Li An-Ping. Beijing , P.R.China

Transcription

1 A New Type of Cpher: DICING_csb L An-Png Bejng , P.R.Chna apl0001@sna.com Absrac: In hs paper, we wll propose a new ype of cpher named DICING_csb, whch s derved from our prevous sream cpher DICING. I has appled a sream of subkey and an encrypon form of block cphers, so may be vewed as a combnave of sream cpher and block cpher. Hence, he new ype of cpher has fas rae lke a sream cpher and need no MAC.. Keywords: sream cpher, LFSR, projecor, fne feld, correlaon aack, algebrac aack, dsngushng aack.

2 1. Inroducon The encrypon form n a synchronous sream cpher usually s bwse addon, namely, he cpherex s made by bwse addng (XOR) he planex wh a bnary sequence called keysream. A mer of hs knd of cphers s ha here wll be few of propagaons for he errors n he communcaons. However, s clear ha n hs addve encrypon form he planex s easy o be falsfed by oher people. As a resul, a synchronous sream cpher usually s equped a MAC (message auhencaon code) o proec he message from o be ampered. In our algorhm DICING [1], he combnng funcon had manly appled keyed-sboxes, whch are ofen used n he block cphers, we realze ha s possble o make a combnave of sream cpher and block cpher (CSB mode), so wll be able o om MAC n hs way. The man dfference beween he proposal cpher and he prevous one DICING s he encrypon forms. In he new one, he componen u of DICING wll be appled as a role of a sream of subkeys, and he encrypon means are manly keyed-sboxes, lke one ordnary block cpher. The componens used here are same n DICING, for he compleeness, whch wll be repeaed n hs paper. In he proposal cpher, we wll apply a LFSR-lke componen called projecor (Pr.). A projecor consss of an elemen σ called sae from some fne feld GF( 2 m ) and an updang rule. The rule of updang saes s ha mulplyng σ wh σ = x σ k x, k s an neger, namely, k +1. (1.1) The fne felds used n here are GF ( 2 m ), m = 128, or 127. In oher word, he operaon shf n LFSR now s replaced by mulplyng k x n he feld ( 2 m ) GF. Lke DICING, he key szes n DICING_csb can be 128 bs or 256 bs, and he sze of nal value may be aken as large as 256 bs, and he sze of oupu of DICING s 128 bs. In hs paper he fne feld GF (2) s smply denoed as F, and F[ x] s he polynomal rng of unknown x over he feld F. The symbols, wll represen he bwse addon XOR, bwse and, ha s he operaon & n C, and symbols >>, <<, and ~ sand for he operaons rgh-shf, lef-shf, concaenae and complemen respecvely. Suppose ha ζ s a bnary srng, denoed by ζ [] b and [, j] b ζ he -h b and he segmen from -h b o j-h b respecvely, and here are he smlar expressons ζ [ ], ζ [, j] and bye bye ζ [ ], ζ [, j] measured n byes and 32-bs words respecvely, and f he meanng s word word explc from he conex, he low-ndex b, bye and word wll be omed.

3 2. Consrucon We wll use wo projecors Γ1 and Γ 2, he frs one acs a conroller o conrol he updang of he second one, whch wll be used o form a sream of subkeys. Denoed by α and ω he saes of Γ1 and Γ 2 n me respecvely, whch are based on he fne felds E, E = F [ x]/ p ( x), = 1, 2. p ( ) and p ( ) are he prmve 1 x 2 x polynomals wh degree 127 and 128 respecvely, whch expresson are gven n he Ls 1. They sasfy he smple recurrence equaons α = = +. (2.1) 8 1 x α, 0,1,2,... The neger of he las egh bs of α s called he dce D, denoed by d = 1 + ( D >> 4), he sae ω wll be updaed as d ω = 1 x + ω, for > 0. (2.2) Besdes, we use a memorzes u o assembleω, The nal valuesα 0, ω 0 and u 0 wll be specfed n he laer. u = u 1 ω, for > 0, (2.3) Suppose ha K s a fne feld GF ( 2 8 ), K = F [ x]/ px ( ), p (x) s an rreducble polynomal of degree egh, whch expresson s gven n he Ls 1. We defne S-box S ( x) 0 as S x = x x K. (2.4) ( ) 5 ( 3) 127, 0 We also adop he represenaon S 0 ( ζ ) for a byes srng ζ o represen ha S-box S 0 subsue each bye of he srng ζ. The sarup ncludes wo subprocesses keyseup and vseup, where he basc maerals as he secre key and key-sze wll be npu and he nernal saes wll be nalzed. Besdes, n he keyseup we wll make wo key-defned he S-boxes S ( x) 1 and S ( x) 2 from S ( ) 0 x and a dffuson ransformaon L. The process s as followng. For a srng ρ of 8 byes, we defne an 8-bs vecor V ρ and a 8 8marx M ρ : Vρ[] = ρ[8 + ] b,0 < 8, M = T ρ u J Tl. (2.5)

4 where T u = ( a, j ) 8 8 and Tl = ( b, j) 8 8are he upper-rangular marx and he lower-rangular marx respecvely, ρ[8 + j] b f < j, ρ[8 + j] b f > j, a, j= 1 f = j, b, j= 1 f = j, 0 f j, > 0 f < j, and J s a key-defned permuaon marx, for he smplcy, here ake J = 1. (2.6) Suppose ha K s he secre key, le K = K[0,23] K[8,31], f K = 256, else c bye bye K = K[0,15] ( K[0,7] K[8,15]), λ = K [( 1) 8,8 1], = 1, 2,3. and defne hree c c affne ransformaons on K A( x) = M ( x), B( x) = M ( x), C( x) = M ( x), (2.7) λ λ λ and a ransformaon L on K, A B A A B B A A B A L =. (2.8) A A B A B A B A B A Denoed by v = λ [ k], = 1,2,3, and defne wo new S-boxes bye 0 k< 8 S ( x) = S ( x v ) v, S ( x) = C( S ( x v ) v ), x K. (2.9) Suppose ha ζ s a srng of n byes, f n= 4k we also vew as a srng of k words, and wre L( ζ ) o represen ha L akes on he each word of ζ. Smply, we denoe Q( ζ) = L S( ζ). (2.10) In he vseup, he second sep of he sarup, he nernal saes wll be nalzed wh he secre key and he nal value. φ φ For a 32-byes srng ζ we defne a byes permuaonφ : ζ = φζ ( ), ζ [] = ζ[4 mod31], φ for 0 < 31, and ζ [31] = ζ[31]. Le K = K f K = 256 else K = K ( K), denoed by K 0 = K, K = K [8,31] K [0,8 1], = 1,2,3. We defne he funcons recurrenly bye bye F( ζ) = Q( φ( ζ)), F ( ζ) = F( ζ) K, F( ζ) = F( F ( ζ)) K. = 1,2,3. (2.11) Suppose ha IV s he nal value of 32-byes, e s he base of naural logarhm and c he negral par of e 57!, and ξ,0 3, are hree 32-byes srngs defned as

5 ξ0 = F3( IV c), ξ = F3( ξ 1 c), = 1,2. (2.12) Le η = ξ0[0,15] ξ0[16,31], whch wll be employed n he encrypon, and he nernal saes are nalzed respecvely as followng u = ξ [0,15], α = ξ [128,254], ω = ξ [0,15], 2.13) b 0 2 If ξ 2 [0,15] = 0, he saes ω0 wll be re-se as ω = ξ [16, 31]. (2.14) 0 2 Noe. For a secre key, here s a mos one IV such ha ξ 2 = 0. In he proposal cpher DICING_csb, he sequence { u } wll play a flow of subkeys. Afer nalzng, he process eners he recurrence par of encrypon/decrypon, n whch ncludng he sub-process of updang he saes, ha s, makng he sream of subkeys { u }. Denoed by { } x > 0 and 0 s defned as { y } > he sequences of planex and cpherex respecvely, he encrypon funcon y = S ( Q( x u ) Q( η)) u (2.15) 2. We have summarzed he whole process n a skech as Fg. 1. The Skech of Encrypon Process Inalzng Ths s he recurrence par Updang saes u Planex Encrypng Cpherex Fg.1

6 Ls of he Prmve Polynomals used Polynomals Expresson p (x) x + x + x + x + 1 p ( ) x + ( x + x + 1)( x + 1) 1 x p ( ) x + ( x + x + x + 1)( x + 1) 2 x Ls 1 3. Secury Analyss The analyss for DICING_csb as a sream cpher wll be smlar o he one for DICING, refer o see he paper [1]. Besdes, as a block cpher, he encrypon form of DICING_csb s no usual erave one, so he radonal analyses for he block cphers of erave mode wll no be feasble. On he oher hand, no as addve sream cphers are vulnerable for planex-recovery aacks 16 such ha a IV may be appled only one me, DICING_csb may use a IV as mos as 2 mes. Ths also means ha a keysream u may be employed several mes n he CSB encrypon form, whch wll refer o an alernave verson, see he secon 5. If nend o apply a IV more han 16 2 mes, hen n encrypon funcon should be added a more round n order o enlarge he range of dffuson, as a cos, he encrypng rae wll be added more abou 2 cycles/bye. I maybe should be menoned ha we have reduced wo Pr. s from DICING for we hnk ha n hs encrypon form he requremen for he perod of he sequence { u } may be relaxed, here he perod of { u } s no less han (17 2 1)(2 1). 4. Implemenaon In he plaform of 32-b Wndows OS and AMD Ahlon(m) 64 x2 Dual Core processor 3600+, 2.00G Borland C++ 5.0, he performance of DICING_csb s as followng Repor of Performance Encrypon Decrypon Sub-processes Tme Sub-processes Tme Keyseup 8340 cycles Keyseup cycles IVseup 4280 cycles IVseup 4340 cycles Encrypon rae 8.4 cycles/bye Decrypon 8.4 cycles/bye

7 Ls 2 5. Some varans of DICING_csb I. There s an alernae updang rule for he saes α and ω as followng 16 1 x α, for 0. α = > + (5.1) Denoed by d = 1 + ( α + 1[ ] bye &15), 0 < 16, he saes ω are updaed as d ω = x ω16 +, 0 < 16, for ) Wh he updang rule above, he encrypng/decrypng rae wll be fased o 6.8 cycles / bye n he case of larger sze of massage. We call he rules (5.1) and (5.2) as long. 256 II. As menoned n DICING [1], we may subsue a Pr. ˆΓ of a fne feld GF (2 ) for he wo Pr. s Γ 1 and Γ 2. Suppose ha ζ s he sae of ˆΓ n he me, whch s updaed as followng where r = 1 + ζ [252,255]. b r ζ = 1 x + ζ, for > 0, (5.3) Le { w } be a sequence of 32-byes words, whch s defned recurrenly w 1 = w ζ 1, denoed by w = w[0,15], w = w[16, 31], he encrypon funcon s defned as + + y ( ( ) ( )) = S2 Q x w Q η w. (5.4) III. In he secon 3, we menoned ha for DICING_csb a IV may be permed o use several mes, and a keysream u (or w) also may be eravely employed n encrypon a number of mes, say, 16 mes, hen he encrypon funcon defned n (2.15) wll be changed no ha y = S ( Q( x u ) Q( η)) u, 0, 0 < 16. (5.5) Clearly, n hs way, wh ncrease he usage of a keysream u (or w ), he encrypon/decrypon rae wll be much mproved, and cach up wh a sream cpher, he form more lke a block cpher. 6. Concluson The proposal cpher can be vewed as a combnave of sream cpher and block cpher. I

8 assmlaes he good quales of sream cphers n he speed and block cphers n he secure. I s able o serve as a synchronous sream cpher or a block cpher, and here wll no need o equp a MAC when s appled as a synchronous sream cpher. Whle s appled as block cpher, wll sll requre a IV o nalze he nernal saes, however, hs requremen s easy o be smply sasfed, for example, he name or he dae of fles may be aken as he IV values. References [1] A.P. L, A New Sream Cpher: DICING, arxv, eprn archve,