hsc: building stream cipher from secure hash functions juncao li nov. 29 th 2007 department of...
Post on 19-Dec-2015
215 Views
Preview:
TRANSCRIPT
HSC: Building Stream Cipher from Secure Hash
Functions
Juncao LiNov. 29th 2007
Department of Computer Science
Portland State University
Portland State University Nov. 29th 2007 2 juncao@cs.pdx.edu
Agenda
• Introduction to the Stream Cipher
• Security of the Stream Cipher• Construction of the Hashing
Stream Cipher• Analysis of the HSC
Portland State University Nov. 29th 2007 3 juncao@cs.pdx.edu
Agenda
• Introduction to the Stream Cipher
• Security of the Stream Cipher• Construction of the Hashing
Stream Cipher• Analysis of the HSC
Portland State University Nov. 29th 2007 4 juncao@cs.pdx.edu
Introduction: Stream Cipher
• Symmetric Cipher• Encryption/Decryption Scheme
– Take a Key and an IV (optional)– Generate a pseudorandom keystream(pad)
– XOR the pad with the plaintext like onetime pad
PNG
Plaintext
XOR
PN
Plaintext
Ciphertext
Portland State University Nov. 29th 2007 5 juncao@cs.pdx.edu
Stream Cipher: types
• State Cipher– Maintains an internal state– Based on which, the keystream is
generated– Usually, the internal state is kept
secrete– As large as possible
Portland State University Nov. 29th 2007 6 juncao@cs.pdx.edu
Stream Cipher: types
• Synchronous – The state changes independently of the
plaintext or ciphertext– RC4– Non-error-propagation– Keep synchronized
• Self-synchronizing stream ciphers– Previous ciphertext digits are used to compute
the keystream – CFB: a block cipher in cipher-feedback mode
(CFB)– Input to the generator is partially exposed– Limitation of the analyzability: keystream
depends on the messages
Portland State University Nov. 29th 2007 7 juncao@cs.pdx.edu
Agenda
• Introduction to the Stream Cipher
• Security of the Stream Cipher• Construction of the Hashing
Stream Cipher• Analysis of the HSC
Portland State University Nov. 29th 2007 8 juncao@cs.pdx.edu
Security analysis: goal
• Hard to guess next bit of the keystream generator with some probability: better than random guessing– About the appearance of the keystream– Noticeable more 1s than 0s in the
keystream• Hard to reproduce the keystream from
the keystream that we already have– About the inherent complexity of the
keystream– Existence of the short period
Portland State University Nov. 29th 2007 9 juncao@cs.pdx.edu
Formal security support
• Theoretical support– Yao’s work: a pseudo-random generator
could be 'effciently' predicted if, and only if, the generator could be 'effciently' distinguished from a perfectly random source.
Portland State University Nov. 29th 2007 10 juncao@cs.pdx.edu
Security in appearance
• Security measures in appearance– Long period
• A keystream generator can be modeled by a finite state machine
• Eventually some states will repeat which lead to a period
– Statistical measures• Have the appearance of (periodic) pseudo-
random sequences
– Complexity
Portland State University Nov. 29th 2007 11 juncao@cs.pdx.edu
Agenda
• Definition of the Stream Cipher• Security of the Stream Cipher• Construction of the Hashing
Stream Cipher• Analysis of the HSC
Portland State University Nov. 29th 2007 12 juncao@cs.pdx.edu
HSC
• It’s a synchronous streamcipher• It takes an IV and a random Key as input• Define
– Original Vector: OV = Key || IV
– Increasing Factor: , where is byte accumulation, and i is public. If IF = 0, set IF = 1
– Keystream Block: , where KBn represents nth keystream block
imOVIF 2mod mOV
}2 |{ xandNxxi
IFnOVHashKBn
Portland State University Nov. 29th 2007 13 juncao@cs.pdx.edu
HSC: Framework
Hash Function
Key || IV + IncreasingFactor
Fixed-length Key Stream Block 1
Hash Function
Key || IV + 2× IncreasingFactor
Fixed-length Key Stream Block 2
Hash Function
Key || IV + n× IncreasingFactor
Fixed-length Key Stream Block n……
…………
……
Portland State University Nov. 29th 2007 14 juncao@cs.pdx.edu
Intuitions: why HSC
• Hash function is easy to find– Easy to implement our scheme based on
the existing systems
• We can prove the security of HSC based on the security of Cryptographic Hash functions
Portland State University Nov. 29th 2007 15 juncao@cs.pdx.edu
Agenda
• Introduction to the Stream Cipher
• Security of the Stream Cipher• Construction of the Hashing
Stream Cipher• Analysis of the HSC
Portland State University Nov. 29th 2007 16 juncao@cs.pdx.edu
Secure analysis on HSC:Period
• Period– Ideally, no period if the core hash
function is collision-resistant – Assume there’s a m bits period, we can
find the collision every m/n iterations
Hash Function
OV + IF
Key Stream Block 1 ……
……
……
Hash Function
OV + 2× IF
Key Stream Block 2
Hash Function
OV + m/n× IF
Key Stream Block 1
Hash Function
OV + (m/n+1)× IF
Key Stream Block 2 ……
……
……
Portland State University Nov. 29th 2007 17 juncao@cs.pdx.edu
Secure analysis on HSC:Period
– But… the inner state has a limitation due to the implementation
– Configurable inner state size– The inner state size depends on the
limitation of the hash function input size – – Which is huge!
statesinner 2 implies sizeinput hash 264264
Portland State University Nov. 29th 2007 18 juncao@cs.pdx.edu
Secure analysis on HSC: Indistinguishability
• Indistinguishability of the keystream from the random stream – The distribution of the keystream
depends on the IV and Key
Portland State University Nov. 29th 2007 19 juncao@cs.pdx.edu
Secure analysis on HSC: Indistinguishability
– Assumption 1: if the input of the hash function is random, the output should be random, or have a random distribution
– Every individual keystream block should look random, given the randomness of the key and the security of the hash function.
– Otherwise, we can find an easier way to invert the one-way function by analyzing the non-uniform distribution of the output
Portland State University Nov. 29th 2007 20 juncao@cs.pdx.edu
Secure analysis on HSC: Indistinguishability
– Assumption 2: if the inputs of the hash function are different, but correlated, the outputs of a good hash function should at least have a good statistical distribution
– Global view of the keystream blocks – Collision-resistance guarantees that
keystream blocks are statistically different
Portland State University Nov. 29th 2007 21 juncao@cs.pdx.edu
Secure analysis on HSC: Indistinguishability
– Almost no one can guarantee there’s no correlation in their keystream
– That’s why inner state should be kept secrete
– That’s why we are using i
mOVIF 2mod
Portland State University Nov. 29th 2007 22 juncao@cs.pdx.edu
Secure analysis on HSC: Information theory
• Information theory -- Entropy – The larger entropy of the keystream the better– Entropy comes from: IV and Key – The hash function will guarantee the entropy of
each stream block: min(|key|, |digest|)– IF will spread the key entropy to the whole
keystream
Portland State University Nov. 29th 2007 23 juncao@cs.pdx.edu
Secure analysis on HSC:Statistical analysis
• Three statistical test from the NIST standard– SHA-1, Key length 64 bytes, IV 16 bytes, and IF
1 byte– 1000 times test on 10 MB keystream. Threshold:
0.981– 1GB HSC costs 92,312ms , RC4 costs 30,047ms
HSC 1 2 3 4 5 6 7 8 9 10
Frequency 0.992 0.994 0.991 0.994 0.997 0.994 0.989 0.992 0.989 0.989
Runs 0.995 0.994 0.993 0.989 0.992 0.989 0.992 0.989 0.995 0.991
Cumulative 0.986 0.994 0.988 0.992 0.995 0.993 0.985 0.993 0.988 0.989
RC4 1 2 3 4 5 6 7 8 9 10
Frequency 0.986 0.982 0.987 0.984 0.9840 . 98
90.989
0 . 989
0.989 0.991
Runs 0.992 0.993 0.990 0.987 0.9910 . 99
30.996
0 . 988
0.990 0.985
Cumulative 0.987 0.976 0.982 0.976 0.9860 . 98
80.989
0 . 989
0.983 0.989
Portland State University Nov. 29th 2007 24 juncao@cs.pdx.edu
References• Stream Ciphers, RSA Laboratories Technical Report TR-701,
Version 2.0, M.J.B. Robshaw, July 25, 1995• Stream Cipher Design -- An evaluation of the eSTREAM
candidate Polar Bear, JOHN MATTSSON, Master of Science Thesis, Stockholm, Sweden 2006
• On the Role of the Inner State Size in Stream Ciphers, Erik Zenner, Reihe Informatik 01-2004
• Attacks on RC4 and WEP, Scott Fluhrer, Itsik Mantin, Adi Shamir• CHOSEN-IV STATISTICAL ATTACKS ON eSTREAM CIPHERS,
Markku-Juhani O Saarinen.• http://www.wikipedia.org/• Yong Zhang, Xiamu Niu, Juncao Li, and Chunming Li. Research
on a novel Hashing Stream Cipher. In Proc. of CIS 2006, Guangzhou, China, November 3-6, 2006
Portland State University Nov. 29th 2007 25 juncao@cs.pdx.edu
Thanks
• Questions?
Portland State University Nov. 29th 2007 26 juncao@cs.pdx.edu
Secure analysis on HSC: Information theory
• Information theory -- Entropy – The larger entropy of the keystream the better– Entropy comes from: IV and Key
– But the IF will spread the entropy to the whole keystream
– This may lead to a better explanation of our construction
Portland State University Nov. 29th 2007 27 juncao@cs.pdx.edu
Secure analysis on HSC: Information theory
• Information theory -- Entropy – Why hash functions? – we want to shrink– The larger entropy of the keystream the better– Entropy come from: IV and Key – If |OV| > |Hash digest|, entropy loses on each
keystream block.– But the IF will spread the entropy to the whole
keystream – This may lead to a better explanation of our
construction
top related