Randomness and its relevance to Cryptology - Rajeeva L. Karandikar

SLIDE 1

Randomness and its relevance to Cryptology

Rajeeva L. Karandikar Director Chennai Mathematical Institute rlk@cmi.ac.in rkarandikar@gmail.com

Rajeeva L. Karandikar Chennai Mathematical Institute Notion of Randomness and its relevance to Cryptology - 1

SLIDE 2

One way to understand the role of Randomness in Cryptology is to view Cryptology as a Game - a Game between the algorithm designer and the hacker. Like in any game, both want to win.

SLIDE 3

Now let us think about the game of cricket. Suppose there is a new bowler who is extremely good: he can bowl every ball at yorker length, and if left alone by the batsman, it will hit the middle stump right in the middle. What do you think will happen in his first match? Lots of wickets, as any time a batsman misses, the ball will hit the stumps.

SLIDE 4

But soon the batsmen would figure this out and would happily hit every ball for a six! And if the batsman was one of, say, Kapil Dev, Shrikant, Sachin, Ganguly, Dravid, Sehwag, Dhoni, Rohit Sharma, Kohli, he could close his eyes and hit every ball for a six.

SLIDE 5

A bowler will be successful in the long run if he can bring in a lot of variation in his bowling... Variation means that a batsman facing him cannot easily guess the trajectory of the ball, in other words to the batsman, it would appear to be Random.

SLIDE 6

Cryptology and World War II

Most of you would have heard or read about Enigma cipher and its breaking by a team based in Bletchley Park in Buckinghamshire and its impact on World War II. The team that broke the code included Linguists and Mathematicians including Alan Turing. It is believed that breaking Enigma had a big impact on the course of the WWII.

SLIDE 7

Cryptology and World War I

It is less well known that an encrypted telegram sent by German Foreign Secretary Arthur Zimmermann to the German Ambassador Johann von Bernstorff in Washington also had an impact on WWI. The telegram was intended for German Ambassador Heinrich von Eckardt in Mexico City seeking an alliance with Mexico against United States. The encrypted telegram was intercepted by the British.

SLIDE 8

Zimmermann Telegram

SLIDE 9

Cryptology and World War I

The telegram has been termed the Zimmermann telegram. The encrypted telegram was broken by Room 40, the Admiralty’s cipher bureau, named after the office in which it was initially housed. The team in Room 40 consisted of linguists, classical scholars and crossword addicts. The decoded message was passed on to the United States by the British. This played a major role in the USA’s decision to enter WWI against Germany.

SLIDE 10

Cryptology and World War

It seems that in the World War I era, the cipher bureau in Room 40 did not have mathematicians. By the time of World War II, the team had been expanded to include mathematicians. Let us examine possible reasons behind this.

SLIDE 11

Examples of Ciphers

A substitution cipher: one could construct a permutation of the 26 characters by, say, adding 7 and multiplying by 9 modulo 26. In this case 7 and 9 need to be shared by the sender and receiver. The information that needs to be shared is called a key. In such cases, linguists together with crossword enthusiasts can take a crack at breaking the code, as was the case at Room 40 during WWI.
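The permutation described on this slide, written out as an added example (not part of the original slides). It also shows the pattern that survives encryption: the sorted letter counts and the index of coincidence of the ciphertext equal those of the plaintext. The sample sentence is constructed for illustration.

```python
from collections import Counter
import string

A = string.ascii_uppercase
ADD, MUL = 7, 9                    # the shared key from the slide
MUL_INV = pow(MUL, -1, 26)         # 3, because 9 * 3 = 27 = 1 (mod 26)

def encrypt(text: str) -> str:
    """Map each letter x to (x + 7) * 9 mod 26; other characters pass through."""
    return "".join(A[(A.index(c) + ADD) * MUL % 26] if c in A else c
                   for c in text.upper())

def decrypt(text: str) -> str:
    """Invert the permutation: x = y * 9^-1 - 7 mod 26."""
    return "".join(A[(A.index(c) * MUL_INV - ADD) % 26] if c in A else c
                   for c in text)

def frequency_profile(text: str) -> list:
    """Letter counts sorted high to low; a substitution only relabels them."""
    return sorted(Counter(c for c in text if c in A).values(), reverse=True)

def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text are the same letter.
    English text is typically near 0.066, uniformly random letters near 0.038."""
    counts = Counter(c for c in text if c in A)
    n = sum(counts.values())
    return sum(k * (k - 1) for k in counts.values()) / (n * (n - 1))

# Constructed sample plaintext (not taken from any historical message).
PLAIN = ("THE SENDER AND THE RECEIVER SHARE THE TWO NUMBERS SEVEN AND NINE "
         "AND EVERY LETTER OF THE MESSAGE IS REPLACED BY ANOTHER LETTER")

if __name__ == "__main__":
    cipher = encrypt(PLAIN)
    print(cipher)
    print(decrypt(cipher) == PLAIN)
    print(index_of_coincidence(PLAIN), index_of_coincidence(cipher))
```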

SLIDE 12

Substitution ciphers....

One could use a more complicated permutation, but then encrypting a message and decrypting a message would become more tedious if we were to do these by hand. This is where rotary machines came in and by WWII they were being used to encrypt and decrypt. In some cases, a copy of the machine used was stolen or details revealed to the adversary by a spy and so the algorithm was known and problem was to guess or find the secret key.

SLIDE 14

Substitution ciphers....

The secret key was used by setting the initial positions of the rotating wheels. Once the type of machine being used was known, mathematical analysis of the possibilities became possible, and this explains why by the time of WWII the team at Room 40 was expanded to include mathematicians, a move that paid rich dividends.

SLIDE 15

Substitution ciphers

In a few decades after WWII, usage of computers became common and if the WWII era algorithms were still used in say the 80’s, it would have been possible to break the code easily using power of a workstation. But if the hackers could use computers, so could the sender and receiver and thus use more complex algorithms.

SLIDE 16

Absence of patterns

Now instead of the alphabet for the message being A, B, C, ..., the alphabet is just {0, 1} and every message is coded as a string of 0’s and 1’s, i.e. as a binary string, as it is stored on a computer hard disc. When the messages were strings of letters, linguists had a role in looking for patterns. If the encrypted message could be differentiated from pure gibberish, that would give a starting point for cryptanalysis.

SLIDE 17

Absence of patterns... Randomness

When message as well as encrypted message is a long string of 0’s and 1’s, role of linguists has been reduced to deciding if a given text is meaningful text in the language or not. Now finding a pattern in a string of 0’s and 1’s can be thought of as follows: Can the given string be differentiated from results of a fair coin toss: with say head recorded as 1 and tail recorded as 0.

SLIDE 18

Absence of patterns... Randomness

Thus one necessary condition that emerges is that the output of an encryption algorithm should appear to be a random bit stream, i.e. it should be indistinguishable from the output of a random bit stream.

SLIDE 19

Test for Randomness

This leads us to the question: Consider the null hypothesis H0 : X1, X2, . . . , XN are i.i.d. with P(Xi = 1) = P(Xi = 0) = 0.5. The alternative hypothesis H1 is just the negation of H0. What statistical test should be used to test the hypothesis?

SLIDE 20

Test for Randomness

Analysis of crypto algorithms is made assuming that the adversary knows the algorithm and that the strength of the algorithm is in the secrecy of the key. This also means that the adversary can analyze the algorithm by trying various keys and hence can generate large encrypted texts to look for patterns, if any, i.e. departures from randomness.

SLIDE 21

Test for Randomness

The standard test based on the CLT is good and detects departure from the null hypothesis if P(Xi = 1) = p and P(Xi = 0) = 1 − p with p ≠ 0.5. However, if X1, X2, . . . , XN are not independent but {Xn} is a stationary process such that P(Xi = 1) = P(Xi = 0) = 0.5, then the power of the CLT-based test is not high, because the CLT holds under much more general conditions than i.i.d.

SLIDE 22

Test for Randomness

Given that we can observe X1, X2, . . . , XN for large N, a test called Maurer’s universal test seems to be good for this purpose. Let the observed values be written as a bitstream B of length N.

The test has a parameter L. We describe below the test statistic τ(B) with L = 8.

SLIDE 23

Maurer’s universal test

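Let us split the bitstream B into non-overlapping L-bit blocks: $B = B_1 B_2 \ldots B_m$, where each $B_i$ is L bits and $N = Lm$. For $1 \le i \le m$ let

$$G(B_i) = \begin{cases} i - j & \text{if } \exists\, j : B_j = B_i \text{ and } B_k \ne B_i \text{ for } j < k < i, \\ i & \text{if no such } j \text{ exists.} \end{cases}$$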

SLIDE 24

Maurer’s universal test

Thus, $G(B_i)$ is the gap since the last occurrence of the pattern $B_i$ in the stream $B_1 B_2 \ldots B_{i-1}$ and equals i if the pattern $B_i$ has not occurred before. Let

$$\tau_0(B) = \frac{1}{m - q} \sum_{i=q+1}^{m} \log_2 G(B_i).$$

The distribution of τ is asymptotically Normal (under the null hypothesis) and the asymptotic mean and variance have been computed.

SLIDE 25

Maurer’s universal test

Recommended values of q, m are $q = 10 \times 2^L$ and $m = 1010 \times 2^L$. For L = 8, it means that the bitstream should have N = 2068480 bits. In that case, the mean and standard deviation of $\tau_0(B)$ (for a random bitstream) are 7.1836656 and 0.00217401 respectively. Thus

$$\tau(B) = \frac{\tau_0(B) - 7.1836656}{0.00217401}$$

has a standard normal distribution under the null hypothesis that B is a random bitstream.
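The statistic τ(B) of slides 22 to 25 for L = 8, computed next to the CLT-based frequency statistic of slide 21, as an added example that is not part of the original slides. The two input streams are constructed here: a seeded Python PRNG stream, and a repeating byte counter whose bits are exactly balanced but completely dependent.

```python
import math
import random

L = 8                              # block length in bits, so one block is one byte
Q = 10 * 2**L                      # q on the slide: initialisation blocks
M = 1010 * 2**L                    # m on the slide: N = L * m = 2068480 bits
MEAN, SD = 7.1836656, 0.00217401   # values quoted on the slide for L = 8

def monobit_z(data: bytes) -> float:
    """CLT-based frequency statistic: (#ones - #zeros) / sqrt(N)."""
    n_bits = 8 * len(data)
    ones = bin(int.from_bytes(data, "big")).count("1")
    return (2 * ones - n_bits) / math.sqrt(n_bits)

def maurer_tau(data: bytes) -> float:
    """Standardised Maurer statistic tau(B) for L = 8."""
    if len(data) != M:
        raise ValueError(f"need exactly {M} bytes ({L * M} bits)")
    last_seen = {}                 # block value -> index of its latest occurrence
    total = 0.0
    for i, block in enumerate(data, start=1):
        gap = i - last_seen.get(block, 0)   # G(B_i); equals i if never seen
        last_seen[block] = i
        if i > Q:                  # the first q blocks only initialise the table
            total += math.log2(gap)
    tau0 = total / (M - Q)
    return (tau0 - MEAN) / SD

def sample_streams():
    """Constructed inputs: a seeded PRNG stream and a repeating byte counter."""
    rng = random.Random(2024)
    prng = rng.getrandbits(8 * M).to_bytes(M, "big")
    counter = bytes(i % 256 for i in range(M))   # balanced bits, fully dependent
    return prng, counter

if __name__ == "__main__":
    for name, stream in zip(("prng", "counter"), sample_streams()):
        print(f"{name:8s} monobit z = {monobit_z(stream):8.3f}   "
              f"Maurer tau = {maurer_tau(stream):9.3f}")
```

The counter stream has exactly as many 1’s as 0’s, so the frequency statistic is 0, while every gap is 256 and τ0 = 8, hundreds of standard deviations away from 7.1836656.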

SLIDE 26

What is a good block cipher?

We require that the cipher text is statistically indistinguishable from the output of a random bit-stream generator. If this holds, it can be taken as an indication that the ciphertext is not leaking any information about the message.

SLIDE 27

Test for Randomness for Blockciphers

For any plaintext F (with N = 2068480 bits) and any key K (of the required size), we require that the resulting ciphertext E(F, K) is indistinguishable from a random bitstream and hence τ(E(F, K)) should be an observation from the standard normal distribution.

SLIDE 28

Test for Randomness for Blockciphers

In addition to requiring that for any plaintext F and key K, the stream E(F, K) be indistinguishable from a random bitstream, it is usually required that a block cipher should satisfy the following properties:

SLIDE 29

Desirable properties of Blockciphers

(i) The plaintext and the corresponding ciphertext should be uncorrelated.
(ii) Changing one bit of the plaintext in each block should change nearly half of the bits of the ciphertext.
(iii) Changing one bit of the key in each block should change nearly half of the bits of the ciphertext.
(iv) Ciphertext decrypted with a wrong key (differing at exactly one bit from the correct key) should be statistically indistinguishable from the output of a random bit-stream generator.

SLIDE 30

Test for Randomness for Blockciphers

If the ciphertext is indistinguishable from a random bitstream, the requirement that the plaintext and the corresponding ciphertext be uncorrelated is equivalent to the requirement that roughly half the bits in the bitstream obtained by bitwise xor of the plaintext and ciphertext are 0’s. Now requiring that half the bits in a bitstream are 0’s is much weaker than the requirement that the bitstream is indistinguishable from a random bitstream. Thus we require that F ⊕ E(F, K) is indistinguishable from a random bitstream for all i, j.

SLIDE 31

Test for Randomness for Blockciphers

We strengthen (ii), (iii) and (iv) as follows. Let $F^{*t}$ denote the file obtained from F by changing the t-th bit in every block (where 1 ≤ t ≤ b, b being the block size). Since every bit is 0 or 1, changing here means that if it is 1 it becomes 0, and if it is 0 it becomes 1. So we require that (for a randomly chosen t, 1 ≤ t ≤ b) $E(F, K) \oplus E(F^{*t}, K)$ is indistinguishable from a random bitstream. This strengthens (ii).

SLIDE 32

Test for Randomness for Blockciphers

Similarly, for 1 ≤ s ≤ k (where k is the key size) let $K^{*s}$ denote the key obtained by changing the s-th bit in K. We then require that $E(F, K) \oplus E(F, K^{*s})$ is indistinguishable from a random bitstream. This strengthens (iii). And we require that $D(E(F, K), K^{*s})$ is indistinguishable from a random bitstream. This strengthens (iv).

SLIDE 33

Test for Randomness for Blockciphers

We further require that if the roles of E and D are interchanged, the resulting block cipher algorithm is also strong. For any plaintext F (with N = 2068480 bits) and any key K (of the required size), we require that the following 10 bitstreams be indistinguishable from a random bitstream:

SLIDE 34

The Derived bitstreams

$B_1 = E(F, K)$
$B_2 = F \oplus E(F, K)$
$B_3 = E(F, K) \oplus E(F, K^{*s})$
$B_4 = D(E(F, K), K^{*s})$
$B_5 = E(F, K) \oplus E(F^{*t}, K)$
$B_6 = D(F, K)$
$B_7 = F \oplus D(F, K)$
$B_8 = D(F, K) \oplus D(F, K^{*s})$
$B_9 = E(D(F, K), K^{*s})$
$B_{10} = D(F, K) \oplus D(F^{*t}, K)$

For any F, K these 10 bitstreams should be indistinguishable from a random bitstream.
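The ten derived bitstreams built for two ciphers, as an added example that is not part of the original slides. Both ciphers are assumptions of this example (a hypothetical 4-round SHA-256 Feistel toy cipher and a repeating-key XOR), and the constructed plaintext is shorter than the N the slides prescribe. Each stream would then go to the randomness test; here only the weaker necessary condition from the slides, about half the bits being 1, is evaluated.

```python
import hashlib
import random

BLOCK = 8  # toy block size b = 64 bits (assumption of this example)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def flip(data: bytes, bit: int, period: int) -> bytes:
    """Flip bit `bit` (0-based) in every `period`-byte block: gives F*t or K*s."""
    out = bytearray(data)
    for off in range(0, len(out), period):
        out[off + bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)

def feistel(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Hypothetical 4-round Feistel cipher with SHA-256 as round function."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        l, r = data[off:off + 4], data[off + 4:off + 8]
        if decrypt:
            l, r = r, l    # decryption: same rounds in reverse, halves swapped
        for n in (range(3, -1, -1) if decrypt else range(4)):
            l, r = r, xor(l, hashlib.sha256(key + bytes([n]) + r).digest()[:4])
        if decrypt:
            l, r = r, l
        out += l + r
    return bytes(out)

def repeating_xor(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Weak cipher for contrast: XOR with the key repeated (E equals D)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def derived_streams(cipher, F: bytes, K: bytes, s: int, t: int) -> list:
    """B1..B10 in the order of the slide."""
    E = lambda x, k: cipher(x, k)
    D = lambda x, k: cipher(x, k, decrypt=True)
    Ks, Ft = flip(K, s, len(K)), flip(F, t, BLOCK)
    c, p = E(F, K), D(F, K)
    return [c, xor(F, c), xor(c, E(F, Ks)), D(c, Ks), xor(c, E(Ft, K)),
            p, xor(F, p), xor(p, D(F, Ks)), E(p, Ks), xor(p, D(Ft, K))]

def ones_fractions(cipher, seed: int = 7, blocks: int = 4096) -> list:
    """Fraction of 1 bits in each derived stream, for constructed random F, K."""
    rng = random.Random(seed)
    F = rng.getrandbits(64 * blocks).to_bytes(BLOCK * blocks, "big")
    K = rng.getrandbits(128).to_bytes(16, "big")
    return [bin(int.from_bytes(b, "big")).count("1") / (8 * len(b))
            for b in derived_streams(cipher, F, K, s=5, t=9)]
```

For the repeating-key XOR, B3 and B8 contain exactly one 1 bit per key length and B5 and B10 one per block, so properties (ii) and (iii) fail visibly; the Feistel streams all sit near 0.5.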
