Session 1
Stream ciphers 1
Introduction
• If the level of security required is not the highest one, a stream cipher can be used instead of the Vernam cipher.
• Stream cipher
– A deterministic algorithm produces a pseudonoise sequence (PN-sequence)
• It satisfies the 3 Golomb’s postulates.
– The key is short – much shorter than the plaintext – which makes it practical.
Figure (stream cipher): in the transmitter, the key drives a deterministic algorithm that produces the keystream symbols $z_i$, and the ciphertext symbol $y_i = x_i \oplus z_i$ is sent over the communication channel; in the receiver, the same deterministic algorithm with the same key produces the same $z_i$ and recovers $x_i = y_i \oplus z_i$.
Linear feedback shift registers
• LFSR theory is developed enough to
enable thorough analysis of the properties
of the output sequence of a PN sequence
generator containing LFSRs.
• Because of that, the vast majority of PN
generators are designed by combining
LFSRs and non-linear Boolean functions.
• A linear feedback shift register (LFSR):
– n single-symbol memory cells (stages)
– A linear feedback function – to express each
new symbol of the output sequence as a
linear function of the n previous symbols
• The contents of the flip-flops (stages) are shifted one position at every clock pulse.
Figure: an LFSR of n stages with feedback function g – g is linear!
• The state of the register – the contents of
the stages between two clock pulses
• The initial state – the contents of the
stages at the moment of the beginning of
the process
• The state diagram of an LFSR is never singular, because the linear feedback function satisfies the non-singularity condition:
$a_t = g(a_{t-1}, a_{t-2}, \ldots, a_{t-n+1}) \oplus a_{t-n}$
• The maximum possible period of the output sequence is $2^n - 1$.
• The all-zero initial state is not used, because in that case only the all-zero sequence would be produced.
• The key – the initial contents of the LFSR.
• The feedback function g of an LFSR is a linear recurrence – the output sequences are linear recurring sequences of order n:
$a_t = c_1 a_{t-1} \oplus c_2 a_{t-2} \oplus \cdots \oplus c_n a_{t-n}$, $\quad c_i \in \{0, 1\}$, $c_n = 1$
• It is possible to associate the characteristic (feedback) polynomial to every linear recurrence:
$f(x) = 1 + c_1 x + c_2 x^2 + \cdots + c_n x^n$
• Analysis of the properties of the output sequence is made easier in this way.

Example: An LFSR of length 4.
Linear recurrence: $a_t = a_{t-1} \oplus a_{t-4}$
Feedback polynomial: $f(x) = 1 + x + x^4$
Initial state: 1 0 0 0
Successive states (the new symbol enters at the left):
1 0 0 0
1 1 0 0
1 1 1 0
1 1 1 1
0 1 1 1
1 0 1 1
0 1 0 1
1 0 1 0
Generated sequence: 1 1 1 0 1 0 1 ……
• The characteristics of the output sequence
of the LFSR depend on the characteristics
of the feedback polynomial
• The feedback polynomial can be:
– reducible
– irreducible
– primitive
Example 1: Reducible feedback polynomial
$x^4 + x^2 + 1 = (x^2 + x + 1)(x^2 + x + 1)$
State cycles (one cycle per line, of lengths 1, 3, 6 and 6):
0000
0110 → 1011 → 1101 → 0110
0001 → 1000 → 0100 → 1010 → 0101 → 0010 → 0001
0011 → 1001 → 1100 → 1110 → 1111 → 0111 → 0011
• LFSRs with reducible feedback polynomial:
– The length of the output sequence depends on
the initial state
– Not adequate for use in cryptography
Example 2: Irreducible feedback polynomial
State cycles (one cycle per line, each of length 5):
0000
1111 → 0111 → 1011 → 1101 → 1110 → 1111
0001 → 1000 → 1100 → 0110 → 0011 → 0001
0010 → 1001 → 0100 → 1010 → 0101 → 0010
• LFSRs with irreducible feedback polynomial:
– The length of the output sequence does not
depend on the initial state (except the all-zero
state)
– The period T is a factor of $2^L - 1$, where L is the length of the LFSR
– Not adequate for use in cryptography
Example 3: Primitive feedback polynomial
State cycles: 0000 on its own, and a single cycle through all 15 non-zero states:
1000 → 1100 → 1110 → 1111 → 0111 → 1011 → 0101 → 1010 → 1101 → 0110 → 0011 → 1001 → 0100 → 0010 → 0001 → 1000
PN-sequence (m-sequence): 111010110010001 ….. – the maximum possible period for this type of generator.
• LFSRs with primitive feedback polynomial:
– The length of the sequence does not depend on
the initial state (except the all-zero state)
– The period is $2^L - 1$
– Adequate for use in cryptography, because the output sequence satisfies all the Golomb’s postulates
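The three examples above as an added worked example (Python written for this transcript, not code from the slides): the register is driven by the feedback polynomial of slide 11, and its $2^L$ states are split into cycles, reproducing the cycle lengths 1, 3, 6, 6 (reducible), 1, 5, 5, 5 (irreducible) and 1, 15 (primitive). The polynomial $x^4 + x^3 + x^2 + x + 1$ used for the irreducible case is my own choice, since the slides do not name the polynomial of example 2.

```python
# Added example: a Fibonacci LFSR over GF(2) driven by its feedback polynomial
# f(x) = 1 + c1 x + ... + cL x^L (slide 11), plus the decomposition of its 2^L
# states into cycles, which is what examples 1-3 of the slides draw.

def taps_of(f):
    """f given as an int with bit i = c_i (e.g. 0b10011 is 1 + x + x^4).
    Returns (taps, L): the i with c_i = 1 and the register length L."""
    L = f.bit_length() - 1
    return [i for i in range(1, L + 1) if (f >> i) & 1], L

def lfsr_step(state, taps, L):
    """One clock pulse. Bit L-i of `state` holds a_{t-i}, so the newest symbol
    is the leftmost one, as in the state tables of the slides. The new symbol
    a_t = XOR of a_{t-i} over the taps (slide 10) enters at the left and
    a_{t-L} drops out. Returns (new_state, a_t)."""
    a_t = 0
    for i in taps:
        a_t ^= (state >> (L - i)) & 1
    return (state >> 1) | (a_t << (L - 1)), a_t

def lfsr_sequence(init, taps, L, n):
    """The first n output symbols a_t, starting from the state `init`."""
    out, s = [], init
    for _ in range(n):
        s, a_t = lfsr_step(s, taps, L)
        out.append(a_t)
    return out

def cycle_lengths(taps, L):
    """Sorted lengths of the cycles into which the 2^L states split (c_L = 1
    makes the state diagram non-singular, slide 8, so every state is on one)."""
    seen, lengths = set(), []
    for start in range(1 << L):
        if start in seen:
            continue
        s, n = start, 0
        while s not in seen:
            seen.add(s)
            s, _ = lfsr_step(s, taps, L)
            n += 1
        lengths.append(n)
    return sorted(lengths)

if __name__ == "__main__":
    # 0b11111 = x^4+x^3+x^2+x+1 is my choice for the irreducible, non-primitive
    # case; the slides do not name the polynomial of their example 2.
    for f in (0b10101, 0b11111, 0b10011):
        taps, L = taps_of(f)
        print(bin(f), "cycle lengths:", cycle_lengths(taps, L))
    taps, L = taps_of(0b10011)   # PN-sequence of slide 18 from state 1000
    print("".join(map(str, lfsr_sequence(0b1000, taps, L, 15))))
```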
Linear feedback shift registers
• Thus, to use LFSRs in pseudorandom
sequence generators we need primitive
polynomials.
• How do we get them?
• We need some basic concepts of abstract
algebra – groups, rings, Galois fields.
Groups
• A group is an algebraic structure
consisting of a non-empty set G and a
binary operation $* : G \times G \to G$ such that the
following axioms of the group are satisfied:
– Closure
– Associativity
– Existence of the identity (neutral) element
– Existence of the inverse element for each
element of G.
• Closure: $\forall x, y \in G:\ x * y \in G$
• Associativity: $\forall x, y, z \in G:\ (x * y) * z = x * (y * z)$
• Existence of the neutral element: $\exists e \in G\ \forall x \in G:\ x * e = e * x = x$
• Existence of the inverse elements: $\forall x \in G\ \exists x^{-1} \in G:\ x * x^{-1} = x^{-1} * x = e$
• Multiplicative group - the operation * is the multiplication, i.e. “·”
– The identity element is 1
– The inverse element is $x^{-1}$
• Additive group - the operation * is the sum, i.e. “+”
– The identity element is 0
– The inverse element is –x
• Examples of additive groups:
– $\mathbb{Z}$, $\mathbb{Q}$, $\mathbb{R}$, $\mathbb{C}$
– $\forall n \in \mathbb{N}$: $\mathbb{Z}_n = \{0, 1, 2, \ldots, n - 1\}$, where the operation is the sum modulo n.
• Examples of multiplicative groups:
– $\mathbb{Q} \setminus \{0\}$, $\mathbb{R} \setminus \{0\}$
– $\forall n \in \mathbb{N}$: $\mathbb{Z}_n^* = \{1 \le x < n : \gcd(x, n) = 1\}$, where the operation is the multiplication modulo n
• If in the group G the operation * fulfils the commutative property, i.e.
$\forall x, y:\ x * y = y * x$
then G is a commutative or Abelian group
• If G is a finite group, the number of elements in G is called the order of G and is represented by #G.
• An element $g \in G$ is a generator of G if every element of G can be written as a power of g. G is then a cyclic group
• The cyclic group:
$G = \langle g \rangle = \{e = g^0, g^1, g^2, g^3, \ldots, g^n, \ldots\}$
• Example: show that 5 is a generator of $\mathbb{Z}_{12}$ (an additive group, so the “powers” of 5 are repeated sums)
$\mathbb{Z}_{12} = \{0, \ldots, 11\}$
$5^0 = e = 0$
$5^1 = 5$
$5^2 = 5 * 5 = 5 + 5 = 10$
$5^3 = 5 * 5 * 5 = 5 + 5 + 5 \bmod 12 = 3$
$5^4 = 3 + 5 = 8$
$5^5 = 8 + 5 \bmod 12 = 1$
$5^6 = 1 + 5 = 6$
$5^7 = 6 + 5 = 11$
$5^8 = 11 + 5 \bmod 12 = 4$
$5^9 = 4 + 5 = 9$
$5^{10} = 9 + 5 \bmod 12 = 2$
$5^{11} = 2 + 5 = 7$
• A nonempty subset H of G is called a subgroup of G if it is closed under the operation * and under inversion, i.e.
$\forall x, y \in H:\ x * y \in H,\ x^{-1} \in H$
• The Lagrange theorem:
– If G is a finite group and H is its subgroup, then #H divides #G, i.e.
$\#H \mid \#G$
• Examples:
– A group of order 8 can have subgroups of order 2 and 4, but not of order 3 or 6.
– A finite group whose order is a prime number cannot have proper non-trivial subgroups.
• The order of an element $g \in G$ of a finite group is the least positive integer k such that $g^k = e$.
• If k is the order of $g \in G$, then $\{e, g, g^2, \ldots, g^{k-1}\}$ is a subgroup of G.
• Corollary of the Lagrange theorem:
– In a finite group, the order of each element divides the order of the group.
• Example: a subgroup of $\mathbb{Z}_8$:
$\mathbb{Z}_8 = \{0, 1, 2, 3, 4, 5, 6, 7\}$, $e = 0$, $g = 2$
$2^1 = 2$
$2^2 = 2 + 2 = 4$
$2^3 = 2 + 2 + 2 = 6$
$2^4 = 6 + 2 \bmod 8 = 0 = e$
$\Rightarrow k = 4 \Rightarrow H = \{0, 2, 4, 6\}$
$\#H \mid \#G$, $k \mid \#G$
Rings
• A ring is an algebraic structure consisting of a non-empty set G and 2 binary operations called summation, i.e. “+”, and multiplication, i.e. “·”, such that the following holds:
– (G, +) is an abelian group
– The structure (G, ·): closure, associativity and the existence of the neutral element
– Multiplication distributes over addition, i.e.
$a(b + c) = ab + ac$
$(a + b)c = ac + bc$
Fields
• A field is an algebraic structure consisting of a non-empty set G and 2 binary operations called summation, i.e. “+”, and multiplication, i.e. “·”, such that the following holds:
– (G, +) is an abelian group – the additive group of the field
– (G \ {0}, ·) is an abelian group – the multiplicative group of the field
– Multiplication distributes over addition.
• Every field is a ring but the converse is not true
• The difference is
– The structure (G \ {0}, ·) of the field is a commutative group and in a general ring this is not required.
• Examples:
– Field of rational numbers $\mathbb{Q}$.
– If p is a prime number, then $\mathbb{Z}_p$ is a field
• $\mathbb{Z}_p$ is an additive commutative group.
• $\mathbb{Z}_p^*$ is a multiplicative commutative group.
Finite fields
• A finite field is a field with a finite number of elements, i.e. the set G is finite.
• Theorem (1)
– (i) The number of elements of a finite field F must be equal to the power of a prime number, i.e. $\#F = p^m$.
• p is the characteristic of the field.
• The field is represented by $GF(p^m)$ (Galois Field).
• Theorem (2)
– (ii) There is only one finite field of $p^m$ elements. If we fix an irreducible polynomial f(x) of degree m with coefficients in $\mathbb{Z}_p$, the elements of $GF(p^m)$ are represented as polynomials with coefficients in $\mathbb{Z}_p$ of degree < m, and the product of elements of $GF(p^m)$ is realized as the product of polynomials modulo f(x).
$GF(p^m) = \{\alpha_0 + \alpha_1 x + \alpha_2 x^2 + \cdots + \alpha_{m-1} x^{m-1} ;\ \alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_{m-1} \in \mathbb{Z}_p\}$
• The finite field $GF(p^m)$ is called the extension field of the field GF(p).
• Theorem:
– The multiplicative group of $GF(p^m)$ is cyclic, i.e. there is at least 1 generator $\alpha$ of all its elements.
• This generator $\alpha$ is called primitive element of the field $GF(p^m)$
• Example (1): p = 2, m = 3, $f(x) = x^3 + x + 1$, irreducible
– The elements of the field (1):
000, or 0
$\alpha^0 = 001$, or 1 in the polynomial notation
• The subsequent elements are obtained by multiplying the immediate predecessors by x and reducing modulo f(x), i.e.
$\alpha^1 = 010$, or x
$\alpha^2 = 100$, or $x^2$
• Example (2):
– The elements of the field (2):
• $\alpha^3 = x \cdot x^2 \bmod (x^3 + x + 1) = x + 1$, or 011
• $\alpha^4 = x(x + 1) = x^2 + x$, or 110
• $\alpha^5 = x(x^2 + x) \bmod (x^3 + x + 1) = x^2 + x + 1$, or 111
• $\alpha^6 = x(x^2 + x + 1) \bmod (x^3 + x + 1) = x^2 + 1$, or 101
Testing irreducibility
• The fundamental theorem of arithmetic:
– Every positive integer can be represented in a
unique way as a product of prime factors.
• Analogue in a GF:
– Every polynomial in a GF can be represented
in a unique way as a product of irreducible
factors.
• An irreducible polynomial has no factors except 1 and itself.
• Theorem
– If a polynomial f(x) of degree n in GF(q) does not have common factors with
$x^{q^k} - x \bmod f(x),\quad 1 \le k \le n/2$
then it is irreducible.
• To determine whether a given polynomial has common factors with some other polynomial we can use the Euclidean algorithm
• Example – polynomials in GF(2)
– Find $\gcd(x^5 + x^4 + x^2 + x,\ x^4 + x^3 + x^2 + x)$
$x^5 + x^4 + x^2 + x = x(x^4 + x^3 + x^2 + x) + (x^3 + x)$
$x^4 + x^3 + x^2 + x = (x + 1)(x^3 + x) + 0$
$\gcd(x^5 + x^4 + x^2 + x,\ x^4 + x^3 + x^2 + x) = x^3 + x$
• Example – Determine if the polynomial $f(x) = 1 + x + x^4$ in GF(2) is irreducible.
$n = 4 \Rightarrow k = 1, 2$
$k = 1$: $x^{2^1} \bmod (x^4 + x + 1) = x^2$, $\quad \gcd(x^2 + x,\ x^4 + x + 1) = 1$
$k = 2$: $x^{2^2} \bmod (x^4 + x + 1) = x + 1$, $\quad \gcd(x + 1 + x,\ x^4 + x + 1) = \gcd(1,\ x^4 + x + 1) = 1$
Irreducible
• Example – Determine if the polynomial $f(x) = 1 + x^2 + x^4$ in GF(2) is irreducible.
$n = 4 \Rightarrow k = 1, 2$
$k = 1$: $x^{2^1} \bmod (x^4 + x^2 + 1) = x^2$, $\quad \gcd(x^2 + x,\ x^4 + x^2 + 1) = 1$
$k = 2$: $x^{2^2} \bmod (x^4 + x^2 + 1) = x^2 + 1$, $\quad \gcd(x^2 + 1 + x,\ x^4 + x^2 + 1) = x^2 + x + 1 \ne 1$
Not irreducible
Primitive polynomials
• The order of a polynomial P(x), $P(0) \ne 0$, is the smallest integer e for which P(x) divides $x^e - 1$.
• In a finite field GF(q), if the order of an irreducible polynomial P(x) is $q^n - 1$, this polynomial is called primitive polynomial.
• Thus, to test whether a polynomial P(x), deg P(x) = n in GF(q) is primitive
– Test whether P(x) is irreducible
– If P(x) is irreducible, check whether it divides the polynomials $x^k - 1$, $n \le k < q^n - 1$
– If P(x) does NOT divide any of the polynomials above, then it is primitive.
• Obviously, this procedure is not efficient.
• Example:
– The polynomial $f(x) = 1 + x + x^4$ of degree 4 in GF(2) is irreducible and does not divide any of the polynomials $x^4 - 1, x^5 - 1, \ldots, x^{14} - 1$. Because of that, it is primitive.
• Theorem (Alanen, Knuth, 1964; Herlestam, 1982)
– A polynomial f(x) in GF(q), $q = p^m$, deg f(x) = n, is primitive if and only if it satisfies the following:
1. $\forall x \in GF(q):\ f(x) \ne 0$
2. $x^{q^n} \equiv x \pmod{f(x)}$
3. For all prime factors p' of $q^n - 1$: $x^{(q^n - 1)/p'} \not\equiv 1 \pmod{f(x)}$
• For q = 2, the polynomial f(x) must have odd weight (i.e. odd number of terms)
• Problem
– Factorization of $q^n - 1$ is needed
• If $q^n - 1$ is a prime, the condition 3 of the theorem is trivially satisfied.
• For q = 2, primes of the form $2^n - 1$ are called Mersenne primes.
• The first 24 Mersenne primes are obtained for the following values of n:
2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689, 9941, 11213, 19937.
• Thus, a polynomial in GF(2) of odd weight, of degree n such that $2^n - 1$ is a Mersenne prime, is primitive if $x^{2^n} \equiv x \pmod{f(x)}$, which is easy to check in practice.
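Slides 39 to 51 put into code, as an added example written for this transcript (not code from the slides): polynomials over GF(2) as bit vectors, the Euclidean algorithm of slide 43, the irreducibility test of slide 42 and the Alanen-Knuth-Herlestam test of slide 49 with q = 2. The only assumption of mine is the trial-division factorization of $2^n - 1$, which is enough for the small degrees of the examples.

```python
# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i,
# so x^4 + x + 1 is 0b10011, and polynomial addition is XOR.
X = 0b10                              # the polynomial x
deg = lambda p: p.bit_length() - 1    # degree of p (deg(0) == -1)

def pmod(a, m):  # remainder of a divided by m in GF(2)[x]
    while a and deg(a) >= deg(m):
        a ^= m << (deg(a) - deg(m))
    return a

def pmulmod(a, b, m):  # a * b mod m: shift-and-add, reducing at every step
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = pmod(a << 1, m)
    return r

def ppowmod(a, e, m):  # a^e mod m by square-and-multiply
    r = 1
    while e:
        if e & 1:
            r = pmulmod(r, a, m)
        a, e = pmulmod(a, a, m), e >> 1
    return r

def pgcd(a, b):  # Euclidean algorithm in GF(2)[x] (slide 43)
    while b:
        a, b = b, pmod(a, b)
    return a

def is_irreducible(f):  # slide 42: gcd(x^(2^k) - x mod f, f) == 1 for 1 <= k <= n/2
    n = deg(f)
    return all(pgcd(ppowmod(X, 2 ** k, f) ^ X, f) == 1 for k in range(1, n // 2 + 1))

def prime_factors(m):  # trial division (my assumption; fine for small degrees n)
    out, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            out.add(d); m //= d
        d += 1
    return out | {m} if m > 1 else out

def is_primitive(f):  # Alanen-Knuth-Herlestam conditions 1-3 (slide 49), q = 2
    n = deg(f)
    no_root = f & 1 and bin(f).count("1") % 2 == 1   # 1: f(0) != 0 and f(1) != 0
    cond2 = ppowmod(X, 2 ** n, f) == X               # 2: x^(2^n) = x (mod f)
    cond3 = all(ppowmod(X, (2 ** n - 1) // p, f) != 1 for p in prime_factors(2 ** n - 1))
    return bool(no_root and cond2 and cond3)         # 3: no x^((2^n-1)/p') = 1
```

`ppowmod(X, k, 0b1011)` for k = 0..6 lists the elements of GF(2^3) exactly as slides 39 and 40 do, and `is_primitive(0b11001)` confirms that the reciprocal polynomial $x^4 + x^3 + 1$ of slide 57 is primitive too.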
• How many primitive polynomials with coefficients in GF(2) of degree n are there?
$N = \varphi(2^n - 1) / n$
• Example:
$n = 11,\ N = 176$
$n = 24,\ N = 276480$
• Not all primitive polynomials are suitable for use in LFSRs
– Primitive polynomials with too concentrated terms (i.e. with terms containing powers of x that are of very similar magnitude)
– Primitive polynomials of degree n such that $2^n - 1$ contains many small prime factors
– There are attacks against schemes with LFSRs using such feedback polynomials.
• Example 1:
– For n = 61, $2^{61} - 1 = 2305843009213693951$ is a Mersenne prime. Recommended for use in LFSRs.
• Example 2:
– For n = 63, $2^{63} - 1 = 7^2 \cdot 73 \cdot 127 \cdot 337 \cdot 92737 \cdot 649657$ is not a Mersenne prime. It is not recommended for use in LFSRs.
• Thus, a good strategy is to use an LFSR with a primitive feedback polynomial of degree n such that $2^n - 1$ is a Mersenne prime.
• But if $2^n - 1$ has a small number of large prime factors, it can also be used in LFSRs
• Example: n = 103, $2^{103} - 1 = 2550183799 \cdot 3976656429941438590393$
• The reciprocal polynomial of the polynomial f(x) of degree n:
$f^*(x) = x^n f\left(\frac{1}{x}\right)$
• Theorem
– If f(x) is primitive, $f^*(x)$ is also primitive.
• Example:
$f(x) = 1 + x + x^4$
– This polynomial is primitive
$f^*(x) = x^4\left(1 + \frac{1}{x} + \frac{1}{x^4}\right) = x^4 + x^3 + 1$
– This polynomial is also primitive
Linear complexity
• The length L of the smallest LFSR capable of generating the given sequence
• The Berlekamp-Massey algorithm (1969):
– Input: the given binary sequence
– Output:
1. $\langle C(D), L \rangle$: C(D) is the feedback polynomial and L is the length of the equivalent LFSR
2. the initial state of the equivalent LFSR
The Berlekamp-Massey algorithm
• Input to one step: n digits of a sequence
• Determines the minimum LFSR capable
of generating them
• If the digit n +1 of the sequence can be
generated by the current LFSR, the length
of the current LFSR is preserved
• Otherwise, a longer LFSR is needed
• The Berlekamp-Massey algorithm is based on the following theorems:
• Theorem 1
– If <C(D), L> generates the prefix $s^n$ of the intercepted sequence, but does not generate $s^{n+1}$, then $LC(s^{n+1}) \ge n + 1 - L$
• Example: n = 6, L = 2, the LFSR generates the sequence 110110. Can it generate 1101100?
Figure: the register runs through the states 011, 101, 110, 011, … – it generates 110110, but does not generate 1101100 (discrepancy at the seventh symbol).
$LC(1101100) \ge 6 + 1 - 2 = 5$
• Theorem 2
– If <C(D), L> generates $s^n$, but does not generate $s^{n+1}$ (discrepancy $\delta_n \ne 0$) and <C*(D), L*> generates $s^m$, but does not generate $s^{m+1}$ (discrepancy $\delta_m \ne 0$), where $0 \le m < n$, then
$\left\langle C(D) - \frac{\delta_n}{\delta_m} D^{n-m} C^*(D),\ \max(L,\ L^* + n - m) \right\rangle$
generates $s^{n+1}$.
• Theorem 3
– If <C(D), L> with $L = LC(s^n)$ generates $s^n$, but does not generate $s^{n+1}$, then
$LC(s^{n+1}) = \max\left(LC(s^n),\ n + 1 - LC(s^n)\right)$
Figure: flowchart of the Berlekamp-Massey algorithm, with $\delta =\delta_n$, $\delta^* = \delta_m$ and $j = n - m$.
• Example:
N = 7, GF(2), $s_0, \ldots, s_6 = 1, 1, 0, 1, 0, 0, 1$
Solution:
$C(D) = 1 + D + D^3$, L = 3
Equivalent LFSR – state (newest symbol on the left) and output symbol (the rightmost bit):
011 1
101 1
010 0
001 1
100 0
110 0
111 1
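An added implementation of the algorithm described above over GF(2) (my code, not the slides' own), following the discrepancy and length-update rules of theorems 2 and 3; on the example sequence 1101001 it returns $C(D) = 1 + D + D^3$, L = 3, and the second function regenerates the sequence from <C(D), L> and its first L symbols.

```python
# Added example: Berlekamp-Massey over GF(2) as on slides 59-65, returning the
# feedback polynomial C(D) and the linear complexity L, plus the equivalent
# LFSR run from <C(D), L> to check that it reproduces the input sequence.

def berlekamp_massey(s):
    """Return (C, L): C = [1, c1, ..., cL] are the coefficients of
    C(D) = 1 + c1 D + ... + cL D^L and L = LC(s) is the linear complexity."""
    n = len(s)
    C = [1] + [0] * n          # current connection polynomial C(D)
    B = [1] + [0] * n          # C*(D): the polynomial before the last length change
    L, m = 0, -1               # L = current length, m = index of that change
    for i in range(n):
        # discrepancy delta_i = s_i + c1 s_{i-1} + ... + cL s_{i-L}  (mod 2)
        d = s[i]
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d == 0:             # <C(D), L> also generates s_i: keep it
            continue
        T = C[:]               # theorem 2: C(D) <- C(D) - D^(i-m) C*(D)
        for j in range(n + 1 - (i - m)):
            C[j + i - m] ^= B[j]
        if 2 * L <= i:         # theorem 3: the length grows to i + 1 - L
            L, m, B = i + 1 - L, i, T
    return C[:L + 1], L

def regenerate(C, L, first, n):
    """Run the LFSR <C(D), L> from its first L symbols: s_i = sum_j c_j s_{i-j}."""
    s = list(first[:L])
    for i in range(L, n):
        s.append(sum(C[j] & s[i - j] for j in range(1, L + 1)) & 1)
    return s

if __name__ == "__main__":
    s = [1, 1, 0, 1, 0, 0, 1]                      # the sequence of slide 65
    C, L = berlekamp_massey(s)
    print("C(D) =", C, "L =", L, "regenerated:", regenerate(C, L, s, len(s)))
```

The sequence 110110 of slide 61 has L = 2, and appending the 0 that the LFSR cannot produce raises it to L = 5, as theorem 1 predicts.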