Session 6: Introduction to cryptanalysis part 1

1
Session 6 Introduction to cryptanalysispart 1
2

Contents

• Problem definition
• Symmetric systems cryptanalysis
• Particularities of block ciphers cryptanalysis
• Asymmetric systems cryptanalysis

3


Problem definition

4
Problem definition

• The problem of cryptanalysis
• Given some information related to the
  cryptosystem (at least the ciphertext), determine
  plaintext and/or the key.
• The goal of the designer is to make this problem
  as difficult as possible for the cryptanalyst.

5
Problem definition

• General assumption all the details of the
  cryptosystem are known to the cryptanalyst.
• The only unknown is the key.

6

Problem definition

• Types of attack
• Ciphertext-only attack
• Known plaintext attack
• Chosen plaintext attack
• Chosen ciphertext attack.
• The ciphertext-only attack is the most difficult
  one for the cryptanalyst (in general).
• The more information known to the cryptanalyst,
  the easier the attack.

7

Problem definition

• The brute force attack
• Elementary attack no knowledge about
  cryptanalysis is necessary.
• Assumptions
• The cryptosystem is known.
• The ciphertext is known.
• The goal
• Determine the key/plaintext.
• The means
• Trying all the possible keys.

8

Problem definition

• Complexity of the brute force attack
• Extremely high, if there are many possible keys
  impractical.
• Key space the total number of keys possible in
  a cryptosystem.

9

Problem definitionExamples of key space size
Key space 40 bits 1?1012
Key space 56 bits (DES) 7?1016
Key space 128 bits 3?1038
Key space 256 bits 1?1077
Number of 256-bit primes 1?1072
Age of the Sun in seconds 1?1016
Number of clock pulses of a 3GHz computer clock through the Suns age 5.4?1026

10
Problem definition

• A cryptosystems security is ultimately
  determined by the size of its key space.
• However, this is the upper limit of this security
  measure.
• There may be a problem in the system design that
  may cause a significant reduction of the
  effective key space.
• The task of the cryptanalyst to find this
  pitfall and to use it to attack the system.

11

Symmetric systems

• Basic attack methods against stream and block
  ciphers
• Algebraic
• Statistical
• Algebraic attack
• The key symbols (e.g. bits) are the unknowns in
  the system of equations assigned to the PRNG.

12

Symmetric systems

• Algebraic attack (cont.)
• Given all the details of the PRNG to be
  cryptanalyzed (except the key bits), determine
  the system of equations that relates the bits of
  the output sequence with the bits of the key.
• The designers goal
• To make this system as non-linear as possible.
• The reason non-linear systems are difficult to
  solve there is no general method other than
  trying all the possible values of the variables
  2n possibilities for a system with n variables.

13

Symmetric systems

• The problem of solving a non-linear system in
  GF(2) the satisfiability problem (SAT).
• Cooks theorem (1971)
• SAT is NP-complete
• However, some instances of the SAT problem may be
  easier to solve.
• The designer should check the system assigned to
  the PRNG.

14
Symmetric systems

• Example consider the PRNG below

15
Symmetric systems

• The system of equations
• (1) y1(x1x4)(x5x7)
• x1x5x1x7x4x5x4x7
• (2) y2(x1x4x3)(x5x7x6)
• x1x5x1x7x1x6x4x5x4x7x4x6
• x3x5x3x7x3x6
• (we need 7 independent equations)

16
Symmetric systems

• Methods of solving the system
• The brute force method try all the possible 27-1
  solutions (all zeros are not permitted).
• The linearization method
• Replace all the products by new variables
• Solve the obtained linear system (e.g. by
  Gaussian algorithm)
• Try to guess the variables that were included in
  the products, given the values of the new
  variables, in such a way that the overall system
  is consistent.

17
Symmetric systems

• Example (cont.)
• y1z1z2z3z4
• y2z1z2z5z3z4z6z7z8z9

18
Symmetric systems

• There are many other methods of solving systems
  assigned to PRNGs
• Linear consistency test (LCT)
• Methods of computational commutative algebra
  (Groebner bases etc.)
• etc.
• Cryptanalysis of a seriously designed system
  always includes search.

19
Symmetric systems

• Statistical methods
• In the previous example, the majority of the
  output symbols will be zero, due to the AND
  combining function.
• The non-linearity of the assigned system of
  equations is the highest possible.
• However, it is possible to make use of bad
  statistical properties of the output sequence to
  determine the plaintext sequence.

20
Symmetric systems

• Example
• With the AND output combiner, the probability of
  zero in the output sequence will be ¾.
• This means that, upon enciphering with this
  sequence as the keystream, the probability that
  the plaintext bit is equal to the ciphertext bit
  is ¾.
• Consequence easy reconstruction of the
  plaintext.

21
Symmetric systems

• Correlation The output sequence coincides too
  much with one or more internal sequences this
  enables correlation attacks a kind of
  statistical attack.
• Correlation attacks
• It is possible to divide the task of the
  cryptanalyst into several less difficult tasks
  Divide and conquer.

22
Symmetric systems

• Typical example the Geffes generator

F balanced good statistical properties
23
Symmetric systems

• Problem Correlation!

24
Symmetric systems

• Since the output sequence is correlated with both
  input sequences, we can independently guess the
  input sequences bits with high probability if
  the output sequence is known.

25


Symmetric systems

• Two most important attacks against block ciphers
• Linear cryptanalysis
• Differential cryptanalysis
• Modern block ciphers are designed in such a way
  that these attacks have no chance of success
  (Rijndael, Kasumi, etc.)

26


Symmetric systems

• Linear cryptanalysis
• Known plaintext attack
• the cryptanalyst has a set of plaintexts and the
  corresponding ciphertexts
• The cryptanalyst has no way of guessing which
  plaintext and the corresponding ciphertext were
  used.

27
Symmetric systems

• Linear cryptanalysis tries to take advantage of
  high probability occurrences of linear
  expressions involving plaintext bits, ciphertext
  bits (or round output bits) and subkey bits.
• The basic idea is to approximate the operation of
  a portion of the cipher with a linear expression.
• The approach is to determine such expressions
  with high or low probability of occurrence.

28
Symmetric systems

• Example
• Here, i and j are the numbers of the rounds from
  which the bits of the input vector X and the
  output vector Y are taken, respectively.
• u bits from the vector X and v bits from the
  vector Y are taken.

29
Symmetric systems

• If a block cipher displays a tendency for such
  linear equations to hold with a probability much
  higher (or much lower) than ½, this is evidence
  of the ciphers poor randomization abilities.
• The deviation (bias) from the probability of ½
  for such an expression to hold is exploited in
  linear cryptanalysis.
• This deviation is denominated linear probability
  bias.

30
Symmetric systems

• Denominate the probability that the equation
  holds with pL.
• The higher the magnitude of the probability bias
  ?pL-1/2?, the better the applicability of linear
  cryptanalysis with fewer known plaintexts
  required in the attack.
• pL1 catastrophic weakness there is always a
  linear relation in the cipher.
• pL0 catastrophic weakness there is an affine
  relationship in the cipher (a complement of a
  linear relationship).

31
Symmetric systems

• Consider two random variables, X1 and X2.
• X1?X20 a linear expression equivalent to
  X1X2.
• X1?X21 an affine expression equivalent to
  X1?X2.
• Assume the following probability distributions
  

32
Symmetric systems

• If X1 and X2 are independent, then

33


Symmetric systems

• It can be shown that

34

Symmetric systems

• With probability bias introduced
• p11/2?1
• p21/2?2
• -1/2? ?1, ?2 ?1/2
• we have

35

Symmetric systems

• Extension to n random binary variables the
  piling-up lemma Matsui, 1993
• For n independent random binary variables, X1,
  X2, , Xn
• or equivalently

36
Symmetric systems

• If pi0 or 1 for all i, then
  or 1.
• If only one pi1/2, then
• In developing the linear approximation of a
  cipher, the Xi values actually represent linear
  approximations of the S-boxes.

37
Symmetric systems

• Example
• Four random binary variables, X1, X2, X3 and X4.
• Let and
• Let us derive the expression for the sum of X1
  and X3 by adding

38
Symmetric ciphers

• Since we may consider X1?X2 and X2?X3 to be
  independent, we can use the piling-up lemma to
  determine
• and consequently

39
Symmetric systems

• The expressions X1?X20 and X2?X30 are analogous
  to linear approximations of S-boxes
• The expression X1?X30 is analogous to a cipher
  approximation where the intermediate bit X2 is
  eliminated.
• A real analysis is much more complex, involving
  many S-box approximations.