斯坦福密码学课程-笔记-02-Stream Ciphers流密码

02-流密码 Stream Ciphers

The One Time Pad

Symmetric Ciphers: definition

Def: a cipher defined over $(K,M,C)$ is a pair of “efficient” algorithms $(E,D)$ where

$K$: the set of all possible keys (also called key space)
$M$: the set of all possible messages
$C$: the set of all possible ciphertexts
$E$: the encryption algorithm
$D$: the decryption algorithm

$E:K\times M\to C$
$D:K\times C\to M$

$\forall m\in M,k\in K,D(k,E(k,m))=m$
[Consistency Equation]

$E$ is often randomized, $D$ is often deterministic

The One Time Pad (Vernam 1917)

First example of a secure" cipher

M = C = { 0 , 1 } n M=C=\{0,1\}^n M=C={0,1}n
K = { 0 , 1 } n K=\{0,1\}^n K={0,1}n
$Key=$(rand. bit string as long as msg.)

$c:=E(k,m)=k\oplus m$
$D(k,c)=k\oplus c$

$Indeed:D(k,E(k,m))=D(k,k\oplus m)=k\oplus (k\oplus m)=m$

Very fast enc/dec !!
… but long keys (as long as plaintext)

Is OTP a good cipher? What is a good cipher?

Information Theoretic Security (Shannon 1949)

Basic idea: CT should reveal no “info” about PT

Def: Acipher $(E,D)$ over $(K,M,C)$ has perfect secrecy if

$\forall m_0,m_1\in M,(|m_0|=|m_1|)$ and $\forall c\in C$,
$Pr[E(k,m_0)=c]=Pr[E(k,m_1)=c]$
where $k\stackrel{R}{\leftarrow }K$

• Given CT can’t tell if msg. is $m_0$ or $m_1$ (for all $m_0,m_1$)
• most powerful adversary learns nothing about PT from CT
• no CT only attack !! (but other attacks may be possible)

Lemma: OTP has perfect secrecy
Proof:
$\forall m,c:Pr[E(k,m)=c]=\frac{\#keys,k\in K,s.t,E(k,m)=c}{|K|}$
so: ∀ m , c : # { k ∈ K : E ( k , m ) = c } = c o n s t . \forall m,c: \#\{k\in K: E(k,m)=c\}=const. ∀m,c:#{k∈K:E(k,m)=c}=const.
$⟹$ cipher has perfect secrecy

The bad news …

Thm: perfect secrecy $⟹|K|\ge |M|$

Symmetric Encryption

Stream Cipher: making OPT practical

idea: replace “random” key by “pseudorandom” key

pseudo-random generator (PRG): is a func. G : { 0 , 1 } s → { 0 , 1 } n , n > > s G:\{0,1\}^s\rightarrow\{0,1\}^n,n>>s G:{0,1}s→{0,1}n,n>>s
{ 0 , 1 } s \{0,1\}^s {0,1}s: seed space
{ 0 , 1 } n \{0,1\}^n {0,1}n: output

(“efficient” computable by deterministic algorithm)

$c=E(k,m)=m\oplus G(k)$
$D(c,m)=c\oplus G(k)$

Stream cipher cannot have perfect secrecy !!

• Need a different definition of secrecy
• Security will depend on specific PRG

PRG must be unpredictable

suppose PRG is predictable
$\exists i:G(k{)}_{1,2,\cdots ,i}\stackrel{alg.}{⟶}G(k{)}_{i+1}$
is a problem !!

We say G : K → { 0 , 1 } n G: K\rightarrow\{0,1\}^n G:K→{0,1}n is predictable if:
$\exists$ eff. alg. $A$ and $\exists 1\le i\le n-1$
$s.t.P{r}_{k\stackrel{R}{\leftarrow }K}[A(G(k){)}_{1,\cdots ,i}=G(k{)}_{i+1}]\ge \frac{1}{2}+ϵ$
For some “non-negligible” $ϵ$

Def: PRG is unpredictable if it is not predictable
$⟹$$\forall i:$ no “eff.” adversary can predict bit $(i+1)$ for “non-neg.” $ϵ$

Weak PRGs (do not use for crypto)

• Linear Congruential Generator
  $r[0]\equiv seed,r[i]\leftarrow a\cdot r[i-1]+b(modp)$
  output few bits of $r[i]$
  [easy to pred. !!]

• glibc random()
  $r[i]\leftarrow (r[i-3]+r[i-31])$
  output $r[i]>>1$

never use random() for crypto !!

Negligible and non-negligible

In practice: $ϵ$ is a scalar and

• $ϵ$ non-neg.: $ϵ\ge 1/2^{30}$ (likely to happen over 1GB of data)
• $ϵ$ negligible: $ϵ\le 1/2^{80}$ (won’t happen over life of key)

In theory: $ϵ$ is a function $ϵ:Z^{\ge 0}\to R^{\ge 0}$ and

• $ϵ$ non-neg.: $\exists d:ϵ(\lambda )\ge 1/{\lambda }^d$ inf. often ($ϵ\ge 1/poly$, for many $\lambda$)
• $ϵ$ negligible.: $\forall d,\lambda \ge {\lambda }_d:ϵ(\lambda )\le 1/{\lambda }^d$

Few Examples

$ϵ(\lambda )=1/2^{\lambda }$: negligible
$ϵ(\lambda )=1/2^{1000}$: non-negligible

$ϵ(\lambda )=\{\begin{array}{ll}1/2^{\lambda }& forodd\lambda \\ 1/2^{1000}& foreven\lambda \end{array}$: Non-negligible

Attacks on OTP and stream ciphers

Attack 1: two time pad is insecure !!

Never use stream cipher key more than once !!

$c_1\leftarrow m_1\oplus PRG(k)$
$c_2\leftarrow m_2\oplus PRG(k)$

Eavesdropper does:
$c_1\oplus c_2\to m_1\oplus m_2$
Enough redundancy in English and ASCII encoding that:
$m_1\oplus m_2\to m_1,m_2$

Real world examples

• Project Venona (1941-1946)

• MS-PPTP(windows NT)
  
  Need different keys for $C\to S$ and $S\to C$
  $k=(k_{S\to C},k_{C\to S})$

• 802.11b WEP:
  
  Length of $IV$: 24 bits

• Repeated $IV$ after $2^{24}\approx 16M$ frames

• On some 802.11 cards: $IV$ resets to $0$ after power cycle

For PRG in WEP (RC4) :
(by Fluhrer, Mantin, Shamir, 2011): 10^6 Frame can recover $k$
Recently: 40000 Frames sufficient

WEP provides no security:

1. it can resolve in the two time pad
2. keys are closely related, possible to recover the key by watching just a few cipher texts

A better construction

$k\stackrel{PRG}{⟶}$ long stream of bits look essentially random

$⟹$ now each frame has a pseudorandom key

Yet another example: disk encryption

if one change takes place, the it’s very easy to tell where that change occurred.

Two time pad: summary

Never use stream cipher key more than once !!

• Network traffic: negotiate new key for every session (e.g. TLS)
• Disk encryption: typically do not use a stream cipher

Attack 2: no integrity (OTP is malleable)

Modification ciphertext are undetected and have predictable impact on plaintext.

$Bob\to 426F62$
$Eve\to 457665$
$Bob\oplus Eve\to 071907$

Example Stream Ciphers

Old example (software): RC4 (1987)

• Used in HTTPS and WEP
• Weaknesses:
  1. Bias in initial output: $Pr[2^{nd}byte=0]=2/256$ ()
  2. Prob. of $(0,0)$ is $1/256^2+1/256^3$
  3. Related key attacks

Old example (hardware): CSS (badly broken)

Linear feedback shift register (LFSR):

• Examples:[All broken]
  DVD encryption (CSS): 2 LFSRs
  GSM encryption(A5/1,2): 3 LFSRs
  Bluetooth(E0): 4 LFSRs

CSS: $seed=5bytes=40bits$

Easy to break $\approx 2^{17}times$:
suppose knowing first 20bytes of message
$⟶$ first 20bytes of message $\oplus$ first 20bytes of ciphertext $=$ first 20bytes of stream cipher
$⟶$ try all 17-bits LFSR
$⟶$ get stream cipher of 25-bits LFSR (Check if right or not)

Modern stream ciphers: eStream(2008)

P R G : { 0 , 1 } s × R → { 0 , 1 } n PRG: \{0,1\}^s\times R\to\{0,1\}^n PRG:{0,1}s×R→{0,1}n
$n>>s$

{ 0 , 1 } s \{0,1\}^s {0,1}s: seed
$R$: nonce
(Nonce: a non-repeating value for a given key)

$E(k,m;r)=m\oplus PRG(k;r)$
The pair $(k,r)$ is never used more than once.
$⟹$ reuse the key because $(k,r)$ unique.

eStream: Salsa 20 (Software+Hardware)

Salsa20: { 0 , 1 } 128 o r 256 × { 0 , 1 } 64 → { 0 , 1 } n \{0,1\}^{128or256}\times\{0,1\}^{64}\to \{0,1\}^n {0,1}128or256×{0,1}64→{0,1}n

$Salsa20(k;r):=H(k,(r,0))||H(k,(r,1))...$

h: invertible function. designed to be fast on x86 (SSE2)

PRG Security Defs

Let G : K → { 0 , 1 } n G:K\to\{0,1\}^n G:K→{0,1}n be a PRG

Goal: define what it means that
$[k\stackrel{R}{\leftarrow }K,outputG(k)]$
is “indistinguishable” from
[ r ← R { 0 , 1 } n , o u t p u t   r ] [r\overset{R}{\leftarrow}\{0,1\}^n,output\ r] [r←R{0,1}n,output r]

Statistical Tests

Statistical test on { 0 , 1 } n \{0,1\}^n {0,1}n：
an alg. $A$ s.t. $A(x)$ outputs “0” or “1”

Examples:

1. $|\#0(x)-\#1(x)|\le 10\sqrt{n}$
2. $|\#00(x)-n/4|\le 10\sqrt{n}$
3. $longestsequenceof0\le 10\cdot {\log }_2(n)$

($\#0(x)$: the number of ‘0’ in the string)

Advantage

Let G : K → { 0 , 1 } n G:K\to\{0,1\}^n G:K→{0,1}n be a PRG and $A$ a stat.test on { 0 , 1 } n \{0,1\}^n {0,1}n

Define:
A d v P R G [ A , G ] : = ∣ P k ← R K [ A ( G ( k ) ) = 1 ] − P r ← R { 0 , 1 } n [ A ( r ) = 1 ] ∣ ∈ [ 0 , 1 ] \displaystyle Adv_{PRG}[A,G]:=|P_{k\overset{R}{\leftarrow}K}[A(G(k))=1]-P_{r\overset{R}{\leftarrow}\{0,1\}^n}[A(r)=1]|\in[0,1] AdvPRG​[A,G]:=∣Pk←RK​[A(G(k))=1]−Pr←R{0,1}n​[A(r)=1]∣∈[0,1]

Adv close to 1 $⟹$ $A$ can distinguish G from rand.
Adv close to 0 $⟹$ $A$ cannot distinguish G from rand.

Example:

Suppose G : K → { 0 , 1 } n G:K\to\{0,1\}^n G:K→{0,1}n satisfies $msb(G(k))=1$ for $2/3$ of keys in $K$
Define stat. test $A$ as:
if $[msb(x)=1]$ output “1” else output “0”

Then
$Ad{v}_{PRG}[A,G]=|P[A(G(k))=1]-P[A(r)=1]|=|2/3-1/2|=1/6$
$⟹A$ breaks $G$ with adv. $1/6$

Secure PRGs: crypto definition

Def: We say that G : K → { 0 , 1 } n G:K\to\{0,1\}^n G:K→{0,1}n is a secure PRG if
$\forall$ “eff.” stat. test $A$: $Ad{v}_{PRG}[A,G]$ is “negligible”

Are there provably secure PRGs?
Unknown !! ($⟹P\ne NP$)
but we have heuristic candidates

Easy fact: a secure PRG is unpredictable

We show: PRG predictable $\Rightarrow$ PRG is insecure

Suppose $A$ is an efficient algorithm s.t.
$P_{k\stackrel{R}{\leftarrow }K}[A(G(k){|}_{1,\cdots ,n})=G(k){|}_{i+1}]=1/2+ϵ$
for non-negligible $ϵ$ (e.g. $ϵ=1/1000$)

Define statistical test $B$ as:
$B(X)=\{\begin{array}{ll}ifA(X{|}_{1,\cdots ,i}=X_{i+1})& output1\\ else& output0\end{array}$

r ← R { 0 , 1 } n : P [ B ( r ) = 1 ] = 1 / 2 r\overset{R}{\leftarrow}\{0,1\}^n:P[B(r)=1]=1/2 r←R{0,1}n:P[B(r)=1]=1/2
$k\stackrel{R}{\leftarrow }K:P[B(r)=1]>1/2+ϵ$
$⟹Ad{v}_{PRG}[B,G]>ϵ$

Thm(Yao’82): an unpredictable PRG is secure

Let G : K → { 0 , 1 } n G:K\to\{0,1\}^n G:K→{0,1}n be PRG
“Thm”: if ∀ i ∈ { 0 , ⋯   , n − 1 } \forall i \in\{0,\cdots,n-1\} ∀i∈{0,⋯,n−1} PRG $G$ is unpredictable at pos. $i$, then $G$ is a secure PRG.

If next-bit predictors cannot distinguish $G$ from random then no statistical test can !!

More Generally

Let $P_1$ and $P_2$ be two distributions over { 0 , 1 } n \{0,1\}^n {0,1}n

Def: We say $P_1$ and $P_2$ are computationally indistinguishable(denoted $P_1{\approx }_p{P}_2$)
if $\forall$ “eff.” stat. tests $A$: $|P_{X\leftarrow P_1}[A(X)=1]-P_{X\leftarrow P_2}[A(X)=1]|<neg.$

Example: a PRG is secure if { k ← R K : G ( k ) } ≈ p u n i f o r m ( { 0 , 1 } n ) \{k\overset{R}{\leftarrow}K:G(k)\}\approx_{p} uniform(\{0,1\}^n) {k←RK:G(k)}≈p​uniform({0,1}n)

Semantic security

Goal: secure PRG $⟹$ “secure” stream cipher

What is a secure cipher?

Attacker’s abilities: obtains one ciphertext (for now)

Possible security requirements:
attempt #1: attacker cannot recover secret key
attempt #2: attacker cannot recover all of plaintext

Recall Shannon’s idea:
CT should reveal no “info” about PT

Recall Shannon’s perfect secrecy

Let $(E,D)$ be a cipher over $(K,M,C)$

$(E,D)$ has perfect secrecy if $\forall m_0,m_1\in M(|m_0|=|m_1|)$
{ E ( k , m 0 ) } = { E ( k , m 1 ) }   w h e r e   k ← K \{E(k,m_0)\}=\{E(k,m_1)\}\ where\ k\leftarrow K {E(k,m0​)}={E(k,m1​)} where k←K

$\Downarrow$weaken

$(E,D)$ has perfect secrecy if $\forall m_0,m_1\in M(|m_0|=|m_1|)$
{ E ( k , m 0 ) } ≈ p { E ( k , m 1 ) }   w h e r e   k ← K \{E(k,m_0)\}\approx_{p}\{E(k,m_1)\}\ where\ k\leftarrow K {E(k,m0​)}≈p​{E(k,m1​)} where k←K
but also need adversary to exhibit $m_0,m_1\in M$ explicitly

Semantic Security (one-time key)

For $b=0,1$ define experiments $EXP(0)$ and $EXP(1)$ as:

$Ad{v}_{SS}[A,E]:=|P[W_0]-P[W_1]|\in [0,1]$

Def: $E$ is semantically secure if for all efficient $A$,
$As{v}_{SS}[A,E]$ is negligible.

$\Rightarrow$ for all explicit m 0 , m 1 ∈ M : { E ( k , m 0 ) } ≈ p { E ( k , m 1 ) } m_0,m_1\in M: \{E(k,m_0)\}\approx_p\{E(k,m_1)\} m0​,m1​∈M:{E(k,m0​)}≈p​{E(k,m1​)}

Examples

Suppose efficient $A$ can always deduce LSB of PT from CT
$\Rightarrow E(E,D)$ is not semantically secure.

Any bit about the plaintext the adversary can be learned basically would mean that the system is not semantically secure.

OTP is semantically secure

Stream ciphers are semantically secure

Stream ciphers are semantically secure

Thm: G : K → { 0 , 1 } n G:K\to\{0,1\}^n G:K→{0,1}n is a secure PRG $\Rightarrow$ stream cipher $E$ derived from $G$ is sem. sec.

$\Downarrow$ the same as to prove

$\forall$ sem. sec. adversary $A$, $\exists$ a PRG adversary $B$,
$s.t.Ad{v}_{SS}[A,E]\le 2\cdot Ad{v}_{PRG}[B,G]$

Proof:
Let $A$ be a sem. sec. adversary

Claim 1: $|P[R_0]-P[R_1]|=Ad{v}_{SS}(A,OTP)=0$
Claim 2: $\exists B:|P[W_b]-P[R_b]|=Ad{v}_{PRG}(B,G)forb=0,1$

$\Rightarrow Ad{v}_{SS}[A,E]=|P[W_0]-P[W_1]|\le 2\cdot Ad{v}_{PRG}[B,G]$

Proof of Claim 2: $\exists B:|P[W_b]-P[R_b]|=Ad{v}_{PRG}(B,G)$