Scientific article on the topic 'Cryptautomata: definition, cryptanalysis, example'

Cryptautomata: definition, cryptanalysis, example. Text of a scientific article in the specialty "Mathematics"

CC BY
Keywords
FINITE AUTOMATON / AUTOMATA NETWORK / CRYPTAUTOMATON / ALTERNATING CONTROL CRYPTAUTOMATON / CRYPTANALYSIS / "DIVIDE-AND-SOLVE-AND-SUBSTITUTE" (DSS METHOD) / PARTIALLY DEFINED FUNCTION COMPLETION

Abstract of a scientific article on mathematics, author of the scientific work: Agibalov G. P.

This conference paper is an extended abstract of a recent article in Prikladnaya Diskretnaya Matematika (2017, No. 36), where we presented the definition of the cryptautomata and described some cryptanalysis techniques for them. In cryptosystems, the cryptautomata are widely used as primitives, including cryptographic generators, s-boxes, filters, combiners, keyed hash functions, as well as symmetric and public-key ciphers and digital signature schemes. A cryptautomaton is defined as a class C of automata networks of a fixed structure N constructed by means of the series, parallel, and feedback connection operations over initial finite automata (finite state machines) with transition and output functions taken from some predetermined functional classes. A cryptautomaton key can include initial states, transition and output functions of some components in N. Choosing a certain key k produces a certain network $N_k$ from C to be a new cryptographic algorithm. In case of invertibility of $N_k$, this algorithm can be used for encryption. The operation (functioning) of any network $N_k$ in discrete time is described by the canonical system of equations of its automaton. The structure of $N_k$ is described by the union of the canonical systems of equations of its components. The cryptanalysis problems for a cryptautomaton are considered as the problems of solving the operational or structural system of equations of $N_k$ with the corresponding unknowns, which are key k variables and (or) plaintexts (input sequences). For solving such a system E, the method DSS is used. It is the iteration of the following three actions: 1) E is Divided into subsystems E' and E'', where E' is easily solvable; 2) E' is Solved; 3) the solutions of E' are Substituted into E'' by turns. The definition and cryptanalysis of a cryptautomaton are illustrated by the example of the autonomous alternating control cryptautomaton. It is a generalization of the LFSR-based cryptographic alternating step generator. We present a number of attacks on this cryptautomaton with the states or output functions of its components as a key.


Text of the scientific work on the topic "Cryptautomata: definition, cryptanalysis, example"

Each of the eight 6x4 s-boxes of the DES algorithm can be represented as 32 s-boxes of size 4x4 by fixing the bits a1 and a6, which control the choice of one of the four substitutions of degree 16 of the s-box, where a1, a2, ..., a6 are the bits of the s-box input. When other bits are fixed, the bijectivity of the s-box is not guaranteed. It was established that 6 s-boxes do not have property 2 (presence of fixed points). A number of s-boxes do not have property 4: 16 s-boxes have $p_s = 8/16$, 14 have $p_s = 6/16$, and there is one s-box each with $p_s = 4/16$ and $p_s = 10/16$.

The GOST 28147-89 algorithm uses 8 s-boxes of size 4x4; there are recommendations for their selection [3]. It was established that three of the eight s-boxes do not have property 2 (presence of fixed points); all s-boxes have $p_s = 4/16$.

Conclusions

1. The constructed set of 4x4 s-boxes, which has a number of positive properties, can be used in solving problems of synthesis of prospective cryptographic algorithms.

2. The developed software can be used to study the 4x4 s-boxes used in various existing and prospective cryptographic systems.

REFERENCES

1. Menyachikhin A. Spectral-Linear and Spectral-Difference Methods for Generating Cryptographically Strong S-Boxes. CTCrypt Preproc., 2016.

2. Fomichev V. M. Metody diskretnoy matematiki v kriptologii [Methods of discrete mathematics in cryptology]. Moscow: Dialog-MIFI, 2010. 424 p. (in Russian)

3. Standardization recommendations of TC 26 "Specification of the substitution nodes of the substitution block of the GOST 28147-89 encryption algorithm". 2013. (in Russian)

UDC 519.7 DOI 10.17223/2226308X/10/43

CRYPTAUTOMATA: DEFINITION, CRYPTANALYSIS, EXAMPLE¹

G. P. Agibalov

This conference paper is an extended abstract of a recent article in Prikladnaya Diskretnaya Matematika (2017, No. 36), where we presented the definition of the cryptautomata and described some cryptanalysis techniques for them. In cryptosystems, the cryptautomata are widely used as primitives, including cryptographic generators, s-boxes, filters, combiners, keyed hash functions, as well as symmetric and public-key ciphers and digital signature schemes. A cryptautomaton is defined as a class C of automata networks of a fixed structure N constructed by means of the series, parallel, and feedback connection operations over initial finite automata (finite state machines) with transition and output functions taken from some predetermined functional classes. A cryptautomaton key can include initial states, transition and output functions of some components in N. Choosing a certain key k produces a certain network $N_k$ from C to be a new cryptographic algorithm. In case of invertibility of $N_k$, this algorithm can be used for encryption. The operation (functioning) of any network $N_k$ in discrete time is described by the canonical system of equations of its automaton. The structure of $N_k$ is described by the union of the canonical systems of equations of its components. The cryptanalysis problems for a cryptautomaton are considered as the problems of solving the operational or structural system of equations of $N_k$ with the corresponding unknowns, which are key k variables and (or) plaintexts (input sequences). For solving such a system E, the method DSS is used. It is the iteration of the following three actions: 1) E is Divided into subsystems E' and E'', where E' is easily solvable; 2) E' is Solved; 3) the solutions of E' are Substituted into E'' by turns. The definition and cryptanalysis of a cryptautomaton are illustrated by the example of the autonomous alternating control cryptautomaton. It is a generalization of the LFSR-based cryptographic alternating step generator. We present a number of attacks on this cryptautomaton with the states or output functions of its components as a key.

¹ This work was supported by the RFBR grant, project No. 17-01-00354.

Keywords: finite automaton, automata network, cryptautomaton, alternating control cryptautomaton, cryptanalysis, "divide-and-solve-and-substitute", partially defined function completion.

1. Definition

In this paper, we present an extended abstract of the recent article [1] devoted to the definition of the cryptautomata and to the description of some cryptanalysis techniques for them. Here is a formal mathematical definition: a cryptautomaton is a three-tuple (C, I, K), where C, the network class, is a finite set of possible automaton networks; I, the keyplace, is a finite set of possible key variables; and K, the keyspace, is a finite set of possible keys. The automaton networks under consideration are constructed from some initial finite automata (finite-state machines) by using the operations of series, parallel, and feedback connection, and they themselves uniquely define some initial finite automata.

The set C is completely defined by any automaton network $N \in C$ and consists of all the automaton networks that can differ from N only in some parameters of some components. For every such parameter, the set of these components is presented in the keyplace I, and the parameter itself is presented in the keyspace K as a part of a key. Here, by the parameters of an automaton $A_i = (X_i, S_i, Y_i, g_i, f_i, s_i(1))$ in N, we mean its initial state $s_i(1)$, its transition function $g_i : X_i \times S_i \to S_i$, and its output function $f_i : X_i \times S_i \to Y_i$. It is supposed that the parameters $s_i(1)$, $g_i$, and $f_i$ are elements of, respectively, the set $S_i$ of states of $A_i$, a class $G_i$ of functions $g : X_i \times S_i \to S_i$, and a class $F_i$ of functions $f : X_i \times S_i \to Y_i$.

So, if N consists of r components $A_i$, $i \in \{1, 2, \dots, r\}$, then the keyplace I is the three-tuple of sets $I_s$, $I_t$, and $I_o$ that are subsets of $\{1, 2, \dots, r\}$, and the keyspace K of the cryptautomaton is the Cartesian product of the sets $K_s$, $K_t$, and $K_o$, where
$$K_s = \prod_{i \in I_s} S_i, \qquad K_t = \prod_{i \in I_t} G_i, \qquad K_o = \prod_{i \in I_o} F_i.$$
Thus, a key in K is a three-tuple $k_s k_t k_o$, where $k_s \in K_s$, $k_t \in K_t$, and $k_o \in K_o$, that is, a cryptautomaton key can be composed of the initial states of some components in N, of transition functions in $G_i$ for some $i \in \{1, 2, \dots, r\}$, and of output functions in $F_j$ for some $j \in \{1, 2, \dots, r\}$.

Each key k in K defines a certain automaton network $N_k$ in C, and $C = \{N_k : k \in K\}$. The operation (functioning) of this network $N_k$ in discrete time is described by the canonical system of equations of its automaton as well as by the union of the canonical systems of equations describing the operation of the components in $N_k$. The second system of equations also describes the structure (circuit) of $N_k$. If, for every k, the automaton of $N_k$ is invertible, the cryptautomaton (C, I, K) is a cipher.

2. Cryptanalysis

There are many different cryptanalysis problems for a given cryptautomaton (C, I, K). Some of them are stated as follows: given a finite output sequence $\gamma$ of a network $N_k$ in C and, possibly, an input sequence $\alpha$ which $N_k$ transforms into $\gamma$, determine the key k and (or) the sequence $\alpha$. For solving these problems, we propose to solve the following two mathematical problems:

1) finding solutions of the systems of equations describing the operation or structure of the automaton networks in the network class C;

2) completing partially defined functions in a functional class, that is, for a given partially defined function $\varphi$ and a class $\Phi$ of completely defined functions, it is required to find a function in $\Phi$ which coincides with $\varphi$ on its domain.

In fact, the second problem is connected with the first one and arises after partially determining the unknown output or transition functions of some components in the network $N_k$ by solving its system of equations.

The system E of equations of any automaton network is recursively easily solvable (r.e.s.), that is, it has a nonempty subsystem $E_1 \subseteq E$ with a small effective subset U of unknowns such that assigning any possible values to them makes $E_1$ easily solvable, and the subsystem $E_2 = E \setminus E_1$ becomes r.e.s. after substitution of any solution of $E_1$ into it. Thus, every solution of E can be computed by the method DSS [1, 2], consisting of three repeated actions: Divide E into $E_1$ and $E_2$, Solve $E_1$, and Substitute the solutions of $E_1$ into $E_2$.

In [1], we illustrated the method DSS by solving the canonical systems of equations of finite automata and of series, parallel, and feedback automaton networks over the field $\mathbb{F}_2$ of two elements. The solution problem was the following one: given an output sequence of an automaton network N, find the input sequences of N. In addition, we defined an autonomous cryptautomaton with alternating control over $\mathbb{F}_2$ (a generalization of the cryptographic alternating step generator on LFSRs [3]) and illustrated the method DSS and the problem of completing partially defined functions by several attacks on this cryptautomaton with different keyplaces I and corresponding keyspaces K.

3. Autonomous alternating control cryptautomaton

Let $\Sigma$ be an autonomous cryptautomaton (C, I, K). It is called an alternating control cryptautomaton if each automaton network N in C is a network with alternating control, that is, N is a series-parallel connection of three automata: an autonomous automaton $A_1 = (\mathbb{F}_2^{m_1}, \mathbb{F}_2, g_1, f_1, s_1(1))$ and two non-autonomous automata $A_2$ and $A_3$, $A_i = (\mathbb{F}_2, \mathbb{F}_2^{m_i}, \mathbb{F}_2, g_i, f_i, s_i(1))$, $i \in \{2, 3\}$, both controlled by $A_1$ in such a way that, for any input symbol $y_1$ (produced on the output of $A_1$) and states $s_2$ and $s_3$ respectively, the alternation condition $g_2(y_1, s_2) = s_2 \Leftrightarrow g_3(y_1, s_3) \ne s_3$ holds (exactly one of the controlled automata changes its state at each step), and both producing output symbols $y_2$ and $y_3$ respectively, with the sum $y_2 \oplus y_3 \bmod 2$ on the output of N. For each $i \in \{1, 2, 3\}$, it is supposed that $S_i = \mathbb{F}_2^{m_i}$, $g_i \in G_i$, and $f_i \in F_i$, where $G_i$ and $F_i$ are some functional classes. The following is the canonical system of equations of the network N with alternating control:

$$
\begin{aligned}
y_1(t) &= f_1(s_1(t)), & s_1(t+1) &= g_1(s_1(t)),\\
y_2(t) &= f_2(y_1(t), s_2(t)), & s_2(t+1) &= g_2(y_1(t), s_2(t)),\\
y_3(t) &= f_3(y_1(t), s_3(t)), & s_3(t+1) &= g_3(y_1(t), s_3(t)),\\
y(t) &= y_2(t) \oplus y_3(t), \quad t \ge 1, & s_1(1)s_2(1)s_3(1) &\text{ is the initial state},
\end{aligned}
$$

where the first two equations describe the automaton $A_1$, and the next five equations describe the parallel subnetwork N' of the automata $A_2$ and $A_3$.

Here, for the cryptanalysis of an alternating control cryptautomaton $\Sigma$, we describe some attacks on it with a known output sequence $\gamma = y(1)y(2) \dots y(l)$, $l \ge 1$, in order to determine its key k by using the method DSS for solving the canonical system of equations of a network $N_k$ in C and by completing the partially defined output functions of its components in their classes. The attacks depend on the type of keyplace I in $\Sigma$.

1. $I_s = \{1\}$, $I_t = I_o = \emptyset$; $K_s = S_1 = \mathbb{F}_2^{m_1}$, $K_t = K_o = \emptyset$; $K = K_s = \mathbb{F}_2^{m_1}$; $k = s_1(1) \in K$.

Attack 1: 1) given $\gamma$ on the output of $\Sigma$, use the method DSS and compute the input sequences of the parallel subnetwork N', which are, simultaneously, the output sequences of the automaton $A_1$; 2) for each of these sequences, find an initial state $s_1(1)$ of the automaton $A_1$ by an exhaustive key search.

The computational complexity of the attack equals $2^{m_1}$.

2. $I_s = \{1, 2\}$, $I_t = I_o = \emptyset$; $K_s = S_1 \times S_2 = \mathbb{F}_2^{m_1} \times \mathbb{F}_2^{m_2}$, $K_t = K_o = \emptyset$; $K = K_s = \mathbb{F}_2^{m_1} \times \mathbb{F}_2^{m_2}$; $k = s_1(1)s_2(1) \in K$.

In this case, the key of $\Sigma$ is computed by a meet-in-the-middle attack. In advance, before the attack, for each possible value a of the unknown $s_1(1)$, compute $s_1(t+1) = g_1(s_1(t))$ and $y_1(t) = f_1(s_1(t))$ for $t \in \{1, 2, \dots, l\}$ with $s_1(1) = a$, and store a in memory at the address $H(y_1(1)y_1(2) \dots y_1(l))$, where $H : \mathbb{F}_2^l \to \mathbb{F}_2^{m_1}$ is a hash function.

Attack 2: given $\gamma$ on the output of $\Sigma$, use the method DSS and compute the input sequences of the subnetwork N' for different values of $s_2(1)$, until for some value b a sequence $\beta$ is obtained on the input of N' such that a value a of $s_1(1)$ is stored in memory at the address $H(\beta)$; in this case the pair (a, b) is taken as the result, the key k.

The computational complexity of the attack equals $2^{m_2}$.

Remark: the attack remains valid after exchanging the roles of $A_2$ and $A_3$ in it.

3. $I_s = \{1, 2, 3\}$, $I_t = I_o = \emptyset$; $K_s = S_1 \times S_2 \times S_3 = \mathbb{F}_2^{m_1} \times \mathbb{F}_2^{m_2} \times \mathbb{F}_2^{m_3}$, $K_t = K_o = \emptyset$; $K = K_s = \mathbb{F}_2^{m_1} \times \mathbb{F}_2^{m_2} \times \mathbb{F}_2^{m_3}$; $k = s_1(1)s_2(1)s_3(1) \in K$, and the set of variables $y_1(1), y_1(2), \dots, y_1(l)$ is a linearization set in the system of equations E' of the subnetwork N' of the network N.

Attack 3: for each $s_1(1)$ in $S_1$: 1) compute $s_1(t+1) = g_1(s_1(t))$ and $y_1(t) = f_1(s_1(t))$ for $t \in \{1, 2, \dots, l\}$; 2) execute the linearization attack on E', namely, substitute the values $y_1(1), y_1(2), \dots, y_1(l)$ into E', solve the obtained system E'' of linear equations by the Gauss method, and find the values of the unknowns $s_2(t)$ and $s_3(t)$, $t \in \{1, 2, \dots, l\}$; 3) from each solution of E'' satisfying the alternation condition for all t, $1 \le t \le l$, take the values of $s_2(1)$ and $s_3(1)$ and fix the three-tuple $(s_1(1)s_2(1)s_3(1))$ as one of the values of the key k.

The computational complexity of the attack equals $2^{m_1}$.

Remark. So we have proved that, in this case, the real key of the alternating control cryptautomaton is the initial state of the controlling automaton, and extending it with the initial states of the controlled automata does not increase the cryptographic security of the cryptautomaton. For the LFSR-based cryptographic alternating step generators, this fact was shown earlier in [4].
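As an added illustration (not code from the paper), the Python block below instantiates the alternating control network of this section with three LFSRs, i.e. the LFSR-based alternating step generator, and runs Attack 3: for each candidate $s_1(1)$ the known sequence $y_1(t)$ turns the subnetwork N' into a linear system in $s_2(1)$, $s_3(1)$ over $\mathbb{F}_2$, which Gauss elimination solves, so the cost is $2^{m_1}$ linear solves rather than $2^{m_1 + m_2 + m_3}$ trials, as the remark above states. The LFSR lengths, tap masks and output functions $f_i$ (the top state bit) are constructed for this example and are assumptions, not parameters from the paper.

```python
LFSRS = [(5, 0b10010), (6, 0b100001), (7, 0b1000001)]  # constructed: (m_i, tap mask) of A1, A2, A3

def step(s, m, taps):
    """One clock of an LFSR: shift left, feed the parity of the tapped bits into bit 0."""
    return ((s << 1) | (bin(s & taps).count("1") & 1)) & ((1 << m) - 1)

def out(s, m):
    return (s >> (m - 1)) & 1                             # f_i: most significant state bit (linear)

def run_network(s1, s2, s3, l):
    """Canonical system of N: returns gamma = y(1..l) and y1(1..l); A2 steps iff y1(t) = 1, A3 iff y1(t) = 0."""
    (m1, t1), (m2, t2), (m3, t3) = LFSRS
    y, y1 = [], []
    for _ in range(l):
        c = out(s1, m1)                                   # y1(t) = f1(s1(t))
        y1.append(c)
        y.append(out(s2, m2) ^ out(s3, m3))               # y(t) = y2(t) + y3(t) mod 2
        s1 = step(s1, m1, t1)                             # s1(t+1) = g1(s1(t))
        s2 = step(s2, m2, t2) if c else s2                # s2(t+1) = g2(y1(t), s2(t))
        s3 = s3 if c else step(s3, m3, t3)                # s3(t+1) = g3(y1(t), s3(t))
    return y, y1

def solve_f2(rows, rhs, n):
    """All x in F2^n with <row_t, x> = rhs_t for all t; rows are n-bit masks; [] if inconsistent."""
    piv = []                                              # (pivot column, row mask, rhs bit)
    for r, b in zip(rows, rhs):
        for c, pr, pb in piv:                             # reduce by the pivots found so far
            if r >> c & 1:
                r, b = r ^ pr, b ^ pb
        if r == 0:
            if b:
                return []
            continue
        c = r.bit_length() - 1
        piv = [(pc, pr ^ r, pb ^ b) if pr >> c & 1 else (pc, pr, pb) for pc, pr, pb in piv]
        piv.append((c, r, b))
    free = [c for c in range(n) if all(c != pc for pc, _, _ in piv)]
    sols = []
    for k in range(1 << len(free)):                       # one solution per free-variable assignment
        x = sum(((k >> j) & 1) << c for j, c in enumerate(free))
        for c, pr, pb in piv:                             # pivot bit = rhs + parity of the free part
            x |= (pb ^ (bin((pr ^ (1 << c)) & x).count("1") & 1)) << c
        sols.append(x)
    return sols

def attack3(gamma):
    """Attack 3: for every s1(1), the known y1(t) linearize E'; solve E'' for s2(1), s3(1)."""
    (m1, _), (m2, t2), (m3, t3) = LFSRS
    keys = []
    for s1 in range(1 << m1):
        y1 = run_network(s1, 0, 0, len(gamma))[1]        # step 1: y1 does not depend on s2, s3
        b2, b3 = [1 << i for i in range(m2)], [1 << i for i in range(m3)]  # basis-vector images
        rows = []
        for c in y1:                                      # step 2: row t of the linear system E''
            rows.append(sum(out(v, m2) << i for i, v in enumerate(b2))
                        | sum(out(v, m3) << (m2 + i) for i, v in enumerate(b3)))
            b2 = [step(v, m2, t2) for v in b2] if c else b2
            b3 = b3 if c else [step(v, m3, t3) for v in b3]
        for x in solve_f2(rows, gamma, m2 + m3):          # step 3: each solution is a key value
            keys.append((s1, x & ((1 << m2) - 1), x >> m2))
    return keys
```

Because the clocking is fixed by $y_1$, every solution of E'' reproduces $\gamma$ exactly, so any extra keys returned are equivalent keys for this output.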

4. $I_s = I_t = \emptyset$, $I_o = \{1\}$; $K_s = K_t = \emptyset$, $K_o = F_1$; $K = K_o = F_1$; $k = f_1 \in K$.

Attack 4: 1) compute $s_1(t+1) = g_1(s_1(t))$, $t \in \{1, 2, \dots, l-1\}$; 2) as in Attack 1, step 1, compute the input sequences of the subnetwork N' of the network N by the method DSS; 3) for any of these sequences $y_1(1)y_1(2) \dots y_1(l)$ and the state sequence $s_1(1)s_1(2) \dots s_1(l)$ of the automaton $A_1$, construct a partially defined function $\tilde f_1$ as $\tilde f_1(s_1(t)) = y_1(t)$ for $t \in \{1, 2, \dots, l\}$; 4) in the class $F_1$, find a function $f_1$ which is an extension of $\tilde f_1$ and, if this succeeds, give $f_1$ as one of the values of the key k.

Remark: to obtain all the values of the key k under which the cryptautomaton produces $\gamma$, the construction in step 3 is executed for every sequence computed in step 2.

5. $I_s = I_t = \emptyset$, $I_o = \{2\}$; $K_s = K_t = \emptyset$, $K_o = F_2$; $K = K_o = F_2$; $k = f_2 \in K$.

Attack 5: 1) compute $s_1(t+1) = g_1(s_1(t))$, $y_1(t) = f_1(s_1(t))$ in the automaton $A_1$ and $s_3(t+1) = g_3(y_1(t), s_3(t))$, $y_3(t) = f_3(y_1(t), s_3(t))$ in the automaton $A_3$ for $t \in \{1, 2, \dots, l\}$; 2) construct a partially defined function $\tilde f_2$ as $\tilde f_2(y_1(t), s_2(t)) = y(t) \oplus y_3(t)$ for $t \in \{1, 2, \dots, l\}$; 3) in the class $F_2$, find a function $f_2$ which is an extension of $\tilde f_2$ and, if this succeeds, give $f_2$ as one of the values of the key k.

Remark: the attack remains valid after exchanging the roles of $A_2$ and $A_3$ in it.

6. $I_s = I_t = \emptyset$, $I_o = \{2, 3\}$; $K_s = K_t = \emptyset$, $K_o = F_2 \times F_3$; $K = K_o = F_2 \times F_3$; $k = f_2 f_3 \in K$.

Attack 6: 1) compute $s_1(t+1) = g_1(s_1(t))$, $y_1(t) = f_1(s_1(t))$ in the automaton $A_1$ for $t \in \{1, 2, \dots, l\}$, $s_2(t+1) = g_2(y_1(t), s_2(t))$ in the automaton $A_2$, and $s_3(t+1) = g_3(y_1(t), s_3(t))$ in the automaton $A_3$ for $t \in \{1, 2, \dots, l-1\}$; 2) compute the $2^l$ pairs of sequences $y_{2j}(1)y_{2j}(2) \dots y_{2j}(l)$, $y_{3j}(1)y_{3j}(2) \dots y_{3j}(l)$, $j \in \{1, 2, \dots, 2^l\}$, such that $y_{2j}(t) = y_{3j}(t) = 0 \lor y_{2j}(t) = y_{3j}(t) = 1$ if $y(t) = 0$, and $(y_{2j}(t) = 0, y_{3j}(t) = 1) \lor (y_{2j}(t) = 1, y_{3j}(t) = 0)$ if $y(t) = 1$; 3) for each $j \in \{1, 2, \dots, 2^l\}$, construct the partial Boolean functions $\tilde f_{2j}$ and $\tilde f_{3j}$ as $\tilde f_{2j}(y_1(t), s_2(t)) = y_{2j}(t)$ and $\tilde f_{3j}(y_1(t), s_3(t)) = y_{3j}(t)$, $t \in \{1, 2, \dots, l\}$; 4) in the classes $F_2$ and $F_3$, find functions $f_2$ and $f_3$ respectively which are extensions of $\tilde f_{2j}$ and $\tilde f_{3j}$ respectively and, if this succeeds, give $f_2 f_3$ as one of the values of the key k.

The computational complexity of the attack equals $2^l$.

Remark: if, in step 4, for every j at least one of the functions $\tilde f_{2j}$ or $\tilde f_{3j}$ cannot be completed in the corresponding class, $F_2$ or $F_3$, then the cryptanalysis problem for the cryptautomaton $\Sigma$ has no solution in this case.

REFERENCES

1. Agibalov G. P. Kriptoavtomaty s funktsional'nymi klyuchami [Cryptautomata with functional keys]. Prikladnaya Diskretnaya Matematika, 2017, no. 36, pp. 59-72. (in Russian)

2. Agibalov G. P. and Pankratova I. A. O dvukhkaskadnykh konechno-avtomatnykh kriptograficheskikh generatorakh i metodakh ikh kriptoanaliza [About 2-cascade finite automata cryptographic generators and their cryptanalysis]. Prikladnaya Diskretnaya Matematika, 2017, no. 35, pp. 38-47. (in Russian)

3. Menezes A., van Oorschot P., and Vanstone S. Handbook of Applied Cryptography. CRC Press Inc., 1997. 661 p.

4. Agibalov G. P. Logicheskie uravneniya v kriptoanalize generatorov klyuchevogo potoka [Logical equations in cryptanalysis of key stream generators]. Vestnik TSU. Prilozhenie, 2003, no. 6, pp. 31-41. (in Russian)
