Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
5Activity
0 of .
Results for:
No results containing your search query
P. 1
Practical S-Box Design

Practical S-Box Design

Ratings: (0)|Views: 452 |Likes:
Published by Señor Smiles

More info:

Published by: Señor Smiles on Aug 13, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

10/15/2011

pdf

text

original

 
1
Practical S-Box Design
Serge Mister, Carlisle Adams 
Nortel, P.O. Box 3511, Station C, Ottawa, Ontario, Canada, K1Y 4H7 
cf744@freenet.carleton.ca, cadams@nortel.ca
1. Introduction
Much of the security of a block cipher based on the Feistel network [8, 9] depends on theproperties of the substitution boxes (s-boxes) used in the round function. Although manydesirable properties have been studied, relatively little work has been done to determine towhat degree these properties are achievable in practice. This paper presents one effort toconstruct large, cryptographically secure s-boxes, contrasting theoretical and practicallimitations, and highlighting areas for future research.
2. Background
An
nm
×
s-box
S
is a mapping
S
nm
:{,}{,}0101
.
S
can be represented as
2
n
 
m
-bitnumbers, denoted
r
n
021
,,
, in which case
Sx
 x
()
=
,
02
<
 x
n
and the
i
are the rows of the s-box. Alternatively,
[ ]
Sxcxcxcx
mm
()()()()
=
120
where the
c
i
are fixed Booleanfunctions
ci
in
:{,}{,}0101
; these are the columns of the s-box. Finally,
S
can berepresented by a
2
n
m
×
binary matrix
 M 
with the
ij
,
entry being bit
 j
of row
i
. All threerepresentations will be used in this paper.The linear combination of two functions
 fg
n
,:{,}{,}0101
is defined to be()()()()
 fgxfxgx
=
where
denotes modulo 2 addition. Let
n
denote the set of functions mapping{,}{,}0101
n
. Let
 L
n
denote the set of linear functions mapping {,}{,}0101
n
. Let
 A
n
denote the set of affine functions mapping {,}{,}0101
n
.The following definitions will be useful in the discussion.
2.1 Walsh Transform
The Walsh transform of a function
 f 
n
:{,}{,}0101
is defined by
W
(f)(w)
 fxwx x
n
()
(){0,}
+
1
1
 
2where
wxwxwx
nn
=
1100
(note that the transform is usually normalized by multiplyingby2
2
n
 / 
).The set of bent functions, denoted
 B
n
with
n
even, is the set of functions
 f 
n
:{,}{,}0101
such that [14]
W
(f)(w)=w
nn
±
201
2
{,}.
2.2 Inverse Walsh Transform
The inverse Walsh transform of a function
n
:{,}01
Z
is
W
-nwxw
(F)(x)=Fw
n
11
121()()
{0,}
.
2.3 Nonlinearity
The nonlinearity of a function
 f 
n
:{,}{,}0101
is
nl()minwt()
 ffl
lA
n
=
where
wt()
denotes the Hamming weight of the function.The nonlinearity of an s-box
S
isnl()minnl()
S
 f
=
where
is the set of all nontrivial linear combinations of the columns of 
S
.
2.4 XOR Table
Let
α β 
{,}\{},{,}0101
nm
0
. The XOR table entry of an s-box
S
corresponding to
(,)
α β 
is
XOR(,)#{{,}:()(}}
α β α β 
= =
 xSxSx
n
01
where
#
denotes the cardinality of the set. The XOR value of an s-box is the highest XORtable entry:
XOR()maxXOR(,)
,
S
=
α β 
α β 
.
2.5 Dynamic Distance
We define the dynamic distance of order
 j
of a function
 f 
n
:{,}{,}0101
as follows:
DD()max()()
{0,}()
 jwtdjn x
 ffxfx
nn
=
=
111021
122
.
 
3It provides a measure from which can be defined other dynamic properties such as the strictavalanche criterion, bit independence criterion, and a precise “distance” from these properties.
2.6 Strict Avalanche Criterion (SAC)
A Boolean function
 f 
n
:{,}{,}0101
satisfies the SAC if 
DD()
1
0
 f 
=
. The distance to SAC isdefined by
DSAC()DD()
 f
=
1
. Similarly,
 f 
n
:{,}{,}0101
satisfies higher-order SAC(HOSAC) of order
 j
if 
DD()
 j
 f 
=
0
and the distance to higher-order SAC of order
 j
isdefined by
DHOSAC()DD()
 jj
 f
=
. Maximum order SAC (MOSAC) and the distance tomaximum order SAC (DMOSAC) correspond to the case
 jn
=
. The concepts of SAC,higher-order SAC, and maximum order SAC coincide with those of [4, 15] (see also [13]).An s-box satisfies the (HO, MO)SAC if all of its columns satisfy (HO,MO)SAC.
2.7 Bit Independence Criterion (BIC)
For an s-box
S
, the distance to higher order BIC is defined byDHOBIC()maxDD()
,{0,}()
ijcwtci j
SMc
m
=
<
11
where
 M 
is the binary matrix corresponding to
S
and the matrix multiplication is done usingmodulo 2 addition.
S
satisfies BIC
1
[15] if 
DHOBIC()
,21
0
S
=
and satisfies
HOBIC
,
ij
if 
DHOBIC()
,
ij
S
=
0
(note that HOBIC can be defined in terms of varying
i
, or varying
 j
, orboth). Distances to BIC and HOBIC are given by
DHOBIC()
,21
S
and
DHOBIC()
,
ij
S
respectively. Maximum order BIC (MOBIC) and the distance to MOBIC (DMOBIC)correspond to HOBIC and DHOBIC with
imjn
= =
,.
2.8 Ideal S-Box Properties
The following are properties which we feel that an ideal s-box would possess:
I1. All linear combinations of s-box columns are bent.I2. All entries in the s-box XOR table are 0 or 2.I3. The s-box satisfies MOSAC.I4. The s-box satisfies MOBIC.I5. The set of weights of rows has a binomial distribution with mean
m
 /2.I6. The set of weights of all pairs of rows has a binomial distribution with mean
m
 /2.
 
1
The (output) Bit Independence Criterion (BIC) states that s-box output bits
 j
and
should changeindependently when any single input bit
i
is inverted, for all
i
,
 j
, and
(note that for a given
i
,
 j
, and
theindependence is computed over the set of all pairs of input vectors which differ only in bit
i
).

Activity (5)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads
Harris Aziz liked this
Hams Alwejood liked this
newtonapple liked this

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->