AVALANCHE EFFECT IN THE FAMILY OF BLOCK CIPHERS “SD-(n,k)” University “Ss Cyril and Methodius” – Skopje, RM S. Markovski, PhD A. Mileva, MSc D. Gligoroski, PhD V. Dimitrova, MSc NATO Advanced Research Workshop Velingrad, October 2006

2 Kerckoff’s principle: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” Shannon maxime: “The enemy knows the system.” Bruce Schneier: “Every secret creates potential failure point.” Kerckoff’s principle: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” Shannon maxime: “The enemy knows the system.” Bruce Schneier: “Every secret creates potential failure point.”

3  Introduction  The family of block ciphers “SD-(n,k)”  Avalanche effect in encryption  Avalanche effect in decryption  Future work  Conclusion  Introduction  The family of block ciphers “SD-(n,k)”  Avalanche effect in encryption  Avalanche effect in decryption  Future work  Conclusion Outline

4 Introduction Term first used by Horst Feistel The avalanche effect refers to a desirable property of cryptographic algorithms, typically block-ciphers and hash functions. The avalanche effect is evident if, when an input is changed slightly (for example, flipping a single bit) the output changes significantly. Constructing a cipher to exhibit a substantial avalanche effect is one of the primary design goals. If a block cipher does not exhibit the avalanche effect to a significant degree, then it has poor randomization, and thus a cryptanalyst can make predictions about the input, being given only the output. This may be sufficient to partially or completely break the algorithm. Term first used by Horst Feistel The avalanche effect refers to a desirable property of cryptographic algorithms, typically block-ciphers and hash functions. The avalanche effect is evident if, when an input is changed slightly (for example, flipping a single bit) the output changes significantly. Constructing a cipher to exhibit a substantial avalanche effect is one of the primary design goals. If a block cipher does not exhibit the avalanche effect to a significant degree, then it has poor randomization, and thus a cryptanalyst can make predictions about the input, being given only the output. This may be sufficient to partially or completely break the algorithm.

5 The family of block ciphers “SD-(n,k)” Based is on quasigroup operations and quasigroup string transformations Arbitrary alphabet A={a 0,a 1,...,a r } Quasigroup (A,*) of order r and two of its parastrophes (A,\) and (A, /) e-, d-, e’-, d’- transformations Based is on quasigroup operations and quasigroup string transformations Arbitrary alphabet A={a 0,a 1,...,a r } Quasigroup (A,*) of order r and two of its parastrophes (A,\) and (A, /) e-, d-, e’-, d’- transformations

6 Blocks with length of n letters Key K=K 0 K 1...K n+4k-1, K i  A, where k is number of repeating of 4 different quasigroup string transformations in encryption/decryption functions Input: plaintext m 0 m 1...m n-1, m i  A Output: ciphertext c 0 c 1...c n-1, c i  A Blocks with length of n letters Key K=K 0 K 1...K n+4k-1, K i  A, where k is number of repeating of 4 different quasigroup string transformations in encryption/decryption functions Input: plaintext m 0 m 1...m n-1, m i  A Output: ciphertext c 0 c 1...c n-1, c i  A The family of block ciphers “SD-(n,k)”

7 Subfamilies “SD4-(n,k)”, “SD16-(n,k)”, “SD256-(n,k)” For “SD4-(n,k)” examples in this talk we are using this quasigroup of order Subfamilies “SD4-(n,k)”, “SD16-(n,k)”, “SD256-(n,k)” For “SD4-(n,k)” examples in this talk we are using this quasigroup of order The family of block ciphers “SD-(n,k)”

8 Key length in bits kSD4-(40,k)SD16-(20,k)SD256-(10,k) The family of block ciphers “SD-(n,k)”

Example of avalanche effect in encryption in SD4-(4,1) subfamily (flipping one bit in plaintext)

Example of avalanche effect in encryption in SD4-(4,2) subfamily (flipping one bit in plaintext)

Example of avalanche effect in encryption in SD4-(4,1) subfamily (flipping one bit in key)

12 Avalanche effect in encryption  Block size of 80 bits  Subtract-with-borrow random number generator with period  Examination for each k={1,2,3,4,5,6,7,8,9,10} and for each subfamilies “SD4-(40,k)”, “SD16-(20,k)” and “SD256-(10,k)”  For every k, we use 1000 different random generated pairs of plaintext and keys  We compute mean and standard deviation of bit differences in ciphertext  Block size of 80 bits  Subtract-with-borrow random number generator with period  Examination for each k={1,2,3,4,5,6,7,8,9,10} and for each subfamilies “SD4-(40,k)”, “SD16-(20,k)” and “SD256-(10,k)”  For every k, we use 1000 different random generated pairs of plaintext and keys  We compute mean and standard deviation of bit differences in ciphertext

13 Avalanche effect in encryption Results for “SD4-(40, k)”:  Flipping one bit in plaintext cause already for k=2 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=3  Flipping one bit in key cause dropping of different bits in ciphertext from 50,57% for k=1 to 50,16% for k=10  Standard deviation drops from 6,31 for k=2 to 5,88 for k=10 Results for “SD4-(40, k)”:  Flipping one bit in plaintext cause already for k=2 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=3  Flipping one bit in key cause dropping of different bits in ciphertext from 50,57% for k=1 to 50,16% for k=10  Standard deviation drops from 6,31 for k=2 to 5,88 for k=10

14 Avalanche effect in encryption Results for “SD4-(40, k)” different modes CBC, OFB and CFB:  Random generated key and plaintext of bits  IV – first n letter from key  For OFB and CFB parameter r=8  Flipping one bit in last 4k letters in key cause already for k=1 50% different bits in ciphertext in all modes  Standard deviation varies between 0,28 and 0,49 in all modes

15 Avalanche effect in encryption Results for “SD16-(20, k)”:  Flipping one bit in plaintext cause already for k=1 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=2  Flipping one bit in key cause dropping of different bits in ciphertext from 50,15% for k=1 to 50,05% for k=10  Standard deviation is stabilized around 5,6 for k=2 Results for “SD16-(20, k)”:  Flipping one bit in plaintext cause already for k=1 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=2  Flipping one bit in key cause dropping of different bits in ciphertext from 50,15% for k=1 to 50,05% for k=10  Standard deviation is stabilized around 5,6 for k=2

16 Avalanche effect in encryption Results for “SD16-(20, k)” different modes CBC, OFB and CFB:  Random generated key and plaintext of bits  IV – first n letter from key  For OFB and CFB parameter r=8  Flipping one bit in last 4k letters in key cause already for k=1 50% different bits in ciphertext in all modes  Standard deviation varies between 0,30 and 0,38 in all modes

17 Avalanche effect in encryption Results for “SD256-(10, k)”:  Flipping one bit in plaintext cause already for k=1 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=1  Flipping one bit in key cause already for k=1 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=1 Results for “SD256-(10, k)”:  Flipping one bit in plaintext cause already for k=1 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=1  Flipping one bit in key cause already for k=1 50% different bits in ciphertext  Standard deviation is stabilized around 5,6 for k=1

18 Avalanche effect in encryption Results for “SD256-(10, k)” different modes CBC, OFB and CFB:  Random generated key and plaintext of bits  IV – first n letter from key  For OFB and CFB parameter r=8  Flipping one bit in last 4k letters in key cause already for k=1 50% different bits in ciphertext in all modes  Standard deviation varies between 0,32 and 0,42 in all modes

Example of avalanche effect in decryption in SD4-(4,1) subfamily (flipping one bit in ciphertext)

Example of avalanche effect in decryption in SD4-(4,2) subfamily (flipping one bit in ciphertext)

21 Avalanche effect in decryption  Avalanche effect in decryption function is not really a issue  Avalanche effect in decryption function usually is not so significant as in encryption function  Avalanche effect in decryption function is not really a issue  Avalanche effect in decryption function usually is not so significant as in encryption function

22 Avalanche effect in decryption  Substract-with-borrow random number generator with period  Examination for each k={1,2,...,20} and for each subfamilies “SD4-(40,k)”, “SD16- (20,k)” and “SD256-(10,k)”  For every k, we use 1000 different random generated pairs of ciphertext and keys  We compute mean and standard deviation of bit differences in plaintext  Substract-with-borrow random number generator with period  Examination for each k={1,2,...,20} and for each subfamilies “SD4-(40,k)”, “SD16- (20,k)” and “SD256-(10,k)”  For every k, we use 1000 different random generated pairs of ciphertext and keys  We compute mean and standard deviation of bit differences in plaintext

23 Avalanche effect in decryption Results for “SD4-(40, k)”:  Flipping one bit in ciphertext cause growing up different bits in plaintext from 6,46% for k=1 to 38,55% for k=10 and its stabilizing around 50% for k=19  Standard deviation is stabilized around 5,6 for k=19 Results for “SD4-(40, k)”:  Flipping one bit in ciphertext cause growing up different bits in plaintext from 6,46% for k=1 to 38,55% for k=10 and its stabilizing around 50% for k=19  Standard deviation is stabilized around 5,6 for k=19

24 Avalanche effect in decryption Results for “SD16-(20, k)”:  Flipping one bit in ciphertext cause growing up different bits in plaintext from 12,06% for k=1 and its stabilizing around 50% for k=10  Standard deviation is stabilized around 5,6 for k=10 Results for “SD16-(20, k)”:  Flipping one bit in ciphertext cause growing up different bits in plaintext from 12,06% for k=1 and its stabilizing around 50% for k=10  Standard deviation is stabilized around 5,6 for k=10

25 Avalanche effect in decryption Results for “SD256-(10, k)”:  Flipping one bit in ciphertext cause growing up different bits in plaintext from 22,05% for k=1 and its stabilizing around 50% for k=5  Standard deviation is stabilized around 5,6 for k=5 Results for “SD256-(10, k)”:  Flipping one bit in ciphertext cause growing up different bits in plaintext from 22,05% for k=1 and its stabilizing around 50% for k=5  Standard deviation is stabilized around 5,6 for k=5

26 Future work Cryptanalysis of “SD-(n,k)” linear cryptanalysis and its extensions and variants differential cryptanalysis and its extensions and variants multiset cryptanalysis other cryptanalysis Practical implementation Design improvement Cryptanalysis of “SD-(n,k)” linear cryptanalysis and its extensions and variants differential cryptanalysis and its extensions and variants multiset cryptanalysis other cryptanalysis Practical implementation Design improvement

27 Conclusion  The “SD-(n,k)” is a new family of block ciphers, based on quasigroup string transformations and quasigroup operations  The “SD-(n,k)” exhibit a substantial avalanche effect in encryption function  Avalanche effect is evident in all basic modes of operation (ECB, CBC, OFB, CFB)  Avalanche effect in decryption function is not so significant as in encryption function, which was expectable  The “SD-(n,k)” is a new family of block ciphers, based on quasigroup string transformations and quasigroup operations  The “SD-(n,k)” exhibit a substantial avalanche effect in encryption function  Avalanche effect is evident in all basic modes of operation (ECB, CBC, OFB, CFB)  Avalanche effect in decryption function is not so significant as in encryption function, which was expectable

28 Conclusion  For avalanche effect, k must be at least:  3, for “SD4-(n,k)” subfamily  2, for “SD16-(n,k)” subfamily  1, for “SD256-(n,k)” subfamily  To satisfy today security needs for key length, k must be at least:  6, for “SD4-(n,k)” subfamily  3, for “SD16-(n,k)” subfamily  2, for “SD256-(n,k)” subfamily  For avalanche effect, k must be at least:  3, for “SD4-(n,k)” subfamily  2, for “SD16-(n,k)” subfamily  1, for “SD256-(n,k)” subfamily  To satisfy today security needs for key length, k must be at least:  6, for “SD4-(n,k)” subfamily  3, for “SD16-(n,k)” subfamily  2, for “SD256-(n,k)” subfamily

THANKS FOR YOUR ATTENTION