The Design of Cryptographic S-Boxes using CSPs

SLIDE 1

The Design of Cryptographic S-Boxes using CSPs

Venkatesh Ramamoorthy, Marius C. Silaghi, Toshihiro Matsui, Katsutoshi Hirayama, and Makoto Yokoo

SLIDE 2

Substitution-Permutation Network

• Proposed by Claude Shannon [1948].
• All Feistel Ciphers
  • Data Encryption Standard, 3-DES
  • Blowfish, Twofish, Camellia, RC5
• Advanced Encryption Standard
• International Data Encryption Algorithm (IDEA)
• Linear Permutations – Diffusion
• Nonlinear Substitution – Confusion (S-Boxes)
  • any linearity helps attackers
  • designed via a combinatorial problem

SLIDE 3

S-P Networks and the Feistel Cipher

S-P Network: invertible substitution, permutation.

Feistel: F function need not be invertible. Any F leads to a “sound” cipher. Needs more rounds.

$S(L, R) = (L \oplus F(R),\ R)$

$S^{-1}(L', R') = (L' \oplus F(R'),\ R')$

SLIDE 4

The Function F of 3-DES

[Figure: the function F, with labels "Expansion" and "The eight S-Boxes"]

SLIDE 5

Example: The 3-DES 6 × 4 S-Box S8

Row \ Column
     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
1    1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
2    7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
3    2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11

Applying S8 on 44 yields 14:

• Input: $44_{10} = 101100_2$
• Leftmost and rightmost bits: $10_2 = 2_{10}$, so Row 2
• Four middle bits: $0110_2 = 6_{10}$, so Column 6
• Output: $14_{10} = 1110_2$

SLIDE 6

Major Attacks

• S-box design criteria developed as answer to attacks.
• Early Feistel cipher (Lucifer) weakness found [’74]
• [DES; 76]
• Differential Cryptanalysis [Biham, Shamir; 1993]
  • not new in 1993, but had been classified [Coppersmith; 1994]
  • still somewhat successful on DES because its avoidance requires solving a hard combinatorial design problem
  • we model it as a CSP!
• Linear Cryptanalysis [Matsui; 1994]
  • A more efficient exploit of the same weaknesses (with minor twists)
  • Same avoidance strategy (hard combinatorial design problem)

SLIDE 7

3-DES S-Box Criteria (Coppersmith, 1994)

• The criteria, labeled S-1 to S-7, are stated as follows:

S-1: Each S-box has six bits of input and four bits of output.

S-2: No output bit of an S-box should be close to a linear function of the input bits.

S-3: If we fix the leftmost and rightmost input bits of the S-box and vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities.

S-4: If two inputs to an S-box differ in exactly one bit, the outputs must differ in at least two bits. (Avalanche)

S-5: If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits.

S-6: If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same.

S-7: For any nonzero 6-bit difference between inputs, $\Delta I_{i,j}$, no more than eight of the 32 pairs of inputs exhibiting $\Delta I_{i,j}$ may result in the same output difference $\Delta O_{i,j}$.

SLIDE 8

Why is S-Box Design an important Problem?

• S-Boxes for security
  • They form the only nonlinear operation in an encryption process (all other operations being linear)
  • Each successful linearization approximation can help break a few bits of the key
• A known hard problem
  • Toy instances solved fast, but not real world instances
• Existing methodologies are suboptimal
  • They did not find the “strongest” S-boxes
  • as we illustrate using CSPs

SLIDE 9

Previous Methods for S-Box Design

• Hand-assembled
  • Example: 3-DES
• Math functions known as difficult to analyze
  • Example: $GF(2^k)$ Inversion (AES), Bent Functions
• Generate-And-Test, Random Assignments
  • Using Genetic Algorithms (with Hill Climbing and Simulated Annealing to guide S-Box search) [2003-2006]
  • Capturing randomness from security protocols, keys [2008]
  • Using Cellular Automata [2010]

SLIDE 10

n × m S-Box Design Using CSPs

• Model each S-Box criterion into constraints
• Set of variables: $X = \{x_0, x_1, \ldots, x_{2^n - 1}\}$
• Domains (identical): $D = \{0, 1, \ldots, 2^m - 1\}$
• The constraints model the security criteria
• Any solution to the CSP can be used as an S-Box
• Security to known attacks optimized with a soft constraint
• An assignment of a value from D to a variable $x_i$ in X
  • Represents the S-Box output for input i
  • In the sample 3-DES S-Box S8, for example, $x_{44} = 14$

SLIDE 11

S-1: Implicit Constraint

• S-1: Each S-box has six bits of input and four bits of output
• This constraint is implicit in the CSP formulation
  • n input bits → $2^n$ variables.
  • m output bits → domain size $2^m$.

SLIDE 12

The Nonlinearity Criterion S-2

S-2: Any (subsets of) output bits should be independent of any (subset of) input bits

• Gives rise to Matsui’s quality metric of an S-Box
• Linearization Effectiveness: X( )
  • X – a set of variables
  • Φ – the S-box function (assignment to variables in X)
• linearity if:
  • some linear function “=” selected outputs (for all inputs)
  • some linear function “≠” selected outputs (for all inputs)
• nonlinearity if:
  • any linear function “=” selected outputs (for half of inputs)

SLIDE 13

Example nonlinearity evaluation

• Take the function Φ: {0,1} × {0,1} → {0,1}
• Count the number of linearization hits:

$a_0, a_1:\ \left|\{(x_0, x_1) \mid a_0 x_0 \oplus a_1 x_1 = \Phi(x)\}\right| - 2^2/2$

• Function Φ(x0,x1) = 1,0,1,1 has score X( ) = 1

x0  x1  y
0   0   1
0   1   0
1   0   1
1   1   1

a0  a1  x=00  x=01  x=10  x=11  #  #-2²/2  score
0   0   0≠1   0=0   0≠1   0≠1   1    -1      1
0   1   0≠1   1≠0   0≠1   1=1   1    -1      1
1   0   0≠1   0=0   1=1   1=1   3     1      1
1   1   0≠1   1≠0   1=1   0≠1   1    -1      1

SLIDE 14

Implementing S-2

• S-2 is a soft constraint.
• We need to minimize the Linearization Effectiveness
• We convert it into a hard constraint by fixing a threshold ( ≤ |X|/2) on it

X( ) ≤

• Projected into smaller arity constraints for propagation. [Soft’11]

SLIDE 15

3-DES Criterion S-3

• S-3: If we fix the leftmost and rightmost input bits of the S-box and vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities.
• AllDiff($x_0, x_2, \ldots, x_{28}, x_{30}$), AllDiff($x_1, x_3, \ldots, x_{29}, x_{31}$),
• AllDiff($x_{32}, x_{34}, \ldots, x_{60}, x_{62}$), AllDiff($x_{33}, x_{35}, \ldots, x_{61}, x_{63}$)

SLIDE 16

3-DES Criterion S-4 (Avalanche)

• The 3-DES Criterion S-4: If any two inputs i and j to a 6 × 4 S-Box differ in one bit, its corresponding outputs should differ by at least two bits.
• Binary Constraints for S-4 in First Order Logic form:

$\forall i, j \in [0, 2^6):\ wt(i \oplus j) = 1 \Rightarrow wt(x_i \oplus x_j) \ge 2$

$a \oplus b$ = bit-wise exclusive-OR of integers a and b

wt = Hamming weight

SLIDE 17

3-DES Criterion S-5

• The 3-DES Criterion S-5: If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits
• Binary Constraints for S-5 in First Order Logic form:

$(\forall i, j)\ 0 \le i, j < 64 \ \wedge\ i \ne j \ \wedge\ |i \oplus j| = 001100_2 \ \Rightarrow\ wt(x_i \oplus x_j) \ge 2$

$a \oplus b$ = bit-wise exclusive-OR of integers a and b

wt = Hamming weight

SLIDE 18

3-DES Criterion S-6

• The 3-DES Criterion S-6: If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same
• Binary Constraints for S-6 in First Order Logic:

$(\forall i, j)\ 0 \le i < j < 64 \ \wedge\ (|i \oplus j| \wedge 110011_2) = 110000_2 \ \Rightarrow\ x_i \ne x_j$

$a \oplus b$ = bit-wise exclusive-OR of integers a and b

wt = Hamming weight

SLIDE 19

3-DES Criterion S-7

• S-7: For any nonzero 6-bit difference between inputs, $\Delta I_{i,j}$, no more than eight of the 32 pairs of inputs exhibiting $\Delta I_{i,j}$ may result in the same output difference $\Delta O_{i,j}$.
• Global constraint, projected on any subset of at least 17 variables.
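
The hard constraints S-3 to S-7 and the slide-13 hit count can be evaluated directly on an assignment $x_0, \ldots, x_{63}$. The following Python is an added example, not code from the presentation: the function names are hypothetical, the table is the DES S-box S8 of slide 5, and the index convention (outer bits select the row, so $x_{44} = 14$) follows slides 5 and 10.

```python
# DES S-box S8 from slide 5: rows are selected by the two outer input bits,
# columns by the four middle bits.
S8_ROWS = [
    [13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
    [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
    [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
    [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11],
]

def to_variables(rows):
    """Flatten a 4x16 table into the CSP assignment x_0 .. x_63 (slide 10)."""
    return [rows[((i >> 5) << 1) | (i & 1)][(i >> 1) & 0xF] for i in range(64)]

def wt(v):
    """Hamming weight."""
    return bin(v).count("1")

def check_criteria(x):
    """Evaluate the hard constraints S-3 .. S-7 on an assignment x."""
    pairs = [(i, j) for i in range(64) for j in range(i + 1, 64)]
    outer_patterns = (0b000000, 0b000001, 0b100000, 0b100001)
    s3 = all(len({x[i] for i in range(64) if (i & 0b100001) == p}) == 16
             for p in outer_patterns)  # the four AllDiff constraints
    s4 = all(wt(x[i] ^ x[j]) >= 2 for i, j in pairs if wt(i ^ j) == 1)
    s5 = all(wt(x[i] ^ x[j]) >= 2 for i, j in pairs if (i ^ j) == 0b001100)
    s6 = all(x[i] != x[j] for i, j in pairs
             if ((i ^ j) & 0b110011) == 0b110000)
    s7 = True
    for d in range(1, 64):  # every nonzero input difference
        counts = {}
        for i in range(64):
            if i < (i ^ d):  # visit each of the 32 unordered pairs once
                out = x[i] ^ x[i ^ d]
                counts[out] = counts.get(out, 0) + 1
        s7 = s7 and max(counts.values()) <= 8
    return {"S-3": s3, "S-4": s4, "S-5": s5, "S-6": s6, "S-7": s7}

def linear_hits(phi, n):
    """Per input mask a, count inputs v with parity(a & v) == phi[v]."""
    return [sum((wt(a & v) & 1) == phi[v] for v in range(2 ** n))
            for a in range(2 ** n)]

def score(phi, n):
    """Slide-13 score of a one-bit function: max |hits - 2^n / 2|."""
    return max(abs(h - 2 ** n // 2) for h in linear_hits(phi, n))

if __name__ == "__main__":
    print(check_criteria(to_variables(S8_ROWS)))
    print(linear_hits([1, 0, 1, 1], 2), score([1, 0, 1, 1], 2))
```

A purely linear assignment such as `[i & 0xF for i in range(64)]` fails S-3, S-4, S-6 and S-7, which is the kind of candidate the constraints prune during search.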

SLIDE 20

Challenges in CSP-Based S-Box Modeling

• Addressing inputs and outputs at the bit level
  • Not well supported in the conventional CP solvers tried first (particularly the nonlinearity requirement).
  • We employed a MAC solver based on AC2001
• Comparing certain heuristics with nice properties (completeness) but that found no solution so far.
  • We quantified the search space traversed on given ordering

Sp

n m

xi 2m

X i 1 i 0 X ' 1

SLIDE 21

Heuristics for 6 × 4 S-Boxes

• Three Heuristics reported here
  • HS(64, ) – n-ary constraints evaluated at the end
  • HC(64, ) – an incremental n-ary (projections of S-2 and S-7)
  • HI(64, ) – an incremental n-ary, that skips the less promising search areas (becoming incomplete).
• Threshold values for
  • = 16 for HS(64, ) and HC(64, )
  • = 16, 10 for HI(64, )

SLIDE 22

Results for 6 × 4 S-Boxes

• Performance of Heuristics
  • HC(64, 16) proceeded 20 – 200 times faster than HS(64,16)

SLIDE 23

Results for 6 × 4 S-Boxes

• Quality metric (score) of obtained S-Boxes
  • HI(64,10) yielded a number of S-Boxes with a score equal to 8
  • Score “better” (more secure) than the “worst” 3-DES S-Box S7
  • The score of S-Box S7 is found to be equal to 18
  • Best previous score was 10
  • 3,600 such S-Boxes found in 1 hour
  • Increased to more than 13,500 in 5 hours
  • The score 8 proves to be
    • easy for the CSP search with incomplete heuristic!!
    • unreachable for the complete heuristics, prior techniques

SLIDE 24

A 6 × 4 S-Box Generated by our CSP Solver

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 3 5 6 9 10 15 12 7 4 14 13 2 1 8 11 1 3 6 5 10 9 12 15 4 7 13 14 1 2 11 8 2 3 15 12 5 9 10 6 4 8 11 7 14 2 1 13 3 9 5 15 3 12 6 10 7 11 8 4 2 14 13 1

S-Box with Score = 8

SLIDE 25

Conclusions and Extensions

• CSP is the natural way to model S-Box criteria
• CSPs model complex requirements such as 3-DES security constraints
  • Particularly nonlinearity
• CSPs aid us in obtaining “stronger” (more secure) S-Boxes (compared to 3-DES)
• Easily extensible to include
  • various special security requirements as newer constraints,
  • other S-box sizes

SLIDE 26

Questions?
