Professional Documents
Culture Documents
Dan Boneh
Stream ciphers
Dan Boneh
E is often randomized.
D is always deterministic.
Dan Boneh
(Vernam 1917)
(Vernam 1917)
msg: 0 1 1 0 1 1 1
key: 1 0 1 1 0 1 0
CT:
Dan Boneh
You are given a message (m) and its OTP encryption (c).
Can you compute the OTP key from m and c ?
(Vernam 1917)
Dan Boneh
(for now)
Dan Boneh
where k KR
Dan Boneh
Dan Boneh
Let and .
How many OTP keys map to ?
None
1
2
Depends on
Dan Boneh
Dan Boneh
||
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Stream ciphers
Pseudorandom
Generators
Dan Boneh
Review
Cipher over (K,M,C): a pair of efficient algs (E, D) s.t.
mM, kK: D(k, E(k, m) ) = m
Weak ciphers: subs. cipher, Vigener,
A good cipher: OTP
M=C=K={0,1}n
E(k, m) = k m ,
D(k, c) = k c
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Is G predictable ??
Yes, given the first bit I can predict the second
No, G is unpredictable
Yes, given the first (n-1) bits I can predict the nth bit
It depends
Dan Boneh
Weak PRGs
glibc random():
r[i+ ( r[i-3] + r[i-31] ) % 232
output r[i] >> 1
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Stream ciphers
Negligible vs.
non-negligible
Dan Boneh
negligible:
1/280
negligible: d, d: () 1/d
Few Examples
() = 1/2 : negligible
() =
() = 1/1000 : non-negligible
1/2
for odd
1/1000 for even
Negligible
Non-negligible
Dan Boneh
n()
n()
)
= G(k)
]
1,,i
i+1
> 1/2 + ()
End of Segment
Dan Boneh
Dan Boneh
Stream ciphers
Review
OTP:
E(k,m) = m k
D(k,c) = c k
G: K {0,1}n
E(k,m) = m G(k)
D(k,c) = c G(k)
Dan Boneh
C2 m2 PRG(k)
Eavesdropper does:
C1 C2
m1 m2
Dan Boneh
CRC(m)
PRG( IV ll k )
IV
ciphetext
PRG( IV ll k )
ciphetext
IV
CRC(m)
(1 ll k)
(2 ll k)
Dan Boneh
A better construction
k
PRG
Dan Boneh
Dan Boneh
Dan Boneh
Attack 2: no integrity
m
enc ( k )
(OTP is malleable)
mk
p
mp
dec ( k )
(mk)p
Attack 2: no integrity
From: Bob
enc ( k )
(OTP is malleable)
From: Bob
From: Eve
dec ( k )
From: Eve
End of Segment
Dan Boneh
Dan Boneh
Stream ciphers
Real-world Stream
Ciphers
Dan Boneh
(1987)
2048 bits
seed
1 byte
per round
Weaknesses:
1. Bias in initial output: Pr[ 2nd byte = 0 ] = 2/256
2. Prob. of (0,0) is 1/2562 + 1/2563
3. Related key attacks
Dan Boneh
(badly broken)
all broken
Dan Boneh
(badly broken)
Dan Boneh
Cryptanalysis of CSS
17-bit LFSR
+
25-bit LFSR
(mod 256)
encrypted movie
prefix
CSS prefix
eStream
{0,1}s R {0,1}n
E(k, m ; r) = m PRG(k ; r)
The pair (k,r) is never used more than once.
Dan Boneh
eStream: Salsa 20
(SW+HW)
k
r
i
32 bytes
0
k
1
r
h
i
2
(10 rounds)
k
3 64 bytes
64 byte
output
64 bytes
Dan Boneh
Is Salsa20 secure
(unpredictable) ?
Dan Boneh
Performance:
AMD Opteron, 2.2 GHz
eStream
Crypto++ 5.6.0
[ Wei Dai ]
( Linux)
PRG
Speed (MB/sec)
RC4
126
Salsa20/12
643
Sosemanuk
727
Dan Boneh
Generating Randomness
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Stream ciphers
Dan Boneh
be a PRG
is indistinguishable from
Dan Boneh
Statistical Tests
Statistical test on {0,1}n:
an alg. A s.t. A(x) outputs 0 or 1
Examples:
Dan Boneh
Statistical Tests
More examples:
Dan Boneh
Advantage
Let G:K {0,1}n be a PRG and A a stat. test on {0,1}n
Define:
Dan Boneh
| Pr[ A(G(k))=1]
- Pr[ A(r)=1 ] | =
| 2/3 1/2 | =
1/6
Dan Boneh
Easy fact:
We show:
Easy fact:
Dan Boneh
Thm (Yao82):
Thm:
More Generally
Let P1 and P2 be two distributions over {0,1}n
Def: We say that P1 and P2 are
computationally indistinguishable (denoted
R
Example: a PRG is secure if { k K
: G(k) } p uniform({0,1}n)
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Stream ciphers
Semantic security
Goal: secure PRG secure stream cipher
Dan Boneh
(for now)
{ E(k,m0) }
= { E(k,m1) }
where kK
{ E(k,m0) } p { E(k,m1) }
where kK
Adv. A
m0 , m1 M : |m0| = |m1|
c E(k, mb)
b {0,1}
[0,1]
Dan Boneh
is negligible.
{ E(k,m0) }
{ E(k,m1) }
Dan Boneh
Examples
Suppose efficient A can always deduce LSB of PT from CT.
b{0,1}
Chal.
kK
m0,
m1,
LSB(m0)=0
LSB(m1)=1
C E(k, mb)
Adv. B (us)
Adv. A
(given)
LSB(mb)=b
Chal.
kK
m0 , m1 M : |m0| = |m1|
Adv. A
c k m 0
b {0,1}
identical distributions
EXP(1):
Chal.
kK
m0 , m1 M : |m0| = |m1|
c k m 1
Adv. A
b {0,1}
End of Segment
Dan Boneh
Dan Boneh
Stream ciphers
Dan Boneh
Proof: intuition
chal.
kK
m0 , m1
adv. A
c m0 G(k)
chal.
r{0,1}n
m0 , m1
c m0 r
b1
p
chal.
kK
m0 , m1
adv. A
c m1 G(k)
b1
chal.
r{0,1}n
adv. A
m0 , m1
b1
adv. A
c m1 r
b1
Dan Boneh
Chal.
kK
r{0,1}n
m0 , m1 M : |m0| = |m1|
Adv. A
c mb G(k)
b {0,1}
For b=0,1: Wb := * event that b=1 +.
AdvSS[A,E] = | Pr[ W0 + Pr[ W1 ] |
Dan Boneh
Chal.
kK
r{0,1}n
m0 , m1 M : |m0| = |m1|
Adv. A
c mb r
b {0,1}
For b=0,1: Wb := * event that b=1 +.
AdvSS[A,E] = | Pr[ W0 + Pr[ W1 ] |
Claim 1:
Claim 2:
|Pr[R0] Pr[R1]| =
B: |Pr[Wb] Pr[Rb]| =
Pr[W0]
Pr[Rb]
Pr[W1]
Proof of claim 2:
B:
|Pr[W0] Pr[R0]| =
AdvPRG[B,G]
Algorithm B:
y {0,1}n
m0, m1
b {0,1}
c m0y
Adv. A
(given)
AdvPRG[B,G] =
Dan Boneh
End of Segment
Dan Boneh