Block ciphers 1

Feb 23, 2016

zavad

Session 3

Contents

• Design of block ciphers
• Non-linear transformations

Design of block ciphers

• The problem of block cipher design:
  – Determine which set of $2^K$ block ciphers ($K$ is the length of the key) to choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext
  – Given prior knowledge of a number of plaintext/ciphertext pairs, it should be impossible to say anything about the fixed key

• This is achieved via a combination of:
  – Confusion, which makes the relationship between the key and the ciphertext as complicated as possible (by means of substitution through non-linear functions, so-called S-boxes)
  – Diffusion, which makes every symbol of the ciphertext dependent on as many plaintext letters as possible (by means of linear transformations such as permutations).

• Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits

• Ideally, it would be impossible to decompose this S-box into smaller sub-units

• Such a block cipher would have a huge implementation complexity


• Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext

• These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key


• The decomposition of the theoretical large S-box into practical sub-units constitutes a trade-off between security and acceptable implementation complexity.


Non-linear transformations

• Non-linearity in block ciphers is usually introduced by means of tables, so-called S-boxes

• There are also designs without explicit S-boxes. Instead, integer addition and multiplication, discrete logarithm and exponentiation, etc. are used (examples of such ciphers are IDEA, RC6, etc.)


• S-boxes can be very simple. For example, the S-boxes of Rijndael and Camellia are essentially $x^{-1}$ over $GF(2^8)$
• Regarding the relation with the key, S-boxes can be
  – Key dependent
  – Key independent
• So, to design block ciphers we need S-boxes
  – How do we get good, highly non-linear S-boxes?

• Almost perfect nonlinear functions (APN)
  – Resistant to certain attacks against block ciphers (differential and linear cryptanalysis)
  – Let $f(x)$ be a mapping $GF(p^n) \to GF(p^n)$
  – Let $N(a,b)$ denote the number of solutions $x \in GF(p^n)$ of the equation $f(x+a) - f(x) = b$, $a, b \in GF(p^n)$
  – Let $\Delta_f = \max\{N(a,b) \mid a, b \in GF(p^n),\ a \neq 0\}$

• For linear functions $f(x+a) = f(x) + f(a)$. So, $f(x+a) - f(x) = f(x) + f(a) - f(x) = f(a)$. Thus for linear functions $b = f(a)$, which means that any $x$ satisfies the equation
• A completely contrary case
  – Only 1 solution of the equation: the “most nonlinear” function $f(x)$.

• If $\Delta_f = k$, the mapping $f$ is called differentially $k$-uniform
• For applications in cryptography, $\Delta_f$ should be as small as possible (i.e. non-linearity is maximum)
• If $p$ is odd, there exist functions for which $\Delta_f = 1$: perfect nonlinear functions (PN)
• Functions of the form $f(x) = x^d$ over $GF(p^n)$, $p$ prime, are of special interest

• Theorem 1: $f(x) = x^d$ is a mapping over $GF(p^n)$, $p > 2$. Then $f(x)$ is 1-uniform (PN) in the following cases:
  – $d = 2$
  – $d = p^k + 1$, $n/(n,k)$ is odd
  – $d = (3^k + 1)/2$, $p = 3$, $k$ odd, $(n,k) = 1$

• Since for the most interesting case, $p = 2$, PN functions do not exist, we use APN
• APN functions: $\Delta_f = 2$
• For $p = 2$, if $x$ is a solution of $f(x+a) - f(x) = b$, so is $x + a$
• Thus $\Delta_f = 2$ is the smallest possible value when $p = 2$
• This means that the restricted meaning of “almost” is not justified in this case

• Theorem (1): $f(x) = x^d$ is a mapping over $GF(2^n)$. Then $f(x)$ is APN in the following cases
• $n = 2m + 1$
  – $d = 2^n - 2$ (proved by Nyberg, 1993, Beth, Ding, 1993)
  – $d = 2^k + 1$, $(n,k) = 1$, $1 \le k \le m$ (Gold’s function, 1968)
  – $d = 2^{2k} - 2^k + 1$, $(n,k) = 1$, $2 \le k \le m$ (Kasami’s function, 1971)
  – $d = 2^m + 3$ (Welch’s function, 1972, proved by Dobbertin, 1999)
  – $d = 2^m + 2^{m/2} - 1$ (even $m$), $2^m + 2^{(3m+1)/2} - 1$ (odd $m$) (Niho’s function, 1972, proved by Dobbertin, 1999)

• Theorem (2)
• $n = 2m$
  – $d = 2^k + 1$, $(n,k) = 1$, $1 \le k \le m$ (Gold’s function, proved by Nyberg, 1993)
  – $d = 2^{2k} - 2^k + 1$, $(n,k) = 1$, $2 \le k \le m$ (Kasami’s function, proved by Dobbertin, 1999)
• Problem with even $n$
  – No APN power function $x^d$ is one-to-one for even $n$, which means that such functions are not balanced

• If the power function $x^d$ is PN (APN) for some $d$, it is also PN (APN) for $2^i d \bmod (2^n - 1)$ ($i < n$)
• An S-box can be obtained by means of a linear transform $F(x) = ax + b$ of an APN power function $x^d$, i.e. $S(x) = F(x) \circ x^d = F(x^d) = a x^d + b$, $a, b, x \in GF(2^n)$, $\deg a(x) < n$, $\deg b(x) < n$, $a(x) \neq 0$.
• The non-linear order of the S-box obtained from $x^d$ is equal to the Hamming weight of $d$

• Example (1): Use the Kasami exponent to design a 7-bit S-box. $k = 2$, the generating polynomial of the field is $f(x) = x^7 + x + 1$, $a(x) = x^5 + x^4 + x + 1$, $b(x) = x^4 + x$

  $n = 7$, $m = 3$, $2 \le k \le 3$, $(2,7) = 1$
  Then $d = 2^{2k} - 2^k + 1 = 2^4 - 2^2 + 1 = 13$
  The Hamming weight of $d = 13_{10} = 1101_2$ is 3, so the non-linear order of the S-box will be 3

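• Example (2)
  – We first generate the finite field $GF(2^7)$ modulo the given irreducible polynomial $f(x) = x^7 + x + 1$

    $\alpha^0 = 1$    0000001
    $\alpha^1 = \alpha$    0000010
    $\alpha^2 = \alpha^2$    0000100
    $\alpha^3 = \alpha^3$    0001000
    $\alpha^4 = \alpha^4$    0010000
    $\alpha^5 = \alpha^5$    0100000
    $\alpha^6 = \alpha^6$    1000000
    $\alpha^7 = \alpha + 1$    0000011
    $\alpha^8 = \alpha^2 + \alpha$    0000110
    $\alpha^9 = \alpha^3 + \alpha^2$    0001100
    $\alpha^{10} = \alpha^4 + \alpha^3$    0011000
    $\alpha^{11} = \alpha^5 + \alpha^4$    0110000
    $\alpha^{12} = \alpha^6 + \alpha^5$    1100000
    $\alpha^{13} = \alpha^6 + \alpha + 1$    1000011
    …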

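• Example (3)
  – Then we raise each element of the generated field to the power $d$, i.e. we compute

    $(\alpha^0)^{13} = 1$    0000001
    $(\alpha^1)^{13} = \alpha^{13} = \alpha^6 + \alpha + 1$    1000011
    $(\alpha^2)^{13} = \alpha^{26} = \alpha^6 + \alpha^5 + \alpha^2 + 1$    1100101
    $(\alpha^3)^{13} = \alpha^{39} = \alpha^5 + \alpha^4 + \alpha^3 + \alpha$    0111010
    …
    $(\alpha^{10})^{13} = \alpha^{130 \bmod 127} = \alpha^3$    0001000
    …

    $id \bmod (2^n - 1) = 13i \bmod 127$, $i = 0, \ldots, 125$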

• Example (4)
  – Every $(\alpha^i)^d = \alpha^{(id) \bmod 127}$ should now be multiplied by $a(x)$ mod $f(x)$ and $b(x)$ is added to the result. So we finally get

    $\alpha^0 = 0000001$:  $a(x) + b(x) = \alpha^5 + 1$    0100001
    $\alpha^1 = 0000010$:  $((x^5 + x^4 + x + 1)(x^6 + x + 1) + (x^4 + x)) \bmod (x^7 + x + 1) = \alpha^5 + \alpha^3 + \alpha^2$    0101100
    Etc.

  – Since $x = 0000000$ is also an element of the field, $F(0) = b(x) = x^4 + x$    0010010

• The addresses of the S-box items should be given in increasing order, from 0000000 to 1111111, and the corresponding values of $S$ are given for every address
• The addresses $x$ are the elements of the original field
• The value at the address $x$ is $F(x) = a(x) x^d + b(x)$

• Example
  – The S7 S-box (7 input bits, 7 output bits) of the block cipher KASUMI
    • $F(x) = x^{81}$ over $GF(2^7)$
    • $81_{10} = 1010001_2 = 2^6 + 2^4 + 1 = 2^4 (2^4 - 2^2 + 1) \pmod{2^7 - 1}$
    • The exponent $d = 2^4 - 2^2 + 1 = 13$ is a Kasami exponent, $k = 2$
    • The non-linear order of the function $F(x) = x^{13}$ is 3, since the Hamming weight of $13_{10} = 1101_2$ is 3
    • Since $81 = 2^4 (2^4 - 2^2 + 1) \pmod{2^7 - 1}$, $x^{81}$ has the same non-linearity properties as $x^{13}$ over $GF(2^7)$

• Example
  – The S9 S-box (9 input bits, 9 output bits) of the block cipher KASUMI
    • $F(x) = a(x) x^5 + b(x)$ over $GF(2^9)$
    • $a(x)$ and $b(x)$ have not been published
    • $n = 9 = 2 \cdot 4 + 1$, $m = 4$, $d = 5 = 2^2 + 1$, $k = 2$, $(n,k) = 1$, $1 \le k \le m$
    • Gold’s function

• Example
  – The substitution S-box in Rijndael is an affine transformation of $x^{-1}$ over $GF(2^8)$
  – Theorem (Nyberg, 1993)
    • $x^{-1}$ over $GF(2^n)$ is
      – Differentially 2-uniform, for $n = 2m + 1$
      – Differentially 4-uniform, for $n = 2m$
  – So, $x^{-1}$ is not APN over $GF(2^8)$ since $n = 8$ is even
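The 7-bit S-box worked through in Examples (1) to (4) and the Nyberg result on $x^{-1}$ can both be checked by exhaustive counting. The Python below is an added example, not part of the original slides: it builds $S(x) = a(x)x^{13} + b(x)$ over $GF(2^7)$ and measures the differential uniformity (the maximum of $N(a,b)$ over $a \neq 0$), then goes one step further and does the same for $x^{81}$ and for $x^{254} = x^{-1}$ over $GF(2^8)$. Function names are illustrative, and the Rijndael field polynomial 0x11B ($x^8 + x^4 + x^3 + x + 1$) is an assumption not stated on the slides.

```python
# Added example. Field elements are integers: bit i is the coefficient of x^i.

def gf_mul(a, b, poly, n):
    """Multiply a*b in GF(2^n) modulo the irreducible polynomial `poly`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:              # degree reached n: reduce modulo poly
            a ^= poly
    return r

def gf_pow(x, d, poly, n):
    """Square-and-multiply x^d in GF(2^n); gives 0 for x = 0 and d > 0."""
    r = 1
    while d:
        if d & 1:
            r = gf_mul(r, x, poly, n)
        x = gf_mul(x, x, poly, n)
        d >>= 1
    return r

def power_sbox(d, poly, n, a=1, b=0):
    """Table of S(x) = a*x^d + b, addresses x = 0 .. 2^n - 1 in increasing order."""
    return [gf_mul(a, gf_pow(x, d, poly, n), poly, n) ^ b for x in range(1 << n)]

def differential_uniformity(sbox):
    """max over a != 0 and all b of #{x : S(x + a) - S(x) = b}; + and - are XOR."""
    size, worst = len(sbox), 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        worst = max(worst, max(counts))
    return worst

F7 = 0b10000011                     # f(x) = x^7 + x + 1 (from the slides)
A, B = 0b0110011, 0b0010010         # a(x) = x^5+x^4+x+1, b(x) = x^4+x
S = power_sbox(13, F7, 7, A, B)     # Kasami exponent d = 13, k = 2
X81 = power_sbox(81, F7, 7)         # 81 = 2^4 * 13 mod 127
INV8 = power_sbox(254, 0x11B, 8)    # x^-1 over GF(2^8); polynomial is an assumption

if __name__ == "__main__":
    print([format(v, "07b") for v in S[:3]])
    print(differential_uniformity(S), differential_uniformity(X81),
          differential_uniformity(INV8))
```

The first three table entries reproduce the values given in Example (4), and the even-$n$ inverse mapping shows the higher count that keeps it from being APN.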