7.2.1 Evolving Boolean Functions and Correlation Immunity

The work of Chapters 3 and 4 has exhibited considerable originality and achievement. Metaheuristic search has been used to generate functions with hitherto undemonstrated characteristics (counter-examples to conjectures on autocorrelation and sums-of-squares, PC(2) functions meeting the ‘trivial’ bound on algebraic degree). These results are of immediate interest to researchers in Boolean functions. The approach has considerable potential to act as a rapid and efficient mechanism for gaining increased confidence in private conjectures. The best nonlinearity and autocorrelation values reported by previous optimisation researchers have been exceeded, often simultaneously. The work extends naturally to S-boxes. The results of previous optimisation work on injective and also bijective S-boxes have been improved on, though it seems clear that theoretical construction remains significantly better with respect to nonlinearity.

Previous optimisation-based work on correlation immunity attained only functions and produced no functions with optimal profiles. In this thesis Siegenthaler optimal functions with highest possible nonlinearity values have been evolved (for small numbers of inputs). The techniques have been used to evolve several functions that have been demonstrated only very recently by theoreticians.

Change of basis is clearly a powerful tool. The original suggestion to investigate simple linear change of basis came from a leading Boolean functions researcher (Dr Subhamoy Maitra) who had made use of such transformations in his work. The variations on a theme that followed are the author’s own. An annealing approach to change of basis to obtain high order properties would seem original and useful.

For theoreticians, working with the Walsh-Hadamard spectrum is pretty much second nature but its manipulation in the manner of the ABF-1 and ABF-2 techniques seems original. The notion of ‘almost a Boolean function’ is a simple concept that enables some very difficult functions to be obtained. As far as the author is aware, no optimisation work has ever generated bent functions before.

The limitations of the techniques become apparent when attempts are made to generate functions with nine variables and above. A limited family of cost functions has been considered. No attempt has been made to design cost functions or their particular parameter values — greater theoretical insight should now be brought to bear. There would also seem to be an obvious need to extend the criteria considered. Very little work has been performed on propagation characteristics, although this did produce something new — the PC(2) function on 6 inputs with degree 5. Similarly other S-box criteria could easily be addressed (e.g. criteria more directly related to differential cryptanalysis). Equally, attempting to evolve large S-boxes (e.g. 8 by 32 S-boxes) would seem the obvious next step to take.
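The criteria referred to throughout this section (nonlinearity, correlation immunity and resiliency, the Siegenthaler bound on algebraic degree, propagation characteristics, the autocorrelation indicators and bentness) are all read off two transforms of the truth table: the Walsh-Hadamard spectrum and the autocorrelation function. The following is an added worked example, not code from the thesis or its toolset; it computes those criteria for small functions and checks whether Siegenthaler's inequality is met with equality. The three sample functions at the bottom are constructed for illustration and are not the evolved functions the chapters report.

```python
"""Cryptographic criteria of a Boolean function, read off its Walsh-Hadamard
spectrum and its autocorrelation function.  Added example; the sample
functions at the bottom are constructed and are not taken from the thesis."""


def truth_table(fn, n):
    """Truth table of fn over all 2**n inputs; bit j of the index i is x_(j+1)."""
    return [fn(*[(i >> j) & 1 for j in range(n)]) for i in range(2 ** n)]


def walsh_hadamard(tt):
    """Fast Walsh-Hadamard transform of the polarity table (-1)**f(x):
    F(w) = sum_x (-1)**(f(x) xor <w,x>), computed in O(n 2**n)."""
    F = [1 - 2 * b for b in tt]
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                a, b = F[j], F[j + h]
                F[j], F[j + h] = a + b, a - b
        h *= 2
    return F


def autocorrelation(tt):
    """r(s) = sum_x (-1)**(f(x) xor f(x xor s)) for every shift s."""
    pol = [1 - 2 * b for b in tt]
    N = len(tt)
    return [sum(pol[x] * pol[x ^ s] for x in range(N)) for s in range(N)]


def algebraic_degree(tt):
    """Degree of the algebraic normal form, via the Moebius transform."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(u).count("1") for u in range(len(a)) if a[u]), default=0)


def analyse(tt):
    """Return the standard design criteria of the function with truth table tt."""
    n = len(tt).bit_length() - 1
    F = walsh_hadamard(tt)
    r = autocorrelation(tt)
    wt = lambda u: bin(u).count("1")
    nonlinearity = 2 ** (n - 1) - max(abs(v) for v in F) // 2
    balanced = F[0] == 0
    # Correlation immunity order: largest m with F(w) = 0 for all 1 <= wt(w) <= m.
    m = 0
    while m < n and all(F[w] == 0 for w in range(1, 2 ** n) if wt(w) == m + 1):
        m += 1
    # Propagation criterion order: largest k with r(s) = 0 for all 1 <= wt(s) <= k.
    k = 0
    while k < n and all(r[s] == 0 for s in range(1, 2 ** n) if wt(s) == k + 1):
        k += 1
    degree = algebraic_degree(tt)
    # Siegenthaler's inequality: m + deg <= n, tightening to n - 1 for a
    # balanced (i.e. m-resilient) function with m <= n - 2.
    bound = n - m - 1 if (balanced and m <= n - 2) else n - m
    return {
        "n": n, "nonlinearity": nonlinearity, "balanced": balanced,
        "degree": degree, "ci_order": m,
        "resilient_order": m if balanced else None, "pc_order": k,
        "abs_indicator": max(abs(v) for v in r[1:]),
        "sum_of_squares": sum(v * v for v in r),
        "bent": n % 2 == 0 and all(abs(v) == 2 ** (n // 2) for v in F),
        "siegenthaler_bound": bound, "siegenthaler_optimal": degree == bound,
    }


# Constructed sample functions (not from the thesis):
SAMPLES = {
    "x1x2 + x3 + x4 (1-resilient, Siegenthaler optimal)":
        truth_table(lambda a, b, c, d: (a & b) ^ c ^ d, 4),
    "x1x2 + x3x4 (bent)":
        truth_table(lambda a, b, c, d: (a & b) ^ (c & d), 4),
    "x1 + x2 + x3 (affine)":
        truth_table(lambda a, b, c: a ^ b ^ c, 3),
}

if __name__ == "__main__":
    for name, tt in SAMPLES.items():
        print(name, analyse(tt))
```

The first sample illustrates the tension the chapters exploit: it attains the Siegenthaler bound (order 1 resiliency with degree 2 on 4 inputs) but pays for it with nonlinearity 4 and an absolute indicator of 16, whereas the bent function has perfect nonlinearity and propagation characteristics but is neither balanced nor correlation immune.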

Overall, it seems reasonable to claim that considerable novelty has been exhibited in these chapters; there are several new ways of approaching the evolution of desirable Boolean functions. In terms of effectiveness, previous optimisation results have been improved on. The correlation immunity results for functions with eight inputs or fewer have matched those that theoreticians have been able to demonstrate. In a small number of cases, the properties of functions evolved are better than any demonstrated by other means. The ease with which additional uses were readily found for techniques initially motivated only by achieving high nonlinearity and specific degrees of correlation immunity serves to emphasise the flexibility of the metaheuristic approach. It would seem reasonable to claim that an original and a competitive contribution has been made.

7.2.2 Perceptron and Permuted Perceptron Problems

The results reported in Chapter 5 show that all sizes ( , B and ) of PPP scheme suggested by Pointcheval are susceptible (on occasion) to annealing-based attacks. Knudsen and Meier [65] have previously shown that (101,117) instances are insecure. Perceptron Problem instances of hugely greater size than anything previously considered feasible are also shown to be susceptible. The power of previous annealing-based attacks has been significantly increased.

More important, however, are the concepts of problem warping and timing channel. Though similar ‘side-channels’ are now well-known methods of attack on cryptosystems, no search-based cryptanalysis analogues have been found in the literature (though dynamic profiling of the search is a known metaheuristic concept). The notion of analysis side-channels is novel and potentially very powerful; the author knows of no cryptosystem that has been designed to be secure against such attacks.

Perhaps the most important observation in the whole thesis is that cryptosystems would seem ideal candidates for profiling. It is this notion that unifies the problem warping and the timing channel ideas. Every annealing run achieves something and does so in some way. The real issue is understanding how the computational dynamics and final results of search algorithm runs relate to what we actually want to find. This would seem to be an exercise in profiling (though a theoretical approach is not precluded). Finding such relationships may well prove to be very difficult. Interpreting the results of annealing-based searches may begin to look like an exercise in cryptanalysis. Cryptanalysts, however, have a long history of doing cryptanalysis.

The results show that using the schemes is unsafe but fall short of providing a repeatable and reliable means of breaking specific instances. The overriding weakness is that the side-channels have only been demonstrated on a single problem family (Perceptron Problem variants). There would seem to be a pressing need to demonstrate the efficacy of these concepts on schemes based on other NP-complete problem families.

Overall, the notion of analysis side channels is original and previous optimisation-based results (which are the best results to date) have been improved on. It seems reasonable to claim that an original and competitive contribution has been made.

7.2.3 The Evolution of Security Protocols

Security protocol engineering is one of the most active areas of security. Automated security protocol synthesis has only recently emerged; there would appear to be no papers on the topic prior to 2000. The only two techniques in the literature (as far as the author is aware) are the metaheuristic search approach of Chapter 6 [22, 24] and the model checking approach of Song and Perrig [117, 118].

The approach reported in this thesis has significant strengths. In particular, it finds protocols satisfying a specification in at most a few minutes and is able to work with very large protocols (some specifications could not be refined to fewer than 8 messages). This contrasts markedly with the hours of computation time required by model checking approaches to generate even quite small protocols (e.g. 3 or 4 messages).

However, the current toolset implements only a small subset of BAN logic (public key encryption is not currently handled, for example) and, consequently, the model checking work of Song and Perrig has a richer design space. Their approach incorporates a sophisticated attack model too. A belief logic approach is only as powerful as the logic it implements. If the logic misses certain flaws, or else makes particular assumptions, the user must augment any automated designs the technique produces with additional checks to ensure adequate security. The approach currently produces only an abstract refinement, not an implementation. Adding a code generation stage would enable rapid experimentation and complete the automated design path.

The work reported in Chapter 6 establishes ‘proof of concept’. The metaheuristic evolution of security protocols is, perhaps, a surprising idea but it has not produced any surprising protocols. The examples reported in this thesis are really staged exploratory tests. The approach has obvious potential for extension but requires significant further development and experimentation before a true assessment of its merits can be made. It also adds a new twist to the long and controversial life of BAN logic.

Overall, the technique shows promise. It clearly out-performs rival approaches with respect to the size of protocols that can be generated and also the speed with which they are generated, but suffers in terms of restrictiveness of the design space and the power of the underlying logic. It would seem reasonable to claim that a ‘competitive’ contribution has been made in this new area. A claim to originality is easier — there are only two approaches at present and the metaheuristic search one is radically different from Song and Perrig’s model checking approach!

7.2.4 A Significant Increase in Power?

The research reported in this thesis has addressed a number of problems. Only problems of modern day cryptology have been addressed — a very deliberate choice. The thesis would appear very unusual in this respect. Boolean function work is a well-established topic in cryptology, crypto-schemes based on instances of NP-complete problems might plausibly be described as ‘home ground’ and the metaheuristic evolution of security protocols with proofs of their own correctness is a very significant leap in the level of abstraction at which metaheuristic search has been applied in cryptology.

The results reported in this thesis have improved on the published results of search-based cryptological research. In addition, results have been generated of genuine interest to professional cryptological researchers. In some cases, results have been demonstrated that improve on those of any applied techniques. The achievements of the research reported in this thesis have been summarised in Section 7.2. Those achievements allow a reasonable claim that the power of metaheuristic search as a tool for modern-day cryptological research is significantly greater than currently evidenced in publicly available literature.