Mathematical Problems in Engineering

Volume 2013 (2013), Article ID 962342, 4 pages

http://dx.doi.org/10.1155/2013/962342

## Information Leakage of VGF2 Structure

Information Science and Technology Institute, Zhengzhou 450000, China

Received 9 January 2013; Accepted 5 April 2013

Academic Editor: Kwok-Wo Wong

Copyright © 2013 Ting Cui et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The block cipher VGF2 was designed at Inscrypt 2009. It was based on a new variant of generalized Feistel structure. By checking the property of the linear permutation, we find a full round differential in VGF2 with probability 1. Since this differential cannot distinguish the correct unknown key from the wrong keys, we fail in launching a key-recovery attack on this structure. However, we may guess half part of the plaintext without calculating the key. And we notice that this weakness may cause insecurity in some special environments.

#### 1. Introduction

The architecture is one of the most important parts of block ciphers. It will directly affect the implementation performance and the choice of round number. Architectures of block ciphers could be roughly classified by SP structure [1] and Feistel family structure [2, 3]. The SP structure can provide a fast diffusion, but usually its decryption and encryption processes cannot be similar. Feistel family structures is another important structure, and it provides flexibility in the design of round function and decryption-encryption similarity; however, since only part of the input data goes through the round function in each round, these structures need more rounds to achieve enough diffusion.

Reference [4] proposed a new block cipher called VGF2. Its architecture can be considered as an extension of combining the SPN structure and generalized Feistel network together. It keeps the advantages of both SPN structure and the generalized Feistel network. It can achieve full diffusion very quickly, and decryption-encryption processes of this structure are similar.

In the design of VGF2, the original idea to achieve better diffusion is to use an involutory transformation with good branch number to replace the switch transformation. In [4], security levels of the structure against many cryptanalysis such as differential, linear, impossible differential, and integral cryptanalysis are also estimated.

In this paper, we find some information leakage in VGF2 structure. For arbitrary rounds VGF2 structure, we obtain two differentials with probability 1. Since these differentials cannot distinguish the correct key from the wrong keys, we fail in launching a key-recovery attack on this structure. However, we may guess half part of the plaintext without calculating the key.

The rest of this paper is organized as follows. Section 2 provides a description of VGF2, Section 3 presents the differential properties of VGF2 structure, and Section 4 introduces the information leakage of VGF2 cipher. As an application, Section 5 launches an attack on VGF2-based CMAC whose underlying block cipher is VGF2; in this attack, we can find a fake “familiar” message within CMAC operations, and the successful rate reaches 0.393. In Section 6, we conclude this paper.

#### 2. Description of VGF2 Structure

Throughout this paper, denotes the bitwise XOR and + denotes the addition over real number space.

Now we will give a brief description of VGF2 structure.

All the states in VGF2 are split into 4 subblocks of equal size, and then the input and output blocks of each round can be denoted as , and respectively. For the sake of convenience, we will introduce two transformations as follows:(i) layer: , where is the round function;(ii) layer:

One round VGF2 structure is composed of two layers (see Figure 1); that is,

#### 3. Differential Properties of VGF2 Structure

In this section, we will introduce the differential properties of VGF2 structure.

Lemma 1. * Let , where is a bijection. Then, both differentials are with probability 1 of the following:*(1)*,
*(2)*.*

*Proof. *Let and be inputs of the layer. Then, output differential of the layer is calculated by
Assume that , and we conclude that differential is with probability 1. The second differential can be obtained in a similar way.

It is well known that if is a linear transformation over , then . Base on this rule, we have.

Theorem 2. * For the VGF2 structure, there exists 1-round differential whose probability is equal to 1 as follows:*(1)*,
*(2)*.*

* Proof. * Since 1-round VGF2 structure can be expressed by , by Lemma 1, we have with probability 1; hence, the output of the first round is
Let and , then we obtain this theorem. Similarly, we can prove the second case.

Obviously, we have the following.

Theorem 3. *For the VGF2 structure, if , then -round differential and are both with probability 1. If , then -round differential and are both with probability 1.*

#### 4. Information Leakage of VGF2 Structure

Base on the VGF2 structure, [4] proposed a 16-round and 256-bit block cipher VGF2 with the last layer omitted.

Since traditional differential cryptanalysis [5] uses high-probability characteristics or differentials to distinguish the correct unknown keys from the wrong keys. When a correct key is used to decrypt the last few rounds of many pairs of ciphertexts, it is expected that the difference predicted by the differential appears frequently, while when a wrong key is used, the difference occurs less frequently. However, differentials detected in this paper expose equal probability under any key; thus, we cannot launch a differential attack on this structure. But we may still conclude the following observation.

*Observation 1. * For VGF2 cipher, if we get a plain/ciphertext pair and , then for any ciphertext in set , we can predict that the plaintext is in the set . When ciphertext is chosen from the set , we can affirm that the plaintext is from set .

This weakness may bring insecurity under some special environments, and in next section, we will provide an example.

#### 5. An Example Attack on VGF2-Based CMAC

MAC functions based on block ciphers are of great practical significance. And it is a well-known method to generate a Message Authentication Code (MAC) based on a block cipher in CBC-like mode. In this section, we will attack VGF2-based CMAC [6], which is recommended by NIST. This way of implementing a block cipher is independent of the actual block cipher being used, and so we can restrict this mode of use on VGF2 cipher. The CMAC algorithm divides message into , where each is 256 bits length, and if the length of is 256 bit, then ; else, , where (see Figure 2).

Since the remaining part of CMAC does not affect the attack procedure, we just focus on the CBC core (see Figure 3). Our target is to fake a similar message of . In fact, the attack below can be extended to most CBC-like MACs.

*Step 1. * Choose any , and replace by , where are randomly chosen from and .

*Step 2. *If , we replace by ; otherwise, replace by , where are randomly chosen from .

*Step 3. *Compute ; if
the program output .

When we introduce a randomly chosen difference in the th block, then by Observation 1, we may conclude that for any integer , output difference of the th and the th blocks are and , respectively, where are randomly picked up from . Consider case; only when and , we can obtain a collision.

We choose pairs of . And the successful rate is calculated by the birthday paradox; that is,

We can analyze case similarly.

Since all but two of the original message blocks are reserved, the fake message may probably be a meaningful message. And this may increase the risk of CMAC.

#### 6. Conclusion

In this paper, we find two differentials in VGF2 structure whose probability is 1. Since these differentials cannot distinguish the correct key from wrong ones, we failed in launching a key-recovery attack on VGF2 structure. However, this property causes a significant information leakage; it allows us to obtain half part of the plaintext without calculating the key, and this may lead to some weakness in special environments.

In spite of the weakness presented in this paper, VGF2 structure retains some attractive features such as high diffusion and similarity in both decryption and encryption processes. And we believe that all these good features are caused by properties of matrix ; since its branch number reaches 4 [4], the whole structure can provide high diffusion, and also the involutory choice of matrix ensures the structure involutory. However, the binary matrix is not a good choice, which makes our attacks succeed. This motivates us to explore the possibility of improving that retains all the good properties of the VGF2 structure and yet is secure against our attacks. The best beneficial way to achieve this goal is to propose a new nonbinary matrix , which can retain both *large branch number* and *involution*, for example, involutory MDS matrix. Then, the proof will be invalid for this case.

#### Acknowledgment

The work in this paper is supported by the Natural Science Foundation of China (Grant no. 61272488, 61272041, and 61202491).

#### References

- J. Daemen and V. Rijmen,
*The Design of Rijndael—AES—The Advanced Encryption Standard*, Springer, Berlin, Germany, 2002. View at Zentralblatt MATH · View at MathSciNet - Data Encryption Standard (DES),
*Federal Information Processing Standards Publication FIPS-46-3*, National Bureau of Standards, 1999. - K. Nyberg, “Generalized Feistel networks,” in
*Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security (ASIACRYPT '96)*, K.-C. Kim and T. Matsumoto, Eds., vol. 1163 of*Lecture Notes in Computer Science*, pp. 91–104, Springer, Kyongju, Korea, November 1996. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - L. Zhang, W. Wu, and L. Zhang, “Proposition of two cipher structures,” in
*Proceedings of the 5th China International Conference on Information Security and Cryptology (Inscrypt '09)*, F. Bao, M. Yung, D. Lin, and J. Jing, Eds., vol. 6151 of*Lecture Notes in Computer Science*, pp. 215–229, Springer, Beijing, China, December 2009. View at Publisher · View at Google Scholar · View at MathSciNet - E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” in
*Proceedings of the 10th Annual International Cryptology Conference*, A. Menezes and S. A. Vanstone, Eds., vol. 537 of*Lecture Notes in Computer Science*, pp. 2–21, Springer, August 1990. View at Publisher · View at Google Scholar - NIST, “Recommendation for block cipher modes of operation: the CMAC mode for authentication,”
*NIST Special Publication*800-38B, 2005. View at Google Scholar