International Journal of Network Security, Vol.8, No.1, PP.16–24, Jan. 2009
The New Block Cipher: BC2
Yusuf Kurniawan^1, Adang Suwandi A.^2, M. Sukrisno Mardiyanto^2, Iping Supriana S.^2, and Sarwono Sutikno^2
(Corresponding author: Yusuf Kurniawan)
^1 Universitas Pasundan, Department of Informatics
Jl Setiabudi 193 Bandung 40153, Jawa Barat, Indonesia (Email: ysfk2002@yahoo.com)
^2 Institute of Technology Bandung, School of Electrical Engineering and Informatics
Jl Ganesha 10, Bandung 40132, Indonesia
(Received Mar. 23, 2006; revised and accepted May 7, 2006)
Abstract
In this paper, we propose a new block cipher called BC2 (Block Cipher 2). We build the cipher from components that are believed to be secure. The structure of BC2 is very simple. We use a Feistel network with 128-bit input and output; an 8x8 Maximum Distance Separable (MDS) matrix with branch number 9 to give high diffusion; a function affine-equivalent to the inverse function in $GF(2^8)$, taken from the Camellia and Hierocrypt S-Boxes, for confusion; and an FN function based on the FL function of Camellia. We use a heuristic method to count the minimum number of active substitution boxes in the Feistel network. We also construct a new key schedule that is fast and secure.
Keywords: BC2, block cipher, FN function, heuristic method
1 Introduction
Here we give some definitions and the list of symbols that we use.
In this paper we use the finite field $GF(2^8)$, which we represent as $GF(2)[x]/m(x)$, where $m(x) = x^8 + x^4 + x^3 + x^2 + 1$. We can write m(x) as '11d', as in Khazad [11]. We use the subscript x to denote hexadecimal. In this paper, multiplication by x is written xT(number). For example, $7f_x \bullet 2_x = xT(7f) = fe_x$, and $fe_x \bullet 2_x = xT(fe) = e1_x$. This is similar to the Rijndael proposal [7].
Some notations used in this paper are listed as follows:
• ∪ is OR;
• ∩ is AND;
• ≪ is left circular rotation by one bit;
• ≫ is right circular rotation by one bit;
• ⊕ is bitwise XOR;
• || is concatenation of two operands;
• $K_{nl}$ is the left side of a 2n-bit key. This key part has a size of n bits;
• $K_r$ is the right side of K. Its size is half of the full key.
The rest of this paper is organized as follows. Section 2 describes the new block cipher BC2, its randomizing part and key schedule; Section 3 explains how to implement BC2 efficiently on various platforms; Section 4 covers the cryptanalysis of BC2; Section 5 explains the design rationale of BC2; and Section 6 gives the conclusion.
2 BC2 (Block Cipher 2)
BC2 is a 128-bit block cipher using a Feistel network that supports 128-, 192- and 256-bit key lengths. Like many other ciphers, we use substitution boxes to give confusion, a linear layer to give diffusion and key mixing to give dependence on the key. The structure of BC2 for a 128-bit key is shown in Figure 1. For a 128-bit key, the number of rounds is 13. There are two FN functions: one is located after round 4, and the other after round 9. The FN function has very slow diffusion, so if we placed it before the first round, an attacker could arrange the input and output of the FN function to make cryptanalysis easier, and the FN function would then be useless.
For 192- and 256-bit keys, the number of rounds is 18. There are 3 $FN/FN^{-1}$ functions, located after rounds 4, 9, and 14.
All F functions are the same, as in Figure 2. The number in an F function only shows the round number.
For decryption, the order of the round subkeys is reversed. So KW3 replaces KW1, KW4 replaces KW2, KW1 replaces KW3, and KW2 replaces KW4; K13 replaces K1 and so forth. Likewise, KFN1 is replaced by KFN4, KFN2 is replaced by KFN3 and so forth.
[Figure 1: Encryption and decryption of BC2-128. Two panels, "BC2 encryption" and "BC2 decryption", each taking a 128-bit block through the whitening keys KW1–KW4 (64 bits each), the round functions F1–F13 with 64-bit round keys K1–K13, and the FN / FN^-1 layers with the 64-bit keys KFN1–KFN4.]
[Figure 2: F function of BC2. The 64-bit input passes through the eight S-Boxes S1–S8 and the 8x8 MDS matrix and is combined with a 64-bit subkey to give the 64-bit output.]
[Figure 3: FN function and its inversion. The inputs XL, XR and the outputs YL, YR are 32 bits each (64 bits in total); the subkey parts are labelled Ka, Kb and Kc.]
2.1 Substitution Box
We use Camellia's S-Box [8] and Hierocrypt's S-Box [12] for BC2. The maximum differential probability of these S-Boxes is $2^{-6}$ and the maximum linear probability is $2^{-4}$, according to our experiment on a PC. Their degree is 7.
2.2 Linear Layer L
We use an MDS (Maximum Distance Separable) matrix as the linear component to give high diffusion. We do not use an XOR-only component as in the Camellia cipher, because it does not give an exact branch number. We use a circulant matrix with small entries so that it can be implemented efficiently in hardware.
A linear [n, k, d] code C with generator matrix $G = [I_{k \times k} \; L_{k \times (n-k)}]$ is MDS if, and only if, every square submatrix formed from rows and columns of L is nonsingular (cf. [4], Chapter 11, § 4, Theorem 8).
We construct the MDS code by trial and error until the matrix satisfies the requirement above:
$$
\begin{pmatrix} b_0\\ b_1\\ b_2\\ b_3\\ b_4\\ b_5\\ b_6\\ b_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 2 & 3 & 2 & 1 & 3 & 1 & 2\\
2 & 1 & 2 & 3 & 2 & 1 & 3 & 1\\
1 & 2 & 1 & 2 & 3 & 2 & 1 & 3\\
3 & 1 & 2 & 1 & 2 & 3 & 2 & 1\\
1 & 3 & 1 & 2 & 1 & 2 & 3 & 2\\
2 & 1 & 3 & 1 & 2 & 1 & 2 & 3\\
3 & 2 & 1 & 3 & 1 & 2 & 1 & 2\\
2 & 3 & 2 & 1 & 3 & 1 & 2 & 1
\end{pmatrix}
\begin{pmatrix} a_0\\ a_1\\ a_2\\ a_3\\ a_4\\ a_5\\ a_6\\ a_7 \end{pmatrix}
$$
where $a_i$ is the input of the MDS layer and $b_i$ is its output. So b = L a.
2.3 Add Key AK
In this part, we use only an XOR component to avoid the weakness that can be found in the IDEA cipher.
2.4 Key Schedule
We construct a new key schedule with the following criteria:
1) it should be simple and fast on many platforms;
2) it should be resistant to related-key attacks;
3) it should be hard to find the master key if an attacker can get (partial) subkey(s);
4) there are no weak keys;
5) every bit of the master key influences all subkeys.
We use basic instructions (like XOR, AND, OR, 1-bit rotation) to achieve Objectives 1, 2, and 3. We also use the matrix component (as in Rijndael) in the key schedule to achieve Objective 4. This component gives high diffusion and confusion. To achieve the last objective, we use the high diffusion that we get from the MixColumn function. The key schedule is shown in Figure 4. The master key is composed of K1 and K2, as K1 || K2.
[Figure 4: key schedule of BC2. The figure shows K1 ⊕ K2 entering SB, SR and MC stages on 4x4 byte arrays, AK steps with C1 ⊕ K1 and C2 ⊕ K2, and the outputs KA, KB and KC.]
If we need only 128 bits, we set K2 = 0, and if we need 192 bits, the last half of K2 is set to zero. From Figure 4 we get KA, KB, and KC. We use a square matrix (as in Rijndael) to create the subkeys. First, we perform an XOR operation between K1 and K2 (AK). Then we substitute the result with the Camellia and Hierocrypt S-Boxes (SB). Then we rotate the bytes with ShiftRows (SR) and use MixColumn (MC) to give high diffusion. The MixColumn matrix is similar to the matrix of the linear component in the randomizing part:
$$
\begin{pmatrix}
1 & 2 & 3 & 2\\
2 & 1 & 2 & 3\\
1 & 2 & 1 & 2\\
3 & 1 & 2 & 1
\end{pmatrix}
$$
The outputs of the MCs are XORed with a constant (Table 1) and the master key. The outputs of this process are KA, KB, and KC. From these keys, we compose all subkeys, as in Tables 2 and 3.
Table 1: The constant for key schedule
c1    frac(√0.8)    0xe4f92e2dff6ec9ab294a33804a57d359
c2    frac(√0.9)    0xf2dce89b636cb24692e711b6e1c3ff31
3 Implementation
In this section, we explain how to implement BC2 on various platforms. If the input of the F function is IF, the substitution operation is SB, L is the linear operation, AK is AddKey, and the output of the F function is OF, then we can write
OF = AK(L(SB(IF))).
3.1 64-bit Processors
On this platform, BC2 can be implemented very efficiently. As in the Khazad or Rijndael ciphers, we can write
$$
\begin{aligned}
(b_0, b_1, b_2, b_3, b_4, b_5, b_6, b_7)^{T} ={}& SB[x_0] \bullet (1,2,1,3,1,2,3,2)^{T} \oplus SB[x_1] \bullet (2,1,2,1,3,1,2,3)^{T}\\
&\oplus SB[x_2] \bullet (3,2,1,2,1,3,1,2)^{T} \oplus SB[x_3] \bullet (2,3,2,1,2,1,3,1)^{T}\\
&\oplus SB[x_4] \bullet (1,2,3,2,1,2,1,3)^{T} \oplus SB[x_5] \bullet (3,1,2,3,2,1,2,1)^{T}\\
&\oplus SB[x_6] \bullet (1,3,1,2,3,2,1,2)^{T} \oplus SB[x_7] \bullet (2,1,3,1,2,3,2,1)^{T}
\end{aligned}
$$
where $x_i$ is the input of S-Box i and x is the input of the F function.
Table 2: key schedule for 128 bit key
KW1     KA_l ⊕ KB_l ⊕ KC_l
KW2     KA_r ⊕ KB_r ⊕ KC_r
SK1     (KW1 ∪ KW2) ⊕ KA_l
SK2     (KW1 ∩ KW2) ⊕ KB_l
SK3     (SK1 ∪ SK2) ⊕ KA_r
SK4     (SK1 ∩ SK2) ⊕ KB_r
KFN1    (KA_l ∪ SK3) ⊕ KC_l
KFN2    (KB_l ∪ SK4) ⊕ KC_r
SK5     (KA_l ∪ KB_l) ⊕ KFN2
SK6     (KA_r ∪ KB_r) ⊕ KC_r
SK7     (SK5_32l ≪ 1) || (SK5_32r ≪ 1)
SK8     (SK6_32l ≪ 1) || (SK6_32r ≪ 1)
SK9     (SK7_32l ≪ 1) || (SK7_32r ≪ 1)
KFN3    KA_l ⊕ SK8 ⊕ KB_l
KFN4    (KA_r ∩ SK9) ⊕ KB_r
SK10    SK1 ⊕ SK5 ⊕ KFN3
SK11    (SK2 ∪ SK6) ⊕ KFN4
SK12    (SK8 ∩ SK10) ⊕ SK5
SK13    (SK9 ∪ SK10) ⊕ SK6
KW3     SK10 ⊕ SK11 ⊕ SK12
KW4     SK5 ⊕ SK6 ⊕ SK7
Table 3: key schedule for 192 and 256-bit key
KW1           KA_l ⊕ KB_l ⊕ KC_l
KW2           KA_r ⊕ KB_r ⊕ KC_r
SK1           (KW1 ∪ KW2) ⊕ KA_l
SK2           (KW1 ∩ KW2) ⊕ KB_l
SK3           (SK1 ∪ SK2) ⊕ KA_r
SK4           (SK1 ∩ SK2) ⊕ KB_r
KFN1          (KA_l ∪ SK3) ⊕ KC_l
KFN2          (KB_l ∪ SK4) ⊕ KC_r
SK5           (KA_l ∪ KB_l) ⊕ KFN2
SK6           (KA_r ∪ KB_r) ⊕ KC_r
SK7           (SK5_32l ≪ 1) || (SK5_32r ≪ 1)
SK8           (SK6_32l ≪ 1) || (SK6_32r ≪ 1)
SK9           (SK7_32l ≪ 1) || (SK7_32r ≪ 1)
KFNcentre1    KA_l ⊕ SK8 ⊕ KB_l
KFNcentre2    (KA_r ∩ SK9) ⊕ KB_r
SK10          SK1 ⊕ SK5 ⊕ KFNcentre1
SK11          (SK2 ∪ SK6) ⊕ KFNcentre2
SK12          (SK8 ∩ SK10) ⊕ SK5
SK13          (SK9 ∪ SK10) ⊕ SK6
SK14          (SK11_32l ≪ 1) || (SK11_32r ≪ 1)
KFN3          (SK1 ∪ SK5) ⊕ KC_l
KFN4          SK2 ⊕ SK6 ⊕ SK11
SK15          (SK7 ∩ KC_l) ⊕ SK12
SK16          (SK8 ∪ KC_r) ⊕ SK13
SK17          (SK9 ∪ KW1) ⊕ SK14
SK18          (SK10 ∪ KW2) ⊕ SK15
KW3           SK10 ⊕ SK11 ⊕ SK12
KW4           SK5 ⊕ SK6 ⊕ SK7
If we define
$$
T_0 = SB[x_0] \bullet (1,2,1,3,1,2,3,2)^{T}, \qquad T_1 = SB[x_1] \bullet (2,1,2,1,3,1,2,3)^{T}
$$
and so forth, then we have:
$$
OF = T_0 \oplus T_1 \oplus T_2 \oplus T_3 \oplus T_4 \oplus T_5 \oplus T_6 \oplus T_7 \oplus SK,
$$
where SK is the subkey of each round. All T tables require 16 k bytes.
3.2 32-bit Processors
For this platform we can write:
$$
\begin{aligned}
(b_0, b_1, b_2, b_3)^{T} ={}& a_0 (1,2,1,3)^{T} \oplus a_1 (2,1,2,1)^{T} \oplus a_2 (3,2,1,2)^{T} \oplus a_3 (2,3,2,1)^{T}\\
&\oplus a_4 (1,2,3,2)^{T} \oplus a_5 (3,1,2,3)^{T} \oplus a_6 (1,3,1,2)^{T} \oplus a_7 (2,1,3,1)^{T}
\end{aligned}
$$
or $OF_{0-3} = T[0] \oplus T[1] \oplus T[2] \oplus T[3] \oplus T[4] \oplus T[5] \oplus T[6] \oplus T[7] \oplus SK_{0-3}$.
$$
\begin{aligned}
(b_4, b_5, b_6, b_7)^{T} ={}& a_0 (1,2,3,2)^{T} \oplus a_1 (3,1,2,3)^{T} \oplus a_2 (1,3,1,2)^{T} \oplus a_3 (2,1,3,1)^{T}\\
&\oplus a_4 (1,2,1,3)^{T} \oplus a_5 (2,1,2,1)^{T} \oplus a_6 (3,2,1,2)^{T} \oplus a_7 (2,3,2,1)^{T}
\end{aligned}
$$
or $OF_{4-7} = T[8] \oplus T[9] \oplus T[10] \oplus T[11] \oplus T[12] \oplus T[13] \oplus T[14] \oplus T[15] \oplus SK_{4-7}$ and $a_i = SB[x_i]$.
In this method, all T tables require $2^4 \times 4 \times 2^8 = 2^{14}$ bytes. If we use one table for T[0] and T[12], one for T[4] and T[8], and so forth, then we need only 8 k bytes.
The speed comparison of BC2 with other block ciphers on a personal computer can be seen in the appendix.
3.3 8-bit Processors
For this platform, the method described above is unsuitable, so we use another method. We can write the linear layer as follows:
$$
\begin{aligned}
r_0 &= a_0 \oplus a_2 \oplus a_4 \oplus a_6\\
r_1 &= a_1 \oplus a_3 \oplus a_5 \oplus a_7\\
r_2 &= xT(r_0)\\
r_3 &= xT(r_1)\\
b_0 &= r_0 \oplus a_5 \oplus r_3 \oplus xT(a_2)\\
b_1 &= r_1 \oplus a_6 \oplus r_2 \oplus xT(a_3)\\
b_2 &= r_0 \oplus a_7 \oplus r_3 \oplus xT(a_4)\\
b_3 &= r_1 \oplus a_0 \oplus r_2 \oplus xT(a_5)\\
b_4 &= r_0 \oplus a_1 \oplus r_3 \oplus xT(a_6)\\
b_5 &= r_1 \oplus a_2 \oplus r_2 \oplus xT(a_7)\\
b_6 &= r_0 \oplus a_3 \oplus r_3 \oplus xT(a_0)\\
b_7 &= r_1 \oplus a_4 \oplus r_2 \oplus xT(a_1).
\end{aligned}
$$
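The circulant matrix of Section 2.2 and the XOR/xT form of Section 3.3 describe the same linear map. The following added example (not code from the paper) implements both in Python over $GF(2^8)$ with m(x) = '11d', checks that they agree, and applies the submatrix criterion quoted in Section 2.2 to the coefficients as printed; all function names are chosen here for illustration.

```python
# Added example, not the authors' code. BC2 linear layer over GF(2^8) with
# m(x) = x^8 + x^4 + x^3 + x^2 + 1 ('11d'); all function names are chosen here.
from itertools import combinations

def xT(a):
    """Multiply by x (02) modulo m(x)."""
    a <<= 1
    return a ^ 0x11D if a & 0x100 else a

def gmul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xT(a), b >> 1
    return r

ROW0 = [1, 2, 3, 2, 1, 3, 1, 2]                  # first row as printed
L = [ROW0[-i:] + ROW0[:-i] for i in range(8)]    # circulant: rotate right by i

def apply_matrix(a):
    """b = L a, computed row by row."""
    out = []
    for row in L:
        acc = 0
        for coef, x in zip(row, a):
            acc ^= gmul(x, coef)
        out.append(acc)
    return out

def apply_8bit(a):
    """The Section 3.3 form: XORs and xT only."""
    r0 = a[0] ^ a[2] ^ a[4] ^ a[6]
    r1 = a[1] ^ a[3] ^ a[5] ^ a[7]
    r2, r3 = xT(r0), xT(r1)
    return [(r0 ^ r3 if i % 2 == 0 else r1 ^ r2)
            ^ a[(i + 5) % 8] ^ xT(a[(i + 2) % 8]) for i in range(8)]

def is_singular(m):
    """Fraction-free elimination over GF(2^8): True if the rows are dependent."""
    m = [row[:] for row in m]
    for c in range(len(m)):
        piv = next((r for r in range(c, len(m)) if m[r][c]), None)
        if piv is None:
            return True
        m[c], m[piv] = m[piv], m[c]
        for r in range(c + 1, len(m)):
            f = m[r][c]
            # pivot * row_r XOR f * row_c clears column c and keeps the rank
            m[r] = [gmul(x, m[c][c]) ^ gmul(y, f) for x, y in zip(m[r], m[c])]
    return False

def first_singular_submatrix(mat):
    """MDS criterion of Section 2.2: return (rows, cols) of the first singular
    square submatrix, smallest order first, or None if all are nonsingular."""
    n = len(mat)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if is_singular([[mat[r][c] for c in cols] for r in rows]):
                    return rows, cols
    return None

def weight(v):
    """Number of non-zero (active) bytes."""
    return sum(1 for x in v if x)

def min_branch_weight_two_active():
    """Smallest wt(a) + wt(L a) over inputs with one or two active bytes; the
    first active byte is fixed to 1 because scaling a changes neither weight."""
    best = None
    for i in range(8):
        pairs = [(j, v) for j in range(i + 1, 8) for v in range(1, 256)]
        for j, v in [(i, 1)] + pairs:
            a = [0] * 8
            a[i], a[j] = 1, v
            w = weight(a) + weight(apply_matrix(a))
            if best is None or w < best[0]:
                best = (w, a)
    return best
```

For the coefficients as printed, `first_singular_submatrix(L)` returns a 2x2 submatrix and `min_branch_weight_two_active()` returns 6, reached by the input (1,0,1,0,0,0,0,0) with output (2,0,0,1,0,1,2,0). A matrix with branch number 9 would give `None` and 9.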
With this formulation we need four registers, 30 XORs, 10 xT operations, and 12 assignments for the linear layer implementation. If we have six registers, then we can reduce the number of operations: we write $r_4 = r_0 \oplus r_3$ and $r_5 = r_1 \oplus r_2$. The S-Box and AddKey operations are performed per byte.
3.4 Key Schedule Implementation
We use the same components in the key schedule and the randomizing part for efficiency of implementation. We also use basic instructions (OR, XOR, AND, 1-bit rotation) in the key schedule so that it can be implemented efficiently on various platforms.
4 Cryptanalysis
4.1 Differential and Linear Cryptanalysis
In this section we discuss how to measure the maximum differential and linear probabilities ($DP_{max}$ and $LP_{max}$) of BC2 without the FN and $FN^{-1}$ functions. We use a heuristic method to count the minimal number of active substitution boxes. For the differential attack [2], we use the characteristic $a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7$ for the left side of the plaintext (64 bits), so the size of each $a_i$ is 1 byte. For the right side we use b',0,0,0,0,0,0,0 (64 bits). The difference b' is chosen so that the output of the F function at round 1 is the same as $a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7$, so the input difference of round 2 is b',0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, because the output of the F function cancels the difference of the left side of the plaintext. So the minimal number of active S-Boxes for the first two rounds of BC2 is 1. The difference at the input of round 3 is 0,0,0,0,0,0,0,0, b',0,0,0,0,0,0,0 (see Figure 5). So the number of active S-Boxes in round 1 is one, in round 2 is zero, and in round 3 is one.
[Figure 5: Active S-box in BC2. Two Feistel rounds on L0 and R0 (64 bits each): an XOR with K1 or K2, eight S-Boxes and the 8x8 MDS matrix per round, with R1' = 0 and L2' = 0 marked.]
Since the branch number of the linear layer is 9, and the left difference of the input at round 3 is zero, the input difference at round 4 becomes b',0,0,0,0,0,0,0, $c_0, c_2, c_3, c_4, c_5, c_6, c_7$. It follows that the number of active S-Boxes in round 4 becomes 8.
If we continue this method, then after 10 rounds the minimum number of active S-Boxes becomes 28. So $DP_{max}$ is $(2^{-6})^{28} = 2^{-168}$ and, since the behavior of the linear attack [10] looks like that of the differential attack, $LP_{max}$ is $(2^{-4})^{28} = 2^{-112}$. For the differential attack, we need $2^{168}$ chosen plaintext pairs, and for the linear attack, we need $2^{224}$ known plaintexts. Since we also consider the 3R-attack, we need 13 rounds. And since we consider the worst case of the linear/differential attack on BC2, we hope BC2 is stronger against these attacks than we predict, all the more so if we consider the FN function.
As a comparison, the maximum differential/linear characteristic probabilities of the Camellia cipher reduced to 16 rounds without FL and $FL^{-1}$ are $2^{-132}$ and $2^{-88}$, respectively. If we use this heuristic method to count active S-Boxes in Camellia, we get at least 26 active S-Boxes in 16 rounds, so $DP_{max} = (2^{-6})^{26} = 2^{-156}$ and $LP_{max} = (2^{-4})^{26} = 2^{-104}$. This probability allows cryptanalysis of Camellia with a 2R-attack.
4.2 Square Attack and Its Variant
A byte-oriented cipher is vulnerable to the square attack [6] and its variant [5]. In BC2, the property $\bigoplus_{i=0}^{255} p = 0$, where p is a plaintext byte, holds until the input of round 5. So the square attack and its variant are very unlikely to succeed against the full cipher (13 rounds).
4.3 Higher Order Differential Attack
In general, a cipher with a low non-linear order is vulnerable to this attack. Since BC2 uses a non-linear component of degree 7, the degree increases rapidly after a few rounds. Moreover, BC2 has 13 rounds, so this attack is impossible to carry out. Moreover, the FN function in BC2 increases resistance to this attack, as in the Misty cipher, which has only a low degree in its S-Box.
4.4 Interpolation Attack
A cipher whose S-Box has a simple algebraic form is vulnerable to the interpolation attack [13]. However, the S-Box of BC2 uses the addition of an affine function, so this attack seems very unlikely to succeed against this cipher.
4.5 Related-key Attack and Slide Attack
The related-key attack [3] can work if there is slow diffusion or symmetry in the key schedule. Since the key schedule of BC2 uses a function that has fast diffusion and nonlinear operations, and uses a different mix of XOR, OR, AND and rotation for each round subkey, we hope this method is very effective in countering all kinds of known key-based attacks. Every bit of the master key influences KB and KC, and every round subkey is influenced by KA, KB and KC directly or indirectly. So we hope the weakness in the key schedule of SAFER can be hindered. And since the confusion component is not influenced by the subkey directly (BC2 uses XOR to mix the subkey), the weakness that one finds in IDEA is very unlikely to apply to BC2.
The slide attack [1] can work if there is symmetry in the randomizing part of the cipher and in the key schedule. Since BC2 has the FN function, the symmetry in the randomizing part decreases. Moreover, the different processing for each round in the key schedule makes this attack very unlikely to succeed.
5 Design Rationale
5.1 Non-linear Component
We choose the S-Boxes from Camellia and Hierocrypt because these components have excellent features. They have maximum differential probability $2^{-6}$, maximum linear probability $2^{-4}$ and degree 7, so these components can resist differential, linear and higher order differential attacks. The affine function in these components can improve the strength of BC2 against the interpolation attack and other algebraic attacks.
5.2 Linear Component
We use MDS (Maximum Distance Separable) to increase the number of active S-Boxes, so that BC2 can resist linear/differential attacks. MDS gives high diffusion, which is also important against the boomerang attack.
5.3 FN Function
This component is made to face unknown attacks. The FN component can also damage the paths of linear hull and impossible differential attacks. FN is designed to be more complicated than the one in Camellia, in order to give more protection, for example, against the truncated differential attack [9]. This attack uses part of the plaintext to predict part of the ciphertext with high probability. A byte-oriented cipher is vulnerable to this attack, so we add two more rotations to break this alignment.
6 Conclusions
We proposed a new block cipher algorithm, BC2. We designed a new key schedule that is fast and is a one-way function, so it should be hard to find the master key if an attacker can get a subkey. We also used differential and linear attacks to attack BC2. Our method of searching for linear/differential paths can be used to attack other BC2-like ciphers if we know their branch number.
References
[1] A. Biryukov and D. Wagner, “Slide attacks,” in Proceedings of Fast Software Encryption, LNCS 1636, pp. 245-259, Springer-Verlag, 1999.
[2] E. Biham and A. Shamir, “Differential cryptanalysis of the DES-like cryptosystems,” in Advances in Cryptology (Crypto’90), pp. 2-21, Springer-Verlag, 1993.
[3] E. Biham, “New types of cryptanalytic attacks using related keys,” Journal of Cryptology, vol. 7, no. 4, pp. 229-246, 1994.
[4] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland Mathematical Library, vol. 16, 1977.
[5] H. Gilbert and M. Minier, “A collision attack on 7 rounds of Rijndael,” in Proceedings of the Third AES Candidate Conference, pp. 230-241, 2000.
[6] J. Daemen, L. Knudsen, and V. Rijmen, “The block cipher SQUARE,” in Proceedings of Fast Software Encryption 1997, LNCS 1267, pp. 149-165, Springer-Verlag, 1997.
[7] J. Daemen and V. Rijmen, “AES proposal: Rijndael,” AES submission. (http://www.nist.gov/aes)
[8] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, “Camellia: A 128-bit block cipher suitable for multiple platform - Design and analysis,” in Proceedings of Selected Areas in Cryptography, LNCS 2012, pp. 39-56, Springer-Verlag, 2001.
[9] L. R. Knudsen, “Truncated and higher order differentials,” in Fast Software Encryption, LNCS 1008, pp. 196-211, Springer-Verlag, 1995.
[10] M. Matsui, “Linear cryptanalysis method for DES cipher,” in Advances in Cryptology (Eurocrypt’93), pp. 386-397, 1993.
[11] P. S. L. M. Barreto and V. Rijmen, “The Khazad legacy-level block cipher,” in New European Schemes for Signature, Integrity, and Encryption, pp. 84-87, 2000.
[12] K. Ohkuma, H. Shimizu, F. Sano, and S. Kawamura, “The block cipher Hierocrypt,” in Proceedings of Selected Areas in Cryptography, LNCS 2012, pp. 72-88, Springer-Verlag, 2001.
[13] T. Jakobsen and L. R. Knudsen, “The interpolation attack on block ciphers,” in Fast Software Encryption, LNCS 1267, pp. 28-40, Springer-Verlag, 1997.
Appendix A: Substitution Boxes
In this section, we can see the substitution box from Camellia, called SB_C, and the one from Hierocrypt, called SB_H.
typedef unsigned char byte;  /* 8-bit table entry */
const byte SB_C[256] = {
0x70, 0x2c, 0xb3, 0xc0, 0xe4, 0x57, 0xea, 0xae, 0x23, 0x6b, 0x45, 0xa5, 0xed, 0x4f, 0x1d, 0x92,
0x86, 0xaf, 0x7c, 0x1f, 0x3e, 0xdc, 0x5e, 0x0b, 0xa6, 0x39, 0xd5, 0x5d, 0xd9, 0x5a, 0x51, 0x6c,
0x8b, 0x9a, 0xfb, 0xb0, 0x74, 0x2b, 0xf0, 0x84, 0xdf, 0xcb, 0x34, 0x76, 0x6d, 0xa9, 0xd1, 0x04,
0x14, 0x3a, 0xde, 0x11, 0x32, 0x9c, 0x53, 0xf2, 0xfe, 0xcf, 0xc3, 0x7a, 0x24, 0xe8, 0x60, 0x69,
0xaa, 0xa0, 0xa1, 0x62, 0x54, 0x1e, 0xe0, 0x64, 0x10, 0x00, 0xa3, 0x75, 0x8a, 0xe6, 0x09, 0xdd,
0x87, 0x83, 0xcd, 0x90, 0x73, 0xf6, 0x9d, 0xbf, 0x52, 0xd8, 0xc8, 0xc6, 0x81, 0x6f, 0x13, 0x63,
0xe9, 0xa7, 0x9f, 0xbc, 0x29, 0xf9, 0x2f, 0xb4, 0x78, 0x06, 0xe7, 0x71, 0xd4, 0xab, 0x88, 0x8d,
0x72, 0xb9, 0xf8, 0xac, 0x36, 0x2a, 0x3c, 0xf1, 0x40, 0xd3, 0xbb, 0x43, 0x15, 0xad, 0x77, 0x80,
0x82, 0xec, 0x27, 0xe5, 0x85, 0x35, 0x0c, 0x41, 0xef, 0x93, 0x19, 0x21, 0x0e, 0x4e, 0x65, 0xbd,
0xb8, 0x8f, 0xeb, 0xce, 0x30, 0x5f, 0xc5, 0x1a, 0xe1, 0xca, 0x47, 0x3d, 0x01, 0xd6, 0x56, 0x4d,
0x0d, 0x66, 0xcc, 0x2d, 0x12, 0x20, 0xb1, 0x99, 0x4c, 0xc2, 0x7e, 0x05, 0xb7, 0x31, 0x17, 0xd7,
0x58, 0x61, 0x1b, 0x1c, 0x0f, 0x16, 0x18, 0x22, 0x44, 0xb2, 0xb5, 0x91, 0x08, 0xa8, 0xfc, 0x50,
0xd0, 0x7d, 0x89, 0x97, 0x5b, 0x95, 0xff, 0xd2, 0xc4, 0x48, 0xf7, 0xdb, 0x03, 0xda, 0x3f, 0x94,
0x5c, 0x02, 0x4a, 0x33, 0x67, 0xf3, 0x7f, 0xe2, 0x9b, 0x26, 0x37, 0x3b, 0x96, 0x4b, 0xbe, 0x2e,
0x79, 0x8c, 0x6e, 0x8e, 0xf5, 0xb6, 0xfd, 0x59, 0x98, 0x6a, 0x46, 0xba, 0x25, 0x42, 0xa2, 0xfa,
0x07, 0x55, 0xee, 0x0a, 0x49, 0x68, 0x38, 0xa4, 0x28, 0x7b, 0xc9, 0xc1, 0xe3, 0xf4, 0xc7, 0x9e,
};
So, SB_C[0] = 70 hex, SB_C[8] = 23 hex, SB_C[16] = 86 hex and so forth.
const byte SB_H[256] = {
0x07, 0xfc, 0x55, 0x70, 0x98, 0x8e, 0x84, 0x4e, 0xbc, 0x75, 0xce, 0x18, 0x02, 0xe9, 0x5d, 0x80,
0x1c, 0x60, 0x78, 0x42, 0x9d, 0x2e, 0xf5, 0xe8, 0xc6, 0x7a, 0x2f, 0xa4, 0xb2, 0x5f, 0x19, 0x87,
0x0b, 0x9b, 0x9c, 0xd3, 0xc3, 0x77, 0x3d, 0x6f, 0xb9, 0x2d, 0x4d, 0xf7, 0x8c, 0xa7, 0xac, 0x17,
0x3c, 0x5a, 0x41, 0xc9, 0x29, 0xed, 0xde, 0x27, 0x69, 0x30, 0x72, 0xa8, 0x95, 0x3e, 0xf9, 0xd8,
0x21, 0x8b, 0x44, 0xd7, 0x11, 0x0d, 0x48, 0xfd, 0x6a, 0x01, 0x57, 0xe5, 0xbd, 0x85, 0xec, 0x1e,
0x37, 0x9f, 0xb5, 0x9a, 0x7c, 0x09, 0xf1, 0xb1, 0x94, 0x81, 0x82, 0x08, 0xfb, 0xc0, 0x51, 0x0f,
0x61, 0x7f, 0x1a, 0x56, 0x96, 0x13, 0xc1, 0x67, 0x99, 0x03, 0x5e, 0xb6, 0xca, 0xfa, 0x9e, 0xdf,
0xd6, 0x83, 0xcc, 0xa2, 0x12, 0x23, 0xb7, 0x65, 0xd0, 0x39, 0x7d, 0x3b, 0xd5, 0xb0, 0xaf, 0x1f,
0x06, 0xc8, 0x34, 0xc5, 0x1b, 0x79, 0x4b, 0x66, 0xbf, 0x88, 0x4a, 0xc4, 0xef, 0x58, 0x3f, 0x0a,
0x2c, 0x73, 0xd1, 0xf8, 0x6b, 0xe6, 0x20, 0xb8, 0x22, 0x43, 0xb3, 0x33, 0xe7, 0xf0, 0x71, 0x7e,
0x52, 0x89, 0x47, 0x63, 0x0e, 0x6d, 0xe3, 0xbe, 0x59, 0x64, 0xee, 0xf6, 0x38, 0x5c, 0xf4, 0x5b,
0x49, 0xd4, 0xe0, 0xf3, 0xbb, 0x54, 0x26, 0x2b, 0x00, 0x86, 0x90, 0xff, 0xfe, 0xa6, 0x7b, 0x05,
0xad, 0x68, 0xa1, 0x10, 0xeb, 0xc7, 0xe2, 0xf2, 0x46, 0x8a, 0x6c, 0x14, 0x6e, 0xcf, 0x35, 0x45,
0x50, 0xd2, 0x92, 0x74, 0x93, 0xe1, 0xda, 0xae, 0xa9, 0x53, 0xe4, 0x40, 0xcd, 0xba, 0x97, 0xa3,
0x91, 0x31, 0x25, 0x76, 0x36, 0x32, 0x28, 0x3a, 0x24, 0x4c, 0xdb, 0xd9, 0x8d, 0xdc, 0x62, 0x2a,
0xea, 0x15, 0xdd, 0xc2, 0xa5, 0x0c, 0x04, 0x1d, 0x8f, 0xcb, 0xb4, 0x4f, 0x16, 0xab, 0xaa, 0xa0,
};
So, SB_H[0] = 7 hex, SB_H[8] = bc hex, SB_H[16] = 1c hex and so forth.
Appendix B: The Characteristic for Differential/linear Attack
In this section, we give the complete table of the minimum number of active S-Boxes in BC2. From Table 4 we can count that the minimum number of active S-Boxes for 10-round BC2 is 28, for 13-round BC2 is 37 and for 16-round BC2 is 46. So for the 3R attack, $DP_{max}$ is $(2^{-6})^{28} = 2^{-168}$, $(2^{-6})^{37} = 2^{-222}$ and $(2^{-6})^{46} = 2^{-276}$, respectively. For the linear attack, $LP_{max}$ is $2^{-112}$, $2^{-148}$, and $2^{-184}$, respectively.
We can also use Table 4 to count the minimum number of active S-Boxes of other Feistel ciphers, if we know their branch number. For example, the branch number of Camellia is 5, so we can replace the number “8” in the table with “4”. We then get a minimum number of active S-Boxes of 11 for 8-round Camellia. For 16-round Camellia, the minimum number of active S-Boxes is 26.
Table 4: The characteristic for differential/linear attack of BC2
round   left                               right                              Minimum number of active SBox
1       a1, a2, a3, a4, a5, a6, a7, a8     b1, 0, 0, 0, 0, 0, 0, 0            1
2       b1, 0, 0, 0, 0, 0, 0, 0            0, 0, 0, 0, 0, 0, 0, 0             0
3       0, 0, 0, 0, 0, 0, 0, 0             b1, 0, 0, 0, 0, 0, 0, 0            1
4       b1, 0, 0, 0, 0, 0, 0, 0            c1, c2, c3, c4, c5, c6, c7, c8     8
5       c1, c2, c3, c4, c5, c6, c7, c8     0, 0, 0, 0, 0, 0, 0, 0             0
6       0, 0, 0, 0, 0, 0, 0, 0             c1, c2, c3, c4, c5, c6, c7, c8     8
7       c1, c2, c3, c4, c5, c6, c7, c8     e1, 0, 0, 0, 0, 0, 0, 0            1
8       e1, 0, 0, 0, 0, 0, 0, 0            0, 0, 0, 0, 0, 0, 0, 0             0
9       0, 0, 0, 0, 0, 0, 0, 0             e1, 0, 0, 0, 0, 0, 0, 0            1
10      e1, 0, 0, 0, 0, 0, 0, 0            d1, d2, d3, d4, d5, d6, d7, d8     8
11      d1, d2, d3, d4, d5, d6, d7, d8     0, 0, 0, 0, 0, 0, 0, 0             0
12      0, 0, 0, 0, 0, 0, 0, 0             d1, d2, d3, d4, d5, d6, d7, d8     8
13      d1, d2, d3, d4, d5, d6, d7, d8     f1, 0, 0, 0, 0, 0, 0, 0            1
14      f1, 0, 0, 0, 0, 0, 0, 0            0, 0, 0, 0, 0, 0, 0, 0             0
15      0, 0, 0, 0, 0, 0, 0, 0             f1, 0, 0, 0, 0, 0, 0, 0            1
16      f1, 0, 0, 0, 0, 0, 0, 0            g1, g2, g3, g4, g5, g6, g7, g8     8
Appendix C: The Speed Comparison of BC2 with Other Ciphers
In this section, we give a speed comparison of BC2 with other block ciphers on a personal computer. We use ANSI C with the Borland C++ v6.0 compiler, a 1200 MHz AMD Duron processor, 512 MB RAM, and Windows XP SP2 to compare them.
The key schedule of BC2 is one of the fastest of all other ciphers.
Table 5: The speed comparison
Block cipher    Key schedule time (µs)   Encryption time per 128-bit data (µs)   Encryption rate (Mbit/s)
3DES-168        4.5516                   5.7                                     22.456
BC2-128         0.7926                   1.4373                                  89.0506
BC2-192         0.9693                   2.0123                                  63.6076
BC2-256         0.965                    2.0121                                  63.6223
Camellia-128    1.4811                   1.6724                                  76.53671
Camellia-192    2.0029                   2.1681                                  59.03787
Camellia-256    2.0139                   2.1751                                  58.84687
AES-128         2.3403                   1.0405                                  123.0178
AES-192         2.4405                   1.2428                                  102.9932
AES-256         3.0464                   1.3029                                  98.24238
Serpent-128     12.3297                  2.6038                                  49.1589
Serpent-192     14.2815                  2.6047                                  49.1419
Serpent-256     16.4357                  2.5997                                  49.236
Yusuf Kurniawan received the B.S. degree and the master degree in electrical engineering from Institut Teknologi Bandung (ITB), Bandung, Indonesia, in 1994 and 1997, respectively. He is currently a doctoral student at the School of Electrical Engineering and Informatics at the ITB. His research interests focus on the design of block ciphers and cryptology.
Adang Suwandi A. received the B.S. degree in Electrical & Control Engineering from the Electrical Engineering Department, ITB, Bandung, Indonesia, in 1976 and the Docteur Ingenieur in Signaux et Bruits Option Electronique from Universite des Sciences Technique du Languedoc, Montpellier, France. He is currently Chair and Professor of the School of Electrical Engineering and Informatics at the ITB. His fields of interest are intelligent system instrumentation and bioinformatics.
M. Sukrisno Mardiyanto received the DEA and Docteur Ingenieur from Institute National Polytechnique de Grenoble (INPG), France, in 1982 and 1986, respectively. He has been chair of the Study Program of Informatics at ITB since 2005. His research interests focus on Software Engineering, Computer Network and Computer Security.
Iping Supriana S. received a Doctoral degree from INPG, France, in 1985. He is a senior lecturer at the School of Electrical Engineering and Informatics at the ITB. He is chair of the security software project of the digital mark reader at ITB.
Sarwono Sutikno received the B.S. degree in Electronics from Institute Technology of Bandung, Bandung, Indonesia, in 1984, and received the Master of Engineering degree and Doctor of Engineering degree in Integrated System from Tokyo Institute of Technology, Tokyo, Japan, in 1990 and 1994, respectively. His research interests focus on the implementation of cryptographic algorithms in Integrated Circuits, including Embedded System Security. His Security Engineering focus includes Information Security Management System. He holds several professional certifications including Certified Information System Auditor and ISMS Provisional Auditor; he is also an appointed ISACA Academic Advocate.