Linearization of Stream Ciphers in Terms of Cellular Automata Amparo Fúster-Sabater Institute of Applied Physics (CSIC) Madrid (Spain)


Linearization of Stream Ciphers in Terms of Cellular Automata
Amparo Fúster-Sabater, Institute of Applied Physics (CSIC), Madrid (Spain)
A. Fúster-Sabater, Gjøvik University College, June 2006

Overview
- Introduction
- Basic structures: LFSR-based keystream generators; cellular automata (CA)
- Linear model of a class of keystream generators
- Contributions to cryptanalysis
- Conclusions

“Linearity is the curse of the cryptographer” - James L. Massey, Crypto’89

Stream Cipher Procedure
sender:
    001…10 010…11 110…01 …  (plain text)
XOR 011…01 000…10 010…11 …  (keystream seq.)
  = 010…11 010…01 100…10 …  (ciphered text)
receiver:
    010…11 010…01 100…10 …  (ciphered text)
XOR 011…01 000…10 010…11 …  (keystream seq.)
  = 001…10 010…11 010…11 …  (plain text)
Stream cipher: design of keystream sequence generators with pseudorandomness characteristics.

Linear Feedback Shift Register (LFSR)
LFSR parameters: length L; characteristic polynomial.
How they work: the binary content is shifted one position and the feedback bit enters at the free end.
Generated sequence: …… 0001

Linear Feedback Shift Registers
LFSRs generate PN-sequences with: long period; good statistics; low linear complexity.
Cryptographic applications (non-linear combinations of LFSRs):
- Non-linear filters
- Non-linear combining generators
- Clock-controlled generators

Cellular Automata (CA)
One-dimensional CA: a register of n cells, updated according to a function of k variables (the rule).
Cell x_i^{t+1} depends on k = 2r+1 neighbour cells:
x_i^{t+1} = Rule(x_{i-r}^t, …, x_i^t, …, x_{i+r}^t)
Linear CA: the rule is a linear function.

Classification of CA
- Uniform or regular CA: all the cells follow the same rule.
- Hybrid CA: different cells follow different rules (cell i has its own rule).
- Null boundary conditions: the cells adjacent to the extreme cells are assumed to have permanently null content.
- Periodic boundary conditions: the extreme cells are assumed to be adjacent to each other.

Linear Cellular Automata (k = 3)
Rule 90:  x_i^{t+1} = x_{i-1}^t ⊕ x_{i+1}^t;            01011010 (binary) = 90 (decimal)
Rule 150: x_i^{t+1} = x_{i-1}^t ⊕ x_i^t ⊕ x_{i+1}^t;    10010110 (binary) = 150 (decimal)

Cellular Automata (rules 90 & 150), L = 6 cells
The 2^L states are grouped in state cycles; for each cycle: number of different sequences, period T, linear complexity LC.

References
1. S. Wolfram, Cellular Automata as Models of Complexity, Nature, Vol. 311, pp. 419.
2. S. Wolfram, Random Sequence Generation by Cellular Automata, Adv. Appl. Math., Vol. 7, pp. 127–169.
3. S. Zhang et al., Quantitative Analysis for Cellular Automata and LFSR as BIST Generators, J. Electronic Testing, 7 (3).
4. M. Serra et al., Analysis of One-dimensional CA and their Aliasing Properties, IEEE Trans. Comp. Aided Design, 9 (2).
5. A.K. Das et al., Efficient Characterization of Cellular Automata, IEE Proc. Part E, 1.
6. S.J. Cho et al., Computing Phase Shifts of 90/150 CA Sequences, Proc. ACRI 2004, LNCS 3305, pp. 31–39.
7. A. Fúster et al., Concatenated Automata in Stream Ciphers. To appear in Proc. ACRI 2006, LNCS.

LFSRs vs CA
- Simple implementation
- Pattern generators for circuit testing
- Interchangeable structures
- Characteristic polynomial

More References
CA → characteristic polynomial: S. Zhang et al., Quantitative Analysis for Linear Hybrid Cellular Automata and LFSR as Built-In Self-Test Generators for Sequential Faults, J. of Electronic Testing: Theory and Applications, 7 (1995), 209–221.
Characteristic polynomial → CA: K. Cattell and J.C. Muzio, The Synthesis of One-Dimensional Linear Hybrid Cellular Automata, IEEE Trans. on Computer-Aided Design, 15 (1996).

A Class of LFSR-Based Generators: Clock-Controlled Shrinking Generators
- A wide class of binary sequence generators
- Made up of two LFSRs, R_1 and R_2: R_1 (selector register) is clocked normally; R_2 (generating register) is clocked irregularly
- According to a rule P, the bits of register R_1 control the clock of register R_2
- This construction allows users to generate a large family of different sequences using the same registers and initial states, changing only the rule P

The Shrinking Generator (Crypto’93)
- Very simple binary sequence generator
- Made up of two LFSRs, R_1 and R_2
- According to a rule P, register R_1 (selector register) decimates the sequence produced by register R_2
(Diagram: R_1 produces a_i and R_2 produces b_i; rule P combines them into the output c_j.)

The Shrinking Generator
{a_i}: binary sequence generated by R_1
{b_i}: binary sequence generated by R_2
{c_j}: output sequence of the SG, “the shrunken sequence”
Decimation rule P:
1. If a_i = 1, then c_j = b_i
2. If a_i = 0, then b_i is discarded

The Shrinking Generator: Example
LFSRs: 1. R_1: 2. R_2:
Decimation rule P:
{a_i} = …
{b_i} = …
{c_j} = …
The underlined bits 1 and 0 are discarded.

Cryptographic characteristics of the shrunken sequence
- Period:
- Linear complexity:
- Number of 1’s: quasi-balanced sequence

Clock-Controlled Shrinking Generators
Remark: double decimation.
A. Kanso, Clock-Controlled Shrinking Generators, Proc. ACISP’03, LNCS 2727, 2003.
(Diagram: R_1 produces a_i and R_2 produces b_i; the binary cell contents X_t first decimate {b_i} into {b_i’}, then rule P combines a_i and b_i’ into the output c_j.)

CCSG: An Example
For the same LFSRs as before and decimation rule X (if X_t = 1 for every t, the CCSG reduces to the shrinking generator):
{b_i} = …
{X} = …
{b_i’} = …
Decimation rule P:
{a_i} = …
{b_i’} = …
{c_j} = …
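The decimation rules P and X described on the two slides above, as an added Python example that is not the author's code: two small constructed LFSRs, the shrinking generator, and a CCSG whose rule X is modelled as the number of clock pulses R_2 receives before each output bit is taken (an assumption, since the slides do not state the rule in full).

```python
# Added example (not from the slides). Constructed parameters: R1 uses
# x^3 + x + 1 (L1 = 3) and R2 uses x^5 + x^2 + 1 (L2 = 5); both polynomials
# are primitive and gcd(L1, L2) = 1.

def lfsr(taps, state, n):
    """Fibonacci LFSR: s_{t+L} = XOR of s_{t+j} for j in taps.
    Returns the first n output bits, starting with state[0]."""
    state = list(state)
    out = []
    for _ in range(n):
        out.append(state[0])
        state = state[1:] + [sum(state[j] for j in taps) % 2]
    return out

def shrink(a, b):
    """Decimation rule P: keep b_i when a_i = 1, discard it when a_i = 0."""
    return [bi for ai, bi in zip(a, b) if ai == 1]

def clock_decimate(b, x):
    """Decimation rule X (assumption): X_t is the number of clock pulses R2
    receives before its t-th output b'_t is taken. X_t = 1 for all t
    returns {b_i} unchanged, i.e. the plain shrinking generator."""
    out, pos = [], -1
    for xt in x:
        pos += xt
        if pos >= len(b):
            break
        out.append(b[pos])
    return out

R1 = ([0, 1], [1, 0, 0])         # x^3 + x + 1, initial state (constructed)
R2 = ([0, 2], [1, 0, 0, 0, 0])   # x^5 + x^2 + 1, initial state (constructed)

def ccsg(x):
    """CCSG (double decimation): {b_i} is decimated by X, then shrunk by R1."""
    a = lfsr(*R1, len(x))
    b = lfsr(*R2, sum(x))
    return shrink(a, clock_decimate(b, x))

def sg(n):
    """Plain shrinking generator: CCSG with X_t = 1 for every t."""
    return ccsg([1] * n)

def period(seq):
    """Smallest p with seq[i] == seq[i+p] over the whole sample (0 if none)."""
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return 0

if __name__ == "__main__":
    print(sg(7), period(sg(1000)))   # period 124 = (2^5 - 1) * 2^(3-1)
```

With gcd(L_1, L_2) = 1 the shrunken sequence has period (2^{L_2} - 1)·2^{L_1-1}, which the sample above reaches as 31·4 = 124.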

CCSG in terms of CA
Given a Clock-Controlled Shrinking Generator characterized by its LFSRs, express it in terms of null hybrid linear cellular automata with rules 90 and 150.

Fact 1: The characteristic polynomial of the shrunken sequence is of the form:
where P(x) is an L_2-degree primitive polynomial and N satisfies

Fact 2: P(x) depends exclusively on:
1. The characteristic polynomial P_2(x) of the register R_2
2. The length L_1 of the register R_1
Hence different SGs (same P_2(x) and L_1) will have the same characteristic polynomial.

Algorithm of Linearization
Input: a shrinking generator (given L_1, L_2, P_2(x))
Output: two linear CA corresponding to the given SG

Step 1: Computation of P(x)
P(x) is obtained from L_1 and P_2(x): P(x) is the characteristic polynomial of the cyclotomic coset E, taken with respect to a primitive root in GF(2^{L_2}).

Step 2: Computation of the CA corresponding to P(x)
Apply the Cattell and Muzio synthesis algorithm to P(x) to determine the two linear hybrid CA of length L_2 whose characteristic polynomial is P(x).
Codify both CA as binary strings: rule 90 = 0, rule 150 = 1.

Step 3: Computation of the CA corresponding to the given SG
For each CA obtained in Step 2:
1. Complement its least significant bit (string S)
2. Compute its mirror image S* and concatenate both strings
Iterate 1. and 2. (L_1 - 1) times.

Algorithm (An Example)
Shrinking Generator: R_1 → (not needed); R_2 →
Step 1: P(x) is the characteristic polynomial of Coset 7.

Algorithm (An Example), Step 2
Determine the two linear CA corresponding to P(x) via the Cattell and Muzio algorithm.
Both CA are codified (0 = rule 90, 1 = rule 150).

Algorithm (An Example), Step 3
First automaton:
Second automaton:
(L_1 - 1 times)
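Steps 2 and 3 of the algorithm, as an added Python example that is not from the slides or the author's own code: the characteristic polynomial of a 90/150 CA from the tridiagonal recurrence, an exhaustive stand-in for the Cattell and Muzio synthesis (small lengths only), the Step 3 concatenation, and a null-boundary CA simulator to check the result. It assumes "least significant bit" means the rightmost rule bit and uses a constructed 3-cell case (P(x) = x^3 + x^2 + 1) in place of the slide's polynomial, which the transcript does not carry.

```python
# Added example (not from the slides). A CA is a string of '0' (rule 90) and
# '1' (rule 150) cells with null boundaries; a GF(2)[x] polynomial is an int
# whose bit i is the coefficient of x^i.

def gf2_mul(a, b):
    """Carry-less product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def char_poly(ca):
    """Characteristic polynomial of a null-boundary 90/150 CA via the
    recurrence D_k = (x + a_k) D_{k-1} + D_{k-2}, D_0 = 1, D_{-1} = 0,
    where a_k = 1 for rule 150 and 0 for rule 90."""
    prev, cur = 0, 1
    for bit in ca:
        x_plus_a = 0b10 | int(bit)                   # x + a_k
        prev, cur = cur, gf2_mul(x_plus_a, cur) ^ prev
    return cur

def synthesize_ca(poly, length):
    """Brute-force stand-in for Step 2 (Cattell-Muzio synthesis): every
    90/150 CA of this length whose characteristic polynomial equals poly.
    Only practical for small lengths; the real algorithm is polynomial time."""
    return [format(n, f"0{length}b") for n in range(1 << length)
            if char_poly(format(n, f"0{length}b")) == poly]

def concatenate_ca(ca, l1):
    """Step 3: complement the rightmost rule bit (assumed LSB), append the
    mirror image, and repeat L1-1 times; length becomes 2^(L1-1) * L2."""
    for _ in range(l1 - 1):
        ca = ca[:-1] + ("1" if ca[-1] == "0" else "0")
        ca = ca + ca[::-1]
    return ca

def ca_step(ca, state):
    """One synchronous update: rule 90 = left XOR right, rule 150 also XORs
    the cell itself; cells beyond both ends are permanently 0."""
    p = [0] + list(state) + [0]
    return [p[i] ^ p[i + 2] ^ (p[i + 1] if rule == "1" else 0)
            for i, rule in enumerate(ca)]

def ca_period(ca, state):
    """Number of steps until the CA returns to its initial state."""
    cur, steps = ca_step(ca, state), 1
    while cur != list(state):
        cur, steps = ca_step(ca, cur), steps + 1
    return steps

if __name__ == "__main__":
    cas = synthesize_ca(0b1101, 3)            # x^3 + x^2 + 1 -> ['001', '100']
    print(cas, ca_period(cas[0], [1, 0, 0]), concatenate_ca(cas[0], 3))
```

Because x^3 + x^2 + 1 is primitive, the 3-cell CA runs through all 7 non-zero states, and the two CA found are mirror images of each other, as Step 2 expects.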

Linearization Algorithm for CCSGs
CCSG given by: R_1 → (not needed); R_2 → ; X_t →
In Step 1, P(x) is the characteristic polynomial of Coset E. The other steps of the algorithm are as before.
CCSGs can be expressed in terms of linear CA too.

CA: Applications
{c_j} = { … }
From n intercepted bits of the first column: n-1 bits (2nd column), n-2 bits (3rd column), …, 1 bit (nth column).

Reconstruction of the shrunken sequence
From n intercepted bits of the shrunken sequence.
IDEA: use these bits to determine other portions of the shrunken sequence.

Symmetry for CA
(Table of the CA’s cell sequences, with entries labelled P1 … P16, showing how the same values recur symmetrically across the cells.)

Other sequences generated by the CA
- Different shrinking generators: the same R_2, different R_1 of length L_1
- LFSR-based generators with different rules of decimation
- Clock-controlled shrinking generators

Other Sequence Generators: The Alternating Generator
Introduced by C. G. Günther (Eurocrypt’87).
(Diagram: R_1 controls the clock; its output bit, 1 or 0, selects which of R_2 and R_3 is stepped.)
Addition of two different CA.

Other Sequence Generators: The Gollmann Generator
Introduced by D. Gollmann (IEE Proc. 1988).
(Diagram: a cascade R_1, R_2, R_3 in which each register’s clock is controlled by the output of the previous one.)
Addition of two (or more) CA.

Conclusions
- LFSR-based structures ↔ cellular automata
- Classes of CC generators are a subset of linear cellular automata
- Linear models describe the behaviour of the CC sequence generators

Conclusions
- A very simple algorithm converts different classes of CC generators into a linear CA-based model
- A wide class of non-linear binary generators can be expressed as linear models (by concatenation)
- A wide class of different binary generators is included in the same cellular automata
- The algorithm can be applied to CC generators in a range of cryptographic interest

For the Future
Apply the same technique of linearization to other nonlinear LFSR-based keystream generators.