
An Algebraic Approach to the Design of Block Ciphers, José Valença - PowerPoint PPT Presentation



  1. An Algebraic Approach to the Design of Block Ciphers
     José Valença, Óscar Pereira, Tiago Oliveira
     { jmvalenca, oscar, tfaoliveira }@di.uminho.pt
     HASLab, INESC TEC & Univ. of Minho (PT)
     Mathematical Methods for Cryptography, Svolvær, Lofoten, Norway, September 2017

  2. In the beginning...
     ...there was Óscar's MSc thesis. Wanted to build a (symmetric) cipher, using:
     • APNL (Almost Perfect Non-Linear) functions
     • CRT (Chinese Remainder Theorem)
     GOAL: simple algebraic description

  3. And speaking of GOALs...
     We also aim to:
     • be able to formally reason about security
     • have a reasonably efficient implementation
     On the latter goal, we're not quite there yet...

  4. Cipher structure
     • Confusion-Diffusion Permutation (CDP)
     • Round (basically a keyed CDP)
     • Substitution-Permutation Network (SPN): iterated round

  5. CDP version 1
     Diagram: $X_q \xrightarrow{\ \mathrm{mod}\ q\ } \Pi_q \xrightarrow{\ S\ } \Pi_q \xrightarrow{\ \mathrm{crt}_q\ } X_q$
     • $X_q$: the ring $\mathrm{GF}(2)[x]/\langle \Phi_{257} \rangle$, where $\Phi_{257} = 1 + x + x^2 + \cdots + x^{256}$
     • $\Pi_q$: the product ring $\prod_{i=0}^{15} \mathrm{GF}(2)[x]/\langle q_i \rangle$, where each $q_i$ is irreducible of degree 16 (the $q_i$ are the 16 irreducible factors of $\Phi_{257}$ over GF(2), so $\Pi_q \cong X_q$ by the CRT)
     • $S$: layer of S-boxes, aligned with the $q_i$'s

  6. CDP version 1
     (same diagram: $X_q \to \Pi_q \to \Pi_q \to X_q$ via $\mathrm{mod}\ q$, $S$, $\mathrm{crt}_q$)
     Problems:
     • a "good" S-box layer requires a product ring with odd-degree factors (APN power permutations such as $x \mapsto x^3$ exist on $\mathrm{GF}(2^n)$ only for odd $n$), whereas every $q_i$ has degree 16
     • key mixing is also done in $X_q$ ($\cong \Pi_q$), hence it is a block-wise operation, i.e. little actual mixing

  7. CDP version 2
     Diagram: $X_p \xrightarrow{\ \mathrm{mod}\ p\ } \Pi_p \xrightarrow{\ S\ } \Pi_p \xrightarrow{\ \mathrm{crt}_p\ } X_p$
     • $\Pi_p$: product ring $\prod_i \mathrm{GF}(2)[x]/\langle p_i \rangle$, with each $p_i$ irreducible of degree 9 or 11 [$(11 \times 5 + 9) \times 4 = 64 \times 4 = 256$ bits, i.e. 24 factors]
     • $X_p$: the ring $\mathrm{GF}(2)[x]/\langle p \rangle$ with modulus $p = \prod_i p_i$
     This is what is really implemented.

  8. CDP: two views
     Two rows, the implemented CDP over $p$ and the one analysed over $q$:
       $X_p \xrightarrow{\ \mathrm{mod}\ p\ } \Pi_p \xrightarrow{\ S\ } \Pi_p \xrightarrow{\ \mathrm{crt}_p\ } X_p$
       $X_q \xrightarrow{\ \mathrm{mod}\ q\ } \Pi_q \xrightarrow{\ F_S\ } \Pi_q \xrightarrow{\ \mathrm{crt}_q\ } X_q$
     joined vertically by two "lift" arrows and a projection $\pi$; $F_S$ is the map that makes the diagram commute.
     Goal: reduce the analysis to studying $F_S$

  9. Round
     $x \xrightarrow{\ +\mu\ } \cdot \xrightarrow{\ \pi\ } \cdot \xrightarrow{\ \times\nu\ } y$ (add the key $\mu$, apply the permutation $\pi$, multiply by the key $\nu$)
     • Most operations can be stored as pre-computed matrices
     • Multiplicative key: operation done in $X_q$ (not $X_p$)
     • MK: increases the algebraic degree of the equations? (i.e. increases resistance to algebraic cryptanalysis?)
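The CDP of slides 5 and 7 and the keyed round of slide 9, in working code. This is an added example, not the authors' implementation: polynomials over GF(2) are held in Python ints, the block modulus is the product of three small irreducibles of odd degree (3, 5 and 7, chosen here for illustration rather than the degree-9/11 factors of the talk), the S-box on each component is the APN power map $x \mapsto x^3$, and, as a simplification of this toy, both keys $\mu$ and $\nu$ live in the same ring $X_p$ (the talk applies $\nu$ in $X_q$). The exhaustive checks at the end show why slide 6 asks for odd-degree factors: $x^3$ permutes $\mathrm{GF}(2^5)$ but not $\mathrm{GF}(2^4)$.

```python
"""Toy confusion-diffusion permutation (CDP) and keyed round shaped like the
slides: X --mod p--> product ring --S-box layer--> product ring --crt_p--> X.
Added example, not the authors' code.  GF(2)[x] polynomials are ints
(bit i = coefficient of x^i); the moduli below are chosen for illustration."""
from functools import reduce

def deg(a):
    """Degree of a GF(2)[x] polynomial (-1 for the zero polynomial)."""
    return a.bit_length() - 1

def pmul(a, b):
    """Carry-less multiplication in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, m):
    """Long division in GF(2)[x]: (quotient, remainder)."""
    q, dm = 0, deg(m)
    while a and deg(a) >= dm:
        s = deg(a) - dm
        q ^= 1 << s
        a ^= m << s
    return q, a

def pmod(a, m):
    return pdivmod(a, m)[1]

def pinv(a, m):
    """Inverse of a modulo m (extended Euclid); raises if a is not a unit."""
    r0, r1, u0, u1 = m, pmod(a, m), 0, 1
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1, u0, u1 = r1, r, u1, u0 ^ pmul(q, u1)
    if r0 != 1:
        raise ValueError("not a unit")
    return pmod(u0, m)

def ppow(a, e, m):
    """a^e modulo m by square-and-multiply."""
    r, a = 1, pmod(a, m)
    while e:
        if e & 1:
            r = pmod(pmul(r, a), m)
        a = pmod(pmul(a, a), m)
        e >>= 1
    return r

# Three irreducibles of odd degree (3, 5, 7): the "p_i" of a 15-bit toy block.
FACTORS = (0b1011, 0b100101, 0b10000011)      # x^3+x+1, x^5+x^2+1, x^7+x+1
MODULUS = reduce(pmul, FACTORS)                # p = prod p_i, degree 15
BLOCK_BITS = deg(MODULUS)

def crt_basis(factors, m):
    """CRT idempotents e_i: e_i = 1 mod p_i and e_i = 0 mod p_j for j != i."""
    basis = []
    for p in factors:
        mi = pdivmod(m, p)[0]                  # m / p_i, coprime to p_i
        basis.append(pmod(pmul(mi, pinv(mi, p)), m))
    return basis

BASIS = crt_basis(FACTORS, MODULUS)

def to_product(x):
    """The 'mod p' arrow X_p -> Pi_p."""
    return tuple(pmod(x, p) for p in FACTORS)

def from_product(comps):
    """The 'crt_p' arrow Pi_p -> X_p: sum_i c_i * e_i mod p."""
    acc = 0
    for c, e in zip(comps, BASIS):
        acc ^= pmod(pmul(c, e), MODULUS)
    return acc

def sbox(c, p, d=3):
    """One S-box: the power map x -> x^d in GF(2)[x]/<p> (x^3 is APN, and a
    permutation of GF(2^n) iff n is odd)."""
    return ppow(c, d, p)

def sbox_inv(c, p, d=3):
    return ppow(c, pow(d, -1, (1 << deg(p)) - 1), p)

def cdp(x):
    return from_product(tuple(sbox(c, p) for c, p in zip(to_product(x), FACTORS)))

def cdp_inv(y):
    return from_product(tuple(sbox_inv(c, p) for c, p in zip(to_product(y), FACTORS)))

def is_unit(nu):
    """nu is invertible mod p iff it vanishes modulo none of the p_i."""
    return all(pmod(nu, p) != 0 for p in FACTORS)

def round_enc(x, mu, nu):
    """One keyed round y = CDP(x + mu) * nu.  Toy assumption: both keys are
    reduced in X_p (the talk applies the multiplicative key in X_q)."""
    if not is_unit(nu):
        raise ValueError("multiplicative key must be a unit")
    return pmod(pmul(cdp(x ^ mu), nu), MODULUS)

def round_dec(y, mu, nu):
    return cdp_inv(pmod(pmul(y, pinv(nu, MODULUS)), MODULUS)) ^ mu

def power_map_is_permutation(p, d=3):
    """Exhaustive check of the S-box on GF(2)[x]/<p>."""
    n = deg(p)
    return len({ppow(c, d, p) for c in range(1 << n)}) == 1 << n

def cdp_is_permutation():
    return len({cdp(x) for x in range(1 << BLOCK_BITS)}) == 1 << BLOCK_BITS

if __name__ == "__main__":
    print("x^3 permutes GF(2^5):", power_map_is_permutation(0b100101))
    print("x^3 permutes GF(2^4):", power_map_is_permutation(0b10011))  # even degree
    print("CDP permutes 15-bit blocks:", cdp_is_permutation())
```

`round_enc`/`round_dec` refuse a multiplicative key that is not a unit: since $p$ is square-free, $\nu$ is invertible exactly when it is nonzero modulo every $p_i$, which is the check `is_unit` performs before the key is used.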

  10. Is it secure? A tentative argument...
     • APNL / AB (almost bent) functions strengthen differential immunity
       ◦ and, to some extent, linear immunity...
     • Niho exponents (APNL power functions) increase algebraic immunity (cf. J. Cheon and D.H. Lee, "Almost Perfect Nonlinear Power Functions and Algebraic Attacks", 2004)

  11. Three ending notes
     • More of a "framework for ciphers" than a cipher per se
     • Diffusion matrices
     • A (tentative) lattice-based attack

  12. Diffusion matrices
     Probability of output weight $r$ when the input has weight $\ell$?
     • $\langle F \rangle = \Pr[F \neq 0]$
     • $\psi_r(x) = 1$ iff $\mathrm{hw}(x) = r$
     • $DM_{\ell,r} = \langle (\psi_r \circ F) \times \psi_\ell \rangle / \langle \psi_\ell \rangle$, i.e. $\Pr[\mathrm{hw}(F(x)) = r \mid \mathrm{hw}(x) = \ell]$
     • Spheres not centred at 0: flipping bits in arbitrary vectors
     • Size is $(n+1) \times (n+1)$!
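The two matrices of slide 12 computed exhaustively for a small map, as an added example (not the authors' code). `diffusion_matrix` is $DM_{\ell,r}$ with spheres centred at 0; `avalanche_matrix` is the "spheres not centred at 0" variant, where a weight-$\ell$ pattern is flipped into an arbitrary vector and the weight of the output difference is tallied. `F` is any function on $n$-bit values passed as a Python callable; the 4-bit PRESENT S-box is used here only as a concrete, well-known $F$ (it is not from the talk), and the identity map serves as the sanity check for which $DM$ must be the identity matrix.

```python
"""Diffusion matrices as on the slide: DM[l][r] = <(psi_r o F) * psi_l> / <psi_l>,
the probability that the output has Hamming weight r given input weight l.
Added example, not the authors' code."""
from fractions import Fraction

def hw(x):
    return bin(x).count("1")

def _normalise(counts):
    """Turn per-row tallies into conditional probabilities (each row sums to 1)."""
    return [[Fraction(c, sum(row)) for c in row] for row in counts]

def diffusion_matrix(F, n):
    """Spheres centred at 0: <psi_l> counts the inputs of weight l, the numerator
    those among them whose image has weight r (the common 2^-n factor cancels)."""
    counts = [[0] * (n + 1) for _ in range(n + 1)]
    for x in range(1 << n):
        counts[hw(x)][hw(F(x))] += 1
    return _normalise(counts)

def avalanche_matrix(F, n):
    """Spheres not centred at 0: flip a weight-l pattern d into every x and
    tally the weight of the output difference F(x ^ d) ^ F(x)."""
    counts = [[0] * (n + 1) for _ in range(n + 1)]
    for d in range(1 << n):
        for x in range(1 << n):
            counts[hw(d)][hw(F(x ^ d) ^ F(x))] += 1
    return _normalise(counts)

def expected_output_weight(matrix):
    """E[hw(output) | hw(input) = l] for each row, a one-number summary per row."""
    return [sum(r * p for r, p in enumerate(row)) for row in matrix]

# 4-bit S-box of the PRESENT block cipher, used here only as a sample F.
PRESENT_SBOX = (0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2)

def present_sbox(x):
    return PRESENT_SBOX[x]

if __name__ == "__main__":
    for name, F in (("identity", lambda x: x), ("PRESENT S-box", present_sbox)):
        for label, M in (("DM", diffusion_matrix(F, 4)), ("avalanche", avalanche_matrix(F, 4))):
            print(f"{name}, {label}:")
            for l, row in enumerate(M):
                print(f"  l={l}: " + " ".join(f"{float(p):.3f}" for p in row))
```

For a linear $F$ the two matrices coincide, because $F(x \oplus d) \oplus F(x) = F(d)$; for a bijection the first column of the avalanche matrix is zero below row 0, since a nonzero input difference can never produce a zero output difference. The exhaustive loops are fine for a single S-box; for a full block the same code would have to sample $x$ rather than enumerate it.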

  13. The lattice attack (KPA)
     $x \xrightarrow{\ +\mu\ } \cdot \xrightarrow{\ S:\ x \mapsto x^d\ } s \xrightarrow{\ \times\nu\ } y$, the first two steps taken mod $p$ and the last mod $q$:
       $s = (x + \mu)^d \pmod p$
       $y = s \times \nu \pmod q$
     • Resembles Coppersmith ($\deg(s, \mu, \nu) <$ blocksize)
     • Extends Cohn & Heninger (2013)

  14. So to conclude...
     Feedback is welcome on:
     • Efficiency improvements
     • The algebraic aspects (starting with the multiplicative keys)

  15. Questions...
