Maximum Likelihood Estimation for Block Cipher Keys

LIKELIHOOD ESTIMATION FOR BLOCK CIPHER KEYS

Sean Murphy, Fred Piper, Michael Walker†, Peter Wild

Information Security Group, Royal Holloway, University of London, Egham, Surrey TW EX, UK
†Vodafone Limited, The Courtyard, London Road, Newbury, Berkshire RG JL, UK

May

Abstract

In this paper we give a general framework for the analysis of block ciphers using the statistical technique of likelihood estimation. We show how various recent successful cryptanalyses of block ciphers can be regarded in this framework. By analysing the SAFER block cipher in this framework, we expose a cryptographic weakness of that cipher.

Key Words: Statistical Inference, Likelihood Estimation, Block Ciphers, DES, SAFER, Cryptanalysis, Differential Cryptanalysis, Linear Cryptanalysis.

This author acknowledges the support of the Nuffield Foundation.

Introduction

In this paper we set up a general framework for analysing block ciphers. In this framework the plaintext and ciphertext spaces are partitioned into a number of classes. We consider the probabilities of a plaintext in a given plaintext class being encrypted to a ciphertext in a given ciphertext class under different keys. For a judicious choice of partitions of plaintext and ciphertext spaces, these probabilities give a partition of the key space into key classes, which allows the technique of likelihood estimation to be used to find the key class of the true key. We explain this idea more fully in Section and show how it applies to iterated block ciphers in Section. In the rest of the paper we show how the recent cryptanalytic techniques of S-box pairs analysis, linear cryptanalysis, differential cryptanalysis and linear structures fit naturally into this framework, so providing a comparison of these techniques. Finally, in Section we see how this method can be used to show a cryptographic weakness of the SAFER block cipher.

Statistical Estimation of the Key

We consider a block cipher to consist of a finite set of plaintexts M, a finite set of ciphertexts C and a finite set $\{f_k \mid k \in K\}$ of invertible functions from M onto C indexed by a set of keys K. The plaintext set M, the ciphertext set C, the key set K and the set of invertible functions $\{f_k : M \to C\}$ are all public. The ciphertext c corresponding to the plaintext m under a particular private key k is then $c = f_k(m)$. The cryptanalyst's task is to find the particular key k given some information about a number of corresponding plaintext-ciphertext pairs. In particular, if the plaintexts are known then we have a known plaintext attack, and if the plaintexts can be chosen by the cryptanalyst then we have a chosen plaintext attack.

We use the following framework to model the cryptanalyst's knowledge of the plaintexts and corresponding ciphertexts. Let M X be a function from the plaintext set M onto a set X and C Y a function from the ciphertext set C onto a set Y. We call and partition functions. The functions and partition the plaintext and ciphertext spaces into equivalence classes indexed by the elements of X and Y respectively, and it is convenient to think of X and Y as sets of equivalence classes of M and C. Suppose that the cryptanalyst observes a pair (x, y), where x m is the result of applying to some plaintext m and y c is the result of applying to the ciphertext $c = f_k(m)$ obtained by enciphering m under the true key k. Thus (x, y) is a pair of plaintext-ciphertext equivalence classes which the cryptanalyst uses to estimate the true key k.

We show how the true key k can be estimated using the statistical technique of maximum likelihood estimation, as described in any textbook on statistical inference, for example Silvey. Let $P_k(x, y)$ denote the probability that plaintext class x and ciphertext class y occur with key k. $P_k$ defines a probability mass function on the set of possible plaintext and ciphertext classes $X \times Y$, parameterised by elements of the key set K. However, we can regard $P_k(x, y)$ as a function on the key set K which is parameterised by elements of the set of possible plaintext and ciphertext classes $X \times Y$. This function is known as the likelihood function $L(x, y; k)$ of the key k corresponding to the data (x, y), and it is a measure of the plausibility that k is the true key k after we have observed the data (x, y). Thus we have

$L(x, y; k) = P_k(x, y)$

and

$\mathcal{L}(x, y; k) = \log L(x, y; k) = \log P_k(x, y)$,

where $\mathcal{L}(x, y; k)$ is the log-likelihood function. For any fixed k we can think of the likelihood function $L(x, y; k)$ as a random variable whose distribution is determined by the true distribution on the plaintext-ciphertext classes given by the true key k. Thus we can define the expected value of the log-likelihood function at key k as

k E fLx y k g E flog P x y g k

The following theorem, which we state in terms of plaintext and ciphertext classes, is a standard result for log-likelihood functions.

Theorem. For all keys k K k k with equality if and only x y for every plaintext-ciphertext class pair x y if P x y P k k

Theorem states that k attains its maximum at k, and if the distributions corresponding to different keys on the plaintext-ciphertext classes are different then k is unique. In any case, we can define an equivalence relation on the key space K in which two keys are equivalent if they have the same distribution on the plaintext-ciphertext classes, and then estimate the unique key class which maximises the likelihood. Let K Z be a partition function from the key space K onto a set Z such that k k if and only if Lx y k Lx y k for all x y. Z can be regarded as a set of key equivalence classes induced by the likelihood function. We can thus define the likelihood function $L(x, y; z)$ of the key class z corresponding to the data (x, y). The expected value of the log-likelihood function at key class z is then given by

z E fLx y z g E flog P x y g z

where P x y P x y for any k K for which k z. Theorem z k shows that is uniquely maximised by z k the true key class.

Suppose now that we have N pairs of plaintexts $m_1, m_2, \ldots, m_N$ with corresponding ciphertexts $c_1, c_2, \ldots, c_N$ that give plaintext classes $x_1, x_2, \ldots, x_N$ and ciphertext classes $y_1, y_2, \ldots, y_N$ respectively. The joint likelihood function is given by

$L(\mathbf{x}, \mathbf{y}; k) = \prod_{i=1}^{N} P_k(x_i, y_i)$,

so the joint log-likelihood function is given by

$\mathcal{L}(\mathbf{x}, \mathbf{y}; k) = \sum_{i=1}^{N} \mathcal{L}(x_i, y_i; k) = \sum_{i=1}^{N} \log P_k(x_i, y_i)$.

We propose to estimate the true key k from the data $(\mathbf{x}, \mathbf{y})$ by the method of maximum likelihood, so we have the following definition.

Definition. A maximum likelihood estimate (MLE) of the true key k is any $k \in K$ for which $L(\mathbf{x}, \mathbf{y}; k)$, or equivalently $\mathcal{L}(\mathbf{x}, \mathbf{y}; k)$, is maximal.

We can express k in terms of expected value of the joint log-likelihood function, since

E Lx y k E flog P x y g k k N

Thus from Theorem the expected value of the joint log-likelihood function is maximised by the true key k. If we define the key partition function K Z as above, then we can define the joint likelihood function $L(\mathbf{x}, \mathbf{y}; z)$ of the key class z corresponding to the data $(\mathbf{x}, \mathbf{y})$. The expected value of the joint log-likelihood function at key class z is given by

E Lx y z E flog P x y g z z N

and so is uniquely maximised by the true key class z.

We now give a brief description of the properties of the maximum likelihood estimate that make it the optimal estimate of the key.

Definition. Suppose $\{z_n\}$ is a sequence of estimates for z. Then $z_n$ is consistent if $z_n \to z$ in the appropriate stochastic sense.

Theorem. The maximum likelihood estimate of z is consistent.

Sketch Proof. We are essentially estimating z with Lx y z The N Lx y z law of large numbers ensures that for large N and most x y N is near z. If z is the maximum likelihood estimate of z based on N N plaintext-ciphertext classes, then this shows z z in the appropriate N stochastic sense.

Definition. A statistic t is sufficient for z if the distribution of a sample $(\mathbf{x}, \mathbf{y})$ given the value of $t(\mathbf{x}, \mathbf{y})$ does not depend on z. Equivalently, t is a sufficient statistic for z if the distribution within an equivalence class of the partition induced by t is independent of z.

Thus the distribution of t contains all the information relevant to estimating z. A necessary and sufficient condition for t to be sufficient is given by the following factorisation theorem.

Theorem. t is a sufficient statistic for the family $\{P_z \mid z \in Z\}$ if and only if $P_z(\mathbf{x}, \mathbf{y})$ can be expressed as

$P_z(\mathbf{x}, \mathbf{y}) = g_z(t(\mathbf{x}, \mathbf{y}))\, h(\mathbf{x}, \mathbf{y})$,

where h does not depend on z.

Definition. A statistic t is minimal-sufficient for z if the partition induced by t contains every other sufficient partition. Equivalently, t is a minimal-sufficient statistic for z if it is a function of every other sufficient statistic for z.

Therefore a minimal-sufficient statistic contains the minimum information relevant to estimating z. The following theorem concerning the maximum likelihood estimator is a corollary of the above theorem.

Theorem. The maximum likelihood estimate is a function of a minimal-sufficient statistic.

Thus the maximum likelihood estimate depends only on the minimal relevant information in the sample. Hence the maximum likelihood estimate of the key is the optimal estimate of the key, since it is both consistent and minimal-sufficient.

It is often convenient to express the likelihood in a different form. Suppose $P(x)$ denotes the probability that plaintext class x occurs; then we can write the likelihood function in the form

$L(x, y; k) = P_k(x, y) = P_k(y \mid x)\, P(x)$,

where $P_k(y \mid x)$ denotes the probability that a plaintext in class x is encrypted to a ciphertext in class y under key k. In any particular attack, the distribution of the plaintexts induces a distribution on the plaintext classes. Thus
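
The following is an added worked example, not code from the paper: maximum likelihood estimation of a key class from observed plaintext and ciphertext classes, scored with the conditional probability of a ciphertext class given a plaintext class, since the plaintext-class probability does not depend on the key. The toy Feistel cipher, its S-box table, the partition functions and every name used (phi, psi, cond_table, mle_key_class and so on) are assumptions constructed here for illustration.

```python
import math
from collections import Counter

# Constructed toy cipher (an assumption for illustration, not from the paper):
# 8-bit block, 8-bit key k = (k1 << 4) | k2, two Feistel rounds on nibbles.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def encrypt(m, k):
    left, right = m >> 4, m & 0xF
    for rk in (k >> 4, k & 0xF):               # round keys k1, then k2
        left, right = right, left ^ SBOX[right ^ rk]
    return (left << 4) | right

def phi(m):
    """Plaintext partition function M -> X: the right-hand nibble."""
    return m & 0xF

def psi(c):
    """Ciphertext partition function C -> Y: low two bits of (left XOR right)."""
    return ((c >> 4) ^ c) & 0x3

def cond_table(k):
    """Exact P_k(y | x), found by enumerating every plaintext in each class x."""
    pairs = Counter((phi(m), psi(encrypt(m, k))) for m in range(256))
    sizes = Counter(phi(m) for m in range(256))
    return {(x, y): n / sizes[x] for (x, y), n in pairs.items()}

def log_likelihood(data, k):
    """Joint log-likelihood of key k; P(x) is key-independent and is dropped."""
    table = cond_table(k)
    total = 0.0
    for xy in data:
        p = table.get(xy, 0.0)
        if p == 0.0:
            return -math.inf                   # k cannot have produced this pair
        total += math.log(p)
    return total

def observe(plaintexts, true_key):
    """What the analyst sees: class pairs (x_i, y_i), never the raw blocks."""
    return [(phi(m), psi(encrypt(m, true_key))) for m in plaintexts]

def mle_key_class(data, keys=range(256)):
    """All keys whose joint log-likelihood is maximal (ties = one key class)."""
    scores = {k: log_likelihood(data, k) for k in keys}
    best = max(scores.values())
    return sorted(k for k, s in scores.items() if best - s < 1e-9)
```

When every plaintext is observed once, the empirical class distribution equals the true one, so the maximisers are exactly the keys that share the true key's distribution: here the 64 keys agreeing with it in the low two bits of k2. The nibble k1 cannot be identified under these partitions.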
