4-7 Security Evaluation of Cryptographic Technology


TANAKA Hidema

Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011

Cryptography is the fundamental technology for information security. It provides the functions of confidentiality, authentication, and signature in various information security technologies. Since the status of security evaluation influences the reliability of information security, the security evaluation of cryptographic technologies is very important. In particular, the security evaluation of cryptographic technologies that are used in electronic government services is now required to be carried out from an impartial standpoint. In addition, it is necessary to estimate the cost of an attack and its feasibility. It is therefore appropriate that a national institute carries out such research activity. In this paper, we show the outline of the security evaluation activity for symmetric ciphers of the Security Fundamentals Group between 2006 and 2010.

Keywords: Symmetric cipher, Higher order differential attack, Side-channel attack, Fault based attack, Pseudo random number generator

1 Introduction

Cryptography is the fundamental technology for information security. It provides confidentiality of communication, authentication for validating communication partners, and signature functions for proving authenticity of data in various attack scenarios. These are based on cryptographic technology (cryptographic primitives) and designed from various points of view. Outside Japan, it is not unusual that these are designed not only by private companies but also by research organizations such as universities. In Japan, private companies and universities loosely share roles. Private companies play the role of technology development, and universities the role of academic development. Since evaluation as academic achievement (development of cryptanalysis methods) and development of cryptographic primitives are inextricably linked, at a glance it seems that development of cryptographic technology is completed by collaboration between private companies and universities; however, in order for the technology to be recognized as a trusted technique, it needs to be validated by a third party. This is because the security of public electronic services in Japan such as electronic government services and the basic residential registers network system relies on cryptographic technology, and if information is provided by only one side, there is a danger that vulnerabilities may remain. In addition, studying academic trends will not be sufficient. There is a gap between academic achievements and actual usage environments, and the arguments of a paper are not always appropriate. For the above reasons, security evaluation of cryptographic technologies should be carried out from a fair and neutral viewpoint, and in order to achieve this, initiatives of the public sector are indispensable.

In this paper, we show the outline of the security evaluation activity for symmetric ciphers of the Security Fundamentals Group between 2006 and 2010. The activity of the Security Fundamentals Group especially focused on the following points.

● Improvement against algebraic attacks for which the theory of proving security is immature
● Effectiveness of attack methods against cryptographic modules such as FPGA implementation
● Reduction of evaluation costs

We chose 64-bit block ciphers as the main subject of the security evaluation. Although 128-bit block ciphers are becoming the mainstream in recent years, in some cases 64-bit block ciphers are more advantageous in terms of implementability, and they are often used for familiar services such as electronic money type services as represented by Felica, and smart cards for the basic residential registers network system. Therefore, we consider it is important to estimate the period for which they can be used securely. We chose fault based attacks that use electromagnetic emanation to evaluate the security of cryptographic modules. Generally it is considered that attacks causing malfunction by electromagnetic emanation are relatively low cost, and attack methods based on this assumption have been proposed in academic conferences now and then; therefore, we decided it was necessary to verify the viability. The aforementioned evaluation of 64-bit block ciphers is closely related to evaluation of cryptographic modules. This is because migration of a cryptographic technology that has already come into wide use will require services to be stopped, and because migration will be a huge risk for the service provider since the mixture of new and old cryptographic primitives could reduce the security, and as a result the migration process will be slowed down. Therefore, 64-bit block ciphers and their cryptographic modules, which are still used and becoming popular, have a significant impact on the reliability of future electronic services.

In addition, performance of smart cards and chips that provide the base for cryptographic modules has been improving rapidly, helping to improve the performance of a pseudo random number generator that is implemented on top of it. Pseudo random number generators are used for key generation and authentication protocols. For example, they are widely implemented and used for car keys (to lock/unlock car doors by radio signal). The security of a pseudo random number generator can be evaluated by long range periodicity, linear complexity and correlation immunity, and thanks to the improved performance of cryptographic modules, it is now possible to use a pseudo random number generator which is so large that it cannot be evaluated by computer. As a result, it has become difficult to verify the security, and thus new evaluation methods are required. The Security Fundamentals Group developed an algorithm that computes linear complexity by a linearization method that is based on an algebraic attack.

This paper first describes scenarios of evaluation of cryptographic technologies in 2, as well as the presumption, purpose and validity of security evaluation of cryptography. In 3, we outline a higher order differential attack against a 64-bit block cipher, MISTY1. In 4, we describe experiments on fault based attacks that use electromagnetic emanation against FPGA implementations. In 5, we introduce evaluation of linear complexity by a linearization method for pseudo random number generators, and 6 provides a summary.

2 Scenarios of evaluation of cryptographic technologies

The security of cryptography requires that confidential information such as keys should not be found more efficiently than by exhaustive search. Generally, cryptanalysis means to recover plaintext from ciphertext, and has the following two meanings.

1) Directly recover plaintext from ciphertext.
2) Recover the key from ciphertext to decrypt the ciphertext to plaintext.

As for 1), for example, 2^n plaintexts can be recovered from n bits of ciphertext, and all of them are the candidates for the correct plaintext; therefore, it is only necessary to prevent the correct candidate from being distinguished from the incorrect ones. Although linguistic meanings of plaintext could have influences, since modern cryptography is based on the assumption that plaintext is binary information, it is considered to be sufficient if the plaintext is not distinguished from random numbers. As for 2), consider a problem where Y = f(X, K) and Y is given, and find X and K. In this case, (X, K) will be underspecified as it is. In order to solve this problem as an equation, it needs to be set up as simultaneous equations to eliminate one of the variables, or either X or K must be given. In the former case, since the key is an invariable, it is only necessary to eliminate the key: this is equal to the scenario 1). In the latter case, it is trivial that X can be decrypted if the key is given. Therefore, an appropriate scenario for security evaluation would be to provide information of plaintext to find the key. Thus, we evaluate the security by estimating the required cost for recovering a key from plaintext and the corresponding ciphertext.

The cost consists of computational cost and amount of data. For example, if no limit is set to computer capability (assume unlimited computational cost), the key can be found from a pair of plaintext and ciphertext by conducting an exhaustive search. This is the limit of the security of cryptography. So we conclude that even if a pair of plaintext and ciphertext that is convenient for the attacker is provided, it will be still secure if the key cannot be found more efficiently than it can be found by exhaustive search. There are two attack scenarios depending on how plaintext is provided.

[...] they have obtained ciphertext that corresponds to numbers 0, 1, 2, and 3. The key point in this example is that all bits except the low two bits should be fixed to 0. There are a number of such attack methods against block ciphers, and typical examples include differential attacks and higher order differential attacks. As for stream ciphers, some attack methods have been proposed which are used when only the Initial Value (IV, publicly known parameters excluding the key) is changed, and the key is fixed.

Incidentally, the key size commonly used for symmetric ciphers is generally 128 bits. In the above-mentioned attack method, it is regarded that it is not secure if even one bit of the key has been determined. It is generally considered that it is not secure if one bit of an expanded key (an internal key used in cryptographic algorithm) generated from a 128-bit key has been determined. On the other hand, even the most advanced computer in the world can recover 60 bits of a key by exhaustive search, and therefore, there is a gap between the actual computer security and theoretical cryptanalysis. The gap between the limit of exhaustive search by computer and theoretical cryptanalysis can be seen as the margin of the security and the period in which the cryptography can be used securely.

3 Security evaluation of 64-bit
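Added example, not code from the paper: the chosen-plaintext structure described in section 2 (only the low bits vary, all other bits fixed to 0) applied to two constructed 8-bit toy functions rather than MISTY1. It goes slightly beyond the text by reporting the lowest order at which the XOR of the ciphertexts no longer depends on the key, which is the property an evaluator looks for in a higher order differential analysis; all function names are hypothetical.

```python
# Added illustration: constructed 8-bit toy functions, not MISTY1 or any real cipher.

def rotl8(v, r):
    """Rotate an 8-bit value left by r bits (0 < r < 8)."""
    return ((v << r) | (v >> (8 - r))) & 0xFF

def toy_degree2(x, key):
    """Keyed toy map whose output bits have algebraic degree 2 in the input bits."""
    v = (x ^ key) & 0xFF
    return v ^ (rotl8(v, 1) & rotl8(v, 2))

def toy_degree3(x, key):
    """Same construction with one more AND, giving algebraic degree 3."""
    v = (x ^ key) & 0xFF
    return v ^ (rotl8(v, 1) & rotl8(v, 2) & rotl8(v, 3))

def chosen_plaintexts(order):
    """2**order plaintexts: the low `order` bits take every value, all other bits are 0."""
    return list(range(1 << order))

def xor_sum(cipher, key, order):
    """XOR of the ciphertexts of the chosen-plaintext set (the order-th differential)."""
    acc = 0
    for p in chosen_plaintexts(order):
        acc ^= cipher(p, key)
    return acc

def lowest_key_independent_order(cipher, max_order=6):
    """Smallest order whose XOR-sum is identical for all 256 keys, plus that constant."""
    for order in range(1, max_order + 1):
        sums = {xor_sum(cipher, key, order) for key in range(256)}
        if len(sums) == 1:
            return order, sums.pop()
    return None, None

if __name__ == "__main__":
    print("order-2 plaintext set:", chosen_plaintexts(2))
    for name, f in (("degree 2", toy_degree2), ("degree 3", toy_degree3)):
        order, const = lowest_key_independent_order(f)
        print(f"{name}: key-independent from order {order}, constant {const:#04x}")
```

For these toy maps the XOR-sum becomes a key-independent constant at an order equal to the algebraic degree and is zero at every higher order, so a low degree shows up as a distinguisher that needs only a handful of chosen plaintexts.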
