Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoT Application Targets
Abstract
1. Introduction
2. BM123-64 Block Cipher Description
2.1. Preliminaries
- r denotes a round of the block cipher.
- ∆Xr denotes the input difference in round r.
- ∆Yr denotes the output difference in round r.
- ∆Ur, ∆Qr denote the round-key differences in round r.
- ei denotes a data bit that changes within a round function, i being the position of the active bit: the bit at position i is "1" and the remaining bits of the block are "0" (for instance, e1,3 = (1, 0, 1, 0, …, 0)).
2.2. BM123-64 Construction
- The 64-bit plaintext is split into two 32-bit blocks, A and B.
- In rounds r = 1 to 7, each round performs the same operations:
  (A, B) = Crypt^(0)(A, B, Ur, Qr)
  (A, B) = (B, A)
- In the last round, a final transformation produces the ciphertext:
  (A, B) = Crypt^(0)(A, B, U8, Q8)
  (A, B) = (L ⊕ UFT, R ⊕ QFT)
  (A, B) = (A, B).
- Case 1:
  y1 = vzx1 ⊕ vz ⊕ vx1 ⊕ vx2 ⊕ v ⊕ z ⊕ x1 ⊕ 1
  y2 = vzx2 ⊕ vz ⊕ vx1 ⊕ vx2 ⊕ zx1 ⊕ x2 ⊕ v ⊕ z ⊕ 1
  y3 = vzx1 ⊕ vzx2 ⊕ zx1 ⊕ x1 ⊕ x2.
- Case 2:
  y1 = vzx1 ⊕ vzx2 ⊕ vx1 ⊕ vx2 ⊕ zx1 ⊕ zx2 ⊕ z ⊕ v ⊕ x2
  y2 = vzx1 ⊕ vzx2 ⊕ vz ⊕ vx1 ⊕ vx2 ⊕ zx1 ⊕ zx2 ⊕ x1
  y3 = vz ⊕ v ⊕ z ⊕ x1 ⊕ x2.
- Case 3:
  y1 = vx2 ⊕ x2 ⊕ x1 ⊕ v ⊕ 1
  y2 = vx1 ⊕ x2.
3. Proposed Attack Methods on BM123-64 Construction
3.1. BM123-64 Crypt(e) Function Properties
3.1.1. Differential Properties of F2/2 Function
- Case 1:
  y1 = vzx1 ⊕ vz ⊕ vx1 ⊕ vx2 ⊕ v ⊕ z ⊕ x1 ⊕ 1
  y2 = vzx2 ⊕ vz ⊕ vx1 ⊕ vx2 ⊕ zx1 ⊕ x2 ⊕ v ⊕ z ⊕ 1
  Pr[F2/2(x1, x2, [v, z]) ⊕ F2/2(x1 ⊕ 1, x2, [v, z]) = (1, 0)] = 2^−2.
- Case 2:
  y1 = vzx1 ⊕ vzx2 ⊕ vx1 ⊕ vx2 ⊕ zx1 ⊕ zx2 ⊕ z ⊕ v ⊕ x2
  y2 = vzx1 ⊕ vzx2 ⊕ vz ⊕ vx1 ⊕ vx2 ⊕ zx1 ⊕ zx2 ⊕ x1
  Pr[F2/2(x1, x2, [v, z]) ⊕ F2/2(x1 ⊕ 1, x2, [v, z]) = (1, 0)] = 2^−1.
- Case 3:
  y1 = vx2 ⊕ x2 ⊕ x1 ⊕ v ⊕ 1
  y2 = vx1 ⊕ x2
  Pr[F2/2(x1, x2, [v, z]) ⊕ F2/2(x1 ⊕ 1, x2, [v, z]) = (1, 0)] = 2^−1.
3.1.2. Differential Properties of the F16/64 and F^−1 16/64 Functions
- Case 1:
  Pr[F16/64(X, V, Z) ⊕ F16/64(X ⊕ e16, V, Z) = e16] = 2^−8
  Pr[F^−1 16/64(X, V, Z) ⊕ F^−1 16/64(X ⊕ e16, V, Z) = e16] = 2^−8
- Case 2:
  Pr[F16/64(X, V, Z) ⊕ F16/64(X ⊕ e16, V, Z) = e16] = 2^−4
  Pr[F^−1 16/64(X, V, Z) ⊕ F^−1 16/64(X ⊕ e16, V, Z) = e16] = 2^−4
- Case 3:
  Pr[F16/64(X, V, Z) ⊕ F16/64(X ⊕ e16, V, Z) = e16] = 2^−4
  Pr[F^−1 16/64(X, V, Z) ⊕ F^−1 16/64(X ⊕ e16, V, Z) = e16] = 2^−4
3.2. Related-Key Boomerang of BM123-64
3.3. Related-Key Amplified Boomerang Attack on the BM123-64 Designs
- (1) We pick a set of 2^66 pairs of plaintexts (Pj, Pj*), j = 1, …, 2^66, and expand them into a set of 2^131 quartets of plaintexts (Pi, Pi*, Pi', Pi'*), i = 1, …, 2^131, in Case 1; or 2^50 pairs of plaintexts (Pj, Pj*), j = 1, …, 2^50, expanded into 2^99 quartets (Pi, Pi*, Pi', Pi'*), i = 1, …, 2^99, in Case 2 and Case 3, all with input difference (0, 0). We ask for the encryption of all quartets (Pi, Pi*, Pi', Pi'*) under the related keys (K, K*, K', K'*), whose differences satisfy the two relations ∆K = K ⊕ K* = K' ⊕ K'* = (0, e16, e32, 0, 0, 0, 0, 0) and ∆K' = K ⊕ K' = K* ⊕ K'* = (0, e32, 0, 0, 0, 0, 0, 0), and obtain the corresponding quartets of ciphertexts (Ci, Ci*, Ci', Ci'*).
- (2) For each i, we compute the XOR of Ci and Ci', and of Ci* and Ci'*, check whether the result is (0, e16), and store all such difference values to apply to the preceding eight rounds.
- (3) In this way, at the final transformation we expect to recover the 64-bit subkey consisting of K1 and K3, and then the remaining subkeys (K1*, K3*), (K1', K3'), and (K1'*, K3'*) of the quartets of subkeys.
  - (a) Similarly, at the eighth round, we decrypt all quartets of ciphertexts obtained in Step 2 with the subkey quartets of K1 and K3 to obtain the 64-bit input values (Xj, Xj*, Xj', Xj'*) on the left side of the round function.
  - (b) For each j, we compute the XOR of Xj and Xj', and of Xj* and Xj'*, and check whether the result is 0.
- (4) After Step 3, all values of the quartets of the two subkeys K1 and K3 have been explored. We can then brute-force the remaining 192-bit subkeys (K2, K4, K5, K6, K7, K8) together with all K1 and K3.
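As an added illustration (not code from the paper), the following Python applies the standard amplified-boomerang counting estimate to the parameters of the steps above and of the round-by-round characteristic table: N plaintext pairs give about N²/2 quartets, and each quartet is a right quartet with probability p² · 2^−n · q², where p and q are the probabilities of the characteristics through the first and second halves of the cipher. The counting model is an assumption; the per-round probabilities are the table's values, and n = 64 is the block size.

```python
# Added illustration: amplified-boomerang counting for the BM123-64 attack.
# All quantities are handled as log2 values (exact integers here).

# Per-round log2 probabilities of the related-key characteristic, taken from
# the characteristic table: E0 covers rounds 1-4, E1 covers rounds 5-8 and FT.
CHARACTERISTIC = {
    "case1": {"E0": [-16, 0, 0, 0], "E1": [0, 0, 0, -16, 0]},
    "case2": {"E0": [-8, 0, 0, 0],  "E1": [0, 0, 0, -8, 0]},
    "case3": {"E0": [-8, 0, 0, 0],  "E1": [0, 0, 0, -8, 0]},
}

BLOCK_BITS = 64  # n: block size of BM123-64


def log2_quartets(log2_pairs):
    """N pairs with the same input difference yield about N^2 / 2 quartets."""
    return 2 * log2_pairs - 1


def log2_expected_right_quartets(log2_pairs, log2_p, log2_q, n=BLOCK_BITS):
    """Assumed amplified-boomerang model: a quartet is 'right' when both E0
    pairs follow the first characteristic (p^2), the two E0 outputs line up
    with the difference the second characteristic needs (2^-n), and both E1
    pairs follow the second characteristic (q^2)."""
    return log2_quartets(log2_pairs) + 2 * log2_p - n + 2 * log2_q


def attack_parameters(case, log2_pairs):
    """Return (log2 chosen plaintexts, log2 quartets, log2 expected right
    quartets) for one F2/2 case and a chosen number of plaintext pairs."""
    log2_p = sum(CHARACTERISTIC[case]["E0"])
    log2_q = sum(CHARACTERISTIC[case]["E1"])
    data = log2_pairs + 1  # each pair costs two related-key chosen plaintexts
    return (data,
            log2_quartets(log2_pairs),
            log2_expected_right_quartets(log2_pairs, log2_p, log2_q))


if __name__ == "__main__":
    # Pair counts chosen in Step (1): 2^66 for Case 1, 2^50 for Cases 2 and 3.
    for case, pairs in (("case1", 66), ("case2", 50), ("case3", 50)):
        data, quartets, right = attack_parameters(case, pairs)
        print(f"{case}: 2^{data} RCP, 2^{quartets} quartets, "
              f"about 2^{right} right quartets expected")
```

Both choices of pair count leave about 2^3 right quartets, and the data figures 2^67 and 2^51 related-key chosen plaintexts match the comparison table.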
4. Results and Discussion
5. Conclusions
Author Contributions
Funding
Conflicts of Interest
Appendix A
References

| Round (r) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | FT |
|---|---|---|---|---|---|---|---|---|---|
| Ur | K3 | K4 | K8 | K6 | K2 | K7 | K5 | K2 | K3 |
| Qr | K1 | K2 | K5 | K7 | K3 | K6 | K8 | K4 | K1 |
| e'1 | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | - |
| e'2 | 0 | 1 | 1 | 0 | 1 | 1 | 1 | 1 | - |
| e'3 | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 1 | - |
| e'4 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | - |

| Round (r) | ∆Xr | (∆Ur, ∆Qr) | Probability (Case 1) | Probability (Case 2) | Probability (Case 3) |
|---|---|---|---|---|---|
| 1 | (0, 0) | (0, e32) | 2^−16 | 2^−8 | 2^−8 |
| 2 | (e16, 0) | (e16, 0) | 1 | 1 | 1 |
| 3 | (0, 0) | (0, 0) | 1 | 1 | 1 |
| 4 | (0, 0) | (0, 0) | 1 | 1 | 1 |
| Output | (0, 0) | | 2^−16 | 2^−8 | 2^−8 |
| 5 | (0, e32) | (0, e32) | 1 | 1 | 1 |
| 6 | (0, 0) | (0, 0) | 1 | 1 | 1 |
| 7 | (0, 0) | (0, 0) | 1 | 1 | 1 |
| 8 | (0, 0) | (0, e16) | 2^−16 | 2^−8 | 2^−8 |
| FT | (0, e16) | (0, 0) | 1 | 1 | 1 |
| Output (∆Y) | (0, e16) | | | | |
| Total | | | 2^−32 | 2^−16 | 2^−16 |

| Block Cipher | Total Rounds | Complexity Data/Time | Key Bits Recovery |
|---|---|---|---|
| DDP-64 | 10/10 | 2^54 RCP / 2^54 | 22 |
| CHESS-64 | 8/8 | 2^44 RCP / 2^44 | 20 |
| CHESS-64 | 8/8 | 2^39 RCP / 2^39 | 6 |
| CHESS-64 | 8/8 | 2^44 RCP / 2^108 | 128 |
| CHESS-64 | 8/8 | 2^39 RCP / 2^122 | 128 |
| DDO-64V1 | 8/8 | 2^35.5 RCP / 2^65.5 | |
| DDO-64V2 | 8/8 | 2^3 RCP / 2^31 | |
| MD-64 | 8/8 | 2^43.1 RCP / 2^95 | |
| BMD-128 | 7/8 | 2^79 RCP / 2^129 | |
| KT-64 | 8/8 | 2^45.5 RCP / 2^65.17 | |
| XO-64 | 8/8 | 2^44 RCP / 2^65 | |
| BM123-64 (Case#1) (*) | 8/8 | 2^67 RCP / 2^67 | |
| BM123-64 (Case#2) (*), BM123-64 (Case#3) (*) | 8/8 | 2^51 RCP / 2^65 | |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Phuc, T.S.D.; Lee, C. Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoT Application Targets. Symmetry 2018, 10, 353. https://doi.org/10.3390/sym10080353