Japan

## サイト内の現在位置を表示しています。

# 技術情報 - CIPHERUNICORN-A(128-bit block size)

**CIPHERUNICORN-A and -E are symmetric ciphers. They belong to the CIPHERUNICORN family developed by NEC Corporation.**

**"CIPHERUNICORN" is a registered trademark of NEC Corporation in Japan. **

## Abstract

CIPHERUNICORN-A is common key encryption technology with a Feistel structure that can use a data block length of 128 bits and key lengths of 128, 192, or 256 bits.

Two typical methods used for attacking common key encryption are linear cryptanalysis and differential cryptanalysis. These methods use shuffling bias in the data randomizer function to infer information on a key. Shuffling bias often originates in the base shuffling process. A structure in which shuffling bias cannot be detected in the base process is therefore desirable. In CIPHERUNICORN-A, the base process in data shuffling is the round function, and it has been confirmed by a cipher strength evaluation system that we have developed that this function exhibits no shuffling bias.

Y.Tsunoo, H.Kubo, H.Miyauchi and K.Nakamura, "A New 128-bit Block Cipher CIPHERUNICORN-A," ISEC2000-5, Technical Report of IEICE, The Institute of Electronics, Information and Communication Engineers, 2000. (In English)

Y.Tsunoo, H.Kubo, H.Miyauchi and K.Nakamura, "A New 128-bit Block Cipher CIPHERUNICORN-A," SCIS2000-A18, The 2000 Symposium on Cryptography and Information Security Okinawa, Japan, January 26-28, 2000. (In Japanese)

## Design Principle and Criteria

Two methods that have been found to be effective in mounting attacks on block ciphers of any structure are linear cryptanalysis and differential cryptanalysis. These methods use shuffling bias in the data randomizer function to infer information on a key. Shuffling bias often originates in the base shuffling process. A structure in which shuffling bias cannot be detected in the base process is therefore desirable.

Against the above background, we decided to design CIPHERUNICORN-A so that shuffling bias does not appear in the round function, the base process of data shuffling. This was evaluated by statistically investigating the relationship between input and output.

In addition, to perform a uniform evaluation of encryption algorithms in the design process, we established a common evaluation scale in examining input and output with the encryption algorithm treated as a black box. We specified, in particular, the following items as constituting a state with no bias and sufficient shuffling, and we checked for this state using a statistical technique that we adopted for this purpose.

- A highly probable relationship between input and output bits does not exist.
- A highly probable relationship between output bits does not exist.
- A highly probable relationship between a change in input bits and a change in output bits does not exist.
- A highly probable relationship between a change in key bits and change in output bits does not exist.
- An output bit that has a high probability of being 0 or 1 does not exist.

### Data randomizer

#### 1.Feistel structure

The Feistel structure has been adopted as the base structure of this cipher because of the following advantages.

- Encryption and decryption have the same structure
- Encryption and decryption can be performed at about the same speed
- No limitations are set on the structure of the round function
- The Feistel structure has been thoroughly analyzed

#### 2.Initial/final processing

To prevent input to the 1st round function and input to the last round function from becoming known and making an attack easy to mount, initial and final processing have been added.

### Round function

#### 1.Dual structure

The round function adopts a dual structure that guarantees the security of one part of the structure if the other should be cracked. It consists of a main stream section and temporary key generation mechanism that input extended keys (function key and seed key, respectively). A temporary key is created by the temporary key generation mechanism and combined with the main stream.

#### 2.Main stream

The structure of the main stream has the following properties.

- Bijective if the temporary key is fixed
- Data is sufficiently shuffled in the main stream itself.

#### 3.Temporary key generation mechanism

The structure of the temporary key generation mechanism has the following properties.

- The temporary key is output uniformly throughout its possible range.
- The structure is simpler than that of the main stream (considering the possibility of parallel processing).
- The structure differs from that of the main stream (difference in structure guarantees security).
- Size of temporary key is made shorter than that of seed key.
- Data is sufficiently shuffled in the temporary key generation mechanism itself.

Because the temporary key generation mechanism is simpler in structure than the main stream, an adversary is likely to mount an attack on this mechanism first. Even if the temporary key should become known, however, it is expected that the existence of multiple seed-key candidates will make it difficult to infer the secret key or function key from the seed key.

#### 4.Operators

Considering a 32-bit processor to be the basic form of implementation for this cipher, we have adopted operators that can be processed at high speed on this kind of platform. We have also combined operations having different algebraic structures with the aim of making the cipher stronger

#### 5.Operation units

As a countermeasure to truncated differential attack, three types of operation units are used: 8, 32, and 64 bits.

### Substitution tables

Four 8-bit input/output tables are used as a set of substitution tables. Each of these 8-bit input/output tables must satisfy the following conditions.

- Bijective
- Maximum differential probability of 2
^{-6} - Maximum linear probability of 2
^{-6} - An algebraic degree of 7
- Input/output polynomials of high degree and many terms
- Average number of diffusion bits (number of output bits changed due to change in one input bit) equal to 4.0
- No fixed points

The method adopted here to generate a substitution table that satisfies the above conditions is to use an inverse function over a Galois field (GF) of 28 in combination with an affine transformation.

An inverse function over a GF (2^{8}) is a bijective function with an algebraic degree of 7 known to have a maximum linear and differential probability of 2^{-6} (best case). The degree of its input/output polynomials is also high at 254. By incorporating an affine transformation, the number of terms in the input /output polynomials can be expected to increase.

In order to use a combination of four 8-bit input/output tables, moreover, a different irreducible polynomial was adopted for each table.

The following equation is used to generate a substitution table.

S(x) ＝ matrixA{ (x ＋ c)-1 mod g } ＋ d

matrixA ： GF(2) 8 x 8 bijective matrix

c,d ： 8-bit constants (other than 0)

g ： 8th-degree irreducible polynomial

After selecting matrixA, c, d, and g by random numbers, a search is made for a substitution table that satisfies the above conditions.

### Key scheduler

The structure of the key scheduler has the following properties.

- Mapping from the secret key to extended keys is injective.
- Each of the extended keys is affected by all information in the secret key.
- A highly probable relationship between the secret keys and extended keys or among the extended keys does not exist (secure against related-key attacks).
- The structure makes use of the constituent elements of the round function.