
Stream Ciphers

Block vs. Stream


• Block ciphers
– process plaintext in relatively large blocks (e.g. n ≥ 64 bits)
– the same function is used to encrypt successive blocks
• Stream ciphers
– process plaintext in small blocks, and the encryption function may vary as plaintext is processed
– sometimes called state ciphers, since encryption depends not only on the key and plaintext but also on the current state
Stream Cipher

[Diagram: a bit stream generator supplies the key stream on both sides; plain text Ex-or key stream gives cipher text, and cipher text Ex-or key stream gives plain text]
EX-Or Operation

Input A Input B Result

0 0 0
0 1 1
1 0 1
1 1 0
Examples

Encryption
Plaintext   = 1 0 1 0 1 1 0 1
Key         = 0 1 0 1 0 1 0 1   (Ex-Or)
Cipher text = 1 1 1 1 1 0 0 0

Decryption
Cipher text = 1 1 1 1 1 0 0 0
Key         = 0 1 0 1 0 1 0 1   (Ex-Or)
Plaintext   = 1 0 1 0 1 1 0 1
One-Time Pad
• Provably secure
– Key generated independently and randomly
– Key as long as the plain text

– Must never ever reuse a stream key


• If two messages are encrypted by XOR with the same key, they can be combined to remove the effect of the key, giving a book cipher

C1_i = M1_i ⊕ K_i
C2_i = M2_i ⊕ K_i
C1_i ⊕ C2_i = M1_i ⊕ K_i ⊕ M2_i ⊕ K_i = M1_i ⊕ M2_i
Pseudo Random Generators (PRG)
• Compromise to computationally secure
– Instead of random, use pseudo random sequence based on a short key
– the generated stream must be:
• statistically random (knowing part of the sequence is not enough to break)
PRG may be controlled just by the key, influencing:
– Next-state function (output feedback mode)
– Output function (counter mode)
[Figures: PRG from a counter; PRG output feedback mode]
PRG may be controlled both by data and key:
– Output function (cipher feedback mode)
Example : Pascal Source Code
Uses Crt;
Var
  J, I, X : integer;
Begin
  Clrscr;
  for J := 1 to 10 do
  begin
    randseed := J;   { the same seed always gives the same sequence }
    writeln('Random seed = ', randseed);
    for I := 1 to 10 do
    begin
      X := random(100);   { pseudo random number in 0..99 }
      write(X, ' ');
    end;
    writeln;
  end;
  readln;
End.
The Output
• Random seed = 1
3 86 20 27 67 31 16 37 42 8
• Random seed = 2
6 69 54 34 7 96 0 58 47 73
• Random seed = 3
9 52 88 41 46 61 84 79 53 39
• Random seed = 4
12 35 22 48 86 25 69 0 58 5
• Random seed = 5
15 17 56 55 26 90 53 21 63 70
• Random seed = 6
18 0 91 62 66 55 37 42 69 36
• Random seed = 7
21 83 25 69 6 20 22 63 74 2
• Random seed = 8
25 66 59 76 46 84 6 84 79 67
• Random seed = 9
28 49 93 83 86 49 90 5 85 33
• Random seed = 10
31 32 27 90 26 14 74 26 90 98
Synchronous Stream Ciphers
• Keystream generated independently of plaintext and of ciphertext

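[Diagram: encryption and decryption sides, with labels: state si, next state si+1, next-state function f, key k, keystream function g, keystream zi, output function h taking pi to ci, and h-1 taking ci back to pi]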
Synchronous Stream Ciphers
– Both sender and receiver must be synchronized, using the same key and operating at the same position
• If synchronization is lost due to inserted or deleted ciphertext, decryption fails
• No error propagation: a ciphertext digit modified during transmission does not affect the decryption of other ciphertext digits
– Active attacks: the insertion, deletion, or replay of ciphertext digits by an active adversary causes immediate loss of synchronization
Self-synchronizing Ciphers

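• Key-stream generated as a function of the key and a fixed number of previous ciphertext digits

[Diagram: keystream function g takes key k and previous ciphertext digits to produce zi; output function h combines zi with mi to give ci]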
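An added example (not from the original slides) that contrasts the two designs when one ciphertext byte is modified or deleted in transit. The keystream function g is a SHA-256 stand-in, and T = 4, the key and the message are constructed; the bounded recovery shown for the self-synchronizing cipher goes slightly beyond what the slide states.

```python
import hashlib

T = 4      # previous ciphertext bytes used as state by the self-synchronizing cipher
POS = 10   # position of the transmission fault in the demo

def g(key: bytes, state: bytes) -> int:
    """Stand-in keystream function g: one byte derived from key and state."""
    return hashlib.sha256(key + state).digest()[0]

def sync_xcrypt(key: bytes, data: bytes) -> bytes:
    """Synchronous: the state is a position counter, independent of the data."""
    return bytes(b ^ g(key, i.to_bytes(8, "big")) for i, b in enumerate(data))

def selfsync(key: bytes, data: bytes, decrypt: bool) -> bytes:
    """Self-synchronizing: the state is the last T ciphertext bytes."""
    window, out = bytes(T), bytearray()
    for b in data:
        x = b ^ g(key, window)
        out.append(x)
        c = b if decrypt else x              # always feed back the ciphertext byte
        window = window[1:] + bytes([c])
    return bytes(out)

def flip(data: bytes, pos: int) -> bytes:
    """Modify one ciphertext byte in transit."""
    return data[:pos] + bytes([data[pos] ^ 0x01]) + data[pos + 1:]

def delete(data: bytes, pos: int) -> bytes:
    """Lose one ciphertext byte in transit."""
    return data[:pos] + data[pos + 1:]

KEY = b"constructed demo key"
MSG = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"      # constructed sample plaintext

def tail_ok(recovered: bytes, skip: int) -> bool:
    """True if recovered[skip:] matches the corresponding end of MSG."""
    return recovered[skip:] == MSG[len(MSG) - len(recovered) + skip:]

def run() -> dict:
    cs, ca = sync_xcrypt(KEY, MSG), selfsync(KEY, MSG, False)
    return {
        "sync, modified byte: rest intact": tail_ok(sync_xcrypt(KEY, flip(cs, POS)), POS + 1),
        "sync, deleted byte: rest intact": tail_ok(sync_xcrypt(KEY, delete(cs, POS)), POS),
        "self-sync, deleted byte: intact after T more": tail_ok(selfsync(KEY, delete(ca, POS), True), POS + T),
        "self-sync, modified byte: intact after T more": tail_ok(selfsync(KEY, flip(ca, POS), True), POS + T + 1),
    }

if __name__ == "__main__":
    for case, ok in run().items():
        print(f"{case}: {ok}")
```

Only the synchronous cipher with a deleted byte fails to recover: every later byte is decrypted at the wrong keystream position.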
General SC Criteria
• Long period with no repetitions
• Statistically random
• Large linear complexity (based on size of
equiv LFSR)
• Correlation immunity (have tradeoff with
linear complexity)
• Confusion (output bits depend on all key bits)
• Diffusion
• Use of highly non-linear Boolean functions
Linear Feedback Shift Registers (LFSR)

• Well-suited to hardware implementation
• Can produce sequences of large period
• Can produce sequences with good statistical properties
LFSR

[Diagram: shift register bn, bn-1, ..., b4, b3, b2, b1 with b1 as the Output Bit; a Feedback Function of the register bits feeds back into the register]
Example LFSR 4 bits

Initialization = 1111

[Diagram: register b4 b3 b2 b1 with Output Bit]

State   Bit 4 (MSB)   Bit 3   Bit 2   Bit 1 (LSB)
1       1             1       1       1
2       0             1       1       1
3       1             0       1       1
4       0             1       0       1
5       1             0       1       0
6       1             1       0       1
7       0             1       1       0
8       0             0       1       1
9       1             0       0       1
10      0             1       0       0
11      0             0       1       0
12      0             0       0       1
13      1             0       0       0
14      1             1       0       0
15      1             1       1       0
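An added example (not from the original slides) that regenerates the state table above, measures its period, and computes the linear complexity named in the General SC Criteria slide with the Berlekamp-Massey algorithm. The taps on b4 and b1 are an assumption: the slide's diagram is lost, and these taps reproduce its table.

```python
def lfsr_step(state: int, taps, n: int):
    """Shift right once: return (new_state, output_bit). Bit b1 is the LSB."""
    fb = 0
    for t in taps:                          # tap t reads bit b_t
        fb ^= (state >> (t - 1)) & 1
    return (state >> 1) | (fb << (n - 1)), state & 1

def lfsr_run(seed: int, taps, n: int, steps: int):
    """Return the visited states and the output bits for `steps` clock ticks."""
    states, bits, s = [], [], seed
    for _ in range(steps):
        states.append(s)
        s, out = lfsr_step(s, taps, n)
        bits.append(out)
    return states, bits

def period(seed: int, taps, n: int) -> int:
    """Clock ticks until the register returns to `seed` (0 if it never does)."""
    s = seed
    for count in range(1, 2 ** n + 1):
        s, _ = lfsr_step(s, taps, n)
        if s == seed:
            return count
    return 0

def linear_complexity(bits) -> int:
    """Berlekamp-Massey over GF(2): length of the shortest LFSR producing `bits`."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n     # current and previous connection polys
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                         # discrepancy against the current LFSR
        for k in range(1, L + 1):
            d ^= c[k] & bits[i - k]
        if d:
            t = c[:]
            for k in range(n - (i - m) + 1):
                c[k + i - m] ^= b[k]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

# Assumed taps b4 and b1 (not stated on the slide; they reproduce its table).
TAPS, N, SEED = (4, 1), 4, 0b1111

if __name__ == "__main__":
    states, bits = lfsr_run(SEED, TAPS, N, 15)
    for k, s in enumerate(states, 1):
        print(f"{k:2d}  {s:04b}  out={bits[k - 1]}")
    print("period:", period(SEED, TAPS, N))
    print("linear complexity:", linear_complexity(bits))
```

The linear complexity is already 4 after the first 8 output bits, which is why a single LFSR is never used as a keystream generator on its own and the criteria ask for large linear complexity.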
LFSRs (cont’d)

• Balanced, non-linear, correlation immune

[Diagram: LFSR-L1, LFSR-L2, ..., LFSR-Ln feed a Nonlinear Combiner Function F, which produces the output]
RC4

• Proprietary cipher owned by RSA
• Variable key size, byte-oriented stream cipher
• Widely used (web SSL/TLS, wireless WEP)
• Key forms random permutation of all 8-bit values
• Uses that permutation to scramble input info processed one byte at a time
RC4 Diagram

[Diagram: Key Setup phase: initializing the 256 byte S-box, then key mixing with the Key gives the 256 byte S-box. Ciphering Phase: generate a pseudorandom byte and Ex-Or it with each plaintext / ciphertext byte to give the ciphertext / plaintext byte (Encrypt / Decrypt)]
RC-4 Algorithm
1 [Define the state array]
S[0], S[1], ..., S[255].
2 [Initialize the state array; each element is assigned its index number]
S[0] = 0; S[1] = 1; ...; S[255] = 255;
3 [Initialize the key array; each element is assigned from the key]
S2[0] = K[0]; S2[1] = K[1]; ...
4 [Mixing process]
j = 0;
REPEAT THRU STEP 4 FOR i = 0 TO 255
  j = (j + S[i] + S2[i]) % 256;
  temp = S[i];
  S[i] = S[j];
  S[j] = temp;
5 [Generate the byte stream for the ciphering process]
i = 0; j = 0;
REPEAT FOR each byte to be ciphered
  i = (i+1) % 256;
  j = (j + S[i]) % 256;
  temp = S[i];
  S[i] = S[j];
  S[j] = temp;
  t = (S[i] + S[j]) % 256;
  K = S[t];
6 [Stop]
RC4 Key Schedule

• Starts with an array S of numbers: 0..255
• S forms internal state of the cipher
• Given a key k of length l bytes:

for i = 0 to 255 do
    S[i] = i
j = 0
for i = 0 to 255 do
    j = (j + S[i] + k[i mod l]) (mod 256)
    swap(S[i], S[j])
Stream Generation

• Encryption continues shuffling array values

i = j = 0
for each message byte Mi
    i = (i + 1) (mod 256)
    j = (j + S[i]) (mod 256)
    swap(S[i], S[j])
    t = (S[i] + S[j]) (mod 256)
    Ci = Mi XOR S[t]
RC4 Security Issues

• First group of outputs correlate with key
• Should discard first 256 outputs
• Should never reuse a key
• After a few GB, see some values occurring slightly too often
WEP Encryption

• Mobile station shares key with Access Point
• Transmitting a message M
– Compute checksum of M and append it to M
– Generate keystream using RC4(IV,Key)
– Xor <M,C(M)> with keystream
– Transmit IV and cipher text
• Upon receiving, reverse steps
WEP(cont’d)

• Key length = 40. IV length = 24

[Diagram: Message and CRC are XORed with Keystream = RC4(IV,k); the transmitted frame is IV followed by Cipher Text]
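The RC4 key schedule and stream generation, the WEP steps above, and the key reuse identity from the One-Time Pad slide, combined in one added example that is not part of the original slides. The key, IV and messages are constructed; the IV-then-key concatenation and the little-endian CRC-32 follow 802.11 WEP and are not spelled out on the slides.

```python
import zlib

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """RC4 key schedule plus stream generation; `drop` discards early output."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key schedule
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):                     # stream generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt: the same XOR runs in both directions."""
    return xor(data, rc4_keystream(key, len(data), drop))

def wep_seal(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """IV in clear, then RC4(IV || key) over message plus CRC-32 checksum."""
    body = msg + zlib.crc32(msg).to_bytes(4, "little")
    return iv + rc4(iv + key, body)

def wep_open(key: bytes, frame: bytes) -> bytes:
    """Reverse the steps and verify the checksum."""
    body = rc4(frame[:3] + key, frame[3:])
    msg, icv = body[:-4], body[-4:]
    if zlib.crc32(msg).to_bytes(4, "little") != icv:
        raise ValueError("checksum mismatch")
    return msg

# Constructed sample data: 40-bit key, 24-bit IV, two equal-length messages.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
M1, M2 = b"first message..", b"second message."
F1, F2 = wep_seal(IV, KEY, M1), wep_seal(IV, KEY, M2)    # same IV used twice

def reuse_leak() -> bool:
    """With IV and key repeated, C1 xor C2 equals M1 xor M2: the key drops out."""
    n = len(M1)
    return xor(F1[3:3 + n], F2[3:3 + n]) == xor(M1, M2)

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())        # bbf316e8d940af0ad3
    print(wep_open(KEY, F1), reuse_leak())
```

A 24-bit IV allows only 2^24 distinct keystreams per key, so on a busy link the repeated-IV case shown by `reuse_leak` is unavoidable; passing `drop=256` implements the "discard first 256 outputs" advice.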
A5 Algorithm
• Stream cipher used to encrypt GSM phones
• Has several variants (A5, A5/1, A5/2)
• A5/1 uses 3 LFSRs of 19, 22 and 23 bits using sparse feedback polys
– all have been broken (A5/2 in Aug99, A5/1 in Apr 2000) - basic attack has complexity 2^40
– guess state of LFSRs 1 & 2, try to determine 3 from keystream
– real problem is registers are too small & feedback polys are sparse
End of Presentations
