chap 567 new
Post on 06-Apr-2018
8/3/2019 Chap 567 New
PRNG, Stream and Block Cipher
Feb. 15, 2002
-
Index
Pseudo Random Number Generator
  Random bit generation
  Pseudorandom bit generation
  Statistical tests
  Cryptographically secure pseudorandom bit generation
Stream Cipher
  Feedback shift registers
  Stream ciphers based on LFSRs
  Other stream ciphers
Block Cipher
  Introduction
  Modes of Operation
  etc
-
Introduction
RBG: a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.
An RBG can be used to generate random numbers.
Example: a random integer in the interval [0, n]
  generate a random bit sequence of length ⌊lg n⌋ + 1 and convert it to an integer;
  if the resulting integer exceeds n, discard it and generate a new sequence.
PRBG
  Given a truly random sequence of length k, deterministically outputs a sequence of length l >> k which appears to be random.
  The input to the PRBG is called the seed; the output of the PRBG is not random.
  The intention is that an adversary cannot efficiently distinguish between output sequences of the PRBG and truly random sequences of length l.
-
Introduction (contd.)
An LCG (linear congruential generator) produces a pseudorandom sequence of numbers x_1, x_2, x_3, ...
according to the linear recurrence x_n = a·x_{n−1} + b mod m, n ≥ 1;
a, b and m are parameters which characterize the generator, and x_0 is the (secret) seed.
Given a partial output sequence, the remainder of the sequence can be reconstructed even if the parameters a, b and m are unknown.
Unix random
Definitions
  Passes all polynomial-time statistical tests if no polynomial-time algorithm can distinguish between an output sequence and a truly random sequence of the same length with probability significantly greater than
  Passes the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits, can predict the (l+1)st bit with probability significantly greater than
A PRBG that passes the next-bit test is called a CSPRBG.
-
Random Bit Generation
Hardware-based
  elapsed time between emission of particles during radioactive decay;
  thermal noise from a semiconductor diode or resistor;
  the frequency instability of a free-running oscillator;
  air turbulence within a disk drive, which causes random fluctuations in drive sector read latency times;
  sound from a microphone or video input from a camera.
Software-based
  the system clock;
  elapsed time between keystrokes or mouse movements;
  content of input/output buffers;
  user input;
  operating system values such as system load and network statistics.
-
Random Bit Generation (contd)
De-skewing
  A natural source of random bits may be defective in that the output bits may be biased or correlated.
  De-skewing: techniques for generating truly random bit sequences from the output bits of such a defective generator.
Techniques
  Suppose that a generator produces biased but uncorrelated bits.
  Suppose that the probability of a 1 is p, where p is unknown but fixed, 0 < p
-
Pseudo Random Bit Generation
ANSI X9.17 generator
INPUT: m, a random seed s, a Triple-DES encryption key k.
OUTPUT: m pseudorandom 64-bit strings x_1, x_2, ..., x_m
1. Compute the intermediate value I = E_k(D), where D is a 64-bit date/time to as fine a resolution as is available.
2. For i from 1 to m do the following:
   1. x_i ← E_k(I ⊕ s).
   2. s ← E_k(x_i ⊕ I).
3. Return (x_1, x_2, ..., x_m).
More generators: FIPS 186 for DSA
-
Statistical Test
Why: it is impossible to give a mathematical proof that a generator is indeed a random bit generator; the tests help detect certain kinds of weaknesses the generator may have.
This is accomplished by taking a sample output sequence of the generator and subjecting it to various statistical tests.
The term "accepted" should be replaced by "not rejected".
Five Basic Tests (using chi-square analysis)
  Frequency test: number of 0s and 1s
  Serial test: number of 00, 01, 10, 11
  Poker-k test: number of each k-bit string
  Run test: comparing with the expected run lengths
  Autocorrelation test: correlations between s and a shifted version of s
-
FIPS 140-1 statistical tests for randomness
A single bit string s of length 20000 bits, output from a generator, is subjected to each of the following tests. If any of the tests fail, then the generator fails the test.
(i) monobit test. The number n_1 of 1s in s should satisfy 9654 < n_1 < 10346.
(ii) poker test. The statistic X_3 defined by equation (5.3) is computed for m = 4. The poker test is passed if 1.3
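As an added example (not from the slides), the following Python runs the FIPS 140-1 battery over a 20000-bit string: the monobit and poker (m = 4) tests listed above, plus the runs and long-run tests that complete the standard's set. The poker interval 1.03 < X_3 < 57.4, the runs intervals and the long-run threshold of 34 are quoted from FIPS 140-1 itself, not from the slides; the poker statistic is X_3 = (2^m/k)·Σ n_i² − k with k = 5000 blocks. The three input sequences are constructed, deliberately defective ones, so each shows which test catches which defect.

```python
from typing import Dict, List

SEQ_LEN = 20000  # FIPS 140-1 examines a single 20000-bit output string s

# Runs test intervals for run lengths 1..6 (runs of length >= 6 are lumped together).
# These, the poker interval and the long-run bound are the FIPS 140-1 values, quoted
# from the standard rather than from the slides.
RUN_INTERVALS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
                 4: (223, 402), 5: (90, 223), 6: (90, 223)}


def monobit_test(bits: List[int]) -> Dict[str, object]:
    """(i) The number n1 of ones must satisfy 9654 < n1 < 10346."""
    n1 = sum(bits)
    return {"n1": n1, "pass": 9654 < n1 < 10346}


def poker_test(bits: List[int], m: int = 4) -> Dict[str, object]:
    """(ii) Split s into k = len/m non-overlapping m-bit blocks, count the occurrences
    n_i of each of the 2^m patterns and compute X3 = (2^m / k) * sum(n_i^2) - k."""
    k = len(bits) // m
    counts = [0] * (1 << m)
    for i in range(k):
        value = 0
        for b in bits[i * m:(i + 1) * m]:
            value = (value << 1) | b
        counts[value] += 1
    x3 = (2 ** m / k) * sum(c * c for c in counts) - k
    return {"X3": x3, "pass": 1.03 < x3 < 57.4}


def _runs(bits: List[int]):
    """Yield (bit value, length) for every maximal run of identical bits."""
    start = 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] != bits[start]:
            yield bits[start], i - start
            start = i


def runs_test(bits: List[int]) -> Dict[str, object]:
    """(iii) runs test: the number of runs of each length, counted separately for
    zeros and ones, must fall in RUN_INTERVALS; (iv) long-run test: no run of >= 34."""
    counts = {b: {n: 0 for n in range(1, 7)} for b in (0, 1)}
    longest = 0
    for b, length in _runs(bits):
        counts[b][min(length, 6)] += 1
        longest = max(longest, length)
    runs_ok = all(lo <= counts[b][n] <= hi
                  for b in (0, 1) for n, (lo, hi) in RUN_INTERVALS.items())
    return {"counts": counts, "pass": runs_ok,
            "longest": longest, "long_run_pass": longest < 34}


def fips_140_1(bits: List[int]) -> Dict[str, object]:
    """Run all four tests; the generator fails if any single test fails."""
    if len(bits) != SEQ_LEN:
        raise ValueError(f"expected {SEQ_LEN} bits, got {len(bits)}")
    mono, poker, runs = monobit_test(bits), poker_test(bits), runs_test(bits)
    overall = mono["pass"] and poker["pass"] and runs["pass"] and runs["long_run_pass"]
    return {"monobit": mono, "poker": poker, "runs": runs, "overall": overall}


# Constructed degenerate sequences: each has obvious structure that at least one test catches.
ALL_ZERO = [0] * SEQ_LEN                                   # fails monobit and long run
ALTERNATING = [0, 1] * (SEQ_LEN // 2)                      # passes monobit, fails poker and runs
HALF_AND_HALF = [1] * (SEQ_LEN // 2) + [0] * (SEQ_LEN // 2)  # passes monobit, fails poker and long run

if __name__ == "__main__":
    for name, seq in [("all zero", ALL_ZERO), ("alternating", ALTERNATING),
                      ("half/half", HALF_AND_HALF)]:
        r = fips_140_1(seq)
        print(f"{name:12s} n1={r['monobit']['n1']:5d} X3={r['poker']['X3']:9.1f} "
              f"longest run={r['runs']['longest']:5d} overall={'pass' if r['overall'] else 'FAIL'}")
```

Note that a balanced bit count is not enough: the alternating string passes the monobit test with n_1 = 10000 exactly, yet its poker statistic is 75000, far outside the interval, which is the point of using several tests together.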
-
Statistical test (contd)
Maurer's universal statistical test
  The basic idea is that it should not be possible to significantly compress the output sequence of an RBG.
  Thus, if a sample output sequence s of a bit generator can be significantly compressed, the generator should be rejected.
  The universality arises because it is able to detect any one of a very general class of possible defects a bit generator might have.
  A drawback over the five basic tests is that it requires a much longer sample output sequence in order to be effective.
  A two-sided test, used with a significance level between 0.001 and 0.01
-
CSPRBG (RSA)
Basic Algorithm
Setup: primes p, q, n = pq and φ = (p−1)(q−1); select e with 1 < e < φ, gcd(e, φ) = 1
1. Select a random integer x_0 (the seed) in the interval [1, n−1].
2. For i from 1 to l do the following:
   1. x_i ← x_{i−1}^e mod n.
   2. z_i ← the least significant bit of x_i.
3. The output sequence is z_1, z_2, ..., z_l.
Efficiency
  If e = 3, then generating z_i requires one modular multiplication and one squaring.
  Improved by extracting the j least significant bits of x_i (j = c lg lg n).
  If n is sufficiently large, this generator is cryptographically secure.
  For fixed n, the explicit range of values of c under the intractability of the RSA problem has not been determined.
-
Micali-Schnorr
Setup: primes p, q, n = pq and φ = (p−1)(q−1); e with 1 < e < φ, gcd(e, φ) = 1; N = bit length of n, 80e ≤ N; k = ⌊N(1 − 2/e)⌋, r = N − k
1. Select a random integer x_0 (the seed) of bit length r.
2. Generate a sequence of length k·l: For i from 1 to l do the following:
   1. y_i ← x_{i−1}^e mod n.
   2. x_i ← the r most significant bits of y_i.
   3. z_i ← the k least significant bits of y_i.
3. The output sequence is z_1 || z_2 || ... || z_l.
Properties
  Efficiency: a ⌊N(1 − 2/e)⌋-bit sequence is generated per exponentiation.
  Secure under the assumption that the distribution of x^e mod n for random r-bit sequences x is indistinguishable by all polynomial-time statistical tests from the uniform distribution of integers in the interval [0, n−1].
  This is a stronger assumption than the RSA problem.
-
Blum-Blum-Shub(BBS) PRBG
Basic Algorithm
Setup: primes p, q ≡ 3 (mod 4), n = pq
1. Select a random integer s (the seed) in [1, n−1] such that gcd(s, n) = 1, and compute x_0 ← s^2 mod n.
2. For i from 1 to l do the following:
   1. x_i ← x_{i−1}^2 mod n.
   2. z_i ← the least significant bit of x_i.
3. The output sequence is z_1, z_2, ..., z_l.
Efficiency
  One modular squaring.
  Improved by extracting the j least significant bits of x_i (j = c lg lg n).
  If n is sufficiently large, this generator is cryptographically secure.
  For fixed n, the explicit range of values of c under the intractability of the factoring problem has not been determined.
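An added example, not from the slides: a Python implementation of both the RSA generator of the earlier slide and the Blum-Blum-Shub generator given here, with the parameter checks their setups require and the optional extraction of the j least significant bits of each x_i. The primes p = 11, q = 19, the exponent e = 7 and the seeds are constructed toy values chosen so the intermediate x_i can be checked by hand; a real instance needs n of cryptographic size, as the slide's "if n is sufficiently large" says.

```python
from math import gcd
from typing import List, Tuple


def _low_bits(x: int, j: int) -> List[int]:
    """The j least significant bits of x, most significant of the j first."""
    return [(x >> k) & 1 for k in range(j - 1, -1, -1)]


def rsa_generator(p: int, q: int, e: int, x0: int, l: int, j: int = 1) -> Tuple[List[int], List[int]]:
    """RSA generator: x_i = x_{i-1}^e mod n, output the j low bits of each x_i.
    Returns (x_1..x_l, output bit sequence)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q or not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need distinct primes and 1 < e < phi(n) with gcd(e, phi(n)) = 1")
    if not 1 <= x0 <= n - 1:
        raise ValueError("seed x0 must lie in [1, n-1]")
    xs, bits, x = [], [], x0
    for _ in range(l):
        x = pow(x, e, n)              # one modular exponentiation per step
        xs.append(x)
        bits.extend(_low_bits(x, j))
    return xs, bits


def bbs_generator(p: int, q: int, s: int, l: int, j: int = 1) -> Tuple[List[int], List[int]]:
    """Blum-Blum-Shub: p, q = 3 (mod 4), x_0 = s^2 mod n, x_i = x_{i-1}^2 mod n.
    Returns (x_1..x_l, output bit sequence)."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    n = p * q
    if not (1 <= s <= n - 1 and gcd(s, n) == 1):
        raise ValueError("seed s must lie in [1, n-1] with gcd(s, n) = 1")
    xs, bits, x = [], [], pow(s, 2, n)   # x_0
    for _ in range(l):
        x = pow(x, 2, n)              # one modular squaring per step
        xs.append(x)
        bits.extend(_low_bits(x, j))
    return xs, bits


if __name__ == "__main__":
    # Constructed toy parameters for illustration only (n = 209 is trivially factored).
    p, q = 11, 19
    print("RSA generator, e=7, x0=3:", rsa_generator(p, q, 7, 3, 10))
    print("BBS generator, s=3      :", bbs_generator(p, q, 3, 20))
    print("BBS, 2 bits per step    :", bbs_generator(p, q, 3, 5, j=2)[1])
```

With these parameters the BBS states run 81, 82, 36, 42, 92, 104, ... and the output bits are their parities; the checks reject e = 3 for this n (gcd(3, 180) = 3) and any q not congruent to 3 mod 4, the two setup conditions the slides state.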
-
Index
Pseudo Random Number Generator
  Random bit generation
  Pseudorandom bit generation
  Statistical tests
  Cryptographically secure pseudorandom bit generation
Stream Cipher
  Feedback shift registers
  Stream ciphers based on LFSRs
  Other stream ciphers
Block Cipher
  Introduction
  DES
  etc
-
Stream Cipher : Introduction
Definition: encrypts individual characters of a plaintext message one at a time, using an encryption transformation which varies with time.
Block vs. Stream
Block ciphers
  process plaintext in relatively large blocks (e.g. n ≥ 64 bits);
  the same function is used to encrypt successive blocks: memoryless.
Stream ciphers
  process plaintext in small blocks, and the encryption function may vary as the plaintext is processed: they have memory;
  sometimes called state ciphers, since encryption depends not only on the key and plaintext but also on the current state.
This distinction between block and stream ciphers is not definitive: adding memory to a block cipher (as in CBC) results in a stream cipher.
-
One-time Pad and Stream Cipher
One-Time Pad (OTP)
  Vernam cipher: c_i = m_i ⊕ x_i for i = 1, 2, 3, ...
  The key is generated independently and randomly: a one-time pad.
  H(M|C) = H(M), where M, C are the random variables for plaintext and ciphertext: the ciphertext contributes no information about the plaintext.
  Shannon proved that a necessary condition for a symmetric-key encryption scheme to be unconditionally secure is that H(K) ≥ H(M).
  If the key, with bit length k, is chosen independently and randomly, then H(K) = k, k ≥ H(M).
  The OTP is unconditionally secure regardless of the distribution of the plaintext.
  Drawback: the key must be as long as the plaintext (key management).
Hence a stream cipher tries to solve this problem by having a short key and generating a pseudo-random sequence: not unconditionally secure, but it tries to be computationally secure.
-
Synchronous Stream Cipher
Definition: the keystream is generated independently of the plaintext and of the ciphertext.
  s_{i+1} = f(s_i, k): next-state function, s_0 is the initial state
  z_i = g(s_i, k): keystream generation function
  c_i = h(z_i, m_i): output (encryption) function
  e.g. OFB
[Figure: block diagrams of synchronous stream cipher encryption (f, g, h_k: state s_i → s_{i+1}, keystream z_i, plaintext m_i → ciphertext c_i) and decryption (f, g, h_k^{−1}: c_i → m_i)]
-
Synchronous Stream Cipher (Cnt.)
Properties
  synchronization requirements: both sender and receiver must be synchronized, using the same key and operating at the same position. If synchronization is lost due to inserted or deleted ciphertext digits, decryption fails and can only be restored through additional techniques for re-synchronization.
  no error propagation: a ciphertext digit modified during transmission does not affect the decryption of other ciphertext digits.
  active attacks: the insertion, deletion, or replay of ciphertext digits by an active adversary causes immediate loss of synchronization.
-
Stream Cipher
Binary additive stream cipher: a synchronous stream cipher in which the keystream, plaintext, and ciphertext are binary digits, and the output function h is the XOR function.
Self-synchronizing stream cipher: the keystream is generated as a function of the key and a fixed number of previous ciphertext digits (e.g. 1-bit CFB).
[Figure: block diagrams of the binary additive stream cipher (keystream generator KSG_k producing z_i, XORed with m_i to give c_i, and the inverse) and of the self-synchronizing stream cipher (g, h_k and h_k^{−1}, with previous ciphertext c_i fed back into g)]
-
Linear Feedback Shift Registers
Properties
  LFSRs are well-suited to hardware implementation;
  can produce sequences of large period;
  can produce sequences with good statistical properties;
  because of their structure, can be analyzed using algebra.
Definition
  An LFSR of length L consists of L stages numbered 0, 1, ..., L−1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data.
  The content of stage 0 is output and forms part of the output sequence;
  the content of stage i is moved to stage i−1 for each i, 1 ≤ i ≤ L−1;
  the new content of stage L−1 is the feedback bit s_j, calculated by adding together modulo 2 the previous contents of a fixed subset of stages.
-
Pseudo-Random Binary Sequence (PRBS) by a Linear-Feedback Shift Register (LFSR) with a (2^L − 1) Period
[Figure: LFSR of length L: stages L−1, L−2, ..., 1, 0 with stage 0 as output; feedback bit s_j formed from the stage contents via feedback coefficients c_1, c_2, ..., c_{L−1}, c_L]
An LFSR of length L, denoted by
-
LFSR (cnt.)
Output sequence: s_j = (c_1 s_{j−1} + c_2 s_{j−2} + ... + c_L s_{j−L}) mod 2 for j ≥ L
Some facts
  If C(D) is a primitive polynomial, the LFSR produces an output sequence with the maximum possible period 2^L − 1 (m-LFSR, m-sequence), which has very good statistical properties.
  The linear complexity of a sequence s is the length of the shortest LFSR generating s, denoted by L(s).
  If a stream cipher has linear complexity n, we can find the initial sequence from 2n consecutive bits using the Massey-Berlekamp algorithm.
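Added example, not part of the slides: an LFSR defined by the coefficients c_1, ..., c_L of its connection polynomial C(D), a period check, and the Berlekamp-Massey algorithm, which from 2n bits of a sequence of linear complexity n recovers the shortest LFSR (hence L(s)) and so regenerates the whole sequence; that is the weakness the last fact above describes and the reason the next slide asks for large linear complexity. The primitive polynomial 1 + D + D^4, the non-primitive 1 + D^4 and the initial state are constructed sample values.

```python
from typing import List, Tuple


def lfsr_sequence(taps: List[int], init: List[int], count: int) -> List[int]:
    """taps = [c_1, ..., c_L] from C(D) = 1 + c_1 D + ... + c_L D^L and
    init = [s_0, ..., s_{L-1}]; then s_j = (c_1 s_{j-1} + ... + c_L s_{j-L}) mod 2."""
    L = len(taps)
    if len(init) != L:
        raise ValueError("initial state must have one bit per stage")
    seq = list(init)
    while len(seq) < count:
        seq.append(sum(taps[k - 1] & seq[-k] for k in range(1, L + 1)) & 1)
    return seq[:count]


def lfsr_period(taps: List[int], init: List[int]) -> int:
    """Clock the register until the initial state recurs: 2^L - 1 for a primitive C(D)
    and a nonzero state, shorter otherwise."""
    L = len(taps)
    start = state = tuple(init)
    steps = 0
    while True:
        new = sum(taps[k - 1] & state[L - k] for k in range(1, L + 1)) & 1
        state = state[1:] + (new,)      # stage i moves to stage i-1, new bit enters stage L-1
        steps += 1
        if state == start:
            return steps


def berlekamp_massey(s: List[int]) -> Tuple[int, List[int]]:
    """Return (L(s), [c_0 = 1, c_1, ..., c_L]) for the shortest LFSR generating s.
    With at least 2 L(s) bits of input the LFSR found is unique."""
    n = len(s)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = s[i]                                   # discrepancy between s_i and the prediction
        for k in range(1, L + 1):
            d ^= c[k] & s[i - k]
        if d:
            t = c[:]
            shift = i - m
            for k in range(n + 1 - shift):         # C(D) <- C(D) + D^(i-m) B(D)
                c[k + shift] ^= b[k]
            if 2 * L <= i:                         # length must grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def recover_and_extend(s: List[int], extra: int) -> List[int]:
    """Rebuild the LFSR from the observed bits and run it on to produce `extra`
    further bits: exactly what an attacker does with a low-linear-complexity keystream."""
    L, c = berlekamp_massey(s)
    return lfsr_sequence(c[1:], s[:L], len(s) + extra)


if __name__ == "__main__":
    taps, init = [1, 0, 0, 1], [1, 0, 0, 0]        # C(D) = 1 + D + D^4 is primitive
    s = lfsr_sequence(taps, init, 30)
    print("m-sequence :", "".join(map(str, s)), "period =", lfsr_period(taps, init))
    print("1 + D^4    : period =", lfsr_period([0, 0, 0, 1], init), "(not primitive)")
    L, c = berlekamp_massey(s[:8])
    print("from 8 bits: L(s) =", L, "C(D) coefficients =", c)
    print("30 bits regenerated from 8 observed:", recover_and_extend(s[:8], 22) == s)
```

Eight bits (2L for L = 4) suffice to recover both the register length and the polynomial 1 + D + D^4, after which every later keystream bit follows; a keystream is only as strong as its linear complexity lets it be, which is why the generators on the following slide combine or filter LFSRs nonlinearly.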
-
Stream ciphers based on LFSRs
Why: to augment the LC (or destroy the linear properties of LFSRs)
  use a nonlinear combining function on the outputs of several LFSRs
  (the LC of a linear combination of two LFSRs is at most the LC of one LFSR)
  use a nonlinear filtering function on the contents of a single LFSR
  use the output of one (or more) LFSRs to control the clock of one (or more) other LFSRs
Desirable properties of LFSR-based keystream generators
  large period;
  large linear complexity;
  good statistical properties;
  computationally secure: there are no mathematical proofs of security of such generators.
-
Stream ciphers based on LFSRs (Contd)
Examples
[Figure: LFSR-based generators: a nonlinear combining function f over the outputs of LFSR_1, LFSR_2, ..., LFSR_n, and a second generator built from LFSR_1 and LFSR_2 with f]
-
Other Stream Ciphers
Optimized for software implementation
RC4
  Proprietary, not presented here.
SEAL (Software-optimized Encryption ALgorithm)
  A length-increasing pseudorandom function which maps a 32-bit sequence number n to an L-bit keystream under control of a 160-bit secret key a.
  In the preprocessing stage, the key is stretched into larger tables using the table-generation function G_a (based on SHA-1).
  Subsequent to this preprocessing, keystream generation requires about 5 machine instructions per byte: an order of magnitude faster than DES.
-
Index
Pseudo Random Number Generator
  Random bit generation
  Pseudorandom bit generation
  Statistical tests
  Cryptographically secure pseudorandom bit generation
Stream Cipher
  Feedback shift registers
  Stream ciphers based on LFSRs
  Other stream ciphers
Block Cipher
  Introduction
  Modes of Operation
  etc
-
Block Cipher: Introduction
A block cipher maps n-bit plaintext blocks to n-bit ciphertext blocks (n: block length). Using plaintext and ciphertext of equal size avoids data expansion.
To allow unique decryption, the encryption function must be 1-1 (invertible).
For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors.
Each key potentially defines a different bijection.
Def: an n-bit block cipher is E : V_n × K → V_n such that for all keys k ∈ K, E(P, k) is an invertible mapping (the encryption for k) from V_n to V_n, written E_k(P).
The inverse mapping is the decryption function, denoted D_k(C).
C = E_k(P) denotes that ciphertext C results from encrypting plaintext P under k.
-
Practical security and complexity of attack
Basic assumption
  the adversary has access to all data transmitted over the cipher channel;
  (Kerckhoffs' assumption) the adversary knows all details of the encryption function except the secret key.
Classes of attacks
  ciphertext-only: no additional information is available
  known-plaintext: plaintext-ciphertext pairs are available
  chosen-plaintext: ciphertexts are available corresponding to plaintexts of the adversary's choice
  adaptive chosen-plaintext: the choice of plaintexts may depend on previous plaintext-ciphertext pairs
-
ECB(Electronic CodeBook) Mode
Encryption: for 1 ≤ j ≤ t, c_j
-
CBC(Cipher-Block Chaining) Mode
Encryption: c_0 ← IV, c_j ← E_K(c_{j−1} ⊕ x_j)
Decryption: c_0 ← IV, x_j ← c_{j−1} ⊕ E_K^{−1}(c_j)
chaining causes ciphertext c_j to depend on all preceding plaintext
a single bit error in c_j affects the decipherment of blocks c_j and c_{j+1}
self-synchronizing: after an error in c_j (not in c_{j+1}, c_{j+2}), c_{j+2} is correctly decrypted to x_{j+2}
Can be used as a MAC: x_1, x_2, ..., x_n, c_n
[Figure: CBC encryption (C_0 = IV; x_j ⊕ C_{j−1} → E under key → C_j) and decryption (C_j → E^{−1} under key, ⊕ C_{j−1} → x_j)]
-
CFB-r(CipherFeedBack) Mode
INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n)
OUTPUT: r-bit ciphertext blocks c_1, ..., c_u
1) Encryption: I_1 ← IV. (I_j is the input value in a shift register.) For 1 ≤ j ≤ u:
   O_j ← E_K(I_j). (Compute the block cipher output.)
   t_j ← the r leftmost bits of O_j. (Assume the leftmost is identified as bit 1.)
   c_j ← x_j ⊕ t_j. (Transmit the r-bit ciphertext block c_j.)
   I_{j+1} ← 2^r·I_j + c_j mod 2^n. (Shift c_j into the right end of the shift register.)
2) Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j:
   x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above.
-
CFB-r Mode (Contd)
[Figure: CFB-r encipherment and decipherment: n-bit shift register with I_1 = IV and an r-bit shift, E under key → O_j, leftmost r bits → t_j, x_j ⊕ t_j → c_j (and c_j ⊕ t_j → x_j); c_j is fed back into the register]
-
re-ordering ciphertext blocks affects decryption
one or more bit errors in any single r-bit ciphertext block c_j affect the decipherment of the next n/r ciphertext blocks
self-synchronizing: similar to CBC, but requires n/r blocks to recover.
for r
-
OFB (Output FeedBack) Mode with full (or r-bit) feedback
INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks x_1, ..., x_u (1 ≤ r ≤ n)
OUTPUT: r-bit ciphertext blocks c_1, ..., c_u
Encryption: I_1 ← IV. For 1 ≤ j ≤ u, given plaintext block x_j:
   O_j ← E_K(I_j). (Compute the block cipher output.)
   t_j ← the r leftmost bits of O_j. (Assume the leftmost is identified as bit 1.)
   c_j ← x_j ⊕ t_j. (Transmit the r-bit ciphertext block c_j.)
   full feedback: I_{j+1} ← O_j. (Update the block cipher input for the next block.)
   r-bit feedback: I_{j+1} ← 2^r·I_j + t_j mod 2^n. (Shift output t_j into the right end of the shift register.)
Decryption: I_1 ← IV. For 1 ≤ j ≤ u, upon receiving c_j:
   x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above.
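Added example, not from the slides: CBC, CFB-r and OFB (both r-bit and full feedback) written in Python exactly as the algorithms on these slides state them, driven by a constructed toy 64-bit Feistel cipher with SHA-256 as round function, since the standard library has no block cipher and the modes only need some invertible E_K. error_propagation flips one bit of one ciphertext unit, decrypts, and reports which plaintext units (0-based) come out wrong, which reproduces the error-propagation and self-synchronization properties the slides state for each mode; the same run also illustrates the earlier synchronous (OFB) and self-synchronizing (CFB) stream cipher definitions. Key, IV and plaintext are constructed sample values.

```python
import hashlib
from typing import List

N_BITS = 64                      # block length n of the toy cipher
N_BYTES = N_BITS // 8
MASK = (1 << N_BITS) - 1


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    """Constructed toy 64-bit, 4-round Feistel network with SHA-256 as round function.
    It exists only to give the modes an invertible E_K; it is not a real cipher."""
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left          # final swap: decryption is the same network with rounds reversed


def E(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))


def D(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(3, -1, -1))


def cbc_encrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> List[bytes]:
    """c_0 = IV, c_j = E_K(c_{j-1} XOR x_j)."""
    prev, out = iv, []
    for x in blocks:
        prev = E(key, _xor(prev, x))
        out.append(prev)
    return out


def cbc_decrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> List[bytes]:
    """x_j = c_{j-1} XOR E_K^{-1}(c_j)."""
    prev, out = iv, []
    for c in blocks:
        out.append(_xor(prev, D(key, c)))
        prev = c
    return out


def feedback_mode(key: bytes, iv: bytes, units: List[int], r: int, mode: str,
                  decrypt: bool = False) -> List[int]:
    """CFB-r ('cfb'), OFB-r ('ofb') and full-feedback OFB ('ofb-full') over r-bit units.
    I_1 = IV; O_j = E_K(I_j); t_j = leftmost r bits of O_j; output unit = input unit XOR t_j;
    I_{j+1} = 2^r I_j + c_j mod 2^n (CFB), 2^r I_j + t_j mod 2^n (OFB-r) or O_j (full OFB).
    Decryption is the same loop (x_j = c_j XOR t_j); only the value fed back differs."""
    reg = int.from_bytes(iv, "big")
    out = []
    for u in units:
        o = int.from_bytes(E(key, reg.to_bytes(N_BYTES, "big")), "big")
        t = o >> (N_BITS - r)
        v = u ^ t
        out.append(v)
        c = u if decrypt else v                  # the ciphertext unit, whichever side we are on
        if mode == "cfb":
            reg = ((reg << r) | c) & MASK
        elif mode == "ofb":
            reg = ((reg << r) | t) & MASK
        elif mode == "ofb-full":
            reg = o
        else:
            raise ValueError(mode)
    return out


KEY = b"constructed-demo-key"                   # constructed sample key and IV
IV = bytes(range(N_BYTES))


def error_propagation(mode: str, flip_index: int = 2) -> List[int]:
    """Flip one bit of ciphertext unit `flip_index`, decrypt, and list the
    plaintext units (0-based) that decrypt incorrectly."""
    if mode == "cbc":
        plain = [bytes([i]) * N_BYTES for i in range(8)]
        cipher = cbc_encrypt(KEY, IV, plain)
        cipher[flip_index] = _xor(cipher[flip_index], b"\x80" + b"\x00" * (N_BYTES - 1))
        decrypted = cbc_decrypt(KEY, IV, cipher)
    else:
        r = 32                                   # n/r = 2: a corrupted unit stays in the register for 2 steps
        plain = [0x11111111 * (i + 1) for i in range(8)]
        cipher = feedback_mode(KEY, IV, plain, r, mode)
        cipher[flip_index] ^= 1
        decrypted = feedback_mode(KEY, IV, cipher, r, mode, decrypt=True)
    return [j for j, (a, b) in enumerate(zip(plain, decrypted)) if a != b]


if __name__ == "__main__":
    for mode in ("cbc", "cfb", "ofb", "ofb-full"):
        print(f"{mode:8s} one flipped bit in c_2 corrupts plaintext units {error_propagation(mode)}")
```

Expected behaviour: CBC corrupts units 2 and 3 and then resynchronizes; CFB-32 corrupts unit 2 and the next n/r = 2 units before recovering; both OFB variants corrupt only unit 2, because their keystream never depends on the ciphertext, which is also why OFB cannot recover from a lost or inserted unit.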
-
OFB-r Mode
[Figure: OFB-r encipherment and deciphering: n-bit shift register I_j with I_1 = IV and an r-bit shift, E under key → O_j, leftmost r bits → t_j, x_j ⊕ t_j → c_j (and c_j ⊕ t_j → x_j); the leftmost r bits of O_j are fed back into the register]
-
Properties of OFB-r
  the keystream is plaintext-independent
  bit errors affect the decipherment of only that character
  recovers from ciphertext bit errors, but cannot self-synchronize
  for r
-
Other Block Ciphers
FEAL
  Fast N-round block cipher
  Has suffered a lot of attacks, which in turn introduced new attacks on block ciphers
  Japanese standard
IDEA
  64-64-128-8
  James Massey
  Uses algebraic functions (multiplication mod 2^n + 1, addition mod 2^n)
SAFER, RC-5, AES
-
To teach is to learn twice !!