Secret agents leave big footprints: how to plant a trapdoor in a cryptographic function and why you might not get away with it.
GECCO 2003
John A Clark, Jeremy L Jacob and Susan Stepney
Dept of Computer Science, University of York, York YO10 5DD, England
16 July 2003

Dec 21, 2015


Page 2: A Research Exercise in Pure Evil

Do you feel frustrated and annoyed by people’s ability to use modern day crypto-algorithms when they have no intention whatsoever of supplying you with a secret key so you can listen in?

Don’t worry – there is a solution.
– Get them to use an algorithm that looks secure but which only you know how to break.

Technical: it’s in the cost function! Different cost functions give different results.

Moral: Optimisation may be used and abused.

Page 3: Conspiracy theory as motivation: Data Encryption Standard (DES)

The Data Encryption Standard is the most controversial cipher in history.
– Developed on behalf of the US Govt.
– Based on previous IBM work.
– Issued in 1976 as FIPS 46.
– 56 bit key (64 in fact but there are check bits) is controversial: key length was originally 128; suspicion over NSA motives.

Criteria for the design were not revealed.

Page 4: Conspiracy theory as motivation: Data Encryption Standard (DES)

[Figure: DES block diagram. Input, IP, L0 and R0, sixteen cycles, L16 and R16 swapped to R16 L16, inverse IP. Round detail: the key halves are shifted and passed through the compression permutation (56 to 48 bits); R is passed through the expansion permutation (32 to 48 bits), S-box substitution with S1 to S8 (48 to 32 bits) and the P-box permutation.]

Page 5: Conspiracy theory as motivation: Data Encryption Standard (DES)

Matters became amusing in 1994.
Theoretically promising method emerged in the late 80’s and early 90’s - differential cryptanalysis.
DES was surprisingly resilient to differential cryptanalysis.
Don Coppersmith wrote a paper (1994) that revealed some of the design criteria and stated that DES was resistant to differential cryptanalysis because it had been specifically designed so.
IBM (presumably from the NSA) knew about the method of attack 16 or more years before it was discovered and published by leading cryptography academics.
DES is more vulnerable to a later method (linear cryptanalysis).
Actually specialised FPGA hardware can now break DES in a few hours.

Page 6: Conspiracy theory as motivation: Data Encryption Standard (DES)

Does DES have a trapdoor in it – a special property that can be exploited by people in the know?

We do not know. It seems actually to be a rather good algorithm.
– But the idea of having a secret trapdoor – now I like that.

How can we design a cryptosystem that looks good but which I may know how to break?
How can we prevent the wrangling about honesty in design?

Let’s try heuristic search. Will illustrate the principle on the simplest component – a single-valued Boolean function used in stream ciphers.

Page 7: Classical Stream Cipher Model

[Figure: classical stream cipher model. LFSR 1, LFSR 2, ..., LFSR n (say 32 bit registers) output L1j, L2j, ..., Lnj into the combining function f, which produces the keystream Zj; the plaintext stream Pj is combined with the keystream Zj to give the cipherstream Cj.]

Combining Boolean function f.
Receiver can generate key stream and recover plaintext.

Page 8: Boolean Function Design

A Boolean function f: {0,1}^n -> {0,1}

Polar representation:

x        x (decimal)   f(x)   polar f(x)
0 0 0    0             1      -1
0 0 1    1             0       1
0 1 0    2             0       1
0 1 1    3             0       1
1 0 0    4             1      -1
1 0 1    5             0       1
1 1 0    6             1      -1
1 1 1    7             1      -1

Will talk only about balanced functions where there are equal numbers of 1s and -1s.

A move simply swaps a 1 and a –1.

Functions are essentially represented as binary vectors.

Page 9: Planting Trapdoors

[Figure: the design space, with a region for the public goodness property P (e.g. high non-linearity, low autocorrelation) and a region for the trapdoor property T.]

Page 10: Optimisation

Suppose you have an effective optimisation based approach to getting functions with public property P. Let the cost function used be
– Cost=honest(f)

Suppose you have an effective optimisation based approach to getting functions with trapdoor property T. Let the cost function used be
– Cost=trapdoor(f)

We can combine the two
– sneakyCost(f) = (1- ) honest(f)+trapdoor(f)
– is the malice factor: =0 truly honest; =1=>wicked
– Will you get caught out?

Page 11: Example Trapdoor Function

We want to be able to tell whether an unknown trapdoor has been inserted.

Experiments have used a randomly generated vector as trapdoor. Closeness to this vector (measured by Hamming distance) represents a good trapdoor bias.

Want to investigate what happens when different malice factors are used.

We shall consider high non-linearity and low autocorrelation as public goodness measures.
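The two public goodness measures named above, computed on the polar representation from Page 8, as an added example that is not part of the original slides. The slides do not define the measures, so the standard Walsh-Hadamard definitions are assumed; the function names and the linear and bent comparison functions are constructed for illustration.

```python
def to_polar(truth_table):
    """Map f(x) in {0,1} to the polar form (-1)^f(x): 0 -> +1, 1 -> -1."""
    return [1 - 2 * bit for bit in truth_table]

def is_balanced(polar):
    return sum(polar) == 0

def walsh_hadamard(polar):
    """Fast Walsh-Hadamard transform: W[w] = sum_x polar[x] * (-1)^(w.x)."""
    w = list(polar)
    h = 1
    while h < len(w):
        for start in range(0, len(w), 2 * h):
            for i in range(start, start + h):
                w[i], w[i + h] = w[i] + w[i + h], w[i] - w[i + h]
        h *= 2
    return w

def nonlinearity(polar):
    """Hamming distance from f to the nearest affine function."""
    return (len(polar) - max(abs(c) for c in walsh_hadamard(polar))) // 2

def autocorrelation(polar):
    """Largest |sum_x f(x) f(x XOR s)| over all non-zero shifts s."""
    size = len(polar)
    return max(abs(sum(polar[x] * polar[x ^ s] for x in range(size)))
               for s in range(1, size))

def hamming_distance(a, b):
    return sum(x != y for x, y in zip(a, b))

# Truth table from the Page 8 slide, x = 000 .. 111.
SLIDE_F = [1, 0, 0, 0, 1, 0, 1, 1]
# Constructed comparison: the linear function x1 XOR x2 XOR x3.
LINEAR_F = [bin(x).count("1") % 2 for x in range(8)]
# Constructed comparison: the 4-variable bent function x1x2 XOR x3x4.
BENT_F = [((x >> 3) & (x >> 2) ^ (x >> 1) & x) & 1 for x in range(16)]

if __name__ == "__main__":
    for name, table in (("slide", SLIDE_F), ("linear", LINEAR_F), ("bent", BENT_F)):
        p = to_polar(table)
        print(name, is_balanced(p), nonlinearity(p), autocorrelation(p))
```

The bent function has the best possible scores on both measures but is not balanced, so it falls outside the search space the slides restrict themselves to.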

Page 12: You say you did, I say you didn’t

[Figure labels:]
– Publicly good solutions, e.g. Boolean functions with same very high non-linearity
– Publicly good solutions found by annealing and honest cost function
– Publicly good solutions with high trapdoor bias found by annealing and combined honest and trapdoor cost functions.

There appears nothing to distinguish the sets of solutions obtained – unless you know what form the trapdoor takes!

Or is there…

Page 13: n=8: Examples with non-linearity vs autocorrelation

Rows: autocorrelation. Columns: non-linearity.

Malice factor = 0.0, MeanTrap=12.8

Autocorrelation    110   112   114   116
64                   0     0     0     0
56                   0     0     0     0
48                   0     0     0     1
40                   0     0     3     4
32                   0     2     7    12
24                   0     0     0     1

Malice factor = 0.2, MeanTrap=198.9

Autocorrelation    110   112   114   116
64                   0     0     0     0
56                   0     0     1     0
48                   0     0     7     0
40                   0     0    16     0
32                   0     0     6     0
24                   0     0     0     0

Malice factor = 0.4, MeanTrap=213.1

Autocorrelation    110   112   114   116
64                   0     0     1     0
56                   0     0     2     0
48                   0     1     6     0
40                   0     2    17     0
32                   0     0     1     0
24                   0     0     0     0

Malice factor = 0.6, MeanTrap=222.1

Autocorrelation    110   112   114   116
64                   0     0     1     0
56                   0     1     2     0
48                   0     5     7     0
40                   0     2    12     0
32                   0     0     0     0
24                   0     0     0     0

Malice factor = 0.8, MeanTrap=232.3

Autocorrelation    110   112   114   116
64                   0     1     0     0
56                   0     4     1     0
48                   0    19     1     0
40                   0     3     1     0
32                   0     0     0     0
24                   0     0     0     0

Malice factor = 1.0, MeanTrap=242.7

Autocorrelation    110   112   114   116
80                   2     0     0     0
72                   4     1     0     0
64                  10     6     0     0
56                   2     5     0     0
48                   0     0     0     0
40                   0     0     0     0
32                   0     0     0     0
24                   0     0     0     0

Page 14: Vector Representations

[Figure: a design drawn as a vector with entries +1, -1, +1, +1, -1, +1, -1, -1.]

Different cost functions may give similar goodness results but may do so in radically different ways.

Results using honest and dishonest cost functions cluster in different parts of the design space.

Basically distinguish using discriminant analysis.

If you don’t have an alternative hypothesis then you can generate a family of honest results and ask how probable the offered one is.

Page 15: Vector Representations

For two groups G1 and G2.

Calculate the mean vectors m1 and m2. Project m2 onto m1 and obtain the residual r.

Now project each vector in each group onto the residual and take absolute value.
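The residual-projection test described on this slide, as an added example that is not the authors' code. Both groups are constructed sample data: G1 is random balanced vectors standing in for honest designs, G2 is vectors a few swap moves away from a hidden vector standing in for biased designs; all names, the seed and the group sizes are assumptions.

```python
import random

def balanced_vector(rng, size=256):
    """Random balanced polar vector: equal numbers of +1 and -1."""
    v = [1] * (size // 2) + [-1] * (size // 2)
    rng.shuffle(v)
    return v

def swap_moves(rng, v, count):
    """Apply `count` of the slides' moves: swap one +1 with one -1."""
    v = list(v)
    for _ in range(count):
        i = rng.choice([k for k, x in enumerate(v) if x == 1])
        j = rng.choice([k for k, x in enumerate(v) if x == -1])
        v[i], v[j] = v[j], v[i]
    return v

def mean_vector(group):
    return [sum(col) / len(group) for col in zip(*group)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def residual(m1, m2):
    """Part of m2 orthogonal to m1 (m2 itself if m1 is the zero vector)."""
    denom = dot(m1, m1)
    coeff = dot(m2, m1) / denom if denom else 0.0
    return [b - coeff * a for a, b in zip(m1, m2)]

def score(v, r):
    """Absolute length of the projection of v onto the residual r."""
    norm = dot(r, r) ** 0.5
    return abs(dot(v, r)) / norm if norm else 0.0

def build_demo(seed=2003, group_size=20):
    rng = random.Random(seed)
    hidden = balanced_vector(rng)  # constructed stand-in for an unknown bias
    g1 = [balanced_vector(rng) for _ in range(group_size)]
    g2 = [swap_moves(rng, hidden, 24) for _ in range(group_size)]
    r = residual(mean_vector(g1), mean_vector(g2))
    offered = swap_moves(rng, hidden, 24)  # held-out design to be judged
    return g1, g2, r, offered

if __name__ == "__main__":
    g1, g2, r, offered = build_demo()
    print("G1 max score:", round(max(score(v, r) for v in g1), 2))
    print("G2 min score:", round(min(score(v, r) for v in g2), 2))
    print("offered design:", round(score(offered, r), 2))
```

The scoring step never sees the hidden vector: the separation comes only from the two group means, which is the point made on the following slide.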

Page 16: Games People Play

It seems possible to tell that something has been going on.
And we don’t need to know precisely what has been going on.
Since any design has a binary vector representation the technique is general.
Meta games:
– Some variations on a theme can be attempted. If you know the means of detection you may be able to add a cost function component concerned with detectability

sneakierCost(f) = (1- ) honest(f)+malice(f)+ detectability(f)

Page 17: Conclusions

Optimisation based design process may be open and reproducible.
Optimisation can be abused.
Optimisation allows a family of representative designs to be obtained.
Designs developed against different criteria just look different.
The games just do not stop.

Page 18: Coda

Search based approaches are not just for toy problems.
– For several major criteria of interest search based approaches have equalled or bettered the combined best efforts of theoreticians for n<=8.
– Have recently produced hitherto unattained results for n=9.
– Disproved cryptological conjectures in the literature.

CEC Special strand on computer security.
Web page at www.cs.york.ac.uk/security (part of virtual library)

Page 19: Bonus Track

You can even tell which technique people have used.
– Simulated Annealing and GAs may also give different types of solution.

Experiment: Evolved a pseudo-random number generator as FPGA netlist
– Randomness criteria as cost function components
– Cost function components can act as classifiers too!

View evolved programs as bit strings and feed them through the cost function components used to evolve them.