3 %%% $Id: storin.tex,v 1.1 2000/05/21 11:28:30 mdw Exp $
5 %%% Definition of the cipher
7 %%% (c) 2000 Mark Wooding
10 %%%----- Revision history ---------------------------------------------------
12 %%% $Log: storin.tex,v $
13 %%% Revision 1.1 2000/05/21 11:28:30 mdw
17 %%%----- Preamble -----------------------------------------------------------
19 \documentclass[a4paper]{article
}
20 \usepackage[palatino, helvetica, courier, maths=cmr
]{mdwfonts
}
25 \usepackage[all,
dvips]{xy
}
27 \def\ror{\mathbin{>\!\!>\!\!>
}}
28 \def\rol{\mathbin{<\!\!<\!\!<
}}
29 \def\lsr{\mathbin{>\!\!>
}}
30 \def\lsl{\mathbin{<\!\!<
}}
32 \def\seq#1{{\langle #1 \rangle}}
36 \title{Storin: A block cipher for digital signal processors
}
37 \author{Mark Wooding (
\texttt{mdw@nsict.org
})
}
39 %% --- The cipher diagrams ---
41 \def\figkeymix#1#2#3#4{%
42 \ar "a"; p-(
0,
0.5)*
{\xor} ="a"
\ar "a"+(
1,
0) *+
[r
]{k_
{#1}}; "a"
%
43 \ar "b"; p-(
0,
0.5)*
{\xor} ="b"
\ar "b"+(
1,
0) *+
[r
]{k_
{#2}}; "b"
%
44 \ar "c"; p-(
0,
0.5)*
{\xor} ="c"
\ar "c"+(
1,
0) *+
[r
]{k_
{#3}}; "c"
%
45 \ar "d"; p-(
0,
0.5)*
{\xor} ="d"
\ar "d"+(
1,
0) *+
[r
]{k_
{#4}}; "d"
%
49 \POS "a"+(
3, -
1) *++=(
7,
0)
[F
]u
\txt{Matrix multiply
} ="m"
%
50 \ar "a"; "m"+U-(
3,
0)
\ar "b"; "m"+U-(
1,
0)
%
51 \ar "c"; "m"+U+(
1,
0)
\ar "d"; "m"+U+(
3,
0)
%
55 \ar "m"+D-(
3,
0); "a"-(
0,
2.25)*
{\xor} ="a"
%
56 \POS "a"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
57 \ar `r "a"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "a"
%
58 \ar "m"+D-(
1,
0); "b"-(
0,
2.25)*
{\xor} ="b"
%
59 \POS "b"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
60 \ar `r "b"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "b"
%
61 \ar "m"+D+(
1,
0); "c"-(
0,
2.25)*
{\xor} ="c"
%
62 \POS "c"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
63 \ar `r "c"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "c"
%
64 \ar "m"+D+(
3,
0); "d"-(
0,
2.25)*
{\xor} ="d"
%
65 \POS "d"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
66 \ar `r "d"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "d"
%
70 \ar "a"; "a"-(
0,
1)*
{\xor} ="a"
%
71 \POS "a"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
72 \ar `r "a"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "a"
%
73 \ar "b"; "b"-(
0,
1)*
{\xor} ="b"
%
74 \POS "b"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
75 \ar `r "b"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "b"
%
76 \ar "c"; "c"-(
0,
1)*
{\xor} ="c"
%
77 \POS "c"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
78 \ar `r "c"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "c"
%
79 \ar "d"; "d"-(
0,
1)*
{\xor} ="d"
%
80 \POS "d"+(
1,
0) *+
[F
]{{} \lsr 12} ="x"
%
81 \ar `r "d"+(
0,
0.5); p+(
1,
0) "x"
\ar "x"; "d"
%
87 \ar @
{-
} (
0,
0) *+
{a
}; p-(
0,
0.5) ="a"
88 \ar @
{-
} (
2,
0) *+
{b
}; p-(
0,
0.5) ="b"
89 \ar @
{-
} (
4,
0) *+
{c
}; p-(
0,
0.5) ="c"
90 \ar @
{-
} (
6,
0) *+
{d
}; p-(
0,
0.5) ="d"
93 \def\figround#1#2#3#4#5{%
94 \ar @
{.
} "a"-(
0.5,
0); p+(
8,
0)
%
95 \POS "a"+(
8, -
1.75) *
[r
]\txt{#5}%
96 \figkeymix{#1}{#2}{#3}{#4}%
99 \ar @
{-
} "a"; p-(
0,
.5) ="a"
100 \ar @
{-
} "b"; p-(
0,
.5) ="b"
101 \ar @
{-
} "c"; p-(
0,
.5) ="c"
102 \ar @
{-
} "d"; p-(
0,
.5) ="d"
105 \def\figiround#1#2#3#4#5{%
106 \ar @
{.
} "a"-(
0.5,
0); p+(
8,
0)
%
107 \POS "a"+(
8, -
1.75) *
[r
]\txt{#5}%
108 \figkeymix{#1}{#2}{#3}{#4}%
111 \ar @
{-
} "m"+D-(
3,
0); p-(
0,
.5) ="a"
112 \ar @
{-
} "m"+D-(
1,
0); p-(
0,
.5) ="b"
113 \ar @
{-
} "m"+D+(
1,
0); p-(
0,
.5) ="c"
114 \ar @
{-
} "m"+D+(
3,
0); p-(
0,
.5) ="d"
118 \ar @
{.
} "a"-(
0.5,
0); p+(
8,
0)
119 \POS "a"+(
8, -
1)*
[r
]\txt{Six more rounds
}
120 \ar @
{--
} "a"; "a"-(
0,
2) ="a"
121 \ar @
{--
} "b"; "b"-(
0,
2) ="b"
122 \ar @
{--
} "c"; "c"-(
0,
2) ="c"
123 \ar @
{--
} "d"; "d"-(
0,
2) ="d"
126 \def\figwhite#1#2#3#4{%
127 \ar @
{.
} "a"-(
0.5,
0); p+(
8,
0)
128 \POS "a"+(
8, -
1)*
[r
]\txt{Postwhitening
}
129 \figkeymix{#1}{#2}{#3}{#4}
130 \ar "a"; p-(
0,
1) *+
{a'
}
131 \ar "b"; p-(
0,
1) *+
{c'
}
132 \ar "c"; p-(
0,
1) *+
{b'
}
133 \ar "d"; p-(
0,
1) *+
{d'
}
139 %%%----- The main text ------------------------------------------------------
142 We present Storin: a new
96-bit block cipher designed to play to the
143 strengths of current digital signal processors (DSPs). In particular, DSPs
144 tend to provide single-cycle multiply-and-accumulate operations, making
145 matrix multiplications very cheap. Working in an environment where
146 multiplication is as fast as exclusive-or changes the usual perceptions
147 about which operations provide good cryptographic strength cheaply. The
148 scarcity of available memory, for code and for tables, and a penalty for
149 nonsequential access to data also make traditional block ciphers based
150 around substitution tables unsuitable.
155 \section{Definition of the cipher
}
157 \subsection{Overview
}
159 Storin is an eight-round SP network operating on
96-bit blocks. The block
160 cipher uses
36 24-bit subkey words, derived from a user key by the key
163 The
96-bit input is split into four
24-bit words. Each round then processes
164 these four words, using the following three steps:
166 \item Mixing in of some key material. Four
24-bit subkey words are XORed
167 with the four data words.
168 \item A matrix multiplication mod $
2^
{24}$. The four words are treated as a
169 column vector and premultiplied by a $
4 \times 4$ vector using addition and
170 multiplication mod $
2^
{24}$. This is the main nonlinear step in the
171 cipher, and it also provides most of the cipher's diffusion.
172 \item A simple linear transformation, which replaces each word $x$ by $x
\xor
175 The four data words output by the final round are XORed with the last four
176 subkey words in a final postwhitening stage and combined to form the
96-bit
179 The cipher structure is shown diagrammatically in figure~
\ref{fig:cipher
}.
187 \figround{0}{1}{2}{3}{Round
1}
188 \figround{4}{5}{6}{7}{Round
2}
190 \figwhite{32}{33}{34}{35}}
192 \caption{The Storin encryption function
}
196 Since the matrix used in step
2 is chosen to be invertible, the cipher can be
197 inverted readily, simply by performing the inverse steps in the reverse
198 order. Since the postwhitening stage is the same as a key mixing stage,
199 decryption can be viewed as eight rounds consisting of key mixing, linear
200 transformation and matrix multiplication, followed by a postwhitening stage.
201 Thus, the structure of the inverse cipher is very similar to the forwards
202 cipher, and uses the same components. The decryption function is shown
203 diagrammatically in figure~
\ref{fig:decipher
}.
211 \figiround{32}{33}{34}{35}{Round
1}
212 \figiround{28}{29}{30}{31}{Round
2}
214 \figwhite{0}{1}{2}{3}}
216 \caption{The Storin decryption function
}
220 The key schedule is designed to be simple and to reuse the cipher components
221 already available. Given a user key, which is a sequence of one or more
222 24-bit words, it produces the
36 subkey words required by the cipher. The
223 key schedule is very similar to Blowfish
\cite{blowfish
}. The subkey array
224 is assigned an initial constant value derived from the matrix used in the
225 cipher. Words from the user key are XORed into the array, starting from the
226 beginning, and restarting from the beginning of the user key when all the
227 user key words are exhausted. A
96-bit block is initialized to zero, and
228 enciphered with Storin, using the subkeys currently in the array. The first
229 four subkey words are then replaced with the resulting ciphertext, which is
230 then encrypted again using the new subkeys. The next four subkey words are
231 replaced with the ciphertext, and the process continues, nine times in all,
232 until all of the subkey words have been replaced.
234 The Storin key schedule can accept user keys up to
36 words (
864 bits) long.
235 It is unrealistic, however, to expect this much strength from the cipher. We
236 recommend against using keys longer than
5 words (
120 bits).
239 \subsection{Encryption
}
241 We define $
\mathcal{W
} =
\mathbb{Z
}_
{2^
{24}}$ to be set of
24-bit words, and
242 $
\mathcal{P
} =
\mathcal{W
}^
4$ to be the set of four-entry column vectors over
243 $
\mathcal{W
}$. Storin plaintext blocks are members of $
\mathcal{P
}$.
245 The Storin encryption function uses
36 24-bit words of key material $k_0$,
246 $k_1$,
\ldots, $k_
{35}$, which are produced from the user key by the key
247 schedule, described below. The key-mixing operation $K_i:
\mathcal{P
}
248 \rightarrow \mathcal{P
}$ is defined for $
0 \le i <
9$ by:
250 K_i
\begin{pmatrix
} a \\ b \\ c \
\d \end{pmatrix
}
253 a
\xor k_
{4i
} \\ b
\xor k_
{4i+
1} \\ c
\xor k_
{4i+
2} \\ d
\xor k_
{4i+
3}
257 The matrix multiplication operation $M:
\mathcal{P
} \to \mathcal{P
}$
258 is described by $M(
\mathbf{x
}) =
\mathbf{M
} \mathbf{x
}$, where $
\mathbf{M
}$
259 is a fixed invertible $
4 \times 4$ matrix over $
\mathcal{W
}$. The value of
260 $
\mathbf{M
}$ is defined below.
262 The linear transformation $L:
\mathcal{P
} \to \mathcal{P
}$ is defined by:
264 L
\begin{pmatrix
} a \\ b \\ c \\ d
\end{pmatrix
}
267 a
\xor (a
\lsr 12) \\
268 b
\xor (b
\lsr 12) \\
269 c
\xor (c
\lsr 12) \\
274 The round function $R_i:
\mathcal{P
} \to \mathcal{P
}$ is defined for $
0 \le i
276 \
[ R_i(
\mathbf{x
}) = L
\bigl(
\mathbf{M
} K_i(
\mathbf{x
})
\bigr) \
]
278 The cipher $C:
\mathcal{P
} \to \mathcal{P
}$ is defined in terms of $R_i$ and
279 $K_i$. Let $
\mathbf{x
}_0
\in \mathcal{P
}$ be a plaintext vector. Let
280 $
\mathbf{x
}_
{i+
1} = R_i(
\mathbf{x
}_i)$ for $
0 \le i <
8$. Then we define
281 $C(
\mathbf{x
})$ by setting $C(
\mathbf{x
}_0) = K_8(
\mathbf{x
}_8)$.
284 \subsection{Key schedule
}
286 The key schedule converts a user key, which is a sequence of
24-bit words,
287 into the
36 subkeys required by the cipher.
289 For $i
\ge 0$, we define that
292 m_
{16i +
0} & m_
{16i +
1} & m_
{16i +
2} & m_
{16i +
3} \\
293 m_
{16i +
4} & m_
{16i +
5} & m_
{16i +
6} & m_
{16i +
7} \\
294 m_
{16i +
8} & m_
{16i +
9} & m_
{16i +
10} & m_
{16i +
11} \\
295 m_
{16i +
12} & m_
{16i +
13} & m_
{16i +
14} & m_
{16i +
15}
300 Let the user-supplied key be $u_0$, $u_1$,
\ldots, $u_
{n-
1}$, for some $n >
301 0$. We define the sequence $z_0$, $z_1$,
\ldots\ by
302 \
[ z_i = m_i
\xor u_
{i
\bmod n
} \
]
305 Denote the result of encrypting vector $
\mathbf{x
}$ using subkeys from the
306 sequence $
\seq{w
} = w_0, w_1,
\ldots, w_
{35}$ as $C_
{\seq{w
}}(
\mathbf{x
})$.
307 We define the key schedule to be $k_0$, $k_1$,
\ldots, $k_
{35}$, where:
309 \seq{p^
{(i)
}} = k_0, k_1,
\ldots, k_
{4i-
1}, z_
{4i
}, z_
{4i+
1},
\ldots \\
310 \mathbf{x
}_0 =
\begin{pmatrix
} 0 \\
0 \\
0 \\
0 \end{pmatrix
};
\qquad
311 \begin{pmatrix
} k_
{4i
} \\ k_
{4i+
1} \\ k_
{4i+
2} \\ k_
{4i+
3} \end{pmatrix
}
312 =
\mathbf{x
}_
{i+
1} = C_
{\seq{p^
{(i)
}}}(
\mathbf{x
}_i)
316 \subsection{Decryption
}
318 The individual operations used during encryption are all invertible. Key
319 mixing is inverted by taking keys from the other end of the array:
320 \
[ K^
{-
1}_i(
\mathbf{x
}) = K_
{8-i
}(
\mathbf{x
}) \
]
321 The matrix multiplication may be inverted simply by using the inverse matrix
323 \
[ M^
{-
1}(
\mathbf{x
}) =
\mathbf{M
}^
{-
1} \mathbf{x
} \
]
324 Finally, the linear transformation is its own inverse:
325 \
[ L^
{-
1}(
\mathbf{x
}) = L(
\mathbf{x
}) \
]
326 The inverse round function can now be defined as:
327 \
[ R^
{-
1}_i(
\mathbf{x
}) =
328 \mathbf{M
}^
{-
1} L
\bigl(K^
{-
1}_i(
\mathbf{x
})
\bigr) \
]
330 The decryption function $C^
{-
1}:
\mathcal{P
} \to \mathcal{P
}$ is defined
331 in terms of $R^
{-
1}$ and $K^
{-
1}$ in a very similar way to encryption. Let
332 $
\mathbf{x
}_0$ be a ciphertext vector. Let $
\mathbf{x
}_
{i+
1} =
333 R^
{-
1}_i(
\mathbf{x
}_i)$ for $
0 \le i <
8$. Then we define
334 $C^
{-
1}(
\mathbf{x
}_0) = K^
{-
1}_8(
\mathbf{x
}_8)$.
337 \subsection{Constants
}
339 The matrix $
\mathbf{M
}$ and its inverse $
\mathbf{M
}^
{-
1}$ are:
340 \begin{eqnarray*
}[rl
]
342 \begin{pmatrix
}[[>
{\hbox\bgroup\ttfamily}c<
{\egroup}]
343 f7a413 &
54bd81 &
447550 & ff4449 \\
344 f31e87 & d85388 & de32cb &
40e3d7 \\
345 d9db1d &
551b45 & e9d19f & e443de \\
346 4b949a &
4d435d & ef0a17 & b784e1
349 \begin{pmatrix
}[[>
{\hbox\bgroup\ttfamily}c<
{\egroup}]
350 17391b & fafb4b & a66823 & f2efb6 \\
351 13e0e5 &
2ed5e4 & b2cfff & d9cdb5 \\
352 2af462 &
33826d & de66a1 & eb6c85 \\
353 c2f423 & e904a3 & e772d8 & d791f1
359 \section{Rationale and analysis
}
361 \subsection{Design decisions
}
363 The initial objective was to produce a cipher which played to the particular
364 strengths of digital signal processors. DSPs tend to have good multipliers,
365 and are particularly good at matrix multiplication. The decision use a
366 matrix multiplication over $
\mathbb{Z
}_
{2^
{24}}$ seemed natural, given that
367 24 bits is a commonly offered word size.
369 The choice of a
96-bit block is also fairly natural. A
2 word (
48-bit) block
370 is clearly too small, and a
3 word (
72-bit) block is a little on the small
374 \subsection{Matrix multiplication over $
\mathbb{Z
}_
{2^
{24}}$
}
376 Integer multiplication on a DSP is a cheap source of nonlinearity. Note that
377 bit $i$ of the result depends on all of the bits in the operands of lesser or
378 equal significance.position $i$ downwards.
380 The decision to make the $
4 \times 4$ matrix fixed was taken fairly early on.
381 Generating invertible matrices from key material seemed like too much work to
384 The matrix is generated pseudorandomly from a seed string, using SHA-
1. The
385 criteria we used to choose the matrix are:
387 \item The matrix must be invertible.
388 \item Exactly one entry in each row and column of the matrix must be even.
390 Criterion
1 is obvious. Criterion
2 encourages diffusion between the entries
391 in the block vector. Note that if a matrix satisfies the second criterion,
392 its inverse also does.
394 Consider a vector $
\mathbf{x
}$ and its product with the matrix $
\mathbf{M
}
395 \mathbf{x
}$. Whether the top bit of entry $i$ in $
\mathbf{x
}$ affects
396 entry $j$ in the product depends on whether the entry in row $j$, column $i$
397 of $
\mathbf{M
}$ is even. Criterion
2 ensures the following:
399 \item A top-bit change in a single word or three words affects three words in
401 \item A top-bit change in two words affects two words in the output.
404 The seed string used is
\texttt{matrix-seed-string
}. The program which
405 generates the matrix is included with the Storin example source code.
407 \subsection{The linear transformation
}
409 A bit change in one of the inputs to the matrix can only affect bits at that
410 position and higher in the output. The linear transformation at the end of
411 the round aims to provide diffusion from the high-order bits back to the
414 A single high-order bit change in the input to a round will affect the
415 high-order bits of three words in the output of the matrix multiply. The
416 linear transformation causes it to affect bits in the low halves of each of
417 these words. The second round's multiplication causes these bits to affect
418 the whole top halves of all of the output words. The linear transformation
419 propagates this change to the bottom halves. Complete avalanche is therefore
420 achieved after three rounds of Storin.
423 \subsection{Key schedule notes
}
425 The key schedule is intended to be adequate for bulk encryption; it doesn't
426 provide good key agility, and isn't intended to. The key schedule accepts an
427 arbitrary number of
24-bit words, although expecting
864 bits of security
428 from the cipher is not realistic. The suggested maximum of
5 words (
120
429 bits) seems more sensible. This maximum can be raised easily when our
430 understanding of the cipher increases our confidence in it.
432 The key schedule is strongly reminiscent of Blowfish
\cite{blowfish
}. Use of
433 existing components of the cipher, such as the matrix multiplication and the
434 cipher itself, help reduce the amount of code required in the implementation.
436 There is an interesting feature of the key schedule: the output of the first
437 round of the second encryption is zero. To see why this is so, it is enough
438 to note that the first round key has just been set equal to what is now the
439 plaintext; the result of the key mixing stage is zero, which is unaffected by
440 the matrix and linear transformation.
443 \subsection{Attacking Storin
}
445 A brief
\footnote{About three days' worth on a
300MHz Pentium II.
}
446 computerized analysis of the matrix multiplication failed to turn up any
447 high-probability differential characteristics. While an exhaustive search
448 was clearly not possible, the program tested all differentials of Hamming
449 weight
5 or less, and then random differentials, applying each to a suite of
450 $
2^
{13}$ different
96-bit inputs chosen at random. No output difference was
451 noted more than once.
453 One possible avenue of attack worth exploring is to attempt to cause zero
454 words to be input into the first-round matrix by choosing plaintext words
455 identical to subkey words for the first round. Causing $n$ matrix input
456 words to be zero clearly takes $O(
2^
{24n
})$ time. If a method can be found
457 to detect when zero words have been input to the matrix, this can be used to
458 discover the subkey words rather more rapidly than exhaustive search. We
459 can't see a way to exploit this at the moment, but it could be a fruitful
460 place to look for cryptanalysis.
465 We have presented a new block cipher, Storin. Any cryptanalysis will be
466 received with interest.
469 \begin{thebibliography
}{99}
470 \bibitem{idea
}{X. Lai, `On the Design and Security of Block Ciphers', ETH
471 Series in Informatics Processing, J. L. Massey (editor), vol.
1,
472 Hartung-Gorre Verlag Konstanz, Technische Hochschule (Zurich),
1992}
473 \bibitem{blowfish
}{B. Schneier, `The Blowfish Encryption Algorithm',
474 \textit{Dr Dobb's Journal
}, vol.
19 no.
4, April
1994, pp.
38--
40}
475 \end{thebibliography
}
477 %%%----- That's all, folks --------------------------------------------------