CSS428/CPE451 - Introduction to Cryptography Lecture 1 -Perfect Secrecy, One-time Pad, Stream Cipher


CSS428/CPE451 - Introduction to Cryptography

Lecture 1 - Perfect Secrecy, One-time Pad, Stream Cipher

Tuesday, January 15, 13

Reminder

• Join the facebook group

• https://www.facebook.com/groups/cpe.crypto.2.2555

• Join the MyLE system

• http://myle.lib.kmutt.ac.th

• Homework 0 due Friday


Homework 0

• Due: Friday Jan 18

• Your name (first, last, nickname) , student ID, and a photo of yourself

• Short paragraph about yourself, your background, why you’re taking this course

• Your level of confidence in background knowledge of the course - Mathematical proofs, Probability theory. Also describe any course you took that might be related to this course

• The grade you want, the grade you expect to get, and the reason.


Today

• We will look at the first secure cipher

• Its definition

• Proof of correctness

• First security definition

• Proof of its security property

• Then we will talk about Stream Ciphers

• Lab/Hands-on: TA will talk about Cryptool

Cipher definition

• Definition

• A cipher defined over $(K, M, C)$ is a pair of “efficient” algorithms $(E, D)$ where $E : K \times M \to C$ and $D : K \times C \to M$

• With correctness property: $\forall m \in M,\ k \in K : D(k, E(k, m)) = m$

Note that E is often randomized, but D is always deterministic

One Time Pad (Vernam Cipher 1917)

• First “secure” cipher

• key = random bit string as long as the message

$M = C = \{0,1\}^n,\quad K = \{0,1\}^n$

$c = E(k, m) = k \oplus m$

$m = D(k, c) = k \oplus c$

Question

• Given a message m and a ciphertext c, can you compute the OTP secret key from m and c?
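The OTP slides above and this question, worked through in Python as an added example (not code from the lecture): E and D are the same XOR operation, correctness holds because $k \oplus (k \oplus m) = m$, and given one plaintext/ciphertext pair the key falls out as $k = m \oplus c$, which is exactly why a pad can never be reused. The sample message and the use of `secrets.token_bytes` for the random key are this example's own choices.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("OTP requires key and message of equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n: int) -> bytes:
    """K = {0,1}^n: a uniformly random key exactly as long as the message."""
    return secrets.token_bytes(n)


def otp_encrypt(k: bytes, m: bytes) -> bytes:
    """c = E(k, m) = k XOR m"""
    return xor_bytes(k, m)


def otp_decrypt(k: bytes, c: bytes) -> bytes:
    """m = D(k, c) = k XOR c  (the same operation as E)"""
    return xor_bytes(k, c)


def otp_correctness_holds(m: bytes) -> bool:
    """Correctness property: D(k, E(k, m)) == m for a fresh random key."""
    k = otp_keygen(len(m))
    return otp_decrypt(k, otp_encrypt(k, m)) == m


def recover_key(m: bytes, c: bytes) -> bytes:
    """Answer to the slide's question: since c = k XOR m, k = m XOR c.
    Anyone holding one (m, c) pair holds the whole pad for that length."""
    return xor_bytes(m, c)


def demo() -> bool:
    message = b"meet at the library"  # constructed sample plaintext
    k = otp_keygen(len(message))
    c = otp_encrypt(k, message)
    return otp_correctness_holds(message) and recover_key(message, c) == k
```

`demo()` returns True: decryption inverts encryption, and the recovered key equals the one that was generated.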


One Time Pad

• Very fast

• Very long key

• We’ve proven correctness

• Next we’ll prove security property


How do we convince ourselves of Security?

• Which of these is most correct?

• Many very smart, highly motivated people tried to break it but couldn’t

• There are Quadrillion possible keys, so it must be secure

• Here’s a mathematical proof, accepted by experts, that shows the cipher is secure

• Here’s a strong argument why breaking the cipher is at least as hard as some other problem we believe to be hard


What is a secure cipher?

• Assuming Attacker’s model called Ciphertext-Only attack (CT)

• Possible answer:

• Attacker cannot recover secret key

• Attacker cannot recover all of the plaintext

• Shannon’s definition:

• Ciphertext should reveal no “information” about the plaintext


Information Theoretic Security (Shannon 1949)

• Definition: A cipher (E,D) over (K,M,C) has perfect secrecy if

$\forall m_0, m_1 \in M$ where $\mathrm{len}(m_0) = \mathrm{len}(m_1)$, and $\forall c \in C$:

$\Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c]$

where k is chosen uniformly at random from K: $k \xleftarrow{R} K$

What this means

• Given the ciphertext, adversary can’t tell if the original message is m0 or m1 (for all m0 and m1 pairs)

• Therefore the most powerful adversary, regardless of computational power, learns nothing about the plaintext from the ciphertext

• Absolutely no ciphertext-only attack!

OTP has perfect secrecy

• Proof:


Bad news

• Theorem states that perfect secrecy implies length of key >= length of message

• Hard to do in practice

• OTP only provides secrecy

• No integrity (OTP is malleable)

Stream Ciphers


Basic idea

• OTP is perfectly secret

• But impractical

• Replace “random string k” (the key) with a pseudorandom string


Pseudorandom Generator

• PRG

• a function

• efficiently computable

• deterministic

$G : \{0,1\}^s \to \{0,1\}^n,\quad n \gg s$

Basic construction of Stream Cipher

$c = E(k, m) = m \oplus G(k)$

$m = D(k, c) = c \oplus G(k)$

[Figure: k → G → G(k); G(k) ⊕ m = c]

Question

• Can a stream cipher achieve perfect secrecy?


Stream Cipher

• Cannot have perfect secrecy

• To prove its security, we need a different definition, something slightly weaker

• Stream cipher depends on strength/security of the PRG used
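An added Python example (not from the lecture) that checks Shannon's definition exhaustively at toy sizes, and so answers the question slide above. For the 3-bit OTP every ciphertext $c$ is produced by exactly one key ($k = m \oplus c$) whatever the message, so every probability equals $2^{-3}$ and the definition holds. A stream cipher whose seed is shorter than the message can produce only $|K|$ keystreams, so some ciphertexts are impossible for some messages and the equality fails; this is the key-length theorem from the "Bad news" slide in action. The 2-bit-to-3-bit generator `toy_prg` is constructed for this example; any fixed expansion fails the same way.

```python
from collections import Counter
from itertools import product


def all_bitstrings(n):
    """All 2^n bit strings of length n, as tuples of 0/1."""
    return list(product((0, 1), repeat=n))


def xor_bits(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def ciphertext_counts(encrypt, keys, m):
    """Number of keys k with E(k, m) = c, for each c.  Dividing by |K| gives
    Pr[E(k, m) = c] for uniformly random k; counts are compared directly so
    no floating point is involved."""
    return Counter(encrypt(k, m) for k in keys)


def first_violation(encrypt, keys, messages, ciphertexts):
    """First (m0, m1, c) with Pr[E(k,m0)=c] != Pr[E(k,m1)=c], or None when
    Shannon's equality holds for every pair of messages and every ciphertext."""
    counts = {m: ciphertext_counts(encrypt, keys, m) for m in messages}
    for m0, m1 in product(messages, repeat=2):
        for c in ciphertexts:
            if counts[m0].get(c, 0) != counts[m1].get(c, 0):
                return (m0, m1, c)
    return None


def has_perfect_secrecy(encrypt, keys, messages, ciphertexts):
    return first_violation(encrypt, keys, messages, ciphertexts) is None


# --- One-time pad: n-bit keys, n-bit messages ---
def otp_encrypt(k, m):
    return xor_bits(k, m)


# --- Toy stream cipher: 2-bit seed expanded to a 3-bit keystream ---
def toy_prg(seed):
    """Constructed G: {0,1}^2 -> {0,1}^3 (third bit = parity of the seed).
    Only four keystreams exist, because only four seeds exist."""
    s0, s1 = seed
    return (s0, s1, s0 ^ s1)


def stream_encrypt(k, m):
    return xor_bits(m, toy_prg(k))


def check_otp(n=3):
    """True: the n-bit OTP satisfies the definition."""
    strings = all_bitstrings(n)
    return has_perfect_secrecy(otp_encrypt, strings, strings, strings)


def check_toy_stream_cipher():
    """False: with |K| = 4 < |M| = 8 some ciphertexts are unreachable from
    some messages, so the two probabilities differ."""
    return has_perfect_secrecy(stream_encrypt, all_bitstrings(2),
                               all_bitstrings(3), all_bitstrings(3))
```

`first_violation` returns a concrete witness for the stream cipher, e.g. the all-zero ciphertext, which is reachable from message 000 (seed 00) but from no seed for message 001.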


PRG property

• Unpredictable

• = !predictable


Defining Predictability

• $G : K \to \{0,1\}^n$ is predictable if:

$\exists$ efficient algorithm $A$ and $\exists\ 0 \le i \le n-1$ such that

$k \xleftarrow{R} K;\quad \Pr\big[A(G(k)|_{1,\dots,i}) = G(k)|_{i+1}\big] > \tfrac{1}{2} + \epsilon$

for non-negligible $\epsilon$

Unpredictability

• Definition: PRG is unpredictable if it is not predictable

$\forall i$ : no “efficient” adversary can predict bit $(i+1)$ with probability $> \tfrac{1}{2} + \epsilon$ for non-negligible $\epsilon$

Weak PRGs

• glibc random():

• r[i] ← (r[i-3] + r[i-31]) mod 2^32

• output r[i] >> 1

• Never use these for Crypto
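The recurrence on this slide, simulated in Python as an added example (not the lecture's code and not glibc's source): the 31 initial state words are constructed with a seeded `random.Random`, not produced by glibc's own seeding, so this models the update rule, not a real `srandom()` call. `predict_next` plays the part of the algorithm A in the predictability definition: it guesses each output from two earlier outputs. Because `random()` discards only the low bit of each internal word, the guess is exact whenever the two dropped bits are not both 1, i.e. about 3/4 of the time, an advantage $\epsilon \approx 1/4$ over the fair-coin baseline, so this generator is predictable in the slide's sense.

```python
import random

MASK32 = (1 << 32) - 1
MASK31 = (1 << 31) - 1


def glibc_random_stream(state, count):
    """Simulate the slide's update: r[i] = (r[i-3] + r[i-31]) mod 2^32,
    output r[i] >> 1.  `state` holds the 31 most recent internal words."""
    r = list(state)
    outputs = []
    for _ in range(count):
        new = (r[-3] + r[-31]) & MASK32
        r.append(new)
        outputs.append(new >> 1)
    return outputs


def predict_next(outputs):
    """Algorithm A: guess the next output from outputs i-3 and i-31.
    Each output is r >> 1, so r = 2*o + b for an unknown bit b.  Then
    (r[i-3] + r[i-31]) >> 1 = (o[i-3] + o[i-31]) mod 2^31 + (1 if both
    dropped bits were 1 else 0); the guess below is right in the other
    three of four cases."""
    return (outputs[-3] + outputs[-31]) & MASK31


def prediction_success_rate(trials=5000, seed=1):
    """Fraction of outputs the predictor gets exactly right.  A generator
    that were unpredictable would hold this near the chance level; here it
    sits near 0.75."""
    rng = random.Random(seed)  # constructed initial state, reproducible
    state = [rng.getrandbits(32) for _ in range(31)]
    outs = glibc_random_stream(state, 31 + trials)
    hits = sum(predict_next(outs[:i]) == outs[i] for i in range(31, 31 + trials))
    return hits / trials
```

The point for practice is the one the slide makes: a linear recurrence whose state leaks through its outputs fails the unpredictability definition, so it has no place in key or nonce generation.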


Negligibility

• In theory: $\epsilon$ is a function $\epsilon : \mathbb{Z}_{\ge 0} \to \mathbb{R}_{\ge 0}$

• non-negligible: $\exists d : \epsilon(\lambda) \ge \dfrac{1}{\lambda^d}$

• negligible: $\forall d :\ \lambda \ge \lambda_d \Rightarrow \epsilon(\lambda) \le \dfrac{1}{\lambda^d}$

• In practice: $\epsilon$ is a scalar value

• non-negligible: $\epsilon \ge \dfrac{1}{2^{30}}$

• negligible: $\epsilon \le \dfrac{1}{2^{80}}$

Stream Cipher Limitations

• Never use stream cipher key more than once

• No integrity (Malleable) - just like OTP


Stream Cipher in the real world


RC4 (1987)

• 128-bit seed input generates a 2048-bit state; outputs 1 byte each round

• Used in HTTPS and WEP

RC4 weakness

• output bias

• Not all byte sequences are equally likely

• Pr[2nd byte = 0] = 2/256

• Probability of the [0,0] byte sequence is biased ($1/256^2 + 1/256^3$ as opposed to $1/256^2$)

• Related key attacks


LFSR

• Linear feedback shift register

• Badly broken

• Used in

• CSS (DVD) uses 2 LFSRs

• GSM - 3 LFSRs

• Bluetooth - 4 LFSRs


CSS (DVD encryption)

• CSS: Seed = 5 bytes = 40 bits

• 2 LFSRs

• 17-bit LFSR

• 25-bit LFSR

• Output the XOR of the output of each LFSR

• Easy to break (under $2^{17}$ time) using known plaintext attack (even if you know just a few bytes at the start)
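An added Python example (not from the lecture) of the two-register structure on this slide: a generic Fibonacci LFSR, a 17-bit and a 25-bit instance seeded from a 40-bit value, and a keystream that is the XOR of their outputs as the slide describes. The tap positions (exponents 17,3 and 25,3, i.e. the primitive trinomials $x^{17}+x^3+1$ and $x^{25}+x^3+1$ read in the register's feedback direction) are this example's assumption and are not CSS's actual taps. `lfsr_period` confirms that the 17-bit register visits all $2^{17}-1$ non-zero states, so its whole state space is small enough to enumerate, and `is_linear` shows that every keystream bit is a GF(2)-linear function of the seed; that linearity is the structural weakness behind the known-plaintext break the slide mentions, because a short stretch of keystream pins down the state by linear algebra rather than by trial.

```python
def lfsr_clock(state: int, length: int, taps: tuple) -> int:
    """One clock of a Fibonacci LFSR.  `taps` are polynomial exponents and
    must include `length`; the feedback bit is the XOR of register bits
    (length - t), and it enters at the top while the low bit shifts out."""
    fb = 0
    for t in taps:
        fb ^= (state >> (length - t)) & 1
    return (state >> 1) | (fb << (length - 1))


def lfsr_stream(seed: int, length: int, taps: tuple, n: int) -> list:
    """n output bits (the low bit before each clock).  The all-zero state is a
    fixed point and yields all zeros, which the linearity check relies on."""
    state = seed & ((1 << length) - 1)
    out = []
    for _ in range(n):
        out.append(state & 1)
        state = lfsr_clock(state, length, taps)
    return out


def lfsr_period(seed: int, length: int, taps: tuple) -> int:
    """Clocks until the state returns to `seed` (at most 2^length - 1)."""
    limit = (1 << length) - 1
    state = seed & limit
    steps = 0
    while True:
        state = lfsr_clock(state, length, taps)
        steps += 1
        if state == seed or steps > limit:
            return steps


# Constructed taps for this example (primitive trinomials); not CSS's real taps.
TAPS17 = (17, 3)
TAPS25 = (25, 3)


def two_lfsr_keystream(seed40: int, n: int) -> list:
    """Slide structure: 40-bit seed -> 17-bit and 25-bit registers, keystream
    = XOR of the two register outputs."""
    s17 = seed40 & ((1 << 17) - 1)
    s25 = (seed40 >> 17) & ((1 << 25) - 1)
    a = lfsr_stream(s17, 17, TAPS17, n)
    b = lfsr_stream(s25, 25, TAPS25, n)
    return [x ^ y for x, y in zip(a, b)]


def is_linear(seed_a: int, seed_b: int, n: int = 64) -> bool:
    """keystream(a XOR b) == keystream(a) XOR keystream(b): the generator is a
    linear map over GF(2), so a few known keystream bits give linear equations
    in the seed bits instead of a 2^40 search."""
    ka = two_lfsr_keystream(seed_a, n)
    kb = two_lfsr_keystream(seed_b, n)
    kab = two_lfsr_keystream(seed_a ^ seed_b, n)
    return kab == [x ^ y for x, y in zip(ka, kb)]
```

The contrast with a modern stream cipher is the non-linear state update; here the only non-linearity is the absence of any.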


WEP


Modern Stream Cipher

• eStream (2008) - classes of Stream Cipher (5 of them)

• PRG: $\{0,1\}^s \times R \to \{0,1\}^n$

• where R is a “nonce” (Non-repeating value for a given key lifetime)

• The pair (k,r) is never used more than once

$E(k, m, r) = m \oplus \mathrm{PRG}(k, r)$

Salsa 20

• Designed to run well on both Hardware and Software implementation

• part of eStream cipher set

• 2 versions - 128 and 256 bits

• Output a maximum of $2^{73}$ bits

$\mathrm{Salsa20} : \{0,1\}^{128} \times \{0,1\}^{64} \to \{0,1\}^n$

Salsa20

• H is designed to be fast on x86 (SSE2) instruction set

• No existing attack discovered

• Very fast (3-4x faster than RC4 on optimized cpu)

$\mathrm{Salsa20}(k, r) = H(k,(r,0)) \,\|\, H(k,(r,1)) \,\|\, \dots$
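The nonce-based construction of the last three slides, together with the "Stream Cipher Limitations" slide (never reuse a key, no integrity), as one added Python example that is neither the lecture's nor Salsa20's code. The block function `H` is a stand-in, SHA-256 over key, nonce and a 64-bit block counter (an assumption made for this example; Salsa20's H is a dedicated function), chained exactly as $H(k,(r,0)) \| H(k,(r,1)) \| \dots$ and truncated to the message length. The checks show that distinct nonces give distinct keystreams under one key, that flipping a ciphertext bit flips the matching plaintext bit with nothing to detect it, and that reusing a (k, r) pair cancels the keystream and leaks $m_1 \oplus m_2$.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def H(k: bytes, r: bytes, counter: int) -> bytes:
    """Stand-in for the slide's H(k, (r, i)): SHA-256(key || nonce || counter),
    32 bytes per block.  Assumption for this example only, not Salsa20's H."""
    return hashlib.sha256(k + r + counter.to_bytes(8, "big")).digest()


def prg(k: bytes, r: bytes, n: int) -> bytes:
    """PRG(k, r) = H(k,(r,0)) || H(k,(r,1)) || ... truncated to n bytes."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += H(k, r, i)
        i += 1
    return bytes(out[:n])


def encrypt(k: bytes, m: bytes, r: bytes) -> bytes:
    """E(k, m, r) = m XOR PRG(k, r)"""
    return xor_bytes(m, prg(k, r, len(m)))


def decrypt(k: bytes, c: bytes, r: bytes) -> bytes:
    """D(k, c, r) = c XOR PRG(k, r)"""
    return xor_bytes(c, prg(k, r, len(c)))


def roundtrip(k: bytes, m: bytes, r: bytes) -> bool:
    return decrypt(k, encrypt(k, m, r), r) == m


def keystreams_differ_per_nonce(k: bytes, r1: bytes, r2: bytes, n: int = 64) -> bool:
    """A fresh nonce gives a fresh keystream under the same key."""
    return prg(k, r1, n) != prg(k, r2, n)


def malleability_demo(k: bytes, m: bytes, r: bytes, index: int) -> bytes:
    """No integrity: XOR-ing a byte of the ciphertext XORs the same byte of the
    recovered plaintext, and decryption succeeds without complaint."""
    c = bytearray(encrypt(k, m, r))
    c[index] ^= 0x01
    return decrypt(k, bytes(c), r)


def reuse_leak(k: bytes, m1: bytes, m2: bytes, r: bytes) -> bytes:
    """Reusing (k, r): c1 XOR c2 = m1 XOR m2, the keystream cancels out."""
    return xor_bytes(encrypt(k, m1, r), encrypt(k, m2, r))
```

Two consequences for practice follow directly: nonces must be managed so they never repeat for a key (a counter or a wide random value), and a stream cipher must always be paired with a MAC or used inside an authenticated mode, since nothing in E or D notices a modified ciphertext.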
