HSC: Building Stream Cipher from Secure Hash Functions
Juncao Li
Nov. 29th, 2007
Department of Computer Science, Portland State University

juncao@cs.pdx.edu, Portland State University, Nov. 29th 2007

Agenda
–Introduction to the Stream Cipher
–Security of the Stream Cipher
–Construction of the Hashing Stream Cipher
–Analysis of the HSC

Introduction: Stream Cipher
Symmetric cipher
Encryption/decryption scheme
–Take a Key and an IV (optional)
–Generate a pseudorandom keystream (pad)
–XOR the pad with the plaintext, like a one-time pad

Stream Cipher: types
State cipher
–Maintains an internal state
–Based on which, the keystream is generated
–Usually, the internal state is kept secret
–As large as possible

Stream Cipher: types
Synchronous
–The state changes independently of the plaintext or ciphertext
–RC4
–Non-error-propagation
–Keep synchronized
Self-synchronizing stream ciphers
–Previous ciphertext digits are used to compute the keystream
–CFB: a block cipher in cipher-feedback mode (CFB)
–Input to the generator is partially exposed
–Limitation of the analyzability: keystream depends on the messages

Security analysis: goal
Hard to guess the next bit of the keystream generator with some probability better than random guessing
–About the appearance of the keystream
–Noticeably more 1s than 0s in the keystream
Hard to reproduce the keystream from the keystream that we already have
–About the inherent complexity of the keystream
–Existence of a short period

Formal security support
Theoretical support
–Yao’s work: a pseudo-random generator could be 'efficiently' predicted if, and only if, the generator could be 'efficiently' distinguished from a perfectly random source.

Security in appearance
Security measures in appearance
–Long period
    A keystream generator can be modeled by a finite state machine
    Eventually some states will repeat, which leads to a period
–Statistical measures
    Have the appearance of (periodic) pseudo-random sequences
–Complexity

HSC
It’s a synchronous stream cipher
It takes an IV and a random Key as input
Define
–Original Vector: OV = Key || IV
–Increasing Factor:, where is byte accumulation, and i is public. If IF = 0, set IF = 1
–Keystream Block:, where KB_n represents the n-th keystream block

HSC: Framework

Intuitions: why HSC
Hash functions are easy to find
–Easy to implement our scheme based on the existing systems
We can prove the security of HSC based on the security of cryptographic hash functions

Security analysis on HSC: Period
Period
–Ideally, no period if the core hash function is collision-resistant
–Assume there is an m-bit period; then we can find a collision every m/n iterations

Security analysis on HSC: Period
–But… the inner state has a limitation due to the implementation
–Configurable inner state size
–The inner state size depends on the limitation of the hash function input size
–
–Which is huge!

Security analysis on HSC: Indistinguishability
Indistinguishability of the keystream from the random stream
–The distribution of the keystream depends on the IV and Key

Security analysis on HSC: Indistinguishability
–Assumption 1: if the input of the hash function is random, the output should be random, or have a random distribution
–Every individual keystream block should look random, given the randomness of the key and the security of the hash function.
–Otherwise, we can find an easier way to invert the one-way function by analyzing the non-uniform distribution of the output

Security analysis on HSC: Indistinguishability
–Assumption 2: if the inputs of the hash function are different, but correlated, the outputs of a good hash function should at least have a good statistical distribution
–Global view of the keystream blocks
–Collision-resistance guarantees that keystream blocks are statistically different

Security analysis on HSC: Indistinguishability
–Almost no one can guarantee there’s no correlation in their keystream
–That’s why the inner state should be kept secret
–That’s why we are using

Security analysis on HSC: Information theory
Information theory -- Entropy
–The larger the entropy of the keystream, the better
–Entropy comes from: IV and Key
–The hash function will guarantee the entropy of each stream block: min(|key|, |digest|)
–IF will spread the key entropy to the whole keystream

Security analysis on HSC: Statistical analysis
Three statistical tests from the NIST standard
–SHA-1, Key length 64 bytes, IV 16 bytes, and IF 1 byte
–1000 times test on 10 MB keystream. Threshold: 0.981
–1 GB: HSC costs 92,312 ms, RC4 costs 30,047 ms

HSC         1 2 3 4 5 6 7 8 9 10
Frequency   0.992 0.994 0.991 0.994 0.997 0.994 0.989 0.992 0.989
Runs        0.995 0.994 0.993 0.989 0.992 0.989 0.992 0.989 0.995 0.991
Cumulative  0.986 0.994 0.988 0.992 0.995 0.993 0.985 0.993 0.988 0.989

RC4         1 2 3 4 5 6 7 8 9 10
Frequency   0.986 0.982 0.987 0.984 0.989 0.989 0.989 0.989 0.991
Runs        0.992 0.993 0.990 0.987 0.991 0.993 0.996 0.988 0.990 0.985
Cumulative  0.987 0.976 0.982 0.976 0.986 0.988 0.989 0.989 0.983 0.989

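The pass proportions in the table above are built from per-sequence p-values. As an added example (not code from the presentation), the following runs the NIST SP 800-22 frequency and runs tests over RC4 keystream; the key, the block size and the significance level of 0.01 are assumptions, and under that significance level the minimum pass proportion for 1000 sequences works out to the 0.981 threshold quoted on the slide.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 keystream, the synchronous cipher the slides use as a baseline."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                            # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def to_bits(data: bytes) -> list:
    return [(b >> k) & 1 for b in data for k in range(7, -1, -1)]

def frequency_test(bits) -> float:
    """SP 800-22 monobit test: p-value for the balance of 1s and 0s."""
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))

def runs_test(bits) -> float:
    """SP 800-22 runs test: p-value for the number of uninterrupted runs."""
    n = len(bits)
    pi = sum(bits) / n
    if pi in (0.0, 1.0) or abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0                                # frequency prerequisite failed
    v = 1 + sum(bits[k] != bits[k + 1] for k in range(n - 1))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def min_pass_proportion(m: int, alpha: float = 0.01) -> float:
    """Lower bound on the pass proportion for m sequences (alpha is an assumption)."""
    p = 1 - alpha
    return p - 3 * math.sqrt(p * alpha / m)

def pass_proportion(stream: bytes, test, block_bytes: int, alpha: float = 0.01) -> float:
    """Fraction of fixed-size keystream blocks whose p-value is at least alpha."""
    blocks = [stream[k:k + block_bytes] for k in range(0, len(stream), block_bytes)]
    return sum(test(to_bits(b)) >= alpha for b in blocks) / len(blocks)

if __name__ == "__main__":
    ks = rc4_keystream(b"constructed demo key", 200 * 1250)   # 200 blocks of 10,000 bits
    for name, t in (("Frequency", frequency_test), ("Runs", runs_test)):
        print(name, pass_proportion(ks, t, 1250), "minimum", round(min_pass_proportion(200), 3))
```
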
Thanks
Questions?

Security analysis on HSC: Information theory
Information theory -- Entropy
–The larger the entropy of the keystream, the better
–Entropy comes from: IV and Key
–But the IF will spread the entropy to the whole keystream
–This may lead to a better explanation of our construction

Security analysis on HSC: Information theory
Information theory -- Entropy
–Why hash functions? – we want to shrink
–The larger the entropy of the keystream, the better
–Entropy comes from: IV and Key
–If |OV| > |Hash digest|, entropy is lost on each keystream block.
–But the IF will spread the entropy to the whole keystream
–This may lead to a better explanation of our construction