Software Stream Cipher based on pGSSG Generator
Transcription
Software Stream Cipher based on pGSSG Generator
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) Software Stream Cipher based on pGSSG Generator Antoniya Tasheva1, Zhaneta Tasheva2, Ognyan Nakov1 1 Technical University of Sofia, Bulgaria 8 Kliment Ohridski blvd., Sofia 1000, Bulgaria 2 National Military University “Vasil Levski”, Faculty of Artillery, Air Defense and Communication and Information Systems, Bulgaria, 1 Karel Shkorpil Str., Shumen 9700, Bulgaria [email protected], [email protected], [email protected] ABSTRACT Secrecy of a software stream cipher based on p-ary Generalized Self-Shrinking Generator (pGSSG) is examined in this paper. Background information for the generator’s algorithm is provided. The software architecture and key management for the cipher initialization are explained. Galois Field GF(25732) and feedback polynomials are chosen for initialization of the generator. In order to examine the secrecy mathematical model of the software system is made. It is proved that the cipher is not perfect but the empirical tests result in less than 0,0125% deviation of the encrypted files’ entropy from the perfect secrecy. At last the proposed cipher is compared to four eSTREAM finalists by key length and period. KEYWORDS PRNG, pGSSG, Security, eSTREAM, Stream Cipher. Entropy, Encryption, 1 INTRODUCTION Recently, computer technologies have started to play a huge role in everyday life as well as at the workplace. As the Internet gains more and more popularity and becomes a major means of communication, the term information security becomes more and more important. Encryption has been studied for centuries and the need to find new and better solutions is still present to date. When transmitting large amounts of data over communication channels such as mobile and wireless networks, and when high speed, low error propagation and resistance to attacks are needed, the use of stream ciphers is recommended. They encrypt each symbol of the transmitted message with a keystream, which is usually generated by a Pseudo Random Number Generator (PRNG), producing binary Pseudo Random Sequences (PRSs). The elements of PRNGs that are most used in stream ciphers are Linear Feedback Shift Registers (LFSRs), because LFSR of length n can generate a PRS of maximum length T = 2n – 1. Since 1969, when the Berlekamp-Massey algorithm [1] was discovered, scientific researchers are looking for new methods of generating non-linear sequences. Researchers use two basic methods to generate nonlinear sequences [2]: structures based on LFSR registers, such as filter generators, combinatorial generators and clock controlled generators, and generators in finite fields such as GMW (Gordon, Mills and Welch) sequences and Bent function sequences. Recently some clock controlled generators which use a p-ary PRS [3] to create nonlinear sequences have been proposed [4 - 7]. They summarize the work of the Shrinking Generator proposed by D. Coppersmith, H. Krawczyk and Y. Mansour at Eurocrypt’93 [8], and the self-shrinking generator (SSG) proposed by W. Meier and O. Staffelbach at Eurocrypt’94 in [9]. Such generator that uses LFSR in order to produce its output PRSs is the recently proposed p-ary Generalized Self-Shrinking Generator [10]. It is proved that it has long period, is well balanced, has good statistical characteristics and is resistant against exhaustive search and entropy attacks. As most of the properties of the sequences generated by pGSSG generator have been studied and proved to give good results, it was decided to 111 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) build a software encryption system based on it. Its encryption properties are tested using the entropy measure [11, 12], which is the matter of this paper. An entropy measure is usually defined in terms of probability distribution. The entropy H(X) of a random variable X is a measure of its average uncertainty. It is the minimum number of bits required on the average to describe the value x of the random variable X [11]. In this study the entropy of the pGSSG PRSs is considered as well as their influence on the symbol distribution in the source and encrypted files. The paper is organized as follows. First, the working algorithm of p-ary Generalized SelfShrinking Generator for Galois Field GF(pn) is given. Then the architecture of software encryption system based on a pGSSG stream cipher is described. Then the key management is explained. In Section 4 the mathematical model of the system is designed and the entropy is both evaluated and calculated. Section 5 gives a comparison of the proposed stream cipher with four eSTREAM finalists. 2 ALGORITHM OVERVIEW The proposed p-ary Generalized Self-Shrinking Generator [10], given in Figure 1, consists of a pLFSR register A, whose length will be denoted by L. It generates a sequence (ai ) i0 with p-ary digits (i.e. (ai ) i0 , 0 ai p 1 ) and 0 i L 1. The multipliers of the feedbacks are given by coefficients q1 , q2 ,..., qL , q L [0, 1, ..., p 1] of the primitive polynomial in GF(pL). Every element can remember one p-ary number. The register is initialized by p-ary sequence (a0 , a1 , , aL1 ) . Clock i pLFSR A api+1 api+2 … api+(p-1) api SELECTION RULE Memory for p-ary transformation of ( p 1) * log 2 p 1 bits p-ary output The pGSSG selects a portion of the output p-ary LFSR sequence by controlling the p-ary LFSR itself using a six-step algorithm (see Fig. 1): 1. The p-ary LFSR A is clocked with clock sequence with period T. 2. The output pLFSR sequence is split into ptuples a pi , a pi1 , a pi2 ,..., a pi( p1) , i 0, 1, ... 3. If a pi 0 the whole p-tuple is discarded from the pGSSG output, i.e. the output is shrunken. 4. When a pi 0 , the corresponding digit a pia pi in the p-tuple forms the output of the pGSSG. For example, if api = 1, then api+1 is output and the other digits a pi , a pi2 ,..., a pi( p1) are discard. If a pi 2 , then api+2 is output and the other digits a pi , a pi1 , a pi3 ,..., a pi( p 1) are discard and so on. If a pi p 1, then a pi( p1) is output and the other digits a pi , a pi1 ,..., a pi( p2) are discard. 5. The shrunken p-ary GSSG output sequence is transformed into binary sequence in which every p-ary number is presented with log 2 ( p 1) binary digits, where x is the smallest integer which is greater or equal to x. 6. Every output number i from 1 to p-1 of p-ary GSSG sequence is depicted with pary expansion of the number by the formula: 2 log2 p 1 p 1 (1) (i 1) 2 7. Every p-ary zero in its i-th appearance ( i 1, 2, 3,... ) of the generated p-ary sequence can be represented binary by number di, (d i 1 1) mod p, if d i 1 p - 1 di (2) 1, if d i 1 p - 1 and initial condition d 0 0 . Binary output Figure 1. p-ary Generalized Self-Shrinking Generator 112 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) 3 SOFTWARE STREAM CIPHER Table 1. Feedback polynomials used in pGSSG. A software encryption system has been built. Its main task is to encrypt the transmitted data in advance using a keystream, generated by the output of pGSSG generator. When needed the encrypted data could be put under second encryption with standard methods, such as DES in CBC mode or AES in CCM mode, which are used in the contemporary wireless networks. № 1 2 3 3.1 Architecture The software encryption system is based on symmetric stream encryption algorithm which is initialized by the value of the secret key K. It encrypts the input data stream (the plain text) as simple XOR operation on each byte of the plain text and the keystream received from the pGSSG generator (see Fig. 2). Encryption Key K pGSSG + Plain Text pGSSG Encrypted Text Encrypted Text The result of the encryption with that software system is that the amount of data remains the same before and after sending it into the communication channel. If the communication network provides the option for additional data encryption, it is applied as second level of encryption through a standard block cipher AES or DES. For example in WiMAX WLAN networks where data encryption is mandatory the confidentiality and the security will increase using two levels of encryption (Fig. 3). Plain Text First Level Encryption Decryption Key K Feedback Polynomial x32 + x + 10 x32 + 75 x2 + 174 x + 33 x32 + 188 x2 + 200 x + 107 + Plain Text Figure 2. Architecture of the Software Encryption System based on pGSSG Generator. The software encryption system uses class libraries for software representation of the LFSR register and the pGSSG generator. Although they are designed to be universal, Galois Field GF(25732) was chosen for the implementation because of the ease of byte representation and therefore the possibility of faster implementation. Three of the primitive feedback polynomials used to create a pLFSR register with prime p = 257 and length L = 32 are shown in Table 1. GMH 4 bytes PN Security Header pGSSG encryption 128 AES encryption DLEN Second Level Encryption 8 bytes ICV CRC Security Trailer Figure 3. Use of pGSSG Software Encryption System in WiMAX WLAN Networks. 3.2 Key management The architecture of the pGSSG generator allows building a symmetrical stream cipher with flexible key management. The key is multicomponent and consists of several elements: 1. L in count p-ary bit components, giving the initial state (a0, a1, …, aj, … aL1), where aj = 0, 1, ..., p - 1, j = 0, 1, …, L1, of the inner LFSR register. 2. L+1 in count p-ary number components, giving the coefficients of the feedback polynomial (q0, q1, …, qj, …,qL), where qj = 0, 1, ..., p - 1, j = 1, 2, …, L, of the inner LFSR register. 3. The last component is set as the initial value of the ‘zero’ in the output and is a random p-ary number. 113 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) If we consider only the initial state as key of the system, it will have length L in p-ary digits. To present each p-ary digit log 2 p bits are needed. Therefore the key length is LK InSt = L. log 2 p . It can be seen that with p growing the key length is also growing. Table 4.1 shows the minimum length Lmin of the pLSFR register that ensures key length LKmin to be 256, 512 or 1024 bits, required by the contemporary cryptographic applications. The choice of a feedback polynomial is made between preliminarily calculated primitive polynomials in GF(pL). Their count Cpoly is calculated by the formula [13]: ( p 1) , (3) C poly L 1 1 where ( x) x1 1 is the Euler phi q1 qk function, and x is a positive integer with L different p-ary digit components for the initial state of pLFSR register and one for the initial state d0 of the p-ary zero are used. factorization given by x q1e1 qk ek . The length of the secret key K increases both with the growth of the inner register and the value of the prime p. The vast amount of components and the great length of the key K make more difficult and dramatically slow up the process of searching through all different keys when decrypting the received message by malicious users. There is negative side on growing the prime p, and that is the decreasing the speed of the software encryption system. This is due to the imperfect software registers and the sequence manner of processor’s calculations in contrast of a hardware implementation. For this certain software implementation a tradeoff is made in order to find maximum security with minimum slow down. A prime p = 257 is chosen, where all feedback coefficients, the initial state and the initialization zero can be saved into 9 bits and the output of a 257GSSG is a single byte. The register length may vary from L = 8 to L = 34. When these elements are set the secret key K consists of the following components (fig. 4): Initial state – aL– 1 aL – 2 … a1 a0, ai = 0, 1, …, p – 1; i = 0, 1, …, L – 1 (Lmin = 8, Lmax = 34); Feedbacks – qL qL-1 … q1 q0, qi = 0, 1, …, p – 1; i = 0, 1, …, L – 1 (Lmin = 8, Lmax = 34); Initial zero – z = 0, 1, …, p – 1 Table 2. Minimal length of the pLSFR register to ensure key length LK InSt of 256, 512 or 1024 bits p 2 3 5, 7 11, 13 17, 19, 23, 29, 31 37, 41, 43, 47, 53, 59, 61 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251 Lmin of pLSFR for 256 bits 512 bits 1024 bits 256 512 1024 128 256 512 85 171 342 64 128 256 52 103 205 43 86 171 37 74 147 32 64 128 The count of primitive polynomials with different base p and register length L is shown in table 3. In order to determine which one polynomial from the list should be used in the cryptographic system log 2 Cpoly bits are needed as shown in the last column of table 3. Using the fact that log 2 p bits are needed for presentation of the GF(p) elements the total length LK of the secret key can be calculated as: (4) LK L 1log 2 p log 2 Cpoly , where L is the length of the inner pLFSR register. Table 3. Count of primitive polynomials with different powers and bases p L 17 32 61 32 127 32 167 32 257 257 257 8 10 16 257 24 257 32 257 34 Bit Count 18976458037657197225461286734659584000 124 10244854334997082026962604386814833429237905 183 489920000000 13788941890097745057084265918295403933459936 217 6308071077551957606400 85864901880654498516021075274859050725923408 229 8656177980910291910656000а 582729142999449600 59 37204727422640848896000 75 5511978689381920798272782377943040000 122 54468265154915537177576109136107838060351092 185 424704000000 98767885865554779011732725900114323996711704 250 7735833824574876556711690240000 82943263199168780322247079972233538359404412 266 641258708571048665491964779770675200 Count of primitive polynomials 114 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) Feedback Polynomial Initial State Zero qL … aL-1 … q1 q0 qi = 0, 1, …, p-1 a1 a0 ai = 0, 1, …, p-1 z z = 0, 1, …, p-1 Figure 4. Main components of the secret key K in a software encryption system based on pGSSG generator The minimum key length is calculated for the mentioned above initialization values only for base p = 257 LKmin = 9.9 + 59 = 140 bits, and the maximum key length is: LKmax = 35.9 + 266 = 581 bits. The contemporary symmetrical encryption applications/ systems in wireless communication networks most often use secret key with length up to 256 bits, like 3DES with key-length of 168-bits (3 times 56-bit DES key), AES – working with key sizes of 128, 192 or 256 bits. As it can be seen the pGSSG encryption system can have twice longer secret key. In order to calculate the time for brute force attack the count of all possible keys should be determined. The speed for conducting each test is also needed. The pGSSG based software encryption system is enabled to use all possible bit combinations with a certain length and therefore the count NK of all possible keys is: (5) N K 2 LK , where LK is the length of the secret key. Table 4 shows the count NK of all possible keys with different length. Table 4. Count of possible keys of length LK Key length LK [bits] 80 96 112 128 140 256 512 546 581 Count of possible different keys NK 1208925819614629174706176 79228162514264337593543950336 5,1922968585348276285304963292201.1033 3,4028236692093846346337460743177.1038 1,3937965749081639463459823920405.1042 1,1579208923731619542357098500869.1077 1,3407807929942597099574024998206.10154 2,3034438628061165479989957159352.10164 7,9145728471393450899360806726287.10174 The speed each key is tested is a secondary factor, thus it can be assumed that all keys are tested independently and for equal amount of time. This parameter is closely tight to the budget of the organization conducting the attack. The attack is faster when is held on parallel processors due to the assumptions made so far. Each parallel processor checks part of the keys and no interaction between them is needed except for a stop signal when the correct key is found. 4 EXAMINING THE CIPHER SECRECY Determining the theoretical secrecy of a cryptographic system is a very complex mathematical task. The use of different extended Galois Fields GF(257L) makes the mathematical cryptanalysis of the pGSSG generator more difficult. To see if this system is usable, many questions need to be answered. They are related to its robustness and security when the attacker is not limited in time and has access to all possible means to analyze encrypted messages. Another question is could a single solution be found and what amount of data should be intercepted to get this solution. Due to the nonlinearity of modern encryption algorithms, a comprehensive fully mathematically justified answer could not be given. However, the entropy, suggested by Claude Shannon in “A mathematical theory of communication” [14], has found wide application in analyzing these issues since 1948. 4.1 Mathematical Model As it can be seen on figure 3, the pGSSG based software encryption system ciphers the entire plain text: both the data and the headers of the files. If we consider the byte organization of stored data, the mathematical model of the pGSSG encryption system can be presented as follows. The system (see Fig. 5) would work with 256 (1 byte) different symbols a0, a1, …, ai, …, a255 with corresponding probability for appearance P(ai), i = 0, 1, ..., 255. As a result of the encryption, these symbols are mapped into cryptograms b0, b1, …, bj, …, b255 with probability for appearance P(bj), j = 0, 1, ..., 255. The keys K0, K1, ..., Kn are equally possible and their maximum count NK depends on the key length. It is possible 115 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) that one input symbol is converted to a different output symbol when using different keys. The required and sufficient condition for the system to be completely secret [14, 15] is: P(bj) = P (bj / ai), j = 0, 1, ..., 255. (6) i.e. P (bj / ai) should not depend on the input symbol ai. K0, K23 a0 P(a0) KNk K1 Kj b0 P(b0) a1 P(a1) b1 P(b1) ai P(ai) bj P(bj) K2 an P(a255) K78 K255 K5 b255 P(b255) Figure 5. Mathematical model of the pGSSG software encryption system. Here P(bj/ai) is the conditional probability of the encrypted symbol bj, provided that the input symbol is ai. That means that it is the sum of the possibilities of all keys that transform the symbol ai into bj. It is known that the perfect encryption system is achieved when the following three conditions are true [Sha49]: 1. Each message is associated with only one cryptogram. 2. The number of keys is equal to number of messages. 3. All keys are equally possible. Under these conditions, the entropy H of the system is n 1 n 1 1 1 H ( A) P(ai ) log 2 P(ai ) log 2 log 2 n (7) n i 0 i 0 n 4.2 Experiments using Shannon Entropy As evident from the mathematical model of the pGSSG software encryption system, it is not absolutely secret because it does not fulfill conditions 1 and 2. Studies are made to answer the question how close the proposed system is to the perfect case scenario in (7). For this purpose over 100 different files are tested. They are distributed equally in the main types: text documents (.doc, .docx, .txt), images (.bmp, .jpg, .png), executable files (.exe), audio files (.wav, .mp3) and archives (.zip, .rar). The frequencies of occurrence of all characters in input and encrypted files are studied and their entropy is calculated. Furthermore, for image files their three color components R, G and B were analyzed separately. In Table 5 the Shannon entropy of the input and output files for four files from each group are shown. Figure 6 demonstrates the distribution histograms of the plain text and encrypted text for different types of files. The results for the three color components R, G and B of the images are respectively shown in Table 7 and Figure 7. More than 100 sequences of length 1 000 000 bits were generated for each password in order to check how the password transforms into keystream. They were then tested via NIST [16], [17] test suite to obtain their properties. It is known that the crypto-analytics can use the existing dependencies in the occurrence of characters in various types of information and the model of the standard headers in different file types. That information can help them decrypt the data. Thus they have blocks of plain text and when capturing the encrypted message and they can map it to the corresponding encrypted text. The use of additional level of encryption with the software encryption system eliminates these possibilities as it uniformly changes the values of the symbols for the whole length of the file, including the header part. This conclusion is confirmed by the results shown in Tables 5 and 7. Analysis shows that the entropy of encrypted files slightly differs from the perfect encryption system entropy with less than 0,001 bit which is 0,0125 % deviation from the perfect secrecy. The entropy of a perfect secrecy system with 256 equally possible symbols is: 255 1 (8) H ( A) log 2 2 8 8 bit. i 0 256 116 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) Table 5. Entropy of input and pGSSG encrypted files. № 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. File Password explorer.exe 2345explorer encryptPhD.exe Fast2Enc%(! notepad++.exe ++нотпад++ WinRAR.exe KoМпReСиQ CompleteSet.docx 2013BCPC DiplomnaRabota.docx Info4диплом document.docx Просто*Tekst TrainingTasks.docx Passw0rd presentation.pptx Imagine8№ IFRToolLog.txt лог$а@к§n& leMouse.rar el^gAto-te Raboti.rar lANg25cop18% Zadaniq.rar worry35ePIc^ Zadaniq.zip rAts24mOd= ALARM.WAV VarY39eRns& cat8.wav NiX^pEn=Dry1 TU.bmp myUniversit1 lenna.bmp vAN83scoUR@ snowman.jpg faLL!kOR?jiltS sozopol.jpg idS?OcHRy65 Entropy of Input File Encrypted File 5.872596706508290 7.999598134607586 7.631900643959939 7.998833667709484 6.091405544356415 7.999648675667926 6.469161170026363 7.999644709803738 7.948642291913700 7.998595024152175 7.524045264552306 7.989391747378668 7.910834642297916 7.998354864955056 7.948642291913700 7.998405935750952 7.937660319385949 7.999896904729666 4.714971677469938 7.999566854515114 7.986186549835893 7.998523780587349 7.999329046994613 7.999986138240808 7.999026651474129 7.999558585297283 7.997750400646980 7.999661066662499 6.871613007127728 7.997961560964973 4.572460198612183 7.998654459803242 7.735134585817764 7.999598750116132 5.682224748742369 7.999696018375432 7.927340915095799 7.995697933926553 7.966401975045295 7.997800281093063 As seen on Figure 6 the distribution of symbols in most file types differs radically from the uniform distribution. Exceptions are the archive files whose distribution is largely similar to the uniform and this is no coincidence, because in the archives different algorithms for compressing data are applied. This feature of the archives determines their entropy, which depending on the compression algorithm can reach up to 7.998. However in the distribution of the symbols there are usually detectable peaks of the symbols having a value of 0 or 255 (see Figure 6.c). These anomalies in the histograms are eliminated by the use of encryption with the pGSSG generator. 5 COMPARISON WITH OTHER CIPHERS In this section we compare our 257GSSG software stream cipher with four eSTREAM finalists from profile 1 which use large LFSR and a nonlinear filter with memory. The eSTREAM project was launched in 2004 as part of the EU-sponsored ECRYPT Framework VI Network of Excellence [18]. The primary goal of eSTREAM was to help developers how to analyze and design stream ciphers. To promote research in stream ciphers, a call for new proposals has been made. Two specific stream cipher profiles were identified: Profile 1: Stream ciphers for software applications with high throughput and Profile 2: Stream ciphers for hardware applications with highly restricted resources [19]. In addition, to emphases the importance of providing an authentication method along with encryption, two further profiles were proposed: Profile 1A: Stream ciphers satisfying Profile 1 with an associated authentication method and Profile 2A: Stream ciphers satisfying Profile 2 with an associated authentication method. The original call provoked significant interest and 34 stream ciphers were submitted by the deadline of April 29, 2005. All candidates are evaluated by some significant criteria like security, performance compared to the AES and to other submissions, justification and supporting analysis, simplicity and flexibility, and completeness and clarity over the tree phases of eSTREAM. Only 16 algorithms were advanced to the final phase of eSTREAM by eight in Profile 1 and 2. Four of the final eight Profile 1 ciphers use NonLinear FSR (NLFSR). They are CryptMT v3 [20], DRAGON [21], NLS v2 [22] и SOSEMANUK [23]. CryptMT version 3 is a stream cipher obtained by combining a large LFSR and a nonlinear filter with memory using integer multiplication. Its period is proved to be no less than 219937−1. The key-size can be flexibly chosen from 128 bits to 2048 bits, as well as the IV-size. The authors claim that the security level is the same with the minimum of the Key-size and the IV-size. Dragon is a word-based stream cipher, which state is initialized with 128- or 256-bit key-IV pairs. Dragon uses a single 1024-bit word based NLFSR and a 64-bit memory M which give a state size of 1088 bits. The period for the sequence produced by a 1024-bit NLFSR is 2512 and since the counter M has a period of 264, the expected Dragon period is 2576. NLSv2 is a synchronous stream cipher designed for a secret key that may be up to 128 bits in length. NLSv2’s stream generator is constructed from a NLFSR and a non-linear filter. NLSv2 is intended to provide security under the condition that no nonce is ever reused with a single key, that no more than 280 words of data are processed with one key, and that no more than 248 words of data are processed with one key/nonce pair. 117 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) Sosemanuk is a synchronous software-oriented stream cipher with variable key length between 128 and 256 bits. Any key length is claimed to achieve 128-bit security. It uses a non-singular LFSR which operates over elements of GF(232). The output Sosemanuk sequence of 32-bit words is periodic and has maximal period 2320 − 1. Table 6. Comparison of Key length, IV length and Period of Stream Ciphers Key Length, bits CryptMT v3 from 128 to 2048 DRAGON 128 or 256 NLS v2 up to 128 SOSEMANUK from 128 to 256 pGSSG, p = 257 from 297 to 547 Stream Cipher IV Length, Period bits from 128 ≥ 219937 – 1 to 2048 128 or 256 2576 280 words 128 2320 – 1 144 256.25731.8 > 2259 Here we consider only software version of pGSSG that is constructed using a single 257-ary LFSR with length L = 32. For one feedback polynomial the initial state of pGSSG is populated using the key K in conjunction with Initial Vector IV. The initial filling of the 257LFSR is done by 32 clock cycles as follows: K , ai i ( K i IVi 15 ) mod 257, 0 i 15 16 i 31 (9) For a single feedback polynomial the key K consists of 32 in count 257-ary digits, representing the initial state, and one digit for the initial value of 257-ary zero in binary pGSSG sequence. Due to the fact that a 257-ary digit can be presented binary with log2257 = 9 bits, the key length for one feedback polynomial in bits is 33.9 = 297 bits. The IV length is 16 257-ary digits, which in bits is 16.9 = 144 bits. Any key length is claimed to achieve 297-bit security. The other 250 bits of the key define which of the feedback polynomials is used to constructs the pGSSG. In this case the maximum key length can be calculated as 297 + 250 = 547 bits. The period for the sequence of 257-ary digits produced by a 257LFSR with length L = 32 is 25732 – 1. Due to self-shrinking procedure of pGSSG, the output pGSSG sequence is non-linear and its expected period is T = (p – 1).pL – 1 = 256.25731, assuming the pGSSG sequence of 257-ary digits is pseudo-random [10, 24]. Because every 257-ary digit in pGSSG sequence is transformed into log2(257 – 1) = 8 bits, then the period of pGSSG output binary sequence is greater than 256.25631.8 = 28.28.31.23 = 2259. To make the design of pGSSG more robust against cryptanalytic attacks we change the primitive feedback polynomial of used 257LFSR before the pGSSG period is produced. The number of distinct primitive polynomials in GF(25732) is shown in Table 3. The comparison shows that 257GSSG provides 297-bit security which is more than three of the eSTREAM finalists shown in Table 6. Only CryptMT v3 offer variable key length from 128 to 2048 bits, which may provide more than 297-bit security. The period of 257LFSR is less than the period of CryptMT v3 and DRAGON, more than the period of the NLS v2 and similar to the period of SOSEMANUK. Table 7. Entropy of the colour components R, G and B of the input and pGSSG encrypted images. № Image Password 1. 2. 3. 4. 5. *&^%^%sG *&*B”}@E Poiuytr^B& M*b%V)JY 12345678 medal.bmp banner.bmp DarkDoor.bmp pepper.bmp lenna.bmp Input Image R 6.0038 7.3162 7.2023 7.3388 5.0465 G 5.9726 6.9769 7.0943 7.4962 5.4576 Encrypted Image B 6.0043 6.8664 7.0060 7.0583 4.8001 R 7.99928 7.99977 7.99934 7.99930 7.99914 G 7.99943 7.99973 7.99935 7.99924 7.99918 B 7.99937 7.99974 7.99924 7.99935 7.99904 118 Encrypted File Input File International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) a) text file IFRToolLog.txt b) executable file notepad++.exe c) archive file leMouse.rar Figure 6. Distribution histograms for symbols in input and pGSSG encrypted files: a) text files, b) executable file, c) archive file. Input File Encrypted File Figure 7. Input and encrypted image and the corresponding distribution histograms for the R, G and B values. 119 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) 6 CONCLUSIONS AND FUTURE WORK 3. The secrecy of the software pGSSG encryption system is tested with the aim of its mathematical model using the term Entropy. It is proved that the system does not have perfect secrecy but transforms the data into such with uniform distribution of characters. The analysis shows that the entropy of encrypted files compared to the perfect encryption system differs with less than 0,001 bits, which is 0,0125 % deviation from the perfect secrecy. The comparison with eSTREAM finalists from profile 1 which use large NLFSR shows that software version of 257GSSG with length L = 32 offer 297-bit security which is more than the security of DRAGON, NLS v2 and SOSEMANUK. The period of the pGSSG stream cipher is compared to those of the eSTREAM finalists and it is stated that it is times longer than NLS, similar to SOSEMANUK, but shorter that the other two. This shortness is compensated by simply changing the primitive polynomial of the generator. The task of decrypting the received data has been made more complicated for the crypto-analytics when using known dependencies in the occurrence of characters in different types of information. However, there are some practical issues that need to be addressed. First, to measure the degree of randomness of sequences generated by pGSSG some statistic experiments using approximate entropy [25] must be done. Second, to analyze the problem of finding the secret key in pGSSG software system min-entropy can be used [11], which determines the probability of guessing the correct value at first attempt. Moreover, it is necessary to find the average number of guesses needed to determine the key, which is given by the guessing entropy [11]. 4. 7 REFERENCES 17. 1. 2. Massey J., Shift-register synthesis and BCH decoding, IEEE Transactions on Information Theory, vol. 15, no. 1, pp. 122–127, (1969) Gong G., Sequence Analysis, University of Waterloo, p. 137, (1999) http://calliope.uwaterloo.ca/~ggong. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. Golomb S., Shift Register Sequences, Aegean Park Press, Laguna Hills, Calif, USA, revised edition, (1982) Kanso, A. Clock-controlled generators. University of London, (1999) Tashev, T., Bedzhev, B., Tasheva, Zh. The Generalized Shrinking-Multiplexing Generator, ACM International Conference Proceeding Series 285, Article number 48, Proceedings of the 2007 international conference on Computer systems and technologies CompSysTech '07, (2007) Tasheva, Z., Bedzhev, B., Stoyanov, B. P-adic shrinking-multiplexing generator, Proceedings of the Third Workshop - 2005 IEEE Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, IDAACS 2005, pp. 443 – 448, (2005) Tasheva Zh. N. Design and Analysis of 3-ary Generalized Shrinking Multiplexing Generator, International Journal of Advance in Communication Engineering 4 (2), pp. 129-140, (2012) Coppersmith D., H. Krawczyk, Y. Mansour, The shrinking generator, Advances in Cryptology – EUROCRYPT’93, vol.773 of LNCS, Berlin, SpringerVerlag, pp. 22-39, (1993) Meier W., O. Staffelbach, The self-shrinking generator. In A.De Santis, editor, Advances in Cryptology – EUROCRYPT ’94, vol.950 of LNCS, Berlin, SpringerVerlag, pp. 205-214, (1995) Tasheva A. T., Tasheva, Zh. N., Milev, A. P., Generalization of the Self-Shrinking Generator in the Galois Field GF(pn), Advances in Artificial Intelligence, vol. 2011, Article ID 464971, 10 pages, (2011) doi:10.1155/2011/464971 Cachin, C. Entropy measures and unconditional security in cryptography. Konstanz: Hartung-Gorre, (1997) Gray R., Entropy and Information Theory, Springer, Second Edition, (2011) Lidl, Rudolf. Finite fields. Vol. 20. Cambridge University Press, (1997) Shannon, C. E. “A mathematical theory of communication.” ACM SIGMOBILE Mobile Computing and Communications Review 5, no. 1, pp. 3-55, (2001) Shannon, C. E. “Communication theory of secrecy systems.” Bell system technical journal 28, no. 4, pp. 656-715. (1949) NIST Statistical Test Suite, Version 2.1.1., August 11, (2010), http://csrc.nist.gov/groups/ST/toolkit/rng/docum entation_software.html Rukhin A., J. Soto, et.al, NIST Special Publication 80022rev1a: A Statistical Test Suite for the Validation of Random Number Generators and Pseudo Random Number Generators for Cryptographic Applications, (2010), http://csrc.nist.gov/groups/ST/toolkit/rng/ documents/SP800-22rev1a.pdf. 120 International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3(2): 111-121 The Society of Digital Information and Wireless Communications, 2014 (ISSN: 2305-0012) 18. Babbage, Steve, et al. "The eSTREAM portfolio." eSTREAM, ECRYPT Stream Cipher Project. April 15, (2008). http://www.ecrypt.eu.org/stream/portfolio.pdf. 19. ECRYPT. The eSTREAM project, http://www.ecrypt.eu.org/stream/ 20. Zhang, Haina, and Xiaoyun Wang. “On the Security of Stream Cipher CryptMT v3.” IACR Cryptology ePrint Archive 2009, pp. 110, (2009) 21. Chen, Kevin, et al. "Dragon: A fast word based stream cipher." Information Security and Cryptology–ICISC 2004. Springer Berlin Heidelberg, Seoul, Korea, pp. 3350. (2005) 22. Hawkes, Philip, et al. "Specification for NLSv2." New Stream Cipher Designs. Springer Berlin Heidelberg, pp.57-68. (2008) 23. Cho, Joo Yeon, and Miia Hermelin. “Improved linear cryptanalysis of SOSEMANUK.” Information, Security and Cryptology–ICISC 2009. Springer Berlin Heidelberg, pp. 101-117. (2010) 24. Tasheva, A., Nakov O., and Tasheva, Zh. About balance property of thep-ary generalized self-shrinking generator sequence. In Proceedings of the 14th International Conference on Computer Systems and Technologies (CompSysTech '13), ACM, New York, NY, USA, pp. 299-306. (2013) 25. Pincus S., B. H. Singer, Randomness and degrees of irregularity, Proc. Natl. Acad. Sci. USA. Vol. 93, pp. 2083-2088 (1996) 121