
PRNG, Block and Stream Cipher



Presentation Transcript


    1. 1/34 PRNG, Block and Stream Cipher
    August 30, 2012, Yongdae Kim
    Speaker note: Hello! The title of this talk is “group key agreement”.

    2. 2/34 Index
    - Pseudo Random Number Generator: random bit generation; pseudorandom bit generation; statistical tests; cryptographically secure pseudorandom bit generation
    - Stream Cipher: feedback shift registers; stream ciphers based on LFSRs; other stream ciphers
    - Block Cipher: introduction; DES; etc.

    3. 3/34 Introduction
    RBG (random bit generator): a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.
    - An RBG can be used to generate random numbers, e.g. a random integer in the interval [0, n]: generate a random bit sequence of length ⌊lg n⌋ + 1 and convert it to an integer; if the resulting integer exceeds n, discard it and generate a new sequence.
    PRBG (pseudorandom bit generator): given a truly random sequence of length k, deterministically outputs a sequence of length l >> k which “appears” to be random.
    - The input to the PRBG is called the seed.
    - The output of a PRBG is not random; the intention is that an adversary cannot efficiently distinguish between output sequences of the PRBG and truly random sequences of length l.

    4. 4/34 Introduction (cont.)
    LCG (linear congruential generator): produces a pseudorandom sequence of numbers x1, x2, x3, … according to the linear recurrence x_n = a·x_{n-1} + b mod m, n ≥ 1; a, b and m are parameters which characterize the generator, and x0 is the (secret) seed.
    - Given a partial output sequence, the remainder of the sequence can be reconstructed even if the parameters a, b and m are unknown.
    - Unix random
    Definitions
    - A PRBG passes all polynomial-time statistical tests if no polynomial-time algorithm can distinguish between its output sequence and a truly random sequence of the same length with probability significantly greater than ½.
    - A PRBG passes the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits, can predict the (l + 1)st bit with probability significantly greater than ½.
    - A PRBG that passes the next-bit test is called a CSPRBG (cryptographically secure PRBG).

    5. 5/34 Random Bit Generation
    Hardware-based sources
    - elapsed time between emission of particles during radioactive decay
    - thermal noise from a semiconductor diode or resistor
    - the frequency instability of a free-running oscillator
    - air turbulence within a disk drive, which causes random fluctuations in drive sector read latency times
    - sound from a microphone or video input from a camera
    Software-based sources
    - the system clock
    - elapsed time between keystrokes or mouse movements
    - content of input/output buffers
    - user input
    - operating system values such as system load and network statistics

    6. 6/34 Random Bit Generation (cont.)
    De-skewing
    - A natural source of random bits may be defective in that the output bits may be biased or correlated.
    - De-skewing: techniques for generating truly random bit sequences from the output bits of such a defective generator.
    Techniques
    - Suppose that a generator produces biased but uncorrelated bits, and that the probability of a 1 is p, where p is unknown but fixed, 0 < p < 1.
    - Group the output into pairs and map 10 → 1, 01 → 0, discarding the 00 and 11 pairs; the resulting sequence is both unbiased and uncorrelated.
    - A practical (not provable) technique is to pass a sequence whose bits are biased or correlated through a hash function (e.g. SHA-1 or MD5).

    7. 7/34 Pseudo Random Bit Generation
    ANSI X9.17 generator
    INPUT: m, a random seed s, a Triple-DES encryption key k.
    OUTPUT: m pseudorandom 64-bit strings x1, x2, …, xm.
    - Compute the intermediate value I = Ek(D), where D is a 64-bit date/time to as fine a resolution as is available.
    - For i from 1 to m do the following: xi ← Ek(I ⊕ s); s ← Ek(xi ⊕ I).
    - Return (x1, x2, …, xm).
    More generators: FIPS 186 for DSA

    8. 8/34 Statistical Test
    Why: it is impossible to give a mathematical proof that a generator is indeed a random bit generator, but the tests help detect certain kinds of weaknesses the generator may have.
    - This is accomplished by taking a sample output sequence of the generator and subjecting it to various statistical tests.
    - A generator that passes is “not rejected” rather than “accepted”.
    Five basic tests (using chi-square analysis)
    - Frequency test: number of 0s and 1s
    - Serial test: number of 00, 01, 10, 11
    - Poker-k test: number of occurrences of each k-bit string
    - Run test: comparing run lengths with the expected run lengths
    - Autocorrelation test: correlations between s and a shifted version of s
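The von Neumann de-skewing rule of slide 6 and the frequency and serial tests of slide 8 worked together, as an added example that is not part of the original slides: a constructed biased source is de-skewed, and the chi-square statistics (HAC 5.4.4 form) are computed before and after. The critical values are the standard 5% ones for 1 and 2 degrees of freedom.

```python
import random

def von_neumann_deskew(bits):
    """De-skew biased but uncorrelated bits: pair 10 -> 1, 01 -> 0, 00 and 11 discarded."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # first bit of the pair: '10' gives 1, '01' gives 0
    return out

def frequency_statistic(bits):
    """Frequency (monobit) test: X1 = (n0 - n1)^2 / n, approx. chi-square with 1 degree of freedom."""
    n = len(bits)
    n1 = sum(bits)
    return (n - 2 * n1) ** 2 / n  # n - 2*n1 == n0 - n1

def serial_statistic(bits):
    """Serial test: X2 = 4/(n-1)*sum(n_ab^2) - 2/n*(n0^2 + n1^2) + 1, approx. chi-square, 2 dof."""
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    pairs = {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 0}
    for i in range(n - 1):
        pairs[(bits[i], bits[i + 1])] += 1
    return 4 / (n - 1) * sum(c * c for c in pairs.values()) - 2 / n * (n0 * n0 + n1 * n1) + 1

# Chi-square critical values at the 5% significance level: reject if the statistic exceeds them.
CHI2_5PCT = {1: 3.8415, 2: 5.9915}

def biased_source(n, p, seed=1):
    """Constructed defective generator: independent bits with P(1) = p (not a real entropy source)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]

def demo(n=20000, p=0.7):
    raw = biased_source(n, p)
    fixed = von_neumann_deskew(raw)
    return {
        "raw_frequency": frequency_statistic(raw),
        "fixed_frequency": frequency_statistic(fixed),
        "fixed_len": len(fixed),  # about 2p(1-p) of the pairs survive, so roughly 0.42 * n/2 bits
        "raw_rejected": frequency_statistic(raw) > CHI2_5PCT[1],
        "fixed_rejected": frequency_statistic(fixed) > CHI2_5PCT[1],
    }

if __name__ == "__main__":
    print(demo())
```

The de-skewed output is unbiased but costs more than three quarters of the raw bits, which is why the hash-based practical technique is usually preferred.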

    9. 9/34 Statistical test (cont.)
    Maurer’s universal statistical test
    - The basic idea is that it should not be possible to significantly compress the output sequence of an RBG.
    - Thus, if a sample output sequence s of a bit generator can be significantly compressed, the generator should be rejected.
    - The universality arises because the test is able to detect any one of a very general class of possible defects a bit generator might have.
    - A drawback compared to the five basic tests is that it requires a much longer sample output sequence in order to be effective.

    10. 10/34 CSPRBG (RSA)
    Basic algorithm
    - Setup: p, q, n = pq and φ = (p − 1)(q − 1); 1 < e < φ, gcd(e, φ) = 1.
    - Select a random integer x0 (the seed) in the interval [1, n − 1].
    - For i from 1 to l do the following: xi ← x_{i−1}^e mod n; zi ← the least significant bit of xi.
    - The output sequence is z1, z2, …, zl.
    Efficiency
    - If e = 3, then generating zi requires one modular multiplication and one squaring.
    - Improved by extracting the j least significant bits of xi (j = c·lg lg n).
    - If n is sufficiently large, this generator is cryptographically secure.
    - For fixed n, the explicit range of values of c under the intractability of the RSA problem has not been determined.

    11. 11/34 Micali-Schnorr
    - Setup: p, q, n = pq and φ = (p − 1)(q − 1); 1 < e < φ, gcd(e, φ) = 1; N = bit length of n; 80e ≤ N; k = ⌊N(1 − 2/e)⌋, r = N − k.
    - Select a random integer x0 (the seed) of bit length r.
    - Generate a sequence of length l·k: for i from 1 to l do the following: yi ← x_{i−1}^e mod n; xi ← the r most significant bits of yi; zi ← the k least significant bits of yi.
    - The output sequence is z1 || z2 || … || zl.
    Properties
    - Efficiency: a ⌊N(1 − 2/e)⌋-bit sequence is generated per exponentiation.
    - Secure under the assumption that the distribution of x^e mod n for random r-bit sequences x is indistinguishable by all polynomial-time statistical tests from the uniform distribution of integers in the interval [0, n − 1]; this is a stronger assumption than the RSA problem.

    12. 12/34 Blum-Blum-Shub PRBG
    Basic algorithm
    - Setup: p, q ≡ 3 (mod 4), n = pq.
    - Select a random integer s (the seed) in [1, n − 1] such that gcd(s, n) = 1 and compute x0 ← s² mod n.
    - For i from 1 to l do the following: xi ← x_{i−1}² mod n; zi ← the least significant bit of xi.
    - The output sequence is z1, z2, …, zl.
    Efficiency
    - One modular squaring per output bit.
    - Improved by extracting the j least significant bits of xi (j = c·lg lg n).
    - If n is sufficiently large, this generator is cryptographically secure.
    - For fixed n, the explicit range of values of c under the intractability of the factoring problem has not been determined.

    13. 13/34 Index
    - Pseudo Random Number Generator: random bit generation; pseudorandom bit generation; statistical tests; cryptographically secure pseudorandom bit generation
    - Stream Cipher: feedback shift registers; stream ciphers based on LFSRs; other stream ciphers
    - Block Cipher: introduction; DES; etc.

    14. 14/34 Introduction
    Definition: a stream cipher encrypts individual characters of a plaintext message one at a time, using an encryption transformation which varies with time.
    Block vs. stream
    - Block ciphers process plaintext in relatively large blocks; the same function is used to encrypt successive blocks → memoryless.
    - Stream ciphers process plaintext in small blocks, and the encryption function may vary as the plaintext is processed → have memory; sometimes called state ciphers, since encryption depends not only on the key and plaintext but also on the current state.
    - This distinction between block and stream ciphers is not definitive: adding memory to a block cipher (as in CBC) results in a stream cipher.

    15. 15/34 One-time Pad and Stream Cipher
    One-time pad
    - Vernam cipher: ci = mi ⊕ xi for i = 1, 2, 3, …; if the key is generated independently and randomly → one-time pad.
    - H(M|C) = H(M), where M, C are random variables for plaintext and ciphertext: the ciphertext contributes no information about the plaintext.
    - Shannon proved that a necessary condition for a symmetric-key encryption scheme to be unconditionally secure is that H(K) ≥ H(M).
    - If the key is chosen independently and randomly, then H(K) = k → k ≥ H(M); the OTP is unconditionally secure regardless of the distribution of the plaintext.
    - Drawback: the key must be as long as the plaintext → key management.
    - Hence a stream cipher tries to solve this problem by having a short key and generating a pseudo-random sequence: not unconditionally secure, but it tries to be computationally secure.

    16. 16/34 Synchronous Stream Cipher
    Definition: the keystream is generated independently of the plaintext and of the ciphertext.
    - si+1 = f(si, k): next-state function
    - zi = g(si, k): keystream generation function
    - ci = h(zi, mi): encryption function
    e.g. OFB
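The (f, g, h) structure of slide 16 and the Vernam cipher of slide 15 in code, as an added example that is not part of the original slides. It follows the OFB pattern the slide names (the keystream block is the state, and the state is re-encrypted each step), with HMAC-SHA256 standing in for a keyed block function purely for illustration; this is not a standardized cipher.

```python
import hmac
import hashlib
import secrets

def next_state(state, key):
    """f(s_i, k): OFB-style state update. HMAC-SHA256 is an assumed stand-in for E_k."""
    return hmac.new(key, state, hashlib.sha256).digest()

def keystream_word(state, key):
    """g(s_i, k): in OFB the keystream block is simply the current state."""
    return state

def keystream(key, iv, nbytes):
    """Produce nbytes of keystream from (key, iv); depends on neither plaintext nor ciphertext."""
    state = next_state(iv, key)            # s_1 = f(s_0, k) with s_0 = iv
    out = bytearray()
    while len(out) < nbytes:
        out += keystream_word(state, key)  # z_i = g(s_i, k)
        state = next_state(state, key)     # s_{i+1} = f(s_i, k)
    return bytes(out[:nbytes])

def crypt(key, iv, data):
    """h(z_i, m_i) = z_i XOR m_i; since XOR is an involution, decryption is the same call."""
    return bytes(z ^ m for z, m in zip(keystream(key, iv, len(data)), data))

def one_time_pad(pad, message):
    """Vernam cipher c_i = m_i XOR x_i. The pad must be truly random, as long as the message,
    and never reused; with a reused pad, XORing two ciphertexts cancels it out."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return bytes(p ^ m for p, m in zip(pad, message))

def keystream_is_plaintext_independent(key, iv, m1, m2):
    """Synchronous property: the keystream recovered from (c, m) is the same for any plaintext."""
    z1 = bytes(c ^ m for c, m in zip(crypt(key, iv, m1), m1))
    z2 = bytes(c ^ m for c, m in zip(crypt(key, iv, m2), m2))
    return z1 == z2

if __name__ == "__main__":
    key, iv = secrets.token_bytes(16), secrets.token_bytes(16)  # fresh (key, iv) per message
    msg = b"synchronous stream cipher demo"
    print(crypt(key, iv, crypt(key, iv, msg)) == msg)
```

Because the keystream is fixed by (key, iv) alone, a repeated (key, iv) pair turns the scheme into a reused pad, which is the failure mode slide 15 warns about.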
