# 02 - Secret Key Cryptography

### Pages to are hidden for

"02 - Secret Key Cryptography"

```					                        4 kitamrofnI rüf lhutsrheL                                                                       4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                              emetsyS etlietrev dnu noitakinummoK

Goals of Cryptography

1. Secrecy of data and messages
Chapter 2: Security Techniques Background
→ Only authorized people should be able to read the data
• Secret Key Cryptography
• Public Key Cryptography                                2.1: Secret Key Cryptography             2. Authentication of participants and messages
• Hash Functions                                              • Cryptosystems                         → Is a user really the one he pretends to be?
• Authentication                                              • Historical approaches
3. Anonymity of participants
• Stream Ciphers
Chapter 3: Security on Network                                                                        → Anonymity of sender and/or receiver for third parties
and Transport Layer                                          • Block ciphers

Chapter 4: Security on the Application Layer                                                      Fundamental terms
Chapter 5: Security Concepts for Networks                                                         • A(lice): Sender of a message
• B(ob): Recipient of a message
• O(scar): Opponent, attacker on a message

yhpargotpyrC yeK terceS :1.2 retpahC                                                    1 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                   2 egaP

4 kitamrofnI rüf lhutsrheL                                                                       4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                              emetsyS etlietrev dnu noitakinummoK

Definition of a Cryptosystem                                                                     Security – Kerckhoff's Requirements

A cryptosystem is a five-tuple (P,C,K,E,D), where the following conditions are                     A cryptosystem is called breakable, if a third party is able to recover
satisfied:                                                                                       the plaintext from a given cipher text without knowledge of the key
• P is a finite set of possible plaintexts
• C is a finite set of possible cipher texts
A set of general cryptosystem requirements are given by
• K, the key space, is a finite set of possible keys                                                 Kerckhoff's requirements (1883):
• For each k ∈ K, there is an encryption rule ek ∈ E and a corresponding decryption                • The system should be, if not theoretically unbreakable, unbreakable in
rule dk ∈ D                                                                                        practice (time effort, cost, ...)
Each ek:P → C and dk:C → P are functions such that dk(ek(x))=x for every plaintext               • Compromise of the system details should not inconvenience the
x∈P                                                                                                correspondents
• The key should be rememberable without notes, and easily changed
• The cryptogram should be transmissible by telegraph
• The encryption apparatus should be portable and operable by a single person
The last-mentioned property is the main property: if a plaintext x is                  • The system should be easy, requiring neither the knowledge of a long list of
encrypted using ek and the resulting cipher text is subsequently decrypted               rules, nor mental strain
using dk, then the original plaintext x results.

yhpargotpyrC yeK terceS :1.2 retpahC                                                    3 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                   4 egaP
4 kitamrofnI rüf lhutsrheL                                                                        4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                               emetsyS etlietrev dnu noitakinummoK

Classification of Attackers                                                                      Historical Cryptosystems

1.) Cipher text-only: Oscar possesses a string y of the cipher text.
2.) Known plaintext: Oscar possesses a string x of the plaintext and the
corresponding cipher text y. The problem now is to find out the key which
produces y form x.
1.    Monoalphabetic cipher: Each alphabetic character is mapped onto a
3.) Chosen plaintext: Oscar has access to the encryption machinery. Hence he                               unique alphabetic character
can chose a plaintext string x and construct the corresponding cipher text                             Examples: Shift Cipher, Substitution Cipher, Affine Cipher
string y.
4.) Chosen cipher text: Oscar has access to the decryption machinery. Hence,
2.    Polyalphabetic cipher: Each alphabetic character is mapped onto
he can chose a cipher text string y and construct the corresponding plaintext
various alphabetic characters
string x.
Examples: Vigenere Cipher, Hill Cipher, Permutation Cipher

Cryptosystems are classified regarding the protection against attackers of these
classes:
• 2.) is the minimum requirement on a modern cryptosystem
• 3.) and 4.) are hard tests on a modern cryptosystem

yhpargotpyrC yeK terceS :1.2 retpahC                                                    5 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                          6 egaP

4 kitamrofnI rüf lhutsrheL                                                                        4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                               emetsyS etlietrev dnu noitakinummoK

Shift Cipher                                                                                     Substitution Cipher

Idea:                                                                                              Idea: use a permutation over the set of characters as key to get a more flexible
scheme as in the shift cipher
Map each character x on that character which follows x by a given number k of positions
Let P = C = Zn, K = S(Zn) (set of permutations over Zn).
Let P = C = K = Zn = {0, 1, ..., n-1}. For k ∈ K, define                                         For each permutation p ∈ K, define
ek(x) = x + k mod n                                                                              ep(x) = p(x),
and                                                                                              and
dk(y) = y – k mod n                                                                              dp(y) = p-1(y)
where x,y ∈ Zn.                                                                                  where p-1 is the inverse permutation to p, and x,y ∈ Zn.

Example:           p: • a • b • c • d • e • f          • g • h • i   • j   • k • l   • m
Example: n=26, k=3                                                                        n=26                   • F • G • N • E • A • T • X • Z • O • I             • Q • B • H
Encrypt: hello (7,4,11,11,14) to KHOOR (10,7,14,14,17)
• n • o • p • q • r         • s • t   • u • v • w • x • y • z
This special cipher (k=3) is called Caesar Cipher, because it is said that
• K • Y • W • V • C • P • J • L • S • D • M • U • R
Julius Caesar used it
computerscience         NYHWLJACPNOAKNA
yhpargotpyrC yeK terceS :1.2 retpahC                                                    7 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                          8 egaP
4 kitamrofnI rüf lhutsrheL                                                                                         4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                                emetsyS etlietrev dnu noitakinummoK

Affine Cipher                                                                                                      Vigenere Cipher
Idea: usage of several keys to encrypt blocks of characters. Thus, the same character of
Idea: combination of a shift cipher and a special permutation, made by a
plaintext is mapped onto several characters in cipher text
multiplication with a constant relatively prime to n.
Let m be a positive integer, P = C = K = (Zn)m.
Let P = C = Zn and K = {(a, b) ∈ Zn×Zn: gcd(a, n) = 1}.                                                              For a key k = (k1,k2,...,km), define
For k = (a, b) ∈ K, define                                                                                                    ek(x1,...,xm) = (x1 + k1,...,xm + km)
y = ek(x) = ax + b mod n                                                                                    and
and                                                                                                                           dk(y1,...,ym) = (y1 – k1,...,ym – km),
x = dk(y) = a-1(y – b) mod n, where x,y ∈Zn.                                                                where all operations are performed in Zn.

Example: n = 26, m=5, k=(7,4,11,11,14) (Keyword: hello)
Example: n = 26, k=(7,15)               hello   MROOJ                                                          Plaintext: chine|sepeo|ple (2,7,8,13,4); (18,4,15,4,14); (15,11,4)
(7,4,11,11,14) (12,17,14,14,9)                                         Adding:          • 2 • 7 • 8 • 13 • 4      • 18 • 4 • 15 • 4 • 14            • 15 • 11   • 4
7 · 7 + 15 mod 26 =   64 mod 26 = 12                                                    • 7 • 4 • 11 • 11 • 14         • 7 • 4 • 11 • 11 • 14      • 7 • 4 • 11
4 · 7 + 15 mod 26 =   43 mod 26 = 17                                                    • 9 • 11 • 19 • 24 • 18        • 25   • 8 • 0 • 15   • 2   • 22 • 15 • 15
11 · 7 + 15 mod 26 =   92 mod 26 = 14
14 · 7 + 15 mod 26 =   113 mod 26 = 9                                        Ciphertext: JLTYS|ZIAPC|WPP
yhpargotpyrC yeK terceS :1.2 retpahC                                                                      9 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                               01 egaP

4 kitamrofnI rüf lhutsrheL                                                                                         4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                                emetsyS etlietrev dnu noitakinummoK

Hill Cipher                                                                                                        Permutation Cipher
Idea: usage of several keys to encrypt blocks of characters. Instead of using a
Idea: use a permutation, but do not permute the characters, but their position
vector of keys, construct a matrix with certain properties

Let m be a positive integer,                                                                                                      Let m be a positive integer, P = C = (Zn)m, and K=S({1,...,m}).
K = {m × m invertible matrices over Zn} = {A ∈Znm×m | gcd(det(A),n) = 1}, P = C = (Zn)m.
For a key (a permutation) p ∈ K, we define
For a key k ∈K, we define
ep(x1,...,xm) = (xp(1),...,xp(m))
ek(x) = xk mod n
and
and
dp(y1,...,ym) = (ys(1),...,ys(m))
dk(y) = yk-1mod n,
where s = p-1 is the inverse permutation of p.
where x, y ∈ Zn.
3   13
(17,25 )                     = ( 9,4 )
⎛            ⎞
Example: n=37, m=2, P=C={0,...,9,_,a,...,z},                            ⎜            ⎟                                           Example: n=37, P=C={0,...,9,_,a,...,z}, m = 5.
22 15
3 13                               ⎝            ⎠
Plaintext:               [she_i|s_bea|utifu|l]
plaintext: good = (17,25,25,14), k =
⎛        ⎞
⎜
22 15
⎟                         3   13
( 25,14 )                    = (13,17 )
⎛            ⎞
⎝        ⎠
⎜
22 15
⎟                                           Key = (1,4,2,5,3)
⎝            ⎠

Cipher text:                    [_EISH|EBAS_|FIUUT|___L_]
Cipher text: 94CG

yhpargotpyrC yeK terceS :1.2 retpahC                                                                     11 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                               21 egaP
4 kitamrofnI rüf lhutsrheL                                                                                                  4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                                         emetsyS etlietrev dnu noitakinummoK

Breaking Monoalphabetic Ciphers                                                                                              Statistical Characteristics of English Language

letter   probability     letter   probability
Partition into five groups:
Monoalphabetic ciphers preserve the frequency of alphabetic characters, pairs, etc.                                        a         .082           n          .067          1. E, having probability about 0.12
→ Identify alphabetic characters due to their frequency                                                                 b         .015           o          .075          2. T,A,O,I,N,S,H,R, each having probabilities
Method to decipher natural languages:                                                                                      c         .028           p          .019               between 0.06 and 0.09
1. Determine frequency of alphabetic characters of the cipher text                                                         d         .043           q          .001          3. D,L, each having probabilities around 0.04
2. Identify alphabetic characters according to their frequency:                                                                                                              4. C,U,M,W,F,G,Y,P,B, each having
e         .127           r          .060
e, n, i, s, r, a, t (in Germany: e, n, r, i, s, t, u, d, a, g, l, o, ...)                                                                                                    probabilities between 0.015 and 0.028
f         .022           s          .063
1. Determine frequency of pairs                                                                                                                                              5. V,K,J,X,Q,Z, each having probabilities
g         .020           t          .091               less than 0.01
2. Identify e.g. er to distinguish between er and es
h         .061           u          .028
3. Look at identified text, re-substitute, guess, ...
i         .070           v          .010
Digram frequencies
j         .002           w          .023
th   .0315    in         .0169
k         .008           x          .001
he   .0251    er         .0154
Solution: extension of alphabet, e.g. Data Encryption Standard (DES): 264 characters                                        l         .040           y          .020
an   .0172    re         .0148
m         .024           z          .001

yhpargotpyrC yeK terceS :1.2 retpahC                                                                               31 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                         41 egaP

4 kitamrofnI rüf lhutsrheL                                                                                                  4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                                         emetsyS etlietrev dnu noitakinummoK

Example: Cipher Text from Affine Cipher                                                                                      Secrecy of Cryptosystems: Entropy
Entropy: mathematical measure of information or uncertainty. An event occurring
Cipher text:                                                                                                                   with probability p might be encoded by a bit string of approximate length -logc p
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH
Let X be an random variable which takes on a finite set of values
letter        a   b   c   d   e   f   g   h   i   j   k   l   m   n   o   p   q   r   s   t   u   v   w   x   y    z                  {x1,…, xm }, a constant c > 1, and
P (X = x j ) = p j with p j ≥ 0 for j = 1,… ,m, and
frequency     2   1   -   7   5   4   -   5   -   -   5   2   2   1   1   2   -   8   3   -   2   4   -   2   1    -                                                                                 m

∑p
j =1
j   =1
Guess:
• R (8 occurrences) is encryption of e                                                                                                the distribution of X .
• D (7 occurrences) is encryption of t                                                                                                                                    m

→ ek(4) = 17, ek(19) = 3
Entropy of X : H( X ) = −∑ p j ⋅ logc p j
j =1
→ 4a + b = 17, 19a + b = 3
→ a = 6, b = 19                                                                                                           Remark: c characterises the number of values for elements to be encoded.
Normal case: c = 2, i.e. xj ∈{0, 1}.
→ dk(y) = 9y - 19
Example: let c = 2, m = 8, and p1= ... = p8 = 0.125
Plaintext:                                                                                                                          → H(X) = 8 ⋅ (-0.125 ⋅ log20.125) = - log20.125 = 3
algorithmsarequitegeneraldefinitionsofarithmeticprocesses                                                                           → You need 3 binary values to encode (identify) one of the 8 characters
yhpargotpyrC yeK terceS :1.2 retpahC                                                                               51 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                         61 egaP
4 kitamrofnI rüf lhutsrheL                                                                          4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                 emetsyS etlietrev dnu noitakinummoK

Perfect Security                                                                                    Perfect Security - Properties

A cryptosystem has perfect security, if the probability for the plaintext to be x is                             Let (P,C,K,E,D) be an cryptosystem with P(P=x) > 0 for all x ∈ P,
independent of having observed the ciphered text to be y                                                         P(K=k) > 0 for all k ∈ K,
C = {e(x,k) | x ∈ P, k ∈ K} and |P| = |K|.
Let (P,C,K,E,D) be a cryptosystem,
Then: (P,C,K,E,D) has perfect security, if
P = {x1,...,xm}, K = {k1, ..., kl}, C = {y1,...,yn}
1
P: (W,A,P)       P random variable, P(P=xi) = pi                                                         P(K=k) =            for all k ∈ K
|K|
K: (W,A,P)       K random variable, P(K=kj) = qj                                                and for all x ∈ P, y ∈ C exists exactly one k ∈ K:
The distribution of C=e(M,K) is defined as                                                                e(x,k) = y

P (C = y 1 ) = r1 =            ∑ p ⋅q       i
i , j :e ( x i ,k j )= y 1
j
Example: let M = K = C = {A,...,Z}, define
ek(x) = x + k mod 26,
dk(y) = y – k mod 26.
1
Definition: A cryptosystem (P,C,K,E,D) has perfect security, if                                                 If P(K=k) =
|K|
H(M|C) = H(M)
then the cryptosystem has perfect security (for exactly one letter)

yhpargotpyrC yeK terceS :1.2 retpahC                                                      71 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                            81 egaP

4 kitamrofnI rüf lhutsrheL                                                                          4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                 emetsyS etlietrev dnu noitakinummoK

Stream Ciphers                                                                                      Structure of Stream Ciphers
Idea: convert a stream of plain text into a stream of cipher text by combining it
with a keystream as long as the plain text
Problem: how to produce key-streams?
• Stream ciphers encrypt a data stream as it comes in                                                    initial state
• Key is as long as the data stream
internal state                                         • Define initial state for keystream
• Example: Red Telephone between Moskov and Washington is secured with a
stream cipher                                                                                                    next state                  key k           • Define 'next state' function:
function                                     combine the current key-stream
• Practical Methods:
element with the key k and
Synchronous stream cipher                                                                          output function
previous cipher text characters
Self-synchronising stream cipher                                                                                                                        • Output function can further
Linear Feedback Shift Registers                                                                                                                           modify the internal state
keystream
• Encrypt each character xi of
zi                   zi                     plaintext with a character zi of the
ci
xi        ⊕                           ⊕       xi        keystream, e.g. by XOR (⊕)
cipher text
plaintext                                     plaintext

yhpargotpyrC yeK terceS :1.2 retpahC                                                      91 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                            02 egaP
4 kitamrofnI rüf lhutsrheL                                                                      4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                             emetsyS etlietrev dnu noitakinummoK

Definition of Stream Ciphers                                                                    Autokey Cipher (Simplest Stream Cipher)

Idea: use key k as initial state for the first character. For each following character, use
the previous one for encryption. Encryption is made like in shift cipher.
A Stream Cipher is a tuple (P,C,K,L,F,E,D), where the following conditions are
satisfied:
• P is a finite set of possible plaintexts                                                     Let P = C = K = L = Zn, z1= k, zi+1 = xi.                 Principle:
• C is a finite set of possible cipher texts                                                   For 0 ≤ z < n define                                      plaintext stream:         x1 x2 x3 ... xr
• K, the keyspace, is a finite set of possible keys                                                     ez(x) = x + z mod n                              encoding                + k x1 x2 ... xr-1
• L is a finite set called the keystream alphabet                                              and                                                       cipher stream:            c1 c2 c3 ... cr
• F = (f1, f2, ...) is the keystream generator                                                          dz(y) = y – z mod n,                             decoding                - k x1 x2 ... xr-1
For i ≥ 1, fi: K × Pi-1 → L                                                                  where x,y∈ Zn.                                            receiver gets:            x1 x2 x3 ... xr
• For each z ∈ L, there is an encryption rule ez ∈ E and a corresponding
Example: n = 26, k = 14, plaintext thisisinsecure
decryption rule dz ∈ D.
As stream of integers:   19 7 8 18 8 18 8                   13 18 4 2       20 17 4
ez : P → C and dz : C → P are functions such that dz(ez(x)) = x
for every plaintext x ∈ P                                                                   Keystream:                    14 19 7 8        18 8    18 8 13 18 4         2 20 17
Cipher text:     7 0                  15 0     0 0     0    21 5    22 6    22 1     21
→ HAPAAAAVFWGWBV
yhpargotpyrC yeK terceS :1.2 retpahC                                                  12 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                               22 egaP

4 kitamrofnI rüf lhutsrheL                                                                      4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                             emetsyS etlietrev dnu noitakinummoK

Vernam Cipher                                                                                   Security Problems of Vernam Cipher
Idea: use a special case of the Vigenere Cipher. Choose a vector of keys as long as the          Problem: if same key is used twice, the Vernam Cipher is insecure
plaintext. In the ideal case, the key is a randomly generated stream.

Let P = C = K = L = Zn.                                                       Let x1 = (m1, ..., ms), x2 = (n1, ..., ns), k = (z1, ..., zs),
1                                         yl = (c1, ..., cs) = (m1 + z1, ..., ms + zs)
For each z ∈ L, 0 ≤ j < n: p( z = j ) =
n                                         y2 = (d1, ..., ds) = (n1 + z1, ..., ns + zs)
define
Then for all i = 1, ..., s:
ez(x) = x + z mod n
and                                                                            (ci − d i )mod 26 = ((mi + zi ) mod 26 − (ni + zi ) mod 26)
dz(y) = y – z mod n,                                                                     = (mi − ni ) mod 26
where x,y ∈Zn.                                                                 Decrypt x1 and x2 at the same time by using differences of
common letters
Example: n = 2
Plaintext:           01010100000101111010
Key:                 11010100100101000110                                  Solution: Onetime Pad - any key is used only once.
Cipher Text:         10000000100000111100

yhpargotpyrC yeK terceS :1.2 retpahC                                                  32 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                               42 egaP
4 kitamrofnI rüf lhutsrheL                                                                          4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                 emetsyS etlietrev dnu noitakinummoK

Problem: Key Distribution                                                                          Synchronous Stream Cipher

Characteristics:
• Keystream is generated independently from cipher stream
• But… how can the randomly chosen key be communicated to the receiver?
• Key k is expanded into a keystream z1z2z3...
New problem: Transport of the key is as difficult as the transport of the message!
Solution: Usage of pseudo-random-generators
internal state                                               • The keystream generators on
→ Best known: x0 is starting value                                                                                                                                   sender and receiver side must be
xi+1 = a ⋅ xi + b mod 2, for a, b suitably chosen                                              next state                            key k          synchronised: if one bit is lost, on
Looks randomly, but is absolutely not random if x0 is known                                                  function                                            receiver side all following bits are
→ Synchronous stream cipher                                                                             output function                                              decrypted incorrectly
→ Self-synchronising stream cipher                                                                                                                                 • No propagation of transmission
errors: only the garbled bit is
→ Linear feedback shift register
decrypted incorrectly
keystream
But: Systems are no longer perfectly secure!                                                                                                                           • Protection against insertion and
zi                 zi
ci                                      deletion in the cipher text, because
xi       °                           °            xi          these would cause a loss of
cipher text                                 synchronisation
plaintext                                        plaintext
yhpargotpyrC yeK terceS :1.2 retpahC                                                     52 egaP    yhpargotpyrC yeK terceS :1.2 retpahC                                                                   62 egaP

4 kitamrofnI rüf lhutsrheL                                                                          4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                 emetsyS etlietrev dnu noitakinummoK
Generating a Keystream for Synchronous
Self-Synchronising Stream Ciphers
Stream Ciphers
Characteristics:
Simple examples for keystream ciphers are:
• Each keystream bit is a function of the previous n cipher text bits
• Shift Cipher                                                                           • The key k further modifies the output of the keystream generator
→ Use a constant keystream with z1 = z2 = z3 ...
initial state
• Vigenere Cipher
→ For k = (k1, ..., km) repeat key elements with period zi = zi+m
internal state                                               • Usage of a n-bit header randomly
k is the start vector
next state                                           keystream generators are
function                                            synchronised
But: practical keystreams must have a long period
• Use Vigenere Cipher with k = (k1, ..., km)                                          key k        output function                                            • Decryption keystream generator
automatically synchronises with
→ Keystream could be generated by zi+m = zi + zi+1 mod n
encryption keystream generator
→ Example: m = 4, n = 2, k = (1, 0, 0, 0)                                                keystream                                                       • Error propagation: for each cipher
With zi+4 = zi + zi+1 mod 2 generate                                                                   zi                      zi                       text bit gambled, the decryption
ci                                 keystream generator produces n
keystream: 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, ...                               xi       °                                °            xi     incorrect keystream bits
cipher text
plaintext
yhpargotpyrC yeK terceS :1.2 retpahC                                                     72 egaP    yhpargotpyrC yeK terceS :1.2 retpahC                                                                   82 egaP
4 kitamrofnI rüf lhutsrheL                                                                                    4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                           emetsyS etlietrev dnu noitakinummoK

Linear Feedback Shift Registers (LFSR)                                                                        Shift Register for Keystream Generation
Idea: Generate keystream by use of shift registers of length m
As initial state, use a key k = (k1, ..., km)
• Simplest example: Autokey Cipher for m = 1

Generation of keystream in three stages:                                                                       • For achieving a long period: see LFSR as polynomial
1.) k1 is used as next keystream bit                                                                               → Degree of polynomial is length of shift register:
2.) k2, ..., km are shifted one stage to the left            m −2                                                        k1 k2 k3 k4                   k4 ⋅ x4 + k3 ⋅ x3 + k2 ⋅ x2 + k1 ⋅ x + 1
3.) Compute the new value of km by a 'linear feedback': km = ∑ aj ⋅ kj + 1
j =0
→   For a maximal-period LFSR, the polynomial formed by the shift
The values aj ∉{0, 1} are coefficients which determine, which kj are to be                                         register plus the constant 1 must be a primitive polynomial mod 2
considered for computing km                                                                                    →   Primitive polynomial of degree n: irreducible polynomial that divides
n-1
x2 +1, but not xd +1 for any d that divides 2n -1
Example: m = 4                                                            3.)
+                                            • Combine several shift registers for longer periods
→ Examples: Geffe Generator, Alternating Stop-and-Go Generator
Actual keystream
bit                         k1                   k2                 k3                 k4
1.)                   2.)                   2.)              2.)
yhpargotpyrC yeK terceS :1.2 retpahC                                                               92 egaP    yhpargotpyrC yeK terceS :1.2 retpahC                                                         03 egaP

4 kitamrofnI rüf lhutsrheL                                                                                    4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                                           emetsyS etlietrev dnu noitakinummoK

Geffe Generator                                                                                               Alternating Stop-and-Go Generator

Characteristics:                                                                                              Characteristics:
• Keystream generator using 3 LFSRs, combined in nonlinear manner                                             • Keystream generator using 3 LFSRs of different length
→ Two LFSRs are input to a multiplexer                                                                        → LFSR-2 is clocked when the output of LFSR-1 is 1
→ One LFSR controls output                                                                                    → LFSR-3 is clocked when the output of LFSR-1 is 0
→ If a1, a2, a3 are outputs of the LFSRs, the overall output is                                               → The output is a xor of LFSR-2 and LFSR-3
b = (a1 ∧ a2) ⊕ (¬ (a1) ∧ a3)

• Linear complexity: if the LFSRs have the                                     LFSR-2
lengths n1, n2, n3 the linear complexity of the    LFSR-1
LFSR-2
a2                                              generator is (n1 + 1)n2 + n1n3
2-to-1                 b            (the '+1' comes from the negation operation)                                                 ⊕         b
Multiplexer
LFSR-3                                                   • Cryptographically weak, falls to a correlation                                                             • Long period and large linear complexity
a3
attack: the output b equals the output of         clock                                                    • Correlation attack against LFSR-1
LFSR-2 and LFSR-3 75% of the time                                            LFSR-3                          possible, but it does not substantially
LFSR-1
a1                                                                                                                                                           weaken the generator

yhpargotpyrC yeK terceS :1.2 retpahC                                                               13 egaP    yhpargotpyrC yeK terceS :1.2 retpahC                                                         23 egaP
4 kitamrofnI rüf lhutsrheL                                                                    4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                           emetsyS etlietrev dnu noitakinummoK

Block Ciphers                                                                                 Definition of Block Ciphers

A Block Cipher is a function which maps n-bit plaintext blocks to n-bit cipher text
blocks; n is called the blocklength
•Block ciphers simultaneously encrypt groups of characters of a
plaintext message using a fixed encryption transformation                            A n-bit Block Cipher is a tuple (P,C,K,E,D), where the following conditions are
satisfied:
•Memoryless, i.e. the same function (and the same key) is used to
encrypt successive blocks                                                            •P = Zmn is a finite set of possible plaintext blocks over Zm of length n
•Practical Methods:                                                                  •C = Zmn is a finite set of possible cipher text blocks over Zm of length n
Data Encryption Standard (DES)                                                •K, the keyspace, is a finite set of possible keys
International Data Encryption Algorithm (IDEA)                                •For each k ∈ K, there is an encryption rule ek ∈ E and a corresponding decryption
rule dk ∈ D:
ek : P x K → C is an bijective mapping (the encryption function for k), and
dk : C x K → P is the inverse mapping (the decryption function)
with dk(ek(x)) = x for every plaintext x ∈ P.

yhpargotpyrC yeK terceS :1.2 retpahC                                                33 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                      43 egaP

4 kitamrofnI rüf lhutsrheL                                                                    4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK                                                           emetsyS etlietrev dnu noitakinummoK

Design Characteristics for Block Ciphers                                                      Definition of Encryption Function ek
Choice of blocklength n                                                                     Encryption function
• n too long → complex algorithm, performance loss                                          • Use a combination of substitution and permutation, called a round
• n too short → weak encryption, easy to attack                                             • Number of rounds determines the quality of the encryption
• Modern variants use n = 40 - 256 bit, 64 bit is seen as the right compromise              Substitution
Definition of encryption function ek                                                        • Divide a n-bit block in smaller chunks with m bit ( typically m = 4 - 16)
• Assume n = 64, m = 2: mapping of 264 → 264 values would take about 270 bit                • Replacing a m-bit block with another one by using a table
• For encryption and decryption it is not possible to use a table                           Permutation
→ using algorithms for replacing blocks                                                   • Exchanging bits by using an invertible function (Permutation Cipher)
• Achieving different results by using a secret key k in the algorithm                      Result of one round
→ symmetric cryptography, secret key cryptography                                         • Should look like a succession of random numbers
• Good algorithms can be published, data are protected by hiding the key                    • Each input bit should have the same influence on an output bit
Choice of the key length of k                                                               • Achieved by alternating application of substitution and permutation
• Practical key length: 40 - 256 bit                                                        • Suitable choice n = m², i.e. each bit of one m-bit chunk of the input block
• k too short → systematic testing of all valid keys (Brute Force attack)                   • Can be passed to a different m-bit chunk of the output block
• Against Brute Force attacks, a minimum of 70 bit are necessary                            Remark: encryption and decryption have the same expense
yhpargotpyrC yeK terceS :1.2 retpahC                                                53 egaP   yhpargotpyrC yeK terceS :1.2 retpahC                                                      63 egaP
4 kitamrofnI rüf lhutsrheL
emetsyS etlietrev dnu noitakinummoK

One Round in an Encryption Function

64 bit input block

8 bit    8 bit   8 bit     8 bit     8 bit    8 bit   8 bit   8 bit
• Input block with 64 bit
k      S1       S2       S3       S4        S5       S6      S7      S8     • Divide input block into
8-bit pieces (n = m2)
• 8-bit substitution functions
8 bit    8 bit   8 bit     8 bit     8 bit    8 bit   8 bit   8 bit     si derived from the key k
• Join 8-bit blocks into an
intermediate block
64 bit intermediate block
• Permutation of the 64 bits,
possibly based on the key
(best diffusion of single
bits by mapping the bits of
an 8-bit piece into different
64 bit output block                             output pieces
yhpargotpyrC yeK terceS :1.2 retpahC                                                            73 egaP

```
DOCUMENT INFO
Shared By:
Categories:
Stats:
 views: 11 posted: 2/2/2010 language: Croatian pages: 10