26 research outputs found
On some subgroups of the Burnside group B0(2, 5)
Let B0(2, 5) = ⟨x, y⟩ be the largest finite two-generator Burnside group of exponent five; its order is 5^34. We study a series of subgroups H_i = ⟨a_i, b_i⟩ of the group B0(2, 5), where a_0 = x, b_0 = y, a_i = a_{i-1} b_{i-1} and b_i = b_{i-1} a_{i-1} for i ∈ ℕ. It has been found that H_4 is a commutative (abelian) group. Therefore H_5 is a cyclic group and the series of subgroups terminates. The elements a_4 = xy^2xyx^2y^2x^2yxy^2x and b_4 = yx^2yxy^2x^2y^2xyx^2y of length 16 generate an abelian subgroup of order 25 in B0(2, 5). Using computer calculations, we have found that there is no other pair of group words of length less than 16 that generates a noncyclic abelian subgroup in B0(2, 5).
Heuristic algorithm for obtaining permutations with given cryptographic properties using a generalized construction
The possibility of constructing, by means of a generalized construction, permutations with given cryptographic characteristics that make encryption algorithms resistant to linear and differential cryptanalysis is investigated. A heuristic algorithm is proposed for searching for the parameters of the generalized construction, obtained by multiplication by transpositions. It uses ideas from genetic algorithms and from the spectral-linear and spectral-difference methods. Ways of optimizing the computation of the cryptographic characteristics at each iteration of the algorithm are studied. Experiments on the practically most interesting case of 8-bit permutations showed that 6-uniform permutations with nonlinearity 108 can be constructed.
On a heuristic approach to constructing bijective vector Boolean functions with given cryptographic characteristics
Bijective vector Boolean functions (permutations) are used as nonlinear primitives of many symmetric ciphers. In this paper, we study a generalized construction of (2m, 2m)-functions using monomial and arbitrary m-bit permutations as constituent elements. A heuristic algorithm for obtaining bijective Boolean functions with given nonlinearity and differential uniformity, based on this construction, is proposed. For this, a search is carried out for auxiliary permutations of a lower dimension using the ideas of the spectral-linear and spectral-difference methods. The proposed algorithm consists of iteratively multiplying the initial randomly generated 4-bit permutations by transpositions and selecting, among the obtained 8-bit permutations, the best ones in terms of nonlinearity, differential uniformity, and the corresponding values in the linear and differential spectra. The possibility of optimizing the calculation of cryptographic properties at each iteration of the algorithm is investigated; 8-bit 6-uniform permutations with nonlinearity 108 are experimentally obtained.
Correlations Between (Nonlinear) Combiners of Input and Output of Random Functions and Permutations
Linear cryptanalysis considers correlations between linear input and output combiners for block ciphers and stream ciphers. Daemen and Rijmen (2007) had obtained the distributions of the correlations between linear input and output combiners of uniform random functions and uniform random permutations. The present work generalises these results to obtain the distributions of the correlations between arbitrary input and output combiners of uniform random functions and uniform random permutations.
Linear and differential cryptanalysis of small-sized random (n, m)-S-boxes
S-boxes are used in cryptography in order to provide non-linearity in the design of cryptographic primitives such as block ciphers and hash functions. Some cryptographic primitives use bijective S-boxes, as in the Advanced Encryption Standard (AES), and others use surjective S-boxes, as in the Data Encryption Standard (DES). That is, S-boxes can have inputs and outputs of the same length, as in the (8, 8)-S-box of AES, or alternatively the input length can be larger than the output, as in the (6, 4)-S-boxes of DES. In this paper, we perform a statistical study of linear and differential properties of randomly generated (n, m)-S-boxes, where m ≤ n. We show that certain S-boxes with well-behaved linear and differential properties can be feasibly obtained via random search. We show further that certain types of S-boxes with specific desirable linear and differential properties are improbable.
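As an added example (not code from any of the papers listed here), the following Python script computes the two S-box properties that the three entries above, on the heuristic construction of 8-bit permutations and on random (n, m)-S-boxes, are built around: nonlinearity from the Walsh spectrum of every non-zero output combiner, and differential uniformity from the difference distribution table. It rebuilds the AES S-box from its standard definition (inverse in GF(2^8) followed by the affine map) to have a reference with known values (nonlinearity 112, differential uniformity 4), contrasts it with the identity map, and samples uniformly random 8-bit permutations as a plain stand-in for the random search in the last abstract; that search is a simple shuffle, an assumption of this example, not the authors' heuristic or genetic algorithm.

```python
"""Nonlinearity and differential uniformity of an (n, n)-S-box.

Added example, not code from any paper on this page. The AES S-box is
rebuilt from its textbook definition so the script runs offline; the
random search is a uniform shuffle, not the papers' heuristic searches.
"""
import random


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 in GF(2^8); 0 maps to 0 as in AES."""
    r, p = 1, a
    for _ in range(7):           # accumulate a^2 * a^4 * ... * a^128
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r


def aes_sbox() -> list:
    """AES S-box: field inverse, then the affine map b ^ rotl(b,1..4) ^ 0x63."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


def walsh_spectrum(truth_table: list) -> list:
    """Fast Walsh-Hadamard transform of (-1)^f; entry a is sum_x (-1)^(f(x) ^ a.x)."""
    w = [1 - 2 * v for v in truth_table]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(sbox: list) -> int:
    """2^(n-1) - max|W|/2 over all non-zero output masks b and all input masks a."""
    n = len(sbox).bit_length() - 1
    peak = 0
    for b in range(1, len(sbox)):
        component = [bin(b & y).count("1") & 1 for y in sbox]   # b . S(x)
        peak = max(peak, max(abs(w) for w in walsh_spectrum(component)))
    return (1 << (n - 1)) - peak // 2


def differential_uniformity(sbox: list) -> int:
    """Largest DDT entry: max over dx != 0 of #{x : S(x) ^ S(x ^ dx) = dy}."""
    size = len(sbox)
    worst = 0
    for dx in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst


def random_search(trials: int, seed: int = 1) -> tuple:
    """Best (nonlinearity, uniformity) among uniformly random 8-bit permutations."""
    rng = random.Random(seed)
    best = None
    for _ in range(trials):
        perm = list(range(256))
        rng.shuffle(perm)              # constructed sample: plain uniform shuffle
        props = (nonlinearity(perm), differential_uniformity(perm))
        if best is None or props[0] > best[0] or (props[0] == best[0] and props[1] < best[1]):
            best = props
    return best


if __name__ == "__main__":
    for name, box in [("AES", aes_sbox()), ("identity", list(range(256)))]:
        print(name, nonlinearity(box), differential_uniformity(box))
    print("best of 4 random 8-bit permutations:", random_search(4))
```

Run it as a script to print the figures; the Walsh loop dominates the cost (2^n - 1 output masks, each a transform of 2^n · n operations), so larger random samples take proportionally longer.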
Another Look at Key Randomisation Hypotheses
In the context of linear cryptanalysis of block ciphers, let (resp. ) be the probability that a particular linear approximation holds for the right (resp. a wrong) key choice. The standard right key randomisation hypothesis states that is a constant and the standard wrong key randomisation hypothesis states that . Using these hypotheses, the success probability of the attack can be expressed in terms of the data complexity . The resulting expression for is a monotone increasing function of .
Building on earlier work by Daemen and Rijmen (2007), Bogdanov and Tischhauser (2014) argued that should be considered to be a random variable. They postulated the adjusted wrong key randomisation hypothesis, which states that follows a normal distribution. A non-intuitive consequence was that the resulting expression for is no longer a monotone increasing function of . A later work by Blondeau and Nyberg (2017) argued that should also be considered to be a random variable, and they postulated the adjusted right key randomisation hypothesis, which states that follows a normal distribution.
In this work, we revisit the key randomisation hypotheses. While the argument that and should be considered to be random variables is indeed valid, we consider the modelling of their distributions by normal distributions to be inappropriate. Being probabilities, the support of the distributions of and should be subsets of , which does not hold for normal distributions. We show that if and follow any distributions with supports which are subsets of , and and , then the expression for that is obtained is exactly the same as the one obtained using the standard key randomisation hypotheses. Consequently, is a monotone increasing function of even when and are considered to be random variables.
Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers
Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on bits, an algorithm of complexity is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.
Security of the AES with a Secret S-box
How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral cryptanalysis which allow recovery of both the secret key and the secret S-box for four, five, and six rounds of the AES, respectively. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient, with time/data complexities of , and , respectively.
Another interesting aspect of our attack is that it works both as a chosen-plaintext and as a chosen-ciphertext attack. Surprisingly, the chosen-ciphertext variant has a significantly lower time complexity in the attacks on four and five rounds, compared to the respective chosen-plaintext attacks.
HARPOCRATES: An Approach Towards Efficient Encryption of Data-at-rest
This paper proposes a new block cipher called HARPOCRATES, which is different from traditional SPN, Feistel, or ARX designs. The new design structure that we use is called the substitution convolution network. The novelty of the approach lies in that the substitution function does not use fixed S-boxes. Instead, it uses a key-driven lookup table storing a permutation of all 8-bit values. If the lookup table is sufficiently randomly shuffled, the round sub-operations achieve good confusion and diffusion in the cipher. While designing the cipher, security, cost, and performance are balanced, keeping the requirements of encryption of data-at-rest in mind. The round sub-operations are massively parallelizable and designed such that a single active bit may make the entire state (an 8 × 16 binary matrix) active in one round. We analyze the security of the cipher against linear, differential, and impossible differential cryptanalysis. The cipher's resistance against many other attacks, such as algebraic attacks, structural attacks, and weak keys, is also shown. We implemented the cipher in software and hardware and found that the software implementation of the cipher results in better throughput than many well-known ciphers. Although HARPOCRATES is appropriate for the encryption of data-at-rest, it is also well-suited to data-in-transit environments.