Security Analysis of Block Cipher - PowerPoint PPT Presentation

About This Presentation
Title:

Security Analysis of Block Cipher

Description:

Security Analysis of Block Cipher 2002. 10. 8 20022057 Park, SangBae – PowerPoint PPT presentation

Number of Views:117
Avg rating:3.0/5.0
Slides: 28
Provided by: plu47
Category:

less

Transcript and Presenter's Notes

Title: Security Analysis of Block Cipher


1
Security Analysis of Block Cipher
  • 2002. 10. 8
  • 20022057
  • Park, SangBae

2
Contents
  • Introduction of Boolean Function
  • Block Cipher Design Review
  • Cryptanalysis Method Provable Security
  • Design Issue
  • S-box Design Diffusion Layer
  • Example of S-box analysis
  • Future Works

3
Introduction
  • Boolean Fucntion
  • Function from GF(2n) to GF(2m)
  • Generally, when m gt 1, Vector-valued Boolean
    Function (or Vector Boolean Function)
  • Example
  • f(x1, x2, x3) x1 x2 x2 x3
  • Sequence of f() 00010010

4
Introduction
  • Block Cipher as Boolean Function
  • Block Cipher
  • F P ? K ? C with F(P, K) C
  • GF(2128) ? GF(2128) ? GF(2128)
  • Round Function
  • f Pi ? Ki ? Ci with F(Pi, Ki) Ci
  • GF(264) ? GF(264) ? GF(264)
  • S-box
  • s Ini ? ki ? Outi with F(Ini, ki) Outi
  • GF(28) ? GF(28) ? GF(28)

5
Basic Properties
  • Representation
  • The Algebraic Normal Form
  • Well known representation
  • ex) x1 x2 x3 x1
  • The Sequence of Given function
  • Value of given Boolean function
  • ex) 00010010
  • The Walsh-Hadamard Transform
  • The correlation value to linear functions
  • ex) 2 0 -2 0 0 2 0 -2

6
Basic Properties
  • Balancedness
  • Hamming weight of given sequence
  • Nonlinear Order
  • Algebraic Nonlinear Order (Not Robust)
  • Completeness
  • Every input bit affect to the outptu bit

7
Basic Properties
  • Nonlinearity
  • minimum Hamming distance to linear functions
  • Correlation
  • autocorrelation
  • cross correlation
  • Propagation Criterion (including SAC)
  • can be guaranteed by high nonlinearity
  • diffusion property

8
Cryptanalysis Methods
  • Differential Cryptanalysis
  • Linear Cryptanalysis
  • Interpolation Attack
  • Square Attack

9
Differential Cryptanalysis
  • General
  • The First Attack against full round DES
  • Using the biased distribution of XOR pairs

Input XOR(Uniform)
Uniform
Uniform
f (S-Box)
f (S-Box)
Uniform
Uniform
Output XOR(Biased)
10
Differential Cryptanalysis
  • Difference Distribution Table
  • number of pairs satisfying given Input, output XOR

Output XOR
Input XOR
0x
1x
2x
3x
4x
5x
6x
7x
8x
9x
Ax
Bx
Cx
Dx
Ex
Fx
0x
64
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1x
0
0
0
6
0
2
4
4
0
10
12
4
10
6
2
4


3Fx
4
8
4
2
4
0
2
4
4
2
4
8
8
6
2
2
11
Differential Cryptanalysis
  • Example of 2 round characteristic

?P 00 80 82 00 60 00 00 00x
60 00 00 00x
00 80 82 00x
F
p 14/64
0
0
F
p 1
?T 60 00 00 00 00 00 00 00x
12
Differential Cryptanalysis
  • Research Issue
  • Cryptanalysis
  • How to find a characteristic with high
    probability
  • Cryptography
  • How to construct secure S-Boxes
  • Markov Cipher
  • Boolean Function
  • Nonlinearity
  • Propagation criteria
  • Bent function
  • Vector-valued Boolean function

13
Provable Security
  • Main Idea
  • Approach in the view of differential
  • Provable Security against DC and LC
  • KN-Cipher
  • Lars R. Knudsen, Kaisa Nyberg
  • Round Function g(x) x3 in GF(233)
  • MISTY
  • Mitsuru Matsui
  • Recursive Structure
  • Modified Feistel Network

14
Provable Security
  • Characteristic
  • Fixed Path

?P
a1
b1
p1
F
a2
b2
p2
p ? pi
F
a3
b3
p3
F
?T
15
Provable Security
  • Differential
  • Consider all possible path

?P
a1i
b1i
p1i
F
a2j
b2j
p2j
p ? (p1i ? p2j ? p2j)
F
a3k
b3k
p3k
F
?T
16
Provable Security
  • Recursive Structure of MISTY1

32
32
16
16
9
7
FI
S9
FO
FI
S7
FO
S7
FI
FO
17
Practical Security
  • The Wide Trail Strategy
  • Design the round transformation in such a way
    that only trails with many S-boxes occur
  • Maximize the number of Active S-boxes
  • Branch Number B(f) minx?0(wh(x) wh(f(x)))
  • SQUARE
  • following the Wide Trail Strategy
  • MDS (Maximal Distance Separable) code
  • Maximum Branch number
  • Self-reciprocal structure

18
Recent Block Ciphers
  • CAST Diffusion Effects
  • 8 ? 32 S-box

ltlt
S1
S2
S3
S4
19
Recent Block Ciphers
  • CRYPTON SEED Diffusion Transform

20
Recent Block Ciphers
  • E2 Round Function (SPS-Structure)

Round key
S
P
Round key
S
21
S-box Construction
  • Simulation
  • DES
  • Combination of Boolean Function
  • CAST
  • Vector-valued Boolean Function
  • KN-Cipher, SEED, AES
  • Small Feistel Network
  • MISTY, Crypton

22
Diffusion Layer
  • Perfect S-box cannot guarantee the security of
    round function
  • 8 ? 32 S-box
  • Wide Trail Strategy (using a MDS code)
  • SPS Structure

23
Project Progress
  • Boolean function analysis library
  • Three Representation
  • sequence
  • algebraic normal form
  • Walsh-Hadamard
  • Hamming Weight
  • Nonlinearity
  • Autocorrelation
  • Review recent block cipher algorithm and
    cryptanalysis methods

24
Project Progress
  • DES S-box (S1)
  • The first bit
  • Algebraic Normal Form
  • 1 x1 x2 x1 x2 x3 x4 x3 x4 x1 x3 x4
    x2 x3 x4 x5 x4 x5 x3 x4 x5 x6 x2 x6
    x3 x6 x1 x3 x6 x2 x4 x6 x3 x4 x6 x1 x3 x4
    x6 x2 x3 x4 x6 x1 x2 x5 x6 x3 x5 x6 x1 x3
    x5 x6 x2 x3 x5 x6 x4 x5 x6 x1 x2 x4 x5 x6
    x3 x4 x5 x6 x1 x3 x4 x5 x6
  • Nonlinearity 18
  • Hamming Weight 32
  • Sequence
  • 1 0 0 1 1 0 0 0 0 1 1 0 1 1 1 0 0 1 1 0 0 1 1 1 0
    1 1 0 0 0 0 1
  • 0 1 0 1 1 1 1 0 1 0 0 1 0 0 1 0 1 0 1 1 1 0 0 1 0
    1 1 0 0 0 0 1

25
Project Progress
  • DES S-box (S1)
  • The first bit
  • W-H Sequence
  • 0 0 4 4 -4 4 0 8 -8 0 -4
    -12 4 4 8 -8
  • 0 -8 -12 -4 4 20 8 -24 8 8 -4 -4
    -4 4 0 8
  • 0 0 -4 12 4 -4 0 8 8 0 4
    -4 -4 -4 -8 -8
  • 0 -8 -4 -12 -4 -4 8 8 8 -8 4 -28
    -12 -4 0 -8
  • Autocorrelation
  • 64 -32 -24 24 0 0 -8 8 0 -8
    0 -16 -24 24 8 -16
  • -32 24 8 -8 0 0 8 0 -8 0
    0 16 24 -24 -16 8 0 0 8 -16 -24
    32 16 -16 24 -16 -8 8 -8 8 -8 0
    0 0 -8 16 24 -32 -16 16 -32 24 16
    -16 0 0 16 -8

26
Future Works
  • Security analysis of block ciphers consisting of
    Boolean function of low algebraic order
  • Implement S-box Analysis Tools using current
    library

27
QnA
Write a Comment
User Comments (0)
About PowerShow.com