Overview on S-Box Design Principles




Debdeep Mukhopadhyay, Assistant Professor, Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, INDIA - 721302

What is an S-Box?
S-Boxes are Boolean mappings from $\{0,1\}^m \to \{0,1\}^n$, i.e. $m \times n$ mappings. Thus there are $n$ component functions, each being a map from $m$ bits to 1 bit; in other words, each component function is a Boolean function in $m$ Boolean variables.

Security IIT Kharagpur 1

Boolean Function
A Boolean function is a mapping from $\{0,1\}^n \to \{0,1\}$. A Boolean function on $n$ inputs can be represented in minimal sum (XOR, $+$) of products (AND, $\cdot$) form:
$$f(x_1,\ldots,x_n) = a_0 + a_1 x_1 + \cdots + a_n x_n + a_{1,2}\, x_1 x_2 + \cdots + a_{n-1,n}\, x_{n-1} x_n + \cdots + a_{1,2,\ldots,n}\, x_1 x_2 \cdots x_n$$
This Algebraic Normal Form (ANF) is canonical: each function has exactly one. If all the AND terms (degree two and higher) have zero coefficients we have an affine function; if the constant term $a_0$ is also 0, we have a linear function.

Let $f : \Sigma_n \to \{0,1\}$ be a Boolean function, where $\Sigma_n = \{0,1\}^n$ and $\alpha_i$ denotes the $n$-bit binary representation of $i$. The binary sequence $(f(\alpha_0), f(\alpha_1), \ldots, f(\alpha_{2^n-1}))$ is called the truth table of $f$. The $\pm 1$ sequence $((-1)^{f(\alpha_0)}, (-1)^{f(\alpha_1)}, \ldots, (-1)^{f(\alpha_{2^n-1})})$ is called the sequence of $f$.

Balanced Function
A Boolean function is said to be balanced if its truth table has an equal number of ones and zeros, i.e. $2^{n-1}$ of each. The Hamming weight of a binary sequence is the number of ones in it.

Scalar Product of Sequences
Consider two Boolean functions $f$ and $g$, and let $\eta$ be the sequence of $f$ and $\varepsilon$ the sequence of $g$. Define
$$\langle \eta, \varepsilon \rangle = (\#\text{ cases where } f = g) - (\#\text{ cases where } f \neq g),$$
which is simply the ordinary inner product of the two $\pm 1$ vectors.

Non-linearity
The non-linearity of a Boolean function is defined as the distance between the function and the set of all affine functions:
$$N_f = \min_{g \in A} d(f, g),$$
where $A$ is the set of all affine functions over $\Sigma_n$ and $d(f,g)$ is the Hamming distance between the truth tables of $f$ and $g$. Since $\langle \eta, \varepsilon \rangle = 2^n - 2\,d(f,g)$,
$$d(f, g) = 2^{n-1} - \tfrac{1}{2} \langle \eta, \varepsilon \rangle,$$
and because every affine function is either a linear function or its complement (sequence $l_i$ or $-l_i$),
$$N_f = 2^{n-1} - \tfrac{1}{2} \max_{i} |\langle \eta, l_i \rangle|, \qquad i = 0, 1, \ldots, 2^n - 1,$$
where $l_i$ is the sequence of the $i$-th linear function in $x$.

A Compact Representation of all the Linear Functions
Hadamard matrix: any $r \times r$ matrix $H$ with elements in $\{-1, 1\}$ such that $H H^T = r I_r$, where $I_r$ is the identity matrix of dimension $r \times r$.
Walsh-Hadamard (Sylvester) matrix:
$$H_0 = (1), \qquad H_n = \begin{pmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{pmatrix}, \quad n = 1, 2, \ldots$$
Each row of $H_n$ is the sequence of a linear function in $x \in \{0,1\}^n$: row $i$, written $l_i$, is the sequence of the Boolean function $g(x) = \langle \alpha_i, x \rangle$ (inner product mod 2), where $\alpha_i$ is the binary representation of $i$. Note that $\alpha_i$ and $x$ are not sequences but binary tuples of length $n$.
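The definitions of the last three slides are small enough to check mechanically. The following is an added example, not code from the lecture; it builds the truth table and $\pm 1$ sequence of a function, verifies the identity $d(f,g) = 2^{n-1} - \tfrac{1}{2}\langle\eta,\varepsilon\rangle$, constructs $H_n$ recursively and confirms that its rows are the sequences of $\langle \alpha_i, x\rangle$, and computes $N_f$ from those rows. The only convention it assumes is that $\alpha_i$ is the $n$-bit expansion of $i$ with $x_1$ as the most significant bit.

```python
# Added example (not part of the lecture slides): slides 2-4 in code.
# Convention (assumption of this example): alpha_i is the n-bit expansion of i
# with x_1 as the most significant bit.
from itertools import product


def truth_table(f, n):
    """(f(alpha_0), ..., f(alpha_{2^n-1})) for a function f of n bit arguments."""
    return [f(*x) for x in product((0, 1), repeat=n)]


def sequence(tt):
    """Sequence of f: (-1)^f(alpha_i), i.e. bit 0 -> +1, bit 1 -> -1."""
    return [1 - 2 * b for b in tt]


def scalar_product(eta, eps):
    """<eta, eps> = (# cases f = g) - (# cases f != g)."""
    return sum(a * b for a, b in zip(eta, eps))


def hamming_distance(tt_f, tt_g):
    return sum(a != b for a, b in zip(tt_f, tt_g))


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def hadamard(n):
    """Walsh-Hadamard matrix: H_0 = [[1]], H_n = [[H, H], [H, -H]]."""
    h = [[1]]
    for _ in range(n):
        h = [row + row for row in h] + [row + [-v for v in row] for row in h]
    return h


def linear_sequence(alpha, n):
    """Sequence of g(x) = <alpha, x> (inner product mod 2); alpha and x as ints."""
    return [(-1) ** bin(alpha & x).count("1") for x in range(2 ** n)]


def is_hadamard(h):
    """H H^T = r I_r: rows are orthogonal and have squared norm r."""
    r = len(h)
    return all(scalar_product(h[i], h[j]) == (r if i == j else 0)
               for i in range(r) for j in range(r))


def nonlinearity(tt):
    """N_f = 2^(n-1) - (1/2) max_i |<eta, l_i>|, l_i ranging over the rows of H_n."""
    n = len(tt).bit_length() - 1
    eta = sequence(tt)
    return 2 ** (n - 1) - max(abs(scalar_product(eta, row)) for row in hadamard(n)) // 2


def distance_identity_holds(tt_f, tt_g):
    """Check d(f,g) = 2^(n-1) - <eta,eps>/2 directly on two truth tables."""
    n = len(tt_f).bit_length() - 1
    sp = scalar_product(sequence(tt_f), sequence(tt_g))
    return hamming_distance(tt_f, tt_g) == 2 ** (n - 1) - sp // 2


if __name__ == "__main__":
    n = 3
    f = lambda x1, x2, x3: (x1 & x2) ^ x3      # the example function used later in the slides
    g = lambda x1, x2, x3: x3                  # the linear function <(0,0,1), x>
    tt_f, tt_g = truth_table(f, n), truth_table(g, n)
    print("truth table of f:", tt_f, "balanced:", is_balanced(tt_f))
    print("d(f, x3) =", hamming_distance(tt_f, tt_g),
          "identity holds:", distance_identity_holds(tt_f, tt_g))
    print("H_3 is Hadamard:", is_hadamard(hadamard(n)),
          "rows are linear sequences:",
          hadamard(n) == [linear_sequence(i, n) for i in range(2 ** n)])
    print("N_f =", nonlinearity(tt_f))        # 2: f is two flips away from the affine function x3
```

Building the full $2^n \times 2^n$ matrix is fine for teaching-sized $n$; for 8-bit S-box components a practitioner would use the fast Walsh-Hadamard butterfly instead, which computes the same $2^n$ scalar products in $n 2^n$ operations.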

Effect of Input Transformation on Balancedness and Non-linearity
If a Boolean function $f(x)$ is balanced, then so is $g(x) = f(xB \oplus A)$, where $A$ is an $n$-bit vector and $B$ is an $n \times n$ invertible 0-1 matrix: the map $x \mapsto xB \oplus A$ merely permutes the inputs, so the truth table of $g$ is a permutation of that of $f$. The non-linearity of $f$ and $g$ is the same, since affine functions are mapped to affine functions by such a transformation.

Strict Avalanche Criterion (SAC)
Informally, if one input bit of an S-Box is changed, then each output bit should change with probability one half, so on average half of the output bits change. For a function $f$ to satisfy the SAC, the following condition must hold:
$$f(x) \oplus f(x \oplus \alpha) \text{ is balanced for every } \alpha \text{ with } wt(\alpha) = 1.$$
Higher-order SAC: the same requirement when more than one input bit changes. The SAC and the higher-order SAC together make up the Propagation Criterion (PC).

How to make a Boolean Function satisfy SAC?
Consider a Boolean function $f(x)$ and a non-singular $n \times n$ matrix $A$ over $\{0,1\}$. If for each row $\gamma$ of $A$
$$f(x) \oplus f(x \oplus \gamma) \text{ is balanced},$$
then $g(x) = f(xA)$ satisfies the SAC. (Flipping input bit $j$ of $g$ changes the input of $f$ by $e_j A$, which is exactly the $j$-th row of $A$.)

Example: $f(x) = x_1 x_2 \oplus x_3$ does not satisfy the SAC. Why? Consider $\alpha = (001)$: $f(x) \oplus f(x \oplus \alpha) = 1$ for every $x$, a constant, which is not balanced. However,
$f(x) \oplus f(x \oplus e_1)$ is balanced, $e_1 = (100)$
$f(x) \oplus f(x \oplus e_2)$ is balanced, $e_2 = (010)$
$f(x) \oplus f(x \oplus e_3)$ is balanced, $e_3 = (111)$
so take these three (linearly independent) vectors as the rows of
$$A = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 1 & 1 & 1 \end{pmatrix}.$$
Check that $g(x) = f(xA) = (x_1 \oplus x_3)(x_2 \oplus x_3) \oplus x_3$ satisfies the SAC.
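The SAC test and the input transformation of the last two slides, as an added example that is not part of the lecture: it reproduces the slide's finding that $f(x) = x_1 x_2 \oplus x_3$ fails for $\alpha = (001)$, checks that $g(x) = f(xA)$ with the slide's matrix passes, confirms that balancedness and non-linearity survive the transformation $x \mapsto xB \oplus a$, and automates the recipe by collecting every $\gamma$ with a balanced derivative and picking $n$ linearly independent ones as the rows of $A$. Assumptions of the example: vectors are $n$-bit integers with $x_1$ the most significant bit, and $x$ is a row vector so $xA$ combines the rows of $A$.

```python
# Added example (not part of the slides): SAC checks and g(x) = f(xA).
# Convention (assumption of this example): vectors are n-bit ints with x_1 as
# the most significant bit; x is a row vector, so xA uses the rows of A.


def bits(v, n):
    """n-bit tuple of the int v, x_1 first (most significant)."""
    return tuple((v >> (n - 1 - k)) & 1 for k in range(n))


def truth_table(f, n):
    return [f(*bits(x, n)) for x in range(2 ** n)]


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def derivative(f, n, alpha):
    """Truth table of f(x) ^ f(x ^ alpha) for an n-bit int alpha."""
    return [f(*bits(x, n)) ^ f(*bits(x ^ alpha, n)) for x in range(2 ** n)]


def satisfies_sac(f, n):
    """f(x) ^ f(x ^ alpha) balanced for every alpha of Hamming weight 1."""
    return all(is_balanced(derivative(f, n, 1 << k)) for k in range(n))


def nonlinearity(f, n):
    """N_f by definition: min Hamming distance to the 2^(n+1) affine functions."""
    tt, best = truth_table(f, n), 2 ** n
    for a in range(2 ** n):                        # linear part <a, x>
        lin = [bin(a & x).count("1") & 1 for x in range(2 ** n)]
        d = sum(u != v for u, v in zip(tt, lin))
        best = min(best, d, 2 ** n - d)            # <a, x> and its complement
    return best


def vec_mat(x, A):
    """Row vector x (tuple) times a 0/1 matrix A (list of rows) over GF(2)."""
    return tuple(sum(x[i] & A[i][j] for i in range(len(A))) & 1
                 for j in range(len(A[0])))


def transform(f, A, a=None):
    """g(x) = f(xA ^ a); a is an optional constant bit tuple."""
    def g(*x):
        y = vec_mat(x, A)
        if a is not None:
            y = tuple(yi ^ ai for yi, ai in zip(y, a))
        return f(*y)
    return g


def sac_matrix(f, n):
    """Rows gamma with f(x)^f(x^gamma) balanced, kept only if linearly independent
    over GF(2) (elimination keyed on the leading bit), so A is non-singular and
    g(x) = f(xA) satisfies the SAC. Returns None if fewer than n rows exist."""
    pivots, rows = {}, []
    for gamma in range(1, 2 ** n):
        if not is_balanced(derivative(f, n, gamma)):
            continue
        r = gamma
        while r and (r.bit_length() - 1) in pivots:
            r ^= pivots[r.bit_length() - 1]
        if r:                                      # independent of the rows so far
            pivots[r.bit_length() - 1] = r
            rows.append(list(bits(gamma, n)))
            if len(rows) == n:
                return rows
    return None


if __name__ == "__main__":
    n = 3
    f = lambda x1, x2, x3: (x1 & x2) ^ x3
    print("f satisfies SAC:", satisfies_sac(f, n))           # False
    print("derivative for alpha = 001:", derivative(f, n, 0b001))  # constant 1
    A_slide = [[1, 0, 0], [0, 1, 0], [1, 1, 1]]
    g = transform(f, A_slide)
    print("g = f(xA) satisfies SAC:", satisfies_sac(g, n))   # True
    print("balanced f, g:", is_balanced(truth_table(f, n)), is_balanced(truth_table(g, n)))
    print("N_f, N_g:", nonlinearity(f, n), nonlinearity(g, n))  # both 2
    A_found = sac_matrix(f, n)
    print("rows found automatically:", A_found,
          "SAC:", satisfies_sac(transform(f, A_found), n))
```

The automatic search picks the first independent candidates in numerical order, so it returns a different $A$ than the slide; any non-singular choice of rows with balanced derivatives works, which is the point of the construction.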

Bent Functions
The non-linearity of an $n$-variable Boolean function has an upper bound:
$$N_f \le 2^{n-1} - 2^{n/2 - 1}.$$
Functions which achieve this bound are called bent functions.
They satisfy the PC for all non-zero $\alpha$, but they are always unbalanced.
Bent functions exist only for even values of $n$.
Example: $f(x) = x_1 x_2 \oplus x_3 x_4$ is a bent function in 4 variables.
If $f$ is bent, so is $f \oplus (\text{affine function})$; $f(xA \oplus B)$ for a non-singular binary matrix $A$ and a vector $B$ is also bent.
Bent functions are not balanced: the number of zeros is $2^{n-1} \pm 2^{n/2-1}$.

Creating a Balanced Non-linear Function
Take $2^{n-k}$ distinct non-zero linear functions in $k$ variables, where $k > n/2$, and concatenate their truth tables. The result is a single Boolean function in $n$ variables (the top $n-k$ input bits select which linear function is applied to the remaining $k$ bits) which is non-linear:
$N_f \ge 2^{n-1} - 2^{k-1}$
Balanced (each non-zero linear function is balanced on its block)
Can be made to satisfy the SAC (by an input transformation as above)

Is the S-Box good against LC and DC?
Not only must the component functions be good (high non-linearity, satisfy PC, etc.), but their non-zero linear combinations also have to satisfy these criteria. Challenging problem.

Design of an S-Box is even more complex
S-Boxes that are good from the cryptographic point of view, when put in hardware, are found to leak information through power consumption, timing, etc. This leads to Side Channel Attacks, which can break ciphers in minutes after all the hard work on the mathematics. Then there are Algebraic Attacks. So, what to do? Open research problem(s).

Criteria of a Good S-Box
Balanced component functions
High non-linearity of the component functions
Non-zero linear combinations of the component functions also balanced and highly non-linear
Satisfies the SAC
High algebraic degree
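An added example, not part of the lecture, that checks the claims of the last three slides on concrete functions: the bent function $x_1 x_2 \oplus x_3 x_4$ (non-linearity at the bound, unbalanced, PC for every non-zero $\alpha$), the concatenation construction with $n = 5$, $k = 3$ and the four distinct linear functions $x_5$, $x_4$, $x_3$, $x_3 \oplus x_4 \oplus x_5$, and the "criteria of a good S-Box" evaluated over every non-zero linear combination of the output bits, including the algebraic degree read off the ANF. Two S-boxes are used as input: a 4-input, 2-output S-box constructed here from two bent component functions, and the published PRESENT 4-bit S-box, included only as a balanced bijective comparison. Non-linearity is computed directly from its definition; the convention that $x_1$ is the most significant input bit is an assumption of the example.

```python
# Added example (not part of the slides): slides 7-9 checked on concrete S-boxes.
# Convention (assumption): inputs are ints with x_1 as the most significant bit.


def parity(v):
    return bin(v).count("1") & 1

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def nonlinearity(tt):
    """N_f = min Hamming distance to the 2^(n+1) affine functions."""
    size, best = len(tt), len(tt)
    for a in range(size):                             # linear part <a, x>
        d = sum(tt[x] != parity(a & x) for x in range(size))
        best = min(best, d, size - d)                 # <a, x> and its complement
    return best

def derivative(tt, alpha):
    """Truth table of f(x) ^ f(x ^ alpha)."""
    return [tt[x] ^ tt[x ^ alpha] for x in range(len(tt))]

def satisfies_pc(tt, alphas):
    return all(is_balanced(derivative(tt, a)) for a in alphas)

def satisfies_sac(tt):
    n = len(tt).bit_length() - 1
    return satisfies_pc(tt, [1 << k for k in range(n)])

def algebraic_degree(tt):
    """Degree of the ANF, via the Moebius (subset-XOR) transform of the truth table."""
    anf, h = list(tt), 1
    while h < len(anf):
        for i in range(0, len(anf), 2 * h):
            for j in range(i, i + h):
                anf[j + h] ^= anf[j]
        h *= 2
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0)

def bent_bound(n):
    """Upper bound 2^(n-1) - 2^(n/2-1) on N_f, attained by bent functions (even n)."""
    return 2 ** (n - 1) - 2 ** (n // 2 - 1)

def is_bent(tt):
    n = len(tt).bit_length() - 1
    return n % 2 == 0 and nonlinearity(tt) == bent_bound(n)

def concatenate_linear(n, alphas):
    """Slide-8 construction: concatenate the truth tables of the k-variable linear
    functions <alpha, y>, alpha in alphas (2^(n-k) of them, distinct and non-zero),
    into one n-variable function; the top n-k input bits select the block."""
    k = n - (len(alphas).bit_length() - 1)
    return [parity(a & y) for a in alphas for y in range(2 ** k)]

def component(sbox, mask):
    """Truth table of the linear combination <mask, S(x)> of the output bits."""
    return [parity(s & mask) for s in sbox]

def criteria(tt):
    """(balanced, non-linearity, SAC, algebraic degree) of one Boolean function."""
    return (is_balanced(tt), nonlinearity(tt), satisfies_sac(tt), algebraic_degree(tt))

def sbox_report(sbox, m):
    """The criteria for every non-zero linear combination of the m output bits."""
    return {mask: criteria(component(sbox, mask)) for mask in range(1, 2 ** m)}

def quad_sbox(x):
    """Constructed 4-in/2-out S-box: output bits (x1x2 ^ x3x4, x1x3 ^ x2x4), both bent."""
    x1, x2, x3, x4 = (x >> 3) & 1, (x >> 2) & 1, (x >> 1) & 1, x & 1
    return (((x1 & x2) ^ (x3 & x4)) << 1) | ((x1 & x3) ^ (x2 & x4))

BENT_SBOX = [quad_sbox(x) for x in range(16)]
# Published PRESENT 4-bit S-box, used here only as a balanced, bijective test input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    f1 = component(BENT_SBOX, 0b10)                  # x1x2 ^ x3x4
    print("bent:", is_bent(f1), "N_f =", nonlinearity(f1), "zeros =", 16 - sum(f1),
          "PC for all alpha != 0:", satisfies_pc(f1, range(1, 16)))
    cat = concatenate_linear(5, [0b001, 0b010, 0b100, 0b111])   # n = 5, k = 3 > n/2
    print("concatenation: balanced", is_balanced(cat), "N_f =", nonlinearity(cat),
          "bound", 2 ** 4 - 2 ** 2, "SAC", satisfies_sac(cat), "degree", algebraic_degree(cat))
    for name, sbox, m in (("two bent components", BENT_SBOX, 2), ("PRESENT", PRESENT_SBOX, 4)):
        print(name)
        for mask, (bal, nl, sac, deg) in sbox_report(sbox, m).items():
            print(f"  mask {mask:0{m}b}: balanced={bal} N_f={nl} SAC={sac} degree={deg}")
```

The report makes the slide's warning visible: each component of the constructed S-box is bent with non-linearity 6, but their XOR, $(x_1 \oplus x_4)(x_2 \oplus x_3)$, drops to non-linearity 4 and none of the three combinations is balanced. The concatenation example is balanced with non-linearity exactly $2^{4} - 2^{2} = 12$ and already satisfies the SAC, yet its algebraic degree is only 2, which is why degree appears as a separate criterion.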

Exercise
Enumerate 8 distinct linear functions in 5 variables, $x_1, x_2, x_3, x_4, x_5$. Concatenate their truth tables to obtain an 8-input, 5-output function. Store the resultant mapping as an 8x5 S-Box. What is the non-linearity of your S-Box? Does it satisfy the SAC? If not, modify the function to do so.

Further Reading
J. Seberry, X.-M. Zhang, Y. Zheng, "Cryptographic Boolean Functions via Group Hadamard Matrices", Australasian Journal of Combinatorics, vol. 10, 1994.
K. Nyberg, "Differentially Uniform Mappings for Cryptography", EUROCRYPT 1993.
K. Nyberg, "Perfect Nonlinear S-Boxes", EUROCRYPT 1991.

Next Day's Topic
Modes of Operation of Block Ciphers