An Algebraic Approach to the Design of Block Ciphers, José Valença (PowerPoint PPT Presentation)



SLIDE 1

An Algebraic Approach to the Design of Block Ciphers

José Valença, Óscar Pereira, Tiago Oliveira

{ jmvalenca, oscar, tfaoliveira }@di.uminho.pt

HASLab, INESC TEC & Univ. of Minho (PT)

Mathematical Methods for Cryptography, Svolvær, Lofoten, Norway, September 2017

SLIDE 2

In the beginning. . .

. . . there was Óscar’s MSc thesis

Wanted to build a (symmetric) cipher, using:

  • APNL (Almost Perfect Non-Linear) functions
  • CRT (Chinese Remainder Theorem)

GOAL: simple algebraic description

2/15

SLIDE 3

And speaking of GOALs. . .

We also aim to. . .

  • Be able to formally reason about security
  • Have a reasonably efficient implementation

On the latter goal, we’re not quite there yet. . .

3/15

SLIDE 4

Cipher structure

  • Confusion-Diffusion Permutation (CDP)
  • Round (basically a keyed CDP)
  • Substitution-Permutation Network (SPN) — iterated round

4/15

SLIDE 5

CDP version 1

[Diagram: Xq →(modq) Πq →(S) Πq →(crtq) Xq]

  • Xq → ring GF(2)[x]/⟨Φ257⟩, where Φ257 = 1 + x + x^2 + ... + x^256
  • Πq → product ring ∏_{i=0}^{15} GF(2)[x]/⟨qi⟩, where each qi is irreducible and of degree 16
  • S → layer of Sboxes, aligned with the qi’s

5/15

SLIDE 6

CDP version 1

[Diagram: Xq →(modq) Πq →(S) Πq →(crtq) Xq]

Problems:

  • “good” sbox layer requires prod. ring with odd degree factors
  • key mixing also in Xq (≅ Πq) → hence it is a block-wise op, i.e. little actual mixture

6/15

SLIDE 7

CDP version 2

[Diagram: Xp →(modp) Πp →(S) Πp →(crtp) Xp]

  • Πp → prod. ring, with pi irreducible and of deg 9 or 11 [(11 × 5 + 9) × 4 = 64 × 4 = 256]
  • Xp → ring over GF(2), with modulus ∏ pi

This is what is really implemented

7/15
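To make the modp → S → crtp pipeline concrete, here is an added Python toy (not the authors' implementation) of the version-2 CDP on an 8-bit block: the factors of degree 3 + 5, and the 2 + 6 split used to illustrate the odd-degree requirement from the previous slide, are constructed parameters, and the S-box is assumed to be the APN power map x → x^3 in each factor field.

```python
# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i.
def pmul(a, b):
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, m):
    """Quotient and remainder of a by m in GF(2)[x]."""
    q = 0
    while a.bit_length() >= m.bit_length():
        s = a.bit_length() - m.bit_length()
        q, a = q ^ (1 << s), a ^ (m << s)
    return q, a

def ppow(a, e, m):
    """a^e mod m by square-and-multiply."""
    r, a = 1, pdivmod(a, m)[1]
    while e:
        if e & 1:
            r = pdivmod(pmul(r, a), m)[1]
        a, e = pdivmod(pmul(a, a), m)[1], e >> 1
    return r

def crt(residues, factors):
    """crt_p: residues r_i mod p_i -> the unique element mod p = prod p_i."""
    p = 1
    for f in factors:
        p = pmul(p, f)
    x = 0
    for r, f in zip(residues, factors):
        m_i = pdivmod(p, f)[0]                               # M_i = p / p_i
        inv = ppow(m_i, (1 << (f.bit_length() - 1)) - 2, f)  # M_i^-1 in GF(2^deg f)
        x ^= pmul(r, pmul(m_i, inv))                         # term is 1 mod p_i, 0 mod p_j
    return pdivmod(x, p)[1]

def cdp(x, factors, d=3):
    """One CDP: mod_p (reduce per factor), x -> x^d in each factor field, crt_p back."""
    return crt([ppow(pdivmod(x, f)[1], d, f) for f in factors], factors)

# Constructed toy parameters, not the talk's degree-9/11 factors: an 8-bit block.
ODD_FACTORS = [0b1011, 0b100101]    # x^3+x+1, x^5+x^2+1 (3 + 5 = 8 bits)
EVEN_FACTORS = [0b111, 0b1000011]   # x^2+x+1, x^6+x+1 (2 + 6 = 8 bits)

def is_permutation(factors, d=3, bits=8):
    """x^d is bijective on GF(2^n) iff gcd(d, 2^n - 1) = 1; for d = 3 that needs odd n."""
    return sorted(cdp(x, factors, d) for x in range(1 << bits)) == list(range(1 << bits))
```

With the 2 + 6 split, x^3 is constant on GF(4)* and 3 divides 2^6 - 1, so the layer collapses inputs and the CDP is no longer a permutation.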

SLIDE 8

CDP: two views

[Diagram: top row Xp →(modp) Πp →(S) Πp →(crtp) Xp; bottom row Xq →(modq) Πq →(FS) Πq →(crtq) Xq; the rows are joined by lift arrows from Xp to Xq and a π arrow between the product rings]

FS is such that it makes the diagram commute

Goal: reduce analysis to studying FS

8/15

SLIDE 9

Round

[Diagram: x →(+ μ) π →(× ν) y]

  • Most operations can be stored as pre-computed matrices
  • Multiplicative key: op. done in Xq (not Xp)
  • MK: increases the algebraic degree of equations? (i.e. increases resistance to algebraic cryptanalysis?)

9/15

SLIDE 10

Is it secure?

A tentative argument. . .

  • APNL / AB strengthens differential immunity
  • And to some extent, linear immunity. . .
  • Niho exponents (APNL power functions) increase algebraic immunity (cf. J. Cheon and D.H. Lee, “Almost Perfect Nonlinear Power Functions and Algebraic Attacks”, 2004)

10/15

SLIDE 11

Three ending notes

  • More of a “framework for ciphers” than a cipher per se
  • Diffusion matrices
  • A (tentative) lattice-based attack

11/15

SLIDE 12

Diffusion matrices

  • Prob. of output weight r, when input has weight ℓ?
  • $\overline{F} = \Pr[F = 0]$
  • $\psi_r(x) = 1$ iff $\mathrm{hw}(x) = r$

$$DM_{\ell,r} = \overline{(\psi_r \circ F) \times \psi_\ell} \,/\, \overline{\psi_\ell}$$

  • Spheres not centered in 0: flipping bits in arbitrary vectors
  • Size is (n + 1) × (n + 1)!

12/15

SLIDE 13

The lattice attack (KPA)

[Diagram: x →(+ μ) S →(s) (× ν) → y, with S the power map x → x^d computed mod p and the multiplication by ν computed mod q]

  • s = (x + μ)^d (mod p)
  • y = s × ν (mod q)
  • Resembles Coppersmith (deg(s, μ, ν) < blocksize)
  • Extends Cohn & Heninger (2013)

13/15

SLIDE 14

So to conclude. . .

Feedback is welcome:

  • Efficiency improvements
  • The algebraic aspects (starting with the mult. keys)

14/15

SLIDE 15

Questions. . .

15/15