CSS428/CPE451 - Introduction to Cryptography
Lecture 1 - Perfect Secrecy, One-time Pad, Stream Cipher
Tuesday, January 15, 13
Reminder
• Join the facebook group
• https://www.facebook.com/groups/cpe.crypto.2.2555
• Join the MyLE system
• http://myle.lib.kmutt.ac.th
• Homework 0 due Friday
Homework 0
• Due: Friday Jan 18
• Your name (first, last, nickname) , student ID, and a photo of yourself
• Short paragraph about yourself, your background, why you’re taking this course
• Your level of confidence in background knowledge of the course - Mathematical proofs, Probability theory. Also describe any course you took that might be related to this course
• The grade you want, the grade you expect to get, and the reason.
Today
• We will look at the first secure cipher
• Its definition
• Proof of correctness
• First security definition
• Proof of the security property
• Then we will talk about Stream Cipher
• Lab/Hands-on: TA will talk about Cryptool
Cipher definition
• Definition
• A cipher defined over $(K, M, C)$ is a pair of “efficient” algorithms $(E, D)$ where
$E : K \times M \to C$, $D : K \times C \to M$
• With correctness property:
$\forall m \in M, k \in K : D(k, E(k, m)) = m$
Note that E is often randomized, but D is always deterministic
One Time Pad (Vernam Cipher 1917)
• First “secure” cipher
• key = random bit string as long as the message
$M = C = \{0,1\}^n, \quad K = \{0,1\}^n$
$c = E(k, m) = k \oplus m$
$m = D(k, c) = k \oplus c$
Question
• Given a message m and a ciphertext c, can you compute the OTP secret key from m and c?
One Time Pad
• Very fast
• Very long key
• We’ve proven correctness
• Next we’ll prove security property
How do we convince ourselves of Security?
• Which of these is most correct?
• Many very smart, highly motivated people tried to break it but couldn’t
• There are Quadrillion possible keys, so it must be secure
• Here’s a mathematical proof, accepted by experts, that shows the cipher is secure
• Here’s a strong argument why breaking the cipher is at least as hard as some other problem we believe to be hard
What is a secure cipher?
• Assuming Attacker’s model called Ciphertext-Only attack (CT)
• Possible answer:
• Attacker cannot recover secret key
• Attacker cannot recover all of the plaintext
• Shannon’s definition:
• Ciphertext should reveal no “information” about the plaintext
Information Theoretic Security (Shannon 1949)
• Definition: A cipher (E,D) over (K,M,C) has perfect secrecy if
$\forall m_0, m_1 \in M$ where $\mathrm{len}(m_0) = \mathrm{len}(m_1)$ and $\forall c \in C$:
$\Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c]$
where $k$ is chosen uniformly at random from $K$, written $k \xleftarrow{R} K$
What this means
• Given the ciphertext, adversary can’t tell if the original message is m0 or m1 (for all m0 and m1 pairs)
• Therefore, most powerful adversary, regardless of capabilities, learns nothing about Plaintext from the Ciphertext
• Absolutely no Ciphertext only attack!
Bad news
• Theorem: perfect secrecy implies $|K| \ge |M|$, i.e. the key must be at least as long as the message
• Hard to do in practice
• OTP only provides secrecy
• No integrity (OTP is malleable)
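As an added worked example (not part of the lecture slides), the following Python checks Shannon's definition by exhaustion over a small key space: the one-time pad on one-byte messages, where every ciphertext occurs under exactly one key for every message, and a constructed cipher that stretches a one-byte key over a two-byte message, where the definition fails, which is the $|K| \ge |M|$ theorem seen from the other side. It also answers the earlier question about the OTP: from a known $(m, c)$ pair the pad is $k = m \oplus c$. The function names, the short-key cipher and the probe messages are assumptions made for this example.

```python
from collections import Counter
from fractions import Fraction


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key, msg):
    """One-time pad E(k, m) = k XOR m; the key must be exactly as long as the message."""
    if len(key) != len(msg):
        raise ValueError("OTP key must be exactly as long as the message")
    return xor_bytes(key, msg)


otp_decrypt = otp_encrypt  # D(k, c) = k XOR c is the same operation


def recover_key(msg, ct):
    """The slide's question: from a known (m, c) pair the pad is just k = m XOR c."""
    return xor_bytes(msg, ct)


def short_key_encrypt(key, msg):
    """Constructed counterexample (not from the slides): a 1-byte key reused for
    both bytes of a 2-byte message, i.e. a cipher with |K| < |M|."""
    return bytes(m ^ key[0] for m in msg)


def perfect_secrecy_witness(encrypt, keyspace, messages):
    """Test Shannon's definition by exhaustion over a (small) key space.

    For each group of equal-length messages, count how often every ciphertext c
    occurs as k ranges over keyspace; with k uniform, count/|K| = Pr[E(k, m) = c].
    Returns None if all equal-length messages give the same distribution, else a
    (m0, m1, c, Pr[E(k,m0)=c], Pr[E(k,m1)=c]) tuple exhibiting a ciphertext that
    is more likely under one message than under the other.
    """
    by_len = {}
    for m in messages:
        by_len.setdefault(len(m), []).append(m)
    for group in by_len.values():
        ref_m = group[0]
        ref = Counter(encrypt(k, ref_m) for k in keyspace)
        for m in group[1:]:
            dist = Counter(encrypt(k, m) for k in keyspace)
            if dist != ref:  # comparing to one reference suffices: equality is transitive
                c = next(c for c in set(ref) | set(dist) if ref[c] != dist[c])
                return (ref_m, m, c,
                        Fraction(ref[c], len(keyspace)), Fraction(dist[c], len(keyspace)))
    return None


# Spaces small enough to enumerate completely (constructed for this example).
ONE_BYTE = [bytes([b]) for b in range(256)]                # K = M = C = {0,1}^8 for the OTP
TWO_BYTE_PROBES = [b"\x00\x00", b"\x00\x01", b"\xab\xcd"]  # messages for the short-key cipher

if __name__ == "__main__":
    print("OTP witness:", perfect_secrecy_witness(otp_encrypt, ONE_BYTE, ONE_BYTE))
    print("short-key witness:",
          perfect_secrecy_witness(short_key_encrypt, ONE_BYTE, TWO_BYTE_PROBES))
```

For the OTP the witness is `None`: every one of the 256 ciphertexts has probability exactly $1/256$ under every message. For the short-key cipher the witness shows a ciphertext with probability $1/256$ under one probe and $0$ under the other, so a ciphertext-only adversary can rule out one of the two messages outright.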
Basic idea
• OTP is perfectly secret
• But impractical
• Replace “random string k” (the key) with a pseudorandom string
Pseudorandom Generator
• PRG
• a function $G : \{0,1\}^s \to \{0,1\}^n$, with $n \gg s$
• efficiently computable
• deterministic
Basic construction of Stream Cipher
$c = E(k, m) = m \oplus G(k)$
$m = D(k, c) = c \oplus G(k)$
[Figure: the seed $k$ is expanded by $G$ into the keystream $G(k)$, which is XORed with $m$ to give $c$]
Stream Cipher
• Cannot have perfect secrecy
• To prove its security, we need a different definition, something slightly weaker
• Stream cipher depends on strength/security of the PRG used
Defining Predictability
• $G : K \to \{0,1\}^n$ is predictable if:
$\exists$ efficient algorithm $A$ and $\exists\, 0 \le i \le n-1$ such that
$\Pr_{k \xleftarrow{R} K}\big[\, A(G(k)|_{1,\dots,i}) = G(k)|_{i+1} \,\big] > \frac{1}{2} + \epsilon$
for non-negligible $\epsilon$
Unpredictability
• Definition: PRG is unpredictable if it is not predictable
• $\forall i$: no “efficient” adversary can predict bit $(i+1)$ from bits $1, \dots, i$ with advantage $\epsilon$, for non-negligible $\epsilon$
Weak PRGs
• glibc random():
• $r[i] \leftarrow (r[i-3] + r[i-31]) \bmod 2^{32}$
• output $r[i] \gg 1$
• Never use these for Crypto
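The following Python is an added example, not part of the lecture slides, showing why a generator built on the recurrence above is predictable in exactly the sense of the definition: an efficient algorithm that has seen the previous 31 outputs guesses the next one. Because the output drops the low bit of each word, the next output is $(o[i-3] + o[i-31] + \text{carry}) \bmod 2^{31}$ with carry $\in \{0, 1\}$, so the attacker is left with two candidates, the first of which is right about three quarters of the time, and the top bit of the next output is predicted essentially always. Only the recurrence is taken from the slide; the class and function names and the LCG used to fill the initial 31 words are assumptions of this example, not glibc's real seeding.

```python
MASK32 = (1 << 32) - 1
MASK31 = (1 << 31) - 1


class AdditiveLaggedGenerator:
    """Models the recurrence the slide gives for glibc random():
    r[i] = (r[i-3] + r[i-31]) mod 2^32, output r[i] >> 1.
    The initial 31 words come from a constructed LCG fill (an assumption of this
    example; glibc's real seeding differs), so only the recurrence is modelled."""

    def __init__(self, seed):
        x = seed & MASK32
        self.r = []
        for _ in range(31):
            x = (1103515245 * x + 12345) & MASK32
            self.r.append(x)

    def next(self):
        new = (self.r[-3] + self.r[-31]) & MASK32
        self.r.append(new)
        del self.r[0]                      # keep only the last 31 words
        return new >> 1


def predict_next(outputs):
    """Predict the next output from the previous 31 outputs (o[i-3] and o[i-31]).
    Each output is r >> 1, so write r = 2*o + b with the dropped bit b unknown:
        r[i] >> 1 = (o[i-3] + o[i-31] + (b[i-3] AND b[i-31])) mod 2^31.
    Returns (guess, alternative): the true value is always one of the two, and the
    first guess alone is right whenever the two dropped bits are not both 1."""
    s = (outputs[-3] + outputs[-31]) & MASK31
    return s, (s + 1) & MASK31


def predict_next_msb(outputs):
    """Single-bit version matching the slide's definition: the top bit of the next
    output. s and s+1 share it unless s == 2^31 - 1, so this is wrong with
    probability about 2^-31 instead of the 1/2 an unpredictable PRG would force."""
    return (predict_next(outputs)[0] >> 30) & 1


def prediction_stats(seed, observe=31, trials=1000):
    """Observe `observe` outputs, then predict the next `trials` outputs one at a time.
    Returns (fraction where the first guess was exact,
             fraction where the true value was one of the two candidates,
             fraction where the predicted top bit was right)."""
    gen = AdditiveLaggedGenerator(seed)
    seen = [gen.next() for _ in range(observe)]
    exact = either = msb = 0
    for _ in range(trials):
        guess, alt = predict_next(seen)
        msb_guess = predict_next_msb(seen)
        actual = gen.next()
        exact += int(guess == actual)
        either += int(actual in (guess, alt))
        msb += int(msb_guess == (actual >> 30) & 1)
        seen.append(actual)
    return exact / trials, either / trials, msb / trials


if __name__ == "__main__":
    print(prediction_stats(12345))
```

Run against any seed, the second and third fractions are 1.0 and the first sits near 0.75: the adversary's advantage over $1/2$ is a constant, not a negligible function, which is what "predictable" means.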
Negligibility
• In theory: $\epsilon$ is a function $\epsilon : \mathbb{Z}_{\ge 0} \to \mathbb{R}_{\ge 0}$
• non-negligible: $\exists d : \epsilon(\lambda) \ge \frac{1}{\lambda^d}$ for infinitely many $\lambda$
• negligible: $\forall d : \exists \lambda_d$ such that $\forall \lambda \ge \lambda_d : \epsilon(\lambda) \le \frac{1}{\lambda^d}$
• In practice: $\epsilon$ is a scalar value
• non-negligible: $\epsilon \ge \frac{1}{2^{30}}$
• negligible: $\epsilon \le \frac{1}{2^{80}}$
Stream Cipher Limitations
• Never use the same stream cipher key (and hence the same keystream $G(k)$) more than once: $c_1 \oplus c_2 = m_1 \oplus m_2$, so the keystream cancels and the XOR of the two plaintexts leaks
• No integrity (malleable) - just like the OTP
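Both limitations above, as an added Python example that is not part of the lecture slides. It applies equally to the OTP and to a stream cipher, since the keystream source does not matter once the same pad is used twice: the attacker XORs the two ciphertexts, drags a guessed fragment (a "crib") across the result to align known text, recovers the other plaintext, and separately flips chosen plaintext bits by editing the ciphertext without the key. The two messages, the crib and the function names are constructed for this example.

```python
import os


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(keystream, msg):
    """c = m XOR keystream; the same call decrypts. For the OTP the keystream is
    the key itself, for a stream cipher it is G(k)."""
    return xor_bytes(keystream, msg)


def two_time_pad_leak(c1, c2):
    """Key reuse: c1 XOR c2 = (m1 XOR ks) XOR (m2 XOR ks) = m1 XOR m2. The keystream
    cancels and the attacker holds the XOR of two plaintexts without any key."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1, c2, known_m1):
    """If m1 is known (or guessed), m2 = (c1 XOR c2) XOR m1 follows immediately."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_m1)


def crib_drag(c1, c2, crib):
    """Slide a guessed fragment of one plaintext (a 'crib') across m1 XOR m2 and
    return every offset where the implied fragment of the other plaintext is
    printable ASCII: those offsets are candidate alignments for the crib."""
    leak = two_time_pad_leak(c1, c2)
    hits = []
    for off in range(len(leak) - len(crib) + 1):
        other = xor_bytes(leak[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in other):
            hits.append((off, other))
    return hits


def tamper(ct, offset, original, desired):
    """Malleability: flipping ciphertext bits flips the same plaintext bits. If the
    attacker knows `original` sits at `offset`, XORing in (original XOR desired)
    makes the receiver decrypt `desired` there, with no key and no error."""
    if len(original) != len(desired):
        raise ValueError("replacement must keep the length")
    delta = xor_bytes(original, desired)
    return ct[:offset] + xor_bytes(ct[offset:offset + len(delta)], delta) + ct[offset + len(delta):]


# Constructed demo (not from the slides): two equal-length messages, one keystream.
M1 = b"PAY 0100 USD TO ALICE NOW"
M2 = b"PAY 9000 USD TO BOB TODAY"
KEYSTREAM = os.urandom(len(M1))          # a fresh random pad, then used twice by mistake
C1 = stream_encrypt(KEYSTREAM, M1)
C2 = stream_encrypt(KEYSTREAM, M2)

if __name__ == "__main__":
    print("m1 XOR m2 :", two_time_pad_leak(C1, C2).hex())
    print("m2 from m1:", recover_other_plaintext(C1, C2, M1))
    print("crib hits :", crib_drag(C1, C2, b"ALICE"))
    forged = tamper(C1, 4, b"0100", b"9999")
    print("forged    :", stream_encrypt(KEYSTREAM, forged))
```

Note that `crib_drag` never touches the key: its output depends only on $m_1 \oplus m_2$, so dragging `ALICE` lands on offset 16 and reveals `BOB T` from the other message no matter which pad was reused. The tampering step is why a stream cipher or OTP on its own gives no integrity; a MAC or an authenticated mode is needed for that.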
RC4 (1987)
• 128-bit seed expands to a 2048-bit internal state; outputs 1 byte per round
• Used in HTTPS and WEP
RC4 weakness
• Output bias
• Not all byte sequences are equally likely
• $\Pr[\text{2nd byte} = 0] = 2/256$
• Probability of the $[0, 0]$ byte sequence is biased ($1/256^2 + 1/256^3$ as opposed to $1/256^2$)
• Related key attacks
LFSR
• Linear feedback shift register
• Badly broken
• Used in
• CSS (DVD) uses 2 LFSRs
• GSM - 3 LFSRs
• Bluetooth - 4 LFSRs
CSS (DVD encryption)
• CSS: Seed = 5 bytes = 40 bits
• 2 LFSRs
• 17-bit LFSR
• 25-bit LFSR
• Output the XOR of the output of each LFSR
• Easy to break (under $2^{17}$ time) using a known plaintext attack (even if you know just a few bytes at the start)
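The attack the slide describes, as an added Python example that is not part of the lecture slides: a toy combiner with a 17-bit and a 25-bit LFSR whose output bits are XORed, as on the slide. The attacker guesses the 17-bit register exhaustively; for each guess, XORing its first 25 output bits into the known keystream yields the 25-bit register's first 25 output bits, which for this kind of register are its initial state, and the remaining known bits verify the guess. Total work is under $2^{17}$ guesses with about 8 known plaintext bytes. The tap positions, the seeds and the plaintext are assumptions constructed for this example and are not CSS's real parameters.

```python
# Toy CSS-style stream cipher: a 17-bit and a 25-bit LFSR whose output bits are
# XORed, seeded by a 40-bit key (17 + 25 bits). Register sizes and the XOR
# combiner follow the slide; the tap positions, seed and plaintext below are
# ASSUMPTIONS constructed for this example, not CSS's actual parameters.

# (size, tap_a, tap_b): Fibonacci LFSR, output = lowest state bit,
# feedback = bit tap_a XOR bit tap_b, shifted in at the top.
L17 = (17, 0, 3)   # assumed taps (x^17 + x^3 + 1); the attack does not depend on them
L25 = (25, 0, 3)   # assumed taps (x^25 + x^3 + 1)


def lfsr_step(state, size, tap_a, tap_b):
    fb = ((state >> tap_a) ^ (state >> tap_b)) & 1
    return (state >> 1) | (fb << (size - 1))


def keystream_bits(s17, s25, nbits):
    """Combiner keystream: XOR of the two registers' output bits, one bit per clock."""
    out = []
    for _ in range(nbits):
        out.append((s17 ^ s25) & 1)
        s17 = lfsr_step(s17, *L17)
        s25 = lfsr_step(s25, *L25)
    return out


def bytes_to_bits(data):           # LSB-first within each byte
    return [(b >> i) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


def encrypt(s17, s25, data):
    """XOR with the keystream; decryption is the same call."""
    ks = bits_to_bytes(keystream_bits(s17, s25, 8 * len(data)))
    return bytes(p ^ k for p, k in zip(data, ks))


def recover_states(ks_bits):
    """Known-plaintext attack in at most 2^17 guesses.

    ks_bits: keystream bits = plaintext XOR ciphertext (25 bits plus a margin).
    Guess the 17-bit register exhaustively. For each guess, its first 25 output
    bits XORed into the keystream give the 25-bit register's first 25 output
    bits, which for this register ARE its initial state (output bit j is state
    bit j). The guess is then verified against the remaining keystream bits.
    """
    for g17 in range(1 << 17):
        st17, st25 = g17, 0
        for j in range(25):
            st25 |= (ks_bits[j] ^ (st17 & 1)) << j
            st17 = lfsr_step(st17, *L17)
        cand25 = st25
        for _ in range(25):                      # bring the 25-bit register to clock 25
            st25 = lfsr_step(st25, *L25)
        ok = True
        for j in range(25, len(ks_bits)):
            if ks_bits[j] != (st17 ^ st25) & 1:
                ok = False
                break
            st17 = lfsr_step(st17, *L17)
            st25 = lfsr_step(st25, *L25)
        if ok:
            return g17, cand25
    return None


def known_plaintext_attack(ciphertext, known_prefix):
    """Recover the whole plaintext from a ciphertext whose first len(known_prefix)
    plaintext bytes are known (e.g. a fixed file header)."""
    ks = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    states = recover_states(bytes_to_bits(ks))
    if states is None:
        return None
    return encrypt(states[0], states[1], ciphertext)


# Constructed demo values (not from the slides).
SEED17, SEED25 = 0x0BEEF, 0x1C0FFEE                 # 17-bit and 25-bit initial states
PLAINTEXT = b"HEADER01" + b" secret payload the attacker never saw"
CIPHERTEXT = encrypt(SEED17, SEED25, PLAINTEXT)

if __name__ == "__main__":
    print(known_plaintext_attack(CIPHERTEXT, PLAINTEXT[:8]))
```

With 8 known bytes there are 39 verification bits per guess, so a wrong 17-bit guess survives with probability about $2^{-39}$ and the first guess that passes is the real seed. The 40-bit key never has to be searched as a whole: the XOR combiner lets the attacker peel the two registers apart.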
Modern Stream Cipher
• eStream (2008) - classes of stream cipher (5 of them)
• PRG: $\{0,1\}^s \times R \to \{0,1\}^n$
• where $R$ is a “nonce” (non-repeating value for a given key lifetime)
• The pair $(k, r)$ is never used more than once
$E(k, m, r) = m \oplus \mathrm{PRG}(k, r)$
Salsa 20
• Designed to run well in both hardware and software implementations
• Part of the eStream cipher set
• 2 versions - 128-bit and 256-bit keys
• Outputs a maximum of $2^{73}$ bits
$\mathrm{Salsa20} : \{0,1\}^{128} \times \{0,1\}^{64} \to \{0,1\}^n$