A Stream Ciphering Approach Based on the Wire

A Framework for Stream Ciphers Based on Pseudorandomness, Randomness and Error-Correcting Coding
Miodrag Mihaljevic
Enhancing Crypto-Primitives with Techniques from Coding Theory
NATO Advanced Research Workshop
6 - 9 October 2008
Veliko Tarnovo, Bulgaria
Roadmap
• Introduction
• Underlying Ideas and Novel Framework
• Particular Novel Stream Ciphering Approaches Based on Employment of Pure Randomness
• A Model of Certain Stream Ciphers Based on Pure Randomness
• LPN Problem and a Security Evaluation Approach
• Framework for the Security Evaluation
• Concluding Remarks
I. Introduction
Certain References on Cryptographic Primitives Based on Pure Randomness
Some Initial References
• R.J. McEliece, “A public key cryptosystem based on algebraic coding theory”, DSN progress report, 42-44:114-116, 1978. (well known reference)
• M. Willett, “Deliberate noise in a modern cryptographic system”, IEEE Transactions on Information Theory, vol. 26, no. 1, pp. 102-104, Jan. 1980. (almost forgotten reference)
• A. Blum, M. Furst, M. Kearns and R. Lipton, “Cryptographic Primitives Based on Hard Learning Problems”, CRYPTO 1993, Lecture Notes in Computer Science, vol. 773, pp. 278-291, 1994.
• N. Hopper and M. Blum, “Secure Human Identification Protocols”, ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pp. 52-66, 2001.
A.D. Wyner, “The wire-tap channel”, Bell Systems Technical Journal, vol. 54, pp. 1355-1387, 1975.
• A different approach for achieving secrecy of communication based on noise was reported by Wyner in 1975, assuming that the channel between the legitimate parties is less noisy than the channel through which a wire-tapper has access to the ciphertext.
• The proposed method does not require any secret. It is based on a specific coding scheme which provides reliable communication between the legitimate parties and, at the same time, prevents the wire-tapper from learning the contents of the communication.
Some Recent References
• J. Katz and J. Shin, “Parallel and Concurrent Security of the HB and HB+ Protocols”, EUROCRYPT 2006, Lecture Notes in Computer Science, vol. 4004, pp. 73-87, 2006.
• J.-P. Aumasson, M. Finiasz, W. Meier and S. Vaudenay, “TCHo: A Hardware-Oriented Trapdoor Cipher”, ACISP 2007, Lecture Notes in Computer Science, vol. 4586, pp. 184-199, 2007.
• H. Gilbert, M.J.B. Robshaw and Y. Seurin, “HB#: Increasing the Security and Efficiency of HB+”, EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965, pp. 361-378, 2008.
• H. Gilbert, M.J.B. Robshaw and Y. Seurin, “How to Encrypt with the LPN Problem”, ICALP 2008, Part II, Lecture Notes in Computer Science, vol. 5126, pp. 679-690, 2008.
Certain Origins for Our Work
• M. Mihaljevic, “Generic framework for secure Yuen 2000 quantum-encryption employing the wire-tap channel approach”, Physical Review A, vol. 75, no. 5, pp. 0523341-5, May 2007.
• M. Fossorier, M. Mihaljevic and H. Imai, “Modeling Block Encoding Approaches for Fast Correlation Attack”, IEEE Transactions on Information Theory, vol. 53, no. 12, pp. 4728-4737, Dec. 2007.
• M. Mihaljevic, M. Fossorier and H. Imai, “Security Evaluation of Certain Broadcast Encryption Schemes Employing a Generalized Time-Memory-Data Trade-Off”, IEEE Communications Letters, vol. 11, no. 12, pp. 988-990, Dec. 2007.
II. Underlying Ideas and the Framework
Novelties of Our Designs in Comparison with the Reported Ones
Employment of two different sources of binary pure randomness within a cryptographic primitive:
• one Bernoulli distributed with the parameter << 1/2
• another with the uniform distribution, i.e. the parameter equal to 1/2
Dedicated encoding for providing the attacker confusion, employing:
• homophonic coding approaches
• wire-tap channel coding approaches
General Underlying Ideas in Our Designs
Enhancing cryptographic primitives employing
- pure randomness and
- coding theory
• Particularly: employment of the concept of the binary channels with insertion and complementation (and deletion).
Main Goals
• A framework for the design of stream ciphers which provides the opportunity to make the security as high as the employed secret key allows, i.e. the complexity of recovering the key as close as possible to O(2^K), K being the secret key length.
• A trade-off between the security and the communications rate: increase the security up to the upper limit at the expense of a moderate decrease of the communications rate.
Underlying Ideas for Novel Stream Ciphers Paradigm
A Happy Merge (Marriage) of Pseudo-randomness and Randomness
The Main Underlying Ideas
• Employ physical noise which an attacker must face, in order to strengthen the stream cipher.
• Strengthen the stream cipher employing a dedicated encoding following the homophonic or wire-tap channel encoding approaches.
A Framework of Stream Ciphering Employing Randomness
a related traditional stream cipher and a novel particular one based on deliberate randomness
A Traditional Stream Cipher based on Encode+Encrypt Paradigm
in order to cope with an inherent noise in the public communication channel employ “encode+encrypt” (the paradigm employed in GSM)
[Figure: block diagram of the traditional encode+encrypt stream cipher. Encryption: the secret key feeds the Keystream Generator; the plaintext passes through Error-Correction Encoding and is XORed (+) with the keystream before entering the Public Comm. Channel (a b.s.c. or an erasure channel, for example). Decryption: the received data is XORed (+) with the keystream produced from the same secret key and passed through Error-Correction Decoding to recover the plaintext.]
Novel Framework Based on Employment of Randomness and Dedicated Coding&Ciphering
[Figure: block diagram of the novel framework. Encryption: the secret key feeds the Keystream Generator; the plaintext passes through Error-Correction Encoding and then Dedicated Encoding&Encryption, which combines the keystream with the output of the Source of Randomness, before entering the Public Comm. Channel. Decryption: Dedicated Decoding&Decryption with the keystream, followed by Error-Correction Decoding, recovers the plaintext.]
Notes (1): Novel Paradigm
• Traditional stream ciphers do not include any randomness: basically, they are based on deterministic operations which expand a short secret seed into a long pseudorandom sequence.
• This talk proposes an alternative approach yielding a novel paradigm for the design of stream ciphers.
• The proposed framework employs a dedicated coding and a deliberate noise which, assuming the appropriate code and noise level, provides increased confusion at the attacker's side, up to the limit determined by the secret key length.
• Decoding complexities with and without the secret key are extremely different.
Notes (2): Security-Overhead Trade-Off
In order to achieve the main security goal, the proposed stream ciphering approach includes the following two encoding schemes, each with an impact on the communications overhead:
• error-correction encoding of the messages;
• dedicated homophonic/wire-tap channel coding which performs expansion of the initial ciphertext.
• Both of these issues imply communications overhead: accordingly, the proposed stream ciphers framework includes a certain trade-off between the security and the communications overhead, which in a number of scenarios can be considered very appropriate.
III. Particular Novel Stream Ciphering Approaches Employing Randomness
Homophonic and Wire-Tap Channel Like Coding
III.1 Two Variants of a Simple Construction
embed random bits + enforce a binary symmetric noise channel
Variant A
[Figure: block diagram of Variant A. Encryption: the secret key feeds the Keystream Generator; the plaintext passes through Error-Correction Encoding and is XORed (+) with the keystream; the Embedding block then inserts random bits from the Source of Randomness, and a second XOR (+) adds the channel noise from the Source of Randomness before the Public Comm. Channel. Decryption, read from the channel side: Decimation removes the embedded bits, XOR (+) with the keystream strips the mask, and Error-Correction Decoding recovers the plaintext.]
Variant B
[Figure: block diagram of Variant B. Encryption: the secret key feeds the Keystream Generator; the plaintext passes through Error-Correction Encoding and the Embedding block, which inserts random bits from the Source of Randomness; the result is XORed (+) with the keystream, and a second XOR (+) adds the channel noise from the Source of Randomness before the Public Comm. Channel. Decryption, read from the channel side: XOR (+) with the keystream, Decimation, and Error-Correction Decoding recover the plaintext.]
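The simple construction of Variants A and B, worked through in code as an added example (this is not code from the talk or its author). A repetition code stands in for the Error-Correction Encoding block, a seeded PRNG stands in for the Keystream Generator (a placeholder only, not a cryptographic generator), and the embedding pattern (every second position carries a uniform random bit) as well as the deterministic periodic flip pattern used in place of the Bernoulli (parameter << 1/2) channel noise are assumptions of this example. The Variant B ordering (encode, embed, XOR the keystream, add channel noise) is implemented; Variant A would move the keystream XOR before the embedding and the decimation before the receiver's XOR.

```python
import random
from typing import Callable, List

# Constructed 32-bit plaintext used by the demo and the checks below.
PLAINTEXT: List[int] = [(0x9E3779B1 >> i) & 1 for i in range(32)]

REP = 3  # repetition-code length; stands in for the Error-Correction Encoding block (assumption)


def keystream(key: int, n: int) -> List[int]:
    """Placeholder for the Keystream Generator: a seeded PRNG, NOT a cryptographic generator."""
    rng = random.Random(key)
    return [rng.getrandbits(1) for _ in range(n)]


def ecc_encode(bits: List[int]) -> List[int]:
    """Error-Correction Encoding: repeat every bit REP times."""
    return [b for b in bits for _ in range(REP)]


def ecc_decode(bits: List[int]) -> List[int]:
    """Error-Correction Decoding: majority vote per REP-bit block (corrects (REP-1)//2 flips)."""
    return [int(2 * sum(bits[i:i + REP]) > REP) for i in range(0, len(bits), REP)]


def embed(bits: List[int], rand_bit: Callable[[], int]) -> List[int]:
    """Embedding: after every codeword bit insert one uniform (parameter 1/2) random bit.

    The position pattern (even index = data, odd index = random) is this example's assumption.
    """
    out: List[int] = []
    for b in bits:
        out.append(b)
        out.append(rand_bit())
    return out


def decimate(bits: List[int]) -> List[int]:
    """Decimation: keep the data positions, discard the embedded random bits."""
    return bits[0::2]


def xor(a: List[int], b: List[int]) -> List[int]:
    return [x ^ y for x, y in zip(a, b)]


def periodic_noise(period: int) -> Callable[[], int]:
    """Deterministic stand-in for the Bernoulli channel noise: flips every period-th bit."""
    state = {"i": 0}

    def bit() -> int:
        state["i"] += 1
        return int(state["i"] % period == 0)

    return bit


def encrypt(key: int, plaintext: List[int], rand_bit: Callable[[], int],
            noise_bit: Callable[[], int]) -> List[int]:
    """Variant B sender: ECC encode -> embed random bits -> XOR keystream -> binary symmetric channel."""
    expanded = embed(ecc_encode(plaintext), rand_bit)
    masked = xor(expanded, keystream(key, len(expanded)))
    return [c ^ noise_bit() for c in masked]


def decrypt(key: int, ciphertext: List[int]) -> List[int]:
    """Variant B receiver: XOR keystream -> decimate -> ECC decode."""
    return ecc_decode(decimate(xor(ciphertext, keystream(key, len(ciphertext)))))


def run_demo(key: int, wrong_key: int, noise_period: int, seed: int = 7) -> dict:
    """Encrypt PLAINTEXT, then decrypt it with the right key and with a wrong key."""
    rng = random.Random(seed)  # constructed source of the embedded uniform bits
    ct = encrypt(key, PLAINTEXT, lambda: rng.getrandbits(1), periodic_noise(noise_period))
    return {"ciphertext": ct, "recovered": decrypt(key, ct), "wrong_key": decrypt(wrong_key, ct)}


if __name__ == "__main__":
    r = run_demo(0x1234, 0x5678, noise_period=7)
    print("ciphertext bits:", len(r["ciphertext"]))
    print("right key recovers plaintext:", r["recovered"] == PLAINTEXT)
    print("wrong key recovers plaintext:", r["wrong_key"] == PLAINTEXT)
```

The ciphertext is six times the plaintext length (three from the repetition code, two from the embedding), which is the communications overhead the trade-off slides refer to. With the length-3 repetition code at most one flipped bit per codeword is corrected: a flip every 7th channel bit lands on at most one data bit per codeword and is removed, while noise_period=1 (every bit flipped) exceeds the capacity and the decoder returns the complement of the plaintext.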
III.2 Stream Ciphering Employing Wire-Tap Channel Coding
- a generic scheme and its discussion -
Wire-Tap Channel
A. D. Wyner, “The wire-tap channel”, Bell Systems Technical Journal, vol. 54, pp. 1355-1387, 1975.
[Figure: the wire-tap channel. Alice encodes the message U into X and sends it over the main Channel C1 to Bob, who receives Y; Eve obtains Z through the wire-tap Channel C2.]
Coding Strategy for the Wire-Tap Channel
• The goal of the encoding paradigm for the wire-tap channel is to make the noisy data available to Eve (across the wire-tap channel) useless; achieving this goal is based on adding randomness in the encoding algorithm.
Groups of the codewords: the same symbol denotes different codewords belonging to the same group
[Figure: Codewords and N-dim Sphere; the codewords are marked with the symbols x and *, each symbol marking the codewords of one group.]
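Coset (group) coding for the wire-tap channel, as an added example that is not from the talk: a constructed parity-check matrix H = [I_k | A] with k = 2 message bits and n = 5 code bits defines 2^k groups of 2^(n-k) codewords each. The encoder picks a random codeword in the group indexed by the message (the syndrome H*c), the decoder recovers the message as the syndrome, and the last function models the wire-tap channel as an erasure of some code-bit positions to count how many messages remain consistent with Eve's view. H, the sizes and the function names are assumptions of this example.

```python
import itertools
import random
from typing import Callable, Dict, List, Set, Tuple

# Constructed parity-check matrix H = [I_k | A], k = 2 message bits, n = 5 code bits.
# Row i lists the code-bit positions whose GF(2) sum is message bit i.
K, N = 2, 5
H: List[List[int]] = [
    [1, 0, 1, 1, 0],
    [0, 1, 0, 1, 1],
]


def syndrome(c: List[int]) -> List[int]:
    """Group index of the word c: the message carried by c is H*c over GF(2)."""
    return [sum(h * x for h, x in zip(row, c)) % 2 for row in H]


def wiretap_encode(m: List[int], rand_bit: Callable[[], int]) -> List[int]:
    """Send a random codeword of the group whose syndrome equals the message m.

    With H = [I_k | A]: draw the last n-k bits r at random (the deliberate randomness),
    then set the first k bits to m XOR A*r so that H*c = m.
    """
    r = [rand_bit() for _ in range(N - K)]
    a_r = [sum(H[i][K + j] * r[j] for j in range(N - K)) % 2 for i in range(K)]
    return [m[i] ^ a_r[i] for i in range(K)] + r


def wiretap_decode(c: List[int]) -> List[int]:
    """Bob (noise-free main channel in this example) reads the message as the syndrome."""
    return syndrome(c)


def groups() -> Dict[Tuple[int, ...], List[Tuple[int, ...]]]:
    """Partition all 2^n words into the 2^k groups; every word belongs to exactly one group."""
    g: Dict[Tuple[int, ...], List[Tuple[int, ...]]] = {}
    for c in itertools.product([0, 1], repeat=N):
        g.setdefault(tuple(syndrome(list(c))), []).append(c)
    return g


def messages_consistent_with(observed: List[int], erased: List[int]) -> Set[Tuple[int, ...]]:
    """Messages consistent with Eve's view when the code-bit positions in `erased` are lost.

    The wire-tap channel is modelled as an erasure channel; the larger the returned set,
    the less the observation tells Eve about the message.
    """
    consistent: Set[Tuple[int, ...]] = set()
    for c in itertools.product([0, 1], repeat=N):
        if all(c[i] == observed[i] for i in range(N) if i not in erased):
            consistent.add(tuple(syndrome(list(c))))
    return consistent


if __name__ == "__main__":
    rng = random.Random(11)  # constructed randomness source
    codeword = wiretap_encode([1, 0], lambda: rng.getrandbits(1))
    print("codeword:", codeword, "decoded:", wiretap_decode(codeword))
    print("group sizes:", [len(v) for v in groups().values()])
    print("messages consistent if Eve loses the random part:",
          messages_consistent_with(codeword, [2, 3, 4]))
```

Erasing the three randomness positions leaves all four messages equally consistent with Eve's observation, erasing only the last position leaves two, and seeing the whole codeword leaves one: the randomness drawn inside the encoder is what turns Eve's degraded view into useless data, which is the point of the coding strategy above.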
[Figure: block diagram of stream ciphering with wire-tap channel coding. Encryption: the secret key feeds the Keystream Generator; the plaintext passes through Error-Correction Encoding, XOR (+) with the keystream, Mapping and Wire-Tap Channel Encoding driven by the Source of Randomness, and a second XOR (+) with the Source of Randomness output before the Public Comm. Channel. Decryption: the inverse blocks (XOR with the keystream, Wire-Tap Channel Decoding, the inverse Mapping and Error-Correction Decoding) recover the plaintext.]
IV. A Model of Certain Stream Ciphers Based on Pure Randomness
- a model suitable for security analysis -
[Figure: the model used for the security analysis, with the same block structure as Variant B. Encryption: the secret key feeds the Keystream Generator; the plaintext passes through Error-Correction Encoding and the Embedding block fed by the Source of Randomness, is XORed (+) with the keystream, and a second XOR (+) adds the channel noise before the Public Comm. Channel. Decryption: XOR (+) with the keystream, Decimation, and Error-Correction Decoding recover the plaintext.]
Security as a Decoding Problem after Two Noisy Channels
[Figure: from the attacker's side, encryption is modeled as the plaintext passing through Error-Correction Encoding, a Channel with Insertion of Random Bits, XOR (+) with the keystream produced from the secret key, and a Binary Symmetric Channel.]
Security Consideration via Implications of the Coding and the LPN Problem
[Figure: the same model seen as the plaintext passing through Error-Correction Encoding, Homophonic Encoding, and LPN Problem Based Encryption under the secret key.]
Analytical Specification
Simplified Model of a Stream Cipher
V. LPN Problem and a Security Evaluation Approach
(LPN – Learning from Parity with Noise)
LPN Problem
• The problem of decoding a general random linear block code after a binary symmetric channel with a given crossover probability.
• More formal formulations of the problem, as well as its solutions, are possible.
Underlying Problem of the LPN
An overdefined system of linear equations in the K unknowns x1, x2, …, xK with noisy right-hand sides (K << N):
linear-f1(x1, x2, …, xK) = z1
linear-f2(x1, x2, …, xK) = z2
…
linear-fN(x1, x2, …, xK) = zN
where z1, z2, …, zN are the noisy variables.
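The overdefined noisy system above, as an added example (not the talk's own code): a constructed LPN instance with K unknowns and N >> K noisy parities, a check that the true secret fails only about a fraction p of the equations (the crossover probability of the binary symmetric channel), and the baseline exhaustive decoder whose cost is the 2^K candidate count that the framework's security goal refers to. The instance parameters, the seed and the function names are assumptions of this example.

```python
import random
from typing import Dict, List, Tuple


def parity(v: int) -> int:
    """GF(2) sum of the bits of v; used to evaluate a linear-f_i given as a bit mask."""
    return bin(v).count("1") & 1


def make_lpn_instance(k: int, n: int, p: float, seed: int) -> Dict:
    """Constructed LPN instance: N noisy parities z_i of a K-bit secret x.

    Equation i is linear-f_i(x) = parity(a_i AND x), the K-bit mask a_i holding the
    coefficients; z_i is that parity flipped with probability p (binary symmetric channel).
    The secret is stored in the instance only so the checks can verify the result.
    """
    rng = random.Random(seed)
    secret = rng.getrandbits(k)
    rows: List[int] = []
    z: List[int] = []
    for _ in range(n):
        a = rng.getrandbits(k)
        e = int(rng.random() < p)  # Bernoulli(p) noise bit, p << 1/2
        rows.append(a)
        z.append(parity(a & secret) ^ e)
    return {"k": k, "rows": rows, "z": z, "p": p, "secret": secret}


def error_rate(inst: Dict, candidate: int) -> float:
    """Fraction of the N equations a candidate secret fails to satisfy."""
    bad = sum(parity(a & candidate) ^ zi for a, zi in zip(inst["rows"], inst["z"]))
    return bad / len(inst["rows"])


def exhaustive_search(inst: Dict) -> Tuple[int, int]:
    """Baseline decoder: try all 2^K candidates and keep the one that disagrees with the
    noisy parities least often. Returns (best candidate, number of candidates tried); the
    second value is the 2^K work factor the framework's security goal refers to."""
    best, best_rate = 0, 2.0
    for cand in range(1 << inst["k"]):
        r = error_rate(inst, cand)
        if r < best_rate:
            best, best_rate = cand, r
    return best, 1 << inst["k"]


if __name__ == "__main__":
    inst = make_lpn_instance(k=10, n=120, p=0.1, seed=3)
    print("error rate of the true secret:", error_rate(inst, inst["secret"]))
    found, tried = exhaustive_search(inst)
    print("recovered:", found == inst["secret"], "candidates tried:", tried)
```

A wrong candidate disagrees with about half of the N equations, while the true secret disagrees with about p*N of them; with N large enough relative to K the true secret is the unique minimum, which is why the instance is overdefined (K << N). The decoder's cost grows as 2^K, and a candidate differing from the secret in a single bit already looks like a random guess, which is the property the framework relies on when it aims for key-recovery complexity close to O(2^K).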
Notations (1)
Notations (2)
Notations (3) - Oracles
The LPN Problem and its Solution
Hardness of the LPN Problem
• M. Fossorier, M. Mihaljevic, H. Imai, Y. Cui and K. Matsuura, “An Algorithm for Solving the LPN Problem and its Application to Security Evaluation of the HB Protocols for RFID Authentication”, INDOCRYPT 2006, LNCS, vol. 4329, pp. 48-62, Dec. 2006.
A Technical Lemma
Security Evaluation Approaches and a Security Model
Two Particular Security Evaluation Approaches
• Security evaluation via consideration of the underlying decoding problem.
• Security evaluation via a formal security model and an evaluation game.
• Further on, this approach will be discussed.
A Security Evaluation Approach
A Security Evaluation Game
VI. Framework for Security Evaluation
Proof. Recall that non-adaptive CPA-security (P1) implies adaptive CPA-security (P2), hence we may restrict ourselves to adversaries accessing the encryption oracle only during the first phase of the attack (before seeing the challenge ciphertext).
VII. Concluding Notes
Framework, Instantiations and Security Evaluation Elements
Main messages
• A general framework and certain particular incarnations of stream ciphers based on randomness and dedicated coding are proposed.
• The dedicated coding employs homophonic and wire-tap channel like coding approaches.
• A security evaluation has been performed, implying that security under certain attacking scenarios appears as a consequence of the hardness of the LPN problem.
Thank You Very Much for the Attention, and QUESTIONS Please!