New Mersenne Number Transform Diffusion Power Analysis

Problem statement: Due to significant developments in processing power and parallel processing technologies, the existing encryption algorithms are increasingly susceptible to attacks, such as side-channel attacks, for example. Designing new encryption algorithms that work efficiently on different platforms and security levels to protect the transmitted data from any possible attacks is one of the most important issues in today's information and network security. The aim is to find more secure, reliable and flexible systems that can run as a ratified standard, with reasonable computational complexity for a sufficient service time. To expand the longevity of the algorithm, it is important that it be designed to work efficiently on a variety of block sizes and key lengths according to the security demand. A sensible solution is the suggested use of a parameter transform. Approach: The present study evaluates the appropriateness of the New Mersenne Number Transform for security applications by analyzing and estimating its avalanche and diffusion power. Results: The results confirm that the transform in general reflects good avalanche characteristics that are for most cases over 50% and can be up to 100%. The lower bound can be further improved by increasing the modulus and/or the transform length. Conclusion: This New Mersenne Number Transform is highly flexible and adaptable for this application. It can be involved in the design of a secure cryptosystem for the following reasons: changing a single input element makes drastic changes in the output elements and vice versa (sensitivity), and it provides variable block size and key length (parameterization). It has a long transform length (power of two), is error free and its inverse is the same with a scale factor of (1/N), which simplifies implementation of both encryption and decryption. Finally, it is appropriate for real time implementations such as fast algorithms, which can be applied to it, to speed up processing.


INTRODUCTION
introduced two main principles for designing secure cryptographic systems: confusion and diffusion. Substitution is one of the processes of confusion, in which the elements of the plaintext are mapped into other elements in order to complicate the relationship between the plaintext and the corresponding cipher text; its strength depends on the strength of the non-linear properties of the applied substitution box (S-box). Diffusion is the process that rearranges the plaintext into the cipher text. Accordingly, how influential the diffusion process is can be measured by how the plaintext is redistributed across the cipher text. Additionally, a small change in the influencer of the diffusion process (such as the key or the plaintext itself) should have a significant impact on the resulting cipher text. This effect is called the avalanche effect, and a system is considered to have good avalanche characteristics if roughly half of the output data is affected by a single input change. Hence this impact is important to verify that the system is resilient to statistical attacks (Feistel, 1973; Heys and Tavares, 1995).
However, since differential (Biham and Shamir, 1991) and linear (Matsui, 1994) cryptanalysis were introduced, designing the diffusion part of algorithms by relying only on element transposition or permutation is no longer secure, and such algorithms become subject to attacks. Hence more sophisticated techniques have been involved to improve and strengthen the diffusion part, such as the use of transforms. For instance, in the Twofish algorithm (Schneier, 1999), a fixed transform, a (4×4) Maximum Distance Separable (MDS) matrix over the Galois field GF($2^8$), is utilized: at each round an input vector of four bytes in length is multiplied by the MDS matrix over GF($2^8$). An MDS matrix in hexadecimal form is given in (1) (Schneier, 1999) Eq. 1:
In the current state of the art, the Advanced Encryption Standard (AES) algorithm (Daemen and Rijmen, 2002), which was announced by the National Institute of Standards and Technology (NIST) as U. S. Federal Information Processing Standards Publications 197 (FIPS PUB 197) on November 26, 2001 (FIPS197, 2001), uses a transform called mix columns for diffusion purposes. The columns of the state are considered as polynomials over GF($2^8$) and a mix columns operation is undertaken by multiplying the columns modulo ($x^4+1$) with a fixed polynomial c(x). For inverse mix columns, the fixed polynomial d(x) is used instead. The c(x) and d(x) in hexadecimal values are given in (2) and (3) respectively (Daemen and Rijmen, 2002) Eq. 2 and 3:
These transforms are powerful in diffusing data. However, their lengths are fixed for these dedicated algorithms. The disadvantage of this is that there is a need for an alternative algorithm should the key length or block size become insufficient to suit the security requirements, due to future increases in processor power and parallel processing technologies, as was the case with the previous standard, the Data Encryption Standard (DES) algorithm (FIPS_PUB_46-2, 1977). Accordingly, a practical solution is the use of a parameter-based transform such that the key length and/or the block size can be changed by changing the transform size to adhere to the required level of security, i.e., a revision free algorithm, ensuring practical usage for the proposed lifespan.
In this study, a parameter-based New Mersenne Number Transform (NMNT) has been considered for security applications by evaluating its diffusion power and avalanche characteristics.
Consider that the diffusion power of the algorithm in the design is very important, as the number of rounds for any iterated block cipher cryptosystem is inversely proportional to that value. Accordingly, building round functions with a higher diffusion rate will likely result in an efficient algorithm with a lesser number of rounds, which improves system performance, regarding speed and complexity.

New Mersenne Number Transform (NMNT):
NMNT is one of the Number Theoretic Transform (NTT) family. NTTs use modular arithmetic operations on a field or ring of integers, without the errors inherent to normal floating-point operations, such as those found in the Discrete Fourier Transform (DFT) for example. NTTs have wide applications in different areas including digital signal processing (Agarwal, 1980), digital filtering (Agarwal and Burrus, 1974; Boussakta and Holt, 1994), image processing (Boussakta and Holt, 1999), decoding (Reed et al., 1978) and cryptography (Yang et al., 2010; Yang and Boussakta, 2008).
In the field of cryptography, NTTs are mainly used to improve the diffusion of the algorithm, in addition to other relevant applications in digital image information hiding (Yanqun and Qianping, 2009). The NMNT has been previously involved in the design of a cryptosystem by utilizing a cascade of such a transform with different transform lengths to ensure a high diffusion rate throughout the processing (Yang et al., 2010). The NMNT is defined modulo the Mersenne numbers (Mp). A detailed description of the transform can be found in Boussakta and Holt (1992; 1995). The transform can be used in one or multiple dimensions (Boussakta and Holt, 1993; Boussakta et al., 2001). Both the forward and inverse transforms have a similar appearance, with a scale factor of (1/N) being the only difference. The forward 1-D NMNT X(k) of an integer sequence x(n) with transform length N and its inverse are defined as follows (Eq. 4-12): Where: The above kernels β1(nk) and β2(nk) are calculated for a maximum transform length $2^{P+1}$. For transform lengths less than that, their values can be calculated using the following Eq. 13 and 14: where, Re() and Im() stand for real and imaginary parts of the enclosed term respectively, denotes modulo Mp and d is an integer power of two.
Two different techniques are used to scrutinize and verify the diffusion power of the transform. The first technique involves the calculation of the branch number (Daemen and Rijmen, 2002) of the transform, a tool that is used to give an indication of the diffusion power of a linear transformation.
The Branch Number (BN) is calculated based on (15) Eq. 15: where, W(a) is the bundle weight (number of non-zero elements, also called number of active elements) and F is the linear transformation. The BN of a transform is upper bounded by Eq. 16 (Daemen and Rijmen, 2002):
The second technique, which has been exploited previously in evaluating the diffusion power of the Fermat Number Transform (FNT) (Al-Gailani et al., 2011), is based on probabilities, calculating the diffusion power as a range of probabilities for different cases. These cases are determined according to the kernel matrix analysis listed in (Al-Gailani and Boussakta, 2010). The differences between these cases depend on the number of modified elements and their locations. The type of element modification depends on the modified values; these are: same value, different values with a total sum equal to the modulus for each modified pair/elements, and different values with a total sum not equal to the modulus for each modified pair/elements. The range of probabilities for each case is calculated by counting the differences between the elements of the modified and unmodified versions, where the diffusion power percentages represent the process results overall by 100%.
The results are verified by recalculating the above cases by modifying the elements in three different tests. The first test is performed by transforming the input elements and producing the initially diffused elements. Next, the input is modified and transformed and the output is compared to the transformed output of the unmodified input. The second test is performed by modifying the transformed output elements, recalculating the input elements by applying the inverse transform and comparing the original input to the inversely transformed input. The final test involves modifying the mathematical equation according to the relevant cases (in the following explanation); examples are illustrated below for modifying a single element (17), single paired (18) and unpaired elements (19), all-odd elements (20), all-even elements (21) and all elements respectively (22) Eq. 17-23: where, i is the location of the modified element (0 ≤ i ≤ N-1) and a is the modification value that is added to the initial value.
Considering all these cases is very important so that, apart from determining the diffusion power, the cases that provide maximum or minimum diffusion percentages can be exploited or avoided in the design. The elements are modified at the following locations:
• Initially, all of the single elements at even and odd locations are modified
• Next, all of the even/odd numbers of paired elements are modified at their corresponding even/odd/mix locations. This is shown in Fig. 2 using the formula $(i, i+N/2^x)$ where $1 \le x \le \log_2 N - 1$
• Following the modification of even/odd paired elements in the even/odd/mix locations, the remaining unpaired elements, which are situated in even/odd/mix locations, are modified
• A combination that requires the modification of both the paired elements is performed at even/odd/mix locations $(i, i+N/2^x)$ using predetermined values and the remaining unpaired elements are replaced with random values
• The elements that reside in all-even positions, followed by the elements that reside in all-odd locations, are modified
• Finally, all of the elements are modified for the last time, completing this particular process within the implementation

RESULTS
The calculations of the branch number for transform lengths (N) 4 and 8 are shown in Table 1. To illustrate, consider the case of input bundle weight equal to 1 under column N = 4: the output weight is 4, giving a total of 5, which represents (N+1), signifying that the transform has maximum diffusion power. The same or larger output can be gained for input weights equal to 3 or 4. However, for input weight equal to 2, the minimum output weight is 2, giving a total of 4; this means that for this case the transform has a lower value than (N+1), providing less diffusion than the maximum. This is especially the case for modifying an even number of active elements, up to (N/2) of the total elements. All cases, including those that provide low diffusion, are explained in detail in the second method presented below. The results in (Al-Gailani and Boussakta, 2010) show that sufficient analysis has been performed using the NMNT with different moduli and transform lengths. The results can be classified into two groups. The first group summarizes the cases that provide good diffusion power, that is, at minimum 50%, and the second group lists the cases that exhibit low diffusion power, that is, at maximum 50%. All calculations are based on element level, i.e., (P-bits).

Cases that provide good diffusion power:
Modifying a single element: Modifying a single element at odd locations (Fig. 3) gives diffusion between 75-100%, depending on the number of elements with zero value in the row of the kernel matrix corresponding to the location of the modified element. Modifying a single element at even locations (Fig. 4) gives diffusion between 75-100%, increasing with larger transform length.
Modifying paired elements: Modifying any number of paired elements $(i, i+N/2^x)$ at any location with any value and $x > 1$ gives minimum diffusion 50%. The lower bound improves with larger x and modulus, and improves with larger transform length for elements modified at even locations. Figure 5 explains the case for modifying an odd number of paired elements at any location with the same value, while Fig. 6 clarifies the case for modifying an even number of paired elements with the same value.
Modifying unpaired elements: Modifying even numbers of unpaired elements at any location with any value gives diffusion between 50-100%, increasing to 68-100% for modifying odd numbers of unpaired elements. In both instances, the lower bounds improved in most cases with larger modulus and/or transform length. Figure 7 explains the case for modifying an odd number of unpaired elements at even locations with the same value, while Fig. 8 shows the case for modifying an even number of unpaired elements at even locations with different values, with a total sum equal to Mp.

Modifying all elements:
Modifying any number of paired elements with any value at any location and all other elements modified randomly (Fig. 9) gives in general diffusions over 75%, increasing with larger moduli and transform lengths.

Cases that produce low diffusion power:
Modifying paired elements: Modifying a number of paired elements $(i, i+N/2^x)$, up to N/2-1 pairs for x = 1, and leaving all other elements unchanged, at any location with the same value for each pair (Fig. 5 and 6), or different values with a total sum equal to Mp for each pair, gives in the best cases a diffusion of 50%. The lower bounds improve close to the upper bound (50%) when modifying pairs at even locations with a larger modulus and/or transform length. The probability of this case arising is $N \times M_p^{-N} \times (M_p - 1)$ for a single pair ($N \ge 8$) and becomes $N \times 2^{N/2-2} \times M_p^{-N} \times (M_p - 1)^{N/2-1}$ for N/2-1 pairs. The diffusion power improves for x > 1.
Modifying all input elements: Modifying all input elements with the same value (Fig. 10), which is equivalent to adding a DC value, the diffusion percentage becomes $N^{-1} \times 100\%$. The probability for this case taking place is $M_p^{-N} \times (M_p - 1)$.
Modifying all even/odd input elements: Modifying all even input elements with the same value or all odd input elements with the same value (Fig. 10) or different values, with a total sum equal to the modulus for each pair, same values for all modified pairs at odd locations, the diffusion percentage is $2 \times N^{-1} \times 100\%$. The probability for this case arising is: The probabilities of the last two cases occurring can be reduced by increasing the modulus and/or the transform length.
Table 2 expands on (Al-Gailani and Boussakta, 2010) and explains some of these results in an example for P = 7, Mp = 127 and N = 16. In the beginning, initial data is required that represents the unmodified version, and all comparison is done with it. This data is displayed in the first two rows. In the first two examples (rows 3-6), a single element is modified at odd positions (shadowed), where their diffusion percentage outputs are different. The first example gives 100% diffusion, all of the output elements being completely different (shadowed), while the second example gives 75% diffusion. The reason behind this is related to the number of zero elements in the row of the kernel matrix corresponding to the position of the modified element. The next example (rows 7-8) explains the case for modifying a single element at an even position. In every such case, all of the output elements are modified except two. This is because within the kernel matrix there are two zero elements in each even row. The examples in rows 9-12 explain the case for modifying a single pair (i, i+N/2) with the same value. The results show that the diffusion varies between 37.5 and 50%. Finally, rows 13-14 explain the case for modifying three elements with the same value; the output is completely different, giving 100% diffusion.
Fig. 10: All elements and all even/odd elements modification with same value
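The first verification test and the Table 2 cases (P = 7, Mp = 127, N = 16) can be reproduced numerically. The Python code below is an added example, not code from the paper. It assumes the NMNT kernel of the cited Boussakta and Holt definition, β(m) = Re(g^m) + Im(g^m) mod Mp with g = (2^q + j(-3)^q)^d, q = 2^(P-2), d = 2^(P+1)/N, because the defining equations did not survive on this page; the input block is constructed and positions are 0-based (index 0 is the first element).

```python
# Added example: NMNT diffusion measurement for P = 7, Mp = 127, N = 16.
# Assumed kernel (cited NMNT definition, not reproduced on this page):
#   beta(m) = Re(g^m) + Im(g^m) mod Mp,  g = (alpha1 + j*alpha2)^d,
#   alpha1 = 2^q, alpha2 = (-3)^q, q = 2^(P-2), d = 2^(P+1) / N.
P = 7
MP = (1 << P) - 1          # Mersenne prime 127
N = 16                     # transform length


def gmul(a, b):
    """Multiply two Gaussian integers (re, im) modulo Mp."""
    return ((a[0] * b[0] - a[1] * b[1]) % MP,
            (a[0] * b[1] + a[1] * b[0]) % MP)


def gpow(a, e):
    """Square-and-multiply exponentiation of a Gaussian integer mod Mp."""
    result = (1, 0)
    while e:
        if e & 1:
            result = gmul(result, a)
        a = gmul(a, a)
        e >>= 1
    return result


def build_kernel():
    """Return [beta(0), ..., beta(N-1)] for the assumed kernel."""
    q = 1 << (P - 2)
    alpha = (pow(2, q, MP), pow(-3, q, MP))
    g = gpow(alpha, (1 << (P + 1)) // N)      # element of order N
    beta, power = [], (1, 0)
    for _ in range(N):
        beta.append((power[0] + power[1]) % MP)
        power = gmul(power, g)
    return beta


BETA = build_kernel()


def nmnt(x):
    """Forward NMNT: X(k) = sum_n x(n) * beta(nk mod N) mod Mp."""
    return [sum(x[n] * BETA[(n * k) % N] for n in range(N)) % MP
            for k in range(N)]


def inmnt(X):
    """Inverse NMNT: the same transform scaled by 1/N mod Mp."""
    n_inv = pow(N, -1, MP)
    return [(n_inv * v) % MP for v in nmnt(X)]


def diffusion(x, positions, delta):
    """Percent of output elements that change when delta is added at positions."""
    y = list(x)
    for i in positions:
        y[i] = (y[i] + delta) % MP
    changed = sum(a != b for a, b in zip(nmnt(x), nmnt(y)))
    return 100.0 * changed / N


BLOCK = [(7 * i + 3) % MP for i in range(N)]   # constructed sample input

if __name__ == "__main__":
    cases = {"single, index 0": [0], "single, index 2": [2],
             "single, index 1": [1], "pair (0, 8)": [0, 8],
             "pair (1, 9)": [1, 9], "all even indices": range(0, N, 2),
             "all elements": range(N)}
    for name, pos in cases.items():
        print(f"{name:18s} {diffusion(BLOCK, pos, 5):6.2f}%")
```

Because the transform is linear, the percentages depend only on the positions and values of the modification, not on the contents of the unmodified block.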

DISCUSSION
The diffusion power of the NMNT has been considered in this study using two different techniques in order to evaluate the appropriateness of the transform for security applications.
The branch number of the transform, which is discussed in the first technique, indicates that the transform can provide maximum diffusion power for most cases, the exception being mostly even input weights up to half the transform length (N/2). However, the analysis from the second technique explains this case in depth: it arises with very low probability, when modifying only pairs of elements (just for x = 1) with the same value or with different values whose sum equals the modulus.
The results of the second technique are classified into two groups. The first group represents the cases that provide good diffusion, in general over 50%, and the percentages of the lower bounds are further improved with higher modulus and/or transform length. One of the factors that improve the diffusion percentages with higher transform lengths is that the percentage relating to the number of zero elements, explained in (23), is inversely proportional to the transform length, as illustrated in Fig. 11.
The second group represents the cases that provide low diffusion power, less than 50%. These cases can be avoided by ensuring that the number of modified elements is odd, or alternatively the probability of those cases arising can be reduced by increasing the modulus and/or the transform length. In general, increasing the modulus and/or transform length is beneficial as it either improves the diffusion power or reduces the probability of the cases in the second group arising. Of relevant importance is ensuring that the diffusion power improves with bigger block sizes or key lengths, which may be achieved by increasing the modulus and/or the transform length. This will facilitate the design by providing the possibility of changing the block size or key length to the required level of security without the need to alter the algorithm, and at the same time fix the number of rounds for different sizes, which supports the compatibility of the algorithm on different platforms.

CONCLUSION
In conclusion, although the results demonstrate that the transform in certain cases provides lower diffusion than the maximum due to the matrix symmetry, which can be avoided in the design, it can be concluded that the transform has many features qualifying it to be used in the design of a secure cryptosystem. Advantages include parameterization, providing flexibility to change the key length and/or block size to meet the required level of security, and sensitivity: the diffusion power has been shown to be good in general. It has a long transform length, and its operations are performed without the errors that normally arise through using floating-point operations. Finally, fast algorithms such as radix-2 (Nibouche et al., 2009), radix-4 (Boussakta et al., 2003) and split radix (Alshibami et al., 2000) can be adapted to it, to speed up processing.
According to the above, the transform is recommended to be employed in the design of a secure cryptosystem as a main diffusion layer, both for traditional cryptosystems like the AES and for applications such as audio or image encryption that require special treatment due to their size. Such applications are usually based on the chaos function, for instance the one found in (Ling et al., 2007), which proposes a practical and flexible cryptosystem that can be easily adapted to the international multimedia standards, such as JPEG 2000 and MPEG4.

Fig. 7: Lower bounds for modifying odd number of unpaired elements with same value

Fig. 11: Percentages of the number of zero elements relative to the total (Al-Gailani and Boussakta, 2010)