THE SHADE CIPHER: AN EFFICIENT HASH-FUNCTION-BASED FEISTEL NETWORK

C. Adams
Entrust Technologies Limited
750 Heron Road
Ottawa, Canada, K1V 1A7

ABSTRACT

In this paper we propose SHADE, a balanced Feistel network that uses a modified hash function that accepts two fixed-size inputs (each of which is the size of the function output) as the round function. This new hash function blends many of the concepts of MD5 and SHA-1, with some modifications and extensions. A complete description of the SHADE cipher, including key schedule, blocksize, round (hash) function, and number of rounds, is presented.

1. INTRODUCTION

Luby and Rackoff have shown [1] that provably secure pseudorandom permutations can be constructed using provably secure pseudorandom functions. They achieve this by building a pseudorandom permutation as a three- or four-round Feistel network [2, 3] and using the pseudorandom functions as the component round functions in this network. Although provably secure pseudorandom functions can be constructed from provably secure pseudorandom bit generators [4] (and pseudorandom bit generators whose security rests, for example, on the difficulty of computing discrete logarithms [5] or factoring [6] have been constructed), in practice such pseudorandom functions execute very slowly, making the Luby-Rackoff ciphers impractical for many environments.

Some researchers (see, for example, [7, 8, 9]), attracted by the promise of the Luby-Rackoff design, have replaced provably secure pseudorandom functions (due to their inefficiency) with hash functions such as MD5 [10], SHA-1 [11], or RIPE-MD [12]. One of the difficulties with this approach is that such ciphers tend to be "unbalanced" Feistel networks (in which the plaintext is split into two pieces of unequal size) and may need to incorporate another primitive, such as a stream cipher, to deal with the unbalance.

In this paper we construct balanced Feistel networks using a new hash function as the round function. Although still not provably secure, some confidence may be gained from the fact that the resulting cipher more closely resembles the Feistel network which has been examined so carefully in the cryptologic community, while still resting upon the theoretical underpinnings of Luby and Rackoff. The hash function used here blends many of the concepts from MD5 and SHA-1 with specific extensions and modifications so that it accepts two fixed-size inputs, each of which is the size of the function output. The design principles of this hash function, along with other aspects of the cipher, are discussed in some detail.

The remainder of this paper is organized as follows. Section 2 introduces the concepts and terminology which will be useful for understanding the remainder of the paper. Section 3 provides a description of SHADE, and Section 4 discusses the principles involved in its design. Section 5 comments on the performance of this algorithm and the paper closes in Section 6 with some concluding remarks.

2. CONCEPTS AND TERMINOLOGY

This section briefly explains the concepts and terminology which will be needed throughout the remainder of the paper. Further details and background can be found in the papers in which these concepts are introduced [1, 2, 3].

2.1. Feistel Networks

Feistel, et al., in [2, 3] made Shannon's suggestion of "mixing transformations" for cryptographic applications [13] more concrete by introducing the Substitution-Permutation Network. SPNs are alternating layers of nonlinear substitution boxes (s-boxes) and linear permutations which serve to scramble the bits of the plaintext in a key-dependent way to create the ciphertext; an s-box layer and a permutation layer together are often referred to as a single "round". The input to the cipher is a "block" of plaintext 2n bits in length. There are two general classes of SPNs: those which operate on the full 2n bits of data in each round; and those which operate on fewer than 2n bits (i.e., partial blocks) and then swap the partial blocks between rounds (the Data Encryption Standard, DES [14], was constructed using this approach). Note that the second class is what is typically meant in the cryptographic literature by the terms "Feistel cipher" and "Feistel network".

The general structure of a Feistel network is shown in the following diagram (Figure 1). Basic operation is as follows. A message block of 2n bits is input and split into a left half $L_0$ and a right half $R_0$. The right half and a subkey $K_0$ are input to a "round function", $f_0$, the output of which is used to modify (through XOR addition) the left half. Swapping the left and right halves completes round one. This process continues for as many rounds as are defined for the cipher ($r$ in the diagram). After the final round (which does not contain a swap in order to simplify implementation of the decryption process), the left and right halves are concatenated to form the ciphertext.
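The balanced Feistel construction just described (split the block, apply $L \leftarrow L \oplus f_i(R, K_i)$ and swap for every round but the last, and concatenate), as an added Python example that is not code from the paper. The round function here is a stand-in, SHA-1 over the subkey and the right half truncated to 128 bits, chosen only because the structure accepts any keyed pseudorandom function; it is not SHADE's F, and derive_subkeys is a placeholder derivation, not the SHADE key schedule. The point the code makes is the one the text makes: the round function need not be invertible, and omitting the swap after the last round means the identical routine run with the subkeys in reverse order is the decryption.

```python
import hashlib
from typing import List

HALF = 16  # 128-bit halves, so a 256-bit block, the same sizes SHADE uses


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right: bytes, subkey: bytes) -> bytes:
    """Stand-in f_i(R_i, K_i): SHA-1 over subkey || right half, truncated to
    HALF bytes. It is a plain hash, neither invertible nor collision resistant
    at 128 bits; the Feistel structure is what makes the cipher invertible.
    This is NOT the SHADE round function."""
    return hashlib.sha1(subkey + right).digest()[:HALF]


def derive_subkeys(key: bytes, rounds: int = 8) -> List[bytes]:
    """Placeholder subkey derivation (an assumption, not SHADE's schedule):
    subkey i is SHA-256(key || i) truncated to HALF bytes."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]


def feistel(block: bytes, subkeys: List[bytes]) -> bytes:
    """r-round balanced Feistel network as described in Section 2.1.

    Each round replaces L with L xor f(R, K_i) and then swaps the halves;
    the final round skips the swap, so running this same loop with the
    subkeys in reverse order undoes it."""
    if len(block) != 2 * HALF:
        raise ValueError(f"block must be {2 * HALF} bytes")
    left, right = block[:HALF], block[HALF:]
    last = len(subkeys) - 1
    for i, k in enumerate(subkeys):
        mixed = xor_bytes(left, round_function(right, k))
        if i == last:
            left = mixed  # no swap after the final round
        else:
            left, right = right, mixed
    return left + right


def encrypt(block: bytes, subkeys: List[bytes]) -> bytes:
    return feistel(block, subkeys)


def decrypt(block: bytes, subkeys: List[bytes]) -> bytes:
    return feistel(block, list(reversed(subkeys)))


if __name__ == "__main__":
    ks = derive_subkeys(b"constructed 32-byte example key!")  # constructed key
    pt = bytes(range(32))
    ct = encrypt(pt, ks)
    assert decrypt(ct, ks) == pt
    print(ct.hex())
```

Running a single round shows the structural reason decryption works: the right half of the output equals the right half of the input, because the last round only modifies the left half.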

CCECE'97 0-7803-3716-6/97/$5.00 © 1997 IEEE

Figure 1: Feistel Cipher

An approach proposed by some researchers is to use well-studied and widely-accepted hash functions, which are very efficient and which appear to be strongly pseudorandom, as the round functions. This is the approach taken by the SHADE cipher. However, rather than using a specific hash function directly, we develop a slightly modified hash function. The reason for this is two-fold. Firstly, this allows us to blend what appear to be the best ideas from MD5 and SHA-1, along with minor extensions, into a single new function. Secondly, this allows us to tailor the function to this particular application (i.e., to construct a good, pseudorandom round function for a balanced Feistel network); we are not explicitly concerned with creating a function which can be used as a dedicated hash function in any other context. The goal is to create a function which retains the (apparent) pseudorandom properties of MD5 and SHA-1, but which is more suitable for a fixed-size, symmetric cipher.

It is important to recognize that Luby and Rackoff's result (security against both chosen plaintext and chosen ciphertext attacks for super (i.e., 4-round) pseudorandom invertible permutations) depends on the fact that the component round functions are either truly random or provably pseudorandom, as discussed in Section 2. In an attempt to compensate for the fact that hash functions are not provably pseudorandom, the SHADE cipher uses 8 rounds instead of 4. This choice relies on another result by Luby and Rackoff ([15]; see also the concluding comments in [1]) which proves that the composition of two permutation generators which are less than perfectly secure creates a permutation generator which is more secure than either one alone. In SHADE, therefore, the first four rounds can be viewed as one super pseudorandom invertible permutation and the last four rounds as another. The overall cipher is then equivalent to the composition of these two ciphers, which will compensate (to at least some degree) for any non-optimal security in the component ciphers due to the use of apparently secure, but not provably secure, round functions.

3. THE SHADE CIPHER

SHADE is an 8-round Feistel cipher with a blocksize and keysize of 256 bits. Its round function and key schedule are given in detail in the following two subsections; justification for the various design choices made is the subject of Section 4.

3.1. The SHADE Round Function

For a 128-bit string $X$, let $X_0, X_1, X_2, X_3$ represent the four 32-bit words (most significant to least significant) which are concatenated to form $X$. Furthermore, let $a \lll b$ represent a circular left shift of the value in $a$ by $b$ bits¹, and let $+$, $\oplus$, $\wedge$, $\vee$, $\neg$ represent addition modulo $2^{32}$, bitwise XOR, bitwise AND, bitwise OR, and bitwise complement, respectively.

The round function used in SHADE takes as input two 128-bit strings, $R$ and $K$, and returns as output a 128-bit string $R'$. Referring to Figure 1 above (and ignoring subscripts for a given round), the string $R$ is the data block (the right half of the data for a given round) and the string $K$ is the subkey for that round; the string $R'$ is the modified right half, which is XORed with the left half of the data from the previous round to become the right half of the data for the following round. Computation of the round function involves two steps:

1) Mask $R$ with $K$ to produce $M$ (the subscript on $K$ is reduced modulo 4 when necessary): for $i = 0 \ldots 3$, $M_i = ((((R_i \oplus K_{i+2}) + \cdots$

2) Transform $M$ using the mapping function $F(M)$.

The mapping function $F(M)$ is defined as follows (note that the argument to the sine function below is in radians):

Initialize $d_0, d_1, d_2, d_3$ to $d_i = D_i + M_i$, $i = 0 \ldots 3$.
For $i = 0 \ldots 19$ do (the subscript on $d$ is reduced modulo 4): update $d_i$ with the MD5 step function, using $f(t, \cdot, \cdot, \cdot)$, $m_i$, $S(t, i)$ and $T_i$ as defined below and in Section 4.2.
Output $R'_i = d_i$, $i = 0 \ldots 3$,

where

$D_0 = 2^{30}\sqrt{2} = \texttt{5a827999}$ (hex)
$D_1 = 2^{30}\sqrt{3} = \texttt{6ed9eba1}$ (hex)
$D_2 = 2^{30}\sqrt{5} = \texttt{8f1bbcdc}$ (hex)
$D_3 = 2^{30}\sqrt{10} = \texttt{ca62c1d6}$ (hex)

$m_i = M_i$, $i = 0 \ldots 3$
$m_i = (m_{i-3} \oplus m_{i-?}) \lll 3$, $i = 4 \ldots 19$ (the second index is not legible in this copy)

$f(t, x, y, z) = (x \wedge y) \vee (\neg x \wedge z)$, $t = 0 \ldots 3$
$f(t, x, y, z) = (z \wedge x) \vee (\neg z \wedge y)$, $t = 4 \ldots 7$
$f(t, x, y, z) = x \oplus y \oplus z$, $t = 8 \ldots 11$
$f(t, x, y, z) = y \oplus (x \vee \neg z)$, $t = 12 \ldots 15$
$f(t, x, y, z) = z \oplus (y \vee \neg x)$, $t = 16 \ldots 19$

$S(t, i)$ is the MD5 shift amount, extended for $t = 16 \ldots 19$ (see Section 4.2)

$T_i = \lfloor 2^{32} \cdot |\sin(i + 1)| \rfloor$, $i = 0 \ldots 19$ (the first 20 MD5 constants)

¹ In what follows, $a$ will be a 32-bit number so only the least significant 5 bits of $b$ will be used for the rotation operation if $b$ is greater than 5 bits in length.

3.2. The SHADE Key Schedule

The key schedule in SHADE takes a 256-bit input (the original user key) and creates eight 128-bit round keys using the mapping function $F(\cdot)$ as defined in the round function above. Let the input key be split into two halves $K_A$ (the most significant 128 bits) and $K_B$ (the least significant 128 bits).

Let $k_{A0} = F(K_A)$
for $i = 1 \ldots 7$: $k_{Ai} = F(k_{A,i-1})$
Let $k_{B0} = F(K_B \oplus k_{A0})$
for $i = 1 \ldots 7$: $k_{Bi} = F(k_{B,i-1})$
for $i = 0 \ldots 7$: $k_i = k_{Ai} \oplus k_{Bi}$

The key $k_i$ is then the string $K$ given above in the description of the round function.

4. DESIGN PRINCIPLES

This section discusses the design principles of the various aspects and components of the SHADE cipher, including the overall framework, the round function, and the key schedule.

4.1. The SHADE Cipher

As mentioned above, SHADE is built around the Luby-Rackoff model for designing secure pseudorandom permutations from random or pseudorandom functions. Their model requires four rounds of a Feistel network (for security against chosen plaintext and chosen ciphertext attacks by a polynomially-bounded adversary), when the component round functions are provably secure. In SHADE, we replace the provably secure functions with functions which appear to be secure and execute quite efficiently. To compensate to some degree for the lack of provable security, SHADE uses eight rounds rather than four, relying on Luby and Rackoff's formal confirmation of Shannon's intuition [13] that the composition of two ciphers (in this case, permutation generators constructed out of Feistel networks) results in a cipher which is stronger than either of its components.

The choice of blocksize and keysize (256 bits each) is motivated by the feeling that currently common sizes (64 bits) are likely to be inadequate for many environments in the very near future (and are already inadequate for some environments). The very large keysize is intended to provide a wide safety margin against (as yet unknown) cryptanalytic attacks against the cipher, since a fairly large majority of the key bits must be recovered by some attack(s) before exhaustive search over the remaining bits becomes computationally feasible even within the foreseeable future. Furthermore, Biham has shown [16] that the theoretical security of any block cipher is at most the square root of the size of the keyspace (due to so-called key-collision attacks), so that for true 128-bit security, 256-bit keys must be used. The large blocksize allows the cipher to be used with (from a practical point of view) an almost unlimited number of blocks, so that SHADE may be appropriate even for environments in which many Terabytes of data must be encrypted with a single key.

4.2. The SHADE Round Function

The SHADE round function hashes 256 input bits (128 data bits and 128 subkey bits) to 128 output bits. The first step masks the data with the subkey to produce a 128-bit string and the second step substitutes this 128-bit string with another (pseudorandomly chosen) 128-bit string. The first step uses every 32-bit word of the subkey, with three different binary operations, to modify each 32-bit word of the data; this appears to be a much more effective masking operation than a simple XOR of the two input bit strings and helps to ensure that the input to the second step is not known if the subkey is not known.
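The components of the mapping function $F$ that Section 3.1 specifies fully (the SHA-1-derived constants $D_i$, the first 20 MD5 constants $T_i$, the rotation with the 5-bit shift-count rule of footnote 1, and $f(t, x, y, z)$), together with the key-schedule chain of Section 3.2, as an added Python example that is not code from the paper. The $d_i$ update step and $S(t, i)$ are not reproduced here, so the schedule takes $F$ as a parameter and is exercised with a SHA-1-based stand-in (standin_F, an assumption, not SHADE's $F$); the $t = 16 \ldots 19$ case of $f$ is our reading of the paper's expression, and $k_{B0}$ is chained on $k_{A0}$ as we read the schedule. The constants are recomputed from their definitions in exact integer arithmetic so the hex values on the page can be checked rather than trusted.

```python
import hashlib
import math
from typing import Callable, List

MASK32 = 0xFFFFFFFF


def rotl32(a: int, b: int) -> int:
    """a <<< b on a 32-bit word. Per footnote 1 of the paper only the least
    significant 5 bits of the shift count b are used, so b = 33 rotates by 1."""
    a &= MASK32
    b &= 31
    return ((a << b) | (a >> (32 - b))) & MASK32


def sha1_constants() -> List[int]:
    """D_i = floor(2^30 * sqrt(p)) for p = 2, 3, 5, 10, the four SHA-1 round
    constants. floor(2^30 * sqrt(p)) == isqrt(p * 2^60), so the values come
    out exactly from integer arithmetic instead of a rounded float."""
    return [math.isqrt(p << 60) for p in (2, 3, 5, 10)]


def md5_T(n: int = 20) -> List[int]:
    """T_i = floor(2^32 * |sin(i + 1)|), i + 1 in radians (RFC 1321);
    SHADE uses the first 20 of MD5's 64 values."""
    return [int((1 << 32) * abs(math.sin(i + 1))) for i in range(n)]


def f(t: int, x: int, y: int, z: int) -> int:
    """Round-dependent Boolean function: MD5's F, G, H, I for t = 0..3,
    4..7, 8..11, 12..15, plus the extra case for t = 16..19 that the paper
    adds, written here as z xor (y or not x) (our reading of the text)."""
    not_x, not_z = ~x & MASK32, ~z & MASK32
    if 0 <= t < 4:
        return (x & y) | (not_x & z)
    if t < 8:
        return (z & x) | (not_z & y)
    if t < 12:
        return x ^ y ^ z
    if t < 16:
        return y ^ (x | not_z)
    if t < 20:
        return z ^ (y | not_x)
    raise ValueError("t must lie in 0...19")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def standin_F(x: bytes) -> bytes:
    """Placeholder for the 128-bit-to-128-bit mapping F(.) so the schedule
    can be run; it is an assumption for this example, NOT SHADE's F."""
    return hashlib.sha1(x).digest()[:16]


def key_schedule(key: bytes, F: Callable[[bytes], bytes] = standin_F) -> List[bytes]:
    """Section 3.2: split the 256-bit key as K_A || K_B and run two F-chains,
    k_A0 = F(K_A), k_Ai = F(k_A,i-1); k_B0 = F(K_B xor k_A0), k_Bi = F(k_B,i-1);
    the round keys are k_i = k_Ai xor k_Bi for i = 0...7."""
    if len(key) != 32:
        raise ValueError("SHADE takes a 256-bit key")
    k_a = [F(key[:16])]
    for _ in range(1, 8):
        k_a.append(F(k_a[-1]))
    k_b = [F(xor_bytes(key[16:], k_a[0]))]
    for _ in range(1, 8):
        k_b.append(F(k_b[-1]))
    return [xor_bytes(a, b) for a, b in zip(k_a, k_b)]


if __name__ == "__main__":
    print([hex(d) for d in sha1_constants()])
    print([hex(t) for t in md5_T()[:4]])
    for i, k in enumerate(key_schedule(bytes(range(32)))):  # constructed key
        print(i, k.hex())
```

Flipping one bit in the low half $K_B$ leaves the whole $k_A$ chain unchanged, yet every $k_i$ still changes because $k_{B0}$ and everything chained from it changes; that is the "any change in the key changes every subkey" property of Section 4.3 made visible.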

The $\{0,1\}^{128}$-to-$\{0,1\}^{128}$ mapping is computed using a slightly modified blend of MD5 and SHA-1. These hash functions were chosen because of their speed and well-recognized design principles and pseudorandom properties², but other promising hash functions such as RIPEMD-160 [17] or TIGER [18] could conceivably be used in alternate definitions of SHADE (ones in which the blocksize is 320 bits or 384 bits, for example). The design principles of the mapping function are as follows.

- The four values for the $D_i$ are identical to four constants used in the compression function of SHA-1 (note that the initial values used in MD5 are much "simpler"). However, instead of using these directly as the starting values for the mapping function, the $D_i$ are modified (through addition modulo $2^{32}$) by the input vector. This has the effect of somewhat randomizing the starting point of the mapping operation without allowing the input to actually be the starting point.

- Iterating (in the for loop) 20 times is conceptually similar to SHA-1, in which the data string is expanded to five times its size for input to the update function. However, in this case the data string is 128 bits rather than 512 bits, so the iteration is done 20 times rather than 80 times (as in SHA-1). This makes computation of the mapping function considerably faster than SHA-1.

- The update function for the $d_i$ is taken from MD5.

- The assignment of values to the $m_i$ follows the SHA-1 design (in that the $m_i$ are more than a simple permutation of the input words), but each value depends on only 2 previous values (for faster operation) and a different shift value is used (3 bits instead of 1 bit).

- The function $f(t, x, y, z)$ is a slight extension of that defined for MD5 (the final expression, for $t = 16 \ldots 19$, is new).

- The function $S(t, i)$ is a slight extension of that defined for MD5 (the final expression, for $t = 16 \ldots 19$, is new).

- The values for $T_i$ are identical to the first 20 $T_i$ values in MD5.

Again, it is emphasized that what is required of the SHADE round function is good pseudorandom properties; its utility as a dedicated hash function is of secondary (if any) concern. This means that the ability to find collisions in the compression function, or to find an input which will produce a given output, is of little relevance unless this can be shown to produce an attack on the cipher itself (i.e., a way to recover unknown plaintext or key bits). Note that the driving principle behind the original Feistel network is that the round function itself does not have to be strong (e.g., it may be easy to invert, or it may be easy to find "collisions"; recall the DES round function); it is the layering of these relatively "weak" round functions which provides the cryptographic strength in the overall cipher.

4.3. The SHADE Key Schedule

The design goal of the SHADE key schedule is that it produces eight 128-bit random-looking subkeys. In this context, "random-looking" has the following definition.

- Any change in the initial 256-bit key results in a large, unpredictable change in every generated subkey.

- Partial or complete knowledge of any given set of subkeys provides no advantage in the computation of the remaining subkeys if the initial 256-bit key is unknown.

Additionally, it is desirable that the key scheduling process not be prohibitively long (compared with, for example, the encryption of a single block of plaintext). If the mapping function $F(\cdot)$ in the SHADE round function is sufficiently pseudorandom (which may be a reasonable conjecture, given the apparent pseudorandomness of MD5 and SHA-1 and the relatively minor changes made to construct $F(\cdot)$), then the key schedule given in Section 3.2 seems to satisfy the requirements given here.

5. PERFORMANCE

An estimate of the speed of SHADE can be computed as follows. The round function, with a 128-bit output size but with 20 iterations instead of 64, is roughly three times faster than MD5. However, it operates on 128-bit inputs rather than 512-bit inputs, so the actual data throughput is approximately 75% of MD5. Since eight rounds are used to encrypt 256 bits, there is another reduction of a factor of four. Thus, the throughput of SHADE is $x \cdot \frac{3}{4} \cdot \frac{1}{4} = \frac{3x}{16}$, where $x$ is the throughput of MD5.

Dobbertin, Bosselaers, and Preneel have implemented MD5 in Assembly language on a 90 MHz Pentium at 113.5 Mbits/s [17]. Such an implementation would result in roughly 21 Mbits/s = 2.66 MBytes/s for SHADE. Since the scaling is almost exactly linear, this means that SHADE would run at roughly 4.4 MBytes/s on a 150 MHz Pentium (a platform which is starting to become common in some environments). These speeds compare very favourably with the published performance of recently-proposed block ciphers such as BEAR and LION [7] (1.625 MBytes/s on a 133 MHz Alpha) and SHARK [19] (0.80 MBytes/s on a P-90).

² Even though collisions have been found in the compression function of MD5, it still appears to be the case that small changes in the input to MD5 lead to pseudorandom changes in the output, which is the property required for the SHADE cipher.

6. CONCLUSIONS

In this paper we propose a new symmetric cipher, SHADE, which has a 256-bit blocksize and a 256-bit key. The cipher is built around the theoretical security framework developed by Luby and Rackoff, but uses a hash function as the round function rather than a truly random or provably pseudorandom function. The hash function is a blend of MD5 and SHA-1, with some minor extensions, and is intended to retain their pseudorandom characteristics; it is not an explicit design goal that this round function necessarily be suitable as a dedicated hash function in any other context.

SHADE appears to have good cryptographic strength and high performance on common computing platforms. The performance is a result of the use of fast hash functions, which are further tuned for this particular application, as the basis of the cipher.

Members of the cryptologic community are strongly encouraged to examine the SHADE cipher presented in this paper in order to assess the cryptographic strength of this approach to symmetric cipher design.

7. ACKNOWLEDGEMENTS

Many thanks are due to Michael Wiener for fruitful discussions during the design of SHADE and for helpful feedback on early drafts of this paper. Thanks are also due to Paul Van Oorschot for a careful and critical reading of an early draft.

8. REFERENCES

[1] M. Luby and C. Rackoff, How To Construct Pseudorandom Permutations From Pseudorandom Functions, SIAM Journal of Computing, vol. 17, no. 2, pp. 373-386, April 1988.
[2] H. Feistel, Cryptography and Computer Privacy, Scientific American, vol. 228, pp. 15-23, 1973.
[3] H. Feistel, W. Notz, and J.L. Smith, Some Cryptographic Techniques for Machine-to-Machine Data Communications, Proceedings of the IEEE, vol. 63, no. 11, pp. 1545-1554, 1975.
[4] O. Goldreich, S. Goldwasser, and S. Micali, How to Construct Random Functions, in Proceedings of the 25th Symposium on Foundations of Computer Science, October 24-26, 1984.
[5] M. Blum and S. Micali, How to generate cryptographically strong sequences of pseudo-random bits, in Proceedings of the 23rd Symposium on Foundations of Computer Science, pp. 112-117, November 3-5, 1982 (see also SIAM Journal of Computing, vol. 13, pp. 850-886, 1984).
[6] A. Yao, Theory and applications of trapdoor functions, in Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, pp. 80-91, November 3-5, 1982.
[7] R. Anderson and E. Biham, Two Practical and Provably Secure Block Ciphers: BEAR and LION, in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, Springer LNCS 1039, pp. 113-120, February 1996.
[8] S. Lucks, Faster Luby-Rackoff Ciphers, in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, Springer LNCS 1039, pp. 189-203, February 1996.
[9] P. Morin, Provably Secure and Efficient Block Ciphers, in Workshop Record of the Third Annual Workshop on Selected Areas in Cryptography, Kingston, Ontario, Canada, pp. 30-37, August 15-16, 1996.
[10] R. Rivest, The MD5 Message Digest Algorithm, Request for Comments (RFC) 1321, Internet Activities Board, April 1992.
[11] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standard Publication 180-1, U.S. Department of Commerce, April 1995.
[12] RIPE, Integrity Primitives for Secure Information Systems: Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040), LNCS 1007, Springer-Verlag, 1995.
[13] C. Shannon, Communication Theory of Secrecy Systems, Bell System Technical Journal, vol. 28, pp. 656-715, 1949.
[14] National Bureau of Standards, Data Encryption Standard (DES), Federal Information Processing Standard Publication 46, U.S. Department of Commerce, January 1977.
[15] M. Luby and C. Rackoff, Pseudorandom permutation generators and cryptographic composition, in Proceedings of the 18th Annual Symposium on Theory of Computing, May 28-30, 1986.
[16] E. Biham, How to Forge DES-Encrypted Messages in $2^{28}$ Steps, Technical Report CS 884, Department of Computer Science, Technion, Haifa, Israel, August 1996 (also available at http://www.cs.technion.ac.il/~biham/publications.html).
[17] H. Dobbertin, A. Bosselaers, and B. Preneel, RIPEMD-160: A Strengthened Version of RIPEMD, in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, Springer LNCS 1039, pp. 71-82, February 1996.
[18] R. Anderson and E. Biham, Tiger: A Fast New Hash Function, in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, Springer LNCS 1039, pp. 89-97, February 1996.
[19] V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers, and E. De Win, The Cipher SHARK, in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, Springer LNCS 1039, pp. 99-111, February 1996.