On some properties of PRNGs based on block ciphers in counter mode

Similar documents
Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Pseudo-random Number Generation. Qiuliang Tang

Public-key Cryptography: Theory and Practice

Notes for Lecture 9. 1 Combining Encryption and Authentication

Lecture 12: Block ciphers

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

CPSC 467: Cryptography and Computer Security

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Computer Science A Cryptography and Data Security. Claude Crépeau

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Pseudo-Random Generators

Pseudo-Random Generators

Block ciphers And modes of operation. Table of contents

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Private-key Systems. Block ciphers. Stream ciphers

Block Ciphers/Pseudorandom Permutations

Pseudorandom Generators

Lecture Notes 20: Zero-Knowledge Proofs

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Cryptography 2017 Lecture 2

The Indistinguishability of the XOR of k permutations

Lecture Notes. Advanced Discrete Structures COT S

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

A novel pseudo-random number generator based on discrete chaotic iterations

Solution of Exercise Sheet 7

Network Security (NetSec)

Data and information security: 2. Classical cryptography

CS 6260 Applied Cryptography

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Thesis Research Notes

Network Security. Random Numbers. Cornelius Diekmann. Version: November 21, 2015

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

-Cryptosystem: A Chaos Based Public Key Cryptosystem

Lecture Notes. Advanced Discrete Structures COT S

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Perfectly-Secret Encryption

El Gamal A DDH based encryption scheme. Table of contents

CTR mode of operation

III. Pseudorandom functions & encryption

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Modern Cryptography Lecture 4

Chapter 2 Balanced Feistel Ciphers, First Properties

CS 395T. Probabilistic Polynomial-Time Calculus

CPA-Security. Definition: A private-key encryption scheme

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Pseudorandom Sequences I: Linear Complexity and Related Measures

Lecture 2: Perfect Secrecy and its Limitations

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CLASSICAL ENCRYPTION. Mihir Bellare UCSD 1

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Equivalences of Basic Cryptographic Functions

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Adaptive Security of Compositions

Random Bit Generation

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

AES side channel attacks protection using random isomorphisms

USING POLY-DRAGON CRYPTOSYSTEM IN A PSEUDORANDOM NUMBER GENERATOR MSTg. 1. Introduction

Lecture 9 - One Way Permutations

Computational security & Private key encryption

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

Perfect Block Ciphers With Small Blocks

Improved security analysis of OMAC

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Cook-Levin Theorem. SAT is NP-complete

Known and Chosen Key Differential Distinguishers for Block Ciphers

Public Key Cryptography

All-Or-Nothing Transforms Using Quasigroups

The failure of McEliece PKC based on Reed-Muller codes.

State Recovery Attacks on Pseudorandom Generators

STORY of SQUARE ROOTS. and QUADRATIC RESIDUES. Part I. Public-key cryptosystems II. Other cryptosystems and cryptographic primitives

Authentication. Chapter Message Authentication

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

CPSC 467: Cryptography and Computer Security

MasterMath Cryptology /2 - Cryptanalysis

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Improbable Differential Cryptanalysis and Undisturbed Bits

STREAM CIPHER. Chapter - 3

CS 6260 Applied Cryptography

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Lecture 4: DES and block ciphers

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Lattice Cryptography

Notes on Alekhnovich s cryptosystems

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Public-seed Pseudorandom Permutations EUROCRYPT 2017

CPSC 467b: Cryptography and Computer Security

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Symbolic Encryption with Pseudorandom Keys

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

MATH3302 Cryptography Problem Set 2

Solutions to the Mathematics Masters Examination

Transcription:

On some properties of PRNGs based on block ciphers in counter mode Alexey Urivskiy, Andrey Rybkin, Mikhail Borodin JSC InfoTeCS, Moscow, Russia alexey.urivskiy@mail.ru 2016

Pseudo Random Number Generators G: 0,1 m 0,1 M for M m Typical assumptions for a cryptographic PRNG: G is efficiently computable the seed is uniformly distributed on 0,1 m G is random-like : no polynomial statistical test can distinguish G from a truly random generator with uniform distribution (informally)

Pseudo Random = Unpredictable Predictability problem: predict the next output bit for G with probability better than ½ if all previously output bits are known Next-bit test: G passes the test if the next bit cannot be predicted by any polynomial predictor. Theorem [Yao 82] : if G passes the next-bit test it will pass any polynomial statistical test.

PRNGs based on block ciphers G1 E(K, T) block cipher K V k key T V n message G1: for i=0 to M do count IV + i mod 2 n a i E K, count Consider the case M < N = 2 n.

PRNGs based on block ciphers G1 G1 is highly appreciated and widely used ISO/IEC 18031 CTR_DRBG. However, if G1 has output a symbol, it will never output it again For M~ N due to the birthday paradox becomes distinguishable from a truly random uniform generator.

PRNGs based on block ciphers G2 G2: for i = 0 to M do count IV + i mod 2 n a i E K, count E 1 K, count + 1

PRNGs based on block ciphers G2 IV K +1 E(K, T) E 1 (K, T + 1)

PRNGs based on block ciphers G2 G2: for i = 0 to M do count IV + i mod 2 n a i E K, count E 1 K, count + 1 Will a second cipher help? and how?

Idealized model for PRNGs Assumption 1: encryption (decryption) procedure of an n-bit block cipher with a random key is a random permutation on V n 0 1 2 2 n -2 2 n -1 σ(0) σ(1) σ(2) σ(2 n -2) σ(2 n -1) Typical to cryptanalysis: a good block cipher with a random key must be indistinguishable from a random permutation.

Idealized model for PRNGs Assumption 2: encryption and decryption procedures of a block cipher with the same random key are independent so they are the two random and independent permutations on V n. G1I: E K, T σ T G2I: E K, T E 1 K, T + 1 σ 1 T σ 2 (T + 1)

Does IV matter? σ (i) = σ( i + IV mod 2 n ) Another choice of IV leads to a different σ given σ, however from the same set: IV = 0 G1I: E K, T σ T G2I: E K, T E 1 K, T + 1 σ 1 T σ 2 (T)

Output sequences G1I: a 0, a 1, a 2,, a N 2, a N 1 N N 1 N 2 2 1 = N! N 1 G2I: σ i = 0 i V n i=0 a i = σ 1 i σ 2 i = 0 i V n a 0, a 1, a 2,, a N 2, a N 1 N N N N 1 N N 1

Theorem (Hall 52). For any sequence a 0, a 1,, a N 1, a i V n, i = 0,1,, 2 n 1, satisfying the condition N 1 i=0 a i = 0 there exists at least one pair of permutations σ 1, σ 2 on V n such that a i = σ 1 i σ 2 i. a 0, Output sequences a 1, a 2,, a N 2, a N 1 N N N N 1 = N N 1

Output sequences: summary Type Number (of length N ) G1I σ count all elements are different N! G2I σ 1 count σ 2 (count) any fixed N 1 elements are arbitrary N N 1 N! N N 1 = 2πN NN e N N = N ln N e 2πN NN

Equivalent representation for G2I 0 1 2 3 N 1 0 0 1 2 3 N 1 1 1 0 3 2 N 2 2 2 3 0 1 N 3 M = 3 3 2 1 0 N 4 N 1 N 1 N 2 N 3 N 4 0

Equivalent representation for G2I Definition. A sequence of pairs of indices i 0, j 0, i 1, j 1,, (i N 1, j N 1 ), i l, j l {0,1,, N 1}, i k i t, j k j t for any t k is called a trajectory on M. Definition. The sequence M i 0, j 0, M i 1, j 1,, M(i N 1, j N 1 ) is called the output of the trajectory i 0, j 0, i 1, j 1,, (i N 1, j N 1 )

Equivalent representation for G2I Proposition. Between the set of ordered pairs of permutations on V n and the set of trajectories on matrix M a one-to-one correspondence can be defined so that the sum of the pair of permutations will coincide with the output of the corresponding trajectory. Corollary. The generation process is: the s-th output symbol a s is chosen randomly from M. After that the row and the column containing a s are struck out from M.

Equivalent representation for G2I 0 1 2 3 N 1 1 0 3 2 N 2 M = 2 3 0 1 N 3 3 2 1 0 N 4 N 1 N 2 N 3 N 4 0

Equivalent representation for G2I 0 1 2 3 N 1 1 0 3 2 N 2 M = 2 3 0 1 N 3 3 2 1 0 N 4 N 1 N 2 N 3 N 4 0 a 0 = 3 2,1,

Equivalent representation for G2I 0 1 2 3 N 1 1 0 3 2 N 2 M = 2 3 0 1 N 3 3 2 1 0 N 4 N 1 N 2 N 3 N 4 0 a 0 = 3 2,1,

Equivalent representation for G2I 0 1 2 3 N 1 1 0 3 2 N 2 M = 2 3 0 1 N 3 3 2 1 0 N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2 2,1, (1,3)

Equivalent representation for G2I 0 1 2 3 N 1 1 0 3 2 N 2 M = 2 3 0 1 N 3 3 2 1 0 N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2 2,1, (1,3)

Equivalent representation for G2I 0 1 2 3 N 1 1 0 3 2 N 2 M = 2 3 0 1 N 3 3 2 1 0 N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2, a 2 = N 3 2,1, (1,3), (N-1,2)

Equivalent representation for G2I 0 1 2 3 N 1 1 0 3 2 N 2 M = 2 3 0 1 N 3 3 2 1 0 N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2, a 2 = N 3 2,1, (1,3), (N-1,2)

Conditional probability Conditional probability P a s a s 1, a s 2,, a 0 is the probability for a generator to output a s provided a s 1, a s 2,, a 0 were output before. To estimate P a s a s 1, a s 2,, a 0 for G2I it suffices to estimate how many a s are left in M after s rows and columns were struck out.

Conditional probability G1I P a s a s 1, a s 2,, a 0 = 0, if a s {a s 1, a s 2,, a 0 }; 1, otherwise. N s G2I P 1 = N 2s N s 2 P a s a s 1, a s 2,, a 0 N s N s 2 = P 2 P 1 < 1 N < P 2

Conditional probability: summary Lower bound Number of symbols Upper bound Number of symbols G1I σ count 0 G2I σ 1 count σ 2 (count) N 2s N s 2 Ideal s N s N 1 N s 1 N s N s s N 1 N 1 N

Thank you! Questions?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback