Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 2 Stream Ciphers ver.

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 2 Stream Ciphers ver. October 29, 2009 These slides were prepared by Thomas Eisenbarth, Christof Paar and Jan Pelzl

Some legal stuff (sorry): Terms of Use The slides can be used free of charge. All copyrights for the slides remain with the authors. The title of the accompanying book Understanding Cryptography by Springer and the authors' names must remain on each slide. If the slides are modified, appropriate credits to the book authors and the book title must remain within the slides. It is not permitted to reproduce parts or all of the slides in printed form whatsoever without written consent by the authors. 2/27

Content of this Chapter Intro to stream ciphers Random number generators (RNGs) One-Time Pad (OTP) Linear feedback shift registers (LFSRs) Trivium: a modern stream cipher 3/27


Stream Ciphers in the Field of Cryptology [Diagram: Cryptology splits into Cryptography and Cryptanalysis; Cryptography into Symmetric Ciphers, Asymmetric Ciphers and Protocols; Symmetric Ciphers into Block Ciphers and Stream Ciphers] Stream Ciphers were invented in 1917 by Gilbert Vernam 5/27

Stream Cipher vs. Block Cipher Stream Ciphers: Encrypt bits individually. Usually small and fast, hence common in embedded devices (e.g., A5/1 for GSM phones). Block Ciphers: Always encrypt a full block (several bits). Are common for Internet applications 6/27

Encryption and Decryption with Stream Ciphers Plaintext $x_i$, ciphertext $y_i$ and key stream $s_i$ consist of individual bits. Encryption and decryption are simple additions modulo 2 (aka XOR). Encryption and decryption are the same functions. Encryption: $y_i = e_{s_i}(x_i) = x_i + s_i \bmod 2$. Decryption: $x_i = e_{s_i}(y_i) = y_i + s_i \bmod 2$, with $x_i, y_i, s_i \in \{0,1\}$ 7/27

Synchronous vs. Asynchronous Stream Cipher Security of a stream cipher depends entirely on the key stream $s_i$: Should be random, i.e., $\Pr(s_i = 0) = \Pr(s_i = 1) = 0.5$. Must be reproducible by sender and receiver. Synchronous Stream Cipher: Key stream depends only on the key (and possibly an initialization vector IV). Asynchronous Stream Cipher: Key stream depends also on the ciphertext (the dotted feedback path in the figure is enabled) 8/27

Why is Modulo 2 Addition a Good Encryption Function? Modulo 2 addition is equivalent to the XOR operation. For a perfectly random key stream $s_i$, each ciphertext output bit has a 50% chance to be 0 or 1: good statistical property for the ciphertext. Inverting XOR is simple, since it is the same XOR operation.
x_i  s_i  y_i
 0    0    0
 0    1    1
 1    0    1
 1    1    0
9/27

Stream Cipher: Throughput Performance comparison of symmetric ciphers (Pentium 4):
Cipher               Key length   Mbit/s
DES                  56           36.95
3DES                 112          13.32
AES                  128          51.19
RC4 (stream cipher)  (choosable)  211.34
Source: Zhao et al., Anatomy and Performance of SSL Processing, ISPASS 2005 10/27

Content of this Chapter Intro to stream ciphers Random number generators (RNGs) One-Time Pad (OTP) Linear feedback shift registers (LFSRs) Trivium: a modern stream cipher 11/27

Random number generators (RNGs) [Diagram: RNGs are classified into True RNGs and Pseudorandom NGs; Cryptographically Secure RNGs are a subclass of the Pseudorandom NGs] 12/27

True Random Number Generators (TRNGs) Based on physical random processes: coin flipping, dice rolling, semiconductor noise, radioactive decay, mouse movement, clock jitter of digital circuits. Output stream $s_i$ should have good statistical properties: $\Pr(s_i = 0) = \Pr(s_i = 1) = 50\%$ (often achieved by post-processing). Output can neither be predicted nor be reproduced. Typically used for generation of keys, nonces (used-only-once values) and for many other purposes 13/27

Pseudorandom Number Generator (PRNG) Generate sequences from an initial seed value. Typically, the output stream has good statistical properties. Output can be reproduced and can be predicted. Often computed in a recursive way: $s_0 = \text{seed}$, $s_{i+1} = f(s_i, s_{i-1}, \dots, s_{i-t})$. Example: rand() function in ANSI C: $s_0 = 12345$, $s_{i+1} = 1103515245\, s_i + 12345 \bmod 2^{31}$. Most PRNGs have bad cryptographic properties! 14/27

Cryptanalyzing a Simple PRNG Simple PRNG: Linear Congruential Generator $S_0 = \text{seed}$, $S_{i+1} = A S_i + B \bmod m$. Assume unknown $A$, $B$ and $S_0$ as key. Size of $A$, $B$ and $S_i$ to be 100 bit. 300 bit of output are known, i.e., $S_1$, $S_2$ and $S_3$. Solving $S_2 = A S_1 + B \bmod m$ and $S_3 = A S_2 + B \bmod m$ directly reveals $A$ and $B$. All $S_i$ can be computed easily! Bad cryptographic properties due to the linearity of most PRNGs 15/27
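The two-equation solution above, worked through as an added example that is not from the slides or the book: the modulus m is assumed known, the secret A, B and seed are constructed values of roughly the 100-bit size the slide describes, and the block reports the case where the difference S_2 - S_1 has no inverse modulo m.

```python
# Added example (not from the slides): recover the LCG parameters A and B from
# three consecutive outputs S_1, S_2, S_3, assuming the modulus m is known.

def lcg(seed, a, b, m, n):
    """Return the outputs S_1 .. S_n of S_{i+1} = A*S_i + B mod m."""
    out, s = [], seed
    for _ in range(n):
        s = (a * s + b) % m
        out.append(s)
    return out


def recover_lcg(s1, s2, s3, m):
    """Solve S_2 = A*S_1 + B and S_3 = A*S_2 + B (mod m) for (A, B).

    Subtracting the two equations removes B:
        S_3 - S_2 = A * (S_2 - S_1)  (mod m)
    so A = (S_3 - S_2) * (S_2 - S_1)^-1 mod m, then B = S_2 - A*S_1 mod m.
    The inverse exists only if gcd(S_2 - S_1, m) = 1; otherwise more outputs
    are needed, which we signal with ValueError.
    """
    d = (s2 - s1) % m
    try:
        d_inv = pow(d, -1, m)          # modular inverse (Python 3.8+)
    except ValueError as exc:
        raise ValueError("S_2 - S_1 is not invertible mod m") from exc
    a = ((s3 - s2) * d_inv) % m
    b = (s2 - a * s1) % m
    return a, b


def demo_recovery():
    """Constructed demo with ~100-bit parameters; True if the recovered (A, B)
    equal the secret ones and correctly predict the next output S_4."""
    m = 2**107 - 1                              # Mersenne prime M107: every
                                                # nonzero difference is invertible
    a_secret = 0x5DEECE66D1234567890ABCDEF      # constructed secret multiplier
    b_secret = 0x1234567890ABCDEF0FEDCBA98      # constructed secret increment
    seed = 0xCAFEBABE0000DEADBEEF               # constructed secret S_0
    s1, s2, s3, s4 = lcg(seed, a_secret, b_secret, m, 4)
    a, b = recover_lcg(s1, s2, s3, m)           # only S_1..S_3 are used
    return (a, b) == (a_secret, b_secret) and (a * s3 + b) % m == s4
```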

Cryptographically Secure Pseudorandom Number Generator (CSPRNG) Special PRNG with an additional property: Output must be unpredictable. More precisely: Given $n$ consecutive bits of output $s_i$, the following output bit $s_{n+1}$ cannot be predicted (in polynomial time). Needed in cryptography, in particular for stream ciphers. Remark: There are almost no other applications that need unpredictability, whereas many, many (technical) systems need PRNGs. 16/27

Content of this Chapter Intro to stream ciphers Random number generators (RNGs) One-Time Pad (OTP) Linear feedback shift registers (LFSRs) Trivium: a modern stream cipher 17/27

One-Time Pad (OTP) Unconditionally secure cryptosystem: A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources. One-Time Pad: A cryptosystem developed by Mauborgne that is based on Vernam's stream cipher. Properties: Let the plaintext, ciphertext and key consist of individual bits $x_i, y_i, k_i \in \{0,1\}$. Encryption: $e_{k_i}(x_i) = x_i \oplus k_i$. Decryption: $d_{k_i}(y_i) = y_i \oplus k_i$. OTP is unconditionally secure if and only if the key $k_i$ is used only once! 18/27

One-Time Pad (OTP) Unconditionally secure cryptosystem: $y_0 = x_0 \oplus k_0$, $y_1 = x_1 \oplus k_1$, ... Every equation is a linear equation with two unknowns, so for every $y_i$ the cases $x_i = 0$ and $x_i = 1$ are equiprobable! This is true iff $k_0, k_1, \dots$ are independent, i.e., all $k_i$ have to be generated truly random. It can be shown that this system provably cannot be solved. Disadvantage: For almost all applications the OTP is impractical since the key must be as long as the message! (Imagine you have to encrypt a 1 GByte email attachment.) 19/27

Content of this Chapter Intro to stream ciphers Random number generators (RNGs) One-Time Pad (OTP) Linear feedback shift registers (LFSRs) Trivium: a modern stream cipher 20/27

Linear Feedback Shift Registers (LFSRs) Concatenated flip-flops (FF), i.e., a shift register together with a feedback path. Feedback computes fresh input by XOR of certain state bits. Degree $m$ given by the number of storage elements. If $p_i = 1$, the feedback connection is present (closed switch), otherwise there is no feedback from this flip-flop (open switch). Output sequence repeats periodically. Maximum output length: $2^m - 1$ 21/27

Linear Feedback Shift Registers (LFSRs): Example with m=3 [Figure: three flip-flops FF2, FF1, FF0 driven by clk, the output being FF0 = $s_i$] LFSR output described by the recursive equation $s_{i+3} = s_{i+1} + s_i \bmod 2$. Maximum output length (of $2^3 - 1 = 7$) achieved only for certain feedback configurations, e.g., the one shown here.
clk  FF2  FF1  FF0 = s_i
 0    1    0    0
 1    0    1    0
 2    1    0    1
 3    1    1    0
 4    1    1    1
 5    0    1    1
 6    0    0    1
 7    1    0    0
 8    0    1    0
22/27

Security of LFSRs LFSRs are typically described by polynomials: $P(x) = x^m + p_{m-1} x^{m-1} + \dots + p_1 x + p_0$. Single LFSRs generate highly predictable output. If $2m$ output bits of an LFSR of degree $m$ are known, the feedback coefficients $p_i$ of the LFSR can be found by solving a system of linear equations*. Because of this, many stream ciphers use combinations of LFSRs. *See Chapter 2 of Understanding Cryptography for further details. 23/27
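An added example (not from the slides or the book) covering both the m=3 LFSR of the previous slide and the statement above: a generic LFSR driven by the coefficients $p_0, \dots, p_{m-1}$, and the recovery of those coefficients from $2m$ output bits by Gauss-Jordan elimination over GF(2), with the singular case (e.g. the all-zero state) reported rather than guessed. Bit-ordering convention (state list $s_0, \dots, s_{m-1}$, oldest first) is this example's own choice.

```python
# Added example (not from the slides): a generic LFSR of degree m and the
# recovery of its feedback coefficients p_0..p_{m-1} from 2m output bits.

def lfsr(coeffs, state, n):
    """Return the first n output bits s_0, s_1, ... of an LFSR.

    coeffs = [p_0..p_{m-1}] defines s_{i+m} = p_{m-1} s_{i+m-1} + ... + p_0 s_i mod 2,
    state  = [s_0..s_{m-1}] is the initial register content (oldest bit first).
    """
    m = len(coeffs)
    s = list(state)
    for i in range(n):
        s.append(sum(p * b for p, b in zip(coeffs, s[i:i + m])) % 2)
    return s[:n]


def recover_coeffs(bits):
    """Recover [p_0..p_{m-1}] from 2m consecutive output bits (m = len(bits)//2).

    Row i of the GF(2) system is s_{i+m} = p_0 s_i + ... + p_{m-1} s_{i+m-1},
    i = 0..m-1, solved by Gauss-Jordan elimination (row additions are XOR).
    Returns None if the m x m matrix is singular, e.g. for the all-zero sequence.
    """
    m = len(bits) // 2
    rows = [list(bits[i:i + m]) + [bits[i + m]] for i in range(m)]  # augmented
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]        # identity matrix | solution


def predict(bits, n):
    """Recover the LFSR from 2m known bits and return the n bits that follow."""
    coeffs = recover_coeffs(bits)
    if coeffs is None:
        return None
    m = len(coeffs)
    # Re-run the recovered LFSR, seeded with the last m known bits.
    return lfsr(coeffs, bits[-m:], m + n)[m:]


# The slide's m = 3 example: s_{i+3} = s_{i+1} + s_i, i.e. p_0 = p_1 = 1, p_2 = 0,
# started from (FF2, FF1, FF0) = (1, 0, 0), i.e. s_0 = 0, s_1 = 0, s_2 = 1.
SLIDE_SEQUENCE = lfsr([1, 1, 0], [0, 0, 1], 10)   # 0 0 1 0 1 1 1 0 0 1, period 7
```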

Content of this Chapter Intro to stream ciphers Random number generators (RNGs) One-Time Pad (OTP) Linear feedback shift registers (LFSRs) Trivium: a modern stream cipher 24/27

A Modern Stream Cipher - Trivium Three nonlinear LFSRs (NLFSRs) of length 93, 84, 111. XOR-sum of all three NLFSR outputs generates the key stream $s_i$. Small in hardware: total register count 288. Non-linearity: 3 AND gates. 7 XOR gates (4 with three inputs) 25/27

Trivium Initialization: Load 80-bit IV into A. Load 80-bit key into B. Set $c_{109}, c_{110}, c_{111} = 1$, all other bits 0. Warm-Up: Clock cipher 4 x 288 = 1152 times without generating output. Encryption: XOR-sum of all three NLFSR outputs generates the key stream $s_i$. Design can be parallelized to produce up to 64 bits of output per clock cycle.
Register  Length  Feedback bit  Feedforward bit  AND inputs
A         93      69            66               91, 92
B         84      78            69               82, 83
C         111     87            66               109, 110
26/27
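A bit-level model of the register table above, added here as an example and not code from the slides or from the Trivium designers: each clock computes the three feedforward values (register's feedforward bit XOR its last bit), XORs them into the key-stream bit, and feeds each register's next input from the previous register's feedforward value, its AND term and the register's own feedback bit. Loading follows the eSTREAM Trivium specification (key into the 93-bit register A, IV into the 84-bit register B), which is the reverse of the order the slide lists; the LSB-first byte packing in trivium_xor is this example's own assumption.

```python
# Added example (not from the slides): Trivium from the slide's register table.
# a[k-1], b[k-1], c[k-1] hold positions k (1-based, as in the table) of A, B, C.

WARMUP = 4 * 288   # clocks without output, as on the slide


def trivium_keystream(key, iv, n):
    """Return n key-stream bits for an 80-bit key and 80-bit IV (lists of 0/1)."""
    assert len(key) == 80 and len(iv) == 80
    a = list(key) + [0] * 13          # A: 93 bits (key loading per eSTREAM spec)
    b = list(iv) + [0] * 4            # B: 84 bits
    c = [0] * 108 + [1, 1, 1]         # C: 111 bits, positions 109..111 set to 1
    out = []
    for clock in range(WARMUP + n):
        # Feedforward value of each register: feedforward bit XOR last bit
        ta = a[65] ^ a[92]            # A positions 66, 93
        tb = b[68] ^ b[83]            # B positions 69, 84
        tc = c[65] ^ c[110]           # C positions 66, 111
        if clock >= WARMUP:
            out.append(ta ^ tb ^ tc)  # key-stream bit s_i (XOR-sum of outputs)
        # New input of each register: previous register's feedforward value,
        # that register's AND term (the only non-linearity), own feedback bit
        new_b = ta ^ (a[90] & a[91]) ^ b[77]    # A AND 91,92; B feedback 78
        new_c = tb ^ (b[81] & b[82]) ^ c[86]    # B AND 82,83; C feedback 87
        new_a = tc ^ (c[108] & c[109]) ^ a[68]  # C AND 109,110; A feedback 69
        a, b, c = [new_a] + a[:-1], [new_b] + b[:-1], [new_c] + c[:-1]
    return out


def trivium_xor(data, key, iv):
    """Encrypt or decrypt bytes (same operation) by XOR with the key stream.
    Key-stream bits are packed LSB-first into bytes (an assumption here)."""
    ks = trivium_keystream(key, iv, 8 * len(data))
    return bytes(byte ^ sum(ks[8 * i + j] << j for j in range(8))
                 for i, byte in enumerate(data))
```

No official test vectors are checked here; the block demonstrates the register structure, the warm-up and the XOR round trip, so validate against the eSTREAM vectors before relying on it for interoperability.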

Lessons Learned Stream ciphers are less popular than block ciphers in most domains such as Internet security. There are exceptions, for instance, the popular stream cipher RC4. Stream ciphers sometimes require fewer resources, e.g., code size or chip area, for implementation than block ciphers, and they are attractive for use in constrained environments such as cell phones. The requirements for a cryptographically secure pseudorandom number generator are far more demanding than the requirements for pseudorandom number generators used in other applications such as testing or simulation. The One-Time Pad is a provably secure symmetric cipher. However, it is highly impractical for most applications because the key length has to equal the message length. Single LFSRs make poor stream ciphers despite their good statistical properties. However, careful combinations of several LFSRs can yield strong ciphers. 27/27