Stream ciphers
Van Hoang Nguyen
Mail: startnewday85@gmail.com
Department of Computer Science – FITA – HUA
Information Security Course, Fall 2013

Introduces stream ciphers, perfect secrecy and semantic security.

1. Title slide: Van Hoang Nguyen (startnewday85@gmail.com), Department of Computer Science – FITA – HUA. Information Security Course, Fall 2013.
2. What is a secure cipher?
3. What is the best cipher?
4–5. (image-only slides, no text)
6. The ciphertext should reveal no information about the plaintext.
7. Information-theoretic security (Shannon 1949). A cipher (E, D) over (K, M, C) has perfect secrecy if for all m0, m1 ∈ M with len(m0) = len(m1) and for all c ∈ C:
   Pr[E(k, m0) = c] = Pr[E(k, m1) = c], where k is uniform in K.
   In words: the ciphertext is distributed identically whichever of m0, m1 was encrypted, so even an adversary with unbounded computing power learns nothing about the plaintext from c.
8. (figure) One-time pad: c = m ⊕ k on encryption and m = c ⊕ k on decryption, with a key k as long as the message.
9. (figure) The price of perfect secrecy: the key space must be at least as large as the message space, |K| ≥ |M| (Shannon), so a one-time-pad key is as long as everything it will ever encrypt.
10. (figure) Why the one-time pad has perfect secrecy: for every plaintext P and ciphertext C there is exactly one key (k = P ⊕ C) with E(k, P) = C, so Pr[E(k, m) = c] = 1/|K| for every m and every c.
11. (figure) Stream cipher: the key k is expanded into a keystream that is XORed with the message on encryption and with the ciphertext on decryption.
12–13. (image-only slides, no text)
14. Stream ciphers: replace the "random" one-time-pad key by a "pseudorandom" key, generated from a short random seed (which is the actual key).
15. (image-only slide, no text)
16. A stream cipher cannot have perfect secrecy (key-length < message-length), because of the bound |K| ≥ |M| on slide 9.
17. Quiz (sourced from the Online Cryptography Course by Dan Boneh): Can a stream cipher have perfect secrecy?
   - Yes, if the PRG is really "secure"
   - No, there are no ciphers with perfect secrecy
   - Yes, every cipher has perfect secrecy
   - No, since the key is shorter than the message
   The last answer is the correct one: perfect secrecy requires |K| ≥ |M|, and a stream-cipher key is shorter than the message.
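Shannon's definition can be checked mechanically for toy parameters by enumerating every key and computing Pr[E(k, m) = c] exactly. The following added example (not part of the original slides) does that for a one-time pad and for a deliberately bad stream cipher that expands a short key by repeating it; the cipher constructions, bit lengths and the helper names are my own choices for illustration. The second cipher is exactly the situation of slides 16–17: key shorter than message, and the exhaustive check finds a ciphertext whose probability depends on the plaintext.

```python
"""Exhaustive perfect-secrecy check for toy ciphers over short bit strings.

Added example, not from the original slides. It evaluates Shannon's
definition directly by enumerating every key, so it only works for toy
sizes. The repeated-key 'stream cipher' is a constructed bad example.
"""
from fractions import Fraction
from itertools import product


def xor(a: tuple, b: tuple) -> tuple:
    """Bitwise XOR of two equal-length bit tuples."""
    return tuple(x ^ y for x, y in zip(a, b))


def otp_encrypt(k: tuple, m: tuple) -> tuple:
    """One-time pad: the key is as long as the message."""
    assert len(k) == len(m)
    return xor(k, m)


def repeated_key_encrypt(k: tuple, m: tuple) -> tuple:
    """Toy stream cipher: expand a short key by repeating it.
    This is a constructed, trivially bad 'PRG' used only to show that a
    key shorter than the message cannot give perfect secrecy."""
    stream = tuple(k[i % len(k)] for i in range(len(m)))
    return xor(stream, m)


def cipher_distribution(encrypt, key_bits: int, m: tuple) -> dict:
    """Pr[E(k, m) = c] for every c, with k uniform over {0,1}^key_bits."""
    keys = list(product((0, 1), repeat=key_bits))
    dist = {}
    for k in keys:
        c = encrypt(k, m)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keys))
    return dist


def has_perfect_secrecy(encrypt, key_bits: int, msg_bits: int) -> bool:
    """Shannon's definition: for all m0, m1 of equal length and all c,
    Pr[E(k,m0)=c] == Pr[E(k,m1)=c]. Exhaustive, so toy sizes only."""
    msgs = list(product((0, 1), repeat=msg_bits))
    dists = [cipher_distribution(encrypt, key_bits, m) for m in msgs]
    ciphertexts = set().union(*(d.keys() for d in dists))
    for c in ciphertexts:
        probs = {d.get(c, Fraction(0)) for d in dists}
        if len(probs) != 1:          # some plaintext makes c more/less likely
            return False
    return True


def find_distinguishing_ciphertext(encrypt, key_bits: int, msg_bits: int):
    """Return (m0, m1, c, p0, p1) witnessing a failure of perfect secrecy,
    i.e. Pr[E(k,m0)=c] != Pr[E(k,m1)=c], or None if there is no such c."""
    msgs = list(product((0, 1), repeat=msg_bits))
    dists = {m: cipher_distribution(encrypt, key_bits, m) for m in msgs}
    for m0 in msgs:
        for m1 in msgs:
            for c, p0 in dists[m0].items():
                p1 = dists[m1].get(c, Fraction(0))
                if p0 != p1:
                    return m0, m1, c, p0, p1
    return None


if __name__ == "__main__":
    print("OTP, 4-bit key/4-bit message:", has_perfect_secrecy(otp_encrypt, 4, 4))
    print("repeated 2-bit key, 4-bit message:",
          has_perfect_secrecy(repeated_key_encrypt, 2, 4))
    print("witness:", find_distinguishing_ciphertext(repeated_key_encrypt, 2, 4))
```

The witness printed for the repeated-key cipher is the whole argument of slide 16 in miniature: with a 2-bit key repeated over 4 bits, the all-zero ciphertext occurs with probability 1/4 when the plaintext is 0000 and with probability 0 when the plaintext is 0001, so the ciphertext does reveal information about the plaintext.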
18–23. (image-only slides, no text)
24. PRG must be unpredictable.
25. (image-only slide, no text)
26. Def: a PRG G is predictable if there is an efficient algorithm A and a position i such that, given the first i output bits of G(k), A guesses bit i+1 with probability > 1/2 + ε for non-negligible ε. G is unpredictable if it is not predictable ⇒ ∀ i: no "efficient" adversary can predict bit (i+1) from the first i bits with "non-negligible" advantage ε.
27. What "negligible" and "non-negligible" mean.
   In practice: ε is non-negligible if ε ≥ 1/2^30; ε is negligible if ε ≤ 1/2^80 (won't happen over the life of the key).
   In theory: ε is a function ε: Z≥0 ⟶ R≥0 of the security parameter λ, and
   ε is non-negligible if ∃d: ε(λ) ≥ 1/λ^d infinitely often (ε is at least 1/poly for infinitely many λ);
   ε is negligible if ∀d there is a λ_d such that ∀λ ≥ λ_d: ε(λ) ≤ 1/λ^d (ε is eventually smaller than every 1/poly).
28. How must the PRG be? (What does it mean for a PRG to be secure?)
29. Let G: K ⟶ {0,1}^n be a PRG (n much larger than the seed length).
30. A statistical test on {0,1}^n is an algorithm A such that A(x) outputs 0 or 1 (1 meaning "x looks non-random").
31. Advantage. For G: K ⟶ {0,1}^n and a statistical test A on {0,1}^n define
   AdvPRG[A, G] = | Pr[A(r) = 1] − Pr[A(G(k)) = 1] |, with k uniform in K and r uniform in {0,1}^n.
   Advantage close to 1 ⇒ A can distinguish G from random; close to 0 ⇒ A cannot. Example: if A(x) = 0 for all x, then AdvPRG[A, G] = 0.
32. Def: we say that G: K ⟶ {0,1}^n is a secure PRG if for all "efficient" statistical tests A, AdvPRG[A, G] is "negligible".
33. PRG predictable ⇒ PRG is insecure (equivalently: a secure PRG is unpredictable). Proof: suppose A is an efficient algorithm such that, for some i and non-negligible ε, Pr[A(G(k)|_{1..i}) = G(k)|_{i+1}] > 1/2 + ε, where G(k)|_{1..i} denotes the first i bits of G(k).
34. Define the statistical test B as: B(x) = 1 if A(x|_{1..i}) = x|_{i+1}, else 0. On a truly random r the bit r|_{i+1} is independent of the prefix, so Pr[B(r) = 1] = 1/2, while Pr[B(G(k)) = 1] > 1/2 + ε. Hence
   AdvPRG[B, G] = | Pr[B(r) = 1] − Pr[B(G(k)) = 1] | > ε,
   which is non-negligible, so G is not a secure PRG.
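The construction of slides 33–34 (a next-bit predictor A turned into a statistical test B) can be run exactly on a toy generator. The following added example (not part of the original slides) builds the test B from a predictor and computes AdvPRG[B, G] by enumerating all seeds and all random strings, so the probabilities are exact rather than sampled. The two generators are my own constructions: weak_prg repeats an 8-bit seed and is therefore perfectly predictable from position 8 on; hash_prg truncates SHA-256 of the seed and is used only as a contrast that the same predictor does not help against (it is not claimed to be a secure PRG).

```python
"""Turning a next-bit predictor into a statistical test (slides 33-34).

Added example, not from the original slides. Both generators below are
constructed for illustration: weak_prg is trivially predictable, hash_prg
merely has no structure this particular predictor can exploit.
"""
import hashlib
from itertools import product

SEED_BITS = 8
OUT_BITS = 16


def to_bits(data: bytes, n: int) -> tuple:
    """First n bits of data, most significant bit first."""
    return tuple((data[i // 8] >> (7 - i % 8)) & 1 for i in range(n))


def weak_prg(seed: tuple) -> tuple:
    """G(k) = k || k: the second half is a copy of the first."""
    return seed + seed


def hash_prg(seed: tuple) -> tuple:
    """G(k) = first 16 bits of SHA-256(k), as a contrast generator."""
    seed_byte = bytes([int("".join(map(str, seed)), 2)])
    return to_bits(hashlib.sha256(seed_byte).digest(), OUT_BITS)


def predictor(prefix: tuple) -> int:
    """A: given the first i >= SEED_BITS bits, guess bit i+1 to be the bit
    SEED_BITS positions earlier (always right for weak_prg)."""
    return prefix[len(prefix) - SEED_BITS]


def statistical_test_b(x: tuple, i: int) -> int:
    """B from slide 34: output 1 iff A predicts x's (i+1)-th bit, which is
    x[i] with zero-based indexing, from the first i bits."""
    return 1 if predictor(x[:i]) == x[i] else 0


def prob_over_prg(prg, i: int) -> float:
    """Pr[B(G(k)) = 1] with k uniform over all 2^SEED_BITS seeds (exact)."""
    seeds = list(product((0, 1), repeat=SEED_BITS))
    return sum(statistical_test_b(prg(s), i) for s in seeds) / len(seeds)


def prob_over_random(i: int) -> float:
    """Pr[B(r) = 1] with r uniform over {0,1}^OUT_BITS (exact enumeration)."""
    strings = list(product((0, 1), repeat=OUT_BITS))
    return sum(statistical_test_b(r, i) for r in strings) / len(strings)


def adv_prg(prg, i: int) -> float:
    """AdvPRG[B, G] = |Pr[B(r) = 1] - Pr[B(G(k)) = 1]|."""
    return abs(prob_over_random(i) - prob_over_prg(prg, i))


if __name__ == "__main__":
    i = SEED_BITS  # predict the 9th output bit from the first 8
    print("Pr[B(r)=1]        :", prob_over_random(i))        # 0.5
    print("weak_prg advantage:", adv_prg(weak_prg, i))       # 0.5
    print("hash_prg advantage:", adv_prg(hash_prg, i))       # close to 0
```

For weak_prg the predictor is right on every seed, so Pr[B(G(k)) = 1] = 1 while Pr[B(r) = 1] = 1/2 exactly, giving the advantage 1/2 that slide 34 bounds from below by ε. Against hash_prg the same B has an advantage near 0: that says nothing about hash_prg being secure (a different test might do better), only that this predictor does not break it.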
35. Thm (Yao '82): an unpredictable PRG is secure. Let G: K ⟶ {0,1}^n be a PRG. "Thm": if for all i ∈ {0, …, n−1} the PRG G is unpredictable at position i, then G is a secure PRG. (Together with slide 33: a PRG is secure iff it is unpredictable.)
36. Computational indistinguishability. Two distributions P1, P2 over {0,1}^n are computationally indistinguishable, written P1 ≈p P2, if for all "efficient" statistical tests A: | Pr[A(x) = 1 : x ⟵ P1] − Pr[A(x) = 1 : x ⟵ P2] | is negligible. In this language a PRG G is secure iff { k ⟵ K : G(k) } ≈p uniform({0,1}^n).
37. Semantic security was introduced by Shafi Goldwasser and Silvio Micali.
38. The semantic-security game for a cipher (E, D) over (K, M, C):
   Challenger picks b ∈ {0,1} and k ⟵ K.
   Adversary A sends m0, m1 ∈ M with |m0| = |m1|.
   Challenger returns c ⟵ E(k, m_b).
   A outputs a guess b' ∈ {0,1}.
   For b = 0, 1 call this experiment EXP(b).
39. E is semantically secure if for all "efficient" A, AdvSS[A, E] = | Pr[EXP(0) = 1] − Pr[EXP(1) = 1] | is negligible, i.e. { E(k, m0) } ≈p { E(k, m1) }: the adversary cannot tell which of two messages of its own choice was encrypted.
40. Example: a cipher that leaks the least significant bit. Suppose an efficient algorithm can always deduce LSB(m) from E(k, m). Then E is not semantically secure: adversary B (us) chooses m0 with LSB(m0) = 0 and m1 with LSB(m1) = 1, receives c = E(k, m_b), recovers LSB(m_b) = b from c and outputs it. Then
   AdvSS[B, E] = | Pr[EXP(0) = 1] − Pr[EXP(1) = 1] | = |0 − 1| = 1.
41. The one-time pad is semantically secure. In the game c ⟵ k ⊕ m0 or c ⟵ k ⊕ m1 with k ⟵ K uniform; both ciphertexts are uniformly distributed over {0,1}^n, so for all A (even computationally unbounded):
   AdvSS[A, OTP] = | Pr[A(k ⊕ m0) = 1] − Pr[A(k ⊕ m1) = 1] | = 0.
42. Stream ciphers: secure PRG ⇒ semantically secure. Thm: if G: K ⟶ {0,1}^n is a secure PRG, then the stream cipher E(k, m) = m ⊕ G(k) is semantically secure.
43. Proof, step 1 (the game with a truly random pad): the challenger picks b and r ⟵ {0,1}^n; A sends m0, m1 ∈ M with |m0| = |m1|; the challenger returns c ⟵ m_b ⊕ r; A outputs b'. For b = 0, 1 let R_b := [event that b' = 1].
44. Step 2 (the real game): the challenger picks b and k ⟵ K; A sends m0, m1 ∈ M with |m0| = |m1|; the challenger returns c ⟵ m_b ⊕ G(k); A outputs b'. For b = 0, 1 let W_b := [event that b' = 1].
45. Claim 1: | Pr[R0] − Pr[R1] | = AdvSS[A, OTP] = 0.
   Claim 2: ∃B: | Pr[W_b] − Pr[R_b] | = AdvPRG[B, G] for b = 0, 1.
   On the number line from 0 to 1, Pr[W0] and Pr[W1] each lie within AdvPRG[B, G] of the common value Pr[R0] = Pr[R1], hence
   AdvSS[A, E] = | Pr[W0] − Pr[W1] | ≤ 2·AdvPRG[B, G],
   which is negligible because G is a secure PRG.
46. Proof of Claim 2 (case b = 0): ∃B: | Pr[W0] − Pr[R0] | = AdvPRG[B, G]. The PRG adversary B (us) receives y ∈ {0,1}^n (either G(k) or uniform), runs the given SS adversary A to obtain m0, m1, answers A with c ⟵ m0 ⊕ y and outputs A's guess b' ∈ {0,1}. If y = G(k) this is exactly the real game with b = 0, and if y is uniform it is the random-pad game with b = 0, so
   | Pr[W0] − Pr[R0] | = | Pr[B(G(k)) = 1] − Pr[B(r) = 1] | = AdvPRG[B, G].
   The case b = 1 is identical with c ⟵ m1 ⊕ y.
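The semantic-security game of slides 38–41 and the reduction of slides 43–46 can both be evaluated exactly on toy ciphers by enumerating every key and every random pad. The following added example (not part of the original slides) does so for three constructed ciphers over 16-bit messages: a one-time pad (AdvSS = 0, slide 41), a cipher that copies the plaintext's low bit into the ciphertext (AdvSS = 1 with the adversary of slide 40), and a stream cipher built from the trivially weak generator G(k) = k || k with an 8-bit key. For the last one it builds the PRG adversary B of slide 46 from an SS adversary A and checks the bound AdvSS[A, E] ≤ 2·AdvPRG[B, G] of slide 45. The ciphers, adversaries and helper names are my own constructions for illustration.

```python
"""Semantic-security game and the stream-cipher reduction, evaluated
exactly over toy parameters (slides 38-46).

Added example, not from the original slides. All ciphers and adversaries
are constructed toys; probabilities are exact because every key and every
random pad is enumerated.
"""
from fractions import Fraction
from itertools import product

N = 16          # message / ciphertext length in bits
SEED = 8        # stream-cipher key length in bits


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def all_bits(n):
    return list(product((0, 1), repeat=n))


# --- ciphers: encrypt(k, m) -> c ----------------------------------------
def otp(k, m):
    return xor(k, m)


def leaky(k, m):
    """Like OTP but copies the plaintext's least significant bit into c."""
    c = xor(k, m)
    return c[:-1] + (m[-1],)


def weak_prg(k):
    return k + k                      # G(k) = k || k, 8 -> 16 bits


def stream(k, m):
    return xor(weak_prg(k), m)        # E(k, m) = m xor G(k)


# --- adversaries: return (m0, m1, guess) with guess(c) -> b' --------------
def lsb_adversary():
    """Slide 40: LSB(m0) = 0, LSB(m1) = 1; guess b = LSB(c)."""
    m0, m1 = (0,) * N, (0,) * (N - 1) + (1,)
    return m0, m1, lambda c: c[-1]


def halves_adversary():
    """Against G(k) = k||k: with m0 = 0^16 the halves of c are equal, with
    m1 = 0^8 1^8 they are complementary. Guess 0 iff the halves match."""
    m0, m1 = (0,) * N, (0,) * SEED + (1,) * SEED
    return m0, m1, lambda c: 0 if c[:SEED] == c[SEED:] else 1


def adv_ss(encrypt, key_bits, adversary):
    """AdvSS[A, E] = |Pr[EXP(0)=1] - Pr[EXP(1)=1]|, k uniform over keys."""
    m0, m1, guess = adversary()
    keys = all_bits(key_bits)
    p = [Fraction(sum(guess(encrypt(k, m)) for k in keys), len(keys))
         for m in (m0, m1)]
    return abs(p[0] - p[1])


def prg_adversary_from_ss(adversary, b):
    """Slide 46: B(y) runs A, sends c = m_b xor y, returns A's guess."""
    m0, m1, guess = adversary()
    mb = (m0, m1)[b]
    return lambda y: guess(xor(mb, y))


def adv_prg(prg, seed_bits, test):
    """AdvPRG[B, G] = |Pr[B(G(k))=1] - Pr[B(r)=1]|, exact enumeration."""
    seeds, rands = all_bits(seed_bits), all_bits(N)
    p_g = Fraction(sum(test(prg(k)) for k in seeds), len(seeds))
    p_r = Fraction(sum(test(r) for r in rands), len(rands))
    return abs(p_g - p_r)


def stream_cipher_bound_holds():
    """Slide 45: AdvSS[A, E] <= 2 * AdvPRG[B, G] for the halves adversary.
    Returns (AdvSS, max AdvPRG over b = 0, 1, bound satisfied?)."""
    ss = adv_ss(stream, SEED, halves_adversary)
    prg = max(adv_prg(weak_prg, SEED, prg_adversary_from_ss(halves_adversary, b))
              for b in (0, 1))
    return ss, prg, ss <= 2 * prg


if __name__ == "__main__":
    print("AdvSS OTP / LSB adversary   :", adv_ss(otp, N, lsb_adversary))      # 0
    print("AdvSS leaky / LSB adversary :", adv_ss(leaky, N, lsb_adversary))    # 1
    print("AdvSS, AdvPRG, bound holds  :", stream_cipher_bound_holds())
```

With the weak generator the halves adversary wins the SS game outright (AdvSS = 1), and the B derived from it with b = 0 distinguishes G(k) from random with advantage 255/256: on y = G(k) the halves always match, on uniform y they match only with probability 1/256. That is Claim 2 made concrete, and 1 ≤ 2·255/256 is the bound of slide 45. Read in the other direction, as the slides do: if no efficient B could get non-negligible AdvPRG, no efficient A could get non-negligible AdvSS.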
47. Real-world stream ciphers
48. RC4 (Ronald L. Rivest, 1987), key scheduling (KSA): initialise a 256-byte state S from the key K of keylen bytes.
   For i = 0 to 255 do S[i] = i;
   For i = 0 to 255 do T[i] = K[i mod keylen];
   j = 0;
   For i = 0 to 255 do
   Begin
     j = (j + S[i] + T[i]) mod 256;
     swap(S[i], S[j]);
   End
49. RC4 keystream generation (PRGA): one keystream byte ks per round, XORed with the next plaintext byte.
   i, j = 0;
   While (true) do
   Begin
     i = (i + 1) mod 256;
     j = (j + S[i]) mod 256;
     swap(S[i], S[j]);
     t = (S[i] + S[j]) mod 256;
     ks = S[t];
   End
50. RC4 parameters: an internal state of 256 bytes = 2048 bits, seeded from a 128-bit key, producing 1 byte of keystream per round. RC4 is shown as the classic example, not as a cipher to deploy: its keystream is biased (the first bytes especially), and RFC 7465 prohibits RC4 cipher suites in TLS.
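The KSA and PRGA of slides 48–49, written out as runnable code. This is an added example, not code from the original slides: it follows the pseudocode line by line and checks the result against the widely published RC4 test vector for key "Key" and plaintext "Plaintext" (ciphertext bbf316e8d940af0ad3). Function names are my own.

```python
"""RC4 key scheduling and keystream generation (slides 48-49).

Added example, not from the original slides. Implements the KSA and PRGA
exactly as the pseudocode shows; encryption and decryption are the same
operation, c = m xor keystream, as for any stream cipher.
"""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S = [0..255] under the key.
    T[i] = K[i mod keylen] repeats the key across the 256 positions."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    t = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes):
    """Pseudo-random generation algorithm: yields one keystream byte per
    round, updating the state S in place exactly as on slide 49."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]


def rc4_keystream_bytes(key: bytes, n: int) -> bytes:
    """First n keystream bytes for a key (useful for test vectors)."""
    ks = rc4_keystream(key)
    return bytes(next(ks) for _ in range(n))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


if __name__ == "__main__":
    c = rc4_crypt(b"Key", b"Plaintext")
    print(c.hex())                           # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", c))              # b'Plaintext'
```

Because the keystream depends only on the key, encrypting two messages under the same key gives c1 ⊕ c2 = m1 ⊕ m2, the same failure as reusing a one-time pad; the generator in a stream cipher replaces the pad but not the "one-time" requirement.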
51–52. (image-only slides, no text)