Perfect Diffusion Primitives for Block – Building Efficient MDS Matrices

Pascal Junod and Serge Perfect Diffusion Primitives for Block Ciphers Vaudenay Preliminaries – Diffusion / Confusion Building Efficient MDS Matrices MDS Matrices ... Multipermutation ... and their Implementation Pascal Junod and Serge Vaudenay 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4, 4)-Multipermutation ÉCOLE POLYTECHNIQUE (8, 8)-Multipermutation FÉDÉRALE DE LAUSANNE Concluding Remarks

Selected Areas in '04 University of Waterloo (Canada), August 9, 2004 Perfect Diffusion Primitives Outline of this talk for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation I Preliminaries 32/64-bit Architectures 8-bit Architectures I MDS Matrices ... Bi-Regular Arrays Our Results I ... and their Implementation Definition I Some New Constructions Bi-Regular Arrays (4, 4)-Multipermutation (8, 8)-Multipermutation I Some New Constructions Concluding Remarks Perfect Diffusion Primitives Back to Shannon for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries I Notions of introduced by Diffusion / Confusion MDS Matrices ... Shannon in “Communication Theory of Secrecy Multipermutation Systems” (1949) ... and their Implementation 32/64-bit Architectures I Confusion: “The method of confusion is to make the 8-bit Architectures Bi-Regular Arrays relation between the simple statistics of EK (.) and the Our Results simple description of K a very complex and involved Definition Some New Constructions one.” (4, 4)-Multipermutation I Diffusion: “In the method of diffusion the statistical (8, 8)-Multipermutation Concluding Remarks structure of M which leads to its redudancy is dissipated into long range statistics – i.e., into statistical structure involving long combinations of letters in the cryptogram.” Perfect Diffusion Primitives Confusion for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation I ... and their Implementation Notion of confusion nowadays related to the ones of 32/64-bit Architectures 8-bit Architectures I S-Box Bi-Regular Arrays I non-linearity Our Results I Boolean functions Definition Some New Constructions I algebraic attacks (4, 4)-Multipermutation (8, 8)-Multipermutation I Plenty of academic papers on this subject ! Concluding Remarks Perfect Diffusion Primitives Diffusion : Historical Perspectives for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

I Less studied in a rigorous (mathematical) way until mid Preliminaries Diffusion / Confusion of 90’s MDS Matrices ... Multipermutation I Schnorr-Vaudenay (FSE’93 / EUROCRYPT’94) : ... and their Implementation introduction of the concept of multipermutation 32/64-bit Architectures 8-bit Architectures I Vaudenay (FSE’95) : a linear multipermutation is Bi-Regular Arrays Our Results equivalent to an MDS code Definition I Some New Constructions Daemen (PhD thesis, 1995): Wide-Trail Strategy (4, 4)-Multipermutation I (Choose “good” S-boxes) (8, 8)-Multipermutation I “Design the round transformation in such a way that only Concluding Remarks trails with many S-boxes occur.” I Rijmen, Daemen, Preneel, Bossalaers, De Win (FSE’96): design of SHARK whose diffusion layer is based on MDS codes Perfect Diffusion Primitives Multipermutation Nowadays for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation I Very few MDS codes are known ... and their Implementation I 32/64-bit Architectures Seldom used in practice 8-bit Architectures I Bi-Regular Arrays Widely spread building block in symmetric schemes Our Results Definition I Non-linear multipermutation: CS- Some New Constructions I (4, 4)-Multipermutation Linear multipermutation (MDS matrices): AES, (8, 8)-Multipermutation , Twofish, Khazad, FOX, and many, many Concluding Remarks others ! Perfect Diffusion Primitives In this Talk for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation I 32/64-bit Architectures Interested in “efficient” linear multipermutations 8-bit Architectures I Bi-Regular Arrays Brief recall about MDS matrices and their properties Our Results Definition I Definition of what we mean by “efficient” Some New Constructions I (4, 4)-Multipermutation New propositions (8, 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives Multipermutation: a De®nition for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures De®nition (Multipermutation) 8-bit Architectures p A diffusion function f from K to K is a multipermutation if Bi-Regular Arrays Our Results for any x1, . . . , xp ∈ K and any integer r with 1 ≤ r ≤ p, Definition modifying r input values on f (x1, . . . , xp) results in modifying Some New Constructions (4, 4)-Multipermutation at least q − r + 1 output values. (8, 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives Multipermutation: Another De®nition for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation I De®nition (Multipermutation) ... and their Implementation p q 32/64-bit Architectures A diffusion function f from K to K is a 8-bit Architectures multipermutation if the set of all words consisting of Bi-Regular Arrays Our Results x1, . . . , xp concatenated with f (x1, . . . , xp) is a code of Definition p (#K) words of length p + q with minimal distance Some New Constructions (4, 4)-Multipermutation q + 1. (8, 8)-Multipermutation Concluding Remarks I Matches the Singleton bound (hence the link to MDS codes) Perfect Diffusion Primitives Multipermutation: Example for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

I Representation of the finite field GF(28) : polynomials Preliminaries Diffusion / Confusion of degree at most seven with coefficients in GF(2) MDS Matrices ... modulo the irreducible polynomial Multipermutation ... and their Implementation 32/64-bit Architectures p(ξ) = ξ8 + ξ7 + ξ6 + ξ5 + ξ4 + ξ3 + 1 8-bit Architectures Bi-Regular Arrays Our Results I Addition: XOR Definition I Multiplication: usual multiplication of polynomials Some New Constructions (4, 4)-Multipermutation modulo p(ξ) (8, 8)-Multipermutation I Consider the following multipermutation on GF(28)2: Concluding Remarks

x y 1 ξ x µ : 1 7→ 1 = × 1  x2   y2   1 1   x2  Perfect Diffusion Primitives Why is it a Multipermutation ? for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge I Because µ is invertible : Vaudenay

− Preliminaries 1 7 5 3 7 5 3 1 ξ ξ + ξ + ξ ξ + ξ + ξ + 1 Diffusion / Confusion = 7 5 3 7 5 3 MDS Matrices ...  1 1   ξ + ξ + ξ ξ + ξ + ξ  Multipermutation ... and their Implementation I Because, when fixing x to a constant c, both y and y 32/64-bit Architectures 1 1 2 8-bit Architectures are permutations of x2 : Bi-Regular Arrays Our Results Definition y1 = c ⊕ (ξ · x2) Some New Constructions (4, 4)-Multipermutation y2 = c ⊕ x2 (8, 8)-Multipermutation Concluding Remarks I Because, when fixing x2 to a constant c, both y1 and y2 are permutations of x1 :

y1 = x1 ⊕ (ξ · c)

y2 = x1 ⊕ c Perfect Diffusion Primitives Why is it a Multipermutation (2)? for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures I Bi-Regular Arrays Because det(µ) =6 0 and every sub-determinant of µ is Our Results different of 0. Definition Some New Constructions (4, 4)-Multipermutation (8, 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives 32/64-bit Architectures for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4, 4)-Multipermutation (8, 8)-Multipermutation Concluding Remarks I Lot of fast memory (L1 cache) I Table lookups + XORs:

y1 1 ξ = x1 × ⊕ x2 ×  y2   1   1  Perfect Diffusion Primitives 8-bit Architectures for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4, 4)-Multipermutation I Less memory at disposal → complete precomputation (8, 8)-Multipermutation is impossible! Concluding Remarks I The elements value matters ! I Multiplications by 1 are “free” operations I Possible to precompute the operation “multiplication by a constant c” Perfect Diffusion Primitives Our strategy for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion I MDS Matrices ... Maximize the number of 1’s in the matrix. Multipermutation I Minimize the number of different constants. ... and their Implementation 32/64-bit Architectures I Two criteria ... 8-bit Architectures Bi-Regular Arrays I ... among infinitely many others ! Our Results Definition I Corollary (and disclaimer) : it is always possible to find Some New Constructions (4, 4)-Multipermutation an architecture and side constraints such that our (8, 8)-Multipermutation strategy leads to poor results. Concluding Remarks I One of the constraints we did not consider: inverse of a matrix must be “efficient” as well. Perfect Diffusion Primitives Results for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation I Definition of the concept of “bi-regular array” 32/64-bit Architectures 8-bit Architectures I Find the minimal amounts of 1’s and of different Bi-Regular Arrays Our Results coefficients for bi-regular arrays Definition I Some New Constructions Sequence of constructive proofs → matrix skeletons (4, 4)-Multipermutation I Examples of matrices (8, 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives Bi-Regular Arrays for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion I MDS Matrices ... A 2 × 2 array with entries in K is bi-regular if at least Multipermutation one row and one column have two different entries. ... and their Implementation 32/64-bit Architectures 8-bit Architectures 1 1 1 1 Bi-Regular Arrays 1 2 ξ ξ Our Results Definition Some New Constructions I A q × p array with entries in K is bi-regular if all 2 × 2 (4, 4)-Multipermutation (8, 8)-Multipermutation sub-arrays are bi-regular. Concluding Remarks I An MDS matrix must be a bi-regular array ... I ... but the converse is not true ! Perfect Diffusion Primitives From Bi-Regular Arrays to MDS for Block Ciphers – Building Efficient MDS Matrices Matrices Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays I Construct a bi-regular array with large number of 1’s Our Results and small number of different coefficients. Definition Some New Constructions I (4, 4)-Multipermutation Find a suitable set of coefficients (if possible). (8, 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives Highest Possible Number of 1's for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion Summary of our results MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 2 3 4 5 6 7 8 8-bit Architectures 2 3 4 5 6 7 8 9 Bi-Regular Arrays Our Results 3 4 6 7 8 9 10 11 Definition 4 5 7 9 10 12 13 14 Some New Constructions (4, 4)-Multipermutation 5 6 8 10 12 13 14 17 (8, 8)-Multipermutation 6 7 9 12 13 16 18 19 Concluding Remarks 7 8 10 13 14 18 21 22 8 9 11 14 17 19 22 24 Perfect Diffusion Primitives Lowest Possible Number of Different for Block Ciphers – Building Efficient MDS Coef®cients Matrices Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation Summary of our results ... and their Implementation 32/64-bit Architectures 8-bit Architectures 2 3 4 5 6 7 8 Bi-Regular Arrays Our Results 2 2 2 2 3 3 3 3 Definition 3 2 2 3 3 3 3 2 Some New Constructions (4, 4)-Multipermutation 4 2 3 3 3 4 4 4 (8, 8)-Multipermutation 5 3 3 3 3 4 4 4 Concluding Remarks 6 3 3 4 4 4 4 5 7 3 3 4 4 4 4 5 8 3 4 4 4 5 5 5 Perfect Diffusion Primitives A (4, 4)-Multipermutation for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion I MDS Matrices ... Example of “optimal” 4 × 4-matrix Multipermutation ... and their Implementation 32/64-bit Architectures a 1 1 1 8-bit Architectures  1 1 b a  Bi-Regular Arrays 1 a 1 b Our Results   Definition  1 b a 1  Some New Constructions   (4, 4)-Multipermutation (8, 8)-Multipermutation I 9 coefficients equal to 1, 3 different values Concluding Remarks I Used as diffusive component in the round function of FOX64 Perfect Diffusion Primitives A Circulating-Like for Block Ciphers – Building Efficient MDS (8, 8)-Multipermutation Matrices Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion I Example of a “non-optimal” 4 × 4-matrix MDS Matrices ... Multipermutation ... and their Implementation f 1 1 1 1 1 1 1 32/64-bit Architectures 8-bit Architectures  1 1 a b c d e f  Bi-Regular Arrays 1 f 1 a b c d e Our Results   Definition  1 e f 1 a b c d    Some New Constructions  1 d e f 1 a b c  (4, 4)-Multipermutation   (8, 8)-Multipermutation  1 c d e f 1 a b  Concluding Remarks    1 b c d e f 1 a     1 a b c d e f 1    I Used as diffusive component in the round function of FOX128 Perfect Diffusion Primitives A (8, 8)-Multipermutation with Rectangle for Block Ciphers – Building Efficient MDS Patterns Matrices Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion I Example of a “partially optimal” 8 × 8-matrix MDS Matrices ... Multipermutation ... and their Implementation b a c b d c 1 d 32/64-bit Architectures  b c a d b 1 c 1  8-bit Architectures Bi-Regular Arrays c b d a 1 b 1 c Our Results   Definition  c d b 1 a 1 b d    Some New Constructions  d c 1 b 1 a d b  (4, 4)-Multipermutation   (8, 8)-Multipermutation  d 1 c 1 b d a c    Concluding Remarks  1 d 1 c d b c a     1 1 d d c c b b    I Optimal number of different coefficients I Non-optimal number of 1’s Perfect Diffusion Primitives Thank You ! for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries See you in 25 minutes for the presentation of Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4, 4)-Multipermutation (8, 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures Any Question ? 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4, 4)-Multipermutation (8, 8)-Multipermutation Concluding Remarks