Automated cryptanalysis using statistical testing ... Automated cryptanalysis using statistical...

Click here to load reader

download Automated cryptanalysis using statistical testing ... Automated cryptanalysis using statistical testing

of 47

  • date post

    14-Sep-2020
  • Category

    Documents

  • view

    4
  • download

    1

Embed Size (px)

Transcript of Automated cryptanalysis using statistical testing ... Automated cryptanalysis using statistical...

  • Automated cryptanalysis using statistical testing

    Karel Kub́ıček

    Centre for Research on Cryptography and Security (CRoCS), Masaryk University, Brno, Czech Republic

    June 21, 2018

  • Outline

    1 Statistical testing in cryptanalysis

    2 CryptoStreams and Randomness Testing Toolkit

    Current research

    3 Statistical testing tool EACirc

    Master thesis

    4 Statistical testing tool BoolTest

    Current research of our group

    2 / 33

  • Motivation for cryptanalysis

    AES competition

    announced in 1997 Rijndael selected in 2000 FIPS approved in 2001 (November) 2018 – no sign of a successor

    DES – used more than 25 years

    3 / 33

  • Motivation for cryptanalysis

    AES competition

    announced in 1997 Rijndael selected in 2000 FIPS approved in 2001 (November) 2018 – no sign of a successor

    DES – used more than 25 years

    3 / 33

  • Motivation for cryptanalysis

    AES competition

    announced in 1997 Rijndael selected in 2000 FIPS approved in 2001 (November) 2018 – no sign of a successor

    DES – used more than 25 years

    3 / 33

  • Classical cryptanalysis

    Brute-force

    Differential cryptanalysis

    Linear cryptanalysis

    Algebraic cryptanalysis

    Meet-in-the-middle, key-scheduling, sliding attack, cube attack...

    Manual and skill-demanding

    Goals of statistical testing as cryptanalysis:

    Black-box method Easy to use for cipher designers Quick security margin estimate Test wide set of properties

    4 / 33

  • Classical cryptanalysis

    Brute-force

    Differential cryptanalysis

    Linear cryptanalysis

    Algebraic cryptanalysis

    Meet-in-the-middle, key-scheduling, sliding attack, cube attack...

    Manual and skill-demanding

    Goals of statistical testing as cryptanalysis:

    Black-box method Easy to use for cipher designers Quick security margin estimate Test wide set of properties

    4 / 33

  • Classical cryptanalysis

    Brute-force

    Differential cryptanalysis

    Linear cryptanalysis

    Algebraic cryptanalysis

    Meet-in-the-middle, key-scheduling, sliding attack, cube attack...

    Manual and skill-demanding

    Goals of statistical testing as cryptanalysis:

    Black-box method Easy to use for cipher designers Quick security margin estimate Test wide set of properties

    4 / 33

  • Statistical testing

    Example: Monobit test

    Set of statistical tests – batteries:

    Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

    NIST STS used on AES competition (Soto, Juan. Randomness testing of the AES candidate algorithms. NIST (1999))

    5 / 33

  • Statistical testing

    Example: Monobit test

    Set of statistical tests – batteries:

    Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

    NIST STS used on AES competition (Soto, Juan. Randomness testing of the AES candidate algorithms. NIST (1999))

    5 / 33

  • Statistical testing

    Example: Monobit test

    Set of statistical tests – batteries:

    Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

    NIST STS used on AES competition (Soto, Juan. Randomness testing of the AES candidate algorithms. NIST (1999))

    5 / 33

  • Statistical testing

    Example: Monobit test

    Set of statistical tests – batteries:

    Donald Knuth’s tests in TAoCP 2 (1969) NIST STS (FIPS 140-2) (1998) Dieharder (2004) TestU01 (2007)

    NIST STS used on AES competition (Soto, Juan. Randomness testing of the AES candidate algorithms. NIST (1999))

    5 / 33

  • Statistical testing as cryptanalysis

    Analysis of cryptoprimitive’s output, but for what input?

    PRNG, stream ciphers → stream, keystream

    Block ciphers, hash functions → ? Test confusion → use low entropy inputs

    Test diffusion → use strict avalanche criterion, linear cryptanalysis scenario

    6 / 33

  • Statistical testing as cryptanalysis

    Analysis of cryptoprimitive’s output, but for what input?

    PRNG, stream ciphers → stream, keystream Block ciphers, hash functions → ?

    Test confusion → use low entropy inputs

    Test diffusion → use strict avalanche criterion, linear cryptanalysis scenario

    6 / 33

  • Statistical testing as cryptanalysis

    Analysis of cryptoprimitive’s output, but for what input?

    PRNG, stream ciphers → stream, keystream Block ciphers, hash functions → ?

    Test confusion → use low entropy inputs

    Test diffusion → use strict avalanche criterion, linear cryptanalysis scenario

    6 / 33

  • CryptoStreams

    Generalized crypto-data generator

  • CryptoStreams

    https://github.com/crocs-muni/CryptoStreams

    > 100 cryptoprimitives

    22 block ciphers (AES competition, TLS suite) 57 hash functions (SHA-3 competition) 32 stream ciphers (eSTREAM competition) 53 schemes of authenticated encryption (CAESAR) 6+ PRNGs (Master thesis in progress)

    Round-reduced

    10+ input strategies

    Output postprocessing

    8 / 33

    https://github.com/crocs-muni/CryptoStreams

  • RTT – Randomness Testing Toolkit

    https://github.com/crocs-muni/randomness-testing-toolkit

    http://rtt.ics.muni.cz

    RTT is a unification of statistical batteries

    9 / 33

    https://github.com/crocs-muni/randomness-testing-toolkit http://rtt.ics.muni.cz

  • 10 / 33

  • 11 / 33

  • 12 / 33

  • 13 / 33

  • 14 / 33

  • 15 / 33

  • 16 / 33

  • Results

    17 / 33

  • Results

    17 / 33

  • Results

    18 / 33

  • EACirc

    Analyzing randomness using supervised learning

    https://github.com/crocs-muni/eacirc

    https://github.com/crocs-muni/eacirc

  • Motivation

    Statistical batteries = fixed set of tests

    We can construct data passing all batteries

    Create tests while analyzing the data

    Incremental improving using supervised learning

    Individual (=statistical test) representation Neighbourhood Fitness

    20 / 33

  • Motivation

    Statistical batteries = fixed set of tests

    We can construct data passing all batteries

    Create tests while analyzing the data

    Incremental improving using supervised learning

    Individual (=statistical test) representation Neighbourhood Fitness

    20 / 33

  • EACirc test representation

    IN 0

    IN 1

    IN 2

    IN 3

    IN 4

    IN 5

    IN 6

    IN 7

    MASK 34

    SHIR 11

    NOT 106

    CONS 122

    AND 19

    SHIL 181

    AND 152

    NOR 52

    AND 10

    OR 188

    SHIL 22

    OR 246

    SHIR 82

    MASK 107

    NOP 176

    NOP 73

    ROTR 98

    NOP 79

    XOR 30

    NOP 228

    NOR 160

    SHIR 221

    NOP 32

    XOR 187

    SHIL 190

    ROTR 146

    ROTL 109

    NOT 247

    CONS 229

    ROTL 24

    OR 210

    SHIL 191

    NAND 244

    21 / 33

  • Problem optimization

    Individual (=statistical test) representation

    Simulated electronic circuit

    Neighborhood

    Changes of connectors and node functions

    Fitness

    Evaluate on 500 QRND reference vectors and 500 analyzed vectors Fitness = # correct guesses / 1000

    Optimization methods:

    Evolutionary algorithms Single-solution heuristics – iterated local search, neighborhood search, guided local search, simulated annealing. . .

    22 / 33

  • Problem optimization

    Individual (=statistical test) representation

    Simulated electronic circuit

    Neighborhood

    Changes of connectors and node functions

    Fitness

    Evaluate on 500 QRND reference vectors and 500 analyzed vectors Fitness = # correct guesses / 1000

    Optimization methods:

    Evolutionary algorithms Single-solution heuristics – iterated local search, neighborhood search, guided local search, simulated annealing. . .

    22 / 33

  • Approach advantages and limitations

    + Automatic

    + Better interpretation

    + Adapts to learning data

    + Simple distinguisher after learning

    − Only byte level bias − Only local bias − Huge solution space

    + Surpasses NIST STS

    − Dieharder and TestU01 are still superior

    23 / 33

  • Approach advantages and limitations

    + Automatic

    + Better interpretation

    + Adapts to learning data

    + Simple distinguisher after learning

    − Only byte level bias − Only local bias − Huge solution space + Surpasses NIST STS

    − Dieharder and TestU01 are still superior

    23 / 33

  • BoolTest

    Testing randomness with polynomials

    https://github.com/crocs-muni/bool