Symmetric cryptography: scalable matrix cipher

Symmetric cryptography:scalable matrix cipher

Nguyen Dinh ThucUniversity of Science, HCMC

[email protected]

outline

• Matrix-base cipher• Advanced Encryption Standard• Scalable Substitution Matrix cipher

Matrix-base ciphermatrix cipher: introduction

• in Hill/matrix cipher, each letter is treated as a number in Z26. A block of n letters is processed as a vector of n dimensions, and multiplied by a nxn matrix, modulo 26.

• in order to decrypt, this permutation matrix must be invertible in Z26 and is considered as the cipher key

• Linearity encryption/decryption: fast but unsecure

• Scalability

Matrix-base cipher matrix cipher: properties

Matrix-base ciphermatrix cipher: key space

• let GL(d,Zm)={Adxd/A is invertible modulo m}

• |GL(d,Zp)|= i=0,…,d-1(pd – pi) where p is a prime number

• |GL(d,Zpn)|=p(n-1)d^2 i=0,…,d-1(pd – pi) where p is a

prime number• |GL(d,Zm)|= i=1,..,k(pi

(ni-1)d^2 j=0,…,d-1(pi

d – pij) where

m=p1n

1…pkn

k, pi: prime

Matrix-base ciphera symmetric cryptosystem over group Z2

n : LogSig

• Anxn: a non-singular matrix over Z2n

• B={a1,…,an /ai: ith of matrix A}: basis of Z2n

• B={a1,…,an} ={a1,…,ar1,ar1+1,…,ar1+r2,…,a(rs-1)+1,…,a(rs-1)+rs}• Let • i be a permutation on {1,…,ri}, i=1,…,s

• i be a linear combination of {a((ri-1)+1),…, a((ri-1)+ri)}, i=1,…,s and r0=1

= {1,…,s}: logarithmic signature over Z2n.

Matrix-base ciphera symmetric cryptosystem over group Z2

n : bijections

Given a logsig of type (r1,…,rs), which spanned by matrix A and permutations i, i=1,…,s

• mZ(2n

) whose the binary representation: m=(m11,…,m1r1,…,ms1,…,msrs)Z2

n (m) = (p1,…,p2) where pi is decimal value of binary

string mi1…miri, i=1,…,s (p1,…,ps)=i=1,…,r1p1ia1(i) + i=1,…,rspsias(i), where pij is

the jth of pi, i=1,…,2

Matrix-base ciphera symmetric cryptosystem over group Z2

n : factorization

Given a logsig of type (r1,…,rs), which spanned by matrix A and permutations i, i=1,…,s

• Given u Z2n , u=(u1,…,un)

• Compute v=u1xnAnxn=(v11,…,v1r1,…,vs1,…,vsrs) Z2n

• Let qi (i=1,…,s) be decimal value of binary string vii(1)…vii(ri)

(q1,…,qs) is factorization of u by

Matrix-base ciphera symmetric cryptosystem over group Z2

n : discussion

Let S be a finite set and let f be a bijection from S to S. The function f is an involution if f(f(x)) = x for all x S.

• Given two logarithmic signatures and , which are spanned by two non-singular A and B in respectively.

• When function E is involution: E(m)=m for all m Z(2n).

Advanced Encryption Standard:substitution-permutation network

S00 S01 S02 S03

S10 S11 S12 S13

S20 S21 S22 S23

S30 S31 S32 S33

in0 in4 in8 in12

in1 in5 in9 in13

in2 in6 in10 in14

in3 in7 in11 in15

AddRoundKey

SubBytes

ShiftRows

MixColumns

AddRoundKey

SubBytes

ShiftRows

AddRoundKey

xNr - 1

out0

out4

out8 out12

out1

out5

out9 out13

out2

out6

out10

out14

out3

out7

out11

out15

State S

Advanced Encryption Standard: design rationale

• two properties of operations of a secure cipher:– confusion: minimize input-output correlation– diffusion: maximize prop ratio

• wide trail strategy:– A general strategy to construct a modern secure block

cipher– base on substitution-permutation network (SPN)

which consists of multiple rounds of transformations, each of which consists of a substitution layer and a permutation layer to provide confusion and diffusion respectively

Advanced Encryption Standard: substitution layerbased on the AES S-box which is defined by the

composition of 3 operations:• inversion. The input byte to the S-Box is regarded

as an element w F, and for w 0 the output x=w-1; and 0-1=0. Where F is Rijndael field.

• GF(2)-linear mapping (affine mapping) is a linear transformation :GF(2)8 GF(2)8

• s-Box constant. The output of the GF(2)-linear mapping is regarded as an element of the Rijndael field and added to the field element 63 to produce the output of S-Box

Advanced Encryption Standard: S-BOXthe AES S-Box is actually a combination of a power

function P(x) and an affine surjection A(x): AP(x), where:

1

0

1

2

3

4

5

6

7

, 0( ) ,

0, 0

1 0 0 0 1 1 1 1 11 1 0 0 0 1 1 1 11 1 1 0 0 0 1 1 01 1 1 1 0 0 0 1 0

( )1 1 1 1 1 0 0 0 00 1 1 1 1 1 0 0 10 0 1 1 1 1 1 0 10 0 0 1 1 1 1 1 0

x xP x

x

xxxx

A xxxxx

Advanced Encryption Standard: diffusion layer

• has been designed in according with the wide trail strategy

• based on a 4x4 matrix over F used in MixColumns

• this is the parity check matrix for a maximal distance separable code, known as an MDS matrix

Advanced Encryption Standard: diffusion layer and branch number

• branch number B of a linear transformation F is defined as follows: B(F)=min{wt(a)+wt(F(a)), adom(F)\{0}} where wt is number of non-rezo elements in a given vector

• if F is defined over n-dimensional space, B(F)n+1

• if B(F)=n+1, F is considered as maximum diffusion layer

J.Daemen and V.Rijmen, AES proposal: Rijndael, AES algorithm submission , 1999. (available on Internet)

Scalable Substitution Matrix cipherstructure

• ssm is a byte-oriented block cipher.• plaintext block of a fixed length is transformed

into a corresponding cipher text block using a given key k

• cipher key is a nontrivial diffusion invertible matrix

• Encryption process consists of multiple rounds of transformations

Scalable Substitution Matrix cipherdiffusion matrix

• diffusion degree of a nxn matrix M is defined by: d(M)=minX0{wt(Xnx1)+wt(MnxnXnx1)}

• matrix M is called nontrivial diffusion matrix if d(M)>2; otherwise, M is called trivial diffusion matrix

D.H.Van, N.T.Binh. T.M.Triet, and T.N.Bao, SSM: Scalable Substitution Matrix cipher, Vietnam Journal of Science and Technology, vol.46, 2009.

Scalable Substitution Matrix cipherencryption process

• round transformation Nr=22n/2 +2, where is a branch number of the keyed linear transformation

• round transformation of round r, denoted r, consists two main steps:– Key-independent nonlinear transformation (denoted

): each byte of the state is substituted using a fixed nonlinear S-box

– Keyed linear transformation (denoted ): the whole state is linearly mixed using a matrix derived from the cipher key k

Scalable Substitution Matrix cipherschema

…

S S S S … S S S S

…

[kr]

n byte

SSM[k]=Nr-1[k]…1[k]0[k]

Scalable Substitution Matrix cipherkey independent nonlinear substitution

in SSM, all operations of are processed using a fixed S-Box constructed as follows:

• applying the affine mapping over GF(2)8 on the binary representation of x: y= 1x

• take the inverse mapping z=y-1 over GF(2)[x]/< (x)>, with 0-1=0

• apply the affine mapping over GF(2)8 on the binary representation of z: t= 2z

Bao Ngoc Tran, Thuc Dinh Nguyen, Thu Dan Tran, A New S-Box Structure to Increase Complexity of Algebraic Expression for Block Cipher Cryptosystems, icctd, vol. 2, pp.212-216, 2009 International Conference on Computer Technology and Development, 2009

1

2

1 1 0 0 0 0 0 00 1 1 0 0 0 0 00 0 1 1 0 0 0 00 0 0 1 1 0 0 00 0 0 0 1 1 0 00 0 0 0 0 1 1 00 0 0 0 0 0 1 10 0 0 0 0 0 0 1

1 0 0 0 1 1 1 11 1 0 0 0 1 1 11 1 1 0 0 0 1 11 1 1 1 0 0 0 11 1 1 1 1 0 0 00 1 1 1 1 1 0 00 0 1 1 1 1 1 00 0 0 1 1 1 1 1

Scalable Substitution Matrix cipherkeyed linear transformation

• operates on the whole state• the state is considered as an n-byte column

vector and multiplied [mod 256] an nxn matrix M

• M is cipher key, is also a nontrivial diffusion matrix

• it should be noticed that is defined over Zn256

instead of GF(28) as in the nonlinear step.

• SSM supports unlimited block length and key length.

• With non-linear substitution, SSM eliminates limitation of most matrix ciphers with only linear components.

• SSM can against differential and linear cryptanalysis

Scalable Substitution Matrix cipherconclusion

D.H.Van, N.T.Binh. T.M.Triet, and T.N.Bao, SSM: Scalable Substitution Matrix cipher, Vietnam Journal of Science and Technology, vol. 2009.