Session 1 Stream ciphers 1.

Introduction. If the highest level of security is not required, a stream cipher can be used instead of the Vernam cipher. Stream cipher: a deterministic algorithm produces a pseudo-noise sequence (PN-sequence) that satisfies Golomb's three postulates. The key is short, much shorter than the plaintext, which makes the cipher practical.

Introduction (figure: stream cipher model). Transmitter: x_i ⊕ z_i = y_i; receiver: y_i ⊕ z_i = x_i. At both ends the same key drives a deterministic algorithm that produces the PN-sequence z_i; the ciphertext y_i is sent over the communication channel.

Linear feedback shift registers. LFSR theory is developed enough to enable thorough analysis of the properties of the output sequence of a PN sequence generator containing LFSRs. Because of that, the vast majority of PN generators are designed by combining LFSRs and non-linear Boolean functions.

Linear feedback shift registers. A linear feedback shift register (LFSR) consists of: n single-symbol memory cells (stages); a linear feedback function that expresses each new symbol of the output sequence as a linear function of the n previous symbols. The contents of the flip-flops are shifted one position at every clock pulse.

Linear feedback shift registers (figure: an LFSR with feedback function g; g is linear).

Linear feedback shift registers. The state of the register: the contents of the stages between two clock pulses. The initial state: the contents of the stages at the moment the process begins.

Linear feedback shift registers. The state diagram of an LFSR is never singular, because the linear feedback function satisfies the non-singularity condition:

Linear feedback shift registers. The maximum possible period of the output sequence is 2^n - 1. The all-zero initial state is not used, because in that case only the all-zero sequence would be produced. The key is the initial contents of the LFSR.

Linear feedback shift registers. The feedback function g of an LFSR is a linear recurrence; the output sequences are linear recurring sequences of order n.

Linear feedback shift registers. A characteristic (feedback) polynomial can be associated with every linear recurrence; this makes the analysis of the properties of the output sequence easier.

Linear feedback shift registers. Example: an LFSR of length 4 (figure: initial state, feedback polynomial and linear recurrence). Generated sequence: 1 1 1 0 1 0 1 …

Linear feedback shift registers. The characteristics of the output sequence of the LFSR depend on the characteristics of the feedback polynomial. The feedback polynomial can be: reducible, irreducible, or primitive.

Linear feedback shift registers. Example 1: reducible feedback polynomial. The states of the state diagram, grouped into its cycles: 0001 → 1000 → 0100 → 1010 → 0101 → 0010 → (back to 0001); 0011 → 1001 → 1100 → 1110 → 1111 → 0111 → (back to 0011); 0110 → 1011 → 1101 → (back to 0110); 0000 → 0000. Cycles of length 6, 6, 3 and 1.

Linear feedback shift registers. LFSRs with a reducible feedback polynomial: the length (period) of the output sequence depends on the initial state. Not adequate for use in cryptography.

Linear feedback shift registers. Example 2: irreducible feedback polynomial. The states of the state diagram, grouped into its cycles: 0000 → 0000; 1111 → 0111 → 1011 → 1101 → 1110 → (back to 1111); 0001 → 1000 → 1100 → 0110 → 0011 → (back to 0001); 0010 → 1001 → 0100 → 1010 → 0101 → (back to 0010). Cycles of length 1, 5, 5 and 5.

Linear feedback shift registers. LFSRs with an irreducible feedback polynomial: the length of the output sequence does not depend on the initial state (except the all-zero state); the period T is a factor of , where L is the length of the LFSR. Not adequate for use in cryptography.

Linear feedback shift registers. Example 3: primitive feedback polynomial. All 15 non-zero states form a single cycle: 1000 → 1100 → 1110 → 1111 → 0111 → 1011 → 0101 → 1010 → 1101 → 0110 → 0011 → 1001 → 0100 → 0010 → 0001 → (back to 1000); 0000 → 0000. The output is a PN-sequence (m-sequence), 111010110010001 …, with the maximum possible period for this type of generator.

Linear feedback shift registers. LFSRs with a primitive feedback polynomial: the length of the sequence does not depend on the initial state (except the all-zero state); the period is . Adequate for use in cryptography, because the output sequence satisfies all of Golomb's postulates.
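The three state diagrams above can be reproduced in code. The following is an added example, not part of the lecture: it enumerates the cycles of a 4-stage binary LFSR with the new bit entering at the left and the rightmost stage as output. The feedback polynomials of Examples 1 to 3 are not legible in the transcript, so the taps used here are assumptions: x^4 + x^2 + 1 (reducible), x^4 + x^3 + x^2 + x + 1 (irreducible but not primitive) and x^4 + x^3 + 1 (primitive).

```python
# Added example: state cycles of a 4-stage Fibonacci LFSR over GF(2).
# State is an n-bit int: bit n-1 is the leftmost stage, bit 0 the rightmost.
# Each clock pulse shifts right; the new leftmost bit is the XOR of the
# tapped stages. The taps are assumptions (the slides' polynomials are
# not legible in the transcript):
#   taps (0, 2)       -> x^4 + x^2 + 1 = (x^2 + x + 1)^2, reducible
#   taps (0, 1, 2, 3) -> x^4 + x^3 + x^2 + x + 1, irreducible of order 5
#   taps (0, 3)       -> x^4 + x^3 + 1, primitive
N = 4
EXAMPLES = {
    "reducible": (0, 2),
    "irreducible": (0, 1, 2, 3),
    "primitive": (0, 3),
}

def lfsr_step(state, taps, n=N):
    """One clock pulse: returns (next_state, output_bit)."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return (state >> 1) | (fb << (n - 1)), state & 1

def state_cycles(taps, n=N):
    """Partition all 2^n states into the cycles of the state diagram.

    With tap 0 present (as in all three examples) the feedback is
    non-singular: the step map is a permutation, so every walk that
    starts from an unseen state closes on itself."""
    seen, cycles = set(), []
    for start in range(1 << n):
        if start in seen:
            continue
        cyc, s = [], start
        while s not in seen:
            seen.add(s)
            cyc.append(format(s, f"0{n}b"))
            s, _ = lfsr_step(s, taps, n)
        cycles.append(cyc)
    return cycles

def cycle_lengths(taps, n=N):
    """Sorted cycle lengths; a primitive polynomial gives [1, 2^n - 1]."""
    return sorted(len(c) for c in state_cycles(taps, n))

def output_sequence(state, taps, length, n=N):
    """First `length` output bits (rightmost stage) from an initial state."""
    out = []
    for _ in range(length):
        state, bit = lfsr_step(state, taps, n)
        out.append(str(bit))
    return "".join(out)

if __name__ == "__main__":
    for name, taps in EXAMPLES.items():
        print(name, cycle_lengths(taps), state_cycles(taps))
    # the m-sequence of period 15 from the primitive register, start 0111
    print(output_sequence(0b0111, EXAMPLES["primitive"], 15))
```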

Linear feedback shift registers. Thus, to use LFSRs in pseudorandom sequence generators we need primitive polynomials. How do we get them? We need some basic concepts of abstract algebra: groups, rings, Galois fields.

Groups. A group is an algebraic structure consisting of a non-empty set G and a binary operation such that the following axioms of the group are satisfied: closure; associativity; existence of the identity (neutral) element; existence of the inverse element for each element of G.

Groups. Closure; associativity; existence of the neutral element; existence of the inverse elements.

Groups. Multiplicative group: the operation * is multiplication, i.e. “·”; the identity element is 1; the inverse element is x^-1. Additive group: the operation * is addition, i.e. “+”; the identity element is 0; the inverse element is -x.

Groups. Examples of additive groups: Z, Q, R, C, and , where the operation is the sum modulo n. Examples of multiplicative groups: , , where the operation is multiplication modulo n.

Groups. If the operation * of the group G is commutative, then G is a commutative or Abelian group. If G is a finite group, the number of elements in G is called the order of G and is denoted #G.

Groups. An element g ∈ G is a generator of G if every element of G can be written as a power of g; G is then a cyclic group. The cyclic group:

Groups. Example: show that 5 is a generator of Z12.

Groups. A nonempty subset H of G is called a subgroup of G if it is closed under the operation * and under inversion. Lagrange's theorem: if G is a finite group and H is a subgroup of G, then #H divides #G.

Groups. Examples: a group of order 8 can have subgroups of order 2 and 4, but not of order 3 or 6. A finite group whose order is a prime number has no nontrivial proper subgroups.

Groups. The order of an element g ∈ G of a finite group is the least positive integer k such that g^k = e. If k is the order of g ∈ G, then {e, g, g^2, …, g^(k-1)} is a subgroup of G. Corollary of Lagrange's theorem: in a finite group, the order of each element divides the order of the group.

Groups. Example: a subgroup of Z8:

Rings. A ring is an algebraic structure consisting of a non-empty set G and two binary operations, called addition (“+”) and multiplication (“·”), such that: (G,+) is an abelian group; the structure (G,·) satisfies closure, associativity and the existence of the neutral element; multiplication distributes over addition.

Fields. A field is an algebraic structure consisting of a non-empty set G and two binary operations, called addition (“+”) and multiplication (“·”), such that: (G,+) is an abelian group, the additive group of the field; (G \ {0},·) is an abelian group, the multiplicative group of the field; multiplication distributes over addition.

Fields. Every field is a ring, but the converse is not true. The difference: the structure (G \ {0},·) of a field is a commutative group, which is not required in a general ring.

Fields. Examples: the field of rational numbers Q. If p is a prime number, then Zp is a field: Zp is an additive commutative group and (Zp \ {0},·) is a multiplicative commutative group.

Finite fields. A finite field is a field with a finite number of elements, i.e. the set G is finite. Theorem (1) (i): the number of elements of a finite field F must be a power of a prime number, i.e. #F = p^m; p is the characteristic of the field. The field is denoted GF(p^m) (Galois field).

Finite fields. Theorem (2) (ii): there is only one finite field of p^m elements. If we fix an irreducible polynomial f(x) of degree m with coefficients in Zp, the elements of GF(p^m) are represented as polynomials with coefficients in Zp of degree < m, and the product of elements of GF(p^m) is realized as the product of polynomials modulo f(x).

Finite fields. The finite field GF(p^m) is called the extension field of the field GF(p). Theorem: the multiplicative group of GF(p^m) is cyclic, i.e. there is at least one generator α of all its elements. This generator α is called a primitive element of the field GF(p^m).

Finite fields. Example (1): p = 2, m = 3, f(x) = x^3 + x + 1 (irreducible). The elements of the field (1): 000 = 0; 001 = 1 in polynomial notation. The subsequent elements are obtained by multiplying the immediate predecessor by x and reducing modulo f(x): α^1 = 010 = x; α^2 = 100 = x^2.

Finite fields. Example (2): the elements of the field (2): α^3 = 011 = x + 1; α^4 = 110 = x^2 + x; α^5 = 111 = x^2 + x + 1; α^6 = 101 = x^2 + 1.

Testing irreducibility. The fundamental theorem of arithmetic: every positive integer can be represented in a unique way as a product of prime factors. Analogue over a GF: every polynomial over a GF can be represented in a unique way as a product of irreducible factors. An irreducible polynomial has no factors other than 1 and itself.

Testing irreducibility. Theorem: if a polynomial f(x) of degree n over GF(q) does not have common factors with , then it is irreducible. To determine whether a given polynomial has common factors with some other polynomial, we can use the Euclidean algorithm.

Testing irreducibility. Example, polynomials over GF(2): find the gcd (x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x). x^5 + x^4 + x^2 + x = x·(x^4 + x^3 + x^2 + x) + (x^3 + x); x^4 + x^3 + x^2 + x = (x + 1)·(x^3 + x) + 0; hence (x^5 + x^4 + x^2 + x, x^4 + x^3 + x^2 + x) = x^3 + x.

Testing irreducibility. Example: determine whether the polynomial over GF(2) is irreducible. Irreducible.

Testing irreducibility. Example: determine whether the polynomial over GF(2) is irreducible. Not irreducible.

Primitive polynomials. The order of a polynomial P(x) with P(0) ≠ 0 is the smallest positive integer e for which P(x) divides x^e - 1. In a finite field GF(q), if the order of an irreducible polynomial P(x) of degree n is q^n - 1, this polynomial is called a primitive polynomial.

Primitive polynomials. Thus, to test whether a polynomial P(x) over GF(q) with deg P(x) = n is primitive: test whether P(x) is irreducible; if P(x) is irreducible, check whether it divides the polynomials x^k - 1, n ≤ k < q^n - 1; if P(x) does NOT divide any of the polynomials above, then it is primitive. Obviously, this procedure is not efficient.

Primitive polynomials. Example: the polynomial of degree 4 over GF(2) is irreducible and does not divide any of the polynomials . Because of that, it is primitive.

Primitive polynomials. Theorem (Alanen, Knuth, 1964; Herlestam, 1982): a polynomial f(x) over GF(q), q = p^m, deg f(x) = n, is primitive if and only if it satisfies the following: for all prime factors p′ of , ≢ 1 (mod f(x)).

Primitive polynomials. For q = 2, the polynomial f(x) must have odd weight (i.e. an odd number of terms). Problem: the factorization of q^n - 1 is needed. If q^n - 1 is a prime, condition 3 of the theorem is trivially satisfied. For q = 2, primes of the form 2^n - 1 are called Mersenne primes.

Primitive polynomials. The first 24 Mersenne primes are obtained for the following values of n: 2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689, 9941, 11213, 19937. Thus, a polynomial over GF(2) of odd weight and of degree n such that 2^n - 1 is a Mersenne prime is primitive if , which is easy to check in practice.

Primitive polynomials. How many primitive polynomials with coefficients in GF(2) of degree n are there? Example:

Primitive polynomials. Not all primitive polynomials are suitable for use in LFSRs: primitive polynomials with too concentrated terms (i.e. with terms whose powers of x are of very similar magnitude); primitive polynomials of degree n such that 2^n - 1 contains many small prime factors. There are attacks against schemes with LFSRs using such feedback polynomials.

Primitive polynomials. Example 1: for n = 61, 2^61 - 1 = 2305843009213693951 is a Mersenne prime. Recommended for use in LFSRs. Example 2: for n = 63, 2^63 - 1 = 7^2 · 73 · 127 · 337 · 92737 · 649657 is not a Mersenne prime. It is not recommended for use in LFSRs.

Primitive polynomials. Thus, a good strategy is to use an LFSR with a primitive feedback polynomial of degree n such that 2^n - 1 is a Mersenne prime. But if 2^n - 1 has a small number of large prime factors, it can also be used in LFSRs. Example: n = 103, 2^103 - 1 = 2550183799 · 3976656429941438590393.

Primitive polynomials. The reciprocal polynomial f*(x) of the polynomial f(x) of degree n. Theorem: if f(x) is primitive, f*(x) is also primitive.

Primitive polynomials. Example: this polynomial is primitive; this polynomial is also primitive.

Linear complexity: the length L of the smallest LFSR capable of generating the given sequence. The Berlekamp-Massey algorithm (1969). Input: the given binary sequence. Output: C(D), the feedback polynomial, and L, the length of the equivalent LFSR; the initial state of the equivalent LFSR.

The Berlekamp-Massey algorithm. Input to one step: n digits of a sequence. It determines the minimum LFSR capable of generating them. If digit n + 1 of the sequence can be generated by the current LFSR, the length of the current LFSR is preserved; otherwise, a longer LFSR is needed.

The Berlekamp-Massey algorithm. The Berlekamp-Massey algorithm is based on the following theorems. Theorem 1: if <C(D), L> generates the prefix s^n of the intercepted sequence but does not generate s^(n+1), then LC(s^(n+1)) ≥ n + 1 - L.

The Berlekamp-Massey algorithm. Example: n = 6, L = 2, the LFSR generates the sequence 110110. Can it generate 1101100? (figure: the register of length 2 generates 110110 but does not generate 1101100). LC(1101100) ≥ 6 + 1 - 2 = 5. There is a discrepancy.

The Berlekamp-Massey algorithm. Theorem 2: if <C(D), L> generates s^n but does not generate s^(n+1) (discrepancy at step n ≠ 0) and <C*(D), L*> generates s^m but does not generate s^(m+1) (discrepancy at step m ≠ 0), where 0 ≤ m < n, then the polynomial obtained by combining C(D) and C*(D) generates s^(n+1).

The Berlekamp-Massey algorithm. Theorem 3: if <C(D), L> with L = LC(s^n) generates s^n but does not generate s^(n+1), then LC(s^(n+1)) = max(L, n + 1 - L).

The Berlekamp-Massey algorithm = n *= m j=n-m

The Berlekamp-Massey algorithm. Example: N = 7, GF(2), s0, …, s6 = 1, 1, 0, 1, 0, 0, 1. Solution: C(D) = 1 + D + D^3, L = 3 (the step-by-step table of the algorithm is omitted).
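The algorithm worked through above, as an added example (not the lecture's code) over GF(2). C(D) and the previous connection polynomial B(D) are held as ints with bit i the coefficient of D^i; the result for the sequence 1, 1, 0, 1, 0, 0, 1 is checked against the slide's solution C(D) = 1 + D + D^3, L = 3, and the equivalent LFSR is run to regenerate the input:

```python
# Added example: Berlekamp-Massey over GF(2). A connection polynomial C(D)
# is an int with bit i = coefficient of D^i (so 1 + D + D^3 is 0b1011).

def berlekamp_massey(bits):
    """Return (C, L): the shortest LFSR <C(D), L> generating the whole bit list."""
    C, B = 1, 1          # current connection polynomial and the previous one
    L, m = 0, 1          # current length, and steps since B was last replaced
    for n, s in enumerate(bits):
        # discrepancy: does <C(D), L> predict s_n from the L previous bits?
        d = s
        for i in range(1, L + 1):
            d ^= ((C >> i) & 1) & bits[n - i]
        if d == 0:
            m += 1
        elif 2 * L <= n:
            # Theorem 3: the register must grow to n + 1 - L; old C becomes B
            T = C
            C ^= B << m      # Theorem 2: C(D) + D^m B(D) removes the discrepancy
            L, B, m = n + 1 - L, T, 1
        else:
            C ^= B << m      # length is preserved, only the taps change
            m += 1
    return C, L

def linear_complexity(bits):
    """Length L of the smallest LFSR generating the sequence."""
    return berlekamp_massey(bits)[1]

def lfsr_regenerate(C, L, init, length):
    """Run <C(D), L> from its first L bits: s_n = sum_{i=1..L} c_i s_{n-i} mod 2."""
    seq = list(init[:L])
    while len(seq) < length:
        n = len(seq)
        seq.append(sum(((C >> i) & 1) & seq[n - i] for i in range(1, L + 1)) & 1)
    return seq

def poly_str(C):
    """Render C(D) as on the slide, e.g. 0b1011 -> '1+D+D^3'."""
    terms = ["1" if i == 0 else "D" if i == 1 else f"D^{i}"
             for i in range(C.bit_length()) if (C >> i) & 1]
    return "+".join(terms) if terms else "0"

if __name__ == "__main__":
    s = [1, 1, 0, 1, 0, 0, 1]        # the slide's sequence s0..s6
    C, L = berlekamp_massey(s)
    print(poly_str(C), L)            # 1+D+D^3 3
    print(lfsr_regenerate(C, L, s, len(s)) == s)
```

Running it on 110110 and then 1101100 reproduces the Theorem 1 example: the linear complexity jumps from 2 to 6 + 1 - 2 = 5 when the seventh digit is appended.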