CA2299538C - Apparatus and method for evaluating randomness of functions, random function generating apparatus and method, and recording medium having recorded thereon programs for implementing the methods. - Google Patents
Apparatus and method for evaluating randomness of functions, random function generating apparatus and method, and recording medium having recorded thereon programs for implementing the methods. Download PDFInfo
- Publication number
- CA2299538C CA2299538C CA002299538A CA2299538A CA2299538C CA 2299538 C CA2299538 C CA 2299538C CA 002299538 A CA002299538 A CA 002299538A CA 2299538 A CA2299538 A CA 2299538A CA 2299538 C CA2299538 C CA 2299538C
- Authority
- CA
- Canada
- Prior art keywords
- function
- resistance
- cryptanalysis
- evaluating
- input
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
- H04L9/0656—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
- H04L9/0662—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
- H04L2209/046—Masking or blinding of operations, operands or results of the operations
Abstract
In the evaluation of the randomness of an S-box, measures of resistance to higher order cryptanalysis, interpolation cryptanalysis, partitioning cryptanalysis and differential-linear cryptanalysis and necessa ry conditions for those measures to have resistance to each cryptanalysis are set, then for functions as candidates for the S-box, it is evaluated whether one or all of the conditions are satisfied, and those of the candidate functions fo r which one or all of the conditions are satisfied are selected as required. I t is also possible to further evaluate the resistance of such selected functio ns to at least one of differential cryptanalysis and linear cryptanalysis and select those of the candidate functions which are resistant to at least one of the cryptanalyses as required.
Description
APPARATUS AND METHOD FOR EVALUATING RANDOMNESS OF
FUNCTIONS, RANDOM FUNCTION GENERATING .APPARATUS AND
METHOD, AND RECORDING MEDIUM HAVING RECORDED
THEREON PROGRAMS FOR IMPLEMENTING THF; METHODS
TECHNICAL FIELD
The present invention relates to an apparatus and method which are applied, for example, to a cryptographic device to evaluate whether candidate functions satisfy several randomness criteria so as to obtain functions that generate randomly an output from the input and hence make the analysis of its operation difficult; the invention also pertains to an apparatus and method for generating random functions evaluated to satisfy the randomness criteria, and a recording medium having recorded thereon programs for implementing these methods.
PRIOR ART
Cryptographic techniques are effective in concealing data. Encryption schemes fall into a secret-key cryptosystem and a public-key cryptosystem. In general, the public-key cryptosystem is more advanced in the research of security proving techniques than secret-key cryptosystem, and hence it can be used with the limit of security in mind. On the other hand, since security proving techniques have not been established completely for the secret-key cryptosystem, it is necessary to individually deal with cryptanalytic methods when they are found.
To construct fast and secure secret-key cryptography, there has been proposed a block cipher scheme that divides data into blocks of a suitable length and enciphers each block. Usually, the block cipher is made secure by applying a cryptographically not so strong function to the plaintext a plurality of times. The cryptographically not so strong function is called an F-function.
FUNCTIONS, RANDOM FUNCTION GENERATING .APPARATUS AND
METHOD, AND RECORDING MEDIUM HAVING RECORDED
THEREON PROGRAMS FOR IMPLEMENTING THF; METHODS
TECHNICAL FIELD
The present invention relates to an apparatus and method which are applied, for example, to a cryptographic device to evaluate whether candidate functions satisfy several randomness criteria so as to obtain functions that generate randomly an output from the input and hence make the analysis of its operation difficult; the invention also pertains to an apparatus and method for generating random functions evaluated to satisfy the randomness criteria, and a recording medium having recorded thereon programs for implementing these methods.
PRIOR ART
Cryptographic techniques are effective in concealing data. Encryption schemes fall into a secret-key cryptosystem and a public-key cryptosystem. In general, the public-key cryptosystem is more advanced in the research of security proving techniques than secret-key cryptosystem, and hence it can be used with the limit of security in mind. On the other hand, since security proving techniques have not been established completely for the secret-key cryptosystem, it is necessary to individually deal with cryptanalytic methods when they are found.
To construct fast and secure secret-key cryptography, there has been proposed a block cipher scheme that divides data into blocks of a suitable length and enciphers each block. Usually, the block cipher is made secure by applying a cryptographically not so strong function to the plaintext a plurality of times. The cryptographically not so strong function is called an F-function.
It is customary in the art to use, as an element of the F-function, a random function, called an S-box, which generates randomly an output from the input thereto, making it difficult to analyze its operation. With the S-box that has the random function capability of providing a unique input/output relationship, it is possible to achieve constant and fast output generation irrespective of the complexity of the random function operation itself, by implementing the S-box in a ROM where the output data associated with the input data are memorized as a table. Since the S-box was adopted typically in DES (Data Encryption Standard), its security and design strategy have been studied. Conventionally, the security criterion assumed in the design of the S-box is only such that each bit of encrypted data, for instance, would be a 0 or 1 with a statistical probability of 50 percent-this is insufficient as the theoretical criterion for the security of block ciphers.
In actual fact, cryptanalysis methods for block ciphers that meet the above-mentioned criterion have been proposed: a differential cryptanalysis in literature "E. Biham, A. Shamir, 'Differential Cryptanalysis of DES-like cryptosystems,' Journal of Cryptology, Vol. 4, No. 1, pp. 3-'72" and a linear cryptanalysis in literature "M. Matsui, 'Linear Cryptanalysis Method for DES
Ciphers,' Advances in Cryptology-EUROCRYPT' 93 (Lecture Notes in Computer Science 765), pp. 386-397, Springer-Verlag, 1994." It has been found that many block ciphers can be cryptanalyzed by these methods; hence, it is now necessary to review the criteria for security.
After the proposal of the differential and linear cryptanalysis methods the block ciphers have been required to be secure against them.
In actual fact, cryptanalysis methods for block ciphers that meet the above-mentioned criterion have been proposed: a differential cryptanalysis in literature "E. Biham, A. Shamir, 'Differential Cryptanalysis of DES-like cryptosystems,' Journal of Cryptology, Vol. 4, No. 1, pp. 3-'72" and a linear cryptanalysis in literature "M. Matsui, 'Linear Cryptanalysis Method for DES
Ciphers,' Advances in Cryptology-EUROCRYPT' 93 (Lecture Notes in Computer Science 765), pp. 386-397, Springer-Verlag, 1994." It has been found that many block ciphers can be cryptanalyzed by these methods; hence, it is now necessary to review the criteria for security.
After the proposal of the differential and linear cryptanalysis methods the block ciphers have been required to be secure against them.
To meet the requirement, there have been proposed, as measures indicating the security against the cryptanalysis methods, a maximum average differential probability and a maximum average linear probability in literature "M. Matsui, 'New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptarialysis,' D. Gollmann, editor, Fast Software Encryption, Third International Workshop, Cambridge, UK, February 1996, Proceedings, Vol. 1039 of Lecture Notes in Computer Science, pp. 205-218, Springer-Verlag, Berlin, Heidelberg, New York, 1996." It is indicated that the smaller the measures, the higher the security against the respective cryptanalysis.
Moreover, it has recently been pointed out that even ciphers secure against the differential and the linear cryptanalysis are cryptanalyzed by other cryptanalysis methods, and consequently, the criterion for security needs a further reappraisal. More specifically, in literature "T. Jackson, L.
R. Knudsen, 'The Interpolation Attack on Block Ciphers,' Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1276), pp. 28-40, Springer-Verlag, 1997," it is described that some ciphers, even if secure against the differential and the linear cryptanalysis, are cryptanalyzed by a higher order differential attack or interpolation attack.
Other than the higher order differential attack and interpolation attack, a partitioning cryptanalysis generalized from the linear cryptanalysis is introduced in literature "C. Harpes, J. L. Massey, 'Partitioning Cryptanalysis, 'Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1267), pp. 13-27, Springer-Verlag, 1997," and hence it is necessary to provide ciphers with sufficient security against this cryptanalysis.
The technology to ensure the security against the differential and the linear cryptanalysis has been established for the construction of some block ciphers, while as of this point in time no technology has been established yet which guarantees perfect security against the higher order differential attack, the interpolation attack and the partitioning attack. In other words, there have not been clarified necessary and sufficient conditions that random functions, i.e.
the so-called S-boxes, need to satisfy so as to make ciphers invulnerable to these attacks.
In designing the S-boxes it is an important issue to provide sufficient security against these attacks. The attacks on block ciphers often the S-boxes utilize any imbalances in their input/output relationships of S-boxes.
Accordingly, to design an S-box resistant to an attack is to design an S-box that has little unbalanced, that is, random input/output relationship. Hence, to evaluate the resistance of the S-box to an attack is equivalent to the evaluation of its randomness.
It is therefore an object of the present invention to find out a criterion closely related to the level of security against each of the above-mentioned attacks, to show the criterion representing a necessary condition to be met for providing the resistance to the attack (not a necessary and sufficient condition for guaranteeing the security against the attack), and to provide a function randomness evaluating apparatus and method which evaluate the randomness of the function concerned according to the criterion, and a recording medium having recorded thereon the method as a program. Another object of the present invention is to provide an apparatus and method for generating random functions that satisfy the security criteria, and a recording medium having recorded thereon the method as a program.
In accordance with one aspect of the present invention there is provided a function randomness evaluating apparatus comprising: input means for inputting 4a digital signals representing candidate functions S(x) of S-bo:x to be evaluated, input difference values Ox and output mask values ry, and storing them in storage means; differential-linear-cryptanalysis resistance evaluating means for:
counting, for all sets of input difference value Ox and output mask value ry of each of the functions S(x) read out of the storage means, a number of input values x for which the inner product of (S(x)+S(x+~x)) and said output mask value ry is 1; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and output means for outputting an output digital signal representing an evaluation result.
In accordance with another aspect of the present invention there is provided a random function generating apparatus comprising: input means for inputting digital signals representing parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means;
candidate function generating means for generating candidate functions each formed by a combination of said plurality of functions of different algebraic structures based on said plurality of parameters read out of the storage means;
resistance evaluating means for evaluating resistance of each of said candidate functions to a cryptanalysis; selecting means for selecting those of said resistance-evaluated candidate functions which have highly .resistant to said cryptanalysis and outputting digital signals representing selected ones of said resistance-evaluated candidate functions, wherein one of said plurality of functions of different algebraic structures is resistant to each of differential cryptanalysis and linear cryptanalysis.
In accordance with yet another aspect of the present invention there is provided a method for evaluating the randomness of the input/output relationship of a function, said method comprising: inputting digital signals representing candidate functions S(x) of S-box to be evaluated, input difference values Ox and output mask values ry, and storing them in storage means; a differential-linear 4b cryptanalysis resistance evaluating step of counting, for every set of input difference value Ox and output mask value ry of each of the functions S(x) read out of the storage means, a number of input values x for which an inner product of (S(x)+S(x+0x)) and said output mask value ry is l ; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and outputting an output digital signal representing an evaluation result.
In accordance with still yet another aspect of the present invention there is provided a random function generating method comprising the steps of (o) inputting digital signals representing input difference values Ox, output mask values ry and parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means; (a) setting various input values read out of the storage means for each of candidate functions S(x) of S-box and calculating output values corresponding to said v<~rious input values x;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis; and wherein said step (c) comprising: (c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
(c-2) a differential-linear cryptanalysis resistance evaluating step of calculating, for every set of input difference value 0x and output mask value ry of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+0x)) and said output mask value ry is 1; evaluating resistance of said function to differential-linear cryptanalysis based on the result of said 4c calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others; (c-3) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y a.s y = fk(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
In accordance with still yet another aspect of the present invention there is provided a computer-readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of the method for generating a random function, said method comprising the steps of: (a) setting various values as each parameter for candidate functions S(x) of S-box function and calculating output values corresponding to various input values;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis; and wherein said Step (c) comprising: (c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the 4d degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others; (c-2) a differential-linear cryptanalysis resistance evaluating step of: calculating, for every set of input difference value 0x and output mask value ry of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+~x)) and said output mask value ry is 1; evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others; (c-3) a partitioning-cryptanalysis resistance evaluating step of dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of expressing an output value y as y = fk(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
4e In accordance with still yet another aspect of the present invention there is provided a computer readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of the method for evaluating randomness of the input/output relationship of a function, said program comprising: (a) a differential-linear cryptanalysis resistance evaluating step of calculating, for every set of input difference value ~x and output mask value ry of a function S(x) to be evaluated, a number of input values x for which the inner product of (S(x)+S(x+Ox)) and said output mask value ry is l; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation.
The function randomness evaluating apparatus and method according to exemplary aspects of the present invention execute at least one of the processes of:
calculating the minimum value of the degree of a Boolean polynomial regarding the input by which each output bit of the function to be evaluated is expressed, and evaluating the resistance of the function to higher order differential cryptanalysis accordingly;
when fixing a key y and letting x denote the input, expressing an output y by y = fk(x) using a polynomial over the Galois field which is composed of elements equal to a prime p or a power of the prime p, then calculating the number of terms of the polynomial, and evaluating the resistance of the function to interpolation cryptanalysis accordingly;
dividing all inputs of the function to be evaluated and the corresponding outputs into input subsets and output subsets, then calculating an imbalance of the relationship between the subset of an input and the subset of the corresponding output with respect to their average corresponding relationship, and evaluating the resistance of the function to partitioning cryptanalysis accordingly; and calculating, for every set of input difference 0x and output mask value ry of the function S(x) to be evaluated, the number of inputs x for which the inner product of (S(x)+S(x+~x)) and the output mask value ry is l, and evaluating the resistance of the function to differential-linear cryptanalysis accordingly.
The random function generating apparatus and method according to an exemplary aspect of the present invention generate candidate functions each formed by a plurality of functions of different algebraic structures and having a plurality of parameters, evaluates the resistance of each candidate function to cryptanalysis, and select candidate functions of higher resistance to the cryptanalysis.
-s-BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a block diagram illustrating an example of the functional configuration of each of the random function generating apparatus and the function randomness evaluating apparatus according to the present invention.
Fig. 2 is a block diagram depicting an example of the basic configuration of the random function generating apparatus according to the present invention.
Fig. 3 is a flowchart showing an example of a procedure of an embodiment of the random function generating apparatus according to the present invention.
BEST MODE FOF CARRYING OUT THE INVENTION
Embodiment according to a first aspect of the present invention In Fig. 1 there is depicted the functional configuration of an embodiment of each of the random function generating apparatus and the function randomness evaluating apparatus according to the present invention.
An input part 11 inputs therethrough data and a parameter that are needed to , generate a candidate function in a candidate function generating part 12.
The candidate function generating part 2 generates a candidate function based on the input provided through the input part 11, and provides its parameter value, the input value and the calculation result (an output value) to a storage part 13. Various pieces of data thus stored in the storage part 13 are read out therefrom and fed to a differential-cryptanalysis resistance evaluating part 14a, a linear-cryptanalysis resistance evaluating part 14b, a higher-order-differential-attack resistance evaluating part 14c, an interpolation-attack resistance evaluating part 14d, a partitioning-attack _7_ resistance evaluating part 14e, a differential-linear-attack resistance evaluating part 14f, and a criteria evaluating part 14g for evaluating other criteria. Based on the results of evaluations made in the respective evaluating parts, candidate functions of high resistance to the attacks are selected in a function select part 15 and stored in a storage part 16, from which a required one of the candidate functions is read out and provided to the outside via an output part 17.
In the function randomness evaluating apparatus according to the present invention, the functions to be evaluated are provided via the input part 11 to the respective evaluating parts 14a to 14g for the evaluation of their randomness.
A description will be given below of security criteria for the differential cryptanalysis, the linear cryptanalysis, the higher order differential attack, the interpolation attack, the partitioning attack and the differential-linear attack and of necessary conditions for the security criteria to have resistance to the respective attacks. In the following description, let n and m be arbitrary natural numbers and consider, as the S-box (a random function), a function S of an n-bit input and an m-bit output:
GF(2)" --> GF(2)m. GF(2)° represents a set of all n-bit data.
(a) Necessary Condition for Resistance to Differential Cryptanalysis A description will be given below of a criterion for differential cryptanalysis is defined as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to differential cryptanalysis. In the differential cryptanalysis method, an observation is made of the difference between outputs (an output difference value) of the S-box corresponding to the difference between its two inputs (an input difference value), and if a large imbalance is found between them, it can be used to cryptanalyze the whole cipher.
Letting the input value to the S-box be represented by x, the difference value between the two inputs by Ox, the difference value of the two outputs corresponding to the two inputs by 0y, the function of the S-box by S and the output y from the S-box for the input thereto by y=S(x), let ~S(tlx,~y) be the number of those values x of all n-bit input values x which satisfy the following equation ( 1 ) for an arbitrary input difference value Ox and an arbitrary output difference value Dy.
S(x) + S(x+Ox) _ ~Y (1) where "+" is usually defined by the exclusive OR (XOR) for each bit. As described in literature "X. Lai, J. M. Massey, and S. Murphy, 'Markov Ciphers and Differential Cryptanalysis,' In D. W. Davies, editor, Advances in Cryptology-EUROCRYPT '91, Volume 547 of Lecture Notes in Computer Science, pp. 17-38, Springer-Verlag, Berlin, Heidelberg, New York, 1991," the difference operation can be substituted with an arbitrary binary operation that provides a general inverse; the differential cryptanalysis method mentioned herein includes them. The differential cryptanalysis utilizes an imbalance in the relationship between the operation results on two arbitrary inputs and the two outputs corresponding thereto.
The number 8s (~x,Dy) of inputs x that satisfy Eq. ( 1 ) for a given pair of Ox and Dy is expressed by the following equation (2):
8s(Ox,t~y)=#{xsGF(2)° I S(x) + S(x + 0x) = Dy} (2) where #{x I conditional equation} represents the number of inputs x that satisfy the conditional equation. The number 8s(Ox,Dy) of inputs x can be calculated from Eq. (2) for all pieces of n-bit data Ox as the input difference value, except 0, and all pieces of m-bit data Dy as the output difference value. A combination of Ox and Dy that maximizes the above-said number constitutes a vulnerability to the differential cryptanalysis--this means that the smaller the maximum value of 8S (Ax, ey), the higher the resistance to differential cryptanalysis. Therefore, it is the necessary condition for the resistance to differential cryptanalysis that the criterion for differential cryptanalysis, es , given by the following equation (3) is small.
es = max 8S (Ax, ~y) (3) Eq. (3) indicates selecting that one of all the combinations of ex ~ 0 and ey which provides the maximum value of 8S and using it as the value of es .
(b) Necessary Condition for Resistance to Linear Cryptanalysis A description will be given below of the definition of a criterion for linear cryptanalysis as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to linear cryptanalysis.
In the linear cryptanalysis method, an observation is made of an arbitrary exclusive OR between the input and output values of the S-box, and if a large imbalance is found between them, it can be used to cryptanalyze the whole cipher.
Letting the input to the S-box be represented by x, an input mask value by r x and an output mask value by r y, ~,S (rx, ry) defined by the following equation (4) can be calculated for a certain input mask value r x and a certain output mask value r y.
as(rx,ry)=I~#~E(2)°~x~rx=s(x)~ry}-an~
where "~ " is usually defined by the inner product. x ~ rx means summing-up of all only those bit values in the input x which correspond to "1s" in the mask value t x, ignoring the bit values corresponding to "Os". That is, x ~ rx = fix, (where ~ is the sum total of i-th bits in r x which are "1 s"), ' 10-where x=(xn_l, ... , xo). The same is true of y ~ Ty . Accordingly, Eq. (4) expresses the absolute value of a value obtained by subtracting 2" from the double of the number of those of all (2°) n-bit inputs x which satisfy x ~ T x=S(x) ~ T y for given sets of mask values ( T x, T y).
From Eq. (4) ~,s (Tx, Ty) can be calculated for all sets of n-bit data T x as the input mask value and m-bit data T y as the output mask value, except 0. A combination of T x and T y that maximizes ~.S (Tx, Ty) constitutes a vulnerability to the linear cryptanalysis--this means that the smaller the maximum value of ~,S (Tx, Ty) , the higher the resistance to linear cryptanalysis. Therefore, it is the necessary condition for the resistance to linear cryptanalysis that the criterion for linear cryptanalysis, ns , given by the following equation (5) is small.
ns = maxas (rx,ry) (5) Eq. (5) indicates selecting that one of all the combinations of T x and T y ~ 0 which provides the maximum value of ~.s (Tx,Ty) and setting as the value of ns .
(c) Necessary Condition for Resistance to Higher Order Differential Attack A description will be given below of the definition of a criterion for higher order differential attack as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to higher order differential attack.
The higher order differential attack utilizes the fact that the computation of a higher order differential the intermediate output in the course of encryption with respect to the input provides a key-independent constant. An arbitrary bit of arbitrary intermediate data during encryption can be expressed by a Boolean polynomial regarding the input. For instance, a bit y~ of certain intermediate data can be expressed by a Boolean polynomial regarding an N-bit input x as follows:
y~ = Xo+X1X3+XpXZX3+ ... +X1X4XSX6 ... XN
When the degree of the Boolean polynomial is d, the calculation of the (d+1)-th order differential (for instance, XOR of 2d+i outputs) results in providing a key-independent constant; attacks on ciphers of low-degree Boolean polymers are reported in the afore-mentioned literature. "The Interpolation Attack on Block Ciphers" by T. Jackson and L.R. Knudsen.
With a low-degree Boolean polynomial representation of an F-function, an insufficient number of iterations of the F-function will not raise the degree of the Boolean representation of the whole cipher, increasing the risk of the cipher being cryptanalyzed. Hence, a necessary condition for making the cipher secure against higher order differential attack without increasing the number of iterations of the F-function is that the degree of the Boolean polynomial representation of the S-box as a component of the F-function is also high.
For S-box S: GF(2)"~GF(2)"' ; x~-->S(x), set y = S(x), (7a) x = (x"_1, x"_z, ..., xo) E GF(2)", (7b) y = (y",_1, Ym-2~ ..., Yo) E GF(2)"' (7c) And a set of variables X = {x"_1, x"-z, ..., xo} is defined. At this time, a Boolean function y; = S;(x) is defined as follows:
S; : GF(2)"-~GF(2); xl-~S;(x) (8) Let degXS; denote the degree of the Boolean function S; (0<_ i <_ m-1 ) regarding the variable set X. Let the minimum value of degXS; (0<_ i <_m-1) be represented by degxS, which is the criterion for higher order differential attack.
degxS = min(degxS;) (9) where min is conditioned by 0 s i s m-1.
A necessary condition that the S-box needs to satisfy to provide security against higher order differential attack is that degxS has a large value: It is known that when S is bijective (i.e. the input/output relationship can be determined uniquely in both directions), the maximum value of degxS is n-1.
(d) Necessary Condition for Resistance to Interpolation Attack A description will be given below of the definition of a criterion for interpolation attack as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to interpolation attack.
The principle of interpolation attack is as follows: With a key k fixed, a ciphertext y can be expressed, for example, by the following equation using a polynomial fk(x) over GF(q) regarding a plaintext X.
y = fk(X) - Cq_lXq 1 ~- Cq_2Xq 2 -E- ... ~- GXl + ... -fClX1 + COXO (10) where q is a prime or its power. When the number of terms of non-zero coefficients contained in the polynomial fk(x) with respect to x is c, the polynomial fk(x) can be constructed as by the Lagrange interpolation theorem if c different sets of plaintexts and the corresponding sets of ciphertexts (x;, y;) (where i = 1, ... , c) are given. By this, a ciphertext corresponding a desired plaintext x can be obtained.
The larger the number of terms contained in the polynomial fk(x), the larger the number of sets of plaintexts and ciphertexts necessary for interpolation attack using the polynomial representation fk(x) over GF(q), and the attack becomes difficult accordingly or becomes impossible.
When the number of terms contained in the polynomial representation over GF(q) of the S-box is small, there is a possibility that the number of terms contained in the polynomial of the whole cipher over GF(q) decreases. Of course, even if the number of terms contained in the polynomial over GF(q) of the S-box is large, care should be taken in the construction of the whole cipher to avoid that the terms cancel out each other, resulting in a decrease in the number of terms contained in the polynomial over GF(q) of the whole cipher; however, this concerns encryption technology, and as the criterion of the S-box for interpolation attack, it is a necessary condition for the resistance to interpolation attack that the number of terms contained in the polynomial representation over GF(q) is large. Let the number of terms contained in the polynomial representation over GF(q) of the function S of the S-box be represented by coeffqS, which is used as the criterion for interpolation attack using the polynomial representation over GF(q).
Since the interpolation attack exists by the number of possible qs, it is desirable to calculate the number of terms coeffqS in as many polynomials over GF(q) as possible and make sure that they do not take small values.
(e) Necessary Condition for Resistance to Partitioning Cryptanalysis A description will be given below of the deEnition of a criterion for partitioning cryptanalysis as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for providing the resistance to partitioning cryptanalysis. In partitioning cryptanalysis, an observation is made of some measure which holds for a certain subset of the whole plaintext set and a certain subset of the whole ciphertext set, and if a large imbalance is found in the measure, then it can be used to cryptanalyze the whole cipher. As "some measure I" there are mentioned a peak imbalance and a squared Euclidean imbalance in literature "C. Harpes, J. L. Massey, 'Partitioning Cryptanalysis,' Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1267), pp. 13-27, Springer-Verlag, 1997."
In literature "Takeshi Hamada, Takafumi Yokoyama, Tohru Shimada, Toshinobu Kaneko, 'On partitioning cryptanalysis of DES,' Proc. in 1998 Symposium on Cryptography and Information Security (SCIS'98-2.2.A)," it is reported that an attack on the whole cipher succeeded through utilization of imbalance observed in input and output sets of the S-box of the DES
cipher--this indicates that the criterion for partitioning cryptanalysis similarly defined for the input and output sets of the S-box is a necessary condition for the whole cipher to be secure against partitioning cryptanalysis.
Let a divided subsets of the whole set of S-box inputs be represented by F~, Fl, ... , F"_1 and v divided subsets of the whole set of S-box outputs by Go, Gl, ... , G,,_i. Suppose that all the subsets contain an equal number of elements. A function f for mapping the input x on the subscript {0, 1, ... , u-1} of each subset will hereinafter be referred to as an input partitioning function and a function g for mapping the output y on the subscript {0, 1, ...
, v-1} of each subset as an output partitioning function. That is, the function f indicates the input subset to which the input x belongs, and the function g indicates the output subset to which the output y belongs. Let partitions F
and G be defined by F = {Fo, Fl, ..., F"_1}, G = {Go, Gl, ..., G~_1}.
Then, an imbalance I$(F, G) of an S-box partition pair (F, G) is given by the following equation (11).
I
IS(F, G) = a ~1(g(s(xyF(x) = i) (11) Expressing I(g(S(x))~F(x)=i on the right-hand side of Eq. (11) by I(V), this is the afore-mentioned "Measure L" According to the afore-mentioned literature by C. Harpes et al., in the case of using the peak imbalance as this measure, it is expressed as follows:
Ip(~ = VV 1 maxpw ~ ~~- v (12) In the case of using the squared Euclidean imbalance as this measure, it is expressed as follows:
y ~_i _1 a IE(V ) = v _ 1 ~ ~p[V ~ j) _ v ) (13) P[V=jJ represents the probability that the whole output y corresponding to the whole input x of an i-th (i=0, ... , u-1) input group F; assigned to an output group G~ (j=0, ... , v-1), and the sum total of probabilities of the assignment to respective output groups is 1. For example, if k~ outputs of the whole output y (k; outputs) corresponding to the whole input x (assumed to consist of k; inputs) are assigned to the group G~, then the probability of assignment to the group G~ is k~/k;. The peak imbalance IP(V) of Eq. (12) represents a value obtained by normalizing imbalance of the maximum assignment probability relative to an average probability, and the Euclidean imbalance IE(V) of Eq. (13) represents a value obtained by normalizing a square-sum of imbalance of the assignment probability from the average one.
This measure IP or IE is applied to Eq. (11) to calculate the imbalance IS(F, G) for each partition-pair (F, G). The partition-pair varies, for instance, with the way of selecting the partitioning functions f and g. For example, the division numbers a and v are also parameters that are specified by the functions f and g.
The measure given by Eq. (11) is the criterion for the partitioning ' 16-attack on the S-box and takes a value greater than 0 and smaller than 1; it is a necessary condition for the resistance to the partitioning attack that the difference between the above value and its one-half is small. Accordingly, the S-box function is chosen which minimizes the value ~IS(F, G)-1/2~.
(f) Necessary Condition for Resistance to Differential-Linear Cryptanalysis A description will be given below of the definition of a criterion for differential-linear cryptanalysis as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for providing the resistance to differential-linear cryptanalysis.
In differential-linear cryptanalysis, an observation is made of, for example, the exclusive OR of S-box input and output difference values, and if a large imbalance is found, then it can be used to cryptanalyze the whole cipher.
Letting the S-box input, input difference value and output mask value be represented by x, a x and r y, respectively, ~ S( 0 x, t y) defined by the following equation can be calculated.
~S(ex,ry)=I2#fxEcF(a)~I~s(x)+s(x+ex)~~ry'y-2~I (14) where the operations "+" and "~ " are the same as those used in the criterion for differential cryptanalysis and the criterion for linear cryptanalysis, respectively. The maximum value ~ S given by the following equation for any one of all combinations of a x and r y in the measure ~ S( a x, r y) thus calculated is used as the criterion for differential-linear cryptanalysis.
~S i max ~s (~~rv> (15) ex~o,ry~o Since a large value of the criterion ~ S may be a weakness in differential-linear cryptanalysis, it is a necessary condition for the resistance thereto that this value is small (no marked imbalance).
Incidentally, such functions S as expressed by the following equations are used in some ciphers.
S: GF(2)"--~GF(2)": x--~x2k in GF(2") (16a) S: GF(2)"-~GF(2)": x~xZk+i iri GF(2") (16a) Letting k denote a natural number equal to or greater than n, the differential-linear attack criteria of these functions S take 2n (the maximum theoretical value). No report has been made of an example in which this property leads to a concrete cipher attack, but it is desirable that the criteria take as small a value as possible.
Next, a description will be given of an embodiment according to a second aspect of the present invention.
The resistance of the S-box to various attacks is evaluated as described above, but the generation of a highly resistant random function gives rise to an issue of how to select a group of candidate functions. The reason for this is that much complexity is needed to select functions satisfying the above-mentioned condition from an enormous number of functions.
By the way, from an example cited in literature "T. Jakobsen, L. R.
Knudsen, 'The Interpolation Attack on Block Cipher,' Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1267), pp. 28-40, Springer-Verlag, 1997," it is known that the block cipher is readily cryptanalyzed by the higher order and the interpolation cryptanalysis in the case where the S-box is formed by a function of a certain algebraic structure selected as a function resistant to the differential and the linear cryptanalysis and the whole cipher is constructed in combination with only an operation which does not destroy the algebraic structure. On the other hand, the inventors of this application have found that a composite function, which is a combination of a function resistant to the differential and the linear cryptanalysis with a function of a different algebraic structure (basic operation structure), is also resistant to other attacks in many cases.
According to the second aspect of the present invention, functions resistant to the differential and the linear cryptanalysis and functions which have algebraic structures different from those of the first-mentioned functions are combined (composition of functions, for instance) and such composite functions are selected as groups of candidate functions; the resistance to each cryptanalysis is evaluated fox each function group and functions of high resistance are chosen.
Incidentally, the way of selecting the candidate function groups in the present invention is not limited specifically to the above.
According to the second aspect of the present invention, a function (for example, a composite function), which is a combination of at least one function resistant to the differential and the linear cryptanalysis with at least one function of a different algebraic structure is selected as a candidate function group.
With this scheme, it is possible to efficiently narrow down from a small number of candidates those functions which are resistant not only to the differential and the linear cryptanalysis but also to attacks which utilize the algebraic structures of the functions used, such as the higher order differential and the :interpolation attack.
In the following embodiment according to the second aspect of the present invention, a description will be given of how to design an 8-bit I/O S-box.
Now, consider that a P-function part 21 for generating a function P(x, e) and an A-function part 22 for generating a function A(y, a, b) of an algebraic structure different from the function P(x, e) are combined as a candidate function for forming an S-box 20 as shown in Fig. 2.
S: GF(2)g-~GF(2)g; xl--~A((P(x, e)), a, b) where P(x, e) = xe in GF(2g) (17) A(y, a, b) = ay + b(mod 28) ( 18) The function P(x, e) defined by Eq. (17) is a power function to be defined over Galois Field GF(2g); this function is resistant to differential cryptanalysis and linear cryptanalysis when the parameter a is selected suitably, but it has no resistance to higher order differential, linear-differential, interpolation and partitioning attacks. On the other hand, the function A(y, a, b) defined by Eq.
(18) is constructed by a simple addition and a simple multiplication, and this function has no resistance to any of the attacks.
Here, the parameters a, b and a can freely be set to any natural numbers in the range of from 0 to 255 (i.e. 2g-1). Ofthem, the parameters a and b need to have a Hamming weight greater than 3 but smaller than 5, that is, these parameters a and b are each 8-bit and required to have three to five "1" (or "0") bits, and the S-box needs to be bijective; the parameters a, b and c are narrowed down by evaluating whether they satisfy such necessary conditions for providing security against differential cryptanalysis, linear cryptanalysis, interpolation attack and partitioning attack.
In Fig. 3 there is depicted the procedure of an embodiment of the apparatus according to the present invention. Incidentally, the invention is not limited specifically to this embodiment. There is flexibility in the way of selecting functions as candidates for the S-box. Further, the number of design criteria for the S-box is also large, and their priority and the order of narrowing down the candidates are also highly flexible.
Step S 1: In the input part 11, predetermine the range of each of the parameters a, b and a in Eqs. ( 17) and ( 18) to be greater than 0 but smaller than 2g-1, and limit the Hamming weights W,,(a) and W,,(b) of the parameters a and b to the range of from 3 to 5.
Step S2: Evaluate whether candidate functions S are bijective or not.
When the parameter a is an odd number and the parameter a is prime relative to 28-1 (which parameter is expressed by (e,255)=1), the functions S are bijective;
Moreover, it has recently been pointed out that even ciphers secure against the differential and the linear cryptanalysis are cryptanalyzed by other cryptanalysis methods, and consequently, the criterion for security needs a further reappraisal. More specifically, in literature "T. Jackson, L.
R. Knudsen, 'The Interpolation Attack on Block Ciphers,' Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1276), pp. 28-40, Springer-Verlag, 1997," it is described that some ciphers, even if secure against the differential and the linear cryptanalysis, are cryptanalyzed by a higher order differential attack or interpolation attack.
Other than the higher order differential attack and interpolation attack, a partitioning cryptanalysis generalized from the linear cryptanalysis is introduced in literature "C. Harpes, J. L. Massey, 'Partitioning Cryptanalysis, 'Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1267), pp. 13-27, Springer-Verlag, 1997," and hence it is necessary to provide ciphers with sufficient security against this cryptanalysis.
The technology to ensure the security against the differential and the linear cryptanalysis has been established for the construction of some block ciphers, while as of this point in time no technology has been established yet which guarantees perfect security against the higher order differential attack, the interpolation attack and the partitioning attack. In other words, there have not been clarified necessary and sufficient conditions that random functions, i.e.
the so-called S-boxes, need to satisfy so as to make ciphers invulnerable to these attacks.
In designing the S-boxes it is an important issue to provide sufficient security against these attacks. The attacks on block ciphers often the S-boxes utilize any imbalances in their input/output relationships of S-boxes.
Accordingly, to design an S-box resistant to an attack is to design an S-box that has little unbalanced, that is, random input/output relationship. Hence, to evaluate the resistance of the S-box to an attack is equivalent to the evaluation of its randomness.
It is therefore an object of the present invention to find out a criterion closely related to the level of security against each of the above-mentioned attacks, to show the criterion representing a necessary condition to be met for providing the resistance to the attack (not a necessary and sufficient condition for guaranteeing the security against the attack), and to provide a function randomness evaluating apparatus and method which evaluate the randomness of the function concerned according to the criterion, and a recording medium having recorded thereon the method as a program. Another object of the present invention is to provide an apparatus and method for generating random functions that satisfy the security criteria, and a recording medium having recorded thereon the method as a program.
In accordance with one aspect of the present invention there is provided a function randomness evaluating apparatus comprising: input means for inputting 4a digital signals representing candidate functions S(x) of S-bo:x to be evaluated, input difference values Ox and output mask values ry, and storing them in storage means; differential-linear-cryptanalysis resistance evaluating means for:
counting, for all sets of input difference value Ox and output mask value ry of each of the functions S(x) read out of the storage means, a number of input values x for which the inner product of (S(x)+S(x+~x)) and said output mask value ry is 1; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and output means for outputting an output digital signal representing an evaluation result.
In accordance with another aspect of the present invention there is provided a random function generating apparatus comprising: input means for inputting digital signals representing parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means;
candidate function generating means for generating candidate functions each formed by a combination of said plurality of functions of different algebraic structures based on said plurality of parameters read out of the storage means;
resistance evaluating means for evaluating resistance of each of said candidate functions to a cryptanalysis; selecting means for selecting those of said resistance-evaluated candidate functions which have highly .resistant to said cryptanalysis and outputting digital signals representing selected ones of said resistance-evaluated candidate functions, wherein one of said plurality of functions of different algebraic structures is resistant to each of differential cryptanalysis and linear cryptanalysis.
In accordance with yet another aspect of the present invention there is provided a method for evaluating the randomness of the input/output relationship of a function, said method comprising: inputting digital signals representing candidate functions S(x) of S-box to be evaluated, input difference values Ox and output mask values ry, and storing them in storage means; a differential-linear 4b cryptanalysis resistance evaluating step of counting, for every set of input difference value Ox and output mask value ry of each of the functions S(x) read out of the storage means, a number of input values x for which an inner product of (S(x)+S(x+0x)) and said output mask value ry is l ; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and outputting an output digital signal representing an evaluation result.
In accordance with still yet another aspect of the present invention there is provided a random function generating method comprising the steps of (o) inputting digital signals representing input difference values Ox, output mask values ry and parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means; (a) setting various input values read out of the storage means for each of candidate functions S(x) of S-box and calculating output values corresponding to said v<~rious input values x;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis; and wherein said step (c) comprising: (c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
(c-2) a differential-linear cryptanalysis resistance evaluating step of calculating, for every set of input difference value 0x and output mask value ry of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+0x)) and said output mask value ry is 1; evaluating resistance of said function to differential-linear cryptanalysis based on the result of said 4c calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others; (c-3) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y a.s y = fk(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
In accordance with still yet another aspect of the present invention there is provided a computer-readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of the method for generating a random function, said method comprising the steps of: (a) setting various values as each parameter for candidate functions S(x) of S-box function and calculating output values corresponding to various input values;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis; and wherein said Step (c) comprising: (c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the 4d degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others; (c-2) a differential-linear cryptanalysis resistance evaluating step of: calculating, for every set of input difference value 0x and output mask value ry of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+~x)) and said output mask value ry is 1; evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others; (c-3) a partitioning-cryptanalysis resistance evaluating step of dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of expressing an output value y as y = fk(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
4e In accordance with still yet another aspect of the present invention there is provided a computer readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of the method for evaluating randomness of the input/output relationship of a function, said program comprising: (a) a differential-linear cryptanalysis resistance evaluating step of calculating, for every set of input difference value ~x and output mask value ry of a function S(x) to be evaluated, a number of input values x for which the inner product of (S(x)+S(x+Ox)) and said output mask value ry is l; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation.
The function randomness evaluating apparatus and method according to exemplary aspects of the present invention execute at least one of the processes of:
calculating the minimum value of the degree of a Boolean polynomial regarding the input by which each output bit of the function to be evaluated is expressed, and evaluating the resistance of the function to higher order differential cryptanalysis accordingly;
when fixing a key y and letting x denote the input, expressing an output y by y = fk(x) using a polynomial over the Galois field which is composed of elements equal to a prime p or a power of the prime p, then calculating the number of terms of the polynomial, and evaluating the resistance of the function to interpolation cryptanalysis accordingly;
dividing all inputs of the function to be evaluated and the corresponding outputs into input subsets and output subsets, then calculating an imbalance of the relationship between the subset of an input and the subset of the corresponding output with respect to their average corresponding relationship, and evaluating the resistance of the function to partitioning cryptanalysis accordingly; and calculating, for every set of input difference 0x and output mask value ry of the function S(x) to be evaluated, the number of inputs x for which the inner product of (S(x)+S(x+~x)) and the output mask value ry is l, and evaluating the resistance of the function to differential-linear cryptanalysis accordingly.
The random function generating apparatus and method according to an exemplary aspect of the present invention generate candidate functions each formed by a plurality of functions of different algebraic structures and having a plurality of parameters, evaluates the resistance of each candidate function to cryptanalysis, and select candidate functions of higher resistance to the cryptanalysis.
-s-BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a block diagram illustrating an example of the functional configuration of each of the random function generating apparatus and the function randomness evaluating apparatus according to the present invention.
Fig. 2 is a block diagram depicting an example of the basic configuration of the random function generating apparatus according to the present invention.
Fig. 3 is a flowchart showing an example of a procedure of an embodiment of the random function generating apparatus according to the present invention.
BEST MODE FOF CARRYING OUT THE INVENTION
Embodiment according to a first aspect of the present invention In Fig. 1 there is depicted the functional configuration of an embodiment of each of the random function generating apparatus and the function randomness evaluating apparatus according to the present invention.
An input part 11 inputs therethrough data and a parameter that are needed to , generate a candidate function in a candidate function generating part 12.
The candidate function generating part 2 generates a candidate function based on the input provided through the input part 11, and provides its parameter value, the input value and the calculation result (an output value) to a storage part 13. Various pieces of data thus stored in the storage part 13 are read out therefrom and fed to a differential-cryptanalysis resistance evaluating part 14a, a linear-cryptanalysis resistance evaluating part 14b, a higher-order-differential-attack resistance evaluating part 14c, an interpolation-attack resistance evaluating part 14d, a partitioning-attack _7_ resistance evaluating part 14e, a differential-linear-attack resistance evaluating part 14f, and a criteria evaluating part 14g for evaluating other criteria. Based on the results of evaluations made in the respective evaluating parts, candidate functions of high resistance to the attacks are selected in a function select part 15 and stored in a storage part 16, from which a required one of the candidate functions is read out and provided to the outside via an output part 17.
In the function randomness evaluating apparatus according to the present invention, the functions to be evaluated are provided via the input part 11 to the respective evaluating parts 14a to 14g for the evaluation of their randomness.
A description will be given below of security criteria for the differential cryptanalysis, the linear cryptanalysis, the higher order differential attack, the interpolation attack, the partitioning attack and the differential-linear attack and of necessary conditions for the security criteria to have resistance to the respective attacks. In the following description, let n and m be arbitrary natural numbers and consider, as the S-box (a random function), a function S of an n-bit input and an m-bit output:
GF(2)" --> GF(2)m. GF(2)° represents a set of all n-bit data.
(a) Necessary Condition for Resistance to Differential Cryptanalysis A description will be given below of a criterion for differential cryptanalysis is defined as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to differential cryptanalysis. In the differential cryptanalysis method, an observation is made of the difference between outputs (an output difference value) of the S-box corresponding to the difference between its two inputs (an input difference value), and if a large imbalance is found between them, it can be used to cryptanalyze the whole cipher.
Letting the input value to the S-box be represented by x, the difference value between the two inputs by Ox, the difference value of the two outputs corresponding to the two inputs by 0y, the function of the S-box by S and the output y from the S-box for the input thereto by y=S(x), let ~S(tlx,~y) be the number of those values x of all n-bit input values x which satisfy the following equation ( 1 ) for an arbitrary input difference value Ox and an arbitrary output difference value Dy.
S(x) + S(x+Ox) _ ~Y (1) where "+" is usually defined by the exclusive OR (XOR) for each bit. As described in literature "X. Lai, J. M. Massey, and S. Murphy, 'Markov Ciphers and Differential Cryptanalysis,' In D. W. Davies, editor, Advances in Cryptology-EUROCRYPT '91, Volume 547 of Lecture Notes in Computer Science, pp. 17-38, Springer-Verlag, Berlin, Heidelberg, New York, 1991," the difference operation can be substituted with an arbitrary binary operation that provides a general inverse; the differential cryptanalysis method mentioned herein includes them. The differential cryptanalysis utilizes an imbalance in the relationship between the operation results on two arbitrary inputs and the two outputs corresponding thereto.
The number 8s (~x,Dy) of inputs x that satisfy Eq. ( 1 ) for a given pair of Ox and Dy is expressed by the following equation (2):
8s(Ox,t~y)=#{xsGF(2)° I S(x) + S(x + 0x) = Dy} (2) where #{x I conditional equation} represents the number of inputs x that satisfy the conditional equation. The number 8s(Ox,Dy) of inputs x can be calculated from Eq. (2) for all pieces of n-bit data Ox as the input difference value, except 0, and all pieces of m-bit data Dy as the output difference value. A combination of Ox and Dy that maximizes the above-said number constitutes a vulnerability to the differential cryptanalysis--this means that the smaller the maximum value of 8S (Ax, ey), the higher the resistance to differential cryptanalysis. Therefore, it is the necessary condition for the resistance to differential cryptanalysis that the criterion for differential cryptanalysis, es , given by the following equation (3) is small.
es = max 8S (Ax, ~y) (3) Eq. (3) indicates selecting that one of all the combinations of ex ~ 0 and ey which provides the maximum value of 8S and using it as the value of es .
(b) Necessary Condition for Resistance to Linear Cryptanalysis A description will be given below of the definition of a criterion for linear cryptanalysis as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to linear cryptanalysis.
In the linear cryptanalysis method, an observation is made of an arbitrary exclusive OR between the input and output values of the S-box, and if a large imbalance is found between them, it can be used to cryptanalyze the whole cipher.
Letting the input to the S-box be represented by x, an input mask value by r x and an output mask value by r y, ~,S (rx, ry) defined by the following equation (4) can be calculated for a certain input mask value r x and a certain output mask value r y.
as(rx,ry)=I~#~E(2)°~x~rx=s(x)~ry}-an~
where "~ " is usually defined by the inner product. x ~ rx means summing-up of all only those bit values in the input x which correspond to "1s" in the mask value t x, ignoring the bit values corresponding to "Os". That is, x ~ rx = fix, (where ~ is the sum total of i-th bits in r x which are "1 s"), ' 10-where x=(xn_l, ... , xo). The same is true of y ~ Ty . Accordingly, Eq. (4) expresses the absolute value of a value obtained by subtracting 2" from the double of the number of those of all (2°) n-bit inputs x which satisfy x ~ T x=S(x) ~ T y for given sets of mask values ( T x, T y).
From Eq. (4) ~,s (Tx, Ty) can be calculated for all sets of n-bit data T x as the input mask value and m-bit data T y as the output mask value, except 0. A combination of T x and T y that maximizes ~.S (Tx, Ty) constitutes a vulnerability to the linear cryptanalysis--this means that the smaller the maximum value of ~,S (Tx, Ty) , the higher the resistance to linear cryptanalysis. Therefore, it is the necessary condition for the resistance to linear cryptanalysis that the criterion for linear cryptanalysis, ns , given by the following equation (5) is small.
ns = maxas (rx,ry) (5) Eq. (5) indicates selecting that one of all the combinations of T x and T y ~ 0 which provides the maximum value of ~.s (Tx,Ty) and setting as the value of ns .
(c) Necessary Condition for Resistance to Higher Order Differential Attack A description will be given below of the definition of a criterion for higher order differential attack as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to higher order differential attack.
The higher order differential attack utilizes the fact that the computation of a higher order differential the intermediate output in the course of encryption with respect to the input provides a key-independent constant. An arbitrary bit of arbitrary intermediate data during encryption can be expressed by a Boolean polynomial regarding the input. For instance, a bit y~ of certain intermediate data can be expressed by a Boolean polynomial regarding an N-bit input x as follows:
y~ = Xo+X1X3+XpXZX3+ ... +X1X4XSX6 ... XN
When the degree of the Boolean polynomial is d, the calculation of the (d+1)-th order differential (for instance, XOR of 2d+i outputs) results in providing a key-independent constant; attacks on ciphers of low-degree Boolean polymers are reported in the afore-mentioned literature. "The Interpolation Attack on Block Ciphers" by T. Jackson and L.R. Knudsen.
With a low-degree Boolean polynomial representation of an F-function, an insufficient number of iterations of the F-function will not raise the degree of the Boolean representation of the whole cipher, increasing the risk of the cipher being cryptanalyzed. Hence, a necessary condition for making the cipher secure against higher order differential attack without increasing the number of iterations of the F-function is that the degree of the Boolean polynomial representation of the S-box as a component of the F-function is also high.
For S-box S: GF(2)"~GF(2)"' ; x~-->S(x), set y = S(x), (7a) x = (x"_1, x"_z, ..., xo) E GF(2)", (7b) y = (y",_1, Ym-2~ ..., Yo) E GF(2)"' (7c) And a set of variables X = {x"_1, x"-z, ..., xo} is defined. At this time, a Boolean function y; = S;(x) is defined as follows:
S; : GF(2)"-~GF(2); xl-~S;(x) (8) Let degXS; denote the degree of the Boolean function S; (0<_ i <_ m-1 ) regarding the variable set X. Let the minimum value of degXS; (0<_ i <_m-1) be represented by degxS, which is the criterion for higher order differential attack.
degxS = min(degxS;) (9) where min is conditioned by 0 s i s m-1.
A necessary condition that the S-box needs to satisfy to provide security against higher order differential attack is that degxS has a large value: It is known that when S is bijective (i.e. the input/output relationship can be determined uniquely in both directions), the maximum value of degxS is n-1.
(d) Necessary Condition for Resistance to Interpolation Attack A description will be given below of the definition of a criterion for interpolation attack as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for the resistance to interpolation attack.
The principle of interpolation attack is as follows: With a key k fixed, a ciphertext y can be expressed, for example, by the following equation using a polynomial fk(x) over GF(q) regarding a plaintext X.
y = fk(X) - Cq_lXq 1 ~- Cq_2Xq 2 -E- ... ~- GXl + ... -fClX1 + COXO (10) where q is a prime or its power. When the number of terms of non-zero coefficients contained in the polynomial fk(x) with respect to x is c, the polynomial fk(x) can be constructed as by the Lagrange interpolation theorem if c different sets of plaintexts and the corresponding sets of ciphertexts (x;, y;) (where i = 1, ... , c) are given. By this, a ciphertext corresponding a desired plaintext x can be obtained.
The larger the number of terms contained in the polynomial fk(x), the larger the number of sets of plaintexts and ciphertexts necessary for interpolation attack using the polynomial representation fk(x) over GF(q), and the attack becomes difficult accordingly or becomes impossible.
When the number of terms contained in the polynomial representation over GF(q) of the S-box is small, there is a possibility that the number of terms contained in the polynomial of the whole cipher over GF(q) decreases. Of course, even if the number of terms contained in the polynomial over GF(q) of the S-box is large, care should be taken in the construction of the whole cipher to avoid that the terms cancel out each other, resulting in a decrease in the number of terms contained in the polynomial over GF(q) of the whole cipher; however, this concerns encryption technology, and as the criterion of the S-box for interpolation attack, it is a necessary condition for the resistance to interpolation attack that the number of terms contained in the polynomial representation over GF(q) is large. Let the number of terms contained in the polynomial representation over GF(q) of the function S of the S-box be represented by coeffqS, which is used as the criterion for interpolation attack using the polynomial representation over GF(q).
Since the interpolation attack exists by the number of possible qs, it is desirable to calculate the number of terms coeffqS in as many polynomials over GF(q) as possible and make sure that they do not take small values.
(e) Necessary Condition for Resistance to Partitioning Cryptanalysis A description will be given below of the deEnition of a criterion for partitioning cryptanalysis as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for providing the resistance to partitioning cryptanalysis. In partitioning cryptanalysis, an observation is made of some measure which holds for a certain subset of the whole plaintext set and a certain subset of the whole ciphertext set, and if a large imbalance is found in the measure, then it can be used to cryptanalyze the whole cipher. As "some measure I" there are mentioned a peak imbalance and a squared Euclidean imbalance in literature "C. Harpes, J. L. Massey, 'Partitioning Cryptanalysis,' Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1267), pp. 13-27, Springer-Verlag, 1997."
In literature "Takeshi Hamada, Takafumi Yokoyama, Tohru Shimada, Toshinobu Kaneko, 'On partitioning cryptanalysis of DES,' Proc. in 1998 Symposium on Cryptography and Information Security (SCIS'98-2.2.A)," it is reported that an attack on the whole cipher succeeded through utilization of imbalance observed in input and output sets of the S-box of the DES
cipher--this indicates that the criterion for partitioning cryptanalysis similarly defined for the input and output sets of the S-box is a necessary condition for the whole cipher to be secure against partitioning cryptanalysis.
Let a divided subsets of the whole set of S-box inputs be represented by F~, Fl, ... , F"_1 and v divided subsets of the whole set of S-box outputs by Go, Gl, ... , G,,_i. Suppose that all the subsets contain an equal number of elements. A function f for mapping the input x on the subscript {0, 1, ... , u-1} of each subset will hereinafter be referred to as an input partitioning function and a function g for mapping the output y on the subscript {0, 1, ...
, v-1} of each subset as an output partitioning function. That is, the function f indicates the input subset to which the input x belongs, and the function g indicates the output subset to which the output y belongs. Let partitions F
and G be defined by F = {Fo, Fl, ..., F"_1}, G = {Go, Gl, ..., G~_1}.
Then, an imbalance I$(F, G) of an S-box partition pair (F, G) is given by the following equation (11).
I
IS(F, G) = a ~1(g(s(xyF(x) = i) (11) Expressing I(g(S(x))~F(x)=i on the right-hand side of Eq. (11) by I(V), this is the afore-mentioned "Measure L" According to the afore-mentioned literature by C. Harpes et al., in the case of using the peak imbalance as this measure, it is expressed as follows:
Ip(~ = VV 1 maxpw ~ ~~- v (12) In the case of using the squared Euclidean imbalance as this measure, it is expressed as follows:
y ~_i _1 a IE(V ) = v _ 1 ~ ~p[V ~ j) _ v ) (13) P[V=jJ represents the probability that the whole output y corresponding to the whole input x of an i-th (i=0, ... , u-1) input group F; assigned to an output group G~ (j=0, ... , v-1), and the sum total of probabilities of the assignment to respective output groups is 1. For example, if k~ outputs of the whole output y (k; outputs) corresponding to the whole input x (assumed to consist of k; inputs) are assigned to the group G~, then the probability of assignment to the group G~ is k~/k;. The peak imbalance IP(V) of Eq. (12) represents a value obtained by normalizing imbalance of the maximum assignment probability relative to an average probability, and the Euclidean imbalance IE(V) of Eq. (13) represents a value obtained by normalizing a square-sum of imbalance of the assignment probability from the average one.
This measure IP or IE is applied to Eq. (11) to calculate the imbalance IS(F, G) for each partition-pair (F, G). The partition-pair varies, for instance, with the way of selecting the partitioning functions f and g. For example, the division numbers a and v are also parameters that are specified by the functions f and g.
The measure given by Eq. (11) is the criterion for the partitioning ' 16-attack on the S-box and takes a value greater than 0 and smaller than 1; it is a necessary condition for the resistance to the partitioning attack that the difference between the above value and its one-half is small. Accordingly, the S-box function is chosen which minimizes the value ~IS(F, G)-1/2~.
(f) Necessary Condition for Resistance to Differential-Linear Cryptanalysis A description will be given below of the definition of a criterion for differential-linear cryptanalysis as a measure of the resistance thereto of the S-box, a method for measuring the criterion and a necessary condition for providing the resistance to differential-linear cryptanalysis.
In differential-linear cryptanalysis, an observation is made of, for example, the exclusive OR of S-box input and output difference values, and if a large imbalance is found, then it can be used to cryptanalyze the whole cipher.
Letting the S-box input, input difference value and output mask value be represented by x, a x and r y, respectively, ~ S( 0 x, t y) defined by the following equation can be calculated.
~S(ex,ry)=I2#fxEcF(a)~I~s(x)+s(x+ex)~~ry'y-2~I (14) where the operations "+" and "~ " are the same as those used in the criterion for differential cryptanalysis and the criterion for linear cryptanalysis, respectively. The maximum value ~ S given by the following equation for any one of all combinations of a x and r y in the measure ~ S( a x, r y) thus calculated is used as the criterion for differential-linear cryptanalysis.
~S i max ~s (~~rv> (15) ex~o,ry~o Since a large value of the criterion ~ S may be a weakness in differential-linear cryptanalysis, it is a necessary condition for the resistance thereto that this value is small (no marked imbalance).
Incidentally, such functions S as expressed by the following equations are used in some ciphers.
S: GF(2)"--~GF(2)": x--~x2k in GF(2") (16a) S: GF(2)"-~GF(2)": x~xZk+i iri GF(2") (16a) Letting k denote a natural number equal to or greater than n, the differential-linear attack criteria of these functions S take 2n (the maximum theoretical value). No report has been made of an example in which this property leads to a concrete cipher attack, but it is desirable that the criteria take as small a value as possible.
Next, a description will be given of an embodiment according to a second aspect of the present invention.
The resistance of the S-box to various attacks is evaluated as described above, but the generation of a highly resistant random function gives rise to an issue of how to select a group of candidate functions. The reason for this is that much complexity is needed to select functions satisfying the above-mentioned condition from an enormous number of functions.
By the way, from an example cited in literature "T. Jakobsen, L. R.
Knudsen, 'The Interpolation Attack on Block Cipher,' Fast Software Encryption Workshop (FSE4) (Lecture Notes in Computer Science 1267), pp. 28-40, Springer-Verlag, 1997," it is known that the block cipher is readily cryptanalyzed by the higher order and the interpolation cryptanalysis in the case where the S-box is formed by a function of a certain algebraic structure selected as a function resistant to the differential and the linear cryptanalysis and the whole cipher is constructed in combination with only an operation which does not destroy the algebraic structure. On the other hand, the inventors of this application have found that a composite function, which is a combination of a function resistant to the differential and the linear cryptanalysis with a function of a different algebraic structure (basic operation structure), is also resistant to other attacks in many cases.
According to the second aspect of the present invention, functions resistant to the differential and the linear cryptanalysis and functions which have algebraic structures different from those of the first-mentioned functions are combined (composition of functions, for instance) and such composite functions are selected as groups of candidate functions; the resistance to each cryptanalysis is evaluated fox each function group and functions of high resistance are chosen.
Incidentally, the way of selecting the candidate function groups in the present invention is not limited specifically to the above.
According to the second aspect of the present invention, a function (for example, a composite function), which is a combination of at least one function resistant to the differential and the linear cryptanalysis with at least one function of a different algebraic structure is selected as a candidate function group.
With this scheme, it is possible to efficiently narrow down from a small number of candidates those functions which are resistant not only to the differential and the linear cryptanalysis but also to attacks which utilize the algebraic structures of the functions used, such as the higher order differential and the :interpolation attack.
In the following embodiment according to the second aspect of the present invention, a description will be given of how to design an 8-bit I/O S-box.
Now, consider that a P-function part 21 for generating a function P(x, e) and an A-function part 22 for generating a function A(y, a, b) of an algebraic structure different from the function P(x, e) are combined as a candidate function for forming an S-box 20 as shown in Fig. 2.
S: GF(2)g-~GF(2)g; xl--~A((P(x, e)), a, b) where P(x, e) = xe in GF(2g) (17) A(y, a, b) = ay + b(mod 28) ( 18) The function P(x, e) defined by Eq. (17) is a power function to be defined over Galois Field GF(2g); this function is resistant to differential cryptanalysis and linear cryptanalysis when the parameter a is selected suitably, but it has no resistance to higher order differential, linear-differential, interpolation and partitioning attacks. On the other hand, the function A(y, a, b) defined by Eq.
(18) is constructed by a simple addition and a simple multiplication, and this function has no resistance to any of the attacks.
Here, the parameters a, b and a can freely be set to any natural numbers in the range of from 0 to 255 (i.e. 2g-1). Ofthem, the parameters a and b need to have a Hamming weight greater than 3 but smaller than 5, that is, these parameters a and b are each 8-bit and required to have three to five "1" (or "0") bits, and the S-box needs to be bijective; the parameters a, b and c are narrowed down by evaluating whether they satisfy such necessary conditions for providing security against differential cryptanalysis, linear cryptanalysis, interpolation attack and partitioning attack.
In Fig. 3 there is depicted the procedure of an embodiment of the apparatus according to the present invention. Incidentally, the invention is not limited specifically to this embodiment. There is flexibility in the way of selecting functions as candidates for the S-box. Further, the number of design criteria for the S-box is also large, and their priority and the order of narrowing down the candidates are also highly flexible.
Step S 1: In the input part 11, predetermine the range of each of the parameters a, b and a in Eqs. ( 17) and ( 18) to be greater than 0 but smaller than 2g-1, and limit the Hamming weights W,,(a) and W,,(b) of the parameters a and b to the range of from 3 to 5.
Step S2: Evaluate whether candidate functions S are bijective or not.
When the parameter a is an odd number and the parameter a is prime relative to 28-1 (which parameter is expressed by (e,255)=1), the functions S are bijective;
5 select those of the parameters which satisfy these conditions, and discard candidates which do not satisfy them. This processing is performed in the criteria evaluating part 14g in Fig. 1. Alternatively, the parameter a is obtained by inputting only an odd number in the input part 11.
Step S3: It is known that the Hamming weight W,,(e) of the parameter a 10 (which weight indicates the number of "1 s" in a in the binary representation; for example, if a = 11101011, Wh(e) = 6) and the degree degXP of the function P in the Boolean function representation are equal to each other. In order to satisfy the condition for a criterion degXS of the remaining candidate functions S for higher order differential attack, select those of the remaining candidate functions 15 S whose parameters a having a Hamming weights Wh(e) of '7 that is the theoretically maximum value of e, that is, select a = 127, 191, 223, 239, 251, and 254. Discard the candidates that do not meet the condition.
Step S4: Determine if any candidates still remain undiscarded.
Step S5: When it is determined in the preceding step that no candidate has 20 survived, ease the condition Wh(e) ~-- W,,(e)-1 and then go back to Step S3.
Step S6: From the candidate functions remaining after the process of ' CA 02299538 2000-02-O1 Step S3, select those candidates for which the criterion a S for differential attack defined by Eq. (3) is smaller than a predetermined reference value a R. Discard the candidates that do not meet this condition.
Step S7: Determine if any candidates still remain undiscarded after Step S6.
Step S8: If no candidate remains, add a predetermined step width a d to the reference value a R (ease the condition) to update it, and return to step S6 to repeat the processing.
Step S9: From the candidate functions S remaining after Step S6,.
select those candidates for which the criterion A S for linear attack defined by Eq. (5) is smaller than a predetermined reference value A R. Discard the candidates that do not meet this condition.
Step S 10: Determine if any candidates still remain undiscarded after Step S9.
Step 11: If no candidate remains, add a predetermined step width A d to the reference value A R (ease the condition) to update it, and return to step S9 to repeat the processing.
Step S12: From the candidate functions S remaining after step S9, select those candidates for which the criterion 8 S for differential-linear attack defined by Eq. (15) is smaller than a predetermined reference value Discard the candidates that do not meet this condition.
Step S 13: Determine if any candidates still remain undiscarded after Step S12.
Step S14: If no candidate remains, add a predetermined step width ~ d to the reference value ~ R (ease the condition) to update it, and return to step S12 to repeat the processing.
As a result, the parameters are narrowed down to those given below.
(a, b) _ (97, 97), (97, 225), (225, 97), (225, 225) a = 127, 191, 223, 239, 247, 251, 253, 254 Step S 15 : For the candidate functions S by all combinations of the parameters remaining after Step S 12, calculate the criterion Is(F, G) for partitioning attack and select those candidates for which I IS(F, G)-1/2 ~ is smaller than a reference value IR. Discard the candidates that do not meet this condition.
Step S 16: Determine if any candidates still remain undiscarded after Step 515.
Step S 17: If no candidate remains, add a predetermined step width Id to the reference value IR (ease the condition) to update it, and return to Step S
15 to repeat the processing.
Step S 18: For the candidate functions S by all combinations of the parameters remaining after Step S 15, select those candidates for which the criterion coeffaS (where q = 28) for interpolation attack, which utilizes the polynomial over GF(2g), is larger than a reference value cqR, and discard the other candidates.
Step S 19: Determine if any candidates still remain undiscarded after Step S 18.
Step S20: If no candidate remains, subtract a predetermined step width cqd from the reference value cqR (ease the condition) to update it, and return to Step S 19 to repeat the processing.
Step S21: From all primes p in the range of from 2g-~-1 to 29, select those of the candidate functions S for which the criterion coeffpS for interpolation attack is larger than the reference value cpR, and discard the other candidates.
Step 522: Determine if any candidates still remain undiscarded after Step 521.
Step S23: If no candidate remains, subtract a predetermined step width cpd tiom the reference value c},R (ease the condition) to update it, and return to Step S21 to repeat the processing.
As the result of the evaluation described above, the following combinations (a total of 32 combinations) of parameters are left undiscarded.
(a, b) _ (97, 97), (97, 22S), (225, 97), (225, 22S) (e) = 127, 191, 223, 239, 247, 2S 1, 253, 254 This is identical with the results obtained in Step S 14. This means that functions secure against every attack taken into account in this embodiment are already obtained in Step S 14.
Since the 32 functions thus selected are equally strong on the above-mentioned criteria, any of the functions can be used as the S-box.
In the evaluation of the S-box or in the function generation, the reference 1 S values D~z, /~R, V,~, c~~I~ and cr~z of the criteria for evaluation are each determined according to the required degree of randomness, that is, the required security against the respective cryptanalysis.
In the flowchart o Fig. 3, the order of selection of function candidates having the required resistance to the respective attacks (cryptanalyses) is not limited specifically to the order depicted in Fig. 3 but may also be changed.
With the random function generating method according to the present invention, it is unnecessary to select function candidates that have the required resistance to every attack shown in Fig. 3; and it also falls inside the scope of the present invention to select function candidates for at least one of higher order 2S differential, differential-linear, partitioning and interpolation attacks. Instead of narrowing down the function candidates one after another for a plurality of cryptanalysis methods, it is also possible to evaluate the resistance of every function candidates to the respective cryptanalyses and select functions that have the reference resistance to them.
While in the above the random function generating method has been described to determine parameters of composite functions each composed of two functions, it need scarcely be said that the method is similarly applicable to parameters of functions each composed of three or more functions and to the determination of parameters of one function.
The function randomness evaluating method and the random function generating method of the present invention, described above in the first and second embodiments, may also be prerecorded on a recording medium as programs for execution by a computer so that the programs are read out and executed by the computer to evaluate the randomness of functions and generate random functions.
EFFECT OF THE INVENTION
As described above, according to the present invention, in the method and apparatus for evaluating the randomness of S-box functions that serve as components of an cryptographic device or the like, there is provided, in addition to the conventional evaluating method, means for evaluating whether the functions is resistant to differential, linear, higher order differential, interpolation, partitioning and differential-linear attacks and other possible attacks, whereby it is possible to evaluate the randomness of the functions and design ciphers highly secure against the above cryptanalyses.
Furthermore, since functions each formed by a combination of a function resistant to differential cryptanalysis and linear cryptanalysis and a function of an algebraic structure different from that of the first-mentioned function are selected as candidate functions, functions resistant not only to the differential and linear cryptanalyses but also to attacks utilizing the algebraic 5 structure, such as high order differential and interpolation attacks can be narrowed down from a small number of candidates.
Moreover, such a procedure as depicted in Fig. 3 allows efficient narrowing down of functions with a small amount of computational complexity.
Besides, by selecting candidate functions from combinations of functions 10 of well-known different algebraic structures instead of selecting the candidates at random, it is also easy to show that the S-box has no trap-door (a secret trick that enables only a designer to cryptanalyze the cipher concerned).
The random function thus evaluated and generated by the present invention is used as the S-box formed by a ROM to generate an irregular output 15 from the input to a cryptographic device which conceals data fast and securely.
Step S3: It is known that the Hamming weight W,,(e) of the parameter a 10 (which weight indicates the number of "1 s" in a in the binary representation; for example, if a = 11101011, Wh(e) = 6) and the degree degXP of the function P in the Boolean function representation are equal to each other. In order to satisfy the condition for a criterion degXS of the remaining candidate functions S for higher order differential attack, select those of the remaining candidate functions 15 S whose parameters a having a Hamming weights Wh(e) of '7 that is the theoretically maximum value of e, that is, select a = 127, 191, 223, 239, 251, and 254. Discard the candidates that do not meet the condition.
Step S4: Determine if any candidates still remain undiscarded.
Step S5: When it is determined in the preceding step that no candidate has 20 survived, ease the condition Wh(e) ~-- W,,(e)-1 and then go back to Step S3.
Step S6: From the candidate functions remaining after the process of ' CA 02299538 2000-02-O1 Step S3, select those candidates for which the criterion a S for differential attack defined by Eq. (3) is smaller than a predetermined reference value a R. Discard the candidates that do not meet this condition.
Step S7: Determine if any candidates still remain undiscarded after Step S6.
Step S8: If no candidate remains, add a predetermined step width a d to the reference value a R (ease the condition) to update it, and return to step S6 to repeat the processing.
Step S9: From the candidate functions S remaining after Step S6,.
select those candidates for which the criterion A S for linear attack defined by Eq. (5) is smaller than a predetermined reference value A R. Discard the candidates that do not meet this condition.
Step S 10: Determine if any candidates still remain undiscarded after Step S9.
Step 11: If no candidate remains, add a predetermined step width A d to the reference value A R (ease the condition) to update it, and return to step S9 to repeat the processing.
Step S12: From the candidate functions S remaining after step S9, select those candidates for which the criterion 8 S for differential-linear attack defined by Eq. (15) is smaller than a predetermined reference value Discard the candidates that do not meet this condition.
Step S 13: Determine if any candidates still remain undiscarded after Step S12.
Step S14: If no candidate remains, add a predetermined step width ~ d to the reference value ~ R (ease the condition) to update it, and return to step S12 to repeat the processing.
As a result, the parameters are narrowed down to those given below.
(a, b) _ (97, 97), (97, 225), (225, 97), (225, 225) a = 127, 191, 223, 239, 247, 251, 253, 254 Step S 15 : For the candidate functions S by all combinations of the parameters remaining after Step S 12, calculate the criterion Is(F, G) for partitioning attack and select those candidates for which I IS(F, G)-1/2 ~ is smaller than a reference value IR. Discard the candidates that do not meet this condition.
Step S 16: Determine if any candidates still remain undiscarded after Step 515.
Step S 17: If no candidate remains, add a predetermined step width Id to the reference value IR (ease the condition) to update it, and return to Step S
15 to repeat the processing.
Step S 18: For the candidate functions S by all combinations of the parameters remaining after Step S 15, select those candidates for which the criterion coeffaS (where q = 28) for interpolation attack, which utilizes the polynomial over GF(2g), is larger than a reference value cqR, and discard the other candidates.
Step S 19: Determine if any candidates still remain undiscarded after Step S 18.
Step S20: If no candidate remains, subtract a predetermined step width cqd from the reference value cqR (ease the condition) to update it, and return to Step S 19 to repeat the processing.
Step S21: From all primes p in the range of from 2g-~-1 to 29, select those of the candidate functions S for which the criterion coeffpS for interpolation attack is larger than the reference value cpR, and discard the other candidates.
Step 522: Determine if any candidates still remain undiscarded after Step 521.
Step S23: If no candidate remains, subtract a predetermined step width cpd tiom the reference value c},R (ease the condition) to update it, and return to Step S21 to repeat the processing.
As the result of the evaluation described above, the following combinations (a total of 32 combinations) of parameters are left undiscarded.
(a, b) _ (97, 97), (97, 22S), (225, 97), (225, 22S) (e) = 127, 191, 223, 239, 247, 2S 1, 253, 254 This is identical with the results obtained in Step S 14. This means that functions secure against every attack taken into account in this embodiment are already obtained in Step S 14.
Since the 32 functions thus selected are equally strong on the above-mentioned criteria, any of the functions can be used as the S-box.
In the evaluation of the S-box or in the function generation, the reference 1 S values D~z, /~R, V,~, c~~I~ and cr~z of the criteria for evaluation are each determined according to the required degree of randomness, that is, the required security against the respective cryptanalysis.
In the flowchart o Fig. 3, the order of selection of function candidates having the required resistance to the respective attacks (cryptanalyses) is not limited specifically to the order depicted in Fig. 3 but may also be changed.
With the random function generating method according to the present invention, it is unnecessary to select function candidates that have the required resistance to every attack shown in Fig. 3; and it also falls inside the scope of the present invention to select function candidates for at least one of higher order 2S differential, differential-linear, partitioning and interpolation attacks. Instead of narrowing down the function candidates one after another for a plurality of cryptanalysis methods, it is also possible to evaluate the resistance of every function candidates to the respective cryptanalyses and select functions that have the reference resistance to them.
While in the above the random function generating method has been described to determine parameters of composite functions each composed of two functions, it need scarcely be said that the method is similarly applicable to parameters of functions each composed of three or more functions and to the determination of parameters of one function.
The function randomness evaluating method and the random function generating method of the present invention, described above in the first and second embodiments, may also be prerecorded on a recording medium as programs for execution by a computer so that the programs are read out and executed by the computer to evaluate the randomness of functions and generate random functions.
EFFECT OF THE INVENTION
As described above, according to the present invention, in the method and apparatus for evaluating the randomness of S-box functions that serve as components of an cryptographic device or the like, there is provided, in addition to the conventional evaluating method, means for evaluating whether the functions is resistant to differential, linear, higher order differential, interpolation, partitioning and differential-linear attacks and other possible attacks, whereby it is possible to evaluate the randomness of the functions and design ciphers highly secure against the above cryptanalyses.
Furthermore, since functions each formed by a combination of a function resistant to differential cryptanalysis and linear cryptanalysis and a function of an algebraic structure different from that of the first-mentioned function are selected as candidate functions, functions resistant not only to the differential and linear cryptanalyses but also to attacks utilizing the algebraic 5 structure, such as high order differential and interpolation attacks can be narrowed down from a small number of candidates.
Moreover, such a procedure as depicted in Fig. 3 allows efficient narrowing down of functions with a small amount of computational complexity.
Besides, by selecting candidate functions from combinations of functions 10 of well-known different algebraic structures instead of selecting the candidates at random, it is also easy to show that the S-box has no trap-door (a secret trick that enables only a designer to cryptanalyze the cipher concerned).
The random function thus evaluated and generated by the present invention is used as the S-box formed by a ROM to generate an irregular output 15 from the input to a cryptographic device which conceals data fast and securely.
Claims (29)
1. A function randomness evaluating apparatus comprising:
input means for inputting digital signals representing candidate functions S(x) of S-box to be evaluated, input difference values .DELTA.x and output mask values .GAMMA.y, and storing them in storage means;
differential-linear-cryptanalysis resistance evaluating means for: counting, for all sets of input difference value 0x and output mask value .GAMMA.y of each of the functions S(x) read out of the storage means, a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and output means for outputting an output digital signal representing an evaluation result.
input means for inputting digital signals representing candidate functions S(x) of S-box to be evaluated, input difference values .DELTA.x and output mask values .GAMMA.y, and storing them in storage means;
differential-linear-cryptanalysis resistance evaluating means for: counting, for all sets of input difference value 0x and output mask value .GAMMA.y of each of the functions S(x) read out of the storage means, a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and output means for outputting an output digital signal representing an evaluation result.
2. The function randomness evaluating apparatus of claim 1, wherein:
said differential-linear cryptanalysis resistance evaluating means is means for: calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.(.DELTA.x, .GAMMA.y) = ¦2x#{x ~ GF(2)" ¦(S(x) + S(x + .DELTA.x)) .cndot.
.GAMMA.y =1}-2"¦;
calculating a maximum value .XI. among the calculation results; and evaluating the resistance of said function to said differential-linear cryptanalysis based on said maximum value .XI..
said differential-linear cryptanalysis resistance evaluating means is means for: calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.(.DELTA.x, .GAMMA.y) = ¦2x#{x ~ GF(2)" ¦(S(x) + S(x + .DELTA.x)) .cndot.
.GAMMA.y =1}-2"¦;
calculating a maximum value .XI. among the calculation results; and evaluating the resistance of said function to said differential-linear cryptanalysis based on said maximum value .XI..
3. The function randomness evaluating apparatus of claim 1 or 2, further comprising at least one of:
higher-order-differential cryptanalysis resistance evaluating means for calculating a minimum value of the degree of a Boolean polynomial for input bits by which output bits of the function to be evaluated are expressed, and evaluating that larger said minimum value, higher the resistance of said function to higher order differential cryptanalysis is;
interpolation-cryptanalysis resistance evaluating means for: expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said function to interpolation cryptanalysis based on the result of said number;
partitioning-cryptanalysis resistance evaluating means for: dividing all input values of the function to be evaluated and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation.
higher-order-differential cryptanalysis resistance evaluating means for calculating a minimum value of the degree of a Boolean polynomial for input bits by which output bits of the function to be evaluated are expressed, and evaluating that larger said minimum value, higher the resistance of said function to higher order differential cryptanalysis is;
interpolation-cryptanalysis resistance evaluating means for: expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said function to interpolation cryptanalysis based on the result of said number;
partitioning-cryptanalysis resistance evaluating means for: dividing all input values of the function to be evaluated and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation.
4. The function randomness evaluating apparatus of claim 3, wherein:
said partitioning-cryptanalysis resistance evaluating means is means for:
dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G v-1};
for each partition-pair (F i, G i) (i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F i belong to the respective output subsets G j (j = 0, ..., v-1);
calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said function to said partitioning cryptanalysis based on said measure.
said partitioning-cryptanalysis resistance evaluating means is means for:
dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G v-1};
for each partition-pair (F i, G i) (i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F i belong to the respective output subsets G j (j = 0, ..., v-1);
calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said function to said partitioning cryptanalysis based on said measure.
5. The function randomness evaluating apparatus of claim 1 or 2, further comprising at least one of:
differential-cryptanalysis resistance evaluating means for calculating, for the function S(x) to be evaluated, the number of input values x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) and evaluating the resistance of said function to differential cryptanalysis based on the result of said calculation; and linear-cryptanalysis resistance evaluating means for calculating, for the function to be evaluated, the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y and evaluating the resistance of said function to linear cryptanalysis based on the result of said calculation.
differential-cryptanalysis resistance evaluating means for calculating, for the function S(x) to be evaluated, the number of input values x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) and evaluating the resistance of said function to differential cryptanalysis based on the result of said calculation; and linear-cryptanalysis resistance evaluating means for calculating, for the function to be evaluated, the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y and evaluating the resistance of said function to linear cryptanalysis based on the result of said calculation.
6. A random function generating apparatus comprising:
input means for inputting digital signals representing parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means;
candidate function generating means for generating candidate functions each formed by a combination of said plurality of functions of different algebraic structures based on said plurality of parameters read out of the storage means;
resistance evaluating means for evaluating resistance of each of said candidate functions to a cryptanalysis;
selecting means for selecting those of said resistance-evaluated candidate functions which are highly resistant to said cryptanalysis and outputting digital signals representing selected ones of said resistance-evaluated candidate functions, wherein one of said plurality of functions of different algebraic structures is resistant to each of differential cryptanalysis and linear cryptanalysis.
input means for inputting digital signals representing parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means;
candidate function generating means for generating candidate functions each formed by a combination of said plurality of functions of different algebraic structures based on said plurality of parameters read out of the storage means;
resistance evaluating means for evaluating resistance of each of said candidate functions to a cryptanalysis;
selecting means for selecting those of said resistance-evaluated candidate functions which are highly resistant to said cryptanalysis and outputting digital signals representing selected ones of said resistance-evaluated candidate functions, wherein one of said plurality of functions of different algebraic structures is resistant to each of differential cryptanalysis and linear cryptanalysis.
7. The random function generating apparatus of claim 6, wherein said input means is adapted to input digital signals representing input difference values .DELTA.x and output mask values .GAMMA.y and storing them in the storage means, and said resistance evaluating means comprises at least one of:
higher-order-differential cryptanalysis resistance evaluating means for:
calculating a minimum value of the degree of a Boolean polynomial for input bits by which output bits of each of said candidate functions are expressed; and evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation;
interpolation-cryptanalysis resistance evaluating means for: expressing an output value y as y = f k (x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said each candidate function to interpolation cryptanalysis based on the result of said number;
partitioning-cryptanalysis resistance evaluating means for: dividing all input values of the function to be evaluated and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation; and differential-linear cryptanalysis resistance evaluating means for:
calculating, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of the function S(x) to be evaluated, a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1; and evaluating the resistance of said function to differential-linear cryptanalysis based on the result of said calculation.
higher-order-differential cryptanalysis resistance evaluating means for:
calculating a minimum value of the degree of a Boolean polynomial for input bits by which output bits of each of said candidate functions are expressed; and evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation;
interpolation-cryptanalysis resistance evaluating means for: expressing an output value y as y = f k (x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said each candidate function to interpolation cryptanalysis based on the result of said number;
partitioning-cryptanalysis resistance evaluating means for: dividing all input values of the function to be evaluated and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation; and differential-linear cryptanalysis resistance evaluating means for:
calculating, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of the function S(x) to be evaluated, a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1; and evaluating the resistance of said function to differential-linear cryptanalysis based on the result of said calculation.
8. A method for evaluating the randomness of the input/output relationship of a function, said method comprising:
inputting digital signals representing candidate functions S(x) of S-box to be evaluated, input difference values .DELTA.x and output mask values .GAMMA.y, and storing them in storage means;
a differential-linear cryptanalysis resistance evaluating step of: counting, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of each of the functions S(x) read out of the storage means, a number of input values x for which an inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and outputting an output digital signal representing an evaluation result.
inputting digital signals representing candidate functions S(x) of S-box to be evaluated, input difference values .DELTA.x and output mask values .GAMMA.y, and storing them in storage means;
a differential-linear cryptanalysis resistance evaluating step of: counting, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of each of the functions S(x) read out of the storage means, a number of input values x for which an inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said number; and outputting an output digital signal representing an evaluation result.
9. The randomness evaluating method of claim 8, wherein:
said differential-linear cryptanalysis resistance evaluating step is a step of:
calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.S).DELTA.x,.GAMMA.y)=¦2×#{x~GF(2)n¦(S(x)+S(x+.DELTA.x).cndot..GAMMA.y =1}-2n¦;
calculating a maximum value ~ among the calculation results; and evaluating the resistance of said function to said differential-linear cryptanalysis using said maximum value ~.
said differential-linear cryptanalysis resistance evaluating step is a step of:
calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.S).DELTA.x,.GAMMA.y)=¦2×#{x~GF(2)n¦(S(x)+S(x+.DELTA.x).cndot..GAMMA.y =1}-2n¦;
calculating a maximum value ~ among the calculation results; and evaluating the resistance of said function to said differential-linear cryptanalysis using said maximum value ~.
10. The method for evaluating method of claim 8 or 9, further comprising at least one of:
(a) a higher-order-differential cryptanalysis resistance evaluating step of:
calculating a minimum value of the degree of a Boolean polynomial for input bits of said function S(x) by which its output bits are expressed; and evaluating the resistance of said function to higher order cryptanalysis based on the result of said calculation;
(b) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of the function to be evaluated and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationships; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation; and (c) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said function to interpolation cryptanalysis.
(a) a higher-order-differential cryptanalysis resistance evaluating step of:
calculating a minimum value of the degree of a Boolean polynomial for input bits of said function S(x) by which its output bits are expressed; and evaluating the resistance of said function to higher order cryptanalysis based on the result of said calculation;
(b) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of the function to be evaluated and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationships; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation; and (c) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said function to interpolation cryptanalysis.
11. The randomness evaluating method of claim 10, wherein:
said partitioning-cryptanalysis resistance evaluating step (b) is a step of dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G v-1};
for each partition-pair (F i, G i) (i = U, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F i belong to the respective output subsets G j (j = 0, ..., v-1);
calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said function to said partitioning cryptanalysis based on said measure.
said partitioning-cryptanalysis resistance evaluating step (b) is a step of dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G v-1};
for each partition-pair (F i, G i) (i = U, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F i belong to the respective output subsets G j (j = 0, ..., v-1);
calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said function to said partitioning cryptanalysis based on said measure.
12. The randomness evaluating method according to any one of claims 8, 9, 10 and 11, further comprising at least one of:
(d) a differential-cryptanalysis resistance evaluating step of calculating the number of input values x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) except .DELTA.x=0; and evaluating the resistance of said function to differential cryptanalysis based on the result of said calculation; and (e) a linear-cryptanalysis resistance evaluating means for calculating, for said function S(x), the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y and evaluating the resistance of said function to linear cryptanalysis based on the result of said calculation.
(d) a differential-cryptanalysis resistance evaluating step of calculating the number of input values x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) except .DELTA.x=0; and evaluating the resistance of said function to differential cryptanalysis based on the result of said calculation; and (e) a linear-cryptanalysis resistance evaluating means for calculating, for said function S(x), the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y and evaluating the resistance of said function to linear cryptanalysis based on the result of said calculation.
13. A random function generating method comprising the steps of:
(o) inputting digital signals representing input difference values .DELTA.x, output mask values .GAMMA.y and parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means;
(a) setting various input values read out of the storage means for each of candidate functions S(x) of S-box and calculating output values corresponding to said various input values x;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis;
and wherein said step (c) comprising:
(c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
(c-2) a differential-linear cryptanalysis resistance evaluating step of:
calculating, for every set of input difference value Ox and output mask value .GAMMA.y of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others;
(c-3) a partitioning-cryptanalysis resistance evaluating step of dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation;
and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of:
expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
(o) inputting digital signals representing input difference values .DELTA.x, output mask values .GAMMA.y and parameter values of each of a plurality of functions of different algebraic structures and storing them in storage means;
(a) setting various input values read out of the storage means for each of candidate functions S(x) of S-box and calculating output values corresponding to said various input values x;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis;
and wherein said step (c) comprising:
(c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
(c-2) a differential-linear cryptanalysis resistance evaluating step of:
calculating, for every set of input difference value Ox and output mask value .GAMMA.y of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others;
(c-3) a partitioning-cryptanalysis resistance evaluating step of dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation;
and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of:
expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
14. The random function generating method of claim 13, wherein:
said differential-linear-cryptanalysis resistance evaluating Step (c-2) includes a step of: calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except .xi.S(.DELTA.x,.GAMMA.y)=¦2×#{x~GF(2)n¦(S(x)+S(x+.DELTA.x)).cndot..GAMMA.
y=1}-2n¦;
calculating a maximum value ~ among the calculation results; and evaluating the resistance of said candidate function to said differential-linear cryptanalysis based on said maximum value ~; and said partitioning-cryptanalysis resistance evaluating Step (3) includes a step of dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G
v-1}; for each partition-pair (F i, G i;)(i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F i belong to the respective output subsets G j(j = 0, ..., v-1); calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said candidate function to said partitioning cryptanalysis based on said measure.
said differential-linear-cryptanalysis resistance evaluating Step (c-2) includes a step of: calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except .xi.S(.DELTA.x,.GAMMA.y)=¦2×#{x~GF(2)n¦(S(x)+S(x+.DELTA.x)).cndot..GAMMA.
y=1}-2n¦;
calculating a maximum value ~ among the calculation results; and evaluating the resistance of said candidate function to said differential-linear cryptanalysis based on said maximum value ~; and said partitioning-cryptanalysis resistance evaluating Step (3) includes a step of dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G
v-1}; for each partition-pair (F i, G i;)(i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F i belong to the respective output subsets G j(j = 0, ..., v-1); calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said candidate function to said partitioning cryptanalysis based on said measure.
15. The random function generating method of claim 13 or 14, wherein:
said Step (c-1) includes a step of when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said first reference by a first predetermined width, and executing again the evaluation and selecting process;
said Step (c-2) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said second reference by a second predetermined width, and executing again the evaluation and selecting process;
said Step (c-3) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said third reference by a third predetermined width, and executing again the evaluation and selecting process; and said Step (c-4) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fourth reference by a fourth predetermined width, and executing again the evaluation and selecting process.
said Step (c-1) includes a step of when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said first reference by a first predetermined width, and executing again the evaluation and selecting process;
said Step (c-2) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said second reference by a second predetermined width, and executing again the evaluation and selecting process;
said Step (c-3) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said third reference by a third predetermined width, and executing again the evaluation and selecting process; and said Step (c-4) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fourth reference by a fourth predetermined width, and executing again the evaluation and selecting process.
16. The random function generating method of claim 13 or 14, further comprising:
(c-5) a differential-cryptanalysis resistance evaluating step of: calculating, for each candidate function S(x), the number of inputs x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) except .DELTA.x=0; evaluating the resistance of said each candidate function to differential cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined fifth reference and discarding the others before said Step (c-2); and (c-6) a linear-cryptanalysis resistance evaluating step of: calculating, for each candidate function, the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y; evaluating the resistance of said each candidate function to linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined sixth reference and discarding the others, after said Step (c-5).
(c-5) a differential-cryptanalysis resistance evaluating step of: calculating, for each candidate function S(x), the number of inputs x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) except .DELTA.x=0; evaluating the resistance of said each candidate function to differential cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined fifth reference and discarding the others before said Step (c-2); and (c-6) a linear-cryptanalysis resistance evaluating step of: calculating, for each candidate function, the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y; evaluating the resistance of said each candidate function to linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined sixth reference and discarding the others, after said Step (c-5).
17. The random function generating method of claim 16, wherein:
said Step (c-5) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fifth reference by a fifth predetermined width, and executing again the evaluation and selecting process; and said Step (c-6) includes a step o~ when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said sixth reference by a sixth predetermined width, and executing again the evaluation and selecting process.
said Step (c-5) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fifth reference by a fifth predetermined width, and executing again the evaluation and selecting process; and said Step (c-6) includes a step o~ when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said sixth reference by a sixth predetermined width, and executing again the evaluation and selecting process.
18. The random function generating method according to any one of claims 13, 14, and 15, wherein said candidate functions are each a composite function composed of at least one function resistant to said differential cryptanalysis and said linear cryptanalysis and at least one function of an algebraic structure different from that of said at least one function.
19. A computer-readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of the method for generating a random function, said method comprising the steps of:
(a) setting various values as each parameter for candidate functions S(x) of S-box function and calculating output values corresponding to various input values;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis;
and wherein said Step (c) comprising:
(c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
(c-2) a differential-linear cryptanalysis resistance evaluating step of:
calculating, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others;
(c-3) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
(a) setting various values as each parameter for candidate functions S(x) of S-box function and calculating output values corresponding to various input values;
(b) storing the output values in storage means; and (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis;
and wherein said Step (c) comprising:
(c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
(c-2) a differential-linear cryptanalysis resistance evaluating step of:
calculating, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1;
evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others;
(c-3) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and (c-4) an interpolation-cryptanalysis resistance evaluating step of expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others.
20. The recording medium of claim 19, wherein:
said differential-linear-cryptanalysis resistance evaluating Step (c-2) includes a step of: calculating the following equation for every set of said input difference .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.S(.DELTA.x,.GAMMA.y)=¦2×#~GF(2)n¦(S(x)+S(x+.DELTA.x)).cndot..GAMMA.y=
1}-2n¦;
calculating a maximum value ~ among the calculation results; and evaluating the resistance of said candidate function to said differential-linear cryptanalysis based on said maximum value ~; and said partitioning-cryptanalysis resistance evaluating Step (3) includes a step of dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G
v-1}; for each partition-pair (F i, G i)(i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F; belong to the respective output subsets G j(j = 0, ..., v-1); calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said candidate function to said partitioning cryptanalysis based on said measure.
said differential-linear-cryptanalysis resistance evaluating Step (c-2) includes a step of: calculating the following equation for every set of said input difference .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.S(.DELTA.x,.GAMMA.y)=¦2×#~GF(2)n¦(S(x)+S(x+.DELTA.x)).cndot..GAMMA.y=
1}-2n¦;
calculating a maximum value ~ among the calculation results; and evaluating the resistance of said candidate function to said differential-linear cryptanalysis based on said maximum value ~; and said partitioning-cryptanalysis resistance evaluating Step (3) includes a step of dividing an input value set F and an output value set G of said function into a input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G
v-1}; for each partition-pair (F i, G i)(i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F; belong to the respective output subsets G j(j = 0, ..., v-1); calculating a measure I S(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said candidate function to said partitioning cryptanalysis based on said measure.
21. The recording medium of claim 19 or 20, wherein:
said Step (c-1) includes a step o~ when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said first reference by a first predetermined width, and executing again the evaluation and selecting process;
said Step (c-2) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said second reference by a second predetermined width, and executing again the evaluation and selecting process;
said Step (c-3) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said third reference by a third predetermined width, and executing again the evaluation and selecting process; and said Step (c-4) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fourth reference by a fourth predetermined width, and executing again the evaluation and selecting process.
said Step (c-1) includes a step o~ when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said first reference by a first predetermined width, and executing again the evaluation and selecting process;
said Step (c-2) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said second reference by a second predetermined width, and executing again the evaluation and selecting process;
said Step (c-3) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said third reference by a third predetermined width, and executing again the evaluation and selecting process; and said Step (c-4) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fourth reference by a fourth predetermined width, and executing again the evaluation and selecting process.
22. The recording medium of claim 19 or 20, wherein said method includes:
(c-5) a differential-cryptanalysis resistance evaluating step of: calculating, for each candidate function S(x), the number of inputs x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) except .DELTA.x=0; evaluating the resistance of said each candidate function to differential cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined fifth reference and discarding the others before said Step (c-2); and (c-6) a linear-cryptanalysis resistance evaluating step of: calculating, for each candidate function, the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y; evaluating the resistance of said each candidate function to linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined sixth reference and discarding the others after said Step (c-5).
(c-5) a differential-cryptanalysis resistance evaluating step of: calculating, for each candidate function S(x), the number of inputs x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x, .DELTA.y) except .DELTA.x=0; evaluating the resistance of said each candidate function to differential cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined fifth reference and discarding the others before said Step (c-2); and (c-6) a linear-cryptanalysis resistance evaluating step of: calculating, for each candidate function, the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y; evaluating the resistance of said each candidate function to linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined sixth reference and discarding the others after said Step (c-5).
23. The recording medium of claim 22, wherein:
said Step (c-5) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fifth reference by a fifth predetermined width, and executing again the evaluation and selecting process; and said Step (c-6) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said sixth reference by a sixth predetermined width, and executing again the evaluation and selecting process.
said Step (c-5) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fifth reference by a fifth predetermined width, and executing again the evaluation and selecting process; and said Step (c-6) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said sixth reference by a sixth predetermined width, and executing again the evaluation and selecting process.
24. The recording medium according to any one of claims 19, 20 and 21, wherein said candidate functions are each a composite function composed of at least one function resistant to said differential cryptanalysis and said linear cryptanalysis and at least one function of an algebraic structure different from that of said at least one function.
25. A computer readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of a method for evaluating randomness of an input/output relationship of a function, said method comprising:
(a) a differential-linear cryptanalysis resistance evaluating step of:
calculating, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of a function S(x) to be evaluated, a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation.
(a) a differential-linear cryptanalysis resistance evaluating step of:
calculating, for every set of input difference value .DELTA.x and output mask value .GAMMA.y of a function S(x) to be evaluated, a number of input values x for which the inner product of (S(x)+S(x+.DELTA.x)) and said output mask value .GAMMA.y is 1; and evaluating resistance of said function to differential-linear cryptanalysis based on the result of said calculation.
26. The recording medium of claim 25, wherein:
said differential-linear cryptanalysis resistance evaluating Step (a) is a step of: calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.s(.DELTA.x,.GAMMA.y) =¦2x#{x.epsilon.GF(2)n¦(S(x)+S(x+.DELTA.x).cndot..GAMMA.y =1} - 2n¦;
calculating a maximum value .XI. among the calculation results; and evaluating the resistance of said function to said differential-linear cryptanalysis using said maximum value .XI.
said differential-linear cryptanalysis resistance evaluating Step (a) is a step of: calculating the following equation for every set of said input difference value .DELTA.x except 0 and said output mask value .GAMMA.y except 0 .xi.s(.DELTA.x,.GAMMA.y) =¦2x#{x.epsilon.GF(2)n¦(S(x)+S(x+.DELTA.x).cndot..GAMMA.y =1} - 2n¦;
calculating a maximum value .XI. among the calculation results; and evaluating the resistance of said function to said differential-linear cryptanalysis using said maximum value .XI.
27. The recording medium of claim 25 or 26, further comprising at least one of:
(b) a higher-order-differential cryptanalysis resistance evaluating step of:
calculating a minimum value of the degree of a Boolean polynomial for input bits of said function S(x) by which its output bits are expressed; and evaluating the resistance of said function to higher order cryptanalysis based on the result of said calculation;
(c) a partitioning-cryptanalysis resistance evaluating step of dividing all input values of the function to be evaluated and the corresponding outputs into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation; and (d) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said function to interpolation cryptanalysis.
(b) a higher-order-differential cryptanalysis resistance evaluating step of:
calculating a minimum value of the degree of a Boolean polynomial for input bits of said function S(x) by which its output bits are expressed; and evaluating the resistance of said function to higher order cryptanalysis based on the result of said calculation;
(c) a partitioning-cryptanalysis resistance evaluating step of dividing all input values of the function to be evaluated and the corresponding outputs into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; and evaluating the resistance of said function to partitioning cryptanalysis based on the result of said calculation; and (d) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y as y = f k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said function to interpolation cryptanalysis.
28. The recording medium of claim 27, wherein:
said partitioning-cryptanalysis resistance evaluating Step (c) is a step of:
dividing an input value set F and an output value set G of said function into u input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G v-1};
for each partition-pair (F i, G i) (i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F; belong to the respective output subsets G j (j = 0, ..., v-1);
calculating a measure I s(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said function to said partitioning cryptanalysis based on said measure.
said partitioning-cryptanalysis resistance evaluating Step (c) is a step of:
dividing an input value set F and an output value set G of said function into u input subsets {F0, F1, ..., F u-1} and v output subsets {G0, G1, ..., G v-1};
for each partition-pair (F i, G i) (i = 0, ..., u-1; j = 0, 1, ..., v-1), calculating a maximum one of probabilities that all output values y corresponding to all input values x of the input subset F; belong to the respective output subsets G j (j = 0, ..., v-1);
calculating a measure I s(F, G) of an average imbalance of a partition-pair (F, G) based on all maximum values calculated for all partition pairs; and evaluating the resistance of said function to said partitioning cryptanalysis based on said measure.
29. The recording medium according to any one of claims 25, 26, 27 and 28, said method further comprising at least one of:
(e) a differential-cryptanalysis resistance evaluating step of: calculating the number of input values x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x,.DELTA.y) except .DELTA.x=0; and evaluating the resistance of said function to differential cryptanalysis based on the result of said calculation; and (f) a linear-cryptanalysis resistance evaluating means for calculating, for said function S(x), the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y and evaluating the resistance of said function to linear cryptanalysis based on the result of said calculation.
(e) a differential-cryptanalysis resistance evaluating step of: calculating the number of input values x that satisfy S(x)+ S(x+.DELTA.x)=.DELTA.y for every set (.DELTA.x,.DELTA.y) except .DELTA.x=0; and evaluating the resistance of said function to differential cryptanalysis based on the result of said calculation; and (f) a linear-cryptanalysis resistance evaluating means for calculating, for said function S(x), the number of input values x for which the inner product of the input value x and its mask value .GAMMA.x is equal to the inner product of a function output value S(x) and its mask value .GAMMA.y and evaluating the resistance of said function to linear cryptanalysis based on the result of said calculation.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP15306698 | 1998-06-02 | ||
| JP10/153066 | 1998-06-02 | ||
| PCT/JP1999/002924 WO1999063706A1 (en) | 1998-06-02 | 1999-06-01 | Device and method for evaluating randomness of function, device and method for generating random function, and recorded medium on which programs for implementing these methods are recorded |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2299538A1 CA2299538A1 (en) | 1999-12-09 |
| CA2299538C true CA2299538C (en) | 2004-08-03 |
Family
ID=15554249
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002299538A Expired - Fee Related CA2299538C (en) | 1998-06-02 | 1999-06-01 | Apparatus and method for evaluating randomness of functions, random function generating apparatus and method, and recording medium having recorded thereon programs for implementing the methods. |
Country Status (4)
| Country | Link |
|---|---|
| US (1) | US7187769B1 (en) |
| EP (1) | EP1001569A4 (en) |
| CA (1) | CA2299538C (en) |
| WO (1) | WO1999063706A1 (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7460665B2 (en) * | 2004-01-21 | 2008-12-02 | National Institute Of Information And Communications Technology | Cipher strength evaluation apparatus |
| US7499541B2 (en) * | 2004-05-11 | 2009-03-03 | National Institute Of Information And Communications Technology | Cipher strength evaluation apparatus |
| JP4882598B2 (en) * | 2006-07-28 | 2012-02-22 | ソニー株式会社 | Cryptographic processing apparatus, cryptographic processing algorithm construction method, cryptographic processing method, and computer program |
| US11151164B2 (en) * | 2013-03-13 | 2021-10-19 | International Business Machines Corporation | Replication group partitioning |
| WO2016047111A1 (en) * | 2014-09-25 | 2016-03-31 | 日本電気株式会社 | Analysis system, analysis device, analysis method, and storage medium having analysis program recorded therein |
| US9363276B2 (en) * | 2014-10-08 | 2016-06-07 | Corsec Security, Inc. | Method and system for testing and validation of cryptographic algorithms |
| EP3672139A1 (en) * | 2018-12-19 | 2020-06-24 | Koninklijke Philips N.V. | A circuit compiling device and circuit evaluation device |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP3029381B2 (en) * | 1994-01-10 | 2000-04-04 | 富士通株式会社 | Data converter |
| US5511123A (en) * | 1994-08-04 | 1996-04-23 | Northern Telecom Limited | Symmetric cryptographic system for data encryption |
| CA2164768C (en) * | 1995-12-08 | 2001-01-23 | Carlisle Michael Adams | Constructing symmetric ciphers using the cast design procedure |
| KR0153758B1 (en) * | 1995-12-26 | 1998-11-16 | 양승택 | The safe method using differential cryptanalysis and linear cryptanalysis |
| US6031911A (en) * | 1996-07-18 | 2000-02-29 | Entrust Technologies, Ltd. | Practical S box design |
| US5745577A (en) * | 1996-07-25 | 1998-04-28 | Northern Telecom Limited | Symmetric cryptographic system for data encryption |
| KR100389902B1 (en) * | 1997-06-23 | 2003-09-22 | 삼성전자주식회사 | Fast block encryption method guaranteeing security for differential cryptanalysis and linear cryptanalysis |
| CA2302784A1 (en) * | 1997-09-17 | 1999-03-25 | Frank C. Luyster | Improved block cipher method |
| US6035042A (en) * | 1997-12-10 | 2000-03-07 | Allegheny Teledyne Inc. | High speed and method of providing high speed table generation for block encryption |
| JP3246433B2 (en) * | 1998-01-27 | 2002-01-15 | 日本電気株式会社 | Cryptographic strength evaluation support apparatus and machine-readable recording medium recording program |
-
1999
- 1999-06-01 CA CA002299538A patent/CA2299538C/en not_active Expired - Fee Related
- 1999-06-01 EP EP99922630A patent/EP1001569A4/en not_active Withdrawn
- 1999-06-01 WO PCT/JP1999/002924 patent/WO1999063706A1/en not_active Application Discontinuation
- 1999-06-01 US US09/463,907 patent/US7187769B1/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| WO1999063706A1 (en) | 1999-12-09 |
| EP1001569A4 (en) | 2002-03-13 |
| EP1001569A1 (en) | 2000-05-17 |
| US7187769B1 (en) | 2007-03-06 |
| CA2299538A1 (en) | 1999-12-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Rijmen et al. | The cipher SHARK | |
| Robshaw | Stream ciphers | |
| Benaloh | Dense probabilistic encryption | |
| Hong et al. | HIGHT: A new block cipher suitable for low-resource device | |
| JP4596686B2 (en) | Secure encryption against DPA | |
| Canteaut | Open problems related to algebraic attacks on stream ciphers | |
| CA2064769C (en) | Encryption system | |
| Saha et al. | RK-AES: an improved version of AES using a new key generation process with random keys | |
| Khan et al. | A chaos-based substitution box (S-Box) design with improved differential approximation probability (DP) | |
| Coron et al. | High order masking of look-up tables with common shares | |
| Biham | Cryptanalysis of Patarin’s 2-round public key system with S boxes (2R) | |
| CA2299538C (en) | Apparatus and method for evaluating randomness of functions, random function generating apparatus and method, and recording medium having recorded thereon programs for implementing the methods. | |
| Biryukov et al. | Security and performance analysis of ARIA | |
| Robshaw | Block ciphers | |
| Baigneres et al. | Proving the security of AES substitution-permutation network | |
| Jacobson Jr et al. | The MAGENTA Block Cipher Algorithm | |
| Khurana et al. | Variants of Differential and Linear Cryptanalysis | |
| Xiao et al. | Hardware design and analysis of block cipher components | |
| Golić | DeKaRT: A new paradigm for key-dependent reversible circuits | |
| JP3145363B2 (en) | Function randomness evaluation device and evaluation method, random function generation device and generation method, and recording medium recording a program for implementing these methods | |
| John et al. | On the design of stream ciphers with Cellular Automata having radius= 2 | |
| RU2206961C2 (en) | Method for iterative block encryption of binary data | |
| Waqas et al. | Cryptographic strength evaluation of AES s-box variants | |
| Siddavaatam et al. | An adaptive security framework with extensible computational complexity for cipher systems | |
| Carter et al. | Key schedules of iterative block ciphers |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKLA | Lapsed |
Effective date: 20140603 |