270 likes | 492 Views
HSC: Building Stream Cipher from Secure Hash Functions. Juncao Li Nov. 29 th 2007 Department of Computer Science Portland State University. Agenda. Introduction to the Stream Cipher Security of the Stream Cipher Construction of the Hashing Stream Cipher Analysis of the HSC. Agenda.
E N D
HSC: Building Stream Cipher from Secure Hash Functions Juncao Li Nov. 29th 2007 Department of Computer Science Portland State University
Agenda • Introduction to the Stream Cipher • Security of the Stream Cipher • Construction of the Hashing Stream Cipher • Analysis of the HSC Portland State University Nov. 29th 2007
Agenda • Introduction to the Stream Cipher • Security of the Stream Cipher • Construction of the Hashing Stream Cipher • Analysis of the HSC Portland State University Nov. 29th 2007
Introduction: Stream Cipher • Symmetric Cipher • Encryption/Decryption Scheme • Take a Key and an IV (optional) • Generate a pseudorandom keystream(pad) • XOR the pad with the plaintext like onetime pad Portland State University Nov. 29th 2007
Stream Cipher: types • State Cipher • Maintains an internal state • Based on which, the keystream is generated • Usually, the internal state is kept secrete • As large as possible Portland State University Nov. 29th 2007
Stream Cipher: types • Synchronous • The state changes independently of the plaintext or ciphertext • RC4 • Non-error-propagation • Keep synchronized • Self-synchronizing stream ciphers • Previous ciphertext digits are used to compute the keystream • CFB: a block cipher in cipher-feedback mode (CFB) • Input to the generator is partially exposed • Limitation of the analyzability: keystream depends on the messages Portland State University Nov. 29th 2007
Agenda • Introduction to the Stream Cipher • Security of the Stream Cipher • Construction of the Hashing Stream Cipher • Analysis of the HSC Portland State University Nov. 29th 2007
Security analysis: goal • Hard to guess next bit of the keystream generator with some probability: better than random guessing • About the appearance of the keystream • Noticeable more 1s than 0s in the keystream • Hard to reproduce the keystream from the keystream that we already have • About the inherent complexity of the keystream • Existence of the short period Portland State University Nov. 29th 2007
Formal security support • Theoretical support • Yao’s work: a pseudo-random generator could be 'effciently' predicted if, and only if, the generator could be 'effciently' distinguished from a perfectly random source. Portland State University Nov. 29th 2007
Security in appearance • Security measures in appearance • Long period • A keystream generator can be modeled by a finite state machine • Eventually some states will repeat which lead to a period • Statistical measures • Have the appearance of (periodic) pseudo-random sequences • Complexity Portland State University Nov. 29th 2007
Agenda • Definition of the Stream Cipher • Security of the Stream Cipher • Construction of the Hashing Stream Cipher • Analysis of the HSC Portland State University Nov. 29th 2007
HSC • It’s a synchronous streamcipher • It takes an IV and a random Key as input • Define • Original Vector: OV = Key || IV • Increasing Factor: , where is byte accumulation, and iis public. If IF = 0, set IF = 1 • Keystream Block: , where KBn represents nth keystream block Portland State University Nov. 29th 2007
HSC: Framework Portland State University Nov. 29th 2007
Intuitions: why HSC • Hash function is easy to find • Easy to implement our scheme based on the existing systems • We can prove the security of HSC based on the security of Cryptographic Hash functions Portland State University Nov. 29th 2007
Agenda • Introduction to the Stream Cipher • Security of the Stream Cipher • Construction of the Hashing Stream Cipher • Analysis of the HSC Portland State University Nov. 29th 2007
Secure analysis on HSC:Period • Period • Ideally, no period if the core hash function is collision-resistant • Assume there’s a mbits period, we can find the collision every m/n iterations Portland State University Nov. 29th 2007
Secure analysis on HSC:Period • But… the inner state has a limitation due to the implementation • Configurable inner state size • The inner state size depends on the limitation of the hash function input size • Which is huge! Portland State University Nov. 29th 2007
Secure analysis on HSC: Indistinguishability • Indistinguishability of the keystream from the random stream • The distribution of the keystream depends on the IV and Key Portland State University Nov. 29th 2007
Secure analysis on HSC: Indistinguishability • Assumption 1: if the input of the hash function is random, the output should be random, or have a random distribution • Every individual keystream block should look random, given the randomness of the key andthe security of the hash function. • Otherwise, we can find an easier way to invert the one-way function by analyzing the non-uniform distribution of the output Portland State University Nov. 29th 2007
Secure analysis on HSC: Indistinguishability • Assumption 2: if the inputs of the hash function are different, but correlated, the outputs of a good hash function should at least have a good statistical distribution • Global view of the keystream blocks • Collision-resistance guarantees that keystream blocks are statistically different Portland State University Nov. 29th 2007
Secure analysis on HSC: Indistinguishability • Almost no one can guarantee there’s no correlation in their keystream • That’s why inner state should be kept secrete • That’s why we are using Portland State University Nov. 29th 2007
Secure analysis on HSC:Information theory • Information theory -- Entropy • The larger entropy of the keystream the better • Entropy comes from: IV and Key • The hash function will guarantee the entropy of each stream block: min(|key|, |digest|) • IF will spread the key entropy to the whole keystream Portland State University Nov. 29th 2007
Secure analysis on HSC:Statistical analysis • Three statistical test from the NIST standard • SHA-1, Key length 64 bytes, IV 16 bytes, and IF 1 byte • 1000 times test on 10 MB keystream. Threshold: 0.981 • 1GB HSCcosts 92,312ms,RC4costs 30,047ms Portland State University Nov. 29th 2007
References • Stream Ciphers, RSA Laboratories Technical Report TR-701, Version 2.0, M.J.B. Robshaw, July 25, 1995 • Stream Cipher Design -- An evaluation of the eSTREAM candidate Polar Bear, JOHN MATTSSON, Master of Science Thesis, Stockholm, Sweden 2006 • On the Role of the Inner State Size in Stream Ciphers, Erik Zenner, Reihe Informatik 01-2004 • Attacks on RC4 and WEP, Scott Fluhrer, Itsik Mantin, Adi Shamir • CHOSEN-IV STATISTICAL ATTACKS ON eSTREAM CIPHERS, Markku-Juhani O Saarinen. • http://www.wikipedia.org/ • Yong Zhang, Xiamu Niu, Juncao Li, and Chunming Li. Research on a novel Hashing Stream Cipher. In Proc. of CIS 2006, Guangzhou, China, November 3-6, 2006 Portland State University Nov. 29th 2007
Thanks • Questions? Portland State University Nov. 29th 2007
Secure analysis on HSC:Information theory • Information theory -- Entropy • The larger entropy of the keystream the better • Entropy comes from: IV and Key • But the IF will spread the entropy to the whole keystream • This may lead to a better explanation of our construction Portland State University Nov. 29th 2007
Secure analysis on HSC:Information theory • Information theory -- Entropy • Why hash functions? – we want to shrink • The larger entropy of the keystream the better • Entropy come from: IV and Key • If |OV| > |Hash digest|, entropy loses on each keystream block. • But the IF will spread the entropy to the whole keystream • This may lead to a better explanation of our construction Portland State University Nov. 29th 2007