Scientific article: Introduction to cryptanalysis of stream ciphers (specialty: Mathematics)

CC BY

TECHNICAL SCIENCES

INTRODUCTION TO CRYPTANALYSIS OF STREAM CIPHERS

Bozorov O.N.¹, Sharofov D.O.² Email: Bozorov664@scientifictext.ru

¹Bozorov Obidjon Norqobilovich - Assistant, Teacher;

²Sharofov Dadakhon Ortikjon ugli - Assistant, Teacher, Department of Information Security, Faculty of Mathematics, National University of Uzbekistan named after Mirzo Ulugbek, Tashkent, Republic of Uzbekistan

Abstract: at the present time there are many techniques and methods used in information security. We have an idea of how our information is sent to other parties and why we must protect it from attack. In this article we give an elementary introduction to the cryptanalysis of stream ciphers. First, a few historical examples are given to explain the core aspects of cryptography and the various properties of stream ciphers. We define the meaning of cryptographic strength and show how to identify weaknesses in a cryptosystem. Then we show how these cryptographic weaknesses can be exploited and attacked by a number of cryptanalytic techniques.

Keywords: cryptanalysis, attack, key, cipher, cryptosystem, shift register, asymmetric, symmetric, network, communication channel, LFSR, keystream, plaintext, ciphertext, encryption, decryption.


UDC 003.26.09

A stream cipher performs an encryption which is similar to the One-time Pad (OTP) encryption technique. It produces a large chunk of secret, random-looking data and combines it with the plaintext to produce ciphertext. Without exactly the same data chunk, the plaintext cannot be recovered from the ciphertext. The random data represents a stream of bits which is derived from the secret key and is commonly referred to as the keystream. A stream cipher contains some persistent memory, called the internal cipher state, which is initialized by the secret key and propagates to a successor state after each encryption step. The output of a strong stream cipher is comparable to (and should be indistinguishable from) a contiguous bit stream produced by a Pseudo Random Number Generator (PRNG) [4].

There are two types of stream ciphers, synchronous and self-synchronizing. In a synchronous stream cipher, the keystream bits are computed independently of the plaintext. Such ciphers are useful when the communication channel is more prone to error. By contrast, a self-synchronizing stream cipher computes the successor of its internal state with a function over the previous state and the ciphertext, so the internal state diverges from its original propagation path when a transmission error occurs.

An important objective of a stream cipher is to avoid a direct relation between the input (secret key) and output (keystream) of the cipher. Because the entropy of a stream cipher is limited to the size of the internal state, the produced keystream will eventually repeat itself.

Fig. 1.1. Typical non-linear stream cipher system: (a) Alice (sender), (b) Bob (receiver)

The cryptographic algorithm illustrated in Figure 1.1 embeds a rotating shift register, which represents the internal state of the cipher. After the computation of a new keystream bit, the successor function updates the internal state by a linear function, so as to preserve as much entropy in the cipher as possible. Then, the output component applies a non-linear filter function f(·) to compute the next keystream bit. The keystream bits are used by the sender (Figure 1.1a) to encrypt the plaintext bits by combining both bit strings with the exclusive-or (XOR) operation. The resulting ciphertext is transmitted over an insecure channel. The receiver (Figure 1.1b) performs exactly the same computations and applies another XOR operation, this time on the ciphertext bits in combination with the keystream bits. The keystream bits, already embedded in the ciphertext, are cancelled out and the original plaintext is revealed to the receiver.

The sender and the receiver use the non-linear stream cipher to compute exactly the same keystream. Then, the sender combines the keystream with the plaintext to produce the ciphertext by using the XOR operation. The receiver performs the same technique on the ciphertext together with the keystream to reconstruct and reveal the plaintext.

In most cryptosystems it is important to link multiple encrypted messages within one cryptographic session; this is called chaining of encryption. Stream ciphers inherently provide this feature since their ciphertext is produced incrementally: each step uses the previous internal state and the successor function to move forward.

Cryptanalysis is the study of ciphertext, ciphers and cryptosystems with the aim of understanding how they work and finding and improving techniques for defeating or weakening them. For example, cryptanalysts seek to decrypt ciphertexts without knowledge of the plaintext source, encryption key or the algorithm used to encrypt it; cryptanalysts also target secure hashing, digital signatures and other cryptographic algorithms.

While the objective of cryptanalysis is to find weaknesses in or otherwise defeat cryptographic algorithms, cryptanalysts' research results are used by cryptographers to improve and strengthen or replace flawed algorithms. Both cryptanalysis, which focuses on deciphering encrypted data, and cryptography, which focuses on creating and improving encryption ciphers and other algorithms, are aspects of cryptology, the mathematical study of codes, ciphers and related algorithms.

Cryptanalysis is practiced by a broad range of organizations, including governments aiming to decipher other nations' confidential communications; companies developing security products that employ cryptanalysts to test their security features; and hackers, crackers, independent researchers and academicians who search for weaknesses in cryptographic protocols and algorithms. It is this constant battle between cryptographers trying to secure information and cryptanalysts trying to break cryptosystems that moves the entire body of cryptology knowledge forward.

Cryptanalysis techniques and attacks

There are many different types of cryptanalysis attacks and techniques, which vary depending on how much information the analyst has about the ciphertext being analyzed. Some cryptanalytic methods include:

In a ciphertext-only attack, the attacker only has access to one or more encrypted messages but knows nothing about the plaintext data, the encryption algorithm being used or any data about the cryptographic key being used. This is the type of challenge that intelligence agencies often face when they have intercepted encrypted communications from an opponent.

In a known plaintext attack, the analyst may have access to some or all of the plaintext of the ciphertext; the analyst's goal in this case is to discover the key used to encrypt the message and decrypt the message. Once the key is discovered, an attacker can decrypt all messages that had been encrypted using that key. Linear cryptanalysis is a type of known plaintext attack that uses a linear approximation to describe how a block cipher works. Known plaintext attacks depend on the attacker being able to discover or guess some or all of an encrypted message, or even the format of the original plaintext. For example, if the attacker is aware that a particular message is addressed to or about a particular person, that person's name may be a suitable known plaintext.

In a chosen plaintext attack, the analyst either knows the encryption algorithm or has access to the device used to do the encryption. The analyst can encrypt the chosen plaintext with the targeted algorithm to derive information about the key.

A differential cryptanalysis attack is a type of chosen plaintext attack on block ciphers that analyzes pairs of plaintexts rather than single plaintexts, so the analyst can determine how the targeted algorithm works when it encounters different types of data.

Integral cryptanalysis attacks are similar to differential cryptanalysis attacks, but instead of pairs of plaintexts they use sets of plaintexts in which part of the plaintext is kept constant while the rest of the plaintext is varied. This attack can be especially useful when applied to block ciphers that are based on substitution-permutation networks.

A side-channel attack depends on information collected from the physical system being used to encrypt or decrypt. Successful side-channel attacks use data that is neither the ciphertext resulting from the encryption process nor the plaintext to be encrypted, but rather may be related to the amount of time it takes for a system to respond to specific queries, the amount of power consumed by the encrypting system, or electromagnetic radiation emitted by the encrypting system.

A dictionary attack is a technique typically used against password files and exploits the human tendency to use passwords based on natural words or easily guessed sequences of letters or numbers. The dictionary attack works by hashing (or encrypting) all the words in a dictionary and then checking whether the result matches a stored password hash, for example in the Windows SAM database or another password file.

Man-in-the-middle attacks occur when cryptanalysts find ways to insert themselves into the communication channel between two parties who wish to exchange their keys for secure communication via asymmetric or public key infrastructure. The attacker then performs a key exchange with each party, with the original parties believing they are exchanging keys with each other. The two parties then end up using keys that are known to the attacker.

Other types of cryptanalytic attacks can include techniques for convincing individuals to reveal their passwords or encryption keys, developing Trojan horse programs that steal secret keys from victims' computers and send them back to the cryptanalyst, or tricking a victim into using a weakened cryptosystem.

Side-channel attacks include timing attacks and differential power analysis. These attacks came to wide notice in the late 1990s when cryptographer Paul Kocher published the results of his research into timing attacks and differential power analysis attacks on Diffie-Hellman, RSA, the Digital Signature Standard (DSS) and other cryptosystems, especially against implementations on smart cards.

The applicability of differential cryptanalysis depends heavily on the possibility of gathering a set of similar encryptions which differ only to a certain extent. A straightforward approach would be to find a way that directly influences and only slightly changes the internal state of the cipher. To apply such a technique in practice, additional components of the cryptosystem are often used to intentionally create the desired difference in the internal state. Examples of such components are the internal state initialization procedure, key diversification schemes and random number generators. With control over these components an adversary can often predict and pre-compute the desired changes.

The initialization procedure of the cipher might allow an attacker to specifically change one internal state bit at a certain position. Such a minor change could lead directly to a different output, which indicates that the changed bit is a significant input to the filter function. Likewise, when the change does not influence the corresponding keystream bit, it reveals that the bit is an insignificant input to the filter function.
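The generator of Figure 1.1 and the single-bit probe just described, as an added toy model (example code with constructed parameters, not from the article): a 7-bit LFSR drives a non-linear filter f, the same XOR call serves Alice and Bob, the keystream's period is measured, and flipping one state bit shows which positions f actually reads. The register size, feedback taps, filter taps and f itself are all constructed for illustration.

```python
"""Toy non-linear filter generator in the shape of Fig. 1.1: a linear
successor function (LFSR) and a non-linear output filter f(.). Added
example with constructed parameters; not code from the article."""
from itertools import product
from typing import List, Sequence, Set

N = 7                    # 7-bit internal state
FEEDBACK_TAPS = (5, 6)   # irreducible degree-7 feedback: non-zero states cycle with period 2^7 - 1 = 127
FILTER_TAPS = (0, 3, 6)  # the only state bits f(.) reads


def f(a: int, b: int, c: int) -> int:
    """Non-linear, balanced filter function: a*b XOR c."""
    return (a & b) ^ c


def output_bit(state: Sequence[int]) -> int:
    return f(*(state[t] for t in FILTER_TAPS))


def step(state: List[int]) -> None:
    """Linear successor function: shift up, feed the parity of the taps into bit 0."""
    fb = 0
    for t in FEEDBACK_TAPS:
        fb ^= state[t]
    state[1:] = state[:-1]
    state[0] = fb


def keystream(state: Sequence[int], nbits: int) -> List[int]:
    s = list(state)                  # the initial state is derived from the secret key
    out = []
    for _ in range(nbits):
        out.append(output_bit(s))
        step(s)
    return out


def xor_with_keystream(state: Sequence[int], bits: Sequence[int]) -> List[int]:
    """Alice encrypts and Bob decrypts with this same call; the keystream cancels out."""
    return [p ^ k for p, k in zip(bits, keystream(state, len(bits)))]


def period(bits: Sequence[int]) -> int:
    """Smallest shift under which the sample repeats: the keystream must eventually repeat."""
    for p in range(1, len(bits)):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return len(bits)


def significant_inputs(states: Sequence[Sequence[int]]) -> Set[int]:
    """The probe from the text: flip one state bit and check whether the next
    keystream bit changes. A position is significant if it changes the output
    for at least one of the given states; a product term can mask it for some."""
    found: Set[int] = set()
    for st in states:
        base = output_bit(st)
        for i in range(N):
            flipped = list(st)
            flipped[i] ^= 1
            if output_bit(flipped) != base:
                found.add(i)
    return found


ALL_STATES = [list(s) for s in product((0, 1), repeat=N) if any(s)]
```

With the constructed state [1, 1, 0, 0, 1, 0, 1], significant_inputs([state]) reports only {3, 6}, because bit 3 is 0 and masks bit 0 inside the product term, while significant_inputs(ALL_STATES) reports {0, 3, 6}; period(keystream(state, 300)) is 127, the full non-zero state cycle. The probe therefore needs several initial states before a bit may be called insignificant.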

A Description of A5/1

A5/1 combines 3 LFSRs. At each step, 2 or 3 of the LFSRs are clocked, according to a clocking mechanism we describe later. The output is the parity of the outputs of the 3 LFSRs.

We denote the LFSRs as R1, R2 and R3. The lengths of R1, R2 and R3 are 19, 22 and 23 bits respectively. The output of each LFSR is its last bit (we refer to those as bits 18, 21 and 22, respectively). The registers are updated according to their primitive polynomials, which are summarized in Table 1. The clocking decision is based upon one bit of each register. The three bits are extracted (bit 8 from R1, bit 10 from R2 and bit 10 from R3) and their majority is calculated. The two or three registers whose bit agrees with the majority are clocked. We denote by Ri[j1, …, jL] the bits j1, …, jL of register Ri.

The initialization of the registers loads the bits of the secret key Key, followed by the bits of the frame number Frame, and then discards 100 output bits, as follows:

1. Set all LFSRs to 0 (R1 = R2 = R3 = 0).

2. For i := 0 to 63 do

(a) R1[0] = R1[0] ⊕ Key[i]

(b) R2[0] = R2[0] ⊕ Key[i]

(c) R3[0] = R3[0] ⊕ Key[i]

(d) Clock all three registers (i.e., for j > 0, Ri[j] ← Ri[j − 1], and Ri[0] is set to the result of the primitive polynomial on the previous value of Ri).

3. For i := 0 to 21 do

(a) R1[0] = R1[0] ⊕ Frame[i]

(b) R2[0] = R2[0] ⊕ Frame[i]

(c) R3[0] = R3[0] ⊕ Frame[i]

(d) Clock all three registers.

4. For i := 0 to 99, clock the cipher by its regular clocking mechanism, and discard the output.

After the initialization, 228 bits of output stream are computed. 114 bits are used to encrypt data from the center to the mobile phone, and the other 114 bits are used to encrypt data from the mobile phone to the center. The structure of the cipher is shown in Figure 1.2.
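The description above as an added bit-level model (example code, not from the article). Register lengths, output bits and clock-control bits are the ones stated in the text; the feedback taps, which the missing Table 1 would have given, are taken from the public A5/1 description, and the bit order of Key and Frame (least significant bit of each byte first) together with the clock-before-XOR loading order of the public reference implementation are assumptions made so that the result matches its published test values.

```python
"""Bit-level model of A5/1 (added example, not code from the article).
Register lengths, output bits and clock-control bits follow the text; the
feedback taps (the article's Table 1 is missing) are those of the public
A5/1 description."""
from typing import List, Tuple

LENGTHS = (19, 22, 23)                                # R1, R2, R3
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))  # feedback bit positions
CLOCK_BITS = (8, 10, 10)                              # bit 8 of R1, bit 10 of R2 and R3


def clock_register(reg: List[int], taps: Tuple[int, ...]) -> None:
    """Ri[j] <- Ri[j-1] for j > 0; Ri[0] <- parity of the tapped previous bits."""
    feedback = 0
    for t in taps:
        feedback ^= reg[t]
    reg[1:] = reg[:-1]
    reg[0] = feedback


class A51:
    def __init__(self, key: bytes, frame: int) -> None:
        self.regs = [[0] * n for n in LENGTHS]           # step 1: R1 = R2 = R3 = 0
        for i in range(64):                               # step 2: 64 key bits
            self._load_bit((key[i // 8] >> (i % 8)) & 1)  # LSB of key[0] first (assumed order)
        for i in range(22):                               # step 3: 22 frame-number bits, LSB first
            self._load_bit((frame >> i) & 1)
        for _ in range(100):                              # step 4: 100 regular clocks, output dropped
            self.step()

    def _load_bit(self, bit: int) -> None:
        """Clock all three registers, then XOR the bit into Ri[0] of each.
        The public reference code uses this order (assumed here); since the
        first clock acts on the all-zero state it equals the text's XOR-then-
        clock steps except that no all-register clock follows the last frame bit."""
        for reg, taps in zip(self.regs, TAPS):
            clock_register(reg, taps)
        for reg in self.regs:
            reg[0] ^= bit

    def step(self) -> int:
        """Regular clock: the majority of the three clock bits decides which
        2 or 3 registers move; the output is the parity of the last bits."""
        bits = [reg[c] for reg, c in zip(self.regs, CLOCK_BITS)]
        majority = 1 if sum(bits) >= 2 else 0
        for reg, taps, b in zip(self.regs, TAPS, bits):
            if b == majority:
                clock_register(reg, taps)
        return self.regs[0][-1] ^ self.regs[1][-1] ^ self.regs[2][-1]

    def keystream(self, nbits: int = 228) -> List[int]:
        return [self.step() for _ in range(nbits)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack MSB first; 114 bits fill 14 bytes plus the top two bits of a 15th."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)


def frame_keystreams(key: bytes, frame: int) -> Tuple[bytes, bytes]:
    """The 228 bits of one frame: 114 for centre -> mobile, 114 for mobile -> centre."""
    ks = A51(key, frame).keystream(228)
    return bits_to_bytes(ks[:114]), bits_to_bytes(ks[114:])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, ks))
```

For the test input of the public pedagogical implementation, key 12 23 45 67 89 AB CD EF and frame number 0x134, frame_keystreams returns the centre-to-mobile half 534EAA582FE8151AB6E1855A728C00 and the mobile-to-centre half 24FD35A35D5FB6526D32F906DF1AC0.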

Cryptanalysis of A5/1

Several papers about A5/1 have been published [7, 1, 2]. One of them [7] attacks an alleged version, which is very similar to the real A5/1. This attack takes on average 2^40.16 workload and finds the internal state of the cipher. However, in [7] the time unit is the time needed to solve a system of linear equations, a unit which we do not use. We, on the other hand, use (like [2]) one clocking of A5/1 as the unit of workload. Golic also presents a time-memory tradeoff, which was enhanced by Biryukov and Shamir in [2] after the first version of our paper was written.

Golic's first attack is briefly described as follows. The attack is based on creating 63.32 linear equations (on average; the analysis, however, refers to 64 equations) which can be solved, thus retrieving the internal state (as only 2^63.32 internal states are possible).

Fig. 1.2. The A5/1 Structure

In the first step, the attacker guesses n bits from each of the three registers. After this is done, the attacker knows the output of all three registers, and thus on average receives 4n/3 linear equations about the registers' contents. Also, the first output bit is known to be the parity of the most significant bits of each register at the beginning, so the attacker obtains one more equation. Therefore, the attacker now has 3n + 4n/3 + 1 linear equations. Since the analysis assumes the bits to be independent, n cannot be bigger than the shortest distance between the clock-controlling bit and the output bit.

For n = 10 the attacker gets 44.33 linear equations, so about 19 more are needed. At that point Golic noticed that not all 2^19 options need to be considered. The attacker builds a tree with all the valid options for the possible values of the three input bits to the majority clock-control function. The number of options (for the three bits) is 2.5 on average, computed as follows: in 3/4 of the cases two new bits are considered, and in the remaining 1/4 of the cases 3 new bits are considered, hence each node contains 3/4·4 + 1/4·8 = 5 options. The knowledge of the output is now used to discard about half of the options (those that lead to the wrong output value). Thus each node has a branching factor of 2.5 on average, and since knowledge of 4/3·m bits suffices to obtain the linear equations about m bits of each register (due to the clocking mechanism), the tree of clocking options needs to be considered only down to depth 4/3 · 19/3 = 76/9 = 8.44. As each level has a branching factor of 2.5, the time needed to search the tree is 2.5^8.44 = 2^11.16.

References / Список литературы

1. Anderson Ross, On Fibonacci Keystream Generators, Proceedings of Fast Software Encryption -FSE 95, Springer vol. 1008, pp 346-352, 1995.

2. Biryukov Alex, Shamir Adi. Real Time Cryptanalysis of A5/1, private communication.

3. Anderson Ross. Searching for the optimum correlation attack. In 2nd International Workshop on Fast Software Encryption (FSE 1994). Volume 1008 of Lecture Notes in Computer Science, Pages 137-143. Springer-Verlag, 1995.

4. Anderson Ross and Charalampos Manifavas. Chameleon - a new kind of stream cipher. In 4th International Workshop on Fast Software Encryption (FSE 1997). Volume 1267 of Lecture Notes in Computer Science. Pages 107-113. Springer-Verlag, 1997.

5. Anderson Ross J. Tree functions and cipher systems. Cryptologia. 15 (3):194-202, 1991.

6. Kazumaro Aoki and Yu Sasaki. Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In 29th International Cryptology Conference, Advances in Cryptology (CRYPTO 2009). Volume 5677 of Lecture Notes in Computer Science. Pages 70-89. Springer-Verlag, 2009.

7. Golic Jovan. Cryptanalysis of Alleged A5 Stream Cipher, Proceedings of Eurocrypt '97, Springer LNCS vol., pp. 239-255, 1997.
