HSC: Building Stream Cipher from Secure Hash Functions. Juncao Li, Nov. 29th 2007, Department of Computer Science, Portland State University.

Portland State University, Nov. 29th
Agenda
Introduction to the Stream Cipher
Security of the Stream Cipher
Construction of the Hashing Stream Cipher
Analysis of the HSC

Introduction: Stream Cipher
Symmetric Cipher
Encryption/Decryption Scheme
  –Take a Key and an IV (optional)
  –Generate a pseudorandom keystream (pad)
  –XOR the pad with the plaintext, as in a one-time pad

Stream Cipher: types
State Cipher
  –Maintains an internal state
  –The keystream is generated from that state
  –Usually, the internal state is kept secret
  –As large as possible

Stream Cipher: types
Synchronous
  –The state changes independently of the plaintext or ciphertext
  –RC4
  –No error propagation
  –Sender and receiver must stay synchronized
Self-synchronizing stream ciphers
  –Previous ciphertext digits are used to compute the keystream
  –CFB: a block cipher in cipher-feedback mode (CFB)
  –Input to the generator is partially exposed
  –Limitation of the analyzability: keystream depends on the messages

Security analysis: goal
Hard to guess the next bit of the keystream generator with a probability better than random guessing
  –About the appearance of the keystream
  –Noticeably more 1s than 0s in the keystream
Hard to reproduce the keystream from the keystream that we already have
  –About the inherent complexity of the keystream
  –Existence of a short period

Formal security support
Theoretical support
  –Yao's work: a pseudo-random generator could be 'efficiently' predicted if, and only if, the generator could be 'efficiently' distinguished from a perfectly random source.

Security in appearance
Security measures in appearance
  –Long period
    A keystream generator can be modeled by a finite state machine
    Eventually some states will repeat, which leads to a period
  –Statistical measures
    Have the appearance of (periodic) pseudo-random sequences
  –Complexity

HSC
It's a synchronous stream cipher
It takes an IV and a random Key as input
Define
  –Original Vector: OV = Key || IV
  –Increasing Factor:, where is byte accumulation, and i is public. If IF = 0, set IF = 1
  –Keystream Block:, where KB_n represents the n-th keystream block

HSC: Framework
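An added example, not code from the slides or from the HSC authors: a synchronous hash-based stream cipher in the shape the definition slide describes (OV = Key || IV, a one-byte IF, one hash call per keystream block). The formulas for IF and KB_n are not preserved in this transcript, so the IF derivation (sum of key bytes mod 256) and the block rule (SHA-1 of OV advanced by n·IF) are assumptions made for illustration.

```python
import hashlib

def increasing_factor(key: bytes) -> int:
    # ASSUMPTION: "byte accumulation" is taken as the sum of the key bytes
    # mod 256 (a 1-byte IF). The slide's own formula is not preserved.
    f = sum(key) % 256
    return f or 1                      # slide rule: if IF = 0, set IF = 1

def keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    ov = key + iv                      # OV = Key || IV, as on the slide
    width = len(ov)
    state = int.from_bytes(ov, "big")
    step = increasing_factor(key)
    out = bytearray()
    while len(out) < nbytes:
        # ASSUMPTION: KB_n = SHA-1(OV + n*IF), with OV treated as an integer.
        out += hashlib.sha1(state.to_bytes(width, "big")).digest()
        state = (state + step) % (1 << (8 * width))
    return bytes(out[:nbytes])

def xor_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the pad.
    pad = keystream(key, iv, len(data))
    return bytes(d ^ p for d, p in zip(data, pad))

def flipped_bit_damage(key: bytes, iv: bytes, plaintext: bytes, bit: int) -> int:
    # Flip one ciphertext bit "in transit" and count the plaintext bits that
    # differ after decryption. A synchronous cipher does not propagate errors.
    ct = bytearray(xor_crypt(key, iv, plaintext))
    ct[bit // 8] ^= 1 << (bit % 8)
    recovered = xor_crypt(key, iv, bytes(ct))
    return sum(bin(a ^ b).count("1") for a, b in zip(plaintext, recovered))

# Constructed sample values (not from the slides).
KEY = bytes(range(64))                 # 64-byte key
IV_A = bytes(16)                       # 16-byte IV, all zero
IV_B = bytes(15) + b"\x01"             # same key, different IV
MSG = b"constructed sample plaintext, longer than one SHA-1 block"

if __name__ == "__main__":
    ct = xor_crypt(KEY, IV_A, MSG)
    print("round trip ok:", xor_crypt(KEY, IV_A, ct) == MSG)
    print("bits damaged by one flipped ciphertext bit:",
          flipped_bit_damage(KEY, IV_A, MSG, 100))
    print("keystreams differ across IVs:",
          keystream(KEY, IV_A, 40) != keystream(KEY, IV_B, 40))
```

The single damaged bit is the non-error-propagation property of synchronous ciphers; it also means ciphertext bits can be flipped without detection, so a deployment needs a separate integrity check such as a MAC.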

Intuitions: why HSC
Hash functions are easy to find
  –Easy to implement our scheme on top of existing systems
We can prove the security of HSC based on the security of cryptographic hash functions

Security analysis on HSC: Period
Period
  –Ideally, no period if the core hash function is collision-resistant
  –Assume there's an m-bit period; then we can find a collision every m/n iterations

Security analysis on HSC: Period
  –But… the inner state has a limitation due to the implementation
  –Configurable inner state size
  –The inner state size depends on the limitation of the hash function input size
  –
  –Which is huge!

Security analysis on HSC: Indistinguishability
Indistinguishability of the keystream from a random stream
  –The distribution of the keystream depends on the IV and Key

Security analysis on HSC: Indistinguishability
  –Assumption 1: if the input of the hash function is random, the output should be random, or have a random distribution
  –Every individual keystream block should look random, given the randomness of the key and the security of the hash function.
  –Otherwise, we can find an easier way to invert the one-way function by analyzing the non-uniform distribution of the output

Security analysis on HSC: Indistinguishability
  –Assumption 2: if the inputs of the hash function are different, but correlated, the outputs of a good hash function should at least have a good statistical distribution
  –Global view of the keystream blocks
  –Collision-resistance guarantees that keystream blocks are statistically different

Security analysis on HSC: Indistinguishability
  –Almost no one can guarantee there's no correlation in their keystream
  –That's why the inner state should be kept secret
  –That's why we are using

Security analysis on HSC: Information theory
Information theory -- Entropy
  –The larger the entropy of the keystream, the better
  –Entropy comes from: IV and Key
  –The hash function will guarantee the entropy of each stream block: min(|key|, |digest|)
  –IF will spread the key entropy to the whole keystream

Security analysis on HSC: Statistical analysis
Three statistical tests from the NIST standard
  –SHA-1, Key length 64 bytes, IV 16 bytes, and IF 1 byte
  –1000 tests on 10 MB keystream. Threshold:
  –1 GB: HSC costs 92,312 ms, RC4 costs 30,047 ms
[Table: Frequency, Runs and Cumulative test results for HSC and RC4; the values are not preserved in this transcript]
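The Frequency and Runs tests named on this slide, written out from NIST SP 800-22 as an added example (not the authors' test harness; the Cumulative Sums test is left out). The keystream source is a constructed SHA-1 counter stream standing in for HSC, and the 0.01 significance level is an assumption because the slide's threshold is not preserved.

```python
import hashlib
import math

ALPHA = 0.01  # NIST SP 800-22 default significance level (assumed here)

def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def frequency_test(bits: list) -> float:
    # Monobit test: are 1s and 0s roughly balanced?
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))

def runs_test(bits: list) -> float:
    # Runs test: is the number of runs of identical bits as expected?
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0                     # fails the frequency prerequisite
    v = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def hash_counter_stream(seed: bytes, nbytes: int) -> bytes:
    # Stand-in keystream source: SHA-1(seed || counter). Not the HSC rule.
    blocks = (nbytes + 19) // 20
    out = b"".join(hashlib.sha1(seed + n.to_bytes(8, "big")).digest()
                   for n in range(blocks))
    return out[:nbytes]

def report(name: str, data: bytes) -> dict:
    bits = to_bits(data)
    p = {"frequency": frequency_test(bits), "runs": runs_test(bits)}
    print(name, {k: (round(v, 4), "pass" if v >= ALPHA else "FAIL")
                 for k, v in p.items()})
    return p

# Constructed inputs (not data from the slides).
GOOD = hash_counter_stream(b"constructed-seed", 12500)   # 100,000 bits
SKEWED = b"\xfe" * 1000        # far more 1s than 0s
BLOCKY = b"\xf0" * 1000        # balanced, but too few runs

if __name__ == "__main__":
    for name, data in (("hash stream", GOOD), ("skewed", SKEWED),
                       ("blocky", BLOCKY)):
        report(name, data)
```

The BLOCKY input passes the Frequency test with a p-value of 1.0 and still fails the Runs test, which is why a single statistical test is not accepted as evidence of randomness.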

References
  –M.J.B. Robshaw. Stream Ciphers. RSA Laboratories Technical Report TR-701, Version 2.0, July 25, 1995
  –John Mattsson. Stream Cipher Design -- An evaluation of the eSTREAM candidate Polar Bear. Master of Science Thesis, Stockholm, Sweden, 2006
  –Erik Zenner. On the Role of the Inner State Size in Stream Ciphers. Reihe Informatik
  –Scott Fluhrer, Itsik Mantin, Adi Shamir. Attacks on RC4 and WEP
  –Markku-Juhani O. Saarinen. Chosen-IV Statistical Attacks on eSTREAM Ciphers
  –Yong Zhang, Xiamu Niu, Juncao Li, and Chunming Li. Research on a novel Hashing Stream Cipher. In Proc. of CIS 2006, Guangzhou, China, November 3-6, 2006

Thanks
Questions?

Security analysis on HSC: Information theory
Information theory -- Entropy
  –The larger the entropy of the keystream, the better
  –Entropy comes from: IV and Key
  –But the IF will spread the entropy to the whole keystream
  –This may lead to a better explanation of our construction

Security analysis on HSC: Information theory
Information theory -- Entropy
  –Why hash functions? – we want to shrink
  –The larger the entropy of the keystream, the better
  –Entropy comes from: IV and Key
  –If |OV| > |Hash digest|, entropy is lost on each keystream block.
  –But the IF will spread the entropy to the whole keystream
  –This may lead to a better explanation of our construction