About this Journal Submit a Manuscript Table of Contents
International Journal of Distributed Sensor Networks
Volume 2013 (2013), Article ID 169638, 9 pages
http://dx.doi.org/10.1155/2013/169638
Research Article

Security Analysis of Scalable Block Cipher PP-1 Applicable to Distributed Sensor Networks

1Center for Information Security Technologies (CIST), Korea University, Anam-dong, Seongbuk-gu, Seoul 136-713, Republic of Korea
2Department of Mathematics, University of Seoul, Jeonnong-dong, Dongdaemun-gu, Seoul 130-743, Republic of Korea
3Department of Computer Science and Engineering, Seoul National University of Science and Technology, 232 Gongneung-ro, Nowon-gu, Seoul 139-743, Republic of Korea
4Electronics and Telecommunication Research Institute, 218 Gajeong-ro, Yuseong-gu, Daejeon 305-700, Republic of Korea

Received 12 August 2013; Accepted 22 August 2013

Academic Editor: Jongsung Kim

Copyright © 2013 Yuseop Lee et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

PP-1 is a scalable block cipher which can be implemented on a platform with limited resource. In this paper, we analyze the security of PP-1 by using truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1, PP-1/64, PP-1/128, PP-1/192, and PP-1/256. Our attack is applicable to full-round versions of them, respectively. The proposed attacks can recover a secret key of PP-1 with the computational complexity which is faster than the exhaustive search. These are the first known cryptanalytic results on PP-1.

1. Introduction

Recently, the research on lightweight block ciphers has received considerable attention. Since these can be efficiently implemented under restricted resources such as low-cost, low-power, and lightweight platforms, they are applicable to low-end devices such as RFID tags, sensor nodes, and smart devices [16]. So far, many lightweight block ciphers (e.g., HIGHT [7], CLEFIA [8], KATAN/KTANTAN [9], PRINTCIPHER [5], and PP-1 [10]) have been proposed.

PP-1 is an involutional SPN block cipher which can be implemented on a platform with limited resources. It supports the scalability, which allows using different data block sizes and secret key sizes. In detail, PP-1 is an -bit scalable block cipher and supports -bit secret keys. . It uses an S-box which is an involution and a bit-oriented permutation which is also an involution. As a result, it is a totally involutional cipher. To our knowledge, there is no cryptanalytic result on PP-1.

In this paper, we analyze the security of PP-1 on truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1, PP-1/64, PP-1/128, PP-1/192, and PP-1/256. Here, , , , and indicate the length of data blocks. Our attack is applicable to full-round versions of them, respectively. Our attack results are summarized in Table 1. Here, PP-1/_ means an -bit PP-1 which supports a -bit secret key. Note that since our attacks do not use the property of the key schedule of PP-1, the data complexity and the memory complexity of the attacks on PP-1/_ and PP-1/_ have the same value. From this table, our attacks can recover a secret key of PP-1 with the computational complexity which is faster than the exhaustive search. These results are the first known cryptanalytic results on PP-1.

tab1
Table 1: Our attack results on PP-1.

The rest of this paper is organized as follows. In Section 2, we briefly present PP-1. In Section 3, differentials on PP-1 are derived, and their probabilities are computed. Truncated differential cryptanalysis on each version of PP-1 is proposed in Sections 4, 5, and 6, respectively. Finally, we give our conclusion in Section 7.

2. Description of PP-1

PP-1 is an -bit scalable block cipher and has -round SPN structure . The length of a secret key is or bits. In [10], the designers of PP-1 proposed the following four versions of PP-1 as concrete examples. (i)PP-1/64: , , that is, a -round block cipher with  bit secret keys and rounds. (ii)PP-1/128: , , PP-1/192: , , PP-1/256: , .

For the simplicity of notations, we denote an -bit PP-1 with a -bit secret key PP-1/_. And input/output values and a round key in round are denoted by , , and , respectively .

We omit the key schedule of PP-1, as it is not effectively used in our attack.

2.1. The Round Function

As shown in Figure 1(a), the round function of PP-1 consists of nonlinear functions and an -bit involutional permutation . For example, when , the round function uses only . Note that is not conducted in the last round. have the same structure but different round keys are used.

fig1
Figure 1: (a) The round function of PP-1 and (b) the nonlinear function .

In round , two -bit round keys are used as follows: Here, takes  bit sub-round key .

2.2. The Nonlinear Function

In round , outputs a  bit value from a  bit input value and a  bit subround key . It consists of one S-box , , , and modulo (see Figure 1(b)).

A  bit sub-round key is divided into eight  bit elementary keys as follows, respectively: Thus, each elementary key is XORed or added or subtracted with an  bit intermediate value. For example, is XORed with the  bit output value of the first S-box.

2.3. The Permutation Function

is an -bit involutional bit-oriented permutation. It is constructed by using two algorithms, the auxiliary algorithm (Algorithm 1) to compute auxiliary permutation Prm and the main algorithm (Algorithm 2) to compute permutation .

alg1
Algorithm 1: Prm(, , ).

alg2
Algorithm 2: (, , ).

For example, the  bit permutation is obtained as a result of calls of Algorithm 2 for a pair numbered as from to , the number of block bits and the number of S-box bits . When , the value of Prm is equal to and the resultant pair . It means that the third bit of the input value is mapping to the eighteenth bit of the output value.

3. Construction of Differentials on PP-1

In this section, we introduce the methodology of constructing differentials on PP-1 used in our attacks. For the simplicity of notations, we define the following notations. (i): a -round differential characteristic where input/output differences are and , respectively. (ii): a -round differential where input/output differences are and , respectively. (iii): a byte string where the th byte value is and the other bytes are zero (the index of the left most byte is ).

3.1. Differential Characteristic on PP-1

In general, a differential characteristic with the higher probability passes less nonlinear operations, such as S-box, than it with the lower probability. Recall that a -function consists of S-box, addition, substraction, and XOR. Among these operations, nonlinear operations are S-box, addition, and subtraction. Thus, in order to construct a differential characteristic with a high probability, we should avoid them.

We examined such differential characteristics on PP-1. As a result, we found several -round differential characteristics with a probability of . For example, in the case of PP-1/64, we can construct with a probability of . This characteristic passes only one S-box in each round and the probability that S-box outputs an output difference from an input difference is .

We expect that this type of difference characteristics have the highest probability. That is, they pass least S-boxes, addition operations, and subtraction operations. We extend it to differentials in the next subsection.

3.2. Finding of Differentials with a High Probability

The probability of a differential is computed by adding the probabilities of all differential characteristics which are included in it. The more differential characteristics with a high probability a differential includes, the higher its probability is. Thus, in order to find a differential on PP-1 with a high probability, we consider the following criteria. (i)In each round, a differential characteristic has only one active S-box. (ii)In each round, a differential characteristic does not pass addition/subtraction operations.

The probabilities that all -round differential characteristics satisfying the above criteria are at least , since the minimum probability from the difference distribution table on S-box is . Thus, we measure the probability of a differential by counting only the number of differential characteristics which satisfy the above criteria and are included in it. That is, if there are such differential characteristics, the probability of a differential including them is at least . On the other hand, in the case of differential characteristics which do not satisfy the above criteria, they pass the additional nonlinear operations in each round. In this case, the probabilities of them are much smaller than . Thus, we expect that differential characteristics which do not satisfy the above criteria depend on the probability of a differential less.

In order to count efficiently differential characteristics satisfying the above criteria, we consider differences ’s satisfying the following conditions. (i) where and is a nonzero byte value. (ii) where and is a nonzero byte value.

Let be a set containing such ’s. We can easily prove that all -round differential characteristics satisfying the above criteria include in each round . It means that we only need to consider in order to find all differential characteristics holding the above criteria.

Let be the number of . For each and included in , we compute using the following recurrence relation: Since is compute by using the difference distribution table for an S-box of PP-1, we can easily compute for given .

For example, we found twenty one ’s for PP-1/64 (see Table 2). As a simulation result, is . It means that the probability of is .

tab2
Table 2: A difference set for PP-1/64.

4. Truncated Differential Analysis on PP-1/64

In this section, we propose truncated differential analysis on full-round PP-1/64_64 and full-round PP-1/64_128. Since PP-1/64_64 and PP-1/64_128 have the same structure except the key schedule, the attack procedures on them are similar. Thus, we mainly introduce the attack procedure on PP-1/64_64.

By using the method in the previous section, we construct forty nine -round differentials . And we extend these -round differentials to total -round differentials . Here, ’s are defined as follows :

4.1. Construction of Structures

We consider a structure consisting of plaintext; that is, where is a  bit fixed value. Then we can compose plaintext pairs for each structure. Among these plaintext pairs, there are plaintext pairs where an input difference of round is one of for each . Table 3 presents the expected number of right plaintext pairs where an output difference of round is included in . These values are computed as follows:

tab3
Table 3: The expected number of right pairs for PP-1/64.
4.2. Truncated Differential Analysis on PP-1/64

The main idea of our attack is to exploit the fact that the expected number of plaintext pairs where an output difference of round is included in is for each structure (see Table 3).

In our attack on PP-1/64_64, we first obtain a  bit partial information on and an  bit . The attack procedure is as follows (see Figure 2).(1) Choose structures which are composed of plaintexts and obtain the corresponding ciphertexts. From these ciphertexts, compute ciphertext pairs (note that we can compute total ciphertext pairs for each structure). (2)Check that the difference between ciphertext pair is ; that is, for each . We keep all ciphertext pairs passing Step and the corresponding plaintext pairs in a table and call a set containing them . (3)Filter out the ciphertext pairs where , and are not zero in . Do the following for the remaining ciphertext pairs: (a)Guess an  bit (note that this substep indicates “Guess 1” in Figure 2). (b)Partially encrypt all remaining ciphertext pairs with the guessed round key to get . Check that is included in from (4). If it is included in , add the counter, corresponding to the guessed key, to one. (c)Output a guessed key which has the maximal counter as a right . (4)From , filter out the ciphertext pairs where , , and are not zero and the ciphertext pairs considered in Step . Do the following for the remaining ciphertext pairs: (a)Check that is a nonzero value for each remaining ciphertext pair. Partially encrypt the ciphertext pairs passing this test with the recovered round key to obtain . If this value is not included in , filter out the corresponding ciphertext pairs. (b)Guess  bit round keys . (“Guess 2” in Figure 2). (c)Similarly to Step , partially encrypt the remaining ciphertext pairs with the guessed round keys to get . Check that is included in from (4). If it is included in , add the counter, corresponding to the guessed key, to one. (d)Output a guessed key which has the maximal counter as right and . (5)From , discard the ciphertext pairs where , and are not zero and the ciphertext pairs considered in Step and . Do the following for the remaining ciphertext pairs: (a)Similarly to Step , filter out the ciphertext pairs where and are not included in and , respectively. (b)Guess an  bit round keys . (“Guess 3” in Figure 2). (c)Similarly to Step , check that is included in . Output a guessed key which has the maximal counter as a right . (6)From , discard the ciphertext pairs where and are not zero and the ciphertext pairs considered in Step , and . Do the following for the remaining ciphertext pairs:(a)Similarly to Step , filter out the ciphertext pairs where , and are not included in , and , respectively. (b)Guess an  bit round keys . (“Guess 4” in Figure 2). (c)Similarly to Step , check that is included in . Output a guessed key which has the maximal counter as a right . (7)From , filter out the ciphertext pairs where is not zero and the ciphertext pairs considered in Step , , and . Do the following for the remaining ciphertext pairs:(a)Similarly to Step , filter out the ciphertext pairs where , , and are not included in , , and , respectively. (b)Guess  bit round keys . (“Guess 5” in Figure 2). (c)Similarly to Step , check that is included in . Output a guessed key which has the maximal counter as right and . (8)From , filter out the ciphertext pairs considered in Step , , , and . Do the following for the remaining ciphertext pairs:(a)Similarly to Step , filter out the ciphertext pairs where , , , and are not included in , , , and , respectively. (b)Guess  bit round keys . (“Guess 6” in Figure 2). (c)Similarly to Step , check that is included in . Output a guessed key which has the maximal counter as right and . (9)Get the the corresponding plaintext pairs to all ciphertext pairs considered in Step , , , , and , respectively. With them, do the following:(a)Guess an  bit (“Guess 7” in Figure 2). (b)Partially encrypt the plaintext pairs in Step with the guessed round key to obtain the output difference of the th S-box in round , that is, . (c)If the computed difference is included in , add the counter, corresponding to the guessed key, to one. (d)Output a guessed key which has the maximal counter as a right . (10)With an  bit suggested round key, compute a secret key by operating the key schedule of PP-1_64. Output the computed secret key as a right secret key of PP-1_64.

169638.fig.002
Figure 2: The attack procedure on full-round PP-1/64_64.

In our attack on PP-1/64_64, we construct structures which are composed of plaintexts. Thus, the data complexity of our attack is about chosen plaintexts. We store all ciphertext pairs passing Step and the corresponding plaintext pairs in a table. The probability that a ciphertext pair passes Step is . Thus, ciphertext pairs pass this step. Hence, the memory complexity of this attack is about memory bytes.

The computational complexity of our attack is dominated by Step . The computational complexity of Step is about encryptions. The probability that a wrong ciphertext pair passes Step is . Since the expected number of the remaining wrong ciphertext pairs is , we expect that only right ciphertext pairs are survived. From (4), we can check easily that all ciphertext pairs where the corresponding 's are included in pass Step . Thus, the expected number of right ciphertext pairs is from Table 3. The computational complexity of Step is about encryptions. Similarly to Step , the computational complexities of other steps are also small. Hence, the computational complexity of our attack on PP-1/64_64 is about encryptions.

In the case of the attack on PP-1/64_128, the data and memory complexities are the same as them of the attack on PP-1/64_64. However, the computational complexity of this attack is dominated by Step and , since we should do an exhaustive search for the remaining  bit key information. The computational complexity of Step is about encryptions. In Step , the probability that a wrong key passes this step is . Thus, it is sufficient to use just one plaintext/ciphertext pair. The computational complexity of Step is about . Hence, the computational complexity of PP-1/64_128 is about encryptions.

5. Truncated Differential Analysis on Full-Round PP-1/128

Our attacks on full-round PP-1/128_128 and full-round PP-1/128_256 use -round differentials which are constructed by using the method introduced in Section 3. In detail, in order to construct them, we consider twenty five -round differentials . Then we extend these -round differentials to total -round differentials . Here, 's are defined as follows :

In the similar manner to the previous section, we choose a structure which consist of plaintext; that is, , where is a  bit fixed value. Then, as shown in Table 4, we can calculate the expected number of right plaintext pairs where is included in for each structure.

tab4
Table 4: The expected number of right pairs for PP-1/128.
5.1. Truncated Differential Analysis on PP-1/128

Our attack on full-round PP-1/128_128 is similar to that on full-round PP-1/128_256. Thus, we mainly present the attack procedure on PP-1/128_128. Since it is similar to the attack procedure on full-round PP-1/64_64, we briefly introduce it. The attack procedure on full-round PP-1/128_128 is as follows (see Figure 3).(1)Select structures which are composed of plaintexts and get the corresponding ciphertexts. From these ciphertexts, compute ciphertext pairs (). (2)Check that for each ciphertext pair. We keep all ciphertext pairs passing Step and the corresponding plaintext pairs in a table and call a set containing them .(3)From , filter out the ciphertext pairs where , , , , , and are not zero. Do the following for the remaining ciphertext pairs:(a)Guess an  bit round key (“Guess 1” in Figure 3). (b)Check that is included in . Output a guessed key which has the maximal counter as right . (4)Similarly to Step , determine sequentially the following right round keys.(a) (“Guess 2”), (b) (“Guess 3”). (c) (“Guess 4”). (d) (“Guess 5”). (e) (“Guess 6”). (f) (“Guess 7”). (5)Get the the corresponding plaintext pairs to all ciphertext pairs considered in Steps and . With them, do the following: (a)Guess an  bit (“Guess 8”). (b)Partially encrypt the plaintext pairs in Step with the guessed round key to obtain the output difference of the th S-box in second -function of round , that is, . (c)If the computed difference is included in , add the counter, corresponding to the guessed key, to one. (d)Output a guessed key which has the maximal counter as a right . (6)With an  bit suggested round key, do an exhaustive search for the remaining  bit key information by using one trial encryption. During this procedure, if a  bit secret key satisfies one known plaintext/ciphertext pair, output this  bit secret key as a right  bit secret key of full-round PP-1/128_128.

169638.fig.003
Figure 3: The attack procedure on full-round PP-1/128_128.

In this attack, we construct structures. Thus, the data complexity of our attack on full-round PP-1/128_128 is about chosen plaintexts. In Step , since the probability that a ciphertext pair passes Step is , we store ciphertext pairs pass this step and the corresponding plaintext pairs in a table. Thus, the memory complexity of this attack is about memory bytes. The computational complexity of this attack is dominated by Step , that is, about encryptions.

In the case of the attack on full-round PP-1/128_256, the data and memory complexities are the same as them of the attack on full-round PP-1/128_128. However, the computational complexity of this attack is dominated by Step , since we should do an exhaustive search for the remaining  bit key information. In Step , the probability that a wrong key that passes this step is . Thus, this step needs two plaintext/ciphertext pairs. The computational complexity of Step is about encryptions. Hence, the computational complexity of our attack on full-round PP-1/128_256 is about encryptions.

6. Truncated Differential Analysis on Full-Round PP-1/192 and PP-1/256

This section introduces our attack results on full-round PP-1/192 and full-round PP-1/256. Overall, the attack procedures on them are similar to the attack procedures on PP-1/64.

Our attacks on full-round PP-1/192 uses structures , where is a  bit fixed value. First, we construct thirty six -round differentials . Then we extend these -round differentials to total -round truncated differentials   . Note that ’s used in this attack are the same as them in the attack on full-round PP-1/128. Table 5 presents the expected number of right plaintext pairs where is included in in each structure. The complexities of our attacks are as follows.

tab5
Table 5: The expected number of right pairs for PP-1/192.

PP-1/192_192(PP-1/192_384)(a)The data complexity: about chosen plaintexts. (b)The memory complexity: about memory bytes. (c)The computational complexity: about encryptions.

In the case of PP-1/256, we consider structure , where is a  bit fixed value. And we construct -round differentials . Note that ’s used in this attack are also the same as them in the attack on full-round PP-1/128. Table 6 presents the expected number of right plaintext pairs where is included in in each structure. The complexities of our attacks are as follows.

tab6
Table 6: The expected number of right pairs for PP-1/256.

PP-1/256_256(PP-1/256_512)(a)The data complexity: about chosen plaintexts. (b)The memory complexity: about memory bytes. (c)The computational complexity: about encryptions.

7. Conclusion

In this paper, we have presented the first known cryptanalytic results of four concrete versions of a scalable block cipher PP-1, full-round PP-1/64, full-round PP-1/128, full-round PP-1/192, and full-round PP-1/256, by using truncated differential cryptanalysis. As summarized in Table 1, our attacks on these algorithms require computational complexities smaller than the exhaustive search. These results indicate that PP-1 is vulnerable to truncated differential cryptanalysis and that it is insecure.

Acknowledgments

This research was supported by the Ministry of Science, ICT and Future Planning (MSIP), Korea, under the Convergence Information Technology Research Center (C-ITRC) support Program (NIPA-2013-H0301-13-3007) supervised by the National IT Industry Promotion Agency (NIPA).

References

  1. J. Chen, B. Mariam, and M. Matsumoto, “A single mobile target tracking in voronoi-based clustered wireless sensor network,” Journal of Information Processing Systems, vol. 1, pp. 17–28, 2011.
  2. C. Huang, R. H. Cheng, S. R. Chen, and C. Li, “Enhancing network availability by tolerance control in multi-sink wireless sensor network,” Journal of Convergence, vol. 1, no. 1, pp. 15–22, 2010. View at Publisher · View at Google Scholar · View at Scopus
  3. P. Sarkar and A. Saha, “Security enhanced communication in wireless sensor networks using reed-muller codes and partially balanced incomplete block designs,” vol. 2, pp. 23–30. View at Publisher · View at Google Scholar · View at Scopus
  4. D. Kumar, T. Aseri, and R. Patel, “Multi-hop communication routing (MCR) protocol for heterogeneous wireless sensor networks,” International Journal of Information Technology, Communications and Convergence, vol. 1, pp. 130–145, 2010.
  5. H. Lim, K. Jang, and B. Kim, “A study on design and implementation of the ubiquitous computing environment-based dynamic smart on/off-line learner tracking system,” Journal of Information Processing Systems, vol. 6, no. 4, pp. 609–620, 2010. View at Publisher · View at Google Scholar
  6. B. Xie, A. Kumar, D. Zhao, R. Reddy, and B. He, “On secure communication in integrated heterogeneous wireless networks,” International Journal of Information Technology, Communications and Convergence, vol. 1, no. 1, pp. 4–23, 2010. View at Publisher · View at Google Scholar
  7. D. Hong, J. Sung, S. Hong et al., “HIGHT: a new block cipher suitable for low-resource device,” Cryptographic Hardware and Embedded Systems, vol. 4249, pp. 46–59, 2006. View at Scopus
  8. T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata, “The 128-bit blockcipher CLEFIA (extended abstract),” Fast Software Encryption, vol. 4593, pp. 181–195, 2007. View at Publisher · View at Google Scholar · View at Scopus
  9. C. de Cannière, O. Dunkelman, and M. Knežević, “KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers,” Cryptographic Hardware and Embedded Systems, vol. 5747, pp. 272–288, 2009. View at Publisher · View at Google Scholar · View at Scopus
  10. K. Bucholc, K. Chmiel, A. Grocholewska-Czuryło, E. Idzikowska, I. Janicka-Lipska, and J. Stokłosa, “Scalable PP-1 block cipher,” International Journal of Applied Mathematics and Computer Science, vol. 20, no. 2, pp. 401–411, 2010. View at Publisher · View at Google Scholar · View at Scopus