Secret agents leave big footprints: how to plant a trapdoor in a cryptographic function and why you...
-
date post
21-Dec-2015 -
Category
Documents
-
view
212 -
download
0
Transcript of Secret agents leave big footprints: how to plant a trapdoor in a cryptographic function and why you...
Secret agents leave big footprints: how to Secret agents leave big footprints: how to plant a trapdoor in a cryptographic function plant a trapdoor in a cryptographic function
and why you might not get away with it.and why you might not get away with it.
GECCO 2003GECCO 2003
John A Clark, Jeremy L Jacob and Susan Stepney
Dept of Computer ScienceUniversity of York,
York YO10 5DD, England
16 July 2003
A Research Exercise in Pure EvilA Research Exercise in Pure Evil
Do you feel frustrated and annoyed by people’s ability to use modern day crypto-algorithms when they have no intention whatsoever of supplying you with a secret key so you can listen in?
Don’t worry – there is a solution. – Get them to use an algorithm that looks secure but which only you
know how to break.
Technical: it’s in the cost function! Different cost functions give different results.
Moral: Optimisation may be used and abused.
The Data Encryption Standard is the most controversial cipher in history.– Developed on behalf of the US Govt..– Based on previous IBM work.– Issued in 1976 as FIPS 46.– 56 bit key (64 in fact but there are check bits) is
controversial: key length was originally 128; suspicion over NSA motives.
Criteria for the design were not revealed.
Conspiracy theory as motivation: Conspiracy theory as motivation: Data Encryption Standard (DES)Data Encryption Standard (DES)
Conspiracy theory as motivation: Conspiracy theory as motivation: Data Encryption Standard (DES)Data Encryption Standard (DES)
Input
IP
L0 R0
L16 R16
Sixteen cycles
R16 L16
Inverse IP
L Key
L'
Key'
Shift Shift
Compression Perm
48
56
R
R'
P-Box Perm
S-box Substitution
Expansion Perm
32
48
48
32
32 3264
S2 S3 S4 S5 S6 S7 S8S1
Matters became amusing in 1994 Theoretically promising method emerged in the late 80’s and
early 90’s - differential cryptanalysis. DES was surprisingly resilient to differential cryptanalysis. Don Coppersmith wrote a paper (1994) that revealed some of
the design criteria and stated that DES was resistant to differential cryptanalysis because it had been specifically designed so.
IBM (presumably from the NSA) knew about the method of attack 16 or more years before it was discovered and published by leading cryptography academics.
DES is more vulnerable to a later method (linear cryptanalysis) Actually specialised FPGA hardware can now break DES in a few
hours.
Conspiracy theory as motivation: Conspiracy theory as motivation: Data Encryption Standard (DES)Data Encryption Standard (DES)
Does DES have a trapdoor in it – a special property that can be exploited by people in the know?
We do not know. It seems actually to be a rather good algorithm.
– But the idea of having a secret trapdoor – now I like that. How can we design cryptosystem that looks good but which I may
know how to break? How can we prevent the wrangling about honesty in design?
Let’s try heuristic search. Will illustrate principle on the simplest component –a single-valued Boolean function used in stream ciphers.
Conspiracy theory as motivation: Conspiracy theory as motivation: Data Encryption Standard (DES)Data Encryption Standard (DES)
Classical Stream Cipher ModelClassical Stream Cipher Model
Plaintext Stream Pj
Keystream Zj
Cipherstream Cj
f
LSFR 1
LSFR 2
LSFR n
Pj
Zj
Cj
L1j
L2j
Lnj
Combining Boolean function f.Receiver can generate key stream and recover plaintext
say 32 Bit registers
Boolean Function DesignBoolean Function Design A Boolean function f:{0,1}n->{0,1}
Polar representation0 0 00 0 10 1 00 1 11 0 01 0 11 1 01 1 1
01234567
1 -10 10 10 11 -10 11 -11 -1
f(x) f(x)x
Will talk only about balanced functions where there are equal numbers of 1s and -1s.
A move simply swaps a 1 and a –1.
Functions are essentially represented as binary vectors
Planting TrapdoorsPlanting Trapdoors
Design Space
Trapdoor Property T
Public Goodness Property P
e.g. high non-linearity,
low autocorrelation
OptimisationOptimisation
Suppose you have an effective optimisation based approach to getting functions with public property P. Let the cost function used be – Cost=honest(f)
Suppose you have an effective optimisation based approach to getting functions with trapdoor property T. Let the cost function used be – Cost=trapdoor(f)
We can combine the two– sneakyCost(f) = (1- ) honest(f)+trapdoor(f) is the malice factor: =0 truly honest; =1=>wicked– Will you get caught out?
Example Trapdoor FunctionExample Trapdoor Function
We want to be able to tell whether an unknown trapdoor has been inserted.
Experiments have used a randomly generated vector as trapdoor. Closeness to this vector (measured by Hamming distance) represents a good trapdoor bias.
Want to investigate what happens when different malice factors are used.
We shall consider high non-linearity and low autocorrelation as public goodness measures.
You say you did, I say you didn’tYou say you did, I say you didn’t
Publicly good solutions with high trapdoor bias found by annealing and combined honest and trapdoor cost functions.
Publicly good solutions, e.g. Boolean functions with same very high non-linearity
Publicly good solutions found by annealing and honest cost function
There appears nothing to distinguish the sets of solutions obtained – unless you know what form the trapdoor takes!
Or is there…
n=8: Examples with non-linearity vs autocorrelationn=8: Examples with non-linearity vs autocorrelation
110 112 114 11664 0 0 0 056 0 0 0 048 0 0 0 140 0 0 3 432 0 2 7 1224 0 0 0 1
MeanTrap=12.8
Non-linearity
Au
tocorr
ela
tion
110 112 114 11664 0 0 0 056 0 0 1 048 0 0 7 040 0 0 16 032 0 0 6 024 0 0 0 0
MeanTrap=198.9
110 112 114 11664 0 0 1 056 0 0 2 048 0 1 6 040 0 2 17 032 0 0 1 024 0 0 0 0
MeanTrap=213.1
110 112 114 11664 0 0 1 056 0 1 2 048 0 5 7 040 0 2 12 032 0 0 0 024 0 0 0 0
MeanTrap=222.1
Au
tocorr
ela
tion
110 112 114 11664 0 1 0 056 0 4 1 048 0 19 1 040 0 3 1 032 0 0 0 024 0 0 0 0
MeanTrap=232.3
110 112 114 11680 2 0 0 072 4 1 0 064 10 6 0 056 2 5 0 048 0 0 0 040 0 0 0 032 0 0 0 024 0 0 0 0
MeanTrap=242.7
=0.0 =0.2 =0.4
=0.6 =0.8 =1.0
Vector RepresentationsVector Representations
+1
-1
+1
+1
-1
+1
-1
-1
Different cost functions may give similar goodness results but may do so in radically different ways.
Results using honest and dishonest cost functions cluster in different parts of the design space
Basically distinguish using discriminant analysis.
If you don’t have an alternative hypothesis then you can generate a family of honest results and ask how probable the offered one is.
Vector RepresentationsVector RepresentationsFor two groups G1 and G2.
Calculate the mean vectors m1 and m2. Project m2 onto m1 and obtain the residual r.
Now project each vector in each group onto the residual and take absolute value.
Games People PlayGames People Play
It seems possible to tell that something has been going on. And we don’t need to know precisely what has been going
on. Since any design has a binary vector representation the
technique is general. Meta games:
– Some variations on a theme can be attempted. If you know the means of detection you may be able to add a cost function component concerned with detectability
sneakierCost(f) = (1- ) honest(f)+malice(f)+ detectability(f)
Conclusions Conclusions
Optimisation based design process may be open and reproducible.
Optimisation can be abused. Optimisation allows a family of representative
designs to be obtained. Designs developed against different criteria just
look different. The games just do not stop.
Coda Coda
Search based approaches are not just for toy problems. – For several major criteria of interest search based
approaches have equalled or bettered the combined best efforts of theoreticians for n<=8.
– Have recently produced hitherto unattained results for n=9.
– Disproved cryptological conjectures in the literature.
CEC Special strand on computer security. Web page at www.cs.york.ac.uk/security
(part of virtual library)
Bonus Track Bonus Track
You cane even tell which technique people have used.– Simulated Annealing andGAs may also give different
types of solution. Experiment: Evolved a pseudo-random number generator as
FPGA netlist– Randomness criteria as cost function components– Cost function components can act as classifiers too!
View evolved programs as bit strings and feed them through the cost functions components used to evolve them.