Random Number Generation and Stream Cipher

GOUTAM PAUL

Asst. Professor
Department of Computer Science & Engineering

Jadavpur University, Kolkata.

July 16, 2011

Tutorial Workshop on Cryptology
(Jointly organized by: CU & Centre of Excellence in Cryptology, ISI)
Rajabazar Science College Campus, University of Calcutta, India.

Outline

1 Randomness
  Defining Randomness
  Testing Randomness
  Cryptographic Randomness

2 Random Number Generation
  Natural Random Number Generators
  Pseudo-Random Number Generators

3 Stream Ciphers
  Hardware Stream Ciphers
  Software Stream Ciphers
  Distinguisher


Randomness | Random Number Generation | Stream Ciphers
Defining Randomness | Testing Randomness | Cryptographic Randomness

Notion of Randomness

A numeric sequence is said to be statistically random when it contains no recognizable patterns or regularities.

Examples:
  Sequence of Head and Tail in an unbiased coin toss.
  Results of an ideal die roll.
  Digits of π.

GOUTAM PAUL Random Number Generation and Stream Cipher Slide 4 of 51


Test of (Non-)Randomness

It is not possible to mathematically prove that a sequence is random.
It is possible to test whether a sequence is non-random.


Frequency Test

Checking that each symbol occurs with equal frequency.
For a binary string, proportion of 0’s and 1’s should be 0.5 each.
Can be generalized to n-gram frequencies.


Gap Test

Look at the distances between successive occurrences of a particular symbol.
For example, for the symbol 0,
  00 would be a distance of 0.
  030 would be a distance of 1.
  02250 would be a distance of 3, etc.


Run Test

A run is a sequence of consecutive identical digits.
This test is based on the frequency of run-lengths.
Example: 522238 has a run of 2’s of length 3.


Autocorrelation Test

Correlation between two sequences/processes gives a measure of similarity between them.
Autocorrelation: correlation between the measurements of the same process at two different instances of time.
If random, such autocorrelations should be near zero for any and all time-lag separations.


Maurer’s Universal Test

Source modeled as
  an ergodic stationary process
  with finite memory
  having arbitrary (unknown) state transition probabilities.


Example with a Binary String

Consider the string 0010110011101.

Frequency test: freq(0) = 6, freq(1) = 7, freq(00) = 2, freq(01) = 4, freq(10) = 3, freq(11) = 3.
Gap test: freq(gap 0) = 2, freq(gap 1) = 1, freq(gap 2) = 1, freq(gap 3) = 1.
Run test: freq(len 1) = 4, freq(len 2) = 3, freq(len 3) = 1.
Autocorrelation test:
  Lag 1 autocorrelation = 0·0 + 0·1 + 1·0 + 0·1 + 1·1 + 1·0 + 0·0 + 0·1 + 1·1 + 1·1 + 1·0 + 0·1 = 3,
  Lag 2 autocorrelation = 0·1 + 0·0 + 1·1 + 0·1 + 1·0 + 1·0 + 0·1 + 0·1 + 1·1 + 1·0 + 1·1 = 3.
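
The four tests above, written out as an added Python example (not part of the original slides) so the slide's figures can be reproduced. The function names are chosen here, and ALTERNATING is a constructed second input that passes the symbol-frequency test while the other tests expose its pattern.

```python
from collections import Counter
from itertools import groupby

SLIDE_STRING = "0010110011101"   # the string used on the slide
ALTERNATING = "01" * 500         # constructed input: balanced but obviously patterned


def ngram_freq(bits, n=1):
    """Frequency test: count overlapping n-grams (n=1 counts single symbols)."""
    return dict(Counter(bits[i:i + n] for i in range(len(bits) - n + 1)))


def gap_freq(bits, symbol="0"):
    """Gap test: a gap is the number of other symbols between two successive
    occurrences of `symbol`, so '00' is gap 0 and '02250' is gap 3."""
    pos = [i for i, b in enumerate(bits) if b == symbol]
    return dict(Counter(nxt - cur - 1 for cur, nxt in zip(pos, pos[1:])))


def run_freq(bits):
    """Run test: count maximal runs of identical symbols, keyed by run length."""
    return dict(Counter(len(list(group)) for _, group in groupby(bits)))


def autocorr(bits, lag):
    """Unnormalised autocorrelation, as on the slide: sum of s[i] * s[i + lag]."""
    s = [int(b) for b in bits]
    return sum(s[i] * s[i + lag] for i in range(len(s) - lag))


def summary(bits):
    """Run all four tests and collect the raw statistics."""
    return {
        "symbols": ngram_freq(bits, 1),
        "pairs": ngram_freq(bits, 2),
        "gaps": gap_freq(bits, "0"),
        "runs": run_freq(bits),
        "lag1": autocorr(bits, 1),
        "lag2": autocorr(bits, 2),
    }


if __name__ == "__main__":
    for name, bits in (("slide", SLIDE_STRING), ("alternating", ALTERNATING)):
        print(name, summary(bits))
```

The alternating string has exactly 500 zeros and 500 ones, yet it never contains the pair 00 or 11 and every run has length 1, which is why a single test is never enough to rule out non-randomness.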


Encryption increases Randomness

The goal of encryption is to make the transmitted message look random.


Perfect Secrecy

Information Theoretic Security:

Prob(P | C) = Prob(P).


From Non-Random to Random-Looking

Result: XOR(Arbitrary bitstring, Random bitstring) = Random bitstring.
Encryption: $C_i = M_i \oplus K_i$.
Decryption: $M_i = C_i \oplus K_i$.


One Time Pad

A different keystream is XOR-ed with each different plaintext message.
Has the property of perfect secrecy.
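
The perfect secrecy condition Prob(P | C) = Prob(P) can be checked by exact enumeration on a small message space. The following Python is an added example, not part of the original slides; the 2-bit message distribution, the biased key distribution and the two sample messages are constructed for illustration. It also shows what is lost when the same keystream is XOR-ed with two messages instead of a different one for each.

```python
from fractions import Fraction
import secrets

# Constructed 2-bit example: a skewed message distribution and two key distributions.
PRIOR = {0b00: Fraction(1, 2), 0b01: Fraction(1, 4),
         0b10: Fraction(1, 8), 0b11: Fraction(1, 8)}
UNIFORM_KEY = {k: Fraction(1, 4) for k in range(4)}
BIASED_KEY = {0: Fraction(1, 2), 1: Fraction(1, 6),
              2: Fraction(1, 6), 3: Fraction(1, 6)}


def posterior(prior, key_dist, ciphertext):
    """Exact Prob(P | C = ciphertext) for C = P XOR K, with P and K independent.
    The key that maps plaintext p to this ciphertext is p XOR ciphertext."""
    joint = {p: pp * key_dist.get(p ^ ciphertext, Fraction(0))
             for p, pp in prior.items()}
    total = sum(joint.values())
    if total == 0:
        raise ValueError("ciphertext cannot occur under these distributions")
    return {p: w / total for p, w in joint.items()}


def is_perfectly_secret(prior, key_dist):
    """True when Prob(P | C) = Prob(P) for every ciphertext that can occur."""
    ciphertexts = {p ^ k for p in prior for k, pk in key_dist.items() if pk > 0}
    return all(posterior(prior, key_dist, c) == prior for c in ciphertexts)


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(m1, m2):
    """Encrypt two messages under ONE random pad and return C1 XOR C2.
    The pad cancels, so the result equals M1 XOR M2 whatever the pad was."""
    pad = secrets.token_bytes(len(m1))
    c1 = xor_bytes(m1, pad)
    c2 = xor_bytes(m2, pad)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print("uniform key, perfectly secret:", is_perfectly_secret(PRIOR, UNIFORM_KEY))
    print("biased key, perfectly secret: ", is_perfectly_secret(PRIOR, BIASED_KEY))
    print("posterior after seeing C=0 with biased key:",
          posterior(PRIOR, BIASED_KEY, 0))
    m1, m2 = b"meeting at nine", b"invoice no 4711"   # constructed messages
    print("pad reuse leaks M1 xor M2:", reuse_leak(m1, m2) == xor_bytes(m1, m2))
```

With the uniform key every posterior equals the prior; with the biased key, observing C = 0 raises the probability of message 00 from 1/2 to 3/4.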


Randomness | Random Number Generation | Stream Ciphers
Natural Random Number Generators | Pseudo-Random Number Generators

Necessity

One Time Pad requires a long stream of random bits.
Other cryptographic schemes also require random numbers as keys.


One option: Natural Randomness

Thermal noise from a semiconductor resistor.
Atmospheric noise.
Quantum-mechanical phenomena.
Tossing a coin.


Why is Natural Randomness not useful?

Difficulty of sampling.
Difficulty of synchronizing when the sender and the receiver are far apart.


Pragmatic Solution

A Finite State Machine.
A seed (called the secret key) characterizes the initial state.
Same seed generates the same output sequence.
Seed can be shared between the sender and the receiver.


Inherent Limitations

Each state transition of the FSM gives one new output.
FSM has finite no. of states.
So the output sequence must have a period.
One Time Pad cannot be realized in practice.
Goal: short seed, but long keystream.


Linear Congruential Generator

$x_n = a x_{n-1} + b \pmod{m}$.

$x_0$ is the initial seed.
a, b, m are parameters.
Example: C library function rand().
Suitable for experimental purposes, but cryptographically not secure.
Same is true for any polynomial congruential generator.
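
Two points from the slides can be seen on a toy linear congruential generator: the output must have a period because the state space is finite, and the generator is not cryptographically secure because three consecutive outputs determine a and b when m is known. This Python is an added example, not part of the original slides; the parameters M, A, B and the seed are constructed toy values and are not those of any particular C library's rand().

```python
# Constructed toy parameters (assumption: chosen here for illustration only).
M = 2 ** 16
A = 25173
B = 13849


def lcg(a, b, m, seed):
    """Yield x_1, x_2, ... where x_n = a*x_{n-1} + b (mod m) and x_0 = seed."""
    x = seed
    while True:
        x = (a * x + b) % m
        yield x


def period(a, b, m, seed):
    """Length of the cycle the state eventually enters. It can never exceed m,
    because the generator is a finite state machine with m possible states."""
    first_seen = {}
    x, step = seed, 0
    while x not in first_seen:
        first_seen[x] = step
        x = (a * x + b) % m
        step += 1
    return step - first_seen[x]


def recover_params(x0, x1, x2, m):
    """Solve x1 = a*x0 + b and x2 = a*x1 + b (mod m) for (a, b).
    Subtracting gives x2 - x1 = a*(x1 - x0), so a needs x1 - x0 to be
    invertible mod m; pow() raises ValueError when it is not."""
    a = (x2 - x1) * pow((x1 - x0) % m, -1, m) % m
    b = (x1 - a * x0) % m
    return a, b


def predict_next(outputs, m):
    """Given three consecutive outputs and m, predict the fourth."""
    x0, x1, x2 = outputs
    a, b = recover_params(x0, x1, x2, m)
    return (a * x2 + b) % m


if __name__ == "__main__":
    gen = lcg(A, B, M, seed=2011)
    seen = [next(gen) for _ in range(3)]
    print("observed outputs:", seen)
    print("recovered (a, b):", recover_params(*seen, M))
    print("predicted next  :", predict_next(seen, M))
    print("actual next     :", next(gen))
    print("period with odd b :", period(A, B, M, 2011))
    print("period with even b:", period(A, B - 1, M, 2011))
```

Changing b from odd to even keeps the parity of the state fixed, so at most half of the states are ever visited and the period drops; no choice of parameters removes the predictability shown by predict_next.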


Blum-Blum-Shub (BBS) Generator

Choose two large primes p, q both congruent to 3 mod 4.
Set n = pq and choose a random integer x relatively prime to n.
Set initial seed $x_0 = x^2 \pmod{n}$.
j-th output is given by $x_j = x_{j-1}^2 \pmod{n}$.
Has provable security, but too slow for practical use.
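
The BBS steps above as an added Python example, not part of the original slides. The primes 11 and 23 and the value x = 3 are constructed toy values, far too small for real use, and the trial-division primality check is only adequate at this size. Taking the least significant bit of each x_j as the output bit goes beyond what the slide states; it is the usual way BBS output is extracted.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate only for the toy sizes used in this example."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def bbs_states(p, q, x, count):
    """Return [x_1, ..., x_count] with x_0 = x^2 mod n and x_j = x_{j-1}^2 mod n.
    Every precondition from the slide is checked before anything is generated."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    if p == q:
        raise ValueError("p and q must be distinct")
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(x, n) != 1:
        raise ValueError("x must be relatively prime to n")
    state = pow(x, 2, n)          # initial seed x_0
    states = []
    for _ in range(count):
        state = pow(state, 2, n)  # one modular squaring per output
        states.append(state)
    return states


def bbs_bits(p, q, x, count):
    """Output bits: least significant bit of each state (see lead-in)."""
    return [s & 1 for s in bbs_states(p, q, x, count)]


if __name__ == "__main__":
    print("states:", bbs_states(11, 23, 3, 5))
    print("bits  :", bbs_bits(11, 23, 3, 5))
    try:
        bbs_states(13, 23, 3, 5)      # 13 is 1 mod 4, so this must be rejected
    except ValueError as err:
        print("rejected:", err)
```

Each output bit costs a full modular squaring, which at realistic sizes of n is what makes the generator too slow for practical use.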


RandomnessRandom Number Generation

Stream Ciphers

Hardware Stream CiphersSoftware Stream CiphersDistinguisher

General Model of Stream Ciphers


Need for Initialization Vector (IV)

- The same key always produces the same keystream.
- Repeated use of the same key is just as bad as reusing a one-time pad.
- As a remedy, the IV is combined with the secret key to form the effective key for the corresponding session of the cipher, called a session key.
- Different session keys make the output of the stream cipher different in each session, even if the same key is used.
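The effect of key reuse and the IV remedy, shown as an added Python example (not code from the slides). The keystream generator is a stand-in built from SHAKE-256, the key/IV combination rule (a SHA-256 hash), the messages and the `Sender` class are all assumptions made for illustration.

```python
import hashlib
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(effective_key: bytes, length: int) -> bytes:
    # Stand-in keystream generator (assumption): SHAKE-256 used as a
    # deterministic expander. A real stream cipher takes this role.
    return hashlib.shake_256(effective_key).digest(length)


def session_key(key: bytes, iv: bytes) -> bytes:
    # Combine key and IV into the per-session effective key. The length
    # prefix keeps different (key, iv) pairs from concatenating to the
    # same byte string.
    return hashlib.sha256(len(key).to_bytes(2, "big") + key + iv).digest()


def encrypt_without_iv(key: bytes, plaintext: bytes) -> bytes:
    # Weak construction: the keystream depends on the key alone.
    return xor(plaintext, keystream(key, len(plaintext)))


class Sender:
    """Encrypts under one long-term key and refuses to reuse an IV."""

    def __init__(self, key: bytes):
        self.key = key
        self.used_ivs = set()

    def encrypt(self, plaintext: bytes, iv: bytes = None):
        iv = secrets.token_bytes(16) if iv is None else iv
        if iv in self.used_ivs:
            # Same key and same IV would give the same session key,
            # hence the same keystream again.
            raise ValueError("IV already used with this key")
        self.used_ivs.add(iv)
        ks = keystream(session_key(self.key, iv), len(plaintext))
        return iv, xor(plaintext, ks)


def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    ks = keystream(session_key(key, iv), len(ciphertext))
    return xor(ciphertext, ks)


def demo():
    key = b"constructed-demo-key"          # constructed sample values
    p1 = b"PAY ALICE 100 RUPEES"
    p2 = b"PAY BOB 99999 RUPEES"

    # Same key, no IV: the keystream cancels and c1 xor c2 = p1 xor p2.
    c1 = encrypt_without_iv(key, p1)
    c2 = encrypt_without_iv(key, p2)

    # Same key, fresh IV per message: the keystreams differ.
    sender = Sender(key)
    iv1, d1 = sender.encrypt(p1)
    iv2, d2 = sender.encrypt(p2)

    return {
        "no_iv_leaks_xor": xor(c1, c2) == xor(p1, p2),
        "iv_leaks_xor": xor(d1, d2) == xor(p1, p2),
        "round_trip": decrypt(key, iv1, d1) == p1
        and decrypt(key, iv2, d2) == p2,
    }


if __name__ == "__main__":
    print(demo())
```

The IV is sent in the clear next to the ciphertext; it only has to be unique per key, which is what the `used_ivs` check enforces.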


Hardware vs. Software Stream Ciphers

- Hardware Stream Ciphers.
  - LFSRs are used as linear elements.
  - Combining functions (may be with some amount of memory) are used as nonlinear elements.
- Software Stream Ciphers.
  - May use word-based LFSR / NFSRs.
  - May use arrays, modular additions and other operators.


Bit-oriented LFSR

[Figure: LFSR: one step evolution, showing cells b5 b4 b3 b2 b1 b0 before the step and b6 b5 b4 b3 b2 b1 b0 after it, with two ⊕ gates]

Recurrence Relation: $x_{n+6} = x_{n+4} \oplus x_{n+1} \oplus x_n$

Polynomial over GF(2): $x^6 + x^4 + x^1 + 1$


Bit-oriented LFSR (cont’d.)

- Primitive polynomial provides maximum length cycle, $2^d - 1$ for degree $d$. Well known as m-sequence.
- By itself, not cryptographically secure, but useful building block for pseudo-randomness.
- Easy and efficient implementation in hardware, using registers (Flip-Flops) and simple logic gates.
- Deep mathematical development for a long time.


Attacking the LFSR-based PRNGs

- Suppose we know the segment 011010111100 of a keystream sequence.
- We also know that it is generated by some LFSR.
- We do not necessarily know the length of the recurrence.
- We need to determine the coefficients.


Try with Length 2

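$x_{n+2} = c_0 x_n + c_1 x_{n+1}$.

$$\begin{bmatrix} 0 & 1 \\ 1 & 1 \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \end{bmatrix}$$

Solution: $c_0 = 1$, $c_1 = 1$.

But $x_6 \neq x_4 + x_5$.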


Try with Length 3

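$x_{n+3} = c_0 x_n + c_1 x_{n+1} + c_2 x_{n+2}$.

$$\begin{bmatrix} 0 & 1 & 1 \\ 1 & 1 & 0 \\ 1 & 0 & 1 \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ c_2 \end{bmatrix} = \begin{bmatrix} 0 \\ 1 \\ 0 \end{bmatrix}$$

Solution: ?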


Try with Length 4

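$x_{n+4} = c_0 x_n + c_1 x_{n+1} + c_2 x_{n+2} + c_3 x_{n+3}$.

$$\begin{bmatrix} 0 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \\ 1 \\ 1 \end{bmatrix}$$

Solution: $c_0 = 1$, $c_1 = 1$, $c_2 = 0$, $c_3 = 0$.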


General Problem

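$x_{n+m} = c_0 x_n + c_1 x_{n+1} + \dots + c_{m-1} x_{n+m-1}$

$$\begin{bmatrix} x_1 & x_2 & \dots & x_m \\ x_2 & x_3 & \dots & x_{m+1} \\ \vdots & \vdots & \ddots & \vdots \\ x_m & x_{m+1} & \dots & x_{2m-1} \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ \vdots \\ c_{m-1} \end{bmatrix} = \begin{bmatrix} x_{m+1} \\ x_{m+2} \\ \vdots \\ x_{2m} \end{bmatrix}$$

Result: The $m \times m$ matrix is invertible mod 2 iff there is no linear recurrence relation of length less than $m$ that is satisfied by the $2m$ values $x_1, x_2, \dots, x_{2m}$.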
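The length-2, length-3 and length-4 attempts and the general system above, worked as an added Python example (not code from the slides) on the segment 011010111100. `slide_step` solves the slide's $m \times m$ system; `shortest_recurrence` goes one step further and uses every known bit as an equation, so a solution that fits the first $2m$ bits but fails later is rejected in the same pass. All function names are illustrative.

```python
SEGMENT = [int(b) for b in "011010111100"]  # known keystream bits from the slides


def solve_gf2(rows, rhs):
    """Solve rows * c = rhs over GF(2) by Gauss-Jordan elimination.

    Returns one solution (free variables set to 0), or None when the
    system is inconsistent.
    """
    ncols = len(rows[0])
    aug = [list(r) + [b] for r, b in zip(rows, rhs)]
    pivots, r = [], 0
    for col in range(ncols):
        pivot = next((i for i in range(r, len(aug)) if aug[i][col]), None)
        if pivot is None:
            continue
        aug[r], aug[pivot] = aug[pivot], aug[r]
        for i in range(len(aug)):
            if i != r and aug[i][col]:
                aug[i] = [a ^ b for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    # Rows below the last pivot are all-zero on the left: 0 = 1 is a contradiction.
    if any(row[-1] for row in aug[r:]):
        return None
    solution = [0] * ncols
    for i, col in enumerate(pivots):
        solution[col] = aug[i][-1]
    return solution


def system(bits, m, n_equations):
    """Rows (x_n .. x_{n+m-1}) and right-hand sides x_{n+m}."""
    rows = [bits[i:i + m] for i in range(n_equations)]
    rhs = [bits[i + m] for i in range(n_equations)]
    return rows, rhs


def slide_step(bits, m):
    """The slide's m x m system, built from the first 2m bits only."""
    if len(bits) < 2 * m:
        raise ValueError("need at least 2m known bits")
    return solve_gf2(*system(bits, m, m))


def fits(bits, coeffs):
    """True if the recurrence reproduces every known bit."""
    m = len(coeffs)
    return all(
        bits[n + m] == sum(c & x for c, x in zip(coeffs, bits[n:n + m])) % 2
        for n in range(len(bits) - m)
    )


def shortest_recurrence(bits):
    """Smallest m (with 2m <= known bits) whose recurrence fits all bits."""
    for m in range(1, len(bits) // 2 + 1):
        coeffs = solve_gf2(*system(bits, m, len(bits) - m))
        if coeffs is not None:
            return m, coeffs
    return None


def extend(bits, coeffs, count):
    """Predict the next `count` keystream bits from the recurrence."""
    m, out = len(coeffs), list(bits)
    for _ in range(count):
        out.append(sum(c & x for c, x in zip(coeffs, out[-m:])) % 2)
    return out[len(bits):]


def period(coeffs, state):
    """Steps until the register returns to `state` (None if it never does)."""
    start = cur = tuple(state)
    for steps in range(1, 2 ** len(coeffs) + 1):
        cur = cur[1:] + (sum(c & x for c, x in zip(coeffs, cur)) % 2,)
        if cur == start:
            return steps
    return None


if __name__ == "__main__":
    for m in (2, 3, 4):
        c = slide_step(SEGMENT, m)
        print(m, c, None if c is None else fits(SEGMENT, c))
    print(shortest_recurrence(SEGMENT), period([1, 1, 0, 0], SEGMENT[:4]))
```

The recovered register has the maximum period $2^4 - 1 = 15$, yet eight known bits determine it completely, which is why the earlier slide calls an LFSR on its own not cryptographically secure.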


Nonlinear Combiner Model

- Take n LFSRs of different length (may be pairwise prime).
- Initialize them with seeds.
- In each clock, take the n-many outputs from the LFSRs, which are fed as n-inputs to an n-variable Boolean function.
- May be some memory element is added.


Nonlinear Filter-Generator Model

- Take one LFSR.
- Initialize that with a seed.
- In each clock, take the n-many outputs from the LFSR from different locations, which are fed as n-inputs to an n-variable Boolean function.
- May be considered with additional memory element.
- The Boolean function and memory together form a Finite State Machine.


Boolean Function: Cryptographic Properties

BALANCEDNESS: Necessary to achieve Pseudo-Random sequence

ALGEBRAIC DEGREE: To achieve high Linear Complexity

NONLINEARITY: For higher Confusion and resistance against: Best Affine Approximation (BAA) Attack and Linear Cryptanalysis.

AUTOCORRELATION: To achieve higher Diffusion, and to resist Differential Cryptanalysis.

CORRELATION IMMUNITY: To resist Correlation Attack

ALGEBRAIC IMMUNITY: To resist Algebraic Attack
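A way to measure four of these properties for a candidate combining or filter function, as an added Python example (not code from the slides). The two 3-variable functions are assumptions chosen for illustration: a multiplexer (the function used in the Geffe generator, here with the first input as selector) and the plain XOR of the inputs.

```python
from itertools import product


def truth_table(f, n):
    """Outputs of f over all n-bit inputs, first variable most significant."""
    return [f(*x) & 1 for x in product((0, 1), repeat=n)]


def walsh_spectrum(tt):
    """W(w) = sum over x of (-1)^(f(x) xor w.x): agreements minus
    disagreements between f and the linear function w.x."""
    size = len(tt)
    return [
        sum(1 - 2 * (tt[x] ^ (bin(w & x).count("1") & 1)) for x in range(size))
        for w in range(size)
    ]


def algebraic_degree(tt):
    """Degree of the algebraic normal form, via the Moebius transform."""
    anf = list(tt)
    step = 1
    while step < len(anf):
        for i in range(len(anf)):
            if i & step:
                anf[i] ^= anf[i ^ step]
        step <<= 1
    # anf[i] is the coefficient of the monomial whose variables are the
    # set bits of i, so the degree is the largest popcount with coefficient 1.
    return max((bin(i).count("1") for i, c in enumerate(anf) if c), default=0)


def properties(f, n):
    tt = truth_table(f, n)
    inputs = list(product((0, 1), repeat=n))
    spectrum = walsh_spectrum(tt)

    # Correlation immunity of order k: W(w) = 0 for all 1 <= weight(w) <= k.
    ci = 0
    for order in range(1, n + 1):
        masks = [w for w in range(1, len(tt)) if bin(w).count("1") == order]
        if all(spectrum[w] == 0 for w in masks):
            ci = order
        else:
            break

    return {
        # Balanced: as many 1s as 0s, i.e. W(0) = 0.
        "balanced": spectrum[0] == 0,
        "degree": algebraic_degree(tt),
        # Distance to the nearest affine function.
        "nonlinearity": len(tt) // 2 - max(abs(v) for v in spectrum) // 2,
        "correlation_immunity": ci,
        # Fraction of inputs on which f equals each single input variable;
        # anything other than 0.5 is a correlation an analyst can measure.
        "input_agreement": [
            sum(tt[k] == inputs[k][i] for k in range(len(tt))) / len(tt)
            for i in range(n)
        ],
    }


def geffe(a, b, c):
    # Multiplexer: a selects b (a = 1) or c (a = 0).
    return (a & b) ^ ((a ^ 1) & c)


def xor3(a, b, c):
    return a ^ b ^ c


if __name__ == "__main__":
    print("multiplexer:", properties(geffe, 3))
    print("xor:        ", properties(xor3, 3))
```

The multiplexer is balanced and nonlinear but agrees with two of its inputs 75% of the time (correlation immunity 0), while XOR is correlation immune of order 2 but has nonlinearity 0 and degree 1; the properties pull against each other.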


Hardware Stream Ciphers: Current Trends

- Nonlinear Filter Generator Model With Memory.
- More than one bit processed together (32-bit words).
- Use LFSRs over larger fields: need the LFSR evolution operations to be efficient.
- $GF(2^{32})$ or $GF(2^{31} - 1)$ to relate with 32-bit words of modern processors. Are we moving towards 64-bit words?
- FSM contains S-boxes and Registers.
- Registers are memory words.
- S-boxes are multiple output Boolean functions.

GOUTAM PAUL Random Number Generation and Stream Cipher Slide 38 of 51

RandomnessRandom Number Generation

Stream Ciphers

Hardware Stream CiphersSoftware Stream CiphersDistinguisher

Hardware Stream Ciphers: Current Trends

Nonlinear Filter Generator Model With Memory.

More than one bit processed together (32-bit words)Use LFSRs over larger fields: need the LFSRevolution operations to be efficient.GF (232) or GF (231 − 1) to relate with 32-bit words ofmodern processors. Are we moving towards 64-bitwords?FSM contains S-boxes and Registers.Registers are memory words.S-boxes are multiple output Boolean functions.

GOUTAM PAUL Random Number Generation and Stream Cipher Slide 38 of 51

RandomnessRandom Number Generation

Stream Ciphers

Hardware Stream CiphersSoftware Stream CiphersDistinguisher

Hardware Stream Ciphers: Current Trends

Nonlinear Filter Generator Model With Memory.More than one bit processed together (32-bit words)


Hardware Stream Ciphers: Current Trends

- Nonlinear Filter Generator Model With Memory.
- More than one bit processed together (32-bit words).
- Use LFSRs over larger fields: need the LFSR evolution operations to be efficient.
- $GF(2^{32})$ or $GF(2^{31} - 1)$ to relate with 32-bit words of modern processors. Are we moving towards 64-bit words?
- FSM contains S-boxes and Registers.
- Registers are memory words.
- S-boxes are multiple output Boolean functions.


Design Principle

- Initially, stream ciphers were targeted towards hardware only.
- Later, software stream ciphers became popular due to their speed and efficiency compared to software implementation of block ciphers.
- Typically consists of two modules:
  - KSA: key × IV → internal state, and
  - PRGA: internal state → keystream word.


An Example: RC4 (Ron Rivest, 1987)

- Wide commercial applications: SSL, TLS, WEP, WPA, AOCE, Microsoft Windows, Lotus Notes, Oracle Secure SQL etc.
- Generally used with 5 to 16 bytes key, though provision for 256 bytes key is there.
- Uses a permutation over $\mathbb{Z}_{256}$ as the internal state.
- Operations: Swaps and Modulo 256 additions.


RC4 KSA

[Figure: the S-box array, indexed 0 to 255, with the positions i and j marked.]

    Initialize S-box to identity permutation of {0, 1, ..., 255}
    Initialize counter: j = 0;
    for i = 0, ..., 255
        j = j + S[i] + K[i];
        Swap: S[i] ↔ S[j];


RC4 PRGA

[Figure: the S-box array, indexed 0 to 255, with the positions i, j and S[i] + S[j] marked; the entry at position S[i] + S[j] is the output Z.]

    Initialize the counters: i = j = 0;
    While you need keystream bytes
        Increment counters i = i + 1 and j = j + S[i];
        Swap S[i] ↔ S[j];
        Output Z = S[S[i] + S[j]];


Software Stream Ciphers: Current Trends

- Word oriented design.
- Complicated Functions and Operations.
- Huge Internal State.


Basic Idea

- An event that distinguishes the keystream from a uniformly random stream.
- For a stream cipher, the event is based on some combination of the keystream bits.
- The attack complexity is given by the number of samples required for a given success probability.


The Setup

Event $A$, $P(A) = p$.

Define $X_r = 1$ if $A$ occurs in the $r$-th sample, else it is $0$.

If we observe $n$ samples,

$$\sum_{r=1}^{n} X_r \sim B(n, p).$$

When the $X_r$'s are i.i.d. and $n$ is large enough,

$$\sum_{r=1}^{n} X_r \sim N\big(np,\ np(1 - p)\big).$$


Hypothesis Testing Approach

Test

$$H_0 : p = p_0(1 + \varepsilon), \quad \varepsilon > 0,$$

against

$$H_1 : p = p_0.$$


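Bounding the Errors

The objective is to find a threshold $c$ in $[np_0,\ np_0(1 + \varepsilon)]$ such that

$$P\left(\sum_{r=1}^{n} X_r \le c \;\middle|\; H_0\right) \le \alpha$$

and

$$P\left(\sum_{r=1}^{n} X_r > c \;\middle|\; H_1\right) \le \beta.$$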


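Necessary Condition

For such a $c$ to exist,

$$np_0(1 + \varepsilon) - \kappa_1\sigma_1 > np_0 + \kappa_2\sigma_2,$$

where

$$\sigma_1^2 = np_0(1 + \varepsilon)\big(1 - p_0(1 + \varepsilon)\big),$$

$$\sigma_2^2 = np_0(1 - p_0),$$

$$\Phi(-\kappa_1) = \alpha \quad \text{and} \quad \Phi(\kappa_2) = 1 - \beta.$$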


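How Many Samples Required?

When $p_0, \varepsilon \ll 1$,

$$n > \frac{(\kappa_1 + \kappa_2)^2}{p_0\varepsilon^2}.$$

$\kappa_1 = \kappa_2 = 0.5$ gives $\alpha = \beta = 1 - 0.6915$ and at least $\frac{1}{p_0\varepsilon^2}$ samples are required.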
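The step from the necessary condition to this bound, written out as an added derivation that is not on the original slides. It uses only the symbols already defined and the assumption $p_0, \varepsilon \ll 1$, under which $\sigma_1 \approx \sigma_2 \approx \sqrt{np_0}$:

$$
\begin{aligned}
np_0(1 + \varepsilon) - \kappa_1\sigma_1 &> np_0 + \kappa_2\sigma_2 \\
np_0\varepsilon &> \kappa_1\sigma_1 + \kappa_2\sigma_2 \approx (\kappa_1 + \kappa_2)\sqrt{np_0} \\
\sqrt{np_0}\,\varepsilon &> \kappa_1 + \kappa_2 \\
n &> \frac{(\kappa_1 + \kappa_2)^2}{p_0\varepsilon^2}.
\end{aligned}
$$

With $\kappa_1 = \kappa_2 = 0.5$ the numerator is $1$, which gives the $\frac{1}{p_0\varepsilon^2}$ figure.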


Example of a Distinguisher

- RC4 2nd byte.
- Attack on Broadcast.
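An added example, not from the original slides: the KSA and PRGA as given on the RC4 slides, used to count the second-byte event over many keys and compare the count with the threshold from the hypothesis-testing slides. It relies on the known result of Mantin and Shamir ("A Practical Attack on Broadcast RC4", 2001) that Z2 = 0 occurs with probability about 2/256, so p0 = 1/256 and ε = 1; the function names, the 16-byte random keys and the seed are assumptions of this example.

```python
import random
from math import sqrt
from statistics import NormalDist

def ksa(key):
    """RC4 KSA as on the slide; K[i] = key[i mod len(key)] (standard RC4)."""
    S = list(range(256))                        # identity permutation
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256    # additions are modulo 256
        S[i], S[j] = S[j], S[i]
    return S

def prga(S, n):
    """RC4 PRGA as on the slide: n keystream bytes Z from state S."""
    S, i, j, out = list(S), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def kappas(alpha, beta):
    """(kappa1, kappa2) with Phi(-kappa1) = alpha and Phi(kappa2) = 1 - beta."""
    nd = NormalDist()
    return -nd.inv_cdf(alpha), nd.inv_cdf(1 - beta)

def samples_approx(p0, eps, alpha, beta):
    """Slide bound (k1 + k2)^2 / (p0 eps^2), derived for p0, eps << 1."""
    k1, k2 = kappas(alpha, beta)
    return (k1 + k2) ** 2 / (p0 * eps ** 2)

def threshold_interval(n, p0, eps, alpha, beta):
    """(n p0 + k2 sigma2, n p0 (1+eps) - k1 sigma1); a threshold c exists iff lo < hi."""
    k1, k2 = kappas(alpha, beta)
    p = p0 * (1 + eps)
    s1, s2 = sqrt(n * p * (1 - p)), sqrt(n * p0 * (1 - p0))
    return n * p0 + k2 * s2, n * p - k1 * s1

def count_z2_zero(n, seed=2011, keylen=16):
    """Sum of X_r over n random keys, X_r = 1 when the 2nd keystream byte is 0."""
    rng = random.Random(seed)       # constructed test keys; seeded for repeatability
    hits = 0
    for _ in range(n):
        key = bytes(rng.getrandbits(8) for _ in range(keylen))
        hits += prga(ksa(key), 2)[1] == 0
    return hits

if __name__ == "__main__":
    p0, eps, a, b = 1 / 256, 1.0, 0.01, 0.01    # H0: p = 2/256 (RC4), H1: p = 1/256
    n = 30000
    lo, hi = threshold_interval(n, p0, eps, a, b)
    count = count_z2_zero(n)
    print(f"slide bound: n > {samples_approx(p0, eps, a, b):.0f}")
    print(f"count = {count}, uniform mean = {n * p0:.1f}, c in ({lo:.1f}, {hi:.1f})")
    print("consistent with H0 (RC4)" if count > (lo + hi) / 2 else "consistent with H1 (uniform)")
```

Because ε = 1 is not small here, the approximate bound from the slides underestimates n; `threshold_interval` applies the necessary condition directly and returns lo > hi when n is too small for the chosen α and β.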


I end my talk here ...

Thank You

Homepage: http://www.goutampaul.com
Email: goutam.paul@ieee.org
