MATRIX POWER S-BOX ANALYSIS 1. Kestutis Luksys, Petras Nefas

Similar documents
Matrix Power S-Box Construction

The simplest method for constructing APN polynomials EA-inequivalent to power functions

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

A note on the multiplication of sparse matrices

Finite fields. and we ve used it in various examples and homework problems. In these notes I will introduce more finite fields

Block designs and statistics

s = (Y Q Y P)/(X Q - X P)

Feature Extraction Techniques

Uniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval

Fast Montgomery-like Square Root Computation over GF(2 m ) for All Trinomials

This model assumes that the probability of a gap has size i is proportional to 1/i. i.e., i log m e. j=1. E[gap size] = i P r(i) = N f t.

Lecture 21. Interior Point Methods Setup and Algorithm

Estimation of the Mean of the Exponential Distribution Using Maximum Ranked Set Sampling with Unequal Samples

. The univariate situation. It is well-known for a long tie that denoinators of Pade approxiants can be considered as orthogonal polynoials with respe

AN APPLICATION OF CUBIC B-SPLINE FINITE ELEMENT METHOD FOR THE BURGERS EQUATION

The Fundamental Basis Theorem of Geometry from an algebraic point of view

Lecture 13 Eigenvalue Problems

Model Fitting. CURM Background Material, Fall 2014 Dr. Doreen De Leon

Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions

A remark on a success rate model for DPA and CPA

Multicollision Attacks on Some Generalized Sequential Hash Functions

TABLE FOR UPPER PERCENTAGE POINTS OF THE LARGEST ROOT OF A DETERMINANTAL EQUATION WITH FIVE ROOTS. By William W. Chen

Goals of Cryptography. Definition of a Cryptosystem. Security Kerckhoff's Requirements

Soft Computing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis

Quadratic Equations from APN Power Functions

Page 1 Lab 1 Elementary Matrix and Linear Algebra Spring 2011

The Simplex Method is Strongly Polynomial for the Markov Decision Problem with a Fixed Discount Rate

A Self-Organizing Model for Logical Regression Jerry Farlow 1 University of Maine. (1900 words)

Introduction to Robotics (CS223A) (Winter 2006/2007) Homework #5 solutions

Revisiting the security model for aggregate signature schemes

ON REGULARITY, TRANSITIVITY, AND ERGODIC PRINCIPLE FOR QUADRATIC STOCHASTIC VOLTERRA OPERATORS MANSOOR SABUROV

PEA: Polymorphic Encryption Algorithm based on quantum computation. Nikos Komninos* and Georgios Mantas

A Five-Round Algebraic Property of the Advanced Encryption Standard

Elliptic Curve Scalar Point Multiplication Algorithm Using Radix-4 Booth s Algorithm

Closed-form evaluations of Fibonacci Lucas reciprocal sums with three factors

CHARACTER SUMS AND RAMSEY PROPERTIES OF GENERALIZED PALEY GRAPHS. Nicholas Wage Appleton East High School, Appleton, WI 54915, USA.

Divisibility of Polynomials over Finite Fields and Combinatorial Applications

arxiv: v1 [math.na] 10 Oct 2016

Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Time-Varying Jamming Links

Parallel stream cipher for secure high-speed communications

13.2 Fully Polynomial Randomized Approximation Scheme for Permanent of Random 0-1 Matrices

Combinatorial Primality Test

ASSUME a source over an alphabet size m, from which a sequence of n independent samples are drawn. The classical

CHAPTER 8 CONSTRAINED OPTIMIZATION 2: SEQUENTIAL QUADRATIC PROGRAMMING, INTERIOR POINT AND GENERALIZED REDUCED GRADIENT METHODS

Quantum public-key cryptosystems based on induced trapdoor one-way transformations

Topic 5a Introduction to Curve Fitting & Linear Regression

The Frequent Paucity of Trivial Strings

Polygonal Designs: Existence and Construction

The Distribution of the Covariance Matrix for a Subset of Elliptical Distributions with Extension to Two Kurtosis Parameters

Order Recursion Introduction Order versus Time Updates Matrix Inversion by Partitioning Lemma Levinson Algorithm Interpretations Examples

ON THE TWO-LEVEL PRECONDITIONING IN LEAST SQUARES METHOD

ALGEBRA REVIEW. MULTINOMIAL An algebraic expression consisting of more than one term.

A Markov Framework for the Simple Genetic Algorithm

Analysis of Some Quasigroup Transformations as Boolean Functions

3.3 Variational Characterization of Singular Values

Distributed Subgradient Methods for Multi-agent Optimization

On Conditions for Linearity of Optimal Estimation

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics

e-companion ONLY AVAILABLE IN ELECTRONIC FORM

THE KALMAN FILTER: A LOOK BEHIND THE SCENE

Chapter 6 1-D Continuous Groups

Randomized Recovery for Boolean Compressed Sensing

Lecture 21 Principle of Inclusion and Exclusion

Final Exam Practice: Part II Math MULTIPLE CHOICE Choose the one alternative that best completes the statement or answers the question.

Bernoulli Wavelet Based Numerical Method for Solving Fredholm Integral Equations of the Second Kind

Identity-Based Key Aggregate Cryptosystem from Multilinear Maps

Jordan Journal of Physics

Probability Distributions

On Concurrent Detection of Errors in Polynomial Basis Multiplication

CSE525: Randomized Algorithms and Probabilistic Analysis May 16, Lecture 13

PHY307F/407F - Computational Physics Background Material for Expt. 3 - Heat Equation David Harrison

A Link Between Integrals and Higher-Order Integrals of SPN Ciphers

Moment of Inertia. Terminology. Definitions Moment of inertia of a body with mass, m, about the x axis: Transfer Theorem - 1. ( )dm. = y 2 + z 2.

Construction of Some New Classes of Boolean Bent Functions and Their Duals

Tight Bounds for Maximal Identifiability of Failure Nodes in Boolean Network Tomography

G G G G G. Spec k G. G Spec k G G. G G m G. G Spec k. Spec k

List Scheduling and LPT Oliver Braun (09/05/2017)

Differential properties of power functions

THE POLYNOMIAL REPRESENTATION OF THE TYPE A n 1 RATIONAL CHEREDNIK ALGEBRA IN CHARACTERISTIC p n

COS 424: Interacting with Data. Written Exercises

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

RESTARTED FULL ORTHOGONALIZATION METHOD FOR SHIFTED LINEAR SYSTEMS

About the definition of parameters and regimes of active two-port networks with variable loads on the basis of projective geometry

arxiv: v1 [math.nt] 14 Sep 2014

Multiplicative Complexity Reductions in Cryptography and Cryptanalysis

Interactive Markov Models of Evolutionary Algorithms

REDUCTION OF FINITE ELEMENT MODELS BY PARAMETER IDENTIFICATION

C na (1) a=l. c = CO + Clm + CZ TWO-STAGE SAMPLE DESIGN WITH SMALL CLUSTERS. 1. Introduction

CMES. Computer Modeling in Engineering & Sciences. Tech Science Press. Reprinted from. Founder and Editor-in-Chief: Satya N.

The Weierstrass Approximation Theorem

Optimal Jamming Over Additive Noise: Vector Source-Channel Case

Testing equality of variances for multiple univariate normal populations

Prediction by random-walk perturbation

Accuracy of the Scaling Law for Experimental Natural Frequencies of Rectangular Thin Plates

Feedforward Networks

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

A Note on Online Scheduling for Jobs with Arbitrary Release Times

Algorithms for parallel processor scheduling with distinct due windows and unit-time jobs

Estimating Parameters for a Gaussian pdf

AES side channel attacks protection using random isomorphisms

Transcription:

International Book Series "Inforation Science and Coputing" 97 MATRIX POWER S-BOX ANALYSIS Keutis Luksys, Petras Nefas Abract: Conruction of syetric cipher S-bo based on atri power function and dependant on key is analyzed. The atri consiing of plain data bit rings is cobined with three round key atrices using arithetical addition and eponent operations. The atri power eans the atri powered by other atri. This operation is linked with two sound one-way functions: the discrete logarith proble and decoposition proble. The latter is used in the infinite non-coutative group based public key cryptosyes. The atheatical description of proposed S-bo in its nature possesses a good confusion and diffusion properties and contains variables of a cople type as was forulated by Shannon. Core properties of atri power operation are forulated and proven. Soe preliinary cryptographic characteriics of conructed S-bo are calculated. Keywords: Matri power, syetric encryption, S-bo. ACM Classification Keywords: E.3 Data Encryption, F.2. Nuerical Algoriths and Probles. Conference: The paper is selected fro Sith International Conference on Inforation Research and Applications i.tech 2008, Varna, Bulgaria, June-July 2008 Introduction As it is known, the design criteria for the block ciphers as for other cryptographic syes are related with the known cryptoanalytic attacks. It is essential that after the new attack invention the old design criteria u be changed. Traditional design criteria are oriented to the o powerful attacks such as linear and differential and were successfully satisfied for the several known ciphers, for eaple AES, Serpent, Caellia Miy/Kasui etc. It was shown that the non-linearity properties of the inverse function in GF(2 n ) used as a single non-linear coponent in AES are close to optiality with respect to linear, differential and higher-order differential attacks [Canteaut and Videau, 2002]. But nevertheless it is shown that any known optial ciphers have a very siple algebraic ructure and are potentially vulnerable to the algebraic attack. This attack was declared in [Schauuller-Bihl, 983] and developed in [Courtois and Pieprzyk, 2002]. The vulnerability is related to S-bo description by iplicit input/output and key variables algebraic equations of polynoial type. For eaple the AES can be described by the sye of ultivariate quadratic equations in GF (2 8 ) for which the XL or XSL attack can be applied in principle. Then there is a principal opportunity to find the solution of these equations by soe feasible algorith that ight be of subeponential tie and recover the key fro a few plaintet/ciphertet pairs. The algebraic attack changes soe old security poulates [Courtois, 2005]:. The copleity is no longer condened to grow eponentially with the nuber of rounds. 2. The nuber of required plaintets ay be quite sall (e.g. ). 3. The wide trail rategy should have no ipact whatsoever for the copleity of the attack. Despite the fact that there are no practical results of breaking the entire AES by algebraic attack yet, it is sensible to build the new design ethods possessing a higher resiance to algebraic attack. According to Courtois the design of ciphers will never be the sae again and this is supported by the declared new ideas for the S-bo Work supported by the Lithuanian State Science and Studies Foundation

98 Advanced Studies in Software and Knowledge Engineering conruction laying on the sufficiently large rando S-boes to prevent all algebraic attacks one can think [Courtois et al., 2005]. In this paper we further discus so called atri power operation introduced in [Sakalauskas and Luksys, 2007] for a atri power S-bo conruction. Matri power S-bo is based on odular eponentiation over GF(2 n ). This leads to soe generalization of discrete logarith proble (DLP) using a atri group action proble over Galois field. The idea to use the group or seigroup action proble in vectorial spaces for the asyetric cryptographic priitives conruction can be found in [Monico, 2002]. We have generalized this approach and applied it to our S-bo conruction. As a result we have obtained soe one way function (OWF) which is linked not only with a classical DLP but also with so called decoposition proble (DP), used in the asyetric cryptosyes based on the hard probles in infinite non-coutative groups [Shpilrain and Ushakov, 2005]. The sae kind of DP is used also in digital signature schee and key agreeent protocol conruction [Sakalauskas, 2005] and [Sakalauskas et al., 2007]. Preliinaries Let us define atrices over GF(2 n ). The set of all those atrices over GF(2 n ) we denote as M. Plaintet and ciphertet data is represented in this set. We do not introduce any internal operations in the set M. For further considerations we are intereed only in eternal operations perfored in this set. Let M G be a group of atrices over N 2 n with the coonly defined atri ultiplication operation and atri inverse. Keys atrices should be chosen fro M G. Matri group M G left and right action operations in the set M are denoted by and respectively. In a foral way is a apping : M G M M and : M M G M. Then L, R M G and X M there ei soe Y, Z M such that L X Y and X R Z. The eleents of atrices L, X, R, Y and Z we denote by the indeed set of its eleents respectively, i.e. by { } we denote atri X. We have chosen the following action operations which can be written for the atri equation L X Y eleents y s l is sj, () and for the atri equation X R Z eleents z t rtj it. (2) The ultiplication and power operations are perfored using GF (2 n ) arithetic, i.e. odulo irreducible polynoial. Eaple. To give a siple eaple, let us assue that all atrices have two rows and two coluns, i.e. 2. In this case, atri Y can be epressed in the following way l l2 l l l 2 l2 2 2 2 22 Y L X l2 l22 l2 l22. l 2 l 22 2 22 2 2 22 Matri Z can be epressed in the following way r r2 r2 r 22 2 r r2 2 2 Z X R 2 2 22. r r r 2 22 r2 r22 2 22 2 22

International Book Series "Inforation Science and Coputing" 99 Matri power S-bo The S-bo input data we denote by atri D with eleents being binary rings in vector space F 2. n Using the certain key epansion procedure we can generate the round keys for encryption: atri K over F 2 and atrices L, R M G. Input/output and key atrices are all of the sae size. S-bo transforations of input data D to ciphered output data C are perfored as follows: D + K + X, (3) L X R C, (4) where D + K + denotes the ordinary arithetical addition of atrices odulo 2 n ; is the atri consiing of arithetical unity eleents in. Cobining (3) and (4) we obtain n F 2 L (D + K + ) R C. (5) Fro (3) we obtain a atri X M which does not contain zero eleents, i.e. is without zero binary rings. This is necessary because of ultiplications. If there would be at lea one zero eleent, then ciphertet will be zero atri. We can write now the iplicit forula for an eleent c : c t s lis rtj t s where is a bit ring corresponding to arithetical unit in l r is tj ( d + k + ), (6) Since M G is a group of atrices, then there eis the inverse atri R such that RR R R I, where I is the identity atri. Decryption operation can be written siilarly to (5): L C R K D. (7) Resulting atri of inverse S-bo can be epressed like this: d where { / t s l r n F 2. is tl c k, (8) / l } L and { r } R. Thus, we have to be able to calculate inverse atrices of L and R keys for decryption. Key atri K reains the sae, only during decryption ordinary subtraction is used inead of addition. For the validity of the la equations the left-right action operations u satisfy the following properties:. The action operations u be associative, i.e. L 2 (L X) (L 2 L ) X, (9a) (X R ) R 2 X (R R 2 ). (9b) 2. The action operations are both left and right invertible, i.e. L (L X) (L L) X I X X, (0a) (X R ) R X (R R) X I X. (0b) Theore. The action operations are associative. Proof. Let us consider encryption and decryption schee with plaintet atri X, key atries L and R, their inverse atrices L and R and cipher tet atri C. According to (4) and (7), following relations should be true: L X R C, L C R X. n

00 Advanced Studies in Software and Knowledge Engineering For the siplicity, we oit atri K here and consider that atri X has no zero eleents. This does not affect generality because atri K is added before atri power operation and subtracted after, in case of inverse S- bo. Then plaintet atri X can be epressed following way: X L C R v u t s Thus we receive that L t s ( L X R) lus rtv l iu rvj / / lus l iu rtv rvj u v R L t s v u t s ( L X R) R ( L L) X ( RR ) L // lik rtj t s lus rtv l iu rvj // lis rtj R // L X R t s v u t s lus rtv l iu rvj v u ( L L) X ( RR ). () We used ordinary features of power function and atri ultiplication, so this equation holds for any atrices. Lea. Defined atri power operation has the following property: if key atrices are identities, then resulting atri of ciphertet is equal to the atri of plaintet. Proof. Any eleent of ciphertet atri can be written following way: c t lii rjj rivluj tvu. u v v j & u i If key atrices are L R I, then we have that l ii r jj for any i and j fro to, and l r jj 0, if i j: 0 t tvu u v v j & u i c t. Theore 2. The action operations are both left and right invertible. Proof. According to () and Lea we obtain: ( L X R) R ( L L) X ( RR ) I X I X L Key atrices lus rtv liu rvj. (2) Key atrices L and R should be invertible in order that defined atri power S-bo would be bective, i.e. would have inverse S-bo. This is obvious fro the (2). Decryption of the ciphertet can be done only with L and R atrices. If L or R did not have inverse, then atri power S-bo is surjective and inverse S-bo does not ei. Matrices L and R are chosen fro group M G, therefore they have inverse atrices. The proble is, how to conruct group M G that it would be large enough and brute force attacks would be useless. One of the ethods is to use the certain non-coutative group representation in the set of atri group GL(, GF(2 n )). The non-coutative group is presented by finite sets of generators and relations. Then it is required to conruct representation atrices and their inverses for each initial group generator [Sakalauskas and Luksys, 2007]. Other ethod is to generate rando atrices and to check if they are invertible. We have used this ethod to evaluate key space and atri power S-bo security properties.

International Book Series "Inforation Science and Coputing" 0 For the analysis, we have chosen 3 3 atrices ( 3) and n 7. In this case key atrices L and R are over N 27 and data atrices are over GF(2 7 ). Irreducible polynoial was 7 + +. Key atrices L and R have nine eleents and each eleent can be randoly chosen fro 27 values. Thus we can generate 27 9 2 62.9 diinct atrices. But that would be all possible variants, including those atrices, which do not have inverse. We have generated 2 34 atrices and 0.969% of those atrices were not invertible. Therefore rough eiate of atri power key space would be around 2 63 (for two key atrices). Group No. Table. Cryptographic characteriics of 500 000 rando invertible atri power S-boes Algebraic Algebraic Algebraic k- quadratic biaffine Percentage, Bective Nonlinearity degree unifor equations equations % iunity iunity. T 4 56 2 2 9,53-0,9 2. T 6 54 2 2 5,63 2 2,68 5,5 3. T 5 44 4 2 9,53 2 9,65 3,5 4. T 5 44 4 2 9,53 2 9,44,8 5. T 5 44 4 2 9,53 2 9,23 0,2 6. T 5 44 6 2 3,84 2 2 0,9 7. T 4 56 2 2 0,75 2 9,65 3,5 8. T 4 56 2 2 0,75 2 9,44,8 9. T 4 56 2 2 0,75 2 9,23 0,2 0. T 4 56 2 2,72 2 2,0. T 3 56 2 2 9,53 2 999,0 2. T 3 44 4 2 9,53 2 9,65 3,6 3. T 3 44 4 2 9,53 2 9,44,8 4. T 3 44 4 2 9,53 2 9,23 0,2 5. T 3 44 6 2 3,84 2 2,0 6. T 2 56 2 2 0,75 2 9,65 3,5 7. T 2 56 2 2 0,75 2 9,44,8 8. T 2 56 2 2 0,75 2 9,23 0,2 9. T 2 56 2 2,72 2 2 0,9 20. T 0 28 2 7,84 2 6,34 5,5 2. F 7 0 2 2 7,7 2 6,34,5 22. F 7 0 2 2 7,35 2 6,294 0, It is very difficult to evaluate cryptographic characteriics of S-bo with 54 bit input and 63 bit output. Therefore we have ade two siplifications for the security analysis. Fir of all we did not do key addition (3). If data atri had zero eleent (-s) that atri was left unchanged. This let us to analyze S-bo with equal input and output size. For the second siplification, we fied all input atri eleents ecept one and analyzed only one particular eleent of the output atri. This led us to the analysis of the S-bo with input and output size of 7 bits. We have chosen to evaluate five cryptographic characteriics: algebraic degree [Meier et al., 2004], nonlinearity, differential coefficient k-unifor, algebraic quadratic equations iunity and algebraic biaffine equations iunity [Courtois et al., 2005]. Algebraic iunity is calculated as follows: Γ t n where t is nuber of ters in algebraic noral for (ANF) of Boole function, n nuber of variables, r nuber of biaffine or quadratic equations. t r,

02 Advanced Studies in Software and Knowledge Engineering We have generated 500 000 rando invertible atri power S-boes. Analysis results are shown in Table. We have grouped all generated S-boes into 22 groups according their characteriics. Two groups of S-boes are not bective, i.e. the representation of one eleent of input atri into one output atri eleent is not bective, but the whole atri power S-bo reains invertible. Group 20 th represents S-boes which perfors a linear transforation. Characteriics of groups 9 are siilar to those of ordinary power functions, like Gold, Kasai, Niho etc. [Cheon and Lee, 2004]. These are ju preliinary results and further analysis of atri power S-bo should be done. Conclusion In this paper we have analyzed key depended S-bo based on introduced atri power operation. We have forulated and proven core properties of this operation. Soe preliinary cryptographic characteriics of conructed S-bo are calculated. Characteriics of siplified version of atri power S-bo are siilar to those of ordinary power functions, like Gold, Kasai, Niho etc. Bibliography [Canteaut and Videau, 2002] A. Canteaut and M. Videau. Degree of coposition of highly nonlinear functions and applications to higher order differential cryptanalysis. Advances in Cryptology Eurocrypt 2002, Springer Verlag 2002. [Cheon and Lee, 2004] J.H. Cheon, D.H. Lee. Resiance of S-boes again Algebraic Attacks. Fa Software Encryp tion, LNCS 307, pp. 83-94, Springer-Verlag, 2004. [Courtois, 2005] N.T. Courtois. General Principles of Algebraic Attacks and New Design Criteria for Cipher Coponents. Advanced Encryption Standard AES, LNCS 3373, pp. 67-83, 2005. [Courtois et al., 2005] N.T. Courtois, B. Debraize and E. Garrido. On eact algebraic [non-]iunity of S-boes based on power functions. Cryptology eprint Archive: Report, no. 203 (2005), http://eprint.iacr.org/2005/203. [Courtois and Pieprzyk, 2002] N.T. Courtois and J. Pieprzyk. Cryptanalysis of Block Ciphers with Overdefined Syes of Equations. Proceedings of Asiacrypt 2002, LNCS 250, pp. 267-287, Springer-Verlag, 2002. [Meier et al., 2004] W.Meier, E.Pasalic and C.Carlet. Algebraic Attacks and Decoposition of Boolean Functions. Advances in Cryptology - EUROCRYPT 2004, LNCS 3027, Springer Berlin / Heidelberg, 2004, pp. 474-49. [Monico, 2002] C. Monico. Seirings and Seigroup actions in Public Key Cryptography. PhD. thesis, University of Notre Dae, May 2002. [Sakalauskas and Luksys, 2007] E.Sakalauskas and K.Luksys, Matri Power S-Bo Conruction. Cryptology eprint Archive: Report, no. 24 (2007), http://eprint.iacr.org/2007/24. [Sakalauskas et al., 2007] E. Sakalauskas, P. Tvaronas and A. Raulinaitis. Key Agreeent Protocol (KAP) Using Conjugacy and Discrete Logarith Probles in Group Representation Level, Inforatica, Vol. 8, No., 2007, pp. 5-24. [Sakalauskas, 2005] E. Sakalauskas. One Digital Signature Schee in Seiodule over Seiring, Inforatica, vol. 6, no. 3, 2005, pp. 383-394. [Schauuller-Bichl, 983] Schauuller-Bichl. Cryptanalysis of the Data Encryption Standard by the Method of Foral Coding. Advances in Cryptology EUROCRYPT-982, LNCS 49, Springer-Verlag, 983, pp. 235-255. [Shpilrain and Ushakov, 2005] V. Shpilrain and A. Ushakov. A new key echange protocol based on the decoposition proble. Cryptology eprint Archive: Report, no. 447 (2005), http://eprint.iacr.org/2005/447. Authors' Inforation Keutis Luksys PhD udent, Kaunas University of Technology, Studentu. 50-327A, Kaunas 5368, Lithuania; e-ail: keutis.luksys@ktu.lt. Petras Nefas Dr., Head of Division, GRC of State Security Departent, Lithuania; e-ail: petras.nefas@gail.co.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback