Software Stream Cipher based on pGSSG Generator

Transcription

International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121
The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012)
Software Stream Cipher based on pGSSG Generator
Antoniya Tasheva1, Zhaneta Tasheva2, Ognyan Nakov1
1
Technical University of Sofia, Bulgaria
8 Kliment Ohridski blvd., Sofia 1000, Bulgaria
2
National Military University “Vasil Levski”,
Faculty of Artillery, Air Defense and Communication and Information Systems, Bulgaria,
1 Karel Shkorpil Str., Shumen 9700, Bulgaria
atasheva@tu-sofia.bg, zh.tasheva@mail.bg, nakov@tu-sofia.bg
ABSTRACT
Secrecy of a software stream cipher based on p-ary
Generalized Self-Shrinking Generator (pGSSG) is
examined in this paper. Background information for
the generator’s algorithm is provided. The software
architecture and key management for the cipher
initialization are explained. Galois Field GF(25732) and
feedback polynomials are chosen for initialization of
the generator. In order to examine the secrecy
mathematical model of the software system is made. It
is proved that the cipher is not perfect but the empirical
tests result in less than 0,0125% deviation of the
encrypted files’ entropy from the perfect secrecy. At
last the proposed cipher is compared to four
eSTREAM finalists by key length and period.
KEYWORDS
PRNG, pGSSG, Security,
eSTREAM, Stream Cipher.
Entropy,
Encryption,
1 INTRODUCTION
Recently, computer technologies have started to
play a huge role in everyday life as well as at the
workplace. As the Internet gains more and more
popularity and becomes a major means of
communication, the term information security
becomes more and more important. Encryption
has been studied for centuries and the need to find
new and better solutions is still present to date.
When transmitting large amounts of data over
communication channels such as mobile and
wireless networks, and when high speed, low error
propagation and resistance to attacks are needed,
the use of stream ciphers is recommended. They
encrypt each symbol of the transmitted message
with a keystream, which is usually generated by a
Pseudo Random Number Generator (PRNG),
producing binary Pseudo Random Sequences
(PRSs).
The elements of PRNGs that are most used in
stream ciphers are Linear Feedback Shift Registers
(LFSRs), because LFSR of length n can generate a
PRS of maximum length T = 2n – 1.
Since 1969, when the Berlekamp-Massey
algorithm [1] was discovered, scientific
researchers are looking for new methods of
generating non-linear sequences. Researchers use
two basic methods to generate nonlinear
sequences [2]: structures based on LFSR registers,
such as filter generators, combinatorial generators
and clock controlled generators, and generators in
finite fields such as GMW (Gordon, Mills and
Welch) sequences and Bent function sequences.
Recently some clock controlled generators which
use a p-ary PRS [3] to create nonlinear sequences
have been proposed [4 - 7]. They summarize the
work of the Shrinking Generator proposed by D.
Coppersmith, H. Krawczyk and Y. Mansour at
Eurocrypt’93 [8], and the self-shrinking generator
(SSG) proposed by W. Meier and O. Staffelbach
at Eurocrypt’94 in [9].
Such generator that uses LFSR in order to produce
its output PRSs is the recently proposed p-ary
Generalized Self-Shrinking Generator [10]. It is
proved that it has long period, is well balanced,
has good statistical characteristics and is resistant
against exhaustive search and entropy attacks.
As most of the properties of the sequences
generated by pGSSG generator have been studied
and proved to give good results, it was decided to
111
build a software encryption system based on it. Its
encryption properties are tested using the entropy
measure [11, 12], which is the matter of this paper.
An entropy measure is usually defined in terms of
probability distribution. The entropy H(X) of a
random variable X is a measure of its average
uncertainty. It is the minimum number of bits
required on the average to describe the value x of
the random variable X [11]. In this study the
entropy of the pGSSG PRSs is considered as well
as their influence on the symbol distribution in the
source and encrypted files.
The paper is organized as follows. First, the
working algorithm of p-ary Generalized SelfShrinking Generator for Galois Field GF(pn) is
given. Then the architecture of software
encryption system based on a pGSSG stream
cipher is described. Then the key management is
explained. In Section 4 the mathematical model of
the system is designed and the entropy is both
evaluated and calculated. Section 5 gives a
comparison of the proposed stream cipher with
four eSTREAM finalists.
2 ALGORITHM OVERVIEW
The proposed p-ary Generalized Self-Shrinking
Generator [10], given in Figure 1, consists of a
pLFSR register A, whose length will be denoted
by L. It generates a sequence (ai ) i0 with p-ary
digits (i.e. (ai ) i0 , 0  ai  p  1 ) and 0  i  L  1.
The multipliers of the feedbacks are given by
coefficients q1 , q2 ,..., qL , q L  [0, 1, ..., p  1] of the
primitive polynomial in GF(pL). Every element
can remember one p-ary number. The register is
initialized by p-ary sequence (a0 , a1 , , aL1 ) .
Clock i
pLFSR A
api+1 api+2 … api+(p-1)
api
SELECTION
RULE
Memory for p-ary
transformation of
( p  1) * log 2  p  1
bits
p-ary output
The pGSSG selects a portion of the output p-ary
LFSR sequence by controlling the p-ary LFSR
itself using a six-step algorithm (see Fig. 1):
1. The p-ary LFSR A is clocked with clock
sequence with period T.
2. The output pLFSR sequence is split into ptuples a pi , a pi1 , a pi2 ,..., a pi( p1) , i  0, 1, ...
3. If a pi  0 the whole p-tuple is discarded
from the pGSSG output, i.e. the output is
shrunken.
4. When a pi  0 , the corresponding digit
a pia pi in the p-tuple forms the output of
the pGSSG. For example, if api = 1, then
api+1 is output and the other digits
a pi , a pi2 ,..., a pi( p1) are discard. If a pi  2 ,
then api+2 is output and the other digits
a pi , a pi1 , a pi3 ,..., a pi( p 1) are discard and
so on. If a pi  p  1, then a pi( p1) is output
and the other digits a pi , a pi1 ,..., a pi( p2) are
discard.
5. The shrunken p-ary GSSG output sequence
is transformed into binary sequence in
which every p-ary number is presented
with log 2 ( p  1) binary digits, where
x  is the smallest integer which is greater
or equal to x.
6. Every output number i from 1 to p-1 of
p-ary GSSG sequence is depicted with pary expansion of the number by the
formula:
2 log2 p 1  p  1
(1)
(i  1) 
2
7. Every p-ary zero in its i-th appearance
( i  1, 2, 3,... ) of the generated p-ary
sequence can be represented binary by
number di,
(d i 1  1) mod p, if d i 1  p - 1
di 
(2)
1,
if d i 1  p - 1
and initial condition d 0  0 .
Binary output
Figure 1. p-ary Generalized Self-Shrinking Generator
112
3 SOFTWARE STREAM CIPHER
Table 1. Feedback polynomials used in pGSSG.
A software encryption system has been built. Its
main task is to encrypt the transmitted data in
advance using a keystream, generated by the
output of pGSSG generator. When needed the
encrypted data could be put under second
encryption with standard methods, such as DES in
CBC mode or AES in CCM mode, which are used
in the contemporary wireless networks.
№
1
2
3
3.1 Architecture
The software encryption system is based on
symmetric stream encryption algorithm which is
initialized by the value of the secret key K. It
encrypts the input data stream (the plain text) as
simple XOR operation on each byte of the plain
text and the keystream received from the pGSSG
generator (see Fig. 2).
Encryption
Key K
pGSSG
+
Plain Text
pGSSG
Encrypted Text
Encrypted Text
The result of the encryption with that software
system is that the amount of data remains the same
before and after sending it into the communication
channel. If the communication network provides
the option for additional data encryption, it is
applied as second level of encryption through a
standard block cipher AES or DES. For example
in WiMAX WLAN networks where data
encryption is mandatory the confidentiality and
the security will increase using two levels of
encryption (Fig. 3).
Plain Text
First Level
Encryption
Decryption
Key K
Feedback Polynomial
x32 + x + 10
x32 + 75 x2 + 174 x + 33
x32 + 188 x2 + 200 x + 107
+
Plain Text
Figure 2. Architecture of the Software Encryption System
based on pGSSG Generator.
The software encryption system uses class
libraries for software representation of the LFSR
register and the pGSSG generator. Although they
are designed to be universal, Galois Field
GF(25732) was chosen for the implementation
because of the ease of byte representation and
therefore the possibility of faster implementation.
Three of the primitive feedback polynomials used
to create a pLFSR register with prime p = 257 and
length L = 32 are shown in Table 1.
GMH
4 bytes
PN
Security
Header
pGSSG encryption
128 AES encryption
DLEN
Second Level Encryption
8 bytes
ICV
CRC
Security
Trailer
Figure 3. Use of pGSSG Software Encryption System in
WiMAX WLAN Networks.
3.2 Key management
The architecture of the pGSSG generator allows
building a symmetrical stream cipher with flexible
key management. The key is multicomponent and
consists of several elements:
1. L in count p-ary bit components, giving the
initial state (a0, a1, …, aj, … aL1), where
aj = 0, 1, ..., p - 1, j = 0, 1, …, L1, of the
inner LFSR register.
2. L+1 in count p-ary number components,
giving the coefficients of the feedback
polynomial (q0, q1, …, qj, …,qL), where
qj = 0, 1, ..., p - 1, j = 1, 2, …, L, of the
inner LFSR register.
3. The last component is set as the initial
value of the ‘zero’ in the output and is a
random p-ary number.
113
If we consider only the initial state as key of the
system, it will have length L in p-ary digits. To
present each p-ary digit log 2 p bits are needed.
Therefore the key length is LK InSt = L. log 2 p . It
can be seen that with p growing the key length is
also growing. Table 4.1 shows the minimum
length Lmin of the pLSFR register that ensures key
length LKmin to be 256, 512 or 1024 bits, required
by the contemporary cryptographic applications.
The choice of a feedback polynomial is made
between preliminarily calculated primitive
polynomials in GF(pL). Their count Cpoly is
calculated by the formula [13]:
 ( p  1)
,
(3)
C poly 
L

1 
1 
where  ( x)  x1   1   is the Euler phi
 q1   qk 
function, and x is a positive integer with
L different p-ary digit components for the initial
state of pLFSR register and one for the initial state
d0 of the p-ary zero are used.
factorization given by x  q1e1 qk ek .
The length of the secret key K increases both with
the growth of the inner register and the value of
the prime p. The vast amount of components and
the great length of the key K make more difficult
and dramatically slow up the process of searching
through all different keys when decrypting the
received message by malicious users.
There is negative side on growing the prime p, and
that is the decreasing the speed of the software
encryption system. This is due to the imperfect
software registers and the sequence manner of
processor’s calculations in contrast of a hardware
implementation. For this certain software
implementation a tradeoff is made in order to find
maximum security with minimum slow down. A
prime p = 257 is chosen, where all feedback
coefficients, the initial state and the initialization
zero can be saved into 9 bits and the output of a
257GSSG is a single byte. The register length may
vary from L = 8 to L = 34. When these elements
are set the secret key K consists of the following
components (fig. 4):
 Initial state –
aL– 1 aL – 2 … a1 a0, ai = 0, 1, …, p – 1; i =
0, 1, …, L – 1 (Lmin = 8, Lmax = 34);
 Feedbacks –
qL qL-1 … q1 q0, qi = 0, 1, …, p – 1; i = 0, 1,
…, L – 1 (Lmin = 8, Lmax = 34);
 Initial zero – z = 0, 1, …, p – 1
Table 2. Minimal length of the pLSFR register to ensure key
length LK InSt of 256, 512 or 1024 bits
p
2
3
5, 7
11, 13
17, 19, 23, 29, 31
37, 41, 43, 47, 53, 59, 61
67, 71, 73, 79, 83, 89, 97, 101, 103, 107,
109, 113, 127
131, 137, 139, 149, 151, 157, 163, 167,
173, 179, 181, 191, 193, 197, 199, 211,
223, 227, 229, 233, 239, 241, 251
Lmin of pLSFR for
256 bits 512 bits 1024 bits
256
512
1024
128
256
512
85
171
342
64
128
256
52
103
205
43
86
171
37
74
147
32
64
128
The count of primitive polynomials with different
base p and register length L is shown in table 3.
In order to determine which one polynomial from
the list should be used in the cryptographic system
log 2 Cpoly  bits are needed as shown in the last
column of table 3.
Using the fact that log 2 p  bits are needed for
presentation of the GF(p) elements the total length
LK of the secret key can be calculated as:
(4)
LK  L  1log 2 p  log 2 Cpoly  ,
where L is the length of the inner pLFSR register.
Table 3. Count of primitive polynomials with different
powers and bases
p
L
17
32
61
32
127
32
167
32
257
257
257
8
10
16
257
24
257
32
257
34
Bit
Count
18976458037657197225461286734659584000
124
10244854334997082026962604386814833429237905 183
489920000000
13788941890097745057084265918295403933459936 217
6308071077551957606400
85864901880654498516021075274859050725923408 229
8656177980910291910656000а
582729142999449600
59
37204727422640848896000
75
5511978689381920798272782377943040000
122
54468265154915537177576109136107838060351092 185
424704000000
98767885865554779011732725900114323996711704 250
7735833824574876556711690240000
82943263199168780322247079972233538359404412 266
641258708571048665491964779770675200
Count of primitive polynomials
114
Feedback
Polynomial
Initial
State
Zero
qL
…
aL-1
…
q1
q0
qi = 0, 1, …, p-1
a1
a0
ai = 0, 1, …, p-1
z
z = 0, 1, …, p-1
Figure 4. Main components of the secret key K in a
software encryption system based on pGSSG generator
The minimum key length is calculated for the
mentioned above initialization values only for
base p = 257
LKmin = 9.9 + 59 = 140 bits,
and the maximum key length is:
LKmax = 35.9 + 266 = 581 bits.
The contemporary symmetrical encryption
applications/ systems in wireless communication
networks most often use secret key with length up
to 256 bits, like 3DES with key-length of 168-bits
(3 times 56-bit DES key), AES – working with
key sizes of 128, 192 or 256 bits. As it can be seen
the pGSSG encryption system can have twice
longer secret key.
In order to calculate the time for brute force attack
the count of all possible keys should be
determined. The speed for conducting each test is
also needed. The pGSSG based software
encryption system is enabled to use all possible bit
combinations with a certain length and therefore
the count NK of all possible keys is:
(5)
N K  2 LK ,
where LK is the length of the secret key. Table 4
shows the count NK of all possible keys with
different length.
Table 4. Count of possible keys of length LK
Key length
LK [bits]
80
96
112
128
140
256
512
546
581
Count of possible different keys NK
1208925819614629174706176
79228162514264337593543950336
5,1922968585348276285304963292201.1033
3,4028236692093846346337460743177.1038
1,3937965749081639463459823920405.1042
1,1579208923731619542357098500869.1077
1,3407807929942597099574024998206.10154
2,3034438628061165479989957159352.10164
7,9145728471393450899360806726287.10174
The speed each key is tested is a secondary factor,
thus it can be assumed that all keys are tested
independently and for equal amount of time. This
parameter is closely tight to the budget of the
organization conducting the attack. The attack is
faster when is held on parallel processors due to
the assumptions made so far. Each parallel
processor checks part of the keys and no
interaction between them is needed except for a
stop signal when the correct key is found.
4 EXAMINING THE CIPHER SECRECY
Determining the theoretical secrecy of a
cryptographic system is a very complex
mathematical task. The use of different extended
Galois Fields GF(257L) makes the mathematical
cryptanalysis of the pGSSG generator more
difficult. To see if this system is usable, many
questions need to be answered. They are related to
its robustness and security when the attacker is not
limited in time and has access to all possible
means to analyze encrypted messages. Another
question is could a single solution be found and
what amount of data should be intercepted to get
this solution.
Due to the nonlinearity of modern encryption
algorithms, a comprehensive fully mathematically
justified answer could not be given. However, the
entropy, suggested by Claude Shannon in “A
mathematical theory of communication” [14], has
found wide application in analyzing these issues
since 1948.
4.1 Mathematical Model
As it can be seen on figure 3, the pGSSG based
software encryption system ciphers the entire plain
text: both the data and the headers of the files. If
we consider the byte organization of stored data,
the mathematical model of the pGSSG encryption
system can be presented as follows.
The system (see Fig. 5) would work with 256
(1 byte) different symbols a0, a1, …, ai, …, a255
with corresponding probability for appearance
P(ai), i = 0, 1, ..., 255. As a result of the
encryption, these symbols are mapped into
cryptograms b0, b1, …, bj, …, b255 with probability
for appearance P(bj), j = 0, 1, ..., 255. The keys K0,
K1, ..., Kn are equally possible and their maximum
count NK depends on the key length. It is possible
115
that one input symbol is converted to a different
output symbol when using different keys.
The required and sufficient condition for the
system to be completely secret [14, 15] is:
P(bj) = P (bj / ai), j = 0, 1, ..., 255.
(6)
i.e. P (bj / ai) should not depend on the input
symbol ai.
K0, K23
a0
P(a0)
KNk
K1
Kj
b0
P(b0)
a1
P(a1)
b1
P(b1)
ai
P(ai)
bj
P(bj)
K2
an
P(a255)
K78
K255
K5
b255
P(b255)
Figure 5. Mathematical model of the pGSSG software
encryption system.
Here P(bj/ai) is the conditional probability of the
encrypted symbol bj, provided that the input
symbol is ai. That means that it is the sum of the
possibilities of all keys that transform the symbol
ai into bj.
It is known that the perfect encryption system is
achieved when the following three conditions are
true [Sha49]:
1. Each message is associated with only one
cryptogram.
2. The number of keys is equal to number of
messages.
3. All keys are equally possible.
Under these conditions, the entropy H of the
system is
n 1
n 1
1
1
H ( A)   P(ai ) log 2 P(ai )   log 2  log 2 n (7)
n
i 0
i 0 n
4.2 Experiments using Shannon Entropy
As evident from the mathematical model of the
pGSSG software encryption system, it is not
absolutely secret because it does not fulfill
conditions 1 and 2. Studies are made to answer the
question how close the proposed system is to the
perfect case scenario in (7). For this purpose over
100 different files are tested. They are distributed
equally in the main types: text documents (.doc,
.docx, .txt), images (.bmp, .jpg, .png), executable
files (.exe), audio files (.wav, .mp3) and archives
(.zip, .rar). The frequencies of occurrence of all
characters in input and encrypted files are studied
and their entropy is calculated. Furthermore, for
image files their three color components R, G and
B were analyzed separately. In Table 5 the
Shannon entropy of the input and output files for
four files from each group are shown. Figure 6
demonstrates the distribution histograms of the
plain text and encrypted text for different types of
files. The results for the three color components R,
G and B of the images are respectively shown in
Table 7 and Figure 7.
More than 100 sequences of length 1 000 000 bits
were generated for each password in order to
check how the password transforms into
keystream. They were then tested via NIST [16],
[17] test suite to obtain their properties.
It is known that the crypto-analytics can use the
existing dependencies in the occurrence of
characters in various types of information and the
model of the standard headers in different file
types. That information can help them decrypt the
data. Thus they have blocks of plain text and when
capturing the encrypted message and they can map
it to the corresponding encrypted text. The use of
additional level of encryption with the software
encryption system eliminates these possibilities as
it uniformly changes the values of the symbols for
the whole length of the file, including the header
part. This conclusion is confirmed by the results
shown in Tables 5 and 7.
Analysis shows that the entropy of encrypted files
slightly differs from the perfect encryption system
entropy with less than 0,001 bit which is 0,0125 %
deviation from the perfect secrecy. The entropy of
a perfect secrecy system with 256 equally possible
symbols is:
255
1
(8)
H ( A)  
log 2 2 8  8 bit.
i 0 256
116
Table 5. Entropy of input and pGSSG encrypted files.
№
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
File
Password
explorer.exe
2345explorer
encryptPhD.exe
Fast2Enc%(!
notepad++.exe
++нотпад++
WinRAR.exe
KoМпReСиQ
CompleteSet.docx 2013BCPC
DiplomnaRabota.docx Info4диплом
document.docx
Просто*Tekst
TrainingTasks.docx Passw0rd
presentation.pptx
Imagine8№
IFRToolLog.txt
лог$а@к§n&
leMouse.rar
el^gAto-te
Raboti.rar
lANg25cop18%
Zadaniq.rar
worry35ePIc^
Zadaniq.zip
rAts24mOd=
ALARM.WAV
VarY39eRns&
cat8.wav
NiX^pEn=Dry1
TU.bmp
myUniversit1
lenna.bmp
vAN83scoUR@
snowman.jpg
faLL!kOR?jiltS
sozopol.jpg
idS?OcHRy65
Entropy of
Input File
Encrypted File
5.872596706508290 7.999598134607586
7.631900643959939 7.998833667709484
6.091405544356415 7.999648675667926
6.469161170026363 7.999644709803738
7.948642291913700 7.998595024152175
7.524045264552306 7.989391747378668
7.910834642297916 7.998354864955056
7.948642291913700 7.998405935750952
7.937660319385949 7.999896904729666
4.714971677469938 7.999566854515114
7.986186549835893 7.998523780587349
7.999329046994613 7.999986138240808
7.999026651474129 7.999558585297283
7.997750400646980 7.999661066662499
6.871613007127728 7.997961560964973
4.572460198612183 7.998654459803242
7.735134585817764 7.999598750116132
5.682224748742369 7.999696018375432
7.927340915095799 7.995697933926553
7.966401975045295 7.997800281093063
As seen on Figure 6 the distribution of symbols in
most file types differs radically from the uniform
distribution. Exceptions are the archive files
whose distribution is largely similar to the uniform
and this is no coincidence, because in the archives
different algorithms for compressing data are
applied. This feature of the archives determines
their entropy, which depending on the
compression algorithm can reach up to 7.998.
However in the distribution of the symbols there
are usually detectable peaks of the symbols having
a value of 0 or 255 (see Figure 6.c). These
anomalies in the histograms are eliminated by the
use of encryption with the pGSSG generator.
5 COMPARISON WITH OTHER CIPHERS
In this section we compare our 257GSSG software
stream cipher with four eSTREAM finalists from
profile 1 which use large LFSR and a nonlinear
filter with memory.
The eSTREAM project was launched in 2004 as
part of the EU-sponsored ECRYPT Framework VI
Network of Excellence [18]. The primary goal of
eSTREAM was to help developers how to analyze
and design stream ciphers. To promote research in
stream ciphers, a call for new proposals has been
made. Two specific stream cipher profiles were
identified: Profile 1: Stream ciphers for software
applications with high throughput and Profile 2:
Stream ciphers for hardware applications with
highly restricted resources [19]. In addition, to
emphases the importance of providing an
authentication method along with encryption, two
further profiles were proposed: Profile 1A: Stream
ciphers satisfying Profile 1 with an associated
authentication method and Profile 2A: Stream
ciphers satisfying Profile 2 with an associated
authentication method.
The original call provoked significant interest and
34 stream ciphers were submitted by the deadline
of April 29, 2005. All candidates are evaluated by
some significant criteria like security, performance
compared to the AES and to other submissions,
justification and supporting analysis, simplicity
and flexibility, and completeness and clarity over
the tree phases of eSTREAM. Only 16 algorithms
were advanced to the final phase of eSTREAM by
eight in Profile 1 and 2.
Four of the final eight Profile 1 ciphers use NonLinear FSR (NLFSR). They are CryptMT v3 [20],
DRAGON [21], NLS v2 [22] и SOSEMANUK
[23].
CryptMT version 3 is a stream cipher obtained by
combining a large LFSR and a nonlinear filter
with memory using integer multiplication. Its
period is proved to be no less than 219937−1. The
key-size can be flexibly chosen from 128 bits to
2048 bits, as well as the IV-size. The authors
claim that the security level is the same with the
minimum of the Key-size and the IV-size.
Dragon is a word-based stream cipher,
which state is initialized with 128- or
256-bit key-IV pairs. Dragon uses a single
1024-bit word based NLFSR and a 64-bit memory
M which give a state size of 1088 bits. The period
for the sequence produced by a 1024-bit NLFSR is
2512 and since the counter M has a period of 264,
the expected Dragon period is 2576.
NLSv2 is a synchronous stream cipher designed
for a secret key that may be up to 128 bits in
length. NLSv2’s stream generator is constructed
from a NLFSR and a non-linear filter. NLSv2 is
intended to provide security under the condition
that no nonce is ever reused with a single key, that
no more than 280 words of data are processed with
one key, and that no more than 248 words of data
are processed with one key/nonce pair.
117
Sosemanuk is a synchronous software-oriented
stream cipher with variable key length between
128 and 256 bits. Any key length is claimed to
achieve 128-bit security. It uses a non-singular
LFSR which operates over elements of GF(232).
The output Sosemanuk sequence of 32-bit words
is periodic and has maximal period 2320 − 1.
Table 6. Comparison of Key length, IV length and Period of
Stream Ciphers
Key Length,
bits
CryptMT v3
from 128
to 2048
DRAGON
128 or 256
NLS v2
up to 128
SOSEMANUK from 128
to 256
pGSSG, p = 257 from 297
to 547
Stream Cipher
IV Length,
Period
bits
from 128
≥ 219937 – 1
to 2048
128 or 256
2576
 280 words
128
 2320 – 1
144
256.25731.8 > 2259
Here we consider only software version of pGSSG
that is constructed using a single 257-ary LFSR
with length L = 32. For one feedback polynomial
the initial state of pGSSG is populated using the
key K in conjunction with Initial Vector IV. The
initial filling of the 257LFSR is done by 32 clock
cycles as follows:
K ,
ai   i
 ( K i  IVi 15 ) mod 257,
0  i  15
16  i  31
(9)
For a single feedback polynomial the key K
consists of 32 in count 257-ary digits, representing
the initial state, and one digit for the initial value
of 257-ary zero in binary pGSSG sequence. Due
to the fact that a 257-ary digit can be presented
binary with log2257 = 9 bits, the key length for
one feedback polynomial in bits is 33.9 = 297 bits.
The IV length is 16 257-ary digits, which in bits is
16.9 = 144 bits. Any key length is claimed to
achieve 297-bit security. The other 250 bits of the
key define which of the feedback polynomials is
used to constructs the pGSSG. In this case the
maximum key length can be calculated as
297 + 250 = 547 bits.
The period for the sequence of 257-ary digits
produced by a 257LFSR with length L = 32 is
25732 – 1. Due to self-shrinking procedure of
pGSSG, the output pGSSG sequence is non-linear
and its expected period is T = (p – 1).pL – 1 =
256.25731, assuming the pGSSG sequence of
257-ary digits is pseudo-random [10, 24]. Because
every 257-ary digit in pGSSG sequence is
transformed into log2(257 – 1) = 8 bits, then the
period of pGSSG output binary sequence is
greater than 256.25631.8 = 28.28.31.23 = 2259.
To make the design of pGSSG more robust against
cryptanalytic attacks we change the primitive
feedback polynomial of used 257LFSR before the
pGSSG period is produced. The number of distinct
primitive polynomials in GF(25732) is shown in
Table 3.
The comparison shows that 257GSSG provides
297-bit security which is more than three of the
eSTREAM finalists shown in Table 6. Only
CryptMT v3 offer variable key length from 128 to
2048 bits, which may provide more than 297-bit
security. The period of 257LFSR is less than the
period of CryptMT v3 and DRAGON, more than
the period of the NLS v2 and similar to the period
of SOSEMANUK.
Table 7. Entropy of the colour components R, G and B of the input and pGSSG encrypted images.
№ Image
Password
1.
2.
3.
4.
5.
*&^%^%sG
*&*B”}@E
Poiuytr^B&
M*b%V)JY
12345678
medal.bmp
banner.bmp
DarkDoor.bmp
pepper.bmp
lenna.bmp
Input Image
R
6.0038
7.3162
7.2023
7.3388
5.0465
G
5.9726
6.9769
7.0943
7.4962
5.4576
Encrypted Image
B
6.0043
6.8664
7.0060
7.0583
4.8001
R
7.99928
7.99977
7.99934
7.99930
7.99914
G
7.99943
7.99973
7.99935
7.99924
7.99918
B
7.99937
7.99974
7.99924
7.99935
7.99904
118
Encrypted File
Input File
a) text file IFRToolLog.txt
b) executable file notepad++.exe
c) archive file leMouse.rar
Figure 6. Distribution histograms for symbols in input and pGSSG encrypted files: a) text files, b) executable file, c) archive file.
Input File
Encrypted File
Figure 7. Input and encrypted image and the corresponding distribution histograms for the R, G and B values.
119
6 CONCLUSIONS AND FUTURE WORK
3.
The secrecy of the software pGSSG encryption
system is tested with the aim of its mathematical
model using the term Entropy. It is proved that the
system does not have perfect secrecy but
transforms the data into such with uniform
distribution of characters. The analysis shows that
the entropy of encrypted files compared to the
perfect encryption system differs with less than
0,001 bits, which is 0,0125 % deviation from the
perfect secrecy.
The comparison with eSTREAM finalists from
profile 1 which use large NLFSR shows that
software version of 257GSSG with length L = 32
offer 297-bit security which is more than the
security of
DRAGON,
NLS
v2
and
SOSEMANUK. The period of the pGSSG stream
cipher is compared to those of the eSTREAM
finalists and it is stated that it is times longer than
NLS, similar to SOSEMANUK, but shorter that
the other two. This shortness is compensated by
simply changing the primitive polynomial of the
generator.
The task of decrypting the received data has been
made more complicated for the crypto-analytics
when using known dependencies in the occurrence
of characters in different types of information.
However, there are some practical issues that need
to be addressed. First, to measure the degree of
randomness of sequences generated by pGSSG
some statistic experiments using approximate
entropy [25] must be done. Second, to analyze the
problem of finding the secret key in pGSSG
software system min-entropy can be used [11],
which determines the probability of guessing the
correct value at first attempt. Moreover, it is
necessary to find the average number of guesses
needed to determine the key, which is given by the
guessing entropy [11].
4.
7 REFERENCES
17.
1.
2.
Massey J., Shift-register synthesis and BCH decoding,
IEEE Transactions on Information Theory, vol. 15, no.
1, pp. 122–127, (1969)
Gong G., Sequence Analysis, University of Waterloo, p.
137, (1999) http://calliope.uwaterloo.ca/~ggong.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
Golomb S., Shift Register Sequences, Aegean Park
Press, Laguna Hills, Calif, USA, revised edition, (1982)
Kanso, A. Clock-controlled generators. University of
London, (1999)
Tashev, T., Bedzhev, B., Tasheva, Zh. The Generalized
Shrinking-Multiplexing Generator, ACM International
Conference Proceeding Series 285, Article number 48,
Proceedings of the 2007 international conference on
Computer systems and technologies CompSysTech '07,
(2007)
Tasheva, Z., Bedzhev, B., Stoyanov, B. P-adic
shrinking-multiplexing generator, Proceedings of the
Third Workshop - 2005 IEEE Intelligent Data
Acquisition and Advanced Computing Systems:
Technology and Applications, IDAACS 2005, pp. 443 –
448, (2005)
Tasheva Zh. N. Design and Analysis of 3-ary
Generalized Shrinking Multiplexing Generator,
International Journal of Advance in Communication
Engineering 4 (2), pp. 129-140, (2012)
Coppersmith D., H. Krawczyk, Y. Mansour, The
shrinking generator, Advances in Cryptology –
EUROCRYPT’93, vol.773 of LNCS, Berlin, SpringerVerlag, pp. 22-39, (1993)
Meier W., O. Staffelbach, The self-shrinking generator.
In A.De Santis, editor, Advances in Cryptology –
EUROCRYPT ’94, vol.950 of LNCS, Berlin, SpringerVerlag, pp. 205-214, (1995)
Tasheva A. T., Tasheva, Zh. N., Milev, A. P.,
Generalization of the Self-Shrinking Generator in the
Galois Field GF(pn), Advances in Artificial Intelligence,
vol. 2011, Article ID 464971, 10 pages, (2011)
doi:10.1155/2011/464971
Cachin, C. Entropy measures and unconditional
security in cryptography. Konstanz: Hartung-Gorre,
(1997)
Gray R., Entropy and Information Theory, Springer,
Second Edition, (2011)
Lidl, Rudolf. Finite fields. Vol. 20. Cambridge
University Press, (1997)
Shannon, C. E. “A mathematical theory of
communication.” ACM SIGMOBILE Mobile Computing
and Communications Review 5, no. 1, pp. 3-55, (2001)
Shannon, C. E. “Communication theory of secrecy
systems.” Bell system technical journal 28, no. 4, pp.
656-715. (1949)
NIST Statistical Test Suite, Version 2.1.1., August 11,
(2010), http://csrc.nist.gov/groups/ST/toolkit/rng/docum
entation_software.html
Rukhin A., J. Soto, et.al, NIST Special Publication 80022rev1a: A Statistical Test Suite for the Validation of
Random Number Generators and Pseudo Random
Number Generators for Cryptographic Applications,
(2010),
http://csrc.nist.gov/groups/ST/toolkit/rng/
documents/SP800-22rev1a.pdf.
120
18. Babbage, Steve, et al. "The eSTREAM portfolio."
eSTREAM, ECRYPT Stream Cipher Project. April 15,
(2008). http://www.ecrypt.eu.org/stream/portfolio.pdf.
19. ECRYPT.
The
eSTREAM
project,
http://www.ecrypt.eu.org/stream/
20. Zhang, Haina, and Xiaoyun Wang. “On the Security of
Stream Cipher CryptMT v3.” IACR Cryptology ePrint
Archive 2009, pp. 110, (2009)
21. Chen, Kevin, et al. "Dragon: A fast word based stream
cipher." Information Security and Cryptology–ICISC
2004. Springer Berlin Heidelberg, Seoul, Korea, pp. 3350. (2005)
22. Hawkes, Philip, et al. "Specification for NLSv2." New
Stream Cipher Designs. Springer Berlin Heidelberg,
pp.57-68. (2008)
23. Cho, Joo Yeon, and Miia Hermelin. “Improved linear
cryptanalysis of SOSEMANUK.” Information, Security
and Cryptology–ICISC 2009. Springer Berlin
Heidelberg, pp. 101-117. (2010)
24. Tasheva, A., Nakov O., and Tasheva, Zh. About balance
property of thep-ary generalized self-shrinking
generator sequence. In Proceedings of the 14th
International Conference on Computer Systems and
Technologies (CompSysTech '13), ACM, New York,
NY, USA, pp. 299-306. (2013)
25. Pincus S., B. H. Singer, Randomness and degrees of
irregularity, Proc. Natl. Acad. Sci. USA. Vol. 93, pp.
2083-2088 (1996)
121

Software Stream Cipher based on pGSSG Generator

Transcription

Similar documents

“More” Mohawk

New slides

Herbert Girardet - Future of Cities Forum

Datasheet

Security Revisited: What can we learn from

Defining Waterbodies: Davidsonville Wildlife Sanctuary

t-rmb er - Eel River Recovery Project

Secure USB Flash Drive