On the Origin of Yet another Channel

Authors

  • Petr Svenda
  • Václav Matyás
Abstract

Cryptanalysis of a cryptographic function such as a stream cipher, block cipher or hash function usually requires human cryptanalytical skill and labour. However, some automation is possible, e.g., by randomness testing suites like NIST/Diehard that can be applied to test statistical properties of cryptographic function outputs. Yet such testing suites are limited to predefined statistical functions. We propose a more open approach based on a combination of software circuits and evolutionary algorithms to search for unwanted statistical properties like next-bit predictability or random data non-distinguishability. The design of a software circuit acting as a testing function is automatically evolved by a stochastic optimization algorithm and uses the potentially unknown “other channel” leaking information during cryptographic function evaluation. We tested this approach on candidate algorithms for the SHA-3 and eStream competitions, with comparable (but slightly worse) results as the STS NIST and Diehard tests w.r.t. the number of rounds of the inspected algorithm where tests are still able to detect unwanted statistical properties in output. Additionally, the proposed approach is not limited to assessing randomness-like properties in function output, but can also be used for other tests, such as whether a function is invertible or how its avalanche effect degrades.

1 Unguided hunt for weaknesses in cryptographic functions

The main motivation for this work is to provide a tool with the crucial ability to automatically probe for unwanted properties of cryptographic functions that signal flaws in the function design. Such properties might be (note that we intentionally target a broad range of cryptographic functions):

  • predictability of the next output bit (stream ciphers),
  • corrupted avalanche effect (hash functions, stream ciphers),
  • distinguishability of function outputs from truly random data (block ciphers), etc.

The typical cryptanalytical approach against a new cryptographic function is usually based on the application of various statistical testing tools (STS NIST, Diehard) as the first step, and then the application of established cryptanalytical procedures (algorithmic attacks, differential cryptanalysis) combined with an in-depth knowledge of the inspected function. The first step can be at least partly automated and is (relatively) easy to apply, but will detect only the most visible defects in function construction or apply only to a limited number of algorithm rounds. The second approach usually yields much stronger insight and detects more defects, but usually requires extensive human cryptanalytical labour. Additionally, general statistical testing tools are limited to a predefined set of statistical tests. That on one hand makes the follow-up analytical work easier if the function does not pass a certain test, yet on the other hand severely limits the potential to detect other defects.

We designed and tested an automated process that can be used in a similar manner as general statistical testing suites, but additionally provides the possibility to construct (again automatically) new tests. We represent “tests” as a hardware-like circuit, with a software emulator to execute the circuit over given inputs and compute outputs, and evolutionary algorithms (EAs) to design the circuit layout (“wires” and “gates”). Although such an automated tool will not (at least for the moment) outperform a skilled cryptographer on a particular cryptographic function, it still has two main advantages:

  • It can be applied automatically against multiple different cryptographic functions with no additional human labour; a working implementation of the inspected function is sufficient.
  • It may discover and use unanticipated information leakage “channels” from the function other than those usually assumed by cryptographers.

We implemented the tool (more details are given in Section 3) and tested our idea on SHA-3/e-Stream candidate functions (details are given in Section 4). Results are very similar to those obtained from the NIST and Diehard test suites w.r.t. the number of rounds of the inspected function where tests were able to find some defects. Based on experience with the behaviour and significance of results, we add a detailed discussion about potential extensions, the expressive power of a circuit and interesting behaviour detected (Section 5). Conclusions are given in Section 6.
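The circuit-as-test idea described above can be sketched in a few lines. This is an added example, not the authors' tool: the gate set, the (1+1) mutation scheme and the toy "function" with a planted defect are all assumptions made for illustration.

```python
import random

N_IN, N_GATES = 8, 6            # input bits per sample, gates per circuit (assumed sizes)
OPS = {"AND": lambda x, y: x & y, "OR": lambda x, y: x | y,
       "XOR": lambda x, y: x ^ y, "XNOR": lambda x, y: 1 - (x ^ y)}

def run_circuit(circuit, bits):
    """Emulate the circuit: each gate reads two earlier nodes; the last gate is the verdict."""
    nodes = list(bits)
    for op, a, b in circuit:
        nodes.append(OPS[op](nodes[a], nodes[b]))
    return nodes[-1]            # 1 = "came from the function", 0 = "random"

def random_gate(i, rng):
    """Gate i may be wired to any input bit or any earlier gate."""
    return (rng.choice(list(OPS)), rng.randrange(N_IN + i), rng.randrange(N_IN + i))

def weak_sample(rng):
    """Constructed toy 'function' output with a planted defect: bit 1 repeats bit 0."""
    bits = [rng.randrange(2) for _ in range(N_IN)]
    bits[1] = bits[0]
    return bits

def make_dataset(n, rng):
    """Labelled samples: n from the toy function (label 1), n from the reference RNG (label 0)."""
    data = [(weak_sample(rng), 1) for _ in range(n)]
    data += [([rng.randrange(2) for _ in range(N_IN)], 0) for _ in range(n)]
    return data

def fitness(circuit, data):
    """Fraction of samples whose origin the circuit guesses correctly (0.5 = chance)."""
    return sum(run_circuit(circuit, bits) == label for bits, label in data) / len(data)

def evolve(start, data, rng, steps=2000):
    """(1+1) evolution: rewire one gate at random, keep the child if it is no worse."""
    best, best_fit = list(start), fitness(start, data)
    for _ in range(steps):
        child = list(best)
        i = rng.randrange(N_GATES)
        child[i] = random_gate(i, rng)
        f = fitness(child, data)
        if f >= best_fit:
            best, best_fit = child, f
    return best, best_fit

if __name__ == "__main__":
    rng = random.Random(2013)
    data = make_dataset(500, rng)
    start = [random_gate(i, rng) for i in range(N_GATES)]
    circuit, fit = evolve(start, data, rng)
    print(f"start {fitness(start, data):.3f} -> evolved {fit:.3f}", circuit)
```

A fitness that stays near 0.5 means the evolved circuit found nothing to separate the two sources; here the single gate XNOR(bit 0, bit 1) already reaches about 0.75, because it is always right on the defective source and right half the time on random data.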


Publication date: 2013