Cryptography I

Lecture 6

Dimitrios Delivasilis

Department of Information and Communication Systems Engineering

University of Aegean

Stream Ciphers
  • Refreshing our memory
    • Stream ciphers can be either symmetric-key or public-key
    • Block ciphers are memoryless
    • Stream ciphers are said to have memory
  • Unconditionally secure
    • A symmetric key system is unconditionally secure if H(K)≥H(M). In other words, the uncertainty of the secret key must be at least as great as the uncertainty of the plaintext
Synchronous Stream Ciphers
  • Definition: A synchronous stream cipher is one in which the keystream is generated independently of the plaintext (and of the ciphertext)
  • Encryption: σi+1 = f(σi, k), zi = g(σi, k), ci = h(zi, mi)
  • Decryption: σi+1 = f(σi, k), zi = g(σi, k), mi = h−1(zi, ci)

Figure: synchronous stream cipher, encryption (left) and decryption (right).

mi: plaintext, ci: ciphertext, k: key, zi: keystream, σi: state

Functions: g produces keystream zi, h combines the keystream and plaintext to produce ciphertext, and f is the next-state function. Both sides run the same f and g from the same initial state σ0, so h only needs to be invertible in its plaintext argument (h−1) for the receiver to recover mi.

More on synchronous stream ciphers

Figure: binary additive stream cipher. Two copies of the same keystream generator, both loaded with k, produce zi at sender and receiver; the sender forms ci from mi and zi, the receiver forms mi from ci and zi.

  • Properties of synchronous stream ciphers
    • Synchronisation requirements: sender and receiver must use the same key and be at the same state; if a ciphertext digit is inserted or deleted in transit, synchronisation is lost and decryption fails until it is re-established (e.g. by re-initialisation, or by markers placed in the ciphertext at regular intervals)
    • No error propagation: a ciphertext digit that is modified (but not deleted) in transit affects the decryption of that digit only
    • Active attacks: insertion, deletion or replay of ciphertext digits causes loss of synchronisation and is therefore likely to be noticed; but because there is no error propagation, an adversary can flip chosen plaintext bits by flipping the corresponding ciphertext bits, so integrity has to be provided by a separate mechanism
  • Definition: A binary additive stream cipher is a synchronous stream cipher in which the keystream, plaintext, and ciphertext digits are binary digits, and the output function h is the XOR function.
  • Encryption: ci = mi ⊕ zi
  • Decryption: mi = ci ⊕ zi

Self-synchronising stream ciphers
  • Definition: A self-synchronising or asynchronous stream cipher is one in which the keystream is generated as a function of the key and a fixed number t of previous ciphertext digits.
  • Encryption: σi = (ci−t, ci−t+1, …, ci−1), zi = g(σi, k), ci = h(zi, mi)
  • Decryption: σi = (ci−t, ci−t+1, …, ci−1), zi = g(σi, k), mi = h−1(zi, ci)
  • The initial state σ0 = (c−t, …, c−1) is a non-secret initialisation vector that both parties must know

Figure: self-synchronising stream cipher. On the encryption side g maps k and the last t ciphertext digits to zi, and h combines zi with mi to give ci; on the decryption side the same g, driven by the received ciphertext, reproduces zi and h−1 recovers mi from ci.

Properties of self-synchronising stream ciphers
  • Self-synchronising: capable of re-establishing proper decryption automatically after loss of synchronisation, with only a fixed number of plaintext characters unrecoverable
  • Limited error propagation: If a single ciphertext digit is modified during transmission, then decryption of up to t subsequent ciphertext digits may be incorrect, after which correct decryption resumes
  • Active attacks: It is more difficult to detect insertion, deletion, or replay of ciphertext digits by an active adversary
  • Diffusion of plaintext: Self-synchronising stream ciphers may be more resistant than synchronous stream ciphers against attacks based on plaintext redundancy
Linear feedback shift registers (LFSRs)
  • Characteristics:
    • LFSRs are well-suited to hardware implementation
    • Produce sequences of large period
    • Produce sequences with good statistical properties
    • Due to their structure, they can be readily analysed using algebraic techniques; in particular, any 2L consecutive output bits determine an LFSR of length L, so an LFSR on its own must never be used as a keystream generator
  • Definition:

A linear feedback shift register (LFSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L−1, each capable of storing one bit and having one input and one output; and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence

(ii) the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1

(iii) the new content of stage L−1 is the feedback bit sj which is calculated by adding together modulo 2 the previous contents of a fixed subset of stages 0, 1, …, L−1

LFSR analysis

Figure: A linear feedback shift register (LFSR) of length L. The stages L−1, L−2, …, 1, 0 are drawn from left to right; stage 0 is the output, and the feedback bit sj (fed into stage L−1) is the modulo-2 sum of the stage contents selected by the tap coefficients c1, c2, …, cL−1, cL ∈ {0, 1}:

sj = c1 sj−1 ⊕ c2 sj−2 ⊕ … ⊕ cL sj−L (j ≥ L)

where sj−i is the content of stage L−i. The taps define the connection (feedback) polynomial C(D) = 1 + c1 D + c2 D^2 + … + cL D^L; if C(D) is a primitive polynomial of degree L, every non-zero initial state yields an output sequence of maximal period 2^L − 1.

Linear Complexity
  • Definition:

An LFSR is said to generate a sequence s if there is some initial state for which the output sequence of the LFSR is s. An LFSR is said to generate a finite sequence sn if there is some initial state for which the output sequence of the LFSR has sn as its first n terms.

  • Definition:

The linear complexity of an infinite binary sequence s, denoted L(s), is defined as follows:

- if s is the zero sequence s = 0, 0, 0, …, then L(s) = 0

- if no LFSR generates s, then L(s) = ∞

- otherwise, L(s) is the length of the shortest LFSR that generates s.

More on Linear Complexity
  • Definition:

The linear complexity of a finite binary sequence sn, denoted L(sn), is the length of the shortest LFSR that generates a sequence having sn as its first n terms.

  • Properties of linear complexity:

(i) For any n≥1, the linear complexity of the subsequence sn satisfies 0≤L(sn) ≤n.

(ii) L(sn) = 0 if and only if sn is the zero sequence of length n.

(iii) L(sn) = n if and only if sn = 0, 0, …, 0, 1.

(iv) If s is periodic with period N, then L(s) ≤ N.

(v) L(s⊕t) ≤ L(s) + L(t), where s⊕t denotes the bitwise XOR of s and t.

Non Linear Feedback Shift Registers
  • Definition: A feedback shift register (FSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L−1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence

(ii) the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1

(iii) the new content of stage L−1 is the feedback bit sj = f(sj−1, sj−2, …, sj−L), where the feedback function f is a Boolean function and sj−i is the previous content of stage L−i, 1 ≤ i ≤ L. An LFSR is the special case in which f is a modulo-2 sum; with a nonlinear f the output sequence can have linear complexity far greater than L, which is the motivation for nonlinear feedback.

Analysis of feedback shift register

Figure: A feedback shift register (FSR) of length L. Stage L−1 holds sj−1, stage L−2 holds sj−2, …, stage 1 holds sj−L+1 and stage 0 holds sj−L; the feedback function f(sj−1, sj−2, …, sj−L) supplies the new content sj of stage L−1, and stage 0 is output.

Stream Ciphers using LFSRs
  • Basic design of a keystream generator:
    • Number of LFSRs ≥ 1
    • LFSRs should have different lengths and different feedback polynomials
    • IF <the lengths are all relatively prime> AND <the feedback polynomials are all primitive> THEN the whole generator is maximal length: the period of the keystream is the product of the individual periods, ∏(2^Li − 1)
    • Key is the initial state of the LFSRs
    • Clocking: the LFSRs are either clocked regularly, or the output of one LFSR controls the clocking of another (clock-controlled generators)
  • A keystream generator whose output bit is a nonlinear function of the output bits of several LFSRs is known as a (nonlinear) combination generator. The combining function must be nonlinear: a linear combination of LFSR sequences is itself an LFSR sequence whose linear complexity is at most the sum of the lengths (property (v) above)
  • In case the output bit is a (nonlinear) function of the stages of a single LFSR, it is called a filter generator
Geffe Generator
  • A combination of three LFSRs
  • If a1, a2 and a3 are the outputs of the three LFSRs, the output of the generator is given by the following equation (^ denotes AND, ¬ NOT, ⊕ XOR)

b = (a1 ^ a2) ⊕ ((¬a1) ^ a3)

    that is, a1 selects a2 (when a1 = 1) or a3 (when a1 = 0); written over GF(2) this is b = a1a2 ⊕ a1a3 ⊕ a3
  • If the LFSRs have lengths n1, n2, and n3 (pairwise distinct, greater than 2, with primitive feedback polynomials), then the linear complexity of the generator, obtained by evaluating the expression above over the integers, is

n1n2 + n1n3 + n3

  • Caveat: b equals a2 whenever a1 = 1 and equals a3 whenever a1 = 0, so the output agrees with a2 (and likewise with a3) in three positions out of four; this correlation lets a divide-and-conquer (correlation) attack recover those registers one at a time, which is why the Geffe generator is considered weak despite its linear complexity

Figure: Geffe generator. LFSR-1 drives the Select input of a 2-to-1 multiplexer, which passes the output of LFSR-2 or LFSR-3 to b(t).

Jennings Generator
  • Uses a multiplexer to combine two LFSRs
  • Multiplexer selects one bit of LFSR-2 for each output bit
  • LFSR-1 controls the multiplexer
  • A function θ maps the stages of LFSR-2 to the inputs 0, 1, …, n−1 of the multiplexer
  • Key is the initial states of the LFSRs and the mapping function

Figure: Jennings generator. LFSR-1 feeds the Select input of the multiplexer; the multiplexer's data inputs 0, 1, …, n−1 are stages of LFSR-2 chosen through the mapping θ, and the selected bit is the output b(t). K1, K2 and K3 in the figure mark the key components: the two initial states and the mapping θ.

Threshold Generator
  • Employs a variable (odd) number of LFSRs
  • Motto: The more LFSRs a system uses, the harder it gets to break the cipher.
  • Maximise the period:
    • the lengths of all the LFSRs are relatively prime
    • all the feedback polynomials are primitive
  • If more than half of the LFSR output bits are 1, then the output of the generator is 1.
  • If more than half of the LFSR output bits are 0, then the output of the generator is 0 (the number of LFSRs is odd, so there are no ties)

More on Threshold Generator
  • Let us assume that we use three LFSRs; then the generator output (the majority of a1, a2, a3) can be written as:

b = (a1 ^ a2) ⊕ (a1 ^ a3) ⊕ (a2 ^ a3) (similar to Geffe)

  • Linear complexity (evaluating the expression above over the integers, for pairwise distinct lengths greater than 2 and primitive feedback polynomials):

n1n2 + n1n3 + n2n3 (larger than Geffe)

  • Caveat: the majority agrees with each individual input in three positions out of four, so the threshold generator has the same correlation weakness as the Geffe generator

Figure: Threshold generator. The outputs of LFSR-1, LFSR-2, LFSR-3, …, LFSR-n feed a majority function whose output is b(t).
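The registers, the linear-complexity measure and the two combination generators of the preceding slides (LFSR definition, linear complexity, Geffe and threshold generators), as an added runnable example; this is not code from the lecture. Linear complexity is computed with the Berlekamp-Massey algorithm (not covered on the slides), and the three LFSRs use lengths 3, 4, 5 with the primitive connection polynomials 1 + D + D^3, 1 + D + D^4, 1 + D^2 + D^5 and the initial states shown; the tap positions, initial states and sequence lengths are assumptions made here for illustration.

```python
"""LFSRs, linear complexity and the Geffe / threshold combination generators.

Added example, not code from the lecture.  The tap positions, initial states
and the use of Berlekamp-Massey for linear complexity are assumptions made
here for illustration.
"""


def lfsr(taps, init, n):
    """Clock an LFSR of length L = max(taps) n times and return its output bits.

    Stages 0..L-1 are held in a list; each clock, stage 0 is output, stage i
    moves to stage i-1, and stage L-1 receives the feedback bit
        s_j = c_1 s_{j-1} + c_2 s_{j-2} + ... + c_L s_{j-L}   (mod 2),
    where `taps` lists the i with c_i = 1, i.e. the connection polynomial is
    C(D) = 1 + sum_{i in taps} D^i.  `init` gives stages 0..L-1 at time 0,
    which are also the first L output bits.
    """
    L = max(taps)
    s = list(init)
    if len(s) != L:
        raise ValueError("initial state must have exactly L = max(taps) bits")
    out = []
    for _ in range(n):
        out.append(s[0])                  # (i)   stage 0 is output
        fb = 0
        for i in taps:                    # (iii) s_{j-i} is held in stage L-i
            fb ^= s[L - i]
        s = s[1:] + [fb]                  # (ii)  shift down; feedback enters stage L-1
    return out


def linear_complexity(s):
    """Berlekamp-Massey: length of the shortest LFSR generating the finite bit
    sequence s (0 for the all-zero sequence).  2L bits suffice to find L."""
    n = len(s)
    C = [1] + [0] * n      # connection polynomial of the current shortest LFSR
    B = [1] + [0] * n      # C(D) as it was before the last length change
    L, m = 0, 1
    for N in range(n):
        d = s[N]
        for i in range(1, L + 1):         # discrepancy: does C(D) predict s[N]?
            d ^= C[i] & s[N - i]
        if d:
            T = C[:]
            for i in range(n + 1 - m):    # C(D) <- C(D) + D^m B(D)
                C[i + m] ^= B[i]
            if 2 * L <= N:
                L, B, m = N + 1 - L, T, 1
            else:
                m += 1
        else:
            m += 1
    return L


def period(bits):
    """Smallest p > 0 with bits[j] == bits[j + p] for every j; `bits` must
    cover at least two periods, otherwise None is returned."""
    b = bytes(bits)
    for p in range(1, len(b) // 2 + 1):
        if b[p:] == b[:-p]:
            return p
    return None


# Three maximum-length LFSRs of pairwise coprime lengths 3, 4, 5 (assumed):
# the connection polynomials 1+D+D^3, 1+D+D^4 and 1+D^2+D^5 are primitive.
TAPS = ([1, 3], [1, 4], [2, 5])
INIT = ([1, 0, 0], [1, 0, 0, 0], [1, 0, 0, 0, 0])


def _outputs(n, taps, init):
    return [lfsr(t, s, n) for t, s in zip(taps, init)]


def geffe(n, taps=TAPS, init=INIT):
    """b = (a1 AND a2) XOR (NOT a1 AND a3): a1 selects a2 or a3."""
    a1, a2, a3 = _outputs(n, taps, init)
    return [(x & y) ^ ((x ^ 1) & z) for x, y, z in zip(a1, a2, a3)]


def threshold(n, taps=TAPS, init=INIT):
    """Majority of three LFSR outputs: b = a1a2 XOR a1a3 XOR a2a3."""
    a1, a2, a3 = _outputs(n, taps, init)
    return [(x & y) ^ (x & z) ^ (y & z) for x, y, z in zip(a1, a2, a3)]


def predicted_complexities(n1, n2, n3):
    """Linear complexities from evaluating each generator's algebraic normal
    form over the integers (maximum-length LFSRs of distinct lengths > 2):
    Geffe a1a2 + a1a3 + a3, threshold a1a2 + a1a3 + a2a3."""
    return n1 * n2 + n1 * n3 + n3, n1 * n2 + n1 * n3 + n2 * n3


if __name__ == "__main__":
    for t, s in zip(TAPS, INIT):
        bits = lfsr(t, s, 256)
        print(f"LFSR {t}: period {period(bits)}, linear complexity {linear_complexity(bits)}")
    print("Geffe:     L =", linear_complexity(geffe(512)), "predicted", predicted_complexities(3, 4, 5)[0])
    print("threshold: L =", linear_complexity(threshold(512)), "predicted", predicted_complexities(3, 4, 5)[1])
    print("Geffe period:", period(geffe(2 * 7 * 15 * 31)))
```

Berlekamp-Massey returns 3, 4 and 5 for the bare registers, which is the attack the slides' "readily analysed" remark refers to: a handful of output bits hand over the whole register. For the combined outputs it returns 32 for Geffe and 47 for the threshold generator, matching the formulas on the slides, and the Geffe keystream has period 7 · 15 · 31 = 3255, the product of the three LFSR periods.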

Block Cipher : Introduction
  • maps n-bit plaintext blocks to n-bit ciphertext blocks (n: block length)
  • Use of plaintext and ciphertext of equal size avoids data expansion
  • To allow unique decryption, the encryption function must be 1-1 (invertible)
    • For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors
    • Each key potentially defines a different bijection
  • Def
    • An n-bit block cipher is a function E : Vn × K → Vn such that for each key k ∈ K, E(P, k) is an invertible mapping (the encryption function for k) from Vn to Vn, written Ek(P). Here Vn is the set of n-bit vectors and K the key space.
    • The inverse mapping is the decryption function, denoted Dk(C)
    • C = Ek(P) denotes that ciphertext C results from encrypting plaintext P under k
Practical security and complexity of attack
  • Basic assumption
    • adversary has access to all data transmitted over cipher channel
    • (Kerckhoffs’ assumption) adversary knows all details of the encryption function except the secret key
  • Classes of attacks
    • ciphertext-only – no additional information is available
    • known-plaintext – plaintext-ciphertext pairs are available
    • chosen-plaintext – ciphertexts are available corresponding to plaintexts of the adversary’s choice
    • adaptive chosen-plaintext – choice of plaintexts may depend on previous plaintext-ciphertext pairs
ECB(Electronic CodeBook) Mode

Figure: ECB mode. Encipherment: each n-bit plaintext block xj is passed through E under the key to give cj; decipherment passes cj through E−1 under the same key and recovers x'j = xj.

  • Encryption: for 1 ≤ j ≤ t, cj ← EK(xj).
  • Decryption: for 1 ≤ j ≤ t, xj ← DK(cj).
    • Identical plaintext blocks (under the same key) result in identical ciphertext blocks, so the ciphertext reveals repetitions in the plaintext
    • blocks are enciphered independently of other blocks, so ciphertext blocks can be reordered, duplicated or deleted by an adversary and still decrypt to plausible plaintext blocks
    • bit errors in a single ciphertext block affect decipherment of that block only
    • for these reasons ECB is not recommended for messages longer than one block
CBC(Cipher-Block Chaining) Mode

Figure: CBC mode. Encipherment: xj is XORed with the previous ciphertext block cj−1 (c0 = IV) and the result is passed through E under the key to give cj. Decipherment: cj is passed through E−1 under the key and XORed with cj−1 to give x'j = xj.

  • Encryption: c0 ← IV, cj ← EK(cj−1 ⊕ xj)
  • Decryption: c0 ← IV, xj ← cj−1 ⊕ E−1K(cj)
    • chaining causes ciphertext cj to depend on all preceding plaintext blocks (and on the IV), so identical plaintext blocks no longer give identical ciphertext blocks
    • a single bit error in cj affects decipherment of blocks cj and cj+1: xj is garbled completely, while xj+1 has exactly the same bit position flipped (an adversary who can modify cj can therefore flip chosen bits of xj+1)
    • self-synchronizing: an error in cj (with cj+1 and cj+2 intact) still leaves cj+2 correctly decrypted to xj+2, so decryption recovers after two blocks
    • the IV need not be secret but must be known to both parties; it should be unpredictable if the first block is to be hidden from a chosen-plaintext adversary, and its integrity should be protected, since flipping a bit of the IV flips the same bit of x1
    • Can use as a MAC (CBC-MAC): encrypt x1, x2, …, xn in CBC mode with a fixed IV and output only the last block cn; this is secure only for messages of a single fixed length unless the construction is modified
CFB-r(Cipher FeedBack) Mode
  • INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x1, …, xu (1 ≤ r ≤ n)
  • OUTPUT: r-bit ciphertext blocks c1, …, cu
    • Encryption: I1 ← IV (Ij is the n-bit input value held in a shift register). For 1 ≤ j ≤ u:
      • Oj ← EK(Ij). (Compute the block cipher output)
      • tj ← the r leftmost bits of Oj. (Assume the leftmost is identified as bit 1.)
      • cj ← xj ⊕ tj. (Transmit the r-bit ciphertext block cj.)
      • Ij+1 ← 2^r · Ij + cj mod 2^n. (Shift cj into the right end of the shift register.)
    • Decryption: I1 ← IV. For 1 ≤ j ≤ u, upon receiving cj:

xj ← cj ⊕ tj, where tj, Oj and Ij are computed as above (only the forward function E is ever needed)

CFB-r Mode(Cont’d)

Figure: CFB-r mode. Encipherment: the n-bit shift register I1 = IV is enciphered by E under the key, the leftmost r bits of Oj are XORed with xj to give cj, and cj is shifted into the register (r-bit shift). Decipherment mirrors this: the same register contents, E and leftmost-r-bit selection reproduce tj, and xj = cj ⊕ tj.

Properties of the CFB-r
  • re-ordering ciphertext blocks affects decryption
  • one or more bit errors in any single r-bit ciphertext block cj affect the decipherment of that block and of the next ⌈n/r⌉ ciphertext blocks (for as long as cj remains in the shift register)
  • self-synchronizing similar to CBC, but requires ⌈n/r⌉ blocks to recover
  • for r < n, throughput is decreased by a factor of n/r (one block cipher call per r bits)
OFB(Output FeedBack) Mode with full (or r-bit) feedback
  • INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x1, …, xu (1 ≤ r ≤ n)
  • OUTPUT: r-bit ciphertext blocks c1, …, cu
  • Encryption: I1 ← IV. For 1 ≤ j ≤ u, given plaintext block xj:
      • Oj ← EK(Ij). (Compute the block cipher output)
      • tj ← the r leftmost bits of Oj. (Assume the leftmost is identified as bit 1.)
      • cj ← xj ⊕ tj. (Transmit the r-bit ciphertext block cj.)
      • Full feedback: Ij+1 ← Oj. (Update the block cipher input for the next block.)
      • r-bit feedback variant: Ij+1 ← 2^r · Ij + tj mod 2^n. (Shift the output tj into the right end of the shift register.) Full feedback is preferred: feeding back only r bits gives the keystream a less favourable cycle structure.
  • Decryption: I1 ← IV. For 1 ≤ j ≤ u, upon receiving cj:

xj ← cj ⊕ tj, where tj, Oj and Ij are computed as above

  • The keystream depends only on K and the IV, so the IV must be different for every message encrypted under the same key; reusing an IV masks two plaintexts with the same keystream, and their XOR is exposed

OFB-r Mode

Figure: OFB-r mode. Encipherment: Ij (I1 = IV) is enciphered by E under the key, the leftmost r bits of Oj are XORed with xj to give cj, and the feedback (Oj, or tj through an r-bit shift) forms Ij+1. Decipherment is the identical computation, producing xj = cj ⊕ tj.

Properties of the OFB-r
  • keystream is plaintext-independent (OFB turns the block cipher into a synchronous stream cipher)
  • a ciphertext bit error affects the decipherment of only that character: the corresponding plaintext bit is flipped and nothing else changes, so an adversary can flip chosen plaintext bits undetected unless a MAC is used
  • recovers from ciphertext bit errors, but cannot self-synchronize after a lost or inserted block
  • for r < n, throughput is decreased as per the CFB mode
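The four modes above (ECB, CBC, CFB-r, OFB) and their error-propagation properties, as an added runnable example; this is not code from the lecture. No real block cipher is available in the Python standard library, so a small Feistel network stands in for EK: it is an insecure placeholder, and the key, IV and message are constructed sample values. The modes themselves follow the slides' equations. CFB and OFB also make the earlier self-synchronising versus synchronous stream-cipher contrast concrete: a flipped ciphertext bit garbles the CFB output for that unit and the next n/r units, but changes only the corresponding OFB bit.

```python
"""ECB, CBC, CFB-r and OFB modes over a toy 64-bit block cipher.
Added example, not code from the lecture.  E/D below is an insecure Feistel
placeholder standing in for EK so the modes run stand-alone; KEY, IV and MSG
are constructed sample values."""

N = 64                       # block length n in bits
MASK, M32 = (1 << N) - 1, 0xFFFFFFFF

def _f(x, k):
    """Toy Feistel round function on a 32-bit half (assumed, not a real cipher)."""
    x = (x + k) & M32
    x ^= ((x << 13) | (x >> 19)) & M32
    return (x * 0x9E3779B1) & M32

def _subkeys(key, rounds=8):
    return [(((key >> (8 * i)) | (key << (N - 8 * i))) & M32) ^ i for i in range(rounds)]

def E(key, block):
    """Toy EK on one n-bit block (int -> int); a bijection on Vn."""
    l, r = block >> 32, block & M32
    for k in _subkeys(key):
        l, r = r, l ^ _f(r, k)
    return (r << 32) | l

def D(key, block):
    """E^-1: the same rounds with the subkeys in reverse order."""
    l, r = block >> 32, block & M32
    for k in reversed(_subkeys(key)):
        l, r = r, l ^ _f(r, k)
    return (r << 32) | l

def ecb(key, xs):
    return [E(key, x) for x in xs]                  # cj = EK(xj)

def ecb_dec(key, cs):
    return [D(key, c) for c in cs]                  # xj = DK(cj)

def cbc(key, iv, xs):
    out, prev = [], iv                              # c0 = IV
    for x in xs:
        prev = E(key, prev ^ x)                     # cj = EK(cj-1 XOR xj)
        out.append(prev)
    return out

def cbc_dec(key, iv, cs):
    out, prev = [], iv
    for c in cs:
        out.append(prev ^ D(key, c))                # xj = cj-1 XOR E^-1K(cj)
        prev = c
    return out

def cfb(key, iv, r, xs):
    """CFB-r on r-bit units; the ciphertext is shifted into the register."""
    out, I = [], iv                                 # I1 = IV
    for x in xs:
        c = x ^ (E(key, I) >> (N - r))              # tj = r leftmost bits of Oj
        out.append(c)
        I = ((I << r) | c) & MASK                   # Ij+1 = 2^r Ij + cj mod 2^n
    return out

def cfb_dec(key, iv, r, cs):
    out, I = [], iv
    for c in cs:
        out.append(c ^ (E(key, I) >> (N - r)))      # only the forward E is needed
        I = ((I << r) | c) & MASK
    return out

def ofb(key, iv, r, xs):
    """OFB with full feedback (Ij+1 = Oj); the keystream ignores the plaintext, so the same call decrypts."""
    out, I = [], iv
    for x in xs:
        O = E(key, I)
        out.append(x ^ (O >> (N - r)))
        I = O
    return out

def to_units(data, r):
    """Split bytes into big-endian r-bit integers (r a multiple of 8)."""
    w = r // 8
    return [int.from_bytes(data[i:i + w], "big") for i in range(0, len(data), w)]

KEY, IV = 0x0123456789ABCDEF, 0xFEDCBA9876543210   # constructed sample key and IV
MSG = b"ATTACK AT DAWN! ATTACK AT DAWN! "           # constructed; 64-bit blocks 0 and 2 are equal

def error_propagation(mode, r, j, bit=0):
    """Flip one bit of ciphertext unit j and return the indices of the plaintext
    units that then decrypt wrongly (r = 64 for CBC, a multiple of 8 otherwise)."""
    xs = to_units(MSG, r)
    if mode == "cbc":
        cs, dec = cbc(KEY, IV, xs), lambda c: cbc_dec(KEY, IV, c)
    elif mode == "cfb":
        cs, dec = cfb(KEY, IV, r, xs), lambda c: cfb_dec(KEY, IV, r, c)
    elif mode == "ofb":
        cs, dec = ofb(KEY, IV, r, xs), lambda c: ofb(KEY, IV, r, c)
    else:
        raise ValueError(mode)
    cs[j] ^= 1 << bit
    return [i for i, (got, want) in enumerate(zip(dec(cs), xs)) if got != want]

if __name__ == "__main__":
    xs = to_units(MSG, 64)
    print("ECB leaks the repeated block:", ecb(KEY, xs)[0] == ecb(KEY, xs)[2])
    print("CBC, error in c1, bad units:", error_propagation("cbc", 64, 1))
    print("CFB-16, error in c3, bad units:", error_propagation("cfb", 16, 3))
    print("OFB-16, error in c3, bad units:", error_propagation("ofb", 16, 3))
```

With the sample message, only ECB maps blocks 0 and 2 (both "ATTACK A") to the same ciphertext. error_propagation shows CBC losing exactly two blocks (xj garbled, xj+1 with the flipped bit) before it resynchronises, CFB-16 losing the hit unit plus the next 64/16 = 4 units while the bad ciphertext sits in the shift register, and OFB flipping only the one bit that was flipped, the behaviour the properties slides describe.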
Other Block Ciphers
  • FEAL
    • Fast N-round block cipher (FEAL-N), designed as a faster alternative to DES
    • Broken by a series of attacks; the work on FEAL introduced new cryptanalytic techniques for block ciphers
    • Developed in Japan (NTT)
  • IDEA
    • 64-bit plaintext and ciphertext blocks, 128-bit key, 8 rounds
    • Designed by Xuejia Lai and James Massey
    • Mixes operations from three algebraic groups: XOR, addition mod 2^n and multiplication mod 2^n + 1 on n = 16-bit sub-blocks
  • SAFER, RC5, AES