
1 Block ciphers 1 Session 3

2 Contents
– Design of block ciphers
– Non-linear transformations

3 Design of block ciphers
The problem of block cipher design:
– Determine which set of $2^K$ block ciphers ($K$ is the length of the key) to choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext
– Given prior knowledge of a number of plaintext/ciphertext pairs, it should be impossible to say anything about the fixed key

4 Design of block ciphers
This is achieved via a combination of:
– Confusion, which makes the relationship between the key and the ciphertext as complicated as possible (by means of substitution through non-linear functions, so-called S-boxes)
– Diffusion, which makes every symbol of the ciphertext dependent on as many plaintext letters as possible (by means of linear transformations such as permutations).

5 Design of block ciphers
Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits.
Ideally, it would be impossible to decompose this S-box into smaller sub-units.
Such a block cipher would have a huge implementation complexity.

6 Design of block ciphers
Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext.
These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key.

7 Design of block ciphers
The decomposition of the theoretical large S-box into practical sub-units constitutes a trade-off between security and acceptable implementation complexity.

8 Non-linear transformations
Non-linearity in block ciphers is usually introduced by means of tables, so-called S-boxes.
There are also designs without explicit S-boxes. Instead, integer addition and multiplication, discrete logarithm and exponentiation, etc. are used (examples of such ciphers are IDEA, RC6, etc.)

9 Non-linear transformations
S-boxes can be very simple. For example, the S-boxes of Rijndael and Camellia are essentially $x^{-1}$ over $GF(2^8)$.
Regarding the relation with the key, S-boxes can be
– Key dependent
– Key independent
So, to design block ciphers we need S-boxes
– How do we get good, highly non-linear S-boxes?

10 Non-linear transformations
Almost perfect non-linear functions (APN)
– Resistant to certain attacks against block ciphers (differential and linear cryptanalysis)
– Let $f(x)$ be a mapping $GF(p^n) \to GF(p^n)$
– Let $N(a,b)$ denote the number of solutions $x \in GF(p^n)$ of the equation $f(x+a) - f(x) = b$, $a, b \in GF(p^n)$
– Let $\Delta_f = \max\{N(a,b) \mid a, b \in GF(p^n),\ a \neq 0\}$

11 Non-linear transformations
For linear functions, $f(x+a) = f(x) + f(a)$
So, $f(x+a) - f(x) = f(x) + f(a) - f(x) = f(a)$
Thus for linear functions $b = f(a)$, which means that any $x$ satisfies the equation
A completely contrary case
– Only 1 solution of the equation – the “most nonlinear” function $f(x)$.

12 Non-linear transformations
If $\Delta_f = k$, the mapping $f$ is called differentially $k$-uniform
For applications in cryptography, $\Delta_f$ should be as small as possible (i.e. non-linearity is maximum)
If $p$ is odd, there exist functions for which $\Delta_f = 1$: perfect nonlinear functions (PN)
Functions of the form $f(x) = x^d$ over $GF(p^n)$, $p$ prime, are of special interest

13 Non-linear transformations
Theorem 1
$f(x) = x^d$ is a mapping over $GF(p^n)$, $p > 2$
Then $f(x)$ is 1-uniform (PN) in the following cases:
– $d = 2$;
– $d = p^k + 1$, $n/(n,k)$ is odd
– $d = (3^k + 1)/2$, $p = 3$, $k$ odd, $(n,k) = 1$

14 Non-linear transformations
Since for the most interesting case, $p = 2$, PN functions do not exist, we use APN
APN functions: $\Delta_f = 2$
For $p = 2$, if $x$ is a solution of $f(x+a) - f(x) = b$, so is $x + a$
Thus $\Delta_f = 2$ is the smallest possible value when $p = 2$
This means that the restricted meaning of “almost” is not justified in this case

15 Non-linear transformations
Theorem (1)
$f(x) = x^d$ is a mapping over $GF(2^n)$
Then $f(x)$ is APN in the following cases
$n = 2m + 1$
– $d = 2^n - 2$ (proved by Nyberg, 1993, Beth, Ding, 1993)
– $d = 2^k + 1$, $(n,k) = 1$, $1 \le k \le m$ (Gold’s function, 1968)
– $d = 2^{2k} - 2^k + 1$, $(n,k) = 1$, $2 \le k \le m$ (Kasami’s function, 1971)
– $d = 2^m + 3$ (Welch’s function, 1972, proved by Dobbertin, 1999)
– $d = 2^m + 2^{m/2} - 1$ (even $m$), $2^m + 2^{(3m+1)/2} - 1$ (odd $m$) (Niho’s function, 1972, proved by Dobbertin, 1999)

16 Non-linear transformations
Theorem (2)
$n = 2m$
– $d = 2^k + 1$, $(n,k) = 1$, $1 \le k \le m$ (Gold’s function, proved by Nyberg, 1993)
– $d = 2^{2k} - 2^k + 1$, $(n,k) = 1$, $2 \le k \le m$ (Kasami’s function, proved by Dobbertin, 1999)
Problem with even $n$
– No APN power function $x^d$ is one-to-one for even $n$, which means that such functions are not balanced

17 Non-linear transformations
If the power function $x^d$ is PN (APN) for some $d$, it is also PN (APN) for $2^i d \bmod (2^n - 1)$ ($i < n$)
An S-box can be obtained by means of a linear transform $F(x) = ax + b$ of an APN power function $x^d$, i.e. $S(x) = F(x) \circ x^d = F(x^d) = a x^d + b$, $a, b, x \in GF(2^n)$, $\deg a(x) < n$, $\deg b(x) < n$, $a(x) \neq 0$.
The non-linear order of the S-box obtained from $x^d$ is equal to the Hamming weight of $d$

18 Non-linear transformations
Example (1): Use the Kasami exponent to design a 7-bit S-box.
$k = 2$, the generating polynomial of the field is $f(x) = x^7 + x + 1$, $a(x) = x^5 + x^4 + x + 1$, $b(x) = x^4 + x$
$n = 7$, $m = 3$, $2 \le k \le 3$, $(2,7) = 1$
Then $d = 2^{2k} - 2^k + 1 = 2^4 - 2^2 + 1 = 13$
The Hamming weight of $d = 13_{10} = 1101_2$ is 3, so the non-linear order of the S-box will be 3

19 Non-linear transformations
Example (2)
– We first generate the finite field $GF(2^7)$ modulo the given irreducible polynomial $f(x) = x^7 + x + 1$
$\alpha^0 = 1$ → 0000001
$\alpha^1 = \alpha$ → 0000010
$\alpha^2 = \alpha^2$ → 0000100
$\alpha^3 = \alpha^3$ → 0001000
$\alpha^4 = \alpha^4$ → 0010000
$\alpha^5 = \alpha^5$ → 0100000
$\alpha^6 = \alpha^6$ → 1000000
$\alpha^7 = \alpha + 1$ → 0000011
$\alpha^8 = \alpha^2 + \alpha$ → 0000110
$\alpha^9 = \alpha^3 + \alpha^2$ → 0001100
$\alpha^{10} = \alpha^4 + \alpha^3$ → 0011000
$\alpha^{11} = \alpha^5 + \alpha^4$ → 0110000
$\alpha^{12} = \alpha^6 + \alpha^5$ → 1100000
$\alpha^{13} = \alpha^6 + \alpha + 1$ → 1000011
…

20 Non-linear transformations
Example (3)
– Then we power each element of the generated field, i.e. we compute
$(\alpha^0)^{13} = 1$ → 0000001
$(\alpha^1)^{13} = \alpha^{13} = \alpha^6 + \alpha + 1$ → 1000011
$(\alpha^2)^{13} = \alpha^{26} = \alpha^6 + \alpha^5 + \alpha^2 + 1$ → 1100101
$(\alpha^3)^{13} = \alpha^{39} = \alpha^5 + \alpha^4 + \alpha^3 + \alpha$ → 0111010
…
$(\alpha^{10})^{13} = \alpha^{130 \bmod 127} = \alpha^3$ → 0001000
…

21 Non-linear transformations
Example (4)
– Every $(\alpha^i)^d = \alpha^{(i \cdot d) \bmod 127}$ should now be multiplied by $a(x) \bmod f(x)$ and $b(x)$ is added to the result. So we finally get
$\alpha^0 = 0000001$ → $a(x) + b(x)$ → $\alpha^5 + 1$ → 0100001
$\alpha^1 = 0000010$ → $((x^5 + x^4 + x + 1)(x^6 + x + 1) + (x^4 + x)) \bmod (x^7 + x + 1)$ → $\alpha^5 + \alpha^3 + \alpha^2$ → 0101100
Etc.
– Since $x = 0000000$ is also an element of the field, $F(0) = b(x) = x^4 + x$ → 0010010

22 Non-linear transformations
The addresses of the S-box items should be given in increasing order, from 0000000 to 1111111, and the corresponding values of S are given for every address
The addresses $x$ are the elements of the original field
The value at the address $x$ is $F(x) = a(x) x^d + b(x)$

23 Non-linear transformations
Example – The S7 S-box (7 input bits, 7 output bits) of the block cipher KASUMI
$F(x) = x^{81}$ over $GF(2^7)$
$81_{10} = 1010001_2 = 2^6 + 2^4 + 1 = 2^4 (2^4 - 2^2 + 1) \pmod{2^7 - 1}$
The exponent $d = 2^4 - 2^2 + 1 = 13$ is a Kasami’s exponent, $k = 2$
The non-linear order of the function $F(x) = x^{13}$ is 3, since the Hamming weight of $13_{10} = 1101_2$ is 3
Since $81 = 2^4 (2^4 - 2^2 + 1) \pmod{2^7 - 1}$, $x^{81}$ has the same non-linearity properties as $x^{13}$ over $GF(2^7)$

24 Non-linear transformations
Example – The S9 S-box (9 input bits, 9 output bits) of the block cipher KASUMI
$F(x) = a(x) x^5 + b(x)$ over $GF(2^9)$
$a(x)$ and $b(x)$ have not been published
$n = 9 = 2 \cdot 4 + 1$, $m = 4$, $d = 5 = 2^2 + 1$, $k = 2$, $(n,k) = 1$, $1 \le k \le m$: Gold’s function

25 Non-linear transformations
Example
– The substitution S-box in Rijndael is an affine transformation of $x^{-1}$ over $GF(2^8)$
– Theorem (Nyberg, 1993): $x^{-1}$ over $GF(2^n)$ is
– Differentially 2-uniform, for $n = 2m + 1$
– Differentially 4-uniform, for $n = 2m$
– So, $x^{-1}$ is not APN over $GF(2^8)$ since $n = 8$ is even

