Construction of Lightweight S-Boxes using Feistel and MISTY structures

Transcription

1 Construction of Lightweight S-Boxes using Feistel and MISTY structures Anne Canteaut Sébastien Duval Gaëtan Leurent Inria, France SAC 2015 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

2 Block cipher design Shannon s criteria (1949) Diffusion Every bit of plaintext and key should affect every bit of output Usually linear mixing layers Confusion Relation between plaintext and ciphertext must be intractable Confusion requires non-linear operations Often implemented with tables: S-Box S S S S L S S S S L S S S S SPN cipher k k k S-Boxes are critical components of modern ciphers. A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

3 Lightweight cryptography 8-bit S-Boxes are expensive Maybe too large for RFID... Smaller S-Boxes require less resources table-based software: smaller table hardware: lower gate count bit-sliced implementation: lower instruction count vectorized implementation: 4-bit S-Box using vector permutation FPGA: small S-Boxes with LUT But require more rounds Differential probability: 2 6 for an 8-bit S-Box, 2 2 for a 4-bit S-Box And a more complex linear layer Can we find some trade-off? A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

4 Constructing S-Boxes from smaller ones L Feistel Misty SPN Lai-Massey Crypton v0.5 Fantomas Crypton v1.0 Whirlpool Zorro Iceberg Robin Khazad A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

5 Objective of this talk Study the construction of S-Boxes with Feistel and Misty structures In particular, construction of 8-bit S-Boxes from 4-bit ones Tradeoff between implementation cost and security parameters Focus on differential uniformity Linearity results in the paper Our results 1 Determine best properties achievable with these structures Application to 8-bit S-Boxes 2 Construct concrete lightweight S-Boxes A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

6 S-Box security parameters Definition (Differential uniformity [Nyberg93]) Let F be a function from F n 2 into Fn 2. The differential table of F is: δ F (a b) = #{x F n 2 F(x a) = F(x) b}. Moreover, the differential uniformity of F is δ(f) = max a 0,b δ F(a, b). δ F (a b) is always even δ(f) = 2 for APN functions (almost perfect nonlinear) e.g. x x 3 is APN A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

7 Feistel and Misty constructions x L k 1 k 2 S 1 S 2 x R Introduced by Feistel in 1973 for Lucifer, DES Builds a 2n-bit permutation out of n-bit functions In this talk: balanced Notations: k 3 S 3 Small functions S1, S 2, S 3 Full construction F Fixed key, k = 0 z L z R 3-round Feistel network A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

8 Feistel and Misty constructions x L x R S 1 S 2 k 1 k 2 Introduced by Matsui in 1996 for MISTY1 Builds a 2n-bit function out of n-bit functions In this talk: balanced Notations: S 3 k 3 Small functions S 1, S 2, S 3 Full construction F Fixed key, k = 0 z L z R 3-round MISTY network A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

9 Feistel and Misty constructions Come from block cipher design: keyed permutation Widely studied, lots of security results known 1 MEDP(F K ) = max δ FK (a,b) a 0,b 2 k K F k 2 2 n 1 MELP(F K ) = max a,b 0 λ F K (a,b) 2 k K F k n MEDP(S i ) p MEDP(F) p 2 [NK95, M96] MELP(S i ) q MELP(F) q 2 [N94, AO97] But not applicable in the fixed key setting! A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

10 MEDP and EMDP Example 3-round Misty structure S i = [A, 7, 9, 6, 0, 1, 5, B, 3, E, 8, 2, C, D, 4, F]. δ(s i ) = 4, MEDP(S i ) = 2 2 MEDP(F) 2 4 For every key, there is a differential with probability 2 3 MEDP bound means: 1 Choose input/output differences 2 For a random key, the differential probability is low No bound when the difference is chosen after the key! A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

11 Feistel: Previous results Theorem ([Li & Wang, CHES 14]) δ(f) 2δ(S 2 ) δ(f) 2 n+1 if S 2 is not a permutation In particular, for n = 4 δ(f) 8, tight A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

12 Theorem Feistel: New results δ(f) δ(s 2 ) max (δ min (S 1 ), δ min (S 3 )) δ(f) 2 n+1 if S 2 is not a permutation δ(f) max i 2,j i,2 δ(s i )δ min (S j ), δ(s i )δ min (S 1 2 ) if S 2 is a permutation In particular, for n = 4 δ(f) 8, tight δ min (S) = min a 0 max b δ S (a, b) Bounds involving all three S-boxes A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

13 Theorem MISTY: New results δ(f) δ(s 1 ) max (δ min (S 2 ), δ min (S 3 )) δ(f) 2 n+1 if S 1 is not a permutation δ(f) max i 1,j 1,i δ(s i )δ min (S j ), δ(s i )δ min (S 1 1 ) if S 1 is a permutation In particular, for n = 4 δ(f) 8, tight δ min (S) = min a 0 max b δ S (a, b) No previous results on fixed-key Misty structure A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

14 δx L = 0 δx R = a S 1 δy R = c Proof Proposition δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Proof δx L = c δx L = c δx R = 0 S 2 δy R = 0 δx R = c S 3 δy R = b c F(x L x R ) F(x L (x R a)) = b c S 3(S 1 (x R ) x L ) S 3 (S 1 (x R a) x L ) = b c, S 2 (x L ) S 1 (x R ) x L S 2 (x L ) S 1 (x R a) x L = c S 3(S 1 (x R ) x L ) S 3 (S 1 (x R a) x L ) = b c, S 1 (x R ) S 1 (x R a) = c x R D S1 (a c) x L S 1 (x R ) D S3 (c b c) δz L = b δz R = c A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

15 δx L = 0 δx R = a S 1 δy R = c Proof Proposition δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Application: if S 1 is not invertible δx L = c δx R = 0 S 2 δy R = 0 Set b = c = 0, δ S3 (0, 0) = 2 n Select a, so that δ S1 (a, 0) 2 δ(f) δ F (0 a, 0 0) 2 n+1 δx L = c δx R = c S 3 δy R = b c δz L = b δz R = c A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

16 δx L = 0 δx R = a S 1 δy R = c Proof Proposition δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Application: if S 1 is invertible δx L = c δx R = 0 S 2 δy R = 0 Select a, c so that δ S1 (a, c) = δ(s 1 ) Select b with δ S3 (c, b c) δ min (S 3 ) δ(f) δ F (0 a, b c) δ(s 1 ) δ min (S 3 ) δx L = c δz L = b δx R = c S 3 δy R = b c δz R = c Select b, c so that δ S3 (c, b c) = δ(s 3 ) Select a with δ S1 (a, c) δ min (S 1 1 ) δ(f) δ F (0 a, b c) δ(s 3 ) δ min (S 1 1 ) A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

17 Proof δx L = 0 δx R = a δx L = a δx R = 0 δx L = b δx R = a S 1 S 1 S 1 δy R = c δy R = 0 δy R = b δx L = c δx R = 0 δx L = a δx R = a δx L = 0 δx R = b S 2 S 2 S 2 δy R = 0 δy R = a c δy R = c δx L = c δx R = c δx L = c δx R = a δx L = c δx R = 0 S 3 S 3 S 3 δy R = b c δy R = b c δy R = 0 δz L = b δz R = c δz L = b δz R = c δz L = c δz R = c A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

18 Application to n = 4 Properties of 4-bit S-Boxes Full classification of 4-bit permutations 302 affine eq. classes [de Cannière; Leander & Poschmann 07] Full classification of 4-bit APN functions 2 extended affine eq. classes [Brinkmann & Leander 08] There exist 4-bit APN functions δ(si ) = 2, δ min (S i ) = 2 There are no 4-bit APN permutations If S i is a permutation, δ(s i ) 4, δ min (S i ) 2 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

19 8-bit MISTY S-Box Theorem δ(f) δ(s 1 ) max (δ min (S 2 ), δ min (S 3 )) δ(f) 2 n+1 if S 1 is not a permutation δ(f) max i 1,j 1,i δ(s i )δ min (S j ), δ(s i )δ min (S 1 1 ) if S 1 is a permutation If S 1 is a permutation, δ(s 1 ) 4, then δ(f) 8 If S 1 is not a permutation, then δ(f) 32 Can we reach δ(f) = 8? A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

20 8-bit MISTY S-Box with δ(f) = 8 Necessary conditions for δ(f) = 8 S 1 a permutation, with δ(s 1 ) = 4 S 2, S 3 APN Proof. Let s assume δ(s 3 ) 4 There exist a, b with δ S3 (a, b) 4 There are two pairs (x, x a), (y, y a) in DS3 (a b) Also two pairs (x, y), (x a, y a) in D S3 (a d ) with a = x y, d = S 3 (x) S 3 (y) Also two pairs (x, y a), (x a, y) in D S3 (a a b b ) There exist three columns a, a, a a, with values 4 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

21 8-bit MISTY S-Box with δ(f) = 8 Necessary conditions for δ(f) = 8 S 1 a permutation, with δ(s 1 ) = 4 S 2, S 3 APN Proof. Let s assume δ(s 3 ) 4 There exist three columns a, a, a a, with values 4 We have δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Lines of δ S1 and columns of δ S3 We need S 1 with three lines a, a, a a with value 2 Property invariant by affine equivalence Test equivalence class: no solution A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

22 Theorem 8-bit Feistel S-Box δ(f) δ(s 2 ) max (δ min (S 1 ), δ min (S 3 )) δ(f) 2 n+1 if S 2 is not a permutation δ(f) max i 2,j i,2 δ(s i )δ min (S j ), δ(s i )δ min (S 1 2 ) if S 2 is a permutation If S 2 is a permutation, δ(s 2 ) 4, then δ(f) 8 If S 2 is not a permutation, then δ(f) 32 Necessary conditions for δ(f) = 8 S 2 a permutation, with δ(s 2 ) = 4 S 1, S 3 APN A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

23 8-bit Feistel & MISTY S-Box Feistel δ(f) 8, tight Requires S 1, S 3 APN, S 2 permutation with δ(s 2 ) = 4 L(F) 48 L(F) 64 if δ(f) < 32 MISTY δ(f) 8, tight Requires S 2, S 3 APN, S 1 permutation with δ(s 1 ) = 4 F is not a permutation! L(F) 48 L(F) 64 if δ(f) < 32 Permutation: δ(f) = 16, tight A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

24 Building a good S-Box for lightweight designs According to previous results, Feistel structure is better We need S 1, S 3 APN, S 2 permutation with δ(s 2 ) = 4 Can we choose them with a small implementation? Small hardware, bitslice software Exhaustive search over small implementations until good property are reached [Üllrich & al. 11] Search sequences of instructions for bit-sliced implementation Use equivalences class to cut branches Minimize non-linear operations A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

25 Concrete example Permutation with δ = 4 Easy search Re-use results from Üllrich et al. 9-instruction solutions 4 non-linear 4 XOR 1 copy 4 NL gates is optimal APN function Expensive search No permutation filtering 6k core-hours 10-instruction solutions But 6 non-linear 11-instruction solutions 4 non-linear 5 XOR 2 copy 4 NL gates is optimal A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

26 Concrete example x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 y 0 y 1 y 2 y 3 y 0 y 1 y 2 y 3 Permutation with δ = 4 APN function A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

27 Results Implem. Properties S-Box Construction, L δ cost AES Inversion Whirlpool Lai-Massey CRYPTON 3-r. Feistel Robin 3-r. Feistel Fantomas 3-r. MISTY (3/5 bits) LS (unnamed) Whirlpool-like New 3-r. Feistel A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

28 Conclusion 1 Bounds on the security of fixed-key Feistel & MISTY networks 2 Application to 8-bit S-Boxes Necessary conditions Refined bounds for permutations Feistel structure is better for 8-bit invertible S-Box 3 Construction of a concrete lightweight S-Box 8-bit S-Box with 3-round Feistel Improvement over previously used S-Boxes A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23

29 Thanks Q uestions? A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23