CIS 5371 Cryptography, 3b. Pseudorandomness
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Pseudorandomness: an introduction
• A distribution D is pseudorandom if no PPT distinguisher can detect whether it is given a string sampled according to D or a string chosen uniformly at random.
• This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.
Pseudorandomness: an introduction (continued)
• A pseudorandom generator is a deterministic algorithm that, given a short truly random seed of length n, stretches it into a longer string that is pseudorandom.
Existence of pseudorandom generators
• We cannot prove that pseudorandom generators exist!
• We believe that such generators can be constructed from one-way functions.
• There are long-standing problems for which no efficient solution is known, and it is believed that they cannot be solved in polynomial time.
Pseudorandom generators: informal definition
• A distribution D is pseudorandom if no PPT distinguisher can detect if it is given a string sampled according to D or a string chosen uniformly at random.
• This can be formalized by requiring that a PPT distinguisher D outputs 1 with almost the same probability when given a truly random string and when given a pseudorandom string.
Pseudorandom generator: definition
Let  be a polynomial and  a deterministic polynomial-time algorithm that, for any  and any input , outputs a string of length .  is a pseudorandom generator if:
• for every PPT algorithm (distinguisher) , , where  is a uniformly random string of length ,  is uniformly random of length , and the probabilities are taken over the coins used by  and the choices of .
Stream ciphers
A stream cipher is a deterministic algorithm (Init, GetBits) where:
• Init takes as input a seed and an optional initialization vector and outputs a state.
• GetBits takes as input a state and outputs a bit and an updated state.
Algorithm 3.16: construct a pseudorandom generator from (Init, GetBits)
Input: a seed and an optional initialization vector
Output: a pseudorandom string
    state := Init(seed, IV)
    for each output bit: (bit, state) := GetBits(state)
    return the output bits
This can easily be modified to give a variable-output-length pseudorandom generator.
Discussion
• We use the term stream cipher for the pseudorandom stream generator, not for the encryption algorithm.
• There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.
Discussion
• The WEP encryption protocol for 802.11 used RC4 and was broken.
• Since then it has been fixed and the standard updated.
• If RC4 has to be used, the first 1024 bits or so of its output should be discarded.
Discussion
• From a security point of view it is advocated to use block-cipher constructions for building secure encryption schemes.
• The disadvantage is that this approach is less efficient than using a dedicated stream cipher.
Secure fixed-length encryption: protocol
Let  be a pseudorandom generator with expansion factor . Define a private-key encryption scheme  for messages of length  as follows:
• Gen: on input , choose  uniformly at random and output it as the key.
• Enc: on input a key  and a message , output the ciphertext .
• Dec: on input a key  and a ciphertext c, output the plaintext .
Secure fixed-length encryption: theorem
If  is a pseudorandom generator, then protocol  is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.
A secure fixed-length encryption, reduction:  is secure if  is a pseudorandom generator
Adversary A' (distinguisher D) receives a string and must decide: is it random or pseudorandom? It runs adversary A against protocol . Suppose that A succeeds with probability .
A' chooses a random bit, computes , and outputs 1 (distinguish: A breaks the scheme) if , and 0 if .
A secure fixed-length encryption: proof
• When  is uniformly random we have .
• When  we have .
• Since  is a pseudorandom generator: | − | negl().
• Therefore || negl(), or || + negl().
Multiple-encryption security: definition
A private-key encryption scheme  = (Gen, Enc, Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if it satisfies:
, where the probability is taken over the random coins of  and of the experiment.
Indistinguishable single encryptions vs. indistinguishable multiple encryptions
• The secure fixed-length encryption protocol  presented earlier is deterministic and cannot be used as a construction for indistinguishable multiple encryptions.
• To see why, run the experiment on the pair of message vectors  and : the same key gives equal ciphertexts for equal messages, so repeated messages are detected.
• Hence there is a private-key encryption scheme that has indistinguishable single encryptions but distinguishable multiple encryptions.
Secure multiple encryptions using a stream-cipher mode of operation
Synchronized mode
• The communicating parties use a different part of the stream-cipher output to encrypt each message.
• Useful for parties communicating in the same session.
• The communicating parties must maintain state between encryptions.
Secure multiple encryptions using a stream-cipher mode of operation
Unsynchronized mode
• Encryptions are carried out independently of one another.
• The communicating parties are not required to maintain state between encryptions.
• Each encryption uses its own initial vector, chosen at random.
Security against chosen-plaintext attacks (CPA)
• We now consider a more powerful adversary that is active.
• The adversary can ask for the encryptions of specific plaintext messages of its choice, as well as eavesdrop.
Indistinguishable encryptions under CPA: definition
A private-key encryption scheme has indistinguishable encryptions under CPA if , where the probability is taken over the coins of A and those of the experiment.
CPA security for multiple encryptions
• As for single encryptions, extend the experiment to one in which the adversary outputs a pair of vectors of plaintexts.
• Any private-key encryption scheme that has indistinguishable encryptions under CPA also has indistinguishable multiple encryptions under CPA.
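The slides above define the fixed-length scheme built from a pseudorandom generator, show why its deterministic encryption fails for multiple messages, describe the synchronized and unsynchronized stream-cipher modes, and define the CPA experiment. The following Python is an added example written for this page, not code from the slides or from Katz and Lindell; it assumes, as in their book, that the fixed-length scheme is Enc_k(m) = G(k) XOR m, and it uses SHA-256 in counter mode purely as a stand-in for the abstract generator G (the slides give no concrete G). The message length, IV length, and the way the IV is fed into G are choices made here. The CPA adversary at the end queries the oracle on m0 and compares the answer with the challenge: against the deterministic scheme it wins every time, against the IV-randomized scheme it does no better than guessing.

```python
import hashlib
import random
import secrets

MSG_LEN = 16   # fixed message length in bytes (chosen for this example)
IV_LEN = 16    # initial-vector length for the unsynchronized mode (chosen here)


def G(seed: bytes, ell: int) -> bytes:
    """Stand-in pseudorandom generator expanding `seed` to `ell` bytes.
    SHA-256 in counter mode is used only as a placeholder for the abstract
    generator G of the slides, which give no concrete construction."""
    out = b""
    ctr = 0
    while len(out) < ell:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:ell]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Fixed-length scheme (assumed Enc_k(m) = G(k) XOR m): Gen draws a uniform
# key; Enc and Dec are deterministic, which is exactly what breaks it for
# multiple messages.
def gen(n: int = 16) -> bytes:
    return secrets.token_bytes(n)


def enc_fixed(k: bytes, m: bytes) -> bytes:
    assert len(m) == MSG_LEN
    return xor(G(k, MSG_LEN), m)


def dec_fixed(k: bytes, c: bytes) -> bytes:
    return xor(G(k, MSG_LEN), c)


# Unsynchronized mode: every encryption draws a fresh random IV, derives its
# own keystream from (k, IV) and ships the IV with the ciphertext; no state is
# kept between messages.
def enc_unsync(k: bytes, m: bytes) -> bytes:
    iv = secrets.token_bytes(IV_LEN)
    return iv + xor(G(k + iv, MSG_LEN), m)


def dec_unsync(k: bytes, c: bytes) -> bytes:
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return xor(G(k + iv, MSG_LEN), body)


# Synchronized mode: both parties keep a position into one long keystream and
# each message consumes the next, never reused, slice of it.
class SyncStream:
    def __init__(self, k: bytes, total: int = 4096):
        self.stream = G(k, total)
        self.pos = 0

    def process(self, data: bytes) -> bytes:
        ks = self.stream[self.pos:self.pos + len(data)]
        assert len(ks) == len(data), "keystream exhausted: re-key"
        self.pos += len(data)
        return xor(ks, data)      # XOR is its own inverse: same call decrypts


# CPA adversary: asks the encryption oracle for Enc_k(m0), then checks
# whether the challenge ciphertext equals that answer.
class RepeatQueryAdversary:
    def choose(self, oracle):
        self.m0, self.m1 = b"\x00" * MSG_LEN, b"\xff" * MSG_LEN
        self.c0 = oracle(self.m0)
        return self.m0, self.m1

    def guess(self, oracle, c: bytes) -> int:
        return 0 if c == self.c0 else 1


def cpa_success_rate(enc, trials: int = 400, seed=None) -> float:
    """Runs the CPA indistinguishability experiment `trials` times with a
    fresh key each time and returns the fraction of correct guesses of b."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        k = gen()
        oracle = lambda m, k=k: enc(k, m)
        adv = RepeatQueryAdversary()
        m0, m1 = adv.choose(oracle)
        b = rng.randrange(2)
        c = oracle((m0, m1)[b])
        wins += adv.guess(oracle, c) == b
    return wins / trials


if __name__ == "__main__":
    print("deterministic scheme:", cpa_success_rate(enc_fixed, 100, seed=1))
    print("random-IV scheme:    ", cpa_success_rate(enc_unsync, 400, seed=1))
```

The synchronized mode relies on both sides advancing `pos` identically, which is why the slides say the parties must keep state within a session; the unsynchronized mode trades that for an IV sent in the clear with every ciphertext.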
APPENDIX: RC4
• Designed in 1987 by Ron Rivest for RSA Security.
• Variable-key-size stream cipher with byte-oriented operations.
• Based on the use of a random permutation.
• Eight to sixteen machine operations are required per output byte, so the cipher can be expected to run very quickly in software.
• Used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards for communication between Web browsers and servers.
• Used in the Wired Equivalent Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol (IEEE 802.11 wireless LAN standard).
RC4
• Generates a pseudorandom stream (keystream) that can be used for encryption by XOR-ing it with the plaintext.
• The internal state of the cipher has two parts:
  • a permutation of 256 bytes (S)
  • two 8-bit pointers: i, j
RC4: byte K is output
RC4, protocol (KSA)
Key scheduling algorithm (initialize S using key, 1 ≤ keylength ≤ 256):
    for i from 0 to 255            (S is initialized)
        S[i] := i
    endfor
    j := 0
    for i from 0 to 255            (initial permutation is performed)
        j := (j + S[i] + key[i mod keylength]) mod 256
        swap values of S[i] and S[j]
    endfor
RC4, protocol (PRGA)
Pseudo-random generation algorithm:
    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap values of S[i] and S[j]
        K := S[(S[i] + S[j]) mod 256]
        output K
    endwhile
Simple RC4 example
Instead of the full 256 bytes, use 8 × 3-bit values. Assume we use a 4 × 3-bit key: K = [1 2 3 6].
Initialization of S: S = [0 1 2 3 4 5 6 7]
Initial permutation:
    j := 0
    for i from 0 to 7
        j := (j + S[i] + key[i mod 4]) mod 8
        swap values of S[i] and S[j]
    endfor
Simple RC4 example
K = [1 2 3 6], S = [0 1 2 3 4 5 6 7]. We go through each iteration of i:
For i = 0: j = (0 + 0 + 1) mod 8 = 1; Swap(S[0], S[1]); S = [1 0 2 3 4 5 6 7]
For i = 1: j = (1 + 0 + 2) mod 8 = 3; Swap(S[1], S[3]); S = [1 3 2 0 4 5 6 7]
Simple RC4 example
K = [1 2 3 6], S = [1 3 2 0 4 5 6 7]
For i = 2: j = (3 + 2 + 3) mod 8 = 0; Swap(S[2], S[0]); S = [2 3 1 0 4 5 6 7]
For i = 3: j = (0 + 0 + 6) mod 8 = 6; Swap(S[3], S[6]); S = [2 3 1 6 4 5 0 7]
Simple RC4 example
K = [1 2 3 6], S = [2 3 1 6 4 5 0 7]
For i = 4: j = (6 + 4 + 1) mod 8 = 3; Swap(S[4], S[3]); S = [2 3 1 4 6 5 0 7]
For i = 5: j = (3 + 5 + 2) mod 8 = 2; Swap(S[5], S[2]); S = [2 3 5 4 6 1 0 7]
Simple RC4 example
K = [1 2 3 6], S = [2 3 5 4 6 1 0 7]
For i = 6: j = (2 + 0 + 3) mod 8 = 5; Swap(S[6], S[5]); S = [2 3 5 4 6 0 1 7]
For i = 7: j = (5 + 7 + 6) mod 8 = 2; Swap(S[7], S[2]); S = [2 3 7 4 6 0 1 5]
RC4, protocol (PRGA)
Now we run PRGA for S = [2 3 7 4 6 0 1 5], i = 0, j = 0:
    while GeneratingOutput:
        i := (i + 1) mod 8
        j := (j + S[i]) mod 8
        swap values of S[i] and S[j]
        K := S[(S[i] + S[j]) mod 8]
        output K
    endwhile
RC4, generating output
First iteration: S = [2 3 7 4 6 0 1 5], i = 0, j = 0
    i := (0 + 1) mod 8 = 1
    j := (0 + S[1]) mod 8 = 3
    swap values of S[1] and S[3]: S = [2 4 7 3 6 0 1 5]
    K := S[(S[1] + S[3]) mod 8] = S[7] = 5
    output K = 5
RC4, generating output
2nd iteration: S = [2 4 7 3 6 0 1 5], i = 1, j = 3
    i := (1 + 1) mod 8 = 2
    j := (3 + S[2]) mod 8 = 2
    swap values of S[2] and S[2]: S = [2 4 7 3 6 0 1 5]
    K := S[(S[2] + S[2]) mod 8] = S[6] = 1
    output K = 1
3rd iteration: S = [2 4 7 3 6 0 1 5], i = 2, j = 2
    i := (2 + 1) mod 8 = 3
    j := (2 + S[3]) mod 8 = 5
    swap values of S[3] and S[5]: S = [2 4 7 0 6 3 1 5]
    K := S[(S[3] + S[5]) mod 8] = S[3] = 0
    output K = 0
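To tie the (Init, GetBits) abstraction and Algorithm 3.16 of the stream-cipher slides to the RC4 appendix, here is an added Python implementation written for this page (not code from the slides). RC4's KSA plays the role of Init (it takes no initialization vector) and one PRGA step plays the role of GetBits; `prg_from_stream_cipher` is Algorithm 3.16 on top of them, with an extra `drop` parameter for the slides' advice to discard the first part of the output (assumption: the count here is in output values, not bits). The modulus `n` is a parameter so the same code reproduces the slides' scaled-down example (n = 8, key [1 2 3 6], keystream 5, 1, 0) and real RC4 (n = 256); the check against the key "Key" / plaintext "Plaintext" test vector uses a widely published RC4 vector that is not on the slides.

```python
from typing import List, Tuple

State = Tuple[List[int], int, int]   # (permutation S, pointer i, pointer j)


def rc4_init(key: List[int], n: int = 256) -> State:
    """Init (the KSA): builds the permutation S from the key.
    n = 256 is real RC4 (byte values); the slides' toy example uses n = 8."""
    keylength = len(key)
    assert 1 <= keylength <= n
    S = list(range(n))                       # S is initialized
    j = 0
    for i in range(n):                       # initial permutation is performed
        j = (j + S[i] + key[i % keylength]) % n
        S[i], S[j] = S[j], S[i]
    return (S, 0, 0)


def rc4_getbits(state: State) -> Tuple[int, State]:
    """GetBits (one PRGA step): returns one output value K and the new state."""
    S, i, j = state
    n = len(S)
    i = (i + 1) % n
    j = (j + S[i]) % n
    S[i], S[j] = S[j], S[i]
    K = S[(S[i] + S[j]) % n]
    return K, (S, i, j)


def prg_from_stream_cipher(seed: List[int], ell: int,
                           n: int = 256, drop: int = 0) -> List[int]:
    """Algorithm 3.16: run Init once, then GetBits ell times, collecting the
    outputs. `drop` discards the first outputs (the slides suggest discarding
    the first 1024 bits or so of RC4; assumption: `drop` counts output values)."""
    state = rc4_init(seed, n)
    out = []
    for _ in range(drop + ell):
        K, state = rc4_getbits(state)
        out.append(K)
    return out[drop:]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR-ing the keystream with the data."""
    keystream = prg_from_stream_cipher(list(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    # The slides' scaled-down trace: 3-bit values, key [1 2 3 6]
    print("toy S after KSA:", rc4_init([1, 2, 3, 6], 8)[0])
    print("toy keystream:  ", prg_from_stream_cipher([1, 2, 3, 6], 3, n=8))
    print("RC4('Key','Plaintext') =", rc4_crypt(b"Key", b"Plaintext").hex())
```

Because the state tuple carries the mutable list S, `rc4_getbits` advances the generator in place; that is the stateful behaviour the synchronized mode depends on, and it is also why two parties that fall out of step decrypt to garbage.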