
An Efficient Nonlinear Shift-Invariant Transformation

Joan Daemen, Rene Govaerts and Joos Vandewalle


Katholieke Universiteit Leuven, Laboratorium ESAT, Kardinaal Mercierlaan 94, B-3001 Heverlee, Belgium
email: joan.daemen@esat.kuleuven.ac.be

Abstract. In this paper we investigate a simple nonlinear shift-invariant transformation with respect to its nonlinear properties relevant in cryptographic applications. With respect to differential cryptanalysis it is shown that the space of possible disturbances at the output of the transformation caused by a disturbance at the input of the transformation can be described as an affine variety. All disturbances in this set are equiprobable. The affine variety can efficiently be calculated given the input disturbance. With respect to linear cryptanalysis it is shown that the space of all possible linear combinations of input components that are correlated to a given linear combination of output components can be described as an affine variety. The correlation of the linear combination of output components is equal for all linear combinations of input components in this set. The affine variety can efficiently be calculated given the linear combination of output components.

1 Introduction
Cryptographically secure ciphers and hash functions cannot be realized without the use of nonlinear component functions. This paper describes the nonlinear behavior of a transformation with a very simple specification. This transformation will be denoted by $\chi$. In [1], Stephen Wolfram proposed the generation of pseudorandom sequences by means of automata with shift-invariant state-transition functions, called cellular automata. The transformation $\chi$ is closely related to one of the two nonlinear transformations that were proposed in [1] to be used as state-transition function. Later it was shown in [2] that the cellular automata proposals of [1] had important cryptographic weaknesses. These weaknesses could be attributed to the low diffusion, or information spreading, capability of the state-transition function. In [6] we criticized the approach set out in [1] and proposed a number of new shift-invariant state-transition functions ourselves. This included a shift-invariant transformation composed of $\chi$ and a simple linear transformation for high diffusion. Later research led us to the conclusion that the requirement of a shift-invariant state transition is an unnecessary restriction with unfavorable consequences for the cryptographic strength of the resulting sequence generator. Therefore we abandoned the cellular automata approach.

Because of its ease of implementation, its invertibility and the compactness of its description, $\chi$ is the single nonlinear component in almost all cryptographic designs we have proposed since. This includes cryptographic hash functions [7, 8], a synchronous stream cipher [8] and a block cipher [10]. The suitability for hardware implementation was demonstrated by the chip realization [9] of the algorithms described in [8]. This chip was realized using standard cells in a conservative 2.4 µm technology and implements a cryptographic hash function (560 Mbit/s) and a synchronous stream cipher (280 Mbit/s). $\chi$ is a member of the set of shift-invariant transformations on one-dimensional binary arrays. A systematic treatment of the detection and proof of invertibility in this set is given in [11]. This paper discusses the nonlinear properties of $\chi$ that are relevant in the context of two types of general cryptanalytic attacks: differential cryptanalysis [3] and linear cryptanalysis [4]. For a detailed description of these attacks we refer to the original publications. Because of their generality and the fundamental nature of the weaknesses that are exploited, both types of cryptanalysis can be applied to a wide range of block ciphers and cryptographic hash functions.

2 The transformation $\chi$
$\chi$ operates on a one-dimensional array of length $n$ of binary-valued cells. An assignment of values for this array is called a state. The $i$-th component of a state $a$ is denoted by $a_i$. The bitwise complementation of a state $a$ is denoted by $\bar{a}$. The bitwise AND of two states $a$ and $b$ is denoted by $ab$ and the bitwise XOR of two states $a$ and $b$ is denoted by $a + b$. A translation $\tau_r$ over $r$ cells is a transformation that shifts $a$ $r$ positions to the left with periodic boundary conditions. We have

$$b = \tau_r(a) \iff b_i = a_{(i+r) \bmod n} \quad \text{for } 0 \le i < n. \qquad (1)$$

$\chi$ is defined by

$$\chi(a) = a + \overline{\tau_1(a)}\,\tau_2(a). \qquad (2)$$

A transformation is shift-invariant if it commutes with translation. From (2) it can easily be derived that $\chi(\tau_i(a)) = \tau_i(\chi(a))$, hence $\chi \circ \tau_i = \tau_i \circ \chi$. The individual components of $b = \chi(a)$ can be calculated by evaluating a Boolean function on the appropriate set of components of $a$. This function is called the local map of $\chi$ (all indices are taken mod $n$):

$$b_i = a_i + \bar{a}_{i+1}\, a_{i+2}. \qquad (3)$$

It can be seen that the local map has algebraic degree two. This has interesting consequences for the nonlinear behavior of $\chi$. From the specification of $\chi$ it can be seen that in dedicated hardware implementations it can be implemented as an interconnected array of very simple identical 1-bit output "processors" that implement the local map. The shift-invariance ensures that the computational load is optimally distributed. In software implementations the shift-invariance allows efficient implementations by employing bitwise logical operators on whole words. In [8] it is argued that invertibility is a desirable property for the round function of hash functions and block ciphers and for the state-transition function of synchronous stream ciphers.

Proposition 1. If $n$ is odd, $\chi$ is invertible.

This proposition is proven by describing an algorithm that determines a unique preimage $a$ for every state $b$ such that $b = \chi(a)$.

Proof. We have $b_{k+1} = 1 \Rightarrow a_k = b_k$. This can be seen by considering two cases:
- $a_{k+1} = 1$: the local map (3) for $b_k$ reduces to $b_k = a_k + 0 \cdot a_{k+2} = a_k$.
- $a_{k+1} = 0$: it follows from the local map for $b_{k+1}$ that $1 = 0 + \bar{a}_{k+2}\, a_{k+3}$, hence that $a_{k+2} = 0$. Substitution in the local map for $b_k$ yields $b_k = a_k + \bar{a}_{k+1} \cdot 0 = a_k$.

If $a_i$ is determined, $a_{i-2}$ can also be determined. Again, two cases have to be considered:
- $a_i = 0$: from the local map of $b_{i-2}$ it follows that $b_{i-2} = a_{i-2} + \bar{a}_{i-1} \cdot 0 = a_{i-2}$.
- $a_i = 1$: from the local map of $b_{i-1}$ it follows that $b_{i-1} = a_{i-1} + 0 \cdot a_{i+1} = a_{i-1}$. The knowledge of $a_{i-1}$ allows us to calculate $a_{i-2}$ from the local map of $b_{i-2}$, i.e., $a_{i-2} = b_{i-2} + \bar{a}_{i-1}$.

If $b$ is not equal to the all-zero state (denoted by $\mathbf{0}$), some component $b_{k+1}$ equals 1, so at least a single component of $a$, say $a_k$, can be determined. From this component we can recursively determine $a_{k-2}, a_{k-4}, \ldots$ If $n$ is odd, stepping by two positions visits every cell, so all components can be fixed in this way. Hence for the $2^n - 1$ states differing from $\mathbf{0}$ a unique preimage can be found. Since $\chi(\mathbf{0}) = \mathbf{0}$, it follows from the single-valuedness of $\chi$ that the preimage corresponding to the all-zero state is the all-zero state itself. □
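The following is an added, runnable illustration of the definition (2)/(3) and of the preimage algorithm in the proof above; it is example code written for this page, not the authors' implementation. States are tuples of 0/1 components indexed as in the paper, with index arithmetic mod $n$. A second implementation, `chi_word`, works on an $n$-bit integer with bitwise operators and rotations, the style of software implementation referred to in Section 2. The names `chi`, `chi_word`, `chi_inverse`, `is_permutation` and `check_inverse` are this example's own.

```python
from itertools import product


def chi(a):
    """chi on a tuple of bits, by the local map (3): b_i = a_i + ~a_{i+1} a_{i+2} (indices mod n)."""
    n = len(a)
    return tuple(a[i] ^ ((a[(i + 1) % n] ^ 1) & a[(i + 2) % n]) for i in range(n))


def chi_word(x, n):
    """chi on an n-bit integer (bit i holds component i) using only bitwise operators.
    rot(x, r) puts component i+r at bit i, i.e. it is the translation tau_r of (1)."""
    mask = (1 << n) - 1

    def rot(v, r):
        return ((v >> r) | (v << (n - r))) & mask

    return (x ^ (~rot(x, 1) & rot(x, 2))) & mask


def chi_inverse(b):
    """Preimage of b under chi for odd n, following the proof of Proposition 1."""
    n = len(b)
    if n % 2 == 0:
        raise ValueError("the preimage algorithm needs odd n")
    if not any(b):
        return tuple([0] * n)  # chi(0) = 0
    # Seed: b_{k+1} = 1 implies a_k = b_k.
    k = next(i for i in range(n) if b[(i + 1) % n] == 1)
    a = [None] * n
    a[k] = b[k]
    # From a known a_i determine a_{i-2}; stepping by -2 visits every cell when n is odd.
    i = k
    for _ in range(n - 1):
        if a[i] == 0:
            # a_i = 0: the quadratic term of b_{i-2} vanishes, so a_{i-2} = b_{i-2}.
            a[(i - 2) % n] = b[(i - 2) % n]
        else:
            # a_i = 1: b_{i-1} = a_{i-1}, then a_{i-2} = b_{i-2} + ~a_{i-1}.
            a_prev = b[(i - 1) % n]
            a[(i - 2) % n] = b[(i - 2) % n] ^ (a_prev ^ 1)
        i = (i - 2) % n
    return tuple(a)


def bits_to_int(a):
    return sum(bit << i for i, bit in enumerate(a))


def is_permutation(n):
    """Exhaustively check whether chi is a bijection on n-bit states (small n only)."""
    images = {chi(a) for a in product((0, 1), repeat=n)}
    return len(images) == 2 ** n


def check_inverse(n):
    """For odd n: chi_inverse(chi(a)) == a for every state, and chi_word agrees with chi."""
    for a in product((0, 1), repeat=n):
        if chi_inverse(chi(a)) != a:
            return False
        if chi_word(bits_to_int(a), n) != bits_to_int(chi(a)):
            return False
    return True


if __name__ == "__main__":
    print("chi is a permutation for n = 5:", is_permutation(5))
    print("chi is a permutation for n = 4:", is_permutation(4))
    print("inverse verified for n = 7:", check_inverse(7))
```

The exhaustive check for even $n$ shows why the proposition needs the parity condition: for $n = 4$ the state $1010$ is mapped to $\mathbf{0}$, colliding with $\chi(\mathbf{0}) = \mathbf{0}$, so the recursion of the proof, which only reaches every second cell, cannot be completed there.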

3 Difference propagation properties


Differential cryptanalysis [3] exploits the predictability of difference propagation. Suppose a pair of unknown states has a known difference, i.e., $a$ and $a + a'$ with $a$ unknown. All values of the difference $b'$ of the two corresponding $\chi$-images are called compatible with $a'$. The output difference $b'$ is given by

$$b' = \chi(a') + \tau_1(a')\,\tau_2(a) + \tau_2(a')\,\tau_1(a). \qquad (4)$$

For a given input difference $a'$ is fixed and $a$ is a variable. From (4) it can be seen that $b'$ is an affine function of $a$: the constant term $\chi(a')$ plus terms that are linear in $a$. If nothing is known about $a$, all values of $b'$ compatible with $a'$ are equiprobable. From (4) it can be seen that the space of all possible $b'$ that are compatible with $a'$ is an affine variety:

$$\{\, x = \chi(a') + \sum_k a_{k+1}\, u_k \;|\; a_{k+1} \in \mathbb{Z}_2 \,\}.$$

If $e_k$ denotes the state with a single nonzero component on position $k$, the $k$-th generating state $u_k$ is specified by

$$u_k = a'_k\, e_{k-1} + a'_{k+2}\, e_k .$$

This is the coefficient of $a_{k+1}$ in (4): $a_{k+1}$ appears in component $k-1$ of $b'$ multiplied by $a'_k$, and in component $k$ multiplied by $a'_{k+2}$. The total number of $b'$ values compatible with $a'$ depends on the dimension of the affine variety, i.e., the number of linearly independent states in $\{u_k\}$. This dimension is called the propagation weight of $a'$ and is denoted by $w_p(a')$. The number of $b'$ values compatible with $a'$ is equal to $2^{w_p(a')}$. It can easily be shown that for $a' \ne \mathbf{1}$ (the all-one state), the propagation weight $w_p(a')$ is equal to the number of components of $a'$ that are 1 plus the number of (cyclic) 001-patterns in $a'$. If $a' = \mathbf{1}$ the propagation weight is $n - 1$.
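The affine-variety description above can be checked exhaustively for small $n$. The following is added example code for this page, not the authors' own: for an input difference $a'$ it enumerates the output differences $b' = \chi(a) + \chi(a + a')$ over all $2^n$ inputs $a$ and verifies the three claims of this section, that the compatible set is an affine subspace, that it has $2^{w_p(a')}$ elements with $w_p$ given by the Hamming-weight-plus-001-patterns rule, and that every member occurs equally often. Function names are this example's own.

```python
from collections import Counter
from itertools import product


def chi(a):
    """chi by the local map (3): b_i = a_i + ~a_{i+1} a_{i+2}, indices mod n."""
    n = len(a)
    return tuple(a[i] ^ ((a[(i + 1) % n] ^ 1) & a[(i + 2) % n]) for i in range(n))


def xor(x, y):
    return tuple(p ^ q for p, q in zip(x, y))


def compatible_output_differences(a_diff):
    """Map each output difference b' = chi(a) + chi(a + a') to the number of inputs a producing it."""
    n = len(a_diff)
    counts = Counter()
    for a in product((0, 1), repeat=n):
        counts[xor(chi(a), chi(xor(a, a_diff)))] += 1
    return counts


def propagation_weight(a_diff):
    """w_p(a'): Hamming weight plus number of cyclic 001 patterns; n - 1 for the all-one state."""
    n = len(a_diff)
    if all(a_diff):
        return n - 1
    patterns = sum(
        1 for i in range(n)
        if (a_diff[i], a_diff[(i + 1) % n], a_diff[(i + 2) % n]) == (0, 0, 1)
    )
    return sum(a_diff) + patterns


def is_affine_subspace(states):
    """True if the set is an affine subspace of Z_2^n: translated by one member it is closed under +."""
    states = set(states)
    base = next(iter(states))
    linear = {xor(s, base) for s in states}
    return all(xor(x, y) in linear for x in linear for y in linear)


def check_difference_propagation(a_diff):
    """Verify the claims of Section 3 for one input difference a'."""
    counts = compatible_output_differences(a_diff)
    wp = propagation_weight(a_diff)
    right_size = len(counts) == 2 ** wp
    equiprobable = len(set(counts.values())) == 1  # each b' is reached by 2^(n - w_p) inputs
    return right_size and equiprobable and is_affine_subspace(counts)


def check_all_differences(n):
    return all(check_difference_propagation(d) for d in product((0, 1), repeat=n))


if __name__ == "__main__":
    d = (1, 0, 0, 0, 0)
    print("w_p =", propagation_weight(d))
    print("compatible b':", sorted(compatible_output_differences(d)))
    print("all claims hold for n = 5:", check_all_differences(5))
```

For $a' = e_0$ and $n = 5$ the constant term is $\chi(e_0) = e_0 + e_3$ and the only nonzero generators are $u_3 = e_3$ and $u_4 = e_4$, so four output differences are compatible, each reached by 8 of the 32 inputs, in agreement with $w_p(e_0) = 1 + 1 = 2$.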

4 Correlation to linear functions


Linear cryptanalysis [4] exploits the correlations between linear combinations of input bits and linear combinations of output bits.

4.1 Preliminaries

The correlation between two Boolean functions is expressed by a correlation coefficient that ranges between $-1$ and $1$:

Definition 2. The correlation coefficient $C(f, g)$ associated with two Boolean functions $f(a)$ and $g(a)$ is given by $C(f, g) = 2\,\mathrm{prob}(f(a) = g(a)) - 1$.

If the correlation coefficient is different from zero the functions are said to be correlated. In the following, the term correlation will denote the amplitude (absolute value) of the correlation coefficient. A selection state $v$ is a binary state that selects all components $i$ of a state that have $v_i = 1$. Analogous to the inner product of vectors in linear algebra, the linear combination of the components of a state $a$ selected by $v$ is written as $v^t a$, where the suffix $t$ denotes transposing $v$. A linear Boolean function $v^t a$ is completely specified by its corresponding selection state $v$. A Boolean function is completely specified by the set of correlation coefficients with all correlated linear functions. These can be seen as coordinates with respect to the basis of linear functions. Let $\hat f(a)$ be the real-valued function that is $-1$ in the entries where $f(a) = 1$ and $+1$ in the entries where $f(a) = 0$, i.e., $\hat f(a) = (-1)^{f(a)}$. The real-valued function corresponding to a linear function $v^t a$ can then be written as $(-1)^{v^t a}$. We have $\widehat{f(a) + g(a)} = \hat f(a)\,\hat g(a)$. The inner product of two real-valued functions, not to be confused with the inner product of states, is defined by

$$\langle \hat f(a), \hat g(a) \rangle = \sum_a \hat f(a)\,\hat g(a). \qquad (5)$$
From the definition of the correlation coefficient it can be seen that

$$C(f(a), g(a)) = 2^{-n} \langle \hat f(a), \hat g(a) \rangle. \qquad (6)$$

The linear functions form an orthogonal basis with respect to the inner product as defined in (5), i.e.

$$\langle (-1)^{v^t a}, (-1)^{w^t a} \rangle = 2^n\, \delta(v + w), \qquad (7)$$

where $\delta(x)$ is 1 if $x = \mathbf{0}$ and 0 otherwise. The representation of a Boolean function with respect to this basis is called its Walsh-Hadamard transform [5]. The correlation coefficients $C(f(a), v^t a)$ are denoted by $\hat F(v)$. We have

$$\hat f(a) = \sum_v \hat F(v)\,(-1)^{v^t a} \qquad (8)$$

and dually

$$\hat F(v) = 2^{-n} \sum_a \hat f(a)\,(-1)^{v^t a}. \qquad (9)$$

We say $\hat F(v) = W(f(a))$. Adding two Boolean functions, $h(a) = f(a) + g(a)$, corresponds to multiplying their real-valued counterparts, $\hat h(a) = \hat f(a)\,\hat g(a)$. Using (8) we can derive

$$\hat H(v) = \sum_w \hat F(v + w)\,\hat G(w). \qquad (10)$$

Hence (binary) addition in the Boolean domain corresponds to convolution in the transform domain. If the convolution operation is denoted by $\otimes$, this can be expressed by $W(f + g) = W(f) \otimes W(g)$. Given this convolution property it is easy to demonstrate some composition properties that are useful in the study of linear cryptanalysis.
- Complementation of a Boolean function, $g(a) = f(a) + 1$, corresponds to multiplication by $-1$ in the transform domain: $\hat G(v) = -\hat F(v)$.
- Adding a linear function, $g(a) = f(a) + u^t a$, corresponds to a shift operation in the transform domain: $\hat G(v) = \hat F(v + u)$.

The set of all possible inputs $a$ to a Boolean function $f(a)$ can be described as a vector space. The subspace generated by the vectors $v_i$ such that $\hat F(v_i) \ne 0$ is called its input space $V_f$. The input space of the sum of two Boolean functions is a subspace of the (vector) sum of their corresponding input spaces: $V_{f+g} \subseteq V_f + V_g$. This follows directly from the convolution property. Two Boolean functions are called disjunct if their input spaces are disjunct, i.e., if the intersection of their input spaces only contains the origin. A vector $v \in V_{f+g}$ with $f$ and $g$ disjunct can be decomposed in only one way into a component $u \in V_f$ and a component $w \in V_g$. In this case the values of the entries of $\hat H(v) = W(f + g)$ are given by

$$\hat H(v) = \hat F(u)\,\hat G(w) \quad \text{with } v = u + w,\ u \in V_f,\ w \in V_g. \qquad (11)$$

4.2 Correlation of $\chi$ to linear functions

All input selections $v$ such that $v^t a$ is correlated with $u^t \chi(a)$ are called compatible with $u$. We have

$$u^t \chi(a) = \sum_i u_i \left(a_i + (a_{i+1} + 1)\, a_{i+2}\right) = \sum_i u_i\,(a_i + a_{i+2}) + \sum_i u_i\, a_{i+1}\, a_{i+2}. \qquad (12)$$

The right-hand side of (12) is split up into a sum of linear terms and a sum of quadratic product terms. We will first investigate the effect of adding the product terms. The effect of adding the linear sum corresponds to a shift in the transform domain. We describe four cases:
- $a_0 a_1 + a_1 a_2 = (a_0 + a_2)\, a_1$: addition of two neighboring products can be reduced to a single product.
- $a_0 a_1$ and $a_2 a_3$ are disjunct.
- $(a_0 + a_2)\, a_1$ and $a_2 a_3$ are disjunct.
- $(a_0 + a_2)\, a_1$ and $(a_2 + a_4)\, a_3$ are disjunct.

The product terms corresponding to components of $u$ that are not successive are disjunct. Therefore the quadratic functions obtained by grouping the product terms corresponding to the all-one substrings of $u$ separated by zeros are disjunct. Such a quadratic function is of the form $\sum_{0 < i \le s} a_i\, a_{i+1}$. This expression can be converted to a sum of disjunct products. The reduction depends on the length $s$. If $s$ is even, we have

$$\sum_{0 < i \le s/2} (a_{2i-1} + a_{2i+1})\, a_{2i} \qquad (13)$$

and if $s$ is odd

$$\sum_{0 < i \le (s-1)/2} (a_{2i-1} + a_{2i+1})\, a_{2i} + a_s\, a_{s+1}. \qquad (14)$$

Hence the number of disjunct product terms corresponding to an all-one substring of length $s$ is $\lfloor (s+1)/2 \rfloor$. Now we have given a general procedure to split (12) up into a single linear term and a number of quadratic product terms that are mutually disjunct. Let the result of this reduction be denoted by

$$u^t \chi(a) = w^t a + \sum_{0 < i \le r} (u_{2i-1}^t a)(u_{2i}^t a). \qquad (15)$$

A Boolean function that is the product of two linear terms, $(u^t a)(w^t a)$, is correlated to the linear functions $0$, $u^t a$ and $w^t a$ with correlation coefficient $1/2$ and to the linear function $(u + w)^t a$ with correlation coefficient $-1/2$. Its Walsh-Hadamard transform can be described by

$$W((u^t a)(w^t a)) = \tfrac{1}{2}\left(\delta(v) + \delta(v + u) + \delta(v + w) - \delta(v + u + w)\right). \qquad (16)$$

Since the product terms in (15) are mutually disjunct, (11) can be applied here. The entries in the Walsh-Hadamard transform of (15) are given by

$$|\hat F(v)| = 2^{-r} \quad \text{if } v \in \{\, w + \sum_{0 < i \le 2r} x_i\, u_i \;|\; x_i \in \mathbb{Z}_2 \,\} \qquad (17)$$

and 0 otherwise. Hence a linear combination of output components is correlated to $2^{2r}$ different linear combinations of input components. The correlation is equal to $2^{-r}$ for all of these input combinations. Analogous to the propagation weight in differential cryptanalysis, the number $2r$ is called the dependence weight of the output selection $u$ and denoted by $w_d(u)$. It is clear that for $\chi$ there is a correspondence between the two types of nonlinear behavior. This correspondence is described in Table 1.

Differential cryptanalysis                      Linear cryptanalysis
input difference $a'$                           output selection $u$
propagation weight $w_p(a')$                    dependence weight $w_d(u)$
$2^{w_p(a')}$ compatible output differences     $2^{w_d(u)}$ compatible input selections
with probability $2^{-w_p(a')}$                 with correlation $2^{-w_d(u)/2}$

Table 1. Summary of the described nonlinear properties of $\chi$.
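The correlation claims of Section 4.2, summarized in the right-hand column of Table 1, can be checked by computing the full Walsh-Hadamard spectrum of $u^t \chi(a)$ with equation (9). The code below is an added example for this page, not the authors' own: it represents states as $n$-bit integers, evaluates $\hat f(a) = (-1)^{u^t \chi(a)}$, obtains all $\hat F(v)$ with a fast Walsh-Hadamard transform, derives $w_d(u) = 2r$ from the lengths of the cyclic all-one substrings of $u$ using $\lfloor (s+1)/2 \rfloor$ per substring, and verifies that exactly $2^{w_d(u)}$ input selections are correlated, each with correlation $2^{-w_d(u)/2}$. The all-one selection $u = \mathbf{1}$ is excluded because the reduction in the text assumes all-one substrings separated by zeros. Function names are this example's own.

```python
def chi_word(x, n):
    """chi on an n-bit integer (bit i holds component i); rot(x, r) is the translation tau_r of (1)."""
    mask = (1 << n) - 1

    def rot(v, r):
        return ((v >> r) | (v << (n - r))) & mask

    return (x ^ (~rot(x, 1) & rot(x, 2))) & mask


def parity(x):
    return bin(x).count("1") & 1


def walsh_spectrum(u, n):
    """F̂(v) = C(u^t chi(a), v^t a) for every v, as a list indexed by v, per equation (9),
    computed with the fast Walsh-Hadamard transform of f̂(a) = (-1)^{u^t chi(a)}."""
    size = 1 << n
    f = [1 - 2 * parity(u & chi_word(a, n)) for a in range(size)]
    h = 1
    while h < size:  # standard in-place butterfly: f[v] becomes sum_a f(a) (-1)^{v^t a}
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                x, y = f[j], f[j + h]
                f[j], f[j + h] = x + y, x - y
        h *= 2
    return [c / size for c in f]


def one_run_lengths(u, n):
    """Lengths of the cyclic all-one substrings of u (u must not be the all-one state)."""
    bits = [(u >> i) & 1 for i in range(n)]
    z = bits.index(0)
    bits = bits[z:] + bits[:z]  # start at a zero so that no run wraps around
    runs, s = [], 0
    for bit in bits:
        if bit:
            s += 1
        elif s:
            runs.append(s)
            s = 0
    if s:
        runs.append(s)
    return runs


def dependence_weight(u, n):
    """w_d(u) = 2r with r the number of disjunct products, floor((s + 1) / 2) per run, from (13)-(15)."""
    return 2 * sum((s + 1) // 2 for s in one_run_lengths(u, n))


def check_correlation_claims(u, n):
    """Equation (17): exactly 2^{w_d(u)} selections v are correlated, all with |C| = 2^{-w_d(u)/2}."""
    wd = dependence_weight(u, n)
    nonzero = [c for c in walsh_spectrum(u, n) if c != 0]
    return len(nonzero) == 2 ** wd and all(abs(c) == 2.0 ** (-wd / 2) for c in nonzero)


def check_all_selections(n):
    """All output selections except the all-one state."""
    return all(check_correlation_claims(u, n) for u in range((1 << n) - 1))


if __name__ == "__main__":
    n, u = 5, 0b00111  # u selects output components 0, 1, 2: one all-one run of length 3
    spec = walsh_spectrum(u, n)
    print("w_d(u) =", dependence_weight(u, n))
    print("correlated v:", [(v, c) for v, c in enumerate(spec) if c != 0])
    print("claims hold for all u, n = 7:", check_all_selections(7))
```

For $u = e_0$ the function is $a_0 + a_2 + a_1 a_2$, so $w = e_0 + e_2$ and the single product $a_1 a_2$ gives $r = 1$: the four compatible selections are $w$, $w + e_1$, $w + e_2$ and $w + e_1 + e_2$, with coefficients $+1/2$, $+1/2$, $+1/2$ and $-1/2$ as in (16).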

5 Conclusions
The transformation $\chi$ has been investigated from a cryptographic point of view. It is shown that the propagation properties relevant in differential cryptanalysis and the correlation properties relevant in linear cryptanalysis have a simple description.

References
[1] S. Wolfram, "Random Sequence Generation by Cellular Automata," Advances in Applied Mathematics, 7 (1986) 123-169.
[2] W. Meier, O. Staffelbach, "Analysis of Pseudo Random Sequences Generated by Cellular Automata," Advances in Cryptology - Proceedings of Eurocrypt '91, LNCS 547, D.W. Davies, Ed., Springer-Verlag 1991, pp. 186-199.
[3] E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.
[4] M. Matsui, "Linear Cryptanalysis Method for DES Cipher," Advances in Cryptology - Proceedings of Eurocrypt '93, LNCS 765, T. Helleseth, Ed., Springer-Verlag 1993, pp. 386-397.
[5] B. Preneel, Analysis and Design of Cryptographic Hash Functions, Doct. Dissertation, KU Leuven, 1993.
[6] J. Daemen, R. Govaerts and J. Vandewalle, "Efficient Pseudorandom Sequence Generation by Cellular Automata," Proceedings of the Twelfth Symposium on Information Theory in the Benelux, F.M.J. Willems and Tj. J. Tjalkens, Eds., Werkgemeenschap voor Informatie- en Communicatietheorie, 1991, pp. 17-24.
[7] J. Daemen, R. Govaerts and J. Vandewalle, "A Framework for the Design of One-Way Hash Functions Including Cryptanalysis of Damgård's One-Way Function based on a Cellular Automaton," Advances in Cryptology - Proceedings of Asiacrypt '91, LNCS 739, H. Imai, R. Rivest and T. Matsumoto, Eds., Springer-Verlag 1993, pp. 82-96.
[8] J. Daemen, R. Govaerts and J. Vandewalle, "A Hardware Design Model for Cryptographic Algorithms," Computer Security - Esorics '92, Proc. 2nd European Symposium on Research in Computer Security, LNCS 648, Y. Deswarte, G. Eizenberg and J.-J. Quisquater, Eds., Springer-Verlag, 1992, pp. 419-434.
[9] J. Daemen, L. Claesen, M. Genoe, G. Peeters, R. Govaerts and J. Vandewalle, "A Cryptographic Chip for ISDN and High Speed Multi-media Applications," Proceedings of VLSI Signal Processing VI, L.D.J. Eggermont, P. Dewilde, E. Deprettere and J. van Meerbergen, Eds., IEEE, 1993, pp. 12-20.
[10] J. Daemen, R. Govaerts and J. Vandewalle, "A New Approach towards Block Cipher Design," Proceedings of the Cambridge Workshop on Cryptography 1993, to appear.
[11] J. Daemen, R. Govaerts and J. Vandewalle, "Invertible Shift-invariant Transformations on Binary Arrays," Journal of Applied Mathematics and Computation, North-Holland, to appear.
