Stream ciphers – Secgroup Ca' Foscari

So far, we have illustrated cryptosystems that “reuse” the same key to encrypt letters or blocks of the plaintext. This is usually referred to as block ciphers.

$\begin{matrix} x_1 & x_2& \ldots ~~~~~~& x_n\\\downarrow& \downarrow&&\downarrow\\k\rightarrow\fbox{E}~~~~~~&k\rightarrow\fbox{E}~~~~~~&\ldots~~~~~~&k\rightarrow\fbox{E}~~~~~~\\\downarrow&\downarrow& &\downarrow\\y_1 & y_2 & \ldots ~~~~~~& y_n\end{matrix}$

This scheme can be generalized by considering a stream of keys instead of a fixed one. Let $z_1, z_2, \ldots, z_n$ be such a stream. The idea is to encrypt the first letter of the plaintext with $z_1$ , the second with $z_2$ and so on. It does not matter much if we encrypt a letter or a block, the important difference is that the used key is always different.

$\begin{matrix} x_1 & x_2 & \ldots ~~~~~~~& x_n\\\downarrow&\downarrow& &\downarrow\\z_1\rightarrow\fbox{E}~~~~~~~&z_2\rightarrow\fbox{E}~~~~~~~&\ldots~~~~~~~&z_n\rightarrow\fbox{E}~~~~~~~\\\downarrow&\downarrow& &\downarrow\\y_1 & y_2 & \ldots ~~~~~~~& y_n\end{matrix}$

Having a different key for each letter or block of the plaintext is of course appealing but not much practical. The stream of key is thus usually derived starting from an initial key $k$ . To make the stream more complex it can also depend on previous part of the plaintext. In general we say that $z_i = f_i(k,x_1,\ldots,x_{i-1})$ . To understand why a key $z_i$ cannot depend on plaintexts with indexes greater than or equal to $i$ , it is useful to reason on the decryption scheme:

$\begin{matrix} y_1 & \ldots ~~~~~~~& y_i & \ldots ~~~~~~~& y_n\\\downarrow&&\downarrow& &\downarrow\\z_1\rightarrow\fbox{D}~~~~~~~&\ldots~~~~~~~&z_i\rightarrow\fbox{D}~~~~~~~&\ldots~~~~~~~&z_n\rightarrow\fbox{D}~~~~~~~\\\downarrow& &\downarrow& &\downarrow\\x_1 & \ldots ~~~~~~~& x_2 & \ldots ~~~~~~~& x_n\end{matrix}$

Now, $z_1 = f_1(k)$ meaning that we can compute it with not knowledge of the plaintext. To compute $z_2 = f_2(k,x_1)$ , instead, we need to know $x_1$ . As a consequence, we have to decrypt $y_1$ with $z_1$ before computing $z_2$ . Once we have this key we can decrypt $x_3$ and compute $z_3$ , and so on. The values are thus computed in the following sequence: $z_1,x_1,z_2,x_2, \ldots, z_n,x_n$ . It should be evident, now, that we cannot let $z_i$ depend, e.g., on $x_i$ as we would need that plaintext to compute the key.

Notice that block ciphers are, clearly, a simple instance of stream ciphers where $z_i = k$ for all $i$ .It is also useful to classify these ciphers depending on certain properties of the key stream:

Periodic

A stream cipher is periodic its key stream has the following form $z_1,z_2,\ldots,z_d,z_{1},z_2,\ldots,z_d,z_1\ldots$ , i.e., if it repeats after $d$ steps.

Exercise. Vigenére cipher can be seen as a stream cipher acting on single letters and with a periodic key stream. Formalize the cipher giving $({\cal P},{\cal C},{\cal K},E,D)$ and defining the key stream $z_i$ .

Synchronous. A stream cipher is synchronous if its key stream does not depend on plaintexts, i.e., $z_i = f_i(k)$ for all $i$ . When this happens, we have that the key stream can be generated starting from $k$ and independently on the plaintext. This is particularly useful to improve efficiency: we do not need to obtain $x_{i}$ to compute $z_{i+1}$ . In fact, the key stream can be generated offline, before the actual ciphertext is received.

Asynchronous. This is the general case where $z_i = f_i(k,x_1,\ldots,x_{i-1})$ . As mentioned above, we need to decrypt and compute the keys stream at the same time, as a key can depend on previous plaintexts. We give a simple example of a cipher of this class, called Autokey. We let ${\cal P}={\cal C}={\cal K}=\mathbb{Z}_{26}$ . $E_z(x) = x+z \mod 26$ and $D_z(y) = y-z \mod 26$ , i.e., encryption and decryption are exactly as in a shift cipher. The key stream is defined as $z_1 = k$ and $z_i = x_{i-1}$ for $i\geq 2$ , meaning that the first key in the stream is the initial key $k$ while the next keys are the same as the previous plaintext.

$\begin{matrix} x_1 & x_2& \ldots ~~~~~~& x_n\\\downarrow& \downarrow&&\downarrow\\k\rightarrow\fbox{E}~~~~~~&x_1\rightarrow\fbox{E}~~~~~~~&\ldots~~~~~~&x_{n-1}\rightarrow\fbox{E}~~~~~~~~~~~\\\downarrow&\downarrow& &\downarrow\\y_1 & y_2 & \ldots ~~~~~~& y_n\end{matrix}$

Exercise: try to break the following ciphertext encrypted with the above autokey cipher:

GUAAMLXOOVTMRVTKXOWSSDXNVJSTVTACALTNQFTPNIHUXRPWLV