Ashutosh Bhatia
BITS Pilani
ashutosh.bhatia@pilani.bits-pilani.ac.in
Recap
• Mono-alphabetic substitution ciphers are vulnerable to statistical attacks
• What about encrypting other forms of information (video, audio, images, binary files, etc.)? We need a generalized encryption scheme.
• We need to define “security” more formally, so that a given scheme can be shown to be secure or insecure in a systematic and provable manner.
$D(k, E(k, m)) = m$
• For a given key $k$, the encryption function $e_k$ defines an injective mapping from the plaintext set ℙ to the ciphertext set ℂ
• We assume that the key and plaintext are independent
• Alice picks a plaintext 𝑥 ∈ ℙ and encrypts it to obtain a ciphertext y ∈ ℂ
Plaintext Distribution
• Let 𝕏 be a discrete random variable over the set ℙ
• Alice chooses $x$ from ℙ based on some probability distribution
• Let $\Pr[𝕏 = x]$ be the probability that $x$ is chosen
• This probability may depend on the language
Analyzing Unconditional Security
• Assumptions
• Ciphertext-only attack model: the attacker has access only to the ciphertext; the key and plaintext are secret.
msg: 0 1 1 0 1 1 1
key: 1 0 1 1 0 1 0
CT:  1 1 0 1 1 0 1
E: $C = K \oplus M$,   D: $M = C \oplus K$
Shannon’s idea:
CT should reveal no “info” about PT
Information Theoretic Security
(Shannon 1949)
A cipher (E, D) over (K, M, C) has perfect secrecy if
$\forall m_0, m_1 \in M$ and $\forall c \in C$: $\Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c]$,
where $k$ is uniform in $K$.
[Quiz slide, question text not recovered] Let $m \in \mathcal{M}$ and $c \in \mathcal{C}$. Answer options: None / 1 / 2 / Depends on $m$.
What types of attacks do we have?
• Ciphertext-only attack: the adversary has one or more ciphertexts.
$r_i = (r_{i-3} + r_{i-31}) \bmod 2^{32}$
Output: $r_i \gg 1$
Never ever use built-in (library) random functions for cryptographic purposes.
Homework: try writing a next-bit predictor for LCM
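As an added illustration (not from the slides), the following Python models the lagged additive recurrence above with a constructed 31-word seed state (the real library's seeding procedure is not modelled) and shows why a generator of this kind fails as a cryptographic PRG: after observing 31 outputs, the next output is always one of two candidates, because discarding the low bit of each word hides at most a carry of one.

```python
import hashlib

MASK32 = (1 << 32) - 1
MASK31 = (1 << 31) - 1


class AdditiveGenerator:
    """Lagged additive generator as on the slide:
    r[i] = (r[i-3] + r[i-31]) mod 2^32, output r[i] >> 1.
    The 31-word state is constructed here by hashing a seed (hypothetical
    seeding; the real library's seeding is not modelled)."""

    def __init__(self, seed: bytes):
        digest = b""
        while len(digest) < 31 * 4:
            digest += hashlib.sha256(seed + len(digest).to_bytes(2, "big")).digest()
        self.r = [int.from_bytes(digest[4 * i:4 * i + 4], "big") for i in range(31)]

    def next_output(self):
        new = (self.r[-3] + self.r[-31]) & MASK32
        self.r.append(new)
        del self.r[0]       # keep only the 31 most recent words
        return new >> 1     # low bit discarded, as in the recurrence


def predict_next(outputs):
    """Given the last 31 outputs (low bits of the state unknown), the next
    output is one of two values: the two dropped low bits add up to 0, 1 or 2,
    contributing a carry of at most 1 into the bits that are output."""
    base = (outputs[-3] + outputs[-31]) & MASK31
    return (base, (base + 1) & MASK31)


def prediction_hit_rate(seed: bytes, trials: int = 1000) -> float:
    """Observe 31 outputs, then predict each following output from the two
    candidates; returns the fraction of correct predictions."""
    gen = AdditiveGenerator(seed)
    seen = [gen.next_output() for _ in range(31)]
    hits = 0
    for _ in range(trials):
        candidates = predict_next(seen)
        actual = gen.next_output()
        hits += actual in candidates
        seen.append(actual)
    return hits / trials


if __name__ == "__main__":
    print("hit rate:", prediction_hit_rate(b"constructed seed"))
```

The hit rate is 1.0 for every seed, whereas a guess with no information about the state would succeed with probability $2/2^{31}$; this is exactly the "next-bit predictor" that a secure PRG must not admit.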
Attack 1: the two-time pad is insecure!!
Never use a stream cipher key more than once!!
$C_1 = m_1 \oplus PRG(k)$
$C_2 = m_2 \oplus PRG(k)$
Eavesdropper does: $C_1 \oplus C_2 = m_1 \oplus m_2$
• Enough redundancy in English and ASCII encoding: not all possible combinations of letters exist in the English language, so
$m_1 \oplus m_2 \rightarrow m_1, m_2$
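A small worked example for the perfect-secrecy definition and for the two-time pad, added here and not part of the slides: the one-time pad over constructed 3-bit messages is checked exhaustively against Shannon's definition, a constructed cipher that ignores one key bit is shown to fail it, reusing one pad for two messages is shown to hand the eavesdropper $m_1 \oplus m_2$ without any key, and the 7-bit msg/key pair from the slide is encrypted.

```python
from itertools import product


def xor(a, b):
    """Bitwise XOR of two equal-length bit tuples."""
    return tuple(x ^ y for x, y in zip(a, b))


def otp_encrypt(k, m):
    """One-time pad: C = K xor M (decryption is the same operation)."""
    return xor(k, m)


# Constructed toy spaces for the exhaustive check: 3-bit keys, messages and ciphertexts.
N_BITS = 3
SPACE = list(product((0, 1), repeat=N_BITS))


def key_count(encrypt, m, c):
    """Number of keys k in SPACE with encrypt(k, m) == c.  With k uniform,
    Pr[E(k, m) = c] is this count divided by |SPACE|."""
    return sum(1 for k in SPACE if encrypt(k, m) == c)


def is_perfectly_secret(encrypt):
    """Shannon's definition checked exhaustively: for all m0, m1 and every c,
    Pr[E(k, m0) = c] == Pr[E(k, m1) = c] with k uniform in SPACE."""
    return all(key_count(encrypt, m0, c) == key_count(encrypt, m1, c)
               for m0 in SPACE for m1 in SPACE for c in SPACE)


def leaky_encrypt(k, m):
    """Constructed non-example: the last key bit is ignored, so the last
    ciphertext bit always equals the last plaintext bit."""
    return xor(k[:-1] + (0,), m)


def two_time_pad_view(k, m1, m2):
    """What an eavesdropper computes when one pad encrypts two messages:
    C1 xor C2 = (m1 xor pad) xor (m2 xor pad) = m1 xor m2; no key needed."""
    return xor(otp_encrypt(k, m1), otp_encrypt(k, m2))


# The msg/key pair from the slide.
SLIDE_MSG = (0, 1, 1, 0, 1, 1, 1)
SLIDE_KEY = (1, 0, 1, 1, 0, 1, 0)

if __name__ == "__main__":
    print("CT:", otp_encrypt(SLIDE_KEY, SLIDE_MSG))
    print("OTP perfectly secret:", is_perfectly_secret(otp_encrypt))
    print("leaky cipher perfectly secret:", is_perfectly_secret(leaky_encrypt))
    print("C1 xor C2:", two_time_pad_view((1, 0, 1), (0, 1, 1), (1, 1, 0)))
```

For the one-time pad exactly one key maps a given $m$ to a given $c$, so every ciphertext is equally likely under every message; the leaky variant fails because some $(m, c)$ pairs have two keys and others none.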
Real world examples
Project Venona
MS-PPTP (Windows NT)
802.11b WEP: each frame $m$ is sent as $(IV,\ m \oplus PRG(IV \,\|\, k))$, with the long-term key $k$ shared by both ends.
Repeated IV after $2^{24} \approx 16M$ frames
On some 802.11 cards the IV resets to 0 after a power cycle
Related key attack: in 2001 Scott Fluhrer, Itsik Mantin, and Adi Shamir (FMS) broke the PRG used in WEP (RC4) using $10^6$ frames. Now it takes 40,000 frames.
A better construction: derive a fresh key per frame with a PRG, $PRG(k) \rightarrow k_1, k_2, k_3, k_4, k_5, \ldots$, and encrypt frame $m_i$ under $k_i$.
• Weaknesses of RC4:
1. Bias in initial output: $\Pr[\text{2nd byte} = 0] = 2/256$
2. Probability of the pair $(0,0)$ is $1/256^2 + 1/256^3$
3. Related key attacks
Old example (hardware): CSS (badly broken), built from a linear feedback shift register (LFSR).
PRG with a nonce $r$: $E(k, m; r) = m \oplus PRG(k; r)$
[Figure residue: block diagram of $PRG(k; r)$ built from constants $\tau_0, \tau_1, \tau_2, \tau_3$, a 32-byte key $k$, nonce $r$ and counter $i$, laid out as a 64-byte block; a function $h$ is applied for 10 rounds and its result is XORed with the input block to give 64 bytes of output.]
Let $G: K \to \{0,1\}^n$ be a PRG
Examples:
1. $A(x) = 1$ iff $|\#0(x) - \#1(x)| \le 10 \cdot \sqrt{n}$
2. $A(x) = 1$ iff $|\#00(x) - n/4| \le 10 \cdot \sqrt{n}$
3. $A(x) = 1$ iff $\text{max\_run\_of\_0}(x) \le 10 \cdot \log n$
Advantage
Let $G: K \to \{0,1\}^n$ be a PRG and $A$ a statistical test on $\{0,1\}^n$.
Define:
$Adv_{PRG}[A, G] = \left|\, \Pr_{k \leftarrow K}[A(G(k)) = 1] - \Pr_{r \leftarrow \{0,1\}^n}[A(r) = 1] \,\right|$
Then $Adv_{PRG}[A, G] = ?$
Secure PRGs: crypto definition
Def: We say that $G: K \to \{0,1\}^n$ is a secure PRG if
Semantic security game (one-time key), experiment $b \in \{0,1\}$:
Adv. A sends $m_0, m_1 \in M$ with $|m_0| = |m_1|$ to the challenger;
the challenger picks $k \leftarrow K$ and returns $c \leftarrow E(k, m_b)$;
$Adv_{SS}[A, E] := |\Pr[W_0] - \Pr[W_1]| \in [0,1]$
Semantic Security (one-time key)
Def: E is semantically secure if for all efficient A, $Adv_{SS}[A, E]$ is negligible.
Example (LSB attack): suppose an efficient A, given $C$, can output $LSB(m_b)$. Then we, as adversary B, break semantic security:
$b \leftarrow \{0,1\}$; B sends $m_0$ with $LSB(m_0) = 0$ and $m_1$ with $LSB(m_1) = 1$; the challenger picks $k \leftarrow K$ and returns $C \leftarrow E(k, m_b)$; B forwards $C$ to A (given), which returns $LSB(m_b) = b$, so B's guess is correct every time.
Stream ciphers built from a secure PRG: for every semantic-security adversary A there is a PRG adversary B with
$Adv_{SS}[A, E] \le 2 \cdot Adv_{PRG}[B, G]$
(the intermediate hybrids in which the PRG output is replaced by a truly random pad have identical distributions).
We know that B has negligible advantage against the generator, and that implies that A has negligible advantage against the stream cipher.
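An added Python example (not from the slides) that runs the one-time-key semantic-security game above for a constructed stream cipher whose PRG simply repeats an 8-bit key. The adversary is of the same kind as the LSB adversary above, except that the ciphertext feature it reads is whether the first two 8-bit blocks differ; it reaches advantage 1 against the weak cipher and advantage near 0 against the one-time pad, where the pad is a fresh uniform key.

```python
import random

# Constructed toy parameters: messages are 64-character strings of '0'/'1'.
MSG_BITS = 64


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def random_bits(rng, n):
    return "".join(rng.choice("01") for _ in range(n))


class StreamCipher:
    """E(k, m) = m xor PRG(k); the PRG is supplied so that a weak pad and an
    ideal pad can be compared under the same game."""

    def __init__(self, key_bits, prg):
        self.key_bits, self.prg = key_bits, prg

    def encrypt(self, k, m):
        return xor_bits(m, self.prg(k))


def repeating_prg(k):
    """Constructed insecure PRG: the pad is the key repeated."""
    return (k * (MSG_BITS // len(k) + 1))[:MSG_BITS]


weak_cipher = StreamCipher(8, repeating_prg)
one_time_pad = StreamCipher(MSG_BITS, lambda k: k)  # pad is the fresh uniform key


class BlockCompareAdversary:
    """Adversary A in the semantic-security game: it submits two equal-length
    messages and guesses b' = 1 iff the first two 8-bit ciphertext blocks differ.
    Under the repeating pad, equal plaintext blocks give equal ciphertext blocks."""

    def choose(self):
        m0 = "0" * MSG_BITS
        m1 = "0" * 8 + "1" * 8 + "0" * (MSG_BITS - 16)
        return m0, m1

    def guess(self, c):
        return 1 if c[:8] != c[8:16] else 0


def ss_advantage(cipher, adversary, trials=500, seed=1):
    """Estimate Adv_SS[A, E] = |Pr[W_0] - Pr[W_1]|, where W_b is the event that
    A outputs b' = 1 in the experiment that encrypts m_b under a fresh key."""
    rng = random.Random(seed)
    pr_w = []
    for b in (0, 1):
        ones = 0
        for _ in range(trials):
            m0, m1 = adversary.choose()
            k = random_bits(rng, cipher.key_bits)
            c = cipher.encrypt(k, (m0, m1)[b])
            ones += adversary.guess(c)
        pr_w.append(ones / trials)
    return abs(pr_w[0] - pr_w[1])


if __name__ == "__main__":
    print("weak cipher:", ss_advantage(weak_cipher, BlockCompareAdversary()))
    print("one-time pad:", ss_advantage(one_time_pad, BlockCompareAdversary()))
```

Against the one-time pad the two ciphertext blocks are independent uniform strings whatever $b$ is, so $\Pr[W_0]$ and $\Pr[W_1]$ coincide up to sampling noise; against the repeating pad the adversary's output equals $b$ in every trial.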
Proof: Let A be a semantic-security adversary, outputting $b' \in \{0,1\}$.
For $b = 0, 1$: $W_b :=$ [event that $b' = 1$] in the real game, so $Adv_{SS}[A, E] = |\Pr[W_0] - \Pr[W_1]|$.
For $b = 0, 1$: $R_b :=$ [event that $b' = 1$] in the modified game where the PRG output is replaced by a truly random pad.
Algorithm B: