Cryptography CS 555. Topic 5: Pseudorandomness and Stream Ciphers. CS555 Spring 2012/Topic 5 1


Outline and Readings

Outline:
- Stream ciphers
- LFSR
- RC4
- Pseudorandomness

Readings: Katz and Lindell: 3.3, 3.4.1

Stream Ciphers

- In the One-Time Pad, the key is a random string at least as long as the message.
- Stream ciphers: the idea is to replace "random" by "pseudorandom".
- Use a Pseudo Random (Number) Generator G: {0,1}^s -> {0,1}^n to expand a short (e.g., 128-bit) random seed into a long (e.g., 10^6-bit) string that looks random.
- The secret key is the seed.
- Naive encryption: E_key[M] = M ⊕ G(key).
- To encrypt more than one message, one needs to be more sophisticated.

Linear Feedback Shift Register (LFSR)

Example: a 4-stage register with initial contents 1 0 0 0.
Starting with 1000, the output stream is 1000 1001 1010 1111 000 ...
It repeats every 2^4 - 1 = 15 bits.
The seed is the key.

Linear Feedback Shift Register (LFSR)

Example (the register has stages 0, 1, 2, 3; stage 0 holds the oldest bit z_{i-4}):
  z_i = z_{i-4} + z_{i-3} mod 2
      = 0·z_{i-1} + 0·z_{i-2} + 1·z_{i-3} + 1·z_{i-4} mod 2
We say that stages 0 and 1 are selected.

Properties of LFSR

- Fact: given an L-stage LFSR, every output sequence is periodic if and only if stage 0 is selected.
- Definition: an L-stage LFSR is maximum-length if some initial state results in a sequence that repeats every 2^L - 1 bits.
- Whether an LFSR is maximum-length or not depends on which stages are selected.
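As an added illustration (not part of the course slides), the following Python simulates the 4-stage register from the example and checks the two properties stated above: the period of the output sequence, whether that sequence is purely periodic (it is not when stage 0 is left out), and a maximum-length test over all nonzero initial states. The stage-numbering convention (stage 0 holds the oldest bit z_{i-L}), the function names and the second tap choice (stages 0 and 2) are my assumptions; only the taps (0, 1) and the seed 1000 come from the slides.

```python
from itertools import product


def lfsr_stream(taps, seed, nbits):
    """Run an L-stage LFSR. Stage t holds z_{i-L+t}, so stage 0 is the oldest bit;
    taps lists the selected stages. seed is the initial register contents z_0 .. z_{L-1}."""
    L = len(seed)
    z = list(seed)
    while len(z) < nbits:
        i = len(z)
        z.append(sum(z[i - L + t] for t in taps) % 2)
    return z[:nbits]


def period(taps, seed):
    """Return (period, purely_periodic). Walk the register states until one repeats; the
    output sequence is purely periodic only if the state that repeats is the initial one."""
    seen = {}
    state = tuple(seed)
    step = 0
    while state not in seen:
        seen[state] = step
        new_bit = sum(state[t] for t in taps) % 2
        state = state[1:] + (new_bit,)   # shift left, new bit enters at the newest stage
        step += 1
    return step - seen[state], seen[state] == 0


def is_maximum_length(taps, L):
    """Slide 6: an L-stage LFSR is maximum-length if some initial state has period 2^L - 1."""
    return any(period(taps, seed)[0] == 2 ** L - 1
               for seed in product((0, 1), repeat=L) if any(seed))


if __name__ == "__main__":
    taps, seed = (0, 1), [1, 0, 0, 0]                 # the slides' example
    print("".join(map(str, lfsr_stream(taps, seed, 19))))   # 1000100110101111000
    print(period(taps, seed))                          # (15, True)
    print(is_maximum_length(taps, 4))                  # True
    print(period((0, 2), seed), is_maximum_length((0, 2), 4))   # (6, True) False
    print(period((1, 2), seed))                        # (1, False): stage 0 not selected
```

With stages (1, 2) the register from seed 1000 collapses to all zeros after one step, so the output 1000... is eventually constant but never returns to its first bit, which is the "if and only if stage 0 is selected" fact in action.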

Cryptanalysis of LFSR

- Vulnerable to a known-plaintext attack.
- An LFSR can be described as z_{m+i} = sum_{j=0}^{m-1} c_j z_{i+j} mod 2.
- Knowing 2m output bits, one can construct m linear equations in the m unknowns c_0, ..., c_{m-1} and recover c_0, ..., c_{m-1}.

Cryptanalysis of LFSR

Given a 4-stage LFSR, we know
  z_4 = z_3 c_3 + z_2 c_2 + z_1 c_1 + z_0 c_0 mod 2
  z_5 = z_4 c_3 + z_3 c_2 + z_2 c_1 + z_1 c_0 mod 2
  z_6 = z_5 c_3 + z_4 c_2 + z_3 c_1 + z_2 c_0 mod 2
  z_7 = z_6 c_3 + z_5 c_2 + z_4 c_1 + z_3 c_0 mod 2
Knowing z_0, z_1, ..., z_7, one can compute c_0, c_1, c_2, c_3.
In general, knowing 2n output bits, one can solve an n-stage LFSR.
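The recovery described on the last two slides, implemented as an added example (not the course's code): given 2n consecutive keystream bits of an n-stage LFSR, it sets up the n equations above, solves them by Gauss-Jordan elimination over GF(2), and confirms the result by predicting the rest of the stream. This is the reason the recap slide says such generators must not be used for cryptographic purposes. The small lfsr_stream helper, the function names and the treatment of a singular system (returning None, meaning a different window of bits is needed) are my additions.

```python
def lfsr_stream(taps, seed, nbits):
    """Generate nbits of the slides' LFSR; stage t holds z_{i-L+t}, taps are the selected stages."""
    L = len(seed)
    z = list(seed)
    while len(z) < nbits:
        i = len(z)
        z.append(sum(z[i - L + t] for t in taps) % 2)
    return z[:nbits]


def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination over GF(2). Returns the unique solution, or None if singular."""
    n = len(rows)
    A = [list(r) + [b] for r, b in zip(rows, rhs)]      # augmented matrix
    for col in range(n):
        piv = next((k for k in range(col, n) if A[k][col]), None)
        if piv is None:
            return None                                  # no pivot: equations are dependent
        A[col], A[piv] = A[piv], A[col]
        for k in range(n):
            if k != col and A[k][col]:
                A[k] = [x ^ y for x, y in zip(A[k], A[col])]   # row addition mod 2
    return [A[i][n] for i in range(n)]


def recover_coefficients(z, n):
    """Slide 8: from 2n consecutive output bits z_0..z_{2n-1}, solve the n equations
    z_{n+i} = sum_j c_j z_{i+j} (mod 2), i = 0..n-1, for the feedback coefficients c_0..c_{n-1}."""
    if len(z) < 2 * n:
        raise ValueError("need at least 2n output bits")
    rows = [z[i:i + n] for i in range(n)]
    rhs = [z[n + i] for i in range(n)]
    return solve_gf2(rows, rhs)


def predict(z, coeffs, nbits):
    """Continue the known bits with the recovered recurrence; agreement with the real
    stream confirms that the recovered coefficients (i.e. the selected stages) are right."""
    n = len(coeffs)
    out = list(z)
    while len(out) < nbits:
        i = len(out)
        out.append(sum(c * out[i - n + j] for j, c in enumerate(coeffs)) % 2)
    return out


if __name__ == "__main__":
    stream = lfsr_stream((0, 1), [1, 0, 0, 0], 19)      # the slides' example register
    coeffs = recover_coefficients(stream[:8], 4)        # only 2n = 8 bits are used
    print("recovered c_0..c_3:", coeffs)                 # [1, 1, 0, 0] -> stages 0 and 1 selected
    print("prediction matches:", predict(stream[:8], coeffs, 19) == stream)
    print("all-zero window:", recover_coefficients([0] * 8, 4))   # None: singular system
```

Eight known bits are enough here because the 4x4 system built from a maximum-length sequence is nonsingular; the all-zero window shows the degenerate case where the equations carry no information.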

The RC4 Stream Cipher

- A proprietary cipher owned by RSA, designed by Ron Rivest in 1987. Became public in 1994.
- Simple and effective design.
- Variable key size (typically 40 to 256 bits); outputs an unbounded number of bytes.
- Widely used (web SSL/TLS, wireless WEP).
- Extensively studied; not a completely secure PRNG, but when used correctly, no known attacks exist.

The RC4 Cipher: Encryption

The cipher's internal state consists of:
- a 256-byte array S, which contains a permutation of 0 to 255 (the total number of possible states is 256! ≈ 2^1700);
- two indexes i, j.

  i = j = 0
  Loop
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap(S[i], S[j])
    output S[(S[i] + S[j]) mod 256]
  End Loop

RC4 Initialization

Generate the initial permutation from a key k; the maximum key length is 2048 bits.
First divide k into L bytes. Then:

  for i = 0 to 255 do
    S[i] = i
  j = 0
  for i = 0 to 255 do
    j = (j + S[i] + k[i mod L]) mod 256
    swap(S[i], S[j])
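An added Python implementation of the two RC4 procedures above (my code, not the course's), together with the naive stream encryption E_key[M] = M ⊕ G(key) from the Stream Ciphers slide and a check of why one seed must not encrypt two messages. Assumptions: the key is supplied as bytes, the PRGA emits S[(S[i] + S[j]) mod 256] per byte (the standard RC4 output), and the function names are mine. The expected values in the comments are the commonly published RC4 test vectors.

```python
def rc4_ksa(key: bytes) -> list:
    """Key scheduling (slide 11): start from the identity permutation, then mix in the key bytes."""
    L = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % L]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Pseudorandom generation (slide 10): walk the permutation and emit one byte per step."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Naive stream encryption from slide 3: E_key[M] = M xor G(key). Decryption is the same call."""
    return bytes(m ^ k for m, k in zip(data, rc4_keystream(key, len(data))))


def keystream_reuse_leaks(key: bytes, m0: bytes, m1: bytes) -> bool:
    """Why the same seed cannot encrypt two messages: with a reused keystream, C0 xor C1 equals
    M0 xor M1, so the key drops out and the relation between the plaintexts is exposed."""
    c0, c1 = rc4_crypt(key, m0), rc4_crypt(key, m1)
    return bytes(a ^ b for a, b in zip(c0, c1)) == bytes(a ^ b for a, b in zip(m0, m1))


if __name__ == "__main__":
    print(rc4_keystream(b"Key", 10).hex())           # eb9f7781b734ca72a719
    print(rc4_crypt(b"Key", b"Plaintext").hex())     # bbf316e8d940af0ad3
    print(rc4_crypt(b"Wiki", b"pedia").hex())        # 1021bf0420
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(rc4_crypt(b"Key", ct))                     # b'Plaintext'
    print(keystream_reuse_leaks(b"Key", b"Plaintext", b"Plainmeal"))   # True
```

Because the cipher is XOR with G(key), a receiver decrypts by running the same function; the last line is the reason the slides say that encrypting more than one message under one seed needs a more sophisticated construction.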

Randomness and Pseudorandomness

- For a stream cipher (PRNG) to be good, its output needs to be pseudorandom.
- "Random" is not a property of one string: is 000000 less random than 011001?
- "Random" is a property of a distribution, or of a random variable drawn from the distribution.
- Similarly, "pseudorandom" is a property of a distribution.
- We say that a distribution D over strings of length l is pseudorandom if it is indistinguishable from the random (uniform) distribution.
- We use "random string" and "pseudorandom string" as shorthands.

Distinguisher

A distinguisher D for two distributions works as follows:
- D is given one string sampled from one of the two distributions.
- D tries to guess which distribution it came from.
- D succeeds if it guesses correctly.

How would one distinguish a random binary string of 256 bits from one generated by RC4 with a 128-bit seed?

Pseudorandom Generator Definition (Asymptotic version)

Definition 3.14. We say an algorithm G, which on input of length n outputs a string of length l(n), is a pseudorandom generator if
1. For every n, l(n) > n.
2. For each PPT distinguisher D, there exists a negligible function negl such that
     | Pr[D(r) = 1] - Pr[D(G(s)) = 1] | <= negl(n),
   where r is chosen uniformly at random from {0,1}^{l(n)} and s is chosen uniformly at random from {0,1}^n.

Security of Using a Stream Cipher for Encryption

Consider the construction that uses G(k) ⊕ m as the encryption of m.
Theorem 3.16. If G is a pseudorandom generator, then this construction has indistinguishable encryptions in the presence of an eavesdropper.
Proof idea?

Proof of Theorem 3.16

If the construction does not have indistinguishable encryptions in the presence of an eavesdropper, then there exists an adversary A that breaks it with non-negligible probability; we construct a distinguisher D as follows:
- D is given a string w.
- D picks b uniformly from {0,1} and runs A, which outputs two messages M_0, M_1.
- D computes C = w ⊕ M_b and gives C to A, which outputs a guess b'.
- D outputs 1 if b = b', and 0 otherwise.

A Bit More Details on the Proof

Let ε(n) be Pr[PrivK^eav_A = 1] - 1/2. Then
  | Pr[D(r) = 1] - Pr[D(G(s)) = 1] | = | 1/2 - Pr[PrivK^eav_A = 1] | = |ε(n)|,
because when w is uniform the ciphertext C = w ⊕ M_b is a one-time pad and A guesses b with probability exactly 1/2, while when w = G(s) the interaction is exactly the experiment PrivK^eav_A.
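Definition 3.14, the distinguisher slide and the proof of Theorem 3.16 worked through in an added Python example (my code, not the course's), with toy parameters small enough to enumerate every probability exactly: n = 4, l(n) = 8 and G = the slides' 4-stage LFSR. It computes the exact advantage of two distinguishers (one that checks the public LFSR recurrence, one that brute-forces the seed), then builds a constructed adversary A against the encryption G(k) ⊕ m and the distinguisher D from the proof, and checks that D's advantage is |1/2 - Pr[PrivK^eav_A = 1]| as on the last slide. All function and class names, the toy sizes and the adversary's choice of messages are my assumptions.

```python
from fractions import Fraction
from itertools import product

# Toy parameters, constructed so that every probability below can be enumerated exactly.
N = 4   # seed length n
L = 8   # output length l(n) = 2n > n, as Definition 3.14 requires


def bits(k):
    """All k-bit strings, as tuples of 0/1."""
    return product((0, 1), repeat=k)


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def lfsr_prg(seed):
    """G: {0,1}^4 -> {0,1}^8, the slides' 4-stage LFSR with z_i = z_{i-4} + z_{i-3} mod 2."""
    z = list(seed)
    while len(z) < L:
        z.append((z[-4] + z[-3]) % 2)
    return tuple(z)


def recurrence_distinguisher(w):
    """D that knows the (public) generator: output 1 iff w obeys the LFSR recurrence."""
    return int(all(w[i] == (w[i - 4] + w[i - 3]) % 2 for i in range(4, L)))


def brute_force_distinguisher(w, G=lfsr_prg):
    """Generic D: output 1 iff some seed produces w. Works against any G, but costs 2^n calls
    of G, which is why Definition 3.14 quantifies only over PPT distinguishers."""
    return int(any(G(s) == tuple(w) for s in bits(N)))


def prg_advantage(G, D):
    """Exact |Pr[D(r)=1] - Pr[D(G(s))=1]| for r uniform on {0,1}^l and s uniform on {0,1}^n.
    D may return 0/1, or (for a randomized D) its probability of outputting 1 as a Fraction."""
    p_rand = Fraction(sum(D(r) for r in bits(L)), 2 ** L)
    p_prg = Fraction(sum(D(G(s)) for s in bits(N)), 2 ** N)
    return abs(p_rand - p_prg)


class LinearAdversary:
    """Constructed eavesdropper against Enc_k(m) = G(k) xor m with G = lfsr_prg.
    M_0 obeys the LFSR recurrence and M_1 violates it; G(k) always obeys it, and the XOR of
    two solutions of a linear recurrence is again a solution, so C obeys it iff b = 0."""

    def choose(self):
        return (0,) * 8, (0,) * 7 + (1,)   # M_0 = 00000000, M_1 = 00000001

    def guess(self, C):
        return 0 if recurrence_distinguisher(C) else 1


def privk_eav_success(A, G):
    """Exact Pr[PrivK^eav_A = 1] over a uniform key k in {0,1}^n and a uniform bit b."""
    wins = 0
    for k in bits(N):
        M = A.choose()
        for b in (0, 1):
            wins += int(A.guess(xor(G(k), M[b])) == b)
    return Fraction(wins, 2 * 2 ** N)


def distinguisher_from_adversary(A):
    """The D of the proof: on input w, pick b, hand A the ciphertext w xor M_b, output 1 iff A
    guesses b. Instead of sampling b, D reports its exact probability of outputting 1."""
    def D(w):
        M = A.choose()
        return Fraction(sum(int(A.guess(xor(w, M[b])) == b) for b in (0, 1)), 2)
    return D


if __name__ == "__main__":
    print("recurrence-check advantage:", prg_advantage(lfsr_prg, recurrence_distinguisher))  # 15/16
    print("brute-force advantage:     ", prg_advantage(lfsr_prg, brute_force_distinguisher)) # 15/16
    A = LinearAdversary()
    print("eps(n) = Pr[PrivK=1] - 1/2:", privk_eav_success(A, lfsr_prg) - Fraction(1, 2))    # 1/2
    print("advantage of D built from A:", prg_advantage(lfsr_prg, distinguisher_from_adversary(A)))  # 1/2
```

Both distinguishers reach advantage 15/16 here because the image of this G is exactly the set of 8-bit strings obeying the recurrence; the recurrence check does it in linear time, the brute-force one in 2^n evaluations, which for the 128-bit RC4 seed asked about on the Distinguisher slide is out of reach. The D built from A has advantage 1/2 = |1/2 - 1|, matching the equation on the slide above: with a uniform w, A's guess is right exactly half the time, and with w = G(s) it is always right.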

Recap of Pseudo Random Generators

- Useful for cryptography and for simulation: stream ciphers, generating session keys.
- The same seed always gives the same output stream.
- Simulation requires uniformly distributed sequences, e.g., ones having a number of statistical properties.
- Definition 3.14 is equivalent to requiring unpredictable sequences, i.e., ones that satisfy the "next-bit test": given a consecutive sequence of output bits (but not the seed), the next bit must be hard to predict.
- Some PRNGs are weak: knowing an output sequence of sufficient length, one can recover the key. Do not use these for cryptographic purposes.

Coming Attractions

Number Theory Basics
Reading: Katz & Lindell: 7.1