
Stream Ciphers PDF



Andreas Klein

Stream Ciphers

Andreas Klein
Dept. of Pure Mathem. & Computer Algebra
State University of Ghent
Ghent, Belgium

ISBN 978-1-4471-5078-7
ISBN 978-1-4471-5079-4 (eBook)
DOI 10.1007/978-1-4471-5079-4
Springer London Heidelberg New York Dordrecht

Library of Congress Control Number: 2013936538
Mathematics Subject Classification: 94A60, 68P25, 11T71

© Springer-Verlag London 2013

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher's location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)

Preface

Cryptographic ciphers come in two flavours: symmetric (AES, etc.) and asymmetric (RSA, etc.). The symmetric ciphers are further divided into block ciphers and stream ciphers. Block ciphers work on large blocks simultaneously (typically comprising 128 or 256 bits) and have no internal state (at least not in their basic version). Stream ciphers work on single bits or single words and need to maintain an internal state to change the cipher at each step.

Typically stream ciphers can reach higher speeds than block ciphers, but their theory is less developed. This is why stream ciphers are often skipped in books on cryptography.

This does not reflect the real importance of stream ciphers. They are used in several everyday applications (for example RC4 is used in wireless LAN and mobile telephones use A5). This book should fill the gap and provide a detailed introduction to stream ciphers.

I wrote this book in the years 2008–2010 when I had a research position at Ghent University.

I want to thank all my colleagues in Ghent for the pleasant time I had there, but especially Prof. Leo Storme who first gave me the opportunity to come to Ghent. We did some nice research together.

I also thank the team of the Springer Verlag who did a great job in improving this book. In addition I want to thank the anonymous referee, without whom the chapter on the Blum-Blum-Shub generator would be missing and there would be no exercises.

Wettenberg, Germany
Andreas Klein

Contents

1 Introduction to Stream Ciphers
  1.1 History I: Antique Ciphers
  1.2 Lessons from History: The Classification of Ciphers
  1.3 History II: The Golden Age of Stream Ciphers
  1.4 Lessons from the Enigma
  1.5 History III: Towards Modern Cryptography
  1.6 When to Use Stream Ciphers?
  1.7 Outline of the Book

Part I  Shift Register-Based Stream Ciphers

2 Linear Feedback Shift Registers
  2.1 Basic Definitions
  2.2 Algebraic Description of LFSR Sequences
    2.2.1 Generating Functions
    2.2.2 Feedback Polynomials Without Multiple Roots
    2.2.3 Feedback Polynomials with Multiple Roots
    2.2.4 LFSR Sequences as Cyclic Linear Codes
  2.3 Properties of m-Sequences
    2.3.1 Golomb's Axioms
    2.3.2 Sequences with Two Level Auto-Correlation
    2.3.3 Cross-Correlation of m-Sequences
  2.4 Linear Complexity
    2.4.1 Definition and Basic Properties
    2.4.2 The Berlekamp-Massey Algorithm
    2.4.3 Asymptotic Fast Computation of Linear Complexity
    2.4.4 Linear Complexity of Random Sequences
  2.5 The Linear Complexity Profile of Pseudo-random Sequences
    2.5.1 Basic Properties
    2.5.2 Continued Fractions
    2.5.3 Classification of Sequences with a Perfect Linear Complexity Profile
  2.6 Implementation of LFSRs
    2.6.1 Hardware Realization of LFSRs
    2.6.2 Software Realization of LFSRs

3 Non-linear Combinations of LFSRs
  3.1 De Bruijn Sequences
  3.2 A Simple Example of a Non-linear Combination of LFSRs
  3.3 Different Attack Classes
    3.3.1 Time-Memory Trade-off Attacks
    3.3.2 Algebraic Attacks
    3.3.3 Correlation Attacks
  3.4 Non-linear Combinations of Several LFSR Sequences
    3.4.1 The Product of Two LFSRs
    3.4.2 General Combinations
  3.5 Non-linear Filters
  3.6 Correlation Immune Functions
    3.6.1 Definition and Alternative Characterizations
    3.6.2 Siegenthaler's Inequality
    3.6.3 Asymptotic Enumeration of Correlation Immune Functions

4 Correlation Attacks
  4.1 CJS-Attacks
    4.1.1 The Basic Version
    4.1.2 Using Relations of Different Size
    4.1.3 How to Search Relations
    4.1.4 Extended Relation Classes
    4.1.5 Twice Step Decoding
    4.1.6 Evaluation of the Relations
  4.2 Attacks Based on Convolutional Codes
    4.2.1 Introduction to Convolutional Codes
    4.2.2 Decoding Convolutional Codes
    4.2.3 Application to Cryptography
  4.3 Attacking LFSRs with Sparse Feedback Polynomials

5 BDD-Based Attacks
  5.1 Binary Decision Diagrams
    5.1.1 Ordered BDDs
    5.1.2 Free BDDs
  5.2 An Example of a BDD-Based Attack
    5.2.1 The Cipher E0
    5.2.2 Attacking E0

6 Algebraic Attacks
  6.1 Tools for Solving Non-linear Equations
    6.1.1 Gröbner Bases
    6.1.2 Linearization
  6.2 Pre-processing Techniques for Algebraic Attacks
    6.2.1 Reducing the Degree
    6.2.2 Dealing with Combiners with Memory
  6.3 Real World Examples
    6.3.1 LILI-128
    6.3.2 E0

7 Irregular Clocked Shift Registers
  7.1 The Stop-and-Go Generator and the Step-Once-Twice Generator
  7.2 The Alternating Step Generator
  7.3 The Shrinking Generator
    7.3.1 Description of the Cipher
    7.3.2 Linear Complexity of the Shrinking Generator
    7.3.3 Correlation Attacks Against the Shrinking Generator
  7.4 Side Channel Attacks

Part II  Some Special Ciphers

8 The Security of Mobile Phones (GSM)
  8.1 The GSM Protocol
  8.2 A5/2
    8.2.1 Description of A5/2
    8.2.2 An Instance of a Ciphertext-Only Attack
    8.2.3 Other Attacks Against A5/2
  8.3 A5/1
    8.3.1 Description of A5/1
    8.3.2 Time-Memory Trade-off Attacks
    8.3.3 Correlation Attacks

9 RC4 and Related Ciphers
  9.1 Description of RC4
  9.2 Application of RC4 in WLAN Security
    9.2.1 The WEP Protocol
    9.2.2 The WPA Protocol
    9.2.3 A Weakness Common to Both Protocols
  9.3 Analysis of the RC4 Key Scheduling
    9.3.1 The Most Likely and Least Likely RC4 Permutation
    9.3.2 Discarding the First RC4 Bytes
  9.4 Chosen IV Attacks
    9.4.1 Initialization Vector Precedes the Main Key
    9.4.2 Variants of the Attack
    9.4.3 Initialization Vector Follows the Main Key
  9.5 Attacks Based on Golić's Correlation
    9.5.1 Initialization Vector Follows the Main Key
    9.5.2 Initialization Vector Precedes the Main Key
    9.5.3 Attacking RC4 with the First n Bytes Discarded
    9.5.4 A Ciphertext-Only Attack
  9.6 State Recovering Attacks
  9.7 Other Attacks on RC4
    9.7.1 Digraph Probabilities
    9.7.2 Fortuitous States
  9.8 RC4 Variants
    9.8.1 An RC4 Variant for 32-Bit Processors
    9.8.2 RC4A
    9.8.3 Modifications to Avoid Known Attacks

10 The eStream Project
  10.1 Trivium
  10.2 Rabbit
  10.3 Mosquito and Moustique

11 The Blum-Blum-Shub Generator and Related Ciphers
  11.1 Cryptographically Secure Pseudo-random Generators
  11.2 The Blum-Blum-Shub Generator
  11.3 Implementation Aspects
  11.4 Extracting Several Bits per Step
  11.5 The RSA Generator and the Power Generator
  11.6 Generators Based on Other Hard Problems
  11.7 Unconditionally Secure Pseudo-random Sequences

Part III  Mathematical Background

12 Computational Aspects
  12.1 Bit Tricks
    12.1.1 Infinite 2-adic Expansions
    12.1.2 Sideway Addition
    12.1.3 Sideway Addition for Arrays
  12.2 Binary Decision Diagrams, Implementation Aspects
    12.2.1 Memory Management
    12.2.2 Implementation of the Basic Operations
    12.2.3 Implementation of Reordering Algorithms
    12.2.4 Emulating a BDD Base
  12.3 The O-Notation
  12.4 The Complexity Classes P and NP
  12.5 Fast Linear Algebra
    12.5.1 Matrix Multiplication
    12.5.2 Other Matrix Operations
    12.5.3 Wiedemann's Algorithm and Black Box Linear Algebra

13 Number Theory
  13.1 Basic Results
  13.2 The Group (Z/nZ)×
  13.3 The Prime Number Theorem and Its Consequences
  13.4 Zsigmondy's Theorem
  13.5 Quadratic Residues
  13.6 Lattice Reduction

14 Finite Fields
  14.1 Basic Properties
  14.2 Irreducible Polynomials
  14.3 Primitive Polynomials
  14.4 Trinomials
  14.5 The Algebraic Normal Form

15 Statistics
  15.1 Measure Theory
  15.2 Simple Tests
    15.2.1 The Variation Distance
    15.2.2 The Test Problem
    15.2.3 Optimal Tests
    15.2.4 Bayesian Statistics
  15.3 Sequential Tests
    15.3.1 Introduction to Sequential Analysis
    15.3.2 Martingales
    15.3.3 Wald's Sequential Likelihood Ratio Test
    15.3.4 Brownian Motion
    15.3.5 The Functional Central Limit Theorem

16 Combinatorics
  16.1 Asymptotic Calculations
  16.2 Permutations
  16.3 Trees

Part IV  Exercises with Solutions

17 Exercises
  17.1 Proposals for Programming Projects

18 Solutions

Part V  Programs

19 An Overview of the Programs

20 Literate Programming
  20.1 Introduction to Literate Programming
  20.2 Pweb Design Goals
  20.3 Pweb Manual
    20.3.1 Structure of a WEB-Document
    20.3.2 Text Sections
    20.3.3 Code Sections and Modules
    20.3.4 Macros
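The preface contrasts block ciphers with stream ciphers, whose security rests entirely on how the internal state is updated, and Part I of the contents is built around linear feedback shift registers and their linear complexity (Section 2.4, the Berlekamp-Massey algorithm). The following is an added example, not code from the book or from its accompanying program library: a 16-bit LFSR used directly as a keystream generator, and a known-plaintext attack that recovers the whole keystream, and the feedback polynomial along with it, from 2L keystream bits using Berlekamp-Massey. The seed, the message and the feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 are assumptions chosen here for illustration; the bit ordering is MSB-first.

```python
"""Added example (not from Klein's book or its program library): a bare
16-bit LFSR used directly as a stream cipher, and the known-plaintext attack
with the Berlekamp-Massey algorithm that recovers the whole keystream from
2L keystream bits.  Seed, message and feedback polynomial are assumptions
chosen for illustration.
"""

# Connection coefficients c_1..c_16 of s_n = c_1 s_{n-1} ^ ... ^ c_16 s_{n-16}.
# Ones at 2, 3, 5 and 16 encode the (assumed) feedback polynomial
# x^16 + x^14 + x^13 + x^11 + 1, i.e. s_{n+16} = s_{n+14} ^ s_{n+13} ^ s_{n+11} ^ s_n.
COEFFS = [1 if i in (2, 3, 5, 16) else 0 for i in range(1, 17)]

SEED = [int(b) for b in "1011001110001011"]  # secret key (constructed)
MESSAGE = b"ATTACK AT DAWN. The rest of this message is secret."  # constructed


def lfsr_keystream(coeffs, seed, nbits):
    """Keystream s_0, s_1, ... of the GF(2) linear recurrence given by
    coeffs = [c_1..c_L], started from seed = [s_0..s_{L-1}]."""
    L = len(coeffs)
    if len(seed) != L:
        raise ValueError("seed length must equal register length")
    s = list(seed)
    while len(s) < nbits:
        n = len(s)
        bit = 0
        for i in range(1, L + 1):
            if coeffs[i - 1]:
                bit ^= s[n - i]
        s.append(bit)
    return s[:nbits]


def bytes_to_bits(data):
    """MSB-first bit list of a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encrypt(plaintext, coeffs=COEFFS, seed=SEED):
    """Stream-cipher encryption: plaintext XOR keystream.  Decryption is the
    same call applied to the ciphertext."""
    bits = bytes_to_bits(plaintext)
    return bits_to_bytes(xor_bits(bits, lfsr_keystream(coeffs, seed, len(bits))))


def berlekamp_massey(bits):
    """Shortest LFSR generating `bits`.  Returns (L, [c_1..c_L]): the linear
    complexity and the connection coefficients (Massey's 1969 algorithm)."""
    n = len(bits)
    C = [1] + [0] * n   # current connection polynomial, C[0] = 1
    B = [1] + [0] * n   # connection polynomial before the last length change
    L, m = 0, 1         # current length; steps since that change
    for i in range(n):
        d = bits[i]     # discrepancy: does the current LFSR predict bit i?
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for j in range(n + 1 - m):      # C(x) ^= x^m * B(x)
            C[j + m] ^= B[j]
        if 2 * L <= i:                  # the register has to grow
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[1:L + 1]


def known_plaintext_attack(ciphertext, known_prefix):
    """The attacker knows only the first len(known_prefix) bytes of the
    plaintext: neither the seed nor the feedback polynomial."""
    c_bits = bytes_to_bits(ciphertext)
    known_ks = xor_bits(bytes_to_bits(known_prefix), c_bits)
    L, coeffs = berlekamp_massey(known_ks)
    if len(known_ks) < 2 * L:
        raise ValueError("fewer than 2L keystream bits: LFSR not unique")
    # Run the recovered register from the first L keystream bits.
    ks = lfsr_keystream(coeffs, known_ks[:L], len(c_bits))
    return L, coeffs, bits_to_bytes(xor_bits(c_bits, ks))


if __name__ == "__main__":
    ct = encrypt(MESSAGE)
    L, coeffs, recovered = known_plaintext_attack(ct, MESSAGE[:4])  # 32 bits = 2L
    print("linear complexity:", L)
    print("recovered plaintext:", recovered)
```

Four known plaintext bytes (32 keystream bits, exactly 2L for a 16-bit register) are enough to recover the register and decrypt the remaining 47 bytes, which is why a linear generator is only ever a building block in Part I and is combined with non-linear functions or irregular clocking before use. The `len(known_ks) < 2 * L` check is the practitioner's caveat: with fewer than 2L bits Berlekamp-Massey still returns some LFSR, but not necessarily the one that produced the keystream.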
