A study on the construction and analysis of substitution boxes for symmetric cryptosystems

S(ubstitution)-boxes are quite important components of modern symmetric cryptosystems (in particular, block ciphers) in the sense that S-boxes bring nonlinearity to block ciphers and strengthen their cryptographic security. An S-box is said to satisfy the strict avalanche criterion (SAC) if and only if, for any single input bit of the S-box, inverting that bit changes each output bit with probability one half. In this thesis, with a concrete proof of the cryptographic properties of S-boxes satisfying the SAC, we propose a variety of provable construction methods for S-boxes satisfying the SAC. For Boolean S-boxes satisfying the SAC, we can construct and enlarge them by using concatenation, Kronecker (or direct) product, and dyadic shift. For bijective S-boxes satisfying the SAC, when an n-bit input Boolean function and an n-bit input bijective function satisfying the SAC are given, the combined function is proved to be an (n+1)-bit bijective function satisfying the SAC as well. We also propose one simple construction method for bijective functions satisfying the maximum order SAC. Until now, bent functions have received great attention in coding theory, logic synthesis and spread spectrum communications. We show that there exists an interesting relationship between bent functions and Boolean functions satisfying the (maximum order) SAC: all Boolean functions satisfying the maximum order SAC are bent, and all bent functions satisfy at least the 0-th order SAC. For practical applications, we apply these cryptographically useful functions to construct DES-like S-boxes according to our design criteria, including resistance to differential attack. Compared with the DES S-boxes, we found that our designed DES-like S-boxes exhibit better cryptographic properties.
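To make the SAC, the higher-order SAC and the bent-function relationship above concrete, the following added example (not code from the thesis) checks these properties on truth tables of small Boolean functions. The sample functions are constructed here: x0·x1 on 2 bits satisfies the maximum order SAC (order n-2 = 0) and is bent; the affine x0+x1 fails the SAC and is not bent; x0·x1 + x2·x3 on 4 bits is bent and satisfies the SAC but only at order 0, illustrating why bentness guarantees only the 0-th order SAC.

```python
from itertools import combinations, product

def truth_table(f, n):
    """Evaluate f on every n-bit input; bit i of the integer x is input x_i."""
    return [f(x) & 1 for x in range(1 << n)]

def satisfies_sac(tt, n):
    """SAC: for each input bit i, flipping it changes the output for exactly half the inputs."""
    size = 1 << n
    for i in range(n):
        flips = sum(tt[x] ^ tt[x ^ (1 << i)] for x in range(size))
        if 2 * flips != size:
            return False
    return True

def sac_order(tt, n):
    """Highest k such that fixing any k input bits to any constants leaves a function that
    still satisfies SAC (-1 if the unrestricted function fails SAC; at most n-2)."""
    best = -1
    for k in range(n - 1):
        for fixed in combinations(range(n), k):
            free = [i for i in range(n) if i not in fixed]
            for consts in product((0, 1), repeat=k):
                base = sum(c << i for c, i in zip(consts, fixed))
                sub = []  # truth table of the restriction, indexed over the free bits
                for y in range(1 << len(free)):
                    x = base
                    for j, i in enumerate(free):
                        x |= ((y >> j) & 1) << i
                    sub.append(tt[x])
                if not satisfies_sac(sub, len(free)):
                    return best
        best = k
    return best

def is_bent(tt, n):
    """Bent iff every Walsh coefficient W(a) = sum_x (-1)^(f(x) xor a.x) has magnitude 2^(n/2)."""
    size = 1 << n
    if n % 2:
        return False
    for a in range(size):
        w = sum((-1) ** (tt[x] ^ (bin(a & x).count("1") % 2)) for x in range(size))
        if w * w != size:
            return False
    return True

# Constructed sample functions (not from the thesis): x0*x1, the affine x0+x1, and x0*x1 + x2*x3
AND2 = truth_table(lambda x: (x & 1) & (x >> 1 & 1), 2)
XOR2 = truth_table(lambda x: (x & 1) ^ (x >> 1 & 1), 2)
MM4 = truth_table(lambda x: ((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)), 4)
```

Running `sac_order` and `is_bent` on a candidate S-box output function is a quick way to verify the maximum-order-SAC-implies-bent direction on any table you construct.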
Moreover, as experimental work on symmetric cryptosystems, we examine the statistical properties of DES-like cryptosystems (FEAL-4, FEAL-8, Multi2, DES, and s2DES). s2DES is the DES-like cryptosystem in which all the S-boxes of DES are replaced by our 8 designed DES-like S-boxes. These experiments again indicate that our designed DES-like S-boxes have good cryptographic performance. Finally, this thesis will aid in designing and analyzing block cipher algorithms directly and stream cipher algorithms indirectly.

Acknowledgements

I would like to heartily thank my chief advisor, Professor Hideki Imai, for his guidance, encouragement, and support during my 3-year research work. I am also grateful to Professor Yasunori Dohi, Professor Rokuya Ishii, and Associate Professor Ryuji Kohno for their advice. I would like to express my special thanks to Associate Professor Tsutomu Matsumoto for his useful suggestions and helpful comments. I would like to acknowledge many foreign students in Imai Research Laboratory and, in particular, Mr. Manuel Cerecedo (from Spain) and Mr. Young Yoon (from Canada) for their proofreading of my first draft and correcting its grammatical mistakes. Special appreciation and thanks go to my wife, Jongsun Kang, for her patience and understanding throughout the course of this endeavor. Moreover, I feel thankful to my two lovely sons, 6-year-old Sunghak Kim and 4-year-old Jaehak Kim, for growing up favorably. Finally, financial support from the Japanese Ministry of Education (Monbusho) and my workplace in Korea, Electronics and Telecommunications Research Institute (ETRI), is gratefully acknowledged.
