
Cryptography

One Time Pad (OTP), Perfect Secrecy, and Stream Ciphers

Ashutosh Bhatia
BITS Pilani
ashutosh.bhatia@pilani.bits-pilani.ac.in
Recap
• Mono-alphabetic substitution ciphers are vulnerable to statistical attacks
• Although polyalphabetic substitution ciphers break the statistical correlation between the plaintext and the corresponding ciphertext to a certain extent, they are not secure against more powerful attacks like known plaintext and chosen plaintext attacks.
• What about encrypting other forms of information like video, audio, images, binary files etc.? We need a generalized encryption scheme.
• Need to define “security” more formally, so that a given scheme can be shown to be secure or not in a systematic and provable manner.
• Security schemes are required to be standardized


Exercise
Suppose we have an n-bit block cipher E with the property

E(k, m1 ⊕ m2) = E(k, m1) ⊕ E(k, m2).

What is the minimum number of chosen plaintexts required to decipher (with probability 1) a given ciphertext (not from the list of ciphertexts corresponding to the chosen plaintexts) without knowing the secret key k, and what would those plaintexts be?
Symmetric Ciphers: definition
Def: a cipher defined over (K, M, C) is a pair of “efficient” algorithms (E, D) where

E: K × M → C, D: K × C → M, s.t. ∀ m ∈ M, k ∈ K: D(k, E(k, m)) = m

• E is often randomized. D is always deterministic.

How do we design Ciphers?
Cipher Models (What are the goals of the design?)
Encryption

• For a given key, the encryption e_k defines an injective mapping between the plaintext set (ℙ) and the ciphertext set (ℂ)
• We assume that the key and plaintext are independent
• Alice picks a plaintext x ∈ ℙ and encrypts it to obtain a ciphertext y ∈ ℂ
Plaintext Distribution
• Let 𝕏 be a discrete random variable over the set ℙ
• Alice chooses x from ℙ based on some probability distribution
• Let Pr[𝕏 = x] be the probability that x is chosen
• This probability may depend on the language
Analyzing Unconditional Security

• Assumptions
• Ciphertext only attack model: the attacker only has information about the ciphertext. The key and plaintext are secret.
• We first analyze a single encryption, then relax this assumption by analyzing multiple encryptions with the same key
Key Distribution
Ciphertext Distribution
Pr[y|x]
Attacker’s Probabilities
A posteriori Probabilities
Computing A Posteriori Probabilities
Perfect Secrecy
Observations on Perfect Secrecy
The One Time Pad (Vernam 1917)
First example of a “secure” cipher: M = C = {0,1}^n, K = {0,1}^n

E: C = K ⊕ M, D: M = C ⊕ K

msg: 0 1 1 0 1 1 1
key: 1 0 1 1 0 1 0
CT:  1 1 0 1 1 0 1

key = (random bit string as long as the message)


You are given a message (m) and its OTP encryption (c).
Can you compute the OTP key from m and c?

• No, I cannot compute the key.
• Yes, the key is k = m ⊕ c.
• I can only compute half the bits of the key.
• Yes, the key is k = m ⊕ m.
The One Time Pad (Vernam 1917)

Very fast enc/dec!!
… but long keys (as long as plaintext)

Is the OTP secure? What is a secure cipher?


What is a secure cipher?
Attacker’s abilities: CT only attack (for now)

Possible security requirements:


attempt #1: attacker cannot recover secret key

attempt #2: attacker cannot recover all of plaintext

Shannon’s idea:
CT should reveal no “info” about PT
Information Theoretic Security
(Shannon 1949)
A cipher (E, D) over (K, M, C) has perfect secrecy if ∀ m0, m1 ∈ M and ∀ c ∈ C:
Pr[E(k, m0) = c] = Pr[E(k, m1) = c], where k is uniform in K

• Theorem: OTP has perfect secrecy.
• Given CT, can’t tell whether the message is m0 or m1
• Most powerful adversary learns nothing about PT from CT
• No CT-only attack (but other attacks possible)
How many OTP keys map 𝒎 to 𝒄 ?

Let m ∈ ℳ and c ∈ 𝒞.

• None
• 1
• 2
• Depends on m
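Added example (not from the slides): OTP over {0,1}^n on bit strings, the forced key k = m ⊕ c for a known (m, c) pair, and a brute-force count over the whole key space of how many keys send a given m to a given c, which is the counting argument behind the perfect-secrecy theorem. The message and key bits are the slide's own; the function names are my own.

```python
# Added example: OTP on bit strings and the "how many keys map m to c" count.
from itertools import product

def xor_bits(a, b):
    """XOR two equal-length bit strings such as '0110111' and '1011010'."""
    assert len(a) == len(b)
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def otp_encrypt(key, msg):   # E: C = K xor M
    return xor_bits(key, msg)

def otp_decrypt(key, ct):    # D: M = C xor K
    return xor_bits(ct, key)

def key_from_pair(msg, ct):  # given m and c the key is forced: k = m xor c
    return xor_bits(msg, ct)

def keys_mapping(msg, ct):
    """Enumerate K = {0,1}^n and return every key with E(k, msg) == ct."""
    n = len(msg)
    return ["".join(k) for k in product("01", repeat=n)
            if otp_encrypt("".join(k), msg) == ct]

def perfect_secrecy_check(n):
    """For every (m, c) in {0,1}^n x {0,1}^n exactly one key maps m to c, so
    Pr_k[E(k, m) = c] = 1/2^n for every m: the ciphertext distribution does
    not depend on the message, which is Shannon's definition."""
    strings = ["".join(b) for b in product("01", repeat=n)]
    return all(len(keys_mapping(m, c)) == 1 for m in strings for c in strings)

if __name__ == "__main__":
    msg, key = "0110111", "1011010"      # the slide's example bits
    ct = otp_encrypt(key, msg)
    print(ct, otp_decrypt(key, ct) == msg, key_from_pair(msg, ct) == key)
    print(perfect_secrecy_check(4))
```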
What types of attacks do we have?
• Ciphertext only attack: the Adversary has one or more ciphertexts.
• Known plaintext attack: the Adversary has one or more plaintexts and the corresponding ciphertexts.
• Chosen plaintext attack: the Adversary can choose plaintexts, have them encrypted and obtain the corresponding ciphertexts
The bad news …
Thm: perfect secrecy ⇒ |K| ≥ |M|

• Hard to use in practice.


Stream Ciphers: making OTP practical
Idea: replace “random” key by “pseudorandom” key
• Use of Pseudo Random Generators (PRG): G: {0,1}^s → {0,1}^n, n ≫ s
• Expand k to G(k), then E: C = G(K) ⊕ M, D: M = C ⊕ G(K)
Can a stream cipher have perfect secrecy?

• Yes, if the PRG is really “secure”
• No, there are no ciphers with perfect secrecy
• Yes, every cipher has perfect secrecy
• No, since the key is shorter than the message
Stream Ciphers: making OTP practical

Stream ciphers cannot have perfect secrecy!!

• Need a different definition of security
• Security will depend on the specific PRG

PRG must be unpredictable
• A PRG is said to be predictable if ∃ i such that an algorithm Alg, given G(k)|_{1,…,i}, outputs G(k)|_{i+1,…,n}
• PRG is unpredictable if it is not predictable
• ∀ i: no “eff” adv. can predict bit (i+1) for “non-neg” ε
• Suppose G: K ⟶ {0,1}^n is such that for all k: XOR(G(k)) = 1. Is G predictable?
Exercises
• Let G: {0,1}^s → {0,1}^n be a secure PRG. Which of the following is a secure PRG?

1. G′(k1, k2) = G(k1) ‖ G(k2) (here ‖ denotes concatenation)
2. G′(k) = G(k) ‖ 0
3. G′(k) = G(k) ‖ G(k)
4. G′(k) = G(k) XOR 1^n
Weak PRG (Do not use for Crypto)
• To produce a sequence of integers X1, X2, … between 0 and m−1 by following a recursive relationship:

X_{i+1} = (a·X_i + c) mod m, i = 0, 1, 2, …

where a is the multiplier, c the increment and m the modulus

• X0 is called the seed
• The selection of the values for a, c, m, and X0 drastically affects the statistical properties and the cycle length.
• If c ≠ 0 then it is called the mixed congruential method
• When c = 0 it is called the multiplicative congruential method
glibc random():

r[i] = (r[i−3] + r[i−31]) % 2^32
Output: r[i] ≫ 1
Never ever use built-in functions for crypto purposes
Homework: Try writing a next bit predictor for the LCM (linear congruential method) above
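Added example (not from the slides) of why the linear congruential method fails the unpredictability definition above: an observer who knows only the modulus m and sees three consecutive outputs recovers the multiplier a and increment c, and from then on predicts every later output (hence every later bit). The parameters and seed are constructed, and `recover_lcg_params` and `predict_next` are my own names.

```python
# Added example: a next-output predictor for X_{i+1} = (a*X_i + c) mod m.

def lcg(seed, a, c, m):
    """Generate the linear congruential sequence starting after the seed X0."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def recover_lcg_params(x0, x1, x2, m):
    """Solve for (a, c) from three consecutive outputs, given the modulus m.
    x1 = a*x0 + c and x2 = a*x1 + c (mod m)  =>  x2 - x1 = a*(x1 - x0) (mod m).
    Needs gcd(x1 - x0, m) == 1; returns None otherwise (never for prime m
    unless x1 == x0)."""
    d = (x1 - x0) % m
    try:
        a = ((x2 - x1) * pow(d, -1, m)) % m   # modular inverse, Python 3.8+
    except ValueError:                        # d has no inverse mod m
        return None
    c = (x1 - a * x0) % m
    return a, c

def predict_next(x0, x1, x2, m):
    """Next-output predictor: from observed x0, x1, x2 return the predicted x3."""
    params = recover_lcg_params(x0, x1, x2, m)
    if params is None:
        return None
    a, c = params
    return (a * x2 + c) % m

def demo():
    m = 2**31 - 1                     # constructed prime modulus
    a, c, seed = 48271, 12345, 2024   # constructed; unknown to the observer
    gen = lcg(seed, a, c, m)
    x0, x1, x2, x3 = (next(gen) for _ in range(4))
    guess = predict_next(x0, x1, x2, m)
    return guess == x3, recover_lcg_params(x0, x1, x2, m) == (a, c)

if __name__ == "__main__":
    print(demo())
```

The same recovery works on glibc-style generators only after modelling their recurrence; the point here is that any generator whose next state is an affine function of visible output is predictable in the sense of the definition.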
Attack 1: two time pad is insecure !!
Never use a stream cipher key more than once!!
C1 ← m1 ⊕ PRG(k)
C2 ← m2 ⊕ PRG(k)

• Eavesdropper does: C1 ⊕ C2 → m1 ⊕ m2
• Enough redundancy in English and ASCII encoding: not all possible combinations of letters exist in the English language, so m1 ⊕ m2 → m1, m2
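Added example (not from the slides) of the two-time pad. The keystream stands in for PRG(k) and both messages are constructed; it shows that the eavesdropper's C1 ⊕ C2 equals m1 ⊕ m2 with the key cancelled out, and that any known stretch of one message (here the fixed "From:" header) then exposes the other message at the same positions. Function names are my own.

```python
# Added example: what a reused stream-cipher key leaks.

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(keystream, m):   # C = m xor PRG(k)
    return xor_bytes(m, keystream)

def eavesdropper_xor(c1, c2):
    """What the eavesdropper computes from the two ciphertexts alone."""
    return xor_bytes(c1, c2)

def expose_other_message(c1_xor_c2, known_segment, offset):
    """Known bytes of m1 at `offset` reveal the bytes of m2 at the same
    offset (and vice versa): (m1 xor m2) xor m1 = m2. No key is involved."""
    window = c1_xor_c2[offset:offset + len(known_segment)]
    return xor_bytes(window, known_segment)

def demo():
    keystream = bytes((i * 37 + 11) % 256 for i in range(32))  # constructed PRG(k) stand-in
    m1 = b"From: Bob   Meet at noon"      # constructed, 24 bytes
    m2 = b"From: Alice Lunch is off"      # constructed, 24 bytes
    c1 = stream_encrypt(keystream, m1)
    c2 = stream_encrypt(keystream, m2)
    leak = eavesdropper_xor(c1, c2)
    key_independent = leak == xor_bytes(m1, m2)
    # the attacker knows m1 starts with "From: Bob": that alone yields m2's start
    sender_of_m2 = expose_other_message(leak, b"From: Bob", 0)
    # positions where both messages agree show up as zero bytes in the leak
    return key_independent, sender_of_m2, leak[:6] == bytes(6)

if __name__ == "__main__":
    print(demo())
```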
Real world examples
Project Venona
MS-PPTP (Windows NT)
802.11b WEP: each frame is sent as IV ‖ ciphertext, where ciphertext = m ⊕ PRG(IV ‖ k)
• Repeated IV after 2^24 ≈ 16M frames
• On some 802.11 cards: IV resets to 0 after power cycle
• Related Key Attack
• In 2001 Scott Fluhrer, Itsik Mantin, and Adi Shamir (FMS) broke the PRG used in WEP (RC4) using 10^6 frames. Now it is 40,000 frames
A better construction

Use the PRG to derive a fresh key per frame: PRG(k) → k1, k2, k3, k4, k5, with ki encrypting frame mi

⇒ now each frame has a pseudorandom key

Better solution: use a stronger encryption method (as in WPA2)
Attack 2: no integrity (OTP is malleable)
enc(⊕k): m → m ⊕ k
Attacker XORs p into the ciphertext: (m ⊕ k) ⊕ p
dec(⊕k): (m ⊕ k) ⊕ p → m ⊕ p

Modifications to ciphertext are undetected and have predictable impact on plaintext
Attack 2: no integrity (OTP is malleable)
enc(⊕k): “From: Bob” → ciphertext
Attacker XORs (Bob ⊕ Eve) into the ciphertext
dec(⊕k): ciphertext → “From: Eve”

Bob (42 6F 62) ⊕ Eve (45 76 65) = 07 19 07

Modifications to ciphertext are undetected and have predictable impact on plaintext
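Added example (not from the slides) of the malleability above: the "From: Bob" to "From: Eve" change is applied to the ciphertext without the key, and decryption succeeds silently with the altered text. The key is constructed and `tamper` is my own name.

```python
# Added example: OTP / stream-cipher malleability. The receiver gets no error.

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(key, m):   # C = K xor M
    return xor_bytes(key, m)

def otp_decrypt(key, c):   # M = C xor K
    return xor_bytes(c, key)

def tamper(ciphertext, offset, old, new):
    """Replace plaintext bytes `old` at `offset` with `new` by XORing the
    difference p = old xor new into the ciphertext: (m xor k) xor p decrypts
    to m xor p. No key material is needed."""
    p = xor_bytes(old, new)
    c = bytearray(ciphertext)
    for i, byte in enumerate(p):
        c[offset + i] ^= byte
    return bytes(c)

def demo():
    key = bytes(range(0x10, 0x19))      # constructed 9-byte one-time key
    m = b"From: Bob"
    c = otp_encrypt(key, m)
    c_forged = tamper(c, 6, b"Bob", b"Eve")   # the slide's 07 19 07 difference
    return otp_decrypt(key, c_forged), xor_bytes(b"Bob", b"Eve").hex()

if __name__ == "__main__":
    print(demo())
```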
Real-world Stream Ciphers
Old example (software): RC4 (1987)
128-bit seed → 2048-bit internal state → 1 byte of output per round

• Used in HTTPS and WEP

• Weaknesses:
1. Bias in initial output: Pr[2nd byte = 0] = 2/256
2. Prob. of (0,0) is 1/256^2 + 1/256^3
3. Related key attacks
Old example (hardware): CSS (badly broken)
Linear feedback shift register (LFSR):

DVD encryption (CSS): 2 LFSRs
GSM encryption (A5/1,2): 3 LFSRs, all broken
Bluetooth (E0): 4 LFSRs

• Content Scrambling System (CSS): seed 5 bytes = the key K
1 ‖ K(2 bytes) → 17-bit LFSR → 8 bits
1 ‖ K(3 bytes) → 25-bit LFSR → 8 bits
the two 8-bit outputs are combined by + (mod 256) to give each output byte
Easy to break in time 2^17
Modern stream ciphers: eStream
PRG: {0,1}^s × R ⟶ {0,1}^n

Nonce: a non-repeating value for a given key.

E(k, m; r) = m ⊕ PRG(k; r)

The pair (k, r) is never used more than once.


eStream: Salsa 20 (SW+HW)
Salsa20: {0,1}^128 × {0,1}^64 ⟶ {0,1}^n

Salsa20(k; r) := H(k, (r, 0)) ‖ H(k, (r, 1)) ‖ …

H(k, (r, i)): pack the constants τ0, τ1, τ2, τ3, the key k (twice), the nonce r and the block counter i into a 64-byte block; apply h (10 rounds) and XOR the result with the 64-byte input to get 64 bytes of output

h: invertible function, designed to be fast on x86 (SSE2)


Is Salsa20 secure (unpredictable) ?
• Unknown: no known provably secure PRGs

• In reality: no known attacks better than exhaustive search

Performance (AMD Opteron, 2.2 GHz)

PRG         Speed (MB/sec)
RC4         126
Salsa20     643
Sosemanuk   727
Unpredictability of PRG

Let G: K ⟶ {0,1}^n be a PRG

Goal: define what it means that the output of G(k) is “indistinguishable” from a truly random selection.


Statistical Tests
Statistical test on {0,1}^n: an alg. A s.t. A(x) outputs “0” (not random) or “1” (random)

Examples:

1. A(x) = 1 iff |#0(x) − #1(x)| ≤ 10·√n
2. A(x) = 1 iff |#00(x) − n/4| ≤ 10·√n
3. A(x) = 1 iff max_run_of_0(x) ≤ 10·log n
Advantage
Let G: K ⟶ {0,1}^n be a PRG and A a stat. test on {0,1}^n

Define:
Adv_PRG[A, G] = | Pr_{k ← K}[A(G(k)) = 1] − Pr_{r ← {0,1}^n}[A(r) = 1] |

What is the interpretation of Adv_PRG[A, G] = 1 and Adv_PRG[A, G] = 0?

Example: A(x) = 0 ⇒ Adv_PRG[A, G] = ?


Example
Suppose G: K ⟶ {0,1}^n satisfies msb(G(k)) = 1 for 2/3 of keys in K

Define stat. test A(x) as: if [msb(x) = 1] output “1” else output “0”

Then Adv_PRG[A, G] = ?
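Added example (not from the slides): Adv_PRG[A, G] computed exactly, by enumerating the key space and all of {0,1}^n, for a constructed toy generator with msb(G(k)) = 1 for 2/3 of its keys, together with the msb test, the always-0 test and the three counting tests from the "Statistical Tests" slide. The toy table, n = 6 and the function names are my own; at such a small n the three counting tests accept every string, so their advantage is 0 and they only become meaningful at realistic n.

```python
# Added example: exact advantage of statistical tests against a toy PRG.
from fractions import Fraction
from itertools import product
import math

N = 6  # output length n of the toy generator (constructed)

def toy_G(k):
    """Constructed 6-bit 'generator' on keys 0..5; msb = 1 for 4 of the 6 keys."""
    table = ["100101", "111000", "101110", "110011", "010110", "001001"]
    return table[k]

def adv_prg(test, G, keys, n):
    """Adv_PRG[A,G] = | Pr_k[A(G(k)) = 1] - Pr_r[A(r) = 1] | by full enumeration."""
    p_gen = Fraction(sum(test(G(k)) for k in keys), len(keys))
    all_r = ["".join(bits) for bits in product("01", repeat=n)]
    p_rand = Fraction(sum(test(r) for r in all_r), len(all_r))
    return abs(p_gen - p_rand)

def msb_test(x):                # the slide's test: output 1 iff msb(x) = 1
    return 1 if x[0] == "1" else 0

def always_zero(x):             # A(x) = 0 for every x
    return 0

def balance_test(x):            # A(x) = 1 iff |#0(x) - #1(x)| <= 10*sqrt(n)
    n = len(x)
    return 1 if abs(x.count("0") - x.count("1")) <= 10 * math.sqrt(n) else 0

def pairs_test(x):              # A(x) = 1 iff |#00(x) - n/4| <= 10*sqrt(n)
    n = len(x)
    zero_pairs = sum(1 for i in range(n - 1) if x[i:i + 2] == "00")
    return 1 if abs(zero_pairs - n / 4) <= 10 * math.sqrt(n) else 0

def longest_zero_run_test(x):   # A(x) = 1 iff max_run_of_0(x) <= 10*log2(n)
    n = len(x)
    longest = max(len(run) for run in x.split("1"))
    return 1 if longest <= 10 * math.log2(n) else 0

if __name__ == "__main__":
    for t in (msb_test, always_zero, balance_test, pairs_test, longest_zero_run_test):
        print(t.__name__, adv_prg(t, toy_G, range(6), N))
```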
Secure PRGs: crypto definition
• Def: We say that G: K ⟶ {0,1}^n is a secure PRG if ∀ efficient statistical test A: Adv_PRG[A, G] is negligible

• Are there provably secure PRGs?
• No, as you would have to prove that P ≠ NP

• A secure PRG is unpredictable
• PRG predictable ⇒ PRG is insecure
• Let algorithm A be a good predictor for G; then the statistical test B that outputs 1 whenever A predicts correctly and 0 otherwise will have a non-negligible advantage Adv_PRG[B, G].
Thm (Yao’82): an unpredictable PRG is secure
Let G: K ⟶ {0,1}^n be a PRG

“Thm”: if ∀ i ∈ {0, …, n−1} PRG G is unpredictable at pos. i, then G is a secure PRG.

If next-bit predictors cannot distinguish G from random, then no statistical test can!!

HW: Prove this theorem yourself

Let G: K ⟶ {0,1}^n be a PRG such that from the last n/2 bits of G(k) it is easy to compute the first n/2 bits.

Is G predictable for some i ∈ {0, …, n−1}?


More Generally
Let P1 and P2 be two distributions over {0,1}^n

Def: We say that P1 and P2 are computationally indistinguishable (denoted P1 ≈p P2) if ∀ efficient stat. tests A:

| Pr_{x ← P1}[A(x) = 1] − Pr_{x ← P2}[A(x) = 1] | < negligible

Example: a PRG is secure if { k ⟵ K : G(k) } ≈p uniform({0,1}^n)


Recall Shannon’s perfect secrecy
Let (E,D) be a cipher over (K,M,C)

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M (|m0| = |m1|): { E(k,m0) } = { E(k,m1) } where k ⟵ K

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M (|m0| = |m1|): { E(k,m0) } ≈p { E(k,m1) } where k ⟵ K


Semantic Security (one-time key)
For b = 0,1 define experiments EXP(0) and EXP(1) as:

Adv. A sends m0, m1 ∈ M with |m0| = |m1| to the Chal.
Chal. picks k ← K and returns c ← E(k, m_b)
A outputs b′ ∈ {0,1}

for b = 0,1: W_b := [ event that EXP(b) = 1 ]

Adv_SS[A,E] := | Pr[W0] − Pr[W1] | ∈ [0,1]
Semantic Security (one-time key)
Def: E is semantically secure if for all efficient A, Adv_SS[A,E] is negligible.

⇒ for all explicit m0, m1 ∈ M: { E(k,m0) } ≈p { E(k,m1) }


Examples
Suppose efficient A can always deduce LSB of PT from CT.
⇒ E = (E,D) is not semantically secure.

Adv. B (us) sends m0 with LSB(m0) = 0 and m1 with LSB(m1) = 1 to the Chal.
Chal. picks b ← {0,1}, k ← K and returns C ← E(k, m_b)
B passes C to the given Adv. A, which outputs LSB(m_b) = b; B outputs that bit

Then Adv_SS[B, E] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] | = |0 − 1| = 1


OTP is semantically secure

EXP(0): Adv. A sends m0, m1 ∈ M (|m0| = |m1|); Chal. picks k ← K, c ← k ⊕ m0; A outputs b′ ∈ {0,1}

EXP(1): Adv. A sends m0, m1 ∈ M (|m0| = |m1|); Chal. picks k ← K, c ← k ⊕ m1; A outputs b′ ∈ {0,1}

identical distributions

For all A: Adv_SS[A,OTP] = | Pr[A(k⊕m0)=1] − Pr[A(k⊕m1)=1] | = 0


Stream ciphers are semantically secure
Thm: G: K ⟶ {0,1}^n is a secure PRG ⇒ stream cipher E derived from G is sem. secure.

∀ sem. sec. adversary A, ∃ a PRG adversary B s.t.

Adv_SS[A,E] ≤ 2 · Adv_PRG[B,G]

Given an adversary A we're going to build an adversary B.

We know that B has negligible advantage against the generator, but that implies that A has negligible advantage against the stream cipher.
Proof: Let A be a sem. sec. adversary.

Adv. A sends m0, m1 ∈ M (|m0| = |m1|); Chal. picks b and k ← K and returns c ← m_b ⊕ G(k); A outputs b′ ∈ {0,1}

For b = 0,1: W_b := [ event that b′ = 1 ].
Adv_SS[A,E] = | Pr[W0] − Pr[W1] |
Proof: Let A be a sem. sec. adversary.

Now replace G(k) by a truly random pad: Adv. A sends m0, m1 ∈ M (|m0| = |m1|); Chal. picks b and r ← {0,1}^n and returns c ← m_b ⊕ r; A outputs b′ ∈ {0,1}

For b = 0,1: W_b := [ event that b′ = 1 ] in the original experiment, Adv_SS[A,E] = | Pr[W0] − Pr[W1] |
For b = 0,1: R_b := [ event that b′ = 1 ] in this modified experiment
Proof: Let A be a sem. sec. adversary.

Claim 1: |Pr[R0] − Pr[R1]| = Adv_SS[A,OTP] = 0

Claim 2: ∃B: |Pr[W_b] − Pr[R_b]| = Adv_PRG[B,G], for b = 0,1

On the interval [0,1], Pr[W0] and Pr[W1] each lie within Adv_PRG[B,G] of Pr[R_b] (= Pr[R0] = Pr[R1])

⇒ Adv_SS[A,E] = |Pr[W0] − Pr[W1]| ≤ 2 · Adv_PRG[B,G]


Proof of claim 2: ∃B: |Pr[W0] − Pr[R0]| = Adv_PRG[B,G]

Algorithm B (PRG adv., us), on input y ∈ {0,1}^n:
run the given Adv. A; when A sends m0, m1, reply with c ← m0 ⊕ y
output whatever b′ ∈ {0,1} A outputs
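The step that finishes Claim 2 and the final bound, written out here as an added derivation in the slides' own notation (not part of the original deck):

$$
\Pr_{k \leftarrow K}[B(G(k)) = 1] = \Pr[W_0], \qquad \Pr_{r \leftarrow \{0,1\}^n}[B(r) = 1] = \Pr[R_0]
$$

because when $y = G(k)$ the adversary $A$ inside $B$ sees exactly $c = m_0 \oplus G(k)$, the view of EXP(0) against the stream cipher, and when $y = r$ it sees $c = m_0 \oplus r$, the view of EXP(0) against a truly random pad. Hence

$$
\mathrm{Adv}_{PRG}[B, G] = \Bigl|\Pr_{k \leftarrow K}[B(G(k)) = 1] - \Pr_{r \leftarrow \{0,1\}^n}[B(r) = 1]\Bigr| = \bigl|\Pr[W_0] - \Pr[R_0]\bigr| .
$$

The analogous $B$ that replies with $c \leftarrow m_1 \oplus y$ gives $|\Pr[W_1] - \Pr[R_1]|$; take whichever of the two has the larger advantage. With Claim 1 ($\Pr[R_0] = \Pr[R_1]$) and the triangle inequality:

$$
\mathrm{Adv}_{SS}[A, E] = |\Pr[W_0] - \Pr[W_1]| \le |\Pr[W_0] - \Pr[R_0]| + |\Pr[R_0] - \Pr[R_1]| + |\Pr[R_1] - \Pr[W_1]| \le 2 \cdot \mathrm{Adv}_{PRG}[B, G] .
$$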
