# Stream ciphers 2 - PowerPoint PPT Presentation Download Presentation Stream ciphers 2

Stream ciphers 2 Download Presentation ## Stream ciphers 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Stream ciphers 2 Session 2

2. Contents • PN generators with LFSRs • Statistical testing of PN generator sequences • Cryptanalysis of stream ciphers

3. PN generators with LFSRs • Computational complexity of the Berlekamp-Massey algorithm is quadratic in the length of the minimum LFSR capable of generating the intercepted sequence. • Thus, if the linear complexity is very high, then the task of predicting the next bits of the sequence is too complex.

4. PN generators with LFSRs • Linear complexity achievable with a sole LFSR is small. • Then, in order to prevent the cryptanalysis of a pseudorandom sequence generator, we must design it in such a way that its linear complexity is too high for the practical application of the Berlekamp-Massey algorithm.

5. PN generators with LFSRs • Since LFSRs have nice properties regarding statistics of their output sequences, a good idea is to base PN generators on LFSRs. • But to increase linear complexity, we have to combine outputs of several LFSRs in non-linear manner – through non-linear Boolean functions.

6. Algebraic normal form • It is the form of a Boolean function that uses only the operations  and  • In the ANF, the product that includes the largest number of variables is denominated non linear orderof the function. • Example: The non linear order of the function f(x1,x2,x3)=x1x1x3x2x3 is 2.

7. Algebraic normal form • The ANF of a Boolean function can be determined from its truth table. The Möbius transform

8. Algebraic normal form • Example: n=3

9. Algebraic normal form • u=000u=001 u=010 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 x x x a000=f(0,0,0)=0 a010=f(0,0,0)+ +f(0,1,0)=0+0=0 a001=f(0,0,0)+ +f(0,0,1)=0+1=1

10. Algebraic normal form • u=011 u=100u=101 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 x x x a101=f(0,0,0)+ f(0,0,1) +f(1,0,0)+f(1,0,1)= 0+1+0+1=0 a011=f(0,0,0)+ f(0,0,1) +f(0,1,0)+f(0,1,1)= 0+1+0+1=0 a100=f(0,0,0)+ +f(1,0,0)=0+0=0

11. Algebraic normal form • u=110u=111 000 001 010 011 100 101 110 111 a111=f(0,0,0)+ f(0,0,1) +f(0,1,0)+f(0,1,1)+ f(1,0,0) +f(1,0,1)+f(1,1,0)+ f(1,1,1) = 0 x Then: f(x0,x1,x2)=a001x2+a110x0x1=x2+x0x1 a110=f(0,0,0)+ f(0,1,0) +f(1,0,0)+f(1,1,0)= 0+0+0+1=1

12. Non-linear combiners • In these generators, the keystream sequence is obtained by combining the output sequences of various LFSRs in a non linear manner. • Example – it is possible to use a Boolean function (without memory).

13. Non-linear combiners • If F is a Boolean function of N periodic input sequences a1(t), a2(t), ..., aN(t), then the output sequence b(t) = F(a1(t), a2(t), ..., aN(t)) is a linear combination of various products of sequences. • These products are determined by determining the ANF of the function F.

14. Non-linear combiners • Given the ANF of the function F, if we create a function F* from F in such a way that instead of the sum and product modulo 2 in F we use the sum and product of integers, for the linear complexity and the period of the output sequence of F the following holds:

15. Non-linear combiners • Example (1) • If the characteristic polynomials of the input sequences are: All these polynomials are primitive!

16. Non-linear combiners • Example (2) • Then

17. Non-linear combiners • The sum of N sequences in GF(q) (1) • The equality holds if the characteristic polynomials of the input sequences do not have common factors.

18. Non-linear combiners • The sum of N sequences in GF(q) (2) • Obviously, if the periods of the input sequences are mutually prime then

19. Non-linear combiners • The sum of N sequences in GF(q) (3) • Example: Primitive! The periods are Mersenne primes

20. Non-linear combiners • The product of N sequences in GF(q) (1) • Theorem (Golić, 1989) • If Per(ai) are mutually prime, then • Theorem (Lidl, Niedereiter) Per(ai) are mutually prime

21. Non-linear combiners • Example Primitive! The periods are Mersenne primes

22. Non-linear combiners • The general case (1) • Let be the Boolean function obtained by removing all the products from the function F except those of the maximum order. Let be the corresponding integer function.

23. Non-linear combiners • The general case (2) • Theorem (Golić, 1989) • F depends on all the N input variables. • Per(ai) are mutually prime. • Then

24. Non-linear combiners • The general case (3) • Example (1)

25. Non-linear combiners • The general case (4) • Example (2) • If the characteristic polynomials of the input sequences are: • Then Primitive, periods Mersenne primes

26. Non-linear combiners • The general case (5) • Example – Geffe’s generator (1)

27. Non-linear combiners • The general case (6) • Example – Geffe’s generator (2) – • Equivalent scheme

28. Non-linear combiners • The general case (7) • Example – Geffe’s generator (3) • If we set the feedback polynomials primitive, with periods that are Mersenne primes: • Then

29. Statistical testing of PN generators • The output sequence of a generator of pseudorandom sequences looks random, but it is not. • Pseudorandom generators expand a truly random sequence (the key) to a much longer sequence, such that an adversary cannot distinguish between the pseudorandom sequence and a truly random sequence.

30. Statistical testing of PN generators • In order to obtain a guarantee of the security of this type of generators, various statistical tests are applied, especially designed for this purpose. • The fact that a generator passes a set of statistical tests should be considered a necessary condition, although not a sufficient one, for the security of the generator.

31. Statistical testing of PN generators • If the result X of an experiment can take any real value, then X is a continuous random variable. • The probability density function f(x) of a continuous random variable X can be integrated and the following holds: f(x)0, for all xR For all a, bR the following holds

32. Statistical testing of PN generators • A continuous random variable has a normal distributionwith the mean  and the variance 2 if its probability density function is: • We say that X is • If X is , then we say that X has a standard normal distribution.

33. Statistical testing of PN generators • If the random variable X is , then the variable is . • The Euler’s gamma function:

34. Statistical testing of PN generators • A continuous random variable X has a 2 distribution with  degrees of freedom if its probability density function is

35. Statistical testing of PN generators • A statistical hypothesis H is an affirmation about the distribution of one or more random variables. • A hypothesis test is a procedure based on the observed values of the random variable that leads to the acceptance or rejection of the hypothesis H.

36. Statistical testing of PN generators • The test only provides a measure of the strength of evidence given by the data against the hypothesis. • The conclusion is probabilistic. • The level of significance of the test of the hypothesis H is the probability of rejecting the hypothesis H when it is true.

37. Statistical testing of PN generators • The hypothesis to be tested is denominated the null hypothesis, H0. • The alternative hypothesisis denoted by H1 or Ha. • In cryptography: • H0 – the given generator is a random sequence generator. •  is between 0,001 and 0,05.

38. Statistical testing of PN generators • A test: • Determines a statistic for the sample of the output sequence. • This statistic is compared with the expected value for a random sequence.

39. Statistical testing of PN generators • How is the comparison carried out? (1) • The computed statistic – X0 – follows (usually) a 2 distribution with  degrees of freedom. • It is assumed that this statistic takes large values for non random sequences.

40. Statistical testing of PN generators • How is the comparison carried out? (2) • In order to achieve , a threshold X is chosen (by means of the corresponding table), such that P(X0>X)=. • If the value of the statistic for the sample of the output sequence, Xs, satisfies Xs>X, then the sequence fails on the test.

41. Statistical testing of PN generators • Basic tests for cryptographic use: • frequency test, • serial test, • poker test, • runs test, • autocorrelation test, • etc.

42. Statistical testing of PN generators • Frequency test (1) • Purpose: determine if the number of zeros and ones in a sequence s is approximately the same. • n0 – number of zeros, n1 – number of ones. • The statistic:

43. Statistical testing of PN generators • Frequency test (2) • The statistic follows a 2distribution with 1 degree of freedom. • The approximation is good enough if n10.

44. Statistical testing of PN generators • Serial test (1) • Tries to determine if the number of occurrences of 00, 01, 10 and 11, as subsequences of s is approximately the same. • The statistic:

45. Statistical testing of PN generators • Serial test (2) • The statistic follows a 2distribution with 2 degrees of freedom. • The approximation is good enough if n21.

46. Statistical testing of PN generators • Poker test (1) • A positive integer m is considered such that • The sequence s is divided into k parts of size m. • ni is the number of occurrences of the type i of the sequence of length m, 1i2m (that is, i is the value of the integer whose binary representation is the sequence of length m.

47. Statistical testing of PN generators • Poker test (2) • The test determines if every sequence of length m appears approximately the same number of times. • The statistic: • The statistic follows approximately a 2 distribution with 2m-1 degrees of freedom.

48. Statistical testing of PN generators • Runs test (1) • A run of length i – a subsequence of s formed by i consecutive zeros or i consecutive ones that are neither preceded nor followed by the same symbol. • A run of zeros – gap • A run of ones – block

49. Statistical testing of PN generators • Runs test (2) • Purpose: determine if the number of runs of different lengths in the sequence s is that expected in a random sequence. • The number of gaps (or blocks) of length i in a random sequence of length n is • It is considered that k is equal to the largest integer i for which ei5.

50. Statistical testing of PN generators • Runs test (3) • We denote by Bi and Hi the number of blocks and gaps of length i in s, for each i, 1ik. • The statistic • The statistic follows approximately a 2distribution with 2k-2 degrees of freedom.