02 Stream Annotated
Dan Boneh
Stream ciphers
E is often randomized.
D is always deterministic.
One Time Pad (Vernam 1917)
msg: 0 1 1 0 1 1 1
key: 1 0 1 1 0 1 0
CT:  1 1 0 1 1 0 1   (CT = msg ⊕ key)
You are given a message (m) and its OTP encryption (c). Can you compute the OTP key from m and c?
- No, I cannot compute the key.
- Yes, the key is k = m ⊕ c.
- I can only compute half the bits of the key.
- Yes, the key is k = m ⊕ m.
Possible security requirements:
- attempt #1: attacker cannot recover secret key
- attempt #2: attacker cannot recover all of plaintext
Shannon's idea: CT should reveal no info about PT
End of Segment
Stream ciphers
Pseudorandom Generators
Review
Cipher over (K,M,C): a pair of efficient algs (E, D) s.t. ∀m∈M, k∈K: D(k, E(k, m)) = m
Weak ciphers: subs. cipher, Vigenère
A good cipher: OTP, M = C = K = {0,1}^n
  E(k, m) = k ⊕ m,
  D(k, c) = k ⊕ c
Can a stream cipher have perfect secrecy?
- Yes, if the PRG is really secure
- No, there are no ciphers with perfect secrecy
- Yes, every cipher has perfect secrecy
- No, since the key is shorter than the message
Is G predictable??
- Yes, given the first bit I can predict the second
- No, G is unpredictable
- Yes, given the first (n-1) bits I can predict the nth bit
- It depends
Weak PRGs
glibc random():
  r[i] ← ( r[i-3] + r[i-31] ) % 2^32
  output r[i] >> 1
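Added example (not from the slides): the recurrence above in Python, with a predictor that shows why it is a weak PRG. The 31-word starting table is a constructed state, not glibc's own seeding.

```python
MASK32 = (1 << 32) - 1
MASK31 = (1 << 31) - 1

# Constructed 31-word starting state; glibc fills its own table from the seed
# differently, which is not what this example is about.
SAMPLE_STATE = [(0x9E3779B9 * (j + 1)) & MASK32 for j in range(31)]


def glibc_style_outputs(state, n):
    """Run the additive recurrence from the slide, r[i] = (r[i-3] + r[i-31]) mod 2^32,
    and emit r[i] >> 1 (a 31-bit value) for n rounds."""
    r = list(state)
    outputs = []
    for i in range(31, 31 + n):
        r.append((r[i - 3] + r[i - 31]) & MASK32)
        outputs.append(r[i] >> 1)
    return outputs


def predict_next(outputs):
    """Next-output predictor that needs only the last 31 outputs.
    Dropping the low bit of r[i] loses at most one carry, so the next output is
    (o[i-3] + o[i-31]) mod 2^31 or that value plus one: two candidates, not 2^31."""
    base = (outputs[-3] + outputs[-31]) & MASK31
    return base, (base + 1) & MASK31


def prediction_rate(outputs):
    """Fraction of outputs (after the first 31) that land in the two predicted candidates."""
    hits = sum(outputs[i] in predict_next(outputs[:i]) for i in range(31, len(outputs)))
    return hits / (len(outputs) - 31)
```

A rate of 1.0 means every output after the first 31 is predictable with two guesses, which is exactly what "predictable" in the quiz above means.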
negligible (in practice): ε ≤ 1/2^80
negligible (in theory): ε(λ) is negligible if ∀d, ∃λ_d such that ∀λ ≥ λ_d: ε(λ) ≤ 1/λ^d
Few Examples:
  ε(λ) = 1/2^λ                                 : negligible
  ε(λ) = 1/λ^1000                              : non-negligible
  ε(λ) = 1/2^λ for odd λ, 1/λ^1000 for even λ  : non-negligible
End of Segment
Stream ciphers
Review
OTP: E(k,m) = m ⊕ k, D(k,c) = c ⊕ k
Stream cipher: E(k,m) = m ⊕ G(k)
Key reuse: C1 ← m1 ⊕ PRG(k), C2 ← m2 ⊕ PRG(k)
Eavesdropper does: C1 ⊕ C2 → m1 ⊕ m2
802.11 WEP: per-frame keystream PRG( IV ‖ k ), ciphertext = frame ⊕ PRG( IV ‖ k )
Length of IV: 24 bits → repeated IV after 2^24 ≈ 16M frames
On some 802.11 cards: IV resets to 0 after power cycle
Related keys: frame i is encrypted with PRG( i ‖ k ), so the keys (1 ‖ k), (2 ‖ k), ... differ only in the IV
A better construction
k → PRG → k1, k2, k3, ...  (one key per frame)
now each frame has a pseudorandom key
better solution: use stronger encryption method (as in WPA2)
Attack 2: no integrity (OTP is malleable)
  m → enc(k) → m ⊕ k
  attacker XORs in p: (m ⊕ k) ⊕ p
  dec(k): (m ⊕ k) ⊕ p ⊕ k = m ⊕ p
  Modifications to ciphertext are undetected and have predictable impact on plaintext.
Example:
  "From: Bob" → enc(k) → ciphertext
  attacker XORs in p → dec(k) → "From: Eve"
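Added example (not from the slides) covering both stream-cipher misuses on these slides: key reuse (C1 ⊕ C2 = m1 ⊕ m2, then a guessed word reveals the other message) and malleability (flipping "Bob" to "Eve" without the key). Messages and keystream are constructed values; the keystream stands in for PRG(k).

```python
def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_pad_leak(c1, c2):
    """Key reuse: C1 ⊕ C2 cancels PRG(k) and leaves m1 ⊕ m2 (no key needed)."""
    return xor_bytes(c1, c2)


def crib_drag(m1_xor_m2, crib, offset):
    """If the eavesdropper guesses that one plaintext contains `crib` at `offset`,
    XORing it into m1 ⊕ m2 reveals the other plaintext at the same position."""
    return xor_bytes(m1_xor_m2[offset:offset + len(crib)], crib)


def forge_field(ciphertext, known_fragment, wanted_fragment, offset):
    """Malleability: XORing p = known ⊕ wanted into the ciphertext changes the
    decrypted plaintext from `known_fragment` to `wanted_fragment`, without the key."""
    p = xor_bytes(known_fragment, wanted_fragment)
    end = offset + len(p)
    return ciphertext[:offset] + xor_bytes(ciphertext[offset:end], p) + ciphertext[end:]


# Constructed demo values (same length so the same keystream covers both).
M1 = b"From: Bob   Meet at noon"
M2 = b"From: Alice Pay invoice "
KEYSTREAM = bytes((37 * i + 11) & 0xFF for i in range(len(M1)))  # stands in for PRG(k)


def demo():
    c1 = xor_bytes(M1, KEYSTREAM)
    c2 = xor_bytes(M2, KEYSTREAM)            # same keystream reused: the mistake
    leak = two_time_pad_leak(c1, c2)         # = M1 ⊕ M2
    recovered = crib_drag(leak, b"From: Alice", 0)   # guess m2's header, read m1
    forged = forge_field(c1, b"Bob", b"Eve", 6)      # tamper with c1 in transit
    return recovered, xor_bytes(forged, KEYSTREAM)   # what the receiver decrypts
```

Neither step touches the key, which is why the fixes are a fresh keystream per message and an integrity check (the slides' later point), not a stronger PRG.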
End of Segment
Stream ciphers
RC4 (1987): seed → 2048-bit internal state → 1 byte of output per round
Weaknesses:
1. Bias in initial output: Pr[ 2nd byte = 0 ] = 2/256
2. Prob. of (0,0) is 1/256^2 + 1/256^3
3. Related key attacks
Linear feedback shift register (LFSR) based ciphers (badly broken):
  DVD encryption (CSS): 2 LFSRs
  GSM encryption (A5/1,2): 3 LFSRs
  Bluetooth (E0): 4 LFSRs
all broken
Cryptanalysis of CSS
Keystream: 8 bits of 17-bit LFSR output + 8 bits of 25-bit LFSR output, added (mod 256), one byte at a time
Attack setup: the encrypted movie starts with a known prefix, so the first 20 bytes of keystream (the CSS prefix) are known
For all possible initial settings of 17-bit LFSR do:
  Run 17-bit LFSR to get 20 bytes of output
  Subtract from CSS prefix → candidate 20 bytes output of 25-bit LFSR
  If consistent with 25-bit LFSR, found correct initial settings of both !!
Using key, generate entire CSS output
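Added example (not from the slides) of the search described above in Python. Register sizes and taps are parameters with constructed toy values (10 and 13 bits, not CSS's 17/25-bit registers or its real taps), and bytes are added mod 256 without the carry CSS propagates; the same function with sizes 17 and 25 is the slide's search and takes minutes in pure Python.

```python
def lfsr_bytes(state, size, taps, nbytes):
    """Fibonacci LFSR: output the low bit, shift right, feed back the XOR of the
    tapped bits. Bits are packed LSB-first, so the first `size` output bits are
    exactly the initial state, which is what the consistency check relies on."""
    out = []
    for _ in range(nbytes):
        byte = 0
        for bit in range(8):
            byte |= (state & 1) << bit
            fb = 0
            for t in taps:
                fb ^= (state >> t) & 1
            state = (state >> 1) | (fb << (size - 1))
        out.append(byte)
    return out


def keystream(st_a, st_b, cfg, nbytes):
    """CSS-style combiner: the two register outputs added byte-wise mod 256."""
    a = lfsr_bytes(st_a, cfg["size_a"], cfg["taps_a"], nbytes)
    b = lfsr_bytes(st_b, cfg["size_b"], cfg["taps_b"], nbytes)
    return [(x + y) & 0xFF for x, y in zip(a, b)]


def recover_states(prefix, cfg):
    """The slide's search: for every setting of the small register, subtract its
    output from the known keystream prefix to get the big register's candidate
    output, read the candidate initial state off its first bits, and check that
    the big register regenerates the whole candidate. Returns (state_a, state_b)."""
    n = len(prefix)
    mask_b = (1 << cfg["size_b"]) - 1
    for st_a in range(1, 1 << cfg["size_a"]):
        a = lfsr_bytes(st_a, cfg["size_a"], cfg["taps_a"], n)
        cand = [(p - x) & 0xFF for p, x in zip(prefix, a)]
        st_b = int.from_bytes(bytes(cand), "little") & mask_b
        if st_b and lfsr_bytes(st_b, cfg["size_b"], cfg["taps_b"], n) == cand:
            return st_a, st_b
    return None


# Constructed toy parameters (not CSS's); tap 0 is included so a nonzero state never becomes zero.
TOY = {"size_a": 10, "taps_a": [0, 3], "size_b": 13, "taps_b": [0, 4, 9]}
```

With 20 known bytes (160 bits) against 23 unknown state bits the solution is unique, and once both states are known the whole keystream follows, exactly as the last step above says.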
eStream
eStream: Salsa20 (SW+HW)
Salsa20: {0,1}^(128 or 256) × {0,1}^64 → {0,1}^n   (max n = 2^73 bits)
Each 64-byte output block i is computed from the 32-byte key k, the nonce r and the block counter i
Is Salsa20 secure (unpredictable)?
Unknown: no known provably secure PRGs
In reality: no known attacks better than exhaustive search
Performance: AMD Opteron, 2.2 GHz (Linux), Crypto++ 5.6.0 [Wei Dai]
  PRG                     Speed (MB/sec)
  RC4                     126
  Salsa20/12 (eStream)    643
  Sosemanuk (eStream)     727
Generating Randomness
Pseudo random generators in practice (e.g. /dev/random):
  Continuously add entropy to internal state
  Entropy sources:
    Hardware RNG: Intel RdRand inst. (Ivy Bridge), 3 Gb/sec
    Timing: hardware interrupts (keyboard, mouse)
NIST SP 800-90: NIST approved generators
End of Segment
Stream ciphers
be a PRG
is indistinguishable from
Statistical Tests
Statistical test on {0,1}^n: an alg. A s.t. A(x) outputs 0 or 1. Examples:
Statistical Tests
More examples:
Advantage
Let G:K→{0,1}^n be a PRG and A a stat. test on {0,1}^n
Define:
Suppose G:K→{0,1}^n satisfies msb(G(k)) = 1 for 2/3 of keys in K
Define stat. test A(x) as: if [ msb(x)=1 ] output 1 else output 0
Then AdvPRG[A,G] = | Pr[ A(G(k))=1 ] − Pr[ A(r)=1 ] | = | 2/3 − 1/2 | = 1/6
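Added example (not from the slides): the advantage definition computed exactly, by enumerating every key and every n-bit string, for a constructed toy generator with the slide's msb bias. It goes slightly beyond the slide by also running a second test (parity) against the same generator, to show that advantage is a property of the pair (test, generator).

```python
from fractions import Fraction
from itertools import product


def prg_advantage(G, keys, test, n):
    """Exact Adv_PRG[test, G] = | Pr_{k←keys}[test(G(k))=1] − Pr_{r←{0,1}^n}[test(r)=1] |,
    by enumerating every key and every n-bit string (feasible only for toy sizes)."""
    p_prg = Fraction(sum(test(G(k)) for k in keys), len(keys))
    p_rand = Fraction(sum(test(r) for r in product((0, 1), repeat=n)), 2 ** n)
    return abs(p_prg - p_rand)


N = 4            # output length of the toy generator
KEYS = range(6)  # constructed key space of 6 keys, so "2/3 of keys" is exactly 4 of them


def G_biased(k):
    """Constructed toy generator matching the slide: msb is 1 for 2/3 of the keys;
    the remaining bits are just the low bits of k (a stand-in, not a real PRG)."""
    msb = 1 if k < 4 else 0
    rest = tuple((k >> i) & 1 for i in range(N - 1))
    return (msb,) + rest


def msb_test(x):
    """The slide's test A: output 1 iff msb(x) = 1."""
    return 1 if x[0] == 1 else 0


def parity_test(x):
    """A different statistical test: output 1 iff x has an odd number of ones."""
    return sum(x) % 2
```

The parity test has advantage 0 against this G even though the msb test has 1/6, which is why "secure" has to hold for every efficient test.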
Easy fact:
We show:
Easy fact:
Thm (Yao'82): If next-bit predictors cannot distinguish G from random then no statistical test can !!
Let G:K→{0,1}^n be a PRG such that from the last n/2 bits of G(k) it is easy to compute the first n/2 bits.
More Generally
Let P1 and P2 be two distributions over {0,1}^n
Def: We say that P1 and P2 are computationally indistinguishable (denoted P1 ≈p P2)
End of Segment
Stream ciphers
Semantic security
Goal: secure PRG ⇒ secure stream cipher
Possible security requirements:
- attempt #1: attacker cannot recover secret key
- attempt #2: attacker cannot recover all of plaintext
Recall Shannon's idea: CT should reveal no info about PT
Shannon (identical distributions): { E(k,m0) } = { E(k,m1) }
Semantic security (computationally indistinguishable): { E(k,m0) } ≈p { E(k,m1) }
[Diagram: semantic security experiment between a challenger and Adv. A; A outputs a bit b ∈ {0,1}; advantage ∈ [0,1]]
Examples
Suppose efficient A can always deduce LSB of PT from CT.
Then E = (E,D) is not semantically secure:
  Chal.: k ← K, b ∈ {0,1}
  Adv. B (us): picks m0, m1 with LSB(m0)=0, LSB(m1)=1
  Chal.: C ← E(k, mb), sends C to B
  B forwards C to Adv. A (given), which returns LSB(mb) = b
EXP(0):  Chal. k ← K;  Adv. A sends m0, m1 ∈ M : |m0| = |m1|;  c ← k ⊕ m0;  Adv. A outputs b ∈ {0,1}
EXP(1):  Chal. k ← K;  Adv. A sends m0, m1 ∈ M : |m0| = |m1|;  c ← k ⊕ m1;  Adv. A outputs b ∈ {0,1}
identical distributions, so the OTP is semantically secure
End of Segment
Stream ciphers
Proof: intuition
  chal. k ← K;  m0, m1;  c ← m0 ⊕ G(k);  adv. A → b'
      ≈p
  chal. r ← {0,1}^n;  m0, m1;  c ← m0 ⊕ r;  adv. A → b'
      =   (OTP: identical distributions)
  chal. r ← {0,1}^n;  m0, m1;  c ← m1 ⊕ r;  adv. A → b'
      ≈p
  chal. k ← K;  m0, m1;  c ← m1 ⊕ G(k);  adv. A → b'
Chal.: k ← K, r ← {0,1}^n;  Adv. A: m0, m1 ∈ M : |m0| = |m1|;  c ← mb ⊕ G(k);  Adv. A
Chal.: k ← K, r ← {0,1}^n;  Adv. A: m0, m1 ∈ M : |m0| = |m1|;  c ← mb ⊕ r;  Adv. A
Claim 1:
Claim 2: ∃B: |Pr[W0] − Pr[R0]| = AdvPRG[B,G]
Proof of Claim 2, the PRG adversary B:
  B gets y ∈ {0,1}^n; runs Adv. A (given): A sends m0, m1; B replies c ← m0 ⊕ y; A outputs b ∈ {0,1}
  AdvPRG[B,G] =
End of Segment