Cipher and Hash Function Design Strategies based on linear and differential cryptanalysis Joan Daemen March 1995 i Note: This version has been compiled in January 2004. With respect to the original version,the formatting of some formulas was modified for layout purposes and some sentences were rephrased to allow easier line breaks. ii Voorwoord In deze inleiding maak ik van de gelegenheid gebruik om al diegenen te bedanken die er voor hebben gezorgd dat dit doctoraat tot stand is gekomen in een informele en vriendschappelijke werksfeer met veel ruimte voor samenwerking,creativiteit en persoonlijk initiatief. In de eerste plaats denk ik hierbij aan mijn promotoren Prof. Ren´e Govaerts en Prof. Joos Vandewalle,die mij op weg hebben geholpen met concrete voorstellen voor onderzoek. Door mij steeds te wijzen op het belang van de praktische toepasbaarheid van onderzoeksresultaten hebben zij voor een belangrijk deel de toon gezet voor deze verhandeling. Voorts wil ik graag de overige leden van het leescomit´e bedanken,Prof. Bart De Decker van het Dept. Computerwetenschappen en Prof. Jean-Jacques Quisquater van de UCL. Mijn oprechte dank gaat ook uit naar mijn collega en jurylid Bart Preneel,die het manuscript op vrijwillige basis heeft nagelezen en met wie ik vele leerrijke gesprekken gevoerd heb. Een speciaal woord van dank gaat naar jurylid Prof. Luc Claesen van IMEC voor zijn inzet en enthousiasme die hebben geleid tot de vlotte implementatie en demonstratie van de Subterranean chip. I am also grateful to Prof. Peter Landrock of the university of Arhus˚ for serving in my jury despite his busy agenda. Als laatste jurylid bedank ik voorzitter Prof. Willy Dutr´e. Verder bedank ik graag mijn collega’s met wie ik binnen ESAT heb samengewerkt en op wie ik nooit tevergeefs een beroep heb gedaan. Ik denk hierbij speciaal aan Jan Verschuren die meer dan wie ook heeft bijgedragen tot de positieve sfeer. Verder vermeld ik graag Luc Van Linden,Antoon Bosselaers,Cristian Radu,Vincent Rij- men,Ria Vanden Eynde,Rita Dewolf,Steven Vanleemput,Patrick Wuytens,Mark Vandenwauver,Andr´eBarb´e,Elvira Wouters,Marc Genoe,Gert Peeters en Zohair Sahraoui. I would also like to thank all people from the international scientific community who have supported or helped me during my research. Among them are Tsutomu Matsumoto,Markus Dichtl,William Wolfowicz,Jorge Davila,Bert Den Boer,Dou- glas Stinson,Ronald Rivest and Jan Egil Øye. Ik wil graag besluiten met die mensen te bedanken die mij het nauwst aan het hart liggen. Mijn ouders,voor hun onvoorwaardelijke steun,hun aanmoedigingen en hun oprechte interesse. Mijn verloofde Ilse,voor haar voortdurende toewijding en liefde waardoor het mij nooit aan motivatie en energie ontbroken heeft of zal ontbreken. iii Abstract This thesis contains a new approach to design block ciphers,synchronous and self-synchronizing stream ciphers and cryptographic hash functions. The goal of this approach is the specification of cryptographic schemes that are secure,simple to describe and that can be implemented efficiently on a wide variety of platforms. Key words are simplicity,symmetry and parallelism. An overview of the different types of ciphers,encryption schemes and hash functions is given,the nature of cryptographic security is discussed and some new security-related definitions are presented. The design is mainly guided by the resistance against differential and linear cryptanalysis. The basic mechanisms of these two attacks are investigated and their structure is clarified by adopting a new formalism for their description and analysis. The resistance against differential and linear cryptanalysis is obtained by applying the new wide trail strategy that emphasizes the mechanism of diffusion. The application of this strategy for the different types of ciphers and hash functions leads to a number of new structures and specific designs. A new self-reciprocal block cipher structure is introduced together with a new type of cryptographic component: the stream/hash module. The design of single-bit self-synchronizing stream ciphers is treated and the potential weaknesses of ciphers that make use of arithmetic operations are analyzed. The design approach is supported by a number of new cryptanalytic results. iv Contents 1 Introduction 1 1.1Communicationandcomputersecurity................. 1 1.2Cryptography............................... 2 1.3 Research goals . ............................ 3 1.4Aboutthisthesis............................. 4 2 Encryption, Ciphers and Hash Functions 7 2.1Introduction................................ 7 2.2Thegenericencryptionscheme...................... 7 2.2.1 Encryptionthroughtransposition................ 8 2.2.2 Therealworld.......................... 9 2.2.3 Somedefinitions.......................... 10 2.2.4 Errorsensitivity.......................... 11 2.2.5 Streamversusblockencryption................. 13 2.3Synchronousstreamciphers....................... 14 2.3.1 Repeatedoccurrences....................... 16 2.3.2 Filteredcounterstreamciphers................. 16 2.4Self-synchronizingstreamciphers.................... 18 2.4.1 Repeatedoccurrences....................... 19 2.4.2 Outputfeedback(OFB)mode.................. 19 2.5Blockciphers............................... 20 2.5.1 Electroniccodebook(ECB)mode............... 21 2.5.2 Cipherblockchaining(CBC)mode............... 22 2.5.3 Outputfeedback(OFB)mode.................. 24 2.5.4 Filteredcounterscheme(FCS)mode.............. 26 2.5.5 Cipherfeedback(CFB)mode.................. 26 2.6Ciphersandencryptionschemes..................... 27 2.7Cryptographichashfunctions...................... 27 2.7.1 Hierarchicalhashingschemes.................. 29 2.7.2 Repeatedoccurrences....................... 29 2.8Conclusions................................ 31 3 Cryptographic Security 33 3.1Introduction................................ 33 3.2Thecryptanalyticsetting......................... 33 v vi CONTENTS 3.2.1 Ways of access .......................... 34 3.2.2 Exhaustivekeysearch...................... 35 3.3Provablesecurity............................. 36 3.3.1 Informationtheoreticapproach................. 37 3.3.2 Thecomplexitytheoreticapproach............... 38 3.4Securityinpractice............................ 42 3.4.1 Thecryptologicactivity..................... 43 3.5Definitionsofsecurity........................... 45 3.5.1 Superciphers........................... 45 3.5.2 Superencryptionschemes.................... 46 3.5.3 Supercryptographichashfunctions............... 46 3.5.4 K-secureprimitives........................ 47 3.5.5 Hermeticschemes......................... 48 3.6Manipulationdetectionindecryption.................. 49 3.7Conclusions................................ 52 4 Design Strategies 53 4.1Introduction................................ 53 4.2Generalrequirements........................... 53 4.2.1 Simplicity............................. 53 4.2.2 Structuraltransparency..................... 54 4.3Specificrequirements........................... 55 4.3.1 Portability ............................. 55 4.3.2 Dedicated hardware suitability .................. 55 4.4Blockciphers............................... 56 4.4.1 Ourapproach........................... 58 4.5Self-synchronizingstreamciphers.................... 58 4.5.1 Ourapproach........................... 59 4.6Synchronousstreamciphers....................... 59 4.6.1 Ourapproach........................... 61 4.7Cryptographichashfunctions...................... 62 4.7.1 Ourapproach........................... 64 4.8Choiceofbasicoperations........................ 65 4.8.1 Bitpermutations......................... 65 4.8.2 BitwiseBooleanoperations.................... 66 4.8.3 Substitution boxes ........................ 66 4.8.4 Modulararithmeticoperations.................. 67 4.8.5 Ourchoice............................. 68 4.9Conclusions................................ 68 5 Propagation and Correlation 69 5.1Introduction................................ 69 5.2TheDataEncryptionStandard..................... 69 5.3Differentialandlinearcryptanalysis................... 71 5.3.1 Differentialcryptanalysis..................... 71 CONTENTS vii 5.3.2 Linearcryptanalysis....................... 72 5.4Analyticalanddescriptivetools..................... 74 5.4.1 TheWalsh-Hadamardtransform................. 74 5.4.2 Correlationmatrices....................... 77 5.4.3 Derivedproperties........................ 79 5.4.4 Difference propagation ...................... 82 5.5Applicationtoiteratedtransformations................. 85 5.5.1 Correlation............................ 85 5.5.2 Difference propagation ...................... 87 5.5.3 DEScryptanalysisrevisited................... 89 5.6Thewidetrailstrategy.......................... 91 5.6.1 Traditionalapproach....................... 92 5.7Conclusions................................ 92 6 Shift-Invariant Transformations 95 6.1Introduction................................ 95 6.2Shift-invarianceandthestatespace................... 96 6.3Localmaps................................ 97 6.4 Invertibility ................................ 97 6.5Linearshift-invarianttransformations.................. 99 6.5.1 Invertibility ............................ 99 6.6 Nonlinear transformations with finite ν .................101 6.6.1 Local invertibility .........................101 6.6.2 Global invertibility ........................103 6.7Cyclicmultiplication...........................104 6.8Diffusion..................................105 6.8.1 Diffusion in invertible linear φ ..................106 6.9 Nonlinearity properties of χ .......................109
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages267 Page
-
File Size-