# Automated cryptanalysis using statistical testing ... Automated cryptanalysis using statistical...

date post

14-Sep-2020Category

## Documents

view

4download

1

Embed Size (px)

### Transcript of Automated cryptanalysis using statistical testing ... Automated cryptanalysis using statistical...

Automated cryptanalysis using statistical testing

Karel Kub́ıček

Centre for Research on Cryptography and Security (CRoCS), Masaryk University, Brno, Czech Republic

June 21, 2018

Outline

1 Statistical testing in cryptanalysis

2 CryptoStreams and Randomness Testing Toolkit

Current research

3 Statistical testing tool EACirc

Master thesis

4 Statistical testing tool BoolTest

Current research of our group

2 / 33

Motivation for cryptanalysis

AES competition

announced in 1997 Rijndael selected in 2000 FIPS approved in 2001 (November) 2018 – no sign of a successor

DES – used more than 25 years

3 / 33

Motivation for cryptanalysis

AES competition

announced in 1997 Rijndael selected in 2000 FIPS approved in 2001 (November) 2018 – no sign of a successor

DES – used more than 25 years

3 / 33

Motivation for cryptanalysis

AES competition

announced in 1997 Rijndael selected in 2000 FIPS approved in 2001 (November) 2018 – no sign of a successor

DES – used more than 25 years

3 / 33

Classical cryptanalysis

Brute-force

Differential cryptanalysis

Linear cryptanalysis

Algebraic cryptanalysis

Meet-in-the-middle, key-scheduling, sliding attack, cube attack...

Manual and skill-demanding

Goals of statistical testing as cryptanalysis:

Black-box method Easy to use for cipher designers Quick security margin estimate Test wide set of properties

4 / 33

Classical cryptanalysis

Brute-force

Differential cryptanalysis

Linear cryptanalysis

Algebraic cryptanalysis

Meet-in-the-middle, key-scheduling, sliding attack, cube attack...

Manual and skill-demanding

Goals of statistical testing as cryptanalysis:

Black-box method Easy to use for cipher designers Quick security margin estimate Test wide set of properties

4 / 33

Classical cryptanalysis

Brute-force

Differential cryptanalysis

Linear cryptanalysis

Algebraic cryptanalysis

Meet-in-the-middle, key-scheduling, sliding attack, cube attack...

Manual and skill-demanding

Goals of statistical testing as cryptanalysis:

Black-box method Easy to use for cipher designers Quick security margin estimate Test wide set of properties

4 / 33

Statistical testing

Example: Monobit test

Set of statistical tests – batteries:

Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

NIST STS used on AES competition (Soto, Juan. Randomness testing of the AES candidate algorithms. NIST (1999))

5 / 33

Statistical testing

Example: Monobit test

Set of statistical tests – batteries:

Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

NIST STS used on AES competition (Soto, Juan. Randomness testing of the AES candidate algorithms. NIST (1999))

5 / 33

Statistical testing

Example: Monobit test

Set of statistical tests – batteries:

Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

NIST STS used on AES competition (Soto, Juan. Randomness testing of the AES candidate algorithms. NIST (1999))

5 / 33

Statistical testing

Example: Monobit test

Set of statistical tests – batteries:

Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

5 / 33

Statistical testing as cryptanalysis

Analysis of cryptoprimitive’s output, but for what input?

PRNG, stream ciphers → stream, keystream

Block ciphers, hash functions → ? Test confusion → use low entropy inputs

Test diffusion → use strict avalanche criterion, linear cryptanalysis scenario

6 / 33

Statistical testing as cryptanalysis

Analysis of cryptoprimitive’s output, but for what input?

PRNG, stream ciphers → stream, keystream Block ciphers, hash functions → ?

Test confusion → use low entropy inputs

Test diffusion → use strict avalanche criterion, linear cryptanalysis scenario

6 / 33

Statistical testing as cryptanalysis

Analysis of cryptoprimitive’s output, but for what input?

PRNG, stream ciphers → stream, keystream Block ciphers, hash functions → ?

Test confusion → use low entropy inputs

Test diffusion → use strict avalanche criterion, linear cryptanalysis scenario

6 / 33

CryptoStreams

Generalized crypto-data generator

CryptoStreams

https://github.com/crocs-muni/CryptoStreams

> 100 cryptoprimitives

22 block ciphers (AES competition, TLS suite) 57 hash functions (SHA-3 competition) 32 stream ciphers (eSTREAM competition) 53 schemes of authenticated encryption (CAESAR) 6+ PRNGs (Master thesis in progress)

Round-reduced

10+ input strategies

Output postprocessing

8 / 33

https://github.com/crocs-muni/CryptoStreams

RTT – Randomness Testing Toolkit

https://github.com/crocs-muni/randomness-testing-toolkit

http://rtt.ics.muni.cz

RTT is a unification of statistical batteries

9 / 33

https://github.com/crocs-muni/randomness-testing-toolkit http://rtt.ics.muni.cz

10 / 33

11 / 33

12 / 33

13 / 33

14 / 33

15 / 33

16 / 33

Results

17 / 33

Results

17 / 33

Results

18 / 33

EACirc

Analyzing randomness using supervised learning

https://github.com/crocs-muni/eacirc

https://github.com/crocs-muni/eacirc

Motivation

Statistical batteries = fixed set of tests

We can construct data passing all batteries

Create tests while analyzing the data

Incremental improving using supervised learning

Individual (=statistical test) representation Neighbourhood Fitness

20 / 33

Motivation

Statistical batteries = fixed set of tests

We can construct data passing all batteries

Create tests while analyzing the data

Incremental improving using supervised learning

Individual (=statistical test) representation Neighbourhood Fitness

20 / 33

EACirc test representation

IN 0

IN 1

IN 2

IN 3

IN 4

IN 5

IN 6

IN 7

MASK 34

SHIR 11

NOT 106

CONS 122

AND 19

SHIL 181

AND 152

NOR 52

AND 10

OR 188

SHIL 22

OR 246

SHIR 82

MASK 107

NOP 176

NOP 73

ROTR 98

NOP 79

XOR 30

NOP 228

NOR 160

SHIR 221

NOP 32

XOR 187

SHIL 190

ROTR 146

ROTL 109

NOT 247

CONS 229

ROTL 24

OR 210

SHIL 191

NAND 244

21 / 33

Problem optimization

Individual (=statistical test) representation

Simulated electronic circuit

Neighborhood

Changes of connectors and node functions

Fitness

Evaluate on 500 QRND reference vectors and 500 analyzed vectors Fitness = # correct guesses / 1000

Optimization methods:

Evolutionary algorithms Single-solution heuristics – iterated local search, neighborhood search, guided local search, simulated annealing. . .

22 / 33

Problem optimization

Individual (=statistical test) representation

Simulated electronic circuit

Neighborhood

Changes of connectors and node functions

Fitness

Evaluate on 500 QRND reference vectors and 500 analyzed vectors Fitness = # correct guesses / 1000

Optimization methods:

Evolutionary algorithms Single-solution heuristics – iterated local search, neighborhood search, guided local search, simulated annealing. . .

22 / 33

Approach advantages and limitations

+ Automatic

+ Better interpretation

+ Adapts to learning data

+ Simple distinguisher after learning

− Only byte level bias − Only local bias − Huge solution space

+ Surpasses NIST STS

− Dieharder and TestU01 are still superior

23 / 33

Approach advantages and limitations

+ Automatic

+ Better interpretation

+ Adapts to learning data

+ Simple distinguisher after learning

− Only byte level bias − Only local bias − Huge solution space + Surpasses NIST STS

− Dieharder and TestU01 are still superior

23 / 33

BoolTest

Testing randomness with polynomials

https://github.com/crocs-muni/bool

*View more*