder \ ريد سلمونMuhammed Abdulmahdi
 
Mobile IP
Mobile IPMobile IP
Mobile IPMukesh Chinta
 
wireless application protocol
wireless application protocol wireless application protocol
wireless application protocol Smriti Agrawal
 
Asterisk: the future is at REST
Asterisk: the future is at RESTAsterisk: the future is at REST
Asterisk: the future is at RESTPaloSanto Solutions
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptographyRutvik Mehta
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAs
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAsMIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAs
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAsMIPI Alliance
 
Elgamal digital signature
Elgamal digital signatureElgamal digital signature
Elgamal digital signatureMDKAWSARAHMEDSAGAR
 
Schedule and Contention based MAC protocols
Schedule and Contention based MAC protocolsSchedule and Contention based MAC protocols
Schedule and Contention based MAC protocolsDarwin Nesakumar
 
Reed solomon codes
Reed solomon codesReed solomon codes
Reed solomon codesSamreen Reyaz Ansari
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Isaac stream cipher
Isaac stream cipherIsaac stream cipher
Isaac stream cipherAnoop Betigeri
 

More Related Content

What's hot

5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
I2C BUS
I2C BUSI2C BUS
I2C BUSp_ayal
 
IS95 CDMA Technology
IS95 CDMA TechnologyIS95 CDMA Technology
IS95 CDMA TechnologyAditya Sharat
 
Error control coding bch, reed-solomon etc..
Error control coding bch, reed-solomon etc..Error control coding bch, reed-solomon etc..
Error control coding bch, reed-solomon etc..Madhumita Tamhane
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing FunctionsYusuf Uzun
 
Mobility Management
Mobility ManagementMobility Management
Mobility ManagementHira Shaukat
 
Reed Solomon encoder and decoder \ ريد سلمون
Reed Solomon encoder and decoder \ ريد سلمونReed Solomon encoder and decoder \ ريد سلمون
Reed Solomon encoder and decoder \ ريد سلمونMuhammed Abdulmahdi
 
wireless application protocol
wireless application protocol wireless application protocol
wireless application protocol Smriti Agrawal
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptographyRutvik Mehta
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAs
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAsMIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAs
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAsMIPI Alliance
 
Schedule and Contention based MAC protocols
Schedule and Contention based MAC protocolsSchedule and Contention based MAC protocols
Schedule and Contention based MAC protocolsDarwin Nesakumar
 

What's hot (20)

Gprs architecture ppt
Gprs architecture pptGprs architecture ppt
Gprs architecture ppt
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
I2C BUS
I2C BUSI2C BUS
I2C BUS
 
WCDMA
WCDMAWCDMA
WCDMA
 
IS95 CDMA Technology
IS95 CDMA TechnologyIS95 CDMA Technology
IS95 CDMA Technology
 
Rsa
RsaRsa
Rsa
 
Rs 232 interface
Rs 232 interfaceRs 232 interface
Rs 232 interface
 
Error control coding bch, reed-solomon etc..
Error control coding bch, reed-solomon etc..Error control coding bch, reed-solomon etc..
Error control coding bch, reed-solomon etc..
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing Functions
 
Mobility Management
Mobility ManagementMobility Management
Mobility Management
 
Reed Solomon encoder and decoder \ ريد سلمون
Reed Solomon encoder and decoder \ ريد سلمونReed Solomon encoder and decoder \ ريد سلمون
Reed Solomon encoder and decoder \ ريد سلمون
 
Mobile IP
Mobile IPMobile IP
Mobile IP
 
wireless application protocol
wireless application protocol wireless application protocol
wireless application protocol
 
Asterisk: the future is at REST
Asterisk: the future is at RESTAsterisk: the future is at REST
Asterisk: the future is at REST
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptography
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAs
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAsMIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAs
MIPI DevCon 2016: Multiple MIPI CSI-2 Cameras Leveraging FPGAs
 
Elgamal digital signature
Elgamal digital signatureElgamal digital signature
Elgamal digital signature
 
Schedule and Contention based MAC protocols
Schedule and Contention based MAC protocolsSchedule and Contention based MAC protocols
Schedule and Contention based MAC protocols
 
Reed solomon codes
Reed solomon codesReed solomon codes
Reed solomon codes
 

Viewers also liked

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Поисковый отряд "Звезда"
Поисковый отряд "Звезда"Поисковый отряд "Звезда"
Поисковый отряд "Звезда"Денис Лонский
 
Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)Jose Beltran
 
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITEDNEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITEDDr. Henry Akpojubaro Efegbere
 
Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01Ritika Sharma
 
Closed Door project
Closed Door projectClosed Door project
Closed Door projectGerry Hannah
 
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...Dr. Henry Akpojubaro Efegbere
 
Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"Денис Лонский
 
Upper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 PresentationUpper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 Presentationwapinskysmiths
 
Tier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakersTier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakersHannah Pegram
 
Lambing lunch-GFAVS lecture
Lambing lunch-GFAVS lectureLambing lunch-GFAVS lecture
Lambing lunch-GFAVS lectureHannah Pegram
 
Stream ciphers
Stream ciphersStream ciphers
Stream ciphersdegarden
 
Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability Md Boby Sabur
 

Viewers also liked (20)

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentation
 
Isaac stream cipher
Isaac stream cipherIsaac stream cipher
Isaac stream cipher
 
Gsm Security and Attacks
Gsm Security and AttacksGsm Security and Attacks
Gsm Security and Attacks
 
Поисковый отряд "Звезда"
Поисковый отряд "Звезда"Поисковый отряд "Звезда"
Поисковый отряд "Звезда"
 
constitution-1
constitution-1constitution-1
constitution-1
 
Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)
 
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITEDNEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
 
презентация2
презентация2презентация2
презентация2
 
Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01
 
Closed Door project
Closed Door projectClosed Door project
Closed Door project
 
DRAMATIC LEADERSHIP
DRAMATIC LEADERSHIPDRAMATIC LEADERSHIP
DRAMATIC LEADERSHIP
 
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
 
Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"
 
korjaamo
korjaamokorjaamo
korjaamo
 
Upper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 PresentationUpper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 Presentation
 
Tier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakersTier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakers
 
factoring
factoringfactoring
factoring
 
Lambing lunch-GFAVS lecture
Lambing lunch-GFAVS lectureLambing lunch-GFAVS lecture
Lambing lunch-GFAVS lecture
 
Stream ciphers
Stream ciphersStream ciphers
Stream ciphers
 
Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability
 

Similar to 5 stream ciphers

Computer security
Computer securityComputer security
Computer securityFraboni Ec
 
Computer security
Computer security Computer security
Computer security Harry Potter
 
Computer security
Computer security Computer security
Computer security Tony Nguyen
 
Computer security
Computer securityComputer security
Computer securityDavid Hoen
 
Computer security
Computer securityComputer security
Computer securityJames Wong
 
Block Cipher vs. Stream Cipher
Block Cipher vs. Stream CipherBlock Cipher vs. Stream Cipher
Block Cipher vs. Stream CipherAmirul Wiramuda
 
Programmable PN Sequence Generators
Programmable PN Sequence GeneratorsProgrammable PN Sequence Generators
Programmable PN Sequence GeneratorsRajesh Singh
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practiceFraboni Ec
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceLuis Goldster
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practiceJames Wong
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceTony Nguyen
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceDavid Hoen
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceHarry Potter
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practiceYoung Alista
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGjulien pauli
 
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;Vishalkumarec
 

Similar to 5 stream ciphers (20)

Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer security Computer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer security Computer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Block Cipher vs. Stream Cipher
Block Cipher vs. Stream CipherBlock Cipher vs. Stream Cipher
Block Cipher vs. Stream Cipher
 
Programmable PN Sequence Generators
Programmable PN Sequence GeneratorsProgrammable PN Sequence Generators
Programmable PN Sequence Generators
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practice
 
Rsa encryption
Rsa encryptionRsa encryption
Rsa encryption
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNG
 
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
 

5 stream ciphers

  • 2. Stream Ciphers Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream cipher is initialized with short key  Key is “stretched” into long keystream  Keystream is used like a one-time pad o XOR to encrypt or decrypt  Stream cipher is a keystream generator  Usually, keystream is bits, sometimes bytes
  • 3. Stream Ciphers Stream Cipher  Generic view of stream cipher QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 4. Stream Ciphers Stream Cipher  We consider 3 real stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong cipher, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — intermediate strength, unusual mathematical design, generates 1 byte/step  But first, we discuss shift registers
  • 5. Stream Ciphers Shift Registers  Traditionally, stream ciphers were based on shift registers o Today, a wider variety of designs  Shift register includes o A series of stages each holding one bit o A feedback function  A linear feedback shift register (LFSR) has a linear feedback function
  • 6. Stream Ciphers  Example (nonlinear) feedback function f(xi, xi+1, xi+2) = 1⊕ xi⊕xi+2⊕xi+1xi+2  Example (nonlinear) shift register  First 3 bits are initial fill: (x0, x1, x2) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Shift Register
  • 7. Stream Ciphers LFSR  Example of LFSR  Then xi+5= xi⊕xi+2 for all i  If initial fill is (x0,x1,x2,x3,x4) = 01110 then (x0,x1,…,x15,…) = 0111010100001001… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 8. Stream Ciphers LFSR  For LFSR  We have xi+5= xi ⊕xi+2 for all i  Linear feedback functions often written in polynomial form: x5 + x2 + 1  Connection polynomial of the LFSR QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 9. Stream Ciphers Berlekamp-Massey Algorithm  Given (part of) a (periodic) sequence, can find shortest LFSR that could generate the sequence  Berlekamp-Massey algorithm o Order N2 , where N is length of LFSR o Iterative algorithm o Only 2N consecutive bits required
  • 10. Stream Ciphers Berlekamp-Massey Algorithm  Binary sequence: s = (s0,s1,s2,…,sn-1)  Linear complexity of s is the length of shortest LFSR that can generate s  Let L be linear complexity of s  Then connection polynomial of s is of form C(x) = c0+ c1x + c2x2 + … + cLxL  Berlekamp-Massey finds L and C(x) o Algorithm on next slide (where d is known as the discrepancy)
  • 13. Stream Ciphers Berlekamp-Massey Algorithm  Berlekamp-Massey is efficient way to determine minimal LFSR for sequence  With known plaintext, keystream bits of stream cipher are exposed  With enough keystream bits, can use Berlekamp-Massey to find entire keystream o 2L bits is enough, where L is linear complexity of the keystream  Keystream must have large linear complexity
  • 14. Stream Ciphers Cryptographically Strong Sequences  A sequence is cryptographically strong if it is a “good” keystream o “Good” relative to some specified criteria  Crypto strong sequence must be unpredictable o Known plaintext exposes part of keystream o Trudy must not be able to determine more of the keystream from a short segment  Small linear complexity implies predictable o Due to Berlekamp-Massey algorithm
  • 15. Stream Ciphers Crypto Strong Sequences  Necessary for a cryptographically strong keystream to have a high linear complexity  But not sufficient!  Why? Consider s = (s0,s1,…,sn-1) = 00…01  Then s has linear complexity n o Smallest shift register for s requires n stages o Largest possible for sequence of period n o But s is not cryptographically strong  Linear complexity “concentrated” in last bit
  • 16. Stream Ciphers Linear Complexity Profile  Linear complexity profile is a better measure of cryptographic strength  Plot linear complexity as function of bits processed in Berlekamp-Massey algorithm o Should follow n/2 line “closely but irregularly”  Plot of sequence s = (s0,s1,…,sn-1) = 00…01 would be 0 until last bit, then jumps to n o Does not follow n/2 line “closely but irregularly” o Not a strong sequence (by this definition)
  • 17. Stream Ciphers Linear Complexity Profile  A “good” linear complexity profile QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 18. Stream Ciphers k-error Linear Complexity Profile  Alternative way to measure cryptographically strong sequences  Consider again s = (s0,s1,…,sn-1) = 00…01  This s has max linear complexity, but it is only 1 bit away from having min linear complexity  k-error linear complexity is min complexity of any sequence that is “distance” k from s  1-error linear complexity of s = 00…01 is 0 o Linear complexity of this sequence is “unstable”
  • 19. Stream Ciphers QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. k-error Linear Complexity Profile  k-error linear complexity profile o k-error linear complexity as function of k  Example: o Not a strong s o Good profile should follow diagonal “closely”
  • 20. Stream Ciphers Crypto Strong Sequences  Linear complexity must be “large”  Linear complexity profile must n/2 line “closely but irregularly”  k-error linear complexity profile must follow diagonal line “closely”  All of this is necessary but not sufficient for crypto strength!
  • 21. Stream Ciphers Shift Register-Based Stream Ciphers  Two approaches to LFSR-based stream ciphers o One LFSR with nonlinear combining function o Multiple LFSRs combined via nonlinear func  In either case o Key is initial fill of LFSRs o Keystream is output of nonlinear combining function
  • 22. Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o 1 LFSR with nonlinear function f(x0,x1,…,xn-1) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  Keystream: k0,k1,k2,…
  • 23. Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o Multiple LFSRs with nonlinear function  Keystream: k0,k1,k2,… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 24. Stream Ciphers Shift Register-Based Stream Ciphers  Single LFSR example is special case of multiple LFSR example  To convert single LFSR case to multiple o Let LFSR0,…LFSRn-1 be same as LFSR o Initial fill of LFSR0 is initial fill of LFSR o Initial fill of LFSR1 is initial fill of LFSR stepped once o And so on…
  • 25. Stream Ciphers Correlation Attack  Trudy obtains some segment of keystream from LFSR stream cipher o Of the type considered on previous slides  Can assume stream cipher is the multiple shift register case o If not, convert it to this case  By Kerckhoffs Principle, we assume shift registers and combining function known  Only unknown is the key o The key consists of LFSR initial fills
  • 26. Stream Ciphers Correlation Attack  Trudy wants to recover LFSR initial fills o She knows all connection polynomials and nonlinear combining function o She also knows N keystream bits, k0,k1,…,kN-1  Sometimes possible to determine initial fills of the LFSRs independently o By correlating each LFSR output to keystream o A classic divide and conquer attack
  • 27. Stream Ciphers Correlation Attack  For example, suppose keystream generator is of the form: QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  And f(x,y,z) = xy ⊕ yz ⊕ z  Note that key is 12 bits, initial fills
  • 28. Stream Ciphers Correlation Attack  For stream cipher on previous slide  Suppose initial fills are o X = 011, Y = 0101, Z = 11100 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 yi 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 zi 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 bits i = 0,1,2,…23
  • 29. Stream Ciphers Correlation Attack  Consider truth table for combining function: f(x,y,z) = xy ⊕ yz ⊕ z  Easy to show that f(x,y,z) = x with probability 3/4 f(x,y,z) = z with probability 3/4  Trudy can use this to recover initial fills from known keystream
  • 30. Stream Ciphers Correlation Attack  Trudy sees keystream in table  Trudy wants to find initial fills  She guesses X = 111, generates first 24 bits of putative X, compares to ki ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1  Trudy finds 12 out of 24 matches  As expected in random case
  • 31. Stream Ciphers Correlation Attack  Now suppose Trudy guesses correct fill, X = 011  First 24 bits of X (and keystream) ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1  Trudy finds 21 out of 24 matches  Expect 3/4 matches in causal case  Trudy has found initial fill of X
  • 32. Stream Ciphers Correlation Attack  How much work is this attack? o The X,Y,Z fills are 3,4,5 bits, respectively  We need to try about half of the initial fills before we find X  Then we try about half of the fills for Y  Then about half of Z fills  Work is 22 + 23 + 24 < 25  Exhaustive key search work is 211
  • 33. Stream Ciphers Correlation Attack  Work factor in general…  Suppose n LFSRs o Of lengths N0,N1,…,Nn-1  Correlation attack work is  Work for exhaustive key search is
  • 34. Stream Ciphers Conclusions  Keystreams must be cryptographically strong o Crucial property: unpredictable  Lots of theory available for LFSRs o Berlekamp-Massey algorithm o Nice mathematical theory exists  LFSRs can be used to make stream ciphers o LFSR-based stream ciphers must be correlation immune o Depends on properties of function f
  • 35. Stream Ciphers Coming Attractions  Consider attacks on 3 stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — medium strength, unusual design, generates 1 byte/step