Slide 1: Specification and Analysis of CRYPTON V1.0, Chae Hoon Lim, Future Systems, Inc. (KCDSA Task Force Team, Aug. 27, 1998)


Slide 2: Contents
- Design history
- Basic building blocks
- Encryption/decryption
- Key scheduling
- Security/efficiency analysis
- Conclusion

Slide 3: Design Objectives
- An efficient and secure block cipher
- Security:
  - security bounds high enough to defeat various existing attacks such as differential and linear cryptanalysis
  - a large safety margin for the future
- Efficiency:
  - high performance in software on large microprocessors
  - efficient implementation on low-cost 8-bit microprocessors
  - very high speed in hardware; low hardware complexity
- Simplicity

Slide 4: Design Choices
- Feistel vs Substitution-Permutation Network (SPN)
  - Feistel: more cryptanalytic experience, fewer constraints in round function design; poor parallelism
  - SPN: more parallelism, more hardware-efficient; more constraints in round function design
- Choice from two alternative designs
  - design based on Feistel: much like Twofish (SALTIS, unpublished)
  - design based on SPN: used the global structure of Square
  - final decision: an SPN-type cipher, CRYPTON

Slide 5: Main Features
- secure against existing attacks
- a simple, fine-grained design: easy to implement/analyze
- symmetry in encryption and decryption
- high performance on most CPU architectures
- fast key scheduling: much faster than one-block encryption
- efficient hardware implementation; low complexity
- high degree of parallelism, hence very high speed in hardware: can achieve several Gbits/sec using about gates

Slide 6: CRYPTON v1.0: Motivations / Changes
- Original AES proposal (CRYPTON v0.5): at almost the final stage of design, but not complete
- Motivations for revision:
  - key scheduling was under examination for modification
  - somewhat weak S-boxes; decided to replace the S-boxes with stronger ones at this opportunity
- Tried to keep changes minimal: no substantial redesign
- Changes:
  - key scheduling strengthened (overall structure unchanged)
  - new 8 x 8 S-boxes (2 S-boxes -> 4 S-boxes)

Slide 7: High-level Structure of CRYPTON
[Figure: input (4 x 4 byte array) -> input whitening (bit-wise key addition) -> round transformation (12 rounds, each consisting of byte-wise substitution, column-wise bit permutation, column-to-row transposition and bit-wise key addition) -> output transformation (row-wise bit permutation) -> output]

Slide 8: Notation
- Data representation in a 4 x 4 byte array: A = (A[3], A[2], A[1], A[0])^t, where each row A[i] is the 4-byte word (a_i3, a_i2, a_i1, a_i0):
  A[0] = a03 a02 a01 a00
  A[1] = a13 a12 a11 a10
  A[2] = a23 a22 a21 a20
  A[3] = a33 a32 a31 a30

Slide 9: Basic Building Blocks
- Components of the round transformation:
  - byte-wise substitution
  - column-wise bit permutation
  - column-to-row transposition
  - key XORing
- Round transformation (a composition, applied right to left):
  - even rounds: key XOR ∘ transposition ∘ even-round bit permutation ∘ even-round byte substitution
  - odd rounds: key XOR ∘ transposition ∘ odd-round bit permutation ∘ odd-round byte substitution

Slide 10: Encryption/Decryption
- Round keys:
  - i-th round encryption key: Ke_i = {Ke[4i+j]} (0 ≤ j ≤ 3)
  - i-th round decryption key: Kd_i = {Kd[4i+j]} (0 ≤ j ≤ 3)
  - decryption key transforms: transposition ∘ even-round bit permutation ∘ transposition (even version) and transposition ∘ odd-round bit permutation ∘ transposition (odd version)
  - Kd_i = even transform of Ke_i for even i, odd transform of Ke_i for odd i
- Encryption E_K:
- Decryption D_K: same as encryption except for using Kd instead of Ke

Slide 11: Byte-wise Substitution
[Figure: the 4 x 4 arrangement of the S-boxes S0, S1, S2, S3 over the byte array, one pattern for odd rounds and one for even rounds]

Slide 12: Column-wise Bit Permutation (1)
[Figure: odd rounds apply the column permutations indexed 3, 2, 1, 0 to the four columns; even rounds apply those indexed 1, 0, 3, 2]

Slide 13: Column-wise Bit Permutation (2)
- masks: m0 = 0xfc, m1 = 0xf3, m2 = 0xcf, m3 = 0x3f
- for 4-byte column vectors a and b, b = (column permutation 0)(a) is defined by: [formula shown as a figure on the slide]

Slide 14: Column-to-Row Transposition / Key Add
- Transposition: B = transpose(A), i.e. b_ij = a_ji
- Key addition: B = A XOR K row-wise, i.e. B[i] = A[i] ⊕ K[i] for i = 0, 1, 2, 3
[Figure: the 4 x 4 array a_ij before and after transposition]

Slide 15: Key Scheduling (1)
- Overall structure: two-step generation, which facilitates low-level implementations
[Figure: user key (0~32 bytes) -> expanded keys (32 bytes) -> encryption round keys; decryption round keys are obtained from them by the decryption transform]

Slide 16: Key Scheduling (2)
- Already planned at the beginning
- Known weakness: 2^32 weak keys for a 256-bit key
  - found by J. Borst and S. Vaudenay independently
  - due to regular patterns preserved in both round key generation and the round transformation
- Changes:
  - major changes made in round key generation
  - used distinct round constants
  - used 2/6-bit byte rotation and word-wise rotation
- Consequence: believed secure against most known key schedule weaknesses

Slide 17: Diffusion Property of the Bit Permutation (1)
- Achieves diffusion order 4, i.e. at least 4 active bytes on average per round
- Minimum diffusion set (union of the x-indexed and y-indexed sets) = {0x01, 0x02, 0x03, 0x04, 0x08, 0x0c, 0x10, 0x20, 0x30, 0x40, 0x80, 0xc0} ∪ {0x11, 0x12, 0x13, 0x21, 0x22, 0x23, 0x31, 0x32, 0x33, 0x44, 0x48, 0x4c, 0x84, 0x88, 0x8c, 0xc4, 0xc8, 0xcc}

Slide 18: Diffusion Property of the Bit Permutation (2)
- I_j = the set of input vectors of diffusion order 4 under the i-th column permutation with j nonzero bytes
- Number of minimum diffusion vectors = 204

Slide 19: Minimum Diffusion Patterns by the Odd-round Bit Permutation
[Figure: Type-1 to Type-4 patterns traced over Round 1 to Round 4]

Slide 20: Differential/Linear Prob. for an n x n S-box S
- S-box differential prob. (formula shown on the slide): x / y denote the input/output differences, resp.
- S-box linear prob. (formula shown on the slide): x / y denote the input/output selection vectors, resp.

Slide 21: S-box Construction (1)
- One 8 x 8 involution S-box S gives four S-boxes S_i, each built from S and a left bit rotation ROLn, with n = 1, 3, 7, 5 for S0, S1, S2, S3 respectively

Slide 22: S-box Construction (2)
- Design criteria for S-boxes:
  - should be efficiently implementable in hardware logic and on low-cost smart cards
  - the prob. of differential and linear characteristics should be as small as possible
  - high-prob. I/O differences/selection vectors in S should have as high Hamming weights as possible
  - the number of such pairs in all S_i's should be as small as possible when restricted to the minimum diffusion set

Slide 23: The S-box S Search Model
[Figure: bit permutation (P0, P1) -> ROLn (left rotate by n bits) -> inverse bit permutation (P0^-1, P1^-1)]

Slide 24: The Selected S-box S
[Figure: input x = x7..x0 passes through two 4-bit P-boxes P1, P0 to z7..z0, then a linear involution on z7..z0 producing w7..w0, then the inverse P-boxes P0^-1, P1^-1 to output y = y7..y0]

Slide 25: Differential/Linear Char. of S-boxes (1)
- Previous S-boxes: too many high-prob. I/O pairs
- The new S-boxes:
  - Pr(DC) ≤ 10/256 for only 7 pairs
  - Pr(LC) ≤ (32/128)^2 = 2^-4 for only 6 pairs
  - high-prob. characteristics: the sum of Hamming weights is at least 4, on average 8

Slide 26: Differential/Linear Char. of S-boxes (2)
- Observation:
  - min. 4 active bytes/round only for byte values in the minimum diffusion set
  - for such values, the max. entry in the distribution tables is 6 / 24
  - Pr(DC) ≤ 6/256
  - Pr(LC) ≤ (24/128)^2
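To make the measures of slide 20 concrete, here is an added example (my code, not from the slides or from Future Systems): it computes an S-box's maximum differential and linear probabilities in the form slides 25 and 26 use (count over 2^n, and (bias over 2^(n-1)) squared) and derives rotated S-boxes as on slide 21. The base S-box is a constructed 4-bit involution (inversion in GF(2^4)) standing in for CRYPTON's undisclosed 8 x 8 S, and applying ROLn on the output side of S is an assumption, since the slide does not fix the order.

```python
# Added example, not from the CRYPTON slides: slide 20 DC/LC probabilities and
# the slide 21 ROL-derived S-box family, run on a constructed 4-bit involution
# (inversion in GF(2^4) mod x^4+x+1) standing in for CRYPTON's 8x8 S-box S.
N = 4  # S-box width in bits (CRYPTON uses 8)

def gf16_mul(a, b):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (0x13), shift-and-add."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b >>= 1
        a = (a << 1) ^ (0x13 if a & 8 else 0)
    return r

def inverse_sbox():
    """x -> x^-1 with 0 -> 0: an involution, like CRYPTON's base S-box S."""
    inv = lambda x: next(y for y in range(1, 1 << N) if gf16_mul(x, y) == 1)
    return [0] + [inv(x) for x in range(1, 1 << N)]

def derived_sbox(S, r):
    """Slide 21 (assumed order): S_i(x) = ROL_r(S(x)); r = 1, 3, 7, 5 at 8 bits."""
    return [((v << r) | (v >> (N - r))) & ((1 << N) - 1) for v in S]

def max_diff_prob(S):
    """Slide 20: max over dx != 0, dy of Pr[S(x) ^ S(x ^ dx) = dy], plus its pairs."""
    size, best, pairs = 1 << N, 0, []
    for dx in range(1, size):
        for dy in range(size):
            count = sum(S[x] ^ S[x ^ dx] == dy for x in range(size))
            if count > best:
                best, pairs = count, []
            if count == best:
                pairs.append((dx, dy))
    return best / size, pairs

def max_lin_prob(S):
    """Slide 20: max over b != 0 of (|#{x: a.x = b.S(x)} - 2^(N-1)| / 2^(N-1))^2, plus pairs."""
    size, half, best, pairs = 1 << N, 1 << (N - 1), 0, []
    for a in range(size):
        for b in range(1, size):
            # a.x = b.S(x) exactly when the XOR of the two masked values has even parity
            agree = sum(bin((a & x) ^ (b & S[x])).count("1") % 2 == 0 for x in range(size))
            bias = abs(agree - half)
            if bias > best:
                best, pairs = bias, []
            if bias == best and bias:
                pairs.append((a, b))
    return (best / half) ** 2, pairs
```

Rotating the output of S permutes the columns of the difference and linear tables but leaves the maximum probabilities unchanged, which is why the slide 22 criterion counts high-probability pairs over all S_i rather than re-optimising each one.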

Slide 27: Differential/Linear Cryptanalysis - Bounds
- Observations:
  - min. no. of active S-boxes up to 8 rounds = 32
  - suppose that all such active S-boxes have the maximum Pr(DC) and Pr(LC) above; overall characteristic prob. of DC/LC up to 8 rounds:
    - p_C8 ≤ (max Pr(DC))^32
    - p_L8 ≤ (max Pr(LC))^32
  - differentials and linear hulls / multiple linear approximations may increase the probabilities by a constant factor

Slide 28: Differential/Linear Cryptanalysis - Simulation
- Partial exhaustive search over the minimum diffusion set
- theoretically breakable up to 7 rounds

Slide 29: Variants/Extensions of DC/LC
- Variants of DC:
  - truncated/higher-order differentials
  - impossible differentials: a number of impossible differentials up to 4 rounds; none for more than 5 rounds
- Variants of LC: nonlinear approximations, generalized LC, partitioning cryptanalysis

Slide 30: Other Possible Attacks
- interpolation attacks: no simple algebraic description
- dedicated SQUARE attacks:
  - the best known attack up to 6 rounds
  - can't be extended to versions with more rounds
- side-channel cryptanalysis: timing attacks, differential fault analysis, differential power analysis
- key schedule cryptanalysis: weak keys, semi-weak keys, equivalent keys; simple relations, related keys

Slide 31: Software Efficiency
- 32-bit microprocessors: same as the previous version
  - Pentium Pro 200 MHz, Windows 95, MSVC 5.0
  - UltraSparc 167 MHz, Solaris 2.5, GNU C
- 8-bit microprocessors: 256 byte ROM, 52 byte RAM; a little slower than the previous version

Slide 32: Hardware Efficiency
- Gate array implementation of a 2-round iterative version
  - VHDL description & logic synthesis using Synopsys + HYUNDAI's 0.35 micron gate array library
- Simulation results: [table shown on the slide]

Slide 33: Conclusion
- Advantages:
  - strong security against various known attacks (with at least a 3-round safety margin)
  - symmetry in encryption and decryption
  - uniformly fast on various architectures in software
  - efficiently implementable in hardware
  - high degree of parallelism: very high speed in hardware
- Remarks:
  - can be freely used: royalty-free
  - any comments/analysis reports are welcome