ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey - PowerPoint PPT Presentation

ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov Russian State University for the Humanities Faculty of Information Security *Partially supported by the Institute for Experimental Mathematics, University of Duisburg-Essen, Germany ABC: A New Fast Flexible Stream Cipher – p. 1/19

Motivation A highly flexible framework for manufacturing fast and secure stream ciphers. Illustration of our efficient techniques resting upon p -adic analysis and automata theory. Simplicity of design. ABC: A New Fast Flexible Stream Cipher – p. 2/19

Traditional design of PRNG B ( x ) x B C C ( x ) plain text stream encrypted text stream + B state transition function, period and distribution C non-linear filter function, other crypto properties ABC: A New Fast Flexible Stream Cipher – p. 3/19

The ABC design pattern z 1 ¯ B ( x ) z = (¯ z 1 , ¯ z 0 ) + z 1 + B ( x ) ¯ z A ( z ) A x B z 0 ¯ C C ( x ) + plain text stream encrypted text stream + + (mod 2 32 ) ⊞ = ⊕ = XOR ABC: A New Fast Flexible Stream Cipher – p. 4/19

ABC: Function A z 1 ¯ B ( x ) + z 0 ¯ z 1 ¯ z 1 + B ( x ) ¯ ≫ 1 ≪ 31 B x + + z 0 ¯ C C ( x ) + plain text stream encrypted text stream + LFSR of period 2 63 − 1 for each 32-bit half A : ABC: A New Fast Flexible Stream Cipher – p. 5/19

ABC: Function A in Detail φ ( θ ) = ( θ 63 + θ 31 + 1) θ z 0 ¯ z 1 ¯ to C to B z 0 ¯ z 1 ¯ ≫ 1 ≪ 31 z 1 ≪ 31 ¯ z 0 ≫ 1 ¯ + + A : Word oriented computation of LFSR ABC: A New Fast Flexible Stream Cipher – p. 6/19

ABC: Function B z 1 + ¯ B ( x ) z = (¯ z 1 , ¯ z 0 ) ≪ 2 z 1 + B ( x ) ¯ z A ( z ) A x + + + z 0 ¯ d 1 d 0 C C ( x ) + plain text stream encrypted text stream + B : Defines a single cycle permutation over Z / 2 32 Z ABC: A New Fast Flexible Stream Cipher – p. 7/19

ABC: Function B in Detail ≪ 2 5( x ⊕ d 1 ) x ⊕ d 1 + + + x B ( x ) d 1 d 0 B ( x ) = d 0 + 5( x ⊕ d 1 ) (mod 2 32 ) ABC: A New Fast Flexible Stream Cipher – p. 8/19

ABC: Function C z 1 ¯ B ( x ) z = (¯ z 1 , ¯ z 0 ) + z 1 + B ( x ) ¯ z A ( z ) A B z 0 ¯ + ≫ 16 + plain text stream encrypted text stream + ABC: A New Fast Flexible Stream Cipher – p. 9/19

ABC: Function C in Detail S ( x ) = e + � 31 i =0 e i δ i ( x ) (mod 2 32 ) , where δ i ( x ) ∈ { 0 , 1 } = the i -th bit of x , e, e i ∈ Z / 2 32 Z , e 31 ≡ 2 16 (mod 2 17 ) . C ( x ) = S ( x ) >>> 16 (mod 2 32 ) . NB! Not (mod 2 32 ) C ( x ) = S ( x ) + ( S ( x ) >>> 16 ) as in the contribution submitted to SKEW 2005! ABC: A New Fast Flexible Stream Cipher – p. 10/19

ABC: Function C in Detail 7 31 � � (mod 2 32 ) S ( x ) = e + e i δ i ( x ) + ∙ ∙ ∙ + e i δ i ( x ) i =0 i =24 x 0 ¯ x 1 ¯ x 2 ¯ x 3 ¯ T 0 T 1 T 2 T 3 T 0 (¯ x 0 ) T 1 (¯ x 1 ) T 2 (¯ x 2 ) T 3 (¯ x 3 ) + ≫ 16 C ( x ) ABC: A New Fast Flexible Stream Cipher – p. 11/19

ABC: Function C, SCA In applications subject to SCA we recommend to use masking: Modify each table by adding a random r or its additive inverse − r to the table elements depending on the parity of the table number. ABC: A New Fast Flexible Stream Cipher – p. 12/19

ABC: Function C, SCA r − r x 0 ¯ x 1 ¯ x 2 ¯ x 3 ¯ T 0 T 1 T 2 T 3 T 0 (¯ x 0 ) T 1 (¯ x 1 ) T 2 (¯ x 2 ) T 3 (¯ x 3 ) + r − r + r − r + ≫ 16 C ( x ) ABC: A New Fast Flexible Stream Cipher – p. 13/19

Properties of the ABC design pattern Provable properties of the ABC key stream: The period of (2 63 − 1) ∙ 2 32 words; Uniformly distributed key stream: ∀ 32 -bit word a the number µ ( a ) of occurrences of a on the period satisfies: � � (2 63 − 1) ∙ 2 32 − 1 µ ( a ) 1 � � � < (2 63 − 1) ∙ 2 32 ; � � 2 32 � � High linear complexity λ of the key stream: 2 31 ∙ (2 63 − 1) + 1 ≥ λ ≥ 2 31 + 1 . ABC: A New Fast Flexible Stream Cipher – p. 14/19

Properties of ABC circuit: Notes As a matter of fact we have proved the group of statements for a larger class of A, B, C. Thus, the designer can choose the maps suitable for the specific requirements. Note that the fact that these crucial security properties are proven does not exclude the necessity to analyse the concrete representations of A, B and C with respect to the whole set of cryptographical attacks. ABC: A New Fast Flexible Stream Cipher – p. 15/19

ABC: Key dependence, State space The following values can be (almost) freely defined without worsening the security properties of the resulting ABC mapping: A: The initial state z ∈ Z / 2 32 Z ; B: The coefficients d 0 , d 1 ∈ Z / 2 32 Z and initial state x ∈ Z / 2 32 Z ; C: The coefficients e, e 1 , . . . , e 31 ∈ Z / 2 32 Z . NB! All up to restrictions imposed above! Altogether we have 1195 bits to be freely set. Note that not all the bits have the same impact on the security of the cipher. ABC: A New Fast Flexible Stream Cipher – p. 16/19

ABC: Key dependence, Cycles The ABC stream cipher defines a family of cycles of length 2 32 (2 63 − 1) words in the following way: d 0 , d 1 , e, e 1 , . . . , e 31 define a concrete cycle of length P = 2 32 (2 63 − 1) ; d 0 , d 1 , e, { e i } 31 i =0 x, z x, z select a start point on the cycle defined (exactly 2 32 (2 63 − 1) variants). ABC: A New Fast Flexible Stream Cipher – p. 17/19

ABC: Speed & Memory consumption A generic reference C implementation on a standard 3.2 GHz Intel Pentium 4 processor under Linux. Minimum 132 byte memory used. w Speed, Cycles Table memory, Gbps per byte bytes 2 2 . 25 11 . 38 256 4 4 . 24 6 . 04 512 8 6.86 3.73 4096 ABC: A New Fast Flexible Stream Cipher – p. 18/19

ABC: Conclusion Freedom to choose mappings A, B, C; Important security properties are proven ; Novel approach to counter-dependence ; High degree of key-dependence ; Key material usage flexibility ; High flexibility in terms of memory consumption ; Extremely high throughput rate of a generic ANSI C implementation - 6.9 Gbps, or 3.7 clocks/byte on a Pentium 4 processor. ABC: A New Fast Flexible Stream Cipher – p. 19/19