
Linearization of Stream Ciphers in Terms of Cellular Automata Amparo Fúster-Sabater Institute of Applied Physics (CSIC) Madrid (Spain)




1 Linearization of Stream Ciphers in Terms of Cellular Automata
Amparo Fúster-Sabater, Institute of Applied Physics (CSIC), Madrid (Spain), amparo@iec.csic.es
A. Fúster-Sabater, Gjøvik University College, June 2006

2 Overview
- Introduction
- Basic structures: LFSR-based keystream generators; cellular automata (CA)
- Linear model of a class of keystream generators
- Contributions to cryptanalysis
- Conclusions

3 "Linearity is the curse of the cryptographer" (James L. Massey, Crypto'89)

4 Stream Cipher Procedure
Stream cipher: design of keystream sequence generators with pseudorandomness characteristics.
Sender: ciphertext = plaintext XOR keystream. Receiver: plaintext = ciphertext XOR keystream, using the same keystream sequence.
  plaintext   001…10  010…11  110…01  …
  keystream   011…01  000…10  010…11  …
  ciphertext  010…11  010…01  100…10  …

5 Linear Feedback Shift Register (LFSR)
LFSR parameters: length L; characteristic polynomial (given on the slide as an image, not recovered).
Operation: the binary content shifts one position per clock pulse and the feedback bit enters at the freed end.
Example with L = 4: generated sequence 1 0 0 0 1 1 1 1 …; successive register contents 1000 → 0001 → 0011 → 0111 → 1111 → 1110 → 1101 → 1010 → …, each state being four consecutive bits of the sequence.

6 Linear Feedback Shift Registers
LFSRs generate PN-sequences: long period, good statistics, but low linear complexity.
Cryptographic applications are non-linear combinations of LFSRs: non-linear filters, non-linear combining generators, clock-controlled generators.

7 Cellular Automata (CA)
One-dimensional CA: a register of n cells updated according to a function Φ of k variables (the rule).
Cell i at time t+1 depends on k = 2r+1 neighbouring cells: x_i^{t+1} = Φ(x_{i-r}^t, …, x_i^t, …, x_{i+r}^t).
Linear CA: Φ is a linear function.

8 Classification of CA
Uniform (regular) CA: all the cells follow the same rule Φ.
Hybrid CA: different cells follow different rules Φ_i.
Null boundary conditions: the cells adjacent to the extreme cells are taken to have permanent null content.
Periodic boundary conditions: the extreme cells are taken to be adjacent.

9 Linear Cellular Automata, k = 3
Rule 90: x_i^{t+1} = x_{i-1}^t ⊕ x_{i+1}^t
  neighbourhood (x_{i-1}, x_i, x_{i+1}):  111 110 101 100 011 010 001 000
  new value of x_i:                         0   1   0   1   1   0   1   0
  01011010 (binary) = 90 (decimal)
Rule 150: x_i^{t+1} = x_{i-1}^t ⊕ x_i^t ⊕ x_{i+1}^t
  neighbourhood (x_{i-1}, x_i, x_{i+1}):  111 110 101 100 011 010 001 000
  new value of x_i:                         1   0   0   1   0   1   1   0
  10010110 (binary) = 150 (decimal)

10 Cellular Automata (rules 90 & 150)
Example with L = 6 cells (state-transition diagram with per-cell rule labels 150/90; the diagram did not survive transcription).
The 2^L states are grouped in state cycles. Quantities of interest: number of different sequences, period T, linear complexity LC.

11 References
1. S. Wolfram, Cellular Automata as Models of Complexity, Nature, Vol. 311, p. 419, 1984.
2. S. Wolfram, Random Sequence Generation by Cellular Automata, Adv. Appl. Math., Vol. 7, pp. 127-169, 1986.
3. S. Zhang et al., Quantitative Analysis for Cellular Automata and LFSR as BIST Generators, J. Electronic Testing, 7 (3), 1995.
4. M. Serra et al., Analysis of One-dimensional CA and their Aliasing Properties, IEEE Trans. Computer-Aided Design, 9 (2), 1990.
5. A.K. Das et al., Efficient Characterization of Cellular Automata, IEE Proc. Part E, 1, pp. 81-87, 1990.
6. S.J. Cho et al., Computing Phase Shifts of 90/150 CA Sequences, Proc. ACRI 2004, LNCS 3305, pp. 31-39, 2004.
7. A. Fúster et al., Concatenated Automata in Stream Ciphers, to appear in Proc. ACRI 2006, LNCS, 2006.

12 LFSRs vs CA
Both: simple implementation; pattern generators for circuit testing; interchangeable structures with the same characteristic polynomial.
LFSR state cycle (from the slide's diagram): 110 → 101 → 010 → 100 → 001 → 011 → 111 → 110 …
CA state cycle (cells with rules 150, 90, …): 100 → 110 → 011 → 111 → 001 → 010 → 101 → 100 …
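Added example in Python, not part of the presentation: a null-boundary 90/150 hybrid CA run beside the LFSR it is interchangeable with, as slide 12 claims. The slide's diagram lost everything except the two state cycles, so the rule vector 150-90-90 and the polynomial x^3 + x^2 + 1 are assumptions; the code checks that they reproduce both cycles, computes the CA's characteristic polynomial from its tridiagonal transition matrix, and verifies that every cell of the CA emits a phase shift of the LFSR's m-sequence.

```python
# Added example (not from the slides).  Assumed: CA rules 150-90-90 and LFSR polynomial
# x^3 + x^2 + 1, read off the two state cycles printed on slide 12.

def ca_step(state, rules):
    """One synchronous update of a 1-D linear CA with null boundaries.
    rules[i] is 90 (x_{i-1} xor x_{i+1}) or 150 (additionally xor x_i)."""
    padded = [0] + list(state) + [0]
    return [padded[i] ^ padded[i + 2] ^ (padded[i + 1] if r == 150 else 0)
            for i, r in enumerate(rules)]

def ca_cycle(state, rules):
    """States (as bit strings) visited from `state` until the first repetition."""
    seen, s = [], list(state)
    while "".join(map(str, s)) not in seen:
        seen.append("".join(map(str, s)))
        s = ca_step(s, rules)
    return seen

def lfsr_step(window, poly):
    """Fibonacci LFSR: `window` holds L consecutive sequence bits s_n..s_{n+L-1};
    `poly` is an int with bit i = coefficient of x^i, so s_{n+L} = xor of c_i * s_{n+i}."""
    L = poly.bit_length() - 1
    new = 0
    for i in range(L):
        if poly >> i & 1:
            new ^= window[i]
    return window[1:] + [new]

def lfsr_cycle(window, poly):
    """Register contents (as bit strings) visited from `window` until the first repetition."""
    seen, w = [], list(window)
    while "".join(map(str, w)) not in seen:
        seen.append("".join(map(str, w)))
        w = lfsr_step(w, poly)
    return seen

def ca_char_poly(rules):
    """Characteristic polynomial (int, bit i = coefficient of x^i) of the CA transition
    matrix over GF(2).  The matrix is tridiagonal with the rule-150 cells on the diagonal,
    so its determinant follows the continuant recurrence D_k = (x + d_k) D_{k-1} + D_{k-2}."""
    prev, cur = 0, 1
    for r in rules:
        prev, cur = cur, (cur << 1) ^ (cur if r == 150 else 0) ^ prev
    return cur

def poly_str(p):
    """Human-readable form of an int-coded GF(2)[x] polynomial."""
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(p.bit_length()) if p >> i & 1]
    return " + ".join(reversed(terms))

def cell_sequence(state, rules, cell, n):
    """First n bits emitted by one cell of the CA."""
    out, s = [], list(state)
    for _ in range(n):
        out.append(s[cell])
        s = ca_step(s, rules)
    return out

def is_phase_shift(seq, period_bits):
    """True if `seq` occurs in the periodic sequence whose one period is `period_bits`."""
    doubled = "".join(map(str, list(period_bits) * 2))
    return "".join(map(str, seq)) in doubled

if __name__ == "__main__":
    RULES, POLY = [150, 90, 90], 0b1101                    # x^3 + x^2 + 1
    print("CA cycle  :", " -> ".join(ca_cycle([1, 0, 0], RULES)))
    print("LFSR cycle:", " -> ".join(lfsr_cycle([1, 1, 0], POLY)))
    print("CA characteristic polynomial:", poly_str(ca_char_poly(RULES)))
    m_seq = [int(w[0]) for w in lfsr_cycle([1, 1, 0], POLY)]  # one period of the m-sequence
    for cell in range(3):
        print("cell", cell, "is a phase shift of the m-sequence:",
              is_phase_shift(cell_sequence([1, 0, 0], RULES, cell, 7), m_seq))
```

The continuant recurrence is what makes the CA side cheap: the characteristic polynomial of an L-cell 90/150 CA costs L polynomial shifts, with no matrix determinant, and reversing the rule vector leaves it unchanged (the mirror-image pair of slide 26).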

13 More References
CA characteristic polynomial: S. Zhang et al., Quantitative Analysis for Linear Hybrid Cellular Automata and LFSR as Built-In Self-Test Generators for Sequential Faults, J. of Electronic Testing: Theory and Applications, 7 (1995), 209-221.
Characteristic polynomial → CA: K. Cattell and J.C. Muzio, The Synthesis of One-Dimensional Linear Hybrid Cellular Automata, IEEE Trans. on Computer-Aided Design, 15 (1996), 325-335.

14 A Class of LFSR-Based Generators: Clock-Controlled Shrinking Generators
A wide class of binary sequence generators made up of two LFSRs, R1 and R2:
- R1 (selector register) is clocked normally.
- R2 (generating register) is clocked irregularly: according to a rule P, the bits of register R1 control the clock of register R2.
This construction lets users generate a large family of different sequences with the same registers and initial states, changing only the rule P.

15 The Shrinking Generator (Crypto'93)
A very simple binary sequence generator made up of two LFSRs, R1 and R2. According to a rule P, register R1 (selector register) decimates the sequence produced by register R2.

16 The Shrinking Generator
{a_i}: binary sequence generated by R1; {b_i}: binary sequence generated by R2; {c_j}: output sequence of the SG, "the shrunken sequence".
Decimation rule P:
1. If a_i = 1, then c_j = b_i.
2. If a_i = 0, then b_i is discarded.

17 The Shrinking Generator: Example
LFSRs R1 and R2 (their characteristic polynomials are given on the slide as images, not recovered). Decimation rule P as above:
{a_i} = 1 0 0 1 1 1 0 1 0 0 1 1 1 0 1 0 …
{b_i} = 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 …
{c_j} = 1 0 1 0 1 1 0 1 1 …
The bits b_i at the positions where a_i = 0 (underlined on the slide) are discarded; the remaining b_i, read in order, form {c_j}.

18 Cryptographic characteristics of the shrunken sequence
Period and linear complexity: given on the slide as formulas (not recovered).
Number of 1's: quasi-balanced sequence.

19 Clock-Controlled Shrinking Generators
A. Kanso, Clock-Controlled Shrinking Generators, Proc. ACISP'03, LNCS 2727, 2003.
Remark: double decimation. Register R1 (output a_i) drives a clock function X_t that clocks R2 irregularly; the resulting output b_i' of R2 is then decimated again by rule P to give c_j.

20 CCSG: An Example
For the same LFSRs as before and decimation rule X (if X_t = 1 for all t, the construction reduces to the shrinking generator). The listed values are consistent with b_i' being the bit R2 shows after a total of X_0 + … + X_{i-1} clock pulses, i.e. R2 emits its current bit and is then clocked X_i times.
{b_i}  = 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 0 0 0 1 0 0 1 …
{X_t}  = 2 1 1 2 2 2 1 2 1 1 2 2 2 1 2 1 1 2 2 …
{b_i'} = 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 1 …
Decimation rule P:
{a_i}  = 1 0 0 1 1 1 0 1 0 0 1 1 1 0 1 0 …
{b_i'} = 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 …
{c_j}  = 1 1 0 1 0 1 0 1 1 …
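Added example in Python, not part of the presentation: the LFSR of slide 5, the shrinking generator of slides 15-17 and the clock-controlled shrinking generator of slides 19-20, with the parameters needed to reproduce every sequence printed on those slides. The polynomial images were lost, so the following are assumptions chosen to match the printed bits: R1 is x^3 + x^2 + 1 started at 100, R2 is x^4 + x + 1 started at 1000, slide 5's register is x^4 + x^3 + 1 started at 1000, and the CCSG clock function is X_t = 1 + a_t (inferred from the values listed on slide 20).

```python
# Added example (not from the slides).  All polynomials and initial states below are
# assumptions that reproduce the sequences printed on slides 5, 17 and 20.
from functools import reduce
from operator import xor

def lfsr_bits(poly, init, n):
    """First n bits of a Fibonacci LFSR sequence.
    poly: int with bit i = coefficient of x^i (degree L); init: the first L sequence bits.
    Recurrence: s[k+L] = XOR over i < L of c_i * s[k+i]."""
    L = poly.bit_length() - 1
    s = list(init)
    while len(s) < n:
        k = len(s) - L
        s.append(reduce(xor, (s[k + i] for i in range(L) if poly >> i & 1), 0))
    return s[:n]

def shrinking_generator(a, b):
    """Rule P of slide 16: c_j = b_i when a_i = 1; b_i is discarded when a_i = 0."""
    return [bi for ai, bi in zip(a, b) if ai == 1]

def clock_controlled_decimation(b, x):
    """First decimation of the CCSG: R2 emits its current bit, then receives X_t clock
    pulses.  `b` must be long enough to cover the sum of the X_t consumed."""
    out, pos = [], 0
    for xt in x:
        out.append(b[pos])
        pos += xt
    return out

def ccsg_example():
    """Reproduce the worked examples of slides 17 and 20 with the assumed parameters:
    R1: x^3 + x^2 + 1 from 100;  R2: x^4 + x + 1 from 1000;  X_t = 1 + a_t."""
    a = lfsr_bits(0b1101, [1, 0, 0], 20)
    b = lfsr_bits(0b10011, [1, 0, 0, 0], 64)
    x = [1 + ai for ai in a]
    b_prime = clock_controlled_decimation(b, x)
    return {
        "a": a[:16],
        "b": b[:16],
        "shrunken": shrinking_generator(a[:16], b[:16]),    # slide 17 output {c_j}
        "X": x[:19],
        "b_prime": b_prime,                                  # slide 20, first decimation
        "ccsg": shrinking_generator(a[:16], b_prime[:16]),   # slide 20 output {c_j}
    }

def slide5_lfsr():
    """Assumed x^4 + x^3 + 1 from 1000: gives the slide-5 sequence 1 0 0 0 1 1 1 1 ..."""
    return lfsr_bits(0b11001, [1, 0, 0, 0], 8)

if __name__ == "__main__":
    for name, seq in ccsg_example().items():
        print("%-9s" % name, " ".join(map(str, seq)))
    print("slide 5  ", " ".join(map(str, slide5_lfsr())))
```

Note the asymmetry that the linearization exploits later: the selector R1 only decides which bits of R2 survive, so the surviving bits are still R2's linear sequence sampled at irregular positions.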

21 CCSG in terms of CA
Given a clock-controlled shrinking generator characterized by its LFSRs, express it in terms of null-boundary hybrid linear cellular automata with rules 90 and 150.

22 Fact 1
The characteristic polynomial of the shrunken sequence has the form shown on the slide (formula not recovered), where P(x) is a primitive polynomial of degree L2 and N satisfies the condition given on the slide (not recovered).

23 Fact 2
P(x) depends exclusively on:
1. the characteristic polynomial P2(x) of register R2;
2. the length L1 of register R1.
Consequently, different shrinking generators (same R2, any R1 of length L1) have the same characteristic polynomial.

24 Algorithm of Linearization
Input: a shrinking generator (given L1, L2, P2(x)).
Output: two linear CA corresponding to the given SG.

25 Step 1: Computation of P(x)
P(x) is obtained from L1 and P2(x): P(x) is the characteristic polynomial of the cyclotomic coset E (its expression was lost in transcription), α being a primitive root in the corresponding finite field.

26 Step 2: Computation of the CA corresponding to P(x)
Apply the Cattell and Muzio synthesis algorithm to P(x) to determine the two linear hybrid CA of length L2 whose characteristic polynomial is P(x).
Codify both CA as binary strings: rule 90 = 0, rule 150 = 1.

27 Step 3: Computation of the CA corresponding to the given SG
For each CA obtained in Step 2, with code S:
1. Complement its least significant bit.
2. Compute its mirror image S* and concatenate both strings.
Iterate 1 and 2 (L1 - 1) times.

28 Algorithm (An Example)
Shrinking Generator: R1 (its polynomial is not needed), R2 (polynomial given on the slide as an image, not recovered).
Step 1: P(x) (formula lost) is the characteristic polynomial of coset 7.

29 Algorithm (An Example), Step 2
Determine the two linear CA corresponding to P(x) via the Cattell and Muzio algorithm. Both CA codified (0 = rule 90, 1 = rule 150):
0 1 1 1 1
1 1 1 1 0

30 Algorithm (Step 3)
Iterated L1 - 1 = 2 times (complement the last bit, then append the mirror image); the leading bits of the final string of the first automaton, dropped in transcription, are restored according to that rule:
First automaton:  0 1 1 1 1 → 0 1 1 1 0 0 1 1 1 0 → 0 1 1 1 0 0 1 1 1 1 1 1 1 1 0 0 1 1 1 0
Second automaton: 1 1 1 1 0 → 1 1 1 1 1 1 1 1 1 1 → 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1
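Added example in Python, not the presentation's own code: Steps 1-3 of the linearization algorithm of slides 24-30, run on the slides' example (L1 = 3, L2 = 5, coset 7). Three things are assumptions: the R2 polynomial on slide 28 was lost, so the example uses P2(x) = x^5 + x^4 + x^2 + x + 1, for which Step 1 yields P(x) = x^5 + x^2 + 1 and Step 2 yields exactly the two automata 01111 and 11110 of slide 29; the coset is taken as E = 2^L1 - 1, which gives coset 7 for L1 = 3; and Step 2 replaces the Cattell and Muzio synthesis with an exhaustive search over the 2^L2 rule vectors, which for an irreducible P(x) returns the same mirror-image pair. The checks also confirm that each concatenation squares the characteristic polynomial, so the final 20-cell automata have P(x)^4.

```python
# Added example (not from the slides).  Assumed: P2(x) = x^5 + x^4 + x^2 + x + 1,
# E = 2^L1 - 1, and exhaustive search in place of the Cattell-Muzio synthesis.

def gf2x_mul(a, b):
    """Carry-less product of two GF(2)[x] polynomials (int, bit i = coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

class GF2m:
    """GF(2^m) with elements as ints, arithmetic modulo `modulus` (degree m, bit m set)."""
    def __init__(self, modulus):
        self.mod, self.m = modulus, modulus.bit_length() - 1

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m & 1:
                a ^= self.mod
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

def coset_polynomial(p2, E):
    """Step 1: characteristic polynomial of the cyclotomic coset E, i.e. the minimal
    polynomial over GF(2) of alpha^E, where alpha (= x) is a root of the primitive p2."""
    F = GF2m(p2)
    conj, c = [], F.pow(0b10, E)
    while c not in conj:                      # alpha^E, alpha^2E, alpha^4E, ...
        conj.append(c)
        c = F.mul(c, c)
    poly = [1]                                # coefficients in GF(2^m), index = degree
    for c in conj:                            # multiply by (x + c)
        poly = [(poly[i - 1] if i > 0 else 0) ^ (F.mul(c, poly[i]) if i < len(poly) else 0)
                for i in range(len(poly) + 1)]
    assert all(coef in (0, 1) for coef in poly)   # closed conjugate set => GF(2) coefficients
    return sum(coef << i for i, coef in enumerate(poly))

def ca_char_poly(code):
    """Characteristic polynomial of a null-boundary 90/150 CA given as a 0/1 string
    (0 = rule 90, 1 = rule 150), via the tridiagonal determinant recurrence."""
    prev, cur = 0, 1
    for d in code:
        prev, cur = cur, (cur << 1) ^ (cur if d == "1" else 0) ^ prev
    return cur

def synthesize_ca(P):
    """Step 2 (exhaustive stand-in for Cattell-Muzio): every CA of length deg P whose
    characteristic polynomial is P."""
    L = P.bit_length() - 1
    return [c for c in (format(r, "0%db" % L) for r in range(1 << L)) if ca_char_poly(c) == P]

def concatenate(code, L1):
    """Step 3: L1-1 times, complement the last bit and append the mirror image.
    Returns the code after each iteration, starting with the input."""
    history = [code]
    for _ in range(L1 - 1):
        code = code[:-1] + ("0" if code[-1] == "1" else "1")
        code = code + code[::-1]
        history.append(code)
    return history

def linearize_shrinking_generator(L1, p2):
    """Whole algorithm: P(x) and the final CA code for each member of the mirror pair."""
    P = coset_polynomial(p2, (1 << L1) - 1)
    return P, [concatenate(c, L1)[-1] for c in synthesize_ca(P)]

if __name__ == "__main__":
    L1, P2 = 3, 0b110111                         # assumed R2 polynomial x^5+x^4+x^2+x+1
    P = coset_polynomial(P2, (1 << L1) - 1)      # coset 7
    print("Step 1: P(x) =", bin(P))               # 0b100101 = x^5 + x^2 + 1
    for code in synthesize_ca(P):                # Step 2: 01111 and 11110
        print("Steps 2-3:", " -> ".join(concatenate(code, L1)))
```

Only L1 and P2(x) enter the computation, which is Fact 2 in executable form: the selector's polynomial and both initial states play no part, so one 20-cell linear automaton covers every shrinking generator built on this R2 with a length-3 selector.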

31 Linearization Algorithm for CCSGs
CCSG given by R1 (not needed), R2 and the clock function X_t (both shown on the slide as images, not recovered).
In Step 1, P(x) is the characteristic polynomial of coset E (expression not recovered); the other steps of the algorithm are as before.
CCSGs can therefore be expressed in terms of linear CA too.

32 CA: Applications
CA with rules 90 150 90 150 … and intercepted keystream {c_j} = {0 1 0 1 1 0 1 0 0 …}.
From n intercepted bits of one cell: n-1 bits of the next cell (2nd column), n-2 bits of the following one (3rd column), …, 1 bit of the nth column. (The triangle of derived bits drawn on the slide did not survive transcription.)

33 Reconstruction of the shrunken sequence
From n intercepted bits of the shrunken sequence. Idea: use these bits to determine further portions of the shrunken sequence.
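Added example in Python, not part of the presentation: the "one cell known, neighbours derived" step behind slides 32-33. For a null-boundary 90/150 CA the update rule x_i^{t+1} = x_{i-1}^t ⊕ x_{i+1}^t (⊕ x_i^t for rule 150) can be solved for x_{i+1}^t, so n consecutive bits of cell 0 fix n-1 bits of cell 1, n-2 of cell 2, and so on. The rule vector follows the slide's 90 150 90 150 … pattern; the initial state and the intercepted bits are constructed for the demonstration, and the result is checked against a direct simulation of the automaton.

```python
# Added example (not from the slides).  Constructed CA (rules 90 150 90 150 90 150) and
# constructed initial states; the intercepted bits are cell 0's first n outputs.

def ca_step(state, rules):
    """One update of a null-boundary 90/150 CA (state and rules are lists)."""
    padded = [0] + list(state) + [0]
    return [padded[i] ^ padded[i + 2] ^ (padded[i + 1] if r == 150 else 0)
            for i, r in enumerate(rules)]

def cell_sequences(state, rules, n):
    """n time steps of every cell: result[i][t] = x_i^t."""
    rows, s = [], list(state)
    for _ in range(n):
        rows.append(s)
        s = ca_step(s, rules)
    return [[row[i] for row in rows] for i in range(len(rules))]

def reconstruct_neighbours(rules, intercepted):
    """From n consecutive bits x_0^0 .. x_0^{n-1} of cell 0, derive the bits the rules fix
    in the other cells.  Rearranging x_i^{t+1} = x_{i-1}^t ^ x_{i+1}^t [^ x_i^t if 150]:
        x_{i+1}^t = x_i^{t+1} ^ x_{i-1}^t [^ x_i^t if rules[i] == 150]
    Each column is one bit shorter than the previous: n-1 bits of cell 1, n-2 of cell 2, ...
    Returns one list per determined cell, cell 0 first."""
    cols = [list(intercepted)]
    for i in range(1, min(len(rules), len(intercepted))):
        left = cols[i - 2] if i >= 2 else None     # cell i-2 (null boundary when i == 1)
        cur = cols[i - 1]                          # cell i-1, whose rule we invert
        nxt = []
        for t in range(len(cur) - 1):
            bit = cur[t + 1]
            if left is not None:
                bit ^= left[t]
            if rules[i - 1] == 150:
                bit ^= cur[t]
            nxt.append(bit)
        cols.append(nxt)
    return cols

def check_reconstruction(rules, state, n):
    """Simulate the CA, intercept n bits of cell 0, reconstruct, compare with the truth.
    Returns (all columns correct?, column lengths)."""
    truth = cell_sequences(state, rules, n)
    cols = reconstruct_neighbours(rules, truth[0])
    return all(col == truth[i][:len(col)] for i, col in enumerate(cols)), [len(c) for c in cols]

if __name__ == "__main__":
    RULES = [90, 150, 90, 150, 90, 150]
    ok, lengths = check_reconstruction(RULES, [1, 0, 1, 1, 0, 0], 9)
    print("reconstruction matches simulation:", ok, "column lengths:", lengths)
    # The slide's intercepted keystream as cell 0 of a 9-cell 90/150 automaton:
    for i, col in enumerate(reconstruct_neighbours(RULES + [90, 150, 90], [0, 1, 0, 1, 1, 0, 1, 0, 0])):
        print("cell", i, "".join(map(str, col)))
```

The practical reading is the one slide 33 draws: once the generator has been replaced by its linear automaton, intercepted keystream is not just data to match against but a set of linear constraints on the other cells, each of which is itself a (shifted) copy of the same sequence.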

34 Symmetry for CA
(Figure: a table of labelled positions P1 … P16 illustrating the symmetry of the sequences generated by the CA 1000110001; not recoverable from the transcript.)

35 Other sequences generated by the same CA
- Different shrinking generators: the same R2, different R1 of length L1.
- LFSR-based generators with different rules of decimation.
- Clock-controlled shrinking generators.

36 Other Sequence Generators: The Alternating Generator
Introduced by C. Günther (Eurocrypt'87). Three LFSRs R1, R2, R3: the output bit of R1 (0 or 1) selects which of R2 and R3 receives the clock pulse. Linear model: addition of two different CA.

37 Other Sequence Generators: The Gollmann Generator
Introduced by D. Gollmann (IEE Proc. 1988). A cascade of LFSRs R1, R2, R3, … in which each register controls the clock of the next. Linear model: addition of two (or more) CA.

38 Conclusions
LFSR-based structures ↔ cellular automata.
Classes of clock-controlled generators are a subset of linear cellular automata; linear models describe the behaviour of the clock-controlled sequence generators.

39 Conclusions
- A very simple algorithm converts different classes of clock-controlled generators into a linear CA-based model.
- A wide class of non-linear binary generators can be expressed as linear models (by concatenation).
- A wide class of different binary generators are included in the same cellular automata.
- The algorithm can be applied to clock-controlled generators with parameters in a range of cryptographic interest.

40 For the Future
Apply the same linearization technique to other nonlinear LFSR-based keystream generators.




