Crypto-Archaeology: unearthing design methodology of DES s-boxes

Author(s):  
Sankhanil Dey ◽  
Ranjan Ghosh

US defence sponsored the DES program in 1974 and released it in 1977. It remained a well-known and well-accepted block cipher until 1998. The thirty-two 4-bit DES S-Boxes are grouped in eight groups of four each and were put in the public domain without any mention of their design methodology. S-Boxes, whether 4-bit, 8-bit or 32-bit, find a permanent seat in all future block ciphers. In this paper, while looking into the design methodology of the DES S-Boxes, we find that the S-Boxes have 128 balanced and non-linear Boolean Functions, of which 102 are used once while 13 are used twice, and 92 of the 102 satisfy the Boolean-Function-level Strict Avalanche Criterion. All the S-Boxes satisfy the Bit Independence Criterion. Their Differential Cryptanalysis exhibits better results than the Linear Cryptanalysis. However, no S-Boxes satisfy the S-Box-level SAC analyses. It seems that the designer emphasized satisfaction of Boolean-Function-level SAC and S-Box-level BIC and DC, not S-Box-level LC and SAC.


2017 ◽  
Vol 2 (9) ◽  
pp. 30-34
Author(s):  
Sankhanil Dey ◽  
Ranjan Ghosh

US defense sponsored the DES program in 1971 and released it in 1977. It remained a well-known and well-accepted de-facto standard for block ciphers until 1998. The thirty-two 4-bit DES S-Boxes are grouped in eight groups of four each and were put in the public domain without any mention of their design methodology. Due to this discovery of substitution boxes, S-Boxes, whether 4-bit, 8-bit or 32-bit, find a permanent seat in all future block ciphers. In this paper, a brief study of the crypto-relevant properties of 4-bit Boolean Functions as well as 4-bit S-Boxes is elaborated. The design methodology of the 32 4-bit DES S-Boxes has been of keen interest in this paper. The methodology of these 4-bit DES S-boxes, which remained unturned due to the interference of NIST, is also elaborated in this paper.


Radiotekhnika ◽  
2021 ◽  
pp. 5-15
Author(s):  
A.N. Alekseychuk

Differential-linear cryptanalysis of block ciphers was proposed in 1994. It turns out to be more efficient in comparison with (separately) differential and linear cryptanalytic methods, but its scientific substantiation remains the subject of further research. There are several publications devoted to the formalization of differential-linear cryptanalysis and to clarifying the conditions under which its complexity can be assessed with mathematical accuracy. However, the problem of substantiating the differential-linear cryptanalytic method remains completely unresolved. This paper presents the first results obtained by the author in the direction of solving this problem. The class of differential-linear attacks on block ciphers is expanded. Namely, both distinguishing attacks and attacks aimed at recovering one bit of information about a key are considered. In this case, no assumptions are made (as in well-known publications) about the possibility of representing the cipher in the form of some two components. Lower bounds on the information complexity of these attacks are obtained. The expressions of these bounds depend on the averaged (by keys) values of the squares of the elements of the generalized autocorrelation table of the encryption transformation. In contrast to the known ones, the obtained bounds are not based on any heuristic assumptions about the investigated block ciphers and are valid for a wider class of attacks as compared to the traditional differential-linear attack. Relations between, respectively, the differential, linear and differential-linear properties of bijective Boolean mappings are given. In contrast to the well-known works, the matrix form of the relations is used, which makes it possible to clarify their essence better and to simplify the proofs. A new relation is derived for the elements of the generalized autocorrelation table of the encryption transformation of the product of two block ciphers, which may be useful in further research.


2005 ◽  
Vol 03 (02) ◽  
pp. 359-370 ◽  
Author(s):  
SUBHAMOY MAITRA ◽  
PARTHA MUKHOPADHYAY

Boolean functions are important building blocks in cryptography for their wide application in both stream and block cipher systems. For cryptanalysis of such systems, one tries to find linear functions that are correlated to the Boolean functions used in the cryptosystem. Let $f$ be an $n$-variable Boolean function and let its Walsh spectrum be denoted by $W_f(\omega)$ at the point $\omega \in \{0,1\}^n$. The Boolean function is available in the form of an oracle. We would like to find an $\omega$ such that $W_f(\omega) \neq 0$, as this will provide one of the linear functions correlated to $f$. We show that the quantum algorithm proposed by Deutsch and Jozsa solves this problem in constant time. However, the best known classical algorithm to solve the problem requires time exponential in $n$. We also analyze certain classes of cryptographically significant Boolean functions and highlight how the basic Deutsch–Jozsa algorithm performs on them.
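The two abstracts above (Dey and Ghosh on DES S-box design criteria, and Maitra and Mukhopadhyay on finding a mask with a nonzero Walsh coefficient) talk about the same objects: the Boolean functions that make up an S-box and their Walsh spectra. The following is an added example, not code from either paper: it takes two of the published DES S-boxes (S1 and S5, FIPS 46) and computes, from their component Boolean functions, balance, nonlinearity, the Boolean-function-level SAC, the difference distribution table and the linear approximation table, and runs the classical exponential-time search for the correlated linear functions $\omega$ with $W_f(\omega) \neq 0$. All function names are the example's own.

```python
# Added example, not code from any paper listed on this page: compute the
# Boolean-function and S-box level properties the DES S-box abstract talks about
# (balance, nonlinearity, SAC, DDT, LAT) and the Walsh-spectrum search the
# Deutsch-Jozsa abstract describes. S1 and S5 are the published DES S-boxes
# (FIPS 46); all function names are this example's own.
from itertools import product

# DES S-box convention: row = input bits 5 and 0, column = input bits 4..1
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
S5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]

def sbox(table, x):
    """Evaluate a DES S-box on a 6-bit input x in 0..63."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 0xF]

def parity(v):
    return bin(v).count("1") & 1

def truth_tables(table):
    """The four 6-variable Boolean functions f_j(x) = bit j of S(x)."""
    return [[(sbox(table, x) >> j) & 1 for x in range(64)] for j in range(4)]

def walsh(tt):
    """Walsh spectrum W_f(w) = sum_x (-1)^(f(x) + w.x), w in {0,1}^n.
    W_f(w) != 0 means the linear function w.x is correlated with f."""
    n = len(tt).bit_length() - 1
    return [sum((-1) ** (tt[x] ^ parity(w & x)) for x in range(1 << n))
            for w in range(1 << n)]

def correlated_linear_functions(tt):
    """Classical search for the w the Deutsch-Jozsa abstract asks for: every
    mask w with W_f(w) != 0 (2^n Walsh values, each a 2^n-term sum)."""
    return [w for w, v in enumerate(walsh(tt)) if v != 0]

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - max|W_f|/2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def satisfies_sac(tt):
    """Boolean-function-level SAC: flipping any single input bit changes f(x)
    for exactly half of all x."""
    n = len(tt).bit_length() - 1
    return all(2 * sum(tt[x] ^ tt[x ^ (1 << i)] for x in range(1 << n)) == len(tt)
               for i in range(n))

def ddt(table):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    t = [[0] * 16 for _ in range(64)]
    for x, dx in product(range(64), repeat=2):
        t[dx][sbox(table, x) ^ sbox(table, x ^ dx)] += 1
    return t

def lat(table):
    """Linear approximation table, Matsui's N_S(a, b) = #{x : a.x == b.S(x)}."""
    t = [[0] * 16 for _ in range(64)]
    for x in range(64):
        y = sbox(table, x)
        for a, b in product(range(64), range(16)):
            t[a][b] += parity(a & x) == parity(b & y)
    return t

def max_differential(table):
    """Largest DDT entry over nonzero input differences (out of 64)."""
    return max(v for dx, row in enumerate(ddt(table)) if dx for v in row)

def max_linear_bias(table):
    """Largest |N_S(a, b) - 32| over nonzero output masks (out of 64)."""
    return max(abs(v - 32) for row in lat(table) for b, v in enumerate(row) if b)

def report(name, table):
    comps = truth_tables(table)
    return {"sbox": name,
            "balanced": all(is_balanced(f) for f in comps),
            "nonlinearity": [nonlinearity(f) for f in comps],
            "sac": [satisfies_sac(f) for f in comps],
            "max_ddt": max_differential(table),
            "max_lat_bias": max_linear_bias(table)}

if __name__ == "__main__":
    for name, table in (("S1", S1), ("S5", S5)):
        print(report(name, table))
    # Matsui's approximation for S5: second input bit vs parity of all four outputs
    print("N_S5(16,15) =", lat(S5)[16][15])
```

Two checks are worth knowing in advance. Every DES S-box row is a permutation of 0..15, so each component function is balanced and $W_f(0) = 0$; Parseval's relation then forces $\sum_\omega W_f(\omega)^2 = 2^{12}$, which is a cheap sanity test for any Walsh implementation. For S5, `lat(S5)[16][15]` is Matsui's $N_{S5}(16,15) = 12$, a bias of $20/64$, which is why the DDT-versus-LAT comparison in the Dey and Ghosh abstract is S-box dependent.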


Symmetry ◽  
2021 ◽  
Vol 13 (4) ◽  
pp. 671
Author(s):  
Zijing Jiang ◽  
Qun Ding

An S-box is the most important part of a symmetric encryption algorithm. Various schemes have been put forward using chaos theory. In this paper, a construction method for S-boxes with good cryptographic properties is proposed. The output of an S-box can be regarded as a group of Boolean functions. Therefore, we can use the different properties of chaos and Bent functions to generate a random Bent function with high nonlinearity. By constructing a set of Bent functions as the output of an S-box, we can create an S-box with good cryptological properties. The nonlinearity, differential uniformity, strict avalanche criterion and the independence criterion of the output bits are then analyzed and tested. A security analysis shows that the proposed S-box has excellent cryptographic properties.


Author(s):  
Shivam Bhasin ◽  
Jakub Breier ◽  
Xiaolu Hou ◽  
Dirmanto Jap ◽  
Romain Poussier ◽  
...  

Side-channel analysis constitutes a powerful attack vector against cryptographic implementations. Techniques such as power and electromagnetic side-channel analysis have been extensively studied to provide an efficient way to recover the secret key used in cryptographic algorithms. To protect against such attacks, countermeasure designers have developed protection methods, such as masking and hiding, to make the attacks harder. However, due to significant overheads, these protections are sometimes deployed only at the beginning and the end of encryption, which are the main targets for side-channel attacks. In this paper, we present a methodology for a side-channel-assisted differential cryptanalysis attack targeting the middle rounds of block cipher implementations. Such a method presents a powerful attack vector against designs that normally only protect the beginning and end rounds of ciphers. We generalize the attack to SPN-based ciphers and calculate the effort the attacker needs to recover the secret key. We provide experimental results on 8-bit and 32-bit microcontrollers. We provide case studies on state-of-the-art symmetric block ciphers, such as AES, SKINNY, and PRESENT. Furthermore, we show how to attack shuffling-protected implementations.


2014 ◽  
Vol 24 (5) ◽  
Author(s):  
Sergey D. Loshkarev

The hash algorithms of the MDx family involve cyclic shifts, computation of primitive Boolean functions, and addition of constants. So far, very few works have been published in which the authors attempt to explain the impact that the choice of constants, shifts, and Boolean functions has on the cryptographic properties of the algorithms. G. A. Karpunin and H. T. Nguyen suggested a model in which the resistance against differential cryptanalysis may be quantitatively estimated in terms of the number of solutions of a special equation. In this work, in the framework of the aforementioned model, an equation for the MD5 hash function is derived. Examination of one Boolean function and one value of the cyclic shift through exhaustive search requires 2


2014 ◽  
Vol 2014 ◽  
pp. 1-7
Author(s):  
Brajesh Kumar Singh

The $r$th-order nonlinearity of a Boolean function plays a central role against several known attacks on stream and block ciphers. Because its maximum equals the covering radius of the $r$th-order Reed-Muller code, it also plays an important role in coding theory. The computation of the exact value of, or a high lower bound on, the $r$th-order nonlinearity of a Boolean function is a very complicated problem, especially when $r > 1$. This paper is concerned with the computation of lower bounds on the third-order nonlinearities of two classes of Boolean functions of the form $\mathrm{Tr}_1^n(\lambda x^d)$ for all $x \in \mathbb{F}_{2^n}$, $\lambda \in \mathbb{F}_{2^n}^{*}$, where (a) $d = 2^i + 2^j + 2^k + 1$, where $i$, $j$ and $k$ are integers such that $i > j > k \geq 1$ and $n > 2i$, and (b) $d = 2^{3\ell} + 2^{2\ell} + 2^{\ell} + 1$, where $\ell$ is a positive integer such that $\gcd(\ell, n) = 1$ and $n > 6$.


Author(s):  
David Knichel ◽  
Pascal Sasdrich ◽  
Amir Moradi

With an increasing number of mobile devices and their high accessibility, protecting the implementation of cryptographic functions in the presence of physical adversaries has become more relevant than ever. Over the last decade, the lion's share of research in this area has been dedicated to developing countermeasures at an algorithmic level. Here, masking has proven to be a promising approach due to the possibility of formally proving the implementation's security solely based on its algorithmic description by elegantly modeling the circuit behavior. Theoretically verifying the security of masked circuits becomes more and more challenging with increasing circuit complexity. This motivated the introduction of security notions that enable masking of single gates while still guaranteeing security when the masked gates are composed. Systematic approaches to generate these masked gates, commonly referred to as gadgets, were restricted to very simple gates like 2-input AND gates. Simply substituting such small gates by a secure gadget usually leads to a large overhead in terms of fresh randomness and additional latency (register stages) being introduced to the design. In this work, we address these problems by presenting a generic framework to construct trivially composable and secure hardware gadgets for arbitrary vectorial Boolean functions, enabling the transformation of much larger sub-circuits into gadgets. In particular, we present a design methodology to generate first-order secure masked gadgets which is well suited for integration into existing Electronic Design Automation (EDA) tools for automated hardware masking, as only the Boolean function expression is required. Furthermore, we practically verify our findings by conducting several case studies and show that our methodology outperforms various other masking schemes in terms of introduced latency or fresh randomness, especially for large circuits.
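The abstract takes for granted what a "gadget", "fresh randomness" and "first-order security" mean for the 2-input AND gate it names as the baseline. The following is an added example, not the paper's framework or code: a 2-share masked AND in the ISW style, with an exhaustive check in the first-order probing model (does any single wire's distribution depend on the secrets?), run once with the fresh random bit and once with that bit tied to zero. The wire and function names are the example's own.

```python
# Added example, not the paper's framework or code: a 2-share (first-order)
# masked AND gadget in the ISW style, plus an exhaustive first-order probing
# check that shows why the fresh random bit the abstract mentions is needed.
# Wire names and function names are this example's own.
from itertools import product

def masked_and(a0, a1, b0, b1, r):
    """Masked AND on shares a = a0^a1, b = b0^b1 using one fresh bit r.
    Returns (c0, c1) with c0 ^ c1 == a & b, and every intermediate wire so a
    probing adversary's view can be enumerated."""
    w = {"a0": a0, "a1": a1, "b0": b0, "b1": b1, "r": r}
    w["a0b0"], w["a1b1"] = a0 & b0, a1 & b1
    w["a0b1"], w["a1b0"] = a0 & b1, a1 & b0
    w["c0"] = w["a0b0"] ^ r
    w["t1"] = r ^ w["a0b1"]          # refresh before the cross terms meet
    w["t2"] = w["t1"] ^ w["a1b0"]
    w["c1"] = w["a1b1"] ^ w["t2"]
    return w["c0"], w["c1"], w

def recombines_correctly():
    """Functional check over all secrets, masks and fresh bits."""
    for a, b, a0, b0, r in product((0, 1), repeat=5):
        c0, c1, _ = masked_and(a0, a ^ a0, b0, b ^ b0, r)
        if c0 ^ c1 != (a & b):
            return False
    return True

def leaking_wires(fresh_randomness=True):
    """First-order probing check: a wire leaks if its distribution, taken over
    the uniformly random masks a0, b0 (and r), depends on the secrets (a, b).
    With fresh_randomness=False the refresh bit is tied to 0, as a designer
    trying to save randomness might do."""
    ones = {}   # wire -> {(a, b): number of mask choices for which wire == 1}
    r_values = (0, 1) if fresh_randomness else (0,)
    for a, b, a0, b0 in product((0, 1), repeat=4):
        for r in r_values:
            _, _, w = masked_and(a0, a ^ a0, b0, b ^ b0, r)
            for name, v in w.items():
                ones.setdefault(name, {}).setdefault((a, b), 0)
                ones[name][(a, b)] += v
    return sorted(name for name, d in ones.items() if len(set(d.values())) > 1)

if __name__ == "__main__":
    print("recombines:", recombines_correctly())
    print("leaks with fresh r:", leaking_wires(True))     # expected: []
    print("leaks without r:", leaking_wires(False))       # expected: ['c1', 't2']
```

Without the refresh bit, the partial sum `t2 = a0b1 ^ a1b0` and the output share `c1` both become biased by the secret product, which is exactly the single-wire leak a first-order power or EM attack measures. The check above is the textbook probing model on one gadget in isolation; it says nothing about the composability notions the abstract refers to, and probing two wires at once (for instance `a0` and `a1`) trivially defeats any 2-share scheme, which is why such gadgets only claim first-order security.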


2019 ◽  
Vol 73 (1) ◽  
pp. 61-82
Author(s):  
Nicolas T. Courtois ◽  
Matteo Scarlata ◽  
Marios Georgiou

T-310 is an important Cold War cipher. The cipher is extremely complex and it outputs extremely few bits from the internal state. A recent paper [Courtois, N. T.: Decryption oracle slide attacks on T-310, Cryptologia, 42 (2018), no. 3, 191–204] shows an example of a highly anomalous key such that T-310 can be broken by a slide attack with a decryption oracle. In this paper, we show that the same attacks are also possible for regular keys which satisfy all the official KT1 requirements. Two other recent papers [Courtois, N. T.—Georgiou, M.—Scarlata, M.: Slide attacks and LC-weak keys in T-310, Cryptologia 43 (2019), no. 3, 175–189]; [Courtois, N. T.—Oprisanu, M. B.—Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s, Cryptologia (published online), December 5, 2018] show that some of the KT1 keys are very weak w.r.t. Linear Cryptanalysis. In this paper, we show that a vast number of such weak keys exist and study the exact pre-conditions which make them weak. In addition we introduce a new third class of weak keys for RKDC (Related-Key Differential Cryptanalysis). We show that the original designers in the 1970s ensured that these RKDC properties cannot happen for 4 rounds. We have discovered that these properties can happen for as few as 5 rounds for some keys, and for 10 to 16 rounds they become hard to avoid. The main reason why we study weak keys is to show that none of these properties occur by accident; rather, they are governed by precise pre-conditions which guarantee their existence, and countless other keys with the same properties exist. Eventually, this is how interesting attacks can be found.

