Random walks and analysis of algorithms in cryptography
- Slides: 89
Random walks and analysis of algorithms in cryptography Ilya Mironov Stanford University
Talk overview n Cryptanalysis RC 4 stream cipher n card shuffling n brute force attack n n Broadcast encryption analysis n optimization n n Other work
Talk overview n Cryptanalysis RC 4 stream cipher n card shuffling n brute force attack n n Broadcast encryption analysis n optimization n n Other work
RC 4 stream cipher n n RC stands for “Ron’s Code, ” designed in 1987 by Ron Rivest. Several design goals: speed n support of 8 -bit architecture n simplicity (to circumvent export regulations) n
Abridged history of [alleged] RC 4™ n n 1994 – leaked to cypherpunks mailing list 1995 - first weakness (USENET post) 1996 – appeared in “Applied Cryptography” by B. Schneier as “alleged RC 4” 1997 – first published analysis MS theses: 3 Ph. D thesis: 1
Usage n n SSL/TLS Windows, Lotus Notes, Oracle, etc. Cellular Digital Packet Data Open. BSD pseudo-random number generator
Encryption key state 0001111010101 plain text = cipher text cipher t
Decryption key state 0001111010101 cipher text cipher t = plain text
Security Requirement Indistinguishability from a perfect source of randomness: given part of the output stream, it is impossible to distinguish it from a random string
Second byte [MS 01] n Second byte of RC 4 output is 0 with twice the expected probability
Related key attack [FMS 01] n Wireless Equivalent Privacy protocol (part of 802. 11 b standard): Using keys with known prefixes - BAD IV 1, key IV 1, 001010 IV 2, key IV 2, 1010110001 IV 3, key IV 3, 010111 IV 4, key IV 4, 101010 key
Recommendation Discard the first 256 bytes of RC 4 output [RSA, MS] Is this enough?
RC 4 internal state n 21 Permutation S on 256 bytes: 123 134 24 91 218 13 n Two indices i, j n log 2 (256! 256) 1700 bits 250 138 53 …
Key scheduling algorithm (all arithmetic is mod 256) for i : = 0 to 255 S[i] : = i j : = 0 for i : = 0 to 255 j : = j + S[i] + key[i] swap (S[i], S[j])
Pseudo-random number generator i : = 0 j : = 0 repeat i : = i + 1 j : = j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ])
Both RC 4’s routines for i : = 0 to 255 S[i] : = i j : = 0 for i : = 0 to 255 j : = j + S[i] + key[i] swap (S[i], S[j]) i, j : = 0 repeat i : = i + 1 j : = j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ]) key scheduling pseudo-random number generator
Both RC 4’s routines for i : = 0 to 255 S[i] : = i j : = 0 for i : = 0 to 255 j : = random j + S[i] +(256) key[i] swap (S[i], S[j]) i, j : = 0 repeat i : = i + 1 j : = random j + S[i] (256) swap (S[i], S[j]) key scheduling pseudo-random number generator
Both RC 4’s routines for i : = 0 to 255 S[i] : = i for i : = 0 to 255 j : = random (256) swap (S[i], S[j]) i : = 0 repeat i : = i + 1 j : = random (256) swap (S[i], S[j]) key scheduling pseudo-random number generator
Idealization of RC 4 for i : = 0 to 255 S[i] : = i i : = 0 repeat i : = i + 1 j : = random (256) swap (S[i], S[j])
Idealization of RC 4 for i : = 0 to n - 1 S[i] : = i i : = 0 repeat i : = i + 1 j : = random (n) swap (S[i], S[j])
Talk overview n Cryptanalysis RC 4 stream cipher n card shuffling n brute force attack n n Broadcast encryption analysis n optimization n n Other work
Exchange shuffle n RC 4 card shuffling: i i … i random j When i = n - 1 the permutation is not random
Perfect shuffling n The textbook algorithm to shuffle cards: swap( S[i], S[j]) i i … i random j When i = n - 1 the permutation is perfectly random
Why is it not random? n n! does not divide nn Sign of the permutation: the sign changes each time with probability 1 -1/n Positions of individual cards are predictable
First byte of RC 4 output n The first byte, S[S[1]+S[S[1]]], is biased:
Distinguisher n Less than 2, 000 to recognize a nonrandom output with 10% error
Mixing time n The permutation becomes more and more random. nonrandomness time
Variation distance between two distributions, P and Q on S: d(P, Q)=½ s S |P(s)-Q(s)| variation distance time
The end of the beginning of RC 4 n What is the sufficient number of swaps for the permutation to become random? Find t such that d(Pt, U) <
Card shuffling To shuffle 52 cards: - 7 riffle shuffles ~ 100 random transpositions ~ 30, 000 adjacent transpositions - exchange (RC 4) shuffles?
Lower bound Sign of the permutation: after t rounds sign can be predicted with probability e-2 t
Upper bound Checking argument: 1. initially all cards are unchecked 2. check S[i] if - either i=j - or S[j] is checked 3. keep doing until all cards are checked
Checking argument i j
Checking argument i j S[i] is indistinguishable from other checked cards
Checking argument It takes (n log n) steps to check all cards. It gives an upper bound.
Mixing time n at least (n) n at most O (n log n)
What if n = 256? n n Optimistically (go with the lower bound) mixes in 4 256 steps Conservatively (use the upper bound) mixes in 16 256 steps
New development n n E. Mossel, A. Sinclair, Y. Peres (Berkeley): the upper bound is tight mixing time = Θ(n log n) Distinguisher: look at the cards from the left half
Talk overview n Cryptanalysis RC 4 stream cipher n card shuffling n brute force attack n n Broadcast encryption optimization n analysis n n Other work
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2] S[j]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2] S[j] S[3]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2] S[j] S[3] S[j]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2] S[j] S[3]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2] S[j] S[3] S[j]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2] S[j] S[3]
Backtracking j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[j] S[2] S[j] S[3] S[j]
Cost of backtracking n n n Keep guessing until there is a critical mass ≈ 100 entries Each guess is ≈ 8 bits, which multiplies the running time by 28 Estimated running time ~ 2800 (for comparison – there are 2200 particles in the universe)
Improvement j : = S[1] t : = S[1] + S[j] output S[t] j : = j + S[2] t : = S[2] + S[j] output S[t] j : = j + S[3] t : = S[3] + S[j] output S[t] S[1] S[2] S[3]
Running time of improved algorithm n n Much more intricate analysis of an unbalanced tree Estimated less than 2600
Why is it interesting? n n What about “short RC 4”: 64 -byte permutation? internal state has size 300 bits 64 -byte RC 4 is secure against the old attack, borderline under the new attack
Talk overview n Cryptanalysis RC 4 stream cipher n card shuffling n brute force attack n n Broadcast encryption analysis n optimization n n Other work
Broadcast encryption k k k source k k k receivers Very little overhead One rogue user compromises the whole system
Broadcast encryption source k 1 k 2 k 3 k 4 k 5 k 1, k 2, k 3, k 4, k 5, …, kn k 6 k 7 … kn receivers broadcast E[k 1, k], E[k 2, k], …, E[kn, k], E[k, M]
Broadcast encryption source k 1 k 2 k 3 k 4 k 5 receivers Simple user revocation Too many keys k 1, k 2, k 3, k 4, k 5, …, kn k 6 k 7 … kn
Subset-cover framework (Naor-Lotspiech’ 01) S 7 S 1 S 8 S 6 S 4 S 5 S 3 S 2
Subset-cover framework (Naor-Lotspiech’ 01) receiver u knows keys: k 3 k 4 k 5 S 7 S 1 S 8 S 6 S 4 u S 3 S 5 S 2
Key distribution n n Based on some formal characteristic: e. g. , DVD’s serial number Using some real-life descriptors: — Microsoft employees — researchers — California state residents — Ph. D’s
Broadcast using subset cover S 10 S 8 S 1 S 3 S 5 header uses k 1, k 3, k 5, k 6, k 8, k 10 S 6
Subtree difference All receivers are associated with the leaves of a full binary tree k 00 k 01 k 0… 0 k 0… 1 k 1… 1
Subtree differences special set Si, j i j
Subtree difference
Subtree difference
Subtree difference
Subtree difference
Subtree difference
Subtree difference
Subtree difference
Subtree difference
Greedy algorithm n Easy greedy algorithm for constructing a subtree cover for any set of revoked users
Greedy algorithm n Find a node such that both of its children have exactly one revoked descendant
Greedy algorithm n Add (at most) two sets to the cover
Greedy algorithm n Revoke the entire subtree
Greedy algorithm n Could be less than two sets
Analysis of this algorithm R - number of revoked users C – number of sets in the cover C ≤ 2 R-1 n averaged over sets of fixed size [NNL’ 01] E[C] ≤ 1. 38 R n simulation experiments give [NNL’ 01] E[C] ~ 1. 25 R n
Analysis of this algorithm R - number of revoked users C – number of sets in the cover If a user is revoked with probability p « 1: E[C] ≈ 1. 24511 E[R]
Exact formula where
Mellin transform
Asymptotic E[C]/E[R] 1. 24511 p
Asymptotic 1. 2451134… 3 log 2 4/3 1. 2451114… E[C]/E[R] p
Talk overview n Cryptanalysis RC 4 stream cipher n card shuffling n brute force attack n n Broadcast encryption analysis n optimization n n Other work
Halevy-Shamir scheme n Noticed that subtree differences are decomposable:
Halevy-Shamir scheme n Fewer special sets reduce memory requirement on receivers
Improvement n n For practical parameters save additionally 20% compared to the Halevy-Shamir scheme This is joint work with N. Alon, D. Halevy, A. Shamir
Talk overview n Cryptanalysis RC 4 stream cipher n card shuffling n brute force attack n n Broadcast encryption analysis n optimization n n Other work
Other work n n n New classes of hash functions and analysis of a construction for hash functions [Eurocrypt’ 01] Crypto and game theory in peer-to-peer filesharing networks [EC’ 01, FC’ 02] Construction of short signatures based on discrete logarithm [CT-RSA’ 03]
- He who walks with integrity walks securely meaning
- Physics review letter
- Random assignment vs random sampling
- Random assignment vs random selection
- Theme of the poem she walks in beauty
- Personification in she walks in beauty
- Imagery she walks in beauty
- 1001 design
- Association analysis: basic concepts and algorithms
- Cluster analysis basic concepts and algorithms
- Probabilistic analysis and randomized algorithms
- Introduction of design and analysis of algorithms
- Cluster analysis basic concepts and algorithms
- Cluster analysis basic concepts and algorithms
- Cluster analysis basic concepts and algorithms
- Binary search in design and analysis of algorithms
- Introduction to the design and analysis of algorithms
- Design and analysis of algorithms
- Design and analysis of algorithms
- Cluster analysis basic concepts and algorithms
- Design and analysis of algorithms
- Algorithm analysis examples
- Analysis of algorithms
- Input in algorithm
- Analysis of algorithms
- Analysis of algorithms
- Mathematical analysis of non-recursive algorithms
- Analysis of algorithms lecture notes
- Goals of analysis of algorithms
- Competitive analysis algorithms
- What runs but never walks
- Summary of to kill a mockingbird chapter 26
- She walks in beauty metaphors
- She walks in beauty rhyme scheme
- A woman walks into a hospital clutching her abdomen
- Cehl:morv::wybf:
- How creatures move poem
- Past simple movies
- She walks in beauty tone
- Once upon a time there lived a little
- Steve walks from point p to point q
- The fly cup inverurie
- Who walks the golden chain of lukomorye
- Walks talent management
- Definition of pure
- Jazz walk
- Quantum walks
- Quantum walks
- Gordon 101 poems
- Lord byron kimdir
- Quinton typically walks 28 yards south
- He who walks with the wise grows wise
- She walks in beauty quiz
- Wireless security in cryptography
- Modulo table
- Introduction to network security and cryptography
- Number theory in cyber security
- Firewall in cryptography and network security
- Authentication in cryptography and network security
- Cryptography standards and protocols
- Confusion and diffusion
- Approaches to message authentication
- Divisibility and division algorithm in cryptography
- Intruders in network security
- Elliptic curves number theory and cryptography
- Cryptography security services
- Primitive root
- Cryptography and network security 6th edition pdf
- Cryptography and network security pearson
- Euler's theorem in cryptography and network security
- Cryptography and network security 4th edition
- What are cryptography and cryptanalysis
- Fermat's theorem in cryptography and network security
- Finite fields in cryptography and network security
- Dsa in network security
- Modular arithmetic in cryptography and network security
- Pgp in cryptography and network security
- Define diffusion and confusion
- Algebra and cryptography
- Euler's theorem in cryptography and network security
- Malicious software in cryptography and network security
- Introduction to cryptography and network security
- Rsa algorithm in cryptography and network security
- Introduction to cryptography and network security
- Computational thinking algorithms and programming
- Data structures and algorithms iit bombay
- Fftooo
- Amit agarwal princeton
- Data structures and algorithms tutorial
- Algorithms for select and join operations