The MAGENTA Block Cipher Algorithm Contents

The MAGENTA Block Cipher Algorithm Contents

The MAGENTA Blo ck Cipher Algorithm y M.J. Jacobson, Jr. and K. Hub er Deutsche Telekom AG Am Kavalleriesand 3 64295 Darmstadt GERMANY June 8, 1998 Contents 1 Intro duction 2 2 The MAGENTA Algorithm 2 3 Computational Eciency 3 4 Algebraic Prop erties 5 4.1 The Function f x . 5 4.2 The Function PEx; y . 6 4.3 Two Successive Combinations of . 6 4.4 The Function T . 7 3 4.5 The Function E . 7 4.6 The MAGENTA Algorithm . 8 5 Avalanche Prop erties 8 5.1 The Function f x . 8 5.2 The Function PEx; y . 8 3 5.3 The Function E . 9 5.4 The MAGENTA Algorithm . 10 6 Statistical Tests 10 7 Di erential Cryptanalysis 12 8 Linear Cryptanalysis 13 9 Palindrome Prop erties 14 10 Conclusions 14 A Assembler Co de 16 [email protected] y hub [email protected] 1 1 Intro duction The developmentofMAGENTAMultifunctional Algorithm for General-purp ose Encryption and Network Telecommunication b egan in 1990, with the basic design principles explained in the unpublished pap er [7]. The idea was to apply simple and transparent techniques no magic tables or constants which can b e eciently implemented in b oth software and hardware. Originally, this was realized by using a butter y structure to accomplish di usion and discrete exp onentiation in a nite eld for confusion. In the following years, the idea of hardware realizations was investigated more closely. In co op eration with hardware sp ecialist S. Wolter the butter y structure of the original prop osal was switched to the FHT shue structure, which has the advantage of giving identical structures at each stage. Further slightchanges to the algorithm o ccurred when an analysis of the algorithm done by sp ecialists of the company SIT [5] was carried out in 1994. Plans were to develop a chip which would be capable of op erating up to the gigabit/sec range see [8]. It was envisioned to use suchchips for encryption of ATM connections. Unfortunately the hardware realization did not pro ceed as planned since the need for such encryption is not yet widely appreciated, although investigations have shown that it should b e p ossible to achieve [8]. Currently, the MAGENTA algorithm is used within Deutsche Telekom for securing sensitive management data. In addition, a VHDL design and a FPGA Field Programmable Gate Array realization are in progress. There are two schemes to mention which essentially used structures of the fast Fourier Transform for cryptographic purp oses prior to the MAGENTA algorithm. The rst is an invention of Jean Pierre Vaseur [19] whichwas led on 2nd June 1959. The second is the so-called Comp-128 algorithm which is used by some GSM providers. The Comp-128 algorithm was designed at the end of the eighties, and was recently disclosed through the Internet. In the next section, we describ e the MAGENTA algorithm in detail. As mentioned ab ove, the security of MAGENTA has b een analyzed in great detail on b ehalf of Deutsche Telekom by SIT GmbH for use with 128-bit keys. In Sections 4 to 9, we highlight the details of the internal rep ort based on this analysis [5] and extend the analysis to 192 and 256 bit keys where appropriate. 2 The MAGENTA Algorithm 8 Let B = f0; 1g b e the set of all 8-bit binary vectors bytes. For x 2 B; we will write x =x ;x ;:::;x ; 7 6 0 7 6 and we asso ciate eachbyte with an integer in f0; 1;:::;255g via the formula x ;x ;:::;x 7! 2 x +2 x + 7 6 0 7 6 ::: + x : The op erator will denote bitwise addition mo dulo 2; i.e., the usual bitwise XOR op eration. 0 The heart of the MAGENTA algorithm is based on the Fast Hadamard Transform FHT [10]. However, we replace the addition and subtraction at each no de in the shue structure by the following non-linear 8 6 op eration. Let b e a primitive element of the eld GF 256 with generating p olynomial px=X + X + 5 2 X + X + 1 and p =0: For all x 2 B; de ne x x 6= 255 f x= 1 0 x = 255 : 2 Then, for all x; y 2 B we de ne Ax; y =f x f y 2 and PEx; y =Ax; y ;Ay; x = f x f y ;fy f x : 3 16 For all x ;:::;x 2 B ; our mo di cation of the FHT is given by 0 15 T x ;:::;x = x ;:::;x ; 4 0 15 0 15 where x ;:::;x is de ned as 0 15 x ;:::;x =PEx ;x ;PEx ;x ;:::;PEx ;x : 5 0 15 0 8 1 9 7 15 2 The function T x ;:::;x op erates on a single 128-bit parameter and returns a 128-bit output. Clearly, 0 15 this op eration is very quick, since it can b e implemented entirely with bit op erations. 16 For all X =x ;:::;x 2 B ; de ne 0 15 X =x ;x ;:::;x e 0 2 14 and X =x ;x ;:::;x ; o 1 3 15 i.e., X consists of the bytes of X with even index and X consists of the bytes of X with o dd index. The e o function C consists of rep eated applications of our FHT variant, and is recursively de ned for j 1 and all x ;:::;x by 0 15 j +1 j j 6 C x ;:::;x =T x ;:::;x C ; x ;:::;x C 0 15 0 7 8 15 e o 1 where the initial value C = T x ;:::;x : For a xed numb er of rounds r; we de ne 0 15 r r E x ;:::;x =C : 7 0 15 e Originally,MAGENTAwas designed with r =7: However, during analysis by SIT GmbH [5, App endix] it was discovered that using r = 7 made a chosen plaintext attack p ossible. It was recommended that the numb er of rounds b e reduced to 3; and the analysis in the following chapters shows that to the b est of our knowledge this choice do es not result in any signi cant cryptographic weaknesses of the overall blo ck cipher. Therefore, we xr =3: The complete MAGENTA blo ck cipher makes use of the well-known Feistel construction [3] using the 3 16 8 function E as the basic cyryptomo dule. For x = x ;:::;x 2 B and y = y ;:::;y 2 B ; one 0 15 0 7 \Feistel-round" is de ned as 3 F x= x ;:::;x ; x ;:::;x E x ;:::;x ;y ;:::;y : 8 y 8 15 0 7 8 15 0 7 16 Let M =x ;:::;x 2 B b e one plaintext blo ck 128 bits. The MAGENTA algorithm supp orts the 0 15 following three key sizes: 128 bit: K =K ;K ; 1 2 192 bit: K =K ;K ;K ; 1 2 3 256 bit: K =K ;K ;K ;K ; 1 2 3 4 where K =y ;:::;y ;K =y ;:::;y ;K =y ;:::;y ; and K =y ;:::;y : The MAGENTA 1 0 7 2 8 15 3 16 23 4 24 31 algorithm makes use of six or eightFeistel rounds, where each round uses a di erent part of the key. The algorithm is given by 8 16 F F F F F F M if K =K K 2 B < K K K K K K 1 2 1 1 2 2 1 1 24 F F F F F F M if K =K K K 2 B Enc M = : 9 K K K K K K 1 2 3 K 1 2 3 3 2 1 : 32 F F F F F F F F M if K =K K K K 2 B K K K K K K K K 1 2 3 4 1 2 3 4 4 3 2 1 Due to a palindromic prop erty of Equation 9 given in Section 9, the decryption function can easily be expressed in terms of the encryption function by Dec M =V Enc V M ; 10 K K where V x ;:::;x =x ;x ;:::;x ;x ;x ;:::;x : 0 15 8 9 15 0 1 7 3 Computational Eciency In this section, we give estimates of the numb er of clo ck cycles required to p erform ve basic op erations of the MAGENTA algorithm on two architectures, an Intel Pentium Pro pro cessor running at 200 MHz and the Z80 micropro cessor, a typical 8-bit pro cessor. In particular, we consider the following op erations: 3 set up a key, change a key, initialize the algorithm, encrypt one 128-bit blo ck in ECB mo de, decrypt one 128-bit blo ck in ECB mo de. We analyze all three key sizes supp orted byMAGENTA, namely 128; 192; and 256 bits. In order to obtain eciency estimates on a Pentium Pro pro cessor, we computed the run times in seconds 6 required to p erform eachof the ve op erations 10 times on a given random key-plaintext pair using our optimized C implementation. These run times were then normalized to obtain an approximation of the 6 number of clo ck cycles required for one iteration by dividing by 10 the total number of iterations and 8 multiplying by the numb er of cycles p er second 2 10 . The results of these calculations are in Table 1.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us