PRNG, Block and Stream Cipher - PowerPoint PPT Presentation

Provided by: sconce
Slides: 35
Transcript and Presenter's Notes

1
PRNG, Block and Stream Cipher
  • November 12, 2009
  • Yongdae Kim

2
Index
  • Pseudo Random Number Generator
  • Random bit generation
  • Pseudorandom bit generation
  • Statistical tests
  • Cryptographically secure pseudorandom bit
    generation
  • Stream Cipher
  • Feedback shift registers
  • Stream ciphers based on LFSRs
  • Other stream ciphers
  • Block Cipher
  • Introduction
  • DES
  • Etc

3
Introduction
  • RBG: a device or algorithm which outputs a
    sequence of statistically independent and
    unbiased binary digits.
  • RBG can be used to generate random numbers
  • E.g. a random integer in the interval [0, n]:
  • generate a random bit sequence of length ⌊lg n⌋ +
    1, convert it to an integer
  • if the resulting integer exceeds n, discard it and
    generate a new sequence
  • PRBG
  • Given a truly random sequence of length k,
    deterministically outputs a sequence of length l >>
    k which appears to be random
  • Input to the PRBG is called the seed
  • Output of the PRBG is not random
  • Intention is that an adversary cannot efficiently
    distinguish between output sequences of the PRBG and
    truly random sequences of length l.

4
Introduction (cnt.)
  • LCG (linear congruential generators)
  • produces a pseudorandom sequence of numbers x1,
    x2, x3, ... according to the linear recurrence
    xn = (a·xn-1 + b) mod m, n ≥ 1
  • a, b, and m are parameters which characterize the
    generator
  • x0 is the (secret) seed.
  • given a partial output sequence, the remainder of
    the sequence can be reconstructed even if the
    parameters a, b, and m are unknown.
  • Unix Random
  • Definitions
  • Passes all polynomial-time statistical tests if no
    poly algorithm can distinguish between the output
    sequence and a truly random sequence of the same
    length with probability significantly greater
    than ½
  • Passes the next-bit test if there is no poly algorithm
    which, on input of the first l bits, can predict the
    (l+1)st bit with probability significantly greater than ½
  • A PRBG that passes the next-bit test is called a
    CSPRBG
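The reconstruction claim above, worked through as an added example (not part of the slides): with constructed toy parameters (a = 7, b = 3, m = 101), the modulus is recovered from the gcd of products of successive output differences, then a and b follow, and the next output is predicted. This is exactly why an LCG fails the next-bit test and must not serve as a CSPRBG; the method is the same for word-sized parameters.

```python
from math import gcd

def lcg(a, b, m, x0, count):
    """Linear congruential generator x_n = (a * x_{n-1} + b) mod m; returns x_1, ..., x_count."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out

def recover_lcg(xs):
    """Recover (a, b, m) from consecutive outputs x_1, x_2, ... with all three parameters unknown.
    The differences t_i = x_{i+1} - x_i satisfy t_{i+1} = a * t_i (mod m), so each value
    t_{i+2} * t_i - t_{i+1}^2 is a multiple of m; the gcd of a few of them is (almost always) m."""
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    m = 0
    for i in range(len(t) - 2):
        m = gcd(m, t[i + 2] * t[i] - t[i + 1] ** 2)
    if m < 2 or gcd(t[0], m) != 1:
        raise ValueError("need more outputs (or a later window) to recover the modulus")
    a = t[1] * pow(t[0], -1, m) % m   # from t_1 = a * t_0 (mod m)
    b = (xs[1] - a * xs[0]) % m       # from x_2 = a * x_1 + b (mod m)
    return a, b, m

def predict_next(xs):
    """The next-bit test failing in practice: predict x_{k+1} from x_1, ..., x_k alone."""
    a, b, m = recover_lcg(xs)
    return (a * xs[-1] + b) % m

if __name__ == "__main__":
    outputs = lcg(7, 3, 101, 5, 11)   # constructed toy parameters; the method does not depend on their size
    print("parameters from the first 10 outputs:", recover_lcg(outputs[:10]))
    print("predicted x_11:", predict_next(outputs[:10]), " actual:", outputs[10])
```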

5
Random Bit Generation
  • Hardware-based
  • elapsed time between emission of particle during
    radioactive decay
  • thermal noise from a semiconductor diode or
    resistor
  • the frequency instability of a free-running
    oscillator
  • air turbulence within a disk drive, which causes
    random fluctuations in drive sector read latency
    times
  • sound from a microphone or video input from a
    camera.
  • Software-based
  • the system clock
  • elapsed time between keystrokes or mouse movement
  • content of input/output buffers
  • user input
  • operating system values such as system load and
    network statistics

6
Random Bit Generation (cnt.)
  • De-skewing
  • A natural source of random bits may be defective
    in that the output bits may be biased or
    correlated
  • De-skewing techniques generate truly random bit
    sequences from the output bits of such a defective
    generator
  • Techniques
  • Suppose that a generator produces biased but
    uncorrelated bits
  • Suppose that the probability of a 1 is p, where p is
    unknown but fixed, 0 < p < 1
  • 10 → 1, 01 → 0, and the pairs 00 and 11 are discarded
  • then the resulting sequence is both unbiased and
    uncorrelated.
  • A practical (not provable) technique is to pass a
    sequence whose bits are biased or correlated
    through a hash function (e.g. SHA-1 or MD5)
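Both de-skewing techniques from this slide as an added example (not from the slides): the provable pair-discarding method and the practical hashing method, run over a constructed biased-but-uncorrelated source (a seeded software RNG standing in for defective hardware; SHA-256 stands in for the SHA-1/MD5 named above).

```python
import hashlib
import random

def von_neumann_deskew(bits):
    """Read the source two bits at a time: 10 -> 1, 01 -> 0, the pairs 00 and 11 are discarded.
    Provably unbiased only if the source bits are independent (biased but uncorrelated)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        first, second = bits[i], bits[i + 1]
        if first != second:
            out.append(first)   # 10 gives 1, 01 gives 0
    return out

def hash_deskew(bits, out_bits=256):
    """The practical (not provable) alternative: hash the biased/correlated bits and keep the digest.
    SHA-256 is used here as a stand-in for the SHA-1/MD5 named on the slide."""
    packed = int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")
    digest = hashlib.sha256(packed).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)][:out_bits]

def biased_source(p_one, n, seed):
    """Constructed stand-in for a defective hardware source: independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def bias(bits):
    return sum(bits) / len(bits)

if __name__ == "__main__":
    raw = biased_source(0.8, 20000, seed=1)
    clean = von_neumann_deskew(raw)
    # expected: raw P(1) about 0.80, de-skewed P(1) about 0.50, about 2p(1-p) = 32% of the pairs kept
    print(f"raw P(1)={bias(raw):.3f}  de-skewed P(1)={bias(clean):.3f}  kept {len(clean)} of {len(raw) // 2} pairs")
    print("hash output P(1) =", bias(hash_deskew(raw)))
```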

7
Pseudo Random Bit Generation
  • ANSI X9.17 generator
  • INPUT: m, a random seed s, a Triple-DES encryption
    key k.
  • OUTPUT: m pseudorandom 64-bit strings x1, x2, ...,
    xm
  • Compute the intermediate value I = Ek(D), where D
    is a 64-bit date/time to as fine a resolution as
    is available.
  • For i from 1 to m do the following
  • xi ← Ek(I ⊕ s).
  • s ← Ek(xi ⊕ I).
  • Return(x1, x2, ..., xm)
  • More generators
  • FIPS 186 for DSA

8
Statistical Test
  • Why?
  • It is impossible to give a mathematical proof that a
    generator is indeed a random bit generator; the
    tests help detect certain kinds of weaknesses the
    generator may have.
  • This is accomplished by taking a sample output
    sequence of the generator and subjecting it to
    various statistical tests.
  • the term "accepted" should be replaced by "not
    rejected"
  • Five basic tests (using chi-square analysis)
  • Frequency test: numbers of 0s and 1s
  • Serial test: numbers of 00, 01, 10, 11
  • Poker test: numbers of each k-bit string
  • Runs test: comparison with the expected run lengths
  • Autocorrelation test: correlations between s and
    shifted versions of s
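Four of the five basic tests (frequency, serial, poker, autocorrelation; the runs test is omitted for space) as an added example, not from the slides, using the chi-square and normal statistics with their 5% critical values. The constructed samples show the point of having several tests: a perfectly alternating sequence is balanced and so is not rejected by the frequency test, yet fails the others.

```python
from collections import Counter

# 5% critical values of the chi-square distribution, keyed by degrees of freedom
CHI2_05 = {1: 3.841, 2: 5.991, 7: 14.067, 15: 24.996}
NORMAL_05 = 1.96   # two-sided 5% threshold for an (approximately) standard normal statistic

def frequency_test(s):
    """X1 = (n0 - n1)^2 / n, chi-square with 1 degree of freedom."""
    n0 = s.count(0)
    return (n0 - (len(s) - n0)) ** 2 / len(s)

def serial_test(s):
    """X2 = 4/(n-1) * sum(n_ab^2) - 2/n * sum(n_a^2) + 1 over overlapping pairs (2 degrees of freedom)."""
    n, n0 = len(s), s.count(0)
    pairs = Counter(zip(s, s[1:]))
    return 4 / (n - 1) * sum(v * v for v in pairs.values()) - 2 / n * (n0 ** 2 + (n - n0) ** 2) + 1

def poker_test(s, k):
    """Split s into m = floor(n/k) non-overlapping k-bit blocks; X3 = 2^k/m * sum(n_i^2) - m
    (2^k - 1 degrees of freedom). The approximation needs m >= 5 * 2^k."""
    m = len(s) // k
    blocks = Counter(tuple(s[i * k:(i + 1) * k]) for i in range(m))
    return 2 ** k / m * sum(v * v for v in blocks.values()) - m

def autocorrelation_test(s, d):
    """A(d) = number of i with s_i != s_{i+d}; X5 = 2(A(d) - (n-d)/2)/sqrt(n-d) is approximately N(0,1)."""
    n = len(s)
    a = sum(s[i] ^ s[i + d] for i in range(n - d))
    return 2 * (a - (n - d) / 2) / (n - d) ** 0.5

def basic_tests(s, k=3, d=1):
    """Apply the four tests at the 5% level. True means 'not rejected', never 'accepted'."""
    return {
        "frequency": frequency_test(s) <= CHI2_05[1],
        "serial": serial_test(s) <= CHI2_05[2],
        "poker": poker_test(s, k) <= CHI2_05[2 ** k - 1],
        "autocorrelation": abs(autocorrelation_test(s, d)) <= NORMAL_05,
    }

if __name__ == "__main__":
    # constructed samples: a stuck source and a perfectly alternating one
    print("all zeros:  ", basic_tests([0] * 1000))
    print("alternating:", basic_tests([i % 2 for i in range(1000)]))   # balanced, so frequency passes
```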

9
Statistical test (cnt.)
  • Maurer's universal statistical test
  • The basic idea is that it should not be possible
    to significantly compress the output sequence of
    an RBG
  • Thus, if a sample output sequence s of a bit
    generator can be significantly compressed, the
    generator should be rejected
  • The universality arises because it is able to
    detect any one of a very general class of
    possible defects a bit generator might have.
  • A drawback over the five basic tests is that it
    requires a much longer sample output sequence in
    order to be effective.

10
CSPRBG (RSA)
  • Basic Algorithm
  • Setup: p, q, n = pq and φ = (p - 1)(q - 1), 1 <
    e < φ, gcd(e, φ) = 1
  • Select a random integer x0 (the seed) in the
    interval [1, n - 1].
  • For i from 1 to l do the following
  • xi ← xi-1^e mod n.
  • zi = the least significant bit of xi.
  • The output sequence is z1, z2, ..., zl.
  • Efficiency
  • If e = 3, then generating zi requires one modular
    multiplication and one squaring
  • Improved by extracting the j least significant bits
    of xi (j = c lg lg n)
  • If n is sufficiently large, this generator is
    cryptographically secure
  • For fixed n, the explicit range of values of c under
    which this remains secure assuming intractability of
    the RSA problem has not been determined.

11
Micali-Schnorr
  • Setup: p, q, n = pq and φ = (p - 1)(q - 1), 1 <
    e < φ, gcd(e, φ) = 1, N = bit length of n, 80e ≤ N,
    k = ⌊N(1 - 2/e)⌋, r = N - k
  • Select a random integer x0 (the seed) of bit
    length r
  • Generate a sequence of length l·k: for i from 1 to
    l do the following
  • yi ← xi-1^e mod n.
  • xi = the r most significant bits of yi.
  • zi = the k least significant bits of yi.
  • The output sequence is z1 || z2 || ... || zl.
  • Properties
  • Efficiency: a ⌊N(1 - 2/e)⌋-bit sequence is generated
    per exponentiation
  • Secure under the assumption that the distribution of
    x^e mod n for random r-bit sequences x is
    indistinguishable by all poly statistical tests
    from the uniform distribution of integers in the
    interval [0, n - 1].
  • This is a stronger assumption than the RSA problem

12
Blum-Blum-Shub PRBG
  • Basic Algorithm
  • Setup: p, q (≡ 3 mod 4), n = pq
  • Select a random integer s (seed) in [1, n - 1]
    such that gcd(s, n) = 1 and compute x0 ← s^2 mod n
  • For i from 1 to l do the following
  • xi ← xi-1^2 mod n.
  • zi = the least significant bit of xi.
  • The output sequence is z1, z2, ..., zl.
  • Efficiency
  • One modular squaring per output bit
  • Improved by extracting the j least significant bits
    of xi (j = c lg lg n)
  • If n is sufficiently large, this generator is
    cryptographically secure
  • For fixed n, the explicit range of values of c under
    which this remains secure assuming intractability of
    the factoring problem has not been determined.
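The RSA generator (slide 10) and Blum-Blum-Shub (slide 12) share one core, x_i = x_{i-1}^e mod n with low bits extracted, so this added example (not from the slides) implements that core once with the setup checks each slide requires and the j-bit extraction both mention. The primes are toy-sized so the arithmetic can be followed by hand; real use needs n far too large to factor.

```python
from math import gcd

def power_generator(n, e, x0, l, j=1):
    """Common core of both generators: x_i = x_{i-1}^e mod n for i = 1..l, emitting the
    j least significant bits of every x_i (most significant of the j bits first)."""
    x, out = x0, []
    for _ in range(l):
        x = pow(x, e, n)
        out.extend((x >> b) & 1 for b in reversed(range(j)))
    return out

def rsa_generator(p, q, e, x0, l, j=1):
    """Slide 10: n = pq, phi = (p-1)(q-1), 1 < e < phi with gcd(e, phi) = 1, seed x0 in [1, n-1]."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1 and 1 <= x0 <= n - 1):
        raise ValueError("invalid RSA generator parameters")
    return power_generator(n, e, x0, l, j)

def bbs_generator(p, q, s, l, j=1):
    """Slide 12: p = q = 3 (mod 4), seed s in [1, n-1] with gcd(s, n) = 1, x0 = s^2 mod n, then e = 2."""
    n = p * q
    if p % 4 != 3 or q % 4 != 3 or not (1 <= s <= n - 1) or gcd(s, n) != 1:
        raise ValueError("invalid Blum-Blum-Shub parameters")
    return power_generator(n, 2, s * s % n, l, j)

if __name__ == "__main__":
    # toy primes so the arithmetic can be followed by hand; real use needs n that cannot be factored
    print("BBS, 1 bit per squaring:     ", bbs_generator(11, 23, 3, 8))
    print("BBS, 2 bits per squaring:    ", bbs_generator(11, 23, 3, 8, j=2))
    print("RSA generator with e = 3:    ", rsa_generator(11, 23, 3, 5, 8))
```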

13
Index
  • Pseudo Random Number Generator
  • Random bit generation
  • Pseudorandom bit generation
  • Statistical tests
  • Cryptographically secure pseudorandom bit
    generation
  • Stream Cipher
  • Feedback shift registers
  • Stream ciphers based on LFSRs
  • Other stream ciphers
  • Block Cipher
  • Introduction
  • DES
  • etc

14
Introduction
  • Definition
  • encrypt individual characters of the plaintext
    message one at a time, using an encryption
    transformation which varies with time.
  • Block vs. Stream
  • Block ciphers
  • process plaintext in relatively large blocks
  • The same function is used to encrypt successive
    blocks → memoryless
  • Stream ciphers
  • process plaintext in small blocks, and the
    encryption function may vary as the plaintext is
    processed → have memory
  • sometimes called state ciphers since encryption
    depends not only on the key and plaintext, but
    also on the current state.
  • This distinction between block and stream ciphers
    is not definitive:
  • adding memory to a block cipher (as in CBC)
    results in a stream cipher

15
One-time Pad and Stream Cipher
  • One-time pad
  • Vernam cipher: ci = mi ⊕ ki for i = 1, 2, 3, ...
  • key is generated independently and randomly →
    one-time pad
  • H(M|C) = H(M), where M, C are random variables for
    plaintext and ciphertext
  • Ciphertext contributes no information about the
    plaintext
  • Shannon proved that a necessary condition for a
    symmetric-key encryption to be unconditionally
    secure is that H(K) ≥ H(M)
  • If the key is chosen independently and randomly, then
    H(K) = k ≥ H(M)
  • OTP is unconditionally secure regardless of the
    distribution of the plaintext
  • Drawback: the key should be as long as the plaintext →
    key management problem
  • Hence, a stream cipher tries to solve this problem by
    having a short key and generating a pseudo-random
    sequence
  • Not unconditionally secure, but tries to be
    computationally secure

16
Synchronous Stream Cipher
  • Definition
  • keystream is generated independently of plaintext
    and of ciphertext
  • si+1 = f(si, k): next-state function
  • zi = g(si, k): keystream generation function
  • ci = h(zi, mi): encryption function
  • e.g. OFB

[Figure: synchronous stream cipher. Encryption: si+1 = f(si, k), zi = g(si, k), ci = h(zi, mi); decryption uses the same f and g, with mi = h⁻¹(zi, ci)]
17
Synchronous Stream Cipher (Cnt.)
  • Properties
  • synchronization requirements: both sender and
    receiver must be synchronized, using the same key
    and operating at the same position
  • If synchronization is lost due to inserted or deleted
    ciphertext digits, decryption fails and can only be
    restored through additional techniques for
    re-synchronization.
  • no error propagation: a ciphertext digit modified
    during transmission does not affect the
    decryption of other ciphertext digits.
  • active attacks: the insertion, deletion, or
    replay of ciphertext digits by an active
    adversary causes immediate loss of synchronization

18
Stream Cipher
  • Binary additive stream cipher
  • a synchronous stream cipher in which keystream,
    plaintext, and ciphertext are binary digits, and the
    output function h is the XOR function
  • Self-synchronizing stream cipher
  • the keystream is generated as a function of the key
    and a fixed number of previous ciphertext digits
    (e.g. 1-bit CFB)

[Figure: binary additive stream cipher (keystream generator KSG under key k produces zi; ci = mi ⊕ zi, mi = ci ⊕ zi) and self-synchronizing stream cipher (state formed from previous ciphertext digits, zi = g(state, k), ci = h(zi, mi))]
19
Linear Feedback Shift Registers
  • Properties
  • LFSRs are well-suited to hardware implementation
  • can produce sequences of large period
  • can produce sequences with good statistical
    properties
  • because of the structure, can be analyzed using
    algebra
  • Definition
  • An LFSR of length L consists of L stages numbered 0,
    1, ..., L - 1, each capable of storing one bit and
    having one input and one output, and a clock which
    controls the movement of data
  • the content of stage 0 is output and forms part of
    the output sequence
  • the content of stage i is moved to stage i - 1
    for each i, 1 ≤ i ≤ L - 1
  • the new content of stage L - 1 is the feedback bit sj,
    calculated by adding together modulo 2 the previous
    contents of a fixed subset of stages

20
LFSR (cnt.)
  • Output sequence
  • sj = (c1·sj-1 + c2·sj-2 + ... + cL·sj-L) mod 2
  • Some facts
  • If the connection polynomial C(D) = 1 + c1D + ... +
    cLD^L is primitive, the LFSR produces an output
    sequence with the maximum possible period 2^L - 1
    → m-LFSR
  • Has very good statistical properties
  • Linear complexity of a sequence s is the length of the
    shortest LFSR generating s
  • If a stream cipher has linear complexity n, we
    can reconstruct the generator from 2n consecutive
    bits using the Berlekamp-Massey algorithm
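The two facts above, worked as an added example (not from the slides): an LFSR with the primitive connection polynomial C(D) = 1 + D + D^4 reaches the maximum period 2^4 - 1 = 15, and the GF(2) Berlekamp-Massey algorithm recovers that register, and hence the whole sequence, from only 2L = 8 consecutive output bits. Taps and initial state are constructed sample values.

```python
def lfsr(taps, init, n):
    """Generate n bits of s_j = (c_1 s_{j-1} + ... + c_L s_{j-L}) mod 2.
    taps = [c_1, ..., c_L] are the coefficients of C(D) = 1 + c_1 D + ... + c_L D^L,
    init = [s_0, ..., s_{L-1}] is the initial content of the register."""
    s = list(init)
    while len(s) < n:
        s.append(sum(c & s[-i] for i, c in enumerate(taps, 1)) & 1)
    return s[:n]

def period(bits):
    """Smallest p > 0 with bits[i] == bits[i + p] for every i (None if the sample is too short)."""
    for p in range(1, len(bits) // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return None

def berlekamp_massey(s):
    """Linear complexity L of s and the connection polynomial [1, c_1, ..., c_L]
    of the shortest LFSR generating s (GF(2) version of the Berlekamp-Massey algorithm)."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m = 0, -1                           # current LFSR length, index of the last length change
    for N in range(n):
        d = s[N]
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]           # discrepancy: does the current LFSR predict s_N?
        if d:
            T, shift = C[:], N - m
            for i in range(n + 1 - shift):
                C[i + shift] ^= B[i]       # C(D) <- C(D) + D^(N-m) * B(D)
            if 2 * L <= N:
                L, m, B = N + 1 - L, N, T
    return L, C[:L + 1]

if __name__ == "__main__":
    taps = [1, 0, 0, 1]                    # C(D) = 1 + D + D^4, a primitive polynomial
    bits = lfsr(taps, [0, 0, 0, 1], 45)
    print("period:", period(bits))         # 15 = 2^4 - 1, an m-sequence
    L, C = berlekamp_massey(bits[:8])      # 2L = 8 consecutive bits suffice
    print("linear complexity:", L, "C(D) coefficients:", C)
    print("recovered LFSR reproduces the sequence:", lfsr(C[1:], bits[:L], 45) == bits)
```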

21
Stream ciphers based on LFSR
  • Why?
  • To increase the LC, use a non-linear combination of
    LFSRs
  • the LC of a linear combination of two LFSRs is at most
    that of a single LFSR
  • Example

[Figure: nonlinear combination generator; LFSR1, LFSR2, ..., LFSRn feed a non-linear combining function f]
22
Other Stream Ciphers
  • Optimized for software implementation
  • RC4
  • Proprietary, not presented here
  • SEAL (Software-optimized Encryption Algorithm)
  • a length-increasing pseudorandom function which
    maps a 32-bit sequence number n to an L-bit
    keystream under control of a 160-bit secret key a
  • In the preprocessing stage, the key is stretched
    into larger tables using the table-generation
    function Ga (based on SHA-1)
  • Subsequent to this preprocessing, keystream
    generation requires about 5 machine instructions
    per byte
  • an order of magnitude faster than DES

23
Index
  • Pseudo Random Number Generator
  • Random bit generation
  • Pseudorandom bit generation
  • Statistical tests
  • Cryptographically secure pseudorandom bit
    generation
  • Stream Cipher
  • Feedback shift registers
  • Stream ciphers based on LFSRs
  • Other stream ciphers
  • Block Cipher
  • Introduction
  • DES
  • etc

24
Introduction
  • maps n-bit plaintext blocks to n-bit ciphertext
    blocks (n = block length)
  • Use of plaintext and ciphertext of equal size
    avoids data expansion
  • To allow unique decryption, the encryption function
    must be 1-1 (invertible)
  • For n-bit plaintext and ciphertext blocks and a
    fixed key, the encryption function is a
    bijection, defining a permutation on n-bit
    vectors
  • Each key potentially defines a different
    bijection
  • Definition
  • An n-bit block cipher is E: Vn × K → Vn such that
    for all keys k ∈ K, E(P, k) is an invertible
    mapping (the encryption function for k) from Vn to Vn,
    written Ek(P).
  • The inverse mapping is the decryption function,
    denoted Dk(C)
  • C = Ek(P) denotes that ciphertext C results from
    encrypting plaintext P under k

25
Practical security and complexity of attack
  • Basic assumptions
  • the adversary has access to all data transmitted over
    the cipher channel
  • (Kerckhoffs' assumption) the adversary knows all
    details of the encryption function except the
    secret key
  • Classes of attacks
  • ciphertext-only: no additional information is
    available
  • known-plaintext: plaintext-ciphertext pairs are
    available
  • chosen-plaintext: ciphertexts are available
    corresponding to plaintexts of the adversary's
    choice
  • adaptive chosen-plaintext: the choice of plaintexts
    may depend on previous plaintext-ciphertext pairs

26
Modes of operation
[Figure: modes of operation. CBC: c0 = IV, cj = EK(cj-1 ⊕ xj), xj = cj-1 ⊕ E⁻¹K(cj). CFB and OFB: I1 = IV, Oj = EK(Ij), r-bit shift register feeding Ij; xj is XORed with the leftmost r bits of Oj]
27
Modes of operation (cnt.)
  • ECB
  • Encryption: cj ← EK(xj)
  • Decryption: xj ← E⁻¹K(cj)
  • Identical plaintext blocks (under the same key) result
    in identical ciphertext blocks
  • blocks are enciphered independently of other
    blocks
  • bit errors in a single ciphertext block affect
    decipherment of that block only
  • CBC
  • Encryption: c0 ← IV, cj ← EK(cj-1 ⊕ xj)
  • Decryption: c0 ← IV, xj ← cj-1 ⊕ E⁻¹K(cj)
  • chaining causes ciphertext cj to depend on all
    preceding plaintext blocks
  • a single bit error in cj affects decipherment of
    blocks cj and cj+1
  • self-synchronizing: if cj is in error (but cj+1 and
    cj+2 are not), cj+2 is correctly decrypted to xj+2.

28
Modes of operation (cnt.)
  • CFB
  • Encryption: I1 ← IV
  • Oj ← EK(Ij) (compute the block cipher output)
  • tj = the r leftmost bits of Oj (assume the leftmost
    is identified as bit 1)
  • cj ← xj ⊕ tj (transmit the r-bit ciphertext
    block cj)
  • Shift cj into the right end of the shift register
  • Decryption: I1 ← IV, xj ← cj ⊕ tj, where tj, Oj
    and Ij are as above
  • re-ordering ciphertext blocks affects decryption
  • one or more bit errors in any single r-bit
    ciphertext block cj affect the decipherment of the
    next ⌈n/r⌉ ciphertext blocks
  • self-synchronizing: similar to CBC, but requires
    ⌈n/r⌉ blocks to recover
  • for r < n, throughput is decreased by a factor of
    n/r

29
Modes of operation (cnt.)
  • OFB
  • Encryption: I1 ← IV
  • Oj ← EK(Ij) (compute the block cipher output)
  • tj = the r leftmost bits of Oj (assume the leftmost
    is identified as bit 1)
  • cj ← xj ⊕ tj (transmit the r-bit ciphertext
    block cj)
  • Shift Oj into the right end of the shift register
  • Decryption: I1 ← IV, xj ← cj ⊕ tj, where tj, Oj
    and Ij are as above
  • keystream is plaintext-independent
  • bit errors in a ciphertext character affect the
    decipherment of only that character
  • recovers from ciphertext bit errors, but cannot
    self-synchronize after lost ciphertext
  • for r < n, throughput is decreased as in the CFB
    mode

30
DES
  • Basic idea: product cipher, Feistel cipher
  • Product cipher
  • To build a complex function, compose several
    simple operations which offer complementary, but
    individually insufficient, protection
  • Basic operations: transposition, translation (XOR)
    and linear transformation, arithmetic operations,
    modular multiplication, simple substitution
  • A substitution-permutation (SP) network is a product
    cipher composed of a number of stages, each
    involving substitution and permutation

31
Feistel Cipher
  • Definition
  • an iterated cipher mapping a 2t-bit plaintext (L0, R0)
    to the ciphertext (Rr, Lr) through an r-round process
    (Li-1, Ri-1) →Ki (Li, Ri) as follows:
  • Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki), where subkey Ki is
    derived from the cipher key K

[Figure: one Feistel round: (Li-1, Ri-1) → (Li, Ri), with f applied to Ri-1 and XORed into Li-1]
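The Feistel definition above and the CBC error-propagation claims of slide 27, as one added example (not from the slides and not DES): a toy 64-bit Feistel cipher with a hash-based round function and key schedule standing in for DES's f and subkey generation, decrypted by running the same algorithm with the subkeys reversed, then used as EK in CBC so that flipping one bit of c1 garbles x1, flips the same bit of x2, and leaves x0 and x3 intact. Key, IV and plaintext are constructed sample values; no padding is implemented.

```python
import hashlib

BLOCK = 8   # 64-bit blocks made of two 32-bit halves, as in DES

def round_function(right, subkey):
    """f(R, K): a keyed, non-invertible stand-in for DES's f = P(S(E(R) xor K)) (illustration only)."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")

def subkeys(key, rounds=16):
    """Round subkeys K_1..K_r from the cipher key (hash-based stand-in for the DES key schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(1, rounds + 1)]

def feistel_encrypt(block, keys):
    L, R = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in keys:
        L, R = R, L ^ round_function(R, k)   # L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)
    return R.to_bytes(4, "big") + L.to_bytes(4, "big")   # output (R_r, L_r): halves swapped

def feistel_decrypt(block, keys):
    return feistel_encrypt(block, keys[::-1])   # same algorithm, subkeys applied in reverse order

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    """c_0 = IV, c_j = E_K(c_{j-1} xor x_j); the plaintext length must be a multiple of BLOCK (no padding)."""
    keys, prev, out = subkeys(key), iv, b""
    for j in range(0, len(plaintext), BLOCK):
        prev = feistel_encrypt(xor(prev, plaintext[j:j + BLOCK]), keys)
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    """x_j = c_{j-1} xor E_K^{-1}(c_j)"""
    keys, prev, out = subkeys(key), iv, b""
    for j in range(0, len(ciphertext), BLOCK):
        c = ciphertext[j:j + BLOCK]
        out += xor(prev, feistel_decrypt(c, keys))
        prev = c
    return out

def decrypt_with_bit_error(key, iv, plaintext, byte_index, mask=0x01):
    """Encrypt, flip one ciphertext bit, decrypt: shows how far a single CBC error propagates."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[byte_index] ^= mask
    return cbc_decrypt(key, iv, bytes(ct))

if __name__ == "__main__":
    key, iv = b"constructed-key!", bytes(BLOCK)           # constructed sample values
    pt = b"block 0 block 1 block 2 block 3 "               # four 8-byte blocks
    damaged = decrypt_with_bit_error(key, iv, pt, byte_index=BLOCK)   # error in c_1
    for j in range(4):
        print(f"x_{j} intact:", damaged[j * BLOCK:(j + 1) * BLOCK] == pt[j * BLOCK:(j + 1) * BLOCK])
    # expected: x_0 True, x_1 False (garbled), x_2 False (one bit flipped), x_3 True
```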
32
DES algorithm
  • Overview
  • DES(K, P) = C where |P| = |C| = 64 bits, |K| = 56 bits
  • 16 rounds
  • From the input key K, sixteen 48-bit subkeys Ki
    are generated
  • In each round, 8 fixed S-boxes Si, collectively
    denoted S, are used
  • The 64-bit plaintext is divided into 32-bit
    halves L0 and R0
  • Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki) where f(Ri-1,
    Ki) = P(S(E(Ri-1) ⊕ Ki))
  • E is a fixed expansion permutation mapping Ri-1
    from 32 to 48 bits
  • P is another fixed permutation on 32 bits
  • An initial bit permutation (IP) precedes the
    first round
  • Decryption involves the same key and algorithm,
    but with subkeys applied to the internal rounds
    in the reverse order

33
DES structure
[Figure: DES structure: input → IP → (L0, R0) → 16 Feistel rounds with subkeys K1, ..., K16 → (L16, R16) → IP⁻¹ → output; f built from E, the S-boxes and P applied to Ri-1 and Ki]
34
Other Block Ciphers
  • FEAL
  • Fast N-round block cipher
  • Has suffered many attacks, and hence introduced new
    attacks on block ciphers
  • Japanese standard
  • IDEA
  • 64-bit plaintext, 64-bit ciphertext, 128-bit key, 8
    rounds (64-64-128-8)
  • James Massey
  • Uses algebraic functions (multiplication mod 2^n + 1,
    addition mod 2^n)
  • SAFER, RC-5, AES