EPCBC - A Block Cipher Suitable for Electronic Product Code ...

More documents

Recommendations

Info

The pLayer For n ≥ 64, the (generalized) pLayer observe the following properties: P1. The input bits to an S-box come from 4 distinct S-boxes of the same group. P2. The input bits to a group of four S-boxes come from 16 different S-boxes. P3. The four output bits from a particular S-box enter four distinct S-boxes, each of which belongs to a distinct group of S-boxes in the subsequent round. P4. The output bits of S-boxes in distinct groups go to distinct S-boxes. For PR-48, observe that while P1 and P4 are still true, P2 and P3 do not hold. Instead of P3, PR-48 (and in fact PR-n for all n, 16|n) obeys the following: P3 ′ . The four output bits from a particular S-box enter four distinct S-boxes. In the remaining of this paper, we only consider PR-n where 16|n. 4.2 Improved Differential and Linear cryptanalysis Differential and linear cryptanalysis are among the most powerful techniques available to the cryptanalyst. In order to evaluate the resistance of a block cipher to differential and linear cryptanalysis, we provide a lower bound to the number of active S-boxes involved in a differential/linear characteristic. We first prove new bounds for the differential and linear resistance of PRESENT-n which are of particular interest with regards to n < 64. Theorem 1. Any 4-round differential characteristic of PR-n has a minimum of 6 active S-boxes. Proof. Suppose there are at most 5 active S-boxes for four consecutive rounds. The numbers of active S-boxes in the four consecutive rounds takes up one of the following patterns: 1-1-1-1, 2-1-1-1, 1-2-1-1, 1-1-2-1, or 1-1-1-2. But the patterns 1-1-1 and and 1-2-1 are impossible by virtue of S2 and P3’. The result now follows. ⊓⊔ Theorem 2. Let ǫ4 be the maximal bias of a linear approximation of 4 rounds of PR-n. Then ǫ4 ≤ 2 −7 . Proof. The proof is similar to that of [10, Theorem 2]. However note that when n < 64, the patterns (denoting the numbers of active S-boxes over four consecutive rounds) 1-2-1-1 and 1-1-2-1 are now allowed, in addition to the existing patterns of [10, Theorem 2]. But due to P3 ′ , we must have at least one active S-box with single-bit approximation over four rounds for all possible patterns. It follows that ǫ4 ≤ 2 4 ×(2 −3 )×(2 −2 ) 4 ≤ 2 −7 , as desired. ⊓⊔ Remark 1. ThenewboundsinTheorems1and2areneededwhenanalyzingthesecurityofEPCBC(48,96) against DC and LC because the block size n = 48 is less than 64. In the remaining of this section, we state the improved and generalized results on the differential and linear probability bounds of [10]. As many technicalities and rigorous arguments are involved, we have included the formal proofs of the theorems in Appendix A.1. Theorem 3. For n ≥ 64, the r-round differential characteristic of PR-n has a minimum of 2r active S-boxes for r ≥ 5. Remark 2. Note that if we have used the differential bound in [10, Theorem 1], we would only be able to deduce 10 (differential) active S-boxes every 5 rounds. For example, if there are 14 rounds, [10, Theorem 1] would give 20 active S-boxes from 10 out of 14 rounds, the security margin from the remaining 4 rounds is not captured. In contrast, Theorem 3 would give us 28 active S-boxes from 14 rounds.
Theorem 4. Let ǫr be the maximal bias of a linear approximation of r rounds of PR-n where n ≥ 64. Then ǫr ≤ 2 −2r+1 for r = 4,5,6,7,8 and 9. Remark 3. Note that [10, Theorem 2] only proves the LC bound for 4 rounds. If we consider linear cryptanalysis over e.g. 11 rounds, then applying [10, Theorem 2] would give us: ǫ11 ≤ 2×ǫ4 ×ǫ4 ≤ 2×2 −7 ×2 −7 = 2 −13 , which only uses 8 out of 11 rounds, and the security margin from the remaining 3 rounds is not captured. If we apply Theorem 4, we obtain the tighter (better) bound: ǫ11 ≤ 2×ǫ5 ×ǫ6 ≤ 2×2 −9 ×2 −11 = 2 −19 . Theorem 4 enables us to use all 11 rounds in deriving the linear probability bound for PR-n, n ≥ 64. Remark 4. Note also that the linear probability bound for 8 rounds, which is given by ǫ8 ≤ 2 −15 , is better than applying the bound for 4 rounds twice, which is given by 2×(ǫ4) 2 ≤ 2 −13 . 5 Security Analysis of EPCBC We now present the results of a security analysis of EPCBC. 2 5.1 Differential, Linear and Related-Key Differential Cryptanalysis Analysis of EPCBC(48,96) We assume minus-4 round attacks, so a distinguisher of EPCBC(48,96) is on 28 rounds. For protection against differential cryptanalysis, there are seven 4-round blocks in 28 rounds. By Theorem 1, the differential characteristic probability is at most: ∆28 ≤ [(2 −2 ) 6 ] 7 = 2 −84 < 2 −48 = 2 −blocksize . For protection against linear cryptanalysis, there are seven 4-round blocks in 28 rounds. By Theorem 2, the linear bias is at most: ǫ28 = (2 6 )×(ǫ4) 7 ≤ (2 6 )×(2 −7 ) 7 = 2 −43 < 2 −24 = 2 −blocksize/2 . For protection against related-key differential cryptanalysis, we consider the related key differential characteristic probability, given by p c|k×pk. p c|k is the differential characteristic probability of the main cipher conditioned on subkey differential and pk is the differential characteristic probability of the key schedule. We first bound pk which is the differential probability of the key schedule. A minus-4 round attack would involve 7 variant-Feistel rounds of the key schedule. By Theorem 1, every 4-round nonlinear functionF ofthevariant-Feistelstructureinthekeyschedulehasdifferentialprobabilityatmost(2 −2 ) 6 = 2 −12 . It is easy to deduce that there are at least two active nonlinear functions F for every three rounds of the variant-Feistel structure. We consider all three possible cases: (∆LKeystate,0), (0,∆RKeystate) and (∆LKeystate,∆RKeystate) �= (0,0). Based on the structure of the variant-Feistel, it can then be shown directly that at least two of the three nonlinear functions have non-zero input differentials. Thus over 6 rounds of the key schedule, we have pk ≤ [(2 −12 ) 2 ] 2 = 2 −48 . By the key schedule design, we see that the differential of four consecutive subkeys are either all zero or all non-zero. In the case when the subkeys have non-zero differential, for a particular round of the main cipher, if the input differential is not cancelled by the key difference, then we have at least an active 2 We leave the analysis of linear hull effect on EPCBC as future work.
Page 1 and 2: EPCBC - A Block Cipher Suitable for
Page 3 and 4: Section 5. Hardware implementation
Page 5: 4.1 Brief Description of PR-n The d
Page 9 and 10: fourth round. The attacker launches
Page 11 and 12: data_out 4 data_in data_out 4 data_
Page 13 and 14: It is noteworthy to stress that EPC
Page 15 and 16: 45. Virtual Silicon Inc. 0.18 µm V
Page 17 and 18: Proof. The result for k = 8 follows

EPCBC - A Block Cipher Suitable for Electronic Product Code ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?