
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS. Mike Thomsen, Cryptography II, May 14th, 2012.



2 Outline Linear Feedback Shift Registers (LFSR). Interesting properties of LFSRs. Stream ciphers built from LFSRs and correlation attacks. A5/1 and its weaknesses. Looking forward.

3 Linear Feedback Shift Registers (LFSR) Very basic example: a 3-bit register. [Diagram: cells 1, 2, 3, an XOR feeding the register, and the output bit taken from the last cell.] First two states: 101, 110.

4 Linear Feedback Shift Registers (LFSR)

5

6 Properties of LFSR Maximal vs. non-maximal length. The state sequence is cyclic. Non-maximal example: with the feedback governed by the front two cells (cells 1 and 2), the 3-bit register repeats after only 3 states. With the feedback taken from cells 2 and 3 it is maximal length and visits all 2^3 - 1 = 7 non-zero states before repeating.
   non-maximal (cells 1,2): 101 110 011 (back to 101)
   maximal (cells 2,3):     101 110 111 011 001 100 010 (back to 101)

7 Properties of LFSR Columns are exact rotations of each other. If we look at the run of states as a matrix (one state per row), different "initializations" or start states yield a rotation of the entire matrix.
   start 101   start 001
   101         001
   110         100
   111         010
   011         101
   001         110
   100         111
   010         011


9 LFSR and Galois Fields

10 Same start state 101, two tap sets. Left: feedback from cells 2 and 3 (the original register). Right: feedback from cells 1 and 3 (the reversed tap set of slide 12). Both run through all seven non-zero states, in different orders, and the right-hand output sequence is the left-hand one read backwards.
   cells 2,3   cells 1,3
   101         101
   110         010
   111         001
   011         100
   001         110
   100         111
   010         011

11

12 Reversing the tap positions gives another LFSR that runs through the same set of states; its output sequence is the original one run backwards. If the original feedback set is [m, A, B, C], the reversed feedback set is [m, m-C, m-B, m-A]. This is the reciprocal polynomial, so it is an easy way to find another irreducible (in fact primitive) polynomial.
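The 3-bit tables on slides 3, 6, 7 and 10 and the tap-reversal rule on slide 12, reproduced by a small simulator. This is an added example, not code from the presentation. It assumes the Fibonacci convention used to read the slides (cell 1 receives the XOR of the tapped cells, contents shift towards cell 3, and cell 3 is the output bit); tap positions are 1-indexed cells, as on the slides.

```python
# Added example: a tiny Fibonacci LFSR simulator for the 3-bit tables on the slides.
# Convention (assumed): the register is a list of bits with cell 1 first; on each
# clock the new cell-1 bit is the XOR of the tapped cells, the old contents shift
# one cell to the right, and the output bit is the last cell.


def lfsr_step(state, taps):
    """One clock: feedback = XOR of the tapped cells, shifted in at cell 1."""
    fb = 0
    for t in taps:
        fb ^= state[t - 1]
    return [fb] + state[:-1]


def lfsr_cycle(start, taps):
    """States visited from `start` until a state repeats.

    For a proper LFSR (cell m is a tap) the first repeat is `start` itself and
    the length of the list is the period; if cell m is not tapped the map is not
    a permutation and the walk may fall into a cycle that excludes `start`."""
    states = [tuple(start)]
    seen = {tuple(start)}
    s = lfsr_step(list(start), taps)
    while tuple(s) not in seen:
        seen.add(tuple(s))
        states.append(tuple(s))
        s = lfsr_step(s, taps)
    return states


def output_bits(start, taps, n):
    """First n output bits (last cell) as a string."""
    s = list(start)
    out = []
    for _ in range(n):
        out.append(str(s[-1]))
        s = lfsr_step(s, taps)
    return "".join(out)


def columns(states):
    """Read the state table column-wise: one bit string per register cell."""
    return ["".join(str(row[i]) for row in states) for i in range(len(states[0]))]


def is_rotation(a, b):
    """True if bit string b is a cyclic rotation of bit string a."""
    return len(a) == len(b) and b in a + a


def is_maximal(m, taps):
    """Maximal length: all 2^m - 1 non-zero states lie on a single cycle."""
    return len(lfsr_cycle([1] + [0] * (m - 1), taps)) == 2 ** m - 1


def reversed_taps(m, taps):
    """Slide 12's rule: [m, A, B, C] -> [m, m-C, m-B, m-A] (cell m stays a tap)."""
    return tuple(sorted({m} | {m - t for t in taps if t != m}))


if __name__ == "__main__":
    for name, taps in (("cells 2,3 (maximal)", (2, 3)),
                       ("cells 1,2 (non-maximal)", (1, 2)),
                       ("cells 1,3 (reversed taps)", (1, 3))):
        cyc = lfsr_cycle([1, 0, 1], taps)
        print(name, "period", len(cyc), " ".join("".join(map(str, s)) for s in cyc))
    print("columns of the maximal table:", columns(lfsr_cycle([1, 0, 1], (2, 3))))
    print("reversed taps of (2,3):", reversed_taps(3, (2, 3)))
```

Running it prints the three state walks from the slides: period 7 for taps (2,3) and (1,3), period 3 for taps (1,2). The three columns of the maximal table are rotations of one 7-bit m-sequence, a different start state rotates the whole table, and the output of the reversed-tap register is the original output sequence read backwards (up to rotation).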

13 LFSR and Galois Fields

14 LFSR and Stream Ciphers An LFSR can be used to generate the keystream of a stream cipher. Remember that stream ciphers work like a PRNG: they produce one keystream bit at a time, and the plaintext is encrypted bit by bit (XORed with the keystream) until the whole plaintext has been processed. A single LFSR is not a secure cipher: its output is linear in the secret initial state and its state sequence is cyclic, so a short stretch of known keystream (2n bits for an n-bit register) lets an attacker solve for the register and reproduce the rest. Instead, several LFSRs are combined through a non-linear function.

15 LFSR and Stream Ciphers First, we define a Boolean function that combines the register outputs. For example, consider the following diagram.

16 LFSR and Stream Ciphers

17 LFSR and Stream Ciphers – Correlation Attacks Because the register states are secret and only the combined output is visible, the registers do not appear to an attacker as independent objects: naively, the whole system (all register states together) must be brute-forced at once. Idea: look for a correlation between the output of one register and the output of the Boolean combining function. If such a correlation exists, that register can be brute-forced on its own, independent of the rest of the system, and the search drops from the product of the registers' state spaces to their sum. This is more likely than it seems: with enough registers, the linear nature of the LFSR (every output bit satisfies a linear recurrence) makes such patterns and correlations appear.

18 LFSR and Stream Ciphers – Correlation Attacks
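An added example, not from the presentation, of the combiner and attack described on slides 15 to 18. The Boolean function used here is the Geffe generator f(x1, x2, x3) = x2 if x1 = 1 else x3 (the slides' diagram is not available, so this choice is an assumption); its output agrees with x2, and also with x3, three times out of four, which is exactly the correlation the attack exploits. Register lengths, taps and the sample initial states are chosen for the demo.

```python
# Added example: a three-LFSR combiner (Geffe generator, assumed as the Boolean
# function) and the correlation attack against it.  Same LFSR convention as the
# 3-bit tables: cell 1 first, new cell-1 bit = XOR of the tapped cells, output =
# last cell.  Tap positions are 1-indexed cells.
from itertools import product


def lfsr_stream(taps, start, n):
    """First n output bits of a Fibonacci LFSR started in `start`."""
    s = list(start)
    out = []
    for _ in range(n):
        out.append(s[-1])
        fb = 0
        for t in taps:
            fb ^= s[t - 1]
        s = [fb] + s[:-1]
    return out


# Three maximal-length registers of pairwise coprime lengths 7, 9, 11
# (each tap set includes the last cell, so each is a genuine 2^m - 1 cycle).
TAPS = {1: (7, 1), 2: (9, 4), 3: (11, 2)}


def geffe(x1, x2, x3):
    """Combiner: x1 selects between x2 and x3.  Output == x2 with prob. 3/4, == x3 with prob. 3/4."""
    return x2 if x1 else x3


def keystream(states, n):
    """n keystream bits for initial states {1: bits, 2: bits, 3: bits}."""
    xs = [lfsr_stream(TAPS[i], states[i], n) for i in (1, 2, 3)]
    return [geffe(a, b, c) for a, b, c in zip(*xs)]


def nonzero_states(m):
    for bits in product((0, 1), repeat=m):
        if any(bits):
            yield list(bits)


def agreement(a, b):
    return sum(x == y for x, y in zip(a, b))


def correlation_attack(z):
    """Recover all three initial states from keystream z.

    Registers 2 and 3 are each brute-forced alone: the true state's output
    agrees with z on about 3/4 of the positions, a wrong one on about 1/2.
    Register 1 is then the unique state consistent with z given x2 and x3.
    Cost: 2^7 + 2^9 + 2^11 trials instead of 2^27 for the whole system."""
    n = len(z)
    found = {}
    for i in (2, 3):
        found[i] = max(nonzero_states(TAPS[i][0]),
                       key=lambda s: agreement(lfsr_stream(TAPS[i], s, n), z))
    x2 = lfsr_stream(TAPS[2], found[2], n)
    x3 = lfsr_stream(TAPS[3], found[3], n)
    for s in nonzero_states(TAPS[1][0]):
        x1 = lfsr_stream(TAPS[1], s, n)
        if all(geffe(a, b, c) == k for a, b, c, k in zip(x1, x2, x3, z)):
            found[1] = s
            break
    return found


if __name__ == "__main__":
    # Constructed secret initial states for the demo.
    secret = {1: [1, 0, 0, 1, 1, 0, 1],
              2: [0, 1, 1, 0, 1, 0, 0, 1, 1],
              3: [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0]}
    z = keystream(secret, 256)
    recovered = correlation_attack(z)
    print("recovered == secret:", recovered == secret)
```

The attack needs only a few hundred keystream bits; the score of the true candidate for register 2 or 3 sits around 0.75 n while every wrong candidate sits around 0.5 n, so the maximum is unambiguous. The lesson for designers is the one the slides draw: a combining function must not leak a correlation between any single register and the keystream (correlation immunity), otherwise the registers' state spaces add instead of multiply.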

19 LFSR and Stream Ciphers – A5/1

20 Use the following LFSRs of length 19, 22 and 23 bits (64 bits of state in total; tap positions are 0-indexed). R1 has taps 13, 16, 17, 18. R2 has taps 20, 21. R3 has taps 7, 20, 21, 22.

21 LFSR and Stream Ciphers – A5/1
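An added example, not from the presentation: the A5/1 keystream generator built from the three registers on slide 20. The register lengths (19, 22, 23) and the 0-indexed taps are those on the slide; the majority ("stop/go") clocking on bits 8, 10 and 10, the key and frame-number loading and the 100 discarded clocks follow the public description of the cipher and are not shown on the slide. The key and frame number used in the demo are constructed values, not a published test vector.

```python
# Added example: A5/1 keystream generation.  Registers are Python ints; bit 0 is
# where feedback enters, the top bit (18, 21, 22) is the register's output bit.
# Lengths and taps from the slide; clocking bits, key/frame loading and the 100
# warm-up clocks from the public description of A5/1.

R_LEN = (19, 22, 23)
R_TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))
CLOCK_BIT = (8, 10, 10)


def lfsr_clock(reg, length, taps):
    """One LFSR step on an int register: feedback = XOR of tap bits, shifted in at bit 0."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


def majority(a, b, c):
    return (a & b) | (a & c) | (b & c)


def clock_all(regs, mix_bit=0):
    """Regular clocking used while loading key/frame; mix_bit is XORed into bit 0 of every register."""
    return [lfsr_clock(r, n, t) ^ mix_bit for r, n, t in zip(regs, R_LEN, R_TAPS)]


def clock_majority(regs):
    """Irregular clocking: a register steps only if its clock bit agrees with the majority.

    This stop/go rule is the non-linear element of A5/1; each register moves
    with probability 3/4 per clock."""
    bits = [(r >> c) & 1 for r, c in zip(regs, CLOCK_BIT)]
    maj = majority(*bits)
    return [lfsr_clock(r, n, t) if b == maj else r
            for r, n, t, b in zip(regs, R_LEN, R_TAPS, bits)]


def output_bit(regs):
    """Keystream bit = XOR of the three registers' top bits."""
    return ((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1


def a51_keystream(key, frame, nbits=228):
    """228 keystream bits (114 downlink + 114 uplink) for an 8-byte key and 22-bit frame number."""
    assert len(key) == 8 and 0 <= frame < (1 << 22)
    regs = [0, 0, 0]
    for i in range(64):                        # load the 64-bit session key, LSB-first per byte
        regs = clock_all(regs, (key[i >> 3] >> (i & 7)) & 1)
    for i in range(22):                        # load the 22-bit frame number
        regs = clock_all(regs, (frame >> i) & 1)
    for _ in range(100):                       # 100 majority-clocked rounds, output discarded
        regs = clock_majority(regs)
    out = []
    for _ in range(nbits):
        regs = clock_majority(regs)
        out.append(output_bit(regs))
    return out


def lfsr_period(idx, start=1):
    """Period of register idx clocked on its own: 2^len - 1 when its feedback polynomial is primitive."""
    n, taps = R_LEN[idx], R_TAPS[idx]
    r = lfsr_clock(start, n, taps)
    steps = 1
    while r != start:
        r = lfsr_clock(r, n, taps)
        steps += 1
    return steps


if __name__ == "__main__":
    key = bytes([0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF])   # constructed demo key
    ks = a51_keystream(key, frame=0x134)
    print("downlink:", "".join(map(str, ks[:114])))
    print("uplink:  ", "".join(map(str, ks[114:])))
    print("R1 alone has period", lfsr_period(0), "=", 2 ** 19 - 1)
```

Each frame re-runs the whole setup with the same session key and a new frame number, so the 64-bit key is mixed with only 22 bits of public frame counter; the per-frame keystream is just 228 bits. Clocking R1 on its own shows it is a maximal-length register (period 2^19 - 1), as on slide 6, while the majority rule is what keeps the combination from being a simple linear sequence.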

22 Attacks on A5/1 – Known Plaintext

23 Attacks on A5/1 – Active Attacks Barkan, Biham and Keller found the most serious weakness: an active attack via the weaker A5/2, if the phone supports it (the same session key is used whichever algorithm the network selects, so a false base station can force A5/2, recover the key from it, and then decrypt the A5/1 traffic). They published a follow-up paper in 2006 extending their attacks and fully breaking A5/1. GSM later added A5/3, based on KASUMI.

24 Future Stream ciphers such as RC4 (and block ciphers such as RC5 and RC6) avoid LFSRs altogether, though they have their own set of problems. LFSRs remain interesting: they are good for 'random' hardware testing and, if constructed correctly, can be useful in some cryptographic applications. Note that A5/1's weaknesses are less about the structure of the LFSR and more about the structure of GSM.

25 References
Elad Barkan, Eli Biham, Nathan Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, 2003/2006.
Patrik Ekdahl. On LFSR-based Stream Ciphers (PhD thesis), 2003.
Alex Biryukov, Adi Shamir, David Wagner. Real Time Cryptanalysis of A5/1 on a PC, 2000.
New Wave Instruments, m-sequence / LFSR article: http://www.newwaveinstruments.com/resources/articles/m_sequence_linear_feedback_shift_register_lfsr.htm
Thomas Johansson, Fredrik Jonsson. Improved Fast Correlation Attacks on Stream Ciphers via Convolutional Codes, 1999.

