
I have tried to create the simplest example. A, B, C, D are 32-bit unsigned, as is k[4]. P is an expansion-type p-box of 256 "random" 32-bit values. Assume key whitening and multiple rounds/keys.

#define b0(u) ((u)&0xff)
#define b1(u) (((u)>>8)&0xff)
#define b2(u) (((u)>>16)&0xff)
#define b3(u) (((u)>>24))

// rounds... (A,B,C,D: uint32_t state words; P: uint32_t[256]; k: pointer to the current round's four uint32_t subkeys)
A += P[b0(D)^b1(D)^b2(D)^b3(D)] ^k[0];
B += P[b0(A)^b1(A)^b2(A)^b3(A)] ^k[1];
C += P[b0(B)^b1(B)^b2(B)^b3(B)] ^k[2];
D += P[b0(C)^b1(C)^b2(C)^b3(C)] ^k[3];
k+=4;   // advance to the next round's subkeys
// end rounds

Also, is there a term for this specific method? (besides just "weak")

  • Is this cipher even reversible? – bmm6o Jul 19 '18 at 15:02
  • Absolutely! Thanks for asking:
    D -= P[b0(C)^b1(C)^b2(C)^b3(C)] ^k[3];
    C -= P[b0(B)^b1(B)^b2(B)^b3(B)] ^k[2];
    B -= P[b0(A)^b1(A)^b2(A)^b3(A)] ^k[1];
    A -= P[b0(D)^b1(D)^b2(D)^b3(D)] ^k[0];
    k-=4;
    – Chris Miller Jul 19 '18 at 15:03
  • Are the P values constant or derived from the key? – conchild Jul 19 '18 at 17:16
  • I have two flavors of slightly more complicate variations, and the p-box can be scheduled as part of the key (which slows down scheduling a little) or used static. – Chris Miller Jul 19 '18 at 17:52
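The cipher sketched in the question, written out as a complete C program, is added here as an example; it is not code from the question or from any commenter. The question specifies neither the table nor the key schedule, so P is filled with a fixed LCG sequence (a stand-in for the "random" values, not a designed S-box) and schedule() is a placeholder; ROUNDS, idx(), round_enc/round_dec, roundtrip_ok and a_after_one_round_ignores_bc are names chosen here. Besides the encrypt/decrypt round trip, the last function checks the diffusion observation made in the answer: after one round of the four steps, A depends only on A, D and k[0], so no bit of B or C can influence it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-extraction macros as in the question. */
#define b0(u) ((u) & 0xff)
#define b1(u) (((u) >> 8) & 0xff)
#define b2(u) (((u) >> 16) & 0xff)
#define b3(u) ((u) >> 24)

#define ROUNDS 8            /* constructed: one round = the four steps shown */

typedef struct { uint32_t A, B, C, D; } state_t;   /* 128-bit state */

static uint32_t P[256];     /* expansion table: 8-bit index -> 32-bit value */

/* Index into P: XOR of the four bytes of a word, as in the question. */
static uint32_t idx(uint32_t u) { return b0(u) ^ b1(u) ^ b2(u) ^ b3(u); }

/* Constructed filling of P with a full-period LCG (so all 256 entries are
   distinct); it stands in for the "random" table and is not a designed S-box. */
static void fill_P(void) {
    uint32_t x = 0x9E3779B9u;
    for (int i = 0; i < 256; i++) { x = x * 1664525u + 1013904223u; P[i] = x; }
}

/* Constructed placeholder key schedule: ROUNDS*4 subkeys from a 128-bit key. */
static void schedule(const uint32_t key[4], uint32_t k[ROUNDS * 4]) {
    uint32_t x = 0;
    for (int i = 0; i < ROUNDS * 4; i++) {
        x = (x ^ key[i & 3] ^ (uint32_t)i) * 0x01000193u;
        x ^= x >> 15;
        k[i] = x;
    }
}

/* The four steps from the question, with this round's subkeys k[0..3]. */
static void round_enc(state_t *s, const uint32_t k[4]) {
    s->A += P[idx(s->D)] ^ k[0];
    s->B += P[idx(s->A)] ^ k[1];
    s->C += P[idx(s->B)] ^ k[2];
    s->D += P[idx(s->C)] ^ k[3];
}

/* Inverse round: same lookups in reverse order with -= (as in the comments). */
static void round_dec(state_t *s, const uint32_t k[4]) {
    s->D -= P[idx(s->C)] ^ k[3];
    s->C -= P[idx(s->B)] ^ k[2];
    s->B -= P[idx(s->A)] ^ k[1];
    s->A -= P[idx(s->D)] ^ k[0];
}

static void encrypt(state_t *s, const uint32_t k[ROUNDS * 4]) {
    for (int r = 0; r < ROUNDS; r++) round_enc(s, k + 4 * r);
}
static void decrypt(state_t *s, const uint32_t k[ROUNDS * 4]) {
    for (int r = ROUNDS - 1; r >= 0; r--) round_dec(s, k + 4 * r);
}

/* 1 if decrypt(encrypt(pt)) == pt for a constructed key/plaintext and the
   ciphertext differs from the plaintext. */
static int roundtrip_ok(void) {
    const uint32_t key[4] = { 0x00010203u, 0x04050607u, 0x08090a0bu, 0x0c0d0e0fu };
    uint32_t k[ROUNDS * 4];
    state_t pt = { 0xdeadbeefu, 0x01234567u, 0x89abcdefu, 0x0badf00du }, ct, back;
    fill_P();
    schedule(key, k);
    ct = pt;   encrypt(&ct, k);
    back = ct; decrypt(&back, k);
    return memcmp(&back, &pt, sizeof pt) == 0 && memcmp(&ct, &pt, sizeof pt) != 0;
}

/* Diffusion check after ONE round: flip each bit of B and of C in turn and
   return 1 if A never changes. Also counts how many single-bit flips of D do
   change A (every one of the 32 does, because P is injective). */
static int a_after_one_round_ignores_bc(int *d_flips_changing_a) {
    const uint32_t k[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
    state_t base = { 0xdeadbeefu, 0x01234567u, 0x89abcdefu, 0x0badf00du }, ref, t;
    int ok = 1, cnt = 0;
    fill_P();
    ref = base; round_enc(&ref, k);
    for (int bit = 0; bit < 32; bit++) {
        t = base; t.B ^= 1u << bit; round_enc(&t, k); if (t.A != ref.A) ok = 0;
        t = base; t.C ^= 1u << bit; round_enc(&t, k); if (t.A != ref.A) ok = 0;
        t = base; t.D ^= 1u << bit; round_enc(&t, k); if (t.A != ref.A) cnt++;
    }
    if (d_flips_changing_a) *d_flips_changing_a = cnt;
    return ok;
}

static int d_bit_flips_changing_a(void) { int d; a_after_one_round_ignores_bc(&d); return d; }

int main(void) {
    printf("round trip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    printf("A after one round ignores B,C: %s (%d of 32 D-bit flips change A)\n",
           a_after_one_round_ignores_bc(NULL) ? "yes" : "no", d_bit_flips_changing_a());
    return 0;
}
```

The round trip works for any P and any subkeys because each step adds a value that does not depend on the word being modified; the table need not be invertible, which is the point made in the comments about Feistel-style use. The one-round check is the measurable form of the answer's remark that full diffusion has not been reached after the four steps.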

1 Answer


This is a simple 128-bit block cipher, reversibly changing a 32-bit word of the state at each of 4 steps shown. It is very similar to an unbalanced Feistel cipher, except that the change of state is with += rather than the conventional ^=. In the context that deviation has three consequences, with the first rather desirable:

  1. It creates alternation of ^ and + in the diffusion pattern.
  2. Decryption is less similar to encryption than in a Feistel cipher (I guess the decryption code uses -= ).
  3. Hardware implementation would be slightly bigger/more power hungry, perhaps even slightly slower; but 1 more than compensates, and that's a non-issue in software.

To hope for security, there must of course be MANY more rounds than shown. We have not even reached full diffusion (nothing in B or C influenced the outcome of A ). As a crude reference, AES-128 modifies its full state 10 times (discounting the initial XOR with a subkey); and Speck-128-128 modifies it 16 times. Security will depend a lot on the number of rounds, on a sensible choice of table P, and on the key schedule (producing the array k of subkeys from the actual key).

Note: Implementation in software is likely to suffer from data cache timing dependencies and other cache-related side channels, due to indexing in P at data-dependent indexes.

Note: as pointed out by Poncho (correcting my mistakes), this cipher generates an even permutation; but that's not a weakness, since that reveals 1 bit of information only after $2^{128}-2$ input-output pairs are collected.

  • As for point (2), the sketched cipher will always be an even permutation, even though it uses +=; that's because at each round, there are bits that do not participate in the transform. – poncho Jul 19 '18 at 15:58
  • Also, I do not understand your last point at all; if we replace b0(X)^b1(X)^b2(X)^b3(X) with b0(X), I don't see any right-ward diffusion from the upper 24 bits at all... – poncho Jul 19 '18 at 16:01
  • @poncho: I'm embarrassed by my two goofs. I do not quite get that evenness thing (I think I remember you are the one who told me that + makes a symmetric Feistel cipher capable of generating odd permutations; which I dutifully verified, and wrongly regurgitated). – fgrieu Jul 19 '18 at 16:20
  • Any round function that includes a bit that is unaffected, and doesn't affect any other bit, is always an even permutation. It's easy to show; if we consider the permutation that round implements (with a specific key), and the exchanges that implement that permutation, we can pair up the exchanges with that bit=0 with equivalent exchanges with that bit=1. Because we can pair the exchanges up, we always can implement it with an even number of exchanges, which means it's an even permutation. – poncho Jul 19 '18 at 17:30
  • @Poncho: I get it now! – fgrieu Jul 19 '18 at 17:32
  • Thanks for the great feedback, Poncho. I'll google "even permutation" to get a better feel for what you're saying. Here all 4 bytes of each A,B,C,D are hashed into a single p-box index. In my testing it exhibits greater diffusion than AES or rc6 over a single round. In another version I have each byte index the p-box and hash those 4 return values as the function. Also I use bytes from the other 3, not just one at each step. – Chris Miller Jul 19 '18 at 18:17
  • Thank you so much, fgrieu. It's indeed the simplest variation. Using ^ (instead of +) and adding 3 steps (i.e., A->B->C->D->C->B->A) would balance it so decryption looks exactly like encryption except for key order. But the 4-step form is better over multiple rounds I think. There are lots of ways to extract and hash p-box values. I've implemented 256, 512, 1024, and 2048 element ones. They can be populated with any normal/random sequence (I use Euler's #, phi, sqrt 2, etc.) or scheduled. Very easy to roll proprietary/custom implementations of this cipher. Assuming it's sound? – Chris Miller Jul 19 '18 at 18:34
  • @fgrieu: This unbalanced Feistel structure with modular addition instead of XOR isn't unheard of in battle-tested ciphers, for example, SHACAL-2 (and thus SHA-2) uses one. –  Jul 19 '18 at 18:36
  • @ChrisMiller What you call a "p-box" is usually called an S-box, and rather than use random sequences, they're usually specifically designed to have desirable properties like non-linearity and resistance to differential analysis. –  Jul 19 '18 at 18:36
  • Hi conchild. If I #define SCHEDULE_PBOX then the table is scheduled as part of the key (sort of). Else the static const table is used. Both ways seem to work well. – Chris Miller Jul 19 '18 at 18:40
  • @Fanael, thanks. Will check them out. I thought s-boxes were for SPN network ciphers and had to be invertible, and also more rigorously defined mathematically because of this. Permutation (p-) boxes are more for one-way hashing and so can be compression or expansion capable (unlike s-boxes). – Chris Miller Jul 19 '18 at 18:46
  • @ChrisMiller An S-box needs to be invertible only when used in a SPN, in a Feistel network this property is not needed: for example, the DES S-boxes take 6 bits of input and output 4 bits. –  Jul 19 '18 at 18:50
  • @ChrisMiller The term "P-box" is typically used to describe the permutation part of a SPN. –  Jul 19 '18 at 18:50
  • @ChrisMiller one must design the S-box (p-box in your terms) to have strong cryptographic properties which have been proven to resist existing cryptanalysis attacks. I would suggest that making such ciphers for mind exercise is good but should not be used in production. One must use publicly tested and verified standard ciphers with standard implementations so that SCA can be avoided. – crypt Jul 19 '18 at 19:06
  • @R18S Where an s-box is going to be inverted (as in an SPN like AES), this is true. But for an expansion-type p-box used as a one-way hash, even if not scheduled as part of the key, I'm not so sure. – Chris Miller Jul 20 '18 at 12:56
  • @fgrieu AES 1 round:
    w=T0[b3(a)]^T1[b2(d)]^T2[b1(c)]^T3[b0(b)]^k1;
    x=T0[b3(b)]^T1[b2(a)]^T2[b1(d)]^T3[b0(c)]^k2;
    y=T0[b3(c)]^T1[b2(b)]^T2[b1(a)]^T3[b0(d)]^k3;
    z=T0[b3(d)]^T1[b2(c)]^T2[b1(b)]^T3[b0(a)]^k4;
    changing bits 0-7 in a impacts only z? also, do these table look-ups expose AES to timing attacks as well?
    – Chris Miller Jul 20 '18 at 13:35
  • @ChrisMiller: AES changes its whole state at each round (that's a must since it is a substitution cipher with identical rounds), which is the (crude) measure used in the answer. The answer does not state that AES has full diffusion at each round (that requires two rounds). – fgrieu Jul 20 '18 at 13:47
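poncho's evenness argument can be checked by brute force on a scaled-down copy of the cipher. The program below is an added example, not code from the thread: it uses 4-bit words so that the 16-bit state space can be enumerated, builds the full permutation for a given number of rounds, and computes its sign from the cycle count. W, MASK, NSTATES, toy_round, perm_sign, toy_cipher_sign and full_width_add_sign are names chosen here; toyP and toyk are constructed values, and the table index is D itself because a 4-bit word has only one "byte". Both the += form and the ^= form come out even, while a full-width s + 1 on the 16-bit state, in which every bit participates, is odd: the evenness comes from the untouched bits, exactly as the argument says, and not from the choice of + over ^.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy parameters (constructed): 4-bit words, so the state A|B|C|D is 16 bits
   and the whole permutation on 65536 states can be tabulated. */
#define W 4
#define MASK ((1u << W) - 1)
#define NSTATES (1u << (4 * W))

static uint32_t toyP[1u << W];   /* constructed table, W-bit entries */
static uint32_t toyk[4];         /* constructed subkeys for one round */

static void toy_setup(uint32_t seed) {
    uint32_t x = seed;
    for (unsigned i = 0; i < (1u << W); i++) { x = x * 1103515245u + 12345u; toyP[i] = (x >> 16) & MASK; }
    for (int i = 0; i < 4; i++)              { x = x * 1103515245u + 12345u; toyk[i] = (x >> 16) & MASK; }
}

/* One round in the question's shape; add_not_xor selects += versus ^=.
   In every step, two of the four words are neither read nor written. */
static uint32_t toy_round(uint32_t s, int add_not_xor) {
    uint32_t A = s & MASK, B = (s >> W) & MASK, C = (s >> 2 * W) & MASK, D = (s >> 3 * W) & MASK;
    if (add_not_xor) {
        A = (A + (toyP[D] ^ toyk[0])) & MASK;
        B = (B + (toyP[A] ^ toyk[1])) & MASK;
        C = (C + (toyP[B] ^ toyk[2])) & MASK;
        D = (D + (toyP[C] ^ toyk[3])) & MASK;
    } else {
        A ^= toyP[D] ^ toyk[0];
        B ^= toyP[A] ^ toyk[1];
        C ^= toyP[B] ^ toyk[2];
        D ^= toyP[C] ^ toyk[3];
    }
    return A | (B << W) | (C << 2 * W) | (D << 3 * W);
}

/* Sign of a permutation given as a table: +1 even, -1 odd.
   A cycle of length L needs L-1 transpositions, so sign = (-1)^(n - #cycles). */
static int perm_sign(const uint32_t *perm, uint32_t n) {
    uint8_t *seen = calloc(n, 1);
    uint32_t cycles = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (seen[i]) continue;
        cycles++;
        for (uint32_t j = i; !seen[j]; j = perm[j]) seen[j] = 1;
    }
    free(seen);
    return ((n - cycles) % 2 == 0) ? 1 : -1;
}

/* Tabulates `rounds` rounds of the toy cipher over all states and returns the
   sign of the resulting permutation (0 if the map is not a bijection). */
static int toy_cipher_sign(uint32_t seed, int rounds, int add_not_xor) {
    toy_setup(seed);
    uint32_t *perm = malloc(NSTATES * sizeof *perm);
    uint8_t *hit = calloc(NSTATES, 1);
    int bijective = 1;
    for (uint32_t s = 0; s < NSTATES; s++) {
        uint32_t t = s;
        for (int r = 0; r < rounds; r++) t = toy_round(t, add_not_xor);
        perm[s] = t;
        if (hit[t]) bijective = 0;
        hit[t] = 1;
    }
    int sign = bijective ? perm_sign(perm, NSTATES) : 0;
    free(perm); free(hit);
    return sign;
}

/* Contrast: s -> s + 1 mod 2^16 touches every bit and is a single 65536-cycle,
   hence odd. Addition alone does not force evenness; untouched bits do. */
static int full_width_add_sign(void) {
    uint32_t *perm = malloc(NSTATES * sizeof *perm);
    for (uint32_t s = 0; s < NSTATES; s++) perm[s] = (s + 1) & (NSTATES - 1);
    int sign = perm_sign(perm, NSTATES);
    free(perm);
    return sign;
}

int main(void) {
    printf("toy cipher, +=, 1 round : sign %+d\n", toy_cipher_sign(1u, 1, 1));
    printf("toy cipher, +=, 4 rounds: sign %+d\n", toy_cipher_sign(12345u, 4, 1));
    printf("toy cipher, ^=, 2 rounds: sign %+d\n", toy_cipher_sign(1u, 2, 0));
    printf("full-width s+1          : sign %+d\n", full_width_add_sign());
    return 0;
}
```

Each step acts on the (A, D) pair identically for all 2^(2W) values of (B, C), so the step is 2^(2W) disjoint copies of one permutation and its sign is that permutation's sign raised to an even power; composing even permutations keeps the result even, whatever the table, the subkeys or the round count.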