Perfect Diffusion Primitives for Block Ciphers – Building Efficient MDS Matrices

Pascal Junod and Serge Vaudenay

École Polytechnique Fédérale de Lausanne

Selected Areas in Cryptography ’04
University of Waterloo (Canada), August 9, 2004

Outline of this talk

   Preliminaries
      Diffusion / Confusion
   MDS Matrices ...
      Multipermutation
   ... and their Implementation
      32/64-bit Architectures
      8-bit Architectures
   Bi-Regular Arrays
      Our Results
      Definition
   Some New Constructions
      (4, 4)-Multipermutation
      (8, 8)-Multipermutation
   Concluding Remarks
Back to Shannon

   Notions of confusion and diffusion introduced by Shannon in “Communication Theory of Secrecy Systems” (1949)

   Confusion: “The method of confusion is to make the relation between the simple statistics of $E_K(\cdot)$ and the simple description of $K$ a very complex and involved one.”

   Diffusion: “In the method of diffusion the statistical structure of $M$ which leads to its redundancy is dissipated into long range statistics – i.e., into statistical structure involving long combinations of letters in the cryptogram.”
Confusion

   The notion of confusion is nowadays related to those of
      S-boxes
      non-linearity
      Boolean functions
      algebraic attacks

   Plenty of academic papers on this subject!
Diffusion: Historical Perspectives

   Less studied in a rigorous (mathematical) way until the mid-90’s
   Schnorr-Vaudenay (FSE’93 / EUROCRYPT’94): introduction of the concept of multipermutation
   Vaudenay (FSE’95): a linear multipermutation is equivalent to an MDS code
   Daemen (PhD thesis, 1995): Wide-Trail Strategy
      (Choose “good” S-boxes)
      “Design the round transformation in such a way that only trails with many S-boxes occur.”
   Rijmen, Daemen, Preneel, Bosselaers, De Win (FSE’96): design of SHARK, whose diffusion layer is based on MDS codes
Multipermutation Nowadays

   Very few MDS codes are known
   Seldom used in practice
   Widely spread building block in symmetric schemes
   Non-linear multipermutation: CS-Cipher
   Linear multipermutation (MDS matrices): AES, Camellia, Twofish, Khazad, FOX, and many, many others!
In this Talk

   Interested in “efficient” linear multipermutations
   Brief recall about MDS matrices and their properties
   Definition of what we mean by “efficient”
   New propositions
Multipermutation: a Definition

   Definition (Multipermutation)
   A diffusion function $f$ from $K^p$ to $K^q$ is a multipermutation if, for any $x_1, \dots, x_p \in K$ and any integer $r$ with $1 \le r \le p$, modifying $r$ input values of $f(x_1, \dots, x_p)$ results in modifying at least $q - r + 1$ output values.
Multipermutation: Another Definition

   Definition (Multipermutation)
   A diffusion function $f$ from $K^p$ to $K^q$ is a multipermutation if the set of all words consisting of $x_1, \dots, x_p$ concatenated with $f(x_1, \dots, x_p)$ is a code of $(\#K)^p$ words of length $p + q$ with minimal distance $q + 1$.

   Matches the Singleton bound (hence the link to MDS codes)
Multipermutation: Example

   Representation of the finite field $\mathrm{GF}(2^8)$: polynomials of degree at most seven with coefficients in $\mathrm{GF}(2)$ modulo the irreducible polynomial

      $p(\xi) = \xi^8 + \xi^7 + \xi^6 + \xi^5 + \xi^4 + \xi^3 + 1$

      Addition: XOR
      Multiplication: usual multiplication of polynomials modulo $p(\xi)$

   Consider the following multipermutation on $\mathrm{GF}(2^8)^2$:

      $\mu : \begin{pmatrix} x_1 \\ x_2 \end{pmatrix} \mapsto \begin{pmatrix} y_1 \\ y_2 \end{pmatrix} = \begin{pmatrix} 1 & \xi \\ 1 & 1 \end{pmatrix} \times \begin{pmatrix} x_1 \\ x_2 \end{pmatrix}$
Why is it a Multipermutation?

   Because $\mu$ is invertible:

      $\begin{pmatrix} 1 & \xi \\ 1 & 1 \end{pmatrix}^{-1} = \begin{pmatrix} \xi^7 + \xi^5 + \xi^3 & \xi^7 + \xi^5 + \xi^3 + 1 \\ \xi^7 + \xi^5 + \xi^3 & \xi^7 + \xi^5 + \xi^3 \end{pmatrix}$

   Because, when fixing $x_1$ to a constant $c$, both $y_1$ and $y_2$ are permutations of $x_2$:

      $y_1 = c \oplus (\xi \cdot x_2)$
      $y_2 = c \oplus x_2$

   Because, when fixing $x_2$ to a constant $c$, both $y_1$ and $y_2$ are permutations of $x_1$:

      $y_1 = x_1 \oplus (\xi \cdot c)$
      $y_2 = x_1 \oplus c$
Why is it a Multipermutation (2)?

   Because $\det(\mu) \neq 0$ and every sub-determinant of $\mu$ is different from 0.
32/64-bit Architectures

   Lot of fast memory (L1 cache)
   Table lookups + XORs:

      $\begin{pmatrix} y_1 \\ y_2 \end{pmatrix} = x_1 \times \begin{pmatrix} 1 \\ 1 \end{pmatrix} \oplus x_2 \times \begin{pmatrix} \xi \\ 1 \end{pmatrix}$
8-bit Architectures

   Less memory at disposal → complete precomputation is impossible!

   The values of the matrix elements matter!
   Multiplications by 1 are “free” operations
   Possible to precompute the operation “multiplication by a constant $c$”
Our strategy

   Maximize the number of 1’s in the matrix.
   Minimize the number of different constants.

   Two criteria ...
   ... among infinitely many others!

   Corollary (and disclaimer): it is always possible to find an architecture and side constraints such that our strategy leads to poor results.

   One of the constraints we did not consider: the inverse of a matrix must be “efficient” as well.
Results

   Definition of the concept of “bi-regular array”
   Find the minimal amounts of 1’s and of different coefficients for bi-regular arrays
   Sequence of constructive proofs → matrix skeletons
   Examples of matrices
Bi-Regular Arrays

   A $2 \times 2$ array with entries in $K$ is bi-regular if at least one row and one column have two different entries.

      $\begin{pmatrix} 1 & 1 \\ 1 & 2 \end{pmatrix} \qquad \begin{pmatrix} 1 & 1 \\ \xi & \xi \end{pmatrix}$

   (The first array is bi-regular; the second is not, since neither of its rows has two different entries.)

   A $q \times p$ array with entries in $K$ is bi-regular if all $2 \times 2$ sub-arrays are bi-regular.

   An MDS matrix must be a bi-regular array ...
   ... but the converse is not true!
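As an added example, not code from the Junod and Vaudenay slides or paper, the following Python puts the preceding slides together: arithmetic in GF(2^8) with the slide's p(ξ), the matrix µ and the inverse the slide states, the sub-determinant criterion for MDS, the table-lookup form of the 32/64-bit slide, and the bi-regularity test with a constructed counterexample showing that bi-regular does not imply MDS. Assumptions: the "2" in the slide's first bi-regular array is read as the byte 0x02 (the element ξ), and all function and constant names are this example's own.

```python
from itertools import combinations

# Field from the slides: GF(2^8) = GF(2)[xi] / (xi^8 + xi^7 + xi^6 + xi^5 + xi^4 + xi^3 + 1).
POLY = 0x1F9   # p(xi) written as a bit mask (bits 8,7,6,5,4,3,0)
XI = 0x02      # the element xi: bit i of a byte is the coefficient of xi^i

def gf_mul(a: int, b: int) -> int:
    """Product of two field elements: polynomial multiplication reduced modulo p(xi)."""
    r = 0
    while b:
        if b & 1:
            r ^= a            # field addition is XOR
        a <<= 1
        if a & 0x100:         # degree 8 reached: subtract (XOR) p(xi)
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse of a non-zero element by exhaustive search (fine for a demo)."""
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def det(m) -> int:
    """Determinant over GF(2^8) by Laplace expansion; the signs vanish in characteristic 2."""
    if len(m) == 1:
        return m[0][0]
    d = 0
    for j in range(len(m)):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        d ^= gf_mul(m[0][j], det(minor))
    return d

def is_mds(m) -> bool:
    """Slide criterion: MDS iff every square sub-matrix (of every size) is non-singular."""
    q, p = len(m), len(m[0])
    for k in range(1, min(q, p) + 1):
        for rows in combinations(range(q), k):
            for cols in combinations(range(p), k):
                if det([[m[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True

def is_bi_regular(m) -> bool:
    """Every 2x2 sub-array has at least one row AND one column with two different entries."""
    q, p = len(m), len(m[0])
    for r1, r2 in combinations(range(q), 2):
        for c1, c2 in combinations(range(p), 2):
            row_ok = m[r1][c1] != m[r1][c2] or m[r2][c1] != m[r2][c2]
            col_ok = m[r1][c1] != m[r2][c1] or m[r1][c2] != m[r2][c2]
            if not (row_ok and col_ok):
                return False
    return True

def inverse_2x2(m):
    """[[a, b], [c, d]]^-1 = det^-1 * [[d, b], [c, a]]; minus signs vanish in characteristic 2."""
    (a, b), (c, d) = m
    s = gf_inv(det(m))
    return [[gf_mul(s, d), gf_mul(s, b)], [gf_mul(s, c), gf_mul(s, a)]]

def column_tables(m):
    """32/64-bit form from the slides: per input byte, a table T_j[x] = x times column j."""
    q, p = len(m), len(m[0])
    return [[tuple(gf_mul(m[i][j], x) for i in range(q)) for x in range(256)]
            for j in range(p)]

def apply_tables(tables, x):
    """y = M x using only table lookups and XORs: y = T_0[x_0] xor T_1[x_1] xor ..."""
    y = [0] * len(tables[0][0])
    for t, v in zip(tables, x):
        y = [yi ^ ti for yi, ti in zip(y, t[v])]
    return y

def branch_number_2x2(m) -> int:
    """Minimal weight of a code word (x, M x), x != 0: the minimal distance of the second
    definition. A 2x2 multipermutation must reach q + 1 = 3 (Singleton bound)."""
    tables = column_tables(m)
    best = 5
    for x1 in range(256):
        for x2 in range(256):
            if x1 or x2:
                y1, y2 = apply_tables(tables, (x1, x2))
                best = min(best, (x1 != 0) + (x2 != 0) + (y1 != 0) + (y2 != 0))
    return best

# The slides' multipermutation mu and the inverse they state (xi^7 + xi^5 + xi^3 = 0xA8).
MU = [[1, XI], [1, 1]]
MU_INV_SLIDE = [[0xA8, 0xA9], [0xA8, 0xA8]]

BR_YES = [[1, 1], [1, XI]]      # the slide's [[1,1],[1,2]], "2" read as the byte 0x02 = xi
BR_NO = [[1, 1], [XI, XI]]      # the slide's second array: no row has two different entries
BR_NOT_MDS = [[1, XI], [XI, gf_mul(XI, XI)]]  # constructed: bi-regular, but det = xi^2 + xi^2 = 0

if __name__ == "__main__":
    print("inverse matches slide:", inverse_2x2(MU) == MU_INV_SLIDE)
    print("mu is MDS:", is_mds(MU), "branch number:", branch_number_2x2(MU))
    for name, m in [("BR_YES", BR_YES), ("BR_NO", BR_NO), ("BR_NOT_MDS", BR_NOT_MDS)]:
        print(name, "bi-regular:", is_bi_regular(m), "MDS:", is_mds(m))
```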
From Bi-Regular Arrays to MDS Matrices

   Construct a bi-regular array with a large number of 1’s and a small number of different coefficients.
   Find a suitable set of coefficients (if possible).
Highest Possible Number of 1's

   Summary of our results

            2    3    4    5    6    7    8
       2    3    4    5    6    7    8    9
       3    4    6    7    8    9   10   11
       4    5    7    9   10   12   13   14
       5    6    8   10   12   13   14   17
       6    7    9   12   13   16   18   19
       7    8   10   13   14   18   21   22
       8    9   11   14   17   19   22   24
Lowest Possible Number of Different Coefficients

   Summary of our results

            2    3    4    5    6    7    8
       2    2    2    2    3    3    3    3
       3    2    2    3    3    3    3    2
       4    2    3    3    3    4    4    4
       5    3    3    3    3    4    4    4
       6    3    3    4    4    4    4    5
       7    3    3    4    4    4    4    5
       8    3    4    4    4    5    5    5
A (4, 4)-Multipermutation

   Example of an "optimal" 4 × 4-matrix

                      a 1 1 1
                      1 1 b a
                      1 a 1 b
                      1 b a 1

   9 coefficients equal to 1, 3 different values

   Used as diffusive component in the round function of
   FOX64
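The two properties discussed on the preceding slides, as an added example that is not part of the original talk: a purely combinatorial bi-regularity test (only equality of entries matters, so the 4 × 4 shape above can be checked with symbolic entries a, b, 1) and an MDS test that checks every square sub-matrix for non-singularity over GF(2^8). The field polynomial 0x11B and the AES MixColumns matrix used as the known-MDS input are assumptions for the test; the slides do not give FOX's own field or coefficient values.

```python
from itertools import combinations

POLY = 0x11B  # assumption: AES polynomial x^8+x^4+x^3+x+1, not FOX's own field

def gf_mul(x, y):
    """Multiply two GF(2^8) elements, reducing modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= POLY
        y >>= 1
    return r

def is_bi_regular(m):
    """Every 2x2 sub-array has a row and a column with two different entries."""
    for r1, r2 in combinations(range(len(m)), 2):
        for c1, c2 in combinations(range(len(m[0])), 2):
            row_ok = m[r1][c1] != m[r1][c2] or m[r2][c1] != m[r2][c2]
            col_ok = m[r1][c1] != m[r2][c1] or m[r1][c2] != m[r2][c2]
            if not (row_ok and col_ok):
                return False
    return True

def is_singular(sub):
    """Gaussian elimination over GF(2^8); rows are scaled by the pivot, which keeps singularity."""
    a = [row[:] for row in sub]
    for col in range(len(a)):
        piv = next((r for r in range(col, len(a)) if a[r][col]), None)
        if piv is None:
            return True          # no non-zero pivot in this column: determinant is 0
        a[col], a[piv] = a[piv], a[col]
        pv = a[col][col]
        for r in range(col + 1, len(a)):
            f = a[r][col]
            a[r] = [gf_mul(pv, x) ^ gf_mul(f, y) for x, y in zip(a[r], a[col])]
    return False

def is_mds(m):
    """A q x p matrix is MDS iff every square sub-matrix is non-singular."""
    q, p = len(m), len(m[0])
    return not any(is_singular([[m[r][c] for c in cols] for r in rows])
                   for k in range(1, min(q, p) + 1)
                   for rows in combinations(range(q), k)
                   for cols in combinations(range(p), k))

FOX64_SHAPE = [list("a111"), list("11ba"), list("1a1b"), list("1ba1")]   # the slide's 4x4 shape
AES_MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # assumption: known MDS
```

`is_bi_regular` accepts the symbolic shape directly, while `is_mds` needs concrete field elements, which is exactly the "find a suitable set of coefficients" step of the previous slide.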
A Circulating-Like (8, 8)-Multipermutation

   Example of a "non-optimal" 8 × 8-matrix

                 f 1 1 1 1 1 1 1
                 1 1 a b c d e f
                 1 f 1 a b c d e
                 1 e f 1 a b c d
                 1 d e f 1 a b c
                 1 c d e f 1 a b
                 1 b c d e f 1 a
                 1 a b c d e f 1

   Used as diffusive component in the round function of
   FOX128
A (8, 8)-Multipermutation with Rectangle Patterns

   Example of a "partially optimal" 8 × 8-matrix

                 b a c b d c 1 d
                 b c a d b 1 c 1
                 c b d a 1 b 1 c
                 c d b 1 a 1 b d
                 d c 1 b 1 a d b
                 d 1 c 1 b d a c
                 1 d 1 c d b c a
                 1 1 d d c c b b

   Optimal number of different coefficients
   Non-optimal number of 1's
Thank You !

   See you in 25 minutes for the presentation of
Any Question ?