Lec(5,6,7) Stream Cipher Systems

Chapter Three: Stream Cipher Systems
3.1 RUNNING-KEY CIPHER:
If the key is chosen to be as long as the plaintext message, the cipher is called a running-key cipher. The text of a book can be used as the key sequence in a substitution cipher based on shifted alphabets (i.e. a non-periodic Vigenère cipher). A running-key cipher might be expected to be unbreakable because its key is non-periodic, but the key has redundancy because its characters are not random.
Example:
Given a key K selected from a textbook and a message M:
M:      T H E T R E A S U R E I S B U R I E D ....
K:      T H E S E C O N D C I P H E R I S A N ....
EK(M):  M O I L V G O F X T M X Z F L A A E Q ....
If the key has redundancy, the cipher may be breakable using Friedman's method. Friedman's approach is based on the observation that a large proportion of the letters in the ciphertext will correspond to encipherments where both the plaintext letter and the key letter fall in the high-frequency category.
3.2 VERNAM CIPHER:
The implementation of the one-time pad cipher was invented by Gilbert Vernam in 1917; he designed a cryptographic device based on the 32-character Baudot code for the new teletypewriter developed at AT&T. Each character is represented as a combination of five marks and spaces corresponding to 1 and 0. Vernam's idea was to run a second, synchronized, non-repeating random sequence of key characters punched on paper tape during transmission, so that each Baudot bit (0 or 1) on the message tape is XORed with the corresponding value on the key tape. Each plaintext bit is added (mod 2) to the key stream bit, generating a ciphertext bit stream:
C = EK(M) = C1, C2, C3, ...
where Ci = (mi + ki) mod 2
The Vernam cipher is efficiently implemented in microelectronics by taking the exclusive-or (XOR):
2010 -2011
Ci = mi XOR ki
Ci XOR ki = mi XOR (ki XOR ki) = mi
where ki XOR ki = 0
XOR truth table:
X1  X2  X1 XOR X2
 0   0      0
 0   1      1
 1   0      1
 1   1      0
Example (Baudot codes):
M = A: 11000
K = D: 10010
E(M):  01010
If the Vernam key is repeated, the cipher is equivalent to a running-key cipher with a text as the key. There were two immediate problems: first, both parties have to possess identical copies of the key tape; second, repeated use of the tape carried the danger that an opponent could work out the period of the repetition cycle.
3.3 ONE-TIME PAD CIPHER:
Army cryptologist Major Joseph Mauborgne, who carried out research into Vernam's system, suggested an endless tape containing a sequence of random characters, used as the key stream once and once only. If a piece of this key is used to encrypt a message, then there is not enough information to break the cipher. Such a cipher is called a one-time pad cipher, because the key is never repeated (i.e. it is not periodic). If the plaintext message M consists of m1 m2 m3 ... md, then a piece of one-time key k1 k2 k3 ... kd is used to encrypt this message:
C = EK(M)
where Ci = (mi + ki) mod n
The main drawback of the cipher is that it requires a long, random key sequence that must be available to both parties. Figure 3-1 illustrates the one-time pad system.
Figure (3-1) One-Time Pad System: a random key sequence K1 K2 ... Kn and the message m1 m2 ... mn enter a mixer, which outputs the cryptogram C1 C2 ... Cn.
Reusing a one-time pad can lead to catastrophe. Suppose two plaintexts M1 and M2 are encrypted modulo 26 with the same random key K, as shown in the following (letters A..Z are numbered 0..25):

M1   S  E  L  L  S  I  L  V  E  R
    18  4 11 11 18  8 11 21  4 17
K   11  6 20  4 10  5  6  9  5 20
C1   3 10  5 15  2 13 17  4  9 11
     D  K  F  P  C  N  R  E  J  L

M2   B  U  Y  C  O  C  A  I  N  E
     1 20 24  2 14  2  0  8 13  4
K   11  6 20  4 10  5  6  9  5 20
C2  12  0 18  6 24  7  6 17 18 24
     M  A  S  G  Y  H  G  R  S  Y

C1i = (M1i + Ki) mod 26
C2i = (M2i + Ki) mod 26
If both ciphertexts C1 and C2 are intercepted, the cryptanalyst may form a third ciphertext C3 from C1 and C2:
C3i = (C1i - C2i) mod 26
in which the key K cancels. Knowing (or guessing) M2, the other plaintext is then recovered by:
M1i = (C3i + M2i) mod 26

C1   D  K  F  P  C  N  R  E  J  L
     3 10  5 15  2 13 17  4  9 11
C2   M  A  S  G  Y  H  G  R  S  Y
    12  0 18  6 24  7  6 17 18 24
C3  17 10 13  9  4  6 11 13 17 13
     R  K  N  J  E  G  L  N  R  N
M2   B  U  Y  C  O  C  A  I  N  E
     1 20 24  2 14  2  0  8 13  4
M1  18  4 11 11 18  8 11 21  4 17
     S  E  L  L  S  I  L  V  E  R
As mentioned above, the One-Time Pad (OTP) is a perfect-secrecy cryptographic system, and there are indeed some applications of it in today's world, primarily for ultra-secure, low-bandwidth channels. The hot line between the United States and the former Soviet Union was (is it still active!) rumored to be encrypted with a one-time pad. Unfortunately most practical applications cannot use the OTP, for many reasons, among them key distribution and key storage. Since Shannon's famous paper of 1947 until now, a tremendous amount of work has been done to build (or, more precisely, to simulate) a perfect-secrecy cryptographic system.
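The key-reuse attack of the worked example above, as an added example that is not part of the lecture notes: letters A..Z are numbered 0..25 and all arithmetic is modulo 26; the messages, key and ciphertexts are the notes' own values, and the recovery step never uses K.

```python
# Added example (not part of the lecture notes): the two-time pad attack of Section 3.3,
# letters A..Z numbered 0..25 and all arithmetic modulo 26. The messages, key and
# ciphertexts are the ones from the worked example above; the attacker never needs K.
from string import ascii_uppercase as ALPHA


def add_mod26(x: str, y: str) -> str:
    """Letter-wise (x_i + y_i) mod 26."""
    return "".join(ALPHA[(ALPHA.index(a) + ALPHA.index(b)) % 26] for a, b in zip(x, y))


def sub_mod26(x: str, y: str) -> str:
    """Letter-wise (x_i - y_i) mod 26."""
    return "".join(ALPHA[(ALPHA.index(a) - ALPHA.index(b)) % 26] for a, b in zip(x, y))


def encrypt(msg: str, key: str) -> str:
    """C_i = (M_i + K_i) mod 26, the one-time pad rule of Section 3.3."""
    return add_mod26(msg, key)


def recover_other_plaintext(c1: str, c2: str, known_m2: str) -> str:
    """Key reuse: C3 = C1 - C2 = (M1 + K) - (M2 + K) = M1 - M2, so K cancels and
    M1 = C3 + M2 follows from C1, C2 and a known (or guessed) M2 alone."""
    c3 = sub_mod26(c1, c2)
    return add_mod26(c3, known_m2)


KEY = "LGUEKFGJFU"                  # 11 6 20 4 10 5 6 9 5 20 from the worked example
C1 = encrypt("SELLSILVER", KEY)     # -> DKFPCNREJL
C2 = encrypt("BUYCOCAINE", KEY)     # -> MASGYHGRSY

if __name__ == "__main__":
    print(C1, C2, sub_mod26(C1, C2))                      # DKFPCNREJL MASGYHGRSY RKNJEGLNRN
    print(recover_other_plaintext(C1, C2, "BUYCOCAINE"))  # SELLSILVER
```

The same call with the roles swapped, recover_other_plaintext(C2, C1, "SELLSILVER"), yields M2, which is why a pad must never be used for two messages.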
3.4 STREAM CIPHER:
Recalling the discussion in Sections 3.1, 3.2 and 3.3 concerning the One-Time Pad system, the development of stream cipher systems was greatly influenced by the fact that Shannon had proved the OTP to be unconditionally secure. Stream cipher systems were developed to emulate the OTP system in the sense that they produce a long sequence of displacements which are applied character by character to the plaintext message, as illustrated in Figure 3-1. However, the fundamental difference is that the sequence generated by the stream system is not random: it is completely determined by a key.
Thus, a stream cipher is a system in which the key is fed to an algorithm which uses the key to generate a finite sequence. The algorithm is usually referred to as the sequence generator or key stream generator. Figure 3-2 illustrates a stream cipher system. Stream ciphers lie between the simple XOR and the One-Time Pad. The encryption and decryption processes are shown in Figure 3-3:
K XOR M = C
C XOR K = M XOR K XOR K = M
since K XOR 0 = K and K XOR K = 0
Figure (3-2) Stream cipher system: the key generator produces the key stream, which a mixer combines with the plaintext to give the ciphertext.
Figure (3-3) Stream cipher encryption and decryption: Ci = Mi XOR Ki on encryption and Mi = Ci XOR Ki on decryption.
Stream ciphers should possess the following characteristics:
1. Easy to implement.
2. High speed in generating the key stream.
3. Computationally secure:
3.1. It should be protected against known-plaintext attack.
3.2. It should have a large key space.
3.3. The period of the key sequence should be greater than the message length.
3.4. The key sequence should have random characteristics.
In the following sections, the fundamental background and techniques of stream cipher systems are discussed. A survey of previous cryptanalysis of stream ciphers is also given.
3.5 KEYSTREAM GENERATOR:
The basic element in stream ciphers is the key stream generator, which generates the key stream (sequence) to be combined with the plaintext stream to produce the ciphertext.
3.5.1 LINEAR SHIFT REGISTERS:
A feedback shift register is one implementation of the key stream generator. It is made up of two parts: a shift register and a feedback function. The shift register is a sequence of bits. Each time a bit is needed, all the bits in the register are shifted one bit to the right. The new left-most bit is computed as a function of the other bits in the register. The output of the shift register is one bit. The simplest kind of feedback shift register is the linear feedback shift register (LFSR), whose feedback function is simply the XOR of selected stages. Figure 3-4 shows a 4-bit LFSR. If it is initialized with the value (1111), it produces the following output sequence:
111101011001000 ......
Figure 3-4 Linear Feedback Shift Register (4-bit LFSR) with stages b4 b3 b2 b1
Three parameters affect the output stream of a linear shift register: the initial state, the primitive polynomial, and the length of the register. For each linear shift register there exists a linear equivalence, defined as the length of the smallest linear shift register which can generate the same sequence.
3.5.2 REGISTER STAGES:
A shift register consists of a finite length of binary memory whose cells are called stages; a register with m binary memory cells is called an m-stage shift register, and at any given time the contents of the register are called its state. The register can be in one of 2^m states. The zero state is ignored because it causes an endless sequence of zeros, so we are left with 2^m - 1 states. The next state depends on the feedback function (the mixer).
Example:
Given the LFSR of Figure 3-4 with the initial state (0001), the register cycles through the following states and produces the corresponding outputs (the feedback bit is the new left-most bit computed from the current state; the output is the right-most bit of the current state):
Feedback  R state  Output
   1       0001      1
   1       1000      0
   1       1100      0
   1       1110      0
   0       1111      1
   1       0111      1
   0       1011      1
   1       0101      1
   1       1010      0
   0       1101      1
   0       0110      0
   1       0011      1
   0       1001      1
   0       0100      0
   0       0010      0
To achieve the maximal length of 2^m - 1 for an m-stage LFSR, the tap sequence must cause the register to cycle through all 2^m - 1 non-zero bit patterns before repeating; this happens if the polynomial formed from the elements of the tap sequence is primitive.
3.5.3 PRIMITIVE POLYNOMIAL
When talking about polynomials, the term prime is replaced by irreducible. A primitive polynomial of degree n is defined as an irreducible polynomial that divides x^(2^n - 1) + 1 but does not divide x^d + 1 for any d < 2^n - 1 that divides 2^n - 1. A polynomial is irreducible if it cannot be expressed as the product of two other polynomials (except 1 and itself). In other words, maximal-length sequences with period 2^n - 1 are generated only when the characteristic (generating) polynomial φ(x) is primitive (hence irreducible) and the initial state of the register is other than zero. Table 3-1 lists primitive polynomials of degree m = 2 to 6.
Table 3-1 Primitive polynomials

Degree  Primitive polynomial
2       x^2 + x + 1
3       x^3 + x + 1
        x^3 + x^2 + 1
4       x^4 + x + 1
        x^4 + x^3 + 1
5       x^5 + x^2 + 1
        x^5 + x^4 + x^3 + x^2 + 1
        x^5 + x^3 + x^2 + x + 1
        x^5 + x^4 + x^3 + x + 1
6       x^6 + x + 1
        x^6 + x^5 + 1
        x^6 + x^5 + x^4 + x + 1
        x^6 + x^5 + x^3 + x^2 + x + 1
        x^6 + x^4 + x^3 + x + 1
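The LFSR of Figure 3-4 and the period criterion of Section 3.5.3, as an added example that is not part of the lecture notes. The shift-right convention (state written b4 b3 b2 b1, output from b1, feedback into the left-most stage) is assumed here; with that convention, tapping b4 and b1 reproduces the state table of Section 3.5.2, and a tap polynomial is primitive exactly when the register visits all 2^n - 1 non-zero states before repeating.

```python
# Added example (not part of the lecture notes): the 4-bit LFSR of Figure 3-4 and a
# period check for the tap polynomials of Table 3-1. Conventions assumed here: the
# state is written b_n ... b_1 left to right, the register shifts right each clock,
# the right-most stage b_1 is the output, and the new left-most bit is the XOR of the
# tapped stages. Tapping b_4 and b_1 reproduces the state table of Section 3.5.2.


def taps_from_polynomial(exponents):
    """Tap stages for a characteristic polynomial given by its set of exponents.
    A term x^e with e < n taps stage b_(e+1); the constant term (e = 0) must be
    present, so stage b_1 is always tapped and the state update stays invertible.
    {4, 3, 0} (x^4 + x^3 + 1) -> (4, [1, 4]): the feedback b_4 XOR b_1 of Figure 3-4."""
    n = max(exponents)
    if 0 not in exponents:
        raise ValueError("polynomial needs a constant term")
    return n, sorted(e + 1 for e in exponents if e < n)


def lfsr_step(state, n, taps):
    """One clock of the register: returns (next_state, output_bit, feedback_bit)."""
    out = state & 1                              # b_1 is the right-most bit
    fb = 0
    for t in taps:
        fb ^= (state >> (t - 1)) & 1             # stage b_t sits at bit position t-1
    return (state >> 1) | (fb << (n - 1)), out, fb


def state_table(seed, n, taps, clocks):
    """Rows of (feedback, state, output), as in the table of Section 3.5.2."""
    rows, s = [], seed
    for _ in range(clocks):
        nxt, out, fb = lfsr_step(s, n, taps)
        rows.append((fb, format(s, f"0{n}b"), out))
        s = nxt
    return rows


def keystream(seed, n, taps, clocks):
    return "".join(str(out) for _, _, out in state_table(seed, n, taps, clocks))


def period(n, taps, seed=1):
    """Clocks until the seed state recurs. Because stage b_1 is always tapped the
    update is a bijection on states, so a non-zero seed always comes back."""
    s, count = lfsr_step(seed, n, taps)[0], 1
    while s != seed:
        s, count = lfsr_step(s, n, taps)[0], count + 1
    return count


def is_primitive(exponents):
    """Section 3.5.3: the polynomial is primitive exactly when the register runs
    through all 2^n - 1 non-zero states, i.e. the period from a non-zero seed is maximal."""
    n, taps = taps_from_polynomial(exponents)
    return period(n, taps) == 2 ** n - 1


if __name__ == "__main__":
    n, taps = taps_from_polynomial({4, 3, 0})
    for row in state_table(0b0001, n, taps, 15):
        print(*row)
    print(keystream(0b1111, n, taps, 15))                    # 111101011001000
    print(is_primitive({4, 3, 0}), is_primitive({4, 2, 0}))  # True False
```

x^4 + x^2 + 1 = (x^2 + x + 1)^2 is not primitive, and the check reports a period of 6 for it; x^4 + x^3 + x^2 + x + 1 is irreducible but not primitive (period 5), which is why irreducibility alone is not enough in Section 3.5.3.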
3.6 STREAM ENCRYPTION APPROACHES:
There are two different approaches to stream encryption: synchronous methods and self-synchronous methods.
3.6.1 SYNCHRONOUS STREAM CIPHERS:
In a synchronous stream cipher the key stream is generated independently of the message stream. The algorithm that generates the stream must be deterministic so that the stream can be reproduced for decryption. This means that if a ciphertext character is lost during transmission, the sender and receiver must resynchronize their key generators before they can proceed. Furthermore, this must be done without repeating any part of the key. The starting state of the generator is initialized by a seed I0, as illustrated in Figure 3-5.
Synchronous stream ciphers have the advantage of not propagating errors: a transmission error affecting one character will not affect subsequent characters. From another point of view this is a disadvantage, in that it is easier for an opponent to modify (without detection) a single ciphertext character.
Figure 3-5 Synchronous stream cipher: on each side a key generator seeded with I0 produces Ki; the encipher side computes Ci from Mi and Ki, and the decipher side recovers Mi from Ci and Ki.
3.6.2 SELF-SYNCHRONOUS STREAM CIPHERS
A self-synchronous stream cipher derives each key character from a fixed number n of preceding ciphertext characters. This is done using cipher feedback mode (CFB), because the ciphertext characters participate in the feedback loop. It is sometimes called chaining, because each ciphertext character depends on the preceding ciphertext characters (the chain) through the feedback, as shown in Figure 3-6. The feedback register R is a shift register: each ciphertext character Ci is shifted into one end of R immediately after being generated, and the character at the other end is discarded. Register R is initialized to the seed I0. During each iteration the value of R is used as input to a block encryption algorithm (EB), and the right-most character of the algorithm's output becomes the next key character. If a ciphertext character is altered or lost during transmission, the receiver's shift register will differ from the transmitter's, and subsequent ciphertext will not be correctly deciphered until the erroneous character is shifted out of the register.
Figure 3-6 Self-synchronous stream cipher: on each side the register R (seeded with I0) feeds the block algorithm EB, whose right-most output character Ki is combined with Mi to give Ci (or with Ci to recover Mi), and Ci is shifted into R.
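The error-propagation difference between Sections 3.6.1 and 3.6.2, as an added example that is not part of the lecture notes. The block algorithm EB is stood in for by HMAC-SHA256 truncated to its last byte, and the synchronous key generator by the same function driven by a counter; both are stand-ins chosen here, not the notes' designs, and the key, seed and message are constructed sample values.

```python
# Added example (not part of the lecture notes): error propagation in a synchronous
# stream cipher versus a self-synchronous (cipher-feedback) one, over bytes. The block
# algorithm E_B of Figure 3-6 is stood in for by HMAC-SHA256 truncated to its last byte,
# and the synchronous key generator of Figure 3-5 by the same function driven by a
# counter; both are illustrative stand-ins chosen here, not the designs of the notes.
import hashlib
import hmac

KEY = b"constructed-demo-key"       # constructed sample key


def eb(data: bytes) -> int:
    """Stand-in for E_B: the right-most byte of HMAC-SHA256(KEY, data) is the key character."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[-1]


def synchronous(data: bytes, seed: bytes) -> bytes:
    """K_i depends only on the seed I0 and the position i, never on the ciphertext;
    the same function encrypts and decrypts."""
    return bytes(b ^ eb(seed + i.to_bytes(4, "big")) for i, b in enumerate(data))


def cfb_encrypt(msg: bytes, seed: bytes, n: int) -> bytes:
    r = bytearray(seed[:n])          # feedback register R initialised to the seed I0
    out = bytearray()
    for m in msg:
        c = m ^ eb(bytes(r))         # key character derived from the last n ciphertext bytes
        out.append(c)
        r = r[1:] + bytes([c])       # shift C_i in at one end, drop the oldest byte
    return bytes(out)


def cfb_decrypt(ct: bytes, seed: bytes, n: int) -> bytes:
    r = bytearray(seed[:n])
    out = bytearray()
    for c in ct:
        out.append(c ^ eb(bytes(r)))
        r = r[1:] + bytes([c])       # the register is fed the ciphertext as received
    return bytes(out)


def corrupted_positions(original: bytes, recovered: bytes) -> list:
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]


def error_propagation(n: int = 4, flip_at: int = 5):
    """Flip one bit of ciphertext byte flip_at and report which plaintext positions
    decrypt wrongly under each scheme."""
    msg = b"ATTACK AT DAWN, HOLD THE RIDGE"   # constructed sample plaintext
    seed = b"\x01\x02\x03\x04"
    c_sync = bytearray(synchronous(msg, seed))
    c_sync[flip_at] ^= 0x01
    sync_bad = corrupted_positions(msg, synchronous(bytes(c_sync), seed))
    c_cfb = bytearray(cfb_encrypt(msg, seed, n))
    c_cfb[flip_at] ^= 0x01
    cfb_bad = corrupted_positions(msg, cfb_decrypt(bytes(c_cfb), seed, n))
    return sync_bad, cfb_bad


if __name__ == "__main__":
    sync_bad, cfb_bad = error_propagation()
    print("synchronous: damaged positions", sync_bad)        # only position 5
    print("self-synchronous: damaged positions", cfb_bad)    # 5 .. at most 5 + n, then recovers
```

With a one-byte key character a corrupted register yields the correct key byte by chance with probability 1/256, so a position inside the window occasionally decrypts correctly; every position beyond flip_at + n is always correct once the bad byte has left R.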
3.7 NONLINEAR SHIFT REGISTER:
Linear feedback shift registers are unsafe because they have relatively small linear complexity, and hence a relatively small fragment of the key stream (the LFSR sequence) can be used to obtain the entire sequence by solving a set of linear equations. To increase the linear complexity, one or more LFSR output sequences are combined by some nonlinear function to produce a sequence of relatively high linear complexity. For example, if shift register SR1 generates a sequence S1 with period 2^n - 1 and shift register SR2 generates a sequence S2 with period 2^m - 1, then the output sequence S3 will be:
S3 = S1 * S2
with period (sequence length) = (2^n - 1)(2^m - 1), the two periods being relatively prime as in the example below.
A wide range of nonlinear stream generators can be obtained by the following means:
3.7.1 NONLINEAR FEEDBACK SHIFT REGISTER SYSTEMS:
In these systems the key stream generator is a shift register with a nonlinear feedback function, as illustrated in Figure 3-8. In this type, one LFSR with n stages is used together with a nonlinear feedback function; the simplest nonlinear function is the AND function. For example, F = 1 + x5 + x1x2 + x2x3x4 is a nonlinear function.
Figure 3-8 Nonlinear Feedback Shift Register with Nonlinear Function: the outputs of SR1 (an m-stage LFSR) and SR2 (an n-stage LFSR) are combined by a nonlinear function to give the key stream output.
Example:
If we choose R1, R2, R3 with 5, 6, 7 stages respectively (stage counts that are relatively prime), the maximal length of the period will be
(2^5 - 1)(2^6 - 1)(2^7 - 1) = 31 * 63 * 127 = 248031
Geffe, Pless, Hadamard, and Threshold generators are examples of this type, with the following nonlinear functions:
1. Geffe: a nonlinear generator consisting of three LFSRs of (3, 4, 5) stages, with nonlinear function (S1 AND S2) XOR (NOT S1 AND S3) and maximal length (2^3 - 1)(2^4 - 1)(2^5 - 1) = 3255 bits.
2. Hadamard: a nonlinear generator consisting of two LFSRs of (5, 7) stages, with nonlinear function (S1 AND S2) and maximal length (2^5 - 1)(2^7 - 1) = 3937 bits.
3. Threshold: a nonlinear generator consisting of three LFSRs of (3, 4, 5) stages, with nonlinear function (S1 AND S2) XOR (S1 AND S3) XOR (S2 AND S3) and maximal length (2^3 - 1)(2^4 - 1)(2^5 - 1) = 3255 bits.
3.8 MEASURE OF RANDOMNESS:
3.8.1 DEFINITIONS:
Run: a sequence of identical bits (0 or 1).
Ex. 01110000111
The runs are 0, 111, 0000, 111.
Gap: a run of zeros.
1000011 contains the gap 0000.
Block: a run of ones.
1111001110 contains the blocks 1111, 111.
For a sequence S with period P, S(m+P) = S(m).
Autocorrelation function:
For any constant d, if we compare the sequence S with S(d) (S shifted by a displacement d), then the autocorrelation function is C(d) = (A - D) / P, where:
A = number of identical bits,
P = period of the sequence,
D = number of different bits,
d = displacement, 0 <= d < P.
RANDOMNESS CHARACTERISTICS:
1. If P is even then the number of ones equals the number of zeros; otherwise they differ by one only.
2. 1/2 of the runs have length 1, 1/4 of the runs have length 2, and in general a fraction 1/2^i of the runs have length i.
3. The autocorrelation function (for d not equal to 0, i.e. out of phase) has a constant value, where d is the displacement.
1. FREQUENCY TEST:
Used to ensure that there is roughly the same number of 0's and 1's, using the following formula:
X^2 = (n0 - n1)^2 / n
X^2 = 0 if n0 = n1
For a good sequence X^2 < 3.84
2. SERIAL TEST:
The serial test is used to ensure that the transition probabilities are reasonable. This gives us some level of confidence that each bit is independent of its predecessor. Suppose 01 occurs n01 times, 10 occurs n10 times, 00 occurs n00 times and 11 occurs n11 times. Then
n00 + n01 = n0 or n0 - 1, n10 + n11 = n1 or n1 - 1, and
n10 + n01 + n00 + n11 = n - 1, and
X^2 = 4/(n - 1) Σ (nij)^2 - 2/n Σ (ni)^2 + 1
For a good sequence X^2 <= 5.99.
Ideally we want:
n01 = n10 = n00 = n11 ≈ (n - 1)/4
3. POKER TEST:
For a binary block of length m there are 2^m different possibilities. In this test we partition the sequence into blocks of size m and classify each block by its number of ones, counting how many blocks contain exactly i ones (i = 0, 1, ..., m). If these counts are X0, X1, ..., Xm, we compute:
X^2 = (2^m / F) Σ (Xi)^2 / C(m, i) - F
where F = Σ Xi = n/m is the number of blocks and C(m, i) is the binomial coefficient (the number of m-bit blocks with exactly i ones).
4. AUTOCORRELATION TEST:
For a given sequence of n bits a1, ..., an,
A(d) = Σ ai a(i+d),  0 <= d <= n - 1
A(0) = Σ ai = n1
If the sequence has n0 zeros and n1 ones then
µ = n1^2 (n - d) / n^2
The test passes if
X^2 = (A(d) - µ)^2 / µ
satisfies X^2 <= 3.841 for all values of d.
5. RUNS TEST:
Divide the sequence into blocks and gaps; let r0i be the number of gaps of length i and r1i the number of blocks of length i. If r0 and r1 are the numbers of gaps and blocks respectively, then:
r0 = Σ r0i and r1 = Σ r1i
This test is applied after the sequence has passed the serial test; we would then expect about 1/2 of the gaps to have length 1, 1/4 of the gaps to have length 2, and so on. Ideally a fraction 1/2^i of the runs have length i.
Example:
Given the following sequence of length 31:
0101011101100011111001101001000
1. Frequency test
n0 = 15
n1 = 31 - 15 = 16
X^2 = (15 - 16)^2 / n = (-1)^2 / 31 = 1/31 = 0.0322 < 3.841   Pass
2. Serial test:
n00 = 6
n01 = 8
n10 = 8
n11 = 8
X^2 = 4/(n - 1) (n00^2 + n01^2 + n10^2 + n11^2) - 2/n (n0^2 + n1^2) + 1
    = 4/30 (36 + 64 + 64 + 64) - 2/31 (15^2 + 16^2) + 1
    = 30.4 - 31.032 + 1 = 0.368 < 5.99   Pass
Also
n00 + n01 = 6 + 8 = 14 = n0 - 1
n11 + n10 = 8 + 8 = 16 = n1
n00 + n01 + n10 + n11 = 6 + 8 + 8 + 8 = 30 = n - 1
(n - 1)/4 = 30/4 = 7.5 ≈ 8
3. Poker test
m = 5, F = n/m = 31/5 ≈ 6, so we have 6 blocks of 5 digits each (the last digit is left over):
01010 11101 10001 11110 01101 00100 0
We count Xi, where i is the number of ones in a block:
X0 = 0
X1 = 1
X2 = 2
X3 = 1
X4 = 2
X5 = 0
X^2 = 2^5/6 Σ (Xi)^2 / C(5, i) - 6
    = 5.33 (0 + 1/5 + 4/10 + 1/10 + 4/5 + 0) - 6
    = 5.33 (2 + 4 + 1 + 8)/10 - 6
    = 5.33 * 15/10 - 6 = 1.995
Checking the chi-square table with 2^5 - 1 = 31 degrees of freedom, the test passes.
4. Runs test
r0 = 9
r1 = 8
n01 = 8 = r0 - 1
n10 = 8 = r1
n11 = n1 - r1 = 16 - 8 = 8
n00 = n0 - r0 = 15 - 9 = 6
r01 = 5
r11 = 4
r02 = 2
r12 = 2
r03 = 2
r13 = 1
r14 = 0
r15 = 1
5. Autocorrelation test
n0 = 15, n1 = 16
µ = (16)^2 (31 - d) / (31)^2:
d = 1: µ = 7.99
d = 2: µ = 7.72
d = 3: µ = 7.45
d = 1:
010101110110001111100110100100
101011101100011111001101001000
A(1) = 8
X^2 = (8 - 7.99)^2 / 7.99 = 0.0000125
d = 2:
010101110110001111100110100100
010111011000111110011010010000
A(2) = 8
X^2 = (8 - 7.72)^2 / 7.72 = 0.01
d = 3:
010101110110001111100110100100
101110110001111100110100100000
A(3) = 8
X^2 = (8 - 7.45)^2 / 7.45 = 0.04
and so on; X^2 <= 3.84 for all values of d, so the test passes.
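The five tests of Section 3.8 run over the notes' 31-bit sequence, as an added example that is not part of the lecture notes. The thresholds are the ones the notes quote, the poker statistic is the binomial-coefficient form of the worked example, and the remainder bit of the last poker block is dropped as in the example.

```python
# Added example (not part of the lecture notes): the five tests of Section 3.8 run over
# the notes' 31-bit sequence. Thresholds (3.841 and 5.99) are the ones the notes quote;
# the poker statistic is the binomial-coefficient form used in the worked example.
from math import comb

SEQ = "0101011101100011111001101001000"   # the sequence of the worked example


def frequency_test(s: str) -> float:
    """X^2 = (n0 - n1)^2 / n, one degree of freedom."""
    n0, n1 = s.count("0"), s.count("1")
    return (n0 - n1) ** 2 / len(s)


def pair_counts(s: str) -> dict:
    """n00, n01, n10, n11 over the n - 1 adjacent pairs."""
    counts = {p: 0 for p in ("00", "01", "10", "11")}
    for i in range(len(s) - 1):
        counts[s[i:i + 2]] += 1
    return counts


def serial_test(s: str) -> float:
    """X^2 = 4/(n-1) * sum(nij^2) - 2/n * sum(ni^2) + 1, two degrees of freedom."""
    n = len(s)
    nij = pair_counts(s).values()
    ni = (s.count("0"), s.count("1"))
    return 4 / (n - 1) * sum(v * v for v in nij) - 2 / n * sum(v * v for v in ni) + 1


def poker_test(s: str, m: int) -> float:
    """Blocks of m bits classified by their number of ones X_i (remainder dropped):
    X^2 = (2^m / F) * sum(X_i^2 / C(m, i)) - F, with F = n // m blocks."""
    f = len(s) // m
    x = [0] * (m + 1)
    for b in range(f):
        x[s[b * m:(b + 1) * m].count("1")] += 1
    return 2 ** m / f * sum(xi * xi / comb(m, i) for i, xi in enumerate(x)) - f


def autocorrelation_test(s: str, d: int) -> tuple:
    """A(d) = sum a_i a_(i+d); mu = n1^2 (n - d) / n^2; X^2 = (A(d) - mu)^2 / mu."""
    n, n1 = len(s), s.count("1")
    a_d = sum(1 for i in range(n - d) if s[i] == "1" and s[i + d] == "1")
    mu = n1 ** 2 * (n - d) / n ** 2
    return a_d, (a_d - mu) ** 2 / mu


def runs(s: str) -> tuple:
    """(gap lengths, block lengths): gaps are runs of 0s, blocks are runs of 1s."""
    gaps, blocks, i = [], [], 0
    while i < len(s):
        j = i
        while j < len(s) and s[j] == s[i]:
            j += 1
        (blocks if s[i] == "1" else gaps).append(j - i)
        i = j
    return gaps, blocks


def report(s: str, m: int = 5, max_d: int = 3) -> dict:
    """Statistics and pass/fail verdicts for the tests whose thresholds the notes give."""
    gaps, blocks = runs(s)
    return {
        "frequency": (frequency_test(s), frequency_test(s) < 3.841),
        "serial": (serial_test(s), serial_test(s) <= 5.99),
        "poker": poker_test(s, m),
        "autocorrelation": [autocorrelation_test(s, d) for d in range(1, max_d + 1)],
        "runs": (len(gaps), len(blocks)),
    }
```

Calling report(SEQ) reproduces the worked example: frequency 1/31, serial 0.368, poker 2.0 (the notes' 1.995 comes from rounding 32/6 to 5.33), A(1) = A(2) = A(3) = 8, and 9 gaps against 8 blocks.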
3.9 STREAM CIPHER CRYPTANALYSIS:
Stream ciphers have a wide variety of design choices, and hence a large number of complex stream generators have been designed with different periods and linear complexities. On the other hand, different approaches have been used by many researchers to analyze stream ciphers, and many such systems have been successfully cracked.
Among the earliest approaches are the matrix approach and the Berlekamp-Massey approach. Both methods use a known-plaintext attack to determine the linear equivalence and the primitive polynomial of the shift register. Thomas Siegenthaler presented a divide-and-conquer approach, often called the correlation attack, and showed that correlation immunity can be precisely defined. The basic idea behind the correlation attack is to identify some correlation between the output of the generator and the output of one of its internal pieces; then, by observing the output sequence, information can be obtained about that internal output. The collected information is combined with other correlations about other internal outputs until the entire generator is broken. A more efficient correlation attack, based on using algebraic tools to determine the LFSR instead of exhaustive search, is called the fast correlation attack. Artificial neural networks have been used in a known-plaintext attack against linear feedback shift registers to obtain the linear equivalence and characteristic polynomial and to restore missing bits in the output sequences of the shift register. More recently, two ciphertext-only attack studies have been introduced; the first uses Genetic Algorithms while the second uses Adaptive Genetic Programming. Both studies rely heavily on the statistical properties of natural language in formulating the fitness function. These language features make the ciphertext-only attack possible, since they are used for measuring the fitness of the individual programs in a population of the genetic programming.