EPCBC - A Block Cipher Suitable for Electronic Product Code ...

More documents

Recommendations

Info

S-box in the round. Otherwise, that round has no active S-box and zero output difference. Then the subsequent nonzero subkey difference when xored with this zero differential will cause an active S-box in the subsequent round. Hence, there are at least two active S-boxes every four rounds of the main cipher when the subkeys have non-zero differential. Hence over 28 rounds of the main cipher, there are at least 6 active S-boxes. This is because there are always at least three blocks of four consecutive rounds of the main cipher with non-zero key differentials. Therefore p c|k ≤ (2 −2 ) 6 = 2 −12 and the related key differential probability satisfies p c|k×pk ≤ 2 −12 ×2 −48 = 2 −60 . Thus the attack complexity of related-key differential attack is at least 2 60 . Moreover, the adversary needs to obtain ciphertexts corresponding to 2 48 related keys, which might be infeasible in practice. Analysis of EPCBC(96,96) We assume minus-4 round attacks, so a distinguisher of EPCBC(96,96) is on 28 rounds. For protection against differential cryptanalysis, we apply Theorem 3 on 28 rounds. The differential characteristic probability is at most: ∆28 ≤ (2 −2 ) 28×2 = 2 −112 < 2 −96 = 2 −blocksize . For protection against linear cryptanalysis, there are three 9-round blocks in 27 out of 28 rounds. By Theorem 4, the linear bias is at most: ǫ27 ≤ (2 2 )×ǫ 3 9 ≤ (2 2 )×(2 −17 ) 3 = 2 −49 < 2 −48 = 2 −blocksize/2 . For protection against related-key differential attack, we need to bound both pk and p c|k as in the proof for EPCBC(48,96). By Theorem 3, pk ≤ 2 −96 . With some simple argument as before, we can prove that there are at least one active S-box every two rounds of the main cipher because the subkeys have non-zero differential. Thus p c|k ≤ (2 −2 ) 14 = 2 −28 and the related-key differential probability satisfies p c|k ×pk ≤ 2 −28 ×2 −96 = 2 −124 < 2 −96 . Thus related-key differential attack is infeasible. 5.2 Other Attacks on EPCBC Integral Attacks The integral attack [31] is a chosen plaintext attack originally applied to byte-based ciphers such as SQUARE and Rijndael. Lucks [37] ported it as the ‘saturation attack’ to Twofish, which is fundamentally a byte-based algorithm incorporating bit-oriented rotations. On this basis, the authors of PRESENT, which contains a bit-based permutation, discarded this attack almost out of hand. In 2008, Z’aba et al. [48] developed the bit-based integral attack, which they applied to very reduced-round versions of Noekeon, Serpent and PRESENT. The attack categorizes each bit or byte across a structure of texts, as to whether or not it is balanced (the sum of its value in each text equals zero). At some point in the evolution of the text through the encryption, the balance property is lost. The attacker can guess parts of the subsequent round key, and partially decrypt this point. If the balance is not restored, the partial round key guess is incorrect. The details of the attack are driven by the structure of the linear permutation rather than of the S-boxes. The attack works best for ciphers in which the block size is less than the size of the secret key. It applies to seven of PRESENT’s 31 rounds, partly due to a weakness in its key schedule that allows 61 bits of round keys 5 and 6 to be deduced by guessing the 64 bits of round key 7. The integral attacks on EPCBC(48, 96) and EPCBC(96, 96) use very similar differentials to those in the PRESENT attack, since the S-box is identical and permutation scaled to a different block size. In particular, the S-box has a probability-one differential 0x1 → w||0x1 for w ∈ {0x1,0x3,0x4,0x6}. In both cases, the attacker uses a structure of sixteen chosen plaintexts. For EPCBC(48, 96), each text in the structure is of the form (c0,c1,c2||j), where c0 and c1 are 16-bit constants, c2 is a 12-bit constant, and j varies from 0 through to 15. This permits a 3.5 round differential similar to that of PRESENT except that the balance of bits relating to S-boxes 2, 5 and 8 are lost in the third rather than
fourth round. The attacker launches an attack on EPCBC(48, 96) reduced to four rounds, recovering 32 bits of the fourth round key with 2 12 partial decryptions, and brute forcing the remaining 16 bits of the key for a total complexity of O(2 16.13 ). The attack can be extended to five rounds, in which the attacker guesses 16 bits of the fifth round key for every four bits of the fourth round key. Due to the structure of the key schedule, the attacker does not need to perform an additional brute force on the fourth round key, so the complexity of the attack on five rounds is O(2 27.9 ). As per the PRESENT attack, a seven round attack can be mounted by adding one round at the beginning of the cipher, and brute forcing the seventh round key for a total complexity of O(2 91.9 ) (due to the structure of the key schedule, the seventh round key does not allow the attacker shortcuts in deducing parts of the sixth round key). ForEPCBC(96,96),theattackerusesastructureof16chosenplaintextsofform(c0,c1,c2,c3,c4,c5||j) where j varies from 0 to 16. This permits the same 3.5 round differential as PRESENT. The attack on 4 rounds has complexity O(2 13.58 ). The structure of the key schedule means that in an attack on five rounds, the attacker can work out the relevant parts of the fourth round key from his guesses on the fifth. The attack can be extended to six rounds with complexity O(2 33.6 ). It is possible to extend the attack to seven rounds, guessing on a set of 64 key bits. The remaining 32 bits of the key can be brute forced. The complexity of the attack is O(2 88 ). Because the point at which the balance property is lost in the structure cannot be easily extended, the number of rounds for which the integral attack is applicable cannot be readily increased. So the full version of EPCBC is immune to integral attacks. Statistical Saturation Attacks Statistical saturation attack (SSA) was first proposed by Collard and Standaert in [16] to cryptanalyze PRESENT. The attack targets mainly the diffusion properties of the permutation layer. By first fixing some plaintext bits, the attacker extracts information about the key by observing non-uniform distributions in the ciphertexts. This leads to an estimated attack against PRESENT up to 24 rounds, using approximately 2 60 chosen plaintexts. Collard and Standaert later proposed the use of multiple trails in [15] which provided experimental evidence that SSA can attack up to 15 rounds of PRESENT with 2 35.6 plaintext-ciphertext pairs. However as noted by the authors, this attack is only of theoretical interest and their results do not threaten the security of PRESENT in practice. Since EPCBC and PRESENT use the same main cipher structure (in particular, the same permutation layer), statistical saturation attack does not work on the full version of EPCBC. Higher Order Differential Attack Higher order differential attack was introduced by Knudsen in [28]. This attack works especially well on block ciphers with components of low algebraic degree such as the KN-Cipher (see [28]), whereby the ciphers can be represented as Boolean polynomials of low degree in terms of the plaintext. The attack requires O(2 d+1 ) chosen plaintext when the cipher has degree d. Hence we are interested in estimating the degree of a composed function G◦F say. Trivially, deg(G ◦ F) ≤ deg(F) × deg(G). A first improvement of the trivial bound was provided by Canteaut and Videau [13] and recently further improved by Boura et al[11]. Recall that the PRESENT S-box has algebraic degree 3. Hence by applying Theorem 2 of [11], from the composition of r S-box layers, the algebraic degree of r rounds of EPCBC is expected to be min(3 r ,blocksize− blocksize−deg(Rr−1 ) ,blocksize−1), 3 where R denotes one round of EPCBC. This implies that EPCBC(48,96) reaches the maximum degree of 47 after 5 rounds while EPCBC(96,96) reaches the maximum degree of 95 after 6 rounds. Thus it is unlikely that higher order differential attack will work on EPCBC which has 32 rounds. Slide Attacks Slide attacks exploit block ciphers that can be broken down into multiple rounds of an identical F function [7,8]. Usually, a block cipher iterates a round function, with a different subkey being
Page 1 and 2: EPCBC - A Block Cipher Suitable for
Page 3 and 4: Section 5. Hardware implementation
Page 5 and 6: 4.1 Brief Description of PR-n The d
Page 7: Theorem 4. Let ǫr be the maximal b
Page 11 and 12: data_out 4 data_in data_out 4 data_
Page 13 and 14: It is noteworthy to stress that EPC
Page 15 and 16: 45. Virtual Silicon Inc. 0.18 µm V
Page 17 and 18: Proof. The result for k = 8 follows

EPCBC - A Block Cipher Suitable for Electronic Product Code ...

Create successful ePaper yourself

Delete template?

Save as template?