Chap 567 New


Transcript of Chap 567 New

  • 8/3/2019 Chap 567 New

    1/38

    PRNG, Stream and Block Cipher

    Feb. 15, 2002

    2/38

    Index

    Pseudo Random Number Generator
      Random bit generation
      Pseudorandom bit generation
      Statistical tests
      Cryptographically secure pseudorandom bit generation
    Stream Cipher
      Feedback shift registers
      Stream ciphers based on LFSRs
      Other stream ciphers
    Block Cipher
      Introduction
      Modes of Operation
      etc.

    3/38

    Introduction

    RBG (random bit generator): a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.

    An RBG can be used to generate random numbers.

    Example: a random integer in the interval [0, n]
      generate a random bit sequence of length ⌊lg n⌋ + 1 and convert it to an integer
      if the resulting integer exceeds n, discard it and generate a new sequence

    PRBG (pseudorandom bit generator)
      Given a truly random sequence of length k, deterministically outputs a sequence of length l >> k which appears to be random.
      The input to the PRBG is called the seed. The output of a PRBG is not random.
      The intention is that an adversary cannot efficiently distinguish between output sequences of the PRBG and truly random sequences of length l.
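The accept/reject procedure above, as an added example (not code from the slides): the slide's method is implemented on top of `secrets.randbits`, and an exhaustive walk over every possible bit pattern is used to show why it is uniform while the common shortcut of reducing a fixed-width value modulo n+1 is not. Function names are this example's own.

```python
import secrets

def random_int_rejection(n, rand_bits=secrets.randbits):
    """Uniform integer in [0, n] exactly as the slide describes: draw
    floor(lg n) + 1 bits, read them as an integer, retry if it exceeds n."""
    if n < 0:
        raise ValueError("n must be non-negative")
    if n == 0:
        return 0
    nbits = n.bit_length()               # == floor(lg n) + 1 for n >= 1
    while True:
        x = rand_bits(nbits)
        if x <= n:                       # every value in [0, n] is equally likely
            return x                     # P(reject) < 1/2 per draw, since 2^(nbits-1) <= n

def rejection_histogram(n):
    """Exhaustively feed every nbits-bit pattern through the accept/reject step:
    each accepted value appears exactly once (uniform); the rest trigger a retry."""
    nbits = n.bit_length()
    counts, rejected = [0] * (n + 1), 0
    for v in range(1 << nbits):
        if v <= n:
            counts[v] += 1
        else:
            rejected += 1
    return counts, rejected

def modulo_histogram(n, width):
    """The common shortcut (draw `width` bits, reduce mod n+1) for comparison:
    unless n+1 divides 2^width, the low values are hit one extra time (modulo bias)."""
    counts = [0] * (n + 1)
    for v in range(1 << width):
        counts[v % (n + 1)] += 1
    return counts
```

For n = 5 the rejection step accepts each of 0..5 once and retries on 6 and 7, whereas an 8-bit value reduced mod 6 lands on 0..3 forty-three times each but on 4 and 5 only forty-two times. The bias is small here, but the same defect in a nonce or private-key generator is what a statistical or lattice attack feeds on.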

    4/38

    Introduction (contd.)

    LCG (linear congruential generator): produces a pseudorandom sequence of numbers x_1, x_2, x_3, ... according to the linear recurrence
      x_n = a·x_{n-1} + b mod m, n ≥ 1
      a, b and m are parameters which characterize the generator; x_0 is the (secret) seed.
      Not suitable for cryptographic use: given a partial output sequence, the remainder of the sequence can be reconstructed even if the parameters a, b and m are unknown.

    Unix Random

    Definitions
      A PRBG passes all polynomial-time statistical tests if no polynomial-time algorithm can distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 1/2.
      A PRBG passes the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits of an output sequence, can predict the (l+1)st bit with probability significantly greater than 1/2.
      A PRBG that passes the next-bit test is called a CSPRBG.
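The reconstruction claim for LCGs, as an added example that is not part of the slides: from three consecutive outputs with known modulus m, a and b follow by solving the two linear equations, and from a somewhat longer run even m is recovered from the gcd of the "second differences" of the outputs (the differences d_i = x_{i+1} − x_i satisfy d_{i+1} ≡ a·d_i mod m, so d_{i+1}·d_{i−1} − d_i² is a multiple of m). The generator parameters used in the test are constructed for illustration.

```python
from itertools import islice
from math import gcd

def lcg(a, b, m, seed):
    """The slide's recurrence x_n = a*x_{n-1} + b mod m, yielding x_1, x_2, ..."""
    x = seed
    while True:
        x = (a * x + b) % m
        yield x

def recover_lcg_params(outputs, m):
    """Known m: from x2 = a*x1 + b and x3 = a*x2 + b,
    a = (x3 - x2) * (x2 - x1)^-1 mod m and b = x2 - a*x1 mod m.
    Needs gcd(x2 - x1, m) = 1 (always true for prime m unless x2 == x1)."""
    x1, x2, x3 = outputs[:3]
    a = ((x3 - x2) * pow((x2 - x1) % m, -1, m)) % m
    b = (x2 - a * x1) % m
    return a, b

def recover_modulus(outputs):
    """Unknown m: every d_{i+1}*d_{i-1} - d_i^2 is a multiple of m, so their gcd is m
    (or a small multiple of it) once enough outputs are available."""
    d = [y - x for x, y in zip(outputs, outputs[1:])]
    g = 0
    for i in range(1, len(d) - 1):
        g = gcd(g, abs(d[i + 1] * d[i - 1] - d[i] * d[i]))
    return g

def predict_next(outputs, m=None):
    """Predict the output that follows `outputs`, learning m, a, b if necessary."""
    if m is None:
        m = recover_modulus(outputs)
    a, b = recover_lcg_params(outputs, m)
    return (a * outputs[-1] + b) % m
```

Roughly a dozen outputs suffice in practice; the attack needs no knowledge of the seed, which is why an LCG used for session identifiers or nonces is predictable to anyone who sees a few of its values.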

    5/38

    Random Bit Generation

    Hardware-based
      elapsed time between emission of particles during radioactive decay
      thermal noise from a semiconductor diode or resistor
      the frequency instability of a free-running oscillator
      air turbulence within a disk drive, which causes random fluctuations in drive sector read latency times
      sound from a microphone or video input from a camera

    Software-based
      the system clock
      elapsed time between keystrokes or mouse movements
      content of input/output buffers
      user input
      operating system values such as system load and network statistics

    6/38

    Random Bit Generation (contd)

    De-skewing
      A natural source of random bits may be defective in that the output bits may be biased or correlated.
      De-skewing: techniques for generating truly random bit sequences from the output bits of such a defective generator.

    Techniques
      Suppose that a generator produces biased but uncorrelated bits.
      Suppose that the probability of a 1 is p, where p is unknown but fixed, 0 < p < 1.
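The slide breaks off before naming its technique; the classic corrector for exactly this setting (biased, uncorrelated bits, unknown fixed p) is von Neumann's, shown here as an added example that is not from the slides. The biased source is constructed with a seeded PRNG purely to have reproducible input.

```python
import random

def biased_source(p, count, seed=1):
    """Constructed stand-in for a defective hardware source: independent bits
    with P(1) = p (p is unknown to the de-skewer)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(count)]

def von_neumann_deskew(bits):
    """Von Neumann's corrector (assumed here, not named on the slide).
    Consume the input in non-overlapping pairs: 01 -> 0, 10 -> 1, and discard
    00 and 11.  For independent bits P(01) = P(10) = p(1-p), so the output is
    unbiased whatever p is; the price is an expected yield of p(1-p) per input bit."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out

def ones_fraction(bits):
    return sum(bits) / len(bits) if bits else 0.0
```

The uncorrelated assumption matters: if the source has memory (the second bit of a pair depends on the first) or p drifts between the two draws of a pair, 01 and 10 are no longer equally likely and the output is biased again. That is why practical designs feed raw entropy into a cryptographic hash or a CSPRBG rather than relying on this corrector alone.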

    7/38

    Pseudo Random Bit Generation

    ANSI X9.17 generator
      INPUT: an integer m, a 64-bit random seed s, and a Triple-DES encryption key k.
      OUTPUT: m pseudorandom 64-bit strings x_1, x_2, ..., x_m
      1. Compute the intermediate value I = E_k(D), where D is a 64-bit representation of the current date/time to as fine a resolution as is available.
      2. For i from 1 to m do the following:
         1. x_i ← E_k(I ⊕ s)
         2. s ← E_k(x_i ⊕ I)
      3. Return (x_1, x_2, ..., x_m)

    More generators: FIPS 186 (for DSA)
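The X9.17 loop above in runnable form, as an added example that is not the standard's reference code. The Python standard library has no Triple-DES, so E_k is a stand-in keyed function (HMAC-SHA256 truncated to 64 bits); the generator's structure and its state update are exactly the slide's, and a real implementation would substitute a single-block 3DES or AES encryption for `make_block_fn`.

```python
import hashlib
import hmac
import struct
import time

def make_block_fn(key):
    """Stand-in for E_k (Triple-DES in X9.17; the stdlib lacks it): HMAC-SHA256
    truncated to one 64-bit block.  A keyed pseudorandom function is all the
    generator's argument relies on; swap in 3DES/AES on one block for the real thing."""
    def E(block):
        assert len(block) == 8
        return hmac.new(key, block, hashlib.sha256).digest()[:8]
    return E

def xor8(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def x917_generate(m, seed, key, timestamp=None):
    """Steps 1-3 of the slide. Returns the m 64-bit outputs and the updated seed s,
    so the caller can keep the state and continue the stream later."""
    assert len(seed) == 8
    E = make_block_fn(key)
    if timestamp is None:
        timestamp = time.time_ns()           # D: date/time at the finest resolution available
    D = struct.pack(">Q", timestamp & (2**64 - 1))
    I = E(D)                                 # step 1
    s, out = seed, []
    for _ in range(m):                       # step 2
        x = E(xor8(I, s))                    #   x_i <- E_k(I xor s)
        s = E(xor8(x, I))                    #   s   <- E_k(x_i xor I)
        out.append(x)
    return out, s                            # step 3 (plus the new state)
```

The security of the construction rests on k and s staying secret; the timestamp only adds freshness. A caller that discards the returned s and restarts from the original seed with a predictable timestamp gets a repeated stream.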

    8/38

    Statistical Tests

    While it is impossible to give a mathematical proof that a generator is indeed a random bit generator, the tests help detect certain kinds of weaknesses the generator may have.

    This is accomplished by taking a sample output sequence of the generator and subjecting it to various statistical tests.

    A generator that passes is "not rejected" rather than "accepted": the term accepted should be replaced by not rejected.

    Five basic tests (using chi-square analysis)
      Frequency test: number of 0s and 1s
      Serial test: number of 00, 01, 10, 11
      Poker-k test: number of occurrences of each k-bit string
      Runs test: comparing the observed run lengths with the expected run lengths
      Autocorrelation test: correlations between s and a shifted version of s

    9/38

    FIPS 140-1 statistical tests for randomness

    A single bit string s of length 20000 bits, output from a generator, is subjected to each of the following tests. If any of the tests fail, then the generator fails the test.

    (i) monobit test. The number n_1 of 1s in s should satisfy 9654 < n_1 < 10346.

    (ii) poker test. The statistic X_3 defined by equation (5.3) is computed for m = 4. The poker test is passed if 1.03 < X_3 < 57.4.
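The FIPS 140-1 battery as runnable code, added here and not taken from the slides. The monobit and poker bounds are the slide's; equation (5.3) is not reproduced on the page, so the poker statistic X_3 = (2^m/k)·Σ n_i² − k (k = ⌊n/m⌋ blocks, n_i the count of the i-th m-bit pattern) is assumed from the standard. The runs intervals and the 34-bit long-run limit are the standard's remaining two tests, included so the whole suite can be run; the sample input is constructed from SHA-256 in counter mode.

```python
import hashlib

def poker_statistic(bits, m=4):
    """X_3 = (2^m / k) * sum_i n_i^2 - k over the k = floor(n/m) non-overlapping
    m-bit blocks; n_i counts the i-th m-bit pattern (assumed form of equation (5.3))."""
    k = len(bits) // m
    counts = {}
    for i in range(k):
        v = 0
        for b in bits[i * m:(i + 1) * m]:
            v = (v << 1) | b
        counts[v] = counts.get(v, 0) + 1
    return (2 ** m * sum(c * c for c in counts.values())) / k - k

# FIPS 140-1 runs test: allowed count of runs of each length, per bit value (6 means ">= 6")
RUNS_INTERVALS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
                  4: (223, 402), 5: (90, 223), 6: (90, 223)}

def runs(bits):
    """Count maximal runs of identical bits by value and length (>= 6 pooled),
    and return the longest run seen."""
    counts = {(v, l): 0 for v in (0, 1) for l in range(1, 7)}
    longest, i = 0, 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        longest = max(longest, j - i)
        counts[(bits[i], min(j - i, 6))] += 1
        i = j
    return counts, longest

def fips_140_1(bits):
    """All four FIPS 140-1 tests on one 20000-bit sample; a generator is rejected
    if any entry is False."""
    assert len(bits) == 20000
    counts, longest = runs(bits)
    return {
        "monobit": 9654 < sum(bits) < 10346,
        "poker": 1.03 < poker_statistic(bits, 4) < 57.4,
        "runs": all(lo <= counts[(v, l)] <= hi
                    for v in (0, 1) for l, (lo, hi) in RUNS_INTERVALS.items()),
        "long_run": longest < 34,
    }

def sample_bits(n, seed=b"constructed seed"):
    """Constructed sample: SHA-256 in counter mode stands in for the generator under test."""
    out, ctr = [], 0
    while len(out) < n:
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.extend((byte >> (7 - i)) & 1 for byte in digest for i in range(8))
        ctr += 1
    return out[:n]
```

The alternating string 0101... is the instructive failure: it has exactly 10000 ones and sails through the monobit test, but every 4-bit block is 0101, giving X_3 = 75000, and every run has length 1, so the poker and runs tests reject it. Passing all four tests is still only "not rejected": an LCG or a counter fed through a good hash passes them too.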

    10/38

    Statistical tests (contd.)

    Maurer's universal statistical test
      The basic idea is that it should not be possible to significantly compress the output sequence of an RBG.
      Thus, if a sample output sequence s of a bit generator can be significantly compressed, the generator should be rejected.
      The universality arises because it is able to detect any one of a very general class of possible defects a bit generator might have.
      A drawback over the five basic tests is that it requires a much longer sample output sequence in order to be effective.
      A two-sided test, used with a significance level between 0.001 and 0.01.

    11/38

    CSPRBG (RSA generator)

    Basic algorithm
      Setup: primes p, q, n = pq and φ = (p−1)(q−1); choose e with 1 < e < φ, gcd(e, φ) = 1
      1. Select a random integer x_0 (the seed) in the interval [1, n−1].
      2. For i from 1 to l do the following:
         1. x_i ← x_{i−1}^e mod n
         2. z_i ← the least significant bit of x_i
      3. The output sequence is z_1, z_2, ..., z_l.

    Efficiency
      If e = 3, then generating z_i requires one modular multiplication and one modular squaring.
      Can be improved by extracting the j least significant bits of x_i (j = c·lg lg n); if n is sufficiently large, this generator is still cryptographically secure.
      For fixed n, the explicit range of values of c for which this holds under the intractability of the RSA problem has not been determined.

    12/38

    Micali-Schnorr

    Setup: p, q, n = pq and * = (p 1)(q 1), 1 < e< *, gcd(e, *) =1,N=bit length of n, 80 e e n, k = -N(1-2/e) , r = N-k

    1. Select a random integer x0 (the seed) of bit length r

    2. Generate sequence of length k l: For i from 1 to l do the following:

    1. yi n xei mod n.

    2. xi : r most significant bit of yi.3. zi : k least significant bit of yi.

    3. The output sequence is z1|| z2 || || zl.

    Properties

    Efficiency: -N(1-2/e) bit sequence is generated per exponentiation

    Secure under assumption that distribution xe mod n for random r-

    bit sequences x is indistinguishable by all poly statistical tests from

    the uniform distribution of integers in the interval [0, n1].

    stronger assumption than RSA problem

    13/38

    Blum-Blum-Shub (BBS) PRBG

    Basic algorithm
      Setup: primes p, q, each ≡ 3 (mod 4), n = pq
      1. Select a random integer s (the seed) in [1, n−1] such that gcd(s, n) = 1 and compute x_0 ← s^2 mod n.
      2. For i from 1 to l do the following:
         1. x_i ← x_{i−1}^2 mod n
         2. z_i ← the least significant bit of x_i
      3. The output sequence is z_1, z_2, ..., z_l.

    Efficiency
      One modular squaring per output bit.
      Can be improved by extracting the j least significant bits of x_i (j = c·lg lg n); if n is sufficiently large, this generator is still cryptographically secure.
      For fixed n, the explicit range of values of c for which this holds under the intractability of the factoring problem has not been determined.
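The RSA generator (slide 11) and BBS (this slide) side by side, as an added example that is not from the slides. The moduli in the test (n = 7·11 = 77) are deliberately tiny so the values can be checked by hand; the security of either generator presupposes an n that is infeasible to factor, and with a toy modulus the output is periodic after a handful of bits.

```python
from math import gcd

def rsa_generator(n, e, seed, nbits):
    """RSA PRBG: x_i = x_{i-1}^e mod n, output the least significant bit of each x_i.
    Caller supplies n = pq and e coprime to (p-1)(q-1); p, q are not needed to run it."""
    assert 1 <= seed <= n - 1
    x, out = seed, []
    for _ in range(nbits):
        x = pow(x, e, n)
        out.append(x & 1)
    return out

def bbs_generator(p, q, seed, nbits, j=1):
    """Blum-Blum-Shub: p, q both 3 mod 4, x_0 = s^2 mod n, x_i = x_{i-1}^2 mod n.
    Outputs the j least significant bits of each x_i (j = 1 is the basic form;
    the slide's j = c*lg lg n improvement is the same loop with j > 1)."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    assert gcd(seed, n) == 1
    x, out = pow(seed, 2, n), []
    for _ in range(nbits):
        x = pow(x, 2, n)
        out.extend((x >> b) & 1 for b in range(j - 1, -1, -1))   # most significant of the j first
    return out
```

Worked values for the test: with n = 77, e = 7 and seed 3 the RSA generator visits 31, 59, 38, giving bits 1, 1, 0; with p = 7, q = 11 and seed 3, BBS starts from x_0 = 9 and visits 4, 16, 25, 9, giving bits 0, 0, 1, 1 before the cycle repeats. Both generators spend a full modular exponentiation per bit (one squaring for BBS), which is why they are used to seed faster generators rather than to produce bulk keystream.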

    14/38

    Index

    Pseudo Random Number Generator
      Random bit generation
      Pseudorandom bit generation
      Statistical tests
      Cryptographically secure pseudorandom bit generation
    Stream Cipher
      Feedback shift registers
      Stream ciphers based on LFSRs
      Other stream ciphers
    Block Cipher
      Introduction
      DES
      etc.

    15/38

    Stream Cipher: Introduction

    Definition: a stream cipher encrypts individual characters of a plaintext message one at a time, using an encryption transformation which varies with time.

    Block vs. stream
      Block ciphers
        process plaintext in relatively large blocks (e.g. n ≥ 64 bits)
        the same function is used to encrypt successive blocks: memoryless
      Stream ciphers
        process plaintext in small blocks, and the encryption function may vary as the plaintext is processed: have memory
        sometimes called state ciphers, since encryption depends not only on the key and plaintext, but also on the current state
      This distinction between block and stream ciphers is not definitive: adding memory to a block cipher (as in CBC) results in a stream cipher.

    16/38

    One-time Pad and Stream Cipher

    One-time pad (OTP)
      Vernam cipher: c_i = m_i ⊕ k_i for i = 1, 2, 3, ...
      If the key is generated independently and randomly (and never reused): one-time pad
      H(M|C) = H(M), where M and C are the random variables for plaintext and ciphertext: the ciphertext contributes no information about the plaintext.
      Shannon proved that a necessary condition for a symmetric-key encryption scheme to be unconditionally secure is that H(K) ≥ H(M).
      If the key, of bit length k, is chosen independently and randomly, then H(K) = k, and k ≥ H(M).
      The OTP is unconditionally secure regardless of the distribution of the plaintext.
      Drawback: the key must be as long as the plaintext, which is a key-management problem.
      Hence a stream cipher tries to solve this problem by having a short key and generating a pseudorandom sequence from it: not unconditionally secure, but it tries to be computationally secure.

    17/38

    Synchronous Stream Cipher

    Definition: the keystream is generated independently of the plaintext and of the ciphertext
      s_{i+1} = f(s_i, k): next-state function, s_0 is the initial state
      z_i = g(s_i, k): keystream generation function
      c_i = h(z_i, m_i): output (encryption) function
      e.g. OFB mode

    [Figure: encryption (left) and decryption (right). State s_i → f → s_{i+1}; s_i → g → z_i; encryption c_i = h_k(z_i, m_i), decryption m_i = h_k^{-1}(z_i, c_i).]

    18/38

    Synchronous Stream Cipher (contd.)

    Properties
      synchronization requirements: both sender and receiver must be synchronized, using the same key and operating at the same position in the keystream
      If synchronization is lost due to inserted or deleted ciphertext digits, decryption fails and can only be restored through additional techniques for re-synchronization.
      no error propagation: a ciphertext digit that is modified (but not deleted) during transmission does not affect the decryption of other ciphertext digits.
      active attacks: the insertion, deletion or replay of ciphertext digits by an active adversary causes immediate loss of synchronization; and since there is no error propagation, an adversary can make controlled changes to selected ciphertext digits and know exactly how the corresponding plaintext digits are affected.

    19/38

    Stream Cipher

    Binary additive stream cipher: a synchronous stream cipher in which the keystream, plaintext and ciphertext digits are binary digits, and the output function h is XOR.

    Self-synchronizing stream cipher: the keystream is generated as a function of the key and a fixed number of previous ciphertext digits (e.g. 1-bit CFB).

    [Figure: binary additive stream cipher (KSG_k → z_i; c_i = m_i ⊕ z_i, m_i = c_i ⊕ z_i) and self-synchronizing stream cipher (z_i = g(k, previous ciphertext digits); c_i = h_k(z_i, m_i), m_i = h_k^{-1}(z_i, c_i)).]

    20/38

    Linear Feedback Shift Registers

    Properties
      LFSRs are well-suited to hardware implementation
      can produce sequences of large period
      can produce sequences with good statistical properties
      because of their structure, they can be readily analyzed using algebraic techniques

    Definition
      An LFSR of length L consists of L stages numbered 0, 1, ..., L−1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time:
        the content of stage 0 is output and forms part of the output sequence;
        the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1;
        the new content of stage L−1 is the feedback bit s_j, calculated by adding together modulo 2 the previous contents of a fixed subset of the stages.

    21/38

    Pseudo-Random Binary Sequence (PRBS) generated by a Linear Feedback Shift Register (LFSR) with period 2^L − 1

    [Figure: stages L−1, L−2, ..., 1, 0, output taken from stage 0; feedback taps c_1, c_2, ..., c_{L−1}, c_L summed modulo 2 give the new bit s_j entering stage L−1.]

    An LFSR of length L is denoted by ⟨L, C(D)⟩, where C(D) = 1 + c_1 D + c_2 D^2 + ... + c_L D^L is the connection polynomial over Z_2 (c_i = 1 if stage L−i is tapped).

    22/38

    LFSR (contd.)

    Output sequence: s_j = (c_1 s_{j−1} + c_2 s_{j−2} + ... + c_L s_{j−L}) mod 2 for j ≥ L

    Some facts
      If C(D) is a primitive polynomial, the LFSR produces an output sequence with the maximum possible period 2^L − 1 (a maximum-length LFSR, producing an m-sequence), which has very good statistical properties.
      The linear complexity of a sequence s is the length of the shortest LFSR generating s, denoted L(s).
      If a keystream has linear complexity n, the generating LFSR, and hence the entire keystream, can be found from any 2n consecutive keystream bits using the Berlekamp-Massey algorithm.

    23/38

    Stream ciphers based on LFSRs

    Why: to augment the linear complexity (or destroy the linear properties of LFSRs), since a single LFSR is recovered by Berlekamp-Massey from 2L bits. Three approaches:
      use a nonlinear combining function on the outputs of several LFSRs (a linear combination does not help: the linear complexity of the XOR of two LFSR sequences is at most the sum of their linear complexities)
      use a nonlinear filtering function on the contents of a single LFSR
      use the output of one (or more) LFSRs to control the clock of one (or more) other LFSRs

    Desirable properties of LFSR-based keystream generators
      large period
      large linear complexity
      good statistical properties
      computationally secure: there are no mathematical proofs of security for such generators
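One worked example for slides 20 to 23, added here and not taken from the slides: an LFSR run from its connection polynomial, the period check for a primitive C(D), the Berlekamp-Massey algorithm recovering ⟨L, C(D)⟩ from 2L output bits and then predicting the rest of the stream, and a nonlinear combination generator built on three LFSRs to show the linear complexity rising. The combiner is the Geffe function z = x_1 x_2 ⊕ x_2 x_3 ⊕ x_3 (an assumption of this example; the slide names no particular combiner), and the polynomials 1 + D + D^3, 1 + D + D^4 and 1 + D^2 + D^5 are primitive.

```python
def lfsr(taps, state, count):
    """Run <L, C(D)>: taps = [c_1, ..., c_L], state = the first bits s_0, s_1, ...
    (at least L of them; s_0 is output first). Continues with
    s_j = (c_1 s_{j-1} + ... + c_L s_{j-L}) mod 2 and returns s_0 .. s_{count-1}."""
    L = len(taps)
    out = list(state)
    assert len(out) >= L
    while len(out) < count:
        j = len(out)
        out.append(sum(taps[k - 1] & out[j - k] for k in range(1, L + 1)) & 1)
    return out[:count]

def period(taps, state):
    """Smallest p > 0 after which the register state repeats; 2^L - 1 for primitive C(D)."""
    L = len(taps)
    out = lfsr(taps, state[:L], 2 ** (L + 1))
    for p in range(1, 2 ** L):
        if out[p:p + L] == out[:L]:
            return p
    return None

def berlekamp_massey(s):
    """Return (L(s), [1, c_1, ..., c_L]): the shortest LFSR generating the bit list s.
    2*L(s) consecutive bits determine it, so they determine the whole keystream."""
    n = len(s)
    c, b = [0] * (n + 1), [0] * (n + 1)          # current and previous connection polys
    c[0] = b[0] = 1
    L, m = 0, -1                                 # current length, index of last length change
    for i in range(n):
        d = s[i]                                 # discrepancy between s_i and the prediction
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d == 1:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):       # c(D) <- c(D) + D^shift * b(D)
                c[j + shift] ^= b[j]
            if 2 * L <= i:                       # length must grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def geffe(lfsrs, count):
    """Nonlinear combination generator (Geffe): z = x1*x2 xor x2*x3 xor x3 over three
    LFSR outputs. With primitive polynomials of pairwise coprime lengths L1, L2, L3
    the linear complexity is L1*L2 + L2*L3 + L3. Returns (z, x1)."""
    x1, x2, x3 = (lfsr(t, st, count) for t, st in lfsrs)
    z = [(a & b) ^ (b & c) ^ c for a, b, c in zip(x1, x2, x3)]
    return z, x1

def agreement(u, v):
    """Fraction of positions where two bit sequences agree."""
    return sum(a == b for a, b in zip(u, v)) / len(u)
```

With L_1, L_2, L_3 = 3, 4, 5 the combined stream has linear complexity 12 + 20 + 5 = 37, so Berlekamp-Massey now needs 74 bits instead of 8 and recovers a 37-stage equivalent, not the three small registers. Large linear complexity is not the same as security, though: the Geffe output equals x_1 about three quarters of the time, and that correlation lets an attacker recover LFSR 1's state on its own (a correlation attack), which is exactly the gap the slide's "no mathematical proofs of security" warns about.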

    24/38

    Stream ciphers based on LFSRs (contd.)

    Examples

    [Figure: (a) nonlinear combination generator: LFSR_1, LFSR_2, ..., LFSR_n feeding a combining function f; (b) a second arrangement in which f is applied to LFSR_1 and LFSR_2.]

    25/38

    Other Stream Ciphers

    Optimized for software implementation

    RC4
      proprietary, not presented here

    SEAL (Software-optimized Encryption ALgorithm)
      a length-increasing pseudorandom function which maps a 32-bit sequence number n to an L-bit keystream under control of a 160-bit secret key a
      in the preprocessing stage, the key is stretched into larger tables using the table-generation function G_a (based on SHA-1)
      subsequent to this preprocessing, keystream generation requires about 5 machine instructions per byte
      an order of magnitude faster than DES

    26/38

    Index

    Pseudo Random Number Generator
      Random bit generation
      Pseudorandom bit generation
      Statistical tests
      Cryptographically secure pseudorandom bit generation
    Stream Cipher
      Feedback shift registers
      Stream ciphers based on LFSRs
      Other stream ciphers
    Block Cipher
      Introduction
      Modes of Operation
      etc.

    27/38

    Block Cipher: Introduction

    maps n-bit plaintext blocks to n-bit ciphertext blocks (n: block length); use of plaintext and ciphertext of equal size avoids data expansion
    to allow unique decryption, the encryption function must be one-to-one (invertible)
    for n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors
    each key potentially defines a different bijection

    Definition
      An n-bit block cipher is a function E : V_n × K → V_n such that for each key k ∈ K, E(P, k) is an invertible mapping (the encryption function for k) from V_n to V_n, written E_k(P).
      The inverse mapping is the decryption function, denoted D_k(C).
      C = E_k(P) denotes that ciphertext C results from encrypting plaintext P under k.

    28/38

    Practical security and complexity of attack

    Basic assumptions
      the adversary has access to all data transmitted over the ciphertext channel
      (Kerckhoffs' assumption) the adversary knows all details of the encryption function except the secret key

    Classes of attacks
      ciphertext-only: no additional information is available
      known-plaintext: plaintext-ciphertext pairs are available
      chosen-plaintext: ciphertexts are available corresponding to plaintexts of the adversary's choice
      adaptive chosen-plaintext: the choice of plaintexts may depend on previous plaintext-ciphertext pairs

    29/38

    ECB (Electronic CodeBook) Mode

    Encryption: for 1 ≤ j ≤ t, c_j

    30/38

    CBC (Cipher-Block Chaining) Mode

    Encryption: c_0 ← IV, c_j ← E_K(c_{j−1} ⊕ x_j)
    Decryption: c_0 ← IV, x_j ← c_{j−1} ⊕ E_K^{−1}(c_j)

    chaining causes ciphertext c_j to depend on all preceding plaintext blocks
    a single bit error in c_j affects the decipherment of blocks c_j and c_{j+1}: the recovered x_j is garbled, while the recovered x_{j+1} has a bit error in exactly the same position as c_j
    self-synchronizing: an error in c_j (but not in c_{j+1}, c_{j+2}) is recovered from, and c_{j+2} is correctly decrypted to x_{j+2}
    can be used as a MAC: send x_1, x_2, ..., x_n together with c_n, the last block computed with a fixed IV (CBC-MAC; secure only for messages of a fixed length)

    [Figure: encryption c_j = E_key(x_j ⊕ c_{j−1}) with c_0 = IV; decryption x_j = c_{j−1} ⊕ E^{−1}_key(c_j).]

    31/38

    CFB-r (Cipher FeedBack) Mode

    INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n)
    OUTPUT: r-bit ciphertext blocks c_1, ..., c_u

    1) Encryption: I_1 ← IV. (I_j is the input value in a shift register.) For 1 ≤ j ≤ u:
       O_j ← E_K(I_j). (Compute the block cipher output.)
       t_j ← the r leftmost bits of O_j. (Assume the leftmost is identified as bit 1.)
       c_j ← x_j ⊕ t_j. (Transmit the r-bit ciphertext block c_j.)
       I_{j+1} ← 2^r · I_j + c_j mod 2^n. (Shift c_j into the right end of the shift register.)

    2) Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j:
       x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above.

    32/38

    CFB-r Mode (contd.)

    [Figure: encipherment and decipherment. An n-bit shift register I_j (I_1 = IV) feeds E under the key; the leftmost r bits of O_j are XORed with x_j to give c_j (respectively with c_j to give x_j); c_j is shifted into the right end of the register for the next block.]

    33/38

    Properties of CFB-r
      re-ordering ciphertext blocks affects decryption
      one or more bit errors in any single r-bit ciphertext block c_j affects the decipherment of that block and of the next ⌈n/r⌉ ciphertext blocks
      self-synchronizing similar to CBC, but requires ⌈n/r⌉ blocks to recover
      for r

    34/38

    OFB (Output FeedBack) Mode with full (or r-bit) feedback

    INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n)
    OUTPUT: r-bit ciphertext blocks c_1, ..., c_u

    Encryption: I_1 ← IV. For 1 ≤ j ≤ u, given plaintext block x_j:
       O_j ← E_K(I_j). (Compute the block cipher output.)
       t_j ← the r leftmost bits of O_j. (Assume the leftmost is identified as bit 1.)
       c_j ← x_j ⊕ t_j. (Transmit the r-bit ciphertext block c_j.)
       I_{j+1} ← O_j. (Update the block cipher input for the next block: full feedback.)
       or I_{j+1} ← 2^r · I_j + t_j mod 2^n. (Shift the output t_j into the right end of the shift register: r-bit feedback.)

    Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j:
       x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above.

    35/38

    OFB-r Mode

    [Figure: encipherment and decipherment. I_j (I_1 = IV) → E under the key → O_j; the leftmost r bits t_j are XORed with x_j to give c_j (respectively with c_j to give x_j); O_j (full feedback) or t_j shifted into the register (r-bit feedback) becomes I_{j+1}.]

    36/38

    Properties of the OFB-r
      the keystream is plaintext-independent
      a bit error in c_j affects the decipherment of only that character, in the same bit position
      recovers from ciphertext bit errors, but cannot self-synchronize after ciphertext bits are lost
      for r
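One worked example for the CBC, CFB-r and OFB-r slides (30 to 36), added here and not taken from the slides: the three modes implemented exactly as written above over a 64-bit block cipher, plus a harness that flips one bit in the first ciphertext block and reports which plaintext blocks come back wrong. The standard library has no DES or AES, so the block cipher is a stand-in 4-round Feistel network with an HMAC-SHA256 round function: invertible by construction (so CBC decryption works) but not a secure cipher. Keys, IV and plaintext in the test are constructed.

```python
import hashlib
import hmac

BLOCK = 8   # n = 64-bit blocks, as for DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_cipher(key, rounds=4):
    """Toy 64-bit block cipher (stand-in for E_K, E_K^-1): a Feistel network with an
    HMAC-SHA256 round function. Invertible, deterministic, NOT secure."""
    def F(half, i):
        return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]
    def E(block):
        l, r = block[:4], block[4:]
        for i in range(rounds):
            l, r = r, xor(l, F(r, i))
        return r + l
    def D(block):
        r, l = block[:4], block[4:]
        for i in reversed(range(rounds)):
            l, r = xor(r, F(l, i)), l
        return l + r
    return E, D

def cbc_encrypt(E, iv, blocks):           # c_j = E_K(c_{j-1} xor x_j), c_0 = IV
    prev, out = iv, []
    for x in blocks:
        prev = E(xor(prev, x))
        out.append(prev)
    return out

def cbc_decrypt(D, iv, cts):              # x_j = c_{j-1} xor E_K^-1(c_j)
    prev, out = iv, []
    for c in cts:
        out.append(xor(prev, D(c)))
        prev = c
    return out

def cfb_encrypt(E, iv, r, blocks):        # r in bytes; register I holds n bits
    I, out = iv, []
    for x in blocks:
        t = E(I)[:r]                      # t_j = leftmost r bits of O_j
        c = xor(x, t)
        out.append(c)
        I = I[r:] + c                     # I_{j+1} = 2^r I_j + c_j mod 2^n
    return out

def cfb_decrypt(E, iv, r, cts):           # uses E, never D
    I, out = iv, []
    for c in cts:
        out.append(xor(c, E(I)[:r]))
        I = I[r:] + c
    return out

def ofb_encrypt(E, iv, r, blocks, full_feedback=False):
    """Decryption is the same call: the keystream t_j depends only on K and IV."""
    I, out = iv, []
    for x in blocks:
        O = E(I)
        t = O[:r]
        out.append(xor(x, t))
        I = O if full_feedback else I[r:] + t   # I_{j+1} = O_j, or 2^r I_j + t_j mod 2^n
    return out

def bit_diff(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def error_propagation(mode, key, iv, blocks, r=BLOCK):
    """Encrypt, flip the top bit of the first ciphertext block, decrypt, and return
    (indices of plaintext blocks that came back wrong, the recovered blocks)."""
    E, D = make_cipher(key)
    if mode == "cbc":
        enc, dec = (lambda b: cbc_encrypt(E, iv, b)), (lambda c: cbc_decrypt(D, iv, c))
    elif mode == "cfb":
        enc, dec = (lambda b: cfb_encrypt(E, iv, r, b)), (lambda c: cfb_decrypt(E, iv, r, c))
    else:
        enc = dec = lambda b: ofb_encrypt(E, iv, r, b)
    cts = enc(blocks)
    cts[0] = bytes([cts[0][0] ^ 0x80]) + cts[0][1:]
    rec = dec(cts)
    return [i for i, (a, b) in enumerate(zip(rec, blocks)) if a != b], rec
```

The harness reproduces the three slides' error-propagation claims: in CBC the first block is garbled and the second has exactly one flipped bit, then decryption resynchronizes; in CFB with r = 16 bits on a 64-bit cipher the first block has the single flipped bit and the next n/r = 4 blocks are garbled before the corrupted value has shifted out of the register; in OFB only the single bit is wrong. The same experiment with a deleted block instead of a flipped bit shows the flip side: CBC and CFB recover, OFB never does.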

    37/38

    Other Block Ciphers

    FEAL (Fast data Encipherment ALgorithm): an N-round block cipher
      has suffered many attacks, and hence motivated new attacks on block ciphers (e.g. differential and linear cryptanalysis)
      Japanese standard

    IDEA
      64-bit plaintext block, 64-bit ciphertext block, 128-bit key, 8 rounds
      James Massey (with Xuejia Lai)
      uses algebraic functions from different groups: multiplication mod 2^16 + 1, addition mod 2^16 (and XOR)

    SAFER, RC5, AES

    38/38

    To teach is to learn twice !!