
Applications to Stream Ciphers

Chapter in: Algebra for Cryptologists

Abstract

In this chapter, after some general observations on stream ciphers and block ciphers and on the fundamental concept of entropy as defined in Information Theory, we apply our ideas of finite fields to linear feedback shift registers (LFSRs), a frequent component of stream cipher designs. We also discuss methods in which LFSRs are used, which brings us to the problems involved in stream cipher design, and then provide a survey of such design methods.


Notes

  1. IEEE Press, New York, 1992.

  2. In this respect one may think of a keystream generator as a pseudorandom sequence generator. But this is only partially true. For a pseudorandom generator, e.g. one used in Monte Carlo methods, it does not matter whether the sequence is predictable or whether, given a state, the previous or subsequent states of the generator can be found. But for a keystream generator this should be impossible. Ideally, knowing a small part of the message, e.g. “Dear Sir”, should not enable an attacker to find out anything more of its contents.

  3. If any! We warn the reader here that there appears to be consensus in the cryptological community that self-synchronising stream ciphers are inherently weak. The eStream project (see Sect. 7.9) failed to find an acceptable one, and there is currently no standardisation body such as ISO/IEC or IEEE which has approved a self-synchronising cipher, other than block ciphers in CFB mode. In such cases the self-synchronising property does not hold if block boundaries are lost.

  4. Two exceptions are the paper by Daemen, Govaerts and Vandewalle: Resynchronization weaknesses in synchronous stream ciphers, in the Proceedings of Eurocrypt ’93 (LNCS 765, Springer-Verlag, 1994) and, 10 years later, Armknecht, F., Lano, J. and Preneel, B.: Extending the resynchronization attack, Proc. SAC 2004, LNCS 3357, Springer-Verlag 2005.

  5. Proc. SAC 2000, LNCS 2012, pp. 233–247, Springer-Verlag 2001.

  6. Shannon, Claude E.: A mathematical theory of communication, Bell System Tech. J. 27 (1948), pp. 379–423 and 623–656. This paper represents the start of the mathematical and engineering discipline of Information Theory, of which Shannon is seen as the “father”.

     The following exposition is heavily based on the excellent treatment in the book by D. Welsh: Codes and Cryptography; Oxford University Press, 1988.

     If you will pardon a very personal note: these two, reading Shannon’s paper and some years later the book by Welsh, are what got me hooked on Cryptology.

  7. We have used the natural logarithm ln in the proof. This makes no difference to the conclusion: recall that \(\log _{2}(x) = \frac{\ln (x)} {\ln (2)}\).

  8. “Texting”, which turns “See you tomorrow” into “C u 2morro”, shows the reduction of such redundancy.

  9. To which we return, for completely different reasons, in Sect. 9.3.

  10. Kelsey, J.: Compression and information leakage of plaintext; Proc. FSE 2002, LNCS 2365, Springer-Verlag, pp. 263–276. A little earlier, in Benedetto, D., Caglioti, E. and Loreto, V.: Language trees and zipping, published on-line as arXiv:cond-mat/0108530v2, the authors showed how to determine, from the zipped version of a document, the language in which the original was written.

  11. Johnson, M., Ishwar, P., Prabhakaran, V., Schonberg, D. and Ramchandran, K.: On compressing encrypted data, IEEE Trans. Signal Processing 52 (2004), pp. 2992–3006.

  12. Webpage of the Centre for Discrete Mathematics and Theoretical Computer Science, University of Auckland, New Zealand. Accessed 24 October 2015.

  13. We need to warn the unwary that a code is not the same as a cipher, contrary to popular usage. In coding data there is no intention of preserving secrecy or authenticity. See also the footnote in Sect. 7.6.3. There is more about codes in Sect. 9.5.

  14. Shannon, C.E.: Communication Theory of Secrecy Systems, Bell System Techn. J. 28, pp. 657–715 (1949).

  15. More generally, the \(s_{i}\) could come from any set, such as a field \(\mathbb{F}\), in which case the function \(f\) would be a function mapping \(\mathbb{F}^{n}\) to \(\mathbb{F}\). In that case the cells would hold elements of \(\mathbb{F}\) as well. We discuss only the case where \(\mathbb{F} = GF(2)\).

  16. Sic. Not to be confused with linear differential equations, even though there are some beautiful analogies between the two theories.

  17. In general one should not “prove” mathematical results from examples. On the other hand, a mathematical proof is not very helpful when considering applications, unless it helps clarify matters. In this case, I don’t believe that rigorous proofs would contribute to understanding, and I have recourse to the fact that we are only interested in applying all this stuff. But please don’t tell anyone.

  18. These go all the way back to 1967: Golomb, S.W.: Shift Register Sequences, Holden-Day, San Francisco, 1967.

  19. \(1 + \alpha^{l} = \alpha^{m}\) for some \(m\), because \(\alpha\) is a primitive element.
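The two notes above (15 and 19) state, without a worked instance, that an LFSR over GF(2) has a linear feedback function and that a primitive element \(\alpha\) satisfies \(1 + \alpha^{l} = \alpha^{m}\) for some \(m\). The following Python is an added example, not code from the book: it builds GF(2^4) and a 4-cell binary LFSR from the same polynomial, so the reader can see both facts on one object. The choice of \(x^{4} + x + 1\) (primitive over GF(2), so \(\alpha = x\) has order 15) and all function names are this example's own assumptions.

```python
# Added example, not from the book: a binary LFSR and the field GF(2^4) built
# from the same primitive polynomial, illustrating the GF(2) case of note 15
# and the relation 1 + alpha^l = alpha^m of note 19.
# Assumption (constructed for illustration): the feedback polynomial is
# x^4 + x + 1, which is primitive over GF(2), so alpha = x has order 2^4 - 1 = 15.

from typing import List, Optional

N = 4                 # register length and field extension degree
POLY = 0b10011        # x^4 + x + 1 as a bit vector (bit i = coefficient of x^i)
ALPHA = 0b10          # the element x, a root of POLY in GF(2^4)


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^N), written as bit vectors of polynomials
    over GF(2), reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:          # degree reached N: subtract (= add) POLY
            a ^= POLY
    return r


def powers_of_alpha() -> List[int]:
    """alpha^0, alpha^1, ... up to (not including) the first repeat.
    alpha is primitive iff this list has 2^N - 1 entries, i.e. every nonzero
    field element is a power of alpha."""
    pw: List[int] = []
    x = 1
    while x not in pw:
        pw.append(x)
        x = gf_mul(x, ALPHA)
    return pw


def zech_log(l: int) -> Optional[int]:
    """Return m with 1 + alpha^l = alpha^m (note 19).  Because alpha is
    primitive such an m exists for every l, except when alpha^l = 1: then
    1 + alpha^l = 0, which is not a power of alpha, and None is returned."""
    pw = powers_of_alpha()
    target = 1 ^ pw[l % len(pw)]       # addition in GF(2^N) is XOR
    return pw.index(target) if target else None


def lfsr_output(init: List[int], length: int) -> List[int]:
    """Binary LFSR with characteristic polynomial POLY.  The cells hold
    elements of GF(2) and the feedback function f: GF(2)^N -> GF(2) is linear:
    s_{t+N} = sum_i c_i * s_{t+i} (mod 2), c_i the coefficients of POLY."""
    coeffs = [(POLY >> i) & 1 for i in range(N)]
    s = list(init)
    for t in range(length - N):
        s.append(sum(c * s[t + i] for i, c in enumerate(coeffs)) % 2)
    return s[:length]


def period(init: List[int]) -> int:
    """Smallest p with s_{t+p} = s_t for the sequence from this initial state.
    A primitive characteristic polynomial gives the maximal period 2^N - 1
    from every nonzero state."""
    seq = lfsr_output(init, 4 * 2 ** N)
    for p in range(1, 2 ** N + 1):
        if all(seq[t] == seq[t + p] for t in range(len(seq) - p)):
            return p
    raise ValueError("no period found")


if __name__ == "__main__":
    print("alpha primitive:", len(powers_of_alpha()) == 2 ** N - 1)
    print("1 + alpha^1 = alpha^%d" % zech_log(1))
    print("period from state 1000:", period([1, 0, 0, 0]))
```

With this polynomial the register started from state 1000 produces the m-sequence 100010011010111 of period 15, containing 8 ones, and the table of powers of \(\alpha\) gives, for instance, \(1 + \alpha = \alpha^{4}\) (this is just \(x^{4} = x + 1\) read in the field) and \(1 + \alpha^{2} = \alpha^{8}\).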

  20. A known plaintext attack, as the name suggests, is an attack in which the cryptanalyst tries to find the key used, having available some plaintext and the corresponding ciphertext. This is a much more common event than one might at first imagine, because of the ubiquity of common headers in files and messages, such as #include <stdio.h> in C code, and “Dear Sir” in letters. A common piece of plaintext used by the cryptanalysts at Bletchley Park reading the German Enigma traffic during World War II was “Nothing to report”, or, more probably, “Nichts zu melden”.

  21. This terminology is now so well established that there is no reasonable hope of changing it. It is nevertheless unfortunate: codes are employed in communication in order to reduce bandwidth or, more commonly nowadays, to enable the receiver to correct random errors introduced in the transmission process. However, when it comes to authentication, what is needed is protection against changes in the message deliberately introduced by an intelligent adversary, which won’t be random at all. Thus a MAC is not a code in the technical sense.

  22. CBC is one of the recognised modes of operation of block ciphers. Let the message consist of n-bit blocks \(P_{1}, P_{2}, \ldots, P_{m}\), and denote the encryption function (with block length n) using key K by \(E_{K}\). The encryption of the message is the sequence of ciphertext blocks \(C_{0}, C_{1}, \ldots, C_{m}\), where \(C_{0}\) is some initial value, and

      $$\displaystyle{C_{i} = E_{K}(C_{i-1} \oplus P_{i})\ \ \mathrm{for}\ \ i = 1,\ldots,m.}$$

      Decryption is obvious:

      $$\displaystyle{P_{i} = D_{K}(C_{i}) \oplus C_{i-1}.}$$

      Note that if \(P_{i}\) is modified, then all ciphertext blocks from the \(i\)th one onwards are changed. This diffusion property probably explains its popularity in designs of MACs.
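Note 22 gives the CBC equations and the diffusion property that makes the mode attractive for MAC constructions. The Python below is an added example, not code from the book: it implements exactly the two formulas above and then checks, block by block, which ciphertext blocks change when one plaintext block is edited. Because the structure, not the cipher, is the point, \(E_{K}\) is replaced by a constructed toy one-byte keyed permutation with no cryptographic strength; that stand-in, the sample key, the initial value and the plaintext "Dear Sir" are all this example's own assumptions.

```python
# Added example, not from the book: CBC encryption and decryption exactly as in
# note 22, run with a toy one-byte block cipher so the diffusion property can
# be observed block by block.
# Assumption (constructed for illustration only): E_K is a key-seeded random
# permutation of the 256 byte values; it has no cryptographic strength and
# stands in for a real block cipher purely to make the mode's structure visible.

import random
from typing import Callable, List, Tuple

Block = int                          # one n-bit block, here n = 8


def make_toy_cipher(key: int) -> Tuple[Callable[[Block], Block], Callable[[Block], Block]]:
    """Return (E_K, D_K): a keyed permutation of byte values and its inverse."""
    table = list(range(256))
    random.Random(key).shuffle(table)       # deterministic for a given key
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return (lambda p: table[p]), (lambda c: inverse[c])


def cbc_encrypt(E, c0: Block, plaintext: List[Block]) -> List[Block]:
    """C_i = E_K(C_{i-1} xor P_i) for i = 1..m; returns [C_0, C_1, ..., C_m]."""
    c = [c0]
    for p in plaintext:
        c.append(E(c[-1] ^ p))
    return c


def cbc_decrypt(D, ciphertext: List[Block]) -> List[Block]:
    """P_i = D_K(C_i) xor C_{i-1}; ciphertext[0] is the initial value C_0."""
    return [D(ciphertext[i]) ^ ciphertext[i - 1] for i in range(1, len(ciphertext))]


def changed_indices(a: List[Block], b: List[Block]) -> List[int]:
    """Positions at which two equal-length block sequences differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def plaintext_diffusion(key: int, c0: Block, plaintext: List[Block], i: int) -> List[int]:
    """Flip one bit of P_i (1-based) and report which ciphertext blocks change.
    Since E_K is a bijection the change reaches C_i, C_{i+1}, ..., C_m."""
    E, _ = make_toy_cipher(key)
    modified = list(plaintext)
    modified[i - 1] ^= 0x01
    return changed_indices(cbc_encrypt(E, c0, plaintext), cbc_encrypt(E, c0, modified))


def ciphertext_error_propagation(key: int, c0: Block, plaintext: List[Block], i: int) -> List[int]:
    """Flip one bit of C_i after encryption and report which decrypted blocks
    (0-based) change: only P_i and P_{i+1}, because C_i appears in the
    decryption formula for those two blocks only."""
    E, D = make_toy_cipher(key)
    c = cbc_encrypt(E, c0, plaintext)
    damaged = list(c)
    damaged[i] ^= 0x01
    return changed_indices(cbc_decrypt(D, c), cbc_decrypt(D, damaged))


# Constructed sample input: the guessable header mentioned in notes 2 and 20.
SAMPLE_KEY = 7
SAMPLE_IV = 0x5A
SAMPLE_PT = list(b"Dear Sir")          # m = 8 one-byte blocks

if __name__ == "__main__":
    E, D = make_toy_cipher(SAMPLE_KEY)
    c = cbc_encrypt(E, SAMPLE_IV, SAMPLE_PT)
    print("round trip ok:", cbc_decrypt(D, c) == SAMPLE_PT)
    print("ciphertext blocks changed by editing P_3:",
          plaintext_diffusion(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PT, 3))
    print("plaintext blocks hit by damaging C_3:",
          ciphertext_error_propagation(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PT, 3))
```

Editing \(P_{3}\) changes \(C_{3}\) through \(C_{8}\) and nothing before, which is the diffusion the note describes, and it is why the last ciphertext block can serve as a tag over the whole message. The second function shows the asymmetry a practitioner should keep in mind: in the decryption direction a damaged \(C_{i}\) disturbs only \(P_{i}\) and \(P_{i+1}\), so CBC decryption alone does not detect tampering; the integrity check has to come from recomputing the encryption chain.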

  23. In what follows we shall largely follow the exposition of J.L. Massey in a set of notes used in lectures offered at the University of Pretoria in 1991.

  24. In his article on stream ciphers in the book edited by Gustavus Simmons, which we referenced in footnote 1 of this chapter.

  25. The designer who breaks his own cipher at the time of designing it, though not completely unknown, remains an exception.

  26. Robshaw, M. and Billet, O. (eds.): New Stream Cipher Designs, LNCS 4986, Springer-Verlag, 2008.

  27. “Stream cipher design has traditionally focussed on bit-based linear feedback registers (LFSRs), as these are well studied and produce sequences which satisfy common statistical criteria.” Dawson, E., Henricksen, M. and Simpson, L.: The Dragon stream cipher: Design, analysis and implementation issues; in Robshaw and Billet, op. cit., pp. 20–38.

  28. The reader may also wish to read Alex Biryukov’s article Block Ciphers and Stream Ciphers: The State of the Art, now somewhat dated, obtainable at https://eprint.iacr.org/2004/094.ps.

  29. In their analysis of stream cipher designs (Braeken, A. and Lano, J.: On the (im)possibility of practical and secure nonlinear filters and combiners, Proc. Selected Areas in Cryptography 2005, LNCS 3897, Springer-Verlag, pp. 159–174) Braeken and Lano suggest that this is a good reason to prefer ciphers based on these constructions when considering dedicated stream ciphers. They also come to the conclusion that using nonlinear filters is more practical than using combiners.

  30. This is frequently referred to in the cryptological literature as the “algebraic degree” or even the “(algebraic or nonlinear) order”. The word “algebraic” appears to be unnecessary, redundant and superfluous, to coin a phrase. There also appears to be no reason to use the overworked word “order” when mathematicians have happily agreed on the term “degree”.

  31. This theorem, which we shall not prove, is due to E.L. Key, and appeared in an article entitled An analysis of the structure and complexity of nonlinear binary sequence generators, IEEE Trans. Info. Th. IT-22 (1976).

  32. T. Siegenthaler: Correlation-immunity of nonlinear combining functions for cryptographic applications, IEEE Transactions on Information Theory, 30, 1984, pp. 776–780. It is an interesting observation by M. Liu, P. Lu and G.L. Mullen in their paper Correlation-immune functions over finite fields, IEEE Transactions on Information Theory, 44, 1998, pp. 1273–1276, that this trade-off is only a problem if one works in the finite fields GF(2) or GF(3).

  33. There is a technique which uses so-called “Gröbner bases” for solving Boolean equations of high degree. However, it does not appear to have lived up to the original expectations. Using Gröbner bases still seems to lead to very high complexity. But we shall return to the stated assumption when we discuss “algebraic immunity” of Boolean functions.

  34. See R.J. Anderson: Tree functions and cipher systems, Cryptologia 15, 1991, pp. 194–202; and W. Millan, E.P. Dawson and L.J. O’Connor: Fast attacks on tree-structured ciphers, Electronics Letters 30 (1994), pp. 941–943.

  35. Anderson, R.J.: Searching for the optimum correlation attack; Proc. Fast Software Encryption 2005, LNCS 1008, Springer-Verlag 2005.

  36. T. Siegenthaler: Correlation immunity of nonlinear combining functions for cryptographic applications, IEEE Trans. Info. Th. IT-30, 1984, pp. 776–780.

  37. Meier, W. and Staffelbach, O.: Fast correlation attacks on certain stream ciphers, J. Cryptology 1, 1989, pp. 159–176.

  38. J.D. Golić: On the security of nonlinear filter generators; Proc. Fast Software Encryption ’96, LNCS 1039, Springer-Verlag 1996, pp. 173–188.

  39. Loc. cit., supra.

  40. The following quotation from a paper by Alex Biryukov: Block ciphers and stream ciphers: The state of the art (https://eprint.iacr.org/2004/094.ps), may be relevant here:

      Prior to design of DES stream ciphers [were] ruling the world of encryption, either rotor machines (like Hagelin or Enigma), or secret military hardware-based designs using LFSRs all belonged to this class. Appearance of fast block ciphers has caused a shift of interest, due to convenience of use of block ciphers in various protocols, including stream-like behavior which can be obtained via modes of operation in counter, OFB or CBC, as well as due to a shift from hardware to software designs.

      Still in cases where there is a need to encrypt large quantities of fast streaming data one would like to use a stream cipher. Popular trends in design of stream ciphers is to turn to block-wise stream ciphers (i.e. output is a block of bits, either a byte or 32-bits instead of a single bit) like RC4, SNOW 2.0, SCREAM, oriented towards fast software implementation. Stream ciphers which use parts of block-cipher like rounds intermixed with more traditional LFSR-like structure (MUGI, SCREAM).[sic]

  41. Due to Beth and Piper: Beth, T. and Piper, F.: The stop-and-go generator; Proc. Eurocrypt ’84, LNCS 209, Springer-Verlag.

  42. A.J. Menezes, P.C. van Oorschot and S.A. Vanstone: Handbook of Applied Cryptography, CRC Press, 1996. I am not aware of any more recent results about this cipher.

  43. Coppersmith, D., Krawczyk, H. and Mansour, Y.: The shrinking generator, Proc. Eurocrypt ’93, LNCS 765, Springer-Verlag 1994.

  44. Ekdahl, P., Meier, W. and Johansson, T.: Predicting the shrinking generator with fixed connections, Proc. Eurocrypt 2003, Springer-Verlag.

  45. This proposal emanates from a paper, available on the Internet, The (a,b)-shrinking generator by A.A. Kanso of the King Fahd University of Petroleum and Minerals, Haid, Saudi Arabia. Dr. Kanso’s Ph.D. thesis, in which this design also appears, is available on the website of the Royal Holloway, University of London, Information Security Group.

  46. W. Meier and O. Staffelbach: The self-shrinking generator, Proc. Eurocrypt ’94, LNCS 950, Springer-Verlag, 1995.

  47. Mihaljević, M.J.: A faster cryptanalysis of the self-shrinking generator, Proc. ACISP ’96, LNCS 172, Springer-Verlag.

  48. Zenner, E., Krause, M. and Lucks, S.: Improved cryptanalysis of the self-shrinking generator; Proc. ACISP 2001, LNCS 2119, Springer-Verlag, pp. 21–35.

  49. Gouget, A. and Sibert, H.: The Bitsearch generator, Proc. State of the Art in Stream Ciphers Workshop 2004, pp. 60–68.


© 2016 Springer International Publishing Switzerland


Cite this chapter

Meijer, A.R. (2016). Applications to Stream Ciphers. In: Algebra for Cryptologists. Springer Undergraduate Texts in Mathematics and Technology. Springer, Cham. https://doi.org/10.1007/978-3-319-30396-3_7
