Algebraic Properties of the Block Cipher DESL

Abstract: The Data Encryption Standard Lightweight extension (DESL) is a lightweight block cipher which is very similar to DES but, unlike DES, uses only a single S-box. This work demonstrates that this block cipher satisfies algebraic properties comparable to those of DES, namely, the round functions of DESL generate the alternating group, and both ciphers resist multiple right-hand sides attacks.


Introduction
Lightweight cryptography provides solutions tailored to devices with energy or computational constraints, which are becoming ubiquitous with the rapid proliferation of sensors and IoT devices. Meeting these constraints should not come at the cost of losing security properties; lightweight ciphers should therefore offer security guarantees comparable to those of their conventional counterparts.
One of the ciphers designed following these principles is DESL, a lightweight cipher very similar to the Data Encryption Standard (DES) [1], proposed by Leander et al. [2]. The cipher introduces one radical change: all eight substitution boxes of DES are replaced with a single new S-box. As detailed by Leander et al., this DES Lightweight extension (DESL) has very attractive features in terms of implementability on low-cost platforms. The obvious cryptanalytic question is whether these features have been paid for with a loss of security; in other words, is the security of DESL comparable to that of the original DES? Leander et al.'s original paper [2] shows that DESL resists several common attack techniques, including certain types of linear and differential cryptanalysis. Finding structural weaknesses in DESL's design remains a challenge, so despite its short key length, DESL continues to attract interest and to be cited [3,4,5]. Just a few days before this manuscript was submitted, Ji et al. used DESL as a testing ground for proposed improvements of Matsui's algorithm [6]. In this contribution, we compare two algebraic properties of DESL with those of DES.
First we show that the round functions of DESL generate the same permutation group as the round functions of DES, namely the alternating group on 2^64 points. Our proof strategy is the same as that taken by Wernsdorf for DES [7], the core part being to establish 3-transitivity of the group in question. It is not surprising that the replacement of DES's S-boxes in DESL necessitates modifications of Wernsdorf's proof; one might hope that facing only one S-box (instead of eight as in DES) simplifies the analysis, but this did not turn out to be the case for the S-box in question.
In the second part of the paper, we compare the resistance of full- and reduced-round versions of DES and DESL against an algebraic attack technique known as multiple right-hand sides (MRHS) [8]. This type of attack seems particularly interesting for Feistel ciphers like DES and DESL: MRHS equations allow a fairly compact encoding of the non-linear equations in the secret key obtained from a known plaintext-ciphertext pair. The operations for solving such equations are in principle suitable for hardware acceleration [9], but establishing run-time estimates for such an attack against genuine ciphers is (perhaps unsurprisingly) challenging. While MRHS equations were devised as a tool for cryptanalysis, Raddum and Zajac recently demonstrated that a cipher representation derived from them may yield faster encryption than a reference implementation of the cipher [10]. In [11], Zajac leveraged MRHS equations as a tool to study the connection between the cost of algebraic attacks and the multiplicative complexity of lightweight ciphers. Here we consider the original cryptanalytic application of MRHS equations. Our experimental results indicate that DESL offers resistance to this type of algebraic attack comparable to that of DES. As an aside, our results falsify a conjecture by Schoonen [12] (Hypothesis 5.1).
To keep our presentation reasonably self-contained, the next section presents the relevant details on the block cipher in question as well as the main ideas underlying an MRHS-based algebraic attack.

Preliminaries
With the exception of two modifications, DESL is identical to the Data Encryption Standard; in particular, plaintexts and ciphertexts are elements of {0,1}^64 and the key can be taken to be an element of {0,1}^56. The first difference between DES and DESL is not relevant for the group-theoretic property and the algebraic attack we explore: unlike DES, DESL has no initial permutation and no final permutation of the data processed in the cipher. The implications of the second modification are less obvious: DESL replaces all eight S-boxes of DES with a single new S-box. Figure 1 illustrates the basic data flow in DESL, and we refer to the DES specification [1] and Leander et al.'s paper [2] for a detailed specification. For our purposes it is enough to be aware of the following:
• In each round, the 64-bit input is split into a left half L_i ∈ {0,1}^32 and a right half R_i ∈ {0,1}^32. Then the value L_i :

For the group-theoretic part of our discussion of DESL, we make use of an observation about DES by Davio et al. [13] which has also been exploited in [7]. Namely, we rewrite DESL as shown in Figure 2: by applying P^{-1} before the first round and P after the last round, we combine E and P into a single function EP, so that P no longer has to be applied after the S-box. The composition EP of E and P is given in Table 2.
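The identity behind this rewriting, written out as an added derivation (it is not part of the original text). It uses the standard Feistel round of DESL with S denoting the parallel application of the S-box to the eight 6-bit blocks, and r for the number of rounds:

$$F_K(L_i, R_i) = \big(R_i,\; L_i \oplus P\big(S(E(R_i) \oplus K)\big)\big).$$

Let $\Pi(L, R) := (P(L), P(R))$ denote $P$ applied to both halves. Since $P$ is a bit permutation and hence linear, conjugating one round by $\Pi$ gives

$$\Pi^{-1} \circ F_K \circ \Pi\,(L', R') = \Pi^{-1}\big(P(R'),\; P(L') \oplus P(S(E(P(R')) \oplus K))\big) = \big(R',\; L' \oplus S(EP(R') \oplus K)\big), \qquad EP := E \circ P .$$

The conjugations telescope over the rounds,

$$F_{K_r} \circ \cdots \circ F_{K_1} = \Pi \circ \big(\Pi^{-1} F_{K_r} \Pi\big) \circ \cdots \circ \big(\Pi^{-1} F_{K_1} \Pi\big) \circ \Pi^{-1},$$

so applying $P^{-1}$ to both halves before the first round and $P$ after the last one yields a cipher whose rounds apply $EP$ before the S-box and no permutation after it.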
Figure 2. Equivalent description of DESL with the permutation P being applied before the expansion function E.

DESL, DES, and many other block ciphers can be modeled as systems of polynomial equations over the binary field F_2, which suggests algebraic attacks as a possible attack vector. MRHS offers an alternative to algebraic attacks using SAT solvers or Gröbner bases. Instead of working with ordinary polynomials, equations are represented in a different way, which for several block ciphers, including DESL and DES, can be derived conveniently. For a detailed discussion of MRHS, we refer to Raddum and Semaev's work [8]. Here we restrict ourselves to an informal review of those aspects needed for our application. In particular, we do not discuss specifics of the implementation of the algorithm and refer to [8] (Section 6) for more details (cf. also [12,14]).

Basic Terminology
For a column vector x = (x_1 x_2 ... x_y)^T ∈ F_2^y, a k × y binary matrix A of rank k, and column vectors b_1, b_2, ..., b_s ∈ F_2^k, consider the following type of equation:

A x = [b_1 b_2 ... b_s]   (1)

We refer to such an equation as an MRHS system of linear equations with right hand sides b_1, b_2, ..., b_s. Writing L := [b_1 b_2 ... b_s] for the k × s matrix of right hand sides, we also call the pair S = (A, L), written S : Ax = [L], a symbol with A-part A and L-part L. By a solution to (1) we mean a vector x ∈ F_2^y such that Ax = b_j holds for some j ∈ {1, ..., s}. For example, the following is an MRHS system of linear equations:

and algebraically, it corresponds to the nonlinear equation

Given a system of symbols

S_1 : A_1 x = [L_1], S_2 : A_2 x = [L_2], ..., S_n : A_n x = [L_n],   (2)

a solution to such a system is defined in the obvious way: it is a vector x ∈ F_2^y satisfying all of the underlying n MRHS systems of linear equations, and the goal of the procedure discussed next is to identify all solutions of (2).

Solving a System of Symbols
There are three main components to MRHS: agreeing, gluing, and extracting equations. Since memory is finite in any actual implementation of the algorithm, it may also become necessary to guess variables, and an equation symbol is sometimes made use of. Each of these parts is discussed below, and we start with a description of the main components.

Agreeing
The basic idea of an agreeing phase is to remove columns b from a right hand side L_i if no solution of A_i x = b can be a solution of the system (2). To achieve this, pairwise agreeing of symbols is employed. Namely, let S_i : A_i x = [L_i] and S_j : A_j x = [L_j] be two symbols; we say that S_i and S_j agree if for every b ∈ L_i there exists a b' ∈ L_j such that the linear system

A_i x = b, A_j x = b'   (3)

is consistent, and, vice versa, for each b' ∈ L_j there exists a b ∈ L_i such that (3) is consistent. If S_i and S_j do not agree, we remove from L_i those columns b for which (3) is inconsistent for every b' ∈ L_j, and likewise from L_j those columns b' for which (3) is inconsistent for every b ∈ L_i. Different strategies can be used to realize this basic idea, but for our purposes it is not necessary to go into further detail.
However, it is important to note that if two symbols S_h and S_i agree but S_i and S_j disagree, columns may be deleted in one or both of L_i and L_j. After this happens, it may well be that S_h no longer agrees with either of the modified symbols, and it becomes necessary to re-agree S_h with them. During the latter agreement, columns from L_h may have to be deleted, and so on, possibly resulting in a chain reaction of column deletions. To ensure that a system of symbols reaches a pairwise-agreed state, we perform the Agreeing1 algorithm in Figure 3 (see [8] (Section 3.1)).
Figure 3. The Agreeing1 algorithm.
While the symbols in a system (2) do not pairwise agree:
1. Find S_i and S_j which do not agree.
2. Agree S_i and S_j.

Gluing
When a system of symbols is in a pairwise-agreed state, we may choose to apply a different operation: the gluing of two symbols S_i = (A_i, L_i) and S_j = (A_j, L_j) results in a new symbol Bx = [L] whose set of solutions is the set of common solutions of A_i x = [L_i] and A_j x = [L_j]. After this new symbol has been formed, it is inserted into the system at hand, and the two symbols S_i and S_j which formed (B, L) are no longer necessary and are removed from the system.
Gluing a matrix L_i of width s_i with a matrix L_j of width s_j may yield a matrix L with as many as s_i · s_j columns. In an implementation, computing certain glues might therefore turn out to be infeasible, and one restricts to gluing only pairs of symbols for which the number of columns in the resulting symbol does not exceed a certain threshold.
Once several glues have been performed, the symbols in the resulting system will usually no longer be pairwise-agreed, so the algorithm in Figure 3 can be run again, initiating another round of agreeing and gluing. The eventual goal of iterated agreeing and gluing steps is to obtain a system of symbols which consists of a single symbol.

Extracting Equations
From a given symbol S : Ax = [L] we can try to extract unique right-hand side (URHS) equations, and if this is done, the resulting linear equations are placed in a dedicated symbol S_0 to which we refer as an equation symbol. The equation symbol is checked for consistency and size. The A-part of S_0 has the same number of columns as the A-parts of the other symbols, but its L-part has only one column. The equation symbol is not considered a proper part of the system (2) and does not take part in the Agreeing1 algorithm, nor is it removed after being glued to a symbol in the system. However, various implementations will involve S_0 in an agreement or gluing step. Furthermore, information from guessing variables may also be reflected by S_0.

Guessing Variables
It may happen that all symbols in a system are pairwise-agreed, no new URHS equations can be extracted, and no pair of symbols can be glued without exceeding the threshold. Lacking a better alternative, in such a situation one can guess the (one-bit) value of a variable. Before performing a guess, the system of symbols, to which we will refer as the state, is stored. After the guess has been made, pairwise agreeing, gluing, and equation extraction are performed as normal. If after some steps the state again does not allow any new URHS equation to be computed or any pair of symbols to be glued, the state is saved again, and we guess the value of another variable.
Obviously a guess for a variable can be incorrect, and this discovery manifests as follows: during the agreement of two symbols, all right-hand sides of at least one of the symbols get removed, indicating that the system has no solution. When this happens, the state can be rolled back to a previously saved state, so that a different guess can be made.

The Group Generated by DESL's Round Functions
In this section we show that the round functions of DESL generate the same group as the round functions of DES. The main part of the argument is to establish 3-transitivity of the group generated by DESL's round functions. To present the (somewhat technical) proof it will be convenient to introduce some notation.

Notation
The input to the S-box of DESL is a bitstring of length 6 and its output a bitstring of length 4, as detailed in Table 1. The 6-bit inputs are obtained by dividing a 48-bit string into eight blocks of equal length. To refer to these blocks, given a ∈ {0,1}^48 we write [a]_j for its j-th 6-bit block (j = 1, ..., 8), and we use the same notation for the selection of 4-bit blocks from a 32-bit string. It will be clear from the context whether we are dealing with 48-bit or with 32-bit values. Finally, as manifested in the balanced Feistel structure, splitting a bitstring of even length into two halves is a common operation in DESL, and for (a_1, ..., a_{2m}) ∈ {0,1}^{2m} we define a_L := (a_i)_{i=1}^{m} ∈ {0,1}^m and a_R := (a_i)_{i=m+1}^{2m} ∈ {0,1}^m. Furthermore, for ease of readability, we will often represent bitstrings by the decimal number they represent in binary (again, the length of the bitstring will always be clear from the context). Accordingly, we write A_{2^64} and S_{2^64} for the alternating and symmetric group, respectively, on {0,1}^64. Given a set of permutations Π, we denote by ⟨Π⟩ the group generated by them. Specifically, we are interested in the group G generated by the round functions F_K of DESL, where K ranges over all possible values in {0,1}^48. As in Wernsdorf's analysis of DES in [7], we ignore any restrictions imposed by the key schedule and allow the round keys to be chosen freely.
Using the description and notation from Section 2.1, for a given round key K ∈ {0,1}^48 we can represent F_K ∈ S_{2^64} as

We can therefore state our result in terms of these functions, proving that G = ⟨F_K : K ∈ {0,1}^48⟩ = A_{2^64}.

Establishing 3-Transitivity of G
Before proving the main result, we establish some preliminary lemmas.

Proof. Verifying the transitivity of G is straightforward, and the work of Even and Goldreich [15] ensures that G is contained in the alternating group.
As an intermediate step,

In other words, when evaluating F^L_{(K,K')}(a, b), the right half of the input does not vary, and its left half is XORed with the value (S( to the left half of the input. For F^R_{(K,K')} the situation is similar, with the left half of the input being stabilized. The following proposition helps in understanding the effect of repeatedly applying a map of the form F^R_{K,K'}, respectively F^L_{K,K'}.

Proposition 1. The functions F^L_{K,K'} and F^R_{K,K'} defined above satisfy the following:
(a) For all (K, K') ∈ M: F^L_{K,K'} ∈ G_{0,d} and F^R_{K,K'} ∈ G_0.
(b) For all (K, K') ∈ M_d: F^L_{K,K'} ∈ G_{0,d} and F^R_{K,K'} ∈ G_{0,d}.
(c) Let n ∈ N. Then, for all (K_1, K_1'), ..., (K_n, K_n') ∈ M and for all (a, b) ∈ {0,1}^32 × {0,1}^32, the following hold:

and, analogously,

Proof. The proof is immediate from the definition of F^L_{K,K'} and F^R_{K,K'}.
Since a ≠ 0, there exists i ∈ {1, ..., 32} with a_i = 1. Therefore there exists l ∈ {1, ..., 8} such that [EP((a_i)_{i=1}^{32})]_l ≠ 0 and, as before (but using "right-functions"), we prove that we can obtain an element a' = F^R
Notice that in this case the pairs (K_i, K_i') must lie not only in M but in M_d, so that a ∼ a' (Proposition 1(b)).
Hence, this case is traced back to the case ∃ i ∈ {33, ..., 64} : a_i = 1, and the proof is complete.
..., 11}. Therefore, the only position for which we cannot guarantee equality with e is i = 12, so J(1)^c = {12}. For the remaining indices j, we compute the sets J(j) by similar arguments.
Proof. According to Table 2

Proof. Because of Corollary 1, it is enough to show that there exists g ∈ G_0 such that g(d) = d'.
Once we have shown that G is a 3-transitive subgroup of A_{2^64}, it is not particularly difficult to verify that G is actually equal to the alternating group on 2^64 points.

Proof. We refer to the proof of Theorem 1 in [7], since the same proof applies here.

Applying MRHS to DESL and DES
The previous section focuses on a structural group-theoretic property which does not take the actual number of DESL rounds into account. In this section we study an algebraic attack against reduced- and full-round versions of DESL and compare the behaviour of the attack with the situation for DES. The underlying question is to what extent the modified S-box changes the complexity of an algebraic attack.

Symbol Creation for DESL
Since the structure of DES and DESL is the same, the process for creating the A-parts of MRHS symbols for DESL is the same as that for DES, which is described nicely in [12] (pp. 50-53). The only difference is that the L-part of each symbol does not correspond to a DES S-box but to the DESL S-box. This L-part is the 10 × 64 binary matrix

0 0 0 0 0 0 0 0 F F F F F F F F
0 0 0 0 F F F F 0 0 0 0 F F F F
0 0 F F 0 0 F F 0 0 F F 0 0 F F
0 F 0 F 0 F 0 F 0 F 0 F 0 F 0 F
3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3
5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5
8 5 E 3 6 9 6 9 6 6 9 9 A C 3 5
E 9 4 3 1 6 F 8 9 7 2 C 6 C 9 3
8 B D 6 7 4 8 3 1 E 6 1 C 9 3 E
6 9 9 A 5 9 6 6 6 5 6 9 5 A A 9

where, to save space, each hex digit packs four consecutive entries of a row (most significant bit first), so that a row of 16 hex digits stands for 64 binary entries. The top six rows enumerate the possible S-box inputs, one per column from 000000 to 111111 with the most significant input bit in the top row, and the bottom four rows give the corresponding S-box output. For example, the first column reads 000000 in the top six rows and 1110 in the bottom four rows: if the input to the S-box is 000000, then the output is 1110. The second column shows that input 000001 gives output 0101. Further, input 000010 gives output 0101, and input 000011 gives output 0000.
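A toy MRHS engine that implements the pairwise agreeing and gluing operations of the Preliminaries (consistency of the stacked system (3) is decided by Gaussian elimination over F_2) on a symbol built from the L-part printed above. This is an added example, not code from the paper or from Raddum and Semaev's implementation. The bit-packed encoding of vectors and columns, the variable numbering (x_0..x_5 the S-box input with x_5 most significant, x_6..x_9 the output), and the second symbol S_2 with its three columns are our own constructions; only the four output rows of the L-part and the two lowest input rows are taken from the page.

```python
"""Toy MRHS engine (agreeing + gluing over F_2), fed with the DESL S-box L-part.

Added example; not code from the paper. Encoding (ours): a vector in F_2^y is
an int whose bit t is variable x_t, an A-part is a list of row bitmasks, and an
L-part is a set of ints whose bit r is the entry in row r of that column.
"""

# Rows 5-10 of the printed L-part (16 hex digits each, one digit per four
# consecutive columns; column c is S-box input c). Rows 7-10 are the output
# bits, most significant first.
IN_ROW_BIT1, IN_ROW_BIT0 = "3" * 16, "5" * 16
OUT_ROWS = ["85E369696699AC35", "E94316F8972C6C93",
            "8BD674831E61C93E", "699A596665695AA9"]

def row_bit(hex_row, c):
    """Entry in column c (0..63) of a packed 64-column row."""
    return (int(hex_row[c // 4], 16) >> (3 - c % 4)) & 1

def desl_sbox(c):
    """S-box output for the 6-bit input c, decoded from the printed rows."""
    return sum(row_bit(r, c) << (3 - j) for j, r in enumerate(OUT_ROWS))

def printed_input_rows_match():
    """Sanity check: printed rows 5 and 6 are bits 1 and 0 of the column index."""
    return all(row_bit(IN_ROW_BIT1, c) == (c >> 1) & 1 and
               row_bit(IN_ROW_BIT0, c) == c & 1 for c in range(64))

def add_to_basis(basis, row):
    """Insert row into an XOR basis keyed by leading bit; True if independent."""
    while row:
        p = row.bit_length() - 1
        if p not in basis:
            basis[p] = row
            return True
        row ^= basis[p]
    return False

def consistent(rows, rhs, nvars):
    """Is rows . x = rhs solvable over F_2? Bit k of rhs belongs to row k; the
    augmented column is stored at bit nvars, above every variable."""
    plain, aug = {}, {}
    for k, row in enumerate(rows):
        add_to_basis(plain, row)
        add_to_basis(aug, row | (((rhs >> k) & 1) << nvars))
    return len(plain) == len(aug)

class Symbol:
    """An MRHS symbol S : A x = [L]."""
    def __init__(self, rows, cols):
        self.rows, self.cols = list(rows), set(cols)

def _stack(si, sj, b, bp):
    """The stacked system A_i x = b, A_j x = b' as (rows, rhs)."""
    return si.rows + sj.rows, b | (bp << len(si.rows))

def agree(si, sj, nvars):
    """Pairwise agreeing: delete every column of L_i (resp. L_j) for which no
    column of the other symbol makes the stacked system consistent."""
    keep_i = {b for b in si.cols
              if any(consistent(*_stack(si, sj, b, bp), nvars) for bp in sj.cols)}
    keep_j = {bp for bp in sj.cols
              if any(consistent(*_stack(si, sj, b, bp), nvars) for b in keep_i)}
    deleted = len(si.cols) - len(keep_i) + len(sj.cols) - len(keep_j)
    si.cols, sj.cols = keep_i, keep_j
    return deleted

def glue(si, sj, nvars):
    """Glue two symbols: B = a maximal independent subset of the rows of
    [A_i; A_j]; L = restriction to those rows of every consistent (b, b')."""
    rows = si.rows + sj.rows
    basis, keep = {}, []
    for k, row in enumerate(rows):
        if add_to_basis(basis, row):
            keep.append(k)
    cols = set()
    for b in si.cols:
        for bp in sj.cols:
            rhs = b | (bp << len(si.rows))
            if consistent(rows, rhs, nvars):
                cols.add(sum(((rhs >> k) & 1) << t for t, k in enumerate(keep)))
    return Symbol([rows[k] for k in keep], cols)

NVARS = 10  # x_0..x_5: S-box input (x_5 most significant); x_6..x_9: output

def sbox_symbol():
    """S_1: identity A-part, L-part = the 64 printed columns (input, S(input))."""
    return Symbol([1 << t for t in range(NVARS)],
                  [c | (desl_sbox(c) << 6) for c in range(64)])

def side_symbol():
    """S_2 (constructed): output forced to 0101 plus two linear rows, x_5 and the
    parity of the input; columns (v, x_5, parity) = (5,0,0), (5,1,0), (5,0,1)."""
    rows = [1 << 6, 1 << 7, 1 << 8, 1 << 9, 1 << 5, 0b111111]
    return Symbol(rows, [5, 5 | 1 << 4, 5 | 1 << 5])

def solve_toy():
    """Agree S_1 with S_2, glue them, and return
    (columns deleted by agreeing, columns of the glued symbol, surviving inputs)."""
    s1, s2 = sbox_symbol(), side_symbol()
    deleted = agree(s1, s2, NVARS)
    glued = glue(s1, s2, NVARS)
    return deleted, len(glued.cols), sorted(col & 0x3F for col in glued.cols)

if __name__ == "__main__":
    print("S(0..3) =", [desl_sbox(c) for c in range(4)])   # [14, 5, 5, 0]
    print("deleted, glued width, inputs =", solve_toy())  # (62, 3, [1, 2, 39])
```

Decoding the printed rows reproduces the worked examples in the text (inputs 0, 1, 2, 3 give 1110, 0101, 0101, 0000). Agreeing S_1 with S_2 deletes the 61 columns of S_1 whose output is not 0101 or whose (x_5, parity) pair has no partner, and the column (0101, 0, 0) of S_2, for which no S-box input exists; gluing then yields a symbol with three columns, the inputs 1, 2 and 39. Had S_2 consisted of that unsatisfiable column alone, agreeing would have emptied its L-part, which is exactly the contradiction signal used to roll back a wrong guess in the guessing phase.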

Results
For serious ciphers, the first MRHS action cycle of agreeing, gluing, and equation extracting (that is, the work done until a guess is called for) will very often not be sufficient to discover the key, so guesses of key variables must be committed. Naturally, the fewer guesses required, the better the attack is deemed to be. We write δ for the number of key bits we must guess before the whole key is recovered through an MRHS attack.
For our attacks, we used a machine called Blue with the following specifications: two quad-core Xeon E5520 2.26 GHz processors (though only one core was used) and 24 GB of RAM, running Windows 7 Server (Standard Edition). The ciphertext was 0123456789ABCDEF, and the key was the first 56 bits of the SHA-1 hash of "Katalina" (without quotes).
Under these conditions, DESL was attacked on Blue, varying both the number of rounds of the cipher and the threshold of MRHS. The results are summarized in Table 3; note that the threshold listed is the base-2 logarithm of the actual threshold, i.e., we always choose a power of 2 for the number of columns an L-part is allowed to grow to.

Table 3. DESL δ on Blue, for varying rounds and thresholds.

We can see from this data that four rounds of DESL could be handled in the initial turn of an MRHS attack, but things became more complicated with more rounds. For more than six rounds it was not at all guaranteed that an increased threshold would actually help with the computation. Only for twelve rounds did we see an improvement with an increased threshold, but once we moved to a threshold of 23, δ increased dramatically.

By way of contrast, DES was attacked on Blue, varying the number of rounds and the threshold. The results are summarized in Table 4.

Table 4. DES δ on Blue, varying rounds and thresholds.

Overall, DESL was about as secure as DES from an MRHS perspective, though on two occasions DESL required three more guessed bits than DES before the entire key was recovered.

We remark in passing that Schoonen conjectured in [12] (Hypothesis 5.1) that for 7 to 16 rounds of DES, δ would always be 56 minus the (base-2 logarithm of the) threshold; Table 4 makes it plain that this is not the case.

Conclusions
Unlike DES, the DES Lightweight extension (DESL) uses a single S-box. The security of DESL against a number of common types of attacks has already been argued in the literature. In this work we establish that the round functions of DESL generate the same permutation group as the round functions of DES, namely, the alternating group on 2^64 points. Moreover, in our experiments DESL offered resistance to MRHS-based algebraic attacks comparable to that of DES. From these algebraic points of view, DESL therefore has no disadvantage compared to DES, and the structural properties of DESL remain an interesting cryptanalytic topic of study.