EPCBC - A Block Cipher Suitable for Electronic Product Code ...

More documents

Recommendations

Info

3.1 EPCBC(48,96) - EPCBC with 48-bit block size and 96-bit key size The main cipher of EPCBC(48,96) iterates the PR-48 structure for 32 rounds, i.e. it uses the PRESENT description of Section 4.1 with n = 48 and r = 32. Due to n = 48, EPCBC(48,96) will be suited for applications with the key being changed frequently. The choice of r = 32 ensures security of the cipher against differential and linear cryptanalysis as explained in Section 5.1. However, the key schedule of EPCBC(48,96) is different from that of PRESENT. The EPCBC(48,96) key schedule takes in the 96-bit secret key as a 96-bit keystate. The left half of the keystate is taken as the first subkey. Then a variant-Feistel structure is applied to the keystate for 8 rounds. Each nonlinear function F of the Feistel variant consists of 4 rounds of the PR-48 main cipher structure where a subkey is output after each round, giving 8 × 4 + 1 = 33 subkeys in total. The following is a description of the EPCBC(48,96) key schedule where 1Round denotes one round of PR-48 without subkey addition. Subkey[i] represents the subkey for round i of the main cipher. (LKeystate,RKeystate) = 96-bit key Subkey[0] ← LKeystate for i = 0 to 7 do temp ← LKeystate ⊕ RKeystate for j = 0 to 3 do RKeystate ← 1Round(RKeystate) ⊕ (4i+j) Subkey[4i+j +1] ← RKeystate end for LKeystate ← RKeystate RKeystate ← temp end for 3.2 EPCBC(96,96) - EPCBC with 96-bit block size and 96-bit key size The main cipher of EPCBC(96,96) iterates the PR-96 structure for 32 rounds, i.e. it uses the PRESENT description of Section 4.1 with n = 96 and r = 32. The choice of r = 32 ensures security of the cipher against differential and linear cryptanalysis as explained in Section 5.1. The key schedule of EPCBC(96,96) is also different from the PRESENT key schedule. It takes in the 96-bit secret key as a 96-bit keystate, outputs this keystate as the first subkey and applies the PR-96 main cipher structure 1 to it for 32 rounds where a subkey is output after each round. Let 1Round denote one round of PR-96 without subkey addition. Subkey[i] represents the subkey for round i of the main cipher. Keystate = 96-bit key Subkey[0] ← Keystate for i = 0 to 31 do Keystate ← 1Round(Keystate) ⊕ i Subkey[i+1] ← Keystate end for 4 Improved Differential and Linear Cryptanalyis of PR-n As we are using the structure of PRESENT for the main cipher of EPCBC, we did a security analysis of n-bit block size PRESENT (PR-n) against differential and linear cryptanalysis, and, we obtained new results. We first give a brief description of PR-n. 1 Note that the hash function WHIRLPOOL[3] and the block cipher SMS4[19] also use an identical function for both their main cipher and key schedule.
4.1 Brief Description of PR-n The detailed description of PRESENT can be found in [10]. The r-round encryption of the plaintext STATE can be written at a top-level as follows: for i = 1 to r do STATE ← STATE ⊕ eLayer(KEY, i) STATE ← sBoxLayer(STATE) STATE ← pLayer(STATE) KEY ← genLayer(KEY, i) end for STATE ← STATE ⊕ eLayer(KEY, r +1) The eLayer describes how a subkey is combined with a cipher STATE, sBoxLayer (S-box layer) and pLayer (permutation layer) describe how the STATE evolves, and genLayer is used to describe the generation of the next subkey. According to [9], the building blocks sBoxLayer and pLayer can be generalized for n-bit block size PRESENT: 1. sBoxLayer: This denotes use of the PRESENT 4-bit to 4-bit S-box S and is applied n 4 times in parallel. 2. pLayer: This is an extension of the PRESENT bit-permutation[10] and moves bit i of STATE to bit position P(i), where � i· P(i) = n 4 (mod n−1), if i ∈ {0,1,··· ,n−2} n−1, if i = n−1. The sBoxLayer Denote the Fourier coefficient of a S-box S by S W b (a) = � (−1) 〈b,S(x)〉+〈a,x〉 . x∈F 4 2 Then the properties of the 4-bit PRESENT S-boxes can be described as follows: S1. For any fixed non-zero input difference ∆I ∈ F 4 2 and any fixed non-zero output difference ∆O ∈ F 4 2, #{x ∈ F 4 2 | S(x)+S(x+∆I) = ∆O} ≤ 4. S2. For any fixed non-zero input difference ∆I ∈ F 4 2 and any fixed non-zero output difference ∆O ∈ F 4 2 such that wt(∆I) = wt(∆O) = 1, {x ∈ F 4 2 | S(x)+S(x+∆I) = ∆O} = ∅. S3. For all non-zero a ∈ F4 2 and all non-zero b ∈ F4 2, it holds that |SW b (a)| ≤ 8. S4. For all non-zero a ∈ F4 2 and all non-zero b ∈ F4 2 such that wt(a) = wt(b) = 1, it holds that SW b (a) = ±4. As in the case of PRESENT [10], for PR-n where 16|n, we divide the n 4 S-boxes into groups of four as follows: – Number the S-boxes from 0 to ( n 4 −1) in a right-to-left manner. – Then Group j comprises S-boxes 4(j−1), 4(j−1)+1, 4(j−1)+2 and 4(j−1)+3 for j = 1,2,··· , n 4 .
Page 1 and 2: EPCBC - A Block Cipher Suitable for
Page 3: Section 5. Hardware implementation
Page 7 and 8: Theorem 4. Let ǫr be the maximal b
Page 9 and 10: fourth round. The attacker launches
Page 11 and 12: data_out 4 data_in data_out 4 data_
Page 13 and 14: It is noteworthy to stress that EPC
Page 15 and 16: 45. Virtual Silicon Inc. 0.18 µm V
Page 17 and 18: Proof. The result for k = 8 follows

EPCBC - A Block Cipher Suitable for Electronic Product Code ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?