A NEW TYPE OF CIPHER: DICING_CSB

Li An-Ping
Beijing 100085, P.R. China
apli0001@sina.com

Abstract: In this paper, we will propose a new type of cipher named DICING_CSB, which comes from our previous synchronous stream cipher DICING. It applies a stream of subkeys and an encryption form of block ciphers, so it can be viewed as a combination of a stream cipher and a block cipher. Hence, the new type of cipher has fast speed like a stream cipher and no need of a MAC.

Keywords: stream cipher, block cipher, LFSR, projector, finite field.
1. Introduction

In a synchronous stream cipher, the ciphertext is generally made by bitwise adding (XOR) the plaintext with a binary sequence called the keystream. Clearly, in this encryption form the plaintext is easy to falsify by other people. As a result, a synchronous stream cipher is usually equipped with a MAC (message authentication code) to protect the message from being tampered with. In our algorithm DICING [1], one of the candidates of eSTREAM (the ECRYPT Stream Cipher Project), the combining function mainly applied keyed S-boxes, which are often used in block ciphers; we realized that it is possible to make a combination of a stream cipher and a block cipher (CSB mode), and so be able to omit the MAC in this way. In the proposed cipher, the component $u_t$ of DICING will be applied in the role of a stream of subkeys, and the encryption means are mainly keyed S-boxes, like an ordinary block cipher. The components are almost the same as the ones in DICING; for completeness, they are repeated in this paper.

In the proposed cipher, we will apply the LFSR-like components called projectors (Pr.). A projector consists of an element σ called the state, from some finite field $GF(2^m)$, and an updating rule. The rule of updating states is to multiply $\sigma_t$ by $x^k$, k an integer, namely,

$\sigma_{t+1} = x^k \sigma_t.$ (1.1)

The finite fields used here are $GF(2^m)$, m = 128, 127 or 126. In other words, the shift operation of an LFSR is now replaced by multiplying by $x^k$ in the field $GF(2^m)$. As in DICING, the key sizes in DICING_CSB can be 128 bits or 256 bits, the size of the initial value may be taken as large as 256 bits, and the size of the output is 128 bits.

In this paper the finite field GF(2) is simply denoted as F, and F[x] is the polynomial ring in the unknown x over the field F. The symbols ⊕ and ∧ will represent bitwise addition (XOR) and bitwise AND (the operation & in C), and the symbols >>, <<, ‖ and ~ stand for the operations right-shift, left-shift, concatenate and complement respectively.
Suppose that ζ is a binary string; denote by $\zeta[i]_{bit}$ and $\zeta[i,j]_{bit}$ the i-th bit and the segment from the i-th bit to the j-th bit respectively, and there are the similar expressions $\zeta[i]_{byte}$, $\zeta[i,j]_{byte}$ and $\zeta[i]_{word}$, $\zeta[i,j]_{word}$ measured in bytes and 32-bit words respectively; if the meaning is explicit from the context, the low index bit, byte or word will be omitted.
2. Construction

We will use two projectors $\Gamma_1$ and $\Gamma_2$; the first one acts as a controller to control the updating of the second one, which will be used to form a stream of subkeys, or runkeys. Denote by $\alpha_t$ and $\omega_t$ the states of $\Gamma_1$ and $\Gamma_2$ at time t respectively, which are based on the finite fields $E_1$ and $E_2$, $E_i = F[x]/p_i(x)$, i = 1, 2, where $p_1(x)$ and $p_2(x)$ are two primitive polynomials of degree 127 and 128 respectively, whose expressions are given in List 1. The state $\alpha_t$ satisfies the simple recurrence equation

$\alpha_{i+1} = x^8 \alpha_i,\quad i = 0, 1, 2, \ldots$ (2.1)

The integer formed by the last eight bits of $\alpha_t$ is called the dice $D_t$; denoting $d_t = (D_t >> 4) + 1$, the states $\omega_t$ will be updated as

$\omega_{t+1} = x^{d_t} \omega_t,\quad t \ge 0.$ (2.2)

Besides, we use a memorizer $u_t$ to assemble $\omega_t$:

$u_t = u_{t-1} \oplus \omega_t,\quad t > 0.$ (2.3)

The initial values $\alpha_0$, $\omega_0$ and $u_0$ will be specified later.

Suppose that K is the finite field $GF(2^8)$, $K = F[x]/p(x)$, where p(x) is an irreducible polynomial of degree eight whose expression is given in List 1. We define the S-box $S_0(x)$ as

$S_0(x) = (x^{5} \oplus 3)^{127},\quad x \in K.$ (2.4)

We also adopt the representation $S_0(\zeta)$ for a byte string ζ to represent that the S-box $S_0$ substitutes each byte of the string ζ.

The startup includes two subprocesses, keysetup and ivsetup, where the basic materials such as the secret key and the key size are input and the internal states are initialized. Besides, in the keysetup we will make two key-defined S-boxes $S_1(x)$ and $S_2(x)$ from $S_0(x)$ and a diffusion transformation L. The process is as follows. For a string ρ of 8 bytes, we define an 8×8 matrix $M_\rho$:

$M_\rho = T_u \cdot J \cdot T_l,$ (2.5)
where $T_u = (a_{i,j})_{8 \times 8}$ and $T_l = (b_{i,j})_{8 \times 8}$ are the upper-triangular matrix and the lower-triangular matrix respectively,

$a_{i,j} = \rho[8i+j]_{bit}$ if $i < j$, $a_{i,j} = 1$ if $i = j$, $a_{i,j} = 0$ if $i > j$; $\quad b_{i,j} = \rho[8i+j]_{bit}$ if $i > j$, $b_{i,j} = 1$ if $i = j$, $b_{i,j} = 0$ if $i < j$,

and J is a key-defined permutation matrix; for simplicity, here we take J = 1.

Suppose that K is the secret key; let $K_c = K[0,23]_{byte} \oplus K[8,31]_{byte}$ if |K| = 256, else $K_c = K[0,15]_{byte} \,\|\, (K[0,7]_{byte} \oplus K[8,15]_{byte})$, and

$\lambda_i = K_c[(i-1)8,\ 8i-1]_{byte},\quad i = 1, 2, 3,$ (2.6)

and define three affine transformations on K,

$A(x) = M_{\lambda_1}(x),\quad B(x) = M_{\lambda_2}(x),\quad C(x) = M_{\lambda_3}(x),\quad x \in K,$ (2.7)

and a transformation L on $K^4$, given by a matrix of the transformations A and B,

L = [A B A A B B A A B A | A A B A B A B A B A]. (2.8)

Denote $v_i = \bigoplus_{0 \le k < 8} \lambda_i[k]_{byte}$, i = 1, 2, 3, and define two new S-boxes

$S_1(x) = S_0(x \oplus v_1) \oplus v_2,\quad S_2(x) = C(S_0(x \oplus v_2) \oplus v_3),\quad x \in K.$ (2.9)

Suppose that ζ is a string of n bytes; if n = 4k we also view it as a string of k words, and write L(ζ) to represent that L acts on each word of ζ. Simply, we denote

$Q(\zeta) = L(S_1(\zeta)).$ (2.10)

In the ivsetup, the second step of the startup, the internal states will be initialized with the secret key and the initial value. For a 32-byte string ζ we define a byte permutation φ: $\zeta^{\varphi} = \varphi(\zeta)$, $\zeta^{\varphi}[i] = \zeta[4i \bmod 31]$ for $0 \le i < 31$, and $\zeta^{\varphi}[31] = \zeta[31]$. Let $K_e = K$ if |K| = 256, else $K_e = K \,\|\, (\sim K)$; denote $K_0 = K_e$, $K_i = K_e[8i, 31]_{byte} \,\|\, K_e[0, 8i-1]_{byte}$, i = 1, 2, 3, and define the functions recurrently

$F(\zeta) = Q(\varphi(\zeta)),\quad F_0(\zeta) = F(\zeta) \oplus K_0,\quad F_i(\zeta) = F(F_{i-1}(\zeta)) \oplus K_i,\quad i = 1, 2, 3.$ (2.11)

Suppose that IV is the initial value of 32 bytes, e is the base of the natural logarithm and c the integral part of $e \cdot 57!$, and $\xi_i$, $0 \le i \le 3$, are four 32-byte strings defined as
$\xi_0 = F_3(IV \oplus c),\quad \xi_i = F_3(\xi_{i-1} \oplus c),\quad i = 1, 2.$ (2.12)

In the encryption we will employ an array η of 16 bytes. The internal states are initialized respectively as follows:

$\eta = \xi_0[0,15] \oplus \xi_0[16,31],\quad u_0 = \xi_1[0,15],\quad \alpha_0 = \xi_1[128,254]_{bit},\quad \omega_0 = \xi_2[0,15].$ (2.13)

If $\xi_2[0,15] = 0$, the state $\omega_0$ will be re-set as

$(\omega_0, \tau_0) = \xi_2[16,31].$ (2.14)

Note. For a secret key, there is at most one IV such that $\xi_2 = 0$.

In the proposed cipher DICING_CSB, the sequence $\{u_t\}$ will play the role of a flow of subkeys. After initialization, the process enters the recurrence part of encryption/decryption, which includes the sub-process of updating states, namely making the stream of subkeys $\{u_t\}$. Denote by $\{x_t\}_{t > 0}$ and $\{y_t\}_{t > 0}$ the sequences of plaintext and ciphertext respectively; the encryption function is defined as

$y_t = Encrypt(x_t) = S_2(Q(x_t \oplus u_t) \oplus Q(\eta)) \oplus u_t.$ (2.15)

We have summarized the whole process in a sketch as Fig. 1.

List 1. The primitive polynomials used

Polynomial   Expression
p(x)         $x^8 + x^6 + x^5 + x + 1$
$p_1(x)$     $x^{127} + (x^{96} + x^{64} + 1)(x^5 + 1)$
$p_2(x)$     $x^{128} + (x^{96} + x^{67} + x^{32} + 1)(x^3 + 1)$
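As an added illustration (not code from the paper or from the DICING implementation), the following Python implements the subkey generator of Section 2: the two projectors under the standard rule (2.1)-(2.3) and, going beyond it, the lotting rule (2.1')-(2.2') of the Remark in Section 4, with the polynomials of List 1 expanded. It assumes that "the last eight bits of $\alpha_t$" means the low-order byte, that $\alpha[i]_{byte}$ is bits 8i..8i+7 of the integer, and the names P1, P2, Projectors and subkeys are chosen here.

```python
# Added example, not the paper's code. A field element is a Python int whose
# bit i is the coefficient of x^i; P1, P2 are p_1(x), p_2(x) of List 1.
# Assumption: D_t is the low byte of alpha_t; alpha[i]_byte is bits 8i..8i+7.
P1 = (1 << 127) | (1 << 101) | (1 << 96) | (1 << 69) | (1 << 64) | (1 << 5) | 1
P2 = ((1 << 128) | (1 << 99) | (1 << 96) | (1 << 70) | (1 << 67)
      | (1 << 35) | (1 << 32) | (1 << 3) | 1)


def mul_xk(sigma, k, poly, m):
    """sigma * x^k in GF(2^m) = F[x]/poly(x): the projector's 'shift' (1.1)."""
    for _ in range(k):
        sigma <<= 1
        if sigma >> m & 1:          # degree reached m: subtract (xor) poly(x)
            sigma ^= poly
    return sigma


class Projectors:
    """Gamma_1 (alpha, GF(2^127)) drives Gamma_2 (omega, GF(2^128)); u_t memorizes."""

    def __init__(self, alpha0, omega0, u0):
        self.alpha, self.omega, self.u = alpha0, omega0, u0

    def dice(self):
        """d_t = (D_t >> 4) + 1, D_t the last eight bits of alpha_t: 1..16."""
        return ((self.alpha & 0xFF) >> 4) + 1

    def step(self):
        """One tick of the standard rule; returns the subkey u_{t+1}."""
        d = self.dice()                                   # d_t uses alpha_t
        self.omega = mul_xk(self.omega, d, P2, 128)       # (2.2)
        self.alpha = mul_xk(self.alpha, 8, P1, 127)       # (2.1)
        self.u ^= self.omega                              # (2.3)
        return self.u

    def step_lotting(self):
        """One alpha update of the lotting rule; returns the next 16 subkeys."""
        self.alpha = mul_xk(self.alpha, 16, P1, 127)      # (2.1')
        out = []
        for i in range(16):
            d_i = 1 + ((self.alpha >> (8 * i)) & 15)      # 1 + (alpha[i]_byte & 15)
            self.omega = mul_xk(self.omega, d_i, P2, 128)  # (2.2')
            self.u ^= self.omega
            out.append(self.u)
        return out


def subkeys(alpha0, omega0, u0, n):
    """The first n subkeys u_1..u_n under the standard rule."""
    pr = Projectors(alpha0, omega0, u0)
    return [pr.step() for _ in range(n)]
```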
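Also as an added example (not from the paper), the key-defined matrix $M_\rho$ of (2.5) and the maps A, B, C of (2.6)-(2.7) in Python; it assumes MSB-first bit numbering within ρ, treats a byte x as the column vector of its bits with $x_0$ the most significant bit, and the function names are chosen here. The bijection check is included because recovering $x_t$ from (2.15) needs Q, hence L and $M_\rho$, to be invertible, which a product of unit-triangular matrices over GF(2) always is.

```python
# Added example, not the paper's code. Assumptions: rho[n]_bit is bit n of the
# 8-byte string rho counted MSB-first; a byte x is the vector (x_0..x_7),
# x_0 its most significant bit; J in (2.5) is the identity as the paper takes it.
def rho_bit(rho, n):
    """rho[n]_bit for 0 <= n < 64."""
    return (rho[n // 8] >> (7 - n % 8)) & 1

def triangular(rho, upper):
    """T_u (upper=True) or T_l (upper=False): unit-triangular 8x8 bit matrix."""
    m = [[0] * 8 for _ in range(8)]
    for i in range(8):
        for j in range(8):
            if i == j:
                m[i][j] = 1
            elif (i < j) == upper:
                m[i][j] = rho_bit(rho, 8 * i + j)
    return m

def matmul(a, b):
    """Product of two 8x8 matrices over GF(2)."""
    return [[sum(a[i][k] & b[k][j] for k in range(8)) & 1
             for j in range(8)] for i in range(8)]

def m_rho(rho):
    """M_rho = T_u * J * T_l of (2.5) with J = identity."""
    assert len(rho) == 8
    return matmul(triangular(rho, True), triangular(rho, False))

def apply(mat, x):
    """M(x) for a byte x: matrix times the bit vector of x, MSB first."""
    bits = [(x >> (7 - k)) & 1 for k in range(8)]
    out = 0
    for i in range(8):
        out = (out << 1) | (sum(mat[i][k] & bits[k] for k in range(8)) & 1)
    return out

def is_bijection(mat):
    """True iff x -> M(x) permutes the 256 byte values."""
    return len({apply(mat, x) for x in range(256)}) == 256

def key_matrices(key):
    """(2.6)-(2.7): K_c and lambda_1..3 from a 16- or 32-byte key; returns the
    matrices of A, B and C in that order."""
    if len(key) == 32:
        kc = bytes(a ^ b for a, b in zip(key[0:24], key[8:32]))
    else:
        kc = key[0:16] + bytes(a ^ b for a, b in zip(key[0:8], key[8:16]))
    return [m_rho(kc[8 * (i - 1):8 * i]) for i in (1, 2, 3)]
```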
Fig. 1. The sketch of the encryption process: initializing, then the recurrence part (updating states; encrypting the plaintext $x_t$ into the ciphertext $y_t$).

3. Security analysis

The analysis of DICING_CSB as a stream cipher will be similar to the one for DICING; refer to paper [1]. Besides, as a block cipher, the encryption mode of DICING_CSB is not the usual iterative one, so the traditional analyses for block ciphers of iterative mode will not be feasible. Although the proposed cipher is stronger than additive stream ciphers against plaintext-recovery attacks, it would be insecure if an IV value were allowed to be used repeatedly more than $2^{16}$ times for one secret key K, as DICING_CSB only has a diffusion range of 32 bits. So it is suggested that the usage of an IV is best one time, one value. If one intends to apply an IV many times, then one more round should be added in the encryption function in order to enlarge the range of diffusion; as a cost, the encrypting rate will be raised by about 2 cycles/byte.

It maybe should be mentioned that we have removed two Pr.'s from DICING, for we think that in this encryption form the requirement on the period of the sequence $\{u_t\}$ may be relaxed; here, the period of the sequence $\{u_t\}$ is no less than $(17 \cdot 2^{126} - 1)(2^{128} - 1)$.

4. Implementation

On the platform of 32-bit Windows OS and Intel Celeron 2.66G, 64-bit processor, Borland C++ 5.0, the performance of DICING_CSB is as follows:
List 2. Report of performance

Encryption                              Decryption
Sub-process       Time                  Sub-process       Time
Keysetup          9890 cycles           Keysetup          16400 cycles
IVsetup           2870 cycles           IVsetup           2920 cycles
Encrypting rate   10.3 cycles/byte      Decrypting rate   10.3 cycles/byte

Remark. There is an alternate updating rule for the states $\alpha_t$ and $\omega_t$ as follows:

$\alpha_{t+1} = x^{16} \alpha_t,\quad t \ge 0.$ (2.1')

Denote $d_i = 1 + (\alpha_{t+1}[i]_{byte} \ \&\ 15)$, $0 \le i < 16$; the states ω are updated as

$\omega_{16t+i+1} = x^{d_i} \omega_{16t+i},\quad 0 \le i < 16,\ t \ge 0.$ (2.2')

With the updating rules above, the encrypting/decrypting rate will be as fast as 8.8 cycles/byte in the case of larger message sizes. We call the rules (2.1') and (2.2') lotting. Besides, with processors such as Pentium-M, Pentium 4 or AMD-64, the implementation will be about 20~30% faster.

5. Conclusion

The proposed cipher can be viewed as a combination of a stream cipher and a block cipher. It assimilates the good qualities of stream ciphers in speed and of block ciphers in security. It is able to serve as a synchronous stream cipher or as a block cipher, and there will be no need to equip a MAC when it is applied as a synchronous stream cipher. When it is applied as a block cipher, it will still require an IV to initialize the internal states; however, this requirement is easily satisfied, for example, the name or the date of a file may be taken as the IV value.

References

[1] A.P. Li, A New Stream Cipher: DICING, now available at eSTREAM - The ECRYPT Stream Cipher Project - Phase 2.