Scalable Involutional PP-1 Block Cipher for Limited Resources K. Chmiel, A. Grocholewska-Czuryło, J. Stokłosa Poznan University of Technology Institute of Control and Information Engineering Poznan, Poland

Mar 31, 2015


Scalable Involutional PP-1 Block Cipher for Limited Resources

K. Chmiel, A. Grocholewska-Czuryło, J. Stokłosa

Poznan University of Technology

Institute of Control and Information Engineering

Poznan, Poland

10-12.06.2010 Scalable Involutional PP-1 Block Cipher for Limited Resources CECC 2010 © Krzysztof Chmiel

Basic assumptions of the PP-1 cipher project

• Scalability – extendable data block size and key size;

• Resources – limited (small memory, simple processor);
  - the same resources for encryption and decryption:
    - one involutional S-box (i.e. S⁻¹ = S),
    - one involutional P-box (i.e. P⁻¹ = P),
    - the same round keys;
  - simple elementary operations:
    - modulo 2 sum,
    - addition,
    - subtraction,
    - shifts;

• Implementation – efficient in software and hardware.


Data processing path

Fig. 1. One round of the PP-1 (i = 1, 2, ..., r)

[Diagram labels: Round #i; n-bit x_i, v_i and y_i; round keys k_i' = k_{2i–1} and k_i'' = k_{2i}; a row of 64-bit elements NL; permutation P.]

Fig. 2. Nonlinear element NL (j = 1, 2, ..., t)

[Diagram labels: NL #j; 64-bit x_{i,j}, v_{i,j}, k_{i,j}' and k_{i,j}''; eight 8-bit S-boxes S.]

Remarks:
• data blocks of n = t∙64 bits are processed in r rounds (t = 1, 2, 3, ...),
• two n-bit round keys k_i' = k_{2i–1} and k_i'' = k_{2i} are used in round i.


64-bit variant of PP-1

Fig. 3. Encryption and decryption performed by PP-1 (n = 64)

[Diagram labels: 64-bit m/c and 64-bit c/m; Round #1, Rounds #2 to #10 and Output transformation; layers of eight 8-bit S-boxes S; 64-bit permutation P; round keys k_1 = k_{1,1}||k_{1,2}||...||k_{1,8}, k_2 = k_{2,1}||k_{2,2}||...||k_{2,8}, k_21 = k_{21,1}||k_{21,2}||...||k_{21,8} and k_22 = k_{22,1}||k_{22,2}||...||k_{22,8}, together with the alternatives / k_22, / k_21, / k_2 and / k_1.]


Round key scheduling

Fig. 4. One iteration of key scheduling (i = 0, 1, ..., 2r)

[Diagram labels: Iteration #i; X_i, K_i, V_i, Y_i, k_i; a row of 64-bit elements KS; function E; e_i; RR(e_i); annotation "depends on k".]

Fig. 5. KS − the main part of an iteration (j = 1, 2, ..., t)

[Diagram labels: KS #j; 64-bit X_{i,j}, K_{i,j} and V_{i,j}; 8-bit S-boxes S.]

Remarks:
• the cipher key k for the PP-1 algorithm is a sequence of n or 2n bits,
• the round keys k_1, k_2, ..., k_2r are produced on outputs of iterations #1 to #2r.


Details of round key scheduling

Remarks:
• the value of function E is equal to the XOR of the 4 MSBs of the two leftmost S-boxes,
• entry X_0 of iteration #0 is supplied by the n-bit constant B,
• inputs K_i depend on cipher key k: n-bit or 2n-bit (k = kH||kL).

Entry X_0:

X_0 = B = B_1||B_2||...||B_t

where 64-bit B_1 = 912B4769B2496E7C,

B_j = Prm(B_{j–1}) for j = 2, 3, ..., t,

Prm is calculated for nBb = 64 and nSb = 8.

Inputs K_i:

K_0 = k if |k| = n, kH if |k| = 2n

K_1 = 0_n if |k| = n, kL if |k| = 2n

A takes one of the values 0_n and 1_n, chosen by the key length (|k| = n or |k| = 2n)

K_2 = RL(B (A(K_0 K_1)))

K_i = RL(K_{i−1}) for i = 3, 4, ..., 2r

Function E:

e_i = E(b_1b_2...b_n) = (b_1 ⊕ b_9)(b_2 ⊕ b_10)(b_3 ⊕ b_11)(b_4 ⊕ b_12)

for V_i = b_1b_2...b_n, where b_1 is the MSB.


Involutional substitution S

Fig. 6. Involutional 8×8-bit S-box S

Example: S(6F) = DA, S(DA) = 6F

H\L | 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
----+------------------------------------------------
 0  | 9E BC C3 82 A2 7E 41 5A 51 36 3F AC E3 68 2D 2A
 1  | EB 9B 1B 35 DC 1E 56 A5 B2 74 34 12 D5 64 15 DD
 2  | B6 4B 8E FB CE E9 D9 A1 6E DB 0F 2C 2B 0E 91 F1
 3  | 59 D7 3A F4 1A 13 09 50 A9 63 32 F5 C9 CC AD 0A
 4  | 5B 06 E6 F7 47 BF BE 44 67 7B B7 21 AF 53 93 FF
 5  | 37 08 AE 4D C4 D1 16 A4 D6 30 07 40 8B 9D BB 8C
 6  | EF 81 A8 39 1D D4 7A 48 0D E2 CA B0 C7 DE 28 DA
 7  | 97 D2 F2 84 19 B3 B9 87 A7 E4 66 49 95 99 05 A3
 8  | EE 61 03 C2 73 F3 B8 77 E0 F8 9C 5C 5F BA 22 FA
 9  | F0 2E FE 4E 98 7C D3 70 94 7D EA 11 8A 5D 00 EC
 A  | D8 27 04 7F 57 17 E5 78 62 38 AB AA 0B 3E 52 4C
 B  | 6B CB 18 75 C0 FD 20 4A 86 76 8D 5E 01 ED 46 45
 C  | B4 FC 83 02 54 D0 DF 6C CD 3C 6A B1 3D C8 24 E8
 D  | C5 55 71 96 65 1C 58 31 A0 26 6F 29 14 1F 6D C6
 E  | 88 F9 69 0C 79 A6 42 F6 CF 25 9A 10 9F BD 80 60
 F  | 90 2F 72 85 33 3B E7 43 89 E1 8F 23 C1 B5 92 4F

Method:
• generated using multiplicative inverse procedure, similar to AES,
• processed to remove existence of affine transformations between component Boolean functions.

Parameters:
• nonlinearity – 110 (maxTA = 18),
• 2nd maximum XOR DDT value – 4 (maxTD = 4).


Involutional permutation P

Fig. 7. Bit mappings of involutional bit permutation P and their illustration (n = 64)

bit    |  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
P(bit) | 10 15 18 31 26 47 34 63 42  1 50 17 58 33  2 49

bit    | 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
P(bit) | 12  3 20 19 28 35 36 51 44  5 52 21 60 37  4 53

bit    | 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
P(bit) | 14  7 22 23 30 39 38 55 46  9 54 25 62 41  6 57

bit    | 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
P(bit) | 16 11 24 27 32 43 40 59 48 13 56 29 64 45  8 61

[Illustration: the positions 1, 2, ..., 64 of IN connected to the positions 1, 2, ..., 64 of OUT.]

Fig. 8. P for 8×8 bit matrices (n = 64)

a1 a2 a3 a4 a5 a6 a7 a8          b2 b7 c2 d7 d2 f7 e2 h7
b1 b2 b3 b4 b5 b6 b7 b8          f2 a1 g2 c1 h2 e1 a2 g1
c1 c2 c3 c4 c5 c6 c7 c8          b4 a3 c4 c3 d4 e3 e4 g3
d1 d2 d3 d4 d5 d6 d7 d8   =P=>   f4 a5 g4 c5 h4 e5 a4 g5
e1 e2 e3 e4 e5 e6 e7 e8          b6 a7 c6 c7 d6 e7 e6 g7
f1 f2 f3 f4 f5 f6 f7 f8          f6 b1 g6 d1 h6 f1 a6 h1
g1 g2 g3 g4 g5 g6 g7 g8          b8 b3 c8 d3 d8 f3 e8 h3
h1 h2 h3 h4 h5 h6 h7 h8          f8 b5 g8 d5 h8 f5 a8 h5

Remarks:
• dissipates 8-bit output subblocks of S-boxes S in the n-bit block of a round,
• can be implemented by transposition of 8×8 bit matrices in processor words.


Scalable permutation P

Fig. 9. Algorithms to construct permutation P and their illustration (n = 64)

Method (n = 64):
• algorithm Prm calculates bit mappings in Prm, to dissipate 4-bit subblocks in 32-bit block,
• algorithm P calculates involutional pairs of bit mappings in 64-bit P.

[Illustration: Prm maps pno in 1, 2, ..., 32 to y in 1, 2, ..., 32; P pairs px in 1, 3, 5, ..., 63 with py in 2, 4, 6, ..., 64.]

Prm(x, nBb, nSb)   {argument, number of block bits (e.g. 64), number of S-box bits (e.g. 8)}

1. nS ← nBb div nSb            {number of S-boxes}
2. Sno ← x mod nS + 1          {S-box number (from 1)}
3. Sb ← (x − 1) div nS + 1     {S-box bit (from 1)}
4. y ← (Sno − 1) · nSb + Sb    {value of bit mapping}
5. return y

P(pno, nBb, nSb)   {pair number (from 1), number of block bits (e.g. 64), number of S-box bits (e.g. 8)}

1. y ← Prm(pno, nBb div 2, nSb div 2)   {value of Prm}
2. px ← 2 · pno − 1                     {odd argument (value) of bit mapping}
3. py ← 2 · y                           {even value (argument) of bit mapping}
4. return (px, py)
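
The Prm and P algorithms above, as an added Python example that is not part of the original slides: it builds P for n = 64, compares it with the bit mappings of Fig. 7, and goes beyond the slide by also checking the involution property for n = 128, 192 and 256. The function names and the MSB-first bit numbering in apply_p are assumptions of the example.

```python
# Added example (not from the slides): build P from the Prm / P pseudocode.
# Assumption: bit positions are numbered from 1 and bit 1 is the MSB.

def prm(x, n_bb, n_sb):
    n_s = n_bb // n_sb              # number of S-boxes
    s_no = x % n_s + 1              # S-box number (from 1)
    s_b = (x - 1) // n_s + 1        # S-box bit (from 1)
    return (s_no - 1) * n_sb + s_b  # value of bit mapping

def build_p(n_bb=64, n_sb=8):
    """Return P as a dict {position: image} over positions 1..n_bb."""
    p = {}
    for pno in range(1, n_bb // 2 + 1):
        px = 2 * pno - 1                          # odd position
        py = 2 * prm(pno, n_bb // 2, n_sb // 2)   # even position
        if px in p or py in p:
            raise ValueError("overlapping pairs: not a permutation")
        p[px], p[py] = py, px                     # the pair maps both ways
    return p

def is_involution(p):
    full = sorted(p) == list(range(1, len(p) + 1))
    return full and all(p[p[x]] == x for x in p)

def apply_p(block, p):
    """Permute an integer block: output bit i takes input bit P(i)."""
    n = len(p)
    out = 0
    for i in range(1, n + 1):
        out |= ((block >> (n - p[i])) & 1) << (n - i)
    return out

def sbox_spread(p, n_sb=8):
    """Per S-box, how many distinct S-boxes receive its output bits."""
    targets = {}
    for pos, img in p.items():
        targets.setdefault((pos - 1) // n_sb, set()).add((img - 1) // n_sb)
    return [len(targets[b]) for b in sorted(targets)]

# Bit mappings of Fig. 7 (n = 64), copied from the slide for comparison.
FIG7 = [10, 15, 18, 31, 26, 47, 34, 63, 42, 1, 50, 17, 58, 33, 2, 49,
        12, 3, 20, 19, 28, 35, 36, 51, 44, 5, 52, 21, 60, 37, 4, 53,
        14, 7, 22, 23, 30, 39, 38, 55, 46, 9, 54, 25, 62, 41, 6, 57,
        16, 11, 24, 27, 32, 43, 40, 59, 48, 13, 56, 29, 64, 45, 8, 61]

if __name__ == "__main__":
    p64 = build_p()
    print("matches Fig. 7:", [p64[i] for i in range(1, 65)] == FIG7)
    print("involution for n = 64, 128, 192, 256:",
          [is_involution(build_p(n)) for n in (64, 128, 192, 256)])
    print("S-boxes reached per S-box:", sbox_spread(p64))
```

For n = 64 the eight output bits of every S-box land in six different S-boxes, and P has no fixed points.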


Differential and Linear Approximation

Fig. 10. Differential and linear approximation of function f : {0,1}^n → {0,1}^m

[Diagram labels: f; X and X' (n bits); Y and Y' (m bits); p.]

Differential approximation:

f(X) ⊕ f(X ⊕ X') = Y'

X' ∈ {0,..,2^n–1}, Y' ∈ {0,..,2^m–1}

p = N(X',Y') / 2^n

effectiveness of differential approximation: p

Linear approximation:

Y[Y'] = X[X'], where Y[Y'] = ⊕(i ∈ Y') y_i and X[X'] = ⊕(j ∈ X') x_j

X' ⊆ {1,..,n}, Y' ⊆ {1,..,m}

p = N(X',Y') / 2^n

effectiveness of linear approximation: |Δp| = |p – 1/2|


Approximation Tables

Fig. 11. Function f: {0,1}^4 → {0,1}^2 and its approximation tables TDf and TAf

TDf[X', Y'] = N(X', Y')

TAf[X', Y'] = ΔN(X', Y') = N(X', Y') − 2^(n−1)

(f)             (TDf)                     (TAf)
                      Y'                        Y'
 X  Y=f(X)      X'    0   1   2   3      X'     0   1   2   3
 0    3          0   16   0   0   0       0     8  −2  −1   1
 1    3          1   10   0   2   4       1     0  −2   1  −1
 2    3          2    6   0   2   8       2     0   0   1   1
 3    0          3    6   0   2   8       3     0   0   3  −1
 4    1          4    2   8   6   0       4     0   0  −1   7
 5    3          5    2   8   6   0       5     0   0  −3   1
 6    1          6    0   2  12   2       6     0   2   1  −1
 7    1          7    2   4  10   0       7     0   2  −1   1
 8    0          8    4   2   0  10       8     0  −4   1   1
 9    0          9    2   0   2  12       9     0   0  −1  −1
10    3         10    8   2   0   6      10     0  −2  −5   1
11    3         11    8   2   0   6      11     0   2   1  −1
12    1         12    0   6   8   2      12     0   2  −3  −1
13    2         13    0   6   8   2      13     0  −2  −1   1
14    2         14    2   8   6   0      14     0  −4  −1  −1
15    2         15    2  12   2   0      15     0   0   1   1

maxTD = max{TDf[X', Y'] : X' 0 Y' 0} maxTA = max{|TAf[X', Y']| : X' Y' }
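
An added example, not part of the original slides, that recomputes TDf and TAf for the function f of Fig. 11 from the definitions above. It assumes X' and Y' act as bit masks in the linear case and that only the entry X' = Y' = 0 is excluded when taking the maxima; the function names are the example's own.

```python
# Added example (not from the slides): approximation tables of Fig. 11.
# Assumption: X' and Y' in the linear table are bit masks, so X[X'] is the
# parity of X & X' and Y[Y'] is the parity of Y & Y'.

F_FIG11 = [3, 3, 3, 0, 1, 3, 1, 1, 0, 0, 3, 3, 1, 2, 2, 2]  # Y = f(X), n = 4, m = 2

def parity(v):
    return bin(v).count("1") & 1

def td_table(f, m):
    """TD[X'][Y'] = number of X with f(X) xor f(X xor X') = Y'."""
    size = len(f)
    td = [[0] * (1 << m) for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            td[dx][f[x] ^ f[x ^ dx]] += 1
    return td

def ta_table(f, m):
    """TA[X'][Y'] = N(X', Y') - 2^(n-1), N counting X with Y[Y'] = X[X']."""
    size = len(f)
    half = size // 2
    ta = []
    for mx in range(size):
        row = []
        for my in range(1 << m):
            n_eq = sum(parity(x & mx) == parity(f[x] & my) for x in range(size))
            row.append(n_eq - half)
        ta.append(row)
    return ta

def max_nontrivial(table, use_abs=False):
    """Largest entry outside [0][0] (assumed exclusion, see lead-in)."""
    vals = [abs(v) if use_abs else v
            for i, row in enumerate(table) for j, v in enumerate(row) if i or j]
    return max(vals)

def best_approximations(f, m):
    """Return (p of the best differential, |delta p| of the best linear)."""
    td, ta = td_table(f, m), ta_table(f, m)
    p_diff = max_nontrivial(td) / len(f)                 # p = N / 2^n
    dp_lin = max_nontrivial(ta, use_abs=True) / len(f)   # |N/2^n - 1/2|
    return p_diff, dp_lin

if __name__ == "__main__":
    print("maxTD:", max_nontrivial(td_table(F_FIG11, 2)))
    print("maxTA:", max_nontrivial(ta_table(F_FIG11, 2), use_abs=True))
    print("p, |delta p|:", best_approximations(F_FIG11, 2))
```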


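Quality of S-box S (PP-1)

Fig. 12. Comparison of S-box S to randomly selected S-boxes (n = 8, m = 8)

maxTD \ maxTA |  30   32   34   36   38   40   42   44 | Total
--------------+----------------------------------------+------
10            |   1   48  163  119   61   15    3    0 |   410
12            |   1   58  190  177   73   21    6    2 |   528
14            |   0    5   21   14   11    3    1    1 |    56
16            |   0    0    4    1    1    0    0    0 |     6
--------------+----------------------------------------+------
Total         |   2  111  378  311  146   39   10    3 |  1000

[Chart: % of functions (0 to 20) against maxTA (30 to 44), with series labelled 10 and 16.]

[Diagram: grid of maxTA (18, ..., 30, 32, 34, 36) against maxTD (4, ..., 10, 12, 14), with S marked at maxTA = 18, maxTD = 4.]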


DES Algorithm

Fig. 13. General structure and function f of DES (IBM 1977)

c1^(j) || c2^(j) = c2^(j−1) || c1^(j−1) ⊕ f(c2^(j−1), k_j)   for j = 1, 2, ..., 15

c1^(j) || c2^(j) = c1^(j−1) ⊕ f(c2^(j−1), k_j) || c2^(j−1)   for j = 16

[Diagram labels, general structure: 32-bit m1 and m2; c1(0), c2(0), c1(1), c2(1), ..., c1(15), c2(15), c1(16), c2(16); function f in each iteration with x1, y1, k1, x2, y2, k2, ..., x16, y16, k16; c1 and c2.]

[Diagram labels, function f: 32-bit x; E; 48-bit xe; 48-bit k; si1, si2, ..., si8; S1, S2, ..., S8; so1, so2, ..., so8; P; 32-bit y.]


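Quality of S-boxes S1-S8 (DES)

Fig. 14. Comparison of S-boxes S1-S8 to randomly selected S-boxes (n = 6, m = 4)

maxTD \ maxTA |  10   12   14   16   18 | Total
--------------+-------------------------+------
12            |   0    6    5    3    0 |    14
14            |   1  144  141   33    4 |   323
16            |   1  107  255   65   12 |   440
18            |   0   24   94   41    5 |   164
20            |   0    3   28   14    2 |    47
22            |   0    3    3    4    1 |    11
24            |   0    0    0    0    1 |     1
--------------+-------------------------+------
Total         |   2  287  526  160   25 |  1000

[Chart: % of functions (0 to 30) against maxTA (10 to 18), with series labelled 12, 16, 20 and 24.]

[Diagram: grid of maxTA (10, 12, 14, 16, 18, 20) against maxTD (12, 14, 16), with the S-boxes marked in the groups S6 S2, S3 S4 S8, S1 S7 and S5.]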


Evaluation of PP-1

Fig. 15. Number r of rounds for n-bit block (s = 8, qa = 2, qp = 1)

n                |   64   128   192   256
Lower bound to r | 10.7  21.3  32.0  42.7
r                |   11    22    32    43

r ≥ (n/2 – log qp) / (s/2 – log qa)

[Diagram: comparative algorithm Sp with labels m, k and c, each of width n.]

[Relations numbered (1) to (7) in the figure, involving the terms |pa+|, |pp+|, |pi+|, qa/2^(s/2+1), qp/2^(n/2+1), (1/2)(qa/2^(s/2))^r, (qa/2^(s/2))^r and qp/2^(n/2).]


Evaluation of DES

Fig. 16. Comparative algorithm and evaluation of DES quality

                               |  r | |p+|
-------------------------------+----+-------
Comparative algorithm (qp = 1) |  1 | 1/2^33
Exact method                   | 16 | 1/2^23
Rough method                   | 64 | 1/2^33
Intermediate method            | 48 | 1/2^33

improved S1, S5, S7

[Diagram: comparative algorithm Sp with labels m, k and c, each of width 64.]

Evaluation methods:

• exact – the best nonzero linear approximation of a cipher is determined,

• rough – the best nonzero linear approximation of a cipher is assumed to be a composition of the best nonzero linear approximation of a single iteration,

• intermediate – the best zero-nonzero approximation of a cipher that fulfils approximation conditions is found.


Conclusions

• PP-1 is a new scalable block cipher that is simple, efficient and secure;

• PP-1 is intended for platforms with limited resources, especially those with a limited amount of memory;

• Because PP-1 uses only very simple arithmetic operations, the cipher can be implemented on different platforms such as smart cards, TV decoders, mobiles, etc.;

• We could not find any significant constraint in PP-1 and have not inserted any hidden weakness.