Abstract

We study possible alternatives for ShiftRows to be used as cell permutations in AES-like ciphers. As observed during the design process of the block cipher Midori, when using a matrix with a non-optimal branch number for the MixColumns operation, the choice of the cell permutation, i.e., an alternative for ShiftRows, can actually improve the security of the primitive. In contrast, when using an MDS matrix it is known that one cannot increase the minimum number of active S-boxes by deviating from the ShiftRows-type permutation. However, finding the optimal choice for the cell permutation for a given, non-optimal, MixColumns operation is a highly non-trivial problem. In this work, we propose techniques to speed up the search for the optimal cell permutations significantly. As case studies, we apply those techniques to Midori and Skinny and provide possible alternatives for their cell permutations. We finally state an easy-to-verify sufficient condition on a cell permutation, to be used as an alternative in Midori, that attains a high number of active S-boxes and thus provides good resistance against differential and linear attacks.

Highlights

  • The Advanced Encryption Standard (AES) [18] can certainly be considered to be the most important block cipher in practice.

  • We provide a theoretical argument on when a cell permutation, to be used as an alternative in Midori, attains a high number of active S-boxes.

  • There were still 2,726,526 permutations left. For all of those permutations, we found the minimum number of active S-boxes up to 40 rounds using Matsui’s algorithm.


Summary

Introduction

The Advanced Encryption Standard (AES) [18] can certainly be considered to be the most important block cipher in practice. The designers of Midori decided to change the MixColumns operation so that it applies multiplication with a binary matrix with branch number 4, compared to the nonbinary MixColumns operation in the AES with branch number 5. This has the benefit of significantly reducing the energy consumption of this operation. While for AES we have at least 25 active S-boxes in any (linear or differential) four-round trail, moving to a branch number of 4 reduces this number to 16. This follows from the four-round propagation theorem. The interesting and important question raised by the designers of Midori is what the optimal choice of the cell permutation, used as a substitute for ShiftRows, is. We focus on the task of computationally finding the best permutations among all permutations, i.e., without any restriction on the search space.
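The branch number quoted above can be checked by exhaustion over one column. The following is an added example, not code from the paper: it assumes the Midori MixColumn matrix circ(0,1,1,1) over 4-bit cells (taken from the Midori specification, not stated on this page) and also builds the table of cell-activity transitions through that matrix, the per-column building block of a search for the minimum number of active S-boxes. All function names are illustrative.

```python
from itertools import product

# Assumption: Midori's MixColumn matrix is circ(0,1,1,1) over 4-bit cells,
# so each output cell is the XOR of the three *other* input cells.
def mix_column(col):
    total = col[0] ^ col[1] ^ col[2] ^ col[3]
    return tuple(total ^ c for c in col)

def pattern(col):
    """Activity pattern as a 4-bit mask: bit i is set iff cell i is non-zero."""
    return sum(1 << i for i, c in enumerate(col) if c)

def transition_table():
    """Map every non-zero input activity pattern to the set of output
    activity patterns reachable through the matrix (all 16^4 - 1 inputs)."""
    table = {}
    for col in product(range(16), repeat=4):
        if any(col):
            table.setdefault(pattern(col), set()).add(pattern(mix_column(col)))
    return table

def branch_number(table):
    """Minimum over non-zero inputs of active input cells + active output cells."""
    return min(bin(i).count("1") + bin(o).count("1")
               for i, outs in table.items() for o in outs)

if __name__ == "__main__":
    t = transition_table()
    print("branch number:", branch_number(t))
    for p in sorted(t):
        print(f"{p:04b} -> {sorted(format(o, '04b') for o in t[p])}")
```

The four-round propagation theorem bounds the number of active S-boxes over four rounds by the square of the branch number, which gives the 16 (branch number 4) and 25 (branch number 5) quoted above.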

Our Contribution
Preliminaries
Active S-boxes and Differential Cryptanalysis
Classifying Cell Permutations
Structure Matrix of a Cell Permutation
Search Algorithm
The Difference between Weak M-Equivalence and M-Equivalence
Case Study – The Best Cell Permutations for Midori
Computing the Minimum Number of Active S-boxes
Case Study – The Best Cell Permutations for Skinny
Proof on the Minimum Number of Active S-boxes for the Midori Cell Permutation
Conclusion
B Proof of Proposition 3
C Optimal Permutations