Lecture 9 - Stream Ciphers

Dr. Alshaimaa Abo-alian

Lecture Outline

➢ What is a stream cipher?
➢ Stream Cipher Structure
➢ Stream Cipher vs. Block Cipher
➢ RC4
➢ Stream Ciphers Using Feedback Shift Registers
➢ LFSR
➢ NFSR
➢ Grain-128a

What is a Stream Cipher?
▪ Stream ciphers can be viewed as a pseudorandom equivalent of the one-time pad.
▪ The one-time pad uses a long random key, of length equal to the plaintext message.
▪ A stream cipher uses a short secret key and a pseudorandomly generated stream of bits.
▪ Stream ciphers are useful in the following cases:
▪ There is a need to encrypt large amounts of fast streaming data.
▪ Devices with very limited memory and processing power, called constrained devices, such as:
➢ Small wireless sensors in IoT applications
➢ Radio frequency identification (RFID) tags
▪ A stream cipher encrypts one byte at a time by XOR with a pseudorandom byte.
▪ The output of the generator is called the keystream.

Stream Cipher Design Considerations

1. The pseudorandom sequence should have a large period.
➔ The longer the period of repeat, the more difficult it is to break the cipher.
2. The keystream should approximate a true random number stream. For example:
– There should be an approximately equal number of 1s and 0s.
– As the keystream is a stream of bytes, all of the 256 possible byte values should appear approximately equally often.
3. The key must withstand brute-force attacks.
➔ The key needs to be sufficiently long (at least 128 bits).

Comparison to Block Ciphers
1. Efficiency?
➢ Stream ciphers are often simpler to implement and faster.

2. Security?
➢ With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length.
✓ A key length of at least 128 bits is desirable.

3. Reusing keys?
➢ Block ciphers can reuse keys, but stream ciphers cannot.

RC4
▪ Designed by Ron Rivest in 1987
▪ Based on the use of a random permutation
▪ Very simple and efficient implementation
▪ Can use a variable-size key: 8 to 2048 bits
▪ The period of the cipher is likely to be greater than $10^{100}$
▪ No known attacks if a 128-bit key is used and the initial values of the stream are discarded
▪ Used in secure web browsing and wireless LANs (where its security has been shown to be weak)
▪ WiFi security has now moved on to the WPA2 protocol, which uses AES for encryption in Counter mode (CTR).

Parameters and Variables
▪ Variable-length key (K): from 1 to 256 bytes
▪ State vector (S): 256 bytes
▪ Temporary vector (T): 256 bytes
▪ A byte from the keystream (k), generated from S
Steps
1. Initialize S to the values 0 to 255; initialize T with repeating values of the key K
2. Use T to create the initial permutation of S
3. Permute S and generate the keystream k from S
4. Encrypt a byte of plaintext, p, by XOR with k

Initialization of S & T
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];

Initial Permutation of S
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap(S[i], S[j]);

Stream Generation
i, j = 0;
while (true)
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap(S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];

To encrypt: C = p XOR k
To decrypt: p = C XOR k

Example
• Consider a simplified version of the stream cipher RC4.
• Instead of the full 256 bytes, the state vector S is 8 x 3 bits.
• Assume we use a 4 x 3-bit key of K = [1 2 3 6] and a plaintext P = [1 2 2 2].
• We will operate on 3 bits of plaintext at a time, since S can take the values 0 to 7, which can be represented as 3 bits.

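The RC4 steps above as runnable Python, added here as an illustration and not part of the original slides. The state size `n` is a parameter (a generalization beyond the slides; the function names are this example's own), so one routine covers standard RC4 (n = 256) and the 8 x 3-bit teaching variant, and the last lines show why a stream cipher key cannot be reused: the shared keystream cancels out of C1 XOR C2.

```python
def rc4_keystream(key, count, n=256):
    """Return `count` keystream values; n=256 is RC4, n=8 the 3-bit variant."""
    if not 1 <= len(key) <= n:
        raise ValueError("key length must be between 1 and n")
    # Initialization of S and T
    S = list(range(n))
    T = [key[i % len(key)] for i in range(n)]
    # Initial permutation of S
    j = 0
    for i in range(n):
        j = (j + S[i] + T[i]) % n
        S[i], S[j] = S[j], S[i]
    # Stream generation
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % n])
    return out


def rc4_xor(key, data, n=256):
    """Encrypt or decrypt: XOR each value with the next keystream value."""
    return [d ^ k for d, k in zip(data, rc4_keystream(key, len(data), n))]


def xor_lists(a, b):
    """Element-wise XOR of two equal-length lists."""
    return [x ^ y for x, y in zip(a, b)]


if __name__ == "__main__":
    K = [1, 2, 3, 6]                      # key from the slides
    P1, P2 = [1, 2, 2, 2], [1, 2, 6, 5]   # the two plaintexts from the slides
    C1, C2 = rc4_xor(K, P1, n=8), rc4_xor(K, P2, n=8)
    print("keystream:", rc4_keystream(K, 4, n=8))
    print("C1:", C1, "C2:", C2)
    # Same key means same keystream, so it cancels and P1 XOR P2 is exposed.
    print("C1 xor C2:", xor_lists(C1, C2), "P1 xor P2:", xor_lists(P1, P2))
```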
Stream Ciphers Using Feedback Shift Registers
With the increasing use of highly constrained devices (especially in the IoT), new stream ciphers are required that:
– Take up minimal memory
– Are highly efficient
– Have minimal power consumption requirements
➔ Feedback shift registers (FSRs) exhibit the desired performance behavior and are well suited to compact hardware implementation.

Feedback Shift Registers (FSR)
▪ An FSR consists of a sequence of 1-bit memory cells.
▪ Each cell has an output line (which indicates the value currently stored) and an input line.
▪ At clock times, the value in each storage device is replaced by the value indicated by its input line.
▪ The effect is as follows:
o The rightmost (least significant) bit is shifted out as the output bit for this clock cycle.
o The other bits are shifted one bit position to the right.
o The new leftmost (most significant) bit is calculated as a function of the other bits in the FSR.

Types of FSR

Linear Feedback Shift Registers (LFSRs):
– Coefficients Ai are Boolean constants
– Feedback function is XOR only

Nonlinear Feedback Shift Registers (NFSRs):
– Coefficients can be variables
– Feedback function includes other operations such as AND

Linear Feedback Shift Registers (LFSR)

An FSR is linear if the feedback function only involves the logical exclusive-OR (XOR) of bits in the register.

Example
A 4-bit LFSR that implements the equation $B_4 = B_1 \oplus B_0$, or equivalently $P(X) = 1 + X^2 + X^3$, with a seed (initial state) of 1000.

If the LFSR has an initial state of 1000 ($B_3 = 1$, $B_2 = 0$, $B_1 = 0$, $B_0 = 0$):
➔ The period of the sequence is $15 = 2^4 - 1$.
➔ Although an LFSR produces a good pseudorandom bit stream, a single LFSR by itself is not suitable as a stream cipher.

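A small feedback shift register simulator, added here as an illustration and not part of the original slides. It clocks the 4-bit LFSR above from seed 1000 to confirm the period of 15, then shows what "linear" means in practice: the outputs from two seeds XOR to the output of the XORed seed, a structure that AND terms in an NFSR break. The function names, the 5-bit taps (B5 = B2 XOR B0) and the test seeds are assumptions of this example; the NFSR feedback reads the next slide's "B2 B0" as B2 AND B0.

```python
def xor_taps(*taps):
    """Linear feedback: XOR of the tapped positions (bit 0 of state is B0)."""
    def feedback(state):
        bit = 0
        for t in taps:
            bit ^= (state >> t) & 1
        return bit
    return feedback

def step(state, width, feedback):
    """Clock once: shift right, emit B0, load the feedback bit as the new MSB."""
    return state & 1, (state >> 1) | ((feedback(state) & 1) << (width - 1))

def run(seed, width, feedback, count):
    """First `count` output bits starting from `seed`."""
    bits, state = [], seed
    for _ in range(count):
        out, state = step(state, width, feedback)
        bits.append(out)
    return bits

def period(seed, width, feedback):
    """Number of clocks until the state returns to `seed` (None if never)."""
    state = seed
    for clocks in range(1, 2 ** width + 1):
        _, state = step(state, width, feedback)
        if state == seed:
            return clocks
    return None

def superposes(width, feedback, a, b, count):
    """True if output(a) XOR output(b) equals output(a XOR b)."""
    mixed = [x ^ y for x, y in zip(run(a, width, feedback, count),
                                   run(b, width, feedback, count))]
    return mixed == run(a ^ b, width, feedback, count)

LECTURE_LFSR = xor_taps(1, 0)    # B4 = B1 xor B0 (from the slides)
FIVE_BIT_LFSR = xor_taps(2, 0)   # assumed taps B5 = B2 xor B0 (not from the slides)
def LECTURE_NFSR(s):             # B5 = B4 xor B3 xor (B2 and B0), as read from the slides
    return ((s >> 4) ^ (s >> 3) ^ ((s >> 2) & s)) & 1

if __name__ == "__main__":
    print("period, seed 1000:", period(0b1000, 4, LECTURE_LFSR))
    print("output bits:", run(0b1000, 4, LECTURE_LFSR, 15))
    print("5-bit period:", period(0b00001, 5, FIVE_BIT_LFSR))
    print("LFSR superposes:", superposes(4, LECTURE_LFSR, 0b1000, 0b0110, 15))
    print("NFSR superposes:", superposes(5, LECTURE_NFSR, 0b00101, 0b00001, 10))
```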
Nonlinear Feedback Shift Registers (NFSR)
Example: $B_5 = B_4 \oplus B_3 \oplus B_2 B_0$
Or it can be expressed as the primitive polynomial $P(X) = 1 + X + X^2 X^4$

Grain-128a

▪ Grain is a family of hardware-efficient stream ciphers.
▪ Grain was accepted as part of the eSTREAM effort to approve several new stream ciphers.
▪ The eSTREAM specification, called Grain v1, defines two stream ciphers:
– one with an 80-bit key and a 64-bit initialization vector (IV)
– one with a 128-bit key and an 80-bit IV
▪ Grain has since been revised and expanded to include authentication, referred to as Grain-128a.

▪ Grain-128a consists of:
– A linear feedback shift register (LFSR)
– A nonlinear feedback shift register (NFSR)
– A filter function (h)
▪ The registers are coupled by very lightweight Boolean functions.
▪ The input to the NFSR is masked with the output of the LFSR so that the state of the NFSR is balanced.

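The LFSR at iteration is defined as follows:

$s_{i+128} = s_i \oplus s_{i+7} \oplus s_{i+38} \oplus s_{i+70} \oplus s_{i+81} \oplus s_{i+96}$

The NFSR is defined as follows:

$b_{i+128} = s_i \oplus b_i \oplus b_{i+26} \oplus b_{i+56} \oplus b_{i+91} \oplus b_{i+96} \oplus b_{i+3}b_{i+67} \oplus b_{i+11}b_{i+13} \oplus b_{i+17}b_{i+18} \oplus b_{i+27}b_{i+59} \oplus b_{i+40}b_{i+48} \oplus b_{i+61}b_{i+65} \oplus b_{i+68}b_{i+84} \oplus b_{i+22}b_{i+24}b_{i+25} \oplus b_{i+70}b_{i+78}b_{i+82} \oplus b_{i+88}b_{i+92}b_{i+93}b_{i+95}$
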
▪ The filter function h takes 9 variables from the two shift registers.
▪ It is designed to be balanced, highly nonlinear, and produce secure output. It is defined as:

$h = b_{i+12}s_{i+8} \oplus s_{i+12}s_{i+20} \oplus s_{i+95}s_{i+42} \oplus s_{i+60} s_{i+79} s_{i+94}$

▪ A pre-output function y masks with 1 bit of the LFSR and 7 bits of the NFSR, using the following simple linear function:

$y_i = h \oplus s_{i+93} \oplus \sum_{j \in A} b_{i+j}$, $A = \{2, 15, 36, 45, 64, 73, 89\}$

▪ The output function is defined as $z_i = y_{64+2i}$

Choose The Correct Answer
1. All of the following primitive operations are used in RC4 except?
A. XOR    B. AND
C. Swap   D. mod

2. The maximum period obtainable from a 5-bit linear feedback shift register is ________.
A. 5    B. 10
C. 15   D. 31

3. Which of the following statements are true?
i) Stream ciphers are faster than block ciphers
ii) Block ciphers can reuse keys
iii) Block ciphers use less code than stream ciphers (simpler to implement)

A. 1st and 2nd
B. 1st only
C. 2nd and 3rd
D. All are true

Try by Yourself

a. Find the period of the following generator using seed $x_0 = 1$:
$x_n = (5x_{n-1} + 2) \bmod 2^5$
Answer: 16

b. Consider the stream cipher RC4, but instead of using a state vector S of 256 bytes, we will use a state vector S of 8 x 3 bits. Encrypt the plaintext P = [1 2 6 5] using the key K = [1 2 3 6].
Answer: C = [4 3 6 4]

Thank you
