## A New Statistical Testing for Symmetric Ciphers and Hash Functions (2002)

Venue: Proc. Information and Communications Security 2002, volume 2513 of LNCS

Citations: 13 - 1 self

### BibTeX

@INPROCEEDINGS{Filiol02anew,
  author = {Eric Filiol},
  title = {A New Statistical Testing for Symmetric Ciphers and Hash Functions},
  booktitle = {Proc. Information and Communications Security 2002, volume 2513 of LNCS},
  year = {2002},
  pages = {342--353},
  publisher = {Springer}
}

### Abstract

This paper presents a new, powerful statistical testing of symmetric ciphers and hash functions which allowed us to detect biases in both of these systems where previously known tests failed. We first give a complete characterization of the Algebraic Normal Form (ANF) of random Boolean functions by means of the Möbius transform. Then we built a new testing based on the comparison between the structure of the different Boolean functions Algebraic Normal Forms characterizing symmetric ciphers and hash functions and those of purely random Boolean functions. Detailed testing results on several cryptosystems are presented. As a main result we show that AES, DES, Snow and Lili-128 fail all or part of the tests and thus present strong biases.

### Citations

2651 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1997

1625 | An Introduction to Probability Theory and its - Feller - 1971

Citation Context: ...n considers+f(x) as independent, identically distributed random variables for all x as well. Let us note Y = P x2F n 2 (f(x)+s>). For n > 5 (that is to say 2 n > 30), due to the central limit theorem [6], Y has a Gaussian distribution LG(E; 2 ) with E[Y ] = 2 n P [f(x)+s>= 1] = 2 n 1 ( Y ) 2 = 2 n P [f(x)+s>= 1]P [f(x)+s>6= 1] = 2 n 2 Hence c f (u) has Gaussian distribution with mean value E[c f...

849 | Communication Theory of Secrecy Systems - Shannon - 1949

Citation Context: ...lly the central limit theorem). When dealing with pure block ciphers or with hash functions, the scope of these tests could be questioned. In this latter case, the concepts of diffusion and confusion [30] are generally preferred (it is clear that one could define them from a statistical point of view). However these concepts are defined either rather empirically or too theoretically (for example through...

841 | Applied Cryptography: Protocols, Algorithms and Source Code in C - Schneier - 1996

Citation Context: ... which is the most interesting, we have the following ordering ( means "better than"): Bgml RC4 Snow Lili-128 T 1 1 T 2 1 T 1 2 T 2 2 Lili-128 fail fail fail fail Snow pass pass fail fail RC4 [27] pass pass pass pass Bgml [25] pass pass pass pass Table 2: Stream Ciphers: Tests Results (significance level = 0:05; 0:01; 0:001) T 1 1 T 2 1 T 1 2 T 2 2 D 2 39,344.03 400,839.93 667729.02 1,028,048...

392 | The MD5 Message Digest Algorithm - Rivest - 1992

Citation Context: ...e Section 5). Encryption and decryption exhibit quite the same overall statistical properties. 4.3 Hash Functions We tested the following hash functions: SHA-0 [15], SHA-1 [16], Ripemd160 [4], MD4 [28], MD5 [29], Ripe-MD [3] and Haval [34] (for this latter we tested all the different versions). Extensively detailed numerical results (due to lack of space) are only available in [7]. All the tested ha...

289 | Shift-register synthesis and BCH decoding - Massey - 1969

Citation Context: ... Le Chesnay Cedex, FRANCE Eric.Filiol@inria.fr 1 Yet statistically good according to these postulates, this kind of sequence has been shown very predictable when using the Berlekamp-Massey algorithm [23]. This is the illustration that randomness is uniquely defined relatively to the statistical tests we may use. Many other statistical tests have been proposed in order to better improve what may be con...

118 | RIPEMD-160: a strengthened version of RIPEMD - Dobbertin, Bosselaers, et al. - 1996

Citation Context: ...f AES (see Section 5). Encryption and decryption exhibit quite the same overall statistical properties. 4.3 Hash Functions We tested the following hash functions: SHA-0 [15], SHA-1 [16], Ripemd160 [4], MD4 [28], MD5 [29], Ripe-MD [3] and Haval [34] (for this latter we tested all the different versions). Extensively detailed numerical results (due to lack of space) are only available in [7]. All the...

94 | The Art of Computer Programming, volume 2 - Knuth - 1973

Citation Context: ...n order to better improve what may be considered as "random". Among many others, let us cite those that mainly implemented: frequency test, serial test, poker test, runs test and autocorrelation test [2, 14, 20], Maurer's universal statistical test [24], repetition test [17] (for a more detailed bibliography on statistical tests used in cryptography see [21, pp 188-189] and [5]). To be precise, these tests a...

75 | Probability and statistical inference - Hogg - 1983

Citation Context: ...art). We can give the following interesting observations based on the comparison of the tests convergence (that is to say the distance between the estimator and the threshold value; for details see [19]). The stream ciphers of Table 2 can be sorted according to their relative "random" quality. For example when considering results of test T 1 1 (1-monomials), which is the most interesting, we have th...

68 | A Universal Statistical Test for Random Bit Generators - Maurer - 1992

Citation Context: ...as "random". Among many others, let us cite those that mainly implemented: frequency test, serial test, poker test, runs test and autocorrelation test [2, 14, 20], Maurer's universal statistical test [24], repetition test [17] (for a more detailed bibliography on statistical tests used in cryptography see [21, pp 188-189] and [5]). To be precise, these tests are primarily intended for stream ciphers (...

53 | HAVAL: a one-way hashing algorithm with variable length output - Zheng, Pieprzyk, et al. - 1993

Citation Context: ...ion exhibit quite the same overall statistical properties. 4.3 Hash Functions We tested the following hash functions: SHA-0 [15], SHA-1 [16], Ripemd160 [4], MD4 [28], MD5 [29], Ripe-MD [3] and Haval [34] (for this latter we tested all the different versions). Extensively detailed numerical results (due to lack of space) are only available in [7]. All the tested hash functions have passed the tests wha...

52 | Cipher Systems: The Protection of Communications - Beker, Piper - 1982

Citation Context: ...n order to better improve what may be considered as "random". Among many others, let us cite those that mainly implemented: frequency test, serial test, poker test, runs test and autocorrelation test [2, 14, 20], Maurer's universal statistical test [24], repetition test [17] (for a more detailed bibliography on statistical tests used in cryptography see [21, pp 188-189] and [5]). To be precise, these tests a...

37 | Construction of nonlinear Boolean functions with important cryptographic properties - Sarkar, Maitra - 2000

Citation Context: ...e function input, the function should have the highest possible degree. 2 As a consequence, Boolean functions designed in [11] are more suitable for cryptographic applications than those presented in [22, 32] since these latter have a slightly lower degree. This fact has been confirmed by our tests when considering output sequences produced by nonlinear feedback shift registers. The statistical results are...

37 | The MD5 Message Digest Algorithm, Internet RFC 1321. http://people.csail.mit.edu/rivest/Rivest-MD5.txt - Rivest - 1992

Citation Context: ...5). Encryption and decryption exhibit quite the same overall statistical properties. 4.3 Hash Functions We tested the following hash functions: SHA-0 [15], SHA-1 [16], Ripemd160 [4], MD4 [28], MD5 [29], Ripe-MD [3] and Haval [34] (for this latter we tested all the different versions). Extensively detailed numerical results (due to lack of space) are only available in [7]. All the tested hash functio...

30 | Highly nonlinear balanced Boolean functions with a good correlation immunity - Filiol, Fontaine - 1998

Citation Context: ...p good randomness properties forbidding to get combinatorial information on the function input, the function should have the highest possible degree. 2 As a consequence, Boolean functions designed in [11] are more suitable for cryptographic applications than those presented in [22, 32] since these latter have a slightly lower degree. This fact has been confirmed by our tests when considering output seq...

27 | On Resilient Boolean Functions with Maximum Possible Nonlinearity - Tarannikov

Citation Context: ...e function input, the function should have the highest possible degree. 2 As a consequence, Boolean functions designed in [11] are more suitable for cryptographic applications than those presented in [22, 32] since these latter have a slightly lower degree. This fact has been confirmed by our tests when considering output sequences produced by nonlinear feedback shift registers. The statistical results are...

25 | S.W.: Shift Register Sequences, Aegean - Golomb - 1982

Citation Context: ...uting facilities. Therefore many different statistical tests have been proposed and are usually implemented to evaluate these two requirements. Historically we must cite Golomb's randomness postulates [18]. These tests have been designed as necessary but not sufficient tests to check if a shift register sequence statistically behaves properly. also INRIA, CODES Project, Domaine de Voluceau 78153 Le Ches...

18 | Correlation immunity of non-linear combining functions for cryptographic applications - Siegenthaler - 1984

Citation Context: ...s from the fact that a n-variable random Boolean function in average has its term of degree n with probability 1 2 and will contain n 2 terms of degree n 1. According to the upper bound of the degree [31] of function presenting the best trade-off in terms of correlation immunity, balancedness and nonlinearity we have for a t-correlation immune function: deg(f(x 1 ; x 2 ; : : : ; x n )) n t 1: 4 Impos...

15 | Empirical tests of binary keystreams - Erdmann - 1992

Citation Context: ...d autocorrelation test [2, 14, 20], Maurer's universal statistical test [24], repetition test [17] (for a more detailed bibliography on statistical tests used in cryptography see [21, pp 188-189] and [5]). To be precise, these tests are primarily intended for stream ciphers (or block ciphers in modes as stream ciphers) whose output sequences are long enough to apply probability results (essentially t...

13 | Security Requirements for Cryptographic Modules, Federal Information Processing Standard - FIPS

Citation Context: ...n order to better improve what may be considered as "random". Among many others, let us cite those that mainly implemented: frequency test, serial test, poker test, runs test and autocorrelation test [2, 14, 20], Maurer's universal statistical test [24], repetition test [17] (for a more detailed bibliography on statistical tests used in cryptography see [21, pp 188-189] and [5]). To be precise, these tests a...

9 | On cryptographic properties of random Boolean functions - Olejar, Stanek - 1998

Citation Context: ...ts. Section 2 will present the necessary preliminaries and give the characterization of the Algebraic Normal Form (ANF) of random Boolean functions. In particular we complete the results presented in [26], make them more practical and give new results on the total degree of a Boolean function. Section 3 presents the new test we designed whilst Section 4 gives detailed numerical results that have been ...

4 | A Spectral Characterization of Correlation Immune Functions - Xiao, Massey - 1988

Citation Context: ... 2 ; c f (u) = X x2F n 2 ( 1) f(x)+ wheresdenotes the usual scalar product. A well-known result allows to characterize the correlation immunity of f with the Walsh Hadamard transform: Proposition 2 [33] A Boolean function f is t-order correlation immune if and only if 8u 2 F n 2 ; 1 wt(u) t c f (u) = 0 Moreover f is balanced if and only if c f (0; 0; : : : ; 0) = 0. When balanced and t-corre...

2 | Fontaine A new Block Cipher Design: COS - Filiol, C - 2001

Citation Context: ...idering output sequences produced by nonlinear feedback shift registers. The statistical results are slightly but significantly better for the first one which have been used in the design of COS ciphers [12]. 2.2 Characterization of the Walsh Coefficients The Walsh Hadamard transform of a Boolean function f refers to the following transformation: 8u 2 F n 2 ; c f (u) = X x2F n 2 ( 1) f(x)+ wheresdenotes t...

1 | Preneel editors, Integrity Primitives for Secure Information Systems - Bosselaers, B - 1995

Citation Context: ...on and decryption exhibit quite the same overall statistical properties. 4.3 Hash Functions We tested the following hash functions: SHA-0 [15], SHA-1 [16], Ripemd160 [4], MD4 [28], MD5 [29], Ripe-MD [3] and Haval [34] (for this latter we tested all the different versions). Extensively detailed numerical results (due to lack of space) are only available in [7]. All the tested hash functions have passe...

1 | A New Cryptanalysis of Block Ciphers: the AES Case, Private Report - Filiol - 2002

1 | Randomness Measures Related to Subset Occurrence - Golic - 1996

Citation Context: ...y others, let us cite those that mainly implemented: frequency test, serial test, poker test, runs test and autocorrelation test [2, 14, 20], Maurer's universal statistical test [24], repetition test [17] (for a more detailed bibliography on statistical tests used in cryptography see [21, pp 188-189] and [5]). To be precise, these tests are primarily intended for stream ciphers (or block ciphers in mo...