
Introduction to Cryptography

Stream Cipher

Figure: Lorenz SZ42 cipher machine on display at Bletchley Park museum (source: Wikipedia)

Stream Cipher

• Simulate a one-time pad:
  $c = enc_k(m) = m \oplus k$ with $len(k) = len(m)$
• Generate an arbitrarily long pseudo-random key $k$ using some deterministic
  algorithm based on an initial fixed-sized seed
• How to find such a (deterministic) algorithm?

Figure: Encryption / Decryption

Pseudo-Random Functions

A family of pseudo-random functions (PRF) is a family of deterministic functions $\{F_k\}_K$
indexed by a key $k$ and with input $m$ that are indistinguishable from a truly
random function of the input (i.e., cannot be distinguished from a random
function in polynomial time).

PRF game between the challenger $C$ and the adversary $A$, who has access to the oracle $O_{F_k}$:
– $C$ draws $b \leftarrow \{0, 1\}$ and $k \in K$; the list $L$ of answered queries is initially empty
– $A$ queries the oracle with $x \in D$ and receives $y$ computed as
  if $\exists (x, y') \in L$: $y \leftarrow y'$
  elif $b = 0$: $y \leftarrow C$ (drawn uniformly at random from the codomain $C$)
  else: $y \leftarrow F_k(x)$
  $L \leftarrow L \cup \{(x, y)\}$
– $A$ outputs $b'$ and wins if $b' = b$

$$Adv^{PRF}_{\{F_k\}_K}(A) = 2 \cdot \left| \Pr[A\ wins] - \tfrac{1}{2} \right| = \left| \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0] \right|$$

Pseudo-Random-Function Families

Why not just use a single pseudo-random function $g$ instead of an entire
family $\{F_k\}_K$?

• Kerckhoffs' principle
  Security should entirely rest on the chosen key and not on the
  secrecy of the encryption algorithm!

Pseudo-random function families establish stream ciphers

• Let $\{F_k\}_K$ be a PRF family having bitstrings of length $l$ as outputs.
  The family defines a stream cipher for bitstrings of length $l$ by
  $$c = m \oplus F_k(0)$$

Stream Cipher Depends on Strength of PRF

Compare the IND-PASS game $G_0$ for the scheme $c^* \leftarrow m_b \oplus F_k(0)$:
– $C$ draws $b_0 \leftarrow \{0, 1\}$ and $k \in KeyGen_{PRF}()$
– $A$ sends $m_0, m_1 \in P$ to the left-or-right oracle $O_{LR}$ and receives $c^* \leftarrow m_{b_0} \oplus F_k(0)$
– $A$ outputs $b_0'$ and wins if $b_0' = b_0$

with the IND-PASS game $G_1$ for the ideal scheme $c^* \leftarrow m_b \oplus Rand(0)$:
– $C$ draws $b_1 \leftarrow \{0, 1\}$ and $k \in KeyGen_{PRF}()$
– $A$ sends $m_0, m_1 \in P$ to $O_{LR}$ and receives $c^* \leftarrow m_{b_1} \oplus Rand(0)$
– $A$ outputs $b_1'$ and wins if $b_1' = b_1$

$$Adv^{PRF}_{\{F_k\}_K}(A) = \left| \Pr[b_0' = 1 \mid b_0 = 1] - \Pr[b_1' = 1 \mid b_1 = 1] \right| = \left| \Pr[b_0' = 0 \mid b_0 = 0] - \Pr[b_1' = 0 \mid b_1 = 0] \right|$$

Lemma (Smart, p. 225):

$$Adv^{IND\text{-}PASS}_{\Pi}(A) = \left| \Pr[b_0' = 1 \mid b_0 = 1] - \Pr[b_0' = 1 \mid b_0 = 0] \right| \le \cdots \le 2 \cdot Adv^{PRF}_{\{F_k\}_K}(A)$$

Pseudo-Random Generator PRG

• Generate a pseudo-random sequence $k = k_1, k_2, \ldots$ of arbitrary
  length from a fixed-length initial key ($seed$)

• Pseudo-random means that
  – $k_1, k_2, \ldots$ seems to be randomly generated but can be
    deterministically computed from $seed$
  – knowing $k_1, k_2, \ldots, k_{i-1}$ should give almost no advantage in
    guessing $k_i$

Linear Feedback Shift Registers (LFSR)

Figure: shift register with cells $b_{n-1}\, b_{n-2} \ldots b_2\, b_1\, b_0$ (output bits
are taken from $b_0$), feedback taps $c_1, c_2, \ldots, c_{n-2}, c_{n-1}, c_n$ and feedback bit
$$b_n = \sum_{j=0}^{n-1} c_{n-j} \cdot b_j$$

• Initialization of state $b_0, \ldots, b_{n-1}$
• Iterate:
  – Output $b_0$ as next output bit
  – Compute $b_n := \sum_{j=0}^{n-1} c_{n-j} \cdot b_j$
  – Shift register (incl. $b_n$) to the right

Outputs and States of a LFSR

• After initialization with $s_0, \ldots, s_{n-1}$ the LFSR produces the outputs
  $$o_m = s_m \quad \text{for } 0 \le m < n$$
  $$o_{n+m} = \sum_{j=0}^{n-1} c_{n-j} \cdot o_{j+m} \quad \text{for } m \ge 0$$

• Given a LFSR state $\mathbf{s} = (s_1, \ldots, s_n)$, the successor state is $M \cdot \mathbf{s}$ with matrix
  $$M = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ c_n & c_{n-1} & c_{n-2} & \cdots & c_1 \end{pmatrix}$$
  $$M \cdot \mathbf{s} = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ c_n & c_{n-1} & c_{n-2} & \cdots & c_1 \end{pmatrix} \cdot \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} = \begin{pmatrix} s_2 \\ s_3 \\ \vdots \\ s_n \\ \sum_{j=0}^{n-1} c_{n-j} \cdot s_{j+1} \end{pmatrix}$$

Some Properties of LFSR

Definition
A sequence $o_0, o_1, \ldots$ has period $r$ iff $o_j = o_{j+r}$ for all $j \ge 0$

Lemma
An $n$-bit LFSR has at most a period of $2^n - 1$

Proof:
An $n$-bit LFSR can encode at most $2^n$ states. The $0$-state is not usable
as a state (it only reproduces itself). Since the successor state is uniquely
determined by the current state, the LFSR will eventually return (after at
most $2^n - 1$ transitions) to a previously seen state (and then cycle infinitely).

Connection Polynomial

Definition
Given $c_1 \ldots c_n$ the (binary) connection polynomial is
– $C(X) = 1 + c_1 X + c_2 X^2 + \cdots + c_n X^n$

Examples

Figure: 4-bit register $b_3\, b_2\, b_1\, b_0$ with taps $c_1$ and $c_3$:
$C(X) = 1 + X + X^3$

Figure: 32-bit register $b_{31}\, b_{30}\, b_{29} \ldots b_1\, b_0$ with taps $c_3$ and $c_{32}$:
$C(X) = 1 + X^3 + X^{32}$

Connection Polynomial and Periods (I)

Consider $c_n = 0$:
• The register is longer than the degree of the connection polynomial;
  the sequence is singular
• The sequence may not be periodic from the start, but it eventually becomes periodic

Example:
$C(X) = 1 + X + X^3$ on the 4-bit register of the previous slide (so $c_4 = 0$)
Figure: state transitions

Connection Polynomial and Periods (II)

Consider $c_n = 1$ and $C(X)$ irreducible:
• The sequence is always periodic
• Non-zero initial states produce sequences with period $k$,
  $k$ being the smallest value such that $C(X)$ divides $1 + X^k$

Example:
$C(X) = 1 + X + X^2 + X^3 + X^4$
Figure: state transitions

Connection Polynomial and Periods (III)

Consider $c_n = 1$ and $C(X)$ primitive (which implies irreducible):
• The sequence is always periodic
• Non-zero initial states produce sequences with period $2^n - 1$

Example:
$C(X) = 1 + X + X^4$
Figure: state transitions

An irreducible polynomial $F(x)$ of degree $m$ over $GF(p)$, where $p$ is prime, is a primitive polynomial
if the smallest positive integer $n$ such that $F(x)$ divides $x^n - 1$ is $n = p^m - 1$.

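The following Python code is an added example, not code from the lecture slides: it implements the LFSR in the convention of the slides above (cells $b_{n-1} \ldots b_0$, output $b_0$, feedback $b_n = \sum_{j=0}^{n-1} c_{n-j} \cdot b_j$) and, for the three example connection polynomials on a 4-bit register, compares the period of the state sequence with the order of $C(X)$, the smallest $k$ with $C(X)$ dividing $1 + X^k$. The initial state $(b_0, b_1, b_2, b_3) = (0, 0, 0, 1)$ is a constructed choice.

```python
# Added example, not from the slides: bit-level LFSR in the slides' convention
# (state[j] = b_j, output b_0, feedback b_n = sum_{j=0}^{n-1} c_{n-j} * b_j, shift
# right), the (pre-)period of its state sequence and the order of C(X) over GF(2).

def lfsr_step(state, taps):
    """One clock: state[j] = b_j, taps = [c_1, ..., c_n]. Returns (new state, output bit)."""
    n = len(state)
    feedback = 0
    for j in range(n):
        feedback ^= taps[n - 1 - j] & state[j]   # c_{n-j} * b_j, summed over GF(2)
    return state[1:] + [feedback], state[0]

def lfsr_output(state, taps, count):
    """The first `count` output bits o_0, o_1, ... for an initial state."""
    bits = []
    for _ in range(count):
        state, out = lfsr_step(state, taps)
        bits.append(out)
    return bits

def state_period(state, taps):
    """(preperiod, period) of the state sequence; a non-zero preperiod means the
    sequence is only eventually periodic (singular register, c_n = 0)."""
    seen, step = {}, 0
    while tuple(state) not in seen:
        seen[tuple(state)] = step
        state, _ = lfsr_step(state, taps)
        step += 1
    return seen[tuple(state)], step - seen[tuple(state)]

def poly_order(c):
    """Smallest k with C(X) | 1 + X^k over GF(2); c is C(X) as a bit mask (bit i = coeff. of X^i)."""
    deg = c.bit_length() - 1
    r = 1                                    # X^0 mod C(X)
    for k in range(1, 2 ** deg):
        r <<= 1                              # multiply by X ...
        if r >> deg & 1:
            r ^= c                           # ... and reduce modulo C(X)
        if r == 1:                           # X^k = 1 (mod C(X))
            return k
    return None

# The slides' three connection polynomials, each driving a 4-bit register:
SINGULAR = [1, 0, 1, 0]      # 1 + X + X^3: degree 3 < 4, so c_4 = 0
IRREDUCIBLE = [1, 1, 1, 1]   # 1 + X + X^2 + X^3 + X^4: irreducible, not primitive
PRIMITIVE = [1, 0, 0, 1]     # 1 + X + X^4: primitive

if __name__ == "__main__":
    for taps, c in ((SINGULAR, 0b1011), (IRREDUCIBLE, 0b11111), (PRIMITIVE, 0b10011)):
        print(state_period([0, 0, 0, 1], taps), poly_order(c), lfsr_output([0, 0, 0, 1], taps, 8))
```

For the singular register the state sequence has a preperiod of 1 and then period 7 (the order of $1 + X + X^3$), the irreducible polynomial gives period 5, and the primitive one the maximal period $2^4 - 1 = 15$.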
Linear LFSR are Insecure

Lemma
If an attacker knows $2 \cdot n$ consecutive bits of the sequence, then he
knows its entire continuation

Proof:
Suppose we know the output $o_1 \ldots o_{2n}$.
According to the construction, $o_{n+m} = \sum_{j=0}^{n-1} c_{n-j} \cdot o_{j+m}$ holds for $m > 0$,
which gives a set of $n$ linear equations
$$o_{n+1} = \sum_{j=0}^{n-1} c_{n-j} \cdot o_{j+1}$$
$$\ldots$$
$$o_{n+n} = \sum_{j=0}^{n-1} c_{n-j} \cdot o_{j+n}$$
with $n$ unknowns $c_1 \ldots c_n$.

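As an added example (not code from the slides), the linear system of this proof solved in Python over GF(2): from $2n$ consecutive output bits the taps $c_1 \ldots c_n$ are recovered and the continuation is predicted, here for the 4-bit register with $C(X) = 1 + X + X^4$ of the previous slides and a constructed initial state. It shows why a bare LFSR output must never be used directly as a key stream.

```python
# Added example, not from the slides: the lemma's linear system as working code.
# From 2n consecutive output bits the taps c_1..c_n are recovered over GF(2);
# afterwards every further bit of a bare LFSR key stream is predictable.

def lfsr_output(state, taps, count):
    """Slides' LFSR: state[j] = b_j, taps = [c_1..c_n], feedback b_n = sum c_{n-j} b_j."""
    n, bits = len(state), []
    for _ in range(count):
        feedback = 0
        for j in range(n):
            feedback ^= taps[n - 1 - j] & state[j]
        bits.append(state[0])
        state = state[1:] + [feedback]
    return bits

def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination over GF(2) for a square system; None if singular."""
    n = len(rows)
    m = [row[:] + [rhs[i]] for i, row in enumerate(rows)]   # augmented matrix
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col and m[r][col]:
                m[r] = [a ^ b for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]

def recover_taps(bits, n):
    """[c_1..c_n] from at least 2n consecutive output bits o_0, o_1, ... (0-indexed).
    Equation m: o_{n+m} = sum_{i=1}^{n} c_i * o_{n-i+m}  (substitute i = n - j)."""
    rows = [[bits[n - i + m] for i in range(1, n + 1)] for m in range(n)]
    return solve_gf2(rows, [bits[n + m] for m in range(n)])

def predict(bits, n, count):
    """Extend an observed key stream prefix by `count` bits via the recovered taps."""
    taps = recover_taps(bits, n)
    if taps is None:
        return None
    out = list(bits)
    for _ in range(count):
        m = len(out) - n
        out.append(sum(taps[n - 1 - j] & out[j + m] for j in range(n)) & 1)
    return out[len(bits):]

if __name__ == "__main__":
    observed = lfsr_output([0, 0, 0, 1], [1, 0, 0, 1], 8)   # 2n bits, n = 4, C(X) = 1 + X + X^4
    print("taps:", recover_taps(observed, 4), "next bits:", predict(observed, 4, 7))
```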
Beyond Linearity – Combining LFSR

Different approaches to combine LFSRs (of different sizes!) to
overcome linearity:

• Multiplexer
• Combining generators with a non-linear function $f$
• Generalized Geffe generator
• Shrinking generator (pass or drop bit)
• plus a lot more …

Figure: block diagrams of the combiners listed above

Example: GSM à la A5/1 Generator

A5/1 was used for encryption of on-air traffic in GSM (mobile phones)
• Developed in 1987,
• Reverse engineered in 1999, and
• Broken by various attacks (e.g., 2006 in real time!)

Non-linear combination of three LFSRs of different lengths with connection polynomials
– LFSR 1: $x^{18} + x^5 + x^2 + x^1 + 1$
– LFSR 2: $x^{21} + x^1 + 1$
– LFSR 3: $x^{22} + x^{15} + x^2 + x^1 + 1$

Each LFSR is clocked by an individual clock $t_i$ determined by the values of
$c_1, c_2, c_3$ (i.e., bit 10 in LFSR 1, bit 11 in LFSR 2, and bit 12 in LFSR 3) …

$mb = (c_1 \cdot c_2) \oplus (c_2 \cdot c_3) \oplus (c_1 \cdot c_3)$
$t_i = (c_i = mb)$

  c1  c2  c3 | mb | t1  t2  t3
   0   0   0 |  0 |  Y   Y   Y
   0   0   1 |  0 |  Y   Y   N
   0   1   0 |  0 |  Y   N   Y
   0   1   1 |  1 |  N   Y   Y
   1   0   0 |  0 |  N   Y   Y
   1   0   1 |  1 |  Y   N   Y
   1   1   0 |  1 |  Y   Y   N
   1   1   1 |  1 |  Y   Y   Y

Figure: the three LFSRs with their clock bits 10, 11, 12 and connection polynomials

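An added Python example of the majority clocking described above; it is not code from the slides and not the real A5/1 (whose parameters differ), but an A5/1-style generator with the slide's three connection polynomials and clock bits 10, 11 and 12. The slide does not state how the three registers are combined into the output, so the XOR of the three $b_0$ bits is assumed, and the register contents are constructed.

```python
# Added example, not the slides' code and not the real A5/1: an A5/1-style generator
# with the slide's three connection polynomials, clock bits 10, 11 and 12, and
# majority clocking. Assumption: the key stream bit is the XOR of the three b_0 bits.

def majority(c1, c2, c3):
    """mb = c1*c2 xor c2*c3 xor c1*c3, the majority of the three clock bits."""
    return (c1 & c2) ^ (c2 & c3) ^ (c1 & c3)

def clocked(c1, c2, c3):
    """t_i = (c_i == mb): register i is clocked only if it agrees with the majority."""
    mb = majority(c1, c2, c3)
    return (c1 == mb, c2 == mb, c3 == mb)

def taps_from_polynomial(exponents, n):
    """[c_1..c_n] for C(X) = 1 + sum_{e in exponents} X^e; needs n in exponents (c_n = 1)."""
    return [1 if i in exponents else 0 for i in range(1, n + 1)]

def lfsr_step(state, taps):
    """Slides' LFSR clock: state[j] = b_j, feedback b_n = sum c_{n-j} b_j, shift right."""
    n, feedback = len(state), 0
    for j in range(n):
        feedback ^= taps[n - 1 - j] & state[j]
    return state[1:] + [feedback]

REGISTERS = [   # (taps, clock bit) as given on the slide
    (taps_from_polynomial({1, 2, 5, 18}, 18), 10),    # x^18 + x^5 + x^2 + x + 1
    (taps_from_polynomial({1, 21}, 21), 11),          # x^21 + x + 1
    (taps_from_polynomial({1, 2, 15, 22}, 22), 12),   # x^22 + x^15 + x^2 + x + 1
]

def keystream(states, count):
    """states: three bit lists of lengths 18, 21, 22 (b_0 first). Returns `count` bits."""
    states = [s[:] for s in states]
    out = []
    for _ in range(count):
        clock_bits = [s[idx] for s, (_, idx) in zip(states, REGISTERS)]
        bit = 0
        for i, go in enumerate(clocked(*clock_bits)):
            if go:
                states[i] = lfsr_step(states[i], REGISTERS[i][0])
            bit ^= states[i][0]
        out.append(bit)
    return out

# Constructed, non-zero example register contents (not a GSM key schedule):
EXAMPLE_SEED = [[int(c) for c in s] for s in
                ("110100111010001101", "011100101101001110010", "1010110001110100110011")]

if __name__ == "__main__":
    print("".join(map(str, keystream(EXAMPLE_SEED, 64))))
```

In every step at least two of the three registers move, which is what makes the output a non-linear function of the register contents.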
Conclusion

• Stream ciphers are mostly used for HW and are non-linear
  combinations of LFSRs
• Trivium is a recent stream cipher for HW realization based on three
  shift registers of lengths 93, 84, and 111 bits; the shift registers are
  fed with combinations of all three registers. Initialization of the registers is
  done by a key (80 bits) and an initial value (IV) (≤ 80 bits)
• The most prominent stream cipher is still RC4 (Ron Rivest), but it is no
  longer considered secure, since each output byte has a particular bias
• In software implementations block ciphers (like AES) are preferred,
  which will be presented next week

Stay tuned!
