CRYPTANALYSIS OF STREAM CIPHER Bimal K Roy Cryptology Research Group Indian Statistical Institute Kolkata.


1 CRYPTANALYSIS OF STREAM CIPHER Bimal K Roy Cryptology Research Group Indian Statistical Institute Kolkata

2 Preliminaries
Cryptosystem: A mechanism for providing a secure means of information exchange.
Cryptographer: A person who designs a cryptosystem.
Cryptanalyst: One who tries to attack the cryptosystem.
Message/Plaintext; Ciphertext/Cipher; Key.
Encryption: Process of transforming the message into cipher.
Decryption: Recovering the actual message from the cipher.
A cryptosystem is specified by the encryption and decryption procedure.

3 Classical Cryptography
Caesar Cipher: Plaintext (P) and Cipher (C) are the English alphabet and Key (K) denotes the number of shifts.
Substitution Cipher: Here P and C are the same and K is a permutation of the 26 symbols.
Cryptanalysis: ciphertext only; known plaintext; chosen plaintext.
Caesar Cipher: Too small a key space.
Substitution Cipher: Frequency attack.

4 Stream Cipher
Plaintext (P): binary bit string
Key-string (K): pseudo-random binary string
Ciphertext (C): bitwise XOR (addition modulo 2) of P and K
e.g.:
P: 011 001 001 000 100 010
K: 001 010 001 101 110 101
C: 010 011 000 101 010 111
Here Pr[P=0] = 2/3; Pr[P=1] = 1/3
Pr[P=0|C=0] = Pr[P=0|C=1] = 2/3
Pr[P=1|C=0] = Pr[P=1|C=1] = 1/3
This gives Pr[P] = Pr[P|C]

5 Shannon’s notion of Perfect Secrecy
A cryptosystem has perfect secrecy if the above condition, Pr[P] = Pr[P|C], is satisfied: the posterior probability of the plaintext given the ciphertext is equal to the a-priori probability of the plaintext.
e.g.: one-time pad requires an infinite sequence of random bits!
Reality: pseudo-random number generator; Linear Feedback Shift Register (LFSR)

6 LFSR
Connection polynomial: $c(x) = 1 + x^2 + x^3$
If $c(x)$ is primitive then each non-zero initial state produces an output sequence of maximum period.
Note: Each output bit is a linear function of the initial seed:
$s_4 = s_3 + s_1$, $s_5 = s_4 + s_2$, $s_6 = s_5 + s_3$, ...

7 One LFSR Generator
Drawback: known-plaintext attack by solving a set of linear equations.
General Model
Key: generally the seeds (sometimes includes c(x) and f).
[Figure: general model; LFSR1, LFSR2, ..., LFSRn feed f, which outputs K; P and K give C]

8 Attacks on this Model
Siegenthaler attack
$C = Y + P$
$Y = X_1$ if $X_3 = 0$; $Y = X_2$ if $X_3 = 1$
For the popularly used Murray code, Prob[$P = 0$] = 0.58.
Prob[$Y = X_1$] = Prob[$Y = X_2$] = 3/4 and Prob[$Y = X_3$] = 1/2
Prob[$C = X_1$] = Prob[$Y = X_1$]·Prob[$P = 0$] + Prob[$Y \ne X_1$]·Prob[$P = 1$] = 0.54
[Figure: LFSR1, LFSR2 and LFSR3 output $X_1$, $X_2$, $X_3$, which give Y; Y and P give C]

9 Attacks (contd.)
Prob[$C = X_1$] = Prob[$C = X_2$] = 0.54
Prob[$C = X_3$] = 0.50
Attack on the basis of $|\{ i : X_i = C_i \}|$
Fast Correlation Attack: using coding theory
Let $c(x) = 1 + x^2 + x^3$

initial state   LFSR output
001             0011101
010             0100111
011             0111010
100             1001110
101             1010011
110             1101001
111             1110100

10 Attacks (contd.)
Observation: The set of output sequences of a length-k maximum-length LFSR is a $(2^k - 1, k, 2^{k-1})$ linear code.
In the example above this forms a (7,3,4) linear code.
The minimum distance is quite high!
This code can correctly decode if there has been error in about 25% of the bits.

11 Fast Correlation Attack (contd.)
Decoding: Apply Majority Logic Principle
[Figure: cryptanalysis view; LFSR1, LFSR2, LFSR3, f, K, P, C drawn as a channel producing a corrupted codeword]

12 MAJORITY LOGIC DECODING
In our 3-stage LFSR with $c(x) = 1 + x^2 + x^3$:
$s_i + s_{i+2} + s_{i+3} = 0$ for $i = 1, 2, 3, \ldots$
$c(x)$ is the parity-check polynomial of the code.
Every multiple of $c(x)$ specifies another parity check.
The parity check equations over one period give:
$s_1 + s_3 + s_4 = 0$ (*)
$s_2 + s_4 + s_5 = 0$
$s_3 + s_5 + s_6 = 0$
$s_4 + s_6 + s_7 = 0$
$s_5 + s_7 + s_1 = 0$ (**)
$s_6 + s_1 + s_2 = 0$ (***)
$s_7 + s_2 + s_3 = 0$
Along with $s_1 = s_1$ we get four independent decisions when errors are present.

13 MAJORITY LOGIC DECODING (contd.)
codeword:           0 0 1 1 1 0 1
corrupted codeword: 1 0 1 1 1 0 1
Form the 4 linear equations as follows:
$s_1 = s_1$ (= 1)
$s_1 = s_3 + s_4$ (= 0)
$s_1 = s_5 + s_7$ (= 0)
$s_1 = s_2 + s_6$ (= 0)
Now take a majority vote. This is a bit by bit decoding.
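
The bit-by-bit majority vote of slides 12 and 13, as an added example that is not part of the original presentation. It extends the slide's decoding of s_1 to all seven bits by cyclically shifting the three parity checks that contain s_1; the function names are illustrative, and keeping the received bit on a 2-2 tie is an assumption, since the slides only work the single-error case.

```python
# Added example (not from the slides): majority-logic decoding of the
# (7,3,4) code generated by the LFSR with c(x) = 1 + x^2 + x^3.

N = 7  # period 2^3 - 1

def lfsr_output(seed, n=N):
    """Output s_1..s_n for initial state seed = [s_1, s_2, s_3],
    using the slides' recurrence s_{i+3} = s_{i+2} + s_i (mod 2)."""
    s = list(seed)
    while len(s) < n:
        s.append(s[-1] ^ s[-3])
    return s[:n]

# Offsets (relative to bit i, taken mod 7) of the four estimates of s_i:
# s_i itself, s_{i+2}+s_{i+3} (*), s_{i+4}+s_{i+6} (**), s_{i+1}+s_{i+5} (***).
# Together they touch every position exactly once, so a single error
# can spoil only one of the four votes.
CHECKS = [(0,), (2, 3), (4, 6), (1, 5)]

def estimates(r, i):
    """The four estimates of bit i (0-based) computed from received word r."""
    out = []
    for offsets in CHECKS:
        v = 0
        for o in offsets:
            v ^= r[(i + o) % N]
        out.append(v)
    return out

def majority_decode(r):
    """Bit-by-bit majority vote; a 2-2 tie keeps the received bit (assumption)."""
    decoded = []
    for i in range(N):
        ones = sum(estimates(r, i))
        decoded.append(1 if ones > 2 else 0 if ones < 2 else r[i])
    return decoded

def recover_seed(r):
    """The LFSR initial state is the first three bits of the decoded codeword."""
    return majority_decode(r)[:3]

if __name__ == "__main__":
    codeword = lfsr_output([0, 0, 1])      # 0011101, as in the slide 9 table
    received = [1, 0, 1, 1, 1, 0, 1]       # corrupted codeword from slide 13
    print("votes for s_1:", estimates(received, 0))
    print("decoded:", majority_decode(received), "seed:", recover_seed(received))
    print("matches codeword:", majority_decode(received) == codeword)
```

For the cryptanalyst, the received word plays the role of the observed sequence and the decoded first three bits are the recovered LFSR seed.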

