Stream ciphers

Van Hoang Nguyen

Mail: [email protected]

Department of Computer Science – FITA – HUA

Information Security Course --------------------------------------------- Fall 2013

Dept. of Computer Science – FITA – HUA

Information Security ------------- Fall 2013

Van Hoang Nguyen

What is a secure cipher?


Van Hoang Nguyen

What is the best cipher?


Van Hoang Nguyen


Van Hoang Nguyen

The cipher text should reveal no

information about the plaintext.


Van Hoang Nguyen

Information Theoretic Security (Shannon 1949)

perfect

secrecy

P (len( )=len( )) and c C

Pr(E(k,m0)=c) = Pr(E(k,m1)=c)


Van Hoang Nguyen

K

xor

xor


Van Hoang Nguyen

K

|K|

K


Van Hoang Nguyen

P C

None

1


Van Hoang Nguyen

xor xor

K


Van Hoang Nguyen


Van Hoang Nguyen

“random”

“pseudorandom”

the random seed


Van Hoang Nguyen


Van Hoang Nguyen

(key-length < message-length)


Van Hoang Nguyen 16

Yes, if the PRG is really ”secure”

No, there are no ciphers with perfect secrecy

Yes, every cipher has perfect secrecy

No, since the key is shorter than the message

Can a stream cipher have perfect secrecy?

Sourced by Online Cryptography Course – Dan Boneh


Van Hoang Nguyen


Van Hoang Nguyen

PRG must be unpredictable.


Van Hoang Nguyen


Van Hoang Nguyen

Def: PRG is unpredictable if it is not predictable

⇒ ∀ i: no “eff” adv. can predict bit (i+1) for “non-neg” ε


Van Hoang Nguyen

ε

ε ε ≥ 1/230

ε ε ≤ 1/280 (won’t happen over life of key)

ε ε: Z≥0 ⟶ R

≥0and

ε ∃d: ε(λ) ≥ 1/λd inf. often ε

ε ∀d, λ≥λd: ε(λ) ≤ 1/λd ε


Van Hoang Nguyen

How must PRG be?


Van Hoang Nguyen

⟶ n


Van Hoang Nguyen

Statistical test on {0,1}n

is an algorithm A such that A(x) outputs 0 or 1.


Van Hoang Nguyen

Advantage

⟶ n

n

A(x) = 0 ⇒ AdvPRG [A,G] =


Van Hoang Nguyen

Def: We say that G: K ⟶{0,1}n

is a secure PRG if

∀ “eff” statistical test A:

AdvPRG(A,G) is “negligible”


Van Hoang Nguyen

PRG predictable ⇒ PRG is insecure

A secure PRG is unpredictable

Suppose A is an efficient algorithm s.t

for non-negligible ε


Van Hoang Nguyen

Define statistical test B as:

A secure PRG is unpredictable

ε

AdvPRG[B, G]=|Pr[B(r)=1] - Pr[B(G(k))=1]|>ε


Van Hoang Nguyen

Thm (Yao’82): an unpredictable PRG is secure

Let G:K ⟶{0,1}n

be PRG

“Thm”: if ∀ i ∈ {0, … , n-1} PRG G is unpredictable

at position i then G is a secure PRG.


Van Hoang Nguyen

computationally indistinguishable P1 ≈p P2

∀ “eff” statistical test A:

{ k ⟵K : G(k) } ≈p uniform({0,1}n)


Van Hoang Nguyen

Silvio Micali Shafi Goldwasser


Van Hoang Nguyen

Chal.

b

Adv. AkK

m0 , m1 : |m0| = |m1|

c E(k, mb)

b’ {0,1}


Van Hoang Nguyen

semantically secure

AdvSS[A, ]

{ E(k,m0) } ≈p { E(k,m1) }


Van Hoang Nguyen

Adv. B (us)Chal.

b{0,1}

Adv. A

(given)

kK

C E(k, mb)

m0, LSB(m0)=0

m1, LSB(m1)=1

C

LSB(mb)=b

Then AdvSS[B, E] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] |= |0 – 1| = 1


Van Hoang Nguyen

For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 ] − Pr[ A(k⊕m1)=1 ] |= 0

Chal.

b

Adv. AkK

m0 , m1 M : |m0| = |m1|

c k⊕m0 or c k⊕m1

b’ {0,1}


Van Hoang Nguyen

secure PRG

semantically secure


Van Hoang Nguyen

Chal.

b

Adv. A

kK

m0 , m1 M : |m0| = |m1|

c mb⊕ r

b’ {0,1}

r{0,1}n

For b=0,1: Rb := [ event that b’=1 ]


Van Hoang Nguyen

Chal.

b

Adv. Am0 , m1 M : |m0| = |m1|

c mb⊕ G(k)

b’ {0,1}For b=0,1: Rb := [ event that b’=1 ]

kK

r{0,1}n


Van Hoang Nguyen

Proof: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]

PRG adv. B (us)

Adv. A

(given)c m0⊕y

y ∈ {0,1}n

m0, m1

b’ ∈ {0,1}

|Pr[W0] – Pr[R0]| = = AdvPRG[B,G]


Van Hoang Nguyen

Real-world stream ciphers


Van Hoang Nguyen

Ronald L. Rivest

RC4 (1987)

For i=0 to 255 do S[i]=i;

For i=0 to 255 do T[i]=K[i mode keylen];

j=0;

For i=0 to 255 do

Begin

j=(j+S[i]+T[i]) mode 256;

swap(S[i],S[j]);

End


Van Hoang Nguyen

Ronald L. Rivest

RC4 (1987)

i,j=0;

While (true) do

Begin

i=(i+1) mode 256;

j=(j+S[i]) mode 256;

swap(S[i],S[j]);

t=(S[i]+S[j]) mode 256;

ks=S[t];

End


Van Hoang Nguyen

Ronald L. Rivest

RC4 (1987)

2048 bits128 bits

seed

1 byte

per round


Van Hoang Nguyen

Stream ciphers

Technology

Transcript of Stream ciphers