Fast Data Encipherment Algorithm FEAL. Electrical Communication Laboratories, NTT , Take, Yokosuka-shi, Kanagawa-ken, , Japan

Similar documents
One subset of FEAL, called FEAL-NX, is N round FEAL using a 128-bit key without key parity.

Cryptanalysis of F.E.A.L.

Self evaluation of FEAL-NX

6. Symmetric Block Cipher BLOWFISH Performance. Memory space. 3. Simplicity The length of the key. The length of the data block is 64.

Network Working Group Request for Comments: S. Moriai Sony Computer Entertainment Inc. April 2004

Fundamentals of Cryptography

Secret Key Cryptography

Toshiki Habutsu Yoshifumi Nishio lwao Sasase Shinsaku Mori Department of Electrical Engineering, Keio University

On the Design of Secure Block Ciphers

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Stream Ciphers and Block Ciphers

Linear Cryptanalysis of Reduced Round Serpent

Improved Truncated Differential Attacks on SAFER

CIS-331 Spring 2016 Exam 1 Name: Total of 109 Points Version 1

Week 4. : Block Ciphers and DES

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

A KNOWN PLAINTEXT ATTACK OF FEAL-4 AND FEAL-6

A STATISTICAL ATTACK OF THE FEAL-8 CRYPTOSYSTEM

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

AIT 682: Network and Systems Security

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

Cryptography Functions

Encryption Algorithms

6.1 Font Types. Font Types

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

CIS-331 Exam 2 Fall 2015 Total of 105 Points Version 1

Enhanced Play Fair Cipher

CIS-331 Fall 2014 Exam 1 Name: Total of 109 Points Version 1

Differential Attack on Message Authentication Codes

Differential Fault Analysis on the AES Key Schedule

CIS-331 Exam 2 Fall 2014 Total of 105 Points. Version 1

Triple DES and AES 192/256 Implementation Notes

4. Specifications and Additional Information

Stream Ciphers and Block Ciphers

Differential-Linear Cryptanalysis of Serpent

Integral Cryptanalysis of the BSPN Block Cipher

Avalanche Analysis of Extended Feistel Network

Team RZC: Fast Data Encipherment Algorithm (FEAL)

CIS-331 Fall 2013 Exam 1 Name: Total of 120 Points Version 1

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

Encryption. INST 346, Section 0201 April 3, 2018

Internet Engineering Task Force (IETF) Category: Standards Track March 2011 ISSN:

A Weight Based Attack on the CIKS-1 Block Cipher

A Chosen-Plaintext Linear Attack on DES

TLS 1.2 Protocol Execution Transcript

Remark on the Threshold RSA Signature Scheme

Biclique Attack of the Full ARIA-256

Increase Throughput of CCM Security Mode Using MKP

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

Implementation of the AES as a Hash Function for Confirming the Identity of Software on a Computer System

Network Working Group Request for Comments: 1829 Category: Standards Track Piermont W. Simpson Daydreamer August 1995

A New Technique for Sub-Key Generation in Block Ciphers

SAFER K-64: A Byte.Oriented Block-Ciphering Algorithm

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Distributed ID-based Signature Using Tamper-Resistant Module

Differential Cryptanalysis of Madryga

Other Systems Using Timing Attacks. Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995)

AN EFFECTIVE PERFORMANCE EVALUATION OF RC6, BLOWFISH, DES ALGORITHMS

ASIC Performance Comparison for the ISO Standard Block Ciphers

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Cryptography and Network Security

Two Attacks on Reduced IDEA (Extended Abstract)

On the Security of the 128-Bit Block Cipher DEAL

Acquirer JCB EMV Test Card Set

Implementation of Full -Parallelism AES Encryption and Decryption

PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems

Journal of Global Research in Computer Science A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION

Kurose & Ross, Chapters (5 th ed.)

Technion - Computer Science Department - Technical Report CS

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

EFFICIENT OFFLINE ELECTRONIC CHECKS (Extended Abstract)

Network Security Essentials Chapter 2

Computational Security, Stream and Block Cipher Functions

PGP: An Algorithmic Overview

DATA ENCRYPTION STANDARD (DES)

LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications 1

Chosen Ciphertext Attack on SSS

CIS-331 Exam 2 Spring 2016 Total of 110 Points Version 1

Reducing the collision probability of Alleged. Abstract. Wagner, Goldberg and Briceno have recently published an

Practical attacks on the Maelstrom-0 compression function

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

3D (6 X 4 X 4) - Playfair Cipher

Related-key Attacks on Triple-DES and DESX Variants

SPAREPARTSCATALOG: CONNECTORS SPARE CONNECTORS KTM ART.-NR.: 3CM EN

Intended status: Informational Expires: January 21, 2016 CRYPTO-PRO V. Podobaev FACTOR-TS I. Ustinov Cryptocom July 20, 2015

A Related Key Attack on the Feistel Type Block Ciphers

Group Authentication Using The Naccache-Stern Public-Key Cryptosystem

OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY

Implementation and Evaluation of New Cryptography Algorithm for Applications

FPGA Implementation of Optimized DES Encryption Algorithm on Spartan 3E

SPARE CONNECTORS KTM 2014

CIS-331 Final Exam Spring 2018 Total of 120 Points. Version 1

Gateway Ascii Command Protocol

Introduction. Secret Key Cryptography. Outline. Secrets? (Cont d) Secret Keys or Secret Algorithms? Introductory Remarks Feistel Cipher DES AES

AES, DES, and RSA Support (Intended for Domestic Use) SASEBO-W Smart Card OS Specification

PART I Symmetric Ciphers

ISSN: Page 320

Transcription:

Fast Data Encipherment Algorithm FEAL Akihiro Shimizu 81 Shoj i. Miyaguchi Electrical Communication Laboratories, NTT 1-2356, Take, Yokosuka-shi, Kanagawa-ken, 238-03, Japan BACKGROUND In data communications and information processing systems, cryptography is the most effective way to secure communications and store data. The most commonly used cryptogryphic algorithm is DES [I]. However, it is generally implemented with hardware, and the cost is prohibitive for small scale systems such as personal computer communications. Accordingly, an encipherment algorithm that has safety equal to DES and is suitable for software as well as hardware implementation is needed. The FEAL (Fast data Encipherment ALgorihtm) fills this need. EVALUATION INDICES FOR ALGORITHM STRENGTH In FEAL design, two evaluation indices, M and Ms, are adopted to evaluate objectively the data randomization ability of the algorithm. These indices express the approximation degree of ciphertext variation to the binomial distribution B (n, 1 / 2), 1 ength. in which n is the ciphertext bit M is the average approximation degree of the distribution of D. Chaum and W.L. Price (Eds.): Advances in Cryptology - EUROCRYPT '87, LNCS 304, pp. 267-278, 1988. 0 Springer-Verlag Berlin Heidelberg 1988

268 ciphertext variations according to the plaintext or key variations from one-bit to n-bit. Ms is the standard deviation of the approximation degree. When M approaches one (100 percent) and Ms approaches zero, the algorithm does not leave clues which could be used to count backward to the input plaintext or key in the ciphertext. M and Ms are definded separately so that Mp and Mps are for plaintext variations and Mk and Mks are for key variations. To get the indices, many plaintexts or keys have to be used. Nevertheless, the amount of data which can be treated is generally small compared to the population. Thus, it is important to determine the theoretical index values according to the amount of data by means of statistical calculation. For example, the theoretical values for 16*16016*63 pieces of data, which are a combination of 16 plaintexts, 16 keys and 16.63 plaintext or key variations, are M = 96.5 percent and Ms = 2.6 percent (Table 1). When the measured values of the indices are close to the theoretical values, the randomness of algorithm ciphertexts is considered saturated. Items FEAL DES Theoretical values Key indices Mk 96. 5 MkS 2. 6 93. 4 96. 5 4. 9 2. 6 Plaintext MI? 96. 5 indices MPS 2. 6 95. s 96. 5 3. 4 2. 6 Note: Data amount=16~16*16*63

269 DESIGN FEAL consists of two processing parts. One is the key schedule which generates the 256-bit extended key from the 64-bit secret key. It is designed to generate different extended keys for different secret keys (Fig. 1). The other is the data randomizer (Fig. 2), which generates 64-bit ciphertext from 64-bit plaintext under control of the extended key. The data randomizer uses combinations of involutions (3). One program can perform two functions, enciphering and deciphering, except for the extended key entry. Moreover, the setting of 64-bit extended keys by means of an exclusive-or operation at the entrance and exit makes attack on the algorithm difficult. The construction of f (Fig. 3) is such that input bit variations influence all output data. Experiments confirmed that FEAL's f function randomization efficiency is two to three times that of DES. The S function in the f function, a one-byte data substitution, is as effective as DES' s S-box. The S fucntion is defined as: S (x, y, delta) = ROT2 (T) : T=x+y+delta mod256: x, y: one-byte data: de1ta:constant (0 or 1) : ROT2 (T) : 2-bit left rotation operation on T. Example 1 : Where x = 0001001 1, y = 11 110010, delta=l, T = 000001 10. Example 2: ROT2(11011100) = 01110011. The fk function (Fig.4) used in the key schedule is the same as the f fucntion except for the entry positon of parameter beta.

270 FEAL VERSIONS There is an earlier cryptoanalysis report (4) for FEAL (5). For this reason, the iterative number of data randomizer in FEAL is increased from 4 stages to 8 stages. FEAL described in (5) and (6) is called FEAL version 1.00, and the modified FEAL referred to in this paper is called FEAL Version 2.00. Details for FEAL versions are reported in (71 STRENGTH AND PERFORMANCE of FEAL (Version 2.00) FEAL working with no parity in a key block is safe from the allkey attack because it is controlled by a 64-bit key, which is more secure than the 56-bit DES key. Regarding ciphertext randomization, FEAL is considered safe because the randomization indices are closer to the theoretical values than those of DES. When FEAL is implemented in assembly language on an i-8086 16-bit microprocessor with 8 MHz frequency, it is confirmed that the program size is 400 bytes and the excution time speed reaches 120 kbps. CONCLUSION FEAL is an encipherment algorithm suitable for software implementation. It can be applied widely to small scale or other existing systems unable to use DES hardware because of cost. Moreover, FEAL is suitable for hardware implementation, too. Implementated as an LSI, it can be used as the cryptographic method in all data communication fields.

271 ACKNOWLEGEMENT We thank Dr. Bert den Boer for finding problems hidden in FEAL Version 1-00. RERERENCES (1) FIPS PUB 46, Data Encryption Standard (1977). (21 S. Miyaguchi, M. Hirano:' Evaluation Criteria for Encipherment and Authentication Algorihtrns', Trans. of IECE of Japan. Vol. J69-A, No. 10. pp. 1252-1259 (Oct. 1986) (in Japanese). (3) A.G. Kohnheim: 'Cryptography: A Primer', A Wiley Interscience Publication, pp. 236-240 (Jan. 1986). (4) Bert den Boer, ' Cryptonalysis of FEAL', Crypto' 87-Rump Session, Aug. 1987. (5) A. Shimizu, S. Miyaguchi, ' Fast Data Encipherment Algorihtm FEAL' I ABSTRACTS of EUROCRYPT 87 AMSTERDAM, April 1907. (6) A. Shimizu, S. Miyaguchi, ' Fast Data Enciphement Algorihtm FEAL' Trans. of IECE of Japan, Vol. J70-D No. 7 pp. 1413-1423, July 1987 (in Japanese). (7) An Extension of Fast Data Encipherment Algorithm FEAL, SITA' 87, 19-21, Nov. 1987 (in English).

272 Key block(64 bits) (32 bits) L (32 bits) B1 B2 B3 B4 B6 Kf) (32 bits) K2(r-1) : Left part of B r (16 bits) KZ(r-1)tl: Right part of B r (16 bits) Fig. 1 Key processing part

273 Plaintext (Ciphertext) block(64 bits) (K8. K9, Ka, Kb) (32 bits) LO (R8) LO (R8) KO (K7) L1 (R7) K1 (K6) L2 (R6) K2 (K5) L3 (R5) L4 (R4) > K4 (K3) L5 (R3) K5 (K2) L6 (R2) K6 {KI) L7 {Rl) K7 (KO) R8 (LO} (Kc, Kd, Ke, Kf) c ( (K8. K9, Ka, Kb) 1 Ciphertext (Plaintext} block ( 1 : Deciphering Fig. 2 Data randomize1

274 Y=S6 (Xl,X2)=ROTZ((Xl+XZ+S )mod256) Ytoutput, Xl/XZ:inputs, 6 :paraaeter(o or 1) ROT2:2 bit left rotation on 8-bit data Fig. 3 Function f a I (32 bits) E t-- (32bi t s ) 3 i, 6 i 8 bits Fig. 4 Function f K

Appendix FEAL Specifications 1 Notations (1) Block: U. Ur- are blocks of plural octets. (2) Octet block: U 1, U,J are the j th octets in the blocks U,Ur where j = 0, 1, -._ (3) Concatenation: (U, V, --) is a block concatenated with U, V,...... in this order. (4) Exclusive-or: U@V is bitwise exclusive-or of block U and V. (5) Q is a null block.four octets long. (6) Assignment: The value of the left side of =sign is assigned the value of the right side. 2 Functions 2.1 Function S S (Xl,X2, 6 ) = ROT2 (T) T = X 1 + X2 + 6 mod 256 where X1. X2 and T are blocks of one-octet,6 = 0 or 1 (constant value), and ROT2 (T) is the result of a 2 bit left rotation operation on T. Example 1 : Where X 1 = 00010011, X2 = 11110010. 8 = l.t = 00000110 Example 2: Rot2 (11011100) = 01110011 2.2 Function f Y Inputs of function f K, a and B, are divided into four 1-octet blocks as:

276 u = (am, u ', a2, a3) B = (8'. B '. B2. B 3 ). f K (a, B ) is shortened to f. f = ( f E, f I, f 2, f 3, are calculated in order. f ~ = ' 0 1 @ as f ~ = 2 u2 @ a3 fk' = s (fk', fk2@bs, 1) fk' = s ( f K 2, f K ' @ B ', 0 ) fks = s (a', fk'@bg, 0 ) fk3 = s ( a 3, fk2@b3, 1) 2.3 Function f f (a, B ) is shortened to f. f = ( f @, f ', f z, f j) are calculated in order f' = a1 @ B~ @ as f' = a' @ B ' @ a3 f' = s (f'. f2, 1 ) f' = s (f2, f'. 0 ) fe = s (am. f', 0 ) f 3 = s ( a 3. f2. 1) 3. Key processing Let As be to the left of the key K and B E to the right, i-e.. K = (As. BE) and DO = Q. Then calculate K i ( i = 0 to 15) for r = 1 to 8, Dr Ar-I Ar = Br-1 Br = fk (Ar-t, Br-1 @ Dr-1 ) K ~ ( r - 1 ) = (Br'. Br') K Z [ ~ - I ) + =! ( B r 2, B r3)

277 where Ar, B r and Dr are auxiliary variables. 4. Enciphering and deciphering 4.1 Enciphering procedure P is separated into Le, R E of equal lengths, i.e.,p = ( La. Re). Thus, ( L a, Re) = (La, Ra) @ (Ke. K9. KIE. KII) (Le, RE) = (La, Re) @ (0. La) Then calculate r = 1 to 8 in that order, Rr = Lr-1 @ f ( R r-i. Kr-I) Lr = Rr-I Lastly, calculate: (Re, La) = (Re, La) @ (0, Ra) (Re, Le) = (Re. La) @ (Kiz, Kia, K l r, K15) Ciphertext is ( R a, La). 4.2 Decipehring procedure Ciphertext is separated into Ra. Le of equal lengths. Then. (Ra, La) = (Ra, Le) @ (K12. Ki3, K I ~, KIS) (Ra, La) = (Ra, La) @ (0, Ra) Then calculate r = 8 to 1 in that order, Lr-1 = Rr@f (Lr, Kr-I) Rr-I = Lr Lastly, calculate: (La, Re) = (La, RE) @ (@, La) ( La, RE) = (La, Re) @ (Ks. K@, Kle, KI1) Plaintext is ( La, Ra).

278 5 Parity bits If parity bits are requested in a key block, the following rule is applied. Rule: A t the begining of key processing, bit positions 8 X i of key block are set to zero where 15 i S 16. 6. Working data is shown in hexadecimal notation. 6.1 When no parity bits exist in a key block (1) Key = 01 23 45 67 89 AB CD EF (2) Extended value of the key (KO, K1, K2. K3. K4. K5, K6. K7) = DF 38 CA 36 F1 7C 1 A EC 45 A5 B9 C7 26 EB AD 25 (K8. K9, KlO. K11. K12. K13. K14. K15) = 88 2A EC B7 AC 50 9D 4C 22 CD 47 9B A8 D5 OC B5 (3) Plaintext = 00 00 00 00 00 00 00 00 (4) Ciphertext= CE EF 2C 86 F2 49 07 52 6.2 Uheo parity bits exist in a key block (1) Key = 01 23 45 67 89 AB CD EF (2) Extended value of the key (KO. K1. K2. K3, K4. K5, K6. K7) = EF 37 FE DD 04 C3 E3 1 D F3 22 B9 A0 C7 AA F6 A6 (K8. KS, KlO. K11, K12, K13, K14. KlS) = 6A 82 D3 24 F5 DC 72 76 A1 7A OC 04 B4 E7 CC 8D (3) Plaintext = 00 00 00 00 00 00 00 00 (4) Ciphertext= 66 72 2D 1C 46 B3 93 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback