
A New Class of Unbalanced CAST Ciphers and Its Security Analysis

by

© Xia Zhu

A thesis submitted to the School of Graduate Studies in partial fulfillment of the requirements for the degree of Master of Engineering

Faculty of Engineering and Applied Science
Memorial University of Newfoundland

April 1997

St. John's, Newfoundland, Canada

National Library of Canada, Acquisitions and Bibliographic Services, 395 Wellington Street, Ottawa ON K1A 0N4

The author has granted a non-exclusive licence allowing the National Library of Canada to reproduce, loan, distribute or sell copies of this thesis in microform, paper or electronic formats.

The author retains ownership of the copyright in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.

0-612-25906-4

Abstract

The original CAST cipher is an efficient and secure private-key block cipher designed to be an alternative to the Data Encryption Standard (DES). In this thesis, we present a new class of unbalanced CAST ciphers which employs the same structure of S-box and round function as the original CAST cipher but has a lower memory requirement. Unbalanced CAST ciphers with one or two 8 x 32 S-boxes in the round function require only 1/4 or 1/2 of the memory of the original CAST cipher, respectively.

This thesis examines the application of differential and linear cryptanalysis, two of the most powerful methodologies for attacking private-key block ciphers, to the unbalanced CAST ciphers. The results of the analysis show that a 48-round unbalanced CAST cipher with one 8 x 32 S-box and a 24-round unbalanced CAST cipher with two 8 x 32 S-boxes, both of which are equivalent to a 12-round original CAST cipher in efficiency, are resistant to both differential and linear cryptanalysis.

We also investigate the unbalanced CAST ciphers from the perspective of information theory. The results suggest that the maximum static and dynamic input-output bit information leakages for the unbalanced CAST ciphers constructed from 8 x 32 S-boxes are much smaller than for DES.

The conclusion reached by the thesis is that unbalanced CAST ciphers can be considered to be efficient, secure ciphers which require less memory than the original CAST cipher.


Dedicated to my wife Boquan Xie.

For her encouragement and support, I am eternally grateful.


Acknowledgments

I would like to especially thank my supervisor, Dr. Howard Heys, for his research guidance, financial support and personal encouragement throughout this thesis.

Contents

Abstract  i
Acknowledgments  iii
Contents  iv
List of Figures  viii
List of Tables  ix
List of Symbols  xiii

1 Introduction  1
1.1 Motivation for the Research  2
1.2 Contributions of this Research  4
1.3 Outline of Thesis  5

2 Review of Previous Research  6
2.1 Architectures  6
2.1.1 Substitution-Permutation Networks  6
2.1.2 DES-like Block Ciphers  7
2.2 Proposed Private-key Block Ciphers  9
2.3 Cryptographic Properties  11
2.3.1 Nonlinearity  11
2.3.2 Information Theory  12
2.3.3 Other Cryptographic Properties  14
2.4 Cryptanalysis  15
2.4.1 Exhaustive Key Search  15
2.4.2 Differential Cryptanalysis  16
2.4.3 Linear Cryptanalysis  17
2.5 Design of CAST Components  17
2.5.1 Substitution Box  18
2.5.2 Round Function  18
2.6 Cryptanalysis of CAST  20
2.6.1 Differential Cryptanalysis of CAST  20
2.6.2 Linear Cryptanalysis of CAST  20
2.6.3 Attack Based on Non-surjective Round Functions  21
2.7 Conclusion  22

3 Differential and Linear Cryptanalysis  23
3.1 Differential Cryptanalysis  23
3.1.1 XOR Table  23
3.1.2 Characteristic  25
3.1.3 General Attack  28
3.1.4 Counting Scheme  28
3.2 Linear Cryptanalysis  30
3.2.1 Basic Attack  30
3.2.2 Linear Approximation of the S-box  31
3.2.3 Linear Approximation of the Cipher  31
3.3 Conclusion  32

4 A New General Class of Unbalanced CAST Ciphers  33
4.1 Motivation  33
4.2 Description of the Algorithm  35
4.3 Design Decisions  37
4.3.1 S-box  38
4.3.2 Round Function  39
4.3.3 Rotation Operation  40
4.4 Conclusion  43

5 Differential Cryptanalysis of Unbalanced CAST Ciphers  44
5.1 Distribution of Entries in the XOR Table  45
5.2 Iterative Characteristics  49
5.2.1 Likelihood of Occurrence of Iterative Characteristics  51
5.2.2 Pseudo-Iterative Characteristics  60
5.2.3 Effectiveness of Iterative Characteristics  64
5.3 Biham's Characteristics  65
5.4 Conclusion  73

6 Linear Cryptanalysis of Unbalanced CAST Ciphers  76
6.1 Nonlinearity of S-boxes  76
6.1.1 Effect of Output Size of an S-box on Its Nonlinearity  77
6.1.2 Discussion of Assumptions Used in the Analysis  79
6.2 Linear Cryptanalysis of the Ciphers  83
6.2.1 Iterative Linear Approximation  83
6.2.2 Application of the Attack to Specific Ciphers  88
6.3 Conclusion  93

7 Information Theoretic View of Unbalanced CAST Ciphers  94
7.1 Information Leakage  94
7.2 Information Leakages of Round Functions  96
7.3 Information Leakages of the Ciphers  103
7.4 Conclusion  107

8 Conclusions  109
8.1 Summary of the Thesis  109
8.2 Suggestions for Further Research  111

References  112

List of Figures

1.1 A General Cryptographic System  1
2.1 An Example of Substitution-Permutation Networks  7
2.2 The Structure of DES-like Ciphers  8
2.3 The Round Functions of DES and CAST  19
3.1 Input and Output of an S-box  25
3.2 r-Round Characteristic Ω_r  26
3.3 2-Round Iterative Characteristic  28
4.1 i-th Round Operation of an Unbalanced CAST Cipher  36
5.1 XOR Flow in the Round Function of Unbalanced CAST Ciphers  45
6.1 Nonlinearity Distribution of an 8 x 32 S-box with 222 Selections  81
6.2 Nonlinearity Distribution of 222 Boolean Functions  82
6.3 2-Round Iterative Linear Approximation  86
7.1 Bit Structure of the Round Function  96

List of Tables

4.1 Rotation Operation for an Unbalanced CAST Cipher with M = 1, m = 8, and n = 32  42
5.1 Distribution of Entry Values for a Particular ΔX in the XOR Table for M = 4, m = 8, and n = 32  48
5.2 Distribution of Entry Values for a Particular ΔX in the XOR Table for M = 2, m = 8, and n = 16  49
5.3 Distribution of Entry Values for a Particular ΔX in the XOR Table for M = 8, m = 4, and n = 32  50
5.4 8-Round Iterative Characteristic for an Unbalanced CAST Cipher with M = 1, m = 8, and n = 32  51
5.5 Likelihood of Occurrence of Iterative Characteristics for an Unbalanced CAST Cipher with M = 4, m = 8, and n = 32  53
5.6 2-Round Iterative Characteristic for a Balanced CAST Cipher with M = 4, m = 8, and n = 32  54
5.7 4-Round Iterative Characteristic for an Unbalanced CAST Cipher with M = 2, m = 8, and n = 32  55
5.8 Likelihood of Occurrence of Iterative Characteristics for an Unbalanced CAST Cipher with M = 2, m = 8, and n = 16  56
5.9 4-Round Iterative Characteristic for an Unbalanced CAST Cipher with M = 2, m = 8, and n = 16  56
5.10 8-Round Iterative Characteristic for an Unbalanced CAST Cipher with M = 1, m = 8, and n = 16  57
5.11 Likelihood of Occurrence of Iterative Characteristics for an Unbalanced CAST Cipher with M = 8, m = 4, and n = 32  58
5.12 Summary of Likelihood of Occurrence of Iterative Characteristics  61
5.13 First 8-Round Pseudo-Iterative Characteristic for an Unbalanced CAST Cipher with M = 1, m = 8, and n = 32  62
5.14 Second 8-Round Pseudo-Iterative Characteristic for an Unbalanced CAST Cipher with M = 1, m = 8, and n = 32  63
5.15 Third 8-Round Pseudo-Iterative Characteristic for an Unbalanced CAST Cipher with M = 1, m = 8, and n = 32  63
5.16 Summary of Differential Cryptanalysis Based on the Best Iterative and the Pseudo-Iterative Characteristics  65
5.17 Biham's Type I Characteristic of a 16-Round Unbalanced CAST Cipher with M = 1, m = 8, and n = 32  67
5.18 Biham's Type II Characteristic of a 16-Round Unbalanced CAST Cipher with M = 1, m = 8, and n = 32  69
5.19 Biham's Type I Characteristic of an 8-Round Unbalanced CAST Cipher with M = 2, m = 8, and n = 32  70
5.20 Biham's Type II Characteristic of an 8-Round Unbalanced CAST Cipher with M = 2, m = 8, and n = 32  70
5.21 Biham's Type II Characteristic of a 16-Round Unbalanced CAST Cipher with M = 1, m = 8, and n = 16  71
5.22 Result of Differential Cryptanalysis Based on Biham's Type II Characteristics  74
6.1 Expected Number of Boolean Functions with N(f) < N_min  78
6.2 S-boxes with All Boolean Functions Having Hamming Weights Greater Than w and Less Than 256 - w for a Certain Probability  89
6.3 Summary of the Probabilities of Iterative Linear Approximations  91
6.4 Summary of Linear Cryptanalysis with Iterative Linear Approximations  93
7.1 Summary of Static Input-Output Bit Information Leakages of Round Functions of Unbalanced CAST Ciphers  100
7.2 Conditional Probabilities of S1 in the Round Function of DES  101
7.3 Summary of Dynamic Input-Output Bit Information Leakages of Round Functions of Unbalanced CAST Ciphers  103
7.4 Summary of Static Input-Output Bit Information Leakages for Multiple Round Unbalanced CAST Ciphers  105
7.5 Summary of Dynamic Input-Output Bit Information Leakages for Multiple Round Unbalanced CAST Ciphers  107

List of Symbols

N    Cipher block size
R    Number of rounds in a cipher
K    Master key block used in a cipher
K_i  Subkey block used in i-th round
L_i  Left half block in i-th round
R_i  Right half block in i-th round
m    Number of input bits of an S-box
n    Number of output bits of an S-box
P    Plaintext block
C    Ciphertext block
(symbol illegible in source)  Probability of an r-round characteristic
(symbol illegible in source)  Number of chosen plaintexts required in differential cryptanalysis
(symbol illegible in source)  Probability of a linear approximation
(symbol illegible in source)  Number of known plaintexts required in linear cryptanalysis
M    Number of S-boxes in a round function

Chapter 1 Introduction

In recent years, with the rapid growth of computer networks, the threat of intercepting and/or modifying information during its transfer across a public communication channel has increased. Cryptography, the science of making information unintelligible and unmodifiable by an unauthorized interceptor and still accessible or verifiable by a legitimate receiver, is becoming more and more important in the field of communications. Figure 1.1 illustrates a general cryptographic system.

Figure 1.1: A General Cryptographic System (plaintext is encrypted under a key to give ciphertext, which is decrypted under the key to recover the plaintext)

Encryption, performed by a transmitter, is a transforming process through which the original information is replaced by the secret information, while decryption is a reverse process performed by a receiver. The message to be encrypted is referred to as the plaintext and the encrypted message is referred to as the ciphertext. A set of rules by which a transmitter encrypts the plaintext and a receiver decrypts the ciphertext is called a cipher. Normally the operation of the cipher depends on a key. Cryptography is the science of designing a cipher, while cryptanalysis is the art of breaking the cipher, that is, essentially determining the key. Cryptology includes both cryptography and cryptanalysis.

Cryptography may generally be divided into two categories: public-key ciphers and private-key ciphers. In a public-key cipher, the encryption key and the decryption key are different. Since it is computationally infeasible to determine a decryption key given an encryption key, the encryption key can be made public. Therefore, any transmitter can send an encrypted message with a public encryption key, while only the receiver with a secret decryption key can decrypt the ciphertext correctly. In a private-key cipher, the encryption key and the decryption key are the same and kept secret. The key must be distributed by a secure channel before any ciphertext is transmitted. In some cases, this may be difficult to achieve. However, generally private-key ciphers have a much higher encryption/decryption rate than public-key ciphers. In this thesis, we focus our attention on private-key ciphers which encrypt and decrypt data in blocks of bits.

1.1 Motivation for the Research

The most widely used private-key block encryption algorithm, the Data Encryption Standard (DES) [24], was first approved by the National Bureau of Standards (NBS) in 1977 and was most recently reaffirmed in 1993, until December 1998. DES has been involved in controversy since its release. Its 56-bit key size has received wide criticism and its design principles are still unknown. After twenty years, DES is nearing the end of its useful life and is theoretically breakable by two powerful cryptanalytic attacks, differential and linear cryptanalysis [3, 19]. In addition, DES was explicitly designed for fast hardware implementation and has a slow software performance [21].

The National Institute of Standards and Technology (NIST) is initiating a process to develop a Federal Information Processing Standard (FIPS) for an Advanced Encryption Standard (AES) incorporating an Advanced Encryption Algorithm (AEA) as a replacement standard for DES at the 1998 review. As the first step in this process, draft minimum acceptability requirements and draft criteria to evaluate candidate algorithms have been issued:

- AES shall be publicly defined.

- AES shall be a symmetric private-key block cipher.

- AES shall be designed so that the key length may be increased as needed.

- AES shall be implementable in both hardware and software.

- AES shall be either freely available or available under terms consistent with the American National Standards Institute (ANSI) patent policy.

- Algorithms which meet the above requirements will be judged based on the following factors:

• security,

• computational efficiency,

• memory requirements,

• hardware and software suitability,

• simplicity,

• flexibility, and

• licensing requirements.

The original CAST cipher [2] is a symmetric block cipher and appears to be resistant to differential and linear cryptanalysis [18, 14]. It is easily implemented in software and has good encryption/decryption performance on 32-bit microprocessors because it uses four large 8 x 32 substitution boxes (S-boxes) and eliminates the need for permutations (P-boxes), which are awkward to implement in software. However, large S-boxes require more memory to store their lookup tables. This might be unacceptable in some implementations where the memory is extremely restricted.

We present a family of ciphers referred to as unbalanced CAST ciphers, which employ the same type of S-box and round function as the original CAST cipher and require a variable amount of memory depending on the chosen parameters.

1.2 Contributions of this Research

In this thesis, we present a new class of private-key block ciphers known as unbalanced CAST ciphers, incorporating the same structure of the S-box and round function as the original CAST cipher. The ciphers in this new class are simple, fast, and suitable for software and hardware implementations. They have a variable memory requirement and a variable number of rounds. We analyze the security of this new class of ciphers with respect to differential and linear cryptanalysis and its information theoretic properties so that the user can explicitly manipulate the trade-off between higher speed and higher security. The results of the analysis show that the unbalanced CAST ciphers with proper parameters and an appropriate number of rounds are secure and promising ciphers.

1.3 Outline of Thesis

The organization of the remainder of this thesis is as follows: Chapter 2 gives an overview of previous research that is directly relevant to our work. Chapter 3 presents a detailed discussion of differential and linear cryptanalysis techniques. Chapter 4 describes a new general class of unbalanced CAST ciphers and its design decisions. Chapter 5 examines the resistance of the unbalanced CAST ciphers with a set of typical parameters to differential cryptanalysis. Chapter 6 examines the resistance of the unbalanced CAST ciphers to linear cryptanalysis. Chapter 7 views the unbalanced CAST ciphers from the perspective of information theory. Finally, Chapter 8 provides a summary of the results of the thesis and some suggestions for further research.


Chapter 2

Review of Previous Research

In this chapter we present a review of previous research on private-key block ciphers which is directly related to our work.

2.1 Architectures

In this section, we introduce two main architectures which are widely quoted in designing private-key block ciphers. Other architectures are also detailed in the next section.

2.1.1 Substitution-Permutation Networks

In 1949, Shannon [31] proposed the two distinct concepts of confusion and diffusion in cryptography. Such concepts are embodied in a Substitution-Permutation Network (SPN), proposed by Feistel [11] and Feistel, et al. [12].

The SPN consists of a number of substitution-permutation layers (SP layers), each of which is composed of several small sub-block substitutions (S-boxes) and a large bit permutation (P-box). The S-box, which provides nonlinear input-output bit transformations, fulfills Shannon's concept of confusion. The P-box, which offers linear bit spreading operations among S-boxes, achieves Shannon's concept of diffusion. A primary key is used to generate all subkeys implemented in each SP layer according to an algorithm referred to as a key schedule. Key schedules will not be discussed in this thesis. In each SP layer, a subkey is either XORed with the input bits of that layer, which are then fed into the S-boxes, or used to select different mappings for the S-boxes in that layer. Two layers of an SPN based on 4-bit S-boxes are shown in Figure 2.1.

Figure 2.1: An Example of Substitution-Permutation Networks

2.1.2 DES-like Block Ciphers

Feistel, et al. [12] proposed another cipher structure which was adopted by the National Bureau of Standards (NBS) as the network architecture of DES [24]. Such a structure, illustrated in Figure 2.2, is known as the DES-like cipher architecture.

Unlike SPNs, a DES-like cipher divides an N-bit plaintext into two N/2-bit halves referred to as the left and right halves. For each round, the right half is input into a round function F whose output is bit-wise XORed with the left half, then the two halves are swapped. After R rounds, the two halves are concatenated to form the N-bit ciphertext.

Figure 2.2: The Structure of DES-like Ciphers

The cipher can be viewed as the following iterated operation:

$$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus F(R_{i-1}, K_i) \qquad \text{for } 1 \le i \le R-1, \text{ and} \tag{2.1}$$

$$L_R = L_{R-1} \oplus F(R_{R-1}, K_R), \qquad R_R = R_{R-1} \tag{2.2}$$

where $\oplus$ represents bit-wise XOR, $(L_0, R_0)$ is the plaintext and $(L_R, R_R)$ is the ciphertext; the halves are not swapped in the last round.

Encryption and decryption are achieved by the same algorithm. However, for decryption the subkeys are used in reverse order. A key schedule is designed to generate the subkey $K_i$ for every round from a cipher key.

The plaintext randomization is performed by the round function, which is the crucial part in DES-like ciphers. The main difference among the many DES-like ciphers is the structure of the round function.

DES is a 64-bit block cipher which has 16 rounds and a 56-bit key size. The round function first expands its 32-bit input to a 48-bit block using a bit-selection table. The expanded block is then XORed with a 48-bit subkey generated by the key schedule algorithm. The XORed 48-bit block is finally fed into eight 6 x 4 S-boxes whose output passes through a 32-bit permutation to become the 32-bit output of the round function.

2.2 Proposed Private-key Block Ciphers

Many private-key block ciphers have been proposed as potential replacements for DES. These ciphers may be DES-like or not. In this section we introduce several algorithms.

FEAL [32, 23] is exactly a DES-like encryption algorithm. It is a 64-bit block cipher with a 64-bit key which can be easily and efficiently implemented in the 8-bit microprocessor environment. The 8 x 8 S-boxes in the round function perform byte rotations and XOR additions. Unfortunately, FEAL with fewer than 8 rounds was easily broken by differential cryptanalysis [4], and it requires at least 32 rounds to be resistant to differential cryptanalysis [26].

LOKI [7] is also a 64-bit block cipher with a 64-bit key similar to DES. The round function employs 12 x 8 S-boxes based on irreducible polynomials, and re-arranges the expansion and permutation tables. The initial version of LOKI was found to be susceptible to differential cryptanalysis [5], and has since been strengthened [6].

IDEA [17] is a 64-bit block cipher with a 128-bit key. It is not exactly a DES-like cipher in nature. The concepts of confusion and diffusion are achieved by mixing three different groups of operations: bit-by-bit exclusive-OR, addition of integers (modulo 2^16), and multiplication of integers (modulo 2^16 + 1). It is claimed that the improved version of the cipher is easily implemented in software and hardware, and resistant to differential cryptanalysis.

Khafre [21] is a software-oriented encryption algorithm with 64-bit blocks whose number of rounds is not specified, but should be a multiple of eight. The round function employs an 8 x 32 S-box to perform the plaintext randomization, and a rotation schedule brings every byte of the plaintext to the input of the S-box once every eight rounds. Biham successfully applied differential cryptanalysis to break 16-round Khafre with 1536 encryptions [5].

RC5 [28] is a fast word-oriented symmetric block cipher suitable for software implementations. It is a parameterized family of encryption algorithms, which has a variable word size, a variable number of rounds, and a variable-length secret key. Different from the concept of SPNs, the novel feature of RC5 is the heavy use of data-dependent rotations, in which one word of intermediate data is cyclically rotated by an amount determined by the low-order bits of another word of intermediate data. It appears to frustrate differential cryptanalysis and linear cryptanalysis [15].

2.3 Cryptographic Properties

In this section, we present several cryptographic properties which are important for designing and analyzing the S-box and the whole cipher structure.

2.3.1 Nonlinearity

If some of the plaintext bits, ciphertext bits, and key bits have linear relations, the cipher could be easily broken by solving a set of linear equations with a small amount of known plaintext-ciphertext pairs. Since S-boxes are the only nonlinear components in SPNs and DES-like ciphers, the design of highly nonlinear S-boxes becomes crucial to the development of highly secure ciphers.

An m-bit affine boolean function is defined to be a function of the form

$$f(X) = a_0 \oplus a_1 x_1 \oplus a_2 x_2 \oplus \cdots \oplus a_m x_m \tag{2.3}$$

where $X = [x_1, \ldots, x_m]$ represents the m-bit binary input and $a_i \in \{0, 1\}$, $0 \le i \le m$.

The Hamming distance between two m-bit boolean functions, f(X) and g(X), can be defined to be

$$d(f, g) = \#\{X \in \{0,1\}^m \mid f(X) \oplus g(X) = 1\}. \tag{2.4}$$

Then the nonlinearity of an m-bit boolean function f is defined as

$$N(f) = \min_{g \in A} d(f, g) \tag{2.5}$$

where A is the set of all m-bit affine boolean functions. Since an m x n S-box has n output bits, each of which is an m-bit boolean function, the nonlinearity of the S-box S is defined as the minimum nonlinearity over all non-zero linear combinations of the output bit boolean functions:

$$N(S) = \min_{c_i \in \{0,1\},\ (c_1, \ldots, c_n) \neq 0} N\Big(\bigoplus_{i=1}^{n} c_i f_i\Big) \tag{2.6}$$

where $f_i$ is the m-bit boolean function of the i-th output bit of the S-box.

The maximum nonlinearity of an m-bit boolean function for even values of m is given by [20]

(2.7)

Only a special class of functions referred to as bent functions [29] can achieve maximum nonlinearity. Nyberg [25] proves that an m x n S-box can be perfectly nonlinear (i.e. $N(S) = N_{max}$) if and only if m ≥ 2n.
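The following is an added worked example, not part of the thesis, that computes Eqs. (2.4) to (2.6) for small functions and S-boxes. The test S-box is the published 4 x 4 S-box of the PRESENT block cipher, used here only because it is small enough to exhaust completely; the bent function $x_1 x_2 \oplus x_3 x_4$ is the standard m = 4 example. Neither is CAST material. N(f) is computed twice, once by brute force over all $2^{m+1}$ affine functions exactly as Eq. (2.5) reads, and once via the Walsh spectrum, which is how an 8-input function would be handled in practice.

```python
# Added example (not from the thesis): nonlinearity of Boolean functions and
# S-boxes per Eqs. (2.4)-(2.6). PRESENT's 4 x 4 S-box is only a small test case.
from itertools import product

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """XOR of all bits of an integer (used for the dot product a.x)."""
    return bin(v).count("1") & 1


def truth_table(func, m: int) -> list:
    """Truth table of an m-bit Boolean function; index x encodes X = [x_1..x_m]."""
    return [func(x) & 1 for x in range(1 << m)]


def affine_functions(m: int):
    """All 2^(m+1) m-bit affine functions a_0 xor a.x of Eq. (2.3), as truth tables."""
    for a, a0 in product(range(1 << m), (0, 1)):
        yield [parity(a & x) ^ a0 for x in range(1 << m)]


def hamming_distance(f: list, g: list) -> int:
    """d(f, g) of Eq. (2.4): number of inputs on which f and g differ."""
    return sum(fx ^ gx for fx, gx in zip(f, g))


def nonlinearity_bruteforce(f: list) -> int:
    """N(f) of Eq. (2.5) by direct minimisation over every affine function."""
    m = len(f).bit_length() - 1
    return min(hamming_distance(f, g) for g in affine_functions(m))


def nonlinearity(f: list) -> int:
    """N(f) via the Walsh transform W(a) = sum_x (-1)^(f(x) xor a.x):
    d(f, a.x) = (2^m - W(a))/2 and d(f, a.x xor 1) = (2^m + W(a))/2,
    so N(f) = (2^m - max_a |W(a)|) / 2."""
    size = len(f)
    max_abs = 0
    for a in range(size):
        w = sum(1 - 2 * (f[x] ^ parity(a & x)) for x in range(size))
        max_abs = max(max_abs, abs(w))
    return (size - max_abs) // 2


def sbox_nonlinearity(sbox: list, n: int) -> int:
    """N(S) of Eq. (2.6): minimum N over every non-zero XOR combination c of the
    n output-bit functions f_i; the bits of c in 1..2^n-1 are the c_i."""
    return min(nonlinearity([parity(sbox[x] & c) for x in range(len(sbox))])
               for c in range(1, 1 << n))


def bent_4bit(x: int) -> int:
    """x_1 x_2 xor x_3 x_4: a bent function in m = 4 variables."""
    x1, x2, x3, x4 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return (x1 & x2) ^ (x3 & x4)


if __name__ == "__main__":
    print("N(bent 4-bit function) =", nonlinearity(truth_table(bent_4bit, 4)))
    print("N(PRESENT S-box)       =", sbox_nonlinearity(PRESENT_SBOX, 4))
```

For m = 4 the bent function reaches nonlinearity 6, the maximum for four variables, while every component of a bijective 4 x 4 S-box is balanced and therefore cannot be bent; PRESENT's S-box reaches 4. The same `sbox_nonlinearity` call applied to an 8 x 32 table would loop over $2^{32} - 1$ combinations, which is why Chapter 6 argues about the distribution of nonlinearity rather than enumerating it.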

2.3.2 Information Theory

The basic concepts of information theory, such as entropy, mutual information, equivocation, and redundancy, were first introduced by Shannon [31] to analyze the security of cryptosystems. Let P be the plaintext and C be the ciphertext. If the conditional entropy H(P|C) is equal to the entropy H(P), then the cipher has perfect secrecy. Unfortunately, perfect secrecy is generally impractical to achieve.

Forré [13] first presented a set of cryptographic properties of S-boxes based on information theory. Dawson and Tavares [10] extended Forré's ideas to define an expanded set of design criteria for cryptographically strong S-boxes. Sivabalan, et al. [33] developed Dawson and Tavares's information leakage from a single bit level to a multiple bit level.

Let two random variables X and Y have possible values $X \in \{x_1, \ldots, x_m\}$ and $Y \in \{y_1, \ldots, y_n\}$ respectively. The uncertainty or entropy of Y is defined as

$$H(Y) = -\sum_{j=1}^{n} p(y_j) \log p(y_j) \tag{2.8}$$

where $p(y_j)$ is the probability of $Y = y_j$. The conditional entropy of Y given X is defined as

$$H(Y \mid X) = -\sum_{i=1}^{m} \sum_{j=1}^{n} p(x_i, y_j) \log p(y_j \mid x_i) \tag{2.9}$$

where $p(x_i, y_j)$ is the joint probability of $X = x_i$ and $Y = y_j$, and $p(y_j \mid x_i)$ is the conditional probability of $Y = y_j$ given $X = x_i$. The base of the logarithm is arbitrary and amounts to a constant multiplicative factor.

The static input-output information leakage of an S-box is the mutual information $I(Y, X)$, and is defined as

$$I(Y, X) = H(Y) - H(Y \mid X) \tag{2.10}$$

where X is any subset of the input bits, and Y is any subset of the output bits of an S-box. The dynamic input-output information leakage is the mutual information $I(\Delta Y, \Delta X)$, and is defined as

$$I(\Delta Y, \Delta X) = H(\Delta Y) - H(\Delta Y \mid \Delta X) \tag{2.11}$$

where $\Delta X$ is the XOR change in a subset of input bits, and $\Delta Y$ is the XOR change in a subset of output bits of an S-box.

An ideal S-box should have both static and dynamic input-output information leakage equal to zero. However, due to the deterministic nature of an S-box, whose input-output mappings are known, an ideal S-box cannot be obtained. A cryptographically strong S-box must have as small an information leakage as possible. This is often an objective in designing a private-key block cipher.

The static and dynamic information leakages reflect the vulnerability of an S-box to correlation attacks, differential cryptanalysis and linear cryptanalysis. In [37], Zhang, Tavares and Campbell suggested that the information leakage can be used as a fundamental, comprehensive measure of the strength of an S-box and an encryption algorithm, instead of the other cryptographic criteria which generally reflect only one aspect of vulnerability each, such as nonlinearity, higher-order Strict Avalanche Criterion (SAC), and correlation immunity.
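As an added worked example, not part of the thesis, the code below evaluates Eqs. (2.8) to (2.11) for arbitrary subsets of the input and output bits of an S-box, taking the input to be uniformly distributed and the logarithm to base 2 so that leakage is in bits. The reading of "XOR change in a subset of bits" used here (project the full input and output differences onto the chosen bit positions) is one straightforward interpretation, not necessarily the exact convention of Chapter 7. The 4 x 4 PRESENT S-box is again only a small test case; the identity mapping is included because its leakages are known exactly (a 4-bit identity leaks all 4 bits, statically and dynamically).

```python
# Added example (not from the thesis): static and dynamic input-output bit
# information leakage of an S-box, Eqs. (2.8)-(2.11), in bits (log base 2).
import math
from collections import Counter

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def project(value: int, bits: tuple) -> int:
    """Pack the selected bit positions of `value` (bit 0 = LSB) into one integer."""
    return sum(((value >> b) & 1) << i for i, b in enumerate(bits))


def entropy(counts: Counter) -> float:
    """H(Y) of Eq. (2.8) from occurrence counts of each value of Y."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def conditional_entropy(pairs: list) -> float:
    """H(Y|X) of Eq. (2.9) from equally likely (x, y) samples:
    p(x, y) = joint count / total, p(y|x) = joint count / count of x."""
    total = len(pairs)
    joint = Counter(pairs)
    marginal_x = Counter(x for x, _ in pairs)
    return -sum(c / total * math.log2(c / marginal_x[x])
                for (x, _), c in joint.items())


def mutual_information(pairs: list) -> float:
    """I(Y, X) = H(Y) - H(Y|X), Eq. (2.10)."""
    return entropy(Counter(y for _, y in pairs)) - conditional_entropy(pairs)


def static_leakage(sbox: list, m: int, in_bits: tuple, out_bits: tuple) -> float:
    """Static leakage: X = chosen input bits, Y = chosen output bits, x uniform."""
    pairs = [(project(x, in_bits), project(sbox[x], out_bits)) for x in range(1 << m)]
    return mutual_information(pairs)


def dynamic_leakage(sbox: list, m: int, in_bits: tuple, out_bits: tuple) -> float:
    """Dynamic leakage, Eq. (2.11): dX = XOR change on the chosen input bits,
    dY = XOR change on the chosen output bits, over every (x, dx) pair."""
    pairs = [(project(dx, in_bits), project(sbox[x] ^ sbox[x ^ dx], out_bits))
             for x in range(1 << m) for dx in range(1 << m)]
    return mutual_information(pairs)


def max_single_bit_leakage(sbox: list, m: int, n: int) -> tuple:
    """Largest static and dynamic leakage over all (input bit, output bit) pairs;
    the per-bit figure Chapter 7 tabulates for round functions."""
    static = max(static_leakage(sbox, m, (i,), (j,)) for i in range(m) for j in range(n))
    dynamic = max(dynamic_leakage(sbox, m, (i,), (j,)) for i in range(m) for j in range(n))
    return static, dynamic


if __name__ == "__main__":
    print("PRESENT max single-bit (static, dynamic):", max_single_bit_leakage(PRESENT_SBOX, 4, 4))
    print("identity, all bits (static, dynamic):",
          static_leakage(list(range(16)), 4, (0, 1, 2, 3), (0, 1, 2, 3)),
          dynamic_leakage(list(range(16)), 4, (0, 1, 2, 3), (0, 1, 2, 3)))
```

Taking all input bits and all output bits of any bijective S-box gives a static leakage of exactly m bits, which is why the interesting figures are the ones for small subsets: a single output bit can leak at most 1 bit, and a strong S-box keeps every such pairwise value close to 0.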

2.3.3 Other Cryptographic Properties

Other cryptographic properties are avalanche [11, 12], completeness [16] and the SAC [34]. For a cipher, the avalanche criterion is strictly satisfied if, on average, half of the ciphertext bits change when one plaintext bit changes, and the completeness criterion is satisfied if all output bits depend on all input bits. In [8], Brown and Seberry found that DES is complete after four to five rounds with high probability.

Webster and Tavares combined the avalanche and completeness criteria into the SAC. A cipher satisfies the SAC if a one-bit plaintext change causes each ciphertext bit to change with a probability of 1/2. DES has been found to satisfy the SAC after five or six rounds.

2.4 Cryptanalysis

The objective of cryptanalysis is to determine the secret master key used in a cipher. The general classes of cryptanalysis are ciphertext only, known plaintext, and chosen plaintext. A ciphertext only attack has knowledge of ciphertexts only. A known plaintext attack uses knowledge of both plaintexts and the corresponding ciphertexts. A chosen plaintext attack assumes that a cryptanalyst can choose specific sets of plaintexts and obtain the corresponding sets of ciphertexts.

In this section, we briefly introduce the three most powerful and widely used cryptanalysis techniques for private-key block ciphers. Differential and linear cryptanalysis will be described in more detail in the next chapter.

2.4.1 Exhaustive Key Search

The method of exhaustive key search is a known plaintext attack. The cryptanalyst first acquires a known plaintext-ciphertext pair encrypted with an unknown master key and encrypts the known plaintext with all possible keys. When a key generates the correct ciphertext, with high probability it is the correct key. If necessary, several known plaintext-ciphertext pairs can be used to verify its correctness.

Usually ciphers are designed to have a large enough key size to make exhaustive search infeasible. Unfortunately, the 56-bit key size of DES is so small that it has received extensive criticism. In general, if the workload of a cryptanalytic attack is less than the workload of an exhaustive search of the key space, the cipher is theoretically broken.

2.4.2 Differential Cryptanalysis

In [3], Biham and Shamir developed differential cryptanalysis, one of the most powerful cryptanalytic methods on iterated product ciphers such as SPNs and DES-like ciphers. They have published a series of papers attacking DES, FEAL, LOKI, and other proposed ciphers by differential cryptanalysis [3, 4, 5], which have forced the re-design of several proposed ciphers. Most impressively, they have demonstrated a successful cryptanalysis of 16-round DES with 2^47 chosen plaintexts [3].

Differential cryptanalysis is a chosen plaintext attack which compares the bit-wise XOR value of two plaintexts to the XOR value of the corresponding two ciphertexts.

In an S-box, knowledge of the input XOR of a pair cannot guarantee knowledge of its output XOR. However, every input XOR of an S-box suggests a probabilistic distribution of the possible output XORs. Given a particular input XOR, it is possible for some output XORs to have a relatively high probability. It is such high probabilities that can be utilized to exploit multiple-round XOR structures, called differential characteristics, with a high probability and derive a portion of the subkey bits applied in an R-round cipher.

In order to make the round function immune to differential cryptanalysis, several methods have been proposed. One is to reduce high probabilities in the XOR distributions of S-boxes, which can be achieved by extending the number of output bits of the S-boxes to a reasonable value [2]. Another approach is to replace the XOR operation in the round function which involves the subkey by a modular multiplication to hide the input of the S-boxes [1].
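The distribution of output XORs for each input XOR is exactly what the XOR table of Section 3.1.1 records, so as an added worked example (not part of the thesis) the code below builds that table for a small S-box, reads off the highest-probability differentials and the largest entry, and combines per-round probabilities into a characteristic probability under the usual independence assumption. The 4 x 4 PRESENT S-box is used only because its table is tiny; for an 8 x 32 S-box the same construction has 2^8 rows and 2^32 columns, which is the "flat distribution of output XORs" that Section 2.5.1 relies on.

```python
# Added example (not from the thesis): XOR table of an S-box and the quantities
# differential cryptanalysis extracts from it. PRESENT's S-box is a small test case.
import math

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def xor_table(sbox: list) -> list:
    """table[dx][dy] = number of inputs x with S(x) xor S(x xor dx) = dy."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for x in range(size):
        for dx in range(size):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_probability(table: list, dx: int, dy: int) -> float:
    """Probability that input XOR dx yields output XOR dy, for uniformly random x."""
    return table[dx][dy] / len(table)


def differential_uniformity(table: list) -> int:
    """Largest entry for a non-zero input XOR: the smaller, the flatter the table."""
    size = len(table)
    return max(table[dx][dy] for dx in range(1, size) for dy in range(size))


def best_differentials(table: list, top: int = 3) -> list:
    """The `top` (dx, dy, count) entries with dx != 0 and the highest counts,
    i.e. the one-round differentials an attacker would chain into a characteristic."""
    size = len(table)
    entries = sorted(((table[dx][dy], dx, dy)
                      for dx in range(1, size) for dy in range(size)), reverse=True)
    return [(dx, dy, cnt) for cnt, dx, dy in entries[:top]]


def characteristic_probability(round_probs: list) -> float:
    """Probability of an r-round characteristic, assuming the per-round
    differentials are independent so that the probabilities multiply."""
    return math.prod(round_probs)


def chosen_plaintexts_required(char_prob: float, c: int = 1) -> int:
    """Rule-of-thumb number of chosen plaintexts, c / p, for a characteristic of
    probability p; c is a small constant chosen by the attacker (default 1)."""
    return math.ceil(c / char_prob)


if __name__ == "__main__":
    T = xor_table(PRESENT_SBOX)
    print("max entry for dx != 0:", differential_uniformity(T))
    print("best one-round differentials (dx, dy, count):", best_differentials(T))
    dx, dy, cnt = best_differentials(T, 1)[0]
    p = differential_probability(T, dx, dy)
    print("3-round characteristic built from it: p =", characteristic_probability([p] * 3),
          "-> about", chosen_plaintexts_required(characteristic_probability([p] * 3)),
          "chosen plaintexts")
```

Every row of the table sums to the number of inputs, the dx = 0 row is concentrated entirely on dy = 0, and every entry is even because x and x xor dx always contribute together; those three checks are a quick sanity test for any XOR-table code before it is pointed at a real 8 x 32 table.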

2.4.3 Linear Cryptanalysis

In [19], Matsui introduced a known plaintext attack against DES: linear cryptanalysis. It studies statistical linear relations between bits of plaintexts, ciphertexts and subkeys. By this method, the full 16-round DES cipher is broken with 2^47 known plaintext-ciphertext pairs.

In fact, there are many statistical linear relations, referred to as linear approximations, between the input and output bits of an S-box. Since all operations in DES except the S-boxes are linear, these linear relations can be utilized to construct a linear approximation of the entire algorithm. Matsui presented two algorithms to derive the subkey bits from a linear approximation, based on hypothesis testing. Algorithm 1 can retrieve an equivalent subkey bit expressed as the XOR sum of subkey bits. Algorithm 2 can more efficiently find a number of the subkey bits at one time.

It is obvious that choosing S-boxes with high nonlinearity is an effective way to make SPNs resistant to linear cryptanalysis. Introducing nonlinear operations in round functions is another way to make ciphers immune to linear cryptanalysis, such as data-dependent rotations [28] and modular additions and subtractions [30].

2.5 Design of CAST components

Adams and Tavares [2] proposed a new DES-like cryptosystem called the CAST encryption algorithm, which seems promising in its resistance to differential and linear cryptanalysis, and has high encryption/decryption performance.

In this section, we introduce the CAST design procedure, focusing mainly on the structure of the S-box and the round function, which are significantly different from DES.

2.5.1 Substitution Box

Aswementioned.the S-boxin an SP>i or DES-likecipherisveryimportantto security sinceit isthe onlysource of nonlinearity.The CAST design proceduremakes useof S-boxes whichhave fewer inputbits than output bits,such as 8 x 32Scboxes.Some research has indicatedthat this class of S-boxesexhibits good confusion,complete diffusion.good avalanche, highest-orderSAC,a fiat distributionof outputXORs, and high nonlinearity[221.These importantcryptographic properties directlyinfluence the security and efficiency of the entirealgorithm.Altboughconfusion,diffusion,and avalancheare somewhat abstract concepts and cannotbe provenformally.the CAST cipherconstruct ed bysuch S-boxes shows goodsta tistical propertiesafter2-3 rounds while DES needs 5-6 roundsto exhibitsimilar properties .

2.5.2 Round Function

Round functions of DES and CAST with a 64-bit block size are shown in Figure 2.3, where E and P are the expansion and permutation functions of DES. In the round function of CAST, 32-bit data $R_{i-1}$ is input to the round function and XORed with a subkey $K_i$. The 32-bit result is split into four 8-bit pieces each of which is input to a different 8 x 32 S-box and the four 32-bit S-box outputs are XORed together to form the 32-bit modified data, $F(R_{i-1}, K_i)$. Although each S-box causes data expansion, the structure of the round function guarantees that there is no data expansion by the round function operation.

Figure 2.3: The Round Functions of DES and CAST

We have noticed that CAST eliminates the permutation layer in its round function because of using four large 8 x 32 S-boxes. In the round function of DES, the permutation serves to spread output bit changes from a single small S-box over the block half so that these changes are input to several small S-boxes in the next round.

In CAST, each S-box directly affects the entire block half so that any output bit change is guaranteed to affect all S-boxes in the next round without a permutation layer. This modification greatly benefits the software implementation and improves the encryption/decryption performance because the permutation is inefficiently implemented in software. CAST has been shown to be two to three times faster than a typical implementation of DES [1].

2.6 Cryptanalysis of CAST

In this section, we describe three different attacks which have been applied to the CAST encryption algorithm: differential and linear cryptanalysis, and the attack based on non-surjective round functions.

2.6.1 Differential Cryptanalysis of CAST

Lee et al. [18] showed that CAST, using randomly generated S-boxes, is resistant to differential cryptanalysis. In their paper, they developed a method to predict the entry distribution of the XOR table of the round function of CAST. Although each S-box has a highest differential probability of $2^{-7}$, a simple screening process can be applied to prevent the occurrence of a 2-round iterative characteristic with a probability of $2^{-7}$. They claimed that the best 2-round iterative characteristic has a probability of $2^{-14}$ for CAST, while the corresponding probability in DES is 1/234.

In general, an $(R-2)$-round characteristic can be used to attack an $R$-round cipher. Using a concatenation of the four best 2-round iterative characteristics, a 10-round CAST has a characteristic with a probability of $2^{-56}$, which is better than one for 16-round DES.

2.6.2 Linear Cryptanalysis of CAST

Heys and Tavares [14] investigated the security of CAST with respect to linear cryptanalysis. Assuming that all four 8 x 32 S-boxes have nonlinearities greater than or equal to 64, the analysis shows that at least $2^{50}$ known plaintext-ciphertext pairs are required for linear cryptanalysis to determine only one equivalent key bit of a 12-round CAST, compared to $2^{47}$ known plaintext-ciphertext pairs required to determine all key bits of 16-round DES. Furthermore, it is a very difficult task for a cryptanalyst to find a linear approximation close to the lower bound.

The result also suggests that at least 99.95% of all randomly generated 8 x 32 S-boxes have nonlinearities of at least 64. In recent experiments, all randomly generated 8 x 32 S-boxes have been found to have nonlinearities greater than 72 [36].

2.6.3 Attack Based on Non-surjective Round Functions

Rijmen and Preneel [27] suggested a statistical attack on DES-like ciphers with non-surjective or non-uniform round functions. For a DES-like cipher with R rounds, the following equation holds:

By rearranging the terms in Equation 2.12, then

$$\beta_{R-2}(L_0, R_0, K) = \sum_{i=1}^{R/2-1} F_{2i}(K_{2i} \oplus R_{2i-1}) = R_0 \oplus L_R \oplus F_R(K_R \oplus R_R) \qquad (2.13)$$

If the number of rounds R is small, non-surjective round functions $F_{2i}$ will result in a non-surjective $\beta_{R-2}$. A basic attack can be carried on by calculating the right hand side of Equation 2.13 using the known plaintext $R_0$ and ciphertext $L_R$ for all values $K_R$. Wrong key candidates will eventually produce a value which is outside the range of $\beta_{R-2}$. Even if the number of rounds R becomes larger and $\beta_{R-2}$ becomes surjective, $\beta_{R-2}$ will not be uniformly distributed. A statistical attack can still be applied to derive the most probable keys.

The round function of CAST is constructed by four 8 x 32 S-boxes. The output is obtained by XORing the outputs of four S-boxes each of which only has 256 outputs out of $2^{32}$ all possible values. If the four S-boxes are selected randomly, the expected number of possible outputs is $(1 - e^{-1}) \times 2^{32}$, where $e$ denotes the natural logarithm base, about 63% of all possible values.

The basic attack can be applied to 6-round CAST, requiring a work factor of $1.5 \times 2^{41}$ operations and 82 known plaintext-ciphertext pairs. However, this attack is not applicable to CAST with more than six rounds since the XOR sum of two CAST round functions is surjective. The statistical attack has not been implemented due to the requirement of a table of size $2^{32}$.
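The image-size argument above (a randomly built round function reaches about $1 - e^{-1}$ of its range, while the XOR of two round functions is surjective) can be checked directly at a reduced scale. The following Python is an added example, not code from the thesis: it constructs its S-boxes from a seeded PRNG, uses 8 x 16 S-boxes for the single-round-function measurement and a 5 x 10 sumset for the two-round-function case, since a 32-bit range is too large to enumerate here; the function names are this example's own.

```python
"""Image size of a CAST-style round function (Section 2.6.3).

Added illustration, not code from the thesis. S-boxes are constructed
here from a seeded PRNG; M, m and n follow the thesis's parameters.
"""
import math
import random


def make_sboxes(M, m, n, seed):
    """M randomly generated m x n S-boxes, each a table of 2**m n-bit words."""
    rng = random.Random(seed)
    return [[rng.getrandbits(n) for _ in range(1 << m)] for _ in range(M)]


def round_function(x, sboxes, m):
    """F: split the M*m-bit input into m-bit pieces, XOR the S-box outputs.
    The subkey XOR only permutes the inputs, so it is omitted here: it does
    not change the set of values F can produce."""
    M = len(sboxes)
    mask = (1 << m) - 1
    out = 0
    for j, sbox in enumerate(sboxes):
        out ^= sbox[(x >> (m * (M - 1 - j))) & mask]
    return out


def image(sboxes, m):
    """The set of all values F takes over its 2**(M*m) inputs."""
    l = len(sboxes) * m
    return {round_function(x, sboxes, m) for x in range(1 << l)}


def image_fraction(M, m, n, seed=7):
    """|image(F)| / 2**n: the fraction of the n-bit range F can actually hit."""
    return len(image(make_sboxes(M, m, n, seed), m)) / (1 << n)


def two_round_xor_fraction(M, m, n, seed=7):
    """Fraction of the range covered by F1(x) XOR F2(y) for two independent
    round functions: the quantity the text says is surjective for CAST."""
    img1 = image(make_sboxes(M, m, n, seed), m)
    img2 = image(make_sboxes(M, m, n, seed + 1), m)
    return len({a ^ b for a in img1 for b in img2}) / (1 << n)


def expected_fraction(M, m, n):
    """Balls-into-bins estimate: 2**(M*m) random outputs into 2**n bins,
    which gives 1 - e**-1 when M*m == n (four 8 x 32 S-boxes into 32 bits)."""
    return 1.0 - math.exp(-(2 ** (M * m)) / (2 ** n))


if __name__ == "__main__":
    # One 8 x 16 S-box: 256 inputs cannot cover a 16-bit range.
    print("M=1, 8x16:", image_fraction(1, 8, 16), "expected", expected_fraction(1, 8, 16))
    # Two 8 x 16 S-boxes: 2**16 inputs into 2**16 values, about 1 - 1/e.
    print("M=2, 8x16:", image_fraction(2, 8, 16), "expected", expected_fraction(2, 8, 16))
    # Scaled-down check that the XOR of two round functions fills the range.
    print("XOR of two F, M=2, 5x10:", two_round_xor_fraction(2, 5, 10))
```

With M = 2 and 8 x 16 S-boxes the round function has $2^{16}$ inputs into a $2^{16}$-value range, the same ratio as four 8 x 32 S-boxes into 32 bits, so the measured fraction sits near 63%; with a single 8 x 16 S-box the round function can reach at most 256 of 65536 values, which is why a one-S-box round function is far from surjective and why the two-round-function sumset is the quantity worth measuring.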

2.7 Conclusion

We have introduced two main structures of encryption algorithms used in private-key block ciphers, and several proposed block ciphers. In addition, we have presented several cryptographic properties that are crucial to design and analyze S-boxes and ciphers. Furthermore, we have briefly introduced the two most powerful cryptanalysis methods of private-key block ciphers. Finally, we have outlined the CAST encryption algorithm design procedure and discussed the security of the CAST with respect to three proposed attacks.


Chapter 3

Differential and Linear Cryptanalysis

In this chapter, we describe differential and linear cryptanalysis in more detail. Both attacks have successfully been applied to a variety of SPNs or DES-like ciphers and have forced those ciphers to be redesigned to enhance their security. Differential and linear cryptanalysis appear to be fairly general-purpose attacks and help to qualify the design parameters of private-key block ciphers.

3.1 Differential Cryptanalysis

Differential cryptanalysis [3] is a chosen plaintext attack which utilizes highly probable occurrences of output XOR differences of each round function, given particular input XOR differences. In this section we first introduce definitions of XOR tables and characteristics, and then describe the general attack.

3.1.1 XOR Table

A table which shows the distribution of the input XORs and output XORs of all the possible pairs of an S-box is called the XOR table. In the XOR table, each row corresponds to a particular input XOR value, each column corresponds to a particular output XOR value. For a given m x n S-box constructed from a mapping $S: \{0,1\}^m \to \{0,1\}^n$, letting $\Delta X \in \{0,1\}^m$ and $\Delta Y \in \{0,1\}^n$, the XOR table entry of the S-box corresponding to $(\Delta X, \Delta Y)$ is defined as

$$XOR(\Delta X, \Delta Y) = \#\{X \in \{0,1\}^m \mid S(X) \oplus S(X \oplus \Delta X) = \Delta Y\} \qquad (3.1)$$

where $\#$ denotes the cardinality of the set and $\oplus$ represents bit-wise XOR. The XOR table has the following features:

- A zero input XOR always generates a zero output XOR, since the same input value will map to the same output value.

- Entries in an XOR table are always multiples of 2, because two input pairs $(X, X \oplus \Delta X)$ and $(X \oplus \Delta X, X)$ will yield the same output difference $\Delta Y$.

- Not all entries are possible. For example, about 20% of all entries are impossible in a 6 x 4 S-box of DES.

Consider Figure 3.1. Let $X$ and $X^*$ be two input data blocks, $Y$ and $Y^*$ be two corresponding output data blocks, and $K$ be a subkey. Then we have $I = X \oplus K$ and $I^* = X^* \oplus K$. It is obvious that

$$\Delta I = \Delta X \qquad (3.2)$$

where $\Delta X = X \oplus X^*$ and $\Delta I = I \oplus I^*$. Equation 3.2 means that the actual input XOR to the S-box, $\Delta I$, does not depend on the subkey. However, the output XOR $\Delta Y = Y \oplus Y^*$ does depend on the subkey because both $Y$ and $Y^*$ are related to the subkey in a nonlinear fashion.

Figure 3.1: Input and Output of an S-box

If a triple $(X, X^*, \Delta Y)$ is known, the XOR table will suggest that there are $XOR(\Delta X, \Delta Y)$ possible input values to the S-box, which can derive a set of possible subkeys by $K = X \oplus I$. Given many such triples, the correct subkey is suggested by all triples.
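The XOR table and the subkey suggestion described in this section, as an added Python example that is not code from the thesis. It builds the table of Equation 3.1 for a randomly generated 8 x 8 S-box (constructed with a seeded PRNG), checks the three features listed above, and then intersects the subkey sets suggested by several triples $(X, X^*, \Delta Y)$. The subkey 0x5C, the chosen inputs and the function names are this example's own constructions.

```python
"""XOR table of an S-box and the subkey suggestion of Section 3.1.1.

Added illustration, not code from the thesis. The 8 x 8 S-box, the subkey
0x5C and the observed triples are constructed here with a seeded PRNG.
"""
import random


def random_sbox(m, n, seed=3):
    """A randomly generated m x n S-box (not required to be bijective)."""
    rng = random.Random(seed)
    return [rng.getrandbits(n) for _ in range(1 << m)]


def xor_table(sbox, m, n):
    """Equation 3.1: XOR(dX, dY) = #{X : S(X) xor S(X xor dX) = dY}."""
    table = [[0] * (1 << n) for _ in range(1 << m)]
    for dx in range(1 << m):
        for x in range(1 << m):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def table_features(table, m, n):
    """The three properties listed for the XOR table, plus the best
    non-trivial differential probability (largest entry with dX != 0)."""
    zero_row = table[0][0] == (1 << m) and all(v == 0 for v in table[0][1:])
    all_even = all(v % 2 == 0 for row in table for v in row)
    impossible = sum(v == 0 for row in table for v in row) / ((1 << m) * (1 << n))
    max_prob = max(v for row in table[1:] for v in row) / (1 << m)
    return zero_row, all_even, impossible, max_prob


def observe(sbox, key, x, dx):
    """What is visible for one chosen pair (X, X*) fed through I = X xor K:
    the triple (X, X*, dY) of Section 3.1.1. The key is hidden inside."""
    x_star = x ^ dx
    dy = sbox[x ^ key] ^ sbox[x_star ^ key]
    return x, x_star, dy


def candidate_keys(sbox, m, x, x_star, dy):
    """Every input I with S(I) xor S(I xor dX) = dY suggests K = X xor I.
    The set has XOR(dX, dY) members and always contains K and K xor dX."""
    dx = x ^ x_star
    return {x ^ i for i in range(1 << m) if sbox[i] ^ sbox[i ^ dx] == dy}


def recover_subkey(sbox, m, triples):
    """Intersect the suggestions of all triples: the true subkey is in every one."""
    keys = set(range(1 << m))
    for x, x_star, dy in triples:
        keys &= candidate_keys(sbox, m, x, x_star, dy)
    return keys


M_BITS, N_BITS = 8, 8
SBOX = random_sbox(M_BITS, N_BITS)
TRUE_KEY = 0x5C  # constructed secret for the demonstration
# Distinct input differences, so that K xor dX is not a common spurious survivor.
TRIPLES = [observe(SBOX, TRUE_KEY, x, dx)
           for x, dx in [(0x3A, 0x01), (0x91, 0x6E), (0xC7, 0xB3), (0x15, 0xD8)]]

if __name__ == "__main__":
    table = xor_table(SBOX, M_BITS, N_BITS)
    print("zero row, all even, impossible fraction, max prob:",
          table_features(table, M_BITS, N_BITS))
    print("subkeys suggested by all triples:", recover_subkey(SBOX, M_BITS, TRIPLES))
```

The triples use different input XORs on purpose: the pair $(X \oplus \Delta X, X)$ produces the same output difference as $(X, X \oplus \Delta X)$, which is exactly why the table entries are even, and it means each single triple also suggests $K \oplus \Delta X$; only varying $\Delta X$ lets the intersection shrink to the true subkey.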

3.1.2 Characteristic

Let the input and output XOR differences of the i-th round function be $\Delta X_i$ and $\Delta Y_i$, respectively. Then the probability with which $\Delta X_i$ may cause $\Delta Y_i$ is denoted by $p_i$. An r-round characteristic $\Omega_r$ is defined as a sequence of XOR difference pairs $\Omega_r = \{(\Delta X_1, \Delta Y_1), \dots, (\Delta X_r, \Delta Y_r)\}$. From Figure 3.2, all XOR pairs of the characteristic satisfy the following requirements:

(3.3)

where the input and output XORs of the characteristic are denoted by $(\Delta L_0, \Delta R_0)$ and $(\Delta L_r, \Delta R_r)$. The probability of the r-round characteristic $P_{\Omega_r}$ is given by

$$P_{\Omega_r} = \prod_{i=1}^{r} p_i \qquad (3.4)$$

assuming independence between rounds.

Figure 3.2: r-Round Characteristic

A pair of plaintexts with XOR $\Delta P = (\Delta L_0, \Delta R_0)$ is defined as a right pair with respect to a characteristic $\Omega_r$ if all XOR pairs $(\Delta X_i, \Delta Y_i)$ satisfy Equation 3.3 for $1 \le i \le r$. Otherwise, the pair is defined as a wrong pair. The right pair produces $(\Delta L_r, \Delta R_r)$ from $(\Delta L_0, \Delta R_0)$ with the probability $P_{\Omega_r}$. It is obvious that, for the given input XOR $(\Delta L_0, \Delta R_0)$, a right pair is more likely to occur with a smaller number of chosen plaintexts if $P_{\Omega_r}$ is high. The objective of differential cryptanalysis is to find a characteristic with a relatively high probability.

The most useful characteristic is one called an iterative characteristic which can be concatenated with itself. The advantage of iterative characteristics is that we can build an r-round characteristic for any large r with a fixed reduction rate of the probability for each additional round, while in non-iterative characteristics the reduction rate of the probability usually increases due to the avalanche effect. The 2-round iterative characteristic is illustrated in Figure 3.3, based on a non-zero XOR input to the round function which may cause a zero XOR output with a relatively high probability.

3.1.3 General Attack

In general, differential cryptanalysis attempts to find the subkey bits used in the last round of DES-like ciphers. This may be achieved if the cryptanalyst is aware of a characteristic with a high probability for the first $(R-1)$ rounds, $\Omega_{R-1}$, and targets the round R S-boxes with non-zero input XORs. In the attack, the cryptanalyst has the knowledge of the exact values of the input pairs to the round function of the last round, $R_R$ and $R_R^*$, which are the right halves of the ciphertexts. Although the corresponding output XOR value of the round function is not known directly, when a right pair occurs it can be derived by XORing the right half output XOR value of the $(R-1)$-round characteristic, $\Delta R_{R-1}$, with the left half XOR value of the ciphertexts, $\Delta L_R$. Using the method described in Section 3.1.1 and detailed in [3], we can get a set of possible subkey values used in the last round. The correct subkey value should be the one occurring most frequently when a sufficient number of chosen plaintext pairs are considered. Occurrences of the other possible subkey values should be fairly randomly distributed. Some wrong pairs can be directly discarded by checking whether the right half XOR values of the ciphertexts are equal to the expected left half output XOR values of the $(R-1)$-round characteristic, $\Omega_{R-1}$.

Figure 3.3: 2-Round Iterative Characteristic (figure labels: "with a probability p", "always")

3.1.4 Counting Scheme

A counting scheme is used to count the number of occurrences of all possible subkey values used in the last round and finally get the correct subkey values. The following definition is usable to evaluate a counting scheme based on a characteristic.

Definition 3.1 [3] The ratio between the number of right pairs and the average count of the incorrect subkeys in a counting scheme is called the signal to noise ratio of the counting scheme and is denoted by SNR.

The magnitude of SNR is determined by the following factors:

- $p$, the differential probability of a characteristic. Obviously, a high probability characteristic generates several right pairs with a few chosen plaintext XOR pairs.

- $k$, the number of subkey bits which we simultaneously count on. Counting on a large number of subkey bits simultaneously is helpful to identify the correct key values and needs a small amount of data. However, it demands more memory, which can make the attack impractical.

- $\gamma$, the average count among all chosen plaintext XOR pairs. If we can distinguish more wrong pairs by the characteristic, we need fewer counts to get the correct key values. In general, it is difficult to determine the value of $\gamma$.

The signal to noise ratio of a counting scheme, SNR, is

SNR= ~. ,

(3.5)

Furthermore, we define the number of chosen plaintexts, $N_0$, required to uniquely identify the correct value of the subkey as

$$N_0 = \frac{\eta}{p} \qquad (3.6)$$

where $\eta$ is the number of right pairs required to uniquely determine the correct value of the subkey. When SNR is high, $\eta$ will be small. When SNR is low, $\eta$ will become large. Unfortunately, the exact relationship between SNR and $\eta$ is unknown. However, no matter what value SNR is, $\eta$ should be greater than one.

3.2 Linear Cryptanalysis

Linear cryptanalysis [19] is a known plaintext attack which extracts key information by finding a statistical linear equation consisting of plaintext, ciphertext, and key terms only. In this section we introduce the basic idea of linear cryptanalysis.

3.2.1 Basic Attack

Usually, the linear approximation has the form of

where $i_1, \dots, i_a$, $j_1, \dots, j_b$ and $k_1, \dots, k_c$ denote fixed bit positions of the plaintext $P$, ciphertext $C$, and key $K$, respectively. Let $P_L$ be the probability with which Equation 3.7 holds. If $|P_L - 1/2|$ is large enough and sufficient plaintext-ciphertext pairs are known, it is possible to use a hypothesis test to determine one equivalent key bit which is expressed by the XOR sum of the key bits on the right hand side of Equation 3.7.

Let $N_L$ be the number of given random plaintexts. Matsui's Piling-up Lemma [19] shows that one equivalent key bit of Equation 3.7 can be determined with 97.7% confidence if $N_L$ satisfies

$$N_L \approx |P_L - 1/2|^{-2} \qquad (3.8)$$

3.2.2 Linear Approximation of the S-box

The linear approximations of an S-box are found from the linear approximation table of the S-box. In the linear approximation table, each row corresponds to a subset of input bits of the S-box, each column corresponds to a subset of output bits of the S-box. For a given m x n S-box constructed from a mapping $S: \{0,1\}^m \to \{0,1\}^n$, letting $\alpha \in \{0,1\}^m$ and $\beta \in \{0,1\}^n$, the linear approximation table entry of the S-box corresponding to $(\alpha, \beta)$ is defined as

$$LAT(\alpha, \beta) = \#\{X \in \{0,1\}^m \mid \alpha X = \beta S(X)\} - 2^{m-1} \qquad (3.9)$$

where $\#$ denotes the cardinality of the set, and $\alpha X$ is defined as

$$\alpha X = a_1 x_1 \oplus a_2 x_2 \oplus \dots \oplus a_m x_m \qquad (3.10)$$

where $a_i$ and $x_i \in \{0,1\}$, $1 \le i \le m$. It is straightforward to notice that

$$LAT(\alpha, \beta) = 2^{m-1} - d(\alpha X, \beta S(X)) \qquad (3.11)$$

where

$$d(\alpha X, \beta S(X)) = \#\{X \in \{0,1\}^m \mid \alpha X \oplus \beta S(X) = 1\} \qquad (3.12)$$

Equation 3.12 is the Hamming distance between an affine boolean function $\alpha X$ and a linear combination of output bit boolean functions of the S-box, $\beta S(X)$.

The maximum $|LAT(\alpha, \beta)|$ in the linear approximation table expresses the best linear approximation of the S-box, whose probability $p$ is defined as

$$|p - 1/2| = \max |LAT(\alpha, \beta)| / 2^m \qquad (3.13)$$

3.2.3 Linear Approximation of the Cipher

A linear approximation of a cipher is derived by XORing a number of linear approximations of S-boxes such that any intermediate terms (i.e. terms that are not plaintext, ciphertext, or key terms) are cancelled. Assuming that there are n such linear approximations whose probabilities are $p_1, \dots, p_n$, then Matsui's Piling-up Lemma shows that the probability of the linear approximation of the cipher, $P_L$, has

$$|P_L - 1/2| = 2^{n-1} \prod_{i=1}^{n} |p_i - 1/2| \qquad (3.14)$$

From Equation 3.8, it is obvious that $N_L$ can be increased by decreasing $|P_L - 1/2|$. Therefore, Equation 3.14 suggests that selecting S-boxes which have $p_i \to 1/2$ and increasing the number of linear approximations of S-boxes involved in the overall linear approximation increases the cipher's resistance to linear cryptanalysis.
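The linear approximation table of Section 3.2.2 and the piling-up estimate of Section 3.2.3, as an added Python example that is not code from the thesis. It computes the table of Equations 3.9 to 3.12 and the best bias of Equation 3.13 for a randomly generated 8 x 8 S-box (an 8 x 32 table would have $2^{32}$ columns), chains biases with Equation 3.14 and turns the result into the plaintext count of Equation 3.8. The table is filled with a fast Walsh-Hadamard transform, a standard technique that the thesis does not describe; `lat_entry_direct` evaluates Equation 3.9 literally so the two can be compared. The S-box seed and all function names are this example's own.

```python
"""Linear approximation table, nonlinearity and the piling-up estimate
(Sections 3.2.1 to 3.2.3).

Added illustration, not code from the thesis. An 8 x 8 S-box constructed
from a seeded PRNG stands in for the thesis's 8 x 32 S-boxes.
"""
import math
import random


def random_sbox(m, n, seed=5):
    """A randomly generated m x n S-box."""
    rng = random.Random(seed)
    return [rng.getrandbits(n) for _ in range(1 << m)]


def parity(v):
    """alpha X of Equation 3.10 for v = alpha & X: XOR of the selected bits."""
    return bin(v).count("1") & 1


def lat_entry_direct(sbox, m, alpha, beta):
    """Equation 3.9 evaluated literally: agreements minus 2**(m-1)."""
    agree = sum(1 for x in range(1 << m)
                if parity(alpha & x) == parity(beta & sbox[x]))
    return agree - (1 << (m - 1))


def walsh(values):
    """Fast Walsh-Hadamard transform of a +-1 sequence of length 2**m."""
    w = list(values)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def lat_table(sbox, m, n):
    """Full LAT, rows alpha, columns beta. For fixed beta the transform of
    f(x) = (-1)**(beta S(x)) at alpha equals agreements minus disagreements
    over the 2**m inputs, so LAT(alpha, beta) is half of it."""
    table = [[0] * (1 << n) for _ in range(1 << m)]
    for beta in range(1 << n):
        w = walsh([1 - 2 * parity(beta & sbox[x]) for x in range(1 << m)])
        for alpha in range(1 << m):
            table[alpha][beta] = w[alpha] // 2
    return table


def max_abs_entry(table):
    """max |LAT(alpha, beta)| over beta != 0 (beta = 0 is the trivial column)."""
    return max(abs(v) for row in table for v in row[1:])


def nonlinearity(table, m):
    """2**(m-1) - max |LAT|: the quantity Section 2.6.2 wants >= 64 for m = 8."""
    return (1 << (m - 1)) - max_abs_entry(table)


def best_bias(table, m):
    """Equation 3.13: |p - 1/2| = max |LAT(alpha, beta)| / 2**m."""
    return max_abs_entry(table) / (1 << m)


def piling_up(biases):
    """Equation 3.14: |P_L - 1/2| = 2**(n-1) * prod |p_i - 1/2| for n chained
    S-box approximations."""
    result = 2 ** (len(biases) - 1)
    for b in biases:
        result *= b
    return result


def plaintexts_needed(bias):
    """Equation 3.8: N_L ~ |P_L - 1/2|**-2 known plaintexts for one key bit."""
    return math.ceil(bias ** -2)


if __name__ == "__main__":
    M_BITS, N_BITS = 8, 8
    table = lat_table(random_sbox(M_BITS, N_BITS), M_BITS, N_BITS)
    print("nonlinearity:", nonlinearity(table, M_BITS),
          " best single-S-box bias:", best_bias(table, M_BITS))
    # Four such approximations chained: the bias shrinks, N_L grows.
    bias4 = piling_up([best_bias(table, M_BITS)] * 4)
    print("four-S-box bias:", bias4, " N_L:", plaintexts_needed(bias4))
```

Chaining the best single-S-box bias through four S-boxes shows the effect the text draws from Equation 3.14: each added approximation multiplies the bias by at most $2 \cdot \max|p_i - 1/2|$, and the required number of known plaintexts grows as the inverse square of the result.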

3.3 Conclusion

In this chapter, we have described two of the most powerful cryptanalysis techniques, differential and linear cryptanalysis, in more detail. The major concepts of XOR tables and characteristics in differential cryptanalysis, and linear approximations in linear cryptanalysis, were discussed. Their successful application to the DES encryption algorithm and many other proposed ciphers suggests that they provide two methods with which to judge the security of private-key block ciphers.

Chapter 4

A New General Class of Unbalanced CAST Ciphers

DES [24] is nearing the end of its useful life. After twenty years, it is now theoretically breakable by differential [3] and linear cryptanalysis [19], and practically breakable using special purpose hardware [35]. Many candidates are proposed for the replacement of DES. Unfortunately, there is no obvious one with acceptable speed and security.

In this chapter, we propose a new general class of encryption algorithms referred to as an unbalanced CAST cipher, and describe its design criteria and procedure. The cryptographic analysis results will be given in later chapters.

4.1 Motivation

A successful cipher should have the following features.

- Security: This is the main goal of the cipher design. A successful cipher should be resistant to all proposed cryptanalyses, such as differential and linear cryptanalysis, and be a potential survivor in the future when computing capability increases. Furthermore, there should exist a clear mathematical method so that the cryptographic strength of the cipher can be easily analyzed and evaluated. A complicated encryption algorithm is not guaranteed to have a strong cryptographic strength.

- Efficiency: There is usually a trade-off between a higher level of security and a higher encryption/decryption speed. A larger number of rounds usually provides a product cipher, such as an SPN, with a higher security, but implies a lower speed. A successful cipher should have a high encryption/decryption speed under a certain level of security, and allow users to explicitly manipulate the trade-off by selecting a variable number of rounds.

- Parameterization: With the increasing growth of telecommunications, encryption technology has been more and more adopted by various applications. This gives rise to the problem that a single encryption algorithm may not efficiently fit all applications since hardware and software environments may be totally different. For example, 8-bit, 16-bit, and 32-bit microprocessors have different data processing abilities. Personal computers, cellular phones, and point of sale (POS) terminals have different memories available for an encryption algorithm. Therefore, a successful cipher should be a family of encryption algorithms characterized by a set of parameters.

- Ease of Implementation: DES, which was designed in the 1970's, is explicitly a hardware-oriented encryption algorithm. Its extensive use of permutations is inefficient in software, and its 6 x 4 S-boxes can not be efficiently implemented by modern computers. A new cipher would be most valuable if it is easily implemented in both software and hardware.

The original CAST cipher [2] appears to be resistant to differential and linear cryptanalysis [18, 14], and possesses a number of desirable cryptographic properties such as avalanche [11, 12] and SAC [34]. It is easily implemented by software and has a good encryption/decryption performance on 32-bit microprocessors. By using four large 8 x 32 S-boxes, CAST eliminates the need of permutations. However, large S-boxes require more memory to store their lookup tables. This might be unacceptable in some implementations where the memory is extremely restricted, such as smart cards.

Keeping the above objectives in mind, we present a family of ciphers referred to as unbalanced CAST ciphers, which employ the same type of S-box and round function as the original CAST cipher, and have a variable amount of memory requirements dependent on the selection of different parameters.

4.2 Description of the Algorithm

The unbalanced CAST cipher is a product cipher which iterates a round operation R times. The round operation of the general cipher may be conceptualized as in Figure 4.1. Let N be the block size of the cipher. In the i-th round, an N-bit input $B_i$ is first split into three pieces, i.e. $L_i$, $H_i$, and $U_i$. $L_i$ is input to the round function F XORed with an l-bit subkey $K_i$, $H_i$ is XORed with the output of the round function, and $U_i$ bypasses the round function. Finally, $L_i$, the XOR sum of the output of the round function and $H_i$, and $U_i$ are processed by a rotation operation and result in an N-bit output, $B_{i+1}$. The round function has the same structure as the one of the original CAST cipher shown in Figure 2.3. Letting M be the number of m x n S-boxes used in the round function with m < n, the following relationships hold

$$l = M \times m, \qquad u = N - l - h \qquad (4.1)$$

where l is the number of bits of $L_i$, h is the number of bits of $H_i$, and u is the number of bits of $U_i$. Also $l \le h$.

Figure 4.1: i-th Round Operation of an Unbalanced CAST Cipher (figure labels: $B_i$ (N bits), $U_i$ (u bits), $H_i$ (h bits), $K_i$ (l bits), $L_i$ (l bits), Rotation, $B_{i+1}$ (N bits))

In general, the round operations of the unbalanced CAST ciphers can be characterized entirely by the parameters N, l, h, m, n and the rotation operation. For example, the original CAST cipher can be characterized by N = 64, M = 4, m = 8, n = 32, and a 32-bit rotation in the form of swapping the two half blocks. Khafre can be characterized by N = 64, M = 1, m = 8, n = 32, and a rotation of eight and sixteen bits specified according to the round number. We refer to the ciphers as unbalanced since l is not necessarily equal to N/2. A balanced CAST cipher, such as the original CAST cipher, has $l = n = N/2$ and $u = 0$.

If round functions from two ciphers, Cipher 1 and Cipher 2, are constructed by the same type of m x n S-boxes and the following equation holds:

$$R_1 \times M_1 = R_2 \times M_2 \qquad (4.2)$$

where the subscript is used to indicate the cipher number, then the two ciphers may be considered to be roughly equivalent in efficiency if the S-box table lookup is considered the dominant operation (i.e. assuming data rotation in CPU registers may be ignored). For example, an 8-round original CAST cipher with four 8 x 32 S-boxes may be considered roughly equivalent in efficiency to a 32-round unbalanced CAST cipher with one 8 x 32 S-box. However, Equation 4.2 does not imply that two ciphers may have an equivalent level of security. This issue will be addressed in later chapters.

For current computer technology, the block size 64 is quite convenient. Therefore, we choose 64 as the default value of N in the remainder of the thesis.

4.3 Design Decisions

Based on the above structure, we now give some design decisions which mainly focus on the S-box, the rotation operation, and the round function.

4.3.1 S-box

An m x n S-box is a $2^m \times n$ lookup table which maps m input bits to n output bits. In SPNs and most DES-like ciphers, S-boxes are critically important to security since they are the main components of nonlinearity in the algorithm. Since the size of the lookup table will exponentially increase with the increase of the value m, the value m should be chosen to be small, say less than 10. Conversely, the value n can be chosen to be large since the size of the lookup table increases linearly with n.

The original version of CAST uses S-boxes based on bent boolean functions [2]. To simplify the problem and benefit the statistical analysis, we consider randomly generated S-boxes. Research has shown that there is no large cryptographic difference between these two kinds of S-boxes [22]. To construct an m x n S-box one bit at a time, a random number generator is used whose outputs have either one or zero with a probability of 1/2. The randomly generated 8 x 32 S-box has the following cryptographic properties.

- Good Avalanche: Approximately half the output bits change when one input bit changes [11, 12].

- Bit Independence Criterion: Any two output bits change independently when any single input bit changes [34].

- Equiprobable XOR Distribution: In the XOR table, with a very high probability, all entries are either 0 or 2.

- High Nonlinearity: The S-box has a nonlinearity of at least 64 with a high probability [14].

Usually, the values m and n are selected as an integer multiple of eight for ease of implementation in modern computers. However, not all S-boxes which have fewer input bits than output bits are suitable to use in the unbalanced CAST ciphers. In later chapters, we will give the analysis results.

4.3.2 Round Function

Differential and linear cryptanalysis work on the principle of finding characteristics and linear approximations with high probabilities on a single round, then cascading a sufficient number of characteristics and linear approximations of different single rounds in useful ways to attack the whole cipher. It can be seen that adding sufficient rounds to a DES-like cipher makes the cipher computationally resistant to these attacks. The disadvantage of this approach is that the encryption/decryption speed of the cipher is reduced. An alternate approach is to decrease the probabilities of characteristics and linear approximations of an individual round by improving the cryptographic properties of S-boxes. This makes the cipher potentially resistant to differential and linear cryptanalysis without losing the efficiency of the algorithm.

The difference of the round functions of DES and the original CAST cipher has been illustrated in Figure 2.3. In general, DES is a hardware-oriented encryption algorithm, while CAST is a software-oriented encryption algorithm. However, a relatively efficient software implementation of DES can eliminate the permutations by regarding all 6 x 4 S-boxes as 6 x 32 S-boxes. Then, the outputs of eight 6 x 32 S-boxes are XORed together in the same way as CAST, and the permutations need not be applied. In this way, DES and CAST can be viewed as having round functions similar in structure. The 8 x 32 S-box of CAST has all output bits influenced by all input bits, whereas the 6 x 32 S-box of DES has twenty-eight output bits fixed at 0 and only four output bits influenced by all input bits since DES really just has the 6 x 4 S-box. This feature causes each output bit of the round function of CAST to be influenced by all four 8 x 32 S-boxes, while the corresponding output bit of DES is influenced by only one of eight 6 x 32 S-boxes. The simple comparison tells us that the round function of CAST should be stronger than the one of DES.

The unbalanced CAST ciphers make use of the above proposed S-boxes and the same round function structure as CAST, but might have fewer S-boxes in the round function than CAST to reduce the memory requirement. In exchange, more rounds are required to keep the cipher at the same level of security.

4.3.3 Rotation Operation

In the original CAST cipher, a half block passes through the round function in each round. Swapping the two half blocks in each round makes each plaintext bit pass through the round function once after two rounds. However, because the number of input bits of the round function in an unbalanced CAST cipher can be less than the number of output bits, the swapping operation becomes not enough to efficiently achieve completeness.

The primary purpose of the rotation operation is to bring all plaintext bits to the input position of the round function in as few rounds as possible so that each plaintext bit can influence every ciphertext bit in as few rounds as possible. In general, we assume that N is divisible by l. Then it takes N/l rounds to restore the plaintext bits to their original position and (N/l + 1) rounds for $h \ge 32$ to achieve the completeness property since the last l bits of the plaintext will pass through the round function in the (N/l)-th round and get influenced by themselves in the (N/l + 1)-th round. However, if $h < 32$, it will take a few more rounds to achieve completeness since the last l bits of the plaintext will not be immediately influenced by themselves in the (N/l + 1)-th round. For example, it takes thirteen rounds for an unbalanced CAST cipher with one 8 x 16 S-box, or seven rounds for an unbalanced CAST cipher with two 8 x 16 S-boxes, to achieve the completeness property.

Based on Figure 4.1, we propose a rotation operation as well as the round operation, which is effective in ensuring that ciphertext bits are influenced by plaintext bits as quickly as possible. It is described as the following:

1. $B_i$ is divided into two halves, the right half and the left half.

2. $L_i$, taken from the l least significant bits of the right half, is input into the round function F whose output is XORed with $H_i$, which is the h least significant bits of the left half.

3. The right half is right cyclically rotated by l bits.

4. The two halves are swapped to form $B_{i+1}$.

Note that this operation is similar to, but slightly inconsistent with, the convenient conceptualization of Figure 4.1. The swapping of two half blocks is still necessary in an unbalanced CAST cipher because the $H_i$ XORed with the output of the round function can be immediately brought to the input position of the round function at the next round, which has all ciphertext bits influenced faster by all plaintext bits.

The rotation operation of the 8-round unbalanced CAST cipher with M = 1, m = 8, and n = 32 is illustrated in Table 4.1, where a letter represents an 8-bit data block.

Rnd   Left Half   Right Half
P_i   A B C D     E F G || H
1     A B C D     E F G || H
2     H E F G     A B C || D
3     D A B C     H E F || G
4     G H E F     D A B || C
5     C D A B     G H E || F
6     F G H E     C D A || B
7     B C D A     F G H || E
8     E F G H     B C D || A
C_i   A B C D     E F G || H

Table 4.1: Rotation Operation for an unbalanced CAST Cipher with M = 1, m = 8, and n = 32

The data to the right side of the double vertical lines is input to the round function whose four byte output data is XORed with the left half block. After every eight rounds the data bits are restored to their original position. It takes nine rounds for the cipher to be complete.
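The round function of Section 2.5.2 and the round and rotation operation of Sections 4.2 and 4.3.3, as an added Python example that is not code from the thesis. It assumes N = 64, that the round function output has h = n bits (true of the original CAST case M = 4, m = 8, n = 32 and of the Table 4.1 cipher), that $n \le 32$ so the swap of step 4 applies (the no-swap cases with n = 48 or 56 below are not covered), and that m and n are multiples of eight; the S-boxes are constructed from a seeded PRNG and the function names are this example's own. `rotation_schedule` reproduces the byte movement of Table 4.1, and `completeness_rounds` counts, by byte-level dependency tracking, the round after which every byte of the state depends on every plaintext byte.

```python
"""Round operation of an unbalanced CAST cipher (Sections 2.5.2, 4.2, 4.3.3).

Added illustration, not code from the thesis. Assumes N = 64, h = n,
n <= 32 (so step 4's swap applies) and m, n multiples of eight.
"""
import random

N_BITS = 64
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1


def make_sboxes(M, m, n, seed=11):
    """M randomly generated m x n S-boxes (Section 4.3.1 style)."""
    rng = random.Random(seed)
    return [[rng.getrandbits(n) for _ in range(1 << m)] for _ in range(M)]


def round_function(l_in, subkey, sboxes, m):
    """F(L_i, K_i): XOR the l-bit subkey, split into M m-bit pieces, feed each
    to its own S-box and XOR the n-bit outputs (the Figure 2.3 structure)."""
    x = l_in ^ subkey
    M = len(sboxes)
    out = 0
    for j, sbox in enumerate(sboxes):
        out ^= sbox[(x >> (m * (M - 1 - j))) & ((1 << m) - 1)]
    return out


def round_operation(block, subkey, sboxes, m):
    """Steps 1-4 of Section 4.3.3 on a 64-bit block held as an int."""
    l = len(sboxes) * m
    left, right = block >> HALF, block & HALF_MASK             # step 1
    l_in = right & ((1 << l) - 1)                               # step 2: l LSBs of right half
    left ^= round_function(l_in, subkey, sboxes, m)             # XOR into h LSBs of left half
    right = ((right >> l) | (right << (HALF - l))) & HALF_MASK  # step 3: rotate right by l
    return (right << HALF) | left                               # step 4: swap


def inverse_round_operation(block, subkey, sboxes, m):
    """Undo one round: the rotated right half is intact, so L_i is recoverable
    and F can be recomputed and XORed off again."""
    l = len(sboxes) * m
    right_rot, left = block >> HALF, block & HALF_MASK
    right = ((right_rot << l) | (right_rot >> (HALF - l))) & HALF_MASK
    left ^= round_function(right & ((1 << l) - 1), subkey, sboxes, m)
    return (left << HALF) | right


def rotation_schedule(M, m, rounds):
    """Byte positions at the input of each round, as in Table 4.1 (A..H are
    the plaintext bytes); the last row is the output of the final round."""
    hb, lb = HALF // 8, M * m // 8
    left = [chr(ord("A") + i) for i in range(hb)]
    right = [chr(ord("A") + hb + i) for i in range(hb)]
    rows = []
    for _ in range(rounds):
        rows.append("".join(left) + " " + "".join(right))
        right = right[hb - lb:] + right[:hb - lb]   # rotate right by l bits
        left, right = right, left                    # swap
    rows.append("".join(left) + " " + "".join(right))
    return rows


def completeness_rounds(M, m, n, max_rounds=64):
    """Byte-level dependency tracking: the round after which every byte of the
    state depends on every plaintext byte. F's output is taken to depend on
    all of its input bytes; XORing it into a byte adds those dependencies."""
    hb, lb, ob = HALF // 8, M * m // 8, n // 8
    left = [{i} for i in range(hb)]
    right = [{hb + i} for i in range(hb)]
    everything = set(range(2 * hb))
    for r in range(1, max_rounds + 1):
        f_in = set().union(*right[hb - lb:])        # bytes entering F
        for j in range(hb - ob, hb):                 # h LSBs of the left half
            left[j] = left[j] | f_in
        right = right[hb - lb:] + right[:hb - lb]    # rotate right by l bits
        left, right = right, left                    # swap
        if all(b == everything for b in left + right):
            return r
    return None


if __name__ == "__main__":
    for row in rotation_schedule(1, 8, 8):
        print(row)
    for M, n in [(4, 32), (2, 32), (1, 32), (2, 16)]:
        print(f"M={M}, 8x{n}: complete after {completeness_rounds(M, 8, n)} rounds")
```

For M = 1, m = 8, n = 32 the schedule returns to ABCD EFGH after eight rounds and the dependency count gives nine rounds, as stated above; for the original CAST parameters it gives three rounds, N/l + 1 with l = 32, and for two 8 x 16 S-boxes it gives the seven rounds quoted in Section 4.3.3. `inverse_round_operation` shows that the round stays invertible for any M and n under these assumptions, which is what lets the same S-box tables serve decryption.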

There are two special cases in which the swapping is not necessary, the cipher with M = 2, m = 8, and n = 48, and the cipher with M = 1, m = 8, and n = 56. Both cases have N = l + h, where l < 32 and h > 32. In the first case, l = 16 and it takes four rounds before the cipher is complete; in the second case, l = 8 and it takes eight rounds before the cipher is complete. The large number of output bits of the S-boxes will make such ciphers suitable for 64-bit processor implementations.

The above rotation operation is a generalized one. A more efficient rotation operation may be used in a specific implementation, depending on the structure of the microprocessor and its registers. For example, Khafre [21], which targets 32-bit microprocessors with 16-bit registers, uses a combination of eight and sixteen bit rotations to increase its operation speed. However, the main design principle remains the same.

4.4 Conclusion

We have presented a new class of encryption algorithms referred to as unbalanced CAST ciphers, which employ the same type of S-box and round function as the original CAST cipher. By choosing different parameters, the cipher can have a variable amount of memory requirements, which is preferred in some implementations. We have also described the general operation of the cipher, and discussed the design decisions of the S-box, the round function, and the rotation operation in detail.
