Supporting Document of MISTY1 Version 1.10

Supporting Document of MISTY1

Version 1.10

Mitsuru Matsui

Mitsubishi Electric Corporation

September 25, 2000

Supporting Document of MISTY1 Version 1.10

1. Introduction

The algorithm MISTY1 is a 64-bit with 128-bit , whose detailed specification was first published in Japan in 1996 [1] and then presented at the international workshop of Fast Software Encryption in 1997 [2]. Its design principles and security assessments by the designer can be also found in these papers. Needless to say, the designer did not insert any hidden weakness in MISTY1. MISTY1 has been, since then, publicly evaluated from both academic and practical viewpoints; no security flaws have been found. The second paper [2] is attached to this document for reference. MISTY1 has a variable number of rounds; we recommend an 8-round version, which is most commonly used in real applications.

MISTY1 is one of the earliest block ciphers that were aimed at being suitable for software and hardware systems as well, particularly for low cost applications. It was designed so that practical encryption performance could be achieved even in heavy resource constraints. For instance, MISTY1 can be implemented with a very small RAM size (e.g. within 100 bytes) in software on cheap processors, and with a small number of gate counts and low power consumption (e.g. within 10 K gates) in hardware.

MISTY1 is now widely used in many commercial and governmental applications. In software, its target platforms range from 8-bit microprocessors for smart cards and 16-bit digital signal processors for wireless communication systems to high-end 32-bit and 64-bit processors for PKI applications. Also, encryption LSI’s with MISTY1 are being used in public transportation systems and high-speed network applications (e.g. hubs and routers). Recently the 3rd generation partnership project (3GPP) adopted a variant of MISTY1, which is called KASUMI, as a mandatory algorithm in the confidentiality and integrity mechanisms of the forthcoming W-CDMA systems.

It is undoubted that 64-bit block ciphers will be eventually shifted to 128-bit block ciphers. However, it is also true that for the time being 64-bit block ciphers will coexist with 128-bit block ciphers because of market requirements of low cost implementation and message format compatibility. We believe that 64-bit block ciphers still are worthy of being standardized internationally and MISTY1 is worthwhile.

MISTY1 is a patented algorithm. However, the owner of its essential patent, Corporation, has declared that it will give a license without any loyalty fee. For more details, see http://www.mitsubishi.com/ghp_japan/misty/licensee.htm.

Supporting Document of MISTY1 Version 1.10

2. Security Analysis of MISTY1

MISTY1 was designed on the basis of the theory of “provable security” against differential and linear [3][4][5]. It was also carefully designed to withstand various cryptanalytic attacks that were known at the time of designing. The detailed design principles and methodologies of MISTY1 to balance its security and performance in various platforms can be found in [2].

Since the publication of MISTY1, many research efforts have been done for evaluating its security level; no security flaws of MISTY1 have been so far found for the recommended 8-round version. In this section we describe, among them, several results about security level of round-reduced versions of MISTY1 that were not fully covered by the designer’s papers.

2.1 Higher order differential cryptanalysis Higher order differential cryptanalysis was proposed by Lai [6] and developed by Knudsen [7], which is effectively applicable to a block cipher whose algebraic degree is small. MISTY1 contains two look-up tables S7 and S9, both of which have a low algebraic degree, specifically 3 and 2, respectively. Although these look-up tables with the low algebraic degrees contribute to realizing small and fast hardware, it is also natural that many papers concentrated on higher order differential cryptanalysis of MISTY1. The best-known result among them is a successful attack of MISTY1 reduced to five rounds without FL-functions [8]. However the algebraic structure of MISTY1 with FL-functions significantly varies according to the key value due to bit-wise AND/OR operations used in the FL-functions, and hence we believe that it is unlikely that higher order differential cryptanalysis can be applied to the full 8-round MISTY1 with FL-functions.

2.2 The slide attack, which was invented by Biryukov and Wagner [9], is applicable to a block cipher where the same subkey value is supplied to each round (or every n-th round). This attack was strongly motivated by related-key cryptanalysis introduce by Biham [10]. Since MISTY1 has a simple key scheduler for hardware reasons, it is also natural to pay an attention to related key cryptanalysis. The only known observation about related key attacks of MISTY1 is that, if all FL-functions are removed from MISTY1, the slide attack works when one of 65536 keys is used [11]. However, this attack is weaker than a trivial exhaustive key search to find one of the 65536 keys and does not work for other keys. Also MISTY1 with FL-functions withstand this attack. Note that the slide attack is newer than MISTY1, but protection from related-key type cryptanalysis was one of the design principles of the key-scheduling algorithm of MISTY1.

Supporting Document of MISTY1 Version 1.10

2.3 Impossible differential cryptanalysis Impossible differential cryptanalysis is a recent attack, which was proposed by Biham and Shamir [12] after the motivation given by Knudsen in his paper about an analysis of DEAL cipher [13]. Impossible differential cryptanalysis pays attention to characteristic paths that never appear, and narrows possible key candidates using this information. This attack, revealed that any with a bijective round function has impossible characteristic paths in five rounds, which enables us to distinguish the five round cipher from a randomly chosen permutation. This result is a good contrast to the Luby-Rackoff analysis that showed that a four round Feistel cipher with a pseudo-random round function is a pseudo-random permutation and hence is impossible to distinguish from a randomly given permutation. No results about impossible differential cryptanalysis specific to MISTY1 are known; just a general theory tells us that MISTY1 reduced to five rounds without FL-functions can distinguish from a randomly chosen permutation. However again due to the existence of the FL-functions, impossible characteristic paths become heavily dependent on the key value. We hence believe that it is extremely unlikely that impossible differential cryptanalysis is applicable to the full MISTY1.

2.4 Luby-Rackoff style evaluation The Luby-Rackoff style evaluation of a block cipher is to look into (complexity theoretic) pseudo-randomness of the entire structure of the cipher assuming pseudo-randomness of its smallest components [14]. Several works are known about the Luby-Rackoff style security assessment of the “MISTY1-like” structure. Note that this type of analysis does not direct lead to an attack of a block cipher itself, since the security is asymptotically evaluated in terms of its block size and the attacker’s computational power is limited to polynomial time of its block size. On the other hand, meeting the pseudo-randomness criteria might be considered as an evidence of (sort of) soundness of the basic structure. It is known that purified and idealized “MISTY1-like” structure is a pseudo-random permutation when the number of rounds is five or more, if the smallest components, which correspond to the two loop-up tables S7 and S9, are assumed to be pseudo-random permutations. For more details, see [15].

2.5 Implementation attacks Implementational attacks, such as timing attacks and , are often powerful and realistic threats in smart card applications. Since MISTY1 is composed of logical operations and lookup tables only, it is easy to apply standard methods to avoid implementation weakness of block ciphers, for instance removing “jumps” or “variable-cycle instructions”, to MISTY1. However, differential power analysis is a much deeper attack using subtle hardware characteristics. We believe that it is too early to say any conclusive statements about resistance to differential power attack.

Supporting Document of MISTY1 Version 1.10

3. Implementation Analysis of MISTY1

3.1 Software implementations The sample C source code attached to the designer’s paper [1] shows an example of straightforward implementation based on the description of MISTY1. There are however many more techniques for implementing MISTY1 in software balancing speed and memory requirements. The designer and developers of MISTY1 have published several results about how to implement MISTY1 on various processors [16][17][18]. Here we describe further updated software performance information on MISTY1. For instance, it is not difficult to see that the 9 7 FI-function can be also written as shown in fig.1, where S9A and S9B are newly introduced

S9 look-up tables that transform 9 and 7 input bits into 16 output bits, respectively. Note that the zero- subkey Kij1 can be “embedded” into other ext subkeys. Though implementing this form requires more memory than the straightforward Kij2 method, but faster speed is expected. Moreover,

9 7 noting that the number of possible varieties of S9A S7A Kij2 is only eight, we can even remove the 16 16 subkey by introducing eight different S9A tables if a target processor has on-chip cache of 16K bytes or more. Table 1 summarizes implementation results of Fig 1: An Alternative Form of FI MISTY1 on Pentium II processor.

Implementation Method Language Key Setup Time Encryption Time

Straightforward C 170 cycles 450 cycles/block = 56.25 cycles/byte

Fig.1 with Kij2 C 300 cycles 300 cycles/block = 37.50 cycles/byte

Fig.1 without Kij2 (self modified code) Assembly 8700 cycles 190 cycles/block = 23.75 cycles/byte

Table 1: Software Performance of MISTY1 (Pentium II 500MHz 128MB Memory / Windows 98)

Supporting Document of MISTY1 Version 1.10

For another implementation example, Sano et al. showed a software implementation of MISTY1 on a typical 8-bit microprocessor Z80 [19]. According the paper, MISTY1 can be implemented on the processor in 1598 ROM bytes and 44 RAM bytes. It worked in 25486 cycles for one block encryption with key scheduling, which is approximately 5 msec in 5 MHz. This result shows that MISTY1 is highly practical in smart card applications. Note that this implementation is based on a straightforward method. Further speeding-up can be expected in return for some increase in ROM size by using the above reduction form.

3.2 Hardware implementations MISTY1 is suitable not only for high-speed applications but also for low cost applications with small number of gate counts and low power consumption. MISTY1 is composed of only two small basic components, namely the FI-function and the FL-function. Hence by using repeatedly these functions one can design small hardware. The designer and developers of MISTY1 have published several results about how to implement MISTY1 on various processors [20][21].

Plaintext/ 256-bit register256-bit

Encryption/ Key Key Decryption Scheduling Logic Logic

64-bit register Fig 2: Hardware Structure of MISTY1 Ciphertext/Plaintext

A recent example of hardware implementation of MISTY1 realizes 7.6 Kgates at an encryption speed of 72Mbit/sec, which can encrypts one block plaintext in 35 cycles. Another implementation works at an encryption speed of 800Mbps in approximately 50Kgates, whose structure is able to encrypt one block plaintext in one cycle (see fig.2). Both circuits, which contain full encryption, decryption and key-scheduling functions without pipeline architecture --- hence feedback modes can be applied ---, were designed using Mitsubishi’s 0.35-micron ASIC design library and evaluated as a worst-case speed. We believe that this is in the smallest and fastest level among currently used secure 64-bit block ciphers.

Supporting Document of MISTY1 Version 1.10

4. Further Information of MISTY1

As was written in the first section, MISTY1 is now used in various real applications. Including some of them, information of MISTY1 and related encryption technology can be seen at http://www.security.melco.co.jp/.

5. References

[1] M. Matsui, “Block Encryption Algorithm MISTY”, Technical Report of IEICE, ISEC96-11 (1996) [in Japanese] [2] M. Matsui, “New Block Encryption Algorithm MISTY”, FSE’97, LNCS 1267 (1997) [3] K. Nyberg, L. Knudsen, “Provable Security against Differential Cryptanalysis”, Journal of Cryptology, Vol.8, no.1 (1995) [4] K. Nyberg, “Linear Approximation of Block Ciphers”, Eurocrypt’94, LNCS 950 (1995) [5] M. Matsui, “New Structure of Block Ciphers with Provable Security against Differential and ”, FSE’96, LNCS 1039 (1996) [6] X. Lai, “Higher order derivatives and differential cryptanalysis”, In Proceeding of "Symposium on Communication, Coding and ", in honor of James L. Massey on the occasion of his 60'th birthday (1994) [7] L. Knudsen, “Truncated and Higher Order Differentials”, FSE’95, LNCS 1008 (1994) [8] H. Tanaka, H. Hisamatsu, K. Kaneko, “Higher Order Differential Attack of MISTY1 without FL functions”, Japan-Singapore Joint Workshop on Information Security, JWIS’98 (1998) [9] A. Biryukov and D. Wagner, “Slide Attacks”, FSE’99, LNCS 1636 (1999) [10] E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys”, Journal of Cryptology, Vol.7 (1994) [11] S. Furuya and K. Takaragi, “Slide Attacks Combined with Known-Plaintext Attacks”, Symposium on Cryptography and Information Security SCIS’2000 (2000) [in Japanese] [12] E. Biham, A. Biryukov, A. Shamir, “Cryptanalysis of Reduced to 31 Rounds Using Impossible Differentials”, Eurocrypt’99, LNCS 1592 (1999) [13] L. Knudsen, “DEAL – A 128-bit Block Cipher” Technical report no. 151, Department of Informatics, University of Bergen, Norway,

Supporting Document of MISTY1 Version 1.10

(1998) [14] M. Luby, C. Rackoff, “How to construct pseudorandom permutations from pseudorandom functions”, SIAM J. Computation, Vol.17, no.2 (1988) [15] M. Sugita, “On pseudo-randomness of the block cipher MISTY1”, Technical Report of IEICE, ISEC97-109 (1997) [16] J. Nakajima, M. Matsui, “On Fast Software Implementation of MISTY (I)”, Technical Report of IEICE, ISEC97-12 (1997) [in Japanese] [17] J. Nakajima, M. Matsui, “On Fast Software Implementation of MISTY (II)”, Symposium on Cryptography and Information Security SCIS’98 (1998) [in Japanese] [18] J. Nakajima, M. Matsui, “Fast Software Implementations of MISTY1 on Alpha Processors”, IEICE Trans. Fundamentals, Vol.E82-A, no.1 (1999) [19] F. Sano, M. Koike, S. Kawamura, M. Shiba, “Performance Evaluation of AES Finalists on the High-End Smart Card”, Proceedings of the third Advanced Encryption Standard conference (2000) [20] T. Ichikawa, T. Sorimachi, M. Matsui, “On Hardware Design of Secret Key Ciphers”, Symposium on Cryptography and Information Security SCIS’97 (1997) [in Japanese] [21] T. Ichikawa, J. Katoh, M. Matsui, “A Method for Hardware Implementation of MISTY1”, Symposium on Cryptography and Information Security SCIS’98 (1998) [in Japanese]

xew flo ™k in™ryption elgorithm wsƒ„‰

witsuru w—tsui

snform—tion „e™hnology ‚8h genter

witsu˜ishi ile™tri™ gorp or—tion

SEIEID yfun—D u—m—kur—D u—n—g—w—D PRUD t—p—n

m—tsuidissFislFmel™oF™oFjp

e˜str—™tF ‡e prop ose se™retEkey ™ryptosystems wsƒ„‰I —nd wsƒ„‰PD

whi™h —re ˜lo ™k ™iphers with — IPVE˜it keyD — TRE˜it ˜lo ™k —nd — v—ri—˜le

num˜er of roundsF wsƒ„‰ is — generi™ n—me for wsƒ„‰I —nd wsƒ„‰PF

„hey —re designed on the ˜—sis of the theory of prov—˜le se™urity —g—inst

dierenti—l —nd line—r ™rypt—n—lysisD —nd moreover they re—lize high sp eed

en™ryption on h—rdw—re pl—tforms —s well —s on softw—re environmentsF

yur softw—re implement—tion shows th—t wsƒ„‰I with eight rounds ™—n

en™rypt — d—t— stre—m in gfg mo de —t — sp eed of PHw˜ps —nd RHw˜ps on

€entiumGIHHwrz —nd €eEUPHHGIPHwrzD resp e™tivelyFpor its h—rdw—re

p erform—n™eD we h—ve pro du™ed — prototype vƒs ˜y — pro ™ess of HFS"

gwyƒ g—teE—rr—y —nd ™onrmed — sp eed of RSHw˜psF sn this p—p erD we

des™ri˜ e the det—iled sp e™i™—tions —nd design prin™iples of wsƒ„‰I —nd

wsƒ„‰PF

I pund—ment—l hesign €oli™ies of wsƒ„‰

yur purp ose of designing wsƒ„‰ is to oer se™retEkey ™ryptosystems th—t —re

—ppli™—˜le to v—rious pr—™ti™—l systems —s widely —s p ossi˜leY for ex—mpleD softE

w—re stored in sg ™—rds —nd h—rdw—re used in f—st e„w networksF „o re—lize

thisD we ˜ eg—n its design with the following three fund—ment—l p oli™iesX

IF wsƒ„‰ should h—ve — numeri™—l ˜—sis for its se™urityD

PF wsƒ„‰ should ˜ere—son—˜ly f—st in softw—re on —ny pro™essorD

QF wsƒ„‰ should ˜e su™iently f—st in h—rdw—re implement—tionF

por the rst p oli™yDweh—ve —dopted the theory of prov—˜le se™urity —g—inst

dierenti—l —nd line—r ™rypt—n—lysis ‘I“‘P“‘R“D whi™h w—s origin—lly introdu™ed ˜y

u—is— xy˜ erg —nd v—rs unudsenF es f—r —s we knowD wsƒ„‰ is the rst ˜lo ™k

en™ryption —lgorithm designed for pr—™ti™—l use with prov—˜le se™urity —g—inst

dierenti—l —nd line—r ™rypt—n—lysisF elthough this —dv—nt—ge do es not me—n

inform—tion theoreti™ prov—˜le se™urityDwe ˜ elieve th—t it is — go o d st—rting

p oint for dis™ussing se™ure ˜lo ™k ™iphersF

ƒe™ondlyDweh—ve noti™ed the f—™t th—t m—ny re™ent ˜lo ™k ™iphers were deE

signed so th—t they ™ould ˜ e f—stest —ndGor sm—llest on sp e™i™ t—rgetsY for

ex—mpleD QPE˜it mi™ropro ™essorsF „his often results in slow —ndGor ˜ig impleE

ment—tion on other types of pro ™essorsF ƒin™e we reg—rded seeking —ppli™—˜ility

to v—rious systems —s more imp ort—nt th—n pursuing m—ximum p erform—n™e on I

sp e™i™ t—rgetsD we de™ided to design — ™ipher th—t ™ould ˜ e re—son—˜ly f—st —nd

sm—ll on —ny pl—tformD —nd hen™e not to —dopt softw—re instru™tions th—t —re

ee™tive on sp e™i—l pro ™essors onlyF

por the l—st p oli™yD we should note th—t hiƒ is re—son—˜ly f—st in ˜ oth softE

w—re —nd h—rdw—reD while m—ny re™ent ™iphers —re seriously slow —ndGor ˜ig when

they —re implemented in h—rdw—re ˜ e™—use of their softw—reEoriented stru™tureF

yn the other h—ndD sin™e one of our t—rget systems is — f—st e„w network of

sever—l hundreds w˜psD whi™h ™—nnot ˜ e re—™hed in softw—re for the presentD

we h—ve ™—refully optimized the lo okEup t—˜les of wsƒ„‰ from the viewp oint of

its h—rdw—re p erform—n™eF st should ˜ e —lso noted th—tD in gener—lD — ™hoi™e of

su˜stitution t—˜les do es not signi™—ntly —e™t their softw—re exe™ution sp eedY

iFeF memory —™™ess timeF

P his™ussions on f—si™ yp er—tions

sn this se™tion we ™l—ssify ˜—si™ op er—tions th—t —re frequently used in ˜lo ™k

™iphers into four ™—tegories —nd dis™uss their —ppli™—˜ility to wsƒ„‰ in terms of

™omp—ti˜ility ˜ etween their se™urity level —nd softw—reGh—rdw—re e™ien™yF

{ vogi™—l yp er—tions

vogi™—l op er—tions su™h —s exhD y‚ —nd esp e™i—lly ˆy‚ —re most ™omE

mon ™omp onents of se™retEkey ™iphers —nd —re ™le—rly sm—ll —nd f—st in —ny

softw—re or h—rdw—re systemF rowever we ™—nnot exp e™t mu™h se™urity of

themF

{ erithmeti™ yp er—tions

erithmeti™ op er—tions su™h —s —dditionsD su˜tr—™tions —nd sometimes multiE

pli™—tions —re —lso ™ommonly used in softw—reEoriented ™iphers ˜ e™—use they

™—n ˜ e ™—rried out ˜y one instru™tion on m—ny pro ™essors —nd f—irly ™onE

tri˜ute to their se™urityF roweverD in h—rdw—reD their ee™t on d—t— diusion

is not ne™ess—rily high enoughD ™onsidering their en™ryption sp eedD sin™e their

del—y time due to ™—rryEspre—ding is often long —nd exp ensiveF

{ ƒhift yp er—tions

ƒhift op er—tionsD esp e™i—lly rot—teEshiftingD —re frequently used in designing

se™retEkey ™iphersF „hey indire™tly improve d—t— diusionD —nd in h—rdw—re

they —re o˜viously ™he—p —nd f—st if the num˜er of shift ™ounts is xedF ‡e

should noteD howeverD th—t softw—re p erform—n™e of shift op er—tions he—vily

dep ends on their t—rget sizeY for inst—n™eD when — rot—te shift of QPE˜it d—t—

is exe™uted on VE˜it or ITE˜it mi™ropro ™essorsD its sp eed m—y ˜ e quite slowF

{ vo okEup „—˜les

sn softw—reD e™ien™y of lo opEup t—˜les strongly dep ends on memory —™™ess

sp eedF sn e—rly mi™ropro ™essorsD memory —™™ess w—s mu™h more exp ensive

th—n register —™™essD while m—ny re™ent pro ™essors ™—n re—d from —nd write to

memory in one ™y™le @or often less th—n one ™y™le due to p—r—llel pro ™essingA

under ™ert—in ™onditionsF yn the other h—ndD in h—rdw—reD the use of ‚yw

is slow in gener—lD ˜ut if the t—˜les —re optimized for dire™t ™onstru™tion P

˜y logi™ g—tesD their del—y time ™—n ˜ e dr—sti™—lly redu™edF woreoverD —s for

the se™urityD the lo okEup t—˜le metho d ™le—rly ™ontri˜utes to d—t— diusion

ee™tivelyF

„—king the —˜ ove dis™ussion into ™onsider—tionD we h—ve ™on™luded th—t logi™—l

op er—tions —nd lo okEup t—˜les —rr—nged in terms of se™urity level —nd h—rdw—re

p erform—n™e meet our design p oli™ies —nd hen™e they —re desir—˜le —s ˜—si™ ™omE

p onents of wsƒ„‰F

Q „heory of €rov—˜le ƒe™urity

„his se™tion ˜riey summ—rizes the theory of prov—˜le se™urity —g—inst dierenE

ti—l —nd line—r ™rypt—n—lysisF por more det—ilD see ‘R“F „his theory forms — ˜—sis

of the se™urity of wsƒ„‰F

henition IF vet p @xA ˜ e — fun™tion with —n nE˜it input x —nd —n –E˜it p—E

k

p

r—meter k F‡e dene —ver—ge dierenti—l pro˜—˜ility h€ —nd —ver—ge line—r

p

pro˜—˜ility v€ of the fun™tion p —s

ˆ

5fxjp @xA  p @x  xAa y g I

def

k k

p

m—x Y @IA h€ a

– n

xTaHYy

P P

k

 

P

ˆ

I 5fxjx  x a p @xA  yg

def

k

p

a v€ m—x I Y @PA P

– n

xY y TaH

P P

k

resp e™tivelyF‡e —lso —pply this denition to — fun™tion p @xA without the p—E

r—meter k ˜y setting – aHF

p p

‡hen p @xA is —n en™ryption fun™tion with — key k D h€ —nd v€ represent —

k

stri™t level of se™urity of the fun™tion —g—inst dierenti—l —nd line—r ™rypt—n—lysisD

resp e™tivelyF ƒin™e we ™—n prove th—t p is se™ure —g—inst the two —tt—™ks when

p p

these v—lues —re sm—llD we s—y th—t p is prov—˜ly se™ure if h€ —nd v€ —re

proved to ˜ e su™iently sm—llF

„he following three theorems give rel—tionships ˜ etween —ver—ge dierenE

ti—lGline—r pro˜—˜ility of — ’sm—ll4 fun™tion —nd th—t of — ’l—rge4 fun™tion th—t

is — ™om˜in—tion of the sm—ll fun™tionsF „h—t is to s—yD using these theoremsD we

™—n ™onstru™t — ’l—rge —nd strong4 fun™tion from ’sm—ll —nd strong4 fun™tionsF

„heorem P w—s rst proved for —ver—ge dierenti—l pro˜—˜ility ˜y xy˜ erg —nd

unudsen ‘I“D —nd then shown for —ver—ge line—r pro˜—˜ility ˜y xy˜ erg ‘P“F

f f

i i

„heorem PF sn gure ID —ssume th—t e—™h f is ˜ije™tive —nd h€ @respF v€ A

i

is sm—l ler th—n pF sf the entire fun™tion p @k a k jjk jjk XXXA shown in the gure

I P

k

p p P

h—s —t le—st threeroundsD then h€ @respF v€ A is sm—l ler th—n p F

P P

xoteX „he —uthors of ‘I“ origin—lly proved Pp @not p A for — ™ipher with ˜ije™tive

f —nd —t le—st three roundsD —nd for — ™ipher with —ny f —nd —t le—st four roundsF

i i

P

‚e™ently eoki —nd yht— improved this ˜ ound to p when f is ˜ije™tvie ‘Q“F

i Q

‡e proved in ‘R“ th—t the —˜ ove theorem is v—lid for the —lgorithm shown in

gure PF en essenti—l dieren™e ˜ etween gures I —nd P is th—t the fun™tions f

i

™—n ˜ e pro ™essed in p—r—llel in gure PD —nd ™onsequently the stru™ture of gure

P is f—ster th—n th—t of gure IF

f f

i i

„heorem QF sn gure PD —ssume th—t e—™h f is ˜ije™tive —nd h€ @respF v€ A

i

is sm—l ler th—n pF sf the entire fun™tion p @k a k jjk jjk XXXA shown in the gure

I P Q

k

p p P

h—s —t le—st threeroundsD then h€ @respF v€ A is sm—l ler th—n p F

‡e found th—t — simil—r formul— holds even if the input string is divided into two

strings of unequ—l ˜it lengthF ƒp e™i™—llyD ™onsider the —lgorithm shown in gure

QD where the input string is divided into n ˜its —nd n ˜its @n ! n AF xow

I P I P

—ssuming th—t in o dd rounds the right n E˜it string is zeroEextended to n ˜its

P I

˜ efore ˆy‚Eed with the left n E˜it stringD —nd in even rounds the right n E˜it

I I

string is trun™—ted to n ˜its ˜ efore ˆy‚Eed with the left n E˜it stringD we h—ve

P P

the following gener—l theorem ‘R“X

f f

i i

„heorem RF sn gure QD —ssume th—t e—™h f is ˜ije™tive —nd h€ @respF v€ A

i

is sm—l ler th—n pF sf the entire fun™tion p @k a k jjk jjk XXXA shown in the gure

I P Q

k

p p

h—s —t le—st threeroundsD then h€ @respF v€ A is sm—l ler th—n

n n

I P

m—xfp p Ypp Y P p p gX @QA

I P P Q I Q

nn12

k1 k1 k1 f1 f1 f1 zero-extend

k2 k2 k2 f2 f2 f2 truncate

k3 k3 k3 f3 f3 f3

zero-extend

pigure IF pigure PF pigure QF R

R hesign of the h—t— ‚—ndomizing €—rt

sn this se™tion we dis™uss the stru™ture of the d—t— r—ndomizing p—rt of wsƒ„‰F

por — ™omplete des™ription of wsƒ„‰I —nd wsƒ„‰PD see —n —pp endixF

RFI „he pr—mework

yur ˜—si™ str—tegy in designing the d—t— r—ndomizing p—rt of wsƒ„‰ is to ˜uild

the entire —lgorithm from sm—ll ™omp onents using the metho ds shown in the

previous se™tion re™ursivelyF „his en—˜les us to e—sily ev—lu—te the se™urity level

of the tot—l —lgorithm ˜y th—t of the sm—ll onesF por inst—n™eD let us —pply the

stru™ture of gure P re™ursively to —ll f fun™tions given in gure PF sn this ™—seD

i

if the —ver—ge dierenti—lGline—r pro˜—˜ility of the sm—llest fun™tion is less th—n

pD we ™—n prove from theorem Q th—t the pro˜—˜ility of the entire —lgorithm is

R

less th—n p F

xow ˜y —pplying theorem P or theorem Q to — TRE˜it ˜lo ™k ™ipherD where

theorems P —nd Q ™orresp ond to wsƒ„‰I —nd wsƒ„‰PD resp e™tivelyDweh—ve—

’sm—ll4 fun™tion with QPE˜it inputGoutputD whi™h is ™—lled —n py fun™tion in

wsƒ„‰ @gure RAF xext ˜y —pplying theorem P —g—in to the py fun™tionD we

h—ve — ’sm—ller4 fun™tion with ITE˜it inputGoutputD whi™h is referred to —s —n

ps fun™tion in wsƒ„‰F ƒin™e the size of the ps fun™tion is still ˜ig to use —s —

lo okEup t—˜leD we h—ve divided the ITE˜it string into W ˜its —nd U ˜itsD not V ˜its

—nd V ˜itsD using the —lgorithm given in gure QF

„his unequ—l division is due to the f—™t th—t ˜ije™tive fun™tions of o dd size —re

gener—lly ˜ etter th—n those of even size from the viewp oint of prov—˜le se™urity

—g—inst dierenti—l —nd line—r ™rypt—n—lysisF wore sp e™i™—llyD when the size n

of — fun™tion is o ddD the p ossi˜le minim—l v—lue of its —ver—ge dierenti—lGline—r

nCI

pro˜—˜ility is proved to ˜ e P D ˜ut when it is evenD it is only ™onje™tured th—t

nCP

the p ossi˜le minim—l v—lue is P @—n op en pro˜lemAF „hereforeD if we divide

the ITE˜it into V ˜its —nd V ˜itsD the —ver—ge dierenti—lGline—r pro˜—˜ility of the

VCP P P P RV

entire TRE˜it ™ipher is proved to ˜ e less th—n @@@P A A A aP @on ™ondition

th—t the —˜ ove ™onje™ture is ™orre™tAD while if we divide it into W ˜its —nd U ˜itsD

WCI UCI P P ST

then we ™—n gu—r—ntee th—t the pro˜—˜ility is less th—n @@P P A A aP

from theorem R whenever —ll su˜key ˜its —re indep endentF

„his shows th—t —n unequ—l division gener—lly h—s —n —dv—nt—ge for se™uE

rity —g—inst dierenti—l —nd line—r ™rypt—n—lysisF yn the other h—ndD it h—s two

p en—lties in implement—tionY the rst is —n o˜stru™tion to p—r—llel ™omput—tionD

—nd the se™ond is — de™re—se in softw—re p erform—n™e ™—used ˜y h—ndling d—t—

with —n o dd num˜er of ˜itsF ‡e h—ve nevertheless —dopted the unequ—l division

˜ e™—use of its se™urityF sn the followingD we refer to the rst —nd third fun™tions

of the lowest level —s ƒ D —nd the se™ond fun™tion —s ƒ D whi™h —re ’sm—llest4

W U

™omp onents of wsƒ„‰F por redu™ing the size of softw—reD we use the s—me t—˜le

in the rst —nd third roundsF

sn ˜ oth wsƒ„‰I —nd wsƒ„‰PD for the s—ke of exi˜ility of their se™urity levelD

the num˜er of rounds n of level I @see gure RA is v—ri—˜le on ™ondition th—t n

is — multiple of fourD while th—t of levels P —nd Q is xed to three roundsF xow S

™omp—re en™ryptionGde™ryption sp eed of wsƒ„‰I —nd wsƒ„‰PF sf we do not

t—ke —ny p—r—llel pro ™essing into ™onsider—tionD the tot—l ™omplexity of wsƒ„‰I

—nd wsƒ„‰P with the s—me num˜er of rounds is ™le—rly the s—meY however if

we —llow p—r—llel ™omput—tionsD their en™ryption sp eed is not the s—meF „his is

m—inly ˜ e™—use wsƒ„‰I ™—n ™—rry out two ps9s —t — timeD while wsƒ„‰P ™—n

exe™ute four ps9s in p—r—llelF

„—˜le I gives en™ryptionGde™ryption time of wsƒ„‰I —nd wsƒ„‰PD where

e—™h entry shows the num˜er of ™—l™ul—tions of ƒ —ssuming the ™omput—tion

W

time of ƒ is the s—me —s th—t of ƒ Fpor simpli™ity we h—ve ignored the time

U W

for ˆy‚ op er—tionsF st is ™le—rly seen from t—˜le I th—t wsƒ„‰P is f—ster th—n

wsƒ„‰I in en™ryptionD ˜ut wsƒ„‰I is f—ster in igf —nd gfg de™ryptionF

„his is ˜ e™—use p—r—llel ™omput—tions —re imp ossi˜le in inverse ™—l™ul—tion of

wsƒ„‰PF wsƒ„‰P is therefore suit—˜le for ypf —nd gpf mo desF

in™ryption he™ryption he™ryption

igfDgfgDypfDgpf igfDgfg ypfDgpf

nEround wsƒ„‰I Qn Qn Qn

nEround wsƒ„‰P IXSn Wn IXSn

„—˜le IF in™ryptionGhe™ryption time of wsƒ„‰I —nd wsƒ„‰P

@num˜er of ™—l™ul—tions of ƒ AF W

32 32 32 32

FO FO 16 16 FI 97

S9

FO FO FI S7

S9 FI FO FO FI Level3 (3 rounds) FO Level2 (3 rounds)

MISTY1 Level1 MISTY2 Level1

(n rounds) (n rounds)

pigure RX ‚e™ursive stru™ture of wsƒ„‰ T

RFP ƒ —nd ƒ

U W

sn sele™ting ƒ —nd ƒ Dwe h—ve the following three ™riteri—X

U W

IF „heir —ver—ge dierenti—lGline—r pro˜—˜ility must ˜e minim—lD

PF „heir del—y time in h—rdw—re is —s short —s possi˜leD

QF „heir —lge˜r—i™ degree is highD if possi˜leF

por the rst ™riterionD — sequen™e of p ower fun™tions over nite elds is known

T V

to —tt—in the minim—l v—lue @th—t isD P for ƒ —nd P for ƒ AD —nd —s f—r —s we

U W

knowD this is the only ex—mple th—t ™—n ˜ e o˜t—ined in — system—ti™ w—yF ren™e

we rst pl—nned to investig—te the h—rdw—re del—yD whose ex—™t denition we



—dopted will ˜ e given ˜ elowD for —ll fun™tions th—t h—ve the form ƒ @xAa e x f

i

@i aUY WAD where e —nd f —re —r˜itr—ry ˜ije™tive line—r tr—nsform—tions —nd  is

i

—n integer su™h th—t @P IYA a IF „he l—st equ—lity is — ne™ess—ry —nd su™ient

™ondition th—t — p ower fun™tion ™—n ˜ e ˜ije™tiveF

roweverD ˜ e™—use it w—s timeE™onsuming for us to ™—l™ul—te the del—y for —ll

fun™tions —˜ oveD we next restri™ted our se—r™h to the fun™tions th—t h—ve the form



ƒ @xAae  x @i aUY WA —nd h—ve — p olynomi—l ˜—sis or — norm—l ˜—sis over

i

qp @PAF sn other wordsD we investig—ted —ll p ossi˜le line—r tr—nsform—tions for

e —nd — limited num˜er of line—r tr—nsform—tions for f F xote th—t the —ver—ge

dierenti—lGline—r pro˜—˜ility do es not dep end on — sele™tion of e or f D ˜ut the

del—y do esF xow the following is our form—l denition of the h—rdw—re del—y —nd

the —lge˜r—i™ degree of ƒ @xAX

i

henition SF por — fun™tion y a f @xA with —n iE˜it input x a@x Yx Yx Y XXXY x A

H I P iI

—nd — j E˜it output y a@y Yy Yy Y XXXY y AD we ™—ll the following equ—tion —n —lE

H I P j I

ge˜r—i™ norm—l form of the —Eth output ˜it y of f X

—

ˆ ˆ

@—YPA @—YIA

@—YHA

x x x C e y a e C e

k k k —

I P I

k Yk k

I P I

H k `k `i H k `i

I P I

ˆ

@—YQA

x x x C XXXXY @RA e C

k k k

I P Q

k Yk Yk

I P Q

H k `k `k `i

I P Q

€

@—YIA @—YPA @—YQA

@—YHA

where e De De D e FFFF —re ˜in—ry v—luesD —nd the sum denotes

k k Yk k Yk Yk

I I P I P Q

—n ˆy‚ op er—tionF

„he h—rdw—re length of y is dened —s the num˜er of nonEzero terms of

—

equ—tion RD —nd the h—rdw—re length of the fun™tion f is the m—xim—l h—rdw—re

length of —ll output ˜its of f F elsoD the —lge˜r—i™ degree of y is dened —s the

—

m—xim—l degree of equ—tion RD —nd the —lge˜r—i™ degree of the fun™tion f is the

m—xim—l —lge˜r—i™ degree of —ll output ˜its of f F

xote th—t the h—rdw—re length of y minus I is equiv—lent to the num˜er of twoE

—

input ˆy‚ g—tes required for ™onstru™ting y from x @H k iA in h—rdw—reD

— k

—nd the log—rithm of the h—rdw—re length of f indi™—tes its h—rdw—re del—y timeF

elthough we h—ve to ™ount the num˜er of exh g—tes —nd f—nEouts to see the

ex—™t del—y time in h—rdw—reD we h—ve —dopted the —˜ ove denition for simpli™ityF



elso note th—t the —lge˜r—i™ degree of ƒ @xAae  x  f —grees with the ˜in—ry

i

h—mming weightof F U

ƒele™tion of ƒ

U

 U

por —ll fun™tions h—ving the form e  x over qp @P A with — p olynomi—l or

U

norm—l ˜—sis —nd @P IYA a ID we rst ™—l™ul—ted the —lge˜r—i™ degree —nd

h—rdw—re length of e—™h output ˜itY —s — resultD we o˜t—ined the followingX

{ sf the —lge˜r—i™ degree is —t le—st RD then the h—rdw—re length of —ny output

˜it is —t le—st PIF

{ sf the —lge˜r—i™ degree is equ—l to QD then the h—rdw—re length of —ny output

˜it is —t le—st IHF

{ sf the —lge˜r—i™ degree is equ—l to PD then the h—rdw—re length of —ny output

˜it is —t le—st UF

ƒin™e we reg—rded the length —s to o long when the —lge˜r—i™ degree is four or

moreD we de™ided to —dopt — fun™tion whose —lge˜r—i™ degree is equ—l to threeF

„hen for —ll fun™tions whose —lge˜r—i™ degree is threeD we ™—l™ul—ted their entire

h—rdw—re lengthD —nd found th—t the minim—l length is IQ —nd the fun™tion th—t

—tt—ins this length is unique up to the order of output ˜itsF v—stlyD ˜y —dding —

™onst—nt v—lue to its outputD we determined the n—l form of ƒ D whose ™on™rete

U

logi™ is —s followsX

y a x C x x C x x x C x x C x x x C x x C x x x C x x C x x x C x x x CI

H H I Q H Q R I S H P S R S H I T P T H S T Q S T

y a x x C x x C x x C x x C x x x C x C x x C x x C x x x C x x x C x x x CI

I H P H R Q R I S P R S T H T Q T P Q T I R T H S T

y a x x C x x x C x C x x C x x x C x x C x x x C x x x C x x C x x C

P I P H P Q R I R H I R H S H R S Q R S I T Q T

x x x C x x C x x x

H Q T R T P R T

y a x C x C x x x C x x C x x C x x x C x x C x x x C x x x C x x CI

Q H I H I P H Q P R I R S P T I Q T H R T S T

y a x x C x x C x x x C x C x x C x x x C x x x C x x C x x x C x x x CI

R P Q H R I Q R S P S I P S H Q S I T I S T R S T

y a x C x C x C x x x C x x C x x x C x x C x x x C x x C x x x C

S H I P H I P H Q I P Q I R H P R H S H I S

x x C x x C x x x

Q S H T P S T

y a x x C x C x x C x x x C x x C x x C x x C x x x C x x C x x x C

T H I Q H Q P Q R H S P S Q S I Q S I T I P T

x x x C x x C x x x

H Q T R T P S T

ƒele™tion of ƒ

W

 W

ƒimil—rlyD for —ll fun™tions h—ving the form ƒ @xAae  x over qp @P A with —

W

W

p olynomi—l or norm—l ˜—sis —nd @P IYA a ID we rst ™—l™ul—ted the —lge˜r—i™

degree —nd h—rdw—re length of e—™h output ˜itY —s — resultD we h—d the followingX

{ sf the —lge˜r—i™ degree is —t le—st QD then the h—rdw—re length of —ny output

˜it is —t le—st PUF

{ sf the —lge˜r—i™ degree is equ—l to PD then the h—rdw—re length of —ny output

˜it is —t le—st WF

ƒin™e we reg—rded the length —s to o long if the —lge˜r—i™ degree is three or moreD

we de™ided to —dopt — fun™tion whose —lge˜r—i™ degree is equ—l to twoF „hen for

—ll fun™tions whose —lge˜r—i™ degree is twoD we ™—l™ul—ted their entire h—rdw—re

lengthD —nd found th—t the minim—l length is IP —nd there —re nine fun™tions

th—t —tt—in this length up to the order of output ˜itsF v—stly ˜y sele™ting one of

them r—ndomly —nd —dding — ™onst—ntv—lue to its outputD we determined the

n—l form of ƒ D whose ™on™rete logi™ is —s followsX

W V

y a x x C x x C x x C x x C x x C x x C x x C x x C x x CI

H H R H S I S I T P T P U Q U Q V R V

y a x x C x C x x C x x C x x C x x C x x C x x C x C x x C x x C x x CI

I H P Q I Q P Q Q R R S H T P T U H V Q V S V

y a x x C x x C x C x x C x x C x x C x x C x x C x x C x x C x x C x

P H I I Q R H R P R Q R R S H T S T I U Q U V

y a x C x x C x x C x C x x C x x C x x C x x C x x C x x C x x C x x

Q H I P P R S I S Q S R S S T I U T U P V R V

y a x C x x C x x C x x C x x C x C x x C x x C x x C x x C x x C x x

R I H Q P Q H S Q S T P T R T S T T U P V U V

y a x C x x C x x C x x C x x C x x C x C x x C x x C x x C x x C x x

S P H Q I R Q R I T R T U Q U S U T U H V U V

y a x x C x C x x C x x C x x C x x C x x C x C x x C x x C x x C x x CI

T H I Q I R P S R S P U S U V H V R V T V U V

y a x C x x C x x C x x C x x C x C x x C x x C x x C x x C x x C x x CI

U I H I I P P Q H R S I T Q T H U R U T U I V

y a x C x x C x x C x C x x C x x C x x C x x C x x C x x C x x C x x CI

V H H I I P R H S P S Q T S T H U H V Q V T V

RFQ „he fun™tion pv

por the purp ose of —voiding p ossi˜le —tt—™ks other th—n dierenti—l —nd line—r

™rypt—n—lysisD we h—ve supplemented —n —ddition—l simple fun™tion pvD whose

design ™riteri— —re @IA to ˜ e — line—r fun™tion for —ny xed key —nd @PA to h—ve

—v—ri—˜le form dep ending on — key v—lueF

ƒin™e this fun™tion is line—r —s long —s the key is xedD it do es not —e™t

the —ver—ge dierenti—lGline—r pro˜—˜ility of the entire —lgorithmF woreoverD this

fun™tion is o˜viously f—st in ˜ oth softw—re —nd h—rdw—re sin™e it is ™onstru™ted

˜y logi™—l op er—tions su™h —s exhD y‚ —nd ˆy‚ onlyF

S hesign of the uey ƒ™heduling €—rt

sn designing the key s™heduling p—rt of wsƒ„‰D we set up the following ™riteri—

from the viewp oint of ™omp—ti˜ility ˜ etween its se™urity level —nd —ppli™—˜ility

to v—rious systemsX

IF „he size of key is IPV ˜itsD

PF „he size of su˜key is PST ˜itsD

QF ivery round is —e™ted ˜y —l l key ˜itsD

RF ivery round is —e™ted ˜y —s m—ny su˜key ˜its —s possi˜leF

por se™urity re—sons we h—ve —dopted the IPVE˜it keyD —nd for pr—™ti™—l re—sons

weh—ve limited the size of the su˜key to PST ˜itsF ‚edu™ing the size of su˜key h—s

two imp ort—nt p erform—n™e —dv—nt—gesF „he rst —dv—nt—ge ™—n ˜ e o˜t—ined in

systems whose resour™es —re limited su™h —s in sg ™—rdsF sn these systemsD sin™e

‚ew size for temp or—ry use is usu—lly stri™tly limitedD it is gener—lly imp ossi˜le

to store —ll su˜key ˜its in ‚ew if its size is l—rgeY hen™e we h—ve to ™—rry out

the key s™heduling p—rt in every d—t— ˜lo ™kD whi™h ™ould ˜ e — he—vy p en—lty on

p erform—n™eF ‡e de™ided to ™hoose su˜keys of PST ˜itsD so th—t —ll the ˜its ™ould

˜ e stored in ‚ew even for extremely restri™ted softw—re environmentsF

„he se™ond —dv—nt—ge ™omes from the f—™t th—t in mi™ropro ™essors with m—ny

integer registers su™h —s ‚sƒg pro ™essorsD the PSTE˜it su˜key ™—n ˜ e lo—ded

™ompletely into the registersF sn most implement—tion of ˜lo ™k ™iphersD —ll su˜key

˜its —re written into memory in key s™heduling pro ™essD —nd in en™ryption pro ™ess

they —re re—d from the memory round ˜y roundF ren™e if —ll the su˜key ˜its —re W

kept in the registers during the entire en™ryption pro ™essD the tot—l p erform—n™e

is exp e™ted to ˜ e signi™—ntly improvedF

yn the other h—ndD in ™omp ens—tion for this sm—ll num˜er of su˜key ˜its

—nd simple key s™heduling —lgorithmD we h—ve est—˜lished the third —nd fourth

design ™riteri—F sn wsƒ„‰D —n py fun™tion —nd —n pv fun™tion use IIP su˜key

˜its —nd QP su˜key ˜itsD resp e™tivelyF„o gener—te the IIP su˜key ˜itsD —ll of IPV

key ˜its —re requiredF „he num˜er of tot—l indep endent su˜key ˜its of wsƒ„‰I

or wsƒ„‰P with eight roundsD for ex—mpleD is IPITF

T ix—mples of smplement—tion of wsƒ„‰

sn this se™tion we show two ex—mples of our softw—re implement—tion —nd one

ex—mple of our h—rdw—re implement—tion of wsƒ„‰I with eight roundsF

TFI €entium

€entium h—s two indep endent integer exe™ution units ™—lled Epip e —nd †Epip eD

where the Epip e is usu—lly used for ™—rrying out instru™tionsF rowever some inE

stru™tions ™—n ˜ e —lso exe™uted in the †Epip e while the Epip e is ˜ eing o ™™upied

˜y sp e™i—l ’p—ir—˜le4 instru™tionsF „hough the num˜ er of these p—ir—˜le instru™E

tions is sm—llD if we write — progr—m so th—t these two pip es ™—n ˜ e e™iently

usedD the p erform—n™e of the softw—re is extremely improvedD p ossi˜ly twi™e or

more due to resolution of register ™ontentionsF

‡e wrote —n —ssem˜ly l—ngu—ge progr—m of wsƒ„‰I with eight rounds on

€entium IHHwrzD whi™h en™rypts —n input pl—intext stre—m in gfg mo de —t —

sp eed of PHw˜psF „his is QH7 f—ster th—n hightly optimized hiƒ for €entiumF

„he progr—m he—vily uses †Epip e ˜ e™—use of the highly p—r—llel stru™ture of

wsƒ„‰Y it t—kes —pproxim—tely QHH ™y™les to pro ™ess one ˜lo ™kD where the E

pip e h—s no idle time —nd the †Epip e is used in more th—n WS7 of the QHH ™y™lesF

TFP €eEUPHH

€eEUPHH ™—n —lso exe™ute twointeger instru™tions —t — time under v—rious reE

stri™tionsF woreover €eE‚sƒg series mi™ropro ™essors h—ve QP integer registersD

—lmost —ll of whi™h ™—n ˜ e used freely ˜y usersY this me—ns th—t it is e—sy to lo—d

—ll PSTE˜it su˜key inform—tion of wsƒ„‰D even every IT ˜its in e—™h registerF

€eEUPHH h—s SIPuf onE™hip ™—™he @PSTuf for ™o de —nd PSTuf for d—t—AD

whi™h en—˜les us to redu™e ™omput—tion—l time of wsƒ„‰ ˜y h—ving — ˜ig preE

dened t—˜leF „h—t is to s—yDwe ™—n m—ke — IPVuf t—˜le th—t represents the

rst two rounds of the ps fun™tion in —dv—n™eF fy doing thisD ™—l™ul—tion of ps

is signi™—ntly simpliedF xote th—t this te™hnique ™—nnot ˜ e used in €entium

˜ e™—use €entium h—s only sm—ll ™—™he @Vuf for d—t—A whi™h gener—lly ™—uses

serious p en—lty ™y™les due to ™—™he missesF

‡e wrote —n —ssem˜ly l—ngu—ge progr—m of wsƒ„‰I with eight rounds on

€eEUPHH IPHwrz using the —˜ ove te™hniquesF st ™—n en™rypt —n input pl—intext

stre—m in gfg mo de —t — sp eed of RHw˜psF IH

TFQ r—rdw—re

‡e h—ve —lso designed — prototype vƒs of wsƒ„‰I with eight roundsD whi™h h—s

the following sp e™i™—tionsX

in™ryption ƒpeedX RSHw˜ps @typi™—lA

glo™kX IRwrz

sGyX QPE˜it p—r—l lel  Q @pl—intextD ™iphertextD keyA

ƒupportedwodesX igfDgfgDypfETRDgpfETR

hesign €ro™essX HFS" gwyƒ g—teE—rr—y

xum˜er of q—tesX TSu g—tes

€—™k—geX PHVEpin —t p—™k—ge

„his vƒs h—s no rep etition stru™tureY th—t isD it ™ont—ins the full h—rdw—re of

eight py fun™tions —nd ten pv fun™tionsF st t—kes two ™y™les to en™rypt — TRE˜it

pl—intextF st —lso h—s three indep endent TRE˜it registers th—t store — pl—intextD

—n intermedi—te text —fter the fourth roundD —nd — ™iphertextD resp e™tivelyF „his

stru™ture m—kes the following pip eline d—t— pro ™essing p ossi˜leX

pl—intext I pl—intext P pl—intext Q pl—intext R

gy™les I —nd P snput

gy™les Q —nd R in™ryption snput

gy™les S —nd T yutput in™ryption snput

gy™les U —nd V yutput in™ryption snput

U gon™lusions

„his p—p er prop osed new se™retEkey ˜lo ™k ™ryptosystems wsƒ„‰I —nd wsƒ„‰PF

et presentD the —uthor re™ommends to use wsƒ„‰I with eight roundsD —nd to

use wsƒ„‰PD whi™h h—s — newer stru™tureD with twelve roundsF „he next four

p—ges show — ™omplete —nd selfE™ont—ined des™ription of wsƒ„‰I —nd wsƒ„‰PF

‚eferen™es

IF xy˜ ergD uFD unudsenD vFDX €rov—˜le ƒe™urity —g—inst hierenti—l grypt—n—lysisF

tourn—l of gryptologyD†olFVD noFI @IWWSA

PF xy˜ ergD uFDX vine—r epproxim—tion of flo ™k giphersF edv—n™es in gryptology {

iuro ™rypt9WRD ve™ture xotes in gomputer ƒ™ien™e WSHD ƒpringer †erl—g @IWWRA

QF eokiD uFD yht—D uFDX ƒtri™ter iv—lu—tion for the w—ximum ever—ge of hierenti—l

€ro˜—˜ility —nd the w—ximum ever—ge of vine—r €ro˜—˜ility @in t—p—neseAF €roE

™eedings of ƒgsƒ9WTD ƒgsƒWTERe @IWWTA

RF w—tsuiD wFDX xew ƒtru™ture of flo ™k giphers with €rov—˜le ƒe™urity —g—inst hierE

enti—l —nd vine—r grypt—n—lysisF €ro ™eedings of the third intern—tion—l workshop of

f—st softw—re en™ryptionD ve™ture xotes in gomputer ƒ™ien™e IHQWD ƒpringer †erl—g

@IWWTA II

flo ™k gipher elgorithms wsƒ„‰I —nd wsƒ„‰P

idition PFI he™em˜ er IT IWWT

„his do ™ument shows — ™omplete des™ription of en™ryption —lgorithms wsƒ„‰I

—nd wsƒ„‰PD whi™h —re se™retEkey ™iphers with — TRE˜it d—t— ˜lo ™kD — IPVE˜it

se™ret key —nd — v—ri—˜le num˜er of rounds nD where n is—multiple of fourF

h—t— ‚—ndomizing €—rt

{ pigure e —nd f show the d—t— r—ndomizing p—rt of wsƒ„‰I —nd wsƒ„‰PD

resp e™tivelyX „he TRE˜it pl—intext € is divided into the left QPE˜it string —nd

the right QPE˜it stringD whi™h —re tr—nsformed into the TRE˜it ™iphertext g

˜y me—ns of ˜itwise ˆy‚ op er—tions denoted ˜y  —nd su˜Efun™tions py

i

@I i nA —nd pv @I i n C PAF py uses — TRE˜it su˜key uy —nd —

i i i

RVE˜it su˜key us F pv uses — QPE˜it su˜key uv F

i i i

{ pigure g shows the stru™ture of py X „he input is divided into the left ITE˜it

i

string —nd the right ITE˜it stringD whi™h —re tr—nsformed into the output ˜y

me—ns of ˜itwise ˆy‚ op er—tions —nd su˜Efun™tions ps @I j QAD where

ij

uy @I j RA —nd us @I j QA —re the j Eth @from leftA IT ˜its of uy

ij ij i

—nd us D resp e™tivelyF

i

{ pigure h shows the stru™ture of ps X „he input is divided into the left WE˜it

ij

string —nd the right UE˜it stringD whi™h —re tr—nsformed into the output ˜y

me—ns of ˜itwise ˆy‚ op er—tions —nd su˜stitution t—˜les ƒ —nd ƒ F sn the

U W

rst —nd third ˆy‚sD the UE˜it string is zeroEextended to W ˜itsD —nd in the

se™ond ˆy‚D the WE˜it string is trun™—ted to U ˜its ˜y dis™—rding its highest

two ˜itsF us —nd us —re the left U ˜its —nd the right W ˜its of us D

ij I ij P ij

resp e™tivelyF

{ pigure i shows the stru™ture of pv F „he input is divided into the left ITE˜it

i

string —nd the right ITE˜it stringD whi™h —re tr—nsformed into the output ˜y

me—ns of ˜itwise ˆy‚ op er—tionsD — ˜itwise exh op er—tion denoted ˜y ’

—nd — ˜itwise y‚ op er—tion denoted ˜y ‘D where uv @I j PA is the j Eth

ij

@from leftA IT ˜its of uv F

i

{ sn the next p—geD the su˜stitution t—˜les ƒ —nd ƒ —re shown in de™im—l

U W

formF

uey ƒ™heduling €—rt

{ pigure p shows the key s™heduling p—rt of wsƒ„‰I —nd wsƒ„‰PX u @I

i

H

@I i VA i VA is the iEth @from leftA IT ˜its of the se™ret key u D —nd u

i

is the output of ps when the input of ps is —ssigned to u —nd the key

ij ij i

us is set to u D where u is identied with u F

ij iCI W I

{ „he ™orresp onden™e ˜ etween the round su˜keys uy Dus Duv —nd the

ij ij ij

H

is —s followsD where i is identied with iV when ib VX —™tu—l su˜keys u Du

i

i

‚ound uy uy uy uy us us us uv uv

iI iP iQ iR iI iP iQ iI iP

H H H H

e™tu—l u u u u u u u u u @o dd iA @o dd iA

iCI

i iCP iCU iCR

iCI

iCS iCI iCQ

CT

P

P

H

@even iA u @even iA u i

i

CR

CP

P

P IP

„est h—t— of wsƒ„‰I with eight rounds

uey @u to u AX HH II PP QQ RR SS TT UU VV WW —— ˜˜ ™™ dd ee ff

I V

H H

AX ™f SI Ve Uf Se PW TU Q— ™d ˜™ HU dT ˜f QS Se II to u ƒu˜key @u

V I

€l—intextX HI PQ RS TU VW —˜ ™d ef

giphertextX V˜ Id —S fS T— ˜Q dH U™

„—˜le of ƒU

PUD SHD SID WHD SWD ITD PQD VRD WID PTDIIRDIISDIHUD RRDIHPD UQD

QID QTD IWDIHVD SSD RTD TQD URD WQD ISD TRD VTD QUD VID PVD RD

IID UHD QPD IQDIPQD SQD TVD TTD RQD QHD TSD PHD USDIPID PIDIIID

IRD VSD WD SRDIITD IPDIHQD VQD RHD IHDIPTD STD PD UD WTD RID

PSD IVDIHID RUD RVD SUD VDIHRD WSDIPHD RPD UTDIHHD TWDIIUD TID

VWD UPD QD VUDIPRD UWD WVD THD PWD QQD WRD QWDIHTDIIPD UUD SVD

IDIHWDIIHD WWD PRDIIWD QSD SD QVDIIVD HD RWD RSDIPPDIPUD WUD

VHD QRD IUD TD UID PPD VPD UVDIIQD TPDIHSD TUD SPD WPD VVDIPS

„—˜le of ƒW

RSIDPHQDQQWDRISDRVQDPQQDPSID SQDQVSDIVSDPUWDRWIDQHUD WD RSDPIID

IWWDQQHD SSDIPTDPQSDQSTDRHQDRUPDITQDPVTD VSD RRD PWDRIVDQSSDPVHD

QQIDQQVDRTTD ISD RQD RVDQIRDPPWDPUQDQIPDQWVD WWDPPUDPHHDSHHD PUD

IDISUDPRVDRITDQTSDRWWD PVDQPTDIPSDPHWDIQHDRWHDQVUDQHIDPRRDRIRD

RTUDPPIDRVPDPWTDRVHDPQTD VWDIRSD IUDQHQD QVDPPHDIUTDQWTDPUIDSHQD

PQIDQTRDIVPDPRWDPITDQQUDPSUDQQPDPSWDIVRDQRHDPWWDRQHD PQDIIQD IPD

UID VVDIPUDRPHDQHVDPWUDIQPDQRWDRIQDRQRDRIWD UPDIPRD VIDRSVD QSD

QIUDRPQDQSUD SWD TTDPIVDRHPDPHTDIWQDIHUDISWDRWUDQHHDQVVDPSHDRHTD

RVIDQTIDQVID RWDQVRDPTTDIRVDRURDQWHDQIVDPVRD WTDQUQDRTQDIHQDPVID

IHIDIHRDISQDQQTD VD UDQVHDIVQD QTD PSDPPPDPWSDPIWDPPVDRPSD VPD

PTSDIRRDRIPDRRWD RHDRQSDQHWDQTPDQURDPPQDRVSDQWPDIWUDQTTDRUVDRQQD

IWSDRUWD SRDPQVDRWRDPRHDIRUD UQDISRDRQVDIHSDIPWDPWQD IID WRDIVHD

QPWDRSSDQUPD TPDQISDRQWDIRPDRSRDIURD ITDIRWDRWSD UVDPRPDSHWDIQQD

PSQDPRTDITHDQTUDIQIDIQVDQRPDISSDQITDPTQDQSWDISPDRTRDRVWD QDSIHD

IVWDPWHDIQUDPIHDQWWD IVD SIDIHTDQPPDPQUDQTVDPVQDPPTDQQSDQRRDQHSD

QPUD WQDPUSDRTIDIPIDQSQDRPIDQUUDISVDRQTDPHRD QRDQHTD PTDPQPD RD

QWIDRWQDRHUD SUDRRUDRUID QWDQWSDIWVDISTDPHVDQQRDIHVD SPDRWVDIIHD

PHPD QUDIVTDRHIDPSRD IWDPTPD RUDRPWDQUHDRUSDIWPDPTUDRUHDPRSDRWPD

PTWDIIVDPUTDRPUDIIUDPTVDRVRDQRSD VRDPVUD USDIWTDRRTDPRUD RIDITRD

IRDRWTDIIWD UUDQUVDIQRDIQWDIUWDQTWDIWIDPUHDPTHDISIDQRUDQSPDQTHD

PISDIVUDIHPDRTPDPSPDIRTDRSQDIIID PPD URDITIDQIQDIUSDPRIDRHHD IHD

RPTDQPQDQUWD VTDQWUDQSVDPIPDSHUDQQQDRHRDRIHDIQSDSHRDPWIDITUDRRHD

QPID THDSHSDQPHD RPDQRIDPVPDRIUDRHVDPIQDPWRDRQID WUDQHPDQRQDRUTD

IIRDQWRDIUHDISHDPUUDPQWD TWDIPQDIRIDQPSD VQD WSDQUTDIUVD RTD QPD

RTWD TQDRSUDRVUDRPVD TVD STD PHDIUUDQTQDIUIDIVID WHDQVTDRSTDRTVD

PRDQUSDIHHDPHUDIHWDPSTDRHWDQHRDQRTD SDPVVDRRQDRRSDPPRD UWDPIRD

QIWDRSPDPWVD PID TDPSSDRIIDITTD TUDIQTD VHDQSIDRVVDPVWDIISDQVPD

IVVDIWRDPHIDQUIDQWQDSHIDIITDRTHDRVTDRPRDRHSD QID TSD IQDRRPD SHD

TIDRTSDIPVDITVD VUDRRIDQSRDQPVDPIUDPTID WVDIPPD QQDSIIDPURDPTRD

RRVDITWDPVSDRQPDRPPDPHSDPRQD WPDPSVD WIDRUQDQPRDSHPDIUQDITSD SVD

RSWDQIHDQVQD UHDPPSD QHDRUUDPQHDQIIDSHTDQVWDIRHDIRQD TRDRQUDIWHD

IPHD HDIUPDPUPDQSHDPWPD PDRRRDITPDPQRDIIPDSHVDPUVDQRVD UTDRSH IQ P P 64 64 32 32 32 32

KL1FL1KI1,KO1 FL2 KL2 KL1FL1 FL2 KL2

FO1 KI1,KO1 FO1 KL3 FL3 KI2,KO2

FO2 KI2,KO2 FO2

KL3FL3KI3,KO3 FL4 KL4 KI3,KO3 FO3 KL4 FO3 FL4

KI4,KO4 KI4,KO4 FO4 FO4

KL5FL5KI5,KO5 FL6 KL6 KL5FL5 FL6 KL6 FO5 KI5,KO5 FO5 KL7 FL7 KI6,KO6

FO6 KI6,KO6 FO6

KL7FL7KI7,KO7 FL8 KL8

FO7 KI7,KO7 FO7 KL8

FL8 KI8,KO8

FO8 KI8,KO8 FO8

KL n+1 FL n+1 FL n+2 KL n+2 KL n+1 FL n+1 FL n+2 KL n+2

C C

Figure A: MISTY1 Figure B: MISTY2 IR 32 16 32 16 16 97 16 16 KO i1 KL i1 KI i1 FI i1 S9 zero-extend KL i2

KO i2 KI i2 FI i2 S7

truncate KI ij1 KI ij2

KO i3 KI i3 FI i3 S9

zero-extend

KO i4

Figure C: FOi Figure D: FIij Figure E: FLi

K1 K2 K3 K4 K5 K6 K7 K8

FI FI FI FI FI FI FI FI

K'1 K'2 K'3 K'4 K'5 K'6 K'7 K'8

Figure F: Key Scheduling IS