Date post: | 02-Jan-2016 |
Category: |
Documents |
Upload: | pandora-kramer |
View: | 45 times |
Download: | 2 times |
Security Analysis of Block Cipher
2002. 10. 820022057
Park, SangBae
Contents
Introduction of Boolean FunctionBlock Cipher Design Review
– Cryptanalysis Method &Provable SecurityDesign Issue
– S-box Design & Diffusion LayerExample of S-box analysisFuture Works
Introduction
Boolean Fucntion– Function from GF(2n) to GF(2m)– Generally, when m > 1, Vector-valued Boolean Fun
ction (or Vector Boolean Function)– Example
• f(x1, x2, x3) = x1 x2 + x2 x3 • Sequence of f(): 00010010
Introduction
Block Cipher as Boolean Function– Block Cipher
• F: P ⅹ K → C with F(P, K) = C• GF(2128) ⅹ GF(2128) → GF(2128)
– Round Function• f: Pi ⅹ Ki → Ci with F(Pi, Ki) = Ci
• GF(264) ⅹ GF(264) → GF(264)
– S-box• s: Ini ⅹ ki → Outi with F(Ini, ki) = Outi
• GF(28) ⅹ GF(28) → GF(28)
Basic Properties
Representation– The Algebraic Normal Form
• Well known representation• ex) x1 x2 + x3 x1
– The Sequence of Given function• Value of given Boolean function• ex) 00010010
– The Walsh-Hadamard Transform• The correlation value to linear functions• ex) 2 0 -2 0 0 2 0 -2
Basic Properties
Balancedness– Hamming weight of given sequence
Nonlinear Order– Algebraic Nonlinear Order (Not Robust)
Completeness– Every input bit affect to the outptu bit
Basic Properties
Nonlinearity– minimum Hamming distance to linear functions
Correlation– autocorrelation– cross correlation
Propagation Criterion (including SAC)– can be guaranteed by high nonlinearity– diffusion property
Cryptanalysis Methods
Differential CryptanalysisLinear CryptanalysisInterpolation AttackSquare Attack
Differential Cryptanalysis
General– The First Attack against full round DES– Using the biased distribution of XOR pairs
f(S-Box)
Uniform
Uniform
Uniform
Uniform
f(S-Box)
= Input XOR(Uniform)
= Output XOR(Biased)
Differential Cryptanalysis
Difference Distribution Table– number of pairs satisfying given Input, output XOR
0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx
Output XORInputXOR
0x 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1x 0 0 0 6 0 2 4 4 0 1012 4 10 6 2 4
3Fx 4 8 4 2 4 0 2 4 4 2 4 8 8 6 2 2
……
Differential Cryptanalysis
Example of 2 round characteristic
P = 00 80 82 00 60 00 00 00x
F
F
T = 60 00 00 00 00 00 00 00x
p = 14/64
p = 1
60 00 00 00x00 80 82 00x
00
Differential Cryptanalysis
Research Issue– Cryptanalysis
• How to find a characteristic with high probability
– Cryptography• How to construct secure S-Boxes• Markov Cipher• Boolean Function
– Nonlinearity– Propagation criteria– Bent function– Vector-valued Boolean function
Provable Security
Main Idea– Approach in the view of differential– Provable Security against DC and LC
• KN-Cipher – Lars R. Knudsen, Kaisa Nyberg– Round Function : g(x) = x3 in GF(233)
• MISTY– Mitsuru Matsui– Recursive Structure– Modified Feistel Network
Provable Security
Characteristic– Fixed Path
P
F
F
F
T
a1b1
a2b2
a3b3
p1
p2
p3
p = pi
Provable Security
Differential– Consider all possible path
P
F
F
F
T
a1ib1i
a2jb2j
a3kb3k
p1i
p2j
p3k
p = (p1i p2j p2j)
Provable Security
Recursive Structure of MISTY1
FO
FO
FO
32 32
FI
FI
FI
S9
16 16 9 7
S7
S7
Practical Security
The Wide Trail Strategy– Design the round transformation in such a way that
only trails with many S-boxes occur– Maximize the number of Active S-boxes– Branch Number B(f) = minx0(wh(x) + wh(f(x)))– SQUARE
• following the Wide Trail Strategy • MDS (Maximal Distance Separable) code
– Maximum Branch number• Self-reciprocal structure
Recent Block Ciphers
E2 Round Function (SPS-Structure)
S
P
S
Round key
Round key
S-box Construction
Simulation– DES
Combination of Boolean Function– CAST
Vector-valued Boolean Function– KN-Cipher, SEED, AES
Small Feistel Network– MISTY, Crypton
Diffusion Layer
Perfect S-box cannot guarantee the security of round function– 8 32 S-box– Wide Trail Strategy (using a MDS code)– SPS Structure
Project Progress
Boolean function analysis library– Three Representation
• sequence• algebraic normal form• Walsh-Hadamard
– Hamming Weight– Nonlinearity– Autocorrelation
Review recent block cipher algorithm and cryptanalysis methods
Project Progress
DES S-box (S1)– The first bit
• Algebraic Normal Form1 + x1 + x2 + x1 x2 x3 + x4 + x3 x4 + x1 x3 x4 + x2 x3 x4 + x5 + x4
x5 + x3 x4 x5 + x6 + x2 x6 + x3 x6 + x1 x3 x6 + x2 x4 x6 + x3 x4 x6 + x1 x3 x4 x6 + x2 x3 x4 x6 + x1 x2 x5 x6 + x3 x5 x6 + x1 x3 x5 x6 + x2 x3 x5 x6 + x4 x5 x6 + x1 x2 x4 x5 x6 + x3 x4 x5 x6 + x1 x3 x4 x5 x6
• Nonlinearity : 18• Hamming Weight : 32• Sequence :
1 0 0 1 1 0 0 0 0 1 1 0 1 1 1 0 0 1 1 0 0 1 1 1 0 1 1 0 0 0 0 10 1 0 1 1 1 1 0 1 0 0 1 0 0 1 0 1 0 1 1 1 0 0 1 0 1 1 0 0 0 0 1
Project Progress
DES S-box (S1)– The first bit
• W-H Sequence :0 0 4 4 -4 4 0 8 -8 0 -4 -12 4 4 8 -80 -8 -12 -4 4 20 8 -24 8 8 -4 -4 -4 4 0 80 0 -4 12 4 -4 0 8 8 0 4 -4 -4 -4 -8 -80 -8 -4 -12 -4 -4 8 8 8 -8 4 -28 -12 -4 0 -8
• Autocorrelation : 64 -32 -24 24 0 0 -8 8 0 -8 0 -16 -24 24 8 -16-32 24 8 -8 0 0 8 0 -8 0 0 16 24 -24 -16 8 0
0 8 -16 -24 32 16 -16 24 -16 -8 8 -8 8 -8 0 0 0 -8 16 24 -32 -16 16 -32 24 16 -16 0 0 16 -8
Future Works
Security analysis of block ciphers consisting of Boolean function of low algebraic order
Implement S-box Analysis Tools using current library