The Design of Cryptographic S-Boxes using CSPs 1 V E N K A T E S H - PowerPoint PPT Presentation

The Design of Cryptographic S-Boxes using CSPs 1 V E N K A T E S H R A M A M O O R T H Y , M A R I U S C . S I L A G H I , T O S H I H I R O M A T S U I , K A T S U T O S H I H I R A Y A M A , a n d M A K O T O Y O K O O

Substitution-Permutation Network 2  Proposed by Claude Shannon [1948].  All Feistel Ciphers  Data Encryption Standard, 3-DES  Blowfish, Twofish, Camellia, RC5  Advanced Encryption Standard  International Data Encryption Algorithm (IDEA)  Linear Permutations – Diffusion  Nonlinear Substitution – Confusion (S-Boxes) • any linearity helps attackers • designed via a combinatorial problem

S-P Networks and the Feistel Cipher 3 Invertible substitution Permutation S ( L , R ) L F ( R ), R S 1 ( L ', R ') L ' F ( R '), R ' S-P Network Feistel F function needs not be invertible. Any F leads to a “sound” cipher. Needs more rounds

The Function F of 3-DES 4 Expansion The eight S-Boxes

Example: The 3-DES 6 × 4 S-Box S 8 5 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11 Applying S 8 on 44 yields 14: 0110 2 6 10 14 10 44 10 101100 2 =1110 2 Column 6 Row 2 10 2 2 10

Major Attacks 6  S-box design criteria developed as answer to attacks.  Early Feistel cipher (Lucifer) weakness found [„74]  [DES;76]  Differential Cryptanalysis [Biham, Shamir; 1993]  not new in 1993, but had been classified [Coppersmith; 1994]  still somewhat successful on DES because its avoidance requires solving a hard combinatorial design problem  we model it as a CSP!  Linear Cryptanalysis [Matsui; 1994]  A more efficient exploit of the same weaknesses (with minor twists)  Same avoidance strategy (hard combinatorial design problem)

3-DES S -Box Criteria (Coppersmith, 1994) 7  The Criteria labeled S-1 to S-7, are stated as follows S-1 : Each S-box has six bits of input and four bits of output  S-2 : No output bit of an S-box should be close to a linear function of  the input bits. S-3 : If we fix the leftmost and rightmost input bits of the S-box and  vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities. S-4 : If two inputs to an S-box differ in exactly one bit, the outputs  must differ in at least two bits. (Avalanche) S-5 : If two inputs to an S-box differ in the two middle bits exactly,  the outputs must differ in at least two bits S-6 : If two inputs to an S-box differ in their first two bits and are  identical in their last two bits, the two outputs must not be the same S-7 : For any nonzero 6-bit difference between inputs, Δ I i,j , no more  than eight of the 32 pairs of inputs exhibiting Δ I i,j may result in the same output difference Δ O i,j .

Why is S-Box Design an important Problem? 8  S -Boxes for security  They form the only nonlinear operation in an encryption process (all other operations being linear)  Each successful linearization approximation can help break a few bits of the key  A known hard problem  Toy instances solved fast, but not real world instances  Existing methodologies are suboptimal  They did not find the “strongest” S -boxes  as we illustrate using CSPs

Previous Methods for S -Box Design 9  Hand-assembled  Example: 3-DES  Math functions known as difficult to analyze  Example: GF 2k Inversion (AES), Bent Functions  Generate-And-Test, Random Assignments  Using Genetic Algorithms (with Hill Climbing and Simulated Annealing to guide S -Box search) [2003-2006]  Capturing randomness from security protocols, keys [2008]  Using Cellular Automata [2010]

n × m S-Box Design Using CSPs 10  Model each S -Box criterion into constraints  Set of variables: X { x 0 , x 1 ,..., x 2 n 1 }  Domains (identical): m D { 0 , 1 ,..., 2 1 }  The constraints model the security criteria  Any solution to the CSP can be used as an S -Box  Security to known attacks optimized with a soft constraint  An assignment of a value from D to a variable x i in X  Represents the S-Box output for input i  In the sample 3-DES S-Box S 8 , for example, x 44 = 14

S-1: Implicit Constraint 11  S-1 : Each S-box has six bits of input and four bits of output  This constraint is implicit in the CSP formulation  n input bits  2 n variables.  m output bits  domain size 2 m .

The Nonlinearity Criterion S-2 12 S-2: Any (subsets of) output bits should be independent of any (subset of) input bits  Gives rise to Matsui‟s quality metric of an S -Box  Linearization Effectiveness: X ( )  X – a set of variables  Φ – the S-box function (assignment to variables in X)  linearity if:  some linear function “=“ selected outputs (for all inputs)  some linear function “≠“ selected outputs (for all inputs)  nonlinearity if:  any linear function “=“ selected outputs (for half of inputs)

Example nonlinearity evaluation 13  Take the function : {0,1} × {0,1} {0,1} x0 x1 y0  Count the number of linearization hits: 0 0 1 0 1 0 2 2 a 0 , a 1 : {( x 0 , x 1 ) | a 0 x 0 a 1 x 1 ( x )} ? 1 0 1 2 1 1 1 a0 a1 x=00 x=01 x=10 x=11 # #-2 2 /2 score 0 0 0≠1 0=0 0≠1 0≠1 1 -1 1 0 1 0 ≠ 1 1 ≠0 0 ≠ 1 1=1 1 -1 1 1 0 0 ≠1 0=0 1=1 1=1 3 1 1 1 1 0 ≠1 1 ≠ 0 1=1 0 ≠1 1 -1 1  Function Φ(x 0 ,x 1 )  1,0,1,1 has score X ( ) = 1

Implementing S-2 14  S-2 is a soft constraint.  We need to minimize the Linearization Effectiveness  We convert it into a hard constraint by fixing a threshold ( ≤ |X|/2 ) on it X ( ) ≤  Projected into smaller arity constraints for propagation. [Soft‟11]

3-DES Criterion S-3 16  S-3 : If we fix the leftmost and rightmost input bits of the S-box and vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities.  AllDiff(x 0 , x 2 , …, x 28 ,x 30 ), AllDiff(x 1 , x 3 , …, x 29 , x 31 ),  AllDiff(x 32 , x 34 , …, x 60 ,x 62 ), AllDiff(x 33 , x 35 , …, x 61 , x 63 )

3-DES Criterion S-4 (Avalanche) 17  The 3-DES Criterion S-4: If any two inputs i and j to a 6 × 4 S-Box differ in one bit, its corresponding outputs should differ by at least two bits.  Binary Constraints for S-4 in First Order Logic form: 0,2 6 i , j wt ( i j ) 1 wt x i x j 2 = bit-wise exclusive-OR of integers a and b a b wt = Hamming weight

3-DES Criterion S-5 18  The 3-DES Criterion S-5: If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits  Binary Constraints for S-5 in First Order Logic form:  ( i,j ) 0 ≤ i , j < 64 | i ≠ j | | i j | = 001100 2 wt( x i x j ) ≥ 2 = bit-wise exclusive-OR of integers a and b a b wt = Hamming weight

3-DES Criterion S-6 19  The 3-DES Criterion S-6: If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same  Binary Constraints for S-6 in First Order Logic:  ( i,j ) 0 ≤ i<j < 64 (| i j | 110011 2 ) = 110000 2 x i ≠ x j = bit-wise exclusive-OR of integers a and b a b wt = Hamming weight

3-DES Criterion S-7 20  S-7 : For any nonzero 6-bit difference between inputs, Δ I i,j , no more than eight of the 32 pairs of inputs exhibiting Δ I i,j may result in the same output difference Δ O i,j .  Global constraint, projected on any subset of at least 17 variables.

Challenges in CSP-Based S -Box Modeling 21  Addressing inputs and outputs at the bit level  Not well supported in first tried conventional CP solvers (particularly the nonlinearity requirement).  We employed a MAC solver based on AC2001  Comparing certain heuristics with nice properties (completeness) but that found no solution so far.  We quantified the search space traversed on given ordering X ' 1 X i 1 n m 2 m S p x i i 0

Heuristics for 6 × 4 S -Boxes 22  Three Heuristics reported here  H S (64, ) – n-ary constraints evaluated at the end  H C (64, ) – an incremental n-ary (projections of S-2 and S-7)  H I (64, ) – an incremental n-ary, that skips the less promising search areas (becoming incomplete).  Threshold values for = 16 for H S (64, ) and H C (64, )  = 16, 10 for H I (64, ) 

Results for 6 × 4 S -Boxes 23  Performance of Heuristics  H C (64, 16) proceeded 20 – 200 times faster than H S (64,16)

Results for 6 × 4 S -Boxes 24  Quality metric (score) of obtained S -Boxes  H I (64,10) yielded a number of S-Boxes with a score equal to 8  Score “better” (more secure) than the “worst” 3 -DES S-Box S 7  The score of S -Box S 7 is found to be equal to 18  Best previous score was 10  3,600 such S -Boxes found in 1 hour  Increased to more than 13,500 in 5 hours  The score 8 proves to be  easy for the CSP search with incomplete heuristic!!  unreachable for the complete heuristics, prior techniques

A 6 × 4 S -Box Generated by our CSP Solver 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 0 3 5 6 9 10 15 12 7 4 14 13 2 1 8 11 1 3 0 6 5 10 9 12 15 4 7 13 14 1 2 11 8 2 3 15 0 12 5 9 6 4 8 11 7 14 2 1 13 10 3 9 5 15 3 12 0 6 10 7 11 8 4 2 14 13 1 S-Box with Score = 8