Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

Transcription

1 Unit 20 February 25, Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable

2 Unit 20 February 25, If X 1, X 2,..., X n are independent random variables all with the same probability distribution as X ( independent, identically distributed ) then P(X 1 + X X n = k) = The binomial distribution ( ) n n! special notation: = k k!(n k)! n! k!(n k)! pk q n k

3 Unit 20 February 25, Again, assume that { 1 with probability p X = 0 with probability q = 1 p Define β(x ) = p q the bias of X 0 β(x ) 1 β(x ) = 0 p = q = 1/2 β(x ) = 1 p = 0 or q = 0 β(x ) = β(x ) β(x ) = 2 p 1 2 = det ( p q q p ).

4 Unit 20 February 25, Suppose that Y is a second binomial variable { 1 with probability p Y = 0 with probability q = 1 p Assume that X and Y are independent. We can form a third binomial variable X Y. { 1 with probability pq + qp X Y = 0 with probability pp + qq Fact: β(x Y ) = β(x ) β(y ).

5 Unit 20 February 25, Experiment: Coin has bias β. Toss n times. If majority of the outcomes are heads, conclude coin is biased towards heads. What is the probability we make the right deduction? { 1 prob. p > 1 2 X i = for i = 1,..., n 0 prob. q = 1 p X = X 1 + X X n Note that p = (β + 1)/2

6 Unit 20 February 25, The probability that we make the right decision = P(X > n/2) = k>n/2 P(X = k) = k>n/2 1 2π ( ) n p k q n k k nβ e t2 /2 dt. To be right with probability at least.75, need n >.45/β 2.

7 Unit 20 February 25, Linear Crytanalysis Matsui 1993 First known-plaintext attack on DES that is better than brute-force Idea: find one (or several) linear relationships among the bits of the plaintext, ciphertext and key that has a high bias.

8 Unit 20 February 25, Linear cryptanalysis of 4-round baby lucifer Summary of baby lucifer: 8 bit block, 8 bit key 2 key bits/round

9 Unit 20 February 25, Each round looks like this: block: x 1 x 2... x 8 two key bits: k, l Apply f k to x 1 x 2 x 3 x 4 and f l to x 5 x 6 x 7 x 8 Permute the 8 bits k a f f l k b σ a l c 2011 Clifford Bergman

10 Unit 20 February 25, Here is a schmatic of the entire 4-round cipher. a 1 a 3 b 1 b 3 a 2 a 4 b 2 b 4 a 3 c 2011 Clifford Bergman a 5

11 Unit 20 February 25, I searched all linear combinations of inputs and outputs to the f -functions in order to find several with high biases. a1 a2 a3 a4 b1 b2 b3 b4 k Here are two (there are several other good ones)

12 Unit 20 February 25, a 4 b 1 b 2 b 3 k 1, β = 1 2 a 1 a 2 b 3 k 1, β = 3 8 (1) (2) Ie, for each of the 32 possible values of a 1, a 2, a 3, a 4, k let b 1, b 2, b 3, b 4 be the output bits. Count how many combinationsmake the expression yield 1 and how many yield 0. By including a 1 when necessary, we can ensure that the expression is always biased towards 0.

13 Unit 20 February 25, Applying equation (??) to the left side of round 2 a 2 4 b 2 1 b 2 2 b 2 3 k 3 1. After permuting the bits of b 2 : a 2 4 a3 5 a3 4 a3 6 k 3 1, β = 1/2 Similarly, applying equation (??) to the left side of round three: a 3 4 a4 5 a4 4 a4 6 k 5 1, β = 1/2 Applying equation (??) to right side of round 3: a 3 5 a3 6 a4 1 k 6 1, β = 3/8

14 Unit 20 February 25, Adding these three equations together, cancelling and rearranging (a 2 4 a 4 1 a 4 4 a 4 5 a 4 6) (k 3 k 5 k 6 1) A B (3) with a bias of β = 3/32 towards 0.

15 Unit 20 February 25, Now suppose that (p, c) is a p/c pair encrypted with the real key. Note that a 1 = p and a 5 = c. Guess the values of k 1, k 7, k 8 Use k 1 and a 1 to compute b 1 2 = a 2 4 Use k 7, k 8 and c to compute a 4 1, a 4 4, a 4 5, a 4 6 Compute the value of A in (??). Do this for many pairs (p, c). If we guessed right on k 1, k 7, k 8 then we should see a bias in A toward either 0 or 1. We assume then that k 3 k 5 k 6 = A 1. If we guessed wrong on k 1, k 7, k 8, there will (hopefully) be no bias in the value of A.

16 Unit 20 February 25, By checking (brute-force) all triples k 1, k 7, k 8, we should be able to determine those three bits plus the value of k 3 k 5 k 6. Now use brute-force to find k 2, k 3, k 4, k 5. Total keys checked by brute-force: = 24 which is a considerable improvement over 2 8 = 256. Number of known-plaintexts required for 75% accuracy: n.45β 2 =.45(32/3) 2 51

17 Unit 20 February 25, For DES, Matsui found a linear equation that spans 15 rounds with bias Using this equation, one can find 14 key-bits. Thus the number of keys to be tested by brute-force is Number of known-plaintexts required is 0.45/β

18 Unit 20 February 25, According to its designers: Every linear cryptanalytic attack on AES requires at least p/c pairs. This is worse than brute-force.