Session 1 Stream ciphers 1.


2 Introduction
If the level of security required is not the highest one, a stream cipher can be used instead of the Vernam cipher.
Stream cipher:
- A deterministic algorithm produces a pseudo-noise sequence (PN-sequence)
- The PN-sequence satisfies the 3 Golomb postulates
- The key is short (much shorter than the plaintext), which makes the cipher practical

3 Introduction
[Figure: transmitter and receiver. In the transmitter the plaintext symbol x_i is combined with the keystream symbol z_i: x_i ⊕ z_i = y_i; y_i is sent over the communication channel; in the receiver y_i ⊕ z_i = x_i. Both sides produce z_i with the same deterministic algorithm from the same key.]

4 Linear feedback shift registers
LFSR theory is developed enough to enable thorough analysis of the properties of the output sequence of a PN sequence generator containing LFSRs. Because of that, the vast majority of PN generators are designed by combining LFSRs and non-linear Boolean functions.

5 Linear feedback shift registers
A linear feedback shift register (LFSR) consists of:
- n single-symbol memory cells (stages)
- a linear feedback function, which expresses each new symbol of the output sequence as a linear function of the n previous symbols
The contents of the flip-flops are shifted one position at every clock pulse.

6 Linear feedback shift registers
[Figure: an LFSR of n stages; the feedback function g is linear.]

7 Linear feedback shift registers
The state of the register: the contents of the stages between two clock pulses. The initial state: the contents of the stages at the moment the process begins.

8 Linear feedback shift registers
The state diagram of an LFSR is never singular, because the linear feedback function satisfies the non-singularity condition:

9 Linear feedback shift registers
The maximum possible period of the output sequence is 2^n − 1. The all-zero initial state is not used, because in that case only the all-zero sequence would be produced. The key is the initial contents of the LFSR.

10 Linear feedback shift registers
The feedback function g of an LFSR is a linear recurrence; the output sequences are linear recurring sequences of order n.

11 Linear feedback shift registers
A characteristic (feedback) polynomial can be associated with every linear recurrence. This makes the analysis of the properties of the output sequence easier.

12 Linear feedback shift registers
Example: an LFSR of length 4. [Figure: initial state, feedback polynomial and linear recurrence.] Generated sequence: ……

13 Linear feedback shift registers
The characteristics of the output sequence of the LFSR depend on the characteristics of the feedback polynomial. The feedback polynomial can be: reducible, irreducible, or primitive.

14 Linear feedback shift registers
Example 1: Reducible feedback polynomial. State diagram (all 16 states of the 4-stage register): 0001 1000 0100 1010 0101 0010 0011 1001 1100 1110 1111 0111 0110 1011 1101 0000

15 Linear feedback shift registers
LFSRs with a reducible feedback polynomial: the length of the output sequence depends on the initial state. Not adequate for use in cryptography.

16 Linear feedback shift registers
Example 2: Irreducible feedback polynomial. State diagram (all 16 states): 0000 1111 0111 1011 1101 1110 0001 1000 1100 0110 0011 0010 1001 0100 1010 0101

17 Linear feedback shift registers
LFSRs with an irreducible feedback polynomial: the length of the output sequence does not depend on the initial state (except the all-zero state). The period T is a factor of , where L is the length of the LFSR. Not adequate for use in cryptography.

18 Linear feedback shift registers
Example 3: Primitive feedback polynomial. State diagram: 1000 1100 1110 1111 0111 1011 0101 1010 1101 0110 0011 1001 0100 0010 0001 (one cycle through all 15 non-zero states), and 0000 (a cycle by itself). The output is a PN-sequence (m-sequence): the maximum possible period for this type of generator, …..

19 Linear feedback shift registers
LFSRs with a primitive feedback polynomial: the length of the sequence does not depend on the initial state (except the all-zero state). The period is . Adequate for use in cryptography, because the output sequence satisfies all the Golomb postulates.
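As an added example (not from the original slides), the following Python simulates a binary LFSR given as the coefficient tuple of its feedback polynomial, produces its output sequence, XORs it with a message as in the transmitter/receiver figure, and enumerates the cycle structure of the state diagram, which is what distinguishes the three kinds of feedback polynomial above. The three 4-stage polynomials in the usage section, x^4 + 1 (reducible), x^4 + x^3 + x^2 + x + 1 (irreducible, not primitive) and x^4 + x + 1 (primitive), are my own choices and not necessarily the polynomials behind Examples 1 to 3; the bit encoding of the polynomial and the state ordering are assumptions of this example.

```python
from itertools import product
from typing import List, Sequence, Tuple

State = Tuple[int, ...]

# Feedback polynomial f(x) = x^n + c_{n-1} x^{n-1} + ... + c_1 x + c_0 over GF(2)
# is given as the tuple (c_0, c_1, ..., c_{n-1}); n is the register length.
# It defines the linear recurrence s_{t+n} = c_{n-1} s_{t+n-1} + ... + c_0 s_t (mod 2).


def lfsr_step(state: State, coeffs: Sequence[int]) -> State:
    """One clock pulse: compute the linear feedback, shift every stage one position."""
    assert len(state) == len(coeffs)
    new_bit = 0
    for s_i, c_i in zip(state, coeffs):   # state[i] holds s_{t+i}
        new_bit ^= s_i & c_i
    return state[1:] + (new_bit,)


def keystream(init: State, coeffs: Sequence[int], length: int) -> List[int]:
    """Output sequence z_t: the first stage of each successive state."""
    out, state = [], init
    for _ in range(length):
        out.append(state[0])
        state = lfsr_step(state, coeffs)
    return out


def xor_with_keystream(symbols: Sequence[int], init: State, coeffs: Sequence[int]) -> List[int]:
    """x_i XOR z_i = y_i on the transmitter side; applied again to y_i it gives back x_i."""
    return [x ^ z for x, z in zip(symbols, keystream(init, coeffs, len(symbols)))]


def period(init: State, coeffs: Sequence[int]) -> int:
    """Clock pulses until the register returns to init (the length of init's cycle)."""
    state, t = lfsr_step(init, coeffs), 1
    while state != init:
        state = lfsr_step(state, coeffs)
        t += 1
    return t


def cycle_structure(coeffs: Sequence[int]) -> List[int]:
    """Sorted lengths of all cycles of the state diagram, covering all 2^n states.

    A primitive polynomial gives [1, 2^n - 1]; an irreducible non-primitive one
    gives non-zero cycles of one common length T; a reducible one gives mixed lengths.
    """
    n = len(coeffs)
    seen, lengths = set(), []
    for start in product((0, 1), repeat=n):
        if start in seen:
            continue
        state, length = start, 0
        while True:                       # walk the cycle that contains `start`
            seen.add(state)
            length += 1
            state = lfsr_step(state, coeffs)
            if state == start:
                break
        lengths.append(length)
    return sorted(lengths)


if __name__ == "__main__":
    # Constructed 4-stage examples (my choices, not the slides' polynomials).
    for name, coeffs in [("x^4+1 (reducible)", (1, 0, 0, 0)),
                         ("x^4+x^3+x^2+x+1 (irreducible)", (1, 1, 1, 1)),
                         ("x^4+x+1 (primitive)", (1, 1, 0, 0))]:
        print(name, "cycle lengths:", cycle_structure(coeffs))
    init = (0, 0, 0, 1)
    print("m-sequence of period", period(init, (1, 1, 0, 0)), ":", keystream(init, (1, 1, 0, 0), 15))
    x = [1, 0, 1, 1, 0, 0, 1, 0]                           # constructed plaintext bits
    y = xor_with_keystream(x, init, (1, 1, 0, 0))          # transmitter
    assert xor_with_keystream(y, init, (1, 1, 0, 0)) == x  # receiver recovers x
```

Running it prints cycle lengths [1, 1, 2, 4, 4, 4] for the reducible polynomial (the period depends on where you start), [1, 5, 5, 5] for the irreducible one (every non-zero state has period 5, a factor of 15) and [1, 15] for the primitive one (every non-zero state lies on the single maximum-length cycle).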

20 Linear feedback shift registers
Thus, to use LFSRs in pseudorandom sequence generators we need primitive polynomials. How do we get them? We need some basic concepts of abstract algebra: groups, rings, Galois fields.

21 Groups
A group is an algebraic structure consisting of a non-empty set G and a binary operation * such that the following group axioms are satisfied: closure; associativity; existence of the identity (neutral) element; existence of the inverse element for each element of G.

22 Groups
Closure; associativity; existence of the neutral element; existence of the inverse elements.

23 Groups
Multiplicative group: the operation * is multiplication, i.e. “·”. The identity element is 1. The inverse element is x^−1.
Additive group: the operation * is the sum, i.e. “+”. The identity element is 0. The inverse element is −x.

24 Groups
Examples of additive groups: Z, Q, R, C, and the integers modulo n, where the operation is the sum modulo n.
Examples of multiplicative groups: , , where the operation is the multiplication modulo n.

25 Groups
If in the group G the operation * fulfils the commutative property, then G is a commutative or Abelian group. If G is a finite group, the number of elements in G is called the order of G and is denoted #G.

26 Groups
An element g ∈ G is a generator of G if every element of G can be written as a power of g. G is then a cyclic group. The cyclic group:

27 Groups Example: show that 5 is a generator of Z12

28 Groups
A nonempty subset H of G is called a subgroup of G if it is closed under the operation * and under inversion. Lagrange's theorem: if G is a finite group and H is a subgroup of G, then #H divides #G.

29 Groups
Examples: a group of order 8 can have subgroups of order 2 and 4, but not of order 3 or 6. A finite group whose order is a prime number has no subgroups other than the trivial group and itself.

30 Groups
The order of an element g ∈ G of a finite group is the least positive integer k such that g^k = e. If k is the order of g ∈ G, then {e, g, g^2, …, g^(k−1)} is a subgroup of G. Corollary of Lagrange's theorem: in a finite group, the order of each element divides the order of the group.

31 Groups Example: a subgroup of Z8:
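To make the definitions on the preceding slides concrete, here is an added Python example (my own, not from the slides) that computes element orders, the cyclic subgroup generated by an element, the generators of a finite group and a check of Lagrange's corollary, for the additive group of integers modulo n and for the multiplicative group of units modulo n. The function names and the representation of a group as (element list, operation, identity) are conventions of this example.

```python
from math import gcd
from typing import Callable, Hashable, List, Set

Op = Callable[[Hashable, Hashable], Hashable]


def element_order(g: Hashable, op: Op, identity: Hashable) -> int:
    """Least positive k with g^k = e, where g^k means g combined with itself k times."""
    k, x = 1, g
    while x != identity:
        x = op(x, g)
        k += 1
    return k


def cyclic_subgroup(g: Hashable, op: Op, identity: Hashable) -> Set[Hashable]:
    """{e, g, g^2, ..., g^(k-1)}: the subgroup generated by g."""
    h, x = {identity}, g
    while x != identity:
        h.add(x)
        x = op(x, g)
    return h


def generators(elements: List[Hashable], op: Op, identity: Hashable) -> Set[Hashable]:
    """Elements whose powers exhaust the group, i.e. whose order equals #G."""
    return {g for g in elements if element_order(g, op, identity) == len(elements)}


def lagrange_holds(elements: List[Hashable], op: Op, identity: Hashable) -> bool:
    """Corollary of Lagrange's theorem: every element order divides #G."""
    return all(len(elements) % element_order(g, op, identity) == 0 for g in elements)


def additive_mod(n: int):
    """(Z_n, +): elements 0..n-1, sum modulo n, identity 0."""
    return list(range(n)), (lambda a, b: (a + b) % n), 0


def multiplicative_mod(n: int):
    """Units modulo n under multiplication modulo n, identity 1 (for a prime p: Z_p without 0)."""
    return [a for a in range(1, n) if gcd(a, n) == 1], (lambda a, b: (a * b) % n), 1


if __name__ == "__main__":
    z12, plus12, zero = additive_mod(12)
    print("generators of (Z_12, +):", sorted(generators(z12, plus12, zero)))  # 5 is one of them
    print("order of 5 in (Z_12, +):", element_order(5, plus12, zero))
    z8, plus8, _ = additive_mod(8)
    print("subgroup of Z_8 generated by 2:", sorted(cyclic_subgroup(2, plus8, 0)))
    print("subgroup orders occurring in Z_8:",
          sorted({len(cyclic_subgroup(g, plus8, 0)) for g in z8}))      # 1, 2, 4, 8: never 3 or 6
    z7s, times7, one = multiplicative_mod(7)
    print("generators of (Z_7 without 0, *):", sorted(generators(z7s, times7, one)))
    print("Lagrange corollary holds:", lagrange_holds(z8, plus8, 0) and lagrange_holds(z7s, times7, one))
```

For (Z_12, +) the generators are exactly the residues coprime to 12, so 5 is one of them (its order is 12), which answers the exercise on slide 27; for Z_8 the only subgroup orders that occur are 1, 2, 4 and 8, as slide 29 states.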

32 Rings
A ring is an algebraic structure consisting of a non-empty set G and 2 binary operations, called addition, i.e. “+”, and multiplication, i.e. “·”, such that the following holds: (G, +) is an abelian group; the structure (G, ·) satisfies closure, associativity and the existence of the neutral element; multiplication distributes over addition.

33 Fields
A field is an algebraic structure consisting of a non-empty set G and 2 binary operations, called addition, i.e. “+”, and multiplication, i.e. “·”, such that the following holds: (G, +) is an abelian group, the additive group of the field; (G \ {0}, ·) is an abelian group, the multiplicative group of the field; multiplication distributes over addition.

34 Fields
Every field is a ring, but the converse is not true. The difference: in a field the structure (G \ {0}, ·) is a commutative group, while in a general ring this is not required.

35 Fields
Examples: the field of rational numbers Q. If p is a prime number, then Zp is a field: (Zp, +) is an additive commutative group and (Zp \ {0}, ·) is a multiplicative commutative group.

36 Finite fields
A finite field is a field with a finite number of elements, i.e. the set G is finite. Theorem (1): (i) The number of elements of a finite field F must be a power of a prime number, i.e. #F = p^m. p is the characteristic of the field. The field is denoted GF(p^m) (Galois field).

37 Finite fields
Theorem (2): (ii) There is only one finite field of p^m elements. If we fix an irreducible polynomial f(x) of degree m with coefficients in Zp, the elements of GF(p^m) are represented as polynomials with coefficients in Zp of degree < m, and the product of elements of GF(p^m) is realized as the product of polynomials modulo f(x).

38 Finite fields
The finite field GF(p^m) is called the extension field of the field GF(p). Theorem: the multiplicative group of GF(p^m) is cyclic, i.e. there is at least one generator α of all its elements. This generator α is called a primitive element of the field GF(p^m).

39 Finite fields
Example (1): p = 2, m = 3, f(x) = x^3 + x + 1, irreducible.
The elements of the field (1): 000 is 0; 001 is 1 in the polynomial notation. The subsequent elements are obtained by multiplying the immediate predecessor by x and reducing modulo f(x), i.e. α^1 = 010, or x; α^2 = 100, or x^2.

40 Finite fields
Example (2): The elements of the field (2): α^3 = 011, or x + 1; α^4 = 110, or x^2 + x; α^5 = 111, or x^2 + x + 1; α^6 = 101, or x^2 + 1.

41 Testing irreducibility
The fundamental theorem of arithmetic: every positive integer can be represented in a unique way as a product of prime factors. Analogue in a Galois field: every polynomial over a GF can be represented in a unique way as a product of irreducible factors. An irreducible polynomial has no non-trivial factors: it cannot be written as a product of two polynomials of lower degree.

42 Testing irreducibility
Theorem: if a polynomial f(x) of degree n over GF(q) has no common factors with , then it is irreducible. To determine whether a given polynomial has common factors with another polynomial we can use the Euclidean algorithm.

43 Testing irreducibility
Example – polynomials over GF(2). Find (x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x), the greatest common divisor:
x^5 + x^4 + x^2 + x = x · (x^4 + x^3 + x^2 + x) + (x^3 + x)
x^4 + x^3 + x^2 + x = (x + 1) · (x^3 + x) + 0
(x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x) = x^3 + x

44 Testing irreducibility
Example – Determine whether the polynomial over GF(2) is irreducible. Result: irreducible.

45 Testing irreducibility
Example – Determine whether the polynomial over GF(2) is irreducible. Result: not irreducible.

46 Primitive polynomials
The order of a polynomial P(x) with P(0) ≠ 0 is the smallest positive integer e for which P(x) divides x^e − 1. In a finite field GF(q), if the order of an irreducible polynomial P(x) of degree n is q^n − 1, the polynomial is called a primitive polynomial.

47 Primitive polynomials
Thus, to test whether a polynomial P(x) of degree n over GF(q) is primitive:
1. Test whether P(x) is irreducible.
2. If P(x) is irreducible, check whether it divides any of the polynomials x^k − 1, n ≤ k < q^n − 1.
3. If P(x) does NOT divide any of the polynomials above, then it is primitive.
Obviously, this procedure is not efficient.

48 Primitive polynomials
Example: the polynomial of degree 4 over GF(2) is irreducible and does not divide any of the polynomials . Because of that, it is primitive.

49 Primitive polynomials
Theorem (Alanen, Knuth, 1964; Herlestam, 1982): a polynomial f(x) over GF(q), q = p^m, deg f(x) = n, is primitive if and only if it satisfies the following: for all prime factors p' of q^n − 1, ≢ 1 (mod f(x))

50 Primitive polynomials
For q = 2, the polynomial f(x) must have odd weight (i.e. an odd number of terms). Problem: the factorization of q^n − 1 is needed. If q^n − 1 is a prime, condition 3 of the theorem is trivially satisfied. For q = 2, primes of the form 2^n − 1 are called Mersenne primes.

51 Primitive polynomials
The first 24 Mersenne primes are obtained for the following values of n: 2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689, 9941, 11213, … Thus, a polynomial over GF(2) of odd weight and of degree n such that 2^n − 1 is a Mersenne prime is primitive if , which is easy to check in practice.

52 Primitive polynomials
How many primitive polynomials with coefficients in GF(2) of degree n are there? Example:

53 Primitive polynomials
Not all primitive polynomials are suitable for use in LFSRs: primitive polynomials with too concentrated terms (i.e. with terms whose powers of x are of very similar magnitude); primitive polynomials of degree n such that 2^n − 1 has many small prime factors. There are attacks against schemes with LFSRs that use such feedback polynomials.

54 Primitive polynomials
Example 1: For n = 61, 2^61 − 1 = … is a Mersenne prime. Recommended for use in LFSRs. Example 2: For n = 63, 2^63 − 1 = 7^2 · 73 · 127 · 337 · 92737 · 649657 is not a Mersenne prime. It is not recommended for use in LFSRs.

55 Primitive polynomials
Thus, a good strategy is to use an LFSR with a primitive feedback polynomial of degree n such that 2^n − 1 is a Mersenne prime. But if 2^n − 1 has a small number of large prime factors, it can also be used in LFSRs. Example: n = 103, 2^103 − 1 = … = …

56 Primitive polynomials
The reciprocal polynomial f*(x) of the polynomial f(x) of degree n: . Theorem: if f(x) is primitive, f*(x) is also primitive.

57 Primitive polynomials
Example: this polynomial is primitive; this polynomial, its reciprocal, is also primitive.
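The following Python is an added example, not code from the slides, that carries slides 39 to 57 through in working code with polynomials over GF(2) stored as Python ints (bit i is the coefficient of x^i, so x^3 + x + 1 is 0b1011): the powers of x modulo x^3 + x + 1 reproduce the GF(2^3) table; the Euclidean algorithm reproduces the gcd example of slide 43; irreducibility is tested with Ben-Or's gcd test (gcd(f, x^(2^i) − x) = 1 for i up to n/2, which is my concrete choice for the "no common factors with …" theorem whose polynomial was lost in the transcript); the order of a polynomial is found both by the exhaustive search of slide 47 and by the Alanen-Knuth style conditions of slides 49 and 50, which need the prime factors of 2^n − 1; the reciprocal polynomial is taken to be f*(x) = x^n f(1/x) (the standard definition, assumed here since the slide's formula is missing); and the count of primitive polynomials of degree n is computed as φ(2^n − 1)/n, a known formula that I supply. The test polynomials x^4 + x + 1, x^4 + x^3 + x^2 + x + 1 and x^4 + 1 are my own choices.

```python
from typing import List

X = 0b10   # the polynomial x; polynomials over GF(2) are ints, bit i = coefficient of x^i


def deg(p: int) -> int:
    return p.bit_length() - 1


def poly_mod(a: int, m: int) -> int:
    """Remainder of a divided by m (long division; subtraction over GF(2) is XOR)."""
    dm = deg(m)
    while a and deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a


def poly_mul(a: int, b: int, m: int = 0) -> int:
    """Product of a and b, reduced modulo m when m is given."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return poly_mod(r, m) if m else r


def poly_gcd(a: int, b: int) -> int:
    """Euclidean algorithm, as in the slide 43 example."""
    while b:
        a, b = b, poly_mod(a, b)
    return a


def poly_powmod(base: int, e: int, m: int) -> int:
    """base^e mod m by square-and-multiply."""
    result, base = 1, poly_mod(base, m)
    while e:
        if e & 1:
            result = poly_mul(result, base, m)
        base = poly_mul(base, base, m)
        e >>= 1
    return result


def powers_of_x(f: int) -> List[int]:
    """x^0, x^1, ..., x^(2^m - 2) modulo f: all of GF(2^m) \\ {0} iff x is a primitive element."""
    elems, cur = [], 1
    for _ in range(2 ** deg(f) - 1):
        elems.append(cur)
        cur = poly_mul(cur, X, f)
    return elems


def is_irreducible(f: int) -> bool:
    """Ben-Or's test: f of degree n is irreducible iff gcd(f, x^(2^i) - x) = 1 for 1 <= i <= n/2."""
    n, h = deg(f), X
    for _ in range(n // 2):
        h = poly_mul(h, h, f)          # h = x^(2^i) mod f
        if poly_gcd(f, h ^ X) != 1:    # x^(2^i) - x shares a factor with f
            return False
    return n >= 1


def poly_order(f: int) -> int:
    """Smallest e with f | x^e - 1, i.e. x^e = 1 mod f, by exhaustive search (slide 47 procedure)."""
    assert f & 1, "f(0) must be non-zero"
    e, cur = 1, poly_mod(X, f)
    while cur != 1:
        cur = poly_mul(cur, X, f)
        e += 1
    return e


def prime_factors(n: int) -> List[int]:
    """Distinct prime factors of n by trial division (fine for the small n used here)."""
    fs, p = [], 2
    while p * p <= n:
        if n % p == 0:
            fs.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return fs + ([n] if n > 1 else [])


def is_primitive(f: int) -> bool:
    """Slide 49/50 conditions for q = 2: odd weight, irreducible, x^(2^n-1) = 1 mod f and
    x^((2^n-1)/p') != 1 mod f for every prime factor p' of 2^n - 1."""
    n = deg(f)
    big = 2 ** n - 1
    if bin(f).count("1") % 2 == 0 or not is_irreducible(f) or poly_powmod(X, big, f) != 1:
        return False
    return all(poly_powmod(X, big // p, f) != 1 for p in prime_factors(big))


def reciprocal(f: int) -> int:
    """f*(x) = x^n f(1/x): the coefficient string reversed (standard definition, assumed)."""
    return int(format(f, "b")[::-1], 2)


def count_primitive(n: int) -> int:
    """Number of primitive polynomials of degree n over GF(2): phi(2^n - 1) / n."""
    big = phi = 2 ** n - 1
    for p in prime_factors(big):
        phi = phi // p * (p - 1)
    return phi // n
```

With these, `powers_of_x(0b1011)` returns [1, 2, 4, 3, 6, 7, 5], i.e. 001, 010, 100, 011, 110, 111, 101, the GF(2^3) table of slides 39 and 40; `poly_gcd(0b110110, 0b11110)` returns 0b1010 = x^3 + x as on slide 43; `poly_order` returns 15, 5 and 4 for x^4 + x + 1, x^4 + x^3 + x^2 + x + 1 and x^4 + 1, so only the first is primitive, and `is_primitive` agrees without the exhaustive search; its reciprocal x^4 + x^3 + 1 is primitive too, and `count_primitive(4)` returns 2, so those two are all the primitive polynomials of degree 4. Note that `reciprocal` relies on f having a non-zero constant term, which every primitive polynomial has.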

58 Linear complexity
The linear complexity of a sequence: the length L of the smallest LFSR capable of generating the given sequence.
The Berlekamp-Massey algorithm (1969):
Input: the given binary sequence.
Output: C(D), the feedback polynomial, and L, the length of the equivalent LFSR; the initial state of the equivalent LFSR.

59 The Berlekamp-Massey algorithm
Input to one step: n digits of a sequence. The step determines the minimum LFSR capable of generating them. If digit n + 1 of the sequence can be generated by the current LFSR, the length of the current LFSR is preserved; otherwise, a longer LFSR is needed.

60 The Berlekamp-Massey algorithm
The Berlekamp-Massey algorithm is based on the following theorems. Theorem 1: if <C(D), L> generates the prefix s^n of the intercepted sequence but does not generate s^(n+1), then

61 The Berlekamp-Massey algorithm
Example: n = 6, L = 2. The LFSR generates the sequence ; can it generate ? 0 1 1 1 0 1 1 1 0. It generates s^6 but does not generate s^7: LC(s^7) ≥ 6 + 1 − 2. Discrepancy:

62 The Berlekamp-Massey algorithm
Theorem 2: if <C(D), L> generates s^n but does not generate s^(n+1) (discrepancy Δ_n ≠ 0), and <C*(D), L*> generates s^m but does not generate s^(m+1) (discrepancy Δ_m ≠ 0), where m < n, then … generates s^(n+1).

63 The Berlekamp-Massey algorithm
Theorem 3: if <C(D), L> with L = LC(s^n) generates s^n but does not generate s^(n+1), then

64 The Berlekamp-Massey algorithm
= n *= m j=n-m

65 The Berlekamp-Massey algorithm
Example: N = 7, GF(2), s_0, …, s_6 = 1, 1, 0, 1, 0, 0, 1. Solution: C(D) = 1 + D + D^3, L = 3.
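As an added example (my implementation, not code from the slides), the following Python runs the Berlekamp-Massey algorithm over GF(2) on the slide 65 sequence 1, 1, 0, 1, 0, 0, 1, checks that the returned <C(D), L> really generates the sequence, and records the linear complexity of every prefix so the length jumps of Theorem 3 (new length N + 1 − L at position N) are visible. C(D) is represented as the list of its coefficients, C[i] being the coefficient of D^i; that representation and the helper names are conventions of this example.

```python
from typing import List, Sequence, Tuple


def berlekamp_massey(s: Sequence[int]) -> Tuple[List[int], int]:
    """Shortest LFSR <C(D), L> generating the binary sequence s.

    C[i] is the coefficient of D^i in C(D) = 1 + c_1 D + ... + c_L D^L, meaning the
    recurrence s_j = c_1 s_{j-1} + ... + c_L s_{j-L} (mod 2) for all j >= L.
    """
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m = 0, 1                           # current length; D-shift applied to B in the update
    for N in range(n):
        # discrepancy: does <C(D), L>, which generates s^N, also produce s[N]?
        d = s[N]
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for i in range(n + 1 - m):        # C(D) <- C(D) + D^m B(D)   (Theorem 2)
            C[i + m] ^= B[i]
        if 2 * L <= N:                    # Theorem 3: the length has to grow to N + 1 - L
            L, B, m = N + 1 - L, T, 1
        else:
            m += 1
    return C[:L + 1], L


def generates(C: Sequence[int], L: int, s: Sequence[int]) -> bool:
    """Does <C(D), L> generate s? Every s_j (j >= L) must equal the feedback of the L digits before it."""
    for j in range(L, len(s)):
        fb = 0
        for i in range(1, L + 1):
            fb ^= C[i] & s[j - i]
        if fb != s[j]:
            return False
    return True


def linear_complexity_profile(s: Sequence[int]) -> List[int]:
    """LC(s^1), LC(s^2), ...: each jump marks a digit the previous shortest LFSR could not produce."""
    return [berlekamp_massey(s[:k])[1] for k in range(1, len(s) + 1)]


def poly_str(C: Sequence[int]) -> str:
    """Render the coefficient list as 1 + ... + D^i."""
    return " + ".join(["1"] + [("D" if i == 1 else f"D^{i}") for i in range(1, len(C)) if C[i]])


if __name__ == "__main__":
    s = [1, 1, 0, 1, 0, 0, 1]                     # the slide 65 sequence
    C, L = berlekamp_massey(s)
    print("C(D) =", poly_str(C), " L =", L)        # 1 + D + D^3, L = 3
    print("generates s:", generates(C, L, s))
    print("linear complexity profile:", linear_complexity_profile(s))
    # A constructed check: 8 digits of the m-sequence of x^4 + x + 1 (initial state 0001)
    # are enough for the algorithm to recover a length-4 LFSR.
    print(berlekamp_massey([0, 0, 0, 1, 0, 0, 1, 1]))
```

For the slide's sequence the profile is [1, 1, 2, 2, 3, 3, 3]: the length grows at positions N = 0, 2 and 4, each time to N + 1 − L, and the result C(D) = 1 + D + D^3, L = 3 matches the slide's solution. On the m-sequence of x^4 + x + 1 the algorithm returns C(D) = 1 + D^3 + D^4, L = 4, i.e. the reciprocal of the feedback polynomial, which is why 2L consecutive digits of a plain LFSR keystream suffice to reconstruct the register.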

