The Code d'azur and Phoenix Ciphers- A Note on a New Class of Block Ciphers Based on Matrix Transposition

Similar documents
Lecture 12: Block ciphers

Towards Provable Security of Substitution-Permutation Encryption Networks

AES side channel attacks protection using random isomorphisms

Module 2 Advanced Symmetric Ciphers

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Cryptography Lecture 4 Block ciphers, DES, breaking DES

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

An Extended DES. National Chiao Tung University Hsinchu, 300 Taiwan

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

A Block Cipher using an Iterative Method involving a Permutation

V.U.K. Sastry et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (1), 2012,

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Modified Hill Cipher with Interlacing and Iteration

Block Ciphers and Feistel cipher

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

DD2448 Foundations of Cryptography Lecture 3

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Ciphertext-only Cryptanalysis of a Substitution Permutation Network

Differential-Linear Cryptanalysis of Serpent

Diffusion Analysis of F-function on KASUMI Algorithm Rizki Yugitama, Bety Hayat Susanti, Magfirawaty

Lecture Notes. Advanced Discrete Structures COT S

Extended Criterion for Absence of Fixed Points

Algebraic Techniques in Differential Cryptanalysis

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Chosen Plaintext Attacks (CPA)

Classical Cryptography

A Polynomial Description of the Rijndael Advanced Encryption Standard

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION

Benes and Butterfly schemes revisited

Analysis of Some Quasigroup Transformations as Boolean Functions

Structural Cryptanalysis of SASAS

Block Cipher Cryptanalysis: An Overview

Image Encryption and Decryption Algorithm Using Two Dimensional Cellular Automata Rules In Cryptography

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Avalanche Characteristics of Substitution- Permutation Encryption Networks

Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and

Complementing Feistel Ciphers

A Pseudo-Random Encryption Mode

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Symmetric Crypto Systems

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

New Results in the Linear Cryptanalysis of DES

A Weak Cipher that Generates the Symmetric Group

Impossible Differential Cryptanalysis of Mini-AES

A block cipher enciphers each block with the same key.

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

CSCI3381-Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

functions. E.G.BARDIS*, N.G.BARDIS*, A.P.MARKOVSKI*, A.K.SPYROPOULOS**

Introduction to Cryptology. Lecture 2

All-Or-Nothing Transforms Using Quasigroups

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Linear Cryptanalysis of Reduced-Round PRESENT

A Large Block Cipher Involving Key Dependent Permutation, Interlacing and Iteration

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Linear Cryptanalysis

Lecture Notes. Advanced Discrete Structures COT S

Type 1.x Generalized Feistel Structures

Computational security & Private key encryption

CPSC 467: Cryptography and Computer Security

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Jay Daigle Occidental College Math 401: Cryptology

Data and information security: 2. Classical cryptography

Cook-Levin Theorem. SAT is NP-complete

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

CS120, Quantum Cryptography, Fall 2016

Truncated differential cryptanalysis of five rounds of Salsa20

A Five-Round Algebraic Property of the Advanced Encryption Standard

About Vigenere cipher modifications

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Efficient Cryptanalysis of Homophonic Substitution Ciphers

Concurrent Error Detection in S-boxes 1

Solution of Exercise Sheet 7

arxiv: v7 [quant-ph] 20 Mar 2017

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

5. Classical Cryptographic Techniques from modular arithmetic perspective

CPSC 467b: Cryptography and Computer Security

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Symmetric Crypto Systems

Optimal XOR based (2,n)-Visual Cryptography Schemes

Linear Cryptanalysis of RC5 and RC6

New Dynamical Key Dependent S-Box based on chaotic maps

Block ciphers And modes of operation. Table of contents

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Improved Analysis of Some Simplified Variants of RC6

Security of Networks (12) Exercises

Transcription:

COMPUTING SCIENCE The Code d'azur and Phoenix CiphersA Note on a New Class of Block Ciphers Based on Matrix Transposition P. Y. A. Ryan TECHNICAL REPORT SERIES No. CS-TR-1072 February, 2008

TECHNICAL REPORT SERIES No. CS-TR-1072 February, 2008 The Code d'azur and Phoenix Ciphers- A Note on a New Class of Block Ciphers Based on Matrix Transposition Peter. Y. A. Ryan Abstract In this note I describe the use of transposition of binary matrices to create maximal diffusion and confusion in a block cipher. 2008 University of Newcastle upon Tyne. Printed and published by the University of Newcastle upon Tyne, Computing Science, Claremont Tower, Claremont Road, Newcastle upon Tyne, NE1 7RU, England.

Bibliographical details RYAN, P. Y. A.. The Code d'azur and Phoenix Ciphers-A Note on a New Class of Block Ciphers Based on Matrix Transposition [By] P. Y. A. Ryan. Newcastle upon Tyne: University of Newcastle upon Tyne: Computing Science, 2008. (University of Newcastle upon Tyne, Computing Science, Technical Report Series, No. CS-TR-1072) Added entries UNIVERSITY OF NEWCASTLE UPON TYNE Computing Science. Technical Report Series. CS-TR-1072 Abstract In this note I describe the use of transposition of binary matrices to create maximal diffusion and confusion in a block cipher. About the author Peter Ryan is a Professor of CSR. He is responsible for the security and privacy aspects of the DIRC program and is involved in the European MAFTIA project. Prior to joining the CSR, he conducted research in formal methods and information assurance at GCHQ, CESG, DERA, SRI Cambridge, the Norwegian Computing Centre Oslo and the Software Engineering Institute, Carnegie Mellon University. Before migrating into information assurance he was a theoretical physicist and holds a BSc in Theoretical Physics and a PhD in Mathematical Physics from the University of London for research in quantum gravity. He has published numerous articles; the most recent being "Mathematical Models of Computer Security," a chapter in LNCS 2171, is based on lectures given at the FOSAD 2000 Summer School. He is co-author of the book "Modelling and Analysis of Security Protocols," Pearson 2001. Recently he has been active in the area of cryptographic voting schemes, in particular developing the Pret a Voter scheme. He has co-chaired several worskhops in this area, notably WOTe 2006: http://www.wote2006.org/ Suggested keywords SPN BLOCK CIPHERS, STRICT AVALANCHE CRITERION, MAXIMAL DIFFUSION

The Code d Azur and Phoenix Ciphers- A Note on a New Class of Block Ciphers Based on Matrix Transposition P Y A Ryan 1 Introduction In this note I describe the use of transposition of binary matrices to create maximal diffusion and confusion in a block cipher. 2 Background The idea of basing a polygraphic cipher on matrix transposition goes back to an unpublished idea of the author and is in turn an extension of the old idea of fractionating ciphers, [1], to the case of binary representations. To set the scene we first describe how the binary matrix transposition notion can be used to create simple polygraphic ciphers. We will then go on in the next section to adapt the idea for use in a machine, block cipher. 2.1 The Code d Azur The basic form of the cipher acts on blocks of characters of length n. For illustration we describe a version of the cipher using blocks of five characters. First we segment the plaintext into blocks of length five. Suppose that we have an alphabet A of size 32, i.e., the Roman alphabet plus some additional characters. Denote the space of mappings from A into the 5 bit strings by Ψ and define a bijective map from a key space K into Ψ: ψ(k) : K Ψ 1

Similarly, we define a mapping from K into the space of mappings from 5 bit strings to A: ϕ(k) : K (B 5 A) A simple pentagraphic cipher can be constructed from this by taking blocks of five characters in A, translating each character into a 5 bit string via ψ(k 1 ). Each of these strings is written into a row of a 5 5 matrix according to a schedule dictated by a keyed permutation π(k 2 ). The ciphertext characters are read off the columns of the matrix according to a schedule given by π(k 3 ) a and translated into plaintext characters using ϕ(k 4 ). We see that this gives us a pentagraphic cipher that maps blocks of five plaintext characters into blocks of five ciphertext characters. Changing any character of the input plaintext group will result in a 50/50 probability of changing any one of the output ciphertext characters, thus providing maximal diffusion within blocks. The idea can be generalised and extended in various ways: we could use longer strings, hence larger matrices and larger encryption blocks. Matrices do not need to be square. 3 Block ciphers based on binary matrix transposition We now investigate how the idea of matrix transposition can be adapted to form the basis for a class of block ciphers, that we refer to as Phoenix ciphers. We will describe a version with block size 256, though variants with say 128 are also quite feasible. Encryption will involve n rounds. We will assume a suitable key scheduling algorithm that will generate a 256-bit round key for each round. We also assume a suitable S-box style mapping B 8 B 8. The F 8 inversion S-boxes used in AES would be suitable as they are known to be provide resistance to linear and differential attacks. 3.1 Some Notation Intermediate states are best thought of as structured into four segments of 64 bits each. Each segment is then partitioned into eight 8 bit strings. Let: 2

1. s i,j,k denote the ith string of the jth segment of the state in the kth round. s i,j,0 thus denotes the input plaintext strings. 2. k i,j,k denote ith string of the jth segment of the key in the kth round. 3. M j,k denote the jth matrix of the kth round. 4. M i, j,k denote the ith row of the jth matrix of the kth round. 5. M,i j,k denote the ith column of the jth matrix of the kth round. 6. f(s) denote the output of the s-box given input s. 3.2 The Rounds The state of each round will be represented as four 8 by 8 matrices. The first round of encryption proceeds as follows: Each plaintext input strings is ed with the first round key strings and put through the s-box transformation: s i,j,1 := f(s i,j,0 k i,j,1 ) The resulting strings are written into the rows of the first round matrices: M i, j,1 := s i,j,1 These four 8 by 8 matrices now constitute the state of the first round. The state of the second round is formed from the these four matrices as follows: we read down the columns of the matrices to give 8 bit substrings. Each of these 8-bit strings is ed with the appropriate key string and then fed through the S-box. The resulting transformed 8-bit strings are now written into the rows of the round two matrices according to a pattern designed to maximise diffusion and ensure the Strict Avalanche Criterion. More precisely, from the first matrix we read of the first two columns, we these with appropriate substrings of the second round key and the resulting strings are put through the s-box transform. The resulting pair of 8 bit strings are written into the first two rows of the first matrix of the 3

second round. The order of the rows may be governed by a further keyed permutation, but we will not discuss this possibility in this note. The next two columns of the first round one matrix are similarly ed with key strings, s-box transformed and written into first two rows of the second, second round matrix and so on until all the columns of the first matrix have been written into the first two rows of all four of the second round matrices. Notice that each of the second round matrices has its first two rows derived from pairs of columns drawn from the first, round one matrix. The columns of the second, round one matrix are similarly treated and written into the third and fourth of rows of the second round matrices, and so on for the third and fourth, round one matrices. The upshot of all this is that each second round matrix will have two rows derived from two columns of each of the first round matrices. This is to guarantee that the Strict Avalanche Criterion, [2], is achieved: for every output bit b i of the final ciphertext, flipping any input bit will have a 1/2 probability of flipping b i. More formally, the initial state is constructed as: M i, j,1 := f(s i,j,0 k i,j,1 ) The state matrices of the k + 1th round computed from the state of the kth round as follows: where i = 2l + p 2. M i,,p+2j j,k+1 := f(m l,k k i,j,k ) The final ciphertext string of 256 bits is derived from the state of the nth round by simply reading off the columns of the state marices in order, ing them with the strings of the final key string and S-box transforming them. c i,j := f(m,i j,n k i,j,n) 4 The Strict Avalanche Criterion Proof: the s-boxes ensure that flipping an input bit in any 8 bit sub-string results in a 1/2 probability of flipping each of corresponding 8 bits of output. 4

Thus the bits of the corresponding row in the matrix each have a 1/2 probability of being flipped. Thus for each of the column of this matrix there is a 1/2 probability that the input to the s-box has been altered and so a 1/4 probability of each of the output bits from the s-box being flipped. Thus, by feeding the output of two such columns into rows of each of the matrices of the next stage, we ensure that the probability that each of the resulting columns of each matrix has a 1/2 probability of being altered. 5 Decryption Decryption is achieved by simply running the above algorithm in reverse. 6 128 Block Version The above scheme can easily be adapted to a 128 bit version. To do this we simply use two 8 by 8 matrices and, instead of deriving two rows of each k + 1the round matrix from two columns of each of the kth round matrices, we now derive four columns. References [1] David Kahn. The codebreakers, 1996. Shribner. [2] A. F. Webster and Stafford E. Tavares. On the design of s-boxes, 1985. Advances in Cryptology - Crypto 85, LNCS vol 219. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback