Related-Key Differential Attacks on CHESS-64

  • Luo, Wei (Zhengzhou Information Science and Technology Institute) ;
  • Guo, Jiansheng (Zhengzhou Information Science and Technology Institute)
  • Received : 2014.03.06
  • Accepted : 2014.08.09
  • Published : 2014.09.30

Abstract

With limited computing and storage resources, many network applications of encryption algorithms require low-power devices and fast computing components. CHESS-64 is designed by employing simple key scheduling and Data-Dependent operations (DDO) as main cryptographic components. Hardware performance for Field Programmable Gate Arrays (FPGA) and for Application Specific Integrated Circuits (ASIC) proves that CHESS-64 is a very flexible and powerful new cipher. In this paper, the security of the CHESS-64 block cipher under related-key differential cryptanalysis is studied. Based on the differential properties of DDOs, we construct two types of related-key differential characteristics with one-bit difference in the master key. To recover 74 bits of the key, two key recovery algorithms are proposed based on the two types of related-key differential characteristics; the corresponding data complexity is about $2^{42.9}$ chosen-plaintexts, the computing complexity is about $2^{42.9}$ CHESS-64 encryptions, and the storage complexity is about $2^{26.6}$ bits of storage resources. To break the cipher, an exhaustive attack is implemented to recover the remaining 54 bits of the key. This work demonstrates an effective and general way to attack DDO-based ciphers.

Keywords

1. Introduction

Security and privacy are primary requirements for wired and wireless communication. As the most common method, encryption is used to provide secure and secret communication. In the fields of ubiquitous computing systems [1], sensor networks [2], wireless networks [3], IPsec [4] and mobile communication [5], limited computing and storage resources bring a variety of privacy and security challenges for encryption algorithms. As a result, more efficient cryptographic primitives are badly needed to provide high performance on resource-constrained devices.

In the past decade, for encryption applications requiring a fast hardware implementation with limited computing and storage resources, Data-Dependent permutations (DDPs) [6] have been used as main cryptographic primitives in a number of fast block ciphers, namely Spectr-H64 [7], Cobra-H64/128 [8], CIKS-128H [9], DDP-64 [10] and so on. As a linear primitive, a DDP conserves the weight of the transformed bit string, and DDP-based ciphers show natural weaknesses against differential cryptanalytic attacks. In 2004, [11] proposed related-key differential attacks on full-round CIKS-128 and CIKS-128H. In 2005, Cobra-H64 and Cobra-H128 were proved to be insecure under related-key differential attacks [12]. It was proved that DDP-64 does not have as high a security level as the designers promised [13].

To strengthen the security of DDP-based ciphers, a more powerful cryptographic primitive, namely Data-Dependent operations (DDOs), was introduced to design block ciphers [14,15,16,17,18] implemented on resource-constrained devices. In order to achieve higher speed and use fewer computing and storage resources, these ciphers usually use a simple key schedule. For DDO-based ciphers, there is no general cryptanalysis method as there is for DDP-based ciphers, and the security problem turns out to be a stumbling block for the application of high-speed DDO-based ciphers. Consequently, security evaluation has gradually become a significant task for the application of DDO-based ciphers on resource-constrained devices.

As an example of a DDO-based cipher, CHESS-64 was designed to achieve more efficient hardware implementations than any existing DDP-based cipher. In 2009, Lee et al. proposed a related-key differential attack on CHESS-64 by constructing a related-key differential characteristic with high probability [19]. In our work, we point out some flaws in Lee et al.’s work on constructing the related-key differential characteristic and recovering the key. As a result, Lee et al.’s attack won’t work as promised.

Further, in this paper, we construct two types of related-key differential characteristics with one-bit difference in the master key, based on which two key recovery algorithms are proposed. Specifically, the first key recovery algorithm could recover 42 bits of the master key with about $2^{42.4}$ chosen-plaintexts, $2^{42.4}$ CHESS-64 encryptions and $2^{12.2}$ bits of storage resources, while the second key recovery algorithm could recover another 32 bits of the master key requiring about $2^{41.1}$ chosen-plaintexts, $2^{41}$ CHESS-64 encryptions and $2^{26.6}$ bits of storage resources. To break CHESS-64, we perform an exhaustive search to recover the remaining 54 bits of the master key. We propose the first correct cryptanalytic results on CHESS-64 so far, and we present a new and common method to analyze the security of DDO-based ciphers. We summarize our results and existing cryptanalytic results on some typical DDP-based and DDO-based ciphers in Table 1.

Table 1. Data: Related-Key Chosen Plaintexts, Time: Encryption Units

Outline. This paper is organized as follows. In Section 2, we first give some notations, and then we briefly describe the structure of CHESS-64. In Section 3, we study the related-key differential properties of CHESS-64, construct two types of related-key differential characteristics, and point out some flaws in existing cryptanalytic results on CHESS-64. In Section 4, two key recovery algorithms on CHESS-64 are presented. Finally, we conclude in Section 5.

2. Description of CHESS-64

In this section, we first present the notations used in this paper, and then we give a brief introduction to the particular DDOs used in CHESS-64 and the structure of CHESS-64.

2.1 Notations

We use the following notations in this paper. Note that a bit string will be numbered from left to right, starting with bit 1. For example, for $L = (l_1, l_2, \cdots, l_n)$, $l_1$ is the leftmost bit and $l_n$ is the rightmost bit.

- $e_i$ : a binary string $e$ in which the $i$-th bit is one and the others are zeros;

- $D(i)$ : the $i$-th bit of a 32-bit string, namely $D$;

- $F_{n/m}$ : a DDO with $m$ bits as controlling binary string, and $n$ bits as input and output, respectively;

- >>>16 : a 16-bit right cyclic rotation;

- $X, Y$ : a 64-bit plain-text and a 64-bit cipher-text, respectively;

- $X_i, Y_i$ : the input and output of the $i$-th round of CHESS-64.

2.2 DDOs used in CHESS-64

CHESS-64 employs three DDOs as its nonlinear operations which are depicted in Fig. 1.

Fig. 1. (a) $F_{32/96}$, (b) $F^{-1}_{32/96}$, (c) $F'_{32/80}$

As shown in Fig. 1-(a) and Fig. 1-(b), due to the symmetric structure, $F_{32/96}$ and $F^{-1}_{32/96}$ differ only in the distribution of controlling bits over the basic building block $F_{2/1}$, which is defined as follows.

While the basic building block $F'_{2/1}$ used in $F'_{32/80}$ is defined as follows.

2.3 Structure of CHESS-64

CHESS-64 is a pure DDO-based cipher which only employs DDOs and other linear operations. Composed of an initial transformation (IT), the round function Crypt, and a final transformation (FT), CHESS-64 is an 8-round iterated block cipher with a block size of 64 bits and a 128-bit master key. The cipher’s general structure and round function are shown in Fig. 2-(a) and Fig. 2-(b), respectively.

Fig. 2. (a) Structure of CHESS-64, (b) Round function Crypt

As shown in Fig. 2-(a), the cipher uses two 64-bit key blocks $RK_0$ and $RK_9$ to transform the input data and output data, respectively. For the first 7 rounds, the two 32-bit output blocks are swapped to form the input of the next round, but not for the last round.

As shown in Fig. 2-(b), the round function Crypt is composed of five kinds of operations: bitwise modulo-2 addition, two extension functions ($E$, $E'$), three DDOs ($F_{32/96}$, $F^{-1}_{32/96}$, $F'_{32/80}$), two cyclic rotations (<<<16, >>>7), and an involution ($I$).

Details of the transformation components of the round function Crypt can be found in [8].

To obtain high speed, CHESS-64 employs a very simple key schedule. The 128-bit master key $K$ of CHESS-64 is divided into four 32-bit key blocks $K_1, K_2, K_3, K_4$, and the round keys are presented in Table 2, where $K_m$ ($m=1,2,3,4$) denotes a 32-bit key block, and $RK_i$ ($i=1,2,\cdots,8$) denotes the round key of the $i$-th round.

Table 2. Key schedule of CHESS-64

The encryption procedure of CHESS-64 is presented in the following table.

3. Properties for Components of CHESS-64

In this section, we first describe some differential properties of the basic building blocks of DDOs, which allow us to analyze the differential properties of DDOs in the next step. Then, by adding one-bit difference in the master key, we construct three kinds of one-round related-key differential characteristics with high probability. Finally, two types of full-round related-key differential characteristics are constructed by employing the properties of DDOs and the one-round related-key differential characteristics.

3.1 Differential properties for the basic building blocks

As components of the round function Crypt, $F_{32/96}$ ($F^{-1}_{32/96}$) and $F'_{32/80}$ employ $F_{2/1}$ and $F'_{2/1}$ as basic building blocks, respectively.

The following properties hold for $F_{2/1}$.

Property 1. For $F_{2/1}$, if the difference weight of controlling string is 0, and the difference weight of input is 1, the output difference is

Property 2. For $F_{2/1}$, if the difference weight of controlling string is 0, and the difference weight of input is 2, the output difference is

Property 3. For $F_{2/1}$, if the difference weight of controlling string is 1, and the difference weight of input is 0, the output difference is

Analogously, the following properties hold for $F'_{2/1}$.

Property 4. For $F'_{2/1}$, if the difference weight of controlling string is 0, and the difference weight of input is 1, the output difference is

Property 5. For $F'_{2/1}$, if the difference weight of controlling string is 0, and the difference weight of input is 2, the output difference is

Property 6. For $F'_{2/1}$, if the difference weight of controlling string is 1, and the difference weight of input is 0, the output difference is

3.2 Differential properties for DDOs

As depicted in Fig. 1, DDOs are constructed with basic building blocks in layered topology. Specifically, $F^{-1}_{32/96}$ is constructed with 6 layers of $F_{2/1}$, and each layer consists of 16 $F_{2/1}$ in alignment; while $F'_{32/80}$ is constructed with 5 layers of $F'_{2/1}$, and each layer consists of 16 $F'_{2/1}$ in alignment. Based on the differential properties of the basic building blocks, we present differential properties of $F^{-1}_{32/96}$ and $F'_{32/80}$ when the difference weight of input is 1.

Let the input difference of $F^{-1}_{32/96}$ ($F'_{32/80}$) be $e_k$ ($k=1,2,\cdots,32$). By Property 1 and Property 2 (Property 4 and Property 5), we can accurately obtain the probability distribution of the output differences by analyzing the difference transmission properties layer by layer. For example, if the input difference of $F^{-1}_{32/96}$ is $e_{16}$, the probability distribution of the output differences of $F^{-1}_{32/96}$ is depicted in Appendix Table 1.

Theorem 1. For $F^{-1}_{32/96}$, if the difference weight of input is 1, there are at most two differential routes that could transmit the input difference $e_k$ ($k=1,2,\cdots,32$) to any output difference.

Proof. According to the topology of $F^{-1}_{32/96}$, when the difference weight of input and output is 1, there exist no more than 2 one-bit differential routes. Consequently, there exist at most 2 differential paths which could transmit $e_k$ to the nonzero bit of any output difference. In other words, there are at most two differential routes which could transmit $e_k$ to any output difference.

As shown in Fig. 3, for $F^{-1}_{32/96}$, the bold lines denote the two possible difference routes when the input difference is $e_{31}$ and the output difference is $e_{25}$. By Property 1, for the first route (see Fig. 3-(a)), we know exactly that the six bits of the controlling string from top to bottom are “011000”. By Property 1 and Property 2, for the second route (see Fig. 3-(b)), the ten bits of the controlling string from top to bottom and from left to right are “1111100001”.

Fig. 3. (a) The first difference route of $e_{31} \to e_{25}$ for $F^{-1}_{32/96}$, (b) The second difference route of $e_{31} \to e_{25}$ for $F^{-1}_{32/96}$

Based on our analysis above, it is clear that there are two flaws in [9], which are as follows.

(1) It is impossible to obtain the exact six bits of the controlling string with one-bit input and output difference for $F^{-1}_{32/96}$.

For example, as there are two possible difference routes for $e_{31} \to e_{25}$ (see Fig. 3), it is impossible to know which one is correct with a given cipher-text pair.

(2) Lee et al. made a mistake in calculating the probability of the one-bit differential route in $F^{-1}_{32/96}$.

For example, for $F^{-1}_{32/96}$ with an input difference $e_{31}$, the output difference is $e_{25}$ with probability $2^{-6} + 2^{-10}$ (not $2^{-6}$, as Lee et al. presented in the last paragraph of sub-section 4.1).

Theorem 2. For $F'_{32/80}$, if the difference weight of input is 1, we can obtain exactly one differential route according to the input difference $e_k$ ($k=1,2,\cdots,32$) and the output difference.

Proof. According to the topology of $F'_{32/80}$, when the difference weight of input and output is 1, there exists exactly one one-bit differential route. In other words, there exists one differential route that could transmit $e_k$ to the nonzero bit of any output difference. Consequently, we can obtain exactly one difference route according to the input difference $e_k$ ($k=1,2,\cdots,32$) and the output difference.

As shown in Fig. 4, for $F'_{32/80}$, the bold line denotes the single difference route when the input difference is $e_{17}$ and the output difference is $e_{25}$. According to Property 4, we know exactly that the five bits of the controlling string from top to bottom are “10010”.

Fig. 4. Difference route of $e_{17} \to e_{25}$ for $F'_{32/80}$

Property 7. For $F^{-1}_{32/96}$ ($F'_{32/80}$), if the difference weight of controlling string is 0 and the difference weight of input is nonzero, the difference weight of output is nonzero.

Proof. By Property 1 and Property 2 (Property 4 and Property 5), for $F_{2/1}$ ($F'_{2/1}$), when the difference weight of controlling string is 0 and the difference weight of input is nonzero, the difference weight of output is nonzero. As $F^{-1}_{32/96}$ ($F'_{32/80}$) is constructed with $F_{2/1}$ ($F'_{2/1}$) in layered topology, we know with certainty that the difference weight of output is nonzero for $F^{-1}_{32/96}$ ($F'_{32/80}$) by analyzing the differential properties layer by layer.

3.3 Related-key differential characteristics

With chosen plain-texts, by adding one-bit difference in the master key, Lee et al. tried to construct one-round related-key differential characteristics and, further, full-round related-key differential characteristics [9]. However, in this paper, we show that there are two flaws in Lee et al.’s work on constructing one-round related-key differential characteristics. By using the properties and theorems in the previous sub-sections, three correct one-round related-key differential characteristics are constructed with one-bit difference in the master key.

When $\Delta K_3 = e_{17}$, by Table 2, the sub-key differences of every round ($\Delta RK_i$) are as follows.

According to the three kinds of sub-key differences, three kinds of corresponding one-round related-key differential characteristics are constructed as follows.

Case 1 $\Delta RK_i = (e_{17}, 0)$

Since $\Delta RK_i = (e_{17}, 0)$, the input difference of the first $F'_{32/80}$ is $\Delta L_2 = e_{17}$. Then, according to >>>7 and $E'$, the controlling string difference of the second $F'_{32/80}$ is $\Delta W' = e_{56,67}$. By Property 4, the probability distribution of the output differences of the first $F'_{32/80}$ ($\Delta V_2$) is depicted in Table 3. By Property 6 and Property 4, the probability distribution of the output differences of the second $F'_{32/80}$ ($\Delta V_3$) is depicted in Table 4.

Table 3. OD: Output Difference, P.: Probability

Table 4. OD: Output Difference, P.: Probability

According to Table 3 and Table 4, when $\Delta V_2, \Delta V_3$ come from Table 5, the input difference of $F^{-1}_{32/96}$ is $I(\Delta V_2) \oplus \Delta V_3 = 0$, and the corresponding probability is

Table 5. The probability distribution that the input difference of $F^{-1}_{32/96}$ is 0 ($\Delta K_i = (e_{17}, 0)$)

According to our analysis above, the probability of the one-round related-key differential characteristic is $2^{-7}$, and [9] made two mistakes in the procedure of constructing it, which are as follows.

(1) Lee et al. made a mistake in calculating $\Delta W'$.

In [9], $\Delta W' = e_{56,77}$. However, the correct result is $\Delta W' = e_{56,77}$.

(2) Lee et al. made a mistake in calculating the probability of the one-round related-key differential characteristic.

Lee et al. just used one pair of $\Delta V_2, \Delta V_3$ to calculate the probability of the characteristic, and their result is $2^{-9}$. Actually, according to the six pairs of $\Delta V_2, \Delta V_3$, the correct probability is $2^{-7}$.

Case 2 $\Delta RK_i = (0, e_{17})$

Owing to the high symmetry of the round function Crypt, similar to Case 1, in Case 2 we could use $\Delta K_i = (0, e_{17})$ to construct another one-round related-key differential characteristic whose probability is $2^{-7}$.

Case 3 $\Delta RK_i = (0, 0)$

holds with probability =1.

These three correct one-round related-key differential characteristics are constructed with $\Delta K_3 = e_{17}$. With any $\Delta K_m = e_j$ ($m=1,2,3,4$, $1 \le j \le 32$), we can construct similar one-round related-key differential characteristics. Going one step further, we cannot ignore the fact that $|\Delta W'| = 2$ for $10 \le j \le 25$, and $|\Delta W'| = 3$ for other $j$. As a result, we should choose $\Delta K_m = e_j$ ($m=1,2,3,4$, $10 \le j \le 25$) so that the constructed one-round related-key differential characteristics have higher probability. When $10 \le j \le 25$, the probability distribution of $I(\Delta V_2) \oplus \Delta V_3 = 0$ (the input difference of $F^{-1}_{32/96}$) is depicted in Appendix Table 2.

The first type of related-key differential characteristics

According to Appendix Table 2, when $j=12,16,23,24$, the input difference of $F^{-1}_{32/96}$ is $I(\Delta V_2) \oplus \Delta V_3 \neq 0$, and the output difference of $F^{-1}_{32/96}$ is nonzero.

When $\Delta K_3 = e_j$, as depicted in the left part of Table 6, we construct the first type of related-key differential characteristics with the corresponding three one-round related-key differential characteristics, where $j=10,11,13,14,15,17,18,19,20,21,22,25$, $\Delta K=(0,0,e_j,0)$, $\Delta X=(0,e_j)$, $\Delta Y=(0,0)$, and the probability is

Table 6. RDC: related-key differential characteristics, P.: Probability, IT: initial transformation, FT: final transformation

The second type of related-key differential characteristics

When $\Delta K=(0,0,e_{17},0)$, based on the first type of related-key differential characteristics, we construct the second type of related-key differential characteristics by adding one-bit difference to the input of $F^{-1}_{32/96}$ in the last round, which are depicted in the right part of Table 6.

In Fig. 5, for the second type of related-key differential characteristics, the differential routes of the last round are depicted, where denotes the set of all possible output differences of $F^{-1}_{32/96}$ with $I(\Delta V_2) \oplus \Delta V_3 = e_k$ as input difference. According to Table 3 and Table 4, Appendix Table 3 depicts the probability distribution of $I(\Delta V_2) \oplus \Delta V_3 = e_k$. The second type of related-key differential characteristics holds with probability

Fig. 5. The differential routes of the last round for the second type of related-key differential characteristics

4. Related-key differential attacks on CHESS-64

In this section, by using the two types of related-key differential characteristics in the previous section, we present two key recovery algorithms on CHESS-64.

4.1 The first related-key differential attack algorithm

For the first type of related-key differential characteristics, according to Appendix Table 2, we can get exactly the output differences of the two $F'_{32/80}$ ($\Delta V_2, \Delta V_3$, respectively) in the last round. For the first $F'_{32/80}$, some bits of $L_3$ could be recovered by using $e_j \to \Delta V_2$ to recover the controlling bits of $F'_{32/80}$. For the second $F'_{32/80}$, some bits of $L_2$ could be recovered by using the difference of the controlling string and the output difference of $F'_{32/80}$ to recover the controlling bits of $F'_{32/80}$. For a cipher-text pair of the first type of related-key differential characteristics, we can recover key bits by solving the equations $L_3 \oplus Y_L = K_1 \oplus K_4$ and $L_2 \oplus <<<16(Y_L) = <<<16(K_1) \oplus K_3$.

For example, when $j=11$, according to Appendix Table 2, we can get exactly $\Delta V_2 = e_9, \Delta V_3 = e_1$ or $\Delta V_2 = e_{9,11}, \Delta V_3 = e_{1,3}$. Further, for $\Delta V_2 = e_9, \Delta V_3 = e_1$, by Theorem 2, five bits of $L_3$ could be recovered, i.e., $L_3(31)=1, L_3(3)=0, L_3(8)=0, L_3(14)=0, L_3(19)=1$, and by Property 6 and Property 4, one bit of $L_2$ could be recovered, namely $L_2(15)=0$. Then, the following equations could be constructed.

Obviously, by solving the equations above, 6 bits of information of the master key could be recovered. Similar to $\Delta V_2 = e_9, \Delta V_3 = e_1$, for $\Delta V_2 = e_{9,11}, \Delta V_3 = e_{1,3}$, 7 bits of the master key could be recovered by constructing and solving the corresponding equations. For different $j$, the recovered bits of $K_1 \oplus K_4$ and $<<<16(K_1) \oplus K_3$ are depicted in Appendix Table 4.
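The leak that Theorem 2 and the key equation $L_3 \oplus Y_L = K_1 \oplus K_4$ combine into, as an added example that is not code from the paper: when a layered network has exactly one route per input/output bit pair, an observed one-bit difference pair fixes the control bits on that route, and each fixed control bit yields one key bit. The controlled-swap element, the butterfly wiring and the `extend` mapping are assumptions standing in for $F'_{2/1}$, the $F'_{32/80}$ topology and $E'$, so the control-bit values differ from those in Fig. 4.

```python
import random

N, LAYERS = 32, 5                 # 32 wires, 5 layers of 16 two-bit elements
STRIDES = [16, 8, 4, 2, 1]        # ASSUMED butterfly wiring, not CHESS-64's own

def element_index(pos, stride):
    """Index (0..15) of the element that wire `pos` (0-based) enters in a layer."""
    k = stride.bit_length() - 1
    lo = pos & ~stride            # lower-numbered wire of the pair
    return ((lo >> (k + 1)) << k) | (lo & (stride - 1))

def extend(data):
    """ASSUMED public extension: 32 data bits -> 5 x 16 control bits."""
    return [[data[(i + 6 * r) % N] for i in range(16)] for r in range(LAYERS)]

def toy_ddo(x, ctrl):
    """Toy data-dependent operation: an element swaps its wires when its control bit is 1."""
    x = list(x)
    for r, s in enumerate(STRIDES):
        for lo in range(N):
            if not lo & s and ctrl[r][element_index(lo, s)]:
                x[lo], x[lo | s] = x[lo | s], x[lo]
    return x

def route(a, b):
    """Unique route of a one-bit difference e_a -> e_b (1-based positions).
    Returns one (layer, element, control_bit) triple per layer."""
    pos, target, triples = a - 1, b - 1, []
    for r, s in enumerate(STRIDES):
        moved = 1 if (pos ^ target) & s else 0   # element must swap iff this bit differs
        triples.append((r, element_index(pos, s), moved))
        if moved:
            pos ^= s
    return triples

def recover_key_bits(a, b, y_left):
    """Control bits on the route are bits of L; K = L xor Y_L turns them into key bits."""
    bits = {}
    for r, i, c in route(a, b):
        j = (i + 6 * r) % N       # inverse of the assumed extension
        bits[j] = c ^ y_left[j]
    return bits

def run_pair(seed, a=17):
    """One constructed right pair: returns (b, recovered key bits, true key)."""
    rng = random.Random(seed)
    key = [rng.randrange(2) for _ in range(N)]      # constructed; stands for K1 xor K4
    y_left = [rng.randrange(2) for _ in range(N)]   # constructed ciphertext half, known
    ctrl = extend([k ^ y for k, y in zip(key, y_left)])
    x = [rng.randrange(2) for _ in range(N)]
    x2 = list(x)
    x2[a - 1] ^= 1                                  # input difference e_a
    diff = [u ^ v for u, v in zip(toy_ddo(x, ctrl), toy_ddo(x2, ctrl))]
    b = diff.index(1) + 1                           # observed output difference e_b
    return b, recover_key_bits(a, b, y_left), key

if __name__ == "__main__":
    b, bits, key = run_pair(seed=1)
    print("e17 -> e%d" % b, "recovered", sorted(bits.items()))
    print("all correct:", all(key[j] == v for j, v in bits.items()))
```

Every right pair gives up to five key bits without any guessing, which is why the paper's conclusion singles out the way round-key material is mixed into DDO control inputs.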

For $j=11,13,15,17,18,19,21,22,25$, implement Key Recovery Algorithm 1.

Algorithm 1

Analysis of Key Recovery Algorithm 1

According to Appendix Table 2, for $j=11,13,15,17,18,19,21,22,25$, the probabilities of the related-key differential characteristics are $2^{-38.8}, 2^{-32}, 2^{-36.4}, 2^{-28}, 2^{-36}, 2^{-32}, 2^{-32}, 2^{-36}, 2^{-28.8}$, respectively. If we set $n_j = 40.8, 34, 38.4, 30, 38, 34, 34, 38, 30.8$, the expected number of cipher-text pairs that pass Step 2 is and further, the expected number of hits for correct key bits in Step 3 is 4. According to Appendix Table 4, by Key Recovery Algorithm 1, we can recover at least 5 bits of key information for each $j$, and the expected number of hits for wrong key bits is at most $4 \times 2^{-5}$. Therefore, by using Key Recovery Algorithm 1, we can distinguish the correct key bits from the incorrect ones. As depicted in Appendix Table 3, for $j=11,13,15,17,18,19,21,22,25$, implementing Key Recovery Algorithm 1, we can obtain 30 bits of $K_1 \oplus K_4$ and 12 bits of $<<<16(K_1) \oplus K_3$.

Theorem 3. By implementing Key Recovery Algorithm 1, we can recover 42 bits of information of the master key with a computing complexity of $2^{42.4}$ CHESS-64 encryptions, a data complexity of $2^{44.4}$ chosen plain-texts, and a storage complexity of $2^{12.2}$ bits of storage resources.

Proof. Step 1 needs about $2^{41.8}+2^{35}+2^{39.4}+2^{31}+2^{39}+2^{35}+2^{35}+2^{39}+2^{31.8} \approx 2^{42.4}$ chosen plain-texts. For Step 2, the computing complexity is about $2^{42.4}$ CHESS-64 encryptions, and we need about $4 \times 64 \times 2 \times 9 \approx 2^{12.2}$ bits to store cipher-text pairs. For Step 3, the computing complexity of recovering key bits is far less than the computing complexity of Step 2. Therefore, to recover $42\,(=30+12)$ bits of information of the master key by implementing Key Recovery Algorithm 1, we need a computing complexity of $2^{42.4}$ CHESS-64 encryptions, a data complexity of $2^{44.4}$ chosen plain-texts, and a storage complexity of $2^{12.2}$ bits of storage resources.

4.2 The second related-key differential attack algorithm

For the second type of related-key differential characteristics, in the last round, if the input difference of $F^{-1}_{32/96}$ is $I(\Delta V_2) \oplus \Delta V_3 = e_k$, we can get the probability distribution of the output difference of $F^{-1}_{32/96}$ by Property 1 and Property 2. For example, if $I(\Delta V_2) \oplus \Delta V_3 = e_{16}$, the probability distribution of the output differences of $F^{-1}_{32/96}$ is depicted in Appendix Table 1.

In the following, the input difference of $F^{-1}_{32/96}$ is $I(\Delta V_2) \oplus \Delta V_3 = e_k$, denotes the set of all possible output differences of $F^{-1}_{32/96}$, $L_{4,k}$ denotes the set of controlling bits which determine the output differences of $F^{-1}_{32/96}$, and $K_{1,k}$ denotes the set of corresponding bits of $K_1$ which is related to $L_{4,k}$. For example,

According to the topology of $F^{-1}_{32/96}$, for every $e_k$ ($k=1,2,\cdots,32$), the output differences of $F^{-1}_{32/96}$ are determined by the left 16 bits and the right 7 bits of $L_4$. Therefore, $|K_{1,k}| = |L_{4,k}| = 23$.

For $k=7,16,23,31$, implement Key Recovery Algorithm 2.

Algorithm 2

Analysis of Key Recovery Algorithm 2

According to Appendix Table 3, for $k=7,16,23,31$, the corresponding probabilities of the related-key differential characteristics are $2^{-30}, 2^{-31}, 2^{-30}, 2^{-30}$, respectively. If we set $n=40$, there are at least $2^{40} \times 2^{-31} = 2^{9}$ cipher-text pairs that could pass Step 2 (for $F^{-1}_{32/96}$, different input differences may lead to the same output difference), and further, the expected number of hits for the correct $K_{1,k}$ in Step 3 is $2^{9}$. On the other hand, as there are no more than $2^{40} \times 2^{-21} = 2^{19}$ cipher-text pairs that could pass Step 2, the expected number of hits for an incorrect $K_{1,k}$ is at most $2^{19} \times 2^{-23} = 2^{-4}$. Therefore, by using Key Recovery Algorithm 2, we can distinguish the correct $K_{1,k}$ from the wrong ones.

In the following, we discuss the uniqueness of the $K_{1,k}$ recovered by performing Key Recovery Algorithm 2.

According to the topology of $F^{-1}_{32/96}$, if and only if the positions of differences in ($k = 7,16,23,31$) cover $1,2,\cdots,32$, we can get a unique $K_{1,k}$ by implementing Key Recovery Algorithm 2. When the input difference weight of $F^{-1}_{32/96}$ is 1, any bit of the output difference is 1 with probability at least $1/32$. Further, as there are at least $2^{40} \times 2^{-31} = 2^{9}$ cipher-text pairs that could pass Step 2, the positions of differences in ($k=7,16,23,31$) cover $1,2,\cdots,32$ with probability at least 1-×(1-1/32)29 ≈ 1. Therefore, we can get a unique $K_{1,k}$ by implementing Key Recovery Algorithm 2. According to Appendix Table 3, as $K_1 = K_{1,7} \cup K_{1,16} \cup K_{1,23} \cup K_{1,31}$, we can get the whole 32 bits of $K_1$ by implementing Key Recovery Algorithm 2 for $k=7,16,23,31$.

Theorem 4. By implementing Key Recovery Algorithm 2, we can recover 32 bits of the master key with a computing complexity of $2^{41.1}$ CHESS-64 encryptions, a data complexity of $2^{41}$ chosen plain-texts, and a storage complexity of $2^{26.6}$ bits of storage resources.

Proof. Step 1 needs about $2^{41}$ chosen plain-texts. For Step 2, the computing complexity is about $2^{41}$ CHESS-64 encryptions, and we need about $2^{19} \times 2 \times 64 = 2^{26}$ bits of storage resources to store cipher-text pairs. Step 3 needs to compute at most $2^{19} \times 2^{23} = 2^{42}$ times. According to the structure of Crypt, a computation is about a quarter of a round computation. Then, Step 3 needs about $2^{42} \times 1/4 \times 1/8 = 2^{37}$ CHESS-64 encryptions, and about $2^{23} \times 4 = 2^{25}$ bits of storage resources to store the guessed key. Therefore, to recover 32 bits of the master key by implementing Key Recovery Algorithm 2, we need a computing complexity of $2^{41} + 2^{37} \approx 2^{41.1}$ CHESS-64 encryptions, a data complexity of $2^{41}$ chosen plain-texts, and a storage complexity of $2^{25} + 2^{26} \approx 2^{26.6}$ bits of storage resources.

Summary. By Theorem 3 and Theorem 4, we can recover the whole 32 bits of $K_1$, 30 bits of $K_4$, and 12 bits of $K_3$ by implementing Key Recovery Algorithm 1 and Key Recovery Algorithm 2. To recover $42+32=74$ bits of the master key, we need about $2^{42.4} + 2^{41.1} \approx 2^{42.9}$ CHESS-64 encryptions, $2^{42.4} + 2^{41.1} \approx 2^{42.9}$ chosen plain-texts, and $2^{12.2} + 2^{26.6} \approx 2^{26.6}$ bits of storage resources. By performing an exhaustive search for the remaining 54 bits of the key, we can recover the whole 128 bits of the master key and break CHESS-64 completely.
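The complexity bookkeeping behind Theorems 3 and 4 and the Summary, recomputed from the per-step figures as an added example (not code from the paper). The union bound used for the coverage probability is an assumption about the bound intended in the analysis of Key Recovery Algorithm 2; every other constant is copied from the text.

```python
import math

def log2_sum(*exps):
    """log2 of 2**e1 + 2**e2 + ..., computed without building huge integers."""
    m = max(exps)
    return m + math.log2(sum(2.0 ** (e - m) for e in exps))

# Values copied from the analysis of Key Recovery Algorithm 1 (j = 11, 13, ..., 25).
LOG2_P1 = [-38.8, -32, -36.4, -28, -36, -32, -32, -36, -28.8]
N_J = [40.8, 34, 38.4, 30, 38, 34, 34, 38, 30.8]

def algorithm1():
    """Expected hits and log2 complexities of Key Recovery Algorithm 1."""
    right = [2.0 ** (n + p) for n, p in zip(N_J, LOG2_P1)]  # right pairs per j
    return {
        "right_pairs": right,
        "wrong_hits_max": 4 * 2.0 ** -5,              # at least 5 key bits fixed per j
        "data": log2_sum(*[n + 1 for n in N_J]),      # Step 1 exponents are n_j + 1
        "storage": math.log2(4 * 64 * 2 * len(N_J)),  # 4 x 64 x 2 x 9 bits
    }

def algorithm2(n=40, p_min=-31, filt=-21, guess_bits=23):
    """Expected hits and log2 complexities of Key Recovery Algorithm 2."""
    pairs_min, pairs_max = n + p_min, n + filt        # log2 of pairs passing Step 2
    step3 = pairs_max + guess_bits - 2 - 3            # x 1/4 round, x 1/8 rounds
    # ASSUMPTION: union bound over the 32 output bit positions.
    coverage = 1 - 32 * (1 - 1 / 32) ** (2 ** pairs_min)
    return {
        "right_hits_min": 2.0 ** pairs_min,
        "wrong_hits_max": 2.0 ** (pairs_max - guess_bits),
        "data": n + 1,
        "time": log2_sum(n + 1, step3),
        "storage": log2_sum(pairs_max + 1 + 6, guess_bits + 2),  # pairs + key guesses
        "coverage": coverage,
    }

def total():
    """Combined log2 cost of both algorithms plus the remaining exhaustive search."""
    a1, a2 = algorithm1(), algorithm2()
    return {
        "time": log2_sum(a1["data"], a2["time"]),     # Algorithm 1 time equals its data
        "storage": log2_sum(a1["storage"], a2["storage"]),
        "exhaustive": 128 - (42 + 32),                # log2 of the remaining key space
    }

if __name__ == "__main__":
    for name, result in (("alg1", algorithm1()), ("alg2", algorithm2()), ("total", total())):
        print(name, result)
```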

 

5. Conclusion

The DDO-based cipher CHESS-64 was designed for fast and cheap hardware implementation with a high security level, and was considered considerably resistant against all known attacks. In this paper, however, we put forward two key recovery algorithms on CHESS-64 which are the first correct cryptanalytic results. In detail, as the two key recovery algorithms could be performed independently, we could recover $74\,(=42+32)$ bits of the cipher’s master key with $2^{42.9}$ chosen-plaintexts, $2^{42.9}$ full-round CHESS-64 encryptions, and $2^{26.6}$ bits of storage resources. Moreover, the related-key differential attacks could be extended to recover the whole 128-bit master key by performing an exhaustive search for the remaining 54 bits of the key, and the corresponding computing complexity is about $2^{54}$ CHESS-64 encryptions. In this paper, we present a new method to study the properties of DDOs in the procedure of constructing related-key differential characteristics, which is expected to be useful for the further analysis of DDO-based ciphers.

Our related-key differential attacks on CHESS-64 provide some suggestions for the design of DDO-based block ciphers. The most significant features of DDOs are their good performance in hardware and their ability to complicate plaintext data. However, according to our research on CHESS-64, the combination of DDOs and a Feistel-like structure allows attackers to recover data of the left side from a differential route in the right side, which results in a threat to the master key. At the same time, to speed up the cipher, designers often choose a simple key schedule, which makes the cipher vulnerable to related-key attacks. In a word, to avoid information leakage from DDOs under differential attacks, the designer should carefully consider the way to combine DDOs with other cryptographic primitives and the way to combine the round key with data.

References

  1. Thi Hong Nhan Vu, Quang Hiep Vu, Yang Koo Lee and The Duy Bui, "A user context recognition method for ubiquitous computing systems," in Proc. of 8th International Conference on Computing Technology and Information Management (ICCM), pp. 568-573, April 24-26, 2012.
  2. A. Bertrand, J. Szurley, P. Ruckebusch, and I. Moerman, "Efficient Calculation of Sensor Utility and Sensor Removal in Wireless Sensor Networks for Adaptive Signal Estimation and Beamforming," IEEE Transactions on Signal Processing, vol. 60, no. 11, pp. 5857-5869, November, 2012. https://doi.org/10.1109/TSP.2012.2210888
  3. P. Makris, D.N. Skoutas, and C. Skianis, "A Survey on Context-Aware Mobile and Wireless Networking: On Networking and Computing Environments' Integration," IEEE Communications Surveys & Tutorials, vol. 15, no. 1, pp. 362 -386, First Quarter, 2013. https://doi.org/10.1109/SURV.2012.040912.00180
  4. Heng Yin and Haining Wang, "Building an Application-Aware IPsec Policy System," IEEE/ACM Transactions on Networking, vol. 15, no. 6, pp. 1502-1513, December, 2007. https://doi.org/10.1109/TNET.2007.896536
  5. Zhang R., L. Wang, Parr G, et al., "Advances in base- and mobile-station aided cooperative wireless communications: An overview," IEEE Vehicular Technology Magazine, vol. 8, no. 1, pp. 57-69, March, 2013. https://doi.org/10.1109/MVT.2012.2234254
  6. A. A. Moldovyan and N. A. Moldovyan, "A cipher based on data-dependent permutation," Journal of Cryptology, vol. 15, no.1, pp. 61-72, March, 2002. https://doi.org/10.1007/s00145-001-0012-9
  7. Goots N. D., "Modern cryptography: Protect Your Data with Fast Block Cipher," A-LIST Publish, Wayne, 2003.
  8. N. Sklavos, N. A. Moldovyan, and O. Koufopavlou, "High Speed Networking Security: Design and Implementation of Two New DDP-Based Ciphers," Mobile Networks and Applications, vol. 10, no. 1-2, pp. 219-231, February, 2005. https://doi.org/10.1023/B:MONE.0000048556.51292.31
  9. Sklavos N., Moldovyan N. A., and Koufopavlou O., "A New DDP-based Cipher CIKS-128H: Architecture, Design & VLSI Implementation Optimization of CBC Encryption & Hashing over 1 GBPS," in Proc. of The 46th IEEE Midwest Symposium on Circuits & Systems, Cairo, Egypt, December 27-30, 2003.
  10. N. A. Moldovyan, et al. "Pure DDP-Based Cipher: Architecture Analysis, Hardware Implementation Cost and Performance up to 6.5 Gbps," The International Arab Journal of Information Technology, vol. 2, no. 1, pp. 24-27, 2005.
  11. Youngdai Ko, Changhoon Lee, Seokhie Hong, Jaechul Sung and Sangjin Lee, "Related-Key Attacks on DDP Based Ciphers: CIKS-128 and CIKS-128H," INDOCRYPT, LNCS 3348, pp. 191-205, December 20-22, 2004.
  12. Changhoon Lee, Jongsung Kim, Jaechul Sung, Seokhie Hong, Sangjin Lee and Dukjae Moon, "Related-Key Differential Attacks on Cobra-H64 and Cobra-H128," in Proc. of 10th IMA International Conference, LNCS 3796, pp. 201-219, December 19-21, 2005.
  13. Changhoon Lee, Sangjin Lee, Jong Hyuk Park, Sajid Hussain, and Jun Hwan Song, "Security analysis of pure DDP-based cipher proper for multimedia and ubiquitous device," Telecommunication System, 44(3-4), pp. 267-279, August 2010. https://doi.org/10.1007/s11235-009-9264-8
  14. Moldovyan N. A., Sklavos N., Moldovyan A. A., and Koufopavlou O., "CHESS-64, a Block Cipher Based on Data-Dependent Operations: Design Variants and Hardware Implementation Efficiency," Asian Journal of Information Technology, vol. 4, no. 4, pp. 323-334, April, 2005.
  15. N. Moldovyan, A. Moldovyan, M. Eremeev, and N. Sklavos, "New Class of Cryptographic Primitives and Cipher Design for Networks Security," International Journal of Network Security, vol.2, no.2, pp. 114-225, February, 2006.
  16. A. A. Moldovyan, N. A. Moldovyan, and N. Sklavos, "Controlled elements for designing ciphers suitable to efficient VLSI implementation," Telecommunication System, vol. 32, no. 2-3, pp. 149-163, July, 2006. https://doi.org/10.1007/s11235-006-9135-5
  17. Bac Do Thi, Minh Nguyen Hieu, and Duy Ho Ngoc, "An Effective and Secure Cipher Based on SDDO," I. J. Computer Network and Information Security, vol. 11, no. 11, pp. 1-10, October, 2012.
  18. Nguyen Hieu Minh, Do Thi Bac, and Ho Ngoc Duy, "New SDDO-Based Block Cipher for Wireless Sensor Network Security," International Journal of Computer Science and Network Security, vol.10, no.3, pp. 54-60, March, 2010.
  19. Changhoon Lee, Jongsung Kim, Seokhie Hong, and Yang-Sun Lee, "Security Analysis of the Full-Round CHESS-64 Cipher Suitable for Pervasive Computing Environments," Journal of Universal Computer Science, vol. 15, no. 5, pp. 1007-1022, May, 2009.
  20. Jinkeon Kang, Kitae Jeong, Sang-Soo Yeo, and Changhoon Lee, "Related-Key Attack on the MD-64 Block Cipher Suitable for Pervasive Computing Environments," in proc. of 26th International Conference on Advanced Information Networking and Applications Workshops, pp. 726-731, March 26-29, 2012.