sign in sign up
<<
Home , DFC (cipher)

Decorrelated Fast Cipher

Serge Vaudenay

Ecole Normale Sup erieure { CNRS

August 1998

First Advanced Standard Conference

Private Communications

-

secure

K K

? ?

CT CT

- - -

1

insecure

PT PT AES

AES

128

message space: M = f0; 1g

message blo ck: PT 2M

encryption function: AES p ermutation over M K

Security of Blo ck Ciphers

-

Random Secret K

AES

6

CT = AES PT

PT

K

?

- -

0

Random Tap e !

Attacker A

K

! secret random p ermutation with a given public distribution

! we study the attack \on average" on the key

De nition. AES is -secure against a class CL of attack if

 

AES

K

8A 2 CL Pr A = K  

!;K

Previous Work on Provable Security

[Shannon 49]: notion of p erfect secrecy, imp ossibilityof achieving it

[Wegman-Carter 81]: provably secure MAC with universal hashing

[Luby-Racko 88]: the Feistel scheme with random round function

is \almost" a random p ermutation

[Biham-Shamir 90]: notion of di erential

[Lai-Massey-Murphy 91]: notion of Markov cipher

[Matsui 93]: notion of

[Nyb erg-Knudsen 92]: construction of cipher which is provably

resistant against di erential cryptanalysis

[Matsui 96]: construction of MISTY which is provably resistant

against di erential and linear cryptanalysis

Perfect Decorrelation

To the order 1:

8PT AES PT has a uniform distribution

K

To the order 2:

0 0

8PT 6=PT AES PT; AES PT  has a uniform distribution

K K

0 0

among all CT; CT  such that CT 6=CT

To the order d:

8PT 6=PT  AES PT ;:::;AES PT  uniform

i j K 1 K d

among all CT ;:::;CT  such that CT 6=CT 

1 d i j

Resistance Against Di erential Cryptanalysis

If AES has a p erfect decorrelation to the order 2, then for all a 6=0

and b 6=0, we have

1

: Pr [AES PT  a = AES PT  b]=

K K

128

K;PT

2 1

! AES resists \on average" against any di erential attack with a

xed characteristic.

Basic Examples

The Vernam Cipher One-time pad [Vernam 26]

128

AES PT = PT  K with K 2 f0; 1g

K U

! p erfect decorrelation to the order 1

Basic COCONUT Cipher

128  128

AES PT=A  PT  B with A; B  2 GF2   GF 2 

A;B U

! p erfect decorrelation to the order 2

Design Strategy

 we do not need \p erfect" decorrelation: we tolerate imp erfect

decorrelation as long as we can quantify it

m

 we do not want GF2  multiplication: we want fast software

implementations

! use the integer multiplication

 we do not want ad hoc construction: we want to get

decorrelation on arbitrary cipher by adding a few

\decorrelation mo dules"

! we add the

m

F x=A  x + B modp mo d 2

A;B

m 2

decorrelation mo dule with A; B  2 f0;:::;2 1g . U

Decorrelation Distance

To each random mapping F from A to B we asso ciate the

2 2 2

A B -matrix [F ] : the pairwise distribution matrix.

2 2

Given x =x ;x  2A and y =y ;y  2B , we have

1 2 1 2

2

[F ] = Pr[F x = y ;Fx =y ]:

1 1 2 2

x;y

De nition. Given two random functions F and G from A to B ,

the pairwise decorrelation distance between F and G is

   

X

Gx = y F x = y

1 1 1 1

2 2

Pr Pr jj[F ] [G] jj = max

x ;x

Gx = y F x = y

1 2

2 2 2 2

y ;y

1 2

Theoretical Results

If

64 64

F x= Ax + B mod2 + 13 mo d 2

A;B

128  64

for A; B  2 f0; 1g and F is a random function on f0; 1g

U

with a uniform distribution then

2  2 58

jj[F ] [F ] jj  2 :

If DFC is a 6-round in which each round

A ;B ;:::;A ;B

1 1 6 6

function can be written

64 64

RF x = CPA x + B mod2 + 13 mo d 2 

i i i

768 

for A ;B ;:::;A ;B  2 f0; 1g and C is a random

1 1 6 6 U

128

p ermutation on f0; 1g with a uniform distribution then

2  2 113

jj[DFC] [C ] jj  2 :

Security Results

2  2

Let  = jj[DFC] [C ] jj.

For any di erential or linear distinguisher, if the complexityis far

1

less than  , then the success probabilityis negligible.

92

! no such attacks p ossible if a key is used less than 2 times.

For any iterated attackof order 1, if the complexityis far less than

1

2

, then the success probabilityis negligible. 

48

times. ! no such attack p ossible if a key is used less than 2

Iterated Attack of Order 1

Input: a cipher AES, a complexity n, a test T , an acceptance set A

1. for i from 1 to n do

a get a new X; Y  pair with Y = AESX  pair

b set T = 0 or 1 with an exp ected value T X; Y 

i

2. if T ;:::;T  2 A accept otherwise reject

1 n

The attack is successful if AES is likely to be accepted and a

random p ermutation is likely to b e rejected.

One Encryption

PT K

R R

0 1

?

EF

? ?

RK

1



RK

2



.

.

Enc

.

RK

8



R R

9 8

? CT 1 2 3 4 5 6 7 8 RK RK RK RK RK RK RK RK 1 8 ? R R         ? ? ? ? ? ? ? ? RF RF RF RF RF RF RF RF         0 9 ? ? ? ? ? ? ? ? ?         R R

The Round Function

We let RK = ARK ; BRK .

i i i

The output of the decorrelation mo dule is

64 64

ARK  R + BRK mod2 + 13 mo d 2

i i i

RK

i

?

y

l



 

R

CP

dec.

i



y

r

The Confusion Permutation

We use a Round Table RT0;:::;RT63.

y y

l r

?

RT  trunc

6

? ?

 

 

KC

? ?



+

KD ?

The Expansion Function

We use two linear functions EF and EF and let RK =0.

1 2 0

EF K  and EF K  are used exactly 4 times.

1 2

K

 

EF

1

?



RK

Enc

i

6

 

EF

2

Implementations

micropro cessor cycles-p er-bit clo ck-frequency bits-p er-second

AXP 4.36 600MHz 137.6Mbps

Pentium 5.89 200MHz 34.0Mbps

SPARC 6.27 170MHz 27.1Mbps

Motorola 6805 smart cards: one encryption within 9.80ms.

Security

Assumption:

Enc indistinguishable from a random p ermutation within 4 calls

EF

1

 no di erential or iterated attackof order 1 on 6 rounds

192

 weak keys for ARK = ARK = ARK =0 one out of 2 

2 4 6

56

 exhaustive search on 80 keys within 22 years for 2 bps p ossible

 no timing attacks with constant-time implementations

 no photo nishing attack no bitslice

 weak when reduced downto 4 rounds

Errata

Last lines of EES in the extended abstract p. 9:

78d56ced 94640d6e f0d3d37b e67008e1 86d1bf27 5b9b241d

x

eb64749a

x

Eq. 26 in the extended abstract p. 8 and Eq. 22 in the full

rep ort p. 9:

EES = RT0jRT1j :::jRT63jKDjKC