COMPUTATION OF APPROXIMATION TABLES FOR …

Scalable Involutional PP-1 Block Cipher
for Limited Resources
K. Chmiel, A. Grocholewska-Czuryło, J. Stokłosa
Poznan University of Technology
Institute of Control and Information Engineering
Poznan, Poland
Basic assumptions of the PP-1 cipher project
• Scalability – extendable data block size and key size;
• Resources – limited (small memory, simple processor):
  - the same resources for encryption and decryption:
    one involutional S-box (i.e. S−1 = S),
    one involutional P-box (i.e. P−1 = P),
    the same round keys;
  - simple elementary operations:
    modulo 2 sum, addition, subtraction, shifts;
• Implementation – efficient in software and hardware.
10-12.06.2010
Scalable Involutional PP-1 Block Cipher for Limited Resources
CECC 2010 © Krzysztof Chmiel
2
Data processing path
Remarks:
• data blocks of n = t∙64 bits are processed in r rounds (t = 1, 2, 3, ... ),
• two n-bit round keys ki’=k2i–1 and ki”=k2i are used in round i.
[Fig. 1. One round of the PP-1 (i = 1, 2, ..., r): the n-bit input xi is split into t 64-bit subblocks xi,j, each processed by a nonlinear element NL #j using the round keys ki' = k2i–1 and ki'' = k2i; the concatenated results vi are permuted by P to give the n-bit output yi.]
[Fig. 2. Nonlinear element NL (j = 1, 2, ..., t): the 64-bit subblock xi,j is processed by eight 8-bit S-boxes S together with the 64-bit key subblocks ki,j' and ki,j'', giving vi,j.]
64-bit variant of PP-1
[Fig. 3. Encryption and decryption performed by PP-1 (n = 64): the 64-bit block m (ciphertext c for decryption) enters Round #1, which uses the keys k1 = k1,1||k1,2||...||k1,8 and k2 = k2,1||k2,2||...||k2,8 (k22 = k22,1||k22,2||...||k22,8 and k21 = k21,1||k21,2||...||k21,8 for decryption); Rounds #2 to #10 follow; the output transformation uses k21 and k22 (k2 and k1 for decryption) and produces c (m for decryption). Each 64-bit block is processed as eight 8-bit subblocks by the S-boxes S and permuted by P.]
Round key scheduling
Remarks:
• the cipher key k for the PP-1 algorithm is a sequence of n or 2n bits,
• the round keys k1, k2, ..., k2r are produced on outputs of iterations #1 to #2r.
[Fig. 4. One iteration of key scheduling (i = 0, 1, ..., 2r): the n-bit input Xi is split into 64-bit subblocks Xi,j, each processed by KS #j with the key input Ki (which depends on k), giving Vi; function E derives the 4-bit value ei from Vi, a rotation RR(ei) controlled by ei is applied, and the iteration outputs the next state Yi and the round key ki.]
[Fig. 5. KS – the main part of an iteration (j = 1, 2, ..., t): eight 8-bit S-boxes S process the 64-bit subblock Xi,j with Ki,j, giving Vi,j.]
Details of round key scheduling
Remarks:
• the value of function E is equal to the XOR of the 4 MSBs of the two leftmost S-boxes,
• the entry X0 of iteration #0 is supplied by the n-bit constant B,
• the inputs Ki depend on the cipher key k: n-bit or 2n-bit (k = kH||kL).
Function E:
  ei = E(b1b2...bn) = (b1⊕b9)(b2⊕b10)(b3⊕b11)(b4⊕b12)
  for Vi = b1b2...bn, where b1 is the MSB.
Inputs Ki:
  K0 = k if |k| = n, kH if |k| = 2n
  K1 = 0^n if |k| = n, kL if |k| = 2n
  A = 0^n if |k| = n, 1^n if |k| = 2n
  K2 = RL(B ⊕ (A(K0 ⊕ K1)))
  Ki = RL(Ki−1) for i = 3, 4, ..., 2r
Entry X0:
  X0 = B = B1||B2||...||Bt,
  where the 64-bit B1 = 912B4769B2496E7C,
  Bj = Prm(Bj–1) for j = 2, 3, ..., t,
  and Prm is calculated for nBb = 64 and nSb = 8.
Involutional substitution S
Method:
• generated using the multiplicative inverse procedure, similar to AES,
• processed to remove affine transformations between the component Boolean functions.
Parameters:
• nonlinearity – 110 (maxTA = 18),
• 2nd maximum XOR DDT value – 4 (maxTD = 4).
Fig. 6. Involutional 8×8-bit S-box S (row = high nibble H of the input, column = low nibble L); e.g. S(6F) = DA, S(DA) = 6F

H\L | 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
----+------------------------------------------------
 0  | 9E BC C3 82 A2 7E 41 5A 51 36 3F AC E3 68 2D 2A
 1  | EB 9B 1B 35 DC 1E 56 A5 B2 74 34 12 D5 64 15 DD
 2  | B6 4B 8E FB CE E9 D9 A1 6E DB 0F 2C 2B 0E 91 F1
 3  | 59 D7 3A F4 1A 13 09 50 A9 63 32 F5 C9 CC AD 0A
 4  | 5B 06 E6 F7 47 BF BE 44 67 7B B7 21 AF 53 93 FF
 5  | 37 08 AE 4D C4 D1 16 A4 D6 30 07 40 8B 9D BB 8C
 6  | EF 81 A8 39 1D D4 7A 48 0D E2 CA B0 C7 DE 28 DA
 7  | 97 D2 F2 84 19 B3 B9 87 A7 E4 66 49 95 99 05 A3
 8  | EE 61 03 C2 73 F3 B8 77 E0 F8 9C 5C 5F BA 22 FA
 9  | F0 2E FE 4E 98 7C D3 70 94 7D EA 11 8A 5D 00 EC
 A  | D8 27 04 7F 57 17 E5 78 62 38 AB AA 0B 3E 52 4C
 B  | 6B CB 18 75 C0 FD 20 4A 86 76 8D 5E 01 ED 46 45
 C  | B4 FC 83 02 54 D0 DF 6C CD 3C 6A B1 3D C8 24 E8
 D  | C5 55 71 96 65 1C 58 31 A0 26 6F 29 14 1F 6D C6
 E  | 88 F9 69 0C 79 A6 42 F6 CF 25 9A 10 9F BD 80 60
 F  | 90 2F 72 85 33 3B E7 43 89 E1 8F 23 C1 B5 92 4F
Involutional permutation P
Remarks:
• dissipates the 8-bit output subblocks of the S-boxes S in the n-bit block of a round,
• can be implemented by transposition of 8×8 bit matrices in processor words.

Fig. 7. Bit mappings x → P(x) of the involutional bit permutation P (n = 64); the IN and OUT rows of the original illustration number the bit positions 1, 2, ..., 64:
  1 → 10   17 → 12   33 → 14   49 → 16
  2 → 15   18 →  3   34 →  7   50 → 11
  3 → 18   19 → 20   35 → 22   51 → 24
  4 → 31   20 → 19   36 → 23   52 → 27
  5 → 26   21 → 28   37 → 30   53 → 32
  6 → 47   22 → 35   38 → 39   54 → 43
  7 → 34   23 → 36   39 → 38   55 → 40
  8 → 63   24 → 51   40 → 55   56 → 59
  9 → 42   25 → 44   41 → 46   57 → 48
 10 →  1   26 →  5   42 →  9   58 → 13
 11 → 50   27 → 52   43 → 54   59 → 56
 12 → 17   28 → 21   44 → 25   60 → 29
 13 → 58   29 → 60   45 → 62   61 → 64
 14 → 33   30 → 37   46 → 41   62 → 45
 15 →  2   31 →  4   47 →  6   63 →  8
 16 → 49   32 → 53   48 → 57   64 → 61

[Fig. 8. P for 8×8 bit matrices (n = 64): the 64-bit block written as an 8×8 bit matrix with rows a, b, ..., h and columns 1, ..., 8 (entries a1, b1, ..., h8), shown beside the matrix obtained after applying P.]
Scalable permutation P
Method (n = 64):
• algorithm Prm calculates bit mappings in Prm, to dissipate 4-bit subblocks in a 32-bit block,
• algorithm P calculates involutional pairs of bit mappings in the 64-bit P.

Prm(x, nBb, nSb) {argument, number of block bits (e.g. 64), number of S-box bits (e.g. 8)}
1. nS ← nBb div nSb {number of S-boxes}
2. Sno ← x mod nS + 1 {S-box number (from 1)}
3. Sb ← (x − 1) div nS + 1 {S-box bit (from 1)}
4. y ← (Sno − 1)·nSb + Sb {value of bit mapping}
5. return y

P(pno, nBb, nSb) {pair number (from 1), number of block bits (e.g. 64), number of S-box bits (e.g. 8)}
1. y ← Prm(pno, nBb div 2, nSb div 2) {value of Prm}
2. px ← 2·pno − 1 {odd argument (value) of bit mapping}
3. py ← 2·y {even value (argument) of bit mapping}
4. return (px, py)

[Fig. 9. Algorithms to construct permutation P and their illustration (n = 64): Prm maps pno = 1, 2, ..., 32 to y = 1, 2, ..., 32; P pairs the odd positions px = 1, 3, ..., 63 with the even positions py = 2, 4, ..., 64.]
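The two algorithms above in Python, together with the derivation of the key-scheduling constants B2, ..., Bt from the "Details of round key scheduling" slide, which applies Prm with nBb = 64 and nSb = 8 to the 64-bit word B1. This is an added example, not the PP-1 authors' code. Bit positions are numbered from 1 at the MSB as on the slides; the direction in which Prm moves the bits of Bj–1 (the bit at position x goes to position Prm(x)) is an assumption, since the slide states only Bj = Prm(Bj–1).

```python
"""Algorithms Prm and P of Fig. 9 and the key-scheduling constants B1..Bt.

Added example for this transcript, not the PP-1 authors' code.  Bit positions
are numbered 1..nBb from the MSB, as in the slides (b1 is the MSB).  The slide
only says Bj = Prm(Bj-1) for nBb = 64, nSb = 8; assumed here: the bit at
position x of Bj-1 moves to position Prm(x) of Bj."""


def prm(x, n_bb, n_sb):
    """Prm(x, nBb, nSb): bit mapping that dissipates nSb-bit S-box outputs."""
    n_s = n_bb // n_sb              # 1. number of S-boxes
    s_no = x % n_s + 1              # 2. S-box number (from 1)
    s_b = (x - 1) // n_s + 1        # 3. S-box bit (from 1)
    return (s_no - 1) * n_sb + s_b  # 4. value of the bit mapping


def p_pair(pno, n_bb, n_sb):
    """P(pno, nBb, nSb): the pno-th involutional pair (px, py), px odd, py even."""
    y = prm(pno, n_bb // 2, n_sb // 2)
    return 2 * pno - 1, 2 * y


def build_p(n_bb=64, n_sb=8):
    """Complete mapping {x: P(x)} for x = 1..nBb from the nBb/2 pairs (Fig. 7)."""
    mapping = {}
    for pno in range(1, n_bb // 2 + 1):
        px, py = p_pair(pno, n_bb, n_sb)
        mapping[px], mapping[py] = py, px
    return mapping


def is_involution(mapping):
    """P^-1 = P: applying the mapping twice returns every position."""
    return all(mapping[mapping[x]] == x for x in mapping)


def permute_word(word, n_bb, mapping):
    """Move the bit at position x (1 = MSB) of an nBb-bit word to position mapping(x)."""
    out = 0
    for x in range(1, n_bb + 1):
        bit = (word >> (n_bb - x)) & 1
        out |= bit << (n_bb - mapping(x))
    return out


def apply_p(block, n_bb=64, n_sb=8):
    """Apply the involutional permutation P to an nBb-bit block."""
    p = build_p(n_bb, n_sb)
    return permute_word(block, n_bb, lambda x: p[x])


B1 = 0x912B4769B2496E7C  # 64-bit constant B1 from the key-scheduling slide


def key_schedule_constants(t):
    """B1, ..., Bt with Bj = Prm(Bj-1), Prm calculated for nBb = 64 and nSb = 8
    (direction of the bit move is the assumption stated in the docstring)."""
    consts = [B1]
    for _ in range(2, t + 1):
        consts.append(permute_word(consts[-1], 64, lambda x: prm(x, 64, 8)))
    return consts


if __name__ == "__main__":
    p = build_p()
    print("P(1..8) =", [p[x] for x in range(1, 9)], "involution:", is_involution(p))
    print("B1..B3 =", [hex(b) for b in key_schedule_constants(3)])
```

Because every pair joins an odd and an even position, P has no fixed point and is its own inverse, which is what lets the same table serve encryption and decryption; the check `apply_p(apply_p(block)) == block` makes that property explicit for a whole 64-bit word.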
Differential and Linear Approximation
Differential approximation of f:
  f(X) ⊕ f(X ⊕ X') = Y',  X' ∈ {0,..,2^n–1}, Y' ∈ {0,..,2^m–1}
  p = N(X', Y') / 2^n  – effectiveness of the differential approximation
Linear approximation of f:
  Y[Y'] = X[X'], i.e. ⊕_{i∈Y'} y_i = ⊕_{j∈X'} x_j,  X' ⊆ {1,..,n}, Y' ⊆ {1,..,m}
  p = N(X', Y') / 2^n,  |p – 1/2|  – effectiveness of the linear approximation
[Fig. 10. Differential and linear approximation of function f: {0,1}^n → {0,1}^m]
Approximation Tables
  TDf[X', Y'] = N(X', Y')
  TAf[X', Y'] = N(X', Y') – 2^(n–1)
  maxTD = max{TDf[X', Y'] : X' ≠ 0 ∧ Y' ≠ 0}
  maxTA = max{|TAf[X', Y']| : X' ≠ ∅ ∧ Y' ≠ ∅}

Fig. 11. Function f: {0,1}^4 → {0,1}^2 and its approximation tables TDf and TAf

  X       0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
  Y=f(X)  3 3 3 0 1 3 1 1 0 0  3  3  1  2  2  2

TDf (rows X' = 0..15, columns Y' = 0..3):
  X'\Y'   0   1   2   3
   0     16   0   0   0
   1     10   0   2   4
   2      6   0   2   8
   3      6   0   2   8
   4      2   8   6   0
   5      2   8   6   0
   6      0   2  12   2
   7      2   4  10   0
   8      4   2   0  10
   9      2   0   2  12
  10      8   2   0   6
  11      8   2   0   6
  12      0   6   8   2
  13      0   6   8   2
  14      2   8   6   0
  15      2  12   2   0

TAf: TAf[0, 0] = 8 and TAf[X', 0] = 0 for X' = 1, ..., 15; the columns Y' = 1, 2, 3 are not reproduced here.
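The following Python, added here and not taken from the PP-1 authors, computes TDf and TAf exactly as defined above. It runs them over the Fig. 11 function f and over the PP-1 S-box S of Fig. 6, checking that S is an involution with S(6F) = DA and reporting its maxTA, maxTD and nonlinearity 2^(n–1) – maxTA as given on the S-box slide; it also scores a random 8-bit permutation for comparison with Fig. 12. Integer masks are used for X' and Y' (X'·X is the parity of the bitwise AND), the convention of Fig. 11; the S-box string is copied from Fig. 6.

```python
"""Approximation tables TDf and TAf for the PP-1 S-box S (Fig. 6) and the toy
function f of Fig. 11.  Added example, not code from the PP-1 authors.  The
S-box is copied from Fig. 6 (row = high nibble, column = low nibble of the
input), f from Fig. 11; masks X', Y' are integers, X'·X = parity(X' & X)."""
import random

SBOX_FIG6 = """
9E BC C3 82 A2 7E 41 5A 51 36 3F AC E3 68 2D 2A
EB 9B 1B 35 DC 1E 56 A5 B2 74 34 12 D5 64 15 DD
B6 4B 8E FB CE E9 D9 A1 6E DB 0F 2C 2B 0E 91 F1
59 D7 3A F4 1A 13 09 50 A9 63 32 F5 C9 CC AD 0A
5B 06 E6 F7 47 BF BE 44 67 7B B7 21 AF 53 93 FF
37 08 AE 4D C4 D1 16 A4 D6 30 07 40 8B 9D BB 8C
EF 81 A8 39 1D D4 7A 48 0D E2 CA B0 C7 DE 28 DA
97 D2 F2 84 19 B3 B9 87 A7 E4 66 49 95 99 05 A3
EE 61 03 C2 73 F3 B8 77 E0 F8 9C 5C 5F BA 22 FA
F0 2E FE 4E 98 7C D3 70 94 7D EA 11 8A 5D 00 EC
D8 27 04 7F 57 17 E5 78 62 38 AB AA 0B 3E 52 4C
6B CB 18 75 C0 FD 20 4A 86 76 8D 5E 01 ED 46 45
B4 FC 83 02 54 D0 DF 6C CD 3C 6A B1 3D C8 24 E8
C5 55 71 96 65 1C 58 31 A0 26 6F 29 14 1F 6D C6
88 F9 69 0C 79 A6 42 F6 CF 25 9A 10 9F BD 80 60
90 2F 72 85 33 3B E7 43 89 E1 8F 23 C1 B5 92 4F
"""


def parse_sbox(text):
    """Hex table -> list indexed by the input byte (row * 16 + column)."""
    table = [int(h, 16) for h in text.split()]
    if len(table) != 256 or sorted(table) != list(range(256)):
        raise ValueError("S-box table is not a permutation of 0..255")
    return table


S = parse_sbox(SBOX_FIG6)

# Truth table of f: {0,1}^4 -> {0,1}^2 from Fig. 11 (X = 0..15).
F_FIG11 = [3, 3, 3, 0, 1, 3, 1, 1, 0, 0, 3, 3, 1, 2, 2, 2]


def is_involution(table):
    """S^-1 = S, i.e. S(S(x)) = x for every x."""
    return all(table[table[x]] == x for x in range(len(table)))


def parity(v):
    return bin(v).count("1") & 1


def td_table(f, n, m):
    """TDf[X'][Y'] = N(X', Y') = #{X : f(X) xor f(X xor X') = Y'}."""
    td = [[0] * (1 << m) for _ in range(1 << n)]
    for dx in range(1 << n):
        for x in range(1 << n):
            td[dx][f[x] ^ f[x ^ dx]] += 1
    return td


def ta_table(f, n, m):
    """TAf[X'][Y'] = N(X', Y') - 2^(n-1) with N = #{X : X'·X = Y'·f(X)}.

    For each output mask Y' the sign vector (-1)^(Y'·f(X)) is Walsh-Hadamard
    transformed; coefficient X' is (#agree - #disagree) = 2N - 2^n."""
    size = 1 << n
    ta = [[0] * (1 << m) for _ in range(size)]
    for b in range(1 << m):
        w = [1 - 2 * parity(b & f[x]) for x in range(size)]
        h = 1
        while h < size:                     # in-place fast Walsh-Hadamard
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    u, v = w[j], w[j + h]
                    w[j], w[j + h] = u + v, u - v
            h *= 2
        for a in range(size):
            ta[a][b] = w[a] // 2
    return ta


def max_td(td):
    """maxTD over X' != 0 and Y' != 0."""
    return max(td[dx][dy] for dx in range(1, len(td)) for dy in range(1, len(td[0])))


def max_ta(ta):
    """maxTA = max |TAf| over non-empty X' and Y'."""
    return max(abs(ta[a][b]) for a in range(1, len(ta)) for b in range(1, len(ta[0])))


def sbox_quality(sbox, n=8, m=8):
    """maxTA, maxTD and nonlinearity 2^(n-1) - maxTA, the figures of the S-box slide."""
    mta = max_ta(ta_table(sbox, n, m))
    mtd = max_td(td_table(sbox, n, m))
    return {"maxTA": mta, "maxTD": mtd, "nonlinearity": (1 << (n - 1)) - mta}


def random_sbox_quality(seed):
    """The same figures for a random 8-bit permutation (cf. Fig. 12)."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return sbox_quality(table)


if __name__ == "__main__":
    print("S is an involution:", is_involution(S), " S(6F) =", hex(S[0x6F]))
    print("PP-1 S-box:", sbox_quality(S))
    print("random S-box (seed 1):", random_sbox_quality(1))
    for dx, row in enumerate(td_table(F_FIG11, 4, 2)):
        print("TDf", dx, row)
```

For the 4-bit f the tables are small enough to read directly: the largest non-trivial TDf entry (12, at X' = 6, 9 and 15) and the largest |TAf| (7, at X' = 4, Y' = 3) are the maxTD and maxTA an attacker's approximation of f would be bounded by. For S the same code reproduces the slide's maxTA = 18, maxTD = 4 and nonlinearity 110, and the random-permutation comparison lands in the maxTA 30–44 band of Fig. 12.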
Quality of S-box S (PP-1)
Fig. 12. Comparison of S-box S to randomly selected S-boxes (n = 8, m = 8): number of random S-boxes (out of 1000) with the given maxTD (rows) and maxTA (columns); S-box S itself lies at maxTA = 18, maxTD = 4.

  maxTD \ maxTA   30   32   34   36   38   40   42   44  Total
      10           1   48  163  119   61   15    3    0    410
      12           1   58  190  177   73   21    6    2    528
      14           0    5   21   14   11    3    1    1     56
      16           0    0    4    1    1    0    0    0      6
    Total          2  111  378  311  146   39   10    3   1000

(The slide also shows the maxTA distribution of the random S-boxes as a histogram in % of functions.)
DES Algorithm
  c1(j)||c2(j) = c2(j−1) || c1(j−1) ⊕ f(c2(j−1), kj)  for j = 1, 2, ..., 15
  c1(j)||c2(j) = c1(j−1) ⊕ f(c2(j−1), kj) || c2(j−1)  for j = 16
[Fig. 13. General structure and function f of DES (IBM 1977): the 64-bit block m = m1||m2 gives the 32-bit halves c1(0), c2(0), which pass through 16 iterations with 48-bit round keys k1, ..., k16 and produce c = c1||c2; function f expands its 32-bit input x by E to 48 bits, XORs it with kj, feeds the 6-bit inputs si1, ..., si8 to the S-boxes S1, ..., S8, and permutes the 4-bit outputs so1, ..., so8 by P to the 32-bit output y.]
Quality of S-boxes S1-S8 (DES)
Fig. 14. Comparison of S-boxes S1-S8 to randomly selected S-boxes (n = 6, m = 4): number of random S-boxes (out of 1000) with the given maxTD (rows) and maxTA (columns); the positions of the DES S-boxes S1, ..., S8 are marked in the original plot.

  maxTD \ maxTA   10   12   14   16   18  Total
      10           0    6    5    3    0     14
      12           1  144  141   33    4    323
      14           1  107  255   65   12    440
      16           0   24   94   41    5    164
      18           0    3   28   14    2     47
      20           0    3    3    4    1     11
      22           0    0    0    0    1      1
    Total          2  287  526  160   25   1000

(The slide also shows the maxTA distribution of the random S-boxes as a histogram in % of functions.)
Evaluation of PP-1
  (1) |pa+| ≤ |pp+|
  (2) pa = 2^(r–1) ∏_{i=1}^{r} pi
  (3) |pi+| ≤ qa / 2^(s/2 + 1),  |pp+| ≤ qp / 2^(n/2 + 1)
  (4) |pa+| ≤ (1/2)(qa / 2^(s/2))^r
  (5) (qa / 2^(s/2))^r ≤ qp / 2^(n/2)
  (6) r ≥ (n/2 – log qp) / (s/2 – log qa)
  (7) Lower bound to r:
        n      64    128   192   256
        r ≥  10.7   21.3  32.0  42.7
        r      11     22    32    43
[Fig. 15. Number r of rounds for n-bit block (s = 8, qa = 2, qp = 1); the comparative algorithm is a single n-bit substitution Sp of the message m under an n-bit key k, giving c.]
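Formulas (2)–(7) carried through in Python as an added example (not the authors' code): the per-round and comparative bounds of (3), the piling-up product of (2), the cipher bound (4), the smallest r satisfying (5), and the closed form (6), reproducing the table in (7) for s = 8, qa = 2, qp = 1.

```python
"""Round-count bound of the "Evaluation of PP-1" slide, formulas (1)-(7).

Added example for this transcript, not the PP-1 authors' code.  Biases are
exact Fractions so the comparison in (5) is not disturbed by rounding; s and n
are assumed even, as on the slide (s = 8, n = t*64)."""
from fractions import Fraction
import math


def per_round_bound(s, qa):
    """(3): |pi+| <= qa / 2^(s/2 + 1) for one round built on s-bit S-boxes."""
    return Fraction(qa, 2 ** (s // 2 + 1))


def comparative_bound(n, qp):
    """(3): |pp+| <= qp / 2^(n/2 + 1) for the comparative algorithm (one n-bit substitution Sp)."""
    return Fraction(qp, 2 ** (n // 2 + 1))


def piling_up(biases):
    """(2): pa = 2^(r-1) * prod(pi) for r round biases pi (piling-up lemma)."""
    product = Fraction(1)
    for p in biases:
        product *= p
    return 2 ** (len(biases) - 1) * product


def cipher_bound(r, s, qa):
    """(4): |pa+| <= (1/2) (qa / 2^(s/2))^r, i.e. (2) applied to r copies of (3)."""
    return piling_up([per_round_bound(s, qa)] * r)


def min_rounds(n, s=8, qa=2, qp=1):
    """Smallest r satisfying (1) |pa+| <= |pp+|, equivalently (5)."""
    r = 1
    while cipher_bound(r, s, qa) > comparative_bound(n, qp):
        r += 1
    return r


def rounds_lower_bound(n, s=8, qa=2, qp=1):
    """(6): r >= (n/2 - log2 qp) / (s/2 - log2 qa), the closed form of (5)."""
    return (n / 2 - math.log2(qp)) / (s / 2 - math.log2(qa))


def rounds_table(ns=(64, 128, 192, 256), s=8, qa=2, qp=1):
    """(7): for each block size n, the real bound (one decimal) and the integer r."""
    return {n: (round(rounds_lower_bound(n, s, qa, qp), 1), min_rounds(n, s, qa, qp))
            for n in ns}


if __name__ == "__main__":
    for n, (bound, r) in rounds_table().items():
        print(f"n = {n:3d}: r >= {bound:5.1f}  ->  r = {r}")
```

The comparative bound for n = 64 and qp = 1 is 1/2^33, the value that reappears in the DES comparison of Fig. 16; with qa = 2 each PP-1 round contributes a factor 1/8 to the bound, so the three extra block sizes need roughly n/6 rounds.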
Evaluation of DES
Evaluation methods:
• exact – the best nonzero linear approximation of a cipher is determined,
• rough – the best nonzero linear approximation of a cipher is assumed to be a composition of the best nonzero linear approximations of a single iteration,
• intermediate – the best zero-nonzero approximation of a cipher that fulfils the approximation conditions is found.

Fig. 16. Comparative algorithm and evaluation of DES quality (comparative algorithm: 64-bit m and 64-bit k into the substitution Sp, giving 64-bit c)

  Method                            r     |p+|
  Comparative algorithm (qp = 1)    1     1/2^33
  Exact method                     16     1/2^23
  Rough method                     64     1/2^33
  Intermediate method              48     1/2^33
  (improved S1, S5, S7)
Conclusions
• PP-1 is a new scalable block cipher that is simple, efficient and secure;
• PP-1 is aimed at platforms with limited resources, especially a limited amount of memory;
• because PP-1 uses only very simple arithmetic operations, the cipher can be implemented on different platforms such as smartcards, TV decoders, mobiles, etc.;
• we could not find any significant constraint in PP-1 and have not inserted any hidden weakness.