A Recursive Construction Method of S-boxes Satisfying Strict Avalanche Criterion


To appear in Proc. of CRYPTO'90.

Kwangjo Kim, Tsutomu Matsumoto, Hideki Imai
Division of Electrical and Computer Engineering, Yokohama National University
156 Tokiwadai, Hodogaya, Yokohama 240 Japan

Abstract

S(ubstitution)-boxes are quite important components of modern symmetric cryptosystems. S-boxes bring nonlinearity to cryptosystems and strengthen their cryptographic security. An S-box satisfies the strict avalanche criterion (SAC), if and only if for any single input bit of the S-box, the inversion of it changes each output bit with probability one half. We present some interesting properties of S-boxes and propose an efficient and systematic means of generating arbitrary input size bijective S-boxes satisfying the SAC by applying simple rules recursively given 3-bit input bijective S-box(es) satisfying the SAC.

1 Introduction

For the good S-box design of DES [NBS]-like cryptosystems (FEAL [MSS], LOKI [BPS], etc.) in the open cryptologic society, Kam and Davida [KD] proposed the completeness condition that each output bit depends on all input bits of the substitution. Webster and Tavares [WT] introduced the strict avalanche criterion ("SAC") in order to combine the notions of the completeness and the avalanche effect [Fe]. Moreover, Forré [Fo] discussed the Walsh spectral properties of S-boxes satisfying the SAC and extended the concept of SAC to the subfunctions obtained from the original function by keeping one or more input bits constant, in order to prevent partial approximation cryptanalysis. Lloyd [Ll] re-stated Forré's extended SAC and suggested the counting functions satisfying a higher order SAC.

Some results [GR], [Ay] were published to design S-boxes by randomly selecting from all possible reversible transformations. Recently, Pieprzyk [Pi] has proposed one construction method of S-box satisfying maximum nonlinearity (footnote 1: defined as the Hamming distance between the function in question and the set of all linear functions) by exponentiation over $GF(2^n)$.

However, in the open literature there are sparse publications concerning the systematic design methods for the generation of S-boxes satisfying the SAC. The main purpose of this paper is to suggest the properties of S-boxes satisfying the SAC and to propose the recursive construction methods of S-boxes satisfying the SAC.

2 Basic Definitions

We summarize here the formal definition of the related criteria. Let $Z$ denote the set of integers and $Z_2^n$ denote the $n$-dimensional vector space over the finite field $Z_2 = GF(2)$. Also let $\oplus$ denote the addition over $Z_2^n$, or, the bit-wise exclusive-or.

Definition 1 For a positive integer $n$, define $c_1^{(n)}, c_2^{(n)}, \ldots, c_n^{(n)} \in Z_2^n$ by
$$c_1^{(n)} = [0,0,\ldots,0,0,1], \quad c_2^{(n)} = [0,0,\ldots,0,1,0], \quad \ldots, \quad c_n^{(n)} = [1,0,\ldots,0,0,0].$$

Definition 2 (Completeness) A function $f : Z_2^n \to Z_2^m$ is complete if and only if
$$\sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) > (0,0,\ldots,0)$$
for all $i$ ($1 \le i \le n$), where both the summation and the greater-than are component-wise over $Z^m$.

This means that each output bit depends on all of the input bits. Thus, if it were possible to find the simplest Boolean expression for each output bit in terms of the input bits, each of those expressions would have to contain all of the input bits if the function is complete.

Definition 3 (Avalanche effect) A function $f : Z_2^n \to Z_2^m$ exhibits the avalanche effect if and only if
$$\sum_{x \in Z_2^n} wt\big(f(x) \oplus f(x \oplus c_i^{(n)})\big) = m 2^{n-1}$$
for all $i$ ($1 \le i \le n$). Here $wt(\cdot)$ denotes the Hamming weight function.

This means that an average of one half of the output bits change whenever a single input bit is complemented.

Definition 4 (SAC, Strong S-box) We say that a function $f : Z_2^n \to Z_2^m$ satisfies the SAC, or $f$ is a strong S-box, if for all $i$ ($1 \le i \le n$) the following equations hold:
$$\sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) = (2^{n-1}, 2^{n-1}, \ldots, 2^{n-1}).$$

If a function satisfies the SAC, each of its output bits should change with a probability of one half whenever a single input bit is complemented. Clearly, a strong S-box is complete and exhibits the avalanche effect.

If some output bits depend on only a few input bits, then, by observing a significant number of input-output pairs, such as in a chosen plaintext attack, a cryptanalyst might be able to detect these relations and use this information to aid the search for the key. And because any lower-dimensional space approximation of a mapping yields a wrong result in 25% [Ba] of the cases, strong S-boxes play significant roles in cryptography.

Notation For a function $f : Z_2^n \to Z_2^m$, denote by $f_j$ ($1 \le j \le m$) the function $Z_2^n \to Z_2$ such that $f(x) = (f_m(x), f_{m-1}(x), \ldots, f_2(x), f_1(x))$. We identify an element $z = (z_k, z_{k-1}, \ldots, z_2, z_1)$ of $Z_2^k$ with the integer $\sum_{i=1}^{k} z_i 2^{i-1}$. To represent a function $f : Z_2^n \to Z_2^m$, we often use the integer tuple $\langle f \rangle = [f(0), f(1), f(2), \ldots, f(2^n - 1)]$ and call it the integer representation of $f$. This representation can be obtained by combining $\langle f_m \rangle, \langle f_{m-1} \rangle, \ldots, \langle f_2 \rangle, \langle f_1 \rangle$ as
$$\langle f \rangle = \sum_{j=1}^{m} \langle f_j \rangle \cdot 2^{j-1}.$$

3 Properties of Strong S-box

Let us discuss the cryptographic properties of strong S-boxes or functions satisfying the SAC.

3.1 Some Functions Never Satisfy the SAC

Definition 5 (Linearity, Affinity) A function $f$ from $Z_2^n$ into $Z_2^m$ is affine if there exist an $n \times m$ matrix $A_f$ over $Z_2$ and an $m$-dimensional vector $b_f$ over $Z_2$ such that
$$f(x) = x A_f + b_f$$
where $x$ denotes the indeterminate $n$-dimensional vector. A function $f$ is linear if it is affine with $b_f = 0$.

It is well known [HM] that any cryptosystem which implements linear or affine functions can be easily broken. This fact brings us the question: Are there linear or affine functions satisfying the SAC? The answer is of course "no".

Theorem 1 A strong S-box is neither linear nor affine.

And also it is easy to see that

Theorem 2 For $n = 1$ or $2$, any bijective function $f$ from $Z_2^n$ into $Z_2^n$ never satisfies the SAC.

Thus, in order to obtain bijective strong S-boxes, we must treat at least quadratic functions of at least three variables.

3.2 Use of Single Output Strong S-box

When $m = 1$, and $n = 3$ or $4$, the experiments tell us that we can easily generate many strong S-boxes $f : Z_2^n \to Z_2$ by random search on an engineering workstation (SONY NWS810) in a few microseconds. But for the case of $n \ge 5$ it becomes rather difficult to efficiently generate single output strong S-boxes in the same computational environment.

Example 1 For $n = 3$ and $m = 1$,
$$\langle p \rangle = [1,0,1,1,1,0,0,0], \quad \langle q \rangle = [1,1,1,0,0,0,1,0], \quad \langle r \rangle = [1,1,0,1,0,1,0,0]$$
are integer representations of strong S-boxes $p$, $q$ and $r$ respectively. By complementing the output bit of the single output strong S-boxes $p$, $q$ and $r$, we have
$$\langle p' \rangle = [0,1,0,0,0,1,1,1], \quad \langle q' \rangle = [0,0,0,1,1,1,0,1], \quad \langle r' \rangle = [0,0,1,0,1,0,1,1].$$
It is easy to check that all of these functions are strong S-boxes.

By the definition of the SAC and by the above observation, we can readily show the following.

Theorem 3 Let $e$ ($g$, resp.) denote an affine function from $Z_2^n$ ($Z_2^m$, resp.) into itself with a permutation matrix and an arbitrary binary vector. Then, a function $f : Z_2^n \to Z_2^m$ satisfies the SAC if and only if the composite function $g \circ f \circ e : Z_2^n \to Z_2^m$ satisfies the SAC.

Given some single output strong S-boxes, we can generate multiple output strong S-boxes using the idea summarized in the above theorem. (However, note that a strong S-box with $m = n$ generated by this method is not guaranteed to be bijective.)

Example 2 The 3-input 3-output S-box $f$ defined by $f(x) = (r(x), p(x), q'(x))$ is strong, i.e., satisfies the SAC. Since
$$\langle r \rangle = [1,1,0,1,0,1,0,0], \quad \langle p \rangle = [1,0,1,1,1,0,0,0], \quad \langle q' \rangle = [0,0,0,1,1,1,0,1],$$
the integer representation of $f$ is
$$\langle r \rangle \cdot 4 + \langle p \rangle \cdot 2 + \langle q' \rangle = [6,4,2,7,3,5,0,1].$$

Thus we can conclude this section by stating that there is no difficulty in efficiently generating many strong S-boxes up to the 4-bit input case.

4 Enlargement of Strong S-box

4.1 Construction

Next we discuss the expandable properties of strong S-boxes and present the recursive construction of strong S-boxes of arbitrary $n$ and $m$.

Let us construct $(n+1)$-bit input S-boxes using $n$-bit input S-boxes.

Definition 6 For a function $f : Z_2^n \to Z_2$, an integer $k \in \{1,2,\ldots,n\}$ and a constant $b \in Z_2$, define a function $D_b^k[f] : Z_2^{n+1} \to Z_2$ by
$$D_b^k[f](0,x) = f(x) \quad \text{and} \quad D_b^k[f](1,x) = f(x \oplus c_k^{(n)}) \oplus b$$
for all $x \in Z_2^n$.

Definition 7 For a function $f : Z_2^n \to Z_2^n$ such that $f(x) = (f_n(x), f_{n-1}(x), \ldots, f_1(x))$, a function $g : Z_2^n \to Z_2$ and an integer $k \in \{1,2,\ldots,n\}$, define the function $E^k[g,f] : Z_2^{n+1} \to Z_2^{n+1}$ by
$$E^k[g,f](y) = \big(D_1^k[g](y),\ D_0^k[f_n](y),\ D_0^k[f_{n-1}](y),\ \ldots,\ D_0^k[f_1](y)\big)$$
for all $y \in Z_2^{n+1}$.

We can show that the constructed S-boxes have nice properties.

Theorem 4 If a function $f : Z_2^n \to Z_2$ satisfies the SAC, then for any $k \in \{1,2,\ldots,n\}$ and any $b \in Z_2$, $D_b^k[f]$ also satisfies the SAC.

Proof: Since $f$ satisfies the SAC, it holds that
$$\sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) = 2^{n-1}$$
for any $i \in \{1,2,\ldots,n\}$. Thus it also holds that
$$\sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) \oplus 1 = 2^n - \sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) = 2^n - 2^{n-1} = 2^{n-1}.$$
To prove the theorem, we denote $D_b^k[f]$ by $g$ and show that for any $i \in \{1,2,\ldots,n+1\}$,
$$\sum_{y \in Z_2^{n+1}} g(y) \oplus g(y \oplus c_i^{(n+1)}) = 2^n.$$

(Case 1) $i \in \{1,2,\ldots,n\}$:
$$\begin{aligned}
\sum_{y \in Z_2^{n+1}} g(y) \oplus g(y \oplus c_i^{(n+1)})
&= \sum_{x \in Z_2^n} g(0,x) \oplus g(0, x \oplus c_i^{(n)}) + \sum_{x \in Z_2^n} g(1,x) \oplus g(1, x \oplus c_i^{(n)}) \\
&= \sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) + \sum_{x \in Z_2^n} \big(f(x \oplus c_k^{(n)}) \oplus b\big) \oplus \big(f((x \oplus c_i^{(n)}) \oplus c_k^{(n)}) \oplus b\big) \\
&= \sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) + \sum_{x \in Z_2^n} f(x \oplus c_k^{(n)}) \oplus f((x \oplus c_k^{(n)}) \oplus c_i^{(n)}) \\
&= 2 \cdot \sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i^{(n)}) = 2 \cdot 2^{n-1} = 2^n.
\end{aligned}$$

(Case 2) $i = n+1$:
$$\begin{aligned}
\sum_{y \in Z_2^{n+1}} g(y) \oplus g(y \oplus c_{n+1}^{(n+1)})
&= \sum_{x \in Z_2^n} g(0,x) \oplus g(1,x) + \sum_{x \in Z_2^n} g(1,x) \oplus g(0,x) \\
&= 2 \cdot \sum_{x \in Z_2^n} g(0,x) \oplus g(1,x) = 2 \cdot \sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_k^{(n)}) \oplus b = 2 \cdot 2^{n-1} = 2^n.
\end{aligned}$$
Thus, we complete the proof. □

Theorem 5 For a bijection $f : Z_2^n \to Z_2^n$, a function $g : Z_2^n \to Z_2$, and an integer $k \in \{1,2,\ldots,n\}$, the function $E^k[g,f] : Z_2^{n+1} \to Z_2^{n+1}$ is bijective.

Proof: By the definition of $E^k[g,f]$ we have for any $x \in Z_2^n$,
$$E^k[g,f](0,x) = (g(x), f(x)), \qquad E^k[g,f](1, x \oplus c_k^{(n)}) = (g(x) \oplus 1, f(x)).$$
For any $u \in Z_2^n$ and $v \in Z_2^n$, let
$$\begin{aligned}
A(u,v) &= E^k[g,f](0,u) \oplus E^k[g,f](0,v), \\
B(u,v) &= E^k[g,f](1, u \oplus c_k^{(n)}) \oplus E^k[g,f](1, v \oplus c_k^{(n)}), \\
C(u,v) &= E^k[g,f](0,u) \oplus E^k[g,f](1, v \oplus c_k^{(n)}).
\end{aligned}$$
We have
$$A(u,v) = B(u,v) = (g(u) \oplus g(v),\ f(u) \oplus f(v)), \qquad C(u,v) = (g(u) \oplus g(v) \oplus 1,\ f(u) \oplus f(v)).$$
Since $f$ is bijective, $f(u) \oplus f(v) = 0$ if and only if $u = v$. Therefore, if $u \ne v$, we have $A(u,v) = B(u,v) \ne (0,0)$ and $C(u,v) \ne (0,0)$. And if $u = v$, we have $A(u,v) = B(u,v) = (0,0)$ and $C(u,v) = (1,0) \ne (0,0)$. Thus, $A(u,v)$ and $B(u,v)$ equal zero if and only if $u = v$, and $C(u,v)$ never equals zero for any $u$ and $v$. These facts show that for any $s \in Z_2^{n+1}$ and $t \in Z_2^{n+1}$, $E^k[g,f](s) = E^k[g,f](t)$ if and only if $s = t$, in other words, that $E^k[g,f]$ is bijective. □

Theorem 6 If both a bijection $f : Z_2^n \to Z_2^n$ and a function $g : Z_2^n \to Z_2$ satisfy the SAC, then for any integer $k \in \{1,2,\ldots,n\}$, the function $E^k[g,f] : Z_2^{n+1} \to Z_2^{n+1}$ is a bijection satisfying the SAC.

Proof: This theorem follows directly from Theorems 4 and 5. □

For explanatory purposes, we illustrate this method in Fig. 1 in the Appendix.

Remark: Define $f_i : Z_2^n \to Z_2$ ($i = 1,2,\ldots,n$) by $f(x) = (f_n(x), f_{n-1}(x), \ldots, f_1(x))$ from the bijection $f : Z_2^n \to Z_2^n$ satisfying the SAC. Noting that $f_i$ satisfies the SAC, Theorem 6 tells us that given a bijection $f : Z_2^n \to Z_2^n$ satisfying the SAC we can construct a bijection $E^k[f_i, f] : Z_2^{n+1} \to Z_2^{n+1}$ satisfying the SAC using only $f$ (see Fig. 2 in the Appendix). □

By using these construction methods, we can generate strong S-boxes in an efficient and systematic way. We give some examples in the next section.

4.2 Examples

Here we give detailed examples to generate strong S-boxes.

Example 3 A function $f : Z_2^3 \to Z_2$ which satisfies the SAC is given as $\langle f \rangle = [1,1,0,0,0,1,0,1]$. Then,
$$\langle D_0^1[f] \rangle = [1,1,0,0,0,1,0,1,\ 1,1,0,0,1,0,1,0],$$
and
$$\langle D_1^1[f] \rangle = [1,1,0,0,0,1,0,1,\ 0,0,1,1,0,1,0,1].$$
By Theorem 4, these expanded functions also satisfy the SAC.

Example 4 When a strong S-box $g : Z_2^3 \to Z_2$ is $[1,0,0,0,1,1,0,1]$ and a bijective strong S-box $f : Z_2^3 \to Z_2^3$ is $[3,1,4,0,2,5,6,7]$,
$$\langle D_1^1[g] \rangle = [1,0,0,0,1,1,0,1,\ 1,0,1,1,0,0,0,1],$$
and
$$\langle D_0^1[f] \rangle = [3,1,4,0,2,5,6,7,\ 1,3,0,4,5,2,7,6].$$
By Theorem 6, we can get a strong bijective S-box:
$$\langle E^1[g,f] \rangle = [11,1,4,0,10,13,6,15,9,3,8,12,5,2,7,14].$$
Also, by applying Theorem 6 two times, we can get 6-bit input bijective strong S-boxes:
$$[4,53,16,57,43,45,2,6,12,55,63,33,8,26,30,51,\ 37,20,41,0,61,59,22,18,39,28,49,47,10,24,35,14,\ 21,36,25,48,13,11,38,34,23,44,1,31,58,40,19,62,\ 52,5,32,9,27,29,50,54,60,7,15,17,56,42,46,3]$$
and
$$[36,21,48,57,43,45,2,38,12,23,63,1,8,58,30,19,\ 37,20,9,0,29,27,22,50,39,60,49,15,10,56,35,46,\ 53,4,25,16,13,11,6,34,55,44,33,31,26,40,51,62,\ 52,5,32,41,59,61,18,54,28,7,47,17,24,42,14,3].$$

As stated earlier, the experiments on the random search show that we can easily find 3-bit input bijective strong S-boxes, but when the number of inputs is increased, it becomes more and more difficult to find even a 5-bit input bijective strong S-box. By applying Theorem 6 recursively, however, we can generate arbitrary input size bijective strong S-boxes given 3-bit input bijective strong S-boxes. This method is very useful in designing a bijective strong S-box with a larger input size.
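As an added example (not code from the paper), the following Python implements the SAC test of Definition 4, the integer representation of Section 2 and the enlargement operators $D_b^k$ and $E^k[g,f]$ of Definitions 6 and 7, and replays Examples 1 to 4 with the paper's own constants; the function names are my own, and `grow` follows the Remark after Theorem 6 by reusing the output bit $f_1$ as $g$, a step the paper describes but does not tabulate.

```python
# Conventions as in the paper: input bit i is c_i = 2**(i-1), output bit j is
# bit j-1 of the integer f(x), and <f> = [f(0), ..., f(2**n - 1)].

def sac_sums(sbox, n, m):
    """sum_x f_j(x) ^ f_j(x ^ c_i) for every input bit i and output bit j."""
    return [[sum((sbox[x] ^ sbox[x ^ (1 << i)]) >> j & 1 for x in range(1 << n))
             for j in range(m)] for i in range(n)]

def is_strong(sbox, n, m):
    """Definition 4: every one of those sums equals 2**(n-1)."""
    return all(s == 1 << (n - 1) for row in sac_sums(sbox, n, m) for s in row)

def is_bijective(sbox):
    return sorted(sbox) == list(range(len(sbox)))

def combine(*comps):
    """<f> = sum_j <f_j> * 2**(j-1); components are given as (f_m, ..., f_1)."""
    return [sum(c[x] << (len(comps) - 1 - j) for j, c in enumerate(comps))
            for x in range(len(comps[0]))]

def D(f, n, k, b):
    """Definition 6, D^k_b[f] for single-output f on n input bits: the new top
    input bit selects f(x) or f(x ^ c_k) ^ b.  With b = 0 the same code
    enlarges every output bit of a multi-output f at once."""
    mask = 1 << (k - 1)
    return list(f) + [f[x ^ mask] ^ b for x in range(1 << n)]

def E(g, f, n, k):
    """Definition 7, E^k[g, f] = (D^k_1[g], D^k_0[f_n], ..., D^k_0[f_1])."""
    top, low = D(g, n, k, 1), D(f, n, k, 0)
    return [top[y] << n | low[y] for y in range(1 << (n + 1))]

def grow(f, n, target, k=1, i=1):
    """Remark after Theorem 6: reuse output bit f_i of f as g, so one bijective
    strong S-box is enlarged to `target` input bits using only itself."""
    while n < target:
        g = [f[x] >> (i - 1) & 1 for x in range(1 << n)]
        f, n = E(g, f, n, k), n + 1
    return f

# The paper's constants (Examples 1-4).
p, q, r = [1,0,1,1,1,0,0,0], [1,1,1,0,0,0,1,0], [1,1,0,1,0,1,0,0]
q_bar = [v ^ 1 for v in q]                            # q' of Example 1
f_ex2 = combine(r, p, q_bar)                          # Example 2: (r, p, q')
f_ex3 = [1,1,0,0,0,1,0,1]                             # Example 3
g_ex4, f_ex4 = [1,0,0,0,1,1,0,1], [3,1,4,0,2,5,6,7]   # Example 4

if __name__ == "__main__":
    f6 = grow(f_ex4, 3, 6)                            # 3 -> 6 input bits
    print(f_ex2, E(g_ex4, f_ex4, 3, 1), is_bijective(f6) and is_strong(f6, 6, 6))
```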

5 Concluding Remarks

We have summarized the cryptographically significant criteria for S-boxes of symmetric cryptosystems and proved several interesting theorems on strong S-boxes. Moreover, we proposed two recursive construction methods from 3-bit input bijective strong S-box(es) to an arbitrary input size bijective strong S-box.

The generated strong S-boxes can be useful as a basic building block of symmetric cryptosystems or pseudorandom generators, etc.

Acknowledgment The first author is supported in part by Electronics and Telecommunications Research Institute.

References

[NBS] NBS, "Data Encryption Standard (DES)", FIPS PUB 46, US National Bureau of Standards, Washington DC, Jan. 1977.
[MSS] S. Miyaguchi, A. Shiraishi and A. Shimizu, "Fast data encryption algorithm FEAL-8 (in Japanese)", Electr. Comm. Lab. Tech. J., NTT, Vol. 37, No. 4/5, pp. 321-327, 1988.
[BPS] L. Brown, J. Pieprzyk and J. Seberry, "LOKI - a cryptographic primitive for authentication and secrecy", Proc. of AUSCRYPT90, 1990.
[KD] J.B. Kam and G.I. Davida, "Structured design of substitution-permutation encryption network", IEEE Trans. on Comput., Vol. C-28, No. 10, pp. 747-753, Oct. 1979.
[WT] A.F. Webster and S.E. Tavares, "On the design of S-boxes", Proc. of CRYPTO85, Springer-Verlag, 1985.
[Fe] H. Feistel, "Cryptography and computer privacy", Scientific American, Vol. 228, No. 5, pp. 15-23, 1973.
[Fo] R. Forré, "The strict avalanche criterion: spectral properties of Boolean functions and an extended definition", Proc. of CRYPTO88, Springer-Verlag, 1988.
[Ll] S. Lloyd, "Counting functions satisfying a higher order strict avalanche criterion", Proc. of EUROCRYPT89, Springer-Verlag, 1989.
[GR] J.A. Gordon and H. Retkin, "Are big S-boxes best?", IEEE workshop on computer security, pp. 257-262, 1981.
[Ay] F. Ayoub, "Probabilistic completeness of substitution-permutation encryption networks", IEE, Vol. 129, E, 5, pp. 195-199, Sep. 1982.
[Pi] J.P. Pieprzyk, "Non-linearity of exponent permutations", Proc. of EUROCRYPT89, Springer-Verlag, 1989.
[Ba] S. Babbage, "On the relevance of the strict avalanche criterion", Electronics Letters, Vol. 26, No. 7, pp. 461-462, 29th Mar. 1990.
[HM] M. Hellman, R. Merkle, R. Schroeppel, L. Washington, W. Diffie, S. Pohlig and P. Schweitzer, "Results of an initial attempt to analyze the NBS data encryption standard", Information Systems Laboratory Report, Stanford University, 1976.


Appendix

Figure 1: Construction method using $f$ and $g$ ($1 \le k \le n$). [Block diagram of $E^k[g,f]$; not reproduced in this transcript.]


Figure 2: Construction method using only $f$ ($1 \le k, j \le n$). [Block diagram of $E^k[f_j,f]$; not reproduced in this transcript.]
