Excursus 02


STREAM CIPHERS

A.A. 2010/2011
Cryptography Part II
Stream Enciphering
Michele Elia
Politecnico di Torino
Stream enciphering is realized in two ways
- as a Bit by Bit operation, which is performed by
machines called Stream ciphers
- as a Block by Block operation, which is performed
by machines called Block ciphers
The Stream enciphering is intended to be the
encryption operation of long sequences of bits.
Stream Ciphers
Plain text binary sequence
m(1), m(2), ..., m(n), ...
Key binary sequence (produced by a FSM starting from a short sequence $K_0$ called the secret key)
k(1), k(2), ..., k(n), ...
Encrypted binary sequence
e(1), e(2), ..., e(n), ...
Encryption rule, referred to as Caesar enciphering
e(n) = m(n) + k(n)
Structure of a stream generator as Autonomous FSM
[Figure: block diagram with a periodic generator, a nonlinear function, and output k(n)]
Stream Cipher Cryptanalysis
The problem:
Find the secret key $K_0$ (the initial state of the FSM)
knowing
- state transition function f,
- output function g,
given a piece of generated enciphering stream
$k_1, k_2, k_3, \ldots, k_s$
Structure of a Block Cipher
[Figure: a nonlinear function with input $m_1, \ldots, m_n$, a key input, and output $e_1, \ldots, e_n$]
Block Ciphers (classical)
Enigma: single character cipher
DES: Data Encryption Standard
AES: Advanced Encryption Standard
IDEA: International Data Encryption Algorithm
Common structure
Input
Input Transformation
Round 1
Round 2
Round n
Output Transformation
Output
Classic (Standard) Algorithms

Cipher   Block               Key               Round
Enigma   1 character         3 characters      3 x 2
DES      64=32+32            56 bit            16
AES      128=8x(4x4)         128-192-256 bit   10-12-14
IDEA     64=16+16+16+16      128 bit           8


Enigma: Round structure
26 Alphabetic Characters represented as elements of $\mathbb{Z}_{26}$
T(X)= (X+k)-k
Each round consists of a Caesar transformation followed by a permutation (monoalphabetic substitution) followed by the inverse of the Caesar transformation.
The machine state changes after the encryption of a
character with a period that depends on rotor notches
and is of the order 26
6
t
DATA ENCRYPTION STANDARD: DES
[Figure: DES block with input $M_i$ (64 bit), key $K_0$ (56 bit), and output $E_i = DES(K_0, M_i)$ (64 bit)]
DES ROUND structure
[Figure: DES round with inputs $L_i$, $R_i$, outputs $L_{i+1}$, $R_{i+1}$, the block $Q(S(E(R_i)+K_i))$ and a + node]
DES function description
M is a vector with 64 entries (bits); consider
M=(L|R) decomposed into two vectors of dimension 32
P denotes an operator permuting the entries of a vector
denotes an involutory operator, that is M=(R|L)

2
= where is the identity operator
denotes an operator such that M=(L+f(R)|R)
therefore is an involution, that is
2
=
DES = P
16

15

14

1
P
-1
DES
-1
= P
1

2

3

16
P
-1
Description of DES function: Function f(.)
f(R)= S(E(R)+K)
K is a vector of 48 bits defined from $K_0$, the key of 56 bits
E(.) is an expansion function of a vector of dimension 32 to a vector of dimension 48: this is obtained by replicating some entries
S, called S-box, is a compression function from dimension 48 to dimension 32 made of 8 boxes that define 8 s-mappings from 6 bits to 4 bits: the vector of 48 bits is partitioned into 8 vectors of 6 bits to which each s-mapping is applied
DES transformation
In standard applications a binary message is partitioned into groups (vectors) of 64 bits
$M_0, M_1, \ldots, M_n, \ldots$
Function DES is always applied with the same key $K_0$ to each vector
$DES(K_0, M_0), DES(K_0, M_1), \ldots, DES(K_0, M_n), \ldots$
DES strengths and weaknesses
DES is a good encryption function
Few (4) known keys are weak
$DES(K_0, DES(K_0, M)) = M$
Few (6) known pairs of keys are weak
$DES(K_1, DES(K_2, M)) = M$
It is highly probable that the $2^{56}$ DES transformations do not form a group: otherwise the complexity to break the system, namely to find the secret key from a pair of plain and cipher texts, would be $2^{28}$
AES
128 bits of data are stored as bytes in a 4 x 4 state matrix
Round operations are: Subbyte, Shiftrow, Mixcolumn, and Addroundkey
[Figure: 4 x 4 state matrix with entries $X_{ij}$]
Round transformations
Subbyte
Shiftrow
Mixcolumn
Addroundkey
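[Formulas recoverable from the slide: $X_{ij} \to A X_{ij} + a$ and $\sum_{i=0}^{3} X_{ij} x^i \to a(x) \sum_{i=0}^{3} X_{ij} x^i \bmod (x^4+1)$; the remaining formulas are not recoverable from the extracted text]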
AES Round Structure
[Figure: AES round structure, repeating the formulas of the Round transformations slide]
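Legend
Polynomial (fixed in the standard)
$a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$
it is relatively prime with $x^4 + 1$
Affine transformation on bytes
$$
A = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{pmatrix},
\qquad
a = \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}
$$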
Legend (continued)
Each round requires 4 words (i.e. 128 bits) of key data plus 4 words for the output transformation
A 128 bit key requires 4 x 11 words of key data w[i] (0 ≤ i < 44)
Key expansion: w[0], w[1], w[2], and w[3] are filled with Key data, the words are updated as
w[i] = v[i] + w[i-4] where
v[i] = w[i-1] if i is not divisible by 4
v[i] = Subword(Rotword(w[i-1]))+R[i] if i is divisible by 4 and
R[i]=( i-1 ,0,0,0) with GF($2^8$)
Legend (continued)
Rotword takes a four byte word $[a_0, a_1, a_2, a_3]$ as input and returns $[a_1, a_2, a_3, a_0]$
Subword performs the Subbyte transformation on every byte in the word
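
The Subbyte map and the key expansion rule from the Legend slides, worked through in Python as an added example (not code from the lecture). It assumes the FIPS-197 field polynomial, field inversion before the affine map, and the FIPS-197 round constant, because the slide's R[i] is not fully legible; the sample key is the one from FIPS-197 Appendix A.1.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (assumed, FIPS-197)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def ginv(a):
    """Multiplicative inverse computed as a^254; 0 is mapped to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

# Rows of the slide's matrix A read as bytes (top row produces output bit 7),
# and the slide's column vector a = (0,1,1,0,0,0,1,1) = 0x63.
A_ROWS = (0xF8, 0x7C, 0x3E, 0x1F, 0x8F, 0xC7, 0xE3, 0xF1)
A_VEC = 0x63

def subbyte(x):
    """Subbyte: field inversion, then the affine map y -> A*y + a over GF(2)."""
    y, out = ginv(x), 0
    for r, row in enumerate(A_ROWS):
        out |= (bin(row & y).count("1") & 1) << (7 - r)
    return out ^ A_VEC

def expand_key(key):
    """Return w[0..43] for a 16-byte key, following w[i] = v[i] + w[i-4]."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 1  # assumed FIPS-197 round constant: doubled in GF(2^8) at every 4th word
    for i in range(4, 44):
        v = w[i - 1]
        if i % 4 == 0:
            v = [subbyte(b) for b in v[1:] + v[:1]]  # Subword(Rotword(w[i-1]))
            v[0] ^= rc                               # + R[i]
            rc = gmul(rc, 2)
        w.append([p ^ q for p, q in zip(v, w[i - 4])])
    return w

KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1 sample key
```

The 44 words give 11 round keys of 4 words each, matching the "4 x 11 words" count on the slide.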
IDEA Round structure
[Figure: IDEA round on the four sub-blocks $X_1, X_2, X_3, X_4$ with subkeys $K_1, K_2, K_3, K_4, K_5, K_6$]
Legend
XOR on 16 bits: sum in $\mathbb{Z}_2^{16}$
sum modulo $2^{16}$: sum in $\mathbb{Z}_{2^{16}}$
product modulo $2^{16}+1$: product in $\mathbb{Z}_{2^{16}+1}$
ECB: Electronic Code Book
[Figure: DES block with input $M_i$ (64 bit), key $K_0$ (56 bit), and output $E_i = DES(K_0, M_i)$ (64 bit)]
CBC: Cipher-Block Chaining
$E_i = DES(K_0, M_i + E_{i-1})$
[Figure: DES block with key $K_0$, input $M_i$ and a + node]
CFB: Cipher FeedBack
$k_i = DES(K_0, k_{i-1})$
[Figure: DES block with key $K_0$ and input $k_{i-1}$; a + node with $M_i$ and output $E_i$]
OFB: Output FeedBack
$k_i = DES(K_0, E_{i-1})$
$E_i = k_i + M_i$
[Figure: DES block with key $K_0$ and input $E_{i-1}$; a + node with $M_i$]
Applications
GSM (Mobile telephony)
Authentication for correct accounting and
access control to the network
Confidentiality
No tracking
Internet Secure Connection
GSM
Security in GSM is based on three algorithms
- A3 authentication algorithm (and protocol)
- A5 confidentiality algorithm: a stream ciphering with stream generator consisting of three clock controlled LFSR
- A8 algorithm: a one-way function used to define the initial state for A5
Tracking is avoided using a secret alias for any accepted user.
GSM - A3 protocol
Users are identified by
- a public user number PIN, the phone number, and
- a secret user number ID.
ID is stored on the SIM card and in the Control access computer system of the Provider.
GSM - A3 protocol
BOB sends an access request to Base Station (BS) (the distributed access points of the cellular network) with clear PIN.
BS forwards the request to provider P.
P returns a RANDOM number to BS.
BS sends RANDOM to BOB
GSM - A3 protocol
BOB encrypts RANDOM combined with his secret ID using A3 algorithm
ANSWER=A3(RANDOM, ID)
BOB sends ANSWER to BS
BS forwards ANSWER to P
P compares ANSWER with the locally computed ANS = A3(RANDOM, ID)
If ANS = ANSWER then access is permitted, otherwise it is denied.
GSM - A3 protocol
If access is permitted then P sends an ack to BS together with a SKEY5, a secret key used by the encryption algorithm A5
BS sends an ack to BOB.
BOB computes his SKEY5 as
SKEY5 = A8(RANDOM, ID)
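
The exchange of the four A3 protocol slides, with both sides' messages, as an added Python example (not code from the lecture). The functions a3 and a8 are stand-ins built on HMAC-SHA256, since the slides state that the real algorithms are not public; the class names, the output lengths and the single-use handling of RANDOM are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def a3(rand, secret_id):
    """Stand-in for A3 (assumption: HMAC-SHA256 truncated to 4 bytes)."""
    return hmac.new(secret_id, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(rand, secret_id):
    """Stand-in for A8 (assumption: HMAC-SHA256 truncated to 8 bytes)."""
    return hmac.new(secret_id, b"A8" + rand, hashlib.sha256).digest()[:8]

class Provider:
    """P: holds the secret ID of every subscriber, indexed by the public PIN."""
    def __init__(self, subscribers):
        self.ids = dict(subscribers)
        self.pending = {}                      # PIN -> outstanding RANDOM

    def challenge(self, pin):
        self.pending[pin] = secrets.token_bytes(16)
        return self.pending[pin]               # RANDOM, relayed by BS to the phone

    def verify(self, pin, answer):
        """Return SKEY5 for the base station if ANSWER matches, else None."""
        rand = self.pending.pop(pin, None)     # a RANDOM is accepted only once
        if rand is None or pin not in self.ids:
            return None
        if not hmac.compare_digest(answer, a3(rand, self.ids[pin])):
            return None
        return a8(rand, self.ids[pin])

class Phone:
    """BOB: the SIM card stores the PIN and the secret ID."""
    def __init__(self, pin, secret_id):
        self.pin, self.secret_id = pin, secret_id

    def respond(self, rand):
        """Return (ANSWER sent over the air, SKEY5 kept on the phone)."""
        return a3(rand, self.secret_id), a8(rand, self.secret_id)

def attach(provider, phone):
    """Run one access request; True when access is granted and both keys agree."""
    rand = provider.challenge(phone.pin)
    answer, skey_phone = phone.respond(rand)
    skey_bs = provider.verify(phone.pin, answer)
    return skey_bs is not None and skey_bs == skey_phone
```

Only PIN, RANDOM and ANSWER cross the radio link; SKEY5 is computed independently on each side from the shared secret ID.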
GSM - A5 algorithm
It is composed of three LFSRs of length 19, 22, and 23.
The evolution is clock controlled: three cells, in position 8, 10 and 10 of the three Registers respectively, are checked and only the Registers with the majority symbol (either 0 or 1) change state
The output sequence is obtained as a sum modulo 2 of the three binary sequences.
GSM - A5 algorithm
Block scheme and polynomial generators
$g_{19}(x) = x^{19} + x^5 + x^2 + x + 1$
$g_{22}(x) = x^{22} + x + 1$
$g_{23}(x) = x^{23} + x^7 + x^2 + x + 1$
[Figure: block scheme of the three registers combined by a + node]
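
The majority-clocked generator of the two A5 slides, used with the encryption rule e(n) = m(n) + k(n), as an added Python example (not code from the lecture and not a conformant A5 implementation). Register lengths, polynomial exponents and clock cells are the ones given on the slides; the cell numbering from 0, the tap layout and the sample state and message are assumptions.

```python
# Added example. Each entry: (register length, exponents of the generator
# polynomial below x^n, clock cell), as listed on the two A5 slides.
REGS = ((19, (5, 2, 1, 0), 8), (22, (1, 0), 10), (23, (7, 2, 1, 0), 10))

def shift(state, length, taps):
    """One LFSR step. Assumed layout: cell 0 is the output, feedback enters at the top."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return (state >> 1) | (fb << (length - 1))

def clock(states):
    """Apply the majority rule once and return the three new register contents."""
    bits = [(s >> c) & 1 for s, (_, _, c) in zip(states, REGS)]
    majority = 1 if sum(bits) >= 2 else 0
    return [shift(s, n, taps) if b == majority else s
            for s, b, (n, taps, _) in zip(states, bits, REGS)]

def keystream(key_state):
    """Yield k(1), k(2), ... from the initial state K_0 = (r19, r22, r23)."""
    s = list(key_state)
    while True:
        s = clock(s)
        yield (s[0] ^ s[1] ^ s[2]) & 1   # sum modulo 2 of the three output cells

def crypt(bits, key_state):
    """e(n) = m(n) + k(n); the same call decrypts because addition is modulo 2."""
    return [m ^ k for m, k in zip(bits, keystream(key_state))]

K0 = (0x5A5A5, 0x2AAAAA, 0x123456)       # constructed sample initial state
MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0] * 4   # constructed sample plaintext bits
```

At every step at least two registers move, because a register stands still only when its clock cell disagrees with the other two.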
GSM - Comments
A3 algorithm
- Is Provider's responsibility and choice
- Must be a strong ONE-WAY function to prevent cloning
- Must be easy to compute because of the limited power of cell phones.
- Definition is not publicly available.
- Common to all Providers (possibly) as that proposed by GSM group is used
GSM - Comments
A5 algorithm
- Must be common to every Provider as it runs on every Base Station
- Must be reasonably strong but guarantee QoS being a real time bit by bit encryption
- Must need few computations because of the limited power and energy available.
- Is public. It was originally proposed by GSM standardization group
- Initial state of LFSRs provided by A8 algorithm
GSM - Comments
A8 is Provider's responsibility and choice
It must be a strong ONE-WAY function to prevent cloning
The weakness is manifest only if A5 is broken
It must be easy to compute because of the limited power of cell phones.
At present the algorithm used is not public.
It is common to all Providers as they use that proposed by GSM standardization group
Internet secure connection
Internet confidentiality is based on Secure Socket Layer (SSL) that establishes an encrypted connection with the secret keys distributed by a Trusted Party using a PKC
SSL encrypts the bits that go through the Internet channel
Comparison
Internet confidentiality
GSM confidentiality
are examples of two different security
models:
SSL encrypts the channel
GSM encrypts the message
