Lec 11 StreamCiphers

Uploaded by

Isha Kanwal

CRYPTOGRAPHY

Stream Ciphers
The One-Time Pad
One-Time Pad or Vernam Cipher

Example: Let the message be IF, whose ASCII code is (1001001 1000110), and let the key be (1010110 0110001). The ciphertext is found by XORing the message and key bits.

Encryption:
1001001 1000110 plaintext
1010110 0110001 key
ciphertext

Decryption:
0011111 1110110 ciphertext
1010110 0110001 key
plaintext
Why is the One-Time Pad provably secure?
Or how can we prove it is unbreakable?

• The security depends on the randomness of the key.
• It is hard to define randomness.
• In a cryptographic context, we seek two fundamental properties in a binary random key sequence:
1. Unpredictability: Regardless of how many bits of a sequence have been observed, the probability of guessing the next bit is no better than ½. Therefore, the probability of a certain bit being 1 or 0 is exactly equal to ½.
2. Balanced (Equal Distribution): The number of 1’s and 0’s should be equal.
Mathematical Proof
• The probability of a key bit being 1 or 0 is exactly equal to ½.
• The plaintext bits are not balanced. Let the probability of 0 be x; then the probability of 1 turns out to be 1-x.
• Let us calculate the probability of ciphertext bits.

mi   prob.   ki   prob.   ci   prob.
0    x       0    ½       0    ½x
0    x       1    ½       1    ½x
1    1-x     0    ½       1    ½(1-x)
1    1-x     1    ½       0    ½(1-x)

• We find that the probability of a ciphertext bit being 1 or 0 is equal to (½)x + (½)(1-x) = ½. Ciphertext looks like a random sequence.
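The table above carried through with exact fractions, as an added example that is not part of the original slides. It goes one step beyond the slide by also computing the posterior P(m=0 | c) and by contrasting the uniform key with a biased one; the function names and the key-bias parameter p are assumptions introduced here.

```python
from fractions import Fraction
from itertools import product


def joint(x, p):
    """Joint distribution of (m, c) for one bit.

    x = P(m = 0), p = P(k = 0), c = m XOR k, with m and k independent.
    """
    pm = {0: x, 1: 1 - x}
    pk = {0: p, 1: 1 - p}
    table = {}
    for m, k in product((0, 1), repeat=2):
        c = m ^ k
        table[(m, c)] = table.get((m, c), 0) + pm[m] * pk[k]
    return table


def ciphertext_dist(x, p):
    """P(c = 0) and P(c = 1), the last column of the slide's table summed per c."""
    t = joint(x, p)
    return {c: t[(0, c)] + t[(1, c)] for c in (0, 1)}


def posterior(x, p, c):
    """P(m = 0 | c): what an observer of the ciphertext bit learns about m."""
    t = joint(x, p)
    return t[(0, c)] / (t[(0, c)] + t[(1, c)])


if __name__ == "__main__":
    x = Fraction(3, 4)                      # constructed plaintext bias
    for p in (Fraction(1, 2), Fraction(3, 4)):
        print("P(k=0) =", p,
              "| ciphertext:", ciphertext_dist(x, p),
              "| P(m=0|c=0) =", posterior(x, p, 0),
              "| P(m=0|c=1) =", posterior(x, p, 1))
```

With a uniform key the posterior equals the prior x for either ciphertext bit; with a biased key it does not, which is why the argument depends on the key bits being exactly ½.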
The One-Time Pad

Drawback

• An obvious drawback of the one-time pad is that the key should be as long as the plaintext message, which increases the difficulty of key distribution and key management.

• That motivates the design of stream ciphers, where the keystream is pseudorandomly generated from a smaller secret key, with the intent that the keystream appears random to a computationally bounded adversary.
Stream Ciphers
• Process message bit by bit or byte by byte (as a stream)
• Have a pseudorandom keystream
• Combined (XOR) with plaintext bit by bit
• Randomness of keystream completely destroys statistical properties in message
• But must never reuse stream key
– Otherwise can recover messages
Synchronous Stream Cipher
Asynchronous Stream Cipher
Difference between Synchronous and Asynchronous Stream Ciphers
Synchronous Stream Ciphers
• Keystream is independent of plaintext and ciphertext.
• Both sender and receiver must be synchronized.
• Resynchronization can be needed.
• No error propagation.
• Active attacks can easily be detected.
Self-Synchronizing Stream Ciphers
• Keystream is a function of a fixed number t of ciphertext bits.
• Limited error propagation (up to t bits).
• Active attacks cannot be detected.
• At most t bits later, it resynchronizes itself when synchronization is lost.
• It helps to diffuse plaintext statistics.
RC4
• RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security
• It is a variable key-size stream cipher with byte-oriented operations
• The algorithm is based on the use of a random permutation
• Period of cipher is greater than 10^100
• Widely used in SSL (Secure Socket Layer)/TLS (Transport Layer Security) standards defined for communication between web browsers and servers
• Also used in WEP (Wired Equivalent Privacy) and WiFi protocols – wireless LAN standards
• (Web SSL/TLS, Wireless WEP)
RC4 Key Schedule
• Starts with an array S of numbers: 0..255
• Use key K to well and truly shuffle
• S forms initial state of the cipher

Initialization
for i = 0 to 255 do
    S[i] = i
    T[i] = K[i mod keylen]

Initial Permutation of S
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256
    swap(S[i], S[j])
RC4 Encryption
• Encryption continues shuffling array values
• Sum of shuffled pair selects "stream key" value from permutation
• XOR S[t] with next byte of message to en/decrypt

Stream Generation
i = j = 0
for each message byte Mi
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap(S[i], S[j])
    t = (S[i] + S[j]) mod 256
    k = S[t]
    Encryption: Ci = Mi XOR k
    Decryption: Mi = Ci XOR k
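The key schedule and stream generation above as runnable Python, together with the keystream-reuse failure noted under Stream Ciphers ("must never reuse stream key"); this is an added example, not code from the slides. The function names and the sample key and messages are constructed for illustration.

```python
def rc4_ksa(key: bytes) -> list:
    """Initialization and initial permutation of S, as on the slides."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        # T[i] on the slides is K[i mod keylen]
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Stream generation: n keystream bytes k = S[(S[i] + S[j]) mod 256]."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the same XOR with the keystream does both."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Constructed sample values (not from the slides).
KEY = b"constructed-key"
M1 = b"transfer 100 to alice"
M2 = b"meeting moved to 3 pm"


def reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Both messages under one key: the keystream cancels in c1 XOR c2."""
    return xor_bytes(rc4(key, m1), rc4(key, m2))


if __name__ == "__main__":
    leak = reuse_leak(KEY, M1, M2)
    print(leak == xor_bytes(M1, M2))   # ciphertexts alone reveal m1 XOR m2
    print(xor_bytes(leak, M1))         # a known m1 then yields m2
```

RC4 is shown here for study of the algorithm; RFC 7465 prohibits RC4 cipher suites in TLS.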
RC4 Overview
Linear Feedback Shift Register (LFSR) Sequences

• The sequence

01000010010110011111000110111010100001001011001111

can be described by giving the initial values

x_1 = 0, x_2 = 1, x_3 = 0, x_4 = 0, x_5 = 0

and the linear recurrence relation

x_{n+5} = x_n + x_{n+2} (mod 2).


Linear Feedback Shift Register - LFSR

[Figure: shift register b_n, b_{n-1}, ..., b_2, b_1 with feedback function and output sequence]

• A feedback shift register is made up of two parts: a shift register and a feedback function
• The shift register is a sequence of bits; if it is n bits long, it is called an n-bit shift register
• Each time a bit is needed, all bits in the shift register are shifted 1 bit to the right
• The new leftmost bit is computed as a function of the other bits using the feedback function
• The output of the shift register is 1 bit, often the least significant bit
• The period of a shift register is the length of the output sequence before it starts
Linear Feedback Shift Register - LFSR

[Figure: shift register b_n, b_{n-1}, ..., b_2, b_1 with output bit]

• The simplest kind of feedback shift register is a linear feedback shift register (LFSR). The feedback function is simply the XOR of certain bits in the register; the list of these bits is called a tap sequence

[Figure: 4-bit register b4 b3 b2 b1 with output bit]
Linear Feedback Shift Register - LFSR

Example: 4-bit LFSR tapped at first and fourth bit

[Figure: 4-bit register b4 b3 b2 b1 with output bit]

• It is initialized with the value 1 1 1 1
• It produces the bit sequence (successive register states)
  1111 0111 1011 0101 1010 1101 0110 0011 1001 0100 0010 0001 1000 1100 1110
• The output sequence is the string of least significant bits
  1 1 1 1 0 1 0 1 1 1 0 0 1 0 0 0 . ………..
• An n-bit LFSR cycles through a maximum of 2^n - 1 states; these are maximal-period LFSRs, and the resulting output sequence is called an m-sequence
Linear Feedback Shift Register - LFSR

Example: output sequence of an LFSR with connection polynomial f(x) = x^4 + x + 1, initialized with 0 1 1 0

[Figure: register cells labelled x, x^2, x^3, x^4 with output bit]

Successive register states:
0110 0011 1001 0100 0010 0001 1000 1100 1110 1111 0111 1011 0101 1010 1101 0110

The output sequence is:
0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 …….
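A small LFSR simulator, added here as an example (not from the original slides), that reproduces the state lists of both 4-bit examples and the 50-bit sequence generated by x_{n+5} = x_n + x_{n+2} (mod 2). The function names and the tap-numbering convention (cell 1 is b_1, the output cell) are assumptions of this example.

```python
def lfsr_run(state, taps, steps):
    """Run a linear feedback shift register.

    state: bits as written on the slides, leftmost cell first (b_n ... b_1).
    taps:  cell numbers (1 = b_1, the rightmost cell) XORed together to
           form the new leftmost bit.
    Returns (visited_states, output_bits); the output is b_1 of each state.
    """
    n = len(state)
    if any(not 1 <= t <= n for t in taps):
        raise ValueError("tap outside register")
    reg = list(state)
    states, out = [], []
    for _ in range(steps):
        states.append("".join(map(str, reg)))
        out.append(reg[-1])
        fb = 0
        for t in taps:
            fb ^= reg[n - t]       # cell b_t sits at index n - t
        reg = [fb] + reg[:-1]      # shift right, feedback enters on the left
    return states, out


def period(state, taps):
    """Steps until the starting state recurs, or 0 if it never does."""
    states, _ = lfsr_run(state, taps, 2 ** len(state) + 1)
    try:
        return states.index(states[0], 1)
    except ValueError:
        return 0   # start state is never revisited (b_1 not tapped)


def bits(seq):
    return "".join(map(str, seq))


if __name__ == "__main__":
    # 4-bit register tapped at the first and fourth bit, started at 1111
    states, out = lfsr_run([1, 1, 1, 1], (4, 1), 15)
    print(" ".join(states))
    print(bits(out), "period", period([1, 1, 1, 1], (4, 1)))
    # Same taps, started at 0110 (the connection-polynomial example)
    print(bits(lfsr_run([0, 1, 1, 0], (4, 1), 15)[1]))
    # x_{n+5} = x_n + x_{n+2}: cells b5..b1 hold x5..x1 = 0 0 0 1 0
    print(bits(lfsr_run([0, 0, 0, 1, 0], (1, 3), 50)[1]),
          "period", period([0, 0, 0, 1, 0], (1, 3)))
```

Both registers reach the maximum period 2^n - 1 (15 and 31), and over one period the 4-bit output contains eight 1s and seven 0s.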
Desirable properties of an LFSR

For essentially all possible secret keys, the output sequence of an LFSR-based keystream generator should have the following properties:

1. Large period
2. Large Linear Complexity
3. Good Statistical Properties
Nonlinear combination Generator

1. One general technique to destroy linearity in LFSRs is to use several LFSRs in parallel
2. The keystream is generated as a nonlinear function f of the outputs of the component LFSRs
3. Such keystream generators are called nonlinear combination generators

The Combiner Function should be,

1. Balanced,
2. Highly nonlinear,
3. Correlation Immune.
