DOCSLIB.ORG

The New Block Cipher: BC2

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The New Block Cipher: BC2 International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 16 The New Block Cipher: BC2 Yusuf Kurniawan1, Adang Suwandi A.2, M. Sukrisno Mardiyanto2, Iping Supriana S.2, and Sarwono Sutikno2 (Corresponding author: Yusuf Kurniawan) Universitas Pasundan, Department of Informatics1 Jl Setiabudi 193 Bandung 40153, Jawa Barat, Indonesia (Email: [email protected]) Institute of Technology Bandung, School of Electrical Engineering and Informatics2 Jl Ganesha 10, Bandung 40132, Indonesia (Received Mar. 23, 2006; revised and accepted May 7, 2006) Abstract • || is concatenation of two operators; In this paper, we propose a new block cipher called BC2 • Knl is the left side of 2n-bit key. This key part has (Block Cipher 2). We make a cipher using components size of n bits; that are believed secure. The structure of BC2 is very simple. We use Feistel network with input-output 128 • Kr is the right side of K. The size is a half of full key. bits, matrix Maximum Distance Separable (MDS) 8x8 with branch number 9 to give high diffusion, a function The rest of this paper is organized as follows. The Sec- 8 affine equivalent to the inverse function in GF(2 ) that we tion 2 describes the new block cipher BC2, its random- get from Camellia and Hierocrypt S-Box for confusion and izing part and key schedule, Section 3 explains how to we make FN function, based on FL function of Camellia. implement BC2 at various platforms efficiently, Section We use a heuristic method to count the minimum num- 4 explains cryptanalysis of BC2, Section 5 explains the ber of active substitution box at Feistel Network. And we design rationale of BC2 and Section 6 gives conclusion. also construct a new key schedule that is fast and secure. Keywords: BC2, block cipher, FN function, heuristic method 2 BC2 (Block Cipher 2) The BC2 is a 128-bit block cipher using Feistel Network 1 Introduction that supports 128, 192 and 256-bit key lengths. Like many other ciphers, we use Substitution Boxes to give confu- In here we give some definition and list of symbols that sion, linear layer to give diffusion and mixed key to give we use. dependent on key. The structure of BC2 for 128-bit key In this paper we use finite field GF (28) that we can rep- length, is showed in Figure 1. For 128-bit key length, the resent as GF (2)[x]/m(x), where m(x)= x8+x4+x3+x2+ number of round is 13. There are two FN functions. One 1. We can write m(x) as ’11d’ like as Khazad [11]. And we of them is located after round 4, and the other is after use subscript x as representation of hexadecimal. In this round 9. The FN function have a very slow diffusion, so paper, multiplication with x is expressed as xT(number). if we place it before first round, then attacker can arrange For example, multiplication 7fx • 2x = xT (7f) = fex, the input and output of FN function to easier cryptanal- and fex • 2x = xT (fe)= e1x. This is similar to Rijndael ysis. It follows that FN function is unusable. proposal [7]. For 192 and 256-bit key length, the number of round Some notations used in this paper are listed as follows: is 18. There are 3 FN/FN −1 functions that are located after rounds 4, 9, and 14. • ∪ is OR; All F functions are same, like Figure 2. The number • ∩ is AND; in F function only show the number of round. For decryption, the order of round subkey is reversed. ≪ • is left circular rotation by one bit; So, KW3 replace KW1, KW4 replace KW2, KW1 replace • ≫ is right circular rotation by one bit; KW3, and KW2 replace KW4. K13 replace K1 and so forth. And then, KFN1 is replaced by KFN4, KFN2 is • ⊕ is bitwise XOR; replaced by KFN3 and so forth. International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 17 PlainText 128 bit Ciphertext KW 1 KW2 KW 3 KW 4 (64 bit) (64bit) (64 bit) (64bit) K1 K13 (64bit) (64bit) F1 F1 ………… ………… ………… ………… ………… ………… KFN4 KFN3 KFN1 -1 KFN2 FN FN-1 (64 bit) FN FN (64bit) (64 bit) (64bit) K5 K9 (64bit) (64bit) F5 F5 ………… ………… ………… ………… ………… ………… K5 K9 (64bit) (64bit) F9 F9 KFN2 KFN3 -1 KFN4 -1 KFN1 (64 bit) FN FN (64 bit) FN FN (64bit) (64bit) K10 K4 (64bit) (64bit) F10 F10 ………… ………… ………… ………… ………… ………… K13 K1 (64bit) (64bit) F13 F13 KW 1 KW 3 KW 4 KW 2 (64 bit) (64 bit) (64 bit) (64 bit) Ciphertext PlainText Enkripsi BC2 Dekripsi BC2 Figure 1: Encryption and decryption of BC2-128 International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 18 Input of F Function : 64 bits S1 S2 S3 S4 S5 S6 S7 S8 MDS 8x8 Subkeys 64 bits Output of F Function : 64 bits Figure 2: F function of BC2 X 64bit X L R YL 64bit YR 32bit 32bit Table 1: The constant for key schedule Ka 32bit 32bit c1 frac(√0.8) 0xe4f92e2dff6ec9ab294a33804a57d359 16bit Kc c2 frac(√0.9) 0xf2dce89b636cb24692e711b6e1c3ff31 Kb Ka the matrix satisfies the requirement above. Kc 16bit 32bit 32bit b 12321312 a 0 0 Kb b1 21232131 a1 b2 12123213 a2 Y Y L R XL XR b3 31212321 a3 FN -1 = FN b4 13121232 a4 b5 21312123 a5 Figure 3: FN function and its inversion b 32131212 a 6 6 b7 23213121 a7 2.1 Substitution Box where ai is input of MDS and bi is output of MDS. So b = L a. We use Camellia’s S-Box [8] and Hierocrypt’s S-Box [12] AK for BC2. The maximum differential probability of these 2.3 Add Key − − S-Boxes is 2 6 and maximum linear probability is 2 4 In this part, we use only XOR component to avoid weak- according to our experiment with PC. The degree of them ness that we can find in IDEA cipher. is 7. 2.4 Key Schedule We construct a new key schedule with the criteria: 2.2 Linear Layer L 1) simple and fast for many platforms We use MDS (Maximum Distance Separable) matrix to 2) it should be resistant to related key attack realize linear component to give high diffusion. We do not use XORs component like in Camellia cipher, because it 3) it should be hard to find masterkey if attacker can does not give branch number exactly. We use circular get (partial) subkey(s). matrix with low number in order to be able to be imple- 4) there are no weak keys. mented efficiently in hardware. A linear [n,k,d] code C with generator matrix G = 5) every bit of masterkey gives influence to all subkeys. [Ik×k Lk×(n−k)] is MDS if, and only if, every square sub- We use the basic instructions (like XOR, AND, OR, 1- matrix formed from rows and columns of L is nonsingular bit rotation) to achieve Objectives 1, 2, and 3. We also use (cf. [4], Chapter 11, § 4, Theorem 8). the matrix component(like in Rijndael) in key schedule to We make MDS code using trial and error method until achieve Objective 4. This component gives high diffusion International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 19 a00 a01 a02 a03 b00 b01 b02 b03 b00 b01 b02 b03 c00 c01 c02 c03 a a a a b b b b b b b b c c c c K1 ^ K2 10 11 12 13 SB 10 11 12 13 SR 13 10 11 12 MC 10 11 12 13 a20 a21 a22 a23 b20 b21 b22 b23 b22 b23 b20 b21 c20 c21 c21 c23 a30 a31 a32 a33 b30 b31 b32 b33 b31 b32 b33 b30 c30 c31 c32 c33 e e e e d00 d01 d02 d03 e00 e01 e02 e03 00 01 02 03 f00 f01 f02 f03 d d d d e e e e e e e e f f f f AK with 10 11 12 13 SB 10 11 12 13 SR 13 10 11 12 MC 12 13 10 11 C1^K1 e e e e d20 d21 d22 d23 e20 e21 e22 e23 22 23 20 21 f20 f21 f22 f23 e e e e d30 d31 d32 d33 e30 e31 e32 e33 31 32 33 30 f32 f33 f30 f31 g00 g01 g02 g03 e00 e01 e02 e03 e00 e01 e02 e03 f00 f01 f02 f03 AK with g g g g e e e e e e e e f f f f AK with 10 11 12 13 SB 10 11 12 13 SR 13 10 11 12 MC 12 13 10 11 C1 C2^K2 KB g20 g21 g22 g23 e20 e21 e22 e23 e22 e23 e20 e21 f20 f21 f22 f23 KA g30 g31 g32 g33 e30 e31 e32 e33 e31 e32 e33 e30 f32 f33 f30 f31 KC = KA KB C2 Figure 4: key schedule of BC2 and confusion. To achieve the last objective, we use high diffusion that we get from MixColumn function. We can see key schedule at Figure 4. Masterkey is composed from b0 SB[x0] SB[x1] • 2 K1 and K2, K1 || K2. b1 SB[x0] • 2 SB[x1] If we only need 128 bits, so we set K2=0, and if we need b2 SB[x0] SB[x1] • 2 192 bits, the last half of K2 is set to zero. From Figure 4 b3 SB[x0] • 3 SB[x1] we get KA, KB, and KC.
Load more

Recommended publications
  • Differential Cryptanalysis of the BSPN Block Cipher Structure
    Differential Cryptanalysis of the BSPN Block Cipher Structure Liam Keliher AceCrypt Research Group Department of Mathematics & Computer Science Mount Allison University Sackville, New Brunswick, Canada [email protected] Abstract. BSPN (byte-oriented SPN ) is a general block cipher struc­ ture presented at SAC’96 by Youssef et al. It was designed as a more ef­ ficient version of the bit-oriented SPN structure published earlier in 1996 by Heys and Tavares in the Journal of Cryptology. BSPN is a flexible SPN structure in which only the linear transformation layer is exactly specified, while s-boxes, key-scheduling details, and number of rounds are intentionally left unspecified. Because BSPN can be implemented very efficiently in hardware, several researchers have recommended the 64-bit version as a lightweight cipher for use in wireless sensor networks (WSNs). Youssef et al. perform preliminary analysis on BSPN (using typical block sizes and numbers of rounds) and claim it is resistant to differential and linear cryptanalysis. However, in this paper we show that even if BSPN (similarly parameterized) is instantiated with strong AES- like s-boxes, there exist high probability differentials that allow BSPN to be broken using differential cryptanalysis. In particular, up to 9 rounds of BSPN with a 64-bit block size can be attacked, and up to 18 rounds with a 128-bit block size can be attacked. Keywords: BSPN, block cipher, SPN, differential cryptanalysis, wire­ less sensor network (WSN) 1 Introduction BSPN (byte-oriented SPN ) is a general block cipher structure presented at SAC’96 by Youssef et al. [19]. It was designed as a more efficient byte-oriented version of the bit-oriented SPN structure published by Heys and Tavares in the Journal of Cryptology [5].
    [Show full text]
  • A Lightweight Encryption Algorithm for Secure Internet of Things
    Pre-Print Version, Original article is available at (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 8, No. 1, 2017 SIT: A Lightweight Encryption Algorithm for Secure Internet of Things Muhammad Usman∗, Irfan Ahmedy, M. Imran Aslamy, Shujaat Khan∗ and Usman Ali Shahy ∗Faculty of Engineering Science and Technology (FEST), Iqra University, Defence View, Karachi-75500, Pakistan. Email: fmusman, [email protected] yDepartment of Electronic Engineering, NED University of Engineering and Technology, University Road, Karachi 75270, Pakistan. Email: firfans, [email protected], [email protected] Abstract—The Internet of Things (IoT) being a promising and apply analytics to share the most valuable data with the technology of the future is expected to connect billions of devices. applications. The IoT is taking the conventional internet, sensor The increased number of communication is expected to generate network and mobile network to another level as every thing mountains of data and the security of data can be a threat. The will be connected to the internet. A matter of concern that must devices in the architecture are essentially smaller in size and be kept under consideration is to ensure the issues related to low powered. Conventional encryption algorithms are generally confidentiality, data integrity and authenticity that will emerge computationally expensive due to their complexity and requires many rounds to encrypt, essentially wasting the constrained on account of security and privacy [4]. energy of the gadgets. Less complex algorithm, however, may compromise the desired integrity. In this paper we propose a A. Applications of IoT: lightweight encryption algorithm named as Secure IoT (SIT).
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware
    1 ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware. Francois-Xavier Standaert, Gilles Piret, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat UCL Crypto Group Laboratoire de Microelectronique Universite Catholique de Louvain Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium standaert,piret,rouvroy,quisquater,[email protected] Abstract. We present a fast involutional block cipher optimized for re- configurable hardware implementations. ICEBERG uses 64-bit text blocks and 128-bit keys. All components are involutional and allow very effi- cient combinations of encryption/decryption. Hardware implementations of ICEBERG allow to change the key at every clock cycle without any per- formance loss and its round keys are derived “on-the-fly” in encryption and decryption modes (no storage of round keys is needed). The result- ing design offers better hardware efficiency than other recent 128-key-bit block ciphers. Resistance against side-channel cryptanalysis was also con- sidered as a design criteria for ICEBERG. Keywords: block cipher design, efficient implementations, reconfigurable hardware, side-channel resistance. 1 Introduction In October 2000, NIST (National Institute of Standards and Technology) se- lected Rijndael as the new Advanced Encryption Standard. The selection pro- cess included performance evaluation on both software and hardware platforms. However, as implementation versatility was a criteria for the selection of the AES, it appeared that Rijndael is not optimal for reconfigurable hardware im- plementations. Its highly expensive substitution boxes are a typical bottleneck but the combination of encryption and decryption in hardware is probably as critical. In general, observing the AES candidates [1, 2], one may assess that the cri- teria selected for their evaluation led to highly conservative designs although the context of certain cryptanalysis may be considered as very unlikely (e.g.
    [Show full text]
  • On Constructions of MDS Matrices from Circulant-Like Matrices for Lightweight Cryptography
    On Constructions of MDS Matrices From Circulant-Like Matrices For Lightweight Cryptography Technical Report No. ASU/2014/1 Dated : 14th February, 2014 Kishan Chand Gupta Applied Statistics Unit Indian Statistical Institute 203, B. T. Road, Kolkata 700108, INDIA. [email protected] Indranil Ghosh Ray Applied Statistics Unit Indian Statistical Institute 203, B. T. Road, Kolkata 700108, INDIA. indranil [email protected] On Constructions of MDS Matrices From Circulant-Like Matrices For Lightweight Cryptography Kishan Chand Gupta and Indranil Ghosh Ray Applied Statistics Unit, Indian Statistical Institute. 203, B. T. Road, Kolkata 700108, INDIA. [email protected], indranil [email protected] Abstract. Maximum distance separable (MDS) matrices have applications not only in coding theory but are also of great importance in the design of block ciphers and hash functions. It is highly nontrivial to find MDS matrices which could be used in lightweight cryptography. In a SAC 2004 paper, Junod et. al. constructed a new class of efficient MDS matrices whose submatrices were circulant matrices and they coined the term circulating-like matrices for these new class of matrices which we rename as circulant-like matrices. In this paper we study this construction and propose efficient 4 × 4 and 8 × 8 circulant-like MDS matrices. We prove that such d × d circulant-like MDS matrices can not be involutory or orthogonal which are good for designing SPN networks. Although these matrices are efficient, but the inverse of such matrices are not guaranteed to be efficient. Towards this we design a new type of circulant- like MDS matrices which are by construction involutory.
    [Show full text]
  • Efficient FPGA Implementations of Block Ciphers KHAZAD and MISTY1
    Efficient FPGA Implementations of Block Ciphers KHAZAD and MISTY1 Francois-Xavier Standaert, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat fstandaert,rouvroy,quisquater,[email protected] UCL Crypto Group Laboratoire de Microelectronique Universite Catholique de Louvain Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium Abstract. The technical analysis used in determining which of the NESSIE candidates will be selected as a standard block cipher includes efficiency testing of both hardware and soft- ware implementations of candidate algorithms. Reprogrammable devices such as Field Pro- grammable Gate Arrays (FPGA’s) are highly attractive options for hardware implementations of encryption algorithms and this report investigates the significance of FPGA implementa- tions of the block ciphers KHAZAD and MISTY1. A strong focus is placed on high throughput circuits and we propose designs that unroll the cipher rounds and pipeline them in order to optimize the frequency and throughput results. In addition, we implemented solutions that allow to change the plaintext and the key on a cycle-by-cycle basis with no dead cycle. The resulting designs fit on a VIRTEX1000 FPGA and have throughput between 8 and 9 Gbits=s. This is an impressive result compared with existing FPGA implementations of block ciphers within similar devices. 1 Introduction The NESSIE project1 is about to put forward a portfolio of strong cryptographic primitives that has been obtained after an open call and been evaluated using a transparent and open process. These primitives include block ciphers, stream ciphers, hash functions, MAC algorithms, digital signature schemes, and public-key encryption schemes. The technical analysis used in determining which of the NESSIE candidates will be selected as a standard block cipher includes efficiency testing of both hardware and software implementations of candidate algorithms.
    [Show full text]
  • Meet-In-The-Middle and Impossible Differential Fault Analysis On
    Meet-in-the-Middle and Impossible Differential Fault Analysis on AES Patrick Derbez1, Pierre-Alain Fouque1, and Delphine Leresteux2 1 Ecole´ Normale Sup´erieure, 45 rue d’Ulm, F-75230 Paris CEDEX 05 2 DGA Information Superiority, BP7, 35998 Rennes Arm´ees [email protected] [email protected] [email protected] Abstract. Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 232 in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical crypto- graphic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around 240 in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to 224 while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around 240 in time and memory.
    [Show full text]
  • Related-Key Cryptanalysis of AES, Hierocrypt-3, and Cipherunicorn-A
    Related-key cryptanalysis of AES, Hierocrypt-3, and CipherUnicorn-A Dmitry Khovratovich Independent Researcher for the CRYPTREC Project November 17, 2012 2 Contents 1 Introduction 5 1.1 History and relevance of related-key attacks . 5 1.2 Definitions and controversies . 6 2 Key recovery attacks in the related-key setting 9 2.1 Regular differential attacks . 9 2.2 Boomerang attacks . 11 3 AES 13 3.1 Description . 13 3.2 Local collision approach and long differentials . 15 3.3 Distinguishing attacks . 17 3.4 Boomerang attacks on AES-128, AES-192, and AES-256 . 18 4 Hierocrypt-3 21 4.1 Key schedule properties . 23 4.2 Differentials . 24 4.3 Attacks . 26 5 CipherUnicorn-A 29 5.1 Key schedule properties and (in)feasibility of related-key attacks . 31 5.2 Fixed point property and its implications . 32 6 Conclusion 35 3 4 CONTENTS Chapter 1 Introduction 1.1 History and relevance of related-key attacks Block ciphers are a very important primitive in cryptography and are the primary tool to achieve confidentiality. Since the beginning of public cryptography in late 1970s, block ciphers have been extensively studied by both academic community and leading industry agents. Originally, the security of block ciphers was informally defined as the (in)ability of adversary to read the encrypted information without the key that was used for encryption. Eventually, formal models with rigorous definitions appeared, making the use of block ciphers provably secure under reasonable assumptions. However, with more and more applied systems in the need of security, the environments where block ciphers are used are regularly changed with sometimes dangerous consequences for the overall security.
    [Show full text]
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
    [Show full text]
  • Research Problems in Block Cipher Cryptanalysis: an Experimental Analysis Amandeep, G
    International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-8 Issue-8S3, June 2019 Research Problems in Block Cipher Cryptanalysis: An Experimental Analysis Amandeep, G. Geetha Abstract: Cryptography has always been a very concerning Organization of this paper is as follows. Section 2 lists the issue in research related to digital security. The dynamic need of Block ciphers in a chronological order in a table having six applications and keeping online transactions secure have been columns stating name of the algorithm, year of publication, giving pathways to the need of developing different its cryptographic strategies. Though a number of cryptographic structure, block size, key size, and the cryptanalysis done on algorithms have been introduced till now, but each of these algorithms has its own disadvantages or weaknesses which are that particular cipher. This table becomes the basis of the identified by the process of cryptanalysis. This paper presents a analysis done in Section 3 and tabulates the information as to survey of different block ciphers and the results of attempts to which structure has been cryptanalyzed more, thereby identify their weakness. Depending upon the literature review, establishing a trend of structures analyzed Section 4 some open research problems are being presented which the identifies the open research problems based on the analysis cryptologists can depend on to work for bettering cyber security. done in Section 3. Section 5 of the paper, presents the conclusion of this study. Index Terms: block ciphers, cryptanalysis, attacks, SPN, Feistel. II. RELATED WORK I. INTRODUCTION This paper surveys 69 block ciphers and presents, in Cryptography is the science which deals with Table I, a summarized report as per the attacks concerned.
    [Show full text]
  • Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and Secret Spns
    IACR Transactions on Symmetric Cryptology ISSN 2519-173X, Vol. 2016, No. 2, pp. 226–247. DOI:10.13154/tosc.v2016.i2.226-247 Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs Alex Biryukov1, Dmitry Khovratovich2 and Léo Perrin3 1 Interdisciplinary Centre for Security, Reliability and Trust (SnT), Computer Science and Communications Research Unit (CSC), University of Luxembourg, Luxembourg, Luxembourg [email protected] 2 University of Luxembourg, Luxembourg, Luxembourg [email protected] 3 Interdisciplinary Centre for Security, Reliability and Trust (SnT), Computer Science and Communications Research Unit, University of Luxembourg, Luxembourg, Luxembourg [email protected] Abstract. We devise the first closed formula for the number of rounds of a blockcipher with secret components so that these components can be revealed using multiset, algebraic-degree, or division-integral properties, which in this case are equivalent. Using the new result, we attack 7 (out of 9) rounds of Kuznyechik, the recent Russian blockcipher standard, thus halving its security margin. With the same technique we attack 6 (out of 8) rounds of Khazad, the legacy 64-bit blockcipher. Finally, we show how to cryptanalyze and find a decomposition of generic SPN construction for which the inner-components are secret. All the attacks are the best to date. Keywords: Generic SPN · Algebraic attack · Multi-set · Integral · Division property · Kuznyechik · Khazad 1 Introduction 1.1 Multiset, integrals, division, and algebraic degree Multiset attacks originated in the late 1990s with application to byte-oriented block- ciphers [BS01] and are also known as Square [DKR97], integral [KW02], and satura- tion [Luc01] attacks. For years, they remained the most efficient method to attack AES [FKL+00, DF13], Camellia, and other popular designs.
    [Show full text]
  • Hardware Performance Characterization of Block Cipher Structures∗
    Hardware Performance Characterization of Block Cipher Structures∗ Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St. John's, NF, Canada A1B 3X5 fxiao, [email protected] Abstract In this paper, we present a general framework for evaluating the performance char- acteristics of block cipher structures composed of S-boxes and Maximum Distance Sep- arable (MDS) mappings. In particular, we examine nested Substitution-Permutation Networks (SPNs) and Feistel networks with round functions composed of S-boxes and MDS mappings. Within each cipher structure, many cases are considered based on two types of S-boxes (i.e., 4×4 and 8×8) and parameterized MDS mappings. In our study of each case, the hardware complexity and performance are analyzed. Cipher security, in the form of resistance to differential, linear, and Square attacks, is used to deter- mine the minimum number of rounds required for a particular parameterized structure. Because the discussed structures are similar to many existing ciphers (e.g., Rijndael, Camellia, Hierocrypt, and Anubis), the analysis provides a meaningful mechanism for seeking efficient ciphers through a wide comparison of performance, complexity, and security. 1 Introduction In product ciphers like DES [1] and Rijndael [2], the concepts of confusion and diffusion are vital to security. The Feistel network and the Substitution-Permutation Network (SPN) are two typical architectures to achieve this. In both architectures, Substitution-boxes (S- boxes) are typically used to perform substitution on small sub-blocks. An S-box is a nonlinear mapping from input bits to output bits, which meets many security requirements.
    [Show full text]