Lecture 9: Pseudorandom Numbers and Stream Ciphers (random numbers, DRBG, stream ciphers, OTP, visual cryptography, A5 cipher, RC4 cipher, ChaCha)

Question 1

What is a deterministic algorithm?

Answer 1

an algorithm that, given a particular input, will always produce the same output, with the underlying machine always passing through the same sequence of states

Question 2

What are stream ciphers constructed from?

Answer 2

(pseudo)random number

generators

Question 3

What are examples of stream ciphers widely deployed?

Answer 3

1) A5 cipher used in GSM mobile phones

2) AES in counter (CTR) mode

Question 4

What is the goal of randomness?

Answer 4

any specific string of bits is exactly as

random as any other string

Question 5

What are the two types of generators of random strings?

Answer 5

1) True random number generator (TRNG)

2) Pseudorandom number generator (PRNG)

Question 6

What is a true random number generator (TRNG)?

Answer 6

a physical
process which outputs each valid string independently with
equal probability

Question 7

What is a pseudorandom number generator (PRNG)

Answer 7

deterministic algorithm which approximates a TRNG

Question 8

What provides a seed for a PRNG?

Answer 8

using a TRNG

Question 9

What is NIST Special Publication 800-90B (Jan. 2016)?

Answer 9

Framework for design and validation of TRNG algorithms, called entropy sources

Specification of statistical tests for validating the suitability
of entropy sources

Question 10

What is an entropy source?

Answer 10

basis for the non-deterministic operation of the randomizer

Question 11

What does an entropy source include?

Answer 11

1) A physical noise source
2) A digitization process
3) Post-processing stages

Question 12

What is the output of an entropy source?

Answer 12

any requested number

of bits

Question 13

What is a periodic health test used for i.t.o TRNG?

Answer 13

ensure continuing reliable operation of TRNG

Question 14

When did Intel introduced TRNG into Ivy Bridge processors?

Answer 14

2012

Question 15

What is NIST Special Publication 800-90A (June 2015)?

Answer 15

Recommendation of specific PRNG algorithms, named

deterministic random bit generator (DRBG)

Question 16

What does DRBG stand for?

Answer 16

deterministic random bit generator

Question 17

What is DRBG based on?

Answer 17

hash functions, a specific MAC (known

as HMAC) and block ciphers in counter mode

Question 18

What does each PRBG generator takes as an input?

Answer 18

a seed

Question 19

What does each PRBG output? What is this before?

Answer 19

a bit string before updating its state

Question 20

How often should the seed for a PNGR be updated?

Answer 20

after some number of calls

Question 21

What can the seed for a PRNG be obtained from?

Answer 21

a TRNG

Question 22

List the functions of DRBG

Answer 22

1) instantiate
2) generate
3) reseed
4) test
5) uninstantiate

Question 23

Outline the instantiate function of DRBG

Answer 23

setting the initial state of the DRBG using a

seed

Question 24

Outline the generate function of DRBG

Answer 24

providing an output bit string for each request

Question 25

Outline the reseed function of DRBG

Answer 25

inputting a new random seed and updating the

state

Question 26

Outline the test function of DRBG

Answer 26

checking correct operation of the other functions

Question 27

Outline the uninstantiate function of DRBG

Answer 27

deleting (zeroising) the state of the DRBG

Question 28

What is backtracking resistance i.t.o DRBG?

Answer 28

an attacker who obtains the
current state of the DRBG should not be able to distinguish
between the output of earlier calls to the function Generate
and random strings

Question 29

What is forward prediction resistance i.t.o DRBG?

Answer 29

an attacker who obtains the current state of the DRBG should not be able to distinguish between the output of later calls to the function Generate
and random strings

Question 30

What mode does CTR_DRBG uses and what is the recommended block cipher and key size?

Answer 30

counter (CTR) mode

AES with 128-bit keys

Question 31

For CTR_DRBG, what initialises the seed and what is the seed’s length?

Answer 31

DRBG initialised with a seed

length is equal to the
key length PLUS the block length
–> 128 + 128 = 256 for AES with 128-bit master keys

Question 32

What does the seed define in CTR_DRBG?

Is there a separate nonce?

Answer 32

Seed defines a key K and a counter value ctr

No separate nonce as in a normal CTR mode

Question 33

How is the CTR mode encryption run in CTR_DRBG?

Answer 33

iteratively, with no plaintext

added

Question 34

What forms the CTR_DRBG output?

Answer 34

CTR output blocks

Question 35

How many bits does the update function of DRBG generate per request i.t.o CTR_DRBG?

Answer 35

up to 2^19 bits

Question 36

From the generate function in CTR_DRBG, whose state must be updated, when and how?

Answer 36

(K, ctr)’s state must be updated after each request by generating 2 blocks using the current key to obtain the new key and a counter

Question 37

What does the update function provide?

Answer 37

backtracking resistance

Question 38

What is the restriction on the number of requests to the generate function for CTR_DRBG before require reseeding?

Answer 38

up to 2^48

Question 39

What does each re-seed provided i.t.o CTR_DRBG?

Answer 39

forward prediction and backtracking resistance

Question 40

What is Dual_EC_DRBG based on?

Answer 40

elliptic curve discrete logarithm problem

BUT:
no security proof exists
many flaws

Question 41

Comment on the speed of Dual_EC_DRBG compared with other DRBGs in the standard

Answer 41

much slower

Question 42

What are stream ciphers characterised by?

Answer 42

the generation of a keystream using a

short key and an initialisation value IV

Question 43

What is each element of the keystream in a stream cipher used for?

Answer 43

used successively to

encrypt 1 or more ciphertext characters

Question 44

What type of cipher are stream ciphers usually? What does this mean?

Answer 44

symmetric key ciphers

1) sender and receiver share the same key
2) can generate the same keystream given the same IV

Question 45

I.t.o synchronous stream ciphers, is the keystream generated independently of the plaintext?

Answer 45

yes

Question 46

I.t.o synchronous stream ciphers, what do both the sender and receiver need to generate?

Answer 46

same keystream and synchronise on its usage

Question 47

What is cipher is the Vigenère cipher seen as?

Answer 47

a (periodic) synchronous stream cipher where each shift is defined by a key letter

Question 48

What is one mode of operation for a block cipher to generate a keystream?

Answer 48

CTR mode

Question 49

Explain the encryption and decryption diagrams for synchronous stream ciphers on slide 15 of set 9

Answer 49

TODO

Question 50

What are the components of binary synchronous stream ciphers?

Answer 50

For each time interval t:

Binary sequence s(t), that is the keystream

Binary plaintext p(t)

Binary ciphertext c(t)

Question 51

Given the encryption function for binary synchronous stream ciphers

Answer 51

c(t) = p(t) ⊕ s(t)

Question 52

Given the decryption function for binary synchronous stream ciphers

Answer 52

p(t) = c(t) ⊕ s(t)

Question 53

What is the one time pad often attributed to?

Answer 53

Vernam who made a one-time pad machine using teletype machinery in 1917 (earlier historical uses are known)

Question 54

Comment on the key of a one time pad

Answer 54

a random sequence of characters s.t. all of them are

independently generated

Question 55

How many times can each character in the key of a one time pad be used?

Answer 55

ONE TIME ONLY

Question 56

Comment on the alphabet of a one time pad

Answer 56

Alphabet of any length but usually:

1) A natural language alphabet
2) The binary alphabet {0, 1}

Question 57

What is a (non-periodic) binary synchronous stream

cipher an example of?

Answer 57

one time pad

Question 58

What does one time pad provide i.t.o secrecy?

Answer 58

perfect secrecy

Question 59

I.t.o Shannon’s definition of perfect secrecy, how is the message set defined?

Answer 59

{M1, · · · , Mk}

Question 60

I.t.o Shannon’s definition of perfect secrecy, how is the ciphertext set defined?

Answer 60

{C1, · · · , Cl}

Question 61

I.t.o Shannon’s definition of perfect secrecy, what is Pr(Mi|Cj) ?

Answer 61

the probability that Mi
is encrypted given that
Cj is observed

Question 62

I.t.o Shannon’s definition of perfect secrecy, comment on the messages Mi being equally likely

Answer 62

In most cases, the messages Mi are NOT be equally likely

Question 63

I.t.o Shannon’s definition of perfect secrecy, for all messages Mi and ciphertexts Ci, what is Pr(Mi
|Cj) equivalent to?

Answer 63

Pr(Mi|Cj) = Pr(Mi)

Question 64

What are the components involved when the one time pad uses the Roman alphabet

Answer 64

Plaintext characters: p1, · · · , pr

Ciphertext characters: c1, · · · , cr

Keystream: random characters k1, · · · , kr

Question 65

What is the encryption formula for the one time pad using the Roman alphabet?

Answer 65

ci = (pi + ki) mod 26

Ciphertext is the addition of plaintext and keystream
characters, modulo 26

Question 66

What is the decryption formula for the one time pad using the Roman alphabet?

Answer 66

pi = (ci − ki) mod 26

Question 67

Explain one time pad’s perfect secrecy and the conditional probability of Pr(Mi|Cj) = Pr(Mi)

Answer 67

Let a ciphertext Cj be observed

Any message could have been sent, depending on the
keystream

The probability that Mi
is sent given that Cj
is observed =
the probability that Mi
is chosen, weighted by the
probability that the right keystream is chosen

Each key is chosen with equal probability

Conditional probability is thus Pr(Mi|Cj) = Pr(Mi)

Question 68

What are the components of the vernam binary one time pad?

Answer 68

Plaintext: binary sequence b1, · · · , br

Ciphertext: binary sequence c1, · · · , cr

Keystream: random binary sequence k1, · · · , kr

Question 69

Comment on the encryption and decryption for the vernam binary one time pad

Answer 69

Encryption: ci ≡ pi ⊕ ki

Decryption: pi ≡ ci ⊕ ki

I Encryption and decryption are identical processes.

Question 70

Comment on the length of the keystream of the vernam binary one time pad

Answer 70

Keystream is SAME length as plaintext

Question 71

Does the vernam binary one time pad provide perfect secrecy? Why?

Answer 71

yes, since any ciphertext is equally possible given the plaintext

Question 72

How many keys MUST any cipher with perfect secrecy have?

Answer 72

as many keys as there are messages

Question 73

What cipher is the ONLY unbreakable cipher?

Answer 73

One time pad

Question 74

Under what conditions is the usage of the one time pad practical ?

Answer 74

for pre-assigned communications between fixed parties

Question 75

What is a problem with the one time pad?

Answer 75

how to deal with key management of completely random keys

–> Key generation, key transportation, key synchronization,
key destruction are ALL problematic since the keys are SO
large

Question 76

What is visual cryptography an application of?

Answer 76

one time pad

Question 77

What does visual cryptography involve?

Answer 77

splits an

image into 2 shares

Question 78

How does decryption work for visual cryptography?

Answer 78

overlaying the 2 shared images

Question 79

When and who proposed visual cryptography?

Answer 79

Naor and Shamir in 1994

Question 80

Give a simple case of visual cryptography

Answer 80

monochrome images with black and white pixels

Each pixel is shared in a random way, similar to splitting a
bit in the one time pad

Question 81

Does each share of the image reveal any info i.t.o visual cryptography?

Answer 81

Each share reveals NO information about the image

–> Unconditional security as one time pad

Question 82

Explain the encryption process for visual cryptography

see diagram on slide 27 of set 9

Answer 82

1) Generate a one time pad P (random bit string) with length equal to the number
of pixels for the image I

2) Generate a share SI,1 by replacing each bit in P using the sub-pixel patterns shown on the left
3) Generate the other share SI,2 s.t.:

the same as SI,1 for all the white pixels of I
&
the opposite of SI,1 for all black pixels
of I

Question 83

Explain the decryption process for visual cryptography

see diagram on slide 27 of set 10

Answer 83

1) To reveal the hidden image I, SI,1 and SI,2 are overlayed
2) Each black pixel of I is black in the overlay
3) Each white pixel of I is half white in the overlay

Question 84

What type of cipher is the A5 cipher and where is it applied?

Answer 84

Binary synchronous stream cipher applied in most GSM

mobile telephones

Question 85

What are the 3 variants of the A5 cipher?

Answer 85

A5/1
A5/2
A5/3

Question 86

What is A5/1?

Answer 86

original A5 algorithm defined in 1987

Question 87

What is A5/2? Where was it intended to be deployed? Is it still allowed?

Answer 87

a weakened version of A5/1, originally intended for
deployment outside Europe, but no longer allowed under
GSM standards

Question 88

What is A5/3?

Answer 88

also known as KASUMI, is an algorithm for

deployment in 3G mobile systems

Question 89

When did the A5 cipher’s design become public?

Answer 89

1994

Question 90

What does A5/1 algorithm use?

Answer 90

3 linear feedback shift registers (LFSRs) whose output is combined

Question 91

How are the 3 LFSRs for the A5/1 algorithm clocked?

Answer 91

irregularly clocked

Question 92

Because the 3 LFSRs are irregularly clocked for A5/1, what does this mean the output is?

Answer 92

The overall output is non-linear

Question 93

Because the 3 LFSRs are irregularly clocked for A5/1, what is the size of the keystream and how many bits are fixed at zero?

Answer 93

64-bit keystream s.t. 10 bits fixed at zero

Question 94

Because the 3 LFSRs are irregularly clocked for A5/1, what does this mean the effective key length must be?

Answer 94

The effective key length is thus 54 bits

Question 95

Outline the history of the RC4 cipher

Answer 95

World-based stream cipher designed by Ron Rivest in the 80s: “Ron’s code #4”

Simple, efficient for software implementation

Originally proprietary owned by RSA Security, but leaked in
1994

Widely deployed in TLS before 2013

Question 96

What are practical attacks on the RC4 cipher?

Answer 96

When used in TLS protocol and in wireless WPA-TKIP due to bias in its keystream output

Question 97

Can CR4 be used in new systems?

Answer 97

no, too weak

Question 98

What is the ChaCha algorithm available in and what does it replace?

Answer 98

Available in TLS ciphersuites (RFC 7905) as a possible

replacement for RC4

Question 99

Who designed the ChaCha algorithm?

Answer 99

D. J. Bernstein in 2008

Question 100

Compare the speed of the ChaCha algorithm to AES

Answer 100

Faster than AES

–> As little as 4 cycles per byte on x86 processors

Question 101

What does the ChaCha algorithm combine to produce 512 bits of keystream?

What is an example of this?

Answer 101

Combining XOR, addition modulo 232 and rotation
operations over 20 rounds

add-rotate-xor (ARX) cipher

Question 102

What key size does the ChaCha algorithm use?

Answer 102

256-bit key

Question 103

What is TRNG constructed from and what is it used as?

Answer 103

constructed from physical devices, used as seeds

for PRNG

Question 104

What is PRNG constructed from?

Answer 104

other primitives including block ciphers

Question 105

What is TRNG used to make?

Answer 105

unbreakable encryption via one time pad

Question 106

What is PRNG used as?

Answer 106

practical synchronous stream cipher