Security Analysis of Block Cipher

2002. 10. 820022057

Park, SangBae

pinnon@lycos.co.kr 2

Contents

Introduction of Boolean FunctionBlock Cipher Design Review

– Cryptanalysis Method &Provable SecurityDesign Issue

– S-box Design & Diffusion LayerExample of S-box analysisFuture Works

pinnon@lycos.co.kr 3

Introduction

Boolean Fucntion– Function from GF(2n) to GF(2m)– Generally, when m > 1, Vector-valued Boolean Fun

ction (or Vector Boolean Function)– Example

• f(x1, x2, x3) = x1 x2 + x2 x3 • Sequence of f(): 00010010

pinnon@lycos.co.kr 4

Introduction

Block Cipher as Boolean Function– Block Cipher

• F: P ⅹ K → C with F(P, K) = C• GF(2128) ⅹ GF(2128) → GF(2128)

– Round Function• f: Pi ⅹ Ki → Ci with F(Pi, Ki) = Ci

• GF(264) ⅹ GF(264) → GF(264)

– S-box• s: Ini ⅹ ki → Outi with F(Ini, ki) = Outi

• GF(28) ⅹ GF(28) → GF(28)

pinnon@lycos.co.kr 5

Basic Properties

Representation– The Algebraic Normal Form

• Well known representation• ex) x1 x2 + x3 x1

– The Sequence of Given function• Value of given Boolean function• ex) 00010010

– The Walsh-Hadamard Transform• The correlation value to linear functions• ex) 2 0 -2 0 0 2 0 -2

pinnon@lycos.co.kr 6

Basic Properties

Balancedness– Hamming weight of given sequence

Nonlinear Order– Algebraic Nonlinear Order (Not Robust)

Completeness– Every input bit affect to the outptu bit

pinnon@lycos.co.kr 7

Basic Properties

Nonlinearity– minimum Hamming distance to linear functions

Correlation– autocorrelation– cross correlation

Propagation Criterion (including SAC)– can be guaranteed by high nonlinearity– diffusion property

pinnon@lycos.co.kr 8

Cryptanalysis Methods

Differential CryptanalysisLinear CryptanalysisInterpolation AttackSquare Attack

pinnon@lycos.co.kr 9

Differential Cryptanalysis

General– The First Attack against full round DES– Using the biased distribution of XOR pairs

f(S-Box)

Uniform

Uniform

Uniform

Uniform

f(S-Box)

= Input XOR(Uniform)

= Output XOR(Biased)

pinnon@lycos.co.kr 10

Differential Cryptanalysis

Difference Distribution Table– number of pairs satisfying given Input, output XOR

0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx

Output XORInputXOR

0x 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

1x 0 0 0 6 0 2 4 4 0 1012 4 10 6 2 4

3Fx 4 8 4 2 4 0 2 4 4 2 4 8 8 6 2 2

……

pinnon@lycos.co.kr 11

Differential Cryptanalysis

Example of 2 round characteristic

P = 00 80 82 00 60 00 00 00x

F

F

T = 60 00 00 00 00 00 00 00x

p = 14/64

p = 1

60 00 00 00x00 80 82 00x

00

pinnon@lycos.co.kr 12

Differential Cryptanalysis

Research Issue– Cryptanalysis

• How to find a characteristic with high probability

– Cryptography• How to construct secure S-Boxes• Markov Cipher• Boolean Function

– Nonlinearity– Propagation criteria– Bent function– Vector-valued Boolean function

pinnon@lycos.co.kr 13

Provable Security

Main Idea– Approach in the view of differential– Provable Security against DC and LC

• KN-Cipher – Lars R. Knudsen, Kaisa Nyberg– Round Function : g(x) = x3 in GF(233)

• MISTY– Mitsuru Matsui– Recursive Structure– Modified Feistel Network

pinnon@lycos.co.kr 14

Provable Security

Characteristic– Fixed Path

P

F

F

F

T

a1b1

a2b2

a3b3

p1

p2

p3

p = pi

pinnon@lycos.co.kr 15

Provable Security

Differential– Consider all possible path

P

F

F

F

T

a1ib1i

a2jb2j

a3kb3k

p1i

p2j

p3k

p = (p1i p2j p2j)

pinnon@lycos.co.kr 16

Provable Security

Recursive Structure of MISTY1

FO

FO

FO

32 32

FI

FI

FI

S9

16 16 9 7

S7

S7

pinnon@lycos.co.kr 17

Practical Security

The Wide Trail Strategy– Design the round transformation in such a way that

only trails with many S-boxes occur– Maximize the number of Active S-boxes– Branch Number B(f) = minx0(wh(x) + wh(f(x)))– SQUARE

• following the Wide Trail Strategy • MDS (Maximal Distance Separable) code

– Maximum Branch number• Self-reciprocal structure

pinnon@lycos.co.kr 18

Recent Block Ciphers

CAST Diffusion Effects– 8 32 S-box

<<

S1 S2 S3 S4

pinnon@lycos.co.kr 19

Recent Block Ciphers

CRYPTON SEED Diffusion Transform

pinnon@lycos.co.kr 20

Recent Block Ciphers

E2 Round Function (SPS-Structure)

S

P

S

Round key

Round key

pinnon@lycos.co.kr 21

S-box Construction

Simulation– DES

Combination of Boolean Function– CAST

Vector-valued Boolean Function– KN-Cipher, SEED, AES

Small Feistel Network– MISTY, Crypton

pinnon@lycos.co.kr 22

Diffusion Layer

Perfect S-box cannot guarantee the security of round function– 8 32 S-box– Wide Trail Strategy (using a MDS code)– SPS Structure

pinnon@lycos.co.kr 23

Project Progress

Boolean function analysis library– Three Representation

• sequence• algebraic normal form• Walsh-Hadamard

– Hamming Weight– Nonlinearity– Autocorrelation

Review recent block cipher algorithm and cryptanalysis methods

pinnon@lycos.co.kr 24

Project Progress

DES S-box (S1)– The first bit

• Algebraic Normal Form1 + x1 + x2 + x1 x2 x3 + x4 + x3 x4 + x1 x3 x4 + x2 x3 x4 + x5 + x4

x5 + x3 x4 x5 + x6 + x2 x6 + x3 x6 + x1 x3 x6 + x2 x4 x6 + x3 x4 x6 + x1 x3 x4 x6 + x2 x3 x4 x6 + x1 x2 x5 x6 + x3 x5 x6 + x1 x3 x5 x6 + x2 x3 x5 x6 + x4 x5 x6 + x1 x2 x4 x5 x6 + x3 x4 x5 x6 + x1 x3 x4 x5 x6

• Nonlinearity : 18• Hamming Weight : 32• Sequence :

1 0 0 1 1 0 0 0 0 1 1 0 1 1 1 0 0 1 1 0 0 1 1 1 0 1 1 0 0 0 0 10 1 0 1 1 1 1 0 1 0 0 1 0 0 1 0 1 0 1 1 1 0 0 1 0 1 1 0 0 0 0 1

pinnon@lycos.co.kr 25

Project Progress

DES S-box (S1)– The first bit

• W-H Sequence :0 0 4 4 -4 4 0 8 -8 0 -4 -12 4 4 8 -80 -8 -12 -4 4 20 8 -24 8 8 -4 -4 -4 4 0 80 0 -4 12 4 -4 0 8 8 0 4 -4 -4 -4 -8 -80 -8 -4 -12 -4 -4 8 8 8 -8 4 -28 -12 -4 0 -8

• Autocorrelation : 64 -32 -24 24 0 0 -8 8 0 -8 0 -16 -24 24 8 -16-32 24 8 -8 0 0 8 0 -8 0 0 16 24 -24 -16 8 0

0 8 -16 -24 32 16 -16 24 -16 -8 8 -8 8 -8 0 0 0 -8 16 24 -32 -16 16 -32 24 16 -16 0 0 16 -8

pinnon@lycos.co.kr 26

Future Works

Security analysis of block ciphers consisting of Boolean function of low algebraic order

Implement S-box Analysis Tools using current library

pinnon@lycos.co.kr 27

QnA