CRYPTOGRAPHY THROUGH THE PHYSICIST EYES ^1

YURIY N. ZAYKO ^1*

^1 Russian Presidential Academy of National Economy and Public Administration, Stolypin Volga Region Institute, Russia, 410031, Saratov, Sobornaya st, 23/25

AUTHOR'S CONTRIBUTION

This work was carried out by the author individually in all parts, including design of the study, writing the protocol and interpretation of the data, gathering the initial data and performing preliminary data analysis, managing the literature searches and producing the initial draft. The author read and approved the final manuscript.

Received: 8th December 2014

Research Paper

ABSTRACT

This article is devoted to the implementation of some concepts of the nonlinear dynamics of complex systems in cryptography. Some parallels between these disciplines are discussed, such as mapping, ergodicity, stirring, etc. The concept of the Poincare trajectory of return, well known in dynamics, is introduced in cryptography, as well as graphical representations of mappings. This permits solving the problem of selecting elements of contemporary block cryptographic systems, such as the tables of substitutions called S-blocks, from the entire set of substitutions. A statistical analysis of real S-blocks was made on the basis of their decomposition into cycles.

Keywords: S-block, substitution, cipher, mapping, ergodicity, stirring, trajectory of return.

^1 Journal of Applied Physical Science International, 2015, V: 2, No: 2, pp. 35-48

*Corresponding author: Email: [email protected]

Zayko; JAPSI, X(X): xxx-xxx, 20YY

1. INTRODUCTION

Cryptography is one of the principal means of information protection. Encrypting information is easy and, most importantly, fast: various algorithms can now be used for this, both in software and in hardware ^2. Performing the inverse transformation without knowledge of the secret information (the key), i.e. cracking the cipher, is much more complicated in the present state of cryptanalysis. For example, breaking the block symmetric cryptographic algorithm DES (Data Encryption Standard, the US, key length 56 bits) by distributed computing in the competition of RSA Data Security held in 1997 took 140 days, and breaking the cryptographic algorithm RC5 with the same key length took 210 days. Details of such attacks can be found in [1,2]. It is also shown there that, according to results and forecasts, similar attacks on asymmetric cryptosystems require much more time and computational resources.

If we evaluate the degree of information protection by the ratio "cost of hacking" / "cost of protection", cryptographic methods are far superior to all others. All governments have long used cryptography to protect diplomatic and military information. As for commercial and especially private information, here governments exercise restraint, offering for use cryptosystems with clearly impaired cryptographic properties, for example with a reduced key length. There are other ways to slow down the widespread use of cryptography. Senate Bill No 266, which requires giving the government the right to receive the plain-text content of conversations, data and other forms of communication, and Presidential Decree number 334 [3] on the need to use only certified cryptographic means are, in essence, measures that differ only in form and serve to establish State monitoring of the use of cryptography to protect confidential information, including personal information.

Thus, the problem of strengthening cryptographic methods of information protection is important in terms of common action for the protection of fundamental human rights in today's society. In this article, attention is drawn to the fact that the methods and concepts of modern cryptography have much in common with the methods and concepts of nonlinear dynamics, such as mapping, stirring, etc. In this article an attempt is undertaken to make this analogy deeper and to find new points of contact between nonlinear dynamics and cryptography. The methods described below, in co-operation with traditional cryptography methods, will allow a fresh look at the problem of block cryptographic systems and yield new and useful results.

2. CERTIFIED CRYPTOGRAPHIC MEASURES

In the US these tools include the already mentioned encryption algorithm DES, developed by IBM under the direction of H. Feistel (called Lucifer) in 1976 and published in 1977 [4] ^3, and in Russia the encryption algorithm GOST 28147-89 (Gosudarstvennyi ^4 Standard), developed in 1989 [5]. They are described in detail, for example, in [1,2]. Both are symmetric block ciphers, that is, they perform cryptographic transformations on blocks of text 64 bits long, and have keys of length 64 (effectively 56) and 256 bits, respectively. Both use the conversion scheme developed by H. Feistel, which consists in a cyclic permutation of the right and left parts of the block while adding, bitwise modulo 2, the regular right side and the current key. The only difference is the number of cycles: 16 cycles for DES and 32 cycles for GOST. We omit other details of the transformations (they are described in detail in [1,2]). Let us discuss only the transformations of 32-bit segments of ciphertext using substitutions realized by so-called S-blocks (S for substitution). C. Shannon proved [7] that an effective transformation of blocks of ciphertext can be achieved by alternating linear permutations of bits, which preserve the number of significant bits, and nonlinear operations that breed significant bits and are realized by S-blocks (substitution) ^5. For the linear operations, DES uses so-called P-blocks (P for permutation), and GOST uses a cyclic shift [2]. It follows that the two crypto algorithms have a lot of common features, which is not surprising when you consider that GOST is the Russian response to DES [8,9].

The purpose of the crypto transformations used in both algorithms is to achieve the so-called avalanche effect, which consists in each bit of ciphertext depending on each bit of the plaintext and each bit of the key. In DES this takes five cycles, whereas in GOST it takes 8. However, GOST is composed of 32 cycles whereas DES has only 16. After 8 cycles DES demonstrates the peak of the avalanche effect: each bit of ciphertext is a random function of all the bits of the plaintext and key. Successful attacks on DES with three, four and six cycles confirmed the importance of the avalanche effect [2].

Results of attacks against block cryptographic algorithms were already cited above, including the algorithm RC5, which differs from DES by block length (from 32 to 128 bits), key length (from 0 to 2048 bits), number of cycles (from 0 to 255) and other items [2]. From these data one can conclude that key length has a significant impact on cryptographic resistance. The duration of attacks on RC5 with a block length of 32 bits and 12 cycles ranged from 313 hours (48-bit key length) to 3.5 hours (40-bit key length).

Thus, the resistance of a cryptographic encryption algorithm is mainly determined by two elements: the key and the tables of substitutions [2], to the study of which the further exposition is devoted.

3. BLOCKS OF SUBSTITUTIONS

Blocks of substitutions, or S-blocks, are tables of decimal numbers from 0 to 15 whose size is 1x16 (GOST) or 4x16 (DES). This is due to the difference between the crypto algorithms. In GOST, the 32-bit segment of ciphertext that is input to the S-blocks is divided into eight 4-bit segments, according to the number of S-blocks; each is transformed individually by its own block, and at the output they are again collected into a 32-bit segment. The input to the S-blocks of DES is not a 32-bit but a 48-bit ciphertext segment, which is derived from the 32-bit segment by a permutation with extension [2]. It is divided into eight 6-bit segments, each of which is input to one of eight S-blocks represented by similar tables of size 4x16. The two outermost bits, with numbers 0 and 5, recorded in the decimal system determine the row number of the table by which bits 1 to 4 are transformed. The combined transformed 32-bit segments are the inputs of the P-blocks.

The S-blocks of DES also differ from those of GOST in that the DES S-blocks are part of the standard, i.e. they do not change from session to session, whereas the GOST standard does not specify a method for generating S-blocks. However, common to both cryptographic algorithms is that the way the S-blocks are created is their secret part.

Obviously, the quality of a cryptographic algorithm, and especially its cryptographic strength, depends on the quality of the S-blocks.

For further purposes, let us present the S-blocks of GOST [1,2] (Table 1) used in applications of the Central Bank of the Russian Federation [1].

The aim of the present study is an attempt to find out why the S-blocks of DES and GOST have this form and not some other or, in other words, at least to try to outline the algorithm of their choice from the set of all possible substitutions of 16 elements.

For a long time this topic has been the subject of much discussion, and in 1992 IBM unveiled the design secret of the S-blocks. However, these attempts did not stop even after that, because the recommendations of IBM have a heuristic character [1]. Various proposals for the development of S-blocks are discussed in [1], from "manual" construction based on intuition to random selection or selection based on rigorous mathematical theory. Analysis of S-blocks based on the assumption of random selection poses a danger associated with the fact that [1]:

"The problem is complicated by the ability of the human consciousness to find structures in random data that are not really structures."

In any case, the creators of crypto algorithms follow the requirements of resistance against known cryptanalysis methods and the possibilities of computer technology [1]. In the literature [1,2] one can find assertions that the S-blocks of GOST are chosen randomly. There is some evidence against this, as is shown below. Another equally important goal is to estimate the quality of the S-blocks. It is generally recognized that there are "weak" S-blocks. A trivial example is the identity substitution, which does not change the 4-bit segment of ciphertext. Another, less obvious example is given in [10]:

S = (9, 8, 3, 10, 12, 13, 7, 14, 0, 1, 11, 2, 4, 5, 15, 6)    (1)

Its weakness becomes apparent if we write it in binary form (Table 2).

Here i is the binary number of the transformed element and S(i) is the binary value of the i-th element after the substitution. The table shows that the transformation leaves two bits of the four unchanged ^6. Besides that, the table of substitutions can contain other types of workarounds that allow the message to be decrypted more effectively than by a full search of the space of possible key values. The author of [10] expresses the pessimistic assertion that there is no way to weed out the weak tables of substitutions.

^2 Some reservations are mentioned below.

^3 In 2000, it was replaced by AES (Advanced Encryption Standard) [6].

^4 State, in English.

^5 In the book "Error-correcting codes and cryptography" (Springer-Verlag US, 1981), N.J.A. Sloane notes that such alternation of operations is equivalent to the so-called "Baker's transformation", which is widely known in nonlinear dynamics.

^6 By itself, the number of constant bits says nothing. For example, for the substitution presented further (3) the number of constant bits can reach 3. Much more important is that these are the fixed bits (1st and 2nd), and that the substitution (1) does not have the property of stirring: groups 4, 5; 8, 9 and 12, 13 are transformed into other compact groups.

4. SOME PHYSICAL ANALOGY. THE PHENOMENON OF RETURN

Below we consider only the S-blocks by themselves, without any connection to crypto algorithms. There is good reason for this, since substitutions are among the objects of discrete mathematics and have always been of interest to researchers. The range of applications of this research is rather extensive [11]. A substitution on a set of N elements is a mapping of this set onto itself, and we are interested in the properties of this mapping. In order not to get bogged down in abstractions, we will resort to geometric illustrations as far as possible.

The first concept of the theory of maps to be illustrated by the example of S-blocks is the notion of the Poincare return. H. Poincare proved the theorem of return for continuous maps [12], which implies that, over time, the trajectory of a dynamical system moving in a bounded region of phase space will come back into an arbitrarily small vicinity of the starting point. For discrete systems this statement becomes apparent, because the points in the phase space of these systems are characterized by a finite volume V, and the number of steps (the analogue of time) to return is bounded from above by the ratio of the volume of the phase space of the system (multi-dimensional, in the general case) to V.

We illustrate this phenomenon by the example of the mapping of the sequence of integers from 0 to 15 with the weak S-block (1) (Fig. 1). The program iterates the mapping (1), i.e., y_i = S^i(x), x = {0, 1, ..., 15}, where i is the number of the iteration. As one can see in Fig. 1, after step 4 of the iterations the displayed sequence came back to the initial state, i.e., the phenomenon of return occurred. It is easy to understand that this is due to the fact that the maximum length of the cycles into which substitution (1) can be decomposed is equal to 4, and the lengths of the other cycles are divisors of 4. Here is the complete decomposition of substitution (1) into cycles:

S = C_4(9,8,1,0); C_4(3,10,11,2); C_4(7,14,15,6); C_2(12,4); C_2(13,5)    (2)

Here the subscript is the length of the cycle, and the numbers in parentheses are the elements of the S-block that are transformed according to the given cycle. Thus, we have shown that the weakness of the S-block is associated with the small length of the cycles into which it is decomposed, or rather with the small value of their least common multiple (LCM).


Table 1. S-blocks of the GOST 28147-89

S1    4 10  9  2 13  8  0 14  6 11  1 12  7 15  5  3
S2   14 11  4 12  6 13 15 10  2  3  8  1  0  7  5  9
S3    5  8  1 13 10  3  4  2 14 15 12  7  6  0  9 11
S4    7 13 10  1  0  8  9 15 14  4  6 12 11  2  5  3
S5    6 12  7  1  5 15 13  8  4 10  9 14  0  3 11  2
S6    4 11 10  0  7  2  1 13  3  6  8  5  9 12 15 14
S7   13 11  4  1  3 15  5  9  0 10 14  7  6  8  2 12
S8    1  5 13  0  5  7 10  4  9  2  3 14  6 11  8 12

Table 2. Binary form of S-block (1)

i      S(i)     i      S(i)
0000   1001     1000   0000
0001   1000     1001   0001
0010   0011     1010   1011
0011   1010     1011   0010
0100   1100     1100   0100
0101   1101     1101   0101
0110   0111     1110   1111
0111   1110     1111   0110

Fig. 1. Demonstration of the phenomenon of return. The digit in the upper right corner is the number of iterations

The representation of substitutions by cycles is well studied [11]. Below, we will use these results. Note that in the cryptographic literature they receive less attention than they deserve.

5. SOME PHYSICAL ANALOGY. ERGODICITY

Ergodicity is the property of mappings that leads to uniform filling of the entire phase space by the trajectory. Below we consider mappings in a phase space that is a hypercube of eight dimensions with edge length 15.

There is another characteristic of mappings, stirring, which assesses the degree of divergence of the trajectories of a dynamical system. In nonlinear dynamics it is estimated using the so-called Lyapunov exponents [12], which characterize the rate of divergence of two initially close trajectories. There is an analogy between the concept of stirring in dynamics and the concept of a stirring transformation in cryptography. Let us quote [13]:

"Shannon calls the stirring transformation such one that realizes a mapping of the vector space onto itself, in which every or almost every of its compact domains due to the mapping is transformed into a large domain, non-compact in terms of the metric ... Consider vectors as numbers and apply the substitution:

0 1 2 3 4 5 6 7
7 3 1 5 4 2 3 0

We see that this transformation with good reason can be called as stirring one, because compact domain 0 1 2 is transformed in the 7 3 1"

Stirring is a stronger property of a dynamical system than ergodicity; in particular, a system that demonstrates stirring is always ergodic. Systems with stirring exhibit chaotic, unpredictable behavior. The search for analogies could go even further and compare the concepts of dynamic chaos in dynamics and the avalanche effect in cryptography. However, it should be said that there is no direct analogy, because the mappings implemented in cryptography and the substitutions considered here are always reversible, whereas the dynamics of chaotic systems demonstrates irreversibility.

In discrete systems, the notion of Lyapunov exponents stops working. If we consider two initially close trajectories belonging to one cycle, then with an increasing number of iterations the distance between the corresponding points of the trajectories behaves randomly. The degree of divergence of the trajectories or, rather, the speed with which information about their initial proximity is forgotten can be characterized by the autocorrelation function [14], by calculating its dependence on the number of iterations (see paragraph 9).

Let us return to ergodicity. Here is its definition [14]:

"If the motion of a dynamical system is ergodic, then the relative time spent by the phase trajectory within any region of phase space Γ is equal to the relative volume of the area and does not depend on the choice of initial conditions. In other words, the phase trajectory of an ergodic system uniformly and densely fills the whole region Γ"

Below are the results of the calculation of the mapping trajectory implemented by iterations of the DES S-blocks, in the projection onto the face corresponding to the first three S-blocks (U = S11, V = S21, S = S31, Fig. 2).

Figs. 3 and 3a show the results of calculating the number of points of the trajectory caught in a measuring 8-dimensional cube whose center coincides with the center of the phase region, depending on L, the half-edge size of the cube. The left part shows the volume V of the measuring cube (smooth curve) and the number of trajectory points N in it (broken line) as functions of L, and the right part shows their ratio. The starting point of the mapping has the coordinates 4, 15, 10, 7, 2, 12, 4, 2. This corresponds to a return path length C = 16016 ^7.

These results indicate that the path points are not evenly distributed, but lie in layers parallel to the faces of the cubic phase volume. The weak dependence of the result on the number of iterations (with the exception of the number of points of the map) suggests uniform filling of the phase space by all points of the map, i.e., ergodicity of the DES S-blocks (at least those selected, Table 3).

Figs. 4 and 4a show the calculated results for the same S-blocks but with a different starting point, with coordinates 14, 15, 10, 7, 2, 12, 4, 13, which corresponds to a return path length C = 1232. Comparison of Figs. 3 and 4 suggests that the uniformity with which the points of the mapping fill the phase space does not depend on the mapping trajectory and, in particular, on the length of the return path.

Another feature of the mapping, the absence of points in the center of the cube, is associated with the multidimensional nature of the trajectory and is consistent with a well-known feature of multidimensional objects: the main contribution to the whole comes from the peripheral area. For comparison, Fig. 5 shows the results of a similar calculation for a single S-block, S31, which realizes a monocycle substitution with return path length 16.

6. QUALITY OF SUBSTITUTIONS

The question of the quality of the substitutions implemented by the S-blocks of block ciphers is one of the main ones. Good S-blocks (along with good keys) are needed to meet the requirements for the crypto resistance of a cipher. Obviously, the algorithms for generating S-blocks in the cryptosystems GOST 28147-89 and DES meet these requirements. But they are not disclosed. However, there is no guarantee that weak S-blocks like (1) are not used in some implementations. This is why cryptography researchers are trying to find rules that allow the quality of the substitutions used in S-blocks to be assessed a priori.

^7 To compare the number of points and the volume of the hypercube, each point of the map is assigned the "volume" 15^8 / (C + 1). The figure shows the consequence of this rather arbitrary procedure: the broken curve intersects the smooth curve, which may give the impression that the total "volume" of the points of the map exceeds the volume of the hypercube.

Table 3. S-blocks of DES. The first lines of each S-block are used

S11  14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
S21  15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
S31  10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
S41   7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
S51   2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
S61  12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
S71   4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
S81  13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7


Fig. 2. A three-dimensional projection of the phase trajectory for the elements of S-blocks with item numbers (1 0 0 0 0 0 0 1). Return path length is 16016. Axes respectively are U = S11, V = S21, S = S31
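The return lengths quoted in the text (4 for substitution (1), 16 for S31, and C = 16016 and C = 1232 for the two starting points under the eight DES S-blocks of Table 3) can be checked by decomposing the substitutions into cycles. The sketch below is an added example, not the author's program; the data come from the page, and the helper names are assumptions of this example.

```python
from functools import reduce
from math import gcd

# Added example (helper names are its own). Substitution (1) from the text:
WEAK_S = (9, 8, 3, 10, 12, 13, 7, 14, 0, 1, 11, 2, 4, 5, 15, 6)

# First rows of the DES S-blocks S11..S81, transcribed from Table 3.
DES_ROW0 = (
    (14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7),
    (15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10),
    (10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8),
    (7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15),
    (2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9),
    (12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11),
    (4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1),
    (13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7),
)


def lcm(values):
    return reduce(lambda a, b: a * b // gcd(a, b), values, 1)


def cycles(sbox):
    """Disjoint cycles of a substitution, each listed in traversal order."""
    if sorted(sbox) != list(range(len(sbox))):
        raise ValueError("table is not a substitution of 0..n-1")
    seen, found = set(), []
    for start in range(len(sbox)):
        cycle, x = [], start
        while x not in seen:
            seen.add(x)
            cycle.append(x)
            x = sbox[x]
        if cycle:
            found.append(tuple(cycle))
    return found


def return_time(sbox):
    """Iterations after which the whole sequence 0..n-1 is restored (LCM)."""
    return lcm(len(c) for c in cycles(sbox))


def fixed_bit_mask(sbox, width=4):
    """Mask of bit positions that S never changes (bit 0 = least significant)."""
    changed = reduce(lambda acc, i: acc | (i ^ sbox[i]), range(len(sbox)), 0)
    return ~changed & ((1 << width) - 1)


def return_path_lcm(sboxes, point):
    """Return path length predicted from the cycle holding each coordinate."""
    sizes = (len(c) for s, x in zip(sboxes, point) for c in cycles(s) if x in c)
    return lcm(sizes)


def return_path_iterated(sboxes, point):
    """Return path length found by iterating the mapping until the point recurs."""
    start, current, steps = tuple(point), tuple(point), 0
    while steps == 0 or current != start:
        current = tuple(s[x] for s, x in zip(sboxes, current))
        steps += 1
    return steps


if __name__ == "__main__":
    print(cycles(WEAK_S), return_time(WEAK_S), bin(fixed_bit_mask(WEAK_S)))
    for p in ((4, 15, 10, 7, 2, 12, 4, 2), (14, 15, 10, 7, 2, 12, 4, 13)):
        print(p, return_path_lcm(DES_ROW0, p), return_path_iterated(DES_ROW0, p))
```

The cycle-based prediction and the brute-force iteration agree, and a table that is not a permutation of 0..15 is rejected before any cycle statistics are computed.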

Fig. 3. The results of study of ergodicity for S-blocks DES. V is a volume of measuring cube having edge length 2L, L = n / 10, n is integer,0