arxiv: v2 [cs.cr] 10 Sep 2015

Similar documents
CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

Cryptographic Algorithms - AES

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

U-II BLOCK CIPHER ALGORITHMS

Week 5: Advanced Encryption Standard. Click

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

CPSC 467: Cryptography and Computer Security

AIT 682: Network and Systems Security

Attacks on Advanced Encryption Standard: Results and Perspectives

Chapter 6: Contemporary Symmetric Ciphers

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Modern Symmetric Block cipher

Fundamentals of Cryptography

Cryptography and Network Security. Sixth Edition by William Stallings

Computer Security CS 526

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

CPSC 467b: Cryptography and Computer Security

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Network Security Essentials

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Information Security CS526

CENG 520 Lecture Note III

A SIMPLIFIED IDEA ALGORITHM

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Implementation and Performance analysis of Skipjack & Rijndael Algorithms

Computer and Data Security. Lecture 3 Block cipher and DES

Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)

Secret Key Algorithms (DES)

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Content of this part

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Data Encryption Standard (DES)

Cryptography III: Symmetric Ciphers

CPSC 467b: Cryptography and Computer Security

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

P2_L6 Symmetric Encryption Page 1

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Network Security Essentials Chapter 2

Winter 2011 Josh Benaloh Brian LaMacchia

Modern Block Ciphers

Lecture 2: Secret Key Cryptography

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Cryptompress: A Symmetric Cryptography algorithm to deny Bruteforce Attack

Symmetric Cryptography. Chapter 6

Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

ISSN: (Online) Volume 2, Issue 4, April 2014 International Journal of Advance Research in Computer Science and Management Studies

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Elastic Block Ciphers: The Feistel Cipher Case

Sankeeth Kumar Chinta.

Introduction to cryptology (GBIN8U16)

Solutions to exam in Cryptography December 17, 2013

Chapter 3 Block Ciphers and the Data Encryption Standard

A General Analysis of the Security of Elastic Block Ciphers

CSCE 813 Internet Security Symmetric Cryptography

Block Ciphers Introduction

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Integral Cryptanalysis of the BSPN Block Cipher

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

Encryption Details COMP620

CSC 474/574 Information Systems Security

FPGA Based Design of AES with Masked S-Box for Enhanced Security

Goals of Modern Cryptography

Practical Aspects of Modern Cryptography

EEC-484/584 Computer Networks

Crypto: Symmetric-Key Cryptography

A Chosen-key Distinguishing Attack on Phelix

Lecture 3: Block Ciphers and the Data Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak

Lecture 4. Encryption Continued... Data Encryption Standard (DES)

Darshan Institute of Engineering & Technology Page Information Security (IS) UNIT-2 Conventional Encryption Techniques

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography BITS F463 S.K. Sahay

A Survey On SecureImage Encryption Technique Using Blowfish And Chaos

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Symmetric key cryptography

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Jordan University of Science and Technology

Part XII. From theory to practice in cryptography

Cryptography Functions

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

AN EFFECTIVE PERFORMANCE EVALUATION OF RC6, BLOWFISH, DES ALGORITHMS

Lecture 5. Encryption Continued... Why not 2-DES?

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Syrvey on block ciphers

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Jaap van Ginkel Security of Systems and Networks

Cryptography and Network Security

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

A New ShiftColumn Transformation: An Enhancement of Rijndael Key Scheduling

Transcription:

XCRUSH: A Family of ARX Block Ciphers arxiv:1509.02584v2 [cs.cr] 10 Sep 2015 Evan Saulpaugh evan.saulpaugh@gmail.com September 8, 2015 Abstract. The XCRUSH family of non-feistel, ARX block ciphers is designed to make efficient use of modern 64-bit general-purpose processors using a small number of encryption rounds which are simple to implement in software. The avalanche function, which applies one data-dependent, key-dependent rotation per 64-bit word of plaintext per round, allows XCRUSH to achieve a fully diffuse 256-bit ciphertext block after only two rounds. Designed for speed in software, the reference implementation for 3-round XCRUSH is measured at 7.3 cycles/byte single-threaded on an Intel Haswell processor. A pseudorandom number generator, constructed using the avalanche function, serves as a key scheduling algorithm. No security claims are made in this paper. Keywords: ARX, data-dependent rotations, DDR, XCRUSH 1 Introduction This author was originally inspired to create a new block cipher more efficient than Rijndael[1] in software run on modern general-purpose processors. The idea was to use 64-bit XOR, add, and rotate operations instead of lookup tables which work with only eight or 16 bits at a time, thinking that perhaps the technique was without precedent. Had it been, this cipher would likely have been called Czar or Tsar, a play on the letters XAR, meaning XOR, Add, Rotate. In experimenting with rotations of a 256-bit block using eight bits of key to determine the rotation distance, it became obvious that key-dependent rotations were just as ineffective as fixed rotations for achieving diffusion quickly. Subsequently and by default, data-dependent rotations came to be the tool of choice. XCRUSH has a fixed block length of 256 bits and supports key sizes of 128, The algorithms presented in this paper are free from any intellectual property restrictions. This release does not constitute an endorsement of these algorithms for official use. 1

192, and 256 bits. Developed uninfluenced by any prior work involving datadependent rotations, the techniques presented in this paper are the result of this author s attempts to achieve fast diffusion in software with 64-bit arithmetic. Table 1. Notation Notation x + y x y x y x y x i x i Description addition of x and y modulo 2 n multiplication of x and y modulo 2 n bitwise XOR of x and y bitwise AND of x and y right shift of x by i bits left rotation of x by i bits 2 Description 2.1 Algorithm Let P = (P 1, P 2, P 3, P 4 ) and C = C 1, C 2, C 3, C 4 ) be the 256-bit plaintext and ciphertext respectively where P i and C i are 64-bit words. Let SK j be the 64-bit subkey for j = 1,..., 16. Then, the encryption process can be formulated as in Algorithm 1. Algorithm 1 The Encryption Process of XCRUSH (T 1, T 2, T 3, T 4 ) = P = (P 1, P 2, P 3, P 4 ) SK = (SK 1, SK 2,..., SK 16 ) for i = 0 to 2 do j = i 4 (RK 1, RK 2, RK 3, RK 4 ) = (SK j+1, SK j+2, SK j+3, SK j+4 ) T 1 = A(T 1, T 2 + T 3 + T 4 + RK 1 ) T 2 = A(T 2, T 1 + T 3 + T 4 + RK 2 ) T 3 = A(T 3, T 1 + T 2 + T 4 + RK 3 ) T 4 = A(T 4, T 1 + T 2 + T 3 + RK 4 ) end for (C 1, C 2, C 3, C 4 ) = (T 1 SK 13, T 2 SK 14, T 3 SK 15, T 4 SK 16 ) A-Function A-Function is a keyed avalanche function that provides both confusion and diffusion. C-Function returns an integer on interval [0,63] which is used as the bitwise leftward rotation distance. A-Function is used in the encryption process and as part of the key expansion. Where X and A are 64-bit 2

words, A-Function can be formulated as in Algorithm 2. Algorithm 2 A-Function A(X, A) = (Y ) Y = (X + A) C(A) C -Function C -Function is a compression designed to produce a large set of 6-bit values when applied to a set of very similar inputs. Where X is a 64-bit word, C -Function can be formulated as in Algorithm 3. Algorithm 3 C -Function C(X) = (Y ) X = (X 32) + X X = (X 11) X X = (X 9) + X X = (X 6) + X Y = X 0x3f 2.2 Key Expansion The 16 64-bit subkeys necessary for the encryption process are generated by seeding a pseudorandom number generator with the encryption key. Let the encryption key K be equal to (K 1, K 2 ), (K 1, K 2, K 3 ), and (K 1, K 2, K 3, K 4 ) for key lengths 128, 192, and 256 bits respectively, where each K i is a 64-bit word. Let the 320-bit PRNG seed S = (S 1, S 2, S 3, S 4, S 5 ) be equal to (K 1, K 2, C, C, C), (K 1, K 2, K 3, C, C), and (K 1, K 2, K 3, K 4, C) for key lengths 128, 192, and 256 bits respectively, where C = 4142135623730950488 and S i, K i, and C are 64-bit words. Then, the key expansion can be formulated as in Algorithm 4. Algorithm 4 The Key Expansion Algorithm for i = 1 to 10 do (Y, S) = N(S) end for SK = (SK 1, SK 2,..., SK 16 ) for i = 1 to 16 do (Y, S) = N(S) SK i = Y end for 3

Algorithm 5 N -Function is a pseudorandom number generator with 320 bits of state. N -Function uses the avalanche function to generate a series of 64-bit outputs. N(S) = (Y, S) S = (S 1, S 2, S 3, S 4, S 5 ) T = S 2 S 2 = S 3 S 3 = S 4 S 4 = S 5 S 5 = S 1 Y = S 1 = A(S 1, S 1 + T ) S = (S 1, S 2, S 3, S 4, S 5 ) 3 Design Rationale 3.1 Algorithm By making the addition to, but more importantly the bitwise rotation of each 64-bit word of plaintext dependent on the other three words in the plaintext block, and by allowing the output of one avalanche operation to feed into the next, we can ensure that a small change in the plaintext block will tend to result in a very large change in the output block after each round. Given this construction, it appeared natural to simply add a 64-bit word of key material to the sum of the three words of plaintext going into the avalanche function. In this way, confusion and diffusion are achieved efficiently and simultaneously. Finally, as key whitening, the block is XORed with the final 256 bits of subkey in order to obscure all the inputs into the final invokations of the avalanche function. 3.2 Key Expansion The key expansion is done by way of seeding a deterministic random bit generator, also known as a pseudorandom number generator, with the encryption key to produce the subkeys used in the encryption process. The PRNG used is based on xorshift generators[2] and is chosen for speed and simplicity of implementation. 4

The complex one-way nature of the key expansion is intended to make it difficult for an attacker to use information about a subkey to recover infomation about the other subkeys or about the master key. Additionally, the PRNG method of subkey derivation, by which a stream of subkeys is dependent on all the bits of the master key, is intended to mitigate related-key attacks. The constant C, namely the leading decimal digits of the fractional part of the square root of two, is arbitrarily chosen to ensure that the PRNG is not seeded with all zeros. Note that, regardless of key size, XCRUSH is composed of three avalanche rounds and a key-whitening XOR. 4 Concluding Remarks XCRUSH is an ambitious attempt at creating an unconventional family of block ciphers which may or may not lend itself well to traditional cryptanalysis. It is the hope of this author that it may serve to advance the field of cryptography in its own way. References [1] Joan Daemen and Vincent Rijmen, AES Proposal: Rijndael, presented at the First Advanced Encryption Standard (AES) Candidate Conference, 1998 [2] George Marsaglia, Xorshift RNGs, Journal of Statistical Software, Vol. 8, Issue 14, Jul 2003. 5

RK 1 A RK 2 A RK 3 A RK 4 A 6 Figure 1: A round of XCRUSH.

32 11 9 6 0x3f AND Figure 2: The avalanche function. 7

Appendices A Test Vectors A.1 XCRUSH-128 KEY: 1599 D14129204267 E4C91210F1C15541 PLAINTEXT: 9338192346089EEE 965D12810033DDF0 434 C5669E9E31202 86416 B3296055DC1 CIPHERTEXT: 2AC5C0D9B62355A2 9DEFB4F22A3D6DBF CC18261B50072FBC CCB953C4947A6C39 A.2 XCRUSH-192 KEY: 4211121041 C35A31 E4E4961BB81941BA CC982462195662AA PLAINTEXT: 4440306090522AB0 31249688284691DF 4C15654900DB1A19 19 A0FF64135229D2 CIPHERTEXT: 2FEFD41974AFDD44 15 BA6339E5C03563 42BA28CF31B5F400 CCD58FC905686D9F A.3 XCRUSH-256 KEY: F0E0D0C0B0A09080 7060504030201000 F1D3B597795B3D1F 021346578A9BCEDF PLAINTEXT: 311 D411620304361 48165 C7790022614 9536295 B87012640 396218842 A490866 CIPHERTEXT: 000947604 A76E469 E34346B03745CAC9 244D96ACC783C42B 95406757 BE5653D9 8

B Reference Implementation / The C r e f e r e n c e implementation o f the b l o c k c i p h e r f a m i l y XCRUSH. This s o f t w a r e i s r e l e a s e d i n t o the p u b l i c domain. / #include <s t d i o. h> #define BLOCK LENGTH LONGS 4 #define KEY LEN 128 BITS 2 #define KEY LEN 192 BITS 3 #define KEY LEN 256 BITS 4 #define NUM SUBKEYS 16 #define C 4142135623730950488L #define LONG LONG SIZE 64 int compress ( unsigned long long x ) { x = ( x >> 32) + x ; x = ( x >> 11) ˆ x ; x = ( x >> 9) + x ; return ( ( x >> 6) + x ) & 0 x3f ; long long avalanche ( unsigned long long v, unsigned long long a ) { v += a ; const int shiftamount = compress ( a ) ; / ROTATE LEFT / return ( v << shiftamount ) ( v >> (LONG LONG SIZE shiftamount ) ) ; long long unavalanche ( unsigned long long v, unsigned long long a ) { const int shiftamount = compress ( a ) ; / ROTATE RIGHT / v = ( v >> shiftamount ) ( v << (LONG LONG SIZE shiftamount ) ) ; return v a ; void e n c r y p t ( unsigned long long p l a i n t e x t [ ], int o f f s e t, int length, unsigned long long subkeys [ 1 6 ] ) { const long 0 = subkeys [ 0 ] ; const long 1 = subkeys [ 1 ] ; 9

const long 2 = subkeys [ 2 ] ; const long 3 = subkeys [ 3 ] ; const long 4 = subkeys [ 4 ] ; const long 5 = subkeys [ 5 ] ; const long 6 = subkeys [ 6 ] ; const long 7 = subkeys [ 7 ] ; const long 8 = subkeys [ 8 ] ; const long 9 = subkeys [ 9 ] ; const long 10 = subkeys [ 1 0 ] ; const long 11 = subkeys [ 1 1 ] ; const long 12 = subkeys [ 1 2 ] ; const long 13 = subkeys [ 1 3 ] ; const long 14 = subkeys [ 1 4 ] ; const long 15 = subkeys [ 1 5 ] ; const int end = o f f s e t + l ength ; int o n e, two, t h r e e ; long a, b, c, d, temp ; // f o r each b l o c k for ( ; o f f s e t < end ; o f f s e t += BLOCK LENGTH LONGS) { o n e = o f f s e t + 1 ; t w o = o f f s e t + 2 ; t h r e e = o f f s e t + 3 ; a = p l a i n t e x t [ o f f s e t ] ; b = p l a i n t e x t [ o n e ] ; c = p l a i n t e x t [ t w o ] ; d = p l a i n t e x t [ t h r e e ] ; / round 1 / temp = c + d ; a = avalanche ( a, temp + b + 0 ) ; b = avalanche ( b, temp + a + 1 ) ; temp = a + b ; c = avalanche ( c, temp + d + 2 ) ; d = avalanche ( d, temp + c + 3 ) ; / round 2 / temp = c + d ; a = avalanche ( a, temp + b + 4 ) ; b = avalanche ( b, temp + a + 5 ) ; 10

temp = a + b ; c = avalanche ( c, temp + d + 6 ) ; d = avalanche ( d, temp + c + 7 ) ; / round 3 / temp = c + d ; a = avalanche ( a, temp + b + 8 ) ; b = avalanche ( b, temp + a + 9 ) ; temp = a + b ; c = avalanche ( c, temp + d + 10 ) ; d = avalanche ( d, temp + c + 11 ) ; p l a i n t e x t [ o f f s e t ] = a ˆ 12 ; p l a i n t e x t [ o n e ] = b ˆ 13 ; p l a i n t e x t [ t w o ] = c ˆ 14 ; p l a i n t e x t [ t h r e e ] = d ˆ 15 ; void decrypt ( unsigned long long c i p h e r t e x t [ ], int o f f s e t, int length, unsigned long long subkeys [ 1 6 ] ) { const long 0 = subkeys [ 0 ] ; const long 1 = subkeys [ 1 ] ; const long 2 = subkeys [ 2 ] ; const long 3 = subkeys [ 3 ] ; const long 4 = subkeys [ 4 ] ; const long 5 = subkeys [ 5 ] ; const long 6 = subkeys [ 6 ] ; const long 7 = subkeys [ 7 ] ; const long 8 = subkeys [ 8 ] ; const long 9 = subkeys [ 9 ] ; const long 10 = subkeys [ 1 0 ] ; const long 11 = subkeys [ 1 1 ] ; const long 12 = subkeys [ 1 2 ] ; const long 13 = subkeys [ 1 3 ] ; const long 14 = subkeys [ 1 4 ] ; const long 15 = subkeys [ 1 5 ] ; const int end = o f f s e t + l ength ; int o n e, two, t h r e e ; long a, b, c, d, temp ; 11

for ( ; o f f s e t < end ; o f f s e t += BLOCK LENGTH LONGS) { o n e = o f f s e t + 1 ; t w o = o f f s e t + 2 ; t h r e e = o f f s e t + 3 ; a = c i p h e r t e x t [ o f f s e t ] ˆ 12 ; b = c i p h e r t e x t [ o n e ] ˆ 13 ; c = c i p h e r t e x t [ t w o ] ˆ 14 ; d = c i p h e r t e x t [ t h r e e ] ˆ 15 ; temp = a + b ; d = unavalanche ( d, temp + c + 1 1 ) ; c = unavalanche ( c, temp + d + 1 0 ) ; temp = c + d ; b = unavalanche ( b, temp + a + 9 ) ; a = unavalanche ( a, temp + b + 8 ) ; temp = a + b ; d = unavalanche ( d, temp + c + 7 ) ; c = unavalanche ( c, temp + d + 6 ) ; temp = c + d ; b = unavalanche ( b, temp + a + 5 ) ; a = unavalanche ( a, temp + b + 4 ) ; temp = a + b ; d = unavalanche ( d, temp + c + 3 ) ; c = unavalanche ( c, temp + d + 2 ) ; temp = c + d ; b = unavalanche ( b, temp + a + 1 ) ; a = unavalanche ( a, temp + b + 0 ) ; c i p h e r t e x t [ o f f s e t ] = a ; c i p h e r t e x t [ o n e ] = b ; c i p h e r t e x t [ t w o ] = c ; c i p h e r t e x t [ t h r e e ] = d ; long long S 1, S 2, S 3, S 4, S 5 ; long long next ( ) { long long t = S 2 ; S 2 = S 3 ; S 3 = S 4 ; S 4 = S 5 ; 12

S 5 = S 1 ; S 1 = avalanche ( S 1, S 1 + t ) ; return S 1 ; void expand key ( unsigned long long key [ ], int keylen, unsigned long long subkeybuf [NUM SUBKEYS] ) { switch ( keylen ) { case KEY LEN 128 BITS : S 1 = key [ 0 ] ; S 2 = key [ 1 ] ; S 3 = C; S 4 = C; S 5 = C; break ; case KEY LEN 192 BITS : S 1 = key [ 0 ] ; S 2 = key [ 1 ] ; S 3 = key [ 2 ] ; S 4 = C; S 5 = C; break ; case KEY LEN 256 BITS : S 1 = key [ 0 ] ; S 2 = key [ 1 ] ; S 3 = key [ 2 ] ; S 4 = key [ 3 ] ; S 5 = C; break ; default : break ; for ( int i = 0 ; i < 1 0 ; i++) { next ( ) ; for ( int i = 0 ; i < NUM SUBKEYS; i++) { subkeybuf [ i ] = next ( ) ; int main ( int argc, const char argv [ ] ) { const int keylen = KEY LEN 256 BITS ; unsigned long long key [ keylen ] = { 13

; 0xF0E0D0C0B0A09080L, 0 x7060504030201000l, 0xF1D3B597795B3D1FL, 0x021346578A9BCEDFL const int datalen = 4 ; unsigned long long data [ datalen ] = { 0 x311d411620304361l, 0 x48165c7790022614l, 0 x9536295b87012640l, 0 x396218842a490866l ; unsigned long long subkeys [NUM SUBKEYS ] ; expand key ( key, keylen, subkeys ) ; for ( int i = 0 ; i < datalen ; i ++) { p r i n t f ( %#l l x, data [ i ] ) ; p r i n t f ( \n ) ; e n c r y p t ( data, 0, datalen, subkeys ) ; for ( int i = 0 ; i < datalen ; i ++) { p r i n t f ( %#l l x, data [ i ] ) ; p r i n t f ( \n ) ; decrypt ( data, 0, datalen, subkeys ) ; for ( int i = 0 ; i < datalen ; i ++) { p r i n t f ( %#l l x, data [ i ] ) ; ; return 0 ; 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback