Perfect Diffusion Primitives for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Perfect Diffusion Primitives for Block Ciphers Vaudenay Preliminaries – Diffusion / Confusion Building Efficient MDS Matrices MDS Matrices ... Multipermutation ... and their Implementation Pascal Junod and Serge Vaudenay 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4; 4)-Multipermutation ÉCOLE POLYTECHNIQUE (8; 8)-Multipermutation FÉDÉRALE DE LAUSANNE Concluding Remarks Selected Areas in Cryptography '04 University of Waterloo (Canada), August 9, 2004 Perfect Diffusion Primitives Outline of this talk for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation I Preliminaries 32/64-bit Architectures 8-bit Architectures I MDS Matrices ... Bi-Regular Arrays Our Results I ... and their Implementation Definition I Some New Constructions Bi-Regular Arrays (4; 4)-Multipermutation (8; 8)-Multipermutation I Some New Constructions Concluding Remarks Perfect Diffusion Primitives Back to Shannon for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries I Notions of confusion and diffusion introduced by Diffusion / Confusion MDS Matrices ... Shannon in “Communication Theory of Secrecy Multipermutation Systems” (1949) ... and their Implementation 32/64-bit Architectures I Confusion: “The method of confusion is to make the 8-bit Architectures Bi-Regular Arrays relation between the simple statistics of EK (:) and the Our Results simple description of K a very complex and involved Definition Some New Constructions one.” (4; 4)-Multipermutation I Diffusion: “In the method of diffusion the statistical (8; 8)-Multipermutation Concluding Remarks structure of M which leads to its redudancy is dissipated into long range statistics – i.e., into statistical structure involving long combinations of letters in the cryptogram.” Perfect Diffusion Primitives Confusion for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation I ... and their Implementation Notion of confusion nowadays related to the ones of 32/64-bit Architectures 8-bit Architectures I S-Box Bi-Regular Arrays I non-linearity Our Results I Boolean functions Definition Some New Constructions I algebraic attacks (4; 4)-Multipermutation (8; 8)-Multipermutation I Plenty of academic papers on this subject ! Concluding Remarks Perfect Diffusion Primitives Diffusion : Historical Perspectives for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay I Less studied in a rigorous (mathematical) way until mid Preliminaries Diffusion / Confusion of 90’s MDS Matrices ... Multipermutation I Schnorr-Vaudenay (FSE’93 / EUROCRYPT’94) : ... and their Implementation introduction of the concept of multipermutation 32/64-bit Architectures 8-bit Architectures I Vaudenay (FSE’95) : a linear multipermutation is Bi-Regular Arrays Our Results equivalent to an MDS code Definition I Some New Constructions Daemen (PhD thesis, 1995): Wide-Trail Strategy (4; 4)-Multipermutation I (Choose “good” S-boxes) (8; 8)-Multipermutation I “Design the round transformation in such a way that only Concluding Remarks trails with many S-boxes occur.” I Rijmen, Daemen, Preneel, Bossalaers, De Win (FSE’96): design of SHARK whose diffusion layer is based on MDS codes Perfect Diffusion Primitives Multipermutation Nowadays for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation I Very few MDS codes are known ... and their Implementation I 32/64-bit Architectures Seldom used in practice 8-bit Architectures I Bi-Regular Arrays Widely spread building block in symmetric schemes Our Results Definition I Non-linear multipermutation: CS-Cipher Some New Constructions I (4; 4)-Multipermutation Linear multipermutation (MDS matrices): AES, (8; 8)-Multipermutation Camellia, Twofish, Khazad, FOX, and many, many Concluding Remarks others ! Perfect Diffusion Primitives In this Talk for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation I 32/64-bit Architectures Interested in “efficient” linear multipermutations 8-bit Architectures I Bi-Regular Arrays Brief recall about MDS matrices and their properties Our Results Definition I Definition of what we mean by “efficient” Some New Constructions I (4; 4)-Multipermutation New propositions (8; 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives Multipermutation: a De®nition for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures De®nition (Multipermutation) 8-bit Architectures p q A diffusion function f from K to K is a multipermutation if Bi-Regular Arrays Our Results for any x1; : : : ; xp 2 K and any integer r with 1 ≤ r ≤ p, Definition modifying r input values on f (x1; : : : ; xp) results in modifying Some New Constructions (4; 4)-Multipermutation at least q − r + 1 output values. (8; 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives Multipermutation: Another De®nition for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation I De®nition (Multipermutation) ... and their Implementation p q 32/64-bit Architectures A diffusion function f from K to K is a 8-bit Architectures multipermutation if the set of all words consisting of Bi-Regular Arrays Our Results x1; : : : ; xp concatenated with f (x1; : : : ; xp) is a code of Definition p (#K) words of length p + q with minimal distance Some New Constructions (4; 4)-Multipermutation q + 1. (8; 8)-Multipermutation Concluding Remarks I Matches the Singleton bound (hence the link to MDS codes) Perfect Diffusion Primitives Multipermutation: Example for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay I Representation of the finite field GF(28) : polynomials Preliminaries Diffusion / Confusion of degree at most seven with coefficients in GF(2) MDS Matrices ... modulo the irreducible polynomial Multipermutation ... and their Implementation 32/64-bit Architectures p(ξ) = ξ8 + ξ7 + ξ6 + ξ5 + ξ4 + ξ3 + 1 8-bit Architectures Bi-Regular Arrays Our Results I Addition: XOR Definition I Multiplication: usual multiplication of polynomials Some New Constructions (4; 4)-Multipermutation modulo p(ξ) (8; 8)-Multipermutation I Consider the following multipermutation on GF(28)2: Concluding Remarks x y 1 ξ x µ : 1 7! 1 = × 1 x2 y2 1 1 x2 Perfect Diffusion Primitives Why is it a Multipermutation ? for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge I Because µ is invertible : Vaudenay − Preliminaries 1 7 5 3 7 5 3 1 ξ ξ + ξ + ξ ξ + ξ + ξ + 1 Diffusion / Confusion = 7 5 3 7 5 3 MDS Matrices ... 1 1 ξ + ξ + ξ ξ + ξ + ξ Multipermutation ... and their Implementation I Because, when fixing x to a constant c, both y and y 32/64-bit Architectures 1 1 2 8-bit Architectures are permutations of x2 : Bi-Regular Arrays Our Results Definition y1 = c ⊕ (ξ · x2) Some New Constructions (4; 4)-Multipermutation y2 = c ⊕ x2 (8; 8)-Multipermutation Concluding Remarks I Because, when fixing x2 to a constant c, both y1 and y2 are permutations of x1 : y1 = x1 ⊕ (ξ · c) y2 = x1 ⊕ c Perfect Diffusion Primitives Why is it a Multipermutation (2)? for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures I Bi-Regular Arrays Because det(µ) =6 0 and every sub-determinant of µ is Our Results different of 0. Definition Some New Constructions (4; 4)-Multipermutation (8; 8)-Multipermutation Concluding Remarks Perfect Diffusion Primitives 32/64-bit Architectures for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4; 4)-Multipermutation (8; 8)-Multipermutation Concluding Remarks I Lot of fast memory (L1 cache) I Table lookups + XORs: y1 1 ξ = x1 × ⊕ x2 × y2 1 1 Perfect Diffusion Primitives 8-bit Architectures for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion MDS Matrices ... Multipermutation ... and their Implementation 32/64-bit Architectures 8-bit Architectures Bi-Regular Arrays Our Results Definition Some New Constructions (4; 4)-Multipermutation I Less memory at disposal ! complete precomputation (8; 8)-Multipermutation is impossible! Concluding Remarks I The matrix elements value matters ! I Multiplications by 1 are “free” operations I Possible to precompute the operation “multiplication by a constant c” Perfect Diffusion Primitives Our strategy for Block Ciphers – Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay Preliminaries Diffusion / Confusion I MDS Matrices ... Maximize the number of 1’s in the matrix. Multipermutation I Minimize the number of different