5-2 MODERN STREAM CIPHERS

In a modern stream cipher, encryption and decryption

are done r bits at a time. We have a plaintext bit stream
P = pn…p2 p1, a ciphertext bit stream
C = cn…c2 c1, and a key bit stream K = kn…k2 k1, in
which pi , ci , and ki are r-bit words.

Topics discussed in this section:

5.2.1 Synchronous Stream Ciphers
5.2.2 Nonsynchronous Stream Ciphers

5.1
5.2 Continued
Figure 5.20 Stream cipher

Note
In a modern stream cipher, each r-bit word in the
plaintext stream is enciphered using an r-bit word
in the key stream to create the corresponding r-bit
word in the ciphertext stream.
5.2
Design Considerations
◼ The encryption sequence should have a large period.
◼ A pseudorandom number generator uses a function that produces a
deterministic stream of bits that eventually repeats.
◼ The longer the period of repeat, the more difficult it will be to do
cryptanalysis.
◼ The keystream should approximate the properties of a
true random number stream as close as possible.
◼ There should be an approximately equal number of 1s and 0s.
◼ If the keystream is treated as a stream of bytes, then all of the 256
possible byte values should appear approximately equally often.
◼ As the output of the pseudorandom number generator is
conditioned on the value of the input key, to guard
against brute-force attacks, the key needs to be
sufficiently long.
◼ With the current technology, a key length of at least 128 bits is
desirable.
◼ The primary advantage of a stream cipher is that stream ciphers are
5.3 almost always faster and use far less code than do block ciphers.
 5.2.1 Synchronous Stream Ciphers

Note
In a synchronous stream cipher the key is
independent of the plaintext or ciphertext.

Figure 5.22 One-time pad

5.4
 5.2.1 Continued
Example 5.17
What is the pattern in the ciphertext of a one-time pad cipher
in each of the following cases?
a. The plaintext is made of n 0’s.
b. The plaintext is made of n 1’s.
c. The plaintext is made of alternating 0’s and 1’s.
d. The plaintext is a random string of bits.

Solution
a. Because 0  ki = ki , the ciphertext stream is the same as
the key stream. If the key stream is random, the
ciphertext is also random. The patterns in the plaintext
are not preserved in the ciphertext.
5.5
 5.2.1 Continued
Example 5.7 (Continued)

b. Because 1  ki = ki where ki is the complement of ki , the

ciphertext stream is the complement of the key stream. If
the key stream is random, the ciphertext is also random.
Again the patterns in the plaintext are not preserved in
the ciphertext.
c. In this case, each bit in the ciphertext stream is either the
same as the corresponding bit in the key stream or the
complement of it. Therefore, the result is also a random
string if the key stream is random.
d. In this case, the ciphertext is definitely random because
the exclusive-or of two random bits results in a random
bit.

5.6
 5.2.1 Continued

Figure 5.23 Feedback shift register (FSR)

5.7
 5.2.1 Continued
Example 5.18

Create a linear feedback shift register with 5 cells in which

b5 = b4  b2  b0 .

Solution
If ci = 0, bi has no role in calculation of bm. This means that bi
is not connected to the feedback function. If ci = 1, bi is
involved in calculation of bm. In this example, c1 and c3 are
0’s, which means that we have only three connections. Figure
5.24 shows the design.

5.8
 5.2.1 Confidentiality
Figure 5.24 LSFR for Example 5.18

5.9
 5.2.1 Continued
Example 5.19
Create a linear feedback shift register with 4 cells in which
b4 = b1  b0. Show the value of output for 20 transitions
(shifts) if the seed is (0001)2.

Solution
Figure 5.25 LFSR for Example 5.19

5.10
 5.2.1 Continued
Example 5.19 (Continued)

Table 4.6 Cell values and key sequence for Example 5.19

5.11
 5.2.1 Continued
Example 5.19 (Continued)

Table 4.6 Continued

5.12
 5.2.1 Continued
Example 5.19 (Continued)
Note that the key stream is 100010011010111 10001…. This
looks like a random sequence at first glance, but if we go
through more transitions, we see that the sequence is
periodic. It is a repetition of 15 bits as shown below:

The key stream generated from a LFSR is a pseudorandom

sequence in which the the sequence is repeated after N bits.

Note

The maximum period of an LFSR is to 2m − 1.

5.13
 5.2.2 Nonsynchronous Stream Ciphers

In a nonsynchronous stream cipher, each key in the key

stream depends on previous plaintext or ciphertext.

Note
In a nonsynchronous stream cipher, the key
depends on either the plaintext or ciphertext.

5.14
 A5/1: Shift Registers

◼ A5/1 uses 3 shift registers

◼ X: 19 bits (x0,x1,x2, …,x18)
◼ Y: 22 bits (y0,y1,y2, …,y21)
◼ Z: 23 bits (z0,z1,z2, …,z22)

Part 1 ⎯ Cryptography
15
 A5/1: Keystream
◼ At each step: m = maj(x8, y10, z10)
◼ Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1
◼ If x8 = m then X steps
◼ t = x13  x16  x17  x18
◼ xi = xi−1 for i = 18,17,…,1 and x0 = t
◼ If y10 = m then Y steps
◼ t = y20  y21
◼ yi = yi−1 for i = 21,20,…,1 and y0 = t
◼ If z10 = m then Z steps
◼ t = z7  z20  z21  z22
◼ zi = zi−1 for i = 22,21,…,1 and z0 = t
◼ Keystream bit is x18  y21  z22
Part 1 ⎯ Cryptography
16
 A5/1
X
x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18

Y 
y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21

Z
z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22

◼ Each variable here is a single bit

◼ Key is used as initial fill of registers
◼ Each register steps (or not) based on maj(x8, y10, z10)
◼ Keystream bit is XOR of rightmost bits of registers
Part 1 ⎯ Cryptography
17
 A5/1
X
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1


Y 
1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1


Z
1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1


◼ In this example, m = maj(x8, y10, z10) = maj(1,0,1) = 1

◼ Register X steps, Y does not step, and Z steps
◼ Keystream bit is XOR of right bits of registers
◼ Here, keystream bit will be 0  1  0 = 1
Part 1 ⎯ Cryptography
18
 Shift Register Crypto
◼ Shift register crypto efficient in hardware
◼ Often, slow if implement in software
◼ In the past, very popular
◼ Today, more is done in software due to fast
processors
◼ Shift register crypto still used some
◼ Resource-constrained devices

Part 1 ⎯ Cryptography
19
 RC4
◼ A self-modifying lookup table
◼ Table always contains a permutation of the
byte values 0,1,…,255
◼ Initialize the permutation using key
◼ At each step, RC4 does the following
◼ Swaps elements in current lookup table
◼ Selects a keystream byte from table
◼ Each step of RC4 produces a byte
◼ Efficient in software
◼ Each step of A5/1 produces only a bit
◼ Efficient in hardware
Part 1 ⎯ Cryptography
20
 RC4 Initialization
◼ S[] is permutation of 0,1,...,255
◼ key[] contains N bytes of key
for i = 0 to 255
S[i] = i
K[i] = key[i (mod N)]
next i
j = 0
for i = 0 to 255
j = (j + S[i] + K[i]) mod 256
swap(S[i], S[j])
next i
i = j = 0

Part 1 ⎯ Cryptography
21
 RC4 Keystream
◼ For each keystream byte, swap elements in
table and select byte
i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap(S[i], S[j])
t = (S[i] + S[j]) mod 256
keystreamByte = S[t]
◼ Use keystream bytes like a one-time pad
◼ Note: first 256 bytes should be discarded
◼ Otherwise, related key attack exists

Part 1 ⎯ Cryptography
22
 Stream Ciphers

◼ Stream ciphers were popular in the past

◼ Efficient in hardware
◼ Speed was needed to keep up with voice, etc.
◼ Today, processors are fast, so software-based
crypto is usually more than fast enough
◼ Future of stream ciphers?
◼ Shamir declared “the death of stream ciphers”
◼ May be greatly exaggerated…

Part 1 ⎯ Cryptography
23