Substitution-Permutation Network Cryptosystems Using Key-Dependent S-Boxes by

Liam Keliher

A thesis submitted to the Department of Computing and Information Science in conformity with the requirements for the degree of Master of Science

Queen's University Kingston, Ontario, Canada September 1997

Copyright © Liam Keliher, 1997

Abstract

Substitution-permutation networks (SPNs) are an important class of private key cryptosystems, having substitution boxes (s-boxes) as a critical internal component. Much of the research into s-boxes has focussed on determining those s-box properties which yield a cryptographically strong SPN. We investigate s-boxes which are generated in a pseudo-random fashion from a key. This approach has the advantage of decreasing the effectiveness of certain attacks. In addition, combinatorial results give evidence that the resulting s-boxes will possess several desirable properties with high probability. We propose a key-dependent s-box generation method and an SPN which incorporates it. The proposed system successfully passes a range of standard statistical tests, as well as two new statistical tests which are designed to detect correlation between s-boxes. Some interesting theoretical results concerning these new tests are proven, and one of the tests is shown to be a generalisation of the existing test for s-box nonlinearity.


Acknowledgements

I am grateful to my supervisor, Henk Meijer, for the fact that during the process of working on this thesis, he was a constant source of ideas, motivation, and encouragement. I am also thankful for my wonderful wife, Ronda, who brings joy to my life, and who gave me support through the (sometimes stressful) task of thesis creation. Most of all, I thank my Lord Jesus Christ, who truly came that we might have "life, and life more abundantly" (John 10:10).


Contents

Abstract
Acknowledgements
Contents
List of Figures
Notation
1 Introduction
  1.1 Cryptography Background
  1.2 Substitution-Permutation Networks
    1.2.1 SPN Concepts
    1.2.2 Early SPN Development
  1.3 Contributions of Thesis
  1.4 Outline of Thesis
2 Review of S-Box and SPN Properties
  2.1 Definition of S-Box and SPN Properties
    2.1.1 Completeness
    2.1.2 Avalanche and Strict Avalanche
    2.1.3 Bit Independence
    2.1.4 Nonlinearity
    2.1.5 XOR Table Distribution
    2.1.6 Cyclic Properties
  2.2 Properties of Randomly Chosen S-Boxes
    2.2.1 Completeness
    2.2.2 Avalanche and Strict Avalanche
    2.2.3 Bit Independence
    2.2.4 Nonlinearity
    2.2.5 XOR Table Distribution
    2.2.6 Cyclic Properties
3 Proposed SPN Cryptosystem
  3.1 Known SPNs with Key-Dependent S-Boxes
    3.1.1 Khufu
    3.1.2 Blowfish
  3.2 Design and Rationale of Proposed System
    3.2.1 Basic Design
    3.2.2 Random S-Box Generation Process
    3.2.3 Advantages of Proposed System
  3.3 Comparison Systems
4 Analysis of Proposed System
  4.1 Cryptanalysis of 2-Round System
  4.2 Testing Standard S-Box Properties
    4.2.1 Testing SAC/MOSAC
    4.2.2 Testing BIC/MOBIC
    4.2.3 Testing Nonlinearity
    4.2.4 Testing Maximum XOR Table Entry
    4.2.5 Testing Cyclic Properties
  4.3 New Statistical Tests
    4.3.1 Column Correlation
    4.3.2 Lin Combination Correlation
    4.3.3 Chi-Square Goodness-of-Fit Test
  4.4 Theoretical Results Concerning T'_LCC
    4.4.1 Relationship to Test for Nonlinearity
    4.4.2 Mean and Variance of T'_LCC Entries
5 Test Results for Proposed System
  5.1 Test Results for Standard S-Box Properties
    5.1.1 SAC/MOSAC
    5.1.2 BIC/MOBIC
    5.1.3 Nonlinearity
    5.1.4 Maximum XOR Table Entry
    5.1.5 Cyclic Properties
  5.2 Test Results for New Statistical Tests
    5.2.1 CC and LCC
    5.2.2 Chi-Square Results
  5.3 Summary of Test Results
6 Conclusion
  6.1 Thesis Summary
  6.2 Future Research Directions
Bibliography
A The RC4 Cipher
Vita

List of Figures

1.1 Basic cryptosystem layout
1.2 Example SPN with N = 16, n = M = 4, R = 3
1.3 Two methods of incorporating the key into an SPN
3.1 Conceptual approach to random s-box generation
4.1 Determining T_XOR(S)
4.2 Information known about 2-round SPN
5.1 DSAC/DMOSAC results for 1000 randomly generated 8 x 8 s-boxes
5.2 BIC/MOBIC results for 1000 randomly generated 8 x 8 s-boxes
5.3 Nonlinearity results for 1000 randomly generated 8 x 8 s-boxes
5.4 Distribution of nonlinearities
5.5 Maximum XOR table entry results for 1000 randomly generated 8 x 8 s-boxes
5.6 Distribution of maximum XOR table entries
5.7 Cyclic properties results for 1000 randomly generated 8 x 8 s-boxes
5.8 Maximum CC value for all pairs of SPN s-boxes
5.9 Maximum LCC value for all pairs of SPN s-boxes
5.10 Chi-square results: column correlation
5.11 Chi-square results: linear combination correlation

Notation

The following notation will be used in this thesis.

$N$: number of ciphertext/plaintext bits
$n$: number of s-box input bits
$m$: number of s-box output bits
$R$: number of SPN rounds
$M$: number of s-boxes per round
(symbol not legible in this copy): number of key bits
$P = [P_{N-1} \cdots P_1 P_0]$: plaintext bitstring
$C = [C_{N-1} \cdots C_1 C_0]$: ciphertext bitstring
$K = [\cdots K_1 K_0]$: key bitstring (the leading index is the number of key bits less one)
$X = [X_{t-1} \cdots X_1 X_0]$: arbitrary bitstring $X \in \{0,1\}^t$
$e_i$: unit vector with bit $i$ equal to 1 and all other bits 0
$\mathrm{wt}(X)$: Hamming weight of bitstring $X$
$\oplus$: exclusive OR operation (XOR)
$v \cdot w$: dot product of vectors $v$ and $w$
$\bar{A}$: bitwise complement of binary matrix or binary vector $A$
$\mathbf{0}$: all zero bitstring

Chapter 1 Introduction

1.1 Cryptography Background

Cryptography is the art and science of designing systems to encode and decode information to protect it from an "enemy." Such systems are referred to as cryptosystems, or ciphers. Cryptanalysis is the art and science of breaking cryptosystems. Figure 1.1 gives the basic layout of a cryptosystem.

Figure 1.1: Basic cryptosystem layout. The plaintext (message) enters an encryption algorithm parameterised by a key; the resulting ciphertext is transmitted to the receiver, where a decryption algorithm, also parameterised by a key, recovers the plaintext; the enemy observes the ciphertext in transit.

In the figure, the message being encoded is referred to as the plaintext. The plaintext is fed into an encryption algorithm, which has a special parameter known as a key. The output of this algorithm, called the ciphertext, is transmitted to the receiver, who can recover the plaintext by running a decryption algorithm, which also has a key as a parameter. The cryptosystems investigated in this thesis, known as private key cryptosystems, have the property that the keys used for encryption and decryption are the same, and only the transmitter and receiver know the value of the key. Another class of cryptosystems, public key cryptosystems, use different keys for encryption and decryption; these do not fall within the scope of this thesis.

Cryptanalysis can be classified into three broad areas, depending upon what is available to the attacker [9]:

1. Ciphertext only: the cryptanalyst has only some ciphertext strings from the cryptosystem.
2. Known plaintext: the cryptanalyst has one or more plaintext strings and the corresponding ciphertexts.
3. Chosen plaintext/ciphertext: the cryptanalyst has the ability to choose plaintext/ciphertext strings and acquire the corresponding ciphertexts/plaintexts.

These attacks are listed in increasing order of strength. Even though a chosen plaintext/ciphertext attack is not always realistic, a cryptosystem should be designed to be resistant to this attack.

1.2 Substitution-Permutation Networks

In this section we discuss a fundamental private key cryptosystem design called a substitution-permutation network (SPN). The SPN model has formed the basis for many of the private key cryptosystems introduced over the past 20 years, and is the structure being investigated in this thesis.

1.2.1 SPN Concepts

Private key cryptosystems have been used for millennia. With the advent of the electronic computer, significant advances took place in the development of these cryptosystems. In 1948 and 1949, Claude Shannon, a researcher at Bell Laboratories, published two papers in which he proposed that a cryptosystem implement the two principles of "confusion" and "diffusion" [25, 26]. Confusion is the obscuring of the relationship between elements of the plaintext and elements of the ciphertext, while diffusion is the spreading of the influence of plaintext elements over the ciphertext. Shannon suggested that these two principles be achieved through the use of a "mixing transformation" involving a number of rounds, in which each round consisted of a substitution operation followed by an invertible linear transformation.

A practical realisation of Shannon's mixing transformation can be achieved using a substitution-permutation network (SPN) [6]. An SPN with key $K$ is an invertible mapping $f_K : \{0,1\}^N \to \{0,1\}^N$, where $N$ is the number of plaintext and ciphertext bits. An SPN consists of $R$ rounds, each made up of a substitution stage and a permutation stage (the last round often does not contain a permutation stage). In the substitution stage, the current $N$-bit string (block) is fed into a series of $M$ substitution boxes (s-boxes). (We number the rounds $1, 2, \ldots, R$; in a given round, the s-boxes are numbered from right to left as $0, 1, \ldots, M-1$.) The same set of s-boxes may be used in each round, or the s-boxes may change from round to round.

An $n \times m$ s-box is a mapping $S : \{0,1\}^n \to \{0,1\}^m$, for integers $n$ and $m$. For the purposes of this thesis, we consider only the case that $n = m$, $N = nM$, and each s-box is invertible. We can view $S$ as a binary matrix with row indices $0, 1, \ldots, 2^n - 1$, such that row $X$ contains $S(X)$ (with the usual correspondence between $\{0, 1, \ldots, 2^n - 1\}$ and $\{0,1\}^n$).

If $Z \in \{0,1\}^n$, we use the convention of enumerating the bits of $Z$ as $Z = Z_{n-1} Z_{n-2} \cdots Z_1 Z_0$ ($Z_{n-1}$ is the most significant bit). Using this, and setting $S(X) = Y$, we can also view $S$ as a vector of $n$ functions mapping $\{0,1\}^n \to \{0,1\}$:

$$S(X) = [c_{n-1}(X),\; c_{n-2}(X),\; \ldots,\; c_1(X),\; c_0(X)],$$

where $c_j(X) = Y_j$. As with any function mapping $\{0,1\}^n \to \{0,1\}$, we will at times view $c_j$ as a $2^n$-bit column vector; in fact, the $c_j$ are called the columns of $S$. The following is an example for $n = 3$ (row $X$ of the matrix holds $S(X)$, most significant bit first, so for instance $S(0) = 101$ and $S(7) = 010$):

$$S = \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & 1 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \\ 1 & 1 & 1 \\ 1 & 1 & 0 \\ 0 & 0 & 0 \\ 0 & 1 & 0 \end{bmatrix}, \qquad
c_2 = \begin{bmatrix} 1 \\ 0 \\ 1 \\ 0 \\ 1 \\ 1 \\ 0 \\ 0 \end{bmatrix}, \quad
c_1 = \begin{bmatrix} 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \\ 1 \end{bmatrix}, \quad
c_0 = \begin{bmatrix} 1 \\ 1 \\ 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \end{bmatrix}.$$

It can be shown that the columns of $S$ are balanced, that is, they have an equal number of 1's and 0's (symbolically, $\mathrm{wt}(c_j) = 2^{n-1}$ for $0 \le j \le n-1$); this follows from invertibility, since every one of the $2^n$ output values occurs exactly once and bit $j$ is 1 in exactly half of them.

The substitution stage is followed by a permutation of the $N$ bits. Decryption is accomplished by running the SPN "backwards," reversing the order of the rounds, and in each round first performing the inverse permutation followed by application of the inverse s-boxes. A sample SPN with $N = 16$, $n = M = 4$, $R = 3$, and using the permutation of Kam and Davida [11], is given in Figure 1.2 (key not shown).

The two standard ways to incorporate the key into an SPN are shown in Figure 1.3 (see [9]). In the first method (a), the input to each s-box is first XOR'd with $n$ bits derived from the key before being fed into the s-box. This may be performed during each round, or only during certain rounds. The second method (b) uses one or more key bits to select among multiple s-boxes for each sub-block of $n$ s-box input bits.

Figure 1.2: Example SPN with N = 16, n = M = 4, R = 3. The plaintext enters the s-boxes of round 1; the output of each of rounds 1 and 2 passes through the bit permutation into the next round's s-boxes; the output of round 3 is the ciphertext.
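The round structure just described, as an added example that is not part of the thesis: a toy SPN with the parameters of Figure 1.2 (N = 16, n = M = 4, R = 3), keyed by method (a) of Figure 1.3 (a round key XOR'd into the s-box inputs of every round), with decryption running the network backwards. The 4 x 4 s-box, the bit permutation and the round keys are my own constructed choices for illustration; the thesis uses the permutation of Kam and Davida, which is not reproduced here.

```python
# Added example (not code from the thesis): a toy SPN with N = 16, n = M = 4,
# R = 3, keyed by XORing a round key into the s-box inputs (method (a) of
# Figure 1.3).  The s-box, permutation and round keys below are constructed
# for illustration; they are not Kam and Davida's permutation or any
# parameter the thesis specifies.

N, n, M, R = 16, 4, 4, 3

# A constructed invertible 4x4 s-box as a lookup table: SBOX[X] = S(X).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(y) for y in range(16)]

# Bit permutation: bit i of the block moves to position PERM[i].  This
# "transpose" sends output bit b of s-box s to input bit s of s-box b in the
# next round, so every s-box feeds every other s-box (an assumption).
PERM = [n * (i % n) + i // n for i in range(N)]
PERM_INV = [PERM.index(i) for i in range(N)]


def substitute(x, table):
    """Apply the same s-box to the M sub-blocks; s-box 0 is the rightmost."""
    y = 0
    for s in range(M):
        y |= table[(x >> (n * s)) & 0xF] << (n * s)
    return y


def permute(x, perm):
    y = 0
    for i in range(N):
        if (x >> i) & 1:
            y |= 1 << perm[i]
    return y


def encrypt(round_keys, p):
    """round_keys: R 16-bit subkeys.  The last round has no permutation stage."""
    x = p
    for r in range(R):
        x = substitute(x ^ round_keys[r], SBOX)
        if r < R - 1:
            x = permute(x, PERM)
    return x


def decrypt(round_keys, c):
    """Run the network backwards: inverse permutation, inverse s-boxes, then key."""
    x = c
    for r in reversed(range(R)):
        if r < R - 1:
            x = permute(x, PERM_INV)
        x = substitute(x, SBOX_INV) ^ round_keys[r]
    return x


def avalanche(round_keys, p, bit):
    """Number of ciphertext bits that change when plaintext bit `bit` is flipped."""
    return bin(encrypt(round_keys, p) ^ encrypt(round_keys, p ^ (1 << bit))).count("1")


def is_bijective(round_keys):
    """Encryption must be a permutation of {0,1}^16, since every stage is invertible."""
    return len({encrypt(round_keys, p) for p in range(1 << N)}) == 1 << N


if __name__ == "__main__":
    keys = [0x3A94, 0xD1C6, 0x5F0B]   # constructed round keys
    for p in (0x0000, 0x1234, 0xFFFF):
        c = encrypt(keys, p)
        print(f"p={p:04x} c={c:04x} back={decrypt(keys, c):04x} "
              f"bits changed by flipping plaintext bit 0: {avalanche(keys, p, 0)}")
```

Flipping one plaintext bit and counting the changed ciphertext bits is the measurement that Chapter 2 formalises as the avalanche criterion; with only three rounds and a 16-bit block the count varies noticeably from plaintext to plaintext.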

1.2.2 Early SPN Development

Feistel et al.

Although the basic SPN principles derive from the work of Shannon, these ideas were not practically implemented until the late 1960s, when an IBM research team first led by Horst Feistel produced an SPN cryptosystem known as Lucifer [24]. Lucifer is actually an example of a Feistel network, a variation of the basic SPN model which applies the substitution and permutation stages to only half of the block in each round. A Feistel network has the property that encryption and decryption are almost identical operations, eliminating the need for inverse permutations and inverse s-boxes.

Figure 1.3: Two methods of incorporating the key into an SPN. (a) Key bits are XOR'd with the s-box input before it enters the s-box. (b) A key bit selects which of two s-boxes, S or S*, is applied to the sub-block.

The Data Encryption Standard (DES)

The work of the IBM research team which produced Lucifer led to the development of the Data Encryption Standard (DES), a cryptosystem published as a standard by the United States government in 1977 [5]. DES is a 64-bit Feistel cipher with a 56-bit key. DES uses $6 \times 4$ s-boxes, but on closer inspection each s-box is seen to be a set of four invertible $4 \times 4$ s-boxes: two of the input bits (the outer two) are used to select one of these four s-boxes, and the remaining four bits comprise the input to the selected s-box. Although the DES algorithm was made public, many of the design decisions (e.g., justification of the choice of s-boxes) were not revealed until the early 1990s. The introduction of DES catalysed the development and cryptanalysis of SPNs, resulting in a growing list of desirable s-box and SPN properties. We investigate a number of these properties in Chapter 2.

1.3 Contributions of Thesis

This thesis investigates the use of key-dependent, pseudo-randomly generated s-boxes in SPNs. Although a small number of cryptosystems have incorporated this idea [16, 23], in general it has not been widely investigated in the literature. We have collected theoretical results concerning the cryptographic properties of a randomly chosen invertible $n \times n$ s-box. Based on these results, we propose an SPN cryptosystem with a key-dependent s-box generation algorithm which is efficient, and for which there is evidence of good security properties. The s-boxes generated by our system behave predictably well when tested for standard cryptographic properties. In addition, however, we want to show that the s-boxes are pairwise uncorrelated; this led to an investigation of the idea of correlation between two s-boxes. The pursuit of this idea resulted in new statistical testing methods, which are presented in this thesis. Further study of one of the new statistical tests revealed that it in fact generalised the existing test for s-box nonlinearity. As well, it led to a proof of two interesting theoretical results concerning the distribution of values generated by this test.

1.4 Outline of Thesis

The rest of this thesis is organised as follows. In Chapter 2 we define standard s-box and SPN cryptographic properties, giving known theoretical results concerning the probability that a randomly chosen invertible $n \times n$ s-box possesses a certain property. In Chapter 3 we present our proposed cryptosystem, an SPN with key-dependent s-boxes, and give two other simple systems for comparison purposes. Chapter 4 contains a description of the analyses performed on our system, both theoretical and statistical. As well, in this chapter we define the new statistical tests we have designed to detect correlation between s-boxes, and we prove some theoretical results about one of the tests. In Chapter 5 we give the results of the statistical testing performed on our proposed system, and on the comparison systems. Finally, in Chapter 6 we summarise the work of the thesis, giving directions for future research.

Chapter 2 Review of S-Box and SPN Properties

2.1 Definition of S-Box and SPN Properties

2.1.1 Completeness

In 1979, Kam and Davida [11] defined the property of completeness for a bijective function $f : \{0,1\}^t \to \{0,1\}^t$: $f$ is complete if for all $i, j \in \{0, 1, \ldots, t-1\}$, there exists $X \in \{0,1\}^t$ such that $f(X)$ and $f(X \oplus e_i)$ differ in at least bit $j$ ($e_i$ is the $t$-bit unit vector with a 1 in position $i$). That is to say, every output bit depends upon every input bit. An s-box is complete if it satisfies this property, and an SPN is complete if it is a complete function from $\{0,1\}^N$ to $\{0,1\}^N$ for every key. Kam and Davida gave an algorithm for constructing complete s-boxes, and specified a permutation to be used in each round in order to achieve completeness after a minimum number of rounds.

In research published in 1981 and 1982, F. Ayoub extended Kam and Davida's study of permutations which produce complete SPNs. He introduced a class of permutations, referred to as cryptographically equivalent permutations (CEP) [2]. If a permutation belongs to CEP, and if $N = an$ for some $a \in \{1, 2, \ldots, n\}$, then an $N$-bit SPN constructed using this permutation and complete $n \times n$ s-boxes will satisfy completeness after a minimum number of rounds (two if $a = 1$ and three if $2 \le a \le n$). Ayoub also investigated the possibility of using the key to construct a random permutation used in all the rounds, and proved that there is a high probability that the resulting SPN will be complete after a minimum number of rounds [3]. Moreover, Ayoub suggested the possibility of designing SPNs in which both the s-boxes and the permutation are generated in a pseudo-random fashion from the key, and claimed that such an approach would not weaken the security of the SPN. This idea of using key-dependent s-boxes in an SPN forms the central theme of this thesis.

2.1.2 Avalanche and Strict Avalanche

Feistel et al. defined a property of s-boxes and SPNs known as the avalanche criterion (AVAL) [6, 7]. A function $f : \{0,1\}^t \to \{0,1\}^t$ satisfies AVAL if whenever one input bit is changed, on average half the output bits change. In 1985, Webster and Tavares combined the completeness and avalanche properties into the strict avalanche criterion (SAC) [28]. A function $f : \{0,1\}^t \to \{0,1\}^t$ satisfies SAC if for all $i, j \in \{0, 1, \ldots, t-1\}$, flipping input bit $i$ changes output bit $j$ with probability exactly one half. It is easy to demonstrate that a function $f$ which satisfies SAC is complete, and satisfies AVAL. In addition, $f$ is said to satisfy maximum order SAC (MOSAC) if for all $j \in \{0, 1, \ldots, t-1\}$, flipping any combination of one or more input bits changes output bit $j$ with probability one half [17].

The distance to SAC (DSAC) and distance to MOSAC (DMOSAC) of functions $g : \{0,1\}^t \to \{0,1\}$ and $f : \{0,1\}^t \to \{0,1\}^t$ are defined as in [17]. First it will be useful to introduce some notation. If $\alpha \in \{0,1\}^t$, define $g_\alpha : \{0,1\}^t \to \{0,1\}$ as

$$g_\alpha(X) = g(X) \oplus g(X \oplus \alpha), \qquad \text{for all } X \in \{0,1\}^t.$$

The function $g_\alpha$ is a "change function" for $g$: $g_\alpha(X) = 1$ if the output of $g$ changes when the input $X$ is XOR'd with $\alpha$, and $g_\alpha(X) = 0$ otherwise. Then

$$\mathrm{DSAC}(g) = \max_{0 \le i \le t-1} \tfrac{1}{2}\left| 2^{t-1} - \mathrm{wt}(g_{e_i}) \right| \qquad (2.1)$$

$$\mathrm{DMOSAC}(g) = \max_{\alpha \in \{0,1\}^t \setminus \mathbf{0}} \tfrac{1}{2}\left| 2^{t-1} - \mathrm{wt}(g_\alpha) \right| \qquad (2.2)$$

In (2.1) and (2.2) we multiply by $\tfrac{1}{2}$ since $\mathrm{wt}(g_\alpha)$ is always even (if $g_\alpha(X) = 1$ then $g_\alpha(X \oplus \alpha) = 1$ as well). If $f : \{0,1\}^t \to \{0,1\}^t$ and the output bits of $f$ are $c_{t-1}, \ldots, c_1, c_0 : \{0,1\}^t \to \{0,1\}$, define

$$\mathrm{DSAC}(f) = \max_{0 \le j \le t-1} \mathrm{DSAC}(c_j) \qquad (2.3)$$

$$\mathrm{DMOSAC}(f) = \max_{0 \le j \le t-1} \mathrm{DMOSAC}(c_j). \qquad (2.4)$$

It can be seen that $\mathrm{D(MO)SAC}(f) \in \{0, 1, 2, \ldots, 2^{t-2}\}$. If $n \ge 3$ and $S$ is an invertible $n \times n$ s-box (with columns $[c_{n-1}, \ldots, c_1, c_0]$), then $\mathrm{D(MO)SAC}(S)$ is even, i.e., $\mathrm{D(MO)SAC}(S) \in \{0, 2, 4, \ldots, 2^{n-2}\}$. This is due to the fact that the $c_j$ are balanced: if two $2^n$-bit column vectors, $v$ and $w$, are balanced, it is easy to see that

$$\mathrm{wt}(v \oplus w) = 2^n - 2\,(v \cdot w), \qquad (2.5)$$

where $(v \cdot w)$ is the dot product of $v$ and $w$. If $\alpha \in \{0,1\}^n \setminus \mathbf{0}$, and if we set $v(X) = c_j(X)$ and $w(X) = c_j(X \oplus \alpha)$ (both balanced, since $w$ is just a rearrangement of $v$), then clearly $v \cdot w$ is even, since if $v(X) = w(X) = 1$, then $v(X \oplus \alpha) = w(X \oplus \alpha) = 1$ as well, so the positions where both vectors are 1 come in pairs. It follows from (2.5) that $\mathrm{wt}(v \oplus w) = \mathrm{wt}((c_j)_\alpha)$ is divisible by 4, and therefore $\mathrm{D(MO)SAC}(S)$ is divisible by 2, using equations (2.1) to (2.4). Note that if $S$ satisfies (MO)SAC, then $\mathrm{D(MO)SAC}(S) = 0$. Furthermore, if $\mathrm{DSAC}(S) < 2^{n-2}$ then $S$ is complete (if $S$ were not complete, some change function $(c_j)_{e_i}$ would be identically zero, forcing $\mathrm{DSAC}(S) = 2^{n-2}$).

2.1.3 Bit Independence

Webster and Tavares, in the paper in which they introduced SAC [28], also defined a property called the bit independence criterion (BIC). A function $f : \{0,1\}^t \to \{0,1\}^t$ satisfies BIC if for all $i, j, k \in \{0, 1, \ldots, t-1\}$ with $j \ne k$, inverting input bit $i$ causes output bits $j$ and $k$ to change independently. We say $f$ satisfies maximum order BIC (MOBIC) if the same output bit independence holds whenever an input change consisting of one or more bits occurs.

In what follows, we need the idea of the correlation coefficient of two $2^t$-bit vectors, $v$ and $w$, denoted $\mathrm{corr}(v, w)$ [28]. Viewing $v$ and $w$ as functions mapping $\{0,1\}^t \to \{0,1\}$, we have

$$\mathrm{corr}(v, w) = \frac{\frac{1}{2^t}\sum_{X \in \{0,1\}^t} v(X)\,w(X) \;-\; E(v)\,E(w)}{\sqrt{\left(E(v) - E(v)^2\right)\left(E(w) - E(w)^2\right)}}, \qquad (2.6)$$

where $E(v)$ is the expected value of $v$:

$$E(v) = \frac{1}{2^t}\sum_{X \in \{0,1\}^t} v(X) = \frac{1}{2^t}\,\mathrm{wt}(v)$$

($E(w)$ is defined similarly). Since $v$ takes only the values 0 and 1, $E(v^2) = E(v)$, which is why the variances under the square root in (2.6) take this form; note also that (2.6) is undefined when $v$ or $w$ is constant, since the denominator is then zero. Now if the output bits of $f$ are $[c_{t-1}, \ldots, c_1, c_0]$, and if $j, k \in \{0, 1, \ldots, t-1\}$ with $j \ne k$, then using the notation of Section 2.1.2, define

$$\mathrm{BIC}(c_j, c_k) = \max_{0 \le i \le t-1} \left| \mathrm{corr}\!\left((c_j)_{e_i}, (c_k)_{e_i}\right) \right|$$

$$\mathrm{MOBIC}(c_j, c_k) = \max_{\alpha \in \{0,1\}^t \setminus \mathbf{0}} \left| \mathrm{corr}\!\left((c_j)_\alpha, (c_k)_\alpha\right) \right|.$$

We then define

$$\mathrm{BIC}(f) = \max_{j \ne k} \mathrm{BIC}(c_j, c_k)$$

$$\mathrm{MOBIC}(f) = \max_{j \ne k} \mathrm{MOBIC}(c_j, c_k)$$

as a measure of how close $f$ is to satisfying (MO)BIC. Note that $0 \le \mathrm{(MO)BIC}(f) \le 1$; if $f$ satisfies (MO)BIC exactly, then $\mathrm{(MO)BIC}(f) = 0$.

2.1.4 Nonlinearity

A function $f : \{0,1\}^t \to \{0,1\}$ is called affine if there exist constants $a_i \in \{0,1\}$, for $i = 0, 1, \ldots, t$, such that for all $X = X_{t-1} \cdots X_1 X_0 \in \{0,1\}^t$,

$$f(X) = a_t \oplus a_{t-1}X_{t-1} \oplus \cdots \oplus a_1 X_1 \oplus a_0 X_0.$$

An affine function is called linear if $a_t = 0$. S-boxes with "high nonlinearity" are needed to make an SPN immune to linear cryptanalysis, introduced in 1993 by M. Matsui [13]. Linear cryptanalysis attempts to find a linear equation relating plaintext, ciphertext and key bits, i.e., it looks for indices $i_1, i_2, \ldots, i_b$, $j_1, j_2, \ldots, j_c$, and $l_1, l_2, \ldots, l_d$, such that

$$P_{i_1} \oplus P_{i_2} \oplus \cdots \oplus P_{i_b} \oplus C_{j_1} \oplus C_{j_2} \oplus \cdots \oplus C_{j_c} = K_{l_1} \oplus K_{l_2} \oplus \cdots \oplus K_{l_d}. \qquad (2.7)$$

If the bits in (2.7) are assigned at random, the equation will be satisfied with probability exactly $1/2$. Matsui's attack exploits the situation in which this equation is satisfied with probability significantly more or less than $1/2$.

We can quantify the term "high nonlinearity" as follows. Let $A_t$ be the set of all affine functions $g : \{0,1\}^t \to \{0,1\}$. For $f : \{0,1\}^t \to \{0,1\}$, we define the nonlinearity of $f$, $\mathrm{nl}(f)$, as

$$\mathrm{nl}(f) = \min_{g \in A_t} \mathrm{wt}(f \oplus g)$$

(in this expression, we view $f$ and $g$ as $2^t$-bit vectors). Clearly $\mathrm{nl}(f)$ measures the distance of $f$ from the closest affine function. If $S$ is an $n \times n$ s-box, let $L$ be the set of all linear combinations of the columns of $S$. Then the nonlinearity of $S$ is

$$\mathrm{nl}(S) = \min_{\ell \in L \setminus \mathbf{0}} \mathrm{nl}(\ell).$$

It is not hard to see that all vectors $\ell \in L \setminus \mathbf{0}$ (because $S$ is invertible) and all non-constant $g \in A_n$ are balanced. It follows that $\mathrm{nl}(\ell)$ is always even by (2.5) (the two constant affine functions are at distance exactly $2^{n-1}$ from any balanced $\ell$, which is also even). Also, if $g \in A_n$ is a linear function and $\bar g$ is the affine function which is the bitwise complement of $g$, then

$$\mathrm{wt}(\ell \oplus \bar g) = 2^n - \mathrm{wt}(\ell \oplus g),$$

and therefore $\mathrm{nl}(S) \in \{0, 2, 4, \ldots, 2^{n-1}\}$.

2.1.5 XOR Table Distribution

In 1991, Biham and Shamir introduced a powerful cryptanalytic technique known as differential cryptanalysis [4]. They have successfully applied their attack to a variety of SPNs. Differential cryptanalysis requires knowledge of the XOR tables of the s-boxes. For an $n \times n$ s-box, $S$, the XOR table of $S$ has rows and columns indexed by $0, 1, 2, \ldots, 2^n - 1$, and the table entries are defined as follows. If $i, j \in \{0, 1, 2, \ldots, 2^n - 1\}$, position $[i, j]$ in the XOR table contains the value

$$\left|\left\{X \in \{0,1\}^n : S(X) \oplus S(X \oplus i) = j\right\}\right| \qquad (2.8)$$

(in (2.8) we are treating $i$ and $j$ as their equivalent $n$-bit strings). It can be shown that (2.8) always evaluates to an even number (whenever $X$ is counted, so is $X \oplus i$). The pair $(i, j)$ is called an input/output XOR pair. Differential cryptanalysis exploits such XOR pairs with large XOR table entries. An SPN can be secured against differential cryptanalysis by selecting s-boxes with low XOR table entries, ideally all 0 or 2 (the one exception is entry $(0, 0)$, which has value $2^n$; since $S$ is invertible, the remaining entries of row 0 are all 0). Even if the XOR table is not directly calculated, resistance to differential cryptanalysis can be achieved by assuring that the s-boxes have good diffusive properties, i.e., they reasonably satisfy AVAL or SAC [21].

2.1.6 Cyclic Properties

Three cyclic properties of an invertible $n \times n$ s-box, $S$, are interesting to consider: number of fixed points, number of cycles, and average cycle length. The number of fixed points of $S$ is the number of $X \in \{0,1\}^n$ such that $S(X) = X$. A cycle is a sequence of elements in $\{0,1\}^n$, $X_1, X_2, \ldots, X_L$, such that $X_{\ell+1} = S(X_\ell)$ for $1 \le \ell \le L-1$, and $X_1 = S(X_L)$, but $X_1 \ne S(X_\ell)$ for $2 \le \ell \le L-1$. The length of this cycle is $L$. Let $\lambda(X)$ be the length of the cycle to which $X$ belongs, and let $C_1, C_2, \ldots$ be the distinct cycles of $S$. Then the average cycle length, as used in [31], is

$$\frac{1}{2^n}\sum_{X \in \{0,1\}^n} \lambda(X) \;=\; \frac{1}{2^n}\sum_{i} |C_i|^2, \qquad (2.9)$$

where $|C_i|$ denotes the length of $C_i$ (each of the $|C_i|$ elements of $C_i$ contributes $|C_i|$ to the left-hand sum, which is why the squares appear). There is evidence that the cyclic properties of an s-box are related to other cryptographic properties. Youssef et al. give experimental results which show that, on average, s-boxes with fewer fixed points have higher nonlinearity and lower maximum XOR table entries [31].
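The definitions of Sections 2.1.1 to 2.1.6, as an added example that is not code from the thesis: brute-force implementations of completeness, D(MO)SAC, (MO)BIC, nonlinearity (computed with the Walsh-Hadamard transform, which yields the same value as the minimum distance to an affine function), the maximum XOR table entry, and the cyclic properties, run on the n = 3 s-box of Section 1.2.1, transcribed from the matrix there as the lookup table [5, 3, 4, 1, 7, 6, 0, 2]. The handling of a constant change function in corr(), where (2.6) has a zero denominator, is my assumption (reported as correlation 0).

```python
# Added example (not code from the thesis): the Section 2.1 s-box properties
# computed by brute force.  An s-box is a lookup table sbox[X] = S(X); bit j of
# S(X) is column c_j.  Assumption: corr() returns 0 when a change function is
# constant, a case where (2.6) is undefined.
import math

# The thesis's n = 3 example, read row by row from its matrix (row X = S(X),
# most significant bit first): 101, 011, 100, 001, 111, 110, 000, 010.
EXAMPLE_SBOX = [5, 3, 4, 1, 7, 6, 0, 2]


def columns(sbox, n):
    """c_j as a 2^n-entry 0/1 vector indexed by input X: c_j(X) = bit j of S(X)."""
    return [[(sbox[x] >> j) & 1 for x in range(1 << n)] for j in range(n)]


def change_function(g, alpha):
    """g_alpha(X) = g(X) xor g(X xor alpha)."""
    return [g[x] ^ g[x ^ alpha] for x in range(len(g))]


def is_complete(sbox, n):
    """Every output bit j depends on every input bit i: (c_j)_{e_i} is not all zero."""
    cols = columns(sbox, n)
    return all(any(change_function(cols[j], 1 << i)) for i in range(n) for j in range(n))


def dsac(sbox, n, max_order=False):
    """(2.1)-(2.4): DSAC(S), or DMOSAC(S) when every nonzero alpha is considered."""
    alphas = range(1, 1 << n) if max_order else [1 << i for i in range(n)]
    return max(abs((1 << (n - 1)) - sum(change_function(c, a))) // 2
               for c in columns(sbox, n) for a in alphas)


def corr(v, w):
    """(2.6); E(v^2) = E(v) because v is 0/1-valued."""
    m = len(v)
    ev, ew = sum(v) / m, sum(w) / m
    evw = sum(a * b for a, b in zip(v, w)) / m
    var = (ev - ev * ev) * (ew - ew * ew)
    return 0.0 if var == 0 else (evw - ev * ew) / math.sqrt(var)  # assumption: 0 if undefined


def bic(sbox, n, max_order=False):
    """BIC(S) or MOBIC(S): largest |corr| between change functions of two distinct columns."""
    cols = columns(sbox, n)
    alphas = range(1, 1 << n) if max_order else [1 << i for i in range(n)]
    worst = 0.0
    for a in alphas:
        ch = [change_function(c, a) for c in cols]
        for j in range(n):
            for k in range(j + 1, n):
                worst = max(worst, abs(corr(ch[j], ch[k])))
    return worst


def walsh_spectrum(f):
    """Fast Walsh-Hadamard transform of (-1)^f: W_f(a) = sum_X (-1)^(f(X) xor a.X)."""
    w = [1 - 2 * b for b in f]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for k in range(i, i + h):
                w[k], w[k + h] = w[k] + w[k + h], w[k] - w[k + h]
        h *= 2
    return w


def nonlinearity(f):
    """nl(f) = min over affine g of wt(f xor g) = (2^t - max_a |W_f(a)|) / 2."""
    return (len(f) - max(abs(x) for x in walsh_spectrum(f))) // 2


def sbox_nonlinearity(sbox, n):
    """nl(S): minimum nl over all nonzero linear combinations of the columns."""
    cols, best = columns(sbox, n), None
    for mask in range(1, 1 << n):
        comb = [0] * (1 << n)
        for j in range(n):
            if (mask >> j) & 1:
                comb = [a ^ b for a, b in zip(comb, cols[j])]
        best = nonlinearity(comb) if best is None else min(best, nonlinearity(comb))
    return best


def max_xor_entry(sbox, n):
    """(2.8): largest XOR-table entry over input differences i != 0."""
    size = 1 << n
    table = [[0] * size for _ in range(size)]
    for i in range(size):
        for x in range(size):
            table[i][sbox[x] ^ sbox[x ^ i]] += 1
    return max(table[i][j] for i in range(1, size) for j in range(size))


def cyclic_properties(sbox):
    """(fixed points, number of cycles, average cycle length as in (2.9))."""
    seen, cycles = [False] * len(sbox), []
    for start in range(len(sbox)):
        if not seen[start]:
            cyc, x = [], start
            while not seen[x]:
                seen[x] = True
                cyc.append(x)
                x = sbox[x]
            cycles.append(cyc)
    fixed = sum(1 for x in range(len(sbox)) if sbox[x] == x)
    return fixed, len(cycles), sum(len(c) ** 2 for c in cycles) / len(sbox)


if __name__ == "__main__":
    S, n = EXAMPLE_SBOX, 3
    print("complete:", is_complete(S, n), "DSAC:", dsac(S, n), "DMOSAC:", dsac(S, n, True))
    print("BIC:", bic(S, n), "MOBIC:", bic(S, n, True), "nl(S):", sbox_nonlinearity(S, n))
    print("max XOR entry:", max_xor_entry(S, n), "cyclic:", cyclic_properties(S))
```

On the 3-bit example the functions return DSAC = 0 (so S satisfies SAC and is therefore complete), DMOSAC = 2, BIC = 1 (for the single-bit change with input bit 0, the change functions of columns c_1 and c_0 are exact complements of each other), nl(S) = 2, a maximum XOR table entry of 2, no fixed points, three cycles, and an average cycle length of 22/8 = 2.75. The same functions run unchanged on 8 x 8 s-boxes, which is the size the later chapters test.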

2.2 Properties of Randomly Chosen S-Boxes

One of the principal objects of the research behind this thesis is the development of a new SPN cryptosystem using key-dependent s-boxes, and therefore it will be useful to investigate the average properties of random invertible $n \times n$ s-boxes. Since the introduction of DES [5], a number of such results have appeared in the literature.

2.2.1 Completeness

O'Connor proved in [19] that a randomly chosen invertible $n \times n$ s-box has a high probability of being complete for sufficiently large $n$. In fact, he gave an explicit $o(\cdot)$ bound, vanishing as $n$ grows, on the probability that such an s-box is not complete (the expression for this bound is not legible in this copy). For an exact formula, see [20].

2.2.2 Avalanche and Strict Avalanche

The author has not found any results giving the probability that a random invertible $n \times n$ s-box satisfies AVAL or SAC (although there are bounds on the probability that a random function $f : \{0,1\}^t \to \{0,1\}$ satisfies SAC [30]). On the other hand, a number of theoretical and experimental results exist concerning the AVAL property for SPNs. Heys and Tavares developed a probabilistic model for the AVAL property of an SPN [10]. Their results for $N = 64$ and $n = M = 8$, using randomly selected s-boxes and the fixed permutation of Kam and Davida [11], indicate that AVAL is reasonably satisfied after 5 or more rounds. In fact, if $E_R$ is the expected number of output bit changes after $R$ rounds when one input bit is flipped, then the relative deviation $\left|1 - E_R/(N/2)\right|$ is at most about $10^{-5}$ for $R \ge 7$.

2.2.3 Bit Independence

The author is not aware of any theoretical results concerning the independence of output bits for randomly chosen invertible $n \times n$ s-boxes.

2.2.4 Nonlinearity

In 1983, Gordon and Retkin [8] showed that the probability that a randomly chosen invertible $n \times n$ s-box has one or more output bits which are linear functions of the input bits is

$$\frac{2n\,(2^n - 1)\,\left(2^{n-1}!\right)^2}{2^n!}. \qquad (2.10)$$

If $n = 8$, (2.10) evaluates to $7.1 \times 10^{-73}$. A more generally applicable result is due to Youssef and Tavares [29]. They prove that for an invertible $n \times n$ s-box $S$ and an even integer $2L$ ($0 \le L \le 2^{n-2}$),

$$\mathrm{prob}\left[\mathrm{nl}(S) \le 2^{n-1} - 2L\right] \;\le\; \frac{2\left(2^{n-1}!\right)^2\left(2^n - 1\right)^2}{2^n!} \sum_{\ell = L}^{2^{n-2}} \binom{2^{n-1}}{2^{n-2} + \ell}^2. \qquad (2.11)$$

If $n = 8$, we have, for example, $\mathrm{prob}[\mathrm{nl}(S) \le 64] \le 1.4 \times 10^{-11}$ and $\mathrm{prob}[\mathrm{nl}(S) \le 80] \le 4.6 \times 10^{-5}$. If $L = 2^{n-2}$, (2.11) evaluates to $2.3 \times 10^{-71}$; this is an upper bound on the probability that $\mathrm{nl}(S) = 0$, i.e., that one or more of the linear combinations of the columns of $S$ is an affine function. Compare this with the above value of Gordon and Retkin's expression (2.10) for $n = 8$. Experimental results support the theoretical result of (2.11). For example, Heys [9] generated 200 random invertible $8 \times 8$ s-boxes and found that each satisfied $86 \le \mathrm{nl}(S) \le 98$.

2.2.5 XOR Table Distribution

If $S$ is a randomly chosen invertible $n \times n$ s-box, and $0 \le A \le 2^n$ is an even integer, a formula of Youssef and Tavares [29] gives an upper bound on the probability that the maximum XOR table entry of $S$ (denoted $\mathrm{maxXOR}(S)$) is $\ge A$. For example, if $n = 8$ and $A = 16$, we have $\mathrm{prob}[\mathrm{maxXOR}(S) \ge 16] \le 0.0042$.

2.2.6 Cyclic Properties

In [31], Youssef et al. prove that the expected number of fixed points of a randomly chosen invertible $n \times n$ s-box is 1, with a variance of 1. They also state that the expected value and variance of the number of cycles are both approximately $\log_e 2^n \approx 0.69n$, and that the expected average cycle length is $2^{n-1} + 1/2$.

17

Chapter 3
Proposed SPN Cryptosystem

The results of Section 2.2 lend support to the idea of an SPN which uses pseudo-randomly generated, key-dependent s-boxes, since if $n$ is sufficiently large, these s-boxes will on average possess several good cryptographic properties. In this chapter we present such an SPN. Work on this system was done by the author in collaboration with Henk Meijer [14].

3.1 Known SPNs with Key-Dependent S-Boxes

In performing the literature search for this thesis, the author has discovered a small number of existing SPN cryptosystems which make use of key-dependent s-boxes. In this section we briefly discuss two such well-known systems; this allows some comparison with the system we introduce in Section 3.2.

3.1.1 Khufu

Khufu is a Feistel network cryptosystem invented by Ralph Merkle [16]. It has a 64-bit block size, and uses a variable-length key (up to 512 bits). The number of rounds in Khufu is required to be a multiple of 8 (up to 64). Khufu uses one $8 \times 32$ s-box per round, and this s-box is changed every eight rounds. The $8 \times 32$ s-boxes are generated in such a way that each of the four 8-bit output "columns" is a permutation of $\{0,1\}^8$. Therefore, changing the 8-bit input vector changes all four bytes in the 32-bit output vector. The simple algorithm used to create these permutations requires a stream of random bytes, and these are produced by using Khufu (with standard initial s-boxes) to repeatedly encrypt a fixed bitstring. The 64-bit output of each encryption provides eight random bytes; this process is continued until sufficient random bytes have been generated to create the key-dependent s-boxes. This self-referential approach eliminates the need for a separate algorithm to generate the key-dependent s-boxes, but it also complicates analysis of the system.

3.1.2 Blowfish

Blowfish (like Khufu) is a 64-bit Feistel network created by Bruce Schneier [23]. Blowfish uses four $8 \times 32$ s-boxes which remain unchanged during its 16 rounds. As with Khufu, these s-boxes are filled by using Blowfish (with fixed initial s-boxes) to repeatedly encrypt an initial block. Blowfish differs from Khufu in that while this initial block is being repeatedly encrypted, the initial s-boxes are being gradually modified until they reach their final form. Analysis of this s-box generation process also seems difficult.

3.2 Design and Rationale of Proposed System

3.2.1 Basic Design

The cryptosystem we are proposing is a 64-bit SPN with eight $8 \times 8$ key-dependent s-boxes per round. The basic SPN design has the advantages of being simple, and having been subjected to extensive cryptanalysis [9]. In each round we use the permutation of Kam and Davida [11], which connects output bit $i$ of s-box $j$ in round $r$ to input bit $j$ of s-box $i$ in round $r + 1$ (recall that the s-boxes in a given round are numbered $0, 1, \ldots, 7$ from right to left). Different s-boxes are used in each round, so the total number of s-boxes generated is $MR$. The number of rounds is variable, from 8 to 16, with a higher number of rounds affording greater security. The method of generating the s-boxes is discussed in Section 3.2.2. The use of the key will be limited to the s-box generation process; keying as in Figure 1.3 is not required.

3.2.2 Random S-Box Generation Process

Figure 3.1 depicts the conceptual layout of our s-box generation process. The key, $K$, is used to generate a series of subkeys $K_1, K_2, \ldots, K_{MR}$, by application of a function $f$. A second function $g$ generates the $i$-th s-box, $S_i$, from $K_i$. The functions $f$ and $g$ must meet certain requirements. First of all, they must produce s-boxes which are satisfactorily random, in order that the results of Section 2.2 apply. Secondly, even though the s-boxes are in principle secret, we want the generation process to be such that if a cryptanalyst obtains information about one of the s-boxes, this does not yield any information about any other s-box. We have outlined two general approaches to achieving this security.

Figure 3.1: Conceptual approach to random s-box generation ($K$ (key) enters $f$, which produces $K_1, K_2, K_3, K_4, \ldots$; each $K_i$ enters $g$, which produces $S_i$)

1. Make $f$ cryptographically secure; $g$ can then be any simple function which generates pseudo-random s-boxes from the $K_i$.

2. Make $g$ one-way, for example a secure hash function, or a many-to-one function. Then it is only required that $f$ be sufficiently random.

We are currently pursuing approach 1: we have chosen the RC4 cipher [24] for $f$. RC4 is a simple and widely used cipher which outputs pseudo-random bytes using a variable-length key (up to 2048 bits); these are XOR'd with the plaintext to produce the ciphertext. Software implementation of RC4 is extremely short, requiring about ten lines of code (we give the RC4 algorithm in Appendix A). Although technically proprietary, the RC4 cipher is publicly known and has undergone cryptanalysis.^1 For $g$ we use the following simple algorithm.

function GenerateRandomSBox
    for i = 0 to 255 do
        S(i) ← i                    /* initialise S to identity s-box */
    end for
    for i = 0 to 255 do
        j ← RandomInRange(i, 255)
        swap(S(i), S(j))
    end for
end GenerateRandomSBox

The function RandomInRange uses RC4 to select an integer uniformly from the closed interval $[i, 255]$ (assuming that the pseudo-random bytes generated by RC4 are uniformly distributed). It then follows that GenerateRandomSBox chooses an s-box uniformly from the set of all invertible $8 \times 8$ s-boxes. RandomInRange actually generates an integer in the interval $[0, k - 1]$, where $k = 255 - i + 1$, and then adds $i$. Since the output of RC4 is a pseudo-random byte, $b$, a first attempt would be for RandomInRange to return $(b \bmod k) + i$. However, for most values of $k$, this will not be uniformly selected from $[i, 255]$. This uniform distribution is achieved if $b$ falls in the range $[0, qk - 1]$, where $q = (256 \;\mathrm{div}\; k)$ (integer division), and therefore we simply use RC4 to generate random bytes until this is satisfied (on average, 1.25 bytes are generated by RC4 for every value returned by RandomInRange). Approach 2 for s-box generation has not been considered for this thesis. It may be an area for future work. In Section 3.3 we introduce two simple s-box generation schemes which are not intended to be secure; they are given to provide comparisons to the proposed system for the statistical testing of Chapter 4.

^1 RC4 was developed in 1987 for RSA Data Security, Inc. by Ronald Rivest. The algorithm was kept a trade secret until 1994, when it was leaked to the Internet, where it has been widely discussed and analysed. The correctness of the algorithm was confirmed by comparison with commercial implementations of RC4 [24].
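The following Python, added here as an example and not code from the thesis or its Appendix A, implements the generation path just described: RC4 (the standard key schedule and output loop) as $f$, the rejection-sampling RandomInRange, and GenerateRandomSBox as $g$, together with the average number of RC4 bytes consumed per selected value. The demonstration key is constructed for this example.

```python
def rc4_keystream(key: bytes):
    """Generator of RC4 pseudo-random bytes (f in Figure 3.1): the standard
    256-entry key schedule followed by the output loop."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def random_in_range(stream, lo: int, hi: int = 255) -> int:
    """RandomInRange(lo, hi): a uniform integer in [lo, hi] from RC4 bytes.
    With k = hi - lo + 1 and q = 256 div k, a byte b is accepted only when
    b < q*k, so that b mod k is uniform; other bytes are discarded."""
    k = hi - lo + 1
    q = 256 // k
    while True:
        b = next(stream)
        if b < q * k:
            return lo + (b % k)


def generate_random_sbox(stream) -> list:
    """GenerateRandomSBox (g in Figure 3.1): start from the identity s-box
    and swap S(i) with S(j), j uniform in [i, 255], for i = 0..255."""
    s = list(range(256))
    for i in range(256):
        j = random_in_range(stream, i, 255)
        s[i], s[j] = s[j], s[i]
    return s


def generate_sboxes(key: bytes, count: int) -> list:
    """Key-dependent s-boxes S_1..S_count: one RC4 stream under `key`,
    consumed sequentially by GenerateRandomSBox."""
    stream = rc4_keystream(key)
    return [generate_random_sbox(stream) for _ in range(count)]


def is_invertible(sbox: list) -> bool:
    """An 8x8 s-box is invertible exactly when it is a permutation of 0..255."""
    return sorted(sbox) == list(range(256))


def expected_bytes_per_value() -> float:
    """Mean number of RC4 bytes consumed per RandomInRange call, averaged over
    i = 0..255: a call accepts a byte with probability q*k/256, so it consumes
    256/(q*k) bytes on average (the thesis quotes about 1.25)."""
    total = 0.0
    for i in range(256):
        k = 256 - i
        q = 256 // k
        total += 256 / (q * k)
    return total / 256


if __name__ == "__main__":
    # Constructed demonstration key (not a key from the thesis).
    boxes = generate_sboxes(b"constructed demo key", 16)
    print(all(is_invertible(b) for b in boxes), round(expected_bytes_per_value(), 3))
```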

3.2.3 Advantages of Proposed System

The proposed cryptosystem has a number of advantages, most of which stem from the key-dependent s-box generation component. The results of Section 2.2 guarantee that if the s-boxes are generated in a sufficiently random fashion, each s-box has a high probability of being complete, possessing fairly high nonlinearity, having its largest XOR table entry $< 16$, and exhibiting good cyclic properties (few fixed points and cycles). These s-box properties contribute to a cryptographically strong SPN. Setting the minimum number of rounds to 8 should guarantee with high probability that the SPN almost exactly satisfies AVAL (Section 2.2.2). The fact that the s-boxes are unknown to the cryptanalyst is one of the principal strengths of our system, since this provides protection against linear and differential cryptanalysis [23]. Randomly generated s-boxes should also be free from any built-in algebraic structure, which may provide a basis for cryptanalysis. It is not apparent that the pseudo-random nature of the s-boxes introduces any exploitable weakness into the system. There is a very small probability that a "weak" (say, highly linear) s-box may be generated in some round, but since we use at least 8 rounds, it is not clear that this will affect the security of the system. Neither is it clear how a cryptanalyst could even detect the presence of such an s-box.

We have intentionally kept the s-box generation process separate from the SPN itself. As stated in Sections 3.1.1 and 3.1.2, the cryptosystems Khufu and Blowfish also use key-dependent s-boxes, but each incorporates the cryptosystem itself in some initial state to pseudo-randomly generate the s-boxes used for actual encryption and decryption. By avoiding this self-referential approach, we hope that the analysis of our system will be simplified. Our system will require a small amount of startup time to generate the s-boxes, making it suitable for applications such as cellular phones, which can tolerate a short startup delay. For example, a non-optimised software version of our system using 16 rounds required 0.07 sec. of startup time on a SUN Ultra 1 (140 MHz UltraSPARC CPU).

3.3 Comparison Systems

In this section we describe two s-box generation schemes which provide a means of comparison for the system introduced in Section 3.2.2. These schemes serve two different purposes. The first was chosen on the basis that it appears to be a good source of randomness. The second was chosen for the opposite reason: it generates s-boxes in a fairly structured manner; we wanted to see whether the new statistical tests we introduce in Section 4.3 would detect dependencies among the resulting s-boxes. The first s-box generation scheme simply makes use of the UNIX drand48 function [27]. The function drand48 is a linear congruential pseudo-random number generator which operates on 48-bit integers internally and returns a floating-point number in the interval $[0, 1)$. A 32-bit or 48-bit seed value is used to initialise drand48. We replace the function RandomInRange of Section 3.2.2 with

$$\mathrm{RandomInRange}(i, 255) = i + \lfloor \mathrm{drand48}() \times (256 - i) \rfloor.$$

Provided drand48 is sufficiently random, this will select an integer essentially uniformly from the interval $[i, 255]$.

The second scheme uses an 8-byte key $K = [K_1, K_2, K_3, K_4, K_5, K_6, K_7, K_8]$; if $S$ is the $j$-th s-box in round $r$, then $S$ is generated by the function GenerateRandomSBox of Section 3.2.2 with RandomInRange replaced by

$$\mathrm{RandomInRange}(i, 255) = i + [K_j + (i \times O_r)] \bmod (256 - i),$$

where $O_r$ is the $r$-th odd number greater than or equal to 3 ($O_1 = 3$, $O_2 = 5, \ldots$). If two s-boxes are in the same row, say in the $j$-th and $k$-th positions, then the values $[K_j + (i \times O_r)]$ and $[K_k + (i \times O_r)]$, computed before performing the modular arithmetic, differ by a constant for all values of $i$. We want to see if our tests will detect such correlations. (In the worst case, if two bytes of the key are the same, then the two s-boxes in each row which correspond to those key bytes will be identical.) For identification, we refer to this s-box generation scheme as the "weak" method in the remainder of this thesis.

Chapter 4
Analysis of Proposed System

In this chapter we describe theoretical and statistical analyses of the cryptosystem proposed in Chapter 3. As well as the straightforward testing for the properties of Section 2.1, we introduce new statistical tests designed to detect correlation between key-dependent pseudo-randomly generated s-boxes. These tests are given in Section 4.3. In Section 4.4 we prove some interesting theoretical results related to one of the new tests. The idea of correlation between s-boxes is worth considering further here. As stated in Section 3.2.2, we want the functions $f$ and $g$ used in the s-box generation process to be such that information about one s-box cannot be used to derive information about another s-box (recall Figure 3.1). For our system, this depends upon the properties of RC4. Let us first assume that RC4 is secure, that is, given knowledge of some of the output sequence of RC4, it is computationally infeasible to determine anything about the remaining output. Now suppose that a cryptanalyst has derived information about some $S_i$, and therefore about the corresponding $K_i$, since $g$ is a simple function. If this yields information about $S_j$ (and thus $K_j$) for $i \ne j$, then the assumption about RC4 has been contradicted. The security of RC4 therefore guarantees the absence of any correlation (whether analytically or statistically derived) between the SPN s-boxes. Note that in this thesis, we are not attempting to directly analyse the RC4 algorithm. Therefore, if RC4 is not secure, we attempt to detect any resulting weaknesses in the system by analysis of the SPN alone. It is interesting that even if RC4 is broken at some point in the future, this does not necessarily imply that our system is broken, since it does not immediately follow that a weakness in RC4 will assist a cryptanalyst in obtaining information about one or more of the unknown s-boxes.

4.1 Cryptanalysis of 2-Round System

Consider a 2-round version of our system, with the assumption that the s-box generation process is secure. The cryptanalyst only has the input and output of a 2-round SPN with unknown s-boxes. Enumerate the s-boxes in the first round from right to left as $S_0, S_1, \ldots, S_7$, and those in the second round as $T_0, T_1, \ldots, T_7$. We define a variation of the XOR table of Section 2.1.5 which we will use in this section and throughout the remainder of this thesis.

Definition 4.1.1. If $S$ is an invertible $n \times n$ s-box, then $T_{XOR}(S)$ is a $2^n \times 2^n$ table indexed by $0, 1, \ldots, 2^n - 1$, such that if $\alpha, \beta \in \{0,1\}^n$, then $T_{XOR}(S)[\alpha, \beta]$ contains all $n$-bit vector pairs $(X, X')$ such that $X \oplus X' = \alpha$ and $S(X) \oplus S(X') = \beta$.

This differs from what was previously defined in that each position in the XOR table of Section 2.1.5 contains only a count of the vector pairs stored in the same position in $T_{XOR}(S)$ (note that at times we will simply write $T_{XOR}$ when $S$ is understood). We will show how each $T_{XOR}(S_i)$ can be determined, using $S_0$ as an example. Fix the input to $S_1, S_2, \ldots, S_7$ (use, say, the zero vector), and let the input to $S_0$ vary over all $X \in \{0,1\}^8$ (this is a chosen plaintext attack). The input to each $T_j$ in the second round is fixed except in the least significant bit position, which depends upon the $j$-th output bit of $S_0$ ($0 \le j \le 7$). Let $o_j(X)$ be the output of $T_j$ when $X$ is the input to $S_0$ (see Figure 4.1); $o_j(X)$ takes on two different values, depending upon whether the least significant input bit to $T_j$ is 0 or 1.

Figure 4.1: Determining $T_{XOR}(S_0)$ (the input $X$ enters $S_0$; the first-round s-boxes $S_7, S_6, \ldots, S_1, S_0$ feed the second-round s-boxes $T_7, T_6, \ldots, T_1, T_0$, whose outputs are $o_7(X), o_6(X), \ldots, o_1(X), o_0(X)$)

The actual value of this input bit is not important; what matters is whether or not there is a change in this bit. For all $X, X' \in \{0,1\}^8$, the ordered pair $(X, X')$ is placed in position $[\alpha, \beta]$ of $T_{XOR}(S_0)$, where $\alpha = X \oplus X'$, and $\beta = b_7 b_6 \cdots b_0$, such that $b_j = 0$ if $o_j(X) = o_j(X')$ and $b_j = 1$ if $o_j(X) \ne o_j(X')$. Thus $T_{XOR}(S_0)$ is completely determined; the other $T_{XOR}(S_i)$ are computed in an analogous fashion. By using a chosen ciphertext attack, we can also determine each $T_{XOR}(T_j^{-1})$. The following lemma is useful.

Lemma 4.1.2. If $S$ is an invertible $n \times n$ s-box, then there are exactly $2^n$ invertible $n \times n$ s-boxes, $T$ (including $S$), such that $T_{XOR}(T) = T_{XOR}(S)$.

Proof. Let $a \in \{0,1\}^n$, and define the $n \times n$ s-box $T(X) = S(X) \oplus a$. It is not hard to see that $T$ is invertible, and that each $a \in \{0,1\}^n$ will result in a different $T$. If $X, X' \in \{0,1\}^n$, then

$$T(X) \oplus T(X') = [S(X) \oplus a] \oplus [S(X') \oplus a] = S(X) \oplus S(X'),$$

so $T_{XOR}(S) = T_{XOR}(T)$. Therefore there are at least $2^n$ invertible $n \times n$ s-boxes, $T$, such that $T_{XOR}(T) = T_{XOR}(S)$, since there are $2^n$ choices for $a$ (note that $T = S$ if $a = 0$). Now suppose $T$ is an invertible $n \times n$ s-box such that $T_{XOR}(T) = T_{XOR}(S)$. If we let $b = T(0)$, then for any nonzero $X \in \{0,1\}^n$, the ordered pair $(0, X)$ is found in $T_{XOR}(T)[\alpha, \beta]$, where

$$\alpha = 0 \oplus X = X, \qquad \beta = T(0) \oplus T(X) = b \oplus T(X) \implies T(X) = b \oplus \beta,$$

i.e., $T$ is completely determined. Since there are $2^n$ possibilities for $T(0)$, we conclude that there are at most $2^n$ invertible $n \times n$ s-boxes $T$ such that $T_{XOR}(T) = T_{XOR}(S)$. Combining this with the earlier result finishes the proof.

We can deduce two useful facts from the proof of Lemma 4.1.2. First, every s-box which has the same XOR table as $S$ is of the form $S(X) \oplus a$, for some $a \in \{0,1\}^n$. Second, these s-boxes can be generated from $T_{XOR}(S)$ by choosing the image of 0, say $b \in \{0,1\}^n$, since this determines the rest of the s-box. Denote an s-box constructed in this fashion by $S^b$. Then we have

$$S^b(0) \oplus S^b(X) = S(0) \oplus S(X) \implies S^b(X) = S(X) \oplus [S(0) \oplus b] \implies S(X) = S^b(X) \oplus a, \qquad (4.1)$$

where $a = S(0) \oplus b$. Note that although (4.1) does not give the value of $S(X)$, it does tell us that the output of $S$ is equal to the XOR of the output of $S^b$ (a known s-box) with an unknown $a \in \{0,1\}^n$. We are now ready to finish the cryptanalysis of the 2-round system. Using the above notation, generate the s-boxes $S_0^0, S_1^0, \ldots, S_7^0$, and $(T_0^{-1})^0, (T_1^{-1})^0, \ldots, (T_7^{-1})^0$. Then $S_i(X) = S_i^0(X) \oplus a_i$ and $T_j^{-1}(X) = (T_j^{-1})^0(X) \oplus b_j$, where $a_i, b_j \in \{0,1\}^8$ are unknown (we do know that $a_i = S_i(0) \oplus 0 = S_i(0)$ and $b_j = T_j^{-1}(0) \oplus 0 = T_j^{-1}(0)$). We will be using a known plaintext attack, so we want the "forward" s-boxes in the second round, that is, s-boxes which are equivalent to the $T_j$. Since $T_j^{-1}(X) = (T_j^{-1})^0(X) \oplus b_j$, it follows that $T_j(X) = T_j'(X \oplus b_j)$, where $T_j' = \left[(T_j^{-1})^0\right]^{-1}$, which is an s-box we can compute. A depiction of what we know about the system is shown in Figure 4.2. We can combine the $a_i$ and $b_j$ to obtain the 8-bit vectors $d_0, d_1, \ldots, d_7$, such that $d_j$ is XOR'd with the input of $T_j'$.

Figure 4.2: Information known about 2-round SPN (first round: the known s-boxes $S_7^0, S_6^0, \ldots, S_1^0, S_0^0$ with the unknown vectors $a_7, a_6, \ldots, a_1, a_0$ XOR'd onto their outputs; second round: the unknown vectors $b_7, b_6, \ldots, b_1, b_0$ XOR'd onto the inputs of the known s-boxes $T_7', T_6', \ldots, T_1', T_0'$)

Now we have a 2-round SPN with known s-boxes, and a 64-bit unknown key (the $d_j$) incorporated into the SPN as in Figure 1.3 (a). If we encrypt a single plaintext, we know the output of each first-round s-box, and from the ciphertext we know the output of (and thus the input to) each second-round s-box. Therefore we can determine the $d_j$; the system is now broken because although we have not determined the unknown s-boxes, we have built a system which behaves equivalently to the original. It is interesting that since there are $2^8$ choices for each of the 16 known s-boxes (replace $S_i^0$ with $S_i^b$ and $(T_j^{-1})^0$ with $(T_j^{-1})^{b'}$ for some $b, b' \in \{0,1\}^8$), we can build $(2^8)^{16} = 2^{128}$ such equivalent systems.

4.2 Testing Standard S-Box Properties

In this section we describe the implementation of the tests for the s-box properties of Section 2.1. Throughout this section $S$ always denotes an invertible $n \times n$ s-box. Some of the other notation in this section differs from that used in the rest of the thesis, since it is more of a pseudo-code style.

4.2.1 Testing SAC/MOSAC

The values $D_{SAC}(S)$ and $D_{MOSAC}(S)$ can be calculated in a straightforward way from the formulae of Section 2.1.2, or they can be derived from $T_{XOR}(S)$. We use the latter approach (we assume $T_{XOR}$ has been previously calculated as in Section 4.2.4). For each output bit $j$ ($0 \le j \le n - 1$) and each in_delta $\in \{0,1\}^n$, we execute:

dist_MOSAC ← 0
for each out_delta ∈ {0,1}^n do
    if out_delta has a 1 in position j then
        dist_MOSAC ← dist_MOSAC + |T_XOR[in_delta, out_delta]|
    end if
end for
dist_MOSAC ← (1/2^n) · |2^(n-1) − dist_MOSAC|

(here $|T_{XOR}[\text{in\_delta}, \text{out\_delta}]|$ denotes the number of vector pairs in position [in_delta, out_delta] of $T_{XOR}$). The statistic $D_{MOSAC}(S)$ is the maximum value of dist_MOSAC over all $j$ ($0 \le j \le n - 1$) and all in_delta $\in \{0,1\}^n$. The computation of $D_{SAC}(S)$ is essentially identical to the above, except that in_delta is restricted to the $n$-bit unit vectors. We can use $T_{XOR}(S)$ in this fashion because it contains all the necessary information. For a given output bit $j$ and in_delta $\in \{0,1\}^n$, it is clear from equations (2.3) and (2.4) that it is required to count the $X \in \{0,1\}^n$ such that $S(X)$ and $S(X \oplus \text{in\_delta})$ differ in at least position $j$. That is, we want to sum all the values $|T_{XOR}[\text{in\_delta}, \text{out\_delta}]|$ where out_delta has a 1 in position $j$.

4.2.2 Testing BIC/MOBIC

The computation of $MOBIC(S)$ (and $BIC(S)$) is straightforward. For each nonzero in_delta in $\{0,1\}^n$, we compute the "change s-box," stored in array delta_S:

delta_S[X] = S(X) ⊕ S(X ⊕ in_delta).

Then for each $i, j$ ($0 \le i < j \le n - 1$) we compute the correlation coefficient between columns $i$ and $j$ of delta_S. $MOBIC(S)$ is the absolute value of the correlation coefficient which is largest in absolute value. $BIC(S)$ is computed as above by restricting in_delta to the $n$-bit unit vectors. It is possible to calculate $(MO)BIC(S)$ using $T_{XOR}(S)$ (see Section 4.2.4). However this is computationally no more efficient than the method given.

4.2.3 Testing Nonlinearity

We test the nonlinearity of $S$, $nl(S)$, in the following way. Let the columns of $S$ be enumerated as $[c_{n-1}, c_{n-2}, \ldots, c_0]$. Let $L(S)$ be a $2^n \times 2^n$ binary matrix which stores the linear combinations of the columns of $S$, and enumerate the columns of $L(S)$ from left to right as $[v_{2^n-1}, v_{2^n-2}, \ldots, v_1, v_0]$. If $0 \le i \le (2^n - 1)$, let $b_i = b_{i,n-1} b_{i,n-2} \cdots b_{i,0}$ be the $n$-bit binary representation of $i$. Then $v_i$ is the linear combination of those $c_j$ ($0 \le j \le n - 1$) for which $b_{i,j} = 1$ ($v_0$ is the trivial linear combination). We say that $i$ is the "mask value" for $v_i$. Now let $I_n$ denote the $n \times n$ identity s-box, i.e., $I_n(X) = X$ for all $X \in \{0,1\}^n$. The set of all linear combinations of the columns of $I_n$, i.e., the columns of $L(I_n)$, is the set of all linear functions (see Section 2.1.4). We use the notation $L_n = L(I_n)$, and we enumerate the columns of $L_n$ from left to right as $\ell^n_{2^n-1}, \ell^n_{2^n-2}, \ldots, \ell^n_1, \ell^n_0$. Let $T_{nl}(S)$ be the $2^n \times 2^n$ nonlinearity table of $S$ (we will omit $S$ and write $T_{nl}$ when $S$ is clear from the context): for $0 \le i, j \le (2^n - 1)$, $T_{nl}[i, j]$ stores the distance between $v_i$ and the linear function $\ell^n_j$, that is

$$T_{nl}[i, j] = wt\left(v_i \oplus \ell^n_j\right). \qquad (4.2)$$

Making use of the fact mentioned in Section 2.1.4 that for every linear function $\ell^n_j$, there is a corresponding affine function $\overline{\ell^n_j}$ (the bitwise complement of $\ell^n_j$), and that $wt(\overline{\ell^n_j}) = 2^n - wt(\ell^n_j)$, it follows that

$$nl(S) = \min_{1 \le i \le 2^n - 1,\; 0 \le j \le 2^n - 1} \left( T_{nl}[i, j],\; 2^n - T_{nl}[i, j] \right)$$

(although the entries $T_{nl}[i, 0]$ for $i \ne 0$ are technically included in the formula for $nl(S)$, according to the definition of nonlinearity in Section 2.1.4, each such entry is equal to $2^{n-1}$ which is an upper bound on $nl(S)$, and therefore does not contribute to the minimum). Note that $T_{nl}$ is a variation of the linear approximation table (LAT) used by Youssef and Tavares [29]. In fact, $LAT[i, j] = 2^{n-1} - T_{nl}[i, j]$ for $0 \le i, j \le 2^n - 1$.

4.2.4 Testing Maximum XOR Table Entry

We generate $T_{XOR}(S)$, the XOR table of $S$ as given in Definition 4.1.1, in order to determine the entry of maximum size, to supply information for testing s-box properties such as $D_{SAC}/D_{MOSAC}(S)$ (see Section 4.2.1), and to compute the s-boxes $S_i^0$ and $(T_j^{-1})^0$ used in the 2-round cryptanalysis of our system (Section 4.1). Each entry of $T_{XOR}$ is initialised to the empty set, and then we execute

for each X in {0,1}^n do
    for each Y in {0,1}^n do
        in_delta ← X ⊕ Y
        out_delta ← S[X] ⊕ S[Y]
        T_XOR[in_delta, out_delta] ← T_XOR[in_delta, out_delta] ∪ {(X, Y)}
    end for
end for

Then $\mathrm{maxXOR}(S)$ is the maximum of the values $|T_{XOR}[i, j]|$, for $1 \le i, j \le (2^n - 1)$.

4.2.5 Testing Cyclic Properties

The function which computes the cyclic properties of $S$ finds three values: number of fixed points, number of cycles, and average cycle length. The number of fixed points is determined by simply counting the $X$ in $\{0,1\}^n$ for which $S(X) = X$. To determine the number of cycles and average cycle length, first mark all $X$ in $\{0,1\}^n$ as "unused." Select some $X_1$ in $\{0,1\}^n$ and follow the cycle to which it belongs until $X_1$ is again encountered:

$$X_1 \xrightarrow{S} X_2 \xrightarrow{S} X_3 \xrightarrow{S} \cdots \xrightarrow{S} X_m \xrightarrow{S} X_1.$$

The elements $X_1, X_2, \ldots, X_m$ are then marked "used." Select another "unused" $X_1$ and repeat, until all elements are "used." Keep a count of the number of cycles. If the distinct cycles are $C_1, C_2, \ldots, C_\gamma$, and if $\lambda(X)$ is the length of the cycle to which $X$ belongs, then the average cycle length as defined in Section 2.1.6 is:

$$\frac{1}{2^n} \sum_{X = 0}^{2^n - 1} \lambda(X) = \frac{1}{2^n} \sum_{i = 1}^{\gamma} |C_i|^2.$$
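The following Python, added here as an example and not the thesis's own test programs, implements the tests of Sections 4.2.1 and 4.2.3 to 4.2.5 for a small $n$, using the public 4-bit PRESENT s-box as a constructed test input; the $T_{XOR}$ cells hold pair sets as in Definition 4.1.1, and d_mosac skips the zero input difference (it changes no bit) and normalises the deviation by $2^n$ as read from Section 4.2.1.

```python
# Constructed test input: the public 4x4 PRESENT s-box (n = 4); any invertible
# n x n s-box given as a list of 2^n outputs can be used instead.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def xor_table(sbox):
    """T_XOR(S) of Definition 4.1.1 built as in Section 4.2.4: cell
    [in_delta][out_delta] holds the set of ordered pairs (X, Y) with
    X xor Y = in_delta and S(X) xor S(Y) = out_delta."""
    size = len(sbox)
    table = [[set() for _ in range(size)] for _ in range(size)]
    for x in range(size):
        for y in range(size):
            table[x ^ y][sbox[x] ^ sbox[y]].add((x, y))
    return table


def max_xor(table):
    """maxXOR(S): largest cell size over 1 <= i, j <= 2^n - 1."""
    size = len(table)
    return max(len(table[i][j]) for i in range(1, size) for j in range(1, size))


def d_mosac(table, n, unit_vectors_only=False):
    """D_MOSAC(S), or D_SAC(S) when in_delta is restricted to unit vectors:
    for output bit j and input difference in_delta, sum the cell sizes whose
    out_delta has bit j set (the X for which S(X) and S(X xor in_delta) differ
    in bit j) and take |2^(n-1) - count| / 2^n, maximised over j and in_delta.
    in_delta = 0 is skipped since it never changes any bit."""
    size = 1 << n
    deltas = [1 << k for k in range(n)] if unit_vectors_only else range(1, size)
    worst = 0.0
    for j in range(n):
        for in_delta in deltas:
            changed = sum(len(table[in_delta][out_delta])
                          for out_delta in range(size) if (out_delta >> j) & 1)
            worst = max(worst, abs(size // 2 - changed) / size)
    return worst


def linear_combinations(sbox, n):
    """L(S) of Section 4.2.3: column v_i is the XOR of the output columns
    selected by mask i, listed over all inputs X = 0..2^n-1."""
    return [[bin(sbox[x] & i).count("1") & 1 for x in range(1 << n)]
            for i in range(1 << n)]


def nonlinearity(sbox, n):
    """nl(S) from T_nl[i, j] = wt(v_i xor ell^n_j) (equation (4.2)): the
    minimum over i != 0 of the distance to ell^n_j and to its complement."""
    size = 1 << n
    v = linear_combinations(sbox, n)
    ell = linear_combinations(list(range(size)), n)    # L_n = L(I_n)
    best = size
    for i in range(1, size):
        for j in range(size):
            dist = sum(a ^ b for a, b in zip(v[i], ell[j]))
            best = min(best, dist, size - dist)
    return best


def cyclic_properties(sbox):
    """(fixed points, number of cycles, average cycle length) as in
    Section 4.2.5; the average is (1/2^n) * sum over cycles of |C_i|^2."""
    size = len(sbox)
    fixed = sum(1 for x in range(size) if sbox[x] == x)
    used = [False] * size
    cycle_lengths = []
    for start in range(size):
        if used[start]:
            continue
        length, x = 0, start
        while not used[x]:                 # follow the cycle until it closes
            used[x] = True
            x = sbox[x]
            length += 1
        cycle_lengths.append(length)
    average = sum(m * m for m in cycle_lengths) / size
    return fixed, len(cycle_lengths), average


if __name__ == "__main__":
    t = xor_table(PRESENT_SBOX)
    print(nonlinearity(PRESENT_SBOX, 4), max_xor(t), d_mosac(t, 4),
          cyclic_properties(PRESENT_SBOX))
```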

4.3 New Statistical Tests

In order to investigate the correlation between two randomly chosen s-boxes, it was necessary to devise new statistical testing. This pursuit led to some interesting theoretical results, as well as an understanding of the connection between one of the new tests and the existing test for nonlinearity (Section 2.1.4). The work in this section is due to the author; however, the catalyst was the idea of Section 4.3.1, which is due to Henk Meijer [14].

4.3.1 Column Correlation

This section investigates the concept of column correlation (CC) between two randomly chosen invertible $n \times n$ s-boxes, $S_1$ and $S_2$. Let the columns of $S_i$ be enumerated as $c^i_{n-1}, c^i_{n-2}, \ldots, c^i_1, c^i_0$ ($i = 1, 2$). Let $T_{CC}(S_1, S_2)$ be an $n \times n$ table such that for $0 \le i, j \le n - 1$, $T_{CC}(S_1, S_2)[i, j] = \mathrm{corr}(c^1_i, c^2_j)$ (recall the definition of the correlation coefficient from Section 2.1.3). When $S_1$ and $S_2$ are obvious from the context, we will simply write $T_{CC}[i, j]$. We define the statistic

$$CC(S_1, S_2) = \max_{0 \le i, j \le n - 1} \left| T_{CC}[i, j] \right|.$$

We have $0 \le CC(S_1, S_2) \le 1$, with larger values indicating higher correlation between a column of $S_1$ and a column of $S_2$. It will be useful in what follows to simplify $T_{CC}$ somewhat. To do so, we make use of the following lemma.

Lemma 4.3.1. Let $T = 2t$, where $t$ is a positive integer, and let $v$ and $w$ be chosen uniformly at random from the set of all $T$-bit balanced binary vectors. Then the set of possible values for $\mathrm{corr}(v, w)$ is

$$\left\{ \frac{4k}{T} - 1 : k \text{ an integer},\; 0 \le k \le T/2 \right\}, \qquad (4.3)$$

where the value $\frac{4k}{T} - 1$ occurs with probability

$$\frac{\binom{T/2}{k}^2}{\binom{T}{T/2}}.$$

Proof. Since $v$ and $w$ are balanced vectors, $E(v) = E(w) = \frac{1}{2}$. By observing that the summation in (2.6) is simply the dot product of $v$ and $w$, $\mathrm{corr}(v, w)$ reduces to

$$\frac{\dfrac{(v \cdot w)}{T} - \dfrac{1}{4}}{\sqrt{\left(\dfrac{1}{2} - \dfrac{1}{4}\right)\left(\dfrac{1}{2} - \dfrac{1}{4}\right)}} = \frac{4\,(v \cdot w)}{T} - 1.$$

Since $v$ and $w$ are balanced, $0 \le v \cdot w \le T/2$, and (4.3) is satisfied. Now let $v$ be a fixed balanced vector, and let $k$ be an integer, with $0 \le k \le T/2$. There are $\binom{T/2}{k}\binom{T/2}{T/2 - k} = \binom{T/2}{k}^2$ ways to position the 1's of $w$ such that $v \cdot w = k$ ($\binom{T/2}{k}$ ways to position $k$ 1's of $w$ to correspond to 1's in $v$, and $\binom{T/2}{T/2 - k} = \binom{T/2}{k}$ ways to position the remaining $(T/2 - k)$ 1's of $w$ to correspond to 0's in $v$). Since the total number of $T$-bit balanced vectors is $\binom{T}{T/2}$, the probability that $v \cdot w = k$ is

$$\frac{\binom{T/2}{k}^2}{\binom{T}{T/2}}.$$

Note that the correlation value with the highest probability occurs when $k = \lfloor T/4 \rfloor$ (also when $k = \lceil T/4 \rceil$ if $T$ is not divisible by 4). Returning to $T_{CC}$ for $S_1$ and $S_2$, by Lemma 4.3.1 we can replace $T_{CC}[i, j]$ with $T'_{CC}[i, j] = c^1_i \cdot c^2_j$, without losing any information. This results in a simpler table of integer values, each of which is in the set $\{0, 1, 2, \ldots, 2^{n-1}\}$ by Lemma 4.3.1.

4.3.2 Linear Combination Correlation

If $S_1$ and $S_2$ are two invertible $n \times n$ s-boxes, let $L(S_i)$ be the binary matrix which stores the linear combinations of the columns of $S_i$ ($i = 1, 2$), as in Section 4.2.3. Enumerate the columns of $L(S_1)$ as $[v_{2^n-1}, v_{2^n-2}, \ldots, v_0]$, and the columns of $L(S_2)$ as $[w_{2^n-1}, w_{2^n-2}, \ldots, w_0]$. We generalise the CC statistic of Section 4.3.1 in a natural way. Define the $2^n \times 2^n$ table $T_{LCC}(S_1, S_2)$ such that $T_{LCC}(S_1, S_2)[i, j] = \mathrm{corr}(v_i, w_j)$ (LCC stands for linear combination correlation; note that if $i = 0$ or $j = 0$, then $T_{LCC}[i, j]$ is undefined). We will omit $(S_1, S_2)$ and write $T_{LCC}$ when it is clear which two s-boxes are concerned. We define the statistic

$$LCC(S_1, S_2) = \max_{1 \le i, j \le 2^n - 1} \left| T_{LCC}[i, j] \right|.$$

As in Section 4.3.1, we make use of Lemma 4.3.1 and define $T'_{LCC}[i, j] = v_i \cdot w_j$ (this is defined even when $i$ or $j$ is 0). From Lemma 4.3.1 we have $T'_{LCC}[i, j] \in \{0, 1, 2, \ldots, 2^{n-1}\}$ for $1 \le i, j \le (2^n - 1)$, and $T'_{LCC}[i, j] = 0$ if $i = 0$ or $j = 0$.
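The following Python, added here as an example and not code from the thesis, serves both the "weak" generator of Section 3.3 and the statistics of Sections 4.3.1 and 4.3.2: it computes $T'_{LCC}$ and $LCC(S_1, S_2)$ through the dot-product reduction of Lemma 4.3.1, evaluates the lemma's probability distribution, and builds weak-method s-boxes from a constructed 8-byte key so that the identical-s-box case can be observed. The correlation function is the ordinary covariance-over-standard-deviations form assumed for equation (2.6).

```python
from math import comb


def correlation(v, w):
    """Correlation coefficient of two equal-length 0/1 vectors (covariance
    divided by the product of the standard deviations, the form of (2.6))."""
    t = len(v)
    mv, mw = sum(v) / t, sum(w) / t
    cov = sum((a - mv) * (b - mw) for a, b in zip(v, w)) / t
    var_v = sum((a - mv) ** 2 for a in v) / t
    var_w = sum((b - mw) ** 2 for b in w) / t
    return cov / (var_v * var_w) ** 0.5


def lemma_correlation(k, t):
    """corr(v, w) = 4k/T - 1 for T-bit balanced v, w with v . w = k (Lemma 4.3.1)."""
    return 4 * k / t - 1


def lemma_probability(t, k):
    """Probability from Lemma 4.3.1 that two random T-bit balanced vectors
    have dot product k: C(T/2, k)^2 / C(T, T/2)."""
    return comb(t // 2, k) ** 2 / comb(t, t // 2)


def linear_combinations(sbox, n):
    """L(S) of Section 4.2.3: column i is the XOR of the output columns
    selected by mask i, listed over all inputs X = 0..2^n-1."""
    return [[bin(sbox[x] & i).count("1") & 1 for x in range(1 << n)]
            for i in range(1 << n)]


def lcc_prime_table(s1, s2, n):
    """T'_LCC[i, j] = v_i . w_j (Section 4.3.2); zero when i = 0 or j = 0."""
    v, w = linear_combinations(s1, n), linear_combinations(s2, n)
    return [[sum(a & b for a, b in zip(v[i], w[j])) for j in range(1 << n)]
            for i in range(1 << n)]


def lcc(s1, s2, n):
    """LCC(S1, S2) = max |corr(v_i, w_j)| over 1 <= i, j <= 2^n - 1, computed
    from the dot-product table via Lemma 4.3.1 with T = 2^n."""
    t = 1 << n
    table = lcc_prime_table(s1, s2, n)
    return max(abs(lemma_correlation(table[i][j], t))
               for i in range(1, t) for j in range(1, t))


def weak_sbox(key, j, r):
    """The "weak" comparison generator of Section 3.3: GenerateRandomSBox with
    RandomInRange(i, 255) = i + (K_j + i*O_r) mod (256 - i), where K_j is the
    j-th key byte (1 <= j <= 8) and O_r is the r-th odd number >= 3."""
    o_r = 2 * r + 1
    s = list(range(256))
    for i in range(256):
        target = i + (key[j - 1] + i * o_r) % (256 - i)
        s[i], s[target] = s[target], s[i]
    return s


if __name__ == "__main__":
    # Constructed 8-byte key with K_1 == K_2, so s-boxes 1 and 2 of round 1 coincide.
    key = bytes([0x2A, 0x2A, 0x10, 0x7F, 0x03, 0xC4, 0x55, 0x9E])
    print(weak_sbox(key, 1, 1) == weak_sbox(key, 2, 1),
          lcc(list(range(16)), list(range(16)), 4))
```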

4.3.3 Chi-Square Goodness-of-Fit Test

In considering methods of testing for correlation between the s-boxes generated using our system, it seemed that we should be able to make use of the theoretical distribution of Lemma 4.3.1. Now given two invertible $n \times n$ s-boxes, $S_1$ and $S_2$, the values in the tables $T'_{CC}$ and $T'_{LCC}$ are distributed in some fashion. If each table entry were obtained from the dot product of two randomly selected $2^n$-bit balanced vectors, then the resulting distribution should appear to be drawn from the theoretical distribution of Lemma 4.3.1, and this could be tested statistically. However, given one column or linear combination of columns of an s-box, clearly the other columns or linear combinations are not randomly distributed relative to it (in fact, the table $T'_{LCC}$ is highly structured, as we will see in Section 4.4). In order to make use of the theoretical distribution of Lemma 4.3.1, we followed an idea due to Timothy Ramsay [22], which we present in this section. We will discuss this idea in the context of the linear combinations of the columns of two s-boxes. We first generate a series of $Q$ s-box pairs at random:

$$\left(S^1_1, S^1_2\right), \left(S^2_1, S^2_2\right), \ldots, \left(S^Q_1, S^Q_2\right).$$

For each fixed $i$ and $j$, for $1 \le i, j \le (2^n - 1)$, let $q$ range from 1 to $Q$, and consider the distribution of values $T'_{LCC}(S^q_1, S^q_2)[i, j]$ (we are only interested in correlation between nontrivial linear combinations of columns, and this corresponds to positive values of $i$ and $j$). This sample distribution should appear to be drawn from the theoretical distribution of Lemma 4.3.1. We can test this using a chi-square goodness-of-fit test [18]. Our null hypothesis is

$H_0$: the form of the sample distribution is the form of the theoretical distribution.

We will use $\alpha = 0.05$, i.e., a 95-percent confidence interval. For each integer $k$, with $0 \le k \le 2^{n-1}$, let $O_k$ be the frequency of the value $k$ in the sample distribution, and define

$$E_k = \frac{\binom{T/2}{k}^2}{\binom{T}{T/2}}\; Q,$$

which is the expected frequency of the value $k$, based on Lemma 4.3.1. For all sufficiently large $Q$ there are integers $k', k''$ such that

$$E_k \ge 5 \quad \text{for } k' \le k \le k'', \qquad E_k < 5 \quad \text{for } 0 \le k < k' \text{ or } k'' < k \le 2^{n-1}.$$

Each value of $k$ for $k' \le k \le k''$ represents a data "cell"; as well, the values of $k$ for which $0 \le k < k'$ are grouped together into a single "cell," as are those for which $k'' < k \le 2^{n-1}$ (the use of 5 as a minimum expected value is common for the chi-square test [18]). Define

$$O' = \sum_{k}$$

k > > :(2n? ) (w ? 1) if z = 1

?1 ? X

2n

j =0

0

1

0

2. the sum of the square of the dot product of z with each column of Ln , denoted SS n(z), takes one of two values:

SS n(z) =

?1 ? X

2n

2

8 > > > :(2n? ) Tw?

j =0

1

1

if z0 = 0 if z0 = 1

Proof. The proof proceeds by induction. The base case, when n = 1, is easy to verify. Assume that the statements of Items 1 and 2 above hold for some n  1. Let z be a 2n+1-bit column vector, z = [ bt ], where t and b are 2n-bit column vectors: 2

t

6 6 6 = 666 6 4

t t ...

0 1

t

2n

3

2

7 7 7 7 7 7 7 5

6 6 6 = 666 6 4

and b

?1

b b ...

0 1

b

2n

42

?1

3 7 7 7 7 7 7 7 5

(t and b stand for \top" and \bottom," respectively). Thus z = t . Let wt = wt(t) and wb = wt(b); then w = wt + wb. 0

0

1. For the sum of the dot product of $z$ with each $\ell^{n+1}_j$, we have
$$\begin{aligned}
S^{n+1}(z) &= \sum_{j=0}^{2^{n+1}-1} z \cdot \ell^{n+1}_j \\
&= \sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j + b \cdot \ell^n_j\right) + \sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j + b \cdot \overline{\ell^n_j}\right) \qquad (4.8) \\
&= S^n(t) + S^n(b) + S^n(t) + \sum_{j=0}^{2^n-1} b \cdot \overline{\ell^n_j}, \qquad (4.9)
\end{aligned}$$
where (4.8) follows from the structure of $L_{n+1}$ given in Lemma 4.4.3. Isolating the summation in (4.9) we have
$$\sum_{j=0}^{2^n-1} b \cdot \overline{\ell^n_j} = \sum_{j=0}^{2^n-1}\left(w_b - b \cdot \ell^n_j\right) = (2^n)\, w_b - S^n(b). \qquad (4.10)$$
Combining (4.9) and (4.10), and using the induction hypothesis, we obtain
$$S^{n+1}(z) = 2S^n(t) + (2^n)\, w_b = \begin{cases} 2\left(2^{n-1}\right) w_t + (2^n)\, w_b = (2^n)\, w & \text{if } z_0 = 0 \\ 2\left(2^{n-1}\right)(w_t - 1) + (2^n)\, w_b = (2^n)(w-1) & \text{if } z_0 = 1, \end{cases}$$
which is what we wanted to show.

2. The result concerning $SS^{n+1}(z)$ is proven as follows.
$$\begin{aligned}
SS^{n+1}(z) &= \sum_{j=0}^{2^{n+1}-1}\left(z \cdot \ell^{n+1}_j\right)^2 \\
&= \sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j + b \cdot \ell^n_j\right)^2 + \sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j + b \cdot \overline{\ell^n_j}\right)^2 \qquad (4.11) \\
&= \sum_{j=0}^{2^n-1}\left[\left(t \cdot \ell^n_j\right)^2 + 2\left(t \cdot \ell^n_j\right)\left(b \cdot \ell^n_j\right) + \left(b \cdot \ell^n_j\right)^2\right] \\
&\qquad + \sum_{j=0}^{2^n-1}\left[\left(t \cdot \ell^n_j\right)^2 + 2\left(t \cdot \ell^n_j\right)\left(b \cdot \overline{\ell^n_j}\right) + \left(b \cdot \overline{\ell^n_j}\right)^2\right] \\
&= 2SS^n(t) + SS^n(b) + \sum_{j=0}^{2^n-1}\left(b \cdot \overline{\ell^n_j}\right)^2 + 2\sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j\right)\left(b \cdot \ell^n_j\right) + 2\sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j\right)\left(b \cdot \overline{\ell^n_j}\right). \qquad (4.12)
\end{aligned}$$
Note that (4.11) was obtained from the previous line by using the structure of $L_{n+1}$. Combining the last two summations in (4.12) gives
$$2\sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j\right)\left(b \cdot \ell^n_j + b \cdot \overline{\ell^n_j}\right) = 2\sum_{j=0}^{2^n-1}\left(t \cdot \ell^n_j\right) w_b = 2S^n(t)\, w_b. \qquad (4.13)$$
Also, we can combine two other terms in (4.12):
$$\begin{aligned}
SS^n(b) + \sum_{j=0}^{2^n-1}\left(b \cdot \overline{\ell^n_j}\right)^2 &= SS^n(b) + \sum_{j=0}^{2^n-1}\left(w_b - b \cdot \ell^n_j\right)^2 \\
&= SS^n(b) + (2^n)\, w_b^2 - 2S^n(b)\, w_b + SS^n(b) \\
&= 2SS^n(b) + (2^n)\, w_b^2 - 2S^n(b)\, w_b. \qquad (4.14)
\end{aligned}$$
If $b_0 = 0$, then by the induction hypothesis (4.14) is equal to
$$2\left(2^{n-1}\right) T_{w_b} + (2^n)\, w_b^2 - 2\left(2^{n-1}\right) w_b^2 = (2^n)\, T_{w_b}.$$
If $b_0 \ne 0$, then (4.14) reduces to
$$2\left(2^{n-1}\right) T_{w_b - 1} + (2^n)\, w_b^2 - 2\left(2^{n-1}\right)(w_b - 1)\, w_b = (2^n)\, T_{w_b - 1} + (2^n)\, w_b = (2^n)\left(T_{w_b - 1} + w_b\right) = (2^n)\, T_{w_b}.$$
Therefore (4.14) is equal to $(2^n)\, T_{w_b}$, independent of the value of $b_0$. Using this, together with (4.13), we return to (4.12):
$$\begin{aligned}
SS^{n+1}(z) &= 2SS^n(t) + (2^n)\, T_{w_b} + 2S^n(t)\, w_b \\
&= \begin{cases} (2^n)\, T_{w_t} + (2^n)\, T_{w_b} + (2^n)\, w_t w_b = (2^n)\, T_{w_t + w_b} = (2^n)\, T_w & \text{if } t_0 = 0 \\ (2^n)\, T_{w_t - 1} + (2^n)\, T_{w_b} + (2^n)(w_t - 1)\, w_b = (2^n)\, T_{w_t + w_b - 1} = (2^n)\, T_{w-1} & \text{if } t_0 = 1 \end{cases}
\end{aligned}$$
(in both cases we have applied the induction hypothesis and made use of the simple equality $T_a + T_b + ab = T_{a+b}$, for integers $a, b \ge 0$).

This completes the proof of Lemma 4.4.4.

Proof of Theorem 4.4.2. In light of Lemma 4.4.1, we can limit our consideration of the proof of Theorem 4.4.2 to the entries of $T'_{LCC}(S, I_n)$, where $S$ is any invertible $n \times n$ s-box. Correspondingly, in the statement of Theorem 4.4.2 we replace the expression $S_1^{-1}(0) = S_2^{-1}(0)$ (respectively, $S_1^{-1}(0) \ne S_2^{-1}(0)$) with $S(0) = 0$ (respectively, $S(0) \ne 0$).

A few observations will be useful. First, recall that the nontrivial linear combinations of the columns of an invertible $n \times n$ s-box are balanced, and thus have weight $2^{n-1}$. Secondly, if $X = X_{n-1} \cdots X_1 X_0 \in \{0,1\}^n$ with $X \ne 0$, and $a_0, a_1, \ldots, a_{n-1} \in \{0,1\}$, with not all $a_i = 0$ simultaneously, then the expression
$$a_{n-1} X_{n-1} \oplus \cdots \oplus a_1 X_1 \oplus a_0 X_0$$
evaluates to 1 for $2^{n-1}$ of the $2^n - 1$ possible nontrivial assignments of bits to the $a_i$, and evaluates to 0 for the remaining $(2^{n-1} - 1)$ nontrivial assignments. Let $[v_{2^n-1}, \ldots, v_1, v_0]$ be the usual enumeration of the linear combinations of the columns of $S$ (see Section 4.2.3). It follows that if $S(0) \ne 0$, and if
$$v_i = \begin{bmatrix} z_0 \\ z_1 \\ \vdots \\ z_{2^n-1} \end{bmatrix}, \qquad (4.15)$$
for $1 \le i \le (2^n - 1)$, then $z_0 = 1$ for $2^{n-1}$ of the values of $i$ in this range, and $z_0 = 0$ for the remaining $(2^{n-1} - 1)$ values of $i$. The third observation is that $S^n(v_i)$ is the sum of the entries in row $i$ of $T'_{LCC}(S, I_n)$ (by definition, $S^n(v_i)$ includes position $[i, 0]$, but this can be ignored, since it is always equal to zero). Therefore, if $S(0) \ne 0$, the mean $\mu$ of the entries $T'_{LCC}(S, I_n)[i, j]$ for $i, j \ne 0$ is equal to
$$\begin{aligned}
\mu &= \frac{1}{(2^n-1)^2} \sum_{i,j} T'_{LCC}[i,j] = \frac{1}{(2^n-1)^2} \sum_{i=1}^{2^n-1} S^n(v_i) \\
&= \frac{1}{(2^n-1)^2}\left[2^{n-1} \cdot 2^{n-1}\left(2^{n-1} - 1\right) + \left(2^{n-1} - 1\right) 2^{n-1} \cdot 2^{n-1}\right] \qquad (4.16) \\
&= \frac{2^{2n-2}\left(2^n - 2\right)}{(2^n-1)^2},
\end{aligned}$$
completing this case. Note that (4.16) follows from the previous line by Lemma 4.4.4. If $S(0) = 0$, then $z_0 = 0$ for all $v_i$ (with $v_i$ as in (4.15)). Therefore, applying Lemma 4.4.4 to (4.16), we have
$$\mu = \frac{1}{(2^n-1)^2} \sum_{i=1}^{2^n-1} S^n(v_i) = \frac{(2^n-1)\left(2^{n-1}\right)^2}{(2^n-1)^2} = \frac{2^{2n-2}}{2^n-1},$$
which is what we wanted to show. This completes the proof of Item 1 of Theorem 4.4.2.

The proof of the variance, $\sigma^2$, of the entries of $T'_{LCC}(S, I_n)$ is similar in approach to the above. Let $\sigma^2_{=}$ be the value of $\sigma^2$ when $S(0) = 0$, and let $\sigma^2_{\ne}$ be the value of $\sigma^2$ when $S(0) \ne 0$. Suppose that $S(0) = 0$. Then writing $\sum$ for $\sum_{i,j=1}^{2^n-1}$, we have
$$\begin{aligned}
\sigma^2_{=} &= \frac{1}{(2^n-1)^2} \sum \left[T'_{LCC}[i,j] - \mu_{=}\right]^2 \\
&= \frac{1}{(2^n-1)^2} \sum \left(T'_{LCC}[i,j]^2 - 2\, T'_{LCC}[i,j]\, \mu_{=} + \mu_{=}^2\right) \\
&= \frac{\sum T'_{LCC}[i,j]^2 - 2\mu_{=} \sum T'_{LCC}[i,j] + (2^n-1)^2\, \mu_{=}^2}{(2^n-1)^2} \\
&= \frac{\sum T'_{LCC}[i,j]^2}{(2^n-1)^2} - 2\mu_{=}^2 + \mu_{=}^2 \\
&= \frac{\sum T'_{LCC}[i,j]^2}{(2^n-1)^2} - \mu_{=}^2. \qquad (4.17)
\end{aligned}$$
Isolating the summation in (4.17) and using Lemma 4.4.4, we get
$$\begin{aligned}
\sum_{i,j=1}^{2^n-1} T'_{LCC}[i,j]^2 &= \sum_{i=1}^{2^n-1} SS^n(v_i) = \sum_{i=1}^{2^n-1} 2^{n-1}\, T_{2^{n-1}} \\
&= (2^n - 1)\, 2^{n-1}\, \frac{\left(2^{n-1}\right)\left(2^{n-1} + 1\right)}{2} \\
&= 2^{4n-4} + 2^{3n-4} - 2^{2n-3}. \qquad (4.18)
\end{aligned}$$
Now from the proof for $\mu$ we know that $\mu_{=}^2 = 2^{4n-4}/(2^n-1)^2$; if we substitute this into (4.17) together with (4.18) and reduce, we get
$$\sigma^2_{=} = \frac{2^{3n-4} - 2^{2n-3}}{(2^n-1)^2},$$
which is what we wanted to show. The proof for the case $S(0) \ne 0$ is similar to the above. We do not give it here.
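Both closed forms can be checked by brute force for small $n$. The following Python is an added example, not part of the thesis: it builds the columns $\ell^n_j$ of $L_n$ as the $2^n$ linear Boolean functions on $n$ bits (so that $L_{n+1}$ has the block structure used in (4.8) and (4.11)), verifies Lemma 4.4.4 for every $2^n$-bit $z$, and verifies the mean of Theorem 4.4.2 in both cases, and the variance in the case $S(0) = 0$, on random invertible s-boxes using exact rational arithmetic. It assumes, consistently with the third observation above (row $i$ of $T'_{LCC}(S, I_n)$ sums to $S^n(v_i)$), that $T'_{LCC}(S, I_n)[i,j] = v_i \cdot \ell^n_j$ with $v_i$ the $i$-th linear combination of the output columns of $S$; the variance for $S(0) \ne 0$ is not derived in the text and is therefore not checked.

```python
"""Added example (not the thesis's own code): brute-force check of Lemma 4.4.4
and of the mean and variance formulas of Theorem 4.4.2 for small n."""
from fractions import Fraction
from itertools import product
import random


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def linear_columns(n):
    """The 2^n columns l^n_j of L_n as 2^n-bit vectors indexed by the input x:
    l^n_j[x] = parity(j & x), i.e. all linear Boolean functions on n bits."""
    return [[parity(j & x) for x in range(1 << n)] for j in range(1 << n)]


def dot(u, v):
    """Dot product over the integers: number of positions where both are 1."""
    return sum(a & b for a, b in zip(u, v))


def tri(m):
    """Triangular number T_m = m(m+1)/2, so that T_a + T_b + ab = T_{a+b}."""
    return m * (m + 1) // 2


def S_n(z, L):
    return sum(dot(z, l) for l in L)


def SS_n(z, L):
    return sum(dot(z, l) ** 2 for l in L)


def lemma_4_4_4(z, n):
    """Closed forms of Lemma 4.4.4 for a 2^n-bit vector z of weight w."""
    w, half = sum(z), 1 << (n - 1)
    if z[0] == 0:
        return half * w, half * tri(w)
    return half * (w - 1), half * tri(w - 1)


def t_lcc(sbox, n):
    """ASSUMPTION (consistent with the proof, where row i sums to S^n(v_i)):
    T'_LCC(S, I_n)[i][j] = v_i . l^n_j, with v_i[x] = parity(i & S(x)) the
    i-th linear combination of the output columns of S."""
    L = linear_columns(n)
    V = [[parity(i & y) for y in sbox] for i in range(1 << n)]
    return [[dot(v, l) for l in L] for v in V]


def mean_variance(sbox, n):
    """Exact mean and variance of T'_LCC(S, I_n)[i][j] over i, j != 0."""
    Tm, N = t_lcc(sbox, n), (1 << n) - 1
    vals = [Fraction(Tm[i][j]) for i in range(1, N + 1) for j in range(1, N + 1)]
    mu = sum(vals) / len(vals)
    return mu, sum((v - mu) ** 2 for v in vals) / len(vals)


def theorem_4_4_2(n, s0_is_zero):
    """Closed forms from the proof: (mean, variance). The variance for
    S(0) != 0 is not derived in the text, so None is returned for it."""
    N = (1 << n) - 1
    if s0_is_zero:
        return (Fraction(2 ** (2 * n - 2), N),
                Fraction(2 ** (3 * n - 4) - 2 ** (2 * n - 3), N * N))
    return Fraction(2 ** (2 * n - 2) * (2 ** n - 2), N * N), None


def random_invertible_sbox(n, rng, fix_zero):
    """Random permutation of 0..2^n-1 with S(0) = 0 forced (or forbidden)."""
    while True:
        p = list(range(1 << n))
        rng.shuffle(p)
        if (p[0] == 0) == fix_zero:
            return p


def check_all(n, seed=1):
    """Lemma 4.4.4 for every 2^n-bit z, and Theorem 4.4.2 for one random
    invertible s-box of each kind (seed is a constructed example value)."""
    L = linear_columns(n)
    lemma_ok = all((S_n(list(z), L), SS_n(list(z), L)) == lemma_4_4_4(list(z), n)
                   for z in product((0, 1), repeat=1 << n))
    rng = random.Random(seed)
    s_zero = random_invertible_sbox(n, rng, True)
    s_nonzero = random_invertible_sbox(n, rng, False)
    mean_var_ok = mean_variance(s_zero, n) == theorem_4_4_2(n, True)
    mean_ok = mean_variance(s_nonzero, n)[0] == theorem_4_4_2(n, False)[0]
    return lemma_ok, mean_var_ok, mean_ok


if __name__ == "__main__":
    print(check_all(3))  # all three checks pass for n = 3
```

For $n = 3$ the formulas give $\mu_{=} = 16/7$, $\sigma^2_{=} = 24/49$ and $\mu_{\ne} = 96/49$; the exhaustive lemma check is cheap up to $n = 3$ (256 vectors) and becomes slow at $n = 4$ (65,536 vectors), so larger $n$ is better checked on random $z$.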


Chapter 5
Test Results for Proposed System

In this chapter we present the results of the statistical testing performed on our proposed system, giving also the test results for the two comparison systems of Section 3.3. The results for the standard s-box properties of Section 2.1 are given in Section 5.1. The test results for the new tests of Section 4.3 are given in Section 5.2. In Section 5.3 we summarise the results for all the tests performed.

5.1 Test Results for Standard S-Box Properties

For the results of this section, we generated two sets of 1000 invertible 8 × 8 s-boxes and tested each s-box for D(MO)SAC(S), (MO)BIC(S), nl(S), maxXOR(S), and for three cyclic properties (number of fixed points, number of cycles, average cycle length). The first set of 1000 s-boxes was generated by our proposed system, using RC4 with a randomly selected 128-bit key. The second set was generated using the UNIX drand48 random number generator, as detailed in Section 3.3, using a randomly chosen 32-bit seed value. For each set of 1000 s-boxes, and for each property, we report the mean, standard deviation, and minimum and maximum of the values obtained. Concerning the completeness property, every s-box generated had a value of DSAC(S) $\le 30$ and was therefore complete by Section 2.1.1.

5.1.1 SAC/MOSAC

    D(MO)SAC(S)              MEAN   STD DEV   MIN   MAX
    RC4       DSAC(S)       14.59      2.43    10    26
              DMOSAC(S)     20.30      1.93    16    30
    drand48   DSAC(S)       14.48      2.38     8    26
              DMOSAC(S)     20.25      1.90    16    28

Figure 5.1: DSAC/DMOSAC results for 1000 randomly generated 8 × 8 s-boxes

The test results for the statistics DSAC/DMOSAC are given in Figure 5.1. The values for our system and the comparison system using drand48 are clearly very close.

5.1.2 BIC/MOBIC

    (MO)BIC(S)               MEAN   STD DEV     MIN     MAX
    RC4       BIC(S)        0.267    0.0321   0.191   0.382
              MOBIC(S)      0.346    0.0247   0.286   0.443
    drand48   BIC(S)        0.265    0.0318   0.188   0.406
              MOBIC(S)      0.346    0.0251   0.285   0.467

Figure 5.2: BIC/MOBIC results for 1000 randomly generated 8 × 8 s-boxes

Figure 5.2 gives the test results for the BIC/MOBIC properties. Our system and the drand48 comparison system show very similar results.

5.1.3 Nonlinearity

    nl(S)         MEAN   STD DEV   MIN   MAX
    RC4          92.65      2.20    84    98
    drand48      92.68      2.14    84    98

Figure 5.3: Nonlinearity results for 1000 randomly generated 8 × 8 s-boxes

In Figure 5.3 we summarise the results of testing each set of 1000 s-boxes for nonlinearity. The values for our system and the drand48 system are quite close, with identical minimum and maximum values, and nearly identical means.

    prob[nl(S) <= A]
    A               84      86      88      90      92      94      96      98
    theoretical   0.0037   0.015   0.058   0.21    0.70    > 1     > 1     > 1
    RC4           0.002    0.015   0.063   0.194   0.522   0.883   0.998   1.00
    drand48       0.001    0.011   0.057   0.192   0.513   0.885   0.999   1.00

Figure 5.4: Distribution of nonlinearities

Figure 5.4 compares the distribution of s-box nonlinearities for the two sets of 1000 s-boxes with the theoretical values of Youssef and Tavares [29] (see Section 2.2.5). For each nonlinearity value A, the row labelled "theoretical" gives the theoretical upper bound on the probability that nl(S) ≤ A (an entry "> 1" means the bound exceeds 1 and so says nothing for that A). The following rows, labelled "RC4" and "drand48," give the actual fractions of the 1000 s-boxes generated using each system for which nl(S) ≤ A. The experimental values for the two systems are found to be very close, and for each value of A, the upper bound of Youssef and Tavares is seen to hold.

5.1.4 Maximum XOR Table Entry

    maxXOR(S)     MEAN   STD DEV   MIN   MAX
    RC4          11.29      1.22    10    16
    drand48      11.36      1.20    10    16

Figure 5.5: Maximum XOR table entry results for 1000 randomly generated 8 × 8 s-boxes

Figure 5.5 gives the statistical summary for the maximum XOR table entries of the generated s-boxes. The results for our system and the drand48 comparison system are found to be very similar, having identical values for the minimum and maximum value of maxXOR(S).

    prob[maxXOR(S) >= A]
    A               10      12      14      16
    theoretical    > 1    0.94    0.067   0.0042
    RC4           1.00    0.58    0.064   0.0030
    drand48       1.00    0.61    0.066   0.0030

Figure 5.6: Distribution of maximum XOR table entries

In Figure 5.6 we compare the distribution of values of the statistic maxXOR(S) to the theoretical values of Section 2.2.5. For each value of A, the row labelled "theoretical" gives the upper bound of Youssef and Tavares [29] on the probability that maxXOR(S) ≥ A. The fractions of each set of 1000 s-boxes which satisfy this inequality are given in the rows labelled "RC4" and "drand48," corresponding to our system and the comparison system, respectively. Again our system and the comparison system give nearly identical results; both systems also give fractions for each value of A which fall below the theoretical upper bound of Youssef and Tavares.

5.1.5 Cyclic Properties

Figure 5.7 gives a summary of results from testing our system and the drand48 comparison system for the cyclic properties of Section 2.1.6. The theoretical results from Section 2.2.6 are included; as well, the minimum and maximum values possible for each cyclic property have been included in Figure 5.7. (The only theoretical value not present is the variance of the average cycle length. Note that Section 2.2.6 gives the theoretical value for the variance of the number of fixed points and the variance of the number of cycles; we have taken the square root of these values to obtain the standard deviation, for presentation in Figure 5.7.)

                                       MEAN   STD DEV    MIN     MAX
    Num. fixed points   theoretical       1         1      0     256
                        RC4            1.08      1.01      0       6
                        drand48        1.03      1.01      0       5
    Num. cycles         theoretical    5.55      2.35      1     256
                        RC4            6.21      2.08      1      13
                        drand48        6.17      2.12      1      14
    Avg. cycle length   theoretical   128.5         -    1.0   256.0
                        RC4           127.0      52.3   46.3   256.0
                        drand48       127.9      52.6   35.9   256.0

Figure 5.7: Cyclic properties results for 1000 randomly generated 8 × 8 s-boxes

The first observation to be made is that our system and the comparison system yield similar values, except for the minimum average cycle length, where the value for our system is noticeably higher. The second observation is that the values for both systems are close to the theoretical values for number of fixed points and average cycle length. For the number of cycles, a more detectable difference is found between the experimental values for our system and the theoretical values: our system yields a mean value of 6.21 versus the theoretical value of 5.55, and a standard deviation of 2.08 versus the theoretical value of 2.35.
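The properties tabulated in this section can be recomputed for any s-box. The following Python is an added example, not code from the thesis: it computes nl(S) as the minimum, over nonzero output masks, of the nonlinearity of the corresponding component Boolean function (read off its Walsh spectrum), maxXOR(S) as the largest XOR table entry over nonzero input differences, and the three cyclic statistics. Two points are assumptions of the example rather than statements of the thesis: the s-box is generated with Python's random module, not with the proposed RC4 method, and "average cycle length" is taken per input (the mean, over all 256 inputs, of the length of the cycle containing that input), the reading under which the theoretical mean 128.5 = (256 + 1)/2 in Figure 5.7 is the expected value. The SAC/BIC statistics are not reproduced, since their definitions (Section 2.1) are not restated here.

```python
"""Added example (not from the thesis): nonlinearity, maximum XOR table entry and
cyclic properties of an n x n s-box given as a permutation of 0..2^n-1."""
import random


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def walsh_spectrum(f):
    """Fast Walsh-Hadamard transform of a Boolean function given as a 0/1 truth
    table; returns W(a) = sum_x (-1)^(f(x) xor a.x) for every mask a."""
    W = [1 - 2 * v for v in f]  # map 0 -> +1, 1 -> -1
    h = 1
    while h < len(W):
        for i in range(0, len(W), 2 * h):
            for j in range(i, i + h):
                a, b = W[j], W[j + h]
                W[j], W[j + h] = a + b, a - b
        h *= 2
    return W


def nonlinearity(sbox, n):
    """nl(S) = min over nonzero output masks c of (2^n - max_a |W_c(a)|) / 2,
    where W_c is the spectrum of the component function x -> parity(c & S(x))."""
    size = 1 << n
    best = size
    for c in range(1, size):
        component = [parity(c & y) for y in sbox]
        max_abs = max(abs(v) for v in walsh_spectrum(component))
        best = min(best, (size - max_abs) // 2)
    return best


def max_xor_table_entry(sbox, n):
    """maxXOR(S): largest count of inputs x with S(x) ^ S(x ^ din) == dout,
    over all nonzero input differences din and all output differences dout."""
    size = 1 << n
    worst = 0
    for din in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        worst = max(worst, max(counts))
    return worst


def cyclic_properties(sbox):
    """(number of fixed points, number of cycles, average cycle length).
    ASSUMPTION: the average is over inputs, i.e. the mean length of the cycle
    containing x, whose expectation for a random permutation of N is (N+1)/2."""
    N = len(sbox)
    seen = [False] * N
    cycles, per_point_total = 0, 0
    for start in range(N):
        if seen[start]:
            continue
        length, x = 0, start
        while not seen[x]:
            seen[x] = True
            x = sbox[x]
            length += 1
        cycles += 1
        per_point_total += length * length  # each of the `length` points lies on this cycle
    fixed = sum(1 for x, y in enumerate(sbox) if x == y)
    return fixed, cycles, per_point_total / N


def random_sbox(n, rng):
    """Random invertible n x n s-box (a uniformly random permutation)."""
    p = list(range(1 << n))
    rng.shuffle(p)
    return p


def demo(n=8, seed=1997):
    """Properties of one random n x n s-box; the seed is a constructed example value."""
    S = random_sbox(n, random.Random(seed))
    return nonlinearity(S, n), max_xor_table_entry(S, n), cyclic_properties(S)


if __name__ == "__main__":
    nl, mx, (fixed, cycles, avg_len) = demo()
    print(f"nl(S) = {nl}, maxXOR(S) = {mx}, fixed points = {fixed}, "
          f"cycles = {cycles}, average cycle length = {avg_len:.1f}")
```

For a random 8 × 8 s-box the three values land in the ranges of Figures 5.3, 5.5 and 5.7; for the identity s-box, which is linear, nl(S) = 0 and maxXOR(S) = 256, the worst possible values.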

5.2 Test Results for New Statistical Tests

In using the new testing methods of Section 4.3, we ran two different sets of tests. The first involved the CC and LCC statistics defined in Sections 4.3.1 and 4.3.2; the exact method of testing and the results are given in Section 5.2.1. The second set of tests involved the chi-square goodness-of-fit test described in Section 4.3.3. The results of this set are given in Section 5.2.2.

5.2.1 CC and LCC

In order to test our system using the CC and LCC statistics, the 64 s-boxes of an 8-round SPN were generated in three ways: using our method with a 128-bit randomly selected key for RC4; using the comparison system involving the drand48 pseudo-random number generator, with a randomly chosen 32-bit seed; and using the "weak" system of Section 3.3, with a randomly chosen 64-bit key. Then for each pair of distinct s-boxes in the SPN, {S, S'}, we computed the values CC(S, S') and LCC(S, S'), finding the overall maximum (this was run #1). This process was then repeated (run #2), using a different key/seed for each s-box generation method. The results are presented in Figure 5.8 and Figure 5.9.

    Maximum CC value       RC4    drand48   "weak" system
    run #1               0.313      0.281           0.625
    run #2               0.281      0.266           0.703

Figure 5.8: Maximum CC value for all pairs of SPN s-boxes

    Maximum LCC value      RC4    drand48   "weak" system
    run #1               0.406      0.375           0.625
    run #2               0.359      0.375           0.703

Figure 5.9: Maximum LCC value for all pairs of SPN s-boxes

We observe that in Figure 5.8 and Figure 5.9, the values for the RC4 method and the drand48 method fall in a similar range, whereas much higher values are consistently reported for the "weak" system.

5.2.2 Chi-Square Results

In Figure 5.10 and Figure 5.11 we present the results of the chi-square goodness-of-fit tests described in Section 4.3.3.

    Column correlation                            RC4    drand48
    prob($\chi^2_0 \le 43.77$) (run #1)         0.984      0.953
    prob($\chi^2_0 \le 43.77$) (run #2)         0.969      0.953

Figure 5.10: Chi-square results, column correlation

    Linear combination correlation                RC4    drand48
    prob($\chi^2_0 \le 28.87$) (run #1)         0.949      0.952
    prob($\chi^2_0 \le 28.87$) (run #2)         0.949      0.949

Figure 5.11: Chi-square results, linear combination correlation

To test column correlation, we performed two runs, each of which was as follows. We generated 30,000 s-box pairs using two methods: the proposed system, with a randomly selected 128-bit key for RC4; and the system incorporating drand48 (see Section 3.3), with a random 32-bit seed (we do not test the "weak" system of Section 3.3 here, as it was designed to create the s-boxes of an SPN, not to generate a large number of s-boxes). We used $\alpha = 0.05$, and there were 30 degrees of freedom; this gives $\chi^2_{0.05,30} = 43.77$. For each method, and for each of the resulting $8^2 = 64$ distributions (since $n = 8$), the chi-square goodness-of-fit test was performed. The fraction of the distributions for which the null hypothesis was not rejected (i.e., for which $\chi^2_0 \le \chi^2_{0.05,30}$) is found in Figure 5.10.

To test the correlation between linear combinations of columns of s-boxes, two runs were performed in basically the same fashion as above (using the same key/seed in each run). We limited the number of s-box pairs to 500, since testing for correlation between linear combinations of columns is much more computationally expensive than testing for correlation between columns. The number of degrees of freedom was 18, and we used $\alpha = 0.05$, giving $\chi^2_{0.05,18} = 28.87$. Of the resulting $255^2 = 65{,}025$ distributions, the fraction for which the null hypothesis was not rejected is given in Figure 5.11.

When testing for column correlation, we can see from Figure 5.10 that for both methods and both runs, over 95% of the distributions did not cause the null hypothesis to be rejected. When testing for linear combination correlation, the fraction of distributions for which the null hypothesis was not rejected was almost exactly 95% in all cases (Figure 5.11).

5.3 Summary of Test Results

The test results for the standard s-box properties of Section 2.1, presented in Section 5.1, suggest that our s-box generation scheme has good randomness properties. First of all, for each standard property the test values for the RC4 system and the drand48 system (a system believed to have high randomness) are almost identical. The only test for which there is any noticeably different result is for the minimum average cycle length (Section 5.1.5), where the value for the RC4 system is 46.3 and the value for the drand48 system is 35.9. The author suspects that further testing would show this to be statistically insignificant; if not, if the RC4 system does generate s-boxes with higher minimum average cycle length, there is indication that this is a cryptographically good property [31]. Secondly, for those properties for which theoretical results exist (nonlinearity, maximum XOR table entry and cyclic properties) our system behaved predictably well with respect to the theoretical values. For nonlinearity and maximum XOR table entry, the fraction of s-boxes generated by our method which had values in a certain range fell below the corresponding theoretical upper bound in each case. For the mean and standard deviation of the number of cycles, we did note a difference between experimental and theoretical values. Again the author suspects that this is statistically insignificant, especially since the corresponding values for the drand48 system are quite close to those for the RC4 system.

When testing all pairs of SPN s-boxes using the new statistical tests for column correlation (CC) and linear combination correlation (LCC), the maximum CC and LCC values reported for our system and the drand48 system fell into roughly the same range. Since drand48 is believed to be a good source of randomness, this suggests that the RC4 method is as well. This is in comparison to our "weak" system, for which the correlation values were approximately twice those of the other systems. It appears that the "weak" system truly is weak, and that the CC and LCC statistics are able to detect this.

The final tests we performed implemented the chi-square goodness-of-fit tests (for both column correlation and linear combination correlation) described in Section 4.3.3. Since we used a 95% confidence level, in each case we expected that if our system were selecting s-boxes in a sufficiently random fashion, approximately 5% of the distributions tested would result in rejection of the null hypothesis. For column correlation, the null hypothesis was rejected for fewer than 5% of the distributions (for both test runs). For linear combination correlation, the proportion of distributions which resulted in rejection of the null hypothesis was almost exactly 5% (again for both test runs). The drand48 system behaved similarly.

Overall, we conclude that there is statistical evidence that our RC4 s-box generation method has good randomness properties. Not only do the s-boxes generated perform well when tested for the standard s-box properties of Section 2.1, but there is evidence that the s-boxes are not pairwise correlated.


Chapter 6
Conclusion

6.1 Thesis Summary

In this thesis we have investigated the use of key-dependent, pseudo-randomly generated s-boxes in a standard substitution-permutation network (SPN) cryptosystem. The SPN model has undergone cryptanalysis over many years, and is considered an effective implementation of Shannon's principles of confusion and diffusion. Much of the known research concerning SPN s-boxes has focussed on developing a taxonomy of desirable s-box properties which will contribute to cryptographically strong SPNs, with the goal of selecting a small number of "good" s-boxes for inclusion in an SPN. However, there is theoretical and experimental evidence that pseudo-randomly chosen s-boxes of sufficient size possess several good cryptographic properties on average. We feel that the use of key-dependent s-boxes merits further consideration. In keeping with this, we have proposed an SPN cryptosystem together with an s-box generation method based on the RC4 cipher. One of the principal advantages of key-dependent s-boxes is that they are unknown to a cryptanalyst; this decreases the effectiveness of linear and differential cryptanalysis. We have specifically designed our s-box generation scheme to be separate from the cryptosystem itself; we believe that this simplifies the system and facilitates analysis.

We have subjected our proposed system to a range of statistical tests; in all cases there is indication that it behaves in a highly random fashion. We also sought evidence for the absence of correlation between the different s-boxes generated by our method, and this resulted in the development of new statistical tests. These tests were found to be effective in detecting correlation between the s-boxes of a comparison generation scheme, which was intentionally weakened to create correlated s-boxes. One of the new statistical tests, the test for linear combination correlation (LCC), was found to be a generalisation of the standard test for s-box nonlinearity. In addition, we were able to prove results about the mean and variance of values generated during a run of this test.

6.2 Future Research Directions

The work of this thesis is a preliminary investigation into the practical and theoretical aspects of the use of key-dependent pseudo-randomly chosen s-boxes in SPN cryptosystems. Because of limited time, many avenues have not been pursued. In Section 3.2.2 we mention two general approaches to s-box generation; the second approach, which places the security in the g function, was not treated in this thesis work, and so may be an area for future work. In addition, other modifications could be made to our proposed system, including scaling the system to incorporate larger s-boxes and/or more rounds. Theoretical investigation of s-box properties also appears to be an area with potential for further research. It is thought that the results proven in this thesis concerning the new test for linear combination correlation may yield new bounds on the nonlinearity of a randomly chosen invertible $n \times n$ s-box.

Bibliography

[1] C.M. Adams, Constructing Symmetric Ciphers Using the CAST Design Procedure, to appear in: Designs, Codes and Cryptography.
[2] F. Ayoub, The design of complete encryption networks using cryptographically equivalent permutations, Computers and Security, Vol. 2, pp. 261-267, 1983.
[3] F. Ayoub, Probabilistic completeness of substitution-permutation encryption networks, IEE Proceedings, Vol. 129, Part E, No. 5, pp. 195-199, September 1982.
[4] E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, 1991.
[5] Data Encryption Standard (DES), National Bureau of Standards FIPS Publication 46, 1977.
[6] H. Feistel, Cryptography and computer privacy, Scientific American, Vol. 228, No. 5, pp. 15-23, May 1973.
[7] H. Feistel, W.A. Notz, and J.L. Smith, Some cryptographic techniques for machine to machine data communications, Proceedings of the IEEE, Vol. 63, No. 11, pp. 1545-1554, November 1975.
[8] J.A. Gordon and H. Retkin, Are big s-boxes best?, Cryptography, proceedings, Burg Feuerstein (T. Beth, Ed.), pp. 257-262, 1982.
[9] H.M. Heys, The design of substitution-permutation network ciphers resistant to cryptanalysis, Ph.D. Thesis, Queen's University, Canada, 1994.
[10] H.M. Heys and S.E. Tavares, Avalanche characteristics of substitution-permutation encryption networks, IEEE Transactions on Computers, Vol. 44, No. 9, pp. 1131-1139, September 1995.
[11] J.B. Kam and G.I. Davida, Structured design of substitution-permutation encryption networks, IEEE Transactions on Computers, Vol. C-28, No. 10, pp. 747-753, October 1979.
[12] J.C. Lagarias, Pseudo-random number generators in cryptography and number theory, Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, Vol. 42, pp. 115-143, 1990.
[13] M. Matsui, Linear cryptanalysis method for DES cipher, Advances in Cryptology: Proceedings of EUROCRYPT'93, Springer-Verlag, Berlin, pp. 386-397, 1994.
[14] H. Meijer, Personal communication.
[15] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[16] R. Merkle, Fast software encryption functions, Advances in Cryptology: Proceedings of CRYPTO'90, Springer-Verlag, Berlin, pp. 476-501, 1991.
[17] S. Mister and C.M. Adams, Practical S-Box Design, SAC'96, Third Annual Workshop on Selected Areas in Cryptography, Queen's University, Kingston, Ontario, pp. 61-76, August 1996.
[18] D.C. Montgomery and G.C. Runger, Applied Statistics and Probability for Engineers, John Wiley and Sons, 1994.
[19] L. O'Connor, Enumerating nondegenerate permutations, Advances in Cryptology: EUROCRYPT'91, Springer-Verlag, pp. 368-377, 1992.
[20] L. O'Connor, Enumerating nondegenerate permutations, Technical Report 2527, University of Waterloo, Waterloo, Ontario, Canada, 1991.
[21] L. O'Connor, On the distribution of characteristics in bijective mappings, Advances in Cryptology: Proceedings of EUROCRYPT'93, Springer-Verlag, Berlin, pp. 360-370, 1994.
[22] Queen's University STATLAB, Timothy Ramsay, Personal communication.
[23] B. Schneier, Description of a new variable-length, 64-bit block cipher (Blowfish), Fast Software Encryption, pp. 191-204.
[24] B. Schneier, Applied Cryptography, Second Ed., John Wiley and Sons, 1996.
[25] C.E. Shannon, A mathematical theory of communication, Bell System Technical Journal, Vol. 27, No. 4, pp. 379-423, 623-656, 1948.
[26] C.E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal, Vol. 28, No. 4, pp. 656-715, 1949.
[27] UNIX manual (man) pages under drand48.
[28] A.F. Webster and S.E. Tavares, On the design of S-boxes, Advances in Cryptology: Proceedings of CRYPTO'85, Springer-Verlag, Berlin, pp. 523-534, 1986.
[29] A.M. Youssef and S.E. Tavares, Resistance of balanced s-boxes to linear and differential cryptanalysis, Information Processing Letters, Vol. 56, pp. 249-252, 1995.
[30] A.M. Youssef and S.E. Tavares, Comment on "Bounds on the number of functions satisfying the Strict Avalanche Criterion", Information Processing Letters, Vol. 60, pp. 271-275, 1996.
[31] A.M. Youssef, S.E. Tavares, and H.M. Heys, A new class of substitution-permutation networks, SAC '96, Third Annual Workshop on Selected Areas in Cryptography, Queen's University, Kingston, Ontario, pp. 132-147, August 1996.

Appendix A
The RC4 Cipher

In this appendix we present the RC4 algorithm, following the description in [24], written here as runnable Python (`key` is the key as a bytes object). The RC4 cryptosystem has a single invertible 8 × 8 s-box, S, which must be initialised before operation begins. This s-box is constantly changing as RC4 proceeds. The key consists of one or more bytes, which are repeated to fill a 256-byte array K. (It is interesting in light of the topic of this thesis that RC4 uses a key-dependent s-box!)

    S = list(range(256))                          # initialise S to identity s-box
    K = [key[i % len(key)] for i in range(256)]   # repeat the key bytes to fill K
    j = 0
    for i in range(256):                          # generate initial RC4 s-box
        j = (j + S[i] + K[i]) % 256
        S[i], S[j] = S[j], S[i]                   # swap S[i] and S[j]

Once the RC4 s-box is initialised, counters i and j are set to 0. RC4 produces a pseudo-random byte, b, by executing the following:

    i = (i + 1) % 256
    j = (j + S[i]) % 256
    S[i], S[j] = S[j], S[i]                       # swap S[i] and S[j]
    t = (S[i] + S[j]) % 256
    b = S[t]
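As an added example that ties together this appendix, the s-box pair generation of Section 5.2.2 and the grouped chi-square test of Section 4.3.3 (it is not the thesis's own code), the following Python implements the RC4 keystream above, derives invertible 8 × 8 s-boxes from it, tallies the dot product of one column of S with one column of S' over Q pairs, and computes the chi-square statistic against the expected frequencies $E_k = \binom{T/2}{k}^2 Q / \binom{T}{T/2}$ with the tails below $k'$ and above $k''$ pooled into single cells. The s-box construction (a Fisher-Yates shuffle driven by RC4 bytes, with rejection sampling so that the byte-to-index reduction is unbiased) is an assumption standing in for the Section 3.2 method, which is not reproduced here; the key and the run size Q are constructed for the example. The degrees of freedom depend on Q, so the critical value must be read from a chi-square table for the df actually obtained (43.77 and 28.87 are the values for 30 and 18 df at $\alpha = 0.05$).

```python
"""Added example (not the thesis's own code): the Appendix A RC4 keystream,
RC4-driven generation of invertible 8x8 s-boxes, and the grouped chi-square
goodness-of-fit test of Section 4.3.3 on the column-correlation distribution."""
from math import comb


class RC4:
    """Keystream generator as in Appendix A; key bytes are repeated to fill K."""

    def __init__(self, key: bytes):
        if not key:
            raise ValueError("RC4 needs at least one key byte")
        self.S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + self.S[i] + key[i % len(key)]) & 0xFF
            self.S[i], self.S[j] = self.S[j], self.S[i]
        self.i = self.j = 0

    def next_byte(self) -> int:
        S = self.S
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + S[self.i]) & 0xFF
        S[self.i], S[self.j] = S[self.j], S[self.i]
        return S[(S[self.i] + S[self.j]) & 0xFF]

    def keystream(self, n: int) -> bytes:
        return bytes(self.next_byte() for _ in range(n))


def rc4_sbox(rng: RC4) -> list:
    """Invertible 8x8 s-box (a permutation of 0..255): Fisher-Yates shuffle driven
    by RC4 bytes, rejecting bytes that would bias the reduction modulo m.
    ASSUMPTION: a generic construction, not the thesis's Section 3.2 method."""
    p = list(range(256))
    for i in range(255, 0, -1):
        m = i + 1
        limit = 256 - 256 % m  # largest multiple of m that fits in a byte
        b = rng.next_byte()
        while b >= limit:
            b = rng.next_byte()
        r = b % m
        p[i], p[r] = p[r], p[i]
    return p


def column(sbox, c):
    """Output bit c of the s-box as a 256-bit column indexed by the input x."""
    return [(y >> c) & 1 for y in sbox]


def dot(u, v):
    return sum(a & b for a, b in zip(u, v))


def expected_counts(T, Q):
    """E_k = C(T/2, k)^2 / C(T, T/2) * Q for 0 <= k <= T/2: expected frequency of
    dot product k between two balanced T-bit columns over Q independent pairs."""
    h = T // 2
    denom = comb(T, h)
    return [comb(h, k) ** 2 / denom * Q for k in range(h + 1)]


def chi_square_gof(observed, T, Q, min_expected=5):
    """Chi-square statistic with the cell grouping of Section 4.3.3: the values
    k' <= k <= k'' with E_k >= 5 are cells of their own, and the lower and upper
    tails are pooled into one cell each. Returns (chi2, df, cells as (O, E))."""
    E = expected_counts(T, Q)
    big = [k for k, e in enumerate(E) if e >= min_expected]
    if not big:
        raise ValueError("Q too small: no expected count reaches the minimum")
    k1, k2 = big[0], big[-1]
    cells = []
    if k1 > 0:
        cells.append((sum(observed[:k1]), sum(E[:k1])))
    cells.extend((observed[k], E[k]) for k in range(k1, k2 + 1))
    if k2 < T // 2:
        cells.append((sum(observed[k2 + 1:]), sum(E[k2 + 1:])))
    chi2 = sum((o - e) ** 2 / e for o, e in cells)
    return chi2, len(cells) - 1, cells


def column_pair_distribution(key: bytes, Q: int, c1: int = 0, c2: int = 0):
    """Generate Q s-box pairs (S, S') from one RC4 keystream and tally
    k = (column c1 of S) . (column c2 of S'), the quantity the test examines."""
    rng = RC4(key)
    counts = [0] * 129
    for _ in range(Q):
        S, S2 = rc4_sbox(rng), rc4_sbox(rng)
        counts[dot(column(S, c1), column(S2, c2))] += 1
    return counts


if __name__ == "__main__":
    Q = 2000  # constructed run size; the thesis used 30,000 pairs
    observed = column_pair_distribution(b"example key", Q)
    chi2, df, _ = chi_square_gof(observed, 256, Q)
    # Compare chi2 with the chi-square table value for df at alpha = 0.05.
    print(f"chi-square statistic {chi2:.2f} with {df} degrees of freedom")
```

The keystream class can be checked against the published RC4 test vector for the key "Key" (first keystream bytes EB 9F 77 81 B7 34 CA 72 A7 19), and with T = 256 the expected counts sum to Q because the hypergeometric probabilities sum to 1.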


Vita

Name: Liam Timothy Keliher
Place and year of birth: Seattle, Washington, 1971

Education
    B.Sc. Honours (Mathematics), Saint Francis Xavier University, 1988-1993
    M.Sc. (Mathematics), McGill University, 1993-1995

Experience
    Teaching assistant, Department of Computing and Information Science, Queen's University, 1996-1997
    Computer Lab Instructor, Department of Mathematics and Computer Science, St. Mary's University, 1996

Awards
    NSERC PGS-A Scholarship, 1993-1995
    A.A. MacDonald Prize for Mathematics, Saint Francis Xavier University, 1993
    Francis J. Ginivan Mathematics Prize, Saint Francis Xavier University, 1990
    Canada Scholarship, 1988-1991