sign in sign up
<<
Home , Pseudorandom permutation

CMPT 404 — and Protocols

Outline Solutions to Exercises on Pseudorandom Generators, Functions and Permutations.

1. (a)√ Which of the following functions are superpolynomial: - 2 n; - n3 log n; - n log n? (b) Prove that for every superpolynomial function T the function

1 1 (T (n 3 )) 5 n4 is also superpolynomial. √ (a) 2 n and n3 log n are superpolynomial; n log n is not. (b) If 2 1 (T (n 3 )) 5 < p(n) n4 for some polynomial p(n), then 1 20 5 T (n 3 ) < n p (n), and T (m) < m60p5(m3), 1 60 5 3 where m = n 3 . However, m p (m ) is a polynomial in m. 2. (optional) This exercise will unable to test your favorite pseudorandom generator. The test is based on a well known property of random integers: Given two randomly chosen integers m and n, the probability 6 they are relatively prime (their greatest common divisor is 1) is π2 . Use this property in a program to determine statistically the value of π. The program should call the random number generator from the system library to generate the random integers. It should loop through a large number of random numbers to estimate the probability that two numbers are relatively prime. From this find an approximate value of π. Report the type/name of the random number generator(s), the number of pairs of numbers in your sam- ple, and the approximate value of π. For python’s random.randrange with range 50000000 and 10000000 trials the value of π is 3.1401. 3. Suppose you have a true random bit generator where each bit in the generated stream has the same probability of being a 0 or 1 as any other bit in the stream and that the bits are not correlated; that is the bits are generated from identical independent distribution. However, the bit stream is biased. The probability of a 1 is 1/2 + δ, and the probability of a 0 is 1/2 − δ, where 0 < δ < 1/2. A simple deskewing algorithm is as follows: Examine the bit stream as a sequence of non-overlapping pairs. Discard all 00 and 11 pairs. Replace each 01 pair with 0 and each 10 pair with 1. (a) What is the probability of occurrence of each pair in the original sequence? (b) What is the probability of occurrence of 0 and 1 in the modified sequence? (c) What is the expected number of input bits to produce k output bits? (d) Suppose that the algorithm uses overlapping successive bit pairs instead of non-overlapping succes- sive bit pairs. That is, the first output bit is based on input bits 1 and 2, the second output bit is based on input bits 2 and 3, and so on. What can you say about the output bit stream? Is it independent?

1 (a) Since every bit is chosen independently, the first bit is 1 with probability 1/2 + δ, and is 0 with probability 1/2 − δ. The same is true for the second bit of a pair, and it is independent of the first bit. Thus, 00 occur with probability (1/2 − δ)(1/2 − δ); 01 occurs with probability (1/2 − δ)(1/2 + δ); 10 occurs with probability (1/2 + δ)(1/2 − δ); and 11 occurs with probability (1/2 + δ)(1/2 + δ). (b) Since the probabilities of 01 and 10 in the original stream are equal, 0 and 1 also occur with the same probability, that is, 1/2. (c) We consider the original stream as a sequence of pairs. The pairs are clearly independent, so to find the expected number of bits in the output we need to find the probability that 01 or 10 occurs. This probability equals 2(1/2 + δ)(1/2 − δ) = 1/2 − 2δ2. Thus, if the original stream contains n bits (assume it is even), then n 2 the expected number of output bits 2 (1/2 − 2δ ). If we want to obain k output bits, the expected number of 2k original bits is 1/2−2δ2 . (d) The output stream is not independent. Indeed, if some output bit is 0, that is, the original stream contains pair 01, then the next pair starts with 1. If it is 10 then the next output bit is 1. If the original stream contains several consequent 1s, then some pairs are 11 and therefore skipped. But then, the first pair that is not skipped must be 10. In a similar way, after each 1 in the output stream we must have a 0. Thus the output stream looks like 01010101... 4. Suppose we use a full length RC4 seed (256 bytes) in the Scheduling Algorithm. What such a RC4 key value leaves S unchanged during the KSA? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 to 255 in ascending order. The initialization phase of RC4 (that is, the KSA) works as follows: It starts with the identity permutation of bits, S[i] = i, and the key K, T [i] = K[i (mod keylength)]. Since in our case keylength = 256, we may assume T = K. Then starting from i = j = 0 it performs 256 rounds of the form j = (j + S[i] + T [i]) (mod 256) and Swap(S[i],S[j]). Therefore, if we can choose T in such a way that j = i in every iteration, the resulting S will still be the identity permutation. Clearly, in the first iteration, i = 0, the value T [0] = 0 will do. Suppose, we are successful up to iteration i − 1, that is, after considering rounds 0, 1, . . . , i − 1 the permutation S remains the identical permutation, and the current value of j is i − 1. Then in round i the value of j is set to be j = j + S[i] + T [i] (mod 256) = i − 1 + i + T [i] (mod 256). We want it to be i, and so we need to solve the equation

i = i − 1 + i + T [i] (mod 256) T [i] = 1 − i (mod 256)

5. The RSA SecurID card is a credit-card sized device that displays 6 digits that change every minute. The idea is that when you log into your account remotely (say when you want to log into your UNIX account in SFU from an Internet Cafe) then you have to type the numbers that appear in the card in addition to your PIN or password.

(a) What is the security of such a card over traditional password? That is, what sort of attack can this card resist which cannot be resisted using a standard password mechanism. (Assume that it’s possible for users to remember a 6-digits PIN or a password with similar security.) (b) Describe how you would implement such a scheme using pseudorandom functions. Assume that the PRF family takes a seed of size n, and that the number of possible devices is m (for m < 2n). How many bits of storage does your implementation use at the server and each of the devices? (there is an implementation that uses at most O(n) bits).

(a) This device can be used in 2 modes. First, if a is used then the device provides a pseudorandom string that can be added to a password. Second, if a is used, the device provides an extra password that changes all the time (don’t forget to replace batteries). In either case it improves the security of protocols, in which the key is not changed frequently. A possible attack in such a protocol is to intercept the encrypted

2 password, and later use it to get access to the server. If the password effectively changes every minute this type of attack is less likely. 6 (b) Let {fs} be a PRF and s a key assigned to each individual device. Then the device outputs fs(m) (mod 10 ) where m is the number of minutes passed since a certain moment modulo 2n. Then both, a device and the server, must store only the current time m, and a secret key s. Moreover, for the device the key can be replaced with an implementation of the function fs rather than the family {fs}.

n n 0 0 2n 6. Let {fs}, fs : {0, 1} → {0, 1} be a secure PRP. Consider the family of permutations {fs}, fs : {0, 1} → {0, 1}2n defined as follows: for any x, x0 ∈ {0, 1}n

0 0 0 fs(xx ) = fs(x)fs(x ⊕ x )

0 0 0 (xx denotes the concatenation of x and x ). Show that {fs} is not a secure PRP. 0 n It suffices to observe that fs on strings of the form x0 (that is the last n bits equal to 0) outputs fs(x)fs(x). 1 0 The probability that a random function outputs such a repeated string is 2n , and therefore fs can easily be distinguished from the random function.

n 7. Let {fs} be a pseudorandom permutation collection, where for s ∈ {0, 1} , fs is a permutation over {0, 1}m. Consider the following scheme (E,D) that encrypts m/2-bit messages in the following way: on m/2 m/2 input x ∈ {0, 1} , Ek chooses r at random from {0, 1} and outputs fk(x, r) (where comma denotes m/2 −1 concatenation), on input y ∈ {0, 1} , Dk computes (x, r) = fk (y) and outputs x. Give an idea of a proof that (E,D) is a CPA-secure scheme. Suppose that there is a polynomial time Eve that breaks the scheme. As in the proofs of CPA-security we use Eve to distinguish {fs} and a random function. First we observe that if we use a random function g in the scheme instead of {fs} then the scheme becomes CPA-secure. Indeed, since Alice adds a random part to the plaintext, the outputs Eve obtains for her queries are just random strings that carry no information. Thus the only way to make a choice between plaintexts P1,P2 is to choose one at random. The probability to guess it correctly is 1/2.

Now let a distinguisher Dist is given an access to a black box G(x) that can be either fs for a certain s or F . The distinguisher works as follows: – it runs Eve; m/2 – when Eve sends two plaintexts P1,P2 it selects Pi at random, chooses a random string r ∈ {0, 1} and returns G(Pi, r); – every time Eve makes a request to encrypt P , it chooses a random string r ∈ {0, 1}m/2 and returns G(P, r); – when makes her decision j, it outputs 1 if i = j and 0 if i 6= j.

The probability that i = j in the game with a truly random function equals 1/2. In the game with the PRF the probability to get 1 is greater than ε(m) for some polynomial ε(m). Therefore

|Pr[Dist(Game 1) = 1] − Pr[Dist(Game 2) = 1] ≥ ε(m),

and Dist distinguishes between a random function and the PRF. A contradiction. 8. Prove that AES is a permutation

Consider every step of AES encryption, and show it is invertible. First step, s := P ⊕ k0 is obviously invertible, as P = s ⊕ k0. Now we consider each step in each of the rounds of AES. For the S-box invertibility follows from the property of multiplication defined: every element has an inverse. Since S(a) = a−1, the inverse function is S itself. Shift-rows is just a permutation of bytes, and clearly invertible. mix-cols is defined through multiplication by a certain matrix A. Check that the determinant of this matrix is not 0. Therefore, there is A−1 that guarantees invertibility.

3 9. Consider a Feistel network composed of 16 rounds with a block length of 128 bits and a key of length of 128 bits. Suppose that, for a given key k , the key scheduling algorithm determines values for the first 8 subkeys, k1, k2, . . . , k8, then sets

k9 = k8, k10 = k7, k11 = k6, . . . , k16 = k1.

Suppose you have a C. Explain how, with access to the encryption algorithm as a black box, you decrypt C and determine the plaintext P using just a single query. This shows that such a cipher is vulnerable to a chosen plaintext attack. Hint: You may need to read about general properties of block ciphers based on Feistel network (Stallings’ book). As an optional exercise try to show that DES satisfies the required property. The idea of Feistel networks is that the decryption algorithm is the same as the encryption one, only using the subkeys in the reverse order. However, the subkey generation algorithm described in the problem the reverse order of subkeys is the same as the original one. Thus the encryption algorithm used as a black box decrypts ciphertext.

On a more detailed level a Feistel network divides an input string into two halves, L0,R0, and then updates the halves using the following rules: On round i it starts with strings Li−1,Ri−1 and sets

Li = Ri−1,Ri = Li−1 ⊕ F (Ri−1,Ki),

where F is a round function (fixed, realized through S-boxes), and Ki is the i-th round subkey. Now, we have to show that Ri−1 = Li,Li−1 = Ri ⊕ F (Li,Ki). (This means that applying the algorithm and swapping the two halves we in the end obtain the plaintext.) The first equation is obvious; to obtain the second we observe that Li = Ri−1, and so F (Li,Ki) = F (Ri−1,Ki. The second equation follows.

10. Alice uses a block cipher E where both block size and key size are 64 bits, but is worried that the key size is too small and thus brute force attacks feasible. She therefore decides to change to 128 bit keys (k0, k1) and encrypt message P as

C = Ek0 (P ) ⊕ k1. Now suppose that the adversary gets access to a few plaintext/ciphertext pairs and is indeed able to do a brute-force attack on the original E and recover the key in a known plaintext attack. Show that he can also break Alice’s “improved” cipher and recover her extended key. (Note that the attack may be different depending on wheteher the attacker knows just one plaintext/ciphertext pair or two.) Suppose the adversary has the plaintext/ciphertext pairs (P,C) and (P 0,C0) from the extended cipher, i.e. 0 0 C = Ek0 (P ) ⊕ k1 and C = Ek0 (P ) ⊕ k1. We XOR the two equations to get

0 0 0 C ⊕ C = Ek0 (P ) ⊕ k1 ⊕ Ek0 (P ) ⊕ k1 = Ek0 (P ) ⊕ Ek0 (P ).

Thus k1 has been eliminated and the adversary can try all possible keys k0 and check for this equation to hold. This is only twice as much computation as an attack against E alone, so is certainly feasible. Thus k0 is

determined and it is easy to use C = Ek0 (P ) ⊕ k1 to determine k1. Assume that the adversary has has only one plaintext/ciphertext pair (P,C). She can then do a brute force

attack on E part, i.e. compute X = Ek0 (P ) for all possible keys k0, and store the resulting pairs (X, k0) in a dictionary. Then she goes through all possible k1, computes C ⊕ k1 and looks it up in the dictionary. When found, she has a potential key pair (k0, k1). It has slightly lower time complexity than the previous attack, but uses a substantial amount of memory.

|s| |s| |s| 2|s| 11. (optional) Given a PRF {fs}, fs : {0, 1} → {0, 1} , construct a PRF {gs} with gs : {0, 1} → {0, 1} , which is a secure PRF as long as {fs} is secure.

4 Note first that constructions like gs(x) = fs(x)fs(fs(x)) do not work, because the adversary can recognize the pattern by making a request gs(x) and then gs(y) where y is the first half of gs(x).

Let x1 denote the first bit of a string x. Then set gs(x) = (fs(x))1(fs(fs(x)))1 ... (fs(. . . fs(fs(x)) ...))1. The crucial observation we use is that if F : {0, 1}n → {0, 1}n is a random function, then the function G : n 2n {0, 1} → {0, 1} constructed from F in the same way as gs from fs is also random. Indeed, as F is random, the functions F (x), F (F (x)),... are also random and independent (why?), and hence the first bits of 1 F (x),F (F (x)),... are independent and equal 1 with probability 2 .

Now suppose that an adversary ADV can break {gs}. We construct an adversary ADV’ that breaks {fs}. Recall that these adversaries get access to functions G and F for ADV and ADV’, respectively, that can be a random function or the PRF. ADV’: – Run ADV. – Every time ADV makes a request for G(x) return G(x) = (F (x))1(F (F (x))1 ... (F (...F (F (x)) ...))1. – When ADV outputs a bit b, output b. Clearly, Pr[ADV’ outputs 1 in Game 1] = Pr[ADV outputs 1 in Game 1]. By the observation above we also have Pr[ADV’ outputs 1 in Game 2] = Pr[ADV outputs 1 in Game 2], as Game 2 for ADV’ also means Game 2 for ADV. The result follows.

5