
The new Block Cipher: BC2

2009, International Journal of Network Security

International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009

Yusuf Kurniawan^1, Adang Suwandi A.^2, M. Sukrisno Mardiyanto^2, Iping Supriana S.^2, and Sarwono Sutikno^2
(Corresponding author: Yusuf Kurniawan)

^1 Universitas Pasundan, Department of Informatics, Jl Setiabudi 193 Bandung 40153, Jawa Barat, Indonesia (Email: ysfk2002@yahoo.com)
^2 Institute of Technology Bandung, School of Electrical Engineering and Informatics, Jl Ganesha 10, Bandung 40132, Indonesia

(Received Mar. 23, 2006; revised and accepted May 7, 2006)

Abstract

In this paper, we propose a new block cipher called BC2 (Block Cipher 2). We build the cipher from components that are believed to be secure. The structure of BC2 is very simple. We use a Feistel network with 128-bit input and output; an 8x8 Maximum Distance Separable (MDS) matrix with branch number 9 to give high diffusion; a function affine-equivalent to the inverse function in $GF(2^8)$, taken from the Camellia and Hierocrypt S-Boxes, for confusion; and an FN function based on the FL function of Camellia. We use a heuristic method to count the minimum number of active substitution boxes in the Feistel network. We also construct a new key schedule that is fast and secure.

Keywords: BC2, block cipher, FN function, heuristic method

1 Introduction

Here we give some definitions and the list of symbols that we use. In this paper we use the finite field $GF(2^8)$, represented as $GF(2)[x]/m(x)$, where $m(x) = x^8 + x^4 + x^3 + x^2 + 1$. We can write $m(x)$ as '11d', as in Khazad [11]. We use the subscript x to denote hexadecimal. In this paper, multiplication by x is written xT(number). For example, $7f_x \bullet 2_x = xT(7f) = fe_x$, and $fe_x \bullet 2_x = xT(fe) = e1_x$. This is similar to the Rijndael proposal [7].

Some notations used in this paper are listed as follows:

• ∪ is OR;
• ∩ is AND;
• ≪ is left circular rotation by one bit;
• ≫ is right circular rotation by one bit;
• ⊕ is bitwise XOR;
• || is concatenation of two operands;
• $K^n_l$ is the left side of a 2n-bit key. This key part has a size of n bits;
• $K_r$ is the right side of K. Its size is half of the full key.

The rest of this paper is organized as follows. Section 2 describes the new block cipher BC2, its randomizing part and key schedule. Section 3 explains how to implement BC2 efficiently on various platforms. Section 4 explains the cryptanalysis of BC2. Section 5 explains the design rationale of BC2, and Section 6 gives the conclusion.

2 BC2 (Block Cipher 2)

BC2 is a 128-bit block cipher using a Feistel network that supports 128-, 192- and 256-bit key lengths. Like many other ciphers, we use substitution boxes to give confusion, a linear layer to give diffusion, and key mixing to give dependence on the key. The structure of BC2 for a 128-bit key is shown in Figure 1. For a 128-bit key, the number of rounds is 13. There are two FN functions: one is located after round 4, and the other after round 9. The FN function has very slow diffusion, so if we placed it before the first round, an attacker could arrange the input and output of the FN function to make cryptanalysis easier, and the FN function would be useless. For 192- and 256-bit keys, the number of rounds is 18. There are three $FN/FN^{-1}$ functions, located after rounds 4, 9, and 14. All F functions are the same, as in Figure 2. The number in each F function only shows the round number.

For decryption, the order of the round subkeys is reversed. So KW3 replaces KW1, KW4 replaces KW2, KW1 replaces KW3, and KW2 replaces KW4. K13 replaces K1, and so forth. Likewise, KFN1 is replaced by KFN4, KFN2 is replaced by KFN3, and so forth.

Figure 1: Encryption and decryption of BC2-128

Figure 2: F function of BC2 (64-bit input, S-boxes S1 to S8, MDS 8x8, 64-bit subkey, 64-bit output)

Figure 3: FN function and its inversion

2.1 Substitution Box

We use Camellia's S-Box [8] and Hierocrypt's S-Box [12] for BC2. The maximum differential probability of these S-Boxes is $2^{-6}$ and the maximum linear probability is $2^{-4}$ according to our experiment with a PC. Their degree is 7.

2.2 Linear Layer L

We use an MDS (Maximum Distance Separable) matrix as the linear component to give high diffusion. We do not use an XOR-based component as in the Camellia cipher, because it does not give the branch number exactly. We use a circulant matrix with small coefficients so that it can be implemented efficiently in hardware.

A linear [n, k, d] code C with generator matrix $G = [I_{k \times k} \; L_{k \times (n-k)}]$ is MDS if, and only if, every square submatrix formed from rows and columns of L is nonsingular (cf. [4], Chapter 11, § 4, Theorem 8).

We make the MDS code using a trial and error method until the matrix satisfies the requirement above.

$$
\begin{pmatrix} b_0\\ b_1\\ b_2\\ b_3\\ b_4\\ b_5\\ b_6\\ b_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 2 & 3 & 2 & 1 & 3 & 1 & 2\\
2 & 1 & 2 & 3 & 2 & 1 & 3 & 1\\
1 & 2 & 1 & 2 & 3 & 2 & 1 & 3\\
3 & 1 & 2 & 1 & 2 & 3 & 2 & 1\\
1 & 3 & 1 & 2 & 1 & 2 & 3 & 2\\
2 & 1 & 3 & 1 & 2 & 1 & 2 & 3\\
3 & 2 & 1 & 3 & 1 & 2 & 1 & 2\\
2 & 3 & 2 & 1 & 3 & 1 & 2 & 1
\end{pmatrix}
\begin{pmatrix} a_0\\ a_1\\ a_2\\ a_3\\ a_4\\ a_5\\ a_6\\ a_7 \end{pmatrix}
$$

where $a_i$ is the input of the MDS and $b_i$ is the output of the MDS. So $b = L\,a$.

2.3 Add Key AK

In this part, we use only an XOR component to avoid the weakness that can be found in the IDEA cipher.

2.4 Key Schedule

We construct a new key schedule with the following criteria:

1) it is simple and fast on many platforms;
2) it should be resistant to related-key attack;
3) it should be hard to find the masterkey if an attacker can get (partial) subkey(s);
4) there are no weak keys;
5) every bit of the masterkey influences all subkeys.

We use basic instructions (such as XOR, AND, OR, 1-bit rotation) to achieve Objectives 1, 2, and 3. We also use the matrix component (as in Rijndael) in the key schedule to achieve Objective 4. This component gives high diffusion and confusion. To achieve the last objective, we use the high diffusion that we get from the MixColumn function. The key schedule is shown in Figure 4.

Figure 4: Key schedule of BC2 (stages AK, SB, SR and MC producing KA, KB and KC)

The masterkey is composed from K1 and K2, as K1 || K2. If we only need 128 bits, we set K2 = 0, and if we need 192 bits, the last half of K2 is set to zero. From Figure 4 we get KA, KB, and KC. We use a square matrix (as in Rijndael) to create subkeys. At first, we perform an XOR operation between K1 and K2 (AK). Then we substitute them with the Camellia and Hierocrypt S-Boxes (SB). Then we rotate their bytes with ShiftRows (SR) and use MixColumn (MC) to give high diffusion. The matrix of MixColumn is similar to the matrix of the linear component in the randomizing part, as follows:

$$
\begin{pmatrix}
1 & 2 & 3 & 2\\
2 & 1 & 2 & 3\\
1 & 2 & 1 & 2\\
3 & 1 & 2 & 1
\end{pmatrix}
$$

The outputs of the MCs are XORed with a constant (Table 1) and the masterkey. The outputs of this process are KA, KB, and KC. From these keys, we compose all subkeys, as in Tables 2 and 3.

Table 1: The constants for the key schedule

| Constant | Definition | Value |
|---|---|---|
| c1 | frac(√0.8) | 0xe4f92e2dff6ec9ab294a33804a57d359 |
| c2 | frac(√0.9) | 0xf2dce89b636cb24692e711b6e1c3ff31 |

3 Implementation

In this section, we explain how to implement BC2 on various platforms.
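Section 2.2 states the MDS criterion (every square submatrix nonsingular), and Section 3.3 gives a byte-wise form of the same linear layer. The following Python check is an added example, not code from the paper, and its function names are this example's own; it implements both forms with the Introduction's xT and the coefficients as printed on this page. Run on those coefficients, it finds singular 2x2 submatrices, and a difference with two active input bytes activates only four output bytes (total weight 6), so the printed matrix does not meet the criterion required for branch number 9.

```python
# Added example (not from the paper): checks on the BC2 linear layer as printed.
from itertools import combinations

M_POLY = 0x11D  # m(x) = x^8 + x^4 + x^3 + x^2 + 1 ('11d' in the Introduction)


def xT(a):
    """Multiply a byte by x (i.e. by 2) in GF(2^8) modulo m(x)."""
    a <<= 1
    return a ^ M_POLY if a & 0x100 else a


def gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add, built on xT."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xT(a)
        b >>= 1
    return r


# Circulant matrix of Section 2.2: row i is the first row rotated right by i.
ROW0 = [1, 2, 3, 2, 1, 3, 1, 2]
L = [[ROW0[(j - i) % 8] for j in range(8)] for i in range(8)]


def matrix_layer(a):
    """b = L a computed directly from the matrix."""
    out = []
    for row in L:
        acc = 0
        for coeff, byte in zip(row, a):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out


def linear_layer_8bit(a):
    """Byte-wise form of Section 3.3 (r0..r3, then b0..b7)."""
    r0 = a[0] ^ a[2] ^ a[4] ^ a[6]
    r1 = a[1] ^ a[3] ^ a[5] ^ a[7]
    r2, r3 = xT(r0), xT(r1)
    b = []
    for i in range(8):
        # Even outputs use r0 and r3, odd outputs use r1 and r2.
        base = (r0 ^ r3) if i % 2 == 0 else (r1 ^ r2)
        b.append(base ^ a[(i + 5) % 8] ^ xT(a[(i + 2) % 8]))
    return b


def singular_2x2_minors():
    """All (row pair, column pair) whose 2x2 submatrix of L has determinant 0."""
    found = []
    for r in combinations(range(8), 2):
        for c in combinations(range(8), 2):
            det = gmul(L[r[0]][c[0]], L[r[1]][c[1]]) ^ gmul(L[r[0]][c[1]], L[r[1]][c[0]])
            if det == 0:
                found.append((r, c))
    return found


def branch_weight(a):
    """Active input bytes plus active output bytes for input difference a."""
    return sum(1 for x in a if x) + sum(1 for x in linear_layer_8bit(a) if x)


def min_weight_two_active():
    """Minimum branch weight over all differences with exactly two active bytes.

    L is GF(2^8)-linear, so scaling a difference does not change its weight
    and the first active byte can be fixed to 1.
    """
    best = 16
    for j, k in combinations(range(8), 2):
        for y in range(1, 256):
            a = [0] * 8
            a[j], a[k] = 1, y
            best = min(best, branch_weight(a))
    return best


if __name__ == "__main__":
    sample = [0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF]  # constructed input
    print("forms agree:", linear_layer_8bit(sample) == matrix_layer(sample))
    print("singular 2x2 minors:", len(singular_2x2_minors()))
    print("min weight, two active input bytes:", min_weight_two_active())
```

An 8x8 matrix whose entries are all drawn from {1, 2, 3} offers only seven distinct ratios between two entries, so any two rows must repeat a ratio in some pair of the eight columns; that pair of columns gives a singular 2x2 submatrix.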
If the input of the F function is IF, the substitution operation is SB, L is the linear operation, AK is AddKey, and the output of the F function is OF, then we can write OF = AK(L(SB(IF))).

3.1 64-bit Processors

On this platform, BC2 can be implemented very efficiently. As in the Khazad or Rijndael ciphers, we can write

$$
\begin{aligned}
\begin{pmatrix} b_0\\ b_1\\ b_2\\ b_3\\ b_4\\ b_5\\ b_6\\ b_7 \end{pmatrix}
={}&
\begin{pmatrix} SB[x_0]\\ SB[x_0]\bullet 2\\ SB[x_0]\\ SB[x_0]\bullet 3\\ SB[x_0]\\ SB[x_0]\bullet 2\\ SB[x_0]\bullet 3\\ SB[x_0]\bullet 2 \end{pmatrix}
\oplus
\begin{pmatrix} SB[x_1]\bullet 2\\ SB[x_1]\\ SB[x_1]\bullet 2\\ SB[x_1]\\ SB[x_1]\bullet 3\\ SB[x_1]\\ SB[x_1]\bullet 2\\ SB[x_1]\bullet 3 \end{pmatrix}
\oplus
\begin{pmatrix} SB[x_2]\bullet 3\\ SB[x_2]\bullet 2\\ SB[x_2]\\ SB[x_2]\bullet 2\\ SB[x_2]\\ SB[x_2]\bullet 3\\ SB[x_2]\\ SB[x_2]\bullet 2 \end{pmatrix}
\oplus
\begin{pmatrix} SB[x_3]\bullet 2\\ SB[x_3]\bullet 3\\ SB[x_3]\bullet 2\\ SB[x_3]\\ SB[x_3]\bullet 2\\ SB[x_3]\\ SB[x_3]\bullet 3\\ SB[x_3] \end{pmatrix}
\\
&\oplus
\begin{pmatrix} SB[x_4]\\ SB[x_4]\bullet 2\\ SB[x_4]\bullet 3\\ SB[x_4]\bullet 2\\ SB[x_4]\\ SB[x_4]\bullet 2\\ SB[x_4]\\ SB[x_4]\bullet 3 \end{pmatrix}
\oplus
\begin{pmatrix} SB[x_5]\bullet 3\\ SB[x_5]\\ SB[x_5]\bullet 2\\ SB[x_5]\bullet 3\\ SB[x_5]\bullet 2\\ SB[x_5]\\ SB[x_5]\bullet 2\\ SB[x_5] \end{pmatrix}
\oplus
\begin{pmatrix} SB[x_6]\\ SB[x_6]\bullet 3\\ SB[x_6]\\ SB[x_6]\bullet 2\\ SB[x_6]\bullet 3\\ SB[x_6]\bullet 2\\ SB[x_6]\\ SB[x_6]\bullet 2 \end{pmatrix}
\oplus
\begin{pmatrix} SB[x_7]\bullet 2\\ SB[x_7]\\ SB[x_7]\bullet 3\\ SB[x_7]\\ SB[x_7]\bullet 2\\ SB[x_7]\bullet 3\\ SB[x_7]\bullet 2\\ SB[x_7] \end{pmatrix}
\end{aligned}
$$

where $x_i$ is the input of SBox-i and x is the input of the F function.

If we define

$$
T_0 = \begin{pmatrix} SB[x_0]\\ SB[x_0]\bullet 2\\ SB[x_0]\\ SB[x_0]\bullet 3\\ SB[x_0]\\ SB[x_0]\bullet 2\\ SB[x_0]\bullet 3\\ SB[x_0]\bullet 2 \end{pmatrix},
\qquad
T_1 = \begin{pmatrix} SB[x_1]\bullet 2\\ SB[x_1]\\ SB[x_1]\bullet 2\\ SB[x_1]\\ SB[x_1]\bullet 3\\ SB[x_1]\\ SB[x_1]\bullet 2\\ SB[x_1]\bullet 3 \end{pmatrix}
$$

and so forth, then we have:

$$OF = T_0 \oplus T_1 \oplus T_2 \oplus T_3 \oplus T_4 \oplus T_5 \oplus T_6 \oplus T_7 \oplus SK,$$

where SK is the subkey at each round. All T tables require 16 k bytes.

3.2 32-bit Processors

For this platform we can write:

$$
\begin{pmatrix} b_0\\ b_1\\ b_2\\ b_3 \end{pmatrix}
= a_0 \begin{pmatrix} 1\\ 2\\ 1\\ 3 \end{pmatrix}
\oplus a_1 \begin{pmatrix} 2\\ 1\\ 2\\ 1 \end{pmatrix}
\oplus a_2 \begin{pmatrix} 3\\ 2\\ 1\\ 2 \end{pmatrix}
\oplus a_3 \begin{pmatrix} 2\\ 3\\ 2\\ 1 \end{pmatrix}
\oplus a_4 \begin{pmatrix} 1\\ 2\\ 3\\ 2 \end{pmatrix}
\oplus a_5 \begin{pmatrix} 3\\ 1\\ 2\\ 3 \end{pmatrix}
\oplus a_6 \begin{pmatrix} 1\\ 3\\ 1\\ 2 \end{pmatrix}
\oplus a_7 \begin{pmatrix} 2\\ 1\\ 3\\ 1 \end{pmatrix}
$$

or $OF_{0-3} = T[0] \oplus T[1] \oplus T[2] \oplus T[3] \oplus T[4] \oplus T[5] \oplus T[6] \oplus T[7] \oplus SK_{0-3}$.

$$
\begin{pmatrix} b_4\\ b_5\\ b_6\\ b_7 \end{pmatrix}
= a_0 \begin{pmatrix} 1\\ 2\\ 3\\ 2 \end{pmatrix}
\oplus a_1 \begin{pmatrix} 3\\ 1\\ 2\\ 3 \end{pmatrix}
\oplus a_2 \begin{pmatrix} 1\\ 3\\ 1\\ 2 \end{pmatrix}
\oplus a_3 \begin{pmatrix} 2\\ 1\\ 3\\ 1 \end{pmatrix}
\oplus a_4 \begin{pmatrix} 1\\ 2\\ 1\\ 3 \end{pmatrix}
\oplus a_5 \begin{pmatrix} 2\\ 1\\ 2\\ 1 \end{pmatrix}
\oplus a_6 \begin{pmatrix} 3\\ 2\\ 1\\ 2 \end{pmatrix}
\oplus a_7 \begin{pmatrix} 2\\ 3\\ 2\\ 1 \end{pmatrix}
$$

or $OF_{4-7} = T[8] \oplus T[9] \oplus T[10] \oplus T[11] \oplus T[12] \oplus T[13] \oplus T[14] \oplus T[15] \oplus SK_{4-7}$, and $a_i = SB[x_i]$.

In this method, all T tables require $2^4 \times 4 \times 2^8 = 2^{14}$ bytes. If we use one table for T[0] and T[12], one for T[4] and T[8], and so forth, then we need only 8 k bytes. The speed comparison of BC2 with other block ciphers on a personal computer can be seen in the appendix.

3.3 8-bit Processors

For this platform, the method that we describe above is unsuitable, so we use another method. We can write the linear layer as follows:

$$
\begin{aligned}
r_0 &= a_0 \oplus a_2 \oplus a_4 \oplus a_6\\
r_1 &= a_1 \oplus a_3 \oplus a_5 \oplus a_7\\
r_2 &= xT(r_0)\\
r_3 &= xT(r_1)\\
b_0 &= r_0 \oplus a_5 \oplus r_3 \oplus xT(a_2)\\
b_1 &= r_1 \oplus a_6 \oplus r_2 \oplus xT(a_3)\\
b_2 &= r_0 \oplus a_7 \oplus r_3 \oplus xT(a_4)\\
b_3 &= r_1 \oplus a_0 \oplus r_2 \oplus xT(a_5)\\
b_4 &= r_0 \oplus a_1 \oplus r_3 \oplus xT(a_6)\\
b_5 &= r_1 \oplus a_2 \oplus r_2 \oplus xT(a_7)\\
b_6 &= r_0 \oplus a_3 \oplus r_3 \oplus xT(a_0)\\
b_7 &= r_1 \oplus a_4 \oplus r_2 \oplus xT(a_1).
\end{aligned}
$$

In this method we need four registers, 30 XORs, 10 xT operations, and 12 assignments for the linear layer implementation. If we have six registers, then we can reduce the number of operations. We write $r_4 = r_0 \oplus r_3$ and $r_5 = r_1 \oplus r_2$. The S-Box and AddKey operations are performed per byte.

3.4 Key Schedule Implementation

We use the same components in the key schedule and the randomizing part to make the implementation efficient. We also use basic instructions (OR, XOR, AND, 1-bit rotation) in the key schedule so that it can be implemented efficiently on various platforms.

Table 2: Key schedule for 128-bit key

| Subkey | Definition |
|---|---|
| KW1 | KA_l ⊕ KB_l ⊕ KC_l |
| KW2 | KA_r ⊕ KB_r ⊕ KC_r |
| SK1 | (KW1 ∪ KW2) ⊕ KA_l |
| SK2 | (KW1 ∩ KW2) ⊕ KB_l |
| SK3 | (SK1 ∪ SK2) ⊕ KA_r |
| SK4 | (SK1 ∩ SK2) ⊕ KB_r |
| KFN1 | (KA_l ∪ SK3) ⊕ KC_l |
| KFN2 | (KB_l ∪ SK4) ⊕ KC_r |
| SK5 | (KA_l ∪ KB_l) ⊕ KFN2 |
| SK6 | (KA_r ∪ KB_r) ⊕ KC_r |
| SK7 | (SK5^32_l ≪ 1) \|\| (SK5^32_r ≪ 1) |
| SK8 | (SK6^32_l ≪ 1) \|\| (SK6^32_r ≪ 1) |
| SK9 | (SK7^32_l ≪ 1) \|\| (SK7^32_r ≪ 1) |
| KFN3 | KA_l ⊕ SK8 ⊕ KB_l |
| KFN4 | (KA_r ∩ SK9) ⊕ KB_r |
| SK10 | SK1 ⊕ SK5 ⊕ KFN3 |
| SK11 | (SK2 ∪ SK6) ⊕ KFN4 |
| SK12 | (SK8 ∩ SK10) ⊕ SK5 |
| SK13 | (SK9 ∪ SK10) ⊕ SK6 |
| KW3 | SK10 ⊕ SK11 ⊕ SK12 |
| KW4 | SK5 ⊕ SK6 ⊕ SK7 |

Table 3: Key schedule for 192- and 256-bit key

| Subkey | Definition |
|---|---|
| KW1 | KA_l ⊕ KB_l ⊕ KC_l |
| KW2 | KA_r ⊕ KB_r ⊕ KC_r |
| SK1 | (KW1 ∪ KW2) ⊕ KA_l |
| SK2 | (KW1 ∩ KW2) ⊕ KB_l |
| SK3 | (SK1 ∪ SK2) ⊕ KA_r |
| SK4 | (SK1 ∩ SK2) ⊕ KB_r |
| KFN1 | (KA_l ∪ SK3) ⊕ KC_l |
| KFN2 | (KB_l ∪ SK4) ⊕ KC_r |
| SK5 | (KA_l ∪ KB_l) ⊕ KFN2 |
| SK6 | (KA_r ∪ KB_r) ⊕ KC_r |
| SK7 | (SK5^32_l ≪ 1) \|\| (SK5^32_r ≪ 1) |
| SK8 | (SK6^32_l ≪ 1) \|\| (SK6^32_r ≪ 1) |
| SK9 | (SK7^32_l ≪ 1) \|\| (SK7^32_r ≪ 1) |
| KFNcentre1 | KA_l ⊕ SK8 ⊕ KB_l |
| KFNcentre2 | (KA_r ∩ SK9) ⊕ KB_r |
| SK10 | SK1 ⊕ SK5 ⊕ KFNcentre1 |
| SK11 | (SK2 ∪ SK6) ⊕ KFNcentre2 |
| SK12 | (SK8 ∩ SK10) ⊕ SK5 |
| SK13 | (SK9 ∪ SK10) ⊕ SK6 |
| SK14 | (SK11^32_l ≪ 1) \|\| (SK11^32_r ≪ 1) |
| KFN3 | (SK1 ∪ SK5) ⊕ KC_l |
| KFN4 | SK2 ⊕ SK6 ⊕ SK11 |
| SK15 | (SK7 ∩ KC_l) ⊕ SK12 |
| SK16 | (SK8 ∪ KC_r) ⊕ SK13 |
| SK17 | (SK9 ∪ KW1) ⊕ SK14 |
| SK18 | (SK10 ∪ KW2) ⊕ SK15 |
| KW3 | SK10 ⊕ SK11 ⊕ SK12 |
| KW4 | SK5 ⊕ SK6 ⊕ SK7 |

4 Cryptanalysis

4.1 Differential and Linear Cryptanalysis

In this section we discuss how to measure the maximum differential and linear probabilities ($DP_{max}$ and $LP_{max}$) of BC2 without the FN and $FN^{-1}$ functions. We use a heuristic method to count the minimal number of active substitution boxes. For the differential attack [2], we use the characteristic $a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7$ for the left side of the plaintext (64 bits), so the size of $a_i$ is 1 byte. For the right side we use b',0,0,0,0,0,0,0 (64 bits). The difference b' is chosen so that the output of the F function at round 1 is the same as $a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7$, so the input difference of round 2 is b',0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, because the output of the F function cancels the difference of the left side of the plaintext. So the minimal number of active S-Boxes for the first two rounds of BC2 is 1. The difference at the input of round 3 is 0,0,0,0,0,0,0,0, b',0,0,0,0,0,0,0 (see Figure 5). So the number of active S-Boxes in round 1 is one, in round 2 is zero, and in round 3 is one.

Figure 5: Active S-box in BC2

Since the branch number of the linear layer is 9, and the left difference of the input at round 3 is zero, the difference of the input at round 4 becomes b',0,0,0,0,0,0,0, $c_0, c_2, c_3, c_4, c_5, c_6, c_7$. It follows that the number of active S-Boxes in round 4 becomes 8.

If we continue this method, then after 10 rounds the minimum number of active S-Boxes becomes 28. So $DP_{max}$ is $(2^{-6})^{28} = 2^{-168}$, and since the behavior of the linear attack [10] looks like that of the differential attack, $LP_{max}$ is $(2^{-4})^{28} = 2^{-112}$. For the differential attack, we need $2^{168}$ chosen plaintext pairs, and for the linear attack, we need $2^{224}$ known plaintexts. Since we also consider the 3R-attack, we need 13 rounds. And since we consider the worst case of the linear/differential attack on BC2, we hope BC2 is stronger against these attacks than we predict, even more so if we consider the FN function.

As a comparison, the maximum differential/linear characteristic probabilities of the Camellia cipher reduced to 16 rounds without FL and $FL^{-1}$ are $2^{-132}$ and $2^{-88}$, respectively. If we use this heuristic method to count active S-Boxes in Camellia, we get at least 26 active S-Boxes in 16 rounds, so $DP_{max} = (2^{-6})^{26} = 2^{-156}$ and $LP_{max} = (2^{-4})^{26} = 2^{-104}$. With this probability, Camellia can be cryptanalyzed with a 2R attack.

4.2 Square Attack and Its Variant

A byte-oriented cipher is vulnerable to the square attack [6] and its variant [5]. In BC2, the property $\bigoplus_{i=0}^{255} p = 0$, where p is a plaintext byte, holds until the input of round 5. So the square attack and its variant are very unlikely to succeed for the full cipher (13 rounds).

4.3 Higher Order Differential Attack

In general, a cipher with a low non-linear order is vulnerable to this attack. Since BC2 uses a non-linear component with degree 7, the degree will increase rapidly after a few rounds. Moreover, BC2 has 13 rounds, so this attack is impossible to carry out. In addition, the FN function in BC2 increases resistance to this attack, as in the Misty cipher, which has only a low degree in its S-Box.

4.4 Interpolation Attack

A cipher whose S-Box has a simple algebraic form is vulnerable to the interpolation attack [13]. But the S-Box of BC2 adds an affine function, so this attack seems very unlikely to succeed for this cipher.

4.5 Related-key Attack and Slide Attack

A related-key attack [3] can work if there is slow diffusion or symmetry in the key schedule.
Since the key schedule of BC2 uses a function that has fast diffusion and a nonlinear operation, and uses a different mix of XOR, OR, AND and rotation for each round subkey, we hope this method is very effective in countering all kinds of known key-based attacks. Every bit of the masterkey influences KB and KC, and every round subkey is influenced by KA, KB and KC directly or indirectly. So we hope the weakness in the key schedule of SAFER can be avoided. And since the confusion component is not influenced by the subkey directly (BC2 uses XOR to mix the subkey), the weakness that one finds in IDEA is very unlikely to apply to BC2.

A slide attack [1] can work if there is symmetry in the randomizing part of the cipher and in the key schedule. Since BC2 has the FN function, the symmetry in the randomizing part decreases. Moreover, the different process in each round of the key schedule makes this attack very unlikely to succeed.

5 Design Rationale

5.1 Non-linear Component

We choose the S-Boxes from Camellia and Hierocrypt because these components have excellent features. They have maximum differential probability $2^{-6}$, maximum linear probability $2^{-4}$ and degree 7. So these components can resist differential, linear and higher order differential attacks. The affine function in these components can improve the strength of BC2 against the interpolation attack and other algebraic attacks.

5.2 Linear Component

We use MDS (Maximum Distance Separable) to increase the number of active S-Boxes, so that BC2 can resist linear/differential attacks. MDS gives high diffusion, which is also important against the boomerang attack.

5.3 FN Function

This component is made to face unknown attacks. The FN component can also damage the path of linear hull and impossible differential attacks. FN is designed to be more complicated than the one in Camellia, in order to give more protection, for example, against the truncated differential attack [9].
This attack uses part of the plaintext to predict part of the ciphertext with high probability. A byte-oriented cipher is vulnerable to this attack, so we add two more rotations to break this alignment.

6 Conclusions

We proposed a new block cipher algorithm, BC2. We designed a new key schedule that is fast and is a one-way function, so it should be hard to find the masterkey if an attacker can get a subkey. We also used differential and linear attacks to attack BC2. Our method of searching for linear/differential paths can be used to attack other BC2-like ciphers if we know their branch number.

References

[1] A. Biryukov and D. Wagner, “Slide attacks,” in Proceedings of Fast Software Encryption, LNCS 1636, pp. 245-259, Springer-Verlag, 1999.
[2] E. Biham and A. Shamir, “Differential cryptanalysis of the DES-like cryptosystems,” in Advances in Cryptology (Crypto’90), pp. 2-21, Springer-Verlag, 1993.
[3] E. Biham, “New types of cryptanalytic attacks using related keys,” Journal of Cryptology, vol. 7, no. 4, pp. 229-246, 1994.
[4] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland Mathematical Library, vol. 16, 1977.
[5] H. Gilbert and M. Minier, “A collision attack on 7 rounds of Rijndael,” in Proceedings of the Third AES Candidate Conference, pp. 230-241, 2000.
[6] J. Daemen, L. Knudsen, and V. Rijmen, “The block cipher SQUARE,” in Proceedings of Fast Software Encryption 1997, LNCS 1267, pp. 149-165, Springer-Verlag, 1997.
[7] J. Daemen and V. Rijmen, “AES proposal: Rijndael,” AES submission. (http://www.nist.gov/aes)
[8] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, “Camellia: A 128-bit block cipher suitable for multiple platform - Design and analysis,” in Proceedings of Selected Areas in Cryptography, LNCS 2012, pp. 39-56, Springer-Verlag, 2001.
[9] L. R. Knudsen, “Truncated and higher order differentials,” in Fast Software Encryption, LNCS 1008, pp. 196-211, Springer-Verlag, 1995.
[10] M. Matsui, “Linear cryptanalysis method for DES cipher,” in Advances in Cryptology (Eurocrypt’93), pp. 386-397, 1993.
[11] P. S. L. M. Barreto and V. Rijmen, “The Khazad legacy-level block cipher,” in New European Schemes for Signature, Integrity, and Encryption, pp. 84-87, 2000.
[12] K. Ohkuma, H. Shimizu, F. Sano, and S. Kawamura, “The block cipher Hierocrypt,” in Proceedings of Selected Areas in Cryptography, LNCS 2012, pp. 72-88, Springer-Verlag, 2001.
[13] T. Jakobsen and L. R. Knudsen, “The interpolation attack on block ciphers,” Fast Software Encryption, LNCS 1267, pp. 28-40, Springer-Verlag, 1997.

Appendix A: Substitution Boxes

In this section, we can see the substitution box from Camellia, called SB_C, and the one from Hierocrypt, called SB_H. They are declared as const byte SB_C[256] and const byte SB_H[256].

So, SB_C[0] = 70 hex, SB_C[8] = 23 hex, SB_C[16] = 86 hex and so forth.

So, SB_H[0] = 7 hex, SB_H[8] = bc hex, SB_H[16] = 1c hex and so forth.

Appendix B: The Characteristic for Differential/linear Attack

In this section, we give the complete table of the minimum number of active S-Boxes in BC2. From Table 4 we can count that the minimum number of active S-Boxes is 28 for 10 rounds of BC2, 37 for 13 rounds and 46 for 16 rounds. So for the 3R attack, $DP_{max}$ is $(2^{-6})^{28} = 2^{-168}$, $(2^{-6})^{37} = 2^{-222}$ and $(2^{-6})^{46} = 2^{-276}$, respectively. For the linear attack, $LP_{max}$ is $2^{-112}$, $2^{-148}$, and $2^{-184}$, respectively.

We can also use Table 4 to count the minimum number of active S-Boxes of other Feistel ciphers, if we know their branch number. For example, the branch number of Camellia is 5, so we can replace the number “8” in the table with “4”. Then the minimum number of active S-Boxes is 11 for 8 rounds of Camellia, and for 16 rounds of Camellia the minimum number of active S-Boxes is 26.

Table 4: The characteristic for differential/linear attack of BC2

| Round | Left | Right | Minimum number of active S-Boxes |
|---|---|---|---|
| 1 | a1, a2, a3, a4, a5, a6, a7, a8 | b1, 0, 0, 0, 0, 0, 0, 0 | 1 |
| 2 | b1, 0, 0, 0, 0, 0, 0, 0 | 0, 0, 0, 0, 0, 0, 0, 0 | 0 |
| 3 | 0, 0, 0, 0, 0, 0, 0, 0 | b1, 0, 0, 0, 0, 0, 0, 0 | 1 |
| 4 | b1, 0, 0, 0, 0, 0, 0, 0 | c1, c2, c3, c4, c5, c6, c7, c8 | 8 |
| 5 | c1, c2, c3, c4, c5, c6, c7, c8 | 0, 0, 0, 0, 0, 0, 0, 0 | 0 |
| 6 | 0, 0, 0, 0, 0, 0, 0, 0 | c1, c2, c3, c4, c5, c6, c7, c8 | 8 |
| 7 | c1, c2, c3, c4, c5, c6, c7, c8 | e1, 0, 0, 0, 0, 0, 0, 0 | 1 |
| 8 | e1, 0, 0, 0, 0, 0, 0, 0 | 0, 0, 0, 0, 0, 0, 0, 0 | 0 |
| 9 | 0, 0, 0, 0, 0, 0, 0, 0 | e1, 0, 0, 0, 0, 0, 0, 0 | 1 |
| 10 | e1, 0, 0, 0, 0, 0, 0, 0 | d1, d2, d3, d4, d5, d6, d7, d8 | 8 |
| 11 | d1, d2, d3, d4, d5, d6, d7, d8 | 0, 0, 0, 0, 0, 0, 0, 0 | 0 |
| 12 | 0, 0, 0, 0, 0, 0, 0, 0 | d1, d2, d3, d4, d5, d6, d7, d8 | 8 |
| 13 | d1, d2, d3, d4, d5, d6, d7, d8 | f1, 0, 0, 0, 0, 0, 0, 0 | 1 |
| 14 | f1, 0, 0, 0, 0, 0, 0, 0 | 0, 0, 0, 0, 0, 0, 0, 0 | 0 |
| 15 | 0, 0, 0, 0, 0, 0, 0, 0 | f1, 0, 0, 0, 0, 0, 0, 0 | 1 |
| 16 | f1, 0, 0, 0, 0, 0, 0, 0 | g1, g2, g3, g4, g5, g6, g7, g8 | 8 |

Appendix C: The Speed Comparison of BC2 with Other Ciphers

In this section, we give the speed comparison of BC2 with other block ciphers on a personal computer. We use ANSI C with the Borland C++ v6.0 compiler, a 1200 MHz AMD Duron processor, 512 MB RAM, and Windows XP SP2 to compare them. The key schedule of BC2 is one of the fastest of all the ciphers.

Table 5: The speed comparison

| Block cipher | Key schedule time (µs) | Encryption time per 128-bit data (µs) | Encryption rate (Mbit/s) |
|---|---|---|---|
| 3DES-168 | 4.5516 | 5.7 | 22.456 |
| BC2-128 | 0.7926 | 1.4373 | 89.0506 |
| BC2-192 | 0.9693 | 2.0123 | 63.6076 |
| BC2-256 | 0.965 | 2.0121 | 63.6223 |
| Camellia-128 | 1.4811 | 1.6724 | 76.53671 |
| Camellia-192 | 2.0029 | 2.1681 | 59.03787 |
| Camellia-256 | 2.0139 | 2.1751 | 58.84687 |
| AES-128 | 2.3403 | 1.0405 | 123.0178 |
| AES-192 | 2.4405 | 1.2428 | 102.9932 |
| AES-256 | 3.0464 | 1.3029 | 98.24238 |
| Serpent-128 | 12.3297 | 2.6038 | 49.1589 |
| Serpent-192 | 14.2815 | 2.6047 | 49.1419 |
| Serpent-256 | 16.4357 | 2.5997 | 49.236 |

Yusuf Kurniawan received the B.S. degree and the master degree in electrical engineering from Institut Teknologi Bandung (ITB), Bandung, Indonesia, in 1994 and 1997, respectively. He is currently a doctoral student at the School of Electrical Engineering and Informatics at the ITB. His research interests focus on the design of block ciphers and cryptology.

Adang Suwandi A. received the B.S. degree in Electrical & Control Engineering from the Electrical Engineering Department, ITB, Bandung, Indonesia, in 1976 and the Docteur Ingenieur in Signaux et Bruits Option Electronique from Universite des Sciences Technique du Languedoc, Montpellier, France. He is currently Chair and Professor of the School of Electrical Engineering and Informatics at the ITB. His fields of interest are intelligent system instrumentation and bioinformatics.

M. Sukrisno Mardiyanto received the DEA and Docteur Ingenieur from Institute National Polytechnique de Grenoble (INPG), France in 1982 and 1986, respectively. He has been chair of the Study Program of Informatics at ITB since 2005. His research interests focus on Software Engineering, Computer Network and Computer Security.

Iping Supriana S. received the Doctoral degree from INPG, France in 1985. He is a senior lecturer at the School of Electrical Engineering and Informatics at the ITB. He is chair of the security software project of digital mark reader at ITB.

Sarwono Sutikno received the B.S. degree in Electronics from Institute Technology of Bandung, Bandung, Indonesia, in 1984, and received the Master of Engineering degree and Doctor of Engineering degree in Integrated System from Tokyo Institute of Technology, Tokyo, Japan in 1990 and 1994, respectively. His research interests focus on the implementation of cryptographic algorithms in integrated circuits, including embedded system security. His Security Engineering focus includes Information Security Management System. He holds several professional certifications including Certified Information System Auditor and ISMS Provisional Auditor, and he is also an appointed ISACA Academic Advocate.