towards cryptographic function distinguishers with
play

Towards cryptographic function distinguishers with evolutionary - PowerPoint PPT Presentation

Feb 27, 2023 •164 likes •367 views

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr venda, Martin Ukrop, Vashek Maty {svenda,xukrop,matyas}@fi.muni.cz Overview

  1. Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr Švenda, Martin Ukrop, Vashek Matyáš {svenda,xukrop,matyas}@fi.muni.cz

  2. Overview 1. Randomness testing with STS NIST & Dieharder – Can we beat traditional approach? (Speed, input length.) 2. Random distinguisher based on software circuit – Our approach based on genetic programming 3. Results for selected eStream/SHA-3 candidates – How good is it? 4. Discussion, interesting observations 2 | SeCrypt 2013, Reykjavík, 30.7.2013

  3. Why to test randomness of function output? 1. Building block for pseudorandom generator 2. Common requirement – AES, SHA-3 competition, FIPS-140 3. Significant deviances from uniform distribution and unpredictability indicate function defects – but no proof in opposite case • Manual approach: human cryptanalysis • Automated approach: statistical testing 3 | SeCrypt 2013, Reykjavík, 30.7.2013

  4. Workflow with STS NIST/Dieharder Tests Count the 1s Overlapping permutations 1001110011...100 1001110011...100 Runs tests 1001110011...100 .... 1001110011...100 1001110011...100 1001110011...100 1001110011...100 “null hypothesis” 10 5 -10 9 B ⇒ p-values p-value < α ⇒ fail 4 | SeCrypt 2013, Reykjavík, 30.7.2013

  5. Test vectors 1011010100...101 1001110011...100 500x 500x 1011010100...101 Algorithm execution Hypothesis: If function output is somehow defective, we should be able to distinguish between the data produced by a function and truly random data. Results 1/0 1 => QRNG 5 | SeCrypt 2013, Reykjavík, 30.7.2013

  6. Proposed idea – software circuit • Design test(s) automatically – test is algorithm ⇒ hardware-like circuit (next slide) • Several issues: – Who will define null hypothesis? (random distinguisher) – Who will design the circuit? (genetic programming) – How to compare quality of candidates? (test vectors) 6 | SeCrypt 2013, Reykjavík, 30.7.2013

  7. https://github.com/petrs/EACirc/ Software circuit (EACirc) Input layer Internal layers Output layer Outputs 7 | SeCrypt 2013, Reykjavík, 30.7.2013

  8. Genetic programming of circuits Test vectors (10 2 -10 5 ) [input i ] [exp.output i ] Population fitness % correct answers Comparator exp.output i == output Circuit emulator 8 | SeCrypt 2013, Reykjavík, 30.7.2013

  9. Test vectors 1011010100...101 1001110011...100 500x 500x 1011010100...101 Circuit execution Fitness 10110111 HW(10110111) > 4 => QRNG 9 | SeCrypt 2013, Reykjavík, 30.7.2013

  10. Methodology • Limit number of algorithm rounds – tested on 7 eStream and 18 SHA-3 candidates • Generate & run STS NIST and Dieharder tests • Prepare input data for EACirc – generate ½ test vectors from function (key change freq.) – generate ½ test vectors from truly random source (QRBGS http://random.irb.hr/) • Generate & test software circuits (repeat, EA) 10 | SeCrypt 2013, Reykjavík, 30.7.2013

  11. Were we successful? • Definition of success? • Better than random guessing? • Better or at least as good as human-made batteries? • Other advantages against statistical batteries? 11 | SeCrypt 2013, Reykjavík, 30.7.2013

  12. Salsa20 – limited to two rounds (0.87 success rate) 12 | SeCrypt 2013, Reykjavík, 30.7.2013

  13. Test vectors – key change frequency Key fixed for whole run (all generations) 100111101001110100...01010101010010100011100 Key fixed only for one test set (e.g., 500 test vectors) 10011...1100 10011...1100 10011...1100 Key per every test vector (e.g., every 16 bytes) 100...10 110...11 101...00 100...10 110...11 101...00 13 | SeCrypt 2013, Reykjavík, 30.7.2013

  14. 14 | SeCrypt 2013, Reykjavík, 30.7.2013

  15. Decim – 6 out of 8 rounds (preliminary) test vector change (drop in success) χ 2 difference between random/fnc histograms of categories 15 | SeCrypt 2013, Reykjavík, 30.7.2013

  16. What is a function test then? • One particular circuit? – circuit was evolved for particular function and key – sometimes, circuit works even when key is changed – (most probably) not useful for a different function • Test = whole process with evolution of circuits! – Is evolution able to design a distinguisher in limited number of generations? – If so, then function output is defective! 16 | SeCrypt 2013, Reykjavík, 30.7.2013

  17. Comparison to statistical batteries • Advantages – new approach, no need for predefined pattern – dynamic construction of test for particular function – works on very short sequences (16 bytes only) • Disadvantages – no proof of test quality or coverage (random search) – possibly hard to analyze the result (possibly automatic) – possibly longer test run time (learning period) Questions 17 | SeCrypt 2013, Reykjavík, 30.7.2013

  18. Thank you for your attention! Questions 18 | SeCrypt 2013, Reykjavík, 30.7.2013

  19. 19 | SeCrypt 2013, Reykjavík, 30.7.2013

Recommend

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long

ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long

Improved Cryptanalysis of Reduced RIPEMD-160 Florian Mendel, Thomas Peyrin, Martin Schlffer, Lei Wang, and Shuang Wu ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long messages Output: short random

840 views • 50 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Cryptographic Hash Function EDON-R Presented by Prof. Danilo Gligoroski Department of

Cryptographic Hash Function EDON-R Presented by Prof. Danilo Gligoroski Department of

1 Cryptographic Hash Function EDON-R Presented by Prof. Danilo Gligoroski Department of Telematics Faculty of Information Technology, Mathematics and Electrical Engineering Norwegian University of Science and TechnologyTechnology - NTNU,

719 views • 55 slides
Model-driven Design &amp; Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill

Model-driven Design &amp; Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill

Model-driven Design &amp; Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill Harrison University of Missouri Adam Procter Intel Corp. Gerard Allwein US Naval Research Laboratory October 7, 2016 Challenge: High Assurance Hardware

495 views • 14 slides
On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo Perrin June 3, 2019 Fq14, Vancouver Setting up the background Cryptographic properties Equivalence classes CCZ-equivalence Cryptographic

885 views • 63 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 , Abhishek Kumar 2 , Eran Lambooij 1 and Somitra Kumar Sanadhya 2 1 University of Haifa, Israel 2 IIT Ropar, India 1 / 7 ISO 3103 Figure: A broken tea cup

676 views • 12 slides
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits

Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits

Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n ). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits; 8th bit is

979 views • 40 slides
Cryptographic Sboxes Anne Canteaut Anne.Canteaut@inria.fr

Cryptographic Sboxes Anne Canteaut Anne.Canteaut@inria.fr

Cryptographic Sboxes Anne Canteaut Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/Anne.Canteaut/ Summer School, Sardegna, October 2015 Vectorial Boolean functions A vectorial Boolean function with n inputs and m outputs is a function

820 views • 31 slides
Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity

Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity

Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity Cryptographic Hash Function: Provides assurance of data integrity Let h be a hash function and x some data. The hash creates a fingerprint of the data,

564 views • 31 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers Zejun Xiang Wentao Zhang Zhenzhen Bao Dongdai Lin Institute of Information Engineering, CAS, Beijing, China December 7, 2016.

1.5k views • 74 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel Cryptographic Hash Functions A cryptographic hash function is hash function H:{0,1}*-&gt; {0,1} n with strong requirements : Collision

461 views • 33 slides
Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be Meaningful Mitsugu Iwamoto 1 , Thomas Peyrin 2 and Yu Sasaki 3 1: The University of Electro-Communications, Japan 2:Nanyang Technological University,

877 views • 20 slides
SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science &amp; Engineering, IIT Kharagpur, India { dhimans,drc }

449 views • 34 slides
Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit e catholique

355 views • 24 slides
, R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni,

, R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni,

R ADIO G ATN , R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni, Joan Daemen, Michal Peeters * and Gilles Van Assche STMicroelectronics * De Valck Consultants Second Cryptographic Hash Workshop

474 views • 16 slides
Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie Heuser, Sylvain Guilley, Olivier Rioul INSTITUT MINES-TLCOM Outline Motivation State of the art New metric: success metric (SM)

1.32k views • 25 slides
Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May

Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May

Hash Functions Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May 27 th , 2008 A cryptographic hash function produces cryptographic checksums or fingerprints cryptographic checksums or fingerprints Fast

716 views • 25 slides
A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel Coggia Inria, Project Team SECRET, France March 27, FSE 2019 Outline Definitions and the multiple-of-8 distinguisher Proof for the distinguisher

700 views • 67 slides

More recommend