Random walks and analysis of algorithms in cryptography - PowerPoint PPT Presentation

About This Presentation

Title:

Random walks and analysis of algorithms in cryptography

Description:

Broadcast encryption. analysis. optimization. Other work. RC4 stream cipher ... Broadcast encryption. source. receivers. k1, k2, k3, k4, k5,..., kn. k1. k2. k3 ... – PowerPoint PPT presentation

Number of Views:159

Avg rating:3.0/5.0

Slides: 90

Provided by: cryptoS

Learn more at: http://crypto.stanford.edu

Category:

more less

Transcript and Presenter's Notes

Title: Random walks and analysis of algorithms in cryptography

1
Random walks and analysis of algorithms in
cryptography

Ilya Mironov
Stanford University

2
Talk overview

Cryptanalysis
RC4 stream cipher
card shuffling
brute force attack
Broadcast encryption
analysis
optimization
Other work

3
Talk overview

Cryptanalysis
RC4 stream cipher
card shuffling
brute force attack
Broadcast encryption
analysis
optimization
Other work

4
RC4 stream cipher

RC stands for Rons Code, designed in 1987 by
Ron Rivest.
Several design goals
speed
support of 8-bit architecture
simplicity (to circumvent export regulations)

5
Abridged history of alleged RC4

1994 leaked to cypherpunks mailing list
1995 - first weakness (USENET post)
1996 appeared in Applied Cryptography by
B. Schneier as alleged RC4
1997 first published analysis
MS theses 3
PhD thesis 1

6
Usage

SSL/TLS
Windows, Lotus Notes, Oracle, etc.
Cellular Digital Packet Data
OpenBSD pseudo-random number generator

7
Encryption
key
000111101010110101
state
?
plain text plain text

cipher text cipher t
8
Decryption
key
000111101010110101
state
?
cipher text cipher t

plain text plain text
9
Security Requirement

Indistinguishability from a perfect source of
randomness
given part of the output stream, it is
impossible to distinguish it from a
random string

10
Second byte MS01

Second byte of RC4 output is 0 with twice the
expected probability

11
Related key attack FMS01

Wireless Equivalent Privacy protocol (part of
802.11b standard)
Using keys with known prefixes - BAD

IV1, key ? IV1, 0010101010 IV2, key ? IV2,
1010110001 IV3, key ? IV3, 0101010111 IV4, key ?
IV4, 1010101010
key
12
Recommendation

Discard the first 256 bytes of RC4 output RSA,
MS
Is this enough?

13
RC4 internal state

Permutation S on 256 bytes
Two indices i, j
log2 (256! ? 256) ? 1700 bits

21 123 134 24 91 218 13 250 138 53
14
Key scheduling algorithm

(all arithmetic is mod 256)
for i 0 to 255
Si i
j 0
for i 0 to 255
j j Si keyi
swap (Si, Sj)

15
Pseudo-random number generator

i 0
j 0
repeat
i i 1
j j Si
swap (Si, Sj)
output (S Si Sj )

16
Both RC4s routines

for i 0 to 255
Si i
j 0
for i 0 to 255
j j Si keyi
swap (Si, Sj)
i, j 0
repeat
i i 1
j j Si
swap (Si, Sj)
output (S Si Sj )

key scheduling
pseudo-random number generator
17
Both RC4s routines

for i 0 to 255
Si i
j 0
for i 0 to 255
j j Si keyi
swap (Si, Sj)
i 0
repeat
i i 1
j j Si
swap (Si, Sj)

key scheduling
j random (256)
, j
pseudo-random number generator
j random (256)
18
Both RC4s routines

for i 0 to 255
Si i
j random (256)
swap (Si, Sj)

key scheduling
for i 0 to 255
i 0 repeat i i 1 j random
(256) swap (Si, Sj)
pseudo-random number generator
19
Idealization of RC4
for i 0 to 255 Si i i 0 repeat
i i 1 j random (256) swap (Si,
Sj)
20
Idealization of RC4
for i 0 to n - 1 Si i i 0 repeat
i i 1 j random (n) swap (Si,
Sj)
21
Talk overview

Cryptanalysis
RC4 stream cipher
card shuffling
brute force attack
Broadcast encryption
analysis
optimization
Other work

22
Exchange shuffle

RC4 card shuffling

i
i
i
i
i

random j
When i n - 1 the permutation is random
not
23
Perfect shuffling

The textbook algorithm to shuffle cards

swap( Si, Sj)
i
i
i
i
i

random j
When i n - 1 the permutation is perfectly
random
24
Why is it not random?

n! does not divide nn
Sign of the permutation
the sign changes each time with
probability 1-1/n
Positions of individual cards are predictable

25
First byte of RC4 output

The first byte, SS1SS1, is biased

26
Distinguisher

Less than 2,000 to recognize a non-random output
with 10 error

27
Mixing time

The permutation becomes more and more random.

nonrandomness
time
28
Variation distance

Variation distance between two distributions, P
and Q on S
d(P,Q)½ ?s?S P(s)-Q(s)

variation distance
time
29
The end of the beginning of RC4

What is the sufficient number of swaps for the
permutation to become random?

Find t such that d(Pt, U) lt ?
30
Card shuffling

To shuffle 52 cards
- 7 riffle shuffles
100 random transpositions
30,000 adjacent transpositions
- exchange (RC4) shuffles?

31
Lower bound

Sign of the permutation
after t rounds sign can be predicted with
probability e-2t

32
Upper bound

Checking argument
initially all cards are unchecked
check Si if
- either ij
- or Sj is checked
keep doing until all cards are checked

33
Checking argument
i

j
34
Checking argument
i

j
j
Si is indistinguishable from other checked cards
35
Checking argument

It takes ?(n log n) steps to check all cards.
It gives an upper bound.

36
Mixing time

at least
? (n)
at most
O (n log n)

37
What if n 256?

Optimistically (go with the lower bound)
mixes in 4?256 steps
Conservatively (use the upper bound)
mixes in 16?256 steps

38
New development

E. Mossel, A. Sinclair, Y. Peres (Berkeley)
the upper bound is tight
mixing time T(n log n)
Distinguisher
look at the cards from the left half

39
Talk overview

Cryptanalysis
RC4 stream cipher
card shuffling
brute force attack
Broadcast encryption
optimization
analysis
Other work

40
Backtracking

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

41
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

42
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
43
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
44
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
Sj
45
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
Sj
S3
46
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
Sj
S3
Sj
47
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
Sj
S3
48
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
Sj
S3
Sj
49
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
Sj
S3
50
Backtracking
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

Sj
S2
Sj
S3
Sj
51
Cost of backtracking

Keep guessing until there is a critical mass
100 entries
Each guess is 8 bits, which multiplies the
running time by 28
Estimated running time 2800 (for comparison
there are 2200 particles in the universe)

52
Improvement
S1

j S1
t S1 Sj
output St
j j S2
t S2 Sj
output St
j j S3
t S3 Sj
output St

S2
S3
53
Running time of improved algorithm

Much more intricate analysis of an unbalanced
tree
Estimated less than 2600

54
Why is it interesting?

What about short RC4 64-byte permutation?
internal state has size 300 bits
64-byte RC4 is secure against the old attack,
borderline under the new attack

55
Talk overview

Cryptanalysis
RC4 stream cipher
card shuffling
brute force attack
Broadcast encryption
analysis
optimization
Other work

56
Broadcast encryption
source
k
k
k
k
k
k
k
k
k
k
receivers
? Very little overhead
? One rogue user compromises the whole system
57
Broadcast encryption
source
k1, k2, k3, k4, k5,, kn
k1
k2
k3
k4
k5
k6
k7
kn

receivers
broadcast Ek1,k, Ek2,k,, Ekn,k, Ek,M
58
Broadcast encryption
source
k1, k2, k3, k4, k5,, kn
k1
k2
k3
k4
k5
k6
k7
kn

receivers
? Simple user revocation
? Too many keys
59
Subset-cover framework (Naor-Naor-Lotspiech01)
S1
S7
S8
S6
S2
60
Subset-cover framework (Naor-Naor-Lotspiech01)
k3
k5
receiver u knows keys
k4
S1
S7
S8
S6
S2
61
Key distribution

Based on some formal characteristic e.g., DVDs
serial number
Using some real-life descriptors
Microsoft employees
researchers
California state residents
PhDs

62
Broadcast using subset cover
S10
S1
S8
S6
S3
S5
header uses k1, k3, k5, k6, k8, k10
63
Subtree difference
All receivers are associated with the leaves of a
full binary tree
k0
k00
k01
k00
k01
k11
64
Subtree differences
special set Si,j
i
j
65
Subtree difference
66
Subtree difference
67
Subtree difference
68
Subtree difference
69
Subtree difference
70
Subtree difference
71
Subtree difference
72
Subtree difference
73
Greedy algorithm

Easy greedy algorithm for constructing a subtree
cover for any set of revoked users

74
Greedy algorithm

Find a node such that both of its children have
exactly one revoked descendant

75
Greedy algorithm

Add (at most) two sets to the cover

76
Greedy algorithm

Revoke the entire subtree

77
Greedy algorithm

Could be less than two sets

78
Analysis of this algorithm

R - number of revoked users
C number of sets in the cover
C 2R-1
averaged over sets of fixed size NNL01
EC 1.38R
simulation experiments give NNL01
EC 1.25R

79
Analysis of this algorithm

R - number of revoked users
C number of sets in the cover
If a user is revoked with probability p1
EC 1.24511 ER

80
Exact formula
where
81
Mellin transform
82
Asymptotic
EC/ER
1.24511
p
83
Asymptotic
EC/ER
1.2451134
3log2 4/3
1.2451114
p
84
Talk overview

Cryptanalysis
RC4 stream cipher
card shuffling
brute force attack
Broadcast encryption
analysis
optimization
Other work

85
Halevy-Shamir scheme

Noticed that subtree differences are decomposable

86
Halevy-Shamir scheme

Fewer special sets reduce memory requirement on
receivers

87
Improvement

For practical parameters save additionally 20
compared to the Halevy-Shamir scheme
This is joint work with N. Alon, D. Halevy, A.
Shamir

88
Talk overview

Cryptanalysis
RC4 stream cipher
card shuffling
brute force attack
Broadcast encryption
analysis
optimization
Other work

89
Other work

New classes of hash functions and analysis of a
construction for hash functions Eurocrypt01
Crypto and game theory in peer-to-peer
filesharing networks EC01, FC02
Construction of short signatures based on
discrete logarithm CT-RSA03

Write a Comment

User Comments (0)