
A Block Cipher Using Key-Dependent S-box and P-boxes

Runtong Zhang, College of Computer Science and Technology, Dalian Maritime University, Dalian, China; Institute of Information Systems, School of Economics and Management, Beijing Jiaotong University, Beijing, China

Like Chen, College of Computer Science and Technology, Dalian Maritime University, Dalian, China

Abstract: Block ciphers based on key-dependent cipher structures have been investigated for years; however, their overall performance in terms of security and speed has not been sufficiently addressed. In this paper, we propose a 128-bit Feistel cipher, which simultaneously engages key-dependent S-box and key-dependent P-box. With these two key-dependent transformations, the internal structure of this cipher is secured, so as to resist the linear and differential cryptanalysis in a few round encryptions. Hence, the encryption and decryption functions are quite efficient. We named this key-dependent structure the DSDP structure, and the cipher DSDP. A fast algorithm is used to generate both the key-dependent S-box and key-dependent P-boxes. This greatly compensates the performance penalty of complex key schedule. The basic operations used in DSDP are all efficient bytewise operations, so the algorithm will have a reasonably fast speed on recent processors, 16-bit processors and smart cards as well as 8-bit processors. We implement the algorithm with C and Java respectively on several PCs with different processors, and estimate the optimized assembly performance on Pentium. The experimental results and the estimation show that DSDP has a very fast encryption/decryption speed and a reasonably fast key scheduling implementation.

I. INTRODUCTION

Since the introduction of the differential and linear cryptanalysis [1][2], the theory of these two powerful cryptanalytic tools became the potential rule guiding the new block cipher design. In the last two decades, many block ciphers are designed to resist these two kinds of attacks [26],

be proved. However, these ciphers usually have to do more rounds to achieve security, and their fixed building structure leaves opportunities to potential attacks.

The number of the existing block ciphers that belong to the second group is much less than that of the first group. This group of ciphers engages key-dependent cryptanalytic structures, such as key-dependent S-boxes, to strengthen their security. Because the S-boxes of these ciphers are unknown to the attackers, they could defy analysis based on specific properties of the S-box. In general, this kind of cipher could achieve a higher security level within fewer round encryptions [8]. Theoretically, the ciphers of this group should have been more practical and popular, especially in resource-limited environments. However, the existing ones of this group, such as Khufu [9] and Blowfish [10], are not quite successful to some extent.

Khufu is a 64-bit block 512-bit key cipher designed by Merkle with a fast software implementation in mind. The strength of Khufu is based on key-dependent 8-32-bit S-boxes, and it is faster than Khafre, which has a similar cryptanalytic structure with fixed S-boxes, due to a smaller number of rounds. It is believed that Khufu is stronger than Khafre, since Khufu has secret key-dependent S-boxes, which prohibit attacks based on analysis of specific S-boxes. However, due to the drawback of its cryptanalytic structure, the of the difference could be postponed by eight rounds [8]. And the large expanding S-boxes (n bits of input, m bits of output, n<

978-1-4244-1666-0/08/$25.00 ©2008 IEEE

Authorized licensed use limited to: NATIONAL CHANGHUA UNIVERSITY OF EDUCATION. Downloaded on April 24, 2009 at 02:09 from IEEE Xplore. Restrictions apply.

In this paper, a novel bytewise block cipher algorithm is proposed. This cipher encrypts a 128-bit block with a variable key length utilizing the Feistel structure. The purpose of this cipher is to offer a reasonably fast software implementation on most processors, including recent processors, 16-bit processors, smart cards as well as 8-bit processors. In order to meet our purpose, a novel key-dependent cipher structure is introduced to the round function. We engage a fast key-dependent permutation technique to speed up the key schedule. Through this permutation, one S-box and R P-boxes are calculated (R is the round number). The S-box is designed with 8-bit input and 8-bit output without repetition of S-box entry values. Since the S-box is generated with great randomness, this cipher could defy any attack based on specific properties of the S-box. In each round, a different key-dependent P-box is used to secure the permutation layer, so as to hide all the linear and differential trails from the attackers and to resist the linear and differential cryptanalysis completely. The S-box and the P-boxes are all key-dependent, so we name this structure the DSDP structure, and the cipher DSDP. In addition, only a few generally supported basic operations are involved, so the algorithm offers good compatibility. We implement the algorithm with C and Java. The experimental result shows that this cipher has a very efficient implementation.

This paper is organized as follows: Section 2 briefly reviews preliminary concepts of modern block ciphers. Section 3 describes the high-level structure and the design rationale of DSDP. Section 4 evaluates DSDP’s software performance and section 5 analyzes the advantages of this algorithm. We conclude in section 6.

II. PRELIMINARIES

Block ciphers divide the plaintext into separate blocks of fixed size (e.g., 64 or 128 bits), and encrypt each of them independently using the same key-dependent transformation. Two general principles guiding the design of block ciphers are diffusion and confusion. Diffusion means the spread of the influence of a single plaintext bit over many ciphertext bits so as to hide the statistical feature of the plaintext. Confusion means the use of transformations that complicate the dependence of the statistical feature of the ciphertext on that of the plaintext. Most ciphers achieve the diffusion and the confusion by means of iteration, which repeats a simpler SPN (Substitution & Permutation Network) cipher structure a number of times to construct the whole algorithm. This contributes to the cipher’s simplicity and ease of implementation. The SPN structure of modern block ciphers consists of four transformations (also called layers): 1) substitution transformation (also called S-box); 2) permutation transformation; 3) linear mixing transformation; and 4) key-adding transformation.

A. Global Structure

There are two commonly used global structures of the existing block ciphers. The first is the Feistel structure, named after H. Feistel, one of the IBM researchers who designed Lucifer and DES. Its round function splits the input block into two parts $L_{i-1}$ and $R_{i-1}$. The right part $R_{i-1}$ is left unchanged and forms the left part of the output $L_i$. The right part of the output is constructed by adding a modified copy of $R_{i-1}$ to the left part of the input $L_{i-1}$, i.e.,

$L_i = R_{i-1}$,
$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$.

An example of such a structure is given in Fig. 1. Examples of block ciphers in this class are data encryption standard (DES), Khufu, CAST, and Twofish [12][9][13][7][17]. An advantage of this approach is that the same round function can be used for both encryption and decryption, while a round function itself need not be invertible. Since DES is a Feistel network, more cryptanalytic experience is available on Feistel ciphers than on any other general structure.

Fig. 1. Feistel structure.

The second commonly used structure is usually called substitution-permutation networks (short for SPN). In this structure, every input bit is treated in a similar way. An example of such a network is given in Fig. 2. Examples of block ciphers in this class are SAFER, SHARK, Rijndael, and 3-WAY [14][15][16][13][17]. An advantage of this approach is inherent parallelism, while a disadvantage is that the inverse algorithm, which is required for decryption, may be different from the encryption algorithm.

Fig. 2. SPN structure. (Diagram labels: Key addition; S-box substitution; Permutation; Linear mixing.)

B. Nonlinear Substitution Transformations (S-Boxes)

A nonlinear substitution transformation, also called an S-box, is essential for every strong encryption algorithm. S-boxes can be either fixed for all keys or key dependent. Since no specific properties of the key-dependent S-box are offered to attackers, it is our belief that key-dependent S-boxes are more secure than fixed S-boxes. Most key-dependent S-boxes created by some process are effectively random. For example, SEAL [18] uses SHA [19] to create its key-dependent S-boxes.


Blowfish [10] uses repeated iterations of itself. But the cost of the key-setup time in these ciphers is enormous as a performance penalty.

C. Linear Mixing Transformations

In order to decrease the complexity of implementation and increase the speed of computations, usually nonlinear transformations are applied only to small parts of the block data and linear transformations are used to spread local changes. The simplest linear functions are a bit permutation, used, for example, in DES, and a rotation, used in Khufu. More general linear transformations are the pseudo-Hadamard transformation, used in SAFER [14], and the MDS transformation: the diffusion operation based on maximum distance separable (MDS) linear codes, used in Twofish and Rijndael [7][16].

D. P-box Transformations

The permutation layers are simple linear transformations operated on the complete block, to diffuse the effect of the S-box. Before linear and differential cryptanalysis, P-boxes were commonly engaged in block ciphers. For example, in DES and its variant, P-boxes are designed to diffuse the output bit alteration from the S-boxes. But fixed P-boxes leave opportunity to the differential and linear cryptanalysis. So, in most modern ciphers, the P-box layer is combined with or even replaced by invertible linear transformations. The P-box in these ciphers remains a minor cryptographic property.

III. THE DSDP ALGORITHM

A. Algorithm introduction

DSDP is an iterated block cipher with a block length of 128 bits and a key length of L bits. Note that L is commonly selected greater than 128. The cipher engages an r-round Feistel global structure. The round number r is variable. Users can manipulate the trade-off between high speed and high security by simply adjusting the round number r, but r must be even. We suggest implementation of DSDP greater than 8 rounds. Fig. 3 shows an overview of the global structure. In the F function, key-dependent S-box and P-boxes are engaged to construct the SPN structure in order to enhance the security level of the algorithm. The complex key scheduling stage is the central weakness of the existing block ciphers using key-dependent cryptanalytic structure, so we engage an efficient bytewise permutation algorithm to generate both the S-box and the P-boxes. Since the S-box and P-boxes are all generated key-dependently, we name them DS and DP respectively for short. In this section, we describe the algorithm step by step.

Fig. 3. DSDP global structure. (Diagram labels: Plaintext(128); L0(64), R0(64), RK0(64), F0 Function; L1(64), R1(64); …; Lr-1(64), Rr-1(64), RKr-1(64), Fr-1 Function; Cipher Text(128).)

B. Basic Operations

There are 4 kinds of commonly used basic operations in modern block ciphers: logical operations, arithmetic operations, shift operations, and look-up tables. Logical operations such as XOR are the most common components of modern block ciphers and are small and fast in any software system. Arithmetic operations such as additions, subtractions and sometimes multiplications are also commonly used in software-oriented ciphers because they can be carried out by one instruction on many processors and fairly contribute to their security. However, 16-bit multiplication in 8-bit or 16-bit processors may be quite slow. Shift operations, especially rotate-shifting, are frequently used in designing modern block ciphers. They indirectly improve data diffusion. Unfortunately, on some processors, such as Pentium, the cost of variable rotation is very high (four clocks). Even worse, variable rotations cannot pair with any other instructions. In software, efficiency of look-up tables strongly depends on memory access speed. In early microprocessors, memory access was much more expensive than register access, while most recent processors can read from and write to memory in only one cycle.

Taking the above discussion into consideration, we have concluded that logical operations and look-up tables meet our design policy. So, only the XOR operation and look-up tables are involved in DSDP. This selection offers the algorithm a very fast software implementation (see section 4).

C. Key Schedule

The key schedule is one of the most important parts of the cipher. It consists of three parts, including the generation of subkeys for the round function, a key-dependent S-box (short for DS) for nonlinear transformation, and key-dependent P-boxes (short for DPs) for linear diffusion. In this subsection, we describe the generation of DS and DP first.

1) Generation of DS & DP

The DS and DPs are all calculated through the very same permutation approach used in the fast streaming cipher RC4, created by RSA Data Security, Inc. [20]. Like the key scheduling of RC4, this algorithm offers great randomicity, and can be implemented efficiently. Here, we present the permutation algorithm with the following pseudo-code.

    Function Permute(T, K, M){
        J = 0;
        For I = 0 to M-1
            J = (J+T[I]+K[ I % L]) % M;
            Swap(T[I], T[J]);
        End_For
    }

The input data T{0,…,M-1} is permuted depending on the controlling key K. L represents the bytewise length of K. Note that I visits every value from 0 to M-1, so every entry of T is swapped at least once (possibly with itself). Through this approach, both DS and DP are generated. The pseudo-code is

    For I = 0 to 255
        S[I] = I;
    End_For
    DS=Permute(S, SK, 256);
    For I = 0 to N/2-1
        P[I] = N/2-I;
    End_For
    DP=Permute(P, PK, N/2);

Here, S and P represent the initial state of DS and DP respectively. They could be changed for different applications. N denotes the block size of the cipher, which is assigned 16 in DSDP. SK is selected as the cipher key supplied by the user. PK is calculated through the subkey generation algorithm. Obviously, secure key-dependent S-box and P-boxes are calculated through the above operations.

2) Generation of Subkeys

Subkeys of DSDP consist of two parts, including RN/2 round keys which are input to the F function, and another RN/2 round keys to control the generation of P-boxes. It is well known that attackers may recover some subkey bits, or even the whole cipher key, from several known subkey bits of the cipher without a secure key scheduling. In order to protect the cipher against this kind of attack, a secure variable must be involved in the key scheduling. In DSDP, the secure DS is involved in this stage, so, without the knowledge of the specific S-box, attackers cannot deduce the latter subkey bits from the former, and vice versa. All the subkeys are calculated through the same approach represented in the following pseudo-code.

    For I = 0 to Len-1
        TK[I] = K[I] ⊕ DS[ K[I]+i ];
    End_For
    For I = Len to RN-1
        Tmp = TK[I - Len] ⊕ TK[I - Len/2] ⊕ (TK[I-1]);
        TK[I] = DS[Tmp];
    End_For

Here, “⊕” denotes the XOR operation and TK the generated subkey. After the generation, the first RN/2 bytes of TK are defined as the round key for the F function denoted as RKi[0,…,N/2-1], and the second RN/2 TK to control DP generation denoted as PKi[0,…,N/2-1]. ‘i’ represents the round number. Obviously, this algorithm can extend cipher keys of any length to the subkey requirement; however, we suggest that a cipher key greater than 128-bit length should be used.

D. Linear Transformation

In DSDP, the design strategy of the linear mixing layer follows that of the counterpart of Camellia [6]. The design rationale is that, for computational efficiency, it should be represented using only bytewise eXclusive-ORs and, for security against differential and linear cryptanalysis, its branch number should be optimal. We choose this linear transformation among the existing approaches that satisfy these conditions, considering highly efficient implementation on 32-bit processors and high end smart cards, as well as 8-bit processors. The transformation is represented as follows

    DB′[0] = DB[0] ⊕ DB[2] ⊕ DB[3] ⊕ DB[5] ⊕ DB[6] ⊕ DB[7];
    DB′[1] = DB[0] ⊕ DB[1] ⊕ DB[3] ⊕ DB[4] ⊕ DB[6] ⊕ DB[7];
    DB′[2] = DB[0] ⊕ DB[1] ⊕ DB[2] ⊕ DB[4] ⊕ DB[5] ⊕ DB[7];
    DB′[3] = DB[1] ⊕ DB[2] ⊕ DB[3] ⊕ DB[4] ⊕ DB[5] ⊕ DB[6];
    DB′[4] = DB[0] ⊕ DB[1] ⊕ DB[5] ⊕ DB[6] ⊕ DB[7];
    DB′[5] = DB[1] ⊕ DB[2] ⊕ DB[4] ⊕ DB[6] ⊕ DB[7];
    DB′[6] = DB[2] ⊕ DB[3] ⊕ DB[4] ⊕ DB[5] ⊕ DB[7];
    DB′[7] = DB[0] ⊕ DB[3] ⊕ DB[4] ⊕ DB[5] ⊕ DB[6];

Here, DB represents the current intermediate data of the F function and DB′ the result of the linear transformation.

E. DS and DP

A distinguishing feature of DSDP is its use of DS and DP, which are both key-dependent index tables. An S-box is a look-up table. The P-box represents one of the basic ideas of Shannon’s cryptographic theory, which is only a word/bit permutation of the block data. Both S-box and P-box were first used in Lucifer, then DES, and now most block ciphers. In DSDP, we use an 8-8-bit S-box and P-boxes which operate on 8 data entries in the F function. Both the S-box and P-boxes are key-dependent and generated through the approach described above. So we call them DS and DP for short. In addition, we do not use expanding S-boxes in order to avoid the impossible differentials.

As described above, we implement DSDP within 8 rounds, so 8 DPs should be generated. The subkeys PK used to control the permutation of DP are generated through the algorithm discussed above.

F. Round Function F

The round function of DSDP consists of four consecutive operations:

1) Key Adding Layer: At each round, N/2 bytes subkey RKi is XORed to the current intermediate data DBi.

    For I = 0 to N/2-1
        DB[I]=DB[I] ⊕ RK[I];
    End_For

2) DS Layer: The data bytes combining with N/2 bytes of round key are substituted by the element of DS.

    For I = 0 to N/2-1
        DB[I]=DS[DB[I]]
    End_For

3) Linear Mixing Layer: All the result data bytes of the previous stage are transformed through the approach


described previously.

4) DP Layer: After the linear transformation, the data sequence of DB is permuted according to a table-driven DP, which is also key-dependently generated. Then, the current intermediate data bytes are the output of the round function.

    Tmp=DB;
    For I = 0 to N/2-1
        DB[DP[I]]=Tmp[I];
    End_For

IV. ALGORITHM PERFORMANCE AND ANALYSIS

In this section, we provide some measurement of the encryption and decryption time of an eight-round DSDP and also the time required for key setup. We also compare its software performance with Blowfish and Khufu, which are all block ciphers with key-dependent cipher structure.

In order to test the compatibility of the algorithm, performance was measured on two different PC environments. Table 1 lists the specification of the simulation environments. Table 2 lists the implementation parameters of block ciphers.

The performance figures shown here for C implementations were obtained using the compiler in Visual C++ 6.0. The Java implementation was compiled with JavaSoft’s JDK 1.5 compiler, and the performance of the resulting code was measured with JavaSoft’s JDK 1.5 interpreter. To improve the accuracy of our timing measurements, each test was executed 10 times, and we report the average of the times obtained.

Fig. 4. Encryption comparison in PC1: a) C implementation; b) Java implementation.

Fig. 5. Encryption comparison in PC2: a) C implementation; b) Java implementation.

TABLE 1. SIMULATION ENVIRONMENT SPECIFICATION

| | Processor | RAM | OS |
|---|---|---|---|
| PC1 | Celeron 2.4 GHz | 512 MB | Windows XP |
| PC2 | Celeron 400 MHz | 160 MB | Windows 98 |

TABLE 2. IMPLEMENTATION PARAMETERS

| | Blowfish | Khufu | DSDP |
|---|---|---|---|
| Block Size (bit) | 64 | 64 | 128 |
| Rounds | 16 | 32 | 8 |

TABLE 3. ENCRYPTION PERFORMANCE COMPARISON

| | C Code (MB/s), PC1 | C Code (MB/s), PC2 | Java Code (MB/s), PC1 | Java Code (MB/s), PC2 |
|---|---|---|---|---|
| Blowfish | 25.3 | 8.8 | 26.5 | 4.0 |
| Khufu | 96.9 | 10.8 | 43.6 | 6.0 |
| DSDP | 84.1 | 11.5 | 22.3 | 3.4 |

TABLE 4. KEY-SETUP EFFICIENCY COMPARISON

| | C Code (Clock/Time), PC1 | C Code (Clock/Time), PC2 | Java Code (Clock/Time), PC1 | Java Code (Clock/Time), PC2 |
|---|---|---|---|---|
| Blowfish | 410400 | 189175 | 384000 | 416005 |
| DSDP | 7953 | 6006 | 28552 | 24920 |

All the ciphers involved in our simulation are Feistel ciphers, which have equal efficiencies between encryption and decryption. So, we only compare the encryption performance of the ciphers.

Timing in the C implementation was obtained by encrypting and decrypting random data from 10MB to 100MB in ECB mode, due to its straightforward implementation. Timings in Java were obtained under the same condition. C and Java key-setup are all tested through scheduling the same user-key $10^6$ times. As the designer of Khufu did not define the specific key-setup algorithm, here, we only compare that of Blowfish and DSDP. We will estimate the key-setup efficiency of Khufu later in this section.

Fig. 4-5 illustrate the performance comparison in different simulation environments. Table 3 lists the average encryption speeds. Table 4 reports the key-setup efficiency of Blowfish and DSDP. From the simulation result, it can be seen that the three block ciphers are all very efficient in the encryption stage; however, the key-setup stage of Blowfish is far slower than DSDP. From our estimation, Khufu’s key-setup is even slower than that of Blowfish. This will quite limit the practical use of these ciphers. In addition, Blowfish and Khufu are all particularly designed for 32-bit processors, and in 16-bit and 8-bit processors, the encryption/decryption speed, as well as their key-setup efficiency, will greatly slow down. However, all the operations involved in DSDP are based on bytes. This offers DSDP a wonderful compatibility within different processors.

In this section, we also give some crude estimates for the performance of DSDP for optimized assembly implementations on 8-bit processors. We first consider the round function of DSDP (see section 3).

1) Key-adding Layer: On 8-bit processors, the whole layer operations can be computed using eight load instructions, and eight XORs.

2) DS Layer: This layer involves only eight lookup-table operations.

3) Linear Mixing Layer: The calculation of the linear mixing layer requires 36 XORs; however, if we follow Fig. 6, only 16 XORs are required.

4) DP Layer: The DP layer could be combined with the output XORs with the left part of the block data, so no extra time is needed.

5) Round Output: XOR the output of the round function F with the left half block data; eight load operations and eight XORs are required.


Putting things together, we can estimate the total number of instructions needed for one round is 64 cycles, and for the whole eight round DSDP is 512 cycles.

Fig. 6. Implementation approach of linear mixing layer.

V. ANALYSIS

A distinguishing feature of DSDP is its use of DS and DP, which are both key-dependent lookup-tables. The DS and DP protect against differential and linear cryptanalysis. Since the structure of the DS is completely hidden from the cryptanalyst, DSDP could resist cryptanalysis based on specific properties of the S-box. DPs are introduced to secure the permutation layer. Combined with DS, they hide all the linear and differential trails, and thus thoroughly resist linear and differential attacks. Other shortcut attacks also have to recover the specific internal structure of the cipher, so one 256-entry DS and eight 8-entry DPs have to be recovered. DS has 256!, about $2^{700}$ possibilities. One DP has 8! possibilities, so eight DPs have $(8!)^8$, about $2^{140}$ possibilities. So cryptanalysts who want to recover the internal structure of DSDP would pay a higher price than a brute force attack. So, by introducing the secret key into S-box and P-box operation, DSDP has a more secure building structure than existing ciphers with specific S-box and P-box. It could execute fewer round iterations to achieve security.

Additionally, basic operations used in DSDP are all efficient instructions, which could be executed in only one cycle on most processors. Combining these with the above designing strategies, DSDP got a very fast software implementation in the encryption/decryption stage. And, since the operations used in the algorithm are all bytewise, it can also run fast on 8-bit processors.

However, a price must be paid for the generation of DS and DPs. This would lead to a comparatively less efficient key-setup. In DSDP, we engage a fast permutation algorithm to calculate the DS and DPs, which greatly lowers the cost of key-setup. Furthermore, fewer round iterations require fewer round keys. These offer DSDP a much faster key-setup than the existing ciphers using key-dependent internal structures (Blowfish and Khufu).

VI. CONCLUSION

This paper proposed a novel 128-bit software block cipher DSDP. The cipher engages the Feistel structure. A key-dependent S-box and eight key-dependent P-boxes are introduced into the algorithm, so the internal structure of this algorithm is hidden so as to resist the existing shortcut attacks, such as linear and differential cryptanalysis. Only a few generally supported efficient instructions are involved in the algorithm, so the algorithm offers good efficiency and compatibility. By using a fast permutation approach, a reasonably fast key-setup is obtained. This overcomes the weakness of the existing block ciphers using key-dependent round structures, and makes the cipher very practical in real use. The C code and Java code are implemented respectively. Experimental results showed that DSDP is a very promising cipher for practical use.

ACKNOWLEDGMENT

This work was partially supported by the National Science Fund of China under grant number 60773033.

REFERENCES

[1] M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology – EUROCRYPT ’93 Proceedings, Springer-Verlag, 1994, pp. 286-397.
[2] E. Biham and A. Shamir, Differential cryptanalysis of the Data Encryption Standard. New York: Springer-Verlag, 1993.
[3] J. Daemen, L. R. Knudsen and V. Rijmen, “The block cipher Square,” in Fast software encryption – FSE’97, Springer Verlag, Haifa, Israel, January 1997, pp. 149-165.
[4] Advanced Encryption Standard, FIPS-197, National Institute of Standards and Technology. Nov. 2001.
[5] M. Matsui, “New block encryption algorithm MISTY,” in Fast Software Encryption - 4th International Workshop (FSE’97), 1997, Springer-Verlag, LNCS, vol. 1267, pp. 54-68.
[6] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, “Camellia: A 128-bit block cipher suitable for multiple platforms – Design and analysis,” submitted to NESSIE, 2000. Available at http://www.cryptonessie.org.
[7] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, and C. Hall, “Twofish: A 128-Bit Block Cipher,” in First Advanced Encryption Standard (AES) Conference, Ventura, California, USA, 1998.
[8] E. Biham, A. Biryukov, A. Shamir, “Miss-in-the-middle attacks on IDEA, ,” in 6th Fast Software Encryption Workshop, 1999, Springer-Verlag, LNCS, vol. 1636, pp. 124-138.
[9] R. C. Merkle, “Fast software encryption functions,” in Proc. CRYPTO’90, 1990, Springer-Verlag, LNCS, vol. 537, pp. 476-501.
[10] B. Schneier, “Description of a new variable-length key, 64-bit block cipher (Blowfish),” in Fast Software Encryption – Proceedings of the Cambridge Security Workshop, Cambridge, United Kingdom, Lectures Notes in Computer Science 809, Springer-Verlag, 1994, pp. 191-204.
[11] S. Vaudenay, “On the weak keys of Blowfish,” in Third International Workshop Proceedings, Springer-Verlag, 1996, pp. 27-32.
[12] Data Encryption Standard (DES), FIPS-46, National Institute of Standard and Technology. 1979 [Online]. Available: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3., revised as FIPS 46-1: 1988, FIPS 46-2: 1993, FIPS 46-3: 1999.
[13] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C. New York: Wiley, 1996.
[14] J. L. Massey, “SAFER K-64: A byte-oriented block-ciphering algorithm,” in Fast Software Encryption, 1993. Cambridge, U.K.: Springer-Verlag, 1994, vol. 809, LNCS, pp. 1-17.
[15] V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers, and E. De Win, “The Cipher Shark,” in Fast Software Encryption, 1996, Cambridge, U.K.: Springer-Verlag, 1997, vol. 1039, LNCS, pp. 99-111.
[16] J. Daemen and V. Rijmen, The design of Rijndael: AES - The Advanced Encryption Standard. Berlin, Germany: Springer-Verlag, 2002.
[17] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL: CRC, 1997.
[18] D. Coppersmith and P. Rogaway, “Software-efficient pseudorandom function and the use thereof for encryption,” U.S. patent 5,454,039, Sep 26 1995.
[19] Secure Hash Standard, NIST, U.S. Department of Commerce, May 1993.
[20] B. Schneier, Applied Cryptography. John Wiley & Sons, Inc, Toronto, Canada, 2 edition, 1996.
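The key schedule of Section III-C and the round function F of Section III-F, assembled into one C program as an added example; it is not the authors' implementation, which the paper does not reproduce. Assumptions the paper leaves open: the initial P table is N/2-1-I so that its entries are valid indices, the offset i in DS[K[I]+i] is the byte index reduced mod 256, key lengths of 2 to R·N bytes are accepted, and the halves are not swapped after the last round.

```c
#include <stdint.h>
#include <string.h>
#define N 16       /* block size in bytes */
#define H (N / 2)  /* half block processed by F */
#define R 8        /* rounds */

typedef struct {
    uint8_t ds[256];   /* key-dependent S-box (DS) */
    uint8_t dp[R][H];  /* key-dependent P-box (DP) of each round */
    uint8_t rk[R][H];  /* round keys RK_i */
} dsdp_ctx;

/* Permute(T, K, M): RC4-style key-driven shuffle of an M-entry table. */
static void permute(uint8_t *t, const uint8_t *k, size_t klen, unsigned m) {
    unsigned j = 0;
    for (unsigned i = 0; i < m; i++) {
        j = (j + t[i] + k[i % klen]) % m;
        uint8_t tmp = t[i]; t[i] = t[j]; t[j] = tmp;
    }
}

/* Returns 1 if t[0..m-1] contains each value 0..m-1 exactly once. */
int is_perm(const uint8_t *t, unsigned m) {
    uint8_t seen[256] = {0};
    for (unsigned i = 0; i < m; i++)
        if (t[i] >= m || seen[t[i]]++) return 0;
    return 1;
}

/* Key setup: DS, subkey bytes TK, then RK_i and DP_i. Returns 0, or -1 on a bad length. */
int dsdp_setup(dsdp_ctx *c, const uint8_t *key, size_t len) {
    uint8_t tk[R * N];
    if (len < 2 || len > R * N) return -1;   /* ASSUMPTION: accepted key sizes */
    for (unsigned i = 0; i < 256; i++) c->ds[i] = (uint8_t)i;
    permute(c->ds, key, len, 256);           /* SK is the user key */
    for (size_t i = 0; i < len; i++)         /* ASSUMPTION: offset "i" is the byte index */
        tk[i] = key[i] ^ c->ds[(uint8_t)(key[i] + i)];
    for (size_t i = len; i < R * N; i++)
        tk[i] = c->ds[tk[i - len] ^ tk[i - len / 2] ^ tk[i - 1]];
    for (unsigned r = 0; r < R; r++) {
        memcpy(c->rk[r], tk + r * H, H);     /* first R*N/2 bytes: round keys */
        for (unsigned i = 0; i < H; i++)     /* ASSUMPTION: P starts as N/2-1-I so */
            c->dp[r][i] = (uint8_t)(H - 1 - i);  /* that entries are indices 0..N/2-1 */
        permute(c->dp[r], tk + R * H + r * H, H, H);  /* second R*N/2 bytes: PK_i */
    }
    return 0;
}

/* Round function F: key adding, DS layer, linear mixing, DP layer. */
static void f_func(const dsdp_ctx *c, unsigned r, const uint8_t *in, uint8_t *out) {
    uint8_t d[H], m[H];
    for (unsigned i = 0; i < H; i++) d[i] = c->ds[in[i] ^ c->rk[r][i]];
    m[0] = d[0] ^ d[2] ^ d[3] ^ d[5] ^ d[6] ^ d[7];
    m[1] = d[0] ^ d[1] ^ d[3] ^ d[4] ^ d[6] ^ d[7];
    m[2] = d[0] ^ d[1] ^ d[2] ^ d[4] ^ d[5] ^ d[7];
    m[3] = d[1] ^ d[2] ^ d[3] ^ d[4] ^ d[5] ^ d[6];
    m[4] = d[0] ^ d[1] ^ d[5] ^ d[6] ^ d[7];
    m[5] = d[1] ^ d[2] ^ d[4] ^ d[6] ^ d[7];
    m[6] = d[2] ^ d[3] ^ d[4] ^ d[5] ^ d[7];
    m[7] = d[0] ^ d[3] ^ d[4] ^ d[5] ^ d[6];
    for (unsigned i = 0; i < H; i++) out[c->dp[r][i]] = m[i];
}

/* Feistel rounds, (L,R) -> (R, L^F(R)); decryption reverses them without inverting F. */
void dsdp_crypt(const dsdp_ctx *c, uint8_t blk[N], int decrypt) {
    uint8_t f[H];
    uint8_t *keep = decrypt ? blk : blk + H, *mix = decrypt ? blk + H : blk;
    for (unsigned n = 0; n < R; n++) {
        f_func(c, decrypt ? R - 1 - n : n, keep, f);
        for (unsigned i = 0; i < H; i++) {
            uint8_t t = mix[i] ^ f[i]; mix[i] = keep[i]; keep[i] = t;
        }
    }
}

/* Constructed key and block: 1 if all tables are bijections and the round trip works. */
int dsdp_selftest(void) {
    static const uint8_t key[] = "constructed-demo-key";
    uint8_t pt[N], blk[N]; dsdp_ctx c;
    for (unsigned i = 0; i < N; i++) pt[i] = blk[i] = (uint8_t)(i * 17);
    if (dsdp_setup(&c, key, sizeof key - 1) != 0 || !is_perm(c.ds, 256)) return 0;
    for (unsigned r = 0; r < R; r++) if (!is_perm(c.dp[r], H)) return 0;
    dsdp_crypt(&c, blk, 0);
    if (memcmp(blk, pt, N) == 0) return 0;   /* ciphertext must differ */
    dsdp_crypt(&c, blk, 1);
    return memcmp(blk, pt, N) == 0;
}

int main(void) { return dsdp_selftest() ? 0 : 1; }
```

The exit status is 0 when the self-test passes.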
