Security Analysis of Scalable Block Cipher PP-1 Applicable to Distributed Sensor Networks

Abstract

PP-1 is a scalable block cipher which can be implemented on a platform with limited resource. In this paper, we analyze the security of PP-1 by using truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1, PP-1/64, PP-1/128, PP-1/192, and PP-1/256. Our attack is applicable to full-round versions of them, respectively. The proposed attacks can recover a secret key of PP-1 with the computational complexity which is faster than the exhaustive search. These are the first known cryptanalytic results on PP-1.

1. Introduction

Recently, the research on lightweight block ciphers has received considerable attention. Since these can be efficiently implemented under restricted resources such as low-cost, low-power, and lightweight platforms, they are applicable to low-end devices such as RFID tags, sensor nodes, and smart devices [1–6]. So far, many lightweight block ciphers (e.g., HIGHT [7], CLEFIA [8], KATAN/KTANTAN [9], PRINTCIPHER [5], and PP-1 [10]) have been proposed.

PP-1 is an involutional SPN block cipher which can be implemented on a platform with limited resources. It supports the scalability, which allows using different data block sizes and secret key sizes. In detail, PP-1 is an n-bit scalable block cipher and supports $n / 2 n$ -bit secret keys. $(n = 64, 128, 192, \dots)$ . It uses an $8 \times 8$ S-box which is an involution and a bit-oriented permutation which is also an involution. As a result, it is a totally involutional cipher. To our knowledge, there is no cryptanalytic result on PP-1.

In this paper, we analyze the security of PP-1 on truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1, PP-1/64, PP-1/128, PP-1/192, and PP-1/256. Here, $64$ , $128$ , $192$ , and $256$ indicate the length of data blocks. Our attack is applicable to full-round versions of them, respectively. Our attack results are summarized in Table 1. Here, PP-1/n_k means an n-bit PP-1 which supports a k-bit secret key. Note that since our attacks do not use the property of the key schedule of PP-1, the data complexity and the memory complexity of the attacks on PP-1/n_k and PP-1/n_ $2 k$ have the same value. From this table, our attacks can recover a secret key of PP-1 with the computational complexity which is faster than the exhaustive search. These results are the first known cryptanalytic results on PP-1.

Table 1

Our attack results on PP-1.

Target algorithm	Data complexity	Memory complexity	Computational complexity
PP-1/64_64	$2^{45.29}$ CP	$2^{41.29}$ bytes	$2^{45.29}$ encryptions
PP-1/64_128	$2^{45.29}$ CP	$2^{41.29}$ bytes	$2^{48.21}$ encryptions

PP-1/128_128	$2^{103.45}$ CP	$2^{44.45}$ bytes	$2^{103.45}$ encryptions
PP-1/128_256	$2^{103.45}$ CP	$2^{44.45}$ bytes	$2^{168}$ encryptions

PP-1/192_192	$2^{157.85}$ CP	$2^{35.44}$ bytes	$2^{157.85}$ encryptions
PP-1/192_384	$2^{157.85}$ CP	$2^{35.44}$ bytes	$2^{296}$ encryptions

PP-1/256_256	$2^{210.84}$ CP	$2^{24.84}$ bytes	$2^{210.84}$ encryptions
PP-1/256_512	$2^{210.84}$ CP	$2^{24.84}$ bytes	$2^{432}$ encryptions

PP-1/n_k: an n-bit PP-1 with a k-bit secret key.

CP: chosen plaintexts.

The rest of this paper is organized as follows. In Section 2, we briefly present PP-1. In Section 3, differentials on PP-1 are derived, and their probabilities are computed. Truncated differential cryptanalysis on each version of PP-1 is proposed in Sections 4, 5, and 6, respectively. Finally, we give our conclusion in Section 7.

2. Description of PP-1

PP-1 is an n-bit scalable block cipher and has r-round SPN structure $(n = 64,128,192, \dots)$ . The length of a secret key is n or $2 n$ bits. In [10], the designers of PP-1 proposed the following four versions of PP-1 as concrete examples.

(i)

PP-1/64: $n = 64$ , $r = 11$ , that is, a $64$ -round block cipher with $64 / 128$ bit secret keys and $11$ rounds.

(ii)

PP-1/128: $n = 128$ , $r = 22$ , PP-1/192: $n = 192$ , $r = 32$ , PP-1/256: $n = 256$ , $r = 43$ .

For the simplicity of notations, we denote an n-bit PP-1 with a k-bit secret key PP-1/n_k. And input/output values and a round key in round i are denoted by $I^{i}$ , $O^{i}$ , and ${RK}^{i}$ , respectively $(i = 1, \dots, r)$ .

We omit the key schedule of PP-1, as it is not effectively used in our attack.

2.1. The Round Function

As shown in Figure 1(a), the round function of PP-1 consists of $(n / 64)$ nonlinear $NL$ functions $({NL}_{0}, \dots, {NL}_{(n / 64 - 1)})$ and an n-bit involutional permutation P. For example, when $n = 64$ , the round function uses only ${NL}_{0}$ . Note that P is not conducted in the last round. $({NL}_{0}, \dots, {NL}_{(n / 64 - 1)})$ have the same structure but different round keys are used.

Figure 1

(a) The round function of PP-1 and (b) the nonlinear function ${NL}_{j}$ .

In round i, two n-bit round keys ${RK}^{i} = ({RK}_{0}^{i}, {RK}_{1}^{i})$ are used as follows:

\begin{matrix} {RK}_{0}^{i} = {RK}_{00}^{i} ∥ \dots ∥ {RK}_{0 (n / 64 - 1)}^{i}, \\ {RK}_{1}^{i} = {RK}_{10}^{i} ∥ \dots ∥ {RK}_{1 (n / 64 - 1)}^{i} . \end{matrix}

(1)

Here, ${NL}_{j}$ takes $128$ bit sub-round key $({RK}_{0 j}^{i}, {RK}_{1 j}^{i})$ $(j = 0, \dots, (n / 64 - 1))$ .

2.2. The Nonlinear Function $NL$

In round i, ${NL}_{j}$ outputs a $64$ bit value from a $64$ bit input value and a $128$ bit subround key $({RK}_{0 j}^{i}, {RK}_{1 j}^{i})$ $(j = 0, \dots, (n / 64 - 1))$ . It consists of one $8 \times 8$ S-box S, $XOR (\oplus)$ , $addition (⊞)$ , and $substraction (⊟)$ modulo $2^{8}$ (see Figure 1(b)).

A $128$ bit sub-round key $({RK}_{0 j}^{i}, {RK}_{1 j}^{i})$ is divided into eight $8$ bit elementary keys as follows, respectively:

\begin{matrix} {RK}_{0 j}^{i} = {RK}_{0 j 0}^{i} ∥ \dots ∥ {RK}_{0 j 7}^{i}, \\ {RK}_{1 j}^{i} = {RK}_{1 j 0}^{i} ∥ \dots ∥ {RK}_{1 j 7}^{i} . \end{matrix}

(2)

Thus, each elementary key is XORed or added or subtracted with an $8$ bit intermediate value. For example, ${RK}_{1 j 0}^{i}$ is XORed with the $8$ bit output value of the first S-box.

2.3. The Permutation Function P

P is an n-bit involutional bit-oriented permutation. It is constructed by using two algorithms, the auxiliary algorithm (Algorithm 1) to compute auxiliary permutation Prm and the main algorithm (Algorithm 2) to compute permutation P.

Algorithm 1: Prm(x, nBb, nSb).

(1) nS ← nBb div nSb.

(2) Sno ← (x mod nS) + 1.

(3) Sb ← ((x − 1) div nS) + 1.

(4) y← (Sno − 1) · nSb + Sb.

(5) Return y.

Algorithm 2: P(pno, nBb, nSb).

(1) y← Prm(pno, nBb div 2, nSb div 2).

(2) px ← 2 · pno − 1.

(3) py ← 2 · y.

(4) Return (px, py).

For example, the $128$ bit permutation P is obtained as a result of $64$ calls of Algorithm 2 for a pair numbered as $p n o$ from $1$ to $64$ , the number of block bits $n B b = 128$ and the number of S-box bits $n S b = 8$ . When $p n o = 2$ , the value y of Prm is equal to $9$ and the resultant pair $(p x, p y) = (3,18)$ . It means that the third bit of the input value is mapping to the eighteenth bit of the output value.

3. Construction of Differentials on PP-1

In this section, we introduce the methodology of constructing differentials on PP-1 used in our attacks. For the simplicity of notations, we define the following notations.

(i)

$(α \to β)_{t}$ : a t-round differential characteristic where input/output differences are α and β, respectively.

(ii)

$[α \to β]_{t}$ : a t-round differential where input/output differences are α and β, respectively.

(iii)

$(a, x)$ : a byte string where the ath byte value is x and the other bytes are zero (the index of the left most byte is $0$ ).

3.1. Differential Characteristic on PP-1

In general, a differential characteristic with the higher probability passes less nonlinear operations, such as S-box, than it with the lower probability. Recall that a $N F$ -function consists of S-box, addition, substraction, and XOR. Among these operations, nonlinear operations are S-box, addition, and subtraction. Thus, in order to construct a differential characteristic with a high probability, we should avoid them.

We examined such differential characteristics on PP-1. As a result, we found several t-round differential characteristics with a probability of $2^{- 7 \cdot t}$ . For example, in the case of PP-1/64, we can construct $((7, 0 x 01) \to (7, 0 x 01))_{t}$ with a probability of $2^{- 7 \cdot t}$ . This characteristic passes only one S-box in each round and the probability that S-box outputs an output difference $0 x 01$ from an input difference $0 x 01$ is $2^{- 7}$ .

We expect that this type of difference characteristics have the highest probability. That is, they pass least S-boxes, addition operations, and subtraction operations. We extend it to differentials in the next subsection.

3.2. Finding of Differentials with a High Probability

The probability of a differential is computed by adding the probabilities of all differential characteristics which are included in it. The more differential characteristics with a high probability a differential includes, the higher its probability is. Thus, in order to find a differential on PP-1 with a high probability, we consider the following criteria.

(i)

In each round, a differential characteristic has only one active S-box.

(ii)

In each round, a differential characteristic does not pass addition/subtraction operations.

The probabilities that all t-round differential characteristics satisfying the above criteria are at least $2^{- 7 \cdot t}$ , since the minimum probability from the difference distribution table on S-box is $2^{- 7}$ . Thus, we measure the probability of a differential by counting only the number of differential characteristics which satisfy the above criteria and are included in it. That is, if there are w such differential characteristics, the probability of a differential including them is at least $w \cdot 2^{- 7 \cdot t}$ . On the other hand, in the case of differential characteristics which do not satisfy the above criteria, they pass the additional nonlinear operations in each round. In this case, the probabilities of them are much smaller than $2^{- 7 \cdot t}$ . Thus, we expect that differential characteristics which do not satisfy the above criteria depend on the probability of a differential less.

In order to count efficiently differential characteristics satisfying the above criteria, we consider differences δ's satisfying the following conditions.

(i)

$δ = (a, x)$ where $(a \mod 8) \in {0,2, 5,7}$ and x is a nonzero byte value.

(ii)

$P (δ) = (b, y)$ where $(b \mod 8) \in {0,2, 5,7}$ and y is a nonzero byte value.

Let 𝒟 be a set containing such δ's. We can easily prove that all t-round differential characteristics satisfying the above criteria include $(δ_{i} \to δ_{j})_{1}$ in each round $(δ_{i}, δ_{j} \in 𝒟)$ . It means that we only need to consider 𝒟 in order to find all differential characteristics holding the above criteria.

Let $N (δ_{i}, δ_{j}, t)$ be the number of $(δ_{i} \to δ_{j})_{t}$ . For each $δ_{i}$ and $δ_{j}$ included in 𝒟, we compute w using the following recurrence relation:

\begin{matrix} N (δ_{i}, δ_{j}, t + 1) = \sum_{δ_{k} \in 𝒟} ‍ N (δ_{i}, δ_{k}, 1) \cdot N (δ_{k}, δ_{j}, t) . \end{matrix}

(3)

Since $N (δ_{i}, δ_{k}, 1)$ is compute by using the difference distribution table for an S-box of PP-1, we can easily compute $N (δ_{i}, δ_{j}, t)$ for given t.

For example, we found twenty one δ's for PP-1/64 (see Table 2). As a simulation result, $N ((7, 0 x 01), (7, 0 x 09), 8)$ is $8429$ . It means that the probability of $[(7, 0 x 01) \to (7, 0 x 09)]_{8}$ is $2^{- 42.96} (= 8429 \cdot 2^{- 7 \cdot 8})$ .

Table 2

A difference set 𝒟 for PP-1/64.

(0, 0x20)	(0, 0x04)	(0, 0x01)	(2, 0x40)	(2, 0x10)	(2, 0x20)	(2, 0x30)
(5, 0x02)	(5, 0x04)	(5, 0x80)	(5, 0x84)	(5, 0x01)	(5, 0x08)	(5, 0x09)
(7, 0x02)	(7, 0x04)	(7, 0x80)	(7, 0x84)	(7, 0x01)	(7, 0x08)	(7, 0x09)

4. Truncated Differential Analysis on PP-1/64

In this section, we propose truncated differential analysis on full-round PP-1/64_64 and full-round PP-1/64_128. Since PP-1/64_64 and PP-1/64_128 have the same structure except the key schedule, the attack procedures on them are similar. Thus, we mainly introduce the attack procedure on PP-1/64_64.

By using the method in the previous section, we construct forty nine $8$ -round differentials $[P ((7, α)) \to (7, β)]_{8} (α, β \in {0 x 01,0 x 02,0 x 04,0 x 08,0 x 09,0 x 80, 0 x 84})$ . And we extend these $8$ -round differentials to total $1785 (= 7 \cdot 255)$ $9$ -round differentials $[P ((7, α)) \to P ((7, x_{j}^{i}))]_{9}$ $(x_{j}^{i} \in X^{i})$ . Here, $X^{i}$ 's are defined as follows $(i = 1, \dots, 6)$ :

\begin{matrix} X^{0} = {0000000 0_{2}}, \\ X^{1} = {0000 ? 00 ?_{2} ∣ ? \in {0,1}} - X^{0}, \\ X^{2} = {0 ? 00 ? 00 ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{1} X^{i}, \\ X^{3} = {? ? 00 ? ? 0 ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{2} X^{i}, \\ X^{4} = {? ? 00 ? ? ? ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{3} X^{i}, \\ X^{5} = {? ? ? 0 ? ? ? ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{4} X^{i}, \\ X^{6} = {? ? ? ? ? ? ? ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{5} X^{i} . \end{matrix}

(4)

4.1. Construction of Structures

We consider a structure $S_{i}$ consisting of $256$ plaintext; that is, $S_{i} = {(i ∥ j) ∣ j = 0,1, 2, \dots, 255}$ where i is a $56$ bit fixed value. Then we can compose $2^{15}$ plaintext pairs for each structure. Among these plaintext pairs, there are $2^{7}$ plaintext pairs where an input difference of round $2$ is one of $P ((7, α))$ for each α. Table 3 presents the expected number of right plaintext pairs where an output difference of round $10$ is included in $P ((7, X^{i}))$ . These values are computed as follows:

\begin{matrix} \sum_{α} ‍ \sum_{x_{j}^{i} \in X^{i}} ‍ 2^{7} \cdot Pr [{[α ⟶ x_{j}^{i}]}_{9}] . \end{matrix}

(5)

Table 3

The expected number of right pairs for PP-1/64.

Set of output differences of round 10	The expected number of right pairs
P((7, $X^{1}$ ))	$2^{- 35.29}$
P((7, $X^{2}$ ))	$2^{- 35.27}$
P((7, $X^{3}$ ))	$2^{- 33.19}$
P((7, $X^{4}$ ))	$2^{- 32.65}$
P((7, X⁵))	$2^{- 31.53}$
P((7, $X^{6}$ ))	$2^{- 30.66}$

4.2. Truncated Differential Analysis on PP-1/64

The main idea of our attack is to exploit the fact that the expected number of plaintext pairs where an output difference of round $10$ is included in $P (X^{i})$ is $2^{- 30.66} ~ 2^{- 35.29}$ for each structure (see Table 3).

In our attack on PP-1/64_64, we first obtain a $72$ bit partial information on ${RK}^{11} = ({RK}_{0}^{11}, {RK}_{1}^{11})$ and an $8$ bit ${RK}_{007}^{1}$ . The attack procedure is as follows (see Figure 2).

(1)

Choose $2^{37.29}$ structures which are composed of $256$ plaintexts and obtain the corresponding ciphertexts. From these ciphertexts, compute $2^{52.29} (= 2^{15} \cdot 2^{37.29})$ ciphertext pairs $(C^{i}, C^{i *})$ (note that we can compute total $2^{15}$ ciphertext pairs for each structure).

(2)

Check that the difference $Δ C^{i}$ between ciphertext pair $(C^{i}, C^{i *})$ is $0 x ? ? ? ? 00 ? ? 00 ? ? ? ? ? ?$ ; that is, $Δ C_{02}^{i} = Δ C_{04}^{i} = 0 x 00$ for each i $(? \in {0,1}^{4})$ . We keep all ciphertext pairs passing Step (2) and the corresponding plaintext pairs in a table and call a set containing them 𝒜.

(3)

Filter out the ciphertext pairs where $Δ C_{00}^{i}, Δ C_{01}^{i}, Δ C_{03}^{i}$ , $Δ C_{05}^{i}$ and $Δ C_{06}^{i}$ are not zero in 𝒜. Do the following for the remaining ciphertext pairs:

(a)

Guess an $8$ bit ${RK}_{107}^{11}$ (note that this substep indicates “Guess 1” in Figure 2).

(b)

Partially encrypt all remaining ciphertext pairs with the guessed round key ${RK}_{107}^{11}$ to get $Δ I_{07}^{11}$ . Check that $Δ I_{07}^{11}$ is included in $P (X^{1})$ from (4). If it is included in $P (X^{1})$ , add the counter, corresponding to the guessed key, to one.

(c)

Output a guessed key which has the maximal counter as a right ${RK}_{107}^{11}$ .

(4)

From 𝒜, filter out the ciphertext pairs where $Δ C_{00}^{i}, Δ C_{03}^{i}$ , $Δ C_{05}^{i}$ , and $Δ C_{06}^{i}$ are not zero and the ciphertext pairs considered in Step (3). Do the following for the remaining ciphertext pairs:

(a)

Check that $Δ C_{07}$ is a nonzero value for each remaining ciphertext pair. Partially encrypt the ciphertext pairs passing this test with the recovered round key ${RK}_{107}^{11}$ to obtain $Δ I_{07}^{11}$ . If this value is not included in $P (X^{1})$ , filter out the corresponding ciphertext pairs.

(b)

Guess $16$ bit round keys $({RK}_{001}^{11}, {RK}_{101}^{11})$ . (“Guess 2” in Figure 2).

(c)

Similarly to Step $(3) (b)$ , partially encrypt the remaining ciphertext pairs with the guessed round keys to get $Δ I_{01}^{11}$ . Check that $Δ I_{01}^{11}$ is included in $P (X^{2})$ from (4). If it is included in $P (X^{2})$ , add the counter, corresponding to the guessed key, to one.

(d)

Output a guessed key which has the maximal counter as right ${RK}_{001}^{11}$ and ${RK}_{101}^{11}$ .

(5)

From 𝒜, discard the ciphertext pairs where $Δ C_{00}^{i}, Δ C_{03}^{i}$ , and $Δ C_{06}^{i}$ are not zero and the ciphertext pairs considered in Step (3) and (4). Do the following for the remaining ciphertext pairs:

(a)

Similarly to Step $(4) (a)$ , filter out the ciphertext pairs where $Δ I_{07}^{11}$ and $Δ I_{01}^{11}$ are not included in $P (X^{1})$ and $P (X^{2})$ , respectively.

(b)

Guess an $8$ bit round keys ${RK}_{105}^{11}$ . (“Guess 3” in Figure 2).

(c)

Similarly to Step $(4) (c)$ , check that $Δ I_{05}^{11}$ is included in $P (X^{3})$ . Output a guessed key which has the maximal counter as a right ${RK}_{105}^{11}$ .

(6)

From 𝒜, discard the ciphertext pairs where $Δ C_{03}^{i}$ and $Δ C_{06}^{i}$ are not zero and the ciphertext pairs considered in Step (3), (4) and (5). Do the following for the remaining ciphertext pairs:

(a)

Similarly to Step $(5) (a)$ , filter out the ciphertext pairs where $Δ I_{07}^{11}$ , $Δ I_{01}^{11}$ and $Δ I_{05}^{11}$ are not included in $P (X^{1})$ , $P (X^{2})$ and $P (X^{3})$ , respectively.

(b)

Guess an $8$ bit round keys ${RK}_{100}^{11}$ . (“Guess 4” in Figure 2).

(c)

Similarly to Step $(5) (c)$ , check that $Δ I_{00}^{11}$ is included in $P (X^{4})$ . Output a guessed key which has the maximal counter as a right ${RK}_{100}^{11}$ .

(7)

From 𝒜, filter out the ciphertext pairs where $Δ C_{03}^{i}$ is not zero and the ciphertext pairs considered in Step (3), (4), (5) and (6). Do the following for the remaining ciphertext pairs:

(a)

Similarly to Step $(6) (a)$ , filter out the ciphertext pairs where $Δ I_{07}^{11}$ , $Δ I_{01}^{11}$ , $Δ I_{05}^{11}$ and $Δ I_{00}^{11}$ are not included in $P (X^{1})$ , $P (X^{2})$ , $P (X^{3})$ and $P (X^{4})$ , respectively.

(b)

Guess $16$ bit round keys $({RK}_{006}^{11}, {RK}_{106}^{11})$ . (“Guess 5” in Figure 2).

(c)

Similarly to Step $(6) (c)$ , check that $Δ I_{06}^{11}$ is included in $P (X^{5})$ . Output a guessed key which has the maximal counter as right ${RK}_{006}^{11}$ and ${RK}_{106}^{11}$ .

(8)

From 𝒜, filter out the ciphertext pairs considered in Step (3), (4), (5), (6) and (7). Do the following for the remaining ciphertext pairs:

(a)

Similarly to Step $(7) (a)$ , filter out the ciphertext pairs where $Δ I_{07}^{11}$ , $Δ I_{01}^{11}$ , $Δ I_{05}^{11}$ , $Δ I_{00}^{11}$ and $Δ I_{06}^{11}$ are not included in $P (X^{1})$ , $P (X^{2})$ , $P (X^{3})$ , $P (X^{4})$ and $P (X^{5})$ , respectively.

(b)

Guess $16$ bit round keys $({RK}_{003}^{11}, {RK}_{103}^{11})$ . (“Guess 6” in Figure 2).

(c)

Similarly to Step $(7) (c)$ , check that $Δ I_{03}^{11}$ is included in $P (X^{6})$ . Output a guessed key which has the maximal counter as right ${RK}_{003}^{11}$ and ${RK}_{103}^{11}$ .

(9)

Get the the corresponding plaintext pairs to all ciphertext pairs considered in Step $(3) (b)$ , $(4) (c)$ , $(5) (c)$ , $(6) (c)$ , $(7) (c)$ and $(8) (c)$ , respectively. With them, do the following:

(a)

Guess an $8$ bit ${RK}_{007}^{1}$ (“Guess 7” in Figure 2).

(b)

Partially encrypt the plaintext pairs in Step (9) with the guessed round key to obtain the output difference of the $8$ th S-box in round $1$ , that is, $(P^{- 1} (I^{2}))_{07}$ .

(c)

If the computed difference is included in ${0 x 01, 0 x 02, 0 x 04, 0 x 08, 0 x 09, 0 x 80, 0 x 84}$ , add the counter, corresponding to the guessed key, to one.

(d)

Output a guessed key which has the maximal counter as a right ${RK}_{007}^{1}$ .

(10)

With an $80$ bit suggested round key, compute a secret key by operating the key schedule of PP-1_64. Output the computed secret key as a right secret key of PP-1_64.

Figure 2

The attack procedure on full-round PP-1/64_64.

In our attack on PP-1/64_64, we construct $2^{37.29}$ structures which are composed of $256$ plaintexts. Thus, the data complexity of our attack is about $2^{45.29} (\approx 2^{37.29} \cdot 2^{8})$ chosen plaintexts. We store all ciphertext pairs passing Step (2) and the corresponding plaintext pairs in a table. The probability that a ciphertext pair passes Step (2) is $2^{- 16}$ . Thus, $2^{36.29} (\approx 2^{52.29} \cdot 2^{- 16})$ ciphertext pairs pass this step. Hence, the memory complexity of this attack is about $2^{41.29} (\approx 2^{52.29} \cdot 2^{- 16} \cdot 4 \cdot 8)$ memory bytes.

The computational complexity of our attack is dominated by Step (1). The computational complexity of Step (1) is about $2^{45.29} (\approx 2^{37.29} \cdot 2^{8})$ encryptions. The probability that a wrong ciphertext pair passes Step (3) is $2^{- 40}$ . Since the expected number of the remaining wrong ciphertext pairs is $2^{- 3.71} (\approx 2^{36.29} \cdot 2^{- 40})$ , we expect that only right ciphertext pairs are survived. From (4), we can check easily that all ciphertext pairs where the corresponding $Δ O^{10}$ 's are included in $P (X^{1})$ pass Step (3). Thus, the expected number of right ciphertext pairs is $4 (\approx 2^{37.29} \cdot 2^{- 35.29})$ from Table 3. The computational complexity of Step $(3) (b)$ is about $2^{3.54} (\approx 2^{8} \cdot 4 \cdot 1 / 11 \cdot 1 / 8)$ encryptions. Similarly to Step $(3) (b)$ , the computational complexities of other steps are also small. Hence, the computational complexity of our attack on PP-1/64_64 is about $2^{45.29}$ encryptions.

In the case of the attack on PP-1/64_128, the data and memory complexities are the same as them of the attack on PP-1/64_64. However, the computational complexity of this attack is dominated by Step (1) and (10), since we should do an exhaustive search for the remaining $48$ bit key information. The computational complexity of Step (1) is about $2^{45.29} (\approx 2^{37.29} \cdot 2^{8})$ encryptions. In Step (10), the probability that a wrong key passes this step is $2^{- 64}$ . Thus, it is sufficient to use just one plaintext/ciphertext pair. The computational complexity of Step (10) is about $2^{48}$ . Hence, the computational complexity of PP-1/64_128 is about $2^{48.21} (\approx 2^{45.29} + 2^{48})$ encryptions.

5. Truncated Differential Analysis on Full-Round PP-1/128

Our attacks on full-round PP-1/128_128 and full-round PP-1/128_256 use $20$ -round differentials which are constructed by using the method introduced in Section 3. In detail, in order to construct them, we consider twenty five $19$ -round differentials $[P ((15, α)) \to (15, β)]_{19} (α, β \in {0 x 01,0 x 08,0 x 09,0 x 10,0 x 80})$ . Then we extend these $19$ -round differentials to total $1275 (= 5 \cdot 255)$ $20$ -round differentials $[P ((15, α)) \to P ((15, y_{j}^{i}))]_{20}$ $(y_{j}^{i} \in Y^{i})$ . Here, $Y^{i}$ 's are defined as follows $(i = 1, \dots, 7)$ :

\begin{matrix} Y^{0} = {0000000 0_{2}}, \\ Y^{1} = {0000 ? 00 ?_{2} ∣ ? \in {0,1}} - Y^{0}, \\ Y^{2} = {0 ? 00 ? 00 ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{1} Y^{i}, \\ Y^{3} = {? ? 00 ? 00 ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{2} Y^{i}, \\ Y^{4} = {? ? 00 ? ? 0 ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{3} Y^{i}, \\ Y^{5} = {? ? 00 ? ? ? ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{4} Y^{i}, \\ Y^{6} = {? ? ? 0 ? ? ? ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{5} Y^{i}, \\ Y^{7} = {? ? ? ? ? ? ? ?_{2} ∣ ? \in {0,1}} - ⋃_{i = 0}^{6} Y^{i} . \end{matrix}

(6)

In the similar manner to the previous section, we choose a structure $S_{i}$ which consist of $256$ plaintext; that is, $S_{i} = {(i ∥ j) ∣ j = 0,1, 2, \dots, 255}$ , where i is a $120$ bit fixed value. Then, as shown in Table 4, we can calculate the expected number of right plaintext pairs where $Δ O^{21}$ is included in $P (15, (Y^{i}))$ for each structure.

Table 4

The expected number of right pairs for PP-1/128.

Set of output differences of round 21	The expected number of right pairs
P((15, $Y^{1}$ ))	$2^{- 93.33}$
P((15, $Y^{2}$ ))	$2^{- 93.45}$
P((15, $Y^{3}$ ))	$2^{- 92.64}$
P((15, $Y^{4}$ ))	$2^{- 92.01}$
P((15, $Y^{5}$ ))	$2^{- 96.86}$
P((15, $Y^{6}$ ))	$2^{- 89.78}$
P((15, $Y^{7}$ ))	$2^{- 88.92}$

5.1. Truncated Differential Analysis on PP-1/128

Our attack on full-round PP-1/128_128 is similar to that on full-round PP-1/128_256. Thus, we mainly present the attack procedure on PP-1/128_128. Since it is similar to the attack procedure on full-round PP-1/64_64, we briefly introduce it. The attack procedure on full-round PP-1/128_128 is as follows (see Figure 3).

(1)

Select $2^{95.45}$ structures which are composed of $256$ plaintexts and get the corresponding ciphertexts. From these ciphertexts, compute $2^{110.45}$ ciphertext pairs ( $C^{i}, C^{i *}$ ).

(2)

Check that $Δ C_{01}^{i} = Δ C_{02}^{i} = Δ C_{04}^{i} = Δ C_{05}^{i} = Δ C_{06}^{i} = Δ C_{10}^{i} = Δ C_{11}^{i} = Δ C_{12}^{i} = Δ C_{14}^{i} = 0$ for each ciphertext pair. We keep all ciphertext pairs passing Step (2) and the corresponding plaintext pairs in a table and call a set containing them 𝒜.

(3)

From 𝒜, filter out the ciphertext pairs where $Δ C_{00}^{i}$ , $Δ C_{03}^{i}$ , $Δ C_{07}^{i}$ , $Δ C_{13}^{i}$ , $Δ C_{15}^{i}$ , and $Δ C_{16}^{i}$ are not zero. Do the following for the remaining ciphertext pairs:

(a)

Guess an $8$ bit round key ${RK}_{117}^{22}$ (“Guess 1” in Figure 3).

(b)

Check that $Δ I_{17}^{22}$ is included in $P (Y^{1})$ . Output a guessed key which has the maximal counter as right ${RK}_{117}^{22}$ .

(4)

Similarly to Step (3), determine sequentially the following right round keys.

(a)

$({RK}_{003}^{22}, {RK}_{103}^{22})$ (“Guess 2”),

(b)

${RK}_{115}^{22}$ (“Guess 3”).

(c)

$({RK}_{013}^{22}, {RK}_{115}^{22})$ (“Guess 4”).

(d)

${RK}_{101}^{22}$ (“Guess 5”).

(e)

$({RK}_{016}^{22}, {RK}_{116}^{22})$ (“Guess 6”).

(f)

${RK}_{117}^{22}$ (“Guess 7”).

(5)

Get the the corresponding plaintext pairs to all ciphertext pairs considered in Steps (3) and (4). With them, do the following:

(a)

Guess an $8$ bit ${RK}_{017}^{1}$ (“Guess 8”).

(b)

Partially encrypt the plaintext pairs in Step (5) with the guessed round key to obtain the output difference of the $8$ th S-box in second $N F$ -function of round $1$ , that is, $(P^{- 1} (I^{2}))_{17}$ .

(c)

If the computed difference is included in ${0 x 01, 0 x 08, 0 x 09, 0 x 10, 0 x 80}$ , add the counter, corresponding to the guessed key, to one.

(d)

Output a guessed key which has the maximal counter as a right ${RK}_{017}^{1}$ .

(6)

With an $88$ bit suggested round key, do an exhaustive search for the remaining $40$ bit key information by using one trial encryption. During this procedure, if a $128$ bit secret key satisfies one known plaintext/ciphertext pair, output this $128$ bit secret key as a right $128$ bit secret key of full-round PP-1/128_128.

Figure 3

The attack procedure on full-round PP-1/128_128.

In this attack, we construct $2^{95.45}$ structures. Thus, the data complexity of our attack on full-round PP-1/128_128 is about $2^{103.45} (\approx 2^{95.45} \cdot 2^{8})$ chosen plaintexts. In Step (2), since the probability that a ciphertext pair passes Step (2) is $2^{- 72}$ , we store $2^{38.45} (\approx 2^{110.45} \cdot 2^{- 72})$ ciphertext pairs pass this step and the corresponding plaintext pairs in a table. Thus, the memory complexity of this attack is about $2^{44.45} (\approx 2^{38.45} \cdot 4 \cdot 16)$ memory bytes. The computational complexity of this attack is dominated by Step (1), that is, about $2^{103.45} (\approx 2^{95.45} \cdot 2^{8})$ encryptions.

In the case of the attack on full-round PP-1/128_256, the data and memory complexities are the same as them of the attack on full-round PP-1/128_128. However, the computational complexity of this attack is dominated by Step (6), since we should do an exhaustive search for the remaining $168$ bit key information. In Step (6), the probability that a wrong key that passes this step is $2^{- 128}$ . Thus, this step needs two plaintext/ciphertext pairs. The computational complexity of Step (6) is about $2^{168} (\approx 2^{168} + 2^{168} \cdot 2^{- 128})$ encryptions. Hence, the computational complexity of our attack on full-round PP-1/128_256 is about $2^{168}$ encryptions.

6. Truncated Differential Analysis on Full-Round PP-1/192 and PP-1/256

This section introduces our attack results on full-round PP-1/192 and full-round PP-1/256. Overall, the attack procedures on them are similar to the attack procedures on PP-1/64.

Our attacks on full-round PP-1/192 uses $2^{149.85}$ structures $S_{i} = {(i ∥ j) ∣ j = 0,1, 2, \dots, 255}$ , where i is a $184$ bit fixed value. First, we construct thirty six $29$ -round differentials $[P ((23, α)) \to (23, β)]_{29}$ $(α, β \in {0 x 01,0 x 02,0 x 08,0 x 09,0 x 40, 0 x 80})$ . Then we extend these $29$ -round differentials to total $1530 (= 6 \cdot 255)$ $30$ -round truncated differentials $[P ((23, α)) \to P ((23, y_{j}^{i}))]_{30}$ $(y_{j}^{i} \in Y^{i})$ . Note that $Y^{i}$ 's used in this attack are the same as them in the attack on full-round PP-1/128. Table 5 presents the expected number of right plaintext pairs where $Δ O^{31}$ is included in $P (23, (Y^{i}))$ in each structure. The complexities of our attacks are as follows.

Table 5

The expected number of right pairs for PP-1/192.

Set of output differences of round 31	The expected number of right pairs
P((23, $Y^{1}$ ))	$2^{- 147.85}$
P((23, $Y^{2}$ ))	$2^{- 147.01}$
P((23, $Y^{3}$ ))	$2^{- 145.93}$
P((23, $Y^{4}$ ))	$2^{- 145.48}$
P((23, $Y^{5}$ ))	$2^{- 144.38}$
P((23, $Y^{6}$ ))	$2^{- 143.26}$
P((23, $Y^{7}$ ))	$2^{- 142.38}$

PP-1/192_192(PP-1/192_384)

(a)

The data complexity: about $2^{157.85}$ chosen plaintexts.

(b)

The memory complexity: about $2^{35.44}$ memory bytes.

(c)

The computational complexity: about $2^{157.85} (2^{296})$ encryptions.

In the case of PP-1/256, we consider $2^{202.84}$ structure $S_{i} = {(i ∥ j) ∣ j = 0,1, 2, \dots, 255}$ , where i is a $248$ bit fixed value. And we construct $2040$ $41$ -round differentials $[P ((31, α)) \to P ((31, y_{j}^{i}))]_{41} (α \in {0 x 01,0 x 02,0 x 04,0 x 08,0 x 09, 0 x 10,0 x 40,0 x 80}) (y_{j}^{i} \in Y^{i})$ . Note that $Y^{i}$ 's used in this attack are also the same as them in the attack on full-round PP-1/128. Table 6 presents the expected number of right plaintext pairs where $Δ O^{42}$ is included in $P (31, (Y^{i}))$ in each structure. The complexities of our attacks are as follows.

Table 6

The expected number of right pairs for PP-1/256.

Set of output differences of round 42	The expected number of right pairs
P((31, Y¹))	$2^{- 200.73}$
P((31, Y²))	$2^{- 200.84}$
P((31, Y³))	$2^{- 199.89}$
P((31, Y⁴))	$2^{- 199.23}$
P((31, Y⁵))	$2^{- 198.10}$
P((31, Y⁶))	$2^{- 197.09}$
P((31, Y⁷))	$2^{- 196.18}$

PP-1/256_256(PP-1/256_512)

(a)

The data complexity: about $2^{210.84}$ chosen plaintexts.

(b)

The memory complexity: about $2^{24.84}$ memory bytes.

(c)

The computational complexity: about $2^{210.84} (2^{432})$ encryptions.

7. Conclusion

In this paper, we have presented the first known cryptanalytic results of four concrete versions of a scalable block cipher PP-1, full-round PP-1/64, full-round PP-1/128, full-round PP-1/192, and full-round PP-1/256, by using truncated differential cryptanalysis. As summarized in Table 1, our attacks on these algorithms require computational complexities smaller than the exhaustive search. These results indicate that PP-1 is vulnerable to truncated differential cryptanalysis and that it is insecure.

Footnotes

Acknowledgments

This research was supported by the Ministry of Science, ICT and Future Planning (MSIP), Korea, under the Convergence Information Technology Research Center (C-ITRC) support Program (NIPA-2013-H0301-13-3007) supervised by the National IT Industry Promotion Agency (NIPA).

References

Chen

Mariam

Matsumoto

A single mobile target tracking in voronoi-based clustered wireless sensor network

Journal of Information Processing Systems 2011 1 17 28

Huang

Cheng

R. H.

Chen

S. R.

Enhancing network availability by tolerance control in multi-sink wireless sensor network

Journal of Convergence 2010 1 1 15 22

2-s2.0-78049497469

10.1109/ITCS.2010.5581293

Sarkar

Saha

Security enhanced communication in wireless sensor networks using reed-muller codes and partially balanced incomplete block designs

Journal of Convergence 2011 2 23 30

2-s2.0-80051990665

10.1109/ISPAW.2011.39

Kumar

Aseri

Patel

Multi-hop communication routing (MCR) protocol for heterogeneous wireless sensor networks

International Journal of Information Technology, Communications and Convergence 2010 1 130 145

Lim

Jang

Kim

A study on design and implementation of the ubiquitous computing environment-based dynamic smart on/off-line learner tracking system

Journal of Information Processing Systems 2010 6 4 609 620

10.3745/JIPS.2010.6.4.609

Xie

Kumar

Zhao

Reddy

On secure communication in integrated heterogeneous wireless networks

International Journal of Information Technology, Communications and Convergence 2010 1 1 4 23

10.1504/IJITCC.2010.035224

Hong

Sung

Hong

Lim

Lee

Koo

B. S.

Lee

Chang

Lee

Jeong

Kim

Chee

HIGHT: a new block cipher suitable for low-resource device

Cryptographic Hardware and Embedded Systems 2006 4249 46 59

2-s2.0-33750699594

Shirai

Shibutani

Akishita

Moriai

Iwata

The 128-bit blockcipher CLEFIA (extended abstract)

Fast Software Encryption 2007 4593 181 195

10.1007/978-3-540-74619-5_12

2-s2.0-38149123507

de Cannière

Dunkelman

Knežević

KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers

Cryptographic Hardware and Embedded Systems 2009 5747 272 288

2-s2.0-70350589237

10.1007/978-3-642-04138-9_20

10.

Bucholc

Chmiel

Grocholewska-Czuryło

Idzikowska

Janicka-Lipska

Stokłosa

Scalable PP-1 block cipher

International Journal of Applied Mathematics and Computer Science 2010 20 2 401 411

2-s2.0-77954415230

10.2478/v10006-010-0030-6

Security Analysis of Scalable Block Cipher PP-1 Applicable to Distributed Sensor Networks

Abstract

1. Introduction

2. Description of PP-1

2.1. The Round Function

2.2. The Nonlinear Function NL

2.3. The Permutation Function P

Algorithm 1: Prm(x, nBb, nSb).

Algorithm 2: P(pno, nBb, nSb).

3. Construction of Differentials on PP-1

3.1. Differential Characteristic on PP-1

3.2. Finding of Differentials with a High Probability

4. Truncated Differential Analysis on PP-1/64

4.1. Construction of Structures

4.2. Truncated Differential Analysis on PP-1/64

5. Truncated Differential Analysis on Full-Round PP-1/128

5.1. Truncated Differential Analysis on PP-1/128

6. Truncated Differential Analysis on Full-Round PP-1/192 and PP-1/256

7. Conclusion

Footnotes

Acknowledgments

References

2.2. The Nonlinear Function $NL$