# Cryptography I - PowerPoint PPT Presentation


### Cryptography I

Lecture 6

Dimitrios Delivasilis

Department of Information and Communication Systems Engineering

University of Aegean

Stream Ciphers
• Refreshing our memory
• Stream ciphers can be either symmetric-key or public-key
• Block ciphers are memoryless
• Stream ciphers are said to have memory
• Unconditionally secure
• A symmetric-key system can be unconditionally secure only if H(K) ≥ H(M). In other words, the uncertainty of the secret key must be at least as great as the uncertainty of the plaintext. This is a necessary condition (met by the one-time pad), not a sufficient one
Synchronous Stream Ciphers
• Definition: A synchronous stream cipher is one in which the keystream is generated independently of the plaintext
• Encryption: σi+1 = f(σi, k), zi = g(σi, k), ci = h(zi, mi)
• Decryption: σi+1 = f(σi, k), zi = g(σi, k), mi = h⁻¹(zi, ci)

mi: plaintext, ci: ciphertext, k: key, zi: keystream, σi: state (σ0 is the initial state, determined by the key k)

Functions: g produces keystream zi, h combines the keystream and plaintext to produce ciphertext, and f is the next-state function. Decryption runs the same f and g and applies the inverse output function h⁻¹, so both sides must start from the same σ0 and stay in step.

[Figure: the general synchronous stream cipher (encryption on the left, decryption on the right), and the additive special case in which a keystream generator seeded with k produces zi and ci = mi ⊕ zi.]

More on synchronous stream ciphers
• Properties of synchronous stream ciphers
• Synchronisation requirements: sender and receiver must be synchronised (same key, same state σi). If a ciphertext digit is inserted or deleted during transmission, decryption fails from that point on until synchronisation is re-established (e.g. by re-initialising)
• No error propagation: a ciphertext digit that is modified (but not deleted) during transmission affects only the decryption of that digit
• Active attacks: insertion, deletion or replay of ciphertext digits causes immediate loss of synchronisation and so can be detected by the decryptor; on the other hand an adversary can make controlled changes to selected plaintext digits by modifying the corresponding ciphertext digits, so additional mechanisms (a MAC) are needed for data integrity
• Definition: A binary additive stream cipher is a synchronous stream cipher in which the keystream, plaintext, and ciphertext digits are binary digits, and the output function h is the XOR function.
• Encryption: ci = mi ⊕ zi
• Decryption: mi = ci ⊕ zi

Self-synchronising stream ciphers
• Definition: A self-synchronising or asynchronous stream cipher is one in which the keystream is generated as a function of the key and a fixed number of previous ciphertext digits.
• Encryption: σi = (ci−t, ci−t+1, …, ci−1), zi = g(σi, k), ci = h(zi, mi)
• Decryption: σi = (ci−t, ci−t+1, …, ci−1), zi = g(σi, k), mi = h⁻¹(zi, ci)

σ0 = (c−t, …, c−1) is the (non-secret) initial state, k the key, g the keystream function and h the output function. The state is simply the last t ciphertext digits, so the receiver rebuilds it from the ciphertext itself.

[Figure: self-synchronising stream cipher; the shift register holding the t previous ciphertext digits feeds g on both the encryption and the decryption side.]

Properties of self-synchronising stream ciphers
• Self-synchronising: capable of re-establishing proper decryption automatically after loss of synchronisation, with only a fixed number of plaintext characters unrecoverable
• Limited error propagation: If a single ciphertext digit is modified during transmission, then decryption of up to t subsequent ciphertext digits may be incorrect, after which correct decryption resumes
• Active attacks: It is more difficult to detect insertion, deletion, or replay of ciphertext digits by an active adversary
• Diffusion of plaintext: Self-synchronising stream ciphers may be more resistant than synchronous stream ciphers against attacks based on plaintext redundancy
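The contrast drawn in the two property lists above (synchronous versus self-synchronising), as an added example that is not part of the lecture: a byte-oriented synchronous cipher and a self-synchronising one built on the same keystream function. The keystream function g (SHA-256 based), the window size T, the key and the message are all assumptions made for this example; g plays the role of the function g in the slides' model but is not a standardised cipher.

```python
# Added example (not from the lecture slides): a synchronous (binary additive)
# stream cipher and a self-synchronising one sharing a keystream function,
# used to show the properties above: no error propagation but loss of
# synchronisation and controllable changes for the synchronous cipher, and
# limited error propagation followed by recovery for the self-synchronising
# one. The keystream function g (SHA-256 based), the sample key and the
# message are constructed for this example; "digits" are bytes.
import hashlib

def g(key: bytes, state: bytes) -> int:
    """Assumed keystream function: one byte of SHA-256(key || state)."""
    return hashlib.sha256(key + state).digest()[0]

def sync_crypt(key: bytes, data: bytes) -> bytes:
    """Synchronous cipher: the state sigma_i is the position i (independent of
    the plaintext), z_i = g(sigma_i, k), c_i = m_i XOR z_i; decryption is the same call."""
    return bytes(d ^ g(key, i.to_bytes(4, "big")) for i, d in enumerate(data))

T = 4   # self-synchronising cipher: keystream depends on the T previous ciphertext digits

def selfsync_crypt(key: bytes, data: bytes, decrypt: bool = False,
                   iv: bytes = b"\x00" * T) -> bytes:
    """sigma_i = (c_(i-T), ..., c_(i-1)), z_i = g(sigma_i, k), c_i = m_i XOR z_i.
    sigma_0 = IV is fixed and public; the register always shifts in ciphertext."""
    out, window = bytearray(), bytearray(iv)
    for d in data:
        z = g(key, bytes(window))
        c = d if decrypt else d ^ z          # the ciphertext digit, on either side
        out.append(d ^ z)
        window = window[1:] + bytes([c])
    return bytes(out)

def damaged(original: bytes, recovered: bytes) -> list:
    """Positions where the recovered plaintext differs from the original."""
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]

def flip(data: bytes, i: int, mask: int) -> bytes:
    b = bytearray(data); b[i] ^= mask; return bytes(b)

KEY = b"constructed-demo-key"                # constructed sample key
MSG = b"PAY 0010 EUR TO ACCOUNT 42"          # constructed plaintext; byte 4 is the leading '0'

def demo() -> dict:
    r = {}
    c = sync_crypt(KEY, MSG)
    # Synchronous: a modified ciphertext digit damages only that digit ...
    r["sync_flip"] = damaged(MSG, sync_crypt(KEY, flip(c, 4, 0x01)))
    # ... and the effect is fully controlled: 0x30 ('0') XOR 0x01 = 0x31 ('1'),
    # so the amount becomes 1010 (active attack, invisible to the cipher alone).
    r["sync_forged"] = sync_crypt(KEY, flip(c, 4, 0x01))
    # Synchronous: deleting one digit desynchronises keystream and ciphertext,
    # so (almost) every digit after the deletion decrypts to garbage.
    r["sync_drop"] = damaged(MSG[1:], sync_crypt(KEY, c[1:]))
    c2 = selfsync_crypt(KEY, MSG)
    # Self-synchronising: a modified digit damages it and at most the next T
    # digits, after which correct decryption resumes.
    r["self_flip"] = damaged(MSG, selfsync_crypt(KEY, flip(c2, 4, 0x01), decrypt=True))
    # Self-synchronising: after a deletion at most T digits are lost before the
    # receiver's register is refilled with genuine ciphertext and resyncs.
    r["self_drop"] = damaged(MSG[1:], selfsync_crypt(KEY, c2[1:], decrypt=True))
    return r
```

demo() returns, per scenario, the plaintext positions that decrypt wrongly: [4] for a flipped digit under the synchronous cipher (with the forged amount as a readable string), essentially every position after a deletion, and a window of at most T + 1 positions under the self-synchronising cipher in both cases.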
Linear feedback shift registers (LFSRs)
• Characteristics:
• LFSRs are well-suited to hardware implementation
• Produce sequences of large period
• Produce sequences with good statistical properties
• Due to their structure, they can be readily analysed using algebraic techniques
• Definition:

A linear feedback shift register (LFSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L-1, each capable of storing one bit and having one input and one output; and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence

(ii) the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1

(iii) the new content of stage L−1 is the feedback bit sj, calculated by adding together modulo 2 the previous contents of a fixed subset of stages 0, 1, …, L−1

LFSR analysis

Figure: A linear feedback shift register (LFSR) of length L. Stages L−1, L−2, …, 1, 0 are drawn from left to right, stage 0 gives the output, and the feedback bit sj = c1·sj−1 ⊕ c2·sj−2 ⊕ … ⊕ cL·sj−L is formed from the stage contents with fixed coefficients c1, …, cL ∈ {0, 1} (sj−i being the content of stage L−i). The coefficients define the connection polynomial C(D) = 1 + c1D + c2D² + … + cLD^L; the LFSR has the maximal period 2^L − 1 from every non-zero initial state exactly when C(D) is primitive.

Linear Complexity
• Definition:

An LFSR is said to generate a sequence s if there is some initial state for which the output sequence of the LFSR is s. An LFSR is said to generate a finite sequence sn if there is some initial state for which the output sequence of the LFSR has sn as its first n terms.

• Definition:

The linear complexity of an infinite binary sequence s, denoted L(s), is defined as follows:

- if s is the zero sequence s = 0, 0, 0, …, then L(s) = 0

- if no LFSR generates s, then L(s) = ∞

- otherwise, L(s) is the length of the shortest LFSR that generates s.

More on Linear Complexity
• Definition:

The linear complexity of a finite binary sequence sn, denoted L(sn), is the length of the shortest LFSR that generates a sequence having sn as its first n terms.

• Properties of linear complexity:

(i) For any n≥1, the linear complexity of the subsequence sn satisfies 0≤L(sn) ≤n.

(ii) L(sn) = 0 if and only if sn is the zero sequence of length n.

(iii) L(sn) = n if and only if sn = 0, 0, …, 0, 1.

(iv) If s is periodic with period N, then L(s) ≤ N.

(v) L(s⊕t) ≤ L(s) + L(t), where s⊕t denotes the bitwise XOR of s and t.

Non Linear Feedback Shift Registers
• Definition: A feedback shift register (FSR) of length L consists of L stages (or delay elements) numbered 0, 1, …, L-1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence

(ii) the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1

(iii) the new content of stage L−1 is the feedback bit sj = f(sj−1, sj−2, …, sj−L), where the feedback function f is a Boolean function and sj−i is the previous content of stage L−i, 1 ≤ i ≤ L.

Analysis of feedback shift register

Figure: A feedback shift register (FSR) of length L. The stage contents sj−1 (stage L−1), sj−2, …, sj−L+1, sj−L (stage 0) enter the Boolean function f(sj−1, sj−2, …, sj−L), whose value sj is written into stage L−1; the LFSR is the special case in which f is linear (an XOR of a subset of its inputs).

Stream Ciphers using LFSRs
• Basic design of a keystream generator:
• Number of LFSRs ≥ 1
• LFSRs should have different lengths and different feedback polynomials
• IF <the lengths are pairwise relatively prime> AND <the feedback polynomials are all primitive> THEN the generator can reach the maximal period, the product of the individual periods (2^L1 − 1)(2^L2 − 1)…
• Key is the initial state of the LFSRs
• Clocking: in the generators below all LFSRs are clocked once per output bit
• A keystream generator with the above characteristics, whose output bit is a nonlinear function of the output bits of several LFSRs, is also known as a combination generator
• In case the output bit is a nonlinear function of several stages of a single LFSR, it is called a filter generator
Geffe Generator
• A combination of three LFSRs
• If a1, a2 and a3 are the outputs of the three LFSRs, the output of the generator is given by the following equation (LFSR-1 drives the select input of a 2-to-1 multiplexer that passes either a2 or a3):

b = (a1 ∧ a2) ⊕ ((¬a1) ∧ a3) = (a1 ∧ a2) ⊕ (a1 ∧ a3) ⊕ a3

• If the LFSRs are maximum-length with pairwise distinct lengths n1, n2 and n3 (n1 being the length of the selecting LFSR-1), the linear complexity of the generator follows from the expanded form by replacing each ai with ni:

n1n2 + n1n3 + n3

[Figure: Geffe generator; LFSR-1 → Select input of the 2-to-1 multiplexer, LFSR-2 and LFSR-3 → its data inputs, output b(t).]

Jennings Generator
• Uses a multiplexer to combine two LFSRs
• Multiplexer selects one bit of LFSR-2 for each output bit
• LFSR-1 controls the multiplexer
• A function maps the output of LFSR-2 to the input of the multiplexer
• Key is the initial states of the LFSRs and the mapping function

[Figure: Jennings generator; the stages 0, 1, …, n−1 of LFSR-2 are mapped by the function θ onto the data inputs of the multiplexer, LFSR-1 drives its Select input, and the output is b(t). The key consists of K1 and K2 (initial states of LFSR-1 and LFSR-2) and K3 (the mapping θ).]

Threshold Generator
• Employs a variable (odd) number of LFSRs
• Motto: The more LFSRs a system uses, the harder it gets to break the cipher.
• Maximise the period: the lengths of all the LFSRs are pairwise relatively prime, and all the feedback polynomials are primitive
• If more than half of the LFSR output bits are 1, then the output of the generator is 1
• If more than half of the LFSR output bits are 0, then the output of the generator is 0 (with an odd number of LFSRs there is never a tie)
More on Threshold Generator
• Let us assume that we use three LFSRs; then the generator output is the majority function:

b = (a1 ∧ a2) ⊕ (a1 ∧ a3) ⊕ (a2 ∧ a3) (a nonlinear combination of three LFSRs, similar to Geffe)

• Linear complexity (for maximum-length LFSRs with pairwise distinct lengths n1, n2, n3):

n1n2 + n1n3 + n2n3 (larger than Geffe's)

[Figure: threshold generator; LFSR-1, LFSR-2, LFSR-3, …, LFSR-n feed a majority function producing b(t).]
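An added example (not from the lecture) tying together the LFSR definition, the linear-complexity definitions and the Geffe and threshold generators above: an LFSR implemented exactly as the stage definition describes, the Berlekamp-Massey algorithm (the standard way to compute L(s^n), which the slides define but do not show how to compute), and the two combination generators, whose measured linear complexity is compared with the formulas. The three primitive feedback polynomials, the lengths 3, 4 and 5 and the initial states are choices made for this example.

```python
# Added example (not from the lecture slides): an LFSR following the stage
# definition above, the Berlekamp-Massey algorithm to measure linear
# complexity, and Geffe / threshold combination generators built from three
# such LFSRs so their linear complexity can be checked against the formulas.
# Feedback polynomials, lengths and initial states are chosen for the example.

def lfsr_step(taps, state):
    """One clock of an LFSR of length L = len(state): stage 0 is the output,
    contents shift down one stage, and stage L-1 receives the XOR of the
    stages listed in `taps` (the fixed subset in the definition)."""
    fb = 0
    for t in taps:
        fb ^= state[t]
    return state[1:] + [fb]

def lfsr_bits(taps, state, n):
    """First n output bits of the LFSR started from `state`."""
    out, st = [], list(state)
    for _ in range(n):
        out.append(st[0])
        st = lfsr_step(taps, st)
    return out

def lfsr_period(taps, state):
    """Clocks until the register returns to `state` (2^L - 1 for a primitive
    feedback polynomial and any non-zero state)."""
    st, n = lfsr_step(taps, list(state)), 1
    while st != list(state):
        st, n = lfsr_step(taps, st), n + 1
    return n

def taps_for_poly(L, exponents):
    """Connection polynomial C(D) = 1 + sum of D^e over `exponents` (e >= 1):
    feedback s_j = XOR of s_(j-e), and s_(j-e) is held in stage L - e."""
    return [L - e for e in exponents]

def berlekamp_massey(s):
    """Linear complexity L(s^n) of a finite binary sequence: the length of the
    shortest LFSR generating it (equals L(s) once n >= 2 L(s))."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n    # current and previous connection polys
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:                               # discrepancy: C(D) <- C(D) + D^(i-m) B(D)
            t = c[:]
            for j in range(n + 1 - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:                  # the shortest LFSR must grow
                L, m, b = i + 1 - L, i, t
    return L

# Three maximum-length LFSRs with pairwise distinct lengths 3, 4, 5:
R1 = (taps_for_poly(3, [1, 3]), [1, 0, 0])        # x^3 + x + 1, primitive
R2 = (taps_for_poly(4, [1, 4]), [1, 0, 0, 0])     # x^4 + x + 1, primitive
R3 = (taps_for_poly(5, [2, 5]), [1, 0, 0, 0, 0])  # x^5 + x^2 + 1, primitive

def geffe(n):
    """b = (a1 AND a2) XOR ((NOT a1) AND a3): LFSR-1 selects LFSR-2 or LFSR-3."""
    a1, a2, a3 = (lfsr_bits(*r, n) for r in (R1, R2, R3))
    return [(x & y) ^ ((x ^ 1) & z) for x, y, z in zip(a1, a2, a3)]

def threshold(n):
    """Majority of the three LFSR outputs: (a1 a2) XOR (a1 a3) XOR (a2 a3)."""
    a1, a2, a3 = (lfsr_bits(*r, n) for r in (R1, R2, R3))
    return [(x & y) ^ (x & z) ^ (y & z) for x, y, z in zip(a1, a2, a3)]

def xor_seq(s, t):
    """Bitwise XOR of two sequences, for checking L(s XOR t) <= L(s) + L(t)."""
    return [x ^ y for x, y in zip(s, t)]
```

With these lengths the Geffe output should have linear complexity 3·4 + 3·5 + 5 = 32 and the threshold output 3·4 + 3·5 + 4·5 = 47; Berlekamp-Massey needs at least twice that many output bits to measure it, and it also reproduces the small properties listed above (the sequence 0, 0, 0, 1 has complexity 4, the zero sequence 0).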

Block Cipher : Introduction
• maps n-bit plaintext blocks to n-bit ciphertext blocks (n: block length)
• Use of plaintext and ciphertext of equal size avoids data expansion
• To allow unique decryption, the encryption function must be 1-1 (invertible)
• For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors
• Each key potentially defines a different bijection
• Definition:
• An n-bit block cipher is a function E : Vn × K → Vn such that for each key k ∈ K, E(P, k) is an invertible mapping (the encryption function for k) from Vn to Vn, written Ek(P). Here Vn is the set of n-bit vectors and K the key space.
• The inverse mapping is the decryption function, denoted Dk(C)
• C = Ek(P) denotes ciphertext C results from encrypting plaintext P under k
Practical security and complexity of attack
• Basic assumption
• (Kerckhoffs’ assumption) adversary knows all details of the encryption function except the secret key
• Classes of attacks
• ciphertext-only – no additional information is available
• known-plaintext – plaintext-ciphertext pairs are available
• chosen-plaintext – ciphertexts are available corresponding to plaintexts of the adversary’s choice
• adaptive chosen-plaintext – choice of plaintexts may depend on previous plaintext-ciphertext pairs

[Figure: ECB mode; encipherment cj = EK(xj) on n-bit blocks, decipherment x'j = E⁻¹K(cj) = xj.]

ECB(Electronic CodeBook) Mode
• Encryption: for 1 ≤ j ≤ t, cj ← EK(xj)
• Decryption: for 1 ≤ j ≤ t, xj ← DK(cj)
• Identical plaintext blocks (under the same key) result in identical ciphertext blocks, so repeated data is visible in the ciphertext
• blocks are enciphered independently of other blocks, so ciphertext blocks can be re-ordered or replaced without the decryptor noticing
• bit errors in a single ciphertext block affect decipherment of that block only

[Figure: CBC mode; encipherment cj = EK(cj−1 ⊕ xj) with c0 = IV, decipherment x'j = cj−1 ⊕ E⁻¹K(cj) = xj.]

CBC(Cipher-Block Chaining) Mode
• Encryption: c0 IV, cj EK(cj−1 xj)
• Decryption: c0 IV, xj cj−1  E−1K(cj)
• chaining causes ciphertext cj to depend on all preceding plaintext
• a single bit error in cj affects decipherment of blocks cj and cj+1
• self-synchronizing: error cj (not cj+1, cj+2) is correctly decrypted to xj+2.
• Can use as a MAC: x1, x2, . . . , xn, cn
CFB-r(Cipher FeedBack) Mode
• INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x1, …, xu (1 ≤ r ≤ n)
• OUTPUT: r-bit ciphertext blocks c1, …, cu
• Encryption: I1 ← IV (Ij is the input value held in an n-bit shift register). For 1 ≤ j ≤ u:
• Oj ← EK(Ij) (Compute the block cipher output)
• tj ← the r leftmost bits of Oj (Assume the leftmost is identified as bit 1)
• cj ← xj ⊕ tj (Transmit the r-bit ciphertext block cj)
• Ij+1 ← 2^r · Ij + cj mod 2^n (Shift cj into the right end of the shift register)
• Decryption: I1 ← IV. For 1 ≤ j ≤ u, upon receiving cj:

xj ← cj ⊕ tj, where tj, Oj and Ij are computed as above (the block cipher is used only in the forward direction; E⁻¹ is never needed)

CFB-r Mode (Cont'd)

[Figure: CFB-r mode; an n-bit shift register (I1 = IV), shifted r bits at a time, feeds E under key; the leftmost r bits of Oj are XORed with xj to give cj (encipherment) or with cj to give xj (decipherment), and cj is shifted into the register on both sides.]

Properties of the CFB-r
• re-ordering ciphertext blocks affects decryption
• one or more bit errors in any single r-bit ciphertext block cj affect the decipherment of that block and of the next ⌈n/r⌉ ciphertext blocks (until cj has been shifted out of the register)
• self-synchronizing similar to CBC, but requires ⌈n/r⌉ blocks to recover
• for r < n, throughput is decreased by a factor of n/r (one block cipher call per r bits of plaintext)
OFB(Output FeedBack) Mode with full(or r-bit) feedback
• INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x1, …, xu (1 ≤ r ≤ n)
• OUTPUT: r-bit ciphertext blocks c1, …, cu
• Encryption: I1 ← IV. For 1 ≤ j ≤ u, given plaintext block xj:
• Oj ← EK(Ij) (Compute the block cipher output)
• tj ← the r leftmost bits of Oj (Assume the leftmost is identified as bit 1)
• cj ← xj ⊕ tj (Transmit the r-bit ciphertext block cj)
• Full feedback (r = n): Ij+1 ← Oj (Update the block cipher input for the next block)
• r-bit feedback variant: Ij+1 ← 2^r · Ij + tj mod 2^n (shift the output tj into the right end of the shift register). Full feedback is the recommended form: with r < n the expected cycle length of the keystream is much shorter (on the order of 2^(n/2) rather than close to 2^n)
• Decryption: I1 ← IV. For 1 ≤ j ≤ u, upon receiving cj:

xj ← cj ⊕ tj, where tj, Oj and Ij are computed as above

OFB-r Mode

[Figure: OFB-r mode; E under key is applied to Ij (I1 = IV), the leftmost r bits of Oj are XORed with xj (encipherment) or with cj (decipherment), and Oj (or, in the r-bit shift-register variant, its leftmost r bits) is fed back as the next input.]

Properties of the OFB-r
• keystream is plaintext-independent (and ciphertext-independent), so it can be precomputed
• a bit error in cj affects the decipherment of only that character (the same bit position in xj is flipped)
• recovers from ciphertext bit errors, but cannot self-synchronize: a lost or inserted block desynchronises all subsequent blocks
• for r < n, throughput is decreased as per the CFB mode
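The four modes above, as an added example that is not part of the lecture: ECB, CBC, CFB with r = 8 and OFB with full feedback, written over an abstract block cipher E, followed by a check of how far a single flipped ciphertext bit propagates in each mode. The block cipher E is a stand-in assumed for this example (a 4-round Feistel network with a SHA-256 round function on 128-bit blocks) so that the code runs without a crypto library; it is a keyed permutation with an inverse D and nothing more, not a cipher anyone should deploy. Key, IV and plaintext are constructed.

```python
# Added example (not from the lecture slides): ECB, CBC, CFB-8 and OFB over an
# abstract n-bit block cipher E, plus a check of how far a single ciphertext
# bit error propagates in each mode. E is a stand-in assumed for the demo
# (a 4-round Feistel network with a SHA-256 round function, 128-bit block);
# it is only a keyed permutation with an inverse, not a recommended cipher.
import hashlib

N = 16                          # block length n = 128 bits = 16 bytes
ROUNDS = 4
MASK_N = (1 << (8 * N)) - 1     # reduction mod 2^n for the CFB shift register

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, r, half):
    """Assumed Feistel round function: keyed SHA-256 truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def E(key, block):
    """Encrypt one 16-byte block: (L, R) -> (R, L xor f(R)) per round."""
    L, R = block[:8], block[8:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _f(key, r, R))
    return L + R

def D(key, block):
    """Inverse of E: undo the rounds in reverse order."""
    L, R = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _f(key, r, L)), L
    return L + R

def blocks(data):
    return [data[i:i + N] for i in range(0, len(data), N)]

def ecb_encrypt(key, x):                 # cj = EK(xj)
    return b"".join(E(key, xj) for xj in blocks(x))

def ecb_decrypt(key, c):                 # xj = DK(cj)
    return b"".join(D(key, cj) for cj in blocks(c))

def cbc_encrypt(key, iv, x):             # cj = EK(c(j-1) xor xj), c0 = IV
    out, prev = [], iv
    for xj in blocks(x):
        prev = E(key, _xor(prev, xj)); out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, c):             # xj = c(j-1) xor DK(cj)
    out, prev = [], iv
    for cj in blocks(c):
        out.append(_xor(prev, D(key, cj))); prev = cj
    return b"".join(out)

def cfb8_crypt(key, iv, data, decrypt=False):
    """CFB with r = 8: Oj = EK(Ij), tj = leftmost 8 bits of Oj, cj = xj xor tj,
    I(j+1) = 2^r * Ij + cj mod 2^n (the ciphertext byte is shifted in)."""
    I, out = int.from_bytes(iv, "big"), bytearray()
    for byte in data:
        tj = E(key, I.to_bytes(N, "big"))[0]
        cj = byte if decrypt else byte ^ tj  # the register always takes ciphertext
        out.append(byte ^ tj)
        I = ((I << 8) | cj) & MASK_N
    return bytes(out)

def ofb_crypt(key, iv, data):
    """OFB with full feedback: Oj = EK(Ij), I(j+1) = Oj, cj = xj xor Oj.
    Encryption and decryption are the same operation."""
    out, I = [], iv
    for blk in blocks(data):
        O = E(key, I); out.append(_xor(blk, O)); I = O
    return b"".join(out)

KEY = b"constructed-demo-key"                            # constructed key
IV = bytes(range(16))                                    # constructed IV
MSG = bytes((i * 7 + 3) % 251 for i in range(6 * N))    # 6 constructed plaintext blocks

def damaged_bytes(original, recovered):
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]

def error_propagation(pos=2 * N + 3, mask=0x01):
    """Flip one ciphertext bit (byte `pos`, inside block 2) and report which
    plaintext byte positions decrypt incorrectly in each mode."""
    def flip(c):
        c = bytearray(c); c[pos] ^= mask; return bytes(c)
    return {
        "ECB": damaged_bytes(MSG, ecb_decrypt(KEY, flip(ecb_encrypt(KEY, MSG)))),
        "CBC": damaged_bytes(MSG, cbc_decrypt(KEY, IV, flip(cbc_encrypt(KEY, IV, MSG)))),
        "CFB-8": damaged_bytes(MSG, cfb8_crypt(KEY, IV, flip(cfb8_crypt(KEY, IV, MSG)), decrypt=True)),
        "OFB": damaged_bytes(MSG, ofb_crypt(KEY, IV, flip(ofb_crypt(KEY, IV, MSG)))),
    }

def ecb_leaks_repetition():
    """Identical plaintext blocks give identical ciphertext blocks under ECB."""
    c = blocks(ecb_encrypt(KEY, MSG[:N] * 2))
    return c[0] == c[1]
```

error_propagation() flips bit 0 of byte 35 (block 2). Expected damage per the property lists above: ECB, only block 2 (bytes 32 to 47); CBC, block 2 garbled plus exactly byte 51 in block 3 (the same bit position); CFB-8, byte 35 itself plus the next n/r = 16 bytes (36 to 51), after which the register has been refilled and decryption resynchronises; OFB, only byte 35.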
Other Block Ciphers
• FEAL
• Fast N-round block cipher (64-bit block, 64-bit key in the original FEAL-N), designed at NTT in Japan as a fast alternative to DES
• Has suffered many attacks; its cryptanalysis introduced new attack techniques on block ciphers (linear cryptanalysis was first published as an attack on FEAL)
• IDEA
• 64-bit block, 128-bit key, 8 rounds plus an output transformation
• Designed by Xuejia Lai and James Massey
• Mixes three incompatible algebraic operations on 16-bit words: multiplication mod 2^16 + 1, addition mod 2^16, and XOR
• SAFER, RC5, AES