The Design of Cryptographic S-Boxes using CSPs

Size: px

Start display at page:

Download "The Design of Cryptographic S-Boxes using CSPs"

Quentin Wilcox
7 years ago
Views:

1 The Design of Cryptographic S-Boxes using CSPs 1 V E N K A T E S H R A M A M O O R T H Y, M A R I U S C. S I L A G H I, T O S H I H I R O M A T S U I, K A T S U T O S H I H I R A Y A M A, a n d M A K O T O Y O K O O

2 Substitution-Permutation Network Proposed by Claude Shannon [1948]. All Feistel Ciphers Data Encryption Standard, 3-DES Blowfish, Twofish, Camellia, RC5 Advanced Encryption Standard International Data Encryption Algorithm (IDEA) 2 Linear Permutations Diffusion Nonlinear Substitution Confusion (S-Boxes) any linearity helps attackers designed via a combinatorial problem

3 S-P Networks and the Feistel Cipher 3 Invertible substitution Permutation S(L,R) L F(R),R S 1 (L',R') L' F(R'),R' S-P Network Feistel F function needs not be invertible. Any F leads to a sound cipher. Needs more rounds

4 The Function F of 3-DES 4 Expansion The eight S-Boxes

5 Example: The 3-DES 6 4 S-Box S Applying S 8 on 44 yields 14: Column 6 Row =1110 2

6 Major Attacks S-box design criteria developed as answer to attacks. Early Feistel cipher (Lucifer) weakness found [ 74] [DES;76] Differential Cryptanalysis [Biham, Shamir; 1993] not new in 1993, but had been classified [Coppersmith; 1994] still somewhat successful on DES because its avoidance requires solving a hard combinatorial design problem we model it as a CSP! Linear Cryptanalysis [Matsui; 1994] A more efficient exploit of the same weaknesses (with minor twists) 6 Same avoidance strategy (hard combinatorial design problem)

7 3-DES S-Box Criteria (Coppersmith, 1994) 7 The Criteria labeled S-1 to S-7, are stated as follows S-1: Each S-box has six bits of input and four bits of output S-2: No output bit of an S-box should be close to a linear function of the input bits. S-3: If we fix the leftmost and rightmost input bits of the S-box and vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities. S-4: If two inputs to an S-box differ in exactly one bit, the outputs must differ in at least two bits. (Avalanche) S-5: If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits S-6: If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same S-7: For any nonzero 6-bit difference between inputs, ΔI i,j, no more than eight of the 32 pairs of inputs exhibiting ΔI i,j may result in the same output difference ΔO i,j.

8 Why is S-Box Design an important Problem? S-Boxes for security They form the only nonlinear operation in an encryption process (all other operations being linear) Each successful linearization approximation can help break a few bits of the key A known hard problem Toy instances solved fast, but not real world instances Existing methodologies are suboptimal They did not find the strongest S-boxes as we illustrate using CSPs 8

9 Previous Methods for S-Box Design Hand-assembled Example: 3-DES Math functions known as difficult to analyze Example: GF 2 k Inversion (AES), Bent Functions Generate-And-Test, Random Assignments Using Genetic Algorithms (with Hill Climbing and Simulated Annealing to guide S-Box search) [ ] Capturing randomness from security protocols, keys [2008] Using Cellular Automata [2010] 9

10 n m S-Box Design Using CSPs Model each S-Box criterion into constraints Set of variables: X {x 0,x 1,...,x } 2 n 1 Domains (identical): m D {0,1,...,2 1} The constraints model the security criteria 10 Any solution to the CSP can be used as an S-Box Security to known attacks optimized with a soft constraint An assignment of a value from D to a variable x i in X Represents the S-Box output for input i In the sample 3-DES S-Box S 8, for example, x 44 = 14

11 S-1: Implicit Constraint S-1: Each S-box has six bits of input and four bits of output 11 This constraint is implicit in the CSP formulation n input bits 2 n variables. m output bits domain size 2 m.

12 The Nonlinearity Criterion S-2 S-2: Any (subsets of) output bits should be independent of any (subset of) input bits Gives rise to Matsui s quality metric of an S-Box Linearization Effectiveness: X( ) X a set of variables Φ the S-box function (assignment to variables in X) linearity if: some linear function = selected outputs (for all inputs) some linear function selected outputs (for all inputs) nonlinearity if: any linear function = selected outputs (for half of inputs) 12

13 Example nonlinearity evaluation 13 Take the function : {0,1} {0,1} {0,1} Count the number of linearization hits: a 0,a 1 : {(x 0,x 1 ) a 0 x 0 a 1 x 1 (x)}? x0 x1 y a0 a1 x=00 x=01 x=10 x=11 # #-2 2 /2 score = = =0 1=1 1= = Function Φ(x 0,x 1 ) 1,0,1,1 has score X( ) = 1

14 S-2 is a soft constraint. Implementing S-2 14 We need to minimize the Linearization Effectiveness We convert it into a hard constraint by fixing a threshold ( X /2) on it X( ) Projected into smaller arity constraints for propagation. [Soft 11]

15 3-DES Criterion S-3 16 S-3: If we fix the leftmost and rightmost input bits of the S-box and vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities. AllDiff(x 0, x 2,, x 28,x 30 ), AllDiff(x 1, x 3,, x 29, x 31 ), AllDiff(x 32, x 34,, x 60,x 62 ), AllDiff(x 33, x 35,, x 61, x 63 )

16 3-DES Criterion S-4 (Avalanche) 17 The 3-DES Criterion S-4: If any two inputs i and j to a 6 4 S-Box differ in one bit, its corresponding outputs should differ by at least two bits. Binary Constraints for S-4 in First Order Logic form: i, j 0,2 6 wt(i j) 1 wt x i x j 2 a b = bit-wise exclusive-or of integers a and b wt = Hamming weight

17 3-DES Criterion S-5 The 3-DES Criterion S-5: If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits 18 Binary Constraints for S-5 in First Order Logic form: ( i,j) 0 i,j < 64 i j i j = wt(x i x j ) 2 a b = bit-wise exclusive-or of integers a and b wt = Hamming weight

18 3-DES Criterion S-6 19 The 3-DES Criterion S-6: If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same Binary Constraints for S-6 in First Order Logic: ( i,j) 0 i<j < 64 ( i j ) = x i x j a b = bit-wise exclusive-or of integers a and b wt = Hamming weight

19 3-DES Criterion S-7 S-7: For any nonzero 6-bit difference between inputs, ΔI i,j, no more than eight of the 32 pairs of inputs exhibiting ΔI i,j may result in the same output difference ΔO i,j. 20 Global constraint, projected on any subset of at least 17 variables.

20 Challenges in CSP-Based S-Box Modeling Addressing inputs and outputs at the bit level Not well supported in first tried conventional CP solvers (particularly the nonlinearity requirement). We employed a MAC solver based on AC Comparing certain heuristics with nice properties (completeness) but that found no solution so far. We quantified the search space traversed on given ordering S p n m X ' 1 i 0 x i 2 m X i 1

21 Heuristics for 6 4 S-Boxes Three Heuristics reported here H S (64, ) n-ary constraints evaluated at the end H C (64, ) an incremental n-ary (projections of S-2 and S-7) H I (64, ) an incremental n-ary, that skips the less promising search areas (becoming incomplete). Threshold values for = 16 for H S (64, ) and H C (64, ) = 16, 10 for H I (64, ) 22

22 Results for 6 4 S-Boxes Performance of Heuristics H C (64, 16) proceeded times faster than H S (64,16) 23

23 Results for 6 4 S-Boxes Quality metric (score) of obtained S-Boxes H I (64,10) yielded a number of S-Boxes with a score equal to 8 Score better (more secure) than the worst 3-DES S-Box S 7 The score of S-Box S 7 is found to be equal to 18 Best previous score was ,600 such S-Boxes found in 1 hour Increased to more than 13,500 in 5 hours The score 8 proves to be easy for the CSP search with incomplete heuristic!! unreachable for the complete heuristics, prior techniques

24 A 6 4 S-Box Generated by our CSP Solver S-Box with Score = 8

25 Conclusions and Extensions CSP is the natural way to model S-Box criteria CSPs model complex requirements such as 3-DES security constraints Particularly nonlinearity CSPs aid us in obtaining stronger (more secure) S-Boxes (compared to 3-DES) Easily extensible to include various special security requirements as newer constraints, other S-box sizes 26

26 Questions?

Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard