statistics in cryptanalysis
play

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical - PowerPoint PPT Presentation

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35


  1. Hypothesis Testing Hypothesis Testing A statistical hypothesis is in general refers to an assumption of any sort about the distribution function F ( x ) (say) of the population P . Assume that F ( x ) has a known functional form which involves a number of unknown parameters θ 1 , θ 2 , . . . , θ k . - Example: Normal distribution N ( µ, σ 2 ), where µ ∈ R and σ 2 ∈ R ≥ 0 are its parameters. Let ○ = ( θ 1 , θ 2 , . . . , θ k ). H 18/35

  2. Hypothesis Testing Hypothesis Testing A statistical hypothesis is in general refers to an assumption of any sort about the distribution function F ( x ) (say) of the population P . Assume that F ( x ) has a known functional form which involves a number of unknown parameters θ 1 , θ 2 , . . . , θ k . - Example: Normal distribution N ( µ, σ 2 ), where µ ∈ R and σ 2 ∈ R ≥ 0 are its parameters. Let ○ = ( θ 1 , θ 2 , . . . , θ k ). H Hypothesis A hypothesis is then any assumption regarding the parameters θ 1 , θ 2 , . . . , θ k . 18/35

  3. Hypothesis Testing Hypothesis Testing A statistical hypothesis is in general refers to an assumption of any sort about the distribution function F ( x ) (say) of the population P . Assume that F ( x ) has a known functional form which involves a number of unknown parameters θ 1 , θ 2 , . . . , θ k . - Example: Normal distribution N ( µ, σ 2 ), where µ ∈ R and σ 2 ∈ R ≥ 0 are its parameters. Let ○ = ( θ 1 , θ 2 , . . . , θ k ). H Hypothesis A hypothesis is then any assumption regarding the parameters θ 1 , θ 2 , . . . , θ k . Example: H 0 : µ = 2 , σ 2 = 0 . 1. 18/35

  4. Hypothesis Testing Null vs. Alternate Hypothesis 19/35

  5. Hypothesis Testing Null vs. Alternate Hypothesis Null Hypothesis We shall very often make a hypothesis wishing it to be accepted by the test, such a hypothesis is called a null hypothesis . 19/35

  6. Hypothesis Testing Null vs. Alternate Hypothesis Null Hypothesis We shall very often make a hypothesis wishing it to be accepted by the test, such a hypothesis is called a null hypothesis . Alternate Hypothesis Sometimes, it so happens that we know for certain that either ○ ∈ ω 0 or ○ ∈ ω A , where ω 0 and ω A are two disjoint point sets H H in P k and it remains for us to decide between the two by means of a test. Now, we have priory reasons to be more inclined to believe in the first hypothesis, then we set up the null hypothesis ○ ∈ ω 0 to be tested against the alternative hypothesis H 0 : H H 1 : ○ ∈ ω A , hoping that the null hypothesis will be accepted by H the test and thereby confirm our belief. Then H 1 : ○ ∈ ω A is H called the alternate hypothesis . 19/35

  7. Hypothesis Testing General Form Of A Test Let, ˜ x = ( x 1 , x 2 , . . . , x N ) be a sample of size N drawn from the population P . 20/35

  8. Hypothesis Testing General Form Of A Test Let, ˜ x = ( x 1 , x 2 , . . . , x N ) be a sample of size N drawn from the population P . On the evidence offered by this sample we shall have to decide whether to accept or reject the null hypothesis. 20/35

  9. Hypothesis Testing General Form Of A Test Let, ˜ x = ( x 1 , x 2 , . . . , x N ) be a sample of size N drawn from the population P . On the evidence offered by this sample we shall have to decide whether to accept or reject the null hypothesis. The mathematical formulation of this evidence is known as a test of the hypothesis H 0 . 20/35

  10. Hypothesis Testing General Form Of A Test (Cont.) A test of the hypothesis H 0 , in its general form, consists in choosing a region W in the sample space R n . 21/35

  11. Hypothesis Testing General Form Of A Test (Cont.) A test of the hypothesis H 0 , in its general form, consists in choosing a region W in the sample space R n . If the observed position of the sample point ˜ x ∈ W , then H 0 is x ∈ W c then, H 0 is accepted. rejected and if ˜ 21/35

  12. Hypothesis Testing General Form Of A Test (Cont.) A test of the hypothesis H 0 , in its general form, consists in choosing a region W in the sample space R n . If the observed position of the sample point ˜ x ∈ W , then H 0 is x ∈ W c then, H 0 is accepted. rejected and if ˜ W is called the rejection region or the critical region and W c is the acceptance region of the test. 21/35

  13. Hypothesis Testing Error Probabilities x ∈ W c ˜ x ∈ W ˜ H 0 True Type-I Error Accept H 1 True Reject Type-II Error Type-I Error Probability: Pr[ ˜ X ∈ W | H 0 holds] . Type-II Error Probability: X ∈ W c | H 1 holds] Pr[ ˜ 1 − Pr[ ˜ X ∈ W | H 1 holds] = = 1 − β ( W ) , 22/35

  14. Linear Cryptanalysis Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 22/35

  15. Linear Cryptanalysis Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 23/35

  16. Linear Cryptanalysis Substitution-Permutation Network (SPN) . . . . . . P 1 Plaintext P 16 Sub-key k (1) Mixing S 11 S 12 S 13 S 14 Round 1 Sub-key k (2) Mixing S 21 S 22 S 23 S 24 Round 2 Sub-key k (3) Mixing S 31 S 32 S 33 S 34 Round 3 Sub-key k (4) Mixing Round 4 S 41 S 42 S 43 S 44 Sub-key k (5) Mixing . . . . . . C 1 Ciphertext C 16 Figure : A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys’s Tutorial). 24/35

  17. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. 25/35

  18. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. 25/35

  19. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . 25/35

  20. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . 25/35

  21. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . Each round function is a bijection of { 0 , 1 } n . 25/35

  22. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . Each round function is a bijection of { 0 , 1 } n . K ( i ) = k (0) || k (1) || · · · || k ( i − 1) 25/35

  23. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . Each round function is a bijection of { 0 , 1 } n . K ( i ) = k (0) || k (1) || · · · || k ( i − 1) E (1) K (1) = R (0) k (0) ; E ( i ) K ( i ) = R ( i − 1) k ( i − 1) ◦ · · · ◦ R (0) k (0) = R ( i − 1) k ( i − 1) ◦ E ( i − 1) K ( i − 1) , i ≥ 1 . 25/35

  24. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. 26/35

  25. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . 26/35

  26. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . Known Plaintext Attacks Cipher is instantiated with a secret key K . 26/35

  27. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . Known Plaintext Attacks Cipher is instantiated with a secret key K . N plaintext-ciphertext pairs ( P 1 , C 1 ) , . . . , ( P N , C N ) sought, s.t., each C i = E K ( P i ). 26/35

  28. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . Known Plaintext Attacks Cipher is instantiated with a secret key K . N plaintext-ciphertext pairs ( P 1 , C 1 ) , . . . , ( P N , C N ) sought, s.t., each C i = E K ( P i ). Goal: Obtain the secret key. 26/35

  29. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: 27/35

  30. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. 27/35

  31. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. Identify a target sub-key. Let the size of the target sub-key be m -bits. 27/35

  32. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. Identify a target sub-key. Let the size of the target sub-key be m -bits. Statistical analysis: 27/35

  33. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. Identify a target sub-key. Let the size of the target sub-key be m -bits. Statistical analysis: Obtain a tractable (closed form) relation between the following three quantities: - N: data complexity. - P S : (lower bound on the) success probability. - a : the (expected) number of false alarms is (at most) a fraction 2 − a of the number of all the 2 m possible choices of the target sub-key. 27/35

  34. Linear Cryptanalysis Linear Cryptanalysis n Γ P P k (0) Round 1 k (1) Round 2 K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  35. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Γ P P k (0) Round 1 k (1) Round 2 K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  36. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 k (1) Round 2 K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  37. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 Inner key bit: k (1) Round 2 z = � Γ K , K ( r ) � K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  38. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 Inner key bit: k (1) Round 2 z = � Γ K , K ( r ) � K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Linear Approximation: Γ K L = z � p ; k ( r − 1) Round r if κ = κ ∗ Pr[ L = z ] = Γ B B κ if κ � = κ ∗ . 1 / 2; k ( r ) Round ( r + 1) m n C 28/35

  39. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 Inner key bit: k (1) Round 2 z = � Γ K , K ( r ) � K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Linear Approximation: Γ K L = z � p ; k ( r − 1) Round r if κ = κ ∗ Pr[ L = z ] = Γ B B κ if κ � = κ ∗ . 1 / 2; k ( r ) Round ( r + 1) m n C Source of Randomness: P 1 , . . . , P N . 28/35

  40. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. 29/35

  41. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. 29/35

  42. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. Test Statistics: T κ = | W κ | , where W κ = ( L κ, 1 + · · · + L κ, N ) − 1 / 2; 29/35

  43. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. Test Statistics: T κ = | W κ | , where W κ = ( L κ, 1 + · · · + L κ, N ) − 1 / 2; Each L κ, j follows a Bernoulli distribution. 29/35

  44. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. Test Statistics: T κ = | W κ | , where W κ = ( L κ, 1 + · · · + L κ, N ) − 1 / 2; Each L κ, j follows a Bernoulli distribution. W κ follows a Binomial which can be approximated by a normal distribution. - κ incorrect: T κ approximately follows half normal. - κ correct: T κ approximately follows folded normal. 29/35

  45. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. 30/35

  46. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. C 1 , . . . , C N are determined by κ ∗ (the actual target sub-key); 30/35

  47. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. C 1 , . . . , C N are determined by κ ∗ (the actual target sub-key); B κ, 1 , . . . , B κ, N are determined by the choice of κ . 30/35

  48. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. C 1 , . . . , C N are determined by κ ∗ (the actual target sub-key); B κ, 1 , . . . , B κ, N are determined by the choice of κ . Test statistics: For a particular choice κ ∈ { 0 , 1 } m of the target sub-key, T κ ≡ | W κ | . where the mean and variances of W κ are given by - µ 0 = E [ W κ ∗ ] = Np and µ 1 = E [ W κ | H 1 ] = N / 2. - σ 2 0 = Var ( W κ ∗ ) = Np (1 − p ) and σ 2 1 = Var ( W κ | H 1 ) = N / 4. 30/35

  49. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . 31/35

  50. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . 31/35

  51. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . Requirement: Obtain the distributions of T κ under H 0 and H 1 . 31/35

  52. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . Requirement: Obtain the distributions of T κ under H 0 and H 1 . Data Complexity: N 31/35

  53. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . Requirement: Obtain the distributions of T κ under H 0 and H 1 . Data Complexity: N Goal: Express N in terms “ a ” and P S . 31/35

  54. Linear Cryptanalysis Key Recovery via Hypothesis Testing Relating to the advantage: Each Type-II error causes a false positive. There are a total of 2 m hypothesis tests of which 2 m − 1 are with incorrect κ . So, the expected number of false positives is β (2 m − 1) ≈ β 2 m . Advantage a implies that the size of false alarm list is 2 m − a . Equating to β 2 m gives β = 2 − a . 32/35

  55. Linear Cryptanalysis Type-I Error Probability Assume µ 0 > µ 1 . 33/35

  56. Linear Cryptanalysis Type-I Error Probability Assume µ 0 > µ 1 . The other case can be handled similarly. 33/35

Recommend


More recommend