a framework for stream ciphers based on pseudorandomness, randomness and error-correcting coding
DESCRIPTION
A Framework for Stream Ciphers Based on Pseudorandomness, Randomness and Error-Correcting Coding. Miodrag Mihaljevic Enhancing Crypto-Primitives with Techniques from Coding Theory NATO Advanced Research Workshop 6 - 9 October 2008 Veliko Tarnovo, Bulgaria. Roadmap. Introduction - PowerPoint PPT PresentationTRANSCRIPT
1
A Framework for Stream Ciphers Based on Pseudorandomness, Randomness and
Error-Correcting Coding
Miodrag Mihaljevic
Enhancing Crypto-Primitives with Techniques from Coding Theory
NATO Advanced Research Workshop6 - 9 October 2008
Veliko Tarnovo, Bulgaria
2
Roadmap
• Introduction • Underlying Ideas and Novel Framework• Particular Novel Stream Ciphering Approaches Based
on Employment of Pure Randomness • A Model of Certain Stream Ciphers Based on Pure
Randomness• LPN Problem and a Security Evaluation Approach• Framework for the Security Evaluation• Concluding Remarks
3
I. Introduction
Certain References on Cryptographic Primitives
Based on Pure Randomness
4
Some Initial References
• R.J. McEliece, “A public key cryptosystem based on algebraic coding theory”, DSN progress report, 42-44:114-116, 1978. (well known reference)
• M. Willett, “Deliberate noise in a modern cryptographic system”, IEEE Transactions on Information Theory, vol. 26, no. 1, pp.102-104, Jan. 1980. (almost forgotten reference)
• A. Blum, M. Furst, M. Kearns and R. Lipton, “Cryptographic Primitives Based on Hard Learning Problems”, CRYPTO 1993, Lecture Notes in Computer Science, vol. 773, pp. 278–291, 1994.
• N. Hopper and M. Blum, ``Secure Human Identification Protocols'', ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pp. 52-66, 2001.
5
A.D. Wyner, “The wire-tap channel”, Bell Systems
Technical Journal, vol. 54, pp. 1355-1387, 1975. • A different approach for achieving secrecy of
communication based on the noise has been reported by Wyner in 1975 assuming that the channel between the legitimate parties is with a lower noise in comparison with the channel via which a wire-tapper has access to the ciphertext.
• The proposed method does not require any secret. It is based on a specific coding scheme which provides a reliably communications within the legitimate parties and prevents, at the same time, the wire-tapper from learning the communication's contents.
6
Some Recent References
• J. Katz and J. Shin, “Parallel and Concurrent Security of the HB and HB+ Protocols”, EUROCRYPT 2006, Lecture Notes in Computer Science, vol. 4004, pp. 73–87, 2006.
• J.-P. Aumasson, M. Finiasz, W. Meier and S. Vaudenay, “TCHo: A Hardware-Oriented Trapdoor Cipher”, ACISP 2007, Lecture Notes in Computer Science, vol. 4586, pp. 184–199, 2007.
• H. Gilbert, M.J.B. Robshaw and Y. Seurin, “HB#: Increasing the Security and Efficiency of HB+”, EUROCRYPT2008, Lecture Notes in Computer Science, vol. 4965, pp. 361-378, 2008.
• H. Gilbert, M.J.B. Robshaw, and Y. Seurin, “How to Encrypt with the LPN Problem”, ICALP 2008, Part II, Lecture Notes in Computer Science, vol. 5126, pp. 679-690, 2008.
7
Certain Origins for Our Work
• M. Mihaljevic, “Generic framework for secure Yuen 2000 quantum-encryption employing the wire-tap channel approach”, Physical Review A, vol. 75, no. 5, pp. 052334-1-5, May 2007.
• M. Fossorier, M. Mihaljevic and H. Imai, “Modeling Block Encoding Approaches for Fast Correlation Attack”, IEEE Transactions on Information Theory, vol. 53, no. 12, pp. 4728-4737, Dec. 2007.
• M. Mihaljevic, M. Fossorier and H. Imai, “Security Evaluation of Certain Broadcast Encryption Schemes Employing a Generalized Time-Memory-Data Trade-Off”, IEEE Communications Letters, vol. 11, no. 12, pp. 988-990, Dec. 2007.
8
II. Underlying Ideas and the Framework
9
Novelties of Our Designs in Comparison with the Reported ones
Employment of two different binary pure randomness within a cryptographic primitive:
• one Berunolli distributed with the parameter <<1/2
• another with Uniform distribution and the parameter equal to 1/2
Dedicated encoding for providing the attacker confusion employing:
• Homophonic coding approaches
• Wire-tap Channel coding approaches
10
General Underlying Ideas in Our Designs
Enhancing cryptographic primitives employing
- pure randomness and
- coding theory
• Particularly: Employment of the concept of the binary channels with insertion and complementation (and deletion).
11
Main Goals
• A framework for design of stream ciphers which provides opportunity for design the security as high as possible based on the employed secret key, i.e. complexity of recovering the key as close as possible to O(2K)
• A trade-off between the security and the communications rate: Increase the security up to the upper limit at the expense of a moderate decrease of the communications rate.
12
Underlying Ideas for Novel Stream Ciphers Paradigm
A Happy Merge (Marriage) of Pseudo-randomness and Randomness
13
The Main Underlying Ideas
• Employ physical noise which an attacker must face, in order to strengthen the stream cipher.
• Strengthen the stream cipher employing a dedicated encoding following the homophonic or wire-tap channel encoding approaches.
14
A Framework of Stream Ciphering Employing Randomness
a related traditional stream cipher and a novel particular one based on
deliberate randomness
15
A Traditional Stream Cipher based on Encode+Encrypt Paradigm
in order to cope with an inherent noise in the public communication channel employ
“encode+encrypt” (the paradigm employed in GSM)
16
Error-CorrectionEncoding
KeystreamGenerator
+PublicComm.Channel
Error-CorrectionDecoding
KeystreamGenerator
+
plaintext
secret key
plaintext
secret key
Encryption
Decryption
(b.s.c or erasure channel, for example)
17
Novel Framework
Based on Employment of Randomness and Dedicated
Coding&Ciphering
18
Error-CorrectionEncoding
KeystreamGenerator
PublicComm.Channel
Error-CorrectionDecoding
plaintext
secret key
plaintext
secret key
Encryption
Decryption
Dedicated Encoding&Encryption
Source of Randomness
KeystreamGenerator
Dedicated Decoding&Decryption
19
Notes (1): Novel Paradigm
• Traditional stream ciphers do not include any randomness: Basically, they are based on the deterministic operations which expand a short secret seed into a long pseudorandom sequence.
• This talk proposes an alternative approach yielding a novel paradigm for design of stream ciphers.
• The proposed framework employs a dedicated coding and a deliberate noise which, assuming the appropriate code and noise level, at the attacker's side provides increased confusion up to the limit determined by the secret key length.
• Decoding complexities with and without the secret key are extremely different
20
Notes (2): Security-Overhead Trade-Off
In order to achieve the main security goal, the proposed stream ciphering approach includes the following two encoding schemes with impacts on the communications overhead:
• error-correction encoding of the messages;
• dedicated homophonic/wire-tap channel coding which performs expansion of the initial ciphertext..
• Both of these issues imply the communications overhead: Accordingly, the proposed stream ciphers framework includes certain trade-off between the security and the communications overhead which in a number of scenarios can be considered as very appropriate.
21
III. Particular Novel Stream Ciphering Approaches Employing Randomness
Homophonic and Wire-Tap Channel Like
Coding
22
III.1 Two Variants of a Simple Construction
embed random bits +
enforce a binary symmetric noise channel
23
Variant A
24
Error-CorrectionEncoding
KeystreamGenerator
+
PublicComm.Channel
Error-CorrectionDecoding
KeystreamGenerator
+
plaintext
secret key
plaintext
secret key
Encryption
Decryption
Embedding
Decimation
+
Source of Randomness
25
Variant B
26
Error-CorrectionEncoding
KeystreamGenerator
+
PublicComm.Channel
Error-CorrectionDecoding
KeystreamGenerator
+
plaintext
secret key
plaintext
secret key
Encryption
Decryption
Embedding
Decimation
+
Source of Randomness
27
III.2 Stream Ciphering Employing Wire-Tap Channel Coding
- a generic scheme and its discussion -
28
Wire-Tap Channel
A. D. Wyner, “The wire-tap channel”,
Bell Systems Technical Journal, vol. 54, pp. 1355-1387, 1975.
29
Alice Bob
Eve
Channel C1
Channel C2
UX
Z
Y
30
Coding Strategy for the Wire-Tap Channel
• Goal of encoding paradigm for the wire-tap channel is to make the noisy data available to Eve (across the wire tap channel) useless and achieving this goal is based on adding the randomness in encoding algorithm.
31
Groups of the codewords: Same symbol denote different codewords belonging to the same group
*
x
Codewords and N-dim Sphere
x x x x x
* * * * *
x
*
*x
*x
*
*
*x
*
*x
*
32
Error-CorrectionEncoding
KeystreamGenerator
+
Mapping
PublicComm.Channel
Error-CorrectionDecoding
KeystreamGenerator
+
plaintext
secret key
plaintext
secret key
Encryption
Decryption
Wire-Tap Channel
Encoding
Wire-TapChannel
Decoding
+
Source of Randomness
Mapping
+
33
IV. A Model of Certain Stream Ciphers Based on Pure Randomness
- a model suitable for security analysis -
34
Error-CorrectionEncoding
KeystreamGenerator
+
PublicComm.Channel
Error-CorrectionDecoding
KeystreamGenerator
+
plaintext
secret key
plaintext
secret key
Encryption
Decryption
Embedding
Decimation
+
Source of Randomness
35
Error-CorrectionEncoding
KeystreamGenerator
+plaintext
secret key
Encryption
Channel with Insertion
of Random Bits
Security as a Decoding Problem after Two Noisy Channels
Binary Symmetric
Channel
36
Error-CorrectionEncoding
KeystreamGenerator
plaintext
secret key
Encryption
Homophonic Encoding
Security Consideration via Implications of the Coding and the LPN Problem
LPN Problem Based
Encryption
37
Analytical Specification
38
Simplified Model of a Stream Cipher
39
V. LPN Problem and a Security Evaluation Approach
(LPN – Learning from Parity with Noise)
40
LPN Problem
• Problem of decoding of a general random linear block code after a binary symmetric channel with given crossover probability.
• More formal formulations of the problem as well as its solutions are possible.
41
Underlying Problem of the LPN
linear-f1(x1, x2, …, xK) = z1
linear-f2(x1, x2, …, xK) = z2
linear-fN(x1, x2, …, xK) = zN
…
O SV YE SR TD EE MFINED
noisy variables
K << N
42
Notations (1)
43
Notations (2)
44
Notations (3) - Oracles
45
The LPN Problem and its Solution
46
Hardness of the LPN Problem
• M. Fossorier, M. Mihaljevic, H. Imai, Y. Cui and K. Matsuura, “An Algorithm for Solving the LPN Problem and its Application to Security Evaluation of the HB Protocols for RFID Authentication”, INDOCRYPT 2006, LNCS, vol. 4329, pp. 48-62, Dec. 2006.
47
A Technical Lemma
48
Security Evaluation Approaches and a Security Model
49
Two Particular Security Evaluation Approaches
• Security evaluation via consideration of the underlying decoding problem.
• Security evaluation via a formal security model and an evaluation game.
• Further on, this approach will be discussed.
50
A Security Evaluation Approach
51
A Security Evaluation Game
52
53
54
VI. Framework for Security Evaluation
55
56
57
Proof. Recall that non-adaptive CPA-security (P1) implies adaptive CPA-security (P2), hence we may restrict ourselves to adversaries accessing the encryption oracle
only during the first phase of the attack (before seeing the challenge ciphertext).
58
59
60
61
62
63
64
VII. Concluding Notes
Framework, Instantiations and Security Evaluation Elements
65
Main messages• A general framework and certain particular
incarnations of stream ciphers based on randomness and dedicated coding are proposed.
• The dedicated coding employs homophonic and wire-tap channel like coding approaches.
• A security evaluation has been performed implying that security under certain attacking scenarios appears as a consequence of hardness of the LPN problem.
66
Thank You Very Much for the Attention,
and
QUESTIONS Please!