
Post on 26-Oct-2020


Recursive Diffusion Layers for Block Ciphers and Hash Functions

Mahdi Sajadieh, Mohammad Dakhilalian, Hamid Mala and Pouyan Sepehrdad

Isfahan University of Technology, Isfahan, Iran

Isfahan University, Isfahan, Iran

EPFL, Lausanne, Switzerland

Happy Persian New Year!

Outline

• Lightweight Algorithms and Diffusion Layers

• Designing A Recursive Diffusion Layer

• Designing A Diffusion Layer with One Linear Function

• Designing A Diffusion Layer with Two Linear Functions

• Conclusion


Lightweight Algorithms and Diffusion Layers

• Most block ciphers: A round consists of confusion and diffusion layers.

• The confusion layer: often uses small S-boxes.

• The diffusion layer: plays an efficacious role in providing resistance against DC and LC.

• Diffusion layers must
– have large branch numbers.
– be efficient, both the layer and its reverse.

Lightweight Algorithms and Diffusion Layers

• Lightweight block ciphers:
– New ciphers appear every day in the literature.
– Compete over the throughput and GE.
– Not providing the same level of security (LC, DC, AC).
– Does the comparison make sense?

• Designing lightweight and efficient diffusion layers:
– Efficient and perfect recursive Feistel-like diffusion layers.
– We design one without any finite field operations.
– Only have “XOR”s and “Shift” or “Rotations”.
– LED and PHOTON: a nice and efficient MDS diffusion layer.

Designing A Recursive Diffusion Layer

• Maximal branch number

• Length of the input words be changeable

• Have a very simple inverse

• An efficient linear function F.

Designing A Recursive Diffusion Layer

Some Instances of Recursive Diffusion Layers

• Feistel with a linear F

• Salsa20 (non-linear)

• PHOTON matrix

The Proposed Regular s n-bit Words Diffusion Layer

• In the main pseudo code: $F_i(x_1, x_2, \ldots, x_{s-1}) = F_0(x_1, x_2, \ldots, x_{s-1})$

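A Regular 4×4 In/Out Diffusion Layer with Perfect Diffusion

$$D:\ \begin{cases}
y_0 = x_0 \oplus x_2 \oplus x_3 \oplus L(x_1 \oplus x_3) \\
y_1 = x_1 \oplus x_3 \oplus y_0 \oplus L(x_2 \oplus y_0) \\
y_2 = x_2 \oplus y_0 \oplus y_1 \oplus L(x_3 \oplus y_1) \\
y_3 = x_3 \oplus y_1 \oplus y_2 \oplus L(y_0 \oplus y_2)
\end{cases}$$

$$D^{-1}:\ \begin{cases}
x_3 = y_3 \oplus y_1 \oplus y_2 \oplus L(y_0 \oplus y_2) \\
x_2 = y_2 \oplus y_0 \oplus y_1 \oplus L(x_3 \oplus y_1) \\
x_1 = y_1 \oplus x_3 \oplus y_0 \oplus L(x_2 \oplus y_0) \\
x_0 = y_0 \oplus x_2 \oplus x_3 \oplus L(x_1 \oplus x_3)
\end{cases}$$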

A Regular 4×4 In/Out Diffusion Layer with Perfect Diffusion

Conditions on L: Maximal Branch Number

• Outputs based on inputs

• The linear functions must be invertible for maximal branch number:


Some Linear Functions

• Large number of linear functions satisfying the conditions, some are:

$L(x) = (x \oplus (x \gg 3)) \ggg 1$

$L(x) = (x \oplus (x \,\&\, 2) \gg 1) \ggg 1$

$L(x) = (x \oplus (x \gg 15)) \ggg 1$

$L(x) = (x \oplus (x \gg 31)) \ggg 15$

$L(x) = (x \oplus (x \gg 63)) \ggg 1$

• Without any circular shift:
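The 4×4 layer D and its inverse from the earlier slide can be checked exhaustively on small words. The following Python is an added example, not code from the slides or the authors; it assumes the first function listed above, L(x) = (x ⊕ (x >> 3)) >>> 1, acts on 4-bit words, and the names `L_slide`, `L_identity` and `branch_number` are hypothetical. It contrasts that L with the identity map, for which x ⊕ L(x) is not invertible.

```python
N = 4                       # word size in bits (assumption for this L)
MASK = (1 << N) - 1

def rotr(x, r):
    """Circular right shift (>>>) of an N-bit word."""
    return ((x >> r) | (x << (N - r))) & MASK

def L_slide(x):
    """L(x) = (x ^ (x >> 3)) >>> 1, taken here on 4-bit words."""
    return rotr(x ^ (x >> 3), 1)

def L_identity(x):
    """Degenerate choice: x ^ L(x) is always 0, so it is not invertible."""
    return x

def D(x, L):
    """Forward layer: each output word is fed back into the next one."""
    x0, x1, x2, x3 = x
    y0 = x0 ^ x2 ^ x3 ^ L(x1 ^ x3)
    y1 = x1 ^ x3 ^ y0 ^ L(x2 ^ y0)
    y2 = x2 ^ y0 ^ y1 ^ L(x3 ^ y1)
    y3 = x3 ^ y1 ^ y2 ^ L(y0 ^ y2)
    return (y0, y1, y2, y3)

def D_inv(y, L):
    """Inverse layer: same XORs and same L, words recovered in reverse order."""
    y0, y1, y2, y3 = y
    x3 = y3 ^ y1 ^ y2 ^ L(y0 ^ y2)
    x2 = y2 ^ y0 ^ y1 ^ L(x3 ^ y1)
    x1 = y1 ^ x3 ^ y0 ^ L(x2 ^ y0)
    x0 = y0 ^ x2 ^ x3 ^ L(x1 ^ x3)
    return (x0, x1, x2, x3)

def words(v):   # split a 16-bit integer into four 4-bit words
    return tuple((v >> (N * i)) & MASK for i in range(4))

def weight(t):  # number of non-zero words
    return sum(1 for w in t if w)

def branch_number(L):
    """Minimum of weight(x) + weight(D(x)) over non-zero inputs (D is linear)."""
    return min(weight(x) + weight(D(x, L)) for x in map(words, range(1, 1 << 4 * N)))

def inverse_ok(L):
    """True if D_inv undoes D on every 16-bit input."""
    return all(D_inv(D(x, L), L) == x for x in map(words, range(1 << 4 * N)))

if __name__ == "__main__":
    for name, L in (("slide L", L_slide), ("identity", L_identity)):
        print(name, "inverse ok:", inverse_ok(L), "branch number:", branch_number(L))
```

A branch number of s + 1 = 5 is perfect diffusion for four words; the inverse works for any L because it reuses L itself rather than its inverse.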

Replacement of Some Diffusion Layers

• MDS_H of Hierocrypt
– Performance two times better

• Binary matrix of MMB
– Branch number of the MMB diffusion layer increases to 5.
• prevents the attacks [SAC’09] presented on this block cipher.
– Performance is decreased by 10%.

• PHOTON
– If L(x)=2x in $GF(2^4)$, the matrix is:

$$B = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 2 & 1 & 3 \end{pmatrix} \Rightarrow B^4 = \begin{pmatrix} 1 & 2 & 1 & 3 \\ 3 & 7 & 1 & 4 \\ 4 & 11 & 3 & 13 \\ 13 & 30 & 6 & 20 \end{pmatrix}$$

All Other Regular Diffusion Layers

For s > 4, no diffusion layer was found with only one linear function.


All Other Regular Diffusion Layers


Non-regular Recursive Diffusion Layers

• In the non-regular diffusion layers: Fi’s are different.
– Use only one linear function.

• The space for a complete search is $2^{2s^2}$ for an s input/output diffusion layer.

Non-regular Recursive Diffusion Layers

• After a complete search

– For s = 3, the one with the least number of XORs:

$$D:\ \begin{cases}
y_0 = x_0 \oplus x_1 \oplus x_2 \\
y_1 = x_1 \oplus x_2 \oplus L(y_0 \oplus x_2) \\
y_2 = x_2 \oplus y_0 \oplus y_1
\end{cases}$$

– For s = 4, the one with the least number of XORs:

$$D:\ \begin{cases}
y_0 = x_0 \oplus x_1 \oplus x_2 \oplus L(x_3) \\
y_1 = x_1 \oplus x_3 \oplus y_0 \oplus L(x_2 \oplus y_0) \\
y_2 = x_2 \oplus x_3 \oplus y_0 \oplus L(x_3 \oplus y_1) \\
y_3 = x_3 \oplus y_1 \oplus y_2 \oplus L(y_0)
\end{cases}$$

• For s > 4, a complete search is too costly.

Regular Recursive Diffusion Layers with Two Linear Functions

• If L1 and L2 do not have any relation, the analysis is hard.

or


Regular Diffusion Layer for s > 4

• The linear functions which must be invertible:


Conclusion

• We introduced some efficient and perfect recursive diffusion layers.

• Found all regular s input/output recursive diffusion layers with s < 8 and one linear function.

• Found all non-regular s input/output recursive diffusion layers with s < 5 and one linear function.

• Found some efficient regular s input/output recursive diffusion layers with s < 9 and two linear functions.

• A good candidate for designing new block ciphers or hash functions.


Questions?
