hsc: building stream cipher from secure hash functions

HSC: Building Stream Cipher from Secure Hash

Functions

Juncao LiNov. 29th 2007

Department of Computer Science

Portland State University

Portland State University Nov. 29th 2007 2 [email protected]

Agenda

• Introduction to the Stream Cipher

• Security of the Stream Cipher• Construction of the Hashing

Stream Cipher• Analysis of the HSC


Agenda





Introduction: Stream Cipher

• Symmetric Cipher• Encryption/Decryption Scheme

– Take a Key and an IV (optional)– Generate a pseudorandom keystream(pad)

– XOR the pad with the plaintext like onetime pad

PNG

Plaintext

XOR

PN

Plaintext

Ciphertext


Stream Cipher: types

• State Cipher– Maintains an internal state– Based on which, the keystream is

generated– Usually, the internal state is kept

secrete– As large as possible


Stream Cipher: types

• Synchronous – The state changes independently of the

plaintext or ciphertext– RC4– Non-error-propagation– Keep synchronized

• Self-synchronizing stream ciphers– Previous ciphertext digits are used to compute

the keystream – CFB: a block cipher in cipher-feedback mode

(CFB)– Input to the generator is partially exposed– Limitation of the analyzability: keystream

depends on the messages


Agenda





Security analysis: goal

• Hard to guess next bit of the keystream generator with some probability: better than random guessing– About the appearance of the keystream– Noticeable more 1s than 0s in the

keystream• Hard to reproduce the keystream from

the keystream that we already have– About the inherent complexity of the

keystream– Existence of the short period


Formal security support

• Theoretical support– Yao’s work: a pseudo-random generator

could be 'effciently' predicted if, and only if, the generator could be 'effciently' distinguished from a perfectly random source.


Security in appearance

• Security measures in appearance– Long period

• A keystream generator can be modeled by a finite state machine

• Eventually some states will repeat which lead to a period

– Statistical measures• Have the appearance of (periodic) pseudo-

random sequences

– Complexity


Agenda

• Definition of the Stream Cipher• Security of the Stream Cipher• Construction of the Hashing



HSC

• It’s a synchronous streamcipher• It takes an IV and a random Key as input• Define

– Original Vector: OV = Key || IV

– Increasing Factor: , where is byte accumulation, and i is public. If IF = 0, set IF = 1

– Keystream Block: , where KBn represents nth keystream block

imOVIF 2mod mOV

}2 |{ xandNxxi

IFnOVHashKBn


HSC: Framework

Hash Function

Key || IV + IncreasingFactor

Fixed-length Key Stream Block 1

Hash Function

Key || IV + 2× IncreasingFactor

Fixed-length Key Stream Block 2

Hash Function

Key || IV + n× IncreasingFactor

Fixed-length Key Stream Block n……

…………

……


Intuitions: why HSC

• Hash function is easy to find– Easy to implement our scheme based on

the existing systems

• We can prove the security of HSC based on the security of Cryptographic Hash functions


Agenda





Secure analysis on HSC:Period

• Period– Ideally, no period if the core hash

function is collision-resistant – Assume there’s a m bits period, we can

find the collision every m/n iterations

Hash Function

OV + IF

Key Stream Block 1 ……

……

……

Hash Function

OV + 2× IF

Key Stream Block 2

Hash Function

OV + m/n× IF

Key Stream Block 1

Hash Function

OV + (m/n+1)× IF

Key Stream Block 2 ……

……

……


Secure analysis on HSC:Period

– But… the inner state has a limitation due to the implementation

– Configurable inner state size– The inner state size depends on the

limitation of the hash function input size – – Which is huge!

statesinner 2 implies sizeinput hash 264264


Secure analysis on HSC: Indistinguishability

• Indistinguishability of the keystream from the random stream – The distribution of the keystream

depends on the IV and Key



– Assumption 1: if the input of the hash function is random, the output should be random, or have a random distribution

– Every individual keystream block should look random, given the randomness of the key and the security of the hash function.

– Otherwise, we can find an easier way to invert the one-way function by analyzing the non-uniform distribution of the output



– Assumption 2: if the inputs of the hash function are different, but correlated, the outputs of a good hash function should at least have a good statistical distribution

– Global view of the keystream blocks – Collision-resistance guarantees that

keystream blocks are statistically different



– Almost no one can guarantee there’s no correlation in their keystream

– That’s why inner state should be kept secrete

– That’s why we are using i

mOVIF 2mod


Secure analysis on HSC: Information theory

• Information theory -- Entropy – The larger entropy of the keystream the better– Entropy comes from: IV and Key – The hash function will guarantee the entropy of

each stream block: min(|key|, |digest|)– IF will spread the key entropy to the whole

keystream


Secure analysis on HSC:Statistical analysis

• Three statistical test from the NIST standard– SHA-1, Key length 64 bytes, IV 16 bytes, and IF

1 byte– 1000 times test on 10 MB keystream. Threshold:

0.981– 1GB HSC costs 92,312ms ， RC4 costs 30,047ms

HSC 1 2 3 4 5 6 7 8 9 10

Frequency 0.992 0.994 0.991 0.994 0.997 0.994 0.989 0.992 0.989 0.989

Runs 0.995 0.994 0.993 0.989 0.992 0.989 0.992 0.989 0.995 0.991

Cumulative 0.986 0.994 0.988 0.992 0.995 0.993 0.985 0.993 0.988 0.989

RC4 1 2 3 4 5 6 7 8 9 10

Frequency 0.986 0.982 0.987 0.984 0.9840 ． 98

90.989

0 ． 989

0.989 0.991

Runs 0.992 0.993 0.990 0.987 0.9910 ． 99

30.996

0 ． 988

0.990 0.985

Cumulative 0.987 0.976 0.982 0.976 0.9860 ． 98

80.989

0 ． 989

0.983 0.989


References• Stream Ciphers, RSA Laboratories Technical Report TR-701,

Version 2.0, M.J.B. Robshaw, July 25, 1995• Stream Cipher Design -- An evaluation of the eSTREAM

candidate Polar Bear, JOHN MATTSSON, Master of Science Thesis, Stockholm, Sweden 2006

• On the Role of the Inner State Size in Stream Ciphers, Erik Zenner, Reihe Informatik 01-2004

• Attacks on RC4 and WEP, Scott Fluhrer, Itsik Mantin, Adi Shamir• CHOSEN-IV STATISTICAL ATTACKS ON eSTREAM CIPHERS,

Markku-Juhani O Saarinen.• http://www.wikipedia.org/• Yong Zhang, Xiamu Niu, Juncao Li, and Chunming Li. Research

on a novel Hashing Stream Cipher. In Proc. of CIS 2006, Guangzhou, China, November 3-6, 2006


Thanks

• Questions?



• Information theory -- Entropy – The larger entropy of the keystream the better– Entropy comes from: IV and Key

– But the IF will spread the entropy to the whole keystream

– This may lead to a better explanation of our construction



• Information theory -- Entropy – Why hash functions? – we want to shrink– The larger entropy of the keystream the better– Entropy come from: IV and Key – If |OV| > |Hash digest|, entropy loses on each

keystream block.– But the IF will spread the entropy to the whole

keystream – This may lead to a better explanation of our

construction

hsc: building stream cipher from secure hash functions

Documents