Chapter 4 Symmetric-Key Cryptography: Stream Ciphers

Recall that the two types of symmetric-key algorithms are block ciphers and stream ciphers, and that block ciphers operate on a block of data whereas stream ciphers encrypt individual bits. Therefore, in the case of a stream cipher we have the plaintext message $X = x_1, x_2, \ldots$, the key $Z = z_1, z_2, \ldots$, and the ciphertext $Y = y_1, y_2, \ldots$. Because stream ciphers encrypt a single bit at a time, $x_i, y_i, z_i \in \{0, 1\}$. The ciphertext $Y$ is defined as $y_1 = e_{z_1}(x_1)$, $y_2 = e_{z_2}(x_2)$, $\ldots$, where the most common form of stream cipher encryption is modulo 2 addition, i.e. $y_i = e_{z_i}(x_i) = x_i + z_i \bmod 2$. Decryption is of the form of modulo 2 subtraction, which is equivalent to modulo 2 addition, i.e. $x_i = d_{z_i}(y_i) = y_i - z_i \bmod 2 = y_i + z_i \bmod 2$. Moreover, both operations are equivalent to the bit-wise exclusive-OR (denoted as XOR) operation, as detailed in Table 4.1.

  a | b | a + b mod 2        | a - b mod 2         | a ⊕ b
  --+---+--------------------+---------------------+------
  0 | 0 | 0                  | 0                   | 0
  0 | 1 | 1                  | -1 mod 2 = 1 mod 2  | 1
  1 | 0 | 1                  | 1                   | 1
  1 | 1 | 2 mod 2 = 0 mod 2  | 0                   | 0

Table 4.1: Modulo 2 Addition, Subtraction, and Bit-Wise XOR.

Figure 4.1 shows the setup of a typical stream cipher implementation in which two parties, Alice and Bob, desire to communicate in secret over an open channel. A third party, Oscar, wishes to determine the contents of the communication and potentially modify said contents without the knowledge of either Alice or Bob. However, with the use of the stream cipher, Oscar can only access the ciphertext $y_i$ as it is sent over the channel. Note that encryption and decryption are the same because $x_i \oplus z_i \oplus z_i = x_i$. This equation holds true because of the XOR properties $z_i \oplus z_i = 0$ and $x_i \oplus 0 = x_i$. Using the XOR operation for encryption and decryption was originally proposed by Gilbert Vernam in 1917 and was patented in U.S. Patent 1310719 in 1919 for use in the Baudot teletype.
Stream ciphers that utilize the XOR operation to combine the plaintext $X$ with the key $Z$ to generate the ciphertext $Y$ are known as Vernam ciphers [90]. Therefore, it is evident that stream cipher encryption and decryption are easy to implement: in hardware, using 2-input XOR gates, and in software, using bitwise XOR instructions. For hardware implementations, the unit-gate model approximation is used such that a 2-input XOR gate is counted as two gate equivalents [314].

[Figure 4.1: Typical Stream Cipher Implementation]

For software implementations, encrypting or decrypting a single bit at a time is inefficient when instructions that perform bitwise functions typically operate on single or multiple bytes of data. When operating on ASCII character data, software-based stream cipher encryption and decryption work well given that ASCII characters are seven bits in length and extended ASCII characters are eight bits in length. When encrypting or decrypting binary data streams in software, the data must be organized in groupings that match the processor word size (which dictates the number of bytes operated on by an individual instruction). This allows for efficient software-based stream cipher encryption and decryption for all but the leftover bits when the size of the data stream is not evenly divisible by the processor word size.

Having established hardware and software implementations of stream cipher encryption and decryption, what remains is how to generate the key $Z = z_1, z_2, \ldots$ such that Oscar is unable to decrypt the ciphertext $Y$ and potentially alter the resultant plaintext $X$. If Oscar can recreate the key $Z$, he can decrypt the ciphertext $Y$ by combining the key and the ciphertext through an XOR operation. Therefore, it is critical that the key $Z$ appear to be random such that Oscar cannot perform an attack using Statistical Analysis (or any other method) to extract the key.
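As an added illustration, not part of the original text, the following Python program implements the word-wise Vernam combine just described: whole processor words are XORed in one operation and the leftover tail of a stream whose length is not a multiple of the word size is handled byte by byte. The 8-byte word size, the sample message and the use of the operating system's random source as a stand-in key stream are assumptions of this example.

```python
import secrets

# Assumed processor word size for the illustration: 8 bytes (a 64-bit word).
WORD_BYTES = 8


def vernam_xor(data: bytes, key: bytes, word_bytes: int = WORD_BYTES) -> bytes:
    """Vernam combine y_i = x_i XOR z_i over a byte stream, one word at a time.

    Whole words are XORed as single integers, standing in for a processor's
    word-wide XOR instruction.  The tail of len(data) % word_bytes bytes is
    the "leftover" the text mentions and is handled byte by byte.  Because
    XOR is its own inverse, the same function encrypts and decrypts.
    """
    if len(key) < len(data):
        raise ValueError("key stream must supply at least one key bit per data bit")
    out = bytearray(len(data))
    full = len(data) - len(data) % word_bytes      # bytes covered by whole words
    for off in range(0, full, word_bytes):
        x = int.from_bytes(data[off:off + word_bytes], "little")
        z = int.from_bytes(key[off:off + word_bytes], "little")
        out[off:off + word_bytes] = (x ^ z).to_bytes(word_bytes, "little")
    for off in range(full, len(data)):             # leftover bytes, one at a time
        out[off] = data[off] ^ key[off]
    return bytes(out)


def mod2_identities_hold() -> bool:
    """Check Table 4.1 for every bit pair: a + b mod 2 == a - b mod 2 == a XOR b."""
    return all((a + b) % 2 == (a - b) % 2 == (a ^ b) for a in (0, 1) for b in (0, 1))


def round_trip_ok(plaintext: bytes) -> bool:
    """Encrypt with a fresh key of the same length, decrypt with the same
    function, and confirm x XOR z XOR z == x."""
    key = secrets.token_bytes(len(plaintext))     # stand-in for a random key stream
    ciphertext = vernam_xor(plaintext, key)
    return vernam_xor(ciphertext, key) == plaintext


if __name__ == "__main__":
    # Constructed sample: 14 ASCII bytes = one full 8-byte word + 6 leftover bytes.
    message = b"ATTACK AT DAWN"
    print(mod2_identities_hold(), round_trip_ok(message))
```

The word loop and the byte loop produce identical bytes; the only difference is the number of XOR operations executed, which is the efficiency point the text makes.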
4.1 Random Numbers

Generating random numbers may seem trivially easy but is in fact quite difficult. Recall that when examining substitution ciphers in Section 3.1, Statistical Analysis attacks were applied to determine the plaintext from the ciphertext. Similarly, if correlations exist between results of a supposedly random number generator, Oscar can exploit these correlations when attacking the cryptosystem. As detailed in [166, 275], because computers are deterministic, the best a computer can do is to act as a pseudo-random number generator to produce numbers and sequences that appear to be random but are computed from some initial value, usually termed a seed. Two examples of pseudo-random number generators are linear congruential generators and Linear Feedback Shift Registers. It is important to note that although pseudo-random number generators may pass statistical randomness tests such as those found in [166], this does not guarantee that such generators are useful in cryptographic applications. This is because such applications require cryptographically secure pseudo-random number generators that have the additional property of being unpredictable [275]. Keeping Kerckhoffs' Principle in mind, we must assume that Oscar knows the method used to generate the pseudo-random stream of numbers or bits. Therefore, for a pseudo-random number generator to be cryptographically secure, it must generate number streams (or bit streams) in a manner such that it is not computationally feasible for Oscar to reproduce the stream and thus generate the next number or bit in the stream.

4.2 The One-Time Pad

The concept of security is unusual in that it is nearly impossible to state that something is proven to be secure. The opinion of an algorithm's or cryptosystem's strength of security is based on the scrutiny applied by cryptanalysts over time.
The more time that passes without attacks being proposed that significantly reduce the complexity of obtaining the key (or keys) below the threshold of Exhaustive Key Search, the more secure the algorithm or cryptosystem. If it can be demonstrated that an algorithm or cryptosystem cannot be compromised, even if Oscar has access to unlimited computing resources, then such an algorithm or cryptosystem is termed Unconditionally Secure. The only cryptosystem that is proven to be unconditionally secure is known as the One-Time Pad. The One-Time Pad was developed as a result of Joseph Mauborgne's suggestion that the key used in the Baudot teletype be random, and this idea was patented in the 1920s. However, it was not until the late 1940s that Claude Shannon successfully proved the One-Time Pad to be unconditionally secure [90]. The One-Time Pad is defined as:

$X = \{x_0, x_1, \ldots\} \in \mathcal{P}$
$Y = \{y_0, y_1, \ldots\} \in \mathcal{C}$
$K = \{k_0, k_1, \ldots\} \in \mathcal{K}$
$x_i, y_i, k_i \in \{0, 1\}$
Encryption: $e_{k_i}(x_i) = (x_i + k_i) \bmod 2 = y_i$
Decryption: $d_{k_i}(y_i) = (y_i + k_i) \bmod 2 = x_i$

The One-Time Pad is unconditionally secure if keys are used only once and the keys are random, i.e. no correlations exist between keys. This is demonstrable by examining the system of linear equations that results from implementing the One-Time Pad:

$y_0 = (x_0 + k_0) \bmod 2$
$y_1 = (x_1 + k_1) \bmod 2$
$y_2 = (x_2 + k_2) \bmod 2$
$\vdots$
$y_i = (x_i + k_i) \bmod 2$

As long as each $k_i$ is independent, the system of linear equations cannot be solved because each equation has one known element, $y_i$, and two unknown elements, $x_i$ and $k_i$. Unfortunately, implementing a One-Time Pad is not practical. As previously discussed, generating random key bits, i.e. bits that are independent, is extremely difficult, especially for long keys. The One-Time Pad is vulnerable to attack if a key is reused.
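The following Python program is an added example, not part of the original text, that makes the linear-system argument above concrete. It enumerates the $(x_i, k_i)$ pairs consistent with a single ciphertext bit (two unknowns, one equation, so both plaintext values remain possible), and it checks the requirement that each $k_i$ be used once by showing that the key term cancels when one key serves two messages. The use of the operating system's random source in place of truly random key bits, and the sample messages, are assumptions of this example.

```python
import secrets
from itertools import product
from typing import List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bit-wise (x_i + k_i) mod 2 over two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n_bytes: int) -> bytes:
    """Fresh key for one message.  secrets.token_bytes (the OS CSPRNG) stands in
    for the truly random, independent k_i the One-Time Pad requires."""
    return secrets.token_bytes(n_bytes)


def otp_encrypt(x: bytes, k: bytes) -> bytes:
    """y_i = (x_i + k_i) mod 2; the key must be exactly as long as the message."""
    if len(k) != len(x):
        raise ValueError("One-Time Pad key length must equal message length")
    return xor_bytes(x, k)


def otp_decrypt(y: bytes, k: bytes) -> bytes:
    """x_i = (y_i + k_i) mod 2, the same operation as encryption."""
    return otp_encrypt(y, k)


def otp_round_trip(x: bytes) -> bool:
    """Encrypt under a fresh key and confirm decryption restores x."""
    k = otp_keygen(len(x))
    return otp_decrypt(otp_encrypt(x, k), k) == x


def consistent_solutions(y_bit: int) -> List[Tuple[int, int]]:
    """All (x_i, k_i) pairs satisfying the one equation y_i = (x_i + k_i) mod 2.

    Every ciphertext bit is explained by x_i = 0 and by x_i = 1, each with its
    own key bit, so the equation alone says nothing about the plaintext."""
    return sorted((x, k) for x, k in product((0, 1), repeat=2) if (x + k) % 2 == y_bit)


def key_cancels_on_reuse(x1: bytes, x2: bytes) -> bool:
    """Why each k_i must be used only once: with one key for two messages,
    y1 XOR y2 == x1 XOR x2, so the unknown key drops out of the system and
    the remaining equations involve only the plaintexts."""
    k = otp_keygen(len(x1))
    y1, y2 = otp_encrypt(x1, k), otp_encrypt(x2, k)
    return xor_bytes(y1, y2) == xor_bytes(x1, x2)


if __name__ == "__main__":
    print(consistent_solutions(0), consistent_solutions(1))
    # Constructed sample messages of equal length.
    print(otp_round_trip(b"same length A"), key_cancels_on_reuse(b"same length A", b"same length B"))
```

With independent keys, y1 XOR y2 is itself a uniformly random string and reveals nothing; only the reuse collapses the two unknown key bits per position into one, which is the property the text relies on when it requires keys to be used only once.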
Moreover, the nature of the One-Time Pad is such that key lengths must match the message length, resulting in a system that scales poorly. Finally, and arguably most significantly, the One-Time Pad does not address key distribution once the key has been generated. Given the lack of feasibility of a true One-Time Pad, more practical systems that attempt to replace the random key stream used in the One-Time Pad with a pseudo-random key stream generated from a small number of random key bits must be considered. Such an implementation yields a cryptosystem that is more easily realized in practice, as shown in Figure 4.2.

[Figure 4.2: Practical Stream Cipher Implementation]

Clearly, such an implementation is not unconditionally secure as in the case of the One-Time Pad. Therefore, more realistic levels of security when defining a cryptosystem must be considered. A cryptosystem is considered to be Computationally Secure if the best possible algorithm available to Oscar for successfully compromising the system requires a very large number of computations. In such a situation, it is not feasible for Oscar to have sufficient computing power to break the cryptosystem. Of course the computing power available to Oscar varies widely depending on whether Oscar is an individual, a company, a government, or somewhere in between. Moreover, computational security is based on the best known algorithm, and the number of computations necessary to ensure computational security may change dramatically should a more powerful algorithm for attacking the cryptosystem be developed. The same is true should a significant advance in computing technology occur. As such, cryptosystems whose security is based on a very hard problem that has been studied by cryptanalysts are of greater interest.
Such cryptosystems are termed Relatively Secure, although these systems may also fall victim to technology advancements and the development of a more powerful attack as scrutiny and cryptanalysis of the underlying algorithm(s) continues over time.

4.3 Key Stream Generators

When considering key stream generators for implementing the more practical stream cipher shown in Figure 4.2, two possibilities exist. Asynchronous key stream generators use the ciphertext $y_i$ as a feedback term. This is indicated by the dotted lines in Figure 4.2. Synchronous key stream generators do not use the ciphertext $y_i$ as a feedback term and instead rely only on the key $k$ and previously generated key stream bits ($z_{i-1}, z_{i-2}, \ldots, z_1$) to generate the next key stream bit $z_i$. The term Synchronous Stream Cipher is used to describe stream ciphers that use key stream generators that generate the key stream independent of the plaintext and the ciphertext, i.e. that use synchronous key stream generators. The term Asynchronous Stream Cipher is used to describe stream ciphers that synchronize automatically. In all cases, Alice and Bob must reach a state where their key stream generators are synchronized so that each $z_i$ arrives at the same time as its corresponding $y_i$ because loss of synchronization will result in corruption of the plaintext $x_i$ upon decryption of the ciphertext $y_i$.

4.3.1 Linear Feedback Shift Registers

Linear Feedback Shift Registers (LFSRs) are often used to generate key streams for practical stream ciphers. An LFSR is made up of storage elements and a feedback network, as detailed in Figure 4.3.

[Figure 4.3: Example LFSR Implementation]

The number of flip-flops in the LFSR is denoted as $m$. In the case of Figure 4.3, $m = 4$. The $m$ LFSR storage elements are represented as D flip-flops, denoted as $K_i$, that are initialized to a chosen value, represented in Figure 4.3 as ($z_3, z_2, z_1, z_0$). The right-most flip-flop produces the output key stream $z_i$. The left-most flip-flop's input is the XOR of the outputs of certain flip-flops within the feedback network, and the input to all other flip-flops is the output of the previous flip-flop, i.e. $D_i = Q_{i+1}$. It will become evident that choosing which flip-flop outputs to XOR to create the input to the left-most flip-flop is the critical factor to guarantee a key stream $z_i$ that is of maximum length before repeating its output sequence. Based on the configuration of Figure 4.3, the values ($z_3, z_2, z_1, z_0$) propagate through the D flip-flops from left to right and are shifted out to form the key stream $z_i$ via output $Q_0$ of flip-flop $K_0$.

Example 4.1: What is the pattern generated for $z_i$ given the LFSR of Figure 4.3 and the initial vector of ($z_3 = 1$, $z_2 = 0$, $z_1 = 0$, $z_0 = 1$)?

The LFSR of Figure 4.3 yields the following equations for the flip-flop inputs:

$D_0 = Q_1$
$D_1 = Q_2$
$D_2 = Q_3$
$D_3 = Q_1 \oplus Q_0$

Based on these equations and knowing the initial vector ($z_3, z_2, z_1, z_0$) yields equations for each $z_i$ beginning with $z_4$, remembering that $z_i = Q_0$:

$z_4 = z_0 \oplus z_1$
$z_5 = z_1 \oplus z_2$
$z_6 = z_2 \oplus z_3$
$z_7 = z_3 \oplus z_4$
$z_{i+4} = z_i \oplus z_{i+1}$

Therefore, the pattern generated by the LFSR for $z_i$ is:

$z_4 = z_0 \oplus z_1 \bmod 2 = 1 \oplus 0 = 1$
$z_5 = z_1 \oplus z_2 \bmod 2 = 0 \oplus 0 = 0$
$z_6 = z_2 \oplus z_3 \bmod 2 = 0 \oplus 1 = 1$
$z_7 = z_3 \oplus z_4 \bmod 2 = 1 \oplus 1 = 0$
$z_8 = z_4 \oplus z_5 \bmod 2 = 1 \oplus 0 = 1$
$z_9 = z_5 \oplus z_6 \bmod 2 = 0 \oplus 1 = 1$
$z_{10} = z_6 \oplus z_7 \bmod 2 = 1 \oplus 0 = 1$
$z_{11} = z_7 \oplus z_8 \bmod 2 = 0 \oplus 1 = 1$
$z_{12} = z_8 \oplus z_9 \bmod 2 = 1 \oplus 1 = 0$
$z_{13} = z_9 \oplus z_{10} \bmod 2 = 1 \oplus 1 = 0$
$z_{14} = z_{10} \oplus z_{11} \bmod 2 = 1 \oplus 1 = 0$
$z_{15} = z_{11} \oplus z_{12} \bmod 2 = 1 \oplus 0 = 1$
$z_{16} = z_{12} \oplus z_{13} \bmod 2 = 0 \oplus 0 = 0$
$z_{17} = z_{13} \oplus z_{14} \bmod 2 = 0 \oplus 0 = 0$
$z_{18} = z_{14} \oplus z_{15} \bmod 2 = 0 \oplus 1 = 1$
$z_{19} = z_{15} \oplus z_{16} \bmod 2 = 1 \oplus 0 = 1$
$z_{20} = z_{16} \oplus z_{17} \bmod 2 = 0 \oplus 0 = 0$
$z_{21} = z_{17} \oplus z_{18} \bmod 2 = 0 \oplus 1 = 1$
$z_{22} = z_{18} \oplus z_{19} \bmod 2 = 1 \oplus 1 = 0$
$z_{23} = z_{19} \oplus z_{20} \bmod 2 = 1 \oplus 0 = 1$
$z_{24} = z_{20} \oplus z_{21} \bmod 2 = 0 \oplus 1 = 1$
$z_{25} = z_{21} \oplus z_{22} \bmod 2 = 1 \oplus 0 = 1$
$z_{26} = z_{22} \oplus z_{23} \bmod 2 = 0 \oplus 1 = 1$
$z_{27} = z_{23} \oplus z_{24} \bmod 2 = 1 \oplus 1 = 0$

Therefore it is evident that for the key stream $z_i = 1001101011110001001101011110\ldots$ the key stream begins repeating at $z_{15}$, and the length of the key stream before repeating is 15.
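As an added example that is not part of the original text, the following Python program simulates the LFSR of Figure 4.3 as a general $m$-bit register with a chosen set of feedback taps, reproduces the key stream of Example 4.1 and measures its period by clocking the register until its state recurs. It goes one step beyond the example by also measuring the period of a second, assumed tap choice ($D_3 = Q_2 \oplus Q_0$, not from the text) to show that the feedback wiring, not the register length, decides whether the maximum length of $2^m - 1$ is reached.

```python
from typing import Dict, List, Sequence, Tuple


def lfsr_keystream(init: Sequence[int], taps: Sequence[int], n: int) -> List[int]:
    """Key-stream bits z_0 ... z_{n-1} from an m-bit LFSR of the Figure 4.3 kind.

    init is the initial vector as written in the text, (z_{m-1}, ..., z_1, z_0).
    Internally q[i] holds flip-flop output Q_i: Q_0 is the key-stream output,
    every D_i = Q_{i+1}, and D_{m-1} is the XOR of the outputs Q_t for t in taps.
    Example 4.1 has D_3 = Q_1 XOR Q_0, i.e. taps = (0, 1).
    """
    q = list(init[::-1])              # q[0] = z_0 is the first bit shifted out
    out = []
    for _ in range(n):
        out.append(q[0])
        feedback = 0
        for t in taps:
            feedback ^= q[t]
        q = q[1:] + [feedback]        # shift toward Q_0; feedback enters Q_{m-1}
    return out


def lfsr_period(init: Sequence[int], taps: Sequence[int]) -> int:
    """Length of the key stream before it repeats.

    The next state depends only on the current m-bit state, so the stream's
    period is the length of the cycle the state sequence falls into.  States
    are recorded with the clock at which they were first seen, so a register
    whose first few states are never revisited is handled as well as one
    that returns straight to its initial state.
    """
    q = tuple(init[::-1])
    first_seen: Dict[Tuple[int, ...], int] = {}
    clock = 0
    while q not in first_seen:
        first_seen[q] = clock
        feedback = 0
        for t in taps:
            feedback ^= q[t]
        q = q[1:] + (feedback,)
        clock += 1
    return clock - first_seen[q]


def bits_to_str(bits: Sequence[int]) -> str:
    return "".join(str(b) for b in bits)


if __name__ == "__main__":
    # Example 4.1: initial vector (z_3, z_2, z_1, z_0) = (1, 0, 0, 1), D_3 = Q_1 XOR Q_0.
    init, taps = (1, 0, 0, 1), (0, 1)
    print(bits_to_str(lfsr_keystream(init, taps, 28)))  # 1001101011110001001101011110
    print(lfsr_period(init, taps))                       # 15 = 2**4 - 1, maximum length
    # Assumed alternative wiring for contrast (not from the text): D_3 = Q_2 XOR Q_0.
    print(lfsr_period(init, (0, 2)))                     # 6
```

A period of 15 means that every 15 bits the same pad is applied again, which is exactly the key reuse the One-Time Pad discussion warns against; a practical stream cipher therefore needs a generator whose period is far longer than any message it will ever encrypt, and, by the Section 4.1 argument, one whose next bit cannot be predicted from the bits already seen.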
