
Perfect Diffusion Primitives for Block Ciphers – Building Efficient MDS Matrices
Pascal Junod and Serge Vaudenay
École Polytechnique Fédérale de Lausanne
Selected Areas in Cryptography '04, University of Waterloo (Canada), August 9, 2004

Outline of this talk
- Preliminaries: Diffusion / Confusion; MDS Matrices ... Multipermutation ... and their Implementation; 32/64-bit Architectures; 8-bit Architectures
- Bi-Regular Arrays: Our Results; Definition
- Some New Constructions: (4, 4)-Multipermutation; (8, 8)-Multipermutation
- Concluding Remarks

Back to Shannon
- Notions of confusion and diffusion introduced by Shannon in "Communication Theory of Secrecy Systems" (1949)
- Confusion: "The method of confusion is to make the relation between the simple statistics of E_K(.) and the simple description of K a very complex and involved one."
- Diffusion: "In the method of diffusion the statistical structure of M which leads to its redundancy is dissipated into long range statistics – i.e., into statistical structure involving long combinations of letters in the cryptogram."

Confusion
- The notion of confusion is nowadays related to those of: S-boxes, non-linearity, Boolean functions, algebraic attacks
- Plenty of academic papers on this subject!

Diffusion: Historical Perspectives
- Less studied in a rigorous (mathematical) way until the mid-90s
- Schnorr-Vaudenay (FSE'93 / EUROCRYPT'94): introduction of the concept of multipermutation
- Vaudenay (FSE'95): a linear multipermutation is equivalent to an MDS code
- Daemen (PhD thesis, 1995): Wide-Trail Strategy (choose "good" S-boxes): "Design the round transformation in such a way that only trails with many S-boxes occur."
- Rijmen, Daemen, Preneel, Bosselaers, De Win (FSE'96): design of SHARK, whose diffusion layer is based on MDS codes

Multipermutation Nowadays
- Very few MDS codes are known
- Seldom used in practice
- Widely spread building block in symmetric schemes
- Non-linear multipermutation: CS-Cipher
- Linear multipermutation (MDS matrices): AES, Camellia, Twofish, Khazad, FOX, and many, many others!

In this Talk
- Interested in "efficient" linear multipermutations
- Brief recall about MDS matrices and their properties
- Definition of what we mean by "efficient"
- New propositions

Multipermutation: a Definition
Definition (Multipermutation). A diffusion function f from K^p to K^q is a multipermutation if for any x_1, ..., x_p ∈ K and any integer r with 1 ≤ r ≤ p, modifying r input values of f(x_1, ..., x_p) results in modifying at least q − r + 1 output values.

Multipermutation: Another Definition
Definition (Multipermutation). A diffusion function f from K^p to K^q is a multipermutation if the set of all words consisting of x_1, ..., x_p concatenated with f(x_1, ..., x_p) is a code of (#K)^p words of length p + q with minimal distance q + 1.
- Matches the Singleton bound (hence the link to MDS codes)

Multipermutation: Example
- Representation of the finite field GF(2^8): polynomials of degree at most seven with coefficients in GF(2), modulo the irreducible polynomial
  $p(\xi) = \xi^8 + \xi^7 + \xi^6 + \xi^5 + \xi^4 + \xi^3 + 1$
- Addition: XOR
- Multiplication: usual multiplication of polynomials modulo p(ξ)
- Consider the following multipermutation on GF(2^8)^2:
  $\mu : \begin{pmatrix} x_1 \\ x_2 \end{pmatrix} \mapsto \begin{pmatrix} y_1 \\ y_2 \end{pmatrix} = \begin{pmatrix} 1 & \xi \\ 1 & 1 \end{pmatrix} \times \begin{pmatrix} x_1 \\ x_2 \end{pmatrix}$

Why is it a Multipermutation?
- Because μ is invertible:
  $\begin{pmatrix} 1 & \xi \\ 1 & 1 \end{pmatrix}^{-1} = \begin{pmatrix} \xi^7 + \xi^5 + \xi^3 & \xi^7 + \xi^5 + \xi^3 + 1 \\ \xi^7 + \xi^5 + \xi^3 & \xi^7 + \xi^5 + \xi^3 \end{pmatrix}$
- Because, when fixing x_1 to a constant c, both y_1 and y_2 are permutations of x_2:
  y_1 = c ⊕ (ξ · x_2), y_2 = c ⊕ x_2
- Because, when fixing x_2 to a constant c, both y_1 and y_2 are permutations of x_1:
  y_1 = x_1 ⊕ (ξ · c), y_2 = x_1 ⊕ c

Why is it a Multipermutation (2)?
- Because det(μ) ≠ 0 and every sub-determinant of μ is different from 0.

32/64-bit Architectures
- Lots of fast memory (L1 cache)
- Table lookups + XORs:
  $\begin{pmatrix} y_1 \\ y_2 \end{pmatrix} = x_1 \times \begin{pmatrix} 1 \\ 1 \end{pmatrix} \oplus x_2 \times \begin{pmatrix} \xi \\ 1 \end{pmatrix}$

8-bit Architectures
- Less memory at one's disposal → complete precomputation is impossible!
- The values of the matrix elements matter!
- Multiplications by 1 are "free" operations
- Possible to precompute the operation "multiplication by a constant c"

Our strategy
- Maximize the number of 1's in the matrix.
- Minimize the number of different constants.
- Two criteria ... among infinitely many others!
- Corollary (and disclaimer): it is always possible to find an architecture and side constraints such that our strategy leads to poor results.
- One of the constraints we did not consider: the inverse of a matrix must be "efficient" as well.

Results
- Definition of the concept of "bi-regular array"
- Find the minimal amounts of 1's and of different coefficients for bi-regular arrays
- Sequence of constructive proofs → matrix skeletons
- Examples of matrices

Bi-Regular Arrays
- A 2 × 2 array with entries in K is bi-regular if at least one row and one column have two different entries. Examples:
    1 1        1 1
    1 2        ξ ξ
  (the first is bi-regular; the second is not, since no row has two different entries)
- A q × p array with entries in K is bi-regular if all 2 × 2 sub-arrays are bi-regular.
- An MDS matrix must be a bi-regular array ... but the converse is not true!

From Bi-Regular Arrays to MDS Matrices
- Construct a bi-regular array with a large number of 1's and a small number of different coefficients.
- Find a suitable set of coefficients (if possible).
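The two-step recipe above (build a bi-regular skeleton, then look for coefficients that make it MDS) together with the sub-determinant criterion of the "Why is it a Multipermutation (2)?" slide, worked through in Python as an added example that is neither part of the slides nor FOX's own code: it implements GF(2^8) with the slides' polynomial p(ξ) (reduction constant 0x1F9), checks bi-regularity on symbolic entries, tests the MDS property by computing every square minor, and searches for (a, b) that turn the 4 × 4 skeleton of the (4, 4)-Multipermutation slide into an MDS matrix. All function names are mine, and the search returns the first pair it finds, which need not be the coefficients FOX64 actually uses.

```python
from functools import reduce
from itertools import combinations, product
from operator import xor

# Field of the slides: GF(2^8) = GF(2)[xi] / (xi^8 + xi^7 + xi^6 + xi^5 + xi^4 + xi^3 + 1), i.e. reduction by 0x1F9.
POLY, XI = 0x1F9, 0x02  # XI is the field element xi itself

def gf_mul(a, b):
    """Schoolbook product of two GF(2^8) elements, reduced modulo p(xi) after every shift."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a <<= 1
        a ^= POLY if a & 0x100 else 0
        b >>= 1
    return r

def gf_det(m):
    """Determinant by Laplace expansion along the first row (no signs in characteristic 2)."""
    if len(m) == 1:
        return m[0][0]
    return reduce(xor, (gf_mul(m[0][j], gf_det([row[:j] + row[j + 1:] for row in m[1:]]))
                        for j in range(len(m))), 0)

def is_mds(m):
    """Slide criterion: det(m) != 0 and every sub-determinant != 0, i.e. all square minors are non-zero."""
    n = len(m)
    return all(gf_det([[m[r][c] for c in cs] for r in rs])
               for k in range(1, n + 1) for rs in combinations(range(n), k) for cs in combinations(range(n), k))

def is_bi_regular(arr):
    """Every 2x2 sub-array needs a row and a column with two different entries; entries may be symbols."""
    for (r1, r2), (c1, c2) in product(combinations(range(len(arr)), 2), combinations(range(len(arr[0])), 2)):
        row_ok = arr[r1][c1] != arr[r1][c2] or arr[r2][c1] != arr[r2][c2]
        col_ok = arr[r1][c1] != arr[r2][c1] or arr[r1][c2] != arr[r2][c2]
        if not (row_ok and col_ok):
            return False
    return True

def fox64_skeleton(a, b):
    """The 'optimal' 4x4 skeleton of the slides: nine 1's plus the two constants a and b."""
    return [[a, 1, 1, 1], [1, 1, b, a], [1, a, 1, b], [1, b, a, 1]]

def find_coefficients():
    """Step two of the slides: scan GF(2^8) for (a, b) that turn the skeleton into an MDS matrix (first hit)."""
    return next(((a, b) for a in range(2, 256) for b in range(2, 256)
                 if a != b and is_mds(fox64_skeleton(a, b))), None)

MU = [[1, XI], [1, 1]]  # the 2x2 multipermutation mu of the slides
```

With a = 0xA8 the product gf_mul(0xA8, 0x03) equals 1, which is the slides' inverse entry ξ^7 + ξ^5 + ξ^3 = (1 + ξ)^-1 checked numerically.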
Highest Possible Number of 1's
Summary of our results (row and column headers are the two dimensions of the array):

      |  2   3   4   5   6   7   8
  2   |  3   4   5   6   7   8   9
  3   |  4   6   7   8   9  10  11
  4   |  5   7   9  10  12  13  14
  5   |  6   8  10  12  13  14  17
  6   |  7   9  12  13  16  18  19
  7   |  8  10  13  14  18  21  22
  8   |  9  11  14  17  19  22  24

Lowest Possible Number of Different Coefficients
Summary of our results (row and column headers are the two dimensions of the array):

      |  2   3   4   5   6   7   8
  2   |  2   2   2   3   3   3   3
  3   |  2   2   3   3   3   3   2
  4   |  2   3   3   3   4   4   4
  5   |  3   3   3   3   4   4   4
  6   |  3   3   4   4   4   4   5
  7   |  3   3   4   4   4   4   5
  8   |  3   4   4   4   5   5   5

A (4, 4)-Multipermutation
Example of an "optimal" 4 × 4 matrix:

  a 1 1 1
  1 1 b a
  1 a 1 b
  1 b a 1

- 9 coefficients equal to 1, 3 different values
- Used as diffusive component in the round function of FOX64

A Circulating-Like (8, 8)-Multipermutation
Example of a "non-optimal" 8 × 8 matrix:

  f 1 1 1 1 1 1 1
  1 1 a b c d e f
  1 f 1 a b c d e
  1 e f 1 a b c d
  1 d e f 1 a b c
  1 c d e f 1 a b
  1 b c d e f 1 a
  1 a b c d e f 1

- Used as diffusive component in the round function of FOX128

A (8, 8)-Multipermutation with Rectangle Patterns
Example of a "partially optimal" 8 × 8 matrix:

  b a c b d c 1 d
  b c a d b 1 c 1
  c b d a 1 b 1 c
  c d b 1 a 1 b d
  d c 1 b 1 a d b
  d 1 c 1 b d a c
  1 d 1 c d b c a
  1 1 d d c c b b

- Optimal number of different coefficients
- Non-optimal number of 1's

Thank You!
See you in 25 minutes for the presentation of ...

Any Question?
