Introduction to Practical

Cryptography
Lectures 3/4
Stream Ciphers

1
 Agenda

•Properties
•Building Blocks
•Competitions
•Examples

2
 Uses

• Encryption of streaming data

• Random bit generation

3
 Stream Ciphers

• Stream cipher outputs keystream, KS

• KS produced by a function, F, that is initialized with a key, k
• C = Ek(P) = P  KS
• P = C  KS
• k can be used only once
• C1 = Ek1(P1); C2 = Ek2(P2)
• C1  C2 = P1  KS1  P2  KS2 = P1  P2 if KS1 = KS2
• Will know when P1 and P2 have identical bits
• If know part of P1 (if packet headers, format information), then can
obtain part of P2
• Period – how long is KS before it starts repeating?
• repeating is equivalent to reusing a key

4
 Stream Ciphers

• Speed
• Initialization
• Keystream generation
• Resources – memory, power, cpu
• Hardware, software suitability

5
 Stream Ciphers

• Synchronous stream cipher

• Sender and receiver must be in-synch
• Lost bit garbles all subsequent bits unless synch up
• Flipped bit garbles only one bit
• Can precompute key stream
• Example: RC4, block cipher in OFB mode
• Self-synchronizing stream ciphers
• Use n previous ciphertext bits to compute keystream
• Lost bit: synch up after n bits
• Flipped bit :  next n bits garbled
• Can’t precompute keystream
• Example: Block cipher in ciphertext feedback (CFB) mode

6
 Stream Ciphers – General
Concept
State Updates
state (data)
• FSR based (SOBER, LILI)
key
• Array Permutations (RC4)
next state
function
output
function

ksi
pi (ci) ci (pi)
7
synchronous
 Stream Ciphers – General
Concept

state (data)
key • error propagation
next state • block cipher in CFB mode
function
output
function

subset
ksi of ci’s
pi (ci) ci
self synchronizing 8
 Keystream Properties
• Period
• Period of 232 repeats after ~ 8.5 minutes when encrypting
1MB/sec
• Random appearance:
• Runs of 1’s or 0’s: ½ with length 1, ¼ with length 2, 1/8 have
length 3 …
• Test – little or no compression
• Dissipates statistics of plaintext
• Complexity:
• Low ability to define a bit as a linear expression (or
algebraic expression) of bits < period bits away
• No discernable relation to key (seed/initial state) bits

9
 Agenda

•Properties
•Building Blocks
•Competitions
•Examples

10
 Stream Ciphers - Approaches

• Feedback Shift Register (FSR) based – useful in

hardware
• Block cipher – CTR, CFB, OFB modes
• Components similar to those found in block
ciphers

11
 Feedback Shift Register

bits, same concept with bytes, words

State: bi values
b0
bn-1 bn-2 …… b1 b0

……
new bn-1 Tap Sequence:
F(bn-1,…..b0) bits used in F

Linear F: bn-1 = ibi for i {0,1} Feedback with Carry Shift (FCSR)
i=0,n-1
F: s = (ibi + c) for i {0,1}
Nonlinear F
i=0,n-1

bn-1 = s mod 2 12
c = s/2 mod log2 (# tap bits)
 Feedback Shift Registers
• Period
• LFSR of n bits: Maximum 2n –1
• FCSR: depends on initial state
• Non-linear FSR: depends on function, initial state
• Inefficient in Software
• Small # of bits in tap sequence, easier to break.
• Large # of bits in tap sequence, slow.
• Security
• Berlekamp-Massey Algorithm: 2n output bits needed to
reproduce the LFSR in O(n2) time.
• Non-linear FSR: avoid linear approximations

13
 Variations Utilizing LFSR
Combination generator
• Output bit = nonlinear function on output of multiple LFSRs.
• May clock each LFSR differently
• Various combinations of AND,OR,Thresholds

LSFR1

LSFR2
nonlinear
. function keystream

.
.
LSFRn
14
 Variations Utilizing LFSR
• Clock controlled generator
• Move to next state only on some clock cycles.
• Move to next state on every cycle but only output bit
on some clock cycles.
• 2nd LFSR may control clock.
• Clock control that affects output is also called
stuttering

15
 Clock Control Examples
• Stop and Go:
• 2 LFSRs
• LFSR1’s output clocks LFSR2
• Alternating Stop and Go:
• 3 LFSRs
• output of LFSR1 indicates whether to clock LFSR2 or LFSR3
• output is  of LFSR’s 2 and 3
• Bilateral Stop and Go:
• 2 LFSRs
• output =  of both outputs
• clock LSRFs depending on their output values
• Self-Decimated Generators:
• control their own clock – some function of their state bits controls clock

16
 Clock Control Examples
• Shrinking Generator:
• 2 LFSRs
• always clock
• if LFSR1 outputs 1, use LFSR2’s output, else no output on that
cycle
• called “shrinking” because fewer output bits than clock ticks
• Self Shrinking Generator:
• similar to shrinking generator but use 2 different bits from 1
LSFR instead of 2 LFSRs
• Cascade:
• output of 1st level (may be single or combination of generators)
controls clock of next level
• usually not secure due to some relationship between 1st level
output and final output.

17
 Agenda
•Properties
•Building Blocks
•Competitions
•Examples

18
 NESSIE Stream Cipher
Submissions
• None recommended
• BMGL – too slow, small internal state –
time/memory tradeoff attack
• Leviathan - distinguishing attack
• LILI-128 – attack O(271)
• SNOW – distinguishing attack
• SOBER-t16 – distinguishing attack
• SOBER-t32 – distinguishing attack
• Both Sober algorithms thought to be subject to
side channel analysis

19
 ECRYPT’s eStream Contest
• Just ended (3rd round of evaluations finished, winners
selected)
• 4 for software, 4 for hardware
• In third round of evaluations
• 16 candidates
• 3+ years from time of call for proposals to final report
• originally November 2004 to January 2008
• Just ended

• ECRYPT: European Network of Excellence for Cryptology

20
 eStream Overview
• Categories
• key length of 128 bits and an IV length of 64 and/or 128 bits
• key length of 80 bits and an IV length of 32 and/or 64 bits
• Separate software and hardware categories within each
• Evaluation
• Security
• Free of licensing requirements …
• Performance, range of environments
• Committee is only collecting submissions. Evaluations are done by
the general cryptographic community.

21
 eStream Evaluation
• Security Criteria
• Any key-recovery attack should be at least as difficult as
exhaustive search.
• Distinguishing attacks
• Interest to the cryptographic community
• Relative importance of high complexity distinguishing attacks is an
issue for wider discussion
• Clarity of design 
• Implementation Criteria
• Software and hardware efficiency
• Execution code and memory sizes
• Performance
• Flexibility of use

22
 eSTREAM Phase 3 Candidates
Profile 1 (SW) Profile 2 (HW)
CryptMT (CryptMT Version 3) DECIM (DECIM v2 and DECIM-128)
Dragon Edon80
HC (HC-128 and HC-256) F-FCSR (F-FCSR-H v2 and F-FCSR-16)
LEX (LEX-128, LEX-192 and LEX-256) Grain (Grain v1 and Grain-128)
NLS (NLSv2, encryption-only) MICKEY (MICKEY 2.0 and MICKEY-12 2.0)
Rabbit Moustique
Salsa20 Pomaranch (Pomaranch Version 3)
SOSEMANUK Trivium

http://www.ecrypt.eu.org/stream/phase3list.html
key lengths: 128 bits for SW and 80 bits for HW
23
 eSTREAM Winners

Profile 1 (SW) Profile 2 (HW)

HC (HC-128 and HC-256) F-FCSR (F-FCSR-H v2 and F-FCSR-16)
Rabbit Grain (Grain v1 and Grain-128)
Salsa20 MICKEY (MICKEY 2.0 and MICKEY-12 2.0)
SOSEMANUK Trivium

http://www.ecrypt.eu.org/stream/
key lengths: 128 bits for SW and 80 bits for HW
24
 Agenda

•Properties
•Building Blocks
•Competitions
•Examples

25
 Stream Cipher Examples
•Lists
•http://en.wikipedia.org/wiki/Stream_cipher
•http://www.ecrypt.eu.org/stream/
• RC4
• A5/1
• A5/3
• LILI
• Sober
• Trivium
• Lex

26
 RC4
S-Box Creation Keystream Generator
i = 0; j = 0;
input key;
loop {
if (key < 256 bytes) {
i = (i+1) mod 256;
repeat key until 256 bytes; j = (j+S[i]) mod 256;
} Swap(S[i],S[j]);
for (i=0; i < 256; ++i) { t = (S[i] + S[j]) mod 256;
S[i] = i; // initialize S-Box ks_byte = S[t];
K[i] = ith key byte; }
}
j = 0; 2 S-Box entries form index into S-Box
for (i = 0; i <256; ++i) { Output S-Box entry (byte)
j = (j + S[i] + K[i]) mod 256;
swap(S[i],S[j]); S-Box: key dependent
} permutation of 0 to 255.
(lookup table)
27
 RC4 Cryptanalysis
• Initial keystream byte highly correlated with first few key
bytes
• Recommendations to discard first 256 or 512 output bytes
• Distinguish from random:  O(230.6) bytes needed
• Attempts to backtrack to initial state from keystream
Keystream Generator
i = 0; j = 0;
loop {
i = (i+1) mod 256;
j = (j+S[i]) mod 256;
Swap(S[i],S[j]);
t = (S[i] + S[j]) mod 256;
ks_byte = S[t];
}
28
 A5/1
• Used in Global System for Mobil Communications (GSM)
• Example of a cipher manufacturers tried to keep secret, it was
leaked and also reversed engineered within 5 years
• A5/2 – weaker cipher used in some countries due to export rules
• GSM phone conversations are sent as sequences of frames.
• One 228 bit frame is sent every 4.6 milliseconds: 114 bits for the
communication in each direction.
• A5/1 produces 228 bits to XOR with the frame
• Initialized using a 64-bit key combined with a publicly-known 22-bit
frame number.
• In some GSM implementations, 10 key bits are fixed at zero -
effective key length is 54 bits.
• A5/1 is based around a combination of three LFSRs with irregular
clocking.

29
 A5/1

Image from Wikipedia

30
 A5/1 LSRFs
• 19 bits
• x19 + x5 + x2 + x + 1
• clock bit 8
• tapped bits: 13, 16, 17, 18
• 22 bits
• x22 + x + 1
• clock bit 10
• tapped bits 20, 21
• 23 bits
• x23 + x15 + x2 + x + 1
• clock bit 10
• tapped bits 7, 20, 21, 22

• Least significant bit numbered 0

• Tapped bits of each LSRF are XORed to create value of next 0 bit.
• Output bits of the three LSRFs are XORed to form the keystream bit
31
 A5/1
• Each cycle, look at the three clock bits. The
majority value, cm, is determined.
• In each LSRF, if the clock bit matches cm, the
registers are clocked.
• In each cycle, 2 or 3 LSRFs will be clocked.

32
 A5/1 Initialization
• Registers set to all 0’s
• Incorporate the key and frame number:
• For 64 cycles, the key is mixed in by XORing the ith
key bit with the least significant bit of each register
• For 22 cycles, the 22 bit frame value is mixed in –
same as with key value
• Normal clocking used
• 100 cycles are run using the majority clocking,
the output is discarded
• End result is the initial state

33
 A5/1
• Three short LSFRs
• Not many tap bits to guess

34
 A5/3 Core
BLCNT is a 64 bit counter
CC || CB || CD || 00 || CA || CE •defined on next slide KM = 0x555….555 (128 bit key modifier)
CK = key bits

CK  KM KASUMI
•CBC XORed with counter and key
•A  counter  previous output
A

BLKCNT=0 BLKCNT=1 BLKCNT=2 BLKCNT=BLOCKS-1

CK KASUMI CK KASUMI CK KASUMI CK KASUMI

CO[0] … CO[63] CO[64] … CO[127] CO[128] … CO[191] CO[last bits]

35
 A5/3 GSM
0 KC cyclically •Kc = key
repeated to
0…0 || COUNT fill 128 bits

00000
00001111 0…0

CA CB CC CD CE CK

KGCORE

CO (228 bits)

BLOCK1 (114 bits) || BLOCK2 (114 bits)

•http://www.gsmworld.com/using/algorithms/docs/a5_3_and_gea3_specifications.pdf
36
 LILI
Family of keystream generators

Regularly clocked Irregular:

LFSRC LFSRD clocked c times

s1 s2 …sk s1 s2 …sn
bit for
keystream.
c FD b
clocking Fc
function integer
output non-linear
function

37
 SOBER - Original
LFSR
S17 = 141  S15  175  S0
LFSR: 17 bytes,  128 bit key

Si’s Clock Control

Nonlinear transformation Stutter Control

Vn = (S0 + S2 + S5 + S12) sc = next 2 bits of byte
 (S12  S13) need byte: clock, take Vn
Vn Clock Control (sc)
Vn
Output function (sc) 00: 1 clock
01: clock, output, clock
00: No output
10: 2 clocks
01: Vn  01101001 11: 1 clock
10: Vn
11: Vn  10010110
sc
output byte
38
Sober t{8,16,32}
8,16,32 = byte size of key

39
 Sober-t

LSFR for Sober-tw w = 8,16,32

Max period: 213w-1

40
 Non-linear Function
LFSR output input to non-linear function fw, output added to subset of LSFRs bits,
XORed with key-dependent value, this result then added to subset of LSRF bits

41
 Trivium
• Christophe De Canniere and Bart Preneel
• hardware oriented synchronous stream
cipher
• Trivium generates up to 264 bits of key
stream from an 80-bit secret key and an
80-bit initial value (IV).
• Internal state is 288 bits

42
 Trivium
• IV and key used to initialize the state
• Iterate state
– extract values of 15 specific state bits and use
them to update 3 bits of the state and to
compute 1 bit of the key stream zi.
– state bits then rotated and process repeats

43
 Trivium Key Stream Generation
for i = 1 to N do
t1  s66  s93
t2  s162  s177
t3  s243  s288
zi  t1  t2  t3
t1  t1  s91  s92  s171
t2  t2  s175  s176  s264
t3  t3  s286  s287  s69
(s1; s2; : : : ; s93)  (t3; s1; : : : ; s92)
(s94; s95; : : : ; s177)  (t1; s94; : : : ; s176)
(s178; s279; : : : ; s288) (t2; s178; : : : ; s287)
end for
44
 Trivium Initialization
• load 80-bit key and 80-bit IV into 288-bit
initial state
• set all remaining bits to 0, except for s286,
s287, and s288, which are set to 1
• state is rotated over 4 full cycles of the for
look, but no bits are output (for i = 1 to
4288)

45
 Trivium
• state bit is not used for at least 64
iterations after it has been modified
• up to 64 iterations can be computed at
once, provided that 3 AND gates and 11
XOR gates in the original scheme are
duplicated a corresponding number of
times

46
 Estimated Gate Counts
1-bit to 64-bit hardware implementations

Components 1-bit 8-bit 16-bit 32-bit 64-bit

Flip-ops 288 288 288 288 288

AND gates 3 24 48 96 192
XOR gates 11 88 176 352 704
NAND gate count 3488 3712 3968 4480 5504

47
 Software
• Stream generation: 12 cycles/byte
• Key setup: 55 cycles
• IV setup: 2050 cycles
• on Intel XeonTM CPU 1.5 GHz

48
 Trivium Security
• Linear correlations between key stream bits and internal state bits are
easy to find because zi is simply defined to be equal to s66s93 
s162  s177  s243  s288.
• But, as opposed to LFSR based ciphers, Trivium's state evolves in a
nonlinear way
– not clear how an attacker should combine these equations in order to
efficiently recover the state
– Estimate: follow linear trails through the cipher and approximate the outputs
of all encountered AND gates by 0. However, the positions of the taps in
Trivium have been chosen in such a way that any trail of this specific type is
forced to approximate at least 72 AND gate outputs
– If assume that the correlation of linear combination is completely explained
by a specific trail considered, then it would have a correlation coefficient of
2-72
• Detecting such a correlation would require at least 2144 bits of key
stream
• Other more complicated types of linear trails with larger correlations
might exist, estimate that no correlations will exceed 2-40
49
 Lex
• Alex Biryukov
• Leak EXtraction
• Software category
– Uses AES – reuse if application has AES
implementation

50
 Lex
• Initialize:
– Key AES: 128-bit key, K, run through standard
AES key-schedule
– State: 128-bit IV is encrypted by AES
S = AESK(IV )
• Generate key stream
– Repeatedly encrypt (starting with S)
• Rekey every 500 AES applications

51
 Lex

takes 4 bytes from each round of AES

(see next slide)
52
Lex

53
 Lex
• order of bytes
– not relevant for security
– relevant for fast software implementation
• allows extraction of a 32-bit value from two
32-bit rows in four steps
((t0&0xFF00FF) << 8) (t2&0xFF00FF)

t0 = 1st row, t2 = 3rd row in 4x4 matrix

54