A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION

Similar documents
Towards Provable Security of Substitution-Permutation Encryption Networks

Affine equivalence in the AES round function

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis

Extended Criterion for Absence of Fixed Points

Avalanche Characteristics of Substitution- Permutation Encryption Networks

Hyper-bent Functions

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Functions on Finite Fields, Boolean Functions, and S-Boxes

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Analysis of Some Quasigroup Transformations as Boolean Functions

Diffusion Analysis of F-function on KASUMI Algorithm Rizki Yugitama, Bety Hayat Susanti, Magfirawaty

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Algebraic nonlinearity and its applications to cryptography

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

AES side channel attacks protection using random isomorphisms

BLOCK ciphers are widely used in the field of information

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Specification on a Block Cipher : Hierocrypt L1

A New Algorithm to Construct. Secure Keys for AES

Non-Separable Cryptographic Functions

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Analysis of cryptographic hash functions

Provable Security Against Differential and Linear Cryptanalysis

functions. E.G.BARDIS*, N.G.BARDIS*, A.P.MARKOVSKI*, A.K.SPYROPOULOS**

Smart Hill Climbing Finds Better Boolean Functions

Rotation-k Affine-Power-Affine-like Multiple Substitution-Boxes for Secure Communication

A Five-Round Algebraic Property of the Advanced Encryption Standard

Multiplicative complexity in block cipher design and analysis

Improved Cascaded Stream Ciphers Using Feedback

Improved S-Box Construction from Binomial Power Functions

Revisit and Cryptanalysis of a CAST Cipher

Statistical and Linear Independence of Binary Random Variables

Hardware Design and Analysis of Block Cipher Components

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function

Structural Cryptanalysis of SASAS

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

Open problems related to algebraic attacks on stream ciphers

Linear Cryptanalysis of Reduced-Round PRESENT

Differential properties of power functions

Research Article A Novel Technique for the Construction of Safe Substitution Boxes Based on Cyclic and Symmetric Groups

How Fast can be Algebraic Attacks on Block Ciphers?

An Analytical Approach to S-Box Generation

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

On Feistel Structures Using a Diffusion Switching Mechanism

An Extended DES. National Chiao Tung University Hsinchu, 300 Taiwan

New Dynamical Key Dependent S-Box based on chaotic maps

Block Ciphers and Systems of Quadratic Equations

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

A Polynomial Description of the Rijndael Advanced Encryption Standard

Constructing differential 4-uniform permutations from know ones

Matrix Power S-Box Construction

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Algebraic properties of SHA-3 and notable cryptanalysis results

A New Approach for Designing Key-Dependent S-Box Defined over GF (2 4 ) in AES

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

Perfect Diffusion Primitives for Block Ciphers

Chapter 1 - Linear cryptanalysis.

On Correlation Between the Order of S-boxes and the Strength of DES

arxiv:math/ v1 [math.co] 24 Oct 2000

An Algebraic Framework for Cipher Embeddings

Concurrent Error Detection in S-boxes 1

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010

jorge 2 LSI-TEC, PKI Certification department

Algebraic Aspects of Symmetric-key Cryptography

Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and

Structural Evaluation by Generalized Integral Property

Essential Algebraic Structure Within the AES

CCZ-equivalence and Boolean functions

Generalized hyper-bent functions over GF(p)

Bitslice Ciphers and Power Analysis Attacks

Complementing Feistel Ciphers

Quadratic Almost Perfect Nonlinear Functions With Many Terms

On the Symmetric Property of Homogeneous Boolean Functions

DES S-box Generator. 2 EPFL, Switzerland

S-box (Substitution box) is a basic component of symmetric

On Cryptographic Properties of the Cosets of R(1;m)

Improbable Differential Cryptanalysis and Undisturbed Bits

Structural Cryptanalysis of SASAS

Higher-order differential properties of Keccak and Luffa

Block ciphers sensitive to Gröbner Basis Attacks

Céline Blondeau, Anne Canteaut and Pascale Charpin*

Truncated and Higher Order Differentials

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

KFC - The Krazy Feistel Cipher

On Existence and Invariant of Algebraic Attacks

A Sound Method for Switching between Boolean and Arithmetic Masking

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Royal Holloway University of London

On values of vectorial Boolean functions and related problems in APN functions

Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Security Strength Evaluation of Some Chaos Based Substitution-Boxes

A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Table Of Contents. ! 1. Introduction to AES

Higher-order differential properties of Keccak and Luffa

Thesis Research Notes

Transcription:

A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION Claudia Peerez Ruisanchez Universidad Autonoma del Estado de Morelos ABSTRACT In this paper is proposed a new algorithm to construct S-Boxes over GF(28) with Branch Number value at least 3. This is an important property that guarantees a high diusion in the S-Box [12]. Also are introduced some defnition and properties that show the be- havior of S-Boxes under the composition with affine functions. Finally is presented a comparision between this algorithm and the method pro-posed by Tavares [12]. 1 INTRODUCATION In his paper Communication Theory of Secrecy Systems", Claude Shannon defines confusion and diffusion as two essential properties for block cipher design. S-Boxes to be used in this cryptographic algorithms require the compliance of criteria such as Nonlinearity, Branch Number, Algebraic Degree and Differential Characteristic, which bring security against differential and linear cryptanalysis [9][10]. In 1994 Tavares [12] proposes a method to and S-Boxes with a desired value of Branch Number. The principal problem of this proposal is that the obtained S-Boxes can have a big number of fixed points and his Nonlinearity values were small to be used in Block Ciphers. In this paper we propose a new algorithm to construct S-Boxes with Branch Number at least 3. In this method the obtained S-Boxes doesn't have fixed points and his Nonlinearity values are acceptable. Also we present the definition of Parameter Set and introduce some properties that allow show when the parameter set of a S-Box is invariant under the composition with affine transformations. This have an special importance because we can obtain dynamic S-Boxes for Block Ciphers constructing one with good Parameter Set and making the composition with a_ne functions. 2 THEORETICAL ASPECTS In this section are presented some definitions related with S-boxes design that are very important for a better understanding of the paper. DOI : 10.14810/ijscmc.2015.4303 41

Definition 1. A function II : GF(2) n GF(2) m is called an n m S-Box, in which any input of n bits is transformed into output of m bits There are many criteria dedicated to measure the cryptographic security of S-Boxes. However, does not exists an universal measure that allow affirm which of this are the most important to take into account in S-Box design. We will work with the four criteria presented bellow [11]: Definition 2 (Nonlinearity). Let f : (GF(2)) n (GF(2)) n the nonlinearity of this function denoted by nl(f) is the magnitude: when A n is the set of affine functions and wt is the Hamming weight. Definition 3 (Algebraic Degree). Let f(x 1 ; x 2 x n ) a boolean function of n variables, then f could be represented as (ANF): when the coefficients a0, ai, aij,.,a12..n {0,1}. The number of variables in the product of higher order with non-zero coefficients is known as algebraic degree of f. The algebraic degree of a vectorial boolean function is the minimum algebraic degree of all nonzero linear combinations of his component functions. Definition 5 (Branch Number). The branch number (diffusion coefficient) of f : GF(2) n GF(2) n is defined as the value obtained from the expression: This four criteria: branch number, algebraic degree, nonlinearity and differential characteristic are very important because they provide the necessary elements against the linear and differential cryptanalysis. 42

Linear Cryptanalysis The main objective of linear cryptanalysis if to find a linear probabilistic relation for a part of the cipher equation that connects the input and the output data. Also this relation must be complied with a probability significantly different of 1/2. If this probability is denoted by pl is necessary minimize the magnitude to obtain a good security against this kind of attack. If we assume that the X was selected randomly, then; the better linear approximation of an S-Box in the form be obtained with probability pe. Also For example if we have a SP network with 10 rounds and an 8 8 S-Box with NL(II) = 112 like in AES, will be necessary at least 2 62 known plain-text to obtain a bit of the key. Differential Cryptanalysis In many of his papers Biham and Shamir show the witness of some ciphers against the differential cryptanalysis for this reasonis fundamental guaranties the protection against this kind of attack. In [12] is defined the probability of the difference par ( X, Y) in an S-Box to the probability that Y occurs when one of the input values is selected randomly and the other is deduced from the relation X. The probability of the most frequently par was denoted as pδ. Many authors affirm that the minimization of pδ brings resistance against differential cryptanalysis. O'Connor [13] shows that for a values of n, The probability of the difference par in an S-Box is expected less than the value. For example in an 8 8 S- Box pδ. 2-4. Another frequently cause of high probability characteristic is the pour diffusion in the S-Box bits [13][12]. 3 S-BOX CHARACTERIZATION In this section we introduce some definitions that allow us characterize S-Boxes from the values obtained in the four criteria shown before. Definition 6. Let II : GF(2 n ) GF(2 n ) we called Parameter Set of II to the vector when the parameters pe, bn, pδ, deg denote the static probability, branch number, characteristic probability and the algebraic degree of II respectively. 43

The definition shown before brings the necessary tools to introduce the next definition from whom will be characterize the S-Boxes. Another important approach would be posses dynamic S-Boxes in the cipher. However in practice is very difficult find S-Boxes with an acceptable parameter set. With this porpoise is presented the next definition. Definition 8. Let II 1 : GF(2n) GF(2 n ) and II 2 : GF(2 n ) GF(2 n ). We say that II 1 y II 2 are left affine equivalents if exists an affine function A : GF(2 n ) GF(2 n ) so that: Affine functions are very easy to construct, for this reason we could maybe think about obtain S- Boxes with an acceptable parameter set from the composition of one with an acceptable parameter set selected a priory and an affine function. Take this into account is important to know the be haviour of this composition. For this reason we consider the next example. The above example serves as a basis to demonstrate the following properties, which are an essential contribution to the development of this study. Proposition 1. Let II1 : GF(2 n ) GF(2 n ) and II2 : GF(2 n ) GF(2 n )S-Boxes left affine equivalent. Then we have that: 44

For static probability a similar result could be obtain: Proposition 2. Let II1 : GF(2 n ) GF(2 n ) and II2 : GF(2 n ) GF(2 n ) S-Boxes left affine equivalents. Then we have that: In the other side we have that: 45

To see how is the behaviour of branch number of an S-BOX under left affine equivalents transformations we consider the next example: And 46

4 PRESENTATION OF THE NEW ALGORITHM As we show before S-Boxes with good diffusion in the output bits posses a better resistance against differential cryptanalysis. The branch number is an S-Box design criterion that results as a diffusion measure. Unfortunately experimental results show that S-Boxes with non-trivial diffusion orders cant be determinate by randomly search (bn > 2). Table 1. Probability of randomly selection of S-Boxes with bn 3 47

A new algorithm for the construction of S-Boxes with bn = 3 is presented below. For a better understanding of the algorithm we consider the next sets: B(i) is the set formed by the images of the elements less equal than i. Then the construction is performed as follows: A random value different to 0 is assigned to the S-box for input 0. In the other way if ᴲ K< i so that (i, k) L 1. 48

4.1 Comparative results In [12] Tavares propose an algorithm for the construction of S-Boxes with bn 3, however this algorithm present some inconvenient. The 8 8 constructed S-Boxes could posses a high quantity of fixed points. Also the nonlinearity values for this constructions are always less equal than 96 as we can see in the table 3. Table 2. Nonlinearity of 8 8 S-Boxes in the new construction. We generate a set of 50 S-Boxes in which we find his nonlinearity values and the results are showed in the table 3. Is easy to see that if we compare the result of table 3 the output S-boxes of the new algorithm posses nonlinearity values higher than the S-boxes obtained by the Tavares algorithm. Table 3. Comparision between the new algorithm and the Tavares proposal. 5 CONCLUSIONS In this paper is presented an algorithm to generate S-boxes with high diffusion. Also was shown that these outputs could have acceptables values of nonlinearity and do not have fixed point wich allows that these S-boxes could be used as part of the cipher in a secure way. As a theoretical result was proved that the Parameter Set of an S-box is not invariant under left affine transformations. Take this into account is not possible obtain S-boxes with a good Parameter Set by the left composition with an affine function and a good S-box. Finally was shown that the outputs of the new algorithm have better results than the outputs of the Tavares algorithm. 49

REFERENCES [1] Daemen J. and Rijmen V. The Rijndael block cipher. AES Proposal. http/www.daimi.ai.dk/iran/rijndael.pdf. 1999. [2] Mister.S. & Adams.C. Practical S-Box Design. Nortel, P.O. Box 3511, Station C, Canada. 1990. [3] Webster.A.F. & Tavares.S.E. On the design of S-Boxes. Department of Electrical Engineering Queen's University. 1989. [4] Heys.H. & Tavares.S.E. Avalanche Characteristics of Substitution-Permutation Encryption Networks. IEEE. 1991. [5] Vergili.I & Yucel.M.D. Statistics on satisfaction of Security Criteria for RandomlyChosen S-Boxes. Middle East Technical University. 2000. [6] Daemen.J. & Rijmen.V. The Design of Rijndael. Springer. 2002. [7] Przemyslaw.R. & Mroczkowski.P. How to create goog s-boxes. 1st International Conference for Young Researchers. 2006. [8] Nyberg.K.Dierentially uniform mappings for cryptography. Institute of Computer Technology, Vienna Technical University. 1994. [9] Shamir.A.&Biham.E.Dierential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology. Vol.4, No 1. 1991. [10] Matsui.M. Linear cryptanalysis method for DES cipher. Advances in Cryptology: Proceedings of EUROCRYPT 93, Spriger-Verlag, Berlin. 1994. [11] Perez, Claudia and Gainzo, Felipe. Algunos criterios para determinar la seguridad en las S-cajas. Memorias del evento Compumat 2013. [12] Heys. H.M & Tavares. S. E. Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis. Department of Electrical and Computer Engineering, Queens University, Kingston, Ontario, Canada K7L 3N6. 1994. [13] OConnor. L. J. On the distribution of characteristics in bijective mappings. Advances in Cryptology: Proceedings of EUROCRYPT 93, Springer-Verlag, Berlin, pages 360370. 1994. [14] Youssef. A.M., Mister. S. & Tavares. S.E. On the Design of Linear Transformations for Substitution Permutation Encryption Networks. Department Of Electrical and Computer Engineering Queens University, Kingston, Ontario, Canada. 1998. 50

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback