The block cipher NSABC spec -- updated
in [Cryptography]
|
Prev: Podcast interview w/ Dr. Jay Kennedy re Plato's secret codes
Next: Prime Number SUMS model the Riemann Zeta function
From: Tran Ngoc Duong on 6 Aug 2010 09:55 This is the updated version of the article originally posted on 26-27 July. Changes include completely re-written subsections 3.1 "Data order" and 3.5 "Bias E", more notes explaining simplicity and efficiency, clarified description, added illustrations and examples (as suggested by Tom St. Denis and others), minor wording improvements. The algorithm itself remains unchanged. Many thanks for your consideration. For those who are not interested, I'm sorry for long post. Again. Tran Ngoc Duong. ======================================================================== THE BLOCK CIPHER NSABC (Public domain) Alice Nguyenova-Stepanikova Tran Ngoc Duong <tranngocduong at gmail dot com> (corresponding author) 27th July, 2010 A b s t r a c t. We introduce NSABC/w (Near-Skipjack Algebraic Block Cipher operating on w-bit word arithmetics, w even), a 4w-bit analogous of Skipjack [NSA98] with 5w-bit key. The Skipjack's internal 4-round Feistel structure is replaced with a w-bit, 2-round cascade of the binary operation (x,z) |-> (2*x*z + (1-2*e)*(x-z+e)) <<< (w/2), partially encrypting a data word x under control of a key word z and a round-dependent constant word e. Similar to the multiplication in IDEA [LM91, LMM91], the present operation bases on an algebraic group over w-bit words, so it is also capable of decrypting by means of the inverse element of z in the group. The cipher may utilize an optional secret 4w-bit "tweak", i.e. an easily changeable parameter with unique value for every block encrypted under the same key [LRW02], that is in turn derived from the block index and a 4w-bit [additional] key, to facilitate applications such as disk encryption. With w=64, on a modern 64-bit processor, encryption takes about 5 clock cycles per byte and, when the tweak is omitted, only 4.4 clock cycles per byte. 1. Introduction In the today's world full of cryptographic algorithms, one may wonder what makes a block cipher attractive. The authors' answer to the question is one word: elegance. If something looks nice, then there is a big chance that it is also good. An elegant specification makes it easier to memorize. Memorizability makes it easier to analyze, that allows for fruitful cryptanalytic results, leading to deeper understanding which, in turn, makes greater confidence in the algorithm. The elegance comprises the following features: -- Few algebraic operations, best use [quasi-]group ones. Using of many operations, such as tables of constants, S-boxes, data-dependent transpositions or operator selections results in "wild", hardly-tractable and possibly undesirable interactions between operations. [Quasi-]group operations are preferable because of the "perfect secrecy": if x is product of y and z in a quasigroup, knowledge about either variable gives no information about any of the other two. -- Simple and regular key schedule. A complex key schedule with, say, bit transpositions or non-linear operations, which effectively adds another, unrelated, function to the cipher, results in hardly-tractable and possibly undesirable interactions between the functions. From the pragmatic viewpoint, moreover, a simple and regular key schedule is very fast, which makes the cipher much more useful as a universal primitive to construct others, such as hash functions. IDEA, a secure block cipher designed by Xuejia Lai and James L. Massey [LM91, LMM91] is an example of elegance. Besides being elegant with an efficient choice and arrangement of algebraic operations, it is elegant for some more features: -- The use of "incompatible" group operations, where "incompatible" means there are no simple relations (such as distributivity) between them. The incompatibility excludes any exploitable algebraic property and makes it impossible to solve the cipher algebraically. -- The use of modular multiplication. Multiplication is apparently more powerful than addition and thus greatly contributes to security and efficiency of the cipher. However, modular multiplication in IDEA uses the Fermat prime modulus 2**w+1 which does not exist for w=32 or w=64, making it not extendable to machine word lengths nowaday. Furthermore, it rotates the [primary] key in a way that some key bits are re-used much more slowly than others, making the key schedule irregular. Skipjack, a secure block cipher designed by cryptographers of the U.S. National Security Agency [NSA98], is another example of elegant design. Besides being elegant with an efficient, simple and regular key schedule, it is elegant for one more feature: -- The use of two ciphers, an "outer" cipher, or *wrapper*, consisting of first and last rounds, and an "inner" cipher, or *core*, consisting of middle rounds. The terms are introduced in the design rationale of MARS [IBM98], a block cipher structurally similar to Skipjack. The MARS's designers justifies this two-layer structure that it breaks any repetitious property, it makes any iterative characteristic impossible, and it disallows any propagation of eventual vulnerabilities in either layer to the other one, thus making attacks more difficult. The wrapper is primarily aimed at fast diffusion and the core primarily at strong confusion. As Claude E. Shannon termed in his pioneer work [Sha49], *diffusion* here refers to the process of letting one input bit affect many output bits in very different ways, and *confusion* here refers to the process of letting one output bit be affected by many input bits in very different ways. Skipjack (as opposed to MARS) was sought elegant as the wrapper here is, in essence, the inverse function of the core. However, Skipjack uses an S-box, making it rather slow, hard to program in a secure manner, and not extendable to large machine word lengths, as such. This article describes an atempt to combine the ideas of elegance of IDEA with the nice structure of Skipjack into a scalable and tweakable block cipher called NSABC -- Near-Skipjack Algebraic Block Cipher. NSABC uses the entire overall structure of Skipjack, including the key schedule (except word re-numbering which is merely cosmetic), and only replaces the intereal 4-round Feistel structure of Skipjack with another structure. The new structure consists of two rounds of an operation, denoted "(o)", which is essentially multiplication of odd integers modulo 2**(w+1) that are represented by integers modulo 2**w. Each instance of "(o)" is followed by a swap of high and low half-words. Thus NSABC uses only two algebraic operations, XOR and "o", which are mutually incompatible. NSABC is scalable. It is defined for every even word length w, which allows scaling up with 8-bit increment in block length and 10-bit increment in key length. NSABC is tweakable. It can use an easily changeable parameter, called *tweak* [LRW02], to make a unique version of the cipher for every block encrypted under the same key. In algorithm design there is always a trade-off between security and efficiency, and designers always have to ask "What do we want, a very strong and fairly fast cipher, or fairly strong but very fast?" NSABC reflects the authors' view on the dilemma. If Skipjack is regarded as very secure but not very fast, then NSABC may be regarded as a design with stress on the second aspect: make it very fast, abeit not very secure. For 64-bit word length, NSABC key length is 320 bits, optionally plus 256 bits more, but the true level of security is yet to be determined. On the other hand, on a modern 64-bit processor it takes only 5 clock cycles per byte and only 4.4 clock cycles per byte if tweaking is omitted. NSABC is not patented and is put in public domain. As it bases on Skipjack, eventual users should be aware of Skipjack patent(s) which may be possibly held by the U.S. Government and take steps to make sure the use is free of legal issues. The authors are not aware of any patent related to other parts of the design. The rest of the article is organized as follows. Section 2 defines operations over machine words. Section 3 specifies the algorithm. Section 4 gives notes for efficient implementation. Section 5 gives numerical examples. Section 6 concludes the article. 2. Operations over words This section defines operations over words, mainly a multiplication-like group operation, denoted ".", a family containing it, parameterized by the group unit e, denoted "(.)", and quasi-group operations based on "." and "(.)", denoted "o" and "(o)" respectively. We write a**n to denote n-th power of a. We use the symbol +, -, *, ~, ^ to denote two-complement, w-bit (unless otherwise said), arithmetic/logic operations with the C programming languague meanings. Let's define binary operations "." and "o" as follows. x . y = 2*x*y + x + y x o y = 2*x*y + x - y Note that the bivariate polynomials x . y and x o y are permutation polynomials in either variable for every fixed value of the other variable [Riv99]. In other words, "." and "o" are quasi-group operations. Furthermore, "." is a group operation over the set of w-bit numbers. (This fact, although simple and straightforward, does not seem to have been mentioned in the literature.) The operation "." is very similar to [usual] modular multiplication. Indeed, it can be done (at least theoretically) by dropping the rightmost bit, which is always "1", of the product modulo 2**(w+1) of the operands each appended with an "1" bit. Symbolically, x . y = ((2*x+1)*(2*y+1) - 1) mod 2**(w+1) / 2 In other words, the group defined by "." is isomorphic to the multiplicative group of odd integers modulo 2**(w+1), via the isomorphism x |-> 2*x + 1 (mod 2**(w+1)) The unit of the group is 0. The inverse element of x, denoted x', is x' = - x/(2*x + 1) where "/" denotes the inverse operation of "*", i.e. modular multiplication by the modular multiplicative inverse of the denominator, which indeed exists for every x. The following relations hold. (~x) . y = ~(x . y) (1-x) o y = 1 - (x o y) x . y = -((-x) o y) x o y = -((-x) . y) (x . a) . a' = x (x o a) o a' = x Let's define trivariate polynomials p and q as follows. p(x,y,e) = (x-e).(y-e) + e = 2*x*y + (1 - 2*e)*(x + y - e) q(x,y,e) = -p(-x,y,e) = 2*x*y + (1 - 2*e)*(x - y + e) Then, over the set of w-bit numbers, p and q are permutation polynomials in either variable while keeping the other two fixed [Riv99]. Let e be fixed. The binary operations "(.)" and "(o)" defined by x (.) y = p(x,y,e) x (o) y = q(x,y,e) are quasigroup operations. Furthermore, "(.)" defines a group over the set of w-bit numbers that is isomorphic to the group defined by "." above. The isomorphism is x |-> x - e The unit of this group is e. The inverse element of x, denoted x('), is x(') = (x - e)' + e = ((2*e - 1)*x - 2*e*(e-1)) / (2*(x-e) + 1) The following relations hold. x (.) y = -((-x) (o) y) x (o) y = -((-x) (.) y) x (.) y = (x-e) . (y-e) + e x (o) y = (x+e) o (y-e) - e (x (.) a) (.) a(') = x (x (o) a) (o) a(') = x The operation "(o)" will be used for encryption and, due to the last relation, also for decryption. 3. Specification This section provides details of NSABC/w. From now on w, the word length, must be even. Throughout this article, X denotes a 4w-bit plaintext block, Y a 4w-bit ciphertext block, Z a 5w-bit key, T a 4w-bit secret *tweak*, i.e., a value that is used to encrypt only one block under the key. NSABC is specified in terms of two functions: ENCRYPT(X,Z,T), which encrypts X under control of Z and T, DECRYPT(Y,Z,T), which decrypts Y under control of Z and T. Relation: DECRYPT( ENCRYPT(X,Z,T),Z,T ) = X Tweaking is optional and can be disabled by letting T constantly zero. With tweaking disabled, NSABC becomes a conventional, non-tweakable, block cipher. 3.1. Data order We write a multi-part data values in string (number) notation or tuple (vector) notation. In *string notation*, the value is written as a sequence of symbols, possibly separated by space(s) that are insignificant. In *tuple notation*, the value is written as a sequence, in parentheses, of comma-separated symbols. For examples, z y x and 43 210 are in string notation, (x,y,z) and (0,1,2,3,4) are in tuple notation. The string notation indicates *high-first* order. That is, the first (i.e. leftmost) symbol denotes the most significant part of the value when it is intepreted as a number. Conversely, the tuple notation indicates *low-first* order. That is, the first symbol denotes the least significant part of the value when it is interpreted as a number. For examples, if x0, x1, x2 are words, then: -- In x2 x1 x0, the symbol x2 denotes the most significant word when the value x2 x1 x0 is interpreted as a 3-word number. -- In (x0,x1,x2), the symbol x0 denotes the least significant word when the value (x0,x1,x2) is interpreted as a 3-word number. For convenience, the same value may be written in string notation as well as in tuple notation. Thus, for examples, for every a, b, c, d, a b c d = (d,c,b,a) The term "part", used above, usually refers to "word", but it may also refer to "digit" (of a number), "component" (of a tuple or vector), as well as group thereof. For example, if x, y, z, t are known to be 1-digit, 2-digit, 3-digit and 4-digit values respectively, then (x,y,z,t) = 9876543210 means x=0, y=21, z=543 and t=9876. 3.2. Operations on word strings Let R denote the transposition that reverses the word order of a word string. For example, for 8-bit words, 0x0123AB R = 0xAB2301 Let S denote the transposition that swaps the high order and low order halves of every word of a word string. For example, for 8-bit words, 0x0123AB S = 0x1032BA Let ' denote the word-wise application of the inverse operator "'" on a word string. For example, (a,b,c)' = (a',b',c'). The following relations hold. xRR = x xSS = x x'' = x xRS = xSR xR' = x'R The operator "^" on word strings denote word-wise application of "^". For example, (a0,a1,a2) ^ (b0,b1,b2) = (a0^b0, a1^b1, a2^b2) The following relations hold. (x ^ y)S = xS ^ yS (x ^ y)R = xR ^ yR (x ^ y)RS = xRS ^ yRS Unless otherwise specified, operators "+" and "-" on word strings denote word-wise modular addition and subtraction, respectively, i.e. operands are regarded as vectors of words. For example, (a0,a1,a2) + (b0,b1,b2) = (a0+b0, a1+b1, a2+b2) (a0,a1,a2) - (b0,b1,b2) = (a0-b0, a1-b1, a2-b2) The following relations hold. (x + y)R = xR + yR (x - y)R = xR - yR 3.3. Functions ENCRYPT This function is specified in terms of three functions: DE, a data encryption function; KE, a key expansion function; and TE, a tweak expansion function. ENCRYPT uses a 64w-bit constant E, called *bias*, as a parameter to DE. Constant: E...64w-bit bias Input: X...4w-bit plaintext block Z...5w-bit key T...4w-bit tweak Output: Y...4w-bit ciphertext block Relation: ENCRYPT(X,Z,T) = DE(X, KE(Z), TE(T), E) 3.4. Functions DE, KE and TE These functions operate on a 4-word *data register* (x0,x1,x2,x3) and use a 5-word *key register* (z0,z1,z2,z3,z4) and a 4-word *tweak register* (t0,t1,t2,t3). The key register is initially loaded with the key Z. The tweak register is initially loaded with the tweak T. The data register is initially loaded with the plaintext block X, and after encipherment it contains the ciphertext block Y. [The concrete, vector, notation here specifies the order of words so, for example, x0 is initially loaded with the least significant word of X and after encipherment it contains the least significant word of Y.] These functions consist of 32 rounds of operations. In each round, a permutation G applies on the word x0, an exclusive-or (XOR) operation "mixes" x0 and t0 into another word of the data register, that is either x1 or x3, depends on the round *type* that is either *A* or *B*: -- In an A-typed round, the "mixing" takes place after G and targets x1 (see Fig. 1A); -- In a B-typed round, the "mixing" takes place before G and targets x3 (see Fig. 1B). The permutation G is key-dependent and round-dependent. In each round, the pair of key words (z0,z3) and a pair of words from the bias E enter the G-box. At the end of every round, there is a transposition on the data register that circularly exchanges contents of the four words, and other transpositions that do similarly for the key register and the tweak register. Encryption runs in four *passes*: firstly eight rounds of type A, then eight rounds of type B, then eight rounds of type A again, finally eight rounds of type B again. t3(0) t1(0) x3(0) x1(0) z4(0) z2(0) z0(0) | t2(0) | t0(0) | x2(0) | x0(0) | z3(0) | z1(0) | | | | | | | | | | | | | | | | | | | | | +--+--+ | | | | | | | | | | |E(0)--|> G <|---------------------o K(0) | | | | | |E(1)--|> <|------o K(1) | | | | | | | | | +--+--+ | | | | | | | | | | | | | | | | | | | | |L(0)o------------->+<---o | | | | | | | | | | | | | | | | | | \ \ \ | \ \ \ | \ \ \ \ | \ \ \ | \ \ \ | \ \ \ \ | +--\----\----\-+ +--\----\----\-+ +--\----\----\----\-+ | \ \ \ | \ \ \ | \ \ \ \ | | | | | | | | | | | | | | t2(1) | t0(1) | x2(1) | x0(1) | z3(1) | z1(1) | t3(1) t1(1) x3(1) x1(1) z4(1) z2(1) z0(1) Fig. 1A. Round 0 of DE, KE and TE. t3(8) t1(8) x3(8) x1(8) z4(8) z2(8) z0(8) | t2(8) | t0(8) | x2(8) | x0(8) | z3(8) | z1(8) | | | | | | | | | | | | | | | | |L(8)o--->+<-------------o | | | | | | | | | | | | | | | | | | | | | | | | | +--+--+ | | | | | | | | | | |E(16)-|> G <|---------------------o K(16) | | | | | |E(17)-|> <|------o K(17) | | | | | | | | | +--+--+ | | | | | | | | | | | | | | | | | | \ \ \ | \ \ \ | \ \ \ \ | \ \ \ | \ \ \ | \ \ \ \ | +--\----\----\-+ +--\----\----\-+ +--\----\----\----\-+ | \ \ \ | \ \ \ | \ \ \ \ | | | | | | | | | | | | | | t2(9) | t0(9) | x2(9) | x0(9) | z3(9) | z1(9) | t3(9) t1(9) x3(9) x1(9) z4(9) z2(9) z0(9) Fig. 1B. Round 8 of DE, KE and TE. KE (key expansion) Input: Z...5w-bit key Output: K...64w-bit expanded key Pseudo-code: (z0,z1,z2,z3,z4) := Z for k := 0, 1, 2,..., 31 loop K(2*k) := z0 K(2*k+1) := z3 (z0,z1,z2,z3,z4) := (z1,z2,z3,z4,z0) end loop K := (K(0),K(1),K(2),...,K(63)) TE (tweak expansion) Input: T...4w-bit tweak Output: L...32w-bit expanded tweak Pseudo-code: (t0,t1,t2,t3) := T for k := 0, 1, 2,..., 31 loop L(k) := t0 (t0,t1,t2,t3) := (t1,t2,t3,t0) end loop L := (L(0),L(1),L(2),...,L(31)) DE (data encryption) Input: X...4w-bit plaintext block K...64w-bit expanded key L...32w-bit expanded tweak E...64w-bit bias Output: Y...4w-bit ciphertext block Pseudo-code: (x0,x1,x2,x3) := X for k := 0, 1, 2,..., 31 loop if 0 <= k <= 7 or 16 <= k <= 23 then x0 := G( x0, (K(2*k), K(2*k+1)), (E(2*k), E(2*k+1)) ) x1 := x1 ^ x0 ^ L(k) elsif 8 <= k <= 15 or 24 <= k <= 31 then x3 := x3 ^ x0 ^ L(k) x0 := G( x0, (K(2*k), K(2*k+1)), (E(2*k), E(2*k+1)) ) end if (x0,x1,x2,x3) := (x1,x2,x3,x0) end loop Y := (x0,x1,x2,x3) Relations: Y = (x0(32),x1(32),x2(32),x3(32)) for 0 <= k <= 7 or 0 <= k <= 23: x0(k+1) = x1(k) ^ g(k) ^ L(k) x1(k+1) = x2(k) x2(k+1) = x3(k) x3(k+1) = g(k) for 8 <= k <= 15 or 24 <= k <= 31: x0(k+1) = x1(k) x1(k+1) = x2(k) x2(k+1) = x3(k) ^ x0(k) ^ L(k) x3(k+1) = g(k) for 0 <= k <= 31: g(k) = G(x0(k), (K(2*k), K(2*k+1)), (E(2*k), E(2*k+1))) K(2*k) = z0(k) K(2*k+1) = z3(k) z0(k+1) = z1(k) z1(k+1) = z2(k) z2(k+1) = z3(k) z3(k+1) = z4(k) z4(k+1) = z0(k) L(k) = t0(k) t0(k+1) = t1(k) t1(k+1) = t2(k) t2(k+1) = t3(k) t3(k+1) = t0(k) K = (K(0),K(1),K(2),...,K(63)) L = (L(0),L(1),L(2),...,L(31)) (x0(0),x1(0),x2(0),x3(0)) = X (z0(0),z1(0),z2(0),z3(0),z4(0)) = Z (t0(0),t1(0),t2(0),t3(0)) = T (E(0),E(1),E(2),...,E(63)) = E NOTES (1) The bias E is declared as a parameter to DE (although actually it is a well-specified constant in the algorithm) to indicate the possibility of further parameterization. One may choose his/her own E to create an other, "non-standard", variant of ENCRYPT [and DECRYPT]. (2) The full algorithm is illustrated in Fig. 2, where (X0,X1,X2,X3)=X, (Y0,Y1,Y2,Y3)=Y, (Z0,Z1,Z2,Z3,Z4)=Z, (T0,T1,T2,T3)=T and the constant E is omitted. The figure is obtained by "unrolling" [i.e. eliminating all circular transpositions of] the dataflow graph of the full cipher that would be resulted from cascading the individual rounds as in Fig. 1A and Fig. 1B. X3 X2 X1 X0 | | | | | | | 0 G<-Z0,Z3 | | T0->+<---------o | | 1 G<-Z1,Z4 | | T1->+<---------o | | 2 G<-Z2,Z0 | | T2->+<---------o | | 3 G<-Z3,Z1 | | | o------------------------------->+<-T3 | | | 4 G<-Z4,Z2 | | T0->+<---------o | | 5 G<-Z0,Z3 | | T1->+<---------o | | 6 G<-Z1,Z4 | | T2->+<---------o | | 7 G<-Z2,Z0 | | | | ----------------------------o | / | | | o--/---------------------------->+<-T3 / | | 8 G<-Z3,Z1 / | o--------->+<-T1 T0->+ | 9 G<-Z4,Z2 | | o--------->+<-T2 | | 10 G<-Z0,Z3 | | o--------->+<-T3 | | 11 G<-Z1,Z4 | | | T0->+<-------------------------------o | | | 12 G<-Z2,Z0 | | o--------->+<-T1 | | 13 G<-Z3,Z1 | | o--------->+<-T2 | | 14 G<-Z4,Z2 | | o--------->+<-T3 | | 15 G<-Z0,Z3 | | | | | | | | | | 16 G<-Z1,Z4 | | T0->+<---------o | | 17 G<-Z2,Z0 | | T1->+<---------o | | 18 G<-Z3,Z1 | | T2->+<---------o | | 19 G<-Z4,Z2 | | | o------------------------------->+<-T3 | | | 20 G<-Z0,Z3 | | T0->+<---------o | | 21 G<-Z1,Z4 | | T1->+<---------o | | 22 G<-Z2,Z0 | | T2->+<---------o | | 23 G<-Z3,Z1 | | | | ----------------------------o | / | | | o--/---------------------------->+<-T3 / | | 24 G<-Z4,Z2 / | o--------->+<-T1 T0->+ | 25 G<-Z0,Z3 | | o--------->+<-T2 | | 26 G<-Z1,Z4 | | o--------->+<-T3 | | 27 G<-Z2,Z0 | | | T0->+<-------------------------------o | | | 28 G<-Z3,Z1 | | o--------->+<-T1 | | 29 G<-Z4,Z2 | | o--------->+<-T2 | | 30 G<-Z0,Z3 | | o--------->+<-T3 | | 31 G<-Z1,Z4 | | | | | | | Y3 Y2 Y1 Y0 Fig. 2. The full cipher, by "unrolling" the graphs in Fig. 1A and Fig. 1B. (3) The round structure is up to word indexing the same as that of Skipjack. The word re-indexing, which is cryptographically insignificant, was introduced to ease description and illustration. 3.5. Bias E The 64w-bit constant E, which is used by ENCRYPT and DECRYPT and enters as a parameter to DE, is generated in 32 rounds of operation on a 2w-bit *bias register* (f0,f1) that is initialized by the constant value (0,1). In each round, the content of f1 is added to f0, then the content of f0 is added to f1, then the content of the register becomes a pair of words of E (see Fig. 3.) f1(5) f0(5) | | o---->[+] | | [+]<----o | | f1(6) f0(6) E(11) E(10) Fig. 3. Round 5 of E (regarded as a constant function). Input: none. Output: E...64w-bit bias Pseudo-code: (f0,f1) := (0,1) for k := 0,1,2,...,31 loop f0 := f0 + f1 f1 := f1 + f0 E(2*k) := f0 E(2*k+1)) := f1 end loop E := (E(0),E(1),E(2),...,E(63)) Relations: E = (E(0),E(1),E(2),...,E(63)) for k = 0,1,2,...,31: E(2*k) = f0(k+1) E(2*k+1) = f1(k+1) f0(k+1) = f0(k) + f1(k) f1(k+1) = f1(k) + f0(k+1) (f0(0),f1(0)) = (0,1) NOTES (1) It holds E(n) = F(n+2), where F(_) is defined by F(n+2) = F(n+1) + F(n) and (F(0),F(1)) = (0,1), i.e. E = (1, 2, 3, 5, 8, 13,..., 17167680177565) (mod 2**w). In other words, E is the sequence of 64 consecutive Fibonacci numbers immediately following the initial 0 and 1, modulo 2**w. (2) The round structure of E, usually known as *pseudo-Hadamard transform*, was used as a diffusion construct in prior cipher designs [Mas94, Sch+98]. Here it is not aimed at diffusion since it generates a constant, which has zero uncertainty. 3.6. Function G Function G, which takes as argument a w-bit intermediate plaintext word and is parameterized by a pair of w-bit subkey words (k0,k1) and a pair of constant words (e0,e1) to return a w-bit intermediate ciphertext word, is a cascade of two rounds, each consisting of an evaluation of the polynomial q (defined in section 2) followed by a swap of half-words (see Fig. 4). The first evaluation uses k0 and e0, the second one uses k1 and e1. argument | | +------+ e0---|> q <|---k0 +------+ | | \ / \/ /\ / \ | | +------+ e1---|> q <|---k1 +------+ | | \ / \/ /\ / \ | | result Fig. 4. Function G. Relation: G(x,(k0,k1),(e0,e1)) = q( q(x,k0,e0)S, k1, e1 )S NOTES (1) The algorithm uses 64 instances of the quasi-group operation "(o)", each with its own choice of the underlying group defined by the operation "(.)" with unit e. So, to be specific, instead of writing something like x (o) z, we wrote q(x,z,e). (2) Alternatively, it may be seen as using 64 identical instances of the simpler operation "o", or of the simplest, group operation ".", but operands and result of each instance of the operation are "biased" by adding or subtracting the constant e that is specific to the instance, and furthermore, for ".", the left operand enters and the result leaves it in altered sign. That's why E, the sequence of such e, is termed the "bias". 3.7. Function DECRYPT DECRYPT can be easily derived from the relation with ENCRYPT. Here it is given explitly in terms of functions DE, KE and TE. Relations: DE( DE(X,KE(Z),TE(T),E)RS, (KE(ZR)-ER)'+ER, TE(TRS), ER )RS = X DECRYPT(Y,Z,T) = DE( YRS, (KE(ZR)-ER)'+ER, TE(TRS), ER )RS In other words, encrypting the plaintext block Y in reverse half-word order (Y RS) using the tweak T in reverse half-word order (T RS) and the key schedule consisting of inverse words of an expanded key resulted from the key Z in reverse word order (Z R), where the inversions are of the [algebraic] groups defined by the operation "(.)" and each group is specified by its unit that is the corresponding word of the constant E in reverse word order (E R), recovers the plaintext block X in reverse half-word order (X RS). NOTES (1) Like Skipjack, decryption is similar to encryption. To decrypt with Skipjack, one swaps adjacent words, i.e. swaps the first and the second and swaps the third and the fourth words in the cipher block, the key and the plain block. To decrypt with NSABC, one reverses the word order, i.e., swaps the first and the last words as well as the second first and the second last ones. (2) Unlike Skipjack, DECRYPT cannot be expressed explicitly in terms of ENCRYPT. That's why our cipher is termed "near Skipjack" only. 3.8. Tweak derivation The 4w-bit secret tweak T is used to encrypt only one block [under a given key Z]. In order to encrypt multiple blocks the tweak is derived from the block index and a 4w-bit [additional] key, called *tweak key*, as follows. Let T(j) denote the tweak used to encrypt j-th block. For zero-th block, the tweak key is used as the tweak directly: T(0) = tweak key Successive tweak is computed from the current tweak by the recurrent relation: T(j) = T(j-1) + 2*T(0) + 1 or, equivalently, T(j) = T(0) . j where all operators, including ".", are defined on 4w-bit modular arithmetics and all operands, including 1 and j, are regarded as 4w-bit numbers. NOTES (1) The second relation is meant for sequential access and the third is meant for random access to the j-th block. There T(0) conveniently refers to the [unnamed] tweak key. (2) The family of functions {T: j |-> T(0).j}, parameterized by the tweak key T(0), is not epsilon-almost 2-XOR universal w.r.t. definition by [LRW02]. Eventual application of the present tweak derivation method in the Liskov-Rivest-Wagner construction, i.e. by defining ENCRYPT(X,Z,T,j) = DE(X^T(j),KE(Z),0)^T(j), is therefore impossible. 4. Notes on implementation This section provides methods for efficient software implementation for two types of environment: memory-constrained, such as embedded computers, and memory-abundant, such as servers and workstations. 4.1. Memory-constrained environment (1) The function ENCRYPT can be implemented without using any memory on a processor with at least 16 word registers: 4 for (x0,x1,x2,x3) -- data, 5 for (z0,z1,z2,z3,z4) -- key, 4 for (t0,t1,t2,t3) -- tweak, 2 for (f0,f1) -- bias, and 1 for k -- round index. Indeed, all other intermediate word strings (namely the expanded key K, the expanded tweak L and the bias E) can vanish because every word of them, once produced, can be consumed immediately, provided that the functions KE, TE, E (regarded as a constant function) and DE are programmed to run in parallel and in sync with each increment of k. (2) In an extremely memory-constrained environment, modes of operation that avoid DECRYPT (i.e. ones using ENCRYPT to decrypt) are preferable. That's because modular multiplicative inversion is so time-consuming that every practial implementation of DECRYPT must always pre-compute the key schedule. 4.2. Memory-abundant environment (1) The polynomial q in function G can be evaluated using only one multiplication and one addition, with a modified key schedule. Indeed, q(x,z,e) = M*x + N where x is a data word, z key word, e the unit of the [quasi-]group in use, and M = 2*(z - e) + 1 N = (2*e - 1)*(z - e) is a pair of subkeys precomputed in a [modified] key schedule consisting of 64 such pairs. (2) The cipher is partially parallelizable. The following procedure executes all 32 rounds in 20 steps, of which half performing two or three parallel evaluations of the function G. The procedure becomes evident by examining the dataflow graph of the algorithm, shown in Fig. 5, which is obtained by "unrolling" the one in Fig. 2. (Here "unrolling" means introducing a circular transposition so that the G-boxes at round k and k+3 lay on a vertical line.) Recall that g(k) is the result of G in round k. 1. Compute g(0) 2. Compute g(1) 3. Compute g(2) 4. Compute g(3) 5. Compute g(4) 6. Compute g(5), g(11) in parallel 7. Compute g(6), g(9) in parallel 8. Compute g(7), g(10), g(13) in parallel 9. Compute g(8), g(14) in parallel 10. Compute g(12), g(15) in parallel 11. Compute g(16) 12. Compute g(17) 13. Compute g(18) 14. Compute g(19) 15. Compute g(20) 16. Compute g(21), g(27) in parallel 17. Compute g(22), g(25) in parallel 18. Compute g(23), g(26), g(29) in parallel 19. Compute g(24), g(30) in parallel 20. Compute g(28), g(31) in parallel On a modern 64-bit processor, each step should take about 8 clock cycles on average. So, for w=64 i.e. 32-byte blocks it achieves 20*8/32 = 5 clock cycles per byte encrypted. If the tweak T is not used one may remove it from the source code completely to save about 1 clock cycle per byte per step, resulting in 20*7/32 = 4.4 clock cycles per byte. X0 X1 \ \ \0 \1 G-----G \ \ X2 X3 \ \ \ \ 1 \2 \3 \4 G-----G-----G-----G \ \ \ \ \ \ \ \ \ \ \ \ 4 \5 \6 \7 G-----G-----G-----G \ \ \ \ \ \ . . . |\ |\ |\ 7 | \8 | \9 | \10 G--|--G | G | G | \ | \ | | \| \| . + + |\ |\ |\ 10 | \11 | \12 | \13 G | G | G | G \ | \ | \ | \| \| \| + + + |\ |\ \ 13 | \14 | \15 \16 G | G | G G \ | \ | \ \| \| \ + + \ \ \ \ 16 \17 \18 \19 G-----G-----G-----G \ \ \ \ \ \ \ \ \ \ \ \ 19 \20 \21 \22 G-----G-----G-----G \ \ \ \ \ \ \ . . \ |\ |\ 22 \23 | \24 | \25 G-----G--|--G | G \ | \ | \ | \| . . + |\ |\ |\ 25 | \26 | \27 | \28 G | G | G | G \ | \ | \ | \| \| \| + + + |\ |\ |\ 28 | \29 | \30 | \31 G | G | G | G \ | \ | \ | \| \| \| + + + \ \ \ 31 \ \ \ G Y0 Y1 Y2 \ \Y3 Fig. 5. The full cipher, by "unrolling" the graph in Fig. 2. 5. Examples This section provides examples of NSABC/16 and NSABC/64 encryption. Tab. 5.1 shows the contents of all registers in NSABC/16 at the start of round k, for k = 0, 1, 2,..., 32 where k = 32 conveniently denotes the end of round 31, which is that of the algorithm, during the execution of ENCRYPT under key = 0x0AA00BB00CC00DD00EE0, tweak = 0x0001002203334444, and plain = 0x0123456789ABCDEF. Tab. 5.2 represents 26 vectors of ENCRYPT in NSABC/16 under parameters thereby specified. Tab. 5.3 represents a vector for iterated encryption in NSABC/64. Encryption runs under a fixed key Z. Using the tweak T(0), a plain block X(0) is encrypted into a cipher block denoted Y(0). Every Y(j) is then recorded and become X(j+1), the plain block for the next encipherment (if any), using a new tweak T(j+1) that is derived from T(j) by the method specified in subsection 3.8. The vector is printed with Z, T(0), X(0) and X(j) for some other values of j. All data are printed hexadecimally, except the key Z that is in base32-without- padding format specified by the IETF RFC 4648 [Jos06]. Tab. 5.1. Contents of registers during ENCRYPT in NSABC/16. ======= ======== ==================== ================ ================ Round Bias reg Key register Tweak register Data register index k f1 f0 z4 z3 z2 z1 z0 t3 t2 t1 t0 x3 x2 x1 x0 ======= ======== ==================== ================ ================ 0 00010000 0AA00BB00CC00DD00EE0 0001002203334444 0123456789ABCDEF 1 00020001 0EE00AA00BB00CC00DD0 4444000100220333 55BC012345679853 2 00050003 0DD00EE00AA00BB00CC0 0333444400010022 33DB55BC0123758F 3 000D0008 0CC00DD00EE00AA00BB0 0022033344440001 6ADC33DB55BC6BDD 4 00220015 0BB00CC00DD00EE00AA0 0001002203334444 012E6ADC33DB5493 5 00590037 0AA00BB00CC00DD00EE0 4444000100220333 C87D012E6ADCBFE2 6 00E90090 0EE00AA00BB00CC00DD0 0333444400010022 0750C87D012E6EBF 7 02620179 0DD00EE00AA00BB00CC0 0022033344440001 82C80750C87D83C4 8 063D03DB 0CC00DD00EE00AA00BB0 0001002203334444 A62C82C807506E50 9 10550A18 0BB00CC00DD00EE00AA0 4444000100220333 3BA48C3882C80750 10 2AC21A6D 0AA00BB00CC00DD00EE0 0333444400010022 42573FC78C3882C8 11 6FF1452F 0EE00AA00BB00CC00DD0 0022033344440001 C5C1C0BD3FC78C38 12 2511B520 0DD00EE00AA00BB00CC0 0001002203334444 637A49F8C0BD3FC7 13 FF42DA31 0CC00DD00EE00AA00BB0 4444000100220333 0A3318F949F8C0BD 14 D8B5D973 0BB00CC00DD00EE00AA0 0333444400010022 4278C9BD18F949F8 15 8ADDB228 0AA00BB00CC00DD00EE0 0022033344440001 74260BA2C9BD18F9 16 C7E23D05 0EE00AA00BB00CC00DD0 0001002203334444 616C6CDE0BA2C9BD 17 CCC904E7 0DD00EE00AA00BB00CC0 4444000100220333 7041616C6CDE3FA7 18 9E79D1B0 0CC00DD00EE00AA00BB0 0333444400010022 FE487041616C91A5 19 0EA27029 0BB00CC00DD00EE00AA0 0022033344440001 7714FE487041165A 20 8D6D7ECB 0AA00BB00CC00DD00EE0 0001002203334444 B3237714FE48C363 21 99A50C38 0EE00AA00BB00CC00DD0 4444000100220333 3B42B3237714814E 22 3F82A5DD 0DD00EE00AA00BB00CC0 0333444400010022 B0C33B42B323C4E4 23 24E1E55F 0CC00DD00EE00AA00BB0 0022033344440001 316FB0C33B42826E 24 2F210A40 0BB00CC00DD00EE00AA0 0001002203334444 5A0A316FB0C36149 25 68823961 0AA00BB00CC00DD00EE0 4444000100220333 71617F07316FB0C3 26 0A65A1E3 0EE00AA00BB00CC00DD0 0333444400010022 1CF3C2917F07316F 27 B6ADAC48 0DD00EE00AA00BB00CC0 0022033344440001 EBA52DBEC2917F07 28 19A262F5 0CC00DD00EE00AA00BB0 0001002203334444 648794A32DBEC291 29 96397C97 0BB00CC00DD00EE00AA0 4444000100220333 1E37E25294A32DBE 30 A90912D0 0AA00BB00CC00DD00EE0 0333444400010022 079D30BAE25294A3 31 64E2BBD9 0EE00AA00BB00CC00DD0 0022033344440001 BAFA931C30BAE252 32 859D20BB 0DD00EE00AA00BB00CC0 0001002203334444 5CA158A9931C30BA Tab. 5.2. Some vectors for NSABC/16 single block encipherments. ==================== ================ ================ ================ Z (key) T (tweak) X (plain) Y (cipher) ==================== ================ ================ ================ 00000000000000000000 0000000000000000 0000000000000098 1275C2B1DC5E3621 00000000000000000000 0000000000000000 0000000000009800 720620D75549C54D 00000000000000000000 0000000000000000 0000000000980000 1F2E2B943747B1DE 00000000000000000000 0000000000000000 0000000098000000 B1810BC2441D1445 00000000000000000000 0000000000000000 0000009800000000 ED61842661D49429 00000000000000000000 0000000000000000 0000980000000000 EA1C14B378A7B595 00000000000000000000 0000000000000000 0098000000000000 4DCBF3FCA282C4C4 00000000000000000000 0000000000000000 9800000000000000 0609058C12509447 00000000000000000000 0000000000000098 0000000000000000 AE4D0DFF58FFD3B2 00000000000000000000 0000000000009800 0000000000000000 D20388E6B94C96DF 00000000000000000000 0000000000980000 0000000000000000 A64BFCFDB32C5DBF 00000000000000000000 0000000098000000 0000000000000000 650F1DF8371AF343 00000000000000000000 0000009800000000 0000000000000000 BC8FA7FE1C928EAB 00000000000000000000 0000980000000000 0000000000000000 62C00204766B5BCE 00000000000000000000 0098000000000000 0000000000000000 40F6C79331EAD337 00000000000000000000 9800000000000000 0000000000000000 A9A7601DD937CFBA 00000000000000000098 0000000000000000 0000000000000000 2D078508E13FEA31 00000000000000009800 0000000000000000 0000000000000000 75FBFF2A6706DFDB 00000000000000980000 0000000000000000 0000000000000000 70BF79184C06F9AB 00000000000098000000 0000000000000000 0000000000000000 D505CBFAB03913EF 00000000009800000000 0000000000000000 0000000000000000 3EEC55CD065E275B 00000000980000000000 0000000000000000 0000000000000000 4ADA724B4913D4D0 00000098000000000000 0000000000000000 0000000000000000 F492E17C8F066561 00009800000000000000 0000000000000000 0000000000000000 F9060CFF3C7A6FA1 00980000000000000000 0000000000000000 0000000000000000 F7CDC677FF2F087F 98000000000000000000 0000000000000000 0000000000000000 008B4A112C5B2B5E Tab. 5.3. A vector for iterated NSABC/64 encryption. ====== ================================================================ Label Value ====== ================================================================ Z DIFFUZE2HOPEBESTCONFVSE2THROWDICENSAZGOODATLASTQOZSKIPJAXDAMNYCE T(0) 1DEA15C007316AC7EC1A15F00706AC7EFA17ED270CA7EA7CA717774E35A3E7BA X(0) 31ACB074E5A185A590D471305CAD03A0E43A8C9314C8B52C01843A8708C51AA3 X(1) 3ED6DCD4A1E13501493BF8CC306C0130987CF497E67D92F100B10451494A91BD X(2) 8242D4BC301A3FCEC9D751077D5C18A2384508B785BABC6A2446948862B47EE6 X(3) 4DB8C3D9385F21EE22C8D4CD81A9C4ED8FCC040DE2652F22DE5A6F8AAD977AD6 X(5) 5A756A9300A1F94CD073A8F336CDA083DBD445A39F0BF7596472EC7EDDD4816F X(8) 33F7CB09C2F6A07507C56F833D6746F33A54E0CEE66CE1F0FA428DA04B8C23BF X(13) AC1FCD227034D51A047CCBDA5FE27E64F9D3A59D24B382066174F49C63FBFFE9 X(21) 1DBC7DD4E5F3CC89EC726D5B0DDFB1E949DCCD8B2D67038AD998C8B33FF4F6F1 X(34) EA0EFFC95B7921F1A7266C2F902A8D97A3305DC0945F1BB10FED47C743F61E6D X(55) 65C8DEBA8EE3B6730480DF43F8F9B0FC763FEE15E1C93B06208D9A01411C3A17 X(89) 46043207307750E211E66BA40E2C21310CF7769881CBDBCF326E251E99BCD3C9 X(144) 9CF208AF5D94AD1486B255A19261BEBA6F15911CDAA2E339A5A7B590A5E73498 X(233) 903CA8F6BE987A3FE00EB97F94767678CB619A7898FFC871CD19BEADE4E5A95F X(377) D068EEA27849B0EB10101F9D79379DC5EE3D637764C9EFA462178CB467247FDC X(610) 821C6763628A36F2D383F516E550A11E60C7F12B5AB545F66C0B4AA09430C6CD X(987) B6CF160291E3D46CBBA728277466AE1BF9BDED75D3B6289E40EC1BA3287C83B9 6. Conclusion We defined NSABC, a Skipjack-like block cipher with fine scalability, utilizing a group operation over machine words of every size, that is basically modular multiplication, a powerful operation available on many processors. NSABC is meant to be simple. It uses no S-boxes or "magic" constants. It makes use only two well-known word-oriented algebraic operations: exclusive-or and modular multiplication. It re-uses the simple and regular structure of Skipjack that has become publicly known for over a decade -- sufficient time to be truly understood. The simplicity makes it easier to memorize and to analyze, which in turn makes deeper understanding and greater confidence in the algorithm. NSABC bases on some valuable design of a well-reputed agency in the branch. We therefore believe that it is worth analysis and it can withstand rigorous analysis. If this happens to be true, then we may have a strong cipher with 256-bit blocks, allowing to encrypt enormous amount of data under the same key, and with 320-bit keys, allowing to keep encrypted data secret over any imaginable time. NSABC is fast enough to be comparable with modern block ciphers. 7. References [IBM98] Burwick C., Coppersmith D., D'Avignon E., Gennaro G., Halevi S., Jutla C., Matyas S. M. Jr., O'Connor L., Peyravian M., Safford D., Zunic N.: MARS - a candidate cipher for AES. 1998. [LM91] Lai X., Massey J. L.: A proposal for a new block encryption standard. 1991. [LMM91] Lai X., Massey J. L., Murphy S.: Markov ciphers and differential cryptanalysis. 1991. [LRW02] Liskov M., Rivest R. L., Wagner D.: Tweakable block ciphers. 2002. [Mas94] Massey J. L.: A byte-oriented block-ciphering algorithm. 1994. [NSA98] National Security Agency: Skipjack and KEA specification. 1998. [Jos06] Josefsson S.: The Base16, Base32, and Base64 data encodings, RFC4648. 2006. [Riv99] Rivest R. L.: Permutation polynomials modulo 2**w. 1999. [Sha49] Shannon C. E.: Communication theory of secrecy systems. 1949. [Sch+98] Schneier B., Kelsey J., Whiting D., Wagner D., Hall C., Ferguson N.: Twofish -- a 128-bit block cipher. 1998. --- news://freenews.netfront.net/ - complaints: news(a)netfront.net --- |