International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 16 The New Block Cipher: BC2 Yusuf Kurniawan1, Adang Suwandi A.2, M. Sukrisno Mardiyanto2, Iping Supriana S.2, and Sarwono Sutikno2 (Corresponding author: Yusuf Kurniawan) Universitas Pasundan, Department of Informatics1 Jl Setiabudi 193 Bandung 40153, Jawa Barat, Indonesia (Email: [email protected]) Institute of Technology Bandung, School of Electrical Engineering and Informatics2 Jl Ganesha 10, Bandung 40132, Indonesia (Received Mar. 23, 2006; revised and accepted May 7, 2006) Abstract • || is concatenation of two operators; In this paper, we propose a new block cipher called BC2 • Knl is the left side of 2n-bit key. This key part has (Block Cipher 2). We make a cipher using components size of n bits; that are believed secure. The structure of BC2 is very simple. We use Feistel network with input-output 128 • Kr is the right side of K. The size is a half of full key. bits, matrix Maximum Distance Separable (MDS) 8x8 with branch number 9 to give high diffusion, a function The rest of this paper is organized as follows. The Sec- 8 affine equivalent to the inverse function in GF(2 ) that we tion 2 describes the new block cipher BC2, its random- get from Camellia and Hierocrypt S-Box for confusion and izing part and key schedule, Section 3 explains how to we make FN function, based on FL function of Camellia. implement BC2 at various platforms efficiently, Section We use a heuristic method to count the minimum num- 4 explains cryptanalysis of BC2, Section 5 explains the ber of active substitution box at Feistel Network. And we design rationale of BC2 and Section 6 gives conclusion. also construct a new key schedule that is fast and secure. Keywords: BC2, block cipher, FN function, heuristic method 2 BC2 (Block Cipher 2) The BC2 is a 128-bit block cipher using Feistel Network 1 Introduction that supports 128, 192 and 256-bit key lengths. Like many other ciphers, we use Substitution Boxes to give confu- In here we give some definition and list of symbols that sion, linear layer to give diffusion and mixed key to give we use. dependent on key. The structure of BC2 for 128-bit key In this paper we use finite field GF (28) that we can rep- length, is showed in Figure 1. For 128-bit key length, the resent as GF (2)[x]/m(x), where m(x)= x8+x4+x3+x2+ number of round is 13. There are two FN functions. One 1. We can write m(x) as ’11d’ like as Khazad [11]. And we of them is located after round 4, and the other is after use subscript x as representation of hexadecimal. In this round 9. The FN function have a very slow diffusion, so paper, multiplication with x is expressed as xT(number). if we place it before first round, then attacker can arrange For example, multiplication 7fx • 2x = xT (7f) = fex, the input and output of FN function to easier cryptanal- and fex • 2x = xT (fe)= e1x. This is similar to Rijndael ysis. It follows that FN function is unusable. proposal [7]. For 192 and 256-bit key length, the number of round Some notations used in this paper are listed as follows: is 18. There are 3 FN/FN −1 functions that are located after rounds 4, 9, and 14. • ∪ is OR; All F functions are same, like Figure 2. The number • ∩ is AND; in F function only show the number of round. For decryption, the order of round subkey is reversed. ≪ • is left circular rotation by one bit; So, KW3 replace KW1, KW4 replace KW2, KW1 replace • ≫ is right circular rotation by one bit; KW3, and KW2 replace KW4. K13 replace K1 and so forth. And then, KFN1 is replaced by KFN4, KFN2 is • ⊕ is bitwise XOR; replaced by KFN3 and so forth. International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 17 PlainText 128 bit Ciphertext KW 1 KW2 KW 3 KW 4 (64 bit) (64bit) (64 bit) (64bit) K1 K13 (64bit) (64bit) F1 F1 ………… ………… ………… ………… ………… ………… KFN4 KFN3 KFN1 -1 KFN2 FN FN-1 (64 bit) FN FN (64bit) (64 bit) (64bit) K5 K9 (64bit) (64bit) F5 F5 ………… ………… ………… ………… ………… ………… K5 K9 (64bit) (64bit) F9 F9 KFN2 KFN3 -1 KFN4 -1 KFN1 (64 bit) FN FN (64 bit) FN FN (64bit) (64bit) K10 K4 (64bit) (64bit) F10 F10 ………… ………… ………… ………… ………… ………… K13 K1 (64bit) (64bit) F13 F13 KW 1 KW 3 KW 4 KW 2 (64 bit) (64 bit) (64 bit) (64 bit) Ciphertext PlainText Enkripsi BC2 Dekripsi BC2 Figure 1: Encryption and decryption of BC2-128 International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 18 Input of F Function : 64 bits S1 S2 S3 S4 S5 S6 S7 S8 MDS 8x8 Subkeys 64 bits Output of F Function : 64 bits Figure 2: F function of BC2 X 64bit X L R YL 64bit YR 32bit 32bit Table 1: The constant for key schedule Ka 32bit 32bit c1 frac(√0.8) 0xe4f92e2dff6ec9ab294a33804a57d359 16bit Kc c2 frac(√0.9) 0xf2dce89b636cb24692e711b6e1c3ff31 Kb Ka the matrix satisfies the requirement above. Kc 16bit 32bit 32bit b 12321312 a 0 0 Kb b1 21232131 a1 b2 12123213 a2 Y Y L R XL XR b3 31212321 a3 FN -1 = FN b4 13121232 a4 b5 21312123 a5 Figure 3: FN function and its inversion b 32131212 a 6 6 b7 23213121 a7 2.1 Substitution Box where ai is input of MDS and bi is output of MDS. So b = L a. We use Camellia’s S-Box [8] and Hierocrypt’s S-Box [12] AK for BC2. The maximum differential probability of these 2.3 Add Key − − S-Boxes is 2 6 and maximum linear probability is 2 4 In this part, we use only XOR component to avoid weak- according to our experiment with PC. The degree of them ness that we can find in IDEA cipher. is 7. 2.4 Key Schedule We construct a new key schedule with the criteria: 2.2 Linear Layer L 1) simple and fast for many platforms We use MDS (Maximum Distance Separable) matrix to 2) it should be resistant to related key attack realize linear component to give high diffusion. We do not use XORs component like in Camellia cipher, because it 3) it should be hard to find masterkey if attacker can does not give branch number exactly. We use circular get (partial) subkey(s). matrix with low number in order to be able to be imple- 4) there are no weak keys. mented efficiently in hardware. A linear [n,k,d] code C with generator matrix G = 5) every bit of masterkey gives influence to all subkeys. [Ik×k Lk×(n−k)] is MDS if, and only if, every square sub- We use the basic instructions (like XOR, AND, OR, 1- matrix formed from rows and columns of L is nonsingular bit rotation) to achieve Objectives 1, 2, and 3. We also use (cf. [4], Chapter 11, § 4, Theorem 8). the matrix component(like in Rijndael) in key schedule to We make MDS code using trial and error method until achieve Objective 4. This component gives high diffusion International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009 19 a00 a01 a02 a03 b00 b01 b02 b03 b00 b01 b02 b03 c00 c01 c02 c03 a a a a b b b b b b b b c c c c K1 ^ K2 10 11 12 13 SB 10 11 12 13 SR 13 10 11 12 MC 10 11 12 13 a20 a21 a22 a23 b20 b21 b22 b23 b22 b23 b20 b21 c20 c21 c21 c23 a30 a31 a32 a33 b30 b31 b32 b33 b31 b32 b33 b30 c30 c31 c32 c33 e e e e d00 d01 d02 d03 e00 e01 e02 e03 00 01 02 03 f00 f01 f02 f03 d d d d e e e e e e e e f f f f AK with 10 11 12 13 SB 10 11 12 13 SR 13 10 11 12 MC 12 13 10 11 C1^K1 e e e e d20 d21 d22 d23 e20 e21 e22 e23 22 23 20 21 f20 f21 f22 f23 e e e e d30 d31 d32 d33 e30 e31 e32 e33 31 32 33 30 f32 f33 f30 f31 g00 g01 g02 g03 e00 e01 e02 e03 e00 e01 e02 e03 f00 f01 f02 f03 AK with g g g g e e e e e e e e f f f f AK with 10 11 12 13 SB 10 11 12 13 SR 13 10 11 12 MC 12 13 10 11 C1 C2^K2 KB g20 g21 g22 g23 e20 e21 e22 e23 e22 e23 e20 e21 f20 f21 f22 f23 KA g30 g31 g32 g33 e30 e31 e32 e33 e31 e32 e33 e30 f32 f33 f30 f31 KC = KA KB C2 Figure 4: key schedule of BC2 and confusion. To achieve the last objective, we use high diffusion that we get from MixColumn function. We can see key schedule at Figure 4. Masterkey is composed from b0 SB[x0] SB[x1] • 2 K1 and K2, K1 || K2. b1 SB[x0] • 2 SB[x1] If we only need 128 bits, so we set K2=0, and if we need b2 SB[x0] SB[x1] • 2 192 bits, the last half of K2 is set to zero. From Figure 4 b3 SB[x0] • 3 SB[x1] we get KA, KB, and KC.