Cryptography

Cryptography

Cryptography Prof. Dr. Carsten Damm Dr. Henrik Brosenne University of Goettingen Institut of Computer Science Winter 2013/2014 Table of Contents Stream Ciphers Types of Stream Ciphers Pseudorandomness Linear Feedback Shift Register sequences Linear Complexity RC4 stream cipher Published worksheet 06 general considerations. Setup recall: stream ciphers encipher plaintext symbols/blocks one at a time, but the cipher transformation (the key) varies with time Vigenere, running key, auto-key, Vernam the cipher is determined by the current state S (which requires some memory to be stored) of a key stream generator G G is basically determined by a state function fk : current state 7! next state in the narrow sense \stream cipher" refers to bit based encryption Synchronous stream ciphers in synchronous stream ciphers the keystream is generated independently from plaintext or ciphertext given key k and initial state S0, the encryption process is defined by key stream function ki = gk (Si ) output function ci = h(ki ; mi ) next state function Si+1 = fk (Si ) the stream ciphers we study are additive binary stream ciphers, i.e., h = XOR (repeating) XOR-cipher = Vigenere-cipher on the binary alphabet Properties of synchronous stream ciphers synchronization: while processing the ith symbol sender and receiver must be in same state and process corresponding plain-/ciphertext symbols error propagation: none attacks: active adversary can use insertion/deletion/replay of ciphertext and observe the result (chosen plaintext attack) Self-synchronizing ciphers other name: asynchronous stream cipher requirement: keystream is function of the key and fixed number ` of previous ciphertext characters ) state i can be encoded as vector of last ` cipher symbols stored in a shift register S0 = (c−`; :::; c−1) initial state Si = (ci−`; :::; ci−1) state i key stream function and output function as in the synchronous case ki = gk (Si ) ci = h(ki ; mi ) Properties of self-synchronizing ciphers synchronization: insertion/deletion/change of ciphertext symbols results in loss of a fixed number of blocks, afterwards the cipher self-synchronizes in the following sense: I after the change is \shifted out", the receiver observes the unchanged cipher bits from which the key is derived error propagation: ciphertext transmission errors affect at most ` deciphered plaintext symbols attacks: changing attacks are more easily detected (because of error propagation); insertion/deletion/replay are harder to detect because of self-synchronization; better diffusion properties compared to synchronous stream cipher remark: similar to OFB mode of block ciphers Example 1: One-time pad key = keystream, determined by true randomness from the real world last digits of time difference between keyboard strokes or mouse events Linux machines maintain a special device /dev/random/ that outputs random bits \distilled" by hashing many system states, quick&dirty access: echo $RANDOM (see man urandom for more information), this is a rather slow device and it is not designed for security applications the one time pad is very secure and very impractical as the huge key has to be transferred in advance and kept secret Example 2: the binary XOR cipher = Vigenere cipher on the binary alphabet Example: 8 bit key 1110011 defines the keystream 1110011 1110011 1110011 1110011 . vulnerable against known plaintext attacks (key = cipher ⊕ knownplaintext) vulnerable against ciphertext only statistical attacks very practical but very insecure Exercise 24 see published worksheet 06 exercise 24 Serious and practical stream ciphers generate k 7! k0k1k2::: key stream that \looks random" but is easily reconstructed from a short key most generators can be considered as feedback shift registers: I state = last ` output values I initial state determined by key I current output = function of current state I next state = current state shifted by one place (oldest output thrown away) and current output appended shift clock bit stream bn−1 b1 b0 f : f0; 1gn ! f0; 1g feedback shift register shift clock bit stream bn−1 b1 b0 f : f0; 1gn ! f0; 1g if the generator has ` memory cells, each able to store one out of m symbols, the system has N = m` states obvious consequence: the key stream period d = minft j 8i : ki = ki+t g satisfies d ≤ N Example Linear concruential generators (LCG) the bits will be derived from the sequence kn = (a · kn−1 + c) (mod m) initial state k0 and a; c are part of the key a; b; m are called multiplier, increment and modulus of the LCG Table of Contents Stream Ciphers Types of Stream Ciphers Pseudorandomness Linear Feedback Shift Register sequences Linear Complexity RC4 stream cipher Published worksheet 06 pseudorandomness. What is a random bit sequence? A bit sequence is 1 truly random if the next bit is unpredictable by whatever means (no precise mathematical definition) 2 Kolmogoroff random if it is \not compressible", i.e., the string has essentially no significantly shorter description than itself I precise description can be given but is somehow cumbersome I main drawback: it is provably impossible, to prove that a given string is Kolmogorov random (at the same time it is easy to prove, that there are Kolmogorov random strings) 3 statistically random if it passes any statistical test of randomness frequency tests, auto correlation tests, graphical tests, . difficult to specify 4 computational random restricts this to polynomial time computable statistical tests (precise definition somewhat cumbersome, input consists of the data to be tested and the confidence level of the test) random bit sequence truly random or Kolmogorov random bit sequences cannot be algorithmically generated from a short key we can only generate pseudorandom bit sequences, i.e., sequences that \look random" to any observer who does not know initial state and parameters of the generation process (the seed) to be precise we require computational randomness Cryptographic requirements we need a good trade-off between \quality of randomness" and practicability in particular we need: C1 good expansion = ratio period/key length C2 simple and fast generation of bits C3 computation of next bit given all previous bits takes more resources than an attacker is willing/able to invest linear congruential generator satisfies C1, C2, but not C3 (see Exercise 25) Quadratic generator (Blum, Blum, Shub 1986) let p; q be Blum primes = primes that are congruent to 3 modulo 4 (there are infinitely many Blum primes) ∗ let n = p · q and k 2 Zn (this means: gcd(k; n) = 1) based on these values we define a sequence of residues 2 a0 = k (mod n) 2 ai+1 = ai (mod n) and a sequence of bits xi = ai (mod 2) obviously C1, C2 are satisfied and under the following complexity theoretic assumption also C3 is satisfied Quadratic residue Quadratic residue assumption (QRA): There is no polynomial time algorithm, that given only n (not its factorization into p · q) and a 2 Zn decides, wheher a is a quadratic residue, i.e., whether there is some b such that b2 = a (mod n). Remark The obvious brute force attack of testing all possible b is an exponential time algorithm!: running time is measured in dependence of input length in bits (which is O(log n)). Theorem If quadratic residue assumption (QRA) holds then the quadratic generator generates a computationally random bit sequence. Exercise 25 1 Consider a LCG with modulus 231 and three consecutive generated values 1403686589, 4653678, 1890276371. Compute the next three values. Table of Contents Stream Ciphers Types of Stream Ciphers Pseudorandomness Linear Feedback Shift Register sequences Linear Complexity RC4 stream cipher Published worksheet 06 LFSR sequences. Definition a linear feedback shift register sequence of n registers is the output sequence of a binary FSR with linear output function n−1 X f (x0;:::; xn−1) = ci · xi (mod 2) i=0 where ci are the feedback coefficients bn−1 b1 b0 ci cn−1 c0 2n states, period ≤ 2n − 1 (because state 0 = (0; :::; 0) is stable) linear feedback shift register bn−1 b1 b0 ci cn−1 c0 the characteristic polynomial of the LFSR with feedback coefficients c0; :::; cn−1 is ∗ n−1 n f (X ) = c0 + c1x + ::: + cn−1X + X 2 GF(2)[X ] f ∗(X ) is called primitive if ∗ I f (X ) is irreducible (has no non-trivial divisors) AND n ∗ m I for every m < 2 − 1 holds: f (X ) does not divide X − 1 linear feedback shift register Theorem A linear feedback shift register (LFSR) with characteristic polynomial ∗ n−1 n f (X ) = c0 + c1x + ::: + cn−1X + X has period 2n − 1 (which is maximal) if and only if f ∗(X ) is primitive. Obvious consequence In case f ∗(X ) is primitive, every initial state6= 0 leads to a maximum period sequence LFSR sequences for cryptographic use Fact 1: the number of primitive polynomials of degree n is '(2n − 1) n where '(n) = number of coprimes to n (Euler totient function, will be considered in more detail later) I just keep in mind: there are many maximal LFSR-sequences for any number of registers I coefficients + initial state could be used as key for a stream cipher Fact 2: maximal LFSR sequences \look randomly" as seen below Pseudorandom periodic sequences by definition: periodic sequences are not random what is a \randomly looking" bit sequence of period d? consider weak version of the requirements for statistical randomness using following notions/notations: I t- block = subsequence of shape 0 11:::1 0 | {z } t I t- gap = subsequence of shape 1 00:::0 1 | {z } t a d-periodic bit sequence x = x0;:::; xN−1 is Golomb-random, if for every length d subsequence x of x holds: G1 balance. the number of 1's and the number of 0's is ≈ d=2 G2 for small enough t the number of t-blocks and the number of t-gaps are both ≈ d=4t G3 autocorrelation.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    47 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us