Vector Boolean Functions: Applications in Symmetric Cryptography
José Antonio Álvarez Cubero Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid
This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación
Escuela Técnica Superior de Ingenieros de Telecomunicación
November 2015
I would like to thank my wife, Isabel, for the love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore, I would also like to thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones, such as my daughter and sisters, who have supported me throughout the entire process, both by keeping me harmonious and by helping me put the pieces together. I will be grateful forever for your love.
Declaration
The following papers have been published or accepted for publication, and contain material based on the content of this thesis.

1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html)
2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/cryptographic-criteria-on-vector-boolean-functions. (Published)
3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective. In Katsikas, S. K. and Samarati, P., editors, SECRYPT 2010 - Proceedings of the International Conference on Security and Cryptography, Athens, Greece, July 26-28, 2010, SECRYPT is part of ICETE - The International Joint Conference on e-Business and Telecommunications, pages 512–520. SciTePress. (Published)
4. [4] Álvarez-Cubero, J. A. and Zufiria, P. J. (2005). Aplicaciones de la transformada de Walsh al criptoanálisis lineal y diferencial. In Domínguez, A. P. and Caballero-Gil, P., editors, I Simposio sobre Seguridad Informática (SSI 2005), pages 11–18. Thomson. (Published)

José Antonio Álvarez Cubero
November 2015
Acknowledgements
I would like to thank all the people who have helped me through the years along the route. I would like to express my gratitude to my supervisor, Prof. Pedro J. Zufiria, for the useful comments, remarks and engagement throughout the learning process of this thesis. I would also like to acknowledge the editors and reviewers of the journals in which I published the papers related to this thesis.
Resumen (Spanish abstract, translated)
This thesis establishes the theoretical foundations and designs an open collection of C++ classes called VBF (Vector Boolean Functions) for analysing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. This new implementation uses Victor Shoup's NTL library, adding new modules that complement the NTL functions and adapt them for cryptographic analysis. The fundamental class representing a vector Boolean function can be initialized very flexibly from different data structures such as the Truth Table, the Trace Representation and the Algebraic Normal Form, among others. In this way VBF allows the most relevant cryptographic criteria of block and stream ciphers, as well as of hash functions, to be evaluated: for example, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures, and the frequency distribution of the absolute values of the Walsh spectrum or of the autocorrelation spectrum, among other criteria. In addition, VBF can carry out operations between vector Boolean functions such as equality testing, composition, inversion, sum, direct sum, bricklayering (parallel application of vector Boolean functions, as used in the Rijndael cipher), and the addition of coordinate functions. The thesis also shows the use of the VBF library in two practical applications. On the one hand, the most relevant characteristics of block cipher systems have been analysed. On the other hand, by combining VBF with optimization algorithms, Boolean functions have been designed whose cryptographic properties are the best known to date.
Abstract
This thesis develops the theoretical foundations and designs an open collection of C++ classes, called VBF, for analyzing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. This new implementation uses the NTL library from Victor Shoup, adding new modules which complement the existing ones and make VBF better suited for cryptography. The fundamental class representing a vector Boolean function can be initialized in a flexible way via several alternative types of data structures, such as Truth Table, Trace Representation and Algebraic Normal Form (ANF), among others. This way, VBF allows the evaluation of the most relevant cryptographic criteria for block and stream ciphers as well as for hash functions: for instance, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures, and the frequency distribution of the absolute values of the Walsh Spectrum or the Autocorrelation Spectrum, among others. In addition, VBF can perform operations such as equality testing, composition, inversion, sum, direct sum, bricklayering (parallel application of vector Boolean functions, as employed in the Rijndael cipher), and adding coordinate functions of two vector Boolean functions. This thesis also illustrates the use of VBF in two practical applications. On the one hand, the most relevant properties of the existing block ciphers have been analysed. On the other hand, by combining VBF with optimization algorithms, new Boolean functions have been designed which have the best cryptographic properties known to date.
Table of contents

List of figures  xix
List of tables  xxi

1 Introduction  5
  1.1 Information Security  5
  1.2 Motivation  8
  1.3 Objectives and Outcomes of the Thesis  9
  1.4 Structure of the Thesis  11

2 Fundamentals of Block Ciphers and the VBF Library  13
  2.1 Basic Theoretical Background  13
    2.1.1 Definitions  14
  2.2 Block Ciphers  16
    2.2.1 Mini-AES Cipher  17
    2.2.2 KASUMI Cipher  22
    2.2.3 DES Cipher  23
    2.2.4 AES Cipher  25
  2.3 VBF (Vector Boolean Functions) library  30
    2.3.1 Features  30
    2.3.2 State-of-the-art on Vector Boolean Functions Analysis Software  34

3 Representations and Characterizations  37
  3.1 Truth Table  39
    3.1.1 Description  39
    3.1.2 Library  40
  3.2 Trace Representation  45
    3.2.1 Description  45
    3.2.2 Library  46
  3.3 Polynomials in ANF  49
    3.3.1 Description  49
    3.3.2 Library  49
  3.4 ANF Table  51
    3.4.1 Description  51
    3.4.2 Library  51
  3.5 Image  53
    3.5.1 Description  53
    3.5.2 Library  54
  3.6 Walsh Spectrum  55
    3.6.1 Description  55
    3.6.2 Library  65
  3.7 Linear Profile and Linear Cryptanalysis  67
    3.7.1 Description  67
    3.7.2 Library  70
  3.8 Differential Profile and Differential Cryptanalysis  73
    3.8.1 Description  73
    3.8.2 Library  76
  3.9 Autocorrelation Spectrum  79
    3.9.1 Description  79
    3.9.2 Linear structures  81
    3.9.3 Library  82
  3.10 Affine Function and Affine Equivalence  84
    3.10.1 Description  84
    3.10.2 Library  87
  3.11 Cycle Structure, Fixed Points and Negated Fixed Points  90
    3.11.1 Description  90
    3.11.2 Library  91
  3.12 Permutation Vector  93
    3.12.1 Description  93
    3.12.2 Library  93
  3.13 DES Representations  94
    3.13.1 Description  94
    3.13.2 Library  95
  3.14 Auxiliary Functions  99
  3.15 Summary  100

4 Cryptographic Criteria  103
  4.1 Introduction  103
    4.1.1 Definitions  103
    4.1.2 Cryptographically Weak Functions  105
  4.2 Algebraic Degree  105
    4.2.1 Description  105
    4.2.2 Library  106
  4.3 Nonlinearity  110
    4.3.1 Description  110
    4.3.2 Library  113
  4.4 r-th Order Nonlinearity  116
    4.4.1 Description  116
    4.4.2 Library  117
  4.5 Balancedness  118
    4.5.1 Description  118
    4.5.2 Library  119
  4.6 Correlation Immunity  121
    4.6.1 Description  121
    4.6.2 Library  123
  4.7 Algebraic Immunity  124
    4.7.1 Description  124
    4.7.2 Library  125
  4.8 Global Avalanche Criterion  127
    4.8.1 Description  127
    4.8.2 Library  127
  4.9 Linearity Distance  129
    4.9.1 Description  129
    4.9.2 Library  131
  4.10 Propagation Criterion  132
    4.10.1 Description  132
    4.10.2 Library  133
  4.11 Bounds, Properties and Trade-offs  134
    4.11.1 Bounds  135
    4.11.2 Properties  135
    4.11.3 Trade-offs  135
  4.12 Summary  143

5 Constructions for Vector Boolean Functions  145
  5.1 Equality Testing  145
    5.1.1 Description  145
    5.1.2 Library  146
  5.2 Composition Function  147
    5.2.1 Description  147
    5.2.2 Library  149
  5.3 Functional Inverse  154
    5.3.1 Description  154
    5.3.2 Library  154
  5.4 Sum  156
    5.4.1 Description  156
    5.4.2 Library  158
  5.5 Direct Sum  161
    5.5.1 Description  161
    5.5.2 Library  164
  5.6 Concatenation  168
    5.6.1 Description  168
    5.6.2 Library  169
  5.7 Concatenation of Polynomials in ANF  172
    5.7.1 Description  172
    5.7.2 Library  173
  5.8 Addition of Coordinate Functions  174
    5.8.1 Description  174
    5.8.2 Library  175
  5.9 Bricklayer  179
    5.9.1 Description  179
    5.9.2 Library  182
  5.10 Summary  188

6 Security Evaluation of Cryptographic Algorithms  189
  6.1 KASUMI Cipher Algorithm Evaluation  189
    6.1.1 S-boxes Characterization  190
    6.1.2 FI Function Characterization  193
  6.2 Mini-AES Cipher Algorithm Evaluation  194
    6.2.1 S-box Characterization  194
    6.2.2 Mini-AES Cipher Characterization  195
  6.3 CLEFIA  196
    6.3.1 S0  198
    6.3.2 S1  201
  6.4 Computational Cost Results  201

7 Design of Cryptographically Robust Vector Boolean Functions  205
  7.1 Multi-Objective Combinatorial Optimization (MOCO)  205
    7.1.1 Problem Formulation  205
    7.1.2 Preferences among Criteria. Weighting Method  207
  7.2 Boolean Function Design Procedures  208
    7.2.1 Algebraic Construction Techniques  209
    7.2.2 Computational Techniques for Approximating the Efficient Set  215
    7.2.3 The Balancedness Constraint  217
    7.2.4 Combining Different Algorithms  217

8 Conclusions and Future Research  231
  8.1 Summary and Conclusions of the Thesis  231
  8.2 Future Directions  232

References  235

Appendix A Mathematical Background  247
  A.1 The Vector Space Vn  247
    A.1.1 Definition  247
    A.1.2 Lexicographic Order  248
    A.1.3 The Hamming Distance  249
  A.2 Characters  250
    A.2.1 Characters on Vn  250
    A.2.2 Characters on Vn × Vm  252
  A.3 The Vector Space GF(2^n)  253
    A.3.1 Definition  253
    A.3.2 Operations on Polynomials  253
    A.3.3 Relation between Vn and GF(2^n)  254
    A.3.4 Mini-AES Finite Field in GF(2^4)  254
  A.4 The Vector Space Rn  255
    A.4.1 The Inner Product  255
    A.4.2 Distance  255
    A.4.3 The Pointwise Product  256
  A.5 The Vector Space Mn×m(R)  256
    A.5.1 The Inner Product  256
    A.5.2 Distance  256
    A.5.3 The Pointwise Product  257
  A.6 Kronecker Product of Matrices  257
  A.7 Convolution and Correlation  258
    A.7.1 One-dimensional  258
    A.7.2 Bidimensional  258

Appendix B CLEFIA Description  261
  B.1 Truth Tables of CLEFIA SSi (0 ≤ i ≤ 3) S-boxes  261
  B.2 Truth Table of Mul2(x) = 0x2 · x operation  261
  B.3 Truth Tables of u0, u1, y0 and y1  262
  B.4 Trace Representation of S0 and S1  269

Appendix C Using the Library  273
  C.1 An Example Program  273
  C.2 Compiling  280
  C.3 How to Evaluate New Algorithms  280
List of figures

1.1 Block Cipher  6
2.1 Typical internal construction of a Block Cipher  17
2.2 Structure of Mini-AES cipher  20
2.3 Structure of KASUMI cipher FI function  24
2.4 Structure of DES cipher  26
2.5 The Feistel function of DES  27
2.6 Rijndael S-box SRD  29
3.1 Relationships among representations and characterizations of a Vector Boolean function  38
3.2 Image representations of NibbleSub  56
3.3 Linear Profile of NibbleSub  73
3.4 Differential Profile of NibbleSub  79
3.5 Linear structures of NibbleSub  84
3.6 S1, S2, S3, S4 DES S-boxes  96
3.7 S5, S6, S7, S8 DES S-boxes  96
4.1 Relationships among representations and criteria of a Vector Boolean function  104
4.2 Algebraic Degree of NibbleSub: Degree 4  107
4.3 Algebraic Degree of NibbleSub: Degree 3  108
4.4 Algebraic Degree of NibbleSub: Degree 2  109
4.5 Nonlinearity of NibbleSub  115
4.6 Balancedness of NibbleSub  121
4.7 Correlation immunity of f  125
4.8 Absolute indicator of NibbleSub  129
4.9 Sum-of-squares indicator of NibbleSub  130
4.10 Propagation Criterion of f  135
5.1 Composition  147
5.2 Inverse  154
5.3 Direct Sum  161
5.4 CAST Cipher  164
5.5 Adding Coordinate functions  175
5.6 Bricklayer  179
5.7 DES S-boxes  182
5.8 KHAZAD S-box construction  183
6.1 CLEFIA S0  197
6.2 CLEFIA S1  197
6.3 CLEFIA S-box S0  199
6.4 Overall CPU time in seconds for cryptographic characterization of S-boxes  202
6.5 CPU timing measurements for all functions in Algorithm I  203
7.1 Relationship between Known Functions, PE and BKPE.  210
List of tables

1 Set operators notation  1
2 Characteristics of sets notation  1
3 Important number sets notation  1
4 Function notation  2
5 Matrices notation  2
6 Vectors notation  3
2.1 NibbleSub Truth Table.  18
2.2 Generation of the Round Keys of Mini-AES.  21
2.3 Inverse NibbleSub Truth Table.  22
2.4 NTL modules used in VBF.  33
2.5 New modules created for VBF.  33
3.1 Identification of a coordinate function of NibbleSub with trace function.  47
3.2 Cycle structure of NibbleSub.  93
3.3 Representation of VBF.  100
3.4 Characterizations of VBF.  101
4.1 Maximum nonlinearity of Boolean functions for n odd.  112
4.2 Cryptographic criteria bounds.  136
4.3 Are the criteria affine invariant?  136
4.4 Weight related cryptographic criteria properties.  136
4.5 Walsh related cryptographic criteria properties.  136
4.6 Maximum nonlinearity of Balanced Boolean functions for n.  137
4.7 Cryptographic criteria.  144
4.8 Member functions of the cryptographic criteria.  144
5.1 Results of spectral radius (R), NL, lp, dp, ACmax and LD for bricklayer of DES S-boxes.  182
5.2 Results of spectral radius (r), NL, lp, dp, ACmax and LD for bricklayer of P and Q mini S-boxes.  186
5.3 Constructions over VBF.  188
6.1 Cycle structure for S7.  191
6.2 Cycle structure for S9.  192
6.3 S7 and S9 Cryptographic criteria.  192
6.4 S7 and S9 Cryptographic criteria.  192
6.5 Cycle structure.  195
6.6 NibbleSub Cryptographic criteria.  195
6.7 Tables of CLEFIA S-boxes SSi (0 ≤ i ≤ 3).  198
6.8 Table of the multiplication 0x2 · x.  198
6.9 Results of spectral radius (r), NL, lp, dp, ACmax and LD for CLEFIA S0 construction.  199
6.10 Results of deg, AI, σ, CI for CLEFIA S0 construction.  200
6.11 Results of spectral radius (r), NL, lp, dp, ACmax, LD, deg, AI, σ and CI for CLEFIA S1.  201
6.12 Some CLEFIA S0 security properties versus modern S-boxes based on field inversion.  201
7.1 Nonlinearity, algebraic degree, absolute and sum-of-squares indicators for Maitra construction in [88].  211
7.2 Nonlinearity, algebraic degree for Maitra construction in [133].  211
7.3 Nonlinearity, absolute and sum-of-squares indicators for Zhang and Zheng construction [160].  212
7.4 Nonlinearity, algebraic degree and algebraic immunity for Carlet construction [26].  212
7.5 Nonlinearity, algebraic degree for Charpin construction [30].  213
7.6 Nonlinearity, algebraic degree and algebraic immunity for certain power functions x^d.  213
7.7 Comparison of the best achieved computer search results for (NL, deg, ACmax).  218
7.8 Comparison of profiles with n = 9.  218
7.9 Comparison of profiles with n = 11.  219
7.10 Comparison of nonlinearity achieved in Boolean functions.  223
7.11 Results obtained for different n-input balanced Boolean functions.  223
7.12 Representations of Boolean functions in Table 7.11.  224
7.13 Frequency distribution of the absolute values of the Walsh Spectrum.  225
7.14 Frequency distribution of the absolute values of the Autocorrelation Spectrum.  225
7.15 Additional cryptographic criteria for f1 - f5 classes.  226
7.16 Comparison of the best results for (NL, deg, AI, ACmax, σ).  229
Notation Table 1 Set operators notation Notation e A A⊆B A∪B A−B A∆B A≺B
Description
Definition
Complement of A {x | (x ∈ / A)} A is a subset of B {x | (x ∈ A) ⇒ (x ∈ B)} Union of sets A and B {x | (x ∈ A) ∧ (x ∈ B)} Difference of sets A and B {x | (x ∈ A) ∧ (x ∈ / B)} Symmetric difference of A and B (A − B) ∪ (B − A) A is a subspace of B
Table 2 Characteristics of sets notation Notation
Description
Definition
#A Cardinality of the set A Number of elements in A Supp(A) Support of A {a ∈ A | a ̸= 0}
Table 3 Important number sets notation Notation
Description
Definition
N Z ZN ZnN R C
Set of natural numbers Set of integer numbers Set of integers modulo N Set of vectors whose n components ∈ ZN Set of real numbers Set of complex numbers
{1, 2, 3, . . .} {. . . , −2, −1, 0, 1, 2, . . .} {0, . . . , N − 1} (x1 , · · · , xn ) xi ∈ ZN (−∞, +∞) √ {x + iy | x, y ∈ R, i = −1}
2
List of tables
Table 4 Function notation Notation
Description
Definition
δ (x) F (A, B) Im( f ) End(A) GL(A) f |A
Kronecker delta function of x
1 if x = 0 0 if x ̸= 0
Set of functions with { f | f : A → B} codomain A and domain B Image set of the function f : A → B {y ∈ B | ∃x ∈ A y = f (x)} Set of endomorphisms of A { f : A → A | f homomorphism} Set of automorphisms of A { f ∈ End(A) | f biyective} Function restriction of f to A {(x, f (x)) | x ∈ A}
Table 5 Matrices notation Notation
Description
A ∈ Mn×m (K)
n × m matrix of elements ∈ K
Ai
i-th row vector of A
Aj
j-th column vector of A
Definition a11 . . . a1m a21 . . . a2m A= . . . . . . . . . an1 . . . anm ai1 . . . aim a1 j .. . an j
AT
Transposed matrix of A
In
Identity matrix of order n
Pn
Permutation matrix of order n
AB
Kronecker product of A and B
A|B
Concatenation of A ∈ Mn×m (GF(2)) and B ∈ M p×m (GF(2))
AT
= B ∈ Mm×n (K) ai j = b ji aii = 1 ∀ i ∈ {1, . . . , n} and ai j = 0 ∀ i ̸= j ∧ i, j ∈ {1, . . . , n} ∀ i ∈ {1, . . . , n}∃ j ∈ {1, . . . , n} Pni =In j a11 B . . . a1m B a21 B . . . a2m B . . . . . . . . . . . an1B . . . anm B A A|B = ∈ M(n+p)×m (GF(2)) B
Table 6 Vectors notation

Notation                Description                                     Definition
B_n = {e_1, ..., e_n}   Canonical basis of V_n                          e_i = (x_1, ..., x_n) with x_i = 1 ∧ x_j = 0 ∀ j ≠ i
‖x‖                     Norm of the vector x                            $+\sqrt{\langle x, x \rangle}$
∠(x, y)                 Angle between the vectors x and y               $\cos(\angle(x, y)) = \frac{\langle x, y \rangle}{\|x\| \cdot \|y\|}$
⟨x, y⟩                  Inner product of the vectors x and y            $\sum_{i=1}^{n} x_i y_i$
x ⊗ y                   Kronecker product of x ∈ V_n and y ∈ V_m        (x_1 y, ..., x_n y)
Supp(x)                 Support of the vector x                         {i ∈ {1, ..., n} | x_i ≠ 0}
Chapter 1 Introduction

1.1 Information Security
Information security comprises the techniques that guarantee that a sender can deliver a message (usually called the plaintext) to a receiver in a secure manner over a channel accessible to third parties. This security rests on three main principles: confidentiality, integrity and availability (known as the CIA triad). The confidentiality of a message is assured if the sender prevents the intentional or unintentional unauthorized disclosure of its contents. To achieve this, the plaintext is processed in such a way that its meaning is hidden. This process is called encryption and is performed by a cipher; its result, a message whose contents are meaningless to anyone else, is called the ciphertext. The process of turning the ciphertext back into plaintext is called decryption, and usually makes use of a key previously shared between sender and receiver.

Cryptology is the discipline whose objective is to safeguard the secrecy of communications over an insecure channel, so that any non-authorized entity is unable to recover the message (plaintext) from what is sent in its place over the channel (ciphertext). Cryptology comprises two complementary fields: cryptography and cryptanalysis. Cryptography is the art of designing secure ciphers to provide services such as data confidentiality, integrity and authentication. Cryptanalysis is the study of methods for breaking ciphers, that is, of assessing and exploring design features that may lead to the discovery of some piece of secret information.

A cryptographic algorithm, also called a cipher or cryptographic scheme, is a function which enables encryption (or ciphering) and decryption (or deciphering). Three types of cryptographic schemes can be identified: public-key (or asymmetric) cryptography, hash functions and secret-key (or symmetric) cryptography. In public-key cryptography (e.g. RSA), encryption and decryption are performed with different keys (a public and a private key), while in secret-key cryptography (e.g. DES, AES) both parties share the same key. Hash functions (e.g. MD5, the SHA family) compute a fixed-length hash value from the plaintext in such a way that neither the contents nor the length of the plaintext can feasibly be recovered from it. Secret-key (or symmetric) cryptosystems can be further classified into Block Ciphers and stream ciphers. While Block Ciphers (e.g. DES [107], AES [108]) apply a fixed transformation to blocks of data, stream ciphers (e.g. RC4, A5/1 and A5/2) typically apply a time-varying transformation to smaller units of plaintext, usually bits.

Fig. 1.1 Block Cipher.

For electronic information, asymmetric cryptography together with hash functions can be used to verify the authorship and the integrity of a document by means of digital signatures. Symmetric cryptography can be used to guarantee the confidentiality of a message. Every cryptanalysis technique assumes that the cryptographic algorithm is known and public (Kerckhoffs's principle); the only piece of information kept secret is the key used in the ciphering process. A cipher is considered broken, or not secure, if a non-authorized party can extract the key with a time complexity lower than that of an exhaustive key search or brute-force attack (the process of trying every possible key and checking whether the resulting plaintext is meaningful). There are many cryptanalytic attacks; some are applicable to only one particular encryption algorithm.
In general, cryptanalytic attacks can be categorized based on the information available to the analyst:

• Ciphertext-only attack. The cryptanalyst has the ciphertexts of several messages encrypted with the same cipher. The analyst tries to recover the plaintext of as many messages as possible, or even to deduce the key (or keys) used to encrypt the plaintexts. If the key is found, it will be possible to decrypt other ciphertexts encrypted with the same key and the same cipher.

• Known-plaintext attack. The cryptanalyst has the ciphertexts of several messages and their corresponding plaintexts, all of them encrypted with the same cipher. The analyst tries to deduce the key (or keys) used to encrypt the plaintexts, or an algorithm to decrypt any new ciphertexts encrypted with these keys.

• Chosen-plaintext attack. As in the previous case, the cryptanalyst has ciphertexts and their corresponding plaintexts, all encrypted with the same cipher, but now the analyst can choose the plaintexts to be encrypted, in order to deduce the same information as in the previous attack.

• Chosen-ciphertext attack. The cryptanalyst can choose the ciphertexts to be decrypted and has access to their corresponding plaintexts. The analyst tries to deduce the key.
Most contemporary data encryption principles and concepts were proposed by Claude Elwood Shannon (1916-2001). In [143] Shannon presented the principles of what he called confusion and diffusion, establishing that both should be present in a computationally secure cryptosystem. The purpose of confusion is to make the relation between the key and the ciphertext as complex as possible (usually obtained by nonlinear transformations in the form of S-boxes)¹, so that any algebraic structure in the system is concealed. Diffusion has the role of dissipating the redundancy of the plaintext by spreading the influence of any minor modification of the plaintext or of the key over all ciphertext bits (usually obtained by linear transformations such as permutations).

¹ S stands for Substitution. This term designates Vector Boolean functions (functions that map a Boolean vector to another Boolean vector) whose role is to provide confusion in a cipher. The most fundamental property of an S-box is that it is a nonlinear mapping.
1.2 Motivation
In recent years, several international initiatives for selecting ciphers have taken place: AES (United States), CRYPTREC (Japan) and NESSIE (European Union). All of them defined evaluation criteria that can be divided into three major categories: security, cost, and algorithm and implementation characteristics. Security is the most important category, but it is considered the most difficult to assess. Normally, the institution which organizes the competition invites the cryptology community to mount attacks and to try to cryptanalyse the different candidates. The candidates not satisfying the security requirements imposed by the institution are eliminated from the contest. Section 3 in [105] discusses the tools that the NESSIE project developed to support the evaluation process:

It is clear that modern computers and sophisticated software tools cannot replace human cryptanalysis. Nevertheless, software tools can play an important role in modern cryptanalysis. In most cases, the attacks found by the cryptanalyst require a large number of computational steps, hence the actual computation of the attack is performed on a computer. However, software and software tools can also be essential to find a successful way to attack a symmetric cryptographic algorithm; examples include differential and linear cryptanalysis, dependence tests, and statistical tests. Within NESSIE, we distinguish two classes of tools. The general tools are not specific for the algorithms to be analyzed. Special tools, which are specific for the analysis of one algorithm, are implemented when, in the course of the cryptanalysis of an algorithm, the need for such a tool turns up... ... The software for these tools will not be made available outside the project, but all the results obtained using these tools will be made public in full detail.
It is worth mentioning that comprehensive sets of general tools for the evaluation of symmetric ciphers are available, such as the RIPE and NIST test suites. These consist of collections of statistical tests such as: the frequency test, the collision test, the overlapping m-tuple test, the gap test, the constant runs test, the coupon collector's test, Maurer's universal test, the poker test, the spectral test, the correlation test and the rank test, among others. Nevertheless, such tools are not enough for a rigorous characterization of cryptographic primitives. Section 4 in [104] provides a detailed description of this issue:
This document describing the NESSIE security methodology has given a list of important issues that are considered in making a security evaluation of a submitted primitive. Clearly, this list is not complete. Cryptographic primitives with completely inadequate security can often be identified. However, for the remaining cryptographic primitives, the situation is nothing like as clear-cut. There is neither an automatic method of assessing the security of such a primitive nor a general consensus on the relative importance of different security criteria. The few previous initiatives that have undertaken a similar task to the NESSIE project, such as AES, have been more limited in scope and have reached a subjective judgment by experts on the security of such primitives. The NESSIE project will produce a security judgment for the submitted primitives based on the issues discussed in this report.

From the above, it is clear that there is no general set of tools to assess the security of cipher components. Because of the size and complexity of modern ciphers, automatic analysis programs are very helpful in reducing the time required to study the cryptographic properties of Vector Boolean functions.
1.3 Objectives and Outcomes of the Thesis
Listed below are the main objectives of the research presented in this thesis:

1. To gather, derive and/or reformulate in an efficient manner all the relevant theoretical results associated with the characterization of robust cryptographic functions. The research work reported in this thesis requires knowledge of previously established Boolean function and S-box theory. Such knowledge is essential not only for linking the theoretical concepts to practical applications, but also in order to understand the significance of the research and where this work stands in relation to the field of cryptology.

2. To make available a free, open-source, general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function. Boolean function research requires the development of specialised programs, typically written in C or C++. These programs can involve a large number of computational steps, and it is therefore imperative that all appropriate optimisation techniques are used to exploit the full processing power available in modern computer systems. There is, however, a noticeable absence in the related cryptographic literature of references to the implementation issues facing Boolean function researchers, and with no readily available software for cryptographic Boolean function analysis, researchers have had to independently develop their own implementations.

3. To assess the security of modern Block Ciphers. Fundamental to any area of research is the ability to develop a methodology for systematic observation, measurement and experiment, and for the formulation, testing and modification of hypotheses. The study of Block Ciphers is an area where this basic principle of research has been neglected: the security of these cryptographic algorithms is measured by the best public cryptanalysis reported by an expert. As a result, considerable restrictions have existed on performing a homogeneous analysis of these cryptosystems.

4. To design new robust Boolean functions in order to increase the security of the ciphers based on them. These robust cipher components will be those Boolean functions which exhibit suitable measures for a combination of cryptographic properties appropriate for their use, according to the type of cipher employing them. The task of obtaining such functions involves generating and/or constructing Boolean functions which not only exhibit the required measures of cryptographic properties but are also of a large enough dimension to provide resistance to attacks in the long term. Additionally, the means of obtaining these strong cipher components must be computationally efficient.

The outcomes of the work in this thesis are now discussed with reference to the above objectives. To achieve objective 1, fundamental theoretical results have been gathered and/or derived concerning the properties of Boolean functions, S-boxes and the different architectures constructed by combining them. To accomplish objective 2, a library of C++ classes for analysing cryptographic properties of Vector Boolean functions (VBF) is presented in this thesis. The stated mission of the VBF library is to provide a free, open-source, general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function, and to help in the design of new functions of cryptographic interest. The library has three main features:

1. It supports a large variety of representations useful from the cryptological viewpoint, such as: Truth Table (binary, decimal and hexadecimal), ANF Table, polynomials in ANF, Characteristic function and Walsh Spectrum; and characterizations such as Trace, Linear Profile, Differential Profile and Autocorrelation Spectrum.

2. It allows the analysis of the robustness of a cryptographic algorithm by means of a set of criteria related to confusion (Algebraic Degree, Nonlinearity, Balancedness, Correlation Immunity (CI), Resiliency and Algebraic Immunity, among others) and diffusion (Global Avalanche, Linearity Distance and Propagation, among others).

3. It allows some basic Vector Boolean function constructions to be obtained, such as: Composition, Inverse, Sum, Direct Sum, Concatenation, Addition of coordinate functions and Bricklayering.

The research work performed in this thesis relating to the first two outcomes has been published at http://vbflibrary.tk and in [4], [5], [6] and [7]. Note that the theoretical results and the VBF library allow the behaviour of the representations, characterizations and criteria to be analysed when several cryptographic algorithms are interconnected. Accordingly, to meet objective 3, we have conducted numerous security analyses of Block Cipher candidates for the AES, CRYPTREC and NESSIE projects, together with some other ciphers. This allowed us to obtain representations, characterizations and cryptographic criteria for these ciphers. The research work relating to this outcome is published at http://vbflibrary.tk and in [7]. Finally, objective 4 has been fulfilled by developing optimization tools to obtain robust cipher components. Sets of balanced Boolean functions with 9 and 11 inputs with the best profiles known to date have been obtained.
1.4 Structure of the Thesis
This thesis is divided into eight chapters, including this introductory chapter. Chapter 2 presents a preliminary general framework including some basic theoretical background (to make the reader familiar with the notation and fundamental definitions), a brief description of several modern Block Ciphers, and the main basic features of the VBF library. Chapter 3 presents the typical forms of Vector Boolean function representation used in cryptography. A definition of all these representations is given, as well as an introduction to the main cryptographic characterizations relating to each representation. In addition, the VBF library methods to obtain these representations and characterizations are described, and the relationships among them are also discussed. Chapter 4 defines and discusses many important cryptographic criteria of Boolean functions and their extension to Vector Boolean functions. We then briefly discuss the relationships among criteria and to what extent they can simultaneously reach good values within the same function. The VBF library methods to obtain these cryptographic criteria are also described. Chapter 5 describes some basic constructions for Vector Boolean functions together with the corresponding conditions on the cryptographic criteria that are obtained for such constructions. The VBF library methods that implement these constructions are also described. Based on the results of the previous chapters, Chapter 6 analyses several modern cryptographic algorithms used in symmetric Block Ciphers. The research described in this chapter is complemented by a further analysis of other cryptosystems provided at http://vbflibrary.tk. Chapter 7 presents a theoretical framework for the multicriteria optimization of Boolean functions and several computational schemes for the optimization of certain cryptographic criteria of Vector Boolean functions. New Boolean functions with unprecedented features are provided. Finally, Chapter 8 draws the main conclusions from the research performed for this thesis. It also highlights several directions for future research in this field.
Chapter 2 Fundamentals of Block Ciphers and the VBF Library

This chapter provides a preliminary general framework to be referred to in the following chapters of the thesis. First, some basic theoretical background is provided to make the reader familiar with the notation and fundamental definitions employed in the chapter. Then, we present the structure of some well-known Block Ciphers to be employed as a reference when developing the theoretical and practical contributions. Finally, we present the basic structure of the VBF library; this will allow a better combined exposition of the theoretical results together with the coding tools in the following chapters.
2.1 Basic Theoretical Background
In a symmetric cipher, the encryption (E) and decryption (D) can be defined as Vector Boolean functions $E : K \times P \to C$ and $D : K \times C \to P$ such that $D(k, E(k, p)) = p$ for every key k ∈ K and plaintext p ∈ P, where:

• A = symbols used in P, C or K.
• P = plaintext space.
• C = ciphertext space.
• K = keyspace.

In modern symmetric ciphers, these concepts take the following values:

• A = GF(2) = Z_2 = {0, 1}.
• $P = C = V_n = \underbrace{GF(2) \times \cdots \times GF(2)}_{n}$
• $K = V_k = \underbrace{GF(2) \times \cdots \times GF(2)}_{k}$
• $E, D : V_k \times V_n \to V_n$

For most Block Ciphers, the ciphertext is produced by repeatedly applying a so-called round function. The key material used in the round function is called a round key. The round keys are computed from the key using a key-schedule algorithm. Among modern ciphers, two different design approaches can be distinguished: Feistel ciphers and ciphers with substitution-permutation networks (SPNs). While a Feistel cipher modifies only half of the data in each round, an SPN cipher modifies the entire data. The nice feature of a Feistel cipher is that encryption and decryption are structurally identical, except that the round keys are applied in reverse order. Note that DES [107] is an example of a Feistel cipher and the current NIST block encryption standard AES [108] is an SPN cipher.

A modern Block Cipher results from the composition of Vector Boolean functions. Most of these functions are linear or affine, but some of them, called S-boxes, are nonlinear, preventing the overall cryptosystem from being linear or affine and thus from being easily cryptanalysed. We could say that the robustness of a modern Block Cipher resides in the S-boxes and in the way all the building blocks of the cipher, each of which can be interpreted as a Vector Boolean function, are interconnected.

In stream cipher cryptography a pseudo-random sequence of bits of length equal to the message length is generated. This sequence is then bit-wise XOR-ed (addition modulo 2) with the message sequence and the resulting sequence is transmitted. At the receiving end, deciphering is done by generating the same pseudo-random sequence and again bit-wise XOR-ing the cipher bits with it. The seed of the pseudo-random bit generator is obtained from the secret key. Linear Feedback Shift Registers (LFSRs) are important building blocks in stream cipher systems. A standard model of stream cipher [17, 145, 146] combines the outputs of several independent LFSR sequences using a nonlinear Boolean function to produce the keystream. As LFSRs are linear, the required nonlinearity is introduced by the combining Boolean function (see [130]).
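The LFSR-combiner model just described, as an added example that is not code from the thesis or from the VBF library. Three short LFSRs (feedback polynomials x^3 + x + 1, x^4 + x + 1 and x^5 + x^2 + 1, chosen here because they are primitive and have pairwise coprime periods) are combined by the Geffe function f(x_1, x_2, x_3) = x_1 x_2 + x_2 x_3 + x_3, the register seeds play the role of the secret key, and encryption and decryption are the same XOR. The polynomials, seeds, message and combining function are all assumptions made for the illustration, not parameters of any cipher on this page. The `input_agreement` helper shows why the choice of combining function is itself a cryptographic question: the Geffe output agrees with its first and third inputs on 6 of the 8 input patterns, which is exactly the correlation a divide-and-conquer attack on one register exploits.

```python
from typing import Dict, List, Sequence


class LFSR:
    """Linear feedback shift register over GF(2).

    `poly` lists the exponents of the feedback polynomial, e.g. [5, 2, 0] for
    x^5 + x^2 + 1.  The state holds the n most recent sequence bits: bit 0 is
    the oldest and is emitted on each clock, and the new bit (placed at bit
    n-1) is the XOR of the state bits at the lower exponents of the polynomial,
    i.e. s[t+n] = s[t+2] + s[t] for the example above."""

    def __init__(self, poly: Sequence[int], seed: int):
        self.n = max(poly)
        self.low = [e for e in poly if e < self.n]
        if seed == 0 or seed >> self.n:
            raise ValueError("seed must be a non-zero %d-bit value" % self.n)
        self.state = seed

    def clock(self) -> int:
        out = self.state & 1
        fb = 0
        for e in self.low:
            fb ^= (self.state >> e) & 1
        self.state = (self.state >> 1) | (fb << (self.n - 1))
        return out


def period(poly: Sequence[int], seed: int = 1) -> int:
    """Clocks until the register state repeats: 2^n - 1 for a primitive polynomial."""
    reg = LFSR(poly, seed)
    start, count = reg.state, 0
    while True:
        reg.clock()
        count += 1
        if reg.state == start:
            return count


def geffe(x1: int, x2: int, x3: int) -> int:
    """Combining Boolean function f(x1, x2, x3) = x1 x2 + x2 x3 + x3 over GF(2)."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def input_agreement(f) -> Dict[int, int]:
    """For each input x_i, the number of the 8 input patterns on which f(x) == x_i.
    4 of 8 means statistical independence; anything else is a correlation that
    a correlation attack on that single register can exploit."""
    counts = {1: 0, 2: 0, 3: 0}
    for x in range(8):
        bits = ((x >> 2) & 1, (x >> 1) & 1, x & 1)
        y = f(*bits)
        for i, b in enumerate(bits, start=1):
            counts[i] += int(y == b)
    return counts


# Constructed parameters (assumption): three primitive polynomials with pairwise
# coprime periods 7, 15 and 31, so the keystream period is 7 * 15 * 31 = 3255.
POLYS = ([3, 1, 0], [4, 1, 0], [5, 2, 0])


def keystream(seeds: Sequence[int], nbits: int) -> List[int]:
    """One keystream bit per clock: the combiner applied to the three register outputs."""
    regs = [LFSR(p, s) for p, s in zip(POLYS, seeds)]
    return [geffe(*(r.clock() for r in regs)) for _ in range(nbits)]


def xor_crypt(data: bytes, seeds: Sequence[int]) -> bytes:
    """Encrypt or decrypt (the same operation): XOR the message bits with the keystream."""
    ks = keystream(seeds, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for j in range(8):
            k = (k << 1) | ks[8 * i + j]
        out.append(byte ^ k)
    return bytes(out)


if __name__ == "__main__":
    key = (0b101, 0b1001, 0b10110)               # constructed seeds, one per register
    ct = xor_crypt(b"attack at dawn", key)
    print(ct.hex(), xor_crypt(ct, key))
    print(input_agreement(geffe))
```

The seeds must be non-zero (an all-zero LFSR state stays at zero forever), and the 3255-bit keystream period is far too short for real use; the block is a model of the design, not a cipher.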
2.1.1 Definitions
The mathematical theory of Vector Boolean functions starts with the formal definition of vector spaces whose elements (vectors) have binary components. Let ⟨GF(2), +, ·⟩ be the finite field of order 2, where GF(2) = Z_2 = {0, 1}, '+' is integer addition modulo 2 and '·' is integer multiplication modulo 2. V_n is the vector space of n-tuples of elements from GF(2). The direct sum of x ∈ V_{n_1} and y ∈ V_{n_2} is defined as x ⊕ y = (x_1, ..., x_{n_1}, y_1, ..., y_{n_2}) ∈ V_{n_1 + n_2}. The inner product of x, y ∈ V_n is denoted by x · y, and the inner product of real vectors x, y ∈ R^n is denoted by ⟨x, y⟩. The weight of an n-bit vector u is the number of ones in u and is denoted by wt(u). The (Hamming) distance between two vectors x = (x_1, x_2, ..., x_n) and y = (y_1, y_2, ..., y_n) is the number of positions in which they differ and is denoted by d(x, y).

One can now define binary functions between vector spaces of this type, whose analysis (for robustness against attacks) is very important. f : V_n → GF(2) is called a Boolean function and F_n is the set of all Boolean functions on V_n. L_n is the set of all linear Boolean functions on V_n, L_n = {l_u | u ∈ V_n, l_u(x) = u · x}, and A_n is the set of all affine Boolean functions on V_n. A Truth Table is a tabulation of all possible combinations of input values and their corresponding outputs. For an n-variable Boolean function the Truth Table contains 2^n rows, one per assignment of the input variables, and one output column. The weight of a Boolean function is the weight of its Truth Table.

It is possible to characterize Boolean functions via alternative and very useful associated mappings. In the following, some of these mappings are presented. The real-valued mapping $\chi_u(x) = (-1)^{\sum_{i=1}^{n} u_i x_i} = (-1)^{u \cdot x}$ for x, u ∈ V_n is called a character. The character form of f ∈ F_n is defined as $\chi_f(x) = (-1)^{f(x)}$. The Truth Table of χ_f is called the (1, −1)-sequence vector, or sequence vector, of f and is denoted by $\xi_f \in \mathbb{R}^{2^n}$.
The autocorrelation of f ∈ F_n with respect to the shift u ∈ V_n is a measure of the statistical dependency among the involved variables (indicating robustness against randomness-based attacks). It is the cross-correlation of f with itself, denoted by $r_f : V_n \to \mathbb{Z}$ and defined by¹:

$$r_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u) = \sum_{x \in V_n} (-1)^{f(x) + f(x+u)} \qquad (2.1)$$

The directional derivative of f ∈ F_n in the direction of u ∈ V_n is defined by:

$$\Delta_u f(x) = f(x+u) + f(x), \quad x \in V_n \qquad (2.2)$$

We shall call the linear kernel of f the set of those vectors u such that Δ_u f is a constant function. The linear kernel of any Boolean function is a subspace of V_n. Any element u of the linear kernel of f is said to be a linear structure of f. Equivalently [116], for f ∈ F_n, u ∈ V_n is a linear structure of f if and only if |r_f(u)| = 2^n.

¹ Most authors omit the factor $\frac{1}{2^n}$.
We now extend the scope of the study by considering functions between any pair of binary-valued vector spaces. $F : V_n \to V_m$, $F(x) = (f_1(x), \ldots, f_m(x))$ is called a Vector Boolean function and F_{n,m} is the set of all Vector Boolean functions $F : V_n \to V_m$. Each $f_i : V_n \to GF(2)$, i ∈ {1, ..., m}, is a coordinate function of F. The component functions of F are the linear combinations, with not-all-zero coefficients, of the coordinate functions of F (their set is the vector space spanned by the coordinate functions, deprived of the null function if the coordinate functions are GF(2)-linearly independent). The indicator function of F ∈ F_{n,m}, denoted by $\theta_F : V_n \times V_m \to \{0, 1\}$, is defined in [29] as:

$$\theta_F(x, y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases} \qquad (2.3)$$

A Vector Boolean function F ∈ F_{n,m} of the form $F(x) = x \cdot A + b$, with x ∈ V_n, A ∈ M_{n×m}(GF(2)) and b ∈ V_m, is affine; when b = 0 it is linear. Several mappings associated with a Vector Boolean function can be defined, in similar terms to the Boolean function case. Hence, the character form of (u, v) ∈ V_n × V_m can be defined as $\chi_{(u,v)}(x, y) = (-1)^{u \cdot x + v \cdot y}$. Also, the autocorrelation of F ∈ F_{n,m} with respect to the shift (u, v) ∈ V_n × V_m is the cross-correlation of F with itself, denoted by $r_F : V_n \times V_m \to \mathbb{Z}$, so that [115]:

$$r_F(u, v) = \sum_{x \in V_n} \chi_{v \cdot F}(x+u)\,\chi_{v \cdot F}(x) = \sum_{x \in V_n} (-1)^{v \cdot F(x+u) + v \cdot F(x)} \qquad (2.4)$$

Let F ∈ F_{n,m} and u ∈ V_n; the difference Vector Boolean function of F in the direction of u, denoted by $\Delta_u F \in F_{n,m}$, is defined as $\Delta_u F(x) = F(x+u) + F(x)$, x ∈ V_n. F has a linear structure if there exist u ∈ V_n and v ∈ V_m such that $|r_{v \cdot F}(u)| = 2^n$, that is, if u is a linear structure of the component function v · F. Finally, we define a simplifying notation for the maximum of the absolute values of a set of real numbers $\{a_{uv}\}_{u,v}$ indexed by vectors u and v: $\max(a_{uv}) = \max_{(u,v)} |a_{uv}|$. With the same convention, the $\max^{*}(\cdot)$ operator on $\{a_{uv}\}_{u,v}$ excludes the origin: $\max^{*}(a_{uv}) = \max_{(u,v) \neq (0,0)} |a_{uv}|$. This notation will be used in some criteria definitions.
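The Boolean and Vector Boolean function definitions of this section (Truth Table, sequence vector, autocorrelation (2.1), directional derivative (2.2), linear kernel and linear structures, indicator function (2.3), component functions and r_F(u, v) of (2.4)) computed by brute force over V_n, as an added example that is not code from the thesis or from the VBF library. The encoding of vectors as integers (x_1 the most significant bit) and the two small sample functions f and G are assumptions made here; NIBBLESUB is the Mini-AES S-box of Table 2.1. For f the linear kernel is worked out by hand in the comment and the code confirms it, and for G the linear second coordinate makes every u a linear structure of that component, which is what a designer screens S-box candidates for.

```python
from itertools import combinations
from typing import List, Tuple


def dot(u: int, x: int) -> int:
    """Inner product u . x over GF(2) (parity of the bitwise AND)."""
    return bin(u & x).count("1") & 1


def sequence_vector(tt: List[int]) -> List[int]:
    """(1,-1)-sequence vector xi_f: the Truth Table of chi_f(x) = (-1)^f(x)."""
    return [1 - 2 * b for b in tt]


def autocorrelation(tt: List[int], u: int) -> int:
    """r_f(u) = sum_x (-1)^(f(x) + f(x+u)), eq. (2.1), without the 1/2^n factor."""
    return sum(1 - 2 * (tt[x] ^ tt[x ^ u]) for x in range(len(tt)))


def derivative(tt: List[int], u: int) -> List[int]:
    """Truth Table of the directional derivative D_u f(x) = f(x+u) + f(x), eq. (2.2)."""
    return [tt[x ^ u] ^ tt[x] for x in range(len(tt))]


def linear_kernel(tt: List[int]) -> List[int]:
    """Vectors u with D_u f constant, equivalently |r_f(u)| = 2^n [116]."""
    n2 = len(tt)
    return [u for u in range(n2) if abs(autocorrelation(tt, u)) == n2]


def is_subspace(vectors: List[int]) -> bool:
    """The closure under + that the text claims for every linear kernel."""
    s = set(vectors)
    return 0 in s and all(a ^ b in s for a, b in combinations(s, 2))


def component(F: List[int], v: int) -> List[int]:
    """Truth Table of the component function v . F (v != 0)."""
    return [dot(v, y) for y in F]


def vbf_autocorrelation(F: List[int], u: int, v: int) -> int:
    """r_F(u, v) = sum_x (-1)^(v.F(x+u) + v.F(x)), eq. (2.4)."""
    return autocorrelation(component(F, v), u)


def linear_structures(F: List[int], m: int) -> List[Tuple[int, int]]:
    """Pairs (u, v), v != 0, with |r_{v.F}(u)| = 2^n, i.e. u is a linear
    structure of the component v . F.  The trivial u = 0 is always listed,
    so a function free of linear structures returns only the pairs (0, v)."""
    n2 = len(F)
    return [(u, v) for v in range(1, 2 ** m) for u in range(n2)
            if abs(vbf_autocorrelation(F, u, v)) == n2]


def indicator(F: List[int], x: int, y: int) -> int:
    """theta_F(x, y) of eq. (2.3)."""
    return int(F[x] == y)


# Constructed examples (assumptions).  f(x1, x2, x3) = x1 x2 + x3 has
# D_u f = u2 x1 + u1 x2 + u1 u2 + u3, constant exactly when u1 = u2 = 0,
# so its linear kernel is {000, 001}.  G = (f, x1) is a V_3 -> V_2 function
# whose second coordinate is linear.  NIBBLESUB is the Mini-AES S-box of
# Table 2.1 (DES S1, row 0), a V_4 -> V_4 function.
F_EXAMPLE = [(((x >> 2) & (x >> 1)) ^ x) & 1 for x in range(8)]
G_EXAMPLE = [(F_EXAMPLE[x] << 1) | ((x >> 2) & 1) for x in range(8)]
NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

if __name__ == "__main__":
    kernel = linear_kernel(F_EXAMPLE)
    print("linear kernel of f:", kernel, "subspace:", is_subspace(kernel))
    print("linear structures of G:", linear_structures(G_EXAMPLE, 2))
    print("r_NibbleSub(1, 1) =", vbf_autocorrelation(NIBBLESUB, 1, 1))
```

Everything here is exhaustive over V_n and so only practical for the small n of S-boxes; for the 9- and 11-variable functions of later chapters the Walsh and autocorrelation spectra are computed with fast transforms instead.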
2.2 Block Ciphers
A Block Cipher can be divided into two parts: a data processing part and a key scheduling part. Among the Block Ciphers analysed throughout this thesis, it is important to mention Mini-AES, KASUMI, DES and AES. In this section we provide a succinct description of these algorithms. A detailed cryptographic analysis of them and other ciphers can be found at http://vbflibrary.tk.

Fig. 2.1 Typical internal construction of a Block Cipher.
2.2.1 Mini-AES Cipher
Introduction

Raphael Chung-Wei Phan presented a version of the AES [120] with all the parameters significantly reduced while preserving its original structure. This Mini version is purely educational and is designed to convey the underlying concepts of Rijndael-like ciphers. It may also serve as a test-bed for beginning cryptanalysts to experiment with various cryptanalytic attacks. The Mini-AES cipher is a 16 × 16 Vector Boolean function and Mini-AES encryption is performed with a secret key of 16 bits. It takes a 16-bit input block and processes it by repeating the basic operations of a round twice. Each round consists of (1) a substitution based on the S-box NibbleSub γ, (2) a permutation of the nibble positions (ShiftRow π) followed by a linear mixing of each column (MixColumn θ), and (3) key addition σ_{k_i}. Mini-AES has an S-box, NibbleSub, which operates on one nibble (4 bits) at a time. In addition, another component, MixColumn, operates on words of 4 nibbles. Section A.3 presents the mathematical background needed for the reader to have a clearer understanding of the components of Mini-AES.

Substitution

In the Mini-AES cipher, we break the 16-bit plaintext block into four 4-bit sub-blocks. Each sub-block forms the input to a 4 × 4 S-box (a substitution with 4 input and 4 output bits) called NibbleSub γ, which can easily be implemented as a table lookup of sixteen 4-bit values, indexed by the integer represented by the 4 input bits. In Mini-AES the same nonlinear mapping is used for all S-boxes. The mapping, given in Table 2.1, is taken from the S-boxes of DES (it is the first row of the first S-box).

Table 2.1 NibbleSub Truth Table.

Input   Output
0000    1110
0001    0100
0010    1101
0011    0001
0100    0010
0101    1111
0110    1011
0111    1000
1000    0011
1001    1010
1010    0110
1011    1100
1100    0101
1101    1001
1110    0000
1111    0111
Permutation

The permutation portion of a round moves and mixes the nibbles of the state without introducing further nonlinearity. The permutation of Figure 2.2 is given by two operations, ShiftRow π and MixColumn θ. Note that there is no MixColumn in the last round. ShiftRow rotates each row of the input block to the left by a different number of nibbles: the first row is unchanged while the second row is rotated left by one nibble.

MixColumn takes each column of the input block and multiplies it by a constant matrix to obtain a new output column. If a = (a_0, a_1, a_2, a_3) and b = (b_0, b_1, b_2, b_3) denote the input and output of MixColumn respectively, then:

$$\begin{pmatrix} b_0 \\ b_1 \end{pmatrix} = \begin{pmatrix} 0011 & 0010 \\ 0010 & 0011 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \end{pmatrix} \qquad (2.5)$$

and

$$\begin{pmatrix} b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} 0011 & 0010 \\ 0010 & 0011 \end{pmatrix} \begin{pmatrix} a_2 \\ a_3 \end{pmatrix} \qquad (2.6)$$

Hence, b_0 = (0011 × a_0) + (0010 × a_1) and b_1 = (0010 × a_0) + (0011 × a_1). Similarly, b_2 = (0011 × a_2) + (0010 × a_3) and b_3 = (0010 × a_2) + (0011 × a_3), where × and + are multiplication and addition in GF(2^4) (see Section A.3).
Key Addition

To achieve the key addition, Mini-AES uses a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a subkey) and the data block input to the round. Normally, in a cipher, the subkey for a round is derived from the cipher's master key through a process known as the key schedule. In Mini-AES, the 16-bit secret key is passed through a key schedule to produce one 16-bit round key k_0, used prior to the first round, and a 16-bit round key k_i for use in each round i. Since Mini-AES encryption is defined to have 2 rounds, three round keys k_0, k_1 and k_2 are generated; the corresponding Key Addition operations are denoted σ_{k_0}, σ_{k_1} and σ_{k_2}. Denote the 16-bit secret key K as 4 nibbles, K = (k_0, k_1, k_2, k_3) (here the k_i are key nibbles, not round keys), and likewise the round keys as k_0 = (w_0, w_1, w_2, w_3), k_1 = (w_4, w_5, w_6, w_7) and k_2 = (w_8, w_9, w_10, w_11). Then the round key values are obtained from the secret key as in Table 2.2. Note that in each round, round constants rcon(i) are used, where rcon(1) = 0001 and rcon(2) = 0010.
Encryption

The application of the four components NibbleSub, ShiftRow, MixColumn and KeyAddition in sequence constitutes one round. The full Mini-AES encryption consists of two such rounds, with the exclusion of MixColumn from the last round and the inclusion of an extra KeyAddition prior to the first round. Hence, Mini-AES encryption can be denoted by:

$$\mathrm{Mini\text{-}AES_{Encrypt}} = \sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0} \qquad (2.7)$$
Fig. 2.2 Structure of Mini-AES cipher.
Table 2.2 Generation of the Round Keys of Mini-AES.

Round   Round Key Values
0       w_0 = k_0
        w_1 = k_1
        w_2 = k_2
        w_3 = k_3
1       w_4 = w_0 + NibbleSub(w_3) + rcon(1)
        w_5 = w_1 + w_4
        w_6 = w_2 + w_5
        w_7 = w_3 + w_6
2       w_8 = w_4 + NibbleSub(w_7) + rcon(2)
        w_9 = w_5 + w_8
        w_10 = w_6 + w_9
        w_11 = w_7 + w_10
Note that the symbol ◦ refers to the composition of functions and the order of execution is from right to left, which means that σ_{k_0} is executed first.

Decryption

In order to decrypt, data is essentially passed backwards through the cipher. However, the mappings used in the S-boxes of the decryption network are the inverses of the mappings in the encryption network (i.e., input becomes output, output becomes input). This implies that, in order for a cipher to allow for decryption, all S-boxes must be bijective, that is, one-to-one mappings with the same number of input and output bits. Also, in order for the cipher to decrypt properly, the subkeys are applied in reverse order and the bits of the subkeys must be moved around according to the permutation. Note also that the omission of MixColumn from the last round ensures that the decryption network can have the same structure as the encryption network.
$$\begin{aligned}
\mathrm{Mini\text{-}AES}_{Decrypt} &= (\sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0})^{-1} \\
&= \sigma_{k_0}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \theta^{-1} \circ \sigma_{k_1}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \sigma_{k_2}^{-1} \\
&= \sigma_{k_0} \circ \gamma^{-1} \circ \pi \circ \theta \circ \sigma_{k_1} \circ \gamma^{-1} \circ \pi \circ \sigma_{k_2}
\end{aligned} \qquad (2.8)$$
We arrive at this expression since σk0 is an XOR operation, which is its own inverse. We have also specially chosen the constant matrix in MixColumn, θ, such that the inverse of MixColumn, θ⁻¹, is the same as MixColumn itself. Since ShiftRow simply causes the second row to be rotated left by one nibble, the inverse of ShiftRow, π⁻¹, causes the second row to be rotated right by one nibble. Rotating the nibble left or right is one and the same operation because one row only has two nibbles, therefore inverse ShiftRow is the same as ShiftRow. NibbleSub is a nibble substitution operation based on Table 2.1. The inverse of Table 2.1 is easily computed by interchanging the input nibble with the output nibble, and then re-sorting it based on the new input nibble, as given in Table 2.3 below.

Table 2.3 Inverse NibbleSub Truth Table.
Input   Output
0000    1110
0001    0011
0010    0100
0011    1000
0100    0001
0101    1100
0110    1010
0111    1111
1000    0111
1001    1101
1010    1001
1011    0110
1100    1011
1101    0010
1110    0000
1111    0101

2.2.2
KASUMI Cipher
Description
The KASUMI cipher is used in the UMTS [155], GSM [67] and GPRS [65] mobile communications systems. UMTS uses KASUMI [76] in the confidentiality and integrity algorithms named UEA1 and UIA1 [76], respectively. GSM employs KASUMI in the A5/3 key stream generator, whereas GPRS does so in the GEA3 key stream generator. KASUMI encrypts a 64-bit input by iterating a round function 8 times. The round function consists of the composition of a 32-bit non-linear mixing function (FO) and a 32-bit linear mixing function (FL). The FO function is again an iterated "ladder-design" consisting of 3 rounds of a 16-bit non-linear mixing function FI. In turn, FI is defined as a 4-round structure using non-linear look-up tables S7 and S9. All functions involved mix the data input with key material.
FI Function
The FI function is a 16 × 16 Vector Boolean function which constitutes the basic randomizing function of KASUMI. It is composed of a four-round structure using the S-boxes S7 and S9, as shown in Figure 2.3. The function FI takes a 16-bit data input $I$ and a 16-bit subkey $KI_{i,j}$. The input $I$ is split into two unequal components, a 9-bit left half $L_0$ and a 7-bit right half $R_0$, where $I = L_0 \| R_0$. Similarly the key $KI_{i,j}$ is split into a 7-bit component $KI_{i,j,1}$ and a 9-bit component $KI_{i,j,2}$, where $KI_{i,j} = KI_{i,j,1} \| KI_{i,j,2}$. The function uses two S-boxes, S7, which maps a 7-bit input to a 7-bit output, and S9, which maps a 9-bit input to a 9-bit output. It also uses two additional functions, designated ZE() and TR(), where ZE(x) takes the 7-bit value x and converts it to a 9-bit value by adding two zero bits at the most significant end, and TR(x) takes the 9-bit value x and converts it to a 7-bit value by discarding the two most significant bits. The following equations summarize the implementation of function FI:

$$I = L_0 \| R_0, \qquad KI_{i,j} = KI_{i,j,1} \| KI_{i,j,2} \qquad (2.9)$$

$$\begin{aligned}
L_1 &= R_0, & R_1 &= S9(L_0) + ZE(R_0) \\
L_2 &= R_1 + KI_{i,j,2}, & R_2 &= S7(L_1) + TR(R_1) + KI_{i,j,1} \\
L_3 &= R_2, & R_3 &= S9(L_2) + ZE(R_2) \\
L_4 &= S7(L_3) + TR(R_3), & R_4 &= R_3
\end{aligned} \qquad (2.10)$$

$$\begin{aligned}
L_4 &= S7\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big) \\
&\quad + TR\Big(S9\big(S9(L_0) + ZE(R_0) + KI_{i,j,2}\big) + ZE\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big)\Big) \\
R_4 &= S9(R_1 + KI_{i,j,2}) + ZE\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big)
\end{aligned} \qquad (2.11)$$

the output being $L_4 \| R_4$.
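The following C++ is an added example (not the thesis' or VBF's code): it evaluates FI step by step as in (2.10) and in the closed form (2.11), checks that both agree on every 16-bit input, and checks that FI is a permutation for a fixed subkey. The S7 and S9 tables are constructed stand-in bijections, not the KASUMI S-boxes, so only the ladder structure, ZE and TR are faithful to the text.

```cpp
#include <array>
#include <cstdint>
#include <vector>

// Stand-in S-boxes, constructed for this example only; they are NOT the KASUMI S7/S9
// tables. x -> a*x + b mod 2^k with a odd is a permutation of k-bit values.
uint16_t S7(uint16_t x) { return static_cast<uint16_t>((37u * x + 11u) & 0x7F); }
uint16_t S9(uint16_t x) { return static_cast<uint16_t>((101u * x + 5u) & 0x1FF); }

// ZE: 7-bit value to 9 bits by prepending two zero bits.
// TR: 9-bit value to 7 bits by discarding the two most significant bits.
uint16_t ZE(uint16_t x) { return static_cast<uint16_t>(x & 0x7F); }
uint16_t TR(uint16_t x) { return static_cast<uint16_t>(x & 0x7F); }

// I = L0 || R0 (9 + 7 bits) and KI = KI1 || KI2 (7 + 9 bits), as in (2.9).
struct Halves { uint16_t L0, R0, KI1, KI2; };
Halves split(uint16_t I, uint16_t KI) {
    return {static_cast<uint16_t>(I >> 7), static_cast<uint16_t>(I & 0x7F),
            static_cast<uint16_t>(KI >> 9), static_cast<uint16_t>(KI & 0x1FF)};
}

// FI evaluated round by round as in (2.10); "+" is XOR. Output is L4 || R4 (7 + 9 bits).
uint16_t fi_ladder(uint16_t I, uint16_t KI) {
    Halves h = split(I, KI);
    uint16_t L1 = h.R0,            R1 = S9(h.L0) ^ ZE(h.R0);
    uint16_t L2 = R1 ^ h.KI2,      R2 = S7(L1) ^ TR(R1) ^ h.KI1;
    uint16_t L3 = R2,              R3 = S9(L2) ^ ZE(R2);
    uint16_t L4 = S7(L3) ^ TR(R3), R4 = R3;
    return static_cast<uint16_t>((L4 << 9) | R4);
}

// FI written out as the closed form (2.11); "inner" is the repeated sub-expression R2.
uint16_t fi_unrolled(uint16_t I, uint16_t KI) {
    Halves h = split(I, KI);
    uint16_t R1 = S9(h.L0) ^ ZE(h.R0);
    uint16_t inner = S7(h.R0) ^ TR(S9(h.L0) ^ ZE(h.R0)) ^ h.KI1;
    uint16_t L4 = S7(inner) ^ TR(S9(S9(h.L0) ^ ZE(h.R0) ^ h.KI2) ^ ZE(inner));
    uint16_t R4 = S9(R1 ^ h.KI2) ^ ZE(inner);
    return static_cast<uint16_t>((L4 << 9) | R4);
}

// (2.10) and (2.11) agree on every input for the given subkey.
bool ladder_matches_unrolled(uint16_t KI) {
    for (uint32_t I = 0; I < 0x10000; ++I)
        if (fi_ladder(static_cast<uint16_t>(I), KI) != fi_unrolled(static_cast<uint16_t>(I), KI))
            return false;
    return true;
}

// For a fixed subkey FI is a 16-bit permutation whenever S7 and S9 are bijective,
// which is what makes the ladder invertible for decryption; checked by counting outputs.
bool fi_is_permutation(uint16_t KI) {
    std::vector<bool> seen(0x10000, false);
    for (uint32_t I = 0; I < 0x10000; ++I) {
        uint16_t out = fi_ladder(static_cast<uint16_t>(I), KI);
        if (seen[out]) return false;
        seen[out] = true;
    }
    return true;
}
```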
Fig. 2.3 Structure of KASUMI cipher FI function.

2.2.3
DES Cipher
The Data Encryption Standard (DES) was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition. DES operates on a 64-bit block of plaintext. After an initial permutation (IP), the block is broken into a right half (R0) and a left half (L0), each 32 bits long. Then there are 16 rounds of identical operations, called Function f or Feistel function, in which data are combined with the key. After the sixteenth round, the right and left halves are joined, and a final permutation (the inverse of the initial permutation, IP⁻¹) finishes off the algorithm. The Feistel function (f), depicted in Figure 2.5, operates on half a block (32 bits) at a time and consists of four stages:
1. Expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 × 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.
2. Key mixing: the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys (one for each round) are derived from the main key using the key schedule.
3. Substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the 8 S-boxes replaces its 6 input bits with 4 output bits according to a non-linear transformation, provided in the form of a lookup table.
4. Permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after permutation, each S-box's output bits are spread across 4 different S-boxes in the next round.
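As an added example (not the thesis' code), this C++ derives the expansion permutation E from the rule stated in stage 1, checks it against the E table of FIPS 46-3 (taken from the standard, not from this page), and carries a half-block through the expansion and key-mixing stages up to the eight 6-bit S-box inputs; the S-boxes and the P-box are not reproduced here.

```cpp
#include <array>
#include <cstdint>

// Expansion permutation E of FIPS 46-3 (bit positions are 1-based, bit 1 = most significant).
const std::array<int, 48> E_TABLE = {
    32,  1,  2,  3,  4,  5,   4,  5,  6,  7,  8,  9,
     8,  9, 10, 11, 12, 13,  12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21,  20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29,  28, 29, 30, 31, 32,  1};

// Derives the expansion table from the rule in the text: 6-bit piece i holds input bits
// 4i+1..4i+4 plus the adjacent bit of the piece to either side (bits 4i and 4i+5),
// wrapping around so that piece 0 borrows bit 32 and piece 7 borrows bit 1.
std::array<int, 48> expansion_from_rule() {
    std::array<int, 48> e{};
    for (int i = 0; i < 8; ++i)
        for (int j = 0; j < 6; ++j)
            e[6 * i + j] = (4 * i + j + 31) % 32 + 1;
    return e;
}

bool rule_matches_fips_table() { return expansion_from_rule() == E_TABLE; }

// Stage 1: expands a 32-bit half-block to 48 bits (held MSB-first in the low 48 bits).
uint64_t expand(uint32_t half) {
    uint64_t out = 0;
    for (int pos = 0; pos < 48; ++pos)
        out = (out << 1) | ((half >> (32 - E_TABLE[pos])) & 1u);
    return out;
}

// Stage 2: key mixing with the 48-bit round subkey.
uint64_t key_mix(uint64_t expanded, uint64_t subkey) {
    return (expanded ^ subkey) & 0xFFFFFFFFFFFFull;
}

// Stage 3 input: the eight 6-bit pieces fed to S1..S8, piece 0 first.
std::array<uint8_t, 8> sbox_inputs(uint64_t mixed) {
    std::array<uint8_t, 8> pieces{};
    for (int i = 0; i < 8; ++i)
        pieces[i] = static_cast<uint8_t>((mixed >> (42 - 6 * i)) & 0x3F);
    return pieces;
}
```

Because bit 1 of the half-block is copied into both piece 0 and piece 7, a single set input bit reaches two S-boxes after expansion.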
Fig. 2.4 Structure of DES cipher.
Fig. 2.5 The Feistel function of DES.

2.2.4
AES Cipher
The Advanced Encryption Standard (AES), also referred to as Rijndael (its original name), has been adopted by the U.S. government and is now used worldwide. It has superseded the Data Encryption Standard (DES) since 2002. The AES is a 128-bit block cipher, and supports secret key sizes of 128, 192 or 256 bits. We will describe the details of the AES with reference to a 128-bit key. The other variants are similar in nature. The 128-bit block of the AES is expressed as a matrix of 4 × 4 bytes called the state, in contrast to Mini-AES being expressed as a matrix of 2 × 2 nibbles. AES consists of 10 rounds, where each round is similar to the round of Mini-AES, with the last round having no MixColumn. There is also a KeyAddition prior to the first round. The purpose of the extra KeyAddition and the omission of MixColumn is so that encryption and decryption of the AES are similar in structure, which simplifies implementation. The round components of the AES are SubBytes, ShiftRow, MixColumn and KeyAddition. SubBytes is similar to NibbleSub, but operates on one byte instead of one nibble. Likewise, ShiftRow rotates each row of the input block to the left by different byte amounts: the first row is unchanged, the second is rotated left by 1 byte, the third by 2 and the fourth by 3. MixColumn takes each column of the input block and multiplies it with a constant 4 × 4 matrix. KeyAddition is similar to that of Mini-AES. A high-level description of this algorithm would be:
1. KeyExpansions: round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more.
2. InitialRound
   (a) AddRoundKey: each byte of the state is combined with a block of the round key using bit-wise XOR.
3. Rounds
   (a) SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
   (b) ShiftRows: a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
   (c) MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   (d) AddRoundKey
4. Final Round (no MixColumns)
   (a) SubBytes
   (b) ShiftRows
   (c) AddRoundKey
The Mini-AES key schedule takes the 16-bit secret key and expresses it as a group of four nibbles. Meanwhile, the AES key schedule takes the 128-bit secret key and expresses it as a group of four 32-bit words. The 0th round key, K0, equals the secret key itself, while each subsequent round key is derived from the secret key in almost the same way as in Mini-AES.

Substitution or SubBytes Step
In the AES cipher, we break the 128-bit plaintext block into four 8-bit sub-blocks. Each sub-block forms an input to an 8 × 8 S-box (a substitution with 8 input and 8 output bits) called the Rijndael S-box SRD. It is represented in hexadecimal notation as shown in Figure 2.6. There the column is determined by the least significant nibble (four-bit aggregation), and the row is determined by the most significant nibble. For example, the value 0x9a is converted into 0xb8 by the Rijndael S-box. Note that the multiplicative inverse of 0x00 is defined as itself.

Permutation
The permutation of AES is given by two steps: ShiftRows and MixColumns. Note that there is no MixColumns in the last round.
Fig. 2.6 Rijndael S-box SRD.
The ShiftRows step is a byte transposition that cyclically shifts the rows of the state (array of bytes) over different offsets. The MixColumns step is a bricklayer permutation operating on the state column by column.

Key Addition and AddRoundKey
To achieve the key addition, AES applies a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a round key) and the data block input to a round.
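The following C++ (added here; not code from the thesis or from VBF) builds the Rijndael S-box SRD as described above: the multiplicative inverse in GF(2^8), with 0x00 mapped to itself, followed by the affine transformation of FIPS-197 (the reduction polynomial and affine constant are taken from the standard, not from this page). It reproduces the 0x9a to 0xb8 example with the row/column addressing of Figure 2.6 and checks that SubBytes is invertible.

```cpp
#include <array>
#include <cstdint>

// Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; ++i) {
        if (b & 1) p ^= a;
        bool overflow = (a & 0x80) != 0;
        a = static_cast<uint8_t>(a << 1);
        if (overflow) a ^= 0x1b;   // reduce x^8 -> x^4 + x^3 + x + 1
        b >>= 1;
    }
    return p;
}

// Multiplicative inverse in GF(2^8); 0x00 is mapped to itself, as the text states.
uint8_t gf_inv(uint8_t a) {
    if (a == 0) return 0;
    for (int b = 1; b < 256; ++b)
        if (gf_mul(a, static_cast<uint8_t>(b)) == 1) return static_cast<uint8_t>(b);
    return 0;  // not reached: every non-zero field element has an inverse
}

// Affine step of the Rijndael S-box (FIPS-197):
// s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63.
uint8_t affine(uint8_t b) {
    uint8_t s = b;
    for (int k = 1; k <= 4; ++k)
        s ^= static_cast<uint8_t>((b << k) | (b >> (8 - k)));
    return static_cast<uint8_t>(s ^ 0x63);
}

// S_RD(x) = affine(inverse(x)); the 256-entry table is built once on first use.
const std::array<uint8_t, 256>& srd_table() {
    static const std::array<uint8_t, 256> table = [] {
        std::array<uint8_t, 256> t{};
        for (int x = 0; x < 256; ++x) t[x] = affine(gf_inv(static_cast<uint8_t>(x)));
        return t;
    }();
    return table;
}

uint8_t srd(uint8_t x) { return srd_table()[x]; }

// Lookup as in Figure 2.6: the most significant nibble selects the row and the least
// significant nibble the column, e.g. 0x9a is row 9, column a.
uint8_t srd_lookup(uint8_t row, uint8_t col) {
    return srd(static_cast<uint8_t>((row << 4) | (col & 0xF)));
}

// SubBytes must be invertible for decryption: every byte appears exactly once.
bool srd_is_bijection() {
    std::array<bool, 256> seen{};
    for (int x = 0; x < 256; ++x) {
        uint8_t y = srd(static_cast<uint8_t>(x));
        if (seen[y]) return false;
        seen[y] = true;
    }
    return true;
}
```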
2.3
VBF (Vector Boolean Functions) library

2.3.1
Features
The main features of the VBF library are the following:
• It is free/open source under the GPL. In this sense, we are aligned with the Sage project developers, who affirm the following: A standard rule in the mathematics community is that everything is laid open for inspection. The Sage project believes that not doing the same for mathematics software is at best a gesture of impoliteness and rudeness, and at worst a violation against standard scientific practices. An underlying philosophical principle of Sage is to apply the system of open exchange and peer review that characterizes scientific communication to the development of mathematics software. Neither the Sage project nor the Sage Development Team make any claims to being the original proponents of this principle. The development model of Sage is largely inspired by the free software movement as spearheaded by the Free Software Foundation, and by the open source movement. One source of inspiration from within the mathematics community is Joachim Neubuser as expressed in the paper [109] and in particular the following quotation from his paper: "You can read Sylow's Theorem and its proof in Huppert's book in the library without even buying the book and then you can use Sylow's Theorem for the rest of your life free of charge, but...for many computer algebra systems license fees have to be paid regularly for the total time of their use. In order to protect what you pay for, you do not get the source, but only an executable, i.e. a black box. You can press buttons and you get answers in the same way as you get the bright pictures from your television set but you cannot control how they were made in either case. With this situation two of the most basic rules of conduct in mathematics are violated: In mathematics information is passed on free of charge and everything is laid open for checking. Not applying these rules to computer algebra systems that are made for mathematical research...means moving in a most undesirable direction. Most important: Can we expect somebody to believe a result of a program that he is not allowed to see? Moreover: Do we really want to charge colleagues in Moldava several years of their salary for a computer algebra system?" Similar sentiments were also expressed by Andrei Okounkov as can be found in [110], in particular the following quotation: "Computers are no more a threat to mathematicians than food processors are a threat to cooks. As mathematics gets more and more complex while the pace of our lives accelerates, we must delegate as much as we can to machines. And I mean both numeric and symbolic work. Some people can manage without dishwashers, but I think proofs come out a lot cleaner when routine work is automated. This brings up many issues. I am not an expert, but I think we need a symbolic standard to make computer manipulations easier to document and verify. And with all due respect to the free market, perhaps we should not be dependent on commercial software here. An open-source project could, perhaps, find better answers to the obvious problems such as availability, bugs, backward compatibility, platform independence, standard libraries, etc. One can learn from the success of TeX and more specialized software like Macaulay2. I do hope that funding agencies are looking into this."
• It is a library, allowing us to use it in conjunction with other tools and libraries.
• It is implemented in the C++ language.
The main advantages of this language are derived from the object-oriented implementation and the use of effective algorithms; such advantages are: reusability, maintainability, extensibility and flexibility in the analysis of a broad range of Vector Boolean functions employed in symmetric ciphers. The size of the vector Boolean functions that can be analyzed by VBF is restricted by the computational resources (memory, disk space, CPU, ...) of the platform on which it is executed. However, the maximum value for n and m to be handled by the different functions is conditioned by the maximum value attainable by long int variables (for the computer employed in this work, it is approximately 2^30, so that nmax = mmax ≈ 30). Note that, although functions of this size would be compatible with the VBF resource management procedures, the run-time requirements for computing the characteristics would exceed any realistic bound.
• It can be easily installed on several platforms such as Windows, Linux and MacOS, among others.
• It makes use of some modules from the well-known Number Theory Library NTL implemented by Victor Shoup (VBF works with any version of NTL, up to the latest one [111]). A preliminary version of VBF, lacking several of the modules and features in the current package, was presented in [5].
NTL is a high-performance, portable C++ library providing data structures and algorithms for manipulating signed, arbitrary length integers, as well as vectors, matrices, and polynomials over the integers and over finite fields. The decision to use this library is mainly based on four reasons:
1. It is free software, and may be used according to the terms of the GNU General Public License.
2. It provides high quality implementations of state-of-the-art algorithms for the Galois field of order 2.
3. It may be easily installed on a wide range of platforms.
4. It provides a clean and consistent interface to a large variety of classes representing mathematical objects which are useful in cryptology.
The core of the VBF library is the VBF class, which represents vector Boolean functions and whose data members and member functions make use of the NTL modules listed in Table 2.4. However, some new cryptography-related member functions were added to the previous modules. New modules, which are not present in NTL, are defined and they are listed in Table 2.5. The main file in the library, called VBF.h, has the definitions of the objects described in the next subsection and makes use of the cited modules. The process of development of the VBF library consisted of four steps:
1. To study the most common representation methods employed in modern cryptosystems.
2. To compile and elaborate cryptographic criteria for Vector Boolean functions.
3. To analyse the structure of modern cryptographic algorithms in order to identify the most common interconnections among their subsystems. It is important to understand the behaviour of the representations, characterizations and criteria of a cryptosystem in terms of the representations, characterizations and criteria of its subsystems.
4. To develop algorithms to load representations, calculate their characterizations and criteria, and apply constructions to subsystems.

Table 2.4 NTL modules used in VBF.
CLASS NAME   DESCRIPTION
GF2          Galois Field of order 2 denoted by GF(2)
vec_GF2      Vectors over GF(2)
mat_GF2      Matrices over GF(2)
RR           Arbitrary-precision floating point numbers
vec_RR       Vectors over reals
mat_RR       Matrices over reals
ZZ           Signed, arbitrary length integers
vec_ZZ       Vectors over integers
mat_ZZ       Matrices over integers
GF2X         Implements polynomial arithmetic modulo 2
GF2E         Polynomials in F2[X] modulo a polynomial P
GF2EX        Polynomials over GF2E
vec_GF2E     Vectors over GF2E

Table 2.5 New modules created for VBF.
CLASS NAME   DESCRIPTION
pol          Polynomial in ANF of a Boolean Function
vec_pol      Polynomials in ANF of a Vector Boolean Function
2.3.2
State-of-the-art on Vector Boolean Functions Analysis Software
To support our own contributions, we will now survey previous research on the analysis of Vector Boolean functions from the cryptographic point of view. At present, several other packages are available, for example:
1. CrypTool [44] is a free, open-source e-learning application, used in the implementation and analysis of cryptographic algorithms. It provides cryptanalytical measurement methods (entropy, n-grams, autocorrelation, etc.) but it does not allow the calculation of cryptographic criteria. The current release version, CrypTool 2, is based on the latest .NET Framework (currently .NET 4.0) and it has a pure-plugin architecture. There is also another project called JCrypTool developed in Java and based on Eclipse RCP.
2. Matpack [90] is a C++ numerics and graphics library implementing computational methods that are needed in engineering. The cryptographic algorithms are included in the commercial library; these can only be used to analyze some cryptographic properties of Boolean functions and do not address Vector Boolean functions.
3. In [12], a system for assisting the analysis of some criteria of DES-like ciphers is described. This system analyzes only a small subset of the criteria considered by VBF.
4. bma [122] outputs the value table, Walsh Spectrum (WS) (a generalized Fourier spectrum), linear profile, differential profile, and some linearity/nonlinearity measures, given the ANF of a Vector Boolean function. It is an open-source executable program written in C, computationally very efficient for the analysis of specific S-boxes.
5. The boolfun package [14] is open source software, written in R, to assess cryptographic properties of Boolean functions. It implements three representations: Truth Table, ANF and WS. It can calculate cryptographic properties of Boolean functions that are relevant for the design of stream ciphers (i.e., cryptographic pseudo-random generators), namely nonlinearity, algebraic immunity, correlation immunity and resiliency. Unfortunately it does not provide specific tools for analyzing vector functions.
6. Sage [132] is free open source mathematical software that supports research and teaching in algebra, geometry, number theory, cryptography, and related areas. The Cryptography module contains some descriptions of classical ciphers and simplified modern ciphers such as Simplified DES and Mini-AES. Compared with the VBF library, SAGE lacks much useful functionality.
In summary, the packages cited above present one (or more) of the following disadvantages: they are commercial, they do not benefit from the new paradigms of object orientation and generic programming, or they do not cover the broad spectrum of representations and cryptographic criteria for both Boolean and Vector Boolean functions that VBF does. The aim of the VBF package presented in this thesis is to provide an easy-to-use tool both for the designer and for the cryptanalyst of symmetric ciphers. The user only needs to code the basic features related to the Vector Boolean functions associated with a cipher (e.g., Truth Table, ANF table, polynomial in ANF, etc.). The following chapter analyses the possible representations and characterizations of Boolean functions with the aim of their efficient management via the VBF library.
Chapter 3
Representations and Characterizations

This chapter presents a review of theory relevant to the study of the typical forms of Vector Boolean function representations and characterizations. We will consider as representations those that uniquely represent a Vector Boolean function. Characterizations do not uniquely determine the Vector Boolean function, in contrast to the previous matrices, but provide some useful information in the context of cryptography. Representations included in this chapter are the Truth Table (TT), the polynomials in Algebraic Normal Form (Pol) and ANF Table (ANF), the Image (Char), Component functions Truth Table (LTT), Sequence vectors of Component functions (CTT), the Trace Representation (Trace) and Affine function Representation. A definition for each of these representations is given, and the relationships among them and their various properties are also discussed. Characterizations such as Linear Profile (LP), Differential Profile (DP), Autocorrelation Spectrum (AC) and Linear Structures (LS) are introduced. A definition for each of these characterizations is given, and the relationships among them and the above representations and their various properties are also discussed. The basic concepts of linear and differential cryptanalysis are introduced in terms of the Linear Profile and Differential Profile, together with other properties related to these attacks, such as: linear potential, differential potential, and linear or differential relations associated with a specific value. Affine equivalence analysis of Boolean functions by means of the VBF library is described. It is shown how to obtain the frequency distribution of the absolute values of the Walsh Spectrum and of the Autocorrelation Spectrum. It is possible to check the randomness of a Vector Boolean function's outputs with VBF by means of its cycle structure, and the analysis of the presence of fixed points or negated fixed points.
Finally, some other representations useful in block ciphers are described, such as the Permutation Vector (Per), Expansion and Compression DES permutations and DES-like S-box representations. The description of each representation and characterization is complemented with the description of the methods in VBF related to them. Most of the member functions of VBF have an in-line definition; for instance, void TT(NTL::mat_GF2& X, VBF& F) is also defined as inline NTL::mat_GF2 TT(VBF& F). Figure 3.1 summarizes the relationships among the different representations.
Fig. 3.1 Relationships among representations and characterizations of a Vector Boolean function.
The representations which are Boolean matrices are coloured in red, those which are integer matrices are coloured in blue, those that are vectors of integers are coloured in yellow and those which are polynomials are coloured in green. In this chapter we apply VBF library methods to find out the representations and characterizations of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of representations and characterizations of modern cryptographic algorithms apart from those described in this chapter.
3.1
Truth Table
3.1.1
Description
A Vector Boolean function $F \in \mathcal{F}_{n,m}$ can be uniquely represented by its Truth Table, which is a matrix with $2^n$ rows and $m$ columns whose elements are the values of $F$ taken on all possible vectors of $V_n$ ordered lexicographically.

Definition 3.1.1. Let $F \in \mathcal{F}_{n,m}$. If we take into account the one-to-one mapping of $V_n$ onto the set of integers as defined in Theorem A.1.1, we are able to define any vector Boolean function by the corresponding set of values:

$$F(\alpha_i) \in V_m \quad \forall\, i \in \{0, \ldots, 2^n - 1\} \qquad (3.1)$$

The matrix with $2^n$ rows and $m$ columns will be referred to as the Truth Table of $F$ and will be generally written as $TT_F$:

$$TT_F = \begin{pmatrix}
f_1(\alpha_0) & \cdots & f_m(\alpha_0) \\
f_1(\alpha_1) & \cdots & f_m(\alpha_1) \\
\vdots & \ddots & \vdots \\
f_1(\alpha_{2^n-1}) & \cdots & f_m(\alpha_{2^n-1})
\end{pmatrix} \qquad (3.2)$$

where each $\alpha_i = (x_1, \ldots, x_n) \in V_n$, $i \in \{1, \ldots, 2^n - 1\}$, is a vector whose decimal equivalent is $\mathrm{dec}(\alpha_i) = i = \sum_{j=1}^{n} x_j 2^{n-j}$, and all the vectors of $V_n$ can be listed so that $\alpha_0 < \alpha_1 < \cdots < \alpha_{2^n-1}$. As a total order is defined over the assignments (inputs) of the Vector Boolean function, the Truth Table can be uniquely represented by this matrix. Any function $F$ can be uniquely described by its Truth Table $TT_F \in M_{2^n \times m}(GF(2))$ (or by the Truth Tables of its coordinate functions $TT_{f_i}$, $i \in \{1, \ldots, m\}$) and it holds that:

$$\gamma : \mathcal{F}_{n,m} \to M_{2^n \times m}(GF(2)), \qquad F \mapsto TT_F \qquad (3.3)$$

is an isomorphism between the vector spaces $\mathcal{F}_{n,m}$ and $M_{2^n \times m}(GF(2))$, so that $\#\mathcal{F}_{n,m} = 2^{2^n \cdot m}$. The Truth Table for an $n$-variable Boolean function $f$ should be in lexicographical form, i.e., $TT_f = (f(0), f(1), f(2), \ldots, f(2^n - 1))$. Since the Truth Table length might be too large, we represent it in hexadecimal rather than in binary notation. The hexadecimal Truth Table is obtained by replacing each four bits by their corresponding hexadecimal digit. For instance, to enter $TT_f = (0, 0, 1, 1, 1, 1, 1, 1)$ one should just write $TT_f = 3f$.
The distance between two Vector Boolean functions $F, G \in \mathcal{F}_{n,m}$ is defined as the number of bits that are different in their respective Truth Tables:

$$d(F, G) = \sum_{x \in V_n} d\big(F(x), G(x)\big) \qquad (3.4)$$

where $d(F(x), G(x))$ is the Hamming distance between the two vectors $F(x), G(x) \in V_m$. The weight of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is equal to the distance between $F$ and the corresponding zero Vector Boolean function $0 \in \mathcal{F}_{n,m}$, where $0(x) = 0\ \forall\, x \in V_n$. In order to obtain certain characterizations (such as the Autocorrelation Spectrum), it is important to take into account two additional representations related to the Truth Table: LTT and CTT. We will denote by LTT of $F \in \mathcal{F}_{n,m}$ the matrix whose columns are the Truth Tables of the $2^m$ component functions of $F$. We will denote by CTT of $F$ the matrix whose columns are the sequence vectors of the $2^m$ component functions of $F$¹.
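As an added example, not the VBF library's code, the following C++ builds $TT_F$ from a decimal output vector (the input format of putDecTT), returns the hexadecimal form of each coordinate function, computes the weight and the distance (3.4), and derives LTT and CTT as defined above; the NibbleSub S-box of Example 3.1.1 and its inverse (Table 2.3) are the sample inputs. Taking $f_1$ as the most significant output bit, and letting the bits of $u \in V_m$ select coordinate functions in the same order, is an assumption of this example.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Truth Table TT_F of F in F_{n,m}: 2^n rows (inputs alpha_i in lexicographic order)
// and m columns (coordinate functions f_1..f_m), with entries in GF(2).
struct TruthTable {
    int n = 0;
    int m = 0;
    std::vector<std::vector<int>> rows;  // rows[i][j-1] = f_j(alpha_i)
};

// Builds TT_F from the decimal representation: d[i] is F(alpha_i) read as an integer
// with f_1 as its most significant bit (assumed ordering, see lead-in).
TruthTable from_decimal(const std::vector<unsigned>& d, int m) {
    TruthTable tt;
    tt.m = m;
    while ((size_t(1) << tt.n) < d.size()) ++tt.n;
    if ((size_t(1) << tt.n) != d.size())
        throw std::invalid_argument("number of outputs must be 2^n");
    tt.rows.assign(d.size(), std::vector<int>(m, 0));
    for (size_t i = 0; i < d.size(); ++i)
        for (int j = 0; j < m; ++j)
            tt.rows[i][j] = (d[i] >> (m - 1 - j)) & 1;
    return tt;
}

// Hexadecimal Truth Table of coordinate function f_j (1-based): every four consecutive
// bits become one hex digit, e.g. (0,0,1,1,1,1,1,1) -> "3f".
std::string hex_coordinate(const TruthTable& tt, int j) {
    if (tt.rows.size() % 4 != 0) throw std::invalid_argument("need n >= 2");
    std::string out;
    for (size_t i = 0; i < tt.rows.size(); i += 4) {
        int nibble = 0;
        for (int k = 0; k < 4; ++k) nibble = (nibble << 1) | tt.rows[i + k][j - 1];
        out += "0123456789abcdef"[nibble];
    }
    return out;
}

// Distance (3.4): sum over x in V_n of the Hamming distance between F(x) and G(x),
// i.e. the number of differing Truth Table entries.
long distance(const TruthTable& F, const TruthTable& G) {
    if (F.n != G.n || F.m != G.m)
        throw std::invalid_argument("F and G must be in the same F_{n,m}");
    long d = 0;
    for (size_t i = 0; i < F.rows.size(); ++i)
        for (int j = 0; j < F.m; ++j) d += F.rows[i][j] ^ G.rows[i][j];
    return d;
}

// Weight: distance to the zero function, i.e. the number of ones in TT_F.
long weight(const TruthTable& F) {
    long w = 0;
    for (const auto& row : F.rows)
        for (int b : row) w += b;
    return w;
}

// Component function u.F(x): XOR of the coordinate functions selected by the bits of
// u in V_m (u = 0 gives the zero function).
int component(const TruthTable& tt, size_t i, unsigned u) {
    int v = 0;
    for (int j = 0; j < tt.m; ++j)
        if ((u >> (tt.m - 1 - j)) & 1) v ^= tt.rows[i][j];
    return v;
}

// LTT: 2^n x 2^m matrix whose column u is the Truth Table of the component function u.F.
std::vector<std::vector<int>> ltt(const TruthTable& tt) {
    size_t cols = size_t(1) << tt.m;
    std::vector<std::vector<int>> L(tt.rows.size(), std::vector<int>(cols, 0));
    for (size_t i = 0; i < tt.rows.size(); ++i)
        for (size_t u = 0; u < cols; ++u) L[i][u] = component(tt, i, static_cast<unsigned>(u));
    return L;
}

// CTT (Polarity Truth Table): the sequence vectors (-1)^{u.F(x)} of the component functions.
std::vector<std::vector<int>> ctt(const TruthTable& tt) {
    std::vector<std::vector<int>> C = ltt(tt);
    for (auto& row : C)
        for (int& v : row) v = 1 - 2 * v;
    return C;
}

// Sample inputs: the 8-entry table of the text (TT_f = 3f), the NibbleSub S-box of
// Example 3.1.1 (rows 1110, 0100, ... read as integers) and its inverse from Table 2.3.
const std::vector<unsigned> EXAMPLE_3F = {0, 0, 1, 1, 1, 1, 1, 1};
const std::vector<unsigned> NIBBLESUB_DEC = {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7};
const std::vector<unsigned> INV_NIBBLESUB_DEC = {14, 3, 4, 8, 1, 12, 10, 15, 7, 13, 9, 6, 11, 2, 0, 5};
```

Column 8 of LTT (u = 1000) is the Truth Table of $f_1$ itself, so its hexadecimal form equals that of the first coordinate function, while column 0 is the zero function.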
3.1.2
Library
A VBF class can be initialized by a Boolean Matrix representing the Truth Table with the following method:
void puttt(const NTL::mat_GF2& T)
To obtain the Truth Table of a Vector Boolean function the following method must be used:
void TT(NTL::mat_GF2& X, VBF& F)
A VBF class can be initialized by a collection of strings separated by carriage returns defined by s with the following method:
void putHexTT(istream& s)
Each row must be the hexadecimal representation of the Truth Table of the coordinate functions of a Vector Boolean function. To obtain the Truth Table in hexadecimal representation the following method must be used:
void getHexTT(ostream& s)

¹ Sometimes it is called the Polarity Truth Table.
Analogously, a VBF class can be initialized by a collection of strings with the binary representation of the Truth Table of the coordinate functions:
void putBinTT(istream& s)
To obtain its Truth Table in binary representation the following method must be used:
void getBinTT(ostream& s)
A VBF class can be initialized by a Boolean vector representing the decimal representation of the Truth Table of a Vector Boolean Function, defined by a vector of outputs in lexicographic order, called d, and knowing the number of component Boolean functions m:
void putDecTT(const NTL::vec_long& d,const long& m)
To obtain the Truth Table in decimal representation the following method must be used:
NTL::vec_long getDecTT() const
To obtain the weight of a Vector Boolean function F the following method must be used:
void weight(long& w, VBF& F)
A VBF class can be initialized by a Boolean Matrix representing the Truth Table of its component functions with the following method:
void putltt(const NTL::mat_GF2& L)
To obtain the Truth Table of the component functions of a Vector Boolean function the following method must be used:
void LTT(NTL::mat_GF2& X, VBF& F)
A VBF class can be initialized by a Boolean Matrix representing its Polarity Truth Table with the following method:
void putctt(const NTL::mat_ZZ& C)
To obtain the Polarity Truth Table of a Vector Boolean function the following method must be used:
void CTT(NTL::mat_ZZ& X, VBF& F)
Example 3.1.1. The Truth Table of the NibbleSub S-box described in Table 2.1 is the following:
[[1 1 1 0]
 [0 1 0 0]
 [1 1 0 1]
 [0 0 0 1]
 [0 0 1 0]
 [1 1 1 1]
 [1 0 1 1]
 [1 0 0 0]
 [0 0 1 1]
 [1 0 1 0]
 [0 1 1 0]
 [1 1 0 0]
 [0 1 0 1]
 [1 0 0 1]
 [0 0 0 0]
 [0 1 1 1]
]
If we use a file with this matrix as the input of the following program, we can obtain its hexadecimal, binary and decimal representation, as well as the Truth Tables of the component functions and its Polarity Truth Table.

    #include <iostream>
    #include <fstream>
    #include "VBF.h"

    int main(int argc, char *argv[])
    {
        using namespace VBFNS;
        VBF F;
        NTL::mat_GF2 T;

        ifstream input(argv[1]);
        if(!input) {
            cerr