Stream ciphers Myrto Arapinis School of Informatics University of Edinburgh February 29, 2015 1 / 16 n I M = C = K = f0; 1g I Encryption: 8k 2 K: 8m 2 M: E(k; m) = k ⊕ m k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1 c = 1 1 1 0 0 0 1 0 I Decryption: 8k 2 K: 8c 2 C: D(k; c) = k ⊕ c k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0 m = 1 0 0 0 1 0 1 1 I Consistency: D(k; E(k; m)) = k ⊕ (k ⊕ m) = m The One-Time Pad (OTP) 2 / 16 I Encryption: 8k 2 K: 8m 2 M: E(k; m) = k ⊕ m k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1 c = 1 1 1 0 0 0 1 0 I Decryption: 8k 2 K: 8c 2 C: D(k; c) = k ⊕ c k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0 m = 1 0 0 0 1 0 1 1 I Consistency: D(k; E(k; m)) = k ⊕ (k ⊕ m) = m The One-Time Pad (OTP) n I M = C = K = f0; 1g 2 / 16 k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1 c = 1 1 1 0 0 0 1 0 I Decryption: 8k 2 K: 8c 2 C: D(k; c) = k ⊕ c k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0 m = 1 0 0 0 1 0 1 1 I Consistency: D(k; E(k; m)) = k ⊕ (k ⊕ m) = m The One-Time Pad (OTP) n I M = C = K = f0; 1g I Encryption: 8k 2 K: 8m 2 M: E(k; m) = k ⊕ m 2 / 16 I Decryption: 8k 2 K: 8c 2 C: D(k; c) = k ⊕ c k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0 m = 1 0 0 0 1 0 1 1 I Consistency: D(k; E(k; m)) = k ⊕ (k ⊕ m) = m The One-Time Pad (OTP) n I M = C = K = f0; 1g I Encryption: 8k 2 K: 8m 2 M: E(k; m) = k ⊕ m k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1 c = 1 1 1 0 0 0 1 0 2 / 16 k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0 m = 1 0 0 0 1 0 1 1 I Consistency: D(k; E(k; m)) = k ⊕ (k ⊕ m) = m The One-Time Pad (OTP) n I M = C = K = f0; 1g I Encryption: 8k 2 K: 8m 2 M: E(k; m) = k ⊕ m k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1 c = 1 1 1 0 0 0 1 0 I Decryption: 8k 2 K: 8c 2 C: D(k; c) = k ⊕ c 2 / 16 I Consistency: D(k; E(k; m)) = k ⊕ (k ⊕ m) = m The One-Time Pad (OTP) n I M = C = K = f0; 1g I Encryption: 8k 2 K: 8m 2 M: E(k; m) = k ⊕ m k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1 c = 1 1 1 0 0 0 1 0 I Decryption: 8k 2 K: 8c 2 C: D(k; c) = k ⊕ c k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0 m = 1 0 0 0 1 0 1 1 2 / 16 The One-Time Pad (OTP) n I M = C = K = f0; 1g I Encryption: 8k 2 K: 8m 2 M: E(k; m) = k ⊕ m k = 0 1 1 0 1 0 0 1 m = 1 0 0 0 1 0 1 1 c = 1 1 1 0 0 0 1 0 I Decryption: 8k 2 K: 8c 2 C: D(k; c) = k ⊕ c k = 0 1 1 0 1 0 0 1 c = 1 1 1 0 0 0 1 0 m = 1 0 0 0 1 0 1 1 I Consistency: D(k; E(k; m)) = k ⊕ (k ⊕ m) = m 2 / 16 Perfect secrecy Definition A cipher (E; D) over (M; C; K) satisfies perfect secrecy if for all messages m1; m2 2 M of same length (jm1j = jm2j), and for all ciphertexts c 2 C jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ where k −Kr and is some \negligible quantity". 3 / 16 #fk2K: k⊕m=cg = #K #fk2K: k=m⊕cg = #K 1 = #K where k −Kr . Thus, for all messages m1; m2 2 M, and for all ciphertexts c 2 C 1 1 jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ − = 0 #K #K Proof: We first note that for all messages m 2 M and all ciphertexts c 2 C Pr(E(k; m) = c) OTP satisfies perfect secrecy Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy 4 / 16 #fk2K: k⊕m=cg = #K #fk2K: k=m⊕cg = #K 1 = #K Thus, for all messages m1; m2 2 M, and for all ciphertexts c 2 C 1 1 jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ − = 0 #K #K OTP satisfies perfect secrecy Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy Proof: We first note that for all messages m 2 M and all ciphertexts c 2 C Pr(E(k; m) = c) where k −Kr . 4 / 16 #fk2K: k=m⊕cg = #K 1 = #K Thus, for all messages m1; m2 2 M, and for all ciphertexts c 2 C 1 1 jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ − = 0 #K #K OTP satisfies perfect secrecy Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy Proof: We first note that for all messages m 2 M and all ciphertexts c 2 C #fk2K: k⊕m=cg Pr(E(k; m) = c) = #K where k −Kr . 4 / 16 1 = #K Thus, for all messages m1; m2 2 M, and for all ciphertexts c 2 C 1 1 jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ − = 0 #K #K OTP satisfies perfect secrecy Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy Proof: We first note that for all messages m 2 M and all ciphertexts c 2 C #fk2K: k⊕m=cg Pr(E(k; m) = c) = #K #fk2K: k=m⊕cg = #K where k −Kr . 4 / 16 Thus, for all messages m1; m2 2 M, and for all ciphertexts c 2 C 1 1 jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ − = 0 #K #K OTP satisfies perfect secrecy Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy Proof: We first note that for all messages m 2 M and all ciphertexts c 2 C #fk2K: k⊕m=cg Pr(E(k; m) = c) = #K #fk2K: k=m⊕cg = #K 1 = #K where k −Kr . 4 / 16 1 1 − = 0 #K #K OTP satisfies perfect secrecy Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy Proof: We first note that for all messages m 2 M and all ciphertexts c 2 C #fk2K: k⊕m=cg Pr(E(k; m) = c) = #K #fk2K: k=m⊕cg = #K 1 = #K where k −Kr . Thus, for all messages m1; m2 2 M, and for all ciphertexts c 2 C jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ 4 / 16 OTP satisfies perfect secrecy Theorem (Shannon 1949) The One-Time Pad satisfies perfect secrecy Proof: We first note that for all messages m 2 M and all ciphertexts c 2 C #fk2K: k⊕m=cg Pr(E(k; m) = c) = #K #fk2K: k=m⊕cg = #K 1 = #K where k −Kr . Thus, for all messages m1; m2 2 M, and for all ciphertexts c 2 C 1 1 jPr(E(k; m1) = c) − Pr(E(k; m2) = c)j ≤ − = 0 #K #K 4 / 16 I The key should be as long as the plaintext. I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 ! m1; m2 I OTP is malleable given the ciphertext c = E(k; m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k; m0) with 0 m = to eve : m0 c0 := c ⊕ "to bob : 00 ::: 00" ⊕ "to eve : 00 ::: 00" I Key-length! I Getting true randomness! I The key should not be guessable from an attacker. I Perfect secrecy does not capture all possible attacks Limitations of OTP 5 / 16 I OTP is subject to two-time pad attacks given m1 ⊕ k and m2 ⊕ k, we can compute m1 ⊕ m2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) English has enough redundancy s.t. m1 ⊕ m2 ! m1; m2 I OTP is malleable given the ciphertext c = E(k; m) with m = to bob : m0, it is possible to compute the ciphertext c0 = E(k; m0) with 0 m = to eve : m0 c0 := c ⊕ "to bob : 00 ::: 00" ⊕ "to eve : 00 ::: 00" I Getting true randomness! I The key should not be guessable from an attacker.