The SPEED Cipher ?

Home , M6 (cipher)

he iih gipher

uling heng

hool of gomputingD wonsh niversity

wwhons odD prnkstonD wel ourneD sg QIWWD eustrli

imilX yzhengdfitFmonshFeduFu

estrtF iih is privte key lo k ipherF st supp orts three vriE

le prmetersX @IA dt length | the length of plintextGiphertext

of iih n e TRD IPV or PST itsF @PA key length | the length of n

enryptionGderyption key of iih n e ny integer etween RV nd

PST @inlusiveA nd divisile y ITF @QA rounds | the numer of rounds

involved in enryptionGderyption n e ny integer divisile y R ut

not smller thn QPF

iih is omptD whih is indited y the ft tht the o jet o de

of strightforwrd implementtion of iih in the progrmming lnE

guge g o upies less thn Q kiloEytesF st mkes full use of urrentD

nd more imp ortntlyD emerging g rhitetures whih host lrge

numer of highEsp eed hrdwre registers diretly ville to ppliE

tion progrmsF enother imp ortnt feture of iih is tht it is uilt

on reent reserh results on highly nonliner ryptogrphi funtionsD

s well s other ounterEmesures ginst dierentil nd liner ryptE

nlyti ttksF

st is hop ed tht the omptnessD high throughput nd djustle pE

rmeters oered y iihD together with the ft tht the ipher is

in the puli dominD would mke it n ttrtive lterntive ipher for

seurity pplitions inluding eletroni nnil trnstionsF

I hesign hilosophy

he im of this pp er is to introdue privte key ipher tht is suitle for softE

wre implementtion nd tkes the mximum dvntge of emerging omputer

rhitetures tht host n inresing numer of fst internl hrdwre registers

diretly ville to pplition progrmsF he ipher is lled iih whih

stnds for eure kge for inrypting iletroni htF

gryptogrphi strength of iih is uilt on reent reserh results on onE

struting highly nonliner fo olen funtions ISD ITF yp ertion eieny is n

imp ortnt ftor tht hs een tken into ount in the pro ess of designF enE

other design gol is to provide the ipher with ppliility to fst oneEwy hshE

ing nd eient genertion of ryptogrphilly strong pseudoErndom numersF

inryption nd pseudoErndom numer genertion hve diret pplitions in

he soure o de of iih implemented in the progrmming lnguge g is lo ted

t the following vX httpXGGpsitEwwwFfitFmonshFeduFuG~yulingG

providing dt ondentilityD wheres oneEwy hshing is essentil for eient

uthentition nd digitl signtureF

hile most smrt rds use VEit g sD worksttions nd p ersonl omputE

ers re minly sed on QPEit g s whih supp ort fst pro essing of VD IT nd

QPEit dtF imilrlyD emerging TREit g s supp ort eient hndling of VD ITD

QP nd TREit dtF his results in our deision for the si dt unit for the

enryptionGderyption op ertion of iih to e VEitD ITEit or QPEit wordF

es plintextGiphertext of iih onsists of V wordsD hoosing VEit word s

the si dt unit results in lo k ipher on TREit dtD ITEit word results

in lo k ipher on IPVEit dtD nd QPEit word results in lo k ipher on

PSTEit dtF he pro ess of iih is omp osed of R pssesD eh involving V

or more onseutive roundsF hus similrly to gS IRD iih supp orts three

vrile prmetersD nmely dt lengthD key length nd the numer of roundsF

elevnt ides on vrile prmeters were previously used in oneEwy hshing

lgorithm lled reev IVF

e itEwise nonliner fo olen op ertion is employed in eh roundF o strengthen

the ipher ginst the dierentil ttk prop osed y fihm nd hmir ID

dtEdep endent yli shift is pplied on the output of the op ertionF his tehE

nique ws inspired y gSF he use of mximlly nonliner fo olen funtion

in itEwise fo olen op ertion would help thwrt the liner ttk disovered

y wtsui WF

he reminder of this pp er is orgnized s followsX etion P detils the

sp eition of iihD etion Q provides kground informtion on the round

trnsform used in iihD nd etion R disusses the onstrution nd prop erE

ties of the ve nonliner fo olen funtions used in iihF e preliminry nlE

ysis of the strength of the ipher ginst ryptnlysis is rep orted in etion SD

while omprison of iih with other iphers in terms of its throughput @the

numer of its enryptedGderypted p er unit of timeA is provided in etion TF

pinlly pplitions of iih in oneEwy hshing nd pseudoErndom numer

genertion re suggested in etions U nd VF

P hesription of iih

pirst we introdue few terms used in this pp erF es ommon prtieD yte

is omp osed of V itsF es we mentioned erlierD y word we men string of VD

IT or QP itsF ell its in yte or word re indexedD strting with HD from right

to left hnd sideF st is onvenient to ll right hnd side its lower its D while

left hnd side its upper itsF hree types of op ertions re pplied to dtF he

rst is itEwise fo olen op ertionsD the seond is yli shifts @iFeFD rottionA to

the right or leftD nd the third is mo dulr dditionsF

sn the following disussions we use w to indite the length of @iFeD the numer

of its inA plintextGiphertextD the length of keyD nd r the numer of

roundsF w n e hosen to e TRD IPV or PSTD n integer etween RV nd PST

@inlusiveA nd divisile y ITD nd r n integer lrger thn or equl to QP nd

divisile y RF iih with prmeters w D nd r my e denoted y @w Y Y r AE

iihD or simply y w Eit iih if the length of key nd the numer

of rounds re not onernedF sn le ID vrious p ossile omintions of the

prmeters w D nd r tht would provide dequte seurity re suggested F st

is reommended tht iih with less thn RH rounds e used only for oneEwy

hshingF

plinGiphertext length w TR IPV PST

@in itsA

key length @in itsA

@ a RVY TRY XXXY PSTD ! TR ! TR ! TR

divisile y ITA

numer of rounds r

@r a QPY QTY RHY XXXD ! TR ! RV ! RV

divisile y RA

le IF iih rmeters for edequte eurity @ r ` RV my e hosen only when

iih is used for oneEwy hshingA

PFI inryption

qiven key u of itsD iih srmles plintext w of w its into

iphertext g of the sme lengthF

plow of ht he ow of dt in iih is depited in pigure IF e ryptoE

grphi key u D whih is string of itsD is rst expnded y the key sheduling

funtion into four suEkeys u D u D u nd u F ih u D i a IY PY QY RD onsists

I P Q R i

r r

words or round keys where indites the numer of rounds in eh pssF of

R R

e plintext w is internlly represented s V wordsD eh itsF hese V

words re pro essed y D D nd onseutivelyF ih D i a IY PY QY RD

I P Q R i

is lled pss nd involves suEkey u F he output g of represents the

i R

iphertext of the originl plintext w F

pour snternl sses es n e seen from pigure PD the four internl psses

D i a IY PY QY RD ll op erte in similr fshionD lthough eh pss employs

dierent suEkeyD s well s dierent nonliner funtion for itEwise fo olen

op ertionsF he four nonliner itEwise op ertions re shown in le P in the

form of logi sum @yA of pro dut @exhA4F

ee lso reent rep ort y flze et l P whih suggests tht the length of key for

privte key ipher should e t lest US to provide dequte seurity for ritil

ommeril pplitionsF M

K 1 P 1

K 2 P 2 M a plaintext (64, 128 or 256 bits) K S C a ciphertext (64, 128 or 256 bits) K an encryption key (48,64,..., or 256 bits) K 3 P 3 K i a sub-key (r/4 words, r=32,36,40,...)

Pi a pass (r/4 rounds) S key scheduling K 4 P 4

pigF IF inryption sing iih

in p @ Y Y FFF Y A a

I I T S H T Q S I R P I H H

in p @ Y Y FFF Y A a

P P T S H T R H R Q H S P R Q R I Q H I

in p @ Y Y FFF Y A a

Q Q T S H S R H T R S P Q H I H Q

in p @ Y Y FFF Y A a

R R T S H T R P H T S R Q Q P I H P

where

Eit word @w a TRY IPV or PSTAD eh is

represents the itEwise exhD nd

i j

represents the itEwise y of the two words involvedF

i j

le PF fitEise xonliner fo olen yp ertions sed in D D nd

I P Q R

he input dt @ string of V wordsA to is pro essed in onseutive

roundsD eh involving the orresp onding word in the suEkey u D where i a

IY PY QY RF sn the rst round @round HAD the rst U words in the input re itEwise

pro essed ording to p whih is shown in le PF he result of this op ertion

is then ylilly shifted to rightF he ext numer of its y whih the result is

ylilly shifted is determined y the upp er log its of the @hlfEwordA sum

its re indexed of the left nd right hlves of the resultF hese upp er log

y ID P nd Q for w a TRD y RD SD T nd U for w a IPVD nd y IID IPD IQD IR

nd IS for w a PSTF he shifted version of the result of the nonliner itEwise

op ertion is dded @in the sense of mo dulo P A to the ylilly shifted @to the

I itsA version of the left most word in the inputD whose result is right y IT m i,7 m i,6 m i,5 m i,4 m i,3 m i,2 m i,1 m i,0

F i d

v Round 0 Ki,0

Rounds 1 ~ r/4-2

F i d

v Round r/4-1 Ki,r/4-1

c i,7 c i,6 c i,5 c i,4 c i,3 c i,2 c i,1 c i,0

d Ki,j w/8 bits cyclic shift to the right by d bits, d=w/16-1=3,7 or 15

v m i,j w/8 bits cyclic shift to the right by a variable number of bits w/8 c i,j w/8 bits addition modulo 2 w=64, 128 or 256 Fi bit-wise nonlinear Boolean operation

r = 32,36,40,...

pigF PF e ss in iihD i a IY PY QY R i

then dded to the rst word in the suEkey u F

he nl sum is regrded s n up dted version of the left most word in the

input to this roundF xow the eight words mong whih the left most one hs

een up dted re rotted to the left y wordD nd then used s n input to

the next roundF

he ove pro ess is iterted timesD eh involving dierent word in the

suEkey u F ht follows is pseudoEo de for pss F

i i

e ss in iihD i a IY PY QY R

tUD tTD F F FD tH hold VEword dtD while u iHD F F FD u ir aR I hold r aREword

suEkey used in F he ontents in tUD tTD F F FD tH re up dted ording to the

following stepsX

for j from H up to @rGR E IA do

tU a rotteright@tUD wGIT E IAY

tmp a pi@tTD tSD tRD tQD tPD tID tHAY

vv a @@@tmp bb wGITA C tmpA 8 revphweuA bb rspY

tmp a rotteright@tmpD vvAY

tmp a @tU C tmp C uijA 8 p vvhweuY

tU a tTY tT a tSY tS a tRY tR a tQY

tQ a tPY tP a tIY tI a tHY tH a tmpY

end of for loop

r ig ht@xY nA inE where 8 denotes itEwise exhD bb denotes shiftEtoErightD r otte

h weu dites ylilly shifting w aVEit word x to the right y n itsD p vv

w aV w aIT

a P ID revp h weu a P ID nd rsp tkes the vlue of

II for w a PSTD R for w a IPV nd I for w a TR resp etivelyF

PFP uey heduling

en enryptionGderyption key u for iih is inry string of itsD where

is n integer etween RV nd PST @inlusiveA nd divisile y ITF he funtion

of the key sheduling is to extend4 u into r words or round keys required y

the r rounds of pro essingF he following issues re onsidered in designing the

key shedulingX

IF st is simpleF

PF st llows fst softwre implementtionF

QF st do es not hve trivil wek keysF

RF st is oneEwy t lest in wek senseF

he si dt unit in the key sheduling is douleEyte dtF hus n

Eyte key is rst trnslted into internl douleEyte dt units k D Eit or

V IT

k D F F FD k denote the length of key in F por onvenieneD let a

I d

douleEytesF he key sheduling lgorithm extends k D k D F F FD k F into

H I I

n rry of units k D k D F F FD k D k D F F FD k D where l st is when

H I I lstI

d d

w a TRD r when w a IPVD nd P r when w a PST resp etivelyF pinlly these

units re trnslted into round keys @wordsA required y the r rounds in iihF

uey heduling of iih

tep IF vet k HD k ID F F FD k l st I e n rry of douleEytesD where l st is

when w a TRD r when w a IPVD nd P r when w a PST resp etivelyF e

store the originl Eit key in k HD F F FD k I s douleEyte dt

d d

itemsF xote tht the order of the originl key its is mintinedF

tep PF his step onstruts k D F F FD k l st I from the user key dt k HD

F F FD k IF st employs three douleEyte onstnts D nd F

d YH YI YP

IF vet a D a nd a F

H YH I YI P YP

PF por i from to l st I do the followingX

@A a q@ Y Y AF

P I H

@A otte to the right y S itsF

@A a C C k j @mo d P AD where j a i @mo d AF

P d

@dA k i a F

@eA a D a D a F

P I I H H

sn the lultionD q represents itEwise op ertion dened y

q@ Y Y A a

P I H P I I H H P

where eh is douleEyte dtD represents the itEwise exhD while

i i j

the itEwise y of the two dt involvedF

i j

tep QF his step trnsltes the l st douleEyte dt k D k D F F FD k into r

H I lstI

rounds keysD eh omp osed of itsF he trnsltion mintins the order

of the douleEyte dtF

he three douleEyte onstnts @ D nd A used in the seond

YH YI YP

step re tken from the frtionl prt of the squre ro ot of ISF he rst three

onstnts from the frtionl prt re used for the se of a RVD the next three

re for a TRD nd so onF hus in totl RP onstnts re required for the IR

dierent key lengthsF hese onstnts re shown elow in the hexdeiml formF

hpUf hTPW iWhf QTPp ShHH pPHp gQhI IphP SVWf RQIP WIif UIVi fpPe IiUh fPSU UUeT

ITSR TfPe HhWf eWhQ TTVp IWfi pVSS ThWV HPPh iRiP hHIU iePp USUP gQfS IHVT RVHg

QeeT WgeH WVpU hHiR PSQg gWHI SSpQ WfpR pTSW hUTg

hese onstnts re otined y using the following wple progrmX

redli@writeAY

open@sqrtISfrAY

printlevel Xa EIY

higits Xa QHHY

result Xa evlf@sqrt@ISA E QAY

u Xa P ITY

for i from I y I while i `a RP do

nextword Xa trun@result B uAY

writeln@onvert@nextwordDhexAAY

result Xa fr@result B uAY

odY

pigure Q illustrtes the seond step involved in the key shedulingF es n

e seen from the gureD the key sheduling lgorithm hs similrities with n

itertive ipherD with m jor exeption eing tht it is n irreversile pro essF

QQQl,2 l,1 l,0

kb 0 5 G

kb l/16

kbi mod (l/16) 5 G

kb i

i=l/16, ..., last-1

5 cyclic shift to the left by 5 bits

addition modulo 216 G (X2, X1, X0) = X2 X1 X1 X0 X0 X2 last = 2*r for w=256, r for w=128, and r/2 for w=64

QQQl,2 l,1 l,0 are constants l is the length of a key

Note: all data are of 16 bits

pigF QF tep P in uey heduling

PFQ heryption

es privte key ipherD iih uses the sme key oth for enryption nd

deryptionF o derypt iphertext g with key u D the whole pro ess of the

lgorithm is reversedD exept the key sheduling whih remins undistur edF

o e more preiseD the internl op ertions of eh D i a IY PY QY RD will e

onduted in reverse orderD whihD s depited in pigure RD results in or the

with suEkey u D inverse of F he iphertext g will e pro essed rst y

R R i

with u D with u D nd nlly with u F he ow of dt followed y

Q Q P P I I

in deryption is depited in pigure SF

Q yn the ound rnsform sed in iih

he widely used ht inryption tndrd or hi IH ws sed on funE

dmentl trnsform rst introdued y peistel RD SF sn its originl formD the

peistel trnsform n e represented y

s@vY A a @Y v f @AA

where v nd re inry strings of equl lengthD denotes itEwise y nd

f is length preserving funtionF

sing similr nottionD round in iih n e hrterized y

t@f Y FFF Y f Y f Y f A a @f Y FFF Y f Y f Y f h@f Y FFF Y f Y f AA

U P I H T I H U T I H

where eh f D i a HY IY FFF Y UD is word of denotes ddition mo dE itsD

ulo P D nd h is funtion tht shrinks U input words into oneF

he round trnsform used in iih n e regrded s generliztion

of the peistel trnsformF sn prtiulrD the ides ehind the round trnsform

n e tred k to theoretil studies of the peistel trnsform rried out

y the sme uthor in the lte IWVH9s in IUD where three types of generlized

peistel trnsforms were suggestedD together with thorough exmintion of their

ryptogrphi prop ertiesF sn the terminology of IUD the round trnsform used

in iih n e regrded s lightEweight4 version of the inverse of the third

type of generlized peistel trnsformsF

he round trnsform in iih n e further generlized to

t@f Y FFF Y f Y f Y f A a @f Y FFF Y f Y f Y f h@f Y FFF Y f Y f AA

k I P I H k P I H k I k P I H

for n integer k ! PF sing tehnique similr to tht for proving heorem gI

in IUD one n show tht the ontention of r indep endent rounds of trnsE

form dened y the trnsform yields soElled sup erEpseudoErndom p ermuE

ttion V if nd only if r ! k C PF e prtil implition of this result is tht

t lest IH rounds would e required y iihD should eh round employ

funtion hosen indep endently t rndomF

e note tht more reentlyD generlized peistel trnsforms hve found ppliE

tions in numer of oneEwy hshing lgorithmsD inluding whS IQD r IID

reev IV nd other losely relted lgorithmsF c i,7 c i,6 c i,5 c i,4 c i,3 c i,2 c i,1 c i,0

Ki,r/4-1 F i

v Round 0 d

Rounds 1 ~ r/4-2

Ki,0 F i

v Round r/4-1 d

m i,7 m i,6 m i,5 m i,4 m i,3 m i,2 m i,1 m i,0

d Ki,j w/8 bits cyclic shift to the left by d bits, d=w/16-1=3, 7 or 15

v m i,j w/8 bits cyclic shift to the right by a variable number of bits w/8 c i,j w/8 bits addition modulo 2 w = 64, 128 or 256 taking the negative (=multiplying by -1) r = 32,36,40,...

F i bit-wise nonlinear Boolean operation

pigF RF D the snverse of ss

i i C

K 4 P 4

K 3 P 3 C a ciphertext (64, 128 or 256 bits) K S M a plaintext (64, 128 or 256 bits) K a decryption key (48,64,.., or 256 bits) K 2 P 2 K i a sub-key (r/4 words, r=32,36,40,...)

Pi inverse of a pass Pi S key scheduling K 1 P 1

pigF SF heryption sing iih

R xonliner puntions sed in iih

e funtion f on D the vetor spe of dimension nD is sid to e nonliner if it

is not neF he nonlinerity of f is dened s the minimum distne from f

to ll the ne funtionsF st is known tht the nonlinerity of funtion on

nI nI

F f is sid to stisfy the propgtion riterion is upp erE ounded y P P

with resp et to vetor in if omplementing n input to f ording to the

vetor results in the output of f to e omplemented SH7 of the timesF ytherwise

if it results in the output of f to e onstnt @H or IAD the vetor is sid to

e liner struture of f F sn mny ryptogrphi pplitionsD it is desirle

for funtion to e highly nonlinerD to stisfy the propgtion riterion for

s mny vetors s p ossileD nd to hve s few liner strutures s p ossileF

es detiled disussion on nonlinerity is out of the sop e of this pp erD the

reder is referred to ISD IT for relevnt onepts s well s vrious metho ds for

onstruting highly nonliner funtionsF

pive nonliner funtions re used in iih for itEwise op ertionsF he rst

of these funtions is used in the key sheduling pro essD while the other four in

the four internl pro esses D D nd F

I P Q R

RFI sn the uey heduling

he nonliner fo olen funtion used in the key sheduling n e represented

g @x Y x Y x A a x x x x x x

P I H P I I H H P

g is lned m jority funtion with nonlinerity of PD whih is the mximum

vlue tht n e hieved y funtion on F st stises the propgtion riteE

rion with resp et to ll ut oneD @IDIDIAD nonEzero vetors in F he sme funtion

ws previously used in oneEwy hshing lgorithms r II nd whR IPF

RFP sn D D nd

I P Q R

he four nonliner fo olen funtions used in D D nd re represented

I P Q R

f @x Y x Y FFF Y x A a x x x x x x x x x

I T S H T Q S I R P I H H

f @x Y x Y FFF Y x A a x x x x x x x x x x x x x x x

P T S H T R H R Q H S P R Q R I Q H I

f @x Y x Y FFF Y x A a x x x x x x x x x x x x

Q T S H S R H T R S P Q H I H Q

f @x Y x Y FFF Y x A a x x x x x x x x x x x x x

R T S H T R P H T S R Q Q P I H P

xote tht f D f nd f D in their originl formsD were previously used in oneE

I Q R

wy hshing lgorithm lled reev IV @in its sses ID Q nd S resp etivelyAF

f is onstruted using tehnique shown in etion VFQ of ITF

he four funtions f D f D f nd f ll hve very go o d propgtion or

I P Q R

vlnhe hrteristisF sn prtiulrD

IF f stises the propgtion riterion with resp et to ll ut one nonEzero

vetors in F he vetor where the propgtion riterion is not stised is

the only nonEzero liner struture of the funtionF

he sme is true for funtions f nd f F

Q R

PF f stises the propgtion riterion with resp et to ll ut ve @SA nonEzero

vetors in F sn ontrst to f D f nd f D none of the ve vetors where

U I Q R

the propgtion riterion is not stised is liner struture of f F rene f

P P

do es not hve nonEzero liner strutureF

sn dditionD

IF hey hieve the mximum nonlinerity ST on F

PF hey re ll lnedF

QF hey re inequivlent in the sense tht they nnot e onverted into one

nother vi nonEsingulr ne trnsform on input o ordintesF @he inE

equivlene of f D f nd f is due to the ft tht eh hs dierent

I Q R

lgeri degreeF yn the other hndD s f hs dierent propgtion hrE

teristisD it is equivlent to none of the other three funtionsFA

RF ell nonEzero liner omintions of them re lnedF emong the fteen

dierent omintionsD nine hieve the highest nonlinerity STD three hieve

SPD nd the other three hieve RVF

st should e dded tht the o ordintes of f D f D f nd f hve een reE

I P Q R

ordered efore they tke the urrent formsF yriginlly the four funtions re s

followsX

f @x Y x Y FFF Y x A a x x x x x x x x x

T S H I R P S Q T H I H

f @x Y x Y FFF Y x A a x x x x x x x x x x x x x x x

T S H R R T Q T Q S P S T Q S T H I

f @x Y x Y FFF Y x A a x x x x x x x x x x x x

T S H I P Q I R P S Q T H Q H

f @x Y x Y FFF Y x A a x x x x x x x x x x x x x

T S H I R P S Q T H I P Q H S H

he o ordintes of the four originl funtions re reEordered ording to

le Q so tht the resulting funtions fulll the requirement tht ll their nonE

zero liner omintions re lnedF hese reEorderings hve een otined

through rndom smplingF

puntion x x x x x x x

T S R Q P I H

5 5 5 5 5 5 5

f x x x x x x x

P Q S R T I H

f x x x x x x x

R H I Q T S P

f x x x x x x x

I P T H S R Q

f x x x x x x x

I Q S H R T P

le QF eEordering the go ordintes

S eurity of iih

here re two iphers tht re struturlly relted to iihF hese two lE

gorithms re gS IR nd wqun QF es wqun round trnsforms re

sed on very simple reErrngement of the sustitution oxes @E oxesA used

in hiD iih is loser to gS thn to wqunF

elthough iih nd gS shre the sme feture tht oth iphers supp ort

three vrile prmetersD nmely dt lengthD key length nd the numer of

roundsD there re two sp ets tht dierentite the former from the ltterF pirstD

the key sheduling pro edures of the two iphers er no resemlneF eondD

iih employs fo olen funtion with the mximum nonlinerity in eh

roundD lone with dtEdep endent yli shiftF sn ontrstD dtEdep endent

yli shift is the only nonliner op ertion involved in round in gSF

sn TD uliski nd in hve presented onvining evidene whih suggests

tht gS e seure ginst oth liner nd dierentil ttks if the numer of

@douleA rounds in gS is IP or moreF @ee lso rened nlysis y unudsen

nd weier UFA

pigure T shows @douleA round in gS whih involves two yli shifts nd

hieves mixing eet in tht oth output words re mixture of oth input

wordsF es iih hs eight words in its input nd output dtD eight rounds re

required to hieve similr mixing eetD nmely eh output word is funE

tion of ll eight input wordsF hereforeD struturlly r Eround version of iih

roughly orresp onds to E@douleA round version of gSF hue to the use of

mximlly nonliner funtions in iihD we exp et tht for r ! QPD iih

E@douleA round gSF he reder is invited to exmE is t lest s seure s

ine the seurity of iih ginst ll ttksD inluding liner nd dierentil ryptnlysisF

A B B

S[2*i]

AB B

S[2*i+1]

B cyclic shift to the left by a variable number of bits (determined by the lower bits of B)

S is an array of 2*(r+1) round keys

pigF TF e @houleA ound in gS

le I suggests vrious p ossile omintions of the prmeters w D nd r

tht would provide dequte seurity for ommeril pplitionsF

T hroughput nd gomptness of iih

st n e seen from pigure P tht eh round involves the following op ertionsX

IF e nonliner itEwise op ertion on U wordsF he ext time for exeuting it is

determined y the omplexity of the nonliner funtionD nd more ritillyD

y the numer of fst hrdwre registers within g whih re diretly

ville to ryptogrphi pplition tht employs the ipherF he more

hrdwre registers the g hsD the fster the op ertionF

PF wo yli shift op ertionsF yn most mhinesD they re exeuted quiklyD

indep endently of the numer of its to e ylilly shiftedF

F he one whih is not shown in pigure P is used QF wo dditions mo dulo P

for nding out the numer of its for the output of the itEwise op ertion

to e ylilly shiftedF

he key sheduling involves dditionsD itEwise nonliner fo olen op ertions

nd rottionsD eh @l st A timesF

e strightforwrd implementtion of iih in the progrmming lnguge

g hs een rried outF le R shows the throughput @the numer of its enE

ryptedGderypted p er unit of timeA of the implementtion on un ltrpr P

interprise @PHHwrzA s well s on entium ro IVHF foth mhines run on the

olris PFSFI op erting systemF yn the ltrpr the gg ommnd lls prE

gompiler gCC RFID while on the entium it lls rogompiler gCC QFHIF he

throughput inditors hve ll een otined for sitution where the key shedE

ule is lled only oneF he tle lerly shows tht when the numer of rounds

re the smeD PSTEit iih is twie s fst s IPVEit iihD nd four times

s fst s TREit iihF por omprisonD the throughput of the shie ipher

hs lso een listed t the ottom of the tleF

es the nonliner fo olen op ertion in eh round of iih involves seven

wordsD inrese in the throughput of iih n e drmti when it is mde

prllel y hrdwreF sn dditionD pip eEline pro essingD nd more signintlyD

prtil prllel exeution of up to six onseutive rounds n e implemented

y hrdwreF his n e seen from the ft tht prt of the nonliner fo olen

op ertion in the seond roundD whih is not determined y the outome of the

rst roundD n e rried out while the rst round is eing exeutedF nder

onservtive ssumption tht hrdwre implementtion n e PH times s

fst s its softwre ounterprt on un ltrpr @PHHwrzAD the throughput

of @PSTY Y TRAEiihD would e o osted to WTT megitGseondF uh high

throughput would e dequte even for pplitions on future gigit networksF

pinllyD s indited y the strightforwrd o ding of the ipher in the proE

grmming lnguge gD iih is suitle for ompt implementtion either y

softwre or hrdwreF sn prtiulrD when ompiled using g EyP9 on the lE

trpr mhineD the o jet o de for the g implementtion o upies less thn

Q kiloEytesF snidentllyD this oinides with the size of the o jet o de of

strightforwrd implementtion of the shie ipher y F he wolinerD lso in

the progrmming lnguge gF

snstnes of throughput @megitsGseondA

iih on ltrpr PHH on entium ro IVH

g gg g gg

@PSTY Y RVAEiih RRFWI RVFQH PUFPQ PUFVQ

@PSTY Y TRAEiih QRFIQ QTFSU IVFWT PHFVI

@PSTY Y VHAEiih PUFVQ PWFUU ISFQQ ITFSP

@PSTY Y WTAEiih PQFHT PRFSV IPFVR IQFTW

@IPVY Y RVAEiih PIFQQ PRFTP IPFRQ IHFRI

@IPVY Y TRAEiih ITFPH IVFSS WFRV UFUI

@IPVY Y VHAEiih IPFWQ IRFVV UFTP TFIS

@IPVY Y WTAEiih IHFVS IPFSS TFQU SFIP

@TRY Y TRAEiih VFHH WFPV RFUR SFQV

@TRY Y VHAEiih TFRT UFRR QFVQ RFQP

@TRY Y WTAEiih SFRP TFPU QFPP QFST

shie UFUS ITFQH IQFTR WFQV

@IA gompilers nd optionsX

g EyP9 on oth mhinesD

gg Efst ExyR Extrgetaultr9 on ltrprD nd

gg Efst ExyR Epentium9 on entium

@PA shie is tested using pkge written y F he wolinerF

le RF hroughput of iih @nd shieA

U sing iih in yneEy rshing

iih is promising ndidte for digitlly ngerEprinting or oneEwy hshing

messge of ritrry lengthF he length of ngerEprint n e up to w a PST

itsF st is exp eted tht it is prtilly infesile to nd two or more dierent

messges tht hve the sme ngerEprintF

vet a PST nd w e n integer lrger thn or equl to the required numer

of its in ngerEprintF por the ske of eienyD r my e hosen from etween

QP nd RVF por eh messge w to e hshedD we tth to the end of w three

eldsF he rst eld strts with it I whih is followed y zero or more it

H9s so tht the length @in itsA of the nowEexpnded messge is IVR mo dulo PSTF

he seond eld hs TR its inditing the length of w D iFeFD the numer of its

in w F end nllyD the third eld onsists of V its whih indite the required

numer of its in the nl ngerEprintF sn wht follows it will eome ler tht

sine the three elds re tthed to the end of w D the op ertion do es not hve

to e rried out until hshing the lst lo k @of PST its or lessA in w F his is

useful in suh sitution s when the length of w is not known eforehndF

xow denote y w Y w Y FFF Y w the pdded messgeD where eh w

nI nP H i

onsists of PST itsF he ngerEprint of the messge is otined in the following

wyX

h a HY

h a h C i i h @h AY i a HY IY FFF Y n IX

iCI i w i

he ngerEprint of the originl messge w is represented y the desired numer

of its in the right hnd side of h F

xote tht in the lultionD i i h @h A should e interpreted s srmE

w i

ling h with w s keyD nd the summtion is wordEwise ddition mo dulo

i i

P F

V sing iih in seudoEndom xumer qenertion

es lo k ipherD iih n serve s ryptogrphilly strong pseudoE

rndom numer genertor when used in the output feedk mo de @ypfAF

enother simple wy to generte ryptogrphilly strong pseudoErndom

numers is sed on the oservtion tht if iih is strong ipherD then

it ts s pseudoErndom funtion whih pro dues w a TRD IPV or PST pseudoE

rndom its p er pplition of the lgorithmF vet e rndom seed of PST

itsF essume tht s g is w Eit initil onstnt vlueF hen

i i h @s g C iAY i a HY IY PY FFF Y

denes pseudoErndom string tht n e used in ryptogrphi pplitionsF

xote tht s g C i should e interpreted s s g C i mo dulo P F

eknowledgments

st is the uthor9s gretest plesure to thnk the following p eopleX inEwo hng

for vrious disussions on nonliner fo olen funtionsD oshiy stoh nd nonyE

mous referees for pinnil gryptogrphy9WU for suggestions tht hve help ed

improve the desription of the ipherD ui y9ng for ssistne with smo oth

lnding on wrs @pr IHAD tove @entium ro IVHA nd turn @ ltrprD

PHHwrzA to test the throughput of iihD nd nlly vrs unudsen nd rns

ho ertin for helpful ommentsF

eferenes

IF fihmD iFD nd hmirD eF hierentil gryptnlysis of the ht inryption

tndrdF pringerEerlgD xew orkD reidel ergD okyoD IWWQF

PF flzeD wFD hiffieD FD ivestD FD hneierD fFD himomurD FD hompE

sonD iFD nd ienerD wF winiml key length for symmetri iphers to provide

dequte ommeril seurityD tnury IWWTF

QF flzeD wFD nd hneierD fF he wqun lo k ipher lgorithmF sn pst

oftwre inryption @ferlinD xew orkD okyoD IWWSAD volF IHHV of veture xotes

in gomputer ieneD pringerEerlgD ppF WU{IIHF

RF peistelD rF gryptogrphy nd omputer privyF ienti emerin PPV @IWUQAD

IS{PQF

SF peistelD rFD xotzD F eFD nd mithD tF vF ome ryptogrphi tehniques

for mhineEtoEmhine dt ommunitionsF roeedings of siii TQD II @IWUSAD

ISRS{ISSRF

TF uliskiD fFD nd inD F yn dierentil nd liner ryptnlysis of the gS enE

ryption lgorithmF sn edvnes in gryptology E gy9WS @ferlinD xew orkD

okyoD IWWSAD volF WTQ of veture xotes in gomputer ieneD pringerEerlgD

ppF IUI{IVRF

UF unudsenD vFD nd weierD F smproved dierentil ttks on gSF sn edvnes

in gryptology E gy9WT @ferlinD xew orkD okyoD IWWTAD volF IIHW of veture

xotes in gomputer ieneD pringerEerlgD ppF PIT{PPVF

VF vuyD wFD nd koffD gF row to onstrut pseudorndom p ermuttions from

pseudorndom funtionsF sew tournl on gomputing IUD P @IWVVAD QUQ{QVTF e

preliminry version inluding other results pp ered in the ro eedings of the IVth

egw ymp osium on heory of gomputingD IWVTD ppFQSTEQTQF

WF wtsuiD wF viner ryptnlysis metho d for hi ipherF sn edvnes in grypE

tology E i yg9WQ @IWWRAD volF UTSD veture xotes in gomputer ieneD

pringerEerlgD ferlinD reidel ergD xew orkD ppF QVT{QWUF

IHF xtionl fureu of tndrdsF ht enryption stndrdF pederl snformE

tion ro essing tndrds ulition ps f RTD FF heprtment of gomE

mereD tnury IWUUF

IIF xtionl snstitute of tndrds nd ehnologyF eure hsh stndrdF

pederl snformtion ro essing tndrds ulition ps f IVHEID FF heE

prtment of gommereD epril IWWSF

IPF ivestD F he whR messge digest lgorithmD epril IWWPF equest for gomE

ments @pgA IQPHF @elso presented t grypto9WHD IWWHAF

IQF ivestD F he whS messge digest lgorithmD epril IWWPF equest for gomE

ments @pgA IQPIF

IRF ivestD F he gS enryption lgorithmF sn pst oftwre inryption @ferlinD

xew orkD okyoD IWWSAD volF IHHV of veture xotes in gomputer ieneD pringerE

erlgD ppF VT{WTF

ISF eerryD tFD hngD F wFD nd hengD F xonlinerity nd propgtion hrE

teristis of lned o olen funtionsF snformtion nd gomputtion IIWD I

@IWWSAD I{IQF

ITF hngD F wFD nd hengD F ghrterizing the strutures of ryptogrphi

funtions stisfying the propgtion riterion for lmost ll vetorsF hesignD godes

nd gryptogrphy U D IGP @IWWTAD III{IQRF sp eil issue dedited to qus immonsF

IUF hengD FD wtsumotoD FD nd smiD rF yn the onstrution of lo k iphers

provly seure nd not relying on ny unproved hypothesesF sn edvnes in

gryptology E gy9VW @ferlinD xew orkD okyoD IWWHAD volF RQS of veture

xotes in gomputer ieneD pringerEerlgD ppF RTI{RVHF

IVF hengD FD ieprzykD tFD nd eerryD tF reev E oneEwy hshing lgoE

rithm with vrile length of outputF sn edvnes in gryptology E e g9WP

@ferlinD xew orkD okyoD IWWQAD tF e erry nd F hengD idsFD volF UIV of veture

xotes in gomputer ieneD pringerEerlgD ppF VQ{IHRF

gertition ht for iih

ht re represented in the hexdeiml formF he yte order used in showing

the dt is s followsX

the most signint yte the lest signint yte

iihheevix a TRD iihuivix a TRD iihxyypxh a TR

key a HH HH HH HH HH HH HH HH

plintext a HH HH HH HH HH HH HH HH

iphertext a Pi HH VH IW fg PT VS Th

iihheevix a IPVD iihuivix a IPVD iihxyypxh a IPV

key a pp pp pp pp pp pp pp pp pp pp pp pp pp pp pp pp

plintext a pp pp pp pp pp pp pp pp pp pp pp pp pp pp pp pp

iphertext a Tg IQ iR fW gQ IU IS UI ef SR hV IT WI Sf gR iV

iihheevix a PSTD iihuivix a PSTD iihxyypxh a PST

key a TH Sp Si Sh Sg Sf Se SW SV SU ST SS SR SQ SP SI

SH Rp Ri Rh Rg Rf Re RW RV RU RT RS RR RQ RP RI

plintext a Ip Ii Ih Ig If Ie IW IV IU IT IS IR IQ IP II IH

Hp Hi Hh Hg Hf He HW HV HU HT HS HR HQ HP HI HH

iphertext a Qh iI Tg pe We TP TV RU RQ Ri IS UR TW Qp ig If

Qp ee SS Ve PW Tf TI hU HV fI QI gg fe QI IH TV

his rtile ws pro essed using the v mro pkge with vvxg style i