Lecture 9: Pseudorandom Numbers and Stream Ciphers (random numbers, DRBG, stream ciphers, OTP, visual cryptography, A5 cipher, RC4 cipher, ChaCha) Flashcards
What is a deterministic algorithm?
an algorithm that, given a particular input, will always produce the same output, with the underlying machine always passing through the same sequence of states
What are stream ciphers constructed from?
(pseudo)random number generators
What are examples of stream ciphers widely deployed?
1) A5 cipher used in GSM mobile phones
2) AES in counter (CTR) mode
What is the goal of randomness?
any specific string of bits is exactly as random as any other string
What are the two types of generators of random strings?
1) True random number generator (TRNG)
2) Pseudorandom number generator (PRNG)
What is a true random number generator (TRNG)?
a physical process which outputs each valid string independently with equal probability
What is a pseudorandom number generator (PRNG)?
deterministic algorithm which approximates a TRNG
What provides a seed for a PRNG?
using a TRNG
What is NIST Special Publication 800-90B (Jan. 2016)?
Framework for design and validation of TRNG algorithms, called entropy sources
Specification of statistical tests for validating the suitability of entropy sources
What is an entropy source?
basis for the non-deterministic operation of the randomizer
What does an entropy source include?
1) A physical noise source
2) A digitization process
3) Post-processing stages
What is the output of an entropy source?
any requested number of bits
What is a periodic health test used for i.t.o TRNG?
ensure continuing reliable operation of TRNG
When did Intel introduce a TRNG into Ivy Bridge processors?
2012
What is NIST Special Publication 800-90A (June 2015)?
Recommendation of specific PRNG algorithms, named deterministic random bit generators (DRBG)
What does DRBG stand for?
deterministic random bit generator
What is DRBG based on?
hash functions, a specific MAC (known as HMAC) and block ciphers in counter mode
What does each PRBG generator take as an input?
a seed
What does each PRBG output, and when does it update its state?
a bit string; the state is updated after the output is produced
How often should the seed for a PRNG be updated?
after some number of calls
What can the seed for a PRNG be obtained from?
a TRNG
List the functions of DRBG
1) instantiate
2) generate
3) reseed
4) test
5) uninstantiate
Outline the instantiate function of DRBG
setting the initial state of the DRBG using a seed
Outline the generate function of DRBG
providing an output bit string for each request
Outline the reseed function of DRBG
inputting a new random seed and updating the state
Outline the test function of DRBG
checking correct operation of the other functions
Outline the uninstantiate function of DRBG
deleting (zeroising) the state of the DRBG
What is backtracking resistance i.t.o DRBG?
an attacker who obtains the current state of the DRBG should not be able to distinguish between the output of earlier calls to the function Generate and random strings
What is forward prediction resistance i.t.o DRBG?
an attacker who obtains the current state of the DRBG should not be able to distinguish between the output of later calls to the function Generate and random strings
What mode does CTR_DRBG use, and what are the recommended block cipher and key size?
counter (CTR) mode
AES with 128-bit keys
For CTR_DRBG, what initialises the state and what is the seed’s length?
DRBG is initialised with a seed
Seed length is equal to the key length PLUS the block length
–> 128 + 128 = 256 bits for AES with 128-bit master keys
What does the seed define in CTR_DRBG?
Is there a separate nonce?
Seed defines a key K and a counter value ctr
No separate nonce as in a normal CTR mode
How is the CTR mode encryption run in CTR_DRBG?
iteratively, with no plaintext added
What forms the CTR_DRBG output?
CTR output blocks
How many bits does the update function of DRBG generate per request i.t.o CTR_DRBG?
up to 2^19 bits
From the generate function in CTR_DRBG, whose state must be updated, when and how?
the state (K, ctr) must be updated after each request, by generating 2 blocks using the current key to obtain the new key and the new counter
What does the update function provide?
backtracking resistance
What is the restriction on the number of requests to the generate function for CTR_DRBG before reseeding is required?
up to 2^48
What does each re-seed provide i.t.o CTR_DRBG?
forward prediction and backtracking resistance
What is Dual_EC_DRBG based on?
elliptic curve discrete logarithm problem
BUT:
1) no security proof exists
2) many flaws
Comment on the speed of Dual_EC_DRBG compared with other DRBGs in the standard
much slower
What are stream ciphers characterised by?
the generation of a keystream using a short key and an initialisation value IV
What is each element of the keystream in a stream cipher used for?
used successively to encrypt 1 or more ciphertext characters
What type of cipher are stream ciphers usually? What does this mean?
symmetric key ciphers
1) sender and receiver share the same key
2) can generate the same keystream given the same IV
I.t.o synchronous stream ciphers, is the keystream generated independently of the plaintext?
yes
I.t.o synchronous stream ciphers, what do both the sender and receiver need to generate?
same keystream and synchronise on its usage
What kind of cipher is the Vigenère cipher seen as?
a (periodic) synchronous stream cipher where each shift is defined by a key letter
What is one mode of operation for a block cipher to generate a keystream?
CTR mode
Explain the encryption and decryption diagrams for synchronous stream ciphers on slide 15 of set 9
TODO
What are the components of binary synchronous stream ciphers?
For each time interval t:
Binary sequence s(t), that is the keystream
Binary plaintext p(t)
Binary ciphertext c(t)
Give the encryption function for binary synchronous stream ciphers
c(t) = p(t) ⊕ s(t)
Give the decryption function for binary synchronous stream ciphers
p(t) = c(t) ⊕ s(t)
What is the one time pad often attributed to?
Vernam who made a one-time pad machine using teletype machinery in 1917 (earlier historical uses are known)
Comment on the key of a one time pad
a random sequence of characters s.t. all of them are independently generated
How many times can each character in the key of a one time pad be used?
ONE TIME ONLY
Comment on the alphabet of a one time pad
Alphabet of any length but usually:
1) A natural language alphabet
2) The binary alphabet {0, 1}
What is a (non-periodic) binary synchronous stream cipher an example of?
one time pad
What does one time pad provide i.t.o secrecy?
perfect secrecy
I.t.o Shannon’s definition of perfect secrecy, how is the message set defined?
{M1, · · · , Mk}
I.t.o Shannon’s definition of perfect secrecy, how is the ciphertext set defined?
{C1, · · · , Cl}
I.t.o Shannon’s definition of perfect secrecy, what is Pr(Mi|Cj) ?
the probability that Mi is encrypted given that Cj is observed
I.t.o Shannon’s definition of perfect secrecy, comment on the messages Mi being equally likely
In most cases, the messages Mi are NOT equally likely
I.t.o Shannon’s definition of perfect secrecy, for all messages Mi and ciphertexts Cj, what is Pr(Mi|Cj) equivalent to?
Pr(Mi|Cj) = Pr(Mi)
What are the components involved when the one time pad uses the Roman alphabet?
Plaintext characters: p1, · · · , pr
Ciphertext characters: c1, · · · , cr
Keystream: random characters k1, · · · , kr
What is the encryption formula for the one time pad using the Roman alphabet?
ci = (pi + ki) mod 26
Ciphertext is the addition of plaintext and keystream characters, modulo 26
What is the decryption formula for the one time pad using the Roman alphabet?
pi = (ci − ki) mod 26
Explain one time pad’s perfect secrecy and the conditional probability of Pr(Mi|Cj) = Pr(Mi)
Let a ciphertext Cj be observed
Any message could have been sent, depending on the keystream
The probability that Mi is sent given that Cj is observed = the probability that Mi is chosen, weighted by the probability that the right keystream is chosen
Each key is chosen with equal probability
Conditional probability is thus Pr(Mi|Cj) = Pr(Mi)
What are the components of the Vernam binary one time pad?
Plaintext: binary sequence p1, · · · , pr
Ciphertext: binary sequence c1, · · · , cr
Keystream: random binary sequence k1, · · · , kr
Comment on the encryption and decryption for the Vernam binary one time pad
Encryption: ci ≡ pi ⊕ ki
Decryption: pi ≡ ci ⊕ ki
Encryption and decryption are identical processes.
Comment on the length of the keystream of the Vernam binary one time pad
Keystream is SAME length as plaintext
Does the Vernam binary one time pad provide perfect secrecy? Why?
yes, since any ciphertext is equally possible given the plaintext
How many keys MUST any cipher with perfect secrecy have?
as many keys as there are messages
What cipher is the ONLY unbreakable cipher?
One time pad
Under what conditions is the usage of the one time pad practical?
for pre-assigned communications between fixed parties
What is a problem with the one time pad?
how to deal with key management of completely random keys
–> Key generation, key transportation, key synchronization and key destruction are ALL problematic since the keys are SO large
What is visual cryptography an application of?
one time pad
What does visual cryptography involve?
splitting an image into 2 shares
How does decryption work for visual cryptography?
overlaying the 2 shared images
When and who proposed visual cryptography?
Naor and Shamir in 1994
Give a simple case of visual cryptography
monochrome images with black and white pixels
Each pixel is shared in a random way, similar to splitting a bit in the one time pad
Does each share of the image reveal any info i.t.o visual cryptography?
Each share reveals NO information about the image
–> Unconditional security as one time pad
Explain the encryption process for visual cryptography
see diagram on slide 27 of set 9
1) Generate a one time pad P (random bit string) with length equal to the number of pixels of the image I
2) Generate a share SI,1 by replacing each bit in P using the sub-pixel patterns shown on the left
3) Generate the other share SI,2 s.t. it is the same as SI,1 for all the white pixels of I, and the opposite of SI,1 for all black pixels of I
Explain the decryption process for visual cryptography
see diagram on slide 27 of set 10
1) To reveal the hidden image I, SI,1 and SI,2 are overlaid
2) Each black pixel of I is black in the overlay
3) Each white pixel of I is half white in the overlay
What type of cipher is the A5 cipher and where is it applied?
Binary synchronous stream cipher applied in most GSM mobile telephones
What are the 3 variants of the A5 cipher?
A5/1
A5/2
A5/3
What is A5/1?
original A5 algorithm defined in 1987
What is A5/2? Where was it intended to be deployed? Is it still allowed?
a weakened version of A5/1, originally intended for deployment outside Europe, but no longer allowed under GSM standards
What is A5/3?
also known as KASUMI, an algorithm for deployment in 3G mobile systems
When did the A5 cipher’s design become public?
1994
What does A5/1 algorithm use?
3 linear feedback shift registers (LFSRs) whose output is combined
How are the 3 LFSRs for the A5/1 algorithm clocked?
irregularly clocked
Because the 3 LFSRs are irregularly clocked for A5/1, what does this mean the output is?
The overall output is non-linear
Because the 3 LFSRs are irregularly clocked for A5/1, what is the size of the keystream and how many bits are fixed at zero?
64-bit keystream s.t. 10 bits fixed at zero
Because the 3 LFSRs are irregularly clocked for A5/1, what does this mean the effective key length must be?
The effective key length is thus 54 bits
Outline the history of the RC4 cipher
Word-based stream cipher designed by Ron Rivest in the 80s: “Ron’s code #4”
Simple, efficient for software implementation
Originally proprietary, owned by RSA Security, but leaked in 1994
Widely deployed in TLS before 2013
What are practical attacks on the RC4 cipher?
When used in TLS protocol and in wireless WPA-TKIP due to bias in its keystream output
Can RC4 be used in new systems?
no, too weak
What is the ChaCha algorithm available in and what does it replace?
Available in TLS ciphersuites (RFC 7905) as a possible replacement for RC4
Who designed the ChaCha algorithm?
D. J. Bernstein in 2008
Compare the speed of the ChaCha algorithm to AES
Faster than AES
–> As little as 4 cycles per byte on x86 processors
What does the ChaCha algorithm combine to produce 512 bits of keystream?
What type of cipher is this an example of?
Combining XOR, addition modulo 2^32 and rotation operations over 20 rounds
add-rotate-xor (ARX) cipher
What key size does the ChaCha algorithm use?
256-bit key
What is TRNG constructed from and what is it used as?
constructed from physical devices, used as seeds for PRNG
What is PRNG constructed from?
other primitives including block ciphers
What is TRNG used to make?
unbreakable encryption via one time pad
What is PRNG used as?
practical synchronous stream cipher