Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.

Published byTiffany Harris Modified over 9 years ago

Similar presentations

Presentation on theme: "CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers."— Presentation transcript:

1 CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers

2 CS555Spring 2012/Topic 52 Outline and Readings Outline Stream ciphers LFSR RC4 Pseudorandomness Readings: Katz and Lindell: 3.3, 3.4.1

3 CS555Spring 2012/Topic 53 Stream Ciphers In One-Time Pad, a key is a random string of length at least the same as the message Stream ciphers: –Idea: replace “rand” by “pseudo rand” –Use a Pseudo Random (Number) Generator –G: {0,1} s  {0,1} n expand a short (e.g., 128-bit) random seed into a long (e.g., 10 6 bit) string that “looks random” –Secret key is the seed –Naïve encryption: E key [M] = M  G(key) –To encrypt more than one messages, need to be more sophisticated.

4 CS555Spring 2012/Topic 54 Linear Feedback Shift Register (LFSR) Example: 1000  Starting with 1000, the output stream is –1000 1001 1010 1111 000 Repeat every 2 4 – 1 bit The seed is the key

5 CS555Spring 2012/Topic 55 Linear Feedback Shift Register (LFSR) Example: z i = z i-4 +z i-3 mod 2 = 0  z i-1 + 0  z i-2 + 1  z i-3 + 1  z i-4 mod 2 We say that stages 0 & 1 are selected. Stage 0 Stage 1 Stage 2 Stage 3 

6 CS555Spring 2012/Topic 56 Properties of LFSR Fact: given an L-stage LFSR, every output sequence is periodic if and only if stage 0 is selected Definition: An L-stage LFSR is maximum-length if some initial state will results a sequence that repeats every 2 L  1 bit Whether an LFSR is maximum-length or not depends on which stages are selected.

7 CS555Spring 2012/Topic 57 Cryptanalysis of LFSR Vulnerable to know-plaintext attack –A LFSR can be described as z m+i =  j=0 m-1 c j z i+j mod 2 –Knowing 2m output bits, one can construct m linear equations with m unknown variables c 0, …, c m-1 recover c 0, …, c m-1

8 CS555Spring 2012/Topic 58 Cryptanalysis of LFSR Given a 4-stage LFSR, we know –z 4 =z 3 c 3 +z 2 c 2 +z 1 c 1 +z 0 c 0 mod 2 –z 5 =z 4 c 3 +z 3 c 2 +z 2 c 1 +z 1 c 0 mod 2 –z 6 =z 5 c 3 +z 4 c 2 +z 3 c 1 +z 2 c 0 mod 2 –z 7 =z 6 c 3 +z 5 c 2 +z 4 c 1 +z 3 c 0 mod 2 Knowing z 0,z 1,…,z 7, one can compute c 0,c 1,c 2,c 4. In general, knowing 2n output bits, one can solve an n-stage LFSR

9 CS555Spring 2012/Topic 59 The RC4 Stream Cipher A proprietary cipher owned by RSA, designed by Ron Rivest in 1987. Became public in 1994. Simple and effective design. Variable key size (typical 40 to 256 bits), Output unbounded number of bytes. Widely used (web SSL/TLS, wireless WEP). Extensively studied, not a completely secure PRNG, when used correctly, no known attacks exist

10 Spring 2012/Topic 510 The RC4 Cipher: Encryption The cipher internal state consists of –a 256-byte array S, which contains a permutation of 0 to 255 total number of possible states is 256!  2 1700 –two indexes: i, j i = j = 0 Loop i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) output (S[i] + S[j]) (mod 256) End Loop CS555

11 Spring 2012/Topic 511 RC4 Initialization Generate the initial permutation from a key k; maximum key length is 2048 bits First divide k into L bytes Then for i = 0 to 255 do S[i] = i j = 0 for i = 0 to 255 do j = (j + S[i] + k[i mod L])(mod 256) swap (S[i], S[j]) CS555

12 Randomness and Pseudorandomness For a stream cipher (PRNG) is good, it needs to be “pseudo-random”. Random is not a property of one string –Is “000000” “less random” than “011001”? –Random is the property of a distribution, or a random variable drawn from the distribution Similarly, pseudo-random is property of a distribution We say that a distribution D over strings of length- l is pseudorandom if it is indistinguishable from a random distribution. We use “random string” and “pseudorandom string” as shorthands CS555Spring 2012/Topic 512

13 Distinguisher A distinguisher D for two distributions works as follows: – D is given one string sampled from one of the two distributions –D tries to guess which distribution it is from –D succeeds if guesses correctly How to distinguish a random binary string of 256 bits from one generated using RC4 with 128 bites seed? CS555Spring 2012/Topic 513

14 Pseudorandom Generator Definition (Asymptotic version) Definition 3.14. We say an algorithm G, which on input of length n outputs a string of length l (n), is a pseudorandom generator if 1.For every n, l (n) > n 2.For each PPT distinguisher D, there exists a negligible function negl such that |Pr[D(r)=1 – Pr[D(G(s))=1|  negl(n) Where r is chosen at uniformly random from {0,1} l (n) and s is chosen at uniform random from {0,1} s CS555Spring 2012/Topic 514

15 Security of using Stream Cipher for Encrpytion Consider the construction  of using G(k)  m as the encryption of m Theorem 3.16. If G is a pseudorandom generator, then  has indistinguishable encryptions in the presence of an eavesdropper. Proof idea? CS555Spring 2012/Topic 515

16 Proof of Theorem 3.16 If  does not have indistinguishable encryptions in the presence of an eavesdropper; then there exists adversary A that can break  with non-negligible prob; we construct a distinguisher D as follows CS555Spring 2012/Topic 516 A D w C = w  M b b’ 1 if b=b’; 0 otherwise M 0, M 1 b  {0,1}

17 A Bit More Details on the Proof Let  (n) be |Pr[PrivK eav A,  =1] - ½ | Then |Pr[D(r)=1 – Pr[D(G(s))=1| = | ½ - Pr[PrivK eav A,  =1] | =  (n) CS555Spring 2012/Topic 517

18 CS555Spring 2012/Topic 518 Recap of Pseudo Random Generator Useful for cryptography and for simulation –Stream ciphers, generating session keys The same seed always gives the same output stream Simulation requires uniform distributed sequences –E.g., having a number of statistical properties Definition 3.14 is equivalent to requiring unpredictable sequences –satisfies the "next-bit test“: given consecutive sequence of bits output (but not seed), next bit must be hard to predict Some PRNG’s are weak: knowing output sequence of sufficient length, can recover key. –Do not use these for cryptographic purposes

19 CS555Spring 2012/Topic 519 Coming Attractions … Number Theory Basics Reading: Katz & Lindell: 7.1

Download ppt "CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers."

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Stream cipher diagram + + Recall: One-time pad in Chap. 2.

Stream cipher diagram + + Recall: One-time pad in Chap. 2.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Chapter 2 (D) – Contemporary Symmetric Ciphers I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph.

Chapter 2 (D) – Contemporary Symmetric Ciphers "I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.
CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.

CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.
Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011

Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.

CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.

Similar presentations

Ads by Google