# CS计算机代考程序代写 Cryptography Basics – (Pseudo)Randomness

Cryptography Basics – (Pseudo)Randomness

ECEN 4133 Jan 21, 2021

Review

•Integrity of messages between Alice and Bob

•Alice appends bits that only Alice (and Bob) can compute

•Solution: Message Authentication Code (MAC)

• Hash-based MAC (HMAC) used in practice, e.g. v = HMAC-SHA256k(M)

k

m, v

m’, v’?

k

•Where does k come from?

• How do we generate it? [Today]

• How do we share it with Alice and Bob, but not Mallory? [Next time]

Mallory

Alice

Bob

Randomness

True Randomness

Output of a physical process that is inherently random Scarce and hard to get

Pseudorandom generator (PRG)

Takes small seed that is really random

Generates long sequence of numbers that are “as good as random”

True Randomness

Where do we get true randomness?

Want “indistinguishable from random” meaning: adversary can’t guess it Gather lots of details about the computer that the adversary will have trouble

guessing [Examples?]

Problem: Adversary can predict some of this

Problem: How do you know when you have enough randomness?

Getting a large amount of randomness

Difficult to collect lots of true random

Suppose we have 128-bits of true random (k), but want 1024-bits of random ◦ Can we expand our 128-bits? [Breakout]

◦ Can we extend to arbitrary lengths?

◦ Any caveats? How many unique “sequences” of 1024-bits can we produce with this technique?

Getting a large amount of randomness

“Pseudo” Randomness:

◦ Not truly random – usually an expansion of a (shorter) set of true random bits

One solution: Pseudo-random number generator (PRNG):

◦ Given 128-bit true random k

◦ HMAC-SHA256k(0), HMAC-SHA256k(1), HMAC-SHA256k(2), … HMAC-SHA256k(n)

Is it secure?

◦ Can an adversary tell what will come next without knowing k?

◦ Given HMAC-SHA256k(a), (but not k), can an adversary predict HMAC-SHA256k(b) for b>a ?

Pseudo-random generators (PRG)

Many different ways:

◦ Using hashes

◦ Using HMACs

◦ Using block ciphers (we’ll talk about these next)

Beware that there also exist non-cryptographic PRNGs:

◦ Linear feedback shift register (LFSR)

◦ Linear Congruential Generator (LCG)

◦ Used by rand() / srand() / Math.random() – Don’t use for cryptography!!!

128 bits

k PRG

n bits

Output stream

We are talking about Cryptographically Secure PRNG (CSPRNG)

◦ Should be difficult for adversary to predict future (or past!) outputs given some output

“Backdoored” CSPRNG

Dual_EC_DRBG

◦ Dual Elliptic Curve Deterministic Random Bit Generator

◦ Developed by the NSA in 2006, standardized by NIST

◦ Strange design, very slow, based off elliptic curve cryptography (next week!)

◦ If someone knows a mathematical relationship between P and Q, trivial to compute what comes next in the pseudorandom stream given current output (backdoor!!)

◦ No explanation for how P and Q were chosen by the NSA

◦ NSA paid $10 million to RSA Security to include

in their popular cryptographic library

◦ Snowden documents revealed this to be a standard developed solely by the NSA as a backdoor

Randomness in practice

Modern OSes typically collect randomness, give you API calls to get it

e.g., Linux:

/dev/random is a device that gives random bits, blocks until available

/dev/urandom gives output of a PRG, nonblocking, seeded from /dev/random eventually

Note: both /dev/random and /dev/urandom use a CSPRNG seeded from: ◦ Keystroke/mouse movement timing

◦ Network packet timing

◦ Scheduler / interrupt timing

◦ /dev/random tries to do “entropy accounting”: don’t give out more than has been “put in” to the pool

/dev/(u)random problems

/dev/random blocks – slow to read from

/dev/urandom doesn’t block – but might not be initialized at all!!!

Embedded devices:

◦ Often don’t have keyboard/mouse

◦ Might not be connected to Internet at first boot (no packets) ◦ Very slow to collect entropy!

Solution:

◦ Usegetrandom()

◦ Added in Linux 3.17 (2014)

◦ Blocks until pool has been initialized

Confidentiality

Integrity: prevent Mallory from tampering kk

Alice

Mallory

Bob

k

Confidentiality: prevent eavesdropper (Eve) from learning the (plaintext) message

v’ == MACk(m’) ?

m, v:= MACk(m)

m’, v’

Terminology

p plaintext message

c ciphertext

k secret key

E encryption function D decryption function

k c := Ek(p) Eve

Bob

p := Dk(c)

Classical Cryptography

Digression: Classical Cryptography Caesar Cipher

First recorded use: Julius Caesar (100-44 BC)

Replaces each plaintext letter with one a fixed number of places down the alphabet Encryption: ci := (pi + k) mod 26

Decryption: pi := (ci – k) mod 26

e.g. (k=3):

Plain: +Shift:

=Cipher:

Plain:

ABCDEFGHIJKLMNOPQRSTUVWXYZ 33333333333333333333333333 DEFGHIJKLMNOPQRSTUVWXYZABC

fox go wolverines

+Key:

=Cipher: ira jr zroyhulqhv

333 33 3333333333

[Break the Caesar cipher?]

Cryptanalysis of the Caesar Cipher Only 26 possible keys:

Try every possible k by “brute force”

Can a computer recognize the right one?

Use frequency analysis: English text has distinctive letter frequency distribution

Lateradvance: VigènereCipher First described by Bellaso in 1553,

later misattributed to Vigenère

Called « le chiffre indéchiffrable » (“the indecipherable cipher”)

Encrypts successive letters using a sequence of Caesar ciphers determined by the letters of a keyword For an n-letter keyword k,

Encryption: ci := (pi + ki mod n) mod 26 Decryption: pi := (ci – ki mod n) mod 26

Example: k=ABC (i.e. k0=0, k1=1, k2=2)

Plain: bbbbbb amazon

+Key: 012012 012012 =Cipher: bcdbcd anczpp

[Break le chiffre indéchiffrable?]

Cryptanalysis of the Vigènere Cipher

Simple, if we know the keyword length, n: 1. Break ciphertext into n slices

2. Solve each slice as a Caesar cipher

How to find n? One way: Kasiski method Published 1863 by Kasiski (earlier known to Babbage?)

Repeated strings in long plaintext will sometimes, by coincidence, be encrypted with same key letters

Plain: CRYPTOISSHORTFORCRYPTOGRAPHY

+Key: ABCDABCDABCDABCDABCDABCDABCD =Cipher: CSASTPKVSIQUTGQUCSASTPIUAQJB

Distance between repeated strings in the ciphertext is likely a multiple of key length e.g., distance 16 implies n is 16, 8, 4, 2, or 1

Find multiple repeats to narrow down

[What if key is as long as the plaintext?]

One-time Pad (OTP)

Alice and Bob jointly generate a secret, very long, string of random bits

(the one-time pad, k) To encrypt: ci = pi xor ki To decrypt: pi = ci xor ki

“one-time” means you should never reuse any part of the pad. If you do:

Let ki be pad bit

Adversary learns (a xor ki) and (b xor ki) Adversary xors those to get (a xor b), which might be useful [How?]

Provably secure [Why?]

Usually impractical [Why? Exceptions?]

a b axorb 000 011 101 110

a xor b xor b = a a xor b xor a = b

Practical One-time Pad

Idea: Use a pseudorandom generator (CSPRNG) instead of a truly random pad

(Recall: Secure PRG inputs a seed k, outputs a stream that is practically indistinguishable from true randomness unless you know k)

Called a stream cipher:

1. Start with shared secret key k

2. Alice & Bob each use k to seed the PRG

3. To encrypt, Alice XORs next bit of her generator’s output with next bit of plaintext

4. To decrypt, Bob XORs next bit of his generator’s output with next bit of ciphertext

Works nicely, but: don’t ever reuse the key, or the generator output bits