密码学笔记：流密码

该部分为本科期间密码学课程复习笔记的备份。

Impact of Technology（技术的影响）

\[by hand⟶telegraph⟶radio⟶computer \]

New ciphers：

• based on computer characteristics rather than on language structure.
• on binary digits (bits) and not on alphabetic characters.

Computer characteristics

characteristic of computers:

• method of representing information
• produces a different approach to cipher systems

Data in computer systems

stored, processed, transmitted in binary form (as 0’s and 1’s)

Letters

• need to be represented as binary bits in a computer
• developed a standard code called ASCII which assigns a set of 8 bits to each letter

Stream Ciphers Introduction

implemented at the bit level

example: A is ASCII is 0100 0001

if we randomly change some 0’s to 1’s and some 1’s to 0’s the result might be 0010 1011 which is a “+”

binary function

exclusive-OR (XOR)：\(F=A\bigoplus B\)

XOR	A	B	F
Bit	0	0	0
Bit	0	1	1
Bit	1	0	1
Bit	1	1	0

example:

type	stream
plaintext	1 0 0 1 0 1 1 0 0 1 1 1 0 1 0 1 0 0 1
key	0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 1 1 0 0
ciphertext	1 0 1 0 1 1 0 0 1 1 1 0 1 1 0 0 1 0 1

stream cipher model

\[Plaintext⨁ Key\ stream⟹Ciphertext⨁ Key\ stream⟹Plaintext \]

Stream cipher diagram

Key Stream choose

A short sequence of key bits

easy to remember but not very secure

A long sequence of key bits

secure but hard to remember

Problem

How can we generate（生成） a long random-appearing（伪随机） sequence of 0’s and 1’s in way that will ensure that everyone who should have access to the plaintext are able to generate the key when needed?

Shift Register

A shift register is a hardware device which saves bits and shifts bits

They can be loaded in parallel（平行线）, or can load bits in one at a time using shift mode

eg:

4-bit shift register looks like:

why should add some feedback?

• By a simple shift register, we can not solve the problem of generating a long “random appearing” bit stream for a key.
• It will only output the same bit that were shifted into it

liner feedback shift register (LFSR)

take some of the bits in the shift register, combine them with an XOR, and feedback the result as the input.

Breaking stream ciphers

most common ways

1. insertion attack
2. probable word search

Insertion Attack

1. Intercept（拦截） the ciphertext
2. Insert a known bit somewhere in the plaintext and get the modified（修改的） plaintext encrypted with the same key stream
3. Knowledge of the single bit will compromise the plaintext

eg:

Assume that the following ciphertext stream is intercepted

type	stream
plaintext	\(p_1\ p_2\ p_3\ p_4\ p_5\ . . .\ p_n\)
key stream	\(k_1\ k_2\ k_3\ k_4\ k_5\ . . .\ k_n\)
ciphertext	\(c_1\ c_2\ c_3\ c_4\ c_5\ . . .\ c_n\)

insert a bit p after p1 and observe the new ciphertext

type	stream
plaintext	\(p_1\ p \ p_2\ p_3\ p_4\ . . .\ p_n\)
key stream	\(k_1\ k_2\ k_3\ k_4\ k_5\ . . .\ k_n\)
ciphertext	\(c_1\ c \ c_3\ c_4\ c_5\ . . .\ c_n\)

The key and plaintext stream are given by

\[k_2=c ⨁ p ⟶p_2=c_2⨁k_2 \]

\[k_3=c_3 ⨁ p_2 ⟶p_3=c_3⨁k_3 \]

\[k_4=c_4 ⨁ p_3 ⟶p_4=c_4⨁k_4 \]

Probable Word Attack

• To illustrate（举例） a probable word attack, first assume that the LFSR has only 2 feedback links, the first bit and some unknown bit
• The goal of this attack is to discover the unknown link, the size of the LFSR and the key stream
• This will be done using the ciphertext stream and a probable word
• The process will be illustrated using an example
• The LFSR has 6 bits with feedback on the first and fourth bits as shown

step:

1. what we do know is the ciphertext stream
2. Guess the first word is “The”
3. Use this information to find the keystream

\[result_{shift}[0]=\varnothing \]

\[result_{shift}[i+1]=result[i]⨁result[i+1] \]

type	stream
\(word_{binary}\)	0 1 0 1 0 1 0 0 0 1 1 0 1 0 0 0 0 1 1 0 0 1 0 1 ...
\(plaintext\)	1 1 1 0 0 0 0 1 1 1 1 1 1 0 0 1 1 0 0 0 1 1 1 0 0 1 0 0 0 1 ...
\(result\)	1 0 1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 1 ...
\(result_{shift}\)	\(\varnothing\) 1 1 0 1 1 1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 1 1 0

Note: The distance identifies the second bit in the LSFR XOR,to recreate the keystream XOR the 1st and 4th bit

4. Generate the rest of the key stream

type	stream
ciphertext	111000011111100110001110010001101011100000100011
key	101101011001000111101011001000111101011001000111
plaintext	010101000110100001100101011001010110111001100100

RC4

Principle

Stream cipher

Encryption

• RC4 uses an arrangement of the numbers 0 to 255 (8 bits each) in an array S which changes over time
• It consists of two processes
  • A Key Scheduling（调度） Algorithm (KSA) to set up the initial permutation of S
  • A pseudo-random（伪随机） generation algorithm (PRGA) to randomly select elements of S and modify the permutation of S

KSA

1. begins by initialing S such that \(S(i) = i\) for i = 0 to 255

2. A secret key is constructed by selecting a set of numbers which are loaded into a key array K(0 to 255)

3. The usual process is to select a short sequence of numbers and repeat them until K is filled

4. The key array is used to randomize S based on the following algorithm

   \[for \ i = 0 \ to\ 255 \ do： \]
   \[j≡(j+S(i)+K(i))\mod{256} \]
   \[swap(S(i),S(j)) \]

PRGA

• Once the KSA has completed the initial randomization of S, the PRGA takes over and selects bytes for the key stream by selecting random elements of S and modifying S for the next selection
• The selection process relies on two indices i and j which both start at 0
• The following program is run to select each byte of the key stream

\[j≡(i+1)\mod{256} \]

\[j≡j+S(i)\mod{256} \]

\[swap(S(i),S(j)) \]

\[t≡S(j)+S(i)\mod{256} \]

\[k=S(t) \]

Simple example

1. assume using 3 bit representations (the
   numbers range from 0 to 7) and mod 8 operations (instead of mod 256)

   Initial Arrays:

   Type	Index	0	1	2	3	4	5	6	7
   S Array		0	1	2	3	4	5	6	7
   K Array		5	6	7	5	6	7	5	6

2. Use the key to randomize S:

   \[for \ i = 0 \ to\ 8 \ do： \]
   \[j≡(j+S(i)+K(i))\mod{8} \]
   \[swap(S(i),S(j)) \]

   result:

   Type	Index	0	1	2	3	4	5	6	7
   S Array		5	4	0	7	1	6	3	2

3. Now, the S array is ready to be used to produce a sequence of random numbers.

4. With i and j starting at 0, RC4 calculates the first random number as follows:

   when \(i=0\):

   \[i≡(i+1)\mod{8}⟶i=1 \]
   \[j≡(j+(S(i)))mod{8}⟶j=4 \]
   \[Swap \ (S(1),S(4)) \]
   \[t≡(S(i)+S(j))\mod{8}⟶t=5 \]
   \[k=S(t)⟶k=6 \]

5. repeat these steps

Security of RC4

• most important weakness: insufficient（不足的） key schedule
• new attack scenarios: new statistical biases in RC4 key table to recover plaintext with large number of TLS encryptions
• RFC 7465 prohibits the use of RC4 in TLS.
• In 2014 Ronald Rivest gave a talk and published a paper on an updated redesign called Spritz (A New RC4-Like Stream Cipher)

CA

Principle

Stream cipher

Encryption

1. 7 cell 1-dimensional CA is shown below：

   Index	0	1	2	3	4	5	6
   Cell	0	0	1	0	1	0	0

2. Each cell is initialized to 0 or 1

3. The cell values change based on a rule such as:

   Neighbor	000	001	010	011	100	101	110	111
   New State	0	0	0	1	0	1	1	1

4. CA rules are numbered by converting the next state to a decimal number，eg:

   New State: \((00010111)_{2}=23\)

   Rule 90 is：\(90=(01011010)_{2}\)

5. A CA can be used to generate random bits by selecting one of the cells as an output，eg:

   Initialize the CA

   Index	0	1	2	3	4	5	6	7
   cell	0	1	0	1	0	1	1	1

   Rule：30

   Neighbor	000	001	010	011	100	101	110	111
   New State	0	0	0	1	1	1	1	0

   Run CA, Stop when enough random bits have been generated.

2DCA

Introduction

A 2 dimensional CA offers a more powerful random number generator at the expense of additional complexity（复杂性）.

A 2-d CA is just an array of 1-d CA’s

A cell’s value is updated by some function of its current value and the values in its neighbors

Two definitions of neighborhood

In this case there are two different definitions of a neighborhood：

• The von Neumann Neighborhood consists of the cells above,below, to the right, and to the left of the target cell
• The Moore Neighborhood consists of all 8 cells that surround the target cell

2-d CA Rules

The rules for a 2-d CA are much like the 1-d CA rules. They define how a cell is updated based on the values in its neighborhood

Using a von Neumann neighborhood a general rule structure can be defined as:

\[s_{i,j}=X⨁(C*{s_{i,j}(t)})⨁(N*{S_{i-1,j}(t)})⨁(W*{s_{i,j-1}(t)})⨁(S*{s_{i+1,j}(t)})⨁(E*{s_{i,j+1}(t)}) \]

X：随机生成的二进制值（0/1）
C、N、W、S、E：选中的位置二进制值、向北位置的二进制值、向西位置的二进制值、向南位置的二进制值、向东位置的二进制值。

Note：如果是在边界上，向北的方向时向上没有位置了则是同列的最下端位置的值；向南的方向上向下没有位置了则是同列的最上端那个位置的值；向东的方向上向右没有位置了则是同行的最左端的值；向西的方向上向右没有位置了则是同行的最右端的值。

• The values of X,C,N,W,S, and E are used to identify a specific rule
• For example, if (X,C,N,S,W,E) = (001110) then it is rule 14 since (001110) is binary 14
• As a result there are 64 possible rules
• Studies have found that rules 31, 47 and 63 tend to produce good random bits in an 8 x 8 CA
• A random stream is generated by assigning a rule to each cell, initializing the CA to a random state, and running the CA using a center cell to produce the bit stream

example

3x3 CA where each cell is assigned rule 14

One Time Pad Introduction

The one-time pad (or Vernam Cipher) is a special variant of the stream cipher which was proposed in 1917

The pseudorandom keystream is replaced with a random (non-repeating) bit sequence, which is only used once

If used properly it is provably unbreakable (Shannon, 1949)

Key management is hard!

Thanks

Prof.Gao

Reference

Chapter 3 Stream Ciphers