Turk J Elec Engin, VOL.9, NO.2 2001, c TUB¨ ITAK˙ Performance Evaluation of Safer K-64 and S-Boxes of the Safer Family Ekrem ARAS, Melek D. YUCEL¨ Electrical Engineering Department of Middle East Technical University, 06531 Ankara-TURKEY Abstract If the characteristics of s-boxes of the SAFER family of ciphers are examined for the criteria of strict avalanche, bit independence, and XOR table distribution, experiments show that the “exponentiating” s-box has a weakness for an input difference of 128 (=10000000 2) and the “logarithm-taking” s-box has a weakness for an input difference of 253 (=111111012). However, since these experiments are performed by isolating the s-boxes from the general structure, they do not necessarily indicate a weakness in the overall algorithm. We propose a quick and rough test method, called the avalanche weight distribution criterion, to evaluate the overall performance of block ciphers. We then apply this novel criterion and the conventional strict avalanche criterion to SAFER K-64, and show that the algorithm passes both tests successfully despite the specific weaknesses of its isolated s-boxes. 1. Introduction Secure And Fast Encryption Routine with a Key of length 64 bits [1] (SAFER K-64) is a symmetric (one- key) block cipher, designed by James L. Massey. SAFER K-64 is the first designed cipher of the SAFER family of ciphers, which differ only in their key schedules and in the number of rounds used. The encryption and decryption blocks of the SAFER family of ciphers contain two nonlinear oper- ations, called the “exponentiating box” and “logarithm-taking box”, which may have significant effects on the strength of the entire system. If the “exponentiating” and “logarithm-taking” boxes of the SAFER fam- ily of ciphers are examined with respect to the criteria of completeness, avalanche, strict avalanche (SAC ) and bit independence (BIC ), by considering them to be isolated from the general structure of the cipher [2,3,4], experiments show that the “exponentiating” s-box has a weakness for an input difference of 128 (=10000000 2 ) and the “logarithm-taking” s-box has a weakness for an input difference of 253 (correspond- ing to 111111012 ). However, since these experiments are performed by isolating the boxes from the general structure, these results do not indicate an overall weakness in the SAFER algorithms. We propose a quick and rough test method, called the Avalanche Weight Distribution (AWD ) criterion, to evaluate the overall performance of block ciphers [4,5,6]. We then apply this novel criterion and the conventional strict avalanche criterion to SAFER K-64, and show that the cryptographic algorithm passes both tests successfully. 161 Turk J Elec Engin, VOL.9, NO.2, 2001 In Section II, we introduce the Avalanche Weight Distribution (AWD ) criterion after briefly dis- cussing the conventional criteria of completeness, avalanche, strict avalanche, bit independence and X-OR distribution. SAFER K-64 is described and the corresponding s-box results are summarized in Section III. The overall round by round performance of SAFER K-64 is presented in terms of AWD curves in Section IV, and with reference to the conventional strict avalanche criterion in Section V. Conclusions are discussed in Section VI. 2. Cryptographic Test Criteria Ideally, a block cipher should be hard to break, easy to implement, and fast to encrypt. In 1949, Shannon gave us the fundamental theory of symmetric (secret-key) cryptosystems [7], in which he presented the principles of diffusion and confusion. Since then, these principles have become the essential properties that block ciphers must have and methods of achieving good diffusion and confusion have been at the heart of block cipher design. Actually both principles are defined in quite similar forms and try to achieve the same goal: hiding the statistical features of the plaintext. To design a cipher according to the principle of diffusion means that one designs it to ensure that “the statistical structure of plaintext which leads to its redundancy is dissipated into long term statistics” [7]. Lai [8] states the principle of diffusion as follows: “for virtually every key, the encryption function should be such that there is no statistical dependence between simple structures in the plaintext and simple structures in the ciphertext and that there is no simple relation between different encryption functions ”. In other words, every bit of the ciphertext should depend on every bit of the plaintext and every bit of the key, i.e., the effect of changing one bit in the plaintext or in the key should be sensed on all ciphertext bits. This ensures that the statistics of the plaintext are dissipated within the ciphertext so that an attacker cannot predict the plaintext that corresponds to a particular ciphertext, even after observing a number of similar plaintexts and their corresponding ciphertexts. To design a cipher according to the principle of confusion means that one designs it so as “to make the relation between the simple statistics of ciphertext and the simple description of key a very complex and involved one” [7]. The principle of confusion is also stated [8] as follows: “the dependence of the key on the plaintext and ciphertext should be so complex that cryptanalysis is useless”. We first describe the conventional test criteria which can be applied either to the overall transformation describing a block cipher or to the isolated s-boxes of substitution permutation networks. We then define our novel criterion of Avalanche Weight Distribution (AWD ), which measures the overall performance roughly but quickly. 2.1. Conventional Test Methods 1) Completeness The idea of completeness was introduced by Kam and Davida [9]. If a cryptographic transformation is complete, then each ciphertext bit must depend on all of the plaintext bits. Thus, if it were possible to find the simplest Boolean expression for each ciphertext bit in terms of the plaintext bits, each of those expressions would have to contain all of the plaintext bits if the function was complete. 2) Avalanche Criterion The idea of avalanche was introduced by Feistel [10]. For a given transformation to exhibit the avalanche effect, an average of one half of the output bits should change whenever a single input bit is 162 ARAS, YUCEL:¨ Performance Evaluation of Safer K-64..., n → n complemented. In order to determine whether a given function f :Z2 Z2 (from the n dimensional binary n vector space into itself) satisfies this requirement, 2 plaintext pairs, P and P i , such that P and P i differ only in bit i(P i = P ⊕ e i ,ande i is the n-bit unit vector with a one in position i) are used to calculate n the 2 exclusive-or sums, Cd = f (P) ⊕ f (P i ). These output difference vectors Cd are referred to as avalanche vectors, and their elements are called avalanche variables. If one half of the avalanche variables are equal to 1 for each i in 1≤ i ≤ n, then the function f has a good avalanche effect. 3) Strict Avalanche Criterion The concepts of the completeness and the avalanche effect were combined by Webster and Tavares [11] to define the Strict Avalanche Criterion (SAC ). If a cryptographic function is to satisfy the strict avalanche criterion, then each output bit should change with a probability of one half whenever a single input bit is complemented. Consider two input vectors which differ only in bit i,with the corresponding avalanche vector Cd . f meets the strict avalanche criterion, if the probability that each bit in the avalanche vector Cd is equal to 1 is one half over the set of all possible input vectors P and P i , for all values of i. Therefore, completeness and the avalanche effect are necessary conditions if the strict avalanche criterion is to be met. In addition, f is said to satisfy the Maximum Order Strict Avalanche Criterion (MOSAC ) if for all j such that 1≤ j ≤ n, flipping any combination of one or more input bits changes the output bit j with probability one half [12]. Distance to SAC and distance to MOSAC are the measures of the closeness of the cipher function f, to SAC and MOSAC respectively. We define normalized distance to SAC for the jth avalanche variable as follows: X 1 n−1 {DSAC [j] | Pd = ei} = 2 − Cd [j] (1) 2n−1 all(P,Pi ) max { | } DSAC [j]= max DSAC [j] Pd = ei (2) 1≤i≤n th where e i is the n-bit unit vector with a 1 in position i, P d is the input difference, Cd [ j ]isthej max avalanche variable of the avalanche vector Cd .IfSAC is satisfied perfectly, then DSAC[j] is 0 for all output max bits, and in the worst case normalized distanceDSAC [j] is equal to 1. Similarly, we define normalized distance to MOSAC for the jth avalanche variable as X 1 n−1 {DMOSAC [j] | Pd = δ} = 2 − Cd [j] (3) 2n−1 all(P,P⊕δ) max { | } DMOSAC [j]= max DMOSAC [j] Pd = δ (4) 1≤δ≤2n−1 n where δ is the n-bit binary representation of any integer in [1, 2 −1], and the avalanche vector Cd = f (P) ⊕ ⊕ max f (P δ ). If MOSAC is satisfied, then DMOSAC[j] is 0, which is the ideal case. In the worst case, the max normalized distance DMOSAC[j] is equal to 1. 163 Turk J Elec Engin, VOL.9, NO.2, 2001 4) Bit Independence Criterion The idea of Bit Independence Criterion (BIC ) was introduced by Webster and Tavares [11]. For a given set of avalanche vectors generated by complementing a single plaintext bit, all avalanche variables should be pairwise independent.