The 128-bit Blockcipher CLEFIA
Taizo Shirai (1), Kyoji Shibutani (1), Toru Akishita (1), Shiho Moriai (1), Tetsu Iwata (2)
(1) Sony Corporation, (2) Nagoya University
Direction for designing a new blockcipher
Priority for choosing an algorithm:
1. Security
2. Implementation cost and encryption speed
[Figure: Algorithm X and Algorithm Y compared on three axes: Security, Speed, Low cost]
Target Category of CLEFIA
Hardware Oriented
• Smartcard, RFID
• HIGHT, ICEBERG, Streamciphers
Balanced (general-purpose)
• Widely used in many products
• AES, Serpent, Camellia, FOX, …
Software Oriented
• Servers for Huge Data Processing
• RC6, SEA, Streamciphers
The Blockcipher CLEFIA
Basic Information
• Block Length : 128-bit
• Key Length : 128-bit, 192-bit, 256-bit
• Structure : 4-branch generalized Feistel (Type-II)
• Number of Rounds : 18 (128-bit key), 22 (192-bit key), 26 (256-bit key)
[Figure: overall structure. The Key enters the Key Scheduling Part (a reduced Data Processing Part followed by repeated Bit Permutations); the Plaintext passes through the Data Processing Part (rounds of F0 and F1) to produce the Ciphertext.]
SP-type F-functions
Round function: four 32-bit branches, with round keys RK_{2i} and RK_{2i+1} feeding the F-functions F0 and F1.
F0: four 8-bit S-boxes in the order S0, S1, S0, S1, followed by the diffusion matrix
    01 02 04 06
    02 01 06 04
    04 06 01 02
    06 04 02 01
F1: four 8-bit S-boxes in the order S1, S0, S1, S0, followed by the diffusion matrix
    01 08 02 0a
    08 01 0a 02
    02 0a 01 08
    0a 02 08 01
What's New in CLEFIA
1. Combination of
  • Diffusion Switching Mechanism (DSM), and
  • Type-II generalized Feistel structure (GFN)
2. Two S-boxes System
3. Enhanced Key Scheduling Part
2-branch Feistel vs. 4-branch Feistel
Feistel Structure (two 64-bit branches)
  + Better Diffusion
  - Large F-function
4-branch type-II generalized Feistel Structure (GFN) (four 32-bit branches)
  - Slow diffusion requires more rounds
  + Compact F-function
What is Diffusion Switching Mechanism (DSM)?
• DSM enhances the diffusion efficiency of the Feistel structure
• It strengthens the cipher against
  • differential attack, and
  • linear attack
  by switching plural diffusion matrices in the F-functions
Optimal Diffusion Mappings (MDS matrices)
• M1, M2
• The concatenation M1 || M2 is also an optimal diffusion mapping
References
• Shirai, Shibutani@FSE04
• Shirai, Preneel@Asiacrypt04
• Shirai, Shibutani@FSE06
[Figure: Feistel rounds whose F-functions use M1 and M2 in alternation]
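The DSM condition above can be checked directly for the two F-function matrices shown on the SP-type F-functions slide. This is an added example, not taken from the slides: it tests that every square submatrix is nonsingular over GF(2^8), which is equivalent to a maximal branch number. The names M0 and M1, the helper functions, and the field polynomial 0x11D (taken from the CLEFIA specification) are assumptions of the example.

```python
from itertools import combinations

POLY = 0x11D  # z^8+z^4+z^3+z^2+1: from the CLEFIA specification, not on the slides
# Matrices as printed on the F-function slide; M0/M1 are names chosen for this example.
M0 = [[0x01, 0x02, 0x04, 0x06], [0x02, 0x01, 0x06, 0x04],
      [0x04, 0x06, 0x01, 0x02], [0x06, 0x04, 0x02, 0x01]]  # used in F0
M1 = [[0x01, 0x08, 0x02, 0x0A], [0x08, 0x01, 0x0A, 0x02],
      [0x02, 0x0A, 0x01, 0x08], [0x0A, 0x02, 0x08, 0x01]]  # used in F1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """Inverse of a nonzero byte, computed as a^254."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def nonsingular(m):
    """Gaussian elimination over GF(2^8); True if the square matrix has full rank."""
    m = [row[:] for row in m]
    n = len(m)
    for c in range(n):
        p = next((r for r in range(c, n) if m[r][c]), None)
        if p is None:
            return False
        m[c], m[p] = m[p], m[c]
        inv = gf_inv(m[c][c])
        for r in range(c + 1, n):
            f = gf_mul(m[r][c], inv)
            for k in range(c, n):
                m[r][k] ^= gf_mul(f, m[c][k])
    return True

def is_optimal_diffusion(m):
    """Branch number is maximal (rows + 1) iff every square submatrix is nonsingular."""
    rows, cols = range(len(m)), range(len(m[0]))
    return all(nonsingular([[m[r][c] for c in cs] for r in rs])
               for k in range(1, len(m) + 1)
               for rs in combinations(rows, k) for cs in combinations(cols, k))

def concat(a, b):
    """Column-wise concatenation a || b."""
    return [ra + rb for ra, rb in zip(a, b)]
```

Calling `is_optimal_diffusion(concat(M0, M0))` serves as the negative control: repeating one matrix leaves duplicate columns, so the concatenation is no longer optimal, which is the case switching avoids.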
4-branch GFN + DSM
• DSM is suitable to 4-branch GFN
  • No need for round depending Switching
• Effect of reducing the number of rounds
  • Reducing about 30% of number of rounds in CLEFIA's case
[Figure: two 4-branch GFN diagrams. With DSM: F0 and F1 alternate. Without DSM: a single F-function F throughout.]
Estimation of active S-boxes
S-box : S0
• $DP_{\max} = 2^{-4.67}$, and $28 \times 4.67 = 130.76 > 128$
• $LP_{\max} = 2^{-4.38}$, and $30 \times 4.38 = 131.4 > 128$
[Figure labels: 128-bit key, 192-bit key, 256-bit key, Minimum Requirement]
2 S-box system
• CLEFIA employs 2 different 8-bit S-boxes
S0
• $DP_{\max} = 2^{-4.67}$, $LP_{\max} = 2^{-4.38}$
• Based on 4-bit S-boxes SS0, SS1, SS2, SS3 and the matrix (1 2 ; 2 1) (Whirlpool, FOX)
S1
• $DP_{\max} = 2^{-6}$, $LP_{\max} = 2^{-6}$
• Based on Inversion over GF(2^8), between the 8-bit mappings f and g (AES, Camellia)
[Figure: byte oriented saturation transition through S0 and S1, with states All, Const, Balance]
Key Scheduling Part of CLEFIA (Concept)
Key -> Reduced-round Data Processing Part -> round keys, with a Bit Permutation between successive groups:
• RK0,..,RK3
• RK4,..,RK7
• RK8,..,RK11
• RK12,..,RK15
• RK16,..,RK19
• RK20,..,RK23
• :
Key Scheduling Part of CLEFIA (128-bit key)
• Key -> 12-round 4-branch GFN (F0, F1), 28 diff. Active S-boxes
• Bit Permutation = "DoubleSwap" function: A B C D -> B D A C
• Round keys, with a Bit Permutation between successive groups: RK0,..,RK3; RK4,..,RK7; RK8,..,RK11; RK12,..,RK15; RK16,..,RK19; RK20,..,RK23; :
Key Scheduling Part of CLEFIA (192,256-bit key)
• Key -> 10-round 8-branch GFN (F0, F1, F0, F1 in each round), 29 diff. Active S-boxes
• Round keys, with a Bit Permutation between successive groups: RK0,..,RK7; RK8,..,RK15; RK16,..,RK31; RK32,..,RK47; :
Security Evaluation (excerpt)
Attacks considered:
1. Differential Cryptanalysis
2. Linear Cryptanalysis
3. Differential-Linear Cryptanalysis
4. Boomerang Attack
5. Amplified Boomerang Attack
6. Rectangle Attack
7. Truncated Differential Cryptanalysis
8. Truncated Linear Cryptanalysis
9. Impossible Differential Cryptanalysis
10. Saturation Cryptanalysis
11. Higher Order Differential Cryptanalysis
12. Interpolation Cryptanalysis
13. XSL Attack
14. Chi-Square Cryptanalysis
15. Slide Attack
16. Related-Cipher Cryptanalysis
17. Related-Key Cryptanalysis
18. Related-Key Boomerang Cryptanalysis
19. Related-Key Rectangle Cryptanalysis
20. Collision Attack
[Data Processing Part]
• Differential Attack
  • 12-round has 28 differential active S-boxes
• Linear Attack
  • 12-round has 29 linear active S-boxes
• Impossible Differential Attack
  • Found 9-round Impossible Diff paths
• Saturation Attack
  • Found 6-round Saturation paths, 10-round attack
[Key Scheduling Part]
• Related-key type Attacks
  • Expected to be difficult due to many active S-boxes
Performance : Software
Estimation
• 90% of AES operations + dependency
  • 144 S-boxes in CLEFIA vs. 160 S-boxes in AES (128-bit key)
Current Experimental Results on Athlon 64 in assembly
Performance : Hardware
Reasons for the Compactness
• 4-branch GFN
• F-functions can be shared by Data Processing Part and Key Scheduling Part
• Small footprint S-box and Matrices

| Type of Implementation | Algorithm | Process Rule | Cycle | Gate Size | Throughput [Mbps] | Efficiency* [Throughput / gate] | Ref |
| Compact | CLEFIA   | 0.09 μm | 36 | 4,993  | 677   | 135    |      |
| Compact | AES      | 0.13 μm | 54 | 5,398  | 311   | 85.5*  | [20] |
| Compact | Camellia | 0.13 μm | 44 | 6,511  | 325   | 75*    | [20] |
| Speed   | CLEFIA   | 0.09 μm | 18 | 6,061  | 1,424 | 235    |      |
| Speed   | AES      | 0.13 μm | 11 | 12,454 | 1,691 | 202.5* | [20] |
| Speed   | Camellia | 0.13 μm | 22 | 10,993 | 971   | 132*   | [20] |

*The values of efficiency are adjusted by multiplying 1.5 by taking the difference of process into account
Conclusion
• Proposed a new blockcipher CLEFIA
  • DSM + 4-branch Feistel, Two S-boxes, Enhanced Key Schedule, etc.
• Confirmed Potential ability for compact and fast implementations
  • Software – One of the fastest ciphers
  • Hardware – Achieved the best efficiency among known general-purpose blockciphers.
• Keeping enough security margin against all known attacks
Analysis of CLEFIA is very welcome!