
Block ciphers 1


zavad

Presentation Transcript


  1. Block ciphers 1 Session 3

  2. Contents • Design of block ciphers • Non-linear transformations

  3. Design of block ciphers • The problem of block cipher design: • Determine which set of $2^K$ block ciphers ($K$ is the length of the key) to choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext • Given prior knowledge of a number of plaintext/ciphertext pairs, it should be impossible to say anything about the fixed key

  4. Design of block ciphers • This is achieved via a combination of: • Confusion, which makes the relationship between the key and the ciphertext as complicated as possible (by means of substitution through non-linear functions, so-called S-boxes) • Diffusion, which makes every symbol of the ciphertext dependent on as many plaintext letters as possible (by means of linear transformations such as permutations).

  5. Design of block ciphers • Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits • Ideally, it would be impossible to decompose this S-box into smaller sub-units • Such a block cipher would have a huge implementation complexity

  6. Design of block ciphers • Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext • These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key

  7. Design of block ciphers • The decomposition of the theoretical large S-box into practical sub-units constitutes a trade-off between security and acceptable implementation complexity.

  8. Non-linear transformations • Non-linearity in block ciphers is usually introduced by means of tables, so-called S-boxes • There are also designs without explicit S-boxes. Instead, integer addition and multiplication, discrete logarithm and exponentiation, etc. are used (examples of such ciphers are IDEA, RC6, etc.)

  9. Non-linear transformations • S-boxes can be very simple. For example, the S-boxes of Rijndael and Camellia are essentially $x^{-1}$ over $GF(2^8)$ • Regarding the relation with the key, S-boxes can be • Key dependent • Key independent • So, to design block ciphers we need S-boxes • How do we get good, highly non-linear S-boxes?

  10. Non-linear transformations • Almost perfect non-linear (APN) functions • Resistant to certain attacks against block ciphers (differential and linear cryptanalysis) • Let $f(x)$ be a mapping $GF(p^n) \to GF(p^n)$ • Let $N(a,b)$ denote the number of solutions $x \in GF(p^n)$ of the equation $f(x+a) - f(x) = b$, $a, b \in GF(p^n)$ • Let $\Delta_f = \max\{N(a,b) \mid a, b \in GF(p^n),\ a \neq 0\}$

  11. Non-linear transformations • For linear functions $f(x+a) = f(x) + f(a)$, so $f(x+a) - f(x) = f(x) + f(a) - f(x) = f(a)$ • Thus for linear functions $b = f(a)$, which means that any $x$ satisfies the equation • A completely contrary case • Only 1 solution of the equation – the “most nonlinear” function $f(x)$.

  12. Non-linear transformations • If $\Delta_f = k$, the mapping $f$ is called differentially $k$-uniform • For applications in cryptography, $\Delta_f$ should be as small as possible (i.e. non-linearity is maximum) • If $p$ is odd, there exist functions for which $\Delta_f = 1$: perfect nonlinear functions (PN) • Functions of the form $f(x) = x^d$ over $GF(p^n)$, $p$ prime, are of special interest

  13. Non-linear transformations • Theorem 1: $f(x) = x^d$ is a mapping over $GF(p^n)$, $p > 2$. Then $f(x)$ is 1-uniform (PN) in the following cases: • $d = 2$ • $d = p^k + 1$, $n/(n,k)$ is odd • $d = (3^k + 1)/2$, $p = 3$, $k$ odd, $(n,k) = 1$

  14. Non-linear transformations • Since for the most interesting case, $p = 2$, PN functions do not exist, we use APN • APN functions: $\Delta_f = 2$ • For $p = 2$, if $x$ is a solution of $f(x+a) - f(x) = b$, so is $x + a$ • Thus $\Delta_f = 2$ is the smallest possible value when $p = 2$ • This means that the restricted meaning of “almost” is not justified in this case

  15. Non-linear transformations • Theorem (1): $f(x) = x^d$ is a mapping over $GF(2^n)$. Then $f(x)$ is APN in the following cases • $n = 2m + 1$: • $d = 2^n - 2$ (proved by Nyberg, 1993, Beth, Ding, 1993) • $d = 2^k + 1$, $(n,k) = 1$, $1 \le k \le m$ (Gold’s function, 1968) • $d = 2^{2k} - 2^k + 1$, $(n,k) = 1$, $2 \le k \le m$ (Kasami’s function, 1971) • $d = 2^m + 3$ (Welch’s function, 1972, proved by Dobbertin, 1999) • $d = 2^m + 2^{m/2} - 1$ (even $m$), $d = 2^m + 2^{(3m+1)/2} - 1$ (odd $m$) (Niho’s function, 1972, proved by Dobbertin, 1999)

  16. Non-linear transformations • Theorem (2) • $n = 2m$: • $d = 2^k + 1$, $(n,k) = 1$, $1 \le k \le m$ (Gold’s function, proved by Nyberg, 1993) • $d = 2^{2k} - 2^k + 1$, $(n,k) = 1$, $2 \le k \le m$ (Kasami’s function, proved by Dobbertin, 1999) • Problem with even $n$ • No APN power function $x^d$ is one-to-one for even $n$, which means that such functions are not balanced

  17. Non-linear transformations • If the power function $x^d$ is PN (APN) for some $d$, it is also PN (APN) for $2^i d \bmod (2^n - 1)$ ($i < n$) • An S-box can be obtained by means of a linear transform $F(x) = ax + b$ of an APN power function $x^d$, i.e. $S(x) = F(x) \circ x^d = F(x^d) = a x^d + b$, $a, b, x \in GF(2^n)$, $\deg a(x) < n$, $\deg b(x) < n$, $a(x) \neq 0$. • The non-linear order of the S-box obtained from $x^d$ is equal to the Hamming weight of $d$

  18. Non-linear transformations • Example (1): Use the Kasami exponent to design a 7-bit S-box. $k = 2$, the generating polynomial of the field is $f(x) = x^7 + x + 1$, $a(x) = x^5 + x^4 + x + 1$, $b(x) = x^4 + x$ • $n = 7$, $m = 3$, $2 \le k \le 3$, $(2,7) = 1$ • Then $d = 2^{2k} - 2^k + 1 = 2^4 - 2^2 + 1 = 13$ • The Hamming weight of $d = 13_{10} = 1101_2$ is 3, so the non-linear order of the S-box will be 3

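  19. Non-linear transformations • Example (2) • We first generate the finite field $GF(2^7)$ modulo the given irreducible polynomial $f(x) = x^7 + x + 1$: $\alpha^0 = 1 \to 0000001$; $\alpha^1 = \alpha \to 0000010$; $\alpha^2 \to 0000100$; $\alpha^3 \to 0001000$; $\alpha^4 \to 0010000$; $\alpha^5 \to 0100000$; $\alpha^6 \to 1000000$; $\alpha^7 = \alpha + 1 \to 0000011$; $\alpha^8 = \alpha^2 + \alpha \to 0000110$; $\alpha^9 = \alpha^3 + \alpha^2 \to 0001100$; $\alpha^{10} = \alpha^4 + \alpha^3 \to 0011000$; $\alpha^{11} = \alpha^5 + \alpha^4 \to 0110000$; $\alpha^{12} = \alpha^6 + \alpha^5 \to 1100000$; $\alpha^{13} = \alpha^6 + \alpha + 1 \to 1000011$; …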

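  20. Non-linear transformations • Example (3) • Then we power each element of the generated field, i.e. we compute: $(\alpha^0)^{13} = 1 \to 0000001$; $(\alpha^1)^{13} = \alpha^{13} = \alpha^6 + \alpha + 1 \to 1000011$; $(\alpha^2)^{13} = \alpha^{26} = \alpha^6 + \alpha^5 + \alpha^2 + 1 \to 1100101$; $(\alpha^3)^{13} = \alpha^{39} = \alpha^5 + \alpha^4 + \alpha^3 + \alpha \to 0111010$; … $(\alpha^{10})^{13} = \alpha^{130 \bmod 127} = \alpha^3 \to 0001000$; …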

  21. Non-linear transformations • Example (4) • Every $(\alpha^i)^d = \alpha^{(id) \bmod 127}$ should now be multiplied by $a(x)$ mod $f(x)$ and $b(x)$ is added to the result. So we finally get: $\alpha^0 = 0000001 \to a(x) + b(x) = \alpha^5 + 1 \to 0100001$; $\alpha^1 = 0000010 \to ((x^5 + x^4 + x + 1)(x^6 + x + 1) + (x^4 + x)) \bmod (x^7 + x + 1) = \alpha^5 + \alpha^3 + \alpha^2 \to 0101100$; etc. • Since $x = 0000000$ is also an element of the field, $F(0) = b(x) = x^4 + x \to 0010010$

  22. Non-linear transformations • The addresses of the S-box items should be given in increasing order, from 0000000 to 1111111, and the corresponding values of S are given for every address • The addresses $x$ are the elements of the original field • The value at the address $x$ is $F(x) = a(x) x^d + b(x)$

  23. Non-linear transformations • Example • The S7 S-box (7 input bits, 7 output bits) of the block cipher KASUMI • $F(x) = x^{81}$ over $GF(2^7)$ • $81_{10} = 1010001_2 = 2^6 + 2^4 + 1 = 2^4(2^4 - 2^2 + 1) \pmod{2^7 - 1}$ • The exponent $d = 2^4 - 2^2 + 1 = 13$ is a Kasami exponent, $k = 2$ • The non-linear order of the function $F(x) = x^{13}$ is 3, since the Hamming weight of $13_{10} = 1101_2$ is 3 • Since $81 = 2^4(2^4 - 2^2 + 1) \pmod{2^7 - 1}$, $x^{81}$ has the same non-linearity properties as $x^{13}$ over $GF(2^7)$

  24. Non-linear transformations • Example • The S9 S-box (9 input bits, 9 output bits) of the block cipher KASUMI • $F(x) = a(x) x^5 + b(x)$ over $GF(2^9)$ • $a(x)$ and $b(x)$ have not been published • $n = 9 = 2 \cdot 4 + 1$, $m = 4$, $d = 5 = 2^2 + 1$, $k = 2$, $(n,k) = 1$, $1 \le k \le m$ • Gold’s function

  25. Non-linear transformations • Example • The substitution S-box in Rijndael is an affine transformation of $x^{-1}$ over $GF(2^8)$ • Theorem (Nyberg, 1993) • $x^{-1}$ over $GF(2^n)$ is • Differentially 2-uniform, for $n = 2m + 1$ • Differentially 4-uniform, for $n = 2m$ • So, $x^{-1}$ is not APN over $GF(2^8)$ since $n = 8$ is even
