Session 1
Stream ciphers 1
Introduction
• If the level of security is not the highest one, instead of the Vernam cipher, a stream cipher can be used.
• Stream cipher:
– A deterministic algorithm produces a pseudo-noise sequence (PN-sequence) that satisfies the 3 Golomb's postulates.
– The key is short – much shorter than the plaintext – practical.
2/65
Introduction
[Figure: block diagram of a stream cipher. The transmitter and the receiver run the same deterministic algorithm on the shared key to produce the keystream z_i; the transmitter sends y_i = x_i ⊕ z_i over the communication channel and the receiver recovers x_i = y_i ⊕ z_i.]
Linear feedback shift registers
• LFSR theory is developed enough to enable thorough analysis of the properties of the output sequence of a PN sequence generator containing LFSRs.
• Because of that, the vast majority of PN generators are designed by combining LFSRs and non-linear Boolean functions.
Linear feedback shift registers
• A linear feedback shift register (LFSR):
– n single-symbol memory cells (stages)
– A linear feedback function – to express each new symbol of the output sequence as a linear function of the n previous symbols
• The contents of the flip-flops are shifted one position at every clock pulse
Linear feedback shift registers
[Figure: an LFSR with n stages and its feedback function g – linear!]
Linear feedback shift registers
• The state of the register – the contents of the stages between two clock pulses
• The initial state – the contents of the stages at the moment of the beginning of the process
Linear feedback shift registers
• The state diagram of a LFSR is never
singular, because the linear feedback
function satisfies the non-singularity
condition:
ntanta,,ta,tagta 121
8/65
Linear feedback shift registers
• The maximum possible period of the output sequence is 2^n − 1.
• The all-zero initial state is not used, because in that case only the all-zero sequence would be produced.
• The key – the initial contents of the LFSR.
Linear feedback shift registers
• The feedback function g of a LFSR is a linear recurrence – linear recurring sequences of order n:
a(t+n) = c_1 a(t+n−1) ⊕ c_2 a(t+n−2) ⊕ … ⊕ c_n a(t),   c_i ∈ {0, 1}, i = 1, …, n
• It is possible to associate the characteristic (feedback) polynomial to every linear recurrence:
f(x) = 1 + c_1 x + c_2 x^2 + … + c_n x^n
• Analysis of the properties of the output sequence is made easier in such a way.
Linear feedback shift registers
Example: An LFSR of length 4.
Feedback polynomial: f(x) = 1 + x + x^4
Linear recurrence: a(t+4) = a(t+3) ⊕ a(t)
Initial state: 1 0 0 0
Successive states (the new symbol enters from the left):
1 0 0 0
1 1 0 0
1 1 1 0
1 1 1 1
0 1 1 1
1 0 1 1
0 1 0 1
1 0 1 0
Generated sequence: 1 1 1 0 1 0 1 ……
Linear feedback shift registers
• The characteristics of the output sequence of the LFSR depend on the characteristics of the feedback polynomial
• The feedback polynomial can be:
– reducible
– irreducible
– primitive
Linear feedback shift registers
Example 1: Reducible feedback polynomial
x^4 + x^2 + 1 = (x^2 + x + 1)(x^2 + x + 1)
State cycles (4-bit states, one cycle per line):
– 0000
– 0110, 1011, 1101
– 0001, 1000, 0100, 1010, 0101, 0010
– 0011, 1001, 1100, 1110, 1111, 0111
• LFSRs with reducible feedback polynomial:
– The length of the output sequence depends on the initial state
– Not adequate for use in cryptography
Linear feedback shift registers
Example 2: Irreducible feedback polynomial
State cycles (4-bit states, one cycle per line):
– 0000
– 0001, 1000, 1100, 0110, 0011
– 0010, 1001, 0100, 1010, 0101
– 1111, 0111, 1011, 1101, 1110
• LFSRs with irreducible feedback polynomial:
– The length of the output sequence does not depend on the initial state (except the all-zero state)
– The period T is a factor of 2^L − 1, L is the length of the LFSR
– Not adequate for use in cryptography
Linear feedback shift registers
Example 3: Primitive feedback polynomial
State cycles (4-bit states, one cycle per line):
– 0000
– 1000, 1100, 1110, 1111, 0111, 1011, 0101, 1010, 1101, 0110, 0011, 1001, 0100, 0010, 0001
PN-sequence (m-sequence): 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 …..
The maximum possible period for this type of generator.
• LFSRs with primitive feedback polynomial:
– The length of the sequence does not depend on the initial state (except the all-zero state)
– The period is 2^L − 1
– Adequate for use in cryptography, because the output sequence satisfies all the Golomb's postulates
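The length-4 LFSR of the earlier example and Examples 1 and 3 above, as an added Python model that is not part of the original slides: it follows the slides' convention (feedback polynomial 1 + c_1 x + … + c_n x^n, recurrence a(t+n) = c_1 a(t+n−1) ⊕ … ⊕ c_n a(t), new symbol entering from the left), lists the state cycles of the reducible polynomial 1 + x^2 + x^4 and of the primitive polynomial 1 + x + x^4, and reproduces the PN-sequence 111010110010001. All function names are my own.

```python
from itertools import product

def lfsr_step(state, taps):
    """One clock pulse. state = (a(t+n-1), ..., a(t)) with the newest symbol first, taps = (c_1, ..., c_n).
    The new symbol a(t+n) enters from the left and the oldest stage drops out."""
    new = 0
    for c, bit in zip(taps, state):  # a(t+n) = c_1 a(t+n-1) + ... + c_n a(t) over GF(2)
        new ^= c & bit
    return (new,) + state[:-1]

def output_bits(taps, init, count):
    """The symbols produced by the feedback function, as listed in the examples above."""
    seq, s = [], init
    for _ in range(count):
        s = lfsr_step(s, taps)
        seq.append(s[0])
    return seq

def period(taps, init):
    """Clock pulses until the register is back in state init, i.e. the length of its cycle."""
    s, n = lfsr_step(init, taps), 1
    while s != init:
        s, n = lfsr_step(s, taps), n + 1
    return n

def state_cycles(taps):
    """Partition all 2^n states into the cycles of the state diagram (never singular for an LFSR)."""
    seen, cycles = set(), []
    for start in product((0, 1), repeat=len(taps)):
        if start in seen:
            continue
        cycle, s = [], start
        while s not in seen:
            seen.add(s)
            cycle.append(s)
            s = lfsr_step(s, taps)
        cycles.append(cycle)
    return cycles

REDUCIBLE = (0, 1, 0, 1)  # f(x) = 1 + x^2 + x^4 = (x^2 + x + 1)^2, Example 1
PRIMITIVE = (1, 0, 0, 1)  # f(x) = 1 + x + x^4, the length-4 example and Example 3

if __name__ == "__main__":
    for name, taps in (("reducible", REDUCIBLE), ("primitive", PRIMITIVE)):
        print(name, "cycle lengths:", sorted(len(c) for c in state_cycles(taps)))
    print("PN-sequence:", "".join(map(str, output_bits(PRIMITIVE, (1, 0, 0, 0), 15))))
```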
• Thus, to use LFSRs in pseudorandom sequence generators we need primitive polynomials.
• How do we get them?
• We need some basic concepts of abstract algebra – groups, rings, Galois fields.
Groups
• A group is an algebraic structure consisting of a non-empty set G and a binary operation *: G × G → G such that the following axioms of the group are satisfied:
– Closure
– Associativity
– Existence of the identity (neutral) element
– Existence of the inverse element for each element of G.
Groups
• Closure: ∀x, y ∈ G: x * y ∈ G
• Associativity: ∀x, y, z ∈ G: (x * y) * z = x * (y * z)
• Existence of the neutral element: ∃e ∈ G such that ∀x ∈ G: e * x = x * e = x
• Existence of the inverse elements: ∀x ∈ G ∃x^−1 ∈ G such that x * x^−1 = x^−1 * x = e
Groups
• Multiplicative group – the operation * is the multiplication, i.e. "·"
– The identity element is 1
– The inverse element is x^−1
• Additive group – the operation * is the sum, i.e. "+"
– The identity element is 0
– The inverse element is −x
Groups
• Examples of additive groups:
– Z, Q, R, C
– ∀n ∈ N, Z_n = {0, 1, 2, …, n−1}, where the operation is the sum modulo n.
• Examples of multiplicative groups:
– Q \ {0}, R \ {0}
– ∀n ∈ N, Z_n^* = {x ∈ Z_n : gcd(x, n) = 1}, where the operation is the multiplication modulo n
Groups
• If in the group G the operation * fulfils the commutative property, i.e. ∀x, y ∈ G: x * y = y * x, then G is a commutative or Abelian group
• If G is a finite group, the number of elements in G is called the order of G and is represented by #G.
Groups
• An element g ∈ G is a generator of G if every element of G can be written as a power of g. G is then a cyclic group
• The cyclic group: G = {e = g^0, g^1, g^2, g^3, …, g^(n−1)}
Groups
• Example: show that 5 is a generator of Z_12 = {0, 1, …, 11}, e = 0 (additive group: the "power" 5^k is the sum of k copies of 5 modulo 12)
5^0 = 0 = e
5^1 = 5
5^2 = 5 * 5 = 5 + 5 = 10
5^3 = 5 * 5 * 5 = 5 + 5 + 5 = 15 = 3 (mod 12)
5^4 = 3 + 5 = 8
5^5 = 8 + 5 = 13 = 1 (mod 12)
5^6 = 1 + 5 = 6
5^7 = 6 + 5 = 11
5^8 = 11 + 5 = 16 = 4 (mod 12)
5^9 = 4 + 5 = 9
5^10 = 9 + 5 = 14 = 2 (mod 12)
5^11 = 2 + 5 = 7
Groups
• A nonempty subset H of G is called a subgroup of G if it is closed for the operation * and the inversion, i.e. ∀x, y ∈ H: x * y ∈ H, x^−1 ∈ H
• The Lagrange theorem:
– If G is a finite group and H is its subgroup, then #H divides #G, i.e. #H | #G
Groups
• Examples:
– A group of order 8 can have subgroups of order 2 and 4, but not of order 3 or 6.
– A finite group whose order is a prime number cannot have proper subgroups.
Groups
• The order of an element g ∈ G of a finite group is the least positive integer k such that g^k = e.
• If k is the order of g ∈ G, then {e, g, g^2, …, g^(k−1)} is a subgroup of G.
• Corollary of the Lagrange theorem:
– In a finite group, the order of each element divides the order of the group.
Groups
• Example: a subgroup of Z_8 = {0, 1, 2, 3, 4, 5, 6, 7}, e = 0, generated by g = 2:
2^0 = 0 = e
2^1 = 2
2^2 = 2 + 2 = 4
2^3 = 2 + 2 + 2 = 6
2^4 = 6 + 2 = 8 = 0 (mod 8)
H = {0, 2, 4, 6}, k = 4, #H = k, #H | #G
Rings
• A ring is an algebraic structure consisting of a non-empty set G and 2 binary operations called summation, i.e. "+", and multiplication, i.e. "·", such that the following holds:
– (G, +) is an abelian group
– The structure (G, ·): closure, associativity and the existence of the neutral element
– Multiplication distributes over addition, i.e.
(a + b) · c = a · c + b · c
a · (b + c) = a · b + a · c
Fields
• A field is an algebraic structure consisting of a non-empty set G and 2 binary operations called summation, i.e. "+", and multiplication, i.e. "·", such that the following holds:
– (G, +) is an abelian group – the additive group of the field
– (G \ {0}, ·) is an abelian group – the multiplicative group of the field
– Multiplication distributes over addition.
Fields
• Every field is a ring but the converse is not true
• The difference is:
– The structure (G \ {0}, ·) of the field is a commutative group and in a general ring this is not required.
Fields
• Examples:
– Field of rational numbers Q.
– If p is a prime number, then Z_p is a field
• (Z_p, +) is an additive commutative group.
• (Z_p \ {0}, ·) is a multiplicative commutative group.
Finite fields
• A finite field is a field with a finite number of elements, i.e. the set G is finite.
• Theorem (1)
– (i) The number of elements of a finite field F must be equal to the power of a prime number, i.e. #F = p^m.
• p is the characteristic of the field.
• The field is represented by GF(p^m) (Galois Field).
Finite fields
• Theorem (2)
– (ii) There is only one finite field of p^m elements. If we fix an irreducible polynomial f(x) of degree m with coefficients in Z_p, the elements of GF(p^m) are represented as polynomials with coefficients in Z_p of degree < m and the product of elements of GF(p^m) is realized as the product of polynomials modulo f(x).
GF(p^m) = {a_0 + a_1 x + a_2 x^2 + … + a_(m−1) x^(m−1) ; a_0, a_1, …, a_(m−1) ∈ Z_p}
Finite fields
• The finite field GF(p^m) is called the extension field of the field GF(p).
• Theorem:
– The multiplicative group of GF(p^m) is cyclic, i.e. there is at least 1 generator of all its elements.
• This generator is called a primitive element of the field GF(p^m)
Finite fields
• Example (1): p = 2, m = 3, f(x) = x^3 + x + 1, irreducible
– The elements of the field (1):
• 0, or 000
• α^0 = 1, or 001 (1 in the polynomial notation)
• The subsequent elements are obtained by multiplying the immediate predecessors by x and reducing modulo f(x), i.e.
• α^1 = x, or 010
• α^2 = x^2, or 100
Finite fields
• Example (2):
– The elements of the field (2):
• α^3 = x · x^2 = x^3 mod (x^3 + x + 1) = x + 1, or 011
• α^4 = x · (x + 1) = x^2 + x, or 110
• α^5 = x · (x^2 + x) = x^3 + x^2 mod (x^3 + x + 1) = x^2 + x + 1, or 111
• α^6 = x · (x^2 + x + 1) = x^3 + x^2 + x mod (x^3 + x + 1) = x^2 + 1, or 101
Testing irreducibility
• The fundamental theorem of arithmetic:
– Every positive integer can be represented in a unique way as a product of prime factors.
• Analogue in a GF:
– Every polynomial in a GF can be represented in a unique way as a product of irreducible factors.
• An irreducible polynomial has no irreducible factors except 1 and itself.
Testing irreducibility
• Theorem
– If a polynomial f(x) of degree n in GF(q) does not have common factors with x^(q^k) − x mod f(x), k = 1, …, ⌊n/2⌋, then it is irreducible.
• To determine whether a given polynomial has common factors with some other polynomial we can use the Euclidean algorithm
Testing irreducibility
• Example – polynomials in GF(2)
– Find (x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x)
(x^5 + x^4 + x^2 + x) = x (x^4 + x^3 + x^2 + x) + (x^3 + x)
(x^4 + x^3 + x^2 + x) = (x + 1)(x^3 + x) + 0
(x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x) = (x^3 + x)
Testing irreducibility
• Example – Determine if the polynomial f(x) = x^4 + x + 1 in GF(2) is irreducible.
n = 4, ⌊n/2⌋ = 2, k = 1, 2
k = 1: x^2 − x mod (x^4 + x + 1) = x^2 + x; (x^4 + x + 1, x^2 + x) = 1
k = 2: x^4 − x mod (x^4 + x + 1) = x + 1 + x = 1; (x^4 + x + 1, 1) = 1
Irreducible
Testing irreducibility
• Example – Determine if the polynomial f(x) = x^4 + x^2 + 1 in GF(2) is irreducible.
n = 4, ⌊n/2⌋ = 2, k = 1, 2
k = 1: x^2 − x mod (x^4 + x^2 + 1) = x^2 + x; (x^4 + x^2 + 1, x^2 + x) = 1
k = 2: x^4 − x mod (x^4 + x^2 + 1) = x^2 + 1 + x = x^2 + x + 1; (x^4 + x^2 + 1, x^2 + x + 1) = x^2 + x + 1 ≠ 1
Not irreducible
Primitive polynomials
• The order of a polynomial P(x), P(0) ≠ 0, is the smallest integer e for which P(x) divides x^e − 1.
• In a finite field GF(q), if the order of an irreducible polynomial P(x) of degree n is q^n − 1, this polynomial is called a primitive polynomial.
Primitive polynomials
• Thus, to test whether a polynomial P(x), deg P(x) = n in GF(q) is primitive:
– Test whether P(x) is irreducible
– If P(x) is irreducible, check whether it divides the polynomials x^k − 1, n ≤ k < q^n − 1
– If P(x) does NOT divide any of the polynomials above, then it is primitive.
• Obviously, this procedure is not efficient.
Primitive polynomials
• Example:
– The polynomial f(x) = x^4 + x + 1 of degree 4 in GF(2) is irreducible and does not divide any of the polynomials x^4 − 1, x^5 − 1, …, x^14 − 1. Because of that, it is primitive.
Primitive polynomials
• Theorem (Alanen, Knuth, 1964; Herlestam, 1982)
– A polynomial f(x) in GF(q), q = p^m, deg f(x) = n, is primitive if and only if it satisfies the following:
1. f(x) ≠ 0 for all x ∈ GF(q)
2. x^(q^n) ≡ x (mod f(x))
3. For all prime factors p' of q^n − 1: x^((q^n − 1)/p') ≢ 1 (mod f(x))
Primitive polynomials
• For q = 2, the polynomial f(x) must have odd weight (i.e. an odd number of terms)
• Problem
– Factorization of q^n − 1 is needed
• If q^n − 1 is a prime, condition 3 of the theorem is trivially satisfied.
• For q = 2, primes of the form 2^n − 1 are called Mersenne primes.
Primitive polynomials
• The first 24 Mersenne primes are obtained for the following values of n:
2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689, 9941, 11213, 19937.
• Thus, a polynomial in GF(2) of odd weight, of degree n such that 2^n − 1 is a Mersenne prime, is primitive if x^(2^n) ≡ x (mod f(x)), which is easy to check in practice.
Primitive polynomials
• How many primitive polynomials with coefficients in GF(2) of degree n are there?
N_n = φ(2^n − 1) / n
• Example:
n = 11, N_n = 176
n = 24, N_n = 276480
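The irreducibility test (gcd with x^(2^k) − x mod f(x)), the Euclidean algorithm, the Alanen-Knuth primitivity test for q = 2 and the count N_n above, as an added Python example that is not part of the original slides: polynomials over GF(2) are stored as Python ints (bit i is the coefficient of x^i), the function names are my own, and 2^n − 1 is factored by trial division, which only fits the small degrees used here.

```python
X = 0b10  # the polynomial x; every polynomial over GF(2) is an int whose bit i is the coefficient of x^i

def pmod(a, m):  # a(x) mod m(x) in GF(2)[x]
    dm = m.bit_length() - 1
    while a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def pmulmod(a, b, m):  # a(x) * b(x) mod m(x)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = pmod(a << 1, m), b >> 1
    return pmod(r, m)

def ppowmod(a, e, m):  # a(x)^e mod m(x) by square-and-multiply
    r = 1
    while e:
        if e & 1:
            r = pmulmod(r, a, m)
        a, e = pmulmod(a, a, m), e >> 1
    return r

def pgcd(a, b):  # Euclidean algorithm in GF(2)[x], as in the (x^5+x^4+x^2+x, x^4+x^3+x^2+x) example
    while b:
        a, b = b, pmod(a, b)
    return a

def is_irreducible(f):
    """f of degree n is irreducible when gcd(f, x^(2^k) - x mod f) = 1 for k = 1..floor(n/2)."""
    n = f.bit_length() - 1
    # subtraction is XOR in GF(2), so x^(2^k) - x reduced mod f is ppowmod(X, 2**k, f) ^ X
    return all(pgcd(f, ppowmod(X, 2 ** k, f) ^ X) == 1 for k in range(1, n // 2 + 1))

def prime_factors(m):  # distinct prime factors by trial division (enough for the small 2^n - 1 used here)
    ps, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            ps.add(d)
            m //= d
        d += 1
    return ps | {m} if m > 1 else ps

def is_primitive(f):
    """Alanen-Knuth test for q = 2: f is primitive iff the three conditions of the theorem hold."""
    n = f.bit_length() - 1
    if not (f & 1) or bin(f).count("1") % 2 == 0 or ppowmod(X, 2 ** n, f) != X:
        return False  # 1. f(0) != 0 and f(1) != 0, i.e. odd weight;  2. x^(2^n) = x (mod f)
    order = 2 ** n - 1  # 3. x^((2^n - 1)/p') != 1 (mod f) for every prime p' dividing 2^n - 1
    return all(ppowmod(X, order // p, f) != 1 for p in prime_factors(order))
```

Counting the primitive polynomials of degree n with `sum(is_primitive(f) for f in range((1 << n) | 1, 1 << (n + 1), 2))` reproduces N_4 = 2 and N_11 = 176.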
Primitive polynomials
• Not all primitive polynomials are suitable for use in LFSRs:
– Primitive polynomials with too concentrated terms (i.e. with terms containing powers of x that are of very similar magnitude)
– Primitive polynomials of degree n such that 2^n − 1 contains many small prime factors
– There are attacks against schemes with LFSRs using such feedback polynomials.
Primitive polynomials
• Example 1:
– For n = 61, 2^61 − 1 = 2305843009213693951 is a Mersenne prime. Recommended for use in LFSRs.
• Example 2:
– For n = 63, 2^63 − 1 = 7^2 · 73 · 127 · 337 · 92737 · 649657 is not a Mersenne prime. It is not recommended for use in LFSRs.
Primitive polynomials
• Thus, a good strategy is to use an LFSR with a primitive feedback polynomial of degree n such that 2^n − 1 is a Mersenne prime.
• But if 2^n − 1 has a small number of large prime factors, it can also be used in LFSRs
• Example: n = 103, 2^103 − 1 = 2550183799 · 3976656429941438590393
Primitive polynomials
• The reciprocal polynomial of the polynomial f(x) of degree n: f*(x) = x^n f(1/x)
• Theorem
– If f(x) is primitive, f*(x) is also primitive.
Primitive polynomials
• Example:
– f(x) = 1 + x + x^4 – This polynomial is primitive
– f*(x) = x^4 f(1/x) = x^4 (1 + 1/x + 1/x^4) = x^4 + x^3 + 1 – This polynomial is also primitive
Linear complexity
• The length L of the smallest LFSR capable of generating the given sequence
• The Berlekamp-Massey algorithm (1969):
– Input: the given binary sequence
– Output: 1. <C(D), L>: C(D) is the feedback polynomial and L is the length of the equivalent LFSR
2. the initial state of the equivalent LFSR
The Berlekamp-Massey algorithm
• Input to one step: n digits of a sequence
• Determines the minimum LFSR capable of generating them
• If the digit n+1 of the sequence can be generated by the current LFSR, the length of the current LFSR is preserved
• Otherwise, a longer LFSR is needed
The Berlekamp-Massey algorithm
• The Berlekamp-Massey algorithm is based on the following theorems:
• Theorem 1
– If <C(D), L> generates the prefix s^n of the intercepted sequence, but does not generate s^(n+1), then LC(s^(n+1)) ≥ n + 1 − L
The Berlekamp-Massey algorithm
• Example: n = 6, L = 2, the LFSR generates the sequence 110110. Can it generate 1101100?
Register trace (columns: feedback symbol, stage 1, stage 2; the output is the last column):
0 1 1
1 0 1
1 1 0
0 1 1
1 0 1
1 1 0
0 1 1
Generates 110110, but does not generate 1101100: the seventh output symbol is 1, not 0 (discrepancy).
LC(1101100) ≥ 6 + 1 − 2 = 5
The Berlekamp-Massey algorithm
• Theorem 2
– If <C(D), L> generates s^n, but does not generate s^(n+1) (discrepancy d_n ≠ 0) and <C*(D), L*> generates s^m, but does not generate s^(m+1) (discrepancy d_m ≠ 0), where 0 ≤ m < n, then
<C(D) − (d_n / d_m) D^(n−m) C*(D), max(L, L* + n − m)> generates s^(n+1).
The Berlekamp-Massey algorithm
• Theorem 3
– If <C(D), L> with L = LC(s^n) generates s^n, but does not generate s^(n+1), then LC(s^(n+1)) = max(LC(s^n), n + 1 − LC(s^n))
The Berlekamp-Massey algorithm
[Figure: flowchart of the Berlekamp-Massey algorithm; the recoverable labels are Δ = d_n, Δ* = d_m and j = n − m.]
The Berlekamp-Massey algorithm
• Example: N = 7, GF(2), s_0, …, s_6 = 1, 1, 0, 1, 0, 0, 1
Solution: C(D) = 1 + D + D^3, L = 3
Trace of the equivalent LFSR (columns: the three stages and the output symbol, which is the last column):
0 1 1 1
1 0 1 1
0 1 0 0
0 0 1 1
1 0 0 0
1 1 0 0
1 1 1 1
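Theorems 1 to 3 above turned into a Python implementation of the Berlekamp-Massey algorithm over GF(2), as an added example that is not part of the original slides (function names are my own): it returns <C(D), L> = <1 + D + D^3, 3> for the N = 7 sequence and shows that 110110 is generated by a register of length 2 while 1101100 needs length 5.

```python
def discrepancy(C, L, s, i):
    """d_i = s_i + c_1 s_(i-1) + ... + c_L s_(i-L) over GF(2); it is 0 iff <C(D), L> predicts s_i."""
    d = s[i]
    for j in range(1, L + 1):
        d ^= C[j] & s[i - j]
    return d

def generates(C, L, s):
    """True if the LFSR <C(D), L> reproduces all of s from its first L symbols."""
    return all(discrepancy(C, L, s, i) == 0 for i in range(L, len(s)))

def berlekamp_massey(s):
    """Return (C, L) for the binary sequence s: C = [1, c_1, ..., c_L] are the coefficients of
    C(D) = 1 + c_1 D + ... + c_L D^L and L = LC(s) is the length of the smallest LFSR generating s."""
    n = len(s)
    C = [1] + [0] * n          # current feedback polynomial <C(D), L>
    B = [1] + [0] * n          # <C*(D), L*> of Theorem 2: the polynomial before the last length change
    L, m = 0, -1               # m: step of the last length change (d_m != 0 there)
    for i in range(n):
        d = discrepancy(C, L, s, i)
        if d == 0:             # the current LFSR also generates s^(i+1): keep <C(D), L>
            continue
        T = C[:]
        # Theorem 2 with d_i / d_m = 1 in GF(2): C(D) <- C(D) + D^(i-m) C*(D)
        for j in range(n + 1 - (i - m)):
            C[j + i - m] ^= B[j]
        if 2 * L <= i:         # Theorem 3: LC(s^(i+1)) = max(L, i + 1 - L); the length grows
            L, m, B = i + 1 - L, i, T
    return C[:L + 1], L

if __name__ == "__main__":
    seq = [1, 1, 0, 1, 0, 0, 1]                      # the N = 7 example above
    C, L = berlekamp_massey(seq)
    print("C(D) coefficients:", C, "L =", L)        # [1, 1, 0, 1], i.e. 1 + D + D^3, L = 3
    print(generates([1, 1, 1], 2, [1, 1, 0, 1, 1, 0]), generates([1, 1, 1], 2, [1, 1, 0, 1, 1, 0, 0]))
```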