Stream ciphers

An introduction to stream ciphers, perfect secrecy, and semantic security.

Published in: Technology

  1. Van Hoang Nguyen. Mail: startnewday85@gmail.com. Department of Computer Science – FITA – HUA. Information Security Course, Fall 2013.
  2. What is a secure cipher?
  3. What is the best cipher?
  6. The cipher text should reveal no information about the plaintext.
  7. Information Theoretic Security (Shannon 1949). perfect secrecy P (len( )=len( )) and c C Pr(E(k,m0)=c) = Pr(E(k,m1)=c)
  8. K xor xor
  9. K |K| K
  10. P C None 1
  11. xor xor K
  14. “random” “pseudorandom” the random seed
  16. (key-length < message-length)
  17. Can a stream cipher have perfect secrecy?
        - Yes, if the PRG is really “secure”
        - No, there are no ciphers with perfect secrecy
        - Yes, every cipher has perfect secrecy
        - No, since the key is shorter than the message
      Source: Online Cryptography Course – Dan Boneh
  24. PRG must be unpredictable.
  26. Def: PRG is unpredictable if it is not predictable ⇒ ∀ i: no “eff” adv. can predict bit (i+1) for “non-neg” ε
  27. ε ≥ 1/2^30; ε ≤ 1/2^80 (won’t happen over life of key). ε: Z≥0 ⟶ R≥0 and ∃d: ε(λ) ≥ 1/λ^d inf. often; ∀d, λ≥λ_d: ε(λ) ≤ 1/λ^d
  28. How must PRG be?
  29. ⟶ n
  30. Statistical test on {0,1}^n is an algorithm A such that A(x) outputs 0 or 1.
  31. Advantage ⟶ n n A(x) = 0 ⇒ AdvPRG[A,G] =
  32. Def: We say that G: K ⟶ {0,1}^n is a secure PRG if ∀ “eff” statistical test A: AdvPRG[A,G] is “negligible”
  33. PRG predictable ⇒ PRG is insecure. A secure PRG is unpredictable. Suppose A is an efficient algorithm s.t. for non-negligible ε
  34. A secure PRG is unpredictable. Define statistical test B as: ε AdvPRG[B,G] = |Pr[B(r)=1] − Pr[B(G(k))=1]| > ε
  35. Thm (Yao ’82): an unpredictable PRG is secure. Let G: K ⟶ {0,1}^n be PRG. “Thm”: if ∀ i ∈ {0, …, n-1} PRG G is unpredictable at position i then G is a secure PRG.
  36. computationally indistinguishable P1 ≈p P2 ∀ “eff” statistical test A: { k ⟵ K : G(k) } ≈p uniform({0,1}^n)
  37. Silvio Micali, Shafi Goldwasser
  38. Chal. b; Adv. A; k ⟵ K; m0, m1 : |m0| = |m1|; c ⟵ E(k, mb); b’ ∈ {0,1}
  39. semantically secure AdvSS[A, ] { E(k,m0) } ≈p { E(k,m1) }
  40. Adv. B (us); Chal. b ∈ {0,1}; Adv. A (given); k ⟵ K; C ⟵ E(k, mb); m0, LSB(m0)=0; m1, LSB(m1)=1; C; LSB(mb)=b. Then AdvSS[B,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]| = |0 − 1| = 1
  41. For all A: AdvSS[A,OTP] = |Pr[A(k⊕m0)=1] − Pr[A(k⊕m1)=1]| = 0. Chal. b; Adv. A; k ⟵ K; m0, m1 ∈ M : |m0| = |m1|; c ⟵ k⊕m0 or c ⟵ k⊕m1; b’ ∈ {0,1}
  42. secure PRG semantically secure
  43. Chal. b; Adv. A; k ⟵ K; m0, m1 ∈ M : |m0| = |m1|; c ⟵ mb ⊕ r; b’ ∈ {0,1}; r ⟵ {0,1}^n. For b=0,1: Rb := [ event that b’=1 ]
  44. Chal. b; Adv. A; m0, m1 ∈ M : |m0| = |m1|; c ⟵ mb ⊕ G(k); b’ ∈ {0,1}. For b=0,1: Rb := [ event that b’=1 ]; k ⟵ K; r ⟵ {0,1}^n
  45. Claim 1: |Pr[R0] − Pr[R1]| = AdvSS[A,OTP] = 0. Claim 2: ∃B: |Pr[Wb] − Pr[Rb]| = AdvPRG[B,G] for b = 0,1. (Number line from 0 to 1: Pr[W0] and Pr[W1] each within ≤ AdvPRG[B,G] of Pr[Rb].) ⇒ AdvSS[A,E] = |Pr[W0] − Pr[W1]| ≤ 2·AdvPRG[B,G]
  46. Proof: ∃B: |Pr[W0] − Pr[R0]| = AdvPRG[B,G]. PRG adv. B (us); Adv. A (given); c ⟵ m0⊕y; y ∈ {0,1}^n; m0, m1; b’ ∈ {0,1}. |Pr[W0] − Pr[R0]| = = AdvPRG[B,G]
  47. Real-world stream ciphers
  48. Ronald L. Rivest, RC4 (1987)

        // Key scheduling: start from the identity permutation, then mix in the key K
        For i=0 to 255 do S[i]=i;
        For i=0 to 255 do T[i]=K[i mod keylen];
        j=0;
        For i=0 to 255 do
        Begin
          j=(j+S[i]+T[i]) mod 256;
          swap(S[i],S[j]);
        End

  49. Ronald L. Rivest, RC4 (1987)

        // Keystream generation: each round emits one keystream byte ks
        i,j=0;
        While (true) do
        Begin
          i=(i+1) mod 256;
          j=(j+S[i]) mod 256;
          swap(S[i],S[j]);
          t=(S[i]+S[j]) mod 256;
          ks=S[t];
        End
  50. Ronald L. Rivest, RC4 (1987): 2048 bits; 128 bits seed; 1 byte per round
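Added example (not from the slides): slides 33–34 argue that a predictor A for bit i+1 yields a statistical test B with non-negligible advantage. The code uses the standard construction, B(x) = 1 iff A's guess from the first i bits equals bit i+1; the 16-bit LFSR standing in for G, its tap positions, and the names N, I and adv_prg are assumptions chosen for illustration.

```python
import random

N = 64   # output length n of the generator, in bits (assumed)
I = 32   # the predictor works at position i; this LFSR needs i >= 16

def G(k):
    """Toy PRG, assumed for illustration: 16-bit Fibonacci LFSR. Not secure."""
    state, out = k & 0xFFFF, []
    for _ in range(N):
        out.append(state & 1)
        new = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (new << 15)
    return out

def A(prefix):
    """Predictor: guess the next bit from the LFSR's linear recurrence."""
    i = len(prefix)
    return prefix[i - 16] ^ prefix[i - 14] ^ prefix[i - 13] ^ prefix[i - 11]

def B(x):
    """Statistical test built from A: output 1 iff A predicts bit i+1 of x."""
    return 1 if A(x[:I]) == x[I] else 0

def adv_prg(test, trials=4000, seed=2013):
    """Estimate |Pr[test(r)=1] - Pr[test(G(k))=1]| by sampling."""
    rng = random.Random(seed)   # fixed seed so the estimate is repeatable
    on_random = sum(test([rng.getrandbits(1) for _ in range(N)])
                    for _ in range(trials))
    on_prg = sum(test(G(rng.getrandbits(16))) for _ in range(trials))
    return abs(on_random - on_prg) / trials

if __name__ == "__main__":
    # B always accepts G's output and accepts truly random strings half the time
    print("estimated AdvPRG[B,G]:", adv_prg(B))
```

The estimate sits near 1/2, far from negligible, so this G fails the definition on slide 32.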
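Added example (not from the slides): the semantic security game of slides 38–41, computed exactly for one-byte messages by enumerating every key instead of sampling. The `leaky` cipher, which never masks the low bit, is a constructed stand-in for the cipher on slide 40 from which LSB can be deduced; all function and class names are assumptions.

```python
from fractions import Fraction

KEYS = range(256)   # key space K: every one-byte key, chosen uniformly

def otp(k, m):
    """One-time pad on a single byte: c = k XOR m."""
    return k ^ m

def leaky(k, m):
    """Constructed broken cipher: the low key bit is dropped, so LSB(c) = LSB(m)."""
    return (k & 0xFE) ^ m

class LsbAdversary:
    """Adversary B of slide 40: send m0 with LSB 0 and m1 with LSB 1, output LSB(c)."""
    def choose(self):
        return 0x40, 0x41   # equal length, LSB(m0)=0, LSB(m1)=1
    def guess(self, c):
        return c & 1        # b' = LSB(c)

def pr_exp(E, adv, b):
    """Exact Pr[EXP(b) = 1]: fraction of keys for which the adversary outputs 1."""
    m = adv.choose()
    ones = sum(adv.guess(E(k, m[b])) for k in KEYS)
    return Fraction(ones, len(KEYS))

def adv_ss(E, adv):
    """AdvSS[adv, E] = |Pr[EXP(0)=1] - Pr[EXP(1)=1]|."""
    return abs(pr_exp(E, adv, 0) - pr_exp(E, adv, 1))

if __name__ == "__main__":
    print("AdvSS[B, leaky] =", adv_ss(leaky, LsbAdversary()))   # |0 - 1| = 1
    print("AdvSS[B, OTP]   =", adv_ss(otp, LsbAdversary()))     # 1/2 - 1/2 = 0
```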
