Less Beaten Paths

In document A Salad of Block Ciphers (Page 67-71)

1.10.1 Taking Inspiration From Stream Ciphers

In 1999 [GG99] Guang Gong and Solomon Golomb observed that many block ciphers can be viewed as a Non Linear Feedback Shift Register (NLFSR) with input. This includes most SPN and Feistel Network designs.

From their analysis they concluded that the S-box should not only not be approximated by a linear function, but it should also not be approximated by a monomial. One can thus ask whether one should turn their remark into a design concept, and explicitly use NLFSRs to design block ciphers: the plaintext is used to initialize the state, the key provides the input, and the state after sufficiently many rounds is the ciphertext. The key observation here is that the changes per round may be minimal, but they can be expressed as nonlinear, non-monomial transforms of low degree, and a round can be executed extremely quickly – therefore one can pile up enough rounds to get the desired confusion and diffusion and at the same time guarantee that the cipher can only be approximated by a polynomial of prohibitively high degree.

This approach was in fact realized already in the mid 80's in the design of KeeLoq (Section 3.3.3 on page 138). KATAN (Section 3.31 on page 209) is another, more recent, example of such a cipher.

Other ciphers take inspiration from stream ciphers for the key schedule. For instance, SIMON and SPECK (Section 3.36 on page 222) use LFSRs to generate the round keys.
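As an added illustration of the NLFSR-with-input idea (this is not code from the book, nor from KeeLoq or KATAN), the following Python toy cipher initialises a register with the plaintext, feeds one key bit per round into a nonlinear, non-monomial feedback of degree 3, and takes the register after a number of rounds as the ciphertext. The 12-bit state, the feedback taps and the one-bit-per-round key schedule are all hypothetical choices made for this example. The `algebraic_degree` routine converts the truth table of each ciphertext bit into its algebraic normal form with the Möbius transform, so one can watch the degree of the cipher as a polynomial in the plaintext bits grow with the round count, which is exactly the effect the paragraph relies on.

```python
"""Toy NLFSR-with-input block cipher plus an algebraic-degree measurement.
Added example: the state size, feedback function and key schedule are
hypothetical choices for this illustration, not those of any real cipher."""

N = 12           # state size in bits (toy value; real designs use far more)
KEY_BITS = 32    # hypothetical key length


def feedback(s, kbit):
    """Nonlinear, non-monomial feedback of low degree (degree 3) plus a key bit.
    s[0] appears linearly, which keeps every round invertible."""
    return s[0] ^ s[3] ^ (s[5] & s[8]) ^ (s[1] & s[7] & s[10]) ^ kbit


def round_keys(key, rounds):
    """Hypothetical schedule: one key bit per round, cycling through the key."""
    return [(key >> (i % KEY_BITS)) & 1 for i in range(rounds)]


def to_bits(v):
    return [(v >> i) & 1 for i in range(N)]


def from_bits(s):
    return sum(b << i for i, b in enumerate(s))


def encrypt(pt, key, rounds):
    """The plaintext initialises the register, the key is the per-round input,
    and the register after `rounds` clocks is the ciphertext."""
    s = to_bits(pt)
    for kb in round_keys(key, rounds):
        s = s[1:] + [feedback(s, kb)]      # shift out s[0], append the new bit
    return from_bits(s)


def decrypt(ct, key, rounds):
    """Run the register backwards: the bit that was shifted out is recovered
    from the feedback value because feedback() is linear in s[0]."""
    s = to_bits(ct)
    for kb in reversed(round_keys(key, rounds)):
        f = s[-1]
        prev = [0] + s[:-1]                # prev[0] unknown, provisionally 0
        prev[0] = f ^ feedback(prev, kb)   # solve feedback(prev, kb) == f
        s = prev
    return from_bits(s)


def algebraic_degree(key, rounds):
    """Largest algebraic degree over all ciphertext bits, as polynomials in the
    N plaintext bits for a fixed key. The truth table of each output bit is
    turned into its algebraic normal form with the Moebius transform."""
    size = 1 << N
    cts = [encrypt(x, key, rounds) for x in range(size)]
    best = 0
    for j in range(N):
        coef = [(c >> j) & 1 for c in cts]   # truth table of output bit j
        for i in range(N):
            bit = 1 << i
            for x in range(size):
                if x & bit:
                    coef[x] ^= coef[x ^ bit]
        deg = max((bin(x).count("1") for x in range(size) if coef[x]), default=0)
        best = max(best, deg)
    return best


if __name__ == "__main__":
    key = 0xC0FFEE
    for r in (0, 1, 12, 24, 48):
        print(f"{r:3d} rounds: max degree {algebraic_degree(key, r)}")
```

After one round only the newest bit is nonlinear (degree 3); after 12 rounds every state bit has been replaced by a feedback value, and the degree keeps climbing with further rounds until it is capped at N − 1 = 11, the maximum for any component of a permutation.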

1.10.2 Hybrid Designs

Because of the countless variations in Feistel, SPN and Lai-Massey designs, unavoidably there are ciphers which resemble more than one design, or even combine them.

TWINE (Section 3.34 on page 215) blurs the line between the classic Feistel and SP networks: it is a Feistel-like design with a total of 16 branches, and the branches are shuffled by a complex permutation based on colored de Bruijn graphs in place of a simple cyclic rotation. Therefore we have a "partial" substitution layer alternated with a bit-permutation layer that operates on 16 nibbles. We discussed shuffle design in Subsection 1.8.2 on page 44.

ZORRO (cf. Subsection 3.38.2 on page 231) is an AES-like cipher that represents its state as 16 nibbles, so it is an SPN. But at each round the S-boxes are applied only to four of the 16 nibbles. This means that the cipher can be viewed as a Matsui-like Feistel Network with linear mixing layers in place of the branch permutations.

SC2000 (cf. Section 3.22 on page 194) is unique in that it mixes SPN-like and Feistel-type rounds in the data obfuscation path: it is the only such cipher we are aware of.

The Bielorussian standard block cipher BEL-T (Section 3.33 on page 214) combines Feistel rounds with Lai-Massey rounds in a single round.

1.10.3 Decorrelation Theory

Serge Vaudenay presented in [Vau98b], and further analysed in [Vau03], methods to harden a cipher against linear and differential attacks. To achieve this he introduced the concept of decorrelation, which measures the "distance" of a cipher from a perfect cipher with respect to linear and differential properties.

Decorrelation is defined as follows:

• Given a function $F$ from a given set $\mathcal{M}$ to a given set $\mathcal{N}$ and an integer $d$, the $d$-wise distribution matrix $[F]^d$ of $F$ is defined as the $\mathcal{M}^d \times \mathcal{N}^d$-matrix whose $(x, y)$-entry, for the multipoints $x = (x_1, \dots, x_d) \in \mathcal{M}^d$ and $y = (y_1, \dots, y_d) \in \mathcal{N}^d$, is the probability that $F(x_i) = y_i$ for $i = 1, \dots, d$.

• Given two functions $F$ and $G$ from a given set $\mathcal{M}$ to a given set $\mathcal{N}$, an integer $d$ and a multiplicative distance $L$ over the vector space $\mathbb{R}^{\mathcal{M}^d \times \mathcal{N}^d}$ defined by a matrix norm, we call $L([F]^d, [G]^d)$ the $d$-wise $L$-decorrelation between $F$ and $G$.

The goal of the designers of block ciphers is to minimise the decorrelation between their functions and an ideal cipher with respect to suitable metrics. If we define $L([F]^d)$ as $L([F]^d, [C^*]^d)$, where $C^*$ is an ideal cipher, then from the multiplicative property of matrix norms it holds that

$$L([F \circ G]^d) \leqslant L([F]^d) \cdot L([G]^d) .$$

This enables designers to build block ciphers with bounded, low decorrelation by composing such functions. Taking $d = 1$ allows one to bound resistance against linear cryptanalysis, and $d = 2$ against linear and (first order) differential cryptanalysis. The number $d$ is called the order of the attack; hence in Vaudenay's terminology [Vau99c] linear cryptanalysis is an iterated attack of order one and differential cryptanalysis is an iterated attack of order two.

Vaudenay considers various norms, such as the $L_2$ norm, the infinity weighted pseudo-norm $N_\infty$, the $L_\infty$-associated matrix norm $|||\cdot|||_\infty$, and a new norm $\|\cdot\|_a$ defined in [Vau99a] as

$$\|M\|_a = \max_{x_1} \sum_{y_1} \max_{x_2} \sum_{y_2} \cdots \max_{x_d} \sum_{y_d} \left| M_{x, y} \right|$$

which is designed to model adaptive attacks. These norms serve to easily compute bounds on the success probabilities of guessing the output of a cipher, which can then be readily translated into attack complexities.

An important result of Vaudenay's regards Feistel ciphers. Theorem 9 of [Vau98b] states:

Let $F_1, \dots, F_r, R$ be $r$ independent functions on $\mathcal{M}$ where $R$ has a uniform distribution and such that $|||[F_i]^d - [R]^d|||_\infty \leqslant \epsilon$ for $i = 1, \dots, r$. Let $\Psi(F_1, \dots, F_r)$ denote the Feistel cipher with $F_1, \dots, F_r$ as F-functions and $C^*$ the corresponding perfect cipher. For any $k \geqslant 3$ we have:

$$\left|\left|\left| [\Psi(F_1, \dots, F_r)]^d - [C^*]^d \right|\right|\right|_\infty \leqslant \left( (1 + \epsilon)^k - 1 + \frac{2 d^2}{\sqrt{\#\mathcal{M}}} \right) .$$

This makes the $|||\cdot|||_\infty$-decorrelation a useful tool for constructing Feistel ciphers. (Similar results are proved in [Vau03] for Lai-Massey ciphers with orthomorphisms; this type of cipher is defined in Section 1.5 on page 37.)

Decorrelation is achieved using decorrelation modules, i.e. simple functions for which the decorrelation can be easily computed, which are then composed to construct a product cipher. An important class of decorrelation modules has the form

$$F(x) = k_1 + k_2 \cdot x \qquad (1.11)$$

over a finite field $\mathbb{F}$, where $k_1$ and $k_2$ are secret keys taken uniformly from $\mathbb{F}$ and $\mathbb{F}^*$ respectively. In Vaudenay's terminology, this is a Type II NUT ($n$-Universal Transformation), and this function offers perfect decorrelation, i.e. it has the same decorrelation as a perfect cipher over $\mathbb{F}$.
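To make the two definitions above and the claim about (1.11) concrete, the following added Python example (not the book's or Vaudenay's code) enumerates every key of two keyed families over the small prime field GF(17), an assumed toy size, builds their exact 2-wise distribution matrices $[F]^2$ with rational arithmetic, and measures the $|||\cdot|||_\infty$ decorrelation from $[C^*]^2$, the matrix of a uniformly random permutation. The Type II NUT $F(x) = k_1 + k_2 \cdot x$ attains decorrelation 0, while plain key addition $F(x) = k + x$ does not: the difference of its two outputs is fixed by the difference of the inputs, which is precisely the differential structure decorrelation is meant to measure.

```python
"""Added example: exact 2-wise distribution matrices and |||.|||_inf
decorrelation of two keyed families over GF(P). The field size P = 17 is an
assumed toy value so that every key can be enumerated exactly."""
from collections import defaultdict
from fractions import Fraction

P = 17  # prime, so Z/PZ is a finite field


def dist_matrix_2(family):
    """[F]^2 for a keyed family given as a list of functions on range(P), one
    per key, all keys equally likely. Returned as {((x1, x2), (y1, y2)): Pr}."""
    m = defaultdict(Fraction)
    w = Fraction(1, len(family))
    for f in family:
        ys = [f(x) for x in range(P)]
        for x1 in range(P):
            for x2 in range(P):
                m[((x1, x2), (ys[x1], ys[x2]))] += w
    return m


def ideal_perm_matrix_2():
    """[C*]^2 for a uniformly random permutation of range(P)."""
    m = {}
    for x1 in range(P):
        for x2 in range(P):
            for y1 in range(P):
                for y2 in range(P):
                    if x1 == x2:          # equal inputs force equal outputs
                        pr = Fraction(1, P) if y1 == y2 else 0
                    else:                 # distinct inputs: any distinct pair
                        pr = Fraction(1, P * (P - 1)) if y1 != y2 else 0
                    if pr:
                        m[((x1, x2), (y1, y2))] = pr
    return m


def inf_norm_distance(a, b):
    """|||A - B|||_inf: the largest absolute row sum of A - B."""
    rows = defaultdict(Fraction)
    for key in set(a) | set(b):
        rows[key[0]] += abs(a.get(key, 0) - b.get(key, 0))
    return max(rows.values())


def type2_nut_family():
    """F(x) = k1 + k2 * x over GF(P), k1 uniform in F, k2 uniform in F* (1.11)."""
    return [lambda x, k1=k1, k2=k2: (k1 + k2 * x) % P
            for k1 in range(P) for k2 in range(1, P)]


def key_addition_family():
    """Weaker module for contrast: F(x) = k + x with a single uniform key."""
    return [lambda x, k=k: (k + x) % P for k in range(P)]


def decorrelation_2(family):
    """2-wise |||.|||_inf decorrelation of the family from a perfect cipher."""
    return inf_norm_distance(dist_matrix_2(family), ideal_perm_matrix_2())


if __name__ == "__main__":
    print("Type II NUT  :", decorrelation_2(type2_nut_family()))    # 0
    print("key addition :", decorrelation_2(key_addition_family()))  # 15/8
```

For key addition the value $2(P-2)/(P-1) = 15/8$ can be checked by hand: for inputs $x_1 \neq x_2$ the family puts probability $1/P$ on each of the $P$ output pairs with $y_2 - y_1 = x_2 - x_1$ and nothing elsewhere, whereas a random permutation spreads $1/(P(P-1))$ over all $P(P-1)$ distinct pairs.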

If on the other hand the function defined in (1.11) is considered modulo $p$, where $p = (1 - \delta) 2^m$ with $0 < \delta < 1/14$, but $k_1, k_2$ are independent uniformly distributed random variables in $\mathcal{M} := [0..2^m - 1]$, and $F^*$ is a uniformly distributed random function from $\mathcal{M}$ to $\mathcal{M}$, then $\|[F]^2 - [F^*]^2\|_2 \leqslant \sqrt{8\delta}$. Thus, this type of decorrelation module can be used to provide resistance against differential cryptanalysis.

A total of six different types of NUTs are discussed in [Vau03]. An important class is the Type IV NUT, of the form

$$F(x) = \left( k_1 + k_2 x + k_3 x^2 + \cdots + k_d x^{d-1} \bmod p \right) \bmod 2^m$$

where $p$ is a prime that this time is just slightly larger than $2^m$. These NUTs are designed to provide resistance against adaptive adversaries evaluated by the $\|\cdot\|_a$ norm. The bound on the decorrelation is in this case given by $\|[F]^d - [F^*]^d\|_a \leqslant 2((1 + \delta)^d - 1)$.

The DFC cipher (Subsection 3.19.2 on page 179) uses a Type IV linear NUT (i.e. with $d = 2$) that mixes arithmetic modulo $2^{64} + 13$ and $2^{64}$.

Because of the form of many of Vaudenay's decorrelation modules, his approach can thus be viewed as a formalisation, generalisation and quantification of the use of different, mutually algebraically incompatible arithmetic operations for the purpose of achieving non-linearity (Section 1.9 on page 56).

Besides DFC, ciphers constructed according to this principle include the COCONUT, PEANUT and WALNUT families (presented in [Vau98b]), and DONUT [CLLL00]. The 64-bit block cipher COCONUT consists of two small Feistel ciphers with a state-wide decorrelation module (a Type II NUT over $\mathbb{F}_{2^{64}}$) in the middle, the drawback being that decryption requires a field inversion.

Most of the decorrelation theory is developed under the assumption that the different functions used in a single cipher are independent. In practice, however, these are instances of just a few types of keyed functions with different round keys. Indeed, in Vaudenay's own words [Vau03], "One problem with the COCONUT, PEANUT, or WALNUT constructions is that they require a long key (in order to make the internal random functions independent). In real-life examples we can generate this long key by using a pseudorandom generator fed with a short key, but the results on the security based on decorrelation are no longer valid. However, provided that the pseudorandom generator produces outputs which are indistinguishable from truly random sequences, we can still prove the security." This puts considerable weight on a proper key schedule when designing with decorrelation theory, and makes the theory difficult to use in the context of lightweight block cipher design in most circumstances.

Serge Vaudenay has made a wealth of information about DFC and the theory of decorrelation modules available online [Vau00, Vau02].

In 2006 two papers coauthored by Thomas Baignères and Matthieu Finiasz were published that present an interesting application of decorrelation theory. These deal with the block ciphers "C" [BF06a] and KFC, the "Krazy Feistel Cipher" [BF06b].

The cipher C follows the same SPN as the AES (Section 3.20 on page 182), i.e. the wide trail design represented in Figure 1.5 on page 35, but with the following differences: there is no round key addition, and the substitution layer is formed by 16 independent perfectly random permutations instead of 16 copies of a fixed substitution box. Here, "perfectly random" means that the permutations are uniformly chosen among all permutations of a given set, and "independent" refers to the fact that a (pseudo) random number generator is used to select them. Since an arbitrary permutation of the set $S = [0..255]$ can be described by $\lceil \log_2(2^8!) \rceil = 1{,}684$ bits, an algorithm is provided to turn 1,684 bits into a permutation of $S$, and the key schedule expands the secret key to $160 \times 1{,}684 = 269{,}440$ bits to describe a total of 160 random permutations on $S$. The key expansion uses the Blum-Blum-Shub (BBS) PRNG, i.e. the PRNG proposed in 1986 by Lenore Blum, Manuel Blum and Michael Shub in [BBS86], which consists of repeated squaring of a seed modulo an RSA modulus.

Resistance to linear and differential cryptanalysis, including impossible differential cryptanalysis, is proved, but the key schedule makes the algorithm impractical in many contexts.

In order to optimise this construction, a smaller set $\mathcal{D}$ of mutually decorrelated S-boxes is used in [BF06a]. Some options are given by the following families of permutations, which guarantee protection against order one and two attacks, i.e. against linear and differential cryptanalysis:

• The set $\mathcal{D} = \{ X \mapsto A \oplus B \cdot S(X) \mid A, B \in \mathbb{F}_{2^8}, B \neq 0 \}$ defined by Kazumaro Aoki and Serge Vaudenay in [AV03], where $S$ is any fixed permutation of $\mathbb{F}_{2^8}$ and "$\cdot$" is field multiplication.

• The set $\mathcal{D} = \{ X \mapsto A \oplus B \cdot X^{-1} \mid A, B \in \mathbb{F}_{2^8}, B \neq 0 \}$, defined in [BF06a].

Each element in these sets can be defined by 16 output bits of the BBS PRNG, where the values corresponding to $B = 0$ are skipped and the next value is used, so on average 2,570 output bits are needed in place of 269,440. It is proved that the permutation-family reduced versions of the cipher are no less secure than the general version. Another optimisation option is to use a different PRNG, for instance a fast stream cipher, to speed up the key schedule (however, this in general loses some of the assumptions upon which the proofs of security of C rely).
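As an added example (not the authors' code, and not the actual key schedule of C), the following Python snippet samples S-boxes from the second family above, $X \mapsto A \oplus B \cdot X^{-1}$ over $\mathbb{F}_{2^8}$, by drawing 16 PRNG bits per S-box, redrawing whenever $B = 0$, and checking that each sampled table is a permutation. The $\mathbb{F}_{2^8}$ reduction polynomial (the AES polynomial $x^8 + x^4 + x^3 + x + 1$) and the tiny Blum-Blum-Shub modulus used as the bit source are assumptions made for this illustration; the BBS primes are far too small for real use and only show the mechanics of the key expansion.

```python
"""Added example: sampling S-boxes X -> A xor B * X^-1 over GF(2^8) from
16 PRNG bits each, skipping draws with B == 0. The reduction polynomial and
the toy BBS modulus are assumptions for this illustration."""


def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial 0x11b (assumed)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Inverse via a^(2^8 - 2); 0 maps to 0 by convention, so X -> X^-1 is a bijection."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def sbox_from_ab(a, b):
    """Table of X -> a xor b * X^-1; a permutation of [0..255] exactly when b != 0."""
    return [a ^ gf_mul(b, gf_inv(x)) for x in range(256)]


def is_permutation(table):
    return sorted(table) == list(range(256))


class BBS:
    """Blum-Blum-Shub: x <- x^2 mod n, emit the least significant bit.
    n = 10007 * 10039 (both primes congruent to 3 mod 4) is a toy modulus."""

    def __init__(self, seed, n=10007 * 10039):
        self.x, self.n = seed, n

    def next_bits(self, count):
        v = 0
        for _ in range(count):
            self.x = self.x * self.x % self.n
            v = (v << 1) | (self.x & 1)
        return v


def sample_sbox(next_bits):
    """Draw 16 bits -> (A, B). Redraw while B == 0 (B must lie in GF(2^8)*).
    Returns the S-box table and the number of PRNG bits consumed."""
    used = 0
    while True:
        v = next_bits(16)
        used += 16
        a, b = v >> 8, v & 0xFF
        if b != 0:
            return sbox_from_ab(a, b), used


def scripted_bits(words):
    """Bit source replaying fixed 16-bit words (constructed test input)."""
    it = iter(words)
    return lambda count: next(it)


if __name__ == "__main__":
    gen = BBS(seed=3)
    total = 0
    for _ in range(160):                    # C needs 160 S-boxes
        table, used = sample_sbox(gen.next_bits)
        total += used
        assert is_permutation(table)
    print(f"160 S-boxes from {total} BBS bits (vs 269,440 for arbitrary permutations)")
```

Because a draw is rejected only when the low byte is zero, the expected cost is $16 \cdot 256/255$ bits per S-box, which over 160 S-boxes gives the roughly 2,570 bits quoted above.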

The analysis framework is the one developed in [BV05] by Thomas Baignères and Serge Vaudenay to analyse the intrinsic security of the AES SPN.

One issue with C is that it requires random permutations, whereas using random functions would make the whole key scheduling process faster. This is solved in the design of KFC. KFC is a three round Feistel network where the F-function is an SPN constructed similarly to C, but using random functions in place of random permutations; the resulting function is no longer injective, but this is not a problem in a Luby–Rackoff cipher. In order to make it difficult for an attacker to successfully exploit collisions, the first and last substitution layers are still constructed from random permutations.

Pierre-Alain Fouque and Pierre Karpman in [FK13a, FK13b] strengthen the FX construction (Section 1.6 on page 38) against MITM attacks (Section 2.4 on page 97) by using families of decorrelation modules (parametrised by keys) in place of simple key whitening.
