Scalable Involutional PP-1 Block Cipher for Limited Resources
K. Chmiel, A. Grocholewska-Czuryło, J. Stokłosa
Poznan University of Technology, Institute of Control and Information Engineering, Poznan, Poland
Mar 31, 2015
10-12.06.2010 Scalable Involutional PP-1 Block Cipher for Limited Resources CECC 2010 © Krzysztof Chmiel
Basic assumptions of the PP-1 cipher project
• Scalability – extendable data block size and key size;
• Resources – limited (small memory, simple processor);
  - the same resources for encryption and decryption:
    - one involutional S-box (i.e. S^−1 = S),
    - one involutional P-box (i.e. P^−1 = P),
    - the same round keys;
  - simple elementary operations:
    - modulo 2 sum,
    - addition,
    - subtraction,
    - shifts;
• Implementation – efficient in software and hardware.
Data processing path
Fig. 1. One round of the PP-1 (i = 1, 2, ..., r)
[Figure not reproduced. Labels: round #i with n-bit xi, round keys ki' = k2i–1 and ki'' = k2i, nonlinear elements NL on 64-bit subblocks, n-bit vi, permutation P and n-bit yi.]
Fig. 2. Nonlinear element NL (j = 1, 2, ..., t)
[Figure not reproduced. Labels: NL #j with 64-bit xi,j, ki,j', ki,j'' and vi,j, and eight 8-bit S-boxes S.]
Remarks:
• data blocks of n = t∙64 bits are processed in r rounds (t = 1, 2, 3, ...),
• two n-bit round keys ki' = k2i–1 and ki'' = k2i are used in round i.
64-bit variant of PP-1
Fig. 3. Encryption and decryption performed by PP-1 (n = 64)
[Figure not reproduced. Labels: 64-bit input m/c and output c/m; Round #1, Rounds #2 to #10 and Output transformation, drawn with 8-bit S-boxes S and permutation P; round keys k1 = k1,1||k1,2||...||k1,8, k2 = k2,1||k2,2||...||k2,8, k21 = k21,1||k21,2||...||k21,8 and k22 = k22,1||k22,2||...||k22,8, with the alternatives / k22, / k21, / k2 and / k1 marked beside them.]
Round key scheduling
Fig. 4. One iteration of key scheduling (i = 0, 1, ..., 2r)
[Figure not reproduced. Labels: iteration #i with n-bit Xi, Ki, Vi and Yi, elements KS on 64-bit subblocks, function E with its value ei, RR(ei) and round key ki; annotation "depends on k".]
Fig. 5. KS − the main part of an iteration (j = 1, 2, ..., t)
[Figure not reproduced. Labels: KS #j with 64-bit Xi,j, Ki,j and Vi,j, and eight 8-bit S-boxes S.]
Remarks:
• the cipher key k for the PP-1 algorithm is a sequence of n or 2n bits,
• the round keys k1, k2, ..., k2r are produced on outputs of iterations #1 to #2r.
Details of round key scheduling
Remarks:
• the value of function E is equal to the XOR of the 4 MSBs of the two leftmost S-boxes,
• entry X0 of iteration #0 is supplied by the n-bit constant B,
• inputs Ki depend on the cipher key k: n-bit or 2n-bit (k = kH||kL).

Entry X0:
X0 = B = B1||B2||...||Bt
where 64-bit B1 = 912B4769B2496E7C,
Bj = Prm(Bj–1) for j = 2, 3, ..., t,
Prm is calculated for nBb = 64 and nSb = 8.

Inputs Ki:
K0 = k if the key k has n bits, kH if it has 2n bits
K1 = 0^n if the key k has n bits, kL if it has 2n bits
K2 = RL(B (A(K0 K1)))
A is one of 0^n and 1^n, selected by the key length (n or 2n bits)
Ki = RL(Ki−1) for i = 3, 4, ..., 2r

Function E:
ei = E(b1b2...bn) = (b1 ⊕ b9)(b2 ⊕ b10)(b3 ⊕ b11)(b4 ⊕ b12)
for Vi = b1b2...bn, where b1 is the MSB.
Involutional substitution S
Fig. 6. Involutional 8×8-bit S-box S, e.g. S(6F) = DA, S(DA) = 6F (rows H = high nibble, columns L = low nibble)

H\L |  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
----+------------------------------------------------
 0  | 9E BC C3 82 A2 7E 41 5A 51 36 3F AC E3 68 2D 2A
 1  | EB 9B 1B 35 DC 1E 56 A5 B2 74 34 12 D5 64 15 DD
 2  | B6 4B 8E FB CE E9 D9 A1 6E DB 0F 2C 2B 0E 91 F1
 3  | 59 D7 3A F4 1A 13 09 50 A9 63 32 F5 C9 CC AD 0A
 4  | 5B 06 E6 F7 47 BF BE 44 67 7B B7 21 AF 53 93 FF
 5  | 37 08 AE 4D C4 D1 16 A4 D6 30 07 40 8B 9D BB 8C
 6  | EF 81 A8 39 1D D4 7A 48 0D E2 CA B0 C7 DE 28 DA
 7  | 97 D2 F2 84 19 B3 B9 87 A7 E4 66 49 95 99 05 A3
 8  | EE 61 03 C2 73 F3 B8 77 E0 F8 9C 5C 5F BA 22 FA
 9  | F0 2E FE 4E 98 7C D3 70 94 7D EA 11 8A 5D 00 EC
 A  | D8 27 04 7F 57 17 E5 78 62 38 AB AA 0B 3E 52 4C
 B  | 6B CB 18 75 C0 FD 20 4A 86 76 8D 5E 01 ED 46 45
 C  | B4 FC 83 02 54 D0 DF 6C CD 3C 6A B1 3D C8 24 E8
 D  | C5 55 71 96 65 1C 58 31 A0 26 6F 29 14 1F 6D C6
 E  | 88 F9 69 0C 79 A6 42 F6 CF 25 9A 10 9F BD 80 60
 F  | 90 2F 72 85 33 3B E7 43 89 E1 8F 23 C1 B5 92 4F

Method:
• generated using multiplicative inverse procedure, similar to AES,
• processed to remove existence of affine transformations between component Boolean functions.
Parameters:
• nonlinearity – 110 (maxTA = 18),
• 2nd maximum XOR DDT value – 4 (maxTD = 4).
Involutional permutation P

a1 a2 a3 a4 a5 a6 a7 a8         b2 b7 c2 d7 d2 f7 e2 h7
b1 b2 b3 b4 b5 b6 b7 b8         f2 a1 g2 c1 h2 e1 a2 g1
c1 c2 c3 c4 c5 c6 c7 c8         b4 a3 c4 c3 d4 e3 e4 g3
d1 d2 d3 d4 d5 d6 d7 d8   =>    f4 a5 g4 c5 h4 e5 a4 g5
e1 e2 e3 e4 e5 e6 e7 e8    P    b6 a7 c6 c7 d6 e7 e6 g7
f1 f2 f3 f4 f5 f6 f7 f8         f6 b1 g6 d1 h6 f1 a6 h1
g1 g2 g3 g4 g5 g6 g7 g8         b8 b3 c8 d3 d8 f3 e8 h3
h1 h2 h3 h4 h5 h6 h7 h8         f8 b5 g8 d5 h8 f5 a8 h5

Fig. 8. P for 8×8 bit matrices (n = 64)

Remarks:
• dissipates 8-bit output subblocks of S-boxes S in the n-bit block of a round,
• can be implemented by transposition of 8×8 bit matrices in processor words.

OUT |  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
IN  | 10 15 18 31 26 47 34 63 42  1 50 17 58 33  2 49
OUT | 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
IN  | 12  3 20 19 28 35 36 51 44  5 52 21 60 37  4 53
OUT | 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
IN  | 14  7 22 23 30 39 38 55 46  9 54 25 62 41  6 57
OUT | 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
IN  | 16 11 24 27 32 43 40 59 48 13 56 29 64 45  8 61

[Illustration not reproduced: two rows of bit positions 1, 2, ..., 64 joined by the mappings.]
Fig. 7. Bit mappings of involutional bit permutation P and their illustration (n = 64)
Scalable permutation P
Fig. 9. Algorithms to construct permutation P and their illustration (n = 64)
Method (n = 64):
• algorithm Prm calculates bit mappings in Prm, to dissipate 4-bit subblocks in 32-bit block,
• algorithm P calculates involutional pairs of bit mappings in 64-bit P.
[Illustration not reproduced: Prm maps pno = 1, 2, ..., 32 to y = 1, 2, ..., 32; P pairs odd positions px = 1, 3, ..., 63 with even positions py = 2, 4, ..., 64.]

Prm(x, nBb, nSb) {argument, number of block bits (e.g. 64), number of S-box bits (e.g. 8)}
1. nS ← nBb div nSb {number of S-boxes}
2. Sno ← x mod nS + 1 {S-box number (from 1)}
3. Sb ← (x − 1) div nS + 1 {S-box bit (from 1)}
4. y ← (Sno − 1) · nSb + Sb {value of bit mapping}
5. return y

P(pno, nBb, nSb) {pair number (from 1), number of block bits (e.g. 64), number of S-box bits (e.g. 8)}
1. y ← Prm(pno, nBb div 2, nSb div 2) {value of Prm}
2. px ← 2 · pno − 1 {odd argument (value) of bit mapping}
3. py ← 2 · y {even value (argument) of bit mapping}
4. return (px, py)
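The two algorithms above, as a runnable Python sketch that rebuilds the 64-bit table and compares it with the mapping of Fig. 7. This is an added example, not code from the slides: the function names, the bit convention in `apply_p` (bit 1 is the MSB, output bit i takes input bit table[i]) and the use of nSb = 8 for a 128-bit block are assumptions.

```python
def prm(x, nBb, nSb):
    """Prm of Fig. 9: 1-based bit mapping that spreads S-box bits over the block."""
    nS = nBb // nSb              # number of S-boxes
    Sno = x % nS + 1             # S-box number (from 1)
    Sb = (x - 1) // nS + 1       # S-box bit (from 1)
    return (Sno - 1) * nSb + Sb  # value of the bit mapping

def p_pair(pno, nBb, nSb):
    """P of Fig. 9: the pno-th involutional pair (odd position, even position)."""
    y = prm(pno, nBb // 2, nSb // 2)
    return 2 * pno - 1, 2 * y

def build_p(nBb=64, nSb=8):
    """Full 1-based mapping table; index 0 is unused."""
    table = [0] * (nBb + 1)
    for pno in range(1, nBb // 2 + 1):
        px, py = p_pair(pno, nBb, nSb)
        table[px], table[py] = py, px   # each pair maps both ways
    return table

def apply_p(block, table):
    """Permute an integer block (assumed convention: bit 1 is the MSB)."""
    n = len(table) - 1
    out = 0
    for i in range(1, n + 1):
        out |= ((block >> (n - table[i])) & 1) << (n - i)
    return out

def is_involution(table):
    return all(table[table[i]] == i for i in range(1, len(table)))

# Mapping of Fig. 7 (n = 64), copied from the slide for comparison.
FIG7 = [10, 15, 18, 31, 26, 47, 34, 63, 42, 1, 50, 17, 58, 33, 2, 49,
        12, 3, 20, 19, 28, 35, 36, 51, 44, 5, 52, 21, 60, 37, 4, 53,
        14, 7, 22, 23, 30, 39, 38, 55, 46, 9, 54, 25, 62, 41, 6, 57,
        16, 11, 24, 27, 32, 43, 40, 59, 48, 13, 56, 29, 64, 45, 8, 61]

if __name__ == "__main__":
    P64 = build_p()
    print("matches Fig. 7:", P64[1:] == FIG7, "involution:", is_involution(P64))
    m = 0x0123456789ABCDEF  # constructed sample block
    print(hex(apply_p(m, P64)), hex(apply_p(apply_p(m, P64), P64)))
```

Because every pair is written in both directions, the same table serves encryption and decryption, which is the property the design relies on.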
Differential and Linear Approximation
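Fig. 10. Differential and linear approximation of function f : {0,1}^n → {0,1}^m
[Figure not reproduced. Labels: block f with input X and output Y, X' (n bits), Y' (m bits) and probability p.]

Differential approximation:
f(X) ⊕ f(X ⊕ X') = Y'
X' ∈ {0,..,2^n–1}, Y' ∈ {0,..,2^m–1}
p = N(X',Y') / 2^n

Linear approximation:
Y[Y'] = X[X'], where X[X'] is the XOR of the bits xj for j ∈ X' and Y[Y'] is the XOR of the bits yi for i ∈ Y'
X' ⊆ {1,..,n}, Y' ⊆ {1,..,m}
p = N(X',Y') / 2^n
|p| = | p – 1/2 |

Figure labels: effectiveness of differential approximation, effectiveness of linear approximation.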
Approximation Tables
Fig. 11. Function f: {0,1}^4 → {0,1}^2 and its approximation tables TDf and TAf
TDf[X', Y'] = N(X', Y')
TAf[X', Y'] = N(X', Y') = N(X', Y') - 2^(n-1)

        (f)      |        (TDf), Y'       |       (TAf), Y'
  X    Y=f(X)    |  X'    0   1   2   3   |  X'    0   1   2   3
-----------------+------------------------+----------------------
  0      3       |   0   16   0   0   0   |   0    8   2   1   1
  1      1       |   1   10   0   2   4   |   1    0   2   1   1
  2      3       |   2    6   0   2   8   |   2    0   0   1   1
  3      0       |   3    6   0   2   8   |   3    0   0   3   1
  4      1       |   4    2   8   6   0   |   4    0   0   1   7
  5      3       |   5    2   8   6   0   |   5    0   0   3   1
  6      1       |   6    0   2  12   2   |   6    0   2   1   1
  7      1       |   7    2   4  10   0   |   7    0   2   1   1
  8      0       |   8    4   2   0  10   |   8    0   4   1   1
  9      0       |   9    2   0   2  12   |   9    0   0   1   1
 10      3       |  10    8   2   0   6   |  10    0   2   5   1
 11      3       |  11    8   2   0   6   |  11    0   2   1   1
 12      1       |  12    0   6   8   2   |  12    0   2   3   1
 13      2       |  13    0   6   8   2   |  13    0   2   1   1
 14      2       |  14    2   8   6   0   |  14    0   4   1   1
 15      2       |  15    2  12   2   0   |  15    0   0   1   1

maxTD = max{TDf[X', Y'] : X' 0 Y' 0}
maxTA = max{|TAf[X', Y']| : X' Y' }
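Applying these table definitions to the 8×8 S-box S of Fig. 6 gives a way to recompute the parameters quoted for it (involution, maxTD, maxTA, nonlinearity). The following is an added example, not code from the slides: the function names are hypothetical, and the maxima are taken over nonzero input differences and nonzero output masks, which is an assumption about how the trivial entries are excluded.

```python
from collections import Counter
# Rows of Fig. 6 as printed on the slide: row = high nibble, column = low nibble.
ROWS = """
9E BC C3 82 A2 7E 41 5A 51 36 3F AC E3 68 2D 2A
EB 9B 1B 35 DC 1E 56 A5 B2 74 34 12 D5 64 15 DD
B6 4B 8E FB CE E9 D9 A1 6E DB 0F 2C 2B 0E 91 F1
59 D7 3A F4 1A 13 09 50 A9 63 32 F5 C9 CC AD 0A
5B 06 E6 F7 47 BF BE 44 67 7B B7 21 AF 53 93 FF
37 08 AE 4D C4 D1 16 A4 D6 30 07 40 8B 9D BB 8C
EF 81 A8 39 1D D4 7A 48 0D E2 CA B0 C7 DE 28 DA
97 D2 F2 84 19 B3 B9 87 A7 E4 66 49 95 99 05 A3
EE 61 03 C2 73 F3 B8 77 E0 F8 9C 5C 5F BA 22 FA
F0 2E FE 4E 98 7C D3 70 94 7D EA 11 8A 5D 00 EC
D8 27 04 7F 57 17 E5 78 62 38 AB AA 0B 3E 52 4C
6B CB 18 75 C0 FD 20 4A 86 76 8D 5E 01 ED 46 45
B4 FC 83 02 54 D0 DF 6C CD 3C 6A B1 3D C8 24 E8
C5 55 71 96 65 1C 58 31 A0 26 6F 29 14 1F 6D C6
88 F9 69 0C 79 A6 42 F6 CF 25 9A 10 9F BD 80 60
90 2F 72 85 33 3B E7 43 89 E1 8F 23 C1 B5 92 4F
"""
SBOX = bytes.fromhex("".join(ROWS.split()))

def max_td(s):
    """maxTD: largest count N(X', Y') of XOR differences, over X' != 0."""
    return max(max(Counter(s[x] ^ s[x ^ dx] for x in range(256)).values())
               for dx in range(1, 256))

def max_ta(s):
    """maxTA: largest |N(X', Y') - 2^(n-1)| over output masks Y' != 0, n = 8."""
    best = 0
    for mask in range(1, 256):
        # +1 where the masked output bits have even parity, -1 where odd
        w = [1 - 2 * (bin(s[x] & mask).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:  # fast Walsh-Hadamard transform over all input masks
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(abs(v) for v in w) // 2)  # N - 128 = W / 2
    return best

def report(s=SBOX):
    ta = max_ta(s)
    return {"involution": all(s[s[x]] == x for x in range(256)),
            "fixed_points": sum(s[x] == x for x in range(256)),
            "maxTD": max_td(s), "maxTA": ta, "nonlinearity": 128 - ta}

if __name__ == "__main__":
    print(report())
```

The printed maxTD, maxTA and nonlinearity can be compared directly with the values quoted for S on the S-box slide.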
Quality of S-box S (PP-1)
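maxTD \ maxTA |  30   32   34   36   38   40   42   44 | Total
--------------+----------------------------------------+------
      10      |   1   48  163  119   61   15    3    0 |  410
      12      |   1   58  190  177   73   21    6    2 |  528
      14      |   0    5   21   14   11    3    1    1 |   56
      16      |   0    0    4    1    1    0    0    0 |    6
--------------+----------------------------------------+------
    Total     |   2  111  378  311  146   39   10    3 | 1000

[Chart not reproduced: % of functions (0 to 20) against maxTA (30 to 44), with series for maxTD from 10 to 16.]
Fig. 12. Comparison of S-box S to randomly selected S-boxes (n = 8, m = 8)
[Scale not reproduced: S is marked at maxTA = 18 and maxTD = 4, beside the values 30, 32, 34, 36 (maxTA) and 10, 12, 14 (maxTD).]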
DES Algorithm
Fig. 13. General structure and function f of DES (IBM 1977)
c1(j)||c2(j) = c2(j-1) || c1(j-1) ⊕ f(c2(j-1), kj) for j = 1, 2, ..., 15
c1(j)||c2(j) = c1(j-1) ⊕ f(c2(j-1), kj) || c2(j-1) for j = 16
[Figure not reproduced. Labels, general structure: 32-bit halves m1, m2, c1(0), c2(0), c1(1), c2(1), ..., c1(15), c2(15), c1(16), c2(16), c1, c2; function f with inputs x1, x2, ..., x16, keys k1, k2, ..., k16 and outputs y1, y2, ..., y16. Labels, function f: 32-bit x, expansion E, 48-bit xe and k, S-boxes S1 to S8 with inputs si1 to si8 and outputs so1 to so8, permutation P and 32-bit y.]
Quality of S-boxes S1-S8 (DES)
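maxTD \ maxTA |  10   12   14   16   18 | Total
--------------+-------------------------+------
      12      |   0    6    5    3    0 |   14
      14      |   1  144  141   33    4 |  323
      16      |   1  107  255   65   12 |  440
      18      |   0   24   94   41    5 |  164
      20      |   0    3   28   14    2 |   47
      22      |   0    3    3    4    1 |   11
      24      |   0    0    0    0    1 |    1
--------------+-------------------------+------
    Total     |   2  287  526  160   25 | 1000

Fig. 14. Comparison of S-boxes S1-S8 to randomly selected S-boxes (n = 6, m = 4)
[Chart not reproduced: % of functions (0 to 30) against maxTA (10 to 18), with series labelled 12, 16, 20, 24.]
[Scale not reproduced: maxTA values 10, 12, 14, 16, 18, 20 and maxTD values 12, 14, 16, with the labels S6, S2, S3, S4, S8, S1, S7, S5.]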
Evaluation of PP-1
Fig. 15. Number r of rounds for n-bit block (s = 8, qa = 2, qp = 1)

n                |   64   128   192   256
Lower bound to r | 10.7  21.3  32.0  42.7
r                |   11    22    32    43

[Figure not reproduced: comparative algorithm, a block Sp with n-bit m, k and c.]

Formulas (1) to (7):
|pa+| |pp+|
|pi+| qa / 2^(s/2+1)
|pp+| qp / 2^(n/2+1)
r ii ra pp 1 12
|pa+| (1/2)(qa / 2^(s/2))^r
(qa / 2^(s/2))^r qp / 2^(n/2)
r ≥ (n/2 – log qp) / (s/2 – log qa)
Evaluation of DES

Method                         |  r | |p+|
-------------------------------+----+-------
Comparative algorithm (qp = 1) |  1 | 1/2^33
Exact method                   | 16 | 1/2^23
Rough method                   | 64 | 1/2^33
Intermediate method            | 48 | 1/2^33

Fig. 16. Comparative algorithm and evaluation of DES quality
[Figure not reproduced: comparative algorithm, a block Sp with 64-bit m, k and c; annotation "improved S1, S5, S7".]

Evaluation methods:
• exact – the best nonzero linear approximation of a cipher is determined,
• rough – the best nonzero linear approximation of a cipher is assumed to be a composition of the best nonzero linear approximation of a single iteration,
• intermediate – the best zero-nonzero approximation of a cipher is found, that fulfils approximation conditions.
Conclusions
• PP-1 is a new scalable block cipher that is simple, efficient and secure;
• PP-1 is aimed to be used on platforms with limited resources, and especially with a limited amount of memory;
• Due to the fact that PP-1 uses only very simple arithmetic operations, the cipher can be implemented on different platforms such as smart-cards, TV decoders, mobiles, etc.;
• We could not find any significant constraint in PP-1 and have not inserted any hidden weakness.