1 / 89

Random walks and analysis of algorithms in cryptography

Random walks and analysis of algorithms in cryptography. Ilya Mironov Stanford University. Talk overview. Cryptanalysis RC4 stream cipher card shuffling brute force attack Broadcast encryption analysis optimization Other work. Talk overview. Cryptanalysis RC4 stream cipher

erikson
Télécharger la présentation

Random walks and analysis of algorithms in cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Random walks and analysis of algorithms in cryptography Ilya Mironov Stanford University

  2. Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • analysis • optimization • Other work

  3. Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • analysis • optimization • Other work

  4. RC4 stream cipher • RC stands for “Ron’s Code,” designed in 1987 by Ron Rivest. • Several design goals: • speed • support of 8-bit architecture • simplicity (to circumvent export regulations)

  5. Abridged history of [alleged] RC4™ • 1994 – leaked to cypherpunks mailing list • 1995 - first weakness (USENET post) • 1996 – appeared in “Applied Cryptography” by B. Schneier as “alleged RC4” • 1997 – first published analysis MS theses: 3 PhD thesis: 1

  6. Usage • SSL/TLS • Windows, Lotus Notes, Oracle, etc. • Cellular Digital Packet Data • OpenBSD pseudo-random number generator

  7. Encryption key 000111101010110101 state  plain text plain text = cipher text cipher t

  8. Decryption key 000111101010110101 state  cipher text cipher t = plain text plain text

  9. Security Requirement Indistinguishability from a perfect source of randomness: given part of the output stream, it is impossible to distinguish it from a random string

  10. Second byte [MS01] • Second byte of RC4 output is 0 with twice the expected probability

  11. Related key attack [FMS01] • Wireless Equivalent Privacy protocol (part of 802.11b standard): Using keys with known prefixes - BAD IV1, key  IV1, 0010101010 IV2, key  IV2, 1010110001 IV3, key  IV3, 0101010111 IV4, key  IV4, 1010101010 key

  12. Recommendation Discard the first 256 bytes of RC4 output [RSA, MS] Is this enough?

  13. RC4 internal state • Permutation S on 256 bytes: • Two indices i, j • log2 (256!  256)  1700 bits

  14. Key scheduling algorithm (all arithmetic is mod 256) for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j])

  15. Pseudo-random number generator i := 0 j := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ])

  16. Both RC4’s routines for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j]) i, j := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ]) key scheduling pseudo-random number generator

  17. Both RC4’s routines for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j]) i := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) key scheduling j := random (256) , j pseudo-random number generator j := random (256)

  18. Both RC4’s routines for i := 0 to 255 S[i] := i j := random (256) swap (S[i], S[j]) key scheduling for i := 0 to 255 i := 0 repeat i := i + 1 j := random (256) swap (S[i], S[j]) pseudo-random number generator

  19. Idealization of RC4 for i := 0 to 255 S[i] := i i := 0 repeat i := i + 1 j := random (256) swap (S[i], S[j])

  20. Idealization of RC4 for i := 0 to n - 1 S[i] := i i := 0 repeat i := i + 1 j := random (n) swap (S[i], S[j])

  21. Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • analysis • optimization • Other work

  22. Exchange shuffle • RC4 card shuffling: i i i i i … random j When i= n - 1 the permutation is random not

  23. Perfect shuffling • The textbook algorithm to shuffle cards: swap( S[i], S[j]) i i i i i … random j When i= n - 1 the permutation is perfectly random

  24. Why is it not random? • n! does not divide nn • Sign of the permutation: the sign changes each time with probability 1-1/n • Positions of individual cards are predictable

  25. First byte of RC4 output • The first byte, S[S[1]+S[S[1]]], is biased:

  26. Distinguisher • Less than 2,000 to recognize a non-random output with 10% error

  27. Mixing time • The permutation becomes more and more random. nonrandomness time

  28. Variation distance Variation distance between two distributions, P and Q on S: d(P,Q)=½ sS |P(s)-Q(s)| variation distance time

  29. The end of the beginning of RC4 • What is the sufficient number of swaps for the permutation to become random? Find t such that d(Pt, U) < 

  30. Card shuffling To shuffle 52 cards: - 7 riffle shuffles ~ 100 random transpositions ~ 30,000 adjacent transpositions - exchange (RC4) shuffles?

  31. Lower bound Sign of the permutation: after t rounds sign can be predicted with probability e-2t

  32. Upper bound Checking argument: • initially all cards are unchecked • check S[i] if - either i=j - or S[j] is checked • keep doing until all cards are checked

  33. Checking argument i j

  34. Checking argument i j j S[i] is indistinguishable from other checked cards

  35. Checking argument It takes (n log n) steps to check all cards. It gives an upper bound.

  36. Mixing time • at least (n) • at most O(nlogn)

  37. What if n = 256? • Optimistically (go with the lower bound) mixes in 4256 steps • Conservatively (use the upper bound) mixes in 16256 steps

  38. New development • E. Mossel, A. Sinclair, Y. Peres (Berkeley): the upper bound is tight mixing time = Θ(n log n) • Distinguisher: look at the cards from the left half

  39. Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • optimization • analysis • Other work

  40. Backtracking j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t]

  41. Backtracking S[1] j:=S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t]

  42. Backtracking S[1] j := S[1] t := S[1] + S[j] outputS[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j]

  43. Backtracking S[1] j := S[1] t := S[1] + S[j] outputS[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2]

  44. Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j]

  45. Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3]

  46. Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3] S[j]

  47. Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3]

  48. Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3] S[j]

  49. Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3]

  50. Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3] S[j]

More Related