ABC: A New Fast Flexible Stream Cipher

SLIDE 1

ABC: A New Fast Flexible Stream Cipher

Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov Russian State University for the Humanities Faculty of Information Security

*Partially supported by the Institute for Experimental Mathematics, University of Duisburg-Essen, Germany

ABC: A New Fast Flexible Stream Cipher – p. 1/19

SLIDE 2

Motivation

A highly flexible framework for manufacturing fast and secure stream ciphers. Illustration of our efficient techniques resting upon p-adic analysis and automata theory. Simplicity of design.

SLIDE 3

Traditional design of PRNG

[Diagram: blocks B and C with labels x, B(x) and C(x), and a + node joining the plain text stream and the encrypted text stream.]

B: state transition function; period and distribution
C: non-linear filter function; other crypto properties

SLIDE 4

The ABC design pattern

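[Diagram: block A with input $z = (\bar z_1, \bar z_0)$ and output $A(z)$; block B with labels $B(x)$ and $\bar z_1 + B(x)$; block C with labels $x$ and $C(x)$; a + node joining the plain text stream and the encrypted text stream.]

⊞ = + (mod $2^{32}$), ⊕ = XOR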

SLIDE 5

ABC: Function A

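[Diagram: the ABC pattern with A expanded: inputs $\bar z_0$, $\bar z_1$; operations ≫ 1, ≪ 31 and two + nodes; outputs $\bar z_0$, $\bar z_1$. Blocks B and C carry the labels $B(x)$, $\bar z_1 + B(x)$, $x$ and $C(x)$, followed by the + node joining the plain text stream and the encrypted text stream.]

A: LFSR of period $2^{63} - 1$ for each 32-bit half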

SLIDE 6

ABC: Function A in Detail

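$\varphi(\theta) = (\theta^{63} + \theta^{31} + 1)\,\theta$

[Diagram: inputs $\bar z_0$, $\bar z_1$; operations $\bar z_0$ ≫ 1, $\bar z_1$ ≪ 31 and two + nodes; outputs $\bar z_0$, $\bar z_1$, with arrows labelled "to C" and "to B".]

A: Word oriented computation of LFSR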

SLIDE 7

ABC: Function B

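[Diagram: the ABC pattern with B expanded: block A with input $z = (\bar z_1, \bar z_0)$ and output $A(z)$; inside B the inputs $d_1$, $d_0$, a ≪ 2 operation and four + nodes, with labels $B(x)$ and $\bar z_1 + B(x)$; block C with labels $x$ and $C(x)$; the + node joining the plain text stream and the encrypted text stream.]

B: Defines a single cycle permutation over $\mathbb{Z}/2^{32}\mathbb{Z}$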

SLIDE 8

ABC: Function B in Detail

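[Diagram: inputs $d_1$, $d_0$, $x$; a ≪ 2 operation and three + nodes; intermediate values $x \oplus d_1$ and $5(x \oplus d_1)$; output $B(x)$.]

$B(x) = d_0 + 5(x \oplus d_1) \pmod{2^{32}}$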
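The single-cycle claim for B can be checked by brute force on a reduced word size. The following is an added example, not code from the slides or the reference implementation: the word width n, the function names and the parameter values are constructed here, and the parity conditions it uses (d0 odd, d1 even) are this example's assumption, since the restrictions on d0 and d1 are not listed on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* B reduced to n-bit words (1 <= n <= 32): d0 + 5*(x XOR d1) mod 2^n.
 * The cipher uses n = 32; a small n lets the whole cycle be walked. */
static uint32_t abc_b(uint32_t x, uint32_t d0, uint32_t d1, unsigned n)
{
    uint32_t mask = (n >= 32) ? 0xFFFFFFFFu : ((1u << n) - 1u);
    return (d0 + 5u * (x ^ d1)) & mask;
}

/* Steps until the orbit of 0 returns to 0. B is a bijection for any d0, d1
 * (XOR, multiplication by the odd constant 5 and addition are each
 * invertible mod 2^n), so the orbit always closes. Its length is 2^n
 * exactly when B is a single-cycle permutation. */
static uint64_t orbit_length(uint32_t d0, uint32_t d1, unsigned n)
{
    uint32_t x = 0;
    uint64_t steps = 0;
    do {
        x = abc_b(x, d0, d1, n);
        steps++;
    } while (x != 0);
    return steps;
}

int main(void)
{
    /* Constructed parameters, not key material from the slides. */
    printf("n=16, d0 odd,  d1 even: orbit %llu of 65536\n",
           (unsigned long long)orbit_length(0x1235u, 0xBEECu, 16));
    /* With d0 and d1 both even, B preserves the parity of x, so the
     * orbit of 0 can cover at most half of the state space. */
    printf("n=16, d0 even, d1 even: orbit %llu of 65536\n",
           (unsigned long long)orbit_length(0x1234u, 0xBEECu, 16));
    return 0;
}
```

A short orbit in the second case shows why key setup has to constrain the low bits of d0 and d1 rather than take them unchanged from key material.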

SLIDE 9

ABC: Function C

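[Diagram: the ABC pattern with C expanded: block A with input $z = (\bar z_1, \bar z_0)$ and output $A(z)$; block B with labels $B(x)$ and $\bar z_1 + B(x)$; inside C two + nodes and a ≫ 16 operation; the + node joining the plain text stream and the encrypted text stream.]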

SLIDE 10

ABC: Function C in Detail

$S(x) = e + \sum_{i=0}^{31} e_i \delta_i(x) \pmod{2^{32}}$, where

$\delta_i(x) \in \{0, 1\}$ is the $i$-th bit of $x$; $e, e_i \in \mathbb{Z}/2^{32}\mathbb{Z}$; $e_{31} \equiv 2^{16} \pmod{2^{17}}$.

$C(x) = S(x) \ggg 16 \pmod{2^{32}}$.

NB! Not $C(x) = S(x) + (S(x) \ggg 16) \pmod{2^{32}}$ as in the contribution submitted to SKEW 2005!

SLIDE 11

ABC: Function C in Detail

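$S(x) = e + \sum_{i=0}^{7} e_i \delta_i(x) + \cdots + \sum_{i=24}^{31} e_i \delta_i(x) \pmod{2^{32}}$

[Diagram: $\bar x_0$, $\bar x_1$, $\bar x_2$, $\bar x_3$ index the tables $T_0$, $T_1$, $T_2$, $T_3$; the outputs $T_0(\bar x_0)$, $T_1(\bar x_1)$, $T_2(\bar x_2)$, $T_3(\bar x_3)$ enter a + node, followed by ≫ 16, giving $C(x)$.]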

SLIDE 12

ABC: Function C, SCA

In applications subject to SCA we recommend using masking: modify each table by adding a random r or its additive inverse −r to the table elements, depending on the parity of the table number.

SLIDE 13

ABC: Function C, SCA

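[Diagram: as on slide 11, with the masks $r$ and $-r$ applied to the tables: $T_0(\bar x_0) + r$, $T_1(\bar x_1) - r$, $T_2(\bar x_2) + r$, $T_3(\bar x_3) - r$ enter a + node, followed by ≫ 16, giving $C(x)$.]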
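The table form of C and the ±r masking from slides 11 to 13, as an added example that is not the authors' reference code. It generalizes the four byte-indexed tables to a window width w (the speed slide lists w = 2, 4, 8), checks the masked tables against the bitwise definition of S(x), and derives the table sizes. Function names, the coefficient values and folding e into table 0 are assumptions of this example, and >>> is read as a rotation.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 1024   /* largest case used here: w = 8, 4 tables x 256 words */
static uint32_t rot16(uint32_t s) { return (s >> 16) | (s << 16); }
static unsigned table_bytes(unsigned w) { return (32 / w) * (4u << w); }

/* Slide definition: S(x) = e + sum_i e_i * (i-th bit of x)  (mod 2^32). */
static uint32_t s_bitwise(uint32_t x, uint32_t e, const uint32_t *ei) {
    for (int i = 0; i < 32; i++) e += ei[i] * ((x >> i) & 1u);
    return e;
}

/* Fill 32/w tables of 2^w words; table j covers bits j*w .. j*w+w-1 of x.
 * Assumed: e is folded into table 0. Mask: +r for even j, -r for odd j. */
static void build_tables(uint32_t *t, unsigned w, uint32_t e, const uint32_t *ei, uint32_t r) {
    unsigned sz = 1u << w;
    for (unsigned j = 0; j < 32 / w; j++)
        for (unsigned v = 0; v < sz; v++) {
            uint32_t s = (j == 0) ? e : 0;
            for (unsigned b = 0; b < w; b++) s += ei[j * w + b] * ((v >> b) & 1u);
            t[j * sz + v] = s + ((j & 1u) ? 0u - r : r);
        }
}

static uint32_t c_tables(uint32_t x, const uint32_t *t, unsigned w) {
    uint32_t s = 0, sz = 1u << w;
    for (unsigned j = 0; j < 32 / w; j++)
        s += t[j * sz + ((x >> (j * w)) & (sz - 1u))];   /* +r and -r cancel pairwise */
    return rot16(s);   /* C(x) = S(x) >>> 16, read here as a rotation */
}

/* 1 if masked tables match the bitwise C(x) on constructed coefficients (w <= 8). */
static int masked_tables_agree(unsigned w, uint32_t r) {
    uint32_t t[MAX_ENTRIES], ei[32], e = 0x9E3779B9u, x = 1u;
    int ok = 1;
    for (int i = 0; i < 32; i++) ei[i] = 0x85EBCA6Bu * (uint32_t)(i + 1) + e;
    ei[31] = (ei[31] & ~0x1FFFFu) | 0x10000u;   /* e31 = 2^16 (mod 2^17) */
    build_tables(t, w, e, ei, r);
    for (int k = 0; ok && k < 1000; k++, x = x * 1664525u + 1013904223u)
        ok = c_tables(x, t, w) == rot16(s_bitwise(x, e, ei));
    return ok;
}

int main(void) {
    for (unsigned w = 2; w <= 8; w *= 2)
        printf("w=%u bytes=%u ok=%d\n", w, table_bytes(w), masked_tables_agree(w, 0xC0FFEE11u));
    return 0;
}
```

The mask cancels only in the final sum, so every stored table entry and each individual lookup result is offset by r or −r.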

SLIDE 14

Properties of the ABC design pattern

Provable properties of the ABC key stream:

The period of $(2^{63} - 1) \cdot 2^{32}$ words;

Uniformly distributed key stream: for every 32-bit word $a$, the number $\mu(a)$ of occurrences of $a$ on the period satisfies

$\left| \frac{\mu(a)}{(2^{63} - 1) \cdot 2^{32}} - \frac{1}{2^{32}} \right| < \frac{1}{\sqrt{(2^{63} - 1) \cdot 2^{32}}}$;

High linear complexity $\lambda$ of the key stream: $2^{31} \cdot (2^{63} - 1) + 1 \ge \lambda \ge 2^{31} + 1$.

SLIDE 15

Properties of ABC circuit: Notes

As a matter of fact we have proved the group of statements for a larger class of A, B, C. Thus, the designer can choose the maps suitable for the specific requirements. Note that the fact that these crucial security properties are proven does not exclude the necessity to analyse the concrete representations of A, B and C with respect to the whole set of cryptographical attacks.

SLIDE 16

ABC: Key dependence, State space

The following values can be (almost) freely defined without worsening the security properties of the resulting ABC mapping:
A: The initial state $z \in \mathbb{Z}/2^{32}\mathbb{Z}$;
B: The coefficients $d_0, d_1 \in \mathbb{Z}/2^{32}\mathbb{Z}$ and initial state $x \in \mathbb{Z}/2^{32}\mathbb{Z}$;
C: The coefficients $e, e_1, \ldots, e_{31} \in \mathbb{Z}/2^{32}\mathbb{Z}$.
NB! All up to restrictions imposed above!
Altogether we have 1195 bits to be freely set. Note that not all the bits have the same impact on the security of the cipher.

SLIDE 17

ABC: Key dependence, Cycles

The ABC stream cipher defines a family of cycles of length $2^{32}(2^{63} - 1)$ words in the following way:
$d_0, d_1, e, e_1, \ldots, e_{31}$ define a concrete cycle of length $P = 2^{32}(2^{63} - 1)$;
$x, z$ select a start point on the cycle defined (exactly $2^{32}(2^{63} - 1)$ variants).

[Diagram labels: $d_0, d_1, e, \{e_i\}_{i=0}^{31}$; $x, z$.]

SLIDE 18

ABC: Speed & Memory consumption

A generic reference C implementation on a standard 3.2 GHz Intel Pentium 4 processor under Linux. Minimum 132 byte memory used.

w    Speed, Gbps    Cycles per byte    Table memory, bytes
2    2.25           11.38              256
4    4.24           6.04               512
8    6.86           3.73               4096

SLIDE 19

ABC: Conclusion

Freedom to choose mappings A, B, C;
Important security properties are proven;
Novel approach to counter-dependence;
High degree of key-dependence;
Key material usage flexibility;
High flexibility in terms of memory consumption;
Extremely high throughput rate of a generic ANSI C implementation - 6.9 Gbps, or 3.7 clocks/byte on a Pentium 4 processor.
