Randomness and its relevance to Cryptology

Rajeeva L. Karandikar
Director
Chennai Mathematical Institute
rlk@cmi.ac.in
rkarandikar@gmail.com

Rajeeva L. Karandikar Chennai Mathematical Institute


Notion of Randomness and its relevance to Cryptology - 1
One way to understand the role of Randomness in Cryptology
is to view Cryptology as a Game - a Game between the
algorithm designer and the hacker.

Like in any game, both want to win.

Now let us think about the game of cricket. Suppose there is
a new bowler, who is extremely good:

He can bowl each ball at yorker length, and if left alone
by the batsman, it will hit the middle stump right in the middle.

What do you think will happen in his first match? Lots of
wickets, as any time a batsman misses, the ball will hit the stumps.

But then soon the batsmen would figure this out and would happily hit
every ball for a six!

And if the batsman was one of, say, Kapil Dev, Shrikant,
Sachin, Ganguly, Dravid, Sehwag, Dhoni, Rohit Sharma, Kohli,
he could close his eyes and hit every ball for a six.

A bowler will be successful in the long run if he can bring in a
lot of variation in his bowling...

Variation means that a batsman facing him cannot easily
guess the trajectory of the ball; in other words, to the batsman
it would appear to be random.

Cryptology and World War II

Most of you would have heard or read about the Enigma cipher
and its breaking by a team based in Bletchley Park in
Buckinghamshire and its impact on World War II. The team
that broke the code included linguists and mathematicians,
including Alan Turing. It is believed that breaking Enigma had
a big impact on the course of WWII.

Cryptology and World War I

It is less well known that an encrypted telegram sent by
German Foreign Secretary Arthur Zimmermann to the German
Ambassador Johann von Bernstorff in Washington also had an
impact on WWI. The telegram was intended for German
Ambassador Heinrich von Eckardt in Mexico City, seeking an
alliance with Mexico against the United States. The encrypted
telegram was intercepted by the British.

Zimmermann Telegram

Cryptology and World War I

The telegram has been termed the Zimmermann telegram.
The encrypted telegram was broken by Room 40, the
Admiralty’s cipher bureau, named after the office in which it
was initially housed. The team in Room 40 consisted of
linguists, classical scholars and crossword addicts. The
decoded message was passed on to the United States by the
British. This played a major role in the USA’s decision to enter
WWI against Germany.

Cryptology and World War

It seems that in the World War I era, the cipher bureau in
Room 40 did not have mathematicians. By the time of World
War II, the team had been expanded to include
mathematicians. Let us examine possible reasons behind this.

Examples of Ciphers

A substitution cipher: one could construct a permutation of the 26
characters by, say, adding 7 and multiplying by 9 modulo 26. In this
case 7 and 9 will need to be shared by the sender and receiver.
The information that needs to be shared is called a key.
In such cases, linguists together with crossword enthusiasts
can take a crack at breaking the code, as was the case at
Room 40 during WWI.
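The "add 7, multiply by 9 modulo 26" permutation as an added example (not part of the original slides): it shows the key, its inverse, how few keys exist, and why the letter-frequency profile that linguists exploit survives encryption. Function names and the sample text are constructed for this illustration.

```python
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def encrypt(text: str, shift: int = 7, mult: int = 9) -> str:
    """Map each letter x to mult * (x + shift) mod 26; other characters pass through."""
    if gcd(mult, 26) != 1:
        raise ValueError("multiplier must be coprime to 26, else the map is not a permutation")
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            ch = ALPHABET[mult * (ALPHABET.index(ch) + shift) % 26]
        out.append(ch)
    return "".join(out)

def decrypt(text: str, shift: int = 7, mult: int = 9) -> str:
    """Invert the map: x = mult^-1 * y - shift mod 26 (9^-1 = 3 mod 26)."""
    inv = pow(mult, -1, 26)            # raises ValueError if mult has no inverse
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            ch = ALPHABET[(inv * ALPHABET.index(ch) - shift) % 26]
        out.append(ch)
    return "".join(out)

def keyspace_size() -> int:
    """Number of distinct keys: 26 shifts times the multipliers coprime to 26."""
    return 26 * sum(1 for a in range(26) if gcd(a, 26) == 1)

def frequency_profile(text: str) -> list:
    """Letter counts sorted high to low, ignoring which letter has which count."""
    return sorted(Counter(c for c in text.upper() if c in ALPHABET).values(), reverse=True)

if __name__ == "__main__":
    plain = "THE ENEMY KNOWS THE SYSTEM BUT NOT THE KEY"   # constructed sample text
    cipher = encrypt(plain)
    print(cipher, "->", decrypt(cipher))
    print("keys:", keyspace_size())
    # A substitution only relabels letters, so the frequency profile is unchanged.
    print(frequency_profile(plain) == frequency_profile(cipher))
```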

Substitution ciphers....

One could use a more complicated permutation, but then
encrypting a message and decrypting a message would become
more tedious if we were to do these by hand. This is where
rotary machines came in, and by WWII they were being used to
encrypt and decrypt. In some cases, a copy of the machine
used was stolen or details were revealed to the adversary by a spy,
and so the algorithm was known and the problem was to guess or
find the secret key.

Substitution ciphers....

The secret key was used by setting the initial positions of the
rotating wheels. Once the type of machine being used was
known, mathematical analysis of the possibilities became
possible, and this explains why by the time of WWII
the team at Room 40 was expanded to include
mathematicians, a move that paid rich dividends.

Substitution ciphers

In a few decades after WWII, usage of computers became
common, and if the WWII era algorithms were still used in, say,
the 80’s, it would have been possible to break the code easily
using the power of a workstation. But if the hackers could use
computers, so could the sender and receiver, and thus use more
complex algorithms.

Absence of patterns

Now instead of the alphabet for the message being
A, B, C, ..., the alphabet is just {0, 1} and every message is
coded as a string of 0’s and 1’s, i.e. as a binary string, as it is
stored on a computer hard disc.

When the messages were strings of letters, linguists had a
role in looking for patterns. If the encrypted message could
be differentiated from pure gibberish, that would give a starting
point for cryptanalysis.

Absence of patterns... Randomness

When the message as well as the encrypted message is a long string of
0’s and 1’s, the role of linguists has been reduced to deciding if a
given text is meaningful text in the language or not. Now
finding a pattern in a string of 0’s and 1’s can be thought of
as follows:

Can the given string be differentiated from the results of fair
coin tosses, with, say, head recorded as 1 and tail recorded as 0?

Absence of patterns... Randomness

Thus one necessary condition that emerges is that the output
of an encryption algorithm should appear to be a random bit
stream, i.e. it should be indistinguishable from the output of a
random bit stream.

Test for Randomness

This leads us to the question:

Consider the null hypothesis
$H_0$: $X_1, X_2, \ldots, X_N$ are i.i.d. with

$$P(X_i = 1) = P(X_i = 0) = 0.5.$$

The alternative hypothesis $H_1$ is just the negation of $H_0$.

What statistical test should be used to test the hypothesis?

Test for Randomness

Analysis of crypto algorithms is made assuming that the
adversary knows the algorithm and that the strength of the
algorithm is in the secrecy of the key. This also means that
the adversary can analyze the algorithm by trying various keys
and hence can generate large encrypted texts to see patterns,
if any, i.e. departures from randomness, if any.

Test for Randomness

The standard test based on the CLT is good and detects departure
from the null hypothesis if $P(X_i = 1) = p$ and
$P(X_i = 0) = 1 - p$ with $p \neq 0.5$. However, if $X_1, X_2, \ldots, X_N$
are not independent but $\{X_n\}$ is a stationary process such that

$$P(X_i = 1) = P(X_i = 0) = 0.5$$

then the power of the CLT based test is not high, because
the CLT holds under much more general conditions than i.i.d.

Test for Randomness

Given that we can observe $X_1, X_2, \ldots, X_N$ for large $N$, a test
called Maurer’s universal test seems to be good for this
purpose. Let the observed values be written as a bitstream $B$
of length $N$.
The test has a parameter $L$. We describe below the test
statistic $\tau(B)$ with $L = 8$.

Maurer’s universal test

Let us split the bitstream $B$ into non-overlapping $L$-bit blocks:

$$B = B_1 B_2 \ldots B_m$$

where each $B_i$ is $L$ bits, with $N = Lm$. For $1 \le i \le m$ let

$$G(B_i) = \begin{cases} i - j & \text{if } \exists j : B_j = B_i \text{ and } B_k \neq B_i,\ j < k < i, \\ i & \text{if no such } j \text{ exists.} \end{cases}$$

Maurer’s universal test

Thus, $G(B_i)$ is the gap since the last occurrence of the
pattern $B_i$ in the stream $B_1 B_2 \ldots B_{i-1}$ and equals $i$ if the
pattern $B_i$ has not occurred before. Let

$$\tau_0(B) = \frac{1}{m - q} \sum_{i=q+1}^{m} \log_2 (G(B_i)).$$

The distribution of $\tau$ is asymptotically Normal (under the
null hypothesis) and the asymptotic mean and variance have
been computed.

Maurer’s universal test

Recommended values of $q$, $m$ are $q = 10 \times 2^L$ and
$m = 1010 \times 2^L$. For $L = 8$, it means that the bitstream should
have $N = 2068480$ bits. In that case, the mean and standard
deviation of $\tau_0(B)$ (for a random bitstream) are 7.1836656
and 0.00217401 respectively. Thus

$$\tau(B) = \frac{\tau_0(B) - 7.1836656}{0.00217401}$$

has the standard normal distribution under the null hypothesis
that $B$ is a random bitstream.
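An added example (not from the original slides) that implements the CLT frequency test and Maurer's statistic for L = 8 exactly as defined above, and runs both on a constructed stream that is perfectly balanced but obviously not random. Function names and the counter stream are assumptions made for this illustration.

```python
import math
import os

L = 8                    # block length in bits; with L = 8 each block is one byte
Q = 10 * 2**L            # q: leading blocks that only initialise the gap table
M = 1010 * 2**L          # m: total blocks, so N = L * m = 2068480 bits
MEAN, SD = 7.1836656, 0.00217401   # mean and s.d. of tau0 quoted above for L = 8

def monobit_z(stream: bytes) -> float:
    """CLT-based frequency test: standardised number of 1 bits."""
    n = 8 * len(stream)
    ones = sum(bin(byte).count("1") for byte in stream)
    return (ones - n / 2) / math.sqrt(n / 4)

def maurer_tau0(stream: bytes) -> float:
    """Average of log2 G(B_i) over blocks q+1..m, with G as defined above."""
    if len(stream) != M:
        raise ValueError(f"need exactly {M} bytes ({L * M} bits)")
    last_seen = {}                          # block value -> index of latest occurrence
    total = 0.0
    for i, block in enumerate(stream, start=1):
        gap = i - last_seen.get(block, 0)   # equals i if the block never occurred
        last_seen[block] = i
        if i > Q:
            total += math.log2(gap)
    return total / (M - Q)

def maurer_tau(stream: bytes) -> float:
    """Standardised statistic tau(B); approximately N(0, 1) under H0."""
    return (maurer_tau0(stream) - MEAN) / SD

def counter_stream() -> bytes:
    """Constructed non-random stream: byte values 0..255 repeated 1010 times."""
    return bytes(range(256)) * (M // 256)

if __name__ == "__main__":
    for name, s in (("counter", counter_stream()), ("os.urandom", os.urandom(M))):
        print(f"{name:10s} monobit z = {monobit_z(s):8.3f}  tau = {maurer_tau(s):9.3f}")
```

The counter stream has exactly as many 1s as 0s, so the frequency test sees nothing, while every gap equals 256 and Maurer's statistic lands hundreds of standard deviations from zero.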

What is a good block cipher?

We require that the ciphertext is statistically indistinguishable
from the output of a random bit-stream generator.
If this holds, it can be taken as an indication that the
ciphertext is not leaking any information about the message.

Test for Randomness for Blockciphers

For any plaintext $F$ (with $N = 2068480$ bits) and any key $K$
(of the required size), we require that the resulting ciphertext
$E(F, K)$ is indistinguishable from a random bitstream and hence

$$\tau(E(F, K))$$

should be an observation from the standard normal distribution.

Test for Randomness for Blockciphers

In addition to requiring that for any plaintext $F$ and key $K$,
the stream $E(F, K)$ be indistinguishable from a random
bitstream, it is usually required that a block cipher should
satisfy the following properties:

Desirable properties of Blockciphers

(i) The plaintext and the corresponding ciphertext
should be uncorrelated.
(ii) Changing one bit of the plaintext in each block
should change nearly half of the bits of ciphertext.
(iii) Changing one bit of the key in each block should
change nearly half of the bits of ciphertext.
(iv) Ciphertext decrypted with a wrong key (differing
at exactly one bit from the correct key) should be
statistically indistinguishable from the output of a
random bit-stream generator.

Test for Randomness for Blockciphers

If the ciphertext is indistinguishable from a random bitstream,
the requirement that the plaintext and the corresponding
ciphertext be uncorrelated is equivalent to the requirement
that roughly half the bits in the bitstream obtained by bitwise
xor of the plaintext and ciphertext are 0’s.
Now requiring that half the bits in a bitstream are 0’s is much
weaker than the requirement that the bitstream is
indistinguishable from a random bitstream. Thus we require
that $F \oplus E(F, K)$ is indistinguishable from a random bitstream
for all i, j.

Test for Randomness for Blockciphers

We strengthen (ii), (iii) and (iv) as follows. Let $F^{*t}$ denote the
file obtained from $F$ by changing the $t$-th bit in every block (where
$1 \le t \le b$, $b$ being the block size). Since every bit is 0 or 1,
changing here means if it is 1 then change it to 0 and if it is 0
change it to 1.
So we require that (for a randomly chosen $t$, $1 \le t \le b$)

$$E(F, K) \oplus E(F^{*t}, K)$$

is indistinguishable from a random bitstream.

This strengthens (ii).

Test for Randomness for Blockciphers

Similarly, for $1 \le s \le k$ (where $k$ is the key size) let $K^{*s}$ denote
the key obtained by changing the $s$-th bit in $K$. We then
require that

$$E(F, K) \oplus E(F, K^{*s})$$

is indistinguishable from a random bitstream.
This strengthens (iii).
And we require that

$$D(E(F, K), K^{*s})$$

is indistinguishable from a random bitstream.

This strengthens (iv).

Test for Randomness for Blockciphers

We further require that if the roles of $E$ and $D$ are
interchanged, the resulting block cipher algorithm is also
strong.
For any plaintext $F$ (with $N = 2068480$ bits) and any key $K$
(of the required size), we require that the following 10
bitstreams be indistinguishable from a random bitstream:

The Derived bitstreams
$B_1 = E(F, K)$
$B_2 = F \oplus E(F, K)$
$B_3 = E(F, K) \oplus E(F, K^{*s})$
$B_4 = D(E(F, K), K^{*s})$
$B_5 = E(F, K) \oplus E(F^{*t}, K)$
$B_6 = D(F, K)$
$B_7 = F \oplus D(F, K)$
$B_8 = D(F, K) \oplus D(F, K^{*s})$
$B_9 = E(D(F, K), K^{*s})$
$B_{10} = D(F, K) \oplus D(F^{*t}, K)$.

For any $F$, $K$ these 10 bitstreams should be indistinguishable from a random
bitstream.
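An added example (not from the original slides) that builds the ten derived bitstreams for two constructed ciphers, a toy 64-bit Feistel network and a repeating-key XOR, and applies only the weaker "nearly half the bits" check to each. The ciphers, the function names, the shortened plaintext and the choices s = 5, t = 12 are assumptions for illustration; the full criterion would run Maurer's test on each stream at N = 2068480 bits.

```python
import hashlib

BLOCK = 8                  # toy block size in bytes (b = 64 bits)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(data: bytes, key: bytes, rounds) -> bytes:
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        left, right = data[i:i + 4], data[i + 4:i + 8]
        for r in rounds:       # round function: truncated SHA-256 of key, round, half
            f = hashlib.sha256(key + bytes([r]) + right).digest()[:4]
            left, right = right, xor(left, f)
        out += right + left    # final swap, so decryption is the same network reversed
    return bytes(out)

def E(F, K): return _feistel(F, K, range(4))            # constructed toy cipher
def D(C, K): return _feistel(C, K, range(3, -1, -1))    # its inverse

def weak(F, K):                # deliberately poor cipher: XOR with the repeated key
    return xor(F, K * (len(F) // len(K)))

def flip(data: bytes, bit: int, every: int) -> bytes:
    """Flip the bit-th bit (1-based) in every `every`-byte chunk of data."""
    mask = bytearray(every)
    mask[(bit - 1) // 8] = 0x80 >> ((bit - 1) % 8)
    return xor(data, bytes(mask) * (len(data) // every))

def derived_streams(enc, dec, F, K, s, t):
    """Return [B1, ..., B10] for key-bit index s and plaintext-bit index t."""
    Ks, Ft = flip(K, s, len(K)), flip(F, t, BLOCK)
    c, p = enc(F, K), dec(F, K)
    return [c, xor(F, c), xor(c, enc(F, Ks)), dec(c, Ks), xor(c, enc(Ft, K)),
            p, xor(F, p), xor(p, dec(F, Ks)), enc(p, Ks), xor(p, dec(Ft, K))]

def ones_fraction(stream: bytes) -> float:
    return sum(bin(x).count("1") for x in stream) / (8 * len(stream))

def sample_plaintext(blocks: int = 4096) -> bytes:
    """Constructed, highly structured plaintext: a 64-bit counter per block."""
    return b"".join(i.to_bytes(BLOCK, "big") for i in range(blocks))

if __name__ == "__main__":
    F, K = sample_plaintext(), bytes(range(8))
    for name, enc, dec in (("feistel", E, D), ("xor", weak, weak)):
        fr = [ones_fraction(b) for b in derived_streams(enc, dec, F, K, s=5, t=12)]
        print(name, " ".join(f"{x:.3f}" for x in fr))
```

For the XOR cipher, B3 and B5 contain exactly one 1 bit per block, so properties (ii) and (iii) fail visibly; the Feistel streams all sit near 0.5.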