
Improved Result on the Pseudorandomness of SPN-type transformations

(Korean title: Improved Results on the Pseudorandomness of the SPN Block Cipher Structure)

  • 이원일 (Wonil Lee), Center for Information Security Technologies, Korea University
  • Published : 2004.02.01

Abstract

Iwata et al. analyzed the pseudorandomness of the block cipher Serpent, which is an SPN-type transformation. In this paper, we introduce a generalization of their results which can be applied to any SPN-type transformation. For this purpose, we give several explicit definitions and prove our main theorems. We also apply our theorems to several SPN-type transformations including Serpent, Crypton and Rijndael.

Iwata et al. analyzed the pseudorandomness of Serpent, one of the block ciphers based on the SPN structure. In order to analyze its pseudorandomness while preserving the structure of Serpent as far as possible, they generalized the cipher while keeping the characteristics of Serpent's diffusion layer intact, and then developed their theory. In this paper we derive a general theory that applies not only to the diffusion layer adopted by Serpent but to any diffusion layer that an SPN-based block cipher may adopt. We also present the results of applying this general theory to block ciphers such as Serpent, Crypton and Rijndael.


Ⅰ. Introduction

Luby and Rackoff [1] introduced a theoretical model for the security of block ciphers by using the notion of pseudorandomness. The purpose of a security analysis using the notion of pseudorandomness is to measure the security of the structures used in block ciphers. Roughly speaking, the security of the structure is analyzed after the main functions (such as round functions in Feistel-type transformations or S-boxes in SPN-type transformations) are replaced with a pseudorandom function or pseudorandom permutation. With this model, Luby and Rackoff showed that the three round DES is a pseudorandom permutation and the four round DES is a super-pseudorandom permutation [1]. Maurer gave a simpler proof for non-adaptive adversaries [2]. Since Twofish has the same structure as DES, the three round Twofish is a pseudorandom permutation and the four round Twofish is a super-pseudorandom permutation. MARS has a so-called Type-3 Feistel structure. At the rump session of AES2, Vaudenay and Moriai claimed that the five round MARS is a pseudorandom permutation [3]. The block ciphers RC6 [4], MISTY [5] and KASUMI [6] were also analyzed by many people from the viewpoint of pseudorandomness. Note that these block ciphers are not SPN-type transformations.

In this paper we focus on analyzing SPN-type transformations by using the notion of pseudorandomness. There is already a result about Serpent, which is an SPN-type transformation [7]: Iwata et al. proved that the two round Serpent, in which the diffusion layer is left untouched and only the S-boxes are replaced with pseudorandom permutations, is not a pseudorandom permutation, but the three round Serpent is a pseudorandom permutation. The reason they did not touch the diffusion layer is natural, because the structure of an SPN-type transformation depends entirely on its diffusion layer. So it seems that there is no way to obtain a generalized result which can be applied to any SPN-type transformation, because there are many different diffusion layers in this world. In other words, it seems that the analysis has to be treated differently depending on the shape of the diffusion layer. In this paper, however, we show that there is a generalized result which can be applied to any SPN-type transformation. A specific SPN-type transformation, through its diffusion layer, affects only the assumptions of our theorems. The details are explained with several definitions. At the end of the paper, we also apply our results to several SPN-type transformations including Serpent, Crypton and Rijndael.

Ⅱ. Preliminaries

We denote by $I_n$ the set of all $n$-bit data. Let $\Omega_n$ be the set of all permutations from $I_n$ to itself.

Definition 1. $\Omega_n$ is called a TPE (truly random permutation ensemble) if all permutations in $\Omega_n$ are uniformly distributed. That is, for any permutation

#

We consider the following security model. Let D be a computationally unbounded distinguisher with an oracle O. The oracle O randomly chooses a permutation $\pi$ from the TPE $\Omega_n$ or from a permutation ensemble $\Psi_n$. For an $n$-bit block cipher, $\Psi_n$ is the set of permutations obtained from all the secret keys. The purpose of the distinguisher D is to distinguish whether the oracle O implements the TPE $\Omega_n$ or $\Psi_n$. We give several definitions in order to measure the ability of the distinguisher.

Definition 2. Let D be a distinguisher, $\Omega_n$ be a TPE, and $\Psi_n$ ($\subseteq \Omega_n$) be a permutation ensemble. The advantage $\mathrm{Adv}_D$ of the distinguisher D is defined by

#

where

#

Assume that the distinguisher D is restricted to make at most poly($n$) queries to the oracle O, where poly($n$) is some polynomial in $n$. We call D a pseudorandom distinguisher if it queries $x$ and the oracle answers $y = \pi(x)$, where $\pi$ is a permutation randomly chosen by O.

Definition 3. A function $h: \mathbb{N} \to \mathbb{R}$ is negligible if for any constant $c > 0$ and all sufficiently large $m \in \mathbb{N}$,

#

Definition 4. Let $\Psi_n$ be an efficiently computable permutation ensemble, where "efficiently computable" means that all permutations in the ensemble can be efficiently computed. We call $\Psi_n$ a PPE (pseudorandom permutation ensemble) if $\mathrm{Adv}_D$ is negligible for any pseudorandom distinguisher D.

Throughout this paper, we consider a non-adaptive distinguisher which sends all the queries to the oracle at the same time.

Ⅲ. Pseudorandomness of SPN-type transformations

In this section we formally define a popular class of block ciphers, known as SPN-type transformations. It is well known that the diffusion layer plays an important role in an SPN-type transformation. The diffusion layer provides an avalanche effect, which is a desirable property of any encryption algorithm. So we give an explicit definition which expresses the avalanche effect in an SPN-type transformation. The definition will be very useful in proving our theorems.

Definition 5. For any $n$-bit permutations $f_1, \ldots, f_m \in \Omega_n$, an $mn$-bit SPN-type transformation is defined by

#

#

where $x_1, \ldots, x_m \in I_n$ and $D$ is any diffusion layer from $I_{mn}$ to itself.

In this paper an element of $I_n$ is called a word. In the above definition, $D$ is any diffusion layer. So, for example, $D$ can be the bit-wise diffusion layer used in Serpent, the 2-bit-wise diffusion layer used in Crypton or the byte-wise diffusion layer used in Rijndael (see [10], [11] and [13] for the details). We therefore describe each $n$-bit input word to a diffusion layer as $s$ pieces of $k$-bit data ($n = sk$) in order to model an arbitrary diffusion layer, including those of Serpent, Crypton and Rijndael (see Fig. 1). This modeling is a basic step in analyzing the structures used in block ciphers from the viewpoint of pseudorandomness. The values of $m$ and $s$ are determined by the given SPN-type transformation, but $k$ is a variable included in the domain $\mathbb{N}$ of the function $h$ in Definition 3. As examples, we can model the diffusion layers of Serpent, Crypton and Rijndael. As can be seen in those figures, it is determined that $(m = 32, s = 4)$, $(m = 16, s = 4)$, and $(m = 16, s = 1)$ for Serpent, Crypton and Rijndael respectively. It is obvious that these values are determined by their internal structures. We explain the details of these examples in Section 4, where we also apply our theorems to these models of the block ciphers.

Fig. 1 $mn$-bit SPN Structure ($s \times k = n$)

Definition 6. Let $f_1 = (f_{11}, \ldots, f_{1m}), \ldots, f_r = (f_{r1}, \ldots, f_{rm})$ be given. Then the $r$ round $mn$-bit SPN-type transformation $G_r$ is defined by

#

where $x_1, \ldots, x_m \in I_n$.

The following definition expresses the avalanche effect in an SPN-type transformation. It is well known that the avalanche effect is completely determined by the diffusion layer of the SPN-type transformation. The definition will be very useful in proving our theorems.

Definition 7. Let an $r$ round $mn$-bit SPN-type transformation $G_r$ be given. Let $(x_1, \ldots, x_m)$ be a plaintext to $G_r$. We denote by $\mathrm{Avalanche}_j(x_i)$ the number of words which are influenced by $x_i$ after the $j$-th round ($1 \le i \le m$). Then $\mathrm{MAX}_j$ and $\mathrm{MIN}_j$ are defined by

#

Definition 8. Let an $r$ round $mn$-bit SPN-type transformation $G_r$ be given. If $\mathrm{MIN}_r = m$, then RMIN is defined by

#
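As an added illustration (not part of the original paper), the following Python code computes $\mathrm{Avalanche}_j$, $\mathrm{MAX}_j$, $\mathrm{MIN}_j$ and RMIN for a diffusion layer described at word level: for each input word, the set of output words it reaches after one application of $D$. The Rijndael-style layer follows the ShiftRow/MixColumn byte movement described in Section 4.3 of this paper; the column-only layer is a constructed counterexample in which $\mathrm{MIN}_j$ never reaches $m$, so RMIN is undefined under Definition 8. All function and variable names are my own, not the paper's.

```python
from typing import Dict, Optional, Set, Tuple

# A diffusion layer at word level: input word index -> set of output word indices
# it influences after one application of D. S-box layers act inside a word, so
# only D moves influence between words. (Constructed representation, not the paper's.)
Influence = Dict[int, Set[int]]


def influenced_words(layer: Influence, word: int, rounds: int) -> Set[int]:
    """Set of words influenced by plaintext word `word` after `rounds` rounds."""
    reached = {word}
    for _ in range(rounds):
        nxt: Set[int] = set()
        for w in reached:
            nxt |= layer[w]
        reached = nxt
    return reached


def avalanche(layer: Influence, word: int, j: int) -> int:
    """Avalanche_j(x_word) of Definition 7: number of words influenced after round j."""
    return len(influenced_words(layer, word, j))


def max_min(layer: Influence, j: int) -> Tuple[int, int]:
    """(MAX_j, MIN_j): largest and smallest avalanche count over all input words."""
    counts = [avalanche(layer, i, j) for i in layer]
    return max(counts), min(counts)


def rmin(layer: Influence, max_rounds: Optional[int] = None) -> Optional[int]:
    """RMIN: the smallest j with MIN_j = m, or None if no round up to the bound achieves it.

    Definition 8 only defines RMIN when MIN_r = m holds; a layer that never mixes
    across some partition of the words has no RMIN, which is reported as None.
    """
    m = len(layer)
    bound = m if max_rounds is None else max_rounds
    for j in range(1, bound + 1):
        if max_min(layer, j)[1] == m:
            return j
    return None


def rijndael_layer() -> Influence:
    """Word-level model of Rijndael's ShiftRow + MixColumn on 16 bytes (m = 16, s = 1).

    Byte index is 4*row + col. ShiftRow moves (row, col) to (row, (col - row) mod 4),
    and MixColumn then spreads it over all four bytes of that column.
    """
    layer: Influence = {}
    for row in range(4):
        for col in range(4):
            dest_col = (col - row) % 4
            layer[4 * row + col] = {4 * r + dest_col for r in range(4)}
    return layer


def column_only_layer() -> Influence:
    """Constructed counterexample: MixColumn without ShiftRow; influence never leaves a column."""
    return {4 * row + col: {4 * r + col for r in range(4)}
            for row in range(4) for col in range(4)}


if __name__ == "__main__":
    rij = rijndael_layer()
    print("Rijndael model:", [max_min(rij, j) for j in (1, 2)], "RMIN =", rmin(rij))
    bad = column_only_layer()
    print("Column-only model:", [max_min(bad, j) for j in (1, 2, 3)], "RMIN =", rmin(bad))
```

For the Rijndael model every byte reaches one full column after round 1 and all 16 bytes after round 2, giving $\mathrm{MIN}_1 = 4$, $\mathrm{MIN}_2 = 16$ and RMIN $= 2$, which is the value used in Section 4.3; the column-only layer stays at $\mathrm{MIN}_j = 4$ for every $j$, so a practitioner applying Theorem 2 to such a structure would never obtain the pseudorandomness guarantee, however many rounds are added.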

In the following we introduce our main results, which can be applied to any SPN-type transformation.

Theorem 1. Let an $r$ round $mn$-bit SPN-type transformation $G_r$ in which $f_{11}, \ldots, f_{rm}$ are independently chosen from an $n$-bit PPE be given. If RMIN $= r$, then $G_r$ is not a pseudorandom permutation.

Proof : Let $\Psi_{mn}$ be the set of all permutations over $I_{mn}$ obtained from $G_r$, and denote the $j$-th round output of this transformation by $\delta_j = (\delta_{j1}, \ldots, \delta_{jm})$. Since RMIN $= r$, $\mathrm{MIN}_{r-1} < m$. So there exist $v$ and $w$ ($1 \le v, w \le m$) such that $\delta_{(r-1)w}$ is not influenced by $x_v$ after the $(r-1)$-th round. Consider the following distinguisher D.

1. D chooses two plaintexts $x^{(1)} = (x_1^{(1)}, \ldots, x_m^{(1)})$ and $x^{(2)} = (x_1^{(2)}, \ldots, x_m^{(2)})$ such that $x_v^{(1)} \ne x_v^{(2)}$ and $x_i^{(1)} = x_i^{(2)}$ for $i \ne v$.

2. D sends them to the oracle and receives the corresponding ciphertexts $y^{(1)}$ and $y^{(2)}$.

3. D computes $z^{(1)} = D^{-1}(y^{(1)})$ and $z^{(2)} = D^{-1}(y^{(2)})$.

4. D outputs 1 if and only if $z_w^{(1)} = z_w^{(2)}$, where $z_w^{(u)}$ is the $w$-th word of $z^{(u)}$ for $u = 1, 2$.

Suppose that the oracle implements the TPE $\Omega_{mn}$. Then it is clear that $\Pr(z_w^{(1)} = z_w^{(2)}) = 2^{-n}$. Next suppose that the oracle implements $\Psi_{mn}$. Then the input to $f_{rw}$ is not influenced by the output of $f_{1v}$. So $z_w^{(1)} = z_w^{(2)}$, because $x_i^{(1)} = x_i^{(2)}$ for $i \ne v$. Hence $\Pr(z_w^{(1)} = z_w^{(2)}) = 1$. Therefore

#

Consequently, $\mathrm{Adv}_D$ is non-negligible. Hence the $r$ round $mn$-bit idealized SPN-type transformation is not a pseudorandom permutation.
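To see the distinguisher of this proof at work, here is an added Python experiment (mine, not from the paper) on a constructed toy SPN: $m = 4$ words of $n = 8$ bits, S-boxes modeled as independently drawn random byte permutations (the TPE stand-in the proofs allow), and a nibble-transposition diffusion layer with $s = 2$, $k = 4$ under which every word reaches exactly two words after one round and all four after two, so RMIN $= 2$. The distinguisher picks plaintexts differing only in word $v = 0$, inverts $D$ on the ciphertexts and compares word $w = 2$. With two rounds the compared words always collide (Theorem 1); with three rounds they collide only when the single nibble that $D$ carries between the relevant words happens to repeat, so the residual rate is on the order of $2^{-k}$ rather than $2^{-n}$, which is exactly the $ck$-bit quantity that appears in the proof of Theorem 2. The layer, the plaintexts and all names are my construction.

```python
import random
from typing import List

M = 4            # words per block: mn = 32 bits (constructed toy parameters)
N = 8            # bits per word


def nibble_diffusion(words: List[int]) -> List[int]:
    """Constructed diffusion layer D (s = 2 nibbles of k = 4 bits per word).

    Writing word i as (a_i, b_i) with a_i its high nibble and b_i its low nibble,
    D returns ((a_0, a_2), (b_0, b_2), (a_1, a_3), (b_1, b_3)).  Each input word
    thus reaches exactly two output words per round and all four after two rounds.
    """
    a = [w >> 4 for w in words]
    b = [w & 0xF for w in words]
    return [(a[0] << 4) | a[2], (b[0] << 4) | b[2], (a[1] << 4) | a[3], (b[1] << 4) | b[3]]


def nibble_diffusion_inv(words: List[int]) -> List[int]:
    """Inverse of nibble_diffusion; step 3 of the distinguisher needs D^{-1}."""
    n0, n1, n2, n3 = words
    a = [n0 >> 4, n2 >> 4, n0 & 0xF, n2 & 0xF]
    b = [n1 >> 4, n3 >> 4, n1 & 0xF, n3 & 0xF]
    return [(a[i] << 4) | b[i] for i in range(M)]


def random_sbox_layers(rounds: int, rng: random.Random) -> List[List[List[int]]]:
    """rounds x M independent random byte permutations: the f_{ji} of the idealized SPN."""
    layers = []
    for _ in range(rounds):
        layer = []
        for _ in range(M):
            perm = list(range(1 << N))
            rng.shuffle(perm)
            layer.append(perm)
        layers.append(layer)
    return layers


def encrypt(layers: List[List[List[int]]], x: List[int]) -> List[int]:
    """G_r: each round applies the word-wise S-boxes and then D (Definitions 5 and 6)."""
    state = list(x)
    for layer in layers:
        state = nibble_diffusion([layer[i][state[i]] for i in range(M)])
    return state


def theorem1_test(layers: List[List[List[int]]], v: int = 0, w: int = 2) -> bool:
    """One run of the distinguisher from the proof of Theorem 1.

    Word w = 2 is not influenced by word v = 0 after one round of this D, so with
    RMIN = 2 rounds the w-th S-box of the last round sees identical inputs.
    Returns True when the compared words collide (the distinguisher outputs 1).
    """
    x1 = [0x11, 0x22, 0x33, 0x44]            # constructed plaintext
    x2 = list(x1)
    x2[v] ^= 0xA5                            # differ only in word v
    z1 = nibble_diffusion_inv(encrypt(layers, x1))
    z2 = nibble_diffusion_inv(encrypt(layers, x2))
    return z1[w] == z2[w]


def collision_rate(rounds: int, trials: int, seed: int = 7) -> float:
    """Fraction of random `rounds`-round instances on which the distinguisher outputs 1."""
    rng = random.Random(seed)
    hits = sum(theorem1_test(random_sbox_layers(rounds, rng)) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("2 rounds (RMIN = r):     collision rate", collision_rate(2, 400))
    print("3 rounds (RMIN = r - 1): collision rate", collision_rate(3, 400))
```

For the three round instance the collision event reduces to a repeated nibble at one of two places (the low nibble of the round-1 output of word 0, or the high nibble of the round-2 output of word 1), each with probability $15/255$ for distinct inputs to a random permutation, so the expected rate is about $0.11$; this is the concrete form of the $2^{-ck}$ terms bounded in Theorem 2, and it goes to zero as $k$ grows while staying far from the $2^{-n}$ a truly random permutation would give.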

Theorem 2. Let an $(r+1)$ round $mn$-bit SPN-type transformation $G_{r+1}$ in which $f_{11}, \ldots, f_{(r+1)m}$ are independently chosen from an $n$-bit PPE be given. If RMIN $= r$, then $G_{r+1}$ is a pseudorandom permutation.

Proof : Without loss of generality, we can assume that $f_{11}, \ldots, f_{(r+1)m}$ are independently chosen from the TPE $\Omega_n$.

Let $\Psi_{mn}$ be the set of all permutations over $I_{mn}$ obtained from the $(r+1)$ round $mn$-bit SPN-type transformation $G_{r+1}$, and denote the $j$-th round output of this transformation by

#

Suppose that D makes $t$ oracle calls. In the $i$-th oracle call, D sends a plaintext $x^{(i)} = (x_1^{(i)}, \ldots, x_m^{(i)})$ to the oracle O and receives the corresponding ciphertext $y^{(i)} =$

#

At this time, we can assume without loss of generality that $x^{(1)}, \ldots, x^{(t)}$ are all distinct. For each $u = 1, \ldots, m$ we let $E[\delta_r^u]$ be the event that $\delta_{ru}^{(1)}, \ldots, \delta_{ru}^{(t)}$ are all distinct. And we let $E[\delta_r]$ be the event that all of $E[\delta_r^1], \ldots, E[\delta_r^m]$ occur.

If $E[\delta_r]$ occurs, then $y^{(1)}, \ldots, y^{(t)}$ are completely random since $f_{(r+1)1}, \ldots, f_{(r+1)m}$ are truly random permutations. Therefore, $\mathrm{Adv}_D$ is bounded above as follows:

#

Further, it is easy to see that

#

Fix $i$ and $j$ ($i \ne j$) arbitrarily. We now show that $\Pr(\delta_{r1}^{(i)} = \delta_{r1}^{(j)}), \ldots, \Pr(\delta_{rm}^{(i)} = \delta_{rm}^{(j)})$ are all sufficiently small. Since $x^{(i)} \ne x^{(j)}$, there exists $v$ such that $x_v^{(i)} \ne x_v^{(j)}$. For this $v$, $f_{1v}$ has $sk\,(= n)$ output bits. In the following we assume that each intermediate word influenced by some previous word contains at least $ck$ bits of the previous word, where $1 \le c \le s$.

Case 1 : $r = 1$.

By the assumption $r = 1$, the $sk$ output bits of $f_{1v}$ are distributed among exactly $m$ of the $f_{2u}$'s, say $u = 1, \ldots, m$. Since $f_{1v}$ is a truly random permutation, the following inequality holds.

#

Therefore the following upper bound is obtained.

#

Consequently, $\mathrm{Adv}_D$ is negligible, since $t = \mathrm{poly}(mn) = \mathrm{poly}(msk)$ and $m$, $s$ and $c$ are all constants depending on the given 2 round $mn$-bit SPN-type transformation $G_2$.

Case 2 : $r \ge 2$.

Depending on the property of the diffusion layer, the $sk$ output bits of $f_{1v}$ are distributed among at most $\mathrm{MAX}_1$ of the $f_{2u}$'s, say $u = u_1, \ldots, u_{\mathrm{MAX}_1}$. Since $f_{1v}$ is a truly random permutation, the following inequality holds.

#

Next each $\delta_{1u}$ becomes the input to $f_{2u}$. The output bits of $f_{2u_1}, \ldots, f_{2u_{\mathrm{MAX}_1}}$ are distributed among at most $\mathrm{MAX}_2$ of the $f_{3u}$'s.

#

Let $E[\delta_1]$ be the event that $\delta_{1u}^{(i)} \ne \delta_{1u}^{(j)}$ for all $u = u_1, \ldots, u_{\mathrm{MAX}_1}$. Then we have

#

Next each $\delta_{2u}$ becomes the input to $f_{3u}$. The output bits of $f_{3u_1}, \ldots, f_{3u_{\mathrm{MAX}_2}}$ are distributed among at most $\mathrm{MAX}_3$ of the $f_{4u}$'s.

#

Let $E[\delta_2]$ be the event that $\delta_{2u}^{(i)} \ne \delta_{2u}^{(j)}$ for all $u$. Then we have

#

#

Using mathematical induction and similar notation as above, we can formulate the security of the $r$ round $mn$-bit SPN-type transformation. As a result, the following upper bound is obtained.

#

Consequently, $\mathrm{Adv}_D$ is negligible, since $t = \mathrm{poly}(mn) = \mathrm{poly}(msk)$ and $r$, $m$, $s$ and $c$ are all constants depending on the given $(r+1)$ round $mn$-bit SPN-type transformation $G_{r+1}$.

Note that the case $r = 1$ in the above theorem corresponds to the two round $mn$-bit SPN-type transformation $G_2$ whose diffusion layer has the maximal branch number, i.e., $\mathrm{MAX}_1 = \mathrm{MIN}_1 = m$.

Ⅳ. Applications

4.1 Serpent

• Pseudorandomness. In [7], Iwata et al. proved that the two round Serpent is not a pseudorandom permutation but the three round Serpent is a pseudorandom permutation. These results are also derived by our Theorems 1 and 2. Since Serpent has a bit-wise diffusion layer, Iwata et al. decided that $s = 4$ (the notation $s$ is defined in the previous part of this paper).

In this subsection, we do not explain the details of Serpent and its modeling, because those can be found in [7]. In the modeling of Serpent, RMIN $= 2$ in our notation by the property of the Serpent diffusion layer. So we directly obtain the following corollary using Theorems 1 and 2.

Corollary 1. [7] The two round Serpent, in which the diffusion layer is left untouched and only the S-boxes are replaced with pseudorandom permutations, is not a pseudorandom permutation, but the three round Serpent is a pseudorandom permutation.

4.2 Crypton

• Description of Crypton. Crypton [11, 12] is an SPN-type transformation. The length of the block and the length of the key are 128 bits. 128-bit data is usually represented as a $4 \times 4$ matrix in the description of Crypton. The component functions $\gamma$, $\pi$, $\tau$ and $\sigma$ are as follows.

• $\gamma$ is a nonlinear byte-wise substitution. There are two versions of $\gamma$: $\gamma_o$ is for odd rounds and $\gamma_e$ is for even rounds.

• $\pi$ is a linear bit permutation. It bit-wisely mixes each column (4 bytes). There are two versions of $\pi$: $\pi_o$ is for odd rounds and $\pi_e$ is for even rounds.

• $\tau$ is a linear transposition.

• $\sigma$ is an operation in which a round key is applied to the intermediate data by a simple bitwise XOR. We write $\sigma_K$ when the given key is $K$.

The 12-round encryption of Crypton can be described as

#

where $\rho_{o,K} = \sigma_K \circ \tau \circ \pi_o \circ \gamma_o$ for odd rounds and $\rho_{e,K} = \sigma_K \circ \tau \circ \pi_e \circ \gamma_e$ for even rounds, and the linear output transformation $\phi_e = \tau \circ \pi_e \circ \tau$ is used at the end.

• Modeling. We can assume that $\tau \circ \pi$ is the diffusion layer of Crypton. Note that the linear bit permutation $\pi$ in the diffusion layer can be regarded as a 2-bit-wise permutation, because the data is divided into a bundle of 2-bit slices and then these 2-bit slices are mixed by the permutation. And $\tau$ is a simple linear transposition. So we can assume that the Crypton diffusion layer is a 2-bit-wise diffusion layer. Then we can model Crypton in the following way in order to analyze the security of the structure:

• Fix $m = 16$.

• Replace each S-box with an independent pseudorandom permutation over $I_n$.

• We can assume that the Crypton diffusion layer is a 2-bit-wise diffusion layer. So fix $s = 4$.

• Pseudorandomness. In the modeling of Crypton, RMIN $= 2$ by the property of the Crypton diffusion layer. So we directly obtain the following corollary using Theorems 1 and 2.

Corollary 2. The two round Crypton, in which the diffusion layer is left untouched and only the S-boxes are replaced with pseudorandom permutations, is not a pseudorandom permutation, but the three round Crypton is a pseudorandom permutation.

4.3 Rijndael

• Description of Rijndael. Rijndael [13] is an SPN-type transformation. The length of the block and the length of the key can be specified to be 128, 192, or 256 bits, independently of each other. In this paper we discuss the variant with 128-bit blocks and 128-bit keys. In this variant, the cipher consists of 10 rounds. 128-bit data is usually represented as a $4 \times 4$ matrix in the description of Rijndael. Every round except for the last consists of four transformations:

• ByteSubstitution is a non-linear byte substitution, operating on each of the bytes independently.

• ShiftRow is a cyclic shift of the bytes of each row by 0, 1, 2, 3 positions respectively.

• MixColumn is a linear transformation applied to the columns of the matrix.

• AddRoundKey is an operation in which a round key is applied to the intermediate data by a simple bitwise XOR.

Before the first round, AddRoundKey is performed. In the last round the MixColumn is omitted.

• Modeling. We can assume that the diffusion layer of Rijndael consists of the ShiftRow and MixColumn transformations. We can model Rijndael in the following way in order to analyze the security of the structure:

• Fix $m = 16$.

• Replace each S-box with an independent pseudorandom permutation over $I_n$.

• In the MixColumn transformation, the column MDS operation using a $4 \times 4$ matrix $L = (a_{ij})_{4 \times 4}$, where $a_{ij} \in \mathrm{GF}(2^8)$, is replaced with a new column MDS operation using a $4 \times 4$ matrix $L' = (a'_{ij})_{4 \times 4}$, where $a'_{ij} \in \mathrm{GF}(2^n)$. So we can decide that $s = 1$. Hence, it is determined that $k = n$.

• Pseudorandomness. In the modeling of Rijndael, RMIN $= 2$ by the property of the Rijndael diffusion layer. So we directly obtain the following corollary using Theorems 1 and 2.

Corollary 3. The two round Rijndael, in which the diffusion layer is left untouched and only the S-boxes are replaced with pseudorandom permutations, is not a pseudorandom permutation, but the three round Rijndael is a pseudorandom permutation.

Ⅴ. Conclusion

In this paper it was shown that there are generalized theorems for the pseudorandomness of SPN-type transformations. We showed that our results can be applied to the security analysis of the block ciphers Serpent, Crypton and Rijndael. We emphasize that the results can be applied to any other SPN-type transformation as well.

References

  1. M. Luby and C. Rackoff, 'How to construct pseudorandom permutations from pseudorandom functions,' SIAM Journal on Computing, Vol. 17, No. 2, pp. 373-386, April 1988. https://doi.org/10.1137/0217022
  2. U. M. Maurer, 'A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generators,' Advances in Cryptology - Eurocrypt'92, LNCS Vol. 658, Springer-Verlag, pp. 239-255, 1992.
  3. S. Vaudenay and S. Moriai, 'Comparison of the randomness provided by some AES candidates,' Rump session at AES2.
  4. R. L. Rivest, M. J. B. Robshaw, R. Sidney and Y. L. Yin, 'The RC6 Block Cipher,' AES proposal, available at http://www.rsa.com/rsalabs/aes/
  5. M. Matsui, 'New Block Encryption Algorithm MISTY,' Fast Software Encryption'97, LNCS 1267, Springer-Verlag, pp. 54-68, 1997.
  6. ETSI/SAGE, Specification of the 3GPP Confidentiality and Integrity Algorithms, available at http://www.etsi.org/dvbandca/3GPP/3gppspecs.htm
  7. T. Iwata and K. Kurosawa, 'On the pseudorandomness of the AES finalists - RC6 and Serpent,' Fast Software Encryption 2000, LNCS 1978, Springer-Verlag, pp. 231-243, 2000.
  8. Ju-sung Kang, Okyeon Yi, Dowon Hong, and Hyunsook Cho, 'Pseudorandomness of MISTY-type transformations and the block cipher KASUMI,' ACISP 2001, LNCS 2119, Springer-Verlag, pp. 205-318, 2001.
  9. K. Sakurai and Y. Zheng, 'On non-pseudorandomness from block ciphers with provable immunity against linear cryptanalysis,' IEICE Trans. Fundamentals, Vol. E80-A, No. 1, pp. 19-24, 1997.
  10. R. Anderson, E. Biham and L. Knudsen, 'Serpent: a proposal for the Advanced Encryption Standard,' AES proposal, available at http://www.cl.cam.ac.uk/~rja14/serpent.html
  11. C. H. Lim, 'Crypton: a new 128-bit block cipher,' AES Submission, AES Development Effort, NIST. http://www.nist.gov/aes
  12. C. H. Lim, 'A revised version of Crypton - Crypton V1.0,' Fast Software Encryption 1999, LNCS 1636, Springer-Verlag, pp. 31-45, 1999.
  13. J. Daemen and V. Rijmen, 'AES proposal: Rijndael (2nd version),' AES Submission, AES Development Effort, NIST. http://www.nist.gov/aes
  14. M. Naor and O. Reingold, 'On the construction of pseudorandom permutations: Luby-Rackoff revisited,' Journal of Cryptology, Vol. 12, pp. 29-66, 1999. https://doi.org/10.1007/PL00003817