Posted on 14-Aug-2020
Random Number Generation and Stream Cipher
GOUTAM PAUL
Asst. Professor, Department of Computer Science & Engineering
Jadavpur University, Kolkata.
July 16, 2011
Tutorial Workshop on Cryptology (Jointly organized by: CU & Centre of Excellence in Cryptology, ISI)
Rajabazar Science College Campus, University of Calcutta, India.
Outline
1 Randomness: Defining Randomness; Testing Randomness; Cryptographic Randomness
2 Random Number Generation: Natural Random Number Generators; Pseudo-Random Number Generators
3 Stream Ciphers: Hardware Stream Ciphers; Software Stream Ciphers; Distinguisher
1 Randomness
Notion of Randomness
A numeric sequence is said to be statistically random when it contains no recognizable patterns or regularities.
Examples:
Sequence of Head and Tail in an unbiased coin toss.
Results of an ideal die roll.
Digits of π.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 4 of 51
Test of (Non-)Randomness
It is not possible to mathematically prove that a sequence is random.
It is possible to test whether a sequence is non-random.
Frequency Test
Checking that each symbol occurs with equal frequency.
For a binary string, the proportion of 0’s and 1’s should be 0.5 each.
Can be generalized to n-gram frequencies.
Gap Test
Look at the distances between successive occurrences of a particular symbol.
For example, for the symbol 0,
00 would be a distance of 0,
030 would be a distance of 1,
02250 would be a distance of 3, etc.
Run Test
A run is a sequence of consecutive identical digits.
This test is based on the frequency of run-lengths.
Example: 522238 has a run of 2’s of length 3.
Autocorrelation Test
Correlation between two sequences/processes gives a measure of similarity between them.
Autocorrelation: correlation between the measurements of the same process at two different instances of time.
If random, such autocorrelations should be near zero for any and all time-lag separations.
Maurer’s Universal Test
Source modeled as an ergodic stationary process with finite memory, having arbitrary (unknown) state transition probabilities.
Example with a Binary String
Consider the string 0010110011101.
Frequency test: freq(0) = 6, freq(1) = 7; freq(00) = 2, freq(01) = 4, freq(10) = 3, freq(11) = 3.
Gap test (for the symbol 0): freq(gap 0) = 2, freq(gap 1) = 1, freq(gap 2) = 1, freq(gap 3) = 1.
Run test: freq(len 1) = 4, freq(len 2) = 3, freq(len 3) = 1.
Autocorrelation test:
Lag 1 autocorrelation = 0·0 + 0·1 + 1·0 + 0·1 + 1·1 + 1·0 + 0·0 + 0·1 + 1·1 + 1·1 + 1·0 + 0·1 = 3,
Lag 2 autocorrelation = 0·1 + 0·0 + 1·1 + 0·1 + 1·0 + 1·0 + 0·1 + 0·1 + 1·1 + 1·0 + 1·1 = 3.
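The frequency, gap, run and autocorrelation tests of the preceding slides, run over the slide's own string 0010110011101, as an added Python example (this is not code from the original deck). The counting conventions are taken from the slide's figures and are assumptions of this example: overlapping n-grams, gaps measured as the number of symbols between successive occurrences, and the unnormalised autocorrelation as the sum of products x_i·x_{i+lag}. The monobit p-value is the standard NIST SP 800-22 form of the frequency test, added here to make the slide's point concrete that a test can only reject randomness, never prove it.

```python
# Added example: the deck's frequency, gap, run and autocorrelation tests
# applied to the slide's sample string. Not code from the original slides.
import math
from collections import Counter
from itertools import groupby

SAMPLE = "0010110011101"  # the string used on the slide


def frequency_test(s, n=1):
    """Counts of overlapping n-grams; n=1 gives the single-symbol frequencies."""
    return Counter(s[i:i + n] for i in range(len(s) - n + 1))


def gap_test(s, symbol="0"):
    """Distribution of gaps between successive occurrences of `symbol`,
    measured as the number of symbols in between (00 -> 0, 030 -> 1, ...)."""
    positions = [i for i, c in enumerate(s) if c == symbol]
    gaps = [b - a - 1 for a, b in zip(positions, positions[1:])]
    return Counter(gaps)


def run_test(s):
    """Distribution of run lengths (maximal blocks of one repeated symbol)."""
    return Counter(len(list(g)) for _, g in groupby(s))


def autocorrelation(s, lag):
    """Unnormalised autocorrelation as written on the slide: sum of x_i * x_{i+lag}."""
    bits = [int(c) for c in s]
    return sum(a * b for a, b in zip(bits, bits[lag:]))


def monobit_p_value(s):
    """Frequency (monobit) test in the NIST SP 800-22 form: map bits to +/-1,
    compare the partial sum against sqrt(n). A small p-value (say < 0.01)
    rejects the hypothesis that the string is random; a large one does not
    prove randomness, which is the slide's point about (non-)randomness tests."""
    n = len(s)
    total = sum(1 if c == "1" else -1 for c in s)
    s_obs = abs(total) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


if __name__ == "__main__":
    print("symbols  :", dict(frequency_test(SAMPLE)))
    print("bigrams  :", dict(frequency_test(SAMPLE, 2)))
    print("gaps(0)  :", dict(gap_test(SAMPLE)))
    print("runs     :", dict(run_test(SAMPLE)))
    print("lag 1, 2 :", autocorrelation(SAMPLE, 1), autocorrelation(SAMPLE, 2))
    print("monobit p:", round(monobit_p_value(SAMPLE), 3))
    print("monobit p of 100 zeros:", monobit_p_value("0" * 100))
```

Every count the functions return matches the slide's figures; the monobit p-value for the 13-bit sample is large (the sample is not rejected), while a string of 100 zeros is rejected outright.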
Encryption increases Randomness
The goal of encryption is to make the transmitted message look random.
Perfect Secrecy
Information Theoretic Security:
Prob(P | C) = Prob(P).
From Non-Random to Random-Looking
Result: XOR(Arbitrary bitstring, Random bitstring) = Random bitstring.
Encryption: C_i = M_i ⊕ K_i.
Decryption: M_i = C_i ⊕ K_i.
One Time Pad
A different keystream is XOR-ed with each different plaintext message.
Has the property of perfect secrecy.
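The one-time pad of the last three slides (XOR encryption, Prob(P | C) = Prob(P), a fresh pad per message) as an added Python example; this is not code from the original deck. Besides the XOR round trip, it checks perfect secrecy by exact enumeration: for a small message space with a deliberately skewed prior, it computes Prob(P = p | C = c) for every ciphertext and confirms it equals the prior when the pad is uniform, and that it no longer does when the pad bits are biased, which is why the next section insists on genuinely random bits. The sample prior and the biased key distribution are constructed values for this example.

```python
# Added example: one-time pad encryption and a direct check of perfect
# secrecy, Prob(P | C) = Prob(P), by enumeration. Not from the original deck.
import os
from fractions import Fraction


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (C_i = M_i XOR K_i)."""
    if len(a) != len(b):
        raise ValueError("pad and message must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message):
    """Returns (ciphertext, pad). The pad is fresh OS randomness of exactly
    the message length and must never be used for a second message."""
    pad = os.urandom(len(message))
    return xor_bytes(message, pad), pad


def otp_decrypt(ciphertext, pad):
    return xor_bytes(ciphertext, pad)


def otp_roundtrip_ok(message):
    ciphertext, pad = otp_encrypt(message)
    return otp_decrypt(ciphertext, pad) == message


def uniform_key_dist(nbits):
    """The one-time pad's key distribution: every nbits key equally likely."""
    return {k: Fraction(1, 2 ** nbits) for k in range(2 ** nbits)}


def conditional_plaintext_distribution(msg_dist, key_dist):
    """msg_dist / key_dist map each plaintext / key value to an exact prior
    probability. Returns {c: {p: Prob(P = p | C = c)}} for C = P XOR K."""
    joint = {}                      # (p, c) -> Prob(P = p and C = c)
    for p, prob_p in msg_dist.items():
        for k, prob_k in key_dist.items():
            c = p ^ k
            joint[(p, c)] = joint.get((p, c), Fraction(0)) + prob_p * prob_k
    prob_c = {}                     # marginal distribution of the ciphertext
    for (p, c), pr in joint.items():
        prob_c[c] = prob_c.get(c, Fraction(0)) + pr
    cond = {}
    for (p, c), pr in joint.items():
        cond.setdefault(c, {})[p] = pr / prob_c[c]
    return cond


def is_perfectly_secret(msg_dist, key_dist):
    """True iff seeing any ciphertext leaves the plaintext distribution unchanged."""
    cond = conditional_plaintext_distribution(msg_dist, key_dist)
    return all(cond[c] == msg_dist for c in cond)


# Constructed 2-bit message prior (far from uniform) and a constructed biased pad.
SKEWED_PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}

if __name__ == "__main__":
    print("round trip ok        :", otp_roundtrip_ok(b"meet at noon"))
    print("uniform pad is secret:", is_perfectly_secret(SKEWED_PRIOR, uniform_key_dist(2)))
    print("biased pad is secret :", is_perfectly_secret(SKEWED_PRIOR, BIASED_KEYS))
```

The enumeration uses exact fractions rather than floats so that "equal to the prior" is an exact comparison, not a tolerance check.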
2 Random Number Generation
Necessity
One Time Pad requires a long stream of random bits.
Other cryptographic schemes also require random numbers as keys.
One option: Natural Randomness
Thermal noise from a semiconductor resistor.
Atmospheric noise.
Quantum-mechanical phenomena.
Tossing a coin.
Why is Natural Randomness not useful?
Difficulty of sampling.
Difficulty of synchronizing when the sender and the receiver are far apart.
Pragmatic Solution
A Finite State Machine.
A seed (called the secret key) characterizes the initial state.
Same seed generates the same output sequence.
Seed can be shared between the sender and the receiver.
Inherent Limitations
Each state transition of the FSM gives one new output.
The FSM has a finite number of states.
So the output sequence must have a period.
One Time Pad cannot be realized in practice.
Goal: short seed, but long keystream.
Linear Congruential Generator
x_n = a·x_{n−1} + b (mod m).
x_0 is the initial seed.
a, b, m are parameters.
Example: C library function rand().
Suitable for experimental purposes, but cryptographically not secure.
Same is true for any polynomial congruential generator.
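The linear congruential generator of this slide, together with the period limitation of the "Pragmatic Solution" and "Inherent Limitations" slides, as an added Python example (not code from the original deck). It implements x_n = a·x_{n−1} + b (mod m), measures the period directly for a small modulus, checks the Hull-Dobell conditions under which the period reaches its maximum m, and shows one statistical defect that a frequency or run test catches at once: with a power-of-two modulus and odd a and b the least significant output bit simply alternates. The parameters a = 1103515245, b = 12345, m = 2^31 are the widely published textbook rand()-style values, used here only as a worked instance.

```python
# Added example: a linear congruential generator, the period bound that
# follows from its finite state, and one statistical defect that makes
# it unsuitable as a keystream source. Not code from the original deck.
from math import gcd


def lcg(seed, a, b, m):
    """Generator for x_n = a*x_{n-1} + b (mod m), starting from x_0 = seed."""
    x = seed
    while True:
        x = (a * x + b) % m
        yield x


def lcg_outputs(seed, a, b, m, count):
    """First `count` outputs; the same seed always yields the same list."""
    gen = lcg(seed, a, b, m)
    return [next(gen) for _ in range(count)]


def lcg_period(seed, a, b, m):
    """Length of the cycle the generator eventually enters from `seed`.
    The whole state is one residue mod m, so the period can never exceed m:
    the deck's 'finite state machine => periodic output' limitation."""
    first_seen = {}
    x, n = seed, 0
    while x not in first_seen:
        first_seen[x] = n
        x = (a * x + b) % m
        n += 1
    return n - first_seen[x]


def prime_factors(m):
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors


def has_full_period(a, b, m):
    """Hull-Dobell theorem: the LCG has period m for every seed iff
    gcd(b, m) = 1, a-1 is divisible by every prime factor of m, and
    a-1 is divisible by 4 whenever m is."""
    if gcd(b, m) != 1:
        return False
    if any((a - 1) % p != 0 for p in prime_factors(m)):
        return False
    if m % 4 == 0 and (a - 1) % 4 != 0:
        return False
    return True


def low_bit_alternates(seed, a, b, m, count=64):
    """With m a power of two and a, b odd, x_n mod 2 = (x_{n-1} + 1) mod 2,
    so the least significant bit of the outputs is 0,1,0,1,... A run test on
    that bit rejects randomness immediately: a full period is not the same
    thing as cryptographic quality."""
    bits = [x & 1 for x in lcg_outputs(seed, a, b, m, count)]
    return all(bits[i] != bits[i + 1] for i in range(count - 1))


if __name__ == "__main__":
    A, B, M = 1103515245, 12345, 2 ** 31   # textbook rand()-style parameters
    print("first outputs      :", lcg_outputs(42, A, B, M, 5))
    print("full period (2^31)?:", has_full_period(A, B, M))
    print("LSB alternates     :", low_bit_alternates(42, A, B, M))
    print("period of 5x+3 mod 16:", lcg_period(1, 5, 3, 16))
    print("period of 6x+3 mod 16:", lcg_period(1, 6, 3, 16))
```

The small modulus 16 is used for the direct period measurement because walking a 2^31 cycle state by state is pointless when Hull-Dobell already answers the question.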
Blum-Blum-Shub (BBS) Generator
Choose two large primes p, q both congruent to 3 mod 4.
Set n = pq and choose a random integer x relatively prime to n.
Set initial seed x_0 = x^2 (mod n).
j-th output is given by x_j = x_{j−1}^2 (mod n).
Has provable security, but too slow for practical use.
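The BBS generator of this slide as an added Python example (not code from the original deck), with every precondition on the slide enforced and run on toy primes p = 11, q = 23 so that each squaring can be checked by hand: x_0 = 3^2 = 9, then 81, 236, 36, 31 (mod 253). Taking the least significant bit of each x_j as the output bit is the usual convention and an assumption of this example. A brute-force check is included to show why the slide requires p, q ≡ 3 (mod 4): for such n the squaring map permutes the quadratic residues, so the state sequence is purely periodic; for p ≡ 1 (mod 4) it is not.

```python
# Added example: a Blum-Blum-Shub generator with the slide's preconditions
# enforced, run on toy-sized primes so every step can be checked by hand.
# Not code from the original deck; real use needs primes of hundreds of digits.
from math import gcd


def is_prime(n):
    """Trial division: adequate for the toy parameters of this example only."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_bbs_parameters(p, q, x):
    """Raise ValueError unless (p, q, x) satisfy the conditions on the slide."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    if gcd(x, p * q) != 1:
        raise ValueError("x must be relatively prime to n = pq")


def bbs_parameters_ok(p, q, x):
    try:
        check_bbs_parameters(p, q, x)
        return True
    except ValueError:
        return False


def bbs_states(p, q, x, count):
    """x_0 = x^2 mod n, x_j = x_{j-1}^2 mod n; returns [x_1, ..., x_count]."""
    check_bbs_parameters(p, q, x)
    n = p * q
    state = pow(x, 2, n)          # x_0, the initial seed
    states = []
    for _ in range(count):
        state = pow(state, 2, n)  # one modular squaring of an n-sized number per output:
        states.append(state)      # this cost is why the slide calls BBS too slow
    return states


def bbs_bits(p, q, x, count):
    """Keystream bits: the least significant bit (parity) of each x_j."""
    return [s & 1 for s in bbs_states(p, q, x, count)]


def squaring_permutes_residues(p, q):
    """For n = pq with p, q = 3 (mod 4), squaring is a bijection on the set of
    quadratic residues mod n, so the BBS state never enters a cycle via a tail.
    Checked by brute force; only feasible for toy n."""
    n = p * q
    residues = {pow(v, 2, n) for v in range(1, n) if gcd(v, n) == 1}
    images = {pow(r, 2, n) for r in residues}
    return images == residues


if __name__ == "__main__":
    print("states x_1..x_4 :", bbs_states(11, 23, 3, 4))
    print("keystream bits  :", bbs_bits(11, 23, 3, 8))
    print("11, 23 ok       :", squaring_permutes_residues(11, 23))
    print("13, 23 (13 = 1 mod 4):", squaring_permutes_residues(13, 23))
```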
Roadmap
1 Randomness: Defining Randomness; Testing Randomness; Cryptographic Randomness
2 Random Number Generation: Natural Random Number Generators; Pseudo-Random Number Generators
3 Stream Ciphers: Hardware Stream Ciphers; Software Stream Ciphers; Distinguisher
General Model of Stream Ciphers
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 25 of 51
Need for Initialization Vector (IV)
The same key always produces the same keystream.
Repeated use of the same key is just as bad as reusing a one-time pad.
As a remedy, the IV is combined with the secret key to form the effective key for the corresponding session of the cipher, called a session key.
Different session keys make the output of the stream cipher different in each session, even if the same key is used.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 26 of 51
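An added Python example (not the slides' code) of the two-time-pad failure and the session-key remedy. The slide only says key and IV are "combined"; here HMAC-SHA256 does the combining and SHAKE256 stands in for the keystream generator, both illustrative choices. With the same (key, IV) the XOR of two ciphertexts equals the XOR of the two plaintexts; with a fresh IV per session it does not.

```python
import hashlib
import hmac
import os


def session_key(key: bytes, iv: bytes) -> bytes:
    """Combine the long-term key with a per-session IV into a session key.

    HMAC-SHA256 is this example's choice (an assumption, not the slide's);
    any distinct IV yields a distinct session key.
    """
    return hmac.new(key, iv, hashlib.sha256).digest()


def keystream(session: bytes, length: int) -> bytes:
    """Stand-in keystream generator: SHAKE256 expanded to `length` bytes.

    Like every stream cipher it is deterministic: the same session key always
    gives the same keystream, which is exactly what the IV must prevent.
    """
    return hashlib.shake_256(session).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream (decryption is identical)."""
    return xor_bytes(plaintext, keystream(session_key(key, iv), len(plaintext)))


def keystream_reuse_leak(key: bytes, iv1: bytes, iv2: bytes,
                         p1: bytes, p2: bytes) -> bool:
    """Return True when c1 XOR c2 exposes p1 XOR p2.

    That happens precisely when both messages were encrypted under the same
    keystream, i.e. the same (key, IV) pair: the 'two-time pad' failure.
    """
    c1 = encrypt(key, iv1, p1)
    c2 = encrypt(key, iv2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed, not a real secret
    p1 = b"meeting at noon "
    p2 = b"invoice no. 4711"
    same_iv = bytes(12)
    print("same IV   -> p1^p2 exposed:",
          keystream_reuse_leak(key, same_iv, same_iv, p1, p2))
    iv1, iv2 = os.urandom(12), os.urandom(12)  # fresh IV per session
    print("fresh IVs -> p1^p2 exposed:",
          keystream_reuse_leak(key, iv1, iv2, p1, p2))
```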
Hardware vs. Software Stream Ciphers
Hardware Stream Ciphers.
LFSRs are used as linear elements.
Combining functions (possibly with some amount of memory) are used as nonlinear elements.
Software Stream Ciphers.
May use word-based LFSRs / NFSRs.
May use arrays, modular additions and other operators.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 27 of 51
Bit-oriented LFSR
Figure: LFSR: one step evolution (the image shows the register cells $b_5\,b_4\,b_3\,b_2\,b_1\,b_0$ and, after one clock, $b_6\,b_5\,b_4\,b_3\,b_2\,b_1\,b_0$, with two $\oplus$ taps feeding the new cell; image not in transcript)
Recurrence relation: $x_{n+6} = x_{n+4} \oplus x_{n+1} \oplus x_n$
Polynomial over $GF(2)$: $x^6 + x^4 + x + 1$
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 28 of 51
Bit-oriented LFSR (cont’d.)
A primitive polynomial provides the maximum length cycle, $2^d - 1$ for degree $d$, well known as an m-sequence.
By itself, not cryptographically secure, but a useful building block for pseudo-randomness.
Easy and efficient implementation in hardware, using registers (flip-flops) and simple logic gates.
Deep mathematical development over a long time.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 29 of 51
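An added Python example (not from the slides) that runs the recurrence of the previous slide and measures its cycle length, then compares it with $x^6 + x + 1$, which is primitive. The slide's polynomial $x^6 + x^4 + x + 1$ has $x = 1$ as a root, so it is not primitive and no seed reaches the $2^6 - 1 = 63$ bound; the code finds the longest cycle it actually has.

```python
def lfsr_step(state, taps):
    """Advance a Fibonacci LFSR by one clock.

    `state` holds (x_n, x_{n+1}, ..., x_{n+d-1}); the new bit is the XOR of
    the state positions listed in `taps`, so taps = (0, 1, 4) realises the
    slide's recurrence x_{n+6} = x_{n+4} XOR x_{n+1} XOR x_n.
    Returns (output bit x_n, next state).
    """
    new_bit = 0
    for t in taps:
        new_bit ^= state[t]
    return state[0], state[1:] + (new_bit,)


def lfsr_sequence(seed, taps, length):
    """Emit `length` bits x_0, x_1, ... starting from the seed (x_0 .. x_{d-1})."""
    out = []
    state = tuple(seed)
    for _ in range(length):
        bit, state = lfsr_step(state, taps)
        out.append(bit)
    return out


def period(seed, taps):
    """Number of clocks until the register returns to its initial state."""
    start = tuple(seed)
    state = start
    count = 0
    while True:
        _, state = lfsr_step(state, taps)
        count += 1
        if state == start:
            return count


def max_period(degree, taps):
    """Longest cycle over all 2^d - 1 non-zero seeds of a degree-d LFSR."""
    best = 0
    for value in range(1, 1 << degree):
        seed = tuple((value >> k) & 1 for k in range(degree))
        best = max(best, period(seed, taps))
    return best


# Slide 28: x^6 + x^4 + x + 1, i.e. x_{n+6} = x_{n+4} + x_{n+1} + x_n.
# It factors as (x + 1)(x^2 + x + 1)(x^3 + x + 1), so the longest cycle is
# lcm(1, 3, 7) = 21 rather than 63.
SLIDE_TAPS = (0, 1, 4)
# Comparison: x^6 + x + 1 is primitive, so x_{n+6} = x_{n+1} + x_n gives an
# m-sequence of length 2^6 - 1 = 63 from every non-zero seed.
PRIMITIVE_TAPS = (0, 1)

if __name__ == "__main__":
    seed = (1, 0, 0, 0, 0, 0)
    print("slide polynomial    :", lfsr_sequence(seed, SLIDE_TAPS, 24))
    print("period from seed    :", period(seed, SLIDE_TAPS))
    print("max period (slide)  :", max_period(6, SLIDE_TAPS))      # 21
    print("max period (x^6+x+1):", max_period(6, PRIMITIVE_TAPS))  # 63
```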
Attacking the LFSR-based PRNGs
Suppose we know the segment 011010111100 of a keystream sequence.
We also know that it is generated by some LFSR.
We do not necessarily know the length of the recurrence.
We need to determine the coefficients.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 30 of 51
Try with Length 2
$x_{n+2} = c_0 x_n + c_1 x_{n+1}$.
$$\begin{bmatrix} 0 & 1 \\ 1 & 1 \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \end{bmatrix}$$
Solution: $c_0 = 1, c_1 = 1$.
But $x_6 \neq x_4 + x_5$.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 31 of 51
Try with Length 3
$x_{n+3} = c_0 x_n + c_1 x_{n+1} + c_2 x_{n+2}$.
$$\begin{bmatrix} 0 & 1 & 1 \\ 1 & 1 & 0 \\ 1 & 0 & 1 \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ c_2 \end{bmatrix} = \begin{bmatrix} 0 \\ 1 \\ 0 \end{bmatrix}$$
Solution: ?
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 32 of 51
Try with Length 4
$x_{n+4} = c_0 x_n + c_1 x_{n+1} + c_2 x_{n+2} + c_3 x_{n+3}$.
$$\begin{bmatrix} 0 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \\ 1 \\ 1 \end{bmatrix}$$
Solution: $c_0 = 1, c_1 = 1, c_2 = 0, c_3 = 0$.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 33 of 51
General Problem
$x_{n+m} = c_0 x_n + c_1 x_{n+1} + \dots + c_{m-1} x_{n+m-1}$
$$\begin{bmatrix} x_1 & x_2 & \dots & x_m \\ x_2 & x_3 & \dots & x_{m+1} \\ \vdots & \vdots & \ddots & \vdots \\ x_m & x_{m+1} & \dots & x_{2m-1} \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ \vdots \\ c_{m-1} \end{bmatrix} = \begin{bmatrix} x_{m+1} \\ x_{m+2} \\ \vdots \\ x_{2m} \end{bmatrix}$$
Result: The $m \times m$ matrix is invertible mod 2 iff there is no linear recurrence relation of length less than $m$ that is satisfied by the $2m$ values $x_1, x_2, \dots, x_{2m}$.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 34 of 51
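The length 2, 3 and 4 trials of the preceding slides, carried out in Python as an added example (not the slides' code): the system of the General Problem slide is built for increasing m and solved over GF(2). m = 2 has the solution (1, 1) but fails to reproduce $x_6$, m = 3 is singular mod 2 (the "Solution: ?" case), and m = 4 yields (1, 1, 0, 0), which fits the whole segment.

```python
KEYSTREAM = "011010111100"  # the segment on the 'Attacking the LFSR-based PRNGs' slide
BITS = [int(b) for b in KEYSTREAM]


def recurrence_system(bits, m):
    """Build the m x m system of the 'General Problem' slide from x_1 .. x_2m.

    Row i (0-based) is (x_{i+1}, ..., x_{i+m}); its right-hand side is x_{i+m+1}.
    """
    rows = [bits[i:i + m] for i in range(m)]
    rhs = [bits[i + m] for i in range(m)]
    return rows, rhs


def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination mod 2.

    Returns the unique solution, or None when the matrix is singular mod 2
    (some column has no pivot), which is what the slides mark 'Solution: ?'.
    """
    m = len(rows)
    aug = [list(row) + [r] for row, r in zip(rows, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def satisfies(bits, coeffs):
    """Check x_{n+m} = sum_k c_k x_{n+k} (mod 2) for every n the segment allows."""
    m = len(coeffs)
    for n in range(len(bits) - m):
        predicted = sum(c & bits[n + k] for k, c in enumerate(coeffs)) % 2
        if predicted != bits[n + m]:
            return False
    return True


def recover_recurrence(bits):
    """Try lengths m = 1, 2, ... as on the slides.

    Returns (m, coefficients) for the first length whose unique solution
    fits the whole known segment, or None if no length up to len/2 does.
    """
    for m in range(1, len(bits) // 2 + 1):
        rows, rhs = recurrence_system(bits, m)
        coeffs = solve_gf2(rows, rhs)
        if coeffs is not None and satisfies(bits, coeffs):
            return m, coeffs
    return None


if __name__ == "__main__":
    for m in (2, 3, 4):
        rows, rhs = recurrence_system(BITS, m)
        c = solve_gf2(rows, rhs)
        fits = c is not None and satisfies(BITS, c)
        print(f"m={m}: solution={c}, fits whole segment={fits}")
    # (4, [1, 1, 0, 0]): x_{n+4} = x_n + x_{n+1}, i.e. the polynomial x^4 + x + 1
    print("recovered:", recover_recurrence(BITS))
```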
Nonlinear Combiner Model
Take $n$ LFSRs of different lengths (possibly pairwise coprime).
Initialize them with seeds.
In each clock, take the $n$ outputs from the LFSRs, which are fed as the $n$ inputs to an $n$-variable Boolean function.
Possibly some memory element is added.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 35 of 51
Nonlinear Filter-Generator Model
Take one LFSR.
Initialize it with a seed.
In each clock, take $n$ outputs from the LFSR at different locations, which are fed as the $n$ inputs to an $n$-variable Boolean function.
May be considered with an additional memory element.
The Boolean function and memory together form a Finite State Machine.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 36 of 51
Boolean Function: Cryptographic Properties
BALANCEDNESS: Necessary to achieve a pseudo-random sequence.
ALGEBRAIC DEGREE: To achieve high linear complexity.
NONLINEARITY: For higher confusion and resistance against the Best Affine Approximation (BAA) attack and linear cryptanalysis.
AUTOCORRELATION: To achieve higher diffusion, and to resist differential cryptanalysis.
CORRELATION IMMUNITY: To resist the correlation attack.
ALGEBRAIC IMMUNITY: To resist the algebraic attack.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 37 of 51
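An added Python example (not from the slides) that measures the criteria above for a combining function given by its truth table, as it would be used in the nonlinear combiner and filter generator models of the previous slides: balancedness and correlation immunity from the Walsh spectrum, algebraic degree from the algebraic normal form, nonlinearity and the autocorrelation absolute indicator. Algebraic immunity is left out. The two functions compared are constructed for illustration: the Geffe combiner and $x_1 \oplus x_2 \oplus x_3 x_4$.

```python
def truth_table(f, n):
    """Truth table of an n-variable Boolean function; input index i encodes
    x_1 .. x_n as bits 0 .. n-1 of i."""
    return [f(*[(i >> k) & 1 for k in range(n)]) for i in range(1 << n)]


def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform: W(a) = sum_x (-1)^(f(x) + a.x)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def algebraic_normal_form(tt):
    """Moebius transform: entry a is the coefficient of the monomial whose
    variables are the set bits of a."""
    c = list(tt)
    h = 1
    while h < len(c):
        for i in range(0, len(c), 2 * h):
            for j in range(i, i + h):
                c[j + h] ^= c[j]
        h *= 2
    return c


def weight(a):
    return bin(a).count("1")


def properties(tt):
    """The slide's criteria (algebraic immunity omitted) for one truth table."""
    n = len(tt).bit_length() - 1
    w = walsh_spectrum(tt)
    anf = algebraic_normal_form(tt)
    # balancedness: equally many 0s and 1s, equivalently W(0) = 0
    balanced = sum(tt) == len(tt) // 2
    # algebraic degree: largest monomial present in the ANF
    degree = max((weight(a) for a, c in enumerate(anf) if c), default=0)
    # nonlinearity: Hamming distance to the nearest affine function
    nonlinearity = (len(tt) - max(abs(v) for v in w)) // 2
    # correlation immunity of order t: W(a) = 0 for all 1 <= wt(a) <= t
    # (Siegenthaler: degree + t <= n - 1 for balanced functions, so the two
    # criteria trade off against each other)
    ci = 0
    while ci < n and all(w[a] == 0 for a in range(1, len(tt))
                         if weight(a) == ci + 1):
        ci += 1
    # autocorrelation: absolute indicator max_{d != 0} |sum_x (-1)^(f(x)+f(x^d))|
    autocorr = max(abs(sum((1 - 2 * tt[x]) * (1 - 2 * tt[x ^ d])
                           for x in range(len(tt))))
                   for d in range(1, len(tt)))
    return {"balanced": balanced, "degree": degree, "nonlinearity": nonlinearity,
            "correlation_immunity": ci, "absolute_indicator": autocorr}


# Two constructed combining functions for comparison.
def geffe(x1, x2, x3):
    """Geffe combiner: outputs x1 when x2 = 1, else x3.  Balanced, but each of
    x1 and x3 agrees with the output 3/4 of the time (correlation immunity 0)."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def ci1_function(x1, x2, x3, x4):
    """x1 + x2 + x3*x4: first-order correlation immune, but the linear part
    gives it a flat autocorrelation (absolute indicator 2^n)."""
    return x1 ^ x2 ^ (x3 & x4)


if __name__ == "__main__":
    print("Geffe :", properties(truth_table(geffe, 3)))
    print("CI(1) :", properties(truth_table(ci1_function, 4)))
```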
Hardware Stream Ciphers: Current Trends
Nonlinear Filter Generator Model with Memory.
More than one bit processed together (32-bit words).
Use LFSRs over larger fields: need the LFSR evolution operations to be efficient.
$GF(2^{32})$ or $GF(2^{31} - 1)$ to relate with 32-bit words of modern processors. Are we moving towards 64-bit words?
FSM contains S-boxes and registers.
Registers are memory words.
S-boxes are multiple-output Boolean functions.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 38 of 51
RandomnessRandom Number Generation
Stream Ciphers
Hardware Stream CiphersSoftware Stream CiphersDistinguisher
Design Principle
Initially, stream ciphers were targeted towards hardware only.
Later, software stream ciphers became popular due to their speed and efficiency compared to software implementations of block ciphers.
Typically consists of two modules:
KSA : key × IV → internal state, and
PRGA : internal state → keystream word.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 39 of 51
An Example: RC4 (Ron Rivest, 1987)
Wide commercial applications: SSL, TLS, WEP, WPA, AOCE, Microsoft Windows, Lotus Notes, Oracle Secure SQL etc.
Generally used with 5 to 16 bytes key, though provision for a key of up to 256 bytes is there.
Uses a permutation over $\mathbb{Z}_{256}$ as the internal state.
Operations: swaps and modulo-256 additions.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 40 of 51
RC4 KSA
(Figure: the S-box as an array of 256 cells indexed 0, 1, 2, ..., 255, with the two pointers i and j.)
Initialize S-box to the identity permutation of {0, 1, ..., 255}
Initialize counter: j = 0;
for i = 0, ..., 255
    j = (j + S[i] + K[i mod l]) mod 256, where l is the key length in bytes;
    Swap: S[i] ↔ S[j];
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 41 of 51
RC4 PRGA
(Figure: the S-box array with the pointers i and j, and the cell S[i] + S[j] from which the keystream byte Z is read.)
Initialize the counters: i = j = 0;
While you need keystream bytes
    Increment counters: i = (i + 1) mod 256 and j = (j + S[i]) mod 256;
    Swap S[i] ↔ S[j];
    Output Z = S[(S[i] + S[j]) mod 256];
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 42 of 51
Software Stream Ciphers: Current Trends
Word-oriented design.
Complicated functions and operations.
Huge internal state.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 43 of 51
Basic Idea
An event that distinguishes the keystream from a uniformly random stream.
For a stream cipher, the event is based on some combination of the keystream bits.
The attack complexity is given by the number of samples required for a given success probability.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 44 of 51
The Setup
Event $A$, $P(A) = p$.
Define $X_r = 1$ if $A$ occurs in the $r$-th sample, else $X_r = 0$.
If we observe $n$ samples,
$$\sum_{r=1}^{n} X_r \sim B(n, p).$$
When the $X_r$'s are i.i.d. and $n$ is large enough,
$$\sum_{r=1}^{n} X_r \sim N\bigl(np,\ np(1-p)\bigr).$$
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 45 of 51
Hypothesis Testing Approach
Test
$$H_0 : p = p_0(1+\varepsilon),\ \varepsilon > 0,$$
against
$$H_1 : p = p_0.$$
Here $p_0$ is the probability of the event in a uniformly random stream, so $H_0$ says the samples come from the keystream (the event shows a relative bias $\varepsilon$) and $H_1$ says they come from a uniformly random stream.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 46 of 51
Bounding the Errors
The objective is to find a threshold $c$ in $[np_0,\ np_0(1+\varepsilon)]$ such that
$$P\left(\sum_{r=1}^{n} X_r \le c \,\middle|\, H_0\right) \le \alpha$$
and
$$P\left(\sum_{r=1}^{n} X_r > c \,\middle|\, H_1\right) \le \beta.$$
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 47 of 51
Necessary Condition
For such a $c$ to exist,
$$np_0(1+\varepsilon) - \kappa_1\sigma_1 > np_0 + \kappa_2\sigma_2,$$
where
$$\sigma_1^2 = np_0(1+\varepsilon)\bigl(1 - p_0(1+\varepsilon)\bigr), \qquad \sigma_2^2 = np_0(1-p_0),$$
$$\Phi(-\kappa_1) = \alpha \quad\text{and}\quad \Phi(\kappa_2) = 1-\beta.$$
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 48 of 51
How Many Samples Required?
When $p_0, \varepsilon \ll 1$,
$$n > \frac{(\kappa_1+\kappa_2)^2}{p_0\varepsilon^2}.$$
$\kappa_1 = \kappa_2 = 0.5$ gives $\alpha = \beta = 1 - 0.6915$ and at least $1/(p_0\varepsilon^2)$ samples are required.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 49 of 51
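The step from the necessary condition of the previous slide to this bound, written out here as an added derivation (the slides state only the result). When $p_0, \varepsilon \ll 1$, both variances collapse to $np_0$:
$$\sigma_1^2 = np_0(1+\varepsilon)\bigl(1 - p_0(1+\varepsilon)\bigr) \approx np_0, \qquad \sigma_2^2 = np_0(1-p_0) \approx np_0,$$
so the condition $np_0(1+\varepsilon) - \kappa_1\sigma_1 > np_0 + \kappa_2\sigma_2$ becomes
$$np_0\varepsilon > (\kappa_1+\kappa_2)\sqrt{np_0} \iff \sqrt{n} > \frac{\kappa_1+\kappa_2}{\varepsilon\sqrt{p_0}} \iff n > \frac{(\kappa_1+\kappa_2)^2}{p_0\varepsilon^2}.$$
For $\kappa_1 = \kappa_2 = 0.5$, $\alpha = \Phi(-0.5) \approx 0.3085 = 1 - 0.6915$, $\beta = 1 - \Phi(0.5)$ is the same value, and the bound reads $n > 1/(p_0\varepsilon^2)$. The approximation needs $\varepsilon \ll 1$; for a large relative bias the exact condition $np_0(1+\varepsilon) - \kappa_1\sigma_1 > np_0 + \kappa_2\sigma_2$ has to be solved for $n$ directly, and it gives a larger sample count than the approximate formula.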
Example of a Distinguisher
RC4 2nd byte: the second keystream byte $Z_2$ equals 0 with probability about $2/256$ instead of $1/256$ (Mantin and Shamir, 2001), i.e. $p_0 = 1/256$ and $\varepsilon = 1$ in the notation above.
Attack on broadcast: if the same plaintext is sent to many recipients under different keys, the second ciphertext byte equals the second plaintext byte with the same bias, so that plaintext byte is recovered as the most frequent value of the second ciphertext byte.
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 50 of 51
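The KSA and PRGA of slides 41 and 42 together with the hypothesis-test distinguisher of slides 45 to 50, as an added worked example in Python; this is not the speaker's code. It assumes that the "RC4 2nd byte" event is $Z_2 = 0$ with probability about $2/256$ (Mantin and Shamir, 2001), so $p_0 = 1/256$ and $\varepsilon = 1$; the function names are my own, and the keys are drawn from a seeded PRNG so that the run is reproducible. Because $\varepsilon = 1$ is not small, the sample count is taken from the exact condition of slide 48 rather than the slide 49 approximation, and both numbers are returned for comparison.

```python
"""RC4 KSA/PRGA (slides 41-42) and the hypothesis-test distinguisher (slides 45-50).
Added example for this transcript, not the speaker's own code.  Assumption:
the "RC4 2nd byte" event of slide 50 is Z_2 = 0, which has probability about
2/256 instead of 1/256 (Mantin and Shamir, 2001): p0 = 1/256, eps = 1.
"""
import math
import random

def rc4_ksa(key: bytes) -> list:
    """KSA (slide 41): identity permutation of 0..255, then for each i swap
    S[i] with S[j], j = j + S[i] + K[i mod keylen] (mod 256)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key: bytes, n: int) -> bytes:
    """PRGA (slide 42): i = i + 1, j = j + S[i], swap, emit S[S[i] + S[j]]."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def samples_needed_approx(p0, eps, kappa1=0.5, kappa2=0.5) -> int:
    """Slide 49: n > (k1 + k2)^2 / (p0 eps^2), valid only when p0, eps << 1."""
    return math.ceil((kappa1 + kappa2) ** 2 / (p0 * eps ** 2))

def samples_needed_exact(p0, eps, kappa1=0.5, kappa2=0.5) -> int:
    """Smallest n with n p0 (1+eps) - k1 s1 > n p0 + k2 s2 (slide 48).
    Both sigmas scale as sqrt(n), so the condition is sqrt(n) > c/(p0 eps)."""
    p1 = p0 * (1 + eps)
    c = kappa1 * math.sqrt(p1 * (1 - p1)) + kappa2 * math.sqrt(p0 * (1 - p0))
    return math.floor((c / (p0 * eps)) ** 2) + 1

def threshold(n, p0, eps, kappa1=0.5, kappa2=0.5):
    """Slides 47-48: c must lie in [n p0 + k2 s2, n p0 (1+eps) - k1 s1].
    Return the midpoint of that interval, or None when it is empty."""
    p1 = p0 * (1 + eps)
    s1 = math.sqrt(n * p1 * (1 - p1))
    s2 = math.sqrt(n * p0 * (1 - p0))
    lo, hi = n * p0 + kappa2 * s2, n * p1 - kappa1 * s1
    return (lo + hi) / 2 if hi > lo else None

def decide(count, c) -> str:
    """Slide 47 rule: sum of X_r above c means H0 (biased keystream), else H1."""
    return "keystream" if count > c else "random"

def rc4_second_byte_zero_count(n_keys, key_len=16, seed=1) -> int:
    """Number of the n_keys sampled keys whose Z_2 is 0.  Keys come from a
    seeded PRNG (constructed input) so that the run is reproducible."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_keys):
        key = rng.getrandbits(8 * key_len).to_bytes(key_len, "big")
        hits += rc4_keystream(key, 2)[1] == 0
    return hits

def uniform_zero_count(n, seed=1) -> int:
    """Same count for a uniformly random byte stream (the H1 side)."""
    rng = random.Random(seed)
    return sum(rng.getrandbits(8) == 0 for _ in range(n))

def second_byte_demo(kappa=4.0, seed=1) -> dict:
    """Run the distinguisher on the second-byte event with alpha = beta =
    Phi(-kappa).  eps = 1 is not << 1, so the exact sample count is used and
    the slide-49 approximation is reported alongside it for comparison."""
    p0, eps = 1 / 256, 1.0
    n = samples_needed_exact(p0, eps, kappa, kappa)
    c = threshold(n, p0, eps, kappa, kappa)
    rc4_hits = rc4_second_byte_zero_count(n, seed=seed)
    rnd_hits = uniform_zero_count(n, seed=seed)
    return {
        "n_exact": n,
        "n_approx": samples_needed_approx(p0, eps, kappa, kappa),
        "threshold": c,
        "rc4_hits": rc4_hits, "rc4_verdict": decide(rc4_hits, c),
        "uniform_hits": rnd_hits, "uniform_verdict": decide(rnd_hits, c),
    }

if __name__ == "__main__":
    # Known-answer check with the public RC4 test vector key "Key" / "Plaintext".
    assert rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    print(second_byte_demo())
```

With $\kappa_1 = \kappa_2 = 4$ (error probabilities about $3 \cdot 10^{-5}$ each) the approximate bound asks for $64 \cdot 256 = 16384$ samples while the exact condition needs roughly 23,700 keys; the RC4 count lands near $2n/256$ and the uniform count near $n/256$, on opposite sides of the threshold. The same functions apply to any other keystream event once its $p_0$ and $\varepsilon$ are known.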
I end my talk here ...
Thank You
Homepage: http://www.goutampaul.comEmail: goutam.paul@ieee.org
GOUTAM PAUL Random Number Generation and Stream Cipher Slide 51 of 51