International Journal of Network Security, Vol.1, No.1, PP.52–60, July 2005 (http://isrc.nchu.edu.tw/ijns/) 52 The PYRAMIDS Block Cipher Hussein Ahmad Al Hassan1, Magdy Saeb2 and Hassan Desoky Hamed1 (Corresponding author: Magdy Saeb) Department of Mathematics, Faculty of Science, Cairo University, Cairo, Egypt1 Arab Academy for Science, Technology and Maritime Transport, Computer Engineering Department2 Abu Kir, Alexandria, Egypt (Email: [email protected]) (Received June 05, 2005; revised and accepted June 16, 2005) Abstract 2 Design Rationale The cipher is a 64, 128, 256-bit length, which also accepts The “PYRAMIDS” Block Cipher is a symmetric encryp- a variable key length 128, 192, 256 bits. The PYRAMIDS tion algorithm of a 64, 128, 256-bit plaintext block, that is an iterated cipher consisting of a repeated application of accepts a variable key length of 128, 192, 256 bits. The a simple round transformation with different operations, algorithm is an iterated cipher consisting of repeated ap- and different sequence in each round. Moreover, we take plications of simple round transformations with different into account, in the design criteria, robustness against the operations and different sequences in each round. cryptanalysis, speed, simplicity, and suitability for hard- Keywords: Block cipher, cryptography, data communica- ware applications. tion security, decryption, encryption 3 The Round Transformation The round transformation is composed of different transformations. These transformations are addition +, 1 Introduction xor (⊕), right rotation (>>>), and ordered operation (⊗). By considering the block of the text W is consisting 0 1 2 3 of 4 words w0, w1, w2, w3, the sub-keys are ki , ki , ki , ki , In the last few years the merging of computer and commu- and Rot is the rotation. The pseudo code of the i-th nications technologies has been developing progressively. round is shown next. The need of security to protect the data through networks has become of vital importance. This area of research has Round(W, k) become quite active in the recent years. Encryption algo- { 1 rithms have received wide attention and study. A lot of w1 = w1 + ki ; 2 algorithms were published in this area such as RC6 [15], w2 = w2 + ki ; 1 0 1 Rijndael (AES) [8], Serpent [3], Two-fish [17], Mars [6], w0 = w0 ⊕ ((w2 ⊗i ki ) >>> Roti ); 1 Khazad [1]. These algorithms vary in security levels, de- // fi 1 3 2 sign, structure, and throughput. All of these algorithms w3 = w3 ⊕ ((w1 ⊗i ki ) >>> Roti ); 2 are using a fixed round function in the encryption and // fi decryption processes. Explicitly, if the algorithm is to be w1 = w1 ⊕ w0; attacked then the same scenario is applied irrespective of w2 = w2 ⊕ w3; 2 the user’s key. However, if the round function is changed w0 = w0 >>> Roti ; 1 with every different user’s key then the attacker needs to w3 = w3 >>> Roti ; analyze the algorithm for every user’s key. In this work, (w0, w1, w2, w3) = (w2, w0, w3, w1); we make full use of this simple fact to design an algorithm } that is of high security and at the same time adaptable to hardware implementations. This work starts with the The pseudo code of decryption round is given by: design rationale, and then move to the description of the algorithm itself. We then move to discuss the algorithm InvRound(W, k) specifications and its key scheduling process. { International Journal of Network Security, Vol.1, No.1, PP.52–60, July 2005 (http://isrc.nchu.edu.tw/ijns/) 53 (w0, w1, w2, w3) = (w1, w3, w0, w2); key scheduling algorithm. This scheduling algorithm is 2 w0 = w0 >>> (L − Roti ); explained as follows: // L is the word Length 1 • The basic operations used in the key scheduling al- w3 = w3 >>> (L − Rot ); i gorithm are: w1 = w1 ⊕ w0; x << y: shift the bits of x to left by the amount y. w2 = w2 ⊕ w3; 1 0 1 x>>y: shift the bits of x to right by the amount y. w0 = w0 ⊕ ((w2 ⊗i ki ) >>> Roti ); 1 mod (%), bitwise AND (&). // inverse of fi 1 3 2 w3 = w3 ⊕ ((w1 ⊗i ki ) >>> Roti ); The procedure employed to derive the sub-keys is as 2 // inverse of fi follows: 1 w1 = w1 − ki ; 2 • The constants are constructed in the following way: w2 = w2 − ki ; } if(not odd(Ci = (Ci−1 << 2)+(Ci−1 >> 1))) Ci + +; The computational flow graph of the algorithm is Where i = 1, 2, 3, · · ·; and C0 for 16, 32, 64-bit shown in Figure 1. The algorithm utilizes the same word are chosen randomly. In our implementation we operations for encryption and decryption procedures. choose C0 randomly from 10000 digits of the fraction During the execution cycle, each round function is exe- of the Golden Ratio. These starting constants are cuted using a different order of operations. Accordingly, 0x1D5B, 0x5571D066, and 0xEB6F 1276660AA498, for this variable-round-calling will appreciably add to the 16-bit word, 32-bit word, and 64-bit word respectively. algorithm security level. These constants are required to avoid weak keys such as The number of rounds is determined by the data size of in the case of IDEA [12]. The key scheduling algorithm the cipher since the key is expanded using different prim- has three phases for every word length. Figure 2 depicts itive equations depending on the size of the block. When schematically these phases. the user key is less than 256-bit long, then it is expanded These three phases are explained as follows: to 256-bit long, so number of rounds is depending on the data size and not the key size. Phase 1: In this phase, the input user’s key is ex- panded and modified as follows: Considering the number of words as q, then when the 4 The Algorithm Specifications algorithm is executed in 16-bit word length mode, the 256-bit key length can be represented with q = 16 words The PYRAMIDS provides a little variation between and the expanding procedure is: encryption and decryption procedures. The pseudo code for the encryption procedure is given by: for i =0 to q − 1 ExpandedKey[i] = (UserKey[i%s] Encryption(Plaintext, Ciphertext, k, ⊗,Rot) <<< (UserKey[i%s] ⊕ C[i]) ⊕ C[q − 1 − i]; { for i =0 to R − 1 Where s is the length of input user’s key. Round(Plaintext, Ciphertext, k, ⊗,Rot); Phase 2: In this phase, the pre-keys are constructed by for i =0 to 4 passing the input user’s key and constants through the j Ciphertext[j]= Ciphertext[j] ⊕ k4R+1 round of the cipher. } Round(Subkey[0..3], Expandedkey[0..3], C[0..3], ⊗,Rot); The pseudo code for the decryption procedure is given by: Round(Subkey[4..7], Expandedkey[4..7], C[4..7], ⊗,Rot); Decryption(Plaintext, Ciphertext, k, ⊗,Rot) Phase 3: In this phase, the sub-keys obtained from { the previous phase are used to order the rotations’ and for i =0 to 4 operations’ arrays. They are also used to construct j Ciphertext[j]= Ciphertext[j] ⊕ k4R+1 the final sub-keys which are utilized through the en- for i = R − 1 down to 0 cryption and the decryption procedures. The pseudo InvRound(Ciphertext, Plaintext, k, ⊗,Rot); code of ordering the rotations and operations is as follows: } for i =0 to t { 5 The Key Scheduling Process IndexRotation[i]= subkey[i%q]%(t − 1); IndexOperation[i]= subkey[(t − i)%q]%(t − i); The PYRAMIDS cipher uses 4 ∗ (R + 1) sub-keys. These } sub-keys are derived from the user’s input key using the International Journal of Network Security, Vol.1, No.1, PP.52–60, July 2005 (http://isrc.nchu.edu.tw/ijns/) 54 w0 w1 w2 w3 ? ? 1 3 ki - + + ki ? ? 0 - 1 - 2 2 ki fi fi ki - ? ? L L ? XX ? Rot1 XX Rot2 i XXX i XXX XX X XXX 9XXX XXXz XX 1 XXXz 9 3 kR P kR ? PPq ? ?) ? k0 - k2 R L L L L R ? ? ? ? C0 C1 C2 C3 Figure 1: The computational graph of PYRAMIDS’ round Input User’s Key ? Expanded Key ? Pre-Subkeys ? ? Constructing Operations Array Constructing Final Subkeys Constructing Rotations Array Figure 2: Computational graph of the key scheduling algorithm for i =0 to t These sub-keys are computed for 16-bit words. The { final sub-keys for other word lengths are calculated as Swap(Rotation[i], Rotation[IndexRotation[i]]); follows: Swap(Operation[i], Operation[IndexOperation[i]]); } for i =8 to 4 ∗ R +1 subkey[i] = ((((((subkey[i − 8] ⊕ subkey[i − 7]) The variable t represents the number of operations + subkey[i − 5]) & subkey[i − 4]) in each table for different word length. The tables of + subkey[i − 3]) ⊕ subkey[i − 1]) initial rotations and operations are shown in Appendix >>> subkey[i − 2]) ⊕ C[i] A. The final sub-keys are calculated as follows: The final sub-keys generations achieve fast avalanche for i = 16 to 4 ∗ R +1 because it is based on the primitive polynomial: subkey[i] = ((((((subkey[i − 16] ⊕ subkey[i − 15]) 8 7 5 4 3 Z(x)= x + x + x + x + x + x + 1 in GF (2). + subkey[i − 10]) & subkey[i − 9]) + subkey[i − 2]) ⊕ subkey[i − 1]) The arrays of the operations, rotations, and sub-keys >>> subkey[i − 3]) ⊕ C[i] are then sent to the encryption/decryption procedure. The key scheduling algorithm in the final sub-keys generations achieves fast avalanche. This is accurate 6 Hardware Implementation Suit- since the final sub-keys generations are based on the ability primitive polynomial given by: An implementation in the software of the proposed algo- Q(x)= x16 + x15 + x14 + x7 + x6 + x + 1 in GF (2).