Leo Reyzin. Notes for BU CAS CS 538.
1 Symmetric Cryptography
1.1 Stream Ciphers and Block Ciphers
Cryptographers have long been designing things called “stream ciphers” and “block ciphers.” A stream cipher (e.g., RC4 [Riv87]) takes an input key (also known as seed) and produces a long (usually unlimited) stream of random-looking bits. A block cipher (e.g., DES [NIS77]) takes a key and an input, and produces an output of the same length as the input. For each key, a block cipher is a permutation.
While stream ciphers and block ciphers predate modern cryptographic notions, today people most often model them as pseudorandom generators and pseudorandom permutations, respectively. Note that stream ciphers and block ciphers used in practice are not provably pseudorandom generators and functions; rather, they are believed to have these properties (although some think that this is too strong of an assumption).
We already designed pseudorandom generators that are provably secure under a reasonable assumption. We will do the same for pseudorandom functions and permutations below (after defining them, of course). It is therefore legitimate to ask why people use unprovable designs when so many provably secure ones are available. The answer is mainly speed. As we will see shortly, traditional stream and block ciphers are orders of magnitude faster than provable ones. Thus, they are preferred for encrypting bulk data, particularly by computationally weak devices in real time (cell phones, wireless network cards, etc.).

We will spend this and next lecture understanding what pseudorandom generators and functions are and how to build them (provably!). Note that our provably secure constructions will be of interest mainly as “feasibility” results: we show that it can be done, but most people will not use our provable constructions. Instead, in practice they will simply opt for assuming that RC4 is a pseudorandom generator and DES is a pseudorandom function, even though these assumptions are seemingly stronger than simply assuming that factoring is hard.
Nonetheless, whether you use a provable pseudorandom generator, such as Blum-Blum-Shub, or a heuristic one, such as RC4, you still need to use it right. Therefore, we will then turn to understanding how to use pseudorandom generators and functions to accomplish actual goals (privacy and authenticity).
But first, by way of example, we briefly study RC4 and DES.
1.2 RC4
RC4, designed by Rivest, is a stream cipher that takes a key and produces a long stream of random-looking bits. The key is used to initialize an array S of 256 elements that contains each byte from 0 to 255 exactly once. The key is also used to initialize two indices, i and j, into the array. We do not describe the initialization step here. After the initialization, the following steps take place. All operations below are modulo 256.
Repeat for as many times as the number of output bytes needed:

1. i ← i + 1
2. j ← j + S[i]
3. Swap S[i] and S[j]
4. Output S[S[i] + S[j]]
Thus, this stream cipher outputs 8 bits per 3 byte additions and 3 array lookups.
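The four output steps above, written out as runnable code. This is an added example, not code from the lecture notes; the notes omit the key-dependent initialization of S, i and j, so the key schedule below (the standard RC4 KSA, with i and j reset to 0 before output begins) is an assumption about that omitted step.

```python
# Added example (not from the lecture notes): RC4 keystream generation.
# The key schedule (KSA) is the standard RC4 one; the notes do not describe it,
# so treat it as an assumption about the omitted initialization step.


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key schedule: turn S = [0, 1, ..., 255] into a
    key-dependent permutation of the byte values."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Produce n keystream bytes using the four steps from the notes.
    All index arithmetic is modulo 256 (so i, j wrap inside S)."""
    S = rc4_ksa(key)
    i = j = 0  # the output phase starts with both indices at 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256                    # step 1: i <- i + 1
        j = (j + S[i]) % 256                 # step 2: j <- j + S[i]
        S[i], S[j] = S[j], S[i]              # step 3: swap S[i], S[j]
        out.append(S[(S[i] + S[j]) % 256])   # step 4: output S[S[i] + S[j]]
    return bytes(out)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR data with the keystream (the operation is
    its own inverse, so the same call decrypts)."""
    ks = rc4_keystream(key, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


if __name__ == "__main__":
    # Check against the widely published RC4 test vector for the key b"Key".
    print(rc4_keystream(b"Key", 4).hex())  # eb9f7781
```

Since each message byte is simply XORed with a keystream byte, a key must never be reused across two messages, which is one instance of the "use it right" point made above; RC4's keystream is also known to carry statistical biases and the cipher has been prohibited in TLS (RFC 7465), so it is shown here only as the lecture's example.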
Spring '09, Cryptography, Leo Reyzin, BU CAS CS