Random Number Generation and Stream Cipher Random Number...Random Number Generation and Stream...

Random Number Generation andStream Cipher

GOUTAM PAUL

Asst. ProfessorDepartment of Computer Science & Engineering

Jadavpur University, Kolkata.

July 16, 2011

Tutorial Workshop on Cryptology(Jointly organized by: CU & Centre of Excellence in Cryptology, ISI)Rajabazar Science College Campus, University of Calcutta, India.

Outline

1 RandomnessDefining RandomnessTesting RandomnessCryptographic Randomness

2 Random Number GenerationNatural Random Number GeneratorsPseudo-Random Number Generators

3 Stream CiphersHardware Stream CiphersSoftware Stream CiphersDistinguisher

Roadmap




RandomnessRandom Number Generation

Stream Ciphers

Defining RandomnessTesting RandomnessCryptographic Randomness

Notion of Randomness

A numeric sequence is said to be statistically randomwhen it contains no recognizable patterns orregularities.Examples:

Sequence of Head and Tail in an unbiased coin toss.Results of an ideal die roll.Digits of π.

GOUTAM PAUL Random Number Generation and Stream Cipher Slide 4 of 51


Stream Ciphers



A numeric sequence is said to be statistically randomwhen it contains no recognizable patterns orregularities.

Examples:Sequence of Head and Tail in an unbiased coin toss.Results of an ideal die roll.Digits of π.



Stream Ciphers







Stream Ciphers




Sequence of Head and Tail in an unbiased coin toss.

Results of an ideal die roll.Digits of π.



Stream Ciphers




Sequence of Head and Tail in an unbiased coin toss.Results of an ideal die roll.

Digits of π.



Stream Ciphers







Stream Ciphers


Test of (Non-)Randomness

It is not possible to mathematically prove that asequence is random.It is possible to test whether a sequence isnon-random.



Stream Ciphers



It is not possible to mathematically prove that asequence is random.

It is possible to test whether a sequence isnon-random.



Stream Ciphers



It is not possible to mathematically prove that asequence is random.It is possible to test whether a sequence isnon-random.



Stream Ciphers


Frequency Test

Checking that each symbol occurs with equalfrequency.For a binary string, proportion of 0’s and 1’s shouldbe 0.5 each.Can be generalized to n-gram frequencies.



Stream Ciphers


Frequency Test

Checking that each symbol occurs with equalfrequency.

For a binary string, proportion of 0’s and 1’s shouldbe 0.5 each.Can be generalized to n-gram frequencies.



Stream Ciphers


Frequency Test

Checking that each symbol occurs with equalfrequency.For a binary string, proportion of 0’s and 1’s shouldbe 0.5 each.

Can be generalized to n-gram frequencies.



Stream Ciphers


Frequency Test

Checking that each symbol occurs with equalfrequency.For a binary string, proportion of 0’s and 1’s shouldbe 0.5 each.Can be generalized to n-gram frequencies.



Stream Ciphers


Gap Test

Look at the distances between a particular symbol.For example, for the symbol 0,

00 would be a distance of 0.030 would be a distance of 1.02250 would be a distance of 3, etc.



Stream Ciphers


Gap Test

Look at the distances between a particular symbol.

For example, for the symbol 0,00 would be a distance of 0.030 would be a distance of 1.02250 would be a distance of 3, etc.



Stream Ciphers


Gap Test





Stream Ciphers


Gap Test





Stream Ciphers


Run Test

A run is a sequence of consecutive digits.This test is based on the frequency of run-lengths.Example: 522238 has a run of 2’s of length 3.



Stream Ciphers


Run Test

A run is a sequence of consecutive digits.

This test is based on the frequency of run-lengths.Example: 522238 has a run of 2’s of length 3.



Stream Ciphers


Run Test

A run is a sequence of consecutive digits.This test is based on the frequency of run-lengths.

Example: 522238 has a run of 2’s of length 3.



Stream Ciphers


Run Test

A run is a sequence of consecutive digits.This test is based on the frequency of run-lengths.Example: 522238 has a run of 2’s of length 3.



Stream Ciphers


Autocorrelation Test

Correlation between two sequences/processes givesa measure of similarity between them.Autocorrelation: correlation between themeasurements of the same process at two differentinstances of time.If random, such autocorrelations should be near zerofor any and all time-lag separations.



Stream Ciphers



Correlation between two sequences/processes givesa measure of similarity between them.

Autocorrelation: correlation between themeasurements of the same process at two differentinstances of time.If random, such autocorrelations should be near zerofor any and all time-lag separations.



Stream Ciphers



Correlation between two sequences/processes givesa measure of similarity between them.Autocorrelation: correlation between themeasurements of the same process at two differentinstances of time.

If random, such autocorrelations should be near zerofor any and all time-lag separations.



Stream Ciphers



Correlation between two sequences/processes givesa measure of similarity between them.Autocorrelation: correlation between themeasurements of the same process at two differentinstances of time.If random, such autocorrelations should be near zerofor any and all time-lag separations.



Stream Ciphers


Maurer’s Universal Test

Source modeled as

an ergodic stationary processwith finite memoryhaving arbitrary (unknown) state transitionprobabilities.



Stream Ciphers



Source modeled asan ergodic stationary process

with finite memoryhaving arbitrary (unknown) state transitionprobabilities.



Stream Ciphers



Source modeled asan ergodic stationary processwith finite memory

having arbitrary (unknown) state transitionprobabilities.



Stream Ciphers



Source modeled asan ergodic stationary processwith finite memoryhaving arbitrary (unknown) state transitionprobabilities.



Stream Ciphers


Example with a Binary StringConsider the string 0010110011101.

Frequency test:freq(0)=6, freq(1)=7,freq(00) = 2, freq(01) = 4, freq(10)=3, freq(11) = 3.Gap test: freq(gap 0)=2, freq(gap 1)=1, freq(gap2)=1, freq(gap 3) = 1.Run test: freq(len 1)=4, freq(len 2)=3, freq(len 3)=1.Autocorrelation test:Lag 1 autocorrelation =0.0+0.1+1.0+0.1+1.1+1.0+0.0+0.1+1.1+1.1+1.0+0.1= 3,Lag 2 autocorrelation =0.1+0.0+1.1+0.1+1.0+1.0+0.1+0.1+1.1+1.0+1.1 = 3.



Stream Ciphers



Frequency test:freq(0)=6, freq(1)=7,freq(00) = 2, freq(01) = 4, freq(10)=3, freq(11) = 3.

Gap test: freq(gap 0)=2, freq(gap 1)=1, freq(gap2)=1, freq(gap 3) = 1.Run test: freq(len 1)=4, freq(len 2)=3, freq(len 3)=1.Autocorrelation test:Lag 1 autocorrelation =0.0+0.1+1.0+0.1+1.1+1.0+0.0+0.1+1.1+1.1+1.0+0.1= 3,Lag 2 autocorrelation =0.1+0.0+1.1+0.1+1.0+1.0+0.1+0.1+1.1+1.0+1.1 = 3.



Stream Ciphers



Frequency test:freq(0)=6, freq(1)=7,freq(00) = 2, freq(01) = 4, freq(10)=3, freq(11) = 3.Gap test: freq(gap 0)=2, freq(gap 1)=1, freq(gap2)=1, freq(gap 3) = 1.

Run test: freq(len 1)=4, freq(len 2)=3, freq(len 3)=1.Autocorrelation test:Lag 1 autocorrelation =0.0+0.1+1.0+0.1+1.1+1.0+0.0+0.1+1.1+1.1+1.0+0.1= 3,Lag 2 autocorrelation =0.1+0.0+1.1+0.1+1.0+1.0+0.1+0.1+1.1+1.0+1.1 = 3.



Stream Ciphers



Frequency test:freq(0)=6, freq(1)=7,freq(00) = 2, freq(01) = 4, freq(10)=3, freq(11) = 3.Gap test: freq(gap 0)=2, freq(gap 1)=1, freq(gap2)=1, freq(gap 3) = 1.Run test: freq(len 1)=4, freq(len 2)=3, freq(len 3)=1.

Autocorrelation test:Lag 1 autocorrelation =0.0+0.1+1.0+0.1+1.1+1.0+0.0+0.1+1.1+1.1+1.0+0.1= 3,Lag 2 autocorrelation =0.1+0.0+1.1+0.1+1.0+1.0+0.1+0.1+1.1+1.0+1.1 = 3.



Stream Ciphers



Frequency test:freq(0)=6, freq(1)=7,freq(00) = 2, freq(01) = 4, freq(10)=3, freq(11) = 3.Gap test: freq(gap 0)=2, freq(gap 1)=1, freq(gap2)=1, freq(gap 3) = 1.Run test: freq(len 1)=4, freq(len 2)=3, freq(len 3)=1.Autocorrelation test:Lag 1 autocorrelation =0.0+0.1+1.0+0.1+1.1+1.0+0.0+0.1+1.1+1.1+1.0+0.1= 3,Lag 2 autocorrelation =0.1+0.0+1.1+0.1+1.0+1.0+0.1+0.1+1.1+1.0+1.1 = 3.



Stream Ciphers


Encryption increases Randomness

The goal of encryption is to make the transmittedmessage look random.



Stream Ciphers


Encryption increases Randomness

The goal of encryption is to make the transmittedmessage look random.



Stream Ciphers


Perfect Secrecy

Information Theoretic Security:

Prob(P | C) = Prob(P).



Stream Ciphers


Perfect Secrecy





Stream Ciphers


Perfect Secrecy





Stream Ciphers


From Non-Random to Random-Looking

Result: XOR(Arbitrary bitstring, Random bitstring) =Random bitstring.Encryption Ci = Mi ⊕ Ki .Decryption: Mi = Ci ⊕ Ki .



Stream Ciphers



Result: XOR(Arbitrary bitstring, Random bitstring) =Random bitstring.

Encryption Ci = Mi ⊕ Ki .Decryption: Mi = Ci ⊕ Ki .



Stream Ciphers



Result: XOR(Arbitrary bitstring, Random bitstring) =Random bitstring.Encryption Ci = Mi ⊕ Ki .

Decryption: Mi = Ci ⊕ Ki .



Stream Ciphers



Result: XOR(Arbitrary bitstring, Random bitstring) =Random bitstring.Encryption Ci = Mi ⊕ Ki .Decryption: Mi = Ci ⊕ Ki .



Stream Ciphers


One Time Pad

A different keystream is XOR-ed with each differentplaintext message.Has the property of perfect secrecy.



Stream Ciphers


One Time Pad

A different keystream is XOR-ed with each differentplaintext message.

Has the property of perfect secrecy.



Stream Ciphers


One Time Pad




Stream Ciphers


One Time Pad



Roadmap





Stream Ciphers

Natural Random Number GeneratorsPseudo-Random Number Generators

Necessity

One Time Pad requires a long stream of random bits.Other cryptographic schemes also require randomnumbers as keys.



Stream Ciphers


Necessity

One Time Pad requires a long stream of random bits.

Other cryptographic schemes also require randomnumbers as keys.



Stream Ciphers


Necessity

One Time Pad requires a long stream of random bits.Other cryptographic schemes also require randomnumbers as keys.



Stream Ciphers


One option: Natural Randomness

Thermal noise from a semiconductor resistor.Atmospheric noise.Quantum-mechanical phenomena.Tossing a coin.



Stream Ciphers



Thermal noise from a semiconductor resistor.

Atmospheric noise.Quantum-mechanical phenomena.Tossing a coin.



Stream Ciphers



Thermal noise from a semiconductor resistor.Atmospheric noise.

Quantum-mechanical phenomena.Tossing a coin.



Stream Ciphers



Thermal noise from a semiconductor resistor.Atmospheric noise.Quantum-mechanical phenomena.

Tossing a coin.



Stream Ciphers



Thermal noise from a semiconductor resistor.Atmospheric noise.Quantum-mechanical phenomena.Tossing a coin.



Stream Ciphers


Why Natural Randomness is not useful?

Difficulty of sampling.Difficulty of synchronizing when the sender and thereceiver are far apart.



Stream Ciphers



Difficulty of sampling.

Difficulty of synchronizing when the sender and thereceiver are far apart.



Stream Ciphers



Difficulty of sampling.Difficulty of synchronizing when the sender and thereceiver are far apart.



Stream Ciphers


Pragmatic Solution

A Finite State Machine.A seed (called the secret key) characterizes the initialstate.Same seed generates the same output sequence.Seed can be shared between the sender and thereceiver.



Stream Ciphers


Pragmatic Solution

A Finite State Machine.

A seed (called the secret key) characterizes the initialstate.Same seed generates the same output sequence.Seed can be shared between the sender and thereceiver.



Stream Ciphers


Pragmatic Solution

A Finite State Machine.A seed (called the secret key) characterizes the initialstate.

Same seed generates the same output sequence.Seed can be shared between the sender and thereceiver.



Stream Ciphers


Pragmatic Solution

A Finite State Machine.A seed (called the secret key) characterizes the initialstate.Same seed generates the same output sequence.

Seed can be shared between the sender and thereceiver.



Stream Ciphers


Pragmatic Solution

A Finite State Machine.A seed (called the secret key) characterizes the initialstate.Same seed generates the same output sequence.Seed can be shared between the sender and thereceiver.



Stream Ciphers


Inherent Limitations

Each state transition of the FSM gives one newoutput.FSM has finite no. of states.So the output sequence must have a period.One Time Pad cannot be realized in practice.Goal: short seed, but long keystream.



Stream Ciphers



Each state transition of the FSM gives one newoutput.

FSM has finite no. of states.So the output sequence must have a period.One Time Pad cannot be realized in practice.Goal: short seed, but long keystream.



Stream Ciphers



Each state transition of the FSM gives one newoutput.FSM has finite no. of states.

So the output sequence must have a period.One Time Pad cannot be realized in practice.Goal: short seed, but long keystream.



Stream Ciphers



Each state transition of the FSM gives one newoutput.FSM has finite no. of states.So the output sequence must have a period.

One Time Pad cannot be realized in practice.Goal: short seed, but long keystream.



Stream Ciphers



Each state transition of the FSM gives one newoutput.FSM has finite no. of states.So the output sequence must have a period.One Time Pad cannot be realized in practice.

Goal: short seed, but long keystream.



Stream Ciphers



Each state transition of the FSM gives one newoutput.FSM has finite no. of states.So the output sequence must have a period.One Time Pad cannot be realized in practice.Goal: short seed, but long keystream.



Stream Ciphers


Linear Congruential Generator

xn = axn−1 + b(modm).

x0 is the initial seed.a,b,m are parameters.Example: C library function rand().Suitable for experimental purposes, butcryptographically not secure.Same is true for any polynomial congruentialgenerator.



Stream Ciphers







Stream Ciphers




x0 is the initial seed.

a,b,m are parameters.Example: C library function rand().Suitable for experimental purposes, butcryptographically not secure.Same is true for any polynomial congruentialgenerator.



Stream Ciphers




x0 is the initial seed.a,b,m are parameters.

Example: C library function rand().Suitable for experimental purposes, butcryptographically not secure.Same is true for any polynomial congruentialgenerator.



Stream Ciphers




x0 is the initial seed.a,b,m are parameters.Example: C library function rand().

Suitable for experimental purposes, butcryptographically not secure.Same is true for any polynomial congruentialgenerator.



Stream Ciphers




x0 is the initial seed.a,b,m are parameters.Example: C library function rand().Suitable for experimental purposes, butcryptographically not secure.

Same is true for any polynomial congruentialgenerator.



Stream Ciphers







Stream Ciphers


Blum-Blum-Shub (BBS) Generator

Choose two large primes p,q both congruent to3 mod 4.Set n = pq and choose a random integer x relativelyprime to n.Set initial seed x0 = x2(modn).j-th output is given by xj = x2

j−1(modn).Has provable security, but too slow for practical use.



Stream Ciphers



Choose two large primes p,q both congruent to3 mod 4.

Set n = pq and choose a random integer x relativelyprime to n.Set initial seed x0 = x2(modn).j-th output is given by xj = x2




Stream Ciphers



Choose two large primes p,q both congruent to3 mod 4.Set n = pq and choose a random integer x relativelyprime to n.

Set initial seed x0 = x2(modn).j-th output is given by xj = x2




Stream Ciphers



Choose two large primes p,q both congruent to3 mod 4.Set n = pq and choose a random integer x relativelyprime to n.Set initial seed x0 = x2(modn).

j-th output is given by xj = x2j−1(modn).

Has provable security, but too slow for practical use.



Stream Ciphers




j−1(modn).

Has provable security, but too slow for practical use.



Stream Ciphers






Roadmap





Stream Ciphers

Hardware Stream CiphersSoftware Stream CiphersDistinguisher

General Model of Stream Ciphers



Stream Ciphers


Need for Initialization Vector (IV)

The same key always produces the same keystream.Repeated use of the same key is just as bad asreusing a one-time pad.As a remedy, the IV is combined with the secret keyto form the effective key for the correspondingsession of the cipher, called a session key.Different session keys make the output of the streamcipher different in each session, even if the same keyis used.



Stream Ciphers



The same key always produces the same keystream.

Repeated use of the same key is just as bad asreusing a one-time pad.As a remedy, the IV is combined with the secret keyto form the effective key for the correspondingsession of the cipher, called a session key.Different session keys make the output of the streamcipher different in each session, even if the same keyis used.



Stream Ciphers



The same key always produces the same keystream.Repeated use of the same key is just as bad asreusing a one-time pad.

As a remedy, the IV is combined with the secret keyto form the effective key for the correspondingsession of the cipher, called a session key.Different session keys make the output of the streamcipher different in each session, even if the same keyis used.



Stream Ciphers



The same key always produces the same keystream.Repeated use of the same key is just as bad asreusing a one-time pad.As a remedy, the IV is combined with the secret keyto form the effective key for the correspondingsession of the cipher, called a session key.

Different session keys make the output of the streamcipher different in each session, even if the same keyis used.



Stream Ciphers



The same key always produces the same keystream.Repeated use of the same key is just as bad asreusing a one-time pad.As a remedy, the IV is combined with the secret keyto form the effective key for the correspondingsession of the cipher, called a session key.Different session keys make the output of the streamcipher different in each session, even if the same keyis used.



Stream Ciphers


Hardware vs. Software Stream Ciphers

Hardware Stream Ciphers.LFSRs are used as linear elements.Combining functions (may be with some amount ofmemory) are used as nonlinear elements.

Software Stream Ciphers.May use word-based LFSR / NFSRs.May use arrays, modular additions and otheroperators.



Stream Ciphers



Hardware Stream Ciphers.

LFSRs are used as linear elements.Combining functions (may be with some amount ofmemory) are used as nonlinear elements.




Stream Ciphers



Hardware Stream Ciphers.LFSRs are used as linear elements.

Combining functions (may be with some amount ofmemory) are used as nonlinear elements.




Stream Ciphers







Stream Ciphers




Software Stream Ciphers.

May use word-based LFSR / NFSRs.May use arrays, modular additions and otheroperators.



Stream Ciphers




Software Stream Ciphers.May use word-based LFSR / NFSRs.

May use arrays, modular additions and otheroperators.



Stream Ciphers







Stream Ciphers


Bit-oriented LFSR⊕ ⊕

b5 b4 b3 b2 b1 b0

⊕ ⊕b6 b5 b4 b3 b2 b1 b0

Figure: LFSR: one step evolution

Recurrence Relation: xn+6 = xn+4 ⊕ xn+1 ⊕ xn

Polynomial over GF (2): x6 + x4 + x1 + 1



Stream Ciphers



b5 b4 b3 b2 b1 b0

⊕ ⊕b6 b5 b4 b3 b2 b1 b0



Polynomial over GF (2): x6 + x4 + x1 + 1



Stream Ciphers



b5 b4 b3 b2 b1 b0

⊕ ⊕b6 b5 b4 b3 b2 b1 b0



Polynomial over GF (2): x6 + x4 + x1 + 1GOUTAM PAUL Random Number Generation and Stream Cipher Slide 28 of 51


Stream Ciphers


Bit-oriented LFSR (cont’d.)

Primitive polynomial provides maximum length cycle,2d − 1 for degree d . Well known as m-sequence.By itself, not cryptographically secure, but usefulbuilding block for pseudo-randomness.Easy and efficient implementation in hardware, usingregisters (Flip-Flops) and simple logic gates.Deep mathematical development for a long time.



Stream Ciphers



Primitive polynomial provides maximum length cycle,2d − 1 for degree d . Well known as m-sequence.

By itself, not cryptographically secure, but usefulbuilding block for pseudo-randomness.Easy and efficient implementation in hardware, usingregisters (Flip-Flops) and simple logic gates.Deep mathematical development for a long time.



Stream Ciphers



Primitive polynomial provides maximum length cycle,2d − 1 for degree d . Well known as m-sequence.By itself, not cryptographically secure, but usefulbuilding block for pseudo-randomness.

Easy and efficient implementation in hardware, usingregisters (Flip-Flops) and simple logic gates.Deep mathematical development for a long time.



Stream Ciphers



Primitive polynomial provides maximum length cycle,2d − 1 for degree d . Well known as m-sequence.By itself, not cryptographically secure, but usefulbuilding block for pseudo-randomness.Easy and efficient implementation in hardware, usingregisters (Flip-Flops) and simple logic gates.

Deep mathematical development for a long time.



Stream Ciphers



Primitive polynomial provides maximum length cycle,2d − 1 for degree d . Well known as m-sequence.By itself, not cryptographically secure, but usefulbuilding block for pseudo-randomness.Easy and efficient implementation in hardware, usingregisters (Flip-Flops) and simple logic gates.Deep mathematical development for a long time.



Stream Ciphers


Attacking the LFSR-based PRNGs

Suppose we know the segment 011010111100 of akeystream sequence.We also know that it is generated by some LFSR.We do not necessarily know the length of therecurrence.We need to determine the coefficients.



Stream Ciphers



Suppose we know the segment 011010111100 of akeystream sequence.

We also know that it is generated by some LFSR.We do not necessarily know the length of therecurrence.We need to determine the coefficients.



Stream Ciphers



Suppose we know the segment 011010111100 of akeystream sequence.We also know that it is generated by some LFSR.

We do not necessarily know the length of therecurrence.We need to determine the coefficients.



Stream Ciphers



Suppose we know the segment 011010111100 of akeystream sequence.We also know that it is generated by some LFSR.We do not necessarily know the length of therecurrence.

We need to determine the coefficients.



Stream Ciphers



Suppose we know the segment 011010111100 of akeystream sequence.We also know that it is generated by some LFSR.We do not necessarily know the length of therecurrence.We need to determine the coefficients.



Stream Ciphers


Try with Length 2

xn+2 = c0xn + c1xn+1.

[0 11 1

] [c0

c1

]=

[10

]Solution: c0 = 1, c1 = 1.But x6 6= x4 + x5.



Stream Ciphers


Try with Length 2

xn+2 = c0xn + c1xn+1.[0 11 1

] [c0

c1

]=

[10

]

Solution: c0 = 1, c1 = 1.But x6 6= x4 + x5.



Stream Ciphers


Try with Length 2

xn+2 = c0xn + c1xn+1.[0 11 1

] [c0

c1

]=

[10

]Solution: c0 = 1, c1 = 1.

But x6 6= x4 + x5.



Stream Ciphers


Try with Length 2

xn+2 = c0xn + c1xn+1.[0 11 1

] [c0

c1

]=

[10

]Solution: c0 = 1, c1 = 1.But x6 6= x4 + x5.



Stream Ciphers


Try with Length 3

xn+3 = c0xn + c1xn+1 + c2xn+2.

0 1 11 1 01 0 1

c0

c1

c2

=

010

Solution: ?



Stream Ciphers


Try with Length 3

xn+3 = c0xn + c1xn+1 + c2xn+2.0 1 11 1 01 0 1

c0

c1

c2

=

010

Solution: ?



Stream Ciphers


Try with Length 3

xn+3 = c0xn + c1xn+1 + c2xn+2.0 1 11 1 01 0 1

c0

c1

c2

=

010

Solution: ?



Stream Ciphers


Try with Length 4

xn+4 = c0xn + c1xn+1 + c2xn+2 + c3xn+3.

0 1 1 01 1 0 11 0 1 00 1 0 1

c0

c1

c2

c3

=

1011

Solution: c0 = 1, c1 = 1, c2 = 0, c3 = 0.



Stream Ciphers


Try with Length 4

xn+4 = c0xn + c1xn+1 + c2xn+2 + c3xn+3.0 1 1 01 1 0 11 0 1 00 1 0 1

c0

c1

c2

c3

=

1011

Solution: c0 = 1, c1 = 1, c2 = 0, c3 = 0.



Stream Ciphers


Try with Length 4

xn+4 = c0xn + c1xn+1 + c2xn+2 + c3xn+3.0 1 1 01 1 0 11 0 1 00 1 0 1

c0

c1

c2

c3

=

1011

Solution: c0 = 1, c1 = 1, c2 = 0, c3 = 0.



Stream Ciphers


General Problem

xn+m = c0xn + c1xn+1 + . . . + cm−1xn+m−1

x1 x2 . . . xm

x2 x3 . . . xm+1...

... . . . ...xm xm+1 . . . x2m−1

c0

c1...

cm−1

=

xm+1

xm+2...

x2m

Result: The m ×m matrix is invertible mod2, iff there isno linear recurrence relation of length less than m that issatisfied by the 2m values x1, x2, . . . , x2m.



Stream Ciphers


General Problem

xn+m = c0xn + c1xn+1 + . . . + cm−1xn+m−1x1 x2 . . . xm

x2 x3 . . . xm+1...

... . . . ...xm xm+1 . . . x2m−1

c0

c1...

cm−1

=

xm+1

xm+2...

x2m




Stream Ciphers


General Problem

xn+m = c0xn + c1xn+1 + . . . + cm−1xn+m−1x1 x2 . . . xm

x2 x3 . . . xm+1...

... . . . ...xm xm+1 . . . x2m−1

c0

c1...

cm−1

=

xm+1

xm+2...

x2m




Stream Ciphers


Nonlinear Combiner Model

Take n LFSRs of different length (may be pairwiseprime).Initialize them with seeds.In each clock, take the n-many outputs from theLFSRs, which are fed as n-inputs to an n-variableBoolean function.May be some memory element is added.



Stream Ciphers



Take n LFSRs of different length (may be pairwiseprime).

Initialize them with seeds.In each clock, take the n-many outputs from theLFSRs, which are fed as n-inputs to an n-variableBoolean function.May be some memory element is added.



Stream Ciphers



Take n LFSRs of different length (may be pairwiseprime).Initialize them with seeds.

In each clock, take the n-many outputs from theLFSRs, which are fed as n-inputs to an n-variableBoolean function.May be some memory element is added.



Stream Ciphers



Take n LFSRs of different length (may be pairwiseprime).Initialize them with seeds.In each clock, take the n-many outputs from theLFSRs, which are fed as n-inputs to an n-variableBoolean function.

May be some memory element is added.



Stream Ciphers



Take n LFSRs of different length (may be pairwiseprime).Initialize them with seeds.In each clock, take the n-many outputs from theLFSRs, which are fed as n-inputs to an n-variableBoolean function.May be some memory element is added.



Stream Ciphers


Nonlinear Filter-Generator Model

Take one LFSR.Initialize that with a seed.In each clock, take the n-many outputs from theLFSR from different locations, which are fed asn-inputs to an n-variable Boolean function.May be considered with additional memory element.The Boolean function and memory together form aFinite State Machine.



Stream Ciphers



Take one LFSR.

Initialize that with a seed.In each clock, take the n-many outputs from theLFSR from different locations, which are fed asn-inputs to an n-variable Boolean function.May be considered with additional memory element.The Boolean function and memory together form aFinite State Machine.



Stream Ciphers



Take one LFSR.Initialize that with a seed.

In each clock, take the n-many outputs from theLFSR from different locations, which are fed asn-inputs to an n-variable Boolean function.May be considered with additional memory element.The Boolean function and memory together form aFinite State Machine.



Stream Ciphers



Take one LFSR.Initialize that with a seed.In each clock, take the n-many outputs from theLFSR from different locations, which are fed asn-inputs to an n-variable Boolean function.

May be considered with additional memory element.The Boolean function and memory together form aFinite State Machine.



Stream Ciphers



Take one LFSR.Initialize that with a seed.In each clock, take the n-many outputs from theLFSR from different locations, which are fed asn-inputs to an n-variable Boolean function.May be considered with additional memory element.

The Boolean function and memory together form aFinite State Machine.



Stream Ciphers



Take one LFSR.Initialize that with a seed.In each clock, take the n-many outputs from theLFSR from different locations, which are fed asn-inputs to an n-variable Boolean function.May be considered with additional memory element.The Boolean function and memory together form aFinite State Machine.



Stream Ciphers


Boolean Function: Cryptographic Properties

BALANCEDNESS: Necessary to achievePseudo-Random sequence

ALGEBRAIC DEGREE: To achieve high Linear Complexity

NONLINEARITY: For higher Confusion and resistanceagainst: Best Affine Approximation (BAA) Attack andLinear Cryptanalysis.

AUTOCORRELATION: To achieve higher Diffusion, and toresist Differential Cryptanalysis.

CORRELATION IMMUNITY: To resist Correlation Attack

ALGEBRAIC IMMUNITY: To resist Algebraic Attack



Stream Ciphers











Stream Ciphers











Stream Ciphers











Stream Ciphers











Stream Ciphers











Stream Ciphers











Stream Ciphers


Hardware Stream Ciphers: Current Trends

Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.Registers are memory words.S-boxes are multiple output Boolean functions.



Stream Ciphers



Nonlinear Filter Generator Model With Memory.

More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.Registers are memory words.S-boxes are multiple output Boolean functions.



Stream Ciphers



Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)

Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.Registers are memory words.S-boxes are multiple output Boolean functions.



Stream Ciphers



Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.

GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.Registers are memory words.S-boxes are multiple output Boolean functions.



Stream Ciphers



Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?

FSM contains S-boxes and Registers.Registers are memory words.S-boxes are multiple output Boolean functions.



Stream Ciphers



Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.

Registers are memory words.S-boxes are multiple output Boolean functions.



Stream Ciphers



Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.Registers are memory words.

S-boxes are multiple output Boolean functions.



Stream Ciphers



Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.Registers are memory words.S-boxes are multiple output Boolean functions.



Stream Ciphers


Design Principle

Initially, stream ciphers were targeted towardshardware only.Later, software stream ciphers became popular dueto their speed and efficiency compared to softwareimplementation of block ciphers.Typically consists of two modules:

KSA : key × IV→ internal state andPRGA : internal state→ keystream word.



Stream Ciphers


Design Principle

Initially, stream ciphers were targeted towardshardware only.

Later, software stream ciphers became popular dueto their speed and efficiency compared to softwareimplementation of block ciphers.Typically consists of two modules:




Stream Ciphers


Design Principle

Initially, stream ciphers were targeted towardshardware only.Later, software stream ciphers became popular dueto their speed and efficiency compared to softwareimplementation of block ciphers.

Typically consists of two modules:KSA : key × IV→ internal state andPRGA : internal state→ keystream word.



Stream Ciphers


Design Principle

Initially, stream ciphers were targeted towardshardware only.Later, software stream ciphers became popular dueto their speed and efficiency compared to softwareimplementation of block ciphers.Typically consists of two modules:




Stream Ciphers


An Example: RC4 (Ron Rivest, 1987)

Wide commercial applications SSL, TLS, WEP, WPA,AOCE, Microsoft Windows, Lotus Notes, OracleSecure SQL etc.Generally used with 5 to 16 bytes key, thoughprovision for 256 bytes key is there.Uses a permutation over Z256 as the internal state.Operations: Swaps and Modulo 256 additions.



Stream Ciphers



Wide commercial applications SSL, TLS, WEP, WPA,AOCE, Microsoft Windows, Lotus Notes, OracleSecure SQL etc.

Generally used with 5 to 16 bytes key, thoughprovision for 256 bytes key is there.Uses a permutation over Z256 as the internal state.Operations: Swaps and Modulo 256 additions.



Stream Ciphers



Wide commercial applications SSL, TLS, WEP, WPA,AOCE, Microsoft Windows, Lotus Notes, OracleSecure SQL etc.Generally used with 5 to 16 bytes key, thoughprovision for 256 bytes key is there.

Uses a permutation over Z256 as the internal state.Operations: Swaps and Modulo 256 additions.



Stream Ciphers



Wide commercial applications SSL, TLS, WEP, WPA,AOCE, Microsoft Windows, Lotus Notes, OracleSecure SQL etc.Generally used with 5 to 16 bytes key, thoughprovision for 256 bytes key is there.Uses a permutation over Z256 as the internal state.

Operations: Swaps and Modulo 256 additions.



Stream Ciphers



Wide commercial applications SSL, TLS, WEP, WPA,AOCE, Microsoft Windows, Lotus Notes, OracleSecure SQL etc.Generally used with 5 to 16 bytes key, thoughprovision for 256 bytes key is there.Uses a permutation over Z256 as the internal state.Operations: Swaps and Modulo 256 additions.



Stream Ciphers


RC4 KSA

0 1 2 i j 255

· · · · · ·

Initialize S-box to identity permutation of{0,1, . . . ,255}Initialize counter: j = 0;for i = 0, . . . ,255

j = j + S[i] + K [i];Swap: S[i]↔ S[j];



Stream Ciphers


RC4 PRGA

0 1 2 S[i ] + S[j ] i j 254 255

· · · · · · · · ·

Z �

Initialize the counters: i = j = 0;While you need keystream bytes

Increment counters i = i + 1 and j = j + S[i];Swap S[i]↔ S[j];Output Z = S[S[i] + S[j]];



Stream Ciphers


Software Stream Ciphers: Current Trends

Word oriented design.Complicated Functions and Operations.Huge Internal State.



Stream Ciphers



Word oriented design.

Complicated Functions and Operations.Huge Internal State.



Stream Ciphers



Word oriented design.Complicated Functions and Operations.

Huge Internal State.



Stream Ciphers



Word oriented design.Complicated Functions and Operations.Huge Internal State.



Stream Ciphers


Basic Idea

An event that distinguishes the keystream from auniformly random stream.For a stream cipher, the event is based on somecombination of the keystream bits.The attack complexity is given by the number ofsamples required for a given success probability.



Stream Ciphers


Basic Idea

An event that distinguishes the keystream from auniformly random stream.

For a stream cipher, the event is based on somecombination of the keystream bits.The attack complexity is given by the number ofsamples required for a given success probability.



Stream Ciphers


Basic Idea

An event that distinguishes the keystream from auniformly random stream.For a stream cipher, the event is based on somecombination of the keystream bits.

The attack complexity is given by the number ofsamples required for a given success probability.



Stream Ciphers


Basic Idea

An event that distinguishes the keystream from auniformly random stream.For a stream cipher, the event is based on somecombination of the keystream bits.The attack complexity is given by the number ofsamples required for a given success probability.



Stream Ciphers


The Setup

Event A, P(A) = p.

Define Xr = 1, if A occurs in r -th sample, else it is 0.

If we observe n samples,n∑

r=1

Xr ∼ B(n,p).

When Xr ’s are i.i.d. and n is large enough,n∑

r=1

Xr ∼ N (np,np(1− p)) .



Stream Ciphers


The SetupEvent A, P(A) = p.



r=1

Xr ∼ B(n,p).


r=1

Xr ∼ N (np,np(1− p)) .



Stream Ciphers





r=1

Xr ∼ B(n,p).


r=1

Xr ∼ N (np,np(1− p)) .



Stream Ciphers




If we observe n samples,

n∑r=1

Xr ∼ B(n,p).


r=1

Xr ∼ N (np,np(1− p)) .



Stream Ciphers





r=1

Xr ∼ B(n,p).


r=1

Xr ∼ N (np,np(1− p)) .



Stream Ciphers





r=1

Xr ∼ B(n,p).

When Xr ’s are i.i.d. and n is large enough,

n∑r=1

Xr ∼ N (np,np(1− p)) .



Stream Ciphers





r=1

Xr ∼ B(n,p).


r=1

Xr ∼ N (np,np(1− p)) .



Stream Ciphers


Hypothesis Testing Approach

TestH0 : p = p0(1 + ε), ε > 0,

againstH1 : p = p0.



Stream Ciphers



TestH0 : p = p0(1 + ε), ε > 0,

againstH1 : p = p0.



Stream Ciphers



TestH0 : p = p0(1 + ε), ε > 0,

againstH1 : p = p0.



Stream Ciphers


Bounding the Errors

The objective is to find a threshold c in [np0,np0(1 + ε)]such that

P

(n∑

r=1

Xr ≤ c | H0

)≤ α

and

P

(n∑

r=1

Xr > c | H1

)≤ β.



Stream Ciphers


Bounding the Errors


P

(n∑

r=1

Xr ≤ c | H0

)≤ α

and

P

(n∑

r=1

Xr > c | H1

)≤ β.



Stream Ciphers


Bounding the Errors


P

(n∑

r=1

Xr ≤ c | H0

)≤ α

and

P

(n∑

r=1

Xr > c | H1

)≤ β.



Stream Ciphers


Bounding the Errors


P

(n∑

r=1

Xr ≤ c | H0

)≤ α

and

P

(n∑

r=1

Xr > c | H1

)≤ β.



Stream Ciphers


Necessary Condition

For such a c to exist,

np0(1 + ε)− κ1σ1 > np0 + κ2σ2,

where

σ21 = np0(1 + ε) (1− p0(1 + ε)) ,

σ22 = np0(1− p0),

Φ(−κ1) = α

and Φ(κ2) = 1− β.



Stream Ciphers


Necessary Condition


np0(1 + ε)− κ1σ1 > np0 + κ2σ2,

where

σ21 = np0(1 + ε) (1− p0(1 + ε)) ,

σ22 = np0(1− p0),

Φ(−κ1) = α

and Φ(κ2) = 1− β.



Stream Ciphers


Necessary Condition


np0(1 + ε)− κ1σ1 > np0 + κ2σ2,

where

σ21 = np0(1 + ε) (1− p0(1 + ε)) ,

σ22 = np0(1− p0),

Φ(−κ1) = α

and Φ(κ2) = 1− β.



Stream Ciphers


How Many Samples Required?

When p0, ε� 1,

n >(κ1 + κ2)2

p0ε2 .

κ1 = κ2 = 0.5 gives α = β = 1− 0.6915 and at least 1p0ε2

samples are required.



Stream Ciphers


How Many Samples Required?

When p0, ε� 1,

n >(κ1 + κ2)2

p0ε2 .

κ1 = κ2 = 0.5 gives α = β = 1− 0.6915 and at least 1p0ε2

samples are required.



Stream Ciphers


Example of a Distinguisher

RC4 2nd byte.Attack on Broadcast.



Stream Ciphers



RC4 2nd byte.

Attack on Broadcast.



Stream Ciphers



RC4 2nd byte.Attack on Broadcast.



Stream Ciphers


I end my talk here ...

Thank You

Homepage: http://www.goutampaul.comEmail: [email protected]


http://www.goutampaul.com

[email protected]

Date post:	14-Aug-2020
Category:	Documents
Upload:	others
View:	11 times
Download:	0 times

Random Number Generation and Stream Cipher Random Number...Random Number Generation and Stream...

Documents