Slide 1: Random walks and analysis of algorithms in cryptography
Ilya Mironov, Stanford University

Slide 2: Talk overview
- Cryptanalysis of the RC4 stream cipher: card shuffling; brute-force attack
- Broadcast encryption: analysis; optimization
- Other work
Slide 3: Talk overview (section divider)
Slide 4: RC4 stream cipher
RC stands for "Ron's Code"; designed in 1987 by Ron Rivest. Several design goals:
- speed
- support for 8-bit architectures
- simplicity (to circumvent export regulations)

Slide 5: Abridged history of [alleged] RC4™
- 1994: leaked to the cypherpunks mailing list
- 1995: first weakness (USENET post)
- 1996: appeared in "Applied Cryptography" by B. Schneier as "alleged RC4"
- 1997: first published analysis
- MS theses: 3; PhD theses: 1

Slide 6: Usage
- SSL/TLS
- Windows, Lotus Notes, Oracle, etc.
- Cellular Digital Packet Data
- OpenBSD pseudo-random number generator
Slide 7: Encryption (diagram)
The key initializes the cipher state; the state produces a keystream (shown as 000111101010110101); plaintext XOR keystream = ciphertext.

Slide 8: Decryption (diagram)
The same key gives the same cipher state and the same keystream; ciphertext XOR keystream = plaintext.

Slide 9: Security requirement
Indistinguishability from a perfect source of randomness: given part of the output stream, it is impossible to distinguish it from a random string.
Slide 10: Second byte [MS01]
The second byte of RC4 output is 0 with twice the expected probability.

Slide 11: Related-key attack [FMS01]
Wireless Equivalent Privacy protocol (part of the 802.11b standard). Using keys with known prefixes is BAD: each per-packet key is a known IV prefix followed by the same secret key (diagram):
- IV1, key -> 0010101010
- IV2, key -> 1010110001
- IV3, key -> 0101010111
- IV4, key -> 1010101010

Slide 12: Recommendation
Discard the first 256 bytes of RC4 output [RSA, MS]. Is this enough?
Slide 13: RC4 internal state
A permutation S on 256 bytes plus two indices i, j. Size of the state space: log2(256! · 256²) ≈ 1700 bits (the slide also shows the digits 2112313424912181325013853…).

Slide 14: Key scheduling algorithm (all arithmetic is mod 256)
    for i := 0 to 255
        S[i] := i
    j := 0
    for i := 0 to 255
        j := j + S[i] + key[i]
        swap(S[i], S[j])

Slide 15: Pseudo-random number generator
    i := 0
    j := 0
    repeat
        i := i + 1
        j := j + S[i]
        swap(S[i], S[j])
        output S[S[i] + S[j]]
Slides 16-20: Idealization of RC4
Slide 16 shows the two routines side by side (key scheduling on the left, pseudo-random number generator on the right). Slides 17 and 18 replace the data-dependent index updates, j := j + S[i] + key[i] in the key scheduling and j := j + S[i] in the generator, by j := random(256), so that both routines become the same loop: i steps through the array and S[i] is swapped with a uniformly random S[j]. Slide 19 keeps only that loop, and slide 20 generalizes 256 to n:
    for i := 0 to n - 1
        S[i] := i
    i := 0
    repeat
        i := i + 1
        j := random(n)
        swap(S[i], S[j])
Slide 21: Talk overview (section divider)
Slide 22: Exchange shuffle
RC4 as card shuffling (figure): for i = 0, 1, 2, … pick a random j and swap cards i and j. When i = n - 1 the permutation is … not random.

Slide 23: Perfect shuffling
The textbook algorithm to shuffle cards (figure): for i = 0, 1, 2, … pick a random j among the positions i … n - 1 and swap(S[i], S[j]). When i = n - 1 the permutation is perfectly random.

Slide 24: Why is it not random?
- n! does not divide n^n
- Sign of the permutation: the sign changes at each step with probability 1 - 1/n
- Positions of individual cards are predictable
Slide 25: First byte of RC4 output
The first byte, S[S[1] + S[S[1]]], is biased.

Slide 26: Distinguisher
Fewer than 2,000 samples suffice to recognize a non-random output with 10% error.
Slide 27: Mixing time
The permutation becomes more and more random (plot: nonrandomness against time).

Slide 28: Variation distance
Variation distance between two distributions P and Q on S:
    d(P, Q) = ½ Σ_{s ∈ S} |P(s) − Q(s)|
(plot: variation distance against time)

Slide 29: The end of the beginning of RC4
What is the sufficient number of swaps for the permutation to become random? Find t such that d(P_t, U) is below a prescribed threshold, where P_t is the distribution of the permutation after t swaps and U is the uniform distribution.
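An added example (my code, not the talk's) that puts numbers to slides 22-29: exact enumeration of the exchange shuffle (n^n equally likely paths) against the textbook shuffle (n! paths) for n = 3, the variation distance of slide 28 computed exactly with fractions, and d(P_t, U) for the idealized RC4 walk of slide 20 as t grows. The names exchange_counts, textbook_counts, idealized_rc4_distribution and mixing_curve are assumptions of this example, and i starts at 0 rather than 1, which only relabels positions and changes no distance.

```python
# Added example (not from the talk): exchange shuffle vs. textbook shuffle by
# exhaustive enumeration, and d(P_t, U) of the idealized RC4 walk over time.
from collections import Counter
from fractions import Fraction
from itertools import permutations, product
from math import factorial

def run_shuffle(n, choices):
    """Apply swap(S[i], S[j]) for i = 0..n-1 with the given sequence of j values."""
    S = list(range(n))
    for i, j in enumerate(choices):
        S[i], S[j] = S[j], S[i]
    return tuple(S)

def exchange_counts(n):
    """Exchange shuffle (RC4 idealization): j uniform over 0..n-1, so n^n equally likely paths."""
    return Counter(run_shuffle(n, c) for c in product(range(n), repeat=n))

def textbook_counts(n):
    """Perfect shuffle: j uniform over i..n-1, so n! equally likely paths, one per permutation."""
    return Counter(run_shuffle(n, c) for c in product(*[range(i, n) for i in range(n)]))

def distribution(counts):
    """Turn path counts into an exact probability distribution."""
    total = sum(counts.values())
    return {s: Fraction(c, total) for s, c in counts.items()}

def uniform(n):
    """U: every permutation of n cards with probability 1/n!."""
    return {p: Fraction(1, factorial(n)) for p in permutations(range(n))}

def variation_distance(P, Q):
    """d(P,Q) = 1/2 * sum_s |P(s) - Q(s)|, exactly, over the union of both supports."""
    return Fraction(1, 2) * sum(abs(P.get(s, 0) - Q.get(s, 0)) for s in set(P) | set(Q))

def idealized_rc4_distribution(n, t):
    """Exact law of S after t steps of: i := i+1 (mod n); j := random(n); swap(S[i], S[j]).
    Probabilities are propagated over all reachable permutations with Fractions."""
    dist = {tuple(range(n)): Fraction(1)}
    for step in range(t):
        i = step % n
        nxt = {}
        for S, pr in dist.items():
            for j in range(n):
                L = list(S)
                L[i], L[j] = L[j], L[i]
                nxt[tuple(L)] = nxt.get(tuple(L), Fraction(0)) + pr / n
        dist = nxt
    return dist

def mixing_curve(n, max_t):
    """d(P_t, U) for t = 0..max_t: the 'nonrandomness against time' plot, as numbers."""
    U = uniform(n)
    return [variation_distance(idealized_rc4_distribution(n, t), U) for t in range(max_t + 1)]

if __name__ == "__main__":
    print("exchange, n=3:", sorted(exchange_counts(3).values()))   # 27 paths over 6 outcomes: unequal
    print("textbook, n=3:", sorted(textbook_counts(3).values()))   # 6 paths over 6 outcomes: all equal
    for t, d in enumerate(mixing_curve(4, 16)):
        print(f"t={t:2d}  d(P_t, U) = {float(d):.4f}")
```

For n = 3 the 27 exchange-shuffle paths land on the six permutations 4, 5, 5, 5, 4, 4 times, which is the "n! does not divide n^n" argument of slide 24 made concrete; the distance never reaches exactly 0 for this walk, but the curve for n = 4 shows it shrinking quickly with each pass over the array.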
Slide 30: Card shuffling
To shuffle 52 cards:
- 7 riffle shuffles
- ~100 random transpositions
- ~30,000 adjacent transpositions
- exchange (RC4) shuffles: ?

Slide 31: Lower bound
Sign of the permutation: after t rounds the sign can be predicted with probability e^(-2t).
Slide 32: Upper bound
Checking argument:
1. initially all cards are unchecked
2. check S[i] if either i = j or S[j] is checked
3. keep doing this until all cards are checked

Slides 33-34: Checking argument (figures)
Positions i and j; once checked, S[i] is indistinguishable from the other checked cards.

Slide 35: Checking argument
It takes O(n log n) steps to check all cards. This gives an upper bound.
Slide 36: Mixing time
At least Ω(n), at most O(n log n).

Slide 37: What if n = 256?
Optimistically (go with the lower bound): mixes in 4 · 256 steps. Conservatively (use the upper bound): mixes in 16 · 256 steps.

Slide 38: New development
E. Mossel, A. Sinclair, Y. Peres (Berkeley): the upper bound is tight, mixing time = Θ(n log n). Distinguisher: look at the cards from the left half.
Slide 39: Talk overview (section divider)
Slides 40-50: Backtracking (animated)
The generator unrolled for the first three outputs (all arithmetic mod 256):
    j := S[1]; t := S[1] + S[j]; output S[t]
    j := j + S[2]; t := S[2] + S[j]; output S[t]
    j := j + S[3]; t := S[3] + S[j]; output S[t]
The animation highlights the table entries the computation touches, in the order S[1], S[j], S[2], S[j], S[3], S[j]; from slide 45 on the highlighted sequence alternately drops and re-adds the last S[j], illustrating the backtracking over guesses for these entries.
Slide 51: Cost of backtracking
- Keep guessing until there is a critical mass ≈ 100 entries
- Each guess is ≈ 8 bits, which multiplies the running time by 2^8
- Estimated running time ~ 2^800 (for comparison: there are 2^200 particles in the universe)

Slide 52: Improvement
Same unrolled computation, but the highlighted entries are S[1], S[2], S[3] (the entries indexed by i) rather than the alternating S[i], S[j] sequence of the previous slides.

Slide 53: Running time of improved algorithm
Much more intricate analysis of an unbalanced tree. Estimated less than 2^600.

Slide 54: Why is it interesting?
What about "short RC4", a 64-byte permutation? Its internal state has size 300 bits. 64-byte RC4 is secure against the old attack, borderline under the new attack.
Slide 55: Talk overview (section divider)
Slide 56: Broadcast encryption (figure)
A source and many receivers, all holding the same key k. One rogue user compromises the whole system. Very little overhead.

Slide 57: Broadcast encryption (figure)
Receivers hold individual keys k_1, k_2, k_3, k_4, k_5, …, k_n. The broadcast is E[k_1, k], E[k_2, k], …, E[k_n, k], E[k, M]: the message key k encrypted under every receiver's key, then the message M under k.

Slide 58: Broadcast encryption (figure)
Same scheme: too many keys, but simple user revocation.

Slide 59: Subset-cover framework (Naor-Naor-Lotspiech'01) (figure)
The receivers are covered by subsets S_1, S_2, …, S_8.

Slide 60: (figure)
Receiver u knows the keys k_3, k_4, k_5 of the subsets that contain it.
Slide 61: Key distribution
- Based on some formal characteristic: e.g., the DVD's serial number
- Using some real-life descriptors: Microsoft employees; researchers; California state residents; PhD's

Slide 62: Broadcast using subset cover (figure)
The cover consists of S_1, S_3, S_5, S_6, S_8, S_10; the header uses k_1, k_3, k_5, k_6, k_8, k_10.

Slide 63: Subtree difference
All receivers are associated with the leaves of a full binary tree; nodes are labelled by their paths, with keys k_0, k_00, k_01, …, k_0…0, k_0…1, k_1…1.

Slide 64: Subtree differences (figure)
Nodes i and j, with j in the subtree of i, define the special set S_{i,j}.

Slide 65: Subtree difference (figure)
Slide 73: Greedy algorithm
Easy greedy algorithm for constructing a subtree cover for any set of revoked users.

Slides 74-77: Greedy algorithm (figures)
- Find a node such that both of its children have exactly one revoked descendant
- Add (at most) two sets to the cover
- Revoke the entire subtree
- Could be fewer than two sets
Slide 78: Analysis of this algorithm
R = number of revoked users; C = number of sets in the cover.
- C ≤ 2R − 1
- Averaged over sets of fixed size [NNL'01]: E[C] ≤ 1.38R
- Simulation experiments give [NNL'01]: E[C] ~ 1.25R

Slide 79: Analysis of this algorithm
R = number of revoked users; C = number of sets in the cover. If each user is revoked with probability p ≪ 1: E[C] ≈ 1.24511 E[R].
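An added example, not code from the talk or from the NNL paper: my reading of the greedy procedure of slides 73-77 in Python over a heap-indexed full binary tree (root = 1, children 2v and 2v+1, user u at leaf 2^depth + u), together with a check that the resulting cover is a partition of the non-revoked users and a seeded Monte Carlo estimate of E[C]/E[R] to compare with slides 78-79. The names leaves_below, sd_cover, cover_is_valid and random_cover_stats, and the revoked sets used as input, are constructed for this example.

```python
# Added example (not from the talk): greedy subtree-difference cover over a
# heap-indexed full binary tree, a validity check, and an estimate of E[C]/E[R].
import random

def leaves_below(node, depth):
    """Users (leaves 0..2^depth-1) in the subtree of a heap-indexed node (root = 1)."""
    level = node.bit_length() - 1
    width = 1 << (depth - level)
    first = (node - (1 << level)) * width
    return set(range(first, first + width))

def sd_cover(depth, revoked):
    """Greedy cover: list of (a, b) meaning S_{a,b} = leaves(a) minus leaves(b).
    (1, None) stands for the whole tree when nobody is revoked."""
    n_leaves = 1 << depth
    revoked_nodes = {n_leaves + u for u in revoked}
    cover = []

    def walk(v):
        # Returns the one Steiner-tree leaf still hanging under v (None if no revoked leaf below).
        if v >= n_leaves:
            return v if v in revoked_nodes else None
        left, right = walk(2 * v), walk(2 * v + 1)
        if left is None or right is None:
            return left if right is None else right
        # Both children hold exactly one revoked descendant: add at most two sets
        # (none for a child that is itself that descendant), then treat the whole
        # subtree of v as revoked, as on slides 74-77.
        if left != 2 * v:
            cover.append((2 * v, left))
        if right != 2 * v + 1:
            cover.append((2 * v + 1, right))
        return v

    u = walk(1)
    if u is None:
        cover.append((1, None))
    elif u != 1:
        cover.append((1, u))
    return cover

def cover_is_valid(depth, revoked, cover):
    """Each non-revoked user lies in exactly one set; revoked users lie in none."""
    members = []
    for a, b in cover:
        members.extend(leaves_below(a, depth) - (set() if b is None else leaves_below(b, depth)))
    return sorted(members) == sorted(set(range(1 << depth)) - set(revoked))

def random_cover_stats(depth, p, trials, seed=0):
    """Revoke each user independently with probability p (constructed experiment); return
    (sum C / sum R, every cover valid, every cover within C <= 2R - 1)."""
    rng = random.Random(seed)                  # seeded: repeatable experiment
    total_c = total_r = 0
    valid = within_bound = True
    for _ in range(trials):
        revoked = {u for u in range(1 << depth) if rng.random() < p}
        if not revoked:
            continue
        cover = sd_cover(depth, revoked)
        valid &= cover_is_valid(depth, revoked, cover)
        within_bound &= len(cover) <= 2 * len(revoked) - 1
        total_c += len(cover)
        total_r += len(revoked)
    return total_c / total_r, valid, within_bound

if __name__ == "__main__":
    print(sd_cover(3, {0, 5}))                 # constructed input: two sets for two revoked users
    ratio, ok, bound = random_cover_stats(12, 0.01, 100)
    print(f"E[C]/E[R] ~ {ratio:.3f} (slides: ~1.245 for small p)", ok, bound)
```

The ratio is not bounded below by 1: two revoked siblings collapse into a single Steiner leaf and cost no set of their own, so sum C / sum R drifts below the 1.245 of slide 79 when revoked users cluster, while the 2R − 1 bound of slide 78 holds for every set.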
Slide 80: Exact formula

Slide 81: Mellin transform

Slides 82-83: Asymptotic (plots)
E[C]/E[R] plotted against p: as p → 0 the ratio tends to 3 log2(4/3) = 1.24511…, and the plotted values lie between 1.2451114… and 1.2451134….
Slide 84: Talk overview (section divider)

Slide 85: Halevy-Shamir scheme
Noticed that subtree differences are decomposable.

Slide 86: Halevy-Shamir scheme
Fewer special sets reduce the memory requirement on receivers.

Slide 87: Improvement
For practical parameters, save an additional 20% compared to the Halevy-Shamir scheme. This is joint work with N. Alon, D. Halevy, A. Shamir.

Slide 88: Talk overview (section divider)

Slide 89: Other work
- New classes of hash functions and analysis of a construction for hash functions [Eurocrypt'01]
- Crypto and game theory in peer-to-peer filesharing networks [EC'01, FC'02]
- Construction of short signatures based on discrete logarithm [CT-RSA'03]