A Framework for Stream Ciphers Based on Pseudorandomness

A Framework for Stream Ciphers Based on Pseudorandomness, Randomness and Error-Correcting Coding Miodrag Mihaljevic Enhancing Crypto-Primitives with Techniques from Coding Theory NATO Advanced Research Workshop 6 - 9 October 2008 Veliko Tarnovo, Bulgaria 1

Roadmap • Introduction • Underlying Ideas and Novel Framework • Particular Novel Stream Ciphering Approaches Based on Employment of Pure Randomness • A Model of Certain Stream Ciphers Based on Pure Randomness • LPN Problem and a Security Evaluation Approach • Framework for the Security Evaluation • Concluding Remarks 2

I. Introduction Certain References on Cryptographic Primitives Based on Pure Randomness 3

Some Initial References • R. J. Mc. Eliece, “A public key cryptosystem based on algebraic coding theory”, DSN progress report, 42 -44: 114 -116, 1978. (well known reference) • M. Willett, “Deliberate noise in a modern cryptographic system”, IEEE Transactions on Information Theory, vol. 26, no. 1, pp. 102 -104, Jan. 1980. (almost forgotten reference) • A. Blum, M. Furst, M. Kearns and R. Lipton, “Cryptographic Primitives Based on Hard Learning Problems”, CRYPTO 1993, Lecture Notes in Computer Science, vol. 773, pp. 278– 291, 1994. • N. Hopper and M. Blum, ``Secure Human Identification Protocols'', ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pp. 52 -66, 2001. 4

A. D. Wyner, “The wire-tap channel”, Bell Systems Technical Journal, vol. 54, pp. 1355 -1387, 1975. • A different approach for achieving secrecy of communication based on the noise has been reported by Wyner in 1975 assuming that the channel between the legitimate parties is with a lower noise in comparison with the channel via which a wire-tapper has access to the ciphertext. • The proposed method does not require any secret. It is based on a specific coding scheme which provides a reliably communications within the legitimate parties and prevents, at the same time, the wire-tapper from learning the communication's contents. 5

Some Recent References • J. Katz and J. Shin, “Parallel and Concurrent Security of the HB and HB+ Protocols”, EUROCRYPT 2006, Lecture Notes in Computer Science, vol. 4004, pp. 73– 87, 2006. • J. -P. Aumasson, M. Finiasz, W. Meier and S. Vaudenay, “TCHo: A Hardware-Oriented Trapdoor Cipher”, ACISP 2007, Lecture Notes in Computer Science, vol. 4586, pp. 184– 199, 2007. • H. Gilbert, M. J. B. Robshaw and Y. Seurin, “HB#: Increasing the Security and Efficiency of HB+”, EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965, pp. 361 -378, 2008. • H. Gilbert, M. J. B. Robshaw, and Y. Seurin, “How to Encrypt with the LPN Problem”, ICALP 2008, Part II, Lecture Notes in Computer Science, vol. 5126, pp. 679 -690, 2008. 6

Certain Origins for Our Work • M. Mihaljevic, “Generic framework for secure Yuen 2000 quantum-encryption employing the wire-tap channel approach”, Physical Review A, vol. 75, no. 5, pp. 052334 -1 -5, May 2007. • M. Fossorier, M. Mihaljevic and H. Imai, “Modeling Block Encoding Approaches for Fast Correlation Attack”, IEEE Transactions on Information Theory, vol. 53, no. 12, pp. 4728 -4737, Dec. 2007. • M. Mihaljevic, M. Fossorier and H. Imai, “Security Evaluation of Certain Broadcast Encryption Schemes Employing a Generalized Time-Memory-Data Trade-Off”, IEEE Communications Letters, vol. 11, no. 12, pp. 988990, Dec. 2007. 7

II. Underlying Ideas and the Framework 8

Novelties of Our Designs in Comparison with the Reported ones Employment of two different binary pure randomness within a cryptographic primitive: • one Berunolli distributed with the parameter <<1/2 • another with Uniform distribution and the parameter equal to 1/2 Dedicated encoding for providing the attacker confusion employing: • Homophonic coding approaches • Wire-tap Channel coding approaches 9

General Underlying Ideas in Our Designs Enhancing cryptographic primitives employing - pure randomness and - coding theory • Particularly: Employment of the concept of the binary channels with insertion and complementation (and deletion). 10

Main Goals • A framework for design of stream ciphers which provides opportunity for design the security as high as possible based on the employed secret key, i. e. complexity of recovering the key as close as possible to O(2 K) • A trade-off between the security and the communications rate: Increase the security up to the upper limit at the expense of a moderate decrease of the communications rate. 11

Underlying Ideas for Novel Stream Ciphers Paradigm A Happy Merge (Marriage) of Pseudo -randomness and Randomness 12

The Main Underlying Ideas • Employ physical noise which an attacker must face, in order to strengthen the stream cipher. • Strengthen the stream cipher employing a dedicated encoding following the homophonic or wire-tap channel encoding approaches. 13

A Framework of Stream Ciphering Employing Randomness a related traditional stream cipher and a novel particular one based on deliberate randomness 14

A Traditional Stream Cipher based on Encode+Encrypt Paradigm in order to cope with an inherent noise in the public communication channel employ “encode+encrypt” (the paradigm employed in GSM) 15

Encryption secret key plaintext Keystream Generator Error-Correction Encoding + Public Comm. Channel Decryption plaintext Error-Correction Decoding secret key + Keystream Generator (b. s. c or erasure channel, for example) 16

Novel Framework Based on Employment of Randomness and Dedicated Coding&Ciphering 17

Encryption Keystream Generator secret key plaintext Error-Correction Encoding Dedicated Encoding&Encryption Source of Randomness Public Comm. Channel Decryption plaintext secret key Error-Correction Decoding Dedicated Decoding&Decryption Keystream Generator 18

Notes (1): Novel Paradigm • Traditional stream ciphers do not include any randomness: Basically, they are based on the deterministic operations which expand a short secret seed into a long pseudorandom sequence. • This talk proposes an alternative approach yielding a novel paradigm for design of stream ciphers. • The proposed framework employs a dedicated coding and a deliberate noise which, assuming the appropriate code and noise level, at the attacker's side provides increased confusion up to the limit determined by the secret key length. • Decoding complexities with and without the secret key are extremely different 19

Notes (2): Security-Overhead Trade-Off In order to achieve the main security goal, the proposed stream ciphering approach includes the following two encoding schemes with impacts on the communications overhead: • error-correction encoding of the messages; • dedicated homophonic/wiretap channel coding which performs expansion of the initial ciphertext. . • Both of these issues imply the communications overhead: Accordingly, the proposed stream ciphers framework includes certain trade-off between the security and the communications overhead which in a number of scenarios can be considered as very appropriate. 20

III. Particular Novel Stream Ciphering Approaches Employing Randomness Homophonic and Wire-Tap Channel Like Coding 21

III. 1 Two Variants of a Simple Construction embed random bits + enforce a binary symmetric noise channel 22

Variant A 23

Encryption Keystream Generator secret key plaintext Error-Correction Encoding + Embedding + Source of Randomness Public Comm. Channel Decryption plaintext secret key Error-Correction Decoding + Decimation Keystream Generator 24

Variant B 25

Encryption Keystream Generator secret key plaintext Error-Correction Encoding Embedding + + Source of Randomness Public Comm. Channel Decryption plaintext secret key Error-Correction Decoding Decimation + Keystream Generator 26

III. 2 Stream Ciphering Employing Wire-Tap Channel Coding - a generic scheme and its discussion - 27

Wire-Tap Channel A. D. Wyner, “The wire-tap channel”, Bell Systems Technical Journal, vol. 54, pp. 1355 -1387, 1975. 28

X U Y Alice Channel C 1 Bob Channel C 2 Z Eve 29

Coding Strategy for the Wire-Tap Channel • Goal of encoding paradigm for the wire-tap channel is to make the noisy data available to Eve (across the wire tap channel) useless and achieving this goal is based on adding the randomness in encoding algorithm. 30

Groups of the codewords: Same symbol denote different codewords belonging to the same group Codewords and N-dim Sphere * x x * * ** * xx x x x ***** * * x ** 31

Encryption Keystream Generator secret key plaintext Error-Correction Encoding + Mapping Wire-Tap Channel Encoding + Source of Randomness Public Comm. Channel Decryption plaintext secret key Error-Correction Decoding + Keystream Generator Wire-Tap Channel Decoding + Mapping 32

IV. A Model of Certain Stream Ciphers Based on Pure Randomness - a model suitable for security analysis - 33

Encryption Keystream Generator secret key plaintext Error-Correction Encoding Embedding + + Source of Randomness Public Comm. Channel Decryption plaintext secret key Error-Correction Decoding Decimation + Keystream Generator 34

Security as a Decoding Problem after Two Noisy Channels Encryption secret key plaintext Keystream Generator Error-Correction Encoding Channel with Insertion of Random Bits + Binary Symmetric Channel 35

Security Consideration via Implications of the Coding and the LPN Problem Encryption secret key plaintext Keystream Generator Error-Correction Encoding Homophonic Encoding LPN Problem Based Encryption 36

Analytical Specification 37

Simplified Model of a Stream Cipher 38

V. LPN Problem and a Security Evaluation Approach (LPN – Learning from Parity with Noise) 39

LPN Problem • Problem of decoding of a general random linear block code after a binary symmetric channel with given crossover probability. • More formal formulations of the problem as well as its solutions are possible. 40

Underlying Problem of the LPN noisy variables S Y S T E M linear-f 1(x 1, x 2, …, x. K) = z 1 linear-f 2(x 1, x 2, …, x. K) = z 2 … O V E R D E F I N E D linear-f. N(x 1, x 2, …, x. K) K << N = z. N 41

Notations (1) 42

Notations (2) 43

Notations (3) - Oracles 44

The LPN Problem and its Solution 45

Hardness of the LPN Problem • M. Fossorier, M. Mihaljevic, H. Imai, Y. Cui and K. Matsuura, “An Algorithm for Solving the LPN Problem and its Application to Security Evaluation of the HB Protocols for RFID Authentication”, INDOCRYPT 2006, LNCS, vol. 4329, pp. 48 -62, Dec. 2006. 46

A Technical Lemma 47

Security Evaluation Approaches and a Security Model 48

Two Particular Security Evaluation Approaches • Security evaluation via consideration of the a formal security underlying decoding model and an problem. evaluation game. • Further on, this approach will be discussed. 49

A Security Evaluation Approach 50

A Security Evaluation Game 51

52

53

VI. Framework for Security Evaluation 54

55

56

Proof. Recall that non-adaptive CPA-security (P 1) implies adaptive CPA-security (P 2), hence we may restrict ourselves to adversaries accessing the encryption oracle only during the first phase of the attack (before seeing the challenge ciphertext). 57

58

59

60

61

62

63

VII. Concluding Notes Framework, Instantiations and Security Evaluation Elements 64

Main messages • A general framework and certain particular incarnations of stream ciphers based on randomness and dedicated coding are proposed. • The dedicated coding employs homophonic and wire-tap channel like coding approaches. • A security evaluation has been performed implying that security under certain attacking scenarios appears as a consequence of hardness of the LPN problem. 65

Thank You Very Much for the Attention, and QUESTIONS Please! 66