A Block Cipher Using Key-Dependent S-box and P-boxes

Runtong Zhang
College of Computer Science and Technology, Dalian Maritime University, Dalian, China; Institute of Information Systems, School of Economics and Management, Beijing Jiaotong University, Beijing, China
[email protected]

Like Chen
College of Computer Science and Technology, Dalian Maritime University, Dalian, China
[email protected]

978-1-4244-1666-0/08/$25.00 ©2008 IEEE

Abstract: Block ciphers based on key-dependent cipher structures have been investigated for years; however, their overall performance in terms of security and speed has not been sufficiently addressed. In this paper, we propose a 128-bit Feistel block cipher, which simultaneously engages a key-dependent S-box and key-dependent P-boxes. With these two key-dependent transformations, the internal structure of this cipher algorithm is secured, so as to resist linear and differential cryptanalysis in a few rounds of encryption. Hence, the encryption and decryption functions are quite efficient. We name this key-dependent structure the DSDP structure, and the cipher DSDP. A fast permutation algorithm is used to generate both the key-dependent S-box and the key-dependent P-boxes. This greatly compensates for the performance penalty of a complex key schedule. The basic operations used in DSDP are all efficient bytewise operations, so the algorithm will have a reasonably fast speed on recent processors, 16-bit processors and smart cards as well as 8-bit processors. We implement the algorithm in C and Java respectively on several PCs with different processors, and estimate the optimized assembly performance on Pentium. The experimental results and the estimation show that DSDP has a very fast encryption/decryption speed and a reasonably fast key scheduling implementation.

I. INTRODUCTION

Since the introduction of differential and linear cryptanalysis [1][2], the theory of these two powerful cryptanalytic tools has become the potential rule guiding new block cipher design. In the last two decades, many block ciphers have been designed to resist these two kinds of attacks [26], and their central ideas can be mainly classified into two groups.

The first group chooses fixed cipher structures with the maximum difference propagation probability and the maximum input-output correlation probability as small as possible in consecutive rounds. Under this guideline, the cipher must modestly choose specific S-boxes (nonlinear transformation) where the maximum difference propagation probability and the maximum input-output correlation are as small as possible, and the linear part cannot have few active S-boxes [3]. Many advanced ciphers such as AES, Square, MISTY, and Camellia [4][3][5][6], etc., belong to this group. The advantage of this group of ciphers is that their security against differential and linear attacks can be proved. However, these ciphers usually have to do more rounds of encryption to achieve security, and their fixed building structure leaves opportunities for potential attacks.

The number of existing block ciphers belonging to the second group is much smaller than that of the first group. This group of ciphers engages key-dependent cryptanalytic structures, such as key-dependent S-boxes, to strengthen their security level. Because the S-boxes of these ciphers are unknown to the attackers, they could defy analysis based on specific properties of the S-box. In general, this kind of cipher could achieve a higher security level within fewer rounds of encryption [8]. Theoretically, the ciphers of this group should have been more practical and popular, especially in resource-limited environments. However, the existing ones of this group, such as Khufu [9] and Blowfish [10], are not quite successful to some extent.

Khufu is a 64-bit block, 512-bit key cipher designed by Merkle with a fast software implementation in mind. The strength of Khufu is based on key-dependent 8-32-bit S-boxes, and it is faster than Khafre, which has a similar cryptanalytic structure with fixed S-boxes, due to a smaller number of rounds. It is believed that Khufu is stronger than Khafre, since Khufu has secret key-dependent S-boxes, which prohibit attacks based on analysis of specific S-boxes. However, due to the drawback of its cryptanalytic structure, the avalanche effect of the difference could be postponed by eight rounds [8]. Moreover, the large expanding S-boxes (n bits of input, m bits of output, n << m) facilitate the construction of impossible differentials, so the cipher is vulnerable to meet-in-the-middle attacks. In addition, its key setup stage is complicated and quite time consuming.

Blowfish encrypts a 64-bit plaintext into a 64-bit ciphertext using a variable key length [10]. This cipher only engages the simplest operations in its cryptographic structure, so it is quite efficient in the encryption and decryption stage. However, its key scheduling stage is so complicated that the keys should not be changed frequently [10]. Usually, the keys have to be precomputed and stored. Furthermore, all four of its 8-32-bit S-boxes are randomly generated, and may lead to weak keys [11].

In this paper, a novel bytewise block cipher algorithm is proposed. This cipher encrypts a 128-bit block with a variable key length utilizing the Feistel structure. The purpose of this cipher is to offer a reasonably fast software implementation on most processors, including recent processors, 16-bit processors, smart cards as well as 8-bit processors. In order to meet our purpose, a novel key-dependent cipher structure is introduced to the round function. We engage a fast key-dependent permutation technique to speed up the key schedule. Through this permutation, one S-box and R P-boxes are calculated (R is the round number). The S-box is designed with 8-bit input and 8-bit output without repetition of S-box entry values. Since the S-box is generated with great randomness, this cipher could defy any attack based on specific properties of the S-box. In each round, a different key-dependent P-box is used to secure the permutation layer, so as to hide all the linear and differential trails from the attackers and to resist linear and differential cryptanalysis completely. The S-box and the P-boxes are all quite key-dependent, so we name this structure the DSDP structure, and the cipher DSDP. In addition, only a few generally supported basic operations are involved, so the algorithm offers good compatibility. We implement the algorithm in C and Java. The experimental result shows that this cipher has a very efficient implementation.

This paper is organized as follows: Section 2 briefly reviews preliminary concepts of modern block ciphers. Section 3 describes the high-level structure and the design rationale of DSDP. Section 4 evaluates DSDP's software performance and Section 5 analyzes the advantages of this algorithm. We conclude in Section 6.

II. PRELIMINARIES

Block ciphers divide the plaintext into separate blocks of fixed size (e.g., 64 or 128 bits), and encrypt each of them independently using the same key-dependent transformation. Two general principles guiding the design of block ciphers are diffusion and confusion. Diffusion means the spread of the influence of a single plaintext bit over many ciphertext bits so as to hide the statistical feature of the plaintext. Confusion means the use of transformations that complicate the dependence of the statistical feature of the ciphertext on that of the plaintext. Most ciphers achieve diffusion and confusion by means of a product cipher, which repeats a simpler SPN (Substitution & Permutation Network) cipher structure a number of times to construct the whole algorithm. This contributes to the cipher's simplicity and ease of implementation.

into two parts $L_{i-1}$ and $R_{i-1}$. The right part $R_{i-1}$ is left unchanged and forms the left part of the output $L_i$. The right part of the output is constructed by adding a modified copy of $R_{i-1}$ to the left part of the input $L_{i-1}$, i.e.,

$$L_i = R_{i-1},$$
$$R_i = L_{i-1} \oplus f(R_{i-1}, K_i).$$

Fig. 1. Feistel structure.

An example of such a structure is given in Fig. 1. Examples of block ciphers in this class are the Data Encryption Standard (DES), Khufu, CAST, and Twofish [12][9][13][7][17]. An advantage of this approach is that the same round function can be used for both encryption and decryption, while the round function itself need not be invertible. Since DES is a Feistel network, more cryptanalytic experience is available on Feistel ciphers than on any other general structure.

The second commonly used structure is usually called a substitution-permutation network (SPN for short). In this structure, every input bit is treated in a similar way. An example of such a network is given in Fig. 2. Examples of block ciphers in this class are SAFER, SHARK, Rijndael, and 3-WAY [14][15][16][13][17]. An advantage of this approach is inherent parallelism, while a disadvantage is that the inverse algorithm, which is required for decryption, may be different from the encryption algorithm.

B. Nonlinear Substitution Transformations (S-Boxes)

A nonlinear substitution transformation, also called an S-box, is essential for every strong encryption algorithm. S-boxes can be either fixed for all keys or key dependent. Since no specific properties of the key-dependent S-box are offered to attackers, it is our belief that key-dependent S-boxes are more secure than fixed S-boxes. Most key-dependent S-boxes created by some process are effectively random. For example, SEAL [18] uses SHA [19] to create its key-dependent S-boxes.
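The Feistel recurrence and the key-dependent, repetition-free 8-bit S-box described above, as an added toy example in Python (not the paper's DSDP code and not a usable cipher). The RC4-style shuffle, the SHA-256 subkeys, the round count and the round function f are assumptions chosen for illustration, since this section does not give DSDP's own permutation algorithm or round function.

```python
import hashlib

ROUNDS = 8   # assumption for this toy; the section states no round count
HALF = 8     # 128-bit block = two 64-bit halves

def key_dependent_sbox(key: bytes) -> list[int]:
    """8-bit bijective S-box: identity table shuffled by an RC4-style key pass."""
    if not key:
        raise ValueError("key must not be empty")
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]   # swaps only, so no entry value ever repeats
    return s

def round_keys(key: bytes) -> list[bytes]:
    """Stand-in key schedule (assumption): one SHA-256-derived subkey per round."""
    return [hashlib.sha256(key + bytes([r])).digest()[:HALF] for r in range(ROUNDS)]

def f(right: bytes, k: bytes, sbox: list[int]) -> bytes:
    """Deliberately non-invertible round function: the AND discards input bits."""
    return bytes(sbox[(right[i] ^ k[i]) & right[(i + 1) % HALF]] for i in range(HALF))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(block: bytes, key: bytes) -> bytes:
    if len(block) != 2 * HALF: raise ValueError("block must be 16 bytes")
    sbox, left, right = key_dependent_sbox(key), block[:HALF], block[HALF:]
    for k in round_keys(key):
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k, sbox))
    return left + right

def decrypt_block(block: bytes, key: bytes) -> bytes:
    if len(block) != 2 * HALF: raise ValueError("block must be 16 bytes")
    sbox, left, right = key_dependent_sbox(key), block[:HALF], block[HALF:]
    for k in reversed(round_keys(key)):
        # Same f, subkeys reversed: R_{i-1} = L_i;  L_{i-1} = R_i XOR f(L_i, K_i)
        left, right = xor(right, f(left, k, sbox)), left
    return left + right

if __name__ == "__main__":
    key, pt = b"constructed demo key", bytes(range(16))  # constructed sample input
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key) == pt)
```

Decryption never inverts f: it recomputes f on the half that passed through the round unchanged and XORs it away, which is why the round function may lose information.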