The primary objective of a designer is to approximate ideal block ciphers, even though the design of block ciphers is assumed to be highly structured. Such structure within block ciphers is inevitable, since it is impractical to store $2^{n_k}$ truly randomly chosen permutations on $\mathbb{F}_2^{n_b}$. However, even ideal block ciphers (Def. 2) remain susceptible to a certain class of black-box attacks known as generic attacks, i.e., attacks that do not exploit the internal structure of the block cipher. Section 2.5.1 elaborates on the various black-box attacks.
2.2.1 Confusion and Diffusion
Within the field of block cipher design, Shannon [99] laid the foundation in 1949 by introducing the concepts of confusion and diffusion, concepts that are still widely considered today in the process of designing new block ciphers. The motivation behind these concepts is to hide the redundancy inherently present in the plaintext. Both concepts can be described as follows:

Confusion captures the complex way in which the ciphertext bits depend on the plaintext bits and key bits. The goal is to make this relationship as complicated as possible, such that it is hard (and preferably impossible) to exploit in an attack. Basic components achieving confusion are non-linear substitution boxes (S-boxes), which are typically implemented as lookup tables (see Def. 3 below). However, the storage requirement of lookup tables (see Property 1 below) imposes a restriction on their input size.

Diffusion captures the influence of each plaintext bit and each key bit on the ciphertext bits. The goal is to make this influence as large as possible. The block cipher should exhibit the property that flipping a single plaintext bit or key bit results in flipping each ciphertext bit with probability $\tfrac{1}{2}$. This propagation property is known as the avalanche effect. Basic components achieving diffusion are (i) linear diffusion boxes (D-boxes) comprising wide linear operations or (ii) permutations operating at bit level or at the level of bundles of bits (e.g., at byte level), also referred to as bit transpositions or bundle transpositions respectively. In contrast to the non-linear S-boxes, there is no restriction on the input size of these diffusion components. Typically, a strong block cipher contains a high degree of confusion and diffusion; this requires a close interaction between the following three operations: substitutions, linear operations and transpositions. Later, in Sect. 2.5.1, some desirable properties of S-boxes and diffusion components are discussed with respect to differential and linear cryptanalysis.
Definition 3 (Lookup table). A lookup table $L$ mapping $m$ bits to $n$ bits is a specific representation of any given function $f : \mathbb{F}_2^m \to \mathbb{F}_2^n$, i.e., $L$ is an array of $2^m$ $n$-bit entries, denoted by $L[i]$ for $i = 0, 1, \ldots, 2^m - 1$, with $L[i] = f(\mathrm{bin}(i))$, where $\mathrm{bin}(i) \in \mathbb{F}_2^m$ denotes the binary representation of $i$.
Property 1 (Storage requirement of a lookup table). A lookup table mapping $m$ bits to $n$ bits requires a total of $2^m \cdot n$ bits of storage. As this amount is exponential in the table's input size $m$ (measured in bits), the storage requirement quickly becomes impractical for large $m$.
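To make Definition 3 and Property 1 concrete, the following Python code (an added example, not part of the original text) builds the lookup table $L$ of a function $f$ that is given as a bit-level rule, computes the storage requirement $2^m \cdot n$, and checks whether the table is a permutation, which is what an S-box needs to be if the round transformation containing it has to be invertible. All helper names and the three sample functions are constructed for this illustration.

```python
# Added example (not from the original text): lookup-table representation of a
# function f : F_2^m -> F_2^n (Definition 3) and its storage cost (Property 1).
# All function names and the sample functions below are constructed for illustration.


def to_bits(x: int, width: int) -> tuple:
    """bin(x): the width-bit binary representation of x, most significant bit first."""
    return tuple((x >> (width - 1 - j)) & 1 for j in range(width))


def build_lut(f, m: int, n: int) -> list:
    """Return the lookup table L with L[i] = f(bin(i)) for i = 0, 1, ..., 2^m - 1.

    f receives bin(i) as a tuple of m bits and must return a tuple of n bits;
    each entry is stored as an n-bit integer.
    """
    table = []
    for i in range(2 ** m):
        out = f(to_bits(i, m))
        if len(out) != n or any(b not in (0, 1) for b in out):
            raise ValueError("f must return exactly n bits")
        table.append(int("".join(str(b) for b in out), 2))
    return table


def storage_bits(m: int, n: int) -> int:
    """Property 1: 2^m entries of n bits each."""
    return (2 ** m) * n


def is_bijective(table: list, m: int, n: int) -> bool:
    """An S-box inside an invertible round transformation must be a permutation:
    m == n and every n-bit value occurs exactly once in the table."""
    return m == n and sorted(table) == list(range(2 ** n))


def invert_lut(table: list, n: int) -> list:
    """Inverse table of a bijective lookup table, i.e. the representation of f^{-1}."""
    inverse = [None] * (2 ** n)
    for x, y in enumerate(table):
        inverse[y] = x
    return inverse


# Three constructed sample functions, given as rules rather than as tables.
def majority3(bits):
    """F_2^3 -> F_2^1: majority of the three input bits (a case with m != n)."""
    return (int(sum(bits) >= 2),)


def cube_plus_one(bits):
    """F_2^4 -> F_2^4: x -> x^3 + 1 mod 16. Not a permutation: 0, 4, 8 and 12 all map to 1."""
    x = int("".join(map(str, bits)), 2)
    return to_bits((x ** 3 + 1) % 16, 4)


def affine_mod16(bits):
    """F_2^4 -> F_2^4: x -> 3x + 5 mod 16. The odd multiplier makes this a permutation of Z_16."""
    x = int("".join(map(str, bits)), 2)
    return to_bits((3 * x + 5) % 16, 4)


if __name__ == "__main__":
    for name, f, m, n in (("majority3", majority3, 3, 1),
                          ("cube_plus_one", cube_plus_one, 4, 4),
                          ("affine_mod16", affine_mod16, 4, 4)):
        lut = build_lut(f, m, n)
        print(f"{name}: L = {lut}, {storage_bits(m, n)} bits, bijective = {is_bijective(lut, m, n)}")
    # Property 1 in numbers: every extra input bit doubles the table.
    for m in (4, 8, 16, 32):
        print(f"{m}-bit to {m}-bit table: {storage_bits(m, m)} bits")
```

The last loop is the point of Property 1: an 8-bit S-box costs 2048 bits, a 16-bit one already a megabit, and a 32-bit one $2^{37}$ bits, which is why confusion layers are built from several small S-boxes in parallel rather than one wide table.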
2.2.2 Constructions
The mix of non-linear substitutions and linear diffusion operations is a crucial component of most block cipher designs. This mix can be obtained in various ways such as the following two prominent and efficient constructions adopted by many important block ciphers (e.g., DES [68], AES [69], Serpent [7], . . . ): Feistel ciphers and Substitution-Permutation Network (SPN) ciphers. Both constructions belong to the class of iterative block ciphers, also known as product ciphers, introduced by Shannon in [99]. A product cipher is a block cipher made by iterating a fairly simple key-dependent round function many times. While a single key-dependent round function acts as a weak block cipher, the iteration of several round functions may result in a strong block cipher. A formal definition is given in the following.
Definition 4 (Iterative block cipher/product cipher). An $n_b$-bit block cipher $E$ is called an iterative block cipher with $R$ rounds if, for each key $k \in \mathbb{F}_2^{n_k}$, the bijective mapping $E_k$ on $\mathbb{F}_2^{n_b}$ comprises the iterative application of $R$ key-dependent round transformations $E^{(r)}_{k^{(r)}}$ with $1 \le r \le R$, i.e.,
$$E_k = E^{(R)}_{k^{(R)}} \circ \cdots \circ E^{(2)}_{k^{(2)}} \circ E^{(1)}_{k^{(1)}}, \qquad (2.2)$$
where each key-dependent round transformation $E^{(r)}_{k^{(r)}}$ is a permutation on $\mathbb{F}_2^{n_b}$ and where $k^{(r)}$ ($1 \le r \le R$) denotes the $r$th round key. All round keys are derived from the secret key $k$ through the application of the key scheduling algorithm $\mathrm{ks}$, defined as
$$\mathrm{ks} : \mathbb{F}_2^{n_k} \to \mathbb{F}_2^{n_K} : k \mapsto K = \left(k^{(1)} \,\|\, k^{(2)} \,\|\, \cdots \,\|\, k^{(R)}\right), \qquad (2.3)$$
where $K$ is called the expanded key and represents the concatenation of all round keys, and where $n_K$ denotes the length of $K$.
Within the class of iterative block ciphers (Def. 4), two (not mutually exclusive) subclasses can be identified: the iterated block ciphers and the key-alternating block ciphers. For iterated block ciphers, all key-dependent round transformations are identical, i.e., $E^{(r)}_{k^{(r)}} = E_{k^{(r)}}$ ($1 \le r \le R$). For key-alternating block ciphers, every key-dependent round transformation is a two-layered structure consisting of an XOR with the round key followed by a key-independent round transformation, i.e., $E^{(r)}_{k^{(r)}} = E^{(r)} \circ \oplus_{k^{(r)}}$ ($1 \le r \le R$). The intersection of the two subclasses is the class of key-iterated block ciphers, which is essentially defined as the key-alternating block ciphers for which all key-independent round transformations are identical, i.e., $E^{(r)}_{k^{(r)}} = E \circ \oplus_{k^{(r)}}$ ($1 \le r \le R$).
Substitution-Permutation Network (SPN) Ciphers. In the following, one of the most widely accepted constructions to build iterative block ciphers is described, i.e., the class of Substitution-Permutation Network (SPN) ciphers. The description below is generic, hence deviations from it are most likely to occur in modern block cipher designs.
Definition 5 (Substitution-Permutation Network (SPN) cipher). An $n_b$-bit SPN cipher with $R$ rounds is an iterative block cipher where each key-dependent round transformation $E^{(r)}_{k^{(r)}}$ ($1 \le r \le R$) is a permutation on $\mathbb{F}_2^{n_b}$ and typically consists of three layers (not necessarily in the following order): (i) the confusion layer comprising (the parallel execution of) S-boxes, (ii) the diffusion layer comprising D-boxes and/or (bit or bundle) transpositions, and (iii) the round key $k^{(r)}$ addition layer.
For SPN ciphers, decryption is performed by inverting the encryption process while taking the round keys in reversed order. As a consequence, each key-dependent round transformation $E^{(r)}_{k^{(r)}}$ ($1 \le r \le R$) needs to be a bijective mapping on $\mathbb{F}_2^{n_b}$, which means that all layers defined in Def. 5 need to be invertible as well. Because of the restriction on the input size of S-boxes due to the storage requirement (Property 1, p. 16), the $n_b$-bit confusion layer typically consists of $s$ bijective $m_i$-bit S-boxes $S_i$ ($i = 1, 2, \ldots, s$), each representing a permutation on $\mathbb{F}_2^{m_i}$, applied in parallel with $\sum_{i=1}^{s} m_i = n_b$. The $n_b$-bit diffusion layer typically comprises a bijective affine/linear mapping on $\mathbb{F}_2^{n_b}$ combined with a (bit or bundle) transposition. Note that (bit or bundle) transpositions are invertible by definition.
An advantage of SPN ciphers is that they tend to have good diffusion properties, since the diffusion layer typically operates on all $n_b$ bits of the state simultaneously. Depending on the choice of the diffusion operations, full diffusion can already be achieved after two rounds (e.g., for AES). The concept of full diffusion is described in Sect. 2.5.1.
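The following Python program is an added example, not code from the original text. It is a deliberately small 16-bit key-iterated SPN that follows Definitions 4 and 5 literally: a key schedule $\mathrm{ks}$ producing the $R$ round keys, a round consisting of round key addition, an S-box layer of four parallel 4-bit S-boxes ($\sum m_i = 16 = n_b$) and a bit transposition, so that $E^{(r)}_{k^{(r)}} = E \circ \oplus_{k^{(r)}}$ with the same $E$ in every round. Decryption inverts each layer and takes the round keys in reverse order, as described above, and the last function measures the avalanche effect from Sect. 2.2.1 by flipping single plaintext bits. The block size, the key schedule and the transposition are constructed for this example (and far too small for any real use); the 4-bit S-box is the one used by the PRESENT cipher, chosen only because it is a known bijective 4-bit table.

```python
# Added example (not from the original text): a toy 16-bit key-iterated SPN cipher.
# Parameters are constructed for illustration; the S-box is PRESENT's 4-bit S-box.
import random

NB = 16                      # block size n_b in bits
NK = 16                      # key size n_k in bits
S_WIDTH = 4                  # every S-box maps m_i = 4 bits to 4 bits
NUM_SBOXES = NB // S_WIDTH   # s = 4 parallel S-boxes, so sum of m_i equals n_b

# Bijective 4-bit S-box stored as a lookup table of 2^4 entries (Definition 3).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
assert sorted(SBOX) == list(range(16))   # a permutation, so decryption can invert it

# Bit transposition: bit j of S-box i (position 4*i + j) moves to position 4*j + i,
# so the four output bits of one S-box feed four different S-boxes in the next round.
PERM = [4 * (p % 4) + p // 4 for p in range(NB)]
PERM_INV = [PERM.index(p) for p in range(NB)]


def sbox_layer(x: int, table=SBOX) -> int:
    """Confusion layer: apply the S-box to each 4-bit bundle of the state."""
    y = 0
    for i in range(NUM_SBOXES):
        nibble = (x >> (4 * i)) & 0xF
        y |= table[nibble] << (4 * i)
    return y


def transpose_layer(x: int, perm=PERM) -> int:
    """Diffusion layer: the bit at position p moves to position perm[p]."""
    y = 0
    for p in range(NB):
        if (x >> p) & 1:
            y |= 1 << perm[p]
    return y


def key_schedule(k: int, rounds: int) -> list:
    """Constructed toy key schedule ks: round key r is k rotated left by 4*(r-1) bits.
    Returns the expanded key K as the list of the R round keys (k^(1), ..., k^(R))."""
    keys = []
    for r in range(rounds):
        rot = (4 * r) % NK
        keys.append(((k << rot) | (k >> (NK - rot))) & 0xFFFF)
    return keys


def encrypt(k: int, p: int, rounds: int) -> int:
    """E_k = E^(R) o ... o E^(1) with E^(r)_{k^(r)} = E o XOR_{k^(r)} and the same
    key-independent E = transpose o sbox in every round (a key-iterated cipher)."""
    x = p
    for rk in key_schedule(k, rounds):
        x ^= rk                     # round key addition layer
        x = sbox_layer(x)           # confusion layer
        x = transpose_layer(x)      # diffusion layer
    return x                        # note: the last S-box and transposition are unkeyed here


def decrypt(k: int, c: int, rounds: int) -> int:
    """Invert every layer of every round, taking the round keys in reverse order."""
    x = c
    for rk in reversed(key_schedule(k, rounds)):
        x = transpose_layer(x, PERM_INV)
        x = sbox_layer(x, SBOX_INV)
        x ^= rk
    return x


def avalanche(k: int, rounds: int, trials: int = 200, seed: int = 1) -> float:
    """Average fraction of ciphertext bits that flip when one plaintext bit is flipped,
    estimated over `trials` random plaintexts and all 16 bit positions."""
    rng = random.Random(seed)
    flipped = 0
    for _ in range(trials):
        p = rng.getrandbits(NB)
        c = encrypt(k, p, rounds)
        for bit in range(NB):
            flipped += bin(c ^ encrypt(k, p ^ (1 << bit), rounds)).count("1")
    return flipped / (trials * NB * NB)


if __name__ == "__main__":
    key, pt = 0x3A5C, 0x1234
    ct = encrypt(key, pt, 4)
    print(f"ciphertext {ct:04x}, decrypts to {decrypt(key, ct, 4):04x}")
    for r in (1, 2, 3, 4):
        print(f"rounds={r}: avalanche fraction {avalanche(key, r):.3f}")
```

With a single round, flipping one plaintext bit activates only one S-box, so at most 4 of the 16 ciphertext bits can change; with more rounds the transposition spreads those bits over all S-boxes and the measured fraction approaches $\tfrac{1}{2}$, which is the behaviour the avalanche effect asks for. As the comment in `encrypt` notes, the toy applies no key addition after the final round; a real design such as AES does, and this follows Definition 4 literally only to keep the correspondence with equation (2.2) visible.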
Example. The Advanced Encryption Standard, abbreviated AES [69], is a 128-bit key-iterated SPN block cipher. A detailed description of AES is given in the next section, i.e., Sect. 2.3.