Chapter 3 – Stream Ciphers
Dr. Safi Ibrahim
1/27
Content of this Chapter
• Intro to stream ciphers
• Random number generators (RNGs)
• One-Time Pad (OTP)
• Linear feedback shift registers (LFSRs)
• Trivium: a modern stream cipher
Stream Ciphers in the Field of Cryptology
Cryptology
  Cryptography
    Symmetric Ciphers
      Block Ciphers
      Stream Ciphers
    Asymmetric Ciphers
    Protocols
  Cryptanalysis
Stream Ciphers were invented in 1917 by Gilbert Vernam
Stream Cipher vs. Block Cipher
• Stream Ciphers
• Encrypt bits individually
• Usually small and fast; common in embedded devices
• Block Ciphers:
• Always encrypt a full block (several bits)
• Are common for Internet applications
Encryption and Decryption with Stream Ciphers
Plaintext $x_i$, ciphertext $y_i$ and key stream $s_i$ consist of individual bits
• Encryption and decryption are simple additions modulo 2 (aka XOR)
• Encryption and decryption are the same functions
• Encryption: $y_i = e_{s_i}(x_i) = x_i + s_i \bmod 2$, with $x_i, y_i, s_i \in \{0,1\}$
• Decryption: $x_i = d_{s_i}(y_i) = y_i + s_i \bmod 2$
Why is Modulo 2 Addition a Good Encryption Function?
• Modulo 2 addition is equivalent to XOR operation
• For a perfectly random key stream $s_i$, each ciphertext output bit has a
50% chance to be 0 or 1, which is a good statistical property for the ciphertext
• Inverting XOR is simple, since it is the same XOR operation
  x_i  s_i  y_i = x_i ⊕ s_i
   0    0    0
   0    1    1
   1    0    1
   1    1    0
Why are encryption and decryption the same operations?
Synchronous vs. Asynchronous Stream Cipher
• Security of a stream cipher depends entirely on the key stream $s_i$:
• It should be random, i.e., $\Pr(s_i = 0) = \Pr(s_i = 1) = 0.5$
• It must be reproducible by sender and receiver
• Synchronous Stream Cipher
• Key stream depends only on the key (and possibly an initialization vector IV)
• Asynchronous Stream Cipher
• Key stream depends also on the ciphertext (the dotted feedback path from the ciphertext is enabled)
Random number generators (RNGs)
RNG
  True RNG
  Pseudorandom NG
    Cryptographically Secure RNG
True Random Number Generators (TRNGs)
• Based on physical random processes: coin flipping, dice rolling,
semiconductor noise, radioactive decay, mouse movement, clock jitter
of digital circuits
• Output stream $s_i$ should have good statistical properties:
$\Pr(s_i = 0) = \Pr(s_i = 1) = 50\%$ (often achieved by post-processing)
• Output can neither be predicted nor be reproduced
Typically used for generation of keys, nonces (used-only-once
values) and for many other purposes
Pseudorandom Number Generator (PRNG)
• Generate sequences from an initial seed value
• Typically, the output stream has good statistical properties
• Output can be reproduced and can be predicted
• Often computed in a recursive way:
  $s_0 = \text{seed}$
  $s_{i+1} = f(s_i, s_{i-1}, \ldots, s_{i-t})$
• Example: rand() function in ANSI C:
  $s_0 = 12345$
  $s_{i+1} = 1103515245 \cdot s_i + 12345 \bmod 2^{31}$
• Most PRNGs have bad cryptographic properties!
Cryptanalyzing a Simple PRNG
Simple PRNG: Linear Congruential Generator
  $S_0 = \text{seed}$
  $S_{i+1} = A S_i + B \bmod m$
Assume
• unknown A, B and $S_0$ as key
• size of A, B and $S_i$ to be 100 bit
• 300 bit of output are known, i.e., $S_1$, $S_2$ and $S_3$
Solving
  $S_2 \equiv A S_1 + B \bmod m$
  $S_3 \equiv A S_2 + B \bmod m$
…directly reveals A and B.
All $S_i$ can then be computed.
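The following is an added example, not code from the slides: it implements the LCG from the ANSI C rand() parameters given earlier and carries out the cryptanalysis above. From three consecutive outputs $S_1, S_2, S_3$ and the modulus $m$, the two congruences give $S_3 - S_2 \equiv A (S_2 - S_1)$, so $A$ follows by a modular inverse and $B$ by substitution; afterwards every later output can be predicted. The function names and the sample seed are mine; the slides do not say whether $m$ is known, and this code assumes it is. When $S_2 - S_1$ has no inverse modulo $m$ the function returns None rather than guessing.

```python
from math import gcd

# Parameters of the ANSI C rand() example on the slides
ANSI_A, ANSI_B, ANSI_M = 1103515245, 12345, 2**31


def lcg_outputs(seed, a, b, m, n):
    """Return S_1, ..., S_n of the LCG S_{i+1} = A*S_i + B mod m."""
    out, s = [], seed
    for _ in range(n):
        s = (a * s + b) % m
        out.append(s)
    return out


def recover_lcg(s1, s2, s3, m):
    """Recover (A, B) from three consecutive outputs when the modulus m is known.

    S_2 = A*S_1 + B and S_3 = A*S_2 + B (mod m) give S_3 - S_2 = A*(S_2 - S_1) (mod m),
    so A = (S_3 - S_2) * (S_2 - S_1)^-1 mod m and then B = S_2 - A*S_1 mod m.
    """
    d = (s2 - s1) % m
    if gcd(d, m) != 1:
        return None  # S_2 - S_1 has no inverse mod m; more outputs would be needed
    a = ((s3 - s2) * pow(d, -1, m)) % m
    b = (s2 - a * s1) % m
    return a, b


def predict_next(s_last, a, b, m):
    """Once A and B are known, every later output follows from the last one seen."""
    return (a * s_last + b) % m


if __name__ == "__main__":
    # Constructed sample: the generator's seed is the slides' own constant 12345
    outs = lcg_outputs(12345, ANSI_A, ANSI_B, ANSI_M, 4)
    a, b = recover_lcg(outs[0], outs[1], outs[2], ANSI_M)
    print("recovered A, B:", a, b)
    print("predicted S_4:", predict_next(outs[2], a, b, ANSI_M), "actual:", outs[3])
```

For this particular generator $S_2 - S_1$ is always odd (A and B are odd), so the inverse modulo $2^{31}$ always exists and three outputs suffice, exactly as the slide states.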
Cryptographically Secure Pseudorandom Number Generator (CSPRNG)
• Special PRNG with additional property:
• Output must be unpredictable
More precisely: given n consecutive output bits $s_1, \ldots, s_n$, the following
output bit $s_{n+1}$ cannot be predicted (in polynomial time).
• Needed in cryptography, in particular for stream ciphers
• Remark: There are almost no other applications that need
unpredictability, whereas many, many (technical) systems need
PRNGs.
One-Time Pad (OTP)
Unconditionally secure cryptosystem:
• A cryptosystem is unconditionally secure if it cannot be broken even with
infinite computational resources
One-Time Pad
• A cryptosystem developed by Mauborgne that is based on Vernam’s stream
cipher:
• Properties:
Let the plaintext, ciphertext and key consist of individual bits
$x_i, y_i, k_i \in \{0,1\}$.
Encryption: $e_{k_i}(x_i) = x_i \oplus k_i$
Decryption: $d_{k_i}(y_i) = y_i \oplus k_i$
OTP is unconditionally secure if and only if the key $k_i$ is used once!
One-Time Pad (OTP)
Unconditionally secure cryptosystem:
  $y_0 = x_0 \oplus k_0$
  $y_1 = x_1 \oplus k_1$
  ⋮
Every equation is a linear equation with two unknowns, so for every $y_i$,
$x_i = 0$ and $x_i = 1$ are equiprobable!
This is true iff $k_0, k_1, \ldots$ are independent, i.e., all $k_i$ have to be
generated truly at random.
It can be shown that this system provably cannot be solved.
Disadvantage: for almost all applications the OTP is impractical
since the key must be as long as the message! (Imagine you
have to encrypt a 1 GByte email attachment.)
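As an added example (not code from the slides), the XOR stream cipher of the earlier slides and the One-Time Pad in one small module: encryption and decryption are literally the same function, the pad comes from the operating system's CSPRNG and is as long as the message, and the last function shows what the "used once" condition protects against: with the same pad used twice, the pad cancels out of $y_1 \oplus y_2$ and an observer learns $x_1 \oplus x_2$. Function names and the sample messages are mine.

```python
import secrets


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (addition modulo 2 per bit)."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(nbytes):
    """Fresh pad from the OS CSPRNG: as long as the message, and to be used once."""
    return secrets.token_bytes(nbytes)


# Encryption y = x XOR k and decryption x = y XOR k are the same operation.
encrypt = xor_bytes
decrypt = xor_bytes


def otp_roundtrip(message):
    """Encrypt with a one-time pad and decrypt again; returns (ciphertext, plaintext)."""
    key = otp_keygen(len(message))
    y = encrypt(message, key)
    return y, decrypt(y, key)


def reuse_leak(m1, m2, key):
    """What an observer of two ciphertexts under the same pad can compute:
    y1 XOR y2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2, the pad cancels."""
    return xor_bytes(encrypt(m1, key), encrypt(m2, key))


if __name__ == "__main__":
    ct, pt = otp_roundtrip(b"meet me at noon")  # constructed sample message
    print("ciphertext:", ct.hex(), "decrypts correctly:", pt == b"meet me at noon")
    pad = otp_keygen(14)
    print("pad reused twice leaks m1 XOR m2:",
          reuse_leak(b"hello, world!!", b"HELLO, WORLD!!", pad).hex())
```

The roundtrip uses a fresh pad on every call; the information-theoretic argument on the slide holds only because each pad bit is independent and uniformly random, which is why `secrets` (a CSPRNG seeded from the OS) is used rather than a seeded PRNG.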
Linear Feedback Shift Registers (LFSRs)
• Concatenated flip-flops (FF), i.e., a shift register together with a feedback path
• Feedback computes fresh input by XOR of certain state bits
• Degree m given by number of storage elements
• If $p_i = 1$, the feedback connection is present ("closed switch"), otherwise there is
no feedback from this flip-flop ("open switch")
• Output sequence repeats periodically
• Maximum output length: $2^m - 1$
Linear Feedback Shift Registers (LFSRs): Example with m=3
A simple formula determines the functioning of this LFSR. Assuming the initial state bits $s_0, s_1, s_2$:
  $s_3 \equiv s_1 + s_0 \bmod 2$
  $s_4 \equiv s_2 + s_1 \bmod 2$
  $s_5 \equiv s_3 + s_2 \bmod 2$
  ...
• In general: $s_{i+3} \equiv s_{i+1} + s_i \bmod 2$
• Maximum output length (of $2^3 - 1 = 7$) achieved only for certain feedback
configurations, e.g., the one shown here.

  clk  FF2  FF1  FF0 = s_i
   0    1    0    0
   1    0    1    0
   2    1    0    1
   3    1    1    0
   4    1    1    1
   5    0    1    1
   6    0    0    1
   7    1    0    0
   8    0    1    0
A Mathematical Description of LFSRs
In the general form of an LFSR of degree m, the outputs of selected flip-flops are combined
by the XOR operation to form the feedback. Whether a feedback path is active or not is
defined by the feedback coefficients $p_0, p_1, \ldots, p_{m-1}$:
If $p_i = 1$ (closed switch), the feedback is active.
If $p_i = 0$ (open switch), the corresponding flip-flop output is not used for the feedback.
Example: LFSR with maximum-length output sequence
Given an LFSR of degree m = 4 and the feedback path ($p_3 = 0$, $p_2 = 0$, $p_1 = 1$, $p_0 = 1$),
the output sequence of the LFSR has a period of $2^m - 1 = 15$, i.e., it is a maximum-length LFSR.
Representing LFSRs as Polynomials
LFSRs are typically described by polynomials:
  $P(x) = x^m + p_{m-1} x^{m-1} + \ldots + p_1 x + p_0$
• Single LFSRs generate highly predictable output
• If 2m output bits of an LFSR of degree m are known, the feedback
coefficients $p_i$ of the LFSR can be found by solving a system of linear
equations
• For example, the LFSR with coefficients ($p_3 = 0$, $p_2 = 0$, $p_1 = 1$, $p_0 = 1$) can
alternatively be specified by the polynomial $x^4 + x + 1$.
• Because of this, many stream ciphers use combinations of LFSRs
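The following is an added example, not code from the slides, serving both the m = 3 example and the polynomial description above: a generic LFSR with feedback coefficients $(p_0, \ldots, p_{m-1})$ that reproduces the table of the m = 3 example, measures the period (7 for the m = 3 register, 15 for $x^4 + x + 1$), prints the feedback polynomial, and then recovers the coefficients from 2m output bits by solving the linear system over GF(2) exactly as the slide claims. Function names are mine.

```python
def lfsr_stream(init_state, taps, n):
    """First n output bits s_0, s_1, ... of an LFSR of degree m = len(taps).
    init_state = [s_0, ..., s_{m-1}], taps = [p_0, ..., p_{m-1}], and
    s_{i+m} = p_{m-1} s_{i+m-1} + ... + p_1 s_{i+1} + p_0 s_i  (mod 2)."""
    m = len(taps)
    s = list(init_state)
    while len(s) < n:
        new = 0
        for j in range(m):
            if taps[j]:
                new ^= s[len(s) - m + j]  # s_{i+j} with i = len(s) - m
        s.append(new)
    return s[:n]


def lfsr_period(init_state, taps):
    """Number of clocks until the register state first repeats."""
    m = len(taps)
    state = tuple(init_state)
    start, clocks = state, 0
    while True:
        new = 0
        for j in range(m):
            if taps[j]:
                new ^= state[j]
        state = state[1:] + (new,)  # shift: oldest bit leaves, new feedback bit enters
        clocks += 1
        if state == start:
            return clocks


def feedback_polynomial(taps):
    """P(x) = x^m + p_{m-1} x^{m-1} + ... + p_1 x + p_0, as a string."""
    m = len(taps)
    terms = [f"x^{m}"]
    for j in range(m - 1, -1, -1):
        if taps[j]:
            terms.append("1" if j == 0 else "x" if j == 1 else f"x^{j}")
    return " + ".join(terms)


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2): solve M p = r; returns p or None if singular."""
    m = len(rows)
    aug = [rows[i][:] + [rhs[i]] for i in range(m)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [aug[i][m] for i in range(m)]


def recover_taps(bits, m):
    """Recover p_0..p_{m-1} from 2m consecutive output bits: row i of the
    system is s_{m+i} = sum_j p_j s_{i+j} (mod 2) for i = 0..m-1."""
    if len(bits) < 2 * m:
        raise ValueError("need at least 2m output bits")
    rows = [bits[i:i + m] for i in range(m)]
    rhs = [bits[m + i] for i in range(m)]
    return solve_gf2(rows, rhs)


if __name__ == "__main__":
    # m = 3 example from the slides: s_{i+3} = s_{i+1} + s_i, initial state (s0, s1, s2) = (0, 0, 1)
    print(lfsr_stream([0, 0, 1], [1, 1, 0], 9), "period", lfsr_period([0, 0, 1], [1, 1, 0]))
    # m = 4 example: (p3, p2, p1, p0) = (0, 0, 1, 1), i.e. taps [p0, p1, p2, p3] = [1, 1, 0, 0]
    print(feedback_polynomial([1, 1, 0, 0]), "period", lfsr_period([1, 0, 0, 0], [1, 1, 0, 0]))
    print("taps recovered from 8 bits:", recover_taps(lfsr_stream([1, 0, 0, 0], [1, 1, 0, 0], 8), 4))
```

The recovery step is what makes a single LFSR unusable as a key stream generator on its own: knowing m and 2m key stream bits (for instance from a known plaintext segment) determines the whole register, after which `lfsr_stream` reproduces every further bit.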
A Modern Stream Cipher - Trivium
• Three nonlinear feedback shift registers (NLFSRs) of lengths 93, 84 and 111
• XOR-sum of all three NLFSR outputs generates the key stream $s_i$
• Small in hardware:
• Total register count: 288
• Non-linearity: 3 AND gates
• 7 XOR gates (4 with three inputs)
Trivium
Initialization:
• Load 80-bit IV into A
• Load 80-bit key into B
• Set $c_{109}, c_{110}, c_{111} = 1$, all other bits 0
Warm-Up:
• Clock cipher 4 x 288 = 1152 times without generating output
Encryption:
• XOR-Sum of all three NLFSR outputs generates key stream si
Design can be parallelized to produce up to 64 bits of output per clock cycle
  Register  Length  Feedback bit  Feedforward bit  AND inputs
  A         93      69            66               91, 92
  B         84      78            69               82, 83
  C         111     87            66               109, 110
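As an added example (my code, not the reference implementation), the Trivium register table and the initialization, warm-up and encryption steps above turned into a bit-serial implementation. Each register's output is its feedforward bit XOR its last bit; the key stream bit is the XOR-sum of the three outputs; and the new input of the next register is that output XOR the AND of the two AND inputs XOR the next register's own feedback bit. Assumptions that are mine: the loading order follows the slides (IV into A, key into B), key and IV bits are taken from 10-byte strings most-significant bit first, and key stream bits are packed into bytes the same way. Check against the published test vectors, which fix these conventions, before relying on it for interoperability.

```python
# Register table from the slides: name -> (length, feedback bit, feedforward bit, AND inputs)
REGS = {
    "A": (93, 69, 66, (91, 92)),
    "B": (84, 78, 69, (82, 83)),
    "C": (111, 87, 66, (109, 110)),
}
NEXT = {"A": "B", "B": "C", "C": "A"}  # each register's output feeds the next register


def _bits(data, n):
    """First n bits of `data`, most significant bit of each byte first (bit-order assumption)."""
    return [(data[i // 8] >> (7 - (i % 8))) & 1 for i in range(n)]


class Trivium:
    def __init__(self, key, iv):
        if len(key) != 10 or len(iv) != 10:
            raise ValueError("Trivium uses an 80-bit key and an 80-bit IV")
        # Registers are 1-indexed (index 0 unused) so that r["A"][66] is bit 66 of A as on the slides
        self.r = {name: [0] * (spec[0] + 1) for name, spec in REGS.items()}
        # Loading order as stated in the slides: IV into A, key into B
        self.r["A"][1:81] = _bits(iv, 80)
        self.r["B"][1:81] = _bits(key, 80)
        self.r["C"][109:112] = [1, 1, 1]  # c109, c110, c111 = 1; every other bit stays 0
        for _ in range(4 * 288):  # warm-up: 1152 clocks without producing output
            self.clock()

    def clock(self):
        """One clock cycle: returns the key stream bit s_i and updates all three registers."""
        out, new = {}, {}
        for name, (length, fb, ff, (a1, a2)) in REGS.items():
            reg = self.r[name]
            out[name] = reg[ff] ^ reg[length]  # feedforward bit XOR last register bit
            nxt = NEXT[name]
            # input to the next register: this output, the AND term, and that register's feedback bit
            new[nxt] = out[name] ^ (reg[a1] & reg[a2]) ^ self.r[nxt][REGS[nxt][1]]
        for name in REGS:  # shift every register by one position; new bit enters at position 1
            reg = self.r[name]
            reg[2:] = reg[1:-1]
            reg[1] = new[name]
        return out["A"] ^ out["B"] ^ out["C"]  # XOR-sum of the three outputs

    def keystream(self, nbytes):
        """nbytes of key stream, 8 clocks per byte, packed MSB first (assumption)."""
        out = bytearray()
        for _ in range(nbytes):
            b = 0
            for _ in range(8):
                b = (b << 1) | self.clock()
            out.append(b)
        return bytes(out)


def trivium_xor(key, iv, data):
    """Encrypt or decrypt (same operation): data XOR key stream."""
    ks = Trivium(key, iv).keystream(len(data))
    return bytes(x ^ k for x, k in zip(data, ks))


if __name__ == "__main__":
    key, iv = bytes(range(10)), bytes(range(10, 20))  # constructed sample key and IV
    ct = trivium_xor(key, iv, b"Trivium key stream test message")
    print(ct.hex(), trivium_xor(key, iv, ct))
```

Because the three registers are updated from their pre-shift contents, the order in which the loop visits them does not matter; a hardware implementation computes the 64-way parallel variant mentioned above by exploiting the fact that none of the tapped positions lie within 64 places of a register's input.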
Lessons Learned
• Stream ciphers are less popular than block ciphers in most domains such as Internet
security. There are exceptions, for instance, the popular stream cipher RC4.
• Stream ciphers sometimes require fewer resources, e.g., code size or chip area, for
implementation than block ciphers, and they are attractive for use in constrained
environments such as cell phones.
• The requirements for a cryptographically secure pseudorandom number generator are far
more demanding than the requirements for pseudorandom number generators used in other
applications such as testing or simulation.
• The One-Time Pad is a provably secure symmetric cipher. However, it is highly impractical
for most applications because the key length has to equal the message length.
• Single LFSRs make poor stream ciphers despite their good statistical properties.
However, careful combinations of several LFSRs can yield strong ciphers.