
CRYPTOGRAPHIC ANALYSIS OF THE VERSIONS OF THE SERPENT CIPHER

CIGDEM ACAR

SEPTEMBER 2008

CRYPTOGRAPHIC ANALYSIS OF THE VERSIONS OF THE SERPENT CIPHER

A MASTERS GRADUATE PROJECT

SUBMITTED TO THE DEPARTMENT OF CRYPTOGRAPHY OF THE MIDDLE EAST TECHNICAL UNIVERSITY

BY

CIGDEM ACAR

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN THE DEPARTMENT OF CRYPTOGRAPHY

AUGUST 2008

Abstract
CRYPTOGRAPHIC ANALYSIS OF THE VERSIONS OF THE SERPENT CIPHER

Cigdem Acar, M.Sc., Department of Cryptography. Supervisor: Assoc. Prof. Dr. Melek Diker YUCEL. September 2008, 60 pages

In this project, the s-boxes of Serpent are evaluated according to their Linear Approximation Tables (LAT) and Difference Distribution Tables (XOR). Then, all of the outputs of the versions of the Serpent cipher are examined with the NIST Statistical Test Suite for randomness testing. Finally, the randomness characteristics of the versions of the Serpent cipher are compared with each other for full and partial rounds. The overall performance of the versions of the Serpent cipher is found to be the same, although there is a significant difference in their s-boxes and linear transformation parts.

Keywords: Serpent-0, Serpent, Serpent-p, Serpent-p-ns, Linear Approximation Table, Difference Distribution Table, randomness testing.

Contents

Abstract
Table of Contents
List of Tables

Chapter
1 Introduction
2 Preliminaries
    2.1 Introduction
    2.2 Boolean Functions
    2.3 Cryptographic Properties of Boolean Functions
    2.4 Linear Approximation Table (LAT)
    2.5 Difference Distribution Table (Exclusive or-XOR)
3 Analysis of Serpent's S-boxes
    3.1 Introduction
    3.2 Serpent Cipher
        3.2.1 Serpent-0 Cipher
        3.2.2 Serpent-1 (Serpent) Cipher
        3.2.3 Serpent-p and Serpent-p-ns Cipher
            3.2.3.1 Description of Serpent-p
            3.2.3.2 Description of Serpent-p-ns
    3.3 S-boxes of Serpent
    3.4 Analysis of Serpent's S-boxes
        3.4.1 Introduction
        3.4.2 Results of LAT Tables of Serpent's S-boxes
            3.4.2.1 Properties of Serpent's Linear Approximation Tables
            3.4.2.2 Observations on Serpent's Linear Approximation Tables
        3.4.3 Results of XOR Tables of Serpent's S-boxes
            3.4.3.1 Properties of Serpent's Difference Distribution Tables
            3.4.3.2 Observations on Serpent's Difference Distribution Tables
            3.4.3.3 Observations for cryptanalysis
4 Randomness Testing of Serpent Cipher's Versions
    4.1 Introduction
    4.2 Randomness Testing Experimental Preparation
    4.3 Randomness Testing of the Perturbed Random Plaintext
    4.4 Full Round Testing
        4.4.1 Full Round Testing For Serpent-0
        4.4.2 Full Round Testing For Serpent-1 (Serpent)
        4.4.3 Full Round Testing For Serpent-p
        4.4.4 Full Round Testing For Serpent-p-ns
    4.5 Partial Round Testing
        4.5.1 Partial Round Testing For Serpent-0
        4.5.2 Partial Round Testing For Serpent-1 (Serpent)
        4.5.3 Partial Round Testing For Serpent-p
        4.5.4 Partial Round Testing For Serpent-p-ns
    4.6 Comparison of Test Results
5 Conclusion
A Appendix A
    A.1 Linear Approximation Tables (LAT) of Serpent's S-boxes
    A.2 Difference Distribution Tables (XOR) of Serpent's S-boxes
B Appendix B
    B.1 Description of the Statistical Tests

List of Tables

3.1 Serpent-1 and Serpent-p-ns S-box definitions
3.2 Serpent-0 and Serpent-p's S-box definitions
3.3 Parts of LAT Tables of the S-boxes with input/output sum weight of 1
3.4 Parts of LAT Tables of the S-boxes
3.5 A part of XOR Table of the S-boxes with input/output differences weight of 1
3.6 Parts of XOR Tables of the S-boxes
3.7 A part of XOR Table of the S-box 0
4.1 List of Statistical Tests Applied During Test Application
4.2 Parameter Adjustments for some of the Statistical Tests
4.3 Test Results of Perturbed Random Plaintext
4.4 Test Results of Full Round Serpent-0's Output
4.5 Test Results of Full Round Serpent-1's Output
4.6 Test Results of Full Round Serpent-p's Output
4.7 Test Results of Full Round Serpent-p-ns's Output
4.8 Test Results of Partial Round Serpent-0's Output
4.9 Test Results of Partial Round Serpent-1's Output
4.10 Test Results of Partial Round Serpent-p's Output
4.11 Test Results of Partial Round Serpent-p-ns Output
4.12 Comparison of Test Results of Serpent Cipher Versions' Full Round Outputs
4.13 Comparison of Test Results of Serpent Cipher Versions' Round 1 Outputs
4.14 Comparison of Test Results of Serpent Cipher Versions' Round 2 Outputs
4.15 Comparison of Test Results of Serpent Cipher Versions' Round 3 Outputs
A.1 LAT Table of the S-box 0
A.2 LAT Table of the S-box 1
A.3 LAT Table of the S-box 2
A.4 LAT Table of the S-box 3
A.5 LAT Table of the S-box 4
A.6 LAT Table of the S-box 5
A.7 LAT Table of the S-box 6
A.8 LAT Table of the S-box 7
A.9 XOR Table of the S-box 0
A.10 XOR Table of the S-box 1
A.11 XOR Table of the S-box 2
A.12 XOR Table of the S-box 3
A.13 XOR Table of the S-box 4
A.14 XOR Table of the S-box 5
A.15 XOR Table of the S-box 6
A.16 XOR Table of the S-box 7

List of Abbreviations

AES: Advanced Encryption Standard
ASCII: American Standard Code for Information Interchange
DES: Data Encryption Standard
LAT: Linear Approximation Table
MOSAC: Maximum Order Strict Avalanche Criterion
NIST: National Institute of Standards and Technology
SAC: Strict Avalanche Criterion
XOR: Exclusive or
XOR Table: Difference Distribution Table

Chapter 1 Introduction

For many applications, the Data Encryption Standard (DES) algorithm is not suitable because its key is too small and its implementation is inefficient. To overcome this issue, the US National Institute of Standards and Technology issued a call for a successor algorithm, which would be called the Advanced Encryption Standard (AES). This call culminated in five algorithms. One of those algorithms was the Serpent algorithm. This algorithm was better than the DES algorithm when compared with respect to performance, key length and strength of s-boxes.

In this project, the cryptographic properties of Serpent's S-boxes are examined by a program written in the Java programming language. The cryptographic properties of Serpent's S-boxes, their cryptographic strength against differential and linear cryptanalysis attacks, and randomness testing of the Serpent cipher versions are given.

In the first chapter, brief information about Boolean functions and their cryptographic properties is given, together with information about vector Boolean functions (S-boxes) and their cryptographic properties such as the Linear Approximation (LAT) and Difference Distribution (Exclusive or-XOR) tables. In the second chapter, brief information about the Serpent cipher is given and Serpent's S-boxes are defined. Then, the results and observations on the cryptographic properties of the Linear Approximation and Difference Distribution tables of Serpent's S-boxes are explained. The last chapter contains the observations from randomness testing of the outputs of the versions of the Serpent cipher using the NIST Statistical Test Suite [3]. The tests are done using code written in the C programming language. In addition, normal distribution statistical test results and graphics of Serpent's outputs are also given in this chapter. As a result, an intuition about the randomness of the outputs is acquired.

Chapter 2 Preliminaries

2.1 Introduction

In this chapter, some basic concepts about Boolean functions and some cryptographic properties of Boolean functions such as balance, nonlinearity, correlation immunity, Linear Approximation Table (LAT) and Difference Distribution Table (Exclusive or-XOR) are presented.

2.2 Boolean Functions

Let $F_2$ denote the finite field with binary values and let $F_2^n$ denote the vector space of binary n-tuples over $F_2$ with respect to addition $\oplus$ and scalar multiplication $\cdot$.

Definition 2.2.1. A Boolean function $f$ is an $F_2$-valued function defined on $F_2^n$, $f : F_2^n \to F_2$.

Definition 2.2.2. A vector Boolean function, $S(x) : F_2^n \to F_2^m$, which maps n bits to m bits, each entry of $S(x) = (f_1(x), \ldots, f_m(x))_{1 \times m}$ is a Boolean function.

Definition 2.2.3. A Boolean function which is in the form

$$f(x) = \bigoplus_{i=1}^{n} w_i x_i \oplus c$$

where $w = (w_1, \ldots, w_n) \in F_2^n$ and $c \in F_2$, is called an affine function. If $c = 0$, $f(x)$ is called linear, denoted by $l_w(x) = w \cdot x$.

Definition 2.2.4. The Hamming distance between two functions $f(x)$ and $g(x)$ is the function

$$d_H(f(x), g(x)) = \#\{x \in F_2^n \mid f(x) \neq g(x)\}.$$

Definition 2.2.5. A Boolean function $f(x) : F_2^n \to F_2$ is balanced if its truth table consists of an equal number of 0s and 1s.

Definition 2.2.6. The cross-correlation between $f(x)$ and $g(x)$ is the function

$$c_{f,g}(d) = \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{g(x \oplus d)}$$

for all $d \in F_2^n$.

Definition 2.2.7. The autocorrelation function of $f(x)$ is

$$r_f(d) = \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{f(x \oplus d)}$$

for all $d \in F_2^n$.

Definition 2.2.8. The Walsh-Hadamard transform of the Boolean function $f(x)$ is

$$W_f(w) = \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{w \cdot x}$$

for all $w \in F_2^n$, the correlation between $f(x)$ and $l_w(x) = w \cdot x$. Furthermore, the inverse of this transform is

$$(-1)^{f(x)} = \frac{1}{2^n} \sum_{w \in F_2^n} W_f(w) (-1)^{w \cdot x}.$$

Then, we have

$$(W_f(w_0), \ldots, W_f(w_{2^n-1}))^t = H_n \left((-1)^{f(w_0)}, \ldots, (-1)^{f(w_{2^n-1})}\right)^t$$

where $H_n$ is the Sylvester-Hadamard matrix of order n defined by

$$H_1 = \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \quad \text{and} \quad H_n = H_1 \otimes H_{n-1} \text{ for } n > 1.$$

Using the definition of the Hamming distance and the Walsh-Hadamard transform, we get

$$\sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{g(x)} = 2^n - d_H(f(x), g(x)) + d_H(f(x), g(x))(-1) = 2^n - 2 d_H(f(x), g(x)).$$

By replacing $g(x)$ with $l_w(x)$, we can obtain

$$W_f(w) = \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{l_w(x)} = 2^n - 2 d_H(f(x), l_w(x)),$$

therefore

$$d_H(f(x), l_w(x)) = 2^{n-1} - \frac{W_f(w)}{2}.$$

2.3 Cryptographic Properties of Boolean Functions

Definition 2.3.1. (Nonlinearity) The nonlinearity of a Boolean function $f(x)$ is defined to be the distance of $f(x)$ to the set of affine functions,

$$N_f = \min_{w,c} d_H(f(x), (w \cdot x \oplus c)) = \min_{w} \{d_H(f(x), l_w(x)),\ d_H(f(x), \bar{l}_w(x))\}$$

where $l_w(x)$ is a linear function and $\bar{l}_w(x) = l_w(x) \oplus 1$. Using the definition of nonlinearity and the Hamming distance,

$$N_f = \min_{w} \{d_H(f(x), l_w),\ d_H(f(x), \bar{l}_w)\}$$

$$= \min_{w} \left\{ 2^{n-1} - \frac{1}{2} \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{l_w(x)},\ 2^{n-1} - \frac{1}{2} \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{\bar{l}_w(x)} \right\}$$

$$= 2^{n-1} - \frac{1}{2} \max_{w \in F_2^n} |W_f(w)|,$$

where $W_f(w)$ is the Walsh-Hadamard transform of the Boolean function $f(x)$.

Definition 2.3.2. (Correlation Immunity of a Boolean Function) A function is said to be correlation immune of order t, denoted by $CI(t)$, if for the Walsh-Hadamard transform it holds that $W_f(w) = 0$ for $1 \le w_H(w) \le t$, where $w_H(w)$ denotes the Hamming weight of $w$.

Definition 2.3.3. (Resiliency) The correlation immunity of order t and the property balancedness together give the property resiliency of order t.

Definition 2.3.4. (Propagation Characteristics of a Boolean function) A function is said to satisfy the propagation criterion $PC(k)$ of degree k if the functions $f(x) \oplus f(x \oplus d)$ are balanced for all $\{d \in F_2^n \mid 1 \le w_H(d) \le k\}$.

Definition 2.3.5. (SAC) A Boolean function $f(x)$ whose autocorrelation function satisfies

$$r_f(w) = \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{f(x \oplus w)} = 0$$

for all $w \in F_2^n$ such that $w_H(w) = 1$ satisfies the SAC. Namely, the Strict Avalanche Criterion (SAC) corresponds to the propagation criterion of order 1, $PC(1)$, and the maximum order strict avalanche criterion (MOSAC) is the same thing as $PC(n)$.

If a vector Boolean function $S(x) : F_2^n \to F_2^n$ satisfies the Strict Avalanche Criterion, the change of the i-th input bit results in the change of the j-th output exactly for half of the input vectors, so the probability that the j-th output bit is complemented is $\frac{1}{2}$.
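The definitions of Sections 2.2 and 2.3, worked through in Python as an added example (it is not the Java program mentioned in the introduction). It uses S-box S0 from Table 3.1 as input, and all function names are assumptions of this example.

```python
# Added example: Walsh-Hadamard transform, Hamming distance, nonlinearity,
# SAC and correlation immunity for the component functions of Serpent S0.
N = 4
S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]  # Table 3.1, S0


def dot(w, x):
    """Inner product w . x over F_2 (parity of the bitwise AND)."""
    return bin(w & x).count("1") & 1


def component(beta, sbox=S0):
    """Truth table of the Boolean function f(x) = beta . S(x)."""
    return [dot(beta, sbox[x]) for x in range(1 << N)]


def linear(w, c=0):
    """Truth table of the affine function l_w(x) xor c."""
    return [dot(w, x) ^ c for x in range(1 << N)]


def walsh(tt):
    """W_f(w) for all w, via the butterfly form of H_n = H_1 (x) H_(n-1)."""
    spec = [1 - 2 * bit for bit in tt]           # the vector (-1)^f(x)
    half = 1
    while half < len(spec):
        for start in range(0, len(spec), 2 * half):
            for j in range(start, start + half):
                a, b = spec[j], spec[j + half]
                spec[j], spec[j + half] = a + b, a - b
        half *= 2
    return spec


def hamming_distance(f, g):
    """Number of inputs on which the two truth tables differ."""
    return sum(a != b for a, b in zip(f, g))


def nonlinearity_walsh(tt):
    """N_f = 2^(n-1) - max|W_f(w)| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2


def nonlinearity_bruteforce(tt):
    """Minimum distance to all 2^(n+1) affine functions (Definition 2.3.1)."""
    return min(hamming_distance(tt, linear(w, c))
               for w in range(len(tt)) for c in (0, 1))


def autocorrelation(tt, d):
    """r_f(d) from Definition 2.2.7."""
    return sum((1 - 2 * tt[x]) * (1 - 2 * tt[x ^ d]) for x in range(len(tt)))


def satisfies_sac(tt):
    """SAC: r_f(d) = 0 for every d of Hamming weight 1."""
    return all(autocorrelation(tt, 1 << i) == 0 for i in range(N))


def correlation_immunity_order(tt):
    """Largest t with W_f(w) = 0 for all 1 <= w_H(w) <= t."""
    spec, order = walsh(tt), 0
    for t in range(1, N + 1):
        if any(spec[w] for w in range(1 << N) if bin(w).count("1") == t):
            break
        order = t
    return order


if __name__ == "__main__":
    for beta in range(1, 1 << N):
        f = component(beta)
        print(f"beta={beta:X} W={walsh(f)} N_f={nonlinearity_walsh(f)} "
              f"SAC={satisfies_sac(f)} CI={correlation_immunity_order(f)}")
```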

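2.4 Linear Approximation Table (LAT)

Linear cryptanalysis is a known plaintext attack that takes advantage of high probability occurrences of linear expressions involving plaintext bits, ciphertext bits and subkey bits. A complete enumeration of all linear approximations of a cipher gives the Linear Approximation Table (LAT). Each element in the table represents the number of matches between the linear equation represented in hexadecimal as Input Sum and the sum of the output bits represented in hexadecimal as Output Sum, minus $2^{n-1}$. More formally, the definition for the elements of the LAT table follows.

Definition 2.4.1. Let $x, y \in F_2^n$ and let $S(x) : F_2^n \to F_2^n$ be the vector Boolean function. Each element of the Linear Approximation Table is defined as

$$LAT_{\alpha,\beta \in F_2^n}(\alpha, \beta) = \#\{x \mid \beta \cdot S(x) = \alpha \cdot x\} - 2^{n-1}$$

$$= \#\{x \mid \beta \cdot S(x) = l_\alpha(x)\} - 2^{n-1}$$

$$= 2^n - d_H(\beta \cdot S(x), l_\alpha(x)) - 2^{n-1}$$

$$= 2^{n-1} - d_H(\beta \cdot S(x), l_\alpha(x))$$

where $\alpha$ is the row index and $\beta$ is the column index. Using the distance between $\beta \cdot S(x)$ and $l_\alpha(x)$, we get

$$d_H(\beta \cdot S(x), l_\alpha(x)) = 2^{n-1} - \frac{1}{2} W_{\beta \cdot S(x)}(\alpha) = 2^{n-1} - LAT_{\alpha,\beta \in F_2^n}$$

and

$$LAT_{\alpha,\beta \in F_2^n \setminus \{0\}} = \frac{W_{\beta \cdot S(x)}(\alpha)}{2}.$$

By combining nonlinearity and the linear approximation table (LAT), we obtain

$$N_f = 2^{n-1} - \max_{\alpha,\beta \in F_2^n \setminus \{0\}} |LAT(\alpha, \beta)|.$$

In addition,

$$LAT_{\alpha,\beta \in F_2^n \setminus \{0\}} = |\{x \mid \alpha \cdot x = \beta \cdot S(x)\}| - 2^{n-1}.$$

Multiplying both sides with $\frac{1}{2^n}$,

$$2^{-n} LAT_{\alpha,\beta \in F_2^n} = 2^{-n} |\{x \mid \alpha \cdot x = \beta \cdot S(x)\}| - \frac{1}{2} = Pr\{\alpha \cdot x = \beta \cdot S(x)\} - \frac{1}{2} \qquad (2.1)$$

If $\beta \cdot S(x) = f(x) \in B_n$ (Boolean function), then

$$2^{-n} LAT_{\alpha,\beta \in F_2^n} = Pr\{\alpha \cdot x = f(x)\} - \frac{1}{2}$$

$$W_f(\alpha) = \sum_{x \in F_2^n} (-1)^{f(x)} (-1)^{\alpha \cdot x} = |\{x \mid f(x) = \alpha \cdot x\}| - |\{x \mid f(x) \neq \alpha \cdot x\}| = 2 |\{x \mid f(x) = \alpha \cdot x\}| - 2^n$$

$$|\{x \mid f(x) = \alpha \cdot x\}| = 2^{n-1} + \frac{W_f(\alpha)}{2}$$

$$2^{-n} |\{x \mid f(x) = \alpha \cdot x\}| = \frac{1}{2} + \frac{2^{-n} W_f(\alpha)}{2}$$

$$Pr\{f(x) = \alpha \cdot x\} = \frac{1}{2} + \frac{2^{-n} W_f(\alpha)}{2} = \frac{1}{2} + \frac{LAT_{\alpha,\beta \in F_2^n}}{2^n}$$

where $Pr$ is the probability.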

2.5 Difference Distribution Table (Exclusive or-XOR)

Differential cryptanalysis is a chosen plaintext attack, which uses the high probability occurrences of plaintext differences and differences into the last round of the cipher. The attacker examines the differential characteristics, where a differential characteristic is a sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round. For finding differential characteristics, the difference distribution table (XOR) is generated.

Definition 2.5.1. Let $S(x) : F_2^n \to F_2^n$ be a vector Boolean function with $x, y \in F_2^n$. Let two inputs be $X'$ and $X''$ with the corresponding outputs $Y'$ and $Y''$, respectively. The input difference is $\Delta X = X' \oplus X''$ and the output difference is $\Delta Y = Y' \oplus Y''$. Then an element of the XOR table is defined by

$$XOR(\Delta X, \Delta Y) = \#\{X \mid S(X) \oplus S(X \oplus \Delta X) = \Delta Y\}.$$

Each element of the table represents the number of occurrences of the corresponding output difference $\Delta Y$ value given the input difference $\Delta X$.

Remark 2.5.2. (Properties of XOR table)
1. $XOR(\Delta X = 0, \Delta Y = 0) = 2^n$
2. $\sum_{\beta \in F_2^n} XOR(\alpha, \beta) = 2^n$
3. For an $n \times n$ and one-to-one s-box mapping, $XOR(\alpha, 0) = 0$, $\alpha \neq 0$

Definition 2.5.3. The differential uniformity parameter is $\max_{\Delta X, \Delta Y \neq 0} XOR(\Delta X, \Delta Y)$. If the differential uniformity is large, then the security of the cipher against differential cryptanalysis is low.

Chapter 3 Analysis of Serpent's S-boxes

3.1 Introduction

In this chapter, the cryptographic results for Serpent's S-boxes are evaluated according to the Difference Distribution (XOR) and Linear Approximation (LAT) tables. In the first section, brief descriptions of the versions of the Serpent cipher are given. In the second section, a summary of the generation of Serpent's S-boxes is given. The last section presents the analysis of Serpent's S-boxes.

3.2 Serpent Cipher

3.2.1 Serpent-0 Cipher

Serpent-0 is the first version of the Serpent cipher. Serpent-0 uses the S-boxes from DES. The algorithm was as fast as DES and yet more secure than three-key triple-DES, provided a 192 or 256 bit key was selected. After strengthening the algorithm and improving its performance, a candidate for AES, Serpent-1 (more briefly, Serpent), was introduced.

3.2.2 Serpent-1 (Serpent) Cipher

Serpent is a 32-round substitution permutation network (SPN) operating on four 32-bit words, thus with a block size of 128 bits.

The indices of the bits are counted from 0 to 31 for one 32-bit word, 0 to 127 for 128-bit blocks and 0 to 255 for 256-bit keys. Serpent encrypts a 128-bit plaintext P to a 128-bit ciphertext C in 32 rounds with 33 subkeys $K_0, \ldots, K_{32}$. The cipher consists of:

- an initial permutation IP (no cryptographic significance)
- 32 rounds
    - a key mixing operation
    - a pass through S-boxes
    - a linear transformation. In the last round, this linear transformation is replaced by an additional key mixing operation
- a final permutation FP (no cryptographic significance)

The following equations describe the operations of the cipher formally:

$$B_0 := IP(P)$$
$$B_{i+1} := R_i(B_i)$$
$$C := FP(B_{32})$$

where P is the plaintext, C is the ciphertext and

$$R_i(X) = L(S_i(X \oplus K_i)), \quad i = 0, \ldots, 30$$
$$R_i(X) = S_i(X \oplus K_i) \oplus K_{32}, \quad i = 32$$

3.2.3 Serpent-p and Serpent-p-ns Cipher

The two variants of Serpent:

1. Serpent with the rotation linear transformation and the S-boxes of Serpent-0 (derived from the S-boxes of DES). This variant is called Serpent-p.
2. Serpent with the rotation linear transformation and the new S-boxes of Serpent-1. This variant is called Serpent-p-ns.

3.2.3.1 Description of Serpent-p

Serpent-p encrypts 128-bit blocks under keys of 128, 192 and 256 bits. Given a plaintext P:

$$B_0 = IP(P)$$
$$B_{i+1} = R_i(B_i)$$
$$C = IP^{-1}(B_{64})$$
$$R_i(X) = Rot_i(S_i(X \oplus K_i)), \quad i = 0, \ldots, 62$$
$$R_i(X) = S_i(X \oplus K_i) \oplus K_{64}, \quad i = 63$$

After each of the 64 rounds, we use $Rot_i$, which is a set of rotations defined as (0, 1, 3, 7) for even i and (0, 5, 13, 22) for odd i. This means that for even i the first bit in each nibble is rotated to the left by 0 nibbles, the second by 1 (e.g., from nibble 3 to nibble 4), etc. In each round the same s-box is used 32 times, while different s-boxes are used in the various rounds. The s-boxes are derived from the S-boxes of DES, giving 32 s-boxes in total. Serpent-p uses the key schedule of Serpent (Serpent-1).

3.2.3.2 Description of Serpent-p-ns

Serpent-p-ns is defined as a variant of Serpent-p with the following modifications:

1. Serpent-p-ns uses the same s-boxes as Serpent-1.
2. Serpent-p-ns has 32 rounds. Therefore in the encryption process i is between 0 and 31, and in the key schedule algorithm i is between 0 and 32. Also for Serpent-p-ns n(i) = (3 i) mod 8.

Therefore, Serpent-p-ns differs from Serpent-1 only in the linear transformation.

3.3 S-boxes of Serpent

For many applications, the Data Encryption Standard (DES) algorithm is not secure enough because of its too small 56-bit key. Although triple-DES can solve the key length problem, DES is inefficient for hardware encryption. The Serpent cipher is an efficient algorithm and uses s-boxes which are generated from the S-boxes of DES, but are much more secure than the S-boxes of DES. The Serpent cipher has 8 s-boxes, each of dimension 4 × 4.

The S-boxes of Serpent were generated with the following algorithm:

    index := 0
    repeat
        currentsbox := index modulo 32
        for i := 0 to 15 do
            j := sbox[(currentsbox+1) modulo 32][serpent[i]];
            swapentries(sbox[currentsbox][i], sbox[currentsbox][j]);
        if sbox[currentsbox][.] has the desired properties, save it;
        index := index + 1;
    until 8 S-boxes have been generated

In the algorithm, a matrix with 32 arrays each with 16 entries was used. The array sbox[.][.] contains 32 rows of the DES S-boxes. The array serpent[.] contains the least significant four bits of each of the 16 ASCII characters in the expression sboxesforserpent. The function swapentries swaps the elements of the array sbox.

Table 3.1: Serpent-1 and Serpent-p-ns S-box definitions

| Input | S0 | S1 | S2 | S3 | S4 | S5 | S6 | S7 |
|-------|----|----|----|----|----|----|----|----|
| 0     | 3  | 15 | 8  | 0  | 1  | 15 | 7  | 1  |
| 1     | 8  | 12 | 6  | 15 | 15 | 5  | 2  | 13 |
| 2     | 15 | 2  | 7  | 11 | 8  | 2  | 12 | 15 |
| 3     | 1  | 7  | 9  | 8  | 3  | 11 | 5  | 0  |
| 4     | 10 | 9  | 3  | 12 | 12 | 4  | 8  | 14 |
| 5     | 6  | 0  | 12 | 9  | 0  | 10 | 4  | 8  |
| 6     | 5  | 5  | 10 | 6  | 11 | 9  | 6  | 2  |
| 7     | 11 | 10 | 15 | 3  | 6  | 12 | 11 | 11 |
| 8     | 14 | 1  | 13 | 13 | 2  | 0  | 14 | 7  |
| 9     | 13 | 11 | 1  | 1  | 5  | 3  | 9  | 4  |
| 10    | 4  | 14 | 14 | 2  | 4  | 14 | 1  | 12 |
| 11    | 2  | 8  | 4  | 4  | 10 | 8  | 15 | 10 |
| 12    | 7  | 6  | 0  | 10 | 9  | 13 | 13 | 9  |
| 13    | 0  | 13 | 11 | 7  | 14 | 6  | 3  | 3  |
| 14    | 9  | 3  | 5  | 5  | 7  | 7  | 10 | 5  |
| 15    | 12 | 4  | 2  | 14 | 13 | 1  | 0  | 6  |

3.4 Analysis of Serpent's S-boxes

3.4.1 Introduction

The resistance of block ciphers to attacks depends on their diffusion and confusion properties. Diffusion is the property that each part of the plaintext has to appear equally in the ciphertext. Confusion is the property that the relation between plaintexts and ciphertexts has to be complex enough. It means that confusion comes with the nonlinearity property. The overall nonlinearity of the cipher is ensured by the s-boxes of the cipher. In this chapter, we examine the resistance of the Serpent cipher to linear cryptanalysis and differential cryptanalysis attacks. We construct the Linear Approximation (LAT) and Difference Distribution (XOR) tables of the S-boxes of Serpent and give the results about the nonlinearity and resistance of Serpent's S-boxes.

Table 3.2: Serpent-0 and Serpent-p's S-box definitions

S0: 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7
S1: 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8
S2: 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0
S3: 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
S4: 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10
S5: 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5
S6: 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15
S7: 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
S8: 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8
S9: 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1
S10: 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7
S11: 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
S12: 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15
S13: 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9
S14: 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4
S15: 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
S16: 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9
S17: 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6
S18: 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14
S19: 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
S20: 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11
S21: 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8
S22: 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6
S23: 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
S24: 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1
S25: 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6
S26: 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2
S27: 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
S28: 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7
S29: 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2
S30: 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8
S31: 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11

3.4.2 Results of LAT Tables of Serpent's S-boxes

For each of the S-boxes of Serpent, the Linear Approximation Table (LAT) is a matrix of size 16 × 16. It means that each s-box $S_i(x) : F_2^n \to F_2^n$ where $n = 4$. The elements of the LAT table are calculated, for input sum $\alpha$ and output sum $\beta$, by

$$LAT_{\alpha,\beta \in F_2^n}(\alpha, \beta) = \#\{x \mid \alpha \cdot x = \beta \cdot S(x)\} - 2^{n-1}$$

(Section 2.4).

The full Linear Approximation Tables (LAT) of the S-boxes of Serpent will be given in the first part of Appendix A in the document. The nonlinearity of each s-box can be computed by the equation

$$N_f = 2^{n-1} - \max_{\alpha,\beta \in F_2^n \setminus \{0\}} |LAT(\alpha, \beta)|.$$

According to the results, each of the LAT tables of the s-boxes of Serpent has a maximum value equal to 4, except the element at the intersection of the first row and first column ($LAT(0, 0)$). Hence the nonlinearity of each s-box can be computed likewise: for $n = 4$ and $\max_{\alpha,\beta \in F_2^n \setminus \{0\}} |LAT(\alpha, \beta)| = 4$,

$$N_f = 2^{4-1} - 4 = 4.$$

It can be seen from the LAT tables of the s-boxes that each linear characteristic has a probability in the range $\frac{1}{2} \pm \frac{1}{4}$.

Table 3.3: Parts of LAT Tables of the S-boxes with input/output sum weight of 1 (rows: input sum, columns: output sum)

| S-box | Input sum | 1x | 2x | 4x | 8x |
|-------|-----------|----|----|----|----|
| 0 | 1x | -2 | -2 | -2 | 0 |
| 0 | 2x | +2 | -2 | 0 | 0 |
| 0 | 4x | 0 | 0 | 0 | 0 |
| 0 | 8x | -2 | -2 | +2 | 0 |
| 1 | 1x | -2 | -2 | 0 | +2 |
| 1 | 2x | -2 | +2 | 0 | -2 |
| 1 | 4x | 0 | -2 | 0 | -2 |
| 1 | 8x | 0 | 0 | 0 | 0 |
| 2 | 1x | 0 | 0 | 0 | 0 |
| 2 | 2x | 0 | +2 | +2 | 0 |
| 2 | 4x | 0 | +2 | -2 | 0 |
| 2 | 8x | 0 | -2 | 0 | -2 |
| 3 | 1x | +2 | 0 | 0 | 0 |
| 3 | 2x | -2 | +2 | 0 | -2 |
| 3 | 4x | 0 | +2 | +2 | 0 |
| 3 | 8x | 0 | 0 | +2 | -2 |
| 4 | 1x | 0 | +2 | +2 | 0 |
| 4 | 2x | 0 | +2 | 0 | 0 |
| 4 | 4x | 0 | 0 | +2 | +2 |
| 4 | 8x | 0 | 0 | +2 | 0 |
| 5 | 1x | 0 | 0 | -2 | 0 |
| 5 | 2x | 0 | 0 | -2 | +2 |
| 5 | 4x | 0 | -2 | +2 | 0 |
| 5 | 8x | 0 | 0 | 0 | -2 |
| 6 | 1x | +2 | 0 | -2 | -2 |
| 6 | 2x | 0 | 0 | 0 | 0 |
| 6 | 4x | -2 | 0 | -2 | 0 |
| 6 | 8x | +2 | 0 | -2 | +2 |
| 7 | 1x | -2 | 0 | -2 | 0 |
| 7 | 2x | -2 | +2 | 0 | 0 |
| 7 | 4x | 0 | +2 | -2 | 0 |
| 7 | 8x | 0 | 0 | +2 | -2 |

3.4.2.1 Properties of Serpent's Linear Approximation Tables

The LAT distributions of subsets with weight 1 can be observed from Table 3.3 (the full LAT distributions of the S-boxes are in Appendix A.1). It can be seen from the tables with weight 1 input and output sums that there are only three values (−2, 0, +2), so a linear relation between one single bit in the input and one single bit in the output has a probability in the range $\frac{1}{2} \pm \frac{1}{8}$. These probabilities are low for linear cryptanalysis.

On the other hand, there are some weaknesses in the LAT tables. For example, some input sum values give a value only for 4 output sum values, with probability bias $\frac{1}{4}$. Then, the other output sum values are 0.

3.4.2.2 Observations on Serpent's Linear Approximation Tables

These observations on the LAT tables can be used for linear cryptanalysis of Serpent.

1. For the LAT Table of S-Box 0, input sum 4x = $(0100)_2$ gives values only for output sums Cx = $(1100)_2$, Dx = $(1101)_2$, Ex = $(1110)_2$, Fx = $(1111)_2$ and input sum 9x = $(1001)_2$ gives values only for output sums 5x = $(0101)_2$, 6x = $(0110)_2$, Cx = $(1100)_2$, Fx = $(1111)_2$.
2. For the LAT Table of S-Box 1, input sum 3x = $(0011)_2$ gives values only for output sums 6x = $(0110)_2$, 7x = $(0111)_2$, Cx = $(1100)_2$, Dx = $(1101)_2$ and input sum Bx = $(1011)_2$ gives values only for output sums 1x = $(0001)_2$, 2x = $(0010)_2$, 8x = $(1000)_2$, Bx = $(1011)_2$.
3. For the LAT Table of S-Box 2, input sum 6x = $(0110)_2$ gives values only for output sums 3x = $(0011)_2$, 5x = $(0101)_2$, Bx = $(1011)_2$, Dx = $(1101)_2$ and input sum 7x = $(0111)_2$ gives values only for output sums 2x = $(0010)_2$, 6x = $(0110)_2$, 8x = $(1000)_2$, Cx = $(1100)_2$.
4. For the LAT Table of S-Box 3, input sum Fx = $(1111)_2$ gives values only for output sums 1x = $(0001)_2$, 3x = $(0011)_2$, 4x = $(0100)_2$, 6x = $(0110)_2$.
5. For the LAT Table of S-Box 4, input sum Bx = $(1011)_2$ gives values only for output sums 4x = $(0100)_2$, 5x = $(0101)_2$, 8x = $(1000)_2$, 9x = $(1001)_2$.
6. For the LAT Table of S-Box 5, input sum Bx = $(1011)_2$ gives values only for output sums 2x = $(0010)_2$, 3x = $(0011)_2$, 4x = $(0100)_2$, 5x = $(0101)_2$.
7. For the LAT Table of S-Box 6, input sum 9x = $(1001)_2$ gives values only for output sums 3x = $(0011)_2$, 6x = $(0110)_2$, Ax = $(1010)_2$, Fx = $(1111)_2$ and input sum Bx = $(1011)_2$ gives values only for output sums 1x = $(0001)_2$, 4x = $(0100)_2$, 9x = $(1001)_2$, Cx = $(1100)_2$.
8. For the LAT Table of S-Box 7, input sum 7x = $(0111)_2$ gives values only for output sums 4x = $(0100)_2$, 5x = $(0101)_2$, 8x = $(1000)_2$, 9x = $(1001)_2$.

Table 3.4: Parts of LAT Tables of the S-boxes (rows: input sum, columns: output sum)

| S-box | Input sum | 0x | 1x | 2x | 3x | 4x | 5x | 6x | 7x | 8x | 9x | Ax | Bx | Cx | Dx | Ex | Fx |
|-------|-----------|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|
| 0 | 4x | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | +4 | -4 | -4 | -4 |
| 0 | 9x | 0 | 0 | 0 | 0 | 0 | +4 | -4 | 0 | 0 | 0 | 0 | 0 | +4 | 0 | 0 | +4 |
| 1 | 3x | 0 | 0 | 0 | 0 | 0 | 0 | +4 | -4 | 0 | 0 | 0 | 0 | -4 | -4 | 0 | 0 |
| 1 | Bx | 0 | -4 | -4 | 0 | 0 | 0 | 0 | 0 | -4 | 0 | 0 | +4 | 0 | 0 | 0 | 0 |
| 2 | 6x | 0 | 0 | 0 | -4 | 0 | +4 | 0 | 0 | 0 | 0 | 0 | -4 | 0 | -4 | 0 | 0 |
| 2 | 7x | 0 | 0 | +4 | 0 | 0 | 0 | -4 | 0 | -4 | 0 | 0 | 0 | -4 | 0 | 0 | 0 |
| 3 | Fx | 0 | +4 | 0 | -4 | +4 | 0 | +4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 4 | Bx | 0 | 0 | 0 | 0 | -4 | -4 | 0 | 0 | +4 | -4 | 0 | 0 | 0 | 0 | 0 | 0 |
| 5 | Bx | 0 | 0 | -4 | +4 | -4 | -4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 6 | 9x | 0 | 0 | 0 | +4 | 0 | 0 | +4 | 0 | 0 | 0 | -4 | 0 | 0 | 0 | 0 | +4 |
| 6 | Bx | 0 | -4 | 0 | 0 | +4 | 0 | 0 | 0 | 0 | -4 | 0 | 0 | -4 | 0 | 0 | 0 |
| 7 | 7x | 0 | 0 | 0 | 0 | +4 | +4 | 0 | 0 | +4 | -4 | 0 | 0 | 0 | 0 | 0 | 0 |

3.4.3 Results of XOR Tables of Serpent's S-boxes

For each of the S-boxes of Serpent, the Difference Distribution Table (XOR) is a matrix of size $16 \times 16$. It means that each S-box is a mapping $S_i(x) : F_2^n \to F_2^n$ where $n = 4$. The elements of the XOR table are calculated by $XOR(\Delta X, \Delta Y) = \#\{X \mid S(X) \oplus S(X \oplus \Delta X) = \Delta Y\}$ (Section 2.5). The full Difference Distribution Tables (XOR) of the S-boxes of Serpent are given in the second part of Appendix A of the document.

The differential uniformity parameter is $\max_{\Delta X, \Delta Y \neq 0} XOR(\Delta X, \Delta Y)$ (Definition 2.5.3). All Difference Distribution (XOR) tables have a maximum value of 4, except for the element at the intersection of the first row and first column ($XOR(\Delta X = 0, \Delta Y = 0)$). Hence the differential uniformity of each of the S-boxes of Serpent is $\max_{\Delta X, \Delta Y \neq 0} XOR(\Delta X, \Delta Y) = 4$. It can be seen from the XOR tables of the S-boxes that each differential characteristic has a probability of at most $\frac{1}{4}$.

3.4.3.1 Properties of Serpent's Difference Distribution Tables

Table 3.5 shows the XOR distributions of input and output differences with weight 1 for each of the S-boxes of Serpent (the full XOR tables of the S-boxes are in Appendix A.2). As a result, for each of the S-boxes of Serpent, a one-bit input difference will never lead to a one-bit output difference.

Table 3.5: A part of XOR Table of the S-boxes with input/output differences of weight 1
      1x  2x  4x  8x
 1x    0   0   0   0
 2x    0   0   0   0
 4x    0   0   0   0
 8x    0   0   0   0

Table 3.6: Parts of XOR Tables of the S-boxes

A part of XOR Table of the S-box 0
      0x  1x  2x  3x  4x  5x  6x  7x  8x  9x  Ax  Bx  Cx  Dx  Ex  Fx
 4x    0   0   0   0   0   0   0   0   0   4   4   0   0   4   4   0
 Dx    0   0   0   4   0   0   0   4   4   0   0   0   0   0   0   4

A part of XOR Table of the S-box 1
      0x  1x  2x  3x  4x  5x  6x  7x  8x  9x  Ax  Bx  Cx  Dx  Ex  Fx
 4x    0   0   0   0   0   0   4   4   0   0   0   0   4   4   0   0
 Fx    0   4   0   0   0   0   0   0   0   0   0   4   0   0   4   4

A part of XOR Table of the S-box 2
      0x  1x  2x  3x  4x  5x  6x  7x  8x  9x  Ax  Bx  Cx  Dx  Ex  Fx
 4x    0   0   0   0   0   0   4   0   0   0   4   4   0   4   0   0

A part of XOR Table of the S-box 6
      0x  1x  2x  3x  4x  5x  6x  7x  8x  9x  Ax  Bx  Cx  Dx  Ex  Fx
 Fx    0   0   0   0   0   4   0   4   4   0   0   0   0   0   0   4

3.4.3.2 Observations on Serpent's Difference Distribution Tables

These observations are the result of the XOR tables of Serpent.

1. For the XOR Table of S-Box 0, input difference $4_x = (0100)_2$ gives values only for output differences $9_x = (1001)_2$, $A_x = (1010)_2$, $D_x = (1101)_2$, $E_x = (1110)_2$, and input difference $D_x = (1101)_2$ gives values only for output differences $3_x = (0011)_2$, $7_x = (0111)_2$, $8_x = (1000)_2$, $F_x = (1111)_2$.

2. For the LAT Table of S-Box 1, input difference $4_x = (0100)_2$ gives values only for output differences $6_x = (0110)_2$, $7_x = (0111)_2$, $C_x = (1100)_2$, $D_x = (1101)_2$, and input difference $F_x = (1111)_2$ gives values only for output differences $1_x = (0001)_2$, $B_x = (1011)_2$, $E_x = (1110)_2$, $F_x = (1111)_2$.

3. For the LAT Table of S-Box 2, input difference $4_x = (0100)_2$ gives values only for output differences $6_x = (0110)_2$, $A_x = (1010)_2$, $B_x = (1011)_2$, $D_x = (1101)_2$.

4. For the LAT Table of S-Box 6, input difference $F_x = (1111)_2$ gives values only for output differences $5_x = (0101)_2$, $7_x = (0111)_2$, $8_x = (1000)_2$, $F_x = (1111)_2$.

3.4.3.3 Observations for cryptanalysis

These observations on the XOR tables can be used for differential cryptanalysis of Serpent.

1. In three out of 8 of Serpent's S-boxes, $S_0$, $S_1$, $S_2$, the input difference $4_x = (0100)_2$ can become the output difference with probability $\frac{1}{4}$.

2. In two out of 8 of Serpent's S-boxes, $S_1$, $S_6$, the input difference $F_x = (1111)_2$ can become the output difference with probability $\frac{1}{4}$.

3. In one out of 8 of Serpent's S-boxes, $S_0$, the input difference $D_x = (1101)_2$ can become the output difference with probability $\frac{1}{4}$.

4. There are many places where, given an active bit and an arbitrary bit, the output is the same under the same probability, such as in $S_2$, where $4_x = (0100)_2$ and $C_x = (1100)_2$ give $D_x = (1101)_2$ with probability of $\frac{1}{4}$. Also, in $S_3$, $2_x = (0010)_2$ and $3_x = (0011)_2$ give $F_x = (1111)_2$ with probability of $\frac{1}{4}$.

5. In $S_0$, the input difference $6_x = (0110)_2$ has probability 0 to become $(1???)_2$. This means that the first bit is always zero. The cipher can be attacked by finding a differential and keeping some bit at zero difference. This reduces the number of unknown bits in the next rounds.¹

6. Also, in $S_0$, the input difference $2_x = (0010)_2$ has probability 0 to become $(0???)_2$ and the input difference $4_x = (0100)_2$ has probability 0 to become $(0???)_2$. Hence, these input differences give an output difference of the form $(1???)_2$.

7. There are some connections between output differences: for example, in $S_0$, the input difference $4_x = (0100)_2$ gives an output difference of the form $(1?x_3x_4)_2$, where $x_3 \oplus x_4 = 1$.

Items (1), (2) and (3) of these observations can be examined using Table 3.6. Items (5) and (6) can be examined using Table 3.7.

Table 3.7: A part of XOR Table of the S-box 0
      0x  1x  2x  3x  4x  5x  6x  7x  8x  9x  Ax  Bx  Cx  Dx  Ex  Fx
 2x    0   0   0   0   0   0   0   0   0   2   2   0   4   2   2   4
 4x    0   0   0   0   0   0   0   0   0   4   4   0   0   4   4   0
 6x    0   2   2   4   0   2   2   4   0   0   0   0   0   0   0   0

¹ ? denotes unknown values of bits.
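The properties stated in Sections 3.4.3.1 to 3.4.3.3 can be recomputed directly from the S-boxes. The following Python code is an added example, not part of the original project: it assumes the S-box values S0 to S7 of the published Serpent specification (they are not listed in this section), all function names are this example's own, and it also derives the LAT, which goes beyond the XOR tables discussed here.

```python
# Added example: XOR (difference distribution) and LAT tables of the Serpent S-boxes.
# Assumption: the values below are the Serpent (Serpent-1) S-boxes S0..S7 as given
# in the published Serpent specification; they are not data from this section.
SERPENT_SBOXES = [
    [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12],   # S0
    [15, 12, 2, 7, 9, 0, 5, 10, 1, 11, 14, 8, 6, 13, 3, 4],   # S1
    [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2],   # S2
    [0, 15, 11, 8, 12, 9, 6, 3, 13, 1, 2, 4, 10, 7, 5, 14],   # S3
    [1, 15, 8, 3, 12, 0, 11, 6, 2, 5, 4, 10, 9, 14, 7, 13],   # S4
    [15, 5, 2, 11, 4, 10, 9, 12, 0, 3, 14, 8, 13, 6, 7, 1],   # S5
    [7, 2, 12, 5, 8, 4, 6, 11, 14, 9, 1, 15, 13, 3, 10, 0],   # S6
    [1, 13, 15, 0, 14, 8, 2, 11, 7, 4, 12, 10, 9, 3, 5, 6],   # S7
]
ONE_BIT = (1, 2, 4, 8)   # differences / masks of Hamming weight 1


def xor_table(sbox):
    """XOR(dX, dY) = #{X : S(X) ^ S(X ^ dX) == dY}; rows are dX, columns dY."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(sbox):
    """Largest XOR-table entry over all non-zero input differences."""
    return max(max(row) for row in xor_table(sbox)[1:])


def one_bit_to_one_bit(sbox):
    """Weight-1 (dX, dY) pairs with a non-zero XOR-table entry."""
    table = xor_table(sbox)
    return [(dx, dy) for dx in ONE_BIT for dy in ONE_BIT if table[dx][dy]]


def truncated_output(sbox, dx):
    """Output-difference pattern for dX, most significant bit first:
    '0' or '1' if the bit is the same in every reachable dY, '?' if it varies."""
    reachable = [dy for dy, count in enumerate(xor_table(sbox)[dx]) if count]
    pattern = ""
    for bit in (8, 4, 2, 1):
        values = {(dy & bit) != 0 for dy in reachable}
        pattern += "?" if len(values) == 2 else str(int(values.pop()))
    return pattern


def parity(value):
    """XOR of the bits of value."""
    return bin(value).count("1") & 1


def lat(sbox):
    """LAT(a, b) = #{X : a.X == b.S(X)} - 8; a is the input sum, b the output sum."""
    size = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(size)) - size // 2
             for b in range(size)] for a in range(size)]


def max_abs_lat(sbox, masks=range(1, 16)):
    """Largest |LAT(a, b)| with a and b both taken from masks."""
    table = lat(sbox)
    return max(abs(table[a][b]) for a in masks for b in masks)


if __name__ == "__main__":
    for i, sbox in enumerate(SERPENT_SBOXES):
        print(f"S{i}: uniformity={differential_uniformity(sbox)} "
              f"one-bit->one-bit={one_bit_to_one_bit(sbox)} "
              f"max|LAT|={max_abs_lat(sbox)} "
              f"max|LAT| single bits={max_abs_lat(sbox, ONE_BIT)}")
    s0 = SERPENT_SBOXES[0]
    for dx in (2, 4, 6):
        print(f"S0 dX={dx:X}x -> ({truncated_output(s0, dx)})  row={xor_table(s0)[dx]}")
```

A table entry of 4 corresponds to a differential probability of 4/16 = 1/4, and a LAT entry of ±4 to a linear probability of 1/2 ± 4/16.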

Chapter 4 Randomness Testing of Serpent Cipher's Versions

4.1 Introduction

A random process is one whose consequences are unknown. This is why randomness is crucial in cryptographic applications: it provides a way to create information that a third party cannot predict or learn. Thus, experiments that test the randomness of the outputs of ciphers are carried out. There are several ways of testing randomness; today, the NIST Statistical Test Suite [3] in particular is used.

This chapter consists of the results of the randomness testing of the Serpent Cipher's versions; the tests were done according to the NIST Statistical Test Suite [3]. In the first section, Randomness Testing Experimental Preparation, the statistical tests that were used, the chosen sample data and the test parameters are described. In the second section, the results of randomness testing of the full round output of the Serpent Cipher's versions and of the perturbed plaintext are given, and in the last section, the results of randomness testing of the partial round output of the Serpent Cipher's versions are given. Partial round output means the outputs of round 1, round 2 and round 3.

4.2 Randomness Testing Experimental Preparation

This section defines the preparations for randomness testing. These preparations consist of the list of statistical tests, the test parameters and the sample data used in randomness testing.

Table 4.1: List of Statistical Tests Applied During Test Application
Statistical Test              No. of P-values   Test ID
Monobit                       1                 1
Block Frequency               1                 2
Cusum                         2                 3-4
Runs                          1                 5
Long Runs of Ones             1                 6
Rank                          1                 7
Spectral DFT                  1                 8
Aperiodic Templates           148               9-156
Periodic Template             1                 157
Universal Statistical         1                 158
Approximate Entropy           1                 159
Random Excursions             8                 160-167
Random Excursions Variant     18                168-185
Serial                        2                 186-187
Lempel-Ziv Compression        1                 188
Linear Complexity             1                 189

Randomness testing of the outputs of the Serpent Cipher's versions is divided into two parts. The first part is the testing of the full round outputs of the cipher. The second part is the testing of the partial round outputs of the cipher. All tests were done according to the application of the NIST Statistical Test Suite. This suite consists of 16 core statistical tests; under different parameter inputs they become 189 statistical tests.

Table 4.2: Parameter Adjustments for some of the Statistical Tests
Statistical Test                 Parameter          Value
Block Frequency Test             Block Length (M)   128 bit
Non-Overlapping Template Test    Block Length (m)   9 bit
Overlapping Template Test        Block Length (m)   9 bit
Approximate Entropy Test         Block Length (m)   10 bit
Serial Test                      Block Length (m)   16
Linear Complexity Test           Block Length (M)   500 bit
Universal Test                   Block Length (m)   1280 bit

Randomness testing was performed with these specifications:

1. For each output of the Serpent Cipher's versions, the input parameters such as the sequence-length, sample-size, and significance-level¹ were fixed for each output data. The sequence-length is 65536 bits, the sample-size is 300 binary sequences and the significance-level is 0.01.

2. For each P-value, a success/failure assessment was made based on whether or not it exceeded or fell below the pre-selected significance level.

3. For each statistical test and each output, the proportion of binary sequences in a sample that passed the statistical test was calculated. If the P-values fell below 0.01, the output was flagged as suspect².

¹ The significance-level was fixed at 0.01 in each experiment. Thus, the expected number of rejections is 1 out of every 100 binary sequences.
² Based on the size of the number of sequences and tests that were performed, 1 in 10.000 will not give an excessive number of rejections when a generator is good.

Data Description: The data set was selected based on the belief that it would be useful in evaluating the randomness of cryptographic algorithms. The Plaintext Avalanche data type was used for testing. To examine the sensitivity of the algorithms to changes in the plaintext, 300 binary sequences were analyzed. The 300 sequences were parsed from a string constructed as follows: given 1200 random 128-bit plaintext blocks and a 192-bit (or 256-bit) key of all zeros, 153,600 derived blocks were concatenated. Each derived block was based on the XOR of the ciphertext formed using the fixed 192-bit (or 256-bit) key and the random plaintext, and the ciphertext formed using the fixed 192-bit (or 256-bit) key and the perturbed random plaintext with the $i$th bit changed, for $1 \le i \le 128$. A total of 128 sets of derived blocks were formed for each random plaintext. All derived blocks were concatenated, and a total of 153,600 derived blocks resulted. The 300 sequences of 65,536 bits (512 blocks) were parsed from the concatenated derived blocks.
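The data construction and the pass/fail rule described above, as an added Python example that is not part of the original project: it builds the 300 plaintext-avalanche sequences and applies only the Frequency (Monobit) test of the NIST suite. A keyed BLAKE2b hash stands in for Serpent (an assumption, since no Serpent implementation is used here), and the function names, seed and plaintexts are constructed for illustration.

```python
import hashlib
import math
import random

BLOCK_BITS = 128
BLOCKS_PER_SEQUENCE = 512                      # 512 * 128 = 65,536 bits per sequence
SEQUENCE_BITS = BLOCK_BITS * BLOCKS_PER_SEQUENCE
ZERO_KEY = bytes(32)                           # 256-bit key of all zeros, as in the text


def standin_cipher(block, key=ZERO_KEY):
    """Keyed BLAKE2b truncated to 128 bits. Stand-in for Serpent (assumption):
    any function mapping a 128-bit int to a 128-bit int can be plugged in."""
    digest = hashlib.blake2b(block.to_bytes(16, "big"), key=key, digest_size=16).digest()
    return int.from_bytes(digest, "big")


def identity(block):
    """No encryption at all: every derived block then holds exactly one 1 bit."""
    return block


def avalanche_ones_counts(encrypt, n_plaintexts=1200, seed=2008):
    """Build the plaintext-avalanche data and return the number of 1 bits in each
    65,536-bit sequence. Derived block = E(P) xor E(P with bit i flipped), i = 1..128;
    the derived blocks are concatenated and cut into sequences of 512 blocks."""
    rng = random.Random(seed)                  # constructed sample plaintexts
    counts, ones, blocks = [], 0, 0
    for _ in range(n_plaintexts):
        plaintext = rng.getrandbits(BLOCK_BITS)
        ciphertext = encrypt(plaintext)
        for i in range(BLOCK_BITS):
            derived = ciphertext ^ encrypt(plaintext ^ (1 << i))
            ones += bin(derived).count("1")
            blocks += 1
            if blocks == BLOCKS_PER_SEQUENCE:
                counts.append(ones)
                ones, blocks = 0, 0
    return counts


def frequency_p_value(ones, n_bits=SEQUENCE_BITS):
    """Frequency (Monobit) test: P = erfc(|#1 - #0| / sqrt(2 n))."""
    return math.erfc(abs(2 * ones - n_bits) / math.sqrt(2 * n_bits))


def success_proportion(ones_counts, alpha=0.01):
    """Share of sequences whose P-value does not fall below the significance level."""
    passed = sum(frequency_p_value(ones) >= alpha for ones in ones_counts)
    return passed / len(ones_counts)


if __name__ == "__main__":
    counts = avalanche_ones_counts(standin_cipher)
    print("sequences:", len(counts), "ones min/max:", min(counts), max(counts))
    print("stand-in cipher, Frequency success proportion:", success_proportion(counts))
    print("identity, Frequency success proportion:",
          success_proportion(avalanche_ones_counts(identity, n_plaintexts=40)))
```

With the counts quoted in Section 4.4.1 for full round Serpent-0, the sequence with 33099 ones falls just below the 0.01 level on this test, while the sequence with 32451 ones stays above it.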

4.3 Randomness Testing of the Perturbed Random Plaintext

In this section, the analysis of the perturbed random plaintext is shown. This data was chosen from 1200 random texts where the $i$th bit was changed for $1 \le i \le 128$: one bit was changed and the result concatenated, then another bit was changed and the result concatenated. This data was prepared in a non-random way. Thus, non-randomness is expected from the testing of this perturbed plaintext.

The randomness testing results of the perturbed plaintext, obtained with the NIST Statistical Test Suite, are given in Table 4.3. According to the test results, the perturbed plaintext gives a 100% success rate only for the Longest Run test. It gives this success rate because the result depends on the selected test parameters. Also, for the Block Frequency test, the perturbed plaintext gives a success proportion of 0.7467; again this depends on the selected test parameters, since the Block Frequency block length is chosen as 128 bit. On the other hand, for 6 of these 16 statistical tests, the perturbed plaintext gives a success proportion of 0.0000, and all other tests give a low success rate. As a result, the perturbed plaintext is observed to be non-random, as expected.

Table 4.3: Test Results of Perturbed Random Plaintext
Test                          Success Proportion
Approximate Entropy           0.0000
Block Frequency               0.7467
Cusum                         0.2017
FFT                           0.0000
Frequency                     0.2017
Longest Run                   1.0000
Linear Complexity             0.9433
Non-overlapping Template      0.0008
Overlapping Template          0.0558
Runs                          0.0542
Serial                        0.0000
Universal                     0.0000
Rank                          0.0000
Random Excursion              0.3478
Random Excursion Variant      0.0570
Lempel-Ziv                    0.0000

4.4 Full Round Testing

In this section, the analysis of the full round outputs of the Serpent Cipher's versions is shown. Each experiment is done with sample data of the plaintext avalanche data type, generated from the full round output of each of the Serpent Cipher's versions. This data consists of 300 binary strings, each with a sequence length of 65536. In the experiments, 148 templates are used for each binary sequence in the Non-overlapping Template Test.

4.4.1 Full Round Testing For Serpent-0

In this section, the experimental results of the analysis of full round Serpent-0's outputs are given. Serpent-0 is a 32-round SPN. Thus, the 32-round outputs of the cipher are used. In the 300 sample data, for one sequence, the maximum number of 0's is equal to 33085 and the maximum number of 1's is equal to 33099, the minimum number of 0's is equal to 32437 and the minimum number of 1's is equal to 32451. Test results of full round Serpent-0's output are given in Table 4.4.

Table 4.4: Test Results of Full Round Serpent-0's Output
Test                          Success Proportion
Approximate Entropy           0.9867
Block Frequency               0.9900
Cusum                         0.9933
FFT                           1.0000
Frequency                     0.9967
Longest Run                   0.9867
Linear Complexity             0.9667
Non-overlapping Template      0.9833
Overlapping Template          0.9867
Runs                          0.9867
Serial                        0.9900
Rank                          0.9867
Random Excursions             0.9165
Random Excursions Variant     0.9165
Lempel-Ziv                    1.0000

The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test. According to Table 4.4, the minimum success proportion is 0.9165 and the maximum success proportion is 1.0000. The number of tests that give a 100% success rate is 2. This means that the P-values of all the test results of these sequences do not fall below 0.01. As a conclusion, Serpent-0's outputs give good results for randomness. Thus, the full round output of Serpent-0 can be considered random.

4.4.2 Full Round Testing For Serpent-1 (Serpent)

This section describes the analysis result of the full round output of Serpent-1 (Serpent). According to the experiments, for 100 sample binary sequences, the maximum number of 0's is equal to 33160 and the minimum number of 0's is equal to 32387; therefore, the maximum number of 1's is equal to 33149 and the minimum number of 1's is equal to 32451. Again in the experiment, for the Non-overlapping Template Test, 148 templates are used for each binary string. Test results of full round Serpent-1's output are given in Table 4.5.

Table 4.5: Test Results of Full Round Serpent-1's Output
Test                          Success Proportion
Approximate Entropy           0.9900
Block Frequency               1.0000
Cusum                         0.9900
FFT                           1.0000
Frequency                     0.9833
Longest Run                   0.9767
Linear Complexity             0.9833
Non-overlapping Template      0.9733
Overlapping Template          0.9900
Runs                          0.9933
Serial                        0.9800
Rank                          0.9933
Random Excursion              0.9474
Random Excursion Variant      0.9474
Lempel-Ziv                    1.0000

The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test. According to Table 4.5, the minimum success proportion is 0.9474 and the maximum success proportion is 1.0000. The number of tests that give a 100% success rate is 3. This means that the P-values of all the test results of these sequences do not fall below 0.01. Thus, Serpent-1's outputs give better results than the results of Serpent-0. However, the results are close to each other. As a conclusion, Serpent-1's outputs give good results for randomness. Thus, the full round output of Serpent-1 can be considered random.

4.4.3 Full Round Testing For Serpent-p

The new version Serpent-p of the Serpent Cipher is tested with NIST's Statistical Test Suite and the following results are obtained. For 300 sample binary sequences, the maximum number of 0's is equal to 33203, so the minimum number of 1's is equal to 32451; and the maximum number of 1's is equal to 33109, so the minimum number of 0's is equal to 32427. Test results of full round Serpent-p's output are given in Table 4.6.

Table 4.6: Test Results of Full Round Serpent-p's Output
Test                          Success Proportion
Approximate Entropy           0.9800
Block Frequency               0.9833
Cusum                         0.9867
FFT                           1.0000
Frequency                     0.9833
Longest Run                   0.9833
Linear Complexity             0.9900
Non-overlapping Template      0.9700
Overlapping Template          0.9933
Runs                          0.9833
Serial                        0.9733
Rank                          0.9867
Random Excursion              1.0000
Random Excursion Variant      0.9333
Lempel-Ziv                    1.0000

The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test. According to Table 4.6, the minimum success proportion is 0.9700 and the maximum success proportion is 1.0000. The number of tests that give a 100% success rate is 3. This means that the P-values of all the test results of these sequences do not fall below 0.01. Thus, Serpent-p's outputs give results close to those of Serpent-1. As a conclusion, Serpent-p's outputs give good results for randomness. Thus, for the full round output of Serpent-p, randomness is evident.

4.4.4 Full Round Testing For Serpent-p-ns

In this section, another new version of the Serpent cipher, Serpent-p-ns, is examined with the NIST Statistical Test Suite. Examining each binary sequence, the maximum numbers of 0's and 1's are equal to 33136 and 33096, respectively, and the minimum numbers of 0's and 1's are equal to 32440 and 32400, respectively. Test results of full round Serpent-p-ns's output are given in Table 4.7.

Table 4.7: Test Results of Full Round Serpent-p-ns's Output
Test                          Success Proportion
Approximate Entropy           0.9933
Block Frequency               0.9833
Cusum                         0.9933
FFT                           0.9967
Frequency                     0.9900
Longest Run                   0.9867
Linear Complexity             0.9733
Non-overlapping Template      0.9767
Overlapping Template          0.9967
Runs                          0.9967
Serial                        0.9800
Rank                          0.9933
Random Excursion              0.9444
Random Excursion Variant      0.9444
Lempel-Ziv                    1.0000

The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test. According to Table 4.7, the minimum success proportion is 0.9444 and the maximum success proportion is 1.0000. One test gives a 100% success rate, which is Lempel-Ziv. This means that the P-values of all the test results of these sequences do not fall below 0.01. These results are close to the test results of the previous Serpent Cipher's versions. As a conclusion, Serpent-p-ns outputs give good results for randomness. Thus, for the full round output of Serpent-p-ns, randomness is evident.

4.5 Partial Round Testing

In this section, partial round testing of the Serpent cipher's versions is done. Partial round means that the outputs of round 1, round 2 and round 3 of the Serpent cipher's versions are used in the statistical test experiments. Each experiment is done with sample data consisting of 300 binary strings of partial round output of each of the Serpent cipher's versions. For the Non-overlapping Template Test, 148 templates are used for each binary sequence in the experiment. The following subsections describe the experiment results.

4.5.1 Partial Round Testing For Serpent-0

The results of partial round testing of Serpent-0 are given below.

For outputs of round 1: For 300 sample binary sequences, the maximum number of 0's is equal to 59697, so the minimum number of 1's is equal to 5839; and the maximum number of 1's is equal to 6195, so the minimum number of 0's is equal to 59341.

For outputs of round 2: The maximum number of 0's is equal to 36021, so the minimum number of 1's is equal to 29515; and the maximum number of 1's is equal to 30633, so the minimum number of 0's is equal to 34903.

For outputs of round 3: The maximum number of 0's is equal to 33153, so the minimum number of 1's is equal to 32383; and the maximum number of 1's is equal to 33085, so the minimum number of 0's is equal to 32451.

Test results of partial rounds of Serpent-0's output are given in Table 4.8.

Table 4.8: Test Results of Partial Round Serpent-0's Output
                              Success Proportion
Test                          Round 1   Round 2   Round 3
Approximate Entropy           0.0000    0.0000    0.9800
Block Frequency               0.0000    0.0000    0.9900
Cusum                         0.0000    0.0000    0.9867
FFT                           0.0000    0.1867    0.9967
Frequency                     0.0000    0.0000    0.9933
Longest Run                   0.0000    0.9433    0.9900
Linear Complexity             0.6900    0.9867    0.9867
Non-overlapping Template      0.0000    0.6500    0.9695
Overlapping Template          0.0000    0.6500    0.9695
Runs                          0.0000    0.0000    0.9933
Serial                        0.0000    0.0000    0.9800
Rank                          0.0000    0.9900    0.9867
Random Excursions             0.0000    0.0000    0.9286
Random Excursions Variant     0.0000    0.0000    0.9286
Lempel-Ziv                    0.0000    0.0000    0.0000

In the experiment, for the Non-overlapping Template Test, 148 templates are used for each binary string. The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test.

According to the results in Table 4.8, for 14 tests, Serpent-0's round 1 outputs give all failure. Only for 1 test, which is the Linear Complexity test, do Serpent-0's round 1 outputs give a success proportion of 0.6900. This can be caused by the chosen test parameter. Thus, it can be concluded that Serpent-0's round 1 outputs are non-random.

For 9 tests, Serpent-0's round 2 outputs give all failure. The outputs pass the Discrete Fourier Transform test with a low success proportion. But for the Longest Run, Linear Complexity and Rank tests, the outputs give a success proportion above 0.9000. Again, Serpent-0's round 2 outputs can be said to be non-random.

On the other hand, Serpent-0's round 3 outputs give a success proportion between 0.9200 and 0.9900 for all tests except the Universal and Lempel-Ziv tests. From this observation, it can be decided that Serpent-0's round 3 outputs are random according to the results of the NIST Statistical Test Suite.

4.5.2 Partial Round Testing For Serpent-1 (Serpent)

The results of partial round testing of Serpent-1 are given below.

For outputs of round 1: The maximum number of 0's is equal to 59523, so the minimum number of 1's is equal to 6013; and the maximum number of 1's is equal to 6389, so the minimum number of 0's is equal to 59147. It can be observed from the above result that 0's and 1's are not distributed equally in the outputs. This can be evidence for non-randomness.

For outputs of round 2: The maximum number of 0's is equal to 36636, so the minimum number of 1's is equal to 28900; and the maximum number of 1's is equal to 29965, so the minimum number of 0's is equal to 35571.

For outputs of round 3: The maximum number of 0's is equal to 33089, so the minimum number of 1's is equal to 32447; and the maximum number of 1's is equal to 33111, so the minimum number of 0's is equal to 32425.

Test results of partial rounds of Serpent-1's output are given in Table 4.9. The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test.

Table 4.9: Test Results of Partial Round Serpent-1's Output
                              Success Proportion
Test                          Round 1   Round 2   Round 3
Approximate Entropy           0.0000    0.0000    0.9867
Block Frequency               0.0000    0.0000    0.9933
Cusum                         0.0000    0.0000    0.9967
FFT                           0.0000    0.1867    1.0000
Frequency                     0.0000    0.0000    0.9967
Longest Run                   0.0000    0.9300    0.9867
Linear Complexity             0.7866    0.9900    0.9867
Non-overlapping Template      0.0000    0.6600    0.9933
Overlapping Template          0.0000    0.6600    0.9933
Runs                          0.0000    0.0000    0.9933
Serial                        0.0000    0.6567    0.9867
Rank                          0.0000    0.9867    0.9867
Random Excursions             0.0000    0.0000    0.9091
Random Excursions Variant     0.0000    0.0000    1.0000
Lempel-Ziv                    0.0000    0.0000    0.0000

According to the results in Table 4.9, for 14 tests, Serpent-1's round 1 outputs give all failure. Only for 1 test, which is the Linear Complexity test, do Serpent-1's round 1 outputs give a success proportion of 0.7866. Again, this can be caused by the chosen test parameter. Thus, it can be concluded that Serpent-1's round 1 outputs are non-random.

For 9 tests, Serpent-1's round 2 outputs give all failure. The outputs pass the Longest Run, Linear Complexity, Non-overlapping Template, Overlapping Template, Serial and Rank tests. The outputs give a success proportion above 0.6000. Again, Serpent-1's round 2 outputs can be flagged as suspect.

On the other hand, Serpent-1's round 3 outputs give a success proportion between 0.9091 and 1.0000 for all tests except the Universal and Lempel-Ziv tests. Also, for 2 tests, Discrete Fourier Transform and Random Excursions Variant, the outputs give a 100% success rate. From these observations, it can be decided that Serpent-1's round 3 outputs are random according to the results of the NIST Statistical Test Suite.

4.5.3 Partial Round Testing For Serpent-p

The results of partial round testing of Serpent-p are given below.

For outputs of round 1: The maximum number of 0's is equal to 64327, so the minimum number of 1's is equal to 1209; and the maximum number of 1's is equal to 1287, so the minimum number of 0's is equal to 64249. It can be observed from the above result that 0's and 1's are not distributed equally in the outputs. This can be evidence for non-randomness.

For outputs of round 2: The maximum number of 0's is equal to 62513, so the minimum number of 1's is equal to 3023; and the maximum number of 1's is equal to 3368, so the minimum number of 0's is equal to 62168. Again, 0's and 1's are not distributed equally in the outputs.

For outputs of round 3: The maximum number of 0's is equal to 58979, so the minimum number of 1's is equal to 6557; and the maximum number of 1's is equal to 7456, so the minimum number of 0's is equal to 58080.

Test results of partial rounds of Serpent-p's output are given in Table 4.10. The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test.

Table 4.10: Test Results of Partial Round Serpent-p's Output
                              Success Proportion
Test                          Round 1   Round 2   Round 3
Approximate Entropy           0.0000    0.0000    0.0000
Block Frequency               0.0000    0.0000    0.0000
Cusum                         0.0000    0.0000    0.0000
FFT                           0.0000    0.0000    0.0000
Frequency                     0.0000    0.0000    0.0000
Longest Run                   0.0000    0.0000    0.0000
Linear Complexity             0.0033    0.9233    0.9900
Non-overlapping Template      0.0000    0.0000    0.0000
Overlapping Template          0.0000    0.0000    0.0000
Runs                          0.0000    0.0000    0.0000
Serial                        0.0000    0.0000    0.0000
Rank                          0.0000    0.0000    0.0000
Random Excursions             0.0000    0.0000    0.0000
Random Excursions Variant     0.0000    0.0000    0.0000
Lempel-Ziv                    0.0000    0.0000    0.0000

According to the results in Table 4.10, for 14 tests, Serpent-p's round 1 outputs give all failure. Only for 1 test, which is the Linear Complexity test, do Serpent-p's round 1 outputs give a success proportion of 0.0033. But this success proportion is low. Hence, Serpent-p's round 1 outputs can be flagged as suspect.

As with Serpent-p's round 1 outputs, all tests except the Linear Complexity test give all failure for Serpent-p's round 2 outputs. The Linear Complexity test gives a success proportion of 0.9233. Thus, Serpent-p's round 2 can be flagged as suspect, too.

In addition, as with Serpent-p's round 1 and round 2 outputs, the round 3 outputs give a success proportion of 0.9900 only for the Linear Complexity test. The other tests give failure. It can be decided that Serpent-p's round 3 outputs are non-random.

4.5.4 Partial Round Testing For Serpent-p-ns

The results of partial round testing of Serpent-p-ns are given below.

For outputs of round 1: The maximum numbers of 0's and 1's are equal to 64 and 77, respectively, and the minimum numbers of 0's and 1's are equal to 51 and 64, respectively.

For outputs of round 2: The maximum numbers of 0's and 1's are equal to 74 and 75, respectively, and the minimum numbers of 0's and 1's are equal to 53 and 54, respectively.

For outputs of round 3: The maximum numbers of 0's and 1's are equal to 71 and 78, respectively, and the minimum numbers of 0's and 1's are equal to 50 and 57, respectively.

Test results of partial rounds of Serpent-p-ns's output are given in Table 4.11. The Universal test is not applicable for the chosen sample data since the selected test parameters are not appropriate for this test.

Table 4.11: Test Results of Partial Round Serpent-p-ns Output
                              Success Proportion
Test                          Round 1   Round 2   Round 3
Approximate Entropy           0.0000    0.0000    0.0000
Block Frequency               0.0000    0.0000    0.0000
Cusum                         0.0000    0.0000    0.0000
FFT                           0.0000    0.0000    0.0000
Frequency                     0.0000    0.0000    0.0000
Longest Run                   0.0000    0.0000    0.0000
Linear Complexity             0.0033    0.9133    0.9933
Non-overlapping Template      0.0000    0.0000    0.0000
Overlapping Template          0.0000    0.0000    0.0000
Runs                          0.0000    0.0000    0.0000
Serial                        0.0000    0.0000    0.0000
Rank                          0.0000    0.0000    0.0000
Random Excursions             0.0000    0.0000    0.0000
Random Excursions Variant     0.0000    0.0000    0.0000
Lempel-Ziv                    0.0000    0.0000    0.0000

According to the results in Table 4.11, for 14 tests, Serpent-p-ns round 1 outputs give all failure. Only for 1 test, which is the Linear Complexity test, do Serpent-p-ns round 1 outputs give a success proportion of 0.0033. But this success proportion is low. Hence, Serpent-p-ns round 1 outputs can be flagged as suspect.

As with the Serpent-p-ns round 1 outputs, all tests except the Linear Complexity test give all failure for Serpent-p-ns round 2 outputs. The Linear Complexity test gives a success proportion of 0.9133. Thus, Serpent-p-ns round 2 can be flagged as suspect, too.

In addition, as with the Serpent-p-ns round 1 and round 2 outputs, the round 3 outputs give a success proportion of 0.9933 only for the Linear Complexity test. The other tests give failure. It can be decided that Serpent-p-ns round 3 outputs are non-random.

4.6 Comparison of Test Results

Comparing the randomness test results, the full round outputs of all Serpent Cipher versions pass all of the statistical tests except the Universal test. The Universal test cannot be applied since the given test parameters are not appropriate for this test. The comparison of the full round outputs of the Serpent Cipher versions is given in Table 4.12.

Table 4.12: Comparison of Test Results of Serpent Cipher Versions' Full Round Outputs
Serpent-0
  Failure: No failure proportion
  Success: All sequences give success proportion above 0.9000
Serpent-1
  Failure: No failure proportion
  Success: All sequences give success proportion above 0.9000
Serpent-p
  Failure: No failure proportion
  Success: All sequences give success proportion above 0.9000
Serpent-p-ns
  Failure: No failure proportion
  Success: All sequences give success proportion above 0.9000

The comparison of the round 1 outputs of the Serpent Cipher versions is given in Table 4.13.

Table 4.13: Comparison of Test Results of Serpent Cipher Versions' Round 1 Outputs
Serpent-0
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.6999 success proportion.
Serpent-1
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.7866 success proportion.
Serpent-p
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.0033 success proportion.
Serpent-p-ns
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.0033 success proportion.

The comparison of the round 2 outputs of the Serpent Cipher versions is given in Table 4.14.

Table 4.14: Comparison of Test Results of Serpent Cipher Versions' Round 2 Outputs
Serpent-0
  Failure: Frequency, Block Frequency, Cusum, Runs, App. Entropy, Serial give failure.
  Success: Longest Run 0.9433, Rank 0.9900, FFT 0.1867, Linear Complexity 0.9867
Serpent-1
  Failure: Frequency, Block Frequency, Cusum, Runs, App. Entropy, FFT give failure.
  Success: Longest Run 0.9300, Rank 0.9867, Serial 0.6567, Linear Complexity 0.9900
Serpent-p
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.9233 success proportion.
Serpent-p-ns
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.9133 success proportion.

The comparison of the round 3 outputs of the Serpent Cipher versions is given in Table 4.15.

Table 4.15: Comparison of Test Results of Serpent Cipher Versions' Round 3 Outputs
Serpent-0
  Failure: Lempel-Ziv gives failure.
  Success: All tests give success proportion between 0.9286 and 0.9967 value.
Serpent-1
  Failure: Lempel-Ziv gives failure.
  Success: All tests give success proportion between 0.9091 and 0.9967 value.
Serpent-p
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.9900 success proportion.
Serpent-p-ns
  Failure: All sequences give failure for all tests.
  Success: Only Linear Complexity test gives 0.9933 success proportion.

According to the randomness testing experiments:

1. The perturbed random plaintext is observed to be non-random.

2. For the full round outputs of the Serpent Cipher's versions, randomness is evident.

3. Round 1 outputs of all Serpent Cipher's versions are flagged as suspect.

4. Round 2 outputs of all Serpent Cipher's versions are flagged as suspect.

5. Randomness can be observed in the round 3 outputs of Serpent-0 and Serpent-1. However, the round 3 outputs of Serpent-p and Serpent-p-ns are flagged as suspect.

Chapter 5 Conclusion
Serpent was a candidate for the Advanced Encryption Standard. It has known its cryptographic strengths against the known attacks such as; Dierential cryptanalysis and Linear cryptanalysis. This project contains results and observations of the cryptographic properties of the Serpents s-boxes and also randomness testing of the cipher outputs. As a conclusion, according to the observations Serpents s-boxes have good cryptographic properties. First of all, each linear characteristic of Serpents s-boxes has a probability in the range
1 2

1 . This means that the probability bias is 4

1 4

for each s-boxes and for nding

a linear characteristic, too much known plaintexts are required. Also, a linear relation between one single bit in the input and one single bit in the output has a probability in the range
1 2 1 8.

In addition, each dierential characteristic of Serpents s-boxes has a probability at most 1 , and one-bit input dierence never lead to one-bit output dierence. 4 According to these results although there are some weakness of the Serpents sboxes, these s-boxes have good cryptographic properties against the known attacks. At the same time, for all of the outputs of Serpent Ciphers versions, randomness tests are done using NIST Statistical Test Suite. According to the randomness test results, Serpent-0 and Serpent (Serpent-1) can be observed random rst at the third round. Although, Serpent-p and Serpent-p-ns is the upgrade versions of Serpent, their round 1, round 2 and round3 outputs are agged as suspect. However, full round outputs of Serpent-p and Serpent-p-ns can be observed random.


Appendix A
A.1 Linear Approximation Tables (LAT) of Serpent's S-boxes
Maximum values of LAT Tables of Serpent's S-boxes
The maximum value of LAT Table of S-box 0 = 4.
The maximum value of LAT Table of S-box 1 = 4.
The maximum value of LAT Table of S-box 2 = 4.
The maximum value of LAT Table of S-box 3 = 4.
The maximum value of LAT Table of S-box 4 = 4.
The maximum value of LAT Table of S-box 5 = 4.
The maximum value of LAT Table of S-box 6 = 4.
The maximum value of LAT Table of S-box 7 = 4.

Table A.1: LAT Table of the S-box 0


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 -2 +2 0 0 +2 -2 0 -2 0 +4 -2 -2 -4 0 -2 2 0 -2 -2 -4 0 -2 +2 0 -2 0 0 +2 +2 -4 0 +2 3 4 5 6 7 8 9 10 0 0 0 0 0 0 0 0 0 -2 0 0 -2 0 -2 +2 0 0 +2 +2 +4 0 -2 -2 0 +2 -2 -2 -2 0 -4 0 0 0 0 0 0 0 0 0 +4 -2 -4 0 +2 0 +2 +2 0 0 -2 -2 +4 -4 -2 -2 -4 +2 -2 +2 +2 +4 0 0 0 +2 0 0 +2 0 -2 +2 0 0 +4 -4 0 0 0 0 0 +2 -2 -2 -2 0 0 -4 0 +4 -2 -2 0 0 +2 +2 +4 +2 0 +4 -2 0 -2 -2 0 0 0 0 0 0 +4 -4 +4 +2 +2 -2 +2 +4 0 0 0 -4 -2 -2 0 +4 -2 -2 11 12 13 14 0 0 0 0 +4 -2 0 -4 +4 0 -2 +2 0 +2 +2 +2 0 +4 -4 -4 0 +2 0 0 0 0 +2 -2 0 +2 +2 -2 -4 -2 -4 0 0 +4 0 0 0 -2 -2 -2 +4 0 -2 +2 0 +2 0 0 0 0 0 0 0 -2 +2 -2 0 0 -2 +2 15 0 +2 0 -2 -4 +2 0 +2 +2 +4 +2 0 +2 0 -2 0

Table A.2: LAT Table of the S-box 1


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 3 4 5 0 0 0 0 0 -2 -2 -4 0 -2 -2 -2 0 0 +2 0 0 0 0 0 0 -2 +2 0 0 +2 0 -2 0 +2 -2 0 +2 0 -2 -4 +2 +2 0 +4 0 0 0 0 +4 -2 +2 0 0 +2 +2 +2 +4 0 -2 -4 -4 0 0 0 0 -2 +2 +4 0 +2 -4 +2 +4 +2 +2 0 -2 -4 +2 0 -2 +2 -4 0 6 0 +2 +2 +4 +2 0 -4 +2 0 -2 +2 0 -2 0 0 +2 7 0 0 +4 -4 -2 -2 -2 +2 -4 0 0 0 -2 +2 +2 +2 8 9 10 11 12 13 14 15 0 0 0 0 0 0 0 0 +2 0 0 -2 +2 0 -4 +2 0 -2 -2 +4 0 -2 +2 0 0 0 0 0 -4 -4 0 0 -2 -2 0 -4 +2 +2 0 -4 0 +2 +4 +2 +4 -2 0 -2 0 -2 +4 -2 0 -2 0 +2 +2 -2 0 0 +2 -2 0 0 0 0 0 0 0 +4 0 +4 -2 +4 0 -2 -2 0 -4 -2 -2 0 0 +2 +2 0 -4 +2 -4 0 0 +4 0 0 0 0 +2 +2 -4 0 +2 -2 0 0 0 +2 0 -2 0 -2 0 +2 -4 -2 0 -2 0 -2 0 +2 +2 +2 +4 0 -2 +2 0 0


Table A.3: LAT Table of the S-box 2


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 +4 -4 0 0 +4 +4 2 0 0 +2 +2 +2 -2 0 +4 -2 -2 0 0 0 +4 -2 +2 3 0 0 +2 +2 -2 +2 -4 0 +2 +2 0 0 0 +4 +2 -2 4 0 0 +2 +2 -2 -2 0 0 0 +4 -2 +2 +2 -2 0 +4 5 0 +4 -2 +2 -2 +2 +4 0 0 0 -2 -2 +2 +2 0 0 6 0 0 0 0 +4 0 0 -4 +2 -2 -2 +2 +2 +2 +2 +2 7 0 +4 +4 0 0 0 0 0 -2 -2 +2 +2 +2 -2 +2 -2 8 9 10 11 12 13 14 15 0 0 0 0 0 0 0 0 0 -4 0 +4 0 0 0 0 0 0 -2 -2 +2 -2 +4 0 0 +4 -2 +2 +2 -2 -4 0 0 0 -2 +2 -2 -2 0 -4 -4 0 -2 -2 +2 +2 0 -4 0 0 0 -4 0 -4 0 0 -4 0 0 0 -4 0 0 0 -2 -2 -4 0 -2 -2 0 +4 +2 -2 0 0 -2 -2 0 -4 +2 -2 -2 -2 0 0 -4 0 -2 -2 +2 -2 0 0 -4 0 +2 +2 -2 -2 -4 +4 0 0 +2 -2 +2 -2 0 0 0 0 -2 +2 +4 0 -2 -2 0 0 -2 -2 0 0 +2 +2 0 0

Table A.4: LAT Table of the S-box 3


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 +2 -2 +4 0 -2 -2 0 0 +2 +2 0 0 -2 +2 +4 2 0 0 +2 +2 +2 -2 0 +4 0 0 +2 +2 -2 +2 -4 0 3 0 -2 0 +2 +2 0 -2 0 +4 +2 0 +2 +2 0 +2 -4 4 0 0 0 0 +2 +2 -2 -2 +2 -2 -2 +2 0 +4 0 +4 5 6 7 8 9 10 11 0 0 0 0 0 0 0 +2 -4 +2 0 +2 0 -2 +2 +2 -4 -2 0 0 +2 0 -2 +2 -2 -2 0 +4 +2 0 0 0 +4 +2 -2 0 0 +2 0 +2 -2 +4 0 +2 +4 +2 0 +2 0 +2 +2 +2 +2 +2 -2 +2 -2 +2 +2 -2 +2 -2 -2 -4 +2 0 +2 0 +2 0 0 0 -2 0 +2 +2 0 +2 0 0 +4 -4 -2 -2 +4 +2 +2 -2 -2 +4 0 -2 -2 0 +2 0 +4 +2 +2 0 -2 +4 +2 0 +2 0 +4 0 0 0 0 0 12 0 0 +2 +2 +2 +2 +4 -4 0 0 +2 +2 -2 -2 0 0 13 14 15 0 0 0 +2 +4 +2 0 +4 +2 -2 0 0 -2 0 -4 +4 0 -2 -2 0 +2 0 0 0 0 0 +4 +2 +4 -2 +4 -4 +2 + 0 0 +2 0 0 0 0 +2 -2 0 +2 0 0 0


Table A.5: LAT Table of the S-box 4


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 +4 -4 0 0 0 0 0 -4 0 0 -4 2 3 4 5 6 0 0 0 0 0 +2 +2 +2 -2 0 +2 -2 0 0 +2 0 -4 +2 -2 -2 0 0 +2 +2 -2 +2 -2 0 0 +2 -2 -2 -2 +2 0 -4 0 +4 0 0 0 +4 +2 -2 +2 +2 -2 0 0 -2 +2 +2 -2 +2 0 0 0 -4 -4 0 0 0 0 0 +4 +2 -2 +2 +2 +4 -2 -2 0 -4 +2 +4 0 +2 -2 -2 7 0 -4 -2 -2 -2 +2 0 0 +2 +2 -4 0 0 0 -2 +2 8 0 0 0 0 +2 +2 +2 +2 0 -4 0 +4 -2 +2 -2 +2 9 0 0 0 0 -2 +2 +2 -2 0 -4 0 -4 -2 -2 +2 +2 10 11 12 13 0 0 0 0 -2 -2 -2 +2 +2 -2 +4 +4 -4 0 +2 -2 +2 -2 0 -4 0 0 +2 -2 0 -4 0 0 +2 +2 +2 +2 0 -4 +2 -2 +2 -2 0 0 +2 +2 +2 -2 0 0 0 0 -2 +2 +2 -2 0 0 -4 0 +4 0 -2 -2 +2 +2 0 0 14 15 0 0 0 -4 -2 +2 +2 +2 -4 0 0 -4 +2 -2 +2 -2 +2 +2 +2 -2 +4 0 0 0 -2 -2 +2 +2 0 0 0 0

Table A.6: LAT Table of the S-box 5


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 3 0 0 0 0 0 0 0 0 0 0 +4 +4 0 -2 +2 +4 -2 -2 -4 +2 +2 0 -2 +2 0 0 0 0 0 0 0 0 0 0 -4 +4 -4 -2 -2 0 -2 +2 0 +2 -2 -4 -2 -2 4 0 -2 -2 0 +2 0 0 +2 0 +2 -2 -4 -2 0 -4 +2 5 0 +2 +2 0 +2 0 0 +2 0 -2 +2 -4 +2 +4 0 -2 6 7 0 0 +2 -2 -2 +2 0 0 0 +4 +2 -2 +2 -2 +4 0 -4 -4 +2 -2 +2 -2 0 0 0 0 -2 -2 +2 +2 0 0 8 0 0 +2 -2 0 0 +2 -2 -2 +2 0 0 +2 -2 -4 -4 9 0 +4 +2 +2 0 0 -2 +2 +2 +2 -4 0 +2 -2 0 0 10 11 12 13 14 15 0 0 0 0 0 0 0 +4 +2 +2 -2 -2 +2 +2 0 -4 0 +4 +2 -2 +2 -2 +2 -2 +2 -2 +2 +2 -4 0 +2 -2 +4 0 +2 +2 0 0 +2 +2 0 +4 0 0 -4 0 +2 +2 +2 -2 -2 +2 -2 +2 -2 -2 0 -4 -4 0 +4 0 -2 -2 -2 -2 0 0 0 0 0 0 0 -4 0 0 +2 -2 -4 0 +2 -2 0 0 -2 -2 0 0 -2 +2 +2 +2 +2 -2 0 0


Table A.7: LAT Table of the S-box 6


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 0 0 +2 0 0 0 -2 0 -2 0 0 0 +2 -4 0 -4 +2 0 0 0 +2 0 -4 0 0 0 -2 0 -4 -4 -2 +4 3 4 5 0 0 0 -2 -2 0 0 0 0 +2 -2 +4 -2 -2 0 +4 0 -4 -2 +2 0 0 -4 0 +2 -2 0 +4 0 0 +2 +2 +4 0 +4 0 0 0 +4 +2 -2 0 0 0 0 -2 -2 0 6 7 8 9 0 0 0 0 +2 0 -2 -4 0 0 0 0 +2 +4 -2 0 +2 -4 0 -2 0 0 +2 -2 +2 0 0 +2 0 0 +2 -2 -2 0 +2 0 +4 0 0 0 +2 -4 +2 0 0 0 0 -4 -4 0 +2 -2 -2 -4 -4 +2 0 0 +2 +2 +2 0 +4 +2 10 0 -2 -4 +2 0 +2 0 +2 -2 -4 +2 0 -2 0 -2 0 11 12 13 0 0 0 0 0 -2 +4 0 0 0 0 +2 -2 +2 +4 +2 +2 +2 +2 -2 +4 +2 -2 -2 -4 -4 +2 0 0 0 0 0 -2 0 -4 0 +2 +2 +2 +2 -2 0 -2 +2 -2 +2 -2 0 14 15 0 0 +4 -2 -4 -4 0 -2 -2 0 +2 -2 +2 0 -2 +2 0 -2 0 +4 0 -2 0 0 +2 +2 +2 0 +2 -2 +2 0

Table A.8: LAT Table of the S-box 7


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 -2 -2 0 0 -2 -2 0 0 +2 +2 0 -4 -2 -2 +4 2 3 4 5 6 0 0 0 0 0 0 -2 -2 0 +2 +2 0 0 -2 +2 -2 -2 +2 -2 +4 +2 +2 -2 +2 0 -2 +4 0 -2 +2 0 -2 -2 0 -2 0 0 +4 +4 0 0 0 +2 +2 +2 -4 -2 0 -2 0 +2 -4 -2 0 0 +2 +2 0 -4 -2 +2 -2 0 0 +2 +2 0 +2 0 0 0 -2 +4 -2 -4 +4 0 +2 -2 +2 7 0 -4 0 0 -4 0 0 0 +2 -2 +2 +2 +2 -2 -2 -2 8 0 0 0 0 0 0 +4 +4 -2 +2 -2 +2 +2 -2 -2 +2 9 0 -2 -2 0 0 -2 +2 -4 +2 0 -4 -2 +2 0 0 +2 10 11 12 13 0 0 0 0 0 -2 +2 +4 -2 +4 0 -2 +2 +2 -2 +2 +2 +2 +2 -2 -2 -4 0 -2 0 -2 -2 0 0 0 0 0 +2 -2 +4 0 +2 0 +2 -4 0 -2 0 -2 +4 0 +2 +2 0 0 +2 -2 +4 -2 -4 -2 -2 0 +2 0 -2 -2 0 0 14 15 0 0 -2 0 -2 -4 +4 0 +4 0 +2 0 +2 -4 0 0 0 -4 -2 0 +2 0 0 0 0 +4 -2 0 +2 0 0 0


A.2 Difference Distribution Tables (XOR) of Serpent's S-boxes
Maximum values of XOR Tables of Serpent S-boxes
The maximum value of XOR Table of S-box 0 = 4.
The maximum value of XOR Table of S-box 1 = 4.
The maximum value of XOR Table of S-box 2 = 4.
The maximum value of XOR Table of S-box 3 = 4.
The maximum value of XOR Table of S-box 4 = 4.
The maximum value of XOR Table of S-box 5 = 4.
The maximum value of XOR Table of S-box 6 and S-box 7 = 4.

Table A.9: XOR Table of the S-box 0
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 2 0 0 0 0 0 2 0 0 0 0 0 2 0 2 0 2 0 2 0 0 0 2 0 2 2 3 4 5 6 0 0 0 0 0 0 2 0 2 2 0 0 0 0 0 2 2 0 0 0 0 0 0 0 0 2 0 4 2 0 2 4 0 2 2 2 0 4 2 0 0 2 0 2 2 2 0 0 2 2 2 2 0 0 0 2 0 0 2 2 0 0 4 0 2 0 4 0 0 0 0 0 4 0 2 2 0 0 2 2 7 8 9 10 11 0 0 0 0 0 2 0 0 0 2 0 0 2 2 0 2 0 4 0 2 0 0 4 4 0 0 2 0 2 2 4 0 0 0 0 0 2 2 0 2 2 0 0 0 2 0 0 2 2 0 2 0 0 4 2 0 0 0 0 0 0 2 2 0 2 4 4 0 0 0 0 2 0 2 2 0 4 0 0 0 12 13 0 0 2 0 4 2 2 0 0 4 0 0 0 0 0 2 2 4 0 2 2 0 4 0 0 2 0 0 0 0 0 0 14 0 4 2 0 4 2 0 0 0 2 0 0 0 0 2 0 15 0 0 4 0 0 0 0 0 0 0 0 4 0 4 0 4


Table A.10: XOR Table of the S-box 1


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 2 0 0 0 4 0 2 0 2 0 4 2 3 4 5 6 0 0 0 0 0 0 2 0 2 2 0 2 0 2 0 2 2 0 4 0 0 0 0 0 4 2 0 0 2 0 2 0 0 2 2 2 2 0 4 0 0 0 0 0 2 0 0 4 0 2 0 4 4 0 0 2 2 0 0 2 2 2 0 0 0 4 0 4 0 2 0 0 4 0 0 0 0 0 0 0 7 8 9 10 11 0 0 0 0 0 2 0 2 2 2 0 0 2 2 2 0 2 2 0 0 4 0 0 0 0 0 2 0 2 2 2 2 0 2 2 0 2 2 0 0 2 0 0 0 0 0 0 4 2 0 2 0 0 2 0 2 2 2 0 0 0 2 2 0 4 0 0 0 2 0 2 4 0 2 0 0 0 0 0 4 12 13 0 0 0 0 2 2 0 0 4 4 2 2 0 0 0 0 2 2 0 2 2 0 2 2 0 0 0 2 2 0 0 0 14 0 0 0 4 0 0 0 4 4 0 0 0 0 0 0 4 15 0 2 2 0 0 2 2 0 4 0 0 0 0 0 0 4

Table A.11: XOR Table of the S-box 2


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 4 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 4 0 0 0 4 0 0 0 0 2 3 4 5 6 0 0 0 0 0 0 0 0 2 0 0 4 0 4 0 2 0 0 0 2 0 0 0 0 4 0 2 2 2 2 2 2 2 2 0 0 0 4 2 0 0 2 0 2 0 0 2 0 0 0 2 0 2 0 4 0 0 2 0 2 2 0 2 0 0 2 2 0 2 2 2 0 2 0 0 4 2 0 0 0 7 8 9 10 11 0 0 0 0 0 2 0 0 2 2 0 0 4 0 0 0 0 2 0 0 0 0 0 4 4 0 2 0 0 0 0 2 2 0 0 2 0 0 2 2 4 0 2 0 0 2 4 2 2 2 0 2 0 4 0 0 2 2 0 0 0 2 0 0 4 0 0 0 0 0 4 2 0 0 0 2 0 2 2 2 12 13 0 0 2 0 0 0 2 0 0 4 2 0 0 0 2 0 0 4 2 0 0 0 2 0 0 4 2 0 0 4 2 0 14 0 4 0 2 0 0 2 0 0 0 2 0 2 2 2 0 15 0 2 4 2 0 0 2 2 2 0 0 2 0 0 0 0


Table A.12: XOR Table of the S-box 3


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 0 0 0 0 2 0 2 0 0 0 0 0 2 0 0 0 2 0 2 0 2 0 4 0 0 2 3 4 5 6 0 0 0 0 0 0 2 0 4 2 0 0 0 2 0 2 2 4 0 0 0 0 0 0 4 0 2 0 0 0 0 2 0 0 2 2 4 4 2 0 0 2 0 0 2 2 2 0 0 2 2 0 2 0 2 2 0 2 2 0 0 0 2 0 2 2 0 2 4 0 2 0 0 2 0 2 0 0 0 0 7 8 9 10 11 0 0 0 0 0 0 0 0 0 2 2 0 2 4 2 0 2 2 0 0 4 0 0 2 2 0 2 2 2 2 2 4 0 0 0 0 0 2 0 0 0 0 2 0 0 0 2 0 2 2 2 0 4 0 2 0 0 2 2 0 2 4 0 2 0 2 0 0 0 0 0 0 0 0 2 2 2 0 2 2 12 13 0 0 2 2 0 0 0 0 2 2 2 0 2 0 0 0 2 4 0 0 2 0 2 2 0 0 0 4 0 2 2 0 14 0 0 0 0 0 2 0 2 4 0 0 0 2 0 2 4 15 0 2 4 4 0 0 2 0 0 2 0 0 0 0 2 0

Table A.13: XOR Table of the S-box 4


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 2 0 0 0 2 0 0 0 0 0 0 0 2 0 0 0 4 0 2 0 2 0 2 0 0 2 3 4 5 6 0 0 0 0 0 0 0 0 0 0 0 2 0 0 4 2 0 2 0 0 0 4 0 2 0 0 2 0 0 0 0 2 4 2 0 2 2 2 0 0 0 2 0 2 0 4 0 2 0 2 2 0 0 4 2 0 0 0 2 0 0 0 0 2 0 4 0 2 2 2 2 2 0 0 2 0 0 4 0 4 7 8 9 10 11 0 0 0 0 0 4 0 0 2 2 2 0 2 0 0 2 2 2 2 2 2 0 0 0 4 0 2 2 0 0 0 2 2 2 0 2 2 0 2 0 0 0 2 2 2 2 0 2 0 0 0 2 0 2 2 2 0 0 0 4 0 2 0 0 0 0 0 2 0 0 0 2 2 2 0 0 2 0 2 0 12 13 0 0 2 2 2 0 0 0 0 2 4 2 0 2 0 0 4 0 0 2 0 2 0 2 2 0 0 0 0 2 2 0 14 0 4 2 0 0 2 0 0 2 0 0 0 4 0 0 2 15 0 0 2 0 2 0 0 4 0 0 0 2 4 2 0 0


Table A.14: XOR Table of the S-box 5


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 2 0 0 0 2 0 2 0 2 0 0 0 0 0 2 0 4 0 0 0 2 0 0 0 0 2 3 4 5 6 0 0 0 0 0 0 2 0 2 4 0 0 0 0 2 0 2 2 0 0 0 0 0 2 0 2 0 0 2 2 2 2 0 0 4 0 2 2 2 0 0 2 0 0 2 2 0 0 4 0 2 2 2 0 0 0 0 0 2 0 2 2 4 2 0 2 2 0 0 0 2 0 2 0 0 2 0 4 0 2 7 8 9 10 11 0 0 0 0 0 0 0 2 2 2 2 0 0 2 2 2 4 0 0 0 2 0 4 0 4 0 0 0 0 0 2 0 2 0 0 0 4 0 0 0 0 0 2 0 0 2 2 0 2 2 0 2 0 2 2 2 0 0 0 4 2 0 2 2 0 2 2 2 2 0 0 2 2 2 0 0 0 0 2 0 12 13 0 0 0 0 0 4 2 2 0 2 0 0 0 0 2 0 4 2 2 0 0 2 0 2 0 0 2 0 0 2 4 0 14 0 2 4 0 0 4 2 0 2 0 0 0 0 0 0 2 15 0 0 0 0 2 4 0 2 2 0 0 2 0 0 4 0

Table A.15: XOR Table of the S-box 6


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 2 0 0 0 2 0 4 0 0 0 0 0 2 0 0 0 0 0 2 0 2 0 2 0 0 2 3 4 5 6 0 0 0 0 0 0 0 0 2 0 0 2 0 0 2 4 2 0 0 0 0 2 0 0 2 0 4 2 2 0 0 0 4 0 0 4 2 2 0 0 0 0 0 2 0 0 2 2 0 2 4 0 2 0 2 0 2 0 4 2 0 0 2 2 4 0 0 2 0 0 4 0 0 0 2 0 0 0 4 0 7 8 9 10 11 0 0 0 0 0 2 0 2 2 0 4 0 0 0 2 0 2 2 0 0 0 0 0 4 2 2 0 0 2 0 0 0 4 0 0 0 2 0 0 0 2 0 2 2 4 0 0 2 0 2 0 2 0 0 2 0 4 0 0 2 2 0 0 2 0 0 0 2 4 0 0 2 2 0 2 4 4 0 0 0 12 13 0 0 2 2 0 0 0 2 0 0 0 2 4 0 2 2 2 2 2 0 2 2 0 0 0 2 2 0 0 2 0 0 14 0 4 2 2 2 0 0 2 0 2 0 2 0 0 0 0 15 0 0 4 0 4 0 0 0 0 0 0 0 0 4 0 4


Table A.16: XOR Table of the S-box 7


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 16 0 0 0 0 0 0 2 0 0 0 0 0 2 0 4 0 0 0 2 0 0 0 4 0 2 0 0 0 0 0 0 2 3 4 5 6 0 0 0 0 0 0 4 0 0 4 0 2 0 2 0 2 0 0 2 2 0 0 0 2 0 2 2 4 0 0 4 2 0 2 2 0 2 0 0 0 0 2 0 0 2 0 0 2 4 0 0 0 2 0 0 2 0 0 0 0 0 0 0 0 2 2 0 2 2 0 4 2 2 2 2 0 0 4 0 2 7 8 9 10 11 0 0 0 0 0 0 0 2 2 0 0 0 0 0 2 0 2 0 2 0 2 0 2 0 2 0 0 2 2 0 0 2 2 0 0 2 0 0 2 0 4 0 2 2 2 0 0 0 2 0 2 4 0 0 4 2 2 0 0 4 0 2 2 2 0 2 2 2 2 0 0 0 0 0 2 2 2 2 0 0 12 13 0 0 2 0 4 2 0 2 2 2 0 2 0 0 0 0 0 2 2 2 0 2 0 2 2 0 0 0 0 0 4 0 14 0 0 4 0 2 0 0 2 0 2 2 0 4 0 0 0 15 0 2 0 2 2 2 0 4 0 0 0 0 0 2 2 0


Appendix B
B.1 Description of the Statistical Tests
1. Frequency (Monobit) Test: The purpose of this test is to determine whether the number of ones and zeros in a sequence are approximately the same as would be expected for a truly random sequence. The test assesses the closeness of the fraction of ones to $\frac{1}{2}$, that is, the number of ones and zeroes in a sequence should be about the same.

2. Block Frequency Test: The focus of the test is the proportion of ones within M-bit blocks. The purpose of this test is to determine whether the frequency of ones in an M-bit block is approximately $\frac{M}{2}$, as would be expected under an assumption of randomness. For block size M = 1, this test degenerates to test 1, the Frequency (Monobit) test.

3. Runs Test: The focus of this test is the total number of runs in the sequence, where a run is an uninterrupted sequence of identical bits. The purpose of the runs test is to determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence. In particular, this test determines whether the oscillation between such zeros and ones is too fast or too slow.

4. Long Runs of Ones Test: The focus of the test is the longest run of ones within M-bit blocks. The purpose of this test is to determine whether the length of the longest run of ones within the tested sequence is consistent with the length of the longest run of ones that would be expected in a random sequence.

5. Binary Matrix Rank Test: The focus of the test is the rank of disjoint submatrices of the entire sequence. The purpose of this test is to check for linear dependence among fixed length substrings of the original sequence.

6. Discrete Fourier Transform (Spectral) Test: The focus of this test is the peak heights in the Discrete Fourier Transform of the sequence. The purpose of this test is to detect periodic features (i.e., repetitive patterns that are near each other) in the tested sequence that would indicate a deviation from the assumption of randomness. The intention is to detect whether the number of peaks exceeding the 95 % threshold is significantly different than 5 %.

7. Non-overlapping Template Matching Test: The focus of this test is the number of occurrences of pre-specified target strings. The purpose of this test is to detect generators that produce too many occurrences of a given non-periodic (aperiodic) pattern. An m-bit window is used to search for a specific m-bit pattern. If the pattern is not found, the window slides one bit position. If the pattern is found, the window is reset to the bit after the found pattern, and the search resumes.

8. Overlapping Template Matching Test: The focus of the Overlapping Template Matching test is the number of occurrences of pre-specified target strings. Both this test and the Non-overlapping Template Matching test use an m-bit window to search for a specific m-bit pattern. If the pattern is not found, the window slides one bit position. The difference between overlapping and non-overlapping is that when the pattern is found, the window slides only one bit before resuming the search.

9. Maurer's Universal Statistical Test: The focus of this test is the number of bits between matching patterns (a measure that is related to the length of a compressed sequence). The purpose of the test is to detect whether or not the sequence can be significantly compressed without loss of information. A significantly compressible sequence is considered to be non-random.

10. Lempel-Ziv Compression Test: The focus of this test is the number of cumulatively distinct patterns (words) in the sequence. The purpose of the test is to determine how far the tested sequence can be compressed. The sequence is considered to be non-random if it can be significantly compressed. A random sequence will have a characteristic number of distinct patterns.

11. Linear Complexity Test: The focus of this test is the length of a linear feedback shift register (LFSR). The purpose of this test is to determine whether or not the sequence is complex enough to be considered random. Random sequences are characterized by longer LFSRs. An LFSR that is too short implies non-randomness.

12. Serial Test: The focus of this test is the frequency of all possible overlapping m-bit patterns across the entire sequence. The purpose of this test is to determine whether the number of occurrences of the $2^m$ m-bit overlapping patterns is approximately the same as would be expected for a random sequence. Random sequences have uniformity; that is, every m-bit pattern has the same chance of appearing as every other m-bit pattern.

13. Approximate Entropy Test: The focus of this test is the frequency of all possible overlapping m-bit patterns across the entire sequence. The purpose of the test is to compare the frequency of overlapping blocks of two consecutive/adjacent lengths (m and m+1) against the expected result for a random sequence.

14. Cumulative Sums (Cusum) Test: The focus of this test is the maximal excursion (from zero) of the random walk defined by the cumulative sum of adjusted (-1, +1) digits in the sequence. The purpose of the test is to determine whether the cumulative sum of the partial sequences occurring in the tested sequence is too large or too small relative to the expected behavior of that cumulative sum for random sequences.

15. Random Excursions Test: The focus of this test is the number of cycles having exactly K visits in a cumulative sum random walk. The cumulative sum random walk is derived from partial sums after the (0,1) sequence is transferred to the appropriate (-1, +1) sequence. The purpose of this test is to determine if the number of visits to a particular state within a cycle deviates from what one would expect for a random sequence. This test is actually a series of eight tests (and conclusions), one test and conclusion for each of the states: -4, -3, -2, -1 and +1, +2, +3, +4.

16. Random Excursions Variant: The focus of this test is the total number of times that a particular state is visited (i.e., occurs) in a cumulative sum random walk. The purpose of this test is to detect deviations from the expected number of visits to various states in the random walk. This test is actually a series of eighteen tests (and conclusions), one test and conclusion for each of the states: -9, -8, . . ., -1 and +1, +2, . . ., +9.
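To make tests 1 and 3 in the list above concrete, here is an added sketch of the Frequency (Monobit) and Runs tests following the formulas of NIST SP 800-22, together with the per-test success proportion over a batch of sequences. It is not the NIST suite's code or the project's; the 0.01 significance level is the NIST default and an assumption here, and the sample sequences are constructed, not cipher output.

```python
import math

ALPHA = 0.01  # significance level; NIST SP 800-22 default, assumed here


def to_bits(sequence):
    """Turn a string of '0'/'1' characters into a list of ints."""
    bits = [int(c) for c in sequence]
    if not bits or any(b not in (0, 1) for b in bits):
        raise ValueError("sequence must be a non-empty string of 0s and 1s")
    return bits


def frequency_p_value(sequence):
    """Frequency (Monobit) test: is the fraction of ones close to 1/2?"""
    bits = to_bits(sequence)
    s_n = sum(2 * b - 1 for b in bits)        # map 0/1 to -1/+1 and add up
    s_obs = abs(s_n) / math.sqrt(len(bits))
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(sequence):
    """Runs test: is the oscillation between zeros and ones too fast or slow?"""
    bits = to_bits(sequence)
    n = len(bits)
    pi = sum(bits) / n
    # Prerequisite from SP 800-22: an unbalanced sequence fails outright.
    # The second condition guards the division below for short constant inputs.
    if abs(pi - 0.5) >= 2 / math.sqrt(n) or pi in (0.0, 1.0):
        return 0.0
    v_obs = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return math.erfc(abs(v_obs - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def success_proportion(test, sequences, alpha=ALPHA):
    """Fraction of sequences whose p-value is at least alpha."""
    return sum(test(seq) >= alpha for seq in sequences) / len(sequences)


# Constructed 100-bit samples: alternating bits, all zeros, paired bits,
# and a repeated 10-bit pattern with 60 % ones.
SAMPLES = ["01" * 50, "0" * 100, "0011" * 25, "1011010101" * 10]

if __name__ == "__main__":
    for name, test in (("frequency", frequency_p_value), ("runs", runs_p_value)):
        print(name, [round(test(s), 6) for s in SAMPLES],
              "success proportion:", success_proportion(test, SAMPLES))
```

Three of the four constructed samples pass the Frequency test while only one passes the Runs test, which is why the suite reports a success proportion per test rather than a single verdict.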
