The Design of Cryptographic S-Boxes using CSPs

Venkatesh Ramamoorthy, Marius C. Silaghi, Toshihiro Matsui, Katsutoshi Hirayama, and Makoto Yokoo

Substitution-Permutation Network

Proposed by Claude Shannon [1948].
• All Feistel Ciphers
• Data Encryption Standard, 3-DES
• Blowfish, Twofish, Camellia, RC5
• Advanced Encryption Standard
• International Data Encryption Algorithm (IDEA)

Linear Permutations – Diffusion
Nonlinear Substitution – Confusion (S-Boxes)
• any linearity helps attackers
• designed via a combinatorial problem

S-P Networks and the Feistel Cipher

S-P Network: invertible substitution, permutation.

Feistel:
$S(L, R) = (L \oplus F(R),\ R)$
$S^{-1}(L', R') = (L' \oplus F(R'),\ R')$
• The F function need not be invertible.
• Any F leads to a "sound" cipher.
• Needs more rounds

The Function F of 3-DES

[Figure: the function F, with the labels "Expansion" and "The eight S-Boxes"]

Example: The 3-DES 6 × 4 S-Box $S_8$

Row   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0  13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
  1   1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
  2   7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
  3   2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11

Applying $S_8$ on 44 yields 14: $44_{10} = 101100_2$; Row 2: $10_2 = 2_{10}$; Column 6: $0110_2 = 6_{10}$; output $14_{10} = 1110_2$.

Major Attacks

S-box design criteria developed as answer to attacks.
• Early Feistel cipher (Lucifer) weakness found ['74] [DES; '76]
• Differential Cryptanalysis [Biham, Shamir; 1993]
    • not new in 1993, but had been classified [Coppersmith; 1994]
    • still somewhat successful on DES because its avoidance requires solving a hard combinatorial design problem
    • we model it as a CSP!
• Linear Cryptanalysis [Matsui; 1994]
    • A more efficient exploit of the same weaknesses (with minor twists)
    • Same avoidance strategy (hard combinatorial design problem)

3-DES S-Box Criteria (Coppersmith, 1994)

The criteria, labeled S-1 to S-7, are stated as follows:
• S-1: Each S-box has six bits of input and four bits of output.
• S-2: No output bit of an S-box should be close to a linear function of the input bits.
• S-3: If we fix the leftmost and rightmost input bits of the S-box and vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities.
• S-4: If two inputs to an S-box differ in exactly one bit, the outputs must differ in at least two bits. (Avalanche)
• S-5: If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits.
• S-6: If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same.
• S-7: For any nonzero 6-bit difference between inputs, $\Delta I_{i,j}$, no more than eight of the 32 pairs of inputs exhibiting $\Delta I_{i,j}$ may result in the same output difference $\Delta O_{i,j}$.

Why is S-Box Design an important Problem?

• S-Boxes for security
    • They form the only nonlinear operation in an encryption process (all other operations being linear)
    • Each successful linearization approximation can help break a few bits of the key
• A known hard problem
    • Toy instances solved fast, but not real world instances
• Existing methodologies are suboptimal
    • They did not find the "strongest" S-boxes as we illustrate using CSPs

Previous Methods for S-Box Design

• Hand-assembled
    • Example: 3-DES
• Math functions known as difficult to analyze
    • Example: $GF(2^k)$ Inversion (AES), Bent Functions
• Generate-And-Test, Random Assignments
• Using Genetic Algorithms (with Hill Climbing and Simulated Annealing to guide S-Box search) [2003-2006]
• Capturing randomness from security protocols, keys [2008]
• Using Cellular Automata [2010]

n × m S-Box Design Using CSPs

• Model each S-Box criterion into constraints
• Set of variables: $X = \{x_0, x_1, \ldots, x_{2^n - 1}\}$
• Domains (identical): $D = \{0, 1, \ldots, 2^m - 1\}$
• The constraints model the security criteria
• Any solution to the CSP can be used as an S-Box
• Security to known attacks optimized with a soft constraint
• An assignment of a value from $D$ to a variable $x_i$ in $X$ represents the S-Box output for input $i$
• In the sample 3-DES S-Box $S_8$, for example, $x_{44} = 14$

S-1: Implicit Constraint

S-1: Each S-box has six bits of input and four bits of output.

This constraint is implicit in the CSP formulation:
• $n$ input bits ⇒ $2^n$ variables.
• $m$ output bits ⇒ domain size $2^m$.

The Nonlinearity Criterion S-2

S-2: Any (subsets of) output bits should be independent of any (subset of) input bits.
• Gives rise to Matsui's quality metric of an S-Box
• Linearization Effectiveness: X ( )
    • X – a set of variables
    • Φ – the S-box function (assignment to variables in X)
• linearity if:
    • some linear function "=" selected outputs (for all inputs)
    • some linear function "≠" selected outputs (for all inputs)
• nonlinearity if:
    • any linear function "=" selected outputs (for half of inputs)

Example nonlinearity evaluation

Take the function $\Phi: \{0,1\} \times \{0,1\} \to \{0,1\}$

x0 x1 y0
 0  0  1
 0  1  0
 1  0  1
 1  1  1

Count the number of linearization hits:
$\forall a_0, a_1:\ \left|\{(x_0, x_1) \mid a_0 x_0 \oplus a_1 x_1 = \Phi(x)\}\right| = ?$

a0 a1   x=00  x=01  x=10  x=11   #   #−2²/2   score
 0  0   0≠1   0=0   0≠1   0≠1    1     −1       1
 0  1   0≠1   1≠0   0≠1   1=1    1     −1       1
 1  0   0≠1   0=0   1=1   1=1    3      1       1
 1  1   0≠1   1≠0   1=1   0≠1    1     −1       1

Function Φ(x0, x1) ↦ 1,0,1,1 has score X ( ) = 1

Implementing S-2

• S-2 is a soft constraint.
• We need to minimize the Linearization Effectiveness
• We convert it into a hard constraint by fixing a threshold ( ≤ |X|/2 ) on it: X ( ) ≤
• Projected into smaller arity constraints for propagation. [Soft'11]
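
The hit counting from the example slide and the thresholded form of S-2, as an added example (not the authors' solver code). It goes beyond the slide's single output bit by also iterating over output masks b, matching the slide's "selected outputs"; the function names, the bit order (x0 and a0 as the most significant bit) and the two contrast boxes are assumptions made here.

```python
# Added example: linearization score of an S-box given as a lookup list.
# Assumed index convention: x0 (and a0) is the most significant bit.

def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1

def hits(sbox, a, b=1):
    """Number of inputs x for which the input bits selected by mask a and
    the output bits selected by mask b have equal parity."""
    return sum(parity(a & x) == parity(b & y) for x, y in enumerate(sbox))

def score_table(sbox, m=1):
    """Map (a, b) -> |hits - 2^n/2| for every input mask a and every
    nonzero output mask b (b = 0 selects no output bit and is skipped)."""
    half = len(sbox) // 2
    return {(a, b): abs(hits(sbox, a, b) - half)
            for a in range(len(sbox)) for b in range(1, 1 << m)}

def linearization_score(sbox, m=1):
    """Largest deviation from the ideal 'equal for half of the inputs'."""
    return max(score_table(sbox, m).values())

def satisfies_s2(sbox, m, threshold):
    """S-2 as a hard constraint: the score must not exceed the threshold."""
    return linearization_score(sbox, m) <= threshold

# The slide's function: Phi(00)=1, Phi(01)=0, Phi(10)=1, Phi(11)=1.
PHI = [1, 0, 1, 1]
# Constructed contrast cases: a purely linear 2x2 box and a complemented bit.
IDENTITY_2X2 = [0, 1, 2, 3]
COMPLEMENT = [1, 0]

if __name__ == "__main__":
    for a in range(4):
        print(f"a={a:02b} hits={hits(PHI, a)}")
    print("score(PHI)        =", linearization_score(PHI))
    print("score(identity)   =", linearization_score(IDENTITY_2X2, m=2))
    print("score(complement) =", linearization_score(COMPLEMENT))
```

The identity box and the complemented bit both reach the maximum |X|/2, one through "=" on all inputs and the other through "≠" on all inputs, which are the two linearity cases listed on the S-2 slide.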

3-DES Criterion S-3

S-3: If we fix the leftmost and rightmost input bits of the S-box and vary the four middle bits, each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities.

AllDiff($x_0, x_2, \ldots, x_{28}, x_{30}$),
AllDiff($x_1, x_3, \ldots, x_{29}, x_{31}$),
AllDiff($x_{32}, x_{34}, \ldots, x_{60}, x_{62}$),
AllDiff($x_{33}, x_{35}, \ldots, x_{61}, x_{63}$)

3-DES Criterion S-4 (Avalanche)

The 3-DES Criterion S-4: If any two inputs i and j to a 6 × 4 S-Box differ in one bit, its corresponding outputs should differ by at least two bits.

Binary Constraints for S-4 in First Order Logic form:
$\forall i, j \in [0, 2^6):\ wt(i \oplus j) = 1 \Rightarrow wt(x_i \oplus x_j) \ge 2$

$a \oplus b$ = bit-wise exclusive-OR of integers a and b
wt = Hamming weight

3-DES Criterion S-5

The 3-DES Criterion S-5: If two inputs to an S-box differ in the two middle bits exactly, the outputs must differ in at least two bits.

Binary Constraints for S-5 in First Order Logic form:
$\forall (i, j),\ 0 \le i, j < 64,\ i \ne j:\ (i \oplus j) = 001100_2 \Rightarrow wt(x_i \oplus x_j) \ge 2$

$a \oplus b$ = bit-wise exclusive-OR of integers a and b
wt = Hamming weight

3-DES Criterion S-6

The 3-DES Criterion S-6: If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must not be the same.

Binary Constraints for S-6 in First Order Logic:
$\forall (i, j),\ 0 \le i < j < 64:\ ((i \oplus j)\ \mathrm{AND}\ 110011_2) = 110000_2 \Rightarrow x_i \ne x_j$

$a \oplus b$ = bit-wise exclusive-OR of integers a and b
wt = Hamming weight

3-DES Criterion S-7

S-7: For any nonzero 6-bit difference between inputs, $\Delta I_{i,j}$, no more than eight of the 32 pairs of inputs exhibiting $\Delta I_{i,j}$ may result in the same output difference $\Delta O_{i,j}$.

Global constraint, projected on any subset of at least 17 variables.
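
The constraints S-3 to S-7 above written as executable checks and run on the $S_8$ table from the earlier slide, using the variable numbering $x_0 \ldots x_{63}$ of the CSP model. This is an added example, not the authors' solver; the function names and the WEAK box are constructed here for contrast.

```python
# Added example: the page's S-3..S-7 constraints checked on the DES S-box S8.
S8_ROWS = [  # table as printed on the page: 4 rows x 16 columns
    [13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
    [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
    [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
    [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11],
]

def to_variables(rows):
    """x[i] for i in 0..63: row = (leftmost, rightmost) bit, column = middle four."""
    return [rows[((i >> 5) << 1) | (i & 1)][(i >> 1) & 0xF] for i in range(64)]

def wt(v):
    """Hamming weight."""
    return bin(v).count("1")

def s3(x):  # four AllDiff constraints, one per (leftmost, rightmost) pair
    return all(len({x[i] for i in range(64) if (i >> 5, i & 1) == lr}) == 16
               for lr in ((0, 0), (0, 1), (1, 0), (1, 1)))

def s4(x):  # one-bit input difference -> at least two output bits differ
    return all(wt(x[i] ^ x[i ^ (1 << b)]) >= 2 for i in range(64) for b in range(6))

def s5(x):  # input difference exactly 001100
    return all(wt(x[i] ^ x[i ^ 0b001100]) >= 2 for i in range(64))

def s6(x):  # input difference of the form 11xy00 -> outputs must not collide
    return all(x[i] != x[j] for i in range(64) for j in range(i + 1, 64)
               if (i ^ j) & 0b110011 == 0b110000)

def s7(x):  # per input difference, at most 8 of the 32 pairs share an output difference
    for d in range(1, 64):
        counts = {}
        for i in range(64):
            if i < i ^ d:  # visit each unordered pair {i, i^d} once
                out = x[i] ^ x[i ^ d]
                counts[out] = counts.get(out, 0) + 1
        if max(counts.values()) > 8:
            return False
    return True

def check_all(x):
    return {"S-3": s3(x), "S-4": s4(x), "S-5": s5(x), "S-6": s6(x), "S-7": s7(x)}

X_S8 = to_variables(S8_ROWS)
WEAK = [i & 0xF for i in range(64)]  # constructed counter-example: ignores the top two input bits

if __name__ == "__main__":
    print("x_44 =", X_S8[44])
    print("S8  :", check_all(X_S8))
    print("weak:", check_all(WEAK))
```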

Challenges in CSP-Based S-Box Modeling

• Addressing inputs and outputs at the bit level
• Not well supported in first tried conventional CP solvers (particularly the nonlinearity requirement).
• We employed a MAC solver based on AC2001
• Comparing certain heuristics with nice properties (completeness) but that found no solution so far.
• We quantified the search space traversed on given ordering X ' 1 X i 1 n m 2 m S p x i i 0

Heuristics for 6 × 4 S-Boxes

Three Heuristics reported here:
• $H_S$(64, ) – n-ary constraints evaluated at the end
• $H_C$(64, ) – an incremental n-ary (projections of S-2 and S-7)
• $H_I$(64, ) – an incremental n-ary, that skips the less promising search areas (becoming incomplete).

Threshold values for
• = 16 for $H_S$(64, ) and $H_C$(64, )
• = 16, 10 for $H_I$(64, )

Results for 6 × 4 S-Boxes

[Figure: Performance of Heuristics]

$H_C$(64, 16) proceeded 20 – 200 times faster than $H_S$(64, 16)

Results for 6 × 4 S-Boxes

Quality metric (score) of obtained S-Boxes
• $H_I$(64, 10) yielded a number of S-Boxes with a score equal to 8
• Score "better" (more secure) than the "worst" 3-DES S-Box $S_7$
• The score of S-Box $S_7$ is found to be equal to 18
• Best previous score was 10
• 3,600 such S-Boxes found in 1 hour
• Increased to more than 13,500 in 5 hours
• The score 8 proves to be easy for the CSP search with incomplete heuristic!!
• unreachable for the complete heuristics, prior techniques

A 6 × 4 S-Box Generated by our CSP Solver

Row   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0   0  3  5  6  9 10 15 12  7  4 14 13  2  1  8 11
  1   3  0  6  5 10  9 12 15  4  7 13 14  1  2 11  8
  2   3 15  0 12  5  9  6  4  8 11  7 14  2  1 13 10
  3   9  5 15  3 12  0  6 10  7 11  8  4  2 14 13  1

S-Box with Score = 8