miércoles, 24 de octubre de 2012

Report 3

Stream Cipher

Hi, this is the report 3, this report is about stream ciphers, the teacher let us choose a stream cipher, i choose Phelix Stream Cipher.

The total homework is:

- Choose a stream cipher.
- Describe its operation.
- Describe known attacks and vulnerabilities.

Ok, firstly i'm going to explain what the hell is a stream cipher and then i will conclude explaining  the stream cipher that i choose (Phelix).

Stream Cipher

Stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream.. In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the cyphertext stream. An alternative name is a state cipher as the encryption of each digit is dependent on the current state. In practice, a digit is typically a bit and the combining operation an xor

The pseudorandom keystream is typically generated serially from a random seed value using digital shift registers. The seed value serves as the cryptographic key for decrypting the ciphertext stream.



Ok, now Phelix is a high speed stream cipher with a built-in single-pass message authentication code (MAC, don't confuse with Mac address hehe) functionality. Phelix was submitted in 2004 by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller.

Phelix operation is as follows:

The origin of Phelix is a modified form of Helix (another stream cipher), is the strengthened version of Helix.

Phelix uses a 256-bit key and a 128-bit nonce. The key is secret, and the nonce is typically public knowledge. Phelix is optimized for 32-bit platforms; all operations are on 32-bit words. The only operations used are addition modulo 2^32, exclusive or, and rotation by ¯xed numbers of bits. The design philosophy of Phelix can be summarized as many simple rounds.

Phelix has a state that consists of nine words of 32 bits each. The state is broken up into two groups: 5 "active" state words, which participate in the block update function, and 4 "old" state words that are only used in the keystream output function. A single round of Phelix consists of adding (or xoring) one active state word into the next, and rotating the first word. This is shown in Figure 1, where the active state words are shown as vertical lines. Multiple rounds are applied in a cyclical pattern to the active state. The horizontal lines of the rounds wind themselves in helical fashion through the active state words. Twenty rounds make up one block (see Figure 2). Phelix actually uses two intertwined helices; a single block contains two full turns of each of the helices. 

I made a diagram to explain better the previous explanatio (is very simple, but it help to understand easily).

During each block, several other activities occur. During block i, one word of keystream is generated (Si), two words of key material are added (Xi;0 and Xi;1), and one word of plaintext is added (Pi). The output state of one block is used as input to the next, so the computations shown in ¯gure 2 are all that is required to process 4 bytes of the message. As with any stream cipher, the ciphertext is created by xoring the plaintext with the keystream.

At the start of an encryption, a starting state is derived from the key and nonce. The key words Xi;j depend on the key, the length of the input key, the nonce, and the block number i. State-guessing attacks are made more di±cult by adding key material at double the rate at which key stream material is extracted. At the end of the message, some extra processing is done, after which a 128-bit MAC tag is produced to authenticate the message.


A Phelix encryption is started by setting

Z^(-8) := K(j+3) "XOR" Nj         for j = 0, ... ,3

Z4^(-8) := K7

Z4^(i) := 0                                   for i = -12, ... , -9

Pi := 0                                         for i = -8, ..., -1

Eight blocks are then applied, using block number i = -8, ... ,-1. For these blocks, the generated keystream words are discarded.


After the initialization, the plaintext is encrypted. Let k := [(L(P) + 3)/4] be the number of words in the plaintext. The encryption consists of k blocks numbered 0 to k -1. Each block generates one word of keystream, which is used to encrypt one word of the plaintext. Depending on L(P) mod 4, between 1 and 4 of the bytes of the last keystream word are used.

Computing the mask

Just after the block that encrypted the last plaintext byte, one of the state words is modified. The internal state word Z0^(k) is xored with the value 0x912d94f1.

Using this modifed state, eight blocks, numbered k; ... ,k + 7 are applied for post-mixing. For these blocks, the plaintext word Pi is defined as L(P) mod 4, and the generated keystream is discarded . After the post-mixing, four more blocks, numbered k + 8, ... , k + 11, are applied, using the same plaintext input word (i.e., L(P) mod 4).


Decryption is almost identical to encryption. The only diferences are:

-The keystream "Si" generated after the first application of the H function in each block is used to decrypt the ciphertext, producing the plaintext word that is used in the second application of the H function within the block. The implementation must insure that any unused bytes of the final plaintext word are taken as zero for purposes of computing the block function, regardless of value of the extra keystream bytes.

- Once the tag has been generated, it is compared to the tag provided. If the two values are not identical, all generated data (i.e., the keystream, plaintext, and tag) is destroyed.

The keystream words generated by these four blocks form the MAC tag.

Attacks and vulnerabilities. 

- Only bruteforce attack is proved to be possible till now.

- Salehani, Ahmadi claimed an attack but later withdrew the claim.

- Wu,Preneel pointed out attacks against senders who do not follow the Phelix specifcation.

pyPhelix (library in python)

A very nice nice library of python of this stream cipher is  pyPhelix, you can found more information, and examples in this site (it is very good, i recomend it): http://www.seanet.com/~bugbee/crypto/phelix/

This is a very simple example of Phelix stream cipher implementation:

I can't run the program cause i had a lot of problems compiling pyPhelix.c file(this file is necessary compile it to import pyPhelix library).
There is no much information about pyPhelix :(



If you have any doubt you can leave it in comments.


1 comentario: