Stream ciphers
Van Hoang Nguyen
Mail: [email protected]
Department of Computer Science – FITA – HUA
Information Security Course --------------------------------------------- Fall 2013
Information Security ------------- Fall 2013
Van Hoang Nguyen
What is a secure cipher?
What is the best cipher?
The ciphertext should reveal no information about the plaintext.
Information Theoretic Security (Shannon 1949)
Def: a cipher (E, D) over (K, M, C) has perfect secrecy if
∀ m0, m1 ∈ M with len(m0) = len(m1) and ∀ c ∈ C:
Pr(E(k,m0)=c) = Pr(E(k,m1)=c), where k ⟵ K is chosen uniformly.
Stream cipher idea: replace the “random” key of the OTP with a “pseudorandom” key generated by a PRG from the random seed.
(key-length < message-length)
Quiz: Can a stream cipher have perfect secrecy?
Yes, if the PRG is really “secure”
No, there are no ciphers with perfect secrecy
Yes, every cipher has perfect secrecy
No, since the key is shorter than the message
Source: Online Cryptography Course – Dan Boneh
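Shannon's condition can be checked exhaustively on tiny spaces. The following Python example (added here, not part of the lecture) enumerates every key for each message and compares the ciphertext distributions: the 4-bit OTP passes, while a stream cipher built from a constructed 2-bit-to-4-bit toy PRG fails, which is the quiz's answer "No, since the key is shorter than the message".

```python
from itertools import product

def bits(n):
    """All n-bit strings as tuples of 0/1 (constructed key/message spaces)."""
    return [tuple(p) for p in product((0, 1), repeat=n)]

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def is_perfectly_secret(encrypt, keys, msgs):
    """Shannon's definition, checked exhaustively for a uniform key:
    for every m0, m1 of equal length and every ciphertext c,
    Pr[E(k,m0)=c] must equal Pr[E(k,m1)=c]."""
    def dist(m):
        counts = {}
        for k in keys:
            c = encrypt(k, m)
            counts[c] = counts.get(c, 0) + 1
        return {c: n / len(keys) for c, n in counts.items()}
    dists = {m: dist(m) for m in msgs}
    ciphertexts = {c for d in dists.values() for c in d}
    return all(dists[m0].get(c, 0) == dists[m1].get(c, 0)
               for m0 in msgs for m1 in msgs for c in ciphertexts)

def key_space_large_enough(keys, msgs):
    """Necessary condition for perfect secrecy: |K| >= |M|."""
    return len(keys) >= len(msgs)

def otp(k, m):
    return xor(k, m)

def toy_prg(seed):
    """Hypothetical 2-bit -> 4-bit expander (constructed for this example):
    the seed followed by the seed with its bits swapped."""
    return seed + (seed[1], seed[0])

def toy_stream_cipher(k, m):
    """Stream cipher: c = m XOR G(k) with a 2-bit key and 4-bit message."""
    return xor(toy_prg(k), m)

MSGS4 = bits(4)
otp_ok = is_perfectly_secret(otp, bits(4), MSGS4)                    # True
stream_ok = is_perfectly_secret(toy_stream_cipher, bits(2), MSGS4)   # False
```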
PRG must be unpredictable.
Def: a PRG is unpredictable if it is not predictable,
i.e. ∀ i: no “eff” adversary can predict bit (i+1) from the first i bits with “non-neg” advantage ε.
Negligible and non-negligible ε:
In practice, ε is a scalar:
non-negligible: ε ≥ 1/2^30
negligible: ε ≤ 1/2^80 (won’t happen over life of key)
In theory, ε is a function ε: Z≥0 ⟶ R≥0, and:
non-negligible: ∃d: ε(λ) ≥ 1/λ^d infinitely often
negligible: ∀d, ∀λ ≥ λd: ε(λ) ≤ 1/λ^d
What properties must a PRG have?
Let G: K ⟶ {0,1}^n be a PRG.
A statistical test on {0,1}^n is an algorithm A such that A(x) outputs 0 or 1.
Advantage
Let G: K ⟶ {0,1}^n be a PRG and A a statistical test on {0,1}^n. Define
AdvPRG[A,G] = | Pr[A(G(k))=1] − Pr[A(r)=1] | ∈ [0,1], with k ⟵ K and r ⟵ {0,1}^n uniform.
Example: if A(x) = 0 for all x, then AdvPRG[A,G] = 0.
Def: We say that G: K ⟶ {0,1}^n is a secure PRG if
∀ “eff” statistical test A:
AdvPRG[A,G] is “negligible”
PRG predictable ⇒ PRG is insecure (a secure PRG is unpredictable)
Suppose A is an efficient algorithm that predicts bit (i+1) of G(k) from its first i bits with non-negligible advantage ε over guessing.
Define statistical test B as: B(x) = 1 if A correctly predicts bit (i+1) of x from its first i bits, else 0.
Then AdvPRG[B, G] = |Pr[B(r)=1] − Pr[B(G(k))=1]| > ε, which is non-negligible, so G is not a secure PRG.
Thm (Yao’82): an unpredictable PRG is secure
Let G: K ⟶ {0,1}^n be a PRG.
“Thm”: if ∀ i ∈ {0, …, n-1} PRG G is unpredictable at position i, then G is a secure PRG.
Computationally indistinguishable distributions, P1 ≈p P2:
∀ “eff” statistical test A, A cannot tell samples of P1 from samples of P2 (its advantage is negligible).
Equivalently, G is a secure PRG if { k ⟵ K : G(k) } ≈p uniform({0,1}^n).
Semantic security (Shafi Goldwasser and Silvio Micali)
Semantic security game (one-time key):
Chal. picks b ∈ {0,1} and k ⟵ K.
Adv. A sends m0, m1 ∈ M with |m0| = |m1|.
Chal. returns c ⟵ E(k, mb).
Adv. A outputs b’ ∈ {0,1}.
Let EXP(b) be the experiment in which the challenger uses bit b.
E is semantically secure if for all “eff” A: AdvSS[A, E] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] | is negligible,
i.e. { E(k,m0) } ≈p { E(k,m1) }.
Example: a cipher E that leaks LSB(m) is not semantically secure.
We are given an algorithm A that recovers LSB(m) from E(k, m). Adv. B (us) plays the SS game against Chal. (b ⟵ {0,1}, k ⟵ K):
B sends m0 with LSB(m0)=0 and m1 with LSB(m1)=1.
Chal. returns c ⟵ E(k, mb).
B passes c to A, which returns LSB(mb) = b; B outputs b’ = b.
Then AdvSS[B, E] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] | = |0 – 1| = 1
The OTP is semantically secure:
Chal. picks b and k ⟵ K; Adv. A sends m0, m1 ∈ M with |m0| = |m1|; Chal. returns c ⟵ k⊕m0 or c ⟵ k⊕m1; A outputs b’ ∈ {0,1}.
For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 ] − Pr[ A(k⊕m1)=1 ] | = 0, because k⊕m0 and k⊕m1 have the same (uniform) distribution.
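The two results above, the LSB-leaking cipher with AdvSS = 1 and the OTP with AdvSS = 0, can be reproduced by playing the challenger's role in code. This Python example is added here and is not from the lecture; `leaky_encrypt` is a constructed cipher that copies LSB(m) into the ciphertext, and the OTP advantage is a sampling estimate rather than the exact 0.

```python
import secrets

def otp_encrypt(k: bytes, m: bytes) -> bytes:
    """One-time pad: c = k XOR m (k as long as m, used once)."""
    return bytes(a ^ b for a, b in zip(k, m))

def leaky_encrypt(k: bytes, m: bytes) -> bytes:
    """Constructed cipher for this example: OTP everywhere except that the
    LSB of the last ciphertext byte is set to LSB(m), so E leaks LSB(m)."""
    c = bytearray(otp_encrypt(k, m))
    c[-1] = (c[-1] & 0xFE) | (m[-1] & 1)
    return bytes(c)

def lsb_adversary(n: int):
    """Adversary B from the slide: choose m0 with LSB 0 and m1 with LSB 1,
    then guess b' = LSB read from the ciphertext (the role of the given A)."""
    m0 = bytes(n)                       # ...00, LSB(m0) = 0
    m1 = bytes(n - 1) + b"\x01"         # ...01, LSB(m1) = 1
    return m0, m1, (lambda c: c[-1] & 1)

def ss_advantage(encrypt, adversary, n: int = 8, trials: int = 2000) -> float:
    """Estimate AdvSS[A,E] = |Pr[EXP(0)=1] - Pr[EXP(1)=1]| by playing the
    challenger for b=0 and b=1 with a fresh uniform key in every run."""
    m0, m1, guess = adversary(n)
    assert len(m0) == len(m1), "the game requires |m0| = |m1|"
    ones = [0, 0]                       # number of b'=1 outputs in EXP(0), EXP(1)
    for b in (0, 1):
        for _ in range(trials):
            k = secrets.token_bytes(n)
            ones[b] += guess(encrypt(k, (m0, m1)[b]))
    return abs(ones[0] - ones[1]) / trials

if __name__ == "__main__":
    print("leaky cipher:", ss_advantage(leaky_encrypt, lsb_adversary))  # 1.0
    print("one-time pad:", ss_advantage(otp_encrypt, lsb_adversary))    # about 0
```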
Thm: if G is a secure PRG, then the stream cipher E(k, m) = m ⊕ G(k) is semantically secure.
Proof: compare two games.
Game with the OTP: Chal. picks b and r ⟵ {0,1}^n; Adv. A sends m0, m1 ∈ M with |m0| = |m1|; Chal. returns c ⟵ mb ⊕ r; A outputs b’ ∈ {0,1}.
For b=0,1: Rb := [ event that b’=1 ]
Game with the stream cipher: Chal. picks b and k ⟵ K; Adv. A sends m0, m1 ∈ M with |m0| = |m1|; Chal. returns c ⟵ mb ⊕ G(k); A outputs b’ ∈ {0,1}.
For b=0,1: Wb := [ event that b’=1 ]
Claim 1: |Pr[R0] – Pr[R1]| = AdvSS[A,OTP] = 0
Claim 2: ∃B: |Pr[Wb] – Pr[Rb]| = AdvPRG[B,G] for b = 0,1
So Pr[W0] is within AdvPRG[B,G] of Pr[R0] = Pr[R1], which is within AdvPRG[B,G] of Pr[W1].
⇒ AdvSS[A,E] = |Pr[W0] – Pr[W1]| ≤ 2·AdvPRG[B,G]
Proof of Claim 2: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]
PRG adv. B (us) receives y ∈ {0,1}^n, which is either G(k) or a uniform r.
B runs the given SS adversary A: A sends m0, m1; B returns c ⟵ m0⊕y; A outputs b’ ∈ {0,1}, and B outputs the same b’.
If y = G(k), A is playing the stream-cipher game with b=0, so Pr[B(G(k))=1] = Pr[W0]; if y = r, A is playing the OTP game with b=0, so Pr[B(r)=1] = Pr[R0].
Hence |Pr[W0] – Pr[R0]| = |Pr[B(G(k))=1] − Pr[B(r)=1]| = AdvPRG[B,G]
Real-world stream ciphers
Ronald L. Rivest
RC4 (1987)
Key scheduling (KSA): build the permutation S from the key K of keylen bytes
For i=0 to 255 do S[i]=i;
For i=0 to 255 do T[i]=K[i mod keylen];
j=0;
For i=0 to 255 do
Begin
j=(j+S[i]+T[i]) mod 256;
swap(S[i],S[j]);
End
Keystream generation (PRGA): one byte ks per round
i=0; j=0;
While (true) do
Begin
i=(i+1) mod 256;
j=(j+S[i]) mod 256;
swap(S[i],S[j]);
t=(S[i]+S[j]) mod 256;
ks=S[t];
output ks;
End
RC4 as a PRG: a 128-bit seed (the key) expands into a 2048-bit internal state S, which emits 1 byte of keystream per round.