stream ciphers

Van Hoang Nguyen

Mail: startnewday85@gmail.com

Department of Computer Science – FITA – HUA

Information Security Course --------------------------------------------- Fall 2013

Dept. of Computer Science – FITA – HUA

Information Security ------------- Fall 2013

Van Hoang Nguyen

What is a secure cipher?

Van Hoang Nguyen

What is the best cipher?

Van Hoang Nguyen

The cipher text should reveal no

information about the plaintext.

Van Hoang Nguyen

Information Theoretic Security (Shannon 1949)

perfect

secrecy

P (len( )=len( )) and c C

Pr(E(k,m0)=c) = Pr(E(k,m1)=c)

Van Hoang Nguyen

xor xor

Van Hoang Nguyen

“random”

“pseudorandom”

the random seed

Van Hoang Nguyen

(key-length < message-length)

Van Hoang Nguyen 16

Yes, if the PRG is really ”secure”

No, there are no ciphers with perfect secrecy

Yes, every cipher has perfect secrecy

No, since the key is shorter than the message

Can a stream cipher have perfect secrecy?

Sourced by Online Cryptography Course – Dan Boneh

Van Hoang Nguyen

PRG must be unpredictable.

Van Hoang Nguyen

Def: PRG is unpredictable if it is not predictable

⇒ ∀ i: no “eff” adv. can predict bit (i+1) for “non-neg” ε

Van Hoang Nguyen

ε ε ≥ 1/230

ε ε ≤ 1/280 (won’t happen over life of key)

ε ε: Z≥0 ⟶ R

≥0and

ε ∃d: ε(λ) ≥ 1/λd inf. often ε

ε ∀d, λ≥λd: ε(λ) ≤ 1/λd ε

Van Hoang Nguyen

How must PRG be?

Van Hoang Nguyen

Statistical test on {0,1}n

is an algorithm A such that A(x) outputs 0 or 1.

Van Hoang Nguyen

Advantage

A(x) = 0 ⇒ AdvPRG [A,G] =

Van Hoang Nguyen

Def: We say that G: K ⟶{0,1}n

is a secure PRG if

∀ “eff” statistical test A:

AdvPRG(A,G) is “negligible”

Van Hoang Nguyen

PRG predictable ⇒ PRG is insecure

A secure PRG is unpredictable

Suppose A is an efficient algorithm s.t

for non-negligible ε

Van Hoang Nguyen

Define statistical test B as:

A secure PRG is unpredictable

AdvPRG[B, G]=|Pr[B(r)=1] - Pr[B(G(k))=1]|>ε

Van Hoang Nguyen

Thm (Yao’82): an unpredictable PRG is secure

Let G:K ⟶{0,1}n

be PRG

“Thm”: if ∀ i ∈ {0, … , n-1} PRG G is unpredictable

at position i then G is a secure PRG.

Van Hoang Nguyen

computationally indistinguishable P1 ≈p P2

∀ “eff” statistical test A:

{ k ⟵K : G(k) } ≈p uniform({0,1}n)

Van Hoang Nguyen

Silvio Micali Shafi Goldwasser

Van Hoang Nguyen

Adv. AkK

m0 , m1 : |m0| = |m1|

c E(k, mb)

b’ {0,1}

Van Hoang Nguyen

semantically secure

AdvSS[A, ]

{ E(k,m0) } ≈p { E(k,m1) }

Van Hoang Nguyen

Adv. B (us)Chal.

b{0,1}

Adv. A

(given)

C E(k, mb)

m0, LSB(m0)=0

m1, LSB(m1)=1

LSB(mb)=b

Then AdvSS[B, E] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] |= |0 – 1| = 1

Van Hoang Nguyen

For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 ] − Pr[ A(k⊕m1)=1 ] |= 0

Adv. AkK

m0 , m1 M : |m0| = |m1|

c k⊕m0 or c k⊕m1

b’ {0,1}

Van Hoang Nguyen

secure PRG

semantically secure

Van Hoang Nguyen

Adv. A

m0 , m1 M : |m0| = |m1|

c mb⊕ r

b’ {0,1}

r{0,1}n

For b=0,1: Rb := [ event that b’=1 ]

Van Hoang Nguyen

Adv. Am0 , m1 M : |m0| = |m1|

c mb⊕ G(k)

b’ {0,1}For b=0,1: Rb := [ event that b’=1 ]

r{0,1}n

Van Hoang Nguyen

Claim 1: |Pr[R0] – Pr[R1]| = AdvSS[A,OTP] = 0

Claim 2: ∃B: |Pr[Wb] – Pr[Rb]| = AdvPRG[B,G] for b = 0,1

0 1Pr[W0] Pr[W1]Pr[Rb]

≤AdvPRG[B,G] ≤AdvPRG[B,G]

⇒ AdvSS[A,E] = |Pr[W0] – Pr[W1]| ≤ 2AdvPRG[B,G]

Van Hoang Nguyen

Proof: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]

PRG adv. B (us)

Adv. A

(given)c m0⊕y

y ∈ {0,1}n

m0, m1

b’ ∈ {0,1}

|Pr[W0] – Pr[R0]| = = AdvPRG[B,G]

Van Hoang Nguyen

Real-world stream ciphers

Van Hoang Nguyen

Ronald L. Rivest

RC4 (1987)

For i=0 to 255 do S[i]=i;

For i=0 to 255 do T[i]=K[i mode keylen];

For i=0 to 255 do

j=(j+S[i]+T[i]) mode 256;

swap(S[i],S[j]);

Van Hoang Nguyen

Ronald L. Rivest

RC4 (1987)

i,j=0;

While (true) do

i=(i+1) mode 256;

j=(j+S[i]) mode 256;

swap(S[i],S[j]);

t=(S[i]+S[j]) mode 256;

ks=S[t];

Van Hoang Nguyen

Ronald L. Rivest

RC4 (1987)

2048 bits128 bits

1 byte

per round

Van Hoang Nguyen

stream ciphers

van hoang nguyen n

van hoang nguyen chal

van hoang nguyen def

van hoang nguyen mail

van hoang nguyen secure

van hoang nguyen p c

van hoang nguyen xor

van hoang nguyen thm

Technology

stream ciphers: wg and lex

block ciphers and stream ciphers: the state of the art

building stream ciphers from block ciphers and their...

an introduction to stream ciphers

a faster attack on certain stream ciphers

dan boneh stream ciphers attacks on otp and stream ciphers...

pastry dough mixing practical construction of stream...

stream ciphers for constrained environments

symmetric ciphers: stream ciphers - l-università ta'...

stream ciphers and block ciphers a stream cipher is one that...

stream ciphers - andreas klein

block ciphers and stream ciphers - university of...

chapter 2 stream ciphers

lfsr-based stream ciphers -...

stream ciphers: dead or alive? stream ciphers seem to be...

lecture 4 page 1 cs 236 stream and block ciphers stream...

analysis of lightweight stream ciphers

stream cipher - inria...stream ciphers are classiﬁed into...

lfsr-based stream ciphers - inria · pdf filechapter 3...

differential power analysis of stream ciphers