CMPT 404 — Cryptography and Protocols Outline Solutions to Exercises on Pseudorandom Generators, Functions and Permutations. 1. (a)√Which of the following functions are superpolynomial: - 2 n; - nlog n ; - n log n? (b) Prove that for every superpolynomial function T the function 1 3
(T ( T (n )) n3
1 3
is also superpolynomial.
√n
(a) 2
and nlog n are superpolynomial; superpolynomial; n log n is not.
(b) If 1 3
(T ( T (n )) n3
1 3
< p( p (n)
for some polynomial p(n), then 1 3
T ( T (n ) < n 9 p3 (n), and
T ( T (m) < m 27 p3 (m3 ), 1 3
where m = n . However, m27 p3 (m3 ) is a polynomial in m. 2. (optional) This exercise will unable to test your favorite pseudorandom generator. The test is based on a well known property of random integers: Given two randomly chosen integers m and n, the probability they are relatively prime (their greatest common divisor is 1) is π6 . Use Use this proper property ty in a progr program am to determine statistically the value of π. The program program should call the random random number generator generator from the system library library to generate generate the random integers. integers. It should loop through through a large large number of random random number numberss to estim estimate ate the proba probabil bility ity that that two two number numberss are are relat relativ ively ely prime. prime. From From this this find an appro approxim ximate ate value of π. 2
Report the type/name of the random number generator(s), the number of pairs of numbers in your sample, and the approximate value of π . How is it? 3. Suppose you have a true random bit generator where each bit in the generated stream has the same probability of being a 0 or 1 as any other bit in the stream and that the bits are not correlated; that is the bits are generated from identical identical independent distribution. distribution. However However,, the bit stream is biased. The probability of a 1 is 1/2 + δ , and the probability of a 0 is 1/2 − δ , where 0 < δ < 1/2. A simple deskewing algorith algorithm m is as follows follows:: Examine Examine the bit stream stream as a sequence sequence of non-overl non-overlappin apping g pairs. pairs. Discard Discard all 00 and 11 pairs. Replace each 01 pair with 0 and each 10 pair with 1. (a) What is the probability of occurrence occurrence of each pair in the original sequence? (b) What is the probability of occurrence occurrence of 0 and 1 in the modified sequence? (c) What is the expected number number of input bits to produce produce k output bits? (d) Suppose that the algorithm uses overlapping overlapping successive bit pairs instead of non-overlapping non-overlapping successive bit pairs. That is, the first output bit is based on input bits 1 and 2, the second output bit is based on input bits 2 and 3, and so on. What can you say about the output bit stream? Is it independent? 1
(a) Since every bit is chosen independently, the first bit is 1 with probability 1/2 + δ , and is 0 with probability 1/2 − δ. The same is true for the second vit of a pair, and it is independent of the first bit. Thus, 00 occur with probability (1/2 − δ)(1/2 − δ); 01 occurs with probability (1/2 − δ)(1/2 + δ); 10 occurs with probability (1/2 + δ)(1/2 − δ); and 11 occurs with probability (1/2 + δ)(1/2 + δ). (b) Since the probability of 01 and 10 in the original stream are equal, 0 and 1 also occur with the same probability, that is, 1/2. (c) We consider the original stream as a sequence of pairs. The pairs are clearly independent, so to find the expected number of bits in the output we need to find the probability that 01 or 10 occurs. This probability equals 2(1/2 + δ)(1/2 − δ) = 1/2 − 2δ 2 . Thus, if the original stream contains n bits (assume it is even), then the expected number of output bits n2 (1/2 − 2δ 2 ). If we want to obain k output bits, the expected number of original bits is 1/22−k2δ . 2
(d) The output stream is not independent. Indeed, if some output bit is 0, that is, the original stream contains pair 01, then the next pair starts with 1. If it is 10 then the next output bit is 1. If the original stream contains several consequent 1s, then some pairs are 11 and therefore skipped. But then, the first pair that is not skipped must be 10. In a similar way, after each 1 in the output stream we must have a 0. Thus the output stream looks like 01010101...
4. Suppose we use a full length RC4 seed (256 bytes) in the Key Scheduled Algorithm. What such a RC4 key value leaves S unchanged during the KSA? That is, after the initial permutation of S , the entries of S will be equal to the values from 0 to 255 in ascending order. The initialization phase of RC4 (that is, the KSA) works as follows: It starts with the identity permutation of bits, S [i] = i, and the key K , T [i] = K [i (mod keylength )]. Since in our case keylength = 256, we may assume T = K . Then starting from i = j = 0 it performs 256 rounds of the form j = ( j + S [i] + T [i]) (mod 256) and Swap(S [i], S [ j]). Therefore, if we can choose T in such a way that j = i in every iteration, the resulting S will still be the identity permutation. Clearly, in the first iteration, i = 0 , the value T [0] = 0 will do. Suppose, we are successful up to iteration i − 1, that is, after considering 1 = 0, 1, . . . , i − 1 the permutation S remains the identical permutation, and the current value of j is i − 1. Then in round i the value of j is set to be j = j + S [i] + T [i] (mod 256) = i − 1 + i + T [i] (mod 256). We want it to be i, and so we need to solve the equation
i = i − 1 + i + T [i] (mod 256) T [i] = 1 − i (mod 256) 5. The RSA SecurID card is a credit-card sized device that displays 6 digits that change every minute. The idea is that when you log into your account remotely (say when you want to log into your UNIX account in SFU from an Internet Cafe) then you have to type the numbers that appear in the card in addition to your PIN or password. (a) What is the security advantage of such a card over traditional password? That is, what sort of attack can this card resist which cannot be resisted using a standard password mechanism. (Assume that it’s possible for users to remember a 6-digits PIN or a password with similar security.) (b) Describe how you would implement such a scheme using pseudorandom functions. Assume that the PRF family takes a seed of size n, and that the number of possible devices is m (for m < 2n ). How many bits of storage does your implementation use at the server and each of the devices? (there is an implementation that uses at most O(n) bits). (c) Try to define what it means that such a scheme is secure and sketch a proof that your construction satisfies it (you don’t have to formally define and prove if you don’t want to — you can use English but try to be precise). Say how the security depends on n - the number of bits that the device stores in memory (where its running time is polynomial in n) and on k - the number of digits that we display to the user. 2
(a) This device can be used in 2 modes. First, if a block cipher is used then the device provides a pseudorandom string that can be added to a password. Second, if a stream cipher is used, the device provides an extra password that changes all the time (don’t forget to replace batteries). In either case it improves the security of protocols, in which the key is not changed frequently. A possible attack in such a protocol is to intercept the encrypted password, and later use it to get access to the server. If the password effectively changes every minute this type of attack is less likely. (b) Let {f s } be a PRF and s a key assigned to each individual device. Then the device outputs f s (m) (mod 106 ) where m is the number of minutes passed since a certain moment modulo 2n . Then both, a device and the server, must store only the current time m, and a secret key s. Moreover, for the device the key can be replaced with an implementation of the function f s rather than the family {f s }. (c) The device is secure, if a polynomial time adversary ADV after seeing polynomially many pairs (m, f s (m)) does not have significant advantage in guessing such a pair for a fresh m:
Pr[ADV(m) = f k (m)] < ε(k). 6. Let {f s }, f s : {0, 1}n → { 0, 1}n be a secure PRP. Consider the family of permutations {f s }, f s : {0, 1}2n → {0, 1}2n defined as follows: for any x, x ∈ {0, 1}n
f s (xx ) = f s (x)f s (x ⊕ x ) (xx denotes the concatenation of x and x ). Show that {f s } is not a secure PRP. It suffices to observe that f s on strings of the form x0n (that is the last n bits equal to 0) outputs f s (x)f s (x). The probability that a random function outputs such a repeated string is 21 , and therefore f s can easily be distinguished from the random function. n
7. Let {f s } be a pseudorandom permutation collection, where for s ∈ {0, 1}n , f s is a permutation over {0, 1}m . Consider the following scheme (E, D) that encrypts m/2-bit messages in the following way: on input x ∈ {0, 1}m/2 , E k chooses r at random from {0, 1}m/2 and outputs f k (x, r) (where comma denotes concatenation), on input y ∈ {0, 1}m/2 , Dk computes (x, r) = f k−1 (y) and outputs x. Give an idea of a proof that (E, D) is a CPA-secure encryption scheme. Suppose that there is a polynomial time Eve that breaks the scheme. as in the proofs of CPA-security we use Eve to distinguish {f s } and a random function. First we observe that if we use a random function g in the scheme instead of {f s } then the scheme becomes CPA-secure. Indeed, since Alice adds a random part to the plaintext, the outputs Eve obtains for her queries are just random strings that carry no information. Thus the only way to make a choice between plaintexts P 1 , P 2 is to choose one at random. The probability to guess it correctly is 1/2. Now let a distinguisher Dist is given an access to a black box G(x) that can be either f s for a certain s or F . The distinguisher works as follows: – it runs Eve; – when Eve sends two plaintexts P 1 , P 2 it selects P i at random, chooses a random string r ∈ {0, 1}m/2 and returns G(P i , r); – every time Eve makes a request to encrypt P , it chooses a random string r ∈ { 0, 1}m/2 and returns G(P, r); = j. – when makes her decision j , it outputs 1 if i = j and 0 if i The probability that i = j in the game with a truly random function equals 1/2. In the game with the PRF the probability to get 1 is greater than ε(m) for some polynomial ε(m). Therefore
|Pr[Dist(Game 1) = 1] − Pr[Dist(Game 2) = 1] ≥ ε(m), and Dist distinguishes between a random function and the PRF. A contradiction.
3
8. Prove that AES is a permutation Consider every step of AES encryption, and show it is invertible. First step, s := P ⊕ k0 is obviously invertible, as P = s ⊕ k0 . Now we consider each step in each of the rounds of AES. For the S-box invertibility follows from the property of multiplication defined: every element has an inverse. Since S (a) = a−1 , the inverse function is S itself. Shift-rows is just a permutation of bytes, and clearly invertible. mix-cols is defined through multiplication by a certain matrix A. Check that the determinant of this matrix is 38. Therefore, there is A−1 that guarantees invertibility. 9. Consider a Feistel network composed of 16 rounds with a block length of 128 bits and a key of length of 128 bits. Suppose that, for a given key k , the key scheduling algorithm determines values for the first 8 subkeys, k1 , k2 , . . . , k8 , then sets
k9 = k8 ,
k10 = k7 ,
k11 = k6 ,
...,
k 16 = k1 .
Suppose you have a ciphertext C . Explain how, with access to the encryption algorithm as a black box, you decrypt C and determine the plaintext P using just a single query. This shows that such a cipher is vulnerable to a chosen plaintext attack. Hint: You may need to read about general properties of block ciphers based on Feistel network (Stallings’ book). As an optional exercise try to show that DES satisfies the required property. 10. ( optional ) Given a PRF {f s }, f s : {0, 1}|s| → { 0, 1}|s| , construct a PRF {gs } with gs : {0, 1}|s| → { 0, 1}2|s| , which is a secure PRF as long as {f s } is secure. The idea of Feistel networks is that the decryption algorithm is the same as the encryption one, only using the subkeys in the reverse order. However, the subkey generation algorithm described in the problem the reverse order of subkeys is the same as the original one. Thus the encryption algorithm used as a black box decrypts ciphertext. On a more detailed level a Feistel network divides an input string into two halves, L0 , R0 , and then updates the halves using the following rules: On round i it starts with strings Li−1 , Ri−1 and sets
Li = Ri−1 ,
Ri = Li−1 ⊕ F (Ri−1 , K i ),
where F is a round function (fixed, realized through S-boxes), and K i is the i-th round subkey. Now, we have to show that
Ri−1 = Li ,
Li−1 = Ri ⊕ F (Li , K i ).
(This means that applying the algorithm and swapping the two halves we in the end obtain the plaintext.) The first equation is obvious; to obtain the second we observe that Li = Ri−1 , and so F (Li , K i ) = F (Ri−1 , K i . The second equation follows.
4