EPCBC - A Block Cipher Suitable for Electronic Product Code ...

More documents

Recommendations

Info

(both rounds inclusive) by nk, for k ≤ i. Then n1 = 1, n2 ≥ 3, n3 ≥ 7, n4 ≥ 11, n5 ≥ 13, n6 ≥ 14 and nk ≥ 2k +1 for k = 7,8,9. Proof. The proof is similar to that of Lemma 1 and by using P1 and P2 instead. ⊓⊔ Lemma 3. For n ≥ 64, the r-round differential characteristic of PR-n has a minimum of 2r active S-boxes for r = 5,6,7,8,9. Proof. With no loss of generality, we consider the first round to the r-th round. Let Di be the number of active S-boxes in round i. It is proven in [10] that the case for r = 5 holds. Consider 6-round differential characteristic. Since there are at least 10 active S-boxes in the first five rounds, if there are at least two active S-boxes in the sixth round, then we are done. Otherwise, suppose that D6 = 1. If D5 ≥ 2, then applying Lemma 2 from round 6 to round 1, there is a minimum of 14 active S-boxes. Otherwise D5 = 1. Then we must have a single bit difference to the output of the active S-box in round 5, else it will contradict P1. Because of S2, D4 ≥ 2. Now we can apply Lemma 2 from round 5 to round 1, yielding � 6 i=1 Di ≥ 13+1 = 14. For r = 7,8,9, we apply similar argument as before. ⊓⊔ As a direct consequence of Lemma 3, we have the following result. Theorem 3. For n ≥ 64, the r-round differential characteristic of PR-n has a minimum of 2r active S-boxes for r ≥ 5. Linear cryptanalysis Lemma 4. Consider linear approximations of PR-n where n ≥ 64. The active S-boxes over consecutive rounds cannot form the following patterns: 1-2-1, 1-3-1, 1-3-2, 1-4-1, 1-4-2, 1-4-3, 1-i, i-1, for i ≥ 5. Proof. For i ≥ 5, the patterns 1-i and i-1 clearly cannot happen since the S-boxes are four-bit. If the pattern 1-2-1 were to happen, then the active S-boxes in the middle round are activated by the same S-box and must therefore belong to two different groups. However, they cannot activate only one S-box in the following round. Hence the pattern 1-2-1 is impossible. In general, we see that the active S-boxes in the middle round must activate at least an equal number of S-boxes in the following round. ⊓⊔ Definition 1. Let a and b be the input and output mask to a S-box respectively. If wt(a) = wt(b) = 1, then the S-box is said to have single-bit approximation. In particular, with reference to S4, we see that the bias of any single-bit approximation is less than 2 −3 . Further, we define ns to be the number of active S-boxes over r rounds with single-bit approximations. Lemma 5. Consider r-round linear approximations of PR-n where n ≥ 64. 1. For r = 3 and the pattern 1-j-j, where 1 ≤ j ≤ 4, ns = j. 2. For r = 3 and the pattern 1-2-3, ns = 1. 3. For r = 3 and the pattern 1-3-4, ns = 2. 4. For r = 9 and {1,1,1,1,1,1,1,1,i} where i ≥ 2, ns ≥ 6. 5. For r = 9 and {1,1,1,1,1,1,1,i,j} where i ≥ 2 and j ≥ 2, ns ≥ 3. 6. For r = 9 and {1,1,1,1,1,1,i,j,k} where i ≥ 2, j ≥ 2 and k ≥ 2, ns ≥ 2. Proof. (1) to (3) follows easily from P3 and P4, while (4) to (6) can be easily deduced from Lemma 4. ⊓⊔ Lemma 6. Consider nine-round linear approximations of PR-n where n ≥ 64. Suppose there are exactly k rounds with one active S-box each and for each of the remaining rounds, there are exactly 2 active S-boxes, where 3 ≤ k ≤ 8. Then ns ≥ k −2.
Proof. The result for k = 8 follows directly from Lemma 5.4. For k = 7, by Lemma 4, we either have two active S-boxes in the first and the last rounds, or, we have 1-2-2 occurring in the pattern. For the former, ns = 5. For the latter, by virtue of Lemma 5, each time 1-2-2 occurs in the pattern, there are two active S-boxes with single-bit approximations. Hence, ns ≥ 5. For k = 6, again, because of Lemma 4, either the pattern contains 1-2-2, or is of the form 2-2-2-1-···-1 or 2-2-1-1-···-1-2. Together with Lemma 5, it can thus be easily checked that ns ≥ 4. We can apply the same argument to the cases when k = 5,4 and 3. ⊓⊔ Theorem 4. Let ǫr be the maximal bias of a linear approximation of r rounds of PR-n where n ≥ 64. Then ǫr ≤ 2 −2r+1 for r = 4,5,6,7,8 and 9. Proof. Since the argument is similar for r = 4,5,6,7,8 and 9, we shall just consider the (most complicated) case of r = 9. Let ǫ j 9 denote the bias of a linear approximation over nine rounds involving j active S-boxes. We consider the following cases. Case 1: Each round of a nine-round linear approximation has exactly one active S-box. Then there are at least 7 active S-boxes with single-bit approximations. By virtue of Matsui’s piling-up lemma, we have ǫ 9 9 ≤ 2 8 ×(2 −3 ) 7 ×(2 −2 ) 2 = 2 −17 . Case 2: There are exactly ten active S-boxes over nine rounds. Then by Lemma 6, we have that ǫ 10 9 ≤ 2 9 ×(2 −3 ) 6 ×(2 −2 ) 4 = 2 −17 . Case3:ThereareexactlyelevenactiveS-boxesoverninerounds.Therearetwopossiblities:{1,1,1,1,1,1,1,2,2} and {1,1,1,1,1,1,1,1,3}. It can be deduced from Lemma 6 and Lemma 5.4 respectively that ns ≥ 5. Hence, we have ǫ 11 9 ≤ 2 10 ×(2 −3 ) 5 ×(2 −2 ) 6 = 2 −17 . Case 4: There are exactly twelve active S-boxes over nine rounds. We consider: (a) {1,1,1,1,1,1,2,2,2} (b) {1,1,1,1,1,1,1,2,3} (c) {1,1,1,1,1,1,1,1,4} For (a) and (c), we apply Lemma 6 and Lemma 5.4 respectively to deduce that ns ≥ 4. For (b), note that by Lemma 4, 1-3-2, 1-2-1 and 1-3-1 cannot occur in the pattern. So either 1-2-3 occurs in the pattern, or the pattern is of the form 2-3-1-···-1, 3-2-1-···-1, 2-1-···-1-3 or 3-1-···-1-2. Together with Lemma 5, ns ≥ 4. Therefore, ǫ 12 9 ≤ 2 11 ×(2 −3 ) 4 ×(2 −2 ) 8 = 2 −17 . Case 5: There are exactly thirteen active S-boxes over nine rounds. Note that the patterns 1-5 and 5-1 are impossiblebyLemma4.Thusitsufficestoconsiderthepatterns{1,1,1,1,1,2,2,2,2},{1,1,1,1,1,1,1,2,4}, {1,1,1,1,1,1,1,3,3} and {1,1,1,1,1,1,2,2,3}. Similar to Case 4, it can be shown that ns ≥ 3. Case 6: There are exactly fourteen active S-boxes over nine rounds. By first noting that the patterns 1-6 and 6-1 are impossible by Lemma 4 and following a similar argument to Cases 4 and 5, it can be shown that ns ≥ 2. Case 7: There are exactly fifteen active S-boxes over nine rounds. In a similar fashion to Cases 4, 5 and 6, we have ns ≥ 1. Hence for Case 5(j = 13,ns ≥ 3), Case 6(j = 14,ns ≥ 2) and Case 7(j = 15,ns ≥ 1), we have ǫ j 9 ≤ 2j−1 ×(2 −3 ) ns ×(2 −2 ) j−ns = 2 −17 . Case 8: There are more than 15 active S-boxes over nine rounds. Then ǫ j 9 ≤ 2j−1 ×(2 −2 ) j = 2 −j−1 ≤ 2 −17 , for j > 15. ⊓⊔
Page 1 and 2: EPCBC - A Block Cipher Suitable for
Page 3 and 4: Section 5. Hardware implementation
Page 5 and 6: 4.1 Brief Description of PR-n The d
Page 7 and 8: Theorem 4. Let ǫr be the maximal b
Page 9 and 10: fourth round. The attacker launches
Page 11 and 12: data_out 4 data_in data_out 4 data_
Page 13 and 14: It is noteworthy to stress that EPC
Page 15: 45. Virtual Silicon Inc. 0.18 µm V

EPCBC - A Block Cipher Suitable for Electronic Product Code ...

Create successful ePaper yourself

Delete template?

Save as template?