E2 - A Candidate Cipher for AES Masayuki Kanda, Shiho Moriai, Kazumaro Aoki, Hiroki Ueda, Miyako Ohkubo, Youichi Takashima, Kazuo Ohta, Tsutomu Matsumoto* [email protected] http://info.isl.ntt.co.jp/e2/ Nippon Telegraph and Telephone Corporation (NTT) *Yokohama National University First AES Candidate Conference Copyright NTT 1998 Outline · Overview · Design · Security · Performance · Conclusion E2 First AES Candidate Conference Copyright NTT 1998 Design Goals · A 128-bit symmetric block cipher · Key length of 128, 192, and 256 bits · Security : secure against all known attacks and more · Efficiency : faster than DES · Flexibility : efficient implementations on various platforms First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential CryptanalysisCryptanalysis There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder DifferentialDifferential AttackAttack There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder InterpolationInterpolation DifferentialDifferential AttackAttack AttackAttack There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder InterpolationInterpolation PartitioningPartitioning DifferentialDifferential AttackAttack CryptanalysisCryptanalysis AttackAttack There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (2) DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis E2 E2 is proven to have sufficient security First AES Candidate Conference Copyright NTT 1998 Security of E2 (3) DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder Interpolation Partitioning DifferentialDifferential Interpolation Partitioning Attack Cryptanalysis AttackAttack Attack Cryptanalysis E2 S-box is designed to have no vulnerabilities First AES Candidate Conference Copyright NTT 1998 Security of E2 (4) BruteBrute ForceForce AttacksAttacks E2 E2 supports 128-bit block size and 128,192, 256-bit key sizes First AES Candidate Conference Copyright NTT 1998 Design Goals (cont.) · A 128-bit symmetric block cipher · Key length of 128, 192, and 256 bits · Security : secure against all known attacks and more · Efficiency : faster than DES · Flexibility : efficient implementations on various platforms First AES Candidate Conference Copyright NTT 1998 Efficiency and Flexibility of E2 32-bit 200MHz Intel Pentium Pro CPU ANSI C Assembly (Borland C++ 5.02) 711 clocks/block 420 clocks/block 36.0 Mbits/sec 61.0 Mbits/sec 64-bit 8-bit CPU CPU 600MHz DEC 21164A 5MHz Hitachi H8/300 Assembly Assembly 600 clocks/block 6,374 clocks/block 128 Mbits/sec 100.5 k bits/sec First AES Candidate Conference Copyright NTT 1998 Efficiency and Flexibility of E2 32-bit 200MHz Intel Pentium Pro CPU ANSI C cf. DESAssembly (RSAREF, (Borland C++ 5.02) Borland C++ 5.0) 711 clocks/block 10.610.6420 Mbitsclocks/block/sec 36.0 Mbits/sec 61.0 Mbits/sec 64-bit 8-bit CPU CPU 600MHz DEC 21164A 5MHz Hitachi H8/300 Assembly Assembly 600 clocks/block 6,374 clocks/block 128 Mbits/sec 100.5 k bits/sec First AES Candidate Conference Copyright NTT 1998 Outline · Overview · Design · Security · Performance · Conclusion E2 First AES Candidate Conference Copyright NTT 1998 High-level Structure of E2 Plaintext P Key K IT k13 k14 k1 F Key Scheduling Part k2 F k12 F k FT 15 k16 First AES Candidate Conference Ciphertext C Copyright NTT 1998 High-level Structure of E2 Plaintext P Key K k IT k13 Data 14 k1 randomizing F Key Scheduling Part part k2 F k12 F k FT 15 k16 First AES Candidate Conference Ciphertext C Copyright NTT 1998 High-level Structure of E2 Plaintext P Key K k IT k13 Data 14 Key k1 randomizing F Key Scheduling Part scheduling part k2 F part k12 F k FT 15 k16 First AES Candidate Conference Ciphertext C Copyright NTT 1998 Data Randomizing Part Framework · IT-Function k (Initial Transformation) IT 13 k14 k1 · Feistel structure F k2 · FT-Function F (Final Transformation) k12 F k FT 15 k16 First AES Candidate Conference Copyright NTT 1998 Design Rationale of Framework · Feistel structure w Widely known and thought to offer long-term security w Symmetric encryption and decryption w Evaluation of security against DC and LC has been well studied · IT-Function and FT-Function w Offer a proactive design and hinder later attacks First AES Candidate Conference Copyright NTT 1998 Design Rationale of Framework · Feistel structure w Widely known and thought to offer long-term security w Symmetric encryption and decryption w Evaluation of security against DC and LC has been well studied · IT-Function and FT-Function w Offer a proactive design and hinder later attacks First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1) · Structures for which security evaluation against DC and LC is easy w 1-round SPN structure (e.g., DES) w Recursive structure (e.g., MISTY) w 2-round SPN structure · Comparing the speed at the same level of security, we decided to adopt 2-round SPN structure First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1) · Structures for which security evaluation against DC and LC is easy w 1-round SPN structure (e.g., DES) w Recursive structure (e.g., MISTY) w 2-round SPN structure · Comparing the speed at the same level of security, we decided to adopt 2-round SPN structure First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1) · Structures for which security evaluation against DC and LC is easy w 1-round SPN structure (e.g., DES) w Recursive structure (e.g., MISTY) w 2-round SPN structure · Comparing the speed at the same level of security, we decided to adopt 2-round SPN structure Evaluated using practical measure First AES Candidate Conference Copyright NTT 1998 Practical Measure for Feistel Cipher · General case [Knudsen (FSE’93)] w Number of rounds: R = 2r, 2r + 1 (R) r (R) r w Evaluation: UDCP = p , ULCP = q · Bijective case [Kanda et al. (SAC’98)] w Number of rounds: R = 3r, 3r + 1, 3r + 2 (R) 2r (R) 2r w Evaluation: UDCP = p , ULCP = q (R = 3r, 3r + 1) (R) 2r+1 (R) 2r+1 UDCP = p , ULCP = q (R = 3r + 2) Note: p, q : Maximum differential and linear prob. of round function First AES Candidate Conference Copyright NTT 1998 Practical Measure for Feistel Cipher · General case [Knudsen (FSE’93)] w Number of rounds: R = 2r, 2r + 1 When R = 6 (R) r (R) r w Evaluation: UDCP = p , UDCP ULCP = p3 [=General] q · Bijective case [Kanda et al.UDCP (SAC =’98) p4 ][Bijective] w Number of rounds: R = 3r, 3r + 1, 3r + 2 (R) 2r (R) 2r w Evaluation: UDCP = p , ULCP = q (R = 3r, 3r + 1) (R) 2r+1 (R) 2r+1 UDCP = p , ULCP = q (R = 3r + 2) Note: p, q : Maximum differential and linear prob. of round function First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (2) 350 slow 42 rounds 300 250 200 150 6 rounds 9 rounds 100 Performance 1-round SPN structure Recursive structure Total number of s-boxes 50 2-round SPN structure fast 0 -32 -64 -96 -128 -160 -192 -224 Upper bounds of max differential/linear prob( log2 ) Security secure First AES Candidate Conference Copyright NTT 1998 F - Function Overview K (2) K (1) F - Function s s s s s s s s s s s s s s s s S - Function P - Function S - Function First AES Candidate Conference Copyright NTT 1998 Design Rationale of P-Function · Maximize minimum number of active s-boxes w Minimize upper bound of maximum differential / linear prob. of round function · Use only XOR operation w Simple construction w Efficient implementations in both software and hardware · Minimize gate counts required for hardware First AES Candidate Conference Copyright NTT 1998 Design Rationale of P-Function · Maximize minimum number of active s-boxes w Minimize upper bound of maximum differential / linear prob. of round function · Use only XOR operation w Simple construction w Efficient implementations in both software and hardware · Minimize gate counts required for hardware First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 3 (Bad P-Function) K (2) K (1) F - Function s s s s s s D Y s s D X s s s s s s s s P - Function Many active s-boxes mean high security against DC. First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 5 (E2 P-Function) K (2) K (1) F - Function s s s s s s D Y s s D X s s s s s s s s P - Function First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 5 (cont.) K (2) K (1) F - Function s s s s s s D Y s s D X s s s s s s s s P - Function First AES Candidate Conference Copyright NTT 1998 Design Rationale of s-box 1. Suitability for various platforms 2. No trap-doors 3. No vulnerability to known attacks First AES Candidate Conference Copyright NTT 1998 Rationale 1 : Suitability for Various Platforms · Table-lookup w efficiency does not depend on processors with various word-lengths (8, 16, 32, 64 bits) · One 8-by-8-bit s-box w consideration for 8-bit smart card implementations First AES Candidate Conference Copyright NTT 1998 Rationale 2 : No trap-doors · Design principle is publicly given · Based on well-known mathematical functions First AES Candidate Conference Copyright NTT 1998 Candidates of s-box · s : GF(2)8 GF(2)8 ; x s(x) = g ( f (x) ) candidates of f (x) and g(x) k 8 I.