Lecture 9: Pseudorandom Numbers and Stream Ciphers (random numbers, DRBG, stream ciphers, OTP, visual cryptography, A5 cipher, RC4 cipher, ChaCha) Flashcards

1
Q

What is a deterministic algorithm?

A

an algorithm that, given a particular input, will always produce the same output, with the underlying machine always passing through the same sequence of states

2
Q

What are stream ciphers constructed from?

A

(pseudo)random number generators

3
Q

What are examples of stream ciphers widely deployed?

A

1) A5 cipher used in GSM mobile phones

2) AES in counter (CTR) mode

4
Q

What is the goal of randomness?

A

any specific string of bits is exactly as random as any other string

5
Q

What are the two types of generators of random strings?

A

1) True random number generator (TRNG)

2) Pseudorandom number generator (PRNG)

6
Q

What is a true random number generator (TRNG)?

A

a physical process which outputs each valid string independently with equal probability

7
Q

What is a pseudorandom number generator (PRNG)?

A

deterministic algorithm which approximates a TRNG

8
Q

What provides a seed for a PRNG?

A

using a TRNG

9
Q

What is NIST Special Publication 800-90B (Jan. 2016)?

A

Framework for design and validation of TRNG algorithms, called entropy sources

Specification of statistical tests for validating the suitability of entropy sources

10
Q

What is an entropy source?

A

basis for the non-deterministic operation of the randomizer

11
Q

What does an entropy source include?

A

1) A physical noise source
2) A digitization process
3) Post-processing stages

12
Q

What is the output of an entropy source?

A

any requested number of bits

13
Q

What is a periodic health test used for i.t.o TRNG?

A

ensure continuing reliable operation of TRNG

14
Q

When did Intel introduce TRNG into Ivy Bridge processors?

A

2012

15
Q

What is NIST Special Publication 800-90A (June 2015)?

A

Recommendation of specific PRNG algorithms, named deterministic random bit generator (DRBG)

16
Q

What does DRBG stand for?

A

deterministic random bit generator

17
Q

What is DRBG based on?

A

hash functions, a specific MAC (known as HMAC) and block ciphers in counter mode

18
Q

What does each PRBG generator take as an input?

A

a seed

19
Q

What does each PRBG output, and before doing what?

A

a bit string before updating its state

20
Q

How often should the seed for a PRNG be updated?

A

after some number of calls

21
Q

What can the seed for a PRNG be obtained from?

A

a TRNG

22
Q

List the functions of DRBG

A

1) instantiate
2) generate
3) reseed
4) test
5) uninstantiate

23
Q

Outline the instantiate function of DRBG

A

setting the initial state of the DRBG using a seed

24
Q

Outline the generate function of DRBG

A

providing an output bit string for each request

25
Outline the reseed function of DRBG
inputting a new random seed and updating the state
26
Outline the test function of DRBG
checking correct operation of the other functions
27
Outline the uninstantiate function of DRBG
deleting (zeroising) the state of the DRBG
28
What is backtracking resistance i.t.o DRBG?
an attacker who obtains the current state of the DRBG should not be able to distinguish between the output of earlier calls to the function Generate and random strings
29
What is forward prediction resistance i.t.o DRBG?
an attacker who obtains the current state of the DRBG should not be able to distinguish between the output of later calls to the function Generate and random strings
30
What mode does CTR_DRBG use and what is the recommended block cipher and key size?
counter (CTR) mode AES with 128-bit keys
31
For CTR_DRBG, what initialises the seed and what is the seed's length?
DRBG is initialised with a seed whose length is equal to the key length PLUS the block length --> 128 + 128 = 256 for AES with 128-bit master keys
32
What does the seed define in CTR_DRBG? Is there a separate nonce?
Seed defines a key K and a counter value ctr. No separate nonce (as there is in normal CTR mode)
33
How is the CTR mode encryption run in CTR_DRBG?
iteratively, with no plaintext added
34
What forms the CTR_DRBG output?
CTR output blocks
35
How many bits does the update function of DRBG generate per request i.t.o CTR_DRBG?
up to 2^19 bits
36
From the generate function in CTR_DRBG, whose state must be updated, when and how?
(K, ctr)’s state must be updated after each request by generating 2 blocks using the current key to obtain the new key and a counter
37
What does the update function provide?
backtracking resistance
38
What is the restriction on the number of requests to the generate function for CTR_DRBG before reseeding is required?
up to 2^48
39
What does each re-seed provide i.t.o CTR_DRBG?
forward prediction and backtracking resistance
40
What is Dual_EC_DRBG based on?
elliptic curve discrete logarithm problem BUT: no security proof exists; many flaws
41
Comment on the speed of Dual_EC_DRBG compared with other DRBGs in the standard
much slower
42
What are stream ciphers characterised by?
the generation of a keystream using a short key and an initialisation value IV
43
What is each element of the keystream in a stream cipher used for?
used successively to encrypt 1 or more ciphertext characters
44
What type of cipher are stream ciphers usually? What does this mean?
symmetric key ciphers: 1) sender and receiver share the same key; 2) can generate the same keystream given the same IV
45
I.t.o synchronous stream ciphers, is the keystream generated independently of the plaintext?
yes
46
I.t.o synchronous stream ciphers, what do both the sender and receiver need to generate?
same keystream and synchronise on its usage
47
What kind of cipher is the Vigenère cipher seen as?
a (periodic) synchronous stream cipher where each shift is defined by a key letter
48
What is one mode of operation for a block cipher to generate a keystream?
CTR mode
49
Explain the encryption and decryption diagrams for synchronous stream ciphers on slide 15 of set 9
TODO
50
What are the components of binary synchronous stream ciphers?
For each time interval t: 1) Binary sequence s(t), that is the keystream; 2) Binary plaintext p(t); 3) Binary ciphertext c(t)
51
Give the encryption function for binary synchronous stream ciphers
c(t) = p(t) ⊕ s(t)
52
Give the decryption function for binary synchronous stream ciphers
p(t) = c(t) ⊕ s(t)
53
What is the one time pad often attributed to?
Vernam who made a one-time pad machine using teletype machinery in 1917 (earlier historical uses are known)
54
Comment on the key of a one time pad
a random sequence of characters s.t. all of them are independently generated
55
How many times can each character in the key of a one time pad be used?
ONE TIME ONLY
56
Comment on the alphabet of a one time pad
Alphabet of any length but usually: 1) A natural language alphabet; 2) The binary alphabet {0, 1}
57
What is a (non-periodic) binary synchronous stream cipher an example of?
one time pad
58
What does one time pad provide i.t.o secrecy?
perfect secrecy
59
I.t.o Shannon's definition of perfect secrecy, how is the message set defined?
{M1, · · · , Mk}
60
I.t.o Shannon's definition of perfect secrecy, how is the ciphertext set defined?
{C1, · · · , Cl}
61
I.t.o Shannon's definition of perfect secrecy, what is Pr(Mi|Cj) ?
the probability that Mi is encrypted given that Cj is observed
62
I.t.o Shannon's definition of perfect secrecy, comment on the messages Mi being equally likely
In most cases, the messages Mi are NOT equally likely
63
I.t.o Shannon's definition of perfect secrecy, for all messages Mi and ciphertexts Cj, what is Pr(Mi|Cj) equivalent to?
Pr(Mi|Cj) = Pr(Mi)
64
What are the components involved when the one time pad uses the Roman alphabet?
Plaintext characters: p1, · · · , pr; Ciphertext characters: c1, · · · , cr; Keystream: random characters k1, · · · , kr
65
What is the encryption formula for the one time pad using the Roman alphabet?
ci = (pi + ki) mod 26. Ciphertext is the addition of plaintext and keystream characters, modulo 26
66
What is the decryption formula for the one time pad using the Roman alphabet?
pi = (ci − ki) mod 26
67
Explain one time pad's perfect secrecy and the conditional probability of Pr(Mi|Cj) = Pr(Mi)
Let a ciphertext Cj be observed. Any message could have been sent, depending on the keystream. The probability that Mi is sent given that Cj is observed = the probability that Mi is chosen, weighted by the probability that the right keystream is chosen. Each key is chosen with equal probability. Conditional probability is thus Pr(Mi|Cj) = Pr(Mi)
68
What are the components of the Vernam binary one time pad?
Plaintext: binary sequence b1, · · · , br; Ciphertext: binary sequence c1, · · · , cr; Keystream: random binary sequence k1, · · · , kr
69
Comment on the encryption and decryption for the Vernam binary one time pad
Encryption: ci ≡ pi ⊕ ki; Decryption: pi ≡ ci ⊕ ki. Encryption and decryption are identical processes.
70
Comment on the length of the keystream of the Vernam binary one time pad
Keystream is SAME length as plaintext
71
Does the Vernam binary one time pad provide perfect secrecy? Why?
yes, since any ciphertext is equally possible given the plaintext
72
How many keys MUST any cipher with perfect secrecy have?
as many keys as there are messages
73
What cipher is the ONLY unbreakable cipher?
One time pad
74
Under what conditions is the usage of the one time pad practical?
for pre-assigned communications between fixed parties
75
What is a problem with the one time pad?
how to deal with key management of completely random keys --> Key generation, key transportation, key synchronization, key destruction are ALL problematic since the keys are SO large
76
What is visual cryptography an application of?
one time pad
77
What does visual cryptography involve?
splits an image into 2 shares
78
How does decryption work for visual cryptography?
overlaying the 2 shared images
79
When and who proposed visual cryptography?
Naor and Shamir in 1994
80
Give a simple case of visual cryptography
monochrome images with black and white pixels. Each pixel is shared in a random way, similar to splitting a bit in the one time pad
81
Does each share of the image reveal any info i.t.o visual cryptography?
Each share reveals NO information about the image --> Unconditional security as one time pad
82
Explain the encryption process for visual cryptography (see diagram on slide 27 of set 9)
1) Generate a one time pad P (random bit string) with length equal to the number of pixels for the image I; 2) Generate a share SI,1 by replacing each bit in P using the sub-pixel patterns shown on the left; 3) Generate the other share SI,2 s.t. it is the same as SI,1 for all the white pixels of I & the opposite of SI,1 for all black pixels of I
83
Explain the decryption process for visual cryptography (see diagram on slide 27 of set 10)
1) To reveal the hidden image I, SI,1 and SI,2 are overlaid; 2) Each black pixel of I is black in the overlay; 3) Each white pixel of I is half white in the overlay
84
What type of cipher is the A5 cipher and where is it applied?
Binary synchronous stream cipher applied in most GSM mobile telephones
85
What are the 3 variants of the A5 cipher?
A5/1, A5/2, A5/3
86
What is A5/1?
original A5 algorithm defined in 1987
87
What is A5/2? Where was it intended to be deployed? Is it still allowed?
a weakened version of A5/1, originally intended for deployment outside Europe, but no longer allowed under GSM standards
88
What is A5/3?
also known as KASUMI, is an algorithm for deployment in 3G mobile systems
89
When did the A5 cipher's design become public?
1994
90
What does A5/1 algorithm use?
3 linear feedback shift registers (LFSRs) whose output is combined
91
How are the 3 LFSRs for the A5/1 algorithm clocked?
irregularly clocked
92
Because the 3 LFSRs are irregularly clocked for A5/1, what does this mean the output is?
The overall output is non-linear
93
Because the 3 LFSRs are irregularly clocked for A5/1, what is the size of the keystream and how many bits are fixed at zero?
64-bit keystream s.t. 10 bits fixed at zero
94
Because the 3 LFSRs are irregularly clocked for A5/1, what does this mean the effective key length must be?
The effective key length is thus 54 bits
95
Outline the history of the RC4 cipher
World-based stream cipher designed by Ron Rivest in the 80s: “Ron’s code #4”; Simple, efficient for software implementation; Originally proprietary, owned by RSA Security, but leaked in 1994; Widely deployed in TLS before 2013
96
What are practical attacks on the RC4 cipher?
When used in TLS protocol and in wireless WPA-TKIP due to bias in its keystream output
97
Can RC4 be used in new systems?
no, too weak
98
What is the ChaCha algorithm available in and what does it replace?
Available in TLS ciphersuites (RFC 7905) as a possible replacement for RC4
99
Who designed the ChaCha algorithm?
D. J. Bernstein in 2008
100
Compare the speed of the ChaCha algorithm to AES
Faster than AES --> As little as 4 cycles per byte on x86 processors
101
What does the ChaCha algorithm combine to produce 512 bits of keystream? What is an example of this?
Combining XOR, addition modulo 2^32 and rotation operations over 20 rounds; add-rotate-xor (ARX) cipher
102
What key size does the ChaCha algorithm use?
256-bit key
103
What is TRNG constructed from and what is it used as?
constructed from physical devices, used as seeds for PRNG
104
What is PRNG constructed from?
other primitives including block ciphers
105
What is TRNG used to make?
unbreakable encryption via one time pad
106
What is PRNG used as?
practical synchronous stream cipher