Reprint of pp in Advances in Cryptology-EUROCRYPT'90 Proceedings, LNCS 473, Springer-Verlag, Xuejia Lai and James L.

Transcription

1 Reprint of pp in Advances in Cryptology-EUROCRYPT'90 Proceedings, NCS 7, Springer-Verlag, 99. A Proposal for a New Block Encryption Standard Xuejia ai and James. Massey Institute for Signal and Information Processing Swiss Federal Institute of Technology CH{809 urich, Switzerland Abstract A new secret-key block cipher is proposed as a candidate for a new encryption standard. In the proposed cipher, the plaintext and the ciphertext are bit blocks, while the secret key is 8 bit long. The cipher is based on the design concept of \mixing operations from dierent algebraic groups". The cipher structure was chosen to provide confusion and diusion and to facilitate both hardware and software implementations. Introduction A new secret-key block cipher is proposed herein as a candidate for a new encryption standard. In the proposed cipher, the plaintext and the ciphertext are bit blocks, while the secret key is 8 bit long. The cipher is based on the design concept of \mixing operations from dierent algebraic groups". The required confusion is achieved by successively using three dierent group operations on pairs of -bit subblocks and the cipher structure was chosen to provide the necessary diusion. The cipher is so constructed that the deciphering process is the same as the enciphering process once the decryption key subblocks have been computed from the encryption key subblocks. The cipher structure was chosen to facilitate both hardware and software implementations. The cipher is described in Section. Section considers the relation of the three chosen dierent operations to one another and the eect of their \mixing". The design principles for the cipher are discussed in Section. Section discusses

2 the implementation of the cipher in software as well as in hardware. A C-language program of the cipher is given in Appendix B together with examples that can be used to test the correctness of implementations. Description of the Proposed Cipher The computational graph of the encryption process is shown in Fig.. The process consists of 8 similar rounds followed by an output transformation. The complete rst round and the output transformation are depicted in Fig.. In the encryption process shown in Fig., three dierent group operations on pairs of -bit subblocks are used, namely, { bit-by-bit exclusive-or of two -bit subblocks, denoted as ; { addition of integers modulo where the subblock is treated as the usual radix-two representation of an integer, the resulting operation is denoted as +; {multiplication of integers modulo + where the subblock is treated as the usual radix-two representation of an integer except that the all-zero subblock is treated as representing ; and the resulting operation is denoted as J. For example, because 0; :::; 0) J ; 0; :::; 0) = ; 0; :::; 0; ) mod +)= +: The -bit plaintext block is partitioned into four -bit subblocks, the i-th of which is denoted as X i in Fig.. The four plaintext subblocks are then transformed into four -bit ciphertext subblocks, Y ;Y ;Y and Y, under the control of key subblocks of bits, where the six key subblocks used in the r-th r=,..,8) round are denoted as r) ; ::; r) and where the four key subblocks used in the output transformation are denoted as 9) ; 9) ; 9) ; 9).

3 X X X X J J + +???? ) ) ) ) r r ) - - J - J?? r - + +?? -?? )?? r r - r 9 >= one round h hhhh h hhhh h hhhh h hhhh h hhhh h hhhh h hhh h hhh????. J. J???? ) 9) 9) 9) >; ) ) 7 more rounds output transformation???? Y Y Y Y X i : -bit plaintext subblock Y i : -bit ciphertext subblock r) i : -bit key subblock : bit-by-bit exclusive-or of -bit subblocks + : addition modulo of -bit integers J :multiplication modulo + of -bit integers with the zero subblock corresponding to Figure : Computational graph for encryption.

4 Decryption The computational graph of the decryption process is essentially the same as that of the encryption process, the only change being that the decryption key subblocks are computed from the encryption key subblocks as shown in the following table, where, denotes the multiplicative inverse modulo +)of, i.e., J, = and, denotes the additive inverse modulo )of, i.e.,,+ =0. Encryption key subblocks Decryption key subblocks -st ) ) ) ) -st 9), 9) round ) ) round 8) 8) -nd ) ) ) ) -nd 8), 8) round ) ) round 7) 7) -rd ) ) ) ) -rd 7), 7) round ) ) round ) ) -th ) ) ) ) -th ), ) round ) ) round ) ) -th ) ) ) ) -th ), ) round ) ) round ) ) -th ) ) ) ) -th ), ) round ) ) round ) ) 7-th 7) 7) 7) 7) 7-th ), ) round 7) 7) round ) ) 8-th 8) 8) 8) 8) 8-th ), ) round 8) 8) round ) ) output 9) 9) 9) 9) output ) transform. transform., ), 9),, 9), 8),, 8), 7),, 7), ),, ),, ), ),, ), ),, ), ),, ), ),, ), ) The key schedule The key subblocks used in the encryption process are generated from the 8 bit user-selected key as follows: The 8 bit user-selected key is partitioned into 8 subblocks that are directly used as the rst eight key subblocks, where the ordering of key subblocks is as follows: ), ),.., ), ),.., ),.., 8),.., 8), 9), 9), 9), 9). The 8 bit user-selected key is then cyclic shifted to the left by positions, after which the resulting 8 bit block is again partitioned into eight subblocks that are

5 taken as the next eight key subblocks. The obtained 8 bit block is cyclic shifted again to the left by positions to produce the next eight key subblocks, and this procedure is repeated until all key subblocks have been generated. Group Operations and Their Interaction The cipher is based on the design concept of \mixing operations from dierent algebraic groups having the same number of elements". Group operations were chosen because the statistical relation of random variables X; Y; related by a group operation as Y = X has the desired \perfect secrecy" property, i.e., if one of the random variables is chosen equally likely to be any group element, then the other two random variables are statistically independent. The interaction of dierent group operations contributes to the \confusion" required for a secure cipher. In this section, the interaction of dierent operations will be considered in terms of isotopism of quasigroups and in terms of polynomial expressions. The three operations as quasigroup operations Def. etsbeasetandlet denote an operation from pairs a; b) of elements of S to an element a b of S. Then S; ) is said to be an quasigroup if, for any a; b S; the equations a x = b and y a = b both have exactly one solution in S. A group is a quasigroup in which the operation is associative, i.e., for which a b c) =a b) c for all a; b and c in S. Quasigroups S ; ); S ; ) are said to be isotopic if there are bijective mappings ; ; : S! S, such that, for all x; y S ;x) y) = x y): Such a triple ; ; ) is then called an isotopism of S ; )upons ; ). Two groups are said to be isomorphic if they are isotopic as quasigroups for which the isotopism is ; ; ). It can be shown that two groups are isomorphic if and only if they are isotopic []. et n be one of the integers,,,8 or so that the integer n + is a prime, and let n denote the ring of integers modulo n. et n + ; ) denote the multiplicative group of the non-zero elements of the eld +, let n n ; +) denote the additive group of the ring n, and let F n ; ) denote the group of n{tuples over F under the bitwise exclusive-or operation. Then the following theorem states some of the \incompatibility" properties of these groups. Theorem For n f; ; ; 8; g: ) Quasigroups F n; ) and n; +) are not isotopic for n. ) Quasigroups ; ) and F n; n + ) are not isotopic for n. ) ; ; ) is an isotopism of ; ) upon n + n; +) if and only if there exist constants c ;c n and a primitive element a of the eld n + such that, for all x in

6 n, x), c = x), c = x), c + c ) = log a x); ) i.e., any isotopism between these groups is essentially the logarithm. Moreover, if ; ; ) is an isotopism, none of these maps will be the \mixing mapping" m from n + to n dened bymi) =i; for i = n and m n )=0when n. Proof. ) For n, the groups F n ; ) and n; +) are not isomorphic because n; +) is a cyclic group while F n ; ) is not. Thus, they are not isotopic as quasigroups. ) ; ) and n + n; +) are isomorphic groups for n =; ; ; 8; because both groups are cyclic. Thus, ; ) is isotopic to F n ; n + ) if and only if n; +) is isotopic to F n ; ). ) If ) holds, then for any x; y in n +, x y) = log a x y)+c + c = log a x) + log a y)+c + c = x)+y): Now suppose that ; ; ) is an isotopism. Then for all x; y, x)+y) = n + x y). et x) =x), ); x) =x), ) and x) = x), ), then ; ; ) is also an isotopism and ) = ) = ) = 0. In the equation x)+ y) = xy); setting rst x and then y to results in y) = y) = y) so that x y) = x)+ y): et a be the element of such that n + a) =, then a i )=ifor i =; ;:: n,and a n )=0: This implies that a is a primitive element of +. Thus, for each x n +, there exists a t n n such that, x) = a t )=t = t log a a) = log a a t )=log a x): etting c = );c = ), we arrive at equation ). Finally, suppose that the mixing mapping m is an isotopism. Then mx) = log a x)+c implies = m) = log a ) + c = c; =m)=log a )+; which implies that a =,and0=m n ) = log n )+=n +, which implies that n=. Polynomial expressions for multiplication and addition Under the mixing mapping m, multiplication modulo n +, which is a bilinear function over the eld +, isatwo variable function over the ring n n, which we denote by J x y. Similarly, under the inverse mixing mapping m,, addition modulo n, which is an ane function in each argument over the ring n,isatwo variable function over the eld +, which we denote by F X; Y ): Here and hereafter in this n section, we denote arguments with lower-case letters when we consider them to be elements of n and with upper-case letters when we consider them to be elements of +. For example, when n =,wehave n x + y mod! F X; Y )=XY mod ; XY mod! x J y = x + y +mod:

7 Theorem For n f; ; 8; g :. For any xed X = n i:e:; x = 0), the function F X; Y ); corresponding to addition x + y mod n in n; isapolynomial in Y over n + with degree n, : Similarly, for any xed Y = n ; FX; Y ) is a polynomial in X over n + with degree n,.. For any xed x = 0; i.e., X = n ; ), the function x J y,corresponding to multiplication XY mod n + in n + cannot be written as a polynomial in y over n: Similarly, for any xed y = 0;, x J y is not a polynomial in x over n: Example For n =,in, the function F X; Y ) corresponding to x + y mod is F X; Y )=X Y + X Y )+X Y + XY )+X Y +X Y + XY ): Proof.. In any nite eld GF q), we have Y j=i; j =0 x, j ), i )= Q jj=i); j =0 i, j ), i )=, Q i =0 i = x = i 0 x = i ; 0: Thus, every function fx) from the set GF q),f0g to GF q),f0g can be written as a polynomial over GFq) of degree at most q, asfollows: fx) = X i GF q),f0g f i ) Y j = i ;0 x, j ), i ): ) The function F A; X) corresponding to a+x mod n is a function from GF n +),f0g to GF n +),f0g in X. According to ), this function can be written as A + X X n, A F A; X) = A + X + n, A<X n = = X n,a I= n X I= A+I) A + I) Y X n X,J),I)+ J=I I= n,a+ J n Y X, J),I)+ J=I J n The coecient ofx n, in F A; X) is = n X I= AX I= A + I),I)+ I = AA +) ; n X I= n,a+,i) =,A n X A+I +) Y Y X,J),I) J=I J n X, J),I): I= n,a+ J=I J n n X I= I, n X I= I + X, I=,A,I) which is zero if and only if A =0orA =, = n,which cases are excluded by the assumption. Thus, degf X; A) = n,.. We show rst the following lemma: 7

8 emma If fx) is a polynomial over n; then for all x n; fx) mod=f0) mod : Proof. et fx) =a k x k + a k, x k, + + a x + a 0 : Then for all x n, fx) =a k x) k + a k, x) k, + + a x + a 0 : Taking both sides of this equation modulo n,wehave fx) =e+a 0 mod n ; where e is an element in n.thus, fx) mod=a 0 mod = f0) mod : Now let n >; then for every integer a, < a < n, there exists an integer x 0 f; ;:::; n g such that n +< ax 0 < n + ) and 0 ax 0, ) < n +: The rst inequality is equivalent to that 0 < ax 0, n +) < n + and ax 0, n +) is an odd integer. Hence the function f a x) =a J x corresponding to AX mod n +) satises f a x 0 )mod=ax 0, n +))mod=: On the other hand, the inequality 0 ax 0, ) < n + implies that ax 0, ) is an even integer in f0; ; ::; n g so that f a x 0, )) mod = ax 0, ) mod = 0: By the emma, f a x) is not a polynomial over n: Design Principles for the Proposed Cipher Confusion Confusion see [, ] ) means that the ciphertext depends on the plaintext and key in a complicated and involved way. The confusion is achieved by mixing three dierent group operations. In the computational graph of the encryption process, the three dierent group operations are so arranged that the output of an operation of one type is never used as the input to an operation of the same type. The three operations are incompatible in the sense that:. No pair of the operations satises a distributive law. For example, a+b J c) = a+b) J a+c):. No pair of the operations satises an associative law. For example, a+b c) = a+b) c: 8

9 . The operations are combined by the mixing mapping m, which inhibits isotopisms as was shown in Theorem. Thus, using any bijections on the operands, it is impossible to realize any one of the three operations by another operation.. Under the mixing mapping, multiplication modulo +,which is a bilinear function over +, corresponds a non-polynomial function over ; Under the inverse mixing mapping, addition modulo, which is an ane function in each argument over, corresponds a two variable polynomial of degree, in each variable over +. Diusion The diusion requirement on a cipher is that each plaintext bit should inuence every ciphertext bit and each key bit should inuence every ciphertext bitsee [, ]). For the proposed cipher, a check by computer has shown that the diusion requirement is satised after the rst round, i.e., each output bit of the rst round depends on every bit of the plaintext and on every bit of the key used for that round. Diusion is provided by the transformation called the multiplication-addition MA) structure. The computational graph of the MA structure is shown in Fig.. The MA structure transforms two bit subblocks into two bit subblocks controlled by two bit key subblocks. This structure has the following properties: { for any choice of the key subblocks and, MA; ; ; )isaninvertible transformation; for any choice of U and U, MAU ;U ; ; ) is also an invertible transformation; { this structure has a \complete diusion" eect in the sense that each output subblock depends on every input subblock, and { this structure uses the least number of operations four) required to achieve such complete diusion see Appendix A for the proof). U U J?? ??J?? V V Figure : Computational graph of the MA structure. 9

10 Similarity of encryption and decryption The similarity of encryption and decryption means that decryption is essentially the same process as encryption, the only dierence being that dierent key subblocks are used. This similarity results from { using the output transformation in the encryption process so that the eect of ; ; ; ) can be cancelled by using inverse key subblocks,,,,,,, ) in the decryption process, and from { using an involution i.e., a self-inverse function) with a bit input and a bit output controlled by a bit key within the cipher. The involution used in the cipher is shown in Fig.. The self-inverse property is a consequence of the fact that the exclusive-or of S ;S ) and S ;S ) is equal to the exclusive-or of T ;T ) and T ;T ); Thus, the input to the MA structure in Fig. is unchanged when S ;S ;S and S are replaced by T ;T ;T and T. Thus, if T ;T ;T and T are the inputs to the involution, the left half of the output is T ;T ) MAT ;T ) T ;T ); ; ) = S ;S ) MAS ;S ) S ;S ); ; ) MAS ;S ) S ;S ); ; ) = S ;S ): Similarly, the right half of the output is S ;S ). S ;S ) S ;S ) r -? MA?? - r ; ) h hhhh h hhh h?? T ;T ) T ;T ) Figure : Computational graph of the involution. Perfect secrecy for a \one-time" key Perfect secrecy in the sense of Shannon is obtained in each round of encryption if a \one-time" key is used. In fact, such perfect secrecy is achieved at the input transformation in the rst round because each operation is a group operation. In addition, 0

11 for every choice of p ;p ;p ;p ) and of q ;q ;q ;q )inf, there are exactly different choices of the key subblocks ; ::; ) such that the rst round of the cipher transforms p ;p ;p ;p )into q ;q ;q ;q ). Implementations of the Cipher The cipher structure was chosen to facilitate both hardware and software implementations. In the encryption process, a regular modular structure was chosen so that the cipher can be easily implemented in hardware. A VSI implementation of the cipher is being carried out at the Integrated Systems aboratory of the ETH, urich. The estimated data rate of this chip varies from Mbits per second to Mbits per second, depending on the complexity of the architecture chosen. The cipher can also be easily implemented in software because only operations on pairs of -bit subblocks are used in the encryption process. The most dicult part in the implementation, multiplication modulo + ), can be implemented in the way suggested by the following lemma. emma et a; b be two n-bit non-zero integers in +, then n ab mod ab mod n n ), ab div +)= n ) if ab mod n ) ab div n ) ab mod n ), ab div n )+ n + if ab mod n ) < ab div n ) where ab div n ) denotes the quotient when ab is divided by n. Note that ab mod n ) corresponds to the n least signicant bits of ab, and ab div n ) is just the right-shift of ab by n bits. Note also that ab mod n ) = ab div n ) implies that ab mod n + ) = 0 and hence cannot occur when n +is a prime. Proof. For any non-zero a and b in n +, there exist unique integers q and r such that ab = q n +)+r; 0 r< n +; 0 q< n : Moreover, q + r< n+ : Note that r = ab mod n +): We have q if q + r< ab div n n )= q + if q + r n and Thus q + r if q + r< ab mod n n )= q + r, n if q + r n : ab mod n ), ab div r = n ) if q + r< n ab mod n ), ab div n )+ n + if q + r n :

12 But q + r< n if and only if ab mod n ) ab div n ): This proves the emma. A C-program of the cipher together with some examples for checking the correctness of the implementation are given in Appendix B. Conclusion The cipher described above is proposed as a possible candidate for a new encryption standard. The cipher is based on the design concept of \mixing dierent group operations" to achieve the required confusion and diusion. Confusion is achieved by arranging the operations in a way that no pair of successive operations are of the same type and by the fact that operations of dierent types are incompatible. The structure of the cipher is so chosen that diusion can be achieved using a small number of operations. Enciphering and deciphering are essentially the same process, but with dierent key subblocks. Because of the use of -bit operations and a regular modular structure, the cipher can be implemented eciently in both hardware and software. In particular, bit-level permutations are avoided in the encryption process because such permutations are dicult to implement in software. In all of the statistical testings conducted up to now, we have not found any signicant dierence between the permutation of F determined by the cipher with a randomly chosen key and a permutation equiprobably chosen from all possible permutations of F. The security of the proposed cipher needs further intensive investigation. The authors hereby invite interested parties to attack this proposed cipher and will be grateful to receive the results positive or negative) of any such attacks. References [] C. E. Shannon, \Communication Theory of Secrecy Systems", B.S.T.J., Vol. 8, pp.-7, Oct. 99. [] J.. Massey, \An Introduction to Contemporary Cryptology", Proc. IEEE, Vol. 7, No., pp. {9, May 988. [] J.Denes, A.D.Keedwell, atin squares and their applications, Akademiai Kiado, Budapest 97.

13 Appendix A: Number of Operations Required for Diusion An operation is a mapping from two variables to one variable. A computational graph is a directed graph in which the vertices are operations, the edges entering a vertex are the inputs to the operation, the edges leaving a vertex are the outputs of the operation, the edges entering no vertex are the graph outputs, and the edges leaving no vertex are the graph inputs. An algorithm to compute a function determines a computational graph where the graph inputs are the inputs of the algorithm and the graph outputs are the outputs of the algorithm. Consider a function having the form Y ;Y )=EX ;X ; ; ); X i ;Y i F m ; i F k ) such that, for every choice of ; ), E; ; ; )isinvertible. Such a function will be called a cipher function. A cipher function is said to have complete diusion if each of its output variable depends non-idly on every input variable. Theorem If a cipher function of the form ) has complete diusion, then the computational graph of any algorithm that computes the function contains at least operations. Proof. et Y = E X ;X ; ; ); and Y = E X ;X ; ; ): Then if E has complete diusion, it contains at least operations because there are four input variables. Suppose E contains operations. The invertibility of the cipher function implies that E = E and complete diusion requires that E not equal any intermediate result that appears in E : Thus, at least one operation not appearing in E is required in E.Thisproves the theorem. It is easy to check that the MA structure shown in Fig., which has four operations, is a cipher function with complete diusion, i.e., that each of the output variables depends non-idly on all four input variables. Appendix B: C-program of the Cipher and Sample Data /* C - program blockcipher */ # define maxim 7 # define fuyi # define one # define round 8 void cipunsigned IN[],unsigned OUT[],unsigned [7][0]); void key short unsigned uskey[9],unsigned [7][0] ); void de_keyunsigned [7][0],unsigned DK[7][0]); unsigned invunsigned xin); unsigned mulunsigned a, unsigned b);

14 main) { unsigned [7][0], DK[7][0], XX[],TT[], YY[]; short unsigned uskey[9]; /* to generate encryption key blocks */ keyuskey,); /* to generate decryption key blocks */ de_key,dk); /* to encipher plaintext XX to ciphertext YY by key blocks */ cipxx,yy,); /* to decipher ciphertext YY to TT by decryption key blocks DK */ cipyy,tt,dk); /* encryption algorithm */ void cipunsigned IN[],unsigned OUT[],unsigned [7][0]) { unsigned r, x,x,x,x,kk,t,t,a; x=in[]; x=in[]; x= IN[]; x=in[]; for r= ; r<= 8; r++) { x =mulx,[][r]); x =mulx,[][r]); x = x+ [][r] ) & one; x = x + [][r] ) & one; kk = mul [][r], x^x ) ); t = mul [][r], kk+ x^x) )& one); t = kk+ t ) & one; a = x^t; x = x^t; x = a; a = x^t; x = x^t; x = a; OUT[] = mul x,[][round+] ); OUT[] = mul x,[][round+] ); OUT[] = x + [][round +] )& one; OUT[] = x + [][round+] ) & one; /* the multiplication */ unsigned mulunsigned a, unsigned b) { long int p; long unsigned q; if a==0) p = maxim-b; else if b==0 ) p = maxim-a; else { q=a*b; p= q & one) - q>>); if p<=0) p= p+maxim; return unsigned)p & one); /* compute multiplication inverse of integer xin by Euclidean gcd algorithm */ unsigned invunsigned xin) { long n,n,q,r,b,b,t; if xin == 0 ) b = 0;

15 else { n=maxim; n = xin; b= ; b= 0; do { r = n % n); q = n-r)/n ; if r== 0) {if b<0 ) b = maxim+b; else { n= n; n= r; t = b; b= b- q*b; b= t; while r!= 0); return unsigned)b; /* generate key blocks [i][r] from user key uskey */ void key short unsigned uskey[9], unsigned [7][0] ) { short unsigned S[]; int i,j,r; /* shifts */ for i = ; i<9; i++) S[i-] = uskey[i]; for i = 8; i< ; i++ ) { if i+)%8 == 0 ) /* for S[],S[],.. */ S[i] = S[i-7]<<9 )^ S[i-]>>7 ); else if i+)%8 ==0 ) /* for S[],S[],.. */ S[i] = S[i-]<<9 )^ S[i-]>>7 ); else /* for other S[i] */ S[i] = S[i-7]<<9 )^ S[i-]>>7 ); /* get encryption key blocks */ for r= ; r<=round+; r++) forj= ;j<7; j++) [j][r] = S[*r-) + j-]; /* compute decryption key blocks DK[i][r] from encryption key blocks [i][r] */ void de_keyunsigned [7][0],unsigned DK[7][0]) { int j; for j = ; j<=round+; j++) { DK[][round-j+] = inv[][j]); DK[][round-j+] = inv[][j]); DK[][round-j+] = fuyi-[][j] ) & one; DK[][round-j+] = fuyi-[][j] ) & one; for j= ;j<=round+;j++) { DK[][round+-j] = [][j]; DK[][round+-j] = [][j]; Some sample data for checking the correctness of implementations are given below. The numbers are -bit integers in the decimal form. the eight -bit user key subblocks: uskey[i] 7 8 encryption key subblocks [i][r]

16 [][r] [][r] [][r] [][r] [][r] [][r] -st round -nd round rd round th round 8 8 -th round th round th round th round output transf decryption key subblocks DK[i][r] -st round nd round rd round 0 -th round th round th round th round th round output transf plaintext XX 0 after -st round after -nd round after -rd round after -th round after -th round after -th round after 7-th round after 8-th round YY =cipxx,) TT=cipYY,DK) 0