Slide 1: Specification and Analysis of CRYPTON V1.0
Chae Hoon Lim, Future Systems, Inc.
KCDSA Task Force Team, Aug. 27, 1998
Slide 2: Contents
- Design history
- Basic building blocks
- Encryption/decryption
- Key scheduling
- Security/efficiency analysis
- Conclusion
Slide 3: Design Objectives
- An efficient and secure block cipher
- Security:
  - security bounds high enough to defeat existing attacks such as differential and linear cryptanalysis
  - a large safety margin for the future
- Efficiency:
  - high performance in software on large microprocessors
  - efficient implementation on low-cost 8-bit microprocessors
  - very high speed in hardware; low hardware complexity
- Simplicity
Slide 4: Design Choices
- Feistel vs. Substitution-Permutation Network (SPN)
  - Feistel: more cryptanalytic experience, fewer constraints in round function design; poor parallelism
  - SPN: more parallelism, more hardware-efficient; more constraints in round function design
- Choice from two alternative designs
  - design based on Feistel: much like Twofish; SALTIS (unpublished)
  - design based on SPN: used the global structure of Square
  - final decision: SPN-type cipher CRYPTON
Slide 5: Main Features
- secure against existing attacks
- a simple, fine-grained design: easy to implement/analyze
- symmetry in encryption and decryption
- high performance on most CPU architectures
- fast key scheduling: much faster than one-block encryption
- efficient hardware implementation; low complexity
- high degree of parallelism, very high speed in hardware: can achieve several Gbit/s using about 30000 gates
Slide 6: CRYPTON v1.0: Motivations / Changes
- Original AES proposal (CRYPTON v0.5):
  - at almost the final stage of design, but not complete
- Motivations for revision:
  - key scheduling was under examination for modification
  - somewhat weak S-boxes; decided to replace the S-boxes with stronger ones at this opportunity
- Tried to keep changes minimal: no substantial redesign
- Changes:
  - key scheduling strengthened (overall structure unchanged)
  - new 8 x 8 S-boxes (2 S-boxes --> 4 S-boxes)
Slide 7: High-level Structure of CRYPTON
[Figure: data flow on a 4 x 4 byte array. Input -> input whitening (bit-wise key addition) -> round transformation, repeated for 12 rounds: byte-wise substitution, column-wise bit permutation, column-to-row transposition, bit-wise key addition -> output transformation -> output.]
Slide 8: Notation
- Data representation in a 4 x 4 byte array: A = (A[3], A[2], A[1], A[0])^t, where each row A[i] is a 4-byte word:
  A[0] = (a_03, a_02, a_01, a_00)
  A[1] = (a_13, a_12, a_11, a_10)
  A[2] = (a_23, a_22, a_21, a_20)
  A[3] = (a_33, a_32, a_31, a_30)
Slide 9: Basic Building Blocks
- Components of the round transformation:
  - byte-wise substitution
  - column-wise bit permutation
  - column-to-row transposition
  - key xoring
- Round transformation (compositions read right to left):
  - even rounds: key xoring with K o transposition o bit permutation (even) o substitution (even)
  - odd rounds: key xoring with K o transposition o bit permutation (odd) o substitution (odd)
Slide 10: Encryption/Decryption
- Round keys
  - i-th round encryption: K^e_i = {K^e[4i+j]} (0 <= j <= 3)
  - i-th round decryption: K^d_i = {K^d[4i+j]} (0 <= j <= 3)
  - key transforms: even variant = transposition o bit permutation (even) o transposition; odd variant = transposition o bit permutation (odd) o transposition
  - K^d_i = (even transform)(K^e_i) for even i, (odd transform)(K^e_i) for odd i
- Encryption E_K
- Decryption D_K:
  - same as encryption except for using K^d instead of K^e
Slide 11: Byte-wise Substitution
[Figure: 4 x 4 arrangement of the four S-boxes S0, S1, S2, S3 over the byte array, one layout for odd rounds and one for even rounds.]
Slide 12: Column-wise Bit Permutation (1)
[Figure: mask index arrangement per column; odd rounds use the order 3 2 1 0, even rounds the order 1 0 3 2.]
Slide 13: Column-wise Bit Permutation (2)
- m_0 = 0xfc, m_1 = 0xf3, m_2 = 0xcf, m_3 = 0x3f
- for 4-byte column vectors a and b, b = (odd-round bit permutation)(a) is defined by a formula over these masks
Slide 14: Column-to-Row Transposition / Key Add
- Transposition: B = (transpose of A), i.e. b_ij = a_ji
- Key addition: B = A xor K, i.e. B[i] = A[i] xor K[i] for i = 0, 1, 2, 3
[Figure: the 4 x 4 byte array A and its transpose.]
Slide 15: Key Scheduling (1)
- Overall structure: two-step generation, to facilitate low-level implementations
[Figure: User key (0~32 bytes) -> Expanded keys (32 bytes) -> Encryption round keys -> (decryption transform) -> Decryption round keys.]
Slide 16: Key Scheduling (2)
- Already planned at the beginning
- Known weakness: 2^32 weak keys for 256-bit keys
  - found by J. Borst and S. Vaudenay independently
  - due to regular patterns preserved in both round key generation and round transformation
- Changes:
  - major changes made in round key generation
  - used distinct round constants
  - used 2/6-bit byte rotation and word-wise rotation
- Consequence: believed secure against most known key schedule weaknesses
Slide 17: Diffusion Property of the Bit Permutation (1)
- Achieves diffusion order 4: at least 4 active bytes on average per round
- Minimum diffusion set = union of the following two sets (subscripted x and y on the slide):
  - {0x01, 0x02, 0x03, 0x04, 0x08, 0x0c, 0x10, 0x20, 0x30, 0x40, 0x80, 0xc0}
  - {0x11, 0x12, 0x13, 0x21, 0x22, 0x23, 0x31, 0x32, 0x33, 0x44, 0x48, 0x4c, 0x84, 0x88, 0x8c, 0xc4, 0xc8, 0xcc}
Slide 18: Diffusion Property of the Bit Permutation (2)
- I_j = the set of input vectors of diffusion order 4 under the bit permutation with j nonzero bytes
- Number of minimum diffusion vectors = 48 + 48 + 60 + 48 = 204
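The following is an added worked example; it is not code from the slides or from CRYPTON's reference implementation. It implements the three linear building blocks on the 4 x 4 byte array (column-wise bit permutation with the masks of slide 13, column-to-row transposition and key addition from slide 14) and then brute-forces the diffusion claims of slides 17 and 18. The exact mask arrangement per row is an assumption: we read the "3 2 1 0" / "1 0 3 2" orders of slide 12 as b[i] = XOR over j of (a[j] & m[(i+j+s) mod 4]) with s = 0 for odd rounds and s = 2 for even rounds. Under that reading the permutation is an involution (checked on the 32 unit vectors, which suffices because it is linear over GF(2)), its diffusion order is 4, and the single-byte inputs attaining order 4 are exactly the 12 values of the first set on slide 17, 48 vectors in total as slide 18 states.

```python
# Masks exactly as given on slide 13.
M = (0xfc, 0xf3, 0xcf, 0x3f)


def pi(col, even=False):
    """Column-wise bit permutation of a 4-byte column col = (a0, a1, a2, a3).

    ASSUMPTION: b[i] = XOR over j of (a[j] & M[(i + j + s) % 4]) with s = 0 for
    odd rounds and s = 2 for even rounds (our reading of slide 12). Every row
    uses all four masks once, and each mask drops one 2-bit group of its byte.
    """
    s = 2 if even else 0
    out = []
    for i in range(4):
        b = 0
        for j in range(4):
            b ^= col[j] & M[(i + j + s) % 4]
        out.append(b)
    return tuple(out)


def tau(state):
    """Column-to-row transposition: b_ij = a_ji (slide 14)."""
    return tuple(tuple(state[j][i] for j in range(4)) for i in range(4))


def sigma(state, key):
    """Key addition: B[i] = A[i] xor K[i], byte by byte (slide 14)."""
    return tuple(tuple(x ^ k for x, k in zip(row, krow))
                 for row, krow in zip(state, key))


def is_involution(even=False):
    """pi is GF(2)-linear, so pi(pi(e)) == e on the 32 unit vectors proves
    pi o pi == identity on all 2^32 columns."""
    for byte in range(4):
        for bit in range(8):
            e = [0, 0, 0, 0]
            e[byte] = 1 << bit
            e = tuple(e)
            if pi(pi(e, even), even) != e:
                return False
    return True


def active(col):
    """Number of nonzero bytes in a column."""
    return sum(1 for x in col if x)


def diffusion_search(even=False):
    """Diffusion order = min over nonzero columns of (active input bytes +
    active output bytes). Columns with 1 or 2 nonzero bytes are enumerated;
    columns with 3 or 4 nonzero bytes already give >= 4 because pi is a
    bijection (at least one active output byte). Also returns the single-byte
    values that reach order 4, for comparison with slide 17."""
    order = 8
    single_values, single_count = set(), 0
    for k in range(4):
        for d in range(1, 256):
            col = [0, 0, 0, 0]
            col[k] = d
            total = 1 + active(pi(tuple(col), even))
            order = min(order, total)
            if total == 4:
                single_values.add(d)
                single_count += 1
    for k1 in range(4):
        for k2 in range(k1 + 1, 4):
            for d1 in range(1, 256):
                for d2 in range(1, 256):
                    col = [0, 0, 0, 0]
                    col[k1], col[k2] = d1, d2
                    order = min(order, 2 + active(pi(tuple(col), even)))
    return {"order": order, "single_byte_count": single_count,
            "single_byte_values": single_values}


if __name__ == "__main__":
    r = diffusion_search()
    print("involution (odd, even):", is_involution(), is_involution(True))
    print("diffusion order:", r["order"],
          "single-byte minimum diffusion vectors:", r["single_byte_count"])
    print("values:", sorted(hex(v) for v in r["single_byte_values"]))
```

Why the single-byte minimum set comes out as it does: each mask clears exactly one 2-bit group, and a single active byte meets all four masks across the four output bytes, so an input difference confined to one 2-bit group (0x01, 0x02, 0x03, 0x04, ...) is killed by exactly one mask and leaves 3 active output bytes, while any difference spanning two or more groups leaves 4. The two-byte enumeration takes a few seconds in CPython.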
Slide 19: Minimum Diffusion Patterns (odd-round bit permutation)
[Figure: four pattern types (Type-1 to Type-4) traced over Rounds 1 to 4.]
Slide 20: Differential/Linear Probability for an n x n S-box S
- S-box differential probability:
  - x / y: input/output differences, respectively
- S-box linear probability:
  - x / y: input/output selection vectors, respectively
Slide 21: S-box Construction (1)
- One 8 x 8 involution S-box S
- Four S-boxes S_i derived from S by bit rotations: S with ROL1 -> S0; S with ROL3 -> S1; S with ROL7 -> S2; S with ROL5 -> S3
Slide 22: S-box Construction (2)
- Design criteria for S-boxes:
  - should be efficiently implementable in hardware logic and on low-cost smart cards
  - the probability of differential and linear characteristics should be as small as possible
  - high-probability I/O differences/selection vectors in S should have as high Hamming weights as possible
  - the number of such pairs in all S_i's should be as small as possible when restricted to the minimum diffusion set
Slide 23: The S-box Search Model
[Figure: bit permutation (P0, P1) -> ROLn (left rotate by n bits) -> inverse bit permutation (P0^-1, P1^-1).]
Slide 24: The Selected S-box S
[Figure: input x = (x7 ... x0) -> 4-bit P-boxes P0, P1 -> z = (z7 ... z0) -> linear involution (a fixed rewiring of z7 ... z0) -> w = (w7 ... w0) -> inverse P-boxes P0^-1, P1^-1 -> output y = (y7 ... y0).]
Slide 25: Differential/Linear Characteristics of S-boxes (1)
- Previous S-boxes: too many high-probability I/O pairs
- The new S-boxes:
  - Pr(DC) <= 10/256 = 2^-4.68, for only 7 pairs
  - Pr(LC) <= (32/128)^2 = 2^-4, for only 6 pairs
  - high-probability characteristics: sum of Hamming weights is at least 4, on average 8
Slide 26: Differential/Linear Characteristics of S-boxes (2)
- Observation:
  - minimum 4 active bytes/round only for byte values in the minimum diffusion set
  - for such values, maximum entry in the distribution tables: 6 / 24
  - Pr(DC) <= 6/256 = 2^-5.42
  - Pr(LC) <= (24/128)^2 = 2^-4.83
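The following is an added worked example, not code from the slides and not the CRYPTON S-box. It builds an 8-bit involution S-box along the lines of the search model on slides 23 and 24 (4-bit P-boxes, a linear involution, inverse P-boxes) and then computes the quantities slides 20, 25 and 26 refer to: the maximum differential probability, the maximum linear probability in the slides' (|count - 128| / 128)^2 form, and the Hamming-weight sums of the I/O pairs attaining them. The two 4-bit permutations and the linear involution are constructed stand-ins (assumed, chosen only for being bijections), and the way the four derived boxes S0..S3 are obtained from S by rotation is our reading of slide 21, arranged so that S2 and S3 invert S0 and S1. What the example shows regardless of those assumptions is why the P^-1 o L o P structure yields an involution, and how the tables behind Pr(DC) and Pr(LC) are evaluated.

```python
# CONSTRUCTED stand-in 4-bit permutations (rows 0 and 1 of the DES S1 table,
# used only because they are convenient bijections on 16 values).
P0 = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
P1 = [0x0, 0xF, 0x7, 0x4, 0xE, 0x2, 0xD, 0x1, 0xA, 0x6, 0xC, 0xB, 0x9, 0x5, 0x3, 0x8]
P0_INV = [P0.index(v) for v in range(16)]
P1_INV = [P1.index(v) for v in range(16)]
# CONSTRUCTED linear involution: output bit i <- input bit L_PERM[i], chosen so
# that L_PERM[L_PERM[i]] == i and each output nibble draws on both input nibbles.
L_PERM = [3, 6, 5, 0, 7, 2, 1, 4]


def pboxes(x, hi, lo):
    """Apply 4-bit permutation hi to the high nibble and lo to the low nibble."""
    return (hi[x >> 4] << 4) | lo[x & 0xF]


def linear_involution(z):
    return sum(((z >> L_PERM[i]) & 1) << i for i in range(8))


def make_sbox():
    """S = P^-1 o L o P; since L o L = id, S o S = id, so S is an involution."""
    return [pboxes(linear_involution(pboxes(x, P0, P1)), P0_INV, P1_INV)
            for x in range(256)]


def rol8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


S = make_sbox()
# ASSUMED reading of slide 21 ("S, ROL1 -> S0", ...): S0/S1 rotate the input,
# S2/S3 rotate the output, so that S2 = S0^-1 and S3 = S1^-1.
S0 = [S[rol8(x, 1)] for x in range(256)]
S1 = [S[rol8(x, 3)] for x in range(256)]
S2 = [rol8(S[x], 7) for x in range(256)]
S3 = [rol8(S[x], 5) for x in range(256)]


def is_involution(sbox):
    return all(sbox[sbox[x]] == x for x in range(len(sbox)))


def max_differential(sbox):
    """Largest differential probability over nonzero input differences, as
    count/2^n, with the (dx, dy) pairs attaining it."""
    n = len(sbox)
    best, pairs = 0, []
    for dx in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        for dy, c in enumerate(counts):
            if c > best:
                best, pairs = c, [(dx, dy)]
            elif c == best:
                pairs.append((dx, dy))
    return best / n, pairs


def _walsh(signs):
    """Walsh-Hadamard transform of a +-1 sequence of length 2^n."""
    a, h = list(signs), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def max_linear(sbox):
    """Largest linear probability in the slides' form (|count - n/2| / (n/2))^2
    over nonzero selection vectors (a on the input, b on the output), with the
    pairs attaining it. The Walsh coefficient W[a] equals 2*count - n, so the
    value is (|W[a]| / n)^2."""
    n = len(sbox)
    best, pairs = 0, []
    for b in range(1, n):
        w = _walsh([1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(n)])
        for a in range(1, n):
            if abs(w[a]) > best:
                best, pairs = abs(w[a]), [(a, b)]
            elif abs(w[a]) == best:
                pairs.append((a, b))
    return (best / n) ** 2, pairs


def weight_stats(pairs):
    """Min and mean of Hamming-weight sums over (input, output) pairs (slide 25)."""
    sums = [bin(u).count("1") + bin(v).count("1") for u, v in pairs]
    return min(sums), sum(sums) / len(sums)


if __name__ == "__main__":
    dp, dpairs = max_differential(S)
    lp, lpairs = max_linear(S)
    print("involution:", is_involution(S),
          "S2 o S0 = id:", all(S2[S0[x]] == x for x in range(256)))
    print("max DP = %d/256 over %d pairs, weight sums (min, mean) = %s"
          % (dp * 256, len(dpairs), weight_stats(dpairs)))
    print("max LP = %.4f over %d pairs, weight sums (min, mean) = %s"
          % (lp, len(lpairs), weight_stats(lpairs)))
```

To evaluate a real 8 x 8 table, replace S with that table; the functions only need a 256-entry list. The linear-probability computation uses the Walsh transform so that all 255 x 255 selection-vector pairs are covered in well under a second, which matters when the criterion is the number of pairs reaching the maximum rather than the maximum alone.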
Slide 27: Differential/Linear Cryptanalysis - Bounds
- Observations:
  - minimum number of active S-boxes up to 8 rounds = 32
  - suppose that all such active S-boxes have Pr(DC) = 2^-5.42 and Pr(LC) = 2^-4.83
- Overall characteristic probability of DC/LC up to 8 rounds:
  - p_C8 <= (2^-5.42)^32 = 2^-173.3
  - p_L8 <= (2^-4.83)^32 = 2^-154.6
- Differentials, linear hulls / multiple linear approximations:
  - may increase the probabilities by a constant factor
Slide 28: Differential/Linear Cryptanalysis - Simulation
- Partial exhaustive search over the minimum diffusion set
- theoretically breakable up to 7 rounds
Slide 29: Variants/Extensions of DC/LC
- Variants of DC:
  - truncated/higher-order differentials
  - impossible differentials: a number of impossible differentials up to 4 rounds; none for more than 5 rounds
- Variants of LC:
  - nonlinear approximations, generalized LC, partitioning cryptanalysis
Slide 30: Other Possible Attacks
- interpolation attacks: no simple algebraic description
- dedicated SQUARE attacks:
  - the best known attack, up to 6 rounds
  - cannot be extended to versions with more rounds
- Side-channel cryptanalysis:
  - timing attacks
  - differential fault analysis
  - differential power analysis
- Key schedule cryptanalysis:
  - weak keys, semi-weak keys, equivalent keys
  - simple relations, related keys
Slide 31: Software Efficiency
- 32-bit microprocessors: same as the previous version
  - Pentium Pro 200 MHz, Windows 95, MSVC 5.0
  - UltraSparc 167 MHz, Solaris 2.5, GNU C
- 8-bit microprocessors: 256 byte ROM, 52 byte RAM; a little bit slower than the previous version
Slide 32: Hardware Efficiency
- Gate array implementation of a 2-round iterative version
  - VHDL description and logic synthesis using Synopsys + HYUNDAI's 0.35 micron gate array library
- Simulation results:
Slide 33: Conclusion
- Advantages:
  - strong security against various known attacks (with at least a 3-round safety margin)
  - symmetry in encryption and decryption
  - uniformly fast on various architectures in software
  - efficiently implementable in hardware
  - high degree of parallelism: very high speed in hardware
- Remarks:
  - can be freely used: royalty-free
  - welcome any comments/analysis reports