
Pseudorandom Bit Generators (PRBGs) and Stream Ciphers Based on Random Shuffle

Pseudorandom Bit Generators (PRBGs) and Stream Ciphers Based on Random Shuffle. Speaker: Souradyuti Paul, Computer Security and Industrial Cryptography (COSIC), Department of Electrical Engineering, Katholieke Universiteit Leuven, Belgium


Presentation Transcript


  1. Pseudorandom Bit Generators (PRBGs) and Stream Ciphers Based on Random Shuffle Speaker: Souradyuti Paul Computer Security and Industrial Cryptography (COSIC) Department of Electrical Engineering Katholieke Universiteit Leuven, Belgium Email: Souradyuti.Paul@esat.kuleuven.be CACR-Seminar

  2. Indian Statistical Institute, Kolkata. Master of Computer Sc. (2001)

  3. Katholieke Universiteit Leuven, Belgium, Ph.D. (2002- )

  4. My given name is Souradyuti. Meaning: Rays of Sun (in Bengali). My family name is Paul. But …..

  5. The rest of the world: Paul. Bengal: Souradyuti

  6. “What's in a Name?” - William Shakespeare

  7. Pseudorandom Bit Generators (PRBG) and Stream Ciphers Based on Random Shuffle. Speaker: Souradyuti Paul, Computer Security and Industrial Cryptography (COSIC), Department of Electrical Engineering, Katholieke Universiteit Leuven, Belgium. Email: Souradyuti.Paul@esat.kuleuven.be

  8. Overview • PRBG and Stream Cipher • Random Shuffle • RC4 • Basic Strengths and Weaknesses • Some attacks on RC4 • RC4A, VMPC, NGG, Py etc. • Conclusions and Remarks

  9. What is a Pseudorandom Bit Generator? • Deterministic algorithm, short input (seed) and long output • Distribution of output is computationally indistinguishable from the uniform distribution: on a uniformly selected seed an attacker (with limited resources) cannot distinguish output bits from random bits. [Diagram: seed → 011001001101001101010010…..]

  10. Stream Cipher from a Pseudorandom Bit Generator. [Diagram: seed → 011001001101001101010010….. ; bitwise XOR with Plaintext: 100101001000101001001110….. gives Ciphertext: 111100000101011001101100…]

  11. How to construct a Pseudorandom Bit Generator (I) • Well-structured methods: • Use number-theoretic hard problems such as the factorization problem, the discrete logarithm problem etc. • Elegant • Very slow because of heavy operations like modular exponentiation • Not very attractive for practical purposes

  12. How to construct a Pseudorandom Bit Generator (II) • Crazy methods: • Mix many simple operations • Not very elegant and not easy to analyze • Extremely fast • Suitable for practical purposes

  13. How Stream Ciphers Work (I) • (Step 1) Initialization (Key/IV Scheduling Algorithm): mixing the key, the IV and a fixed initial state to generate the working internal state. • (Step 2) Pseudorandom Bit Generation algorithm: update the internal state and produce pseudorandom bits, which are XORed with plaintexts.

  14. How Stream Ciphers Work (II) [Diagram: Key Scheduling Algo (Step 1), Initialization]

  15. How Stream Ciphers Work (III) Pseudorandom Generation Algorithm (Step 2). [Diagram: the PRBG is iterated to give Output 0, Output 1, Output 2, …; each output is XORed with the corresponding plaintext (Plaintext 0, …) to give the ciphertext (Ciphertext 0, …).]

  16. What is a Random Shuffle? • Shuffling of a deck of cards: start with an initial permutation and end up with a “random looking” permutation of cards. [Diagram: Shuffle]

  17. Meaning of Random Shuffle • Statistical indistinguishability: the probability distribution of the permutation after the shuffling process is uniform; or at least • Computational indistinguishability: it is difficult to tell the two distributions apart

  18. How to generate a random shuffle? • In 1987, such an attempt was made by Ron Rivest to design the famous RC4 stream cipher

  19. RC4 Key Scheduling Algo. Input: Key, Identity permutation. [Diagram: the S-box as an array indexed 000 … 255 holding the identity permutation (S[k] = k), with pointers i and j.]

  20. RC4 Key Scheduling Algo. (II) Output: Pseudorandom permutation, known pointers i = j = 0. [Diagram: the same array now holding a pseudorandom permutation.]

  21. Does the RC4 Key Scheduling Algo. generate a random shuffle? • NO. • Key size of RC4 is 40 to 256 bits. • 256! possible permutations in all • 256! >>> 2^256 • The idealized model of RC4 is not a random shuffle: sign distinguisher, position distinguisher [Mironov, Crypto 2002]

  22. RC4 Pseudorandom Bit Generation Algo. (again a shuffle). Input: internal state. Output: next internal state, pseudorandom bits.
  i := i + 1
  j := (j + S[i]) mod 256
  swap S[i] and S[j]
  t := (S[i] + S[j]) mod 256
  output S[t]
  [Diagram: the S-box with pointers i and j and the output index t.]

  23. Strengths of RC4-like Ciphers (I) [Diagram: Key Scheduling Algo (Step 1)] • Short key to large internal state: increase in the pseudo-entropy • Recovery of the internal state from output bits is difficult

  24. Strengths of RC4-like Ciphers (II) • It is ‘hard’ to represent inputs and outputs of RC4 as a set of multivariate polynomial equations • Apparently resists algebraic attacks

  25. Weaknesses of RC4-like Ciphers: Approximating Internal States • Most of the elements in two successive rounds of RC4 remain stationary • Generation of outputs involves a small number of variables • Outputs and internal states in nearby rounds seem to have high correlation, leading to distinguishing attacks. [Diagram: two successive PRBG states side by side, with most entries equal.]

  26. Attacks on RC4-like Ciphers • The approach to most of the attacks • Distinguishing attacks • Fix one or more elements in the internal state • Show a relation among outputs with probability significantly different from random

  27. Attack on RC4: Biased 2nd Output [Mantin and Shamir, SAC 2001] (I). [Diagram: S-box indices 0 1 2 3 4 … x … N-1 with pointers i and j.]

  28. Attack on RC4: Biased 2nd Output [Mantin and Shamir, SAC 2001] (II). [Diagram: the S-box (indices 0 1 2 3 4 … x … N-1) after the first and the second round, with pointers i and j.] Output: S2[X] = 0

  29. First Two Outputs are Unequal if S0[1] = 2 [Paul and Preneel, FSE 2004]. [Diagram: S-box indices 0 1 2 3 4 … N-1 with pointers i and j.]

  30. First Two Outputs are Unequal if S0[1] = 2 (contd.) [Diagram: the S-box after round 1, with pointers i and j, Output: S1[X+2]; the S-box after round 2, with pointers i and j, Output: S2[Z+2].] • S1[X+2] ≠ S2[Z+2]
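The following is an added example, not code from the slides or from the speaker: it implements RC4's key scheduling and pseudorandom generation exactly as slides 19-22 describe them, the keystream XOR of slide 10, and then checks the two predictive states of slides 27-30 by fixing one element of a random internal state (slide 26's approach) and running two rounds. The function names, the 16-byte random keys and the fixed random seeds are choices made here, not the slides'; the claimed outputs for the keys "Key" and "Wiki" are the standard RC4 test vectors.

```python
# Added example (not from the slides): RC4's KSA and PRGA (slides 19-22),
# the stream-cipher XOR of slide 10, and checks of the predictive states
# of slides 27-28 (Mantin-Shamir) and 29-30 (Paul-Preneel, S0[1] = 2).
import random

N = 256  # the RC4 state S is a permutation of 0..255


def rc4_ksa(key: bytes) -> list:
    """Slides 19-20: shuffle the identity permutation under the key.
    Returns the permutation S0; the pointers restart at i = j = 0."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga_step(S: list, i: int, j: int):
    """Slide 22: one round. Updates S in place, returns (output, new i, new j)."""
    i = (i + 1) % N
    j = (j + S[i]) % N
    S[i], S[j] = S[j], S[i]
    t = (S[i] + S[j]) % N
    return S[t], i, j


def rc4_keystream(S: list, n: int) -> bytes:
    """Run the PRGA for n rounds from state S with i = j = 0."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        z, i, j = rc4_prga_step(S, i, j)
        out.append(z)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Slide 10: ciphertext = plaintext XOR keystream (the same call decrypts)."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(p ^ k for p, k in zip(data, ks))


def random_state(rng: random.Random, pos: int, val: int) -> list:
    """A uniformly random permutation with S[pos] = val forced by one swap:
    the 'fix one element of the internal state' step of slide 26."""
    S = list(range(N))
    rng.shuffle(S)
    k = S.index(val)
    S[pos], S[k] = S[k], S[pos]
    return S


def mantin_shamir_check(trials: int, seed: int = 1) -> float:
    """Slides 27-28: if S0[2] = 0 and S0[1] != 2, the second output is 0.
    Returns the fraction of such random states with Z2 == 0 (expected 1.0)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        S = random_state(rng, pos=2, val=0)
        if S[1] == 2:                   # excluded case: move the 2 away from position 1
            S[1], S[3] = S[3], S[1]
        z = rc4_keystream(S, 2)
        hits += z[1] == 0
    return hits / trials


def paul_preneel_check(trials: int, seed: int = 2) -> float:
    """Slides 29-30: if S0[1] = 2 then Z1 = S1[X+2] and Z2 = S2[Z+2] differ.
    Returns the fraction of such random states with Z1 != Z2 (expected 1.0)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        S = random_state(rng, pos=1, val=2)
        z = rc4_keystream(S, 2)
        hits += z[0] != z[1]
    return hits / trials


def second_byte_zero_rate(trials: int, key_len: int = 16, seed: int = 3) -> float:
    """The distinguisher as seen from the keystream alone: over random keys the
    second output byte is 0 with probability about 2/256 rather than 1/256,
    because the state of slides 27-28 itself occurs with probability about 1/256."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.randrange(N) for _ in range(key_len))  # constructed random key
        zeros += rc4_keystream(rc4_ksa(key), 2)[1] == 0
    return zeros / trials


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    print(mantin_shamir_check(2000), paul_preneel_check(2000))
    print(second_byte_zero_rate(20000) * 256, "/ 256 (uniform would be 1 / 256)")
```

The two `*_check` functions return exactly 1.0 because the relations are deterministic once the fixed element is in place; `second_byte_zero_rate` shows why this matters for a defender: nothing in the key is needed to observe the bias, so a few thousand keystreams suffice to tell RC4 output from uniform bits, which is the distinguishing attack of slide 26.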

  31. Generalizing: Predictive States. Snapshot at round t. [Diagram: the S-box with pointers i and j; rounds 0, 1, …, r, …, c.] Number of known elements in the S-box is a.

  32. Generalizing: Predictive States. Snapshot at round t + c. [Diagram: the S-box with pointers i and j; rounds 0, 1, …, r, …, c.] Outputs: Z1 Z2 Z3 …… Zb. Number of predicted outputs is b.

  33. Distinguishing attacks on RC4

  34. Distinguishers after N bytes

  35. Other recent RC4-like ciphers • VMPC one-way function • Bartosz Zoltak at FSE 2004 • Main features: 8-bit output, one S-box, swapping, more memory accesses to generate output, slower than RC4 • Vulnerable to the same types of distinguishing attacks as RC4 (fix elements and predict outputs)

  36. Other recent RC4-like ciphers • RC4A • Paul and Preneel at FSE 2004 • Main features: 8-bit output, two S-boxes, swapping, fewer operations per byte, marginally faster than RC4 • Vulnerable to the same types of distinguishing attacks as RC4 (fix elements and predict outputs)

  37. Other recent RC4-like ciphers • NGG (suitable for 32-bit machines) • Nawaz, Gupta, Gong, IACR ePrint 2005 • Main features: 32-bit output, one S-box, swapping, fewer operations per byte, 3 times as fast as RC4 • Weakness: short index (8-bit) and long word (32-bit), correlation among elements of the internal state, slow change • Latest news: repaired recently…

  38. Other recent RC4-like ciphers • Py (suitable for 32-bit machines) • Biham and Seberry, ECRYPT proposal 2005 • Main features: 32-bit output, two S-boxes, swapping, fewer operations per byte, 2.5 times as fast as RC4 • Weakness: short index (8-bit) and long word (32-bit), slow change between rounds • Investigation underway …. • IB, IBAA, ISAAC by Jenkins, FSE 1996

  39. Example: RC4A. [Diagram: two S-boxes, each an array indexed 000 … 255 holding a permutation, with a shared pointer i and separate pointers j1 and j2.]

  40. Conclusions and Remarks • Some attacks on RC4-like ciphers derive from generic flaws such as slow change in successive rounds • Common problems in designing ciphers based on shuffling • Future work: extending the weaknesses of Py, IB, IBAA, ISAAC and similar ciphers into cryptanalytic attacks

  41. Thanks.
