Stream Cipher Course-I

Post on 18-Jul-2016

25 views

Category:

Documents


4 download

DESCRIPTION

criptografia

TRANSCRIPT

Page 1: Stream Cipher Course-I

5th December 2007 COSIC course within BCRYPT 1

Lecturer: Souradyuti Paul
Computer Security and Industrial Cryptography (COSIC), Department of Electrical Engineering
Katholieke Universiteit Leuven, Belgium
Email: [email protected]

An Introduction to Stream Ciphers

Page 2: Stream Cipher Course-I

Foundations of Ciphers (1)

It is all about preventing information from being leaked.

4 important secret mathematical objects:
• One way functions (OWFs)
• Pseudorandom bit generators (PRBGs)
• Pseudorandom functions (PRFs)
• Pseudorandom permutations (PRPs)
• … Can you think of anything more? (exercise)

Note the objects are used as a collection. Why?
Why "pseudo"? Thinking exercise

Page 3: Stream Cipher Course-I

Foundations of Ciphers (2)

• One way function: given f and y = f(x) it is 'difficult' to retrieve x on the average
• PRBG: y = f(x) is longer than x (stretching function); if x follows the uniform distribution so does y
• PRF (a set of functions S'): S = {all functions from 2^n to 2^n}, of size 2^(n·2^n); S' is a subset of S with size 2^n, still it is difficult to distinguish S' from S "easily"
• PRP (a set of permutations S'): S = {all permutations from 2^n to 2^n}, is described in bits exponential in n; S' is a subset of S which can be described in bits polynomial in n; S and S' are 'indistinguishable'

Page 4: Stream Cipher Course-I

Foundations of Ciphers (3)

• Now if the security parameter n is a fixed value, all are insecure. Why? Ans. Brute force.
• Asymptotic study (also called complexity theoretic), where n grows asymptotically
  – Drawback: practical ciphers have fixed keys
• Concrete security considers a family of functions (Bellare, Kilian, Rogaway '01)
  – Geared for fixed length keys
  – Uses fixed security goal

Page 5: Stream Cipher Course-I

Inter-conversion Between OWFs, PRBGs, PRFs, PRPs

• Is still an active field of research
• OWF → PRBG: Blum and Micali '82, Yao '82, Levin '87, Hastad '90, Impagliazzo '89
• OWF → PRF: Goldreich, Goldwasser, Micali '86
• PRF → PRP: Luby and Rackoff '88
• PRP → PRF: Bellare, Krovetz and Rogaway '98; Hall, Wagner, Kelsey and Schneier '98
• What about PRBG → OWF, PRP → OWF? Are there other important theoretical questions?

Page 6: Stream Cipher Course-I

Introduction to Stream Ciphers

Page 7: Stream Cipher Course-I

Example: Encryption and Decryption

[Diagram: Sender → Plaintext → Encryption → Ciphertext → Decryption → Plaintext → Receiver; an Attacker sits on the ciphertext channel]

Page 8: Stream Cipher Course-I

Simple Example: Shift Cipher

1. Plaintext: COSIC
2. Encryption: "Replace each letter by another 1 position shifted to the right"
3. Ciphertext: DPTJD
4. Decryption: "Replace each letter by another 1 position shifted to the left"
5. Plaintext: COSIC

Page 9: Stream Cipher Course-I

Shift Cipher

• Has some historical significance
• Julius Caesar (1st century BC) used this cipher 2100 years ago!!!
• Also known as Caesar Cipher
• Very weak against modern computing machines

Page 10: Stream Cipher Course-I

Cryptography: Historically

• Egyptians used cryptography in 2500 BC (4500 years ago)
• Romans were known to have used cryptography 2000 years ago for military purposes
• Indians were also aware of several techniques to hide information 1800 years ago (vide Kamasutra, 2nd century AD)

Page 11: Stream Cipher Course-I

Modern Cryptography

• WWII: breaking of the German cipher ENIGMA
• Remained in the private domain till the late 1970s
• Popular interest started in the early '80s with the widespread growth of the Internet

Page 12: Stream Cipher Course-I

Why and Where is Cryptology

Communication systems require protection of digital data from unauthorized users.

Applications of Cryptography:
• Electronic Banking
• Smart Card
• E-Commerce
• Defense
• Wireless Communications
• Satellite TV
• Computer Security Systems
• Government Identification

Page 13: Stream Cipher Course-I

Scope of Cryptology: Security Issues

• Confidentiality of Data. Primitives: Block Ciphers, Stream Ciphers, Public Key Cryptosystems etc.
• Authentication of Data and Entity. Primitives: Hash Functions, Message Authentication Codes, Digital Signatures etc.

[Diagram: Cryptology splits into Confidentiality (data) and Authentication (data & entity)]

Page 14: Stream Cipher Course-I

The Most Important Element in Cryptography: The Key

[Diagram: Sender → Plaintext → Encryption → Ciphertext → Decryption → Plaintext → Receiver, with the key entering Encryption and Decryption; an Attacker sits on the ciphertext channel]

Page 15: Stream Cipher Course-I

Cryptology: Based on Secret Key

• Symmetric Key Primitives: applications where sender and receiver share a common key
  Examples: Block Ciphers (AES), Stream Ciphers (RC4), Hash Functions (SHA-1), MACs (HELIX) etc.
• Asymmetric Key Primitives: applications where sender and receiver do not share a common key
  Examples: Public Key Cryptosystems (RSA), Digital Signatures (DSS) etc.

[Diagram: Cryptology splits into Symmetric key and Asymmetric key]

Page 16: Stream Cipher Course-I

Perfect Security: Vernam Cipher or One time pad

Key:        011001001101001101010010…..
Plaintext:  100101001000101001001110…..
            (bitwise XOR)
Ciphertext: 111100000101100100011100…

The scheme is impractical because of the large size of the key.

Page 17: Stream Cipher Course-I

How to manage with short keys?

(Short key) → Stream Cipher → keystream bits: 011001001101001101010010…..
Plaintext:  100101001000101001001110…..
            (bitwise XOR)
Ciphertext: 111100000101011001101100…

Page 18: Stream Cipher Course-I

How does a Stream Cipher Work?

Two stages of a practical stream cipher:
• Key scheduling algorithm
• Pseudorandom bit generation algorithm

Page 19: Stream Cipher Course-I

Stage I: Key/IV Setup (KSA)

[Diagram: Key and IV enter the Key/IV set-up algorithm (vigorous mixing), which initializes the internal state, shown as registers X, Y and A, B, C]

Page 20: Stream Cipher Course-I

Stage II: Pseudorandom Bit Generation Algo. (PRBG)

[Diagram: Round 1, Round 2, Round 3, …: each round mixes the internal state (A, B, C → A', B', C' → A'', B'', C'' → …) and emits Output 1, Output 2, Output 3 as keystream; Plaintext 1, 2, 3 are combined with these outputs to give Ciphertext 1, 2, 3]

Page 21: Stream Cipher Course-I

Different types of Stream Ciphers

• Synchronous Stream Cipher: keystream independent of plaintext/ciphertext; no error propagation; synchronization is a problem if ciphertext is lost
• Asynchronous Stream Cipher: keystream depends on plaintext/ciphertext; error propagation
• Self-synchronizing Stream Cipher: keystream depends on a finite amount of ciphertext and the key; synchronization 'automatic'

Page 22: Stream Cipher Course-I

What is a block cipher

[Diagram: Plaintext blocks enter Encryption under the Key to give Ciphertext; Ciphertext enters Decryption under the Key to give back the Plaintext]

Page 23: Stream Cipher Course-I

Turning a block cipher into a stream cipher: output feedback mode

[Diagram: the block cipher Encryption under the Key is iterated on its own output, and each output block is used as keystream to produce the Ciphertext]

Page 24: Stream Cipher Course-I

Examples of Block Ciphers

• DES
• Rijndael
• Serpent
• Twofish
• MARS
• RC6
• …

Page 25: Stream Cipher Course-I

Block vs. Stream Cipher (I)

Original idea: block ciphers operate with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext bits. [R. Rueppel]

However, some schemes retain some properties of both block and stream ciphers:
• Stream ciphers can be block oriented (Helix)
• A block cipher can be used as a stream cipher (OFB)

Page 26: Stream Cipher Course-I

Block vs. Stream Ciphers (II)

"Pure block and stream ciphers are two concrete points on a continuous design space and we increasingly use mixed modes" [Shamir, Asiacrypt 2004]

Therefore, the difference is only relative. Small plaintext size and fewer operations on the plaintext in successive rounds separate stream ciphers from block ciphers.

Page 27: Stream Cipher Course-I

Stream Ciphers vs. PRBG

• A PRBG does not need a proper decryption function
• A stream cipher can be used as a PRBG
• A PRBG may not be used as a stream cipher. Example: PRBG based on noise

Page 28: Stream Cipher Course-I

Hardware based and Software based stream ciphers

• Hardware is expensive
• Hardware based stream ciphers should run on low memory. Example: LFSR-based
• Hardware based stream ciphers are generally faster
• Software based ciphers can take advantage of larger memory to improve security. Example: large array-based

Page 29: Stream Cipher Course-I

Why should we study stream ciphers?

• Because of their high speed
• Most of the stream ciphers are even faster than block ciphers

Page 30: Stream Cipher Course-I

Linear Feedback Shift Register (LFSR) based Stream Ciphers

Page 31: Stream Cipher Course-I

An L-Stage Register

[Diagram: a row of L one-bit stages numbered L-1, L-2, … 4 3 2 1 0 from left to right, holding for instance 1 0 1 1 0 0 1 1 0 0 1 0 1 1 0 1]

Page 32: Stream Cipher Course-I

Why Study LFSR?

• LFSR is a component of the internal state of a large number of stream ciphers
• LFSR size is small: suitable for hardware implementation, which is expensive
• LFSR generates an output sequence of large period

Page 33: Stream Cipher Course-I

An L-stage Linear Feedback Shift Register

[Diagram: stages L-1, L-2, … 4 3 2 1 0; a few stages are tapped, XORed and fed back into stage L-1 while stage 0 is shifted out as Output]

Page 34: Stream Cipher Course-I

An L-stage Linear Feedback Shift Register

[Diagram: the same register one clock later; the contents have shifted one stage towards stage 0, the feedback bit has entered stage L-1 and the bit 1 has left as Output]

Page 35: Stream Cipher Course-I

Representing an LFSR: Using Linear Recurrence

[Diagram: register stages z[L-1] … z[k] … z[5] z[3] z[0] with feedback taps a, b, c, d, e]

• State update: z'[L-1] = a·z[L-2] + b·z[k] + c·z[5] + d·z[3] + e·z[0]
• z'[k] = z[k+1] for all L-2 ≥ k ≥ 0

Page 36: Stream Cipher Course-I

Representing an LFSR: Using Connection/Feedback Polynomial

[Diagram: the same register; taps a, b, c, d, e on z[L-2], z[k], z[5], z[3], z[0]]

• Ordered pair: (Initial state, connection polynomial)
• Example: (Z[0..L-1], 1 + a·X^2 + b·X^(L-k) + c·X^(L-5) + d·X^(L-3) + e·X^L)

Page 37: Stream Cipher Course-I

Representing an LFSR: Example

[Diagram: 25-stage register z[24] z[23] … z[10] z[5] z[3] z[0]; taps with coefficient 1 on z[23], z[10], z[5], z[3], z[0]]

• LFSR size: 25 stages
• Connection Poly: 1 + X^2 + X^15 + X^20 + X^22 + X^25

Page 38: Stream Cipher Course-I

Representing an LFSR: Example (continued)

[Diagram: the same 25-stage register z[24] z[23] … z[10] z[5] z[3] z[0] after one clock]

• LFSR size: 25 stages
• Connection Poly: 1 + X^2 + X^15 + X^20 + X^22 + X^25

Page 39: Stream Cipher Course-I

The Period of LFSR Output Sequence

[Diagram: stages L-1 … 1 0 shifting out the output sequence 0110101…]

• LFSR output is ultimately periodic. Proof: mental exercise
• The max. period of the sequence is 2^L - 1 (exercise)
• How to attain the maximum period?

Page 40: Stream Cipher Course-I

The Maximum Period of LFSR Output

[Diagram: stages L-1 … 1 0 shifting out the output sequence 0110101…]

• The maximum period 2^L - 1: when the connection poly. is a primitive poly. of degree L over F_2
• Proof: exercise. Clue: the order of a primitive poly. is 2^L - 1 (consult Lidl and Niederreiter, Chapter 6)
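To make the representation of the last few slides concrete, here is an added Python example (not part of the course slides): an L-stage LFSR in the slides' (initial state, connection polynomial) form, a period computation, and a primitivity test for the connection polynomial. The 4-stage polynomials and the initial state are constructed for the example; the 25-stage polynomial is the one from the example slides.

```python
# L-stage LFSR in the slides' representation: stage 0 is the output stage, a
# term X^i (1 <= i <= L) of the connection polynomial 1 + sum X^i taps stage
# z[L-i] (so X^L taps z[0]), and the update is z'[L-1] = XOR of the tapped
# stages, z'[k] = z[k+1] for k < L-1.  Example code, not from the slides.


class LFSR:
    def __init__(self, taps, state):
        self.L = len(state)
        self.taps = sorted(set(taps))
        if self.L not in self.taps or any(not 1 <= i <= self.L for i in self.taps):
            raise ValueError("taps must satisfy 1 <= i <= L and include X^L")
        self.z = list(state)                       # z[0] ... z[L-1]

    def step(self):
        """Clock once: emit z[0], shift down, feed the tap XOR in at z[L-1]."""
        out = self.z[0]
        fb = 0
        for i in self.taps:
            fb ^= self.z[self.L - i]
        self.z = self.z[1:] + [fb]
        return out

    def keystream(self, n):
        return [self.step() for _ in range(n)]


def period(taps, state):
    """Clocks until the register returns to `state`; equals the output period."""
    r, start, n = LFSR(taps, state), tuple(state), 0
    while True:
        r.step()
        n += 1
        if tuple(r.z) == start:
            return n


def gf2_mulmod(a, b, p, L):
    """a*b mod p over F_2; polynomials are int bitmasks, deg p = L, deg a, b < L."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> L) & 1:
            a ^= p
    return r


def gf2_powmod(base, e, p, L):
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, base, p, L)
        base = gf2_mulmod(base, base, p, L)
        e >>= 1
    return r


def prime_factors(n):
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_primitive(taps):
    """True iff 1 + sum X^i (i in taps) is a primitive polynomial of degree
    L = max(taps) over F_2, i.e. X has order exactly 2^L - 1 modulo it:
    X^(2^L-1) = 1 and X^((2^L-1)/q) != 1 for every prime q dividing 2^L - 1
    (the order of a primitive polynomial, cf. Lidl and Niederreiter)."""
    L, p = max(taps), 1
    for i in taps:
        p |= 1 << i
    n, X = (1 << L) - 1, 2                          # X as a bitmask is 0b10
    if gf2_powmod(X, n, p, L) != 1:
        return False
    return all(gf2_powmod(X, n // q, p, L) != 1 for q in prime_factors(n))


if __name__ == "__main__":
    # Constructed 4-stage cases: 1+X+X^4 is primitive (period 15 = 2^4 - 1),
    # 1+X+X^2+X^3+X^4 is irreducible but not primitive (period 5),
    # 1+X^4 = (1+X)^4 is reducible (the register just rotates, period 4).
    for taps in ([1, 4], [1, 2, 3, 4], [4]):
        print(taps, is_primitive(taps), period(taps, [1, 0, 0, 0]))
    print(LFSR([1, 4], [1, 0, 0, 0]).keystream(15))
    # The 25-stage connection polynomial from the example slides.
    print("1+X^2+X^15+X^20+X^22+X^25 primitive:", is_primitive([2, 15, 20, 22, 25]))
```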

Page 41: Stream Cipher Course-I

Linear Complexity (I)

[Diagram: an LFSR of length L with stages A, B, … M, N, O, P producing the output sequence S_N = 01101011100…..]

• S_N is an output sequence of length N
• The size of the shortest L is the linear complexity of S_N

Page 42: Stream Cipher Course-I

Linear Complexity: Examples (II)

• If S_N is all zeroes then LC(S_N) = 0
• If S_N = 000…001 then LC(S_N) = n (Friday evening exercise)
• Exercise: if the connection polynomial is irreducible and has degree L, then the output sequence for any non-zero initial state of size L has LC equal to L

Page 43: Stream Cipher Course-I

Linear Complexity: Berlekamp-Massey Algorithm (I)

[Diagram: an LFSR of length L with stages A, B, … M, N, O, P producing the output sequence S_N = 01101011100…..]

• What is the size of the shortest L and the connection polynomial given any finite output sequence S_N of length N?

Page 44: Stream Cipher Course-I

What happens if LFSRs alone are used in a stream cipher?

• The stream cipher is weak then
• Why? The Berlekamp-Massey algorithm reconstructs the LFSRs very quickly (polynomial time)
• Remedy: include nonlinear operations
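The Berlekamp-Massey algorithm over F_2, as an added Python example (not from the slides), answering the question of the previous slides: it returns the linear complexity L and the connection polynomial of the shortest LFSR generating a given bit sequence. The 15-bit input is constructed (the output of a 4-stage LFSR with connection polynomial 1+X+X^4); S_N = 01101011100 is the sequence drawn on the slides.

```python
# Berlekamp-Massey over F_2: linear complexity L plus the connection polynomial
# C(D) = 1 + c_1 D + ... + c_L D^L of the shortest LFSR that generates s.
# Example code, not from the slides; the sequences below are constructed.


def berlekamp_massey(s):
    """Return (L, c) with c = [1, c_1, ..., c_L] such that
    s[j] = c_1 s[j-1] XOR ... XOR c_L s[j-L] for all L <= j < len(s)."""
    n = len(s)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # connection polynomial before the last length change
    L, m = 0, -1               # current LC, position of the last length change
    for i in range(n):
        d = s[i]               # discrepancy: does the current LFSR predict s[i]?
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]   # C(D) <- C(D) + D^shift * B(D)
        if 2 * L <= i:             # the LFSR has to grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def regenerates(s, L, c):
    """Check that the LFSR (L, c) reproduces all of s from its first L bits."""
    return all(s[j] == (sum(c[k] & s[j - k] for k in range(1, L + 1)) & 1)
               for j in range(L, len(s)))


def poly_str(c):
    return " + ".join(["1"] + ["D^%d" % k for k in range(1, len(c)) if c[k]])


if __name__ == "__main__":
    # Slide examples: all zeroes -> LC 0; 000...001 of length n -> LC n.
    print(berlekamp_massey([0] * 8))
    print(berlekamp_massey([0, 0, 0, 0, 0, 0, 0, 1]))
    # 15 bits from a 4-stage LFSR with connection polynomial 1+X+X^4 (constructed):
    # BM recovers L = 4 and C(D) = 1 + D + D^4, and needs only 2L = 8 bits for it.
    lfsr_out = [1, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0]
    L, c = berlekamp_massey(lfsr_out)
    print(L, poly_str(c), regenerates(lfsr_out, L, c))
    # The S_N drawn on the slides, 01101011100.
    sN = [int(ch) for ch in "01101011100"]
    L, c = berlekamp_massey(sN)
    print(L, poly_str(c), regenerates(sN, L, c))
```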

Page 45: Stream Cipher Course-I

LFSR-based Stream Ciphers: Nonlinear Combination Generators

[Diagram: LFSR1, LFSR2, …, LFSRn feed a Boolean function f whose output is the keystream]

• f is a nonlinear Boolean function
• Exercise: compute the period of the input to f if the lengths of the LFSRs are pairwise coprime

Page 46: Stream Cipher Course-I

A Simple Nonlinear Combination Generator: Geffe Generator

[Diagram: LFSR1, LFSR2, LFSR3 output x1, x2, x3, which f combines into the keystream z]

• f = x1·x2 + x2·x3 + x3
• High LC, high period, balanced
• Exercise: P[z = x1] > 1/2, correlation attack!!

Page 47: Stream Cipher Course-I

A Nonlinear Comb. Gen. With Memory: Summation Generator

[Diagram: LFSR1 and LFSR2 output x1 and x2; a memory element holds the bit c; the output is the keystream z]

• Proposed by Rueppel (1985)
• Memory bit c stores the carry of integer addition
• Two functions: z = x1 + x2 + c, c = c·(x1 + x2) + x1·x2
• Exercise: show a correlation attack on the summation gen. (Hint: Meier and Staffelbach, JoC '92)

Page 48: Stream Cipher Course-I

Nonlinear Filter Generator

• Only one LFSR, f is a nonlinear filter function
• Exercise: what is the max. LC of the keystream?

[Diagram: a single LFSR whose selected stages feed the filter function f]

Page 49: Stream Cipher Course-I

Irregularly Clocked/Clock Controlled Generator

• One LFSR is used to clock another LFSR
• Nonlinearity is brought about through irregular clocking
• Extremely simple design
• Low hardware complexity

Page 50: Stream Cipher Course-I

Irregular Clocking: Alternating Step Generator (1)

[Diagram: a clocking LFSR, always clocked, emits a control bit; when it is 1, LFSR1 is clocked (LFSR2 stands still); repeat; the output z is derived from LFSR1 and LFSR2]

• By C. G. Günther in 1987
• Exercise: LC and period?

Page 51: Stream Cipher Course-I

Irregular Clocking: Alternating Step Generator (2)

[Diagram: the same generator when the control bit is 0: LFSR2 is clocked (LFSR1 stands still); repeat; output z]

• By C. G. Günther in 1987
• Exercise: LC and period?

Page 52: Stream Cipher Course-I

Irregular Clocking: Shrinking Generator (1)

[Diagram: LFSR1 and LFSR2 are both regularly clocked; LFSR1 outputs the bit a; when a = 1 the bit of LFSR2 is output as z]

• By Coppersmith, Krawczyk and Mansour in 1993
• Exercise: compute LC and period of the Shrinking Gen.

Page 53: Stream Cipher Course-I

Irregular Clocking: Shrinking Generator (2)

[Diagram: the same generator when a = 0: the bit of LFSR2 is discarded]

• By Coppersmith et al. '93
• Exercise: compute LC and period of the Shrinking Gen.
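The four ways of combining LFSR outputs from the slides on the Geffe generator, the summation generator, the alternating step generator and the shrinking generator, as one added Python example (not from the slides). The generators are written over abstract bit sources so any register can be plugged in; here the register outputs and control bits are constructed, and the Geffe function's correlation to each input is counted over its full truth table.

```python
# Combining LFSR outputs: Geffe combiner and its input correlations, Rueppel's
# summation generator with carry, Günther's alternating step generator and the
# Coppersmith-Krawczyk-Mansour shrinking generator.  Example code, not from the
# slides; all bit strings below are constructed.
from itertools import product


def geffe(x1, x2, x3):
    """f = x1 x2 + x2 x3 + x3 over F_2 (a multiplexer: x2 selects x1 or x3)."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def correlation_profile(f, n):
    """(P[f = 1], [P[f = x_i] for each input i]) over the full truth table."""
    ones, agree, total = 0, [0] * n, 2 ** n
    for x in product((0, 1), repeat=n):
        y = f(*x)
        ones += y
        for i in range(n):
            agree[i] += (y == x[i])
    return ones / total, [a / total for a in agree]


def summation_generator(x1_bits, x2_bits):
    """z = x1 + x2 + c, c' = c(x1 + x2) + x1 x2: the carry of integer addition.
    Returns the keystream and the final carry."""
    c, z = 0, []
    for x1, x2 in zip(x1_bits, x2_bits):
        z.append(x1 ^ x2 ^ c)
        c = (c & (x1 ^ x2)) ^ (x1 & x2)
    return z, c


def alternating_step(control, r1, r2, n):
    """Control bit 1 clocks LFSR1, 0 clocks LFSR2; z is the XOR of the two
    registers' current output bits (assumption for this example: each register
    has already emitted one bit before the first control bit is read)."""
    ctl, s1, s2 = iter(control), iter(r1), iter(r2)
    b1, b2 = next(s1), next(s2)
    out = []
    for _ in range(n):
        if next(ctl):
            b1 = next(s1)
        else:
            b2 = next(s2)
        out.append(b1 ^ b2)
    return out


def shrinking(r1, r2, n):
    """Both registers are clocked regularly; LFSR2's bit is output when LFSR1's
    bit a is 1 and discarded when a is 0."""
    s1, s2, out = iter(r1), iter(r2), []
    while len(out) < n:
        a, b = next(s1), next(s2)
        if a:
            out.append(b)
    return out


def bits_lsb_first(v, width):
    return [(v >> i) & 1 for i in range(width)]


if __name__ == "__main__":
    # Geffe is balanced, yet agrees with x1 (and x3) 3/4 of the time: the leak
    # behind the correlation attack mentioned on the slide.
    print(correlation_profile(geffe, 3))
    # Feeding 13 and 11 (LSB first) through the summation generator yields 24.
    z, carry = summation_generator(bits_lsb_first(13, 5), bits_lsb_first(11, 5))
    print(z, sum(b << i for i, b in enumerate(z)), carry)
    ctrl = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed clocking-register output
    r1 = [1, 0, 0, 0, 1, 1, 1, 1, 0]         # constructed LFSR1 output
    r2 = [0, 1, 1, 0, 1, 0, 1, 1, 1]         # constructed LFSR2 output
    print(alternating_step(ctrl, r1, r2, 8))
    print(shrinking(r1, r2, 4))
```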

Page 54: Stream Cipher Course-I

A Modern LFSR-based stream cipher: SNOW 1.0

Page 55: Stream Cipher Course-I

FSM of SNOW 1.0

Syed Huq

Page 56: Stream Cipher Course-I

Using T-functions for Stream Ciphers

Page 57: Stream Cipher Course-I

Change the LFSR with a T-function

• Klimov, Shamir, 2003
• X' = x + (x^2 or C) when C = xyz….101
• Invertible mapping
• Single cycle with highest period
• Advantage: software oriented stream cipher
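The Klimov-Shamir mapping from the slide, as an added Python example (not from the slides): the two properties claimed there, invertibility and a single cycle of full length 2^n, are checked by brute force for small word sizes. The word sizes and the constants C = 5 (ending in …101) and C = 4 (ending in …100) are chosen for the example.

```python
# x' = x + (x^2 OR C) mod 2^n, the T-function on the slide.  Example code,
# not from the slides; word sizes and constants are chosen for illustration.


def t_step(x, n, C):
    mask = (1 << n) - 1
    return (x + ((x * x) | C)) & mask


def cycle_length(n, C, start=0):
    """Length of the cycle through `start` under x -> x + (x^2 OR C) mod 2^n."""
    x, steps = t_step(start, n, C), 1
    while x != start:
        x, steps = t_step(x, n, C), steps + 1
        if steps > (1 << n):
            raise ValueError("start is not on a cycle: the map is not a permutation")
    return steps


def is_permutation(n, C):
    """Invertible on n-bit words iff every word is hit exactly once."""
    return len({t_step(x, n, C) for x in range(1 << n)}) == (1 << n)


def single_cycle(n, C):
    """The slide's claim: one cycle through all 2^n words (highest period)."""
    return is_permutation(n, C) and cycle_length(n, C) == (1 << n)


if __name__ == "__main__":
    # C = 5 ends in ...101: a permutation with a single cycle on every word size tried.
    for n in (3, 4, 8, 12):
        print(n, "bits, C=5:", is_permutation(n, 5), cycle_length(n, 5))
    # C = 4 ends in ...100: the orbit of 0 stays among the multiples of 4, so no
    # single cycle is possible.
    print("8 bits, C=4:", single_cycle(8, 4))
```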

Page 58: Stream Cipher Course-I

Cellular Automata

Page 59: Stream Cipher Course-I

Array-based Stream Ciphers

Page 60: Stream Cipher Course-I

Generic Attacks on Stream Ciphers

Page 61: Stream Cipher Course-I

When is a Cipher Considered Broken?

• Very fuzzy issue
• Wide gap between practical and theoretical breaks

Page 62: Stream Cipher Course-I

Key Recovery Attack (1)

• Simplest: the exhaustive key search or brute force attack
• The key-length should be large enough to thwart the brute-force attack

Page 63: Stream Cipher Course-I

Key-recovery Attack (2)

• The strongest form of attack: recover the secret key from the keystream bits with practical time complexity (fully broken)
• Recover the key in time better than the brute force attack (theoretical break)

Page 64: Stream Cipher Course-I

Different Types of Key-recovery Attacks (I)

• Known/chosen plaintext attack
• Known/chosen IV attack
• Related-key attack

Page 65: Stream Cipher Course-I

Different Types of Key-recovery Attacks (II)

• Time-Memory-Tradeoff Attack
• Guess and Determine Attack
• Divide and Conquer Attack
• Algebraic attack

(More on that in a later meeting)

Page 66: Stream Cipher Course-I

Recovery of Internal State

Page 67: Stream Cipher Course-I

Distinguishing attacks: Regular

• Stream of bits does not follow the uniform distribution

Key → 011001001101001101010010…..

Bias in a single and a long stream

Page 68: Stream Cipher Course-I

Distinguishing attacks: Prefix

• Stream of bits does not follow the uniform distribution

Key 1 → 01110011010011000 010…..
Key 2 → 01111011010111100 010…..
…
Key n → 01011010011110100 010…..

Bias in multiple streams

Page 69: Stream Cipher Course-I

Hybrid Distinguisher

Page 70: Stream Cipher Course-I

Related-key Distinguisher

• Consider a subset of keys (related keys) rather than all keys

Page 71: Stream Cipher Course-I

Statistical Distance Between Two Distributions

• The distance between two distributions

Page 72: Stream Cipher Course-I

Advantage of a Distinguisher

• A measure of the efficiency of an algorithm to distinguish one distribution from the other

Page 73: Stream Cipher Course-I

Optimal Distinguisher

• An optimal distinguisher attains the max. advantage given a fixed number of samples

Page 74: Stream Cipher Course-I

Examples of Stream Ciphers

• RC4
• Helix
• Snow
• Py
• …

Page 75: Stream Cipher Course-I

The RC4 cipher

Page 76: Stream Cipher Course-I

RC4 (1987)

Pseudorandom bit generation, one output byte per round:
  i := i + 1
  j := (j + S[i]) mod 256
  swap S[i] and S[j]
  t := (S[i] + S[j]) mod 256
  output S[t]

[Diagram: the 256-entry table S indexed 000 … 255, shown with e.g. S[000]=205, S[001]=092, S[002]=013, … S[093]=033, S[094]=162, S[095]=079, … S[254]=099, S[255]=143; the pointers i and j select the entries 162 and 92 that are added to form t]

Page 77: Stream Cipher Course-I

Distinguishing Attack by Mantin and Shamir

• Second byte is highly biased
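RC4's key scheduling and the PRGA loop from the previous slide, as an added Python example (not from the slides), checked against a published test vector (key "Key", plaintext "Plaintext"); it then measures the bias named on this slide by counting how often the second keystream byte is 0 over many random keys, which for a uniform stream would be 1/256. The key length, the sample size and the seed are chosen for the example.

```python
# RC4 KSA + PRGA (the slide's loop) and a measurement of the second-byte bias.
# Example code, not from the slides; key material and sample size are constructed.
import random


def rc4_ksa(key):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S, n):
    """i:=i+1; j:=(j+S[i]) mod 256; swap S[i],S[j]; t:=(S[i]+S[j]) mod 256; output S[t]."""
    S = list(S)
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return out


def rc4_keystream(key, n):
    return bytes(rc4_prga(rc4_ksa(key), n))


def rc4_crypt(key, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def second_byte_zero_rate(num_keys, key_len=16, seed=2007):
    """Fraction of random keys whose second keystream byte is 0 (uniform: 1/256).
    The generator is seeded so the experiment is reproducible."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(num_keys):
        key = bytes(rng.randrange(256) for _ in range(key_len))
        if rc4_keystream(key, 2)[1] == 0:
            hits += 1
    return hits / num_keys


if __name__ == "__main__":
    # Published test vector: key "Key" gives keystream EB9F7781B734CA72A719...,
    # and "Plaintext" encrypts to BBF316E8D940AF0AD3.
    print(rc4_keystream(b"Key", 10).hex())
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    rate = second_byte_zero_rate(16000)
    print("P[Z_2 = 0] ~ %.5f, i.e. %.2f/256 (uniform would be 1/256)" % (rate, rate * 256))
```

The second byte comes out 0 at roughly 2/256 instead of 1/256, which is why implementations that keep using RC4 discard the initial keystream bytes.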

Page 78: Stream Cipher Course-I

We hope to elaborate more in a later meeting.

Page 79: Stream Cipher Course-I
