E2 - a Candidate Cipher for AES

Home , E2 (cipher), Interpolation attack

E2 - A Candidate Cipher for AES

Masayuki Kanda, Shiho Moriai, Kazumaro Aoki, Hiroki Ueda, Miyako Ohkubo, Youichi Takashima, Kazuo Ohta, Tsutomu Matsumoto*

[email protected] http://info.isl.ntt.co.jp/e2/

Nippon Telegraph and Telephone Corporation (NTT) *Yokohama National University

First AES Candidate Conference Copyright NTT 1998 Outline

· Overview

· Design

· Security

· Performance · Conclusion E2

First AES Candidate Conference Copyright NTT 1998 Design Goals

· A 128-bit symmetric block cipher · Key length of 128, 192, and 256 bits · Security : secure against all known attacks and more · Efficiency : faster than DES · Flexibility : efficient implementations on various platforms

First AES Candidate Conference Copyright NTT 1998 Security of E2 (1)

There are many attacks….

First AES Candidate Conference Copyright NTT 1998 Security of E2 (1)

BruteBrute ForceForce AttacksAttacks

There are many attacks….

First AES Candidate Conference Copyright NTT 1998 Security of E2 (1)

BruteBrute ForceForce AttacksAttacks DifferentialDifferential CryptanalysisCryptanalysis

There are many attacks….

First AES Candidate Conference Copyright NTT 1998 Security of E2 (1)

BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis

There are many attacks….

First AES Candidate Conference Copyright NTT 1998 Security of E2 (1)

BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder DifferentialDifferential AttackAttack

There are many attacks….

First AES Candidate Conference Copyright NTT 1998 Security of E2 (1)

BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder InterpolationInterpolation DifferentialDifferential AttackAttack AttackAttack

There are many attacks….

First AES Candidate Conference Copyright NTT 1998 Security of E2 (1)

There are many attacks….

First AES Candidate Conference Copyright NTT 1998 Security of E2 (2)

DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis

E2 E2 is proven to have sufficient security

First AES Candidate Conference Copyright NTT 1998 Security of E2 (3)

DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder Interpolation Partitioning DifferentialDifferential Interpolation Partitioning Attack Cryptanalysis AttackAttack Attack Cryptanalysis

E2 S-box is designed to have no vulnerabilities First AES Candidate Conference Copyright NTT 1998 Security of E2 (4)

BruteBrute ForceForce AttacksAttacks

E2 E2 supports 128-bit block size and 128,192, 256-bit key sizes

First AES Candidate Conference Copyright NTT 1998 Design Goals (cont.)

First AES Candidate Conference Copyright NTT 1998 Efficiency and Flexibility of E2

32-bit 200MHz Intel Pentium Pro CPU ANSI C Assembly (Borland C++ 5.02) 711 clocks/block 420 clocks/block 36.0 Mbits/sec 61.0 Mbits/sec 64-bit 8-bit CPU CPU 600MHz DEC 21164A 5MHz Hitachi H8/300 Assembly Assembly 600 clocks/block 6,374 clocks/block 128 Mbits/sec 100.5 k bits/sec

First AES Candidate Conference Copyright NTT 1998 Efficiency and Flexibility of E2

32-bit 200MHz Intel Pentium Pro CPU ANSI C cf. DESAssembly (RSAREF, (Borland C++ 5.02) Borland C++ 5.0) 711 clocks/block 10.610.6420 Mbitsclocks/block/sec 36.0 Mbits/sec 61.0 Mbits/sec 64-bit 8-bit CPU CPU 600MHz DEC 21164A 5MHz Hitachi H8/300 Assembly Assembly 600 clocks/block 6,374 clocks/block 128 Mbits/sec 100.5 k bits/sec

First AES Candidate Conference Copyright NTT 1998 Outline

· Overview

· Design

· Security

· Performance · Conclusion E2

First AES Candidate Conference Copyright NTT 1998 High-level Structure of E2

Plaintext P Key K

IT k13 k14 k1 F Key Scheduling Part

k2 F

k12 F k FT 15 k16

First AES Candidate Conference Ciphertext C Copyright NTT 1998 High-level Structure of E2

Plaintext P Key K

k IT k13 Data 14 k1 randomizing F Key Scheduling Part part k2 F

k12 F k FT 15 k16

First AES Candidate Conference Ciphertext C Copyright NTT 1998 High-level Structure of E2

Plaintext P Key K

k IT k13 Data 14 Key k1 randomizing F Key Scheduling Part scheduling part k2 F part

k12 F k FT 15 k16

First AES Candidate Conference Ciphertext C Copyright NTT 1998 Data Randomizing Part Framework

· IT-Function k (Initial Transformation) IT 13 k14 k1 · Feistel structure F

k2 · FT-Function F (Final Transformation)

k12 F k FT 15 k16

First AES Candidate Conference Copyright NTT 1998 Design Rationale of Framework

· Feistel structure w Widely known and thought to offer long-term security w Symmetric encryption and decryption w Evaluation of security against DC and LC has been well studied

· IT-Function and FT-Function w Offer a proactive design and hinder later attacks

First AES Candidate Conference Copyright NTT 1998 Design Rationale of Framework

· Feistel structure w Widely known and thought to offer long-term security w Symmetric encryption and decryption w Evaluation of security against DC and LC has been well studied

· IT-Function and FT-Function w Offer a proactive design and hinder later attacks

First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1)

· Structures for which security evaluation against DC and LC is easy w 1-round SPN structure (e.g., DES) w Recursive structure (e.g., MISTY) w 2-round SPN structure · Comparing the speed at the same level of security, we decided to adopt 2-round SPN structure

First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1)

First AES Candidate Conference Copyright NTT 1998 Practical Measure for Feistel Cipher

· General case [Knudsen (FSE’93)] w Number of rounds: R = 2r, 2r + 1 (R) r (R) r w Evaluation: UDCP = p , ULCP = q · Bijective case [Kanda et al. (SAC’98)] w Number of rounds: R = 3r, 3r + 1, 3r + 2 (R) 2r (R) 2r w Evaluation: UDCP = p , ULCP = q (R = 3r, 3r + 1) (R) 2r+1 (R) 2r+1 UDCP = p , ULCP = q (R = 3r + 2) Note: p, q : Maximum differential and linear prob. of round function First AES Candidate Conference Copyright NTT 1998 Practical Measure for Feistel Cipher

· General case [Knudsen (FSE’93)] w Number of rounds: R = 2r, 2r + 1 When R = 6 (R) r (R) r w Evaluation: UDCP = p , UDCP ULCP = p3 [=General] q · Bijective case [Kanda et al.UDCP (SAC =’98) p4 ][Bijective] w Number of rounds: R = 3r, 3r + 1, 3r + 2 (R) 2r (R) 2r w Evaluation: UDCP = p , ULCP = q (R = 3r, 3r + 1) (R) 2r+1 (R) 2r+1 UDCP = p , ULCP = q (R = 3r + 2) Note: p, q : Maximum differential and linear prob. of round function First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (2)

350 slow 42 rounds 300

250

200

150 6 rounds 9 rounds 100 Performance 1-round SPN structure Recursive structure Total number of s-boxes 50 2-round SPN structure fast 0 -32 -64 -96 -128 -160 -192 -224

Upper bounds of max differential/linear prob( log2 ) Security secure First AES Candidate Conference Copyright NTT 1998 F - Function Overview

K (2) K (1)

F - Function s s s s s s s s s s s s s s s s

S - Function P - Function S - Function

First AES Candidate Conference Copyright NTT 1998 Design Rationale of P-Function

· Maximize minimum number of active s-boxes w Minimize upper bound of maximum differential / linear prob. of round function · Use only XOR operation w Simple construction w Efficient implementations in both software and hardware · Minimize gate counts required for hardware

First AES Candidate Conference Copyright NTT 1998 Design Rationale of P-Function

First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 3 (Bad P-Function)

K (2) K (1)

F - Function s s s s s s

D Y s s D X s s s s s s s s

P - Function Many active s-boxes mean high security against DC. First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 5 (E2 P-Function)

K (2) K (1)

F - Function s s s s s s

D Y s s D X s s s s s s s s

P - Function

First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 5 (cont.)

K (2) K (1)

F - Function s s s s s s

D Y s s D X s s s s s s s s

P - Function

First AES Candidate Conference Copyright NTT 1998 Design Rationale of s-box

1. Suitability for various platforms

2. No trap-doors

3. No vulnerability to known attacks

First AES Candidate Conference Copyright NTT 1998 Rationale 1 : Suitability for Various Platforms

· Table-lookup w efficiency does not depend on processors with various word-lengths (8, 16, 32, 64 bits)

· One 8-by-8-bit s-box w consideration for 8-bit smart card implementations

First AES Candidate Conference Copyright NTT 1998 Rationale 2 : No trap-doors

· Design principle is publicly given

· Based on well-known mathematical functions

First AES Candidate Conference Copyright NTT 1998 Candidates of s-box

· s : GF(2)8 GF(2)8 ; x s(x) = g ( f (x) ) candidates of f (x) and g(x) k 8 I. x in GF(2 ) " k ÎGF(28), k ¹ 1 x 8 II. u in Z/(2 +1)Z " u Î Z/(28+1)Z , u ¹ 0,1 k 8 III. x in Z/(2 +1)Z " k Î Z/(28+1)Z , k ¹ 1 8 IV. ax+b in Z/(2 )Z " a, b Î Z/(28)Z 8 V. ax+b in Z/(2 +1)Z " a, b Î Z/(28+1)Z 3 £ wH(a), wH(b) £ 5 Note that 256ÎZ/(28+1)Z corresponds to 0ÎGF(2)8 .

First AES Candidate Conference Copyright NTT 1998 Rationale 3 : No Vulnerability to Known Attacks

· Considered Attacks wDifferential cryptanalysis [BS90] wLinear cryptanalysis [M93] wHigher order differential attack [JK97] wInterpolation attack [JK97] wPartitioning cryptanalysis [HM97]

First AES Candidate Conference Copyright NTT 1998 How to select s-box

· s : GF(2)8 GF(2)8 ; x s(x) = g ( f (x) ) I. f (x) = x e in GF(28) IV. g(y) = ay + b in Z/(28)Z

Composition of functions from different groups

expected to be effective in thwarting algebraic attacks, e.g., interpolation attack

First AES Candidate Conference Copyright NTT 1998 How to select s-box parameters (1)

s : GF(2)8 GF(2)8 ; x s(x) = g ( f (x) ) f (x) = x e in GF(28) g (y) = ay + b in Z/(28)Z

a · Criteria for the considered 5 attacks · Bijectivity · Hamming weight of a, b · Differential-linear prob.