Sage Journals: Discover world-class research

Abstract

COSB-128 (Moldovyan et al., 2002) is a block cipher with 128-bit and 256-bit secret keys, which use key and data-dependent operational substitutions in fast controllable permutation blocks (CPB) concept. It is designed with a simple key schedule to ensure a high speed of data transformation by fast block encryption algorithms and expected to be high stability to all known methods of cryptanalysis, especially differential and linear attacks. In this paper, we show that the COSB-128 block cipher still remains weaknesses to differential related-key cryptanalysis, by constructing two full 10-round related-key differential characteristics (DCs) of COSB-128 with high probabilities, and thence propose our two related-key differential attacks. The attacks require about 2²⁴ data and time complexities to recover 63-bit key information and 2²² data and time complexities to recover 6-bit key information. This study is the first known cryptanalytic result on COSB-128 until now. From this study, the new potential for the cryptanalysis on these types of block cipher will be further revealed.

1. Introduction

Recently, the use of network-based devices and services has increased gradually. Thence, the security becomes an essential interest, which is required not only to be strong with most known attacks but also to be optimized on software-hardware implementations [1, 2] or specialized applications. With these criteria, designing cipher using in which data-dependent controllable operations is a cryptographic primitive approach in modern applied cryptography.

When the best known algorithms using controllable permutations (RC5, RC6, etc. [3]) showed their limitations in protective transformation, the operational substitutions offer promise for fast block encryption algorithms with better performance.

Recently, there are some designs of block ciphers which are presented, such as CIKS-1 [4], CIKS-128 [5], Cobra-H64, Cobra-H128 [6], SCO-1, SCO-2, and SCO-3 [7] which aim to enhance the security of the DDP- (data-dependent permutation-) based ciphers structure. Although there are many well-known ciphers, with different specifications and characteristics, the security of them is still under consideration. All of them use a very simple key scheduling for high speed encryption algorithms, which enables the cryptanalysis exploit by applying related-key attacks concept.

COSB-128 [8] is a 128-bit block cipher with a 256-bit key; the number of round is 10. It uses controlled operational substitution (COS) with the concept of fast controllable permutation blocks (CPB) [9]. This cipher is expected to have high performance in hardware-software implementations and high stability to all known cryptanalysis, especially differential attacks and linear attacks.

Related-key differential cryptanalysis was introduced in 1994 by Biham [1, 2] and has become an effective and popular method for attacking many types of block ciphers. This attack researched on CIKS-cipher family [10], Cobra-cipher family [11], or SCO-cipher family [12]… has given a reasonable result with better performance.

In this paper, we show that this type of block cipher is still vulnerable to related-key differential attack, by constructing two full 10-round differential characteristics (DCs) of COSB-128 with high probabilities; thence, we present our two related-key differential attacks on it. The attack allows us to recover 63-bit key information with about 2²⁴ data related-key chosen plaintexts and 2²⁴ encryptions and 6-bit key information with about 2²² data related-key chosen plaintexts and 2²² encryptions. This study is the first known cryptanalytic result on COSB-128 so far.

This paper is organized as follows: in Section 2, we present the COSB-128 block cipher; in Section 3, the related-key differential characteristics and our related-key differential attack on COSB-128 are proposed. Finally, we give the conclusion of this paper in Section 4.

2. Description of COSB-128 Block Cipher

In this section, the structure of COSB-128 block cipher is reviewed. Firstly, we notice some notations using through the whole paper. The cipher $A = (a_{1}, a_{2}, \dots, a_{n})$ is assigned with $a_{1}$ and $a_{n}$ being the most significant bit and the least significant bit, respectively: (i)

$Δ X_{r}$ : the input difference in round r;

(ii)

$Δ K_{r}$ : the round-key difference in round r;

(iii)

$Δ Y_{r}$ : the output difference in round r;

(iv)

$e_{i, j}$ : the ith bit and jth bit are ones; the others are zeros within a cipher (e.g., $e_{2,5} = (0, 1, 0, 0, 1, 0, \dots, 0)$ ).

COSB-128 [8] is a 128-bit block cipher using 256-bit secret key; the number of round is 10. The ciphers do the same iterative structure with the round function

{Crypt}^{(e)}

(

e = 0

: encryption,

e = 1

: decryption).

The round function ${Crypt}^{(e)}$ consists of basic arithmetical operations: ×, multiplication, ⊕, modulo 2 addition, a transformation of control vector H, a substitution transformation G, and two CPB-Boxes, $F_{64 / 192}$ and $F_{64 / 192}^{- 1}$ .

The encryption procedure of COSB-128 is as follows. (1)

128-bit plaintext is divided into two 64-bit subblocks A and B:

\begin{matrix} X = (A, B) . \end{matrix}

(1)

Perform initial transformation as follows:

\begin{matrix} (A_{0}, B_{0}) = (A \oplus z_{1}, B \oplus z_{2}) . \end{matrix}

(2)

For $r = 1$ to 9 do the following:

\begin{matrix} (a) (A_{r}, B_{r}) = {Crypt}^{(0)} (A_{r - 1}, B_{r - 1}, K_{r}^{(0)}) \\ (b) (A_{r}, B_{r}) = (B_{r}, A_{r}) . \end{matrix}

(3)

Perform transformation $(A_{10}, B_{10})$ as follows:

\begin{matrix} (A_{10}, B_{10}) = {Crypt}^{(0)} (A_{9}, B_{9}, K_{10}^{(0)}) . \end{matrix}

(4)

Perform final transformation as follows:

\begin{matrix} Y = (A^{'}, B^{'}) = (A_{10} \oplus z_{3}, B_{10} \oplus z_{4}) . \end{matrix}

(5)

The round function Crypt⁽⁰⁾ is given in Figures 1 and 2. For more detailed description of COSB-128, see [8].

Figure 1

Round function ${Crypt}^{(0)}$ of COSB-128.

Figure 2

(a) $F_{64 / 192}$ and $F_{64 / 192}^{- 1}$ , (b) $F_{8 / 12}$ , (c) $F_{8 / 12}^{- 1}$ , (d) $F_{4 / 4}$ , (e) $F_{4 / 4}^{- 1}$ , and (f) $F_{2 / 1}$ .

The control ciphers $V_{1}, V_{2} \in {G F (2)}^{192}$ are performed through the transformation of control vector H, with the ciphers $V_{i}$ , $i = 1, 2$ . Consider the following:

\begin{matrix} V_{i} = \{{W_{1}}^{(i)} | {W_{2}}^{(i)} | {W_{3}}^{(i)} | {W_{4}}^{(i)} | {W_{5}}^{(i)} | {W_{6}}^{(i)}\} . \end{matrix}

(6)

The output values of

{W_{j}}^{(i)}

are defined as

\begin{matrix} {W_{1}}^{(1)} = A_{l}, {W_{2}}^{(1)} = {A_{h}}^{⋘ 1}, \\ {W_{3}}^{(1)} = {(A \oplus K_{1})}_{h}^{⋘ 18}, {W_{4}}^{(1)} = {(A \oplus K_{1})}_{l}^{⋘ 4}, \\ {W_{5}}^{(1)} = {(A \oplus K_{2})}_{l}^{⋘ 8}, {W_{6}}^{(1)} = {(A \oplus K_{2})}_{h}^{⋘ 16}, \\ {W_{1}}^{(2)} = A_{l}, {W_{2}}^{(2)} = {A_{h}}^{⋘ 1}, \\ {W_{3}}^{(2)} = {(A \oplus K_{4})}_{h}^{⋘ 18}, {W_{4}}^{(2)} = {(A \oplus K_{4})}_{l}^{⋘ 4}, \\ {W_{5}}^{(2)} = {(A \oplus K_{3})}_{l}^{⋘ 8}, {W_{6}}^{(1)} = {(A \oplus K_{3})}_{h}^{⋘ 16}, \end{matrix}

(7)

where

{W_{j}}^{(i)} \in G F {(2)}^{32}

l

is 32 lower-order digits, and h is 32 higher-order digits.

The substitution function G uses output vector $Ψ (A, Q)$ , in which Q depends on round cycles; $Q = K_{1} \oplus K_{3}$ for odd rounds and $Q = K_{2} \oplus K_{4}$ for even rounds; A, $Q \in G F {(2)}^{64}$ . Consider the following:

\begin{array}{l} Ψ (A, Q) = (A_{1} \times A_{3} \times Q_{2} \times A_{5} \times A_{6} \times A_{8}) \\ \oplus (A_{1} \times A_{3} \times A_{6} \times A_{8}) \\ \oplus (A_{1} \times Q_{2} \times A_{5} \times A_{8}) \oplus (A_{3} \times Q_{2} \times A_{5} \times A_{6}) \\ \oplus (A_{1} \times Q_{2} \times A_{6}) \oplus (A_{3} \times A_{5} \times A_{8}) \\ \oplus (A_{1} \times A_{3} \times Q_{2}) \oplus (A_{5} \times A_{6} \times A_{8}) \\ \oplus (A_{1} \times A_{4}) \oplus (Q_{1} \times A_{6}) \oplus (A_{2} \times A_{8}) \\ \oplus (A_{3} \times Q_{3}) \oplus (Q_{2} \times A_{7}) \\ \oplus (A_{5} \times Q_{4}) \oplus A_{0} \oplus Q_{0}, \end{array}

(8)

where

\begin{matrix} A_{0} = (a_{1}, a_{1}, \dots, a_{n}), \\ A_{1} = (a_{n}, a_{1}, \dots, a_{n - 1}), \\ ⋮ \\ A_{j} = (a_{n - j + 1}, \dots, a_{n}, a_{1}, \dots, a_{n - j}), \\ Q_{0} = (q_{1}, q_{1}, \dots, q_{n}), \\ Q_{1} = (q_{n}, q_{1}, \dots, q_{n - 1}), \\ ⋮ \\ Q_{j} = (q_{n - j + 1}, \dots, q_{n}, q_{1}, \dots, q_{n - j}) . \end{matrix}

(9)

The key schedule of COSB-128 is constructed in such a simple way, where 256-bit secret key Z is split into four 64-bit subkeys;

Z = (z_{1}, z_{2}, z_{3}, z_{4})

. The procedure of key scheduling is specified as in Table 1.

Table 1

Key schedule of COSB-128.

Key	$O_{1}$	$O_{2}$	$O_{3}$	$O_{4}$	$O_{5}$	$O_{6}$	$O_{7}$	$O_{8}$	$O_{9}$	$O_{10}$
K ₁	z ₁	z ₄	z ₃	z ₂	z ₄	z ₃	z ₁	z ₂	z ₃	z ₁
K ₂	z ₂	z ₁	z ₄	z ₃	z ₂	z ₄	z ₃	z ₁	z ₂	z ₃
K ₃	z ₃	z ₂	z ₁	z ₄	z ₁	z ₂	z ₄	z ₃	z ₄	z ₂
K ₄	z ₄	z ₃	z ₂	z ₁	z ₃	z ₁	z ₂	z ₄	z ₁	z ₄

3. Key Recovery Attacks on COSB-128

In this section, we construct a full 10-round related-key differential characteristic (DC) of COSB-128 with high probabilities using some properties of ${Crypt}^{(e)}$ function and thence propose our related-key differential attack on COSB-128 block cipher.

3.1. Properties of COSB-128

We obtain some appropriate properties of ${Crypt}^{(e)}$ function of COSB-128 that enable us to construct related-key differential characteristics.

3.1.1. Properties with $F_{2 / 1}$

We assume $\Pr (F_{2 / 1}) (Δ Y / Δ X, Δ V)$ is a probability to have the output difference $Δ Y$ of $F_{2 / 1}$ , with $Δ X$ and $Δ V$ being the input difference and the controlling vector difference, respectively. Then we can calculate the probability as the following. (a)

$\Pr (F_{2 / 1}) ((0, 0) / (0, 0), 0) = 1$ .

(b)

$\Pr (F_{2 / 1}) ((0, 1) / (0, 1), 0) = \Pr (F_{2 / 1}) ((1, 1) / (0, 1), 0) = 2^{- 1}$ .

(c)

$\Pr (F_{2 / 1}) ((1, 0) / (1, 0), 0) = \Pr (F_{2 / 1}) ((1, 1) / (1, 0), 0) = 2^{- 1}$ .

(d)

$\Pr (F_{2 / 1}) ((1, 0) / (1, 1), 0) = \Pr (F_{2 / 1}) ((0, 1) / (1, 1), 0) = 2^{- 1}$ .

(e)

$\Pr (F_{2 / 1}) ((0, 0) / (0, 0), 1) = \Pr (F_{2 / 1}) ((1, 1) / (0, 0), 1) = 2^{- 2}$ .

(f)

$\Pr (F_{2 / 1}) ((0, 0) / (1, 1), 1) = \Pr (F_{2 / 1}) ((1, 1) / (1, 1), 1) = 2^{- 2}$ .

(g)

$\Pr (F_{2 / 1}) (Δ Y / Δ X, Δ V) = 2^{- 2}$ ,

where ΔY =

{(0, 1), (1, 0)}

Δ X = {(0, 1), (1, 0)}

, and

Δ V = 1

3.1.2. Properties with $F_{n / m}$

Extensively, we let $\Pr (F_{n / m}) (Δ Y / Δ X, Δ V)$ be a probability to have the output difference $Δ Y$ of $F_{n / m}$ , with $Δ X$ being the input difference and $Δ V$ being the controlling vector difference. We have the following. (a)

$\Pr (F_{n / m}) ((0) / (0), e_{i}) = \Pr (F_{n / m}^{- 1}) ((0) / (0), e_{i}) = 2^{- 2}$ .

(b)

$\Pr (F_{n / m (V)} (X)) = \Pr (F_{n / m (V \oplus e_{i})} (X)) = 2^{- 2}$ , with $X \in {\{0, 1\}}^{n}$ .

(c)

$\Pr ({F_{n / m (V)}^{- 1}}^{} (X)) = \Pr (F_{n / m (V \oplus e_{i})}^{- 1} (X)) = 2^{- 2}$ , with $X \in {\{0, 1\}}^{n} .$

3.1.3. Properties with $F_{64 / 192}^{(e)}$

Similarly, we can get the probability $\Pr (F_{64 / 192}^{(e)}) (Δ Y / Δ X, Δ V)$ of $F_{64 / 192}^{(0)}$ , $F_{64 / 192}^{(1)}$ , with $Δ Y$ -output difference, $Δ X$ -input difference, and $Δ V$ -controlling vector difference. Consider the following. (a)

$\Pr (F_{64 / 192}) (0 / 0, 0) = \Pr (F_{64 / 192}^{- 1}) (0 / 0, 0) = 1$ .

(b)

$\Pr (F_{64 / 192}) (0 / 0, e_{i}) = \Pr (F_{64 / 192}^{- 1}) (0 / 0, e_{i}) = 2^{- 2}$ .

(c)

$\Pr (F_{64 / 192}) (e_{j} / e_{i}, 0) = \Pr (F_{64 / 192}^{- 1}) (e_{j} / e_{i}, 0) = 2^{- 12}$ , for any fixed i, j.

(both $F_{64 / 192}$ and $F_{64 / 192}^{- 1}$ have 6 active layers $F_{2 / 1}$ within structure)

(d)

$\Pr (F_{64 / 192}) (e_{j} / e_{i}, e_{i}) = \Pr (F_{64 / 192}^{- 1}) (e_{j} / e_{i}, e_{i}) = 2^{- 12}$ , for any fixed i, j.

(both $F_{64 / 192}$ and $F_{64 / 192}^{- 1}$ have 6 active layers $F_{2 / 1}$ within structure).

3.1.4. Properties with Transformation H and G

(a)

Let A, $A^{'}$ , and $A^{''}$ be the inputs of transformation H, respectively:

\begin{array}{r} V_{i} = {W_{1} | W_{2} | W_{3} | W_{4} | W_{5} | W_{6}} = H (A, A^{'}, A^{″}); \\ i = 1, 2. \end{array}

(10)

With the control vector $V_{1}$ of $F_{64 / 192}$ , we have $H (A, A^{'}, A^{''}) \oplus (A, A^{'} \oplus e_{16}, A^{''}) = e_{94}$ and $H (A, A^{'}, A^{''}) \oplus (A, A^{'}, A^{''} \oplus e_{16}) = e_{192}$ . Similarly, $H (A, A^{'}, A^{''}) \oplus (A, A^{'} \oplus e_{16}, A^{''}) = e_{126}$ and $H (A, A^{'}, A^{''}) \oplus (A, A^{'}, A^{''} \oplus e_{16}) = e_{32}$ of the control vector $V_{2}$ of $F_{64 / 192}^{- 1}$ .

(b)

Let A be the input of G with key-dependent metric Q; then we can get the probability $\Pr (G_{Q} (A) \oplus G_{Q} (A) = 0) = 1$ and $\Pr (G_{Q} \oplus e_{64} (A) \oplus G_{Q} \oplus e_{64} (A) = 0) = 1$ .

3.2. Related-Key Differential Characteristics of COSB-128

With the properties defined in Section 3.1 combined with such a simple key schedule of COSB-128 structure, we are able to construct the related-key differential characteristics (DCs) for COSB-128 with high probability.

We assume that the plaintext pairs $(P, P^{*})$ are encrypted under the key pairs $(K, K^{*})$ , respectively, in which $α = Δ P = P \oplus P^{*} = (0, e_{16})$ and $Δ K = K \oplus K^{*} = (0, e_{16}, 0, 0)$ , to get the corresponding ciphertext pairs $(C, C^{*})$ .

Then, as Table 2 shows, we can construct a 10-round related-key differential characteristic $α \to β$ , where $β = (e_{16}, e_{j})$ , $(1 \leq j \leq 64)$ for rounds 1~10 of COSB-128 with probability $2^{- 22}$ .

Table 2

Related-key differential characteristics (DCs) of a full 10-round COSB-128.

Round(r)	$Δ X_{r}$	( $Δ K_{r}$ )	$E 1 / E 2 / E 3$	Probability
IT	(0, $e_{16}$ ) = α	(0, $e_{16}$ )		1
1	(0, 0)	(0, $e_{16}$ , 0, 0)	2⁻²/1/1	2⁻²	$Z_{1}$
2	(0, 0)	(0, 0, $e_{16}$ , 0)	1/1/2⁻²	2⁻²	$Z_{2}$
3	(0, 0)	(0, 0, 0, $e_{16}$ )	1/1/2⁻²	2⁻²	$Z_{3}$
4	(0, 0)	( $e_{16}$ , 0, 0, 0)	2⁻²/1/1	2⁻²	$Z_{4}$
5	(0, 0)	(0, $e_{16}$ , 0, 0)	2⁻²/1/1	2⁻²	$Z_{1}$
6	(0, 0)	(0, 0, $e_{16}$ , 0)	1/1/2⁻²	2⁻²	$Z_{2}$
7	(0, 0)	(0, 0, 0, $e_{16}$ )	1/1/2⁻²	2⁻²	$Z_{3}$
8	(0, 0)	( $e_{16}$ , 0, 0, 0)	2⁻²/1/1	2⁻²	$Z_{4}$
9	(0, 0)	(0, $e_{16}$ , 0, 0)	2⁻²/1/1	2⁻²	$Z_{1}$
10	(0, 0)	(0, 0, $e_{16}$ , 0)	1/1/2⁻⁴	2⁻⁴	$Z_{2}^{'}$
FT	(0, $e_{j}$ )	( $e_{16}$ , 0)		1
Output ( $Δ Y$ )	( $e_{16}$ , $e_{j}$ ) = β

Total				2⁻²²

We describe the way to construct the DCs in detail as follows. ( $Z_{1}$ )

The first rounds with the input and round key differences are $(0, 0)$ and $(0, e_{16}, 0, 0)$ , respectively, so the output difference of the first H is $e_{192}$ with probability 1 (Section 3.1.4(a)). Thence, since the input difference and the control vector difference of $F_{64 / 192}$ are 0 and $e_{192}$ , the output difference of $F_{64 / 192}$ is 0 with probability $E 1 = 2^{- 2}$ (Section 3.1.3(b)). The output difference of G is 0 with probability $E 2 = 1$ when the input and the round key differences are 0 and 0, respectively (odd round cycle, $Q = K_{1} \oplus K_{3}$ ). Plus, the output difference of $F_{64 / 192}^{- 1}$ is 0 with probability $E 3 = 1$ since output difference of the second H is 0 with probability 1 (Section 3.1.4(b)). Finally, we can get that the output difference of function ${Crypt}^{(e)}$ is 0 with probability $2^{- 2}$ in case the input differences are $(0, 0)$ under the round key differences which are $(0, e_{16}, 0, 0)$ . Apply the method ( $Z_{1}$ ) for the fifth round and ninth round to find the DC of them.

( $Z_{2}$ )

The second round with the input and round key differences are $(0, 0)$ and $(0, 0, e_{16}, 0)$ , respectively; so the output difference of the first H is 0 with probability 1. Thence, since the input difference and the control vector difference of $F_{64 / 192}$ are 0 and 0, the output difference of $F_{64 / 192}$ is 0 with probability $E 1 = 1$ (Section 3.1.3(a)). The output difference of G is 0 with probability $E 2 = 1$ when the input and the round key differences are 0 and 0, respectively (even round cycle, $Q = K_{2} \oplus K_{4}$ ). Plus, the output difference of $F_{64 / 192}^{- 1}$ is 0 with probability $E 3 = 2^{- 2}$ (Section 3.1.3(b)) since output difference of the second H is $e_{32}$ with probability 1 (Section 3.1.4(b)). Finally, we can get that the output difference of function ${Crypt}^{(e)}$ is 0 with probability $2^{- 2}$ in case the input differences are $(0, 0)$ under the round key differences which are $(0, 0, e_{16}, 0)$ . Apply the method ( $Z_{2}$ ) for the sixth round to find the DC of it.

Similarly, we can get the methods ( $Z_{3}$ ) and ( $Z_{4}$ ) with probabilities $2^{- 2}$ since the input is $(0, 0)$ and round key differences are $(0, 0, 0, e_{16})$ , $(e_{16}, 0, 0, 0)$ , respectively.

With the last round, we change a little the difference characteristics for the output of $F_{64 / 192}^{- 1}$ support to our related-key differential attacks. The input and round key differences of ${Crypt}^{(e)}$ are $(0, 0)$ and $(0, 0, e_{16}, 0)$ . The output difference of $F_{64 / 192}$ is 0 with probability $E 1 = 1$ (the output difference of the first H is 0). Thus, the output difference of G with the input and the round key differences being 0 and 0 is 0 with probability $E 2 = 1$ (Section 3.1.4(b)). Plus the output difference of the second H is $e_{32}$ with probability 1 (Section 3.1.4(a)); in this case, the input difference and the control vector differences of $F_{64 / 192}^{- 1}$ are 0 and $e_{32}$ ; we get that the output difference $F_{64 / 192}^{- 1}$ is $e_{j}$ with probability $2^{- 4}$ (Section 3.1.1). Finally, for the last round, the related-key differential characteristic holds the probability $2^{- 4}$ .

See the Appendix for more description.

3.3. The First Related-Key Differential Attack on COSB-128

Based on the related-key DC we have constructed, we can recover a part of master key of COSB-128.

At first, we encrypt 2²³ plaintext pairs $(P, P^{*})$ and $Δ P = P \oplus P^{*} = (0, e_{16})$ to get 2²³ corresponding ciphertext pairs $(C, C^{*})$ under an unknown key $K = (K_{1}, K_{2}, K_{3}, K_{4})$ and an unknown related key $(K_{1}, K_{2} \oplus e_{16}, K_{3}, K_{4})$ . While the probability of related-key differential characteristics of COSB-128 is $2^{- 22}$ , we expect there are at least 2 ciphertext pairs $(C, C^{*})$ with the difference $(e_{16}, e_{j})$ for each j, where $1 \leq j \leq 64$ . So, with the DC described in Table 2, we can infer the jth one-bit difference where the ciphertext pairs $(C, C^{*})$ are given from the output differences of $F_{1 / 2}^{V_{6}^{' 32}}$ in $F_{64 / 192}^{- 1}$ at the last round (refer to Figure 3). Thence, it can be expected that the differential route given is unique and we are able to retrieve 6 bits of controlling vectors for this route.

Figure 3

The possible routes of the $F_{64 / 192}^{- 1}$ on the last round.

The related-key differential attack on the full-round COSB-128 is as follows. (1)

Choose a pool of 2²³ plaintext pairs $(P_{i}, P_{i}^{*})$ with difference $Δ P = α = P \oplus P^{*} = (0, e_{16})$ . Then, with the chosen plaintext attack, we encrypt the plaintext pairs using $(K, K^{*})$ to get the ciphertext pairs $(C_{i}, C_{i}^{*})$ , in which $Δ K = K \oplus K^{*} = (0, e_{16}, 0, 0)$ .

(2)

For each i and j, check if $C_{i} \oplus C_{i}^{*} = (e_{16}, e_{j})$ , where $1 \leq i, j \leq 64$ .

(3)

We assign j-BPO the bit-one positions of j. Then, with the number of ciphertext pairs satisfying the conditions at (2), we can extract some bits of the control vector through the difference route of the j-BPOs and the position of the 64th input bit of $F_{64 / 192}^{- 1}$ (see Figure 3). From this point, because the control vector $V_{2}$ of $F_{64 / 192}^{- 1}$ in last round is in form of $C_{L} \oplus K_{3}$ , $C_{L} \oplus K_{3} \oplus K_{4}$ , and $C_{L}$ , we are able to find some corresponding bits of $K_{3}$ and $K_{3} \oplus K_{4}$ .

The data complexity of this attack is 2²⁴ related-key chosen plaintexts. The time complexity of (1) is about 2²⁴ full round COSB-128 encryptions and the time complexities of (2) and (3) are much less than that of (1). Also, each ciphertext pair passes (2) with probability of at least $2^{- 22}$ ; thence, the ciphertext pairs with $(e_{16}, e_{j})$ difference are expected to be at least 2. It means, for each j ( $1 \leq j \leq 64$ ), we have at least one ciphertext pair meets the $(e_{16}, e_{j})$ difference. So, we expect to retrieve 56-bit keys information of $F_{64 / 192}^{- 1}$ and 7-bit keys information of $F_{64 / 192}$ with the data and time complexities of 2²⁴.

3.4. The Second Related-Key Differential Attack on COSB-128

For increasing the differential probability, we propose the second attack by constructing another related-key differential characteristic on COSB-128 with probability $2^{- 20}$ . In fact, we assume the probability of differential patterns of the 2nd, 3rd, 4th, 5th, and 6th layers in the box $F_{64 / 192}^{- 1}$ at the last round is 1. It means the bit-one input difference of the 32th $F_{2 / 1}$ always gets the direction to the j-bit output difference of the 6th layer. Also, the probability is 1 because when the input difference is $(0, 1)$ and controlling vector difference is 0 of $F_{2 / 1}$ , the corresponding hamming weight of output difference is always 1. Then, we can recover a 6-bit key with data complexity being about 2²² related-key chosen plaintexts with time complexity of about 2²² full round COSB-128 encryptions.

The second related-key differential attack on COSB-128 is as follows. (1)

This step is same as the algorithm applied on the Step (1) of the first related-key differential attack on COSB-128 in Section 3.3.

(2)

For each i, check if $C_{i} \oplus C_{i}^{*} = (e_{16}, e_{j})$ , where $1 \leq j \leq 64$ .

Thus, we can extent this attack to retrieve the whole of master key pair $(K, K^{'})$ by applying an exhaustive search for the remaining keys. The exhaustive search takes a running time of 2²⁵⁰ encryptions and recovers the full key with the same data complexity and time complexity of about 2²⁵⁰ full-round COSB-128 encryptions.

4. Conclusion

The network-environment devices and services have increased rapidly in recent years. It leads the cryptography to new way; it does not only offer protection for stability to all known attacks, but also needs to be optimized on software-hardware implementations and suitable for most constrained environment applications in communication networks nowadays. In order to construct fast block encryption algorithms for ensuring high speed encryption in data transformation, the data-dependent controllable operations have been highly used.

While the operational permutation blocks (RC5, RC6, etc. [3]) still remain limitations in protective data transformation, COSB-128 [8] is a 128-bit block and 256-bit key, which uses the controllable operational substitutions in the concept of CPB [9], is proposed to give a good performance and be stable to most known cryptanalyses.

In this paper, we constructed the two related-key differential characteristics of a full 10-round of COSB-128 cipher with high probabilities based on some differential properties combined with the simple key schedule within COSB-128 structure. Then, it enables us to propose the two related-key differential attacks on COSB-128. Our attacks require 2²⁴ and 2²² related-key chosen plaintexts, respectively, with the time complexities of 2²⁴ and 2²² full-round COSB-128 encryptions, to recover 63 bits and 6 bits key information, respectively. This research is the first known cryptanalytic result on COSB-128 so far. Furthermore, it is hoped it will extend a new potential with better performance for cryptanalysis on this algorithm with type of ciphers in further research.

Footnotes

Appendix

The differential characteristics in ${Crypt}^{(e)}$ function at several rounds of COSB-128 structure are shown in Figure 4.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This study was supported by Korea Internet Security Agency.

References

Biham

New types of cryptanalytic attacks using related keys

Advances in Cryptology—EUROCRYPT ‘93 1994 765

Springer

398 409 Lecture Notes in Computer Science

Biham

New types of cryptanalytic attacks using related keys

Journal of Cryptology 1994 7 4 229 246

Izotov

B. V.

Moldovyan

A. A.

Moldovyan

N. A.

Controlled operations as a cryptographic primitive

Information Assurance in Computer Networks 2001 2052

Berlin, Germany

Springer

230 241 Lecture Notes in Computer Science

10.1007/3-540-45116-1_23

Moldovyan

A. A.

Moldovyan

N. A.

A cipher based on data-dependent permutations

Journal of Cryptology 2002 15 1 61 72

10.1007/s00145-001-0012-9

MR1880935

2-s2.0-0141755484

Goots

Izotov

Moldovyan

Modern cryptography: Protect Your Data with Fast Block Ciphers 2003

Wayne, Pa, USA

A-LIST Publish

Sklavos

Moldovyan

N. A.

Koufopavlou

High speed networking security: design and implementation of two new DDP-based ciphers

Mobile Networks and Applications 2005 10 1 219 231

10.1023/b:mone.0000048556.51292.31

2-s2.0-17444420720

Moldovyan

On cipher design based on switchable controlled operations

Computer Network Security: : Proceedings of the Second International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, MMM-ACNS 2003, St. Petersburg, Russia, September 21-23, 2003 2003 2776

Berlin, Germany

Springer

316 327 Lecture Notes in Computer Science

10.1007/978-3-540-45215-7_27

Moldovyan

N. A.

Moldovyan

A. A.

Eremeev

M. A.

Protective data transformations in ACSs on the basis of a new primitive

Automation and Remote Control 2002 63 12 1996 2013

10.1023/a:1021651617432

2-s2.0-0036924919

Moldovyan

A Rapid Transformation Method for the Protection of Information in ACSs

Avtomatika i Telemekhanika 2000 4 151 165

10.

Lee

Hong

Sung

Lee

Related-key attacks on DDP based ciphers: CIKS-128 and CIKS-128H

Progress in Cryptology—INDOCRYPT 2004 2004 3348

Springer

191 205 Lecture Notes in Computer Science

10.1007/978-3-540-30556-9_16

MR2147925

11.

Lee

Kim

Hong

Sung

Lee

Related-key differential attacks on Cobra-S128, Cobra-F64a, and Cobra-F64b

Progress in Cryptology—Mycrypt 2005 2005 3715

Springer

244 262 Lecture Notes in Computer Science

12.

Jeong

Lee

Kim

Hong

Security analysis of the SCO-family using key schedules

Information Sciences 2009 179 4232 4242

Related-Key Differential Attacks on COSB-128

Abstract

1. Introduction

2. Description of COSB-128 Block Cipher

3. Key Recovery Attacks on COSB-128

3.1. Properties of COSB-128

3.1.1. Properties with F 2 / 1

3.1.2. Properties with F n / m

3.1.3. Properties with F 64 / 192 ( e )

3.1.4. Properties with Transformation H and G

3.2. Related-Key Differential Characteristics of COSB-128

3.3. The First Related-Key Differential Attack on COSB-128

3.4. The Second Related-Key Differential Attack on COSB-128

4. Conclusion

Footnotes

Appendix

Conflict of Interests

Acknowledgment

References

3.1.1. Properties with $F_{2 / 1}$

3.1.2. Properties with $F_{n / m}$

3.1.3. Properties with $F_{64 / 192}^{(e)}$