SlideShare une entreprise Scribd logo

5 stream ciphers

Télécharger en tant que PPT, PDF
H
Harish Sahu
1  sur  35
Stream Ciphers Stream Ciphers
Stream Ciphers Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream cipher is initialized with short key  Key is “stretched” into long keystream  Keystream is used like a one-time pad o XOR to encrypt or decrypt  Stream cipher is a keystream generator  Usually, keystream is bits, sometimes bytes
Stream Ciphers Stream Cipher  Generic view of stream cipher QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers Stream Cipher  We consider 3 real stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong cipher, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — intermediate strength, unusual mathematical design, generates 1 byte/step  But first, we discuss shift registers
Stream Ciphers Shift Registers  Traditionally, stream ciphers were based on shift registers o Today, a wider variety of designs  Shift register includes o A series of stages each holding one bit o A feedback function  A linear feedback shift register (LFSR) has a linear feedback function
Stream Ciphers  Example (nonlinear) feedback function f(xi, xi+1, xi+2) = 1⊕ xi⊕xi+2⊕xi+1xi+2  Example (nonlinear) shift register  First 3 bits are initial fill: (x0, x1, x2) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Shift Register
Stream Ciphers LFSR  Example of LFSR  Then xi+5= xi⊕xi+2 for all i  If initial fill is (x0,x1,x2,x3,x4) = 01110 then (x0,x1,…,x15,…) = 0111010100001001… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers LFSR  For LFSR  We have xi+5= xi ⊕xi+2 for all i  Linear feedback functions often written in polynomial form: x5 + x2 + 1  Connection polynomial of the LFSR QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers Berlekamp-Massey Algorithm  Given (part of) a (periodic) sequence, can find shortest LFSR that could generate the sequence  Berlekamp-Massey algorithm o Order N2 , where N is length of LFSR o Iterative algorithm o Only 2N consecutive bits required
Stream Ciphers Berlekamp-Massey Algorithm  Binary sequence: s = (s0,s1,s2,…,sn-1)  Linear complexity of s is the length of shortest LFSR that can generate s  Let L be linear complexity of s  Then connection polynomial of s is of form C(x) = c0+ c1x + c2x2 + … + cLxL  Berlekamp-Massey finds L and C(x) o Algorithm on next slide (where d is known as the discrepancy)
Stream Ciphers Berlekamp-Massey Algorithm
Stream Ciphers Berlekamp-Massey Algorithm  Example:
Stream Ciphers Berlekamp-Massey Algorithm  Berlekamp-Massey is efficient way to determine minimal LFSR for sequence  With known plaintext, keystream bits of stream cipher are exposed  With enough keystream bits, can use Berlekamp-Massey to find entire keystream o 2L bits is enough, where L is linear complexity of the keystream  Keystream must have large linear complexity
Stream Ciphers Cryptographically Strong Sequences  A sequence is cryptographically strong if it is a “good” keystream o “Good” relative to some specified criteria  Crypto strong sequence must be unpredictable o Known plaintext exposes part of keystream o Trudy must not be able to determine more of the keystream from a short segment  Small linear complexity implies predictable o Due to Berlekamp-Massey algorithm
Stream Ciphers Crypto Strong Sequences  Necessary for a cryptographically strong keystream to have a high linear complexity  But not sufficient!  Why? Consider s = (s0,s1,…,sn-1) = 00…01  Then s has linear complexity n o Smallest shift register for s requires n stages o Largest possible for sequence of period n o But s is not cryptographically strong  Linear complexity “concentrated” in last bit
Stream Ciphers Linear Complexity Profile  Linear complexity profile is a better measure of cryptographic strength  Plot linear complexity as function of bits processed in Berlekamp-Massey algorithm o Should follow n/2 line “closely but irregularly”  Plot of sequence s = (s0,s1,…,sn-1) = 00…01 would be 0 until last bit, then jumps to n o Does not follow n/2 line “closely but irregularly” o Not a strong sequence (by this definition)
Stream Ciphers Linear Complexity Profile  A “good” linear complexity profile QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers k-error Linear Complexity Profile  Alternative way to measure cryptographically strong sequences  Consider again s = (s0,s1,…,sn-1) = 00…01  This s has max linear complexity, but it is only 1 bit away from having min linear complexity  k-error linear complexity is min complexity of any sequence that is “distance” k from s  1-error linear complexity of s = 00…01 is 0 o Linear complexity of this sequence is “unstable”
Stream Ciphers QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. k-error Linear Complexity Profile  k-error linear complexity profile o k-error linear complexity as function of k  Example: o Not a strong s o Good profile should follow diagonal “closely”
Stream Ciphers Crypto Strong Sequences  Linear complexity must be “large”  Linear complexity profile must n/2 line “closely but irregularly”  k-error linear complexity profile must follow diagonal line “closely”  All of this is necessary but not sufficient for crypto strength!
Stream Ciphers Shift Register-Based Stream Ciphers  Two approaches to LFSR-based stream ciphers o One LFSR with nonlinear combining function o Multiple LFSRs combined via nonlinear func  In either case o Key is initial fill of LFSRs o Keystream is output of nonlinear combining function
Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o 1 LFSR with nonlinear function f(x0,x1,…,xn-1) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  Keystream: k0,k1,k2,…
Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o Multiple LFSRs with nonlinear function  Keystream: k0,k1,k2,… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
Stream Ciphers Shift Register-Based Stream Ciphers  Single LFSR example is special case of multiple LFSR example  To convert single LFSR case to multiple o Let LFSR0,…LFSRn-1 be same as LFSR o Initial fill of LFSR0 is initial fill of LFSR o Initial fill of LFSR1 is initial fill of LFSR stepped once o And so on…
Stream Ciphers Correlation Attack  Trudy obtains some segment of keystream from LFSR stream cipher o Of the type considered on previous slides  Can assume stream cipher is the multiple shift register case o If not, convert it to this case  By Kerckhoffs Principle, we assume shift registers and combining function known  Only unknown is the key o The key consists of LFSR initial fills
Stream Ciphers Correlation Attack  Trudy wants to recover LFSR initial fills o She knows all connection polynomials and nonlinear combining function o She also knows N keystream bits, k0,k1,…,kN-1  Sometimes possible to determine initial fills of the LFSRs independently o By correlating each LFSR output to keystream o A classic divide and conquer attack
Stream Ciphers Correlation Attack  For example, suppose keystream generator is of the form: QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  And f(x,y,z) = xy ⊕ yz ⊕ z  Note that key is 12 bits, initial fills
Stream Ciphers Correlation Attack  For stream cipher on previous slide  Suppose initial fills are o X = 011, Y = 0101, Z = 11100 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 yi 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 zi 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 bits i = 0,1,2,…23
Stream Ciphers Correlation Attack  Consider truth table for combining function: f(x,y,z) = xy ⊕ yz ⊕ z  Easy to show that f(x,y,z) = x with probability 3/4 f(x,y,z) = z with probability 3/4  Trudy can use this to recover initial fills from known keystream
Stream Ciphers Correlation Attack  Trudy sees keystream in table  Trudy wants to find initial fills  She guesses X = 111, generates first 24 bits of putative X, compares to ki ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1  Trudy finds 12 out of 24 matches  As expected in random case
Stream Ciphers Correlation Attack  Now suppose Trudy guesses correct fill, X = 011  First 24 bits of X (and keystream) ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1  Trudy finds 21 out of 24 matches  Expect 3/4 matches in causal case  Trudy has found initial fill of X
Stream Ciphers Correlation Attack  How much work is this attack? o The X,Y,Z fills are 3,4,5 bits, respectively  We need to try about half of the initial fills before we find X  Then we try about half of the fills for Y  Then about half of Z fills  Work is 22 + 23 + 24 < 25  Exhaustive key search work is 211
Stream Ciphers Correlation Attack  Work factor in general…  Suppose n LFSRs o Of lengths N0,N1,…,Nn-1  Correlation attack work is  Work for exhaustive key search is
Stream Ciphers Conclusions  Keystreams must be cryptographically strong o Crucial property: unpredictable  Lots of theory available for LFSRs o Berlekamp-Massey algorithm o Nice mathematical theory exists  LFSRs can be used to make stream ciphers o LFSR-based stream ciphers must be correlation immune o Depends on properties of function f
Stream Ciphers Coming Attractions  Consider attacks on 3 stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — medium strength, unusual design, generates 1 byte/step

Recommandé

[기초개념] Graph Convolutional Network (GCN)
[기초개념] Graph Convolutional Network (GCN)[기초개념] Graph Convolutional Network (GCN)
[기초개념] Graph Convolutional Network (GCN)Donghyeon Kim
 
MPEG video compression standard
MPEG video compression standardMPEG video compression standard
MPEG video compression standardanuragjagetiya
 
Introduction of Deep Reinforcement Learning
Introduction of Deep Reinforcement LearningIntroduction of Deep Reinforcement Learning
Introduction of Deep Reinforcement LearningNAVER Engineering
 
Multiprocessor Game Loops: Lessons from Uncharted 2: Among Thieves
Multiprocessor Game Loops: Lessons from Uncharted 2: Among ThievesMultiprocessor Game Loops: Lessons from Uncharted 2: Among Thieves
Multiprocessor Game Loops: Lessons from Uncharted 2: Among ThievesNaughty Dog
 
Digital Image Processing
Digital Image ProcessingDigital Image Processing
Digital Image ProcessingShaleen Saini
 
Bit plane coding
Bit plane codingBit plane coding
Bit plane codingpriyadharshini murugan
 
Image Compression
Image CompressionImage Compression
Image CompressionParamjeet Singh Jamwal
 
Iain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson
 

Recommandé

[기초개념] Graph Convolutional Network (GCN)
[기초개념] Graph Convolutional Network (GCN)[기초개념] Graph Convolutional Network (GCN)
[기초개념] Graph Convolutional Network (GCN)Donghyeon Kim
 
MPEG video compression standard
MPEG video compression standardMPEG video compression standard
MPEG video compression standardanuragjagetiya
 
Introduction of Deep Reinforcement Learning
Introduction of Deep Reinforcement LearningIntroduction of Deep Reinforcement Learning
Introduction of Deep Reinforcement LearningNAVER Engineering
 
Multiprocessor Game Loops: Lessons from Uncharted 2: Among Thieves
Multiprocessor Game Loops: Lessons from Uncharted 2: Among ThievesMultiprocessor Game Loops: Lessons from Uncharted 2: Among Thieves
Multiprocessor Game Loops: Lessons from Uncharted 2: Among ThievesNaughty Dog
 
Digital Image Processing
Digital Image ProcessingDigital Image Processing
Digital Image ProcessingShaleen Saini
 
Bit plane coding
Bit plane codingBit plane coding
Bit plane codingpriyadharshini murugan
 
Image Compression
Image CompressionImage Compression
Image CompressionParamjeet Singh Jamwal
 
Iain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson: An Introduction to Video Compression
Iain Richardson: An Introduction to Video CompressionIain Richardson
 
Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...
Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...
Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...Win Yu
 
스키닝 애니메이션
스키닝 애니메이션스키닝 애니메이션
스키닝 애니메이션sung suk seo
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Codinganithabalaprabhu
 
Graph Convolutional Neural Networks
Graph Convolutional Neural Networks Graph Convolutional Neural Networks
Graph Convolutional Neural Networks 신동 강
 
매쉬 베이크 마스터리
매쉬 베이크 마스터리매쉬 베이크 마스터리
매쉬 베이크 마스터리Jooyoung Yi
 
Memristors and their potential applications 2012
Memristors and their potential applications 2012Memristors and their potential applications 2012
Memristors and their potential applications 2012Md Kafiul Islam
 
1 AUDIO SIGNAL PROCESSING
1 AUDIO SIGNAL PROCESSING1 AUDIO SIGNAL PROCESSING
1 AUDIO SIGNAL PROCESSINGmukesh bhardwaj
 
Attention
AttentionAttention
AttentionSEMINARGROOT
 
Word embeddings, RNN, GRU and LSTM
Word embeddings, RNN, GRU and LSTMWord embeddings, RNN, GRU and LSTM
Word embeddings, RNN, GRU and LSTMDivya Gera
 
Depthwise separable convolution
Depthwise separable convolutionDepthwise separable convolution
Depthwise separable convolutionDong-Won Shin
 
Sequence Modelling with Deep Learning
Sequence Modelling with Deep LearningSequence Modelling with Deep Learning
Sequence Modelling with Deep LearningNatasha Latysheva
 
Graph Neural Network (한국어)
Graph Neural Network (한국어)Graph Neural Network (한국어)
Graph Neural Network (한국어)Jungwon Kim
 
Bilinear z transformaion
Bilinear z transformaionBilinear z transformaion
Bilinear z transformaionNguyen Si Phuoc
 
H261
H261H261
H261Videoguy
 
Windowing techniques of fir filter design
Windowing techniques of fir filter designWindowing techniques of fir filter design
Windowing techniques of fir filter designRohan Nagpal
 
Arithmetic coding
Arithmetic codingArithmetic coding
Arithmetic codingVikas Goyal
 
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen..."Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...Edge AI and Vision Alliance
 
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기동석 김
 
강화학습의 흐름도 Part 1
강화학습의 흐름도 Part 1강화학습의 흐름도 Part 1
강화학습의 흐름도 Part 1Dongmin Lee
 
Decima Engine: Visibility in Horizon Zero Dawn
Decima Engine: Visibility in Horizon Zero DawnDecima Engine: Visibility in Horizon Zero Dawn
Decima Engine: Visibility in Horizon Zero DawnGuerrilla
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Isaac stream cipher
Isaac stream cipherIsaac stream cipher
Isaac stream cipherAnoop Betigeri
 

Contenu connexe

Tendances

Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...
Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...
Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...Win Yu
 
스키닝 애니메이션
스키닝 애니메이션스키닝 애니메이션
스키닝 애니메이션sung suk seo
 
Graph Convolutional Neural Networks
Graph Convolutional Neural Networks Graph Convolutional Neural Networks
Graph Convolutional Neural Networks 신동 강
 
매쉬 베이크 마스터리
매쉬 베이크 마스터리매쉬 베이크 마스터리
매쉬 베이크 마스터리Jooyoung Yi
 
Memristors and their potential applications 2012
Memristors and their potential applications 2012Memristors and their potential applications 2012
Memristors and their potential applications 2012Md Kafiul Islam
 
1 AUDIO SIGNAL PROCESSING
1 AUDIO SIGNAL PROCESSING1 AUDIO SIGNAL PROCESSING
1 AUDIO SIGNAL PROCESSINGmukesh bhardwaj
 
Word embeddings, RNN, GRU and LSTM
Word embeddings, RNN, GRU and LSTMWord embeddings, RNN, GRU and LSTM
Word embeddings, RNN, GRU and LSTMDivya Gera
 
Depthwise separable convolution
Depthwise separable convolutionDepthwise separable convolution
Depthwise separable convolutionDong-Won Shin
 
Sequence Modelling with Deep Learning
Sequence Modelling with Deep LearningSequence Modelling with Deep Learning
Sequence Modelling with Deep LearningNatasha Latysheva
 
Graph Neural Network (한국어)
Graph Neural Network (한국어)Graph Neural Network (한국어)
Graph Neural Network (한국어)Jungwon Kim
 
Bilinear z transformaion
Bilinear z transformaionBilinear z transformaion
Bilinear z transformaionNguyen Si Phuoc
 
Windowing techniques of fir filter design
Windowing techniques of fir filter designWindowing techniques of fir filter design
Windowing techniques of fir filter designRohan Nagpal
 
Arithmetic coding
Arithmetic codingArithmetic coding
Arithmetic codingVikas Goyal
 
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen..."Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...Edge AI and Vision Alliance
 
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기동석 김
 
강화학습의 흐름도 Part 1
강화학습의 흐름도 Part 1강화학습의 흐름도 Part 1
강화학습의 흐름도 Part 1Dongmin Lee
 
Decima Engine: Visibility in Horizon Zero Dawn
Decima Engine: Visibility in Horizon Zero DawnDecima Engine: Visibility in Horizon Zero Dawn
Decima Engine: Visibility in Horizon Zero DawnGuerrilla
 

Tendances (20)

Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...
Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...
Recognition of Partially Occluded Face Using Gradientface and Local Binary Pa...
 
스키닝 애니메이션
스키닝 애니메이션스키닝 애니메이션
스키닝 애니메이션
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
 
Graph Convolutional Neural Networks
Graph Convolutional Neural Networks Graph Convolutional Neural Networks
Graph Convolutional Neural Networks
 
매쉬 베이크 마스터리
매쉬 베이크 마스터리매쉬 베이크 마스터리
매쉬 베이크 마스터리
 
Memristors and their potential applications 2012
Memristors and their potential applications 2012Memristors and their potential applications 2012
Memristors and their potential applications 2012
 
1 AUDIO SIGNAL PROCESSING
1 AUDIO SIGNAL PROCESSING1 AUDIO SIGNAL PROCESSING
1 AUDIO SIGNAL PROCESSING
 
Attention
AttentionAttention
Attention
 
Word embeddings, RNN, GRU and LSTM
Word embeddings, RNN, GRU and LSTMWord embeddings, RNN, GRU and LSTM
Word embeddings, RNN, GRU and LSTM
 
Depthwise separable convolution
Depthwise separable convolutionDepthwise separable convolution
Depthwise separable convolution
 
Sequence Modelling with Deep Learning
Sequence Modelling with Deep LearningSequence Modelling with Deep Learning
Sequence Modelling with Deep Learning
 
Graph Neural Network (한국어)
Graph Neural Network (한국어)Graph Neural Network (한국어)
Graph Neural Network (한국어)
 
Bilinear z transformaion
Bilinear z transformaionBilinear z transformaion
Bilinear z transformaion
 
H261
H261H261
H261
 
Windowing techniques of fir filter design
Windowing techniques of fir filter designWindowing techniques of fir filter design
Windowing techniques of fir filter design
 
Arithmetic coding
Arithmetic codingArithmetic coding
Arithmetic coding
 
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen..."Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...
"Using Deep Learning for Video Event Detection on a Compute Budget," a Presen...
 
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기
[Ndc13]Ndc 2013 김동석:UDK로 물리기반 셰이더 만들기
 
강화학습의 흐름도 Part 1
강화학습의 흐름도 Part 1강화학습의 흐름도 Part 1
강화학습의 흐름도 Part 1
 
Decima Engine: Visibility in Horizon Zero Dawn
Decima Engine: Visibility in Horizon Zero DawnDecima Engine: Visibility in Horizon Zero Dawn
Decima Engine: Visibility in Horizon Zero Dawn
 

En vedette

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Поисковый отряд "Звезда"
Поисковый отряд "Звезда"Поисковый отряд "Звезда"
Поисковый отряд "Звезда"Денис Лонский
 
Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)Jose Beltran
 
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITEDNEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITEDDr. Henry Akpojubaro Efegbere
 
Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01Ritika Sharma
 
Closed Door project
Closed Door projectClosed Door project
Closed Door projectGerry Hannah
 
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...Dr. Henry Akpojubaro Efegbere
 
Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"Денис Лонский
 
Upper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 PresentationUpper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 Presentationwapinskysmiths
 
Tier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakersTier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakersHannah Pegram
 
Lambing lunch-GFAVS lecture
Lambing lunch-GFAVS lectureLambing lunch-GFAVS lecture
Lambing lunch-GFAVS lectureHannah Pegram
 
Stream ciphers
Stream ciphersStream ciphers
Stream ciphersdegarden
 
Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability Md Boby Sabur
 

En vedette (20)

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentation
 
Isaac stream cipher
Isaac stream cipherIsaac stream cipher
Isaac stream cipher
 
Gsm Security and Attacks
Gsm Security and AttacksGsm Security and Attacks
Gsm Security and Attacks
 
Поисковый отряд "Звезда"
Поисковый отряд "Звезда"Поисковый отряд "Звезда"
Поисковый отряд "Звезда"
 
constitution-1
constitution-1constitution-1
constitution-1
 
Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)Jose Eugenio Beltran Pantoja english nuevo (4)
Jose Eugenio Beltran Pantoja english nuevo (4)
 
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITEDNEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
NEWEST CONSTITUTION OF CASHVILLE MULTI-PURPOSE COOPERATIVE SOCIETY LIMITED
 
презентация2
презентация2презентация2
презентация2
 
Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01Goodtogreat 150222012854-conversion-gate01
Goodtogreat 150222012854-conversion-gate01
 
Closed Door project
Closed Door projectClosed Door project
Closed Door project
 
DRAMATIC LEADERSHIP
DRAMATIC LEADERSHIPDRAMATIC LEADERSHIP
DRAMATIC LEADERSHIP
 
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
ARTICLES FOR PRESENTATION AT ACEDCAMDS BY THE CASHVILLE GROUP OF COMPANIES AN...
 
Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"Поисковый Отряд "Звезда"
Поисковый Отряд "Звезда"
 
korjaamo
korjaamokorjaamo
korjaamo
 
Upper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 PresentationUpper Class White Women Powerpoint week 5 Presentation
Upper Class White Women Powerpoint week 5 Presentation
 
Tier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakersTier 1 presentation - AV blocks and pacemakers
Tier 1 presentation - AV blocks and pacemakers
 
factoring
factoringfactoring
factoring
 
Lambing lunch-GFAVS lecture
Lambing lunch-GFAVS lectureLambing lunch-GFAVS lecture
Lambing lunch-GFAVS lecture
 
Stream ciphers
Stream ciphersStream ciphers
Stream ciphers
 
Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability Effect of Corruption on Natural Disaster Vulnerability
Effect of Corruption on Natural Disaster Vulnerability
 

Similaire à 5 stream ciphers

Computer security
Computer securityComputer security
Computer securityFraboni Ec
 
Computer security
Computer security Computer security
Computer security Harry Potter
 
Computer security
Computer security Computer security
Computer security Tony Nguyen
 
Computer security
Computer securityComputer security
Computer securityDavid Hoen
 
Computer security
Computer securityComputer security
Computer securityJames Wong
 
Block Cipher vs. Stream Cipher
Block Cipher vs. Stream CipherBlock Cipher vs. Stream Cipher
Block Cipher vs. Stream CipherAmirul Wiramuda
 
Programmable PN Sequence Generators
Programmable PN Sequence GeneratorsProgrammable PN Sequence Generators
Programmable PN Sequence GeneratorsRajesh Singh
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practiceFraboni Ec
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceLuis Goldster
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practiceJames Wong
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceTony Nguyen
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceDavid Hoen
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceHarry Potter
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practiceYoung Alista
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGjulien pauli
 
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;Vishalkumarec
 

Similaire à 5 stream ciphers (20)

Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer security Computer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer security Computer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Computer security
Computer securityComputer security
Computer security
 
Block Cipher vs. Stream Cipher
Block Cipher vs. Stream CipherBlock Cipher vs. Stream Cipher
Block Cipher vs. Stream Cipher
 
Programmable PN Sequence Generators
Programmable PN Sequence GeneratorsProgrammable PN Sequence Generators
Programmable PN Sequence Generators
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Crypto theory practice
Crypto theory practiceCrypto theory practice
Crypto theory practice
 
Rsa encryption
Rsa encryptionRsa encryption
Rsa encryption
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNG
 
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
Thesis : &quot;IBBET : In Band Bandwidth Estimation for LAN&quot;
 

5 stream ciphers

  • 2. Stream Ciphers Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream cipher is initialized with short key  Key is “stretched” into long keystream  Keystream is used like a one-time pad o XOR to encrypt or decrypt  Stream cipher is a keystream generator  Usually, keystream is bits, sometimes bytes
  • 3. Stream Ciphers Stream Cipher  Generic view of stream cipher QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 4. Stream Ciphers Stream Cipher  We consider 3 real stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong cipher, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — intermediate strength, unusual mathematical design, generates 1 byte/step  But first, we discuss shift registers
  • 5. Stream Ciphers Shift Registers  Traditionally, stream ciphers were based on shift registers o Today, a wider variety of designs  Shift register includes o A series of stages each holding one bit o A feedback function  A linear feedback shift register (LFSR) has a linear feedback function
  • 6. Stream Ciphers  Example (nonlinear) feedback function f(xi, xi+1, xi+2) = 1⊕ xi⊕xi+2⊕xi+1xi+2  Example (nonlinear) shift register  First 3 bits are initial fill: (x0, x1, x2) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Shift Register
  • 7. Stream Ciphers LFSR  Example of LFSR  Then xi+5= xi⊕xi+2 for all i  If initial fill is (x0,x1,x2,x3,x4) = 01110 then (x0,x1,…,x15,…) = 0111010100001001… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 8. Stream Ciphers LFSR  For LFSR  We have xi+5= xi ⊕xi+2 for all i  Linear feedback functions often written in polynomial form: x5 + x2 + 1  Connection polynomial of the LFSR QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 9. Stream Ciphers Berlekamp-Massey Algorithm  Given (part of) a (periodic) sequence, can find shortest LFSR that could generate the sequence  Berlekamp-Massey algorithm o Order N2 , where N is length of LFSR o Iterative algorithm o Only 2N consecutive bits required
  • 10. Stream Ciphers Berlekamp-Massey Algorithm  Binary sequence: s = (s0,s1,s2,…,sn-1)  Linear complexity of s is the length of shortest LFSR that can generate s  Let L be linear complexity of s  Then connection polynomial of s is of form C(x) = c0+ c1x + c2x2 + … + cLxL  Berlekamp-Massey finds L and C(x) o Algorithm on next slide (where d is known as the discrepancy)
  • 13. Stream Ciphers Berlekamp-Massey Algorithm  Berlekamp-Massey is efficient way to determine minimal LFSR for sequence  With known plaintext, keystream bits of stream cipher are exposed  With enough keystream bits, can use Berlekamp-Massey to find entire keystream o 2L bits is enough, where L is linear complexity of the keystream  Keystream must have large linear complexity
  • 14. Stream Ciphers Cryptographically Strong Sequences  A sequence is cryptographically strong if it is a “good” keystream o “Good” relative to some specified criteria  Crypto strong sequence must be unpredictable o Known plaintext exposes part of keystream o Trudy must not be able to determine more of the keystream from a short segment  Small linear complexity implies predictable o Due to Berlekamp-Massey algorithm
  • 15. Stream Ciphers Crypto Strong Sequences  Necessary for a cryptographically strong keystream to have a high linear complexity  But not sufficient!  Why? Consider s = (s0,s1,…,sn-1) = 00…01  Then s has linear complexity n o Smallest shift register for s requires n stages o Largest possible for sequence of period n o But s is not cryptographically strong  Linear complexity “concentrated” in last bit
  • 16. Stream Ciphers Linear Complexity Profile  Linear complexity profile is a better measure of cryptographic strength  Plot linear complexity as function of bits processed in Berlekamp-Massey algorithm o Should follow n/2 line “closely but irregularly”  Plot of sequence s = (s0,s1,…,sn-1) = 00…01 would be 0 until last bit, then jumps to n o Does not follow n/2 line “closely but irregularly” o Not a strong sequence (by this definition)
  • 17. Stream Ciphers Linear Complexity Profile  A “good” linear complexity profile QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 18. Stream Ciphers k-error Linear Complexity Profile  Alternative way to measure cryptographically strong sequences  Consider again s = (s0,s1,…,sn-1) = 00…01  This s has max linear complexity, but it is only 1 bit away from having min linear complexity  k-error linear complexity is min complexity of any sequence that is “distance” k from s  1-error linear complexity of s = 00…01 is 0 o Linear complexity of this sequence is “unstable”
  • 19. Stream Ciphers QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. k-error Linear Complexity Profile  k-error linear complexity profile o k-error linear complexity as function of k  Example: o Not a strong s o Good profile should follow diagonal “closely”
  • 20. Stream Ciphers Crypto Strong Sequences  Linear complexity must be “large”  Linear complexity profile must n/2 line “closely but irregularly”  k-error linear complexity profile must follow diagonal line “closely”  All of this is necessary but not sufficient for crypto strength!
  • 21. Stream Ciphers Shift Register-Based Stream Ciphers  Two approaches to LFSR-based stream ciphers o One LFSR with nonlinear combining function o Multiple LFSRs combined via nonlinear func  In either case o Key is initial fill of LFSRs o Keystream is output of nonlinear combining function
  • 22. Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o 1 LFSR with nonlinear function f(x0,x1,…,xn-1) QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  Keystream: k0,k1,k2,…
  • 23. Stream Ciphers Shift Register-Based Stream Ciphers  LFSR-based stream cipher o Multiple LFSRs with nonlinear function  Keystream: k0,k1,k2,… QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 24. Stream Ciphers Shift Register-Based Stream Ciphers  Single LFSR example is special case of multiple LFSR example  To convert single LFSR case to multiple o Let LFSR0,…LFSRn-1 be same as LFSR o Initial fill of LFSR0 is initial fill of LFSR o Initial fill of LFSR1 is initial fill of LFSR stepped once o And so on…
  • 25. Stream Ciphers Correlation Attack  Trudy obtains some segment of keystream from LFSR stream cipher o Of the type considered on previous slides  Can assume stream cipher is the multiple shift register case o If not, convert it to this case  By Kerckhoffs Principle, we assume shift registers and combining function known  Only unknown is the key o The key consists of LFSR initial fills
  • 26. Stream Ciphers Correlation Attack  Trudy wants to recover LFSR initial fills o She knows all connection polynomials and nonlinear combining function o She also knows N keystream bits, k0,k1,…,kN-1  Sometimes possible to determine initial fills of the LFSRs independently o By correlating each LFSR output to keystream o A classic divide and conquer attack
  • 27. Stream Ciphers Correlation Attack  For example, suppose keystream generator is of the form: QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.  And f(x,y,z) = xy ⊕ yz ⊕ z  Note that key is 12 bits, initial fills
  • 28. Stream Ciphers Correlation Attack  For stream cipher on previous slide  Suppose initial fills are o X = 011, Y = 0101, Z = 11100 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 yi 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 1 0 zi 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 bits i = 0,1,2,…23
  • 29. Stream Ciphers Correlation Attack  Consider truth table for combining function: f(x,y,z) = xy ⊕ yz ⊕ z  Easy to show that f(x,y,z) = x with probability 3/4 f(x,y,z) = z with probability 3/4  Trudy can use this to recover initial fills from known keystream
  • 30. Stream Ciphers Correlation Attack  Trudy sees keystream in table  Trudy wants to find initial fills  She guesses X = 111, generates first 24 bits of putative X, compares to ki ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1  Trudy finds 12 out of 24 matches  As expected in random case
  • 31. Stream Ciphers Correlation Attack  Now suppose Trudy guesses correct fill, X = 011  First 24 bits of X (and keystream) ki 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 0 0 0 1 0 1 1 xi 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1 1 0 0 1 0 1 1  Trudy finds 21 out of 24 matches  Expect 3/4 matches in causal case  Trudy has found initial fill of X
  • 32. Stream Ciphers Correlation Attack  How much work is this attack? o The X,Y,Z fills are 3,4,5 bits, respectively  We need to try about half of the initial fills before we find X  Then we try about half of the fills for Y  Then about half of Z fills  Work is 22 + 23 + 24 < 25  Exhaustive key search work is 211
  • 33. Stream Ciphers Correlation Attack  Work factor in general…  Suppose n LFSRs o Of lengths N0,N1,…,Nn-1  Correlation attack work is  Work for exhaustive key search is
  • 34. Stream Ciphers Conclusions  Keystreams must be cryptographically strong o Crucial property: unpredictable  Lots of theory available for LFSRs o Berlekamp-Massey algorithm o Nice mathematical theory exists  LFSRs can be used to make stream ciphers o LFSR-based stream ciphers must be correlation immune o Depends on properties of function f
  • 35. Stream Ciphers Coming Attractions  Consider attacks on 3 stream ciphers o ORYX — weak cipher, uses shift registers, generates 1 byte/step o RC4 — strong, widely used but used poorly in WEP, generates 1 byte/step o PKZIP — medium strength, unusual design, generates 1 byte/step