Cryptography, Summer Term 2010, Harald Baier
Chapter 3: Pseudo Random Bit Generators and Stream Ciphers
Contents
- Random bits and pseudo random bits
- Stream ciphers
Harald Baier, Cryptography, h_da, Summer Term 2010
[Figure: xkcd comic on random numbers. Source: http://www.xkcd.com/221/]
Cryptographic applications of (pseudo) random bits
- Key streams for symmetric stream ciphers: ciphertext = plaintext XOR keystream. We need a keystream which is as long as the plaintext.
- Key generation of symmetric block ciphers: let l denote the key length in bits (e.g. l = 128 for AES). What is the attack complexity of a brute force attack
  - if every key bit is truly random?
  - if the key is derived from s truly random bits and then mapped to the whole key using a public mapping f (e.g. f = SHA-256)?
- Key generation of public / private key pairs.
Random bit generators
- Definition: a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits. Examples?
- Generation of random numbers in 2 steps:
  1. Generate enough bits.
  2. Map the bit string to a number.
- Examples: find a random integer in the interval [0, n]; find a random real number in the interval [1, 3].
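The two-step mapping from random bits to a number, as an added example that is not part of the original slides. The step that is easy to get wrong is the second one: reducing a k-bit integer modulo (n+1) is biased unless n+1 is a power of two, so the code below uses rejection sampling instead and also enumerates the bias of the naive approach. `scripted_bits` is a constructed stand-in for the bit source so that the behaviour is reproducible; the other names are choices made here.

```python
import secrets


def scripted_bits(values):
    """Deterministic stand-in for a random bit source (constructed, for demonstration
    only): hands out the scripted integers one after another, ignoring the requested
    bit count. Production code passes secrets.randbits instead."""
    it = iter(values)
    return lambda k: next(it)


def random_int_inclusive(n, randbits=secrets.randbits):
    """Uniform integer in [0, n] (step 1: draw k = bit_length(n) bits,
    step 2: interpret them as an integer, reject and redraw if it exceeds n).

    Every accepted value is equally likely, because each of the 2^k bit strings
    is equally likely and we only keep the n+1 of them that lie in range."""
    if n < 0:
        raise ValueError("n must be non-negative")
    if n == 0:
        return 0
    k = n.bit_length()
    while True:
        candidate = randbits(k)
        if candidate <= n:
            return candidate


def modulo_bias(n):
    """Counts how often each residue in [0, n] occurs when all 2^k k-bit values
    are reduced modulo n+1 (the naive mapping). Unequal counts mean bias."""
    k = n.bit_length()
    counts = {r: 0 for r in range(n + 1)}
    for v in range(2 ** k):
        counts[v % (n + 1)] += 1
    return counts


def random_real(lo, hi, precision_bits=53, randbits=secrets.randbits):
    """Random real number in the closed interval [lo, hi]: draw a uniform integer
    x in [0, 2^precision_bits] and scale it into the interval."""
    if hi < lo:
        raise ValueError("empty interval")
    scale = 2 ** precision_bits
    x = random_int_inclusive(scale, randbits)
    return lo + (hi - lo) * (x / scale)
```

With n = 10 the naive reduction maps the 16 four-bit values onto 11 residues, so 0..4 are twice as likely as 5..10; rejection sampling pays for uniformity with an expected 16/11 draws per result.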
Pseudo random bit generators (PRBG)
- Definition: a deterministic algorithm. Input (= seed) is a short truly random bit string of length k. Output is a bit string of length l >> k which appears to be random.
- Remarks: the pseudo random bit sequence of length l is not random. There are 'only' 2^k different pseudo random sequences, BUT there are 2^l different random sequences. An adversary SHALL not be able to efficiently distinguish between truly random sequences and pseudo random sequences.
The seed is crucial for security
- OpenSSL bug in the Debian distribution: the seed was initialised with the process ID only.
- On a Linux platform this means s = 15 (in the notation of the earlier slide: only 15 truly random seed bits).
- Every Debian-generated RSA, AES, ... key for use in TLS or SSH may be affected.
- Time period: September 2006 to May 2008.
- CVE-2008-0166: "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys."
Elementary tests for PRBG
- Polynomial-time statistical test: no polynomial-time algorithm can distinguish between truly random bits and pseudo random bits with probability significantly greater than 50%.
- Next-bit test: there is no polynomial-time algorithm which, given the first k output bits of the PRBG, can predict the (k+1)-th bit with probability significantly greater than 50%.
- A PRBG that passes the next-bit test is called a Cryptographically Secure PRBG (CSPRBG).
A general concept for computationally secure PRBG
- The concept is based on a one-way function f: f may be a cryptographically strong hash function, or f may be a symmetric encryption scheme using a secret key.
- Input is a seed s. Output is the sequence f(s), f(s+1), f(s+2), ...
- Often only a few bits of f(s+i) are used to hide correlations.
- Examples: PRBG in TLS (f makes use of an HMAC); PRBG of ANSI X9.17 (f makes use of Triple-DES).
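The one-way-function construction from this slide and the statistical test from the previous one, as an added example that is not part of the original slides and not the TLS or X9.17 construction itself. It instantiates f with HMAC-SHA256, keyed with the seed and applied to a counter i (standing in for "s+i"), keeps only the first few bytes of every f(s+i), and runs the simplest polynomial-time statistical test, the monobit (frequency) test of NIST SP 800-22, over the output. The function names and the 4-byte truncation are choices made here.

```python
import hmac
import hashlib
from math import erfc, sqrt


def prbg_step(seed: bytes, i: int) -> bytes:
    """f(s+i): one-way function applied to seed and counter. Here f is
    HMAC-SHA256 keyed with the seed; i is the 'offset' from the seed."""
    return hmac.new(seed, i.to_bytes(8, "big"), hashlib.sha256).digest()


def hmac_counter_prbg(seed: bytes, nbytes: int, bytes_per_step: int = 4) -> bytes:
    """Expand a short seed to nbytes of output: f(s), f(s+1), f(s+2), ...
    Only bytes_per_step bytes of each 32-byte f(s+i) are released, mirroring
    the slide's 'only a few bits of f(s+i) are used'."""
    if not 1 <= bytes_per_step <= hashlib.sha256().digest_size:
        raise ValueError("bytes_per_step out of range")
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        out += prbg_step(seed, i)[:bytes_per_step]
        i += 1
    return bytes(out[:nbytes])


def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test: is the number of 1 bits close to n/2?
    Returns the p-value; NIST SP 800-22 treats p < 0.01 as failure."""
    n = len(data) * 8
    if n == 0:
        raise ValueError("no data")
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n                 # +1 for every 1 bit, -1 for every 0 bit
    s_obs = abs(s) / sqrt(n)
    return erfc(s_obs / sqrt(2))


def looks_random(data: bytes, threshold: float = 0.01) -> bool:
    """True if the monobit test does not reject the sample as non-random."""
    return monobit_p_value(data) >= threshold
```

Passing the monobit test is necessary, not sufficient: a counter-mode output with a weak f would still pass it, which is why the slides ask for a generator that no polynomial-time distinguisher at all can tell from random.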
Example of a PRBG from ANSI
[Figure: ANSI X9.17 PRBG. Source: Handbook of Applied Cryptography]
- Properties: the ANSI X9.17 PRBG is 'only' computationally secure. It is not a CSPRBG.
Example of a CSPRBG: BBS
[Figure: Blum-Blum-Shub generator. Source: Handbook of Applied Cryptography]
- Reference: Lenore Blum, Manuel Blum, and Michael Shub, "A Simple Unpredictable Pseudo-Random Number Generator", SIAM Journal on Computing, volume 15, pages 364-383, 1986.
Further information on BBS
- Variations of BBS: output the r least significant bits in step 3.2. Take care to hide correlations: only O(log(log(n))) bits shall be output in one step. Alternatively, output only the parity bit of x_i.
- Properties of the Blum-Blum-Shub PRBG: BBS is a CSPRBG under the assumption that factoring integers is intractable, i.e. BBS is a provably secure PRBG.
- n has to be chosen as for RSA (bit length about 2048).
- A relatively slow PRBG due to the modular squaring.
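The BBS generator and its r-bit variation, as an added example that is not part of the original slides or of the Handbook. It follows the description on these slides: n = p*q with p, q both congruent to 3 modulo 4, x_0 = seed^2 mod n, x_i = x_{i-1}^2 mod n, and per step either the parity bit (r = 1) or the r least significant bits of x_i (emitted least significant bit first, a choice made here). The toy primes 11 and 23 in the usage are constructed for a hand-checkable run; a real n must have about 2048 bits, as the slide says.

```python
from math import gcd, log2


def bbs_bits(p: int, q: int, seed: int, nbits: int, r: int = 1) -> list:
    """Blum-Blum-Shub: returns nbits pseudo random bits.

    p, q: primes with p = q = 3 (mod 4)   (Blum integer n = p*q)
    seed: integer with gcd(seed, n) = 1
    r:    bits taken from each x_i; r = 1 is the parity-bit variant."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if not 1 < seed < n or gcd(seed, n) != 1:
        raise ValueError("seed must be in (1, n) and coprime to n")
    if r < 1:
        raise ValueError("r must be at least 1")
    x = pow(seed, 2, n)                  # x_0 = seed^2 mod n
    bits = []
    while len(bits) < nbits:
        x = pow(x, 2, n)                 # x_i = x_{i-1}^2 mod n (the slow step)
        for k in range(r):               # r least significant bits, LSB first
            bits.append((x >> k) & 1)
    return bits[:nbits]


def recommended_bits_per_step(n: int) -> int:
    """The slide's O(log(log(n))) bound, with constant 1: floor(log2(log2(n)))."""
    if n < 4:
        raise ValueError("n too small")
    return int(log2(log2(n)))


def bits_to_bytes(bits: list) -> bytes:
    """Pack a bit list (MSB first within each byte) into bytes for use as a key stream."""
    if len(bits) % 8:
        raise ValueError("bit count must be a multiple of 8")
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)
```

With p = 11, q = 23 and seed 3 the internal sequence is x_0 = 9, then 81, 236, 36, 31, 202, 71, 234, 108, so the parity variant yields 1 0 0 1 0 1 0 0; for this n the bound allows only 2 bits per step.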
Contents
- Random bits and pseudo random bits
- Stream ciphers
Basic idea of stream ciphers
- Recapitulation of Vernam's cipher: c = m XOR k, where k is a truly random bit string as long as the message m. Unconditionally secure.
- Idea of stream ciphers: replace the truly random key string in Vernam's cipher by a pseudo random sequence.
- The only source of true randomness is the seed: the symmetric key is essentially the seed. Expand it to a long key stream using a PRBG.
Model of stream ciphers (1/2)
- Finite state machine of the key stream. Two parts:
  - State: the current state of the machine, and an update function to get the next state.
  - Mapping: an output filter which maps the current state of the key stream to an output bit / byte.
- Security requirement: hide correlation between key bits (i.e. the seed) and output bits.
Model of stream ciphers (2/2)
[Figure: state machine model of a stream cipher. Source: Nigel Smart]
A famous stream cipher: RC4
- Officially 'Alleged RC4' for license reasons.
- Invented by Ron Rivest (the 'R' in RSA). RC = Ron's Cipher = Ron's Code = Rivest Cipher.
- Remark: RC2, RC5, RC6 are symmetric block ciphers.
- Key length: 40 to 2048 bits.
- Very fast in software and very easy to remember.
RC4: Internal state
- An array S of 256 bytes: every byte 0, 1, ..., 255 appears exactly once. Initially we have S[i] = i for all 0 <= i <= 255. Then S is permuted in some key-dependent way: Key Scheduling Algorithm (KSA).
- Two pointers to elements of S: the pointer i is increased by 1 in each step; the pointer j is updated in some key- and state-dependent way. The pointers are used within the Pseudo Random Generation Algorithm (PRGA).
RC4: Key Scheduling Algorithm
- Let K be a key-dependent array of 256 bytes: if the input key k is shorter than 256 bytes (= 2048 bits), concatenate k with itself as often as necessary to get K.
- Generate the key-dependent array S as follows:

    for i = 0 to 255 do S[i] = i;
    j = 0;
    for i = 0 to 255 do {
        j = ( j + S[i] + K[i] ) % 256;
        swap( S[i], S[j] );
    }
RC4: Pseudo Random Generation Algorithm
- Initialisation: i = 0; j = 0;
- Generation of the next byte of the key stream:

    i = ( i + 1 ) % 256;
    j = ( j + S[i] ) % 256;
    swap( S[i], S[j] );
    tmp = ( S[i] + S[j] ) % 256;
    output( S[tmp] );

- Every line needs to be there to make RC4 a secure cipher.