Provably Secure Encryption Algorithm Based On Feistel Structure

The document discusses block cipher design principles and proposes a new provably secure symmetric-key encryption (SSE) algorithm based on the Feistel structure. It provides an overview of block cipher design, including the use of substitution boxes and diffusion to provide confusion and diffusion. It notes some drawbacks of existing algorithms like Twofish that use randomly generated or key-dependent S-boxes. The proposed SSE algorithm aims to overcome these drawbacks by using strong algebraic S-boxes that are modified before encryption in a key-dependent but non-random way, providing the benefits of both strong and key-dependent S-boxes with only setup overhead.

International Journal of Computer Applications (0975 – 8887)

Volume 139 – No.1, April 2016

Provably Secure Encryption Algorithm based on Feistel Structure

Ahmed M. Rayan, Master Student, Elec. & Comm. Dep., Faculty of Engineering, ASU, Egypt
Ahmed A. Abdel-Hafez, Elec. & Communications Department, Military Technical College, Egypt
Ismail Mohamed Hafez, Elec. & Comm. Department, Faculty of Engineering, ASU, Egypt

ABSTRACT
In 1997 the National Institute of Standards and Technology (NIST) started a process to select a symmetric-key encryption algorithm to replace DES. NIST determined the evaluation criteria that would be used to compare the candidate algorithms; depending on the analyses and comments received, NIST selected five finalist algorithms (RC6, MARS, Rijndael, Serpent and Twofish). At the end, NIST selected Rijndael as the proposed Advanced Encryption Standard algorithm (AES). Although the Twofish algorithm is based on the Feistel structure and possesses a large security margin, it has some drawbacks: the Twofish structure is not easy to analyse, and the mixing of various operations makes it hard to give a clean analysis and forces the use of approximation techniques. Moreover, the use of key-dependent S-Boxes adds complexity and greatly increases the effort required to write automated tools that search for characteristics (differential, linear, …) of the structure. In this paper a new Secure Symmetric-key Encryption (SSE) algorithm based on the Feistel structure is proposed to overcome the previous drawbacks and produce a provably secure algorithm.

Keywords
Symmetric-key cryptography; Block Ciphers; Substitution-Box; Diffusive Components; MDS; branch number.

1. INTRODUCTION
Symmetric-key cryptography, the most prominent and an important element in many cryptographic systems, comes in two flavors: stream ciphers and block ciphers. The latter type is the more powerful object, as it can be used in more ways: to encrypt and authenticate, and to provide integrity protection and confidentiality. It provides high diffusion (information from one plaintext symbol is diffused into several ciphertext symbols), and it can also be employed in many modes (CTR, OFB, …) to give a stream cipher. A block cipher is easier to implement in software, as it avoids time-consuming bit manipulations and operates on data in computer-sized blocks. This paper is organized as follows: Section 2 provides an overview of block cipher design principles. Section 3 briefly explains the Twofish cryptographic algorithm. Section 4 describes the (SSE) algorithm. Section 5 proves the security of the (SSE) algorithm. Finally, the conclusion and future work are in Section 6.

2. BLOCK CIPHERS DESIGN PRINCIPLES
Block ciphers are the most widely used primitives for ensuring data confidentiality. Let n and k be two positive integers; a block cipher with block-size n and key-size k is a family of 2^k permutations {E_K : {0,1}^n → {0,1}^n}_{K ∈ {0,1}^k} on bitstrings of length n. For implementation reasons, all classical block ciphers are composed of several round-permutations F_i (iterated ciphers) over the finite field GF(2^n), where each F_i, 1 ≤ i ≤ r, is parametrized by a secret quantity k_i named the round key, which is derived from the master key K as shown in figure 1.

Fig 1: Block Cipher

The parameter r is the number of rounds in the cipher. In each iterated cipher, the r round-permutations F_i are chosen to be very similar for two reasons. First, the implementation cost of the iterated cipher in hardware; moreover, this type of design provides some simple security arguments. However, the rounds should be slightly different in order to resist some structural attacks such as slide attacks [1]. This difference may be introduced by the key schedule (i.e. identical round permutations with different round keys), or the round permutations themselves may be slightly different. The main basic constructions for the round permutation are: the substitution-permutation network (SPN), as in Rijndael, Square, …; the Lai-Massey scheme, as in the Proposed Encryption Standard (PES), …; and the Feistel network, as in the Data Encryption Standard (DES), Twofish, …. The latter type, shown in figure 2, relies on an inner function F_k operating on half of the block size.

Fig 2: Feistel network

This structure is used in many encryption algorithms and presents several advantages: the encryption and decryption operations hardly need separate implementations, and consequently the implementation cost is low; it has also been widely studied from the theoretical point of view [2]. Some Feistel structure algorithms are reversible with changes only in the key schedule (e.g., DES and Blowfish), while others use round functions that are slightly different but built from the same blocks, as in the Twofish algorithm. The design principles for the round permutation follow the principles introduced by Shannon [3]:

(1) Confusion: means making "the relation between the simple statistics of the ciphertext and the simple decryption of the key a very complex and involved one". This implies for instance that any algebraic relation between these quantities must have a high degree and a large number of terms.

(2) Diffusion: means "dissipating the statistical structure of the plaintext into long range statistics". This implies that all plaintext bits and key bits must influence all ciphertext bits. The key idea behind the Feistel structure is then to decompose the round function into two distinct steps: a nonlinear substitution function providing confusion, called the Substitution-box, and a linear permutation providing diffusion.

2.1 Substitution-box
The strength of most block ciphers (more specifically their resistance against linear and differential cryptanalysis) is inevitably tied to the strength of their S-Boxes, which are usually their sole non-linear component. An n-bit to m-bit S-Box simply defines a substitution, i.e. to each n-bit input is mapped a corresponding m-bit output value (which does not necessarily have the same length as the input). S-Boxes are responsible for bringing confusion into the data processing. This means that they should hide any mathematical relationship between the plaintext, the ciphertext and the key [2]. It is possible to identify three different strategies to build S-Boxes:

(1) Random choice: choose the contents completely at random. A way to choose random S-Boxes is to make them key-dependent; there are at least two disadvantages, which can be traded off against each other. One is that generating the S-Boxes has a cost. The other is that the generated S-Boxes are not optimized and may even be weak. On the other hand, generating cryptographically strong S-Boxes at run time is impractical [4].

(2) Random choice followed by filtering: generate random ones and check whether they have the desired properties until a good one is found, but this is a very heavy and computation-intensive process [2].

(3) Algebraic constructions: using algebraic methods to offer good non-linearity properties:
    - Mixing non-isomorphic operations (XOR and addition modulo 2^32 for 32-bit vectors, for instance).
    - Using algebraic operations known as mixing of addition in GF(2^n) and in Z_n, or a power function in GF(2^n).
    - Combination of an inverse function X → X^e in GF(2^n) and an affine transformation over some other incompatible algebraic structure.
    - Combination of a power function X → X^e in GF(2^n) and an affine transformation over Z_n.

On the other hand, these constructions are helpful to Courtois-Pieprzyk algebraic attacks [2].

In his introduction to the Biham and Biryukov work on DES with permuted S-Boxes, Schneier summarizes the usefulness of randomly-generated S-Boxes [5]: "Linear and differential cryptanalysis work only if the analyst knows the composition of the S-Boxes. If the S-Boxes are key-dependent and chosen by a cryptographically strong method, then linear and differential cryptanalysis are much more difficult. Remember, though, that randomly-generated S-Boxes have very poor differential and linear characteristics, even if they are secret". To overcome the drawbacks of the previous strategies, strong algebraic S-Boxes that are key-dependent but not randomly generated are used, to get the benefits of strong S-Boxes and also of key-dependent S-Boxes; the key-dependent operations are applied before encryption begins and the modified S-Boxes are used for the actual encryption, so the overhead is exclusively in the set-up phase. There is no increase in the per-block encryption cost. Several classes of operations may be used [4]:

1. Permuting S-Box columns: It can be achieved by permuting each row in a key-dependent way.
2. Adding affine functions to S-Box columns: The addition of affine functions can be done by XORing a constant into all rows; this constant may be the XOR of all bytes of the round subkey.
3. Permuting S-Box inputs: Rearranging the order of the S-Box rows in a key-dependent way.
4. Adding affine functions to S-Box inputs: Adding selected affine functions to S-Box inputs by XORing a constant binary vector into the input and then using the result as the input to the S-Boxes.

2.2 Diffusive components
The purpose of a diffusive construction is to provide an avalanche effect, both in the context of differential and of linear approximations. In the linear context, this means that there should be no correlations between linear combinations of a small set of inputs and linear combinations of a small set of outputs. In the differential context, small input changes should cause large output changes, and conversely [6]. The Maximum Distance Separable (MDS) matrix is a very popular tool to achieve diffusion. The concept of MDS is taken from linear coding, where a code is defined by three variables:
1. n: The length of the codeword (the sum of the number of input and output bytes).
2. k: The dimension of the codeword (dimension of the matrix).
3. d: The minimum number of positions in which any two codewords differ (number of positions where the two codewords differ).

A linear code is called MDS if d = n − k + 1. In simple words, if two inputs with a particular number of differences are applied to an MDS matrix, then at least a certain number of differences in the output are obtained. If the total number of differences in the input bytes is denoted Δin and the total number of differences in the output Δout, then for an MDS matrix Δin + Δout ≥ B, where B is called the branch number, which gives a tighter bound for the security of the cipher (the number of outputs that will change if one byte of input for a single round is changed). For the matrix used in Twofish the branch number is 5, as it has an input of length 4 bytes and an output of 4 bytes (length of codeword n is 8 bytes) and the dimension of the matrix k is 4, so d = 8 − 4 + 1 = 5.

2.3 Efficient MDS matrix generation
The square matrix A is an MDS matrix if every square submatrix of A is nonsingular, or if matrix A is a full rank matrix with an inverse matrix having all entries non-zero and all of its 2 × 2 submatrices full rank. There are many strategies to generate an MDS matrix:


(1) Use of a circulant MDS matrix: a matrix in M_{k×k}(GF(q)) is said to be circulant, and is noted C(α_1, .., α_k), if it is of the form:

        α_1   α_2   ……   α_k
        α_k   α_1   ……   α_{k−1}
        .     .     ……   .
        α_2   α_3   ……   α_1

    where α_1, ..., α_k ∈ GF(q). With this construction, the number of distinct coefficients is minimized to optimize the number of precomputed tables, and the number of "1" coefficients is maximized.

(2) Use of a Hadamard matrix: Hadamard matrices are matrices of the form

        H_1   H_2
        H_2   H_1

    where H_1 and H_2 are Hadamard matrices. An interesting fact is that Hadamard matrices are entirely defined by their first line; therefore only k distinct coefficients are necessary. Another property is that H × H = C^2 · I, where C is the sum of the elements of the first row. By setting C to 1, H = H^{−1}: H is involutory. This reduces the number of coefficients for ciphering and deciphering to k instead of 2k. The matrix of the cipher ANUBIS [7] is such an example:

        1          α          α^2        α + α^2
        α          1          α + α^2    α^2
        α^2        α + α^2    1          α
        α + α^2    α^2        α          1

(3) Use of an algebraic method: It is possible to generate matrices that are MDS by construction using some coding theory. A Reed-Solomon code has a generating matrix of the form:

        G(α) =  1   1           1             ……   1
                1   α           α^2           ……   α^(n−1)
                1   α^2         α^4           ……   α^(2(n−1))
                .   .           .             ……   .
                1   α^(k−1)     α^(2(k−1))    ……   α^((n−1)(k−1))

    and any k × k submatrix of G(α) is an MDS matrix.

3. TWOFISH CRYPTOGRAPHIC ALGORITHM
Twofish, as shown in figure 3, is a 128-bit block cipher that accepts a variable length key. It is a 16-round Feistel network with additional whitening of the input and output. Its encryption and decryption round functions are slightly different, but are built from the same blocks. That is, it is simple to build a hardware or software module that performs both encryption and decryption without duplicating much functionality, but the same module cannot perform both encryption and decryption [8].

Fig 3: Twofish Algorithm

3.1 Input and output whitening
The 128-bit plaintext is divided into four words of 32 bits each. Each word passes through the input whitening process, which XORs four 32-bit subkey words with the 128-bit plaintext.

3.2 F-function
The two words of the left side are used as inputs of the two g-functions inside the F-function in each round. One input word passes through an 8-bit left rotation. A g-function is composed of an MDS matrix multiplier and 4 S-Boxes. The outputs of the two g-functions are combined using a PHT (Pseudo-Hadamard Transform), and two subkeys are added by modulo-2 addition.

3.3 Swapping
The two outputs of the F-function exchange position for the following round. The results of the last round exchange position again after the 16th round and then pass through output whitening to create the 128-bit ciphertext.

3.4 Key schedule
Twofish is defined for keys of length N = 128, N = 192, and N = 256. The global key in our case is 128. The key schedule uses the same primitives as the round function, and provides two sets of subkeys:

1) K subkeys: 40 words of expanded key K_0 .. K_39 (2 words of keys in each round (2 × 16 = 32 words), 4 words for input whitening and 4 words for output whitening; the total is 32 + 8 = 40 words). The generation of the K set is done by dividing the master key (4 words) into two sets M_even (2 words) and M_odd (2 words), then applying M_0, M_1, M_2, M_3 to the function h as shown in figure 4 to generate K_0, .., K_39 [8].


Fig 4: K subkeys generation

2) S subkeys: contains S_0, S_1, which are used in the S-Boxes and are fixed during the entire encryption and decryption process. The generation of the S subkeys is done by taking the key bytes in groups of 8, interpreting them as a vector over GF(2^8) with the primitive polynomial x^8 + x^6 + x^5 + x^3 + x^2 + 1, and multiplying them by a 4 × 8 matrix derived from an RS code.

4. (SSE) ALGORITHM
As mentioned before, although the Twofish algorithm possesses a large security margin, it has some drawbacks: the analysis of its key-dependent S-Boxes is complicated, and the overall complexity of the design has drawn some concern [9]. Moreover, the following observations have been made about it [10]:

1) It is not clear whether the key-dependent S-Boxes used in the Twofish algorithm necessarily offer any additional security over strong fixed S-Boxes. The flexibility of key-dependent S-Boxes can actually be an advantage to the attacker: "Instead of choosing the characteristic to fit the S-Box, we choose the S-Box to fit the characteristic".

2) The designers did not produce any significant reason for adding fixed rotations by one bit position in the algorithm, except that "they believe that the one-bit rotations make cryptanalysis harder, if they have any effect at all". But fixed rotations can be used by the cryptanalyst to reduce the number of active S-Boxes in a characteristic. Maybe this is the reason that one of the Twofish designers said "We have no reason to believe that the 1-bit rotations make Twofish stronger against differential attack" [11].

3) The fixed rotation by eight bits is intended to lead to conflicts that the cryptanalyst will find hard to resolve. However, the use of S-Boxes that change with the key means that there may be some keys that will resolve any potential conflict.

The proposed symmetric-key encryption algorithm (SSE), shown in figure 5, uses a 16-round reversible Feistel structure with additional whitening of the input and output. It overcomes these drawbacks and observations of the Twofish algorithm by providing a proven security for each component, besides constructing a new key schedule that is fast and secure.

Fig 5: (SSE) Algorithm

4.1 S-Boxes layer
Our aim is to build a strong key-dependent S-Boxes layer to overcome the drawbacks (differential cryptanalysis, linear cryptanalysis) of fixed S-Boxes. The building of this S-Box layer is done in two steps:

1) Building offline a random balanced vectorial function over GF(2^8) with the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1 that satisfies good linear properties (nonlinearity, algebraic degree, immunity order, ...) and differential properties (propagation criteria, max. autocorrelation, ...) compared to the S-Boxes of the AES algorithm.

2) Concealing the input of the S-Box by adding an affine function to the S-Box inputs (XORing the round constant into all S-Box inputs) as described by Algorithm 1. The 16 different round constants given by the key schedule yield a different S-Box for each round, and the right circular shift of each constant inside the round function results in 8 different S-Box outputs in each round, as shown in figure 6.

Fig 6: S-Boxes layer

So, the output of the S-Boxes layer depends on the key constant derived from the key schedule algorithm, and this output will be different even if the input to the S-Box is the same.


Algorithm 1: Key dependent S-Boxes
// Input:
//   8 byte input to the Key dependent S-Boxes layer
//   16 round constants of 1 byte each, RC_0 … RC_15
for all r from 0 to 15 do
    for all j from 0 to 7 do            // one S-Box per byte position
        S-box'_r[j] ← S-box_i[j ⊕ (RC_r >>> j)]
    end for
end for
// Output:
//   8 byte output of the Key dependent S-Boxes layer

4.2 Optimal MDS
Our aim was to build an MDS matrix with a high branch number, by implementing an algorithm that generates a random MDS matrix M ∈ M_{k×k}(GF(q)). For efficiency the number of distinct coefficients is minimized to optimize the number of precomputed tables, and the number of « 1 » coefficients is maximized, leading to a simple and efficient implementation in software. The circulant MDS matrix strategy is used. To fit the condition of minimizing the number of distinct coefficients, an efficient circulant matrix C(α) with α_{2^i} = 1 for all i with 0 ≤ i ≤ ⌊log_2(k + 1)⌋ − 1 (i.e. 1 ≤ 2^i ≤ ⌊k/2⌋) is generated:

        C(α) =  01 01 04 01 08 05 02 09
                09 01 01 04 01 08 05 02
                02 09 01 01 04 01 08 05
                05 02 09 01 01 04 01 08
                08 05 02 09 01 01 04 01
                01 08 05 02 09 01 01 04
                04 01 08 05 02 09 01 01
                01 04 01 08 05 02 09 01

4.3 Bit permutation
A regular bit-permutation is used. This bit-permutation, shown in figure 7, can be written in the following way:

        P(i) = i × 8 mod 63,   i ∈ {0, ..., 62}
        P(63) = 63.

This bit-permutation, described by Algorithm 2, satisfies three important features for the algorithm:
(1) If there is a change in only one byte, all output bytes (8 bytes) will change and the number of active S-Boxes will increase.
(2) It helps to make a clear security analysis for the algorithm.

Fig 7: Bit Permutation

Algorithm 2: bit-permutation
// Input: Eight bytes P_I0, …, P_I7
Bit-Permutation (P_O_i[j], P_I_j[i])
{
    for all i from 0 to 7 do
        for all j from 0 to 7 do
            P_O_i[j] ← P_I_j[i]        // bit j of output byte i is bit i of input byte j
        end for
    end for
}
// Output: Eight bytes P_O0, …, P_O7

4.4 Key schedule
As any cipher can be broken due to a bad key-schedule design, many concepts are achieved in our key-schedule design:
(1) Reuse of the same primitives that are used in the encryption algorithm (S-Boxes, MDS, …).
(2) The design is secure and simple to analyse.
(3) Using a constant (IV) to avoid the related subkey attack.
(4) Using the key-dependent S-Boxes layer to avoid linear and differential cryptanalysis.
(5) A change in only one bit of the master key influences all subkeys.
(6) No weak keys.
The key schedule shown in figure 8 and described by Algorithm 3, with a 128-bit global key, provides 40 subkeys of expanded key SK_0, .., SK_39, and 16 round constants (1 byte) RC, one for each round, to be XORed to the input of the S-Boxes.

Fig 8: key schedule
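As an added example (not code from the paper or its authors), the following Python builds the key-dependent S-Boxes layer of Algorithm 1 and the bit permutation of Algorithm 2 and checks the properties sections 4.1 and 4.3 claim for them: the round-constant XOR leaves the S-Box's differential uniformity unchanged, the byte transpose of Algorithm 2 is exactly the map P(i) = 8i mod 63, and a single-byte input difference reaches one output byte per set bit of the difference. The paper does not print its S-Box; the stand-in S-Box (multiplicative inverse over GF(2^8) with the page's polynomial x^8 + x^4 + x^3 + x^2 + 1 followed by the AES affine map) and the sample inputs are assumptions.

```python
# Added example (not code from the paper): the key-dependent S-Boxes layer of
# section 4.1 / Algorithm 1 and the bit permutation of section 4.3 /
# Algorithm 2, with checks of the properties the text claims for them.
# The paper does not print its S-Box, so an ASSUMED stand-in is built the way
# section 5.3 describes: multiplicative inverse over GF(2^8) with the page's
# polynomial x^8 + x^4 + x^3 + x^2 + 1, followed by the AES output affine map.

POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, from section 4.1

# Antilog/log tables; x (0x02) generates the multiplicative group here.
EXP = [0] * 512
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & 0x100:
        _v ^= POLY
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]

def gf_inv(a):
    return 0 if a == 0 else EXP[255 - LOG[a]]

def rotr8(b, n):
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF

def rotl8(b, n):
    return rotr8(b, (8 - n) % 8)

def make_sbox():
    # Inverse in GF(2^8) then the AES affine map (assumed construction).
    box = []
    for x in range(256):
        y = gf_inv(x)
        box.append(y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ 0x63)
    return box

SBOX = make_sbox()

def modified_sbox(box, c):
    # Section 2.1, operation 4: S'(x) = S(x XOR c), an affine change of input.
    return [box[x ^ c] for x in range(256)]

def sbox_layer(inp, rc):
    # Algorithm 1: position j is XORed with the round constant rotated right
    # by j bits before the lookup, so the 8 positions use 8 different S'.
    assert len(inp) == 8 and 0 <= rc < 256
    return [SBOX[inp[j] ^ rotr8(rc, j)] for j in range(8)]

def max_diff_uniformity(box):
    # Largest difference-distribution-table entry over nonzero input
    # differences; an input XOR constant leaves it unchanged (section 5.2).
    best = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[box[x] ^ box[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def bit_permutation(p_in):
    # Algorithm 2: bit j of output byte i is bit i of input byte j.
    p_out = [0] * 8
    for i in range(8):
        for j in range(8):
            if (p_in[j] >> i) & 1:
                p_out[i] |= 1 << j
    return p_out

def perm_index(i):
    # Section 4.3: P(i) = 8 i mod 63 for i in {0, ..., 62}, P(63) = 63.
    return 63 if i == 63 else (8 * i) % 63

def bit_permutation_by_index(p_in):
    # The same permutation applied bit by bit through P(i); bit i lives in
    # byte i // 8 at position i % 8 (least significant bit first).
    p_out = [0] * 8
    for i in range(64):
        if (p_in[i // 8] >> (i % 8)) & 1:
            t = perm_index(i)
            p_out[t // 8] |= 1 << (t % 8)
    return p_out

def active_output_bytes(delta, pos):
    # Output bytes changed by a difference `delta` in input byte `pos`:
    # one per set bit of delta, since the transpose spreads those bits.
    a = bit_permutation([0] * 8)
    b = bit_permutation([delta if k == pos else 0 for k in range(8)])
    return sum(1 for k in range(8) if a[k] != b[k])
```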
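The following Python, added here and not part of the paper, implements the MDS test of section 2.3 (every square submatrix nonsingular) and the single-active-byte bound on the branch number of section 2.2, and runs both on the AES MixColumns matrix and on the circulant C(α) of section 4.2. The field polynomial for C(α) is not given on the page, so x^8 + x^4 + x^3 + x^2 + 1 from section 4.1 is assumed for it and the C(α) verdict depends on that assumption; the AES check uses the AES polynomial.

```python
# Added example (not the paper's code): the MDS criterion of section 2.3
# ("every square submatrix is nonsingular") and the branch-number bound of
# section 2.2, run on the AES MixColumns matrix and on the circulant C(alpha)
# of section 4.2.  The page does not say which field polynomial C(alpha) is
# defined over; x^8 + x^4 + x^3 + x^2 + 1 (the S-Box polynomial of
# section 4.1) is ASSUMED, so the C(alpha) verdict depends on that choice.
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES MixColumns field
SSE_POLY = 0x11D  # assumption for C(alpha), see above

def gf_mul(a, b, poly):
    # Shift-and-add multiplication in GF(2^8) modulo `poly`.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

_TABLES = {}

def mul_table(poly):
    # Full 256 x 256 product table, built once per polynomial, so that the
    # thousands of minors needed for an 8 x 8 check are table lookups.
    if poly not in _TABLES:
        _TABLES[poly] = [[gf_mul(a, b, poly) for b in range(256)] for a in range(256)]
    return _TABLES[poly]

def gf_det(m, poly):
    # Determinant by Gaussian elimination over GF(2^8) (m is not modified).
    t = mul_table(poly)
    m = [row[:] for row in m]
    n, det = len(m), 1
    for c in range(n):
        p = next((r for r in range(c, n) if m[r][c]), None)
        if p is None:
            return 0
        m[c], m[p] = m[p], m[c]      # row swap; no sign change in characteristic 2
        det = t[det][m[c][c]]
        inv = t[m[c][c]].index(1)    # multiplicative inverse of the pivot
        for r in range(c + 1, n):
            if m[r][c]:
                f = t[m[r][c]][inv]
                m[r] = [x ^ t[f][y] for x, y in zip(m[r], m[c])]
    return det

def is_mds(m, poly):
    # Section 2.3: MDS iff every square submatrix (all sizes) is nonsingular.
    n = len(m)
    for size in range(1, n + 1):
        for rows in combinations(range(n), size):
            for cols in combinations(range(n), size):
                if gf_det([[m[r][c] for c in cols] for r in rows], poly) == 0:
                    return False
    return True

def circulant(first_row):
    # Section 2.3, strategy (1): row i is the first row rotated right by i.
    k = len(first_row)
    return [first_row[k - i:] + first_row[:k - i] for i in range(k)]

def mat_vec(m, v, poly):
    t = mul_table(poly)
    out = []
    for row in m:
        acc = 0
        for a, x in zip(row, v):
            acc ^= t[a][x]
        out.append(acc)
    return out

def branch_bound_single_byte(m, poly):
    # Upper bound on the branch number B = min(wt(x) + wt(M x)) of section 2.2,
    # taken over every input difference with exactly one active byte.  For an
    # MDS k x k matrix B = k + 1 and these inputs already attain it.
    k = len(m)
    best = None
    for pos in range(k):
        for d in range(1, 256):
            x = [d if j == pos else 0 for j in range(k)]
            w = 1 + sum(1 for y in mat_vec(m, x, poly) if y)
            best = w if best is None else min(best, w)
    return best

AES_MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# First row of C(alpha) as printed in section 4.2 (hex bytes).
C_ALPHA = circulant([0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09])

if __name__ == "__main__":
    print("AES MixColumns: MDS =", is_mds(AES_MIX, AES_POLY),
          " branch bound =", branch_bound_single_byte(AES_MIX, AES_POLY))
    print("C(alpha) under assumed polynomial: MDS =", is_mds(C_ALPHA, SSE_POLY),
          " branch bound =", branch_bound_single_byte(C_ALPHA, SSE_POLY))
```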


Algorithm 3: key schedule Algorithm
// Input:
//   Master Key 16 bytes M_0 .. M_15, Constant IV (C_0 = 8 bytes)
// Start Algorithm
// Divide the master key into two sets M_1, M_2
for all i from 0 to 7 do
    M_1[i] ← M[i]
    M_2[i] ← M[i + 8]
end for
// Start 20 iterations
for all r from 0 to 19 do
    Z ← hamming weight (C[r])
    if Z is odd then
        // use M_1 as IP and (KC_r = XOR of the M_2 bytes, as the constant XORed with the input of the S-Boxes)
        for all i from 0 to 7 do
            KC_r[i] ← KC_r >>> i
        end for
        for all i from 0 to 7 do
            Sbox_in[i] ← M_1[i] ⊕ KC_r[i]
        end for
        // Apply to S-Boxes
        for all i from 0 to 7 do
            S_O[i] ← S-Box(Sbox_in[i]) ⊕ (M_1[i] >>> i)
        end for
        // Multiply by MDS matrix
        for all i from 0 to 7 do
            M_O[i] ← (MDS × S_O)[i] ⊕ (M_2[i] >>> i)      // row i of the MDS product
        end for
        // Apply to Bit-Permutation
        Bit-Permutation (SK_I, M_O)
        // Generate the output subkey (SK_O)
        SK_O[r] ← SK_I ⊕ C[r]
        // Generate the algorithm round constant (RC)
        if r > 3 then                                     // 20 − 4 = 16 round constants
            for all j from 0 to 7 do
                RC ← XOR (SK_O[j])
            end for
        end if
        // Build the new constant (circular shift of the 64-bit subkey)
        for all i from 0 to 63 do
            C[r + 1] ← SK_I[r] >>> i
        end for
    else    // Z is even
        use M_2 as IP and (RC_r = XOR of the M_1 bytes, as the constant XORed with the input of the S-Boxes)
    end if
end for
// End Algorithm
// Output:
//   20 Subkeys of 8 bytes SK_0, …, SK_19
//   16 Round constants RC (1 byte)

5. (SSE) ALGORITHM
5.1 Brute force attack
As the key length of the (SSE) algorithm is 128 bits, the key has a complexity of 2^128 to be attacked by brute force. Let us use a supercomputer (Tianhe-2, a supercomputer developed by China's National University of Defense Technology, has retained its position as the world's No. 1 system, according to the 45th edition of the twice-yearly TOP500 list of the world's most powerful supercomputers, with a performance of 33.86 petaflop/s (quadrillions of calculations per second) [12]) that does 33.86 × 10^15 decryptions per second. That means 10.41 × 10^23 decryptions per year for one machine. About 2^127 decryptions are needed on average, so one would need 2^127 / (10.41 × 10^23) = 16.34 × 10^13 years, or 2^127 / (10.41 × 10^23) = 16.34 × 10^13 computers for one year, and this is costly and infeasible.

5.2 Linear and differential cryptanalysis
There are two approaches used to ensure the resistance of any block cipher to linear and differential cryptanalysis: either using key-dependent S-Boxes, or increasing the number of active S-Boxes.

In order to achieve the first approach, the S-Box layer started with 8 carefully-prepared, different, strong static S-Boxes with good linear and differential properties compared with AES, and key-dependent operations are applied to the input of the S-Boxes before using them, to achieve the best differential and linear characteristics. The goal was to introduce additional entropy so that attacks which depend on knowledge of the S-Boxes become impractical, without changing the properties which make the S-Boxes strong. An affine function is added to the input of the S-Boxes (XORing a round constant to the input) before encryption begins, and the modified S-Boxes layer is used for the actual encryption. The addition of affine functions does nothing to degrade the cryptographic security of the S-Boxes layer. However, such an operation can make it significantly more difficult to construct characteristics in a differential cryptanalysis attack (because it cannot be computed in advance when the XOR of two given S-Box outputs will produce one value or another). Hence, this operation increases the security of the cipher by raising the computational complexity of mounting this attack [4].

For the second approach, the diffusion layers of the (SSE) algorithm are the MDS and the bit permutation. Replacing the permutation layer in an SPN with a diffusive linear transformation improves the avalanche characteristics of the block cipher, which increases the cipher's resistance to differential and linear cryptanalysis [13-14]. Thus the main application of MDS matrices in cryptography is in designing block ciphers that provide security against differential and linear cryptanalysis [6].

If there is one active byte at the input to the F function, there must be at least 8 active bytes at its output. For the next round, one active S-Box will appear at the output of the MDS (Piling-Up Lemma) [15], but the bit permutation layer increases this number to 8 bytes. The minimal number of active S-Boxes for the (SSE) algorithm satisfies the relation (number of active S-Boxes = 8r + 1, where r = 0:15), and is shown in table 1, compared to the minimal number of active S-Boxes for AES shown in table 2. The total number of active S-Boxes increases faster.

Table 1: Number of active S-Boxes in (SSE) algorithm

    Round   1   2   3   4   5   6   7   8   9   10
    Min.    1   9   17  25  33  41  49  57  65  73

Table 2: Number of active S-Boxes in AES

    Round   1   2   3   4   5   6   7   8   9   10
    Min.    1   5   9   25  26  30  34  50  51  55


5.3 Higher order differential cryptanalysis
This is another version of differential cryptanalysis; it looks at higher order relations between pairs of plaintexts and ciphertexts, and is applicable to algorithms which can be represented as Boolean polynomials of low algebraic degree [16][17], or algorithms with few rounds and poor short-term diffusion. In order to avoid this attack, the (SSE) algorithm S-Box has been generated using the multiplicative inverse procedure similar to AES, with a randomly chosen primitive polynomial defining the Galois field. The nonlinearity of this S-Box is 110 and its nonlinear degree is 7; strong diffusion functions (MDS, bit permutation) are used and the number of rounds equals 16.

5.4 Interpolation attack
This attack is effective against ciphers with a very small number of rounds, or against ciphers whose round functions have very low algebraic degree [18]. The (SSE) algorithm has two reasons that make this attack very unlikely to succeed. The first reason: the S-Boxes have a large algebraic degree (= 7); moreover, the combination of operations from different algebraic groups (including both addition mod 2^32 and XOR operations) increases the degree. The second reason: its number of rounds is large (= 16).

5.5 Related-key attack and slide attack
These attacks focus on the key scheduling. In the related-key attack, the attacker obtains the encryption of certain plaintexts under several keys having certain relationships with each other, to reveal the secret key. The basic related-key attack is the "chosen key attack", based on the observation that in many block ciphers the key scheduling algorithm can be viewed as a set of algorithms each of which "extracts one particular subkey from the subkeys of previous rounds". If all the algorithms for extracting the subkeys of the various rounds are the same, then for a given key all the subkeys can be shifted one round backwards to get a new set of valid subkeys which can be derived from some other key [19]. It depends on slow diffusion or symmetry in the key schedule. The (SSE) key schedule algorithm uses functions that have maximum diffusion (MDS, bit permutation) and a strong key-dependent S-Boxes layer. The generation of each round subkey is independent of the other round subkeys and depends only on the master key. Although the structure of the key schedule algorithm seems the same during the generation of each round subkey, it differs in many things:
(1) The contents of the S-Boxes layer are not the same in each round but depend on a constant that is derived from the XORed bytes of the previous round subkey after a circular shift right (not from the previous round subkey directly).
(2) In each round, the generation of its subkey depends on one half of the master key, M_1 or M_2 (independently of any other subkeys). The selection between the two halves depends on the Hamming weight (even or odd) of the byte resulting from the XORed bytes of the previous round subkey after a circular shift right.
(3) A change in any bit of the master key influences SK_i and the round constant RC_i directly, as the values that are XORed with the outputs of the S-Boxes and MDS differ depending on the round number (M_1 >>> r, M_2 >>> r).

A slide attack can be viewed as a particular case of a related-key attack in which the relation is between the key and itself. If the function F is weak enough, it permits retrieving the key k, so the structure of the H-function of the key schedule algorithm (strong key-dependent S-Boxes, MDS, bit permutation) makes this attack very unlikely to succeed.

5.6 Related subkey attack
The idea of this attack depends on finding a fixed difference (relationship) between expanded keys (subkeys), but not between original keys. It is applied to an 11-round version of 256-bit AES, since its key schedule is close to linear and therefore the subkeys can be viewed as a codeword of a linear code. Such a fixed difference between expanded keys (subkeys) in the (SSE) key schedule algorithm is infeasible as:
(1) The generation of each round subkey is independent of the other round subkeys and depends only on the master key.
(2) The structure of the key schedule algorithm is slightly different for each round (the S-Boxes layer is not the same; the values M_1 >>> r and M_2 >>> r that are XORed with the outputs of the S-Boxes and MDS depend on the round number).
(3) A different constant is XORed with the output subkey in each round.
The previous reasons make this attack very unlikely to succeed.

6. CONCLUSION AND FUTURE WORK
This paper has proposed a new secure symmetric-key encryption (SSE) algorithm based on the well-studied Feistel structure to overcome the drawbacks and observations of the Twofish algorithm. Each component in the (SSE) algorithm was studied carefully; a proven security for these components is produced. The cipher structure can be used on platforms with limited resources, as the identical function is used for encryption and decryption with changes only in the key schedule. A new key-dependent S-Boxes layer was designed, fully dependent on the master key, which improves cipher quality when it comes to linear and differential cryptanalysis. A new efficient MDS matrix and a bit permutation are used to increase the number of active S-Boxes compared to the AES algorithm. The key schedule is secure and simple to analyse, uses the same components that are used in the (SSE) algorithm, and has been considerably simplified in comparison to that of the Twofish algorithm.

New cryptanalytic attacks such as the algebraic attack and the fast algebraic attack on the (SSE) algorithm, to evaluate it, will be our future work.

7. REFERENCES
[1] A. Biryukov, D. Wagner, "Slide Attacks," Fast Software Encryption (FSE'99), volume 1636, Lecture Notes in Computer Science, pp. 245-259, Springer, 1999.
[2] P. Junod, Statistical Cryptanalysis of Block Ciphers (Lausanne, EPFL, 2005).
[3] C. E. Shannon, "Communication theory of secrecy systems," Bell System Technical Journal, vol. 28, pp. 656–715, Oct. 1949.
[4] S. Harris, C. Adams, "Key-Dependent S-Box Manipulations," Selected Areas in Cryptography (SAC '99) Proceedings, LNCS 1556, Springer, 1999.

7
International Journal of Computer Applications (0975 – 8887)
Volume 139 – No.1, April 2016

[5] M. Matsui, R. Zuccherato,” Selected Areas in [12] Top500 List - June 2015.
Cryptography,” 10th Annual International Workshop, http://www.top500.org/list/2015/06/
SAC 2003, Ottawa, Canada, August 2003.
[13] H. M. Heys, S. E. Tavares, “The Design of Substitution-
[6] K. Gupta, I. Ghosh Ray, “On Constructions of MDS Permutation Networks Resistant to Differential and
Matrices from Companion Matrices for Lightweight Linear Cryptanalysis,” Proceedings of 2nd ACM
Cryptography,” CD -ARES 2013 Workshops, Conference on Computer and Communications Security,
MoCrySEn, pp. 29-43, Springer 2013. Fairfax, Virginia, pp. 148–155, 1994.
[7] P. S. L. M. Barreto and V. Rijmen, “The ANUBIS block [14] H. M. Heys, S. E. Tavares, “Avalanche Characteristics of
cipher,” 1st NESSIE Workshop, Heverlee, Belgium, Substitution - Permutation Encryption Networks,” IEEE
Nov. 2000. Trans. Comp., Vol. 44, pp. 1131-1139, Sept 1995.
[8] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, [15] ] M. Matsui, “ Linear cryptanalysis method for DES
N. Ferguson, “Twofish: A 128-bit Block Cipher,” AES cipher,” in Advances in Cryptology -EUROCRYPT'93,
Round 1 Technical Evaluation CD-1: Documentation, Lecture Notes in Computer Science 765, Springer-
National Institute of Standards and Technology, Aug Verlag, pp. 386–397, 1994.
1998.
[16] X. Lai, “Higher order derivatives and differential
[9] J. Nechvatal, E. Barker, D. Dodson, M. Dworkin, J. Foti cryptanalysis,” Communications and Cryptology,
and E. Roback,” Status report on the first round of the pp.227-233, Kluwer Academic Publishers, 1994.
development of the advanced encryption standard,”
Journal of Research of the NIST, vol. 104, no 5, [17] L.R. Knudsen, “Truncated and Higher Order
Nechvatal et al., Sep-Oct, 1999. Diff erentials,” Fast Software Encryption, 2nd
International Workshop Proceedings, pp. 196– 211,
[10] S. Murphy, M. Robshaw,” Differential Cryptanalysis, Springer- Verlag, 1995.
Key- Dependent S-Boxes and Twofish,” Codes and
Cryptography, Vol. 27, pp. 229-255, 2002. [18] T. Jakobsen and L.R. Knudsen, “The interpolation attack
on block ciphers,” Fast Software Encryption, LNCS
[11] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, 1267, pp. 28-40, Springer- Verlag, 1997.
N. Ferguson,” Twofish: A 128-bit Block Cipher,”
Counterpane Systems, USA, AES submission, 15 June, [19] G. Piret, M. Ciet, J. Quisquater, “Related key and slide
1998. attacks: Analysis, connections, and improvements,”
Proceedings of the 23rd Symposium on IT in Benelux,
pp. 315-325, 2002.
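The slide-attack remark in Section 5.5, and reason (3) there (a different constant xored into the subkey of every round), as an added example that is not part of the original paper and is not the (SSE) algorithm itself: a toy 16-bit iterated cipher whose key schedule repeats the same subkey in every round is broken by a known-plaintext slide attack, because shifting all subkeys one round backwards yields the same valid subkey sequence, while the same attack fails once a distinct round constant is xored into each subkey. The cipher, its S-box (a seeded random 8-bit permutation), the constants and the plaintext sample are all constructed for this example.

```python
"""Slide attack on a toy iterated cipher, with and without round constants.

Constructed example (not the SSE algorithm): block size 16 bits, round
function F_k(x) = S(x ^ k) with a fixed 16-bit bijection S, 16 rounds.
The subkey of round i is key ^ RC[i]; RC = [0]*16 is a periodic schedule.
"""
import random

ROUNDS = 16
MASK16 = 0xFFFF

# Constructed 8-bit bijection (seeded for reproducibility). The attack never
# looks inside S; any fixed bijection behaves the same way.
_rng = random.Random(2016)
_SBOX8 = list(range(256))
_rng.shuffle(_SBOX8)
_INV8 = [0] * 256
for _x, _y in enumerate(_SBOX8):
    _INV8[_y] = _x


def rotl16(x, n):
    """Rotate a 16-bit word left by n bits."""
    return ((x << n) | (x >> (16 - n))) & MASK16


def s16(x):
    """Fixed 16-bit bijection: two 8-bit S-boxes, then a rotation for diffusion."""
    return rotl16((_SBOX8[x >> 8] << 8) | _SBOX8[x & 0xFF], 5)


def s16_inv(y):
    """Inverse of s16: undo the rotation, then invert each S-box."""
    t = rotl16(y, 11)  # rotate right by 5
    return (_INV8[t >> 8] << 8) | _INV8[t & 0xFF]


def round_fn(x, subkey):
    """One round: subkey xor, then the fixed bijection."""
    return s16(x ^ subkey)


def encrypt(p, key, round_consts):
    """Iterate round_fn; the subkey of round i is key ^ round_consts[i]."""
    x = p
    for rc in round_consts:
        x = round_fn(x, key ^ rc)
    return x


# Periodic schedule: every round uses the same subkey, so shifting all
# subkeys one round back gives the same valid subkey sequence.
NO_CONSTANTS = [0] * ROUNDS
# A distinct constant in every round breaks that self-similarity.
DISTINCT_CONSTANTS = [(0x1111 * i) ^ 0x5A5A for i in range(ROUNDS)]


def slide_attack(pairs, round_consts):
    """Known-plaintext slide attack; returns the recovered key or None.

    For a slid pair (P, P') with P' = F_K(P), self-similarity of the rounds
    gives C' = F_K(C) as well, so K = S^-1(P') ^ P = S^-1(C') ^ C, which
    means P ^ C == S^-1(P') ^ S^-1(C'). Index that right-hand side once and
    look each (P, C) up in O(1); chance hits are discarded by re-encrypting
    both plaintexts of the pair under the candidate key.
    """
    index = {}
    for p2, c2 in pairs:
        index.setdefault(s16_inv(p2) ^ s16_inv(c2), []).append((p2, c2))
    for p1, c1 in pairs:
        for p2, c2 in index.get(p1 ^ c1, ()):
            cand = s16_inv(p2) ^ p1
            if (encrypt(p1, cand, round_consts) == c1
                    and encrypt(p2, cand, round_consts) == c2):
                return cand
    return None


def known_plaintexts(key, round_consts, n=1024, seed=1):
    """Constructed data set: n distinct pseudo-random plaintexts with their ciphertexts."""
    rng = random.Random(seed)
    return [(p, encrypt(p, key, round_consts)) for p in rng.sample(range(1 << 16), n)]


def demo(key=0xBEEF):
    """Run the attack against both schedules; returns (periodic_result, constants_result)."""
    periodic = slide_attack(known_plaintexts(key, NO_CONSTANTS), NO_CONSTANTS)
    with_consts = slide_attack(known_plaintexts(key, DISTINCT_CONSTANTS), DISTINCT_CONSTANTS)
    return periodic, with_consts


if __name__ == "__main__":
    periodic, with_consts = demo()
    print("periodic schedule :", "recovered key %#06x" % periodic if periodic is not None else "failed")
    print("round constants   :", "recovered key %#06x" % with_consts if with_consts is not None else "no slid pair survives, attack fails")
```

With 1024 known plaintexts on a 16-bit block, about 16 slid pairs are expected by the birthday bound, so the periodic schedule gives up its key with a single dictionary pass; with distinct round constants the relation C' = F_K(C) no longer follows from P' = F_K(P), every candidate fails the re-encryption check, and the attack returns nothing. The number of rounds plays no part in either outcome, which is why a key schedule, not round count, is the defence against this class of attack.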
