Lecture 3 - Stream Cipher Flashcards
(20 cards)
What is the alternative to OTP?
Since the OTP key must be as long as the plaintext, we aim for computational security instead of perfect security.
What is the key idea behind using a pseudo-random generator (PRG) in OTP encryption?
Instead of using a truly random key for OTP, a PRG expands a short random seed into a long pseudorandom key stream. This makes OTP encryption practical while maintaining security, as long as the PRG output is indistinguishable from true randomness.
What are the key properties of a Pseudorandom Generator (PRG)?
- Expansion: Takes a short seed of length s and expands it into a longer output of length n, where n ≫ s.
- Security: The output G(k) should be computationally indistinguishable from a truly random sequence.
Why is using a PRG beneficial compared to a true OTP?
OTP requires a key as long as the message, making it impractical. A PRG-based OTP uses a short seed to generate a long pseudorandom key stream, reducing key management complexity while keeping encryption secure.
If k ← {0,1}^s is chosen uniformly at random,
is G(k) distributed identically to the uniform distribution on {0,1}^n?
No! G(k) only takes values in a small subset of {0,1}^n,
namely the image G({0,1}^s).
PRG output “looks random” and must pass some tests to be usable. Name two kinds of applications and the tests the output must pass for each.
- Non-cryptographic applications - Must pass some statistical tests (such generators must never be used for cryptographic purposes)
- Cryptographic applications - Must pass ALL efficient statistical tests with OVERWHELMING probability
What is the definition of a PRG?
Let ℓ(n) be a polynomial in n and G: {0,1}^n → {0,1}^ℓ(n) be an efficient algorithm.
G is a PRG if:
- Expansion: ∀n: ℓ(n) > n
- Pseudo-randomness: ∀ ppt distinguishers D there exists a negligible function negl() such that
|Pr(D returns 1 on a truly random key stream of length ℓ(n)) − Pr(D returns 1 on the pseudorandom key stream G(k))| ≤ negl(n)
Explain computational indistinguishability.
If P1 and P2 are two distributions over {0,1}^n, we say that P1 and P2 are computationally indistinguishable if:
∀ ppt distinguishers D there exists a negligible function negl() such that
|Pr(D returns 1 on P1) − Pr(D returns 1 on P2)| ≤ negl(n)
Name types of attacks against a cryptographic scheme
- No ciphertext attack - Attacker doesn’t see any ciphertexts except the challenge pair
- Known plaintext attack - Messages come from a certain distribution over which the attacker has no control
- Chosen-plaintext attack (CPA) - Attacker can choose messages m1, …, mt and gets the corresponding ciphertexts
- Chosen-ciphertext attack (CCA) - Attacker can additionally choose ciphertexts c1, …, ct and get their decryptions
What is semantic security with PRGs?
If G is a PRG, then Enc(k, m) = G(k) ⊕ m is a semantically secure encryption scheme.
What is the general idea of “Specification of reduction”?
Describe how an adversary A against semantic security can be used to construct a distinguisher D against the PRG.
(PRG secure → stream cipher secure) ⟺ (stream cipher not secure → PRG not secure) ⟺ (there exists A against the stream cipher → there exists D against the PRG)
- Analysis of the reduction:
- Analysis of the probability of success of the reduction
- Runtime of the reduction
Explain the simplest theoretical construction of a PRG.
“A PRG can be constructed from any one-way function”
One-way functions exist → cryptographic PRGs exist → semantically secure encryption exists
What is a one-way function?
A function that’s easy to compute but difficult to invert.
What is the problem with PRGs in practice?
- Impractical for stream ciphers: the entire bit string of length ℓ(n) is generated at once
- In practice: PRGs with a fixed output length are used and iterated
How are practical PRGs/stream ciphers utilized?
The PRG receives a fresh seed per message and expands it into the key stream for that message; this is repeated for every message, changing the seed each time so that no two messages are encrypted with the same key stream. The state is initialized as st = init(k, IV), where the IV is what changes the state from message to message.
What is RC4?
- Rivest Cipher 4
- Popular until recently, but has big security issues
- Used in WEP, WPA and TLS
- Very efficient and simple, but has security issues
Issues with RC4
- No separate IV
- Discovered that some bytes of the output have bias
- The first bytes of the output sometimes reveal information about the key
- Other known weaknesses
What is WEP and how does it utilize RC4?
WEP - “Wired Equivalent Privacy”
- Launched in 1999, still used in WLAN communication
How RC4 is used:
- The seed is obtained by concatenating the key k and the IV
- Old version: |k| = 40 bits, |IV| = 24 bits (intentionally weakened due to US export restrictions) → brute force possible
- New versions: |k| = 104 bits, |IV| = 24 bits
Do stream ciphers provide integrity?
No. An attacker can manipulate the ciphertext undetected, which results in a different plaintext. So even though the attacker cannot eavesdrop on the conversation, they can manipulate it so that a completely different message from the original one is delivered.