890 likes | 915 Views
Random walks and analysis of algorithms in cryptography. Ilya Mironov Stanford University. Talk overview. Cryptanalysis RC4 stream cipher card shuffling brute force attack Broadcast encryption analysis optimization Other work. Talk overview. Cryptanalysis RC4 stream cipher
E N D
Random walks and analysis of algorithms in cryptography Ilya Mironov Stanford University
Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • analysis • optimization • Other work
Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • analysis • optimization • Other work
RC4 stream cipher • RC stands for “Ron’s Code,” designed in 1987 by Ron Rivest. • Several design goals: • speed • support of 8-bit architecture • simplicity (to circumvent export regulations)
Abridged history of [alleged] RC4™ • 1994 – leaked to cypherpunks mailing list • 1995 - first weakness (USENET post) • 1996 – appeared in “Applied Cryptography” by B. Schneier as “alleged RC4” • 1997 – first published analysis MS theses: 3 PhD thesis: 1
Usage • SSL/TLS • Windows, Lotus Notes, Oracle, etc. • Cellular Digital Packet Data • OpenBSD pseudo-random number generator
Encryption key 000111101010110101 state plain text plain text = cipher text cipher t
Decryption key 000111101010110101 state cipher text cipher t = plain text plain text
Security Requirement Indistinguishability from a perfect source of randomness: given part of the output stream, it is impossible to distinguish it from a random string
Second byte [MS01] • Second byte of RC4 output is 0 with twice the expected probability
Related key attack [FMS01] • Wireless Equivalent Privacy protocol (part of 802.11b standard): Using keys with known prefixes - BAD IV1, key IV1, 0010101010 IV2, key IV2, 1010110001 IV3, key IV3, 0101010111 IV4, key IV4, 1010101010 key
Recommendation Discard the first 256 bytes of RC4 output [RSA, MS] Is this enough?
RC4 internal state • Permutation S on 256 bytes: • Two indices i, j • log2 (256! 256) 1700 bits
Key scheduling algorithm (all arithmetic is mod 256) for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j])
Pseudo-random number generator i := 0 j := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ])
Both RC4’s routines for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j]) i, j := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ]) key scheduling pseudo-random number generator
Both RC4’s routines for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j]) i := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) key scheduling j := random (256) , j pseudo-random number generator j := random (256)
Both RC4’s routines for i := 0 to 255 S[i] := i j := random (256) swap (S[i], S[j]) key scheduling for i := 0 to 255 i := 0 repeat i := i + 1 j := random (256) swap (S[i], S[j]) pseudo-random number generator
Idealization of RC4 for i := 0 to 255 S[i] := i i := 0 repeat i := i + 1 j := random (256) swap (S[i], S[j])
Idealization of RC4 for i := 0 to n - 1 S[i] := i i := 0 repeat i := i + 1 j := random (n) swap (S[i], S[j])
Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • analysis • optimization • Other work
Exchange shuffle • RC4 card shuffling: i i i i i … random j When i= n - 1 the permutation is random not
Perfect shuffling • The textbook algorithm to shuffle cards: swap( S[i], S[j]) i i i i i … random j When i= n - 1 the permutation is perfectly random
Why is it not random? • n! does not divide nn • Sign of the permutation: the sign changes each time with probability 1-1/n • Positions of individual cards are predictable
First byte of RC4 output • The first byte, S[S[1]+S[S[1]]], is biased:
Distinguisher • Less than 2,000 to recognize a non-random output with 10% error
Mixing time • The permutation becomes more and more random. nonrandomness time
Variation distance Variation distance between two distributions, P and Q on S: d(P,Q)=½ sS |P(s)-Q(s)| variation distance time
The end of the beginning of RC4 • What is the sufficient number of swaps for the permutation to become random? Find t such that d(Pt, U) <
Card shuffling To shuffle 52 cards: - 7 riffle shuffles ~ 100 random transpositions ~ 30,000 adjacent transpositions - exchange (RC4) shuffles?
Lower bound Sign of the permutation: after t rounds sign can be predicted with probability e-2t
Upper bound Checking argument: • initially all cards are unchecked • check S[i] if - either i=j - or S[j] is checked • keep doing until all cards are checked
Checking argument i j j S[i] is indistinguishable from other checked cards
Checking argument It takes (n log n) steps to check all cards. It gives an upper bound.
Mixing time • at least (n) • at most O(nlogn)
What if n = 256? • Optimistically (go with the lower bound) mixes in 4256 steps • Conservatively (use the upper bound) mixes in 16256 steps
New development • E. Mossel, A. Sinclair, Y. Peres (Berkeley): the upper bound is tight mixing time = Θ(n log n) • Distinguisher: look at the cards from the left half
Talk overview • Cryptanalysis • RC4 stream cipher • card shuffling • brute force attack • Broadcast encryption • optimization • analysis • Other work
Backtracking j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t]
Backtracking S[1] j:=S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t]
Backtracking S[1] j := S[1] t := S[1] + S[j] outputS[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j]
Backtracking S[1] j := S[1] t := S[1] + S[j] outputS[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2]
Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j]
Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3]
Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3] S[j]
Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3]
Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3] S[j]
Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3]
Backtracking S[1] j := S[1] t := S[1] + S[j] output S[t] j := j + S[2] t := S[2] + S[j] output S[t] j := j + S[3] t := S[3] + S[j] output S[t] S[j] S[2] S[j] S[3] S[j]