Search

US-12627497-B2 - Apparatus and method for decrypting an encrypted bit sequence

US12627497B2US 12627497 B2US12627497 B2US 12627497B2US-12627497-B2

Abstract

An apparatus for decrypting an encrypted bit sequence comprises a test device configured to subject the bit sequence to a statistical test in view of an expected distribution of the bits in the bit sequence in order to obtain a test result. The apparatus is configured to decrypt the bit sequence should the test result indicate that the distribution follows the expected distribution, and to not decrypt the bit sequence should the test result indicate that the distribution does not follow the expected distribution.

Inventors

  • Thomas Poeppelmann
  • Peter Pessl
  • Daniel Heinz
  • Julius Hermelink

Assignees

  • INFINEON TECHNOLOGIES AG

Dates

Publication Date
20260512
Application Date
20221121
Priority Date
20211130

Claims (20)

  1. 1 . An apparatus for decrypting an encrypted bit sequence, comprising: decryption circuitry configured to perform decryption of bit sequences according to a cryptosystem; test circuitry configured to subject the bit sequence to a statistical test in view of an expected distribution of the bits in the bit sequence, to obtain a test result; and control circuitry configured to control the decryption circuitry so as to decrypt the bit sequence should the test result indicate that the distribution follows the expected distribution and to not decrypt the bit sequence should the test result indicate that the distribution does not follow the expected distribution.
  2. 2 . The apparatus of claim 1 , wherein the test circuitry is configured to determine a measure of uniformity of distribution in the encrypted bit sequence by means of the statistical test; the test circuitry being configured to provide the test result with information specifying the measure; or specifying whether the measure at least reaches a predefined threshold value, the apparatus comprising control circuitry configured to evaluate the test result and to allow or prevent, on the basis of the test result, a decryption of the bit sequence using the decryption circuitry.
  3. 3 . The apparatus of claim 1 , configured as part of a lattice-based cryptosystem.
  4. 4 . The apparatus of claim 1 , wherein the test circuitry is configured to decompose the encrypted bit sequence into a plurality of parts and to subject each part of the plurality of parts to the statistical test in view of the expected distribution of bits in order to obtain a respective partial test result, and wherein the control circuitry is configured to control the decryption circuitry to decrypt the bit sequence should each partial test result indicate that the distribution follows the expected distribution and to not decrypt the bit sequence should at least one of the partial test results indicate that the distribution does not follow the expected distribution.
  5. 5 . The apparatus of claim 4 , wherein the test circuitry is configured to decompose at least a first part into a first plurality of components of equal length and to obtain the first partial test result on the basis of an evaluation of the first plurality of components and to decompose a second part into a second plurality of components of equal length and to obtain the second partial test result on the basis of an evaluation of the second plurality of components.
  6. 6 . The apparatus of claim 1 , wherein the test circuitry is configured to decompose the encrypted bit sequence into a plurality of parts and to subject each part of the plurality of parts to the statistical test in view of the expected distribution of bits to obtain a respective partial test result, the control circuitry being configured to control the decryption circuitry to decrypt the bit sequence should each partial test result indicate that the distribution follows the expected distribution and follows a predetermined further criterion.
  7. 7 . The apparatus of claim 1 , wherein the decryption circuitry is configured to decrypt the bit sequence in correspondence with a symmetric encryption or an asymmetric encryption.
  8. 8 . The apparatus of claim 1 , wherein the test circuitry is configured to produce a signal that specifies that the distribution does not follow the expected distribution.
  9. 9 . The apparatus of claim 1 , wherein the decryption circuitry is configured to decrypt the bit sequence using a secret in order to obtain a decrypted bit sequence, and wherein the apparatus further comprises encryption circuitry configured to encrypt the decrypted bit sequence in order to obtain a re-encrypted bit sequence, the control circuitry being configured to compare the bit sequence with the re-encrypted bit sequence to obtain a comparison result and to output an alarm signal should the comparison result indicate a deviation between the bit sequence and the re-encrypted bit sequence.
  10. 10 . The apparatus of claim 1 , formed as a secure computing device.
  11. 11 . A method for verifying a bit sequence encrypted according to a cryptosystem, comprising: carrying out a statistical test on the bit sequence in view of an expected distribution of bits in the bit sequence in order to obtain a test result; decrypting the bit sequence according to the cryptosystem should the test result indicate that the distribution follows the expected distribution; or not decrypting the bit sequence should the test result indicate that the distribution does not follow the expected distribution.
  12. 12 . The method of claim 11 , further including: determining a measure of a uniform distribution in the encrypted bit sequence by means of the statistical test; providing the test result with information specifying the measure or specifying whether the measure at least reaches a predefined threshold value; evaluating the test result and allowing or preventing a decryption of the bit sequence on the basis of the test result.
  13. 13 . The method of claim 11 , carried out as part of a lattice-based cryptosystem.
  14. 14 . The method of claim 11 , further comprising: decomposing the encrypted bit sequence into a plurality of parts and subjecting each part of the plurality of parts to the statistical test in view of the expected distribution of bits in order to obtain a respective partial test result; decrypting the bit sequence should each partial test result indicate that the distribution follows the expected distribution; and not decrypting the bit sequence should at least one of the first partial test result and the second partial test result indicate that the distribution does not follow the expected distribution.
  15. 15 . The method of claim 14 , further comprising: dividing at least a first part into a first plurality of components of equal length and obtaining the first partial test result on the basis of an evaluation of the first plurality of components; dividing the second part into a second plurality of components of equal length; and obtaining the second partial test result on the basis of an evaluation of the second plurality of components.
  16. 16 . The method of claim 11 , further including: decomposing the encrypted bit sequence into a plurality of parts and subjecting each part of the plurality of parts to the statistical test in view of the expected distribution of bits in order to obtain a respective partial test result; decrypting the bit sequence should each partial test result indicate that the distribution follows the expected distribution and follows a predetermined further criterion.
  17. 17 . The method of claim 11 , wherein the bit sequence is decrypted in correspondence with a symmetric encryption or an asymmetric encryption.
  18. 18 . The method of claim 11 , further comprising: producing a signal that specifies that the distribution does not follow the expected distribution.
  19. 19 . The method of claim 11 , further including: decrypting the bit sequence using a secret to obtain a decrypted bit sequence; encrypting the decrypted bit sequence to obtain a re-encrypted bit sequence; comparing the bit sequence with the re-encrypted bit sequence to obtain a comparison result; and outputting an alarm signal should the comparison result indicate a deviation between the bit sequence and the re-encrypted bit sequence.
  20. 20 . The method of claim 11 , carried out using a secure computing device.

Description

TECHNICAL FIELD The present exemplary embodiments relate to an apparatus and method for decrypting an encrypted bit sequence. Exemplary embodiments further relate to a method for statistical testing of an encrypted text. BACKGROUND Bit sequences can be encrypted and decrypted with the aid of what are known as crypto methods, allowing an encrypted transmission of the information contained in the bit sequence. Attackers could attempt to obtain a key used for encryption or decryption purposes in order to obtain access to the plain text and/or in order to overcome the encryption method. Hence, there is a need of significant security in relation to encrypted bit sequences. SUMMARY A problem solved by the present exemplary embodiments can be considered that of enabling high security when decrypting bit sequences. According to an exemplary embodiment, an apparatus for decrypting an encrypted bit sequence is equipped with a test device configured to subject the bit sequence to a statistical test in view of an expected distribution of the bits in the bit sequence in order to obtain a test result. The apparatus is configured to decrypt the bit sequence should the test result indicate that the distribution follows the expected distribution, and to not decrypt the bit sequence should the test result indicate that the distribution does not follow the expected distribution. According to an exemplary embodiment, a method is provided which comprises an implementation of a statistical test on a received encrypted bit sequence and in view of an expected distribution of bits in the bit sequence in order to obtain a test result. The method further comprises a decryption of the bit sequence should the test result indicate that the distribution follows the expected distribution. Alternatively, should the test results indicate that the distribution does not follow the expected distribution, the bit sequence is not decrypted. Further embodiments are the subject matter of dependent patent claims. BRIEF DESCRIPTION OF THE FIGURES Some of the embodiments described herein are explained below with reference to the attached drawings, in which: FIG. 1 shows a schematic block diagram of an apparatus according to an exemplary embodiment; FIG. 2 shows a schematic block diagram of an apparatus with a control device according to an exemplary embodiment; FIG. 3 shows a schematic representation of a bit sequence for explaining advantageous configurations of exemplary embodiments described herein; FIG. 4 shows a schematic block diagram of an apparatus according to an exemplary embodiment, which comprises a decryption device; FIG. 5 shows an exemplary collision distribution for 10 000 valid ciphertexts and a binomial approximation in this respect; FIG. 6 shows a schematic representation of a binomial test and a calculation of a threshold value for the use in exemplary embodiments; FIG. 7 shows a schematic flowchart of a method according to one exemplary embodiment; FIG. 8 shows a processing apparatus according to an exemplary embodiment, comprising a CPU, a RAM, a non-volatile memory, a crypto module, an analog module, an input/output interface and a hardware random number generator; and FIG. 9 shows a processing apparatus according to an exemplary embodiment, comprising an application processor and a hardware security module. DETAILED DESCRIPTION Before exemplary embodiments of the present invention are explained in more detail below with reference to the drawings, attention is drawn to the fact that identical, functionally identical or identically acting elements, objects and/or structures are provided with the same reference signs in the various figures such that the description of these elements set forth in the various exemplary embodiments may be interchanged with one another or applied to one another. Exemplary embodiments described below are described in conjunction with a multiplicity of details. However, exemplary embodiments may also be implemented without these detailed features. Moreover, for the sake of clarity, exemplary embodiments are described using block diagrams as a replacement for a detailed representation. Further, details and/or features of individual exemplary embodiments can readily be combined for as long as nothing is explicitly described to the contrary. Present exemplary embodiments relate to the technical field of cryptography, which may include both an encryption and a decryption of bit sequences. In this case, some of the embodiments described herein are directed to a conditional decryption of bit sequences, especially in the context of what are known as lattice-based cryptosystems. Apparatuses and/or methods according to the exemplary embodiments described herein may represent parts of such a lattice-based cryptosystem. For example, Kyber and Saber are exemplary lattice-based cryptosystems. Irrespective thereof, the advantages obtained by the present exemplary embodiments may also be obtained using different syst