
    Testing the Randomness of Cryptographic Function Mappings

    A cryptographic function with a fixed-length output, such as a block cipher, hash function, or message authentication code (MAC), should behave as a random mapping. The mapping's randomness can be evaluated with statistical tests. Statistical test suites typically used to evaluate cryptographic functions, such as the NIST test suite, are not well-suited for testing fixed-output-length cryptographic functions. Also, these test suites employ a frequentist approach, making it difficult to obtain an overall evaluation of the mapping's randomness. This paper describes CryptoStat, a test suite that overcomes the aforementioned deficiencies. CryptoStat is specifically designed to test the mappings of fixed-output-length cryptographic functions, and CryptoStat employs a Bayesian approach that quite naturally yields an overall evaluation of the mappings' randomness. Results of applying CryptoStat to reduced-round and full-round versions of the AES block ciphers and the SHA-1 and SHA-2 hash functions are reported; the results are analyzed to determine the algorithms' randomness margins.

    New results on the genetic cryptanalysis of TEA and reduced-round versions of XTEA

    Congress on Evolutionary Computation, Portland, USA, 19-23 June 2004. Recently, a simple way of creating very efficient distinguishers for cryptographic primitives such as block ciphers or hash functions was presented by the authors. Here, this cryptanalytic attack is shown to be successful when applied to reduced-round versions of the block cipher XTEA. Additionally, a variant of this genetic attack is introduced, and its results on TEA are shown to be the most powerful published to date.

    GENERATING RANDOM SEQUENCES OF INCREASED CRYPTOGRAPHIC STRENGTH

    Random sequences are used in various applications in the construction of cryptographic systems or the formation of noise-type signals. For these tasks a software generator of random sequences is used, which is a deterministic device. Such a generator, as a rule, has special requirements concerning the quality of the number sequences it forms. In cryptographic systems the most often used are linear congruential generators, the main disadvantage of which is the short period of the pseudo-random number sequences they form. For this reason, the article proposes the use of chaos generators, since the period of the formed sequence in this case depends on the size of the digit grid (word size) of the computing system used. It is obvious that the quality of a chaos generator has to be estimated through the NIST test system. Therefore, a detailed assessment of their statistical characteristics is necessary for the practical application of chaos generators in cryptographic systems. The article considers various generators and also gives a qualitative assessment of the formation of the binary random sequence. The features of testing random number generators using this system are also considered. It is determined that not all chaos generators meet the requirements of the NIST tests. The article proposes methods for improving the statistical properties of chaos generators. A method of comparative analysis of random number generators based on the NIST statistical tests is proposed, which allows generators with the best statistical properties to be selected. Methods for improving the statistical characteristics of binary sequences formed on the basis of various chaos generators are also proposed.

    Random sequences are used to build cryptographic systems or to form interfering signals. For these tasks a random-sequence generator is used, which is a deterministic device. Such a generator, as a rule, has special requirements concerning the quality of the number sequence it produces. In cryptographic systems, linear congruential generators are used most often, the main disadvantage of which is the short period of the pseudo-random number sequences they form. For this reason, the article proposes the use of a chaotic generator, since in this case the sampling period depends on the size of the bit grid of the computing system used. It is obvious that the quality of a chaotic generator should be estimated using the NIST test system; therefore, a detailed assessment of their statistical characteristics is required for the practical application of chaotic generators in cryptographic systems. The article considers various generators and also gives a qualitative assessment of the formation process on the basis of a random binary sequence. The features of testing number generators using this system were also considered. It was found that not all chaotic generators meet the requirements of the NIST tests. The article proposes methods for improving the statistical properties of chaotic generators, as well as a method of comparative analysis of random number generators, based on the NIST statistical tests, which allows generators with the best statistical characteristics to be selected. Methods are also presented for improving the statistical properties of binary sequences formed on the basis of various chaotic generators.

    MV3: A new word based stream cipher using rapid mixing and revolving buffers

    MV3 is a new word based stream cipher for encrypting long streams of data. A direct adaptation of a byte based cipher such as RC4 into a 32- or 64-bit word version will obviously need vast amounts of memory. This scaling issue necessitates a look for new components and principles, as well as mathematical analysis to justify their use. Our approach, like RC4's, is based on rapidly mixing random walks on directed graphs (that is, walks which reach a random state quickly, from any starting point). We begin with some well understood walks, and then introduce nonlinearity in their steps in order to improve security and show long term statistical correlations are negligible. To minimize the short term correlations, as well as to deter attacks using equations involving successive outputs, we provide a method for sequencing the outputs derived from the walk using three revolving buffers. The cipher is fast -- it runs at a speed of less than 5 cycles per byte on a Pentium IV processor. A word based cipher needs to output more bits per step, which exposes more correlations for attacks. Moreover we seek simplicity of construction and transparent analysis. To meet these requirements, we use a larger state and claim security corresponding to only a fraction of it. Our design is for an adequately secure word-based cipher; our very preliminary estimate puts the security close to exhaustive search for keys of size < 256 bits. Comment: 27 pages, shortened version will appear in "Topics in Cryptology - CT-RSA 2007".

    Towards Human Computable Passwords

    An interesting challenge for the cryptography community is to design authentication protocols that are so simple that a human can execute them without relying on a fully trusted computer. We propose several candidate authentication protocols for a setting in which the human user can only receive assistance from a semi-trusted computer --- a computer that stores information and performs computations correctly but does not provide confidentiality. Our schemes use a semi-trusted computer to store and display public challenges $C_i \in [n]^k$. The human user memorizes a random secret mapping $\sigma:[n]\rightarrow\mathbb{Z}_d$ and authenticates by computing responses $f(\sigma(C_i))$ to a sequence of public challenges, where $f:\mathbb{Z}_d^k\rightarrow\mathbb{Z}_d$ is a function that is easy for the human to evaluate. We prove that any statistical adversary needs to sample $m=\tilde{\Omega}(n^{s(f)})$ challenge-response pairs to recover $\sigma$, for a security parameter $s(f)$ that depends on two key properties of $f$. To obtain our results, we apply the general hypercontractivity theorem to lower bound the statistical dimension of the distribution over challenge-response pairs induced by $f$ and $\sigma$. Our lower bounds apply to arbitrary functions $f$ (not just to functions that are easy for a human to evaluate), and generalize recent results of Feldman et al. As an application, we propose a family of human computable password functions $f_{k_1,k_2}$ in which the user needs to perform $2k_1+2k_2+1$ primitive operations (e.g., adding two digits or remembering $\sigma(i)$), and we show that $s(f) = \min\{k_1+1, (k_2+1)/2\}$. For these schemes, we prove that forging passwords is equivalent to recovering the secret mapping. Thus, our human computable password schemes can maintain strong security guarantees even after an adversary has observed the user log in to many different accounts. Comment: Fixed bug in definition of $Q^{f,j}$ and modified proofs accordingly.