DOI QR코드

DOI QR Code

Recovery-Key Attacks against TMN-family Framework for Mobile Wireless Networks

  • Phuc, Tran Song Dat (Department of Computer Science and Engineering, Seoul National University of Science and Technology) ;
  • Shin, Yong-Hyeon (Department of Computer Science and Engineering, Seoul National University of Science and Technology) ;
  • Lee, Changhoon (Department of Computer Science and Engineering, Seoul National University of Science and Technology)
  • Received : 2020.12.15
  • Accepted : 2021.03.31
  • Published : 2021.06.30

Abstract

The proliferation of the Internet of Things (IoT) technologies and applications, especially the rapid rise in the use of mobile devices, from individuals to organizations, has led to the fundamental role of secure wireless networks in all aspects of services that presented with many opportunities and challenges. To ensure the CIA (confidentiality, integrity and accessibility) security model of the networks security and high efficiency of performance results in various resource-constrained applications and environments of the IoT platform, DDO-(data-driven operation) based constructions have been introduced as a primitive design that meet the demand of high speed encryption systems. Among of them, the TMN-family ciphers which were proposed by Tuan P.M., Do Thi B., etc., in 2016, are entirely suitable approaches for various communication applications of wireless mobile networks (WMNs) and advanced wireless sensor networks (WSNs) with high flexibility, applicability and mobility shown in two different algorithm selections, TMN64 and TMN128. The two ciphers provide strong security against known cryptanalysis, such as linear attacks and differential attacks. In this study, we demonstrate new probability results on the security of the two TMN construction versions - TMN64 and TMN128, by proposing efficient related-key recovery attacks. The high probability characteristics (DCs) are constructed under the related-key differential properties on a full number of function rounds of TMN64 and TMN128, as 10-rounds and 12-rounds, respectively. Hence, the amplified boomerang attacks can be applied to break these two ciphers with appropriate complexity of data and time consumptions. The work is expected to be extended and improved with the latest BCT technique for better cryptanalytic results in further research.

Keywords

1. Introduction

The explosion of mobile devices and services, as smart phones and tablets becoming an essential part of modern society, along with the rapid development and spread of the IoT technologies, is leading to the significant challenges of secure and trustworthy service composition that requires the balance the inherent tension between security and accessibility of wireless technologies and networks employed in the constrained IoT environments. In the context of unreliable constrained wireless networks for IoT networks, the specific secure requirements and needs of these networks are needed as not only dealing with the unauthorized access to systems and data, but also ensuring the suitability, mobility and applicability on both software and hardware performances when operating and integrating in such environments.

With the limitations about the processing capacity and resources, the deployment results seem not suitable for the constrained IoT environments in handling with both secure highspeed encryption and high efficiency in hardware integration. To address those issues, the prominent solution focuses on improving the protection of cipher designs by distinct switch operations and functions, like the Data-Dependent Permutation-based constructions (such as CIKS-1 [18], SCO-family [7] and Cobra-family [19] [20]), the Data-Dependent Operationbased constructions (such as CIKS-128 [8], CIKS-128H [13], MD-64 [5] and DDO-64 [14]) and the Switchable Data-Dependent Operation-based constructions (such as BMD-128 [4], XO-64 [6], BM123-64 [2]). However, the fact is, for as long as there have been wireless communication networks, there have been fatal weaknesses that were still vulnerable to wellknown related attacks. One of them, simple key scheduling generator in the cipher structures for high speed transformation and lightweight targets gives cryptanalytic possibility for attackers to exploit these mechanisms by applying common related-key differential attack methods.

TMN block cipher [1] is kind of DDO-based construction proposed by Tuan P.M., Do Thi B., etc., in 2016. It has two different versions: TMN64 with 64-bits block size, covering 128- bits key size and total 10 function rounds; and TMN128 with block size of 128-bits, having 256-bits secret key size and 12 function rounds in total. These are designed in combination of new concept in functions and attributes of the data-dependent operations (DDOs) and the Controlled Substitution-Permutation Network (CSPN) frameworks [13]. Hence, the two ciphers are regarded as an effective solution with more adjustable and desirable approach for fitting targets of application and system with particular fixed designs. In the designs, the authors showed high suitability, applicability in characteristics of various other algorithms for specific high-speed networks targets, as well as high authenticity of protecting against types of popular cryptanalysis, such as differential and linear attacks, by using the improvement of on-the-fly round key generator.

1.1 Related Study

Related-key differential amplified boomerang attack was evolved by Kelsey et al. [16], which is a pure adaptive chosen-plaintext attack and is an upgrade model of the related-key boomerang attack developed by Wagner, 1999 [17] and Biham et al., 2005 [15]. Particularly, the attack had become effective cryptanalysis technique applying for various cipher mechanisms since the target aims to exploit two distinctive related-key differential characteristics for finding right quartets with high probability. Some of the previous cryptanalysis that used this attack scenario on DDO-based ciphers had given high efficiency and high probability in cryptanalytic results, like on BMD-128 [9], XO-64 [10], DDO-64 [11], MD-64 [12], and BM123-64 [3].

E1KOBZ_2021_v15n6_2148_f0001.png 이미지

Fig. 1. The related-key boomerang characteristics.

In the model of related-key boomerang attack, the cipher E is divided into two sub-ciphers, depicted as E = E1 ○ E0. In addition, for E0 and E1, the related-key differentials are integrated into an adaptive chosen-plaintext and chosen-ciphertext characteristics of the cipher E, as the characteristics based on the encryption/ decryption process covering the related keys.

We suppose that α → β is a related-key differential for E0 with probability p using key difference ∆K, and δ → γ is another related-key differential for E1 with probability q using key difference ∆K’. With the related keys K, K*, K’, K’* where ∆K = K ⊕ K* and ∆K’ = K’ ⊕ K’*, we can execute the attack as follows.

(1) Pick up two random plaintexts P and P’, and then assign P* = P ⊕ α, P’* = P’ ⊕ α to get the quartet of plaintext (P, P*, P’, P’*).

(2) Gain the matching quartet of ciphertext (C, C*, C’, C’*), as C = EK(P), C* = EK*(P*), C’ = EK’(P’) and C’* = EK’*(P’*), using the secret key differences, as ∆K = K ⊕ K* = K’ ⊕ K’* and ∆K’ = K ⊕ K’ = K* ⊕ K’*.

(3) Examine whether C ⊕ C’ = C* ⊕ C’* = δ or not.

If the quartet of plaintext (P, P*, P’, P’*) progresses through Stage 3, we output it as a correct quartet in the model of related-key amplified boomerang attack.

The correct plaintext quartets must satisfy the following conditions:

(a) P ⊕ P* = P’ ⊕ P’* = α

(b) I ⊕ I* = I’ ⊕ I’* = β

(c) I ⊕ I’ = γ

(d) C ⊕ C’ = C* ⊕ C’* = δ.

while I and I’ is the intermediate encryption values after E0.

We choose m1 and m2 are number of pairs of (P, P*) and number of pairs of (P’, P’*), respectively, with difference α. As we also suppose that α → β is the first related-key differential for E0 under the probability of p using the key difference ∆K, and δ → γ is the second related-key differential for E1 under the probability of q using the key difference ∆K’, there exists the number of pairs (m1∙p) and (m2∙p) fulfill the first related-key differential α → β for E0 using the key difference ∆K. Then, the quartets meet the conditions (a) and (b) are about m1∙m2∙ p2. Similarly, if we obtain I ⊕ I’ = γ under the probability of 2-n in all possible values, we get m1∙m2∙2-n∙p2 quartets meet the requirements of (a), (b) and (c). And the relatedkey differential boomerang characteristic can differentiate a cipher E from a perfect cipher if the probability p∙q > 2-n/2, when the supposed number of correct quartets is approximately m1∙m2∙2-n∙p2∙q2.

1.2 Research Contributions

In this paper, we demonstrate the related-key recovery attacks on the two variants of TMN constructions, TMN64 and TMN128. The attack, by obtaining the two related-key boomerang distinguishers with high probabilities in distinct designs, can exploit a full 10-rounds and 12 rounds of TMN64 and TMN128, respectively with highly favorable cryptanalytic results. The proposed amplified boomerang attacks require about 247 in complexity of data, memory bytes of 250 and complexity of time using 265 encryptions for the TMN64 design; and about 269 complexity of data, memory bytes of 272 and complexity of time using 2129 encryptions for TMN128 model of TMN schemes. These cryptanalytic results are the first security results on the two variants of the TMN-family so far. In this way, we prove that the TMN-family constructions, like other previous research of DDP-based or DDO-based schemes, are still vulnerable and being insecure against related-key differential cryptanalysis. The assurance of the security on these types of cipher constructions remains unclear and should be designed with a better security primitive approach.

The remainder of this paper is structured as follows; the two TMN-family constructions, TMN64 and TMN128, are described in Section 2. In Section 3, we define the related-key boomerang differential properties in each round function of these two designs based on the controlled element CE F2/2 that allows us to build the high probability of differential characteristics (DCs) presented in Section 4. Then, the recovery attacks on the TMN64 and TMN128 ciphers are proposed with the analysis methods and complexity assessments shown in Section 5. Lastly, in Section 6, we give the conclusion of all our study.

2. TMN64, TMN128 Block Ciphers Description

2.1 Preliminaries

Some notations are concisely described in this section that they are used throughout the paper. As c1 denotes the MSB (the most significant bit) and cn denotes the LSB (the least significant bit), a cipher C can be defined as C = (c1, c2, …, cn).

The related-key differential characteristics applied to the amplified boomerang attack methods are combining with related differential components of block ciphers, like the input, the output, and the key of a round function.

- r : round function of a block cipher.

- ∆Qr, ∆Qr : round key difference values for each round r.

- ∆Xr / ∆Yr : input / output difference values for each round r.

- ei,j : binary data bit adjusting for a round r, as the active bit values i and j; at the ith and j th positions, the bit value are ‘1’, and the others are ‘0s’ for each block data. (e.g., e3,5 = (0, 0, 1, 0, 1,…, 0)).

- ⊕ : bitwise XOR operation.

- ⋘, ⋙ : bitwise left, right rotation.

2.2 TMN64, TMN128 Constructions

TMN64, TMN128 [1] are designed as DDO-based block cipher mechanisms with different data block sizes, 64-bits and 128-bits under 128-bits and 256-bits secret keys, respectively. Totally, it covers 10 rounds function for TMN64 and 12 rounds function for TMN128. A round function Crypt(e) for each construction will do same switchable data operations from the 1st round to the last round (the FT function) for yielding the appropriate ciphertext as output.

The round function Crypt(e) of TMN64, TMN128 is based on the controlled substitution permutation networks (CSPNs), an extension function E, two specified permutations (I1 and I2) and DDO-based functions \(F_{n / m}^{V / e}\left(F_{32 / 384}, F_{32 / 384}^{-1}, F_{64 / 768}, F_{64 / 768}^{-1}\right)\) including basic controlled element function F2/2.

The encryption algorithm of TMN128 can be define as:

1. Input with 128-bit block size as plaintext is divided into two sub-blocks A and B, with 64-bits for each block.

2. From the 1st round to the 11th round (as r = 1 to 11), for each round r, execute identical operations:

(A, B) = Crypt(0) (A, B, Qr, Qr)

(A, B) = (B, A)

3. Generate the 12th round (last round) integrating with the FT (final transformation):

(A, B) = Crypt(0) (A, B, Q12, Q12)

(A, B) = (L ⊕ QFT, R ⊕ QFT)

(A, B) = (A, B).

Fig. 2 and Fig. 3 illustrates the round function Crypt(0) of TMN64 and TMN128 in details. Refer to [1] for more description of the TMN64 and TMN128 constructions.

E1KOBZ_2021_v15n6_2148_f0002.png 이미지

Fig. 2. The overall construction and the Crypt(0) of TMN64.

E1KOBZ_2021_v15n6_2148_f0003.png 이미지

Fig. 3. The overall construction and Round function Crypt(0) of TMN128.

The DDO functions \(F_{n / m}^{V / e}: F_{32 / 384}, F_{32 / 384}^{-1}, F_{64 / 768} \text {, and } F_{64 / 768}^{-1}\) are built based on CE F2/2, as F2/2 is defined by \(\left(\left(x_{1}, x_{2}\right),[v, z] /\left(y_{1}, y_{2}\right)\right)\) (see Fig. 4). As the authors of TMN ciphers did not mention clearly about the way of executing F2/2, we can refer it as same previous DDObased schemes using for the high-speed wireless communication networks.

E1KOBZ_2021_v15n6_2148_f0004.png 이미지

Fig. 4. DDO-based functions (a) F32/192, F-132/192; (b) F64/384, F-164/384; (c) F8/24, F-18/24 and (d) CE F2/2.

y1 = vz ⊕ vzx1 ⊕ zx1 ⊕ zx2 ⊕ x1 ⊕ v ⊕ 1

y2 = zx1 ⊕ vzx2 ⊕ z ⊕ vx1 ⊕ zx2 ⊕ vz ⊕ v ⊕ x2 ⊕ 1

y3 = x1 ⊕ vzx2 ⊕ vx1 ⊕ x2 ⊕ vzx1 ⊕ z.

The extension function E does output controlling vector as (V,Z) = (V1, V2, V3, V4, V5, V6, Z1, Z2, Z3, Z4, Z5, Z6), taking a 32-bits input X then produce 192-bits output Y for TMN64, and 64-bits input X then produce 384-bits output Y for TMN128.

The fixed permutations are used at the right branch between two DDO operations \(F_{n / m}^{V / e}\) and at the left branch of the hybrid CSPNs Si (see Fig. 5 and Fig. 6) within the two structures.

E1KOBZ_2021_v15n6_2148_f0005.png 이미지

Fig. 5. CSPNs Si , Sd and S-1d.

E1KOBZ_2021_v15n6_2148_f0006.png 이미지

Fig. 6. Different 4 X 4 bit S-boxes.

The extension boxes E(X) of TMN-64 and TMN-128.

The secret key scheduling is improved to deal with the weaknesses of simple weak key genegator in most DDP-based constructions, by using a on-the-fly expansion round key. The target of this function is creating the key for the next round while implementing encryption (or decryption) at same time.

E1KOBZ_2021_v15n6_2148_f0007.png 이미지

Fig. 7. On-the-fly secret round key expansion procedure.

3. Differential Properties of TMN64, TMN128

This section presents the differential properties of DDO operations in Crypt(0) round function of the two ciphers TMN64 and TMN128, based on the differential properties of CE F2/2. These properties enable us to construct effective differential boomerang characteristics later.

3.1 Differential Properties of CE F2/2

We assume that x1 and x2 are two input values and a (v, z) pair is a controlling vector of controlled element F2/2. So, the CE F2/2 can be depicted as F2/2 (x1, x2, v, z). According to the differential distribution put in to definitions of CE F2/2 in TMN structures, we can obtain differential properties as:

y1 = vz ⊕ vzx1 ⊕ zx1 ⊕ zx2 ⊕ x1 ⊕ v ⊕ 1

y2 = zx1 ⊕ vzx2 ⊕ z ⊕ vx1 ⊕ zx2 ⊕ vz ⊕ v ⊕ x2 ⊕ 1

Pr[F2/2(x1, x2, v, z) ⊕ F2/2(x1 ⊕ 1, x2, v, z) = (1, 0)] = 2-2.

It means, for the difference (x1 ⊕ 1, 0) of the input and the (0, 0) difference of the controlling vector, we can gain the probability of 2-2 with the output difference of (1, 0). This differential property can be found as same distribution with other DDO-based cipher mechanisms.

3.2 Differential Properties of TMN64 and TMN128

Applying the same method, we can distribute differential properties of DDO operations: F32/192, F-132/192, F64/384 and F-164/384. We mark X as input value and (V, Z) pair as controlling vector, and since for each TMN64 and TMN128 structure has same 3 active layers F2/2 (within F8/24 and F-18/24 functions), then we have the differential properties as following:

\(\begin{aligned} &\operatorname{Pr}\left[F_{32 / 192}(X, V, Z) \oplus F_{32 / 192}\left(X \oplus e_{32}, V, Z\right)=e_{32}\right]=2^{-6} \\ &\operatorname{Pr}\left[F^{-1}{ }_{32 / 192}(X, V, Z) \oplus F^{-1}{ }_{32 / 192}\left(X \oplus \mathrm{e}_{32}, V, Z\right)=e_{32}\right]=2^{-6} \\ &\operatorname{Pr}\left[F_{64 / 384}(X, V, Z) \oplus F_{64 / 384}\left(X \oplus e_{64}, V, Z\right)=e_{64}\right]=2^{-6} \\ &\operatorname{Pr}\left[F^{-1}{ }_{64 / 384}(X, V, Z) \oplus F_{64 / 384}^{-1}\left(X \oplus e_{64}, V, Z\right)=e_{64}\right]=2^{-6} . \end{aligned}\)

4. Related-key Amplified Boomerang Characteristics of TMN64, TMN128

In this section, we indicate the way of establishing the related-key differential boomerang characteristics with high probability based on the differential properties we explored before on full 10-rounds and 12-rounds of TMN64 and TMN128 block ciphers, respectively.

4.1 Related-key Amplified Boomerang Characteristic of TMN64

We suppose that the (P, P*, P’, P’*) plaintexts with difference α = P ⊕ P* = P’ ⊕ P’* = (e32, e32) are encrypted to get appropriate ciphertext (C, C*, C’, C’*) using the master keys (K, K*, K’, K’*) satisfying the key difference ∆K = K ⊕ K* = K’ ⊕ K’* = (e32, 0, 0, 0).

By this way, we can generate the 1st related-key propagation of differential distinguisher (α → β) from the 1st round to the 5th round of TMN64 to get the corresponding output difference β = (0, 0), with probability of 1.

Then, we mark the transitional values as (I, I*, I’, I’*) with the difference γ = I ⊕ I* = I’ ⊕ I’* = (0, 0). These values are encoded using the master key (K, K*, K’, K’*) satisfying the key difference ∆K’ = K ⊕ K’ = K* ⊕ K’* = (0, e32, 0, 0). Overall, we can yield the 2nd related-key propagation of differential distinguisher (γ → δ) from the round 6th to the last round 10th with a probability of 2-12, to get the final corresponding output difference δ = (e32, 0).

Table 1. Related-key propagation of differential distinguisher on full-round of TMN64.

E1KOBZ_2021_v15n6_2148_t0001.png 이미지

E1KOBZ_2021_v15n6_2148_f0008.png 이미지

Fig. 8. Differential propagation at the 10th round and the FT on the TMN64.

For further definitions of related-key DCs on the TMN64 cipher, refer to [Appendix A].

4.2 Related-key Amplified Boomerang Characteristic of TMN128

We similarly do as the same methods applied to TMN64, by assuming the plaintexts (P, P*, P’, P’*) with difference value 𝛼𝛼 = P ⊕ P* = P’ ⊕ P’* = (e64, e64) are encrypted to get appropriate ciphertext (C, C*, C’, C’*) using the master keys (K, K*, K’, K’*), as the key difference is ∆K = K ⊕ K* = K’ ⊕ K’* = (e64, 0, 0, 0).

In this manner, we can obtain the 1st related-key propagation of differential distinguisher (α → β) from the 1st round to the 5th round of TMN128 for obtaining the output difference β = (0, 0), with probability of 1.

Then, we assign the transitional values as (I, I*, I’, I’*) with the difference 𝛾𝛾 = I ⊕ I* = I’ ⊕ I’* = (e64, e64). These values are encoded using the master key (K, K*, K’, K’*), as the key difference is ∆K’ = K ⊕ K’ = K* ⊕ K’* = (e64, e64, 0, 0). Finally, we can yield the 2nd relatedkey propagation of differential distinguisher (γ → δ) from round 6th to the last round 12th with a probability of 2-24, to get the final corresponding output difference δ = (e64, e64).

Table 2. Related-key propagation of differential distinguisher on full-round of TMN128.

E1KOBZ_2021_v15n6_2148_t0002.png 이미지

E1KOBZ_2021_v15n6_2148_f0009.png 이미지

Fig. 9. Differential propagation at the 12th round and the FT on the TMN128.

For further definitions of related-key DCs on the TMN128 cipher, refer to [Appendix A].

5. Proposed Key Recovery Attacks on TMN64, TMN128

This section illustrates the methods we apply to employ the recovery attacks on the TMN-64 and TMN-128 constructions.

5.1 Amplified Boomerang Attack Method on TMN64

According to the obtained related-key DCs in Section 4 for TMN64, we expect m2∙2-88 correct quartets when executing with m RK-CP (related-key chosen-plaintext) pairs, depicted as (P, P*) and (P’, P’*), and the related-key amplified boomerang distribution constructed reach to the 10th round of TMN64 with probability of 2-88 (that is 2-n∙p2∙q2). And then, we select a set of 246 plaintext pairs (that is m2∙2-88 = 23) for the attack while we look for 8(23) correct amplified boomerang quartets.

The proposed related-key recovery attack based on the amplified boomerang cryptanalytic method on full 10-rounds TMN64 as follows.

1) We firstly select a group of 246 pairs of plaintext (Pj, Pj*), (where j = 1, …, 266), and construct 291 quartets of plaintext (Pi, Pi*, Pi’, Pi’*), (where i = 1, …, 291) under the input difference α = (e32, e32). Then, the quartets of plaintext (Pi ,Pi*, Pi’, Pi’*) are encrypted using the master key (K, K*, K’, K’*) satisfying the differences of keys, those are ∆K = K ⊕ K* = K’ ⊕ K’* = (e32, 0, 0, 0) and ∆K’ = K ⊕ K’ = K* ⊕ K’* = (0, e32, 0, 0), to obtain the appropriate quartets of ciphertext (Ci, Ci*, Ci’, Ci’*).

2) We examine with each i, that Ci ⊕ Ci’ = Ci* ⊕ Ci’* = (e32, 0) for each route.

3) At this step, we predict a sub-key (K1) with 32-bit key size of the FT, and gain the subkeys (K1*, K1’ and K1’*) using the guessed key K1

(a.) We do decrypt for all the quartets of ciphertext (Ci, Ci*, Ci’, Ci’*) progressing through Stage 2, with the predicted quartets of sub-key to obtain 32-bit left inputs (Xi, Xi*, Xi’, Xi’*) on the 10th round prior the additional layer of key (⊕ XOR operation) at the final transformation.

(b.) Then, we check that Xi ⊕ Xi’ = Xi* ⊕ Xi’* = (0, 0) for each i value.

4) Finally, for the recovery attacks, we generate a brute-force search for catching the remaining 96-bit (K2, K3, K4) with all the predicted sub-keys progressing through Stage 3. When any predicted 128-bits key is satisfying the pairs of two plaintext/ ciphertext, we can then do output the key as the correct 128-bits master key of the TMN64. In other ways, we return to the method at Stage 3.

The proposed attack on TMN64 requires 246 pairs of plaintext and 247 RK-CPs (related-key chosen plaintexts) as the complexity of data, under the total related-key DC of 2-12 probability. The requirement of memory is approximately 250(= 247 ∙ 8) bytes during the attack. The complexity of time at Stage 1 is around 247 full 10-rounds encryptions of TMN64. We expect that each ciphertext progressing through Stage 2 with 2-64 probability. Therefore, we expect around 228 (that is 292 ∙ 2-64) correct quartets of ciphertext go by this stage. We look forward the complexity of time at Stage 3 and Stage 4 is around 262 (that is 264 ∙ 4 ∙ 1/8 ∙ 1/2) and 265 (that is 264 ∙ 1 ∙ 2) data encryptions, respectively. Overall, the complexity of time executing all the attack is approximately 265 (that is 247 + 262 + 265) TMN64 computational encryptions on average.

5.2 Amplified Boomerang Attack Method on TMN128

Following the obtained related-key DCs in Section 4 for TMN128, we look for m∙ 2-176 correct quartets when executing with m RK-CP (related-key chosen-plaintext) pairs, depicted as (P, P*) and (P’, P’*), as the related-key amplified boomerang distribution constructed reach to the 12th round of TMN128 with probability of 2-176 (that is 2-n ∙ p2 ∙ q2). And then, we select a set of 290 plaintext pairs (m 2 ∙ 2-176 = 23) for the attack while we suppose 8(23) correct amplified boomerang quartets.

The proposed related-key recovery attack based on the amplified boomerang cryptanalytic method on full 12-rounds TMN128 as follows.

1) To begin with, we prepare a group of 290 pairs of plaintext (Pj, Pj*), (j = 1, …, 290), and construct corresponding 2179 quartets of plaintext (Pi, Pi*, Pi’, Pi’*), (i = 1, …, 2179) under the input difference 𝛼𝛼 = (e64, e64). Then, we encode the quartets of plaintext (Pi, Pi*, Pi’, Pi’*) using the unknown sub-keys (K, K*, K’, K’*) having ∆K = K ⊕ K* = K’ ⊕ K’* = (e64, 0, 0, 0) and ∆K’ = K ⊕ K’ = K* ⊕ K’* = (e64, e64, 0, 0) key difference, for catching the matching quartets of ciphertext (Ci, Ci*, Ci’, Ci’*).

2) We examine with each i, that Ci ⊕ Ci’ = Ci* ⊕ Ci’* = (e64, e64) for each route.

3) At this step, we predict a sub-key (K1) with 64-bit key size of the FT, and gain the subkeys (K1*, K1’ and K1’*) using the guessed key K1.

(a.) We do decrypt for all the quartets of ciphertext (Ci, Ci*, Ci’, Ci’*) progressing through Stage 2, with the predicted quartets of sub-key to obtain 64-bit left inputs (Xi, Xi*, Xi’, Xi’*) on the 12th round prior the additional layer of key (⊕ XOR operation) at the final transformation.

(b.) Then, we check that Xi ⊕ Xi’ = Xi* ⊕ Xi’* = (0, 0) for each i value.

4) Lastly, we generate a brute-force search for catching the remaining 192-bit (K2, K3, K4) with all the predicted sub-keys progressing through Stage 3. When any predicted 256-bits key is satisfying the pairs of two plaintext/ ciphertext, we can then do output the key as the correct 256-bits master key of the TMN64. In other ways, we return to the method at Stage 3.

The proposed attack on TMN128 requires 290 pairs of plaintext and and 291 RK-CPs (related-key chosen plaintexts) as the complexity of data, under the total related-key DC of 2-24 probability. The requirement of memory is approximately 294 (= 291 ∙ 8) bytes during the attack. The complexity of time at Stage 1 is around 291 full 10-rounds encryptions of TMN128. Similarly, we also expect that each ciphertext progressing through Stage 2 with 2-128 probability. Therefore, we expect around 252 (that is 2180 ∙ 2-128) correct quartets of ciphertext go by this stage. We look forward the complexity of time at Stage 3 and Stage 4 is around 2126 (that is 2128 ∙ 4 ∙ 1/8 ∙ 1/2) and 2129 (that is 2128 ∙ 1 ∙ 2) data encryptions, respectively. Overall, the complexity of time executing all the attack is approximately 2129 (≈ 291 + 2126 + 2129) TMN128 computational encryptions on average.

6. Conclusion

In this paper, we discussed the security of the TMN-family framework: TMN64 and TMN128, resisting against the related-key recovery attack based on the differential boomerang cryptanalytic method. Depending on high probability of differential characteristics we constructed, we suggested a kind of related-key recovery attacks as the amplified boomerang cryptanalysis in different two versions: on a full 10-rounds of TMN64 and 12-rounds of TMN128. The attack requires about 247 RK-CP (related-key chosen plaintexts), 250 memory bytes and 265 complexity of time for all encryptions unit of the TMN64; and 291 RK-CP (related-key chosen plaintexts), 294 memory bytes and 2129 complexity of time for all encryptions unit of the TMN128. According to our cryptanalytic results, although the TMN constructions had enhanced the way of generating round keys to handle with the weak key scheduling problems, the full-round of TMN64 and TMN128 were distinguished from an ideal cipher properly, that proved the TMN constructions are still vulnerable to related-key differential attacks. We suggest a better primitive approach in designing the block ciphers, especially the structures based on DDP or DDO functions in the further research.

Appendix

Acknowledgement

This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2020-0-01797) supervised by the IITP (Institute of Information & Communications Technology Planning & Evaluation).

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. P. M. Tuan, B. Do Thi, M. N. Hieu, and N. Do Thanh, "New Block Ciphers for Wireless Moblile Netwoks," Advances in Information and Communication Technology, ICTA 2016, Intelligent Systems and Computing, vol. 538, pp. 393-402, Dec. 2016.
  2. D. Bac, N. Minh, "High-Speed Block Cipher Algorithm Based on Hybrid Method," Ubiquitous Information Technologies and Applications. Lecture Notes in Electrical Engineering, vol. 280, pp. 285-291, 2014. https://doi.org/10.1007/978-3-642-41671-2_37
  3. T.SD. Phuc, C. Lee, "Cryptanalysis on SDDO-Based BM123-64 Designs Suitable for Various IoT Application Targets," Symmetry, vol. 10, no. 8, p.353, Aug 2018. https://doi.org/10.3390/sym10080353
  4. D. Bac, N. Minh, H. Duy, "An Effective and Secure Cipher Based on SDDO," International Journal of Computer Network and Information Security, vol. 4, no. 11, pp. 1-10, Oct 2012. https://doi.org/10.5815/ijcnis.2012.11.01
  5. D. Bac, N. Ming, H. Duy, "New SDDO-Based Block Cipher for Wireless Sensor Network Security," International Journal of Computer Science and Network Security, vol. 10, no. 3, pp. 54-60, 2010.
  6. N.H. Minh, H.N. Duy, L.H. Dung, "Design and Estimate of a New Fast Block Cipher for Wireless Communication Devices," in Proc. of 2008 International Conference Advanced Technologies for Communications, pp. 409-412, Jan 2008..
  7. N.A. Moldovyan, "On Cipher Design Based on Switchable Controlled Operations," Computer Network Security, MMM-ACNS, Lecture Notes in Computer Science, vol. 2776, pp. 316-327, 2003.
  8. N.D. Goots, B.V. Izotov, A.A. Moldovyan, N.A. Moldovyan, Modern cryptography: Protect Your Data with Fast Block Ciphers, Wayne, A-LIST Publish, 2003
  9. J. Kang, K. Jeong, C. Lee, S. Hong. "Distinguishing attack on SDDO-based block cipher BMD-128," Ubiquitous Information Technologies and Applications. Lecture Notes in Electrical Engineering, vol. 280, pp. 595-602, 2014. https://doi.org/10.1007/978-3-642-41671-2_76
  10. T.SD. Phuc, C. Lee, N. Xiong, "Cryptanalysis of the XO-64 Suitable for Wireless Systems," Wireless Personal Communications, vol. 93, no. 2, pp. 589-600, 2017. https://doi.org/10.1007/s11277-016-3663-4
  11. C. Lee, J. Kim, J. Sung, S. Hong, S. Lee, "Security analysis of the full-round DDO-64 block cipher," The Journal of Systems and Software, vol. 81, no. 12, pp. 2328-2335, Dec 2008. https://doi.org/10.1016/j.jss.2008.04.039
  12. J. Kang, K. Jeong, S. Yeo, C. Lee, "Related-key Attack on the MD-64 Block Cipher Suitable For Pervasive Computing Environment," in Proc. of 2012 26th International Conference on Advance Information Networking and Application Workshops, pp. 726-731, Mar 2012.
  13. N. Sklavos, N.A. Moldovyan, O. Koufopavlou, "A New DDP-based Cipher CIKS-128H: Architecture, Design & VLSI Implementation Optimization of CBC-Encryption & Hashing over 1 GBPS," in Proc. of 2003 46th IEEE Midwest Symposium on Circuits and Systems, vol. 1, pp. 463- 466, Dec 2003.
  14. N. Moldovyan, A. Moldovyan, Data-driven Ciphers for Fast Telecommunication Systems, United Kingdom: Auerbach Publication. Talor & Francis Group, 2008, pp. 77-185.
  15. E. Biham, O. Dunkelman, N. Keller, "Related-key boomerang and rectangle attacks," Advances in Cryptology - EUROCRYPT'05. Lecture Notes in Computer Science, vol. 3494, pp. 507-525, 2005.
  16. J. Kelsey, T. Kohno, B. Schneier, "Amplified Boomerang Attacks against Reduced-Round MARS and Serpent," in Proc. of International Workshop on Fast Software Encryption. Lecture Notes in Computer Science, vol. 1978, pp. 75-93, 2000.
  17. D. Wagner, "The Boomerang Attack," in Proc. of International Workshop on Fast Software Encryption. Lecture Notes in Computer Science, vol. 1636, pp. 156-170, 1999.
  18. A. Moldovyan, N. Moldovyan, "A cipher Based on Data-Dependent Permutations," Journal of Cryptology, vol. 15, pp. 61-72, 2002. https://doi.org/10.1007/s00145-001-0012-9
  19. N. Goots, N. Moldovyan, P. Moldovyanu, D. Summerville, "Fast DDP-based Ciphers: from Hardware to Software," in Proc. of 2003 46th IEEE Midwest International Symposium on Circuits and Systems, vol. 2, pp.770-773, Dec 2003.
  20. N. Sklavos, N. Moldovyan, O. Koufopavlou, "High Speed Networking Security: Design and Implementation of Two New DDP-based Ciphers," Mobile Networks and Applications-MONET, vol. 10, no. 1, pp. 219-231, 2005. https://doi.org/10.1023/B:MONE.0000048556.51292.31