Decorrelated Fast Cipher Serge Vaudenay Ecole Normale Sup erieure { CNRS August 1998 First Advanced Encryption Standard Conference Private Communications - secure K K ? ? CT CT - - - 1 insecure PT PT AES AES 128 message space: M = f0; 1g message blo ck: PT 2M encryption function: AES p ermutation over M K Security of Blo ck Ciphers - Random Secret Key K AES 6 CT = AES PT PT K ? - - 0 Random Tap e ! Attacker A K ! secret random p ermutation with a given public distribution ! we study the attack \on average" on the key De nition. AES is -secure against a class CL of attack if AES K 8A 2 CL Pr A = K !;K Previous Work on Provable Security [Shannon 49]: notion of p erfect secrecy, imp ossibilityof achieving it [Wegman-Carter 81]: provably secure MAC with universal hashing [Luby-Racko 88]: the Feistel scheme with random round function is \almost" a random p ermutation [Biham-Shamir 90]: notion of di erential cryptanalysis [Lai-Massey-Murphy 91]: notion of Markov cipher [Matsui 93]: notion of linear cryptanalysis [Nyb erg-Knudsen 92]: construction of cipher which is provably resistant against di erential cryptanalysis [Matsui 96]: construction of MISTY which is provably resistant against di erential and linear cryptanalysis Perfect Decorrelation To the order 1: 8PT AES PT has a uniform distribution K To the order 2: 0 0 8PT 6=PT AES PT; AES PT has a uniform distribution K K 0 0 among all CT; CT such that CT 6=CT To the order d: 8PT 6=PT AES PT ;:::;AES PT uniform i j K 1 K d among all CT ;:::;CT such that CT 6=CT 1 d i j Resistance Against Di erential Cryptanalysis If AES has a p erfect decorrelation to the order 2, then for all a 6=0 and b 6=0, we have 1 : Pr [AES PT a = AES PT b]= K K 128 K;PT 2 1 ! AES resists \on average" against any di erential attack with a xed characteristic. Basic Examples The Vernam Cipher One-time pad [Vernam 26] 128 AES PT = PT K with K 2 f0; 1g K U ! p erfect decorrelation to the order 1 Basic COCONUT Cipher 128 128 AES PT=A PT B with A; B 2 GF2 GF 2 A;B U ! p erfect decorrelation to the order 2 Design Strategy we do not need \p erfect" decorrelation: we tolerate imp erfect decorrelation as long as we can quantify it m we do not want GF2 multiplication: we want fast software implementations ! use the integer multiplication we do not want ad hoc construction: we want to get decorrelation on arbitrary cipher by adding a few \decorrelation mo dules" ! we add the m F x=A x + B modp mo d 2 A;B m 2 decorrelation mo dule with A; B 2 f0;:::;2 1g . U Decorrelation Distance To each random mapping F from A to B we asso ciate the 2 2 2 A B -matrix [F ] : the pairwise distribution matrix. 2 2 Given x =x ;x 2A and y =y ;y 2B , we have 1 2 1 2 2 [F ] = Pr[F x = y ;Fx =y ]: 1 1 2 2 x;y De nition. Given two random functions F and G from A to B , the pairwise decorrelation distance between F and G is X Gx = y F x = y 1 1 1 1 2 2 Pr Pr jj[F ] [G] jj = max x ;x Gx = y F x = y 1 2 2 2 2 2 y ;y 1 2 Theoretical Results If 64 64 F x= Ax + B mod2 + 13 mo d 2 A;B 128 64 for A; B 2 f0; 1g and F is a random function on f0; 1g U with a uniform distribution then 2 2 58 jj[F ] [F ] jj 2 : If DFC is a 6-round Feistel cipher in which each round A ;B ;:::;A ;B 1 1 6 6 function can be written 64 64 RF x = CPA x + B mod2 + 13 mo d 2 i i i 768 for A ;B ;:::;A ;B 2 f0; 1g and C is a random 1 1 6 6 U 128 p ermutation on f0; 1g with a uniform distribution then 2 2 113 jj[DFC] [C ] jj 2 : Security Results 2 2 Let = jj[DFC] [C ] jj. For any di erential or linear distinguisher, if the complexityis far 1 less than , then the success probabilityis negligible. 92 ! no such attacks p ossible if a key is used less than 2 times. For any iterated attackof order 1, if the complexityis far less than 1 2 , then the success probabilityis negligible. 48 times. ! no such attack p ossible if a key is used less than 2 Iterated Attack of Order 1 Input: a cipher AES, a complexity n, a test T , an acceptance set A 1. for i from 1 to n do a get a new X; Y pair with Y = AESX pair b set T = 0 or 1 with an exp ected value T X; Y i 2. if T ;:::;T 2 A accept otherwise reject 1 n The attack is successful if AES is likely to be accepted and a random p ermutation is likely to b e rejected. R R 0 1 RK 1 ? ? RF RK 2 ? R ? R RF 0 9 ? Enc CT PT One RK 3 ? ? ? RF ? R R Encryption RK 4 ? 1 8 ? RF RK RK RK . RK 5 ? ? 8 2 1 RF RK 6 ? ? EF RF K ? RK 7 ? ? RF RK 8 ? ? RF ? ? R R 9 8 The Round Function We let RK = ARK ; BRK . i i i The output of the decorrelation mo dule is 64 64 ARK R + BRK mod2 + 13 mo d 2 i i i RK i ? y l R CP dec. i y r The Confusion Permutation We use a Round Table RT0;:::;RT63. y y l r ? RT trunc 6 ? ? KC ? ? + KD ? The Expansion Function We use two linear functions EF and EF and let RK =0. 1 2 0 EF K and EF K are used exactly 4 times. 1 2 K EF 1 ? RK Enc i 6 EF 2 Implementations micropro cessor cycles-p er-bit clo ck-frequency bits-p er-second AXP 4.36 600MHz 137.6Mbps Pentium 5.89 200MHz 34.0Mbps SPARC 6.27 170MHz 27.1Mbps Motorola 6805 smart cards: one encryption within 9.80ms. Security Assumption: Enc indistinguishable from a random p ermutation within 4 calls EF 1 no di erential or iterated attackof order 1 on 6 rounds 192 weak keys for ARK = ARK = ARK =0 one out of 2 2 4 6 56 exhaustive search on 80 keys within 22 years for 2 bps p ossible no timing attacks with constant-time implementations no photo nishing attack no bitslice weak when reduced downto 4 rounds Errata Last lines of EES in the extended abstract p. 9: 78d56ced 94640d6e f0d3d37b e67008e1 86d1bf27 5b9b241d x eb64749a x Eq. 26 in the extended abstract p. 8 and Eq. 22 in the full rep ort p. 9: EES = RT0jRT1j :::jRT63jKDjKC.