Commit | Line | Data |
---|---|---|
e6e0e332 MW |
1 | %%% -*-latex-*- |
2 | %%% | |
23ec5116 | 3 | %%% $Id: storin.tex,v 1.4 2000/05/28 00:39:32 mdw Exp $ |
e6e0e332 MW |
4 | %%% |
5 | %%% Definition of the cipher | |
6 | %%% | |
7 | %%% (c) 2000 Mark Wooding | |
8 | %%% | |
9 | ||
10 | %%%----- Revision history --------------------------------------------------- | |
11 | %%% | |
12 | %%% $Log: storin.tex,v $ | |
23ec5116 MW |
13 | %%% Revision 1.4 2000/05/28 00:39:32 mdw |
14 | %%% Fix some errors. | |
15 | %%% | |
4643f89a MW |
16 | %%% Revision 1.3 2000/05/25 19:46:22 mdw |
17 | %%% Improve analysis section. | |
18 | %%% | |
31b692a0 MW |
19 | %%% Revision 1.2 2000/05/21 21:43:26 mdw |
20 | %%% Fix a couple of typos. | |
21 | %%% | |
e6e0e332 MW |
22 | %%% Revision 1.1 2000/05/21 11:28:30 mdw |
23 | %%% Initial check-in. | |
24 | %%% | |
25 | ||
26 | %%%----- Preamble ----------------------------------------------------------- | |
27 | ||
28 | \documentclass[a4paper]{article} | |
29 | \usepackage[palatino, helvetica, courier, maths=cmr]{mdwfonts} | |
30 | \usepackage{mdwtab} | |
31 | \usepackage{mathenv} | |
32 | \usepackage{amsfonts} | |
33 | \usepackage{mdwmath} | |
34 | \usepackage[all, dvips]{xy} | |
35 | ||
36 | \def\ror{\mathbin{>\!\!>\!\!>}} | |
37 | \def\rol{\mathbin{<\!\!<\!\!<}} | |
38 | \def\lsr{\mathbin{>\!\!>}} | |
39 | \def\lsl{\mathbin{<\!\!<}} | |
40 | \def\xor{\oplus} | |
41 | \def\seq#1{{\langle #1 \rangle}} | |
42 | ||
4643f89a MW |
43 | \def\hex#1{\texttt{#1}_{16}} |
44 | ||
e6e0e332 MW |
45 | \sloppy |
46 | ||
47 | \title{Storin: A block cipher for digital signal processors} | |
48 | \author{Mark Wooding (\texttt{mdw@nsict.org})} | |
49 | ||
50 | %% --- The cipher diagrams --- | |
51 | ||
52 | \def\figkeymix#1#2#3#4{% | |
53 | \ar "a"; p-(0, 0.5)*{\xor} ="a" \ar "a"+(1, 0) *+[r]{k_{#1}}; "a"% | |
54 | \ar "b"; p-(0, 0.5)*{\xor} ="b" \ar "b"+(1, 0) *+[r]{k_{#2}}; "b"% | |
55 | \ar "c"; p-(0, 0.5)*{\xor} ="c" \ar "c"+(1, 0) *+[r]{k_{#3}}; "c"% | |
56 | \ar "d"; p-(0, 0.5)*{\xor} ="d" \ar "d"+(1, 0) *+[r]{k_{#4}}; "d"% | |
57 | } | |
58 | ||
59 | \def\figmatrix{% | |
60 | \POS "a"+(3, -1) *++=(7, 0)[F]u\txt{Matrix multiply} ="m"% | |
61 | \ar "a"; "m"+U-(3, 0) \ar "b"; "m"+U-(1, 0)% | |
62 | \ar "c"; "m"+U+(1, 0) \ar "d"; "m"+U+(3, 0)% | |
63 | } | |
64 | ||
65 | \def\figlintrans{% | |
66 | \ar "m"+D-(3, 0); "a"-(0, 2.25)*{\xor} ="a"% | |
67 | \POS "a"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
68 | \ar `r "a"+(0, 0.5); p+(1, 0) "x" \ar "x"; "a"% | |
69 | \ar "m"+D-(1, 0); "b"-(0, 2.25)*{\xor} ="b"% | |
70 | \POS "b"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
71 | \ar `r "b"+(0, 0.5); p+(1, 0) "x" \ar "x"; "b"% | |
72 | \ar "m"+D+(1, 0); "c"-(0, 2.25)*{\xor} ="c"% | |
73 | \POS "c"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
74 | \ar `r "c"+(0, 0.5); p+(1, 0) "x" \ar "x"; "c"% | |
75 | \ar "m"+D+(3, 0); "d"-(0, 2.25)*{\xor} ="d"% | |
76 | \POS "d"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
77 | \ar `r "d"+(0, 0.5); p+(1, 0) "x" \ar "x"; "d"% | |
78 | } | |
79 | ||
80 | \def\figilintrans{% | |
81 | \ar "a"; "a"-(0, 1)*{\xor} ="a"% | |
82 | \POS "a"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
83 | \ar `r "a"+(0, 0.5); p+(1, 0) "x" \ar "x"; "a"% | |
84 | \ar "b"; "b"-(0, 1)*{\xor} ="b"% | |
85 | \POS "b"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
86 | \ar `r "b"+(0, 0.5); p+(1, 0) "x" \ar "x"; "b"% | |
87 | \ar "c"; "c"-(0, 1)*{\xor} ="c"% | |
88 | \POS "c"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
89 | \ar `r "c"+(0, 0.5); p+(1, 0) "x" \ar "x"; "c"% | |
90 | \ar "d"; "d"-(0, 1)*{\xor} ="d"% | |
91 | \POS "d"+(1, 0) *+[F]{{} \lsr 12} ="x"% | |
92 | \ar `r "d"+(0, 0.5); p+(1, 0) "x" \ar "x"; "d"% | |
93 | } | |
94 | ||
31b692a0 | 95 | \def\figstart#1{% |
e6e0e332 MW |
96 | \POS 0;<1cm,0cm>:% |
97 | \turnradius{4pt}% | |
31b692a0 MW |
98 | \ar @{-} (0, 0) *+{a#1}; p-(0, 0.5) ="a" |
99 | \ar @{-} (2, 0) *+{b#1}; p-(0, 0.5) ="b" | |
100 | \ar @{-} (4, 0) *+{c#1}; p-(0, 0.5) ="c" | |
101 | \ar @{-} (6, 0) *+{d#1}; p-(0, 0.5) ="d" | |
e6e0e332 MW |
102 | } |
103 | ||
104 | \def\figround#1#2#3#4#5{% | |
105 | \ar @{.} "a"-(0.5, 0); p+(8, 0)% | |
106 | \POS "a"+(8, -1.75) *[r]\txt{#5}% | |
107 | \figkeymix{#1}{#2}{#3}{#4}% | |
108 | \figmatrix% | |
109 | \figlintrans% | |
110 | \ar @{-} "a"; p-(0, .5) ="a" | |
111 | \ar @{-} "b"; p-(0, .5) ="b" | |
112 | \ar @{-} "c"; p-(0, .5) ="c" | |
113 | \ar @{-} "d"; p-(0, .5) ="d" | |
114 | } | |
115 | ||
116 | \def\figiround#1#2#3#4#5{% | |
117 | \ar @{.} "a"-(0.5, 0); p+(8, 0)% | |
118 | \POS "a"+(8, -1.75) *[r]\txt{#5}% | |
119 | \figkeymix{#1}{#2}{#3}{#4}% | |
120 | \figilintrans% | |
121 | \figmatrix% | |
122 | \ar @{-} "m"+D-(3, 0); p-(0, .5) ="a" | |
123 | \ar @{-} "m"+D-(1, 0); p-(0, .5) ="b" | |
124 | \ar @{-} "m"+D+(1, 0); p-(0, .5) ="c" | |
125 | \ar @{-} "m"+D+(3, 0); p-(0, .5) ="d" | |
126 | } | |
127 | ||
128 | \def\figgap{% | |
129 | \ar @{.} "a"-(0.5, 0); p+(8, 0) | |
130 | \POS "a"+(8, -1)*[r]\txt{Six more rounds} | |
131 | \ar @{--} "a"; "a"-(0, 2) ="a" | |
132 | \ar @{--} "b"; "b"-(0, 2) ="b" | |
133 | \ar @{--} "c"; "c"-(0, 2) ="c" | |
134 | \ar @{--} "d"; "d"-(0, 2) ="d" | |
135 | } | |
136 | ||
31b692a0 | 137 | \def\figwhite#1#2#3#4#5{% |
e6e0e332 MW |
138 | \ar @{.} "a"-(0.5, 0); p+(8, 0) |
139 | \POS "a"+(8, -1)*[r]\txt{Postwhitening} | |
140 | \figkeymix{#1}{#2}{#3}{#4} | |
31b692a0 MW |
141 | \ar "a"; p-(0, 1) *+{a#5} |
142 | \ar "b"; p-(0, 1) *+{b#5} | |
143 | \ar "c"; p-(0, 1) *+{c#5} | |
144 | \ar "d"; p-(0, 1) *+{d#5} | |
e6e0e332 MW |
145 | } |
146 | ||
147 | \begin{document} | |
148 | \maketitle | |
149 | ||
150 | %%%----- The main text ------------------------------------------------------ | |
151 | ||
152 | \begin{abstract} | |
153 | We present Storin: a new 96-bit block cipher designed to play to the | |
154 | strengths of current digital signal processors (DSPs). In particular, DSPs | |
155 | tend to provide single-cycle multiply-and-accumulate operations, making | |
156 | matrix multiplications very cheap. Working in an environment where | |
157 | multiplication is as fast as exclusive-or changes the usual perceptions | |
158 | about which operations provide good cryptographic strength cheaply. The | |
159 | scarcity of available memory, for code and for tables, and a penalty for | |
160 | nonsequential access to data also make traditional block ciphers based | |
161 | around substitution tables unsuitable. | |
162 | \end{abstract} | |
163 | ||
164 | \tableofcontents | |
165 | ||
166 | \section{Definition of the cipher} | |
167 | ||
168 | \subsection{Overview} | |
169 | ||
170 | Storin is an eight-round SP network operating on 96-bit blocks. The block | |
171 | cipher uses 36 24-bit subkey words, derived from a user key by the key | |
172 | schedule. | |
173 | ||
174 | The 96-bit input is split into four 24-bit words. Each round then processes | |
175 | these four words, using the following three steps: | |
176 | \begin{enumerate} | |
177 | \item Mixing in of some key material. Four 24-bit subkey words are XORed | |
178 | with the four data words. | |
179 | \item A matrix multiplication mod $2^{24}$. The four words are treated as a | |
180 | column vector and premultiplied by a $4 \times 4$ vector using addition and | |
181 | multiplication mod $2^{24}$. This is the main nonlinear step in the | |
182 | cipher, and it also provides most of the cipher's diffusion. | |
183 | \item A simple linear transformation, which replaces each word $x$ by $x \xor | |
184 | (x \lsr 12)$. | |
185 | \end{enumerate} | |
186 | The four data words output by the final round are XORed with the last four | |
187 | subkey words in a final postwhitening stage and combined to form the 96-bit | |
188 | ciphertext. | |
189 | ||
190 | The cipher structure is shown diagrammatically in figure~\ref{fig:cipher}. | |
191 | ||
192 | \begin{figure} | |
193 | \centering | |
194 | \leavevmode | |
195 | \begin{xy} | |
196 | \xycompile{ | |
31b692a0 | 197 | \figstart{} |
e6e0e332 MW |
198 | \figround{0}{1}{2}{3}{Round 1} |
199 | \figround{4}{5}{6}{7}{Round 2} | |
200 | \figgap | |
31b692a0 | 201 | \figwhite{32}{33}{34}{35}{'}} |
e6e0e332 MW |
202 | \end{xy} |
203 | \caption{The Storin encryption function} | |
204 | \label{fig:cipher} | |
205 | \end{figure} | |
206 | ||
207 | Since the matrix used in step 2 is chosen to be invertible, the cipher can be | |
208 | inverted readily, simply by performing the inverse steps in the reverse | |
209 | order. Since the postwhitening stage is the same as a key mixing stage, | |
210 | decryption can be viewed as eight rounds consisting of key mixing, linear | |
211 | transformation and matrix multiplication, followed by a postwhitening stage. | |
212 | Thus, the structure of the inverse cipher is very similar to the forwards | |
213 | cipher, and uses the same components. The decryption function is shown | |
214 | diagrammatically in figure~\ref{fig:decipher}. | |
215 | ||
216 | \begin{figure} | |
217 | \centering | |
218 | \leavevmode | |
219 | \begin{xy} | |
220 | \xycompile{ | |
31b692a0 | 221 | \figstart{'} |
e6e0e332 MW |
222 | \figiround{32}{33}{34}{35}{Round 1} |
223 | \figiround{28}{29}{30}{31}{Round 2} | |
224 | \figgap | |
31b692a0 | 225 | \figwhite{0}{1}{2}{3}{}} |
e6e0e332 MW |
226 | \end{xy} |
227 | \caption{The Storin decryption function} | |
228 | \label{fig:decipher} | |
229 | \end{figure} | |
230 | ||
231 | The key schedule is designed to be simple and to reuse the cipher components | |
232 | already available. Given a user key, which is a sequence of one or more | |
233 | 24-bit words, it produces the 36 subkey words required by the cipher. The | |
234 | key schedule is very similar to Blowfish \cite{blowfish}. The subkey array | |
235 | is assigned an initial constant value derived from the matrix used in the | |
236 | cipher. Words from the user key are XORed into the array, starting from the | |
237 | beginning, and restarting from the beginning of the user key when all the | |
238 | user key words are exhausted. A 96-bit block is initialized to zero, and | |
239 | enciphered with Storin, using the subkeys currently in the array. The first | |
240 | four subkey words are then replaced with the resulting ciphertext, which is | |
241 | then encrypted again using the new subkeys. The next four subkey words are | |
242 | replaced with the ciphertext, and the process continues, nine times in all, | |
243 | until all of the subkey words have been replaced. | |
244 | ||
4643f89a | 245 | The Storin key schedule can in theory accept user keys up to 36 words (864 |
23ec5116 MW |
246 | bits) long. However, there are known problems with keys longer than 28 words |
247 | (672 bits), and these large keys are forbidden. We expect that with long | |
248 | keys, attacks will be found which are more efficient than an exhaustive | |
249 | search of the keyspace; we therefore (conservatively) recommend 5 word | |
250 | (120-bit) keys as a practical maximum. | |
e6e0e332 MW |
251 | |
252 | ||
253 | \subsection{Encryption} | |
254 | ||
255 | We define $\mathcal{W} = \mathbb{Z}_{2^{24}}$ to be set of 24-bit words, and | |
256 | $\mathcal{P} = \mathcal{W}^4$ to be the set of four-entry column vectors over | |
257 | $\mathcal{W}$. Storin plaintext blocks are members of $\mathcal{P}$. | |
258 | ||
259 | The Storin encryption function uses 36 24-bit words of key material $k_0$, | |
260 | $k_1$, \ldots, $k_{35}$, which are produced from the user key by the key | |
261 | schedule, described below. The key-mixing operation $K_i: \mathcal{P} | |
262 | \rightarrow \mathcal{P}$ is defined for $0 \le i < 9$ by: | |
263 | \[ | |
264 | K_i \begin{pmatrix} a \\ b \\ c \\d \end{pmatrix} | |
265 | = | |
266 | \begin{pmatrix} | |
267 | a \xor k_{4i} \\ b \xor k_{4i+1} \\ c \xor k_{4i+2} \\ d \xor k_{4i+3} | |
268 | \end{pmatrix} | |
269 | \] | |
270 | ||
271 | The matrix multiplication operation $M: \mathcal{P} \to \mathcal{P}$ | |
272 | is described by $M(\mathbf{x}) = \mathbf{M} \mathbf{x}$, where $\mathbf{M}$ | |
273 | is a fixed invertible $4 \times 4$ matrix over $\mathcal{W}$. The value of | |
274 | $\mathbf{M}$ is defined below. | |
275 | ||
276 | The linear transformation $L: \mathcal{P} \to \mathcal{P}$ is defined by: | |
277 | \[ | |
278 | L \begin{pmatrix} a \\ b \\ c \\ d \end{pmatrix} | |
279 | = | |
280 | \begin{pmatrix} | |
281 | a \xor (a \lsr 12) \\ | |
282 | b \xor (b \lsr 12) \\ | |
283 | c \xor (c \lsr 12) \\ | |
284 | d \xor (d \lsr 12) | |
285 | \end{pmatrix} | |
286 | \] | |
287 | ||
288 | The round function $R_i: \mathcal{P} \to \mathcal{P}$ is defined for $0 \le i | |
289 | < 8$ by | |
290 | \[ R_i(\mathbf{x}) = L\bigl(\mathbf{M} K_i(\mathbf{x}) \bigr) \] | |
291 | ||
292 | The cipher $C: \mathcal{P} \to \mathcal{P}$ is defined in terms of $R_i$ and | |
293 | $K_i$. Let $\mathbf{x}_0 \in \mathcal{P}$ be a plaintext vector. Let | |
294 | $\mathbf{x}_{i+1} = R_i(\mathbf{x}_i)$ for $0 \le i < 8$. Then we define | |
295 | $C(\mathbf{x})$ by setting $C(\mathbf{x}_0) = K_8(\mathbf{x}_8)$. | |
296 | ||
297 | ||
298 | \subsection{Key schedule} | |
299 | ||
300 | The key schedule converts a user key, which is a sequence of 24-bit words, | |
301 | into the 36 subkeys required by the cipher. | |
302 | ||
303 | For $i \ge 0$, we define that | |
304 | \[ | |
305 | \begin{pmatrix} | |
306 | m_{16i + 0} & m_{16i + 1} & m_{16i + 2} & m_{16i + 3} \\ | |
307 | m_{16i + 4} & m_{16i + 5} & m_{16i + 6} & m_{16i + 7} \\ | |
308 | m_{16i + 8} & m_{16i + 9} & m_{16i + 10} & m_{16i + 11} \\ | |
309 | m_{16i + 12} & m_{16i + 13} & m_{16i + 14} & m_{16i + 15} | |
310 | \end{pmatrix} | |
311 | = \mathbf{M}^{i + 2} | |
312 | \] | |
313 | ||
314 | Let the user-supplied key be $u_0$, $u_1$, \ldots, $u_{n-1}$, for some $n > | |
315 | 0$. We define the sequence $z_0$, $z_1$, \ldots\ by | |
316 | \[ z_i = m_i \xor u_{i \bmod n} \] | |
317 | for $i \ge 0$. | |
318 | ||
319 | Denote the result of encrypting vector $\mathbf{x}$ using subkeys from the | |
320 | sequence $\seq{w} = w_0, w_1, \ldots, w_{35}$ as $C_{\seq{w}}(\mathbf{x})$. | |
321 | We define the key schedule to be $k_0$, $k_1$, \ldots, $k_{35}$, where: | |
322 | \begin{eqlines*} | |
323 | \seq{p^{(i)}} = k_0, k_1, \ldots, k_{4i-1}, z_{4i}, z_{4i+1}, \ldots \\ | |
324 | \mathbf{x}_0 = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}; \qquad | |
325 | \begin{pmatrix} k_{4i} \\ k_{4i+1} \\ k_{4i+2} \\ k_{4i+3} \end{pmatrix} | |
326 | = \mathbf{x}_{i+1} = C_{\seq{p^{(i)}}}(\mathbf{x}_i) | |
327 | \end{eqlines*} | |
328 | ||
329 | ||
330 | \subsection{Decryption} | |
331 | ||
332 | The individual operations used during encryption are all invertible. Key | |
333 | mixing is inverted by taking keys from the other end of the array: | |
334 | \[ K^{-1}_i(\mathbf{x}) = K_{8-i}(\mathbf{x}) \] | |
335 | The matrix multiplication may be inverted simply by using the inverse matrix | |
336 | $\mathbf{M}^{-1}$: | |
337 | \[ M^{-1}(\mathbf{x}) = \mathbf{M}^{-1} \mathbf{x} \] | |
338 | Finally, the linear transformation is its own inverse: | |
339 | \[ L^{-1}(\mathbf{x}) = L(\mathbf{x}) \] | |
340 | The inverse round function can now be defined as: | |
341 | \[ R^{-1}_i(\mathbf{x}) = | |
342 | \mathbf{M}^{-1} L\bigl(K^{-1}_i(\mathbf{x})\bigr) \] | |
343 | ||
344 | The decryption function $C^{-1}: \mathcal{P} \to \mathcal{P}$ is defined | |
345 | in terms of $R^{-1}$ and $K^{-1}$ in a very similar way to encryption. Let | |
346 | $\mathbf{x}_0$ be a ciphertext vector. Let $\mathbf{x}_{i+1} = | |
347 | R^{-1}_i(\mathbf{x}_i)$ for $0 \le i < 8$. Then we define | |
348 | $C^{-1}(\mathbf{x}_0) = K^{-1}_8(\mathbf{x}_8)$. | |
349 | ||
350 | ||
351 | \subsection{Constants} | |
352 | ||
353 | The matrix $\mathbf{M}$ and its inverse $\mathbf{M}^{-1}$ are: | |
354 | \begin{eqnarray*}[rl] | |
355 | \mathbf{M} = & | |
4643f89a MW |
356 | \begin{pmatrix} |
357 | \hex{f7a413} & \hex{54bd81} & \hex{447550} & \hex{ff4449} \\ | |
358 | \hex{f31e87} & \hex{d85388} & \hex{de32cb} & \hex{40e3d7} \\ | |
359 | \hex{d9db1d} & \hex{551b45} & \hex{e9d19f} & \hex{e443de} \\ | |
360 | \hex{4b949a} & \hex{4d435d} & \hex{ef0a17} & \hex{b784e1} | |
e6e0e332 MW |
361 | \end{pmatrix} \\ |
362 | \mathbf{M}^{-1} = & | |
4643f89a MW |
363 | \begin{pmatrix} |
364 | \hex{17391b} & \hex{fafb4b} & \hex{a66823} & \hex{f2efb6} \\ | |
365 | \hex{13e0e5} & \hex{2ed5e4} & \hex{b2cfff} & \hex{d9cdb5} \\ | |
366 | \hex{2af462} & \hex{33826d} & \hex{de66a1} & \hex{eb6c85} \\ | |
367 | \hex{c2f423} & \hex{e904a3} & \hex{e772d8} & \hex{d791f1} | |
e6e0e332 MW |
368 | \end{pmatrix} |
369 | \end{eqnarray*} | |
370 | ||
371 | ||
372 | ||
373 | \section{Rationale and analysis} | |
374 | ||
375 | \subsection{Design decisions} | |
376 | ||
377 | The initial objective was to produce a cipher which played to the particular | |
378 | strengths of digital signal processors. DSPs tend to have good multipliers, | |
31b692a0 | 379 | and are particularly good at matrix multiplication. The decision to use a |
e6e0e332 MW |
380 | matrix multiplication over $\mathbb{Z}_{2^{24}}$ seemed natural, given that |
381 | 24 bits is a commonly offered word size. | |
382 | ||
383 | The choice of a 96-bit block is also fairly natural. A 2 word (48-bit) block | |
384 | is clearly too small, and a 3 word (72-bit) block is a little on the small | |
385 | side too. | |
386 | ||
387 | ||
388 | \subsection{Matrix multiplication over $\mathbb{Z}_{2^{24}}$} | |
389 | ||
390 | Integer multiplication on a DSP is a cheap source of nonlinearity. Note that | |
391 | bit $i$ of the result depends on all of the bits in the operands of lesser or | |
392 | equal significance.position $i$ downwards. | |
393 | ||
394 | The decision to make the $4 \times 4$ matrix fixed was taken fairly early on. | |
395 | Generating invertible matrices from key material seemed like too much work to | |
396 | expect from the DSP. | |
397 | ||
398 | The matrix is generated pseudorandomly from a seed string, using SHA-1. The | |
399 | criteria we used to choose the matrix are: | |
400 | \begin{enumerate} | |
401 | \item The matrix must be invertible. | |
402 | \item Exactly one entry in each row and column of the matrix must be even. | |
403 | \end{enumerate} | |
404 | Criterion 1 is obvious. Criterion 2 encourages diffusion between the entries | |
405 | in the block vector. Note that if a matrix satisfies the second criterion, | |
406 | its inverse also does. | |
407 | ||
408 | Consider a vector $\mathbf{x}$ and its product with the matrix $\mathbf{M} | |
409 | \mathbf{x}$. Whether the top bit of entry $i$ in $\mathbf{x}$ affects | |
410 | entry $j$ in the product depends on whether the entry in row $j$, column $i$ | |
411 | of $\mathbf{M}$ is even. Criterion 2 ensures the following: | |
412 | \begin{itemize} | |
4643f89a | 413 | \item A top-bit change in a single word affects three words in the output. |
e6e0e332 MW |
414 | \item A top-bit change in two words affects two words in the output. |
415 | \end{itemize} | |
416 | ||
417 | The seed string used is \texttt{matrix-seed-string}. The program which | |
418 | generates the matrix is included with the Storin example source code. | |
419 | ||
420 | \subsection{The linear transformation} | |
421 | ||
422 | A bit change in one of the inputs to the matrix can only affect bits at that | |
423 | position and higher in the output. The linear transformation at the end of | |
424 | the round aims to provide diffusion from the high-order bits back to the | |
425 | low-order bits. | |
426 | ||
427 | A single high-order bit change in the input to a round will affect the | |
428 | high-order bits of three words in the output of the matrix multiply. The | |
429 | linear transformation causes it to affect bits in the low halves of each of | |
430 | these words. The second round's multiplication causes these bits to affect | |
431 | the whole top halves of all of the output words. The linear transformation | |
432 | propagates this change to the bottom halves. Complete avalanche is therefore | |
433 | achieved after three rounds of Storin. | |
434 | ||
435 | ||
436 | \subsection{Key schedule notes} | |
437 | ||
438 | The key schedule is intended to be adequate for bulk encryption; it doesn't | |
4643f89a MW |
439 | provide good key agility, and isn't intended to. The key schedule accepts up |
440 | to 28 words of user key, although expecting 672 bits of security from the | |
441 | cipher is not realistic. The suggested maximum of 5 words (120 bits) seems | |
442 | more sensible. This maximum can be raised easily when our understanding of | |
443 | the cipher increases our confidence in it. | |
e6e0e332 MW |
444 | |
445 | The key schedule is strongly reminiscent of Blowfish \cite{blowfish}. Use of | |
446 | existing components of the cipher, such as the matrix multiplication and the | |
447 | cipher itself, help reduce the amount of code required in the implementation. | |
448 | ||
4643f89a | 449 | The restriction of the key schedule to 28 words is due to an interesting |
23ec5116 MW |
450 | property, also shared by Blowfish \cite{blowfish} (see |
451 | figure~\ref{fig:bfkeysched}): the output of the first round of the second | |
452 | encryption doesn't depend on the previous round. To see why this is so, it | |
453 | is enough to note that the first round key has just been set equal to what is | |
454 | now the plaintext; the result of the key mixing stage is zero, which is | |
455 | unaffected by the matrix and linear transformation. | |
e6e0e332 | 456 | |
4643f89a MW |
457 | A limit of 28 words is chosen to ensure that the round-1 key affects the |
458 | round-2 key in a part of the cipher earlier than the postwhitening stage. | |
459 | ||
460 | \begin{figure} | |
461 | \centering | |
462 | \leavevmode | |
463 | \begin{xy} | |
464 | \xycompile{ | |
465 | \POS 0; <0.7cm, 0cm>: | |
466 | \POS (0, 0) ="o" +(3, 0) ="w" | |
467 | \ar "o" *+{P[0]}; p-(0, 1) *{\xor} ="x" | |
468 | \ar "x" -(1, 0) *+[l]{P[0]}; "x" | |
469 | \ar@{-} "x"; p-(0, 2) ="as" | |
470 | \ar "w" *+{P[1]}; p-(0, 2) *{\xor} ="x" | |
471 | \ar "o"-(0, 2); "x" |-*+[F]{F} | |
472 | \ar@{-} "x"; p-(0, 1) ="bs" | |
473 | \ar@{-} "as"; "bs"-(0, 1) ="w" | |
474 | \ar@{-} "bs"; "as"-(0, 1) ="o" | |
475 | \ar "o"; p-(0, 1) *+{P[1] \xor F(0)} ="x" | |
476 | \ar "x"; p-(0, 1) *{\xor} ="x" | |
477 | \ar "x" -(1, 0) *+[l]{P[1]}; "x" | |
478 | \ar "x"; p-(0, 2) *+{F(0)} | |
479 | \ar "w"; p-(0, 1) *+{0} ="x" | |
480 | \ar "x"; p-(0, 2) *{\xor} ="x" | |
481 | \ar "o"-(0, 3); "x" |-*+[F]{F} | |
482 | \ar "x"; p-(0, 1) *+{F^2(0)}} | |
483 | \end{xy} | |
484 | \caption{Blowfish key schedule: $P[2]$ and $P[3]$ don't depend on $P[0]$ and | |
485 | $P[1]$.} | |
486 | \label{fig:bfkeysched} | |
487 | \end{figure} | |
e6e0e332 MW |
488 | |
489 | \subsection{Attacking Storin} | |
490 | ||
4643f89a MW |
491 | There is a two-round truncated differential \cite{storin-tdiff}, which can be |
492 | used to break Storin reduced to only 2 rounds. The differential | |
493 | \[ (\hex{800000}, \hex{800000}, \hex{800000}, 0) \to | |
494 | (0, 0, \hex{800000}, 0) \] | |
495 | holds with probability 1 through the matrix multiplication. | |
496 | Differentials in the linear transform are easy to find; for example: | |
497 | \[ (0, 0, \hex{800000}, 0) \to (0, 0, \hex{800800}, 0) \] | |
498 | We can continue through the second round's matrix multiplication with a | |
499 | truncated differential, again with probability 1: | |
500 | \[ (0, 0, \hex{800800}, 0) \to | |
501 | (\hex{???000}, \hex{???800}, \hex{???800}, \hex{???800}) \] | |
502 | The following linear transform can be commuted with the postwhitening by | |
503 | applying a trivial reversible transformation to the postwhitening keys, and | |
504 | we can apply it to the ciphertext. If we do this, we can combine the | |
505 | differentials above to construct a probability-1 characteristic for a 2-round | |
506 | variant of Storin: | |
507 | \[ (\hex{800000}, \hex{800000}, \hex{800000}, 0) \to | |
508 | (\hex{???000}, \hex{???800}, \hex{???800}, \hex{???800}) \] | |
509 | This characteristic is non-iterative, and can't be extended to more rounds. | |
510 | ||
511 | In \cite{storin-collide}, Matthew Fisher speculates on breaking 2 rounds of | |
512 | Storin by forcing collisions in the matrix multiplication outputs. This | |
513 | attack doesn't extend to more than two rounds either. | |
514 | ||
e6e0e332 MW |
515 | One possible avenue of attack worth exploring is to attempt to cause zero |
516 | words to be input into the first-round matrix by choosing plaintext words | |
517 | identical to subkey words for the first round. Causing $n$ matrix input | |
518 | words to be zero clearly takes $O(2^{24n})$ time. If a method can be found | |
519 | to detect when zero words have been input to the matrix, this can be used to | |
520 | discover the subkey words rather more rapidly than exhaustive search. We | |
521 | can't see a way to exploit this at the moment, but it could be a fruitful | |
522 | place to look for cryptanalysis. | |
523 | ||
524 | ||
525 | \section{Conclusion} | |
526 | ||
527 | We have presented a new block cipher, Storin. Any cryptanalysis will be | |
528 | received with interest. | |
529 | ||
530 | ||
531 | \begin{thebibliography}{99} | |
4643f89a MW |
532 | \bibitem{storin-collide} M. Fisher, `Yet another block cipher: Storin', |
533 | sci.crypt article, message-id \texttt{<8gjctn\$9ct\$1@nnrp1.deja.com>} | |
534 | \bibitem{idea} X. Lai, `On the Design and Security of Block Ciphers', ETH | |
535 | Series in Informatics Processing, J. L. Massey (editor), vol. 1, | |
536 | Hartung-Gorre Verlag Konstanz, Technische Hochschule (Zurich), 1992 | |
537 | \bibitem{blowfish} B. Schneier, `The Blowfish Encryption Algorithm', | |
538 | \textit{Dr Dobb's Journal}, vol. 19 no. 4, April 1994, pp. 38--40 | |
539 | \bibitem{storin-tdiff} M. D. Wooding, `Yet another block cipher: Storin', | |
540 | sci.crypt article, message-id | |
541 | \texttt{<slrn8iqhaq.872.mdw@mull.ncipher.com>} | |
e6e0e332 MW |
542 | \end{thebibliography} |
543 | ||
544 | %%%----- That's all, folks -------------------------------------------------- | |
545 | ||
546 | \end{document} | |
547 | ||
548 | %%% Local Variables: | |
549 | %%% mode: latex | |
550 | %%% TeX-master: t | |
551 | %%% End: |