MATRIX POWER S-BOX ANALYSIS 1. Kestutis Luksys, Petras Nefas

Transcription

1 International Book Series "Inforation Science and Coputing" 97 MATRIX POWER S-BOX ANALYSIS Keutis Luksys, Petras Nefas Abract: Conruction of syetric cipher S-bo based on atri power function and dependant on key is analyzed. The atri consiing of plain data bit rings is cobined with three round key atrices using arithetical addition and eponent operations. The atri power eans the atri powered by other atri. This operation is linked with two sound one-way functions: the discrete logarith proble and decoposition proble. The latter is used in the infinite non-coutative group based public key cryptosyes. The atheatical description of proposed S-bo in its nature possesses a good confusion and diffusion properties and contains variables of a cople type as was forulated by Shannon. Core properties of atri power operation are forulated and proven. Soe preliinary cryptographic characteriics of conructed S-bo are calculated. Keywords: Matri power, syetric encryption, S-bo. ACM Classification Keywords: E.3 Data Encryption, F.2. Nuerical Algoriths and Probles. Conference: The paper is selected fro Sith International Conference on Inforation Research and Applications i.tech 2008, Varna, Bulgaria, June-July 2008 Introduction As it is known, the design criteria for the block ciphers as for other cryptographic syes are related with the known cryptoanalytic attacks. It is essential that after the new attack invention the old design criteria u be changed. Traditional design criteria are oriented to the o powerful attacks such as linear and differential and were successfully satisfied for the several known ciphers, for eaple AES, Serpent, Caellia Miy/Kasui etc. It was shown that the non-linearity properties of the inverse function in GF(2 n ) used as a single non-linear coponent in AES are close to optiality with respect to linear, differential and higher-order differential attacks [Canteaut and Videau, 2002]. But nevertheless it is shown that any known optial ciphers have a very siple algebraic ructure and are potentially vulnerable to the algebraic attack. This attack was declared in [Schauuller-Bihl, 983] and developed in [Courtois and Pieprzyk, 2002]. The vulnerability is related to S-bo description by iplicit input/output and key variables algebraic equations of polynoial type. For eaple the AES can be described by the sye of ultivariate quadratic equations in GF (2 8 ) for which the XL or XSL attack can be applied in principle. Then there is a principal opportunity to find the solution of these equations by soe feasible algorith that ight be of subeponential tie and recover the key fro a few plaintet/ciphertet pairs. The algebraic attack changes soe old security poulates [Courtois, 2005]:. The copleity is no longer condened to grow eponentially with the nuber of rounds. 2. The nuber of required plaintets ay be quite sall (e.g. ). 3. The wide trail rategy should have no ipact whatsoever for the copleity of the attack. Despite the fact that there are no practical results of breaking the entire AES by algebraic attack yet, it is sensible to build the new design ethods possessing a higher resiance to algebraic attack. According to Courtois the design of ciphers will never be the sae again and this is supported by the declared new ideas for the S-bo Work supported by the Lithuanian State Science and Studies Foundation

2 98 Advanced Studies in Software and Knowledge Engineering conruction laying on the sufficiently large rando S-boes to prevent all algebraic attacks one can think [Courtois et al., 2005]. In this paper we further discus so called atri power operation introduced in [Sakalauskas and Luksys, 2007] for a atri power S-bo conruction. Matri power S-bo is based on odular eponentiation over GF(2 n ). This leads to soe generalization of discrete logarith proble (DLP) using a atri group action proble over Galois field. The idea to use the group or seigroup action proble in vectorial spaces for the asyetric cryptographic priitives conruction can be found in [Monico, 2002]. We have generalized this approach and applied it to our S-bo conruction. As a result we have obtained soe one way function (OWF) which is linked not only with a classical DLP but also with so called decoposition proble (DP), used in the asyetric cryptosyes based on the hard probles in infinite non-coutative groups [Shpilrain and Ushakov, 2005]. The sae kind of DP is used also in digital signature schee and key agreeent protocol conruction [Sakalauskas, 2005] and [Sakalauskas et al., 2007]. Preliinaries Let us define atrices over GF(2 n ). The set of all those atrices over GF(2 n ) we denote as M. Plaintet and ciphertet data is represented in this set. We do not introduce any internal operations in the set M. For further considerations we are intereed only in eternal operations perfored in this set. Let M G be a group of atrices over N 2 n with the coonly defined atri ultiplication operation and atri inverse. Keys atrices should be chosen fro M G. Matri group M G left and right action operations in the set M are denoted by and respectively. In a foral way is a apping : M G M M and : M M G M. Then L, R M G and X M there ei soe Y, Z M such that L X Y and X R Z. The eleents of atrices L, X, R, Y and Z we denote by the indeed set of its eleents respectively, i.e. by { } we denote atri X. We have chosen the following action operations which can be written for the atri equation L X Y eleents y s l is sj, () and for the atri equation X R Z eleents z t rtj it. (2) The ultiplication and power operations are perfored using GF (2 n ) arithetic, i.e. odulo irreducible polynoial. Eaple. To give a siple eaple, let us assue that all atrices have two rows and two coluns, i.e. 2. In this case, atri Y can be epressed in the following way l l2 l l l 2 l Y L X l2 l22 l2 l22. l 2 l Matri Z can be epressed in the following way r r2 r2 r 22 2 r r2 2 2 Z X R r r r 2 22 r2 r

3 International Book Series "Inforation Science and Coputing" 99 Matri power S-bo The S-bo input data we denote by atri D with eleents being binary rings in vector space F 2. n Using the certain key epansion procedure we can generate the round keys for encryption: atri K over F 2 and atrices L, R M G. Input/output and key atrices are all of the sae size. S-bo transforations of input data D to ciphered output data C are perfored as follows: D + K + X, (3) L X R C, (4) where D + K + denotes the ordinary arithetical addition of atrices odulo 2 n ; is the atri consiing of arithetical unity eleents in. Cobining (3) and (4) we obtain n F 2 L (D + K + ) R C. (5) Fro (3) we obtain a atri X M which does not contain zero eleents, i.e. is without zero binary rings. This is necessary because of ultiplications. If there would be at lea one zero eleent, then ciphertet will be zero atri. We can write now the iplicit forula for an eleent c : c t s lis rtj t s where is a bit ring corresponding to arithetical unit in l r is tj ( d + k + ), (6) Since M G is a group of atrices, then there eis the inverse atri R such that RR R R I, where I is the identity atri. Decryption operation can be written siilarly to (5): L C R K D. (7) Resulting atri of inverse S-bo can be epressed like this: d where { / t s l r n F 2. is tl c k, (8) / l } L and { r } R. Thus, we have to be able to calculate inverse atrices of L and R keys for decryption. Key atri K reains the sae, only during decryption ordinary subtraction is used inead of addition. For the validity of the la equations the left-right action operations u satisfy the following properties:. The action operations u be associative, i.e. L 2 (L X) (L 2 L ) X, (9a) (X R ) R 2 X (R R 2 ). (9b) 2. The action operations are both left and right invertible, i.e. L (L X) (L L) X I X X, (0a) (X R ) R X (R R) X I X. (0b) Theore. The action operations are associative. Proof. Let us consider encryption and decryption schee with plaintet atri X, key atries L and R, their inverse atrices L and R and cipher tet atri C. According to (4) and (7), following relations should be true: L X R C, L C R X. n

4 00 Advanced Studies in Software and Knowledge Engineering For the siplicity, we oit atri K here and consider that atri X has no zero eleents. This does not affect generality because atri K is added before atri power operation and subtracted after, in case of inverse S- bo. Then plaintet atri X can be epressed following way: X L C R v u t s Thus we receive that L t s ( L X R) lus rtv l iu rvj / / lus l iu rtv rvj u v R L t s v u t s ( L X R) R ( L L) X ( RR ) L // lik rtj t s lus rtv l iu rvj // lis rtj R // L X R t s v u t s lus rtv l iu rvj v u ( L L) X ( RR ). () We used ordinary features of power function and atri ultiplication, so this equation holds for any atrices. Lea. Defined atri power operation has the following property: if key atrices are identities, then resulting atri of ciphertet is equal to the atri of plaintet. Proof. Any eleent of ciphertet atri can be written following way: c t lii rjj rivluj tvu. u v v j & u i If key atrices are L R I, then we have that l ii r jj for any i and j fro to, and l r jj 0, if i j: 0 t tvu u v v j & u i c t. Theore 2. The action operations are both left and right invertible. Proof. According to () and Lea we obtain: ( L X R) R ( L L) X ( RR ) I X I X L Key atrices lus rtv liu rvj. (2) Key atrices L and R should be invertible in order that defined atri power S-bo would be bective, i.e. would have inverse S-bo. This is obvious fro the (2). Decryption of the ciphertet can be done only with L and R atrices. If L or R did not have inverse, then atri power S-bo is surjective and inverse S-bo does not ei. Matrices L and R are chosen fro group M G, therefore they have inverse atrices. The proble is, how to conruct group M G that it would be large enough and brute force attacks would be useless. One of the ethods is to use the certain non-coutative group representation in the set of atri group GL(, GF(2 n )). The non-coutative group is presented by finite sets of generators and relations. Then it is required to conruct representation atrices and their inverses for each initial group generator [Sakalauskas and Luksys, 2007]. Other ethod is to generate rando atrices and to check if they are invertible. We have used this ethod to evaluate key space and atri power S-bo security properties.

5 International Book Series "Inforation Science and Coputing" 0 For the analysis, we have chosen 3 3 atrices ( 3) and n 7. In this case key atrices L and R are over N 27 and data atrices are over GF(2 7 ). Irreducible polynoial was Key atrices L and R have nine eleents and each eleent can be randoly chosen fro 27 values. Thus we can generate diinct atrices. But that would be all possible variants, including those atrices, which do not have inverse. We have generated 2 34 atrices and 0.969% of those atrices were not invertible. Therefore rough eiate of atri power key space would be around 2 63 (for two key atrices). Group No. Table. Cryptographic characteriics of rando invertible atri power S-boes Algebraic Algebraic Algebraic k- quadratic biaffine Percentage, Bective Nonlinearity degree unifor equations equations % iunity iunity. T ,53-0,9 2. T ,63 2 2,68 5,5 3. T ,53 2 9,65 3,5 4. T ,53 2 9,44,8 5. T ,53 2 9,23 0,2 6. T , ,9 7. T ,75 2 9,65 3,5 8. T ,75 2 9,44,8 9. T ,75 2 9,23 0,2 0. T ,72 2 2,0. T , ,0 2. T ,53 2 9,65 3,6 3. T ,53 2 9,44,8 4. T ,53 2 9,23 0,2 5. T ,84 2 2,0 6. T ,75 2 9,65 3,5 7. T ,75 2 9,44,8 8. T ,75 2 9,23 0,2 9. T , ,9 20. T ,84 2 6,34 5,5 2. F ,7 2 6,34,5 22. F ,35 2 6,294 0, It is very difficult to evaluate cryptographic characteriics of S-bo with 54 bit input and 63 bit output. Therefore we have ade two siplifications for the security analysis. Fir of all we did not do key addition (3). If data atri had zero eleent (-s) that atri was left unchanged. This let us to analyze S-bo with equal input and output size. For the second siplification, we fied all input atri eleents ecept one and analyzed only one particular eleent of the output atri. This led us to the analysis of the S-bo with input and output size of 7 bits. We have chosen to evaluate five cryptographic characteriics: algebraic degree [Meier et al., 2004], nonlinearity, differential coefficient k-unifor, algebraic quadratic equations iunity and algebraic biaffine equations iunity [Courtois et al., 2005]. Algebraic iunity is calculated as follows: Γ t n where t is nuber of ters in algebraic noral for (ANF) of Boole function, n nuber of variables, r nuber of biaffine or quadratic equations. t r,

6 02 Advanced Studies in Software and Knowledge Engineering We have generated rando invertible atri power S-boes. Analysis results are shown in Table. We have grouped all generated S-boes into 22 groups according their characteriics. Two groups of S-boes are not bective, i.e. the representation of one eleent of input atri into one output atri eleent is not bective, but the whole atri power S-bo reains invertible. Group 20 th represents S-boes which perfors a linear transforation. Characteriics of groups 9 are siilar to those of ordinary power functions, like Gold, Kasai, Niho etc. [Cheon and Lee, 2004]. These are ju preliinary results and further analysis of atri power S-bo should be done. Conclusion In this paper we have analyzed key depended S-bo based on introduced atri power operation. We have forulated and proven core properties of this operation. Soe preliinary cryptographic characteriics of conructed S-bo are calculated. Characteriics of siplified version of atri power S-bo are siilar to those of ordinary power functions, like Gold, Kasai, Niho etc. Bibliography [Canteaut and Videau, 2002] A. Canteaut and M. Videau. Degree of coposition of highly nonlinear functions and applications to higher order differential cryptanalysis. Advances in Cryptology Eurocrypt 2002, Springer Verlag [Cheon and Lee, 2004] J.H. Cheon, D.H. Lee. Resiance of S-boes again Algebraic Attacks. Fa Software Encryp tion, LNCS 307, pp , Springer-Verlag, [Courtois, 2005] N.T. Courtois. General Principles of Algebraic Attacks and New Design Criteria for Cipher Coponents. Advanced Encryption Standard AES, LNCS 3373, pp , [Courtois et al., 2005] N.T. Courtois, B. Debraize and E. Garrido. On eact algebraic [non-]iunity of S-boes based on power functions. Cryptology eprint Archive: Report, no. 203 (2005), [Courtois and Pieprzyk, 2002] N.T. Courtois and J. Pieprzyk. Cryptanalysis of Block Ciphers with Overdefined Syes of Equations. Proceedings of Asiacrypt 2002, LNCS 250, pp , Springer-Verlag, [Meier et al., 2004] W.Meier, E.Pasalic and C.Carlet. Algebraic Attacks and Decoposition of Boolean Functions. Advances in Cryptology - EUROCRYPT 2004, LNCS 3027, Springer Berlin / Heidelberg, 2004, pp [Monico, 2002] C. Monico. Seirings and Seigroup actions in Public Key Cryptography. PhD. thesis, University of Notre Dae, May [Sakalauskas and Luksys, 2007] E.Sakalauskas and K.Luksys, Matri Power S-Bo Conruction. Cryptology eprint Archive: Report, no. 24 (2007), [Sakalauskas et al., 2007] E. Sakalauskas, P. Tvaronas and A. Raulinaitis. Key Agreeent Protocol (KAP) Using Conjugacy and Discrete Logarith Probles in Group Representation Level, Inforatica, Vol. 8, No., 2007, pp [Sakalauskas, 2005] E. Sakalauskas. One Digital Signature Schee in Seiodule over Seiring, Inforatica, vol. 6, no. 3, 2005, pp [Schauuller-Bichl, 983] Schauuller-Bichl. Cryptanalysis of the Data Encryption Standard by the Method of Foral Coding. Advances in Cryptology EUROCRYPT-982, LNCS 49, Springer-Verlag, 983, pp [Shpilrain and Ushakov, 2005] V. Shpilrain and A. Ushakov. A new key echange protocol based on the decoposition proble. Cryptology eprint Archive: Report, no. 447 (2005), Authors' Inforation Keutis Luksys PhD udent, Kaunas University of Technology, Studentu A, Kaunas 5368, Lithuania; e-ail: keutis.luksys@ktu.lt. Petras Nefas Dr., Head of Division, GRC of State Security Departent, Lithuania; e-ail: petras.nefas@gail.co.