
A NEW TYPE OF CIPHER: DICING_CSB

Li An-Ping, Beijing 100085, P.R. China, apli0001@sina.com

Abstract: In this paper we propose a new type of cipher named DICING_CSB, derived from our previous synchronous stream cipher DICING. It applies a stream of subkeys together with the encryption form of a block cipher, so it can be viewed as a combination of a stream cipher and a block cipher. Hence the new type of cipher has the speed of a stream cipher and, according to the design, does not need a MAC.

Keywords: stream cipher, block cipher, LFSR, projector, finite field.

1. Introduction

In a synchronous stream cipher the ciphertext is generally made by bitwise adding (XOR) the plaintext with a binary sequence called the keystream. Clearly, in this encryption form the plaintext is easily falsified by a third party: flipping a ciphertext bit flips exactly the corresponding plaintext bit. As a result, a synchronous stream cipher is usually equipped with a MAC (message authentication code) to protect the message from tampering. In our algorithm DICING [1], one of the candidates of eSTREAM (the ECRYPT Stream Cipher Project), the combining function mainly applied keyed S-boxes, which are often used in block ciphers. We realized that it is possible to make a combination of a stream cipher and a block cipher (CSB mode) and in this way omit the MAC. In the proposed cipher, the component u_t of DICING plays the role of a stream of subkeys, and the encryption means are mainly keyed S-boxes, as in an ordinary block cipher. The components are almost the same as those of DICING; for completeness they are repeated in this paper.

In the proposed cipher we apply the LFSR-like components called projectors (Pr.). A projector consists of an element σ, called the state, from some finite field GF(2^m), and an updating rule. The rule is to multiply σ by x^k, k an integer, namely
$$\sigma_{t+1} = x^{k}\,\sigma_{t}. \quad (1.1)$$
The finite fields used here are GF(2^m), m = 128, 127 or 126. In other words, the shift operation of an LFSR is replaced by multiplication by x^k in the field GF(2^m).

As in DICING, the key size of DICING_CSB can be 128 bits or 256 bits, the initial value may be taken as large as 256 bits, and the output size is 128 bits.

In this paper the finite field GF(2) is simply denoted F, and F[x] is the polynomial ring in the unknown x over the field F. The symbol ⊕ represents bitwise addition (XOR); bitwise and is the operation & of C; and the symbols >>, <<, || and ~ stand for right shift, left shift, concatenation and complement respectively.

Suppose ζ is a binary string; denote by ζ[i]_bit and ζ[i, j]_bit the i-th bit of ζ and the segment from the i-th bit to the j-th bit respectively. There are the similar expressions ζ[i]_byte, ζ[i, j]_byte and ζ[i]_word, ζ[i, j]_word measured in bytes and 32-bit words respectively; when the meaning is clear from the context, the subscript bit, byte or word is omitted.
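The projector rule (1.1), and the subkey recurrence it drives in Section 2 (equations (2.1) to (2.3)), as an added Python example; this is not code from the paper or from the DICING submission. A field element is packed as an int whose bit i is the coefficient of x^i, the polynomials p_1 and p_2 are those of List 1 in Section 2 as read from this page, and reading the dice from α_t before α is advanced is my reading of the indices in (2.1) to (2.3), not something the paper states. The block also carries a primitivity test, because the period claim for {u_t} in Section 3 rests on p_1 and p_2 being primitive; the test on the paper's own polynomials runs from main, while the assertions use small polynomials with known answers.

```python
"""Projectors over GF(2^m) and the DICING_CSB subkey stream (added example, not
the paper's code).  A field element is an int whose bit i is the coefficient
of x^i.  P1, P2 are the List 1 polynomials as read from the paper; reading the
dice from alpha_t before alpha advances is my reading of (2.1)-(2.3)."""


def clmul(a: int, b: int) -> int:
    """Carry-less product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


# p_1(x) = x^127 + (x^96 + x^64 + 1)(x^5 + 1)          (degree 127)
P1 = (1 << 127) ^ clmul((1 << 96) | (1 << 64) | 1, (1 << 5) | 1)
# p_2(x) = x^128 + (x^96 + x^67 + x^32 + 1)(x^3 + 1)   (degree 128)
P2 = (1 << 128) ^ clmul((1 << 96) | (1 << 67) | (1 << 32) | 1, (1 << 3) | 1)


def mul_xk(s: int, p: int, m: int, k: int) -> int:
    """Projector step (1.1): sigma -> x^k * sigma in F[x]/p(x), deg p = m.
    Each multiplication by x is a left shift followed by a conditional XOR
    of p, i.e. one clock of a Galois-configuration LFSR; k clocks in all."""
    for _ in range(k):
        s <<= 1
        if s >> m & 1:
            s ^= p
    return s


def gf_mul(a: int, b: int, p: int, m: int) -> int:
    """General product in F[x]/p(x): carry-less multiply, then reduce."""
    r = clmul(a, b)
    for i in range(r.bit_length() - 1, m - 1, -1):
        if r >> i & 1:
            r ^= p << (i - m)
    return r


def gf_pow(a: int, e: int, p: int, m: int) -> int:
    """Square-and-multiply exponentiation in F[x]/p(x)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, p, m)
        a = gf_mul(a, a, p, m)
        e >>= 1
    return r


def is_primitive(p: int, m: int, prime_factors: list) -> bool:
    """True iff x has multiplicative order exactly 2^m - 1 modulo p, i.e.
    x^(2^m-1) = 1 and x^((2^m-1)/q) != 1 for every prime q dividing 2^m - 1.
    If p were reducible, the order of x would divide lcm(2^d_i - 1) over the
    factor degrees d_i, which is smaller than 2^m - 1, so this one test proves
    both irreducibility and primitivity: the projector then has period 2^m - 1."""
    order = (1 << m) - 1
    x = 2  # the polynomial x
    if gf_pow(x, order, p, m) != 1:
        return False
    return all(gf_pow(x, order // q, p, m) != 1 for q in prime_factors)


class SubkeyStream:
    """States alpha_t in E_1 (127 bits), omega_t in E_2 (128 bits), memory u_t."""

    def __init__(self, alpha0: int, omega0: int, u0: int) -> None:
        if not (0 < alpha0 < 1 << 127 and 0 < omega0 < 1 << 128):
            raise ValueError("projector states must be non-zero field elements")
        self.alpha, self.omega, self.u = alpha0, omega0, u0

    def next_subkey(self) -> int:
        d = ((self.alpha & 0xFF) >> 4) + 1            # dice: d_t = (D >> 4) + 1, in 1..16
        self.omega = mul_xk(self.omega, P2, 128, d)   # (2.2) omega_{t+1} = x^{d_t} omega_t
        self.u ^= self.omega                          # (2.3) u_t = u_{t-1} xor omega_t
        self.alpha = mul_xk(self.alpha, P1, 127, 8)   # (2.1) alpha_{i+1} = x^8 alpha_i
        return self.u


if __name__ == "__main__":
    # 2^127 - 1 is prime; 2^128 - 1 = 3*5*17*257*641*65537*274177*6700417*67280421310721
    print("p_1 primitive:", is_primitive(P1, 127, [(1 << 127) - 1]))
    print("p_2 primitive:", is_primitive(P2, 128, [3, 5, 17, 257, 641, 65537,
                                                    274177, 6700417, 67280421310721]))
    ks = SubkeyStream(alpha0=0x1234567, omega0=0x89ABCDEF, u0=0)  # constructed sample states
    print([hex(ks.next_subkey()) for _ in range(4)])
```

Multiplying by x^k costs k shift-and-reduce steps, which is why the dice is bounded to 1..16; the `lotting` rule in Section 4 bounds it the same way. The primitivity check is the one a practitioner should run before trusting any stated period.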

2. Construction

We use two projectors Γ_1 and Γ_2; the first acts as a controller of the updating of the second, which is used to form a stream of subkeys, or runkeys. Denote by α_t and ω_t the states of Γ_1 and Γ_2 at time t respectively. They are based on the finite fields E_1 and E_2, $E_i = F[x]/p_i(x)$, i = 1, 2, where p_1(x) and p_2(x) are two primitive polynomials of degree 127 and 128 respectively, whose expressions are given in List 1. The state α satisfies the simple recurrence
$$\alpha_{i+1} = x^{8}\,\alpha_{i}, \quad i = 0, 1, 2, \ldots \quad (2.1)$$
The integer formed by the last eight bits of α_t is called the dice D; with $d_t = (D >> 4) + 1$, the state ω is updated as
$$\omega_{t+1} = x^{d_t}\,\omega_{t}, \quad t \ge 0. \quad (2.2)$$
Besides, we use a memory u_t to accumulate ω_t:
$$u_t = u_{t-1} \oplus \omega_t, \quad t > 0. \quad (2.3)$$
The initial values α_0, ω_0 and u_0 are specified later.

Suppose K is the finite field GF(2^8), $K = F[x]/p(x)$, where p(x) is an irreducible polynomial of degree eight whose expression is given in List 1. We define the S-box S_0 as
$$S_0(x) = x^{5}\,(x \oplus 3)^{127}, \quad x \in K. \quad (2.4)$$
We also write S_0(ζ) for a byte string ζ to mean that S_0 substitutes each byte of ζ.

The startup includes two subprocesses, keysetup and ivsetup, in which the basic materials (the secret key and the key size) are input and the internal states are initialized. In the keysetup we also derive two key-defined S-boxes S_1(x) and S_2(x) from S_0(x), and a diffusion transformation L. The process is as follows. For a string ρ of 8 bytes we define an 8×8 matrix M_ρ:
$$M_\rho = T_u\, J\, T_l, \quad (2.5)$$

where $T_u = (a_{i,j})_{8\times 8}$ and $T_l = (b_{i,j})_{8\times 8}$ are the upper-triangular and lower-triangular matrices
$$a_{i,j} = \begin{cases} \rho[8i+j]_{bit} & i < j,\\ 1 & i = j,\\ 0 & i > j,\end{cases} \qquad b_{i,j} = \begin{cases} \rho[8i+j]_{bit} & i > j,\\ 1 & i = j,\\ 0 & i < j,\end{cases}$$
and J is a key-defined permutation matrix; for simplicity we take J = 1 here. Suppose K is the secret key and let
$$K_c = K[0,23]_{byte} \oplus K[8,31]_{byte} \ \text{if } |K| = 256, \quad \text{else } K_c = K[0,15] \,\|\, \big(K[0,7] \oplus K[8,15]\big),$$
$$\lambda_i = K_c[(i-1)8,\ 8i-1]_{byte}, \quad i = 1, 2, 3, \quad (2.6)$$
so that K_c is 24 bytes in either case. Define three affine transformations on K,
$$A(x) = M_{\lambda_1}(x), \quad B(x) = M_{\lambda_2}(x), \quad C(x) = M_{\lambda_3}(x), \quad x \in K, \quad (2.7)$$
and a transformation L on K^4,
$$L = \begin{pmatrix} A & B & A & A \oplus B\\ B & A & A \oplus B & A\\ A & A \oplus B & A & B\\ A \oplus B & A & B & A\end{pmatrix}. \quad (2.8)$$
Denote $v_i = \bigoplus_{0 \le k < 8} \lambda_i[k]_{byte}$, i = 1, 2, 3, and define two new S-boxes
$$S_1(x) = S_0(x \oplus v_1) \oplus v_2, \quad S_2(x) = C\big(S_0(x \oplus v_2) \oplus v_3\big), \quad x \in K. \quad (2.9)$$
Suppose ζ is a string of n bytes; if n = 4k we also view it as a string of k words, and write L(ζ) to mean that L acts on each word of ζ. Simply, we denote
$$Q(\zeta) = L\big(S_1(\zeta)\big). \quad (2.10)$$
In the ivsetup, the second step of the startup, the internal states are initialized with the secret key and the initial value. For a 32-byte string ζ we define a byte permutation φ: $\zeta^{\varphi} = \varphi(\zeta)$, $\zeta^{\varphi}[i] = \zeta[4i \bmod 31]$ for 0 ≤ i < 31, and $\zeta^{\varphi}[31] = \zeta[31]$. Let $\bar K = K$ if |K| = 256, else $\bar K = K \,\|\, (\ K)$, where the operator applied to K inside the parentheses is missing from the extracted text; denote $\bar K_0 = \bar K$, $\bar K_i = \bar K[8i, 31]_{byte} \,\|\, \bar K[0, 8i-1]_{byte}$, i = 1, 2, 3, and define the functions recurrently
$$F(\zeta) = Q(\varphi(\zeta)), \quad F_0(\zeta) = F(\zeta) \oplus \bar K_0, \quad F_i(\zeta) = F\big(F_{i-1}(\zeta)\big) \oplus \bar K_i, \quad i = 1, 2, 3. \quad (2.11)$$
Suppose IV is the initial value of 32 bytes, e is the base of the natural logarithm and c the integral part of e·57!, and ξ_i, 0 ≤ i ≤ 3, are four 32-byte strings defined as

$$\xi_0 = F_3(IV \oplus c), \quad \xi_i = F_3(\xi_{i-1} \oplus c), \quad i = 1, 2. \quad (2.12)$$
In the encryption we employ an array η of 16 bytes. The internal states are initialized as
$$\eta_0 = \xi_0[0,15] \oplus \xi_0[16,31], \quad u_0 = \xi_1[0,15], \quad \alpha_0 = \xi_1[128,254]_{bit}, \quad \omega_0 = \xi_2[0,15]. \quad (2.13)$$
If ξ_2[0,15] = 0, the state ω_0 is re-set as
$$(\omega_0, \tau_0) = \xi_2[16,31]. \quad (2.14)$$
Note. For a given secret key there is at most one IV such that ξ_2 = 0.

In the proposed cipher DICING_CSB the sequence {u_t} plays the role of a flow of subkeys. After initialization, the process enters the recurrence part of encryption/decryption, which includes the sub-process of updating the states, namely making the stream of subkeys {u_t}. Denote by {x_t}_{t>0} and {y_t}_{t>0} the sequences of plaintext and ciphertext blocks respectively; the encryption function is defined as
$$y_t = \mathrm{Encrypt}(x_t) = S_2\big(Q(x_t \oplus u_t) \oplus Q(\eta)\big) \oplus u_t. \quad (2.15)$$
Decryption inverts (2.15) term by term, so it requires S_2 and Q (hence S_0, L and the matrices M_ρ) to be invertible. The whole process is summarized in the sketch of Fig. 1.

List 1. The primitive polynomials used
Polynomial | Expression
p(x) | $x^{8} + x^{6} + x^{5} + x + 1$
p_1(x) | $x^{127} + (x^{96} + x^{64} + 1)(x^{5} + 1)$
p_2(x) | $x^{128} + (x^{96} + x^{67} + x^{32} + 1)(x^{3} + 1)$

Fig. 1. Sketch of the encryption process: Initializing, then the recurrence part (Updating states; Plaintext x_t → Encrypting → Ciphertext y_t).

3. Security analysis

The analysis of DICING_CSB as a stream cipher is similar to that of DICING; see paper [1]. As a block cipher, the encryption mode of DICING_CSB is not the usual iterative one, so the traditional analyses for block ciphers of iterative mode are not applicable. Although the proposed cipher is stronger than additive stream ciphers against plaintext-recovery attacks, it would be insecure if one IV value were allowed to be used repeatedly more than 2^16 times under a secret key K, as DICING_CSB only has a diffusion range of 32 bits. So it is suggested that each IV value be used only once. If one intends to use an IV many times, a further round should be added to the encryption function to enlarge the range of diffusion; the cost is that the encryption rate rises by about 2 cycles/byte. It should be mentioned that we have removed two projectors from DICING, since we think that in this encryption form the requirement on the period of the sequence {u_t} may be relaxed; here the period of {u_t} is no less than $(17 \cdot 2^{126} - 1)(2^{128} - 1)$.

Note also what omitting the MAC means in practice: the cipher produces no integrity tag, so a modified ciphertext is not rejected but decrypts to a garbled block, and tampering is detected only if the receiver can recognize the garbling.

4. Implementation

On the platform of a 32-bit Windows OS, an Intel Celeron 2.66 GHz 64-bit processor and Borland C++ 5.0, the performance of DICING_CSB is as follows.

List 2. Report of performance
Sub-process (encryption) | Time | Sub-process (decryption) | Time
Keysetup | 9890 cycles | Keysetup | 16400 cycles
IVsetup | 2870 cycles | IVsetup | 2920 cycles
Encrypting rate | 10.3 cycles/byte | Decrypting rate | 10.3 cycles/byte

Remark: There is an alternative updating rule for the states α and ω:
$$\alpha_{t+1} = x^{16}\,\alpha_t, \quad t \ge 0. \quad (2.1')$$
Denote $d_i = 1 + (\alpha_{t+1}[i]_{byte} \,\&\, 15)$, 0 ≤ i < 16; the states ω are then updated as
$$\omega_{16t+i+1} = x^{d_i}\,\omega_{16t+i}, \quad 0 \le i < 16, \quad t \ge 0. \quad (2.2')$$
With these updating rules the encrypting/decrypting rate is as fast as 8.8 cycles/byte for larger messages. We call the rules (2.1') and (2.2') lotting. Besides, on processors such as the Pentium-M, Pentium 4 or AMD-64 the implementation will be faster by about 20~30%.

5. Conclusion

The proposed cipher can be viewed as a combination of a stream cipher and a block cipher. It assimilates the good qualities of stream ciphers in speed and of block ciphers in security. It is able to serve as a synchronous stream cipher or as a block cipher, and there is no need to equip a MAC when it is applied as a synchronous stream cipher. When it is applied as a block cipher it still requires an IV to initialize the internal states; however, this requirement is easily satisfied, for example the name or the date of a file may be taken as the IV value, provided the value is not reused under the same key, as Section 3 requires.

References
[1] A. P. Li, A New Stream Cipher: DICING, eSTREAM - The ECRYPT Stream Cipher Project - Phase 2.