Symmetric cryptography: scalable substitution matrix cipher


Symmetric cryptography:
scalable matrix cipher
Nguyen Dinh Thuc
University of Science, HCMC
[email protected]
outline
• Matrix-based cipher
• Advanced Encryption Standard
• Scalable Substitution Matrix cipher
Matrix-based cipher
matrix cipher: introduction
• in the Hill (matrix) cipher, each letter is treated as a
number in $\mathbb{Z}_{26}$. A block of n letters is processed
as an n-dimensional vector and multiplied by
an $n \times n$ matrix, modulo 26.
• in order to decrypt, this matrix must be
invertible modulo 26; the matrix is the
cipher key
Matrix-based cipher
matrix cipher: properties
• Linearity
– encryption/decryption: fast
– but insecure
• Scalability
Matrix-based cipher
matrix cipher: key space
• let $GL(d,\mathbb{Z}_m)=\{A_{d\times d} : A \text{ is invertible modulo } m\}$
• $|GL(d,\mathbb{Z}_p)|=\prod_{i=0}^{d-1}(p^d - p^i)$ where p is a prime
number
• $|GL(d,\mathbb{Z}_{p^n})|=p^{(n-1)d^2}\prod_{i=0}^{d-1}(p^d - p^i)$ where p is a
prime number
• $|GL(d,\mathbb{Z}_m)|=\prod_{i=1}^{k}\Big(p_i^{(n_i-1)d^2}\prod_{j=0}^{d-1}(p_i^d - p_i^j)\Big)$
where $m=p_1^{n_1}\cdots p_k^{n_k}$, $p_i$ prime
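As an added, runnable illustration of the two slides above (this is not code from the talk or from the cited papers), the following Python implements the Hill cipher over $\mathbb{Z}_{26}$ with the invertibility check that makes a matrix a valid key, and evaluates the key-space formula $|GL(d,\mathbb{Z}_m)|$ against a brute-force count for tiny parameters. The key matrix, plaintext and parameters are constructed for the demonstration; `det_mod`, `inverse_mod`, `gl_order` and the other names are this example's own.

```python
from itertools import product
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def det_mod(M, m):
    """Determinant of a square integer matrix reduced modulo m (cofactor
    expansion; adequate for the small dimensions used here)."""
    n = len(M)
    if n == 0:
        return 1 % m
    if n == 1:
        return M[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        total += (-1) ** j * M[0][j] * det_mod(minor, m)
    return total % m


def inverse_mod(M, m):
    """Inverse of M modulo m via the adjugate. Raises ValueError when det(M)
    is not a unit modulo m, i.e. when M is not a usable Hill key."""
    n = len(M)
    d = det_mod(M, m)
    if gcd(d, m) != 1:
        raise ValueError(f"matrix is not invertible modulo {m} (det = {d})")
    d_inv = pow(d, -1, m)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]
            adj[j][i] = (-1) ** (i + j) * det_mod(minor, m)  # transposed cofactor
    return [[(d_inv * adj[i][j]) % m for j in range(n)] for i in range(n)]


def mat_vec(M, v, m):
    """M * v modulo m, with v treated as a column vector."""
    return [sum(M[i][j] * v[j] for j in range(len(v))) % m for i in range(len(M))]


def hill_encrypt(text, K, m=26):
    """Hill cipher: letters -> Z_26, each block of n = len(K) letters -> K * block mod 26."""
    n = len(K)
    nums = [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]
    nums += [ALPHABET.index("X")] * (-len(nums) % n)  # pad the final block with X
    out = []
    for i in range(0, len(nums), n):
        out.extend(mat_vec(K, nums[i:i + n], m))
    return "".join(ALPHABET[x] for x in out)


def hill_decrypt(text, K, m=26):
    """Decryption is encryption with K^-1 mod 26, which is why K must be invertible."""
    return hill_encrypt(text, inverse_mod(K, m), m)


def factorize(m):
    """Prime factorisation {p: exponent} by trial division (small m only)."""
    f, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            f[p] = f.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        f[m] = f.get(m, 0) + 1
    return f


def gl_order(d, m):
    """|GL(d, Z_m)| from the slide's formula: for each prime power p^n exactly dividing m,
    p^((n-1) d^2) * prod_{i=0}^{d-1} (p^d - p^i); the factors multiply over the primes."""
    total = 1
    for p, n in factorize(m).items():
        total *= p ** ((n - 1) * d * d)
        for i in range(d):
            total *= p ** d - p ** i
    return total


def gl_order_bruteforce(d, m):
    """Count d x d matrices over Z_m whose determinant is a unit; feasible only for tiny d, m."""
    count = 0
    for entries in product(range(m), repeat=d * d):
        M = [list(entries[i * d:(i + 1) * d]) for i in range(d)]
        if gcd(det_mod(M, m), m) == 1:
            count += 1
    return count


if __name__ == "__main__":
    K = [[3, 3], [2, 5]]  # constructed key: det = 9 is a unit modulo 26
    ct = hill_encrypt("HELP", K)
    print(ct, hill_decrypt(ct, K))
    print(gl_order(2, 26), gl_order(2, 4), gl_order_bruteforce(2, 4))
```

The brute-force count is there only to confirm the formula on cases small enough to enumerate (a 2x2 matrix over $\mathbb{Z}_4$ or $\mathbb{Z}_6$); for the real Hill key space, $|GL(2,\mathbb{Z}_{26})| = 157248$, the formula is the only practical route, and it is also the number a key-recovery attack has to contend with, which the linearity slide shows is far less than it seems.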
Matrix-based cipher
a symmetric cryptosystem over the group $\mathbb{Z}_2^n$: LogSig
• $A_{n\times n}$: a non-singular matrix over $\mathbb{Z}_2^n$
• $B=\{a_1,\dots,a_n\}$ with $a_i$ the i-th row of A: a basis of $\mathbb{Z}_2^n$
• $B=\{a_1,\dots,a_n\}$
$=\{a_1,\dots,a_{r_1},\; a_{r_1+1},\dots,a_{r_1+r_2},\; \dots,\; a_{r_{s-1}+1},\dots,a_{r_{s-1}+r_s}\}$
• Let
– $\pi_i$ be a permutation on $\{1,\dots,r_i\}$, $i=1,\dots,s$
– $\alpha_i$ be a linear combination of
$\{a_{r_{i-1}+1},\dots,a_{r_{i-1}+r_i}\}$, $i=1,\dots,s$, with $r_0=1$
• $\alpha=\{\alpha_1,\dots,\alpha_s\}$: a logarithmic signature over $\mathbb{Z}_2^n$.
Matrix-based cipher
a symmetric cryptosystem over the group $\mathbb{Z}_2^n$: bijections
Given a logsig $\alpha$ of type $(r_1,\dots,r_s)$ spanned by the
matrix A and the permutations $\pi_i$, $i=1,\dots,s$:
• $m\in\mathbb{Z}_{2^n}$ with binary representation
$m=(m_{11},\dots,m_{1r_1},\dots,m_{s1},\dots,m_{sr_s})\in\mathbb{Z}_2^n$
• $m\mapsto(p_1,\dots,p_s)$ where $p_i$ is the decimal value of the
binary string $m_{i1}\cdots m_{ir_i}$, $i=1,\dots,s$
• $(p_1,\dots,p_s)\mapsto\sum_{i=1}^{r_1}p_{1i}\,a_{\pi_1(i)}+\dots+\sum_{i=1}^{r_s}p_{si}\,a_{\pi_s(i)}$,
where $p_{ij}$ is the j-th bit of $p_i$, $i=1,\dots,s$
Matrix-based cipher
a symmetric cryptosystem over the group $\mathbb{Z}_2^n$: factorization
Given a logsig $\alpha$ of type $(r_1,\dots,r_s)$ spanned by the
matrix A and the permutations $\pi_i$, $i=1,\dots,s$:
• Given $u\in\mathbb{Z}_2^n$, $u=(u_1,\dots,u_n)$
• Compute $v=u_{1\times n}A_{n\times n}=(v_{11},\dots,v_{1r_1},\dots,v_{s1},\dots,v_{sr_s})\in\mathbb{Z}_2^n$
• Let $q_i$ ($i=1,\dots,s$) be the decimal value of the binary string
$v_{i\pi_i(1)}\cdots v_{i\pi_i(r_i)}$
• $(q_1,\dots,q_s)$ is the factorization of u by $\alpha$
Matrix-based cipher
a symmetric cryptosystem over the group $\mathbb{Z}_2^n$: discussion
Let S be a finite set and let f be a bijection from S to
S. The function f is an involution if f(f(x)) = x for
all $x\in S$.
• Given two logarithmic signatures $\alpha$ and $\beta$, which
are spanned by two non-singular matrices A and B
respectively.
• When the function E is an involution: E(E(m)) = m for all
$m\in\mathbb{Z}_{2^n}$.
Advanced Encryption Standard:
substitution-permutation network
• AddRoundKey
• ×(Nr − 1) rounds: SubBytes, ShiftRows, MixColumns, AddRoundKey
• final round: SubBytes, ShiftRows, AddRoundKey
State S: the 16 input bytes in0 … in15 fill a 4×4 byte array column by column
(in0 in1 in2 in3 form the first column, in4 … in7 the second, and so on), so
$S_{r,c} = in_{r+4c}$; the output bytes are read out the same way, $out_{r+4c} = S_{r,c}$.
Advanced Encryption Standard:
design rationale
• two properties of the operations of a secure cipher:
– confusion: minimize input-output correlation
– diffusion: maximize prop ratio
• wide trail strategy:
– a general strategy to construct a modern secure block
cipher
– based on a substitution-permutation network (SPN),
which consists of multiple rounds of transformations,
each consisting of a substitution layer and a
permutation layer that provide confusion and diffusion
respectively
Advanced Encryption Standard:
substitution layer
based on the AES S-box, which is defined as the
composition of 3 operations:
• inversion: the input byte to the S-box is regarded
as an element $w\in F$, and for $w\neq 0$ the output is
$x=w^{-1}$, with $0^{-1}=0$, where F is the Rijndael field
• GF(2)-linear mapping (affine mapping): a linear
transformation $GF(2)^8\to GF(2)^8$
• S-box constant: the output of the GF(2)-linear
mapping is regarded as an element of the
Rijndael field and added to the field element 63 (hex)
to produce the output of the S-box
Advanced Encryption Standard:
S-BOX
the AES S-box is actually the composition $A\circ P$ of a power
function P(x) and an affine surjection A(x),
where:

$$P(x)=\begin{cases}x^{-1}, & x\neq 0\\ 0, & x=0\end{cases}$$

$$A(x)=\begin{pmatrix}
1&0&0&0&1&1&1&1\\
1&1&0&0&0&1&1&1\\
1&1&1&0&0&0&1&1\\
1&1&1&1&0&0&0&1\\
1&1&1&1&1&0&0&0\\
0&1&1&1&1&1&0&0\\
0&0&1&1&1&1&1&0\\
0&0&0&1&1&1&1&1
\end{pmatrix}
\begin{pmatrix}x_0\\x_1\\x_2\\x_3\\x_4\\x_5\\x_6\\x_7\end{pmatrix}
\oplus
\begin{pmatrix}1\\1\\0\\0\\0\\1\\1\\0\end{pmatrix}$$
Advanced Encryption Standard:
diffusion layer
• has been designed in accordance with the wide
trail strategy
• based on a 4×4 matrix over F used in
MixColumns
• this is the parity check matrix of a maximum
distance separable code, known as an MDS
matrix
Advanced Encryption Standard:
diffusion layer and branch number
• the branch number B of a linear transformation F is
defined as follows:
$B(F)=\min\{wt(a)+wt(F(a)) : a\in dom(F)\setminus\{0\}\}$ where
wt is the number of non-zero elements in a given
vector
• if F is defined over an n-dimensional space, $B(F)\le n+1$
• if $B(F)=n+1$, F is considered a maximum diffusion
layer
J. Daemen and V. Rijmen, AES proposal: Rijndael, AES algorithm
submission, 1999 (available on the Internet).
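The following Python is an added example (not code from the talk or from the Rijndael submission) covering the AES substitution and diffusion slides above: it builds the S-box from the three operations (field inversion, GF(2)-linear map, constant 63), then checks the MixColumns matrix with the standard fact that a square matrix over a field is MDS exactly when every square submatrix is nonsingular, which is what gives it the maximal branch number n + 1 = 5. Because the exhaustive definition of B(F) is only affordable for tiny dimensions, a brute-force `branch_number_exhaustive` is included for 2x2 matrices so the two views can be compared. The matrix rows are written as bitmasks; `gf_mul`, `gf_det`, `is_mds` and the other names are this example's own.

```python
from itertools import combinations, product


def gf_mul(a, b):
    """Multiplication in the Rijndael field GF(2^8) = GF(2)[x]/(x^8 + x^4 + x^3 + x + 1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # multiply by x and reduce
        b >>= 1
    return r


def gf_inv(a):
    """a^-1 computed as a^254 (a^255 = 1 for a != 0); for a = 0 this yields 0, the AES convention."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


# GF(2)-linear part of the AES affine map: row i as a bitmask (bit j = column j), then the constant
AFFINE_ROWS = [0xF1, 0xE3, 0xC7, 0x8F, 0x1F, 0x3E, 0x7C, 0xF8]
AFFINE_CONST = 0x63


def affine(x, rows=AFFINE_ROWS, const=AFFINE_CONST):
    y = 0
    for i, row in enumerate(rows):
        if bin(row & x).count("1") & 1:  # GF(2) dot product of row i with the bits of x
            y |= 1 << i
    return y ^ const


def aes_sbox(x):
    """S(x) = A(P(x)): field inversion, then the affine map including the constant."""
    return affine(gf_inv(x))


SBOX = [aes_sbox(x) for x in range(256)]


def gf_det(M):
    """Determinant over GF(2^8) by cofactor expansion (no signs in characteristic 2)."""
    if len(M) == 1:
        return M[0][0]
    d = 0
    for j in range(len(M)):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        d ^= gf_mul(M[0][j], gf_det(minor))
    return d


def is_mds(M):
    """A square matrix over a field is MDS iff every square submatrix is nonsingular;
    an n x n MDS matrix has branch number n + 1, the maximum the slide states."""
    n = len(M)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if gf_det([[M[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


def weight(v):
    """wt(v): number of non-zero entries."""
    return sum(1 for x in v if x)


def branch_number_exhaustive(M):
    """B(M) = min over a != 0 of wt(a) + wt(M a), by brute force over GF(2^8)^n (n <= 2 only)."""
    n = len(M)
    if n > 2:
        raise ValueError("exhaustive search is only practical for n <= 2")
    best = n + 1  # B(M) <= n + 1 always holds
    for a in product(range(256), repeat=n):
        if any(a):
            Ma = [0] * n
            for i in range(n):
                for j in range(n):
                    Ma[i] ^= gf_mul(M[i][j], a[j])
            best = min(best, weight(a) + weight(Ma))
    return best


MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

if __name__ == "__main__":
    print(hex(SBOX[0x53]), is_mds(MIXCOLUMNS), branch_number_exhaustive([[1, 1], [1, 2]]))
```

The submatrix test is the practical way to certify a diffusion layer: it is cheap (for 4x4 there are 69 square submatrices) and it settles the branch number without enumerating $2^{32}$ inputs, whereas the brute-force definition is only usable as a cross-check on toy sizes.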
Scalable Substitution Matrix cipher
structure
• SSM is a byte-oriented block cipher.
• a plaintext block of fixed length is transformed
into the corresponding ciphertext block using a
given key k
• the cipher key is a nontrivial diffusion invertible
matrix
• the encryption process consists of multiple rounds
of transformations
Scalable Substitution Matrix cipher
diffusion matrix
• the diffusion degree of an $n\times n$ matrix M is defined
by: $d(M)=\min_{X\neq 0}\{wt(X_{n\times 1})+wt(M_{n\times n}X_{n\times 1})\}$
• the matrix M is called a nontrivial diffusion matrix if
d(M) > 2; otherwise, M is called a trivial diffusion
matrix
D.H. Van, N.T. Binh, T.M. Triet, and T.N. Bao, SSM: Scalable Substitution
Matrix cipher, Vietnam Journal of Science and Technology, vol. 46, 2009.
Scalable Substitution Matrix cipher
encryption process
• round transformation Nr=22n/2+2, where  is
a branch number of the keyed linear
transformation 
• the round transformation of round r, denoted $\rho_r$,
consists of two main steps:
– key-independent nonlinear transformation (denoted
$\gamma$): each byte of the state is substituted using a fixed
nonlinear S-box
– keyed linear transformation (denoted $\theta$): the whole
state is linearly mixed using a matrix derived from the
cipher key k
Scalable Substitution Matrix cipher
schema
$SSM[k]=\rho_{N_r-1}[k]\circ\cdots\circ\rho_1[k]\circ\rho_0[k]$
(diagram: in each round the n-byte state passes through a row of
S-boxes S S S S … S S S S and then the keyed linear layer $[k_r]$)
Scalable Substitution Matrix cipher
key-independent nonlinear substitution $\gamma$
in SSM, all operations of $\gamma$ are processed using a
fixed S-box constructed as follows:
• apply the first affine mapping $\lambda_1$ over $GF(2)^8$ to
the binary representation of x: $y=\lambda_1 x$
• take the inverse mapping $z=y^{-1}$ over
$GF(2)[x]/\langle m(x)\rangle$, with $0^{-1}=0$
• apply the second affine mapping $\lambda_2$ over $GF(2)^8$ to the
binary representation of z: $t=\lambda_2 z$
Bao Ngoc Tran, Thuc Dinh Nguyen, Thu Dan Tran, A New S-Box Structure
to Increase Complexity of Algebraic Expression for Block Cipher.
1
2





 







1
1
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
0
0
0
0
0
0
0





 







1
0
0
0
1
1
1
1
1
0
0
0
1
1
1
1
1
0
0
0
1
1
1
1
1
0
0
0
1
1
1
1
1
0
0
0
1
1
1
1
1
0
0
0
1
1
1
1
1
0
0
0
1
1
1
1
0 

0

0 

0 
0 

0 
1 

1 

1 

1

1 

1 
0 

0 
0 

1 

Scalable Substitution Matrix cipher
keyed linear transformation $\theta$
• $\theta$ operates on the whole state
• the state is considered as an n-byte column
vector and multiplied (mod 256) by an $n\times n$ matrix
M
• M is the cipher key and is also a nontrivial diffusion
matrix
• note that $\theta$ is defined over
$\mathbb{Z}_{256}^n$ instead of $GF(2^8)$ as in the nonlinear step.
Scalable Substitution Matrix cipher
conclusion
• SSM supports unlimited block length and key
length.
• With nonlinear substitution, SSM removes the
limitation of most matrix ciphers, which have only
linear components.
• SSM is resistant against differential and linear
cryptanalysis
D.H. Van, N.T. Binh, T.M. Triet, and T.N. Bao, SSM: Scalable Substitution
Matrix cipher, Vietnam Journal of Science and Technology, vol. 46, 2009.