
### Cryptography I

Lecture 6

Dimitrios Delivasilis

Department of Information and Communication Systems Engineering

University of Aegean

Stream Ciphers

- Refreshing our memory
- Stream ciphers can be either symmetric-key or public-key
- Block ciphers are memoryless
- Stream ciphers are said to have memory
- Unconditionally secure
- A symmetric key system is unconditionally secure if H(K)≥H(M). In other words, the uncertainty of the secret key must be at least as great as the uncertainty of the plaintext

Synchronous Stream Ciphers

- Definition: A synchronous stream cipher is one in which the keystream is generated independently of the plaintext
- Encryption:
- Decryption:

[Figure: synchronous stream cipher. Encryption: the state σi and the key k feed f, which produces the next state σi+1, and g, which produces the keystream digit zi; h combines zi with the plaintext digit mi to give the ciphertext digit ci. Decryption: the same state and keystream path, with h-1 combining zi and ci to recover mi. Legend: mi plaintext, ci ciphertext, k key, zi keystream, σi state.]

Functions: g produces keystream zi, h combines the keystream and plaintext to produce ciphertext, and f is the next state function.

[Figure: binary additive stream cipher. On each side a keystream generator seeded with k produces zi; the sender combines zi with mi to give ci, and the receiver combines zi with ci to recover mi.]

More on synchronous stream ciphers

- Properties of synchronous stream ciphers
- Synchronisation requirements
- No error propagation
- Active attacks
- Definition: A binary additive stream cipher is a synchronous stream cipher in which the keystream, plaintext, and ciphertext digits are binary digits, and the output function h is the XOR function.

Encryption: ci = mi ⊕ zi

Decryption: mi = ci ⊕ zi

Self-synchronising stream ciphers

- Definition: A self-synchronising or asynchronous stream cipher is one in which the keystream is generated as a function of the key and a fixed number of previous ciphertext digits.
- Encryption:
- Decryption:

[Figure: self-synchronising stream cipher. Encryption: g computes zi from the key k and a fixed number of previous ciphertext digits …, ci-2, ci-1 held in a shift register; h combines zi with mi to give ci. Decryption: the same register of received ciphertext digits feeds g, and h-1 recovers mi from zi and ci.]

Properties of self-synchronising stream ciphers

- Self-synchronising: capable of re-establishing proper decryption automatically after loss of synchronisation, with only a fixed number of plaintext characters unrecoverable
- Limited error propagation: If a single ciphertext digit is modified during transmission, then decryption of up to t subsequent ciphertext digits may be incorrect, after which correct decryption resumes
- Active attacks: It is more difficult to detect insertion, deletion, or replay of ciphertext digits by an active adversary
- Diffusion of plaintext: Self-synchronising stream ciphers may be more resistant than synchronous stream ciphers against attacks based on plaintext redundancy

Linear feedback shift registers (LFSRs)

- Characteristics:
- LFSRs are well-suited to hardware implementation
- Produce sequences of large period
- Produce sequences with good statistical properties
- Due to their structure, they can be readily analysed using algebraic techniques
- Definition:

A linear feedback shift register (LFSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L-1, each capable of storing one bit and having one input and one output; and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence

(ii) the content of stage i is moved to stage i-1 for each i, 1 ≤ i ≤ L-1

(iii) the new content of stage L-1 is the feedback bit sj which is calculated by adding together modulo 2 the previous contents of a fixed subset of stages 0, 1, …, L-1

LFSR analysis

Figure: A linear feedback shift register (LFSR) of length L

[Figure labels: feedback taps c1, c2, …, cL-1, cL on the stages; stages L-1, L-2, …, 1, 0; the feedback bit sj enters stage L-1 and stage 0 provides the output.]

Linear Complexity

- Definition:

An LFSR is said to generate a sequence s if there is some initial state for which the output sequence of the LFSR is s. An LFSR is said to generate a finite sequence sn if there is some initial state for which the output sequence of the LFSR has sn as its first n terms.

- Definition:

The linear complexity of an infinite binary sequence s, denoted L(s), is defined as follows:

- if s is the zero sequence s = 0, 0, 0, …, then L(s) = 0

- if no LFSR generates s, then L(s) = ∞

- otherwise, L(s) is the length of the shortest LFSR that generates s.

More on Linear Complexity

- Definition:

The linear complexity of a finite binary sequence sn, denoted L(sn), is the length of the shortest LFSR that generates a sequence having sn as its first n terms.

- Properties of linear complexity:

(i) For any n ≥ 1, the linear complexity of the subsequence sn satisfies 0 ≤ L(sn) ≤ n.

(ii) L(sn) = 0 if and only if sn is the zero sequence of length n.

(iii) L(sn) = n if and only if sn = 0, 0, …, 0, 1.

(iv) If s is periodic with period N, then L(s) ≤ N.

(v) L(s⊕t) ≤ L(s) + L(t), where s⊕t denotes the bitwise XOR of s and t.

Non Linear Feedback Shift Registers

- Definition: A feedback shift register (FSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L-1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence

(ii) the content of stage i is moved to stage i-1 for each i, 1 ≤ i ≤ L-1

(iii) the new content of stage L-1 is the feedback bit sj = f(sj-1, sj-2, …, sj-L), where the feedback function f is a Boolean function and sj-i is the previous content of stage L-i, 1 ≤ i ≤ L.

Analysis of feedback shift register

Figure: A feedback shift register (FSR) of length L

[Figure labels: stages L-1, L-2, …, 1, 0 holding sj-1, sj-2, …, sj-L+1, sj-L; the feedback function f of these contents gives sj, which enters stage L-1; stage 0 provides the output.]

Stream Ciphers using LFSRs

- Basic design of a keystream generator:
- Number of LFSRs ≥ 1
- LFSRs should have different lengths and different feedback polynomials
- IF <the lengths are all relatively prime> AND <the feedback polynomials are all primitive> THEN the whole generator is maximal length
- Key is the initial state of the LFSRs
- Clocking
- A keystream generator with the above characteristics is also known as combination generator
- In case the output bit is a function of a single LFSR, then it is called a filter generator

Geffe Generator

- A combination of three LFSRs
- If a1, a2 and a3 are the outputs of the three LFSRs, the output of the generator can be calculated by the following equation

b = (a1 ∧ a2) ⊕ ((¬a1) ∧ a3)

- If the LFSRs have lengths n1, n2, and n3, respectively, then the linear complexity of the generator is

(n1+1)n2+n1n3

[Figure: Geffe generator. LFSR-1 drives the select input of a 2-to-1 multiplexer whose data inputs are LFSR-2 and LFSR-3; the multiplexer output is b(t).]

Jennings Generator

- Uses a multiplexer to combine two LFSRs
- Multiplexer selects one bit of LFSR-2 for each output bit
- LFSR-1 controls the multiplexer
- A function maps the output of LFSR-2 to the input of the multiplexer
- Key is the initial states of the LFSRs and the mapping function

[Figure: Jennings generator. LFSR-1 drives the select input of a multiplexer; the mapping function θ connects stages 0, 1, …, n-1 of LFSR-2 to the multiplexer inputs; the multiplexer output is b(t). K1, K2, K3 mark the key material: the two initial states and the mapping.]

Threshold Generator

- Employs a variable (odd) number of LFSRs
- Motto: The more LFSRs a system uses, the harder it gets to break the cipher.
- Maximise the period:
  - the lengths of all the LFSRs are relatively prime
  - all the feedback polynomials are primitive

- If more than half the output bits are 1, then the output of the generator is 1.
- If more than half the output bits are 0, then the output of the generator is 0

More on Threshold Generator

- Let's assume we use three LFSRs; then the generator output can be written as:

b = (a1 ∧ a2) ⊕ (a1 ∧ a3) ⊕ (a2 ∧ a3) (similar to Geffe)

- Linear complexity:

n1n2 + n1n3 + n2n3 (larger than Geffe)

[Figure: threshold generator. LFSR-1, LFSR-2, LFSR-3, …, LFSR-n feed a majority function whose output is b(t).]
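As an added worked example (my own code, not from the slides), the following Python implements the LFSR exactly as defined above, computes linear complexity with the Berlekamp-Massey algorithm (not covered on the slides, but it realises the L(sn) definition), and builds the three-LFSR threshold generator so that the stated linear complexity n1n2 + n1n3 + n2n3 can be checked on the generated keystream. The tap positions, primitive polynomials (lengths 3, 4, 5: pairwise coprime, as the combination-generator slide requires) and initial states are my own constructed choices.

```python
def lfsr(taps, state, n):
    """Clock an LFSR of length L = len(state) for n ticks, following the definition
    above: stage 0 is output, stage i moves to stage i-1, and stage L-1 receives the
    mod-2 sum of the previous contents of the tapped stages. Returns the output bits."""
    state = list(state)
    out = []
    for _ in range(n):
        out.append(state[0])                     # (i) output stage 0
        fb = 0
        for t in taps:
            fb ^= state[t]                       # (iii) feedback bit from the tapped stages
        state = state[1:] + [fb]                 # (ii) shift down, load stage L-1
    return out


def linear_complexity(s):
    """L(s^n) by the Berlekamp-Massey algorithm (not on the slides): the length of
    the shortest LFSR that generates the finite binary sequence s."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n          # connection polynomials C(D), B(D)
    L, m = 0, -1
    for N in range(n):
        d = s[N]                                 # discrepancy between s_N and the LFSR's prediction
        for i in range(1, L + 1):
            d ^= c[i] & s[N - i]
        if d:
            t = c[:]
            for i in range(n + 1 - (N - m)):     # C(D) <- C(D) + B(D) * D^(N-m)
                c[i + N - m] ^= b[i]
            if 2 * L <= N:
                L, m, b = N + 1 - L, N, t
    return L


# Three maximal-length LFSRs with pairwise coprime lengths 3, 4, 5 (primitive feedback
# polynomials x^3+x+1, x^4+x+1, x^5+x^2+1, written as tapped stage indices) and
# constructed non-zero initial states (my own choices).
GENERATORS = [((0, 2), [1, 0, 0]), ((0, 3), [1, 0, 0, 0]), ((0, 3), [1, 0, 0, 0, 0])]


def threshold_keystream(n):
    """Majority (threshold) generator over the three LFSRs: b = a1a2 + a1a3 + a2a3."""
    a1, a2, a3 = (lfsr(taps, st, n) for taps, st in GENERATORS)
    return [(x & y) ^ (x & z) ^ (y & z) for x, y, z in zip(a1, a2, a3)]
```

With 300 keystream bits (more than twice the expected linear complexity of 47) the Berlekamp-Massey result matches 3·4 + 3·5 + 4·5; property (v) can be checked the same way on a1 ⊕ a2, which has linear complexity 3 + 4 = 7.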

Block Cipher: Introduction

- maps n-bit plaintext blocks to n-bit ciphertext blocks (n: block length)
- Use of plaintext and ciphertext of equal size avoids data expansion
- To allow unique decryption, the encryption function must be 1-1 (invertible)
- For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors
- Each key potentially defines a different bijection
- Definition:
- An n-bit block cipher is a function E: Vn × K → Vn such that for each key k ∈ K, E(P, k) is an invertible mapping (the encryption function for k) from Vn to Vn, written Ek(P).
- The inverse mapping is the decryption function, denoted Dk(C)
- C = Ek(P) denotes that ciphertext C results from encrypting plaintext P under k

Practical security and complexity of attack

- Basic assumption
- adversary has access to all data transmitted over cipher channel
- (Kerckhoffs’ assumption) adversary knows all details of the encryption function except the secret key
- Classes of attacks
- ciphertext-only – no additional information is available
- known-plaintext – plaintext-ciphertext pairs are available
- chosen-plaintext – ciphertexts are available corresponding to plaintexts of the adversary’s choice
- adaptive chosen-plaintext – choice of plaintexts may depend on previous plaintext-ciphertext pairs

ECB (Electronic CodeBook) Mode

- Encryption: for 1 ≤ j ≤ t, cj ← EK(xj)
- Decryption: for 1 ≤ j ≤ t, xj ← DK(cj)
- Identical plaintext blocks (under the same key) result in identical ciphertext blocks
- blocks are enciphered independently of other blocks
- bit errors in a single ciphertext block affect decipherment of that block only

[Figure: ECB encipherment: n-bit xj → E (key) → cj; decipherment: cj → E-1 (key) → x'j = xj.]

CBC (Cipher-Block Chaining) Mode

- Encryption: c0 ← IV, cj ← EK(cj−1 ⊕ xj)
- Decryption: c0 ← IV, xj ← cj−1 ⊕ E−1K(cj)
- chaining causes ciphertext cj to depend on all preceding plaintext
- a single bit error in cj affects decipherment of blocks cj and cj+1
- self-synchronizing: if an error occurs in cj but not in cj+1, then cj+2 is correctly decrypted to xj+2
- Can be used as a MAC: x1, x2, …, xn, cn

[Figure: CBC encipherment: xj ⊕ Cj-1 → E (key) → Cj; decipherment: Cj → E-1 (key), then ⊕ Cj-1 → x'j = xj.]

CFB-r(Cipher FeedBack) Mode

- INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x1, …, xu (1 ≤ r ≤ n)
- OUTPUT: r-bit ciphertext blocks c1, …, cu
- Encryption: I1 ← IV. (Ij is the input value in a shift register.) For 1 ≤ j ≤ u:
  - Oj ← EK(Ij). (Compute the block cipher output.)
  - tj ← the r leftmost bits of Oj. (Assume the leftmost is identified as bit 1.)
  - cj ← xj ⊕ tj. (Transmit the r-bit ciphertext block cj.)
  - Ij+1 ← 2^r · Ij + cj mod 2^n. (Shift cj into the right end of the shift register.)
- Decryption: I1 ← IV. For 1 ≤ j ≤ u, upon receiving cj:

xj ← cj ⊕ tj, where tj, Oj and Ij are computed as above

CFB-r Mode (Cont'd)

[Figure: CFB-r encipherment and decipherment. An r-bit shift register with I1 = IV feeds E under the key; the leftmost r bits of Oj are XORed with xj to give cj (encipherment) or with cj to give xj (decipherment); on both sides cj is shifted into the register.]

Properties of the CFB-r

- re-ordering ciphertext blocks affects decryption
- one or more bit errors in any single r-bit ciphertext block cj affect the decipherment of that block and the next n/r ciphertext blocks
- self-synchronizing similar to CBC, but requires n/r blocks to recover.
- for r <n, throughput is decreased by a factor of n/r

OFB (Output FeedBack) Mode with full (or r-bit) feedback

- INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x1, …, xu (1 ≤ r ≤ n)
- OUTPUT: r-bit ciphertext blocks c1, …, cu
- Encryption: I1 ← IV. For 1 ≤ j ≤ u, given plaintext block xj:
  - Oj ← EK(Ij). (Compute the block cipher output.)
  - tj ← the r leftmost bits of Oj. (Assume the leftmost is identified as bit 1.)
  - cj ← xj ⊕ tj. (Transmit the r-bit ciphertext block cj.)
  - Full feedback: Ij+1 ← Oj. (Update the block cipher input for the next block.)
  - r-bit feedback: Ij+1 ← 2^r · Ij + tj mod 2^n. (Shift the output tj into the right end of the shift register.)
- Decryption: I1 ← IV. For 1 ≤ j ≤ u, upon receiving cj:

xj ← cj ⊕ tj, where tj, Oj and Ij are computed as above

OFB-r Mode

[Figure: OFB-r encipherment and decipherment. An r-bit shift register with I1 = IV feeds E under the key; the leftmost r bits of Oj are XORed with xj to give cj (encipherment) or with cj to give xj (decipherment); on both sides the leftmost r bits of Oj, not cj, are shifted back into the register.]

Properties of the OFB-r

- keystream is plaintext-independent
- a bit error affects the decipherment of only that character
- recovers from ciphertext bit errors, but cannot self-synchronize
- for r <n, throughput is decreased as per the CFB mode
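As an added example (my own code, not from the slides), the following Python implements CBC, CFB-r and OFB-r from the equations above and exhibits their error-propagation properties: a helper flips one bit of ciphertext block cj and reports which plaintext blocks then decipher wrongly. The block cipher EK is a toy keyed affine bijection of my own, assumed only so that the modes run offline; it is not a real cipher, and the key, IV and plaintext are constructed values.

```python
N_BITS, R_BITS = 32, 8                    # block size n, feedback width r (n/r = 4)
MOD = 1 << N_BITS


def E(key, x):
    """Toy stand-in for E_K: a keyed affine bijection on n-bit values (assumed here
    only so the modes run offline; it is not a secure cipher)."""
    return (x * (key | 1) + (key >> 5)) % MOD          # key|1 is odd, hence invertible mod 2^n


def D(key, y):
    """Inverse of E, i.e. the slides' D_K / E^-1_K."""
    return ((y - (key >> 5)) * pow(key | 1, -1, MOD)) % MOD


def cbc(key, iv, blocks, decrypt=False):
    """CBC: cj = E_K(c_{j-1} XOR xj); xj = c_{j-1} XOR D_K(cj); c0 = IV."""
    prev, out = iv, []
    for blk in blocks:
        y = prev ^ D(key, blk) if decrypt else E(key, prev ^ blk)
        out.append(y)
        prev = blk if decrypt else y                    # chain on the ciphertext block
    return out


def cfb_r(key, iv, blocks, decrypt=False):
    """CFB-r: tj = leftmost r bits of E_K(Ij); I_{j+1} = 2^r * Ij + cj mod 2^n."""
    I, out = iv, []
    for blk in blocks:
        y = blk ^ (E(key, I) >> (N_BITS - R_BITS))
        out.append(y)
        I = ((I << R_BITS) | (blk if decrypt else y)) % MOD   # ciphertext enters the register
    return out


def ofb_r(key, iv, blocks, decrypt=False):
    """OFB-r: as CFB-r but I_{j+1} = 2^r * Ij + tj mod 2^n; keystream is data-independent."""
    I, out = iv, []
    for blk in blocks:
        t = E(key, I) >> (N_BITS - R_BITS)
        out.append(blk ^ t)
        I = ((I << R_BITS) | t) % MOD
    return out


def blocks_hit_by_bit_error(mode, key, iv, blocks, j):
    """Encrypt, flip one bit of ciphertext block cj, decrypt, and return the indices of
    the plaintext blocks that decipher incorrectly (the mode's error-propagation property)."""
    ct = mode(key, iv, blocks)
    ct[j] ^= 1
    pt = mode(key, iv, ct, decrypt=True)
    return [i for i, (x, y) in enumerate(zip(blocks, pt)) if x != y]


SAMPLE = list(b"constructed sample plaintext")                   # constructed r-bit (byte) blocks
SAMPLE32 = [int.from_bytes(bytes(SAMPLE[i:i + 4]), "big") for i in range(0, len(SAMPLE), 4)]
KEY, IV = 0x13579BDF, 0x2468ACE0                                   # constructed key and IV
```

Flipping a bit in c2 under CBC garbles exactly blocks 2 and 3; under CFB-r with n/r = 4 the damage starts at cj and ends no later than cj+4, after which the register holds only correct ciphertext; under OFB-r only block j is affected.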

Other Block Ciphers

- FEAL
  - Fast N-round block cipher
  - Has been the subject of many attacks, which in turn introduced new attack techniques on block ciphers
  - Japanese standard
- IDEA
  - 64-bit plaintext block, 64-bit ciphertext block, 128-bit key, 8 rounds
  - James Massey
  - Uses algebraic operations (multiplication mod 2^n + 1, addition mod 2^n)
- SAFER, RC-5, AES
