Stream Ciphers And Pseudorandomness Revisited. Table of contents

Size: px

Start display at page:

Download "Stream Ciphers And Pseudorandomness Revisited. Table of contents"

Rebecca Hancock
5 years ago
Views:

1 Stream Ciphers And Pseudorandomness Revisited Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Stream Ciphers Stream ciphers & pseudorandom functions Modes of operation

2 Pseudorandom generators (again) Definition Let `( ) be a polynomial and let G be a deterministic polynomial-time algorithm such that for any input s 2 {0.1} n, algorithm G outputs a string of length `(n). We say that G is a pseudorandom generator if the following two conditions hold: 1. (Expansion:) For every n it holds that `(n) > n. 2. (Pseudorandomness:) For all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that: Pr[D(r) = 1] Pr[D(G(s)) = 1] apple negl(n), where r is chosen uniformly at random from {0, 1}`(n),theseed s is chosen uniformly at random from {0, 1} n, and the probabilities are taken over the random coins used by D and the choice of r and s. *Our definition of a pseudorandom generator is limited in that the expansion factor is fixed, and the generator produces its entire output in one shot Stream ciphers Stream ciphers work somewhat di erently. The pseudorandom output bits of a stream cipher are produced gradually and on demand. We view a stream cipher as a pair of deterministic alogorithms: Init takes a seed e and an optimal initialization vector IV, and outputs an initial state st 0. Getbits takes as input state information st i, and outputs a bit y and updated state st i+1. Given a stream cipher and expansion factor `, we can define an algorithm G` mapping inuts of length n to outputs of length `(n).

Generating Bits Given a stream cipher and expansion factor `, we can define an algorithm G` mapping inputs of length n to outputs of length `(n). Algorithm 3.16.

3 Generating Bits Given a stream cipher and expansion factor `, we can define an algorithm G` mapping inputs of length n to outputs of length `(n). Algorithm Constructing G` from (Init, GetBits) Input: Seed s and optional initialization vector IV. Output: y 1,...,y` st 0 := Init(s, IV ) for i =1to`: (y i, st i ):=GetBits(st i 1 ) return y 1,...,y` Pseudorandomness Astreamcipherissecure if it takes no IV and for any polynomial ` with `(n) > n, the function G` is a pseudorandom generator with expansion factor `. The encryption scheme given in Construction 3.17* had two drawbacks: The length of the message is fixed; and the scheme is only EAV-secure, not CPA-secure. Stream ciphers can be used to address both drawbacks. *Reproduced on the following slide.

4 An early encryption scheme Construction Let G be a pseudorandom generator with expansion factor `. Define a private-key encryption scheme for messages of length ` as follows: Gen: On input 1 n, choose k and output it as the key. {0, 1} n uniformly at random Enc: On input a key k 2 {0, 1} n and a message m 2 {0, 1}`(n), output the ciphertext c := G(k) m. Dec: On input a key k 2 {0, 1} n and a ciphertext c 2 {0, 1}`(n), output the plaintext message m := G(k) c. Modifying Algorithm 3.16 We modify Algorithm 3.16 to take two inputs: A seed s and a desired output length 1`. Modified Algorithm Constructing G 1 from (Init, GetBits) Input: Seed s and an output length 1`. Output: y 1,...,y` st 0 := Init(s) for i =1to`: (y i, st i ):=GetBits(st i 1 ) return y 1,...,y`

Using G 1 in Construction 3.17 Construction 3.17 Modified. Define a private-key encryption scheme for messages of length ` as follows: Gen: Choose k as the key.

5 Using G 1 in Construction 3.17 Construction 3.17 Modified. Define a private-key encryption scheme for messages of length ` as follows: Gen: Choose k as the key. {0, 1} n * uniformly at random and output it Enc: On input a key k and a message m 2 {0, 1} m, output the ciphertext c := G 1 (k, 1 m ) m. Dec: On input a key k and a ciphertext c 2 {0, 1} c, output the plaintext message m := G 1 (k, 1 c ) c. *Where n is the length of the initial seed expected by G 1. A little thought If communicating parties are willing to maintain state, then they can use the same key to encrypt multiple messages. The idea is that parties can treat multiple messages m 1, m 2,... as a single long message. Furthermore, our construction has the property that initial portions of a message can be encrypted and transmitted even if the rest of the message is not yet known.

6 Pseudorandom functions and pseudorandom generators It is easy to construct a pseudorandom generator G from a pseudorandom function F : G(s) def = F s (1) k F s (2) k...k F s (`). More generally, we can use this idea to construct a stream cipher (Init, GetBits) that accepts an initialization vector IV. The di erence is that F s is evaluated on input IV, IV +1, IV +2,... *You get a chance to prove this in your next homework set. Pseudorandom functions and stream ciphers Construction 3.29 Let F be a pseudorandom function. Define a stream cipher (Init,GetBits), where each call to GetBits outputs n bits: Init: On input s 2 {0, 1} and IV,setst 0 := (s, IV ). GetBits: On input st i =(s, IV ), compute IV 0 := IV +1and set y := F s (IV 0 )andst i+1 := (s, IV 0 ). Output (y, st i+1 ). Remark Dedicated stream ciphers perform better than those constructed from block ciphers. However, stream ciphers are less well understood, so it is recommended to use block ciphers (possible converting them to stream ciphers first) when possible.

Stream-cipher synchronous mode The parties share a key k and both begin by computing st 0 := Init(k) To encrypt m 1 of length `1, thesenderrunsgitbits a total of `1 times,

7 Modes of operation Modes of operation provide awaytosecurely(and e ciently) encrypt long messages using stream or block ciphers. Today we examine two modes of operation for stream-ciphers. Block ciphers are up next. Stream-cipher synchronous mode The parties share a key k and both begin by computing st 0 := Init(k) To encrypt m 1 of length `1, thesenderrunsgitbits a total of `1 times, beginning at st 0, to obtain pad 1 def = y 1,...y`1 and st`; itsendsc 1 =pad 1 m 1. The other party runs GitBits a total of `1 times to obtain the same pad 1 and st`; itsusespad 1 to recover m 1 := pad 1 c 1.* *You see where this is going. **Notice that in this mode the stream cipher does not need to use an IV.

Unsynchronized mode We modify G 1 to accept three inputs: a seed s, an initialization vector IV, and a desired output length 1`.

8 Drawbacks to synchronized mode Encrypting multiple message requires both sides maintain synchronized state. Within a single session this may be okay, but over time or from di erent devices, it may not work so well. And if the parties ever get out of sync, pray the Lord your soul to keep. Unsynchronized mode We modify G 1 to accept three inputs: a seed s, an initialization vector IV, and a desired output length 1`. The algorithm first computes st 0 := Init(s, IV )beforerunning GetBits a total of ` times. To encrypt m using key k, the algorithm chooses vector IV 2 {0, 1} n and computes the c =(IV, G 1 (s, IV, 1 m ) m. Decryption of c is done by computing m = G 1 (s, IV, 1 c ) m. This scheme is CPA-secure if for any polynomial `, the F k (IV ) def = G 1 (s, IV, 1`) is a pseudorandom function.

Block Ciphers Security of block ciphers. Symmetric Ciphers

Block Ciphers Security of block ciphers. Symmetric Ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 26 Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable