3. What does a cipher need
Mapping : Input bits => Output bits
1. cannot be determined easily
2. must change based on the user-defined key
3. must be reversible for decryption
4. Crypto attacks
1. Should not be able to guess the ciphertext for any given plaintext :
(Small change in plaintext should cause large output change)
2. Should not be able to guess the ciphertext for any given key :
(Small change in key should cause large output change)
3. Strict avalanche criterion : Change in one input bit should change half the
output bits !
4. Bit independence criterion : no correlation between two output bits
5. Shannon
1. Confusion : hide relation between cipher and key
2. Diffusion : hide relation between cipher and plaintext
9. Linear, affine and non-linear functions
Linear function = linear combination of input bits
Affine = Linear + some constant
Non-linear has products of input bits
Linear : f(x, y) = x + y
Affine : f(x, y) = x + y + 1
Non-linear : f(x, y) = x.y
10. measure non-linearity
1. Find Hamming distance from affine : number of bits different in truth table
2. Use Walsh-Hadamard transform - (Like the Fourier transform)
Say boolean f(x, y) = (x & ~y)
Truth table = [0, 0, 1, 0]
import sympy
sympy.fwht([0, 0, 1, 0])  # => [1, 1, -1, -1]
Truth table of f(x,y) = [0, 1, 1, 0]
Truth table of g(x,y) = [1, 0, 1, 0]
Hamming distance = 2
11. Bent function
Is a maximally non-linear function
Farthest Hamming distance from *ALL* linear and affine functions (to ensure nonlinearity)
(Hamming distance = number of bits that differ in the truth table)
Walsh-Hadamard spectrum is flat (i.e. all coefficients equal in magnitude = like white noise)
12. Balanced function
Balanced function has truth table with same number of zeroes and ones
This is useful to prevent differential cryptanalysis (i.e. relative changes)
differential => plaintext pairs which have constant difference
f(x,y) = x ^ y has truth table = [0, 1, 1, 0]
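Added example (not from the original slides): the nonlinearity measure from slide 10 and the bent and balanced checks from slides 11 and 12, in plain Python. It applies the Walsh-Hadamard transform to (-1)^f rather than to the 0/1 truth table, which is the form in which a bent function's spectrum is flat; all function names are illustrative.

```python
# Added example, not from the slides. Truth tables are ordered 00, 01, 10, 11, ...
# All names here are illustrative.

def walsh_spectrum(tt):
    """Walsh-Hadamard transform of (-1)^f for a 0/1 truth table of length 2^n."""
    w = [1 - 2 * b for b in tt]              # 0 -> +1, 1 -> -1
    h = 1
    while h < len(w):                        # butterfly passes, O(n * 2^n)
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """Smallest Hamming distance from f to any linear or affine function."""
    return len(tt) // 2 - max(abs(c) for c in walsh_spectrum(tt)) // 2

def is_bent(tt):
    """Flat spectrum: every coefficient has magnitude 2^(n/2)."""
    return all(c * c == len(tt) for c in walsh_spectrum(tt))

def is_balanced(tt):
    """Same number of zeroes and ones in the truth table."""
    return 2 * sum(tt) == len(tt)

def truth_table(f, n):
    """Evaluate f on every n-bit input, first argument = most significant bit."""
    return [f(*[(i >> (n - 1 - k)) & 1 for k in range(n)]) & 1
            for i in range(2 ** n)]

# Constructed sample functions (the third one is the slide 10 example).
SAMPLES = {
    "x ^ y":     truth_table(lambda x, y: x ^ y, 2),
    "x ^ y ^ 1": truth_table(lambda x, y: x ^ y ^ 1, 2),
    "x & ~y":    truth_table(lambda x, y: x & ~y, 2),
    "ab ^ c":    truth_table(lambda a, b, c: (a & b) ^ c, 3),
    "ab ^ cd":   truth_table(lambda a, b, c, d: (a & b) ^ (c & d), 4),
}

def summarize(samples=SAMPLES):
    """Map name -> (nonlinearity, is_bent, is_balanced)."""
    return {k: (nonlinearity(t), is_bent(t), is_balanced(t))
            for k, t in samples.items()}

if __name__ == "__main__":
    for name, (nl, bent, bal) in summarize().items():
        print(f"{name:10} nonlinearity={nl} bent={bent} balanced={bal}")
```

In the output the two bent functions are not balanced and the balanced functions are not bent: a flat spectrum forces a non-zero first coefficient, so a bent function can never be balanced.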
13. Finding bent and balanced
It’s hard to find good bent functions as number of bits increases.
Heuristic/iterative constructions to find them (e.g. Maiorana-McFarland)
Butler, J.T., Sasao, T.: Logic functions for cryptography - a tutorial
14. Another way to obtain bent functions
Galois field
In a limited set of elements, it is possible to define addition and multiplication
e.g. 011 x 100 = 111
15. Multiplicative inverse
Multiplicative inverses occur in pairs
This defines a non-linear invertible mapping
(29, 0A) is a pair on your right
row=0, column=A has 29
0A => 29
row=2, column=9 has 0A
29 => 0A
17. Substitution (S-box)
Creates confusion using nonlinearity
Like a giant lookup table indexed by the key
In practice, S-boxes are combinations of smaller boxes
● Hard to find perfect nonlinear functions in higher dimensions
● Easier to manage smaller boxes in hardware
e.g. AES S-box operates on 8-bit; DES on 4-bit
21. high level
three functions
1. S-box provides confusion
2. Byte shuffle and mixing provides diffusion (E-Box and P-box in DES,
MixColumns in AES)
3. Always XOR the key and data
22. high level
Operate on an even number of bits (if odd, some bit
can expose correlation)
Use multiple rounds to strengthen cipher
23. Rounds and key schedule
In each round, you create a “derived” key from main key to lookup the table
[Figure: panels labelled DES and AES. Source: https://www.researchgate.net/figure/Figure-Structure-of-AES-III-Implementation-The-AES-algorithm-is-based-on-Key-Expansion_fig1_318486461]
24. Conclusion
1. S-Box is built from Non-linear boolean functions
2. Non-linearity : heuristic + iterative constructions, Galois field
3. Have to mix the key and data (XOR)
4. Use multiple rounds
5. Choice of permutations depends on the specific cipher
25. misc
Bent functions = strongly regular graph with e=d
Online database http://www.selmer.uib.no/odbf/search.html