Analysis and Design of Block Ciphers by Amr Mohamed Youssef A thesis submitted to the Department of Electrical and Cornputer Engineering in conformity with the requirements for the degree of Doctor of Philosophy Queen's University Kingston, Ontario, Canada December 1997 Copyright @ 1997 Amr Mobamed Youssef National Library Bibliothèque nationale du Canada Acquisitions and Acquisitions et Bibliographie Services services bibliographiques 395 Wellington Street 395. rue Wellington OttawaON K1AON4 Ottawa ON K1A ON4 Canada Canada The author has granted a non- L'auteur a accordé une licence non exclusive licence dowing the exclusive permettant à la National Library of Canada to Bibliothèque nationale du Canada de reproduce, loan, distribute or sel1 reproduire, prêter, distribuer ou copies of this thesis in microform, vendre des copies de cette thèse sous paper or electronic formats. la forme de microfiche/fih, de reproduction sur papier ou sur format électronique. The author retains ownership of the L'auteur conserve la propriété du copyright in this thesis. Neither the droit d'auteur qui protège cette thèse. thesis nor substantial extracts fiom it Ni la thèse ni des extraits substantiels may be printed or otherwise de celle-ci ne doivent être imprimés reproduced without the author's ou autrement reproduits sans son permission. autorisation. In this thesis we study various cryptographic properties of boolean mappings from n bits to m bits. In particular, we derive expressions for the expected size of the maximum XOR table entry and the maximum Linear Approximation Table enûy for some combinatorid structures of interest such as regular (balanced) mappings, and injective mappings. We derive similar expressions for the expected value of different foms of information leakage and relate different forms of information leakage to the spectral properties of the function. We also extend the definitions of many cryptographic criteria to multi-ouput boolean functions and study the relationship between the Walsh-Hadamard transform and various types of information leakage. A new construction method for highly nonlinea. injective s-boxes is presented. It is shown that the resistance of CAST-like encryption algorithms (based on randornly selected substitution boxes) to the basic linear cryptanalysis was underestimated in previous work. We introduce a new class of Substitution Permutation Networks (SPNs) with the advantage that the sarne network cm be used to perform both the encryption and the decryption operations. Different cryptographic properties of this class such as resistance to both linear and differential cryptanalysis are exarnined. We also presenr two constmction methods for involution linear transformations for SPNs based on Maximum Distance Separable codes. An analytical mode1 for the avalanche characteristics of SPNs with difierent linear transformation layers is developed. We dso prove a conjecture by Cusick regarding the number of functions satisfying the Strict Avalanche Criterion. Dedicated to my parents For their etemal love, encouragement, and support, 1 am grateful. iii Acknowledgments This work would never have been possible without the guidance, encouragement, and suggestions of my supervisor, Dr. Stafford Tavares. It is my pleasure to thank him for al1 of his help. 1 wish to thank Dr. Moustafa Fahrny who introduced me to Dr. Tavares. 1 gratefully acknowledge the financial support of the Ontario Ministry of Educarion, Telecommunication Research Lnstitute of Ontario (TRIO), and Queen's University. Special thanks and appreciation go to my wife, Ayda, for her many years of patient support and encouragement. List of Notation The set of binary numben The set of binary n-niples XOR operation A variable in Zi or GF(2") A scalar variable A random vaiable in 2; or GF(2") The cardinality of the enclosed set A mapping from 2: -, ZF The Hamming weight of a The dot product of a and x over Z2 The multiplication of a and x over GF(Zn) The Walsh transform of (- 1 ) ce/ (XI Linear Approximation Table entry XOR distribution table entry LAT* rnax 1 L AT(a.b) 1 a#O.b XO R* NA~A~ Ax#O,Ay NLf Nonlinearity of f In(n. m) Number of injective fùnctions f : ZI: + Zy Number of balanced functions f : 21" -. Zr: The entropy hinction The binary entropy function The mutuai information Static information leakage Self static information leakage Dynamic information leakage Trace function Table of Contents Abstract ........................................... ii ................................................. iv List of Notation ...................................... v List of Figures ....................................... xi List of Tables ....................................... xiii Chapter 1 Introduction ............................. 1 1.1 Motivation for this Research ................... 2 1.2 Outline of Remainder of Thesis ................. 3 Chapter 2 Previous Research ........................ 4 2.1 Architectures ............................ 4 2.1.1 Substitution-Permutation Networks ............... 5 2.1.2 DES-like Structure (Feistel Networks) ............. 7 2.1.3 Other Structures .......................... 9 2.2 S-box versus Non S-box Approaches ............. 9 2.3 Cryptanalysis ..........................10 2.3.1 Exhaustive Search .........................11 2.3.2 Differential Cryptanalysis .....................12 2.3.3 Linear Cryptanalysis .......................-14 2.3.4 Extensions to Linear and Differential Cryptanalysis ....15 2.3.5 Other Attacks ............................16 2.3.6 lmplementation Dependent Attacks ..............17 2.3.6.1 Timing Attacks ...........................17 2.3.6.2 Differential Fault Cryptanalysis .................17 Advanced Encryption Standard (AES) Requirements ...19 Mathematical Background and Definitions .........-21 Cryptographic Criteria for Boolean Functions ........21 The Inclusion-Exclusion Principle ................25 The Walsh Transform of Boolean Functions .........26 Chapter 3 Linear Approximation Table and XOR Distribution Table of Balanced S-boxes ........................ 29 Linear Approximation Table of Balanced S-boxes .....30 XOR Distribution Table of Balanced S-boxes ........32 3.4 Counting the Number of Nonlinear Balanced S-boxes ...38 3.5 Conclusion .............................-41 Chapter 4 Linear Approximation of Injective S-boxes ..........43 Definitions and Notation .....................43 Linear Approximation Table of Injective Mappings .....44 Construction of Highly Nonlinear Injective S-boxes ....47 Definitions .............................-47 Construction Method I ......................-49 Construction Method II ..................... -50 Comments on the Security of the CAST Encryption Algorithm .............................. 53 Chapter 5 Information Leakage and Spectral Properties of Boolean Functions ..............................55 Introduction ............................ -55 Definitions ..............................56 viii Information Leakage of a Randornly Selected Boolean Function ...............................60 Information Leakage of a Randorniy Selected Balanced Boolean Function ........................ -64 Information Leakage of a Randomly Selected Injective Boolean Function .........................67 Relation Between the Walsh Transforrn and Different Foms of Information Leakage ................ 69 5.6.1.1 Extended Definitions .......................73 5.7 Conclusion ............................. -75 Chapter 6 A New Class of Substitution-Permutation Networks ....77 6.1 Introduction ............................-77 6.2 S-boxes ...............................79 6.3 S-box lnterconnection Layer .................87 6.3.1 Proposed Linear Transformation ................88 6.3.2 Involution Linear Transformations based on MDS codes . 89 6.4 Resistance to Differential and Linear Cryptanalysis ....93 6.5 Cyclic Properties of the Proposed SPN ...........96 6.6 Key Scheduling Algorithm ....................97 6.7 Performance ...........................100 6.8 Conclusion .............................100 Chapter 7 Modelling Avalanche Characteristics of Substitution- Permutation Networks Using Markov Chains ....... 102 Introduction ............................102 Convergence in Markov Chains ...............105 7.3 Modelling Avalanche in S-boxes ............... 106 7.4 Modelling the Linear Transformation Layer .........108 7.4.1 Model A .Fixed Permutation Layer ......108 7.4.2 Model 8 .Linear Transformation Type 1 .........108 7.4.3 Model C .Linear Transformation Type 2 ...111 7.4.4 Model 0 .Linear Transformation Type 3 .........113 7.5 Resufts and Discussion ..................... 114 Chapter 8 Conclusion ............................. 120 8.1 Contributions of the Thesis .................. 120 8.2 Future Worù ............................ 121 Appendix A Cryptanalysis of the 'Nonlinear-Panty Circuitsn Proposed at Crypto '90 ........................... 123 Appendix B Cryptanalysis of 'key agreement scheme based on generalized inverses of matricesn .............. 127 Appendix C Bounds on the Number of Functions Satisfying the Strict Avalanche Criterion ................. , ..... 131 References ........................................137 Vitae ................................151 List of Figures Figure 2.1 General Classification of Block Cipher Architectures .... 5 Figure 2.2 SPN with N = 16. R = 4 and R = 3 .............. 6 Figure 2.3 Round i of DES-like Cipher ................... 8 Figure 4.1 CAST Round Function ......................53 Figure 5.1 Lower Bound for the Binary Entropy Function ........61